1 2--------------------------------------------------------------------- 3 4Snort 3 Upgrade Manual 5 6--------------------------------------------------------------------- 7 8The Snort Team 9 10Revision History 11Revision 3.1.19.0 2021-12-15 06:07:38 EST TST 12 13--------------------------------------------------------------------- 14 15Table of Contents 16 171. Overview 18 19 1.1. Efficacy 20 1.2. Performance 21 1.3. Scalability 22 1.4. Usability 23 1.5. Extensibility 24 252. Snort 3 vs Snort 2 26 27 2.1. Features New to Snort 3 28 2.2. Features Improved over Snort 2 29 2.3. Build Options 30 2.4. Command Line 31 2.5. Conf File 32 2.6. Rules 33 2.7. Output 34 2.8. Sensitive Data 35 2.9. Features Not Yet Supported by Snort 3 36 373. Snort2Lua 38 39 3.1. Snort2Lua Command Line 40 3.2. Known Problems 41 3.3. Usage 42 434. Configuration Changes 44 45 46--------------------------------------------------------------------- 47 481. Overview 49 50--------------------------------------------------------------------- 51 52Snort 3.0 is an updated version of the Snort Intrusion Prevention 53System (IPS) which features a new design that provides a superset of 54Snort 2.X functionality with better efficacy, performance, 55scalability, usability, and extensibility. Some of the key features 56of Snort 3.0 are: 57 58 * Support multiple packet processing threads 59 * Use a shared configuration and attribute table 60 * Autodetect services for portless configuration 61 * Modular design 62 * Plugin framework with over 200 plugins 63 * More scalable memory profile 64 * LuaJIT configuration, loggers, and rule options 65 * Hyperscan support 66 * Rewritten TCP handling 67 * New rule parser and syntax 68 * Service rules like alert http 69 * Rule "sticky" buffers 70 * Way better SO rules 71 * New HTTP inspector 72 * New performance monitor 73 * New time and space profiling 74 * New latency monitoring and enforcement 75 * Piglets to facilitate component testing 76 * Inspection Events 77 * Autogenerate reference documentation 78 79 801.1. Efficacy 81 82-------------- 83 84 * Detects and blocks all but 10 HTTP Evader tests (see https:// 85 noxxi.de/research/http-evader.html). 86 * Autodetection of services reduces misses due to incorrect or out 87 of date port configurations and improves detection on unexpected 88 command and control channels. 89 90 911.2. Performance 92 93-------------- 94 95 * Vastly improved throughput over Snort 2 for deep flow inspection. 96 * Many more fast pattern buffers means fewer non-fast pattern 97 rules. 98 * Hyperscan is used for faster fast patterns, content literals and 99 (optionally) compatible PCRE during signature evaluation, and 100 various searches done by inspectors. 101 * sd_pattern rules have normal fast patterns, don’t require extra 102 searches. 103 * The snort3_demo repo has a performance suite that can be used to 104 compare Snort 2 and Snort 3. 105 * The DAQ 3 interface facilitates leveraging your data plane for 106 maximum throughput including checksum offload and acquisition of 107 a vector of packets. 108 * Snort 3 is not run-to-completion, making it possible to detain 109 packets for lookaside acceleration and other new features. 110 111 1121.3. Scalability 113 114-------------- 115 116 * Much easier to leverage multiple cores. 117 * All packet threads share configuration and rule engine which 118 frees up much more memory for packet processing. 119 120 1211.4. Usability 122 123-------------- 124 125 * Sticky buffers make it easier to write correct rules. 126 * Autodetection eliminates much port configuration maintenance. 127 * Service-based detection doesn’t preclude port-based detection. 128 * Builtin defaults and policy tweaks make effective tuning much 129 simpler. 130 * Command line help and generated reference documentation make it 131 easy to get the correct configuration details. 132 * A trace mechanism is provided to make it easy to see how packets 133 are processed. 134 * Build a scaled down image and configure for smaller systems such 135 as IoT devices. 136 * The snort2lua utility (described later) makes it easy to convert 137 your local rules. 138 * Extensive peg counts capture the important events and actions to 139 provide more detailed insight into your deployment. 140 141 1421.5. Extensibility 143 144-------------- 145 146 * Several plugin types are defined and over 220 plugins are 147 available. 148 * Inspection events make collaboration among plugins possible 149 without framework updates. 150 * All plugins, including SO rules, can be mixed in the same 151 library. 152 * A command line shell is available for reloads and other 153 operations. 154 * The snort3_extra repo has examples to each plugin type to help 155 you get started. 156 * Easy to add SO rules for 0-day attacks. 157 158 159--------------------------------------------------------------------- 160 1612. Snort 3 vs Snort 2 162 163--------------------------------------------------------------------- 164 165 1662.1. Features New to Snort 3 167 168-------------- 169 170Some things Snort++ can do today that Snort can not do: 171 172 * regex fast patterns, not just literals 173 * FlatBuffers and JSON perf monitor logs 174 * LuaJIT scriptable rule options and loggers 175 * pub/sub inspection events (currently used by sip and http_inspect 176 to appid) 177 * JIT buffer stuffers (notably with new http_inspect) 178 * C-style comments in rules 179 * #begin … #end comment blocks in rules 180 * rule remarks (comment is part of rule, not just in it) 181 * process raw files (eg read a PDF and do file processing) 182 * process raw payload (eg bridge 2 sockets and do inspection) 183 * fast pattern offload to separate thread (experimental) 184 * add or override any config item on command line 185 * set CPU affinity 186 * pause and resume commands 187 188 1892.2. Features Improved over Snort 2 190 191-------------- 192 193Some things Snort++ can do today that Snort can not do as well: 194 195+-------------------------------------------------------------------+ 196|Feature |Snort 2 |Snort 3 | 197|-----------------+-------------------+-----------------------------| 198|Packet Threads |1 per process |N per process | 199|-----------------+-------------------+-----------------------------| 200|Config Memory Use|N processes * M GB |M GB total, more for packets | 201|-----------------+-------------------+-----------------------------| 202|Config Reload |N processes, slower|1 thread, can be pinned to | 203| | |separate core | 204|-----------------+-------------------+-----------------------------| 205|Startup |Single threaded, |Multithreaded, faster | 206| |slower | | 207|-----------------+-------------------+-----------------------------| 