---------------------------------------------------------------------

Snort 3 Reference Manual

---------------------------------------------------------------------

The Snort Team

Revision History
Revision 3.1.19.0 2021-12-15 06:07:48 EST TST

---------------------------------------------------------------------

Table of Contents

1. Help
2. Basic Modules

    2.1. active
    2.2. alerts
    2.3. attribute_table
    2.4. classifications
    2.5. daq
    2.6. decode
    2.7. detection
    2.8. event_filter
    2.9. event_queue
    2.10. high_availability
    2.11. host_cache
    2.12. host_tracker
    2.13. hosts
    2.14. inspection
    2.15. ips
    2.16. latency
    2.17. memory
    2.18. network
    2.19. output
    2.20. packet_tracer
    2.21. packets
    2.22. payload_injector
    2.23. process
    2.24. profiler
    2.25. rate_filter
    2.26. references
    2.27. search_engine
    2.28. side_channel
    2.29. snort
    2.30. suppress
    2.31. trace

3. Codec Modules

    3.1. arp
    3.2. auth
    3.3. ciscometadata
    3.4. eapol
    3.5. erspan2
    3.6. erspan3
    3.7. esp
    3.8. eth
    3.9. fabricpath
    3.10. geneve
    3.11. gre
    3.12. gtp
    3.13. icmp4
    3.14. icmp6
    3.15. igmp
    3.16. ipv4
    3.17. ipv6
    3.18. llc
    3.19. mpls
    3.20. pbb
    3.21. pgm
    3.22. pppoe
    3.23. tcp
    3.24. token_ring
    3.25. udp
    3.26. vlan
    3.27. wlan

4. Connector Modules

    4.1. file_connector
    4.2. tcp_connector

5. Inspector Modules

    5.1. appid
    5.2. appid_listener
    5.3. arp_spoof
    5.4. back_orifice
    5.5. binder
    5.6. cip
    5.7. cpeos_test
    5.8. data_log
    5.9. dce_http_proxy
    5.10. dce_http_server
    5.11. dce_smb
    5.12. dce_tcp
    5.13. dce_udp
    5.14. dnp3
    5.15. dns
    5.16. domain_filter
    5.17. dpx
    5.18. file_id
    5.19. file_log
    5.20. ftp_client
    5.21. ftp_data
    5.22. ftp_server
    5.23. gtp_inspect
    5.24. http2_inspect
    5.25. http_inspect
    5.26. iec104
    5.27. imap
    5.28. mem_test
    5.29. modbus
    5.30. netflow
    5.31. normalizer
    5.32. null_trace_logger
    5.33. packet_capture
    5.34. perf_monitor
    5.35. pop
    5.36. port_scan
    5.37. reputation
    5.38. rna
    5.39. rpc_decode
    5.40. s7commplus
    5.41. sip
    5.42. smtp
    5.43. so_proxy
    5.44. ssh
    5.45. ssl
    5.46. stream
    5.47. stream_file
    5.48. stream_icmp
    5.49. stream_ip
    5.50. stream_tcp
    5.51. stream_udp
    5.52. stream_user
    5.53. telnet
    5.54. wizard

6. IPS Action Modules

    6.1. react
    6.2. reject

7. IPS Option Modules

    7.1. ack
    7.2. appids
    7.3. asn1
    7.4. base64_decode
    7.5. ber_data
    7.6. ber_skip
    7.7. bufferlen
    7.8. byte_extract
    7.9. byte_jump
    7.10. byte_math
    7.11. byte_test
    7.12. cip_attribute
    7.13. cip_class
    7.14. cip_conn_path_class
    7.15. cip_instance
    7.16. cip_req
    7.17. cip_rsp
    7.18. cip_service
    7.19. cip_status
    7.20. classtype
    7.21. content
    7.22. cvs
    7.23. dce_iface
    7.24. dce_opnum
    7.25. dce_stub_data
    7.26. detection_filter
    7.27. dnp3_data
    7.28. dnp3_func
    7.29. dnp3_ind
    7.30. dnp3_obj
    7.31. dsize
    7.32. enable
    7.33. enip_command
    7.34. enip_req
    7.35. enip_rsp
    7.36. file_data
    7.37. file_type
    7.38. flags
    7.39. flow
    7.40. flowbits
    7.41. fragbits
    7.42. fragoffset
    7.43. gid
    7.44. gtp_info
    7.45. gtp_type
    7.46. gtp_version
    7.47. http_client_body
    7.48. http_cookie
    7.49. http_header
    7.50. http_method
    7.51. http_param
    7.52. http_raw_body
    7.53. http_raw_cookie
    7.54. http_raw_header
    7.55. http_raw_request
    7.56. http_raw_status
    7.57. http_raw_trailer
    7.58. http_raw_uri
    7.59. http_stat_code
    7.60. http_stat_msg
    7.61. http_trailer
    7.62. http_true_ip
    7.63. http_uri
    7.64. http_version
    7.65. icmp_id
    7.66. icmp_seq
    7.67. icode
    7.68. id
    7.69. iec104_apci_type
    7.70. iec104_asdu_func
    7.71. ip_proto
    7.72. ipopts
    7.73. isdataat
    7.74. itype
    7.75. js_data
    7.76. md5
    7.77. metadata
    7.78. modbus_data
    7.79. modbus_func
    7.80. modbus_unit
    7.81. msg
    7.82. mss
    7.83. num_headers
    7.84. num_trailers
    7.85. pcre
    7.86. pkt_data
    7.87. pkt_num
    7.88. priority
    7.89. raw_data
    7.90. reference
    7.91. regex
    7.92. rem
    7.93. replace
    7.94. rev
    7.95. rpc
    7.96. s7commplus_content
    7.97. s7commplus_func
    7.98. s7commplus_opcode
    7.99. sd_pattern
    7.100. seq
    7.101. service
    7.102. sha256
    7.103. sha512
    7.104. sid
    7.105. sip_body
    7.106. sip_header
    7.107. sip_method
    7.108. sip_stat_code
    7.109. so
    7.110. soid
    7.111. ssl_state
    7.112. ssl_version
    7.113. stream_reassemble
    7.114. stream_size
    7.115. tag
    7.116. target
    7.117. tos
    7.118. ttl
    7.119. urg
    7.120. vba_data
    7.121. window
    7.122. wscale

8. Search Engine Modules
9. SO Rule Modules
10. Logger Modules

    10.1. alert_csv
    10.2. alert_ex
    10.3. alert_fast
    10.4. alert_full
    10.5. alert_json
    10.6. alert_syslog
    10.7. alert_talos
    10.8. alert_unixsock
    10.9. log_codecs
    10.10. log_hext
    10.11. log_pcap
    10.12. unified2

11. Appendix

    11.1. Build Options
    11.2. Environment Variables
    11.3. Command Line Options
    11.4. Configuration
    11.5. Counts
    11.6. Generators
    11.7. Builtin Rules
    11.8. Command Set
    11.9. Signals
    11.10. Module Listing
    11.11. Plugin Listing


---------------------------------------------------------------------

1. Help

---------------------------------------------------------------------

The detail in this reference manual was generated from the various
help commands available in Snort. snort --help will output:

Snort has several options to get more help:

-?                                   list command line options (same as --help)
--help                               this overview of help
--help-commands [<module prefix>]    output matching commands
--help-config [<module prefix>]      output matching config options
--help-counts [<module prefix>]      output matching peg counts
--help-limits                        print the int upper bounds denoted by max*
--help-module <module>               output description of given module
--help-modules                       list all available modules with brief help
--help-modules-json                  dump description of all available modules in JSON format
--help-plugins                       list all available plugins with brief help
--help-options [<option prefix>]     output matching command line options
--help-signals                       dump available control signals
--list-buffers                       output available inspection buffers
--list-builtin [<module prefix>]     output matching builtin rules
--list-gids [<module prefix>]        output matching generators
--list-modules [<module type>]       list all known modules
--list-plugins                       list all known modules
--show-plugins                       list module and plugin versions

--help* and --list* options preempt other processing so should be last on the
command line since any following options are ignored. To ensure options like
--markup and --plugin-path take effect, place them ahead of the help or list
options.

Options that filter output based on a matching prefix, such as --help-config,
won't output anything if there is no match. If no prefix is given, everything
matches.

Report bugs to bugs@snort.org.


---------------------------------------------------------------------

2. Basic Modules

---------------------------------------------------------------------

Internal modules which are not plugins are termed "basic". These
include configuration for core processing.


2.1. active

--------------

Help: configure responses

Type: basic

Usage: global

Configuration:

  * int active.attempts = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:255 }
  * string active.device: use ip for network layer responses or eth0 etc for link layer
  * string active.dst_mac: use format 01:23:45:67:89:ab
  * int active.max_responses = 0: maximum number of responses { 0:255 }
  * int active.min_interval = 255: minimum number of seconds between responses { 1:255 }

Peg counts:

  * active.injects: total crafted packets encoded and injected (sum)
  * active.failed_injects: total crafted packet encode + injects that failed (sum)
  * active.direct_injects: total crafted packets directly injected (sum)
  * active.failed_direct_injects: total crafted packet direct injects that failed (sum)
  * active.holds_denied: total number of packet hold requests denied (sum)
  * active.holds_canceled: total number of packet hold requests canceled (sum)
  * active.holds_allowed: total number of packet hold requests allowed (sum)


2.2. alerts

--------------

Help: configure alerts

Type: basic

Usage: global

Configuration:

  * bool alerts.alert_with_interface_name = false: include interface in alert info (fast, full, or syslog only)
  * int alerts.detection_filter_memcap = 1048576: set available MB of memory for detection_filters { 0:max32 }
  * int alerts.event_filter_memcap = 1048576: set available MB of memory for event_filters { 0:max32 }
  * bool alerts.log_references = false: include rule references in alert info (full only)
  * string alerts.order: change the order of rule action application
  * int alerts.rate_filter_memcap = 1048576: set available MB of memory for rate_filters { 0:max32 }
  * string alerts.reference_net: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
  * bool alerts.stateful = false: don’t alert w/o established session (note: rule action still taken)
  * string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic


2.3. attribute_table

--------------

Help: configure hosts loading

Type: basic

Usage: global

Configuration:

  * string attribute_table.hosts_file: filename to load attribute host table from
  * int attribute_table.max_hosts = 1024: maximum number of hosts in attribute table { 32:max53 }
  * int attribute_table.max_services_per_host = 8: maximum number of services per host entry in attribute table { 1:65535 }
  * int attribute_table.max_metadata_services = 9: maximum number of services in rule { 1:255 }


2.4. classifications

--------------

Help: define rule categories with priority

Type: basic

Usage: global

Configuration:

  * string classifications[].name: name used with classtype rule option
  * int classifications[].priority = 1: default priority for class { 0:max32 }
  * string classifications[].text: description of class


2.5. daq

--------------

Help: configure packet acquisition interface

Type: basic

Usage: global

Configuration:

  * string daq.module_dirs[].path: directory path
  * string daq.inputs[].input: input source
  * int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 }
  * int daq.batch_size = 64: set receive batch size (same as --daq-batch-size) { 1: }
  * string daq.modules[].name: DAQ module name (required)
  * enum daq.modules[].mode = passive: DAQ module mode { passive | inline | read-file }
  * string daq.modules[].variables[].variable: DAQ module variable (foo[=bar])

Peg counts:

  * daq.pcaps: total files and interfaces processed (max)
  * daq.received: total packets received from DAQ (sum)
  * daq.analyzed: total packets analyzed from DAQ (sum)
  * daq.dropped: packets dropped (sum)
  * daq.filtered: packets filtered out (sum)
  * daq.outstanding: packets unprocessed (sum)
  * daq.injected: active responses or replacements (sum)
  * daq.allow: total allow verdicts (sum)
  * daq.block: total block verdicts (sum)
  * daq.replace: total replace verdicts (sum)
  * daq.whitelist: total whitelist verdicts (sum)
  * daq.blacklist: total blacklist verdicts (sum)
  * daq.ignore: total ignore verdicts (sum)
  * daq.internal_blacklist: packets blacklisted internally due to lack of DAQ support (sum)
  * daq.internal_whitelist: packets whitelisted internally due to lack of DAQ support (sum)
  * daq.skipped: packets skipped at startup (sum)
  * daq.idle: attempts to acquire from DAQ without available packets (sum)
  * daq.rx_bytes: total bytes received (sum)
  * daq.expected_flows: expected flows created in DAQ (sum)
  * daq.retries_queued: messages queued for retry (sum)
  * daq.retries_dropped: messages dropped when overrunning the retry queue (sum)
  * daq.retries_processed: messages processed from the retry queue (sum)
  * daq.retries_discarded: messages discarded when purging the retry queue (sum)
  * daq.sof_messages: start of flow messages received from DAQ (sum)
  * daq.eof_messages: end of flow messages received from DAQ (sum)
  * daq.other_messages: messages received from DAQ with unrecognized message type (sum)


2.6. decode

--------------

Help: general decoder rules

Type: basic

Usage: context

Rules:

  * 116:150 (decode) loopback IP
  * 116:151 (decode) same src/dst IP
  * 116:293 (decode) two or more IP (v4 and/or v6) encapsulation layers present
  * 116:449 (decode) unassigned/reserved IP protocol
  * 116:450 (decode) bad IP protocol
  * 116:459 (decode) fragment with zero length
  * 116:472 (decode) too many protocols present
  * 116:473 (decode) ether type out of range


2.7. detection

--------------

Help: configure general IPS rule processing parameters

Type: basic

Usage: global

Configuration:

  * bool detection.allow_missing_so_rules = false: warn (true) or error (false) when an SO rule stub refers to an SO rule that isn’t loaded
  * int detection.asn1 = 0: maximum decode nodes { 0:65535 }
  * bool detection.global_default_rule_state = true: enable or disable rules by default (overridden by ips policy settings)
  * bool detection.global_rule_state = false: apply rule_state against all policies
  * bool detection.hyperscan_literals = false: use hyperscan for content literal searches instead of boyer-moore
  * int detection.offload_limit = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }
  * int detection.offload_threads = 0: maximum number of simultaneous offloads (defaults to disabled) { 0:max32 }
  * bool detection.pcre_enable = true: enable pcre pattern matching
  * int detection.pcre_match_limit = 1500: limit pcre backtracking, 0 = off { 0:max32 }
  * int detection.pcre_match_limit_recursion = 1500: limit pcre stack consumption, 0 = off { 0:max32 }
  * bool detection.pcre_override = true: enable pcre match limit overrides when pattern matching (ie ignore /O)
  * bool detection.pcre_to_regex = false: enable the use of regex instead of pcre for compatible expressions
  * bool detection.enable_address_anomaly_checks = false: enable check and alerting of address anomalies

Peg counts:

  * detection.analyzed: total packets processed (now)
  * detection.hard_evals: non-fast pattern rule evaluations (sum)
  * detection.raw_searches: fast pattern searches in raw packet data (sum)
  * detection.cooked_searches: fast pattern searches in cooked packet data (sum)
  * detection.pkt_searches: fast pattern searches in packet data (sum)
  * detection.alt_searches: alt fast pattern searches in packet data (sum)
  * detection.key_searches: fast pattern searches in key buffer (sum)
  * detection.header_searches: fast pattern searches in header buffer (sum)
  * detection.body_searches: fast pattern searches in body buffer (sum)
  * detection.file_searches: fast pattern searches in file buffer (sum)
  * detection.raw_key_searches: fast pattern searches in raw key buffer (sum)
  * detection.raw_header_searches: fast pattern searches in raw header buffer (sum)
  * detection.method_searches: fast pattern searches in method buffer (sum)
  * detection.stat_code_searches: fast pattern searches in status code buffer (sum)
  * detection.stat_msg_searches: fast pattern searches in status message buffer (sum)
  * detection.cookie_searches: fast pattern searches in cookie buffer (sum)
  * detection.js_data_searches: fast pattern searches in js_data buffer (sum)
  * detection.vba_searches: fast pattern searches in MS Office Visual Basic for Applications buffer (sum)
  * detection.offloads: fast pattern searches that were offloaded (sum)
  * detection.alerts: alerts not including IP reputation (sum)
  * detection.total_alerts: alerts including IP reputation (sum)
  * detection.logged: logged packets (sum)
  * detection.passed: passed packets (sum)
  * detection.match_limit: fast pattern matches not processed (sum)
  * detection.queue_limit: events not queued because queue full (sum)
  * detection.log_limit: events queued but not logged (sum)
  * detection.event_limit: events filtered (sum)
  * detection.alert_limit: events previously triggered on same PDU (sum)
  * detection.context_stalls: times processing stalled to wait for an available context (sum)
  * detection.offload_busy: times offload was not available (sum)
  * detection.onload_waits: times processing waited for onload to complete (sum)
  * detection.offload_fallback: fast pattern offload search fallback attempts (sum)
  * detection.offload_failures: fast pattern offload search failures (sum)
  * detection.offload_suspends: fast pattern search suspends due to offload context chains (sum)
  * detection.pcre_match_limit: total number of times pcre hit the match limit (sum)
  * detection.pcre_recursion_limit: total number of times pcre hit the recursion limit (sum)
  * detection.pcre_error: total number of times pcre returns error (sum)


2.8. event_filter

--------------

Help: configure thresholding of events

Type: basic

Usage: context

Configuration:

  * int event_filter[].gid = 1: rule generator ID { 0:max32 }
  * int event_filter[].sid = 1: rule signature ID { 0:max32 }
  * enum event_filter[].type: 1st count events | every count events | once after count events { limit | threshold | both }
  * enum event_filter[].track: filter only matching source or destination addresses { by_src | by_dst }
  * int event_filter[].count = 0: number of events in interval before tripping; -1 to disable { -1:max31 }
  * int event_filter[].seconds = 0: count interval { 0:max32 }
  * string event_filter[].ip: restrict filter to these addresses according to track

Peg counts:

  * event_filter.no_memory_local: number of times event filter ran out of local memory (sum)
  * event_filter.no_memory_global: number of times event filter ran out of global memory (sum)

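The three filter types differ only in which of the matching events get logged: limit keeps the first count events per interval, threshold keeps every count-th event, and both logs once per interval after count events. As an added snort.lua illustration (not taken from the manual), one entry of each type; the sids and the 10.1.1.0/24 range are constructed placeholders:

```lua
-- Added example, not part of the Snort reference manual. The sids and the
-- 10.1.1.0/24 range are constructed placeholders; substitute your own.
event_filter =
{
    -- limit: log only the first event per source address in each 60 s
    -- window, however often the rule fires after that
    { gid = 1, sid = 1000001, type = 'limit', track = 'by_src',
      count = 1, seconds = 60 },

    -- threshold: log every 30th event per destination address inside a
    -- 60 s window (the 30th, 60th, 90th, ...)
    { gid = 1, sid = 1000002, type = 'threshold', track = 'by_dst',
      count = 30, seconds = 60 },

    -- both: log once per 60 s window, and only after 30 events have been
    -- seen for the same destination; applies only to the listed range
    { gid = 1, sid = 1000003, type = 'both', track = 'by_dst',
      count = 30, seconds = 60, ip = '10.1.1.0/24' },
}
```

If the event_filter.no_memory_local or no_memory_global pegs climb, filters are being dropped for lack of memory and alerts.event_filter_memcap needs raising.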
2.9. event_queue

--------------

Help: configure event queue parameters

Type: basic

Usage: context

Configuration:

  * int event_queue.max_queue = 8: maximum events to queue { 1:max32 }
  * int event_queue.log = 3: maximum events to log { 1:max32 }
  * enum event_queue.order_events = content_length: criteria for ordering incoming events { priority|content_length }
  * bool event_queue.process_all_events = false: process just first action group or all action groups


2.10. high_availability

--------------

Help: implement flow tracking high availability

Type: basic

Usage: global

Configuration:

  * bool high_availability.enable = false: enable high availability
  * bool high_availability.daq_channel = false: enable use of daq data plane channel
  * bit_list high_availability.ports: side channel message port list { 65535 }
  * int high_availability.min_age = 0: minimum session life in milliseconds before HA updates { 0:max32 }
  * int high_availability.min_sync = 0: minimum interval in milliseconds between HA updates { 0:max32 }

Peg counts:

  * high_availability.msgs_recv: total messages received (sum)
  * high_availability.update_msgs_recv: update messages received (sum)
  * high_availability.update_msgs_recv_no_flow: update messages received without a local flow (sum)
  * high_availability.update_msgs_consumed: update messages fully consumed (sum)
  * high_availability.delete_msgs_consumed: deletion messages consumed (sum)
  * high_availability.daq_stores: states stored via daq (sum)
  * high_availability.daq_imports: states imported via daq (sum)
  * high_availability.key_mismatch: messages received with a flow key mismatch (sum)
  * high_availability.msg_version_mismatch: messages received with a version mismatch (sum)
  * high_availability.msg_length_mismatch: messages received with an inconsistent total length (sum)
  * high_availability.truncated_msgs: truncated messages received (sum)
  * high_availability.unknown_key_type: messages received with an unknown flow key type (sum)
  * high_availability.unknown_client_idx: messages received with an unknown client index (sum)
  * high_availability.client_consume_errors: client data consume failure count (sum)


2.11. host_cache

--------------

Help: global LRU cache of host_tracker data about hosts

Type: basic

Usage: global

Configuration:

  * string host_cache.dump_file: file name to dump host cache on shutdown; won’t dump by default
  * int host_cache.memcap = 8388608: maximum host cache size in bytes { 512:maxSZ }

Commands:

  * host_cache.dump(file_name): dump host cache
  * host_cache.delete_host(host_ip): delete host from host cache
  * host_cache.delete_network_proto(host_ip, proto): delete network protocol from host
  * host_cache.delete_transport_proto(host_ip, proto): delete transport protocol from host
  * host_cache.delete_service(host_ip, port, proto): delete service from host
  * host_cache.delete_client(host_ip, id, service, version): delete client from host
  * host_cache.get_stats(): get current host cache usage and pegs

Peg counts:

  * host_cache.adds: lru cache added new entry (sum)
  * host_cache.alloc_prunes: lru cache pruned entry to make space for new entry (sum)
  * host_cache.find_hits: lru cache found entry in cache (sum)
  * host_cache.find_misses: lru cache did not find entry in cache (sum)
  * host_cache.reload_prunes: lru cache pruned entry for lower memcap during reload (sum)
  * host_cache.removes: lru cache found entry and removed it (sum)
  * host_cache.replaced: lru cache found entry and replaced it (sum)


2.12. host_tracker

--------------

Help: configure hosts

Type: basic

Usage: global

Configuration:

  * addr host_tracker[].ip: hosts address / cidr
  * port host_tracker[].services[].port: port number
  * enum host_tracker[].services[].proto: IP protocol { ip | tcp | udp }

Peg counts:

  * host_tracker.service_adds: host service adds (sum)
  * host_tracker.service_finds: host service finds (sum)


2.13. hosts

--------------

Help: configure hosts

Type: basic

Usage: global

Configuration:

  * addr hosts[].ip = 0.0.0.0/32: hosts address / CIDR
  * enum hosts[].frag_policy: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
  * enum hosts[].tcp_policy: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
  * string hosts[].services[].name: service identifier
  * enum hosts[].services[].proto = tcp: IP protocol { tcp | udp }
  * port hosts[].services[].port: port number

Peg counts:

  * hosts.total_hosts: maximum number of entries in the host attribute table (max)
  * hosts.hosts_pruned: number of LRU hosts pruned due to configured resource limits (sum)
  * hosts.dynamic_host_adds: number of host additions after initial host file load (sum)
  * hosts.dynamic_service_adds: number of service additions after initial host file load (sum)
  * hosts.dynamic_service_updates: number of service updates after initial host file load (sum)
  * hosts.service_list_overflows: number of service additions that failed due to configured resource limits (sum)

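As an added snort.lua illustration (not taken from the manual) of a hosts entry: a per-host defragmentation and TCP reassembly policy, so overlapping fragments and segments are resolved the way that target OS resolves them, plus services on non-default ports so detection keyed on the service name applies there. The address and ports are constructed placeholders:

```lua
-- Added example, not part of the Snort reference manual. The address and
-- the service ports are constructed placeholders; substitute your own.
hosts =
{
    {
        -- a single host (the /32 default); a CIDR such as '10.1.2.0/24'
        -- applies the same policies to every address in the range
        ip = '10.1.2.3',

        -- resolve overlapping fragments and TCP segments the way a Linux
        -- end host would, so an evasion that relies on ambiguous overlaps
        -- is seen by Snort as the target sees it
        frag_policy = 'linux',
        tcp_policy = 'linux',

        -- services listening on non-default ports; without these entries
        -- traffic to 8080/2222/5353 would not be recognised by service
        services =
        {
            { name = 'http', proto = 'tcp', port = 8080 },
            { name = 'ssh',  proto = 'tcp', port = 2222 },
            { name = 'dns',  proto = 'udp', port = 5353 },
        }
    }
}
```

attribute_table.max_hosts and max_services_per_host bound this table; hosts.service_list_overflows counts service additions rejected by those limits.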
inspection 867 868-------------- 869 870Help: configure basic inspection policy parameters 871 872Type: basic 873 874Usage: inspect 875 876Configuration: 877 878 * int inspection.id = 0: correlate policy and events with other 879 items in configuration { 0:65535 } 880 * string inspection.uuid: correlate events by uuid 881 * enum inspection.mode = inline-test: set policy mode { inline | 882 inline-test } 883 * int inspection.max_aux_ip = 16: maximum number of auxiliary IPs 884 per flow to detect and save (-1 = disable, 0 = detect but don’t 885 save, 1+ = save in FIFO manner) { -1:127 } 886 887 8882.15. ips 889 890-------------- 891 892Help: configure IPS rule processing 893 894Type: basic 895 896Usage: detect 897 898Configuration: 899 900 * string ips.action_map[].replace: action you want to change 901 * string ips.action_map[].with: action you want to use instead 902 * string ips.action_override: use this action for all rules 903 (applied before action_map) 904 * enum ips.default_rule_state = inherit: enable or disable ips 905 rules { no | yes | inherit } 906 * bool ips.enable_builtin_rules = false: enable events from builtin 907 rules w/o stubs 908 * int ips.id = 0: correlate unified2 events with configuration { 909 0:65535 } 910 * string ips.include: snort rules and includes 911 * string ips.includer: for internal use; where includes are 912 included from { (optional) } 913 * enum ips.mode: set policy mode { tap | inline | inline-test } 914 * bool ips.obfuscate_pii = false: mask all but the last 4 915 characters of credit card and social security numbers 916 * string ips.rules: snort rules and includes (may contain states 917 too) 918 * string ips.states: snort rule states and includes (may contain 919 rules too) 920 * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS 921 policy uuid 922 * string ips.variables.nets.$var: IPS policy variable 923 * string ips.variables.paths.$var: IPS policy variable 924 * string ips.variables.ports.$var: IPS policy 
variable 925 926 9272.16. latency 928 929-------------- 930 931Help: packet and rule latency monitoring and control 932 933Type: basic 934 935Usage: context 936 937Configuration: 938 939 * int latency.packet.max_time = 500: set timeout for packet latency 940 thresholding (usec) { 0:max53 } 941 * bool latency.packet.fastpath = false: fastpath expensive packets 942 (max_time exceeded) 943 * int latency.rule.max_time = 500: set timeout for rule evaluation 944 (usec) { 0:max53 } 945 * bool latency.rule.suspend = false: temporarily suspend expensive 946 rules 947 * int latency.rule.suspend_threshold = 5: set threshold for number 948 of timeouts before suspending a rule { 1:max32 } 949 * int latency.rule.max_suspend_time = 30000: set max time for 950 suspending a rule (ms, 0 means permanently disable rule) { 951 0:max32 } 952 953Rules: 954 955 * 134:1 (latency) rule tree suspended due to latency 956 * 134:2 (latency) rule tree re-enabled after suspend timeout 957 * 134:3 (latency) packet fastpathed due to latency 958 959Peg counts: 960 961 * latency.total_packets: total packets monitored (sum) 962 * latency.total_usecs: total usecs elapsed (sum) 963 * latency.max_usecs: maximum usecs elapsed (sum) 964 * latency.packet_timeouts: packets that timed out (sum) 965 * latency.total_rule_evals: total rule evals monitored (sum) 966 * latency.rule_eval_timeouts: rule evals that timed out (sum) 967 * latency.rule_tree_enables: rule tree re-enables (sum) 968 969 9702.17. 
memory 971 972-------------- 973 974Help: memory management configuration 975 976Type: basic 977 978Usage: global 979 980Configuration: 981 982 * int memory.cap = 0: set the per-packet-thread cap on memory 983 (bytes, 0 to disable) { 0:maxSZ } 984 * int memory.threshold = 100: scale cap to account for heap 985 overhead { 1:100 } 986 987Peg counts: 988 989 * memory.allocations: total number of allocations (now) 990 * memory.deallocations: total number of deallocations (now) 991 * memory.allocated: total amount of memory allocated (now) 992 * memory.deallocated: total amount of memory allocated (now) 993 * memory.reap_attempts: attempts to reclaim memory (now) 994 * memory.reap_failures: failures to reclaim memory (now) 995 * memory.max_in_use: highest allocated - deallocated (max) 996 997 9982.18. network 999 1000-------------- 1001 1002Help: configure basic network parameters 1003 1004Type: basic 1005 1006Usage: context 1007 1008Configuration: 1009 1010 * multi network.checksum_drop = none: drop if checksum is bad { all 1011 | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none } 1012 * multi network.checksum_eval = all: checksums to verify { all | ip 1013 | noip | tcp | notcp | udp | noudp | icmp | noicmp | none } 1014 * int network.id = 0: correlate unified2 events with configuration 1015 { 0:65535 } 1016 * int network.min_ttl = 1: alert / normalize packets with lower TTL 1017 / hop limit (you must enable rules and / or normalization also) { 1018 1:255 } 1019 * int network.new_ttl = 1: use this value for responses and when 1020 normalizing { 1:255 } 1021 * int network.layers = 40: the maximum number of protocols that 1022 Snort can correctly decode { 3:255 } 1023 * int network.max_ip6_extensions = 0: the maximum number of IP6 1024 options Snort will process for a given IPv6 layer before raising 1025 116:456 (0 = unlimited) { 0:255 } 1026 * int network.max_ip_layers = 0: the maximum number of IP layers 1027 Snort will process for a given packet before 
raising 116:293 (0 = 1028 unlimited) { 0:255 } 1029 1030 10312.19. output 1032 1033-------------- 1034 1035Help: configure general output parameters 1036 1037Type: basic 1038 1039Usage: global 1040 1041Configuration: 1042 1043 * bool output.dump_chars_only = false: turns on character dumps 1044 (same as -C) 1045 * bool output.dump_payload = false: dumps application layer (same 1046 as -d) 1047 * bool output.dump_payload_verbose = false: dumps raw packet 1048 starting at link layer (same as -X) 1049 * int output.event_trace.max_data = 0: maximum amount of packet 1050 data to capture { 0:65535 } 1051 * bool output.quiet = false: suppress normal logging on stdout 1052 (same as -q) 1053 * string output.logdir = .: where to put log files (same as -l) 1054 * bool output.show_year = false: include year in timestamp in the 1055 alert and log files (same as -y) 1056 * int output.tagged_packet_limit = 256: maximum number of packets 1057 tagged for non-packet metrics { 0:max32 } 1058 * bool output.verbose = false: be verbose (same as -v) 1059 * bool output.obfuscate = false: obfuscate the logged IP addresses 1060 (same as -O) 1061 * bool output.wide_hex_dump = false: output 20 bytes per lines 1062 instead of 16 when dumping buffers 1063 1064Rules: 1065 1066 * 2:1 (output) tagged packet 1067 1068 10692.20. packet_tracer 1070 1071-------------- 1072 1073Help: generate debug trace messages for packets 1074 1075Type: basic 1076 1077Usage: global 1078 1079Configuration: 1080 1081 * bool packet_tracer.enable = false: enable summary output of state 1082 that determined packet verdict 1083 * enum packet_tracer.output = console: select where to send packet 1084 trace { console | file } 1085 1086Commands: 1087 1088 * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port): 1089 enable packet tracer debugging 1090 * packet_tracer.disable(): disable packet tracer 1091 1092 10932.21. 
2.21. packets

--------------

Help: configure basic packet handling

Type: basic

Usage: global

Configuration:

 * bool packets.address_space_agnostic = false: determines whether DAQ address space info is used to track fragments and connections
 * string packets.bpf_file: file with BPF to select traffic for Snort
 * int packets.limit = 0: maximum number of packets to process before stopping (0 is unlimited) { 0:max53 }
 * int packets.skip = 0: number of packets to skip before processing { 0:max53 }
 * bool packets.mpls_agnostic = true: determines whether MPLS labels are used to track fragments and connections
 * bool packets.vlan_agnostic = false: determines whether VLAN tags are used to track fragments and connections


2.22. payload_injector

--------------

Help: payload injection utility

Type: basic

Usage: global

Peg counts:

 * payload_injector.http_injects: total number of http injections (sum)
 * payload_injector.http2_injects: total number of http2 injections (sum)
 * payload_injector.http2_translate_err: total number of http2 page translation errors (sum)
 * payload_injector.http2_mid_frame: total number of attempts to inject mid-frame (sum)
2.23. process

--------------

Help: configure basic process setup

Type: basic

Usage: global

Configuration:

 * string process.chroot: set chroot directory (same as -t)
 * string process.threads[].cpuset: pin the associated thread to this cpuset
 * int process.threads[].thread: index (<cur_thread_num>) of the thread whose affinity is set by the associated cpuset { 0:65535 }
 * enum process.threads[].type: define which threads will have specified affinity, by their type { other|packet|main }
 * string process.threads[].name: define which threads will have specified affinity, by thread name
 * bool process.daemon = false: fork as a daemon (same as -D)
 * bool process.dirty_pig = false: shutdown without internal cleanup
 * string process.set_gid: set group ID (same as -g)
 * string process.set_uid: set user ID (same as -u)
 * int process.umask: set process umask (same as -m) { 0x000:0x1FF }
 * bool process.utc = false: use UTC instead of local time for timestamps
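A least-privilege process configuration for the section above, added as an example; it is not from the Snort manual or source tree. The account name, the chroot path and the core numbers are assumptions; the option names are the ones listed in this section and under 2.19 output.

```lua
-- snort.lua fragment: least-privilege process setup (added example, not from
-- the Snort manual or source tree). Account name and paths are assumed.
process =
{
    -- Snort needs privileges only to open the capture interface. After
    -- initialization it switches to an unprivileged account (same as -u/-g)
    -- so that a bug in a decoder or inspector parsing attacker-controlled
    -- packets does not hand over root on the sensor.
    set_uid = 'snort',
    set_gid = 'snort',

    -- Jail the process after initialization (same as -t). Anything Snort
    -- opens after that point (rotated logs, pcap dumps) is resolved inside
    -- this tree, so the directories must exist there.
    chroot = '/var/lib/snort',

    -- umask 077 (Lua has no octal literals, hence the hex): alert and packet
    -- logs are created owner-only, since they contain captured traffic.
    umask = 0x3F,

    daemon = true,   -- fork into the background (same as -D)
    utc    = true,   -- UTC timestamps are unambiguous across several sensors

    -- CPU affinity: packet threads 0 and 1 on cores 2 and 3; 'main' and
    -- 'other' threads are left to the scheduler. 'thread' is the packet
    -- thread index, 'cpuset' uses cpuset list syntax.
    threads =
    {
        { type = 'packet', thread = 0, cpuset = '2' },
        { type = 'packet', thread = 1, cpuset = '3' },
    },
}

-- Log directory as seen from inside the chroot, i.e. /var/lib/snort/log on
-- the host filesystem.
output =
{
    logdir = '/log',
}
```

The equivalent command line flags are listed under 2.29 snort (-u, -g, -t, -m, -D, -U). Snort has to be started with enough privilege for set_uid, set_gid and chroot to succeed, the number of packet threads (-z / --max-packet-threads) should match the threads pinned here, and the configuration should be validated with snort -c snort.lua -T before it is deployed.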
2.24. profiler

--------------

Help: configure profiling of rules and/or modules

Type: basic

Usage: global

Configuration:

 * bool profiler.modules.show = true: show module time profile stats
 * int profiler.modules.count = 0: limit results to count items per level (0 = no limit) { 0:max32 }
 * enum profiler.modules.sort = total_time: sort by given field { none | checks | avg_check | total_time }
 * int profiler.modules.max_depth = -1: limit depth to max_depth (-1 = no limit) { -1:255 }
 * bool profiler.memory.show = true: show module memory profile stats
 * int profiler.memory.count = 0: limit results to count items per level (0 = no limit) { 0:max32 }
 * enum profiler.memory.sort = total_used: sort by given field { none | allocations | total_used | avg_allocation }
 * int profiler.memory.max_depth = -1: limit depth to max_depth (-1 = no limit) { -1:255 }
 * bool profiler.rules.show = true: show rule time profile stats
 * int profiler.rules.count = 0: print results to given level (0 = all) { 0:max32 }
 * enum profiler.rules.sort = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }
2.25. rate_filter

--------------

Help: configure rate filters (which change rule actions)

Type: basic

Usage: context

Configuration:

 * int rate_filter[].gid = 1: rule generator ID { 0:max32 }
 * int rate_filter[].sid = 1: rule signature ID { 0:max32 }
 * enum rate_filter[].track = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
 * int rate_filter[].count = 1: number of events in interval before tripping { 0:max32 }
 * int rate_filter[].seconds = 1: count interval { 0:max32 }
 * dynamic rate_filter[].new_action = alert: take this action on future hits until timeout { alert | block | drop | log | pass | react | reject | rewrite }
 * int rate_filter[].timeout = 1: seconds to keep new_action in effect after the filter trips, before reverting to the rule's original action { 0:max32 }
 * string rate_filter[].apply_to: restrict filter to these addresses according to track

Peg counts:

 * rate_filter.no_memory: number of times rate filter ran out of memory (sum)


2.26. references

--------------

Help: define reference systems used in rules

Type: basic

Usage: global

Configuration:

 * string references[].name: name used with reference rule option
 * string references[].url: where this reference is defined
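A snort.lua fragment that uses rate_filter together with suppress (2.30) for one noisy rule, added as an example; it is not from the Snort manual or source tree. Rule 1:1000001, the addresses and the apply_to list syntax are assumptions.

```lua
-- snort.lua fragment: throttling a noisy rule into a block and silencing a
-- known scanner (added example, not from the Snort manual or source tree).
-- Rule 1:1000001 is assumed to be a text rule that fires once per failed
-- SSH login; the addresses are made up for the example.
rate_filter =
{
    {
        gid = 1, sid = 1000001,
        track = 'by_src',      -- count separately per attacking source
        count = 5,             -- 5 events ...
        seconds = 60,          -- ... within a 60 s window trip the filter
        new_action = 'block',  -- from then on, hits from that source are blocked
        timeout = 600,         -- for 10 minutes; then the rule's own action applies again
        -- Only rate-limit sources outside the corporate range. The value is
        -- assumed to use the same IP list syntax as rule headers.
        apply_to = '!10.0.0.0/8',
    },
}

-- The authorised vulnerability scanner trips the same rule all day. Suppress
-- it by source address rather than disabling the rule, so the rule keeps
-- firing for everyone else.
suppress =
{
    { gid = 1, sid = 1000001, track = 'by_src', ip = '10.0.5.20' },
}
```

new_action = block only blocks when Snort runs inline (-Q); in passive mode the event is still logged and nothing is dropped. track = by_src is the usual choice, but an attacker who spreads attempts over many source addresses stays under count; by_rule catches the aggregate, at the price that one noisy source then changes the action for everyone matching the rule. If the rate_filter.no_memory peg starts climbing, the tracking table is full and new sources are no longer being counted.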
2.27. search_engine

--------------

Help: configure fast pattern matcher

Type: basic

Usage: global

Configuration:

 * int search_engine.bleedover_port_limit = 1024: maximum ports in rule before demotion to any-any port group { 1:max32 }
 * bool search_engine.bleedover_warnings_enabled = false: print warning if a rule is demoted to any-any port group
 * bool search_engine.enable_single_rule_group = false: put all rules into one group
 * bool search_engine.debug = false: print verbose fast pattern info
 * bool search_engine.debug_print_nocontent_rule_tests = false: print rule group info during packet evaluation
 * bool search_engine.debug_print_rule_group_build_details = false: print rule group info during compilation
 * bool search_engine.debug_print_rule_groups_uncompiled = false: prints uncompiled rule group information
 * bool search_engine.debug_print_rule_groups_compiled = false: prints compiled rule group information
 * int search_engine.max_pattern_len = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0:max32 }
 * int search_engine.max_queue_events = 5: maximum number of matching fast pattern states to queue per packet { 2:100 }
 * bool search_engine.detect_raw_tcp = false: detect on TCP payload before reassembly
 * dynamic search_engine.search_method = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
 * dynamic search_engine.offload_search_method: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
 * string search_engine.rule_db_dir: deserialize rule databases from given directory
 * bool search_engine.search_optimize =
true: tweak state machine construction for better performance
 * bool search_engine.show_fast_patterns = false: print fast pattern info for each rule
 * bool search_engine.split_any_any = true: evaluate any-any rules separately to save memory
 * int search_engine.queue_limit = 0: maximum number of fast pattern matches to queue per packet (0 is unlimited) { 0:max32 }

Peg counts:

 * search_engine.max_queued: maximum fast pattern matches queued for further evaluation (max)
 * search_engine.total_flushed: total fast pattern matches processed (sum)
 * search_engine.total_inserts: total fast pattern hits (sum)
 * search_engine.total_overruns: fast pattern matches discarded due to overflow (sum)
 * search_engine.total_unique: total unique fast pattern hits (sum)
 * search_engine.non_qualified_events: total non-qualified events (sum)
 * search_engine.qualified_events: total qualified events (sum)
 * search_engine.searched_bytes: total bytes searched (sum)


2.28. side_channel

--------------

Help: implement the side-channel asynchronous messaging subsystem

Type: basic

Usage: global

Configuration:

 * bit_list side_channel[].ports: side channel message port list { 65535 }
 * string side_channel[].connectors[].connector: connector handle
 * string side_channel[].connector: connector handle

Peg counts:

 * side_channel.packets: total packets (sum)
2.29. snort

--------------

Help: command line configuration and shell commands

Type: basic

Usage: global

Configuration:

 * string snort.-?: <option prefix> output matching command line option quick help (same as --help-options) { (optional) }
 * string snort.-A: <mode> set alert mode: none, cmg, or alert_*
 * addr snort.-B = 255.255.255.255/32: <mask> obfuscated IP addresses in alerts and packet dumps using CIDR mask
 * implied snort.-C: print out payloads with character data only (no hex)
 * string snort.-c: <conf> use this configuration
 * implied snort.-D: run Snort in background (daemon) mode
 * implied snort.-d: dump the Application Layer
 * implied snort.-e: display the second layer header info
 * implied snort.-f: turn off fflush() calls after binary log writes
 * int snort.-G: <0xid> (same as --logid) { 0:65535 }
 * string snort.-g: <gname> run snort gid as <gname> group (or gid) after initialization
 * implied snort.-H: make hash tables deterministic
 * implied snort.-h: show help overview (same as --help)
 * string snort.-i: <iface>… list of interfaces
 * port snort.-j: <port> to listen for Telnet connections
 * enum snort.-k = all: <mode> checksum mode; default is all { all|noip|notcp|noudp|noicmp|none }
 * string snort.-L: <mode> logging mode (none, dump, pcap, or log_*)
 * string snort.-l: <logdir> log to this directory instead of current directory
 * implied snort.-M: log messages to syslog (not alerts)
 * int snort.-m: <umask> set the process file mode creation mask { 0x000:0x1FF }
 * int snort.-n: <count> stop after count packets { 0:max53 }
 * implied snort.-O: obfuscate the logged IP addresses
 * implied snort.-Q: enable inline mode operation
 * implied snort.-q: quiet mode - suppress normal logging on stdout
 * string snort.-R: <rules> include this rules file in the
default policy
 * string snort.-r: <pcap>… (same as --pcap-list)
 * int snort.-s = 1518: <snap> (same as --snaplen); default is 1518 { 68:65535 }
 * implied snort.-T: test and report on the current Snort configuration
 * string snort.-t: <dir> chroots process to <dir> after initialization
 * implied snort.-U: use UTC for timestamps
 * string snort.-u: <uname> run snort as <uname> or <uid> after initialization
 * implied snort.-V: (same as --version)
 * implied snort.-v: be verbose
 * implied snort.-X: dump the raw packet data starting at the link layer
 * implied snort.-x: same as --pedantic
 * implied snort.-y: include year in timestamp in the alert and log files
 * int snort.-z: <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 { 0:max32 }
 * implied snort.--alert-before-pass: evaluate alert rules before pass rules; default is pass rules first
 * string snort.--bpf: <filter options> are standard BPF options, as seen in TCPDump
 * string snort.--c2x: output hex for given char (see also --x2c)
 * string snort.--control-socket: <file> to create unix socket
 * implied snort.--create-pidfile: create PID file, even when not in Daemon mode
 * string snort.--daq: <type> select packet acquisition module (default is pcap)
 * int snort.--daq-batch-size = 64: <size> set the DAQ receive batch size { 1: }
 * string snort.--daq-dir: <dir> tell snort where to find desired DAQ
 * implied snort.--daq-list: list packet acquisition modules available in optional dir, default is static modules only
 * enum snort.--daq-mode: <mode> select DAQ module operating mode (overrides automatic selection) { passive | inline | read-file }
 * string snort.--daq-var: <name=value> specify extra DAQ configuration variable
 * implied snort.--dirty-pig: don’t flush packets on shutdown
 * string snort.--dump-builtin-options: additional options to include with --dump-builtin-rules stubs
 * string snort.--dump-builtin-rules: [<module prefix>] output stub rules for selected modules { (optional) }
 * select snort.--dump-config: dump config in json format { all | top }
 * implied snort.--dump-config-text: dump config in text format
 * implied snort.--dump-dynamic-rules: output stub rules for all loaded rules libraries
 * string snort.--dump-defaults: [<module prefix>] output module defaults in Lua format { (optional) }
 * string snort.--dump-rule-databases: dump rule databases to given directory (hyperscan only)
 * implied snort.--dump-rule-deps: dump rule dependencies in json format for use by other tools
 * implied snort.--dump-rule-meta: dump configured rule info in json format for use by other tools
 * implied snort.--dump-rule-state: dump configured rule state in json format for use by other tools
 * implied snort.--dump-version: output the version, the whole version, and only the version
 * implied snort.--enable-inline-test: enable Inline-Test Mode Operation
 * implied snort.--enable-test-features: enable features used in testing
 * implied snort.--gen-msg-map: dump configured rules in gen-msg.map format for use by other tools
 * implied snort.--help: show help overview
 * string snort.--help-commands: [<module prefix>] output matching commands { (optional) }
 * string snort.--help-config: [<module prefix>] output matching config options { (optional) }
 * string snort.--help-counts: [<module prefix>] output matching peg counts { (optional) }
 * implied snort.--help-limits: print the int upper bounds denoted by max*
 * string snort.--help-module: <module> output description of given module
 * implied snort.--help-modules: list all available modules with brief help
 * implied snort.--help-modules-json: dump description of all available modules in JSON format
 * string snort.--help-options: [<option prefix>] output matching command line option quick help (same as -?) { (optional) }
 * implied snort.--help-plugins: list all available plugins with brief help
 * implied snort.--help-signals: dump available control signals
 * int snort.--id-offset = 0: offset to add to instance IDs when logging to files { 0:65535 }
 * implied snort.--id-subdir: create/use instance subdirectories in logdir instead of instance filename prefix
 * implied snort.--id-zero: use id prefix / subdirectory even with one packet thread
 * string snort.--include-path: <path> where to find Lua and rule included files; searched before current or config directories
 * implied snort.--list-buffers: output available inspection buffers
 * string snort.--list-builtin: [<module prefix>] output matching builtin rules { (optional) }
 * string snort.--list-gids: [<module prefix>] output matching generators { (optional) }
 * string snort.--list-modules: [<module type>] list all known modules of given type { (optional) }
 * implied snort.--list-plugins: list all known plugins
 * string snort.--lua: <chunk> extend/override conf with chunk; may be repeated
 * string snort.--lua-sandbox: <file> file that contains the lua sandbox environment in which config will be loaded
 * int snort.--logid: <0xid> log Identifier to uniquely id events for multiple snorts (same as -G) { 0:65535 }
 * implied snort.--markup: output help in asciidoc compatible format
 * int snort.--max-packet-threads: <count> configure maximum number of packet threads (same as -z) { 0:max32 }
 * implied snort.--mem-check: like -T but also compile search engines
 * string snort.--metadata-filter: <filter> load only rules containing filter string in metadata if set
 * implied snort.--nostamps: don’t include timestamps in log file names
 * implied snort.--nolock-pidfile: do not try to lock Snort PID file
 * implied snort.--no-warn-flowbits: ignore warnings about flowbits that are checked but not set and vice-versa
 * implied snort.--no-warn-rules: ignore warnings about duplicate rules and rule parsing issues
 * implied snort.--pause: wait for resume/quit command before processing packets/terminating
 * string snort.--pcap-file: <file> file that contains a list of pcaps to read - read mode is implied
 * string snort.--pcap-list: <list> a space separated list of pcaps to read - read mode is implied
 * string snort.--pcap-dir: <dir> a directory to recurse to look for pcaps - read mode is implied
 * string snort.--pcap-filter = .*cap: <filter> filter to apply when getting pcaps from file or directory
 * int snort.--pcap-loop: <count> read all pcaps <count> times; 0 will read until Snort is terminated { 0:max32 }
 * implied snort.--pcap-no-filter: reset to use no filter when getting pcaps from file or directory
 * implied snort.--pcap-show: print a line saying what pcap is currently being read
 * implied snort.--pedantic: warnings are fatal
 * string snort.--plugin-path: <path> a colon separated list of directories or plugin libraries
 * implied snort.--process-all-events: process all action groups
 * string snort.--rule: <rules> to be added to configuration; may be repeated
 * string snort.--rule-path: <path> where to find rules files
 * implied snort.--rule-to-hex: output so rule header to stdout for text rule on stdin
 * string snort.--rule-to-text: output plain so rule header to stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) { 16 }
 * string snort.--run-prefix: <pfx> prepend this to each output file
 * string snort.--script-path: <path> to a luajit script or directory containing luajit scripts
 * implied snort.--shell: enable the interactive command line
 * implied snort.--show-file-codes: indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively
 * implied snort.--show-plugins: list module and plugin versions
 * int snort.--skip: <n> skip 1st n packets { 0:max53 }
 * int snort.--snaplen = 1518: <snap> set snaplen of packet (same as -s) { 68:65535 }
 * implied snort.--stdin-rules: read rules from stdin until EOF or a line starting with END is read
 * implied snort.--talos: enable Talos tweak (same as --tweaks talos)
 * string snort.--tweaks: tune configuration
 * implied snort.--version: show version number (same as -V)
 * implied snort.--warn-all: enable all warnings
 * implied snort.--warn-conf: warn about configuration issues
 * implied snort.--warn-conf-strict: warn about unrecognized elements in configuration files
 * implied snort.--warn-daq: warn about DAQ issues, usually related to mode
 * implied snort.--warn-flowbits: warn about flowbits that are checked but not set and vice-versa
 * implied snort.--warn-hosts: warn about host table issues
 * implied snort.--warn-plugins: warn about issues that prevent plugins from loading
 * implied snort.--warn-rules: warn about duplicate rules and rule parsing issues
 * implied snort.--warn-scripts: warn about issues discovered while processing Lua scripts
 * implied snort.--warn-symbols: warn about unknown symbols in your Lua config
 * implied snort.--warn-vars: warn about variable definition and usage issues
 * int snort.--x2c: output ASCII char for given hex (see also --c2x) { 0x00:0xFF }
 * string snort.--x2s: output ASCII string for given byte code (see also --x2c)

Commands:

 * snort.show_plugins(): show available plugins
 * snort.delete_inspector(inspector): delete an inspector from the default policy
 * snort.dump_stats(): show summary statistics
 * snort.reset_stats(): clear summary statistics
 * snort.rotate_stats(): roll perfmonitor log files
 * snort.reload_config(filename): load new configuration
 * snort.reload_policy(filename): reload part or all of the default policy
 * snort.reload_module(module): reload module
 * snort.reload_daq(): reload daq module
 * snort.reload_hosts(filename): load a new hosts table
 * snort.pause(): suspend packet processing
 * snort.resume(pkt_num): continue packet processing. If number of packets is specified, will resume for n packets and pause
 * snort.detach(): detach from control shell (without shutting down)
 * snort.quit(): shutdown and dump-stats
 * snort.help(): this output

Peg counts:

 * snort.local_commands: total local commands processed (sum)
 * snort.remote_commands: total remote commands processed (sum)
 * snort.signals: total signals processed (sum)
 * snort.conf_reloads: number of times configuration was reloaded (sum)
 * snort.policy_reloads: number of times policies were reloaded (sum)
 * snort.inspector_deletions: number of times inspectors were deleted (sum)
 * snort.daq_reloads: number of times daq configuration was reloaded (sum)
 * snort.attribute_table_reloads: number of times hosts attribute table was reloaded (sum)
 * snort.attribute_table_hosts: number of hosts added to the attribute table (sum)
 * snort.attribute_table_overflow: number of host additions that failed due to attribute table full (sum)
2.30. suppress

--------------

Help: configure event suppressions

Type: basic

Usage: context

Configuration:

 * int suppress[].gid = 0: rule generator ID { 0:max32 }
 * int suppress[].sid = 0: rule signature ID { 0:max32 }
 * enum suppress[].track: suppress only matching source or destination addresses { by_src | by_dst }
 * string suppress[].ip: restrict suppression to these addresses according to track


2.31. trace

--------------

Help: configure trace log messages

Type: basic

Usage: global

Configuration:

 * int trace.modules.all: enable trace for all modules { 0:255 }
 * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
 * int trace.modules.dpx.all: enable all trace options { 0:255 }
 * int trace.modules.file_id.all: enable all trace options { 0:255 }
 * int trace.modules.http_inspect.all: enable all trace options { 0:255 }
 * int trace.modules.http_inspect.js_proc: enable JavaScript processing logging { 0:255 }
 * int trace.modules.http_inspect.js_dump: enable JavaScript data logging { 0:255 }
 * int trace.modules.snort.all: enable all trace options { 0:255 }
 * int trace.modules.snort.inspector_manager: enable inspector manager trace logging { 0:255 }
 * int trace.modules.vba_data.all: enable all trace options { 0:255 }
 * int trace.modules.wizard.all: enable all trace options { 0:255 }
 * int trace.constraints.ip_proto: numerical IP protocol ID filter { 0:255 }
 * string trace.constraints.src_ip: source IP address filter
 * int trace.constraints.src_port: source port filter { 0:65535 }
 * string trace.constraints.dst_ip: destination IP address filter
 * int trace.constraints.dst_port: destination port filter { 0:65535 }
 * bool trace.constraints.match = true: use constraints to filter traces
 * enum trace.output: output method for trace log messages { stdout | syslog }
 * bool trace.ntuple = false: print packet n-tuple info with trace messages
 * bool trace.timestamp = false: print message timestamps with trace messages

Commands:

 * trace.set(modules, constraints, ntuple, timestamp): set modules traces, constraints, ntuple and timestamp options
 * trace.clear(): clear modules traces and constraints


---------------------------------------------------------------------

3. Codec Modules

---------------------------------------------------------------------

Codec is short for coder / decoder. These modules are used for basic protocol decoding, anomaly detection, and construction of active responses.


3.1. arp

--------------

Help: support for address resolution protocol

Type: codec

Usage: context

Rules:

 * 116:109 (arp) truncated ARP


3.2. auth

--------------

Help: support for IP authentication header

Type: codec

Usage: context

Rules:

 * 116:465 (auth) truncated authentication header
 * 116:466 (auth) bad authentication header length
3.3. ciscometadata

--------------

Help: support for cisco metadata

Type: codec

Usage: context

Rules:

 * 116:468 (ciscometadata) truncated Cisco Metadata header
 * 116:469 (ciscometadata) invalid Cisco Metadata option length
 * 116:470 (ciscometadata) invalid Cisco Metadata option type
 * 116:471 (ciscometadata) invalid Cisco Metadata security group tag

Peg counts:

 * ciscometadata.truncated_hdr: total truncated Cisco Metadata headers (sum)
 * ciscometadata.invalid_hdr_ver: total invalid Cisco Metadata header versions (sum)
 * ciscometadata.invalid_hdr_len: total invalid Cisco Metadata header lengths (sum)
 * ciscometadata.invalid_opt_len: total invalid Cisco Metadata option lengths (sum)
 * ciscometadata.invalid_opt_type: total invalid Cisco Metadata option types (sum)
 * ciscometadata.invalid_sgt: total invalid Cisco Metadata security group tags (sum)


3.4. eapol

--------------

Help: support for extensible authentication protocol over LAN

Type: codec

Usage: context

Rules:

 * 116:110 (eapol) truncated EAP header
 * 116:111 (eapol) EAP key truncated
 * 116:112 (eapol) EAP header truncated


3.5. erspan2

--------------

Help: support for encapsulated remote switched port analyzer - type 2

Type: codec

Usage: context

Rules:

 * 116:462 (erspan2) ERSpan header version mismatch
 * 116:463 (erspan2) captured length < ERSpan type2 header length


3.6. erspan3

--------------

Help: support for encapsulated remote switched port analyzer - type 3

Type: codec

Usage: context

Rules:

 * 116:464 (erspan3) captured < ERSpan type3 header length
3.7. esp

--------------

Help: support for encapsulating security payload

Type: codec

Usage: context

Configuration:

 * bool esp.decode_esp = false: enable for inspection of esp traffic that has authentication but not encryption

Rules:

 * 116:294 (esp) truncated encapsulated security payload header


3.8. eth

--------------

Help: support for ethernet protocol (DLT 1) (DLT 51)

Type: codec

Usage: context

Rules:

 * 116:424 (eth) truncated ethernet header


3.9. fabricpath

--------------

Help: support for fabricpath

Type: codec

Usage: context

Rules:

 * 116:467 (fabricpath) truncated FabricPath header


3.10. geneve

--------------

Help: support for Geneve: Generic Network Virtualization Encapsulation

Type: codec

Usage: context

Rules:

 * 116:180 (geneve) insufficient room for geneve header
 * 116:181 (geneve) invalid version
 * 116:182 (geneve) invalid header
 * 116:183 (geneve) invalid flags
 * 116:184 (geneve) invalid options


3.11. gre

--------------

Help: support for generic routing encapsulation

Type: codec

Usage: context

Rules:

 * 116:160 (gre) GRE header length > payload length
 * 116:161 (gre) multiple encapsulations in packet
 * 116:162 (gre) invalid GRE version
 * 116:163 (gre) invalid GRE header
 * 116:164 (gre) invalid GRE v.1 PPTP header
 * 116:165 (gre) GRE trans header length > payload length
3.12. gtp

--------------

Help: support for general-packet-radio-service tunneling protocol

Type: codec

Usage: context

Rules:

 * 116:297 (gtp) two or more GTP encapsulation layers present
 * 116:298 (gtp) GTP header length is invalid


3.13. icmp4

--------------

Help: support for Internet control message protocol v4

Type: codec

Usage: context

Rules:

 * 116:105 (icmp4) ICMP header truncated
 * 116:106 (icmp4) ICMP timestamp header truncated
 * 116:107 (icmp4) ICMP address header truncated
 * 116:250 (icmp4) ICMP original IP header truncated
 * 116:251 (icmp4) ICMP version and original IP header versions differ
 * 116:252 (icmp4) ICMP original datagram length < original IP header length
 * 116:253 (icmp4) ICMP original IP payload < 64 bits
 * 116:254 (icmp4) ICMP original IP payload > 576 bytes
 * 116:255 (icmp4) ICMP original IP fragmented and offset not 0
 * 116:415 (icmp4) ICMP4 packet to multicast dest address
 * 116:416 (icmp4) ICMP4 packet to broadcast dest address
 * 116:418 (icmp4) ICMP4 type other
 * 116:426 (icmp4) truncated ICMP4 header
 * 116:434 (icmp4) ICMP ping Nmap
 * 116:435 (icmp4) ICMP icmpenum v1.1.1
 * 116:436 (icmp4) ICMP redirect host
 * 116:437 (icmp4) ICMP redirect net
 * 116:438 (icmp4) ICMP traceroute ipopts
 * 116:439 (icmp4) ICMP source quench
 * 116:440 (icmp4) broadscan smurf scanner
 * 116:441 (icmp4) ICMP destination unreachable communication administratively prohibited
 * 116:442 (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited
 * 116:443 (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited
 * 116:451 (icmp4) ICMP path MTU denial of service attempt
 * 116:452 (icmp4) Linux ICMP header DOS
attempt

Peg counts:

 * icmp4.bad_checksum: non-zero icmp checksums (sum)
 * icmp4.checksum_bypassed: checksum calculations bypassed (sum)


3.14. icmp6

--------------

Help: support for Internet control message protocol v6

Type: codec

Usage: context

Rules:

 * 116:285 (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < 1280
 * 116:286 (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code
 * 116:287 (icmp6) ICMPv6 router solicitation packet with a code not equal to 0
 * 116:288 (icmp6) ICMPv6 router advertisement packet with a code not equal to 0
 * 116:289 (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0
 * 116:290 (icmp6) ICMPv6 router advertisement packet with the reachable time field set > 1 hour
 * 116:427 (icmp6) truncated ICMPv6 header
 * 116:431 (icmp6) ICMPv6 type not decoded
 * 116:432 (icmp6) ICMPv6 packet to multicast address
 * 116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code
 * 116:460 (icmp6) ICMPv6 node info query/response packet with a code greater than 2
 * 116:474 (icmp6) ICMPv6 not encapsulated in IPv6

Peg counts:

 * icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
 * icmp6.checksum_bypassed: checksum calculations bypassed (sum)


3.15. igmp

--------------

Help: support for Internet group management protocol

Type: codec

Usage: context

Rules:

 * 116:455 (igmp) DOS IGMP IP options validation attempt
ipv4 2028 2029-------------- 2030 2031Help: support for Internet protocol v4 (DLT 228) 2032 2033Type: codec 2034 2035Usage: context 2036 2037Rules: 2038 2039 * 116:1 (ipv4) not IPv4 datagram 2040 * 116:2 (ipv4) IPv4 header length < minimum 2041 * 116:3 (ipv4) IPv4 datagram length < header field 2042 * 116:4 (ipv4) IPv4 options found with bad lengths 2043 * 116:5 (ipv4) truncated IPv4 options 2044 * 116:6 (ipv4) IPv4 datagram length > captured length 2045 * 116:404 (ipv4) IPv4 packet with zero TTL 2046 * 116:405 (ipv4) IPv4 packet with bad frag bits (both MF and DF 2047 set) 2048 * 116:407 (ipv4) IPv4 packet frag offset + length exceed maximum 2049 * 116:408 (ipv4) IPv4 packet from current net source address 2050 * 116:409 (ipv4) IPv4 packet to current net dest address 2051 * 116:410 (ipv4) IPv4 packet from multicast source address 2052 * 116:411 (ipv4) IPv4 packet from reserved source address 2053 * 116:412 (ipv4) IPv4 packet to reserved dest address 2054 * 116:413 (ipv4) IPv4 packet from broadcast source address 2055 * 116:414 (ipv4) IPv4 packet to broadcast dest address 2056 * 116:425 (ipv4) truncated IPv4 header 2057 * 116:428 (ipv4) IPv4 packet below TTL limit 2058 * 116:430 (ipv4) IPv4 packet both DF and offset set 2059 * 116:444 (ipv4) IPv4 option set 2060 * 116:448 (ipv4) IPv4 reserved bit set 2061 2062Peg counts: 2063 2064 * ipv4.bad_checksum: nonzero ip checksums (sum) 2065 * ipv4.checksum_bypassed: checksum calculations bypassed (sum) 2066 2067 20683.17. 
ipv6 2069 2070-------------- 2071 2072Help: support for Internet protocol v6 (DLT 229) 2073 2074Type: codec 2075 2076Usage: context 2077 2078Rules: 2079 2080 * 116:270 (ipv6) IPv6 packet below TTL limit 2081 * 116:271 (ipv6) IPv6 header claims to not be IPv6 2082 * 116:272 (ipv6) IPv6 truncated extension header 2083 * 116:273 (ipv6) IPv6 truncated header 2084 * 116:274 (ipv6) IPv6 datagram length < header field 2085 * 116:275 (ipv6) IPv6 datagram length > captured length 2086 * 116:276 (ipv6) IPv6 packet with destination address ::0 2087 * 116:277 (ipv6) IPv6 packet with multicast source address 2088 * 116:278 (ipv6) IPv6 packet with reserved multicast destination 2089 address 2090 * 116:279 (ipv6) IPv6 header includes an undefined option type 2091 * 116:280 (ipv6) IPv6 address includes an unassigned multicast 2092 scope value 2093 * 116:281 (ipv6) IPv6 header includes an invalid value for the next 2094 header field 2095 * 116:282 (ipv6) IPv6 header includes a routing extension header 2096 followed by a hop-by-hop header 2097 * 116:283 (ipv6) IPv6 header includes two routing extension headers 2098 * 116:291 (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, 2099 possible Linux kernel attack 2100 * 116:292 (ipv6) IPv6 header has destination options followed by a 2101 routing header 2102 * 116:295 (ipv6) IPv6 header includes an option which is too big 2103 for the containing header 2104 * 116:296 (ipv6) IPv6 packet includes out-of-order extension 2105 headers 2106 * 116:429 (ipv6) IPv6 packet has zero hop limit 2107 * 116:453 (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt 2108 * 116:456 (ipv6) too many IPv6 extension headers 2109 * 116:458 (ipv6) bogus fragmentation packet, possible BSD attack 2110 * 116:461 (ipv6) IPv6 routing type 0 extension header 2111 * 116:475 (ipv6) IPv6 mobility header includes an invalid value for 2112 the payload protocol field 2113 2114 21153.18. 
llc 2116 2117-------------- 2118 2119Help: support for logical link control 2120 2121Type: codec 2122 2123Usage: context 2124 2125Rules: 2126 2127 * 116:131 (llc) bad LLC header 2128 * 116:132 (llc) bad extra LLC info 2129 2130 21313.19. mpls 2132 2133-------------- 2134 2135Help: support for multiprotocol label switching 2136 2137Type: codec 2138 2139Usage: context 2140 2141Configuration: 2142 2143 * int mpls.max_stack_depth = -1: set maximum MPLS stack depth { 2144 -1:255 } 2145 * enum mpls.payload_type = auto: force encapsulated payload type { 2146 auto | eth | ip4 | ip6 } 2147 2148Rules: 2149 2150 * 116:170 (mpls) bad MPLS frame 2151 * 116:171 (mpls) MPLS label 0 appears in bottom header when not 2152 decoding as ip4 2153 * 116:172 (mpls) MPLS label 1 appears in bottom header 2154 * 116:173 (mpls) MPLS label 2 appears in bottom header when not 2155 decoding as ip6 2156 * 116:174 (mpls) MPLS label 3 appears in header 2157 * 116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header 2158 * 116:176 (mpls) too many MPLS headers 2159 2160 21613.20. pbb 2162 2163-------------- 2164 2165Help: support for 802.1ah protocol 2166 2167Type: codec 2168 2169Usage: context 2170 2171Rules: 2172 2173 * 116:424 (pbb) truncated ethernet header 2174 2175 21763.21. pgm 2177 2178-------------- 2179 2180Help: support for pragmatic general multicast 2181 2182Type: codec 2183 2184Usage: context 2185 2186Rules: 2187 2188 * 116:454 (pgm) PGM nak list overflow attempt 2189 2190 21913.22. pppoe 2192 2193-------------- 2194 2195Help: support for point-to-point protocol over ethernet 2196 2197Type: codec 2198 2199Usage: context 2200 2201Rules: 2202 2203 * 116:120 (pppoe) bad PPPOE frame detected 2204 2205 22063.23. 
tcp 2207 2208-------------- 2209 2210Help: support for transmission control protocol 2211 2212Type: codec 2213 2214Usage: context 2215 2216Rules: 2217 2218 * 116:45 (tcp) TCP packet length is smaller than 20 bytes 2219 * 116:46 (tcp) TCP data offset is less than 5 2220 * 116:47 (tcp) TCP header length exceeds packet length 2221 * 116:54 (tcp) TCP options found with bad lengths 2222 * 116:55 (tcp) truncated TCP options 2223 * 116:56 (tcp) T/TCP detected 2224 * 116:57 (tcp) obsolete TCP options found 2225 * 116:58 (tcp) experimental TCP options found 2226 * 116:59 (tcp) TCP window scale option found with length > 14 2227 * 116:400 (tcp) XMAS attack detected 2228 * 116:401 (tcp) Nmap XMAS attack detected 2229 * 116:402 (tcp) DOS NAPTHA vulnerability detected 2230 * 116:403 (tcp) SYN to multicast address 2231 * 116:419 (tcp) TCP urgent pointer exceeds payload length or no 2232 payload 2233 * 116:420 (tcp) TCP SYN with FIN 2234 * 116:421 (tcp) TCP SYN with RST 2235 * 116:422 (tcp) TCP PDU missing ack for established session 2236 * 116:423 (tcp) TCP has no SYN, ACK, or RST 2237 * 116:433 (tcp) DDOS shaft SYN flood 2238 * 116:446 (tcp) TCP port 0 traffic 2239 2240Peg counts: 2241 2242 * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum) 2243 * tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum) 2244 * tcp.checksum_bypassed: checksum calculations bypassed (sum) 2245 2246 22473.24. token_ring 2248 2249-------------- 2250 2251Help: support for token ring decoding 2252 2253Type: codec 2254 2255Usage: context 2256 2257Rules: 2258 2259 * 116:140 (token_ring) bad Token Ring header 2260 * 116:141 (token_ring) bad Token Ring ETHLLC header 2261 * 116:142 (token_ring) bad Token Ring MRLEN header 2262 * 116:143 (token_ring) bad Token Ring MR header 2263 2264 22653.25. 
udp 2266 2267-------------- 2268 2269Help: support for user datagram protocol 2270 2271Type: codec 2272 2273Usage: context 2274 2275Configuration: 2276 2277 * bool udp.deep_teredo_inspection = false: look for Teredo on all 2278 UDP ports (default is only 3544) 2279 * bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 } 2280 * bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 } 2281 * bit_list udp.geneve_ports = 6081: set Geneve ports { 65535 } 2282 2283Rules: 2284 2285 * 116:95 (udp) truncated UDP header 2286 * 116:96 (udp) invalid UDP header, length field < 8 2287 * 116:97 (udp) short UDP packet, length field > payload length 2288 * 116:98 (udp) long UDP packet, length field < payload length 2289 * 116:406 (udp) invalid IPv6 UDP packet, checksum zero 2290 * 116:445 (udp) large UDP packet (> 4000 bytes) 2291 * 116:447 (udp) UDP port 0 traffic 2292 2293Peg counts: 2294 2295 * udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum) 2296 * udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum) 2297 * udp.checksum_bypassed: checksum calculations bypassed (sum) 2298 2299 23003.26. vlan 2301 2302-------------- 2303 2304Help: support for local area network 2305 2306Type: codec 2307 2308Usage: context 2309 2310Rules: 2311 2312 * 116:130 (vlan) bad VLAN frame 2313 2314 23153.27. wlan 2316 2317-------------- 2318 2319Help: support for wireless local area network protocol (DLT 105) 2320 2321Type: codec 2322 2323Usage: context 2324 2325Rules: 2326 2327 * 116:133 (wlan) bad 802.11 LLC header 2328 * 116:134 (wlan) bad 802.11 extra LLC info 2329 2330 2331--------------------------------------------------------------------- 2332 23334. Connector Modules 2334 2335--------------------------------------------------------------------- 2336 2337Connectors support High Availability communication links. 2338 2339 23404.1. 
file_connector 2341 2342-------------- 2343 2344Help: implement the file based connector 2345 2346Type: connector 2347 2348Usage: global 2349 2350Configuration: 2351 2352 * string file_connector[].connector: connector name 2353 * string file_connector[].name: channel name 2354 * enum file_connector[].format: file format { binary | text } 2355 * enum file_connector[].direction: usage { receive | transmit | 2356 duplex } 2357 2358Peg counts: 2359 2360 * file_connector.messages: total messages (sum) 2361 2362 23634.2. tcp_connector 2364 2365-------------- 2366 2367Help: implement the tcp stream connector 2368 2369Type: connector 2370 2371Usage: global 2372 2373Configuration: 2374 2375 * string tcp_connector[].connector: connector name 2376 * string tcp_connector[].address: address 2377 * port tcp_connector[].base_port: base port number 2378 * enum tcp_connector[].setup: stream establishment { call | answer 2379 } 2380 2381Peg counts: 2382 2383 * tcp_connector.messages: total messages (sum) 2384 2385 2386--------------------------------------------------------------------- 2387 23885. Inspector Modules 2389 2390--------------------------------------------------------------------- 2391 2392These modules perform a variety of functions, including analysis of 2393protocols beyond basic decoding. 2394 2395 23965.1. 
appid 2397 2398-------------- 2399 2400Help: application and service identification 2401 2402Type: inspector (control) 2403 2404Usage: context 2405 2406Instance Type: network 2407 2408Configuration: 2409 2410 * int appid.memcap = 1048576: max size of the service cache before 2411 we start pruning the cache { 1024:maxSZ } 2412 * bool appid.log_stats = false: enable logging of appid statistics 2413 * int appid.app_stats_period = 300: time period for collecting and 2414 logging appid statistics { 1:max32 } 2415 * int appid.app_stats_rollover_size = 20971520: max file size for 2416 appid stats before rolling over the log file { 0:max32 } 2417 * string appid.app_detector_dir: directory to load appid detectors 2418 from 2419 * bool appid.list_odp_detectors = false: enable logging of odp 2420 detectors statistics 2421 * string appid.tp_appid_path: path to third party appid dynamic 2422 library 2423 * string appid.tp_appid_config: path to third party appid 2424 configuration file 2425 * bool appid.tp_appid_stats_enable: enable collection of stats and 2426 print stats on exit in third party module 2427 * bool appid.tp_appid_config_dump: print third party configuration 2428 on startup 2429 * bool appid.log_all_sessions = false: enable logging of all appid 2430 sessions 2431 * bool appid.enable_rna_filter = false: monitor only the networks 2432 specified in rna configuration 2433 * string appid.rna_conf_path: path to rna configuration file 2434 2435Commands: 2436 2437 * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): 2438 enable appid debugging 2439 * appid.disable_debug(): disable appid debugging 2440 * appid.reload_third_party(): reload appid third-party module 2441 * appid.reload_detectors(): reload appid detectors 2442 2443Peg counts: 2444 2445 * appid.packets: count of packets received (sum) 2446 * appid.processed_packets: count of packets processed (sum) 2447 * appid.ignored_packets: count of packets ignored (sum) 2448 * appid.total_sessions: count of 
sessions created (sum) 2449 * appid.appid_unknown: count of sessions where appid could not be 2450 determined (sum) 2451 * appid.service_cache_prunes: number of times the service cache was 2452 pruned (sum) 2453 * appid.service_cache_adds: number of times an entry was added to 2454 the service cache (sum) 2455 * appid.service_cache_removes: number of times an item was removed 2456 from the service cache (sum) 2457 * appid.odp_reload_ignored_pkts: count of packets ignored after 2458 open detector package is reloaded (sum) 2459 * appid.tp_reload_ignored_pkts: count of packets ignored after 2460 third-party module is reloaded (sum) 2461 2462 24635.2. appid_listener 2464 2465-------------- 2466 2467Help: log selected published data to appid_listener.log 2468 2469Type: inspector (passive) 2470 2471Usage: context 2472 2473Instance Type: network 2474 2475Configuration: 2476 2477 * bool appid_listener.json_logging = false: log appid data in json 2478 format 2479 * string appid_listener.file: output data to given file 2480 2481 24825.3. arp_spoof 2483 2484-------------- 2485 2486Help: detect ARP attacks and anomalies 2487 2488Type: inspector (network) 2489 2490Usage: inspect 2491 2492Instance Type: singleton 2493 2494Configuration: 2495 2496 * ip4 arp_spoof.hosts[].ip: host ip address 2497 * mac arp_spoof.hosts[].mac: host mac address 2498 2499Rules: 2500 2501 * 112:1 (arp_spoof) unicast ARP request 2502 * 112:2 (arp_spoof) ethernet/ARP mismatch for source hardware 2503 address 2504 * 112:3 (arp_spoof) ethernet/ARP mismatch for destination hardware 2505 address in reply 2506 * 112:4 (arp_spoof) attempted ARP cache overwrite attack 2507 2508Peg counts: 2509 2510 * arp_spoof.packets: total packets (sum) 2511 2512 25135.4. 
back_orifice 2514 2515-------------- 2516 2517Help: back orifice detection 2518 2519Type: inspector (network) 2520 2521Usage: inspect 2522 2523Instance Type: multiton 2524 2525Rules: 2526 2527 * 105:1 (back_orifice) Back orifice traffic detected, unknown 2528 direction 2529 * 105:2 (back_orifice) Back orifice client traffic detected 2530 * 105:3 (back_orifice) Back orifice server traffic detected 2531 * 105:4 (back_orifice) Back orifice length field >= 1024 bytes 2532 2533Peg counts: 2534 2535 * back_orifice.packets: total packets (sum) 2536 2537 25385.5. binder 2539 2540-------------- 2541 2542Help: configure processing based on CIDRs, ports, services, etc. 2543 2544Type: inspector (passive) 2545 2546Usage: inspect 2547 2548Instance Type: singleton 2549 2550Configuration: 2551 2552 * int binder[].when.ips_policy_id: unique ID for selection of this 2553 config by external logic { 0:max32 } 2554 * bit_list binder[].when.vlans: list of VLAN IDs { 4095 } 2555 * addr_list binder[].when.nets: list of networks 2556 * addr_list binder[].when.src_nets: list of source networks 2557 * addr_list binder[].when.dst_nets: list of destination networks 2558 * enum binder[].when.proto: protocol { any | ip | icmp | tcp | udp 2559 | user | file } 2560 * bit_list binder[].when.ports: list of ports { 65535 } 2561 * bit_list binder[].when.src_ports: list of source ports { 65535 } 2562 * bit_list binder[].when.dst_ports: list of destination ports { 2563 65535 } 2564 * string binder[].when.intfs: list of interface IDs 2565 * string binder[].when.src_intfs: list of source interface IDs 2566 * string binder[].when.dst_intfs: list of destination interface IDs 2567 * string binder[].when.groups: list of interface group IDs 2568 * string binder[].when.src_groups: list of source interface group 2569 IDs 2570 * string binder[].when.dst_groups: list of destination group IDs 2571 * string binder[].when.addr_spaces: list of address space IDs 2572 * string binder[].when.tenants: list of tenants 2573 
* enum binder[].when.role = any: use the given configuration on one 2574 or any end of a session { client | server | any } 2575 * string binder[].when.service: override default configuration 2576 * string binder[].when.zones: deprecated alias for groups 2577 * string binder[].when.src_zone: deprecated alias for src_groups 2578 * string binder[].when.dst_zone: deprecated alias for dst_groups 2579 * enum binder[].use.action = inspect: what to do with matching 2580 traffic { reset | block | allow | inspect } 2581 * string binder[].use.file: use configuration in given file 2582 * string binder[].use.network_policy: use network policy from given 2583 file 2584 * string binder[].use.inspection_policy: use inspection policy from 2585 given file 2586 * string binder[].use.ips_policy: use ips policy from given file 2587 * string binder[].use.service: override automatic service 2588 identification 2589 * string binder[].use.type: select module for binding 2590 * string binder[].use.name: symbol name (defaults to type) 2591 2592Peg counts: 2593 2594 * binder.raw_packets: raw packets evaluated (sum) 2595 * binder.new_flows: new flows evaluated (sum) 2596 * binder.service_changes: flow service changes evaluated (sum) 2597 * binder.assistant_inspectors: flow assistant inspector requests 2598 handled (sum) 2599 * binder.new_standby_flows: new HA flows evaluated (sum) 2600 * binder.no_match: binding evaluations that had no matches (sum) 2601 * binder.resets: reset actions bound (sum) 2602 * binder.blocks: block actions bound (sum) 2603 * binder.allows: allow actions bound (sum) 2604 * binder.inspects: inspect actions bound (sum) 2605 2606 26075.6. 
cip 2608 2609-------------- 2610 2611Help: cip inspection 2612 2613Type: inspector (service) 2614 2615Usage: inspect 2616 2617Instance Type: multiton 2618 2619Configuration: 2620 2621 * string cip.embedded_cip_path = false: check embedded CIP path 2622 * int cip.unconnected_timeout = 300: unconnected timeout in seconds 2623 { 0:360 } 2624 * int cip.max_cip_connections = 100: max cip connections { 1:10000 2625 } 2626 * int cip.max_unconnected_messages = 100: max unconnected cip 2627 messages { 1:10000 } 2628 2629Rules: 2630 2631 * 148:1 (cip) CIP data is malformed 2632 * 148:2 (cip) CIP data is non-conforming to ODVA standard 2633 * 148:3 (cip) CIP connection limit exceeded. Least recently used 2634 connection removed 2635 * 148:4 (cip) CIP unconnected request limit exceeded. Oldest 2636 request removed 2637 2638Peg counts: 2639 2640 * cip.packets: total packets (sum) 2641 * cip.session: total sessions (sum) 2642 * cip.concurrent_sessions: total concurrent SIP sessions (now) 2643 * cip.max_concurrent_sessions: maximum concurrent SIP sessions 2644 (max) 2645 2646 26475.7. cpeos_test 2648 2649-------------- 2650 2651Help: for testing CPE OS RNA event generation 2652 2653Type: inspector (control) 2654 2655Usage: context 2656 2657Instance Type: network 2658 2659 26605.8. data_log 2661 2662-------------- 2663 2664Help: log selected published data to data.log 2665 2666Type: inspector (passive) 2667 2668Usage: inspect 2669 2670Instance Type: singleton 2671 2672Configuration: 2673 2674 * select data_log.key = http_request_header_event : name of the 2675 event to log { http_request_header_event | 2676 http_response_header_event } 2677 * int data_log.limit = 0: set maximum size in MB before rollover (0 2678 is unlimited) { 0:max32 } 2679 2680Peg counts: 2681 2682 * data_log.packets: total packets (sum) 2683 2684 26855.9. 
dce_http_proxy 2686 2687-------------- 2688 2689Help: dce over http inspection - client to/from proxy 2690 2691Type: inspector (service) 2692 2693Usage: inspect 2694 2695Instance Type: multiton 2696 2697Peg counts: 2698 2699 * dce_http_proxy.http_proxy_sessions: successful http proxy 2700 sessions (sum) 2701 * dce_http_proxy.http_proxy_session_failures: failed http proxy 2702 sessions (sum) 2703 2704 27055.10. dce_http_server 2706 2707-------------- 2708 2709Help: dce over http inspection - proxy to/from server 2710 2711Type: inspector (service) 2712 2713Usage: inspect 2714 2715Instance Type: multiton 2716 2717Peg counts: 2718 2719 * dce_http_server.http_server_sessions: successful http server 2720 sessions (sum) 2721 * dce_http_server.http_server_session_failures: failed http server 2722 sessions (sum) 2723 2724 27255.11. dce_smb 2726 2727-------------- 2728 2729Help: dce over smb inspection 2730 2731Type: inspector (service) 2732 2733Usage: inspect 2734 2735Instance Type: multiton 2736 2737Configuration: 2738 2739 * bool dce_smb.limit_alerts = true: limit DCE alert to at most one 2740 per signature per flow 2741 * bool dce_smb.disable_defrag = false: disable DCE/RPC 2742 defragmentation 2743 * int dce_smb.max_frag_len = 65535: maximum fragment size for 2744 defragmentation { 1514:65535 } 2745 * int dce_smb.reassemble_threshold = 0: minimum bytes received 2746 before performing reassembly { 0:65535 } 2747 * enum dce_smb.smb_fingerprint_policy = none: target based SMB 2748 policy to use { none | client | server | both } 2749 * enum dce_smb.policy = WinXP: target based policy to use { Win2000 2750 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | 2751 Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 } 2752 * int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 } 2753 * int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 } 2754 * multi dce_smb.valid_smb_versions = all: valid SMB versions { v1 | 2755 v2 | all } 2756 * enum dce_smb.smb_file_inspection: 
deprecated (not used): file 2757 inspection controlled by smb_file_depth { off | on | only } 2758 * int dce_smb.smb_file_depth = 16384: SMB file depth for file data 2759 (-1 = disabled, 0 = unlimited) { -1:32767 } 2760 * string dce_smb.smb_invalid_shares: SMB shares to alert on 2761 * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1 2762 * int dce_smb.smb_max_credit = 8192: Maximum number of outstanding 2763 request { 1:65536 } 2764 * int dce_smb.memcap = 8388608: Memory utilization limit on smb { 2765 512:maxSZ } 2766 2767Rules: 2768 2769 * 133:2 (dce_smb) SMB - bad NetBIOS session service session type 2770 * 133:3 (dce_smb) SMB - bad SMB message type 2771 * 133:4 (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \ 2772 xfeSMB for SMB2) 2773 * 133:5 (dce_smb) SMB - bad word count or structure size 2774 * 133:6 (dce_smb) SMB - bad byte count 2775 * 133:7 (dce_smb) SMB - bad format type 2776 * 133:8 (dce_smb) SMB - bad offset 2777 * 133:9 (dce_smb) SMB - zero total data count 2778 * 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header 2779 length 2780 * 133:11 (dce_smb) SMB - remaining NetBIOS data length less than 2781 command length 2782 * 133:12 (dce_smb) SMB - remaining NetBIOS data length less than 2783 command byte count 2784 * 133:13 (dce_smb) SMB - remaining NetBIOS data length less than 2785 command data size 2786 * 133:14 (dce_smb) SMB - remaining total data count less than this 2787 command data size 2788 * 133:15 (dce_smb) SMB - total data sent (STDu64) greater than 2789 command total data expected 2790 * 133:16 (dce_smb) SMB - byte count less than command data size 2791 (STDu64) 2792 * 133:17 (dce_smb) SMB - invalid command data size for byte count 2793 * 133:18 (dce_smb) SMB - excessive tree connect requests with 2794 pending tree connect responses 2795 * 133:19 (dce_smb) SMB - excessive read requests with pending read 2796 responses 2797 * 133:20 (dce_smb) SMB - excessive command chaining 2798 * 133:21 (dce_smb) SMB - Multiple 
chained login requests 2799 * 133:22 (dce_smb) SMB - Multiple chained tree connect requests 2800 * 133:23 (dce_smb) SMB - chained/compounded login followed by 2801 logoff 2802 * 133:24 (dce_smb) SMB - chained/compounded tree connect followed 2803 by tree disconnect 2804 * 133:25 (dce_smb) SMB - chained/compounded open pipe followed by 2805 close pipe 2806 * 133:26 (dce_smb) SMB - invalid share access 2807 * 133:44 (dce_smb) SMB - invalid SMB version 1 seen 2808 * 133:45 (dce_smb) SMB - invalid SMB version 2 seen 2809 * 133:46 (dce_smb) SMB - invalid user, tree connect, file binding 2810 * 133:47 (dce_smb) SMB - excessive command compounding 2811 * 133:48 (dce_smb) SMB - zero data count 2812 * 133:50 (dce_smb) SMB - maximum number of outstanding requests 2813 exceeded 2814 * 133:51 (dce_smb) SMB - outstanding requests with same MID 2815 * 133:52 (dce_smb) SMB - deprecated dialect negotiated 2816 * 133:53 (dce_smb) SMB - deprecated command used 2817 * 133:54 (dce_smb) SMB - unusual command used 2818 * 133:55 (dce_smb) SMB - invalid setup count for command 2819 * 133:56 (dce_smb) SMB - client attempted multiple dialect 2820 negotiations on session 2821 * 133:57 (dce_smb) SMB - client attempted to create or set a file’s 2822 attributes to readonly/hidden/system 2823 * 133:58 (dce_smb) SMB - file offset provided is greater than file 2824 size specified 2825 * 133:59 (dce_smb) SMB - next command specified in SMB2 header is 2826 beyond payload boundary 2827 2828Peg counts: 2829 2830 * dce_smb.events: total events (sum) 2831 * dce_smb.pdus: total connection-oriented PDUs (sum) 2832 * dce_smb.binds: total connection-oriented binds (sum) 2833 * dce_smb.bind_acks: total connection-oriented binds acks (sum) 2834 * dce_smb.alter_contexts: total connection-oriented alter contexts 2835 (sum) 2836 * dce_smb.alter_context_responses: total connection-oriented alter 2837 context responses (sum) 2838 * dce_smb.bind_naks: total connection-oriented bind naks (sum) 2839 * 
dce_smb.requests: total connection-oriented requests (sum) 2840 * dce_smb.responses: total connection-oriented responses (sum) 2841 * dce_smb.cancels: total connection-oriented cancels (sum) 2842 * dce_smb.orphaned: total connection-oriented orphaned (sum) 2843 * dce_smb.faults: total connection-oriented faults (sum) 2844 * dce_smb.auth3s: total connection-oriented auth3s (sum) 2845 * dce_smb.shutdowns: total connection-oriented shutdowns (sum) 2846 * dce_smb.rejects: total connection-oriented rejects (sum) 2847 * dce_smb.ms_rpc_http_pdus: total connection-oriented MS requests 2848 to send RPC over HTTP (sum) 2849 * dce_smb.other_requests: total connection-oriented other requests 2850 (sum) 2851 * dce_smb.other_responses: total connection-oriented other 2852 responses (sum) 2853 * dce_smb.request_fragments: total connection-oriented request 2854 fragments (sum) 2855 * dce_smb.response_fragments: total connection-oriented response 2856 fragments (sum) 2857 * dce_smb.client_max_fragment_size: connection-oriented client 2858 maximum fragment size (sum) 2859 * dce_smb.client_min_fragment_size: connection-oriented client 2860 minimum fragment size (sum) 2861 * dce_smb.client_segs_reassembled: total connection-oriented client 2862 segments reassembled (sum) 2863 * dce_smb.client_frags_reassembled: total connection-oriented 2864 client fragments reassembled (sum) 2865 * dce_smb.server_max_fragment_size: connection-oriented server 2866 maximum fragment size (sum) 2867 * dce_smb.server_min_fragment_size: connection-oriented server 2868 minimum fragment size (sum) 2869 * dce_smb.server_segs_reassembled: total connection-oriented server 2870 segments reassembled (sum) 2871 * dce_smb.server_frags_reassembled: total connection-oriented 2872 server fragments reassembled (sum) 2873 * dce_smb.sessions: total smb sessions (sum) 2874 * dce_smb.packets: total smb packets (sum) 2875 * dce_smb.ignored_bytes: total ignored bytes (sum) 2876 * dce_smb.smb_client_segs_reassembled: total 
smb client segments 2877 reassembled (sum) 2878 * dce_smb.smb_server_segs_reassembled: total smb server segments 2879 reassembled (sum) 2880 * dce_smb.max_outstanding_requests: total smb maximum outstanding 2881 requests (sum) 2882 * dce_smb.files_processed: total smb files processed (sum) 2883 * dce_smb.v2_setup: total number of SMBv2 setup packets seen (sum) 2884 * dce_smb.v2_setup_err_resp: total number of SMBv2 setup error 2885 response packets seen (sum) 2886 * dce_smb.v2_setup_inv_str_sz: total number of SMBv2 setup packets 2887 seen with invalid structure size (sum) 2888 * dce_smb.v2_setup_resp_hdr_err: total number of SMBv2 setup 2889 response packets ignored due to corrupted header (sum) 2890 * dce_smb.v2_tree_cnct: total number of SMBv2 tree connect packets 2891 seen (sum) 2892 * dce_smb.v2_tree_cnct_err_resp: total number of SMBv2 tree connect 2893 error response packets seen (sum) 2894 * dce_smb.v2_tree_cnct_ignored: total number of SMBv2 setup 2895 response packets ignored due to failure in creating tree tracker 2896 (sum) 2897 * dce_smb.v2_tree_cnct_inv_str_sz: total number of SMBv2 tree 2898 connect packets seen with invalid structure size (sum) 2899 * dce_smb.v2_tree_cnct_resp_hdr_err: total number of SMBv2 tree 2900 connect response packets ignored due to corrupted header (sum) 2901 * dce_smb.v2_crt: total number of SMBv2 create packets seen (sum) 2902 * dce_smb.v2_crt_err_resp: total number of SMBv2 create error 2903 response packets seen (sum) 2904 * dce_smb.v2_crt_inv_file_data: total number of SMBv2 create 2905 request packets ignored due to error in getting file name (sum) 2906 * dce_smb.v2_crt_inv_str_sz: total number of SMBv2 create packets 2907 seen with invalid structure size (sum) 2908 * dce_smb.v2_crt_resp_hdr_err: total number of SMBv2 create 2909 response packets ignored due to corrupted header (sum) 2910 * dce_smb.v2_crt_req_hdr_err: total number of SMBv2 create request 2911 packets ignored due to corrupted header (sum) 2912 * 
dce_smb.v2_crt_rtrkr_misng: total number of SMBv2 create response 2913 packets ignored due to missing create request tracker (sum) 2914 * dce_smb.v2_crt_req_ipc: total number of SMBv2 create request 2915 packets ignored as share type is IPC (sum) 2916 * dce_smb.v2_crt_tree_trkr_misng: total number of SMBv2 create 2917 response packets ignored due to missing tree tracker (sum) 2918 * dce_smb.v2_wrt: total number of SMBv2 write packets seen (sum) 2919 * dce_smb.v2_wrt_err_resp: total number of SMBv2 write error 2920 response packets seen (sum) 2921 * dce_smb.v2_wrt_inv_str_sz: total number of SMBv2 write packets 2922 seen with invalid structure size (sum) 2923 * dce_smb.v2_wrt_req_hdr_err: total number of SMBv2 write request 2924 packets ignored due to corrupted header (sum) 2925 * dce_smb.v2_wrt_resp_hdr_err: total number of SMBv2 write response 2926 packets ignored due to corrupted header (sum) 2927 * dce_smb.v2_read: total number of SMBv2 read packets seen (sum) 2928 * dce_smb.v2_read_err_resp: total number of SMBv2 read error 2929 response packets seen (sum) 2930 * dce_smb.v2_read_inv_str_sz: total number of SMBv2 read packets 2931 seen with invalid structure size (sum) 2932 * dce_smb.v2_read_rtrkr_misng: total number of SMBv2 read response 2933 packets ignored due to missing read request tracker (sum) 2934 * dce_smb.v2_read_resp_hdr_err: total number of SMBv2 read response 2935 packets ignored due to corrupted header (sum) 2936 * dce_smb.v2_read_req_hdr_err: total number of SMBv2 read request 2937 packets ignored due to corrupted header (sum) 2938 * dce_smb.v2_setinfo: total number of SMBv2 set info packets seen 2939 (sum) 2940 * dce_smb.v2_stinf_err_resp: total number of SMBv2 set info error 2941 response packets seen (sum) 2942 * dce_smb.v2_stinf_inv_str_sz: total number of SMBv2 set info 2943 packets seen with invalid structure size (sum) 2944 * dce_smb.v2_stinf_req_ftrkr_misng: total number of SMBv2 set info 2945 request packets ignored due to missing file 
tracker (sum) 2946 * dce_smb.v2_stinf_req_hdr_err: total number of SMBv2 set info 2947 request packets ignored due to corrupted header (sum) 2948 * dce_smb.v2_cls: total number of SMBv2 close packets seen (sum) 2949 * dce_smb.v2_cls_err_resp: total number of SMBv2 close error 2950 response packets seen (sum) 2951 * dce_smb.v2_cls_inv_str_sz: total number of SMBv2 close packets 2952 seen with invalid structure size (sum) 2953 * dce_smb.v2_cls_req_ftrkr_misng: total number of SMBv2 close 2954 request packets ignored due to missing file tracker (sum) 2955 * dce_smb.v2_cls_req_hdr_err: total number of SMBv2 close request 2956 packets ignored due to corrupted header (sum) 2957 * dce_smb.v2_tree_discn: total number of SMBv2 tree disconnect 2958 packets seen (sum) 2959 * dce_smb.v2_tree_discn_ignored: total number of SMBv2 tree 2960 disconnect packets ignored due to missing trackers or invalid 2961 share type (sum) 2962 * dce_smb.v2_tree_discn_inv_str_sz: total number of SMBv2 tree 2963 disconnect packets seen with invalid structure size (sum) 2964 * dce_smb.v2_tree_discn_req_hdr_err: total number of SMBv2 tree 2965 disconnect request packets ignored due to corrupted header (sum) 2966 * dce_smb.v2_logoff: total number of SMBv2 logoff (sum) 2967 * dce_smb.v2_logoff_inv_str_sz: total number of SMBv2 logoff 2968 packets seen with invalid structure size (sum) 2969 * dce_smb.v2_hdr_err: total number of SMBv2 packets seen with 2970 corrupted hdr (sum) 2971 * dce_smb.v2_bad_next_cmd_offset: total number of SMBv2 packets 2972 seen with invalid next command offset (sum) 2973 * dce_smb.v2_inv_file_ctx_err: total number of times null file 2974 context are seen resulting in not being able to set file size 2975 (sum) 2976 * dce_smb.v2_msgs_uninspected: total number of SMBv2 packets seen 2977 where command is not being inspected (sum) 2978 * dce_smb.v2_cmpnd_req_lt_crossed: total number of SMBv2 packets 2979 seen where compound requests exceed the smb_max_compound limit 2980 (sum) 2981 
* dce_smb.v2_tree_ignored: total number of packets ignored due to 2982 missing tree tracker (sum) 2983 * dce_smb.v2_session_ignored: total number of packets ignored due 2984 to missing session tracker (sum) 2985 * dce_smb.v2_ioctl: total number of ioctl calls (sum) 2986 * dce_smb.v2_ioctl_err_resp: total number of ioctl errors responses 2987 (sum) 2988 * dce_smb.v2_ioctl_inv_str_sz: total number of ioctl invalid 2989 structure size (sum) 2990 * dce_smb.v2_ioctl_req_hdr_err: total number of ioctl request 2991 header errors (sum) 2992 * dce_smb.v2_ioctl_resp_hdr_err: total number of ioctl response 2993 header errors (sum) 2994 * dce_smb.concurrent_sessions: total concurrent sessions (now) 2995 * dce_smb.max_concurrent_sessions: maximum concurrent sessions 2996 (max) 2997 * dce_smb.total_smb1_sessions: total smb1 sessions (sum) 2998 * dce_smb.total_smb2_sessions: total smb2 sessions (sum) 2999 * dce_smb.total_encrypted_sessions: total encrypted sessions (sum) 3000 * dce_smb.total_mc_sessions: total multichannel sessions (sum) 3001 3002 30035.12. 
dce_tcp 3004 3005-------------- 3006 3007Help: dce over tcp inspection 3008 3009Type: inspector (service) 3010 3011Usage: inspect 3012 3013Instance Type: multiton 3014 3015Configuration: 3016 3017 * bool dce_tcp.limit_alerts = true: limit DCE alert to at most one 3018 per signature per flow 3019 * bool dce_tcp.disable_defrag = false: disable DCE/RPC 3020 defragmentation 3021 * int dce_tcp.max_frag_len = 65535: maximum fragment size for 3022 defragmentation { 1514:65535 } 3023 * int dce_tcp.reassemble_threshold = 0: minimum bytes received 3024 before performing reassembly { 0:65535 } 3025 * enum dce_tcp.policy = WinXP: target based policy to use { Win2000 3026 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | 3027 Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 } 3028 3029Rules: 3030 3031 * 133:27 (dce_tcp) connection oriented DCE/RPC - invalid major 3032 version 3033 * 133:28 (dce_tcp) connection oriented DCE/RPC - invalid minor 3034 version 3035 * 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type 3036 * 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length 3037 less than header size 3038 * 133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment 3039 length less than size needed 3040 * 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items 3041 specified 3042 * 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer 3043 syntaxes specified 3044 * 133:34 (dce_tcp) connection-oriented DCE/RPC - fragment length on 3045 non-last fragment less than maximum negotiated fragment transmit 3046 size for client 3047 * 133:35 (dce_tcp) connection-oriented DCE/RPC - fragment length 3048 greater than maximum negotiated fragment transmit size 3049 * 133:36 (dce_tcp) connection-oriented DCE/RPC - alter context byte 3050 order different from bind 3051 * 133:37 (dce_tcp) connection-oriented DCE/RPC - call id of non 3052 first/last fragment different from call id established for 3053 fragmented request 3054 * 133:38 (dce_tcp) 
connection-oriented DCE/RPC - opnum of non first 3055 /last fragment different from opnum established for fragmented 3056 request 3057 * 133:39 (dce_tcp) connection-oriented DCE/RPC - context id of non 3058 first/last fragment different from context id established for 3059 fragmented request 3060 3061Peg counts: 3062 3063 * dce_tcp.events: total events (sum) 3064 * dce_tcp.pdus: total connection-oriented PDUs (sum) 3065 * dce_tcp.binds: total connection-oriented binds (sum) 3066 * dce_tcp.bind_acks: total connection-oriented binds acks (sum) 3067 * dce_tcp.alter_contexts: total connection-oriented alter contexts 3068 (sum) 3069 * dce_tcp.alter_context_responses: total connection-oriented alter 3070 context responses (sum) 3071 * dce_tcp.bind_naks: total connection-oriented bind naks (sum) 3072 * dce_tcp.requests: total connection-oriented requests (sum) 3073 * dce_tcp.responses: total connection-oriented responses (sum) 3074 * dce_tcp.cancels: total connection-oriented cancels (sum) 3075 * dce_tcp.orphaned: total connection-oriented orphaned (sum) 3076 * dce_tcp.faults: total connection-oriented faults (sum) 3077 * dce_tcp.auth3s: total connection-oriented auth3s (sum) 3078 * dce_tcp.shutdowns: total connection-oriented shutdowns (sum) 3079 * dce_tcp.rejects: total connection-oriented rejects (sum) 3080 * dce_tcp.ms_rpc_http_pdus: total connection-oriented MS requests 3081 to send RPC over HTTP (sum) 3082 * dce_tcp.other_requests: total connection-oriented other requests 3083 (sum) 3084 * dce_tcp.other_responses: total connection-oriented other 3085 responses (sum) 3086 * dce_tcp.request_fragments: total connection-oriented request 3087 fragments (sum) 3088 * dce_tcp.response_fragments: total connection-oriented response 3089 fragments (sum) 3090 * dce_tcp.client_max_fragment_size: connection-oriented client 3091 maximum fragment size (sum) 3092 * dce_tcp.client_min_fragment_size: connection-oriented client 3093 minimum fragment size (sum) 3094 * 
dce_tcp.client_segs_reassembled: total connection-oriented client 3095 segments reassembled (sum) 3096 * dce_tcp.client_frags_reassembled: total connection-oriented 3097 client fragments reassembled (sum) 3098 * dce_tcp.server_max_fragment_size: connection-oriented server 3099 maximum fragment size (sum) 3100 * dce_tcp.server_min_fragment_size: connection-oriented server 3101 minimum fragment size (sum) 3102 * dce_tcp.server_segs_reassembled: total connection-oriented server 3103 segments reassembled (sum) 3104 * dce_tcp.server_frags_reassembled: total connection-oriented 3105 server fragments reassembled (sum) 3106 * dce_tcp.tcp_sessions: total tcp sessions (sum) 3107 * dce_tcp.tcp_expected_sessions: total tcp dynamic endpoint 3108 expected sessions (sum) 3109 * dce_tcp.tcp_expected_realized: total tcp dynamic endpoint 3110 expected realized sessions (sum) 3111 * dce_tcp.tcp_packets: total tcp packets (sum) 3112 * dce_tcp.concurrent_sessions: total concurrent sessions (now) 3113 * dce_tcp.max_concurrent_sessions: maximum concurrent sessions 3114 (max) 3115 3116 31175.13. 
dce_udp 3118 3119-------------- 3120 3121Help: dce over udp inspection 3122 3123Type: inspector (service) 3124 3125Usage: inspect 3126 3127Instance Type: multiton 3128 3129Configuration: 3130 3131 * bool dce_udp.limit_alerts = true: limit DCE alert to at most one 3132 per signature per flow 3133 * bool dce_udp.disable_defrag = false: disable DCE/RPC 3134 defragmentation 3135 * int dce_udp.max_frag_len = 65535: maximum fragment size for 3136 defragmentation { 1514:65535 } 3137 3138Rules: 3139 3140 * 133:40 (dce_udp) connection-less DCE/RPC - invalid major version 3141 * 133:41 (dce_udp) connection-less DCE/RPC - invalid PDU type 3142 * 133:42 (dce_udp) connection-less DCE/RPC - data length less than 3143 header size 3144 * 133:43 (dce_udp) connection-less DCE/RPC - bad sequence number 3145 3146Peg counts: 3147 3148 * dce_udp.events: total events (sum) 3149 * dce_udp.udp_sessions: total udp sessions (sum) 3150 * dce_udp.udp_packets: total udp packets (sum) 3151 * dce_udp.requests: total connection-less requests (sum) 3152 * dce_udp.acks: total connection-less acks (sum) 3153 * dce_udp.cancels: total connection-less cancels (sum) 3154 * dce_udp.client_facks: total connection-less client facks (sum) 3155 * dce_udp.ping: total connection-less ping (sum) 3156 * dce_udp.responses: total connection-less responses (sum) 3157 * dce_udp.rejects: total connection-less rejects (sum) 3158 * dce_udp.cancel_acks: total connection-less cancel acks (sum) 3159 * dce_udp.server_facks: total connection-less server facks (sum) 3160 * dce_udp.faults: total connection-less faults (sum) 3161 * dce_udp.no_calls: total connection-less no calls (sum) 3162 * dce_udp.working: total connection-less working (sum) 3163 * dce_udp.other_requests: total connection-less other requests 3164 (sum) 3165 * dce_udp.other_responses: total connection-less other responses 3166 (sum) 3167 * dce_udp.fragments: total connection-less fragments (sum) 3168 * dce_udp.max_fragment_size: connection-less maximum 
fragment size 3169 (sum) 3170 * dce_udp.frags_reassembled: total connection-less fragments 3171 reassembled (sum) 3172 * dce_udp.max_seqnum: max connection-less seqnum (sum) 3173 * dce_udp.concurrent_sessions: total concurrent sessions (now) 3174 * dce_udp.max_concurrent_sessions: maximum concurrent sessions 3175 (max) 3176 3177 31785.14. dnp3 3179 3180-------------- 3181 3182Help: dnp3 inspection 3183 3184Type: inspector (service) 3185 3186Usage: inspect 3187 3188Instance Type: multiton 3189 3190Configuration: 3191 3192 * bool dnp3.check_crc = false: validate checksums in DNP3 link 3193 layer frames 3194 3195Rules: 3196 3197 * 145:1 (dnp3) DNP3 link-layer frame contains bad CRC 3198 * 145:2 (dnp3) DNP3 link-layer frame is truncated or frame length 3199 is invalid 3200 * 145:3 (dnp3) DNP3 transport-layer segment sequence number is 3201 incorrect 3202 * 145:4 (dnp3) DNP3 transport-layer segment flag violation is 3203 detected 3204 * 145:5 (dnp3) DNP3 link-layer frame uses a reserved address 3205 * 145:6 (dnp3) DNP3 application-layer fragment uses a reserved 3206 function code 3207 3208Peg counts: 3209 3210 * dnp3.total_packets: total packets (sum) 3211 * dnp3.udp_packets: total udp packets (sum) 3212 * dnp3.tcp_pdus: total tcp pdus (sum) 3213 * dnp3.dnp3_link_layer_frames: total dnp3 link layer frames (sum) 3214 * dnp3.dnp3_application_pdus: total dnp3 application pdus (sum) 3215 * dnp3.concurrent_sessions: total concurrent dnp3 sessions (now) 3216 * dnp3.max_concurrent_sessions: maximum concurrent dnp3 sessions 3217 (max) 3218 3219 32205.15. 
dns 3221 3222-------------- 3223 3224Help: dns inspection 3225 3226Type: inspector (service) 3227 3228Usage: inspect 3229 3230Instance Type: multiton 3231 3232Rules: 3233 3234 * 131:1 (dns) obsolete DNS RR types 3235 * 131:2 (dns) experimental DNS RR types 3236 * 131:3 (dns) DNS client rdata txt overflow 3237 3238Peg counts: 3239 3240 * dns.packets: total packets processed (sum) 3241 * dns.requests: total dns requests (sum) 3242 * dns.responses: total dns responses (sum) 3243 * dns.concurrent_sessions: total concurrent dns sessions (now) 3244 * dns.max_concurrent_sessions: maximum concurrent dns sessions 3245 (max) 3246 3247 32485.16. domain_filter 3249 3250-------------- 3251 3252Help: alert on configured HTTP domains 3253 3254Type: inspector (passive) 3255 3256Usage: inspect 3257 3258Instance Type: singleton 3259 3260Configuration: 3261 3262 * string domain_filter.file: file with list of domains identifying 3263 hosts to be filtered 3264 * string domain_filter.hosts: list of domains identifying hosts to 3265 be filtered 3266 3267Rules: 3268 3269 * 175:1 (domain_filter) configured domain detected 3270 3271Peg counts: 3272 3273 * domain_filter.checked: domains checked (sum) 3274 * domain_filter.filtered: domains filtered (sum) 3275 3276 32775.17. dpx 3278 3279-------------- 3280 3281Help: dynamic inspector example 3282 3283Type: inspector (network) 3284 3285Usage: inspect 3286 3287Instance Type: singleton 3288 3289Configuration: 3290 3291 * port dpx.port: port to check 3292 * int dpx.max = 0: maximum payload before alert { 0:65535 } 3293 3294Rules: 3295 3296 * 256:1 (dpx) too much data sent to port 3297 3298Peg counts: 3299 3300 * dpx.packets: total packets (sum) 3301 3302 33035.18. 
file_id 3304 3305-------------- 3306 3307Help: configure file identification 3308 3309Type: inspector (passive) 3310 3311Usage: global 3312 3313Instance Type: global 3314 3315Configuration: 3316 3317 * int file_id.type_depth = 1460: stop type ID at this point { 3318 0:max53 } 3319 * int file_id.signature_depth = 10485760: stop signature at this 3320 point { 0:max53 } 3321 * int file_id.block_timeout = 86400: stop blocking after this many 3322 seconds { 0:max31 } 3323 * int file_id.lookup_timeout = 2: give up on lookup after this many 3324 seconds { 0:max31 } 3325 * bool file_id.block_timeout_lookup = false: block if lookup times 3326 out 3327 * int file_id.capture_memcap = 100: memcap for file capture in 3328 megabytes { 0:max53 } 3329 * int file_id.capture_max_size = 1048576: stop file capture beyond 3330 this point { 0:max53 } 3331 * int file_id.capture_min_size = 0: stop file capture if file size 3332 less than this { 0:max53 } 3333 * int file_id.capture_block_size = 32768: file capture block size 3334 in bytes { 8:max53 } 3335 * int file_id.max_files_cached = 65536: maximal number of files 3336 cached in memory { 8:max53 } 3337 * int file_id.max_files_per_flow = 128: maximal number of files 3338 able to be concurrently processed per flow { 1:max53 } 3339 * bool file_id.enable_type = true: enable type ID 3340 * bool file_id.enable_signature = false: enable signature 3341 calculation 3342 * bool file_id.enable_capture = false: enable file capture 3343 * int file_id.show_data_depth = 100: print this many octets { 3344 0:max53 } 3345 * int file_id.file_rules[].rev = 0: rule revision { 0:max32 } 3346 * string file_id.file_rules[].msg: information about the file type 3347 * string file_id.file_rules[].type: file type name 3348 * int file_id.file_rules[].id = 0: file type id { 0:max32 } 3349 * string file_id.file_rules[].category: file type category 3350 * string file_id.file_rules[].group: comma separated list of groups 3351 associated with file type 3352 * string 
file_id.file_rules[].version: file type version 3353 * string file_id.file_rules[].magic[].content: file magic content 3354 * int file_id.file_rules[].magic[].offset = 0: file magic offset { 3355 0:max32 } 3356 * int file_id.file_policy[].when.file_type_id = 0: unique ID for 3357 file type in file magic rule { 0:max32 } 3358 * string file_id.file_policy[].when.sha256: SHA 256 3359 * enum file_id.file_policy[].use.verdict = unknown: what to do with 3360 matching traffic { unknown | log | stop | block | reset } 3361 * bool file_id.file_policy[].use.enable_file_type = false: true/ 3362 false → enable/disable file type identification 3363 * bool file_id.file_policy[].use.enable_file_signature = false: 3364 true/false → enable/disable file signature 3365 * bool file_id.file_policy[].use.enable_file_capture = false: true/ 3366 false → enable/disable file capture 3367 * bool file_id.trace_type = false: enable runtime dump of type info 3368 * bool file_id.trace_signature = false: enable runtime dump of 3369 signature info 3370 * bool file_id.trace_stream = false: enable runtime dump of file 3371 data 3372 * int file_id.verdict_delay = 0: number of queries to return final 3373 verdict { 0:max53 } 3374 * int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no 3375 limit) { -1:65535 } 3376 * int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment 3377 extraction depth (-1 no limit) { -1:65535 } 3378 * bool file_id.decompress_pdf = false: decompress pdf files 3379 * bool file_id.decompress_swf = false: decompress swf files 3380 * bool file_id.decompress_zip = false: decompress zip files 3381 * int file_id.decompress_buffer_size = 100000: file decompression 3382 buffer size { 1024:max31 } 3383 * int file_id.qp_decode_depth = -1: Quoted Printable decoding depth 3384 (-1 no limit) { -1:65535 } 3385 * int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 3386 no limit) { -1:65535 } 3387 3388Rules: 3389 3390 * 150:1 (file_id) file not processed due to 
per flow limit 3391 3392Peg counts: 3393 3394 * file_id.total_files: number of files processed (sum) 3395 * file_id.total_file_data: number of file data bytes processed 3396 (sum) 3397 * file_id.cache_failures: number of file cache add failures (sum) 3398 * file_id.files_not_processed: number of files not processed due to 3399 per-flow limit (sum) 3400 * file_id.max_concurrent_files: maximum files processed 3401 concurrently on a flow (max) 3402 3403 34045.19. file_log 3405 3406-------------- 3407 3408Help: log file event to file.log 3409 3410Type: inspector (passive) 3411 3412Usage: inspect 3413 3414Instance Type: singleton 3415 3416Configuration: 3417 3418 * bool file_log.log_pkt_time = true: log the packet time when event 3419 generated 3420 * bool file_log.log_sys_time = false: log the system time when 3421 event generated 3422 3423Peg counts: 3424 3425 * file_log.total_events: total file events (sum) 3426 3427 34285.20. ftp_client 3429 3430-------------- 3431 3432Help: FTP client configuration module for use with ftp_server 3433 3434Type: inspector (passive) 3435 3436Usage: inspect 3437 3438Instance Type: multiton 3439 3440Configuration: 3441 3442 * bool ftp_client.bounce = false: check for bounces 3443 * addr ftp_client.bounce_to[].address = 1.0.0.0/32: allowed IP 3444 address in CIDR format 3445 * port ftp_client.bounce_to[].port = 20: allowed port 3446 * port ftp_client.bounce_to[].last_port: optional allowed range 3447 from port to last_port inclusive 3448 * bool ftp_client.ignore_telnet_erase_cmds = false: ignore erase 3449 character and erase line commands when normalizing 3450 * int ftp_client.max_resp_len = 4294967295: maximum FTP response 3451 accepted by client { 0:max32 } 3452 * bool ftp_client.telnet_cmds = false: detect Telnet escape 3453 sequences on FTP control channel 3454 3455 34565.21. 
ftp_data 3457 3458-------------- 3459 3460Help: FTP data channel handler 3461 3462Type: inspector (service) 3463 3464Usage: inspect 3465 3466Instance Type: multiton 3467 3468Peg counts: 3469 3470 * ftp_data.packets: total packets (sum) 3471 3472 34735.22. ftp_server 3474 3475-------------- 3476 3477Help: main FTP module; ftp_client should also be configured 3478 3479Type: inspector (service) 3480 3481Usage: inspect 3482 3483Instance Type: multiton 3484 3485Configuration: 3486 3487 * string ftp_server.chk_str_fmt: check the formatting of the given 3488 commands 3489 * string ftp_server.data_chan_cmds: check the formatting of the 3490 given commands 3491 * string ftp_server.data_rest_cmds: check the formatting of the 3492 given commands 3493 * string ftp_server.data_xfer_cmds: check the formatting of the 3494 given commands 3495 * string ftp_server.directory_cmds[].dir_cmd: directory command 3496 * int ftp_server.directory_cmds[].rsp_code = 200: expected 3497 successful response code for command { 200:max32 } 3498 * string ftp_server.file_put_cmds: check the formatting of the 3499 given commands 3500 * string ftp_server.file_get_cmds: check the formatting of the 3501 given commands 3502 * string ftp_server.encr_cmds: check the formatting of the given 3503 commands 3504 * string ftp_server.login_cmds: check the formatting of the given 3505 commands 3506 * bool ftp_server.check_encrypted = false: check for end of 3507 encryption 3508 * string ftp_server.cmd_validity[].command: command string 3509 * string ftp_server.cmd_validity[].format: format specification 3510 * int ftp_server.cmd_validity[].length = 0: specify non-default 3511 maximum for command { 0:max32 } 3512 * int ftp_server.def_max_param_len = 100: default maximum length of 3513 commands handled by server; 0 is unlimited { 1:max32 } 3514 * bool ftp_server.encrypted_traffic = false: check for encrypted 3515 Telnet and FTP 3516 * string ftp_server.ftp_cmds: specify additional commands supported 3517 by server 
beyond RFC 959 3518 * bool ftp_server.ignore_data_chan = false: do not inspect FTP data 3519 channels 3520 * bool ftp_server.ignore_telnet_erase_cmds = false: ignore erase 3521 character and erase line commands when normalizing 3522 * bool ftp_server.print_cmds = false: print command configurations 3523 on start up 3524 * bool ftp_server.telnet_cmds = false: detect Telnet escape 3525 sequences of FTP control channel 3526 3527Rules: 3528 3529 * 125:1 (ftp_server) TELNET cmd on FTP command channel 3530 * 125:2 (ftp_server) invalid FTP command 3531 * 125:3 (ftp_server) FTP command parameters were too long 3532 * 125:4 (ftp_server) FTP command parameters were malformed 3533 * 125:5 (ftp_server) FTP command parameters contained potential 3534 string format 3535 * 125:6 (ftp_server) FTP response message was too long 3536 * 125:7 (ftp_server) FTP traffic encrypted 3537 * 125:8 (ftp_server) FTP bounce attempt 3538 * 125:9 (ftp_server) evasive (incomplete) TELNET cmd on FTP command 3539 channel 3540 3541Peg counts: 3542 3543 * ftp_server.total_packets: total packets (sum) 3544 * ftp_server.total_bytes: total number of bytes processed (sum) 3545 * ftp_server.concurrent_sessions: total concurrent FTP sessions 3546 (now) 3547 * ftp_server.max_concurrent_sessions: maximum concurrent FTP 3548 sessions (max) 3549 * ftp_server.start_tls: total STARTTLS events generated (sum) 3550 * ftp_server.ssl_search_abandoned: total SSL search abandoned (sum) 3551 * ftp_server.ssl_srch_abandoned_early: total SSL search abandoned 3552 too soon (sum) 3553 * ftp_server.pkt_segment_size_changed: total number of FTP data 3554 packets with segment size change (sum) 3555 * ftp_server.flow_segment_size_changed: total number of FTP 3556 sessions with segment size change (sum) 3557 3558 35595.23. 
gtp_inspect 3560 3561-------------- 3562 3563Help: gtp control channel inspection 3564 3565Type: inspector (service) 3566 3567Usage: inspect 3568 3569Instance Type: multiton 3570 3571Configuration: 3572 3573 * int gtp_inspect[].version = 2: GTP version { 0:2 } 3574 * int gtp_inspect[].messages[].type = 0: message type code { 0:255 3575 } 3576 * string gtp_inspect[].messages[].name: message name 3577 * int gtp_inspect[].infos[].type = 0: information element type code 3578 { 0:255 } 3579 * string gtp_inspect[].infos[].name: information element name 3580 * int gtp_inspect[].infos[].length = 0: information element type 3581 code { 0:255 } 3582 3583Rules: 3584 3585 * 143:1 (gtp_inspect) message length is invalid 3586 * 143:2 (gtp_inspect) information element length is invalid 3587 * 143:3 (gtp_inspect) information elements are out of order 3588 * 143:4 (gtp_inspect) TEID is missing 3589 3590Peg counts: 3591 3592 * gtp_inspect.sessions: total sessions processed (sum) 3593 * gtp_inspect.concurrent_sessions: total concurrent gtp sessions 3594 (now) 3595 * gtp_inspect.max_concurrent_sessions: maximum concurrent gtp 3596 sessions (max) 3597 * gtp_inspect.events: requests (sum) 3598 * gtp_inspect.unknown_types: unknown message types (sum) 3599 * gtp_inspect.unknown_infos: unknown information elements (sum) 3600 3601 36025.24. 
http2_inspect 3603 3604-------------- 3605 3606Help: HTTP/2 inspector 3607 3608Type: inspector (service) 3609 3610Usage: inspect 3611 3612Instance Type: multiton 3613 3614Configuration: 3615 3616 * int http2_inspect.concurrent_streams_limit = 100: Maximum number 3617 of concurrent streams allowed in a single HTTP/2 flow { 100:1000 3618 } 3619 3620Rules: 3621 3622 * 121:1 (http2_inspect) invalid flag set on HTTP/2 frame 3623 * 121:2 (http2_inspect) HPACK integer value has leading zeros 3624 * 121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream 3625 id 3626 * 121:4 (http2_inspect) missing HTTP/2 continuation frame 3627 * 121:5 (http2_inspect) unexpected HTTP/2 continuation frame 3628 * 121:6 (http2_inspect) HTTP/2 headers HPACK decoding error 3629 * 121:7 (http2_inspect) HTTP/2 connection preface does not match 3630 * 121:8 (http2_inspect) HTTP/2 request missing required header 3631 field 3632 * 121:9 (http2_inspect) HTTP/2 response has no status code 3633 * 121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path 3634 * 121:11 (http2_inspect) error in HTTP/2 settings frame 3635 * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame 3636 * 121:13 (http2_inspect) invalid HTTP/2 frame sequence 3637 * 121:14 (http2_inspect) HTTP/2 dynamic table has more than 512 3638 entries 3639 * 121:15 (http2_inspect) HTTP/2 push promise frame with promised 3640 stream ID already in use. 
3641 * 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame 3642 data size 3643 * 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header 3644 * 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers 3645 * 121:19 (http2_inspect) invalid HTTP/2 pseudo-header 3646 * 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit 3647 * 121:21 (http2_inspect) HTTP/2 push promise frame sent when 3648 prohibited by receiver 3649 * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero 3650 length 3651 * 121:23 (http2_inspect) HTTP/2 push promise frame in 3652 client-to-server direction 3653 * 121:24 (http2_inspect) invalid HTTP/2 push promise frame 3654 * 121:25 (http2_inspect) HTTP/2 push promise frame sent at invalid 3655 time 3656 * 121:26 (http2_inspect) invalid parameter value sent in HTTP/2 3657 settings frame 3658 * 121:27 (http2_inspect) excessive concurrent HTTP/2 streams 3659 * 121:28 (http2_inspect) invalid HTTP/2 rst stream frame 3660 * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid 3661 time 3662 * 121:30 (http2_inspect) uppercase HTTP/2 header field name 3663 * 121:31 (http2_inspect) invalid HTTP/2 window update frame 3664 * 121:32 (http2_inspect) HTTP/2 window update frame with zero 3665 increment 3666 * 121:33 (http2_inspect) HTTP/2 request without a method 3667 * 121:34 (http2_inspect) HTTP/2 HPACK table size update not at the 3668 start of a header block 3669 * 121:35 (http2_inspect) More than two HTTP/2 HPACK table size 3670 updates in a single header block 3671 * 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max 3672 value set by decoder in SETTINGS frame 3673 3674Peg counts: 3675 3676 * http2_inspect.flows: HTTP/2 connections inspected (sum) 3677 * http2_inspect.concurrent_sessions: total concurrent HTTP/2 3678 sessions (now) 3679 * http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2 3680 sessions (max) 3681 * http2_inspect.max_table_entries: maximum entries in an HTTP/2 
3682 dynamic table (max) 3683 * http2_inspect.max_concurrent_files: maximum concurrent file 3684 transfers per HTTP/2 connection (max) 3685 * http2_inspect.total_bytes: total HTTP/2 data bytes inspected 3686 (sum) 3687 * http2_inspect.max_concurrent_streams: maximum concurrent streams 3688 per HTTP/2 connection (max) 3689 * http2_inspect.flows_over_stream_limit: HTTP/2 flows exceeding 100 3690 concurrent streams (sum) 3691 3692 36935.25. http_inspect 3694 3695-------------- 3696 3697Help: HTTP inspector 3698 3699Type: inspector (service) 3700 3701Usage: inspect 3702 3703Instance Type: multiton 3704 3705Configuration: 3706 3707 * int http_inspect.request_depth = -1: maximum request message body 3708 bytes to examine (-1 no limit) { -1:max53 } 3709 * int http_inspect.response_depth = -1: maximum response message 3710 body bytes to examine (-1 no limit) { -1:max53 } 3711 * bool http_inspect.unzip = true: decompress gzip and deflate 3712 message bodies 3713 * int http_inspect.maximum_host_length = -1: maximum allowed length 3714 for Host header value (-1 no limit) { -1:max53 } 3715 * int http_inspect.maximum_chunk_length = 4294967295: maximum 3716 allowed length for a message body chunk { 0:4294967295 } 3717 * bool http_inspect.normalize_utf = true: normalize charset utf 3718 encodings in response bodies 3719 * bool http_inspect.decompress_pdf = false: decompress pdf files in 3720 response bodies 3721 * bool http_inspect.decompress_swf = false: decompress swf files in 3722 response bodies 3723 * bool http_inspect.decompress_zip = false: decompress zip files in 3724 response bodies 3725 * bool http_inspect.decompress_vba = false: decompress MS Office 3726 Visual Basic for Applications macro files in response bodies 3727 * bool http_inspect.script_detection = false: inspect JavaScript 3728 immediately upon script end 3729 * bool http_inspect.normalize_javascript = false: use legacy 3730 normalizer to normalize JavaScript in response bodies 3731 * int 
http_inspect.js_norm_bytes_depth = -1: number of input 3732 JavaScript bytes to normalize (-1 unlimited) { -1:max53 } 3733 * int http_inspect.js_norm_identifier_depth = 65536: max number of 3734 unique JavaScript identifiers to normalize { 0:65536 } 3735 * int http_inspect.js_norm_max_tmpl_nest = 32: maximum depth of 3736 template literal nesting that enhanced javascript normalizer will 3737 process { 0:255 } 3738 * int http_inspect.js_norm_max_bracket_depth = 256: maximum depth 3739 of bracket nesting that enhanced JavaScript normalizer will 3740 process { 1:65535 } 3741 * int http_inspect.js_norm_max_scope_depth = 256: maximum depth of 3742 scope nesting that enhanced JavaScript normalizer will process { 3743 1:65535 } 3744 * string http_inspect.js_norm_ident_ignore[].ident_name: name of 3745 the identifier to ignore 3746 * int http_inspect.max_javascript_whitespaces = 200: maximum 3747 consecutive whitespaces allowed within the JavaScript obfuscated 3748 data { 1:65535 } 3749 * bit_list http_inspect.bad_characters: alert when any of specified 3750 bytes are present in URI after percent decoding { 255 } 3751 * string http_inspect.ignore_unreserved: do not alert when the 3752 specified unreserved characters are percent-encoded in a 3753 URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, 3754 tilde, and minus. { (optional) } 3755 * bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN 3756 encodings 3757 * bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8 3758 characters to a single byte 3759 * bool http_inspect.utf8_bare_byte = false: when doing UTF-8 3760 character normalization include bytes that were not percent 3761 encoded 3762 * bool http_inspect.iis_unicode = false: use IIS unicode code point 3763 mapping to normalize characters 3764 * string http_inspect.iis_unicode_map_file: file containing code 3765 points for IIS unicode. 
{ (optional) } 3766 * int http_inspect.iis_unicode_code_page = 1252: code page to use 3767 from the IIS unicode map file { 0:65535 } 3768 * bool http_inspect.iis_double_decode = true: perform double 3769 decoding of percent encodings to normalize characters 3770 * int http_inspect.oversize_dir_length = 300: maximum length for 3771 URL directory { 1:65535 } 3772 * bool http_inspect.backslash_to_slash = true: replace \ with / 3773 when normalizing URIs 3774 * bool http_inspect.plus_to_space = true: replace + with <sp> when 3775 normalizing URIs 3776 * bool http_inspect.simplify_path = true: reduce URI directory path 3777 to simplest form 3778 * string http_inspect.xff_headers = x-forwarded-for true-client-ip: 3779 specifies the xff type headers to parse and consider in the same 3780 order of preference as defined 3781 * bool http_inspect.request_body_app_detection = true: make HTTP/2 3782 request message bodies available for application detection 3783 (detection requires AppId) 3784 3785Rules: 3786 3787 * 119:1 (http_inspect) URI has percent-encoding of an unreserved 3788 character 3789 * 119:2 (http_inspect) URI is percent encoded and the result is 3790 percent encoded again 3791 * 119:3 (http_inspect) URI has non-standard %u-style Unicode 3792 encoding 3793 * 119:4 (http_inspect) URI has Unicode encodings containing bytes 3794 that were not percent-encoded 3795 * 119:6 (http_inspect) URI has two-byte or three-byte UTF-8 3796 encoding 3797 * 119:7 (http_inspect) URI has unicode map code point encoding 3798 * 119:8 (http_inspect) URI path contains consecutive slash 3799 characters 3800 * 119:9 (http_inspect) backslash character appears in the path 3801 portion of a URI. 
  * 119:10 (http_inspect) URI path contains /./ pattern repeating the current directory
  * 119:11 (http_inspect) URI path contains /../ pattern moving up a directory
  * 119:12 (http_inspect) Tab character in HTTP start line
  * 119:13 (http_inspect) HTTP start line or header line terminated by LF without a CR
  * 119:14 (http_inspect) Normalized URI includes character from bad_characters list
  * 119:15 (http_inspect) URI path contains a segment that is longer than the oversize_dir_length parameter
  * 119:16 (http_inspect) chunk length exceeds configured maximum_chunk_length
  * 119:18 (http_inspect) URI path includes /../ that goes above the root directory
  * 119:19 (http_inspect) HTTP header line exceeds 4096 bytes
  * 119:20 (http_inspect) HTTP message has more than 200 header fields
  * 119:21 (http_inspect) HTTP message has more than one Content-Length header value
  * 119:24 (http_inspect) Host header field appears more than once or has multiple values
  * 119:25 (http_inspect) length of HTTP Host header field value exceeds maximum_host_length option
  * 119:28 (http_inspect) HTTP POST or PUT request without content-length or chunks
  * 119:31 (http_inspect) HTTP request method is not known to Snort
  * 119:32 (http_inspect) HTTP request uses primitive HTTP format known as HTTP/0.9
  * 119:33 (http_inspect) HTTP request URI has space character that is not percent-encoded
  * 119:34 (http_inspect) HTTP connection has more than 100 simultaneous pipelined requests that have not been answered
  * 119:102 (http_inspect) invalid status code in HTTP response
  * 119:104 (http_inspect) HTTP response has UTF character set that failed to normalize
  * 119:105 (http_inspect) HTTP response has UTF-7 character set
  * 119:109 (http_inspect) more than one level of JavaScript obfuscation
  * 119:110 (http_inspect) consecutive JavaScript whitespaces exceed maximum allowed
  * 119:111 (http_inspect) multiple encodings within JavaScript obfuscated data
  * 119:112 (http_inspect) SWF file zlib decompression failure
  * 119:113 (http_inspect) SWF file LZMA decompression failure
  * 119:114 (http_inspect) PDF file deflate decompression failure
  * 119:115 (http_inspect) PDF file unsupported compression type
  * 119:116 (http_inspect) PDF file with more than one compression applied
  * 119:117 (http_inspect) PDF file parse failure
  * 119:201 (http_inspect) not HTTP traffic or unrecoverable HTTP protocol error
  * 119:202 (http_inspect) chunk length has excessive leading zeros
  * 119:203 (http_inspect) white space before or between HTTP messages
  * 119:204 (http_inspect) request message without URI
  * 119:205 (http_inspect) control character in HTTP response reason phrase
  * 119:206 (http_inspect) illegal extra whitespace in start line
  * 119:207 (http_inspect) corrupted HTTP version
  * 119:208 (http_inspect) HTTP version in start line is not HTTP/1.0 or 1.1
  * 119:209 (http_inspect) format error in HTTP header
  * 119:210 (http_inspect) chunk header options present
  * 119:211 (http_inspect) URI badly formatted
  * 119:212 (http_inspect) unrecognized type of percent encoding in URI
  * 119:213 (http_inspect) HTTP chunk misformatted
  * 119:214 (http_inspect) white space adjacent to chunk length
  * 119:215 (http_inspect) white space within header name
  * 119:216 (http_inspect) excessive gzip compression
  * 119:217 (http_inspect) gzip decompression failed
  * 119:218 (http_inspect) HTTP 0.9 request followed by another request
  * 119:219 (http_inspect) HTTP 0.9 request following a normal request
  * 119:220 (http_inspect) message has both Content-Length and Transfer-Encoding
  * 119:221 (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length
  * 119:222 (http_inspect) Transfer-Encoding not ending with chunked
  * 119:223 (http_inspect) Transfer-Encoding with encodings before chunked
  * 119:224 (http_inspect) misformatted HTTP traffic
  * 119:225 (http_inspect) unsupported Content-Encoding used
  * 119:226 (http_inspect) unknown Content-Encoding used
  * 119:227 (http_inspect) multiple Content-Encodings applied
  * 119:228 (http_inspect) server response before client request
  * 119:229 (http_inspect) PDF/SWF/ZIP decompression of server response too big
  * 119:230 (http_inspect) nonprinting character in HTTP message header name
  * 119:231 (http_inspect) bad Content-Length value in HTTP header
  * 119:232 (http_inspect) HTTP header line wrapped
  * 119:233 (http_inspect) HTTP header line terminated by CR without a LF
  * 119:234 (http_inspect) chunk terminated by nonstandard separator
  * 119:235 (http_inspect) chunk length terminated by LF without CR
  * 119:236 (http_inspect) more than one response with 100 status code
  * 119:237 (http_inspect) 100 status code not in response to Expect header
  * 119:238 (http_inspect) 1XX status code other than 100 or 101
  * 119:239 (http_inspect) Expect header sent without a message body
  * 119:240 (http_inspect) HTTP 1.0 message with Transfer-Encoding header
  * 119:241 (http_inspect) Content-Transfer-Encoding used as HTTP header
  * 119:242 (http_inspect) illegal field in chunked message trailers
  * 119:243 (http_inspect) header field inappropriately appears twice or has two values
  * 119:244 (http_inspect) invalid value chunked in Content-Encoding header
  * 119:245 (http_inspect) 206 response sent to a request without a Range header
  * 119:246 (http_inspect) HTTP in version field not all upper case
  * 119:247 (http_inspect) white space embedded in critical header value
  * 119:248 (http_inspect) gzip compressed data followed by unexpected non-gzip data
  * 119:249 (http_inspect) excessive HTTP parameter key repeats
  * 119:250 (http_inspect) HTTP/2 Transfer-Encoding header other than identity
  * 119:251 (http_inspect) HTTP/2 message body overruns Content-Length header value
  * 119:252 (http_inspect) HTTP/2 message body smaller than Content-Length header value
  * 119:253 (http_inspect) HTTP CONNECT request with a message body
  * 119:254 (http_inspect) HTTP client-to-server traffic after CONNECT request but before CONNECT response
  * 119:255 (http_inspect) HTTP CONNECT 2XX response with Content-Length header
  * 119:256 (http_inspect) HTTP CONNECT 2XX response with Transfer-Encoding header
  * 119:257 (http_inspect) HTTP CONNECT response with 1XX status code
  * 119:258 (http_inspect) HTTP CONNECT response before request message completed
  * 119:259 (http_inspect) malformed HTTP Content-Disposition filename parameter
  * 119:260 (http_inspect) HTTP Content-Length message body was truncated
  * 119:261 (http_inspect) HTTP chunked message body was truncated
  * 119:262 (http_inspect) HTTP URI scheme longer than 10 characters
  * 119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade
  * 119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade
  * 119:265 (http_inspect) bad token in JavaScript
  * 119:266 (http_inspect) unexpected script opening tag in JavaScript
  * 119:267 (http_inspect) unexpected script closing tag in JavaScript
  * 119:268 (http_inspect) JavaScript code under the external script tags
  * 119:269 (http_inspect) script opening tag in a short form
  * 119:270 (http_inspect) max number of unique JavaScript identifiers reached
  * 119:271 (http_inspect) JavaScript bracket nesting is over capacity
  * 119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding header
  * 119:273 (http_inspect) missed PDUs during JavaScript normalization
  * 119:274 (http_inspect) JavaScript scope nesting is over capacity

Peg counts:

  * http_inspect.flows: HTTP connections inspected (sum)
  * http_inspect.scans: TCP segments scanned looking for HTTP messages (sum)
  * http_inspect.reassembles: TCP segments combined into HTTP messages (sum)
  * http_inspect.inspections: total message sections inspected (sum)
  * http_inspect.requests: HTTP request messages inspected (sum)
  * http_inspect.responses: HTTP response messages inspected (sum)
  * http_inspect.get_requests: GET requests inspected (sum)
  * http_inspect.head_requests: HEAD requests inspected (sum)
  * http_inspect.post_requests: POST requests inspected (sum)
  * http_inspect.put_requests: PUT requests inspected (sum)
  * http_inspect.delete_requests: DELETE requests inspected (sum)
  * http_inspect.connect_requests: CONNECT requests inspected (sum)
  * http_inspect.options_requests: OPTIONS requests inspected (sum)
  * http_inspect.trace_requests: TRACE requests inspected (sum)
  * http_inspect.other_requests: other request methods inspected (sum)
  * http_inspect.request_bodies: POST, PUT, and other requests with message bodies (sum)
  * http_inspect.chunked: chunked message bodies (sum)
  * http_inspect.uri_normalizations: URIs needing normalization (sum)
  * http_inspect.uri_path: URIs with path problems (sum)
  * http_inspect.uri_coding: URIs with character coding problems (sum)
  * http_inspect.concurrent_sessions: total concurrent http sessions (now)
  * http_inspect.max_concurrent_sessions: maximum concurrent http sessions (max)
  * http_inspect.script_detections: early inspections of scripts in HTTP responses (sum)
  * http_inspect.partial_inspections: early inspections done for script detection (sum)
  * http_inspect.excess_parameters: repeat parameters exceeding max (sum)
  * http_inspect.parameters: HTTP parameters inspected (sum)
  * http_inspect.connect_tunnel_cutovers: CONNECT tunnel flow cutovers to wizard (sum)
  * http_inspect.ssl_srch_abandoned_early: total SSL search abandoned too soon (sum)
  * http_inspect.pipelined_flows: total HTTP connections containing pipelined requests (sum)
  * http_inspect.pipelined_requests: total requests placed in a pipeline (sum)
  * http_inspect.total_bytes: total HTTP data bytes inspected (sum)
  * http_inspect.js_inline_scripts: total number of inline JavaScripts processed (sum)
  * http_inspect.js_external_scripts: total number of external JavaScripts processed (sum)
  * http_inspect.js_bytes: total number of JavaScript bytes processed (sum)
  * http_inspect.js_identifiers: total number of unique JavaScript identifiers processed (sum)
  * http_inspect.js_identifier_overflows: total number of unique JavaScript identifier limit overflows (sum)


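A worked illustration of what the URI options above (iis_double_decode, backslash_to_slash, plus_to_space, simplify_path, oversize_dir_length) do to a request-target, and which of the GID 119 URI events would fire on it. This is an added example, not code from Snort or the http_inspect inspector: it implements one plausible reading of each one-line option and rule description. It assumes the path starts with "/", applies plus_to_space to the query string only, leaves out the IIS unicode map (iis_unicode_code_page) and the bad_characters list, and the URIs in the test are constructed evasion samples.

```python
from dataclasses import dataclass

HEX = set("0123456789abcdefABCDEF")
# RFC 3986 unreserved characters: percent-encoding them is never required (119:1)
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


@dataclass
class UriOptions:
    """Subset of the http_inspect options listed above, with the manual's defaults."""
    iis_double_decode: bool = True
    backslash_to_slash: bool = True
    plus_to_space: bool = True
    simplify_path: bool = True
    oversize_dir_length: int = 300


def percent_decode(s, events):
    """One decoding pass over s. Returns (decoded text, number of sequences decoded)."""
    out, i, n = [], 0, 0
    while i < len(s):
        if s[i] != "%":
            out.append(s[i])
            i += 1
            continue
        hex4 = s[i + 2:i + 6]
        if s[i + 1:i + 2] in ("u", "U") and len(hex4) == 4 and set(hex4) <= HEX:
            events.add("119:3")            # IIS-style %uXXXX; only ASCII code points are handled here
            cp = int(hex4, 16)
            out.append(chr(cp) if cp < 0x80 else "\ufffd")
            i, n = i + 6, n + 1
            continue
        hex2 = s[i + 1:i + 3]
        if len(hex2) == 2 and set(hex2) <= HEX:
            ch = chr(int(hex2, 16))
            if ch in UNRESERVED:
                events.add("119:1")        # unreserved character needlessly encoded
            out.append(ch)
            i, n = i + 3, n + 1
            continue
        events.add("119:212")              # '%' not followed by a recognised encoding
        out.append("%")
        i += 1
    return "".join(out), n


def normalize_uri(uri, opt=None):
    """Return (normalized path, normalized query, set of '119:N' event labels)."""
    opt = opt or UriOptions()
    events = set()
    path, _, query = uri.partition("?")
    if " " in path:
        events.add("119:33")               # raw space in the request URI
    p, n = percent_decode(path, events)
    if opt.iis_double_decode and n:
        p2, n2 = percent_decode(p, set())  # second pass; its own 119:1/119:3 are not re-reported
        if n2:
            events.add("119:2")            # the first decode produced more percent-encoding
            p = p2
    if "\\" in p:
        events.add("119:9")
        if opt.backslash_to_slash:
            p = p.replace("\\", "/")
    if "//" in p:
        events.add("119:8")
    segments = p.split("/")                # assumes the path starts with '/'
    if opt.simplify_path:
        kept = []
        for seg in segments[1:]:
            if seg == ".":
                events.add("119:10")
            elif seg == "..":
                events.add("119:11")
                if kept:
                    kept.pop()
                else:
                    events.add("119:18")   # traversal above the root
            elif seg:                      # empty segment: the '//' case is already reported
                kept.append(seg)
        segments = [""] + kept
        if p.endswith("/") or not kept:    # keep a trailing slash; an emptied path becomes "/"
            segments.append("")
    if any(len(seg) > opt.oversize_dir_length for seg in segments):
        events.add("119:15")
    q = query.replace("+", " ") if opt.plus_to_space else query
    return "/".join(segments), q, events
```

The classic IIS double-decode traversal `/scripts/..%255c..%255cwinnt/system32/cmd.exe` normalizes to `/winnt/system32/cmd.exe` and raises 119:2, 119:9, 119:11 and 119:18, which is why content rules should match on the normalized URI and why these SIDs are worth alerting on even when no content rule fires.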
5.26. iec104

--------------

Help: iec104 inspection

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Rules:

  * 151:1 (iec104) Length in IEC104 APCI header does not match the length needed for the given IEC104 ASDU type id
  * 151:2 (iec104) IEC104 Start byte does not match 0x68
  * 151:3 (iec104) Reserved IEC104 ASDU type id in use
  * 151:4 (iec104) IEC104 APCI U Reserved field contains a non-default value
  * 151:5 (iec104) IEC104 APCI U message type was set to an invalid value
  * 151:6 (iec104) IEC104 APCI S Reserved field contains a non-default value
  * 151:7 (iec104) IEC104 APCI I number of elements set to zero
  * 151:8 (iec104) IEC104 APCI I SQ bit set on an ASDU that does not support the feature
  * 151:9 (iec104) IEC104 APCI I number of elements set to greater than one on an ASDU that does not support the feature
  * 151:10 (iec104) IEC104 APCI I Cause of Initialization set to a reserved value
  * 151:11 (iec104) IEC104 APCI I Qualifier of Interrogation Command set to a reserved value
  * 151:12 (iec104) IEC104 APCI I Qualifier of Counter Interrogation Command request parameter set to a reserved value
  * 151:13 (iec104) IEC104 APCI I Qualifier of Parameter of Measured Values kind of parameter set to a reserved value
  * 151:14 (iec104) IEC104 APCI I Qualifier of Parameter of Measured Values local parameter change set to a technically valid but unused value
  * 151:15 (iec104) IEC104 APCI I Qualifier of Parameter of Measured Values parameter option set to a technically valid but unused value
  * 151:16 (iec104) IEC104 APCI I Qualifier of Parameter Activation set to a reserved value
  * 151:17 (iec104) IEC104 APCI I Qualifier of Command set to a reserved value
  * 151:18 (iec104) IEC104 APCI I Qualifier of Reset Process set to a reserved value
  * 151:19 (iec104) IEC104 APCI I File Ready Qualifier set to a reserved value
  * 151:20 (iec104) IEC104 APCI I Section Ready Qualifier set to a reserved value
  * 151:21 (iec104) IEC104 APCI I Select and Call Qualifier set to a reserved value
  * 151:22 (iec104) IEC104 APCI I Last Section or Segment Qualifier set to a reserved value
  * 151:23 (iec104) IEC104 APCI I Acknowledge File or Section Qualifier set to a reserved value
  * 151:24 (iec104) IEC104 APCI I Structure Qualifier set on a message where it should have no effect
  * 151:25 (iec104) IEC104 APCI I Single Point Information Reserved field contains a non-default value
  * 151:26 (iec104) IEC104 APCI I Double Point Information Reserved field contains a non-default value
  * 151:27 (iec104) IEC104 APCI I Cause of Transmission set to a reserved value
  * 151:28 (iec104) IEC104 APCI I Cause of Transmission set to a value not allowed for the ASDU
  * 151:29 (iec104) IEC104 APCI I invalid two octet common address value detected
  * 151:30 (iec104) IEC104 APCI I Quality Descriptor Structure Reserved field contains a non-default value
  * 151:31 (iec104) IEC104 APCI I Quality Descriptor for Events of Protection Equipment Structure Reserved field contains a non-default value
  * 151:32 (iec104) IEC104 APCI I IEEE STD 754 value results in NaN
  * 151:33 (iec104) IEC104 APCI I IEEE STD 754 value results in infinity
  * 151:34 (iec104) IEC104 APCI I Single Event of Protection Equipment Structure Reserved field contains a non-default value
  * 151:35 (iec104) IEC104 APCI I Start Event of Protection Equipment Structure Reserved field contains a non-default value
  * 151:36 (iec104) IEC104 APCI I Output Circuit Information Structure Reserved field contains a non-default value
  * 151:37 (iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern detected
  * 151:38 (iec104) IEC104 APCI I Single Command Structure Reserved field contains a non-default value
  * 151:39 (iec104) IEC104 APCI I Double Command Structure contains an invalid value
  * 151:40 (iec104) IEC104 APCI I Regulating Step Command Structure Reserved field contains a non-default value
  * 151:41 (iec104) IEC104 APCI I Time2a Millisecond set outside of the allowable range
  * 151:42 (iec104) IEC104 APCI I Time2a Minute set outside of the allowable range
  * 151:43 (iec104) IEC104 APCI I Time2a Minute Reserved field contains a non-default value
  * 151:44 (iec104) IEC104 APCI I Time2a Hours set outside of the allowable range
  * 151:45 (iec104) IEC104 APCI I Time2a Hours Reserved field contains a non-default value
  * 151:46 (iec104) IEC104 APCI I Time2a Day of Month set outside of the allowable range
  * 151:47 (iec104) IEC104 APCI I Time2a Month set outside of the allowable range
  * 151:48 (iec104) IEC104 APCI I Time2a Month Reserved field contains a non-default value
  * 151:49 (iec104) IEC104 APCI I Time2a Year set outside of the allowable range
  * 151:50 (iec104) IEC104 APCI I Time2a Year Reserved field contains a non-default value
  * 151:51 (iec104) IEC104 APCI I a null Length of Segment value has been detected
  * 151:52 (iec104) IEC104 APCI I an invalid Length of Segment value has been detected
  * 151:53 (iec104) IEC104 APCI I Status of File set to a reserved value
  * 151:54 (iec104) IEC104 APCI I Qualifier of Set Point Command ql field set to a reserved value

Peg counts:

  * iec104.sessions: total sessions processed (sum)
  * iec104.frames: total IEC104 messages (sum)
  * iec104.concurrent_sessions: total concurrent IEC104 sessions (now)
  * iec104.max_concurrent_sessions: maximum concurrent IEC104 sessions (max)


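An added example, not the iec104 inspector's code, showing the APCI and ASDU header fields that the first rules above (151:2 through 151:7, 151:27, 151:29) examine. The frame layout is taken from IEC 60870-5-104: start byte 0x68, APDU length, four control octets, and for I-frames an ASDU beginning with type id, variable structure qualifier, two-octet cause of transmission and two-octet common address. The table of defined type ids, the reserved cause-of-transmission values, and treating common address 0 as invalid are this example's own assumptions; the sample frames are constructed, not captured.

```python
START_BYTE = 0x68
# U-frame function bits in the first control octet; exactly one may be set
U_FUNCTIONS = {0x04: "STARTDT act", 0x08: "STARTDT con", 0x10: "STOPDT act",
               0x20: "STOPDT con", 0x40: "TESTFR act", 0x80: "TESTFR con"}
# ASDU type ids defined by IEC 60870-5-101/104 as this example knows them (assumption, not the inspector's table)
DEFINED_TYPE_IDS = (set(range(1, 22)) | set(range(30, 41)) | set(range(45, 52)) | set(range(58, 65))
                    | {70} | set(range(100, 108)) | set(range(110, 114)) | set(range(120, 128)))
# cause-of-transmission values the standard leaves undefined or reserved (assumption)
RESERVED_COT = {0} | set(range(14, 20)) | {42, 43}


def check_asdu(asdu: bytes) -> list:
    """Header-level checks on an ASDU; the information objects themselves are not decoded here."""
    events = []
    if len(asdu) < 6:
        return ["ASDU header truncated"]
    type_id, vsq, cot = asdu[0], asdu[1], asdu[2]
    common_address = asdu[4] | asdu[5] << 8     # little-endian; asdu[3] is the originator address
    if type_id not in DEFINED_TYPE_IDS:
        events.append(f"151:3 reserved ASDU type id {type_id}")
    if vsq & 0x7F == 0:                         # low 7 bits: number of objects; bit 7: SQ
        events.append("151:7 number of information objects is zero")
    if cot & 0x3F in RESERVED_COT:              # low 6 bits: cause; bit 6: P/N; bit 7: test
        events.append(f"151:27 cause of transmission {cot & 0x3F} is reserved")
    if common_address == 0:
        events.append("151:29 common address 0 is not valid")
    return events


def check_apdu(apdu: bytes):
    """Return (frame kind 'I'/'S'/'U' or None, findings labelled with the matching 151:N where exact)."""
    events = []
    if len(apdu) < 6:
        return None, ["APCI truncated"]
    start, length, c1, c2, c3, c4 = apdu[:6]
    if start != START_BYTE:
        events.append("151:2 start byte is not 0x68")
    if length != len(apdu) - 2:
        # coarse relative of 151:1: the inspector checks against the exact length the type id requires
        events.append("APCI length does not match the bytes present")
    if c1 & 0x01 == 0:
        kind = "I"                              # bit 0 clear: numbered information transfer
    elif c1 & 0x03 == 0x01:
        kind = "S"                              # bits 1..0 == 01: numbered supervisory
    else:
        kind = "U"                              # bits 1..0 == 11: unnumbered control
    if kind == "U":
        if (c2, c3, c4) != (0, 0, 0):
            events.append("151:4 U-frame reserved octets are not zero")
        if (c1 & 0xFC) not in U_FUNCTIONS:
            events.append("151:5 U-frame function is not exactly one of STARTDT/STOPDT/TESTFR act/con")
    elif kind == "S":
        if c2 != 0:
            events.append("151:6 S-frame reserved octet is not zero")
    else:
        events += check_asdu(apdu[6:])
    return kind, events


# Constructed sample frames, not captured traffic
STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")
S_FRAME = bytes.fromhex("68 04 01 00 02 00")                                       # N(R) = 1
INTERROGATION = bytes.fromhex("68 0e 00 00 00 00  64 01 06 00 01 00  00 00 00 14")  # C_IC_NA_1, activation, CA 1
MALFORMED = bytes.fromhex("68 0e 00 00 00 00  64 80 00 00 00 00  00 00 00 14")      # SQ set, 0 objects, COT 0, CA 0

if __name__ == "__main__":
    for name, frame in [("STARTDT_ACT", STARTDT_ACT), ("S_FRAME", S_FRAME),
                        ("INTERROGATION", INTERROGATION), ("MALFORMED", MALFORMED)]:
        print(name, check_apdu(frame))
```

The point of the structure checks is that a legitimate IEC 104 stack never emits a U-frame with non-zero reserved octets or an I-frame with zero information objects, so these events are low-noise indicators of either a broken client or a fuzzer and protocol-scanner aimed at an RTU.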
5.27. imap

--------------

Help: imap inspection

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Configuration:

  * int imap.b64_decode_depth = -1: base64 decoding depth (-1 no limit) { -1:65535 }
  * int imap.bitenc_decode_depth = -1: non-encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }
  * bool imap.decompress_pdf = false: decompress pdf files in MIME attachments
  * bool imap.decompress_swf = false: decompress swf files in MIME attachments
  * bool imap.decompress_zip = false: decompress zip files in MIME attachments
  * bool imap.decompress_vba = false: decompress MS Office Visual Basic for Applications macro files in MIME attachments
  * int imap.qp_decode_depth = -1: Quoted-Printable decoding depth (-1 no limit) { -1:65535 }
  * int imap.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }

Rules:

  * 141:1 (imap) unknown IMAP3 command
  * 141:2 (imap) unknown IMAP3 response
  * 141:4 (imap) base64 decoding failed
  * 141:5 (imap) quoted-printable decoding failed
  * 141:7 (imap) Unix-to-Unix decoding failed
  * 141:8 (imap) file decompression failed

Peg counts:

  * imap.packets: total packets processed (sum)
  * imap.sessions: total imap sessions (sum)
  * imap.concurrent_sessions: total concurrent imap sessions (now)
  * imap.max_concurrent_sessions: maximum concurrent imap sessions (max)
  * imap.start_tls: total STARTTLS events generated (sum)
  * imap.ssl_search_abandoned: total SSL search abandoned (sum)
  * imap.ssl_srch_abandoned_early: total SSL search abandoned too soon (sum)
  * imap.b64_attachments: total base64 attachments decoded (sum)
  * imap.b64_decoded_bytes: total base64 decoded bytes (sum)
  * imap.qp_attachments: total quoted-printable attachments decoded (sum)
  * imap.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
  * imap.uu_attachments: total uu attachments decoded (sum)
  * imap.uu_decoded_bytes: total uu decoded bytes (sum)
  * imap.non_encoded_attachments: total non-encoded attachments extracted (sum)
  * imap.non_encoded_bytes: total non-encoded extracted bytes (sum)


5.28. mem_test

--------------

Help: for testing memory management

Type: inspector (service)

Usage: inspect

Instance Type: singleton

Peg counts:

  * mem_test.packets: total packets (sum)


5.29. modbus

--------------

Help: modbus inspection

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Rules:

  * 144:1 (modbus) length in Modbus MBAP header does not match the length needed for the given function
  * 144:2 (modbus) Modbus protocol ID is non-zero
  * 144:3 (modbus) reserved Modbus function code in use

Peg counts:

  * modbus.sessions: total sessions processed (sum)
  * modbus.frames: total Modbus messages (sum)
  * modbus.concurrent_sessions: total concurrent modbus sessions (now)
  * modbus.max_concurrent_sessions: maximum concurrent modbus sessions (max)


5.30. netflow

--------------

Help: netflow inspection

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Configuration:

  * string netflow.dump_file: file name to dump netflow cache on shutdown; won’t dump by default
  * int netflow.update_timeout = 3600: the interval at which the system updates host cache information { 0:max32 }
  * addr netflow.rules[].device_ip: restrict the NetFlow devices from which Snort will analyze packets
  * bool netflow.rules[].exclude = false: exclude the NetFlow records that match this rule
  * string netflow.rules[].zones: generate events only for NetFlow packets that originate from these zones
  * string netflow.rules[].networks: generate events for NetFlow records that contain an initiator or responder IP from these networks
  * bool netflow.rules[].create_host = false: generate a new host event
  * bool netflow.rules[].create_service = false: generate a new or changed service event

Peg counts:

  * netflow.invalid_netflow_record: count of invalid netflow records (sum)
  * netflow.packets: total packets processed (sum)
  * netflow.records: total records found in netflow data (sum)
  * netflow.unique_flows: count of unique netflow flows (sum)
  * netflow.v9_missing_template: count of data records that are missing templates (sum)
  * netflow.v9_options_template: count of options template flowsets (sum)
  * netflow.v9_templates: count of total version 9 templates (sum)
  * netflow.version_5: count of netflow version 5 packets received (sum)
  * netflow.version_9: count of netflow version 9 packets received (sum)


5.31. normalizer

--------------

Help: packet scrubbing for inline mode

Type: inspector (packet)

Usage: context

Instance Type: network

Configuration:

  * bool normalizer.ip4.base = false: clear options
  * bool normalizer.ip4.df = false: clear don’t frag flag
  * bool normalizer.ip4.rf = false: clear reserved flag
  * bool normalizer.ip4.tos = false: clear tos / differentiated services byte
  * bool normalizer.ip4.trim = false: truncate excess payload beyond datagram length
  * bool normalizer.tcp.base = false: clear reserved bits and option padding and fix urgent pointer / flags issues
  * bool normalizer.tcp.block = false: allow packet drops during TCP normalization
  * bool normalizer.tcp.urp = false: adjust urgent pointer if beyond segment length
  * bool normalizer.tcp.ips = true: ensure consistency in retransmitted data
  * select normalizer.tcp.ecn = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }
  * bool normalizer.tcp.pad = false: clear any option padding bytes
  * bool normalizer.tcp.trim_syn = false: remove data on SYN
  * bool normalizer.tcp.trim_rst = false: remove any data from RST packet
  * bool normalizer.tcp.trim_win = false: trim data to window
  * bool normalizer.tcp.trim_mss = false: trim data to MSS
  * bool normalizer.tcp.opts = false: clear all options except mss, wscale, timestamp, and any explicitly allowed
  * bool normalizer.tcp.req_urg = false: clear the urgent pointer if the urgent flag is not set
  * bool normalizer.tcp.req_pay = false: clear the urgent pointer and the urgent flag if there is no payload
  * bool normalizer.tcp.rsv = false: clear the reserved bits in the TCP header
  * bool normalizer.tcp.req_urp = false: clear the urgent flag if the urgent pointer is not set
  * multi normalizer.tcp.allow_names: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }
  * string normalizer.tcp.allow_codes: don’t clear given option codes
  * bool normalizer.ip6 = false: clear reserved flag
  * bool normalizer.icmp4 = false: clear reserved flag
  * bool normalizer.icmp6 = false: clear reserved flag

Peg counts:

  * normalizer.test_ip4_trim: test eth packets trimmed to datagram size (sum)
  * normalizer.ip4_trim: eth packets trimmed to datagram size (sum)
  * normalizer.test_ip4_tos: test type of service normalizations (sum)
  * normalizer.ip4_tos: type of service normalizations (sum)
  * normalizer.test_ip4_df: test don’t frag bit normalizations (sum)
  * normalizer.ip4_df: don’t frag bit normalizations (sum)
  * normalizer.test_ip4_rf: test reserved flag bit clears (sum)
  * normalizer.ip4_rf: reserved flag bit clears (sum)
  * normalizer.test_ip4_ttl: test time-to-live normalizations (sum)
  * normalizer.ip4_ttl: time-to-live normalizations (sum)
  * normalizer.test_ip4_opts: test ip4 options cleared (sum)
  * normalizer.ip4_opts: ip4 options cleared (sum)
  * normalizer.test_icmp4_echo: test icmp4 ping normalizations (sum)
  * normalizer.icmp4_echo: icmp4 ping normalizations (sum)
  * normalizer.test_ip6_hops: test ip6 hop limit normalizations (sum)
  * normalizer.ip6_hops: ip6 hop limit normalizations (sum)
  * normalizer.test_ip6_options: test ip6 options cleared (sum)
  * normalizer.ip6_options: ip6 options cleared (sum)
  * normalizer.test_icmp6_echo: test icmp6 echo normalizations (sum)
  * normalizer.icmp6_echo: icmp6 echo normalizations (sum)
  * normalizer.test_tcp_syn_options: test SYN only options cleared from non-SYN packets (sum)
  * normalizer.tcp_syn_options: SYN only options cleared from non-SYN packets (sum)
  * normalizer.test_tcp_options: test packets with options cleared (sum)
  * normalizer.tcp_options: packets with options cleared (sum)
  * normalizer.test_tcp_padding: test packets with padding cleared (sum)
  * normalizer.tcp_padding: packets with padding cleared (sum)
  * normalizer.test_tcp_reserved: test packets with reserved bits cleared (sum)
  * normalizer.tcp_reserved: packets with reserved bits cleared (sum)
  * normalizer.test_tcp_nonce: test packets with nonce bit cleared (sum)
  * normalizer.tcp_nonce: packets with nonce bit cleared (sum)
  * normalizer.test_tcp_urgent_ptr: test packets without data with urgent pointer cleared (sum)
  * normalizer.tcp_urgent_ptr: packets without data with urgent pointer cleared (sum)
  * normalizer.test_tcp_ecn_pkt: test packets with ECN bits cleared (sum)
  * normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum)
  * normalizer.test_tcp_ts_ecr: test timestamp cleared on non-ACKs (sum)
  * normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum)
  * normalizer.test_tcp_req_urg: test cleared urgent pointer when urgent flag is not set (sum)
  * normalizer.tcp_req_urg: cleared urgent pointer when urgent flag is not set (sum)
  * normalizer.test_tcp_req_pay: test cleared urgent pointer and urgent flag when there is no payload (sum)
  * normalizer.tcp_req_pay: cleared urgent pointer and urgent flag when there is no payload (sum)
  * normalizer.test_tcp_req_urp: test cleared the urgent flag if the urgent pointer is not set (sum)
  * normalizer.tcp_req_urp: cleared the urgent flag if the urgent pointer is not set (sum)
  * normalizer.test_tcp_trim_syn: test tcp segments trimmed on SYN (sum)
  * normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum)
  * normalizer.test_tcp_trim_rst: test RST packets with data trimmed (sum)
  * normalizer.tcp_trim_rst: RST packets with data trimmed (sum)
  * normalizer.test_tcp_trim_win: test data trimmed to window (sum)
  * normalizer.tcp_trim_win: data trimmed to window (sum)
  * normalizer.test_tcp_trim_mss: test data trimmed to MSS (sum)
  * normalizer.tcp_trim_mss: data trimmed to MSS (sum)
  * normalizer.test_tcp_ecn_session: test ECN bits cleared (sum)
  * normalizer.tcp_ecn_session: ECN bits cleared (sum)
  * normalizer.test_tcp_ts_nop: test timestamp options cleared (sum)
  * normalizer.tcp_ts_nop: timestamp options cleared (sum)
  * normalizer.test_tcp_ips_data: test normalized segments (sum)
  * normalizer.tcp_ips_data: normalized segments (sum)
  * normalizer.test_tcp_block: test blocked segments (sum)
  * normalizer.tcp_block: blocked segments (sum)


5.32. null_trace_logger

--------------

Help: trace logger with a null printout

Type: inspector (passive)

Usage: global

Instance Type: global


5.33. packet_capture

--------------

Help: raw packet dumping facility

Type: inspector (probe)

Usage: global

Instance Type: global

Configuration:

  * bool packet_capture.enable = false: initially enable packet dumping
  * string packet_capture.filter: bpf filter to use for packet dump
  * int packet_capture.group = -1: group filter to use for the packet dump { -1:32767 }

Commands:

  * packet_capture.enable(filter, group): dump raw packets
  * packet_capture.disable(): stop packet dump

Peg counts:

  * packet_capture.processed: packets processed against filter (sum)
  * packet_capture.captured: packets dumped after matching filter (sum)


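An added example, not Snort's normalizer, showing what the normalizer.tcp switches from section 5.31 (rsv, opts with allow_names and allow_codes, req_urg, req_pay, req_urp, urp, trim_syn, trim_rst) do to a raw TCP segment. The mapping of allow_names to TCP option kinds, the choice to overwrite a cleared option with NOPs so the data offset does not change, and the sample segment are this example's assumptions; the TCP checksum is left for the caller to recompute, since that needs the IP pseudo-header.

```python
import struct
from dataclasses import dataclass, field

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
EOL, NOP = 0, 1
KEEP_ALWAYS = {2, 3, 8}  # mss, wscale, timestamp: never cleared by tcp.opts
# allow_names -> option kinds (IANA numbers; this name-to-kind mapping is the example's assumption)
OPTION_NAMES = {
    "sack": {4, 5}, "echo": {6, 7}, "partial_order": {9, 10},
    "conn_count": {11, 12, 13}, "alt_checksum": {14, 15}, "md5": {19},
}


@dataclass
class TcpNorm:
    """Subset of the normalizer.tcp.* switches; names follow the reference entries."""
    rsv: bool = False
    opts: bool = False
    req_urg: bool = False
    req_pay: bool = False
    req_urp: bool = False
    urp: bool = False
    trim_syn: bool = False
    trim_rst: bool = False
    allow_names: set = field(default_factory=set)
    allow_codes: set = field(default_factory=set)


def parse_tcp(segment: bytes) -> dict:
    """Split a raw segment into header fields, option bytes and payload."""
    src, dst, seq, ack, off_flags, win, csum, urgp = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "win": win, "csum": csum, "hlen": hlen,
            "reserved": off_flags & 0x0E00,      # three reserved bits; the NS bit (0x100) stays with the flags
            "flags": off_flags & 0x01FF, "urgp": urgp,
            "options": bytearray(segment[20:hlen]), "payload": segment[hlen:]}


def scrub_options(options: bytearray, allowed: set) -> bool:
    """Overwrite every option whose kind is not allowed with NOPs. Returns True if anything changed."""
    i, changed = 0, False
    while i < len(options):
        kind = options[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        olen = options[i + 1] if i + 1 < len(options) else 0
        if olen < 2 or i + olen > len(options):
            break                                # malformed option list: leave the rest untouched
        if kind not in allowed:
            options[i:i + olen] = bytes([NOP]) * olen
            changed = True
        i += olen
    return changed


def normalize_tcp(segment: bytes, cfg: TcpNorm):
    """Return (rewritten segment, list of normalizations applied). The checksum is not recomputed."""
    h = parse_tcp(segment)
    flags, urgp, payload, done = h["flags"], h["urgp"], h["payload"], []
    if cfg.rsv and h["reserved"]:
        h["reserved"] = 0
        done.append("rsv")
    if cfg.opts:
        allowed = KEEP_ALWAYS | set(cfg.allow_codes)
        for name in cfg.allow_names:
            allowed |= OPTION_NAMES[name]
        if scrub_options(h["options"], allowed):
            done.append("opts")
    if cfg.req_urg and not flags & URG and urgp:            # pointer without URG: clear pointer
        urgp = 0
        done.append("req_urg")
    if cfg.req_pay and not payload and (flags & URG or urgp):  # nothing to point at: clear both
        flags, urgp = flags & ~URG, 0
        done.append("req_pay")
    if cfg.req_urp and flags & URG and urgp == 0:           # URG without a pointer: clear the flag
        flags &= ~URG
        done.append("req_urp")
    if cfg.urp and flags & URG and urgp > len(payload):     # pointer past the data: clamp it
        urgp = len(payload)
        done.append("urp")
    if cfg.trim_syn and flags & SYN and payload:
        payload = b""
        done.append("trim_syn")
    if cfg.trim_rst and flags & RST and payload:
        payload = b""
        done.append("trim_rst")
    off_flags = (h["hlen"] // 4) << 12 | h["reserved"] | flags
    header = struct.pack("!HHIIHHHH", h["src"], h["dst"], h["seq"], h["ack"], off_flags, h["win"], h["csum"], urgp)
    return header + bytes(h["options"]) + payload, done


def build_segment(flags, reserved_bits=0, urgp=0, options=b"", payload=b"") -> bytes:
    """Constructed sample input (not captured traffic): ports 1234->80, options padded with EOL to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    off_flags = (5 + len(options) // 4) << 12 | (reserved_bits & 7) << 9 | flags
    return struct.pack("!HHIIHHHH", 1234, 80, 1, 0, off_flags, 65535, 0, urgp) + options + payload


# SYN carrying data, all three reserved bits set, MSS + SACK-permitted + wscale options, stray urgent pointer
SAMPLE_SEGMENT = build_segment(SYN, reserved_bits=7, urgp=5,
                               options=bytes.fromhex("020405b4" "0402" "01" "030307" "0101"), payload=b"GET")
```

Run against SAMPLE_SEGMENT with rsv, opts, req_urg and trim_syn enabled, the SACK-permitted option becomes two NOPs, the reserved bits and urgent pointer are zeroed and the data on the SYN is dropped, while the MSS and window-scale options survive; with allow_names={"sack"} the segment passes through unchanged. The scrubbing removes exactly the ambiguities (reserved bits, urgent data, data on SYN) that IDS evasion tools exploit to make the sensor and the end host see different streams.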
5.34. perf_monitor

--------------

Help: performance monitoring and flow statistics collection

Type: inspector (probe)

Usage: global

Instance Type: global

Configuration:

  * bool perf_monitor.base = true: enable base statistics
  * bool perf_monitor.cpu = false: enable cpu statistics
  * bool perf_monitor.flow = false: enable traffic statistics
  * bool perf_monitor.flow_ip = false: enable statistics on host pairs
  * int perf_monitor.packets = 10000: minimum packets to report { 0:max32 }
  * int perf_monitor.seconds = 60: report interval { 0:max32 }
  * int perf_monitor.flow_ip_memcap = 52428800: maximum memory in bytes for flow tracking { 236:maxSZ }
  * int perf_monitor.max_file_size = 1073741824: files will be rolled over if they exceed this size { 4096:max53 }
  * int perf_monitor.flow_ports = 1023: maximum ports to track { 0:65535 }
  * enum perf_monitor.output = file: output location for stats { file | console }
  * string perf_monitor.modules[].name: name of the module
  * string perf_monitor.modules[].pegs: list of statistics to track or empty for all counters
  * enum perf_monitor.format = csv: output format for stats { csv | text | json | flatbuffers }
  * bool perf_monitor.summary = false: output summary at shutdown

Commands:

  * perf_monitor.enable_flow_ip_profiling(seconds, packets): enable statistics on host pairs
  * perf_monitor.disable_flow_ip_profiling(): disable statistics on host pairs
  * perf_monitor.show_flow_ip_profiling(): show status of statistics on host pairs

Peg counts:

  * perf_monitor.packets: total packets processed by performance monitor (sum)
  * perf_monitor.flow_tracker_creates: total number of flow trackers created (sum)
  * perf_monitor.flow_tracker_total_deletes: flow trackers deleted to stay below memcap limit (sum)
  * perf_monitor.flow_tracker_reload_deletes: flow trackers deleted due to memcap change on config reload (sum)
  * perf_monitor.flow_tracker_prunes: flow trackers pruned for reuse by new flows (sum)


5.35. pop

--------------

Help: pop inspection

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Configuration:

  * int pop.b64_decode_depth = -1: base64 decoding depth (-1 no limit) { -1:65535 }
  * int pop.bitenc_decode_depth = -1: non-encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }
  * bool pop.decompress_pdf = false: decompress pdf files in MIME attachments
  * bool pop.decompress_swf = false: decompress swf files in MIME attachments
  * bool pop.decompress_zip = false: decompress zip files in MIME attachments
  * bool pop.decompress_vba = false: decompress MS Office Visual Basic for Applications macro files in MIME attachments
  * int pop.qp_decode_depth = -1: Quoted-Printable decoding depth (-1 no limit) { -1:65535 }
  * int pop.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }

Rules:

  * 142:1 (pop) unknown POP3 command
  * 142:2 (pop) unknown POP3 response
  * 142:4 (pop) base64 decoding failed
  * 142:5 (pop) quoted-printable decoding failed
  * 142:7 (pop) Unix-to-Unix decoding failed
  * 142:8 (pop) file decompression failed

Peg counts:

  * pop.packets: total packets processed (sum)
  * pop.total_bytes: total number of bytes processed (sum)
  * pop.sessions: total pop sessions (sum)
  * pop.concurrent_sessions: total concurrent pop sessions (now)
  * pop.max_concurrent_sessions: maximum concurrent pop sessions (max)
  * pop.start_tls: total STARTTLS events generated (sum)
  * pop.ssl_search_abandoned: total SSL search abandoned (sum)
  * pop.ssl_srch_abandoned_early: total SSL search abandoned too soon (sum)
  * pop.b64_attachments: total base64 attachments decoded (sum)
  * pop.b64_decoded_bytes: total base64 decoded bytes (sum)
  * pop.qp_attachments: total quoted-printable attachments decoded (sum)
  * pop.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
  * pop.uu_attachments: total uu attachments decoded (sum)
  * pop.uu_decoded_bytes: total uu decoded bytes (sum)
  * pop.non_encoded_attachments: total non-encoded attachments extracted (sum)
  * pop.non_encoded_bytes: total non-encoded extracted bytes (sum)


5.36. port_scan

--------------

Help: detect various ip, icmp, tcp, and udp port or protocol scans

Type: inspector (probe)

Usage: global

Instance Type: global

Configuration:

  * int port_scan.memcap = 10485760: maximum tracker memory in bytes { 1024:maxSZ }
  * multi port_scan.protos = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }
  * multi port_scan.scan_types = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }
  * string port_scan.watch_ip: list of CIDRs with optional ports to watch
  * string port_scan.ignore_scanners: list of CIDRs with optional ports to ignore when they are the source of scan alerts
  * string port_scan.ignore_scanned: list of CIDRs with optional ports to ignore when they are the destination of scan alerts
  * bool port_scan.alert_all = false: alert on all events over threshold within window if true; else alert on first only
  * bool port_scan.include_midstream = false: also consider sessions picked up midstream when detecting scans
  * int port_scan.tcp_ports.scans = 100: scan attempts { 0:65535 }
  * int port_scan.tcp_ports.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.tcp_ports.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.tcp_ports.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.tcp_decoy.scans = 100: scan attempts { 0:65535 }
  * int port_scan.tcp_decoy.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.tcp_decoy.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.tcp_decoy.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.tcp_sweep.scans = 100: scan attempts { 0:65535 }
  * int port_scan.tcp_sweep.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.tcp_sweep.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.tcp_sweep.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.tcp_dist.scans = 100: scan attempts { 0:65535 }
  * int port_scan.tcp_dist.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.tcp_dist.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.tcp_dist.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.udp_ports.scans = 100: scan attempts { 0:65535 }
  * int port_scan.udp_ports.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.udp_ports.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.udp_ports.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.udp_decoy.scans = 100: scan attempts { 0:65535 }
  * int port_scan.udp_decoy.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.udp_decoy.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.udp_decoy.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.udp_sweep.scans = 100: scan attempts { 0:65535 }
  * int port_scan.udp_sweep.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.udp_sweep.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.udp_sweep.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.udp_dist.scans = 100: scan attempts { 0:65535 }
  * int port_scan.udp_dist.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.udp_dist.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.udp_dist.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.ip_proto.scans = 100: scan attempts { 0:65535 }
  * int port_scan.ip_proto.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.ip_proto.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.ip_proto.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.ip_decoy.scans = 100: scan attempts { 0:65535 }
  * int port_scan.ip_decoy.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.ip_decoy.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int port_scan.ip_decoy.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
  * int port_scan.ip_sweep.scans = 100: scan attempts { 0:65535 }
  * int port_scan.ip_sweep.rejects = 15: scan attempts with negative response { 0:65535 }
  * int port_scan.ip_sweep.nets = 25: number of times address changed from prior attempt { 0:65535 }
  * int
port_scan.ip_sweep.ports = 25: number of times port (or 4728 proto) changed from prior attempt { 0:65535 } 4729 * int port_scan.ip_dist.scans = 100: scan attempts { 0:65535 } 4730 * int port_scan.ip_dist.rejects = 15: scan attempts with negative 4731 response { 0:65535 } 4732 * int port_scan.ip_dist.nets = 25: number of times address changed 4733 from prior attempt { 0:65535 } 4734 * int port_scan.ip_dist.ports = 25: number of times port (or proto) 4735 changed from prior attempt { 0:65535 } 4736 * int port_scan.icmp_sweep.scans = 100: scan attempts { 0:65535 } 4737 * int port_scan.icmp_sweep.rejects = 15: scan attempts with 4738 negative response { 0:65535 } 4739 * int port_scan.icmp_sweep.nets = 25: number of times address 4740 changed from prior attempt { 0:65535 } 4741 * int port_scan.icmp_sweep.ports = 25: number of times port (or 4742 proto) changed from prior attempt { 0:65535 } 4743 * int port_scan.tcp_window = 0: detection interval for all TCP 4744 scans { 0:max32 } 4745 * int port_scan.udp_window = 0: detection interval for all UDP 4746 scans { 0:max32 } 4747 * int port_scan.ip_window = 0: detection interval for all IP scans 4748 { 0:max32 } 4749 * int port_scan.icmp_window = 0: detection interval for all ICMP 4750 scans { 0:max32 } 4751 4752Rules: 4753 4754 * 122:1 (port_scan) TCP portscan 4755 * 122:2 (port_scan) TCP decoy portscan 4756 * 122:3 (port_scan) TCP portsweep 4757 * 122:4 (port_scan) TCP distributed portscan 4758 * 122:5 (port_scan) TCP filtered portscan 4759 * 122:6 (port_scan) TCP filtered decoy portscan 4760 * 122:7 (port_scan) TCP filtered portsweep 4761 * 122:8 (port_scan) TCP filtered distributed portscan 4762 * 122:9 (port_scan) IP protocol scan 4763 * 122:10 (port_scan) IP decoy protocol scan 4764 * 122:11 (port_scan) IP protocol sweep 4765 * 122:12 (port_scan) IP distributed protocol scan 4766 * 122:13 (port_scan) IP filtered protocol scan 4767 * 122:14 (port_scan) IP filtered decoy protocol scan 4768 * 122:15 (port_scan) IP filtered 
protocol sweep 4769 * 122:16 (port_scan) IP filtered distributed protocol scan 4770 * 122:17 (port_scan) UDP portscan 4771 * 122:18 (port_scan) UDP decoy portscan 4772 * 122:19 (port_scan) UDP portsweep 4773 * 122:20 (port_scan) UDP distributed portscan 4774 * 122:21 (port_scan) UDP filtered portscan 4775 * 122:22 (port_scan) UDP filtered decoy portscan 4776 * 122:23 (port_scan) UDP filtered portsweep 4777 * 122:24 (port_scan) UDP filtered distributed portscan 4778 * 122:25 (port_scan) ICMP sweep 4779 * 122:26 (port_scan) ICMP filtered sweep 4780 * 122:27 (port_scan) open port 4781 4782Peg counts: 4783 4784 * port_scan.packets: number of packets processed by port scan (sum) 4785 * port_scan.trackers: number of trackers allocated by port scan 4786 (sum) 4787 * port_scan.alloc_prunes: number of trackers pruned on allocation 4788 of new tracking (sum) 4789 * port_scan.reload_prunes: number of trackers pruned on reload due 4790 to reduced memcap (sum) 4791 4792 47935.37. reputation 4794 4795-------------- 4796 4797Help: reputation inspection 4798 4799Type: inspector (first) 4800 4801Usage: context 4802 4803Instance Type: network 4804 4805Configuration: 4806 4807 * string reputation.blocklist: blocklist file name with IP lists 4808 * string reputation.list_dir: directory for IP lists and manifest 4809 file 4810 * int reputation.memcap = 500: maximum total MB of memory allocated 4811 { 1:4095 } 4812 * enum reputation.nested_ip = inner: IP to use when there is IP 4813 encapsulation { inner|outer|all } 4814 * enum reputation.priority = allowlist: defines priority when there 4815 is a decision conflict during run-time { blocklist|allowlist } 4816 * bool reputation.scan_local = false: inspect local address defined 4817 in RFC 1918 4818 * enum reputation.allow = do_not_block: specify the meaning of 4819 allowlist { do_not_block|trust } 4820 * string reputation.allowlist: allowlist file name with IP lists 4821 4822Rules: 4823 4824 * 136:1 (reputation) packets blocked based on 
source 4825 * 136:2 (reputation) packets trusted based on source 4826 * 136:3 (reputation) packets monitored based on source 4827 * 136:4 (reputation) packets blocked based on destination 4828 * 136:5 (reputation) packets trusted based on destination 4829 * 136:6 (reputation) packets monitored based on destination 4830 4831Peg counts: 4832 4833 * reputation.packets: total packets processed (sum) 4834 * reputation.blocked: number of packets blocked (sum) 4835 * reputation.trusted: number of packets trusted (sum) 4836 * reputation.monitored: number of packets monitored (sum) 4837 * reputation.memory_allocated: total memory allocated (sum) 4838 * reputation.aux_ip_blocked: number of auxiliary ip packets blocked 4839 (sum) 4840 * reputation.aux_ip_trusted: number of auxiliary ip packets trusted 4841 (sum) 4842 * reputation.aux_ip_monitored: number of auxiliary ip packets 4843 monitored (sum) 4844 4845 48465.38. rna 4847 4848-------------- 4849 4850Help: Real-time network awareness and OS fingerprinting 4851(experimental) 4852 4853Type: inspector (control) 4854 4855Usage: context 4856 4857Instance Type: network 4858 4859Configuration: 4860 4861 * string rna.rna_conf_path: path to rna configuration 4862 * bool rna.enable_logger = true: enable or disable writing 4863 discovery events into logger 4864 * bool rna.log_when_idle = false: enable host update logging when 4865 snort is idle 4866 * string rna.dump_file: file name to dump RNA mac cache on 4867 shutdown; won’t dump by default 4868 * int rna.tcp_fingerprints[].fpid = 0: fingerprint id { 0:max32 } 4869 * int rna.tcp_fingerprints[].type = 0: fingerprint type { 0:max32 } 4870 * string rna.tcp_fingerprints[].uuid: fingerprint uuid 4871 * int rna.tcp_fingerprints[].ttl = 0: fingerprint ttl { 0:256 } 4872 * string rna.tcp_fingerprints[].tcp_window: fingerprint tcp window 4873 * string rna.tcp_fingerprints[].mss = X: fingerprint mss 4874 * string rna.tcp_fingerprints[].id = X: id 4875 * string rna.tcp_fingerprints[].topts: 
fingerprint tcp options 4876 * string rna.tcp_fingerprints[].ws = X: fingerprint window size 4877 * bool rna.tcp_fingerprints[].df = false: fingerprint don’t 4878 fragment flag 4879 * enum rna.tcp_fingerprints[].ua_type = os: type of user agent 4880 fingerprints { os | device | jail-broken | jail-broken-host } 4881 * string rna.tcp_fingerprints[].user_agent[].substring: a substring 4882 of user agent string 4883 * string rna.tcp_fingerprints[].host_name: host name information 4884 * string rna.tcp_fingerprints[].device: device information 4885 * string rna.tcp_fingerprints[].dhcp55: dhcp option 55 values 4886 * string rna.tcp_fingerprints[].dhcp60: dhcp option 60 values 4887 * int rna.tcp_fingerprints[].major: smb major version { 0:max31 } 4888 * int rna.tcp_fingerprints[].minor: smb minor version { 0:max31 } 4889 * int rna.tcp_fingerprints[].flags: smb flags { 0:max32 } 4890 * int rna.ua_fingerprints[].fpid = 0: fingerprint id { 0:max32 } 4891 * int rna.ua_fingerprints[].type = 0: fingerprint type { 0:max32 } 4892 * string rna.ua_fingerprints[].uuid: fingerprint uuid 4893 * int rna.ua_fingerprints[].ttl = 0: fingerprint ttl { 0:256 } 4894 * string rna.ua_fingerprints[].tcp_window: fingerprint tcp window 4895 * string rna.ua_fingerprints[].mss = X: fingerprint mss 4896 * string rna.ua_fingerprints[].id = X: id 4897 * string rna.ua_fingerprints[].topts: fingerprint tcp options 4898 * string rna.ua_fingerprints[].ws = X: fingerprint window size 4899 * bool rna.ua_fingerprints[].df = false: fingerprint don’t fragment 4900 flag 4901 * enum rna.ua_fingerprints[].ua_type = os: type of user agent 4902 fingerprints { os | device | jail-broken | jail-broken-host } 4903 * string rna.ua_fingerprints[].user_agent[].substring: a substring 4904 of user agent string 4905 * string rna.ua_fingerprints[].host_name: host name information 4906 * string rna.ua_fingerprints[].device: device information 4907 * string rna.ua_fingerprints[].dhcp55: dhcp option 55 values 4908 * string 
rna.ua_fingerprints[].dhcp60: dhcp option 60 values 4909 * int rna.ua_fingerprints[].major: smb major version { 0:max31 } 4910 * int rna.ua_fingerprints[].minor: smb minor version { 0:max31 } 4911 * int rna.ua_fingerprints[].flags: smb flags { 0:max32 } 4912 * int rna.udp_fingerprints[].fpid = 0: fingerprint id { 0:max32 } 4913 * int rna.udp_fingerprints[].type = 0: fingerprint type { 0:max32 } 4914 * string rna.udp_fingerprints[].uuid: fingerprint uuid 4915 * int rna.udp_fingerprints[].ttl = 0: fingerprint ttl { 0:256 } 4916 * string rna.udp_fingerprints[].tcp_window: fingerprint tcp window 4917 * string rna.udp_fingerprints[].mss = X: fingerprint mss 4918 * string rna.udp_fingerprints[].id = X: id 4919 * string rna.udp_fingerprints[].topts: fingerprint tcp options 4920 * string rna.udp_fingerprints[].ws = X: fingerprint window size 4921 * bool rna.udp_fingerprints[].df = false: fingerprint don’t 4922 fragment flag 4923 * enum rna.udp_fingerprints[].ua_type = os: type of user agent 4924 fingerprints { os | device | jail-broken | jail-broken-host } 4925 * string rna.udp_fingerprints[].user_agent[].substring: a substring 4926 of user agent string 4927 * string rna.udp_fingerprints[].host_name: host name information 4928 * string rna.udp_fingerprints[].device: device information 4929 * string rna.udp_fingerprints[].dhcp55: dhcp option 55 values 4930 * string rna.udp_fingerprints[].dhcp60: dhcp option 60 values 4931 * int rna.udp_fingerprints[].major: smb major version { 0:max31 } 4932 * int rna.udp_fingerprints[].minor: smb minor version { 0:max31 } 4933 * int rna.udp_fingerprints[].flags: smb flags { 0:max32 } 4934 * int rna.smb_fingerprints[].fpid = 0: fingerprint id { 0:max32 } 4935 * int rna.smb_fingerprints[].type = 0: fingerprint type { 0:max32 } 4936 * string rna.smb_fingerprints[].uuid: fingerprint uuid 4937 * int rna.smb_fingerprints[].ttl = 0: fingerprint ttl { 0:256 } 4938 * string rna.smb_fingerprints[].tcp_window: fingerprint tcp window 4939 * string 
rna.smb_fingerprints[].mss = X: fingerprint mss 4940 * string rna.smb_fingerprints[].id = X: id 4941 * string rna.smb_fingerprints[].topts: fingerprint tcp options 4942 * string rna.smb_fingerprints[].ws = X: fingerprint window size 4943 * bool rna.smb_fingerprints[].df = false: fingerprint don’t 4944 fragment flag 4945 * enum rna.smb_fingerprints[].ua_type = os: type of user agent 4946 fingerprints { os | device | jail-broken | jail-broken-host } 4947 * string rna.smb_fingerprints[].user_agent[].substring: a substring 4948 of user agent string 4949 * string rna.smb_fingerprints[].host_name: host name information 4950 * string rna.smb_fingerprints[].device: device information 4951 * string rna.smb_fingerprints[].dhcp55: dhcp option 55 values 4952 * string rna.smb_fingerprints[].dhcp60: dhcp option 60 values 4953 * int rna.smb_fingerprints[].major: smb major version { 0:max31 } 4954 * int rna.smb_fingerprints[].minor: smb minor version { 0:max31 } 4955 * int rna.smb_fingerprints[].flags: smb flags { 0:max32 } 4956 4957Commands: 4958 4959 * rna.dump_macs(): dump rna’s internal MAC trackers 4960 * rna.delete_mac_host(mac): delete a MAC from rna’s MAC cache 4961 * rna.delete_mac_host_proto(mac, proto): delete a protocol 4962 associated with a MAC host 4963 * rna.purge_data(): purge all host cache and mac cache data 4964 4965Peg counts: 4966 4967 * rna.appid_change: count of appid change events received (sum) 4968 * rna.cpe_os: count of CPE OS events received (sum) 4969 * rna.icmp_bidirectional: count of bidirectional ICMP flows 4970 received (sum) 4971 * rna.icmp_new: count of new ICMP flows received (sum) 4972 * rna.ip_bidirectional: count of bidirectional IP received (sum) 4973 * rna.ip_new: count of new IP flows received (sum) 4974 * rna.udp_bidirectional: count of bidirectional UDP flows received 4975 (sum) 4976 * rna.udp_new: count of new UDP flows received (sum) 4977 * rna.tcp_syn: count of TCP SYN packets received (sum) 4978 * rna.tcp_syn_ack: count of TCP 
SYN-ACK packets received (sum) 4979 * rna.tcp_midstream: count of TCP midstream packets received (sum) 4980 * rna.other_packets: count of packets received without session 4981 tracking (sum) 4982 * rna.change_host_update: count number of change host update events 4983 (sum) 4984 * rna.dhcp_data: count of DHCP data events received (sum) 4985 * rna.dhcp_info: count of new DHCP lease events received (sum) 4986 * rna.smb: count of new SMB events received (sum) 4987 4988 49895.39. rpc_decode 4990 4991-------------- 4992 4993Help: RPC inspector 4994 4995Type: inspector (service) 4996 4997Usage: inspect 4998 4999Instance Type: multiton 5000 5001Rules: 5002 5003 * 106:1 (rpc_decode) fragmented RPC records 5004 * 106:2 (rpc_decode) multiple RPC records 5005 * 106:3 (rpc_decode) large RPC record fragment 5006 * 106:4 (rpc_decode) incomplete RPC segment 5007 * 106:5 (rpc_decode) zero-length RPC fragment 5008 5009Peg counts: 5010 5011 * rpc_decode.total_packets: total packets (sum) 5012 * rpc_decode.concurrent_sessions: total concurrent rpc sessions 5013 (now) 5014 * rpc_decode.max_concurrent_sessions: maximum concurrent rpc 5015 sessions (max) 5016 5017 50185.40. s7commplus 5019 5020-------------- 5021 5022Help: s7commplus inspection 5023 5024Type: inspector (service) 5025 5026Usage: inspect 5027 5028Instance Type: multiton 5029 5030Rules: 5031 5032 * 149:1 (s7commplus) length in S7commplus MBAP header does not 5033 match the length needed for the given S7commplus function 5034 * 149:2 (s7commplus) S7commplus protocol ID is non-zero 5035 * 149:3 (s7commplus) reserved S7commplus function code in use 5036 5037Peg counts: 5038 5039 * s7commplus.sessions: total sessions processed (sum) 5040 * s7commplus.frames: total S7commplus messages (sum) 5041 * s7commplus.concurrent_sessions: total concurrent s7commplus 5042 sessions (now) 5043 * s7commplus.max_concurrent_sessions: maximum concurrent s7commplus 5044 sessions (max) 5045 5046 50475.41. 
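The port_scan and reputation sections above list parameters one by one but do not show how they are combined in snort.lua. The following is an added example, not configuration from this manual or from the Snort project: it tightens port_scan for one monitored server range, exempts an authorized scanner, and points reputation at a blocklist and an allowlist. The addresses, file paths and thresholds are constructed for illustration, and the plain one-address-per-line list format is assumed.

```lua
-- snort.lua fragment (added example; addresses, paths and limits are constructed)

-- Scan detection for a monitored server range. scans/rejects below the
-- defaults (100/15) make the detector fire sooner; *_window is the
-- detection interval over which the per-tracker counters accumulate.
port_scan =
{
    memcap = 10485760,

    -- 'multi' parameters take a space-separated list; drop the types
    -- you do not want instead of using 'all'
    protos = 'tcp udp icmp',
    scan_types = 'portscan portsweep decoy_portscan',

    watch_ip = '10.10.0.0/16',          -- only traffic involving this range is tracked
    ignore_scanners = '10.10.250.5',    -- constructed: the authorized vulnerability scanner
    ignore_scanned = '10.10.0.1',       -- constructed: gateway that answers on every port

    tcp_ports = { scans = 50, rejects = 10, nets = 25, ports = 25 },
    tcp_sweep = { scans = 50, rejects = 10, nets = 25, ports = 25 },
    udp_ports = { scans = 50, rejects = 10, nets = 25, ports = 25 },

    tcp_window = 60,
    udp_window = 60,
    icmp_window = 60,

    alert_all = false,           -- one event per window; true repeats it for every hit
    include_midstream = false,   -- flows seen without their start are not counted
}

-- IP reputation. Each list file is assumed to hold one address or CIDR
-- per line with '#' starting a comment; list_dir plus a manifest is the
-- multi-list alternative and is not shown here.
reputation =
{
    blocklist = '/etc/snort/lists/blocklist.txt',
    allowlist = '/etc/snort/lists/allowlist.txt',
    allow = 'do_not_block',     -- 'trust' would also stop all further inspection of the flow (136:2/136:5)
    priority = 'allowlist',     -- an address present on both lists is allowed, not blocked
    nested_ip = 'inner',        -- which IP header is looked up for tunnelled traffic
    scan_local = false,         -- RFC 1918 addresses are not looked up at all
    memcap = 500,               -- MB
}

-- Both inspectors report only through builtin rules (gid 122 and 136);
-- with those rules disabled the trackers still run but nothing is alerted.
ips =
{
    enable_builtin_rules = true,
}
```

Validate the result with `snort -c snort.lua -T` before deploying, and use `snort --help-module port_scan` (or `reputation`) to print the same parameter list this section gives. enable_builtin_rules switches on every builtin rule in the product; in production, enable the 122:x and 136:x sids you actually want in the rules file instead.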
5.41. sip

--------------

Help: sip inspection

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Configuration:

 * bool sip.ignore_call_channel = false: enable ignoring of the negotiated audio/video data channel
 * int sip.max_call_id_len = 256: maximum call id field size { 0:65535 }
 * int sip.max_contact_len = 256: maximum contact field size { 0:65535 }
 * int sip.max_content_len = 1024: maximum content length of the message body { 0:65535 }
 * int sip.max_dialogs = 4: maximum number of dialogs within one stream session { 1:max32 }
 * int sip.max_from_len = 256: maximum from field size { 0:65535 }
 * int sip.max_request_name_len = 20: maximum request name field size { 0:65535 }
 * int sip.max_requestName_len = 20: deprecated - use max_request_name_len instead { 0:65535 }
 * int sip.max_to_len = 256: maximum to field size { 0:65535 }
 * int sip.max_uri_len = 256: maximum request uri field size { 0:65535 }
 * int sip.max_via_len = 1024: maximum via field size { 0:65535 }
 * string sip.methods = invite cancel ack bye register options: list of methods to check in SIP messages

Rules:

 * 140:2 (sip) empty request URI
 * 140:3 (sip) URI is too long
 * 140:4 (sip) empty Call-Id
 * 140:5 (sip) Call-Id is too long
 * 140:6 (sip) CSeq number is too large or negative
 * 140:7 (sip) request name in CSeq is too long
 * 140:8 (sip) empty From header
 * 140:9 (sip) From header is too long
 * 140:10 (sip) empty To header
 * 140:11 (sip) To header is too long
 * 140:12 (sip) empty Via header
 * 140:13 (sip) Via header is too long
 * 140:14 (sip) empty Contact
 * 140:15 (sip) Contact is too long
 * 140:16 (sip) content length is too large or negative
 * 140:17 (sip) multiple SIP messages in a packet
 * 140:18 (sip) content length mismatch
 * 140:19 (sip) request name is invalid
 * 140:20 (sip) Invite replay attack
 * 140:21 (sip) illegal session information modification
 * 140:22 (sip) response status code is not a 3 digit number
 * 140:23 (sip) empty Content-type header
 * 140:24 (sip) SIP version is invalid
 * 140:25 (sip) mismatch in METHOD of request and the CSEQ header
 * 140:26 (sip) method is unknown
 * 140:27 (sip) maximum dialogs within a session reached

Peg counts:

 * sip.packets: total packets (sum)
 * sip.sessions: total sessions (sum)
 * sip.concurrent_sessions: total concurrent SIP sessions (now)
 * sip.max_concurrent_sessions: maximum concurrent SIP sessions (max)
 * sip.events: events generated (sum)
 * sip.dialogs: total dialogs (sum)
 * sip.ignored_channels: total channels ignored (sum)
 * sip.ignored_sessions: total sessions ignored (sum)
 * sip.total_requests: total requests (sum)
 * sip.invite: invite (sum)
 * sip.cancel: cancel (sum)
 * sip.ack: ack (sum)
 * sip.bye: bye (sum)
 * sip.register: register (sum)
 * sip.options: options (sum)
 * sip.refer: refer (sum)
 * sip.subscribe: subscribe (sum)
 * sip.update: update (sum)
 * sip.join: join (sum)
 * sip.info: info (sum)
 * sip.message: message (sum)
 * sip.notify: notify (sum)
 * sip.prack: prack (sum)
 * sip.total_responses: total responses (sum)
 * sip.code_1xx: 1xx (sum)
 * sip.code_2xx: 2xx (sum)
 * sip.code_3xx: 3xx (sum)
 * sip.code_4xx: 4xx (sum)
 * sip.code_5xx: 5xx (sum)
 * sip.code_6xx: 6xx (sum)
 * sip.code_7xx: 7xx (sum)
 * sip.code_8xx: 8xx (sum)
 * sip.code_9xx: 9xx (sum)

5.42. smtp

--------------

Help: smtp inspection

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Configuration:

 * string smtp.alt_max_command_line_len[].command: command string
 * int smtp.alt_max_command_line_len[].length = 0: specify non-default maximum for command { 0:max32 }
 * string smtp.auth_cmds: commands that initiate an authentication exchange
 * int smtp.b64_decode_depth = -1: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }
 * string smtp.binary_data_cmds: commands that initiate sending of data and use a length value after the command
 * int smtp.bitenc_decode_depth = -1: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }
 * string smtp.data_cmds: commands that initiate sending of data with an end of data delimiter
 * bool smtp.decompress_pdf = false: decompress pdf files in MIME attachments
 * bool smtp.decompress_swf = false: decompress swf files in MIME attachments
 * bool smtp.decompress_zip = false: decompress zip files in MIME attachments
 * bool smtp.decompress_vba = false: decompress MS Office Visual Basic for Applications macro files in MIME attachments
 * int smtp.email_hdrs_log_depth = 1464: depth for logging email headers { 0:20480 }
 * bool smtp.ignore_data = false: ignore data section of mail
 * bool smtp.ignore_tls_data = false: ignore TLS-encrypted data when processing rules
 * string smtp.invalid_cmds: alert if this command is sent from client side
 * bool smtp.log_email_hdrs = false: log the SMTP email headers extracted from SMTP data
 * bool smtp.log_filename = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body
 * bool smtp.log_mailfrom = false: log the sender’s email address extracted from the MAIL FROM command
 * bool smtp.log_rcptto = false: log the recipient’s email address extracted from the RCPT TO command
 * int smtp.max_auth_command_line_len = 1000: maximum auth command line length { 0:65535 }
 * int smtp.max_command_line_len = 512: maximum command line length { 0:65535 }
 * int smtp.max_header_line_len = 1000: maximum SMTP DATA header line length { 0:65535 }
 * int smtp.max_response_line_len = 512: maximum SMTP response line length { 0:65535 }
 * enum smtp.normalize = none: turns on/off normalization { none | cmds | all }
 * string smtp.normalize_cmds: list of commands to normalize
 * int smtp.qp_decode_depth = -1: quoted-printable decoding depth (-1 no limit) { -1:65535 }
 * int smtp.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
 * string smtp.valid_cmds: list of valid commands
 * enum smtp.xlink2state = alert: enable/disable xlink2state alert { disable | alert | drop }

Rules:

 * 124:1 (smtp) attempted command buffer overflow
 * 124:2 (smtp) attempted data header buffer overflow
 * 124:3 (smtp) attempted response buffer overflow
 * 124:4 (smtp) attempted specific command buffer overflow
 * 124:5 (smtp) unknown command
 * 124:6 (smtp) illegal command
 * 124:7 (smtp) attempted header name buffer overflow
 * 124:8 (smtp) attempted X-Link2State command buffer overflow
 * 124:10 (smtp) base64 decoding failed
 * 124:11 (smtp) quoted-printable decoding failed
 * 124:13 (smtp) Unix-to-Unix decoding failed
 * 124:14 (smtp) Cyrus SASL authentication attack
 * 124:15 (smtp) attempted authentication command buffer overflow
 * 124:16 (smtp) file decompression failed

Peg counts:

 * smtp.packets: total packets processed (sum)
 * smtp.total_bytes: total number of bytes processed (sum)
 * smtp.sessions: total smtp sessions (sum)
 * smtp.concurrent_sessions: total concurrent smtp sessions (now)
 * smtp.max_concurrent_sessions: maximum concurrent smtp sessions (max)
 * smtp.start_tls: total STARTTLS events generated (sum)
 * smtp.ssl_search_abandoned: total SSL search abandoned (sum)
 * smtp.ssl_srch_abandoned_early: total SSL search abandoned too soon (sum)
 * smtp.b64_attachments: total base64 attachments decoded (sum)
 * smtp.b64_decoded_bytes: total base64 decoded bytes (sum)
 * smtp.qp_attachments: total quoted-printable attachments decoded (sum)
 * smtp.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
 * smtp.uu_attachments: total uu attachments decoded (sum)
 * smtp.uu_decoded_bytes: total uu decoded bytes (sum)
 * smtp.non_encoded_attachments: total non-encoded attachments extracted (sum)
 * smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)


5.43. so_proxy

--------------

Help: a proxy inspector to track flow data from SO rules (internal use only)

Type: inspector (passive)

Usage: global

Instance Type: global

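The smtp parameters above fall into four groups: decoder depths, attachment decompression, line-length limits behind the 124:x overflow rules, and envelope/header logging. This added example (not configuration from this manual or from the Snort project) shows one smtp instance bound to the mail ports that exercises each group, including the list syntax for alt_max_command_line_len. The port numbers, per-command limits and the invalid_cmds list are constructed for illustration.

```lua
-- snort.lua fragment (added example; limits and command lists are constructed)

smtp =
{
    -- Decode every MIME body in full so rules and file inspection see the
    -- real attachment bytes; -1 means no depth limit.
    b64_decode_depth = -1,
    qp_decode_depth = -1,
    uu_decode_depth = -1,
    bitenc_decode_depth = -1,

    -- Inflate compressed document types before they reach detection.
    decompress_pdf = true,
    decompress_swf = true,
    decompress_zip = true,
    decompress_vba = true,

    -- Line-length limits behind 124:1, 124:2, 124:3 and 124:15.
    max_command_line_len = 512,
    max_auth_command_line_len = 1000,
    max_header_line_len = 1000,
    max_response_line_len = 512,

    -- Per-command overrides (124:4) use the list-of-tables form.
    alt_max_command_line_len =
    {
        { command = 'MAIL', length = 260 },
        { command = 'RCPT', length = 300 },
    },

    -- Commands that should never come from a client here (124:6).
    invalid_cmds = 'WIZ DEBUG',

    -- Normalize the listed commands before matching.
    normalize = 'cmds',
    normalize_cmds = 'RCPT VRFY EXPN',

    -- X-Link2State (124:8): 'drop' only takes effect when Snort is inline.
    xlink2state = 'drop',

    -- Ciphertext after STARTTLS cannot be matched; do not feed it to rules.
    ignore_tls_data = true,

    -- Envelope and header details for the alert/log records.
    log_mailfrom = true,
    log_rcptto = true,
    log_filename = true,
    log_email_hdrs = true,
    email_hdrs_log_depth = 1464,
}

-- smtp is a service inspector: bind it by port for traffic the wizard
-- cannot identify and by service for everything else.
binder =
{
    { when = { proto = 'tcp', ports = '25 587', role = 'server' }, use = { type = 'smtp' } },
    { when = { service = 'smtp' }, use = { type = 'smtp' } },
    { use = { type = 'wizard' } },
}
```

The decode depths interact with memory: with every depth at -1 a large attachment is decoded in full per session, so watch smtp.b64_decoded_bytes and the concurrent-session pegs after enabling this on a busy relay.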
5.44. ssh

--------------

Help: ssh inspection

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Configuration:

 * int ssh.max_encrypted_packets = 25: ignore session after this many encrypted packets { 0:65535 }
 * int ssh.max_client_bytes = 19600: number of unanswered bytes before alerting on challenge-response overflow or CRC32 { 0:65535 }
 * int ssh.max_server_version_len = 80: limit before alerting on SecureCRT server version string overflow { 0:255 }

Rules:

 * 128:1 (ssh) challenge-response overflow exploit
 * 128:2 (ssh) SSH1 CRC32 exploit
 * 128:3 (ssh) server version string overflow
 * 128:5 (ssh) bad message direction
 * 128:6 (ssh) payload size incorrect for the given payload
 * 128:7 (ssh) failed to detect SSH version string

Peg counts:

 * ssh.packets: total packets (sum)
 * ssh.total_bytes: total number of bytes processed (sum)
 * ssh.concurrent_sessions: total concurrent ssh sessions (now)
 * ssh.max_concurrent_sessions: maximum concurrent ssh sessions (max)


5.45. ssl

--------------

Help: ssl inspection

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Configuration:

 * bool ssl.trust_servers = false: disables the requirement that application (encrypted) data must be observed on both sides
 * int ssl.max_heartbeat_length = 0: maximum length of heartbeat record allowed { 0:65535 }

Rules:

 * 137:1 (ssl) invalid client HELLO after server HELLO detected
 * 137:2 (ssl) invalid server HELLO without client HELLO detected
 * 137:3 (ssl) heartbeat read overrun attempt detected
 * 137:4 (ssl) large heartbeat response detected

Peg counts:

 * ssl.packets: total packets processed (sum)
 * ssl.decoded: ssl packets decoded (sum)
 * ssl.client_hello: total client hellos (sum)
 * ssl.server_hello: total server hellos (sum)
 * ssl.certificate: total ssl certificates (sum)
 * ssl.server_done: total server done (sum)
 * ssl.client_key_exchange: total client key exchanges (sum)
 * ssl.server_key_exchange: total server key exchanges (sum)
 * ssl.change_cipher: total change cipher records (sum)
 * ssl.finished: total handshakes finished (sum)
 * ssl.client_application: total client application records (sum)
 * ssl.server_application: total server application records (sum)
 * ssl.alert: total ssl alert records (sum)
 * ssl.unrecognized_records: total unrecognized records (sum)
 * ssl.handshakes_completed: total completed ssl handshakes (sum)
 * ssl.bad_handshakes: total bad handshakes (sum)
 * ssl.sessions_ignored: total sessions ignored (sum)
 * ssl.detection_disabled: total detection disabled (sum)
 * ssl.concurrent_sessions: total concurrent ssl sessions (now)
 * ssl.max_concurrent_sessions: maximum concurrent ssl sessions (max)

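Of the two ssl parameters above, one loosens the inspector's view of a flow and the other is off by default; the ssh parameters are the bounds behind 128:1, 128:2 and 128:3. This added example (not configuration from this manual or from the Snort project) shows the weak ssl form next to the recommended one and binds both inspectors; the values and the port bindings are illustrative.

```lua
-- snort.lua fragment (added example)

ssh =
{
    max_encrypted_packets = 25,    -- stop examining a session after this many encrypted packets
    max_client_bytes = 19600,      -- unanswered client bytes before 128:1 / 128:2 fire
    max_server_version_len = 80,   -- bound behind 128:3
}

-- Weak form: trust_servers = true treats the flow as encrypted as soon as
-- the server side shows application data, without waiting for the client
-- side; detection is switched off that much earlier (ssl.detection_disabled).
-- ssl = { trust_servers = true, max_heartbeat_length = 0 }

-- Recommended form: require application data in both directions before
-- giving up on the flow, and bound heartbeat records so 137:3 (oversized
-- heartbeat request) and 137:4 (oversized heartbeat response) can fire.
-- With the default of 0 the heartbeat length is not checked at all.
ssl =
{
    trust_servers = false,
    max_heartbeat_length = 1024,
}

-- Both are service inspectors: bind them on the service the wizard
-- identifies, with fixed ports as the fallback.
binder =
{
    { when = { service = 'ssh' }, use = { type = 'ssh' } },
    { when = { service = 'ssl' }, use = { type = 'ssl' } },
    { when = { proto = 'tcp', ports = '22', role = 'server' }, use = { type = 'ssh' } },
    { when = { proto = 'tcp', ports = '443', role = 'server' }, use = { type = 'ssl' } },
    { use = { type = 'wizard' } },
}
```

A legitimate heartbeat payload is small, so a bound of a few hundred to a few thousand bytes leaves normal traffic untouched while still catching a length field that does not match the record.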
stream 5367 5368-------------- 5369 5370Help: common flow tracking 5371 5372Type: inspector (stream) 5373 5374Usage: global 5375 5376Instance Type: global 5377 5378Configuration: 5379 5380 * bool stream.ip_frags_only = false: don’t process non-frag flows 5381 * int stream.max_flows = 476288: maximum simultaneous flows tracked 5382 before pruning { 2:max32 } 5383 * int stream.pruning_timeout = 30: minimum inactive time before 5384 being eligible for pruning { 1:max32 } 5385 * int stream.held_packet_timeout = 1000: timeout in milliseconds 5386 for held packets { 1:max32 } 5387 * int stream.ip_cache.idle_timeout = 180: maximum inactive time 5388 before retiring session tracker { 1:max32 } 5389 * int stream.ip_cache.cap_weight = 0: additional bytes to track per 5390 flow for better estimation against cap { 0:65535 } 5391 * int stream.icmp_cache.idle_timeout = 180: maximum inactive time 5392 before retiring session tracker { 1:max32 } 5393 * int stream.icmp_cache.cap_weight = 0: additional bytes to track 5394 per flow for better estimation against cap { 0:65535 } 5395 * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time 5396 before retiring session tracker { 1:max32 } 5397 * int stream.tcp_cache.cap_weight = 11000: additional bytes to 5398 track per flow for better estimation against cap { 0:65535 } 5399 * int stream.udp_cache.idle_timeout = 180: maximum inactive time 5400 before retiring session tracker { 1:max32 } 5401 * int stream.udp_cache.cap_weight = 0: additional bytes to track 5402 per flow for better estimation against cap { 0:65535 } 5403 * int stream.user_cache.idle_timeout = 180: maximum inactive time 5404 before retiring session tracker { 1:max32 } 5405 * int stream.user_cache.cap_weight = 0: additional bytes to track 5406 per flow for better estimation against cap { 0:65535 } 5407 * int stream.file_cache.idle_timeout = 180: maximum inactive time 5408 before retiring session tracker { 1:max32 } 5409 * int stream.file_cache.cap_weight = 32: 
additional bytes to track 5410 per flow for better estimation against cap { 0:65535 } 5411 5412Rules: 5413 5414 * 135:1 (stream) TCP SYN received 5415 * 135:2 (stream) TCP session established 5416 * 135:3 (stream) TCP session cleared 5417 5418Peg counts: 5419 5420 * stream.flows: total sessions (sum) 5421 * stream.total_prunes: total sessions pruned (sum) 5422 * stream.idle_prunes: sessions pruned due to timeout (sum) 5423 * stream.excess_prunes: sessions pruned due to excess (sum) 5424 * stream.uni_prunes: uni sessions pruned (sum) 5425 * stream.preemptive_prunes: sessions pruned during preemptive 5426 pruning (deprecated) (sum) 5427 * stream.memcap_prunes: sessions pruned due to memcap (sum) 5428 * stream.ha_prunes: sessions pruned by high availability sync (sum) 5429 * stream.stale_prunes: sessions pruned due to stale connection 5430 (sum) 5431 * stream.expected_flows: total expected flows created within snort 5432 (sum) 5433 * stream.expected_realized: number of expected flows realized (sum) 5434 * stream.expected_pruned: number of expected flows pruned (sum) 5435 * stream.expected_overflows: number of expected cache overflows 5436 (sum) 5437 * stream.reload_tuning_idle: number of times stream resource tuner 5438 called while idle (sum) 5439 * stream.reload_tuning_packets: number of times stream resource 5440 tuner called while processing packets (sum) 5441 * stream.reload_total_adds: number of flows added by config reloads 5442 (sum) 5443 * stream.reload_total_deletes: number of flows deleted by config 5444 reloads (sum) 5445 * stream.reload_freelist_deletes: number of flows deleted from the 5446 free list by config reloads (sum) 5447 * stream.reload_allowed_deletes: number of allowed flows deleted by 5448 config reloads (sum) 5449 * stream.reload_blocked_deletes: number of blocked flows deleted by 5450 config reloads (sum) 5451 * stream.reload_offloaded_deletes: number of offloaded flows 5452 deleted by config reloads (sum) 5453 5454 54555.47. 
5.47. stream_file

--------------

Help: stream inspector for file flow tracking and processing

Type: inspector (stream)

Usage: inspect

Instance Type: multiton

Configuration:

 * bool stream_file.upload = false: indicate file transfer direction


5.48. stream_icmp

--------------

Help: stream inspector for ICMP flow tracking

Type: inspector (stream)

Usage: inspect

Instance Type: multiton

Configuration:

 * int stream_icmp.session_timeout = 60: session tracking timeout { 1:max31 }

Peg counts:

 * stream_icmp.sessions: total icmp sessions (sum)
 * stream_icmp.max: max icmp sessions (max)
 * stream_icmp.created: icmp session trackers created (sum)
 * stream_icmp.released: icmp session trackers released (sum)
 * stream_icmp.timeouts: icmp session timeouts (sum)
 * stream_icmp.prunes: icmp session prunes (sum)

5.49. stream_ip

--------------

Help: stream inspector for IP flow tracking and defragmentation

Type: inspector (stream)

Usage: inspect

Instance Type: multiton

Configuration:

 * int stream_ip.max_frags = 8192: maximum number of simultaneous fragments being tracked { 1:max32 }
 * int stream_ip.max_overlaps = 0: maximum allowed overlaps per datagram; 0 is unlimited { 0:max32 }
 * int stream_ip.min_frag_length = 0: alert if fragment length is below this limit before or after trimming { 0:65535 }
 * int stream_ip.min_ttl = 1: discard fragments with TTL below the minimum { 1:255 }
 * enum stream_ip.policy = linux: fragment reassembly policy { first | linux | bsd | bsd_right | last | windows | solaris }
 * int stream_ip.session_timeout = 60: session tracking timeout { 1:max31 }

Rules:

 * 123:1 (stream_ip) inconsistent IP options on fragmented packets
 * 123:2 (stream_ip) teardrop attack
 * 123:3 (stream_ip) short fragment, possible DOS attempt
 * 123:4 (stream_ip) fragment packet ends after defragmented packet
 * 123:5 (stream_ip) zero-byte fragment packet
 * 123:6 (stream_ip) bad fragment size, packet size is negative
 * 123:7 (stream_ip) bad fragment size, packet size is greater than 65536
 * 123:8 (stream_ip) fragmentation overlap
 * 123:11 (stream_ip) TTL value less than configured minimum, not using for reassembly
 * 123:12 (stream_ip) excessive fragment overlap
 * 123:13 (stream_ip) tiny fragment

Peg counts:

 * stream_ip.sessions: total ip sessions (sum)
 * stream_ip.max: max ip sessions (max)
 * stream_ip.created: ip session trackers created (sum)
 * stream_ip.released: ip session trackers released (sum)
 * stream_ip.timeouts: ip session timeouts (sum)
 * stream_ip.prunes: ip session prunes (sum)
 * stream_ip.total_bytes: total number of bytes
   processed (sum)
 * stream_ip.total_frags: total fragments (sum)
 * stream_ip.current_frags: current fragments (now)
 * stream_ip.max_frags: max fragments (sum)
 * stream_ip.reassembled: reassembled datagrams (sum)
 * stream_ip.discards: fragments discarded (sum)
 * stream_ip.frag_timeouts: datagrams abandoned (sum)
 * stream_ip.overlaps: overlapping fragments (sum)
 * stream_ip.anomalies: anomalies detected (sum)
 * stream_ip.alerts: alerts generated (sum)
 * stream_ip.drops: fragments dropped (sum)
 * stream_ip.trackers_added: datagram trackers created (sum)
 * stream_ip.trackers_freed: datagram trackers released (sum)
 * stream_ip.trackers_cleared: datagram trackers cleared (sum)
 * stream_ip.trackers_completed: datagram trackers completed (sum)
 * stream_ip.nodes_inserted: fragments added to tracker (sum)
 * stream_ip.nodes_deleted: fragments deleted from tracker (sum)
 * stream_ip.reassembled_bytes: total reassembled bytes (sum)
 * stream_ip.fragmented_bytes: total fragmented bytes (sum)

5.50. stream_tcp

--------------

Help: stream inspector for TCP flow tracking and stream normalization and reassembly

Type: inspector (stream)

Usage: inspect

Instance Type: multiton

Configuration:

 * int stream_tcp.flush_factor = 0: flush upon seeing a drop in segment size after given number of non-decreasing segments { 0:65535 }
 * int stream_tcp.max_window = 0: maximum allowed TCP window { 0:1073725440 }
 * int stream_tcp.overlap_limit = 0: maximum number of allowed overlapping segments per session { 0:max32 }
 * int stream_tcp.max_pdu = 16384: maximum reassembled PDU size { 1460:32768 }
 * bool stream_tcp.no_ack = false: received data is implicitly acked immediately
 * enum stream_tcp.policy = bsd: determines operating system characteristics like reassembly { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
 * bool stream_tcp.reassemble_async = true: queue data for reassembly before traffic is seen in both directions
 * int stream_tcp.require_3whs = -1: don’t track midstream sessions after given seconds from start up; -1 tracks all { -1:max31 }
 * bool stream_tcp.show_rebuilt_packets = false: enable cmg like output of reassembled packets
 * int stream_tcp.queue_limit.max_bytes = 4194304: don’t queue more than given bytes per session and direction, 0 = unlimited { 0:max32 }
 * int stream_tcp.queue_limit.max_segments = 3072: don’t queue more than given segments per session and direction, 0 = unlimited { 0:max32 }
 * int stream_tcp.small_segments.count = 0: number of consecutive TCP small segments considered to be excessive (129:12) { 0:2048 }
 * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for a TCP segment not to be considered small (129:12) { 0:2048 }
 * int stream_tcp.session_timeout = 180: session tracking timeout { 1:max31 }
 * bool stream_tcp.track_only = false: disable reassembly if true

Rules:

 * 129:1 (stream_tcp) SYN on established session
 * 129:2 (stream_tcp) data on SYN packet
 * 129:3 (stream_tcp) data sent on stream not accepting data
 * 129:4 (stream_tcp) TCP timestamp is outside of PAWS window
 * 129:5 (stream_tcp) bad segment, adjusted size <= 0 (deprecated)
 * 129:6 (stream_tcp) window size (after scaling) larger than policy allows
 * 129:7 (stream_tcp) limit on number of overlapping TCP packets reached
 * 129:8 (stream_tcp) data sent on stream after TCP reset sent
 * 129:9 (stream_tcp) TCP client possibly hijacked, different ethernet address
 * 129:10 (stream_tcp) TCP server possibly hijacked, different ethernet address
 * 129:11 (stream_tcp) TCP data with no TCP flags set
 * 129:12 (stream_tcp) consecutive TCP small segments exceeding threshold
 * 129:13 (stream_tcp) 4-way handshake detected
 * 129:14 (stream_tcp) TCP timestamp is missing
 * 129:15 (stream_tcp) reset outside window
 * 129:16 (stream_tcp) FIN number is greater than prior FIN
 * 129:17 (stream_tcp) ACK number is greater than prior FIN
 * 129:18 (stream_tcp) data sent on stream after TCP reset received
 * 129:19 (stream_tcp) TCP window closed before receiving data
 * 129:20 (stream_tcp) TCP session without 3-way handshake

Peg counts:

 * stream_tcp.sessions: total tcp sessions (sum)
 * stream_tcp.max: max tcp sessions (max)
 * stream_tcp.created: tcp session trackers created (sum)
 * stream_tcp.released: tcp session trackers released (sum)
 * stream_tcp.timeouts: tcp session timeouts (sum)
 * stream_tcp.prunes: tcp session prunes (sum)
 * stream_tcp.instantiated: new sessions instantiated (sum)
 * stream_tcp.setups: session initializations (sum)
 * stream_tcp.restarts: sessions restarted (sum)
 * stream_tcp.resyns: SYN received on established session (sum)
 * stream_tcp.discards: tcp packets discarded (sum)
 * stream_tcp.discards_skipped: tcp packet discards skipped due to normalization disabled (sum)
 * stream_tcp.invalid_seq_num: tcp packets received with an invalid sequence number (sum)
 * stream_tcp.invalid_ack: tcp packets received with an invalid ack number (sum)
 * stream_tcp.no_flags_set: tcp packets received with no TCP flags set (sum)
 * stream_tcp.events: events generated (sum)
 * stream_tcp.ignored: tcp packets ignored (sum)
 * stream_tcp.untracked: tcp packets not tracked (sum)
 * stream_tcp.syn_trackers: tcp session tracking started on syn (sum)
 * stream_tcp.syn_ack_trackers: tcp session tracking started on syn-ack (sum)
 * stream_tcp.three_way_trackers: tcp session tracking started on ack (sum)
 * stream_tcp.data_trackers: tcp session tracking started on data (sum)
 * stream_tcp.segs_queued: total segments queued (sum)
 * stream_tcp.segs_released: total segments released (sum)
 * stream_tcp.segs_split: tcp segments split when reassembling PDUs (sum)
 * stream_tcp.segs_used: queued tcp segments applied to reassembled PDUs (sum)
 * stream_tcp.rebuilt_packets: total reassembled PDUs (sum)
 * stream_tcp.rebuilt_buffers: rebuilt PDU sections (sum)
 * stream_tcp.rebuilt_bytes: total rebuilt bytes (sum)
 * stream_tcp.overlaps: overlapping segments queued (sum)
 * stream_tcp.gaps: missing data between PDUs (sum)
 * stream_tcp.exceeded_max_segs: number of times the maximum queued segment limit was reached (sum)
 * stream_tcp.exceeded_max_bytes: number of times the maximum queued byte limit was reached (sum)
 * stream_tcp.payload_fully_trimmed: segments with no data after trimming (sum)
 * stream_tcp.internal_events: 135:X events
   generated (sum)
 * stream_tcp.client_cleanups: number of times data from server was flushed when session released (sum)
 * stream_tcp.server_cleanups: number of times data from client was flushed when session released (sum)
 * stream_tcp.memory: current memory in use (now)
 * stream_tcp.initializing: number of sessions currently initializing (now)
 * stream_tcp.established: number of sessions currently established (now)
 * stream_tcp.closing: number of sessions currently closing (now)
 * stream_tcp.syns: number of syn packets (sum)
 * stream_tcp.syn_acks: number of syn-ack packets (sum)
 * stream_tcp.resets: number of reset packets (sum)
 * stream_tcp.fins: number of fin packets (sum)
 * stream_tcp.meta_acks: number of meta acks processed (sum)
 * stream_tcp.packets_held: number of packets held (sum)
 * stream_tcp.held_packet_rexmits: number of retransmits of held packets (sum)
 * stream_tcp.held_packets_dropped: number of held packets dropped (sum)
 * stream_tcp.held_packets_passed: number of held packets passed (sum)
 * stream_tcp.held_packet_timeouts: number of held packets that timed out (sum)
 * stream_tcp.held_packet_purges: number of held packets that were purged without flushing (sum)
 * stream_tcp.held_packet_retries: number of held packets that were added to the retry queue (sum)
 * stream_tcp.cur_packets_held: number of packets currently held (now)
 * stream_tcp.max_packets_held: maximum number of packets held simultaneously (max)
 * stream_tcp.partial_flushes: number of partial flushes initiated (sum)
 * stream_tcp.partial_flush_bytes: partial flush total bytes (sum)
 * stream_tcp.inspector_fallbacks: count of fallbacks from assigned service inspector (sum)
 * stream_tcp.partial_fallbacks: count of fallbacks from assigned service stream splitter (sum)
 * stream_tcp.max_segs:
   maximum number of segments queued in any flow (max)
 * stream_tcp.max_bytes: maximum number of bytes queued in any flow (max)
 * stream_tcp.zero_len_tcp_opt: number of zero length tcp options (sum)


5.51. stream_udp

--------------

Help: stream inspector for UDP flow tracking

Type: inspector (stream)

Usage: inspect

Instance Type: multiton

Configuration:

 * int stream_udp.session_timeout = 30: session tracking timeout { 1:max31 }

Peg counts:

 * stream_udp.sessions: total udp sessions (sum)
 * stream_udp.max: max udp sessions (max)
 * stream_udp.created: udp session trackers created (sum)
 * stream_udp.released: udp session trackers released (sum)
 * stream_udp.timeouts: udp session timeouts (sum)
 * stream_udp.prunes: udp session prunes (sum)
 * stream_udp.total_bytes: total number of bytes processed (sum)
 * stream_udp.ignored: udp packets ignored (sum)


5.52. stream_user

--------------

Help: stream inspector for user flow tracking and reassembly

Type: inspector (stream)

Usage: inspect

Instance Type: multiton

Configuration:

 * int stream_user.session_timeout = 60: session tracking timeout { 1:max31 }

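The parameters of the stream, stream_ip, stream_tcp, stream_udp and stream_icmp modules above are easiest to judge side by side in a configuration. The snort.lua fragment below is an added example written for this page; it is not the Snort project's own configuration and uses only parameters documented in those sections. The scenario (a sensor in front of a Linux server segment) and every numeric value are assumptions chosen to show the trade-offs, not recommended defaults. The security-relevant point is the reassembly policy: stream_ip.policy and stream_tcp.policy must describe the hosts behind the sensor, not the sensor's own operating system, because an attacker who knows the sensor and the target resolve overlapping fragments or segments differently can send data the sensor sees one way and the target another.

```lua
-- Added example for this page (not from the Snort project): stream tuning
-- for a sensor protecting Linux servers. All values are illustrative.

-- Global flow cache (section "stream"): bound tracked flows and pruning.
stream =
{
    max_flows = 262144,                  -- assumed sensor size; module default is 476288
    pruning_timeout = 30,                -- idle flows become eligible for pruning after 30 s
    tcp_cache = { idle_timeout = 1800 }, -- retire idle TCP trackers sooner than the 3600 s default
    udp_cache = { idle_timeout = 120 },
}

-- IP defragmentation (section "stream_ip"). policy = the protected hosts' OS.
stream_ip =
{
    policy = 'linux',
    min_ttl = 5,            -- fragments with TTL below 5 are discarded and reported as 123:11
    max_overlaps = 10,      -- overlaps beyond 10 per datagram are reported as 123:12 (default 0 = unlimited)
    min_frag_length = 100,  -- fragments shorter than 100 bytes are reported as 123:13 (default 0 = off)
    session_timeout = 60,
}

-- TCP tracking and reassembly (section "stream_tcp"); same policy rule.
stream_tcp =
{
    policy = 'linux',
    session_timeout = 180,
    -- Pick up midstream flows only during the first 60 s after start-up;
    -- afterwards a session must begin with a 3-way handshake (see 129:20).
    -- The default -1 tracks every midstream flow for the life of the process,
    -- which also means no handshake evidence for those flows.
    require_3whs = 60,
    -- Five consecutive segments of 20 bytes or less are reported as 129:12,
    -- the shape produced by segmentation-based evasion tools. Default 0 = off.
    small_segments = { count = 5, maximum_size = 20 },
    -- Cap per-session, per-direction queueing so one flow cannot exhaust memory.
    queue_limit = { max_bytes = 2097152, max_segments = 2048 },
    overlap_limit = 10,     -- reaching 10 overlapping segments is reported as 129:7 (default 0 = unlimited)
}

stream_udp  = { session_timeout = 30 }
stream_icmp = { session_timeout = 60 }
```

Validate the file with `snort -c snort.lua -T` before deploying; `snort --help-config stream_tcp` prints the parameter list and ranges reproduced in the section above, which is the quickest way to check a value against the allowed range.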
5.53. telnet

--------------

Help: telnet inspection and normalization

Type: inspector (service)

Usage: inspect

Instance Type: multiton

Configuration:

 * int telnet.ayt_attack_thresh = -1: alert beyond this number of consecutive Telnet AYT commands (-1 is disabled) { -1:max31 }
 * bool telnet.check_encrypted = false: check for end of encryption
 * bool telnet.encrypted_traffic = false: check for encrypted Telnet
 * bool telnet.normalize = false: eliminate escape sequences

Rules:

 * 126:1 (telnet) consecutive Telnet AYT commands beyond threshold
 * 126:2 (telnet) Telnet traffic encrypted
 * 126:3 (telnet) Telnet subnegotiation begin command without subnegotiation end

Peg counts:

 * telnet.total_packets: total packets (sum)
 * telnet.concurrent_sessions: total concurrent Telnet sessions (now)
 * telnet.max_concurrent_sessions: maximum concurrent Telnet sessions (max)


5.54. wizard

--------------

Help: inspector that implements port-independent protocol identification

Type: inspector (wizard)

Usage: inspect

Instance Type: multiton

Configuration:

 * string wizard.hexes[].service: name of service
 * select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp }
 * bool wizard.hexes[].client_first = true: which end initiates data transfer
 * string wizard.hexes[].to_server[].hex: sequence of data with wild chars (?)
 * string wizard.hexes[].to_client[].hex: sequence of data with wild chars (?)
 * string wizard.spells[].service: name of service
 * select wizard.spells[].proto = tcp: protocol to scan { tcp | udp }
 * bool wizard.spells[].client_first = true: which end initiates data transfer
 * string wizard.spells[].to_server[].spell: sequence of data with wild cards (*)
 * string wizard.spells[].to_client[].spell: sequence of data with wild cards (*)
 * multi wizard.curses: enable service identification based on internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 }
 * int wizard.max_search_depth = 8192: maximum scan depth per flow { 0:65535 }

Peg counts:

 * wizard.tcp_scans: tcp payload scans (sum)
 * wizard.tcp_hits: tcp identifications (sum)
 * wizard.tcp_misses: tcp searches abandoned (sum)
 * wizard.udp_scans: udp payload scans (sum)
 * wizard.udp_hits: udp identifications (sum)
 * wizard.udp_misses: udp searches abandoned (sum)
 * wizard.user_scans: user payload scans (sum)
 * wizard.user_hits: user identifications (sum)
 * wizard.user_misses: user searches abandoned (sum)


---------------------------------------------------------------------

6. IPS Action Modules

---------------------------------------------------------------------

IPS actions allow you to perform custom actions when events are generated. Unlike loggers, these are invoked before thresholding and can be used to control external agents.

Externally defined actions must be configured to become available to the parser. For the reject rule, you can set reject = { } to get the rule to parse.


6.1. react

--------------

Help: send response to client and terminate session

Type: ips_action

Usage: detect

Configuration:

 * string react.page: file containing HTTP response body

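The wizard (5.54) only matters once something consumes its verdicts, and the action modules of this chapter only matter once rules use them. The snort.lua fragment below is an added example for this page, not the Snort project's default configuration: it identifies services with spells (text, `*` wildcard) and hexes (binary, `?` wildcard character), binds service inspectors on the identified service rather than on port, and configures react and reject so that rules may use them as actions. HOME_NET, the service patterns, the react page path and the sids are assumptions.

```lua
-- Added example for this page (not the Snort project's configuration).
-- Assumed: HOME_NET, the patterns below, and the react page path.
HOME_NET = '10.0.0.0/8'

-- Port-independent service identification (section "wizard").
wizard =
{
    -- spells are text patterns; '*' is a wildcard (wizard.spells[].to_server[].spell)
    spells =
    {
        { service = 'http', proto = 'tcp',
          to_server = { 'GET ', 'POST ', 'HEAD ', 'PUT ', 'DELETE ', 'OPTIONS ' },
          to_client = { 'HTTP/' } },
        -- an FTP server speaks first (220 banner), so client_first is false
        { service = 'ftp', proto = 'tcp', client_first = false,
          to_client = { '220*FTP', '220*FileZilla' } },
    },
    -- hexes are binary patterns written as hex; '?' is a wildcard character
    hexes =
    {
        { service = 'dnp3', proto = 'tcp',
          to_server = { '|05 64|' }, to_client = { '|05 64|' } },
    },
    -- built-in identifiers for protocols that are awkward to spell
    curses = { 'dce_smb', 'dce_tcp', 'sslv2' },
    max_search_depth = 8192,   -- give up on an unidentified flow after 8 KiB
}

-- Inspectors the binder can hand flows to (empty tables take module defaults).
http_inspect = { }
ftp_server   = { }
dnp3         = { }

-- Bind on the identified service and fall through to the wizard for flows
-- that have no binding yet. Binding on port alone would miss HTTP on 8081
-- or a listener on 443 carrying cleartext commands.
binder =
{
    { when = { service = 'http' }, use = { type = 'http_inspect' } },
    { when = { service = 'ftp' },  use = { type = 'ftp_server' } },
    { when = { service = 'dnp3' }, use = { type = 'dnp3' } },
    { use = { type = 'wizard' } },
}

-- Actions must be configured before a rule may use them (section 6).
reject = { reset = 'both', control = 'port' }  -- TCP reset to both ends; control adds ICMP port unreachable
react  = { page = '/etc/snort/react.html' }    -- assumed path; file holds the HTTP response body

ips =
{
    rules = [[
        reject tcp any any -> $HOME_NET 23 (
            msg:"telnet to protected host, session reset";
            flow:to_server;
            sid:1000001; rev:1;
        )
        react tcp any any -> $HOME_NET 80 (
            msg:"admin path from outside, block page returned";
            flow:to_server, established;
            http_uri; content:"/admin/";
            sid:1000002; rev:1;
        )
    ]],
}
```

Both actions need a DAQ that can inject packets (an inline deployment or one with injection enabled); on a read-only capture source the rules still match and log, but no reset or response leaves the sensor. The wizard.tcp_hits and wizard.tcp_misses peg counts above show whether the spells and hexes are actually identifying the traffic the binder expects.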
6.2. reject

--------------

Help: terminate session with TCP reset or ICMP unreachable

Type: ips_action

Usage: detect

Configuration:

 * enum reject.reset = both: send TCP reset to one or both ends { none | source | dest | both }
 * enum reject.control = none: send ICMP unreachable(s) { none | network | host | port | forward | all }


---------------------------------------------------------------------

7. IPS Option Modules

---------------------------------------------------------------------

IPS options are the building blocks of IPS rules.


7.1. ack

--------------

Help: rule option to match on TCP ack numbers

Type: ips_option

Usage: detect

Configuration:

 * interval ack.~range: check if TCP ack value is value | min<>max | <max | >min { 0: }


7.2. appids

--------------

Help: detection option for application ids

Type: ips_option

Usage: detect

Configuration:

 * string appids.~: comma separated list of application names


7.3. asn1

--------------

Help: rule option for asn1 detection

Type: ips_option

Usage: detect

Configuration:

 * implied asn1.bitstring_overflow: detects invalid bitstring encodings that are known to be remotely exploitable
 * implied asn1.double_overflow: detects a double ASCII encoding that is larger than a standard buffer
 * implied asn1.print: dump decode data to console; always true
 * int asn1.oversize_length: compares ASN.1 type lengths with the supplied argument { 0:max32 }
 * int asn1.absolute_offset: absolute offset from the beginning of the packet { 0:65535 }
 * int asn1.relative_offset: relative offset from the cursor { -65535:65535 }

7.4. base64_decode

--------------

Help: rule option to decode base64 data - must be used with base64_data option

Type: ips_option

Usage: detect

Configuration:

 * int base64_decode.bytes: number of base64 encoded bytes to decode { 1:max32 }
 * int base64_decode.offset = 0: bytes past start of buffer to start decoding { 0:max32 }
 * implied base64_decode.relative: apply offset to cursor instead of start of buffer


7.5. ber_data

--------------

Help: rule option to move to the data for a specified BER element

Type: ips_option

Usage: detect

Configuration:

 * int ber_data.~type: move to the data for the specified BER element type { 0:255 }


7.6. ber_skip

--------------

Help: rule option to skip BER element

Type: ips_option

Usage: detect

Configuration:

 * int ber_skip.~type: BER element type to skip { 0:255 }
 * implied ber_skip.optional: match even if the specified BER type is not found


7.7. bufferlen

--------------

Help: rule option to check length of current buffer

Type: ips_option

Usage: detect

Configuration:

 * interval bufferlen.~range: check that total length of current buffer is in given range { 0:65535 }
 * implied bufferlen.relative: use remaining length (from current position) instead of total length

7.8. byte_extract

--------------

Help: rule option to convert data to an integer variable

Type: ips_option

Usage: detect

Configuration:

 * int byte_extract.~count: number of bytes to pick up from the buffer { 1:10 }
 * int byte_extract.~offset: number of bytes into the buffer to start processing { -65535:65535 }
 * string byte_extract.~name: name of the variable that will be used in other rule options
 * implied byte_extract.relative: offset from cursor instead of start of buffer
 * int byte_extract.multiplier = 1: scale extracted value by given amount { 1:65535 }
 * int byte_extract.align = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
 * implied byte_extract.big: big endian
 * implied byte_extract.little: little endian
 * implied byte_extract.dce: dcerpc2 determines endianness
 * implied byte_extract.string: convert from string
 * implied byte_extract.hex: convert from hex string
 * implied byte_extract.oct: convert from octal string
 * implied byte_extract.dec: convert from decimal string
 * int byte_extract.bitmask: applies as an AND to the extracted value before storage in name { 0x1:0xFFFFFFFF }

7.9. byte_jump

--------------

Help: rule option to move the detection cursor

Type: ips_option

Usage: detect

Configuration:

 * int byte_jump.~count: number of bytes to pick up from the buffer { 0:10 }
 * string byte_jump.~offset: variable name or number of bytes into the buffer to start processing
 * implied byte_jump.relative: offset from cursor instead of start of buffer
 * implied byte_jump.from_beginning: jump from start of buffer instead of cursor
 * implied byte_jump.from_end: jump backward from end of buffer
 * int byte_jump.multiplier = 1: scale extracted value by given amount { 1:65535 }
 * int byte_jump.align = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
 * string byte_jump.post_offset: skip forward or backward (positive or negative value) by variable name or number of bytes after the other jump options have been applied
 * implied byte_jump.big: big endian
 * implied byte_jump.little: little endian
 * implied byte_jump.dce: dcerpc2 determines endianness
 * implied byte_jump.string: convert from string
 * implied byte_jump.hex: convert from hex string
 * implied byte_jump.oct: convert from octal string
 * implied byte_jump.dec: convert from decimal string
 * int byte_jump.bitmask: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }

7.10. byte_math

--------------

Help: rule option to perform mathematical operations on extracted value and a specified value or existing variable

Type: ips_option

Usage: detect

Configuration:

 * int byte_math.bytes: number of bytes to pick up from the buffer { 1:10 }
 * string byte_math.offset: number of bytes into the buffer to start processing
 * enum byte_math.oper: mathematical operation to perform { + | - | * | / | << | >> }
 * string byte_math.rvalue: value to use mathematical operation against
 * string byte_math.result: name of the variable to store the result
 * implied byte_math.relative: offset from cursor instead of start of buffer
 * enum byte_math.endian: specify big/little endian { big | little }
 * implied byte_math.dce: dcerpc2 determines endianness
 * enum byte_math.string: convert extracted string to dec/hex/oct { hex | dec | oct }
 * int byte_math.bitmask: applies as bitwise AND to the extracted value before storage in name { 0x1:0xFFFFFFFF }

7.11. byte_test

--------------

Help: rule option to convert data to integer and compare

Type: ips_option

Usage: detect

Configuration:

 * int byte_test.~count: number of bytes to pick up from the buffer { 1:10 }
 * string byte_test.~operator: operation to perform to test the value
 * string byte_test.~compare: variable name or value to test the converted result against
 * string byte_test.~offset: variable name or number of bytes into the payload to start processing
 * implied byte_test.relative: offset from cursor instead of start of buffer
 * implied byte_test.big: big endian
 * implied byte_test.little: little endian
 * implied byte_test.dce: dcerpc2 determines endianness
 * implied byte_test.string: convert from string
 * implied byte_test.hex: convert from hex string
 * implied byte_test.oct: convert from octal string
 * implied byte_test.dec: convert from decimal string
 * int byte_test.bitmask: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }


7.12. cip_attribute

--------------

Help: detection option to match CIP attribute

Type: ips_option

Usage: detect

Configuration:

 * interval cip_attribute.~range: match CIP attribute { 0:65535 }


7.13. cip_class

--------------

Help: detection option to match CIP class

Type: ips_option

Usage: detect

Configuration:

 * interval cip_class.~range: match CIP class { 0:65535 }


7.14. cip_conn_path_class

--------------

Help: detection option to match CIP Connection Path Class

Type: ips_option

Usage: detect

Configuration:

 * interval cip_conn_path_class.~range: match CIP Connection Path Class { 0:65535 }

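The byte_extract (7.8), byte_jump (7.9), byte_math (7.10) and byte_test (7.11) options above are normally used together to walk length-prefixed binary formats, and the cursor bookkeeping between them is where rules go wrong. The rules below are an added example for this page, not Snort's or any vendor's rules. They target a hypothetical record format that is entirely an assumption (2-byte magic AB CD, a 16-bit big-endian header_len, a 16-bit big-endian name_len, the name, then a 32-bit big-endian data_len) on an assumed port 7777, and show the three checks a parser-bug hunter usually wants: an oversized field, length fields that disagree with each other, and a pattern confined to a variable-length field. The content modifiers offset and depth taking a variable are documented under content (7.21).

```lua
-- Added example for this page (not Snort's own rules). The record format and
-- port 7777 are assumptions. Offsets are from the start of the TCP payload:
--   0: magic AB CD | 2: header_len u16be | 4: name_len u16be |
--   6: name[name_len] | 6+name_len: data_len u32be | data ...
HOME_NET = '10.0.0.0/8'

ips =
{
    rules = [[
        # 1. Oversized name_len (the usual trigger for a fixed buffer overflow).
        #    After the content match the cursor sits at offset 2, so a relative
        #    offset of 2 reads the u16 at absolute offset 4.
        alert tcp any any -> $HOME_NET 7777 (
            msg:"HYPO record: name_len > 255";
            flow:to_server, established;
            content:"|AB CD|", depth 2, fast_pattern;
            byte_test:2, >, 255, 2, relative, big;
            sid:1000003; rev:1;
        )

        # 2. Length fields that disagree: header_len must equal 6 + name_len.
        #    byte_math reads name_len (cursor+2) and stores name_len+6 in
        #    want_hdr; byte_test compares header_len (cursor+0) against it.
        alert tcp any any -> $HOME_NET 7777 (
            msg:"HYPO record: header_len inconsistent with name_len";
            flow:to_server, established;
            content:"|AB CD|", depth 2, fast_pattern;
            byte_math:bytes 2, offset 2, oper +, rvalue 6, result want_hdr, relative, endian big;
            byte_test:2, !=, want_hdr, 0, relative, big;
            sid:1000004; rev:1;
        )

        # 3. data_len larger than the server can buffer. byte_jump reads
        #    name_len at cursor+2 and moves the cursor to the end of the bytes
        #    it read plus name_len, i.e. onto the data_len field. If the jump
        #    leaves the payload the option fails and the rule cannot match, so
        #    a truncated record does not produce a false positive.
        alert tcp any any -> $HOME_NET 7777 (
            msg:"HYPO record: data_len > 65536";
            flow:to_server, established;
            content:"|AB CD|", depth 2, fast_pattern;
            byte_jump:2, 2, relative, big;
            byte_test:4, >, 65536, 0, relative, big;
            sid:1000005; rev:1;
        )

        # 4. Search only inside the variable-length name field: byte_extract
        #    stores name_len, which content then uses as its depth from offset 6.
        #    A depth of 0 would mean "no limit", so a non-empty name is required.
        alert tcp any any -> $HOME_NET 7777 (
            msg:"HYPO record: privileged account name";
            flow:to_server, established;
            content:"|AB CD|", depth 2, fast_pattern;
            byte_test:2, >, 0, 4, big;
            byte_extract:2, 4, name_len, big;
            content:"admin", nocase, offset 6, depth name_len;
            sid:1000006; rev:1;
        )
    ]],
}
```

Run the rules over a capture with `snort -c snort.lua -r records.pcap -A alert_fast` while developing them. Note that byte_test does not move the cursor, byte_jump does, and the relative offsets in every option are measured from wherever the previous cursor-moving option left it; that is why rules 1 and 2 can both read the same header fields with the same relative offsets.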
7.15. cip_instance

--------------

Help: detection option to match CIP instance

Type: ips_option

Usage: detect

Configuration:

 * interval cip_instance.~range: match CIP instance { 0:4294967295 }


7.16. cip_req

--------------

Help: detection option to match CIP request

Type: ips_option

Usage: detect


7.17. cip_rsp

--------------

Help: detection option to match CIP response

Type: ips_option

Usage: detect


7.18. cip_service

--------------

Help: detection option to match CIP service

Type: ips_option

Usage: detect

Configuration:

 * interval cip_service.~range: match CIP service { 0:127 }


7.19. cip_status

--------------

Help: detection option to match CIP response status

Type: ips_option

Usage: detect

Configuration:

 * interval cip_status.~range: match CIP response status { 0:255 }


7.20. classtype

--------------

Help: general rule option for rule classification

Type: ips_option

Usage: detect

Configuration:

 * string classtype.~: classification for this rule

7.21. content

--------------

Help: payload rule option for basic pattern matching

Type: ips_option

Usage: detect

Configuration:

 * string content.~data: data to match
 * implied content.nocase: case insensitive match
 * implied content.fast_pattern: use this content in the fast pattern matcher instead of the content selected by default
 * int content.fast_pattern_offset = 0: number of leading characters of this content the fast pattern matcher should exclude { 0:65535 }
 * int content.fast_pattern_length: maximum number of characters from this content the fast pattern matcher should use { 1:65535 }
 * string content.offset: var or number of bytes from start of buffer to start search
 * string content.depth: var or maximum number of bytes to search from beginning of buffer
 * string content.distance: var or number of bytes from cursor to start search
 * string content.within: var or maximum number of bytes to search from cursor


7.22. cvs

--------------

Help: payload rule option for detecting specific attacks

Type: ips_option

Usage: detect

Configuration:

 * implied cvs.invalid-entry: looks for an invalid Entry string


7.23. dce_iface

--------------

Help: detection option to check dcerpc interface

Type: ips_option

Usage: detect

Configuration:

 * string dce_iface.uuid: match given dcerpc uuid
 * interval dce_iface.version: interface version { 0: }
 * implied dce_iface.any_frag: match on any fragment


7.24. dce_opnum

--------------

Help: detection option to check dcerpc operation number

Type: ips_option

Usage: detect

Configuration:

 * string dce_opnum.~: match given dcerpc operation number, range or list

7.25. dce_stub_data

--------------

Help: sets the cursor to dcerpc stub data

Type: ips_option

Usage: detect


7.26. detection_filter

--------------

Help: rule option to require multiple hits before a rule generates an event

Type: ips_option

Usage: detect

Configuration:

 * enum detection_filter.track: track hits by source or destination IP address { by_src | by_dst }
 * int detection_filter.count: hits in interval before allowing the rule to fire { 1:max32 }
 * int detection_filter.seconds: length of interval to count hits { 1:max32 }


7.27. dnp3_data

--------------

Help: sets the cursor to dnp3 data

Type: ips_option

Usage: detect


7.28. dnp3_func

--------------

Help: detection option to check DNP3 function code

Type: ips_option

Usage: detect

Configuration:

 * string dnp3_func.~: match DNP3 function code or name


7.29. dnp3_ind

--------------

Help: detection option to check DNP3 indicator flags

Type: ips_option

Usage: detect

Configuration:

 * string dnp3_ind.~: match given DNP3 indicator flags


7.30. dnp3_obj

--------------

Help: detection option to check DNP3 object headers

Type: ips_option

Usage: detect

Configuration:

 * int dnp3_obj.group = 0: match given DNP3 object header group { 0:255 }
 * int dnp3_obj.var = 0: match given DNP3 object header var { 0:255 }


7.31. dsize

--------------

Help: rule option to test payload size

Type: ips_option

Usage: detect

Configuration:

 * interval dsize.~range: check if packet payload size is in the given range { 0:65535 }

7.32. enable

--------------

Help: stub rule option to enable or disable full rule

Type: ips_option

Usage: detect

Configuration:

 * enum enable.~enable = yes: enable or disable rule in current ips policy or use default defined by ips policy { no | yes | inherit }


7.33. enip_command

--------------

Help: detection option to match CIP Enip Command

Type: ips_option

Usage: detect

Configuration:

 * interval enip_command.~range: match CIP Enip Command { 0:65535 }


7.34. enip_req

--------------

Help: detection option to match ENIP Request

Type: ips_option

Usage: detect


7.35. enip_rsp

--------------

Help: detection option to match ENIP response

Type: ips_option

Usage: detect


7.36. file_data

--------------

Help: rule option to set detection cursor to file data

Type: ips_option

Usage: detect


7.37. file_type

--------------

Help: rule option to check file type

Type: ips_option

Usage: detect

Configuration:

 * string file_type.~: list of file type IDs to match


7.38. flags

--------------

Help: rule option to test TCP control flags

Type: ips_option

Usage: detect

Configuration:

 * string flags.~test_flags: these flags are tested
 * string flags.~mask_flags: these flags are don’t cares

7.39. flow

--------------

Help: rule option to check session properties

Type: ips_option

Usage: detect

Configuration:

 * implied flow.to_client: match on server responses
 * implied flow.to_server: match on client requests
 * implied flow.from_client: same as to_server
 * implied flow.from_server: same as to_client
 * implied flow.established: match only during data transfer phase
 * implied flow.not_established: match only outside data transfer
   phase
 * implied flow.stateless: match regardless of stream state
 * implied flow.no_stream: match on raw (not reassembled) packets
   only
 * implied flow.only_stream: match on reassembled packets only
 * implied flow.no_frag: match on raw (not defragmented) packets only
 * implied flow.only_frag: match on defragmented packets only


7.40. flowbits

--------------

Help: rule option to set and test arbitrary boolean flags

Type: ips_option

Usage: detect

Configuration:

 * enum flowbits.~op: bit operation or noalert (no bits) { set |
   unset | isset | isnotset | noalert }
 * string flowbits.~bits: bit [|bit]* or bit [&bit]*


7.41. fragbits

--------------

Help: rule option to test IP frag flags

Type: ips_option

Usage: detect

Configuration:

 * string fragbits.~flags: these flags are tested


7.42. fragoffset

--------------

Help: rule option to test IP frag offset

Type: ips_option

Usage: detect

Configuration:

 * interval fragoffset.~range: check if ip fragment offset is in
   given range { 0:8192 }


7.43. gid

--------------

Help: rule option specifying rule generator

Type: ips_option

Usage: detect

Configuration:

 * int gid.~: generator id { 1:max32 }

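The options in 7.26 (detection_filter), 7.31 (dsize), 7.38 (flags), 7.39 (flow) and 7.40 (flowbits) are easiest to read in combination. The snort.lua fragment below is an added example, not text from this manual or rules shipped with Snort: it embeds four rules through ips.rules. The sid values, the flowbit name ftp_user_seen and the use of $HOME_NET/$EXTERNAL_NET from default_variables (defined in snort_defaults.lua) are assumptions for the example.

```lua
-- Added example: rules embedded in snort.lua via ips.rules.
-- Assumed: sids 1000001-1000004, default_variables from snort_defaults.lua.
ips =
{
    variables = default_variables,

    rules = [[
# 1) Mark the flow when an FTP USER command is seen.  flowbits:noalert keeps
#    this rule silent; its only job is to leave the bit on the flow.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"FTP USER seen"; flow:to_server,established; content:"USER ",nocase; flowbits:set,ftp_user_seen; flowbits:noalert; sid:1000001; rev:1; )

# 2) Fire only when PASS arrives on a flow where rule 1 never set the bit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"FTP PASS without preceding USER"; flow:to_server,established; content:"PASS ",nocase; flowbits:isnotset,ftp_user_seen; sid:1000002; rev:1; )

# 3) detection_filter: the rule matches on every SSH client banner, but an
#    event is generated only once a single source has produced 10 matches
#    within 60 seconds.  count and seconds are tracked per rule, per source.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( msg:"SSH client banner burst from one source"; flow:to_server,established; content:"SSH-",depth 4; detection_filter:track by_src, count 10, seconds 60; sid:1000003; rev:1; )

# 4) Header-only check that must run before a session exists, hence
#    flow:stateless.  flags:S,12 tests for SYN while masking the two ECN
#    bits (CWR/ECE), so a SYN with ECN set still matches; dsize:>0 then
#    requires payload, which a normal SYN never carries.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"TCP SYN with payload"; flow:stateless; flags:S,12; dsize:>0; sid:1000004; rev:1; )
]]
}
```

Two caveats worth keeping in mind: detection_filter does not retroactively log the first nine hits, it only delays the event, and a flowbit is scoped to the flow, so rule 2 cannot see a USER command sent on a different connection.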
7.44. gtp_info

--------------

Help: rule option to check gtp info element

Type: ips_option

Usage: detect

Configuration:

 * string gtp_info.~: info element to match


7.45. gtp_type

--------------

Help: rule option to check gtp types

Type: ips_option

Usage: detect

Configuration:

 * string gtp_type.~: list of types to match


7.46. gtp_version

--------------

Help: rule option to check GTP version

Type: ips_option

Usage: detect

Configuration:

 * int gtp_version.~: version to match { 0:2 }


7.47. http_client_body

--------------

Help: rule option to set the detection cursor to the request body

Type: ips_option

Usage: detect


7.48. http_cookie

--------------

Help: rule option to set the detection cursor to the HTTP cookie

Type: ips_option

Usage: detect

Configuration:

 * implied http_cookie.request: match against the cookie from the
   request message even when examining the response
 * implied http_cookie.with_header: this rule is limited to
   examining HTTP message headers
 * implied http_cookie.with_body: parts of this rule examine HTTP
   message body
 * implied http_cookie.with_trailer: parts of this rule examine HTTP
   message trailers


7.49. http_header

--------------

Help: rule option to set the detection cursor to the normalized
headers

Type: ips_option

Usage: detect

Configuration:

 * string http_header.field: restrict to given header. Header name
   is case insensitive.
 * implied http_header.request: match against the headers from the
   request message even when examining the response
 * implied http_header.with_header: this rule is limited to
   examining HTTP message headers
 * implied http_header.with_body: parts of this rule examine HTTP
   message body
 * implied http_header.with_trailer: parts of this rule examine HTTP
   message trailers


7.50. http_method

--------------

Help: rule option to set the detection cursor to the HTTP request
method

Type: ips_option

Usage: detect

Configuration:

 * implied http_method.with_header: this rule is limited to
   examining HTTP message headers
 * implied http_method.with_body: parts of this rule examine HTTP
   message body
 * implied http_method.with_trailer: parts of this rule examine HTTP
   message trailers


7.51. http_param

--------------

Help: rule option to set the detection cursor to the value of the
specified HTTP parameter key which may be in the query or body

Type: ips_option

Usage: detect

Configuration:

 * string http_param.~param: parameter to match
 * implied http_param.nocase: case insensitive match


7.52. http_raw_body

--------------

Help: rule option to set the detection cursor to the unnormalized
message body

Type: ips_option

Usage: detect

7.53. http_raw_cookie

--------------

Help: rule option to set the detection cursor to the unnormalized
cookie

Type: ips_option

Usage: detect

Configuration:

 * implied http_raw_cookie.request: match against the cookie from
   the request message even when examining the response
 * implied http_raw_cookie.with_header: this rule is limited to
   examining HTTP message headers
 * implied http_raw_cookie.with_body: parts of this rule examine
   HTTP message body
 * implied http_raw_cookie.with_trailer: parts of this rule examine
   HTTP message trailers


7.54. http_raw_header

--------------

Help: rule option to set the detection cursor to the unnormalized
headers

Type: ips_option

Usage: detect

Configuration:

 * string http_raw_header.field: restrict to given header. Header
   name is case insensitive.
 * implied http_raw_header.request: match against the headers from
   the request message even when examining the response
 * implied http_raw_header.with_header: this rule is limited to
   examining HTTP message headers
 * implied http_raw_header.with_body: parts of this rule examine
   HTTP message body
 * implied http_raw_header.with_trailer: parts of this rule examine
   HTTP message trailers


7.55. http_raw_request

--------------

Help: rule option to set the detection cursor to the unnormalized
request line

Type: ips_option

Usage: detect

Configuration:

 * implied http_raw_request.with_header: this rule is limited to
   examining HTTP message headers
 * implied http_raw_request.with_body: parts of this rule examine
   HTTP message body
 * implied http_raw_request.with_trailer: parts of this rule examine
   HTTP message trailers

7.56. http_raw_status

--------------

Help: rule option to set the detection cursor to the unnormalized
status line

Type: ips_option

Usage: detect

Configuration:

 * implied http_raw_status.with_body: parts of this rule examine
   HTTP message body
 * implied http_raw_status.with_trailer: parts of this rule examine
   HTTP message trailers


7.57. http_raw_trailer

--------------

Help: rule option to set the detection cursor to the unnormalized
trailers

Type: ips_option

Usage: detect

Configuration:

 * string http_raw_trailer.field: restrict to given trailer. Trailer
   name is case insensitive.
 * implied http_raw_trailer.request: match against the trailers from
   the request message even when examining the response
 * implied http_raw_trailer.with_header: parts of this rule examine
   HTTP response message headers (must be combined with request)
 * implied http_raw_trailer.with_body: parts of this rule examine
   HTTP response message body (must be combined with request)

7.58. http_raw_uri

--------------

Help: rule option to set the detection cursor to the unnormalized URI

Type: ips_option

Usage: detect

Configuration:

 * implied http_raw_uri.with_header: this rule is limited to
   examining HTTP message headers
 * implied http_raw_uri.with_body: parts of this rule examine HTTP
   message body
 * implied http_raw_uri.with_trailer: parts of this rule examine
   HTTP message trailers
 * implied http_raw_uri.scheme: match against scheme section of URI
   only
 * implied http_raw_uri.host: match against host section of URI only
 * implied http_raw_uri.port: match against port section of URI only
 * implied http_raw_uri.path: match against path section of URI only
 * implied http_raw_uri.query: match against query section of URI
   only
 * implied http_raw_uri.fragment: match against fragment section of
   URI only


7.59. http_stat_code

--------------

Help: rule option to set the detection cursor to the HTTP status code

Type: ips_option

Usage: detect

Configuration:

 * implied http_stat_code.with_body: parts of this rule examine HTTP
   message body
 * implied http_stat_code.with_trailer: parts of this rule examine
   HTTP message trailers


7.60. http_stat_msg

--------------

Help: rule option to set the detection cursor to the HTTP status
message

Type: ips_option

Usage: detect

Configuration:

 * implied http_stat_msg.with_body: parts of this rule examine HTTP
   message body
 * implied http_stat_msg.with_trailer: parts of this rule examine
   HTTP message trailers

7.61. http_trailer

--------------

Help: rule option to set the detection cursor to the normalized
trailers

Type: ips_option

Usage: detect

Configuration:

 * string http_trailer.field: restrict to given trailer
 * implied http_trailer.request: match against the trailers from the
   request message even when examining the response
 * implied http_trailer.with_header: parts of this rule examine HTTP
   response message headers (must be combined with request)
 * implied http_trailer.with_body: parts of this rule examine HTTP
   message body (must be combined with request)


7.62. http_true_ip

--------------

Help: rule option to set the detection cursor to the final client IP
address

Type: ips_option

Usage: detect

Configuration:

 * implied http_true_ip.with_header: this rule is limited to
   examining HTTP message headers
 * implied http_true_ip.with_body: parts of this rule examine HTTP
   message body
 * implied http_true_ip.with_trailer: parts of this rule examine
   HTTP message trailers

7.63. http_uri

--------------

Help: rule option to set the detection cursor to the normalized URI
buffer

Type: ips_option

Usage: detect

Configuration:

 * implied http_uri.with_header: this rule is limited to examining
   HTTP message headers
 * implied http_uri.with_body: parts of this rule examine HTTP
   message body
 * implied http_uri.with_trailer: parts of this rule examine HTTP
   message trailers
 * implied http_uri.scheme: match against scheme section of URI only
 * implied http_uri.host: match against host section of URI only
 * implied http_uri.port: match against port section of URI only
 * implied http_uri.path: match against path section of URI only
 * implied http_uri.query: match against query section of URI only
 * implied http_uri.fragment: match against fragment section of URI
   only


7.64. http_version

--------------

Help: rule option to set the detection cursor to the version buffer

Type: ips_option

Usage: detect

Configuration:

 * implied http_version.request: match against the version from the
   request message even when examining the response
 * implied http_version.with_header: this rule is limited to
   examining HTTP message headers
 * implied http_version.with_body: parts of this rule examine HTTP
   message body
 * implied http_version.with_trailer: parts of this rule examine
   HTTP message trailers


7.65. icmp_id

--------------

Help: rule option to check ICMP ID

Type: ips_option

Usage: detect

Configuration:

 * interval icmp_id.~range: check if ICMP ID is in given range
   { 0:65535 }

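The http_* options in 7.47 through 7.64 are sticky buffers: each one moves the detection cursor, and the content options that follow apply to that buffer until the next buffer option. The fragment below is an added example, not text from this manual or rules shipped with Snort; it assumes http_inspect is bound as in the stock snort.lua (so `alert http` service rules resolve), sids 1000010-1000013, and $HOME_NET/$EXTERNAL_NET from default_variables.

```lua
-- Added example: HTTP sticky-buffer rules embedded via ips.rules.
-- Assumed: http_inspect bound by the default binder, sids 1000010-1000013.
ips =
{
    variables = default_variables,

    rules = [[
# Request side: method, then only the path section of the normalized URI,
# then a single named header.  Three buffers, three independent matches.
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"POST to admin login path from scanner user-agent"; flow:to_server,established; http_method; content:"POST"; http_uri:path; content:"/admin/login",nocase; http_header:field user-agent; content:"sqlmap",nocase; sid:1000010; rev:1; )

# Query string only, from the raw (as-sent) URI: http_uri would present the
# decoded form, so "%27" would have to be written as an apostrophe there.
# Restricting to :query means the same bytes in a path name do not match.
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"percent-encoded apostrophe in query string"; flow:to_server,established; http_raw_uri:query; content:"%27"; sid:1000011; rev:1; )

# Request body of a POST.  http_client_body is only populated for requests
# that carry a body, so this never matches a GET.
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"cmd= parameter in POST body"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"cmd=",nocase; sid:1000012; rev:1; )

# Response side: status code plus a response header.  Direction is
# to_client, and the buffers now refer to the response message.
alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"executable served with 200 OK"; flow:to_client,established; http_stat_code; content:"200"; http_header:field content-type; content:"application/x-msdownload",nocase; sid:1000013; rev:1; )
]]
}
```

The `request` modifier on http_header, http_cookie, http_version and http_trailer is what lets a to_client rule like the last one also inspect the request that produced the response; without it the header buffer in a response rule is the response's own headers.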
7.66. icmp_seq

--------------

Help: rule option to check ICMP sequence number

Type: ips_option

Usage: detect

Configuration:

 * interval icmp_seq.~range: check if ICMP sequence number is in
   given range { 0:65535 }


7.67. icode

--------------

Help: rule option to check ICMP code

Type: ips_option

Usage: detect

Configuration:

 * interval icode.~range: check if ICMP code is in given range
   { 0:255 }


7.68. id

--------------

Help: rule option to check the IP ID field

Type: ips_option

Usage: detect

Configuration:

 * interval id.~range: check if the IP ID is in the given range { 0: }


7.69. iec104_apci_type

--------------

Help: rule option to check iec104 apci type

Type: ips_option

Usage: detect

Configuration:

 * string iec104_apci_type.~: APCI type to match


7.70. iec104_asdu_func

--------------

Help: rule option to check iec104 function code

Type: ips_option

Usage: detect

Configuration:

 * string iec104_asdu_func.~: function code to match


7.71. ip_proto

--------------

Help: rule option to check the IP protocol number

Type: ips_option

Usage: detect

Configuration:

 * string ip_proto.~proto: [!|>|<] name or number


7.72. ipopts

--------------

Help: rule option to check for IP options

Type: ips_option

Usage: detect

Configuration:

 * select ipopts.~opt: the IP option to check for { rr|eol|nop|ts|
   sec|esec|lsrr|lsrre|ssrr|satid|any }

7.73. isdataat

--------------

Help: rule option to check for the presence of payload data

Type: ips_option

Usage: detect

Configuration:

 * string isdataat.~length: num | !num
 * implied isdataat.relative: offset from cursor instead of start of
   buffer


7.74. itype

--------------

Help: rule option to check ICMP type

Type: ips_option

Usage: detect

Configuration:

 * interval itype.~range: check if ICMP type is in given range
   { 0:255 }


7.75. js_data

--------------

Help: rule option to set detection cursor to normalized JavaScript
data

Type: ips_option

Usage: detect


7.76. md5

--------------

Help: payload rule option for hash matching

Type: ips_option

Usage: detect

Configuration:

 * string md5.~hash: data to match
 * int md5.length: number of octets in plain text { 1:65535 }
 * string md5.offset: var or number of bytes from start of buffer to
   start search
 * implied md5.relative = false: offset from cursor instead of start
   of buffer


7.77. metadata

--------------

Help: rule option for conveying arbitrary comma-separated name, value
data within the rule text

Type: ips_option

Usage: detect

Configuration:

 * string metadata.*: comma-separated list of arbitrary name value
   pairs


7.78. modbus_data

--------------

Help: rule option to set cursor to modbus data

Type: ips_option

Usage: detect


7.79. modbus_func

--------------

Help: rule option to check modbus function code

Type: ips_option

Usage: detect

Configuration:

 * string modbus_func.~: function code to match

7.80. modbus_unit

--------------

Help: rule option to check Modbus unit ID

Type: ips_option

Usage: detect

Configuration:

 * int modbus_unit.~: Modbus unit ID { 0:255 }


7.81. msg

--------------

Help: rule option summarizing rule purpose output with events

Type: ips_option

Usage: detect

Configuration:

 * string msg.~: message describing rule


7.82. mss

--------------

Help: detection for TCP maximum segment size

Type: ips_option

Usage: detect

Configuration:

 * interval mss.~range: check if TCP MSS is in given range
   { 0:65535 }


7.83. num_headers

--------------

Help: rule option to perform range check on number of headers

Type: ips_option

Usage: detect

Configuration:

 * interval num_headers.~range: check that number of headers of
   current buffer are in given range { 0:200 }
 * implied num_headers.request: match against the headers from the
   request message even when examining the response
 * implied num_headers.with_header: this rule is limited to
   examining HTTP message headers
 * implied num_headers.with_body: parts of this rule examine HTTP
   message body
 * implied num_headers.with_trailer: parts of this rule examine HTTP
   message trailers

7.84. num_trailers

--------------

Help: rule option to perform range check on number of trailers

Type: ips_option

Usage: detect

Configuration:

 * interval num_trailers.~range: check that number of trailers of
   current buffer are in given range { 0:200 }
 * implied num_trailers.request: match against the trailers from the
   request message even when examining the response
 * implied num_trailers.with_header: this rule is limited to
   examining HTTP message headers
 * implied num_trailers.with_body: parts of this rule examine HTTP
   message body
 * implied num_trailers.with_trailer: parts of this rule examine
   HTTP message trailers


7.85. pcre

--------------

Help: rule option for matching payload data with pcre

Type: ips_option

Usage: detect

Configuration:

 * string pcre.~re: Snort regular expression

Peg counts:

 * pcre.pcre_rules: total rules processed with pcre option (sum)
 * pcre.pcre_to_hyper: total pcre rules compiled by hyperscan engine
   (sum)
 * pcre.pcre_native: total pcre rules compiled by pcre engine (sum)
 * pcre.pcre_negated: total pcre rules using negation syntax (sum)


7.86. pkt_data

--------------

Help: rule option to set the detection cursor to the normalized
packet data

Type: ips_option

Usage: detect


7.87. pkt_num

--------------

Help: alert on raw packet number

Type: ips_option

Usage: detect

Configuration:

 * interval pkt_num.~range: check if packet number is in given range
   { 1: }

7.88. priority

--------------

Help: rule option for prioritizing events

Type: ips_option

Usage: detect

Configuration:

 * int priority.~: relative severity level; 1 is highest priority
   { 1:max31 }


7.89. raw_data

--------------

Help: rule option to set the detection cursor to the raw packet data

Type: ips_option

Usage: detect


7.90. reference

--------------

Help: rule option to indicate relevant attack identification system

Type: ips_option

Usage: detect

Configuration:

 * string reference.~ref: reference: <scheme>,<id>


7.91. regex

--------------

Help: rule option for matching payload data with hyperscan regex;
uses pcre syntax

Type: ips_option

Usage: detect

Configuration:

 * string regex.~re: hyperscan regular expression
 * implied regex.dotall: matching a . will not exclude newlines
 * implied regex.fast_pattern: use this content in the fast pattern
   matcher instead of the content selected by default
 * implied regex.multiline: ^ and $ anchors match any newlines in
   data
 * implied regex.nocase: case insensitive match
 * implied regex.relative: start search from end of last match
   instead of start of buffer


7.92. rem

--------------

Help: rule option to convey an arbitrary comment in the rule body

Type: ips_option

Usage: detect

Configuration:

 * string rem.~: comment


7.93. replace

--------------

Help: rule option to overwrite payload data; use with "rewrite"
action; works for raw packets only

Type: ips_option

Usage: detect

Configuration:

 * string replace.~: byte code to replace with

7.94. rev

--------------

Help: rule option to indicate current revision of signature

Type: ips_option

Usage: detect

Configuration:

 * int rev.~: revision { 1:max32 }


7.95. rpc

--------------

Help: rule option to check SUNRPC CALL parameters

Type: ips_option

Usage: detect

Configuration:

 * int rpc.~app: application number { 0:max32 }
 * string rpc.~ver: version number or * for any
 * string rpc.~proc: procedure number or * for any


7.96. s7commplus_content

--------------

Help: rule option to set cursor to s7commplus content

Type: ips_option

Usage: detect


7.97. s7commplus_func

--------------

Help: rule option to check s7commplus function code

Type: ips_option

Usage: detect

Configuration:

 * string s7commplus_func.~: function code to match


7.98. s7commplus_opcode

--------------

Help: rule option to check s7commplus opcode

Type: ips_option

Usage: detect

Configuration:

 * string s7commplus_opcode.~: opcode to match


7.99. sd_pattern

--------------

Help: rule option for detecting sensitive data

Type: ips_option

Usage: detect

Configuration:

 * string sd_pattern.~pattern: the pattern to search for
 * int sd_pattern.threshold = 1: number of matches before alerting
   { 1:max32 }

Peg counts:

 * sd_pattern.below_threshold: sd_pattern matched but missed
   threshold (sum)
 * sd_pattern.pattern_not_found: sd_pattern did not match (sum)
 * sd_pattern.terminated: hyperscan terminated (sum)

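The payload options isdataat (7.73), pcre (7.85), regex (7.91) and sd_pattern (7.99), together with the bookkeeping options metadata (7.77), priority (7.88) and rem (7.92), are shown together below. This is an added example, not text from this manual or rules shipped with Snort. It assumes sids 1000020-1000022, $HOME_NET/$EXTERNAL_NET from default_variables, and that the built-in sd_pattern name `credit_card` is available in this build; the metadata keys are arbitrary labels chosen for the example.

```lua
-- Added example: payload matching options embedded via ips.rules.
-- Assumed: sids 1000020-1000022, default_variables from snort_defaults.lua.
ips =
{
    variables = default_variables,

    rules = [[
# Classic overlong-argument check.  content anchors the cursor after "USER ";
# isdataat:300,relative is a cheap guard that 300 bytes exist past the cursor
# (no regex work on short lines); pcre with R (relative) then confirms that
# those 300 bytes contain no line break, i.e. the argument itself is long.
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"POP3 USER argument of 300+ bytes"; flow:to_server,established; content:"USER ",nocase,depth 5; isdataat:300,relative; pcre:"/^[^\r\n]{300}/R"; sid:1000020; rev:1; )

# regex is the hyperscan-backed alternative: same pcre syntax, but flags
# are given as rule-option modifiers.  relative starts at the cursor left
# by content, so the pattern is only searched after the DATA command.
# "TVqQAAMAAAAEAAAA" is the base64 encoding of a standard PE (MZ) header.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"base64 PE header after SMTP DATA"; flow:to_server,established; content:"DATA|0D 0A|",nocase; regex:"/TVqQAAMAAAAEAAAA/",relative; sid:1000021; rev:1; )

# Data-leak check on outbound traffic.  threshold 2 means one card-like
# number (an order id, a phone number) is not enough; two in the same
# buffer are.  priority, metadata and rem carry no detection logic: they
# rank the event, tag it for downstream tooling, and document the choice.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"two or more credit card numbers leaving the network"; flow:to_server,established; sd_pattern:"credit_card",threshold 2; priority:1; metadata:policy balanced-ips alert, data_class pci; rem:"threshold 2 suppresses single-number false positives"; sid:1000022; rev:1; )
]]
}
```

The order of the options in rule 1 matters: isdataat and pcre both use `relative`, so each is evaluated from the cursor the previous option left, not from the start of the buffer.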
7.100. seq

--------------

Help: rule option to check TCP sequence number

Type: ips_option

Usage: detect

Configuration:

 * interval seq.~range: check if TCP sequence number is in given
   range { 0: }


7.101. service

--------------

Help: rule option to specify list of services for grouping rules

Type: ips_option

Usage: detect

Configuration:

 * string service.*: one or more comma-separated service names


7.102. sha256

--------------

Help: payload rule option for hash matching

Type: ips_option

Usage: detect

Configuration:

 * string sha256.~hash: data to match
 * int sha256.length: number of octets in plain text { 1:65535 }
 * string sha256.offset: var or number of bytes from start of buffer
   to start search
 * implied sha256.relative = false: offset from cursor instead of
   start of buffer


7.103. sha512

--------------

Help: payload rule option for hash matching

Type: ips_option

Usage: detect

Configuration:

 * string sha512.~hash: data to match
 * int sha512.length: number of octets in plain text { 1:65535 }
 * string sha512.offset: var or number of bytes from start of buffer
   to start search
 * implied sha512.relative = false: offset from cursor instead of
   start of buffer


7.104. sid

--------------

Help: rule option to indicate signature number

Type: ips_option

Usage: detect

Configuration:

 * int sid.~: signature id { 1:max32 }


7.105. sip_body

--------------

Help: rule option to set the detection cursor to the SIP message body

Type: ips_option

Usage: detect

7.106. sip_header

--------------

Help: rule option to set the detection cursor to the SIP header
buffer

Type: ips_option

Usage: detect


7.107. sip_method

--------------

Help: detection option for SIP method

Type: ips_option

Usage: detect

Configuration:

 * string sip_method.*method: sip method


7.108. sip_stat_code

--------------

Help: detection option for sip stat code

Type: ips_option

Usage: detect

Configuration:

 * int sip_stat_code.*code: status code { 1:999 }


7.109. so

--------------

Help: rule option to call custom eval function

Type: ips_option

Usage: detect

Configuration:

 * string so.~func: name of eval function
 * implied so.relative: offset from cursor instead of start of
   buffer


7.110. soid

--------------

Help: rule option to specify a shared object rule ID

Type: ips_option

Usage: detect

Configuration:

 * string soid.~: SO rule ID is unique key, eg <gid>_<sid>_<rev>
   like 3_45678_9

7.111. ssl_state

--------------

Help: detection option for ssl state

Type: ips_option

Usage: detect

Configuration:

 * implied ssl_state.client_hello: check for client hello
 * implied ssl_state.server_hello: check for server hello
 * implied ssl_state.client_keyx: check for client keyx
 * implied ssl_state.server_keyx: check for server keyx
 * implied ssl_state.unknown: check for unknown record
 * implied ssl_state.!client_hello: check for records that are not
   client hello
 * implied ssl_state.!server_hello: check for records that are not
   server hello
 * implied ssl_state.!client_keyx: check for records that are not
   client keyx
 * implied ssl_state.!server_keyx: check for records that are not
   server keyx
 * implied ssl_state.!unknown: check for records that are not
   unknown


7.112. ssl_version

--------------

Help: detection option for ssl version

Type: ips_option

Usage: detect

Configuration:

 * implied ssl_version.sslv2: check for sslv2
 * implied ssl_version.sslv3: check for sslv3
 * implied ssl_version.tls1.0: check for tls1.0
 * implied ssl_version.tls1.1: check for tls1.1
 * implied ssl_version.tls1.2: check for tls1.2
 * implied ssl_version.!sslv2: check for records that are not sslv2
 * implied ssl_version.!sslv3: check for records that are not sslv3
 * implied ssl_version.!tls1.0: check for records that are not
   tls1.0
 * implied ssl_version.!tls1.1: check for records that are not
   tls1.1
 * implied ssl_version.!tls1.2: check for records that are not
   tls1.2

7.113. stream_reassemble

--------------

Help: detection option for stream reassembly control

Type: ips_option

Usage: detect

Configuration:

 * enum stream_reassemble.action: stop or start stream reassembly
   { disable|enable }
 * enum stream_reassemble.direction: action applies to the given
   direction(s) { client|server|both }
 * implied stream_reassemble.noalert: don't alert when rule matches
 * implied stream_reassemble.fastpath: optionally trust the
   remainder of the session


7.114. stream_size

--------------

Help: detection option for stream size checking

Type: ips_option

Usage: detect

Configuration:

 * interval stream_size.~range: check if the stream size is in the
   given range { 0: }
 * enum stream_size.~direction: compare applies to the given
   direction(s) { either|to_server|to_client|both }


7.115. tag

--------------

Help: rule option to log additional packets

Type: ips_option

Usage: detect

Configuration:

 * enum tag.~: log all packets in session or all packets to or from
   host { session|host_src|host_dst }
 * int tag.packets: tag this many packets { 1:max32 }
 * int tag.seconds: tag for this many seconds { 1:max32 }
 * int tag.bytes: tag for this many bytes { 1:max32 }


7.116. target

--------------

Help: rule option to indicate target of attack

Type: ips_option

Usage: detect

Configuration:

 * enum target.~: indicate the target of the attack { src_ip |
   dst_ip }


7.117. tos

--------------

Help: rule option to check type of service field

Type: ips_option

Usage: detect

Configuration:

 * interval tos.~range: check if IP TOS is in given range { 0:255 }

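The non-payload options scattered through this chapter (fragbits 7.41, fragoffset 7.42, icode 7.67, ip_proto 7.71, ipopts 7.72, itype 7.74, ssl_state 7.111, ssl_version 7.112, tag 7.115, target 7.116) test header fields or protocol state rather than bytes. The fragment below is an added example, not text from this manual or rules shipped with Snort; it assumes sids 1000030-1000034, $HOME_NET/$EXTERNAL_NET from default_variables, and that the ssl inspector is bound for port 443 as in the stock configuration.

```lua
-- Added example: header and protocol-state options embedded via ips.rules.
-- Assumed: sids 1000030-1000034, default_variables from snort_defaults.lua.
ips =
{
    variables = default_variables,

    rules = [[
# IPv4 loose source routing option present.  No payload test at all, so the
# protocol is "ip" and no flow option is needed.
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"IPv4 loose source route option"; ipopts:lsrr; sid:1000030; rev:1; )

# First fragment of a fragmented datagram: More Fragments set, offset 0.
# tag:session then logs the next 20 packets of the session so the rest of
# the fragment train is captured alongside the event.
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"fragmented datagram, first fragment"; fragbits:M; fragoffset:0; tag:session, packets 20; sid:1000031; rev:1; )

# ICMP echo request (type 8, code 0) carrying more than 1 KB of payload.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"oversized ICMP echo request"; itype:8; icode:0; dsize:>1024; sid:1000032; rev:1; )

# Transport other than TCP/UDP/ICMP reaching an internal host; 47 is GRE.
# target:dst_ip tells loggers which address is the victim.
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"GRE to internal host"; ip_proto:47; target:dst_ip; sid:1000033; rev:1; )

# Legacy protocol versions offered in a client hello.  ssl_state limits the
# check to that handshake record; ssl_version lists the versions of interest.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( msg:"SSLv2/SSLv3 client hello"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv2,sslv3; sid:1000034; rev:1; )
]]
}
```

Rules 1, 2 and 4 have no content and therefore no fast-pattern, so they are evaluated against every packet of the matching protocol; keep such rules few and their header tests cheap.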
7.118. ttl

--------------

Help: rule option to check time to live field

Type: ips_option

Usage: detect

Configuration:

 * interval ttl.~range: check if IP TTL is in the given range
   { 0:255 }


7.119. urg

--------------

Help: detection for TCP urgent pointer

Type: ips_option

Usage: detect

Configuration:

 * interval urg.~range: check if tcp urgent offset is in given range
   { 0:65535 }


7.120. vba_data

--------------

Help: rule option to set the detection cursor to the MS Office Visual
Basic for Applications macros buffer

Type: ips_option

Usage: detect


7.121. window

--------------

Help: rule option to check TCP window field

Type: ips_option

Usage: detect

Configuration:

 * interval window.~range: check if TCP window size is in given
   range { 0:65535 }


7.122. wscale

--------------

Help: detection for TCP window scale

Type: ips_option

Usage: detect

Configuration:

 * interval wscale.~range: check if TCP window scale is in given
   range { 0:65535 }


---------------------------------------------------------------------

8. Search Engine Modules

---------------------------------------------------------------------

Search engines perform multipattern searching of packets and payload
to find rules that should be evaluated. There are currently no
specific modules, although there are several search engine plugins.
Related configuration is done with the basic detection module.


---------------------------------------------------------------------

SO Rule Modules 8104 8105--------------------------------------------------------------------- 8106 8107SO rules are dynamic rules that require custom coding to perform 8108detection not possible with the existing rule options. These rules 8109typically do not have associated modules. 8110 8111 8112--------------------------------------------------------------------- 8113 811410. Logger Modules 8115 8116--------------------------------------------------------------------- 8117 8118All output of events and packets is done by Loggers. 8119 8120 812110.1. alert_csv 8122 8123-------------- 8124 8125Help: output event in csv format 8126 8127Type: logger 8128 8129Usage: global 8130 8131Configuration: 8132 8133 * bool alert_csv.file = false: output to alert_csv.txt instead of 8134 stdout 8135 * multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len 8136 dir src_ap dst_ap rule action: selected fields will be output in 8137 given order left to right { action | class | b64_data | 8138 client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | 8139 eth_dst | eth_len | eth_src | eth_type | flowstart_time | 8140 geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type | 8141 iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num 8142 | priority | proto | rev | rule | seconds | server_bytes | 8143 server_pkts | service | sgt| sid | src_addr | src_ap | src_port | 8144 target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | 8145 timestamp | tos | ttl | udp_len | vlan } 8146 * int alert_csv.limit = 0: set maximum size in MB before rollover 8147 (0 is unlimited) { 0:maxSZ } 8148 * string alert_csv.separator = , : separate fields with this 8149 character sequence 8150 8151 815210.2. alert_ex 8153 8154-------------- 8155 8156Help: output gid:sid:rev for alerts 8157 8158Type: logger 8159 8160Usage: context 8161 8162Configuration: 8163 8164 * bool alert_ex.upper = false: true/false → convert to upper/lower 8165 case 8166 8167 816810.3. 
alert_fast 8169 8170-------------- 8171 8172Help: output event with brief text format 8173 8174Type: logger 8175 8176Usage: global 8177 8178Configuration: 8179 8180 * bool alert_fast.file = false: output to alert_fast.txt instead of 8181 stdout 8182 * bool alert_fast.packet = false: output packet dump with alert 8183 * int alert_fast.limit = 0: set maximum size in MB before rollover 8184 (0 is unlimited) { 0:maxSZ } 8185 8186 818710.4. alert_full 8188 8189-------------- 8190 8191Help: output event with full packet dump 8192 8193Type: logger 8194 8195Usage: global 8196 8197Configuration: 8198 8199 * bool alert_full.file = false: output to alert_full.txt instead of 8200 stdout 8201 * int alert_full.limit = 0: set maximum size in MB before rollover 8202 (0 is unlimited) { 0:maxSZ } 8203 8204 820510.5. alert_json 8206 8207-------------- 8208 8209Help: output event in json format 8210 8211Type: logger 8212 8213Usage: global 8214 8215Configuration: 8216 8217 * bool alert_json.file = false: output to alert_json.txt instead of 8218 stdout 8219 * multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len 8220 dir src_ap dst_ap rule action: selected fields will be output in 8221 given order left to right { action | class | b64_data | 8222 client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | 8223 eth_dst | eth_len | eth_src | eth_type | flowstart_time | 8224 geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type | 8225 iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num 8226 | priority | proto | rev | rule | seconds | server_bytes | 8227 server_pkts | service | sgt| sid | src_addr | src_ap | src_port | 8228 target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | 8229 timestamp | tos | ttl | udp_len | vlan } 8230 * int alert_json.limit = 0: set maximum size in MB before rollover 8231 (0 is unlimited) { 0:maxSZ } 8232 * string alert_json.separator = , : separate fields with this 8233 character sequence 8234 8235 823610.6. 
alert_syslog 8237 8238-------------- 8239 8240Help: output event to syslog 8241 8242Type: logger 8243 8244Usage: global 8245 8246Configuration: 8247 8248 * enum alert_syslog.facility = auth: part of priority applied to 8249 each message { auth | authpriv | daemon | user | local0 | local1 8250 | local2 | local3 | local4 | local5 | local6 | local7 } 8251 * enum alert_syslog.level = info: part of priority applied to each 8252 message { emerg | alert | crit | err | warning | notice | info | 8253 debug } 8254 * multi alert_syslog.options: used to open the syslog connection { 8255 cons | ndelay | perror | pid } 8256 8257 825810.7. alert_talos 8259 8260-------------- 8261 8262Help: output event in Talos alert format 8263 8264Type: logger 8265 8266Usage: global 8267 8268 826910.8. alert_unixsock 8270 8271-------------- 8272 8273Help: output event over unix socket 8274 8275Type: logger 8276 8277Usage: global 8278 8279 828010.9. log_codecs 8281 8282-------------- 8283 8284Help: log protocols in packet by layer 8285 8286Type: logger 8287 8288Usage: global 8289 8290Configuration: 8291 8292 * bool log_codecs.file = false: output to log_codecs.txt instead of 8293 stdout 8294 * bool log_codecs.msg = false: include alert msg 8295 8296 829710.10. log_hext 8298 8299-------------- 8300 8301Help: output payload suitable for daq hext 8302 8303Type: logger 8304 8305Usage: global 8306 8307Configuration: 8308 8309 * bool log_hext.file = false: output to log_hext.txt instead of 8310 stdout 8311 * bool log_hext.raw = false: output all full packets if true, else 8312 just TCP payload 8313 * int log_hext.limit = 0: set maximum size in MB before rollover (0 8314 is unlimited) { 0:maxSZ } 8315 * int log_hext.width = 20: set line width (0 is unlimited) { 8316 0:max32 } 8317 8318 831910.11. 
log_pcap 8320 8321-------------- 8322 8323Help: log packet in pcap format 8324 8325Type: logger 8326 8327Usage: global 8328 8329Configuration: 8330 8331 * int log_pcap.limit = 0: set maximum size in MB before rollover (0 8332 is unlimited) { 0:maxSZ } 8333 8334 833510.12. unified2 8336 8337-------------- 8338 8339Help: output event and packet in unified2 format file 8340 8341Type: logger 8342 8343Usage: global 8344 8345Configuration: 8346 8347 * bool unified2.legacy_events = false: generate Snort 2.X style 8348 events for barnyard2 compatibility 8349 * int unified2.limit = 0: set maximum size in MB before rollover (0 8350 is unlimited) { 0:maxSZ } 8351 * bool unified2.nostamp = true: append file creation time to name 8352 (in Unix Epoch format) 8353 8354 8355--------------------------------------------------------------------- 8356 835711. Appendix 8358 8359--------------------------------------------------------------------- 8360 8361 836211.1. Build Options 8363 8364-------------- 8365 8366The options listed below must be explicitly enabled so they are built 8367into the Snort binary. For a full list of build options, run ./ 8368configure --help. 8369 8370 * --enable-shell: enable building local and remote command line 8371 shell support. 8372 * --enable-tsc-clock: use the TSC register on x86 systems for 8373 improved performance of latency and profiler features. 8374 8375These options are built only if the required libraries and headers 8376are present. There is no need to explicitly enable. 8377 8378 * flatbuffers: for an alternative perf_monitor logging format. 8379 * hyperscan >= 4.4.0: for the regex and sd_pattern rule options and 8380 the hyperscan search engine. 8381 * iconv: for converting UTF16-LE filenames to UTF8 (usually 8382 included in glibc) 8383 * libunwind: for printing a backtrace when a fatal signal is 8384 received. 8385 * lzma: for decompression of SWF and PDF files. 
 * safec: for additional runtime error checking of some memory copy operations.

If you need to use headers and/or libraries in non-standard locations, you can use these options:

 * --with-pkg-includes: specify the directory containing the package headers.
 * --with-pkg-libraries: specify the directory containing the package libraries.

These can be used for the pcap, luajit, pcre, dnet, daq, lzma, openssl, flatbuffers, iconv, and hyperscan packages. For more information on these libraries see the Getting Started section of the manual.


11.2. Environment Variables

--------------

 * HOSTTYPE: optional string that is output with the version at end of line.
 * SNORT_IGNORE: the list of symbols Snort should ignore when parsing the Lua conf. Unknown symbols not in SNORT_IGNORE will cause warnings with --warn-unknown or fatals with --warn-unknown --pedantic.
 * SNORT_PROMPT: the character sequence that is printed at startup, shutdown, and in the shell. The default is the mini-pig: o")~ .
 * SNORT_PLUGIN_PATH: an optional path where Snort can find supplemental shared libraries. This is only used when Snort is building manuals. Modules in supplemental shared libraries will be added to the manuals.


11.3. Command Line Options

--------------

 * -? <option prefix> output matching command line option quick help (same as --help-options) (optional)
 * -A <mode> set alert mode: none, cmg, or alert_*
 * -B <mask> obfuscate IP addresses in alerts and packet dumps using CIDR mask
 * -C print out payloads with character data only (no hex)
 * -c <conf> use this configuration
 * -D run Snort in background (daemon) mode
 * -d dump the Application Layer
 * -e display the second layer header info
 * -f turn off fflush() calls after binary log writes
 * -G <0xid> (same as --logid) (0:65535)
 * -g <gname> run snort gid as <gname> group (or gid) after initialization
 * -H make hash tables deterministic
 * -h show help overview (same as --help)
 * -i <iface>… list of interfaces
 * -j <port> to listen for Telnet connections
 * -k <mode> checksum mode; default is all (all|noip|notcp|noudp|noicmp|none)
 * -L <mode> logging mode (none, dump, pcap, or log_*)
 * -l <logdir> log to this directory instead of current directory
 * -M log messages to syslog (not alerts)
 * -m <umask> set the process file mode creation mask (0x000:0x1FF)
 * -n <count> stop after count packets (0:max53)
 * -O obfuscate the logged IP addresses
 * -Q enable inline mode operation
 * -q quiet mode - suppress normal logging on stdout
 * -R <rules> include this rules file in the default policy
 * -r <pcap>… (same as --pcap-list)
 * -s <snap> (same as --snaplen); default is 1518 (68:65535)
 * -T test and report on the current Snort configuration
 * -t <dir> chroots process to <dir> after initialization
 * -U use UTC for timestamps
 * -u <uname> run snort as <uname> or <uid> after initialization
 * -V (same as --version)
 * -v be verbose
 * -X dump the raw packet data starting at the link layer
 * -x same as --pedantic
 * -y include year in timestamp in the alert and log files
 * -z <count> maximum number of packet threads (same as --max-packet-threads); 0 gets the number of CPU cores reported by the system; default is 1 (0:max32)
 * --alert-before-pass evaluate alert rules before pass rules; default is pass rules first
 * --bpf <filter options> are standard BPF options, as seen in TCPDump
 * --c2x output hex for given char (see also --x2c)
 * --control-socket <file> to create unix socket
 * --create-pidfile create PID file, even when not in Daemon mode
 * --daq <type> select packet acquisition module (default is pcap)
 * --daq-batch-size <size> set the DAQ receive batch size (1:)
 * --daq-dir <dir> tell snort where to find desired DAQ
 * --daq-list list packet acquisition modules available in optional dir, default is static modules only
 * --daq-mode <mode> select DAQ module operating mode (overrides automatic selection) (passive | inline | read-file)
 * --daq-var <name=value> specify extra DAQ configuration variable
 * --dirty-pig don’t flush packets on shutdown
 * --dump-builtin-options additional options to include with --dump-builtin-rules stubs
 * --dump-builtin-rules [<module prefix>] output stub rules for selected modules (optional)
 * --dump-config dump config in json format (all | top)
 * --dump-config-text dump config in text format
 * --dump-dynamic-rules output stub rules for all loaded rules libraries
 * --dump-defaults [<module prefix>] output module defaults in Lua format (optional)
 * --dump-rule-databases dump rule databases to given directory (hyperscan only)
 * --dump-rule-deps dump rule dependencies in json format for use by other tools
 * --dump-rule-meta dump configured rule info in json format for use by other tools
 * --dump-rule-state dump configured rule state in json format for use by other tools
 * --dump-version output the version, the whole version, and only the version
 * --enable-inline-test enable Inline-Test Mode Operation
 * --enable-test-features enable features used in testing
 * --gen-msg-map dump configured rules in gen-msg.map format for use by other tools
 * --help show help overview
 * --help-commands [<module prefix>] output matching commands (optional)
 * --help-config [<module prefix>] output matching config options (optional)
 * --help-counts [<module prefix>] output matching peg counts (optional)
 * --help-limits print the int upper bounds denoted by max*
 * --help-module <module> output description of given module
 * --help-modules list all available modules with brief help
 * --help-modules-json dump description of all available modules in JSON format
 * --help-options [<option prefix>] output matching command line option quick help (same as -?) (optional)
 * --help-plugins list all available plugins with brief help
 * --help-signals dump available control signals
 * --id-offset offset to add to instance IDs when logging to files (0:65535)
 * --id-subdir create/use instance subdirectories in logdir instead of instance filename prefix
 * --id-zero use id prefix / subdirectory even with one packet thread
 * --include-path <path> where to find Lua and rule included files; searched before current or config directories
 * --list-buffers output available inspection buffers
 * --list-builtin [<module prefix>] output matching builtin rules (optional)
 * --list-gids [<module prefix>] output matching generators (optional)
 * --list-modules [<module type>] list all known modules of given type (optional)
 * --list-plugins list all known plugins
 * --lua <chunk> extend/override conf with chunk; may be repeated
 * --lua-sandbox <file> file that contains the lua sandbox environment in which config will be loaded
 * --logid <0xid> log identifier to uniquely id events for multiple snorts (same as -G) (0:65535)
 * --markup output help in asciidoc compatible format
 * --max-packet-threads <count> configure maximum number of packet threads (same as -z) (0:max32)
 * --mem-check like -T but also compile search engines
 * --metadata-filter <filter> load only rules containing filter string in metadata if set
 * --nostamps don’t include timestamps in log file names
 * --nolock-pidfile do not try to lock Snort PID file
 * --no-warn-flowbits ignore warnings about flowbits that are checked but not set and vice-versa
 * --no-warn-rules ignore warnings about duplicate rules and rule parsing issues
 * --pause wait for resume/quit command before processing packets/terminating
 * --pcap-file <file> file that contains a list of pcaps to read - read mode is implied
 * --pcap-list <list> a space separated list of pcaps to read - read mode is implied
 * --pcap-dir <dir> a directory to recurse to look for pcaps - read mode is implied
 * --pcap-filter <filter> filter to apply when getting pcaps from file or directory
 * --pcap-loop <count> read all pcaps <count> times; 0 will read until Snort is terminated (0:max32)
 * --pcap-no-filter reset to use no filter when getting pcaps from file or directory
 * --pcap-show print a line saying what pcap is currently being read
 * --pedantic warnings are fatal
 * --plugin-path <path> a colon separated list of directories or plugin libraries
 * --process-all-events process all action groups
 * --rule <rules> to be added to configuration; may be repeated
 * --rule-path <path> where to find rules files
 * --rule-to-hex output so rule header to stdout for text rule on stdin
 * --rule-to-text output plain so rule header to stdout for text rule on stdin (specify delimiter or [Snort_SO_Rule] will be used) (16)
 * --run-prefix <pfx> prepend this to each output file
 * --script-path <path> to a luajit script or directory containing luajit scripts
 * --shell enable the interactive command line
 * --show-file-codes indicate how files are located: A=absolute and W, F, C which are relative to the working directory, including file, and config file respectively
 * --show-plugins list module and plugin versions
 * --skip <n> skip 1st n packets (0:max53)
 * --snaplen <snap> set snaplen of packet (same as -s) (68:65535)
 * --stdin-rules read rules from stdin until EOF or a line starting with END is read
 * --talos enable Talos tweak (same as --tweaks talos)
 * --tweaks tune configuration
 * --version show version number (same as -V)
 * --warn-all enable all warnings
 * --warn-conf warn about configuration issues
 * --warn-conf-strict warn about unrecognized elements in configuration files
 * --warn-daq warn about DAQ issues, usually related to mode
 * --warn-flowbits warn about flowbits that are checked but not set and vice-versa
 * --warn-hosts warn about host table issues
 * --warn-plugins warn about issues that prevent plugins from loading
 * --warn-rules warn about duplicate rules and rule parsing issues
 * --warn-scripts warn about issues discovered while processing Lua scripts
 * --warn-symbols warn about unknown symbols in your Lua config
 * --warn-vars warn about variable definition and usage issues
 * --x2c output ASCII char for given hex (see also --c2x) (0x00:0xFF)
 * --x2s output ASCII string for given byte code (see also --x2c)


11.4. Configuration

--------------

 * interval ack.~range: check if TCP ack value is value | min<>max | <max | >min { 0: }
 * int active.attempts = 0: number of TCP packets sent per response (with varying sequence numbers) { 0:255 }
 * string active.device: use ip for network layer responses or eth0 etc for link layer
 * string active.dst_mac: use format 01:23:45:67:89:ab
 * int active.max_responses = 0: maximum number of responses { 0:255 }
 * int active.min_interval = 255: minimum number of seconds between responses { 1:255 }
 * string address_space_selector[].addr_spaces: list of address space IDs to match
 * string address_space_selector[].file: use configuration in given file
 * multi alert_csv.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sgt | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
 * bool alert_csv.file = false: output to alert_csv.txt instead of stdout
 * int alert_csv.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
 * string alert_csv.separator = , : separate fields with this character sequence
 * bool alert_ex.upper = false: true/false → convert to upper/lower case
 * bool alert_fast.file = false: output to alert_fast.txt instead of stdout
 * int alert_fast.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
 * bool alert_fast.packet = false: output packet dump with alert
 * bool alert_full.file = false: output to alert_full.txt instead of stdout
 * int alert_full.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
 * multi alert_json.fields = timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action: selected fields will be output in given order left to right { action | class | b64_data | client_bytes | client_pkts | dir | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src | eth_type | flowstart_time | geneve_vni | gid | icmp_code | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len | msg | mpls | pkt_gen | pkt_len | pkt_num | priority | proto | rev | rule | seconds | server_bytes | server_pkts | service | sgt | sid | src_addr | src_ap | src_port | target | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp | tos | ttl | udp_len | vlan }
 * bool alert_json.file = false: output to alert_json.txt instead of stdout
 * int alert_json.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
 * string alert_json.separator = , : separate fields with this character sequence
 * bool alerts.alert_with_interface_name = false: include interface in alert info (fast, full, or syslog only)
 * int alerts.detection_filter_memcap = 1048576: set available MB of memory for detection_filters { 0:max32 }
 * int alerts.event_filter_memcap = 1048576: set available MB of memory for event_filters { 0:max32 }
 * bool alerts.log_references = false: include rule references in alert info (full only)
 * string alerts.order: change the order of rule action application
 * int alerts.rate_filter_memcap = 1048576: set available MB of memory for rate_filters { 0:max32 }
 * string alerts.reference_net: set the CIDR for homenet (for use with -l or -B, does NOT change $HOME_NET in IDS mode)
 * bool alerts.stateful = false: don’t alert w/o established session (note: rule action still taken)
 * string alerts.tunnel_verdicts: let DAQ handle non-allow verdicts for gtp|teredo|6in4|4in6|4in4|6in6|gre|mpls|vxlan traffic
 * enum alert_syslog.facility = auth: part of priority applied to each message { auth | authpriv | daemon | user | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
 * enum alert_syslog.level = info: part of priority applied to each message { emerg | alert | crit | err | warning | notice | info | debug }
 * multi alert_syslog.options: used to open the syslog connection { cons | ndelay | perror | pid }
 * string appid.app_detector_dir: directory to load appid detectors from
 * int appid.app_stats_period = 300: time period for collecting and logging appid statistics { 1:max32 }
 * int appid.app_stats_rollover_size = 20971520: max file size for appid stats before rolling over the log file { 0:max32 }
 * bool appid.enable_rna_filter = false: monitor only the networks specified in rna configuration
 * string appid_listener.file: output data to given file
 * bool appid_listener.json_logging = false: log appid data in json format
 * bool appid.list_odp_detectors = false: enable logging of odp detectors statistics
 * bool appid.log_all_sessions = false: enable logging of all appid sessions
 * bool appid.log_stats = false: enable logging of appid statistics
 * int appid.memcap = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }
 * string appid.rna_conf_path: path to rna configuration file
 * string appids.~: comma separated list of application names
 * bool appid.tp_appid_config_dump: print third party configuration on startup
 * string appid.tp_appid_config: path to third party appid configuration file
 * string appid.tp_appid_path: path to third party appid dynamic library
 * bool appid.tp_appid_stats_enable: enable collection of stats and print stats on exit in third party module
 * ip4 arp_spoof.hosts[].ip: host ip address
 * mac arp_spoof.hosts[].mac: host mac address
 * int asn1.absolute_offset: absolute offset from the beginning of the packet { 0:65535 }
 * implied asn1.bitstring_overflow: detects invalid bitstring encodings that are known to be remotely exploitable
 * implied asn1.double_overflow: detects a double ASCII encoding that is larger than a standard buffer
 * int asn1.oversize_length: compares ASN.1 type lengths with the supplied argument { 0:max32 }
 * implied asn1.print: dump decode data to console; always true
 * int asn1.relative_offset: relative offset from the cursor { -65535:65535 }
 * string attribute_table.hosts_file: filename to load attribute host table from
 * int attribute_table.max_hosts = 1024: maximum number of hosts in attribute table { 32:max53 }
 * int attribute_table.max_metadata_services = 9: maximum number of services in rule { 1:255 }
 * int attribute_table.max_services_per_host = 8: maximum number of services per host entry in attribute table { 1:65535 }
 * int base64_decode.bytes: number of base64 encoded bytes to decode { 1:max32 }
 * int base64_decode.offset = 0: bytes past start of buffer to start decoding { 0:max32 }
 * implied base64_decode.relative: apply offset to cursor instead of start of buffer
 * int ber_data.~type: move to the data for the specified BER element type { 0:255 }
 * implied ber_skip.optional: match even if the specified BER type is not found
 * int ber_skip.~type: BER element type to skip { 0:255 }
 * enum binder[].use.action = inspect: what to do with matching traffic { reset | block | allow | inspect }
 * string binder[].use.file: use configuration in given file
 * string binder[].use.inspection_policy: use inspection policy from given file
 * string binder[].use.ips_policy: use ips policy from given file
 * string binder[].use.name: symbol name (defaults to type)
 * string binder[].use.network_policy: use network policy from given file
 * string binder[].use.service: override automatic service identification
 * string binder[].use.type: select module for binding
 * string binder[].when.addr_spaces: list of address space IDs
 * string binder[].when.dst_groups: list of destination group IDs
 * string binder[].when.dst_intfs: list of destination interface IDs
 * addr_list binder[].when.dst_nets: list of destination networks
 * bit_list binder[].when.dst_ports: list of destination ports { 65535 }
 * string binder[].when.dst_zone: deprecated alias for dst_groups
 * string binder[].when.groups: list of interface group IDs
 * string binder[].when.intfs: list of interface IDs
 * int binder[].when.ips_policy_id: unique ID for selection of this config by external logic { 0:max32 }
 * addr_list binder[].when.nets: list of networks
 * bit_list binder[].when.ports: list of ports { 65535 }
 * enum binder[].when.proto: protocol { any | ip | icmp | tcp | udp | user | file }
 * enum binder[].when.role = any: use the given configuration on one or any end of a session { client | server | any }
 * string binder[].when.service: override default configuration
 * string binder[].when.src_groups: list of source interface group IDs
 * string binder[].when.src_intfs: list of source interface IDs
 * addr_list binder[].when.src_nets: list of source networks
 * bit_list binder[].when.src_ports: list of source ports { 65535 }
 * string binder[].when.src_zone: deprecated alias for src_groups
 * string binder[].when.tenants: list of tenants
 * bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
 * string binder[].when.zones: deprecated alias for groups
 * interval bufferlen.~range: check that total length of current buffer is in given range { 0:65535 }
 * implied bufferlen.relative: use remaining length (from current position) instead of total length
 * int byte_extract.align = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
 * implied byte_extract.big: big endian
 * int byte_extract.bitmask: applies as an AND to the extracted value before storage in name { 0x1:0xFFFFFFFF }
 * int byte_extract.~count: number of bytes to pick up from the buffer { 1:10 }
 * implied byte_extract.dce: dcerpc2 determines endianness
 * implied byte_extract.dec: convert from decimal string
 * implied byte_extract.hex: convert from hex string
 * implied byte_extract.little: little endian
 * int byte_extract.multiplier = 1: scale extracted value by given amount { 1:65535 }
 * string byte_extract.~name: name of the variable that will be used in other rule options
 * implied byte_extract.oct: convert from octal string
 * int byte_extract.~offset: number of bytes into the buffer to start processing { -65535:65535 }
 * implied byte_extract.relative: offset from cursor instead of start of buffer
 * implied byte_extract.string: convert from string
 * int byte_jump.align = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 }
 * implied byte_jump.big: big endian
 * int byte_jump.bitmask: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }
 * int byte_jump.~count: number of bytes to pick up from the buffer { 0:10 }
 * implied byte_jump.dce: dcerpc2 determines endianness
 * implied byte_jump.dec: convert from decimal string
 * implied byte_jump.from_beginning: jump from start of buffer instead of cursor
 * implied byte_jump.from_end: jump backward from end of buffer
 * implied byte_jump.hex: convert from hex string
 * implied byte_jump.little: little endian
 * int byte_jump.multiplier = 1: scale extracted value by given amount { 1:65535 }
 * implied byte_jump.oct: convert from octal string
 * string byte_jump.~offset: variable name or number of bytes into the buffer to start processing
 * string byte_jump.post_offset: skip forward or backward (positive or negative value) by variable name or number of bytes after the other jump options have been applied
 * implied byte_jump.relative: offset from cursor instead of start of buffer
 * implied byte_jump.string: convert from string
 * int byte_math.bitmask: applies as bitwise AND to the extracted value before storage in name { 0x1:0xFFFFFFFF }
 * int byte_math.bytes: number of bytes to pick up from the buffer { 1:10 }
 * implied byte_math.dce: dcerpc2 determines endianness
 * enum byte_math.endian: specify big/little endian { big|little }
 * string byte_math.offset: number of bytes into the buffer to start processing
 * enum byte_math.oper: mathematical operation to perform { +|-|*|/|<<|>> }
 * implied byte_math.relative: offset from cursor instead of start of buffer
 * string byte_math.result: name of the variable to store the result
 * string byte_math.rvalue: value to use mathematical operation against
 * enum byte_math.string: convert extracted string to dec/hex/oct { hex|dec|oct }
 * implied byte_test.big: big endian
 * int byte_test.bitmask: applies as an AND prior to evaluation { 0x1:0xFFFFFFFF }
 * string byte_test.~compare: variable name or value to test the converted result against
 * int byte_test.~count: number of bytes to pick up from the buffer { 1:10 }
 * implied byte_test.dce: dcerpc2 determines endianness
 * implied byte_test.dec: convert from decimal string
 * implied byte_test.hex: convert from hex string
 * implied byte_test.little: little endian
 * implied byte_test.oct: convert from octal string
 * string byte_test.~offset: variable name or number of bytes into the payload to start processing
 * string byte_test.~operator: operation to perform to test the value
 * implied byte_test.relative: offset from cursor instead of start of buffer
 * implied byte_test.string: convert from string
 * interval cip_attribute.~range: match CIP attribute { 0:65535 }
 * interval cip_class.~range: match CIP class { 0:65535 }
 * interval cip_conn_path_class.~range: match CIP Connection Path Class { 0:65535 }
 * string cip.embedded_cip_path = false: check embedded CIP path
 * interval cip_instance.~range: match CIP instance { 0:4294967295 }
 * int cip.max_cip_connections = 100: max cip connections { 1:10000 }
 * int cip.max_unconnected_messages = 100: max unconnected cip messages { 1:10000 }
 * interval cip_service.~range: match CIP service { 0:127 }
 * interval cip_status.~range: match CIP response status { 0:255 }
 * int cip.unconnected_timeout = 300: unconnected timeout in seconds { 0:360 }
 * string classifications[].name: name used with classtype rule option
 * int classifications[].priority = 1: default priority for class { 0:max32 }
 * string classifications[].text: description of class
 * string classtype.~: classification for this rule
 * string content.~data: data to match
 * string content.depth: var or maximum number of bytes to search from beginning of buffer
 * string content.distance: var or number of bytes from cursor to start search
 * int content.fast_pattern_length: maximum number of characters from this content the fast pattern matcher should use { 1:65535 }
 * int content.fast_pattern_offset = 0: number
of leading characters 8919 of this content the fast pattern matcher should exclude { 0:65535 8920 } 8921 * implied content.fast_pattern: use this content in the fast 8922 pattern matcher instead of the content selected by default 8923 * implied content.nocase: case insensitive match 8924 * string content.offset: var or number of bytes from start of 8925 buffer to start search 8926 * string content.within: var or maximum number of bytes to search 8927 from cursor 8928 * implied cvs.invalid-entry: looks for an invalid Entry string 8929 * int daq.batch_size = 64: set receive batch size (same as 8930 --daq-batch-size) { 1: } 8931 * string daq.inputs[].input: input source 8932 * string daq.module_dirs[].path: directory path 8933 * enum daq.modules[].mode = passive: DAQ module mode { passive | 8934 inline | read-file } 8935 * string daq.modules[].name: DAQ module name (required) 8936 * string daq.modules[].variables[].variable: DAQ module variable 8937 (foo[=bar]) 8938 * int daq.snaplen = 1518: set snap length (same as -s) { 0:65535 } 8939 * select data_log.key = http_request_header_event : name of the 8940 event to log { http_request_header_event | 8941 http_response_header_event } 8942 * int data_log.limit = 0: set maximum size in MB before rollover (0 8943 is unlimited) { 0:max32 } 8944 * implied dce_iface.any_frag: match on any fragment 8945 * string dce_iface.uuid: match given dcerpc uuid 8946 * interval dce_iface.version: interface version { 0: } 8947 * string dce_opnum.~: match given dcerpc operation number, range or 8948 list 8949 * bool dce_smb.disable_defrag = false: disable DCE/RPC 8950 defragmentation 8951 * bool dce_smb.limit_alerts = true: limit DCE alert to at most one 8952 per signature per flow 8953 * int dce_smb.max_frag_len = 65535: maximum fragment size for 8954 defragmentation { 1514:65535 } 8955 * int dce_smb.memcap = 8388608: Memory utilization limit on smb { 8956 512:maxSZ } 8957 * enum dce_smb.policy = WinXP: target based policy to use { Win2000 
8958 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | 8959 Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 } 8960 * int dce_smb.reassemble_threshold = 0: minimum bytes received 8961 before performing reassembly { 0:65535 } 8962 * int dce_smb.smb_file_depth = 16384: SMB file depth for file data 8963 (-1 = disabled, 0 = unlimited) { -1:32767 } 8964 * enum dce_smb.smb_file_inspection: deprecated (not used): file 8965 inspection controlled by smb_file_depth { off | on | only } 8966 * enum dce_smb.smb_fingerprint_policy = none: target based SMB 8967 policy to use { none | client | server | both } 8968 * string dce_smb.smb_invalid_shares: SMB shares to alert on 8969 * bool dce_smb.smb_legacy_mode = false: inspect only SMBv1 8970 * int dce_smb.smb_max_chain = 3: SMB max chain size { 0:255 } 8971 * int dce_smb.smb_max_compound = 3: SMB max compound size { 0:255 } 8972 * int dce_smb.smb_max_credit = 8192: Maximum number of outstanding 8973 request { 1:65536 } 8974 * multi dce_smb.valid_smb_versions = all: valid SMB versions { v1 | 8975 v2 | all } 8976 * bool dce_tcp.disable_defrag = false: disable DCE/RPC 8977 defragmentation 8978 * bool dce_tcp.limit_alerts = true: limit DCE alert to at most one 8979 per signature per flow 8980 * int dce_tcp.max_frag_len = 65535: maximum fragment size for 8981 defragmentation { 1514:65535 } 8982 * enum dce_tcp.policy = WinXP: target based policy to use { Win2000 8983 | WinXP | WinVista | Win2003 | Win2008 | Win7 | Samba | 8984 Samba-3.0.37 | Samba-3.0.22 | Samba-3.0.20 } 8985 * int dce_tcp.reassemble_threshold = 0: minimum bytes received 8986 before performing reassembly { 0:65535 } 8987 * bool dce_udp.disable_defrag = false: disable DCE/RPC 8988 defragmentation 8989 * bool dce_udp.limit_alerts = true: limit DCE alert to at most one 8990 per signature per flow 8991 * int dce_udp.max_frag_len = 65535: maximum fragment size for 8992 defragmentation { 1514:65535 } 8993 * bool detection.allow_missing_so_rules = false: warn (true) or 8994 
error (false) when an SO rule stub refers to an SO rule that 8995 isn’t loaded 8996 * int detection.asn1 = 0: maximum decode nodes { 0:65535 } 8997 * bool detection.enable_address_anomaly_checks = false: enable 8998 check and alerting of address anomalies 8999 * int detection_filter.count: hits in interval before allowing the 9000 rule to fire { 1:max32 } 9001 * int detection_filter.seconds: length of interval to count hits { 9002 1:max32 } 9003 * enum detection_filter.track: track hits by source or destination 9004 IP address { by_src | by_dst } 9005 * bool detection.global_default_rule_state = true: enable or 9006 disable rules by default (overridden by ips policy settings) 9007 * bool detection.global_rule_state = false: apply rule_state 9008 against all policies 9009 * bool detection.hyperscan_literals = false: use hyperscan for 9010 content literal searches instead of boyer-moore 9011 * int detection.offload_limit = 99999: minimum sizeof PDU to 9012 offload fast pattern search (defaults to disabled) { 0:max32 } 9013 * int detection.offload_threads = 0: maximum number of simultaneous 9014 offloads (defaults to disabled) { 0:max32 } 9015 * bool detection.pcre_enable = true: enable pcre pattern matching 9016 * int detection.pcre_match_limit = 1500: limit pcre backtracking, 0 9017 = off { 0:max32 } 9018 * int detection.pcre_match_limit_recursion = 1500: limit pcre stack 9019 consumption, 0 = off { 0:max32 } 9020 * bool detection.pcre_override = true: enable pcre match limit 9021 overrides when pattern matching (ie ignore /O) 9022 * bool detection.pcre_to_regex = false: enable the use of regex 9023 instead of pcre for compatible expressions 9024 * bool dnp3.check_crc = false: validate checksums in DNP3 link 9025 layer frames 9026 * string dnp3_func.~: match DNP3 function code or name 9027 * string dnp3_ind.~: match given DNP3 indicator flags 9028 * int dnp3_obj.group = 0: match given DNP3 object header group { 9029 0:255 } 9030 * int dnp3_obj.var = 0: match given 
DNP3 object header var { 0:255 9031 } 9032 * string domain_filter.file: file with list of domains identifying 9033 hosts to be filtered 9034 * string domain_filter.hosts: list of domains identifying hosts to 9035 be filtered 9036 * int dpx.max = 0: maximum payload before alert { 0:65535 } 9037 * port dpx.port: port to check 9038 * interval dsize.~range: check if packet payload size is in the 9039 given range { 0:65535 } 9040 * enum enable.~enable = yes: enable or disable rule in current ips 9041 policy or use default defined by ips policy { no | yes | inherit 9042 } 9043 * interval enip_command.~range: match CIP Enip Command { 0:65535 } 9044 * bool esp.decode_esp = false: enable for inspection of esp traffic 9045 that has authentication but not encryption 9046 * int event_filter[].count = 0: number of events in interval before 9047 tripping; -1 to disable { -1:max31 } 9048 * int event_filter[].gid = 1: rule generator ID { 0:max32 } 9049 * string event_filter[].ip: restrict filter to these addresses 9050 according to track 9051 * int event_filter[].seconds = 0: count interval { 0:max32 } 9052 * int event_filter[].sid = 1: rule signature ID { 0:max32 } 9053 * enum event_filter[].track: filter only matching source or 9054 destination addresses { by_src | by_dst } 9055 * enum event_filter[].type: 1st count events | every count events | 9056 once after count events { limit | threshold | both } 9057 * int event_queue.log = 3: maximum events to log { 1:max32 } 9058 * int event_queue.max_queue = 8: maximum events to queue { 1:max32 9059 } 9060 * enum event_queue.order_events = content_length: criteria for 9061 ordering incoming events { priority|content_length } 9062 * bool event_queue.process_all_events = false: process just first 9063 action group or all action groups 9064 * string file_connector[].connector: connector name 9065 * enum file_connector[].direction: usage { receive | transmit | 9066 duplex } 9067 * enum file_connector[].format: file format { binary | text } 
9068 * string file_connector[].name: channel name 9069 * int file_id.b64_decode_depth = -1: base64 decoding depth (-1 no 9070 limit) { -1:65535 } 9071 * int file_id.bitenc_decode_depth = -1: Non-Encoded MIME attachment 9072 extraction depth (-1 no limit) { -1:65535 } 9073 * int file_id.block_timeout = 86400: stop blocking after this many 9074 seconds { 0:max31 } 9075 * bool file_id.block_timeout_lookup = false: block if lookup times 9076 out 9077 * int file_id.capture_block_size = 32768: file capture block size 9078 in bytes { 8:max53 } 9079 * int file_id.capture_max_size = 1048576: stop file capture beyond 9080 this point { 0:max53 } 9081 * int file_id.capture_memcap = 100: memcap for file capture in 9082 megabytes { 0:max53 } 9083 * int file_id.capture_min_size = 0: stop file capture if file size 9084 less than this { 0:max53 } 9085 * int file_id.decompress_buffer_size = 100000: file decompression 9086 buffer size { 1024:max31 } 9087 * bool file_id.decompress_pdf = false: decompress pdf files 9088 * bool file_id.decompress_swf = false: decompress swf files 9089 * bool file_id.decompress_zip = false: decompress zip files 9090 * bool file_id.enable_capture = false: enable file capture 9091 * bool file_id.enable_signature = false: enable signature 9092 calculation 9093 * bool file_id.enable_type = true: enable type ID 9094 * bool file_id.file_policy[].use.enable_file_capture = false: true/ 9095 false → enable/disable file capture 9096 * bool file_id.file_policy[].use.enable_file_signature = false: 9097 true/false → enable/disable file signature 9098 * bool file_id.file_policy[].use.enable_file_type = false: true/ 9099 false → enable/disable file type identification 9100 * enum file_id.file_policy[].use.verdict = unknown: what to do with 9101 matching traffic { unknown | log | stop | block | reset } 9102 * int file_id.file_policy[].when.file_type_id = 0: unique ID for 9103 file type in file magic rule { 0:max32 } 9104 * string file_id.file_policy[].when.sha256: SHA 
256 9105 * string file_id.file_rules[].category: file type category 9106 * string file_id.file_rules[].group: comma separated list of groups 9107 associated with file type 9108 * int file_id.file_rules[].id = 0: file type id { 0:max32 } 9109 * string file_id.file_rules[].magic[].content: file magic content 9110 * int file_id.file_rules[].magic[].offset = 0: file magic offset { 9111 0:max32 } 9112 * string file_id.file_rules[].msg: information about the file type 9113 * int file_id.file_rules[].rev = 0: rule revision { 0:max32 } 9114 * string file_id.file_rules[].type: file type name 9115 * string file_id.file_rules[].version: file type version 9116 * int file_id.lookup_timeout = 2: give up on lookup after this many 9117 seconds { 0:max31 } 9118 * int file_id.max_files_cached = 65536: maximal number of files 9119 cached in memory { 8:max53 } 9120 * int file_id.max_files_per_flow = 128: maximal number of files 9121 able to be concurrently processed per flow { 1:max53 } 9122 * int file_id.qp_decode_depth = -1: Quoted Printable decoding depth 9123 (-1 no limit) { -1:65535 } 9124 * int file_id.show_data_depth = 100: print this many octets { 9125 0:max53 } 9126 * int file_id.signature_depth = 10485760: stop signature at this 9127 point { 0:max53 } 9128 * bool file_id.trace_signature = false: enable runtime dump of 9129 signature info 9130 * bool file_id.trace_stream = false: enable runtime dump of file 9131 data 9132 * bool file_id.trace_type = false: enable runtime dump of type info 9133 * int file_id.type_depth = 1460: stop type ID at this point { 9134 0:max53 } 9135 * int file_id.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 9136 no limit) { -1:65535 } 9137 * int file_id.verdict_delay = 0: number of queries to return final 9138 verdict { 0:max53 } 9139 * bool file_log.log_pkt_time = true: log the packet time when event 9140 generated 9141 * bool file_log.log_sys_time = false: log the system time when 9142 event generated 9143 * string file_type.~: list of file 
type IDs to match 9144 * string flags.~mask_flags: these flags are don’t cares 9145 * string flags.~test_flags: these flags are tested 9146 * string flowbits.~bits: bit [|bit]* or bit [&bit]* 9147 * enum flowbits.~op: bit operation or noalert (no bits) { set | 9148 unset | isset | isnotset | noalert } 9149 * implied flow.established: match only during data transfer phase 9150 * implied flow.from_client: same as to_server 9151 * implied flow.from_server: same as to_client 9152 * implied flow.no_frag: match on raw packets only 9153 * implied flow.no_stream: match on raw packets only 9154 * implied flow.not_established: match only outside data transfer 9155 phase 9156 * implied flow.only_frag: match on defragmented packets only 9157 * implied flow.only_stream: match on reassembled packets only 9158 * implied flow.stateless: match regardless of stream state 9159 * implied flow.to_client: match on server responses 9160 * implied flow.to_server: match on client requests 9161 * string fragbits.~flags: these flags are tested 9162 * interval fragoffset.~range: check if ip fragment offset is in 9163 given range { 0:8192 } 9164 * bool ftp_client.bounce = false: check for bounces 9165 * addr ftp_client.bounce_to[].address = 1.0.0.0/32: allowed IP 9166 address in CIDR format 9167 * port ftp_client.bounce_to[].last_port: optional allowed range 9168 from port to last_port inclusive 9169 * port ftp_client.bounce_to[].port = 20: allowed port 9170 * bool ftp_client.ignore_telnet_erase_cmds = false: ignore erase 9171 character and erase line commands when normalizing 9172 * int ftp_client.max_resp_len = 4294967295: maximum FTP response 9173 accepted by client { 0:max32 } 9174 * bool ftp_client.telnet_cmds = false: detect Telnet escape 9175 sequences on FTP control channel 9176 * bool ftp_server.check_encrypted = false: check for end of 9177 encryption 9178 * string ftp_server.chk_str_fmt: check the formatting of the given 9179 commands 9180 * string ftp_server.cmd_validity[].command: 
command string 9181 * string ftp_server.cmd_validity[].format: format specification 9182 * int ftp_server.cmd_validity[].length = 0: specify non-default 9183 maximum for command { 0:max32 } 9184 * string ftp_server.data_chan_cmds: check the formatting of the 9185 given commands 9186 * string ftp_server.data_rest_cmds: check the formatting of the 9187 given commands 9188 * string ftp_server.data_xfer_cmds: check the formatting of the 9189 given commands 9190 * int ftp_server.def_max_param_len = 100: default maximum length of 9191 commands handled by server; 0 is unlimited { 1:max32 } 9192 * string ftp_server.directory_cmds[].dir_cmd: directory command 9193 * int ftp_server.directory_cmds[].rsp_code = 200: expected 9194 successful response code for command { 200:max32 } 9195 * string ftp_server.encr_cmds: check the formatting of the given 9196 commands 9197 * bool ftp_server.encrypted_traffic = false: check for encrypted 9198 Telnet and FTP 9199 * string ftp_server.file_get_cmds: check the formatting of the 9200 given commands 9201 * string ftp_server.file_put_cmds: check the formatting of the 9202 given commands 9203 * string ftp_server.ftp_cmds: specify additional commands supported 9204 by server beyond RFC 959 9205 * bool ftp_server.ignore_data_chan = false: do not inspect FTP data 9206 channels 9207 * bool ftp_server.ignore_telnet_erase_cmds = false: ignore erase 9208 character and erase line commands when normalizing 9209 * string ftp_server.login_cmds: check the formatting of the given 9210 commands 9211 * bool ftp_server.print_cmds = false: print command configurations 9212 on start up 9213 * bool ftp_server.telnet_cmds = false: detect Telnet escape 9214 sequences of FTP control channel 9215 * int gid.~: generator id { 1:max32 } 9216 * string gtp_info.~: info element to match 9217 * int gtp_inspect[].infos[].length = 0: information element type 9218 code { 0:255 } 9219 * string gtp_inspect[].infos[].name: information element name 9220 * int 
gtp_inspect[].infos[].type = 0: information element type code 9221 { 0:255 } 9222 * string gtp_inspect[].messages[].name: message name 9223 * int gtp_inspect[].messages[].type = 0: message type code { 0:255 9224 } 9225 * int gtp_inspect[].version = 2: GTP version { 0:2 } 9226 * string gtp_type.~: list of types to match 9227 * int gtp_version.~: version to match { 0:2 } 9228 * bool high_availability.daq_channel = false: enable use of daq 9229 data plane channel 9230 * bool high_availability.enable = false: enable high availability 9231 * int high_availability.min_age = 0: minimum session life in 9232 milliseconds before HA updates { 0:max32 } 9233 * int high_availability.min_sync = 0: minimum interval in 9234 milliseconds between HA updates { 0:max32 } 9235 * bit_list high_availability.ports: side channel message port list 9236 { 65535 } 9237 * string host_cache.dump_file: file name to dump host cache on 9238 shutdown; won’t dump by default 9239 * int host_cache.memcap = 8388608: maximum host cache size in bytes 9240 { 512:maxSZ } 9241 * enum hosts[].frag_policy: defragmentation policy { first | linux 9242 | bsd | bsd_right | last | windows | solaris } 9243 * addr hosts[].ip = 0.0.0.0/32: hosts address / CIDR 9244 * string hosts[].services[].name: service identifier 9245 * port hosts[].services[].port: port number 9246 * enum hosts[].services[].proto = tcp: IP protocol { tcp | udp } 9247 * enum hosts[].tcp_policy: TCP reassembly policy { first | last | 9248 linux | old_linux | bsd | macos | solaris | irix | hpux11 | 9249 hpux10 | windows | win_2003 | vista | proxy } 9250 * addr host_tracker[].ip: hosts address / cidr 9251 * port host_tracker[].services[].port: port number 9252 * enum host_tracker[].services[].proto: IP protocol { ip | tcp | 9253 udp } 9254 * int http2_inspect.concurrent_streams_limit = 100: Maximum number 9255 of concurrent streams allowed in a single HTTP/2 flow { 100:1000 9256 } 9257 * implied http_cookie.request: match against the cookie from the 
9258 request message even when examining the response 9259 * implied http_cookie.with_body: parts of this rule examine HTTP 9260 message body 9261 * implied http_cookie.with_header: this rule is limited to 9262 examining HTTP message headers 9263 * implied http_cookie.with_trailer: parts of this rule examine HTTP 9264 message trailers 9265 * string http_header.field: restrict to given header. Header name 9266 is case insensitive. 9267 * implied http_header.request: match against the headers from the 9268 request message even when examining the response 9269 * implied http_header.with_body: parts of this rule examine HTTP 9270 message body 9271 * implied http_header.with_header: this rule is limited to 9272 examining HTTP message headers 9273 * implied http_header.with_trailer: parts of this rule examine HTTP 9274 message trailers 9275 * bool http_inspect.backslash_to_slash = true: replace \ with / 9276 when normalizing URIs 9277 * bit_list http_inspect.bad_characters: alert when any of specified 9278 bytes are present in URI after percent decoding { 255 } 9279 * bool http_inspect.decompress_pdf = false: decompress pdf files in 9280 response bodies 9281 * bool http_inspect.decompress_swf = false: decompress swf files in 9282 response bodies 9283 * bool http_inspect.decompress_vba = false: decompress MS Office 9284 Visual Basic for Applications macro files in response bodies 9285 * bool http_inspect.decompress_zip = false: decompress zip files in 9286 response bodies 9287 * string http_inspect.ignore_unreserved: do not alert when the 9288 specified unreserved characters are percent-encoded in a 9289 URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, 9290 tilde, and minus. 
{ (optional) } 9291 * bool http_inspect.iis_double_decode = true: perform double 9292 decoding of percent encodings to normalize characters 9293 * int http_inspect.iis_unicode_code_page = 1252: code page to use 9294 from the IIS unicode map file { 0:65535 } 9295 * bool http_inspect.iis_unicode = false: use IIS unicode code point 9296 mapping to normalize characters 9297 * string http_inspect.iis_unicode_map_file: file containing code 9298 points for IIS unicode. { (optional) } 9299 * int http_inspect.js_norm_bytes_depth = -1: number of input 9300 JavaScript bytes to normalize (-1 unlimited) { -1:max53 } 9301 * int http_inspect.js_norm_identifier_depth = 65536: max number of 9302 unique JavaScript identifiers to normalize { 0:65536 } 9303 * string http_inspect.js_norm_ident_ignore[].ident_name: name of 9304 the identifier to ignore 9305 * int http_inspect.js_norm_max_bracket_depth = 256: maximum depth 9306 of bracket nesting that enhanced JavaScript normalizer will 9307 process { 1:65535 } 9308 * int http_inspect.js_norm_max_scope_depth = 256: maximum depth of 9309 scope nesting that enhanced JavaScript normalizer will process { 9310 1:65535 } 9311 * int http_inspect.js_norm_max_tmpl_nest = 32: maximum depth of 9312 template literal nesting that enhanced javascript normalizer will 9313 process { 0:255 } 9314 * int http_inspect.maximum_chunk_length = 4294967295: maximum 9315 allowed length for a message body chunk { 0:4294967295 } 9316 * int http_inspect.maximum_host_length = -1: maximum allowed length 9317 for Host header value (-1 no limit) { -1:max53 } 9318 * int http_inspect.max_javascript_whitespaces = 200: maximum 9319 consecutive whitespaces allowed within the JavaScript obfuscated 9320 data { 1:65535 } 9321 * bool http_inspect.normalize_javascript = false: use legacy 9322 normalizer to normalize JavaScript in response bodies 9323 * bool http_inspect.normalize_utf = true: normalize charset utf 9324 encodings in response bodies 9325 * int 
http_inspect.oversize_dir_length = 300: maximum length for 9326 URL directory { 1:65535 } 9327 * bool http_inspect.percent_u = false: normalize %uNNNN and %UNNNN 9328 encodings 9329 * bool http_inspect.plus_to_space = true: replace + with <sp> when 9330 normalizing URIs 9331 * bool http_inspect.request_body_app_detection = true: make HTTP/2 9332 request message bodies available for application detection 9333 (detection requires AppId) 9334 * int http_inspect.request_depth = -1: maximum request message body 9335 bytes to examine (-1 no limit) { -1:max53 } 9336 * int http_inspect.response_depth = -1: maximum response message 9337 body bytes to examine (-1 no limit) { -1:max53 } 9338 * bool http_inspect.script_detection = false: inspect JavaScript 9339 immediately upon script end 9340 * bool http_inspect.simplify_path = true: reduce URI directory path 9341 to simplest form 9342 * bool http_inspect.unzip = true: decompress gzip and deflate 9343 message bodies 9344 * bool http_inspect.utf8_bare_byte = false: when doing UTF-8 9345 character normalization include bytes that were not percent 9346 encoded 9347 * bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8 9348 characters to a single byte 9349 * string http_inspect.xff_headers = x-forwarded-for true-client-ip: 9350 specifies the xff type headers to parse and consider in the same 9351 order of preference as defined 9352 * implied http_method.with_body: parts of this rule examine HTTP 9353 message body 9354 * implied http_method.with_header: this rule is limited to 9355 examining HTTP message headers 9356 * implied http_method.with_trailer: parts of this rule examine HTTP 9357 message trailers 9358 * implied http_param.nocase: case insensitive match 9359 * string http_param.~param: parameter to match 9360 * implied http_raw_cookie.request: match against the cookie from 9361 the request message even when examining the response 9362 * implied http_raw_cookie.with_body: parts of this rule examine 9363 HTTP 
message body 9364 * implied http_raw_cookie.with_header: this rule is limited to 9365 examining HTTP message headers 9366 * implied http_raw_cookie.with_trailer: parts of this rule examine 9367 HTTP message trailers 9368 * string http_raw_header.field: restrict to given header. Header 9369 name is case insensitive. 9370 * implied http_raw_header.request: match against the headers from 9371 the request message even when examining the response 9372 * implied http_raw_header.with_body: parts of this rule examine 9373 HTTP message body 9374 * implied http_raw_header.with_header: this rule is limited to 9375 examining HTTP message headers 9376 * implied http_raw_header.with_trailer: parts of this rule examine 9377 HTTP message trailers 9378 * implied http_raw_request.with_body: parts of this rule examine 9379 HTTP message body 9380 * implied http_raw_request.with_header: this rule is limited to 9381 examining HTTP message headers 9382 * implied http_raw_request.with_trailer: parts of this rule examine 9383 HTTP message trailers 9384 * implied http_raw_status.with_body: parts of this rule examine 9385 HTTP message body 9386 * implied http_raw_status.with_trailer: parts of this rule examine 9387 HTTP message trailers 9388 * string http_raw_trailer.field: restrict to given trailer. Trailer 9389 name is case insensitive. 
9390 * implied http_raw_trailer.request: match against the trailers from 9391 the request message even when examining the response 9392 * implied http_raw_trailer.with_body: parts of this rule examine 9393 HTTP response message body (must be combined with request) 9394 * implied http_raw_trailer.with_header: parts of this rule examine 9395 HTTP response message headers (must be combined with request) 9396 * implied http_raw_uri.fragment: match against fragment section of 9397 URI only 9398 * implied http_raw_uri.host: match against host section of URI only 9399 * implied http_raw_uri.path: match against path section of URI only 9400 * implied http_raw_uri.port: match against port section of URI only 9401 * implied http_raw_uri.query: match against query section of URI 9402 only 9403 * implied http_raw_uri.scheme: match against scheme section of URI 9404 only 9405 * implied http_raw_uri.with_body: parts of this rule examine HTTP 9406 message body 9407 * implied http_raw_uri.with_header: this rule is limited to 9408 examining HTTP message headers 9409 * implied http_raw_uri.with_trailer: parts of this rule examine 9410 HTTP message trailers 9411 * implied http_stat_code.with_body: parts of this rule examine HTTP 9412 message body 9413 * implied http_stat_code.with_trailer: parts of this rule examine 9414 HTTP message trailers 9415 * implied http_stat_msg.with_body: parts of this rule examine HTTP 9416 message body 9417 * implied http_stat_msg.with_trailer: parts of this rule examine 9418 HTTP message trailers 9419 * string http_trailer.field: restrict to given trailer 9420 * implied http_trailer.request: match against the trailers from the 9421 request message even when examining the response 9422 * implied http_trailer.with_body: parts of this rule examine HTTP 9423 message body (must be combined with request) 9424 * implied http_trailer.with_header: parts of this rule examine HTTP 9425 response message headers (must be combined with request) 9426 * implied 
http_true_ip.with_body: parts of this rule examine HTTP message body
* implied http_true_ip.with_header: this rule is limited to examining HTTP message headers
* implied http_true_ip.with_trailer: parts of this rule examine HTTP message trailers
* implied http_uri.fragment: match against fragment section of URI only
* implied http_uri.host: match against host section of URI only
* implied http_uri.path: match against path section of URI only
* implied http_uri.port: match against port section of URI only
* implied http_uri.query: match against query section of URI only
* implied http_uri.scheme: match against scheme section of URI only
* implied http_uri.with_body: parts of this rule examine HTTP message body
* implied http_uri.with_header: this rule is limited to examining HTTP message headers
* implied http_uri.with_trailer: parts of this rule examine HTTP message trailers
* implied http_version.request: match against the version from the request message even when examining the response
* implied http_version.with_body: parts of this rule examine HTTP message body
* implied http_version.with_header: this rule is limited to examining HTTP message headers
* implied http_version.with_trailer: parts of this rule examine HTTP message trailers
* interval icmp_id.~range: check if ICMP ID is in given range { 0:65535 }
* interval icmp_seq.~range: check if ICMP sequence number is in given range { 0:65535 }
* interval icode.~range: check if ICMP code is in given range { 0:255 }
* interval id.~range: check if the IP ID is in the given range { 0: }
* string iec104_apci_type.~: APCI type to match
* string iec104_asdu_func.~: function code to match
* int imap.b64_decode_depth = -1: base64 decoding depth (-1 no limit) { -1:65535 }
* int imap.bitenc_decode_depth = -1: non-encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }
* bool imap.decompress_pdf = false: decompress pdf files in MIME attachments
* bool imap.decompress_swf = false: decompress swf files in MIME attachments
* bool imap.decompress_vba = false: decompress MS Office Visual Basic for Applications macro files in MIME attachments
* bool imap.decompress_zip = false: decompress zip files in MIME attachments
* int imap.qp_decode_depth = -1: quoted-printable decoding depth (-1 no limit) { -1:65535 }
* int imap.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
* int inspection.id = 0: correlate policy and events with other items in configuration { 0:65535 }
* int inspection.max_aux_ip = 16: maximum number of auxiliary IPs per flow to detect and save (-1 = disable, 0 = detect but don’t save, 1+ = save in FIFO manner) { -1:127 }
* enum inspection.mode = inline-test: set policy mode { inline | inline-test }
* string inspection.uuid: correlate events by uuid
* select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|lsrre|ssrr|satid|any }
* string ip_proto.~proto: [!|>|<] name or number
* string ips.action_map[].replace: action you want to change
* string ips.action_map[].with: action you want to use instead
* string ips.action_override: use this action for all rules (applied before action_map)
* enum ips.default_rule_state = inherit: enable or disable ips rules { no | yes | inherit }
* bool ips.enable_builtin_rules = false: enable events from builtin rules w/o stubs
* int ips.id = 0: correlate unified2 events with configuration { 0:65535 }
* string ips.includer: for internal use; where includes are included from { (optional) }
* string ips.include: snort rules and includes
* enum ips.mode: set policy mode { tap | inline | inline-test }
* bool ips.obfuscate_pii = false: mask all but the last 4 characters of credit card and social security numbers
* string ips.rules: snort rules and includes (may contain states too)
* string ips.states: snort rule states and includes (may contain rules too)
* string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS policy uuid
* string ips.variables.nets.$var: IPS policy variable
* string ips.variables.paths.$var: IPS policy variable
* string ips.variables.ports.$var: IPS policy variable
* string isdataat.~length: num | !num
* implied isdataat.relative: offset from cursor instead of start of buffer
* interval itype.~range: check if ICMP type is in given range { 0:255 }
* bool latency.packet.fastpath = false: fastpath expensive packets (max_time exceeded)
* int latency.packet.max_time = 500: set timeout for packet latency thresholding (usec) { 0:max53 }
* int latency.rule.max_suspend_time = 30000: set max time for suspending a rule (ms, 0 means permanently disable rule) { 0:max32 }
* int latency.rule.max_time = 500: set timeout for rule evaluation (usec) { 0:max53 }
* bool latency.rule.suspend = false: temporarily suspend expensive rules
* int latency.rule.suspend_threshold = 5: set threshold for number of timeouts before suspending a rule { 1:max32 }
* bool log_codecs.file = false: output to log_codecs.txt instead of stdout
* bool log_codecs.msg = false: include alert msg
* bool log_hext.file = false: output to log_hext.txt instead of stdout
* int log_hext.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
* bool log_hext.raw = false: output all full packets if true, else just TCP payload
* int log_hext.width = 20: set line width (0 is unlimited) { 0:max32 }
* int log_pcap.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
* string md5.~hash: data to match
* int md5.length: number of octets in plain text { 1:65535 }
* string md5.offset: var or number of bytes from start of buffer to start search
* implied md5.relative = false: offset from cursor instead of start of buffer
* int memory.cap = 0: set the per-packet-thread cap on memory (bytes, 0 to disable) { 0:maxSZ }
* int memory.threshold = 100: scale cap to account for heap overhead { 1:100 }
* string metadata.*: comma-separated list of arbitrary name value pairs
* string modbus_func.~: function code to match
* int modbus_unit.~: Modbus unit ID { 0:255 }
* int mpls.max_stack_depth = -1: set maximum MPLS stack depth { -1:255 }
* enum mpls.payload_type = auto: force encapsulated payload type { auto | eth | ip4 | ip6 }
* string msg.~: message describing rule
* interval mss.~range: check if TCP MSS is in given range { 0:65535 }
* string netflow.dump_file: file name to dump netflow cache on shutdown; won’t dump by default
* bool netflow.rules[].create_host = false: generate a new host event
* bool netflow.rules[].create_service = false: generate a new or changed service event
* addr netflow.rules[].device_ip: restrict the NetFlow devices from which Snort will analyze packets
* bool netflow.rules[].exclude = false: exclude the NetFlow records that match this rule
* string netflow.rules[].networks: generate events for NetFlow records that contain an initiator or responder IP from these networks
* string netflow.rules[].zones: generate events only for NetFlow packets that originate from these zones
* int netflow.update_timeout = 3600: the interval at which the system updates host cache information { 0:max32 }
* multi network.checksum_drop = none: drop if checksum is bad { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
* multi network.checksum_eval = all: checksums to verify { all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none }
* int network.id = 0: correlate unified2 events with configuration { 0:65535 }
* int network.layers = 40: the maximum number of protocols that Snort can correctly decode { 3:255 }
* int network.max_ip6_extensions = 0: the maximum number of IP6 options Snort will process for a given IPv6 layer before raising 116:456 (0 = unlimited) { 0:255 }
* int network.max_ip_layers = 0: the maximum number of IP layers Snort will process for a given packet before raising 116:293 (0 = unlimited) { 0:255 }
* int network.min_ttl = 1: alert / normalize packets with lower TTL / hop limit (you must enable rules and / or normalization also) { 1:255 }
* int network.new_ttl = 1: use this value for responses and when normalizing { 1:255 }
* bool normalizer.icmp4 = false: clear reserved flag
* bool normalizer.icmp6 = false: clear reserved flag
* bool normalizer.ip4.base = false: clear options
* bool normalizer.ip4.df = false: clear don’t frag flag
* bool normalizer.ip4.rf = false: clear reserved flag
* bool normalizer.ip4.tos = false: clear tos / differentiated services byte
* bool normalizer.ip4.trim = false: truncate excess payload beyond datagram length
* bool normalizer.ip6 = false: clear reserved flag
* string normalizer.tcp.allow_codes: don’t clear given option codes
* multi normalizer.tcp.allow_names: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 }
* bool normalizer.tcp.base = false: clear reserved bits and option padding and fix urgent pointer / flags issues
* bool normalizer.tcp.block = false: allow packet drops during TCP normalization
* select normalizer.tcp.ecn = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream }
* bool normalizer.tcp.ips = true: ensure consistency in retransmitted data
* bool normalizer.tcp.opts = false: clear all options except mss, wscale, timestamp, and any explicitly allowed
* bool normalizer.tcp.pad = false: clear any option padding bytes
* bool normalizer.tcp.req_pay = false: clear the urgent pointer and the urgent flag if there is no payload
* bool normalizer.tcp.req_urg = false: clear the urgent pointer if the urgent flag is not set
* bool normalizer.tcp.req_urp = false: clear the urgent flag if the urgent pointer is not set
* bool normalizer.tcp.rsv = false: clear the reserved bits in the TCP header
* bool normalizer.tcp.trim_mss = false: trim data to MSS
* bool normalizer.tcp.trim_rst = false: remove any data from RST packet
* bool normalizer.tcp.trim_syn = false: remove data on SYN
* bool normalizer.tcp.trim_win = false: trim data to window
* bool normalizer.tcp.urp = false: adjust urgent pointer if beyond segment length
* interval num_headers.~range: check that number of headers of current buffer are in given range { 0:200 }
* implied num_headers.request: match against the version from the request message even when examining the response
* implied num_headers.with_body: parts of this rule examine HTTP message body
* implied num_headers.with_header: this rule is limited to examining HTTP message headers
* implied num_headers.with_trailer: parts of this rule examine HTTP message trailers
* interval num_trailers.~range: check that number of headers of current buffer are in given range { 0:200 }
* implied num_trailers.request: match against the version from the request message even when examining the response
* implied num_trailers.with_body: parts of this rule examine HTTP message body
* implied num_trailers.with_header: this rule is limited to examining HTTP message headers
* implied num_trailers.with_trailer: parts of this rule examine HTTP message trailers
* bool output.dump_chars_only = false: turns on character dumps (same as -C)
* bool output.dump_payload = false: dumps application layer (same as -d)
* bool output.dump_payload_verbose = false: dumps raw packet starting at link layer (same as -X)
* int output.event_trace.max_data = 0: maximum amount of packet data to capture { 0:65535 }
* string output.logdir = .: where to put log files (same as -l)
* bool output.obfuscate = false: obfuscate the logged IP addresses (same as -O)
* bool output.quiet = false: suppress normal logging on stdout (same as -q)
* bool output.show_year = false: include year in timestamp in the alert and log files (same as -y)
* int output.tagged_packet_limit = 256: maximum number of packets tagged for non-packet metrics { 0:max32 }
* bool output.verbose = false: be verbose (same as -v)
* bool output.wide_hex_dump = false: output 20 bytes per line instead of 16 when dumping buffers
* bool packet_capture.enable = false: initially enable packet dumping
* string packet_capture.filter: bpf filter to use for packet dump
* int packet_capture.group = -1: group filter to use for the packet dump { -1:32767 }
* bool packets.address_space_agnostic = false: determines whether DAQ address space info is used to track fragments and connections
* string packets.bpf_file: file with BPF to select traffic for Snort
* int packets.limit = 0: maximum number of packets to process before stopping (0 is unlimited) { 0:max53 }
* bool packets.mpls_agnostic = true: determines whether MPLS labels are used to track fragments and connections
* int packets.skip = 0: number of packets to skip before processing { 0:max53 }
* bool packets.vlan_agnostic = false: determines whether VLAN tags are used to track fragments and connections
* bool packet_tracer.enable = false: enable summary output of state that determined packet verdict
* enum packet_tracer.output = console: select where to send packet trace { console | file }
* string pcre.~re: Snort regular expression
* bool perf_monitor.base = true: enable base statistics
* bool perf_monitor.cpu = false: enable cpu statistics
* bool perf_monitor.flow = false: enable traffic statistics
* bool perf_monitor.flow_ip = false: enable statistics on host pairs
* int perf_monitor.flow_ip_memcap = 52428800: maximum memory in bytes for flow tracking { 236:maxSZ }
* int perf_monitor.flow_ports = 1023: maximum ports to track { 0:65535 }
* enum perf_monitor.format = csv: output format for stats { csv | text | json | flatbuffers }
* int perf_monitor.max_file_size = 1073741824: files will be rolled over if they exceed this size { 4096:max53 }
* string perf_monitor.modules[].name: name of the module
* string perf_monitor.modules[].pegs: list of statistics to track or empty for all counters
* enum perf_monitor.output = file: output location for stats { file | console }
* int perf_monitor.packets = 10000: minimum packets to report { 0:max32 }
* int perf_monitor.seconds = 60: report interval { 0:max32 }
* bool perf_monitor.summary = false: output summary at shutdown
* interval pkt_num.~range: check if packet number is in given range { 1: }
* int pop.b64_decode_depth = -1: base64 decoding depth (-1 no limit) { -1:65535 }
* int pop.bitenc_decode_depth = -1: non-encoded MIME attachment extraction depth (-1 no limit) { -1:65535 }
* bool pop.decompress_pdf = false: decompress pdf files in MIME attachments
* bool pop.decompress_swf = false: decompress swf files in MIME attachments
* bool pop.decompress_vba = false: decompress MS Office Visual Basic for Applications macro files in MIME attachments
* bool pop.decompress_zip = false: decompress zip files in MIME attachments
* int pop.qp_decode_depth = -1: quoted-printable decoding depth (-1 no limit) { -1:65535 }
* int pop.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
* bool port_scan.alert_all = false: alert on all events over threshold within window if true; else alert on first only
* int port_scan.icmp_sweep.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.icmp_sweep.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.icmp_sweep.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.icmp_sweep.scans = 100: scan attempts { 0:65535 }
* int port_scan.icmp_window = 0: detection interval for all ICMP scans { 0:max32 }
* string port_scan.ignore_scanned: list of CIDRs with optional ports to ignore if the destination of scan alerts
* string port_scan.ignore_scanners: list of CIDRs with optional ports to ignore if the source of scan alerts
* bool port_scan.include_midstream = false: list of CIDRs with optional ports
* int port_scan.ip_decoy.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.ip_decoy.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.ip_decoy.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.ip_decoy.scans = 100: scan attempts { 0:65535 }
* int port_scan.ip_dist.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.ip_dist.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.ip_dist.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.ip_dist.scans = 100: scan attempts { 0:65535 }
* int port_scan.ip_proto.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.ip_proto.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.ip_proto.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.ip_proto.scans = 100: scan attempts { 0:65535 }
* int port_scan.ip_sweep.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.ip_sweep.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.ip_sweep.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.ip_sweep.scans = 100: scan attempts { 0:65535 }
* int port_scan.ip_window = 0: detection interval for all IP scans { 0:max32 }
* int port_scan.memcap = 10485760: maximum tracker memory in bytes { 1024:maxSZ }
* multi port_scan.protos = all: choose the protocols to monitor { tcp | udp | icmp | ip | all }
* multi port_scan.scan_types = all: choose type of scans to look for { portscan | portsweep | decoy_portscan | distributed_portscan | all }
* int port_scan.tcp_decoy.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.tcp_decoy.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.tcp_decoy.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.tcp_decoy.scans = 100: scan attempts { 0:65535 }
* int port_scan.tcp_dist.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.tcp_dist.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.tcp_dist.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.tcp_dist.scans = 100: scan attempts { 0:65535 }
* int port_scan.tcp_ports.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.tcp_ports.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.tcp_ports.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.tcp_ports.scans = 100: scan attempts { 0:65535 }
* int port_scan.tcp_sweep.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.tcp_sweep.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.tcp_sweep.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.tcp_sweep.scans = 100: scan attempts { 0:65535 }
* int port_scan.tcp_window = 0: detection interval for all TCP scans { 0:max32 }
* int port_scan.udp_decoy.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.udp_decoy.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.udp_decoy.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.udp_decoy.scans = 100: scan attempts { 0:65535 }
* int port_scan.udp_dist.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.udp_dist.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.udp_dist.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.udp_dist.scans = 100: scan attempts { 0:65535 }
* int port_scan.udp_ports.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.udp_ports.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.udp_ports.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.udp_ports.scans = 100: scan attempts { 0:65535 }
* int port_scan.udp_sweep.nets = 25: number of times address changed from prior attempt { 0:65535 }
* int port_scan.udp_sweep.ports = 25: number of times port (or proto) changed from prior attempt { 0:65535 }
* int port_scan.udp_sweep.rejects = 15: scan attempts with negative response { 0:65535 }
* int port_scan.udp_sweep.scans = 100: scan attempts { 0:65535 }
* int port_scan.udp_window = 0: detection interval for all UDP scans { 0:max32 }
* string port_scan.watch_ip: list of CIDRs with optional ports to watch
* int priority.~: relative severity level; 1 is highest priority { 1:max31 }
* string process.chroot: set chroot directory (same as -t)
* bool process.daemon = false: fork as a daemon (same as -D)
* bool process.dirty_pig = false: shutdown without internal cleanup
* string process.set_gid: set group ID (same as -g)
* string process.set_uid: set user ID (same as -u)
* string process.threads[].cpuset: pin the associated thread to this cpuset
* string process.threads[].name: define which threads will have specified affinity, by thread name
* int process.threads[].thread: set cpu affinity for the <cur_thread_num> thread that runs { 0:65535 }
* enum process.threads[].type: define which threads will have specified affinity, by their type { other|packet|main }
* int process.umask: set process umask (same as -m) { 0x000:0x1FF }
* bool process.utc = false: use UTC instead of local time for timestamps
* int profiler.memory.count = 0: limit results to count items per level (0 = no limit) { 0:max32 }
* int profiler.memory.max_depth = -1: limit depth to max_depth (-1 = no limit) { -1:255 }
* bool profiler.memory.show = true: show module memory profile stats
* enum profiler.memory.sort = total_used: sort by given field { none | allocations | total_used | avg_allocation }
* int profiler.modules.count = 0: limit results to count items per level (0 = no limit) { 0:max32 }
* int profiler.modules.max_depth = -1: limit depth to max_depth (-1 = no limit) { -1:255 }
* bool profiler.modules.show = true: show module time profile stats
* enum profiler.modules.sort = total_time: sort by given field { none | checks | avg_check | total_time }
* int profiler.rules.count = 0: print results to given level (0 = all) { 0:max32 }
* bool profiler.rules.show = true: show rule time profile stats
* enum profiler.rules.sort = total_time: sort by given field { none | checks | avg_check | total_time | matches | no_matches | avg_match | avg_no_match }
* string rate_filter[].apply_to: restrict filter to these addresses according to track
* int rate_filter[].count = 1: number of events in interval before tripping { 0:max32 }
* int rate_filter[].gid = 1: rule generator ID { 0:max32 }
* dynamic rate_filter[].new_action = alert: take this action on future hits until timeout { alert | block | drop | log | pass | react | reject | rewrite }
* int rate_filter[].seconds = 1: count interval { 0:max32 }
* int rate_filter[].sid = 1: rule signature ID { 0:max32 }
* int rate_filter[].timeout = 1: count interval { 0:max32 }
* enum rate_filter[].track = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
* string react.page: file containing HTTP response body
* string reference.~ref: reference: <scheme>,<id>
* string references[].name: name used with reference rule option
* string references[].url: where this reference is defined
* implied regex.dotall: matching a . will not exclude newlines
* implied regex.fast_pattern: use this content in the fast pattern matcher instead of the content selected by default
* implied regex.multiline: ^ and $ anchors match any newlines in data
* implied regex.nocase: case insensitive match
* string regex.~re: hyperscan regular expression
* implied regex.relative: start search from end of last match instead of start of buffer
* enum reject.control = none: send ICMP unreachable(s) { none|network|host|port|forward|all }
* enum reject.reset = both: send TCP reset to one or both ends { none|source|dest|both }
* string rem.~: comment
* string replace.~: byte code to replace with
* enum reputation.allow = do_not_block: specify the meaning of allowlist { do_not_block|trust }
* string reputation.allowlist: allowlist file name with IP lists
* string reputation.blocklist: blocklist file name with IP lists
* string reputation.list_dir: directory for IP lists and manifest file
* int reputation.memcap = 500: maximum total MB of memory allocated { 1:4095 }
* enum reputation.nested_ip = inner: IP to use when there is IP encapsulation { inner|outer|all }
* enum reputation.priority = allowlist: defines priority when there is a decision conflict during run-time { blocklist|allowlist }
* bool reputation.scan_local = false: inspect local address defined in RFC 1918
* int rev.~: revision { 1:max32 }
* string rna.dump_file: file name to dump RNA mac cache on shutdown; won’t dump by default
* bool rna.enable_logger = true: enable or disable writing discovery events into logger
* bool rna.log_when_idle = false: enable host update logging when snort is idle
* string rna.rna_conf_path: path to rna configuration
* string rna.smb_fingerprints[].device: device information
* bool rna.smb_fingerprints[].df = false: fingerprint don’t fragment flag
* string rna.smb_fingerprints[].dhcp55: dhcp option 55 values
* string rna.smb_fingerprints[].dhcp60: dhcp option 60 values
* int rna.smb_fingerprints[].flags: smb flags { 0:max32 }
* int rna.smb_fingerprints[].fpid = 0: fingerprint id { 0:max32 }
* string rna.smb_fingerprints[].host_name: host name information
* string rna.smb_fingerprints[].id = X: id
* int rna.smb_fingerprints[].major: smb major version { 0:max31 }
* int rna.smb_fingerprints[].minor: smb minor version { 0:max31 }
* string rna.smb_fingerprints[].mss = X: fingerprint mss
* string rna.smb_fingerprints[].tcp_window: fingerprint tcp window
* string rna.smb_fingerprints[].topts: fingerprint tcp options
* int rna.smb_fingerprints[].ttl = 0: fingerprint ttl { 0:256 }
* int rna.smb_fingerprints[].type = 0: fingerprint type { 0:max32 }
* enum rna.smb_fingerprints[].ua_type = os: type of user agent fingerprints { os | device | jail-broken | jail-broken-host }
* string rna.smb_fingerprints[].user_agent[].substring: a substring of user agent string
* string rna.smb_fingerprints[].uuid: fingerprint uuid
* string rna.smb_fingerprints[].ws = X: fingerprint window size
* string rna.tcp_fingerprints[].device: device information
* bool rna.tcp_fingerprints[].df = false: fingerprint don’t fragment flag
* string rna.tcp_fingerprints[].dhcp55: dhcp option 55 values
* string rna.tcp_fingerprints[].dhcp60: dhcp option 60 values
* int rna.tcp_fingerprints[].flags: smb flags { 0:max32 }
* int rna.tcp_fingerprints[].fpid = 0: fingerprint id { 0:max32 }
* string rna.tcp_fingerprints[].host_name: host name information
* string rna.tcp_fingerprints[].id = X: id
* int rna.tcp_fingerprints[].major: smb major version { 0:max31 }
* int rna.tcp_fingerprints[].minor: smb minor version { 0:max31 }
* string rna.tcp_fingerprints[].mss = X: fingerprint mss
* string rna.tcp_fingerprints[].tcp_window: fingerprint tcp window
* string rna.tcp_fingerprints[].topts: fingerprint tcp options
* int rna.tcp_fingerprints[].ttl = 0: fingerprint ttl { 0:256 }
* int rna.tcp_fingerprints[].type = 0: fingerprint type { 0:max32 }
* enum rna.tcp_fingerprints[].ua_type = os: type of user agent fingerprints { os | device | jail-broken | jail-broken-host }
* string rna.tcp_fingerprints[].user_agent[].substring: a substring of user agent string
* string rna.tcp_fingerprints[].uuid: fingerprint uuid
* string rna.tcp_fingerprints[].ws = X: fingerprint window size
* string rna.ua_fingerprints[].device: device information
* bool rna.ua_fingerprints[].df = false: fingerprint don’t fragment flag
* string rna.ua_fingerprints[].dhcp55: dhcp option 55 values
* string rna.ua_fingerprints[].dhcp60: dhcp option 60 values
* int rna.ua_fingerprints[].flags: smb flags { 0:max32 }
* int rna.ua_fingerprints[].fpid = 0: fingerprint id { 0:max32 }
* string rna.ua_fingerprints[].host_name: host name information
* string rna.ua_fingerprints[].id = X: id
* int rna.ua_fingerprints[].major: smb major version { 0:max31 }
* int rna.ua_fingerprints[].minor: smb minor version { 0:max31 }
* string rna.ua_fingerprints[].mss = X: fingerprint mss
* string rna.ua_fingerprints[].tcp_window: fingerprint tcp window
* string rna.ua_fingerprints[].topts: fingerprint tcp options
* int rna.ua_fingerprints[].ttl = 0: fingerprint ttl { 0:256 }
* int rna.ua_fingerprints[].type = 0: fingerprint type { 0:max32 }
* enum rna.ua_fingerprints[].ua_type = os: type of user agent fingerprints { os | device | jail-broken | jail-broken-host }
* string rna.ua_fingerprints[].user_agent[].substring: a substring of user agent string
* string rna.ua_fingerprints[].uuid: fingerprint uuid
* string rna.ua_fingerprints[].ws = X: fingerprint window size
* string rna.udp_fingerprints[].device: device information
* bool rna.udp_fingerprints[].df = false: fingerprint don’t fragment flag
* string rna.udp_fingerprints[].dhcp55: dhcp option 55 values
* string rna.udp_fingerprints[].dhcp60: dhcp option 60 values
* int rna.udp_fingerprints[].flags: smb flags { 0:max32 }
* int rna.udp_fingerprints[].fpid = 0: fingerprint id { 0:max32 }
* string rna.udp_fingerprints[].host_name: host name information
* string rna.udp_fingerprints[].id = X: id
* int rna.udp_fingerprints[].major: smb major version { 0:max31 }
* int rna.udp_fingerprints[].minor: smb minor version { 0:max31 }
* string rna.udp_fingerprints[].mss = X: fingerprint mss
* string rna.udp_fingerprints[].tcp_window: fingerprint tcp window
* string rna.udp_fingerprints[].topts: fingerprint tcp options
* int rna.udp_fingerprints[].ttl = 0: fingerprint ttl { 0:256 }
* int rna.udp_fingerprints[].type = 0: fingerprint type { 0:max32 }
* enum rna.udp_fingerprints[].ua_type = os: type of user agent fingerprints { os | device | jail-broken | jail-broken-host }
* string rna.udp_fingerprints[].user_agent[].substring: a substring of user agent string
* string rna.udp_fingerprints[].uuid: fingerprint uuid
* string rna.udp_fingerprints[].ws = X: fingerprint window size
* int rpc.~app: application number { 0:max32 }
* string rpc.~proc: procedure number or * for any
* string rpc.~ver: version number or * for any
* string s7commplus_func.~: function code to match
* string s7commplus_opcode.~: opcode code to match
* string sd_pattern.~pattern: The pattern to search for
* int sd_pattern.threshold = 1: number of matches before alerting { 1:max32 }
* int search_engine.bleedover_port_limit = 1024: maximum ports in rule before demotion to any-any port group { 1:max32 }
* bool search_engine.bleedover_warnings_enabled = false: print warning if a rule is demoted to any-any port group
* bool search_engine.debug = false: print verbose fast pattern info
* bool search_engine.debug_print_nocontent_rule_tests = false: print rule group info during packet evaluation
* bool search_engine.debug_print_rule_group_build_details = false: print rule group info during compilation
* bool search_engine.debug_print_rule_groups_compiled = false: prints compiled rule group information
* bool search_engine.debug_print_rule_groups_uncompiled = false: prints uncompiled rule group information
* bool search_engine.detect_raw_tcp = false: detect on TCP payload before reassembly
* bool search_engine.enable_single_rule_group = false: put all rules into one group
* int search_engine.max_pattern_len = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0:max32 }
* int search_engine.max_queue_events = 5: maximum number of matching fast pattern states to queue per packet { 2:100 }
* dynamic search_engine.offload_search_method: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
* int search_engine.queue_limit = 0: maximum number of fast pattern matches to queue per packet (0 is unlimited) { 0:max32 }
* string search_engine.rule_db_dir: deserialize rule databases from given directory
* dynamic search_engine.search_method = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
* bool search_engine.search_optimize = true: tweak state machine construction for better performance
* bool search_engine.show_fast_patterns = false: print fast pattern info for each rule
* bool search_engine.split_any_any = true: evaluate any-any rules separately to save memory
* interval seq.~range: check if TCP sequence number is in given range { 0: }
* string service.*: one or more comma-separated service names
* string sha256.~hash: data to match
* int sha256.length: number of octets in plain text { 1:65535 }
* string sha256.offset: var or number of bytes from start of buffer to start search
* implied sha256.relative = false: offset from cursor instead of start of buffer
* string sha512.~hash: data to match
* int sha512.length: number of octets in plain text { 1:65535 }
* string sha512.offset: var or number of bytes from start of buffer to start search
* implied sha512.relative = false: offset from cursor instead of start of buffer
* string side_channel[].connector: connector handle
* string side_channel[].connectors[].connector: connector handle
* bit_list side_channel[].ports: side channel message port list { 65535 }
* int sid.~: signature id { 1:max32 }
* bool sip.ignore_call_channel = false: enables the support for ignoring audio/video data channel
* int sip.max_call_id_len = 256: maximum call id field size { 0:65535 }
* int sip.max_contact_len = 256: maximum contact field size { 0:65535 }
* int sip.max_content_len = 1024: maximum content length of the message body { 0:65535 }
* int sip.max_dialogs = 4: maximum number of dialogs within one stream session { 1:max32 }
* int sip.max_from_len = 256: maximum from field size { 0:65535 }
* int sip.max_requestName_len = 20: deprecated - use max_request_name_len instead { 0:65535 }
* int sip.max_request_name_len = 20: maximum request name field size { 0:65535 }
* int sip.max_to_len = 256: maximum to field size { 0:65535 }
* int sip.max_uri_len = 256: maximum request uri field size { 0:65535 }
* int sip.max_via_len = 1024: maximum via field size { 0:65535 }
* string sip_method.*method: sip method
* string sip.methods = invite cancel ack bye register options: list of methods to check in SIP messages
* int sip_stat_code.*code: status code { 1:999 }
* string smtp.alt_max_command_line_len[].command: command string
* int smtp.alt_max_command_line_len[].length = 0: specify non-default maximum for command { 0:max32 }
* string smtp.auth_cmds: commands that initiate an authentication exchange
* int smtp.b64_decode_depth = -1: depth used to decode the base64 encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.binary_data_cmds: commands that initiate sending of data and use a length value after the command
* int smtp.bitenc_decode_depth = -1: depth used to extract the non-encoded MIME attachments (-1 no limit) { -1:65535 }
* string smtp.data_cmds: commands that initiate sending of data with an end of data delimiter
* bool smtp.decompress_pdf = false: decompress pdf files in MIME attachments
* bool smtp.decompress_swf = false: decompress swf files in MIME attachments
* bool smtp.decompress_vba = false: decompress MS Office Visual Basic for Applications macro files in MIME attachments
* bool smtp.decompress_zip = false: decompress zip files in MIME attachments
* int smtp.email_hdrs_log_depth = 1464: depth for logging email headers { 0:20480 }
* bool smtp.ignore_data = false: ignore data section of mail
* bool smtp.ignore_tls_data = false: ignore TLS-encrypted data when processing rules
* string smtp.invalid_cmds: alert if this command is sent from client side
* bool smtp.log_email_hdrs = false: log the SMTP email headers extracted from SMTP data
* bool smtp.log_filename = false: log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body
* bool smtp.log_mailfrom = false: log the sender’s email address extracted from the MAIL FROM command
* bool smtp.log_rcptto = false: log the recipient’s email address extracted from the RCPT TO command
* int smtp.max_auth_command_line_len = 1000: max auth command line length { 0:65535 }
* int smtp.max_command_line_len = 512: max command line length { 0:65535 }
* int smtp.max_header_line_len = 1000: max SMTP DATA header line { 0:65535 }
* int smtp.max_response_line_len = 512: max SMTP response line { 0:65535 }
* string smtp.normalize_cmds: list of commands to normalize
* enum smtp.normalize = none: turns on/off normalization { none | cmds | all }
* int smtp.qp_decode_depth = -1: quoted-printable decoding depth (-1 no limit) { -1:65535 }
* int smtp.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1 no limit) { -1:65535 }
* string smtp.valid_cmds: list of valid commands
* enum smtp.xlink2state = alert: enable/disable xlink2state alert { disable | alert | drop }
* implied snort.--alert-before-pass: evaluate alert rules before pass rules; default is pass rules first
* string snort.-A: <mode> set alert mode: none, cmg, or alert_*
* addr snort.-B = 255.255.255.255/32: <mask> obfuscate IP addresses in alerts and packet dumps using CIDR mask
* string snort.--bpf: <filter options> are standard BPF options, as seen in TCPDump
* string snort.--c2x: output hex for given char (see also --x2c)
* string snort.-c: <conf> use this configuration
* string snort.--control-socket: <file> to create unix socket
* implied snort.-C: print out payloads with character data only (no hex)
*
implied snort.--create-pidfile: create PID file, even when not in 10199 Daemon mode 10200 * int snort.--daq-batch-size = 64: <size> set the DAQ receive batch 10201 size { 1: } 10202 * string snort.--daq-dir: <dir> tell snort where to find desired 10203 DAQ 10204 * implied snort.--daq-list: list packet acquisition modules 10205 available in optional dir, default is static modules only 10206 * enum snort.--daq-mode: <mode> select DAQ module operating mode 10207 (overrides automatic selection) { passive | inline | read-file } 10208 * string snort.--daq: <type> select packet acquisition module 10209 (default is pcap) 10210 * string snort.--daq-var: <name=value> specify extra DAQ 10211 configuration variable 10212 * implied snort.-d: dump the Application Layer 10213 * implied snort.--dirty-pig: don’t flush packets on shutdown 10214 * implied snort.-D: run Snort in background (daemon) mode 10215 * string snort.--dump-builtin-options: additional options to 10216 include with --dump-builtin-rules stubs 10217 * string snort.--dump-builtin-rules: [<module prefix>] output stub 10218 rules for selected modules { (optional) } 10219 * select snort.--dump-config: dump config in json format { all | 10220 top } 10221 * implied snort.--dump-config-text: dump config in text format 10222 * string snort.--dump-defaults: [<module prefix>] output module 10223 defaults in Lua format { (optional) } 10224 * implied snort.--dump-dynamic-rules: output stub rules for all 10225 loaded rules libraries 10226 * string snort.--dump-rule-databases: dump rule databases to given 10227 directory (hyperscan only) 10228 * implied snort.--dump-rule-deps: dump rule dependencies in json 10229 format for use by other tools 10230 * implied snort.--dump-rule-meta: dump configured rule info in json 10231 format for use by other tools 10232 * implied snort.--dump-rule-state: dump configured rule state in 10233 json format for use by other tools 10234 * implied snort.--dump-version: output the version, the whole 
10235 version, and only the version 10236 * implied snort.-e: display the second layer header info 10237 * implied snort.--enable-inline-test: enable Inline-Test Mode 10238 Operation 10239 * implied snort.--enable-test-features: enable features used in 10240 testing 10241 * implied snort.-f: turn off fflush() calls after binary log writes 10242 * int snort.-G: <0xid> (same as --logid) { 0:65535 } 10243 * implied snort.--gen-msg-map: dump configured rules in gen-msg.map 10244 format for use by other tools 10245 * string snort.-g: <gname> run snort gid as <gname> group (or gid) 10246 after initialization 10247 * string snort.--help-commands: [<module prefix>] output matching 10248 commands { (optional) } 10249 * string snort.--help-config: [<module prefix>] output matching 10250 config options { (optional) } 10251 * string snort.--help-counts: [<module prefix>] output matching peg 10252 counts { (optional) } 10253 * implied snort.--help-limits: print the int upper bounds denoted 10254 by max* 10255 * string snort.--help-module: <module> output description of given 10256 module 10257 * implied snort.--help-modules-json: dump description of all 10258 available modules in JSON format 10259 * implied snort.--help-modules: list all available modules with 10260 brief help 10261 * string snort.--help-options: [<option prefix>] output matching 10262 command line option quick help (same as -?) 
{ (optional) } 10263 * implied snort.--help-plugins: list all available plugins with 10264 brief help 10265 * implied snort.--help: show help overview 10266 * implied snort.--help-signals: dump available control signals 10267 * implied snort.-H: make hash tables deterministic 10268 * implied snort.-h: show help overview (same as --help) 10269 * int snort.--id-offset = 0: offset to add to instance IDs when 10270 logging to files { 0:65535 } 10271 * implied snort.--id-subdir: create/use instance subdirectories in 10272 logdir instead of instance filename prefix 10273 * implied snort.--id-zero: use id prefix / subdirectory even with 10274 one packet thread 10275 * string snort.-i: <iface>… list of interfaces 10276 * string snort.--include-path: <path> where to find Lua and rule 10277 included files; searched before current or config directories 10278 * port snort.-j: <port> to listen for Telnet connections 10279 * enum snort.-k = all: <mode> checksum mode; default is all { all| 10280 noip|notcp|noudp|noicmp|none } 10281 * implied snort.--list-buffers: output available inspection buffers 10282 * string snort.--list-builtin: [<module prefix>] output matching 10283 builtin rules { (optional) } 10284 * string snort.--list-gids: [<module prefix>] output matching 10285 generators { (optional) } 10286 * string snort.--list-modules: [<module type>] list all known 10287 modules of given type { (optional) } 10288 * implied snort.--list-plugins: list all known plugins 10289 * string snort.-l: <logdir> log to this directory instead of 10290 current directory 10291 * string snort.-L: <mode> logging mode (none, dump, pcap, or log_*) 10292 * int snort.--logid: <0xid> log Identifier to uniquely id events 10293 for multiple snorts (same as -G) { 0:65535 } 10294 * string snort.--lua: <chunk> extend/override conf with chunk; may 10295 be repeated 10296 * string snort.--lua-sandbox: <file> file that contains the lua 10297 sandbox environment in which config will be loaded 10298 * implied 
snort.--markup: output help in asciidoc compatible format 10299 * int snort.--max-packet-threads: <count> configure maximum number 10300 of packet threads (same as -z) { 0:max32 } 10301 * implied snort.--mem-check: like -T but also compile search 10302 engines 10303 * string snort.--metadata-filter: <filter> load only rules 10304 containing filter string in metadata if set 10305 * implied snort.-M: log messages to syslog (not alerts) 10306 * int snort.-m: <umask> set the process file mode creation mask { 10307 0x000:0x1FF } 10308 * int snort.-n: <count> stop after count packets { 0:max53 } 10309 * implied snort.--nolock-pidfile: do not try to lock Snort PID file 10310 * implied snort.--nostamps: don’t include timestamps in log file 10311 names 10312 * implied snort.--no-warn-flowbits: ignore warnings about flowbits 10313 that are checked but not set and vice-versa 10314 * implied snort.--no-warn-rules: ignore warnings about duplicate 10315 rules and rule parsing issues 10316 * implied snort.-O: obfuscate the logged IP addresses 10317 * string snort.-?: <option prefix> output matching command line 10318 option quick help (same as --help-options) { (optional) } 10319 * implied snort.--pause: wait for resume/quit command before 10320 processing packets/terminating 10321 * string snort.--pcap-dir: <dir> a directory to recurse to look for 10322 pcaps - read mode is implied 10323 * string snort.--pcap-file: <file> file that contains a list of 10324 pcaps to read - read mode is implied 10325 * string snort.--pcap-filter = .*cap: <filter> filter to apply when 10326 getting pcaps from file or directory 10327 * string snort.--pcap-list: <list> a space separated list of pcaps 10328 to read - read mode is implied 10329 * int snort.--pcap-loop: <count> read all pcaps <count> times; 0 10330 will read until Snort is terminated { 0:max32 } 10331 * implied snort.--pcap-no-filter: reset to use no filter when 10332 getting pcaps from file or directory 10333 * implied 
snort.--pcap-show: print a line saying what pcap is 10334 currently being read 10335 * implied snort.--pedantic: warnings are fatal 10336 * string snort.--plugin-path: <path> a colon separated list of 10337 directories or plugin libraries 10338 * implied snort.--process-all-events: process all action groups 10339 * implied snort.-Q: enable inline mode operation 10340 * implied snort.-q: quiet mode - suppress normal logging on stdout 10341 * string snort.-r: <pcap>… (same as --pcap-list) 10342 * string snort.-R: <rules> include this rules file in the default 10343 policy 10344 * string snort.--rule-path: <path> where to find rules files 10345 * string snort.--rule: <rules> to be added to configuration; may be 10346 repeated 10347 * implied snort.--rule-to-hex: output so rule header to stdout for 10348 text rule on stdin 10349 * string snort.--rule-to-text: output plain so rule header to 10350 stdout for text rule on stdin (specify delimiter or 10351 [Snort_SO_Rule] will be used) { 16 } 10352 * string snort.--run-prefix: <pfx> prepend this to each output file 10353 * int snort.-s = 1518: <snap> (same as --snaplen); default is 1518 10354 { 68:65535 } 10355 * string snort.--script-path: <path> to a luajit script or 10356 directory containing luajit scripts 10357 * implied snort.--shell: enable the interactive command line 10358 * implied snort.--show-file-codes: indicate how files are located: 10359 A=absolute and W, F, C which are relative to the working 10360 directory, including file, and config file respectively 10361 * implied snort.--show-plugins: list module and plugin versions 10362 * int snort.--skip: <n> skip 1st n packets { 0:max53 } 10363 * int snort.--snaplen = 1518: <snap> set snaplen of packet (same as 10364 -s) { 68:65535 } 10365 * implied snort.--stdin-rules: read rules from stdin until EOF or a 10366 line starting with END is read 10367 * implied snort.--talos: enable Talos tweak (same as --tweaks 10368 talos) 10369 * string snort.-t: <dir> chroots 
process to <dir> after 10370 initialization 10371 * implied snort.-T: test and report on the current Snort 10372 configuration 10373 * string snort.--tweaks: tune configuration 10374 * string snort.-u: <uname> run snort as <uname> or <uid> after 10375 initialization 10376 * implied snort.-U: use UTC for timestamps 10377 * implied snort.-v: be verbose 10378 * implied snort.--version: show version number (same as -V) 10379 * implied snort.-V: (same as --version) 10380 * implied snort.--warn-all: enable all warnings 10381 * implied snort.--warn-conf-strict: warn about unrecognized 10382 elements in configuration files 10383 * implied snort.--warn-conf: warn about configuration issues 10384 * implied snort.--warn-daq: warn about DAQ issues, usually related 10385 to mode 10386 * implied snort.--warn-flowbits: warn about flowbits that are 10387 checked but not set and vice-versa 10388 * implied snort.--warn-hosts: warn about host table issues 10389 * implied snort.--warn-plugins: warn about issues that prevent 10390 plugins from loading 10391 * implied snort.--warn-rules: warn about duplicate rules and rule 10392 parsing issues 10393 * implied snort.--warn-scripts: warn about issues discovered while 10394 processing Lua scripts 10395 * implied snort.--warn-symbols: warn about unknown symbols in your 10396 Lua config 10397 * implied snort.--warn-vars: warn about variable definition and 10398 usage issues 10399 * int snort.--x2c: output ASCII char for given hex (see also --c2x) 10400 { 0x00:0xFF } 10401 * string snort.--x2s: output ASCII string for given byte code (see 10402 also --x2c) 10403 * implied snort.-X: dump the raw packet data starting at the link 10404 layer 10405 * implied snort.-x: same as --pedantic 10406 * implied snort.-y: include year in timestamp in the alert and log 10407 files 10408 * int snort.-z: <count> maximum number of packet threads (same as 10409 --max-packet-threads); 0 gets the number of CPU cores reported by 10410 the system; default is 1 { 
0:max32 } 10411 * string so.~func: name of eval function 10412 * string soid.~: SO rule ID is unique key, eg <gid>_<sid>_<rev> 10413 like 3_45678_9 10414 * implied so.relative: offset from cursor instead of start of 10415 buffer 10416 * int ssh.max_client_bytes = 19600: number of unanswered bytes 10417 before alerting on challenge-response overflow or CRC32 { 0:65535 10418 } 10419 * int ssh.max_encrypted_packets = 25: ignore session after this 10420 many encrypted packets { 0:65535 } 10421 * int ssh.max_server_version_len = 80: limit before alerting on 10422 secure CRT server version string overflow { 0:255 } 10423 * int ssl.max_heartbeat_length = 0: maximum length of heartbeat 10424 record allowed { 0:65535 } 10425 * implied ssl_state.client_hello: check for client hello 10426 * implied ssl_state.!client_hello: check for records that are not 10427 client hello 10428 * implied ssl_state.client_keyx: check for client keyx 10429 * implied ssl_state.!client_keyx: check for records that are not 10430 client keyx 10431 * implied ssl_state.!server_hello: check for records that are not 10432 server hello 10433 * implied ssl_state.server_hello: check for server hello 10434 * implied ssl_state.!server_keyx: check for records that are not 10435 server keyx 10436 * implied ssl_state.server_keyx: check for server keyx 10437 * implied ssl_state.!unknown: check for records that are not 10438 unknown 10439 * implied ssl_state.unknown: check for unknown record 10440 * bool ssl.trust_servers = false: disables requirement that 10441 application (encrypted) data must be observed on both sides 10442 * implied ssl_version.!sslv2: check for records that are not sslv2 10443 * implied ssl_version.sslv2: check for sslv2 10444 * implied ssl_version.!sslv3: check for records that are not sslv3 10445 * implied ssl_version.sslv3: check for sslv3 10446 * implied ssl_version.!tls1.0: check for records that are not 10447 tls1.0 10448 * implied ssl_version.tls1.0: check for tls1.0 10449 * implied 
ssl_version.!tls1.1: check for records that are not 10450 tls1.1 10451 * implied ssl_version.tls1.1: check for tls1.1 10452 * implied ssl_version.!tls1.2: check for records that are not 10453 tls1.2 10454 * implied ssl_version.tls1.2: check for tls1.2 10455 * int stream.file_cache.cap_weight = 32: additional bytes to track 10456 per flow for better estimation against cap { 0:65535 } 10457 * int stream.file_cache.idle_timeout = 180: maximum inactive time 10458 before retiring session tracker { 1:max32 } 10459 * bool stream_file.upload = false: indicate file transfer direction 10460 * int stream.held_packet_timeout = 1000: timeout in milliseconds 10461 for held packets { 1:max32 } 10462 * int stream.icmp_cache.cap_weight = 0: additional bytes to track 10463 per flow for better estimation against cap { 0:65535 } 10464 * int stream.icmp_cache.idle_timeout = 180: maximum inactive time 10465 before retiring session tracker { 1:max32 } 10466 * int stream_icmp.session_timeout = 60: session tracking timeout { 10467 1:max31 } 10468 * int stream.ip_cache.cap_weight = 0: additional bytes to track per 10469 flow for better estimation against cap { 0:65535 } 10470 * int stream.ip_cache.idle_timeout = 180: maximum inactive time 10471 before retiring session tracker { 1:max32 } 10472 * bool stream.ip_frags_only = false: don’t process non-frag flows 10473 * int stream_ip.max_frags = 8192: maximum number of simultaneous 10474 fragments being tracked { 1:max32 } 10475 * int stream_ip.max_overlaps = 0: maximum allowed overlaps per 10476 datagram; 0 is unlimited { 0:max32 } 10477 * int stream_ip.min_frag_length = 0: alert if fragment length is 10478 below this limit before or after trimming { 0:65535 } 10479 * int stream_ip.min_ttl = 1: discard fragments with TTL below the 10480 minimum { 1:255 } 10481 * enum stream_ip.policy = linux: fragment reassembly policy { first 10482 | linux | bsd | bsd_right | last | windows | solaris } 10483 * int stream_ip.session_timeout = 60: session 
tracking timeout { 10484 1:max31 } 10485 * int stream.max_flows = 476288: maximum simultaneous flows tracked 10486 before pruning { 2:max32 } 10487 * int stream.pruning_timeout = 30: minimum inactive time before 10488 being eligible for pruning { 1:max32 } 10489 * enum stream_reassemble.action: stop or start stream reassembly { 10490 disable|enable } 10491 * enum stream_reassemble.direction: action applies to the given 10492 direction(s) { client|server|both } 10493 * implied stream_reassemble.fastpath: optionally trust the 10494 remainder of the session 10495 * implied stream_reassemble.noalert: don’t alert when rule matches 10496 * enum stream_size.~direction: compare applies to the given 10497 direction(s) { either|to_server|to_client|both } 10498 * interval stream_size.~range: check if the stream size is in the 10499 given range { 0: } 10500 * int stream.tcp_cache.cap_weight = 11000: additional bytes to 10501 track per flow for better estimation against cap { 0:65535 } 10502 * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time 10503 before retiring session tracker { 1:max32 } 10504 * int stream_tcp.flush_factor = 0: flush upon seeing a drop in 10505 segment size after given number of non-decreasing segments { 10506 0:65535 } 10507 * int stream_tcp.max_pdu = 16384: maximum reassembled PDU size { 10508 1460:32768 } 10509 * int stream_tcp.max_window = 0: maximum allowed TCP window { 10510 0:1073725440 } 10511 * bool stream_tcp.no_ack = false: received data is implicitly acked 10512 immediately 10513 * int stream_tcp.overlap_limit = 0: maximum number of allowed 10514 overlapping segments per session { 0:max32 } 10515 * enum stream_tcp.policy = bsd: determines operating system 10516 characteristics like reassembly { first | last | linux | 10517 old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | 10518 windows | win_2003 | vista | proxy } 10519 * int stream_tcp.queue_limit.max_bytes = 4194304: don’t queue more 10520 than given bytes per session 
and direction, 0 = unlimited { 10521 0:max32 } 10522 * int stream_tcp.queue_limit.max_segments = 3072: don’t queue more 10523 than given segments per session and direction, 0 = unlimited { 10524 0:max32 } 10525 * bool stream_tcp.reassemble_async = true: queue data for 10526 reassembly before traffic is seen in both directions 10527 * int stream_tcp.require_3whs = -1: don’t track midstream sessions 10528 after given seconds from start up; -1 tracks all { -1:max31 } 10529 * int stream_tcp.session_timeout = 180: session tracking timeout { 10530 1:max31 } 10531 * bool stream_tcp.show_rebuilt_packets = false: enable cmg like 10532 output of reassembled packets 10533 * int stream_tcp.small_segments.count = 0: number of consecutive 10534 TCP small segments considered to be excessive (129:12) { 0:2048 } 10535 * int stream_tcp.small_segments.maximum_size = 0: minimum bytes for 10536 a TCP segment not to be considered small (129:12) { 0:2048 } 10537 * bool stream_tcp.track_only = false: disable reassembly if true 10538 * int stream.udp_cache.cap_weight = 0: additional bytes to track 10539 per flow for better estimation against cap { 0:65535 } 10540 * int stream.udp_cache.idle_timeout = 180: maximum inactive time 10541 before retiring session tracker { 1:max32 } 10542 * int stream_udp.session_timeout = 30: session tracking timeout { 10543 1:max31 } 10544 * int stream.user_cache.cap_weight = 0: additional bytes to track 10545 per flow for better estimation against cap { 0:65535 } 10546 * int stream.user_cache.idle_timeout = 180: maximum inactive time 10547 before retiring session tracker { 1:max32 } 10548 * int stream_user.session_timeout = 60: session tracking timeout { 10549 1:max31 } 10550 * int suppress[].gid = 0: rule generator ID { 0:max32 } 10551 * string suppress[].ip: restrict suppression to these addresses 10552 according to track 10553 * int suppress[].sid = 0: rule signature ID { 0:max32 } 10554 * enum suppress[].track: suppress only matching source or 10555 
destination addresses { by_src | by_dst } 10556 * int tag.bytes: tag for this many bytes { 1:max32 } 10557 * enum tag.~: log all packets in session or all packets to or from 10558 host { session|host_src|host_dst } 10559 * int tag.packets: tag this many packets { 1:max32 } 10560 * int tag.seconds: tag for this many seconds { 1:max32 } 10561 * enum target.~: indicate the target of the attack { src_ip | 10562 dst_ip } 10563 * string tcp_connector[].address: address 10564 * port tcp_connector[].base_port: base port number 10565 * string tcp_connector[].connector: connector name 10566 * enum tcp_connector[].setup: stream establishment { call | answer 10567 } 10568 * int telnet.ayt_attack_thresh = -1: alert beyond this number of 10569 consecutive Telnet AYT commands (-1 is disabled) { -1:max31 } 10570 * bool telnet.check_encrypted = false: check for end of encryption 10571 * bool telnet.encrypted_traffic = false: check for encrypted Telnet 10572 * bool telnet.normalize = false: eliminate escape sequences 10573 * string tenant_selector[].file: use configuration in given file 10574 * string tenant_selector[].tenants: list of tenants to match 10575 * interval tos.~range: check if IP TOS is in given range { 0:255 } 10576 * string trace.constraints.dst_ip: destination IP address filter 10577 * int trace.constraints.dst_port: destination port filter { 0:65535 10578 } 10579 * int trace.constraints.ip_proto: numerical IP protocol ID filter { 10580 0:255 } 10581 * bool trace.constraints.match = true: use constraints to filter 10582 traces 10583 * string trace.constraints.src_ip: source IP address filter 10584 * int trace.constraints.src_port: source port filter { 0:65535 } 10585 * int trace.modules.all: enable trace for all modules { 0:255 } 10586 * int trace.modules.dce_smb.all: enable all trace options { 0:255 } 10587 * int trace.modules.dpx.all: enable all trace options { 0:255 } 10588 * int trace.modules.file_id.all: enable all trace options { 0:255 } 10589 * int 
trace.modules.http_inspect.all: enable all trace options { 10590 0:255 } 10591 * int trace.modules.http_inspect.js_dump: enable JavaScript data 10592 logging { 0:255 } 10593 * int trace.modules.http_inspect.js_proc: enable JavaScript 10594 processing logging { 0:255 } 10595 * int trace.modules.snort.all: enable all trace options { 0:255 } 10596 * int trace.modules.snort.inspector_manager: enable inspector 10597 manager trace logging { 0:255 } 10598 * int trace.modules.vba_data.all: enable all trace options { 0:255 10599 } 10600 * int trace.modules.wizard.all: enable all trace options { 0:255 } 10601 * bool trace.ntuple = false: print packet n-tuple info with trace 10602 messages 10603 * enum trace.output: output method for trace log messages { stdout 10604 | syslog } 10605 * bool trace.timestamp = false: print message timestamps with trace 10606 messages 10607 * interval ttl.~range: check if IP TTL is in the given range { 10608 0:255 } 10609 * bool udp.deep_teredo_inspection = false: look for Teredo on all 10610 UDP ports (default is only 3544) 10611 * bit_list udp.geneve_ports = 6081: set Geneve ports { 65535 } 10612 * bit_list udp.gtp_ports = 2152 3386: set GTP ports { 65535 } 10613 * bit_list udp.vxlan_ports = 4789: set VXLAN ports { 65535 } 10614 * bool unified2.legacy_events = false: generate Snort 2.X style 10615 events for barnyard2 compatibility 10616 * int unified2.limit = 0: set maximum size in MB before rollover (0 10617 is unlimited) { 0:maxSZ } 10618 * bool unified2.nostamp = true: append file creation time to name 10619 (in Unix Epoch format) 10620 * interval urg.~range: check if tcp urgent offset is in given range 10621 { 0:65535 } 10622 * interval window.~range: check if TCP window size is in given 10623 range { 0:65535 } 10624 * multi wizard.curses: enable service identification based on 10625 internal algorithm { dce_smb | dce_udp | dce_tcp | sslv2 } 10626 * bool wizard.hexes[].client_first = true: which end initiates data 10627 transfer 10628 * 
select wizard.hexes[].proto = tcp: protocol to scan { tcp | udp } 10629 * string wizard.hexes[].service: name of service 10630 * string wizard.hexes[].to_client[].hex: sequence of data with wild 10631 chars (?) 10632 * string wizard.hexes[].to_server[].hex: sequence of data with wild 10633 chars (?) 10634 * int wizard.max_search_depth = 8192: maximum scan depth per flow { 10635 0:65535 } 10636 * bool wizard.spells[].client_first = true: which end initiates 10637 data transfer 10638 * select wizard.spells[].proto = tcp: protocol to scan { tcp | udp 10639 } 10640 * string wizard.spells[].service: name of service 10641 * string wizard.spells[].to_client[].spell: sequence of data with 10642 wild cards (*) 10643 * string wizard.spells[].to_server[].spell: sequence of data with 10644 wild cards (*) 10645 * interval wscale.~range: check if TCP window scale is in given 10646 range { 0:65535 } 10647 10648 1064911.5. Counts 10650 10651-------------- 10652 10653 * active.direct_injects: total crafted packets directly injected 10654 (sum) 10655 * active.failed_direct_injects: total crafted packet direct injects 10656 that failed (sum) 10657 * active.failed_injects: total crafted packet encode + injects that 10658 failed (sum) 10659 * active.holds_allowed: total number of packet hold requests 10660 allowed (sum) 10661 * active.holds_canceled: total number of packet hold requests 10662 canceled (sum) 10663 * active.holds_denied: total number of packet hold requests denied 10664 (sum) 10665 * active.injects: total crafted packets encoded and injected (sum) 10666 * address_space_selector.no_match: selection evaluations that had 10667 no matches (sum) 10668 * address_space_selector.packets: packets evaluated (sum) 10669 * appid.appid_unknown: count of sessions where appid could not be 10670 determined (sum) 10671 * appid.ignored_packets: count of packets ignored (sum) 10672 * appid.odp_reload_ignored_pkts: count of packets ignored after 10673 open detector package is reloaded (sum) 
* appid.packets: count of packets received (sum)
* appid.processed_packets: count of packets processed (sum)
* appid.service_cache_adds: number of times an entry was added to the service cache (sum)
* appid.service_cache_prunes: number of times the service cache was pruned (sum)
* appid.service_cache_removes: number of times an item was removed from the service cache (sum)
* appid.total_sessions: count of sessions created (sum)
* appid.tp_reload_ignored_pkts: count of packets ignored after third-party module is reloaded (sum)
* arp_spoof.packets: total packets (sum)
* back_orifice.packets: total packets (sum)
* binder.allows: allow actions bound (sum)
* binder.assistant_inspectors: flow assistant inspector requests handled (sum)
* binder.blocks: block actions bound (sum)
* binder.inspects: inspect actions bound (sum)
* binder.new_flows: new flows evaluated (sum)
* binder.new_standby_flows: new HA flows evaluated (sum)
* binder.no_match: binding evaluations that had no matches (sum)
* binder.raw_packets: raw packets evaluated (sum)
* binder.resets: reset actions bound (sum)
* binder.service_changes: flow service changes evaluated (sum)
* cip.concurrent_sessions: total concurrent CIP sessions (now)
* cip.max_concurrent_sessions: maximum concurrent CIP sessions (max)
* cip.packets: total packets (sum)
* cip.session: total sessions (sum)
* ciscometadata.invalid_hdr_len: total invalid Cisco Metadata header lengths (sum)
* ciscometadata.invalid_hdr_ver: total invalid Cisco Metadata header versions (sum)
* ciscometadata.invalid_opt_len: total invalid Cisco Metadata option lengths (sum)
* ciscometadata.invalid_opt_type: total invalid Cisco Metadata option types (sum)
* ciscometadata.invalid_sgt: total invalid Cisco Metadata security group tags (sum)
* ciscometadata.truncated_hdr: total truncated Cisco Metadata headers (sum)
* daq.allow: total allow verdicts (sum)
* daq.analyzed: total packets analyzed from DAQ (sum)
* daq.blacklist: total blacklist verdicts (sum)
* daq.block: total block verdicts (sum)
* daq.dropped: packets dropped (sum)
* daq.eof_messages: end of flow messages received from DAQ (sum)
* daq.expected_flows: expected flows created in DAQ (sum)
* daq.filtered: packets filtered out (sum)
* daq.idle: attempts to acquire from DAQ without available packets (sum)
* daq.ignore: total ignore verdicts (sum)
* daq.injected: active responses or replacements (sum)
* daq.internal_blacklist: packets blacklisted internally due to lack of DAQ support (sum)
* daq.internal_whitelist: packets whitelisted internally due to lack of DAQ support (sum)
* daq.other_messages: messages received from DAQ with unrecognized message type (sum)
* daq.outstanding: packets unprocessed (sum)
* daq.pcaps: total files and interfaces processed (max)
* daq.received: total packets received from DAQ (sum)
* daq.replace: total replace verdicts (sum)
* daq.retries_discarded: messages discarded when purging the retry queue (sum)
* daq.retries_dropped: messages dropped when overrunning the retry queue (sum)
* daq.retries_processed: messages processed from the retry queue (sum)
* daq.retries_queued: messages queued for retry (sum)
* daq.rx_bytes: total bytes received (sum)
* daq.skipped: packets skipped at startup (sum)
* daq.sof_messages: start of flow messages received from DAQ (sum)
* daq.whitelist: total whitelist verdicts (sum)
* data_log.packets: total packets (sum)
* dce_http_proxy.http_proxy_session_failures: failed http proxy sessions (sum)
* dce_http_proxy.http_proxy_sessions: successful http proxy sessions (sum)
* dce_http_server.http_server_session_failures: failed http server sessions (sum)
* dce_http_server.http_server_sessions: successful http server sessions (sum)
* dce_smb.alter_context_responses: total connection-oriented alter context responses (sum)
* dce_smb.alter_contexts: total connection-oriented alter contexts (sum)
* dce_smb.auth3s: total connection-oriented auth3s (sum)
* dce_smb.bind_acks: total connection-oriented bind acks (sum)
* dce_smb.bind_naks: total connection-oriented bind naks (sum)
* dce_smb.binds: total connection-oriented binds (sum)
* dce_smb.cancels: total connection-oriented cancels (sum)
* dce_smb.client_frags_reassembled: total connection-oriented client fragments reassembled (sum)
* dce_smb.client_max_fragment_size: connection-oriented client maximum fragment size (sum)
* dce_smb.client_min_fragment_size: connection-oriented client minimum fragment size (sum)
* dce_smb.client_segs_reassembled: total connection-oriented client segments reassembled (sum)
* dce_smb.concurrent_sessions: total concurrent sessions (now)
* dce_smb.events: total events (sum)
* dce_smb.faults: total connection-oriented faults (sum)
* dce_smb.files_processed: total smb files processed (sum)
* dce_smb.ignored_bytes: total ignored bytes (sum)
* dce_smb.max_concurrent_sessions: maximum concurrent sessions (max)
* dce_smb.max_outstanding_requests: total smb maximum outstanding requests (sum)
* dce_smb.ms_rpc_http_pdus: total connection-oriented MS requests to send RPC over HTTP (sum)
* dce_smb.orphaned: total connection-oriented orphaned (sum)
* dce_smb.other_requests: total connection-oriented other requests (sum)
* dce_smb.other_responses: total connection-oriented other responses (sum)
* dce_smb.packets: total smb packets (sum)
* dce_smb.pdus: total connection-oriented PDUs (sum)
* dce_smb.rejects: total connection-oriented rejects (sum)
* dce_smb.request_fragments: total connection-oriented request fragments (sum)
* dce_smb.requests: total connection-oriented requests (sum)
* dce_smb.response_fragments: total connection-oriented response fragments (sum)
* dce_smb.responses: total connection-oriented responses (sum)
* dce_smb.server_frags_reassembled: total connection-oriented server fragments reassembled (sum)
* dce_smb.server_max_fragment_size: connection-oriented server maximum fragment size (sum)
* dce_smb.server_min_fragment_size: connection-oriented server minimum fragment size (sum)
* dce_smb.server_segs_reassembled: total connection-oriented server segments reassembled (sum)
* dce_smb.sessions: total smb sessions (sum)
* dce_smb.shutdowns: total connection-oriented shutdowns (sum)
* dce_smb.smb_client_segs_reassembled: total smb client segments reassembled (sum)
* dce_smb.smb_server_segs_reassembled: total smb server segments reassembled (sum)
* dce_smb.total_encrypted_sessions: total encrypted sessions (sum)
* dce_smb.total_mc_sessions: total multichannel sessions (sum)
* dce_smb.total_smb1_sessions: total smb1 sessions (sum)
* dce_smb.total_smb2_sessions: total smb2 sessions (sum)
* dce_smb.v2_bad_next_cmd_offset: total number of SMBv2 packets seen with invalid next command offset (sum)
* dce_smb.v2_cls_err_resp: total number of SMBv2 close error response packets seen (sum)
* dce_smb.v2_cls_inv_str_sz: total number of SMBv2 close packets seen with invalid structure size (sum)
* dce_smb.v2_cls_req_ftrkr_misng: total number of SMBv2 close request packets ignored due to missing file tracker (sum)
* dce_smb.v2_cls_req_hdr_err: total number of SMBv2 close request packets ignored due to corrupted header (sum)
* dce_smb.v2_cls: total number of SMBv2 close packets seen (sum)
* dce_smb.v2_cmpnd_req_lt_crossed: total number of SMBv2 packets seen where compound requests exceed the smb_max_compound limit (sum)
* dce_smb.v2_crt_err_resp: total number of SMBv2 create error response packets seen (sum)
* dce_smb.v2_crt_inv_file_data: total number of SMBv2 create request packets ignored due to error in getting file name (sum)
* dce_smb.v2_crt_inv_str_sz: total number of SMBv2 create packets seen with invalid structure size (sum)
* dce_smb.v2_crt_req_hdr_err: total number of SMBv2 create request packets ignored due to corrupted header (sum)
* dce_smb.v2_crt_req_ipc: total number of SMBv2 create request packets ignored as share type is IPC (sum)
* dce_smb.v2_crt_resp_hdr_err: total number of SMBv2 create response packets ignored due to corrupted header (sum)
* dce_smb.v2_crt_rtrkr_misng: total number of SMBv2 create response packets ignored due to missing create request tracker (sum)
* dce_smb.v2_crt: total number of SMBv2 create packets seen (sum)
* dce_smb.v2_crt_tree_trkr_misng: total number of SMBv2 create response packets ignored due to missing tree tracker (sum)
* dce_smb.v2_hdr_err: total number of SMBv2 packets seen with corrupted header (sum)
* dce_smb.v2_inv_file_ctx_err: total number of times a null file context is seen, resulting in the file size not being set (sum)
* dce_smb.v2_ioctl_err_resp: total number of SMBv2 ioctl error response packets seen (sum)
* dce_smb.v2_ioctl_inv_str_sz: total number of SMBv2 ioctl packets seen with invalid structure size (sum)
* dce_smb.v2_ioctl_req_hdr_err: total number of SMBv2 ioctl request packets ignored due to corrupted header (sum)
* dce_smb.v2_ioctl_resp_hdr_err: total number of SMBv2 ioctl response packets ignored due to corrupted header (sum)
* dce_smb.v2_ioctl: total number of SMBv2 ioctl packets seen (sum)
* dce_smb.v2_logoff_inv_str_sz: total number of SMBv2 logoff packets seen with invalid structure size (sum)
* dce_smb.v2_logoff: total number of SMBv2 logoff packets seen (sum)
* dce_smb.v2_msgs_uninspected: total number of SMBv2 packets seen where command is not being inspected (sum)
* dce_smb.v2_read_err_resp: total number of SMBv2 read error response packets seen (sum)
* dce_smb.v2_read_inv_str_sz: total number of SMBv2 read packets seen with invalid structure size (sum)
* dce_smb.v2_read_req_hdr_err: total number of SMBv2 read request packets ignored due to corrupted header (sum)
* dce_smb.v2_read_resp_hdr_err: total number of SMBv2 read response packets ignored due to corrupted header (sum)
* dce_smb.v2_read_rtrkr_misng: total number of SMBv2 read response packets ignored due to missing read request tracker (sum)
* dce_smb.v2_read: total number of SMBv2 read packets seen (sum)
* dce_smb.v2_session_ignored: total number of packets ignored due to missing session tracker (sum)
* dce_smb.v2_setinfo: total number of SMBv2 set info packets seen (sum)
* dce_smb.v2_setup_err_resp: total number of SMBv2 setup error response packets seen (sum)
* dce_smb.v2_setup_inv_str_sz: total number of SMBv2 setup packets seen with invalid structure size (sum)
* dce_smb.v2_setup_resp_hdr_err: total number of SMBv2 setup response packets ignored due to corrupted header (sum)
* dce_smb.v2_setup: total number of SMBv2 setup packets seen (sum)
* dce_smb.v2_stinf_err_resp: total number of SMBv2 set info error response packets seen (sum)
* dce_smb.v2_stinf_inv_str_sz: total number of SMBv2 set info packets seen with invalid structure size (sum)
* dce_smb.v2_stinf_req_ftrkr_misng: total number of SMBv2 set info request packets ignored due to missing file tracker (sum)
* dce_smb.v2_stinf_req_hdr_err: total number of SMBv2 set info request packets ignored due to corrupted header (sum)
* dce_smb.v2_tree_cnct_err_resp: total number of SMBv2 tree connect error response packets seen (sum)
* dce_smb.v2_tree_cnct_ignored: total number of SMBv2 tree connect response packets ignored due to failure in creating tree tracker (sum)
* dce_smb.v2_tree_cnct_inv_str_sz: total number of SMBv2 tree connect packets seen with invalid structure size (sum)
* dce_smb.v2_tree_cnct_resp_hdr_err: total number of SMBv2 tree connect response packets ignored due to corrupted header (sum)
* dce_smb.v2_tree_cnct: total number of SMBv2 tree connect packets seen (sum)
* dce_smb.v2_tree_discn_ignored: total number of SMBv2 tree disconnect packets ignored due to missing trackers or invalid share type (sum)
* dce_smb.v2_tree_discn_inv_str_sz: total number of SMBv2 tree disconnect packets seen with invalid structure size (sum)
* dce_smb.v2_tree_discn_req_hdr_err: total number of SMBv2 tree disconnect request packets ignored due to corrupted header (sum)
* dce_smb.v2_tree_discn: total number of SMBv2 tree disconnect packets seen (sum)
* dce_smb.v2_tree_ignored: total number of packets ignored due to missing tree tracker (sum)
* dce_smb.v2_wrt_err_resp: total number of SMBv2 write error response packets seen (sum)
* dce_smb.v2_wrt_inv_str_sz: total number of SMBv2 write packets seen with invalid structure size (sum)
* dce_smb.v2_wrt_req_hdr_err: total number of SMBv2 write request packets ignored due to corrupted header (sum)
* dce_smb.v2_wrt_resp_hdr_err: total number of SMBv2 write response packets ignored due to corrupted header (sum)
* dce_smb.v2_wrt: total number of SMBv2 write packets seen (sum)
* dce_tcp.alter_context_responses: total connection-oriented alter context responses (sum)
* dce_tcp.alter_contexts: total connection-oriented alter contexts (sum)
* dce_tcp.auth3s: total connection-oriented auth3s (sum)
* dce_tcp.bind_acks: total connection-oriented bind acks (sum)
* dce_tcp.bind_naks: total connection-oriented bind naks (sum)
* dce_tcp.binds: total connection-oriented binds (sum)
* dce_tcp.cancels: total connection-oriented cancels (sum)
* dce_tcp.client_frags_reassembled: total connection-oriented client fragments reassembled (sum)
* dce_tcp.client_max_fragment_size: connection-oriented client maximum fragment size (sum)
* dce_tcp.client_min_fragment_size: connection-oriented client minimum fragment size (sum)
* dce_tcp.client_segs_reassembled: total connection-oriented client segments reassembled (sum)
* dce_tcp.concurrent_sessions: total concurrent sessions (now)
* dce_tcp.events: total events (sum)
* dce_tcp.faults: total connection-oriented faults (sum)
* dce_tcp.max_concurrent_sessions: maximum concurrent sessions (max)
* dce_tcp.ms_rpc_http_pdus: total connection-oriented MS requests to send RPC over HTTP (sum)
* dce_tcp.orphaned: total connection-oriented orphaned (sum)
* dce_tcp.other_requests: total connection-oriented other requests (sum)
* dce_tcp.other_responses: total connection-oriented other responses (sum)
* dce_tcp.pdus: total connection-oriented PDUs (sum)
* dce_tcp.rejects: total connection-oriented rejects (sum)
* dce_tcp.request_fragments: total connection-oriented request fragments (sum)
* dce_tcp.requests: total connection-oriented requests (sum)
* dce_tcp.response_fragments: total connection-oriented response fragments (sum)
* dce_tcp.responses: total connection-oriented responses (sum)
* dce_tcp.server_frags_reassembled: total connection-oriented server fragments reassembled (sum)
* dce_tcp.server_max_fragment_size: connection-oriented server maximum fragment size (sum)
* dce_tcp.server_min_fragment_size: connection-oriented server minimum fragment size (sum)
* dce_tcp.server_segs_reassembled: total connection-oriented server segments reassembled (sum)
* dce_tcp.shutdowns: total connection-oriented shutdowns (sum)
* dce_tcp.tcp_expected_realized: total tcp dynamic endpoint expected sessions realized (sum)
* dce_tcp.tcp_expected_sessions: total tcp dynamic endpoint expected sessions (sum)
* dce_tcp.tcp_packets: total tcp packets (sum)
* dce_tcp.tcp_sessions: total tcp sessions (sum)
* dce_udp.acks: total connection-less acks (sum)
* dce_udp.cancel_acks: total connection-less cancel acks (sum)
* dce_udp.cancels: total connection-less cancels (sum)
* dce_udp.client_facks: total connection-less client facks (sum)
* dce_udp.concurrent_sessions: total concurrent sessions (now)
* dce_udp.events: total events (sum)
* dce_udp.faults: total connection-less faults (sum)
* dce_udp.fragments: total connection-less fragments (sum)
* dce_udp.frags_reassembled: total connection-less fragments reassembled (sum)
* dce_udp.max_concurrent_sessions: maximum concurrent sessions (max)
* dce_udp.max_fragment_size: connection-less maximum fragment size (sum)
* dce_udp.max_seqnum: max connection-less seqnum (sum)
* dce_udp.no_calls: total connection-less no calls (sum)
* dce_udp.other_requests: total connection-less other requests (sum)
* dce_udp.other_responses: total connection-less other responses (sum)
* dce_udp.ping: total connection-less pings (sum)
* dce_udp.rejects: total connection-less rejects (sum)
* dce_udp.requests: total connection-less requests (sum)
* dce_udp.responses: total connection-less responses (sum)
* dce_udp.server_facks: total connection-less server facks (sum)
* dce_udp.udp_packets: total udp packets (sum)
* dce_udp.udp_sessions: total udp sessions (sum)
* dce_udp.working: total connection-less working (sum)
* detection.alert_limit: events previously triggered on same PDU (sum)
* detection.alerts: alerts not including IP reputation (sum)
* detection.alt_searches: alt fast pattern searches in packet data (sum)
* detection.analyzed: total packets processed (now)
* detection.body_searches: fast pattern searches in body buffer (sum)
* detection.context_stalls: times processing stalled to wait for an available context (sum)
* detection.cooked_searches: fast pattern searches in cooked packet data (sum)
* detection.cookie_searches: fast pattern searches in cookie buffer (sum)
* detection.event_limit: events filtered (sum)
* detection.file_searches: fast pattern searches in file buffer (sum)
* detection.hard_evals: non-fast pattern rule evaluations (sum)
* detection.header_searches: fast pattern searches in header buffer (sum)
* detection.js_data_searches: fast pattern searches in js_data buffer (sum)
* detection.key_searches: fast pattern searches in key buffer (sum)
* detection.logged: logged packets (sum)
* detection.log_limit: events queued but not logged (sum)
* detection.match_limit: fast pattern matches not processed (sum)
* detection.method_searches: fast pattern searches in method buffer (sum)
* detection.offload_busy: times offload was not available (sum)
* detection.offload_failures: fast pattern offload search failures (sum)
* detection.offload_fallback: fast pattern offload search fallback attempts (sum)
* detection.offloads: fast pattern searches that were offloaded (sum)
* detection.offload_suspends: fast pattern search suspends due to offload context chains (sum)
* detection.onload_waits: times processing waited for onload to complete (sum)
* detection.passed: passed packets (sum)
* detection.pcre_error: total number of times pcre returned an error (sum)
* detection.pcre_match_limit: total number of times pcre hit the match limit (sum)
* detection.pcre_recursion_limit: total number of times pcre hit the recursion limit (sum)
* detection.pkt_searches: fast pattern searches in packet data (sum)
* detection.queue_limit: events not queued because queue full (sum)
* detection.raw_header_searches: fast pattern searches in raw header buffer (sum)
* detection.raw_key_searches: fast pattern searches in raw key buffer (sum)
* detection.raw_searches: fast pattern searches in raw packet data (sum)
* detection.stat_code_searches: fast pattern searches in status code buffer (sum)
* detection.stat_msg_searches: fast pattern searches in status message buffer (sum)
* detection.total_alerts: alerts including IP reputation (sum)
* detection.vba_searches: fast pattern searches in MS Office Visual Basic for Applications buffer (sum)
* dnp3.concurrent_sessions: total concurrent dnp3 sessions (now)
* dnp3.dnp3_application_pdus: total dnp3 application pdus (sum)
* dnp3.dnp3_link_layer_frames: total dnp3 link layer frames (sum)
* dnp3.max_concurrent_sessions: maximum concurrent dnp3 sessions (max)
* dnp3.tcp_pdus: total tcp pdus (sum)
* dnp3.total_packets: total packets (sum)
* dnp3.udp_packets: total udp packets (sum)
* dns.concurrent_sessions: total concurrent dns sessions (now)
* dns.max_concurrent_sessions: maximum concurrent dns sessions (max)
* dns.packets: total packets processed (sum)
* dns.requests: total dns requests (sum)
* dns.responses: total dns responses (sum)
* domain_filter.checked: domains checked (sum)
* domain_filter.filtered: domains filtered (sum)
* dpx.packets: total packets (sum)
* event_filter.no_memory_global: number of times event filter ran out of global memory (sum)
* event_filter.no_memory_local: number of times event filter ran out of local memory (sum)
* file_connector.messages: total messages (sum)
* file_id.cache_failures: number of file cache add failures (sum)
* file_id.files_not_processed: number of files not processed due to per-flow limit (sum)
* file_id.max_concurrent_files: maximum files processed concurrently on a flow (max)
* file_id.total_file_data: number of file data bytes processed (sum)
* file_id.total_files: number of files processed (sum)
* file_log.total_events: total file events (sum)
* ftp_data.packets: total packets (sum)
* ftp_server.concurrent_sessions: total concurrent FTP sessions (now)
* ftp_server.flow_segment_size_changed: total number of FTP sessions with segment size change (sum)
* ftp_server.max_concurrent_sessions: maximum concurrent FTP sessions (max)
* ftp_server.pkt_segment_size_changed: total number of FTP data packets with segment size change (sum)
* ftp_server.ssl_search_abandoned: total SSL searches abandoned (sum)
* ftp_server.ssl_srch_abandoned_early: total SSL searches abandoned too soon (sum)
* ftp_server.start_tls: total STARTTLS events generated (sum)
* ftp_server.total_bytes: total number of bytes processed (sum)
* ftp_server.total_packets: total packets (sum)
* gtp_inspect.concurrent_sessions: total concurrent gtp sessions (now)
* gtp_inspect.events: requests (sum)
* gtp_inspect.max_concurrent_sessions: maximum concurrent gtp sessions (max)
* gtp_inspect.sessions: total sessions processed (sum)
* gtp_inspect.unknown_infos: unknown information elements (sum)
* gtp_inspect.unknown_types: unknown message types (sum)
* high_availability.client_consume_errors: client data consume failure count (sum)
* high_availability.daq_imports: states imported via daq (sum)
* high_availability.daq_stores: states stored via daq (sum)
* high_availability.delete_msgs_consumed: deletion messages consumed (sum)
* high_availability.key_mismatch: messages received with a flow key mismatch (sum)
* high_availability.msg_length_mismatch: messages received with an inconsistent total length (sum)
* high_availability.msgs_recv: total messages received (sum)
* high_availability.msg_version_mismatch: messages received with a version mismatch (sum)
* high_availability.truncated_msgs: truncated messages received (sum)
* high_availability.unknown_client_idx: messages received with an unknown client index (sum)
* high_availability.unknown_key_type: messages received with an unknown flow key type (sum)
* high_availability.update_msgs_consumed: update messages fully consumed (sum)
* high_availability.update_msgs_recv_no_flow: update messages received without a local flow (sum)
* high_availability.update_msgs_recv: update messages received (sum)
* host_cache.adds: lru cache added new entry (sum)
* host_cache.alloc_prunes: lru cache pruned entry to make space for new entry (sum)
* host_cache.find_hits: lru cache found entry in cache (sum)
* host_cache.find_misses: lru cache did not find entry in cache (sum)
* host_cache.reload_prunes: lru cache pruned entry for lower memcap during reload (sum)
* host_cache.removes: lru cache found entry and removed it (sum)
* host_cache.replaced: lru cache found entry and replaced it (sum)
* hosts.dynamic_host_adds: number of host additions after initial host file load (sum)
* hosts.dynamic_service_adds: number of service additions after initial host file load (sum)
* hosts.dynamic_service_updates: number of service updates after initial host file load (sum)
* hosts.hosts_pruned: number of LRU hosts pruned due to configured resource limits (sum)
* hosts.service_list_overflows: number of service additions that failed due to configured resource limits (sum)
* hosts.total_hosts: maximum number of entries in the host attribute table (max)
* host_tracker.service_adds: host service adds (sum)
* host_tracker.service_finds: host service finds (sum)
* http2_inspect.concurrent_sessions: total concurrent HTTP/2 sessions (now)
* http2_inspect.flows: HTTP/2 connections inspected (sum)
* http2_inspect.flows_over_stream_limit: HTTP/2 flows exceeding 100 concurrent streams (sum)
* http2_inspect.max_concurrent_files: maximum concurrent file transfers per HTTP/2 connection (max)
* http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2 sessions (max)
* http2_inspect.max_concurrent_streams: maximum concurrent streams per HTTP/2 connection (max)
* http2_inspect.max_table_entries: maximum entries in an HTTP/2 dynamic table (max)
* http2_inspect.total_bytes: total HTTP/2 data bytes inspected (sum)
* http_inspect.chunked: chunked message bodies (sum)
* http_inspect.concurrent_sessions: total concurrent http sessions (now)
* http_inspect.connect_requests: CONNECT requests inspected (sum)
* http_inspect.connect_tunnel_cutovers: CONNECT tunnel flow cutovers to wizard (sum)
* http_inspect.delete_requests: DELETE requests inspected (sum)
* http_inspect.excess_parameters: repeat parameters exceeding max (sum)
* http_inspect.flows: HTTP connections inspected (sum)
* http_inspect.get_requests: GET requests inspected (sum)
* http_inspect.head_requests: HEAD requests inspected (sum)
* http_inspect.inspections: total message sections inspected (sum)
* http_inspect.js_bytes: total number of JavaScript bytes processed (sum)
* http_inspect.js_external_scripts: total number of external JavaScripts processed (sum)
* http_inspect.js_identifier_overflows: total number of unique JavaScript identifier limit overflows (sum)
* http_inspect.js_identifiers: total number of unique JavaScript identifiers processed (sum)
* http_inspect.js_inline_scripts: total number of inline JavaScripts processed (sum)
* http_inspect.max_concurrent_sessions: maximum concurrent http sessions (max)
* http_inspect.options_requests: OPTIONS requests inspected (sum)
* http_inspect.other_requests: other request methods inspected (sum)
* http_inspect.parameters: HTTP parameters inspected (sum)
* http_inspect.partial_inspections: early inspections done for script detection (sum)
* http_inspect.pipelined_flows: total HTTP connections containing pipelined requests (sum)
* http_inspect.pipelined_requests: total requests placed in a pipeline (sum)
* http_inspect.post_requests: POST requests inspected (sum)
* http_inspect.put_requests: PUT requests inspected (sum)
* http_inspect.reassembles: TCP segments combined into HTTP messages (sum)
* http_inspect.request_bodies: POST, PUT, and other requests with message bodies (sum)
* http_inspect.requests: HTTP request messages inspected (sum)
* http_inspect.responses: HTTP response messages inspected (sum)
* http_inspect.scans: TCP segments scanned looking for HTTP messages (sum)
* http_inspect.script_detections: early inspections of scripts in HTTP responses (sum)
* http_inspect.ssl_srch_abandoned_early: total SSL searches abandoned too soon (sum)
* http_inspect.total_bytes: total HTTP data bytes inspected (sum)
* http_inspect.trace_requests: TRACE requests inspected (sum)
* http_inspect.uri_coding: URIs with character coding problems (sum)
* http_inspect.uri_normalizations: URIs needing normalization (sum)
* http_inspect.uri_path: URIs with path problems (sum)
* icmp4.bad_checksum: nonzero icmp checksums (sum)
* icmp4.checksum_bypassed: checksum calculations bypassed (sum)
* icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
* icmp6.checksum_bypassed: checksum calculations bypassed (sum)
* iec104.concurrent_sessions: total concurrent IEC104 sessions (now)
* iec104.frames: total IEC104 messages (sum)
* iec104.max_concurrent_sessions: maximum concurrent IEC104 sessions (max)
* iec104.sessions: total sessions processed (sum)
* imap.b64_attachments: total base64 attachments decoded (sum)
* imap.b64_decoded_bytes: total base64 decoded bytes (sum)
* imap.concurrent_sessions: total concurrent imap sessions (now)
* imap.max_concurrent_sessions: maximum concurrent imap sessions (max)
* imap.non_encoded_attachments: total non-encoded attachments extracted (sum)
* imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
* imap.packets: total packets processed (sum)
* imap.qp_attachments: total quoted-printable attachments decoded (sum)
* imap.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
* imap.sessions: total imap sessions (sum)
* imap.ssl_search_abandoned: total SSL searches abandoned (sum)
* imap.ssl_srch_abandoned_early: total SSL searches abandoned too soon (sum)
* imap.start_tls: total STARTTLS events generated (sum)
* imap.uu_attachments: total uu attachments decoded (sum)
* imap.uu_decoded_bytes: total uu decoded bytes (sum)
* ipv4.bad_checksum: nonzero ip checksums (sum)
* ipv4.checksum_bypassed: checksum calculations bypassed (sum)
* latency.max_usecs: maximum usecs elapsed (sum)
* latency.packet_timeouts: packets that timed out (sum)
* latency.rule_eval_timeouts: rule evals that timed out (sum)
* latency.rule_tree_enables: rule tree re-enables (sum)
* latency.total_packets: total packets monitored (sum)
* latency.total_rule_evals: total rule evals monitored (sum)
* latency.total_usecs: total usecs elapsed (sum)
* memory.allocated: total amount of memory allocated (now)
* memory.allocations: total number of allocations (now)
* memory.deallocated: total amount of memory deallocated (now)
* memory.deallocations: total number of deallocations (now)
* memory.max_in_use: highest allocated - deallocated (max)
* memory.reap_attempts: attempts to reclaim memory (now)
* memory.reap_failures: failures to reclaim memory (now)
* mem_test.packets: total packets (sum)
* modbus.concurrent_sessions: total concurrent modbus sessions (now)
* modbus.frames: total Modbus messages (sum)
* modbus.max_concurrent_sessions: maximum concurrent modbus sessions (max)
* modbus.sessions: total sessions processed (sum)
* netflow.invalid_netflow_record: count of invalid netflow records (sum)
* netflow.packets: total packets processed (sum)
* netflow.records: total records found in netflow data (sum)
* netflow.unique_flows: count of unique netflow flows (sum)
* netflow.v9_missing_template: count of data records that are missing templates (sum)
* netflow.v9_options_template: count of options template flowsets (sum)
* netflow.v9_templates: count of total version 9 templates (sum)
* netflow.version_5: count of netflow version 5 packets received (sum)
* netflow.version_9: count of netflow version 9 packets received (sum)
* normalizer.icmp4_echo: icmp4 ping normalizations (sum)
* normalizer.icmp6_echo: icmp6 echo normalizations (sum)
* normalizer.ip4_df: don't frag bit normalizations (sum)
* normalizer.ip4_opts: ip4 options cleared (sum)
* normalizer.ip4_rf: reserved flag bit clears (sum)
* normalizer.ip4_tos: type of service normalizations (sum)
* normalizer.ip4_trim: eth packets trimmed to datagram size (sum)
* normalizer.ip4_ttl: time-to-live normalizations (sum)
* normalizer.ip6_hops: ip6 hop limit normalizations (sum)
* normalizer.ip6_options: ip6 options cleared (sum)
* normalizer.tcp_block: blocked segments (sum)
* normalizer.tcp_ecn_pkt: packets with ECN bits cleared (sum)
* normalizer.tcp_ecn_session: ECN bits cleared (sum)
* normalizer.tcp_ips_data: normalized segments (sum)
* normalizer.tcp_nonce: packets with nonce bit cleared (sum)
* normalizer.tcp_options: packets with options cleared (sum)
* normalizer.tcp_padding: packets with padding cleared (sum)
* normalizer.tcp_req_pay: cleared urgent pointer and urgent flag when there is no payload (sum)
* normalizer.tcp_req_urg: cleared urgent pointer when urgent flag is not set (sum)
* normalizer.tcp_req_urp: cleared the urgent flag if the urgent pointer is not set (sum)
* normalizer.tcp_reserved: packets with reserved bits cleared (sum)
* normalizer.tcp_syn_options: SYN only options cleared from non-SYN packets (sum)
* normalizer.tcp_trim_mss: data trimmed to MSS (sum)
* normalizer.tcp_trim_rst: RST packets with data trimmed (sum)
* normalizer.tcp_trim_syn: tcp segments trimmed on SYN (sum)
* normalizer.tcp_trim_win: data trimmed to window (sum)
* normalizer.tcp_ts_ecr: timestamp cleared on non-ACKs (sum)
* normalizer.tcp_ts_nop: timestamp options cleared (sum)
* normalizer.tcp_urgent_ptr: packets without data with urgent pointer cleared (sum)
* normalizer.test_icmp4_echo: test icmp4 ping normalizations (sum)
* normalizer.test_icmp6_echo: test icmp6 echo normalizations (sum)
* normalizer.test_ip4_df: test don't frag bit normalizations (sum)
* normalizer.test_ip4_opts: test ip4 options cleared (sum)
* normalizer.test_ip4_rf: test reserved flag bit clears (sum)
* normalizer.test_ip4_tos: test type of service normalizations (sum)
* normalizer.test_ip4_trim: test eth packets trimmed to datagram size (sum)
* normalizer.test_ip4_ttl: test time-to-live normalizations (sum)
* normalizer.test_ip6_hops: test ip6 hop limit normalizations (sum)
* normalizer.test_ip6_options: test ip6 options cleared (sum)
* normalizer.test_tcp_block: test blocked segments (sum)
* normalizer.test_tcp_ecn_pkt: test packets with ECN bits cleared (sum)
* normalizer.test_tcp_ecn_session: test ECN bits cleared (sum)
* normalizer.test_tcp_ips_data: test normalized segments (sum)
* normalizer.test_tcp_nonce: test packets with nonce bit cleared (sum)
* normalizer.test_tcp_options: test packets with options cleared (sum)
* normalizer.test_tcp_padding: test packets with padding cleared (sum)
* normalizer.test_tcp_req_pay: test cleared urgent pointer and urgent flag when there is no payload (sum)
* normalizer.test_tcp_req_urg: test cleared urgent pointer when urgent flag is not set (sum)
* normalizer.test_tcp_req_urp: test cleared the urgent flag if the urgent pointer is not set (sum)
* normalizer.test_tcp_reserved: test packets with reserved bits cleared (sum)
* normalizer.test_tcp_syn_options: test SYN only options cleared from non-SYN packets (sum)
* normalizer.test_tcp_trim_mss: test data trimmed to MSS (sum)
* normalizer.test_tcp_trim_rst: test RST packets with data trimmed (sum)
* normalizer.test_tcp_trim_syn: test tcp segments trimmed on SYN (sum)
* normalizer.test_tcp_trim_win: test data trimmed to window (sum)
* normalizer.test_tcp_ts_ecr: test timestamp cleared on non-ACKs (sum)
* normalizer.test_tcp_ts_nop: test timestamp options cleared (sum)
* normalizer.test_tcp_urgent_ptr: test packets without data with urgent pointer cleared (sum)
* packet_capture.captured: packets dumped after matching filter (sum)
* packet_capture.processed: packets processed against filter (sum)
* payload_injector.http2_injects: total number of http2 injections (sum)
* payload_injector.http2_mid_frame: total number of attempts to inject mid-frame (sum)
* payload_injector.http2_translate_err: total number of http2 page translation errors (sum)
* payload_injector.http_injects: total number of http injections (sum)
* pcre.pcre_native: total pcre rules compiled by pcre engine (sum)
* pcre.pcre_negated: total pcre rules using negation syntax (sum)
* pcre.pcre_rules: total rules processed with pcre option (sum)
* pcre.pcre_to_hyper: total pcre rules compiled by hyperscan engine (sum)
* perf_monitor.flow_tracker_creates: total number of flow trackers created (sum)
* perf_monitor.flow_tracker_prunes: flow trackers pruned for reuse by new flows (sum)
* perf_monitor.flow_tracker_reload_deletes: flow trackers deleted due to memcap change on config reload (sum)
* perf_monitor.flow_tracker_total_deletes: flow trackers deleted to stay below memcap limit (sum)
* perf_monitor.packets: total packets processed by performance monitor (sum)
* pop.b64_attachments: total base64 attachments decoded (sum)
* pop.b64_decoded_bytes: total base64 decoded bytes (sum)
* pop.concurrent_sessions: total concurrent pop sessions (now)
* pop.max_concurrent_sessions: maximum concurrent pop sessions (max)
* pop.non_encoded_attachments: total non-encoded attachments extracted (sum)
* pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
* pop.packets: total packets processed (sum)
* pop.qp_attachments: total quoted-printable attachments decoded (sum)
* pop.qp_decoded_bytes: total quoted-printable decoded bytes (sum)
* pop.sessions: total pop sessions (sum)
* pop.ssl_search_abandoned: total SSL searches abandoned (sum)
* pop.ssl_srch_abandoned_early: total SSL searches abandoned too soon (sum)
* pop.start_tls: total STARTTLS events generated (sum)
* pop.total_bytes: total number of bytes processed (sum)
* pop.uu_attachments: total uu attachments decoded (sum)
* pop.uu_decoded_bytes: total uu decoded bytes (sum)
* port_scan.alloc_prunes: number of trackers pruned on allocation of new tracking (sum)
* port_scan.packets: number of packets processed by port scan (sum)
* port_scan.reload_prunes: number of trackers pruned on reload due to reduced memcap (sum)
* port_scan.trackers: number of trackers allocated by port scan (sum)
* rate_filter.no_memory: number of times rate filter ran out of memory (sum)
* reputation.aux_ip_blocked: number of auxiliary ip packets blocked (sum)
* reputation.aux_ip_monitored: number of auxiliary ip packets monitored (sum)
* reputation.aux_ip_trusted: number of auxiliary ip packets trusted (sum)
* reputation.blocked: number of packets blocked (sum)
* reputation.memory_allocated: total memory allocated (sum)
* reputation.monitored: number of packets monitored (sum)
* reputation.packets: total packets processed (sum)
* reputation.trusted: number of packets trusted (sum)
* rna.appid_change: count of appid change events received (sum)
* rna.change_host_update: count of change host update events (sum)
* rna.cpe_os:
count of CPE OS events received (sum) 11457 * rna.dhcp_data: count of DHCP data events received (sum) 11458 * rna.dhcp_info: count of new DHCP lease events received (sum) 11459 * rna.icmp_bidirectional: count of bidirectional ICMP flows 11460 received (sum) 11461 * rna.icmp_new: count of new ICMP flows received (sum) 11462 * rna.ip_bidirectional: count of bidirectional IP received (sum) 11463 * rna.ip_new: count of new IP flows received (sum) 11464 * rna.other_packets: count of packets received without session 11465 tracking (sum) 11466 * rna.smb: count of new SMB events received (sum) 11467 * rna.tcp_midstream: count of TCP midstream packets received (sum) 11468 * rna.tcp_syn_ack: count of TCP SYN-ACK packets received (sum) 11469 * rna.tcp_syn: count of TCP SYN packets received (sum) 11470 * rna.udp_bidirectional: count of bidirectional UDP flows received 11471 (sum) 11472 * rna.udp_new: count of new UDP flows received (sum) 11473 * rpc_decode.concurrent_sessions: total concurrent rpc sessions 11474 (now) 11475 * rpc_decode.max_concurrent_sessions: maximum concurrent rpc 11476 sessions (max) 11477 * rpc_decode.total_packets: total packets (sum) 11478 * s7commplus.concurrent_sessions: total concurrent s7commplus 11479 sessions (now) 11480 * s7commplus.frames: total S7commplus messages (sum) 11481 * s7commplus.max_concurrent_sessions: maximum concurrent s7commplus 11482 sessions (max) 11483 * s7commplus.sessions: total sessions processed (sum) 11484 * sd_pattern.below_threshold: sd_pattern matched but missed 11485 threshold (sum) 11486 * sd_pattern.pattern_not_found: sd_pattern did not not match (sum) 11487 * sd_pattern.terminated: hyperscan terminated (sum) 11488 * search_engine.max_queued: maximum fast pattern matches queued for 11489 further evaluation (max) 11490 * search_engine.non_qualified_events: total non-qualified events 11491 (sum) 11492 * search_engine.qualified_events: total qualified events (sum) 11493 * search_engine.searched_bytes: total bytes 
searched (sum) 11494 * search_engine.total_flushed: total fast pattern matches processed 11495 (sum) 11496 * search_engine.total_inserts: total fast pattern hits (sum) 11497 * search_engine.total_overruns: fast pattern matches discarded due 11498 to overflow (sum) 11499 * search_engine.total_unique: total unique fast pattern hits (sum) 11500 * side_channel.packets: total packets (sum) 11501 * sip.ack: ack (sum) 11502 * sip.bye: bye (sum) 11503 * sip.cancel: cancel (sum) 11504 * sip.code_1xx: 1xx (sum) 11505 * sip.code_2xx: 2xx (sum) 11506 * sip.code_3xx: 3xx (sum) 11507 * sip.code_4xx: 4xx (sum) 11508 * sip.code_5xx: 5xx (sum) 11509 * sip.code_6xx: 6xx (sum) 11510 * sip.code_7xx: 7xx (sum) 11511 * sip.code_8xx: 8xx (sum) 11512 * sip.code_9xx: 9xx (sum) 11513 * sip.concurrent_sessions: total concurrent SIP sessions (now) 11514 * sip.dialogs: total dialogs (sum) 11515 * sip.events: events generated (sum) 11516 * sip.ignored_channels: total channels ignored (sum) 11517 * sip.ignored_sessions: total sessions ignored (sum) 11518 * sip.info: info (sum) 11519 * sip.invite: invite (sum) 11520 * sip.join: join (sum) 11521 * sip.max_concurrent_sessions: maximum concurrent SIP sessions 11522 (max) 11523 * sip.message: message (sum) 11524 * sip.notify: notify (sum) 11525 * sip.options: options (sum) 11526 * sip.packets: total packets (sum) 11527 * sip.prack: prack (sum) 11528 * sip.refer: refer (sum) 11529 * sip.register: register (sum) 11530 * sip.sessions: total sessions (sum) 11531 * sip.subscribe: subscribe (sum) 11532 * sip.total_requests: total requests (sum) 11533 * sip.total_responses: total responses (sum) 11534 * sip.update: update (sum) 11535 * smtp.b64_attachments: total base64 attachments decoded (sum) 11536 * smtp.b64_decoded_bytes: total base64 decoded bytes (sum) 11537 * smtp.concurrent_sessions: total concurrent smtp sessions (now) 11538 * smtp.max_concurrent_sessions: maximum concurrent smtp sessions 11539 (max) 11540 * smtp.non_encoded_attachments: total 
non-encoded attachments 11541 extracted (sum) 11542 * smtp.non_encoded_bytes: total non-encoded extracted bytes (sum) 11543 * smtp.packets: total packets processed (sum) 11544 * smtp.qp_attachments: total quoted-printable attachments decoded 11545 (sum) 11546 * smtp.qp_decoded_bytes: total quoted-printable decoded bytes (sum) 11547 * smtp.sessions: total smtp sessions (sum) 11548 * smtp.ssl_search_abandoned: total SSL search abandoned (sum) 11549 * smtp.ssl_srch_abandoned_early: total SSL search abandoned too 11550 soon (sum) 11551 * smtp.start_tls: total STARTTLS events generated (sum) 11552 * smtp.total_bytes: total number of bytes processed (sum) 11553 * smtp.uu_attachments: total uu attachments decoded (sum) 11554 * smtp.uu_decoded_bytes: total uu decoded bytes (sum) 11555 * snort.attribute_table_hosts: number of hosts added to the 11556 attribute table (sum) 11557 * snort.attribute_table_overflow: number of host additions that 11558 failed due to attribute table full (sum) 11559 * snort.attribute_table_reloads: number of times hosts attribute 11560 table was reloaded (sum) 11561 * snort.conf_reloads: number of times configuration was reloaded 11562 (sum) 11563 * snort.daq_reloads: number of times daq configuration was reloaded 11564 (sum) 11565 * snort.inspector_deletions: number of times inspectors were 11566 deleted (sum) 11567 * snort.local_commands: total local commands processed (sum) 11568 * snort.policy_reloads: number of times policies were reloaded 11569 (sum) 11570 * snort.remote_commands: total remote commands processed (sum) 11571 * snort.signals: total signals processed (sum) 11572 * ssh.concurrent_sessions: total concurrent ssh sessions (now) 11573 * ssh.max_concurrent_sessions: maximum concurrent ssh sessions 11574 (max) 11575 * ssh.packets: total packets (sum) 11576 * ssh.total_bytes: total number of bytes processed (sum) 11577 * ssl.alert: total ssl alert records (sum) 11578 * ssl.bad_handshakes: total bad handshakes (sum) 11579 * 
ssl.certificate: total ssl certificates (sum) 11580 * ssl.change_cipher: total change cipher records (sum) 11581 * ssl.client_application: total client application records (sum) 11582 * ssl.client_hello: total client hellos (sum) 11583 * ssl.client_key_exchange: total client key exchanges (sum) 11584 * ssl.concurrent_sessions: total concurrent ssl sessions (now) 11585 * ssl.decoded: ssl packets decoded (sum) 11586 * ssl.detection_disabled: total detection disabled (sum) 11587 * ssl.finished: total handshakes finished (sum) 11588 * ssl.handshakes_completed: total completed ssl handshakes (sum) 11589 * ssl.max_concurrent_sessions: maximum concurrent ssl sessions 11590 (max) 11591 * ssl.packets: total packets processed (sum) 11592 * ssl.server_application: total server application records (sum) 11593 * ssl.server_done: total server done (sum) 11594 * ssl.server_hello: total server hellos (sum) 11595 * ssl.server_key_exchange: total server key exchanges (sum) 11596 * ssl.sessions_ignored: total sessions ignore (sum) 11597 * ssl.unrecognized_records: total unrecognized records (sum) 11598 * stream.excess_prunes: sessions pruned due to excess (sum) 11599 * stream.expected_flows: total expected flows created within snort 11600 (sum) 11601 * stream.expected_overflows: number of expected cache overflows 11602 (sum) 11603 * stream.expected_pruned: number of expected flows pruned (sum) 11604 * stream.expected_realized: number of expected flows realized (sum) 11605 * stream.flows: total sessions (sum) 11606 * stream.ha_prunes: sessions pruned by high availability sync (sum) 11607 * stream_icmp.created: icmp session trackers created (sum) 11608 * stream_icmp.max: max icmp sessions (max) 11609 * stream_icmp.prunes: icmp session prunes (sum) 11610 * stream_icmp.released: icmp session trackers released (sum) 11611 * stream_icmp.sessions: total icmp sessions (sum) 11612 * stream_icmp.timeouts: icmp session timeouts (sum) 11613 * stream.idle_prunes: sessions pruned due to timeout 
(sum) 11614 * stream_ip.alerts: alerts generated (sum) 11615 * stream_ip.anomalies: anomalies detected (sum) 11616 * stream_ip.created: ip session trackers created (sum) 11617 * stream_ip.current_frags: current fragments (now) 11618 * stream_ip.discards: fragments discarded (sum) 11619 * stream_ip.drops: fragments dropped (sum) 11620 * stream_ip.fragmented_bytes: total fragmented bytes (sum) 11621 * stream_ip.frag_timeouts: datagrams abandoned (sum) 11622 * stream_ip.max_frags: max fragments (sum) 11623 * stream_ip.max: max ip sessions (max) 11624 * stream_ip.nodes_deleted: fragments deleted from tracker (sum) 11625 * stream_ip.nodes_inserted: fragments added to tracker (sum) 11626 * stream_ip.overlaps: overlapping fragments (sum) 11627 * stream_ip.prunes: ip session prunes (sum) 11628 * stream_ip.reassembled_bytes: total reassembled bytes (sum) 11629 * stream_ip.reassembled: reassembled datagrams (sum) 11630 * stream_ip.released: ip session trackers released (sum) 11631 * stream_ip.sessions: total ip sessions (sum) 11632 * stream_ip.timeouts: ip session timeouts (sum) 11633 * stream_ip.total_bytes: total number of bytes processed (sum) 11634 * stream_ip.total_frags: total fragments (sum) 11635 * stream_ip.trackers_added: datagram trackers created (sum) 11636 * stream_ip.trackers_cleared: datagram trackers cleared (sum) 11637 * stream_ip.trackers_completed: datagram trackers completed (sum) 11638 * stream_ip.trackers_freed: datagram trackers released (sum) 11639 * stream.memcap_prunes: sessions pruned due to memcap (sum) 11640 * stream.preemptive_prunes: sessions pruned during preemptive 11641 pruning (deprecated) (sum) 11642 * stream.reload_allowed_deletes: number of allowed flows deleted by 11643 config reloads (sum) 11644 * stream.reload_blocked_deletes: number of blocked flows deleted by 11645 config reloads (sum) 11646 * stream.reload_freelist_deletes: number of flows deleted from the 11647 free list by config reloads (sum) 11648 * 
stream.reload_offloaded_deletes: number of offloaded flows 11649 deleted by config reloads (sum) 11650 * stream.reload_total_adds: number of flows added by config reloads 11651 (sum) 11652 * stream.reload_total_deletes: number of flows deleted by config 11653 reloads (sum) 11654 * stream.reload_tuning_idle: number of times stream resource tuner 11655 called while idle (sum) 11656 * stream.reload_tuning_packets: number of times stream resource 11657 tuner called while processing packets (sum) 11658 * stream.stale_prunes: sessions pruned due to stale connection 11659 (sum) 11660 * stream_tcp.client_cleanups: number of times data from server was 11661 flushed when session released (sum) 11662 * stream_tcp.closing: number of sessions currently closing (now) 11663 * stream_tcp.created: tcp session trackers created (sum) 11664 * stream_tcp.cur_packets_held: number of packets currently held 11665 (now) 11666 * stream_tcp.data_trackers: tcp session tracking started on data 11667 (sum) 11668 * stream_tcp.discards_skipped: tcp packet discards skipped due to 11669 normalization disabled (sum) 11670 * stream_tcp.discards: tcp packets discarded (sum) 11671 * stream_tcp.established: number of sessions currently established 11672 (now) 11673 * stream_tcp.events: events generated (sum) 11674 * stream_tcp.exceeded_max_bytes: number of times the maximum queued 11675 byte limit was reached (sum) 11676 * stream_tcp.exceeded_max_segs: number of times the maximum queued 11677 segment limit was reached (sum) 11678 * stream_tcp.fins: number of fin packets (sum) 11679 * stream_tcp.gaps: missing data between PDUs (sum) 11680 * stream_tcp.held_packet_purges: number of held packets that were 11681 purged without flushing (sum) 11682 * stream_tcp.held_packet_retries: number of held packets that were 11683 added to the retry queue (sum) 11684 * stream_tcp.held_packet_rexmits: number of retransmits of held 11685 packets (sum) 11686 * stream_tcp.held_packets_dropped: number of held packets 
dropped 11687 (sum) 11688 * stream_tcp.held_packets_passed: number of held packets passed 11689 (sum) 11690 * stream_tcp.held_packet_timeouts: number of held packets that 11691 timed out (sum) 11692 * stream_tcp.ignored: tcp packets ignored (sum) 11693 * stream_tcp.initializing: number of sessions currently 11694 initializing (now) 11695 * stream_tcp.inspector_fallbacks: count of fallbacks from assigned 11696 service inspector (sum) 11697 * stream_tcp.instantiated: new sessions instantiated (sum) 11698 * stream_tcp.internal_events: 135:X events generated (sum) 11699 * stream_tcp.invalid_ack: tcp packets received with an invalid ack 11700 number (sum) 11701 * stream_tcp.invalid_seq_num: tcp packets received with an invalid 11702 sequence number (sum) 11703 * stream_tcp.max_bytes: maximum number of bytes queued in any flow 11704 (max) 11705 * stream_tcp.max: max tcp sessions (max) 11706 * stream_tcp.max_packets_held: maximum number of packets held 11707 simultaneously (max) 11708 * stream_tcp.max_segs: maximum number of segments queued in any 11709 flow (max) 11710 * stream_tcp.memory: current memory in use (now) 11711 * stream_tcp.meta_acks: number of meta acks processed (sum) 11712 * stream_tcp.no_flags_set: tcp packets received with no TCP flags 11713 set (sum) 11714 * stream_tcp.overlaps: overlapping segments queued (sum) 11715 * stream_tcp.packets_held: number of packets held (sum) 11716 * stream_tcp.partial_fallbacks: count of fallbacks from assigned 11717 service stream splitter (sum) 11718 * stream_tcp.partial_flush_bytes: partial flush total bytes (sum) 11719 * stream_tcp.partial_flushes: number of partial flushes initiated 11720 (sum) 11721 * stream_tcp.payload_fully_trimmed: segments with no data after 11722 trimming (sum) 11723 * stream_tcp.prunes: tcp session prunes (sum) 11724 * stream_tcp.rebuilt_buffers: rebuilt PDU sections (sum) 11725 * stream_tcp.rebuilt_bytes: total rebuilt bytes (sum) 11726 * stream_tcp.rebuilt_packets: total reassembled PDUs 
(sum) 11727 * stream_tcp.released: tcp session trackers released (sum) 11728 * stream_tcp.resets: number of reset packets (sum) 11729 * stream_tcp.restarts: sessions restarted (sum) 11730 * stream_tcp.resyns: SYN received on established session (sum) 11731 * stream_tcp.segs_queued: total segments queued (sum) 11732 * stream_tcp.segs_released: total segments released (sum) 11733 * stream_tcp.segs_split: tcp segments split when reassembling PDUs 11734 (sum) 11735 * stream_tcp.segs_used: queued tcp segments applied to reassembled 11736 PDUs (sum) 11737 * stream_tcp.server_cleanups: number of times data from client was 11738 flushed when session released (sum) 11739 * stream_tcp.sessions: total tcp sessions (sum) 11740 * stream_tcp.setups: session initializations (sum) 11741 * stream_tcp.syn_acks: number of syn-ack packets (sum) 11742 * stream_tcp.syn_ack_trackers: tcp session tracking started on 11743 syn-ack (sum) 11744 * stream_tcp.syns: number of syn packets (sum) 11745 * stream_tcp.syn_trackers: tcp session tracking started on syn 11746 (sum) 11747 * stream_tcp.three_way_trackers: tcp session tracking started on 11748 ack (sum) 11749 * stream_tcp.timeouts: tcp session timeouts (sum) 11750 * stream_tcp.untracked: tcp packets not tracked (sum) 11751 * stream_tcp.zero_len_tcp_opt: number of zero length tcp options 11752 (sum) 11753 * stream.total_prunes: total sessions pruned (sum) 11754 * stream_udp.created: udp session trackers created (sum) 11755 * stream_udp.ignored: udp packets ignored (sum) 11756 * stream_udp.max: max udp sessions (max) 11757 * stream_udp.prunes: udp session prunes (sum) 11758 * stream_udp.released: udp session trackers released (sum) 11759 * stream_udp.sessions: total udp sessions (sum) 11760 * stream_udp.timeouts: udp session timeouts (sum) 11761 * stream_udp.total_bytes: total number of bytes processed (sum) 11762 * stream.uni_prunes: uni sessions pruned (sum) 11763 * tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum) 11764 * 
tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum) 11765 * tcp.checksum_bypassed: checksum calculations bypassed (sum) 11766 * tcp_connector.messages: total messages (sum) 11767 * telnet.concurrent_sessions: total concurrent Telnet sessions 11768 (now) 11769 * telnet.max_concurrent_sessions: maximum concurrent Telnet 11770 sessions (max) 11771 * telnet.total_packets: total packets (sum) 11772 * tenant_selector.no_match: selection evaluations that had no 11773 matches (sum) 11774 * tenant_selector.packets: packets evaluated (sum) 11775 * udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum) 11776 * udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum) 11777 * udp.checksum_bypassed: checksum calculations bypassed (sum) 11778 * wizard.tcp_hits: tcp identifications (sum) 11779 * wizard.tcp_misses: tcp searches abandoned (sum) 11780 * wizard.tcp_scans: tcp payload scans (sum) 11781 * wizard.udp_hits: udp identifications (sum) 11782 * wizard.udp_misses: udp searches abandoned (sum) 11783 * wizard.udp_scans: udp payload scans (sum) 11784 * wizard.user_hits: user identifications (sum) 11785 * wizard.user_misses: user searches abandoned (sum) 11786 * wizard.user_scans: user payload scans (sum) 11787 11788 1178911.6. 
Generators 11790 11791-------------- 11792 11793 * 2: output 11794 * 105: back_orifice 11795 * 106: rpc_decode 11796 * 112: arp_spoof 11797 * 116: arp 11798 * 116: auth 11799 * 116: ciscometadata 11800 * 116: decode 11801 * 116: eapol 11802 * 116: erspan2 11803 * 116: erspan3 11804 * 116: esp 11805 * 116: eth 11806 * 116: fabricpath 11807 * 116: geneve 11808 * 116: gre 11809 * 116: gtp 11810 * 116: icmp4 11811 * 116: icmp6 11812 * 116: igmp 11813 * 116: ipv4 11814 * 116: ipv6 11815 * 116: llc 11816 * 116: mpls 11817 * 116: pbb 11818 * 116: pgm 11819 * 116: pppoe 11820 * 116: tcp 11821 * 116: token_ring 11822 * 116: udp 11823 * 116: vlan 11824 * 116: wlan 11825 * 119: http_inspect 11826 * 121: http2_inspect 11827 * 122: port_scan 11828 * 123: stream_ip 11829 * 124: smtp 11830 * 125: ftp_server 11831 * 126: telnet 11832 * 128: ssh 11833 * 129: stream_tcp 11834 * 131: dns 11835 * 133: dce_http_proxy 11836 * 133: dce_http_server 11837 * 133: dce_smb 11838 * 133: dce_tcp 11839 * 133: dce_udp 11840 * 134: latency 11841 * 135: stream 11842 * 136: reputation 11843 * 137: ssl 11844 * 140: sip 11845 * 141: imap 11846 * 142: pop 11847 * 143: gtp_inspect 11848 * 144: modbus 11849 * 145: dnp3 11850 * 148: cip 11851 * 149: s7commplus 11852 * 150: file_id 11853 * 151: iec104 11854 * 175: domain_filter 11855 * 256: dpx 11856 11857 1185811.7. Builtin Rules 11859 11860-------------- 11861 118622:1 (output) tagged packet 11863 11864A tagged packet was logged. 

105:1 (back_orifice) Back orifice traffic detected, unknown direction

Back Orifice traffic was detected; the direction could not be determined.

105:2 (back_orifice) Back orifice client traffic detected

Back Orifice client traffic was detected.

105:3 (back_orifice) Back orifice server traffic detected

Back Orifice server traffic was detected.

105:4 (back_orifice) Back orifice length field >= 1024 bytes

A Back Orifice length field of 1024 bytes or more was detected.

106:1 (rpc_decode) fragmented RPC records

Detected fragmented RPC records.

106:2 (rpc_decode) multiple RPC records

Detected multiple RPC records in the packet.

106:3 (rpc_decode) large RPC record fragment

Large RPC record fragment. The RPC fragment length is greater than the packet data size.

106:4 (rpc_decode) incomplete RPC segment

Incomplete RPC segment. The packet data size is less than the required RPC fragment length.

106:5 (rpc_decode) zero-length RPC fragment

Zero-length RPC fragment.

112:1 (arp_spoof) unicast ARP request

The ARP request is unicast, not broadcast.

112:2 (arp_spoof) ethernet/ARP mismatch for source hardware address

Mismatch between the ethernet source hardware address and the ARP source hardware address.

112:3 (arp_spoof) ethernet/ARP mismatch for destination hardware address in reply

Mismatch between the ethernet destination hardware address and the ARP destination hardware address in an ARP reply.

112:4 (arp_spoof) attempted ARP cache overwrite attack

Attempted ARP cache overwrite attack. The ethernet source hardware address or the ARP source hardware address doesn’t match the one configured for this IP address in the host table.

116:1 (ipv4) not IPv4 datagram

The packet is not an IPv4 datagram (based on the ip header’s version field).

116:2 (ipv4) IPv4 header length < minimum

The IPv4 header length (based on the header’s length field) is less than the IPv4 minimum header length (20 bytes).

116:3 (ipv4) IPv4 datagram length < header field

The total IPv4 datagram length is less than the length calculated from the ipv4 header length field.

116:4 (ipv4) IPv4 options found with bad lengths

The IPv4 options field has a bad/incorrect length.

116:5 (ipv4) truncated IPv4 options

The IPv4 options field is truncated.

116:6 (ipv4) IPv4 datagram length > captured length

The IPv4 datagram length is greater than the captured packet’s length.

116:45 (tcp) TCP packet length is smaller than 20 bytes

The TCP packet length is smaller than the minimum tcp header length (20 bytes).

116:46 (tcp) TCP data offset is less than 5

The TCP data offset is less than five 32-bit words (20 bytes) and is invalid.

116:47 (tcp) TCP header length exceeds packet length

The TCP header length exceeds the packet’s length.

116:54 (tcp) TCP options found with bad lengths

The TCP options are invalid and/or have bad lengths.

116:55 (tcp) truncated TCP options

The TCP options field is truncated.

116:56 (tcp) T/TCP detected

A tcp packet was detected with the CC Echo field set.

116:57 (tcp) obsolete TCP options found

A tcp packet was detected that contained obsolete TCP options.

116:58 (tcp) experimental TCP options found

A tcp packet was detected that contained experimental TCP options.

116:59 (tcp) TCP window scale option found with length > 14

The TCP window scale option was found with a length greater than 14.

116:95 (udp) truncated UDP header

A truncated UDP header has been detected.

116:96 (udp) invalid UDP header, length field < 8

An invalid UDP header was detected. The header’s length field is less than 8 bytes.

116:97 (udp) short UDP packet, length field > payload length

The UDP length field is greater than the payload length.

116:98 (udp) long UDP packet, length field < payload length

The UDP length field is less than the payload length.

116:105 (icmp4) ICMP header truncated

An ICMP packet was detected with the header truncated.

116:106 (icmp4) ICMP timestamp header truncated

The ICMP packet’s timestamp header is truncated.

116:107 (icmp4) ICMP address header truncated

The ICMP packet’s address header is truncated.

116:109 (arp) truncated ARP

The packet length is less than ethernet arp’s minimum length of 28 bytes.

116:110 (eapol) truncated EAP header

A truncated EAP header was detected.

116:111 (eapol) EAP key truncated

The EAP key is truncated.

116:112 (eapol) EAP header truncated

The EAP header is truncated.

116:120 (pppoe) bad PPPOE frame detected

A bad PPPOE frame has been detected. The frame’s length is less than the PPPOE frame minimum (6 bytes).

116:130 (vlan) bad VLAN frame

A bad VLAN frame was detected, due to either the packet being smaller than the minimum VLAN header size or the VLAN ID being invalid (0 or 4095).

116:131 (llc) bad LLC header

An invalid LLC header has been detected (less than 3 bytes).
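
The ipv4, tcp and udp decoder conditions listed above (116:1 through 116:6, 116:45 through 116:55, 116:95 through 116:98) can be reproduced outside Snort to see which events a given header would raise. The following Python is an added illustration, not Snort code and not part of the manual: each check_* function inspects the header the way the rule descriptions say and returns the GID:SID strings whose condition holds. The sample packets are constructed for this example, the evaluation order is this example’s own rather than Snort’s, and the handling of an IPv4 capture shorter than 20 bytes (no SID is listed for it on this page) is an assumption: the function raises instead of guessing.

```python
"""Header sanity checks modelled on the GID 116 builtin rules for IPv4, TCP
and UDP as documented in the Snort 3 manual. Added illustration, not Snort
code: each check_* function returns the GID:SID strings whose documented
condition holds for the bytes given."""
import struct


def _option_errors(opts: bytes, declared: int, bad_len: str, trunc: str) -> list[str]:
    """Walk a kind/length/data option list (same layout for IPv4 and TCP).
    `declared` is the option-space length the header claims; `opts` is what
    was actually captured. Returns [trunc] if the option space is cut short
    or an option overruns it, [bad_len] if a length byte is impossible (< 2)."""
    if len(opts) < declared:
        return [trunc]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:               # End of Option List
            break
        if kind == 1:               # No-Operation: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):      # kind present but its length byte is not
            return [trunc]
        length = opts[i + 1]
        if length < 2:              # must at least cover kind + length bytes
            return [bad_len]
        if i + length > len(opts):  # option data runs past the option space
            return [trunc]
        i += length
    return []


def check_ipv4(pkt: bytes) -> list[str]:
    """ipv4 checks 116:1 .. 116:6 on a captured IPv4 datagram."""
    if len(pkt) < 20:
        # Assumption: no SID for this case is listed on the page, so refuse.
        raise ValueError("fewer than 20 bytes captured")
    if pkt[0] >> 4 != 4:
        return ["116:1"]
    hlen = (pkt[0] & 0x0F) * 4                  # IHL is in 32-bit words
    if hlen < 20:
        return ["116:2"]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < hlen:
        return ["116:3"]
    sids = []
    if total_len > len(pkt):
        sids.append("116:6")
    if hlen > 20:
        sids += _option_errors(pkt[20:hlen], hlen - 20, "116:4", "116:5")
    return sids


def check_tcp(seg: bytes) -> list[str]:
    """tcp checks 116:45, 116:46, 116:47, 116:54, 116:55 on a TCP segment."""
    if len(seg) < 20:
        return ["116:45"]
    data_offset = seg[12] >> 4                  # header length in 32-bit words
    if data_offset < 5:
        return ["116:46"]
    hlen = data_offset * 4
    if hlen > len(seg):
        return ["116:47"]
    return _option_errors(seg[20:hlen], hlen - 20, "116:54", "116:55")


def check_udp(dgram: bytes) -> list[str]:
    """udp checks 116:95 .. 116:98; `dgram` is the UDP header plus payload."""
    if len(dgram) < 8:
        return ["116:95"]
    udp_len = struct.unpack("!H", dgram[4:6])[0]
    if udp_len < 8:
        return ["116:96"]
    if udp_len > len(dgram):
        return ["116:97"]                        # short packet: claims more than is there
    if udp_len < len(dgram):
        return ["116:98"]                        # long packet: trailing bytes beyond the claim
    return []


# Constructed samples (not captures from the manual), one per rule, as hex.
IP4 = "00000000 40060000 0a000001 0a000002"      # id/frag, ttl/proto/csum, src, dst
TCP = "00501234 00000000 00000000"               # ports, seq, ack
SAMPLES = {
    "ipv4_ok":         (check_ipv4, "45000014 " + IP4),
    "ipv4_not_v4":     (check_ipv4, "65000014 " + IP4),
    "ipv4_hlen_lt_20": (check_ipv4, "44000014 " + IP4),
    "ipv4_len_lt_hdr": (check_ipv4, "45000010 " + IP4),
    "ipv4_len_gt_cap": (check_ipv4, "45000100 " + IP4),
    "ipv4_bad_opt":    (check_ipv4, "46000018 " + IP4 + " 83010000"),
    "ipv4_trunc_opt":  (check_ipv4, "46000018 " + IP4 + " 83070400"),
    "tcp_ok":          (check_tcp, TCP + " 5002ffff 00000000"),
    "tcp_short":       (check_tcp, "00501234 00000000 0000"),
    "tcp_offset_4":    (check_tcp, TCP + " 4002ffff 00000000"),
    "tcp_offset_8":    (check_tcp, TCP + " 8002ffff 00000000"),
    "tcp_bad_opt":     (check_tcp, TCP + " 6002ffff 00000000 02010000"),
    "tcp_trunc_opt":   (check_tcp, TCP + " 6002ffff 00000000 080a0000"),
    "tcp_nop_eol":     (check_tcp, TCP + " 7002ffff 00000000 01010204 05b40100"),
    "udp_ok":          (check_udp, "00351234 000c0000 61626364"),
    "udp_trunc":       (check_udp, "00351234 00"),
    "udp_len_lt_8":    (check_udp, "00351234 00040000 61626364"),
    "udp_short":       (check_udp, "00351234 00200000 61626364"),
    "udp_long":        (check_udp, "00351234 00080000 61626364"),
}


def run_samples() -> dict[str, list[str]]:
    """Run every constructed sample through its decoder check."""
    return {name: fn(bytes.fromhex(hexdata)) for name, (fn, hexdata) in SAMPLES.items()}


if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:16s} {sids or 'clean'}")
```

The same functions can be pointed at the IP, TCP or UDP layer of a pcap record to predict which 116:* events Snort’s decoder would raise before the capture is replayed, which is a quick way to confirm that a suppress or event_filter entry for one of these SIDs is targeting the traffic you think it is.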

116:132 (llc) bad extra LLC info

Bad extra LLC info was detected.

116:133 (wlan) bad 802.11 LLC header

A bad 802.11 LLC header was detected.

116:134 (wlan) bad 802.11 extra LLC info

Bad 802.11 extra LLC info was detected.

116:140 (token_ring) bad Token Ring header

A bad Token Ring header was detected.

116:141 (token_ring) bad Token Ring ETHLLC header

A bad Token Ring ETHLLC header was detected.

116:142 (token_ring) bad Token Ring MRLEN header

A bad Token Ring MRLEN header was detected.

116:143 (token_ring) bad Token Ring MR header

A bad Token Ring MR header was detected.

116:150 (decode) loopback IP

A loopback IP was detected within a packet.

116:151 (decode) same src/dst IP

The same source and destination IP was detected.

116:160 (gre) GRE header length > payload length

The GRE header length is greater than the payload length.

116:161 (gre) multiple encapsulations in packet

There are multiple encapsulations within the GRE packet.

116:162 (gre) invalid GRE version

The detected GRE version field value is invalid (should be 0 or 1).

116:163 (gre) invalid GRE header

An invalid flag is set in the GRE header.

116:164 (gre) invalid GRE v.1 PPTP header

An invalid GRE v.1 PPTP header was detected.

116:165 (gre) GRE trans header length > payload length

The GRE trans header length is greater than the payload length.

116:170 (mpls) bad MPLS frame

The MPLS frame is invalid. The MPLS header length is less than the MPLS minimum frame size (4 bytes).

116:171 (mpls) MPLS label 0 appears in bottom header when not decoding as ip4

MPLS label 0 appears in the bottom header when the payload is not being decoded as an ip4 packet.

116:172 (mpls) MPLS label 1 appears in bottom header

MPLS label 1 appears in the bottom header.

116:173 (mpls) MPLS label 2 appears in bottom header when not decoding as ip6

MPLS label 2 appears in the bottom header when the payload is not being decoded as an ip6 packet.

116:174 (mpls) MPLS label 3 appears in header

MPLS label 3 (Implicit NULL Label) appears in the header.

116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header

A reserved MPLS label (4 through 15) appears in the header.

116:176 (mpls) too many MPLS headers

Too many MPLS headers were detected. (Use the mpls.max_stack_depth setting to set the maximum.)

116:180 (geneve) insufficient room for geneve header

The packet length is less than the expected GENEVE header length.

116:181 (geneve) invalid version

The version number in the GENEVE header is not valid (not equal to zero).

116:182 (geneve) invalid header

The packet length is less than the minimum GENEVE header length.

116:183 (geneve) invalid flags

There are several scenarios for this event. 1) The C flag is clear but critical options are present. 2) The C flag is set but critical options are absent. 3) If the critical header present bit is set, the option’s length cannot be 0.

116:184 (geneve) invalid options

The options length field extends past the end of the GENEVE header.

116:250 (icmp4) ICMP original IP header truncated

The ICMP error message’s original IP header is truncated.

116:251 (icmp4) ICMP version and original IP header versions differ

The IP version of the ICMP error message and the version in the original IP header it carries differ.
116:252 (icmp4) ICMP original datagram length < original IP header length

The ICMP error message's original datagram's length is less than the original IP header's length.

116:253 (icmp4) ICMP original IP payload < 64 bits

The ICMP error message's original IP packet's payload is less than 64 bits.

116:254 (icmp4) ICMP original IP payload > 576 bytes

The ICMP error message's original IP packet's payload is greater than the expected maximum of 576 bytes.

116:255 (icmp4) ICMP original IP fragmented and offset not 0

The ICMP error message's original IP packet is fragmented and its offset is not 0.

116:270 (ipv6) IPv6 packet below TTL limit

The IPv6 packet has a TTL value that is below the TTL limit.

116:271 (ipv6) IPv6 header claims to not be IPv6

The IPv6 header claims to not be an IPv6 packet.

116:272 (ipv6) IPv6 truncated extension header

The IPv6 packet has a truncated extension header.

116:273 (ipv6) IPv6 truncated header

The IPv6 packet has a truncated header.

116:274 (ipv6) IPv6 datagram length < header field

The IPv6 datagram length field is less than the header field.

116:275 (ipv6) IPv6 datagram length > captured length

The IPv6 datagram's length is greater than the captured packet's length.

116:276 (ipv6) IPv6 packet with destination address ::0

An IPv6 packet was detected with a destination address of ::0.

116:277 (ipv6) IPv6 packet with multicast source address

An IPv6 packet with a multicast source address has been detected.

116:278 (ipv6) IPv6 packet with reserved multicast destination address

An IPv6 packet with a reserved multicast destination address has been detected.
116:279 (ipv6) IPv6 header includes an undefined option type

The IPv6 header includes an undefined option type.

116:280 (ipv6) IPv6 address includes an unassigned multicast scope value

The IPv6 address includes an unassigned multicast scope value.

116:281 (ipv6) IPv6 header includes an invalid value for the next header field

The IPv6 header includes an invalid value for the next header field.

116:282 (ipv6) IPv6 header includes a routing extension header followed by a hop-by-hop header

The IPv6 header includes a routing extension header followed by a hop-by-hop header.

116:283 (ipv6) IPv6 header includes two routing extension headers

The IPv6 header includes two routing extension headers.

116:285 (icmp6) ICMPv6 packet of type 2 (message too big) with MTU field < 1280

An ICMPv6 packet of type 2 (message too big) that contains an MTU field of less than 1280 bytes has been detected.

116:286 (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code

An ICMPv6 packet of type 1 (destination unreachable) that contains a non-RFC 2463 code has been detected.

116:287 (icmp6) ICMPv6 router solicitation packet with a code not equal to 0

An ICMPv6 router solicitation packet with a code not equal to 0 has been detected.

116:288 (icmp6) ICMPv6 router advertisement packet with a code not equal to 0

An ICMPv6 router advertisement packet with a code not equal to 0 has been detected.

116:289 (icmp6) ICMPv6 router solicitation packet with the reserved field not equal to 0

An ICMPv6 router solicitation packet with the reserved field not equal to 0 has been detected.
116:290 (icmp6) ICMPv6 router advertisement packet with the reachable time field set > 1 hour

An ICMPv6 router advertisement packet with the reachable time field set to greater than 1 hour was detected.

116:291 (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux kernel attack

An IPv6-over-IPv4 tunneled packet was received whose IPv6 header is truncated, which could possibly be a Linux kernel attack.

116:292 (ipv6) IPv6 header has destination options followed by a routing header

The IPv6 header has destination options followed by a routing header.

116:293 (decode) two or more IP (v4 and/or v6) encapsulation layers present

There are two or more IP (v4 and/or v6) encapsulation layers present.

116:294 (esp) truncated encapsulated security payload header

The encapsulated security payload header was too short (less than 22 bytes).

116:295 (ipv6) IPv6 header includes an option which is too big for the containing header

The IPv6 header includes an option which is too big for the containing header.

116:296 (ipv6) IPv6 packet includes out-of-order extension headers

The IPv6 packet includes out-of-order extension headers.

116:297 (gtp) two or more GTP encapsulation layers present

There are multiple GTP encapsulation layers present.

116:298 (gtp) GTP header length is invalid

The packet data is smaller than the GTP header length, making the packet invalid.

116:400 (tcp) XMAS attack detected

An XMAS attack was detected.

116:401 (tcp) Nmap XMAS attack detected

An Nmap XMAS attack was detected.

116:402 (tcp) DOS NAPTHA vulnerability detected

(tcp) DOS NAPTHA vulnerability detected.
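The IPv6 extension-header events above (116:272, 116:273, 116:282, 116:283, 116:292, 116:296 and 116:456) all come from walking the next-header chain after the fixed 40-byte header. The following Python is an added example written for this section, not Snort's decoder: it parses a chain of constructed packets and reports those events. The functions check_ipv6_chain and build_ipv6, the max_extensions parameter, and the canonical order used for 116:296 are assumptions of this example (the order follows the RFC 8200 recommendation, with Destination Options ranked last so that "destination options before routing" counts as out of order, matching 116:292).

```python
"""Walk an IPv6 extension-header chain and report the decoder events
116:272/273/282/283/292/296/456 described in this section.
Added example for the manual; not Snort's own implementation."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP = 6

# Assumed canonical order (RFC 8200 recommendation, dest-opts ranked last).
RANK = {HOP_BY_HOP: 0, ROUTING: 1, FRAGMENT: 2, AH: 3, ESP: 4, DEST_OPTS: 5}


def ext_header_len(kind, data):
    """Byte length of the extension header at data[0:], or None if truncated."""
    if len(data) < 8:
        return None
    if kind == FRAGMENT:
        return 8                       # fixed-size header
    if kind == AH:
        return (data[1] + 2) * 4       # AH length is in 4-byte words minus 2
    return (data[1] + 1) * 8           # hop-by-hop / routing / dest-opts: 8-byte units


def check_ipv6_chain(packet, max_extensions=8):
    """Return [(gid:sid, message), ...] for the extension headers in `packet`.
    max_extensions is a parameter of this example, not a Snort setting."""
    events = []
    if len(packet) < 40:
        return [("116:273", "IPv6 truncated header")]
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in RANK:
        if next_hdr == ESP:
            chain.append(ESP)          # ESP hides everything after it
            break
        length = ext_header_len(next_hdr, packet[offset:])
        if length is None or offset + length > len(packet):
            events.append(("116:272", "IPv6 truncated extension header"))
            return events
        chain.append(next_hdr)
        next_hdr = packet[offset]      # first byte of every extension header
        offset += length
    if len(chain) > max_extensions:
        events.append(("116:456", "too many IPv6 extension headers"))
    for prev, cur in zip(chain, chain[1:]):
        if prev == ROUTING and cur == HOP_BY_HOP:
            events.append(("116:282", "routing header followed by hop-by-hop header"))
        elif prev == DEST_OPTS and cur == ROUTING:
            events.append(("116:292", "destination options followed by routing header"))
        elif RANK[cur] < RANK[prev]:
            events.append(("116:296", "out-of-order extension headers"))
    if chain.count(ROUTING) > 1:
        events.append(("116:283", "two routing extension headers"))
    return events


def build_ipv6(ext_kinds):
    """Construct a minimal IPv6 packet (constructed test data, not a capture)
    whose extension chain is `ext_kinds` and whose upper layer is TCP.
    ESP is not built here; header bodies are padding, only the chain matters."""
    kinds = list(ext_kinds) + [TCP]
    body = b""
    for kind, following in zip(kinds, kinds[1:]):
        if kind == FRAGMENT:
            body += struct.pack("!BBHI", following, 0, 0, 0)
        elif kind == AH:
            body += struct.pack("!BBHII", following, 1, 0, 0, 0)   # 12 bytes
        else:
            body += bytes([following, 0, 1, 4, 0, 0, 0, 0])        # PadN option
    src = bytes.fromhex("20010db8000000000000000000000001")   # documentation prefix
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), kinds[0], 64, src, dst) + body


if __name__ == "__main__":
    print(check_ipv6_chain(build_ipv6([DEST_OPTS, ROUTING])))
```

A real decoder additionally validates the header bodies (routing type, option TLVs), which this example skips; the chain walk alone is what decides the ordering and depth events.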
116:403 (tcp) SYN to multicast address

A SYN packet was sent to a multicast address.

116:404 (ipv4) IPv4 packet with zero TTL

An IPv4 packet was detected with a zero TTL value.

116:405 (ipv4) IPv4 packet with bad frag bits (both MF and DF set)

The IPv4 packet contains an invalid frag bits combination (both MF and DF are set).

116:406 (udp) invalid IPv6 UDP packet, checksum zero

An invalid IPv6 UDP packet was detected. The checksum value is zero.

116:407 (ipv4) IPv4 packet frag offset + length exceed maximum

The IPv4 packet's frag offset plus the datagram length field exceeds the maximum packet size (65535).

116:408 (ipv4) IPv4 packet from current net source address

The IPv4 packet's source address is from the current net (value of zero).

116:409 (ipv4) IPv4 packet to current net dest address

The IPv4 packet's destination address is to the current net (value of zero).

116:410 (ipv4) IPv4 packet from multicast source address

The IPv4 packet has a multicast source address.

116:411 (ipv4) IPv4 packet from reserved source address

The IPv4 packet has a reserved source address.

116:412 (ipv4) IPv4 packet to reserved dest address

The IPv4 packet has a reserved destination address.

116:413 (ipv4) IPv4 packet from broadcast source address

The IPv4 packet has a broadcast source address.
116:414 (ipv4) IPv4 packet to broadcast dest address

The IPv4 packet has a broadcast destination address.

116:415 (icmp4) ICMP4 packet to multicast dest address

An ICMP4 packet to a multicast destination address was detected.

116:416 (icmp4) ICMP4 packet to broadcast dest address

An ICMP4 packet to a broadcast destination address was detected.

116:418 (icmp4) ICMP4 type other

The ICMP4 packet type is not known.

116:419 (tcp) TCP urgent pointer exceeds payload length or no payload

The TCP urgent pointer exceeds the payload length or the packet has no payload.

116:420 (tcp) TCP SYN with FIN

An invalid TCP flag combination was detected (SYN and FIN).

116:421 (tcp) TCP SYN with RST

An invalid TCP flag combination was detected (SYN with RST).

116:422 (tcp) TCP PDU missing ack for established session

The TCP packet is missing the acknowledgment flag for an established session.

116:423 (tcp) TCP has no SYN, ACK, or RST

The TCP packet is invalid because it doesn't have a SYN, ACK, or RST flag set.

116:424 (pbb) truncated ethernet header

The packet length is less than the minimum ethernet header size (14 bytes).

116:424 (pbb) truncated ethernet header

A truncated ethernet header was detected.

116:425 (ipv4) truncated IPv4 header

The IPv4 header is truncated.

116:426 (icmp4) truncated ICMP4 header

The ICMP4 header is truncated.

116:427 (icmp6) truncated ICMPv6 header

The ICMPv6 header is truncated.

116:428 (ipv4) IPv4 packet below TTL limit

An IPv4 packet was received with a TTL value below the TTL limit.

116:429 (ipv6) IPv6 packet has zero hop limit

An IPv6 packet has a zero hop limit count.
116:430 (ipv4) IPv4 packet both DF and offset set

An invalid IPv4 packet was detected. The DF bit and an offset value are both set.

116:431 (icmp6) ICMPv6 type not decoded

The ICMPv6 type is unknown and not decoded.

116:432 (icmp6) ICMPv6 packet to multicast address

An ICMPv6 packet to a multicast address was detected.

116:433 (tcp) DDOS shaft SYN flood

A TCP DDOS shaft SYN flood was detected.

116:434 (icmp4) ICMP ping Nmap

An ICMP ping from Nmap was detected.

116:435 (icmp4) ICMP icmpenum v1.1.1

An ICMP icmpenum v1.1.1 packet was received (the payload length is zero and the ICMP sequence number equals 666).

116:436 (icmp4) ICMP redirect host

An ICMP host redirect packet was received.

116:437 (icmp4) ICMP redirect net

An ICMP network redirect packet was received.

116:438 (icmp4) ICMP traceroute ipopts

An ICMP packet with traceroute ipopts was detected.

116:439 (icmp4) ICMP source quench

An ICMP packet with the source quench field set was detected.

116:440 (icmp4) broadscan smurf scanner

Broadscan smurf scanner traffic was detected.

116:441 (icmp4) ICMP destination unreachable communication administratively prohibited

ICMP destination unreachable traffic was detected (communication administratively prohibited).

116:442 (icmp4) ICMP destination unreachable communication with destination host is administratively prohibited

ICMP destination unreachable traffic was detected (communication with destination host is administratively prohibited).
116:443 (icmp4) ICMP destination unreachable communication with destination network is administratively prohibited

ICMP destination unreachable traffic was detected (communication with destination network is administratively prohibited).

116:444 (ipv4) IPv4 option set

(ipv4) IPv4 option set

116:445 (udp) large UDP packet (> 4000 bytes)

A large UDP packet was received (greater than 4000 bytes).

116:446 (tcp) TCP port 0 traffic

TCP port 0 traffic was detected.

116:447 (udp) UDP port 0 traffic

UDP port 0 traffic was detected.

116:448 (ipv4) IPv4 reserved bit set

An IPv4 packet was detected that has the reserved bit set.

116:449 (decode) unassigned/reserved IP protocol

An IP packet has an unassigned/reserved IP protocol number.

116:450 (decode) bad IP protocol

An invalid/bad IP protocol number has been detected.

116:451 (icmp4) ICMP path MTU denial of service attempt

An ICMP path MTU denial of service attempt has been detected.

116:452 (icmp4) Linux ICMP header DOS attempt

A Linux ICMP header DOS attempt has been detected.

116:453 (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt

(ipv6) ISATAP-addressed IPv6 traffic spoofing attempt

116:454 (pgm) PGM nak list overflow attempt

(pgm) PGM nak list overflow attempt

116:455 (igmp) DOS IGMP IP options validation attempt

An IGMP IP options validation DOS attempt was detected.

116:456 (ipv6) too many IPv6 extension headers

The decoder detected more than the configured number of IPv6 extension headers.

116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code

An ICMPv6 packet of type 1 (destination unreachable) was received with a non-RFC 4443 code.
116:458 (ipv6) bogus fragmentation packet, possible BSD attack

An invalid fragmentation packet was detected. This could be a BSD attack.

116:459 (decode) fragment with zero length

An IP fragment was received with a zero-length payload.

116:460 (icmp6) ICMPv6 node info query/response packet with a code greater than 2

The ICMPv6 node info query/response packet has a code value greater than 2.

116:461 (ipv6) IPv6 routing type 0 extension header

An IPv6 packet was received with a routing type 0 extension header.

116:462 (erspan2) ERSpan header version mismatch

The ERSpan2 version is not equal to 1 (the value 1 signals that it is ERSpan2).

116:463 (erspan2) captured length < ERSpan type2 header length

The packet's length is less than the ERSpan2 header's minimum length (8 bytes).

116:464 (erspan3) captured < ERSpan type3 header length

The packet's length is less than the ERSpan3 header's minimum length (20 bytes).

116:465 (auth) truncated authentication header

The length of the packet received is less than the expected minimum of 16 bytes.

116:466 (auth) bad authentication header length

The authentication header length is greater than the packet data length.

116:467 (fabricpath) truncated FabricPath header

The packet header length is less than the minimum FabricPath header size of 16 bytes.

116:468 (ciscometadata) truncated Cisco Metadata header

The packet length is less than the Cisco Metadata header length.

116:469 (ciscometadata) invalid Cisco Metadata option length

The Cisco Metadata option length value is greater than zero.

116:470 (ciscometadata) invalid Cisco Metadata option type

The Cisco Metadata option type is not set to 1.
116:471 (ciscometadata) invalid Cisco Metadata security group tag

The Cisco Metadata security group tag value is invalid (0xFFFF).

116:472 (decode) too many protocols present

The decoder detected that there were too many protocols present.

116:473 (decode) ether type out of range

An ether type value is below the minimum of 0x0600 (1536) and therefore out of range.

116:474 (icmp6) ICMPv6 not encapsulated in IPv6

An ICMPv6 packet was received that was not encapsulated in IPv6.

116:475 (ipv6) IPv6 mobility header includes an invalid value for the payload protocol field

The IPv6 mobility header includes an invalid value for the payload protocol field.

119:1 (http_inspect) URI has percent-encoding of an unreserved character

URI has percent encoding of an unreserved character. The ignore_unreserved option designates specific unreserved characters that are exempted from triggering this alert.

119:2 (http_inspect) URI is percent encoded and the result is percent encoded again

URI is percent encoded and the result is percent encoded again. This alert can only be generated if the iis_double_decode option is configured.

119:3 (http_inspect) URI has non-standard %u-style Unicode encoding

URI has non-standard %u-style Unicode encoding. This alert can only be generated if the percent_u option is configured.

119:4 (http_inspect) URI has Unicode encodings containing bytes that were not percent-encoded

URI has Unicode encodings containing bytes that were not percent-encoded as required by the HTTP RFC. This is sometimes called "bare byte" encoding. This alert can only be generated if the utf8_bare_byte option is configured.
119:6 (http_inspect) URI has two-byte or three-byte UTF-8 encoding

URI has two-byte or three-byte UTF-8 encoding. This alert can only be generated if the utf8 option is configured.

119:7 (http_inspect) URI has unicode map code point encoding

URI includes a two-byte or three-byte unicode character that normalized through the unicode map to some byte other than 0xFF. This alert can only be generated if the iis_unicode option is configured.

119:8 (http_inspect) URI path contains consecutive slash characters

URI path contains consecutive slash characters, which are redundant. This alert can only be generated if the simplify_path option is configured.

119:9 (http_inspect) backslash character appears in the path portion of a URI.

The backslash character appears in the path portion of a URI. This alert can only be generated if the backslash_to_slash option is configured.

119:10 (http_inspect) URI path contains /./ pattern repeating the current directory

URI path contains the "/./" pattern repeating the current directory. Alternatively the path may end with "/." repeating the current directory. This alert can only be generated if the simplify_path option is configured.

119:11 (http_inspect) URI path contains /../ pattern moving up a directory

URI path contains the "/../" pattern moving up a directory. Alternatively the path may end with "/.." with the same effect. This alert can only be generated if the simplify_path option is configured.

119:12 (http_inspect) Tab character in HTTP start line

The HTTP start line has a tab character among the blank space separators.

119:13 (http_inspect) HTTP start line or header line terminated by LF without a CR

HTTP start line or header line terminated by LF without a CR.
119:14 (http_inspect) Normalized URI includes character from bad_characters list

Normalized URI (after percent decoding) contains a forbidden character specified by the bad_characters option.

119:15 (http_inspect) URI path contains a segment that is longer than the oversize_dir_length parameter

URI path contains a segment (directory or file name) that is longer than the oversize_dir_length parameter.

119:16 (http_inspect) chunk length exceeds configured maximum_chunk_length

Chunk length as given in the chunk header exceeds the maximum_chunk_length parameter.

119:18 (http_inspect) URI path includes /../ that goes above the root directory

The URI path has used /../ segments to go above the root of the directory tree. For example /foo/../../bar specifies an object not under the root directory /. This alert can only be generated if the simplify_path option is configured.

119:19 (http_inspect) HTTP header line exceeds 4096 bytes

HTTP header line exceeds 4096 bytes. This does not apply to the start line. Header line length includes both header field name and value.

119:20 (http_inspect) HTTP message has more than 200 header fields

HTTP message has more than 200 header fields.

119:21 (http_inspect) HTTP message has more than one Content-Length header value

HTTP message has more than one Content-Length header value. This may be multiple header lines or comma-separated values on one line.

119:24 (http_inspect) Host header field appears more than once or has multiple values

Host header field appears more than once or has multiple values.
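Events 119:8, 119:10, 119:11 and 119:18 are all raised by the same path-simplification pass that the simplify_path option enables. The Python below is an added example for this section and not http_inspect's code; it normalizes an absolute URI path segment by segment and records the events as it goes. The function name simplify_path and the choice to clamp a path that climbs above the root at "/" (so that the manual's own example /foo/../../bar normalizes to /bar) are assumptions of the example.

```python
"""Normalize a URI path and report simplify_path alerts 119:8, 119:10,
119:11 and 119:18.  Added example for the manual, not Snort code."""


def simplify_path(path):
    """Return (normalized_path, [gid:sid, ...]) for an absolute URI path.

    Assumption: climbing above the root is clamped at "/" after the
    119:18 alert, so "/foo/../../bar" becomes "/bar"."""
    events = []

    def note(sid):
        if sid not in events:          # report each alert once per path
            events.append(sid)

    segments = path.split("/")
    if path.startswith("/"):
        segments = segments[1:]        # drop the empty segment before the leading "/"
    # An empty segment anywhere but the end means two slashes in a row.
    if "" in segments[:-1]:
        note("119:8")

    stack = []
    for segment in segments:
        if segment == "":
            continue                   # redundant slash, already reported
        if segment == ".":
            note("119:10")             # "/./" inside, or "/." at the end
            continue
        if segment == "..":
            note("119:11")             # "/../" inside, or "/.." at the end
            if stack:
                stack.pop()
            else:
                note("119:18")         # nothing left to pop: above the root
            continue
        stack.append(segment)

    # A path ending in "/", "/." or "/.." names a directory, so keep a trailing slash.
    directory = path.endswith(("/", "/.", "/.."))
    normalized = "/" + "/".join(stack)
    if directory and stack:
        normalized += "/"
    return normalized, events


if __name__ == "__main__":
    for sample in ("/foo//bar", "/foo/./bar/.", "/foo/../../bar"):
        print(sample, "->", simplify_path(sample))
```

Note that the normalized form is what later checks such as 119:14 (bad_characters) and 119:15 (oversize_dir_length) operate on, which is why a rule written against the normalized URI does not need to anticipate "/./" or "//" padding.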
119:25 (http_inspect) length of HTTP Host header field value exceeds maximum_host_length option

Length of HTTP Host header field value exceeds the maximum_host_length option.

119:28 (http_inspect) HTTP POST or PUT request without content-length or chunks

HTTP request uses the POST or PUT method without delimiting the message body using either the Content-Length header or Transfer-Encoding chunked.

119:31 (http_inspect) HTTP request method is not known to Snort

HTTP request method is not known to Snort. Snort is familiar with all RFC methods and dozens of other methods.

119:32 (http_inspect) HTTP request uses primitive HTTP format known as HTTP/0.9

HTTP request uses the primitive HTTP format known as HTTP/0.9.

119:33 (http_inspect) HTTP request URI has space character that is not percent-encoded

HTTP request URI has a space character that is not percent-encoded.

119:34 (http_inspect) HTTP connection has more than 100 simultaneous pipelined requests that have not been answered

HTTP connection has more than 100 simultaneous pipelined requests that have not been answered.

119:102 (http_inspect) invalid status code in HTTP response

Invalid status code in HTTP response. Either it is outside the range 100-599 or it is not a number.

119:104 (http_inspect) HTTP response has UTF character set that failed to normalize

HTTP response has Content-Type charset=utf-16le, utf-16be, utf-32le, or utf-32be, but UTF decoding of the message body failed.

119:105 (http_inspect) HTTP response has UTF-7 character set

HTTP response has Content-Type charset=utf-7.

119:109 (http_inspect) more than one level of JavaScript obfuscation

More than one level of JavaScript obfuscation.
This alert can only be generated when the normalize_javascript configuration option is true.

119:110 (http_inspect) consecutive JavaScript whitespaces exceed maximum allowed

Consecutive whitespaces within JavaScript exceed the max_javascript_whitespaces configuration option. This alert can only be generated when the normalize_javascript configuration option is true.

119:111 (http_inspect) multiple encodings within JavaScript obfuscated data

More than one encoding within JavaScript obfuscated data. This alert can only be generated when the normalize_javascript configuration option is true.

119:112 (http_inspect) SWF file zlib decompression failure

The HTTP message body contains compressed SWF file data with errors that cannot be decompressed.

119:113 (http_inspect) SWF file LZMA decompression failure

The HTTP message body contains compressed LZMA file data with errors that cannot be decompressed.

119:114 (http_inspect) PDF file deflate decompression failure

The HTTP message body contains compressed PDF file data with errors that cannot be decompressed.

119:115 (http_inspect) PDF file unsupported compression type

The HTTP message body contains a compressed PDF file that uses a compression type other than deflate ("FlateDecode" and "Fl").

119:116 (http_inspect) PDF file with more than one compression applied

The HTTP message body contains a PDF file with more than one compression applied.

119:117 (http_inspect) PDF file parse failure

The HTTP message body contains PDF file data with an error that made the start of the PDF compressed stream unable to be located.

119:201 (http_inspect) not HTTP traffic or unrecoverable HTTP protocol error

HTTP inspector is unable to parse this flow.
Either the connection is not actually using HTTP or some sort of unrecoverable HTTP protocol error has occurred. This conclusion applies only to one direction of the flow. The opposite direction may be OK.

119:202 (http_inspect) chunk length has excessive leading zeros

Chunk length has five or more leading zeros.

119:203 (http_inspect) white space before or between HTTP messages

White space characters appear before the first HTTP message or are inserted between HTTP messages.

119:204 (http_inspect) request message without URI

HTTP request message does not include a URI. There is nothing between the method and the version except whitespace. Alternatively the 0.9 equivalent, which is GET followed by nothing except whitespace.

119:205 (http_inspect) control character in HTTP response reason phrase

The reason phrase in an HTTP response message contains a control character.

119:206 (http_inspect) illegal extra whitespace in start line

There is more than one space (or other whitespace) character between two elements of an HTTP request or status line.

119:207 (http_inspect) corrupted HTTP version

The HTTP version in the start line begins with "HTTP/" but the remainder is not in the expected <digit>.<digit> format.

119:208 (http_inspect) HTTP version in start line is not HTTP/1.0 or 1.1

The HTTP version in the start line has a valid format but is not HTTP/1.0 or HTTP/1.1. This alert does not apply to HTTP/2 or HTTP/3 traffic.

119:209 (http_inspect) format error in HTTP header

An HTTP header line contains a format error. A well-formed header consists of a field name followed by a colon followed by the field value.
119:210 (http_inspect) chunk header options present

A chunked transfer-encoded HTTP message body contains chunk extensions. A chunk extension is an optional parameter following the chunk length in the chunk header.

119:211 (http_inspect) URI badly formatted

The HTTP request URI is not well-formatted as one of the four types defined for the HTTP protocol.

119:212 (http_inspect) unrecognized type of percent encoding in URI

The HTTP URI contains an unrecognized type of percent encoding.

119:213 (http_inspect) HTTP chunk misformatted

A chunked transfer-encoded HTTP message body contains a misformatted chunk. The following conditions make a chunk misformatted: there are at least five leading whitespaces before the chunk length in the chunk header, there is an illegal character in the chunk length (expressed as a hex number in ASCII), the chunk length is longer than 32 bits, the chunk header is terminated by a lone CR (\r) without an LF (\n), the chunk header does not contain the length, or the chunk data is terminated by a character other than CR or LF.

119:214 (http_inspect) white space adjacent to chunk length

A chunked transfer-encoded HTTP message body contains a chunk header with white space adjacent to the chunk length. This covers leading and trailing whitespace.

119:215 (http_inspect) white space within header name

An HTTP header name contains whitespace.

119:216 (http_inspect) excessive gzip compression

A gzip-encoded HTTP message body was found to have an excessive compression ratio during decompression.

119:217 (http_inspect) gzip decompression failed

An error was encountered during decompression of a gzip-encoded HTTP message body.
119:218 (http_inspect) HTTP 0.9 requested followed by another request

An HTTP connection contains an HTTP 0.9 request followed by another request. There can only be one 0.9 response per connection because it ends the server-to-client connection.

119:219 (http_inspect) HTTP 0.9 request following a normal request

An HTTP connection contains an HTTP 0.9 request following a normal request.

119:220 (http_inspect) message has both Content-Length and Transfer-Encoding

An HTTP message has both Content-Length and Transfer-Encoding headers. These headers conflict since the size of the message body will be determined by either the Content-Length value or by the chunked transfer-encoding formatting.

119:221 (http_inspect) status code implying no body combined with Transfer-Encoding or nonzero Content-Length

An HTTP server sent a response with a status code implying there will be no body but also sent a Transfer-Encoding or nonzero Content-Length header. The status codes that imply no message body are the informational (1XX) codes, 204 No Content and 304 Not Modified. Transfer-Encoding and nonzero Content-Length headers indicate that there will be a message body.

119:222 (http_inspect) Transfer-Encoding not ending with chunked

The HTTP Transfer-Encoding header value does not end with "chunked". The HTTP protocol specifies that when a transfer coding is applied to a message, "chunked" must be the last transfer coding applied to the message body so that the length of the message body can be determined by the client.

119:223 (http_inspect) Transfer-Encoding with encodings before chunked

An HTTP message includes a Transfer-Encoding header value that specifies other encodings before "chunked".
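Events 119:21, 119:24, 119:220, 119:221, 119:222 and 119:223 are all about how a message's body is delimited, and they matter because two parsers that disagree on the delimiter see different request boundaries. The Python below is an added example for this section, not http_inspect's implementation: it parses the head of a constructed HTTP message and returns the events a consistent framing check would raise. The function names parse_head, list_values and check_framing and the constructed sample messages are assumptions of the example.

```python
"""Body-framing checks modelled on http_inspect events 119:21, 119:24,
119:220, 119:221, 119:222 and 119:223.  Added example for the manual,
not Snort's own code."""


def parse_head(raw):
    """Split a raw HTTP message head (bytes, CRLF lines) into the start line
    and a list of (lower-cased name, stripped value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    fields = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return lines[0], fields


def list_values(fields, name):
    """All values of one header; comma-separated members count separately,
    because 119:21 and 119:24 treat a list on one line like repeated lines."""
    values = []
    for field_name, value in fields:
        if field_name == name:
            values.extend(part.strip() for part in value.split(","))
    return values


def check_framing(raw):
    """Return the gid:sid strings for framing conflicts found in `raw`."""
    start, fields = parse_head(raw)
    events = []
    content_length = list_values(fields, "content-length")
    transfer_encoding = [v.lower() for v in list_values(fields, "transfer-encoding")]

    if len(content_length) > 1:
        events.append("119:21")
    if len(list_values(fields, "host")) > 1:
        events.append("119:24")
    if content_length and transfer_encoding:
        events.append("119:220")           # two competing body delimiters
    if transfer_encoding:
        if transfer_encoding[-1] != "chunked":
            events.append("119:222")       # chunked must be the last coding
        if "chunked" in transfer_encoding and transfer_encoding.index("chunked") > 0:
            events.append("119:223")       # codings applied before chunked

    # Response-only check: 1XX, 204 and 304 carry no body, so any delimiter conflicts.
    parts = start.split()
    if start.startswith("HTTP/") and len(parts) >= 2 and parts[1].isdigit():
        code = int(parts[1])
        no_body = 100 <= code < 200 or code in (204, 304)
        nonzero_length = any(v.isdigit() and int(v) > 0 for v in content_length)
        if no_body and (transfer_encoding or nonzero_length):
            events.append("119:221")
    return events


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    "cl_and_te": (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "no_body_204": b"HTTP/1.1 204 No Content\r\nContent-Length: 10\r\n\r\n",
}

if __name__ == "__main__":
    for label, message in SAMPLES.items():
        print(label, check_framing(message))
```

The check is deliberately strict in the same way the events are: a message that trips 119:220 or 119:21 is not "repaired" by picking one delimiter, because whichever one the inspector picks may not be the one the server picks.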
119:224 (http_inspect) misformatted HTTP traffic

The traffic contains an HTTP version, but does not contain a recognizable start line. This conclusion applies only to one direction of the flow. The opposite direction may be OK.

119:225 (http_inspect) unsupported Content-Encoding used

The HTTP Content-Encoding header contains a coding other than gzip or deflate, the codings supported for decompression.

119:226 (http_inspect) unknown Content-Encoding used

The HTTP Content-Encoding header contains an unknown coding.

119:227 (http_inspect) multiple Content-Encodings applied

The HTTP Content-Encoding header has multiple values, meaning multiple content encodings have been applied.

119:228 (http_inspect) server response before client request

An HTTP server response was seen before a corresponding client request.

119:229 (http_inspect) PDF/SWF/ZIP decompression of server response too big

The decompressed size of the PDF/SWF/ZIP file contained in the HTTP message body exceeded the configured limit. The decompression limit can be configured with file_id.decompress_buffer_size.

119:230 (http_inspect) nonprinting character in HTTP message header name

An HTTP message header field name contains a nonprinting character.

119:231 (http_inspect) bad Content-Length value in HTTP header

The HTTP Content-Length header value is not a valid decimal length.

119:232 (http_inspect) HTTP header line wrapped

The HTTP header contains a wrapped header line. This means that the header field value has been folded onto multiple lines, indicated by beginning the continuation line with a space or horizontal tab.

119:233 (http_inspect) HTTP header line terminated by CR without a LF

An HTTP header line is terminated by CR (\r) without LF (\n).
The 13085HTTP protocol specifies that header lines should be terminated by 13086CRLF (\r\n). 13087 13088119:234 (http_inspect) chunk terminated by nonstandard separator 13089 13090A chunked transfer-encoded HTTP message body contains a chunk 13091terminated by a nonstandard separator. The separator defined by the 13092protocol that should terminate each chunk is CRLF (\r\n). 13093 13094119:235 (http_inspect) chunk length terminated by LF without CR 13095 13096A chunked transfer-encoded HTTP message body contains a chunk length 13097that is terminated by LF (\n) without CR (\r). The protocol specifies 13098that chunk lengths should be terminated by CRLF (\r\n) as the line 13099separator. 13100 13101119:236 (http_inspect) more than one response with 100 status code 13102 13103An HTTP server sent more than one response with 100 Continue status 13104code. 13105 13106119:237 (http_inspect) 100 status code not in response to Expect 13107header 13108 13109An HTTP server sent a response with a status code other than 100 13110Continue in response to a request with an Expect header. The Expect 13111header informs the server that the client will send a (presumably 13112large) message body, and requests that the server send an interim 100 13113Continue response if it can handle the request. 13114 13115119:238 (http_inspect) 1XX status code other than 100 or 101 13116 13117An HTTP server sent an informational (1XX) response with a status 13118code other than 100 Continue or 101 Switching Protocols. 13119 13120119:239 (http_inspect) Expect header sent without a message body 13121 13122An HTTP client sent an Expect header without sending a request 13123message body. The Expect header informs the server that the client 13124will send a (presumably large) message body, and requests that the 13125server send an interim 100 Continue response if it can handle the 13126request. 

119:240 (http_inspect) HTTP 1.0 message with Transfer-Encoding header

An HTTP 1.0 message contains a Transfer-Encoding header, which is
disallowed for that version.

119:241 (http_inspect) Content-Transfer-Encoding used as HTTP header

The Content-Transfer-Encoding field is used as an HTTP header.
Content-Transfer-Encoding is a MIME header and is not registered as
an HTTP header.

119:242 (http_inspect) illegal field in chunked message trailers

The HTTP trailer contains a header field that is disallowed in
chunked message trailers.

119:243 (http_inspect) header field inappropriately appears twice or
has two values

The HTTP Age header field appears twice or has two values.

119:244 (http_inspect) invalid value chunked in Content-Encoding
header

An HTTP Content-Encoding header has a value of "chunked", which is
not a registered content encoding.

119:245 (http_inspect) 206 response sent to a request without a Range
header

A partial content (status code 206) response was sent to a request
without a Range header, meaning the client did not request the
message body be fragmented.

119:246 (http_inspect) HTTP in version field not all upper case

An HTTP start line contains a version field where the letters in HTTP
are not all upper case.

119:247 (http_inspect) white space embedded in critical header value

There is whitespace embedded in the Content-Length header value other
than leading and trailing whitespace.

119:248 (http_inspect) gzip compressed data followed by unexpected
non-gzip data

While decompressing a gzip-encoded message body, the zipped data
stream ended before the end of the message body, so there is
unexpected non-gzip data following the compressed data.

119:249 (http_inspect) excessive HTTP parameter key repeats

There is an HTTP parameter key that is repeated at least 100 times
within a request query.

119:250 (http_inspect) HTTP/2 Transfer-Encoding header other than
identity

There is an HTTP/2 Transfer-Encoding header value other than
identity. The HTTP/2 protocol specifies that the chunked transfer
encoding is not allowed.

119:251 (http_inspect) HTTP/2 message body overruns Content-Length
header value

An HTTP/2 message header contained a Content-Length header value, but
the actual message body transferred is larger than that value. The
Content-Length header is not used to determine the length of the
message body for HTTP/2 traffic.

119:252 (http_inspect) HTTP/2 message body smaller than
Content-Length header value

An HTTP/2 message header contained a Content-Length header value, but
the actual message body transferred is smaller than that value. The
Content-Length header is not used to determine the length of the
message body for HTTP/2 traffic.

119:253 (http_inspect) HTTP CONNECT request with a message body

An HTTP client sent a CONNECT request with a request message body.

119:254 (http_inspect) HTTP client-to-server traffic after CONNECT
request but before CONNECT response

There was traffic from an HTTP client after the client sent a CONNECT
request but before the CONNECT response from the server was received.

119:255 (http_inspect) HTTP CONNECT 2XX response with Content-Length
header

An HTTP server sent a successful (2XX) CONNECT response with a
Content-Length header.

119:256 (http_inspect) HTTP CONNECT 2XX response with
Transfer-Encoding header

An HTTP server sent a successful (2XX) CONNECT response with a
Transfer-Encoding header.

119:257 (http_inspect) HTTP CONNECT response with 1XX status code

An HTTP server sent a CONNECT response with an informational (1XX)
status code.

119:258 (http_inspect) HTTP CONNECT response before request message
completed

An HTTP CONNECT response was received before the request message from
the client was completed.

119:259 (http_inspect) malformed HTTP Content-Disposition filename
parameter

A Content-Disposition HTTP header field contains a malformed filename
parameter.

119:260 (http_inspect) HTTP Content-Length message body was truncated

The TCP connection was closed before the full HTTP message body was
transferred. The length of the full message body was determined by
the Content-Length HTTP header field.

119:261 (http_inspect) HTTP chunked message body was truncated

The TCP connection was closed before the full HTTP message body was
transferred. The message uses the chunked transfer-encoding, so this
means there was no well-formed chunk of length zero to terminate the
message.

119:262 (http_inspect) HTTP URI scheme longer than 10 characters

The scheme portion of an HTTP URI is longer than 10 characters.

119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade

A client sent a request to upgrade an HTTP/1 connection to HTTP/2.

119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade

A server granted a request to upgrade a connection from HTTP/1 to
HTTP/2.

119:265 (http_inspect) bad token in JavaScript

The JavaScript normalizer has encountered a symbol that is not
expected as part of a valid JavaScript statement, making further
normalization impossible.

119:266 (http_inspect) unexpected script opening tag in JavaScript

An HTML <script> tag must not have a nested <script> tag inside it.
If a nested tag is encountered, this alert is raised.

119:267 (http_inspect) unexpected script closing tag in JavaScript

This alert is raised when a </script> end-tag is encountered inside a
JavaScript comment or literal, which is a syntax error, as the last
comment or literal is not closed before the script ends.

119:268 (http_inspect) JavaScript code under the external script tags

When an HTML <script> tag contains a reference to an external script,
it must not contain any executable JavaScript code. This alert is
raised if executable (i.e. non-comment) code is found inside a script
tag that has an external reference.

119:269 (http_inspect) script opening tag in a short form

In HTML, a script tag must not be self-closing (written as <script />
without a following end-tag). If a self-closing "short-form" script
tag is encountered, this alert is raised.

119:270 (http_inspect) max number of unique JavaScript identifiers
reached

JavaScript normalization includes identifier substitution, which
brings arbitrary JavaScript identifiers to a common form. The number
of unique identifiers to normalize is limited, for memory
considerations, by the http_inspect.js_norm_identifier_depth
parameter. When this threshold is reached, a corresponding alert is
raised. This alert is not expected for typical network traffic and
may be an indication that an attacker is trying to exhaust resources.

119:271 (http_inspect) JavaScript bracket nesting is over capacity

In JavaScript, template literals can have substitutions, which in
turn can have nested template literals; tracking this requires a
stack for proper whitespace normalization. Also, the normalization
tracks the current bracket scope, which requires a stack as well.
When the depth of nesting exceeds the limit set in
http_inspect.js_norm_max_tmpl_nest or in
http_inspect.js_norm_max_bracket_depth, this alert is raised. This
alert is not expected for typical network traffic and may be an
indication that an attacker is trying to exhaust resources.

119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding
header

There are consecutive commas, possibly separated by whitespace, in an
HTTP Accept-Encoding header. This pattern constitutes a Microsoft
Windows HTTP protocol stack remote code execution attempt. Reference:
CVE-2021-31166.

119:273 (http_inspect) missed PDUs during JavaScript normalization

This alert is raised in the following situation: during JavaScript
normalization, intermediate PDUs can be missed and left unnormalized.
This usually happens when rules use both the file_data and js_data
IPS options and the fast-pattern (FP) search is applied to file_data.
Some PDUs don't match the file_data FP search, so JavaScript
normalization is not executed for those PDUs. Normalization of the
subsequent PDUs of inline/external scripts is then stopped for the
current request within the flow.

119:274 (http_inspect) JavaScript scope nesting is over capacity

In JavaScript, a program is split into several scopes such as the
global scope, function scope, if block, block of code, object, etc.
Scopes nest, which requires a stack to track them for proper
normalization of JavaScript identifiers. When the depth of nesting
exceeds the limit set in http_inspect.js_norm_max_scope_depth, this
alert is raised. This alert is not expected for typical network
traffic and may be an indication that an attacker is trying to
exhaust resources.
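Several of the GID 119 events above are pure header-syntax checks. The following Python is an added example, not Snort's code, that applies those checks to a raw HTTP/1 header block and returns the matching event ids. The function names, the event-to-check mapping and the sample header blocks are constructed for this illustration; it covers only the conditions named in its comments (119:220, 119:222, 119:223, 119:227, 119:230, 119:231, 119:232, 119:233, 119:241, 119:243, 119:244, 119:247 and 119:272) and makes no claim about how http_inspect orders or combines them.

```python
"""Added example (not Snort's own code): header-block checks that report
http_inspect GID 119 event ids.  All sample messages are constructed."""
import re

HDR_NAME_OK = re.compile(rb"^[!-~]+$")   # printable, non-space ASCII only


def split_header_lines(block: bytes):
    """Split a header block into lines.  CRLF and bare LF end a line; a bare CR
    not followed by LF also ends the line but is recorded as 119:233."""
    lines, events, cur, i = [], set(), bytearray(), 0
    while i < len(block):
        c = block[i]
        if c == 0x0A:                                  # LF (or the LF of CRLF)
            lines.append(bytes(cur)); cur = bytearray()
        elif c == 0x0D:
            if i + 1 < len(block) and block[i + 1] == 0x0A:
                i += 1                                 # consume the LF of CRLF
            else:
                events.add("119:233")                  # CR without LF
            lines.append(bytes(cur)); cur = bytearray()
        else:
            cur.append(c)
        i += 1
    if cur:
        lines.append(bytes(cur))
    return lines, events


def parse_headers(block: bytes):
    """Return ({lower-name: [values]}, events).  Folded continuation lines are
    joined to the previous value and reported as 119:232."""
    lines, events = split_header_lines(block)
    headers, last = {}, None
    for line in lines[1:]:                             # lines[0] is the start line
        if line == b"":
            break                                      # end of header block
        if line[:1] in (b" ", b"\t"):
            events.add("119:232")                      # wrapped header line
            if last is not None:
                headers[last][-1] += b" " + line.strip()
            continue
        name, _, value = line.partition(b":")
        if not HDR_NAME_OK.match(name):
            events.add("119:230")                      # nonprinting char in name
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return headers, events


def check_headers(block: bytes):
    """Apply the header-level rules and return the sorted list of event ids."""
    headers, events = parse_headers(block)
    cl, te = headers.get(b"content-length"), headers.get(b"transfer-encoding")
    if cl and te:
        events.add("119:220")                          # CL and TE both present
    if te:
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        if codings[-1] != b"chunked":
            events.add("119:222")                      # TE not ending with chunked
        elif len(codings) > 1:
            events.add("119:223")                      # encodings before chunked
    for v in cl or []:
        if re.search(rb"\s", v):
            events.add("119:247")                      # embedded white space
        elif not v.isdigit():
            events.add("119:231")                      # not a decimal length
    ce = headers.get(b"content-encoding")
    if ce:
        codings = [c.strip().lower() for c in b",".join(ce).split(b",")]
        if b"chunked" in codings:
            events.add("119:244")                      # chunked is not a content coding
        if len(codings) > 1:
            events.add("119:227")                      # multiple content encodings
    if b"content-transfer-encoding" in headers:
        events.add("119:241")                          # MIME header used as HTTP header
    age = headers.get(b"age", [])
    if len(age) > 1 or any(b"," in v for v in age):
        events.add("119:243")                          # Age twice or with two values
    for v in headers.get(b"accept-encoding", []):
        if re.search(rb",\s*,", v):
            events.add("119:272")                      # consecutive commas
    return sorted(events)


# Constructed sample header blocks (not captured traffic).
SAMPLES = {
    "clean":   b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
    "cl_te":   b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n",
    "te_last_gzip": b"POST / HTTP/1.1\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "te_gzip_chunked": b"POST / HTTP/1.1\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
    "folded":  b"GET / HTTP/1.1\r\nX-Long: part one\r\n part two\rHost: a\r\n\r\n",
    "bad_cl":  b"POST / HTTP/1.1\r\nContent-Length: 12abc\r\n\r\n",
    "ae":      b"GET / HTTP/1.1\r\nAccept-Encoding: gzip, , deflate\r\n\r\n",
}

if __name__ == "__main__":
    for name, block in SAMPLES.items():
        print(f"{name:16s} {check_headers(block)}")
```

The CL-plus-TE and bare-CR cases are the ones that matter most operationally: two parsers in the path (proxy and origin, or sensor and server) can disagree about where a message ends, which is why http_inspect alerts on the ambiguity instead of silently choosing one interpretation.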

121:1 (http2_inspect) invalid flag set on HTTP/2 frame

Invalid flag set on HTTP/2 frame header

121:2 (http2_inspect) HPACK integer value has leading zeros

HPACK integer value has leading zeros

121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream id

HTTP/2 stream initiated with invalid stream ID. Either the server
initiated a push promise with an odd promised stream ID, or a new
stream was opened with a stream ID that is not greater than the last
one seen on this side.

121:4 (http2_inspect) missing HTTP/2 continuation frame

HTTP/2 Headers, Continuation or Push promise frame without the
END_HEADERS flag set was not followed by a Continuation frame.

121:5 (http2_inspect) unexpected HTTP/2 continuation frame

HTTP/2 Continuation frame not preceded by a Headers, Continuation or
Push promise frame without the END_HEADERS flag.

121:6 (http2_inspect) HTTP/2 headers HPACK decoding error

HTTP/2 headers HPACK decoding error

121:7 (http2_inspect) HTTP/2 connection preface does not match

HTTP/2 connection preface does not match

121:8 (http2_inspect) HTTP/2 request missing required header field

HTTP/2 request missing required header field: CONNECT request without
authority, non-CONNECT request without a scheme, or http/https scheme
without a path.

121:9 (http2_inspect) HTTP/2 response has no status code

HTTP/2 response has no status code

121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path

HTTP/2 CONNECT request with scheme or path

121:11 (http2_inspect) error in HTTP/2 settings frame

HTTP/2 settings frame error: stream ID isn't 0, length isn't a
multiple of 6, or the ACK flag is set and length isn't 0.

121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame

Unknown parameter in HTTP/2 settings frame. Parameter identifier is
not one of the six RFC-defined values.

121:13 (http2_inspect) invalid HTTP/2 frame sequence

Invalid HTTP/2 frame sequence. Frame type is not valid for current
stream state.

121:14 (http2_inspect) HTTP/2 dynamic table has more than 512 entries

HTTP/2 dynamic table has more than 512 entries

121:15 (http2_inspect) HTTP/2 push promise frame with promised stream
ID already in use.

HTTP/2 push promise frame with promised stream ID already in use.

121:16 (http2_inspect) HTTP/2 padding length is bigger than frame
data size

HTTP/2 padding length is bigger than frame data size

121:17 (http2_inspect) HTTP/2 pseudo-header after regular header

HTTP/2 pseudo-header after regular header

121:18 (http2_inspect) HTTP/2 pseudo-header in trailers

HTTP/2 pseudo-header in trailers

121:19 (http2_inspect) invalid HTTP/2 pseudo-header

Invalid HTTP/2 pseudo-header. For a response only :status is valid.
For a request only :authority, :method, :path and :scheme are valid.
Any other pseudo-header, or seeing one of these more than once, will
trigger the alert.

121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit

HTTP/2 trailers without END_STREAM bit

121:21 (http2_inspect) HTTP/2 push promise frame sent when prohibited
by receiver

HTTP/2 push promise frame sent when prohibited by receiver. Receiver
prohibited push promise by sending a settings frame with
SETTINGS_ENABLE_PUSH 0.

121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero
length

Padding flag set on HTTP/2 frame with zero length

121:23 (http2_inspect) HTTP/2 push promise frame in client-to-server
direction

HTTP/2 push promise frame in client-to-server direction

121:24 (http2_inspect) invalid HTTP/2 push promise frame

Invalid HTTP/2 push promise frame: length is less than the promised
stream ID length.

121:25 (http2_inspect) HTTP/2 push promise frame sent at invalid time

HTTP/2 push promise frame sent at invalid time. The client didn't
send headers yet for this stream, END_STREAM was already seen on the
server side, or the server side is in an error state.

121:26 (http2_inspect) invalid parameter value sent in HTTP/2
settings frame

Invalid SETTINGS_ENABLE_PUSH value sent in HTTP/2 settings frame

121:27 (http2_inspect) excessive concurrent HTTP/2 streams

HTTP/2 flow exceeds the concurrent streams limit, as configured by
concurrent_streams_limit.

121:28 (http2_inspect) invalid HTTP/2 rst stream frame

Invalid HTTP/2 RST_STREAM frame. Stream ID is not 0 or length is not
4.

121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid time

HTTP/2 RST_STREAM frame sent at invalid time. Stream is not in idle
state, already started with a push promise or headers frame.
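The SETTINGS, padding and flag rules behind events 121:1, 121:11, 121:12, 121:16, 121:22, 121:26 and 121:28 follow directly from the HTTP/2 framing layout: a 9-byte frame header (24-bit length, 8-bit type, 8-bit flags, 31-bit stream identifier) followed by the payload. The following Python is an added example, not Snort's code, that decodes that header and applies those rules, returning event ids. The helper names and the constructed frames are this example's own; the per-type flag table and the parameter-identifier range 1..6 are taken from RFC 7540, and RST_STREAM is checked for length only.

```python
"""Added example (not Snort's own code): HTTP/2 frame header, SETTINGS,
padding and WINDOW_UPDATE checks reported as http2_inspect GID 121 ids."""
import struct

DATA, HEADERS, RST_STREAM, SETTINGS, WINDOW_UPDATE = 0x0, 0x1, 0x3, 0x4, 0x8
END_STREAM, ACK, END_HEADERS, PADDED, PRIORITY = 0x1, 0x1, 0x4, 0x8, 0x20
SETTINGS_ENABLE_PUSH = 0x2

# Flags RFC 7540 defines per frame type; any other bit is "invalid flag" (121:1).
VALID_FLAGS = {
    DATA: END_STREAM | PADDED,
    HEADERS: END_STREAM | END_HEADERS | PADDED | PRIORITY,
    RST_STREAM: 0,
    SETTINGS: ACK,
    WINDOW_UPDATE: 0,
}


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    n = len(payload)
    return struct.pack("!BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload


def parse_frame(buf: bytes):
    """Decode the 9-byte header and slice out the payload it announces."""
    hi, lo, ftype, flags, sid = struct.unpack("!BHBBI", buf[:9])
    length = (hi << 16) | lo
    return length, ftype, flags, sid & 0x7FFFFFFF, buf[9:9 + length]


def check_frame(buf: bytes):
    """Return the sorted list of event ids raised by one frame."""
    length, ftype, flags, sid, payload = parse_frame(buf)
    events = set()
    if ftype in VALID_FLAGS and flags & ~VALID_FLAGS[ftype]:
        events.add("121:1")                  # flag not defined for this frame type
    if ftype in (DATA, HEADERS) and flags & PADDED:
        if length == 0:
            events.add("121:22")             # padding flag on a zero-length frame
        elif payload[0] >= length:           # Pad Length must leave room for itself
            events.add("121:16")
    if ftype == SETTINGS:
        if sid != 0 or length % 6 != 0 or (flags & ACK and length != 0):
            events.add("121:11")
        else:
            for ident, value in struct.iter_unpack("!HI", payload):
                if not 1 <= ident <= 6:
                    events.add("121:12")     # not one of the six RFC-defined parameters
                elif ident == SETTINGS_ENABLE_PUSH and value not in (0, 1):
                    events.add("121:26")
    if ftype == RST_STREAM and length != 4:
        events.add("121:28")
    if ftype == WINDOW_UPDATE:
        if length != 4:
            events.add("121:31")
        elif struct.unpack("!I", payload)[0] & 0x7FFFFFFF == 0:
            events.add("121:32")
    return sorted(events)


# Constructed frames for the demo (not captured traffic).
SAMPLES = {
    "settings_ok": build_frame(SETTINGS, 0, 0, struct.pack("!HI", 3, 100)),
    "settings_ack_with_payload": build_frame(SETTINGS, ACK, 0, bytes(6)),
    "settings_on_stream_1": build_frame(SETTINGS, 0, 1, struct.pack("!HI", 3, 100)),
    "settings_unknown_param": build_frame(SETTINGS, 0, 0, struct.pack("!HI", 9, 1)),
    "settings_bad_push": build_frame(SETTINGS, 0, 0, struct.pack("!HI", SETTINGS_ENABLE_PUSH, 2)),
    "settings_bad_flag": build_frame(SETTINGS, PADDED, 0),
    "data_padded_empty": build_frame(DATA, PADDED, 1),
    "data_pad_too_long": build_frame(DATA, PADDED, 1, b"\x05abc"),
    "rst_short": build_frame(RST_STREAM, 0, 1, bytes(3)),
    "window_zero": build_frame(WINDOW_UPDATE, 0, 0, bytes(4)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:26s} {check_frame(frame)}")
```

A real inspector keeps per-stream state as well (the frame-sequence checks in 121:13, 121:25 and 121:29 depend on it); this block only shows the stateless part, which is also the part a sensor can evaluate on a single frame without reassembling the whole connection.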

121:30 (http2_inspect) uppercase HTTP/2 header field name

Uppercase HTTP/2 header field name

121:31 (http2_inspect) invalid HTTP/2 window update frame

HTTP/2 window update frame length is not 4

121:32 (http2_inspect) HTTP/2 window update frame with zero increment

HTTP/2 window update frame with zero increment

121:33 (http2_inspect) HTTP/2 request without a method

HTTP/2 request without a method

121:34 (http2_inspect) HTTP/2 HPACK table size update not at the
start of a header block

HTTP/2 HPACK table size update not at the start of a header block

121:35 (http2_inspect) More than two HTTP/2 HPACK table size updates
in a single header block

More than two HTTP/2 HPACK table size updates in a single header
block

121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max
value set by decoder in SETTINGS frame

HTTP/2 HPACK table size update exceeds max value set by decoder in
SETTINGS frame

122:1 (port_scan) TCP portscan

Basic one host to one host TCP portscan where multiple TCP ports are
scanned on the destination host from a single host

122:2 (port_scan) TCP decoy portscan

Decoy TCP portscan where the real scanner's host address was mixed
with multiple decoy hosts to connect to a single port multiple times

122:3 (port_scan) TCP portsweep

One host to many hosts TCP portsweep where multiple TCP ports are
scanned on each destination host

122:4 (port_scan) TCP distributed portscan

Many hosts to one host TCP distributed portscan where many hosts
connect to a single destination host and multiple ports are scanned
on the destination host

122:5 (port_scan) TCP filtered portscan

Filtered one host to one host TCP portscan where multiple firewall
filtered TCP ports are scanned on the destination host from a single
host

122:6 (port_scan) TCP filtered decoy portscan

Filtered decoy TCP portscan where the real scanner's host address was
mixed with multiple decoy hosts to connect to a single firewall
filtered port multiple times

122:7 (port_scan) TCP filtered portsweep

Filtered one host to many hosts TCP portsweep where multiple firewall
filtered TCP ports are scanned on each destination host

122:8 (port_scan) TCP filtered distributed portscan

Filtered many hosts to one host TCP distributed portscan where many
hosts connect to a single destination host and multiple firewall
filtered ports are scanned on the destination host

122:9 (port_scan) IP protocol scan

One host to one host IP protocol scan where multiple IP protocols are
scanned on the destination host from a single host

122:10 (port_scan) IP decoy protocol scan

Decoy IP protocol scan where the real scanner's host address was
mixed with multiple decoy hosts to scan IP protocols on a single host
multiple times

122:11 (port_scan) IP protocol sweep

One host to many hosts IP protocol sweep where multiple IP protocols
are scanned on each host

122:12 (port_scan) IP distributed protocol scan

Many hosts to one host distributed IP protocol scan where many hosts
attempt to scan multiple IP protocols on a single destination host

122:13 (port_scan) IP filtered protocol scan

Filtered one host to one host IP protocol scan where multiple
firewall filtered IP protocols are scanned on the destination host
from a single host

122:14 (port_scan) IP filtered decoy protocol scan

Filtered decoy IP protocol scan where the real scanner's host address
was mixed with multiple decoy hosts to scan firewall filtered IP
protocols on a single host multiple times

122:15 (port_scan) IP filtered protocol sweep

Filtered one host to many hosts IP protocol sweep where multiple
firewall filtered IP protocols are scanned on each host

122:16 (port_scan) IP filtered distributed protocol scan

Filtered many hosts to one host distributed IP protocol scan where
many hosts attempt to scan multiple firewall filtered IP protocols on
a single destination host

122:17 (port_scan) UDP portscan

Basic one host to one host UDP portscan where multiple UDP ports are
scanned on the destination host from a single host

122:18 (port_scan) UDP decoy portscan

Decoy UDP portscan where the real scanner's host address was mixed
with multiple decoy hosts to scan a single UDP port on the single
destination host multiple times

122:19 (port_scan) UDP portsweep

One host to many hosts UDP portsweep where multiple UDP ports are
scanned on each destination host from a single host

122:20 (port_scan) UDP distributed portscan

Many hosts to one host distributed UDP portscan where many hosts scan
multiple UDP ports on a single destination host

122:21 (port_scan) UDP filtered portscan

Filtered one host to one host UDP portscan where multiple firewall
filtered UDP ports are scanned on the destination host from a single
host

122:22 (port_scan) UDP filtered decoy portscan

Filtered decoy UDP portscan where the real scanner's host address was
mixed with multiple decoy hosts to scan a single firewall filtered
UDP port on the single destination host multiple times

122:23 (port_scan) UDP filtered portsweep

Filtered one host to many hosts UDP portsweep where multiple firewall
filtered UDP ports are scanned on each destination host from a single
host

122:24 (port_scan) UDP filtered distributed portscan

Filtered many hosts to one host distributed UDP portscan where many
hosts scan multiple firewall filtered UDP ports on a single
destination host

122:25 (port_scan) ICMP sweep

One host to many hosts ICMP sweep scan where multiple ICMP scans
occurred on each destination host from a single host

122:26 (port_scan) ICMP filtered sweep

Filtered one host to many hosts ICMP sweep scan where multiple ICMP
scans occurred on each firewall filtered destination host from a
single host

122:27 (port_scan) open port

open port

123:1 (stream_ip) inconsistent IP options on fragmented packets

Received inconsistent IP options on fragmented packets.

123:2 (stream_ip) teardrop attack

Received indicators of a teardrop attack on fragmented packets.

123:3 (stream_ip) short fragment, possible DOS attempt

Received short fragment, possible DOS attempt (possible
boink/bolt/jolt attack). The minimum length required to throw this
alert is specified by stream_ip.min_frag_length.

123:4 (stream_ip) fragment packet ends after defragmented packet

Overlap anomaly: fragment packet ends after defragmented packet.

123:5 (stream_ip) zero-byte fragment packet

Received a zero-byte fragment.

123:6 (stream_ip) bad fragment size, packet size is negative

Bad fragment size encountered, packet size is negative.

123:7 (stream_ip) bad fragment size, packet size is greater than
65536

Bad fragment size encountered, packet size is greater than 65536.

123:8 (stream_ip) fragmentation overlap

Fragmentation results in overlap between segments.

123:11 (stream_ip) TTL value less than configured minimum, not using
for reassembly

TTL value is less than the configured minimum, so the fragment is not
used for reassembly. The minimum TTL can be configured with
stream_ip.min_ttl.

123:12 (stream_ip) excessive fragment overlap

Fragment overlap limit exceeded; the event will be raised for all
successive fragments. The maximum number of fragment overlaps that
can occur before alerting is configurable by changing
stream_ip.max_overlaps.

123:13 (stream_ip) tiny fragment

Received a tiny fragment (less than minimum fragment length).

124:1 (smtp) attempted command buffer overflow

SMTP command exceeds the configured max_command_line_len.

124:2 (smtp) attempted data header buffer overflow

SMTP data header exceeds the configured max_header_line_len.

124:3 (smtp) attempted response buffer overflow

SMTP response exceeds the configured max_response_line_len.

124:4 (smtp) attempted specific command buffer overflow

An SMTP command that is specified in the alt_max_command_line_len
array was detected, and its length exceeds the maximum length that is
configured in the array for that command.

124:5 (smtp) unknown command

Command did not match the valid_cmds list.

124:6 (smtp) illegal command

A command listed in invalid_cmds was detected.

124:7 (smtp) attempted header name buffer overflow

SMTP header name exceeds 64 characters.

124:8 (smtp) attempted X-Link2State command buffer overflow

Microsoft Exchange X-Link2State command exceeds the maximum length of
520 characters.

124:10 (smtp) base64 decoding failed

Base64 decoding failed.

124:11 (smtp) quoted-printable decoding failed

Quoted-printable data decoding failed.

124:13 (smtp) Unix-to-Unix decoding failed

Uudecoding failed.

124:14 (smtp) Cyrus SASL authentication attack

Cyrus SASL authentication attack is detected.

124:15 (smtp) attempted authentication command buffer overflow

AUTH command exceeds the configured max_auth_command_line_len.

124:16 (smtp) file decompression failed

File decompression failed.

125:1 (ftp_server) TELNET cmd on FTP command channel

A TELNET command was detected on the FTP control channel.

125:2 (ftp_server) invalid FTP command

An invalid FTP command was detected.

125:3 (ftp_server) FTP command parameters were too long

The length of an FTP command parameter is longer than the configured
maximum parameter length.

125:4 (ftp_server) FTP command parameters were malformed

One or more FTP command parameters are malformed.

125:5 (ftp_server) FTP command parameters contained potential string
format

An FTP command parameter contained a potential format string: two or
more % signs were detected in the parameter.

125:6 (ftp_server) FTP response message was too long

FTP response message is longer than the maximum configured response
length.

125:7 (ftp_server) FTP traffic encrypted

FTP traffic is encrypted.

125:8 (ftp_server) FTP bounce attempt

FTP servers can allow an attacker to connect to arbitrary ports on
machines other than the FTP client. This is called an FTP bounce
attempt, and such an attempt has been detected.

125:9 (ftp_server) evasive (incomplete) TELNET cmd on FTP command
channel

An evasive (incomplete) TELNET command was detected on the FTP
control channel.

126:1 (telnet) consecutive Telnet AYT commands beyond threshold

Consecutive Telnet AYT (Are You There) commands were detected beyond
the configured AYT threshold limit.

126:2 (telnet) Telnet traffic encrypted

Telnet traffic is encrypted.

126:3 (telnet) Telnet subnegotiation begin command without
subnegotiation end

A Telnet subnegotiation begin command was detected without a
subnegotiation end.

128:1 (ssh) challenge-response overflow exploit

SSH challenge-response overflow exploit. The amount of data
transferred from the client is more than the configured maximum.

128:2 (ssh) SSH1 CRC32 exploit

SSH1 CRC32 exploit. The amount of data transferred from the client is
more than the configured maximum.

128:3 (ssh) server version string overflow

SSH version string is greater than the configured maximum.

128:5 (ssh) bad message direction

SSH bad message direction.

128:6 (ssh) payload size incorrect for the given payload

SSH payload size incorrect for the given payload.

128:7 (ssh) failed to detect SSH version string

Failed to detect SSH version string.

129:1 (stream_tcp) SYN on established session

Received a TCP SYN on an already established TCP session.

129:2 (stream_tcp) data on SYN packet

Data present on SYN packet.

129:3 (stream_tcp) data sent on stream not accepting data

Data was sent on a stream not accepting data. The stream is in the
TIME-WAIT, FIN-WAIT, CLOSED, or CLOSE-WAIT state.

129:4 (stream_tcp) TCP timestamp is outside of PAWS window

The TCP timestamp is outside of the PAWS (protection against wrapped
sequences) window.
13890 13891129:5 (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated) 13892 13893Bad segment, adjusted size ⇐ 0 (deprecated) 13894 13895129:6 (stream_tcp) window size (after scaling) larger than policy 13896allows 13897 13898Window size (after scaling) is larger than policy allows. 13899stream_tcp.max_window can be increased to allow for larger window 13900sizes if desired. 13901 13902129:7 (stream_tcp) limit on number of overlapping TCP packets reached 13903 13904Limit on number of overlapping TCP packets per session was reached. 13905stream_tcp.overlap_limit can be increased to allow for more overlaps 13906per session, if desired. 13907 13908129:8 (stream_tcp) data sent on stream after TCP reset sent 13909 13910Data was sent on stream after a TCP reset was sent, and the stream is 13911in CLOSED state. 13912 13913129:9 (stream_tcp) TCP client possibly hijacked, different ethernet 13914address 13915 13916TCP client is possibly hijacked, MAC addresses on received packets 13917differ from what was originally seen on this flow. 13918 13919129:10 (stream_tcp) TCP server possibly hijacked, different ethernet 13920address 13921 13922TCP server is possibly hijacked, MAC addresses on received packets 13923differ from what was originally seen on this flow. 13924 13925129:11 (stream_tcp) TCP data with no TCP flags set 13926 13927Received TCP data with no TCP flags set. 13928 13929129:12 (stream_tcp) consecutive TCP small segments exceeding 13930threshold 13931 13932Consecutive TCP small segments exceed the configured threshold. The 13933size required to be a small segment can be configured via 13934stream_tcp.small_segments.maximum_size, and the maximum number of 13935these small segments can be configured with int 13936stream_tcp.small_segments.count. 13937 13938129:13 (stream_tcp) 4-way handshake detected 13939 13940stream_tcp detected a 4-way handshake, which includes a TCP SYN 13941(without ACK) in response to the initiating client SYN. 
stream_tcp.require_3whs = 0 should be set to ensure this can be
detected in all cases.

129:14 (stream_tcp) TCP timestamp is missing

TCP timestamp is missing, which could cause a failure in PAWS
checking or RTT calculation.

129:15 (stream_tcp) reset outside window

TCP reset was requested outside window (bad RST).

129:16 (stream_tcp) FIN number is greater than prior FIN

TCP Anomaly: FIN number is greater than prior FIN while the
connection is in TIME-WAIT.

129:17 (stream_tcp) ACK number is greater than prior FIN

TCP Anomaly: ACK number is greater than prior FIN while the
connection is in FIN-WAIT-2.

129:18 (stream_tcp) data sent on stream after TCP reset received

Data was sent on stream after TCP reset received.

129:19 (stream_tcp) TCP window closed before receiving data

TCP window was closed before receiving data.

129:20 (stream_tcp) TCP session without 3-way handshake

The TCP 3-way handshake was not seen for this TCP session.

131:1 (dns) obsolete DNS RR types

DNS Response Resource Record Type is Obsolete.

131:2 (dns) experimental DNS RR types

DNS Response Resource Record Type is Experimental.

131:3 (dns) DNS client rdata txt overflow

DNS Response Resource Record Type is Client rdata Overflow.

133:2 (dce_smb) SMB - bad NetBIOS session service session type

Invalid NetBIOS session service type specified in the header. Valid
types are keep alive, request from client, positive response,
negative response, and retarget response from the server.

133:3 (dce_smb) SMB - bad SMB message type

Invalid SMB message type specified in the header. Either a request
was made by server or a response was given by client.
133:4 (dce_smb) SMB - bad SMB Id (not xffSMB for SMB1 or not xfeSMB
for SMB2)

SMB id not equal to \xffSMB for SMB1 or not \xfeSMB for SMB2.

133:5 (dce_smb) SMB - bad word count or structure size

Invalid word count for the command or structure size. SMB commands
have specific word counts; if a command's word count does not match
the required word count, this alert is raised.

133:6 (dce_smb) SMB - bad byte count

Bad byte count for the command. Either word count is zero and byte
count isn't, or byte count is not in the range of minimum and maximum
required byte count for the SMB command.

133:7 (dce_smb) SMB - bad format type

Bad format type for the SMB command.

133:8 (dce_smb) SMB - bad offset

Bad offset. The offset is counted from the beginning of the SMB
header. The offset is bad if it points to data already looked at or
after the end of the payload.

133:9 (dce_smb) SMB - zero total data count

SMB command has a field containing total amount of data to be
transmitted. If this field is zero, an alert is raised.

133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
length

NetBIOS data length value is less than size of the SMB header.

133:11 (dce_smb) SMB - remaining NetBIOS data length less than
command length

Remaining NetBIOS data length is less than SMB command length.

133:12 (dce_smb) SMB - remaining NetBIOS data length less than
command byte count

Remaining NetBIOS data length is less than the SMB command byte
count.

133:13 (dce_smb) SMB - remaining NetBIOS data length less than
command data size

Remaining NetBIOS data length is less than SMB command data size.
133:14 (dce_smb) SMB - remaining total data count less than this
command data size

Total data count is less than SMB command data size. Total data count
must always be greater than or equal to current data size.

133:15 (dce_smb) SMB - total data sent (STDu64) greater than command
total data expected

Total data sent in transaction is greater than SMB command total data
expected.

133:16 (dce_smb) SMB - byte count less than command data size
(STDu64)

Byte count in the SMB command header is less than the command data
size.

133:17 (dce_smb) SMB - invalid command data size for byte count

Byte count minus predetermined value for the SMB command is not equal
to data size.

133:18 (dce_smb) SMB - excessive tree connect requests with pending
tree connect responses

Excessive SMB tree connect requests with pending tree connect
responses. Tree connect requests queue up and wait for server
response. This alert is raised for excessive pending tree connect
requests.

133:19 (dce_smb) SMB - excessive read requests with pending read
responses

Excessive SMB read requests with pending read responses. After client
is done writing data, read request is queued and gets dequeued upon
receiving response. This alert is raised for excessive pending read
requests.

133:20 (dce_smb) SMB - excessive command chaining

Excessive command chaining. Number of SMB chained commands in a
single request is greater than or equal to the configured value.

133:21 (dce_smb) SMB - Multiple chained login requests

It is possible to chain multiple Session Setup AndX commands within
the same request. There is, however, only one place in the SMB header
to return a login handle (or Uid). Windows does not allow this
behavior, however Samba does.
This is anomalous behavior.

133:22 (dce_smb) SMB - Multiple chained tree connect requests

It is possible to chain multiple Tree Connect AndX commands within
the same request. There is, however, only one place in the SMB header
to return a tree handle (or Tid). Windows does not allow this
behavior, however Samba does. This is anomalous behavior.

133:23 (dce_smb) SMB - chained/compounded login followed by logoff

When a Session Setup AndX request is sent to the server, the server
responds with a user id or login handle. This is used by the client
in subsequent requests to indicate that it has authenticated. A
Logoff AndX request is sent by the client to indicate it wants to end
the session and invalidate the login handle. With SMB commands that
are chained after a Session Setup AndX request, the login handle
returned by the server is used for the subsequent chained commands.
The combination of a Session Setup AndX command with a chained Logoff
AndX command essentially logs in and logs off in the same request
and is anomalous behavior.

133:24 (dce_smb) SMB - chained/compounded tree connect followed by
tree disconnect

An SMB Tree Connect AndX command is used to connect to a share. The
Tree Disconnect command is used to disconnect from that share. The
combination of a Tree Connect AndX command with a chained Tree
Disconnect command essentially connects to a share and disconnects
from the same share in the same request and is anomalous behavior.

133:25 (dce_smb) SMB - chained/compounded open pipe followed by close
pipe

An SMB Open AndX or Nt Create AndX command is used to open/create a
file handle. The Close command is used to close that file handle.
The combination of an Open AndX or Nt Create AndX command with a
chained Close command essentially opens and closes the file handle
in the same request and is anomalous behavior.

133:26 (dce_smb) SMB - invalid share access

Access to an SMB share configured as invalid. The inspector looks for
a Tree Connect or Tree Connect AndX to the share.

133:27 (dce_tcp) connection oriented DCE/RPC - invalid major version

Major version contained in the connection oriented DCE/RPC header is
not equal to 5.

133:28 (dce_tcp) connection oriented DCE/RPC - invalid minor version

Minor version contained in the connection oriented DCE/RPC header is
not equal to 0.

133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type

Connection oriented DCE/RPC PDU type contained in the header is not a
valid PDU type.

133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length less
than header size

Fragment length less than connection oriented DCE/RPC header size.

133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment
length less than size needed

Connection oriented DCE/RPC remaining fragment length less than size
needed.

133:32 (dce_tcp) connection-oriented DCE/RPC - no context items
specified

In connection oriented DCE/RPC Client's Bind or Alter Context
request, there are no context items specified.

133:33 (dce_tcp) connection-oriented DCE/RPC - no transfer syntaxes
specified

In connection oriented DCE/RPC Client's Bind or Alter Context
request, there are no transfer syntaxes to go with the requested
interface.
133:34 (dce_tcp) connection-oriented DCE/RPC - fragment length on
non-last fragment less than maximum negotiated fragment transmit size
for client

Connection oriented DCE/RPC non-last fragment is less than the size
of the negotiated maximum fragment length. Most evasion techniques
try to fragment the data as much as possible and usually each
fragment comes well below the negotiated transmit size.

133:35 (dce_tcp) connection-oriented DCE/RPC - fragment length
greater than maximum negotiated fragment transmit size

Connection oriented DCE/RPC fragment length greater than maximum
negotiated fragment length.

133:36 (dce_tcp) connection-oriented DCE/RPC - alter context byte
order different from bind

Alter context byte order different from bind. The byte order of the
request data is determined by the Bind in connection-oriented DCE/RPC
for Windows. It is anomalous behavior to attempt to change the byte
order.

133:37 (dce_tcp) connection-oriented DCE/RPC - call id of non first/
last fragment different from call id established for fragmented
request

Call id of non first/last fragment different from call id established
for fragmented request in connection oriented DCE/RPC. The call id
for a set of fragments in a fragmented request should stay the same.

133:38 (dce_tcp) connection-oriented DCE/RPC - opnum of non first/
last fragment different from opnum established for fragmented request

Connection-oriented DCE/RPC opnum of non first/last fragment
different from opnum established for fragmented request. The
operation number specifies which function the request is calling on
the bound interface. If a request is fragmented, this number should
stay the same for all fragments.
133:39 (dce_tcp) connection-oriented DCE/RPC - context id of non
first/last fragment different from context id established for
fragmented request

Connection-oriented DCE/RPC context id of non first/last fragment
different from context id established for fragmented request. The
context id is a handle to an interface that was bound to. If a
request is fragmented, this number should stay the same for all
fragments.

133:40 (dce_udp) connection-less DCE/RPC - invalid major version

Connection-less DCE/RPC invalid major version. Major version is not
equal to 4.

133:41 (dce_udp) connection-less DCE/RPC - invalid PDU type

Connection-less DCE/RPC PDU type is not a valid PDU type.

133:42 (dce_udp) connection-less DCE/RPC - data length less than
header size

Connection-less DCE/RPC packet data length is less than size of the
header.

133:43 (dce_udp) connection-less DCE/RPC - bad sequence number

Connection-less DCE/RPC bad sequence number. The sequence number used
in a request is the same or less than a previously used sequence
number on the session.

133:44 (dce_smb) SMB - invalid SMB version 1 seen

Invalid SMB version 1 seen.

133:45 (dce_smb) SMB - invalid SMB version 2 seen

Invalid SMB version 2 seen.

133:46 (dce_smb) SMB - invalid user, tree connect, file binding

SMB invalid user, tree connect, file binding seen.

133:47 (dce_smb) SMB - excessive command compounding

SMB excessive command compounding seen.

133:48 (dce_smb) SMB - zero data count

SMB Data count is zero.

133:50 (dce_smb) SMB - maximum number of outstanding requests
exceeded

Maximum number of outstanding SMB requests exceeded.
133:51 (dce_smb) SMB - outstanding requests with same MID

Multiple outstanding SMB requests with same MID. When a client sends
a request it uses a value called the MID (multiplex id) to match a
response, which the server is supposed to echo, to a request.

133:52 (dce_smb) SMB - deprecated dialect negotiated

Deprecated dialect negotiated. In the Negotiate request a client
gives a list of SMB dialects it supports, normally in order from
least desirable to most desirable, and the server responds with the
index of the dialect to be used on the SMB session. If the client
doesn't offer it as a supported dialect or the server chooses a
lesser dialect, a deprecated dialect has been negotiated.

133:53 (dce_smb) SMB - deprecated command used

Deprecated SMB command used. There are a number of commands that are
considered deprecated and/or obsolete by Microsoft (see MS-CIFS and
MS-SMB). Detected use of a deprecated/obsolete command.

133:54 (dce_smb) SMB - unusual command used

Unusual SMB command used. There are some commands considered unusual
in the context they are used, such as:
TRANS_READ_NMPIPE/TRANS_WRITE_NMPIPE/TRANS2_OPEN2/NT_TRANSACT_CREATE.

133:55 (dce_smb) SMB - invalid setup count for command

Transaction SMB commands have a setup count field that indicates the
word count in the transaction setup. An alert is raised if the setup
count is invalid for the transaction command.

133:56 (dce_smb) SMB - client attempted multiple dialect negotiations
on session

Client attempted multiple SMB dialect negotiations on session. There
can be only one Negotiate transaction per session, and it is the first
thing a client and server do to determine the SMB dialect each
supports.
133:57 (dce_smb) SMB - client attempted to create or set a file's
attributes to readonly/hidden/system

SMB client attempted to create or set a file's attributes to
readonly/hidden/system. Malware will often set a file's attributes to
ReadOnly/Hidden/System if it is successful in installing itself as a
Windows service or is able to write an autorun.inf file, since it
doesn't want the user to see the file and the default folder option
in Windows is not to display hidden files.

133:58 (dce_smb) SMB - file offset provided is greater than file size
specified

SMB file offset provided is greater than file size specified.

133:59 (dce_smb) SMB - next command specified in SMB2 header is
beyond payload boundary

SMB protocol allows multiple SMB commands to be grouped in a single
packet. Next command specified in SMB2 header is greater than the
payload boundary.

134:1 (latency) rule tree suspended due to latency

(latency) rule tree suspended due to latency

134:2 (latency) rule tree re-enabled after suspend timeout

(latency) rule tree re-enabled after suspend timeout

134:3 (latency) packet fastpathed due to latency

(latency) packet fastpathed due to latency

135:1 (stream) TCP SYN received

A TCP SYN was received.

135:2 (stream) TCP session established

A TCP session was established.

135:3 (stream) TCP session cleared

A TCP session was cleared.

136:1 (reputation) packets blocked based on source

The flow was blocked based on the source IP address, since it appears
on the IP reputation block list. Configure either the discovery
filter, or the reputation IP lists to change this behavior.
136:2 (reputation) packets trusted based on source

The flow was trusted based on the source IP address, since it appears
on the IP reputation trust list. Configure either the discovery
filter, or the reputation IP lists to change this behavior.

136:3 (reputation) packets monitored based on source

The flow was monitored based on the source IP address, since it
appears on the IP reputation monitor list. Configure either the
discovery filter, or the reputation IP lists to change this behavior.

136:4 (reputation) packets blocked based on destination

The flow was blocked based on the destination IP address, since it
appears on the IP reputation block list. If the flow contained proxy
traffic, the IP address could also be the address of the
(inner-layer) proxied connection. Configure either the discovery
filter, or the reputation IP lists to change this behavior.

136:5 (reputation) packets trusted based on destination

The flow was trusted based on the destination IP address, since it
appears on the IP reputation trust list. If the flow contained proxy
traffic, the IP address could also be the address of the
(inner-layer) proxied connection. Configure either the discovery
filter, or the reputation IP lists to change this behavior.

136:6 (reputation) packets monitored based on destination

The flow was monitored (passed to further inspection) based on the
destination IP address, since it appears on the IP reputation monitor
list. If the flow contained proxy traffic, the IP address could also
be the address of the (inner-layer) proxied connection. Configure
either the discovery filter, or the reputation IP lists to change
this behavior.
137:1 (ssl) invalid client HELLO after server HELLO detected

An invalid SSL client HELLO was received after an SSL server HELLO
has been detected.

137:2 (ssl) invalid server HELLO without client HELLO detected

An invalid SSL server HELLO was received without an SSL client HELLO
having been detected.

137:3 (ssl) heartbeat read overrun attempt detected

An SSL heartbeat read overrun attempt has been detected.

137:4 (ssl) large heartbeat response detected

A large SSL heartbeat response was detected.

140:2 (sip) empty request URI

SIP Request_URI header field is empty.

140:3 (sip) URI is too long

SIP Request_URI header field is larger than the defined length in
configuration.

140:4 (sip) empty call-Id

SIP Call-ID header field is empty.

140:5 (sip) Call-Id is too long

SIP Call-ID header field is larger than the defined length in
configuration.

140:6 (sip) CSeq number is too large or negative

SIP header field CSeq number is too large or negative. The CSeq
number value must be expressible as a 32-bit unsigned integer and
must be less than 2^31.

140:7 (sip) request name in CSeq is too long

The request name in the CSeq is larger than the defined length in
configuration.

140:8 (sip) empty From header

SIP From header field is empty.

140:9 (sip) From header is too long

SIP From field in header is larger than the defined length in
configuration.

140:10 (sip) empty To header

SIP To field in header is empty.

140:11 (sip) To header is too long

SIP To field in header is larger than the defined length in
configuration.

140:12 (sip) empty Via header

SIP Via field in header is empty.
140:13 (sip) Via header is too long

SIP Via field in header is larger than the defined length in
configuration.

140:14 (sip) empty Contact

SIP Contact field in header is empty.

140:15 (sip) contact is too long

SIP Contact field in header is larger than the defined length in
configuration.

140:16 (sip) content length is too large or negative

SIP content length is too large or negative.

140:17 (sip) multiple SIP messages in a packet

SIP packet has multiple requests in a single packet.

140:18 (sip) content length mismatch

Inconsistencies present between the Content-Length in SIP header and
actual body data.

140:19 (sip) request name is invalid

SIP request name field is invalid in response.

140:20 (sip) Invite replay attack

SIP received an authenticated INVITE message, but no challenge from
the server was received. This is the case of an INVITE replay attack.

140:21 (sip) illegal session information modification

SIP received an authenticated INVITE message, but session information
has been changed. This is different from re-INVITE, where the dialog
has been established and authenticated.

140:22 (sip) response status code is not a 3 digit number

SIP response status code is not a 3 digit number.

140:23 (sip) empty Content-type header

SIP Content-type header field is empty.

140:24 (sip) SIP version is invalid

SIP version is invalid. SIP version other than 1.0, 1.1, and 2.0 is
invalid.

140:25 (sip) mismatch in METHOD of request and the CSEQ header

Mismatch in method of request and the CSEQ header detected.

140:26 (sip) method is unknown

SIP method is unknown.
140:27 (sip) maximum dialogs within a session reached

The number of SIP dialogs in the stream session exceeds the maximum
value.

141:1 (imap) unknown IMAP3 command

Unknown IMAP3 command is detected.

141:2 (imap) unknown IMAP3 response

Unknown IMAP3 response is detected.

141:4 (imap) base64 decoding failed

Base64 decoding failed.

141:5 (imap) quoted-printable decoding failed

Quoted-printable decoding failed.

141:7 (imap) Unix-to-Unix decoding failed

Uudecoding failed.

141:8 (imap) file decompression failed

File decompression failed.

142:1 (pop) unknown POP3 command

Unknown POP3 command is detected.

142:2 (pop) unknown POP3 response

Unknown POP3 response is detected.

142:4 (pop) base64 decoding failed

Base64 decoding failed.

142:5 (pop) quoted-printable decoding failed

Quoted-printable decoding failed.

142:7 (pop) Unix-to-Unix decoding failed

Uudecoding failed.

142:8 (pop) file decompression failed

File decompression failed.
143:1 (gtp_inspect) message length is invalid

gtp_inspect detected an invalid message length.

143:2 (gtp_inspect) information element length is invalid

gtp_inspect detected an invalid information element length.

143:3 (gtp_inspect) information elements are out of order

gtp_inspect detected information elements that are out of order.

143:4 (gtp_inspect) TEID is missing

gtp_inspect detected a tunnel endpoint identifier of zero.

144:1 (modbus) length in Modbus MBAP header does not match the length
needed for the given function

Length in Modbus MBAP header does not match the length needed for the
given function, or a length mismatch was discovered while parsing the
PDU.

144:2 (modbus) Modbus protocol ID is non-zero

Modbus protocol ID is non-zero.

144:3 (modbus) reserved Modbus function code in use

Modbus using reserved function code.

145:1 (dnp3) DNP3 link-layer frame contains bad CRC

DNP3 link-layer frame contains bad CRC.

145:2 (dnp3) DNP3 link-layer frame is truncated or frame length is
invalid

DNP3 link-layer frame is truncated or frame length is invalid.

145:3 (dnp3) DNP3 transport-layer segment sequence number is
incorrect

DNP3 transport-layer segment sequence number is incorrect.

145:4 (dnp3) DNP3 transport-layer segment flag violation is detected

DNP3 transport-layer segment flag violation is detected: FIR flag was
set in a middle fragment.

145:5 (dnp3) DNP3 link-layer frame uses a reserved address

DNP3 link-layer frame uses a reserved address (0xFFF0 to 0xFFFB).

145:6 (dnp3) DNP3 application-layer fragment uses a reserved function
code

DNP3 application-layer fragment uses an undefined function code.
Defined function codes: Requests (0 to 33) and Responses (129 to 131).
148:1 (cip) CIP data is malformed

(cip) CIP data is malformed

148:2 (cip) CIP data is non-conforming to ODVA standard

(cip) CIP data is non-conforming to ODVA standard

148:3 (cip) CIP connection limit exceeded. Least recently used
connection removed

(cip) CIP connection limit exceeded. Least recently used connection
removed

148:4 (cip) CIP unconnected request limit exceeded. Oldest request
removed

(cip) CIP unconnected request limit exceeded. Oldest request removed

149:1 (s7commplus) length in S7commplus MBAP header does not match
the length needed for the given S7commplus function

(s7commplus) length in S7commplus MBAP header does not match the
length needed for the given S7commplus function

149:2 (s7commplus) S7commplus protocol ID is non-zero

(s7commplus) S7commplus protocol ID is non-zero

149:3 (s7commplus) reserved S7commplus function code in use

(s7commplus) reserved S7commplus function code in use

150:1 (file_id) file not processed due to per flow limit

(file_id) file not processed due to per flow limit

151:1 (iec104) Length in IEC104 APCI header does not match the length
needed for the given IEC104 ASDU type id

(iec104) Length in IEC104 APCI header does not match the length
needed for the given IEC104 ASDU type id

151:2 (iec104) IEC104 Start byte does not match 0x68

(iec104) IEC104 Start byte does not match 0x68

151:3 (iec104) Reserved IEC104 ASDU type id in use

(iec104) Reserved IEC104 ASDU type id in use

151:4 (iec104) IEC104 APCI U Reserved field contains a non-default
value

(iec104) IEC104 APCI U Reserved field contains a non-default value

151:5 (iec104) IEC104 APCI U message type was set to an invalid value

(iec104) IEC104 APCI U message type was set to an invalid value

151:6 (iec104) IEC104 APCI S Reserved field contains a non-default
value

(iec104) IEC104 APCI S Reserved field contains a non-default value

151:7 (iec104) IEC104 APCI I number of elements set to zero

(iec104) IEC104 APCI I number of elements set to zero

151:8 (iec104) IEC104 APCI I SQ bit set on an ASDU that does not
support the feature

(iec104) IEC104 APCI I SQ bit set on an ASDU that does not support
the feature

151:9 (iec104) IEC104 APCI I number of elements set to greater than
one on an ASDU that does not support the feature

(iec104) IEC104 APCI I number of elements set to greater than one on
an ASDU that does not support the feature

151:10 (iec104) IEC104 APCI I Cause of Initialization set to a
reserved value

(iec104) IEC104 APCI I Cause of Initialization set to a reserved
value

151:11 (iec104) IEC104 APCI I Qualifier of Interrogation Command set
to a reserved value

(iec104) IEC104 APCI I Qualifier of Interrogation Command set to a
reserved value

151:12 (iec104) IEC104 APCI I Qualifier of Counter Interrogation
Command request parameter set to a reserved value

(iec104) IEC104 APCI I Qualifier of Counter Interrogation Command
request parameter set to a reserved value

151:13 (iec104) IEC104 APCI I Qualifier of Parameter of Measured
Values kind of parameter set to a reserved value

(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values kind
of parameter set to a reserved value

151:14 (iec104) IEC104 APCI I Qualifier of Parameter of Measured
Values local parameter change set to a technically valid but unused
value

(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values
local parameter change set to a technically valid but unused value
151:15 (iec104) IEC104 APCI I Qualifier of Parameter of Measured
Values parameter option set to a technically valid but unused value

(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values
parameter option set to a technically valid but unused value

151:16 (iec104) IEC104 APCI I Qualifier of Parameter Activation set
to a reserved value

(iec104) IEC104 APCI I Qualifier of Parameter Activation set to a
reserved value

151:17 (iec104) IEC104 APCI I Qualifier of Command set to a reserved
value

(iec104) IEC104 APCI I Qualifier of Command set to a reserved value

151:18 (iec104) IEC104 APCI I Qualifier of Reset Process set to a
reserved value

(iec104) IEC104 APCI I Qualifier of Reset Process set to a reserved
value

151:19 (iec104) IEC104 APCI I File Ready Qualifier set to a reserved
value

(iec104) IEC104 APCI I File Ready Qualifier set to a reserved value

151:20 (iec104) IEC104 APCI I Section Ready Qualifier set to a
reserved value

(iec104) IEC104 APCI I Section Ready Qualifier set to a reserved
value

151:21 (iec104) IEC104 APCI I Select and Call Qualifier set to a
reserved value

(iec104) IEC104 APCI I Select and Call Qualifier set to a reserved
value

151:22 (iec104) IEC104 APCI I Last Section or Segment Qualifier set
to a reserved value

(iec104) IEC104 APCI I Last Section or Segment Qualifier set to a
reserved value

151:23 (iec104) IEC104 APCI I Acknowledge File or Section Qualifier
set to a reserved value

(iec104) IEC104 APCI I Acknowledge File or Section Qualifier set to a
reserved value

151:24 (iec104) IEC104 APCI I Structure Qualifier set on a message
where it should have no effect

(iec104) IEC104 APCI I Structure Qualifier set on a message where it
should have no effect

151:25 (iec104) IEC104 APCI I Single Point Information Reserved field
contains a non-default value

(iec104) IEC104 APCI I Single Point Information Reserved field
contains a non-default value

151:26 (iec104) IEC104 APCI I Double Point Information Reserved field
contains a non-default value

(iec104) IEC104 APCI I Double Point Information Reserved field
contains a non-default value

151:27 (iec104) IEC104 APCI I Cause of Transmission set to a reserved
value

(iec104) IEC104 APCI I Cause of Transmission set to a reserved value

151:28 (iec104) IEC104 APCI I Cause of Transmission set to a value
not allowed for the ASDU

(iec104) IEC104 APCI I Cause of Transmission set to a value not
allowed for the ASDU

151:29 (iec104) IEC104 APCI I invalid two octet common address value
detected

(iec104) IEC104 APCI I invalid two octet common address value
detected

151:30 (iec104) IEC104 APCI I Quality Descriptor Structure Reserved
field contains a non-default value

(iec104) IEC104 APCI I Quality Descriptor Structure Reserved field
contains a non-default value

151:31 (iec104) IEC104 APCI I Quality Descriptor for Events of
Protection Equipment Structure Reserved field contains a non-default
value

(iec104) IEC104 APCI I Quality Descriptor for Events of Protection
Equipment Structure Reserved field contains a non-default value

151:32 (iec104) IEC104 APCI I IEEE STD 754 value results in NaN

(iec104) IEC104 APCI I IEEE STD 754 value results in NaN

151:33 (iec104) IEC104 APCI I IEEE STD 754 value results in infinity

(iec104) IEC104 APCI I IEEE STD 754 value results in infinity

151:34 (iec104) IEC104 APCI I Single Event of Protection Equipment
Structure Reserved field contains a non-default value
14877(iec104) IEC104 APCI I Single Event of Protection Equipment Structure 14878Reserved field contains a non-default value 14879 14880151:35 (iec104) IEC104 APCI I Start Event of Protection Equipment 14881Structure Reserved field contains a non-default value 14882 14883(iec104) IEC104 APCI I Start Event of Protection Equipment Structure 14884Reserved field contains a non-default value 14885 14886151:36 (iec104) IEC104 APCI I Output Circuit Information Structure 14887Reserved field contains a non-default value 14888 14889(iec104) IEC104 APCI I Output Circuit Information Structure Reserved 14890field contains a non-default value 14891 14892151:37 (iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern 14893detected 14894 14895(iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern detected 14896 14897151:38 (iec104) IEC104 APCI I Single Command Structure Reserved field 14898contains a non-default value 14899 14900(iec104) IEC104 APCI I Single Command Structure Reserved field 14901contains a non-default value 14902 14903151:39 (iec104) IEC104 APCI I Double Command Structure contains an 14904invalid value 14905 14906(iec104) IEC104 APCI I Double Command Structure contains an invalid 14907value 14908 14909151:40 (iec104) IEC104 APCI I Regulating Step Command Structure 14910Reserved field contains a non-default value 14911 14912(iec104) IEC104 APCI I Regulating Step Command Structure Reserved 14913field contains a non-default value 14914 14915151:41 (iec104) IEC104 APCI I Time2a Millisecond set outside of the 14916allowable range 14917 14918(iec104) IEC104 APCI I Time2a Millisecond set outside of the 14919allowable range 14920 14921151:42 (iec104) IEC104 APCI I Time2a Minute set outside of the 14922allowable range 14923 14924(iec104) IEC104 APCI I Time2a Minute set outside of the allowable 14925range 14926 14927151:43 (iec104) IEC104 APCI I Time2a Minute Reserved field contains a 14928non-default value 14929 14930(iec104) IEC104 APCI I Time2a Minute Reserved field 
contains a 14931non-default value 14932 14933151:44 (iec104) IEC104 APCI I Time2a Hours set outside of the 14934allowable range 14935 14936(iec104) IEC104 APCI I Time2a Hours set outside of the allowable 14937range 14938 14939151:45 (iec104) IEC104 APCI I Time2a Hours Reserved field contains a 14940non-default value 14941 14942(iec104) IEC104 APCI I Time2a Hours Reserved field contains a 14943non-default value 14944 14945151:46 (iec104) IEC104 APCI I Time2a Day of Month set outside of the 14946allowable range 14947 14948(iec104) IEC104 APCI I Time2a Day of Month set outside of the 14949allowable range 14950 14951151:47 (iec104) IEC104 APCI I Time2a Month set outside of the 14952allowable range 14953 14954(iec104) IEC104 APCI I Time2a Month set outside of the allowable 14955range 14956 14957151:48 (iec104) IEC104 APCI I Time2a Month Reserved field contains a 14958non-default value 14959 14960(iec104) IEC104 APCI I Time2a Month Reserved field contains a 14961non-default value 14962 14963151:49 (iec104) IEC104 APCI I Time2a Year set outside of the 14964allowable range 14965 14966(iec104) IEC104 APCI I Time2a Year set outside of the allowable range 14967 14968151:50 (iec104) IEC104 APCI I Time2a Year Reserved field contains a 14969non-default value 14970 14971(iec104) IEC104 APCI I Time2a Year Reserved field contains a 14972non-default value 14973 14974151:51 (iec104) IEC104 APCI I a null Length of Segment value has been 14975detected 14976 14977(iec104) IEC104 APCI I a null Length of Segment value has been 14978detected 14979 14980151:52 (iec104) IEC104 APCI I an invalid Length of Segment value has 14981been detected 14982 14983(iec104) IEC104 APCI I an invalid Length of Segment value has been 14984detected 14985 14986151:53 (iec104) IEC104 APCI I Status of File set to a reserved value 14987 14988(iec104) IEC104 APCI I Status of File set to a reserved value 14989 14990151:54 (iec104) IEC104 APCI I Qualifier of Set Point Command ql field 14991set to a reserved value 
14992 14993(iec104) IEC104 APCI I Qualifier of Set Point Command ql field set to 14994a reserved value 14995 14996175:1 (domain_filter) configured domain detected 14997 14998(domain_filter) configured domain detected 14999 15000256:1 (dpx) too much data sent to port 15001 15002(dpx) too much data sent to port 15003 15004 1500511.8. Command Set 15006 15007-------------- 15008 15009 * appid.enable_debug(proto, src_ip, src_port, dst_ip, dst_port): 15010 enable appid debugging 15011 * appid.disable_debug(): disable appid debugging 15012 * appid.reload_third_party(): reload appid third-party module 15013 * appid.reload_detectors(): reload appid detectors 15014 * host_cache.dump(file_name): dump host cache 15015 * host_cache.delete_host(host_ip): delete host from host cache 15016 * host_cache.delete_network_proto(host_ip, proto): delete network 15017 protocol from host 15018 * host_cache.delete_transport_proto(host_ip, proto): delete 15019 transport protocol from host 15020 * host_cache.delete_service(host_ip, port, proto): delete service 15021 from host 15022 * host_cache.delete_client(host_ip, id, service, version): delete 15023 client from host 15024 * host_cache.get_stats(): get current host cache usage and pegs 15025 * packet_capture.enable(filter, group): dump raw packets 15026 * packet_capture.disable(): stop packet dump 15027 * packet_tracer.enable(proto, src_ip, src_port, dst_ip, dst_port): 15028 enable packet tracer debugging 15029 * packet_tracer.disable(): disable packet tracer 15030 * perf_monitor.enable_flow_ip_profiling(seconds, packets): enable 15031 statistics on host pairs 15032 * perf_monitor.disable_flow_ip_profiling(): disable statistics on 15033 host pairs 15034 * perf_monitor.show_flow_ip_profiling(): show status of statistics 15035 on host pairs 15036 * rna.dump_macs(): dump rna’s internal MAC trackers 15037 * rna.delete_mac_host(mac): delete a MAC from rna’s MAC cache 15038 * rna.delete_mac_host_proto(mac, proto): delete a protocol 15039 
associated with a MAC host 15040 * rna.purge_data(): purge all host cache and mac cache data 15041 * snort.show_plugins(): show available plugins 15042 * snort.delete_inspector(inspector): delete an inspector from the 15043 default policy 15044 * snort.dump_stats(): show summary statistics 15045 * snort.reset_stats(): clear summary statistics 15046 * snort.rotate_stats(): roll perfmonitor log files 15047 * snort.reload_config(filename): load new configuration 15048 * snort.reload_policy(filename): reload part or all of the default 15049 policy 15050 * snort.reload_module(module): reload module 15051 * snort.reload_daq(): reload daq module 15052 * snort.reload_hosts(filename): load a new hosts table 15053 * snort.pause(): suspend packet processing 15054 * snort.resume(pkt_num): continue packet processing. If number of 15055 packets is specified, will resume for n packets and pause 15056 * snort.detach(): detach from control shell (without shutting down) 15057 * snort.quit(): shutdown and dump-stats 15058 * snort.help(): this output 15059 * trace.set(modules, constraints, ntuple, timestamp): set modules 15060 traces, constraints, ntuple and timestamp options 15061 * trace.clear(): clear modules traces and constraints 15062 15063 1506411.9. Signals 15065 15066-------------- 15067 15068Important 15069 15070Signal numbers are for the system that generated this documentation 15071and are not applicable elsewhere. 15072 15073 * term(15): shutdown normally 15074 * int(2): shutdown normally 15075 * quit(3): shutdown as if started with --dirty-pig 15076 * stats(10): dump stats to stdout 15077 * rotate(12): rotate stats files 15078 * reload(1): reload config file 15079 * hosts(23): reload hosts file 15080 15081 1508211.10. 
Module Listing 15083 15084-------------- 15085 15086 * ack (ips_option): rule option to match on TCP ack numbers 15087 * active (basic): configure responses 15088 * address_space_selector (policy_selector): configure traffic 15089 processing based on address space 15090 * alert_csv (logger): output event in csv format 15091 * alert_ex (logger): output gid:sid:rev for alerts 15092 * alert_fast (logger): output event with brief text format 15093 * alert_full (logger): output event with full packet dump 15094 * alert_json (logger): output event in json format 15095 * alert_syslog (logger): output event to syslog 15096 * alert_talos (logger): output event in Talos alert format 15097 * alert_unixsock (logger): output event over unix socket 15098 * alerts (basic): configure alerts 15099 * appid (inspector): application and service identification 15100 * appid_listener (inspector): log selected published data to 15101 appid_listener.log 15102 * appids (ips_option): detection option for application ids 15103 * arp (codec): support for address resolution protocol 15104 * arp_spoof (inspector): detect ARP attacks and anomalies 15105 * asn1 (ips_option): rule option for asn1 detection 15106 * attribute_table (basic): configure hosts loading 15107 * auth (codec): support for IP authentication header 15108 * back_orifice (inspector): back orifice detection 15109 * base64_decode (ips_option): rule option to decode base64 data - 15110 must be used with base64_data option 15111 * ber_data (ips_option): rule option to move to the data for a 15112 specified BER element 15113 * ber_skip (ips_option): rule option to skip BER element 15114 * binder (inspector): configure processing based on CIDRs, ports, 15115 services, etc. 
15116 * bufferlen (ips_option): rule option to check length of current 15117 buffer 15118 * byte_extract (ips_option): rule option to convert data to an 15119 integer variable 15120 * byte_jump (ips_option): rule option to move the detection cursor 15121 * byte_math (ips_option): rule option to perform mathematical 15122 operations on extracted value and a specified value or existing 15123 variable 15124 * byte_test (ips_option): rule option to convert data to integer 15125 and compare 15126 * cip (inspector): cip inspection 15127 * cip_attribute (ips_option): detection option to match CIP 15128 attribute 15129 * cip_class (ips_option): detection option to match CIP class 15130 * cip_conn_path_class (ips_option): detection option to match CIP 15131 Connection Path Class 15132 * cip_instance (ips_option): detection option to match CIP instance 15133 * cip_req (ips_option): detection option to match CIP request 15134 * cip_rsp (ips_option): detection option to match CIP response 15135 * cip_service (ips_option): detection option to match CIP service 15136 * cip_status (ips_option): detection option to match CIP response 15137 status 15138 * ciscometadata (codec): support for cisco metadata 15139 * classifications (basic): define rule categories with priority 15140 * classtype (ips_option): general rule option for rule 15141 classification 15142 * content (ips_option): payload rule option for basic pattern 15143 matching 15144 * cpeos_test (inspector): for testing CPE OS RNA event generation 15145 * cvs (ips_option): payload rule option for detecting specific 15146 attacks 15147 * daq (basic): configure packet acquisition interface 15148 * data_log (inspector): log selected published data to data.log 15149 * dce_http_proxy (inspector): dce over http inspection - client to/ 15150 from proxy 15151 * dce_http_server (inspector): dce over http inspection - proxy to/ 15152 from server 15153 * dce_iface (ips_option): detection option to check dcerpc 15154 interface 15155 * 
dce_opnum (ips_option): detection option to check dcerpc 15156 operation number 15157 * dce_smb (inspector): dce over smb inspection 15158 * dce_stub_data (ips_option): sets the cursor to dcerpc stub data 15159 * dce_tcp (inspector): dce over tcp inspection 15160 * dce_udp (inspector): dce over udp inspection 15161 * decode (basic): general decoder rules 15162 * detection (basic): configure general IPS rule processing 15163 parameters 15164 * detection_filter (ips_option): rule option to require multiple 15165 hits before a rule generates an event 15166 * dnp3 (inspector): dnp3 inspection 15167 * dnp3_data (ips_option): sets the cursor to dnp3 data 15168 * dnp3_func (ips_option): detection option to check DNP3 function 15169 code 15170 * dnp3_ind (ips_option): detection option to check DNP3 indicator 15171 flags 15172 * dnp3_obj (ips_option): detection option to check DNP3 object 15173 headers 15174 * dns (inspector): dns inspection 15175 * domain_filter (inspector): alert on configured HTTP domains 15176 * dpx (inspector): dynamic inspector example 15177 * dsize (ips_option): rule option to test payload size 15178 * eapol (codec): support for extensible authentication protocol 15179 over LAN 15180 * enable (ips_option): stub rule option to enable or disable full 15181 rule 15182 * enip_command (ips_option): detection option to match CIP Enip 15183 Command 15184 * enip_req (ips_option): detection option to match ENIP Request 15185 * enip_rsp (ips_option): detection option to match ENIP response 15186 * erspan2 (codec): support for encapsulated remote switched port 15187 analyzer - type 2 15188 * erspan3 (codec): support for encapsulated remote switched port 15189 analyzer - type 3 15190 * esp (codec): support for encapsulating security payload 15191 * eth (codec): support for ethernet protocol (DLT 1) (DLT 51) 15192 * event_filter (basic): configure thresholding of events 15193 * event_queue (basic): configure event queue parameters 15194 * fabricpath (codec): 
support for fabricpath 15195 * file_connector (connector): implement the file based connector 15196 * file_data (ips_option): rule option to set detection cursor to 15197 file data 15198 * file_id (inspector): configure file identification 15199 * file_log (inspector): log file event to file.log 15200 * file_type (ips_option): rule option to check file type 15201 * flags (ips_option): rule option to test TCP control flags 15202 * flow (ips_option): rule option to check session properties 15203 * flowbits (ips_option): rule option to set and test arbitrary 15204 boolean flags 15205 * fragbits (ips_option): rule option to test IP frag flags 15206 * fragoffset (ips_option): rule option to test IP frag offset 15207 * ftp_client (inspector): FTP client configuration module for use 15208 with ftp_server 15209 * ftp_data (inspector): FTP data channel handler 15210 * ftp_server (inspector): main FTP module; ftp_client should also 15211 be configured 15212 * geneve (codec): support for Geneve: Generic Network 15213 Virtualization Encapsulation 15214 * gid (ips_option): rule option specifying rule generator 15215 * gre (codec): support for generic routing encapsulation 15216 * gtp (codec): support for general-packet-radio-service tunneling 15217 protocol 15218 * gtp_info (ips_option): rule option to check gtp info element 15219 * gtp_inspect (inspector): gtp control channel inspection 15220 * gtp_type (ips_option): rule option to check gtp types 15221 * gtp_version (ips_option): rule option to check GTP version 15222 * high_availability (basic): implement flow tracking high 15223 availability 15224 * host_cache (basic): global LRU cache of host_tracker data about 15225 hosts 15226 * host_tracker (basic): configure hosts 15227 * hosts (basic): configure hosts 15228 * http2_inspect (inspector): HTTP/2 inspector 15229 * http_client_body (ips_option): rule option to set the detection 15230 cursor to the request body 15231 * http_cookie (ips_option): rule option to set the 
detection cursor 15232 to the HTTP cookie 15233 * http_header (ips_option): rule option to set the detection cursor 15234 to the normalized headers 15235 * http_inspect (inspector): HTTP inspector 15236 * http_method (ips_option): rule option to set the detection cursor 15237 to the HTTP request method 15238 * http_param (ips_option): rule option to set the detection cursor 15239 to the value of the specified HTTP parameter key which may be in 15240 the query or body 15241 * http_raw_body (ips_option): rule option to set the detection 15242 cursor to the unnormalized message body 15243 * http_raw_cookie (ips_option): rule option to set the detection 15244 cursor to the unnormalized cookie 15245 * http_raw_header (ips_option): rule option to set the detection 15246 cursor to the unnormalized headers 15247 * http_raw_request (ips_option): rule option to set the detection 15248 cursor to the unnormalized request line 15249 * http_raw_status (ips_option): rule option to set the detection 15250 cursor to the unnormalized status line 15251 * http_raw_trailer (ips_option): rule option to set the detection 15252 cursor to the unnormalized trailers 15253 * http_raw_uri (ips_option): rule option to set the detection 15254 cursor to the unnormalized URI 15255 * http_stat_code (ips_option): rule option to set the detection 15256 cursor to the HTTP status code 15257 * http_stat_msg (ips_option): rule option to set the detection 15258 cursor to the HTTP status message 15259 * http_trailer (ips_option): rule option to set the detection 15260 cursor to the normalized trailers 15261 * http_true_ip (ips_option): rule option to set the detection 15262 cursor to the final client IP address 15263 * http_uri (ips_option): rule option to set the detection cursor to 15264 the normalized URI buffer 15265 * http_version (ips_option): rule option to set the detection 15266 cursor to the version buffer 15267 * hyperscan (search_engine): intel hyperscan-based mpse with regex 15268 support 
15269 * icmp4 (codec): support for Internet control message protocol v4 15270 * icmp6 (codec): support for Internet control message protocol v6 15271 * icmp_id (ips_option): rule option to check ICMP ID 15272 * icmp_seq (ips_option): rule option to check ICMP sequence number 15273 * icode (ips_option): rule option to check ICMP code 15274 * id (ips_option): rule option to check the IP ID field 15275 * iec104 (inspector): iec104 inspection 15276 * iec104_apci_type (ips_option): rule option to check iec104 apci 15277 type 15278 * iec104_asdu_func (ips_option): rule option to check iec104 15279 function code 15280 * igmp (codec): support for Internet group management protocol 15281 * imap (inspector): imap inspection 15282 * inspection (basic): configure basic inspection policy parameters 15283 * ip_proto (ips_option): rule option to check the IP protocol 15284 number 15285 * ipopts (ips_option): rule option to check for IP options 15286 * ips (basic): configure IPS rule processing 15287 * ipv4 (codec): support for Internet protocol v4 (DLT 228) 15288 * ipv6 (codec): support for Internet protocol v6 (DLT 229) 15289 * isdataat (ips_option): rule option to check for the presence of 15290 payload data 15291 * itype (ips_option): rule option to check ICMP type 15292 * js_data (ips_option): rule option to set detection cursor to 15293 normalized JavaScript data 15294 * latency (basic): packet and rule latency monitoring and control 15295 * llc (codec): support for logical link control 15296 * log_codecs (logger): log protocols in packet by layer 15297 * log_hext (logger): output payload suitable for daq hext 15298 * log_pcap (logger): log packet in pcap format 15299 * md5 (ips_option): payload rule option for hash matching 15300 * mem_test (inspector): for testing memory management 15301 * memory (basic): memory management configuration 15302 * metadata (ips_option): rule option for conveying arbitrary 15303 comma-separated name, value data within the rule text 15304 * 
modbus (inspector): modbus inspection 15305 * modbus_data (ips_option): rule option to set cursor to modbus 15306 data 15307 * modbus_func (ips_option): rule option to check modbus function 15308 code 15309 * modbus_unit (ips_option): rule option to check Modbus unit ID 15310 * mpls (codec): support for multiprotocol label switching 15311 * msg (ips_option): rule option summarizing rule purpose output 15312 with events 15313 * mss (ips_option): detection for TCP maximum segment size 15314 * netflow (inspector): netflow inspection 15315 * network (basic): configure basic network parameters 15316 * normalizer (inspector): packet scrubbing for inline mode 15317 * null_trace_logger (inspector): trace logger with a null printout 15318 * num_headers (ips_option): rule option to perform range check on 15319 number of headers 15320 * num_trailers (ips_option): rule option to perform range check on 15321 number of trailers 15322 * output (basic): configure general output parameters 15323 * packet_capture (inspector): raw packet dumping facility 15324 * packet_tracer (basic): generate debug trace messages for packets 15325 * packets (basic): configure basic packet handling 15326 * payload_injector (basic): payload injection utility 15327 * pbb (codec): support for 802.1ah protocol 15328 * pcre (ips_option): rule option for matching payload data with 15329 pcre 15330 * perf_monitor (inspector): performance monitoring and flow 15331 statistics collection 15332 * pgm (codec): support for pragmatic general multicast 15333 * pkt_data (ips_option): rule option to set the detection cursor to 15334 the normalized packet data 15335 * pkt_num (ips_option): alert on raw packet number 15336 * pop (inspector): pop inspection 15337 * port_scan (inspector): detect various ip, icmp, tcp, and udp port 15338 or protocol scans 15339 * pppoe (codec): support for point-to-point protocol over ethernet 15340 * priority (ips_option): rule option for prioritizing events 15341 * process (basic): 
configure basic process setup 15342 * profiler (basic): configure profiling of rules and/or modules 15343 * rate_filter (basic): configure rate filters (which change rule 15344 actions) 15345 * raw_data (ips_option): rule option to set the detection cursor to 15346 the raw packet data 15347 * react (ips_action): send response to client and terminate session 15348 * reference (ips_option): rule option to indicate relevant attack 15349 identification system 15350 * references (basic): define reference systems used in rules 15351 * regex (ips_option): rule option for matching payload data with 15352 hyperscan regex; uses pcre syntax 15353 * reject (ips_action): terminate session with TCP reset or ICMP 15354 unreachable 15355 * rem (ips_option): rule option to convey an arbitrary comment in 15356 the rule body 15357 * replace (ips_option): rule option to overwrite payload data; use 15358 with "rewrite" action; works for raw packets only 15359 * reputation (inspector): reputation inspection 15360 * rev (ips_option): rule option to indicate current revision of 15361 signature 15362 * rna (inspector): Real-time network awareness and OS 15363 fingerprinting (experimental) 15364 * rpc (ips_option): rule option to check SUNRPC CALL parameters 15365 * rpc_decode (inspector): RPC inspector 15366 * s7commplus (inspector): s7commplus inspection 15367 * s7commplus_content (ips_option): rule option to set cursor to 15368 s7commplus content 15369 * s7commplus_func (ips_option): rule option to check s7commplus 15370 function code 15371 * s7commplus_opcode (ips_option): rule option to check s7commplus 15372 opcode code 15373 * sd_pattern (ips_option): rule option for detecting sensitive data 15374 * search_engine (basic): configure fast pattern matcher 15375 * seq (ips_option): rule option to check TCP sequence number 15376 * service (ips_option): rule option to specify list of services for 15377 grouping rules 15378 * sha256 (ips_option): payload rule option for hash matching 15379 
* sha512 (ips_option): payload rule option for hash matching 15380 * sid (ips_option): rule option to indicate signature number 15381 * side_channel (basic): implement the side-channel asynchronous 15382 messaging subsystem 15383 * sip (inspector): sip inspection 15384 * sip_body (ips_option): rule option to set the detection cursor to 15385 the request body 15386 * sip_header (ips_option): rule option to set the detection cursor 15387 to the SIP header buffer 15388 * sip_method (ips_option): detection option for sip stat code 15389 * sip_stat_code (ips_option): detection option for sip stat code 15390 * smtp (inspector): smtp inspection 15391 * snort (basic): command line configuration and shell commands 15392 * so (ips_option): rule option to call custom eval function 15393 * so_proxy (inspector): a proxy inspector to track flow data from 15394 SO rules (internal use only) 15395 * soid (ips_option): rule option to specify a shared object rule ID 15396 * ssh (inspector): ssh inspection 15397 * ssl (inspector): ssl inspection 15398 * ssl_state (ips_option): detection option for ssl state 15399 * ssl_version (ips_option): detection option for ssl version 15400 * stream (inspector): common flow tracking 15401 * stream_file (inspector): stream inspector for file flow tracking 15402 and processing 15403 * stream_icmp (inspector): stream inspector for ICMP flow tracking 15404 * stream_ip (inspector): stream inspector for IP flow tracking and 15405 defragmentation 15406 * stream_reassemble (ips_option): detection option for stream 15407 reassembly control 15408 * stream_size (ips_option): detection option for stream size 15409 checking 15410 * stream_tcp (inspector): stream inspector for TCP flow tracking 15411 and stream normalization and reassembly 15412 * stream_udp (inspector): stream inspector for UDP flow tracking 15413 * stream_user (inspector): stream inspector for user flow tracking 15414 and reassembly 15415 * suppress (basic): configure event suppressions 
15416 * tag (ips_option): rule option to log additional packets 15417 * target (ips_option): rule option to indicate target of attack 15418 * tcp (codec): support for transmission control protocol 15419 * tcp_connector (connector): implement the tcp stream connector 15420 * telnet (inspector): telnet inspection and normalization 15421 * tenant_selector (policy_selector): configure traffic processing 15422 based on tenants 15423 * token_ring (codec): support for token ring decoding 15424 * tos (ips_option): rule option to check type of service field 15425 * trace (basic): configure trace log messages 15426 * ttl (ips_option): rule option to check time to live field 15427 * udp (codec): support for user datagram protocol 15428 * unified2 (logger): output event and packet in unified2 format 15429 file 15430 * urg (ips_option): detection for TCP urgent pointer 15431 * vba_data (ips_option): rule option to set the detection cursor to 15432 the MS Office Visual Basic for Applications macros buffer 15433 * vlan (codec): support for local area network 15434 * window (ips_option): rule option to check TCP window field 15435 * wizard (inspector): inspector that implements port-independent 15436 protocol identification 15437 * wlan (codec): support for wireless local area network protocol 15438 (DLT 105) 15439 * wscale (ips_option): detection for TCP window scale 15440 15441 1544211.11. 
Plugin Listing 15443 15444-------------- 15445 15446 * codec::arp: support for address resolution protocol 15447 * codec::auth: support for IP authentication header 15448 * codec::bad_proto: bad protocol id 15449 * codec::ciscometadata: support for cisco metadata 15450 * codec::eapol: support for extensible authentication protocol over 15451 LAN 15452 * codec::erspan2: support for encapsulated remote switched port 15453 analyzer - type 2 15454 * codec::erspan3: support for encapsulated remote switched port 15455 analyzer - type 3 15456 * codec::esp: support for encapsulating security payload 15457 * codec::eth: support for ethernet protocol (DLT 1) (DLT 51) 15458 * codec::fabricpath: support for fabricpath 15459 * codec::geneve: support for Geneve: Generic Network Virtualization 15460 Encapsulation 15461 * codec::gre: support for generic routing encapsulation 15462 * codec::gtp: support for general-packet-radio-service tunneling 15463 protocol 15464 * codec::icmp4: support for Internet control message protocol v4 15465 * codec::icmp4_ip: support for IP in ICMPv4 15466 * codec::icmp6: support for Internet control message protocol v6 15467 * codec::icmp6_ip: support for IP in ICMPv6 15468 * codec::igmp: support for Internet group management protocol 15469 * codec::ipv4: support for Internet protocol v4 (DLT 228) 15470 * codec::ipv6: support for Internet protocol v6 (DLT 229) 15471 * codec::ipv6_dst_opts: support for ipv6 destination options 15472 * codec::ipv6_frag: support for IPv6 fragment decoding 15473 * codec::ipv6_hop_opts: support for IPv6 hop options 15474 * codec::ipv6_mobility: support for mobility 15475 * codec::ipv6_no_next: sentinel codec 15476 * codec::ipv6_routing: support for IPv6 routing extension 15477 * codec::linux_sll: support for Linux SLL (DLT 113) 15478 * codec::llc: support for logical link control 15479 * codec::mpls: support for multiprotocol label switching 15480 * codec::null: support for null encapsulation (DLT 0) 15481 * codec::pbb: 
support for 802.1ah protocol 15482 * codec::pflog: support for OpenBSD PF log (DLT 117) 15483 * codec::pgm: support for pragmatic general multicast 15484 * codec::ppp: support for point-to-point encapsulation (DLT 9) 15485 * codec::ppp_encap: support for point-to-point encapsulation 15486 * codec::pppoe_disc: support for point-to-point discovery 15487 * codec::pppoe_sess: support for point-to-point session 15488 * codec::raw: support for raw IP (DLT 12) 15489 * codec::slip: support for slip protocol (DLT 8) 15490 * codec::tcp: support for transmission control protocol 15491 * codec::teredo: support for teredo 15492 * codec::token_ring: support for token ring decoding 15493 * codec::trans_bridge: support for trans-bridging 15494 * codec::udp: support for user datagram protocol 15495 * codec::user: support for user sessions (DLT 230) 15496 * codec::vlan: support for local area network 15497 * codec::vxlan: support for Virtual Extensible LAN 15498 * codec::wlan: support for wireless local area network protocol 15499 (DLT 105) 15500 * connector::file_connector: implement the file based connector 15501 * connector::tcp_connector: implement the tcp stream connector 15502 * inspector::appid: application and service identification 15503 * inspector::appid_listener: log selected published data to 15504 appid_listener.log 15505 * inspector::arp_spoof: detect ARP attacks and anomalies 15506 * inspector::back_orifice: back orifice detection 15507 * inspector::binder: configure processing based on CIDRs, ports, 15508 services, etc. 
* inspector::cip: cip inspection
* inspector::cpeos_test: for testing CPE OS RNA event generation
* inspector::data_log: log selected published data to data.log
* inspector::dce_http_proxy: dce over http inspection - client to/from proxy
* inspector::dce_http_server: dce over http inspection - proxy to/from server
* inspector::dce_smb: dce over smb inspection
* inspector::dce_tcp: dce over tcp inspection
* inspector::dce_udp: dce over udp inspection
* inspector::dnp3: dnp3 inspection
* inspector::dns: dns inspection
* inspector::domain_filter: alert on configured HTTP domains
* inspector::dpx: dynamic inspector example
* inspector::file_id: configure file identification
* inspector::file_log: log file event to file.log
* inspector::ftp_client: FTP inspector client module
* inspector::ftp_data: FTP data channel handler
* inspector::ftp_server: FTP inspector server module
* inspector::gtp_inspect: gtp control channel inspection
* inspector::http2_inspect: the HTTP/2 inspector
* inspector::http_inspect: the new HTTP inspector!
* inspector::iec104: iec104 inspection
* inspector::imap: imap inspection
* inspector::mem_test: for testing memory management
* inspector::modbus: modbus inspection
* inspector::netflow: netflow inspection
* inspector::normalizer: packet scrubbing for inline mode
* inspector::null_trace_logger: trace logger with a null printout
* inspector::packet_capture: raw packet dumping facility
* inspector::perf_monitor: performance monitoring and flow statistics collection
* inspector::pop: pop inspection
* inspector::port_scan: detect various ip, icmp, tcp, and udp port or protocol scans
* inspector::reputation: reputation inspection
* inspector::rna: Real-time network awareness and OS fingerprinting (experimental)
* inspector::rpc_decode: RPC inspector
* inspector::s7commplus: s7commplus inspection
* inspector::sip: sip inspection
* inspector::smtp: smtp inspection
* inspector::so_proxy: a proxy inspector to track flow data from SO rules (internal use only)
* inspector::ssh: ssh inspection
* inspector::ssl: ssl inspection
* inspector::stream: common flow tracking
* inspector::stream_file: stream inspector for file flow tracking and processing
* inspector::stream_icmp: stream inspector for ICMP flow tracking
* inspector::stream_ip: stream inspector for IP flow tracking and defragmentation
* inspector::stream_tcp: stream inspector for TCP flow tracking and stream normalization and reassembly
* inspector::stream_udp: stream inspector for UDP flow tracking
* inspector::stream_user: stream inspector for user flow tracking and reassembly
* inspector::telnet: telnet inspection and normalization
* inspector::wizard: inspector that implements port-independent protocol identification
* ips_action::alert: generate alert on the current packet
* ips_action::block: block current packet and all the subsequent packets in this flow
* ips_action::drop: drop the current packet
* ips_action::log: log the current packet
* ips_action::pass: mark the current packet as passed
* ips_action::react: send response to client and terminate session
* ips_action::reject: terminate session with TCP reset or ICMP unreachable
* ips_action::rewrite: overwrite packet contents with the "replace" option content
* ips_option::ack: rule option to match on TCP ack numbers
* ips_option::appids: detection option for application ids
* ips_option::asn1: rule option for asn1 detection
* ips_option::base64_data: set detection cursor to decoded Base64 data
* ips_option::base64_decode: rule option to decode base64 data - must be used with base64_data option
* ips_option::ber_data: rule option to move to the data for a specified BER element
* ips_option::ber_skip: rule option to skip BER element
* ips_option::bufferlen: rule option to check length of current buffer
* ips_option::byte_extract: rule option to convert data to an integer variable
* ips_option::byte_jump: rule option to move the detection cursor
* ips_option::byte_math: rule option to perform mathematical operations on extracted value and a specified value or existing variable
* ips_option::byte_test: rule option to convert data to integer and compare
* ips_option::cip_attribute: detection option to match CIP attribute
* ips_option::cip_class: detection option to match CIP class
* ips_option::cip_conn_path_class: detection option to match CIP Connection Path Class
* ips_option::cip_instance: detection option to match CIP instance
* ips_option::cip_req: detection option to match CIP request
* ips_option::cip_rsp: detection option to match CIP response
* ips_option::cip_service: detection option to match CIP service
* ips_option::cip_status: detection option to match CIP response status
* ips_option::classtype: general rule option for rule classification
* ips_option::content: payload rule option for basic pattern matching
* ips_option::cvs: payload rule option for detecting specific attacks
* ips_option::dce_iface: detection option to check dcerpc interface
* ips_option::dce_opnum: detection option to check dcerpc operation number
* ips_option::dce_stub_data: sets the cursor to dcerpc stub data
* ips_option::detection_filter: rule option to require multiple hits before a rule generates an event
* ips_option::dnp3_data: sets the cursor to dnp3 data
* ips_option::dnp3_func: detection option to check DNP3 function code
* ips_option::dnp3_ind: detection option to check DNP3 indicator flags
* ips_option::dnp3_obj: detection option to check DNP3 object headers
* ips_option::dsize: rule option to test payload size
* ips_option::enable: stub rule option to enable or disable full rule
* ips_option::enip_command: detection option to match CIP Enip Command
* ips_option::enip_req: detection option to match ENIP Request
* ips_option::enip_rsp: detection option to match ENIP response
* ips_option::file_data: rule option to set detection cursor to file data
* ips_option::file_type: rule option to check file type
* ips_option::flags: rule option to test TCP control flags
* ips_option::flow: rule option to check session properties
* ips_option::flowbits: rule option to set and test arbitrary boolean flags
* ips_option::fragbits: rule option to test IP frag flags
* ips_option::fragoffset: rule option to test IP frag offset
* ips_option::gid: rule option specifying rule generator
* ips_option::gtp_info: rule option to check gtp info element
* ips_option::gtp_type: rule option to check gtp types
* ips_option::gtp_version: rule option to check GTP version
* ips_option::http_client_body: rule option to set the detection cursor to the request body
* ips_option::http_cookie: rule option to set the detection cursor to the HTTP cookie
* ips_option::http_header: rule option to set the detection cursor to the normalized headers
* ips_option::http_method: rule option to set the detection cursor to the HTTP request method
* ips_option::http_param: rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body
* ips_option::http_raw_body: rule option to set the detection cursor to the unnormalized message body
* ips_option::http_raw_cookie: rule option to set the detection cursor to the unnormalized cookie
* ips_option::http_raw_header: rule option to set the detection cursor to the unnormalized headers
* ips_option::http_raw_request: rule option to set the detection cursor to the unnormalized request line
* ips_option::http_raw_status: rule option to set the detection cursor to the unnormalized status line
* ips_option::http_raw_trailer: rule option to set the detection cursor to the unnormalized trailers
* ips_option::http_raw_uri: rule option to set the detection cursor to the unnormalized URI
* ips_option::http_stat_code: rule option to set the detection cursor to the HTTP status code
* ips_option::http_stat_msg: rule option to set the detection cursor to the HTTP status message
* ips_option::http_trailer: rule option to set the detection cursor to the normalized trailers
* ips_option::http_true_ip: rule option to set the detection cursor to the final client IP address
* ips_option::http_uri: rule option to set the detection cursor to the normalized URI buffer
* ips_option::http_version: rule option to set the detection cursor to the version buffer
* ips_option::icmp_id: rule option to check ICMP ID
* ips_option::icmp_seq: rule option to check ICMP sequence number
* ips_option::icode: rule option to check ICMP code
* ips_option::id: rule option to check the IP ID field
* ips_option::iec104_apci_type: rule option to check iec104 apci type
* ips_option::iec104_asdu_func: rule option to check iec104 function code
* ips_option::ip_proto: rule option to check the IP protocol number
* ips_option::ipopts: rule option to check for IP options
* ips_option::isdataat: rule option to check for the presence of payload data
* ips_option::itype: rule option to check ICMP type
* ips_option::js_data: rule option to set detection cursor to normalized JavaScript data
* ips_option::md5: payload rule option for hash matching
* ips_option::metadata: rule option for conveying arbitrary comma-separated name, value data within the rule text
* ips_option::modbus_data: rule option to set cursor to modbus data
* ips_option::modbus_func: rule option to check modbus function code
* ips_option::modbus_unit: rule option to check Modbus unit ID
* ips_option::msg: rule option summarizing rule purpose output with events
* ips_option::mss: detection for TCP maximum segment size
* ips_option::num_headers: rule option to perform range check on number of headers
* ips_option::num_trailers: rule option to perform range check on number of trailers
* ips_option::pcre: rule option for matching payload data with pcre
* ips_option::pkt_data: rule option to set the detection cursor to the normalized packet data
* ips_option::pkt_num: alert on raw packet number
* ips_option::priority: rule option for prioritizing events
* ips_option::raw_data: rule option to set the detection cursor to the raw packet data
* ips_option::reference: rule option to indicate relevant attack identification system
* ips_option::regex: rule option for matching payload data with hyperscan regex; uses pcre syntax
* ips_option::rem: rule option to convey an arbitrary comment in the rule body
* ips_option::replace: rule option to overwrite payload data; use with "rewrite" action; works for raw packets only
* ips_option::rev: rule option to indicate current revision of signature
* ips_option::rpc: rule option to check SUNRPC CALL parameters
* ips_option::s7commplus_content: rule option to set cursor to s7commplus content
* ips_option::s7commplus_func: rule option to check s7commplus function code
* ips_option::s7commplus_opcode: rule option to check s7commplus opcode code
* ips_option::sd_pattern: rule option for detecting sensitive data
* ips_option::seq: rule option to check TCP sequence number
* ips_option::service: rule option to specify list of services for grouping rules
* ips_option::sha256: payload rule option for hash matching
* ips_option::sha512: payload rule option for hash matching
* ips_option::sid: rule option to indicate signature number
* ips_option::sip_body: rule option to set the detection cursor to the request body
* ips_option::sip_header: rule option to set the detection cursor to the SIP header buffer
* ips_option::sip_method: detection option for sip stat code
* ips_option::sip_stat_code: detection option for sip stat code
* ips_option::so: rule option to call custom eval function
* ips_option::soid: rule option to specify a shared object rule ID
* ips_option::ssl_state: detection option for ssl state
* ips_option::ssl_version: detection option for ssl version
* ips_option::stream_reassemble: detection option for stream reassembly control
* ips_option::stream_size: detection option for stream size checking
* ips_option::tag: rule option to log additional packets
* ips_option::target: rule option to indicate target of attack
* ips_option::tos: rule option to check type of service field
* ips_option::ttl: rule option to check time to live field
* ips_option::urg: detection for TCP urgent pointer
* ips_option::vba_data: rule option to set the detection cursor to the MS Office Visual Basic for Applications macros buffer
* ips_option::window: rule option to check TCP window field
* ips_option::wscale: detection for TCP window scale
* logger::alert_csv: output event in csv format
* logger::alert_ex: output gid:sid:rev for alerts
* logger::alert_fast: output event with brief text format
* logger::alert_full: output event with full packet dump
* logger::alert_json: output event in json format
* logger::alert_syslog: output event to syslog
* logger::alert_talos: output event in Talos alert format
* logger::alert_unixsock: output event over unix socket
* logger::log_codecs: log protocols in packet by layer
* logger::log_hext: output payload suitable for daq hext
* logger::log_null: disable logging of packets
* logger::log_pcap: log packet in pcap format
* logger::unified2: output event and packet in unified2 format file
* policy_selector::address_space_selector: configure traffic processing based on address space
* policy_selector::tenant_selector: configure traffic processing based on tenants
* search_engine::ac_banded: Aho-Corasick Banded (high memory, moderate performance)
* search_engine::ac_bnfa: Aho-Corasick Binary NFA (low memory, high performance) MPSE
* search_engine::ac_full: Aho-Corasick Full (high memory, best performance), implements search_all()
* search_engine::ac_sparse: Aho-Corasick Sparse (high memory, moderate performance) MPSE
* search_engine::ac_sparse_bands: Aho-Corasick Sparse-Banded (high memory, moderate performance) MPSE
* search_engine::ac_std: Aho-Corasick Full (high memory, best performance) MPSE
* search_engine::hyperscan: intel hyperscan-based mpse with regex support
* search_engine::lowmem: Keyword Trie (low memory, moderate performance) MPSE
* so_rule::3|18758: SO rule example