208|Plugins |Limited to preprocs|Full plugin system with over | 209| |and outputs |230 plugins | 210|-----------------+-------------------+-----------------------------| 211|Plugin Examples |DPX preproc |snort3_extra repo, all types,| 212| | |LuaJIT | 213|-----------------+-------------------+-----------------------------| 214|DAQ |2.X, run to |3.X, vector input, multiple | 215| |completion |outstanding packets | 216|-----------------+-------------------+-----------------------------| 217|DAQ Modules |Legacy modules |Stacked modules, IOCTLs, | 218| | |file, socket, text modules | 219|-----------------+-------------------+-----------------------------| 220|Pcap Readback |X Mbits/sec for |2X with ac, 4X with hyperscan| 221|Speed |Max-Detect | | 222|-----------------+-------------------+-----------------------------| 223|IP Layers |2 max |Arbitrary / configurable | 224| | |limits | 225|-----------------+-------------------+-----------------------------| 226|IP Reputation |Complex, shared |Simplified process memory | 227| |memory | | 228|-----------------+-------------------+-----------------------------| 229|Stream TCP |Complex |New and improved | 230| |implementation |implementation | 231|-----------------+-------------------+-----------------------------| 232|Service detection|appid only, port |Autodetection, most port | 233| |configs required |configs optional | 234|-----------------+-------------------+-----------------------------| 235|HTTP inspector |Partly stateful |Fully stateful | 236|-----------------+-------------------+-----------------------------| 237|HTTP Evader |65 misses |10 misses | 238|-----------------+-------------------+-----------------------------| 239|Port Scan |High, medium, low |Fully configurable detection | 240|Detection |thresholds only |thresholds | 241|-----------------+-------------------+-----------------------------| 242|Config parsing |Report one error |Report all errors | 243| |and quit | | 244|-----------------+-------------------+-----------------------------| 245|Config syntax |Irregular, static, |Lua, fully scriptable, | 246| |limited variables |arbitrary variables | 247|-----------------+-------------------+-----------------------------| 248|Command Line |Some overlap with |Set or override any config | 249| |config file |from command line | 250|-----------------+-------------------+-----------------------------| 251|Default Config |Complex, needs |Simplified, effective default| 252| |tuning |config | 253|-----------------+-------------------+-----------------------------| 254|Policy Examples |None |Tweaks for all standard Talos| 255| | |policies | 256|-----------------+-------------------+-----------------------------| 257|Policy Bindings |One level |Nested | 258|-----------------+-------------------+-----------------------------| 259|Rule syntax |Inconsistent, |Uniform syntax, arbitrary | 260| |requires line |whitespace | 261| |escapes | | 262|-----------------+-------------------+-----------------------------| 263|Rule parsing |Buggy, limited |Robust, many optional | 264| |warnings |warnings | 265|-----------------+-------------------+-----------------------------| 266|Rule comments |# comments only |#, #begin/#end, C-style, rem | 267| | |option | 268|-----------------+-------------------+-----------------------------| 269|Rule input |Config includes |Includes, external file or | 270| |only |path, stdin | 271|-----------------+-------------------+-----------------------------| 272|Hyperscan |External patch |Native support, regex fast | 273| |available |patterns | 274|-----------------+-------------------+-----------------------------| 275|Sensitive Data |Requires a slow, |Normal fast pattern rule | 276| |extra search | | 277|-----------------+-------------------+-----------------------------| 278|alert file rules |No |Yes | 279|-----------------+-------------------+-----------------------------| 280|alert service |No |Yes | 281|rules | | | 282|-----------------+-------------------+-----------------------------| 283|fast_pattern_only|Hand optimization |Automatic optimization | 284|-----------------+-------------------+-----------------------------| 285|Fast Pattern |6 available |14 available | 286|Buffers | | | 287|-----------------+-------------------+-----------------------------| 288|Elided rule |No |Yes (omit nets and/or ports) | 289|headers | | | 290|-----------------+-------------------+-----------------------------| 291|Rule sticky |Some |All buffers are sticky | 292|buffers | | | 293|-----------------+-------------------+-----------------------------| 294|SO rule features |Restricted |True superset of text rules | 295| |functionality | | 296|-----------------+-------------------+-----------------------------| 297|Simple SO rules |No (based on |Yes (based on text rule) | 298| |tedious C-structs) | | 299|-----------------+-------------------+-----------------------------| 300|Dump builtin |No (SO stubs only) |Yes | 301|stubs | | | 302|-----------------+-------------------+-----------------------------| 303|Runtime tracing |No (debug traces |Yes | 304| |and misc logs only)| | 305|-----------------+-------------------+-----------------------------| 306|Event Logging |Legacy unified2 |JSON recommended, integrates | 307| |recommended |with ELK stack, etc. | 308|-----------------+-------------------+-----------------------------| 309|Statistics |Limited counts, |2X counts, configurable perf | 310| |fixed perf monitor |monitor | 311|-----------------+-------------------+-----------------------------| 312|Control interface|Limited binary |Extensible text shell, socket| 313| |interface |access | 314|-----------------+-------------------+-----------------------------| 315|Documentation |LaTeX-based PDF, |Asciidoc text, html, and PDF | 316| |READMEs |(user, ref, dev, upgrade) | 317|-----------------+-------------------+-----------------------------| 318|Command line help|No |Extensive, supports data | 319| | |driven management | 320|-----------------+-------------------+-----------------------------| 321|Build system |Automake, Linux, |Cmake, Linux, *BSD, Mac | 322| |*BSD, Windows | | 323|-----------------+-------------------+-----------------------------| 324|Startup / |Noisy, limited |Clean, extensible, non-zero | 325|Shutdown | |counts only | 326|-----------------+-------------------+-----------------------------| 327|Sig Quit |Same as Sig Term |Quick exit | 328| |and Sig Int | | 329|-----------------+-------------------+-----------------------------| 330|Source Code |470K lines C, avg |389K lines C++, avg 200 lines| 331| |400 lines/file |/file | 332|-----------------+-------------------+-----------------------------| 333|Tests |A few unit tests |Many unit tests, snort3_demo | 334| | |suite | 335|-----------------+-------------------+-----------------------------| 336|Distribution |snort.org tarballs,|github repo, ~2 week updates | 337| |~6 month updates | | 338+-------------------------------------------------------------------+ 339 340 3412.3. Build Options 342 343-------------- 344 345 * configure --with-lib{pcap,pcre}-* → --with-{pcap,pcre}-* 346 * control socket, cs_dir, and users were deleted 347 * POLICY_BY_ID_ONLY code was deleted 348 * hardened --enable-inline-init-failopen / INLINE_FAILOPEN 349 350 3512.4. Command Line 352 353-------------- 354 355 * --pause loads config and waits for resume before processing 356 packets 357 * --require-rule-sid is hardened 358 * --shell enables interactive Lua shell 359 * -T is assumed if no input given 360 * added --help-config prefix to dump all matching settings 361 * added --script-path 362 * added -L none|dump|pcap 363 * added -z <#> and --max-packet-threads <#> 364 * delete --enable-mpls-multicast, --enable-mpls-overlapping-ip, 365 --max-mpls-labelchain-len, --mpls-payload-type 366 * deleted --pid-path and --no-interface-pidfile 367 * deleting command line options which will be available with --lua 368 or some such including: -I, -h, -F, -p, 369 --disable-inline-init-failopen 370 * hardened -n < 0 371 * removed --search-method 372 * replaced "unknown args are bpf" with --bpf 373 * replaced --dynamic-*-lib[-dir] with --plugin-path (with : 374 separators) 375 * removed -b, -N, -Z and, --perfmon-file options 376 377 3782.5. Conf File 379 380-------------- 381 382 * Snort 3 has a default unicode.map 383 * Snort 3 will not enforce an upper bound on memcaps and the like 384 within 64 bits 385 * Snort 3 will supply a default *_global config if not specified 386 (Snort 2 would fatal; e.g. http_inspect_server w/o 387 http_inspect_global) 388 * address list syntax changes: [[ and ]] must be [ [ and ] ] to 389 avoid Lua string parsing errors (unless in quoted string) 390 * because the Lua conf is live code, we lose file:line locations in 391 app error messages (syntax errors from Lua have file:line) 392 * changed search-method names for consistency 393 * delete config include_vlan_in_alerts (not used in code) 394 * delete config so_rule_memcap (not used in code) 395 * deleted --disable-attribute-table-reload-thread 396 * deleted config decode_*_{alerts,drops} (use rules only) 397 * deleted config dump-dynamic-rules-path 398 * deleted config ipv6_frag (not actually used) 399 * deleted config threshold and ips rule threshold (→ event_filter) 400 * eliminated ac-split; must use ac-full-q split-any-any 401 * frag3 → defrag, arpspoof → arp_spoof, sfportscan → port_scan, 402 perfmonitor → perf_monitor, bo → back_orifice 403 * limits like "1234K" are now "limit = 1234, units = K" 404 * lua field names are (lower) case sensitive; snort.conf largely 405 wasn’t 406 * module filenames are not configurable: always <log-dir>/ 407 <module-name><suffix> (suffix is determined by module) 408 * no positional parameters; all name = value 409 * perf_monitor configuration was simplified 410 * portscan.detect_ack_scans deleted (exact same as 411 include_midstream) 412 * removed various run modes - now just one 413 * frag3 default policy is Linux not bsd 414 * lowmem* search methods are now in snort_examples 415 * deleted unused http_inspect stateful mode 416 * deleted stateless inspection from ftp and telnet 417 * deleted http and ftp alert options (now strictly rule based) 418 * preprocessor disabled settings deleted since no longer relevant 419 * sessions are always created; snort config stateful checks 420 eliminated 421 * stream5_tcp: prune_log_max deleted; to be replaced with histogram 422 * stream5_tcp: max_active_responses, min_response_seconds moved to 423 active.max_responses, min_interval 424 * ips policies support snort variables configured based on type, 425 ips = { variables = { nets = { var1 = expr1, … }, paths = { var2 426 = expr2, … }, ports = { var3 = expr3, … } } } 427 428 4292.6. Rules 430 431-------------- 432 433 * all rules must have a sid 434 * sid == 0 not allowed 435 * deleted activate / dynamic rules 436 * deleted metadata engine shared 437 * deleted metadata: rule-flushing (with PDU flushing rule flushing 438 can cause missed attacks, the opposite of its intent) 439 * changed metadata:service one[, service two]; to service:one[, 440 two]; 441 * soid is now a non-metadata option 442 * metadata is now truly metadata with no impact on detection (Snort 443 doesn’t care about metadata internal structure / syntax) 444 * deleted fast_pattern:only; use fast_pattern, nocase (option is 445 not added to detection tree if not required) 446 * changed fast_pattern:<offset>,<length> to 447 fast_pattern,fast_pattern_offset <offset>,fast_pattern_length 448 <length> 449 * fast pattern sensitive data with sd_pattern using hyperscan 450 * hyperscan regex fast patterns with regex:"<regex>", fast_pattern; 451 * no ; separated content suboptions 452 * offset, depth, distance, and within must use a space separator 453 not colon (e.g. offset:5; becomes offset 5;) 454 * content suboptions http_* are now full options 455 * added sticky buffers: buffer selector options must precede 456 contents and remain in effect until changed 457 * the following pcre options have been deleted: use sticky buffers 458 instead B, U, P, H, M, C, I, D, K, S, Y 459 * deleted uricontent option; use sticky buffer uricontent:"foo" -→ 460 http_uri; content:"foo" 461 * deleted urilen raw and norm; must use http_raw_uri and http_uri 462 instead 463 * deleted unused http_encode option 464 * urilen replaced with generic bufferlen which applies to current 465 sticky buffer 466 * added optional selector to http_header, e.g. 467 http_header:User-Agent; 468 * the all new http_inspect has new buffers and rule options 469 * added alert file and alert service rules (service in body not 470 required if there is only one and it is in header; alert service 471 / file rules disable fast pattern searching of raw packets) 472 * rule option sequence: <stub> soid <hidden> 473 * arbitrary whitespace and multiline rules w/o \n 474 * #begin … #end comments to easily comment out multiple lines 475 * add rule remarks option with rem:"arbitrary comment" 476 * nets and/or ports may be omitted from rule headers (matches any) 477 * parse all rules and output all errors before quitting 478 * read rules from conf, separate rules file, or stdin 479 * The symbol =< in a byte test is recognized as a syntax error. The 480 correct symbol is <=. 481 482 4832.7. Output 484 485-------------- 486 487 * alert_fast includes packet data by default 488 * all text mode outputs default to stdout 489 * changed default logging mode to -L none 490 * deleted layer2resets and flexresp2_* 491 * deleted log_ascii 492 * general output guideline: don’t print zero counts 493 * Snort 3 queues decoder and inspector events to the main event 494 queue before ips policy is selected; since some events may not be 495 enabled, the queue needs to be sized larger than with Snort 2 496 which used an intermediate queue for decoder events. 497 * deleted the intermediate http and ftp_telnet event queues 498 * alert_unified2 and log_unified2 have been deleted 499 500 5012.8. Sensitive Data 502 503-------------- 504 505The Snort 2.X SDF Preprocessor is gone, replaced by ips option 506sd_pattern. The sd_pattern rule option is synonymous with the 507sd_pattern option used for gid:138 rules, but has a different syntax. 508A major difference in syntax is the use of Hyperscan pattern matching 509library which provides a regex language similar to PCRE. 510 511To facilitate continued performance, sd_pattern rule option is 512implemented with Hyperscan pattern matching library. The rule option 513is now also utilized as a "fast pattern" in the Snort engine which 514provides a significant performance improvement over the separate 515detection step of earlier implementations. 516 517The preprocessor alert SDF_COMBO_ALERT (139:1) has been removed and 518has no replacement in Snort 3.X. This is because the rule offered no 519additional value over gid:138 rules and was difficult to interpret 520the result of. 521 522For more information, See Features > Sensitive Data Filtering for 523details. 524 525 5262.9. Features Not Yet Supported by Snort 3 527 528-------------- 529 530 * Support in http_inspect for Original Client IP is limited to the 531 X-Forwarded-For and True-Client-IP headers in that order. It is 532 not possible to configure additional custom headers to search for 533 Original Client IP. 534 535 536--------------------------------------------------------------------- 537 5383. Snort2Lua 539 540--------------------------------------------------------------------- 541 542One of the major differences between Snort 2 and Snort 3 is the 543configuration. Snort 2 configuration files are written in 544Snort-specific syntax while Snort 3 configuration files are written 545in Lua. Snort2Lua is a program specifically designed to convert valid 546Snort 2 configuration files into Lua files that Snort 3 can 547understand. 548 549Snort2Lua reads your legacy Snort conf file(s) and generates Snort 3 550Lua and rules files. When running this program, the only mandatory 551option is to provide Snort2Lua with a Snort 2 configuration file. The 552default output file file is snort.lua, the default error file will be 553snort.rej, and the default rule file is the output file (default is 554snort.lua). When Snort2Lua finishes running, the resulting 555configuration file can be successfully run as the Snort3.0 556configuration file. The sole exception to this rule is when Snort2Lua 557cannot find an included file. If that occurs, the file will still be 558included in the output file and you will need to manually adjust or 559comment the file name. Additionally, if the exit code is not zero, 560some of the information may not be successfully converted. Check the 561error file for all of the conversion problems. 562 563Those errors can occur for a multitude of reasons and are not 564necessarily bad. Snort2Lua expects a valid Snort 2 configuration. 565Therefore, if the configuration is invalid or has questionable 566syntax, Snort2Lua may fail to parse the configuration file or create 567an invalid Snort 3 configuration file. 568 569There are a also few peculiarities of Snort2Lua that may be confusing 570to a first time user: 571 572 * Aside from an initial configuration file (which is specified from 573 the command line or as the file in ‘config binding’), every file 574 that is included into Snort 3 must be either a Lua file or a rule 575 file; the file cannot contain both rules and Lua syntax. 576 Therefore, when parsing a file specified with the ‘include’ 577 command, Snort2Lua will output both a Lua file and a rule file. 578 * Any line that is a comment in a configuration file will be added 579 in to a comments section at the bottom of the main configuration 580 file. 581 * Rules that contain unsupported options will be converted to the 582 best of Snort2Lua’s capability and then printed as a comment in 583 the rule file. 584 * Files with a .rules suffix are assumed to be Talos 2.X rules 585 files and converted line-by-line. In this case, lines starting 586 with alert are converted as usual but lines starting with # alert 587 are assumed to be commented out rules which are converted to 3.0 588 format and remain comments in the output file. All other comments 589 are passed through directly. There is no support for other 590 commented rule actions since these do not appear in Talos rules 591 files. 592 593 5943.1. Snort2Lua Command Line 595 596-------------- 597 598By default, Snort2Lua will attempt to parse every ‘include’ file and 599every ‘binding’ file. There is an option to change this 600functionality. 601 602When specifying a rule file with one of the command line options, 603Snort2Lua will output all of the converted rules to that specified 604rule file. This is especially useful when you are only interesting in 605converting rules since there is no Lua syntax in rule files. There is 606also an option that tells Snort2Lua to output every rule for a given 607configuration into a single rule file. Similarly, there is an option 608pull all of the Lua syntax from every ‘include’ file into the output 609file. 610 611There are currently three output modes: default, quiet, and 612differences. As expected, quiet mode produces a Snort configuration. 613All errors (aside from Fatal Snort2Lua errors), differences, and 614comments will omitted from the final output file. Default mode will 615print everything. That mean you will be able to see exactly what 616changes have occurred between Snort 2 and Snort 3 in addition to the 617new syntax, the original file’s comments, and all errors that have 618occurred. Finally, differences mode will not actually output a valid 619Snort 3 configuration. Instead, you can see the exact options from 620the input configuration that have changed. 621 6223.1.1. Usage: snort2lua [OPTIONS]… -c <snort_conf> … 623 624Converts the Snort configuration file specified by the -c or 625--conf-file options into a Snort++ configuration file 626 6273.1.1.1. Options: 628 629 * -? show usage 630 * -h this overview of snort2lua 631 * -a default option. print all data 632 * -c <snort_conf> The Snort <snort_conf> file to convert 633 * -d print the differences, and only the differences, between the 634 Snort and Snort++ configurations to the <out_file> 635 * -e <error_file> output all errors to <error_file> 636 * -i if <snort_conf> file contains any <include_file> or 637 <policy_file> (i.e. include path/to/conf/other_conf), do NOT 638 parse those files 639 * -m add a remark to the end of every converted rule 640 * -o <out_file> output the new Snort++ lua configuration to 641 <out_file> 642 * -q quiet mode. Only output valid configuration information to the 643 <out_file> 644 * -r <rule_file> output any converted rule to <rule_file> 645 * -s when parsing <include_file>, write <include_file>'s rules to 646 <rule_file>. Meaningless if -i provided 647 * -t when parsing <include_file>, write <include_file>'s 648 information, excluding rules, to <out_file>. Meaningless if -i 649 provided 650 * -V Print the current Snort2Lua version 651 * --bind-wizard Add default wizard to bindings 652 * --bind-port Convert port bindings 653 * --conf-file Same as -c. A Snort <snort_conf> file which will be 654 converted 655 * --dont-parse-includes Same as -p. if <snort_conf> file contains 656 any <include_file> or <policy_file> (i.e. include path/to/conf/ 657 other_conf), do NOT parse those files 658 * --dont-convert-max-sessions do not convert max_tcp, max_udp, 659 max_icmp, max_ip to max_session 660 * --error-file=<error_file> Same as -e. output all errors to 661 <error_file> 662 * --help Same as -h. this overview of snort2lua 663 * --ips-policy-pattern Convert config bindings matching this path 664 to ips policy bindings 665 * --markup print help in asciidoc compatible format 666 * --output-file=<out_file> Same as -o. output the new Snort++ lua 667 configuration to <out_file> 668 * --print-all Same as -a. default option. print all data 669 * --print-differences Same as -d. output the differences, and only 670 the differences, between the Snort and Snort++ configurations to 671 the <out_file> 672 * --quiet Same as -q. quiet mode. Only output valid configuration 673 information to the <out_file> 674 * --remark same as -m. add a remark to the end of every converted 675 rule 676 * --rule-file=<rule_file> Same as -r. output any converted rule to 677 <rule_file> 678 * --single-conf-file Same as -t. when parsing <include_file>, write 679 <include_file>'s information, excluding rules, to <out_file> 680 * --single-rule-file Same as -s. when parsing <include_file>, write 681 <include_file>'s rules to <rule_file>. 682 * --version Same as -V. Print the current Snort2Lua version 683 6843.1.1.2. Required option: 685 686 * A Snort configuration file to convert. Set with either -c or 687 --conf-file 688 6893.1.1.3. Default values: 690 691 * <out_file> = snort.lua 692 * <rule_file> = <out_file> = snort.lua. Rules are written to the 693 local_rules variable in the <out_file> 694 * <error_file> = snort.rej. This file will not be created in quiet 695 mode. 696 697 6983.2. Known Problems 699 700-------------- 701 702 * Any Snort 2 ‘string’ which is dependent on a variable will no 703 longer have that variable in the Lua string. 704 * Snort2Lua currently does not handle variables well. First, that 705 means variables will not always be parsed correctly. Second, 706 sometimes a variables value will be output in the lua file rather 707 than a variable For instance, if Snort2Lua attempted to convert 708 the line include $RULE_PATH/example.rule, the output may output 709 include /etc/rules/example.rule instead. 710 * When Snort2Lua parses a ‘binding’ configuration file, the rules 711 and configuration will automatically be combined into the same 712 file. Also, the new files name will automatically become the old 713 file’s name with a .lua extension. There is currently no way to 714 specify or change that files name. 715 * If a rule’s action is a custom ruletype, that rule action will be 716 silently converted to the rule’s type. No warnings or errors are 717 currently emitted. Additionally, the custom ruletypes outputs 718 will be silently discarded. 719 * If the original configuration contains a binding that points to 720 another file and the binding file contains an error, Snort2Lua 721 will output the number of rejects for the binding file in 722 addition to the number of rejects in the main file. The two 723 numbers will eventually be combined into one output. 724 * If the original configuration contains a replace rule with alert 725 action, Snort2Lua won’t translate the rule from alert to rewrite 726 action. It will keep the action as alert, which does not actually 727 replace the content in Snort 3. To replace content, the rule 728 action needs to be rewrite, which can be added manually or by 729 tooling. 730 731 7323.3. Usage 733 734-------------- 735 736Snort2Lua is included in the Snort 3 distribution. The Snort2Lua 737source code is located in the tools/snort2lua directory. The program 738is automatically built and installed. 739 740Translating your configuration 741 742To run Snort2Lua, the only requirement is a file containing Snort 2 743syntax. Assuming your configuration file is named snort.conf, run the 744command 745 746snort2lua –c snort.conf 747 748Snort2Lua will output a file named snort.lua. Assuming your 749snort.conf file is a valid Snort 2 configuration file, than the 750resulting snort.lua file will always be a valid Snort 3 configuration 751file; any errors that occur are because Snort 3 currently does not 752support all of the Snort 2 options. 753 754Every keyword from the Snort configuration can be found in the output 755file. If the option or keyword has changed, then a comment containing 756both the option or keyword’s old name and new name will be present in 757the output file. 758 759Translating a rule file 760 761Snort2Lua can also accommodate translating individual rule files. 762Assuming the Snort 2 rule file is named snort.rules and you want the 763new rule file to be name updated.rules, run the command 764 765snort2lua –c snort.rules -r updated.rules 766 767Snort2Lua will output a file named updated.rules. That file, 768updated.rules, will always be a valid Snort 3 rule file. Any rule 769that contains unsupported options will be a comment in the output 770file. 771 772Understanding the Output 773 774Although Snort2Lua outputs very little to the console, there are 775several things that occur when Snort2Lua runs. This is a list of 776Snort2Lua outputs. 777 778The console. Every line that Snort2Lua is unable to translate from 779the Snort 2.X format to the Snort 3 format is considered an error. 780Upon exiting, Snort2Lua will print the number of errors that 781occurred. Snort2Lua will also print the name of the error file. 782 783The output file. As previously mentioned, Snort2Lua will create a Lua 784file with valid Snort 3 syntax. The default Lua file is named 785snort.lua. This file is the equivalent of your main Snort 2 786configuration file. 787 788The rule file. By default, all rules will be printed to the Lua file. 789However, if a rule file is specified on the command line, any rules 790found in the Snort 2 configuration will be written to the rule file 791instead 792 793The error file. By default, the error file is snort.rej. It will only 794be created if errors exist. Every error referenced on the command 795line can be found in this file. There are two reasons an error can 796occur. 797 798 * The Snort 2 configuration file has invalid syntax. If Snort 2 799 cannot parse the configuration file, neither can Snort2Lua. In 800 the example below, Snort2Lua could not convert the line config 801 bad_option. Since that is not valid Snort 2 syntax, this is a 802 syntax error. 803 * The Snort 2 configuration file contains preprocessors and rule 804 options that are not supported in Snort 3. If Snort 2 can parse a 805 line that Snort2Lua cannot parse, than Snort 3 does not support 806 something in the line. As Snort 3 begins supporting these 807 preprocessors and rule options, Snort2Lua will also begin 808 translating these lines. One example of such an error is dcerpc2. 809 810Additional .lua and .rules files. Every time Snort2Lua parses the 811include or binding keyword, the program will attempt to parse the 812file referenced by the keyword. Snort2Lua will then create one or two 813new files. The new files will have a .lua or .rules extension 814appended to the original filename. 815 816 817--------------------------------------------------------------------- 818 8194. Configuration Changes 820 821--------------------------------------------------------------------- 822 823change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy' 824change -> attribute_table: 'filename <file_name>' ==> 'hosts[]' 825change -> config 'addressspace_agnostic' ==> 'packets.address_space_agnostic' 826change -> config 'checksum_mode' ==> 'network.checksum_eval' 827change -> config 'daq_dir' ==> 'daq.module_dirs' 828change -> config 'detection_filter' ==> 'alerts.detection_filter_memcap' 829change -> config 'enable_deep_teredo_inspection' ==> 'udp.deep_teredo_inspection' 830change -> config 'enable_mpls_overlapping_ip' ==> 'packets.mpls_agnostic' 831change -> config 'event_filter' ==> 'alerts.event_filter_memcap' 832change -> config 'max_attribute_hosts' ==> 'attribute_table.max_hosts' 833change -> config 'max_attribute_services_per_host' ==> 'attribute_table.max_services_per_host' 834change -> config 'nopcre' ==> 'detection.pcre_enable' 835change -> config 'pkt_count' ==> 'packets.limit' 836change -> config 'rate_filter' ==> 'alerts.rate_filter_memcap' 837change -> config 'react' ==> 'react.page' 838change -> config 'threshold' ==> 'alerts.event_filter_memcap' 839change -> converter: 'gen_id' ==> 'gid' 840change -> converter: 'sid_id' ==> 'sid' 841change -> csv: 'csv' ==> 'fields' 842change -> csv: 'dgmlen' ==> 'pkt_len' 843change -> csv: 'dst' ==> 'dst_addr' 844change -> csv: 'dstport' ==> 'dst_port' 845change -> csv: 'ethdst' ==> 'eth_dst' 846change -> csv: 'ethlen' ==> 'eth_len' 847change -> csv: 'ethsrc' ==> 'eth_src' 848change -> csv: 'ethtype' ==> 'eth_type' 849change -> csv: 'icmpcode' ==> 'icmp_code' 850change -> csv: 'icmpid' ==> 'icmp_id' 851change -> csv: 'icmpseq' ==> 'icmp_seq' 852change -> csv: 'icmptype' ==> 'icmp_type' 853change -> csv: 'id' ==> 'ip_id' 854change -> csv: 'iplen' ==> 'ip_len' 855change -> csv: 'sig_generator' ==> 'gid' 856change -> csv: 'sig_id' ==> 'sid' 857change -> csv: 'sig_rev' ==> 'rev' 858change -> csv: 'src' ==> 'src_addr' 859change -> csv: 'srcport' ==> 'src_port' 860change -> csv: 'tcpack' ==> 'tcp_ack' 861change -> csv: 'tcpflags' ==> 'tcp_flags' 862change -> csv: 'tcplen' ==> 'tcp_len' 863change -> csv: 'tcpseq' ==> 'tcp_seq' 864change -> csv: 'tcpwindow' ==> 'tcp_win' 865change -> csv: 'udplength' ==> 'udp_len' 866change -> daq: 'config daq:' ==> 'name' 867change -> daq_mode: 'config daq_mode:' ==> 'mode' 868change -> daq_var: 'config daq_var:' ==> 'variables' 869change -> detection: 'ac' ==> 'ac_full' 870change -> detection: 'ac-banded' ==> 'ac_banded' 871change -> detection: 'ac-bnfa' ==> 'ac_bnfa' 872change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa' 873change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa' 874change -> detection: 'ac-nq' ==> 'ac_full' 875change -> detection: 'ac-q' ==> 'ac_full' 876change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands' 877change -> detection: 'ac-split' ==> 'ac_full' 878change -> detection: 'ac-split' ==> 'split_any_any' 879change -> detection: 'ac-std' ==> 'ac_std' 880change -> detection: 'acs' ==> 'ac_sparse' 881change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit' 882change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns' 883change -> detection: 'intel-cpm' ==> 'hyperscan' 884change -> detection: 'lowmem-nq' ==> 'lowmem' 885change -> detection: 'lowmem-q' ==> 'lowmem' 886change -> detection: 'max-pattern-len' ==> 'max_pattern_len' 887change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp' 888change -> detection: 'search-method' ==> 'search_method' 889change -> detection: 'search-optimize' ==> 'search_optimize' 890change -> detection: 'split-any-any' ==> 'split_any_any = true by default' 891change -> detection: 'split-any-any' ==> 'split_any_any' 892change -> dnp3: 'ports' ==> 'bindings' 893change -> dns: 'ports' ==> 'bindings' 894change -> dynamicdetection ==> 'snort.--plugin_path=<path>' 895change -> dynamicengine ==> 'snort.--plugin_path=<path>' 896change -> dynamicpreprocessor ==> 'snort.--plugin_path=<path>' 897change -> dynamicsidechannel ==> 'snort.--plugin_path=<path>' 898change -> event_filter: 'gen_id' ==> 'gid' 899change -> event_filter: 'sig_id' ==> 'sid' 900change -> event_filter: 'threshold' ==> 'event_filter' 901change -> file: 'config file: file_block_timeout' ==> 'block_timeout' 902change -> file: 'config file: file_capture_block_size' ==> 'capture_block_size' 903change -> file: 'config file: file_capture_max' ==> 'capture_max_size' 904change -> file: 'config file: file_capture_memcap' ==> 'capture_memcap' 905change -> file: 'config file: file_capture_min' ==> 'capture_min_size' 906change -> file: 'config file: file_type_depth' ==> 'type_depth' 907change -> file: 'config file: signature' ==> 'enable_signature' 908change -> file: 'config file: type_id' ==> 'enable_type' 909change -> file: 'ver' ==> 'version' 910change -> frag3_engine: 'min_fragment_length' ==> 'min_frag_length' 911change -> frag3_engine: 'overlap_limit' ==> 'max_overlaps' 912change -> frag3_engine: 'policy bsd-right' ==> 'policy = bsd_right' 913change -> frag3_engine: 'timeout' ==> 'session_timeout' 914change -> ftp_telnet_protocol: 'alt_max_param_len' ==> 'cmd_validity' 915change -> ftp_telnet_protocol: 'data_chan' ==> 'ignore_data_chan' 916change -> ftp_telnet_protocol: 'ports' ==> 'bindings' 917change -> gtp: 'ports' ==> 'bindings' 918change -> http_inspect_server: 'bare_byte' ==> 'utf8_bare_byte' 919change -> http_inspect_server: 'client_flow_depth' ==> 'request_depth' 920change -> http_inspect_server: 'double_decode' ==> 'iis_double_decode' 921change -> http_inspect_server: 'http_inspect_server' ==> 'http_inspect' 922change -> http_inspect_server: 'iis_backslash' ==> 'backslash_to_slash' 923change -> http_inspect_server: 'inspect_gzip' ==> 'unzip' 924change -> http_inspect_server: 'non_rfc_char' ==> 'bad_characters' 925change -> http_inspect_server: 'ports' ==> 'bindings' 926change -> http_inspect_server: 'u_encode' ==> 'percent_u' 927change -> http_inspect_server: 'utf_8' ==> 'utf8' 928change -> imap: 'ports' ==> 'bindings' 929change -> modbus: 'ports' ==> 'bindings' 930change -> na_policy_mode: 'na_policy_mode' ==> 'mode' 931change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:32768]' 932change -> perfmonitor: 'console' ==> 'format = 'text'' 933change -> perfmonitor: 'console' ==> 'output = 'console'' 934change -> perfmonitor: 'file' ==> 'format = 'csv'' 935change -> perfmonitor: 'file' ==> 'output = 'file'' 936change -> perfmonitor: 'flow-file' ==> 'format = 'csv'' 937change -> perfmonitor: 'flow-file' ==> 'output = 'file'' 938change -> perfmonitor: 'flow-ip' ==> 'flow_ip' 939change -> perfmonitor: 'flow-ip-file' ==> 'format = 'csv'' 940change -> perfmonitor: 'flow-ip-file' ==> 'output = 'file'' 941change -> perfmonitor: 'flow-ip-memcap' ==> 'flow_ip_memcap' 942change -> perfmonitor: 'flow-ports' ==> 'flow_ports' 943change -> perfmonitor: 'pktcnt' ==> 'packets' 944change -> perfmonitor: 'snortfile' ==> 'format = 'csv'' 945change -> perfmonitor: 'snortfile' ==> 'output = 'file'' 946change -> perfmonitor: 'time' ==> 'seconds' 947change -> policy_mode: 'inline_test' ==> 'inline-test' 948change -> pop: 'ports' ==> 'bindings' 949change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath' 950change -> ppm: 'max-pkt-time' ==> 'packet.max_time' 951change -> ppm: 'max-rule-time' ==> 'rule.max_time' 952change -> ppm: 'ppm' ==> 'latency' 953change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend' 954change -> ppm: 'suspend-timeout' ==> 'max_suspend_time' 955change -> ppm: 'threshold' ==> 'rule.suspend_threshold' 956change -> preprocessor 'normalize_icmp4' ==> 'normalize.icmp4' 957change -> preprocessor 'normalize_icmp6' ==> 'normalize.icmp6' 958change -> preprocessor 'normalize_ip6' ==> 'normalize.ip6' 959change -> profile: 'print' ==> 'count' 960change -> profile: 'sort avg_ticks' ==> 'sort = avg_check' 961change -> profile: 'sort total_ticks' ==> 'sort = total_time' 962change -> rate_filter: 'gen_id' ==> 'gid' 963change -> rate_filter: 'sig_id' ==> 'sid' 964change -> reputation: 'shared_mem' ==> 'list_dir' 965change -> sfportscan: 'proto' ==> 'protos' 966change -> sfportscan: 'scan_type' ==> 'scan_types' 967change -> sip: 'max_requestName_len' ==> 'max_request_name_len' 968change -> sip: 'ports' ==> 'bindings' 969change -> smtp: 'ports' ==> 'bindings' 970change -> ssh: 'server_ports' ==> 'bindings' 971change -> ssl: 'ports' ==> 'bindings' 972change -> stream5_global: 'max_active_responses' ==> 'max_responses' 973change -> stream5_global: 'min_response_seconds' ==> 'min_interval' 974change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'idle_timeout' 975change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout' 976change -> stream5_ha: 'min_session_lifetime' ==> 'min_age' 977change -> stream5_ha: 'min_sync_interval' ==> 'min_sync' 978change -> stream5_ha: 'stream5_ha' ==> 'high_availability' 979change -> stream5_ha: 'use_daq' ==> 'daq_channel' 980change -> stream5_ip: 'timeout' ==> 'session_timeout' 981change -> stream5_tcp: 'bind_to' ==> 'bindings' 982change -> stream5_tcp: 'dont_reassemble_async' ==> 'reassemble_async' 983change -> stream5_tcp: 'max_queued_bytes' ==> 'queue_limit.max_bytes' 984change -> stream5_tcp: 'max_queued_segs' ==> 'queue_limit.max_segments' 985change -> stream5_tcp: 'policy hpux' ==> 'stream_tcp.policy = hpux11' 986change -> stream5_tcp: 'timeout' ==> 'session_timeout' 987change -> stream5_udp: 'timeout' ==> 'session_timeout' 988change -> suppress: 'gen_id' ==> 'gid' 989change -> suppress: 'sig_id' ==> 'sid' 990change -> syslog: 'log_alert' ==> 'level = alert' 991change -> syslog: 'log_auth' ==> 'facility = auth' 992change -> syslog: 'log_authpriv' ==> 'facility = authpriv' 993change -> syslog: 'log_cons' ==> 'options = cons' 994change -> syslog: 'log_crit' ==> 'level = crit' 995change -> syslog: 'log_daemon' ==> 'facility = daemon' 996change -> syslog: 'log_debug' ==> 'level = debug' 997change -> syslog: 'log_emerg' ==> 'level = emerg' 998change -> syslog: 'log_err' ==> 'level = err' 999change -> syslog: 'log_info' ==> 'level = info' 1000change -> syslog: 'log_local0' ==> 'facility = local0' 1001change -> syslog: 'log_local1' ==> 'facility = local1' 1002change -> syslog: 'log_local2' ==> 'facility = local2' 1003change -> syslog: 'log_local3' ==> 'facility = local3' 1004change -> syslog: 'log_local4' ==> 'facility = local4' 1005change -> syslog: 'log_local5' ==> 'facility = local5' 1006change -> syslog: 'log_local6' ==> 'facility = local6' 1007change -> syslog: 'log_local7' ==> 'facility = local7' 1008change -> syslog: 'log_ndelay' ==> 'options = ndelay' 1009change -> syslog: 'log_notice' ==> 'level = notice' 1010change -> syslog: 'log_perror' ==> 'options = perror' 1011change -> syslog: 'log_pid' ==> 'options = pid' 1012change -> syslog: 'log_user' ==> 'facility = user' 1013change -> syslog: 'log_warning' ==> 'level = warning' 1014change -> threshold: 'ips_option: threshold' ==> 'event_filter' 1015change -> unified2: 'alert_unified2' ==> 'unified2' 1016change -> unified2: 'log_unified2' ==> 'unified2' 1017change -> unified2: 'unified2' ==> 'unified2' 1018deleted -> arpspoof: 'unicast' 1019deleted -> attribute_table: '<FRAG_POLICY>hpux</FRAG_POLICY>' 1020deleted -> attribute_table: '<FRAG_POLICY>irix</FRAG_POLICY>' 1021deleted -> attribute_table: '<FRAG_POLICY>old-linux</FRAG_POLICY>' 1022deleted -> attribute_table: '<FRAG_POLICY>unknown</FRAG_POLICY>' 1023deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>' 1024deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>' 1025deleted -> config 'cs_dir' 1026deleted -> config 'decode_data_link' 1027deleted -> config 'disable_attribute_reload_thread' 1028deleted -> config 'disable_decode_alerts' 1029deleted -> config 'disable_decode_drops' 1030deleted -> config 'disable_inline_init_failopen' 1031deleted -> config 'disable_ipopt_alerts' 1032deleted -> config 'disable_ipopt_drops' 1033deleted -> config 'disable_replace' 1034deleted -> config 'disable_tcpopt_alerts' 1035deleted -> config 'disable_tcpopt_drops' 1036deleted -> config 'disable_tcpopt_experimental_alerts' 1037deleted -> config 'disable_tcpopt_experimental_drops' 1038deleted -> config 'disable_tcpopt_obsolete_alerts' 1039deleted -> config 'disable_tcpopt_obsolete_drops' 1040deleted -> config 'disable_tcpopt_ttcp_alerts' 1041deleted -> config 'disable_ttcp_alerts' 1042deleted -> config 'disable_ttcp_drops' 1043deleted -> config 'dump_dynamic_rules_path' 1044deleted -> config 'dynamicoutput' 1045deleted -> config 'enable_decode_drops' 1046deleted -> config 'enable_decode_oversized_alerts' 1047deleted -> config 'enable_decode_oversized_drops' 1048deleted -> config 'enable_gtp' 1049deleted -> config 'enable_ipopt_drops' 1050deleted -> config 'enable_mpls_multicast' 1051deleted -> config 'enable_tcpopt_drops' 1052deleted -> config 'enable_tcpopt_experimental_drops' 1053deleted -> config 'enable_tcpopt_obsolete_drops' 1054deleted -> config 'enable_tcpopt_ttcp_drops' 1055deleted -> config 'enable_ttcp_drops' 1056deleted -> config 'flexresp2_attempts' 1057deleted -> config 'flexresp2_interface' 1058deleted -> config 'flexresp2_memcap' 1059deleted -> config 'flexresp2_rows' 1060deleted -> config 'flowbits_size' 1061deleted -> config 'include_vlan_in_alerts' 1062deleted -> config 'interface' 1063deleted -> config 'layer2resets' 1064deleted -> config 'log_ipv6_extra_data' 1065deleted -> config 'no_promisc' 1066deleted -> config 'nolog' 1067deleted -> config 'protected_content' 1068deleted -> config 'sfalert_unified2' 1069deleted -> config 'sflog_unified2' 1070deleted -> config 'sidechannel' 1071deleted -> config 'so_rule_memcap' 1072deleted -> csv: '<filename> can no longer be specific' 1073deleted -> csv: 'default' 1074deleted -> csv: 'trheader' 1075deleted -> detection: 'mwm' 1076deleted -> dnp3: 'disabled' 1077deleted -> dnp3: 'memcap' 1078deleted -> dns: 'enable_experimental_types' 1079deleted -> dns: 'enable_obsolete_types' 1080deleted -> dns: 'enable_rdata_overflow' 1081deleted -> event_trace: 'file' 1082deleted -> fast: '<filename> can no longer be specific' 1083deleted -> frag3_engine: 'detect_anomalies' 1084deleted -> frag3_global: 'disabled' 1085deleted -> ftp_telnet_protocol: 'detect_anomalies' 1086deleted -> full: '<filename> can no longer be specific' 1087deleted -> http_inspect: 'detect_anomalous_servers' 1088deleted -> http_inspect: 'disabled' 1089deleted -> http_inspect: 'fast_blocking' 1090deleted -> http_inspect: 'normalize_random_nulls_in_text' 1091deleted -> http_inspect: 'proxy_alert' 1092deleted -> http_inspect_server: 'allow_proxy_use' 1093deleted -> http_inspect_server: 'enable_cookie' 1094deleted -> http_inspect_server: 'enable_xff' 1095deleted -> http_inspect_server: 'extended_ascii_uri' 1096deleted -> http_inspect_server: 'extended_response_inspection' 1097deleted -> http_inspect_server: 'iis_unicode_map not allowed in sever' 1098deleted -> http_inspect_server: 'inspect_uri_only' 1099deleted -> http_inspect_server: 'log_hostname' 1100deleted -> http_inspect_server: 'log_uri' 1101deleted -> http_inspect_server: 'no_alerts' 1102deleted -> http_inspect_server: 'no_pipeline_req' 1103deleted -> http_inspect_server: 'non_strict' 1104deleted -> http_inspect_server: 'normalize_cookies' 1105deleted -> http_inspect_server: 'normalize_headers' 1106deleted -> http_inspect_server: 'small_chunk_length' 1107deleted -> http_inspect_server: 'tab_uri_delimiter' 1108deleted -> http_inspect_server: 'unlimited_decompress' 1109deleted -> imap: 'disabled' 1110deleted -> imap: 'max_mime_mem' 1111deleted -> imap: 'memcap' 1112deleted -> perfmonitor: 'accumulate' 1113deleted -> perfmonitor: 'atexitonly' 1114deleted -> perfmonitor: 'atexitonly: base-stats' 1115deleted -> perfmonitor: 'atexitonly: events-stats' 1116deleted -> perfmonitor: 'atexitonly: flow-ip-stats' 1117deleted -> perfmonitor: 'atexitonly: flow-stats' 1118deleted -> perfmonitor: 'atexitonly: reset' 1119deleted -> perfmonitor: 'events' 1120deleted -> perfmonitor: 'max' 1121deleted -> pop: 'disabled' 1122deleted -> pop: 'max_mime_mem' 1123deleted -> pop: 'memcap' 1124deleted -> ppm: 'debug-pkts' 1125deleted -> reputation: 'shared_max_instances' 1126deleted -> reputation: 'shared_refresh' 1127deleted -> rpc_decode: 'alert_fragments' 1128deleted -> rpc_decode: 'no_alert_incomplete' 1129deleted -> rpc_decode: 'no_alert_large_fragments' 1130deleted -> rpc_decode: 'no_alert_multiple_requests' 1131deleted -> rule_state: 'action' 1132deleted -> rule_state: 'enable' 1133deleted -> sfportscan: 'detect_ack_scans' 1134deleted -> sfportscan: 'disabled' 1135deleted -> sfportscan: 'logfile' 1136deleted -> sfportscan: 'sense_level' 1137deleted -> sip: 'disabled' 1138deleted -> sip: 'max_sessions' 1139deleted -> smtp: 'alert_unknown_cmds' 1140deleted -> smtp: 'disabled' 1141deleted -> smtp: 'enable_mime_decoding' 1142deleted -> smtp: 'inspection_type' 1143deleted -> smtp: 'max_mime_depth' 1144deleted -> smtp: 'max_mime_mem' 1145deleted -> smtp: 'memcap' 1146deleted -> smtp: 'no_alerts' 1147deleted -> smtp: 'print_cmds' 1148deleted -> ssh: 'autodetect' 1149deleted -> ssh: 'enable_badmsgdir' 1150deleted -> ssh: 'enable_paysize' 1151deleted -> ssh: 'enable_protomismatch' 1152deleted -> ssh: 'enable_recognition' 1153deleted -> ssh: 'enable_respoverflow' 1154deleted -> ssh: 'enable_srvoverflow' 1155deleted -> ssh: 'enable_ssh1crc32' 1156deleted -> ssl: 'noinspect_encrypted' 1157deleted -> stream5_global: 'disabled' 1158deleted -> stream5_global: 'flush_on_alert' 1159deleted -> stream5_global: 'memcap' 1160deleted -> stream5_global: 'no_midstream_drop_alerts' 1161deleted -> stream5_tcp: 'check_session_hijacking' 1162deleted -> stream5_tcp: 'detect_anomalies' 1163deleted -> stream5_tcp: 'dont_store_large_packets' 1164deleted -> stream5_tcp: 'ignore_any_rules' 1165deleted -> stream5_tcp: 'log_asymmetric_traffic' 1166deleted -> stream5_tcp: 'policy noack' 1167deleted -> stream5_tcp: 'policy unknown' 1168deleted -> stream5_tcp: 'use_static_footprint_sizes' 1169deleted -> stream5_udp: 'ignore_any_rules' 1170deleted -> tcpdump: '<filename> can no longer be specific' 1171deleted -> test: 'file' 1172deleted -> test: 'stdout' 1173deleted -> unified2: 'filename' 1174deleted -> unified2: 'mpls_event_types' 1175deleted -> unified2: 'vlan_event_types' 1176 1177