snort-2.9.7.0/0000755000000000000000000000000012416771510010007 500000000000000snort-2.9.7.0/ylwrap0000755000000000000000000001553612416771462011213 00000000000000#! /bin/sh # ylwrap - wrapper for lex/yacc invocations. scriptversion=2012-12-21.17; # UTC # Copyright (C) 1996-2013 Free Software Foundation, Inc. # # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # This file is maintained in Automake, please report # bugs to or send patches to # . get_dirname () { case $1 in */*|*\\*) printf '%s\n' "$1" | sed -e 's|\([\\/]\)[^\\/]*$|\1|';; # Otherwise, we want the empty string (not "."). esac } # guard FILE # ---------- # The CPP macro used to guard inclusion of FILE. guard() { printf '%s\n' "$1" \ | sed \ -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/' \ -e 's/[^ABCDEFGHIJKLMNOPQRSTUVWXYZ]/_/g' \ -e 's/__*/_/g' } # quote_for_sed [STRING] # ---------------------- # Return STRING (or stdin) quoted to be used as a sed pattern. quote_for_sed () { case $# in 0) cat;; 1) printf '%s\n' "$1";; esac \ | sed -e 's|[][\\.*]|\\&|g' } case "$1" in '') echo "$0: No files given. Try '$0 --help' for more information." 
1>&2 exit 1 ;; --basedir) basedir=$2 shift 2 ;; -h|--h*) cat <<\EOF Usage: ylwrap [--help|--version] INPUT [OUTPUT DESIRED]... -- PROGRAM [ARGS]... Wrapper for lex/yacc invocations, renaming files as desired. INPUT is the input file OUTPUT is one file PROG generates DESIRED is the file we actually want instead of OUTPUT PROGRAM is program to run ARGS are passed to PROG Any number of OUTPUT,DESIRED pairs may be used. Report bugs to . EOF exit $? ;; -v|--v*) echo "ylwrap $scriptversion" exit $? ;; esac # The input. input="$1" shift # We'll later need for a correct munging of "#line" directives. input_sub_rx=`get_dirname "$input" | quote_for_sed` case "$input" in [\\/]* | ?:[\\/]*) # Absolute path; do nothing. ;; *) # Relative path. Make it absolute. input="`pwd`/$input" ;; esac input_rx=`get_dirname "$input" | quote_for_sed` # Since DOS filename conventions don't allow two dots, # the DOS version of Bison writes out y_tab.c instead of y.tab.c # and y_tab.h instead of y.tab.h. Test to see if this is the case. y_tab_nodot=false if test -f y_tab.c || test -f y_tab.h; then y_tab_nodot=true fi # The parser itself, the first file, is the destination of the .y.c # rule in the Makefile. parser=$1 # A sed program to s/FROM/TO/g for all the FROM/TO so that, for # instance, we rename #include "y.tab.h" into #include "parse.h" # during the conversion from y.tab.c to parse.c. sed_fix_filenames= # Also rename header guards, as Bison 2.7 for instance uses its header # guard in its implementation file. sed_fix_header_guards= while test "$#" -ne 0; do if test "$1" = "--"; then shift break fi from=$1 # Handle y_tab.c and y_tab.h output by DOS if $y_tab_nodot; then case $from in "y.tab.c") from=y_tab.c;; "y.tab.h") from=y_tab.h;; esac fi shift to=$1 shift sed_fix_filenames="${sed_fix_filenames}s|"`quote_for_sed "$from"`"|$to|g;" sed_fix_header_guards="${sed_fix_header_guards}s|"`guard "$from"`"|"`guard "$to"`"|g;" done # The program to run. 
prog="$1" shift # Make any relative path in $prog absolute. case "$prog" in [\\/]* | ?:[\\/]*) ;; *[\\/]*) prog="`pwd`/$prog" ;; esac # FIXME: add hostname here for parallel makes that run commands on # other machines. But that might take us over the 14-char limit. dirname=ylwrap$$ do_exit="cd '`pwd`' && rm -rf $dirname > /dev/null 2>&1;"' (exit $ret); exit $ret' trap "ret=129; $do_exit" 1 trap "ret=130; $do_exit" 2 trap "ret=141; $do_exit" 13 trap "ret=143; $do_exit" 15 mkdir $dirname || exit 1 cd $dirname case $# in 0) "$prog" "$input" ;; *) "$prog" "$@" "$input" ;; esac ret=$? if test $ret -eq 0; then for from in * do to=`printf '%s\n' "$from" | sed "$sed_fix_filenames"` if test -f "$from"; then # If $2 is an absolute path name, then just use that, # otherwise prepend '../'. case $to in [\\/]* | ?:[\\/]*) target=$to;; *) target="../$to";; esac # Do not overwrite unchanged header files to avoid useless # recompilations. Always update the parser itself: it is the # destination of the .y.c rule in the Makefile. Divert the # output of all other files to a temporary file so we can # compare them to existing versions. if test $from != $parser; then realtarget="$target" target=tmp-`printf '%s\n' "$target" | sed 's|.*[\\/]||g'` fi # Munge "#line" or "#" directives. Don't let the resulting # debug information point at an absolute srcdir. Use the real # output file name, not yy.lex.c for instance. Adjust the # include guards too. sed -e "/^#/!b" \ -e "s|$input_rx|$input_sub_rx|" \ -e "$sed_fix_filenames" \ -e "$sed_fix_header_guards" \ "$from" >"$target" || ret=$? # Check whether files must be updated. if test "$from" != "$parser"; then if test -f "$realtarget" && cmp -s "$realtarget" "$target"; then echo "$to is unchanged" rm -f "$target" else echo "updating $to" mv -f "$target" "$realtarget" fi fi else # A missing file is only an error for the parser. This is a # blatant hack to let us support using "yacc -d". 
If -d is not # specified, don't fail when the header file is "missing". if test "$from" = "$parser"; then ret=1 fi fi done fi # Remove the directory. cd .. rm -rf $dirname exit $ret # Local Variables: # mode: shell-script # sh-indentation: 2 # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: snort-2.9.7.0/LICENSE0000644000000000000000000005103112026730050010723 00000000000000***************************************************************************** The text that follows is the GNU General Public License, Version 2 (GPL V2) and governs your use, modification and/or distribution of SNORT. Section 9 of the GPL V2 acknowledges that the Free Software Foundation may publish revised and/or new versions of the GPL V2 from time to time. Section 9 further states that a licensee of a program subject to the GPL V2 could be free to use any such revised and/or new versions under two different scenarios: 1. "Failure to Specify." Section 9 of the GPL V2 allows a licensee of a program governed by an unspecified version of the General Public License to choose any version of the General Public License ever published by the Free Software Foundation to govern his or her use of such program. This provision is not applicable to your use of SNORT because we have expressly stated in a number of instances that any third party's use, modification or distribution of SNORT is governed by GPL V2. 2. "Any Later Version." At the end of the terms and condition of the GPL V2 is a section called "How to Apply these Terms to Your New Program," which provides guidance to a developer on how to apply the GPL V2 to a third party's use, modification and/or distribution of his/her program. Among other things, this guidance suggests that the developer attach certain notices to the program. 
Of particular importance is the following notice: "This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version." Thus if a developer follows strictly the guidance provided by the Free Software Foundation, Section 9 of the GPL V2 provides the licensee the option to either use, modify or distribute the program under GPL V2 or under any later version published by the Free Software Foundation. SNORT is an open source project that is governed exclusively by the GPL V2 and any third party desiring to use, modify or distribute SNORT must do so by strictly following the terms and conditions of GPL V2. Anyone using, modifying or distributing SNORT does not have the option to chose to use, modify or distribute SNORT under any revised or new version of the GPL, including without limitation, the GNU General Public License Version 3. For ease of reference, the comparable notice that is used with SNORT (contained in the 'README' file) is as follows: "This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License Version 2 as published by the Free Software Foundation. You may not use, modify or distribute this program under any other version of the GNU General Public License." If you have any questions about this statement, please feel free to email snort-info@snort.org. ***************************************************************************** GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. 
By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. 
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. 
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. 
But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. 
For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. 
Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. 
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. 
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. 
Copyright (C) 19yy This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. 
If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. snort-2.9.7.0/etc/0000755000000000000000000000000012416771510010562 500000000000000snort-2.9.7.0/etc/reference.config0000644000000000000000000000125711701611340013622 00000000000000# $Id$ # The following defines URLs for the references found in the rules # # config reference: system URL config reference: bugtraq http://www.securityfocus.com/bid/ config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name= config reference: arachNIDS http://www.whitehats.com/info/IDS config reference: osvdb http://osvdb.org/show/osvdb/ # Note, this one needs a suffix as well.... lets add that in a bit. config reference: McAfee http://vil.nai.com/vil/content/v_ config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id= config reference: url http:// config reference: msb http://technet.microsoft.com/en-us/security/bulletin/ snort-2.9.7.0/etc/unicode.map0000644000000000000000000047153611607417605012652 00000000000000# Windows Version: 6.01.7601 # OEM codepage: 437 # ACP codepage: 1252 # INSTALLED CODEPAGES 10081 (MAC - Turkish) 1254 (ANSI - Turkish) 00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 
0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 
ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 857 (OEM - Turkish) 00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bb:27 02bc:27 02c4:5e 02c6:5e 02c7:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02d8:5e 02dc:7e 0300:60 0302:5e 0303:7e 0306:5e 030c:5e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2033:22 2035:22 
2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a4:4c 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:2d 2215:2f 2216:5c 2217:2a 2219:07 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 275b:27 275c:27 275d:22 275e:22 3000:20 3008:3c 3009:3e 301a:5b 301b:7d 301d:22 301e:22 301f:22 30fb:07 30fc:5f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 20905 (IBM EBCDIC - Turkish) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:68 005e:5f 005f:6d 007b:48 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 
0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c0:64 00c1:65 00c2:62 00c4:63 00c7:4a 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7b 00dc:7f 00df:59 00e0:44 00e1:45 00e2:42 00e4:43 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 010a:67 010b:47 011e:5a 0130:5b 0131:79 015e:7c 015f:6a ff01:4f ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:68 ff3e:5f ff3f:6d ff5b:48 28593 (ISO 8859-3 Latin 3) 00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b9:31 00ba:6f 00bb:3e 00c3:41 00c5:41 00c6:41 00d0:44 00d5:4f 00d8:4f 00dd:59 00e3:61 00e5:61 00e6:61 00f5:6f 00f8:6f 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 0122:47 0123:67 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 
02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1026 (IBM EBCDIC - Turkish (Latin-5)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:68 005e:5f 005f:6d 007b:48 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:4a 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7b 00dc:7f 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 011e:5a 0130:5b 0131:79 015e:7c 015f:6a ff01:4f ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c 
ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:68 ff3e:5f ff3f:6d ff5b:48 10003 (MAC - Korean) 00a6:7c 00ae:52 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c 949 (ANSI/OEM - Korean) 00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c 1361 (Korean - Johab) 20a9:5c 20833 (IBM EBCDIC - Korean Extended) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:70 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a2:4a 00a6:6a 00ac:5f ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:70 ff3f:6d ff40:79 ff5c:4f ffa0:42 ffa1:43 ffa2:44 ffa3:45 ffa4:46 ffa5:47 ffa6:48 ffa7:49 ffa8:52 ffa9:53 ffaa:54 
ffab:55 ffac:56 ffad:57 ffae:58 ffaf:59 ffb0:62 ffb1:63 ffb2:64 ffb3:65 ffb4:66 ffb5:67 ffb6:68 ffb7:69 ffb8:72 ffb9:73 ffba:74 ffbb:75 ffbc:76 ffbd:77 ffbe:78 00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c 50225 (ISO-2022 Korean) 51949 (EUC-Korean) 00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c 500 (IBM EBCDIC - International) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f 
ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 10004 (MAC - Arabic) 1256 (ANSI - Arabic) 00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 0660:30 0661:31 0662:32 0663:33 0664:34 0665:35 0666:36 0667:37 0668:38 0669:39 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 720 (Arabic - Transparent ASMO) ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 708 (Arabic - ASMO) 864 (OEM - Arabic) 
00a7:15 00b6:14 066a:25 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 2550:05 2551:06 2554:0d 2557:0c 255a:0e 255d:0f 2560:0a 2563:08 2566:09 2569:0b 256c:07 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 263a:01 263c:04 266a:02 266b:03 20420 (IBM EBCDIC - Arabic) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 060c:79 0621:46 0622:47 0623:49 0624:52 0626:55 0627:56 0628:58 0629:62 062a:63 062b:65 062c:67 062d:69 062e:71 062f:73 0630:74 0631:75 0632:76 0633:77 0640:44 0651:42 066a:6c 066c:4b 066d:5c f8f6:77 f8fc:45 fe7c:42 fe7d:43 fe80:46 fe81:47 fe82:48 fe83:49 fe84:51 fe85:52 fe86:52 fe8b:55 fe8c:55 fe8d:56 fe8e:57 fe8f:58 fe90:58 fe91:59 fe92:59 fe93:62 fe94:62 fe95:63 fe96:63 fe97:64 fe98:64 fe99:65 fe9a:65 fe9b:66 fe9c:66 fe9d:67 fe9e:67 fe9f:68 fea0:68 fea1:69 fea2:69 fea3:70 fea4:70 fea5:71 fea6:71 fea7:72 fea8:72 fea9:73 feaa:73 feab:74 feac:74 fead:75 feae:75 feaf:76 feb0:76 feb3:78 feb4:78 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff5c:4f 28596 (ISO 8859-6 Arabic) 00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 
00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e 
ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 10008 (MAC - Simplified Chinese GB 2312) 936 (ANSI/OEM - Simplified Chinese GBK) 00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 52936 (HZ-GB2312 Simplified Chinese) 54936 (GB18030 Simplified Chinese) 20936 (Simplified Chinese GB2312) 50227 (ISO-2022 Simplified Chinese) 10029 (MAC - Latin II) 775 (OEM - Baltic) 00a1:21 00a5:59 00aa:61 00ba:6f 00c0:41 00c3:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d9:55 00db:55 00e0:61 00e3:61 00e8:63 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f9:75 00fb:75 00ff:79 0108:43 0109:63 010a:43 010b:63 0114:45 0115:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012c:49 012d:69 0130:49 0131:69 0134:4a 0135:6a 014e:4f 014f:6f 0152:4f 0153:6f 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016c:55 016d:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bb:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 
0303:7e 030e:22 0331:5f 0332:5f 037e:3b 03bc:75 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 201a:27 2022:07 2024:07 2026:07 2030:25 2032:27 2033:22 2035:22 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a4:4c 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:2d 2213:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 275b:27 275c:27 275d:22 275e:22 3000:20 3008:3c 3009:3e 301a:5b 301b:5d 301d:22 301e:22 301f:22 30fb:07 30fc:5f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1257 (ANSI - Baltic) ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 
ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 28594 (ISO 8859-4 Baltic) 00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c7:43 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d9:55 00dd:59 00e0:61 00e7:63 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f9:75 00fd:79 00ff:79 0102:41 0103:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010e:44 010f:64 0114:45 0115:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0124:48 0125:68 0126:48 0127:68 012c:49 012d:69 0130:49 0131:69 0134:4a 0135:6a 0139:4c 013a:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0147:4e 0148:6e 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 
0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 28603 (ISO 8859-13 Latin 7) 00aa:61 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c7:43 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d9:55 00da:55 00db:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e7:63 00e8:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f4:6f 00f9:75 00fa:75 00fb:75 00fd:79 00ff:79 0102:41 0103:61 0108:43 0109:63 010a:43 010b:63 010e:44 010f:64 0114:45 0115:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0124:48 0125:68 0128:49 0129:69 012c:49 012d:69 0130:49 0134:4a 0135:6a 0139:4c 013a:6c 013d:4c 013e:6c 0147:4e 0148:6e 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0158:52 0159:72 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0168:55 0169:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0174:57 0175:77 0176:59 0177:79 0178:59 017f:73 01a0:4f 01a1:6f 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01e0:41 01e1:61 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 01f4:47 
01f5:67 01f8:4e 01f9:6e 0200:41 0201:61 0202:41 0203:61 0204:45 0205:65 0206:45 0207:65 0208:49 0209:69 020a:49 020b:69 020c:4f 020d:6f 020e:4f 020f:6f 0210:52 0211:72 0212:52 0213:72 0214:55 0215:75 0216:55 0217:75 0218:53 0219:73 021a:54 021b:74 021e:48 021f:68 0226:41 0227:61 0228:45 0229:65 022e:4f 022f:6f 0230:4f 0231:6f 0232:59 0233:79 02b0:68 02b2:6a 02b3:72 02b7:77 02b8:79 02e1:6c 02e2:73 02e3:78 037e:3b 1e00:41 1e01:61 1e02:42 1e03:62 1e04:42 1e05:62 1e06:42 1e07:62 1e08:43 1e09:63 1e0a:44 1e0b:64 1e0c:44 1e0d:64 1e0e:44 1e0f:64 1e10:44 1e11:64 1e12:44 1e13:64 1e18:45 1e19:65 1e1a:45 1e1b:65 1e1c:45 1e1d:65 1e1e:46 1e1f:66 1e20:47 1e21:67 1e22:48 1e23:68 1e24:48 1e25:68 1e26:48 1e27:68 1e28:48 1e29:68 1e2a:48 1e2b:68 1e2c:49 1e2d:69 1e2e:49 1e2f:69 1e30:4b 1e31:6b 1e32:4b 1e33:6b 1e34:4b 1e35:6b 1e36:4c 1e37:6c 1e38:4c 1e39:6c 1e3a:4c 1e3b:6c 1e3c:4c 1e3d:6c 1e3e:4d 1e3f:6d 1e40:4d 1e41:6d 1e42:4d 1e43:6d 1e44:4e 1e45:6e 1e46:4e 1e47:6e 1e48:4e 1e49:6e 1e4a:4e 1e4b:6e 1e54:50 1e55:70 1e56:50 1e57:70 1e58:52 1e59:72 1e5a:52 1e5b:72 1e5c:52 1e5d:72 1e5e:52 1e5f:72 1e60:53 1e61:73 1e62:53 1e63:73 1e68:53 1e69:73 1e6a:54 1e6b:74 1e6c:54 1e6d:74 1e6e:54 1e6f:74 1e70:54 1e71:74 1e72:55 1e73:75 1e74:55 1e76:55 1e77:75 1e78:55 1e79:75 1e7c:56 1e7d:76 1e7e:56 1e7f:76 1e80:57 1e81:77 1e82:57 1e83:77 1e84:57 1e85:77 1e86:57 1e87:77 1e88:57 1e89:77 1e8a:58 1e8b:78 1e8c:58 1e8d:78 1e8e:59 1e8f:79 1e90:5a 1e91:7a 1e92:5a 1e93:7a 1e94:5a 1e95:7a 1e96:68 1e97:74 1e98:77 1e99:79 1e9b:73 1ea0:41 1ea1:61 1ea2:41 1ea3:61 1ea4:41 1ea5:61 1ea6:41 1ea7:61 1ea8:41 1ea9:61 1eaa:41 1eab:61 1eac:41 1ead:61 1eae:41 1eaf:61 1eb0:41 1eb1:61 1eb2:41 1eb3:61 1eb4:41 1eb5:61 1eb6:41 1eb7:61 1eb8:45 1eb9:65 1eba:45 1ebb:65 1ebc:45 1ebd:65 1ebe:45 1ebf:65 1ec0:45 1ec1:65 1ec2:45 1ec3:65 1ec4:45 1ec5:65 1ec6:45 1ec7:65 1ec8:49 1ec9:69 1eca:49 1ecb:69 1ecc:4f 1ecd:6f 1ece:4f 1ecf:6f 1ed0:4f 1ed1:6f 1ed2:4f 1ed3:6f 1ed4:4f 1ed5:6f 1ed6:4f 1ed7:6f 1ed8:4f 1ed9:6f 1eda:4f 1edb:6f 1edc:4f 1edd:6f 
1ede:4f 1edf:6f 1ee0:4f 1ee1:6f 1ee2:4f 1ee3:6f 1ee4:55 1ee5:75 1ee6:55 1ee7:75 1ee8:55 1ee9:75 1eea:55 1eeb:75 1eec:55 1eed:75 1eee:55 1eef:75 1ef0:55 1ef1:75 1ef2:59 1ef3:79 1ef4:59 1ef5:79 1ef6:59 1ef7:79 1ef8:59 1ef9:79 1fef:60 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2007:20 2008:20 2009:20 200a:20 2024:2e 202f:20 205f:20 2070:30 2071:69 2074:34 2075:35 2076:36 2077:37 2078:38 2079:39 207a:2b 207c:3d 207d:28 207e:29 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 208a:2b 208c:3d 208d:28 208e:29 2102:43 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212f:65 2130:45 2131:46 2133:4d 2134:6f 2139:69 2145:44 2146:64 2147:65 2148:69 2149:6a 2160:49 2164:56 2169:58 216c:4c 216d:43 216e:44 216f:4d 2170:69 2174:76 2179:78 217c:6c 217d:63 217e:64 217f:6d 2260:3d 226e:3c 226f:3e 2460:31 2461:32 2462:33 2463:34 2464:35 2465:36 2466:37 2467:38 2468:39 24b6:41 24b7:42 24b8:43 24b9:44 24ba:45 24bb:46 24bc:47 24bd:48 24be:49 24bf:4a 24c0:4b 24c1:4c 24c2:4d 24c3:4e 24c4:4f 24c5:50 24c6:51 24c7:52 24c8:53 24c9:54 24ca:55 24cb:56 24cc:57 24cd:58 24ce:59 24cf:5a 24d0:61 24d1:62 24d2:63 24d3:64 24d4:65 24d5:66 24d6:67 24d7:68 24d8:69 24d9:6a 24da:6b 24db:6c 24dc:6d 24dd:6e 24de:6f 24df:70 24e0:71 24e1:72 24e2:73 24e3:74 24e4:75 24e5:76 24e6:77 24e7:78 24e8:79 24e9:7a 24ea:30 3000:20 fb29:2b fe33:5f fe34:5f fe35:28 fe36:29 fe37:7b fe38:7d fe4d:5f fe4e:5f fe4f:5f fe50:2c fe52:2e fe54:3b fe55:3a fe57:21 fe59:28 fe5a:29 fe5b:7b fe5c:7d fe5f:23 fe60:26 fe61:2a fe62:2b fe63:2d fe64:3c fe65:3e fe66:3d fe68:5c fe69:24 fe6a:25 fe6b:40 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 
ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 10001 (MAC - Japanese) 00a1:21 00a6:7c 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 932 (ANSI/OEM - Japanese Shift-JIS) 00a1:21 00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 20290 (IBM EBCDIC - Japanese Katakana Extended) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:70 005f:6d 0060:79 0061:62 
0062:63 0063:64 0064:65 0065:66 0066:67 0067:68 0068:69 0069:71 006a:72 006b:73 006c:74 006d:75 006e:76 006f:77 0070:78 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a3:4a 00a5:5b 00ac:5f ff01:5a ff02:7f ff03:7b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:70 ff3f:6d ff40:79 ff41:62 ff42:63 ff43:64 ff44:65 ff45:66 ff46:67 ff47:68 ff48:69 ff49:71 ff4a:72 ff4b:73 ff4c:74 ff4d:75 ff4e:76 ff4f:77 ff50:78 ff5c:4f ff61:41 ff62:42 ff63:43 ff64:44 ff65:45 ff66:46 ff67:47 ff68:48 ff69:49 ff6a:51 ff6b:52 ff6c:53 ff6d:54 ff6e:55 ff6f:56 ff70:58 20932 (JIS X 0208-1990 & 0212-1990) 50220 (ISO-2022 Japanese with no halfwidth Katakana) 50221 (ISO-2022 Japanese with halfwidth Katakana) 50222 (ISO-2022 Japanese JIS X 0201-1989) 21027 (Ext Alpha Lowercase) 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 00a2:4a 00ac:5f f8c4:20 f8c5:21 f8c6:22 f8c7:23 f8c8:24 f8c9:25 f8ca:26 f8cb:27 f8cc:28 f8cd:29 f8ce:2a f8cf:2b f8d0:2c f8d1:2d f8d2:2e f8d3:2f f8d4:30 f8d5:31 f8d6:32 f8d7:33 f8d8:34 f8d9:35 f8da:36 f8db:37 f8dc:38 f8dd:39 f8de:3a f8df:3b f8e0:3c f8e1:3d f8e2:3f f8e3:68 f8e4:7e ff61:42 ff62:43 ff63:44 ff64:45 ff65:46 ff66:47 ff67:48 ff68:49 ff69:51 ff6a:52 ff6b:53 ff6c:54 ff6d:55 ff6e:56 ff6f:57 ff70:58 ff71:59 ff72:62 ff73:63 ff74:64 ff75:65 ff76:66 ff77:67 ff78:68 ff79:69 ff7a:70 ff7b:71 ff7c:72 ff7d:73 ff7e:74 ff7f:75 ff80:76 ff81:77 ff82:78 10007 (MAC - Cyrillic) 1251 (ANSI - Cyrillic) 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 
00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 
ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 866 (OEM - Russian) 00a7:15 00a9:63 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 
016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 855 (OEM - Cyrillic) 00a9:63 00ac:2d 00ae:52 00b0:6f 00b1:2b 00b5:75 00b6:14 00b7:07 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 
00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2020:2b 2021:2b 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2219:07 221a:76 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:7f 2663:7f 2665:7f 2666:7f 266a:64 266b:64 20880 (IBM EBCDIC - Cyrillic (Russian)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 
005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00ad:73 0401:63 0402:59 0403:62 0404:64 0405:65 0406:66 0407:67 0408:68 0409:69 040a:70 040b:71 040c:72 040e:74 040f:75 042a:57 0430:77 0431:78 044e:76 0451:44 0452:42 0453:43 0454:45 0455:46 0456:47 0457:48 0458:49 0459:51 045a:52 045b:53 045c:54 045e:55 045f:56 2116:58 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a 28595 (ISO 8859-5 Cyrillic) 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 
0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 20866 (Russian - KOI8) 00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 
00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 21866 (Ukrainian - KOI8-U) 00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 
00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 21025 (IBM EBCDIC - Cyrillic 
(Serbian, Bulgarian)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00ad:73 0401:63 0402:59 0403:62 0404:64 0405:65 0406:66 0407:67 0408:68 0409:69 040a:70 040b:71 040c:72 040e:74 040f:75 042a:57 0430:77 0431:78 044e:76 0451:44 0452:42 0453:43 0454:45 0455:46 0456:47 0457:48 0458:49 0459:51 045a:52 045b:53 045c:54 045e:55 045f:56 2116:58 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a 57002 (ISCII - Devanagari) 57003 (ISCII - Bengali) 57004 (ISCII - Tamil) 57005 (ISCII - Telugu) 57006 (ISCII - Assamese) 57007 (ISCII - Oriya) 57008 (ISCII - Kannada) 57009 (ISCII - Malayalam) 57011 (ISCII - Punjabi (Gurmukhi)) 57010 (ISCII - Gujarati) 10010 (MAC - Romania) 10017 (MAC - Ukraine) 10082 (MAC - Croatia) 1250 (ANSI - Central Europe) 00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 
012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 
ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 852 (OEM - Latin II) 00a1:21 00a2:63 00a3:4c 00a5:59 00a6:7c 00a9:63 00aa:61 00ae:52 00b1:2b 00b2:32 00b3:33 00b5:75 00b6:14 00b7:07 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:63 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bb:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 03bc:75 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 
2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2033:22 2035:22 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a4:4c 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:2d 2213:2d 2215:2f 2216:5c 2217:2a 2219:07 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 275b:27 275c:27 275d:22 275e:22 3000:20 3008:3c 3009:3e 301a:5b 301b:5d 301d:22 301e:22 301f:22 30fb:07 30fc:5f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 28592 (ISO 8859-2 Central Europe) 00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 
00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 
ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 10000 (MAC - Roman) 437 (OEM - United States) 00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 
2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 850 (OEM - Multilingual Latin I) 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 
232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 858 (OEM - Multilingual Latin I + Euro) 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 
01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a 
ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 1252 (ANSI - Latin I) 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 
20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 37 (IBM EBCDIC - U.S./Canada) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 
009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f 20285 (IBM EBCDIC - United Kingdom) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:4a 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:5b 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:4a ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f 28591 (ISO 8859-1 Latin I) 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 
012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d 
ff5e:7e 20127 (US-ASCII) 00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 
02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 20269 (ISO 6937 Non-Spacing Accent) f8f6:7f 20105 (IA5 IRV International Alphabet No.5) 00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 
0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 203e:7e 2122:54 2207:7f ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 
ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 20106 (IA5 German) 00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a7:40 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:5b 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:5c 00d8:4f 00d9:55 00da:55 00db:55 00dc:5d 00dd:59 00df:7e 00e0:61 00e1:61 00e2:61 00e3:61 00e4:7b 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:7c 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:7d 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 
02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5e:7e 20107 (IA5 Swedish) 00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:5b 00c5:5d 00c6:41 00c7:43 00c8:45 00c9:40 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:5c 00d8:4f 00d9:55 00da:55 00db:55 00dc:5e 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:7b 00e5:7d 00e6:61 00e7:63 00e8:65 00e9:60 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:7c 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:7e 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 
0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c8:27 02cd:5f 02dc:7e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3f:5f ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5e:7e 20108 (IA5 Norwegian) 007c:7e 00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7e 00a7:23 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 
00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:5d 00c6:5b 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:5c 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:7d 00e6:7b 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:7c 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 
201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a 865 (OEM - Nordic) 00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 
0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 863 (OEM - Canadian French) 00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 
0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 
2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 861 (OEM - Icelandic) 00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 
01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 860 (OEM - Portuguese) 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 
013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 
266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 10079 (MAC - Icelandic) 1047 (IBM EBCDIC - Latin-1/Open System) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:15 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005e:5f 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:25 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3e:5f ff3f:6d ff40:79 ff5c:4f 1140 (IBM EBCDIC - U.S./Canada (37 + Euro)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 
00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f 1141 (IBM EBCDIC - Germany (20273 + Euro)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:63 005e:5f 005f:6d 0060:79 007b:43 007e:59 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a7:7c 00c0:64 00c1:65 00c2:62 00c3:66 00c4:4a 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00dc:5a 00e0:44 00e1:45 00e2:42 00e3:46 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:63 ff3e:5f ff3f:6d ff40:79 ff5b:43 ff5e:59 1142 (IBM EBCDIC - Denmark/Norway (20277 + Euro)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:4a 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005e:5f 005f:6d 0060:79 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 
0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:70 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:5b 00c6:7b 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d8:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:6a 20ac:5a ff01:4f ff02:7f ff03:4a ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3e:5f ff3f:6d ff40:79 ff5d:47 1143 (IBM EBCDIC - Finland/Sweden (20278 + Euro)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:63 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:71 005e:5f 005f:6d 0060:51 007b:43 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a7:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:7b 00c5:5b 00c7:68 00c8:74 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e7:48 00e8:54 00e9:79 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 20ac:5a ff01:4f ff02:7f ff03:63 ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:71 ff3e:5f ff3f:6d ff40:51 ff5b:43 ff5d:47 1144 (IBM EBCDIC - Italy (20280 + Euro)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 
005c:48 005d:51 005e:5f 005f:6d 007b:44 007d:54 007e:58 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:7c 00b0:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e9:5a 00ea:52 00eb:53 00ed:55 00ee:56 00ef:57 00f1:49 00f2:6a 00f8:70 00f9:79 ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:48 ff3d:51 ff3e:5f ff3f:6d ff5b:44 ff5d:54 ff5e:58 1145 (IBM EBCDIC - Latin America/Spain (20284 + Euro)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0022:7f 0023:69 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:49 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:7b 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:6a 00f8:70 ff02:7f ff03:69 ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3f:6d ff40:79 ff5c:4f 1146 (IBM EBCDIC - United Kingdom (20285 + Euro)) 0004:37 
0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:4a 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:5b 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:4a ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:44 005c:48 005e:5f 005f:6d 007b:51 007d:54 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:5a 00b0:4a 00b5:79 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:7c 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 00f9:6a ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c 
ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:44 ff3c:48 ff3e:5f ff3f:6d ff5b:51 ff5d:54 1148 (IBM EBCDIC - International (500 + Euro)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 1149 (IBM EBCDIC - Icelandic (20871 + Euro)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005f:6d 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c6:5a 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d0:7c 
00d1:69 00d6:5f 00de:4a 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f0:79 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3f:6d 20277 (IBM EBCDIC - Denmark/Norway) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:4a 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005e:5f 005f:6d 0060:79 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a4:5a 00a6:70 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:5b 00c6:7b 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d8:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:6a ff01:4f ff02:7f ff03:4a ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3e:5f ff3f:6d ff40:79 ff5d:47 20278 (IBM EBCDIC - Finland/Sweden) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:63 0024:67 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:71 005e:5f 005f:6d 0060:51 007b:43 007d:47 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 
0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a4:5a 00a7:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:7b 00c5:5b 00c7:68 00c8:74 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00d6:7c 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e7:48 00e8:54 00e9:79 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 ff01:4f ff02:7f ff03:63 ff04:67 ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:71 ff3e:5f ff3f:6d ff40:51 ff5b:43 ff5d:47 20280 (IBM EBCDIC - Italy) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005c:48 005d:51 005e:5f 005f:6d 007b:44 007d:54 007e:58 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:7c 00b0:4a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e9:5a 00ea:52 00eb:53 00ed:55 00ee:56 00ef:57 00f1:49 00f2:6a 00f8:70 00f9:79 ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3c:48 ff3d:51 ff3e:5f ff3f:6d ff5b:44 ff5d:54 ff5e:58 20284 (IBM EBCDIC - Latin America/Spain) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0022:7f 0023:69 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 
005d:5a 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:49 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:7b 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:6a 00f8:70 ff02:7f ff03:69 ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3f:6d ff40:79 ff5c:4f 20297 (IBM EBCDIC - France) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:44 005c:48 005e:5f 005f:6d 007b:51 007d:54 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a3:7b 00a7:5a 00b0:4a 00b5:79 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:7c 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 00f9:6a ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:44 ff3c:48 ff3e:5f ff3f:6d ff5b:51 ff5d:54 20871 (IBM EBCDIC - Icelandic) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 
0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005f:6d 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c6:5a 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d0:7c 00d1:69 00d6:5f 00de:4a 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f0:79 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3f:6d 20924 (IBM EBCDIC - Latin-1/Open System (1047 + Euro)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:15 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005e:5f 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:25 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00dd:4a 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 0160:6a ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b 
ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3e:5f ff3f:6d ff40:79 ff5c:4f 28599 (ISO 8859-9 Latin 5) 00d0:44 00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 
ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 28605 (ISO 8859-15 Latin 9) 00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 
2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 870 (IBM EBCDIC - Multilingual/ROECE (Latin-2)) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00c1:65 00c2:62 00c4:63 00c7:68 00c9:71 00cb:73 00cd:75 00ce:76 00df:59 00e1:45 00e2:42 00e4:43 00e7:48 00e9:51 00eb:53 00ed:55 00ee:56 0102:66 0103:46 0106:69 0107:49 010c:67 010d:47 0118:72 0119:52 0139:78 013a:58 013d:77 013e:57 0163:44 016e:74 016f:54 02c7:70 02dd:64 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a 10021 (MAC - Thai) 874 (ANSI/OEM - Thai) 00a7:15 00b6:14 203c:13 
2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 20838 (IBM EBCDIC - Thai) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:49 005d:59 005e:69 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 0e01:42 0e02:43 0e03:44 0e04:45 0e05:46 0e06:47 0e07:48 0e08:52 0e09:53 0e0a:54 0e0b:55 0e0c:56 0e0d:57 0e0e:58 0e0f:62 0e10:63 0e11:64 0e12:65 0e13:66 0e14:67 0e15:68 0e16:72 0e17:73 0e18:74 0e19:75 0e1a:76 0e1b:77 0e1c:78 0e3f:70 0e4e:71 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e 
ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:49 ff3d:59 ff3e:69 ff3f:6d ff40:79 ff5c:4f 10005 (MAC - Hebrew) 1255 (ANSI - Hebrew) 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 862 (OEM - Hebrew) 00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 
0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b 
ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 28598 (ISO 8859-8 Hebrew: Visual Ordering) 00a1:21 00aa:61 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 
01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 38598 (ISO 8859-8 Hebrew: Logical Ordering) 00a1:21 00aa:61 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 
0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 
ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 20424 (IBM EBCDIC - Hebrew) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:74 00a2:4a 00a6:6a 00ac:5f 05d0:41 05d1:42 05d2:43 05d3:44 05d4:45 05d5:46 05d6:47 05d7:48 05d8:49 05d9:51 05da:52 05db:53 05dc:54 05dd:55 05de:56 05df:57 05e0:58 05e1:59 05e2:62 05e3:63 05e4:64 05e5:65 05e6:66 05e7:67 05e8:68 05e9:69 05ea:71 2017:78 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f 10006 (MAC - Greek I) 1253 (ANSI - Greek) 00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 
0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a 
ff5b:7b ff5c:7c ff5d:7d ff5e:7e 737 (OEM - Greek 437G) 00a7:15 00b6:14 037e:3b 2022:07 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 869 (OEM - Modern Greek) 00a4:6f 00a5:59 00ae:52 00b6:14 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 
013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 2013:16 2014:16 201c:22 201d:22 201e:22 2020:2b 2021:2b 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 20273 (IBM EBCDIC - Germany) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:63 005e:5f 005f:6d 0060:79 007b:43 007e:59 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a7:7c 00c0:64 00c1:65 00c2:62 00c3:66 00c4:4a 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00dc:5a 00e0:44 00e1:45 00e2:42 00e3:46 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 
00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f6:6a 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:63 ff3e:5f ff3f:6d ff40:79 ff5b:43 ff5e:59 28597 (ISO 8859-7 Greek) 00a1:21 00a2:63 00a4:24 00a5:59 00aa:61 00ae:52 00b8:2c 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 
01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 20423 (IBM EBCDIC - Greek) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:74 00a3:7b 00a7:7c 0386:71 0388:72 0389:73 038a:75 038c:76 038e:77 038f:78 0391:41 0392:42 0393:43 0394:44 0395:45 0396:46 0397:47 0398:48 0399:49 039a:51 039b:52 039c:53 039d:54 039e:55 039f:56 03a0:57 03a1:58 
03a3:59 03a4:62 03a5:63 03a6:64 03a7:65 03a8:66 03a9:67 ff01:4f ff02:7f ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a 875 (IBM EBCDIC - Modern Greek) 0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007c:6a 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:74 00a8:70 0386:71 0388:72 0389:73 038a:75 038c:76 038e:77 038f:78 0391:41 0392:42 0393:43 0394:44 0395:45 0396:46 0397:47 0398:48 0399:49 039a:51 039b:52 039c:53 039d:54 039e:55 039f:56 03a0:57 03a1:58 03a3:59 03a4:62 03a5:63 03a6:64 03a7:65 03a8:66 03a9:67 03aa:68 03ab:69 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 ff5c:6a 1258 (ANSI/OEM - Viet Nam) ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b 
ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e 10002 (MAC - Traditional Chinese Big5) 00a1:21 00a6:7c 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 950 (ANSI/OEM - Traditional Chinese Big5) 00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 20000 (CNS - Taiwan) 20001 (TCA - Taiwan) 20002 (Eten - Taiwan) 20003 (IBM5550 - Taiwan) 20004 (TeleText - Taiwan) 20005 (Wang - Taiwan) 20261 (T.61) f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f 50229 (ISO-2022 Traditional Chinese) 65000 (UTF-7) 65001 (UTF-8) snort-2.9.7.0/etc/file_magic.conf0000644000000000000000000005502212345604071013432 00000000000000#### file_magic.conf file type:XLW; id:1; category:Office Documents; msg:"Excel spreadsheet subheader (MS Office)"; rev:1; content:| 09 08 10 00 00 06 05 00 |; offset:512; group:office; file type:POSIX_TAR; id:2; category:Archive; msg:"POSIX Tape Archive 
file"; rev:1; content:| 75 73 74 61 72 00 20 20 |; offset:257; file type:OLD_TAR; id:3; category:Archive; msg:"Pre-POSIX Tape Archive file"; rev:1; content:| 75 73 74 61 72 20 |; offset:257; file type:MOV; id:4; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 66 72 65 65 |; offset:4; group:video; file type:MOV; id:5; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 6D 6F 6F 76 |; offset:4; group:video; file type:MOV; id:6; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 6D 64 61 74 |; offset:4; group:video; file type:MOV; id:7; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 70 6E 6F 74 |; offset:4; group:video; file type:MOV; id:8; category:Multimedia; msg:"QuickTime movie file"; rev:1; content:| 66 74 79 70 |; offset:4; group:video; file type:LHA; id:9; category:Archive; msg:"File compressed with lha utility/algorithm (lha, lzh)"; rev:1; content:| 2D 6C 68 |; offset:2; file type:ISO; id:10; category:System files; msg:"Disc Image file based on ISO-9660 standard (iso)c"; rev:1; content:| 43 44 30 30 31 |; offset:32769; file type:ISO; id:11; category:System files; msg:"Disc Image file based on ISO-9660 standard (iso)c"; rev:1; content:| 43 44 30 30 31 |; offset:34817; file type:ISO; id:12; category:System files; msg:"Disc Image file based on ISO-9660 standard (iso)c"; rev:1; content:| 43 44 30 30 31 |; offset:36865; file type:S3M; id:13; category:Multimedia; msg:"S3M audio module format"; rev:1; content:| 53 43 52 4d |; offset:44; group:audio; file type:FLIC; id:14; category:Multimedia; msg:"FLIC Animation file"; rev:2; content:|11 AF|; offset:4; content:|40 01|; offset:8; content:|c8 00|; offset:10; content:|00 00|; offset:20; content:|00 00 00 00 00 00 00 00|; offset:42; file type:FLIC; id:15; category:Multimedia; msg:"FLIC Animation file"; rev:2; content:|12 AF|; offset:4; content:|40 01|; offset:8; content:|c8 00|; offset:10; content:|00 00|; offset:20; content:|00 00 00 00 00 00 00 00|; 
offset:42; file type:MSEXE; id:21; category:Executables,Dynamic Analysis Capable; msg:"Windows/DOS executable file "; rev:1; content:| 4D 5A|; offset:0; file type:PDF; id:22; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46|; offset:0; file type:RTF; id:23; category:Office Documents; msg:"Rich text format word processing file "; rev:1; content:| 7B 5C 72 74 66 31|; offset:0; file type:RIFF; id:24; category:Multimedia; msg:"Resource Interchange File Format"; rev:1; content:| 52 49 46 46|; offset:0; file type:MSCHM; id:25; category:Office Documents; msg:"Microsoft Compiled HTML Help File"; rev:1; content:| 49 54 53 46|; offset:0; file type:MSCAB; id:26; category:Archive; msg:"Microsoft Windows CAB"; rev:1; content:| 4D 53 43 46|; offset:0; file type:MSOLE2; id:27; category:Office Documents; msg:"Microsoft Office applications OLE Document "; rev:1; content:| D0 CF 11 E0 A1 B1 1A E1|; offset:0; file type:MSSZDD; id:28; category:Archive; msg:"SZDD file format"; rev:1; content:| 53 5A 44 44 88 F0 27 33 |; offset:0; file type:ZIP; id:29; category:Archive; msg:"PKZIP archive file"; rev:1; content:| 50 4B 03 04 |; offset:0; file type:RAR; id:30; category:Archive; msg:"WinRAR compressed archive file"; rev:1; content:| 52 61 72 21 1A 07 00 |; offset:0; file type:7Z; id:31; category:Archive; msg:"7-Zip compressed file"; rev:1; content:| 37 7A BC AF 27 1C |; offset:0; file type:BZ; id:32; category:Archive; msg:"bzip2 compressed archive"; rev:1; content:| 42 5A 68 |; offset:0; file type:GZ; id:33; category:Archive; msg:"GZ"; rev:1; content:| 1F 8B 08 |; offset:0; file type:ARJ; id:34; category:Archive; msg:"Compressed archive file"; rev:1; content:| 60 EA 00 00 |; offset:0; file type:ISHIELD_MSI; id:35; category:Executables; msg:"Install Shield v5.x or 6.x compressed file"; rev:1; content:| 49 53 63 28 |; offset:0; file type:BINHEX; id:36; category:Executables; msg:"Macintosh BinHex 4 Compressed Archive"; rev:1; content:| 28 54 68 69 73 20 66 69 6C 65 20 6D 75 
73 74 20 62 65 20 63 6F 6E 76 65 72 74 65 64 20 77 69 74 68 20 42 69 6E 48 65 78 20 |; offset:0; file type:MAIL; id:37; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 46 72 6F 6D 20 20 20 |; offset:0; file type:MAIL; id:38; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 46 72 6F 6D 20 3F 3F 3F |; offset:0; file type:MAIL; id:39; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 46 72 6F 6D 3A 20 |; offset:0; file type:MAIL; id:40; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 52 65 74 75 72 6E 2D 50 61 74 68 3A 20 |; offset:0; file type:MAIL; id:41; category:Office Documents; msg:"E-mail files for Netscape, Eudora, Outlook Express and QuickMail."; rev:1; content:| 58 2D |; offset:0; file type:TNEF; id:42; category:Office Documents; msg:"Transport Neutral Encapsulation Format, an E-mail attachment format"; rev:1; content:| 78 9F 3E 22 |; offset:0; file type:BINARY_DATA; id:43; category:Executables; msg:"Universal Binary/Java Bytecode"; rev:1; content:| CA FE BA BE|; offset:0; file type:UUENCODED; id:44; category:Encoded; msg:"UUencoded file"; rev:1; content:| 62 65 67 69 6E |; offset:0; file type:SCRENC; id:45; category:Encoded; msg:"Script encoder file"; rev:1; content:| 23 40 7E 5E |; offset:0; file type:ELF; id:46; category:Executables; msg:"Executable and Linking Format executable file (Linux/Unix)"; rev:1; content:| 7F 45 4C 46|; offset:0; file type:MACHO; id:47; category:Executables; msg:"Mach object file format "; rev:1; content:| CE FA ED FE |; offset:0; file type:MACHO; id:48; category:Executables; msg:"Mach object file format "; rev:1; content:| CF FA ED FE |; offset:0; file type:MACHO; id:49; category:Executables; msg:"Mach object file format "; rev:1; content:| FE ED FA CE |; 
offset:0; file type:MACHO; id:50; category:Executables; msg:"Mach object file format "; rev:1; content:| FE ED FA CF |; offset:0; file type:SIS; id:51; category:Archive; msg:"Software Installation Script, an archive for Symbian OS"; rev:1; content:| 19 04 00 10 |; offset:0; file type:SWF; id:52; category:Multimedia; msg:"Flash file "; rev:1; content:| 43 57 53 |; offset:0; file type:SWF; id:53; category:Multimedia; msg:"Flash file "; rev:1; content:| 46 57 53 |; offset:0; file type:SWF; id:54; category:Multimedia; msg:"Flash file "; rev:1; content:| 58 46 49 52|; offset:0; file type:CPIO_ODC; id:55; category:Archive; msg:"Archive created with the cpio utility- standard ASCII format"; rev:1; content:| 30 37 30 37 30 37 |; offset:0; file type:CPIO_NEWC; id:56; category:Archive; msg:"Archive created with the cpio utility- new ASCII (aka SVR4) format"; rev:1; content:| 30 37 30 37 30 31 |; offset:0; file type:CPIO_CRC; id:57; category:Archive; msg:"Archive created with the cpio utility- CRC format"; rev:1; content:| 30 37 30 37 30 32 |; offset:0; file type:MPEG; id:58; category:Multimedia; msg:"MPEG video file"; rev:1; content:| 00 00 01 B3|; offset:0; group:video; file type:MPEG; id:59; category:Multimedia; msg:"MPEG video file"; rev:1; content:| 00 00 01 BA|; offset:0; group:video; file type:EPS; id:60; category:PDF files; msg:"Adobe encapsulated PostScript file"; rev:1; content:| 25 21 50 53 2D 41 64 6F 62 65 2D |; offset:0; file type:RMF; id:61; category:Multimedia; msg:"RealNetworks RealMedia streaming media file"; rev:1; content:| 2E 52 4D 46 |; offset:0; file type:GIF; id:62; category:Graphics; msg:"GIF"; rev:1; content:| 47 49 46 38 37 61 |; offset:0; group:multimedia; file type:GIF; id:63; category:Graphics; msg:"GIF"; rev:1; content:| 47 49 46 38 39 61 |; offset:0; group:multimedia; file type:MP3; id:64; category:Multimedia; msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; rev:1; content:| 49 44 33 |; offset:0; group:audio; file type:MP3; id:65; 
category:Multimedia; msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; rev:1; content:| FF FB 90 |; offset:0; group:audio; file type:OGG; id:66; category:Multimedia; msg:"Ogg Vorbis Codec compressed Multimedia file"; rev:1; content:| 4F 67 67 53 |; offset:0; group:audio; file type:RIFX; id:67; category:Multimedia; msg:"RIFX audio format"; rev:1; content:| 52 49 46 58 |; offset:0; group:audio; file type:SYMANTEC; id:68; category:System files; msg:"Symantec files"; rev:1; content:| 58 2D 53 79 6D 61 6E 74 65 63 2D |; offset:0; file type:PNG; id:69; category:Graphics; msg:"Portable Network Graphics file"; rev:1; content:| 89 50 4E 47 0D 0A 1A 0A |; offset:0; group:multimedia; file type:JPEG; id:70; category:Graphics; msg:"JPEG/JFIF graphics file"; rev:1; content:| FF D8 FF E0 |; offset:0; group:multimedia; file type:JARPACK; id:72; category:Executables; msg:"Jar pack file"; rev:1; content:| CA FE D0 0D |; offset:0; file type:JAR; id:73; category:Archive; msg:"Java archive file"; rev:3; content:| 50 4B 03 04 |; offset:0; content:| 4D 45 54 41 2D 49 4E 46 2F |; offset:30; file type:FLV; id:74; category:Multimedia; msg:"Flash video file"; rev:1; content:| 46 4C 56 01 |; offset:0; group:video; file type:WAV; id:76; category:Multimedia; msg:"Waveform Audio File Format"; rev:1; content:| 62 65 61 74 |; offset:0; group:audio; file type:WAV; id:77; category:Multimedia; msg:"Waveform Audio File Format"; rev:1; content:| 4D 58 43 33 |; offset:0; group:audio; file type:FFMPEG; id:78; category:Multimedia; msg:"ffmpeg Multimedia framework"; rev:1; content:| 34 58 4D 56 |; offset:0; file type:DMG; id:79; category:System files; msg:"Apple Disk Image"; rev:1; content:| 45 52 02 00 |; offset:0; file type:DMG; id:80; category:System files; msg:"Apple Disk Image"; rev:1; content:| 32 49 4D 47 |; offset:0; file type:IVR; id:81; category:Multimedia; msg:"RealPlayer video file"; rev:1; content:| 2E 52 45 43 |; offset:0; group:video; file type:IVR; id:82; category:Multimedia; msg:"RealPlayer 
video file"; rev:1; content:| 2E 52 31 4D |; offset:0; group:video; file type:RA; id:83; category:Multimedia; msg:"RealAudio file"; rev:1; content:| 2E 52 4D 46 00 00 00 12 00 |; offset:0; group:audio; file type:RA; id:84; category:Multimedia; msg:"RealAudio file"; rev:1; content:| 2E 72 61 FD 00 |; offset:0; group:audio; file type:VMDK; id:85; category:System files; msg:"Virtual Machine Disk"; rev:1; content:| 43 4F 57 44 |; offset:0; file type:VMDK; id:86; category:System files; msg:"Virtual Machine Disk"; rev:1; content:|4B 44 4D |; offset:0; file type:VMDK; id:87; category:System files; msg:"Virtual Machine Disk"; rev:1; content:| 23 20 44 69 73 6B 20 44 65 73 63 72 69 70 74 6F |; offset:0; file type:VMDK; id:88; category:System files; msg:"Virtual Machine Disk"; rev:1; content:| 2E 03 00 00 01 |; offset:0; file type:FLAC; id:89; category:Multimedia; msg:"Free Lossless Audio Codec file"; rev:1; content:| 66 4C 61 43 00 00 00 22 |; offset:0; group:audio; file type:S3M; id:90; category:Multimedia; msg:"S3M audio module format"; rev:1; content:| 53 43 52 4d |; offset:0; group:audio; file type:ASF; id:91; category:Multimedia; msg:"Microsoft Windows Media Audio/Video File "; rev:1; content:| 30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C |; offset:0; group:audio; file type:MSWORD_MAC5; id:93; category:Office Documents; msg:"Microsoft Word for Mac 5"; rev:1; content:| FE 37 00 23|; offset:0; group:office; file type:SYLKc; id:94; category:System files; msg:"Microsoft symbolic Link"; rev:1; content:| 49 44 3B 50 |; offset:0; file type:WP; id:95; category:Office Documents; msg:"WordPerfect text and graphics file"; rev:1; content:| FF 57 50 43|; offset:0; file type:WP; id:96; category:Office Documents; msg:"WordPerfect text and graphics file"; rev:1; content:| 81 CD AB|; offset:0; file type:TIFF; id:97; category:Graphics; msg:"Tagged Image File Format file"; rev:1; content:| 49 49 2A 00|; offset:0; group:multimedia; file type:TIFF; id:98; category:Graphics; msg:"Tagged 
Image File Format file"; rev:1; content:| 49 20 49|; offset:0; group:multimedia; file type:TIFF; id:99; category:Graphics; msg:"Tagged Image File Format file"; rev:1; content:| 4D 4D 00 2A|; offset:0; group:multimedia; file type:TIFF; id:100; category:Graphics; msg:"Tagged Image File Format file"; rev:1; content:| 4D 4D 00 2B|; offset:0; group:multimedia; file type:MWL; id:101; category:Office Documents; msg:"Metastock technical analysis program for traders"; rev:1; content:| 5b 4d 65 74 61 53 74 6f 63 6b |; offset:0; file type:MDB; id:102; category:Office Documents; msg:"Microsoft Access file"; rev:1; content:| 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 |; offset:0; file type:ACCDB; id:103; category:Office Documents; msg:"Microsoft Access 2007 file"; rev:1; content:| 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42|; offset:0; file type:MNY; id:104; category:Office Documents; msg:"Microsoft Money file"; rev:1; content:| 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65|; offset:0; file type:REC; id:105; category:Multimedia; msg:"RealNetworks Realplayer REC"; rev:1; content:| 2e 72 65 63 00 |; offset:0; file type:R1M; id:106; category:Multimedia; msg:"RealNetworks Realplayer R1M"; rev:1; content:| 2e 72 31 6d |; offset:0; file type:WAB; id:107; category:Office Documents; msg:"Outlook address file"; rev:1; content:| 9C CB CB 8D 13 75 D2 11 91 58 00 C0 4F 79 56 A4 |; offset:0; group:office; file type:WAB; id:108; category:Office Documents; msg:"Outlook address file"; rev:1; content:| 81 32 84 C1 85 05 D0 11 B2 90 00 AA 00 3C F6 76 |; offset:0; group:office; file type:M3U; id:109; category:Multimedia; msg:"Multimedia playlists"; rev:1; content:| 23 45 58 54 4d 33 55 |; offset:0; file type:MKV; id:110; category:Multimedia; msg:"Matroska stream file"; rev:1; content:| 1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61|; offset:0; file type:IMG_PICT; id:111; category:Graphics; msg:"ChromaGraph Graphics Card Bitmap Graphic file"; rev:1; content:| 
50 49 43 54 00 08 |; offset:0; group:multimedia; file type:AMF; id:112; category:Multimedia; msg:"Advanced Module Format for digital music"; rev:1; content:| 41 4d 46 |; offset:0; group:audio; file type:WEBM; id:113; category:Multimedia; msg:"WebM audio-video format"; rev:1; content:| 1A 45 DF A3|; offset:0; group:audio,video; file type:MAYA; id:114; category:Graphics; msg:"Autodesk Maya"; rev:1; content:| 2f 2f 4d 61 79 61 |; offset:0; file type:MIDI; id:115; category:Multimedia; msg:"Musical Instrument Digital Interface (MIDI) sound file"; rev:1; content:| 4D 54 68 64 |; offset:0; group:audio; file type:PLS; id:116; category:Multimedia; msg:"multimedia playlists"; rev:1; content:| 5b 70 6c 61 79 6c 69 73 74 5d |; offset:0; file type:SMIL; id:117; category:Multimedia; msg:"Synchronized Multimedia Integration Language"; rev:1; content:| 3c 73 6d 69 6c 3e |; offset:0; file type:SAMI; id:119; category:Multimedia; msg:"Synchronized Accessible Media Interchange"; rev:1; content:| 3c 53 41 4d 49 |; offset:0; file type:NEW_OFFICE; id:120; category:Office Documents; msg:"Microsoft Office Open XML Format (OOXML) Document (DOCX, PPTX, XLSX)"; rev:1; content:|50 4B 03 04 14 00 06 00|; offset:0; group:office; file type:DWG; id:130; category:Graphics; msg:"Autodesk AutoCAD file (dwg) "; rev:1; content:| 41 43 31 30 |; offset:0; file type:MDI; id:132; category:Office Documents; msg:"Microsoft Document Imaging file (mdi)"; rev:1; content:| 45 50 |; offset:0; file type:PGD; id:133; category:System files; msg:"PGP disk image(PGD)"; rev:1; content:| 50 47 50 64 4D 41 49 4E |; offset:0; file type:PSD; id:134; category:Graphics; msg:"Photoshop image file (PSD)"; rev:1; content:|38 42 50 53 |; offset:0; file type:9XHIVE; id:135; category:System files; msg:"Windows 9x registry hive (REG)"; rev:1; content:| 43 52 45 47 |; offset:0; file type:REG; id:136; category:System files; msg:"Windows Registry and Registry Undo files (REG)"; rev:1; content:| 52 45 47 45 44 49 54 |; offset:0; file 
type:WMF; id:137; category:Graphics; msg:"Windows graphics metafile "; rev:1; content:| 01 00 09 00 00 03 |; offset:0; file type:WRI; id:138; category:Office Documents; msg:"Windows Write document file (wri) "; rev:1; content:| BE 00 00 00 AB 00 00 00 00 00 00 00 00|; offset:0; file type:RPM; id:139; category:Executables; msg:"RedHat Package Manager file"; rev:1; content:| ED AB EE DB |; offset:0; file type:ONE; id:140; category:Office Documents; msg:"Microsoft OneNote note"; rev:1; content:| E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 |; offset:0; group:office; file type:MP4; id:141; category:Multimedia; msg:"MPEG-4 video files"; rev:1; content:| 00 00 00 18 66 74 79 70 33 67 70 35 |; offset:0; group:video; file type:MP4; id:142; category:Multimedia; msg:"MPEG-4 video files"; rev:1; content:| 00 00 00 14 66 74 79 70 69 73 6F 6D |; offset:0; group:video; file type:PCAP; id:143; category:System files; msg:"Packet capture file"; rev:1; content:| D4 C3 B2 A1 |; offset:0; file type:PCAP; id:144; category:System files; msg:"Packet capture file"; rev:1; content:|34 CD B2 A1 |; offset:0; file type:PCAP; id:145; category:System files; msg:"Packet capture file"; rev:1; content:|A1 B2 C3 D4 |; offset:0; file type:PCAP; id:146; category:System files; msg:"Packet capture file"; rev:1; content:|A1 B2 CD 34 |; offset:0; file type:PCAP; id:147; category:System files; msg:"Packet capture file"; rev:1; content:|52 54 53 53 |; offset:0; file type:BMP; id:148; category:Graphics; msg:"Bitmap image file"; rev:1; content:|42 4D |; offset:0; group:multimedia; file type:ICO; id:149; category:Graphics; msg:"Windows icon file"; rev:1; content:| 00 00 01 00 |; offset:0; file type:TORRENT; id:150; category:Executables; msg:"BitTorrent File"; rev:1; content:| 64 38 3A 61 6E 6E 6F 75 6E 63 65 |; offset:0; file type:AMR; id:151; category:Multimedia; msg:"Adaptive Multi-Rate Codec File"; rev:1; content:| 23 21 41 4D 52|; offset:0; file type:SIT; id:152; category:Archive; msg:"StuffIt 
compressed archive"; rev:1; content:| 53 49 54 21 00|; offset:0; file type:PST; id:153; category:Office Documents; msg:"Microsoft Outlook Personal Folder File"; rev:1; content:| 21 42 44 4E |; offset:0; group:office; file type:HLP; id:154; category:Office Documents; msg:"Windows Help file"; rev:1; content:| 4C 4E 02 00 |; offset:0; file type:HLP; id:155; category:Office Documents; msg:"Windows Help file"; rev:1; content:| 3F 5F 03 00 |; offset:0; file type:AUTORUN; id:156; category:Executables; msg:"Windows Autorun setup file"; rev:1; content:| 5B 61 75 74 6F 72 75 6E 5D 0D 0A |; offset:0; file type:JPEG; id:157; category:Graphics; msg:"JPEG/JFIF graphics file"; rev:1; content:| FF D8 FF E1 |; offset:0; group:multimedia; file type:ARJ; id:158; category:Archive; msg:"Compressed archive file"; rev:1; content:| 60 EA |; offset:0; file type:MP3; id:159; category:Multimedia; msg:"MPEG-1 Audio Layer 3 (MP3) audio file"; rev:1; content:| FF FA |; offset:0; group:audio; file type:SIT; id:160; category:Archive; msg:"StuffIt compressed archive"; rev:1; content:| 53 74 75 66 66 49 74 20 |; offset:0; file type:NTHIVE; id:161; category:System files; msg:"Windows NT registry hive (REG)"; rev:1; content:| 72 65 67 66 |; offset:0; file type:WMF; id:162; category:Graphics; msg:"Windows graphics metafile "; rev:1; content:| D7 CD C6 9A |; offset:0; file type:SIS; id:163; category:Archive; msg:"Software Installation Script, an archive for Symbian OS"; rev:1; content:| 7A 1A 20 10 |; offset:0; file type:WRI; id:164; category:Office Documents; msg:"Windows Write document file (wri) "; rev:1; content:| 31 BE|; offset:0; file type:WRI; id:165; category:Office Documents; msg:"Windows Write document file (wri) "; rev:1; content:| 32 BE|; offset:0; file type:WAV; id:166; category:Multimedia; msg:"Waveform Audio File Format"; rev:1; content:| 52 49 46 46 |; offset:0; content:| 57 41 56 45 66 6D 74 20 |; offset:8; group:audio; file type:MP4; id:167; category:Multimedia; msg:"MPEG-4 video 
files"; rev:1; content:| 66 74 79 70 6D 70 34 32 |; offset:4; group:video; file type:MP4; id:168; category:Multimedia; msg:"MPEG-4 video files"; rev:1; content:| 66 74 79 70 33 67 70 35 |; offset:4; group:video; file type:MP4; id:169; category:Multimedia; msg:"MPEG-4 video files"; rev:1; content:| 66 74 79 70 4D 53 4E 56 |; offset:4; group:video; file type:DICM; id:170; category:Multimedia; msg:"Digital Imaging and Communications in Medicine"; rev:1; content:| 44 49 43 4D |; offset:128; file type:ZIP_ENC; id:171; category:Archive; msg:"PKZIP encrypted archive file"; rev:1; content:| 50 4B 03 04 |; offset:0; content:| 01 |; offset:6; file type:EICAR; id:273; category:Executables; msg:"Standard Anti-Virus Test File"; rev:1; content:| 58 35 4F 21 50 25 |; offset:0; file type:XPS; id:275; category:Office Documents; msg:"Microsoft XML Paper Specification Document"; rev:1; content:| 50 4B 03 04 |; offset:0; content:| 46 69 78 65 64 44 6F 63 75 6D |; offset:30; file type:XPS; id:277; category:Office Documents; msg:"Microsoft XML Paper Specification Document"; rev:1; content:| 50 4B 03 04 |; offset:0; content:| 44 6F 63 75 6D 65 6E 74 73 2F |; offset:30; file type:XPS; id:278; category:Office Documents; msg:"Microsoft XML Paper Specification Document"; rev:1; content:| 50 4B 03 04 |; offset:0; content:| 4D 65 74 61 64 61 74 61 2F |; offset:30; file type:DMP; id:279; category:System files; msg:"Windows crash dump file"; rev:1; content:|4D 44 4D 50 93 A7|; offset:0; file type:DMP; id:280; category:System files; msg:"Windows crash dump file"; rev:1; content:|50 41 47 45 44 55 36 34|; offset:0; file type:DMP; id:281; category:System files; msg:"Windows crash dump file"; rev:1; content:|50 41 47 45 44 55 4D 50|; offset:0; file type:PDF; id:282; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 30|; offset:0; ver:1.0; file type:PDF; id:283; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 31|; offset:0; ver:1.1; file type:PDF; 
id:284; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 32|; offset:0; ver:1.2; file type:PDF; id:285; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 33|; offset:0; ver:1.3; file type:PDF; id:286; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 34|; offset:0; ver:1.4; file type:PDF; id:287; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 35|; offset:0; ver:1.5; file type:PDF; id:288; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 36|; offset:0; ver:1.6; file type:PDF; id:289; category:PDF files; msg:"PDF file "; rev:1; content:| 25 50 44 46 2D 31 2E 37|; offset:0; ver:1.7; snort-2.9.7.0/etc/snort.conf0000644000000000000000000006422412416771510012526 00000000000000#-------------------------------------------------- # VRT Rule Packages Snort.conf # # For more information visit us at: # http://www.snort.org Snort Website # http://vrt-blog.snort.org/ Sourcefire VRT Blog # # Mailing list Contact: snort-sigs@lists.sourceforge.net # False Positive reports: fp@sourcefire.com # Snort bugs: bugs@snort.org # # Compatible with Snort Versions: # VERSIONS : 2.9.7.0 # # Snort build options: # OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3 # # Additional information: # This configuration file enables active response, to run snort in # test mode -T you are required to supply an interface -i # or test mode will fail to fully validate the configuration and # exit with a FATAL error #-------------------------------------------------- ################################################### # This file contains a sample snort configuration. # You should take the following steps to create your own custom configuration: # # 1) Set the network variables. 
# 2) Configure the decoder # 3) Configure the base detection engine # 4) Configure dynamic loaded libraries # 5) Configure preprocessors # 6) Configure output plugins # 7) Customize your rule set # 8) Customize preprocessor and decoder rule set # 9) Customize shared object rule set ################################################### ################################################### # Step #1: Set the network variables. For more information, see README.variables ################################################### # Set up the network addresses you are protecting. # Leaving HOME_NET as "any" is only suitable for a first test run: every *_SERVERS variable below defaults to $HOME_NET, so server-scoped rules match every host and direction-aware rules (external to home) lose their meaning. # Set it to the address ranges you actually protect, for example: # ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8] ipvar HOME_NET any # Set up the external network addresses. Leave as "any" in most situations (or !$HOME_NET once HOME_NET is set) ipvar EXTERNAL_NET any # List of DNS servers on your network ipvar DNS_SERVERS $HOME_NET # List of SMTP servers on your network ipvar SMTP_SERVERS $HOME_NET # List of web servers on your network ipvar HTTP_SERVERS $HOME_NET # List of sql servers on your network ipvar SQL_SERVERS $HOME_NET # List of telnet servers on your network ipvar TELNET_SERVERS $HOME_NET # List of ssh servers on your network ipvar SSH_SERVERS $HOME_NET # List of ftp servers on your network ipvar FTP_SERVERS $HOME_NET # List of sip servers on your network ipvar SIP_SERVERS $HOME_NET # List of ports you run web servers on portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555] # List of ports you want to look for SHELLCODE on. 
portvar SHELLCODE_PORTS !80 # List of ports you might see oracle attacks on portvar ORACLE_PORTS 1024: # List of ports you want to look for SSH connections on: portvar SSH_PORTS 22 # List of ports you run ftp servers on portvar FTP_PORTS [21,2100,3535] # List of ports you run SIP servers on portvar SIP_PORTS [5060,5061,5600] # List of file data ports for file inspection portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143] # List of GTP ports for GTP preprocessor portvar GTP_PORTS [2123,2152,3386] # other variables, these should not be modified ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24] # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules var RULE_PATH ../rules var SO_RULE_PATH ../so_rules var PREPROC_RULE_PATH ../preproc_rules # If you are using reputation preprocessor set these # Currently there is a bug with relative paths, they are relative to where snort is # not relative to snort.conf like the above variables # This is completely inconsistent with how other vars work, BUG 89986 # Set the absolute path appropriately var WHITE_LIST_PATH ../rules var BLACK_LIST_PATH ../rules ################################################### # Step #2: Configure the decoder. 
For more information, see README.decode ################################################### # Stop generic decode events: config disable_decode_alerts # Stop Alerts on experimental TCP options config disable_tcpopt_experimental_alerts # Stop Alerts on obsolete TCP options config disable_tcpopt_obsolete_alerts # Stop Alerts on T/TCP alerts config disable_tcpopt_ttcp_alerts # Stop Alerts on all other TCPOption type events: config disable_tcpopt_alerts # Stop Alerts on invalid ip options config disable_ipopt_alerts # Alert if value in length field (IP, TCP, UDP) is greater than the length of the packet # config enable_decode_oversized_alerts # Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts) # config enable_decode_oversized_drops # Configure IP / TCP checksum mode config checksum_mode: all # Configure maximum number of flowbit references. For more information, see README.flowbits # config flowbits_size: 64 # Configure ports to ignore # config ignore_ports: tcp 21 6667:6671 1356 # config ignore_ports: udp 1:17 53 # Configure active response for non inline operation. For more information, see README.active # config response: eth0 attempts 2 # Configure DAQ related options for inline operation. For more information, see README.daq # # config daq: TYPE # config daq_dir: DIR # config daq_mode: MODE # config daq_var: VAR # # TYPE ::= pcap | afpacket | dump | nfq | ipq | ipfw # MODE ::= read-file | passive | inline # VAR ::= arbitrary NAME=VALUE passed to DAQ # DIR ::= path as to where to look for DAQ module so's # Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options # Snort needs root to open the capture interface; unless set_uid/set_gid (or -u/-g on the command line) name a dedicated unprivileged account, it keeps those root privileges for the whole run # # config set_gid: GID # config set_uid: UID # Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README # # config snaplen: BYTES # # Configure default bpf_file to use for filtering what traffic reaches snort. 
For more information see snort -h command line options (-F) # # config bpf_file: FILE # # Configure default log directory for snort to log to. For more information see snort -h command line options (-l) # # config logdir: DIR ################################################### # Step #3: Configure the base detection engine. For more information, see README.decode ################################################### # Configure PCRE match limitations # A pcre that exceeds either limit is treated as a non-match: these cap the CPU spent on pathological regexes, at the cost of that rule silently not firing config pcre_match_limit: 3500 config pcre_match_limit_recursion: 1500 # Configure the detection engine. See the Snort Manual, Configuring Snort - Includes - Config config detection: search-method ac-split search-optimize max-pattern-len 20 # Configure the event queue. For more information, see README.event_queue config event_queue: max_queue 8 log 5 order_events content_length ################################################### ## Configure GTP if it is to be used. ## For more information, see README.GTP #################################################### # config enable_gtp ################################################### # Per packet and rule latency enforcement # For more information see README.ppm # suspend-expensive-rules disables a rule that exceeds max-rule-time 'threshold' times in a row, which is a deliberate detection gap; keep rule-log enabled so suspensions are visible in the alert stream ################################################### # Per Packet latency configuration #config ppm: max-pkt-time 250, \ # fastpath-expensive-packets, \ # pkt-log # Per Rule latency configuration #config ppm: max-rule-time 200, \ # threshold 3, \ # suspend-expensive-rules, \ # suspend-timeout 20, \ # rule-log alert ################################################### # Configure Perf Profiling for debugging # For more information see README.PerfProfiling ################################################### #config profile_rules: print all, sort avg_ticks #config profile_preprocs: print all, sort avg_ticks ################################################### # Configure protocol aware flushing # For more information see README.stream5 ################################################### config paf_max: 16000 
################################################### # Step #4: Configure dynamic loaded libraries. # For more information, see Snort Manual, Configuring Snort - Dynamic Modules # Every shared object found under these paths is loaded into the Snort process at startup, so keep the directories and their contents root-owned and not writable by other users ################################################### # path to dynamic preprocessor libraries dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ # path to base preprocessor engine dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so # path to dynamic rules libraries dynamicdetection directory /usr/local/lib/snort_dynamicrules ################################################### # Step #5: Configure preprocessors # For more information, see the Snort Manual, Configuring Snort - Preprocessors ################################################### # GTP Control Channel Preprocessor. For more information, see README.GTP # preprocessor gtp: ports { 2123 3386 2152 } # Inline packet normalization. For more information, see README.normalize # Does nothing in IDS mode preprocessor normalize_ip4 preprocessor normalize_tcp: ips ecn stream preprocessor normalize_icmp4 preprocessor normalize_ip6 preprocessor normalize_icmp6 # Target-based IP defragmentation. For more information, see README.frag3 # The engine policy is target-based: 'windows' is only a default, set it to the OS of the hosts behind the sensor (or supply an attribute table) so overlap handling matches the endpoint preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180 # Target-Based stateful inspection/stream reassembly. 
For more information, see README.stream5 preprocessor stream5_global: track_tcp yes, \ track_udp yes, \ track_icmp no, \ max_tcp 262144, \ max_udp 131072, \ max_active_responses 2, \ min_response_seconds 5 preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \ overlap_limit 10, small_segments 3 bytes 150, timeout 180, \ ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143 \ 161 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \ 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \ ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \ 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \ 7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 preprocessor stream5_udp: timeout 180 # performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 # HTTP normalization and anomaly detection. 
For more information, see README.http_inspect preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 preprocessor http_inspect_server: server default \ http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ chunk_length 500000 \ server_flow_depth 0 \ client_flow_depth 0 \ post_depth 65495 \ oversize_dir_length 500 \ max_header_length 750 \ max_headers 100 \ max_spaces 200 \ small_chunk_length { 10 5 } \ ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \ non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \ enable_cookie \ extended_response_inspection \ inspect_gzip \ normalize_utf \ unlimited_decompress \ normalize_javascript \ apache_whitespace no \ ascii no \ bare_byte no \ directory no \ double_decode no \ iis_backslash no \ iis_delimiter no \ iis_unicode no \ multi_slash no \ utf_8 no \ u_encode yes \ webroot no # ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete # Back Orifice detection. preprocessor bo # FTP / Telnet normalization and anomaly detection. 
For more information, see README.ftptelnet preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted preprocessor ftp_telnet_protocol: telnet \ ayt_attack_thresh 20 \ normalize ports { 23 } \ detect_anomalies preprocessor ftp_telnet_protocol: ftp server default \ def_max_param_len 100 \ ports { 21 2100 3535 } \ telnet_cmds yes \ ignore_telnet_erase_cmds yes \ ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \ ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \ ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \ ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \ ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \ ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \ ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \ ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \ ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \ ftp_cmds { XSEN XSHA1 XSHA256 } \ alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \ alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \ alt_max_param_len 256 { CWD RNTO } \ alt_max_param_len 400 { PORT } \ alt_max_param_len 512 { SIZE } \ chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \ chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \ chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \ chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \ chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \ chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \ chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \ chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \ cmd_validity ALLO < int [ char R int ] > \ cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \ cmd_validity MACB < string > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ cmd_validity MODE < char ASBCZ > \ cmd_validity PORT < host_port > \ cmd_validity PROT < char CSEP > \ cmd_validity STRU < char FRPO [ string ] > \ 
cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ ignore_telnet_erase_cmds yes \ telnet_cmds yes # SMTP normalization and anomaly detection. For more information, see README.SMTP preprocessor smtp: ports { 25 465 587 691 } \ inspection_type stateful \ b64_decode_depth 0 \ qp_decode_depth 0 \ bitenc_decode_depth 0 \ uu_decode_depth 0 \ log_mailfrom \ log_rcptto \ log_filename \ log_email_hdrs \ normalize cmds \ normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \ normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \ normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \ max_command_line_len 512 \ max_header_line_len 1000 \ max_response_line_len 512 \ alt_max_command_line_len 260 { MAIL } \ alt_max_command_line_len 300 { RCPT } \ alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \ alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \ alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \ valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \ valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \ valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \ valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \ xlink2state { enabled } # Portscan detection. For more information, see README.sfportscan # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } # ARP spoof detection. 
For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor # preprocessor arpspoof # preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 # SSH anomaly detection. For more information, see README.ssh preprocessor ssh: server_ports { 22 } \ autodetect \ max_client_bytes 19600 \ max_encrypted_packets 20 \ max_server_version_len 100 \ enable_respoverflow enable_ssh1crc32 \ enable_srvoverflow enable_protomismatch # SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2 # The server policy is target-based: set it to the Windows/Samba version of the protected hosts rather than leaving the WinXP default preprocessor dcerpc2: memcap 102400, events [co ] preprocessor dcerpc2_server: default, policy WinXP, \ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"] # DNS anomaly detection. For more information, see README.dns preprocessor dns: ports { 53 } enable_rdata_overflow # SSL anomaly detection and traffic bypass. For more information, see README.ssl # noinspect_encrypted stops rule evaluation on a session once it is marked encrypted, and trustservers marks it encrypted as soon as the server sends application data instead of waiting to see it from both sides. Both trade detection coverage for performance, so only list ports that genuinely carry TLS preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted # SDF sensitive data preprocessor. For more information see README.sensitive_data preprocessor sensitive_data: alert_threshold 25 # SIP Session Initiation Protocol preprocessor. For more information see README.sip preprocessor sip: max_sessions 40000, \ ports { 5060 5061 5600 }, \ methods { invite \ cancel \ ack \ bye \ register \ options \ refer \ subscribe \ update \ join \ info \ message \ notify \ benotify \ do \ qauth \ sprack \ publish \ service \ unsubscribe \ prack }, \ max_uri_len 512, \ max_call_id_len 80, \ max_requestName_len 20, \ max_from_len 256, \ max_to_len 256, \ max_via_len 1024, \ max_contact_len 512, \ max_content_len 2048 # IMAP preprocessor. 
For more information see README.imap preprocessor imap: \ ports { 143 } \ b64_decode_depth 0 \ qp_decode_depth 0 \ bitenc_decode_depth 0 \ uu_decode_depth 0 # POP preprocessor. For more information see README.pop preprocessor pop: \ ports { 110 } \ b64_decode_depth 0 \ qp_decode_depth 0 \ bitenc_decode_depth 0 \ uu_decode_depth 0 # Modbus preprocessor. For more information see README.modbus preprocessor modbus: ports { 502 } # DNP3 preprocessor. For more information see README.dnp3 preprocessor dnp3: ports { 20000 } \ memcap 262144 \ check_crc # Reputation preprocessor. For more information see README.reputation preprocessor reputation: \ memcap 500, \ priority whitelist, \ nested_ip inner, \ whitelist $WHITE_LIST_PATH/white_list.rules, \ blacklist $BLACK_LIST_PATH/black_list.rules ################################################### # Step #6: Configure output plugins # For more information, see Snort Manual, Configuring Snort - Output Modules ################################################### # unified2 # Recommended for most installs # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types # Additional configuration for specific types of installs # output alert_unified2: filename snort.alert, limit 128, nostamp # output log_unified2: filename snort.log, limit 128, nostamp # syslog # output alert_syslog: LOG_AUTH LOG_ALERT # pcap # output log_tcpdump: tcpdump.log # metadata reference data. 
do not modify these lines include classification.config include reference.config ################################################### # Step #7: Customize your rule set # For more information, see Snort Manual, Writing Snort Rules # # NOTE: All categories are enabled in this conf file ################################################### # site specific rules include $RULE_PATH/local.rules include $RULE_PATH/app-detect.rules include $RULE_PATH/attack-responses.rules include $RULE_PATH/backdoor.rules include $RULE_PATH/bad-traffic.rules include $RULE_PATH/blacklist.rules include $RULE_PATH/botnet-cnc.rules include $RULE_PATH/browser-chrome.rules include $RULE_PATH/browser-firefox.rules include $RULE_PATH/browser-ie.rules include $RULE_PATH/browser-other.rules include $RULE_PATH/browser-plugins.rules include $RULE_PATH/browser-webkit.rules include $RULE_PATH/chat.rules include $RULE_PATH/content-replace.rules include $RULE_PATH/ddos.rules include $RULE_PATH/dns.rules include $RULE_PATH/dos.rules include $RULE_PATH/experimental.rules include $RULE_PATH/exploit-kit.rules include $RULE_PATH/exploit.rules include $RULE_PATH/file-executable.rules include $RULE_PATH/file-flash.rules include $RULE_PATH/file-identify.rules include $RULE_PATH/file-image.rules include $RULE_PATH/file-multimedia.rules include $RULE_PATH/file-office.rules include $RULE_PATH/file-other.rules include $RULE_PATH/file-pdf.rules include $RULE_PATH/finger.rules include $RULE_PATH/ftp.rules include $RULE_PATH/icmp-info.rules include $RULE_PATH/icmp.rules include $RULE_PATH/imap.rules include $RULE_PATH/indicator-compromise.rules include $RULE_PATH/indicator-obfuscation.rules include $RULE_PATH/indicator-shellcode.rules include $RULE_PATH/info.rules include $RULE_PATH/malware-backdoor.rules include $RULE_PATH/malware-cnc.rules include $RULE_PATH/malware-other.rules include $RULE_PATH/malware-tools.rules include $RULE_PATH/misc.rules include $RULE_PATH/multimedia.rules include $RULE_PATH/mysql.rules include 
$RULE_PATH/netbios.rules include $RULE_PATH/nntp.rules include $RULE_PATH/oracle.rules include $RULE_PATH/os-linux.rules include $RULE_PATH/os-other.rules include $RULE_PATH/os-solaris.rules include $RULE_PATH/os-windows.rules include $RULE_PATH/other-ids.rules include $RULE_PATH/p2p.rules include $RULE_PATH/phishing-spam.rules include $RULE_PATH/policy-multimedia.rules include $RULE_PATH/policy-other.rules include $RULE_PATH/policy.rules include $RULE_PATH/policy-social.rules include $RULE_PATH/policy-spam.rules include $RULE_PATH/pop2.rules include $RULE_PATH/pop3.rules include $RULE_PATH/protocol-finger.rules include $RULE_PATH/protocol-ftp.rules include $RULE_PATH/protocol-icmp.rules include $RULE_PATH/protocol-imap.rules include $RULE_PATH/protocol-pop.rules include $RULE_PATH/protocol-services.rules include $RULE_PATH/protocol-voip.rules include $RULE_PATH/pua-adware.rules include $RULE_PATH/pua-other.rules include $RULE_PATH/pua-p2p.rules include $RULE_PATH/pua-toolbars.rules include $RULE_PATH/rpc.rules include $RULE_PATH/rservices.rules include $RULE_PATH/scada.rules include $RULE_PATH/scan.rules include $RULE_PATH/server-apache.rules include $RULE_PATH/server-iis.rules include $RULE_PATH/server-mail.rules include $RULE_PATH/server-mssql.rules include $RULE_PATH/server-mysql.rules include $RULE_PATH/server-oracle.rules include $RULE_PATH/server-other.rules include $RULE_PATH/server-webapp.rules include $RULE_PATH/shellcode.rules include $RULE_PATH/smtp.rules include $RULE_PATH/snmp.rules include $RULE_PATH/specific-threats.rules include $RULE_PATH/spyware-put.rules include $RULE_PATH/sql.rules include $RULE_PATH/telnet.rules include $RULE_PATH/tftp.rules include $RULE_PATH/virus.rules include $RULE_PATH/voip.rules include $RULE_PATH/web-activex.rules include $RULE_PATH/web-attacks.rules include $RULE_PATH/web-cgi.rules include $RULE_PATH/web-client.rules include $RULE_PATH/web-coldfusion.rules include $RULE_PATH/web-frontpage.rules include 
$RULE_PATH/web-iis.rules include $RULE_PATH/web-misc.rules include $RULE_PATH/web-php.rules include $RULE_PATH/x11.rules ################################################### # Step #8: Customize your preprocessor and decoder alerts # For more information, see README.decoder_preproc_rules ################################################### # decoder and preprocessor event rules # NOTE: leaving these includes commented out does not necessarily silence decoder/preprocessor events; check README.decoder_preproc_rules for the default handling before relying on it, and include the files if you need per-event control of action or suppression. # include $PREPROC_RULE_PATH/preprocessor.rules # include $PREPROC_RULE_PATH/decoder.rules # include $PREPROC_RULE_PATH/sensitive-data.rules ################################################### # Step #9: Customize your Shared Object Snort Rules # For more information, see http://vrt-blog.snort.org/2009/01/using-vrt-certified-shared-object-rules.html ################################################### # dynamic library rules # include $SO_RULE_PATH/bad-traffic.rules # include $SO_RULE_PATH/chat.rules # include $SO_RULE_PATH/dos.rules # include $SO_RULE_PATH/exploit.rules # include $SO_RULE_PATH/icmp.rules # include $SO_RULE_PATH/imap.rules # include $SO_RULE_PATH/misc.rules # include $SO_RULE_PATH/multimedia.rules # include $SO_RULE_PATH/netbios.rules # include $SO_RULE_PATH/nntp.rules # include $SO_RULE_PATH/p2p.rules # include $SO_RULE_PATH/smtp.rules # include $SO_RULE_PATH/snmp.rules # include $SO_RULE_PATH/specific-threats.rules # include $SO_RULE_PATH/web-activex.rules # include $SO_RULE_PATH/web-client.rules # include $SO_RULE_PATH/web-iis.rules # include $SO_RULE_PATH/web-misc.rules # Event thresholding or suppression commands. 
See threshold.conf include threshold.conf snort-2.9.7.0/etc/attribute_table.dtd0000644000000000000000000000240110662351337014350 00000000000000 snort-2.9.7.0/etc/gen-msg.map0000644000000000000000000007563312406100153012540 00000000000000# $Id$ # GENERATORS -> msg map # Format: generatorid || alertid || MSG 1 || 1 || snort general alert 2 || 1 || tag: Tagged Packet 3 || 1 || snort dynamic alert 100 || 1 || spp_portscan: Portscan Detected 100 || 2 || spp_portscan: Portscan Status 100 || 3 || spp_portscan: Portscan Ended 101 || 1 || spp_minfrag: minfrag alert 102 || 1 || http_decode: Unicode Attack 102 || 2 || http_decode: CGI NULL Byte Attack 102 || 3 || http_decode: large method attempted 102 || 4 || http_decode: missing uri 102 || 5 || http_decode: double encoding detected 102 || 6 || http_decode: illegal hex values detected 102 || 7 || http_decode: overlong character detected 103 || 1 || spp_defrag: Fragmentation Overflow Detected 103 || 2 || spp_defrag: Stale Fragments Discarded 104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded 104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted 105 || 1 || spp_bo: Back Orifice Traffic Detected 105 || 2 || spp_bo: Back Orifice Client Traffic Detected 105 || 3 || spp_bo: Back Orifice Server Traffic Detected 105 || 4 || spp_bo: Back Orifice Snort Buffer Attack 106 || 1 || spp_rpc_decode: Fragmented RPC Records 106 || 2 || spp_rpc_decode: Multiple Records in one packet 106 || 3 || spp_rpc_decode: Large RPC Record Fragment 106 || 4 || spp_rpc_decode: Incomplete RPC segment 106 || 5 || spp_rpc_decode: Zero-length RPC Fragment 110 || 1 || spp_unidecode: CGI NULL Attack 110 || 2 || spp_unidecode: Directory Traversal 110 || 3 || spp_unidecode: Unknown Mapping 110 || 4 || spp_unidecode: Invalid Mapping 111 || 1 || spp_stream4: Stealth Activity Detected 111 || 2 || spp_stream4: Evasive Reset Packet 111 || 3 || spp_stream4: Retransmission 111 || 4 || spp_stream4: Window Violation 111 || 5 || spp_stream4: Data on SYN 
Packet 111 || 6 || spp_stream4: Full XMAS Stealth Scan 111 || 7 || spp_stream4: SAPU Stealth Scan 111 || 8 || spp_stream4: FIN Stealth Scan 111 || 9 || spp_stream4: NULL Stealth Scan 111 || 10 || spp_stream4: NMAP XMAS Stealth Scan 111 || 11 || spp_stream4: VECNA Stealth Scan 111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection 111 || 13 || spp_stream4: SYN FIN Stealth Scan 111 || 14 || spp_stream4: TCP forward overlap detected 111 || 15 || spp_stream4: TTL Evasion attempt 111 || 16 || spp_stream4: Evasive retransmitted data attempt 111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt 111 || 18 || spp_stream4: Multiple acked 111 || 19 || spp_stream4: Shifting to Emergency Session Mode 111 || 20 || spp_stream4: Shifting to Suspend Mode 111 || 21 || spp_stream4: TCP Timestamp option has value of zero 111 || 22 || spp_stream4: Too many overlapping TCP packets 111 || 23 || spp_stream4: Packet in established TCP stream missing ACK 111 || 24 || spp_stream4: Evasive FIN Packet 111 || 25 || spp_stream4: SYN on established 112 || 1 || spp_arpspoof: Directed ARP Request 112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC 112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST 112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack 113 || 1 || spp_frag2: Oversized Frag 113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack 113 || 3 || spp_frag2: TTL evasion detected 113 || 4 || spp_frag2: overlap detected 113 || 5 || spp_frag2: Duplicate first fragments 113 || 6 || spp_frag2: memcap exceeded 113 || 7 || spp_frag2: Out of order fragments 113 || 8 || spp_frag2: IP Options on Fragmented Packet 113 || 9 || spp_frag2: Shifting to Emergency Session Mode 113 || 10 || spp_frag2: Shifting to Suspend Mode 114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected 114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected 114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected 114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled 
detected 115 || 1 || spp_asn1: Indefinite ASN.1 length encoding 115 || 2 || spp_asn1: Invalid ASN.1 length encoding 115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow 115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow 115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length 116 || 1 || snort_decoder: WARNING: Not IPv4 datagram 116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN 116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len 116 || 4 || snort_decoder: WARNING: Bad IPv4 Options 116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options 116 || 6 || snort_decoder: WARNING: IP dgm len > captured len 116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes 116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5 116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload 116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths 116 || 55 || snort_decoder: WARNING: Truncated Tcp Options 116 || 56 || snort_decoder: WARNING: T/TCP Detected 116 || 57 || snort_decoder: WARNING: Obsolete TCP options 116 || 58 || snort_decoder: WARNING: Experimental TCP options 116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14) 116 || 95 || snort_decoder: WARNING: Truncated UDP Header 116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8 116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length 116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length 116 || 105 || snort_decoder: WARNING: ICMP Header Truncated 116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated 116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated 116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem 116 || 109 || snort_decoder: WARNING: Truncated ARP Packet 116 || 110 || snort_decoder: WARNING: Truncated EAP Header 116 || 111 || snort_decoder: WARNING: EAP Key 
Truncated 116 || 112 || snort_decoder: WARNING: EAP Header Truncated 116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected 116 || 130 || snort_decoder: WARNING: Bad VLAN Frame 116 || 131 || snort_decoder: WARNING: Bad LLC header 116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info 116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header 116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info 116 || 140 || snort_decoder: WARNING: Bad Token Ring Header 116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header 116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header 116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header 116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP 116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP 116 || 160 || snort_decoder: WARNING: GRE header length > payload length 116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet 116 || 162 || snort_decoder: WARNING: Invalid GRE version 116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header 116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header 116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length 116 || 170 || snort_decoder: WARNING: Bad MPLS Frame 116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header 116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header 116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header 116 || 174 || snort_decoder: WARNING: Bad use of label 3 116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. 
or 15 Appears in Header 116 || 176 || snort_decoder: WARNING: Too Many MPLS headers 116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated 116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4 116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length 116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits 116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes 116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0 116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit 116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6 116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header 116 || 273 || snort_decoder: WARNING: IPV6 truncated header 116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len 116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len 116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0 116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address 116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address 116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type 116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value 116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field 116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header 116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers 116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280 116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code 116 || 287 || snort_decoder: WARNING: ICMPv6 router solicitation packet with a code 
not equal to 0 116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0 116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0 116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour 116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack 116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header 116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present 116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header 116 || 295 || snort_decoder: WARNING: IPv6 header includes an option which is too big for the containing header. 116 || 296 || snort_decoder: WARNING: IPv6 packet includes out-of-order extension headers 116 || 297 || snort_decoder: WARNING: Two or more GTP encapsulation layers are present 116 || 298 || snort_decoder: WARNING: GTP header length is invalid 116 || 400 || snort_decoder: WARNING: XMAS Attack Detected 116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected 116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected 116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address 116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL 116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set) 116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero 116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum 116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address 116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address 116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address 116 || 411 || snort_decoder: WARNING: IPV4 packet from reserved 
source address 116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address 116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address 116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address 116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address 116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address 116 || 417 || snort_decoder: WARNING: ICMP4 source quench 116 || 418 || snort_decoder: WARNING: ICMP4 type other 116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload 116 || 420 || snort_decoder: WARNING: TCP SYN with FIN 116 || 421 || snort_decoder: WARNING: TCP SYN with RST 116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session 116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST 116 || 424 || snort_decoder: WARNING: truncated eth header 116 || 425 || snort_decoder: WARNING: truncated IP4 header 116 || 426 || snort_decoder: WARNING: truncated ICMP4 header 116 || 427 || snort_decoder: WARNING: truncated ICMP6 header 116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit 116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit 116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set 116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded 116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address 116 || 433 || snort_decoder: WARNING: DDOS shaft synflood 116 || 434 || snort_decoder: WARNING: ICMP PING NMAP 116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1 116 || 436 || snort_decoder: WARNING: ICMP redirect host 116 || 437 || snort_decoder: WARNING: ICMP redirect net 116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts 116 || 439 || snort_decoder: WARNING: ICMP Source Quench 116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner 116 || 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication 
Administratively Prohibited 116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited 116 || 444 || snort_decoder: WARNING: MISC IP option set 116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet 116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic 116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic 116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set 116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol 116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol 116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt 116 || 452 || snort_decoder: WARNING: BAD-TRAFFIC linux ICMP header dos attempt 116 || 453 || snort_decoder: WARNING: IPV6 ISATAP spoof 116 || 454 || snort_decoder: WARNING: PGM NAK overflow 116 || 455 || snort_decoder: WARNING: IGMP options dos 116 || 456 || snort_decoder: WARNING: too many IPV6 extension headers 116 || 457 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code 116 || 458 || snort_decoder: WARNING: bogus fragmentation packet. 
Possible BSD attack 116 || 459 || snort_decoder: WARNING: zero length fragment 116 || 460 || snort_decoder: WARNING: ICMPv6 node info query/response packet with a code greater than 2 116 || 461 || snort_decoder: WARNING: Deprecated IPv6 Type 0 Routing Header 116 || 462 || snort_decoder: WARNING: ERSpan Header version mismatch 116 || 463 || snort_decoder: WARNING: captured < ERSpan Type2 Header Length 116 || 464 || snort_decoder: WARNING: captured < ERSpan Type3 Header Length 117 || 1 || spp_portscan2: Portscan detected 118 || 1 || spp_conversation: Bad IP protocol 119 || 1 || http_inspect: ASCII ENCODING 119 || 2 || http_inspect: DOUBLE DECODING ATTACK 119 || 3 || http_inspect: U ENCODING 119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING 119 || 5 || http_inspect: BASE36 ENCODING 119 || 6 || http_inspect: UTF-8 ENCODING 119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING 119 || 8 || http_inspect: MULTI_SLASH ENCODING 119 || 9 || http_inspect: IIS BACKSLASH EVASION 119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL 119 || 11 || http_inspect: DIRECTORY TRAVERSAL 119 || 12 || http_inspect: APACHE WHITESPACE (TAB) 119 || 13 || http_inspect: NON-RFC HTTP DELIMITER 119 || 14 || http_inspect: NON-RFC DEFINED CHAR 119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY 119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING 119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED 119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL 119 || 19 || http_inspect: LONG HEADER 119 || 20 || http_inspect: MAX HEADERS 119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS 119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED 119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER 119 || 24 || http_inspect: MULTIPLE HOST HEADERS DETECTED 119 || 25 || http_inspect: HOSTNAME EXCEEDS 255 CHARACTERS 119 || 26 || http_inspect: HEADER PARSING SPACE SATURATION 119 || 27 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS 119 || 28 || 
http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS 119 || 29 || http_inspect: MULTIPLE TRUE IPS IN A SESSION 119 || 30 || http_inspect: BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT 119 || 31 || http_inspect: UNKNOWN METHOD 119 || 32 || http_inspect: SIMPLE REQUEST 119 || 33 || http_inspect: UNESCAPED SPACE IN HTTP URI 119 || 34 || http_inspect: TOO MANY PIPELINED REQUESTS 120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT 120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE 120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE 120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE 120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET 120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED 120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS 120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE 120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1 120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED 120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA 120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE 120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE 120 || 14 || http_inspect: PDF FILE DEFLATE DECOMPRESSION FAILURE 120 || 15 || http_inspect: PDF FILE UNSUPPORTED COMPRESSION TYPES 120 || 16 || http_inspect: PDF FILE CASCADED COMPRESSION 120 || 17 || http_inspect: PDF FILE PARSE FAILURE 121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded 121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded 121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded 121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded 122 || 1 || portscan: TCP Portscan 122 || 2 || portscan: TCP Decoy Portscan 122 || 3 || portscan: TCP Portsweep 122 || 4 || portscan: TCP Distributed Portscan 122 || 5 || portscan: TCP Filtered Portscan 122 || 6 || 
portscan: TCP Filtered Decoy Portscan 122 || 7 || portscan: TCP Filtered Portsweep 122 || 8 || portscan: TCP Filtered Distributed Portscan 122 || 9 || portscan: IP Protocol Scan 122 || 10 || portscan: IP Decoy Protocol Scan 122 || 11 || portscan: IP Protocol Sweep 122 || 12 || portscan: IP Distributed Protocol Scan 122 || 13 || portscan: IP Filtered Protocol Scan 122 || 14 || portscan: IP Filtered Decoy Protocol Scan 122 || 15 || portscan: IP Filtered Protocol Sweep 122 || 16 || portscan: IP Filtered Distributed Protocol Scan 122 || 17 || portscan: UDP Portscan 122 || 18 || portscan: UDP Decoy Portscan 122 || 19 || portscan: UDP Portsweep 122 || 20 || portscan: UDP Distributed Portscan 122 || 21 || portscan: UDP Filtered Portscan 122 || 22 || portscan: UDP Filtered Decoy Portscan 122 || 23 || portscan: UDP Filtered Portsweep 122 || 24 || portscan: UDP Filtered Distributed Portscan 122 || 25 || portscan: ICMP Sweep 122 || 26 || portscan: ICMP Filtered Sweep 122 || 27 || portscan: Open Port 123 || 1 || frag3: IP Options on fragmented packet 123 || 2 || frag3: Teardrop attack 123 || 3 || frag3: Short fragment, possible DoS attempt 123 || 4 || frag3: Fragment packet ends after defragmented packet 123 || 5 || frag3: Zero-byte fragment 123 || 6 || frag3: Bad fragment size, packet size is negative 123 || 7 || frag3: Bad fragment size, packet size is greater than 65536 123 || 8 || frag3: Fragmentation overlap 123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow 123 || 10 || frag3: Bogus fragmentation packet. 
Possible BSD attack 123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly 123 || 12 || frag3: Number of overlapping fragments exceed configured limit 123 || 13 || frag3: Fragments smaller than configured min_fragment_length 124 || 1 || smtp: Attempted command buffer overflow 124 || 2 || smtp: Attempted data header buffer overflow 124 || 3 || smtp: Attempted response buffer overflow 124 || 4 || smtp: Attempted specific command buffer overflow 124 || 5 || smtp: Unknown command 124 || 6 || smtp: Illegal command 124 || 7 || smtp: Attempted header name buffer overflow 124 || 8 || smtp: Attempted X-Link2State command buffer overflow 124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded. 124 || 10 || smtp: Base64 Decoding failed 124 || 11 || smtp: Quoted-Printable Decoding failed 124 || 12 || smtp: Non-Encoded MIME attachment Extraction failed 124 || 13 || smtp: Unix-to-Unix Decoding failed 124 || 14 || smtp: Cyrus SASL authentication attack 125 || 1 || ftp_pp: Telnet command on FTP command channel 125 || 2 || ftp_pp: Invalid FTP command 125 || 3 || ftp_pp: FTP parameter length overflow 125 || 4 || ftp_pp: FTP malformed parameter 125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter 125 || 6 || ftp_pp: FTP response length overflow 125 || 7 || ftp_pp: FTP command channel encrypted 125 || 8 || ftp_pp: FTP bounce attack 125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel 126 || 1 || telnet_pp: Telnet consecutive AYT overflow 126 || 2 || telnet_pp: Telnet data encrypted 126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End 128 || 1 || ssh: Gobbles exploit 128 || 2 || ssh: SSH1 CRC32 exploit 128 || 3 || ssh: Server version string overflow 128 || 4 || ssh: Protocol mismatch 128 || 5 || ssh: Bad message direction 128 || 6 || ssh: Payload size incorrect for the given payload 128 || 7 || ssh: Failed to detect SSH version string 129 || 1 || stream5: SYN on established 
session 129 || 2 || stream5: Data on SYN packet 129 || 3 || stream5: Data sent on stream not accepting data 129 || 4 || stream5: TCP Timestamp is outside of PAWS window 129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0 129 || 6 || stream5: Window size (after scaling) larger than policy allows 129 || 7 || stream5: Limit on number of overlapping TCP packets reached 129 || 8 || stream5: Data sent on stream after TCP Reset 129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address 129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address 129 || 11 || stream5: TCP Data with no TCP Flags set 129 || 12 || stream5: TCP Small Segment Threshold Exceeded 129 || 13 || stream5: TCP 4-way handshake detected 129 || 14 || stream5: TCP Timestamp is missing 129 || 15 || stream5: Reset outside window 129 || 16 || stream5: FIN number is greater than prior FIN 129 || 17 || stream5: ACK number is greater than prior FIN 129 || 18 || stream5: Data sent on stream after TCP Reset received 129 || 19 || stream5: TCP window closed before receiving data 129 || 20 || stream5: TCP session without 3-way handshake 130 || 1 || dcerpc: Maximum memory usage reached 131 || 1 || dns: Obsolete DNS RData Type 131 || 2 || dns: Experimental DNS RData Type 131 || 3 || dns: Client RData TXT Overflow 133 || 1 || dcerpc2: Memory cap exceeded 133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type 133 || 3 || dcerpc2: SMB - Bad SMB message type 133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2) 133 || 5 || dcerpc2: SMB - Bad word count or structure size for command 133 || 6 || dcerpc2: SMB - Bad byte count for command 133 || 7 || dcerpc2: SMB - Bad format type for command 133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command 133 || 9 || dcerpc2: SMB - Zero total data count in command 133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length 133 || 11 || dcerpc2: SMB - 
Remaining NetBIOS data length less than command length 133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count 133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size 133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size 133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected 133 || 16 || dcerpc2: SMB - Byte count less than command data size 133 || 17 || dcerpc2: SMB - Invalid command data size for byte count 133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses 133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses 133 || 20 || dcerpc2: SMB - Excessive command chaining 133 || 21 || dcerpc2: SMB - Multiple chained login requests 133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests 133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff 133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect 133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe 133 || 26 || dcerpc2: SMB - Invalid share access 133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version 133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version 133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type 133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size 133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed 133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified 133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified 133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client 133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum 
negotiated fragment transmit size 133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind 133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request 133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request 133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request 133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version 133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type 133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size 133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number #133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen #133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen #133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding #133 || 47 || dcerpc2: SMB - Excessive command compounding 133 || 48 || dcerpc2: SMB - Zero data count 133 || 49 || dcerpc2: SMB - Data count mismatch 133 || 50 || dcerpc2: SMB - Maximum number of outstanding requests exceeded 133 || 51 || dcerpc2: SMB - Outstanding requests with the same MID 133 || 52 || dcerpc2: SMB - Deprecated dialect negotiated 133 || 53 || dcerpc2: SMB - Deprecated command used 133 || 54 || dcerpc2: SMB - Unusual command used 133 || 55 || dcerpc2: SMB - Invalid setup count 133 || 56 || dcerpc2: SMB - Client attempted multiple dialect negotiations on session 133 || 57 || dcerpc2: SMB - Client attempted to create or set a file's attributes to readonly/hidden/system 134 || 1 || ppm: rule tree disabled 134 || 2 || ppm: rule tree enabled 134 || 3 || ppm: packet aborted 135 || 1 || internal: syn received 135 || 2 || internal: session established 135 || 3 || internal: session cleared 136 || 1 || reputation: Packet is blacklisted 136 || 2 
|| reputation: Packet is whitelisted 137 || 1 || spp_ssl: Invalid Client HELLO after Server HELLO Detected 137 || 2 || spp_ssl: Invalid Server HELLO without Client HELLO Detected 137 || 3 || spp_ssl: Heartbeat Read Overrun Attempt Detected 137 || 4 || spp_ssl: Large Heartbeat Response Detected 138 || 2 || sensitive_data: sensitive data - Credit card numbers 138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes 138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes 138 || 5 || sensitive_data: sensitive data - eMail addresses 138 || 6 || sensitive_data: sensitive data - U.S. phone numbers 139 || 1 || sensitive_data: sensitive data global threshold exceeded 140 || 1 || sip: Maximum sessions reached 140 || 2 || sip: Empty request URI 140 || 3 || sip: URI is too long 140 || 4 || sip: Empty call-Id 140 || 5 || sip: Call-Id is too long 140 || 6 || sip: CSeq number is too large or negative 140 || 7 || sip: Request name in CSeq is too long 140 || 8 || sip: Empty From header 140 || 9 || sip: From header is too long 140 || 10 || sip: Empty To header 140 || 11 || sip: To header is too long 140 || 12 || sip: Empty Via header 140 || 13 || sip: Via header is too long 140 || 14 || sip: Empty Contact 140 || 15 || sip: Contact is too long 140 || 16 || sip: Content length is too large or negative 140 || 17 || sip: Multiple SIP messages in a packet 140 || 18 || sip: Content length mismatch 140 || 19 || sip: Request name is invalid 140 || 20 || sip: Invite replay attack 140 || 21 || sip: Illegal session information modification 140 || 22 || sip: Response status code is not a 3 digit number 140 || 23 || sip: Empty Content type 140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 is invalid 140 || 25 || sip: Mismatch in Method of request and the CSEQ header 140 || 26 || sip: The method is unknown 140 || 27 || sip: Maximum dialogs in a session reached 141 || 1 || imap: Unknown IMAP4 command 141 || 2 || imap: Unknown 
IMAP4 response 141 || 3 || imap: No memory available for decoding. Memcap exceeded. 141 || 4 || imap: Base64 Decoding failed 141 || 5 || imap: Quoted-Printable Decoding failed 141 || 6 || imap: Non-Encoded MIME attachment Extraction failed 141 || 7 || imap: Unix-to-Unix Decoding failed 142 || 1 || pop: Unknown POP3 command 142 || 2 || pop: Unknown POP3 response 142 || 3 || pop: No memory available for decoding. Memcap exceeded. 142 || 4 || pop: Base64 Decoding failed 142 || 5 || pop: Quoted-Printable Decoding failed 142 || 6 || pop: Non-Encoded MIME attachment Extraction failed 142 || 7 || pop: Unix-to-Unix Decoding failed 143 || 1 || gtp: Message length is invalid 143 || 2 || gtp: Information element length is invalid 143 || 3 || gtp: Information elements are out of order 144 || 1 || modbus: Length in Modbus MBAP header does not match the length needed for the given Modbus function. 144 || 2 || modbus: Modbus protocol ID is non-zero. 144 || 3 || modbus: Reserved Modbus function code in use. 145 || 1 || dnp3: DNP3 Link-Layer Frame contains bad CRC. 145 || 2 || dnp3: DNP3 Link-Layer Frame was dropped. 145 || 3 || dnp3: DNP3 Transport-Layer Segment was dropped during reassembly. 145 || 4 || dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message. 145 || 5 || dnp3: DNP3 Link-Layer Frame uses a reserved address. 145 || 6 || dnp3: DNP3 Application-Layer Fragment uses a reserved function code. snort-2.9.7.0/etc/classification.config0000644000000000000000000000725511573541500014672 00000000000000# $Id$ # The following includes information for prioritizing rules # # Each classification includes a shortname, a description, and a default # priority for that classification. # # This allows alerts to be classified and prioritized. You can specify # what priority each classification has. Any rule can override the default # priority for that rule. 
#
# Here are a few example rules:
#
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; \
#     dsize: > 128; classtype:attempted-admin; priority:10;)
#
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
#     content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule sets its type to "attempted-admin" and overrides the
# default priority for that type (1, see below) with 10.
#
# The second rule sets its type to "attempted-recon" and leaves its
# priority at the default for that type (2, see below).
#
#
# config classification:shortname,short description,priority
#

config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1

# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A
TCP connection was detected,4 config classification: trojan-activity,A Network Trojan was detected, 1 config classification: unusual-client-port-connection,A client was using an unusual port,2 config classification: network-scan,Detection of a Network Scan,3 config classification: denial-of-service,Detection of a Denial of Service Attack,2 config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 config classification: protocol-command-decode,Generic Protocol Command Decode,3 config classification: web-application-activity,access to a potentially vulnerable web application,2 config classification: web-application-attack,Web Application Attack,1 config classification: misc-activity,Misc activity,3 config classification: misc-attack,Misc Attack,2 config classification: icmp-event,Generic ICMP event,3 config classification: inappropriate-content,Inappropriate Content was Detected,1 config classification: policy-violation,Potential Corporate Privacy Violation,1 config classification: default-login-attempt,Attempt to login by a default username and password,2 config classification: sdf,Senstive Data,2 config classification: file-format,Known malicious file or file based exploit,1 config classification: malware-cnc,Known malware command and control traffic,1 config classification: client-side-exploit,Known client side exploit attempt,1 snort-2.9.7.0/etc/Makefile.in0000644000000000000000000003014412416771457012563 00000000000000# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
# This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : 
PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = etc DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = depcomp = am__depfiles_maybe = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ 
LUA_CFLAGS = @LUA_CFLAGS@ LUA_LIBS = @LUA_LIBS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ luajit_CFLAGS = @luajit_CFLAGS@ luajit_LIBS = @luajit_LIBS@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = 
@oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies EXTRA_DIST = snort.conf classification.config gen-msg.map \ reference.config unicode.map threshold.conf attribute_table.dtd file_magic.conf all: all-am .SUFFIXES: $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign etc/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign etc/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ cscopelist-am ctags-am distclean distclean-generic \ distclean-libtool distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: snort-2.9.7.0/etc/threshold.conf0000644000000000000000000000443711224514523013350 00000000000000# Configure Thresholding and Suppression # ====================================== # # The threshold command is deprecated. Use detection_filter for thresholds # within a rule and event_filter for standalone threshold configurations. # Please see README.filters for more information on filters. 
#
# Thresholding:
#
# This feature is used to reduce the number of logged alerts for noisy rules.
# This can be tuned to significantly reduce false alarms, and it can also be
# used to write a newer breed of rules. Thresholding commands limit the number
# of times a particular event is logged during a specified time interval.
#
# There are 3 types of event_filters:
#
# 1) Limit
#    Alert on the 1st M events during the time interval, then ignore
#    events for the rest of the time interval.
#
# 2) Threshold
#    Alert every M times we see this event during the time interval.
#
# 3) Both
#    Alert once per time interval after seeing M occurrences of the
#    event, then ignore any additional events during the time interval.
#
# Note that "limit" goes silent after the first M events in the window, so
# it is the wrong choice for events whose *volume* is the indicator (e.g.
# brute-force attempts); use "threshold" or "both" for those.
#
# event_filter commands are formatted as:
#
# event_filter gen_id gen-id, sig_id sig-id, \
#     type limit|threshold|both, track by_src|by_dst, \
#     count n, seconds m
#
# Limit to logging 1 event per 60 seconds:
#
# event_filter gen_id 1, sig_id 1851, type limit, \
#     track by_src, count 1, seconds 60
#
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# each rule (rules are gen_id 1):
#
# event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60
#
# Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering
# any alert for any event generator:
#
# event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60
#
# Suppression:
#
# Suppression commands are standalone commands that reference generators and
# sids and IP addresses via a CIDR block (or IP list). This allows a rule to be
# completely suppressed, or suppressed when the causative traffic is going to
# or coming from a specific IP or group of IP addresses.
#
# Unlike an event_filter, a suppressed event is never logged at all, so
# suppress only for sources/destinations you have verified as benign, and
# prefer an event_filter where an occasional sample of the event is still
# wanted for visibility.
# # Suppress this event completely: # # suppress gen_id 1, sig_id 1852 # # Suppress this event from this IP: # # suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54 # # Suppress this event to this CIDR block: # # suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24 # snort-2.9.7.0/etc/Makefile.am0000644000000000000000000000027612260355636012547 00000000000000## $Id$ AUTOMAKE_OPTIONS=foreign no-dependencies EXTRA_DIST = snort.conf classification.config gen-msg.map \ reference.config unicode.map threshold.conf attribute_table.dtd file_magic.conf snort-2.9.7.0/COPYING0000644000000000000000000005102312026730050010752 00000000000000***************************************************************************** The text that follows is the GNU General Public License, Version 2 (GPL V2) and governs your use, modification and/or distribution of SNORT. Section 9 of the GPL V2 acknowledges that the Free Software Foundation may publish revised and/or new versions of the GPL V2 from time to time. Section 9 further states that a licensee of a program subject to the GPL V2 could be free to use any such revised and/or new versions under two different scenarios: 1. "Failure to Specify." Section 9 of the GPL V2 allows a licensee of a program governed by an unspecified version of the General Public License to choose any version of the General Public License ever published by the Free Software Foundation to govern his or her use of such program. This provision is not applicable to your use of SNORT because we have expressly stated in a number of instances that any third party's use, modification or distribution of SNORT is governed by GPL V2. 2. "Any Later Version." At the end of the terms and condition of the GPL V2 is a section called "How to Apply these Terms to Your New Program," which provides guidance to a developer on how to apply the GPL V2 to a third party's use, modification and/or distribution of his/her program. 
Among other things, this guidance suggests that the developer attach certain notices to the program. Of particular importance is the following notice: "This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version." Thus if a developer follows strictly the guidance provided by the Free Software Foundation, Section 9 of the GPL V2 provides the licensee the option to either use, modify or distribute the program under GPL V2 or under any later version published by the Free Software Foundation. SNORT is an open source project that is governed exclusively by the GPL V2 and any third party desiring to use, modify or distribute SNORT must do so by strictly following the terms and conditions of GPL V2. Anyone using, modifying or distributing SNORT does not have the option to chose to use, modify or distribute SNORT under any revised or new version of the GPL, including without limitation, the GNU General Public License Version 3. For ease of reference, the comparable notice that is used with SNORT (contained in the 'README' file) is as follows: "This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License Version 2 as published by the Free Software Foundation. You may not use, modify or distribute this program under any other version of the GNU General Public License." If you have any questions about this statement, please feel free to email snort-info@snort.org. ***************************************************************************** GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. 
Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. 
If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. 
You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. 
If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. 
(This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. 
Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. 
Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. 
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. 
Copyright (C) 19yy This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. 
If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. snort-2.9.7.0/tools/0000755000000000000000000000000012416771510011147 500000000000000snort-2.9.7.0/tools/file_server/0000755000000000000000000000000012416771510013454 500000000000000snort-2.9.7.0/tools/file_server/file_server.c0000644000000000000000000003472712345604073016062 00000000000000/* ** ** ** Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. ** Copyright (C) 2012-2013 Sourcefire, Inc. ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
** ** Author(s): Hui Cao ** */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define FILE_CAPTURE_SIZE 10485760 /*10M*/ #define VERBOSE_MODE_KEYWORD "-v" #define STD_BUF 1024 typedef struct _THREAD_ELEMENT { struct _THREAD_ELEMENT *next; int socket_fd; } ThreadElement; typedef enum { PRINT_MODE_FAST, PRINT_MODE_DETAIL } PrintMode; static PrintMode print_mode = PRINT_MODE_FAST; static int daemon_mode = 0; static int exit_signal = 0; int stop_processing = 0; #define FILE_NAME_LEN 200 typedef void (*sighandler_t)(int); typedef struct _FILE_MESSAGE_HEADER { /* All values must be in network byte order */ uint16_t version; uint16_t type; uint32_t length; /* Does not include the header */ char filename[FILE_NAME_LEN]; } FileMessageHeader; #define FILE_HEADER_VERSION 0x0001 typedef struct _File_Storage_Stats { int file_count; int file_storage_failures; int file_duplicates_total; } File_Storage_Stats; static File_Storage_Stats file_stats; static void CheckExit(void); static void LogMessage(const char *format,...); static void ErrorMessage(const char *format,...); static int ReadHeader(int socket_fd, FileMessageHeader *hdr) { ssize_t numread; unsigned total = 0; do { numread = read(socket_fd, (*(uint8_t **)&hdr) + total, sizeof(*hdr) - total); if (!numread) return 0; else if (numread > 0) total += numread; else if (errno != EINTR && errno != EAGAIN) return -1; } while (total < sizeof(*hdr) ); if (total < sizeof(*hdr)) return 0; hdr->length = ntohl(hdr->length); hdr->type = ntohs(hdr->type); hdr->version = ntohs(hdr->version); LogMessage("Receiving file %s, length: %d\n", hdr->filename, hdr->length); return 1; } static int ReadData(int socket_fd, uint8_t *buffer, uint32_t length) { ssize_t numread; unsigned total = 0; do { numread = read(socket_fd, buffer + total, length - total); if (!numread) return 0; else if (numread > 0) total += numread; else if (errno != EINTR && errno != EAGAIN) 
return -1; } while (total < length); if (total < length) return 0; return 1; } /* * writing file to the disk. * * In the case of interrupt errors, the write is retried, but only for a * finite number of times. * * Arguments * uint8_t *: The buffer containing the data to write * size_t: The length of the data to write * FILE *fh: File handler * * Returns: None * */ static void WriteFile(const uint8_t *buf, size_t buf_len, const char *file_name) { int max_retries = 3; size_t bytes_written = 0; int err; char filename[1024]; FILE *fh; struct stat buffer; /*save the file*/ sprintf(filename, "%s", file_name); filename[sizeof (filename) - 1] = '\0'; /*File exists*/ if(stat (filename, &buffer) == 0) { LogMessage("File exist: %s\n", filename); file_stats.file_duplicates_total++; return; } /*Opening file for writing in binary print_mode*/ fh = fopen(filename,"wb"); /* Nothing to write or nothing to write to */ if ((buf == NULL) || (fh == NULL)) return; /* Writing data to file */ /* writing several times */ do { size_t bytes_left = buf_len - bytes_written; bytes_written += fwrite(buf + bytes_written, 1, bytes_left, fh); err = ferror(fh); if (err && (err != EINTR) && (err != EAGAIN)) break; max_retries--; } while ((max_retries > 0) && (bytes_written < buf_len)); if (bytes_written < buf_len) { file_stats.file_storage_failures++; ErrorMessage("File server: disk writing error - %s!\n", strerror(err)); } /*Closing File*/ fclose(fh); file_stats.file_count++; } static void *FileSocketProcessThread(void *arg) { ThreadElement *t = (ThreadElement *)arg; if (t == NULL) { ErrorMessage("File Socket: Invalid process thread parameter\n"); return NULL; } if (t->socket_fd == -1) { ErrorMessage("File Socket: Invalid process thread socket\n"); return NULL; } while (!stop_processing) { FileMessageHeader hdr; int rval; if ((rval = ReadHeader(t->socket_fd, &hdr)) == 0) break; else if (rval < 0) { ErrorMessage("Failed to read!\n"); break; } if (hdr.version != FILE_HEADER_VERSION) { 
ErrorMessage("Bad message header version\n"); continue; } if (hdr.length > FILE_CAPTURE_SIZE) { ErrorMessage("Bad message data\n"); break; } if (hdr.length) { uint8_t *data; if ((data = malloc(hdr.length)) == NULL) { break; } LogMessage( "File Socket: Reading %u bytes\n", hdr.length); if ((rval = ReadData(t->socket_fd, data, hdr.length)) == 0) { ErrorMessage("File Socket: Socket closed before data read\n"); free(data); break; } else if (rval < 0) { ErrorMessage("File Socket: Failed to read %d\n", rval); free(data); continue; } WriteFile(data, hdr.length, hdr.filename); free(data); } CheckExit(); } LogMessage("File Socket: Close a processing thread for %d\n", t->socket_fd); free(t); return NULL; } /* Add a signal handler * Return: * 0: error * 1: success */ int AddSignal(int sig, sighandler_t signal_handler, int check_needed) { sighandler_t pre_handler; #ifdef HAVE_SIGACTION struct sigaction action; struct sigaction old_action; sigemptyset(&action.sa_mask); action.sa_flags = 0; action.sa_handler = signal_handler; sigaction(sig, &action, &old_action); pre_handler = old_action.sa_handler; #else pre_handler = signal(sig, signal_handler); #endif if (SIG_ERR == pre_handler) { ErrorMessage("Could not add handler for signal %d \n", sig); return 0; } else if (check_needed && (SIG_IGN != pre_handler) && (SIG_DFL!= pre_handler)) { ErrorMessage("WARNING: Handler is already installed for signal %d.\n", sig); } return 1; } /* Signal Handlers ************************************************************/ static void SigExitHandler(int signal) { exit_signal = signal; } static void CheckExit() { if ((SIGTERM == exit_signal) || (SIGINT == exit_signal)) { stop_processing = 1; } } static void PrintFileStats(File_Storage_Stats *stats) { LogMessage("Total files stored: %d\n", stats->file_count); LogMessage("Total file storage errors: %d\n", stats->file_storage_failures); LogMessage("Total duplicated files: %d\n", stats->file_duplicates_total); } static int ProcessClientRequest(int 
sockfd) { struct timeval to; socklen_t clilen; fd_set rfds; struct sockaddr_in cli_addr; int rval; pthread_t tid; ThreadElement *t; int newsockfd; to.tv_sec = 2; to.tv_usec = 0; FD_ZERO(&rfds); FD_SET(sockfd, &rfds); //accept incoming connections clilen = sizeof(cli_addr); rval = select(sockfd + 1, &rfds, NULL, NULL, &to); if (rval > 0) { memset(&cli_addr, 0, sizeof(cli_addr)); if ((newsockfd = accept(sockfd, (struct sockaddr *)&cli_addr, &clilen)) == -1) { if (errno != EINTR) { ErrorMessage("File Socket: Accept failed: %s\n", strerror(errno)); return -1; } } else { LogMessage("File Socket: Creating a processing thread for %d\n", newsockfd); if ((t = calloc(1, sizeof(*t))) == NULL) { close(newsockfd); ErrorMessage("File Socket: Failed to allocate a thread struct"); return -1; } t->socket_fd = newsockfd; if ((rval = pthread_create(&tid, NULL, &FileSocketProcessThread, (void *)t)) != 0) { close(newsockfd); ErrorMessage("File Socket: Unable to create a processing thread: %s", strerror(rval)); return -1; } pthread_join(tid, NULL); } } else if (rval < 0) { if (errno != EINTR) { ErrorMessage("File Socket: Select failed: %s\n", strerror(errno)); return -1; } } return 0; } /* * Print a message to stderr or with logfacility. * * Arguments: format => the formatted error string to print out * ... => format commands/fillers * * Returns: void function */ void LogMessage(const char *format,...) { char buf[STD_BUF+1]; va_list ap; if (print_mode == PRINT_MODE_FAST) return; va_start(ap, format); vsnprintf(buf, STD_BUF, format, ap); buf[STD_BUF] = '\0'; syslog(LOG_DAEMON | LOG_NOTICE, "%s", buf); printf("%s", buf); va_end(ap); } /* * Print a message to stderr or with logfacility. * * Arguments: format => the formatted error string to print out * ... => format commands/fillers * * Returns: void function */ void ErrorMessage(const char *format,...) 
{ char buf[STD_BUF+1]; va_list ap; va_start(ap, format); vsnprintf(buf, STD_BUF, format, ap); buf[STD_BUF] = '\0'; syslog(LOG_CONS | LOG_DAEMON | LOG_ERR, "%s", buf); printf("%s", buf); va_end(ap); } /* Puts the program into daemon print_mode, nice and quiet like....*/ void GoDaemon(void) { int exit_val = 0; pid_t cpid; int i; LogMessage("Initializing daemon mode\n"); /* Don't daemonize if we've already daemonized */ if(getppid() != 1) { /* now fork the child */ printf("Spawning daemon child...\n"); cpid = fork(); if(cpid > 0) { /* Parent */ printf("Daemon child %d lives...\n", cpid); printf("Daemon parent exiting (%d)\n", exit_val); exit(exit_val); /* parent */ } if(cpid < 0) { /* Daemonizing failed... */ perror("fork"); exit(1); } } /* Child */ setsid(); close(0); close(1); close(2); /* redirect stdin/stdout/stderr to /dev/null */ i = open("/dev/null", O_RDWR); /* stdin, fd 0 */ dup(i); dup(i); } static void PrintHelp() { printf("Usage: file_server <-dvh> -\n"); printf("d: daemon mode -\n"); printf("v: verbos mode -\n"); printf("h: help -\n"); } static void ParseArgs(char *arg) { int len; int i; if (!arg) return; len = strlen(arg); if (len < 2) { printf("Option length two short!\n"); return; } if (arg[0] != '-') { printf("Please provide option start with -\n"); } for (i = 1; i < len; i++) { switch(arg[i]) { case 'd': daemon_mode = 1; break; case 'v': print_mode = PRINT_MODE_DETAIL; LogMessage("Verbose print_mode specified!\n"); break; case 'h': PrintHelp(); break; default: printf("Please provide correct option!\n"); PrintHelp(); exit(1); } } } int main(int argc, char *argv[]) { int sockfd, portno; struct sockaddr_in serv_addr; int one = 1; setlogmask (LOG_UPTO (LOG_NOTICE)); openlog("file_server", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_LOCAL1); if (argc < 2) { fprintf(stderr,"please specify a port number\n"); exit(1); } if(argc > 2) { int i; for (i = 2; i < argc; i++) ParseArgs(argv[i]); } if (daemon_mode) { GoDaemon(); } AddSignal(SIGTERM, SigExitHandler, 1); 
AddSignal(SIGINT, SigExitHandler, 1); sockfd = socket(AF_INET, SOCK_STREAM, 0); if (sockfd < 0) { ErrorMessage("ERROR create socket.\n"); exit(1); } //allow reuse of port setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one); //bind to a local address memset((char *) &serv_addr, 0, sizeof(serv_addr)); portno = atoi(argv[1]); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = INADDR_ANY; serv_addr.sin_port = htons(portno); if (bind(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) { ErrorMessage("ERROR on bind.\n"); exit(1); } //listen marks the socket as passive socket listening to incoming connections, //it allows max 5 backlog connections: backlog connections are pending in queue //if pending connections are more than 5, later request may be ignored if (listen(sockfd,5)) { ErrorMessage("ERROR on listen.\n"); exit(1); } while (!stop_processing) { if (ProcessClientRequest(sockfd) < 0) break; CheckExit(); } close(sockfd); LogMessage("----------Exiting.........!\n"); PrintFileStats(&file_stats); closelog(); return 0; } snort-2.9.7.0/tools/file_server/Makefile.in0000644000000000000000000005673312416771463015466 00000000000000# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) 
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ bin_PROGRAMS = file_server$(EXEEXT) subdir = tools/file_server DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp $(dist_doc_DATA) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) 
$(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(docdir)" PROGRAMS = $(bin_PROGRAMS) am_file_server_OBJECTS = file_server-file_server.$(OBJEXT) file_server_OBJECTS = $(am_file_server_OBJECTS) file_server_LDADD = $(LDADD) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = file_server_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(file_server_CFLAGS) \ $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(file_server_SOURCES) DIST_SOURCES = $(file_server_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) 
>/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } DATA = $(dist_doc_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. 
am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ @extra_incl@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LUA_CFLAGS = @LUA_CFLAGS@ LUA_LIBS = @LUA_LIBS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ 
SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = ${datadir}/doc/${PACKAGE} dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ luajit_CFLAGS = @luajit_CFLAGS@ luajit_LIBS = @luajit_LIBS@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign file_server_SOURCES = file_server.c file_server_CFLAGS = @CFLAGS@ $(AM_CFLAGS) dist_doc_DATA = README.file_server all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if 
test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/file_server/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tools/file_server/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ || test -f $$p1 \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) 
$(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ } \ ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list file_server$(EXEEXT): $(file_server_OBJECTS) $(file_server_DEPENDENCIES) $(EXTRA_file_server_DEPENDENCIES) @rm -f file_server$(EXEEXT) $(AM_V_CCLD)$(file_server_LINK) $(file_server_OBJECTS) $(file_server_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/file_server-file_server.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< file_server-file_server.o: file_server.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(file_server_CFLAGS) $(CFLAGS) -MT file_server-file_server.o -MD -MP -MF $(DEPDIR)/file_server-file_server.Tpo -c -o file_server-file_server.o `test -f 'file_server.c' || echo '$(srcdir)/'`file_server.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/file_server-file_server.Tpo $(DEPDIR)/file_server-file_server.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='file_server.c' object='file_server-file_server.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(file_server_CFLAGS) $(CFLAGS) -c -o file_server-file_server.o `test -f 'file_server.c' || echo '$(srcdir)/'`file_server.c file_server-file_server.obj: file_server.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(file_server_CFLAGS) $(CFLAGS) -MT file_server-file_server.obj -MD -MP -MF $(DEPDIR)/file_server-file_server.Tpo -c -o file_server-file_server.obj `if test -f 'file_server.c'; then $(CYGPATH_W) 'file_server.c'; else $(CYGPATH_W) '$(srcdir)/file_server.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/file_server-file_server.Tpo 
$(DEPDIR)/file_server-file_server.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='file_server.c' object='file_server-file_server.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(file_server_CFLAGS) $(CFLAGS) -c -o file_server-file_server.obj `if test -f 'file_server.c'; then $(CYGPATH_W) 'file_server.c'; else $(CYGPATH_W) '$(srcdir)/file_server.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs install-dist_docDATA: $(dist_doc_DATA) @$(NORMAL_INSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-dist_docDATA: @$(NORMAL_UNINSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z 
"$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) $(DATA) installdirs: for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(docdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dist_docDATA install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-binPROGRAMS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-binPROGRAMS uninstall-dist_docDATA .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \ clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-binPROGRAMS \ install-data install-data-am install-dist_docDATA install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-binPROGRAMS uninstall-dist_docDATA # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT: snort-2.9.7.0/tools/file_server/README.file_server0000644000000000000000000000127512232305217016556 00000000000000file-server - Tool to receive captured files from snort -------------------------------------------- file server is used along with the file inspect preprocessor, to receive and store files captured by the file inspect preprocessor. This simple program should be run in the directory where you want to store files. In other words, files will be saved in the current directory. The file name will be the SHA for that file (from the file inspect preprocessor) Use -v option if you want to see what files are received/stored. Use -d option if you want to run it in daemon mode Use -h option for help Use Ctrl - c to stop file server Usage ----- $ file_server <-vdh> Example: file_server 8000 -v snort-2.9.7.0/tools/file_server/Makefile.am0000644000000000000000000000036112232305217015421 00000000000000AUTOMAKE_OPTIONS=foreign bin_PROGRAMS = file_server docdir = ${datadir}/doc/${PACKAGE} file_server_SOURCES = file_server.c file_server_CFLAGS = @CFLAGS@ $(AM_CFLAGS) INCLUDES = @INCLUDES@ @extra_incl@ dist_doc_DATA = README.file_server snort-2.9.7.0/tools/u2openappid/0000755000000000000000000000000012416771510013375 500000000000000snort-2.9.7.0/tools/u2openappid/u2openappid.c0000644000000000000000000006405412345604073015720 00000000000000/* * Copyright (C) 2002-2013 Sourcefire, Inc. * Copyright (C) 1998-2002 Martin Roesch * Author: Adam Keeton * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or * distribute this program under any other version of the GNU General * Public License. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
* * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #ifndef WIN32 #include #include #include #include #include #include #include #include #include #endif #ifdef HAVE_UUID_UUID_H #include #endif #include "Unified2_common.h" #define SUCCESS 314159265 #define STEVE -1 #define FAILURE STEVE #ifndef WIN32 #ifndef uint32_t typedef unsigned int uint32_t; typedef unsigned short uint16_t; typedef unsigned char uint8_t; #endif #else static void inet_ntop(int family, const void *ip_raw, char *buf, int bufsize) { int i; if(!ip_raw || !buf || !bufsize || (family != AF_INET && family != AF_INET6) || /* Make sure if it's IPv6 that the buf is large enough. */ /* Need atleast a max of 8 fields of 4 bytes plus 7 for colons in * between. Need 1 more byte for null. */ (family == AF_INET6 && bufsize < 8*4 + 7 + 1) || /* Make sure if it's IPv4 that the buf is large enough. */ /* 4 fields of 3 numbers, plus 3 dots and a null byte */ (family == AF_INET && bufsize < 3*4 + 4) ) { if(buf && bufsize > 0) buf[0] = 0; return; } /* 4 fields of at most 3 characters each */ if(family == AF_INET) { u_int8_t *p = (u_int8_t*)ip_raw; for(i=0; p < ((u_int8_t*)ip_raw) + 4; p++) { i += sprintf(&buf[i], "%d", *p); /* If this is the last iteration, this could technically cause one * extra byte to be written past the end. 
*/ if(i < bufsize && ((p + 1) < ((u_int8_t*)ip_raw+4))) buf[i] = '.'; i++; } /* Check if this is really just an IPv4 address represented as 6, * in compatible format */ #if 0 } else if(!field[0] && !field[1] && !field[2]) { unsigned char *p = (unsigned char *)(&ip->ip[12]); for(i=0; p < &ip->ip[16]; p++) i += sprintf(&buf[i], "%d.", *p); #endif } else { u_int16_t *p = (u_int16_t*)ip_raw; for(i=0; p < ((u_int16_t*)ip_raw) + 8; p++) { i += sprintf(&buf[i], "%04x", ntohs(*p)); /* If this is the last iteration, this could technically cause one * extra byte to be written past the end. */ if(i < bufsize && ((p + 1) < ((u_int16_t*)ip_raw) + 8)) buf[i] = ':'; i++; } } } #endif typedef struct _record { uint32_t type; uint32_t length; uint8_t *data; } u2record; typedef struct _u2iterator { FILE *file; char *filename; u2record current; } u2iterator; static long s_pos = 0, s_off = 0; #define TO_IP(x) x >> 24, (x >> 16) & 0xff, (x >> 8) & 0xff, x & 0xff static u2iterator *new_iterator(char *filename) { FILE *f = fopen(filename, "rb"); u2iterator *ret; if(!f) { printf("new_iterator: Failed to open file: %s\n\tErrno: %s\n", filename, strerror(errno)); return NULL; } ret = (u2iterator*)malloc(sizeof(u2iterator)); if(!ret) { printf("new_iterator: Failed to malloc %lu bytes.\n", (unsigned long)sizeof(u2iterator)); fclose(f); return NULL; } ret->file = f; ret->filename = strdup(filename); return ret; } static inline void free_iterator(u2iterator *it) { if(it->file) fclose(it->file); if(it->filename) free(it->filename); if(it) free(it); } static int get_record(u2iterator *it, u2record *record) { uint32_t bytes_read; uint8_t *tmp; if(!it || !it->file) return FAILURE; /* check if the log was rotated */ if(feof(it->file)) { /* Get next timestamped file? */ puts("Hit the EOF .. and this is not being handled yet."); return FAILURE; } if ( s_off ) { if (fseek(it->file, s_pos+s_off, SEEK_SET)) { puts("Unable to SEEK on current file .. 
and this is not being handled yet."); return FAILURE; } s_off = 0; } /* read type and length */ bytes_read = fread(record, 1, sizeof(uint32_t) * 2, it->file); /* But they're in network order! */ record->type= ntohl(record->type); record->length= ntohl(record->length); //if(record->type == UNIFIED2_PACKET) record->length+=4; if(bytes_read == 0) /* EOF */ return FAILURE; if(bytes_read != sizeof(uint32_t)*2) { puts("get_record: (1) Failed to read all of record."); printf("\tRead %u of %lu bytes\n", bytes_read, (unsigned long)sizeof(uint32_t)*2); return FAILURE; } s_pos = ftell(it->file); tmp = (uint8_t *)realloc(record->data, record->length); if (!tmp) { puts("get_record: (2) Failed to allocate memory."); free(record->data); return FAILURE; } record->data = tmp; bytes_read = fread(record->data, 1, record->length, it->file); if(bytes_read != record->length) { puts("get_record: (3) Failed to read all of record data."); printf("\tRead %u of %u bytes\n", bytes_read, record->length); if ( record->type != UNIFIED2_PACKET || bytes_read < ntohl(((Serial_Unified2Packet*)record->data)->packet_length) ) return FAILURE; clearerr(it->file); } return SUCCESS; } static void extradata_dump(u2record *record) { uint8_t *field, *data; int i; int len = 0; SerialUnified2ExtraData event; Unified2ExtraDataHdr eventHdr; uint32_t ip; char ip6buf[INET6_ADDRSTRLEN+1]; struct in6_addr ipAddr; memcpy(&eventHdr, record->data, sizeof(Unified2ExtraDataHdr)); memcpy(&event, record->data + sizeof(Unified2ExtraDataHdr) , sizeof(SerialUnified2ExtraData)); /* network to host ordering */ field = (uint8_t*)&eventHdr; for(i=0; i<2; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } field = (uint8_t*)&event; for(i=0; i<6; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } printf("\n(ExtraDataHdr)\n" "\tevent type: %u\tevent length: %u\n", eventHdr.event_type, eventHdr.event_length); printf("\n(ExtraData)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\n" "\ttype: %u\tdatatype: 
%u\tbloblength: %u\t", event.sensor_id, event.event_id, event.event_second, event.type, event.data_type, event.blob_length); len = event.blob_length - sizeof(event.blob_length) - sizeof(event.data_type); switch(event.type) { case EVENT_INFO_XFF_IPV4: memcpy(&ip, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(uint32_t)); ip = ntohl(ip); printf("Original Client IP: %u.%u.%u.%u\n", TO_IP(ip)); break; case EVENT_INFO_XFF_IPV6: memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); printf("Original Client IP: %s\n", ip6buf); break; case EVENT_INFO_GZIP_DATA: printf("GZIP Decompressed Data: %.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_JSNORM_DATA: printf("Normalized JavaScript Data: %.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_SMTP_FILENAME: printf("SMTP Attachment Filename: %.*s\n", len,record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_SMTP_MAILFROM: printf("SMTP MAIL FROM Addresses: %.*s\n", len,record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_SMTP_RCPTTO: printf("SMTP RCPT TO Addresses: %.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_SMTP_EMAIL_HDRS: printf("SMTP EMAIL HEADERS: \n%.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_HTTP_URI: printf("HTTP URI: %.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_HTTP_HOSTNAME: printf("HTTP Hostname: "); data = record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData); for(i=0; i < len; i++) { 
if(iscntrl(data[i])) printf("%c",'.'); else printf("%c",data[i]); } printf("\n"); break; case EVENT_INFO_IPV6_SRC: memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); printf("IPv6 Source Address: %s\n", ip6buf); break; case EVENT_INFO_IPV6_DST: memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); printf("IPv6 Destination Address: %s\n", ip6buf); break; default : break; } } static void event_dump(u2record *record) { uint8_t *field; int i; Serial_Unified2IDSEvent_legacy event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEvent_legacy)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first 11 fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<11; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ /* done changing the network ordering */ printf("\n(Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" "\tpriority: %u\tip source: %u.%u.%u.%u\tip destination: %u.%u.%u.%u\n" "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, TO_IP(event.ip_source), TO_IP(event.ip_destination), event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked); } static void event6_dump(u2record 
*record) { uint8_t *field; int i; Serial_Unified2IDSEventIPv6_legacy event; char ip6buf[INET6_ADDRSTRLEN+1]; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEventIPv6_legacy)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<9; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } field = field + 2*sizeof(struct in6_addr); /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ /* done changing the network ordering */ inet_ntop(AF_INET6, &event.ip_source, ip6buf, INET6_ADDRSTRLEN); printf("\n(IPv6 Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" "\tpriority: %u\tip source: %s\t", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, ip6buf); inet_ntop(AF_INET6, &event.ip_destination, ip6buf, INET6_ADDRSTRLEN); printf("ip destination: %s\n" "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n", ip6buf, event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked); } static void event2_dump(u2record *record) { uint8_t *field; int i; Serial_Unified2IDSEvent event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEvent)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first 11 fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<11; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } /* last 3 fields, with the exception of the last most since it's just one byte */ 
*(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ printf("\n(Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" "\tpriority: %u\tip source: %u.%u.%u.%u\tip destination: %u.%u.%u.%u\n" "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n" "\tmpls label: %u\tvland id: %u\tpolicy id: %u\n", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, TO_IP(event.ip_source), TO_IP(event.ip_destination), event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked, event.mpls_label, event.vlanId, event.pad2); } static void event3_dump(u2record *record) { uint8_t *field; int i; Serial_Unified2IDSEvent event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEvent)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first 11 fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<11; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ 
printf("\"(Event)\"" ",sensor_id=\"%u\",event_id=\"%u\",event_second=\"%u\",event_microsecond=\"%u\"" ",sig_id=\"%u\",gen_id=\"%u\",revision=\"%u\",classification=\"%u\"" ",priority=\"%u\",ip_source=\"%u.%u.%u.%u\",ip_destination=\"%u.%u.%u.%u\"" ",src_port=\"%u\",dest_port=\"%u\",protocol=\"%u\",impact_flag=\"%u\",blocked=\"%u\"" ",mpls_label=\"%u\",vland_id=\"%u\",policy_id=\"%u\",appid=\"%s\"\n", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, TO_IP(event.ip_source), TO_IP(event.ip_destination), event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked, event.mpls_label, event.vlanId, event.pad2, event.app_name); } static void event2_6_dump(u2record *record) { uint8_t *field; int i; char ip6buf[INET6_ADDRSTRLEN+1]; Serial_Unified2IDSEventIPv6 event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEventIPv6)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<9; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } field = field + 2*sizeof(struct in6_addr); /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ inet_ntop(AF_INET6, &event.ip_source, ip6buf, INET6_ADDRSTRLEN); printf("\n(IPv6 Event)" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" "\tpriority: %u\tip 
source: %s\t", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, ip6buf); inet_ntop(AF_INET6, &event.ip_destination, ip6buf, INET6_ADDRSTRLEN); printf("ip destination: %s\n" "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n" "\tmpls label: %u\tvland id: %u\tpolicy id: %u\n", ip6buf, event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked, event.mpls_label, event.vlanId,event.pad2); } static void event3_6_dump(u2record *record) { uint8_t *field; int i; char ip6buf[INET6_ADDRSTRLEN+1]; Serial_Unified2IDSEventIPv6 event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEventIPv6)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<9; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } field = field + 2*sizeof(struct in6_addr); /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ inet_ntop(AF_INET6, &event.ip_source, ip6buf, INET6_ADDRSTRLEN); printf("\"(IPv6_Event)|\"" ",sensor_id=\"%u\",event_id=\"%u\",event_second=\"%u\",event_microsecond=\"%u\"" ",sig_id=\"%u\",gen_id=\"%u\",revision=\"%u\",classification=\"%u\"" ",priority=\"%u\",ip_source=\"%s\",", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, 
event.priority_id, ip6buf); inet_ntop(AF_INET6, &event.ip_destination, ip6buf, INET6_ADDRSTRLEN); printf("ip_destination=\"%s\"" ",src_port=\"%u\",dest_port=\"%u\",protocol=\"%u\",impact_flag=\"%u\",blocked=\"%u\"" ",mpls_label=\"%u\",vland_id=\"%u\",policy_id=\"%u\",appid=\"%s\"\n", ip6buf, event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked, event.mpls_label, event.vlanId,event.pad2, event.app_name); } static void appid_dump(u2record *record) { uint8_t *field = (uint8_t*)record->data; unsigned i; unsigned appCnt; unsigned statTime; /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first fields need to be convertted */ statTime = ntohl(*(uint32_t*)field); field += 4; appCnt = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; for(i=0; ilength - offset; Serial_Unified2Packet packet; memcpy(&packet, record->data, sizeof(Serial_Unified2Packet)); /* network to host ordering */ /* The first 7 fields need to be convertted */ field = (uint8_t*)&packet; for(counter=0; counter<7; counter++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } /* done changing from network ordering */ printf("\nPacket\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\n" "\tpacket second: %u\tpacket microsecond: %u\n" "\tlinktype: %u\tpacket_length: %u\n", packet.sensor_id, packet.event_id, packet.event_second, packet.packet_second, packet.packet_microsecond, packet.linktype, packet.packet_length); if ( record->length <= offset ) return; if ( packet.packet_length != reclen ) { printf("ERROR: logged %u but packet_length = %u\n", record->length-offset, packet.packet_length); if ( packet.packet_length < reclen ) { reclen = packet.packet_length; s_off = reclen + offset; } } LogBuffer(record->data+offset, reclen); } static int u2dump(char *file) { u2record record; u2iterator *it = new_iterator(file); memset(&record, 0, sizeof(record)); if(!it) { printf("u2dump: Failed to create new 
iterator with file: %s\n", file); return -1; } while( get_record(it, &record) == SUCCESS ) { if(record.type == UNIFIED2_IDS_EVENT) event_dump(&record); else if(record.type == UNIFIED2_IDS_EVENT_VLAN) event2_dump(&record); else if(record.type == UNIFIED2_PACKET) packet_dump(&record); else if(record.type == UNIFIED2_IDS_EVENT_IPV6) event6_dump(&record); else if(record.type == UNIFIED2_IDS_EVENT_IPV6_VLAN) event2_6_dump(&record); else if(record.type == UNIFIED2_EXTRA_DATA) extradata_dump(&record); else if(record.type == UNIFIED2_IDS_EVENT_APPID) event3_dump(&record); else if(record.type == UNIFIED2_IDS_EVENT_APPID_IPV6) event3_6_dump(&record); else if(record.type == UNIFIED2_IDS_EVENT_APPSTAT) appid_dump(&record); } free_iterator(it); if(record.data) free(record.data); return 0; } int main(int argc, char **argv) { if(argc != 2) { puts("usage: u2eventdump "); return 1; } return u2dump(argv[1]); } snort-2.9.7.0/tools/u2openappid/Makefile.in0000644000000000000000000005252212416771463015377 00000000000000# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) 
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ bin_PROGRAMS = u2openappid$(EXEEXT) subdir = tools/u2openappid DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ 
$(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" PROGRAMS = $(bin_PROGRAMS) am_u2openappid_OBJECTS = u2openappid-u2openappid.$(OBJEXT) u2openappid_OBJECTS = $(am_u2openappid_OBJECTS) u2openappid_LDADD = $(LDADD) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = u2openappid_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(u2openappid_CFLAGS) \ $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(u2openappid_SOURCES) DIST_SOURCES = $(u2openappid_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) 
$(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ @extra_incl@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LUA_CFLAGS = @LUA_CFLAGS@ LUA_LIBS = @LUA_LIBS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ 
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ luajit_CFLAGS = @luajit_CFLAGS@ luajit_LIBS = @luajit_LIBS@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ 
top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign u2openappid_SOURCES = u2openappid.c u2openappid_CFLAGS = @CFLAGS@ $(AM_CFLAGS) EXTRA_DIST = all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/u2openappid/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tools/u2openappid/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ || test -f $$p1 \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 
'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ } \ ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list u2openappid$(EXEEXT): $(u2openappid_OBJECTS) $(u2openappid_DEPENDENCIES) $(EXTRA_u2openappid_DEPENDENCIES) @rm -f u2openappid$(EXEEXT) $(AM_V_CCLD)$(u2openappid_LINK) $(u2openappid_OBJECTS) $(u2openappid_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2openappid-u2openappid.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' 
object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< u2openappid-u2openappid.o: u2openappid.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2openappid_CFLAGS) $(CFLAGS) -MT u2openappid-u2openappid.o -MD -MP -MF $(DEPDIR)/u2openappid-u2openappid.Tpo -c -o u2openappid-u2openappid.o `test -f 'u2openappid.c' || echo '$(srcdir)/'`u2openappid.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2openappid-u2openappid.Tpo $(DEPDIR)/u2openappid-u2openappid.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='u2openappid.c' object='u2openappid-u2openappid.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2openappid_CFLAGS) $(CFLAGS) -c -o u2openappid-u2openappid.o `test -f 'u2openappid.c' || echo 
'$(srcdir)/'`u2openappid.c u2openappid-u2openappid.obj: u2openappid.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2openappid_CFLAGS) $(CFLAGS) -MT u2openappid-u2openappid.obj -MD -MP -MF $(DEPDIR)/u2openappid-u2openappid.Tpo -c -o u2openappid-u2openappid.obj `if test -f 'u2openappid.c'; then $(CYGPATH_W) 'u2openappid.c'; else $(CYGPATH_W) '$(srcdir)/u2openappid.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2openappid-u2openappid.Tpo $(DEPDIR)/u2openappid-u2openappid.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='u2openappid.c' object='u2openappid-u2openappid.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2openappid_CFLAGS) $(CFLAGS) -c -o u2openappid-u2openappid.obj `if test -f 'u2openappid.c'; then $(CYGPATH_W) 'u2openappid.c'; else $(CYGPATH_W) '$(srcdir)/u2openappid.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am 
cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(bindir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-binPROGRAMS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-binPROGRAMS .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \ clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-binPROGRAMS \ install-data install-data-am install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-binPROGRAMS # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT: snort-2.9.7.0/tools/u2openappid/Makefile.am0000644000000000000000000000027012345604073015350 00000000000000AUTOMAKE_OPTIONS=foreign bin_PROGRAMS = u2openappid u2openappid_SOURCES = u2openappid.c u2openappid_CFLAGS = @CFLAGS@ $(AM_CFLAGS) EXTRA_DIST = INCLUDES = @INCLUDES@ @extra_incl@ snort-2.9.7.0/tools/u2boat/0000755000000000000000000000000012416771510012343 500000000000000snort-2.9.7.0/tools/u2boat/README.u2boat0000644000000000000000000000106211404013614014323 00000000000000u2boat - Unified2 Binary Output & Alert Tool -------------------------------------------- About ----- The current version of SnortSP lacks support for some output formats that were present in Snort 2.8.X. u2boat aims to fill these gaps by converting Unified2 logs to other formats. Installation ------------ u2boat is made and installed along with snortsp in the same bin directory. Usage ----- $ u2boat [-t type] "type" specifies the type of output u2boat should create. Valid options are: - pcap: Tcpdump format (default) snort-2.9.7.0/tools/u2boat/u2boat.c0000644000000000000000000002214512260565733013634 00000000000000/* * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. * Copyright (C) 2002-2013 Sourcefire, Inc. * Copyright (C) 1998-2002 Martin Roesch * Author: Ryan Jordan * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or * distribute this program under any other version of the GNU General * Public License. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. 
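* * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */

/* NOTE(review): the original #include list did not survive extraction of
 * this listing. The headers below cover every symbol this file uses
 * (stdio, malloc/free, string ops, ctype, errno, getopt, ntohl, libpcap);
 * confirm against the upstream source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <pcap.h>

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "u2boat.h"

#define FAILURE -1
#define SUCCESS 0
/* Internal signal from GetRecord(): the input ended cleanly between
 * records (no partial header was read). Never returned to main(). */
#define END_OF_INPUT 1

#define PCAP_MAGIC_NUMBER 0xa1b2c3d4
#define PCAP_TIMEZONE 0
#define PCAP_SIGFIGS 0
#define PCAP_SNAPLEN 65535
#define ETHERNET 1
#define PCAP_LINKTYPE ETHERNET

/* Initial size of the record body buffer; GetRecord() grows it on demand. */
#define MAX_U2RECORD_DATA_LENGTH 65536

static int ConvertLog(FILE *input, FILE *output, char *format);
static int GetRecord(FILE *input, u2record *rec);
static int PcapInitOutput(FILE *output);
static int PcapConversion(u2record *rec, FILE *output);

/* Convert every record in INPUT and write the result to OUTPUT.
 *
 * FORMAT selects the per-record converter; only "pcap" is known today.
 * Returns SUCCESS when the whole file was consumed, FAILURE when the format
 * is unknown, memory is exhausted, a record is truncated or malformed, or
 * either stream reports an I/O error. The record buffer is released on
 * every exit path. */
static int ConvertLog(FILE *input, FILE *output, char *format)
{
    u2record tmp_record;
    int (*ConvertRecord)(u2record *, FILE *) = NULL;
    int rc = SUCCESS;

    /* Pick the converter once so the format comparison is not repeated
     * per record. This becomes an if/else chain as formats are added. */
    if (strncmp(format, "pcap", 4) == 0)
        ConvertRecord = PcapConversion;

    if (ConvertRecord == NULL)
    {
        fprintf(stderr, "Error setting conversion routine, aborting...\n");
        return FAILURE;
    }

    tmp_record.type = 0;
    tmp_record.length = 0;
    tmp_record.data = malloc(MAX_U2RECORD_DATA_LENGTH * sizeof(uint8_t));
    if (tmp_record.data == NULL)
    {
        fprintf(stderr, "Error allocating memory, aborting...\n");
        return FAILURE;
    }

    while (!(feof(input) || ferror(input) || ferror(output)))
    {
        int got = GetRecord(input, &tmp_record);

        if (got == END_OF_INPUT)
            break;

        /* A truncated/malformed record or a failed conversion must not
         * leave the process exiting 0; remember it for the caller. */
        if (got == FAILURE || ConvertRecord(&tmp_record, output) == FAILURE)
        {
            rc = FAILURE;
            break;
        }
    }

    free(tmp_record.data);
    tmp_record.data = NULL;

    if (ferror(input))
    {
        fprintf(stderr, "Error reading input file, aborting...\n");
        rc = FAILURE;
    }
    if (ferror(output))
    {
        fprintf(stderr, "Error writing output file, aborting...\n");
        rc = FAILURE;
    }

    return rc;
}

/* Write the pcap global header to OUTPUT.
 * Returns SUCCESS, or FAILURE when fwrite() could not emit the header. */
static int PcapInitOutput(FILE *output)
{
    struct pcap_file_header hdr;
    size_t ret;

    hdr.magic = PCAP_MAGIC_NUMBER;
    hdr.version_major = PCAP_VERSION_MAJOR;
    hdr.version_minor = PCAP_VERSION_MINOR;
    hdr.thiszone = PCAP_TIMEZONE;
    hdr.sigfigs = PCAP_SIGFIGS;
    hdr.snaplen = PCAP_SNAPLEN;
    hdr.linktype = PCAP_LINKTYPE;

    ret = fwrite((void *)&hdr, sizeof(struct pcap_file_header), 1, output);
    if (ret < 1)
    {
        fprintf(stderr, "Error: Unable to write pcap file header\n");
        return FAILURE;
    }

    return SUCCESS;
}

/* Convert one unified2 record to a pcap packet and append it to OUTPUT.
 *
 * Records that are not UNIFIED2_PACKET are skipped with SUCCESS. The pcap
 * global header is written lazily before the first packet. Every length
 * used to address rec->data comes from the input file, so the record is
 * validated against rec->length before any byte is read from it; a record
 * that is too short, or whose packet_length does not fit in the record or
 * exceeds PCAP_SNAPLEN, yields FAILURE. */
static int PcapConversion(u2record *rec, FILE *output)
{
    Serial_Unified2Packet packet;
    struct pcap_pkthdr pcap_hdr;
    uint32_t *field;
    uint8_t *pcap_data;
    size_t copy_len;
    static int packet_found = 0;

    if (rec->type != UNIFIED2_PACKET)
        return SUCCESS;

    if (!packet_found)
    {
        if (PcapInitOutput(output) == FAILURE)
            return FAILURE;
        packet_found = 1;
    }

    /* NOTE(review): the "- 4" inherited from the original code implies
     * Serial_Unified2Packet ends in a 4-byte packet_data stub, so the
     * packet bytes start sizeof(struct) - 4 into the record. Confirm
     * against Unified2_common.h. */
    const size_t data_offset = sizeof(Serial_Unified2Packet) - 4;

    if (rec->length < data_offset)
    {
        fprintf(stderr, "Error: packet record too short (%u bytes).\n",
                rec->length);
        return FAILURE;
    }

    /* Copy only what the record actually holds; a record with an empty
     * packet body is exactly data_offset bytes long. */
    memset(&packet, 0, sizeof(packet));
    copy_len = rec->length < sizeof(packet) ? rec->length : sizeof(packet);
    memcpy(&packet, rec->data, copy_len);

    /* Unified2 fields are network order; convert everything that precedes
     * the packet bytes to host order. */
    field = (uint32_t *)&packet;
    while (field < (uint32_t *)packet.packet_data)
    {
        *field = ntohl(*field);
        field++;
    }

    /* packet_length is attacker-controlled input; pcap_dump() below reads
     * exactly that many bytes from pcap_data. */
    if (packet.packet_length > rec->length - data_offset
        || packet.packet_length > PCAP_SNAPLEN)
    {
        fprintf(stderr,
                "Error: packet length %u does not fit record of %u bytes.\n",
                packet.packet_length, rec->length);
        return FAILURE;
    }

    pcap_hdr.ts.tv_sec = packet.packet_second;
    pcap_hdr.ts.tv_usec = packet.packet_microsecond;
    pcap_hdr.caplen = packet.packet_length;
    pcap_hdr.len = packet.packet_length;

    /* pcap_dump() takes the dumper handle as u_char *; libpcap's dumper
     * is a FILE *, which is what the original code relies on here. */
    pcap_data = rec->data + data_offset;
    pcap_dump((u_char *)output, &pcap_hdr, (u_char *)pcap_data);

    return SUCCESS;
}

/* Read one unified2 record (4-byte type, 4-byte length, then length bytes
 * of body, all big-endian) from INPUT into REC.
 *
 * Returns SUCCESS with rec->type/rec->length in host order and the body in
 * rec->data; END_OF_INPUT when no header byte could be read at EOF;
 * FAILURE on a partial header, a partial body, or allocation failure.
 * rec->data is grown (realloc-style) when a record exceeds the current
 * buffer. NOTE(review): buffer_size is static, so it assumes a single
 * caller that keeps one buffer for the life of the process — ConvertLog()
 * does exactly that. A second caller with a fresh buffer would inherit a
 * stale capacity; a capacity field on u2record would remove the hazard. */
static int GetRecord(FILE *input, u2record *rec)
{
    uint32_t header[2];
    size_t items_read;
    static uint32_t buffer_size = MAX_U2RECORD_DATA_LENGTH;
    uint8_t *tmp;

    if (!input || !rec)
        return FAILURE;

    /* Read the header into locals rather than straight into the struct so
     * the on-disk layout does not silently depend on u2record's field order. */
    items_read = fread(header, sizeof(uint32_t), 2, input);
    if (items_read == 0 && feof(input))
        return END_OF_INPUT;

    if (items_read != 2)
    {
        fprintf(stderr, "Error: incomplete record.\n");
        return FAILURE;
    }

    rec->type = ntohl(header[0]);
    rec->length = ntohl(header[1]);

    /* rec->length is untrusted; a hostile value only costs a failed
     * malloc here, and the body read below is bounded by it. */
    if (rec->length > buffer_size)
    {
        tmp = malloc(rec->length * sizeof(uint8_t));
        if (tmp == NULL)
        {
            fprintf(stderr, "Error: memory allocation failed.\n");
            return FAILURE;
        }
        free(rec->data);
        rec->data = tmp;
        buffer_size = rec->length;
    }

    items_read = fread(rec->data, sizeof(uint8_t), rec->length, input);
    if (items_read != rec->length)
    {
        fprintf(stderr, "Error: incomplete record. %lu of %u bytes read.\n",
                (unsigned long)items_read, rec->length);
        return FAILURE;
    }

    return SUCCESS;
}

/* u2boat [-t type] INPUT OUTPUT
 *
 * Parses options, validates the output type (case-insensitively, default
 * "pcap"), opens both files in binary mode and runs ConvertLog(). Exits 0
 * only when the conversion succeeded and the output file closed cleanly;
 * every error path returns FAILURE. (The operand names in the usage
 * string appear to have been lost when this listing was extracted.) */
int main(int argc, char *argv[])
{
    char *input_filename = NULL;
    char *output_filename = NULL;
    char *output_type = NULL;
    FILE *input_file = NULL;
    FILE *output_file = NULL;
    int c, errnum;
    int rc;

    opterr = 0;

    while ((c = getopt(argc, argv, "t:")) != -1)
    {
        switch (c)
        {
            case 't':
                output_type = optarg;
                break;
            case '?':
                if (optopt == 't')
                    fprintf(stderr, "Option -%c requires an argument.\n", optopt);
                else if (isprint(optopt))
                    fprintf(stderr, "Unknown option -%c.\n", optopt);
                return FAILURE;
            default:
                abort();
        }
    }

    /* Exactly two operands must remain: input and output file names. */
    if (optind != (argc - 2))
    {
        fprintf(stderr, "Usage: u2boat [-t type] \n");
        return FAILURE;
    }

    input_filename = argv[optind];
    output_filename = argv[optind + 1];

    if (input_filename == NULL)
    {
        fprintf(stderr, "Error: Input filename must be specified.\n");
        return FAILURE;
    }

    if (output_type == NULL)
    {
        fprintf(stdout, "Defaulting to pcap output.\n");
        output_type = "pcap";
    }
    else
    {
        /* tolower() is only defined for unsigned char values and EOF;
         * a plain (possibly negative) char is undefined behaviour. */
        size_t k, n = strlen(output_type);
        for (k = 0; k < n; k++)
            output_type[k] = (char)tolower((unsigned char)output_type[k]);
    }

    if (strcmp(output_type, "pcap"))
    {
        fprintf(stderr, "Invalid output type. Valid types are: pcap\n");
        return FAILURE;
    }

    if (output_filename == NULL)
    {
        fprintf(stderr, "Error: Output filename must be specified.\n");
        return FAILURE;
    }

    /* Binary mode: a no-op on POSIX, required on platforms that translate
     * line endings in text mode. */
    if ((input_file = fopen(input_filename, "rb")) == NULL)
    {
        fprintf(stderr, "Unable to open file: %s\n", input_filename);
        return FAILURE;
    }

    if ((output_file = fopen(output_filename, "wb")) == NULL)
    {
        fprintf(stderr, "Unable to open/create file: %s\n", output_filename);
        fclose(input_file);
        return FAILURE;
    }

    rc = ConvertLog(input_file, output_file, output_type);

    if (fclose(input_file) != 0)
    {
        errnum = errno;
        fprintf(stderr, "Error closing input: %s\n", strerror(errnum));
    }

    /* A failed close of the output means buffered packets may be lost;
     * treat it as a conversion failure. */
    if (fclose(output_file) != 0)
    {
        errnum = errno;
        fprintf(stderr, "Error closing output: %s\n", strerror(errnum));
        rc = FAILURE;
    }

    return (rc == SUCCESS) ? 0 : FAILURE;
}
snort-2.9.7.0/tools/u2boat/u2boat.h0000644000000000000000000000232212260565733013634 00000000000000/* * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. * Copyright (C) 2002-2013 Sourcefire, Inc. * Copyright (C) 1998-2002 Martin Roesch * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or * distribute this program under any other version of the GNU General * Public License. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.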
*/
#ifndef U2BOAT_H
#define U2BOAT_H

#include "Unified2_common.h"

/* One unified2 record. The on-disk record header is exactly these first
 * two values, as big-endian uint32 in this order, followed by `length`
 * bytes of body. `length` is taken straight from the input file, so code
 * that indexes into `data` must bound its reads by it. */
typedef struct _record
{
    uint32_t type;    /* record type (UNIFIED2_PACKET etc.), host order once read */
    uint32_t length;  /* byte count of the body in `data`; untrusted input */
    uint8_t *data;    /* body buffer, owned by the reader that allocates it */
} u2record;

/* Cursor over a unified2 file. Not referenced by u2boat.c itself;
 * presumably shared with the other unified2 tools — confirm. */
typedef struct _u2iterator
{
    FILE *file;       /* open input stream */
    char *filename;   /* path the stream was opened from */
    u2record current; /* most recently read record */
} u2iterator;

#endif
snort-2.9.7.0/tools/u2boat/Makefile.in0000644000000000000000000005616212416771463014341 00000000000000# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?)
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ bin_PROGRAMS = u2boat$(EXEEXT) subdir = tools/u2boat DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp $(dist_doc_DATA) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ 
$(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(docdir)" PROGRAMS = $(bin_PROGRAMS) am_u2boat_OBJECTS = u2boat-u2boat.$(OBJEXT) u2boat_OBJECTS = $(am_u2boat_OBJECTS) u2boat_DEPENDENCIES = AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = u2boat_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(u2boat_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(u2boat_SOURCES) DIST_SOURCES = $(u2boat_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 
's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } DATA = $(dist_doc_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. 
am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ @extra_incl@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LUA_CFLAGS = @LUA_CFLAGS@ LUA_LIBS = @LUA_LIBS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ 
SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = ${datadir}/doc/${PACKAGE} dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ luajit_CFLAGS = @luajit_CFLAGS@ luajit_LIBS = @luajit_LIBS@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign u2boat_SOURCES = u2boat.c u2boat.h u2boat_CFLAGS = @CFLAGS@ $(AM_CFLAGS) u2boat_LDADD = -lpcap dist_doc_DATA = README.u2boat all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ 
&& { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/u2boat/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tools/u2boat/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ || test -f $$p1 \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ } \ ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list u2boat$(EXEEXT): $(u2boat_OBJECTS) $(u2boat_DEPENDENCIES) $(EXTRA_u2boat_DEPENDENCIES) @rm -f u2boat$(EXEEXT) $(AM_V_CCLD)$(u2boat_LINK) $(u2boat_OBJECTS) $(u2boat_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2boat-u2boat.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< u2boat-u2boat.o: u2boat.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2boat_CFLAGS) $(CFLAGS) -MT u2boat-u2boat.o -MD -MP -MF $(DEPDIR)/u2boat-u2boat.Tpo -c -o u2boat-u2boat.o `test -f 'u2boat.c' || echo '$(srcdir)/'`u2boat.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2boat-u2boat.Tpo $(DEPDIR)/u2boat-u2boat.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='u2boat.c' object='u2boat-u2boat.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2boat_CFLAGS) $(CFLAGS) -c -o u2boat-u2boat.o `test -f 'u2boat.c' || echo '$(srcdir)/'`u2boat.c u2boat-u2boat.obj: u2boat.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2boat_CFLAGS) $(CFLAGS) -MT u2boat-u2boat.obj -MD -MP -MF $(DEPDIR)/u2boat-u2boat.Tpo -c -o u2boat-u2boat.obj `if test -f 'u2boat.c'; then $(CYGPATH_W) 'u2boat.c'; else $(CYGPATH_W) '$(srcdir)/u2boat.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2boat-u2boat.Tpo $(DEPDIR)/u2boat-u2boat.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='u2boat.c' object='u2boat-u2boat.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2boat_CFLAGS) $(CFLAGS) -c -o u2boat-u2boat.obj `if test -f 'u2boat.c'; then $(CYGPATH_W) 'u2boat.c'; else $(CYGPATH_W) '$(srcdir)/u2boat.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs install-dist_docDATA: $(dist_doc_DATA) @$(NORMAL_INSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-dist_docDATA: @$(NORMAL_UNINSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | 
?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) $(DATA) installdirs: for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(docdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dist_docDATA install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-binPROGRAMS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-binPROGRAMS uninstall-dist_docDATA .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \ clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-binPROGRAMS \ install-data install-data-am install-dist_docDATA install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \ uninstall-binPROGRAMS uninstall-dist_docDATA # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT:
snort-2.9.7.0/tools/u2boat/Makefile.am0000644000000000000000000000036711600174703014320 00000000000000
# Automake input for the u2boat program (subdir tools/u2boat); the
# generated Makefile.in above is produced from this file, so changes
# belong here, not in the generated output.
# foreign: do not require the GNU-standard top-level files (NEWS, README,
# AUTHORS, ChangeLog) to be present.
AUTOMAKE_OPTIONS=foreign
bin_PROGRAMS = u2boat
# Hard-codes the documentation directory instead of taking configure's
# @docdir@ (the sibling tools/u2spewfoo Makefile.in keeps "docdir = @docdir@"),
# so a --docdir given to configure appears not to be honoured for this tool.
docdir = ${datadir}/doc/${PACKAGE}
u2boat_SOURCES = u2boat.c u2boat.h
# Setting a per-target _CFLAGS makes automake use per-target object names
# (u2boat-u2boat.o). Note that automake already appends $(CFLAGS) to every
# compile line, so @CFLAGS@ here causes the same flags to be passed twice.
u2boat_CFLAGS = @CFLAGS@ $(AM_CFLAGS)
# Links directly against libpcap; no configure-time probe for it is visible
# from here — TODO confirm configure.in checks for the library/headers.
u2boat_LDADD = -lpcap
# INCLUDES is the older spelling of AM_CPPFLAGS; newer automake versions
# warn that it is obsolete.
INCLUDES = @INCLUDES@ @extra_incl@
# Shipped in the distribution tarball (dist_ prefix) and installed into
# $(docdir) by the generated install-dist_docDATA rule.
dist_doc_DATA = README.u2boat
snort-2.9.7.0/tools/u2spewfoo/0000755000000000000000000000000012416771510013100 500000000000000snort-2.9.7.0/tools/u2spewfoo/u2spewfoo.dsp0000644000000000000000000001001511662530534015457 00000000000000# Microsoft Developer Studio Project File - Name="u2spewfoo" - Package Owner=<4> # Microsoft Developer Studio Generated Build File, Format Version 6.00 # ** DO NOT EDIT ** # TARGTYPE "Win32 (x86) Console Application" 0x0103 CFG=u2spewfoo - Win32 Debug !MESSAGE This is not a valid makefile. To build this project using NMAKE, !MESSAGE use the Export Makefile command and run !MESSAGE !MESSAGE NMAKE /f "u2spewfoo.mak". !MESSAGE !MESSAGE You can specify a configuration when running NMAKE !MESSAGE by defining the macro CFG on the command line. 
For example: !MESSAGE !MESSAGE NMAKE /f "u2spewfoo.mak" CFG="u2spewfoo - Win32 Debug" !MESSAGE !MESSAGE Possible choices for configuration are: !MESSAGE !MESSAGE "u2spewfoo - Win32 Release" (based on "Win32 (x86) Console Application") !MESSAGE "u2spewfoo - Win32 Debug" (based on "Win32 (x86) Console Application") !MESSAGE # Begin Project # PROP AllowPerConfigDependencies 0 # PROP Scc_ProjName "" # PROP Scc_LocalPath "" CPP=cl.exe RSC=rc.exe !IF "$(CFG)" == "u2spewfoo - Win32 Release" # PROP BASE Use_MFC 0 # PROP BASE Use_Debug_Libraries 0 # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" # PROP Use_MFC 2 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "Release" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c # ADD CPP /nologo /MD /W3 /GX /O2 /I "..\..\src\win32\WIN32-Includes" /I "..\..\src\sfutil" /D "NDEBUG" /D "_CONSOLE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /c # ADD BASE RSC /l 0x409 /d "NDEBUG" # ADD RSC /l 0x409 /d "NDEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 # ADD LINK32 wsock32.lib /nologo /subsystem:console /machine:I386 !ELSEIF "$(CFG)" == "u2spewfoo - Win32 Debug" # PROP BASE Use_MFC 0 # PROP BASE Use_Debug_Libraries 1 # PROP BASE Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" # PROP Use_MFC 2 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "Debug" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 
0 # PROP Target_Dir "" # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c # ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "..\..\src\win32\WIN32-Includes" /I "..\..\src\sfutil" /D "_DEBUG" /D "_CONSOLE" /D "WIN32" /D "_MBCS" /D "HAVE_CONFIG_H" /D "_AFXDLL" /D SIGNAL_SNORT_READ_ATTR_TBL=30 /YX /FD /GZ /c # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" /d "_AFXDLL" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept # ADD LINK32 wsock32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept !ENDIF # Begin Target # Name "u2spewfoo - Win32 Release" # Name "u2spewfoo - Win32 Debug" # Begin Group "Source Files" # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" # Begin Source File SOURCE=.\u2spewfoo.c # End Source File # End Group # Begin Group "Header Files" # PROP Default_Filter "h;hpp;hxx;hm;inl" # End Group # Begin Group "Resource Files" # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe" # End Group # End Target # End Project snort-2.9.7.0/tools/u2spewfoo/Makefile.in0000644000000000000000000005231012416771463015075 00000000000000# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
# This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : 
PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ bin_PROGRAMS = u2spewfoo$(EXEEXT) subdir = tools/u2spewfoo DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" PROGRAMS = $(bin_PROGRAMS) am_u2spewfoo_OBJECTS = u2spewfoo-u2spewfoo.$(OBJEXT) u2spewfoo_OBJECTS = $(am_u2spewfoo_OBJECTS) u2spewfoo_LDADD = $(LDADD) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = u2spewfoo_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(u2spewfoo_CFLAGS) \ $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) 
-o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(u2spewfoo_SOURCES) DIST_SOURCES = $(u2spewfoo_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ @extra_incl@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = 
@LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LUA_CFLAGS = @LUA_CFLAGS@ LUA_LIBS = @LUA_LIBS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ luajit_CFLAGS = 
@luajit_CFLAGS@ luajit_LIBS = @luajit_LIBS@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign u2spewfoo_SOURCES = u2spewfoo.c u2spewfoo_CFLAGS = @CFLAGS@ $(AM_CFLAGS) EXTRA_DIST = \ u2spewfoo.dsp all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/u2spewfoo/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tools/u2spewfoo/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ || test -f $$p1 \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ } \ ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; test -n 
"$(bindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list u2spewfoo$(EXEEXT): $(u2spewfoo_OBJECTS) $(u2spewfoo_DEPENDENCIES) $(EXTRA_u2spewfoo_DEPENDENCIES) @rm -f u2spewfoo$(EXEEXT) $(AM_V_CCLD)$(u2spewfoo_LINK) $(u2spewfoo_OBJECTS) $(u2spewfoo_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2spewfoo-u2spewfoo.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< u2spewfoo-u2spewfoo.o: u2spewfoo.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2spewfoo_CFLAGS) $(CFLAGS) -MT u2spewfoo-u2spewfoo.o -MD -MP -MF $(DEPDIR)/u2spewfoo-u2spewfoo.Tpo -c -o u2spewfoo-u2spewfoo.o `test -f 'u2spewfoo.c' || echo '$(srcdir)/'`u2spewfoo.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2spewfoo-u2spewfoo.Tpo $(DEPDIR)/u2spewfoo-u2spewfoo.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='u2spewfoo.c' object='u2spewfoo-u2spewfoo.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2spewfoo_CFLAGS) $(CFLAGS) -c -o u2spewfoo-u2spewfoo.o `test -f 'u2spewfoo.c' || echo '$(srcdir)/'`u2spewfoo.c u2spewfoo-u2spewfoo.obj: u2spewfoo.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2spewfoo_CFLAGS) $(CFLAGS) -MT u2spewfoo-u2spewfoo.obj -MD -MP -MF $(DEPDIR)/u2spewfoo-u2spewfoo.Tpo -c -o u2spewfoo-u2spewfoo.obj `if test -f 'u2spewfoo.c'; then $(CYGPATH_W) 'u2spewfoo.c'; else $(CYGPATH_W) '$(srcdir)/u2spewfoo.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2spewfoo-u2spewfoo.Tpo $(DEPDIR)/u2spewfoo-u2spewfoo.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='u2spewfoo.c' object='u2spewfoo-u2spewfoo.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2spewfoo_CFLAGS) $(CFLAGS) -c -o u2spewfoo-u2spewfoo.obj `if test -f 
'u2spewfoo.c'; then $(CYGPATH_W) 'u2spewfoo.c'; else $(CYGPATH_W) '$(srcdir)/u2spewfoo.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | 
sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(bindir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-binPROGRAMS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-binPROGRAMS .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \ clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-binPROGRAMS \ install-data install-data-am install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-binPROGRAMS # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT: snort-2.9.7.0/tools/u2spewfoo/u2spewfoo.c0000644000000000000000000006452512345604073015131 00000000000000/* * Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. * Copyright (C) 2002-2013 Sourcefire, Inc. * Copyright (C) 1998-2002 Martin Roesch * Author: Adam Keeton * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation. You may not use, modify or * distribute this program under any other version of the GNU General * Public License. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #ifndef WIN32 #include #include #include #include #include #include #include #include #include #endif #ifdef HAVE_UUID_UUID_H #include #endif #include "Unified2_common.h" #define SUCCESS 314159265 #define STEVE -1 #define FAILURE STEVE #ifndef WIN32 #ifndef uint32_t typedef unsigned int uint32_t; typedef unsigned short uint16_t; typedef unsigned char uint8_t; #endif #else static void inet_ntop(int family, const void *ip_raw, char *buf, int bufsize) { int i; if(!ip_raw || !buf || !bufsize || (family != AF_INET && family != AF_INET6) || /* Make sure if it's IPv6 that the buf is large enough. */ /* Need atleast a max of 8 fields of 4 bytes plus 7 for colons in * between. Need 1 more byte for null. */ (family == AF_INET6 && bufsize < 8*4 + 7 + 1) || /* Make sure if it's IPv4 that the buf is large enough. 
*/ /* 4 fields of 3 numbers, plus 3 dots and a null byte */ (family == AF_INET && bufsize < 3*4 + 4) ) { if(buf && bufsize > 0) buf[0] = 0; return; } /* 4 fields of at most 3 characters each */ if(family == AF_INET) { u_int8_t *p = (u_int8_t*)ip_raw; for(i=0; p < ((u_int8_t*)ip_raw) + 4; p++) { i += sprintf(&buf[i], "%d", *p); /* If this is the last iteration, this could technically cause one * extra byte to be written past the end. */ if(i < bufsize && ((p + 1) < ((u_int8_t*)ip_raw+4))) buf[i] = '.'; i++; } /* Check if this is really just an IPv4 address represented as 6, * in compatible format */ #if 0 } else if(!field[0] && !field[1] && !field[2]) { unsigned char *p = (unsigned char *)(&ip->ip[12]); for(i=0; p < &ip->ip[16]; p++) i += sprintf(&buf[i], "%d.", *p); #endif } else { u_int16_t *p = (u_int16_t*)ip_raw; for(i=0; p < ((u_int16_t*)ip_raw) + 8; p++) { i += sprintf(&buf[i], "%04x", ntohs(*p)); /* If this is the last iteration, this could technically cause one * extra byte to be written past the end. 
*/
            if(i < bufsize && ((p + 1) < ((u_int16_t*)ip_raw) + 8))
                buf[i] = ':';
            i++;
        }
    }
}
#endif

/* One raw unified2 record as it sits in the file: an 8-byte header of
 * (type, length) followed by `length` bytes of payload.  get_record()
 * fills it in; `data` is a realloc()'d buffer that is reused across calls
 * and freed by the caller (u2dump). */
typedef struct _record
{
    uint32_t type;      /* UNIFIED2_* record type, host order after get_record() */
    uint32_t length;    /* payload length in bytes, host order after get_record() */
    uint8_t *data;      /* payload buffer; NULL until the first successful read */
} u2record;

/* An open unified2 file plus a slot for the record last read from it.
 * NOTE(review): `current` is not referenced by any function visible on
 * this page; u2dump() keeps its own u2record instead. */
typedef struct _u2iterator
{
    FILE *file;
    char *filename;     /* strdup()'d copy of the path given to new_iterator() */
    u2record current;
} u2iterator;

/* Resync state shared between get_record() and packet_dump():
 *  s_pos - file offset just past the 8-byte header of the record most
 *          recently read (set by get_record()).
 *  s_off - when non-zero, the next get_record() call fseek()s to
 *          s_pos + s_off before reading instead of continuing from the
 *          current position.  packet_dump() sets it when a packet record
 *          carries more bytes than its declared packet_length. */
static long s_pos = 0, s_off = 0;

/* Expand a host-order IPv4 address into the four comma-separated octets a
 * "%u.%u.%u.%u" format expects.  `x` is not parenthesised, so pass only a
 * plain identifier or member access (every caller on this page does). */
#define TO_IP(x) x >> 24, (x >> 16) & 0xff, (x >> 8) & 0xff, x & 0xff

/* Open `filename` for binary reading and wrap it in a heap-allocated
 * u2iterator.  Diagnostics are printed to stdout, not stderr.
 * Returns NULL if the file cannot be opened or the struct cannot be
 * allocated; the caller releases the result with free_iterator().
 * NOTE(review): the strdup() result is not checked, so `filename` may be
 * NULL after a memory failure; free_iterator() tolerates that. */
static u2iterator *new_iterator(char *filename)
{
    FILE *f = fopen(filename, "rb");
    u2iterator *ret;

    if(!f)
    {
        printf("new_iterator: Failed to open file: %s\n\tErrno: %s\n",
               filename, strerror(errno));
        return NULL;
    }

    ret = (u2iterator*)malloc(sizeof(u2iterator));

    if(!ret)
    {
        printf("new_iterator: Failed to malloc %lu bytes.\n",
               (unsigned long)sizeof(u2iterator));
        fclose(f);
        return NULL;
    }

    ret->file = f;
    ret->filename = strdup(filename);   /* unchecked: may be NULL */
    return ret;
}

/* Close the file and release the iterator and its filename copy.
 * NOTE(review): `it` is dereferenced (it->file, it->filename) before the
 * `if(it)` guard, so the guard is ineffective and a NULL argument crashes
 * here.  The only caller on this page (u2dump) returns early on a NULL
 * iterator, so this is latent rather than reachable. */
static inline void free_iterator(u2iterator *it)
{
    if(it->file) fclose(it->file);
    if(it->filename) free(it->filename);
    if(it) free(it);
}

/* Read the next record from `it` into `record`.
 *
 * Reads the 8-byte (type, length) header, converts both fields to host
 * order, grows record->data with realloc() to `length` bytes and reads
 * the payload.  record->data is reused across calls; it is freed here
 * only when realloc() fails, otherwise the caller owns it.
 *
 * Returns SUCCESS, or FAILURE on: a NULL iterator/file, an EOF indicator
 * already set, a failed fseek() resync, a zero-byte or partial header
 * read, allocation failure, or a partial payload read.  One exception: a
 * short payload on a UNIFIED2_PACKET record is accepted (SUCCESS, with
 * the stream's EOF/error indicator cleared) as long as at least
 * packet_length bytes of it arrived, so a truncated trailing packet can
 * still be dumped.
 *
 * NOTE(review), untrusted input: record->length is taken straight from
 * the file and handed to realloc() with no upper bound, so a corrupt or
 * crafted file can request an allocation of up to ~4 GiB.  A record with
 * length 0 passes realloc(record->data, 0); on implementations that free
 * the old block and return NULL for that call, the free() below frees it
 * a second time - TODO confirm for the target libc.  After that free(),
 * record->data is left dangling rather than reset to NULL, and u2dump's
 * own `if(record.data) free(record.data)` then frees it again.  In the
 * short packet-read branch, packet_length is read from record->data
 * without checking that bytes_read (or record->length) covers a
 * Serial_Unified2Packet, so those bytes may be uninitialised or, when
 * record->length is smaller than the struct, lie past the allocation. */
static int get_record(u2iterator *it, u2record *record)
{
    uint32_t bytes_read;
    uint8_t *tmp;

    if(!it || !it->file) return FAILURE;

    /* check if the log was rotated */
    if(feof(it->file))
    {
        /* Get next timestamped file? */
        puts("Hit the EOF .. and this is not being handled yet.");
        return FAILURE;
    }

    /* A previous packet_dump() asked us to resume at s_pos + s_off,
     * skipping bytes logged beyond the packet's declared length. */
    if ( s_off )
    {
        if (fseek(it->file, s_pos+s_off, SEEK_SET))
        {
            puts("Unable to SEEK on current file .. and this is not being handled yet.");
            return FAILURE;
        }
        s_off = 0;
    }

    /* read type and length */
    bytes_read = fread(record, 1, sizeof(uint32_t) * 2, it->file);
    /* But they're in network order!  (Converted before bytes_read is
     * checked, so after a short read these hold byte-swapped garbage;
     * harmless, since every short-read path below returns FAILURE.) */
    record->type= ntohl(record->type);
    record->length= ntohl(record->length);
    //if(record->type == UNIFIED2_PACKET) record->length+=4;

    if(bytes_read == 0) /* EOF */
        return FAILURE;

    if(bytes_read != sizeof(uint32_t)*2)
    {
        puts("get_record: (1) Failed to read all of record.");
        printf("\tRead %u of %lu bytes\n", bytes_read, (unsigned long)sizeof(uint32_t)*2);
        return FAILURE;
    }

    /* Remember where this record's payload starts, for a later resync. */
    s_pos = ftell(it->file);

    /* record->length is unvalidated file data - see the note above. */
    tmp = (uint8_t *)realloc(record->data, record->length);

    if (!tmp)
    {
        puts("get_record: (2) Failed to allocate memory.");
        free(record->data);
        return FAILURE;
    }
    record->data = tmp;

    bytes_read = fread(record->data, 1, record->length, it->file);

    if(bytes_read != record->length)
    {
        puts("get_record: (3) Failed to read all of record data.");
        printf("\tRead %u of %u bytes\n", bytes_read, record->length);

        /* Only a truncated packet record whose declared packet_length is
         * still fully present is tolerated; anything else fails. */
        if ( record->type != UNIFIED2_PACKET ||
             bytes_read < ntohl(((Serial_Unified2Packet*)record->data)->packet_length)
        ) return FAILURE;

        /* The short read set the EOF indicator; clear it so the feof()
         * check at the top does not reject the next call. */
        clearerr(it->file);
    }

    return SUCCESS;
}

/* Print a UNIFIED2_EXTRA_DATA record: the Unified2ExtraDataHdr, the
 * SerialUnified2ExtraData header, then the blob formatted according to
 * event.type.  The body of this function continues on the next page line.
 * NOTE(review): both memcpy()s below read record->data without checking
 * that record->length covers sizeof(Unified2ExtraDataHdr) +
 * sizeof(SerialUnified2ExtraData), and `len` is derived from the file's
 * blob_length rather than bounded by record->length, so a short or
 * malformed record lets the later printf("%.*s", len, ...) calls read
 * past the payload buffer. */
static void extradata_dump(u2record *record)
{
    uint8_t *field, *data;
    int i;
    int len = 0;
    SerialUnified2ExtraData event;
    Unified2ExtraDataHdr eventHdr;
    uint32_t ip;
    char ip6buf[INET6_ADDRSTRLEN+1];
    struct in6_addr ipAddr;

    memcpy(&eventHdr, record->data, sizeof(Unified2ExtraDataHdr));
    memcpy(&event, record->data + sizeof(Unified2ExtraDataHdr) , sizeof(SerialUnified2ExtraData));

    /* network to host ordering */
    /* The header is treated as two consecutive 32-bit fields ... */
    field = (uint8_t*)&eventHdr;
    for(i=0; i<2; i++, field+=4) {
        *(uint32_t*)field = ntohl(*(uint32_t*)field);
    }

    /* ... and the extra-data header as six. */
    field = (uint8_t*)&event;
    for(i=0; i<6; i++, field+=4) {
        *(uint32_t*)field = ntohl(*(uint32_t*)field);
    }

    printf("\n(ExtraDataHdr)\n"
           "\tevent type: %u\tevent length: %u\n",
           eventHdr.event_type, eventHdr.event_length);

    printf("\n(ExtraData)\n"
           "\tsensor id: %u\tevent id: %u\tevent second: %u\n"
           "\ttype: %u\tdatatype: %u\tbloblength: %u\t",
           event.sensor_id, event.event_id, event.event_second,
           event.type, event.data_type, event.blob_length);

    /* Blob payload length: presumably blob_length counts the blob_length
     * and data_type fields themselves, so both are subtracted.  The
     * arithmetic is unsigned and then narrowed to int, so a blob_length
     * below 8 wraps to a negative `len`. */
    len = event.blob_length - sizeof(event.blob_length) -
sizeof(event.data_type); switch(event.type) { case EVENT_INFO_XFF_IPV4: memcpy(&ip, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(uint32_t)); ip = ntohl(ip); printf("Original Client IP: %u.%u.%u.%u\n", TO_IP(ip)); break; case EVENT_INFO_XFF_IPV6: memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); printf("Original Client IP: %s\n", ip6buf); break; case EVENT_INFO_GZIP_DATA: printf("GZIP Decompressed Data: %.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_JSNORM_DATA: printf("Normalized JavaScript Data: %.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_SMTP_FILENAME: printf("SMTP Attachment Filename: %.*s\n", len,record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_SMTP_MAILFROM: printf("SMTP MAIL FROM Addresses: %.*s\n", len,record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_SMTP_RCPTTO: printf("SMTP RCPT TO Addresses: %.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_SMTP_EMAIL_HDRS: printf("SMTP EMAIL HEADERS: \n%.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_HTTP_URI: printf("HTTP URI: %.*s\n", len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData)); break; case EVENT_INFO_HTTP_HOSTNAME: printf("HTTP Hostname: "); data = record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData); for(i=0; i < len; i++) { if(iscntrl(data[i])) printf("%c",'.'); else printf("%c",data[i]); } printf("\n"); break; case EVENT_INFO_IPV6_SRC: memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + 
sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); printf("IPv6 Source Address: %s\n", ip6buf); break; case EVENT_INFO_IPV6_DST: memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr)); inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN); printf("IPv6 Destination Address: %s\n", ip6buf); break; default : break; } } static void event_dump(u2record *record) { uint8_t *field; int i; Serial_Unified2IDSEvent_legacy event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEvent_legacy)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first 11 fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<11; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ /* done changing the network ordering */ printf("\n(Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" "\tpriority: %u\tip source: %u.%u.%u.%u\tip destination: %u.%u.%u.%u\n" "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, TO_IP(event.ip_source), TO_IP(event.ip_destination), event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked); } static void event6_dump(u2record *record) { uint8_t *field; int i; Serial_Unified2IDSEventIPv6_legacy event; char ip6buf[INET6_ADDRSTRLEN+1]; memcpy(&event, record->data, 
sizeof(Serial_Unified2IDSEventIPv6_legacy)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<9; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } field = field + 2*sizeof(struct in6_addr); /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ /* done changing the network ordering */ inet_ntop(AF_INET6, &event.ip_source, ip6buf, INET6_ADDRSTRLEN); printf("\n(IPv6 Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" "\tpriority: %u\tip source: %s\t", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, ip6buf); inet_ntop(AF_INET6, &event.ip_destination, ip6buf, INET6_ADDRSTRLEN); printf("ip destination: %s\n" "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n", ip6buf, event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked); } static void event2_dump(u2record *record) { uint8_t *field; int i; Serial_Unified2IDSEvent event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEvent)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first 11 fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<11; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; 
*(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ printf("\n(Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" "\tpriority: %u\tip source: %u.%u.%u.%u\tip destination: %u.%u.%u.%u\n" "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n" "\tmpls label: %u\tvland id: %u\tpolicy id: %u\n", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, TO_IP(event.ip_source), TO_IP(event.ip_destination), event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked, event.mpls_label, event.vlanId, event.pad2); } #if defined(FEAT_OPEN_APPID) static void event3_dump(u2record *record) { uint8_t *field; int i; Serial_Unified2IDSEvent event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEvent)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first 11 fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<11; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ printf("\n(Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" "\tsig id: %u\tgen id: %u\trevision: 
%u\t classification: %u\n" "\tpriority: %u\tip source: %u.%u.%u.%u\tip destination: %u.%u.%u.%u\n" "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n" "\tmpls label: %u\tvland id: %u\tpolicy id: %u\tappid: %s\n", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, TO_IP(event.ip_source), TO_IP(event.ip_destination), event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked, event.mpls_label, event.vlanId, event.pad2, event.app_name); } #endif /* defined(FEAT_OPEN_APPID) */ static void event2_6_dump(u2record *record) { uint8_t *field; int i; char ip6buf[INET6_ADDRSTRLEN+1]; Serial_Unified2IDSEventIPv6 event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEventIPv6)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<9; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } field = field + 2*sizeof(struct in6_addr); /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ inet_ntop(AF_INET6, &event.ip_source, ip6buf, INET6_ADDRSTRLEN); printf("\n(IPv6 Event)\n" "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n" "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n" "\tpriority: %u\tip source: %s\t", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, 
event.generator_id, event.signature_revision, event.classification_id,
event.priority_id, ip6buf);
inet_ntop(AF_INET6, &event.ip_destination, ip6buf, INET6_ADDRSTRLEN);
printf("ip destination: %s\n"
       "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n"
       "\tmpls label: %u\tvland id: %u\tpolicy id: %u\n",
       ip6buf, event.sport_itype, event.dport_icode, event.protocol,
       event.impact_flag, event.blocked, event.mpls_label, event.vlanId, event.pad2);
}

#if defined(FEAT_OPEN_APPID)
/*
 * event3_6_dump - print one UNIFIED2_IDS_EVENT_APPID_IPV6 record as text.
 *
 * The record payload is copied into a Serial_Unified2IDSEventIPv6, every
 * multi-byte field is converted from network to host order in place, and
 * the fields are printed with both addresses rendered by inet_ntop().
 *
 * Arguments: record - the unified2 record whose data holds the event
 * Outputs:   writes to stdout
 *
 * NOTE(review): the memcpy() below always copies
 * sizeof(Serial_Unified2IDSEventIPv6) bytes. Whether record->length is
 * checked against that size before dispatch is not visible here
 * (get_record is defined elsewhere) -- confirm, since a truncated record
 * read from the log file would otherwise be read past its end.
 * app_name is printed with %s, so it is also assumed to be NUL-terminated
 * inside the structure -- confirm against the Unified2 definition.
 */
static void event3_6_dump(u2record *record)
{
    uint8_t *field;
    int i;
    char ip6buf[INET6_ADDRSTRLEN+1];
    Serial_Unified2IDSEventIPv6 event;

    memcpy(&event, record->data, sizeof(Serial_Unified2IDSEventIPv6));

    /* network to host ordering */
    /* In the event structure, only the last 40 bits are not 32 bit fields */
    /* The first fields need to be convertted */
    /* The swapping walks the struct with a raw byte pointer and fixed
     * offsets, so it assumes a packed layout with no padding -- presumably
     * guaranteed by the Unified2 header definition; confirm if it changes. */
    field = (uint8_t*)&event;
    for(i=0; i<9; i++, field+=4)
    {
        *(uint32_t*)field = ntohl(*(uint32_t*)field);
    }
    /* skip the two IPv6 addresses: byte arrays, nothing to swap */
    field = field + 2*sizeof(struct in6_addr);
    /* last 3 fields, with the exception of the last most since it's just one byte */
    *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */
    field += 2;
    *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */
    field +=6;
    *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */
    field += 4;
    /* policy_id and vlanid */
    for(i=0; i<2; i++, field+=2)
    {
        *(uint16_t*)field = ntohs(*(uint16_t*)field);
    }
    /* done changing the network ordering */

    inet_ntop(AF_INET6, &event.ip_source, ip6buf, INET6_ADDRSTRLEN);
    printf("\n(IPv6 Event)\n"
           "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n"
           "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n"
           "\tpriority: %u\tip source: %s\t",
           event.sensor_id, event.event_id, event.event_second, event.event_microsecond,
           event.signature_id, event.generator_id, event.signature_revision,
           event.classification_id, event.priority_id, ip6buf);
    inet_ntop(AF_INET6, &event.ip_destination, ip6buf, INET6_ADDRSTRLEN);
    printf("ip destination: %s\n"
           "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n"
           "\tmpls label: %u\tvland id: %u\tpolicy id: %u\tappid: %s\n",
           ip6buf, event.sport_itype, event.dport_icode, event.protocol,
           event.impact_flag, event.blocked, event.mpls_label, event.vlanId, event.pad2,
           event.app_name);
}

/*
 * appid_dump - print a UNIFIED2_IDS_EVENT_APPSTAT record (event second and
 * per-application counters).
 *
 * NOTE(review): this rendering of the page lost everything between the
 * "for(i=0; i<" of appid_dump's loop and "record->length - offset" in the
 * next function (the '<' was treated as markup). The rest of appid_dump,
 * the #endif closing FEAT_OPEN_APPID, and the head of the packet-dump
 * function (presumably packet_dump, as dispatched from u2dump below --
 * its signature and the declarations of field, counter, offset, reclen and
 * s_off) are therefore missing. The surviving tokens are kept as they
 * appear.
 */
static void appid_dump(u2record *record)
{
    uint8_t *field = (uint8_t*)record->data;
    unsigned i;
    unsigned appCnt;
    unsigned statTime;

    /* network to host ordering */
    /* In the event structure, only the last 40 bits are not 32 bit fields */
    /* The first fields need to be convertted */
    statTime = ntohl(*(uint32_t*)field);
    field += 4;
    appCnt = ntohl(*(uint32_t*)field);
    field += 4;

    printf("\n(AppId Stats)\n"
           " event second: %u\tRecordCount: %u\n",
           statTime, appCnt);
    for(i=0; ilength - offset;
    Serial_Unified2Packet packet;

    memcpy(&packet, record->data, sizeof(Serial_Unified2Packet));

    /* network to host ordering */
    /* The first 7 fields need to be convertted */
    field = (uint8_t*)&packet;
    for(counter=0; counter<7; counter++, field+=4)
    {
        *(uint32_t*)field = ntohl(*(uint32_t*)field);
    }
    /* done changing from network ordering */

    printf("\nPacket\n"
           "\tsensor id: %u\tevent id: %u\tevent second: %u\n"
           "\tpacket second: %u\tpacket microsecond: %u\n"
           "\tlinktype: %u\tpacket_length: %u\n",
           packet.sensor_id, packet.event_id, packet.event_second,
           packet.packet_second, packet.packet_microsecond,
           packet.linktype, packet.packet_length);

    /* nothing beyond the fixed header: no packet bytes to print */
    if ( record->length <= offset )
        return;

    /* packet_length comes from the log file and is not trusted: when it
     * claims more than the record holds, only the bytes present are
     * printed; when it claims less, reclen is shrunk to it. Assuming reclen
     * was initialised to record->length - offset (as the surviving fragment
     * above suggests), LogBuffer() never reads past record->length. */
    if ( packet.packet_length != reclen )
    {
        printf("ERROR: logged %u but packet_length = %u\n",
               record->length-offset, packet.packet_length);

        if ( packet.packet_length < reclen )
        {
            reclen = packet.packet_length;
            s_off = reclen + offset;
        }
    }
    LogBuffer(record->data+offset, reclen);
}

/*
 * u2dump - walk every record of a unified2 file and print it.
 *
 * Arguments: file - path of the unified2 log to read
 * Returns:   0 once the file has been walked, -1 if no iterator could be
 *            created for it
 *
 * Records whose type is not listed in the dispatch chain are skipped
 * silently. record.data is freed once, after the loop; get_record() and the
 * ownership of record.data are defined elsewhere in this file -- presumably
 * it (re)allocates the buffer per record, confirm before changing the
 * cleanup.
 */
static int u2dump(char *file)
{
    u2record record;
    u2iterator *it = new_iterator(file);

    memset(&record, 0, sizeof(record));

    if(!it)
    {
        printf("u2dump: Failed to create new iterator with file: %s\n", file);
        return -1;
    }

    while( get_record(it, &record) == SUCCESS )
    {
        if(record.type == UNIFIED2_IDS_EVENT) event_dump(&record);
        else if(record.type == UNIFIED2_IDS_EVENT_VLAN) event2_dump(&record);
        else if(record.type == UNIFIED2_PACKET) packet_dump(&record);
        else if(record.type == UNIFIED2_IDS_EVENT_IPV6) event6_dump(&record);
        else if(record.type == UNIFIED2_IDS_EVENT_IPV6_VLAN) event2_6_dump(&record);
        else if(record.type == UNIFIED2_EXTRA_DATA) extradata_dump(&record);
#if defined(FEAT_OPEN_APPID)
        else if(record.type == UNIFIED2_IDS_EVENT_APPID) event3_dump(&record);
        else if(record.type == UNIFIED2_IDS_EVENT_APPID_IPV6) event3_6_dump(&record);
        else if(record.type == UNIFIED2_IDS_EVENT_APPSTAT) appid_dump(&record);
#endif /* defined(FEAT_OPEN_APPID) */
    }

    free_iterator(it);
    if(record.data) free(record.data);

    return 0;
}

/*
 * Entry point: expects exactly one argument, the unified2 file to dump.
 * Returns 1 on a usage error, otherwise the result of u2dump().
 * (The argument placeholder of the usage string is missing in this
 * rendering of the page.)
 */
int main(int argc, char **argv)
{
    if(argc != 2)
    {
        puts("usage: u2eventdump ");
        return 1;
    }

    return u2dump(argv[1]);
}
snort-2.9.7.0/tools/u2spewfoo/Makefile.am0000644000000000000000000000027711607650044015061 00000000000000AUTOMAKE_OPTIONS=foreign bin_PROGRAMS = u2spewfoo u2spewfoo_SOURCES = u2spewfoo.c u2spewfoo_CFLAGS = @CFLAGS@ $(AM_CFLAGS) EXTRA_DIST = \ u2spewfoo.dsp INCLUDES = @INCLUDES@ @extra_incl@ snort-2.9.7.0/tools/control/0000755000000000000000000000000012416771510012627 500000000000000snort-2.9.7.0/tools/control/snort_dump_packets.c0000644000000000000000000002337112345604073016625 00000000000000/* ** $Id$ ** ** snort_dump_packets.c ** ** Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. ** Copyright (C) 2002-2013 Sourcefire, Inc. ** Author(s): Ron Dempster ** ** NOTES ** 3.4.14 - Initial Source Code. Dempster ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
**
*/

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

/* NOTE(review): the system header names were lost in this rendering of the
 * page (angle-bracket includes were treated as markup); the bare #include
 * tokens are kept as they appear. */
#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "sfcontrol.h"

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Request frame: the common control-channel header followed by a
 * variable-length payload (msg[0] is the GNU zero-length array idiom;
 * main() allocates sizeof *message + extra_len for it). */
struct _CS_MESSAGE
{
    CSMessageHeader hdr;
    uint8_t msg[0];
} __attribute__((packed));
typedef struct _CS_MESSAGE CSMessage;

/* Response frame: header, data header, then at most 4096 payload bytes.
 * main() rejects any response whose hdr.length exceeds sizeof(msg). */
struct _CS_RESPONSE_MESSAGE
{
    CSMessageHeader hdr;
    CSMessageDataHeader msg_hdr;
    uint8_t msg[4096];
} __attribute__((packed));
typedef struct _CS_RESPONSE_MESSAGE CSResponseMessage;

/* Print the command-line synopsis to stderr. (The positional-argument
 * placeholders are missing in this rendering of the page.) */
static void DisplayUsage(const char *progname)
{
    fprintf(stderr, "Usage %s [-a daq address space id (0-65535)] [ []]\n", progname);
}

/*
 * SendMessage - write the header plus len payload bytes of msg to the socket.
 *
 * Loops until every byte is written, retrying on EINTR/EAGAIN (the socket
 * is blocking, see ConnectToUnixSocket(), so EAGAIN is not expected).
 * Returns 1 on success, 0 if write() reported 0 bytes, -1 on any other
 * error with errno left set.
 *
 * (*(uint8_t **)&msg) reinterprets the pointer variable itself so the
 * struct can be walked byte-wise; it also discards the const.
 * No SIGPIPE handling is visible in this file, so writing to a socket the
 * server has already closed ends the process under the default signal
 * disposition instead of reaching the -1 path.
 */
static int SendMessage(int socket_fd, const CSMessage *msg, uint32_t len)
{
    ssize_t numsent;
    unsigned total_len = sizeof(*msg) + len;
    unsigned total = 0;

    do
    {
        numsent = write(socket_fd, (*(uint8_t **)&msg) + total, total_len - total);
        if (!numsent)
            return 0;
        else if (numsent > 0)
            total += numsent;
        else if (errno != EINTR && errno != EAGAIN)
            return -1;
    } while (total < total_len);

    return 1;
}

/*
 * ReadData - read exactly length bytes into buffer.
 *
 * Returns 1 when all bytes arrived, 0 on EOF before that, -1 on a read
 * error other than EINTR/EAGAIN. A zero-length request is reported as EOF
 * (read() returns 0); main() only calls this with hdr.length > 0.
 * The `total < length` test after the loop can never be true -- the loop
 * only ends once total >= length or through a return -- so it is dead code.
 */
static int ReadData(int socket_fd, uint8_t *buffer, uint32_t length)
{
    ssize_t numread;
    unsigned total = 0;

    do
    {
        numread = read(socket_fd, buffer + total, length - total);
        if (!numread)
            return 0;
        else if (numread > 0)
            total += numread;
        else if (errno != EINTR && errno != EAGAIN)
            return -1;
    } while (total < length);

    if (total < length)
        return 0;

    return 1;
}

/*
 * ReadResponse - read one CSMessageHeader and convert its fields to host
 * byte order.
 *
 * Same return convention as ReadData(): 1 on success, 0 on EOF, -1 on
 * error. The bytes are read straight into *hdr, so the fields are only
 * meaningful to the caller when 1 is returned.
 */
static int ReadResponse(int socket_fd, CSMessageHeader *hdr)
{
    ssize_t numread;
    unsigned total = 0;

    do
    {
        numread = read(socket_fd, (*(uint8_t **)&hdr) + total, sizeof(*hdr) - total);
        if (!numread)
            return 0;
        else if (numread > 0)
            total += numread;
        else if (errno != EINTR && errno != EAGAIN)
            return -1;
    } while (total < sizeof(*hdr));

    if (total < sizeof(*hdr))
        return 0;

    hdr->length = ntohl(hdr->length);
    hdr->version = ntohs(hdr->version);
    hdr->type = ntohs(hdr->type);
    return 1;
}

/*
 * ConnectToUnixSocket - open a blocking stream socket and connect it to the
 * AF_UNIX path name, storing the descriptor in *psock.
 *
 * The path is copied with snprintf() and rejected when it would not fit in
 * sun_path, so the address is never truncated silently. Every failure
 * prints a diagnostic to stderr and exits the process with status -1.
 */
static void ConnectToUnixSocket(const char * const name, int * const psock)
{
    struct sockaddr_un sunaddr;
    int sock = -1;
    int rval;

    memset(&sunaddr, 0, sizeof(sunaddr));
    rval = snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path), "%s", name);
    if (rval < 0 || (size_t)rval >= sizeof(sunaddr.sun_path))
    {
        fprintf(stderr, "Socket name '%s' is too long\n", name);
        exit(-1);
    }
    sunaddr.sun_family = AF_UNIX;

    /* open the socket */
    if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
    {
        fprintf(stderr, "Error opening socket: %s\n", strerror(errno));
        exit(-1);
    }

    if (connect(sock, (struct sockaddr *) &sunaddr, sizeof(sunaddr)) == -1)
    {
        fprintf(stderr, "Unable to connect to UNIX socket at %s: %s\n", name, strerror(errno));
        close(sock);
        exit(-1);
    }

    *psock = sock;
}

/*
 * Entry point.
 *
 *   [-a <id>] <log path> [<file name> [<bpf>]]
 *
 * -a is parsed with strtoul() base 0 (decimal, 0x.. or 0.. forms) and must
 * be <= UINT16_MAX. <log path> is the directory in which CONTROL_FILE
 * lives; a '/' is inserted unless the argument already ends with one.
 * With a <file name> the request payload is: address_space_id (2 bytes),
 * the NUL-terminated file name, then the NUL-terminated bpf (a lone NUL
 * when none was given). Without a file name the payload is empty
 * (hdr.length 0).
 *
 * The program then reads response frames until one arrives whose type is
 * not CS_HEADER_DATA, printing each. Every error path exits with -1.
 *
 * NOTE(review): address_space_id is copied into the payload in host byte
 * order, while the header fields go through htons()/htonl() -- confirm
 * against the server side (sfcontrol.c) that this is the intended wire
 * format.
 * NOTE(review): truncation of snprintf() into socket_fn is not checked;
 * any truncated path is still longer than sun_path and is rejected by
 * ConnectToUnixSocket(), provided PATH_MAX is not smaller than sun_path on
 * the target platform.
 */
int main(int argc, char *argv[])
{
    int rval;
    char socket_fn[PATH_MAX];
    int socket_fd;
    int current_arg;
    uint16_t address_space_id = 0;
    unsigned address_space_id_len = 0;
    char *p;
    ssize_t len;
    const char *sep;
    const char* dump_file_name = NULL;
    unsigned dump_file_name_len = 0;
    const char* bpf = NULL;
    unsigned bpf_len = 0;
    CSMessage *message;
    uint32_t extra_len;
    CSResponseMessage response; /* not initialised; see the note before the %s print below */

    if (argc < 2)
    {
        DisplayUsage(argv[0]);
        exit(-1);
    }

    current_arg = 1;
    if (strcmp(argv[current_arg], "-a") == 0)
    {
        unsigned long tmp;

        current_arg++;
        if (current_arg >= argc)
        {
            DisplayUsage(argv[0]);
            exit(-1);
        }
        tmp = strtoul(argv[current_arg], &p, 0);
        /* reject trailing garbage and values that do not fit in 16 bits */
        if (*p || tmp > UINT16_MAX)
        {
            DisplayUsage(argv[0]);
            exit(-1);
        }
        address_space_id = (uint16_t)tmp;
        current_arg++;
    }

    if (current_arg >= argc)
    {
        DisplayUsage(argv[0]);
        exit(-1);
    }

    len = strlen(argv[current_arg]);
    if (len && argv[current_arg][len - 1] == '/')
        sep = "";
    else
        sep = "/";
    snprintf(socket_fn, sizeof(socket_fn), "%s%s%s", argv[current_arg], sep, CONTROL_FILE);
    current_arg++;

    if (current_arg < argc)
    {
        /* the id is only sent together with a file name */
        address_space_id_len = sizeof(address_space_id);
        dump_file_name = argv[current_arg];
        dump_file_name_len = strlen(dump_file_name) + 1;
        current_arg++;
        if (current_arg < argc)
        {
            bpf = argv[current_arg];
            bpf_len = strlen(bpf) + 1;
        }
        else
            bpf_len = 1;
    }
    extra_len = address_space_id_len + dump_file_name_len + bpf_len;

    ConnectToUnixSocket(socket_fn, &socket_fd);

    message = malloc(sizeof *message + extra_len);
    if (message == NULL)
    {
        fprintf(stderr, "snort_control: could not allocate message.\n");
        exit(-1);
    }

    message->hdr.version = htons(CS_HEADER_VERSION);
    message->hdr.type = htons((uint16_t)CS_TYPE_DUMP_PACKETS);
    message->hdr.length = 0;
    if (address_space_id_len)
    {
        uint8_t* msg = message->msg;

        message->hdr.length = htonl(extra_len);
        *((uint16_t*)msg) = address_space_id;
        msg += sizeof(address_space_id);
        /* snprintf() with the exact length already NUL-terminates; the
         * explicit stores below are belt and braces */
        snprintf((char*)msg, dump_file_name_len, "%s", dump_file_name);
        msg[dump_file_name_len - 1] = 0;
        msg += dump_file_name_len;
        if (bpf_len > 1)
        {
            snprintf((char*)msg, bpf_len, "%s", bpf);
            msg[bpf_len - 1] = 0;
        }
        else
            *msg = 0;
    }

    if ((rval = SendMessage(socket_fd, message, extra_len)) < 0)
    {
        fprintf(stderr, "Failed to send the message: %s\n", strerror(errno));
        close(socket_fd);
        exit(-1);
    }
    else if (!rval)
    {
        fprintf(stderr, "Server closed the socket\n");
        close(socket_fd);
        exit(-1);
    }
    free(message);

    do
    {
        /* Read response frames into `response` until the server sends a
         * frame whose type is not CS_HEADER_DATA. */
        if ((rval = ReadResponse(socket_fd, &response.hdr)) < 0)
        {
            fprintf(stderr, "Failed to read the response: %s\n", strerror(errno));
            close(socket_fd);
            exit(-1);
        }
        else if (!rval)
        {
            fprintf(stderr, "Server closed the socket before sending a response\n");
            close(socket_fd);
            exit(-1);
        }

        if (response.hdr.version != CS_HEADER_VERSION)
        {
            printf("snort_control: bad response version\n");
            close(socket_fd);
            exit(-1);
        }

        if (response.hdr.length)
        {
            /* hdr.length covers msg_hdr plus the payload; bound it by the
             * data-header size below and by the 4096-byte msg buffer above
             * before reading it straight into the struct */
            if (response.hdr.length < sizeof(response.msg_hdr))
            {
                printf("snort_control: response message is too small\n");
                close(socket_fd);
                exit(-1);
            }
            if (response.hdr.length > sizeof(response.msg))
            {
                printf("snort_control: response message is too large\n");
                close(socket_fd);
                exit(-1);
            }
            if ((rval = ReadData(socket_fd, (uint8_t *)(&response)+sizeof(response.hdr), response.hdr.length)) < 0)
            {
                fprintf(stderr, "Failed to read the response data: %s\n", strerror(errno));
                close(socket_fd);
                exit(-1);
            }
            else if (!rval)
            {
                fprintf(stderr, "Server closed the socket before sending the response data\n");
                close(socket_fd);
                exit(-1);
            }
            response.msg_hdr.code = ntohl(response.msg_hdr.code);
            response.msg_hdr.length = ntohs(response.msg_hdr.length);
            /* the payload text is printed only when the data header's length
             * agrees with the frame length; its last byte is overwritten with
             * NUL so %s cannot run past the received data */
            if (response.msg_hdr.length == response.hdr.length - sizeof(response.msg_hdr))
            {
                /* NOTE(review): when hdr.length == sizeof(msg_hdr) the
                 * server-supplied msg_hdr.length is 0 and this store goes to
                 * msg[-1] (the byte before the buffer, inside the packed
                 * struct), leaving msg[] unterminated; the %s below then
                 * prints whatever uninitialised or stale bytes msg[] holds.
                 * A zero length needs its own case, e.g. terminate at msg[0]
                 * (or skip the text) instead of msg[length-1]. */
                response.msg[response.msg_hdr.length-1] = 0;
                fprintf(stdout, "Response %04X with code %d (%s)\n", response.hdr.type, response.msg_hdr.code, response.msg);
            }
            else
                fprintf(stdout, "Response %04X with code %d\n", response.hdr.type, response.msg_hdr.code);
        }
        else
        {
            printf("Response %04X\n", response.hdr.type);
        }
    } while (response.hdr.type == CS_HEADER_DATA);

    return 0;
}
snort-2.9.7.0/tools/control/README.snort_dump_packets_control0000644000000000000000000000274312345604073021100 00000000000000snort_dump_packets_control - Tool to connect to the snort control channel and issue a packet dump command -------------------------------------------- About ----- The current version of Snort can be configured to provide a Unix socket that can be used to issue commands to the running process. One command causes packets that match a given BPF to be dumped to pcap file of a given name. The file that is generated has "." appended to it, where "n" is the value of the "-G" option or "0", if not specified. To stop the packet dump, issues the command without a file name or BPF.
Installation ------------ snort_dump_packets_control is made and installed along with snort in the same bin directory when configured with the --enable-control-socket option. The control socket functionality is supported on Linux only. Usage ----- $ snort_dump_packets_control [-a daq address space id (0-65535)] [ []] "-a " specifies the address space ID that is presented with the packets by the DAQ "log path" specifies the directory passed to snort with the -l option "file name" is the name of the pcap file, including the path, to generate "bpf" is the BPF that packets must match to be written to the file Examples: The following would generate a /var/tmp/dump.pcap.0 pcap file with HTTP packets: snort_dump_packets_control -a 3 /var/tmp/dump.pcap "tcp and port 80" The following would terminate the dump: snort_dump_packets_control snort-2.9.7.0/tools/control/README.snort_control0000644000000000000000000000124411652017025016327 00000000000000snort_control - Tool to connect to the snort control channel and issue a command -------------------------------------------- About ----- The current version of Snort can be configured to provide a Unix socket that can be used to issue commands to the running process. Installation ------------ snort_control is made and installed along with snort in the same bin directory when configured with the --enable-control-socket option. The control socket functionality is supported on Linux only. Usage ----- $ snort_control "log path" specifies the directory passed to snort with the -l option "command" is an unsigned 32-bit command value snort-2.9.7.0/tools/control/Makefile.in0000644000000000000000000006602712416771463014626 00000000000000# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. 
# This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) 
-c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ bin_PROGRAMS = snort_control$(EXEEXT) \ snort_dump_packets_control$(EXEEXT) subdir = tools/control DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp $(dist_doc_DATA) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(docdir)" PROGRAMS = $(bin_PROGRAMS) am_snort_control_OBJECTS = snort_control-sfcontrol.$(OBJEXT) snort_control_OBJECTS = $(am_snort_control_OBJECTS) snort_control_LDADD = $(LDADD) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = snort_control_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(snort_control_CFLAGS) \ $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ am_snort_dump_packets_control_OBJECTS = \ snort_dump_packets_control-snort_dump_packets.$(OBJEXT) snort_dump_packets_control_OBJECTS = \ $(am_snort_dump_packets_control_OBJECTS) snort_dump_packets_control_LDADD = $(LDADD) snort_dump_packets_control_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(snort_dump_packets_control_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ 
am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(snort_control_SOURCES) \ $(snort_dump_packets_control_SOURCES) DIST_SOURCES = $(snort_control_SOURCES) \ $(snort_dump_packets_control_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed 
'$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__uninstall_files_from_dir = { \ test -z "$$files" \ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } DATA = $(dist_doc_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ @extra_incl@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = 
@LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LUA_CFLAGS = @LUA_CFLAGS@ LUA_LIBS = @LUA_LIBS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = ${datadir}/doc/${PACKAGE} dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ 
luajit_CFLAGS = @luajit_CFLAGS@ luajit_LIBS = @luajit_LIBS@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign snort_control_SOURCES = sfcontrol.c snort_control_CFLAGS = @CFLAGS@ $(AM_CFLAGS) snort_dump_packets_control_SOURCES = snort_dump_packets.c snort_dump_packets_control_CFLAGS = @CFLAGS@ $(AM_CFLAGS) dist_doc_DATA = README.snort_control README.snort_dump_packets_control all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/control/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tools/control/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ || test -f $$p1 \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ } \ ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; test -n 
"$(bindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list snort_control$(EXEEXT): $(snort_control_OBJECTS) $(snort_control_DEPENDENCIES) $(EXTRA_snort_control_DEPENDENCIES) @rm -f snort_control$(EXEEXT) $(AM_V_CCLD)$(snort_control_LINK) $(snort_control_OBJECTS) $(snort_control_LDADD) $(LIBS) snort_dump_packets_control$(EXEEXT): $(snort_dump_packets_control_OBJECTS) $(snort_dump_packets_control_DEPENDENCIES) $(EXTRA_snort_dump_packets_control_DEPENDENCIES) @rm -f snort_dump_packets_control$(EXEEXT) $(AM_V_CCLD)$(snort_dump_packets_control_LINK) $(snort_dump_packets_control_OBJECTS) $(snort_dump_packets_control_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/snort_control-sfcontrol.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/snort_dump_packets_control-snort_dump_packets.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po 
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< snort_control-sfcontrol.o: sfcontrol.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_control_CFLAGS) $(CFLAGS) -MT snort_control-sfcontrol.o -MD -MP -MF $(DEPDIR)/snort_control-sfcontrol.Tpo -c -o snort_control-sfcontrol.o `test -f 'sfcontrol.c' || echo '$(srcdir)/'`sfcontrol.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/snort_control-sfcontrol.Tpo $(DEPDIR)/snort_control-sfcontrol.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sfcontrol.c' object='snort_control-sfcontrol.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_control_CFLAGS) $(CFLAGS) -c -o snort_control-sfcontrol.o `test -f 'sfcontrol.c' || echo '$(srcdir)/'`sfcontrol.c snort_control-sfcontrol.obj: sfcontrol.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_control_CFLAGS) $(CFLAGS) -MT snort_control-sfcontrol.obj -MD -MP -MF $(DEPDIR)/snort_control-sfcontrol.Tpo -c -o snort_control-sfcontrol.obj `if test -f 'sfcontrol.c'; then $(CYGPATH_W) 'sfcontrol.c'; else $(CYGPATH_W) 
'$(srcdir)/sfcontrol.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/snort_control-sfcontrol.Tpo $(DEPDIR)/snort_control-sfcontrol.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sfcontrol.c' object='snort_control-sfcontrol.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_control_CFLAGS) $(CFLAGS) -c -o snort_control-sfcontrol.obj `if test -f 'sfcontrol.c'; then $(CYGPATH_W) 'sfcontrol.c'; else $(CYGPATH_W) '$(srcdir)/sfcontrol.c'; fi` snort_dump_packets_control-snort_dump_packets.o: snort_dump_packets.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_dump_packets_control_CFLAGS) $(CFLAGS) -MT snort_dump_packets_control-snort_dump_packets.o -MD -MP -MF $(DEPDIR)/snort_dump_packets_control-snort_dump_packets.Tpo -c -o snort_dump_packets_control-snort_dump_packets.o `test -f 'snort_dump_packets.c' || echo '$(srcdir)/'`snort_dump_packets.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/snort_dump_packets_control-snort_dump_packets.Tpo $(DEPDIR)/snort_dump_packets_control-snort_dump_packets.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='snort_dump_packets.c' object='snort_dump_packets_control-snort_dump_packets.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_dump_packets_control_CFLAGS) $(CFLAGS) -c -o snort_dump_packets_control-snort_dump_packets.o `test -f 'snort_dump_packets.c' || echo '$(srcdir)/'`snort_dump_packets.c snort_dump_packets_control-snort_dump_packets.obj: snort_dump_packets.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(snort_dump_packets_control_CFLAGS) $(CFLAGS) -MT snort_dump_packets_control-snort_dump_packets.obj -MD -MP -MF $(DEPDIR)/snort_dump_packets_control-snort_dump_packets.Tpo -c -o snort_dump_packets_control-snort_dump_packets.obj `if test -f 'snort_dump_packets.c'; then $(CYGPATH_W) 'snort_dump_packets.c'; else $(CYGPATH_W) '$(srcdir)/snort_dump_packets.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/snort_dump_packets_control-snort_dump_packets.Tpo $(DEPDIR)/snort_dump_packets_control-snort_dump_packets.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='snort_dump_packets.c' object='snort_dump_packets_control-snort_dump_packets.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(snort_dump_packets_control_CFLAGS) $(CFLAGS) -c -o snort_dump_packets_control-snort_dump_packets.obj `if test -f 'snort_dump_packets.c'; then $(CYGPATH_W) 'snort_dump_packets.c'; else $(CYGPATH_W) '$(srcdir)/snort_dump_packets.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs install-dist_docDATA: $(dist_doc_DATA) @$(NORMAL_INSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \ fi; \ for p in $$list; do \ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; \ done | $(am__base_list) | \ while read files; do \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ done uninstall-dist_docDATA: @$(NORMAL_UNINSTALL) @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir) ID: $(am__tagged_files) 
$(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) $(DATA) installdirs: for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(docdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
# Aggregate and cleanup targets. The unsuffixed names (clean, distclean,
# dvi, html, ...) are the public entry points; each chains to its *-am
# counterpart, which carries the real prerequisites and recipes.
clean: clean-am

clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am

# The leading '-' tells make to ignore a non-zero exit status from rm
# (e.g. when the dependency directory or Makefile is already gone).
distclean: distclean-am
	-rm -rf ./$(DEPDIR)
	-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
	distclean-tags

dvi: dvi-am

dvi-am:

html: html-am

html-am:

info: info-am

info-am:

install-data-am: install-dist_docDATA

install-dvi: install-dvi-am

install-dvi-am:

install-exec-am: install-binPROGRAMS

install-html: install-html-am

install-html-am:

install-info: install-info-am

install-info-am:

install-man:

install-pdf: install-pdf-am

install-pdf-am:

install-ps: install-ps-am

install-ps-am:

installcheck-am:

# Same two removals as distclean; the difference is only in the -am
# prerequisite chain (maintainer-clean-generic is added on top of distclean-am).
maintainer-clean: maintainer-clean-am
	-rm -rf ./$(DEPDIR)
	-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic

mostlyclean: mostlyclean-am

mostlyclean-am: mostlyclean-compile mostlyclean-generic \
	mostlyclean-libtool

pdf: pdf-am

pdf-am:

ps: ps-am

ps-am:

uninstall-am: uninstall-binPROGRAMS uninstall-dist_docDATA

# Targets whose recipes invoke $(MAKE) recursively (install-am and
# install-strip, defined earlier in this file).
.MAKE: install-am install-strip

# None of these names denotes a file; they are always considered out of date.
# NOTE(review): distclean-libtool is listed here but no rule for it is visible
# in this part of the file -- presumably emitted elsewhere by automake; verify.
.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
	clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \
	ctags ctags-am distclean distclean-compile distclean-generic \
	distclean-libtool distclean-tags distdir dvi dvi-am html \
	html-am info info-am install install-am install-binPROGRAMS \
	install-data install-data-am install-dist_docDATA install-dvi \
	install-dvi-am install-exec install-exec-am install-html \
	install-html-am install-info install-info-am install-man \
	install-pdf install-pdf-am install-ps install-ps-am \
	install-strip installcheck installcheck-am installdirs \
	maintainer-clean maintainer-clean-generic mostlyclean \
	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
	uninstall-binPROGRAMS uninstall-dist_docDATA


# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT: snort-2.9.7.0/tools/control/sfcontrol.c0000644000000000000000000002447512345604073014740 00000000000000/* ** $Id$ ** ** sfcontrol.c ** ** Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved. ** Copyright (C) 2002-2013 Sourcefire, Inc. ** Author(s): Ron Dempster ** ** NOTES ** 5.5.11 - Initial Source Code. Dempster ** ** This program is free software; you can redistribute it and/or modify ** it under the terms of the GNU General Public License Version 2 as ** published by the Free Software Foundation. You may not use, modify or ** distribute this program under any other version of the GNU General ** Public License. ** ** This program is distributed in the hope that it will be useful, ** but WITHOUT ANY WARRANTY; without even the implied warranty of ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ** GNU General Public License for more details. ** ** You should have received a copy of the GNU General Public License ** along with this program; if not, write to the Free Software ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
** */ #ifdef HAVE_CONFIG_H #include "config.h" #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "sfcontrol.h" #ifndef PATH_MAX #define PATH_MAX 4096 #endif typedef enum { PRINT_MODE_FAST, PRINT_MODE_DETAIL }PrintMode; #define PRINT_MODE_FAST_KEYWORD "-text" struct _CS_MESSAGE { CSMessageHeader hdr; CSMessageDataHeader msg_hdr; uint8_t msg[4096]; } __attribute__((packed)); typedef struct _CS_MESSAGE CSMessage; static void DumpHex(FILE *fp, const uint8_t *data, unsigned len) { char str[18]; unsigned i; unsigned pos; char c; for (i=0, pos=0; i [-text]" "[\"sub command string\"]\n",progname); } static int SendMessage(int socket_fd, const CSMessage *msg, uint32_t len) { ssize_t numsent; unsigned total_len = sizeof(*msg) + len; unsigned total = 0; do { numsent = write(socket_fd, (*(uint8_t **)&msg) + total, total_len - total); if (!numsent) return 0; else if (numsent > 0) total += numsent; else if (errno != EINTR && errno != EAGAIN) return -1; } while (total < total_len); return 1; } static int ReadData(int socket_fd, uint8_t *buffer, uint32_t length) { ssize_t numread; unsigned total = 0; do { numread = read(socket_fd, buffer + total, length - total); if (!numread) return 0; else if (numread > 0) total += numread; else if (errno != EINTR && errno != EAGAIN) return -1; } while (total < length); if (total < length) return 0; return 1; } static int ReadResponse(int socket_fd, CSMessageHeader *hdr) { ssize_t numread; unsigned total = 0; do { numread = read(socket_fd, (*(uint8_t **)&hdr) + total, sizeof(*hdr) - total); if (!numread) return 0; else if (numread > 0) total += numread; else if (errno != EINTR && errno != EAGAIN) return -1; } while (total < sizeof(*hdr)); if (total < sizeof(*hdr)) return 0; hdr->length = ntohl(hdr->length); hdr->version = ntohs(hdr->version); hdr->type = ntohs(hdr->type); return 1; } static void ConnectToUnixSocket(const char * const name, int * 
const psock) { struct sockaddr_un sunaddr; int sock = -1; int rval; memset(&sunaddr, 0, sizeof(sunaddr)); rval = snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path), "%s", name); if (rval < 0 || (size_t)rval >= sizeof(sunaddr.sun_path)) { fprintf(stderr, "Socket name '%s' is too long\n", name); exit(-1); } sunaddr.sun_family = AF_UNIX; /* open the socket */ if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) { fprintf(stderr, "Error opening socket: %s\n", strerror(errno)); exit(-1); } if (connect(sock, (struct sockaddr *) &sunaddr, sizeof(sunaddr)) == -1) { fprintf(stderr, "Unable to connect to UNIX socket at %s: %s\n", name, strerror(errno)); close(sock); exit(-1); } *psock = sock; } int main(int argc, char *argv[]) { int rval; char socket_fn[PATH_MAX]; int socket_fd; char *p; CSMessage *message; unsigned long type; const char *sep; ssize_t len; PrintMode mode = PRINT_MODE_DETAIL; const char *extra; unsigned int extra_len = 0; if (argc < 3 || argc > 5 || !*argv[1] || !*argv[2]) { DisplayUsage(argv[0]); exit(-1); } else if (argc > 3) { int idx = 3; if((strlen(PRINT_MODE_FAST_KEYWORD) == strlen(argv[idx])) && (strcmp(PRINT_MODE_FAST_KEYWORD,argv[idx]) == 0)) { mode = PRINT_MODE_FAST; idx ++; } if (argc > idx) { extra = argv[idx]; extra_len = strlen(extra) + 1; } } type = strtoul(argv[2], &p, 0); if (*p || type > CS_TYPE_MAX) { DisplayUsage(argv[0]); exit(-1); } len = strlen(argv[1]); if (len && argv[1][len - 1] == '/') sep = ""; else sep = "/"; snprintf(socket_fn, sizeof(socket_fn), "%s%s%s", argv[1], sep, CONTROL_FILE); ConnectToUnixSocket(socket_fn, &socket_fd); if (extra_len > sizeof(message->msg)) { fprintf(stderr, "snort_control: message is too long.\n"); exit(-1); } message = malloc(sizeof *message); if (message == NULL) { fprintf(stderr, "snort_control: could not allocate message.\n"); exit(-1); } message->hdr.version = htons(CS_HEADER_VERSION); message->hdr.type = htons((uint16_t)type); message->hdr.length = 0; if (extra_len) { message->hdr.length = 
htonl(extra_len + sizeof(message->msg_hdr)); message->msg_hdr.code = 0; message->msg_hdr.length = htons(extra_len); memcpy(message->msg, extra, extra_len); } if ((rval = SendMessage(socket_fd, message, extra_len)) < 0) { fprintf(stderr, "Failed to send the message: %s\n", strerror(errno)); close(socket_fd); exit(-1); } else if (!rval) { fprintf(stderr, "Server closed the socket\n"); close(socket_fd); exit(-1); } do { /* Reusing the same CSMessage to capture the response */ if ((rval = ReadResponse(socket_fd, &message->hdr)) < 0) { fprintf(stderr, "Failed to read the response: %s\n", strerror(errno)); close(socket_fd); exit(-1); } else if (!rval) { fprintf(stderr, "Server closed the socket before sending a response\n"); close(socket_fd); exit(-1); } if (message->hdr.version != CS_HEADER_VERSION) { printf("snort_control: bad response version\n"); close(socket_fd); exit(-1); } if (message->hdr.length) { if (message->hdr.length < sizeof(message->msg_hdr)) { printf("snort_control: response message is too small\n"); close(socket_fd); exit(-1); } if (message->hdr.length > sizeof(message->msg)) { printf("snort_control: response message is too large\n"); close(socket_fd); exit(-1); } if ((rval = ReadData(socket_fd, (uint8_t *)message+sizeof(message->hdr), message->hdr.length)) < 0) { fprintf(stderr, "Failed to read the response data: %s\n", strerror(errno)); close(socket_fd); exit(-1); } else if (!rval) { fprintf(stderr, "Server closed the socket before sending the response data\n"); close(socket_fd); exit(-1); } message->msg_hdr.code = ntohl(message->msg_hdr.code); message->msg_hdr.length = ntohs(message->msg_hdr.length); if (mode == PRINT_MODE_DETAIL) { fprintf(stdout, "Response %04X with code %d and length %u\n", message->hdr.type, message->msg_hdr.code, message->msg_hdr.length); DumpHex(stdout, message->msg, message->msg_hdr.length); } else if (mode == PRINT_MODE_FAST) { if (message->msg_hdr.length == message->hdr.length - sizeof(message->msg_hdr)) { 
message->msg[message->msg_hdr.length-1] = 0; fprintf(stdout, "Response %04X with code %d (%s)\n", message->hdr.type, message->msg_hdr.code, message->msg); } else fprintf(stdout, "Response %04X with code %d\n", message->hdr.type, message->msg_hdr.code); } } else { if (mode == PRINT_MODE_DETAIL) printf("Response %04X without data\n", message->hdr.type); else printf("Response %04X\n", message->hdr.type); } } while (message->hdr.type == CS_HEADER_DATA); return 0; } snort-2.9.7.0/tools/control/Makefile.am0000644000000000000000000000065112345604073014605 00000000000000AUTOMAKE_OPTIONS=foreign bin_PROGRAMS = snort_control snort_dump_packets_control docdir = ${datadir}/doc/${PACKAGE} snort_control_SOURCES = sfcontrol.c snort_control_CFLAGS = @CFLAGS@ $(AM_CFLAGS) snort_dump_packets_control_SOURCES = snort_dump_packets.c snort_dump_packets_control_CFLAGS = @CFLAGS@ $(AM_CFLAGS) INCLUDES = @INCLUDES@ @extra_incl@ dist_doc_DATA = README.snort_control README.snort_dump_packets_control snort-2.9.7.0/tools/u2streamer/0000755000000000000000000000000012416771510013240 500000000000000snort-2.9.7.0/tools/u2streamer/sf_error.h0000644000000000000000000000701312302007502015136 00000000000000 #ifndef __SF_ERROR_H__ #define __SF_ERROR_H__ /*! 
\defgroup SF_ERROR */ /** \addtogroup */ /*@{*/ #define SF_SUCCESS 0 /* success */ #define SF_EINVAL 1 /* Invalid argument */ #define SF_ENOSYS 2 /* Unimplemented */ #define SF_ENOMEM 3 /* Out of memory */ #define SF_ERANGE 4 /* Out of range */ #define SF_EPERM 5 /* Not allowed */ #define SF_ENOENT 6 /* No entry */ #define SF_EEXIST 7 /* Already exists */ #define SF_EDATABASE 8 /* Generic database error */ #define SF_ESYNTAX 9 /* Syntax error */ #define SF_NOUSER 10 /* required User value missing */ #define SF_NOUSERROLE 11 /* required User Role value missing */ #define SF_NOTIMESPENT 12 /* required TimeSpent value missing */ #define SF_NOCOMMENT 13 /* required Comment value missing */ #define SF_ETRANSACT 14 /* we need transaction support in the DB */ #define SF_NOTYPE 15 /* required Type value missing */ #define SF_NOSTATE 16 /* required State value missing */ #define SF_NOSUMMARY 17 /* required Summary value missing */ #define SF_EBUSY 18 /* Resource busy */ #define SF_ENOSPC 19 /* No space */ #define SF_EREAD 20 /* General read error */ #define SF_END_OF_FILE 21 /* End of file */ #define SF_EAGAIN 22 /* Try again */ #define SF_EREAD_PARTIAL 23 /* Partial read */ #define SF_ENOTCONN 24 /* Not connected */ #define SF_EREAD_TRUNCATED 25 /* Truncated read */ #define SF_CLOSED 26 /* Closed */ #define SF_ENOPROTOSUPPORT 27 /* Protocol not supported */ #define SF_ENOSUPPORT 28 /* Not supported */ #define SF_EWRITE 29 /* Write error */ #define SF_EWRITE_PARTIAL 30 /* Write error */ #define SF_EBADLEN 31 /* Bad length */ #define SF_EPROTOCOL_VIOLATION 32 /* Protocol violation */ #define SF_EPEER 33 /* peer error */ #define SF_ENOTDIR 34 /* not a directory */ #define SF_EMUTEX 35 #define SF_EMUTEX_INVAL 36 /* invalid lock */ #define SF_EMUTEX_DEADLK 37 /* operation would cause deadlock */ #define SF_EOPEN 38 /* open failed */ #define SF_ELOCKED 39 /* resource locked */ #define SF_ESSL 40 /* SSL error */ #define SF_ELICENSE_INVAL 41 /* Invalid license */ #define 
SF_ELICENSE_PLATFORM 42 /* Not a valid license for this platform */ #define SF_ELICENSE_CORRUPT 43 /* Corrupt license */ #define SF_ESSL_NOCIPHERS 44 /* No valid ciphers */ #define SF_ESSL_CRLEXPIRED 45 /* CRL expired */ #define SF_ENOMATCH 46 /* does not match */ #define SF_ESOCKET 47 /* Socket error */ #define SF_ENITRO 48 /* Error from Nitro database */ #define SF_ENOLICENSE 49 /* No license */ #define SF_EHASLICENSE 50 /* Already has a license */ #define SF_ECORRUPT 51 #define SF_EBAD_MAGIC 52 #define SF_EBAD_LINKTYPE 53 #define SF_ECONT 54 /* Continue */ #define SF_EINVHOST 55 /* invalid hostname entered */ #define SF_EUSER_LIMIT_REACHED 56 /* Couldn't create user - license limit reached*/ #define SF_EDELETE 57 /* Error in deleting file or entry in memory */ #define SF_EMEM 58 /* Error in manipulating memory */ #define SF_NITRO_DUPLICATE 114 /* duplicate key */ /** * Retrieve the text description of the specified error number. * * @param errnum the error number * * @returns descriptive error string */ const char *sf_strerror(int errnum); /*@}*/ #endif /* __SF_ERROR_H__ */ snort-2.9.7.0/tools/u2streamer/SpoolFileIterator.h0000644000000000000000000000425112302007502016724 00000000000000 #ifndef _SPOOL_FILE_ITERATOR_H_ #define _SPOOL_FILE_ITERATOR_H_ #include #ifdef LINUX #include #endif #include #include #include #include #include /* Sourcefire includes */ #include /* Local includes */ #include #include #define SPOOL_FILE_TYPE_UNIFIED 1 #define SPOOL_FILE_TYPE_UNIFIED2 2 /* Snort Unified Log Iterator API **********************************************/ //typedef void SpoolFileIterator; typedef struct _SpoolFileIterator { /* Configuration data */ char *directory; char *bookmark_file; /* Runtime data */ uint8_t new_file_found; uint8_t initialized; uint8_t search_mode; uint8_t go_to_end; uint8_t tail_mode; int status; int err_status; uint32_t timestamp; /* Position seek data */ uint8_t seek_set; uint32_t seek_extension; uint32_t seek_position; /* Current file data */ 
uint8_t file_type; char *file_prefix; uint32_t file_extension; /* Timestamp extension of the current file */ uint32_t record_number; /* Record number from the current file */ Unified2File *u2f; char *filepath; /* Bookmarking data */ int bookmark_fd; /* Caching */ uint16_t event_type; //Unified2IPSEvent *ids_event; uint32_t ids_event_record_number; //Unified2Packet *packet; uint32_t packet_record_number; Unified2ExtraData *extra_data; uint32_t extra_data_record_number; uint32_t flow_event_record_number; Unified2Record *unified2_record; } SpoolFileIterator; int SpoolFileIterator_New(const char *directory, char *file_prefix, const char *bookmark_file, SpoolFileIterator **iterator); int SpoolFileIterator_Destroy(SpoolFileIterator *iterator); int SpoolFileIterator_GetNext(SpoolFileIterator *iterator, Unified2Record **p_record, uint32_t *p_file, uint32_t *p_position); int SpoolFileIterator_Ack(SpoolFileIterator *iterator); int SpoolFileIterator_SetPosition(SpoolFileIterator *iterator, uint32_t extension, uint32_t record_number); #endif /* _SPOOL_FILE_ITERATOR_H_ */ snort-2.9.7.0/tools/u2streamer/Unified2.h0000644000000000000000000002217312302007502014766 00000000000000 #ifndef __UNIFIED2_H__ #define __UNIFIED2_H__ #include #ifdef LINUX #include #endif #include "Unified2_common.h" /*! 
\defgroup Unified2 */ /** \addtogroup Unified2 */ /*@{*/ #define UNIFIED2_CLASSIFICATION 3 #define UNIFIED2_PRIORITY 4 #define UNIFIED2_SIGNATURE_MESSAGE 5 #define UNIFIED2_RNA_EVENT 6 #define UNIFIED2_POLICY_EVENT 8 #define UNIFIED2_IMPACT_ALERT 9 #define UNIFIED2_RNA_EVENT_NEW_HOST 10 #define UNIFIED2_RNA_EVENT_NEW_TCP_SERVICE 11 #define UNIFIED2_RNA_EVENT_NEW_UDP_SERVICE 12 #define UNIFIED2_RNA_EVENT_NEW_NET_PROTOCOL 13 #define UNIFIED2_RNA_EVENT_NEW_XPORT_PROTOCOL 14 #define UNIFIED2_RNA_EVENT_NEW_CLIENT_APP 15 #define UNIFIED2_RNA_EVENT_CHANGE_TCP_SERVICE_INFO 16 #define UNIFIED2_RNA_EVENT_CHANGE_UDP_SERVICE_INFO 17 #define UNIFIED2_RNA_EVENT_CHANGE_OS 18 #define UNIFIED2_RNA_EVENT_CHANGE_HT_TIMEOUT 19 #define UNIFIED2_RNA_EVENT_CHANGE_HT_REMOVE 20 #define UNIFIED2_RNA_EVENT_CHANGE_HT_ANR_DELETE 21 #define UNIFIED2_RNA_EVENT_CHANGE_HOPS 22 #define UNIFIED2_RNA_EVENT_CHANGE_TCP_PORT_CLOSED 23 #define UNIFIED2_RNA_EVENT_CHANGE_UDP_PORT_CLOSED 24 #define UNIFIED2_RNA_EVENT_CHANGE_TCP_PORT_TIMEOUT 25 #define UNIFIED2_RNA_EVENT_CHANGE_UDP_PORT_TIMEOUT 26 #define UNIFIED2_RNA_EVENT_CHANGE_MAC_INFO 27 #define UNIFIED2_RNA_EVENT_CHANGE_MAC_ADD 28 #define UNIFIED2_RNA_EVENT_CHANGE_HOST_IP 29 #define UNIFIED2_RNA_EVENT_CHANGE_HOST_UPDATE 30 #define UNIFIED2_RNA_EVENT_CHANGE_HOST_TYPE 31 #define UNIFIED2_RNA_EVENT_CHANGE_VULN_MAP 32 #define UNIFIED2_RNA_EVENT_CHANGE_FLOW_STATS 33 #define UNIFIED2_RNA_EVENT_CHANGE_VLAN_TAG 34 #define UNIFIED2_RNA_EVENT_CHANGE_CLIENT_APP_TIMEOUT 35 #define UNIFIED2_POLICY_EVENT_V2 36 #define UNIFIED2_RNA_EVENT_USER_VULN_VALID 37 #define UNIFIED2_RNA_EVENT_USER_VULN_INVALID 38 #define UNIFIED2_RNA_EVENT_USER_DELETE_ADDR 39 #define UNIFIED2_RNA_EVENT_USER_DELETE_SERVICE 40 #define UNIFIED2_RNA_EVENT_USER_SET_CRIICALITY 41 #define UNIFIED2_RNA_EVENT_CHANGE_NETBIOS_NAME 42 #define UNIFIED2_RNA_EVENT_CHANGE_HT_DROPPED 44 #define UNIFIED2_RNA_EVENT_CHANGE_BANNER_UPDATE 45 #define UNIFIED2_RNA_EVENT_USER_ADD_ATTRIBUTE 46 #define 
UNIFIED2_RNA_EVENT_USER_UPDATE_ATTRIBUTE 47 #define UNIFIED2_RNA_EVENT_USER_DELETE_ATTRIBUTE 48 #define UNIFIED2_RNA_EVENT_USER_SET_ATTRIBUTE_VALUE 49 #define UNIFIED2_RNA_EVENT_USER_DELETE_ATTRIBUTE_VALUE 50 #define UNIFIED2_RNA_EVENT_CHANGE_TCP_SERVICE_CONFIDENCE 51 #define UNIFIED2_RNA_EVENT_CHANGE_UDP_SERVICE_CONFIDENCE 52 #define UNIFIED2_RNA_EVENT_CHANGE_OS_CONFIDENCE 53 #define UNIFIED2_RNA_FINGERPRINT 54 #define UNIFIED2_RNA_CLIENT_APPLICATION 55 #define UNIFIED2_RNA_CLIENT_APPLICATION_TYPE 56 #define UNIFIED2_RNA_VULNERABILITY 57 #define UNIFIED2_RNA_CRITICALITY 58 #define UNIFIED2_RNA_NETWORK_PROTOCOL 59 #define UNIFIED2_RNA_ATTRIBUTE 60 #define UNIFIED2_RNA_SCAN_TYPE 61 #define UNIFIED2_USERS 62 #define UNIFIED2_RNA_SERVICE 63 #define UNIFIED2_DETECTION_ENGINE 64 #define UNIFIED2_POLICY_EVENT_V3 65 #define UNIFIED2_SIGNATURE_MESSAGE_V2 66 #define UNIFIED2_CLASSIFICATION_V2 67 #define UNIFIED2_DETECTION_ENGINE_V2 68 #define UNIFIED2_COMPLIANCE_POLICY 69 #define UNIFIED2_COMPLIANCE_RULE 70 #define UNIFIED2_RNA_EVENT_FLOW_FLOW_STATS 71 #define UNIFIED2_RNA_EVENT_FLOW_FLOW_CHUNK 73 #define UNIFIED2_RNA_EVENT_USER_SET_OS 74 #define UNIFIED2_RNA_EVENT_USER_SET_SERVICE 75 #define UNIFIED2_RNA_EVENT_USER_DELETE_PROTOCOL 76 #define UNIFIED2_RNA_EVENT_USER_DELETE_CLIENT_APP 77 #define UNIFIED2_RNA_EVENT_USER_DELETE_ADDR_V2 78 #define UNIFIED2_RNA_EVENT_USER_DELETE_SERVICE_V2 79 #define UNIFIED2_RNA_EVENT_USER_VULN_VALID_V2 80 #define UNIFIED2_RNA_EVENT_USER_VULN_INVALID_V2 81 #define UNIFIED2_RNA_EVENT_USER_SET_CRITICALITY_V2 82 #define UNIFIED2_RNA_EVENT_USER_SET_ATTRIBUTE_VALUE_V2 83 #define UNIFIED2_RNA_EVENT_USER_DELETE_ATTRIBUTE_VALUE_V2 84 #define UNIFIED2_RNA_EVENT_USER_ADD_HOST 85 #define UNIFIED2_RNA_EVENT_USER_ADD_SERVICE 86 #define UNIFIED2_RNA_EVENT_USER_ADD_CLIENT_APP 87 #define UNIFIED2_RNA_EVENT_USER_ADD_PROTOCOL 88 #define UNIFIED2_RNA_EVENT_USER_ADD_SCAN_RESULT 89 #define UNIFIED2_RNA_SOURCE_TYPE 90 #define UNIFIED2_RNA_SOURCE_APP 91 #define 
UNIFIED2_RUA_EVENT_CHANGE_USER_DROPPED 92 #define UNIFIED2_RUA_EVENT_CHANGE_USER_REMOVE 93 #define UNIFIED2_RUA_EVENT_NEW_USER_ID 94 #define UNIFIED2_RUA_EVENT_CHANGE_USER_LOGIN 95 #define UNIFIED2_RNA_SOURCE_DETECTOR 96 #define UNIFIED2_POLICY_EVENT_V5 97 #define UNIFIED2_RUA_USER 98 #define UNIFIED2_RNA_EVENT_NEW_OS 101 #define UNIFIED2_RNA_EVENT_CHANGE_IDENTITY_CONFLICT 102 #define UNIFIED2_RNA_EVENT_CHANGE_IDENTITY_TIMEOUT 103 #define UNIFIED2_SCAN_VULNERABILITY 106 #define UNIFIED2_RNA_EVENT_CHANGE_CLIENT_APP_UPDATE 107 #define UNIFIED2_RNA_PAYLOAD_TYPE 108 #define UNIFIED2_RNA_PAYLOAD 109 #define UNIFIED2_EXTRA_DATA_TYPE 111 #define UNIFIED2_POLICY_EVENT_V6 112 #define UNIFIED2_RUA_EVENT 113 #define UNIFIED2_RUA_EVENT_FAILED_USER_LOGIN 114 #define UNIFIED2_ZONE_NAME 115 #define UNIFIED2_INTERFACE_NAME 116 #define UNIFIED2_FW_POLICY_NAME 117 #define UNIFIED2_IDS_POLICY_NAME 118 #define UNIFIED2_FW_RULE_ID 119 #define UNIFIED2_FW_RULE_ACTION 120 #define UNIFIED2_FW_URL_CATEGORY 121 #define UNIFIED2_FW_URL_REPUTATION 122 #define UNIFIED2_SENSOR 123 #define UNIFIED2_FW_RULE_REASON 124 #define UNIFIED2_FIREAMP_EVENT 125 #define UNIFIED2_FIREAMP_HOST_EVENT 126 #define UNIFIED2_FIREAMP_CLOUD_NAME 127 #define UNIFIED2_FIREAMP_EVENT_TYPE 128 #define UNIFIED2_FIREAMP_EVENT_SUBTYPE 129 #define UNIFIED2_FIREAMP_DETECTOR_TYPE 130 #define UNIFIED2_FIREAMP_FILE_TYPE 131 #define UNIFIED2_IPS_RULE_DOC 140 #define UNIFIED2_USER_IP_MAP 150 #define UNIFIED2_USER_IP_MAP_UPDATE 151 #define UNIFIED2_USER_GROUP_MAP 152 #define UNIFIED2_USER_GROUP_MAP_UPDATE 153 #define UNIFIED2_USER_MAP_UPDATE 154 #define UNIFIED2_USER_SNAPSHOT 155 #define UNIFIED2_USER_GROUP_SNAPSHOT 156 #define UNIFIED2_USER_GROUP_CTRL_MSG 157 #define UNIFIED2_RNA_EVENT_IOC_SET 160 #define UNIFIED2_IOC_NAME 161 #define UNIFIED2_RNA_EVENT_USER_IOC_DELETE 162 #define UNIFIED2_RNA_EVENT_USER_IOC_ENABLE 163 #define UNIFIED2_RNA_EVENT_USER_IOC_DISABLE 164 #define UNIFIED2_FW_EVENT_START 200 #define 
UNIFIED2_FW_EVENT_END 210 #define UNIFIED2_FW_APP_STATS 220 #define UNIFIED2_FW_USER_STATS 230 #define UNIFIED2_FW_URLCAT_STATS 240 #define UNIFIED2_FW_URLREP_STATS 250 #define UNIFIED2_ICMP_TYPE 260 #define UNIFIED2_ICMP_CODE 270 #define UNIFIED2_IPREP_CATEGORY 280 #define UNIFIED2_IPREP_SRCDEST 281 #define UNIFIED2_FILELOG_EVENT 500 #define UNIFIED2_FILELOG_MALWARE_EVENT 502 #define UNIFIED2_FILELOG_FILE_TYPE 510 #define UNIFIED2_FILELOG_SHA 511 #define UNIFIED2_FILE_EXTRACT_EVENT 512 #define UNIFIED2_FILE_STORAGE_STATS 514 #define UNIFIED2_FILELOG_STORAGE 515 #define UNIFIED2_FILELOG_SANDBOX 516 #define UNIFIED2_FILELOG_SPERO 517 #define UNIFIED2_GEOLOCATION 520 #define UNIFIED2_FILE_POLICY_NAME 530 /* UEC Defines */ #define UNIFIED2_UEC_HELLO_410 4000 #define UNIFIED2_UEC_REPLY_410 4001 #define UNIFIED2_UEC_BUNDLE 4002 #define UNIFIED2_UEC_RUA_EVENT 4003 #define UNIFIED2_UEC_RESET 4004 #define UNIFIED2_UEC_HELLO 4010 #define UNIFIED2_UEC_REPLY 4011 #define UNIFIED2_UEC_UPDATE 4012 //Estreamer support only. 
Adds the time of archiving events typedef struct _Serial_Unified2HeaderExtension { uint32_t timestamp; uint32_t checksum; } Serial_Unified2HeaderExtension; typedef struct _Serial_Unified2_Header_Extended { uint32_t type; uint32_t length; uint32_t timestamp; uint32_t checksum; } Serial_Unified2_Header_Extended; typedef struct _Serial_Unified2 { uint32_t type; uint32_t length; uint8_t data[4]; } Serial_Unified2; typedef struct _Serial_Unified2_Extended { uint32_t type; uint32_t length; uint32_t timestamp; uint32_t checksum; uint8_t data[4]; } Serial_Unified2_Extended; //End Estreamer support /** Product serialization support */ //Data structure to hold de-serialized U2 record typedef struct _Unified2Record { uint32_t type; uint32_t timestamp; uint32_t length; uint8_t *data; } Unified2Record; int Unified2Record_Destroy(Unified2Record *u2_record); //Used by SFDC Agent handler only int Unified2Record_Deserialize(uint8_t *buffer, uint32_t length, Unified2Record **u2_record, int copy_data); //used by EStreamer only int Unified2Record_Serialize(Unified2Record *u2_record, int options, uint8_t **buffer, uint32_t *length); /*@}*/ #endif /* __UNIFIED2_H__ */ snort-2.9.7.0/tools/u2streamer/u2streamer.c0000644000000000000000000000777712406100154015424 00000000000000/* * Copyright (C) 2003-2005 Sourcefire, Inc. 
All Rights Reserved * Test program for streaming a unified log file */ #include #include "UnifiedLog.h" #include "SpoolFileIterator.h" #include #include #include #ifdef LINUX #include #endif #include #include #include #include #include struct _config { char *name; char *path; uint32_t priority; }config; static int ParseCommandLine(int argc, char *argv[]); bool stop_processing = false; #if 1 static void HandleSignal(int signal) { stop_processing = true; } #endif #define BOOKMARK_FILE_SIZE 128 int main(int argc, char *argv[]) { //UnifiedLog *unified_log = NULL; SpoolFileIterator *iterator = NULL; Unified2Record *record = NULL; int rval = 0; char bookmark[BOOKMARK_FILE_SIZE]; uint32_t file, position; #if 0 sflog_enable_details(); sflog_enable_stderr(); sflog_disable_syslog(); sflog_set_current_log_level(SFLOG_DEBUG); #endif signal(SIGTERM, HandleSignal); if((rval = ParseCommandLine(argc, argv)) != SF_SUCCESS) { return rval; } snprintf(bookmark, BOOKMARK_FILE_SIZE, "%s/%sbookmark", config.path, config.name); if((rval = SpoolFileIterator_New(config.path, config.name, bookmark, &iterator)) != SF_SUCCESS) { fprintf(stderr, "Failed to create iterator: %s\n", sf_strerror(rval)); return rval; } while (!stop_processing) { /* Get another record for this iterator */ rval = SpoolFileIterator_GetNext(iterator, &record, &file, &position); if(rval != SF_SUCCESS && rval != SF_EAGAIN && rval != SF_ENOENT) { fprintf(stderr, "Error getting record from iterator: %s",sf_strerror(rval)); return rval; } } fprintf(stderr, "GetNext returned: %s\n", sf_strerror(rval)); if(iterator) { SpoolFileIterator_Destroy(iterator); } free(config.path); free(config.name); return rval; } static void usage(char *binaryName) { printf("Usage: %s [options] --name=\n", binaryName); printf(" --path: directory containing the binary files.\n"); printf(" --help: This text.\n"); } static int ParseCommandLine(int argc, char *argv[]) { int c; int option_index = 0; static struct option long_options[] = { {"name", 1, 
NULL, 'n'}, {"path", 1, NULL, 'p'}, {"help", 0, NULL, 0}, {NULL, 0, NULL, 0} }; memset(&config, 0, sizeof(config)); while((c = getopt_long(argc, argv, "n:p:", long_options, &option_index)) != -1) { switch(c) { case 0: if(strcasecmp("help", long_options[option_index].name) == 0) { usage(argv[0]); exit(0); } else { fprintf(stderr, "Unknown command line option: %s", long_options[option_index].name); return SF_EINVAL; } break; case 'n': config.name = malloc(strlen(optarg)+2); if(!(config.name)) { fprintf(stderr, "Out of memory processing command line"); return SF_ENOMEM; } strcpy(config.name, optarg); strcat(config.name,"."); break; case 'p': if(!(config.path = strdup(optarg))) { fprintf(stderr, "Out of memory processing command line"); return SF_ENOMEM; } break; default: return SF_EINVAL; } } if (!config.name || !config.path) { usage(argv[0]); exit(-1); } config.priority = (LOG_INFO | LOG_INFO); return 0; } snort-2.9.7.0/tools/u2streamer/UnifiedLog.c0000644000000000000000000000075312302007502015341 00000000000000 /* System includes */ #include #include #include #include #include #include #include /* Local includes */ #include "UnifiedLog.h" /* Snort Unified Log Record API ***********************************************/ int UnifiedLog_Destroy(UnifiedLog *unified_log) { if(unified_log) { if(unified_log->packet) free(unified_log->packet); free(unified_log); } return 0; } snort-2.9.7.0/tools/u2streamer/TimestampedFile.h0000644000000000000000000000264712302007502016401 00000000000000 #ifndef __TIMESTAMPED_FILE_H__ #define __TIMESTAMPED_FILE_H__ #include #include "sf_types.h" /** * Find the next file using the timestamp extension. * * Search the specified directory for files matching file_prefix. The filename * information after the prefix is interpreted as a unix timestamp. Select * the oldest file that is after or within the specified timestamp (depending * on the mode) and returns the timestamp value to the user. 
If mode is set * to 1, we will return a timestamp equal or greater than the search timestamp. * If mode is set to 0, we will return a timestamp less than or equal to the * specified timestamp (this will indicate the file that is most likely to * contain data for the specified timestamp). * * @param directory The directory to scan * @param file_prefix The file prefix * @param timestamp search timestamp * @param mode operational mode (1 or 0) * @param next_timestamp return reference for the selected timestamp * * @retval SF_SUCCESS search succeeded * @retval SF_EINVAL invalid argument * @retval SF_ENOENT no files found * @retval SF_EOPEN unable to open directory * @retval SF_EREAD unbale to read from directory */ int FindNextTimestampedFile(char *directory, char *file_prefix, uint32_t timestamp, int after, uint32_t *next_timestamp); #endif /* __TIMESTAMPED_FILE_H__ */ snort-2.9.7.0/tools/u2streamer/Unified2.c0000644000000000000000000000072412302007502014757 00000000000000/* * Copyright(C) 2003 Sourcefire, Inc. All Rights Reserved */ /* System includes */ #include #include #include #ifdef LINUX #include #endif /* Sourcefire includes */ #include /* Local includes */ #include "Unified2.h" int Unified2Record_Destroy(Unified2Record *u2_record) { if(!u2_record) return SF_EINVAL; free(u2_record->data); free(u2_record); return SF_SUCCESS; } snort-2.9.7.0/tools/u2streamer/SpoolFileIterator.c0000644000000000000000000006503212345604073016740 00000000000000/* * Copyright (C) 2003-2007 Sourcefire. Inc. 
All Rights Reserved */ /* System includes */ #include #include #include #include #include #include #include #include #include #include #include #include /* Local includes */ #include #include #include #include "SpoolFileIterator.h" #include "TimestampedFile.h" #include "sf_error.h" #define STATUS_BAD -1 #define STATUS_OK 0 #define SPOOL_FILE_TYPE_UNIFIED 1 #define SPOOL_FILE_TYPE_UNIFIED2 2 #define TO_IP(x) x >> 24, (x >> 16) & 0xff, (x >> 8) & 0xff, x & 0xff /* Snort Unfied Log Iterator API **********************************************/ int SpoolFileIterator_Destroy(SpoolFileIterator *iterator); int SpoolFileIterator_SetPosition(SpoolFileIterator *iterator, uint32_t extension, uint32_t position); static int LoadData(SpoolFileIterator *iterator); static int OpenFile(char *filepath, SpoolFileIterator *iterator); static void CloseFile(SpoolFileIterator *iterator); static int UpdateBookmark(SpoolFileIterator *iterator, uint32_t timestamp, uint32_t position); static int BuildFilepath(SpoolFileIterator *iterator, char *file_prefix, uint32_t extension, char **filepath) { char *tmp = NULL; ssize_t filepath_len; /* construct the complete filepath for the next file */ filepath_len = strlen(iterator->directory) + 1 + strlen(file_prefix) + 16 + 1; if(!(tmp = (char *)calloc(filepath_len, sizeof(char)))) { fprintf(stderr, "Out of memory (wanted %zu bytes)\n", filepath_len + 1); return SF_ENOMEM; } snprintf(tmp, filepath_len, "%s/%s%u", iterator->directory, file_prefix, extension); *filepath = tmp; return 0; } int SpoolFileIterator_New(const char *directory, char *file_prefix, const char *bookmark_file, SpoolFileIterator **p_iterator) { SpoolFileIterator *iterator = NULL; int rval = 0; if(!directory || !file_prefix || !p_iterator) return SF_EINVAL; if(!(iterator = (SpoolFileIterator *)calloc(1, sizeof(SpoolFileIterator)))) { fprintf(stderr, "Out of memory (wanted %zu bytes)\n", sizeof(SpoolFileIterator)); return SF_ENOMEM; } iterator->bookmark_fd = -1; iterator->file_prefix = 
file_prefix; if(!(iterator->directory = strdup(directory))) { fprintf(stderr, "Out of memory (wanted %zu bytes)\n", strlen(directory) + 1); rval = SF_ENOMEM; goto exit; } if(bookmark_file) { iterator->bookmark_file = strdup(bookmark_file); //create a file } iterator->search_mode = 0; iterator->tail_mode = 1; iterator->timestamp = 0; exit: if(rval != 0) SpoolFileIterator_Destroy(iterator); else *p_iterator = iterator; return rval; } int SpoolFileIterator_Destroy(SpoolFileIterator *iterator) { if(!iterator) return SF_EINVAL; if(iterator->bookmark_fd != -1) close(iterator->bookmark_fd); if(iterator->u2f) Unified2File_Close(iterator->u2f); free(iterator->bookmark_file); free(iterator->directory); free(iterator->filepath); if(iterator->unified2_record) Unified2Record_Destroy(iterator->unified2_record); free(iterator); return 0; } int ReadBookmarkData(SpoolFileIterator *iterator) { int fd = -1; char buffer[256]; /* This is the most we would write */ char *s_position = NULL; unsigned long position; unsigned long extension; ssize_t bytes_read; int rval = 0; if(!iterator || !iterator->bookmark_file) return SF_EINVAL; if((fd = open(iterator->bookmark_file, O_RDONLY)) == -1) { if (UpdateBookmark(iterator, 0, 0)) { rval = errno; fprintf(stderr, "Failed to create file '%s': %s\n", iterator->bookmark_file, strerror(rval)); return rval; } if((fd = open(iterator->bookmark_file, O_RDONLY)) == -1) { rval = errno; fprintf(stderr, "Failed to open file '%s': %s\n", iterator->bookmark_file, strerror(rval)); return rval; } } errno = 0; /* Read from the file */ memset(buffer, 0, sizeof(buffer)); if((bytes_read = read(fd, buffer, sizeof(buffer) - 1)) == -1) { rval = errno; fprintf(stderr, "Failed to read from file '%s': %s\n", iterator->bookmark_file, strerror(rval)); return rval; } /* Remove trailing newline */ if((s_position = strchr(buffer, '\n'))) *s_position = '\0'; /* Parse the position */ if(!(s_position = strchr(buffer, ','))) { fprintf(stderr, "Syntax error processing bookmark 
data '%s'\n", buffer); goto exit; } *s_position = '\0'; s_position++; position = strtoul(s_position, NULL,0); if(errno) { fprintf(stderr, "Failed to parse position '%s': %s\n", s_position, strerror(errno)); rval = errno; goto exit; } /* Parse the extension */ extension = strtoul(buffer, NULL,0); if(errno) { fprintf(stderr, "Failed to parse extension '%s': %s\n", buffer, strerror(errno)); rval = errno; goto exit; } /* Set the iterator start position */ if((rval = SpoolFileIterator_SetPosition(iterator, extension, position)) != 0) { fprintf(stderr, "Failed to set position: %s\n", strerror(rval)); } exit: if(fd != -1) close(fd); fd = -1; return rval; } static int UpdateBookmark(SpoolFileIterator *iterator, uint32_t timestamp, uint32_t position) { char buffer[256]; if(!iterator || !iterator->bookmark_file) return SF_EINVAL; if(iterator->bookmark_fd == -1) { if((iterator->bookmark_fd = open(iterator->bookmark_file, //O_WRONLY | O_CREAT | O_SYNC, S_IRUSR | S_IWUSR)) == -1) O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR)) == -1) { fprintf(stderr, "Unable to open file '%s': %s\n", iterator->bookmark_file, strerror(errno)); return -1; } /* XXX We may want to get a lock on this too */ } memset(buffer, ' ', sizeof(buffer)); snprintf(buffer, sizeof(buffer)-1, "%u, %u\n", timestamp, position); /* Set back to the beginning of the file */ if (lseek(iterator->bookmark_fd, 0, SEEK_SET)) { fprintf(stderr, "Unable to seek file '%s': %s\n", iterator->bookmark_file, strerror(errno)); return -1; } if (write(iterator->bookmark_fd, buffer, sizeof(buffer)) < 0) { fprintf(stderr, "Unable to write file '%s': %s\n", iterator->bookmark_file, strerror(errno)); return -1; } /* XXX Block signals here */ /* XXX We may also want to check for errors */ return 0; } static int FindNewestSpoolFile(SpoolFileIterator *iterator, char **found_file_prefix, uint32_t *found_file_timestamp) { uint32_t file_timestamp = 0; int rval = 0; while((rval = FindNextTimestampedFile(iterator->directory, iterator->file_prefix, 
iterator->timestamp, 1, &file_timestamp)) == 0) { fprintf(stderr, "Found timestamp: %u\n", file_timestamp); if (found_file_prefix) *found_file_prefix = iterator->file_prefix; if (found_file_timestamp) *found_file_timestamp = file_timestamp; if(file_timestamp == iterator->timestamp) iterator->timestamp++; else { if(iterator->timestamp) { struct stat buf; /* Try to archive, since we found a newer one */ if(iterator->filepath) free(iterator->filepath); iterator->filepath = NULL; if((rval = BuildFilepath(iterator, iterator->file_prefix, iterator->timestamp, &(iterator->filepath))) != 0) { fprintf(stderr, "Unable to build filepath: %s\n", strerror(rval)); return SF_ENOENT; } if (stat(iterator->filepath, &buf)) { fprintf(stderr, "Unable to get file status: %s\n", strerror(rval)); /* warning only */ } } iterator->timestamp = file_timestamp; } fprintf(stderr, "Looking with timestamp: %u\n", iterator->timestamp); return SF_SUCCESS; } return SF_ENOENT; } static int FindNextSpoolFile(SpoolFileIterator *iterator,uint32_t timestamp, int mode, char **next_file_prefix, uint32_t *next_file_timestamp) { uint32_t file_timestamp = 0; int rval = 0; if((rval = FindNextTimestampedFile(iterator->directory, iterator->file_prefix, timestamp, mode, &file_timestamp)) == 0) { if (next_file_prefix) *next_file_prefix = iterator->file_prefix; if (next_file_timestamp) *next_file_timestamp = file_timestamp; return 0; } return rval; } static int OpenNextFile(SpoolFileIterator *iterator) { int rval = 0; char *filepath = NULL; char *file_prefix = NULL; uint32_t file_timestamp = 0; if(!iterator) return SF_EINVAL; if(iterator->go_to_end) { fprintf(stderr, "Looking with timestamp: %u\n", iterator->timestamp); /* Find the newest spool file */ if ((rval = FindNewestSpoolFile(iterator, &file_prefix, &file_timestamp)) != 0) { iterator->go_to_end = 0; return rval; } fprintf(stderr, "Using timestamp: %u\n", file_timestamp); } else { /* Find the next spool file */ if((rval = FindNextSpoolFile(iterator, 
iterator->timestamp, iterator->search_mode, &file_prefix, &file_timestamp)) != 0) { /* No next file */ if(rval == SF_ENOENT) /* No files found, return */ { return SF_EAGAIN; } fprintf(stderr, "Error finding next timestamped file: %s\n", strerror(rval)); return rval; /* other errors */ } } /* We found a file, attempt to open it */ if((rval = BuildFilepath(iterator, file_prefix, file_timestamp, &filepath)) != 0) { fprintf(stderr, "Unable to build filepath: %s\n", strerror(rval)); goto exit; } //reads unified file header and just opens unified2 file to read rval = OpenFile(filepath, iterator); if(rval == 0) { fprintf(stderr, "Opened %s\n", filepath); if(iterator->filepath) free(iterator->filepath); iterator->filepath = filepath; filepath = NULL; iterator->timestamp = file_timestamp; iterator->file_extension = file_timestamp; iterator->file_prefix = file_prefix; iterator->record_number = 0; iterator->search_mode = 1; } exit: if(filepath) { free(filepath); } return rval; } #if 0 typedef struct _BookmarkRecord { uint32_t extension; uint32_t position; } BookmarkRecord; #endif int SpoolFileIterator_GetNext(SpoolFileIterator *iterator, Unified2Record **p_record, uint32_t *p_file, uint32_t *p_position) { int rval = 0; Unified2Record *record = NULL; int offset; if((rval = LoadData(iterator)) != 0) { return rval; } /* Set pointer to record */ record = iterator->unified2_record; offset = lseek(iterator->u2f->fd, 0, SEEK_CUR); if (offset < 0) { fprintf(stderr, "Failed to determine current file offset: %s",sf_strerror(rval)); return rval; } if((rval = UpdateBookmark(iterator, iterator->file_extension, offset)) != SF_SUCCESS) { fprintf(stderr, "Failed to update bookmark: %s",sf_strerror(rval)); return rval; } if(p_file) { *p_file = iterator->file_extension; } if(p_position) { *p_position = iterator->extra_data_record_number; } iterator->extra_data_record_number = 0; *p_record = record; return rval; } static void event3_dump(Unified2Record *record) { uint8_t *field; int i; 
Serial_Unified2IDSEvent event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEvent)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first 11 fields need to be convertted */ field = (uint8_t*)&event; for(i=0; i<11; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ syslog(LOG_ALERT|LOG_AUTH, "\"(Event)\"" ",sensor_id=\"%u\",event_id=\"%u\",event_second=\"%u\",event_microsecond=\"%u\"" ",sig_id=\"%u\",gen_id=\"%u\",revision=\"%u\",classification=\"%u\"" ",priority=\"%u\",ip_source=\"%u.%u.%u.%u\",ip_destination=\"%u.%u.%u.%u\"" ",src_port=\"%u\",dest_port=\"%u\",protocol=\"%u\",impact_flag=\"%u\",blocked=\"%u\"" ",mpls_label=\"%u\",vland_id=\"%u\",policy_id=\"%u\",appid=\"%s\"\n", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, TO_IP(event.ip_source), TO_IP(event.ip_destination), event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked, event.mpls_label, event.vlanId, event.pad2, event.app_name); } static void event3_6_dump(Unified2Record *record) { uint8_t *field; int i; char ip6Src[INET6_ADDRSTRLEN+1]; char ip6Dst[INET6_ADDRSTRLEN+1]; Serial_Unified2IDSEventIPv6 event; memcpy(&event, record->data, sizeof(Serial_Unified2IDSEventIPv6)); /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first fields need to 
be convertted */ field = (uint8_t*)&event; for(i=0; i<9; i++, field+=4) { *(uint32_t*)field = ntohl(*(uint32_t*)field); } field = field + 2*sizeof(struct in6_addr); /* last 3 fields, with the exception of the last most since it's just one byte */ *(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */ field += 2; *(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */ field +=6; *(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; /* policy_id and vlanid */ for(i=0; i<2; i++, field+=2) { *(uint16_t*)field = ntohs(*(uint16_t*)field); } /* done changing the network ordering */ inet_ntop(AF_INET6, &event.ip_source, ip6Src, INET6_ADDRSTRLEN); inet_ntop(AF_INET6, &event.ip_destination, ip6Dst, INET6_ADDRSTRLEN); syslog(LOG_ALERT|LOG_AUTH, "\"(IPv6_Event)|\"" ",sensor_id=\"%u\",event_id=\"%u\",event_second=\"%u\",event_microsecond=\"%u\"" ",sig_id=\"%u\",gen_id=\"%u\",revision=\"%u\",classification=\"%u\"" ",priority=\"%u\",ip_source=\"%s\"," "ip_destination=\"%s\"" ",src_port=\"%u\",dest_port=\"%u\",protocol=\"%u\",impact_flag=\"%u\",blocked=\"%u\"" ",mpls_label=\"%u\",vland_id=\"%u\",policy_id=\"%u\",appid=\"%s\"\n", event.sensor_id, event.event_id, event.event_second, event.event_microsecond, event.signature_id, event.generator_id, event.signature_revision, event.classification_id, event.priority_id, ip6Src, ip6Dst, event.sport_itype, event.dport_icode, event.protocol, event.impact_flag, event.blocked, event.mpls_label, event.vlanId,event.pad2, event.app_name); } static void appid_dump(Unified2Record *record) { uint8_t *field = (uint8_t*)record->data; unsigned i; unsigned appCnt; unsigned statTime; /* network to host ordering */ /* In the event structure, only the last 40 bits are not 32 bit fields */ /* The first fields need to be convertted */ statTime = ntohl(*(uint32_t*)field); field += 4; appCnt = ntohl(*(uint32_t*)field); /* mpls_label */ field += 4; for(i=0; itype) { case UNIFIED2_IDS_EVENT_APPSTAT: 
appid_dump(unified2_record); break; case UNIFIED2_IDS_EVENT_APPID: event3_dump(unified2_record); break; case UNIFIED2_IDS_EVENT_APPID_IPV6: event3_6_dump(unified2_record); break; } return 0; } static int LoadData(SpoolFileIterator *iterator) { int rval = 0; Unified2Record *unified2_record = NULL; /* validate arguments */ if(!iterator) { return SF_EINVAL; } iterator->new_file_found = 0; if(iterator->status != STATUS_OK) { fprintf(stderr, "Iterator status is not OK\n"); return -1; /* XXX better return code */ } if(!iterator->initialized && iterator->bookmark_file) { rval = ReadBookmarkData(iterator); if(rval != 0 && rval != SF_ENOENT) { fprintf(stderr, "Failed to process bookmark: %s\n",strerror(rval)); return rval; } iterator->initialized = 1; } if(iterator->seek_set && iterator->file_extension != iterator->seek_extension) { CloseFile(iterator); iterator->file_extension = 0; iterator->record_number = 0; iterator->timestamp = iterator->seek_extension; iterator->search_mode = 2; } while(1) { /* Find the file we need to use */ if(!iterator->u2f) { if(iterator->tail_mode == 0) { return SF_ENOENT; } rval = OpenNextFile(iterator); /* If we could not open the next file because it only had a * partial header, we keep trying until we can open a file * completely. * XXX This could cause us to loop forever. We * should kick the error back up to the parent so it can * decide when to retry. */ if(rval == SF_ECONT) { //if SF_ECONT is set twice and iterator->new_file_found == 1 and file size is zero - should archive? continue; } else if(rval != 0) { //fprintf(stderr, "No new file found for iterator - returning %d",rval); return rval; } /* Did we move past the desired file? 
*/ if(iterator->seek_set && iterator->file_extension != iterator->seek_extension) { fprintf(stderr, "Wanted events from %u, but skipped to %u\n", iterator->seek_extension, iterator->file_extension); iterator->seek_set = 0; } } /* If we get here, we have a valid open file handle */ /* Attempt to read a record from the file */ if (iterator->file_type == SPOOL_FILE_TYPE_UNIFIED2) { //fprintf(stderr, "NORMAL - UNIFIED2 LOG\n"); rval = Unified2File_Read(iterator->u2f, &unified2_record); } if(rval == 0) { if (iterator->file_type == SPOOL_FILE_TYPE_UNIFIED2) { if((rval = ExtractUnified2Data(iterator, unified2_record)) != 0) { if(rval == SF_ECORRUPT || rval == SF_EBADLEN) { CloseFile(iterator); iterator->file_extension = 0; iterator->record_number = 0; } fprintf(stderr,"Failed to process unified2 record: %s\n",strerror(rval)); return rval; } if (iterator->unified2_record) Unified2Record_Destroy(iterator->unified2_record); iterator->unified2_record = unified2_record; unified2_record = NULL; } if(iterator->go_to_end) { continue; } else if(iterator->seek_set) { iterator->seek_set = 0; } return 0; } /* Read failed */ /* Bail out if we are not in tail mode */ if(iterator->tail_mode == 0) { CloseFile(iterator); iterator->status = -1; iterator->file_extension = 0; iterator->record_number = 0; return rval; } /* Invalidate the iterator on fatal errors */ if( rval != SF_EREAD_PARTIAL && rval != SF_ENOENT && rval != SF_ECORRUPT && rval != SF_EBADLEN && rval != SF_END_OF_FILE) { /* Fatal errors */ fprintf(stderr,"Error reading unified log record: %s\n",strerror(rval)); CloseFile(iterator); iterator->status = -1; iterator->file_extension = 0; iterator->record_number = 0; return rval; } //rval = SF_ECORRUPT;//test only /* Close the unified file on fatal file errors */ if(rval == SF_ECORRUPT || rval == SF_EBADLEN) { CloseFile(iterator); iterator->file_extension = 0; iterator->record_number = 0; return rval; } /* Drop out of finding the most recent record */ if(iterator->go_to_end) { 
iterator->go_to_end = 0; return SF_EAGAIN; } /* Is there a new file to rotate to? */ //we should never get here unless we have a truncated unified file (not unified2) if(iterator->new_file_found) { //Hey! this is it: Unified File_Read returned SF_END_OF_FILE if(rval == SF_END_OF_FILE) { iterator->status = STATUS_OK; } else if(rval == SF_EREAD_PARTIAL || rval == SF_EREAD_TRUNCATED) { fprintf(stderr,"SNORT(CRITICAL): File %s read is truncated (%s)\n", iterator->filepath,strerror(rval)); //ArchiveCurrentFile (iterator, "truncated"); } else { fprintf(stderr,"SNORT(UNIFIED): File %s read error:%s\n", iterator->filepath,strerror(rval)); } CloseFile(iterator); iterator->file_extension = 0; iterator->record_number = 0; /* Reset the new file found flag */ iterator->new_file_found = 0; continue; } else { int rval_read = rval; rval = FindNextSpoolFile(iterator, iterator->timestamp, 1, NULL, NULL); if(rval == 0) { if(rval_read == SF_EREAD_PARTIAL || rval_read == SF_EREAD_TRUNCATED) { iterator->new_file_found = 1;//need it only for the last read of a unified file iterator->err_status = 0; usleep(100); //give it the last chance to finish the last record } //for unified2->SF_END_OF_FILE, for unified->ENOENT --> Done reading else if(rval_read == SF_END_OF_FILE || rval_read == SF_ENOENT) { CloseFile(iterator); iterator->status = STATUS_OK; iterator->file_extension = 0; iterator->record_number = 0; } else { fprintf(stderr,"SNORT: File %s read error:%s\n",iterator->filepath,strerror(rval_read)); } continue; } else if(rval != SF_ENOENT) { /* Fatal search error */ fprintf(stderr,"Error finding next timestamped file %s\n",strerror(rval)); return rval; } iterator->err_status = SF_EREAD_PARTIAL; } return SF_EAGAIN; } return 0; } int SpoolFileIterator_SetPosition(SpoolFileIterator *iterator, uint32_t extension, uint32_t position) { if(!iterator) { return SF_EINVAL; } if(extension == 0) { iterator->go_to_end = 1; iterator->seek_set = 0; } else { iterator->seek_set = 1; iterator->go_to_end = 
0; iterator->seek_extension = extension; iterator->seek_position = position; } return 0; } static void CloseFile(SpoolFileIterator *iterator) { if (iterator->file_type == SPOOL_FILE_TYPE_UNIFIED2) { Unified2File_Close(iterator->u2f); iterator->u2f = NULL; } } static int OpenFile(char *filepath, SpoolFileIterator *iterator) { int rval = 0; if((rval = Unified2File_Open(filepath, &iterator->u2f)) == 0) { iterator->file_type = SPOOL_FILE_TYPE_UNIFIED2; } return rval; } snort-2.9.7.0/tools/u2streamer/Makefile.in0000644000000000000000000010331712416771463015241 00000000000000# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) 
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ bin_PROGRAMS = u2streamer$(EXEEXT) subdir = tools/u2streamer DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ 
$(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__installdirs = "$(DESTDIR)$(bindir)" PROGRAMS = $(bin_PROGRAMS) am_u2streamer_OBJECTS = u2streamer-u2streamer.$(OBJEXT) \ u2streamer-SpoolFileIterator.$(OBJEXT) \ u2streamer-Unified2.$(OBJEXT) \ u2streamer-Unified2File.$(OBJEXT) \ u2streamer-TimestampedFile.$(OBJEXT) \ u2streamer-UnifiedLog.$(OBJEXT) u2streamer-sf_error.$(OBJEXT) u2streamer_OBJECTS = $(am_u2streamer_OBJECTS) u2streamer_LDADD = $(LDADD) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent am__v_lt_1 = u2streamer_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(u2streamer_CFLAGS) \ $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) am__v_CC_0 = @echo " CC " $@; am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(u2streamer_SOURCES) 
DIST_SOURCES = $(u2streamer_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ @extra_incl@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LUA_CFLAGS = @LUA_CFLAGS@ LUA_LIBS = @LUA_LIBS@ MAINT = @MAINT@ 
MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ luajit_CFLAGS = @luajit_CFLAGS@ luajit_LIBS = @luajit_LIBS@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ 
program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign u2streamer_SOURCES = u2streamer.c SpoolFileIterator.c SpoolFileIterator.h Unified2.c Unified2.h Unified2File.c Unified2File.h TimestampedFile.c TimestampedFile.h UnifiedLog.c UnifiedLog.h sf_error.c sf_error.h u2streamer_CFLAGS = @CFLAGS@ $(AM_CFLAGS) EXTRA_DIST = all: all-am .SUFFIXES: .SUFFIXES: .c .lo .o .obj $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/u2streamer/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tools/u2streamer/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ if test -n "$$list"; then \ echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p \ || test -f $$p1 \ ; then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' \ -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ } \ ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; test -n 
"$(bindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' \ `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ echo " rm -f" $$list; \ rm -f $$list || exit $$?; \ test -n "$(EXEEXT)" || exit 0; \ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list u2streamer$(EXEEXT): $(u2streamer_OBJECTS) $(u2streamer_DEPENDENCIES) $(EXTRA_u2streamer_DEPENDENCIES) @rm -f u2streamer$(EXEEXT) $(AM_V_CCLD)$(u2streamer_LINK) $(u2streamer_OBJECTS) $(u2streamer_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2streamer-SpoolFileIterator.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2streamer-TimestampedFile.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2streamer-Unified2.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2streamer-Unified2File.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2streamer-UnifiedLog.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2streamer-sf_error.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/u2streamer-u2streamer.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< u2streamer-u2streamer.o: u2streamer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-u2streamer.o -MD -MP -MF $(DEPDIR)/u2streamer-u2streamer.Tpo -c -o u2streamer-u2streamer.o `test -f 'u2streamer.c' || echo '$(srcdir)/'`u2streamer.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-u2streamer.Tpo $(DEPDIR)/u2streamer-u2streamer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='u2streamer.c' object='u2streamer-u2streamer.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-u2streamer.o `test -f 'u2streamer.c' || echo '$(srcdir)/'`u2streamer.c u2streamer-u2streamer.obj: u2streamer.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-u2streamer.obj -MD -MP -MF $(DEPDIR)/u2streamer-u2streamer.Tpo -c -o u2streamer-u2streamer.obj `if test -f 'u2streamer.c'; then $(CYGPATH_W) 'u2streamer.c'; 
else $(CYGPATH_W) '$(srcdir)/u2streamer.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-u2streamer.Tpo $(DEPDIR)/u2streamer-u2streamer.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='u2streamer.c' object='u2streamer-u2streamer.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-u2streamer.obj `if test -f 'u2streamer.c'; then $(CYGPATH_W) 'u2streamer.c'; else $(CYGPATH_W) '$(srcdir)/u2streamer.c'; fi` u2streamer-SpoolFileIterator.o: SpoolFileIterator.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-SpoolFileIterator.o -MD -MP -MF $(DEPDIR)/u2streamer-SpoolFileIterator.Tpo -c -o u2streamer-SpoolFileIterator.o `test -f 'SpoolFileIterator.c' || echo '$(srcdir)/'`SpoolFileIterator.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-SpoolFileIterator.Tpo $(DEPDIR)/u2streamer-SpoolFileIterator.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='SpoolFileIterator.c' object='u2streamer-SpoolFileIterator.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-SpoolFileIterator.o `test -f 'SpoolFileIterator.c' || echo '$(srcdir)/'`SpoolFileIterator.c u2streamer-SpoolFileIterator.obj: SpoolFileIterator.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-SpoolFileIterator.obj -MD -MP -MF $(DEPDIR)/u2streamer-SpoolFileIterator.Tpo -c -o u2streamer-SpoolFileIterator.obj `if test 
-f 'SpoolFileIterator.c'; then $(CYGPATH_W) 'SpoolFileIterator.c'; else $(CYGPATH_W) '$(srcdir)/SpoolFileIterator.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-SpoolFileIterator.Tpo $(DEPDIR)/u2streamer-SpoolFileIterator.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='SpoolFileIterator.c' object='u2streamer-SpoolFileIterator.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-SpoolFileIterator.obj `if test -f 'SpoolFileIterator.c'; then $(CYGPATH_W) 'SpoolFileIterator.c'; else $(CYGPATH_W) '$(srcdir)/SpoolFileIterator.c'; fi` u2streamer-Unified2.o: Unified2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-Unified2.o -MD -MP -MF $(DEPDIR)/u2streamer-Unified2.Tpo -c -o u2streamer-Unified2.o `test -f 'Unified2.c' || echo '$(srcdir)/'`Unified2.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-Unified2.Tpo $(DEPDIR)/u2streamer-Unified2.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='Unified2.c' object='u2streamer-Unified2.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-Unified2.o `test -f 'Unified2.c' || echo '$(srcdir)/'`Unified2.c u2streamer-Unified2.obj: Unified2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-Unified2.obj -MD -MP -MF $(DEPDIR)/u2streamer-Unified2.Tpo -c -o u2streamer-Unified2.obj `if test -f 'Unified2.c'; then $(CYGPATH_W) 
'Unified2.c'; else $(CYGPATH_W) '$(srcdir)/Unified2.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-Unified2.Tpo $(DEPDIR)/u2streamer-Unified2.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='Unified2.c' object='u2streamer-Unified2.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-Unified2.obj `if test -f 'Unified2.c'; then $(CYGPATH_W) 'Unified2.c'; else $(CYGPATH_W) '$(srcdir)/Unified2.c'; fi` u2streamer-Unified2File.o: Unified2File.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-Unified2File.o -MD -MP -MF $(DEPDIR)/u2streamer-Unified2File.Tpo -c -o u2streamer-Unified2File.o `test -f 'Unified2File.c' || echo '$(srcdir)/'`Unified2File.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-Unified2File.Tpo $(DEPDIR)/u2streamer-Unified2File.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='Unified2File.c' object='u2streamer-Unified2File.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-Unified2File.o `test -f 'Unified2File.c' || echo '$(srcdir)/'`Unified2File.c u2streamer-Unified2File.obj: Unified2File.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-Unified2File.obj -MD -MP -MF $(DEPDIR)/u2streamer-Unified2File.Tpo -c -o u2streamer-Unified2File.obj `if test -f 'Unified2File.c'; then $(CYGPATH_W) 'Unified2File.c'; else $(CYGPATH_W) 
'$(srcdir)/Unified2File.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-Unified2File.Tpo $(DEPDIR)/u2streamer-Unified2File.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='Unified2File.c' object='u2streamer-Unified2File.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-Unified2File.obj `if test -f 'Unified2File.c'; then $(CYGPATH_W) 'Unified2File.c'; else $(CYGPATH_W) '$(srcdir)/Unified2File.c'; fi` u2streamer-TimestampedFile.o: TimestampedFile.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-TimestampedFile.o -MD -MP -MF $(DEPDIR)/u2streamer-TimestampedFile.Tpo -c -o u2streamer-TimestampedFile.o `test -f 'TimestampedFile.c' || echo '$(srcdir)/'`TimestampedFile.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-TimestampedFile.Tpo $(DEPDIR)/u2streamer-TimestampedFile.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='TimestampedFile.c' object='u2streamer-TimestampedFile.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-TimestampedFile.o `test -f 'TimestampedFile.c' || echo '$(srcdir)/'`TimestampedFile.c u2streamer-TimestampedFile.obj: TimestampedFile.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-TimestampedFile.obj -MD -MP -MF $(DEPDIR)/u2streamer-TimestampedFile.Tpo -c -o u2streamer-TimestampedFile.obj `if test -f 'TimestampedFile.c'; then 
$(CYGPATH_W) 'TimestampedFile.c'; else $(CYGPATH_W) '$(srcdir)/TimestampedFile.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-TimestampedFile.Tpo $(DEPDIR)/u2streamer-TimestampedFile.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='TimestampedFile.c' object='u2streamer-TimestampedFile.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-TimestampedFile.obj `if test -f 'TimestampedFile.c'; then $(CYGPATH_W) 'TimestampedFile.c'; else $(CYGPATH_W) '$(srcdir)/TimestampedFile.c'; fi` u2streamer-UnifiedLog.o: UnifiedLog.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-UnifiedLog.o -MD -MP -MF $(DEPDIR)/u2streamer-UnifiedLog.Tpo -c -o u2streamer-UnifiedLog.o `test -f 'UnifiedLog.c' || echo '$(srcdir)/'`UnifiedLog.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-UnifiedLog.Tpo $(DEPDIR)/u2streamer-UnifiedLog.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='UnifiedLog.c' object='u2streamer-UnifiedLog.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-UnifiedLog.o `test -f 'UnifiedLog.c' || echo '$(srcdir)/'`UnifiedLog.c u2streamer-UnifiedLog.obj: UnifiedLog.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-UnifiedLog.obj -MD -MP -MF $(DEPDIR)/u2streamer-UnifiedLog.Tpo -c -o u2streamer-UnifiedLog.obj `if test -f 'UnifiedLog.c'; then $(CYGPATH_W) 'UnifiedLog.c'; 
else $(CYGPATH_W) '$(srcdir)/UnifiedLog.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-UnifiedLog.Tpo $(DEPDIR)/u2streamer-UnifiedLog.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='UnifiedLog.c' object='u2streamer-UnifiedLog.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-UnifiedLog.obj `if test -f 'UnifiedLog.c'; then $(CYGPATH_W) 'UnifiedLog.c'; else $(CYGPATH_W) '$(srcdir)/UnifiedLog.c'; fi` u2streamer-sf_error.o: sf_error.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-sf_error.o -MD -MP -MF $(DEPDIR)/u2streamer-sf_error.Tpo -c -o u2streamer-sf_error.o `test -f 'sf_error.c' || echo '$(srcdir)/'`sf_error.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-sf_error.Tpo $(DEPDIR)/u2streamer-sf_error.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sf_error.c' object='u2streamer-sf_error.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-sf_error.o `test -f 'sf_error.c' || echo '$(srcdir)/'`sf_error.c u2streamer-sf_error.obj: sf_error.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -MT u2streamer-sf_error.obj -MD -MP -MF $(DEPDIR)/u2streamer-sf_error.Tpo -c -o u2streamer-sf_error.obj `if test -f 'sf_error.c'; then $(CYGPATH_W) 'sf_error.c'; else $(CYGPATH_W) '$(srcdir)/sf_error.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/u2streamer-sf_error.Tpo 
$(DEPDIR)/u2streamer-sf_error.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='sf_error.c' object='u2streamer-sf_error.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(u2streamer_CFLAGS) $(CFLAGS) -c -o u2streamer-sf_error.obj `if test -f 'sf_error.c'; then $(CYGPATH_W) 'sf_error.c'; else $(CYGPATH_W) '$(srcdir)/sf_error.c'; fi` mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-am TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-am CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-am cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ 
list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile $(PROGRAMS) installdirs: for dir in "$(DESTDIR)$(bindir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-am clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-binPROGRAMS install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: uninstall-binPROGRAMS .MAKE: install-am install-strip .PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \ clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \ ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-binPROGRAMS \ install-data install-data-am install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-binPROGRAMS # Tell versions [3.59,3.63) of GNU make to 
not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: snort-2.9.7.0/tools/u2streamer/Unified2File.h0000644000000000000000000000204112302007502015556 00000000000000 #ifndef __UNIFIED2_FILE_H__ #define __UNIFIED2_FILE_H__ /*! \defgroup Unified2File */ /** \addtogroup Unified2File */ /*@{*/ typedef struct _Unified2File { int fd; int read_status; int read_errno; int read_offset; Serial_Unified2_Header s_u2_hdr; Serial_Unified2HeaderExtension s_u2_hdr_ext; uint32_t checksum; Unified2Record *u2_record; } Unified2File; int Unified2File_Open(char *filepath, Unified2File **u2_file); /* * @retval SF_SUCCESS record read * @retval SF_ENOMEM out of memory * @retval SF_EINVAL invalid argument * @retval SF_EREAD read error * @retval SF_EREAD_TRUNCATED end of file while reading record * @retval SF_EREAD_PARTIAL partial read while reading record * @retval SF_END_OF_FILE end of file on record boundary * @retval -1 should never be reached */ int Unified2File_Read(Unified2File *u2_file, Unified2Record **u2_record); int Unified2File_Close(Unified2File *u2_file); /*@}*/ #endif /* __UNIFIED2_FILE_H__ */ snort-2.9.7.0/tools/u2streamer/sf_error.c0000644000000000000000000000403512302007502015132 00000000000000 #include "sf_error.h" #include static const char * const SF_errstrings[] = { "SUCCESS", // 0 "Invalid Argument", "Unsupported/Unimplemented", "Out of memory", "Out of range", "Not allowed", "No entry", "Already exists", "Unhandled database error", "Syntax error", "required User value missing", // 10 "required User Role value missing", "required TimeSpent value missing", "required Comment value missing", "Database corrupt due to lack of transactions", "required Type value missing", "required State value missing", "required Summary value missing", "Resource busy", "No space", "General read error", // 20 "End of file", "Try Again", "Partial Read", "Not connected", "Read Truncated", "Closed", "Protocol Unsupported", "Not supported", "Write 
Error", "Partial Write", // 30 "Bad Length", "Protocol Violation", "Peer Error", "Not a directory", "Mutex error", "Invalid mutex", "Mutex deadlock avoided", "Open failed", "Resource locked", "SSL Error", // 40 "Invalid license", "Invalid license for platform", "Corrupt license", "No valid ciphers", "CRL expired", "Does not match", "Socket error", "Nitro database error", "License unavailable/does not have a license", "Already has a license", // 50 "Corrupt file", "Bad magic", "Bad linktype", "Continue", "Invalid Hostname", "Couldn't create user - license limit reached", // 56 - SF_EUSER_LIMIT_REACHED "Error in deleting file or entry in memory", // 57 - SF_EDELETE "Error manipulating memory" // 58 - SF_EMEM }; #define SF_MAX_ERRNUM (sizeof(SF_errstrings)/sizeof(SF_errstrings[0])) const char *sf_strerror(int errnum) { if(errnum == -1) return "General error"; if(errnum >= (int)SF_MAX_ERRNUM || errnum < 0) return "Unknown Error"; return SF_errstrings[errnum]; } snort-2.9.7.0/tools/u2streamer/Unified2File.c0000644000000000000000000002616112345604073015577 00000000000000 /* System includes */ #include #ifdef LINUX #include #endif #include #include #include #include #include #include #include #include #include #include /* Sourcefire includes */ #include #include /* Local includes */ #include "Unified2.h" #include "Unified2File.h" #define U2FILE_STATUS_NOT_READY 0 #define U2FILE_STATUS_HEADER_READY 1 #define U2FILE_STATUS_HEADER_PARTIAL 2 #define U2FILE_STATUS_EXTENDED_HEADER_READY 3 #define U2FILE_STATUS_EXTENDED_HEADER_PARTIAL 4 #define U2FILE_STATUS_DATA_READY 5 #define U2FILE_STATUS_DATA_PARTIAL 6 #ifndef MAX_U2_MESSAGE #define MAX_U2_MESSAGE (16*1024*1024) #endif #define U2R_EXTENDED_HEADER_BIT 0x80000000 /* Unified2 File API **********************************************************/ int Unified2File_Open(char *filepath, Unified2File **u2_file) { Unified2File *tmp; char fn[1024]; if(!filepath || !u2_file) return SF_EINVAL; if(!(tmp = (Unified2File *)calloc(1, 
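sizeof(Unified2File)))) {
        fprintf(stderr, "Out of memory (wanted %zu bytes)", sizeof(Unified2File));
        return SF_ENOMEM;
    }

    /* Fresh handle: no descriptor yet, positioned to read a record header. */
    tmp->fd = -1;
    tmp->read_status = U2FILE_STATUS_HEADER_READY;
    tmp->read_errno = 0;
    tmp->read_offset = 0;
    tmp->u2_record = NULL;

    if((tmp->fd = open(filepath, O_RDONLY)) == -1)
    {
        /* Report the path the caller passed in.  The local 'fn' buffer
         * declared above is never written to, so printing it (as this code
         * used to) emitted uninitialized stack bytes instead of the path. */
        fprintf(stderr, "Unable to open file '%s': %s", filepath, strerror(errno));
        free(tmp);
        return SF_EOPEN; /* XXX better return code */
    }

    *u2_file = tmp;
    return SF_SUCCESS;
}

/* Release a handle obtained from Unified2File_Open: destroy any record still
 * attached to it, close the descriptor (if one was opened) and free the
 * handle itself.
 *
 * @retval SF_EINVAL  u2_file is NULL
 * @retval SF_SUCCESS handle released; u2_file must not be used afterwards
 */
int Unified2File_Close(Unified2File *u2_file)
{
    if(!u2_file)
        return SF_EINVAL;

    if(u2_file->u2_record)
        Unified2Record_Destroy(u2_file->u2_record);
    u2_file->u2_record = NULL;

    if(u2_file->fd != -1)
        close(u2_file->fd);
    u2_file->fd = -1;
    u2_file->read_status = 0;

    free(u2_file);

    return SF_SUCCESS;
}

/* Read the next record from u2_file into *u2_record.  The read is resumable:
 * a short read records how far it got in read_status/read_offset and returns
 * SF_EREAD_PARTIAL so the caller can call again.  Return codes are listed
 * next to the prototype in Unified2File.h. */
int Unified2File_Read(Unified2File *u2_file, Unified2Record **u2_record)
{
    ssize_t bytes_read;
    ssize_t bytes_wanted;
    int error_count = 0;

    if(!u2_file || !u2_record)
        return SF_EINVAL;

    /* A previous read error leaves the handle unusable. */
    if(u2_file->read_status == U2FILE_STATUS_NOT_READY)
        return SF_EREAD;

    /* allocate a new record */
    if(!u2_file->u2_record)
    {
        /* XXX we should check that we are in the HEADER_READY state */
        if(!(u2_file->u2_record = (Unified2Record *)calloc(1, sizeof(Unified2Record))))
        {
            fprintf(stderr, "Out of memory (wanted %zu bytes)", sizeof(Unified2Record));
            return SF_ENOMEM;
        }
        u2_file->read_offset = 0;
        u2_file->read_status = U2FILE_STATUS_HEADER_READY;
    }

    if(u2_file->read_status == U2FILE_STATUS_HEADER_READY
            || u2_file->read_status == U2FILE_STATUS_HEADER_PARTIAL)
    {
read_again:
        /* read the header, continuing from read_offset if a previous call
         * only got part of it */
        bytes_wanted = sizeof(Serial_Unified2_Header);
        bytes_read = read(u2_file->fd,
                ((u_int8_t *)&u2_file->s_u2_hdr) + u2_file->read_offset,
                bytes_wanted - u2_file->read_offset);

        /* end of file **************************/
        if(bytes_read == 0)
        {
            if(u2_file->read_status == U2FILE_STATUS_HEADER_PARTIAL)
            {
                fprintf(stderr, "End of file within header");
                if(errno)
                    return SF_EREAD_TRUNCATED;
                return SF_EREAD_PARTIAL;
            }
            //fprintf(stderr, "End of file on record boundary");
            return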
SF_END_OF_FILE; } /* Read error **************************/ if(bytes_read == -1) { /* read error */ fprintf(stderr, "Read error: %s", strerror(errno)); u2_file->read_errno = errno; u2_file->read_status = U2FILE_STATUS_NOT_READY; return SF_EREAD; } /* check for partial read *************/ if(bytes_read + u2_file->read_offset < bytes_wanted) { u2_file->read_offset += bytes_read; u2_file->read_status = U2FILE_STATUS_HEADER_PARTIAL; fprintf(stderr, "Partial header read (%u of %zu bytes)", u2_file->read_offset, bytes_wanted); return SF_EREAD_PARTIAL; } /* basic header read is complete */ /* process basic header data */ u2_file->u2_record->type = ntohl(u2_file->s_u2_hdr.type); u2_file->u2_record->length = ntohl(u2_file->s_u2_hdr.length); /* XXX we have enough info now to allocate storage for the data */ if(!u2_file->u2_record->length || (u2_file->u2_record->length >= MAX_U2_MESSAGE)) { /* Seek back to where we started, in case we want to try again */ off_t rval = lseek(u2_file->fd, (0 - bytes_read), SEEK_CUR); fprintf(stderr, "Seek backwards %zu bytes, seek returns %ld", bytes_read, rval); error_count++; usleep(100); if (error_count >= 10) { fprintf(stderr, "Unsupported length: Tried to read (%d bytes - allowed %d) at offset %ld Type %u", u2_file->u2_record->length, MAX_U2_MESSAGE, rval, u2_file->u2_record->type & ~U2R_EXTENDED_HEADER_BIT); return SF_EBADLEN; } else { goto read_again; } } /* check to see if we have an extended header */ if(u2_file->u2_record->type & U2R_EXTENDED_HEADER_BIT) { u2_file->read_status = U2FILE_STATUS_EXTENDED_HEADER_READY; u2_file->u2_record->type &= ~U2R_EXTENDED_HEADER_BIT; } else { u2_file->u2_record->timestamp = 0; u2_file->checksum = 0; u2_file->read_status = U2FILE_STATUS_DATA_READY; } u2_file->read_offset = 0; } if(error_count > 0) { fprintf(stderr, "Bogus corrupt file, re-read %d times before file valid.", error_count); } if(u2_file->read_status == U2FILE_STATUS_EXTENDED_HEADER_READY || u2_file->read_status == 
U2FILE_STATUS_EXTENDED_HEADER_PARTIAL) { /* read the header extensions */ bytes_wanted = sizeof(Serial_Unified2HeaderExtension); bytes_read = read(u2_file->fd, ((u_int8_t *)&u2_file->s_u2_hdr_ext) + u2_file->read_offset, bytes_wanted - u2_file->read_offset); /* end of file **************************/ if(bytes_read == 0) { fprintf(stderr, "End of file within header"); if(errno) return SF_EREAD_TRUNCATED; return SF_EREAD_PARTIAL; } /* Read error **************************/ if(bytes_read == -1) { /* read error */ fprintf(stderr, "Read error: %s", strerror(errno)); u2_file->read_errno = errno; u2_file->read_status = U2FILE_STATUS_NOT_READY; return SF_EREAD; } /* check for partial read *************/ if(bytes_read + u2_file->read_offset < bytes_wanted) { u2_file->read_offset += bytes_read; u2_file->read_status = U2FILE_STATUS_EXTENDED_HEADER_PARTIAL; fprintf(stderr, "Partial header read (%u of %zu bytes)", u2_file->read_offset, bytes_wanted); return SF_EREAD_PARTIAL; } /* header extension read complete */ /* process header extenstion data */ //VLAD we do have an extended header? 
u2_file->u2_record->timestamp = ntohl(u2_file->s_u2_hdr_ext.timestamp); u2_file->checksum = ntohl(u2_file->s_u2_hdr_ext.checksum); u2_file->read_status = U2FILE_STATUS_DATA_READY; u2_file->read_offset = 0; } /* we should not have any of these, but just in case */ if(u2_file->u2_record->length == 0) { u2_file->read_offset = 0; u2_file->read_status = U2FILE_STATUS_HEADER_READY; *u2_record = u2_file->u2_record; u2_file->u2_record = NULL; return SF_SUCCESS; } /* XXX some other length sanity checking may be desirable */ /* read the actual data ***********************/ if(u2_file->read_status == U2FILE_STATUS_DATA_READY || u2_file->read_status == U2FILE_STATUS_DATA_PARTIAL) { /* allocate memory if we have not done so yet */ if(!u2_file->u2_record->data) { if(!u2_file->u2_record->length || (u2_file->u2_record->length >= MAX_U2_MESSAGE)) { fprintf(stderr, "Unsupported length: Tried to read (%d bytes - allowed %d) Type %u", u2_file->u2_record->length, MAX_U2_MESSAGE, u2_file->u2_record->type & ~U2R_EXTENDED_HEADER_BIT); return SF_EBADLEN; } /* allocate the buffer (we could do this earlier) */ if(!(u2_file->u2_record->data = calloc(u2_file->u2_record->length,sizeof(uint8_t)))) { fprintf(stderr,"Out of memory (wanted %u bytes)",u2_file->u2_record->length); return SF_ENOMEM; /* Amazingly enough, this is not a fatal error. 
if the user * frees up some memory, we can try again */ } } /* read the actual data */ bytes_wanted = u2_file->u2_record->length; bytes_read = read(u2_file->fd, ((u_int8_t *)u2_file->u2_record->data) + u2_file->read_offset, bytes_wanted - u2_file->read_offset); /* end of file **************************/ if(bytes_read == 0) { fprintf(stderr, "End of file reading data"); if(errno) return SF_EREAD_TRUNCATED; return SF_EREAD_PARTIAL; } /* Read error **************************/ if(bytes_read == -1) { /* read error */ fprintf(stderr, "Read error: %s", strerror(errno)); u2_file->read_errno = errno; u2_file->read_status = U2FILE_STATUS_NOT_READY; return SF_EREAD; } /* check for partial read *************/ if(bytes_read + u2_file->read_offset < bytes_wanted) { u2_file->read_offset += bytes_read; u2_file->read_status = U2FILE_STATUS_DATA_PARTIAL; fprintf(stderr, "Partial header read (%u of %zu bytes)", u2_file->read_offset, bytes_wanted); return SF_EREAD_PARTIAL; } /* data read complete */ if(u2_file->checksum != 0) { /* XXX validation code goes here */ } u2_file->read_offset = 0; u2_file->read_status = U2FILE_STATUS_HEADER_READY; *u2_record = u2_file->u2_record; u2_file->u2_record = NULL; return SF_SUCCESS; } /* We should never get here */ return -1; } snort-2.9.7.0/tools/u2streamer/UnifiedLog.h0000644000000000000000000000202712302007502015342 00000000000000 #ifndef __UNIFIED_LOG_H__ #define __UNIFIED_LOG_H__ #include #ifdef LINUX #include #endif #include "sf_types.h" struct u2_timeval { uint32_t tv_sec; uint32_t tv_usec; }; /* Miscelaneous data structures */ typedef struct SnortEvent { uint32_t sig_generator; uint32_t sig_id; uint32_t sig_rev; uint32_t classification; uint32_t priority; uint32_t event_id; uint32_t event_reference; struct u2_timeval ref_time; } SnortEvent; #define SNORT_EVENT_LENGTH 36 typedef struct _SnortPktHeader { struct u2_timeval ts; uint32_t caplen; uint32_t pktlen; } SnortPktHeader; #define SNORT_PKT_HEADER_LENGTH 16 /* Snort Unified Log Record API 
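***********************************************/
typedef struct _UnifiedLog
{
    SnortEvent event;
    uint32_t flags;
    SnortPktHeader pkth;
    uint8_t *packet;
} UnifiedLog;

/**
 * Free a Unified Log record
 */
int UnifiedLog_Destroy(UnifiedLog *unified_log);

#endif /*__UNIFIED_LOG_H__ */
snort-2.9.7.0/tools/u2streamer/TimestampedFile.c0000644000000000000000000000661612302007502016374 00000000000000
/* System includes */
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#ifdef LINUX
#include 
#endif

/* local includes */
#include "sf_error.h"
#include "TimestampedFile.h"

#define MODULE_NAME "TimestampedFile"

/*
 * FindNextTimestampedFile
 *
 * Scan `directory` for entries named `<file_prefix><digits>` and pick one
 * timestamp relative to `timestamp` according to `mode`:
 *   mode 2  : smallest timestamp >= specified
 *   mode 1  : smallest timestamp >  specified
 *   other   : largest timestamp  <= specified; if none exists, the smallest
 *             timestamp > specified
 *
 * Entries are skipped when the character after the prefix is not a digit,
 * when the text after the last '.' does not start with a digit, when no
 * number can be parsed, or when the number does not fit in a uint32_t.
 *
 * On success the chosen value is written to *next_timestamp (if non-NULL)
 * and 0 is returned.  Returns SF_EINVAL for NULL directory/prefix, SF_EOPEN
 * if the directory cannot be opened, SF_EREAD if readdir() reports EBADF,
 * SF_ENOENT if no matching file was found.
 */
int FindNextTimestampedFile(char *directory, char *file_prefix,
                            uint32_t timestamp, int mode,
                            uint32_t *next_timestamp)
{
    DIR *dir = NULL;
    struct dirent *entry;
    unsigned long file_timestamp;
    unsigned long selected_timestamp = 0;
    char *extension;

    /* check arguments */
    if(!directory || !file_prefix)
        return SF_EINVAL;

    if(!(dir = opendir(directory)))
    {
        fprintf(stderr, "Unable to open directory '%s': %s", directory, strerror(errno));
        return SF_EOPEN;
    }

    /* Reset errno so a NULL from readdir() can be told apart from an error */
    errno = 0;

    while((entry = readdir(dir)))
    {
        char *ts_test = NULL;

        if(strncmp(entry->d_name, file_prefix, strlen(file_prefix)) != 0)
            continue;

        /* Make sure timestamp comes right after prefix - necessary for
         * snapshot file at least.  isdigit() takes an int in the unsigned
         * char range, so cast before the call. */
        ts_test = entry->d_name + strlen(file_prefix);
        if(!isdigit((unsigned char)ts_test[0]))
            continue;

        /* The text after the last '.' must start with a digit; this rejects
         * sibling files such as "<prefix>1234.bak". */
        ts_test = strrchr(entry->d_name, '.');
        if(ts_test && !isdigit((unsigned char)ts_test[1]))
        {
            fprintf(stderr, "Skip validating file '%s' (%s)", entry->d_name, ts_test);
            continue;
        }

        extension = entry->d_name + strlen(file_prefix);
        if((file_timestamp = strtoul(extension, NULL, 10)) == 0)
        {
            fprintf(stderr, "Failed to extract timestamp from '%s'", entry->d_name);
            continue;
        }

        /* The result is returned as uint32_t; a value that would be
         * truncated would point the caller at a file that does not exist. */
        if(file_timestamp > 0xFFFFFFFFUL)
            continue;

        if(mode == 2) /* return smallest timestamp >= specified */
        {
            if(file_timestamp < timestamp)
                continue;
            if((selected_timestamp != 0) && file_timestamp > selected_timestamp)
                continue;
            selected_timestamp = file_timestamp;
        }
        else if(mode == 1) /* return timestamp > specified */
        {
            if(file_timestamp <= timestamp)
                continue;
            if((selected_timestamp != 0) && file_timestamp > selected_timestamp)
                continue;
            selected_timestamp = file_timestamp;
        }
        else /* return timestamp <= specified */
        {
            if(selected_timestamp == 0)
            {
                selected_timestamp = file_timestamp;
                continue;
            }

            if(file_timestamp > timestamp)
            {
                /* Only ever improves a "> specified" fallback: a selected
                 * value <= specified is never larger than file_timestamp. */
                if(selected_timestamp > file_timestamp)
                    selected_timestamp = file_timestamp;
            }
            else /* file_timestamp <= timestamp */
            {
                /* A candidate <= specified always beats a fallback that is
                 * > specified; among candidates <= specified the largest wins.
                 * Without the first clause a "> specified" entry seen earlier
                 * in readdir() order was never displaced, so the result
                 * depended on directory order. */
                if(selected_timestamp > timestamp ||
                   selected_timestamp <= file_timestamp)
                    selected_timestamp = file_timestamp;
            }
        }
    }

    if(errno == EBADF)
    {
        fprintf(stderr, "Error reading directory %s", strerror(errno));
        closedir(dir);
        return SF_EREAD;
    }

    closedir(dir);

    if(selected_timestamp == 0) /* no file found */
        return SF_ENOENT;

    if(next_timestamp)
        *next_timestamp = selected_timestamp;

    return 0;
}
snort-2.9.7.0/tools/u2streamer/Makefile.am0000644000000000000000000000054512345604073015220 00000000000000AUTOMAKE_OPTIONS=foreign
bin_PROGRAMS = u2streamer
u2streamer_SOURCES = u2streamer.c SpoolFileIterator.c SpoolFileIterator.h Unified2.c Unified2.h Unified2File.c Unified2File.h TimestampedFile.c TimestampedFile.h UnifiedLog.c UnifiedLog.h sf_error.c sf_error.h
u2streamer_CFLAGS = @CFLAGS@ $(AM_CFLAGS)
EXTRA_DIST =
INCLUDES = @INCLUDES@ @extra_incl@
snort-2.9.7.0/tools/Makefile.in0000644000000000000000000004477112416771463013160 00000000000000# Makefile.in generated by automake 1.13.4 from Makefile.am.
# @configure_input@

# Copyright (C) 1994-2013 Free Software Foundation, Inc.

# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.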
@SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @FEAT_OPEN_APPID_TRUE@am__append_1 = u2openappid u2streamer subdir = tools DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = 
$(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = depcomp = am__depfiles_maybe = SOURCES = DIST_SOURCES = RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ install-exec-recursive install-html-recursive \ install-info-recursive install-pdf-recursive \ install-ps-recursive install-recursive installcheck-recursive \ installdirs-recursive pdf-recursive ps-recursive \ tags-recursive uninstall-recursive am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive am__recursive_targets = \ $(RECURSIVE_TARGETS) \ $(RECURSIVE_CLEAN_TARGETS) \ $(am__extra_recursive_targets) AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ distdir am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is # *not* preserved. am__uniquify_input = $(AWK) '\ BEGIN { nonempty = 0; } \ { items[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in items) print i; }; } \ ' # Make sure the list of sources is unique. 
This is necessary because, # e.g., the same source file might be shared among _SOURCES variables # for different programs/libraries. am__define_uniq_tagged_files = \ list='$(am__tagged_files)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags DIST_SUBDIRS = u2boat u2spewfoo control file_server u2openappid \ u2streamer DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = 
@LEX@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LUA_CFLAGS = @LUA_CFLAGS@ LUA_LIBS = @LUA_LIBS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ 
luajit_CFLAGS = @luajit_CFLAGS@ luajit_LIBS = @luajit_LIBS@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign no-dependencies @BUILD_CONTROL_SOCKET_TRUE@CONTROL_DIR = control @FEAT_FILE_INSPECT_TRUE@FILE_INSPECT_SERVER = file_server SUBDIRS = u2boat u2spewfoo $(CONTROL_DIR) $(FILE_INSPECT_SERVER) \ $(am__append_1) all: all-recursive .SUFFIXES: $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tools/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tools/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs # This directory's subdirectories are mostly independent; you can cd # into them and run 'make' without going through this Makefile. # To change the values of 'make' variables: instead of editing Makefiles, # (1) if the variable is set in 'config.status', edit 'config.status' # (which will cause the Makefiles to be regenerated when you run 'make'); # (2) otherwise, pass the desired values on the 'make' command line. 
$(am__recursive_targets): @fail=; \ if $(am__make_keepgoing); then \ failcom='fail=yes'; \ else \ failcom='exit 1'; \ fi; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" ID: $(am__tagged_files) $(am__define_uniq_tagged_files); mkid -fID $$unique tags: tags-recursive TAGS: tags tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! 
-f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: ctags-recursive CTAGS: ctags ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" cscopelist: cscopelist-recursive cscopelist-am: $(am__tagged_files) list='$(am__tagged_files)'; \ case "$(srcdir)" in \ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ *) sdir=$(subdir)/$(srcdir) ;; \ esac; \ for i in $$list; do \ if test -f "$$i"; then \ echo "$(subdir)/$$i"; \ else \ echo "$$sdir/$$i"; \ fi; \ done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ $(am__make_dryrun) \ || test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done check-am: all-am check: check-recursive all-am: Makefile installdirs: installdirs-recursive installdirs-am: install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z 
"$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." clean: clean-recursive clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-recursive -rm -f Makefile distclean-am: clean-am distclean-generic distclean-tags dvi: dvi-recursive dvi-am: html: html-recursive html-am: info: info-recursive info-am: install-data-am: install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: .MAKE: $(am__recursive_targets) install-am install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \ check-am clean clean-generic clean-libtool cscopelist-am ctags \ ctags-am distclean distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ installdirs-am maintainer-clean maintainer-clean-generic \ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ ps ps-am tags tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all 
variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: snort-2.9.7.0/tools/Makefile.am0000644000000000000000000000045612345604073013130 00000000000000AUTOMAKE_OPTIONS=foreign no-dependencies if BUILD_CONTROL_SOCKET CONTROL_DIR = control endif if FEAT_FILE_INSPECT FILE_INSPECT_SERVER=file_server endif SUBDIRS = u2boat u2spewfoo $(CONTROL_DIR) $(FILE_INSPECT_SERVER) if FEAT_OPEN_APPID SUBDIRS += u2openappid u2streamer endif INCLUDES = @INCLUDES@ snort-2.9.7.0/configure.in0000644000000000000000000013306212416030330012231 00000000000000# $Id$ AC_INIT AC_CONFIG_SRCDIR([src/snort.c]) AC_PREREQ(2.50) #LT_PREREQ([2.2.6]) AM_CONFIG_HEADER(config.h) # When changing the snort version, please also update the VERSION # definition in "src/win32/WIN32-Includes/config.h" AM_INIT_AUTOMAKE(snort,2.9.7.0) NO_OPTIMIZE="no" ADD_WERROR="no" # Test for -Werror and sed it out for now since some of the auto tests, # for example AC_CHECK_LIB, will fail because of # warning: conflicting types for built-in function if eval "echo $CFLAGS | grep -e -Werror"; then CFLAGS=`echo $CFLAGS | sed -e "s/-Werror//g"` ADD_WERROR="yes" fi # Disable annoying practice of recursively re-running the autotools AM_MAINTAINER_MODE AC_PROG_CC_STDC AC_PROG_CC AC_PROG_LIBTOOL AC_PROG_RANLIB AC_C_BIGENDIAN AC_C_INLINE #AC_CANONICAL_HOST linux="no" sunos4="no" macos="no" so_with_static_lib="yes" case "$host" in *-openbsd2.6|*-openbsd2.5|*-openbsd2.4|*-openbsd2.3*) AC_DEFINE([OPENBSD],[1],[Define if OpenBSD]) AC_DEFINE([BROKEN_SIOCGIFMTU],[1],[Define if BROKEN_SIOCGIFMTU]) so_with_static_lib="no" ;; *-openbsd*) AC_DEFINE([OPENBSD],[1],[Define if OpenBSD < 2.3]) so_with_static_lib="no" ;; *-sgi-irix5*) AC_DEFINE([IRIX],[1],[Define if Irix 5]) no_libsocket="yes" no_libnsl="yes" if test -z "$GCC"; then sgi_cc="yes" fi LDFLAGS="${LDFLAGS} -L/usr/local/lib" extra_incl="-I/usr/local/include" ;; *-sgi-irix6*) AC_DEFINE([IRIX],[1],[Define if Irix 6]) no_libsocket="yes" no_libnsl="yes" if test -z 
"$GCC"; then sgi_cc="yes" fi LDFLAGS="${LDFLAGS} -L/usr/local/lib" extra_incl="-I/usr/local/include" ;; *-solaris*) AC_DEFINE([SOLARIS],[1],[Define if Solaris]) CONFIGFLAGS="${CONFIGFLAGS} -DBSD_COMP -D_REENTRANT" rt_nanosleep="yes" ;; *-sunos*) AC_DEFINE([SUNOS],[1],[Define if SunOS]) sunos4="yes" ;; *-linux*) linux="yes" AC_DEFINE([LINUX],[1],[Define if Linux]) AC_SUBST(extra_incl) extra_incl="-I/usr/include/pcap" ;; *-hpux10*|*-hpux11*) AC_DEFINE([HPUX],[1],[Define if HP-UX 10 or 11]) AC_DEFINE([WORDS_BIGENDIAN],[1],[Define if words are big endian]) AC_SUBST(extra_incl) extra_incl="-I/usr/local/include" ;; *-freebsd*) AC_DEFINE([FREEBSD],[1],[Define if FreeBSD]) ;; *-bsdi*) AC_DEFINE([BSDI],[1],[Define if BSDi]) ;; *-aix*) AC_DEFINE([AIX],[1],[Define if AIX]) ;; *-osf4*) AC_DEFINE([OSF1],[1],[Define if OSF-4]) CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" ;; *-osf5.1*) AC_DEFINE([OSF1],[1],[Define if OSF-5.1]) CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" ;; *-tru64*) AC_DEFINE([OSF1],[1],[Define if Tru64]) CONFIGFLAGS="${CONFIGFLAGS} -DOSF1" ;; # it is actually -apple-darwin1.2 or -apple-rhapsody5.x but lets stick with this for the moment *-apple*) macos="yes" AC_DEFINE([MACOS],[1],[Define if MacOS]) AC_DEFINE([BROKEN_SIOCGIFMTU],[1],[Define if broken SIOCGIFMTU]) esac AC_HEADER_STDBOOL # ICC stuff ICC=no if eval "echo $CC | grep icc > /dev/null" ; then if eval "$CC -help | grep libcxa > /dev/null" ; then CFLAGS="$CFLAGS -static-libcxa" LDFLAGS="$LDFLAGS -static-libcxa" XCCFLAGS="-XCClinker -static-libcxa" else CFLAGS="$CFLAGS -static-intel" LDFLAGS="$LDFLAGS -static-intel" XCCFLAGS="-XCClinker -static-intel" fi #CFLAGS=`echo $CFLAGS | sed 's/-O2/-O3/'` CFLAGS="$CFLAGS -O3 -ip -w1" ICC=yes GCC= fi AC_SUBST(XCCFLAGS) # This is really meant for Solaris Sparc v9 where it has 32bit and 64bit # capability but builds 32bit by default AC_ARG_ENABLE(64bit-gcc, [ --enable-64bit-gcc Try to compile 64bit (only tested on Sparc Solaris 9 and 10).], enable_64bit_gcc="$enableval", 
enable_64bit_gcc="no")
# -m64 only makes sense where the toolchain can emit both ABIs (the option
# text above names Sparc Solaris); other compilers may reject the flag.
if test "x$enable_64bit_gcc" = "xyes"; then
  CFLAGS="$CFLAGS -m64"
fi

# AC_PROG_YACC defaults to "yacc" when not found
# this check defaults to "none"
AC_CHECK_PROGS(YACC,bison yacc,none)

# AC_PROG_YACC includes the -y arg if bison is found
if test "x$YACC" = "xbison"; then
  YACC="$YACC -y"
fi

# AC_PROG_LEX defaults to ":" when not found
# this check defaults to "none"
# We're using flex specific options so we don't support lex
AC_CHECK_PROGS(LEX,flex,none)

# dnl checking headers
AC_CHECK_HEADERS([ \
  inttypes.h \
  math.h \
  paths.h \
  stdlib.h \
  string.h \
  strings.h \
  unistd.h \
  wchar.h \
  sys/sockio.h \
])

# wchar.h availability switches on the wide-character code paths (SF_WCHAR).
if test "x$ac_cv_header_wchar_h" = "xyes"; then
  CONFIGFLAGS="${CONFIGFLAGS} -DSF_WCHAR"
fi

AC_CHECK_LIB([m],[floor])
AC_CHECK_LIB([m],[ceil])
AC_CHECK_HEADERS(uuid/uuid.h, [AC_CHECK_LIB(uuid,uuid_parse)])

# rt_nanosleep is set to "yes" by the Solaris case of the host switch above.
if test "x$rt_nanosleep" = "xyes"; then
  AC_CHECK_LIB([rt],[nanosleep])
fi

dnl make sure we've got all our libraries
if test -z "$no_libnsl"; then
  AC_CHECK_LIB(nsl, inet_ntoa)
fi

if test -z "$no_libsocket"; then
  AC_CHECK_LIB(socket, socket)
fi

# SunOS4 has several things `broken'
# NOTE(review): as far as this file shows, sunos4 is only ever assigned "yes"
# (in the host switch above), so on every other host it is empty and this
# condition is still true. The checks are harmless there: the functions are
# found and no -ldb / -l44bsd is appended.
if test "$sunos4" != "no"; then
  AC_CHECK_FUNCS(vsnprintf,, LIBS="$LIBS -ldb")
  AC_CHECK_FUNCS(strtoul,, LIBS="$LIBS -l44bsd")
fi

# some funky macro to be backwards compatible with earlier autoconfs
# in current they have AC_CHECK_DECLS
#
# SN_CHECK_DECL(FUNC, [ACTION-IF-NEEDED], [ACTION-IF-NOT-NEEDED])
# Compiles a program that takes FUNC's address. If that fails, FUNC has no
# visible prototype and sn_cv_decl_needed_FUNC is cached as "yes".
# NOTE(review): the header names inside the test program appear to have been
# lost when this page was extracted (each "#include" is followed by nothing);
# the guarded ones are implied by their HAVE_* macro, the others must be
# restored from the upstream configure.in.
AC_DEFUN([SN_CHECK_DECL],[
AC_MSG_CHECKING([whether $1 must be declared])
AC_CACHE_VAL(sn_cv_decl_needed_$1,
[AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include /* header name lost in page extraction; restore from upstream */
#ifdef HAVE_STRING_H
#include /* <string.h>, per the guard; name lost in page extraction */
#endif
#ifdef HAVE_STRINGS_H
#include /* <strings.h>, per the guard; name lost in page extraction */
#endif
#ifdef HAVE_STDLIB_H
#include /* <stdlib.h>, per the guard; name lost in page extraction */
#endif
#ifdef HAVE_UNISTD_H
#include /* <unistd.h>, per the guard; name lost in page extraction */
#endif
#include /* header name lost in page extraction; restore from upstream */
#include /* header name lost in page extraction; restore from upstream */
#include /* header name lost in page extraction; restore from upstream */
]], [[char *(*pfn); pfn = (char *(*)) $1;]])],[eval "sn_cv_decl_needed_$1=no"],[eval "sn_cv_decl_needed_$1=yes"])
])
if eval "test \"`echo '$sn_cv_decl_needed_'$1`\" != no"; then
  AC_MSG_RESULT(yes)
  ifelse([$2], , :, [$2])
else
  AC_MSG_RESULT(no)
  ifelse([$3], , ,[$3])
fi
])dnl

dnl SN_CHECK_DECLS(FUNC-LIST, [ACTION-IF-NEEDED], [ACTION-IF-NOT-NEEDED])
dnl Runs SN_CHECK_DECL over every word of FUNC-LIST and defines
dnl NEED_DECL_<FUNC> (upper-cased) for each one that lacks a declaration.
AC_DEFUN([SN_CHECK_DECLS],
[for sn_decl in $1
do
  sn_def_decl=`echo $sn_decl | tr [a-z] [A-Z]`
  SN_CHECK_DECL($sn_decl,
  [
    AC_DEFINE_UNQUOTED(NEED_DECL_$sn_def_decl, 1, [you have this cuz autoheader is dumb])
    $2], $3)dnl
done
])

# some stuff for declarations which were missed on sunos4 platform too.
#
# add `#undef NEED_DECL_FUNCTIONNAME to acconfig.h` because autoheader
# fails to work properly with custom macros.
# you will see also #undef for each SN_CHECK_DECLS macro invocation
# because autoheader doesn't execute shell script commands.
# it is possible to make loops using m4 but the code would look even
# more confusing..
SN_CHECK_DECLS(printf fprintf syslog puts fputs fputc fopen \
  fclose fwrite fflush getopt bzero bcopy memset strtol \
  strcasecmp strncasecmp strerror perror socket sendto \
  vsnprintf snprintf strtoul)

AC_CHECK_FUNCS([sigaction strlcpy strlcat strerror vswprintf wprintf memrchr inet_ntop])

# Without a system snprintf the BUILD_SNPRINTF conditional compiles a
# replacement; HAVE_SNPRINTF is defined only when the libc one exists.
AC_CHECK_FUNC([snprintf],[have_snprintf="yes"],[have_snprintf="no"])
AM_CONDITIONAL(BUILD_SNPRINTF, test "x$have_snprintf" != "xyes")
if test "x$have_snprintf" = "xyes"; then
  AC_DEFINE([HAVE_SNPRINTF], [], [snprintf function is available])
fi

AC_CHECK_FUNCS([malloc_trim mallinfo])

AC_CHECK_SIZEOF([char])
AC_CHECK_SIZEOF([short])
AC_CHECK_SIZEOF([int])
AC_CHECK_SIZEOF([long int])
AC_CHECK_SIZEOF([long long int])
AC_CHECK_SIZEOF([unsigned int])
AC_CHECK_SIZEOF([unsigned long int])
AC_CHECK_SIZEOF([unsigned long long int])

# Check for int types
AC_CHECK_TYPES([u_int8_t,u_int16_t,u_int32_t,u_int64_t,uint8_t,uint16_t,uint32_t,uint64_t])
AC_CHECK_TYPES([int8_t,int16_t,int32_t,int64_t])
AC_CHECK_TYPES([boolean])

# In case INADDR_NONE is not defined (like on Solaris)
# NOTE(review): the program body always returns 0, so this is effectively a
# compile+link probe for the INADDR_NONE macro; as an AC_RUN_IFELSE it cannot
# be evaluated when cross-compiling. The three header names were lost in page
# extraction (inet_addr/INADDR_NONE live in the socket/inet headers) and must
# be restored from upstream.
have_inaddr_none="no"
AC_MSG_CHECKING([for INADDR_NONE])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM(
[[
#include /* header name lost in page extraction; restore from upstream */
#include /* header name lost in page extraction; restore from upstream */
#include /* header name lost in page extraction; restore from upstream */
]],
[[
  if (inet_addr("10,5,2") == INADDR_NONE);
  return 0;
]])],
[have_inaddr_none="yes"],
[have_inaddr_none="no"])
AC_MSG_RESULT($have_inaddr_none)
if test "x$have_inaddr_none" = "xno"; then
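AC_DEFINE([INADDR_NONE],[-1],[For INADDR_NONE definition])
fi

# sys_errlist is a legacy, non-standard symbol; when the C library already
# declares it, Snort must not declare its own copy.
# NOTE(review): the header in this test program was lost when the page was
# extracted. <stdio.h> is restored here because that is where glibc/BSD libc
# declare sys_errlist -- confirm against the upstream configure.in.
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
]], [[const char *foo; foo = sys_errlist[0];]])],[AC_DEFINE(ERRLIST_PREDEFINED,1,Define if errlist is predefined)],[])

# Work out how to spell the current function name: __FUNCTION__ (GNU),
# __func__ (C99), or a fixed string as a last resort.
# (The failure branches used to assign sn_cv__have___* -- a misspelt
# variable -- so the tested variable was simply unset on failure; the
# outcome was the same, the names are just made consistent here.)
AC_MSG_CHECKING(for __FUNCTION__)
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
]], [[printf ("%s", __FUNCTION__);]])],[sn_cv_have___FUNCTION__=yes],[sn_cv_have___FUNCTION__=no])
if test "x$sn_cv_have___FUNCTION__" = "xyes"; then
  AC_MSG_RESULT(yes)
  AC_DEFINE([HAVE___FUNCTION__],[1],[Define if the compiler understands __FUNCTION__.])
else
  AC_MSG_RESULT(no)
  AC_MSG_CHECKING(for __func__)
  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdio.h>
]], [[printf ("%s", __func__);]])],[sn_cv_have___func__=yes],[sn_cv_have___func__=no])
  if test "x$sn_cv_have___func__" = "xyes"; then
    AC_MSG_RESULT(yes)
    AC_DEFINE([HAVE___func__],[1],[Define if the compiler understands __func__.])
    AC_DEFINE([__FUNCTION__],[__func__],[Define __FUNCTION__ as required.])
  else
    AC_MSG_RESULT(no)
    AC_DEFINE([__FUNCTION__],["mystery function"])
  fi
fi

# --with-libpcap-* / --with-libpfring-* / --with-daq-* only add search paths.
# No rpath is recorded, so a library taken from a non-default -L directory
# must also be resolvable by the runtime loader on the target host.
AC_ARG_WITH(libpcap_includes,
    [ --with-libpcap-includes=DIR libpcap include directory],
    [with_libpcap_includes="$withval"],[with_libpcap_includes="no"])
AC_ARG_WITH(libpcap_libraries,
    [ --with-libpcap-libraries=DIR libpcap library directory],
    [with_libpcap_libraries="$withval"],[with_libpcap_libraries="no"])

if test "x$with_libpcap_includes" != "xno"; then
  CPPFLAGS="${CPPFLAGS} -I${with_libpcap_includes}"
fi

if test "x$with_libpcap_libraries" != "xno"; then
  LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}"
fi

# --with-libpfring-* options
AC_ARG_WITH(libpfring_includes,
    [ --with-libpfring-includes=DIR libpfring include directory],
    [with_libpfring_includes="$withval"],[with_libpfring_includes="no"])
AC_ARG_WITH(libpfring_libraries,
    [ --with-libpfring-libraries=DIR libpfring library directory],
    [with_libpfring_libraries="$withval"],[with_libpfring_libraries="no"])

if test "x$with_libpfring_includes" != "xno"; then
  CPPFLAGS="${CPPFLAGS} -I${with_libpfring_includes}"
fi

if test "x$with_libpfring_libraries" != "xno"; then
  LDFLAGS="${LDFLAGS} -L${with_libpfring_libraries}"
fi

AC_ARG_WITH(daq_includes,
    [ --with-daq-includes=DIR DAQ include directory],
    [with_daq_includes="$withval"],[with_daq_includes="no"])
AC_ARG_WITH(daq_libraries,
    [ --with-daq-libraries=DIR DAQ library directory],
    [with_daq_libraries="$withval"],[with_daq_libraries="no"])

if test "x$with_daq_includes" != "xno"; then
  CPPFLAGS="${CPPFLAGS} -I${with_daq_includes}"
  ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_daq_includes}"
fi

if test "x$with_daq_libraries" != "xno"; then
  LDFLAGS="${LDFLAGS} -L${with_daq_libraries}"
fi

# NOTE(review): enable_control_socket is consulted here before its
# AC_ARG_ENABLE further down applies the default and the Linux-only
# downgrade, so --enable-control-socket on a non-Linux host still demands
# libsfbpf here even though the feature is switched off a few checks later.
if test "x$enable_control_socket" = "xyes"; then
  LSFBPF=""
  AC_CHECK_LIB([sfbpf], [sfbpf_compile], [LIBS="${LIBS} -lsfbpf"], [LSFBPF="no"], [ ])
  if test "x$LSFBPF" = "xno"; then
    echo
    echo " ERROR! sfbpf library not found, go get it from"
    echo " http://www.snort.org/."
    #AC_MSG_ERROR("Fatal!")
    exit 1
  fi
fi

# libpcap: the error text below mentions pcap.h, but only the library is
# actually probed here; a missing header surfaces later at compile time.
LPCAP=""
AC_CHECK_LIB(pcap, pcap_datalink,, LPCAP="no")

# If the normal AC_CHECK_LIB for pcap fails then check to see if we are
# using a pfring-enabled pcap.
if test "x$LPCAP" = "xno"; then
  PFRING_H=""
  AC_CHECK_HEADERS(pfring.h,, PFRING_H="no")

  # It is important to have the AC_CHECK_LIB for the pfring library BEFORE
  # the one for pfring-enabled pcap. When the Makefile is created, all the
  # libraries used during linking are added to the LIBS variable in the
  # Makefile in the opposite order that their AC_CHECK_LIB macros appear
  # in configure.in. During linking, the pfring library (-lpfring) MUST come
  # _after_ the libpcap library (-lpcap) or linking will fail.
  PFRING_L=""
  AC_CHECK_LIB(pfring, pfring_open,, PFRING_L="no")

  LPFRING_PCAP=""
  AC_CHECK_LIB(pcap, pfring_open,, LPFRING_PCAP="no",-lpfring)
fi

# If both the AC_CHECK_LIB for normal pcap and pfring-enabled pcap fail then exit.
if test "x$LPCAP" = "xno"; then
  if test "x$LPFRING_PCAP" = "xno"; then
    echo
    echo " ERROR! Libpcap library/headers (libpcap.a (or .so)/pcap.h)"
    echo " not found, go get it from http://www.tcpdump.org"
    echo " or use the --with-libpcap-* options, if you have it installed"
    echo " in unusual place. Also check if your libpcap depends on another"
    echo " shared library that may be installed in an unusual place"
    exit 1
  fi
fi

# NOTE(review): pcap_lex_destroy is an internal libpcap symbol, so this is
# really a link probe; as an AC_RUN_IFELSE it cannot be evaluated when
# cross-compiling. The header name was lost in page extraction and is
# restored as <pcap.h> (the only header this probe can mean) -- confirm.
AC_MSG_CHECKING([for pcap_lex_destroy])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM(
[[
#include <pcap.h>
]],
[[
  pcap_lex_destroy();
]])],
[have_pcap_lex_destroy="yes"],
[have_pcap_lex_destroy="no"])
AC_MSG_RESULT($have_pcap_lex_destroy)
if test "x$have_pcap_lex_destroy" = "xyes"; then
  AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
fi

AC_MSG_CHECKING([for pcap_lib_version])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[[#include <pcap.h>]],
[[pcap_lib_version();]]
)],
[have_pcap_lib_version="yes"],
[have_pcap_lib_version="no"]
)
AC_MSG_RESULT($have_pcap_lib_version)
if test "x$have_pcap_lib_version" = "xyes"; then
  AC_DEFINE([HAVE_PCAP_LIB_VERSION],[1], [Can output the library version.])
fi

# FAIL_MESSAGE(WHAT, PLACES): print a fatal "not found" banner listing the
# directories that were searched, then abort configure with status 1.
# (Defined here; none of the checks visible in this section call it.)
AC_DEFUN([FAIL_MESSAGE],[
  echo
  echo
  echo "**********************************************"
  echo " ERROR: unable to find" $1
  echo " checked in the following places"
  for i in `echo $2`; do
    echo " $i"
  done
  echo "**********************************************"
  echo
  exit 1
])

AC_ARG_WITH(libpcre_includes,
    [ --with-libpcre-includes=DIR libpcre include directory],
    [with_libpcre_includes="$withval"],[with_libpcre_includes="no"])
AC_ARG_WITH(libpcre_libraries,
    [ --with-libpcre-libraries=DIR libpcre library directory],
    [with_libpcre_libraries="$withval"],[with_libpcre_libraries="no"])

# Without explicit directories, pcre-config from PATH supplies the flags.
if test "x$with_libpcre_includes" != "xno"; then
  CPPFLAGS="${CPPFLAGS} -I${with_libpcre_includes}"
  ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_libpcre_includes}"
else
  CPPFLAGS="${CPPFLAGS} `pcre-config --cflags`"
fi

if test "x$with_libpcre_libraries" != "xno"; then
  LDFLAGS="${LDFLAGS} -L${with_libpcre_libraries}"
else
  LDFLAGS="${LDFLAGS} `pcre-config --libs`"
fi

# PCRE configuration (required)
# NOTE(review): this is PCRE1 (pcre.h / libpcre, the 8.x series), which is
# end-of-life upstream; keep it patched from the distribution, since rule
# "pcre" options run it against untrusted traffic.
# Verify that we have the headers
PCRE_H=""
AC_CHECK_HEADERS(pcre.h,, PCRE_H="no")
if test "x$PCRE_H" = "xno"; then
  echo
  echo " ERROR! Libpcre header not found."
  echo " Get it from http://www.pcre.org"
  exit 1
fi

# Verify that we have the library
PCRE_L=""
pcre_version_six=""
AC_CHECK_LIB(pcre, pcre_compile, ,PCRE_L="no")
if test "x$PCRE_L" = "xno"; then
  echo
  echo " ERROR! Libpcre library not found."
  echo " Get it from http://www.pcre.org"
  echo
  exit 1
else
  # 6.0 is the floor the code was written to; pcre_copy_named_substring is
  # the probe. Header name restored as <pcre.h> after page extraction.
  AC_MSG_CHECKING(for libpcre version 6.0 or greater)
  AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pcre.h>]],
    [[
    #if (PCRE_MAJOR < 6)
    #error "Version failure"
    #else
    int a, b = 0, c = 0, d = 0;
    pcre *tmp = NULL;
    a = pcre_copy_named_substring(tmp, "", &b, c, "", "", d);
    #endif
    ]])],[pcre_version_six="yes"],[pcre_version_six="no"])
fi

if test "x$pcre_version_six" != "xyes"; then
  AC_MSG_RESULT(no)
  echo
  echo " ERROR! Libpcre library version >= 6.0 not found."
  echo " Get it from http://www.pcre.org"
  echo
  exit 1
else
  AC_MSG_RESULT(yes)
fi

# OPENSSL SHA configuration (optional)
AC_ARG_WITH(openssl_includes,
    [ --with-openssl-includes=DIR openssl include directory],
    [with_openssl_includes="$withval"],[with_openssl_includes="no"])
AC_ARG_WITH(openssl_libraries,
    [ --with-openssl-libraries=DIR openssl library directory],
    [with_openssl_libraries="$withval"],[with_openssl_libraries="no"])

if test "x$with_openssl_includes" != "xno"; then
  CPPFLAGS="${CPPFLAGS} -I${with_openssl_includes}"
  ICONFIGFLAGS="${ICONFIGFLAGS} -I${with_openssl_includes}"
fi

if test "x$with_openssl_libraries" != "xno"; then
  LDFLAGS="${LDFLAGS} -L${with_openssl_libraries}"
fi

# Verify that we have the headers
# When libcrypto provides a digest it is preferred; the BUILD_OPENSSL_*
# automake conditionals are true when it does not (presumably to build a
# bundled fallback). MD5 is kept for compatibility only -- it is not
# collision-resistant, so prefer the SHA-256 path wherever there is a choice.
AC_CHECK_LIB([crypto],[SHA256_Init],AC_DEFINE([HAVE_OPENSSL_SHA],[1],openssl SHA available),)
AC_CHECK_LIB([crypto],[MD5_Init],AC_DEFINE([HAVE_OPENSSL_MD5],[1],openssl MD5 available),)
AM_CONDITIONAL([BUILD_OPENSSL_MD5], test "$ac_cv_lib_crypto_MD5_Init" != "yes" )
AM_CONDITIONAL([BUILD_OPENSSL_SHA], test "$ac_cv_lib_crypto_SHA256_Init" != "yes" )
# Both AC_CHECK_LIB calls pass an explicit action-if-found, so neither adds
# -lcrypto itself. Link it whenever either digest was found; previously only
# MD5 triggered this, leaving a HAVE_OPENSSL_SHA build on an MD5-less
# libcrypto without the library at link time.
if test "$ac_cv_lib_crypto_MD5_Init" = "yes" || test "$ac_cv_lib_crypto_SHA256_Init" = "yes"; then
  LIBS="${LIBS} -lcrypto"
fi

# Signal numbers may be overridden at configure time. The values are pasted
# verbatim into config.h via AC_DEFINE_UNQUOTED, so only trusted numeric
# input belongs here.
AC_ARG_VAR(SIGNAL_SNORT_RELOAD, set the SIGNAL_SNORT_RELOAD value)
if test "x$SIGNAL_SNORT_RELOAD" != "x" ; then
  AC_DEFINE_UNQUOTED([SIGNAL_SNORT_RELOAD], [$SIGNAL_SNORT_RELOAD], [Set by user])
fi

AC_ARG_VAR(SIGNAL_SNORT_DUMP_STATS, set the SIGNAL_SNORT_DUMP_STATS value)
if test "x$SIGNAL_SNORT_DUMP_STATS" != "x" ; then
  AC_DEFINE_UNQUOTED([SIGNAL_SNORT_DUMP_STATS], [$SIGNAL_SNORT_DUMP_STATS], [Set by user])
fi

AC_ARG_VAR(SIGNAL_SNORT_ROTATE_STATS, set the SIGNAL_SNORT_ROTATE_STATS value)
if test "x$SIGNAL_SNORT_ROTATE_STATS" != "x" ; then
  AC_DEFINE_UNQUOTED([SIGNAL_SNORT_ROTATE_STATS], [$SIGNAL_SNORT_ROTATE_STATS], [Set by user])
fi

AC_ARG_VAR(SIGNAL_SNORT_READ_ATTR_TBL, set the SIGNAL_SNORT_READ_ATTR_TBL value)
if test "x$SIGNAL_SNORT_READ_ATTR_TBL" != "x" ; then
  AC_DEFINE_UNQUOTED([SIGNAL_SNORT_READ_ATTR_TBL], [$SIGNAL_SNORT_READ_ATTR_TBL], [Set by user])
fi

# NOTE(review): the default falls back to $so_with_static_lib, which nothing
# in this section assigns; unless it is set earlier the option defaults to
# an empty value (i.e. off).
AC_ARG_ENABLE(so_with_static_lib,
[ --enable-so-with-static-lib Enable linking of dynamically loaded preprocessors with a static preprocessor library],
       enable_so_with_static_lib="$enableval", enable_so_with_static_lib=$so_with_static_lib)
AM_CONDITIONAL(SO_WITH_STATIC_LIB, test "x$enable_so_with_static_lib" = "xyes")

# Control socket: off by default and only built on Linux.
AC_ARG_ENABLE(control_socket,
[ --enable-control-socket Enable the control socket],
       enable_control_socket="$enableval", enable_control_socket="no")
if test "x$linux" != "xyes"; then
  if test "x$enable_control_socket" = "xyes"; then
    AC_MSG_WARN([[The control socket is only supported on Linux systems.]])
    enable_control_socket="no"
  fi
fi
AM_CONDITIONAL(BUILD_CONTROL_SOCKET, test "x$enable_control_socket" = "xyes")
if test "x$enable_control_socket" = "xyes"; then
  CONFIGFLAGS="$CONFIGFLAGS -DCONTROL_SOCKET"
fi

# Side channel: experimental, off by default and only built on Linux.
AC_ARG_ENABLE(side_channel,
[ --enable-side-channel Enable the side channel (Experimental)],
       enable_side_channel="$enableval", enable_side_channel="no")
if test "x$linux" != "xyes"; then
  if test "x$enable_side_channel" = "xyes"; then
    AC_MSG_WARN([[The side channel is only supported on Linux systems.]])
    enable_side_channel="no"
  fi
fi
AM_CONDITIONAL(BUILD_SIDE_CHANNEL, test "x$enable_side_channel" = "xyes")
if test "x$enable_side_channel" = "xyes"; then
  CONFIGFLAGS="$CONFIGFLAGS -DSIDE_CHANNEL"
fi

# check for dnet first since some DAQs need it
AC_ARG_WITH(dnet_includes,
    [ --with-dnet-includes=DIR libdnet include directory],
    [with_dnet_includes="$withval"],[with_dnet_includes="no"])
AC_ARG_WITH(dnet_libraries,
    [ --with-dnet-libraries=DIR libdnet library directory],
    [with_dnet_libraries="$withval"],[with_dnet_libraries="no"])

# Without explicit directories, dnet-config from PATH supplies the flags
# (its absence is silenced; the header/library checks below report it).
if test "x$with_dnet_includes" != "xno"; then
  CPPFLAGS="${CPPFLAGS} -I${with_dnet_includes}"
else
  CPPFLAGS="${CPPFLAGS} `dnet-config --cflags 2>/dev/null`"
fi

if test "x$with_dnet_libraries" != "xno"; then
  LDFLAGS="${LDFLAGS} -L${with_dnet_libraries}"
else
  LDFLAGS="${LDFLAGS} `dnet-config --libs 2>/dev/null`"
fi

# Either spelling is accepted: dnet.h/-ldnet, or dumbnet.h/-ldumbnet
# (presumably the name some distributions ship libdnet under).
AC_CHECK_HEADERS(dnet.h,,DNET_H="no")
AC_CHECK_HEADERS(dumbnet.h,,DUMBNET_H="no")
if test "x$DNET_H" = "xno" -a "x$DUMBNET_H" = "xno"; then
  echo
  echo " ERROR! dnet header not found, go get it from"
  echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*"
  echo " options, if you have it installed in an unusual place"
  # A bare "exit" here returned the status of the preceding echo (0), so a
  # missing dependency looked like a successful configure to callers.
  exit 1
fi

AC_CHECK_LIB(dnet, eth_set,,[DNET="no"])
AC_CHECK_LIB(dumbnet, eth_set,,[DUMBNET="no"])
if test "x$DNET" = "xno" -a "x$DUMBNET" = "xno"; then
  echo
  echo " ERROR! dnet library not found, go get it from"
  echo " http://code.google.com/p/libdnet/ or use the --with-dnet-*"
  echo " options, if you have it installed in an unusual place"
  exit 1
fi

AC_ARG_ENABLE(static_daq,
[ --disable-static-daq Link static DAQ modules.],
       enable_static_daq="$enableval", enable_static_daq="yes")

# The dynamic-loader API is mandatory (dynamic preprocessors and shared
# object rules are loaded at run time). glibc ships it in libdl; other libcs
# provide dlsym from libc itself, hence the second probe.
AC_CHECK_LIB(dl, dlsym, DLLIB="yes", DLLIB="no")
if test "$DLLIB" != "no"; then
  LIBS="${LIBS} -ldl"
else
  AC_CHECK_LIB(c, dlsym, DLLIB="yes", DLLIB="no")
  if test "$DLLIB" = "no"; then
    echo
    echo " ERROR! programmatic interface to dynamic link loader"
    echo " not found. Cannot build Snort."
    echo
    exit 1
  fi
fi

# DAQ: static modules are linked in (default) or loaded from libdaq.
# NOTE(review): daq-modules-config is run from PATH with no existence check;
# if it is missing the substitution is empty and the failure only shows up
# as the daq_static link probe below.
if test "x$enable_static_daq" = "xyes"; then
  LDAQ=""
  LIBS="${LIBS} `daq-modules-config --static --libs`"
  AC_CHECK_LIB([daq_static], [daq_load_modules], [LIBS="-ldaq_static ${LIBS}"], [LDAQ="no"], [ ])
  if test "x$LDAQ" = "xno"; then
    echo
    echo " ERROR! daq_static library not found, go get it from"
    echo " http://www.snort.org/."
    #AC_MSG_ERROR("Fatal!") # FIXTHIS switch over to this macro
    exit 1 # instead of raw exits!
  fi
else
  LDAQ=""
  AC_CHECK_LIB([daq], [daq_load_modules], [LIBS="${LIBS} -ldaq"], [LDAQ="no"], [ ])
  if test "x$LDAQ" = "xno"; then
    echo
    echo " ERROR! daq library not found, go get it from"
    echo " http://www.snort.org/."
    #AC_MSG_ERROR("Fatal!")
    exit 1
  fi
fi

AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta] [daq_dp_add_dc])

if test "x$ac_cv_func_daq_dp_add_dc" = "xyes"; then
  # NOTE(review): the DAQ header name in this check was lost when the page
  # was extracted; restore it from the upstream configure.in, otherwise the
  # member probe always fails and configure aborts below.
  AC_CHECK_MEMBER([struct _DAQ_DP_key_t.sa.src_ip4],[],[DAQ_C99_STRUCT="no"],[#include ])
  if test "x$DAQ_C99_STRUCT" = "xno" ; then
    echo
    echo " ERROR! daq library missing C99 patch, upgrade to >=2.0.4, go get it from"
    echo " http://www.snort.org/."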
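exit 1
fi
fi

# DAQ feature probes. Each only has to compile -- they reference struct
# members and an enumerator, nothing is executed -- so AC_COMPILE_IFELSE is
# used instead of AC_RUN_IFELSE, which would abort configure when
# cross-compiling and proves nothing extra here.
# NOTE(review): the DAQ header name inside each test program was lost when
# this page was extracted; until it is restored from upstream the includes
# are empty and every probe answers "no".
AC_MSG_CHECKING([for daq address space ID])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
#include
]],
[[
  DAQ_PktHdr_t hdr;
  hdr.address_space_id = 0;
]])],
[have_daq_address_space_id="yes"],
[have_daq_address_space_id="no"])
AC_MSG_RESULT($have_daq_address_space_id)
if test "x$have_daq_address_space_id" = "xyes"; then
  AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1], [DAQ version supports address space ID in header.])
fi

AC_MSG_CHECKING([for daq flow ID])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
#include
]],
[[
  DAQ_PktHdr_t hdr;
  hdr.flow_id = 0;
]])],
[have_daq_flow_id="yes"],
[have_daq_flow_id="no"])
AC_MSG_RESULT($have_daq_flow_id)
if test "x$have_daq_flow_id" = "xyes"; then
  AC_DEFINE([HAVE_DAQ_FLOW_ID],[1], [DAQ version supports flow ID in header.])
fi

AC_MSG_CHECKING([for DAQ_VERDICT_RETRY])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM(
[[
#include
]],
[[
  DAQ_Verdict verdict;
  verdict = DAQ_VERDICT_RETRY;
]])],
[have_daq_verdict_retry="yes"],
[have_daq_verdict_retry="no"])
AC_MSG_RESULT($have_daq_verdict_retry)
if test "x$have_daq_verdict_retry" = "xyes"; then
  AC_DEFINE([HAVE_DAQ_VERDICT_RETRY],[1], [DAQ version supports DAQ_VERDICT_RETRY in DAQ_Verdict.])
fi

# any sparc platform has to have this one defined.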
AC_MSG_CHECKING(for sparc)
# Unaligned word access faults on SPARC, so WORDS_MUSTALIGN is defined for
# the code that reads multi-byte fields out of packet buffers.
# (The eval wrapper is unnecessary -- a plain pipeline or a case statement on
# $host_cpu would do -- but it is harmless: $host_cpu comes from
# AC_CANONICAL_HOST, not from arbitrary input.)
if eval "echo $host_cpu|grep -i sparc >/dev/null"; then
  AC_DEFINE([WORDS_MUSTALIGN],[1],[Define if words must align])
  AC_MSG_RESULT(yes)
  # gcc, sparc and optimization not so good
  if test -n "$GCC"; then
    NO_OPTIMIZE="yes"
  fi
else
  AC_MSG_RESULT(no)
fi

# check for sparc %time register
# This probe genuinely has to run: "rd %tick" is a SPARC v9 instruction and
# would not execute on earlier CPUs, which is exactly what is being detected.
# The -mcpu=v9 flag is kept in CFLAGS only when the register is usable.
if eval "echo $host_cpu|grep -i sparc >/dev/null"; then
  OLD_CFLAGS="$CFLAGS"
  CFLAGS="$CFLAGS -mcpu=v9 "
  AC_MSG_CHECKING([for sparc %time register])
  AC_RUN_IFELSE(
  [AC_LANG_PROGRAM(
  [[]],
  [[
    int val;
    __asm__ __volatile__("rd %%tick, %0" : "=r"(val));
  ]])],
  [sparcv9="yes"],
  [sparcv9="no"])
  AC_MSG_RESULT($sparcv9)
  if test "x$sparcv9" = "xyes"; then
    AC_DEFINE([SPARCV9],[1],[For sparc v9 with %time register])
  else
    CFLAGS="$OLD_CFLAGS"
  fi
fi

# modified from gnulib/m4/visibility.m4
#
# CC_VISIBILITY: probe for GCC-style symbol visibility attributes. When they
# work, -fvisibility=hidden goes into CCONFIGFLAGS (merged into CFLAGS later
# in this file), so only symbols explicitly marked "default" are exported
# from the shared objects: a smaller ABI surface and fewer accidental symbol
# clashes between plugins and the core.
AC_DEFUN([CC_VISIBILITY],
[
  AC_REQUIRE([AC_PROG_CC])
  AC_MSG_CHECKING([for visibility support])
  AC_CACHE_VAL(gl_cv_cc_visibility, [
    gl_save_CFLAGS="$CFLAGS"
    # Add -Werror flag since some compilers, e.g. icc 7.1, don't support it,
    # but only warn about it instead of compilation failing
    CFLAGS="$CFLAGS -Werror -fvisibility=hidden"
    AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
      extern __attribute__((__visibility__("hidden"))) int hiddenvar;
      extern __attribute__((__visibility__("default"))) int exportedvar;
      extern __attribute__((__visibility__("hidden"))) int hiddenfunc (void);
      extern __attribute__((__visibility__("default"))) int exportedfunc (void);]],
      [[]])],
      [gl_cv_cc_visibility="yes"],
      [gl_cv_cc_visibility="no"])
  ])
  AC_MSG_RESULT([$gl_cv_cc_visibility])
  CFLAGS="$gl_save_CFLAGS"
  if test "x$gl_cv_cc_visibility" = "xyes"; then
    CCONFIGFLAGS="${CCONFIGFLAGS} -DSF_VISIBILITY -fvisibility=hidden"
    AC_DEFINE([HAVE_VISIBILITY],[1], [Define if the compiler supports visibility declarations.])
  fi
])
CC_VISIBILITY()

AC_ARG_ENABLE(build-dynamic-examples,
[ --enable-build-dynamic-examples Enable building of example dynamically loaded preprocessor and rule (off by default)],
       build_dynamic_examples="$enableval",
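build_dynamic_examples="no")
AM_CONDITIONAL(BUILD_DYNAMIC_EXAMPLES, test "x$build_dynamic_examples" = "xyes")

# Development aid only: keeps plugin shared objects mapped after use so
# valgrind can symbolise leak reports. Leave enabled for real builds.
AC_ARG_ENABLE(dlclose,
[ --disable-dlclose Only use if you are developing dynamic preprocessors or shared object rules. Disable (--disable-dlclose) for testing valgrind leaks in dynamic libraries so a usable backtrace is reported. Enabled by default.],
       enable_dlclose="$enableval", enable_dlclose="yes")
if test "x$enable_dlclose" = "xno"; then
  AC_DEFINE([DISABLE_DLCLOSE_FOR_VALGRIND_TESTING],[1],[Don't close opened shared objects for valgrind leak testing of dynamic libraries])
fi

# zlib is mandatory. Both failure paths used a bare "exit", which returns
# the status of the preceding echo (0) and so reported a failed configure as
# success to the caller; exit 1 makes the failure visible.
Z_LIB=""
AC_CHECK_HEADERS(zlib.h,, Z_LIB="no")
if test "x$Z_LIB" = "xno"; then
  echo
  echo " ERROR! zlib header not found, go get it from"
  echo " http://www.zlib.net"
  exit 1
fi

Z_LIB=""
AC_CHECK_LIB(z, inflate,, Z_LIB="no")
if test "x$Z_LIB" = "xno"; then
  echo
  echo " ERROR! zlib library not found, go get it from"
  echo " http://www.zlib.net"
  exit 1
fi
LIBS="$LIBS -lz"

AC_ARG_ENABLE(lzma,
[ --disable-lzma Disable LZMA Decompression],
       enable_lzma="$enableval", enable_lzma="yes")
AC_ARG_WITH(lzma_includes,
    [ --with-lzma-includes=DIR liblzma include directory],
    [with_lzma_includes="$withval"],[with_lzma_includes="no"])
AC_ARG_WITH(lzma_libraries,
    [ --with-lzma-libraries=DIR liblzma library directory],
    [with_lzma_libraries="$withval"],[with_lzma_libraries="no"])
# NOTE(review): HAVE_LZMA follows only the --enable flag, while -DLZMA and
# -llzma are added only when header and library were actually found (or
# their directories were given explicitly, which is taken on trust). With
# --enable-lzma and no liblzma installed, the automake conditional and the
# preprocessor define therefore disagree.
AM_CONDITIONAL(HAVE_LZMA, test "x$enable_lzma" = "xyes")
if test "x$enable_lzma" = "xyes"; then
  if test "x$with_lzma_includes" != "xno"; then
    CPPFLAGS="${CPPFLAGS} -I${with_lzma_includes}"
    LZMA_HEADERS="yes"
  else
    AC_CHECK_HEADERS(lzma.h, LZMA_HEADERS="yes", LZMA_HEADERS="no")
  fi

  if test "x$with_lzma_libraries" != "xno"; then
    LDFLAGS="${LDFLAGS} -L${with_lzma_libraries}"
    LZMA_LIB="yes"
  else
    AC_CHECK_LIB(lzma, lzma_stream_decoder, LZMA_LIB="yes", LZMA_LIB="no")
  fi

  if test "x$LZMA_LIB" != "xno"; then
    if test "x$LZMA_HEADERS" != "xno"; then
      CPPFLAGS="$CPPFLAGS -DLZMA"
      LIBS="$LIBS -llzma"
    fi
  fi
fi

# Encapsulation decoders are compiled in by default. Each one is extra
# decoder code exposed to untrusted packets; sensors that never see GRE or
# MPLS can shrink that surface with the --disable-* options.
AC_ARG_ENABLE(gre,
[ --disable-gre Disable GRE and IP in IP encapsulation support],
       enable_gre="$enableval", enable_gre="yes")
if test "x$enable_gre" = "xyes"; then
  CPPFLAGS="$CPPFLAGS -DGRE"
fi

AC_ARG_ENABLE(mpls,
[ --disable-mpls Disable MPLS support],
       enable_mpls="$enableval", enable_mpls="yes")
if test "x$enable_mpls" = "xyes"; then
  CPPFLAGS="$CPPFLAGS -DMPLS"
fi

AC_ARG_ENABLE(targetbased,
[ --disable-targetbased Disable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)],
       enable_targetbased="$enableval", enable_targetbased="yes")
AM_CONDITIONAL(HAVE_TARGET_BASED, test "x$enable_targetbased" = "xyes")
if test "x$enable_targetbased" = "xyes"; then
  CONFIGFLAGS="$CONFIGFLAGS -DTARGET_BASED"
  LIBS="$LIBS -lpthread"
  # Target-based support needs the flex/bison generators found earlier, so
  # they become hard requirements here. (Only flex is searched for above,
  # whatever the hint about lex in the message says.)
  if test "$LEX" = "none"; then
    echo
    echo " ERROR! flex not found."
    echo " Get it from http://flex.sourceforge.net/"
    echo " (You may also try lex instead.)"
    echo
    exit 1
  fi
  if test "$YACC" = "none"; then
    echo
    echo " ERROR! bison not found."
    echo " Get it from http://www.gnu.org/software/bison/"
    echo " (You may also try byacc or yacc instead.)"
    echo
    exit 1
  fi
fi

AC_ARG_ENABLE(ppm,
[ --disable-ppm Disable packet/rule performance monitor],
       enable_ppm="$enableval", enable_ppm="yes")
if test "x$enable_ppm" = "xyes"; then
  CPPFLAGS="$CPPFLAGS -DPPM_MGR"
fi

AC_ARG_ENABLE(perfprofiling,
[ --disable-perfprofiling Disable preprocessor and rule performance profiling],
       enable_perfprofiling="$enableval", enable_perfprofiling="yes")
if test "x$enable_perfprofiling" = "xyes"; then
  CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING"
fi

AC_ARG_ENABLE(linux-smp-stats,
[ --enable-linux-smp-stats Enable statistics reporting through proc],
       enable_linux_smp_stats="$enableval", enable_linux_smp_stats="no")
AM_CONDITIONAL(BUILD_PROCPIDSTATS, test "x$enable_linux_smp_stats" = "xyes")
if test "x$enable_linux_smp_stats" = "xyes"; then
  CPPFLAGS="$CPPFLAGS -DLINUX_SMP"
fi

# Fail-open lets traffic pass while an inline sensor is still initialising:
# availability over inspection. Off by default; enable deliberately.
AC_ARG_ENABLE(inline-init-failopen,
[ --enable-inline-init-failopen Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly)],
       enable_inline_init_failopen="$enableval", enable_inline_init_failopen="no")
if test "x$enable_inline_init_failopen" = "xyes"; then
  CPPFLAGS="$CPPFLAGS -DINLINE_FAILOPEN"
  LIBS="$LIBS -lpthread"
fi

AC_ARG_ENABLE(pthread,
[ --disable-pthread Disable pthread support],
       enable_pthread="$enableval", enable_pthread="yes")
if test "x$enable_pthread" = "xyes"; then
  LIBS="$LIBS -lpthread"
fi

# Debug printing is for developers and bug reports only; it is verbose and
# may echo traffic contents into logs.
AC_ARG_ENABLE(debug-msgs,
[ --enable-debug-msgs Enable debug printing options (bugreports and developers only)],
       enable_debug_msgs="$enableval", enable_debug_msgs="no")
if test "x$enable_debug_msgs" = "xyes"; then
  CPPFLAGS="$CPPFLAGS -DDEBUG_MSGS"
fi

AC_ARG_ENABLE(debug,
[ --enable-debug Enable debugging options (bugreports and developers only)],
       enable_debug="$enableval", enable_debug="no")
if test "x$enable_debug" = "xyes"; then
  NO_OPTIMIZE="yes"
  # in case user override doesn't include -g
  if echo $CFLAGS | grep -qve -g ; then
    CFLAGS="$CFLAGS -g"
  fi
  CPPFLAGS="$CPPFLAGS -DDEBUG"
else
  # disable assert()ions
  # Release builds therefore carry no assert() checks at run time; anything
  # that must hold against hostile input needs an explicit check, not an
  # assert.
  CPPFLAGS="$CPPFLAGS -DNDEBUG"
fi

AC_ARG_ENABLE(gdb,
[ --enable-gdb Enable gdb debugging information],
       enable_gdb="$enableval", enable_gdb="no")
if test "x$enable_gdb" = "xyes"; then
  CFLAGS="$CFLAGS -g -ggdb"
fi

AC_ARG_ENABLE(profile,
[ --enable-profile Enable profiling options (developers only)],
       enable_profile="$enableval", enable_profile="no")
if test "x$enable_profile" = "xyes"; then
  if test -n "$GCC"; then
    CPPFLAGS="$CPPFLAGS -DPROFILE"
    CFLAGS="$CFLAGS -pg"
  else
    CPPFLAGS="$CPPFLAGS -DPROFILE"
  fi
fi

# NOTE(review): the help text reads "--disable-ppm-test" and repeats the
# ppm description, but the default is "no", so in practice this is an
# --enable-ppm-test switch that adds -DPPM_TEST.
AC_ARG_ENABLE(ppm-test,
[ --disable-ppm-test Disable packet/rule performance monitor],
       enable_ppm_test="$enableval", enable_ppm_test="no")
if test "x$enable_ppm_test" = "xyes"; then
  CPPFLAGS="$CPPFLAGS -DPPM_TEST"
fi

AC_ARG_ENABLE(sourcefire,
[ --enable-sourcefire Enable Sourcefire specific build options, encompasing --enable-perfprofiling and --enable-ppm],
       enable_sourcefire="$enableval", enable_sourcefire="no")
if test "x$enable_sourcefire" = "xyes"; then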
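CPPFLAGS="$CPPFLAGS -DSOURCEFIRE -DPPM_MGR"
CONFIGFLAGS="$CONFIGFLAGS -DPERF_PROFILING"
fi

# Core dumps are allowed by default. A core image of a sensor may contain
# whatever packet data was in memory at the time; on production hosts
# consider --disable-corefiles or tightly restrict where dumps land.
AC_ARG_ENABLE(corefiles,
[ --disable-corefiles Prevent Snort from generating core files],
       enable_corefiles="$enableval", enable_corefiles="yes")
if test "x$enable_corefiles" = "xno"; then
  CPPFLAGS="$CPPFLAGS -DNOCOREFILE"
fi

AC_ARG_ENABLE(active-response,
[ --disable-active-response Disable reject injection],
       enable_active_response="$enableval", enable_active_response="yes")

AC_ARG_ENABLE(normalizer,
[ --disable-normalizer Disable packet/stream normalizations],
       enable_normalizer="$enableval", enable_normalizer="yes")

AC_ARG_ENABLE(reload,
[ --disable-reload Disable reloading a configuration without restarting],
       enable_reload="$enableval", enable_reload="yes")

AC_ARG_ENABLE(reload-error-restart,
[ --disable-reload-error-restart Disable restarting on reload error],
       enable_reload_error_restart="$enableval", enable_reload_error_restart="yes")

# Reload runs in its own thread, hence -lpthread. With error-restart
# disabled, a reload failure is fatal (RELOAD_ERROR_FATAL) instead of
# leaving the sensor running on the previous configuration.
if test "x$enable_reload" = "xyes"; then
  if test "x$enable_reload_error_restart" = "xyes"; then
    CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD"
  else
    CONFIGFLAGS="$CONFIGFLAGS -DSNORT_RELOAD -DRELOAD_ERROR_FATAL"
  fi
  LIBS="$LIBS -lpthread"
fi

AC_ARG_ENABLE(ha,
[ --enable-ha Enable high-availability state sharing (Experimental)],
       enable_ha="$enableval", enable_ha="no")
AM_CONDITIONAL(BUILD_HA, test "x$enable_ha" = "xyes")
if test "x$enable_ha" = "xyes"; then
  CONFIGFLAGS="$CONFIGFLAGS -DENABLE_HA"
fi

# define NO_NON_ETHER_DECODERS by default
AC_ARG_ENABLE(non-ether-decoders,
[ --enable-non-ether-decoders Enable non Ethernet decoders.],
       enable_non_ether_decoders="$enableval", enable_non_ether_decoders="no")
if test "x$enable_non_ether_decoders" = "xno"; then
  CONFIGFLAGS="$CONFIGFLAGS -DNO_NON_ETHER_DECODER"
fi

# react / flexresp3 / active-response all turn on packet injection; the
# ACTIVE_RESPONSE define below is the union of them.
AC_ARG_ENABLE(react,
[ --disable-react Disable interception and termination of offending HTTP accesses],
       enable_react="$enableval", enable_react="yes")

AC_ARG_ENABLE(flexresp3,
[ --disable-flexresp3 Disable flexible responses (v3) on hostile connection attempts],
       enable_flexresp3="$enableval", enable_flexresp3="yes")

# test for invalid configurations here after all AC_ARG_ENABLEs
# NOTE(review): no AC_ARG_ENABLE(flexresp2) is visible in this section;
# enable_flexresp2 is only populated when the user passes --enable-flexresp2,
# which configure's generic option parser still accepts.
if test "x$enable_flexresp3" = "xyes"; then
  # flexresp3 options are a union of flexresp (deleted) and flexresp2
  # options so we assume flexresp3 if multiple are enabled.
  if test "x$enable_flexresp2" = "xyes"; then
    echo "WARNING: multiple flexresp versions enabled; using flexresp3."
    enable_flexresp2="no"
  fi
fi

AM_CONDITIONAL(BUILD_REACT, test "x$enable_react" = "xyes")
if test "x$enable_react" = "xyes"; then
  CPPFLAGS="${CPPFLAGS} -DENABLE_REACT"
fi

AM_CONDITIONAL(BUILD_RESPOND3, test "x$enable_flexresp3" = "xyes")
if test "x$enable_flexresp3" = "xyes"; then
  CPPFLAGS="${CPPFLAGS} -DENABLE_RESPOND -DENABLE_RESPONSE3"
fi

if test "x$enable_normalizer" = "xyes" \
  -o "x$enable_sourcefire" = "xyes" ; \
then
  CONFIGFLAGS="${CONFIGFLAGS} -DNORMALIZER"
fi

if test "x$enable_active_response" = "xyes" \
  -o "x$enable_flexresp3" = "xyes" \
  -o "x$enable_react" = "xyes" \
  -o "x$enable_sourcefire" = "xyes" ; \
then
  CONFIGFLAGS="${CONFIGFLAGS} -DACTIVE_RESPONSE"
fi

# Intel Soft CPM: giving either --with-* directory implies --enable. Note
# that -lpm is appended without any link probe, so a wrong directory only
# fails at link time.
AC_ARG_ENABLE(intel_soft_cpm,
[ --enable-intel-soft-cpm Enable Intel Soft CPM support],
       enable_intel_soft_cpm="$enableval", enable_intel_soft_cpm="no")
AC_ARG_WITH(intel_soft_cpm_includes,
    [ --with-intel-soft-cpm-includes=DIR Intel Soft CPM include directory],
    [with_intel_soft_cpm_includes="$withval"],[with_intel_soft_cpm_includes="no"])
AC_ARG_WITH(intel_soft_cpm_libraries,
    [ --with-intel-soft-cpm-libraries=DIR Intel Soft CPM library directory],
    [with_intel_soft_cpm_libraries="$withval"],[with_intel_soft_cpm_libraries="no"])

if test "x$with_intel_soft_cpm_includes" != "xno"; then
  enable_intel_soft_cpm="yes"
  CPPFLAGS="${CPPFLAGS} -I${with_intel_soft_cpm_includes}"
fi

if test "x$with_intel_soft_cpm_libraries" != "xno"; then
  enable_intel_soft_cpm="yes"
  LDFLAGS="${LDFLAGS} -L${with_intel_soft_cpm_libraries}"
  LIBS="${LIBS} -lpm"
fi

AM_CONDITIONAL(HAVE_INTEL_SOFT_CPM, test "x$enable_intel_soft_cpm" = "xyes")
if test "x$enable_intel_soft_cpm" = "xyes"; then
  CPPFLAGS="${CPPFLAGS} -DINTEL_SOFT_CPM"
fi

# Shared-memory reputation tables (POSIX shm, hence -lrt) are Linux-only.
AC_ARG_ENABLE(shared_rep,
[ --enable-shared-rep Enable use of Shared Memory for Reputation (Linux only)],
       enable_shared_rep="$enableval", enable_shared_rep="no")
if test "x$enable_shared_rep" = "xyes"; then
  if test "x$linux" = "xyes"; then
    CPPFLAGS="${CPPFLAGS} -DSHARED_REP"
    LIBS="$LIBS -lrt"
  else
    echo "WARNING: shared reputation is only available on linux."
    enable_shared_rep="no"
  fi
fi
AM_CONDITIONAL(HAVE_SHARED_REP, test "x$enable_shared_rep" = "xyes")

# Define PKG_CHECK_MODULES if it doesnt already exist.
# This prevents './configure' from erroring on machines that dont have
# 'pkgconfig' installed.
#m4_ifdef([PKG_CHECK_MODULES],[], [m4_define([PKG_CHECK_MODULES],
# [echo "PKG_CHECK_MODULES not defined"])])

AC_ARG_ENABLE(large-pcap,
[ --enable-large-pcap Enable support for pcaps larger than 2 GB],
       enable_large_pcap="$enableval", enable_large_pcap="no")
if test "x$enable_large_pcap" = "xyes"; then
  CPPFLAGS="${CPPFLAGS} -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
fi

###################################################
## [!] File Type Inspection (Experimental)       ##
###################################################
AC_ARG_ENABLE([file-inspect],
    [AS_HELP_STRING([--enable-file-inspect],[Build with extended file inspection features. (Experimental)])],
    [enable_file_inspect=$enableval],[enable_file_inspect=no])
AS_IF([test x$enable_file_inspect = xyes],
    [AC_DEFINE([FEAT_FILE_INSPECT],[1],[Build with extended file inspection features. (Experimental)])
])
AM_CONDITIONAL([FEAT_FILE_INSPECT],[test x$enable_file_inspect = xyes])

# Let pkg-config see locally built packages first. This is exported, so it
# also reaches every child process configure spawns from here on.
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH

###### Start OpenAppId
AC_ARG_ENABLE([open-appid],
    [AS_HELP_STRING([--enable-open-appid ],[Build with application id support. (Experimental)])],
    [enable_open_appid=$enableval],[enable_open_appid=no])
AM_CONDITIONAL([FEAT_OPEN_APPID],[test x$enable_open_appid = xyes])
if test "x$enable_open_appid" = "xyes"; then
  AC_DEFINE([FEAT_OPEN_APPID],[1],[Build with application id support. (Experimental)])
  CONFIGFLAGS="$CONFIGFLAGS -DFEAT_OPEN_APPID"
  # LuaJIT is a hard requirement once AppID is enabled.
  PKG_CHECK_MODULES(luajit, luajit,LLUAJIT="yes",LLUAJIT="no")
  if test "x$LLUAJIT" = "xyes"; then
    CONFIGFLAGS="$CONFIGFLAGS -DHAVE_LIBLUAJIT"
    LUA_CFLAGS="$luajit_CFLAGS"
    LUA_LIBS="$luajit_LIBS"
    AC_SUBST(LUA_CFLAGS)
    AC_SUBST(LUA_LIBS)
    # -pagezero_size/-image_base are Darwin (Mach-O) linker options that
    # LuaJIT's documentation calls for on 64-bit macOS. macos is only ever
    # assigned "yes" (in the host switch), so the previous test
    # "x$macos" != "xno" was true on every platform and handed these
    # Darwin-only flags to GNU ld as well.
    if test "x$macos" = "xyes"; then
      LDFLAGS="${LDFLAGS} -pagezero_size 10000 -image_base 100000000"
    fi
  else
    echo
    echo " ERROR! LuaJIT library not found. For better performance, go get it from"
    echo " http://www.luajit.org/."
    AC_MSG_ERROR("Fatal!")
  fi
  # AppID also needs X.509 parsing from libcrypto. This check passes an
  # explicit action, so it does not add -lcrypto itself; it relies on the
  # OpenSSL digest checks earlier in this file having appended it.
  AC_CHECK_HEADER(openssl/x509.h, [AC_CHECK_LIB(crypto, d2i_X509, openssl_x509=yes, openssl_x509=no)],openssl_x509=no)
  if test "x$openssl_x509" = "xno"; then
    echo
    echo " ERROR! openssl/x509.h or openssl library not found."
    AC_MSG_ERROR("Fatal!")
  fi
fi
###### End OpenAppId

# let's make some fixes..
# Fold the platform/feature flags collected above into the real variables and
# drop any explicit -I/usr/include, which would otherwise reorder the system
# include search path.
CFLAGS="${CFLAGS} ${CCONFIGFLAGS}"
CFLAGS=`echo $CFLAGS | sed -e 's/-I\/usr\/include //g'`
CPPFLAGS="${CPPFLAGS} ${CONFIGFLAGS}"
CPPFLAGS=`echo $CPPFLAGS | sed -e 's/-I\/usr\/include //g'`

# GCC 4.x only: strict aliasing is switched off (presumably because the
# decoders type-pun packet buffers). Later GCC versions are not matched by
# this pattern and keep the default.
if test "x$GCC" = "xyes" ; then
  echo `$CC -v 2>&1` | grep "version 4" > /dev/null
  if test $? = 0 ; then
    CFLAGS="$CFLAGS -fno-strict-aliasing"
  fi
fi

if test "x$linux" = "xyes"; then
  AC_MSG_CHECKING(for linuxthreads)
  tstr=`getconf GNU_LIBPTHREAD_VERSION 2>&1`
  if test $? = 0; then
    # GNU_LIBPTHREAD_VERSION is a valid system variable
    echo $tstr | grep -i linuxthreads > /dev/null 2>&1
    if test $? = 0; then
      AC_DEFINE([HAVE_LINUXTHREADS],[1],[Define whether linuxthreads is being used])
      AC_MSG_RESULT(yes)
    else
      AC_MSG_RESULT(no)
    fi
  else
    # Use libc.so to see if linuxthreads is being used
    # NOTE(review): this fallback *executes* the libc.so path scraped from
    # `ldd ls` (glibc's libc prints its banner when run) and relies on the
    # GNU-only `which --skip-alias`. It is reached only when getconf does
    # not know GNU_LIBPTHREAD_VERSION, i.e. on a very old glibc; on anything
    # current it never runs.
    $( ldd `which --skip-alias ls` | grep libc.so | awk '{print $3}' ) | grep -i linuxthreads > /dev/null 2>&1
    if test $? = 0; then
      AC_DEFINE([HAVE_LINUXTHREADS],[1],[Define whether linuxthreads is being used])
      AC_MSG_RESULT(yes)
    else
      AC_MSG_RESULT(no)
    fi
  fi
fi

# yylex_destroy() is available from flex 2.5.9 on; parse the version string
# to decide whether the generated scanners can release their buffers.
if test "$LEX" != "none"; then
  AC_MSG_CHECKING(for yylex_destroy support)
  version=`$LEX --version | awk '{print $3}'`
  if test -z $version; then
    version=`$LEX --version | awk '{print $2}'`
  fi
  have_yylex_destroy="no"
  if test $version; then
    major=`echo $version | awk -F. '{ print $1 }'`
    minor=`echo $version | awk -F. '{ print $2 }'`
    subminor=`echo $version | awk -F. '{ print $3 }'`
    if test $major -a $minor -a $subminor; then
      if test $major -gt 2; then
        have_yylex_destroy="yes"
      else
        if test $major -eq 2; then
          if test $minor -gt 5; then
            have_yylex_destroy="yes"
          else
            if test $minor -eq 5; then
              if test $subminor -ge 9; then
                have_yylex_destroy="yes"
              fi
            fi
          fi
        fi
      fi
    fi
  fi
  if test "x$have_yylex_destroy" = "xyes"; then
    AC_MSG_RESULT(yes)
    AC_DEFINE([HAVE_YYLEX_DESTROY],[1],[Define whether yylex_destroy is supported in flex version])
  else
    AC_MSG_RESULT(no)
  fi
fi

# Set to no optimization regardless of what user or autostuff set
if test "x$NO_OPTIMIZE" = "xyes"; then
  CFLAGS=`echo $CFLAGS | sed -e "s/-O./-O0/"`
  # in case user override doesn't include -O
  if echo $CFLAGS | grep -qve -O0 ; then
    CFLAGS="$CFLAGS -O0"
  fi
fi

if test "x$ADD_WERROR" = "xyes"; then
  CFLAGS="$CFLAGS -Werror"
fi

# NOTE(review): no hardening flags are probed or added anywhere in this
# file (-fstack-protector, -D_FORTIFY_SOURCE, -Wl,-z,relro,-z,now, PIE);
# for a sensor that parses hostile traffic, packagers should supply them
# through CFLAGS/LDFLAGS.
if test -n "$GCC"; then
  CFLAGS="$CFLAGS -Wall"
fi

# Record the final flags beside the build for later inspection.
echo $CFLAGS > cflags.out
echo $CPPFLAGS > cppflags.out

INCLUDES='-I$(top_srcdir) -I$(top_srcdir)/src -I$(top_srcdir)/src/sfutil $(extra_incl) -I$(top_srcdir)/src/output-plugins -I$(top_srcdir)/src/detection-plugins -I$(top_srcdir)/src/dynamic-plugins -I$(top_srcdir)/src/preprocessors -I$(top_srcdir)/src/preprocessors/portscan -I$(top_srcdir)/src/preprocessors/HttpInspect/include -I$(top_srcdir)/src/preprocessors/Session -I$(top_srcdir)/src/preprocessors/Stream6 -I$(top_srcdir)/src/target-based -I$(top_srcdir)/src/control -I$(top_srcdir)/src/file-process -I$(top_srcdir)/src/file-process/libs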
-I$(top_srcdir)/src/side-channel -I$(top_srcdir)/src/side-channel/plugins' AC_SUBST(INCLUDES) AC_SUBST(CONFIGFLAGS) AC_SUBST(CCONFIGFLAGS) AC_SUBST(ICONFIGFLAGS) AC_PROG_INSTALL AC_CONFIG_FILES([ \ snort.pc \ Makefile \ src/Makefile \ src/sfutil/Makefile \ src/control/Makefile \ src/file-process/Makefile \ src/file-process/libs/Makefile \ src/side-channel/Makefile \ src/side-channel/dynamic-plugins/Makefile \ src/side-channel/dynamic-plugins/snort_side_channel.pc \ src/side-channel/plugins/Makefile \ src/detection-plugins/Makefile \ src/dynamic-examples/Makefile \ src/dynamic-examples/dynamic-preprocessor/Makefile \ src/dynamic-examples/dynamic-rule/Makefile \ src/dynamic-plugins/Makefile \ src/dynamic-plugins/sf_engine/Makefile \ src/dynamic-plugins/sf_engine/examples/Makefile \ src/dynamic-plugins/sf_preproc_example/Makefile \ src/dynamic-preprocessors/Makefile \ src/dynamic-preprocessors/libs/Makefile \ src/dynamic-preprocessors/libs/snort_preproc.pc \ src/dynamic-preprocessors/ftptelnet/Makefile \ src/dynamic-preprocessors/smtp/Makefile \ src/dynamic-preprocessors/ssh/Makefile \ src/dynamic-preprocessors/sip/Makefile \ src/dynamic-preprocessors/reputation/Makefile \ src/dynamic-preprocessors/gtp/Makefile \ src/dynamic-preprocessors/dcerpc2/Makefile \ src/dynamic-preprocessors/pop/Makefile \ src/dynamic-preprocessors/imap/Makefile \ src/dynamic-preprocessors/sdf/Makefile \ src/dynamic-preprocessors/dns/Makefile \ src/dynamic-preprocessors/ssl/Makefile \ src/dynamic-preprocessors/modbus/Makefile \ src/dynamic-preprocessors/dnp3/Makefile \ src/dynamic-preprocessors/file/Makefile \ src/dynamic-preprocessors/appid/Makefile \ src/dynamic-output/Makefile \ src/dynamic-output/plugins/Makefile \ src/dynamic-output/libs/Makefile \ src/dynamic-output/libs/snort_output.pc \ src/output-plugins/Makefile \ src/preprocessors/Makefile \ src/preprocessors/HttpInspect/Makefile \ src/preprocessors/HttpInspect/include/Makefile \ src/preprocessors/HttpInspect/utils/Makefile \ 
src/preprocessors/HttpInspect/anomaly_detection/Makefile \ src/preprocessors/HttpInspect/client/Makefile \ src/preprocessors/HttpInspect/files/Makefile \ src/preprocessors/HttpInspect/event_output/Makefile \ src/preprocessors/HttpInspect/mode_inspection/Makefile \ src/preprocessors/HttpInspect/normalization/Makefile \ src/preprocessors/HttpInspect/server/Makefile \ src/preprocessors/HttpInspect/session_inspection/Makefile \ src/preprocessors/HttpInspect/user_interface/Makefile \ src/preprocessors/Session/Makefile \ src/preprocessors/Stream6/Makefile \ src/parser/Makefile \ src/target-based/Makefile \ doc/Makefile \ rpm/Makefile \ preproc_rules/Makefile \ m4/Makefile \ etc/Makefile \ templates/Makefile \ tools/Makefile \ tools/control/Makefile \ tools/u2boat/Makefile \ tools/u2spewfoo/Makefile \ tools/u2openappid/Makefile \ tools/u2streamer/Makefile \ tools/file_server/Makefile \ src/win32/Makefile]) AC_OUTPUT snort-2.9.7.0/preproc_rules/0000755000000000000000000000000012416771510012673 500000000000000snort-2.9.7.0/preproc_rules/sensitive-data.rules0000644000000000000000000000243511435274307016615 00000000000000alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;) #alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. 
Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;) snort-2.9.7.0/preproc_rules/preprocessor.rules0000644000000000000000000012477412406100153016420 00000000000000alert ( msg: "TAG_LOG_PKT"; sid: 1; gid: 2; rev: 1; metadata: rule-type preproc ; classtype:not-suspicious; ) alert ( msg: "BO_TRAFFIC_DETECT"; sid: 1; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; ) alert ( msg: "BO_CLIENT_TRAFFIC_DETECT"; sid: 2; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660; ) alert ( msg: "BO_SERVER_TRAFFIC_DETECT"; sid: 3; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,1999-0660;) alert ( msg: "BO_SNORT_BUFFER_ATTACK"; sid: 4; gid: 105; rev: 1; metadata: rule-type preproc, policy balanced-ips drop, policy security-ips drop ; classtype:trojan-activity; reference:cve,2005-3252; ) alert ( msg: "RPC_FRAG_TRAFFIC"; sid: 1; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc ; classtype:protocol-command-decode; ) alert ( msg: "RPC_MULTIPLE_RECORD"; sid: 2; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc ; 
classtype:protocol-command-decode; ) alert ( msg: "RPC_LARGE_FRAGSIZE"; sid: 3; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; ) alert ( msg: "RPC_INCOMPLETE_SEGMENT"; sid: 4; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; ) alert ( msg: "RPC_ZERO_LENGTH_FRAGMENT"; sid: 5; gid: 106; rev: 1; metadata: rule-type preproc, service sunrpc, policy security-ips alert ; classtype:bad-unknown; ) alert ( msg: "ARPSPOOF_UNICAST_ARP_REQUEST"; sid: 1; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) alert ( msg: "ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC"; sid: 2; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST"; sid: 3; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "HI_CLIENT_ASCII"; sid: 1; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2009-1535; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; reference:url,docs.idsresearch.org/http_ids_evasions.pdf; ) alert ( msg: "HI_CLIENT_DOUBLE_DECODE"; sid: 2; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; reference:cve,2009-1122; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; ) alert ( msg: "HI_CLIENT_U_ENCODE"; sid: 3; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; ) alert ( msg: "HI_CLIENT_BARE_BYTE"; sid: 4; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; ) alert ( msg: "HI_CLIENT_UTF_8"; sid: 6; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; 
reference:cve,2008-2938; reference:cve,2009-1535; reference:url,www.microsoft.com/technet/security/bulletin/ms09-020.mspx; ) alert ( msg: "HI_CLIENT_IIS_UNICODE"; sid: 7; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2009-1535; ) alert ( msg: "HI_CLIENT_MULTI_SLASH"; sid: 8; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; ) alert ( msg: "HI_CLIENT_IIS_BACKSLASH"; sid: 9; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:not-suspicious; ) alert ( msg: "HI_CLIENT_SELF_DIR_TRAV"; sid: 10; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; ) alert ( msg: "HI_CLIENT_DIR_TRAV"; sid: 11; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2001-0333; reference:cve,2002-1744; reference:cve,2008-5515; ) alert ( msg: "HI_CLIENT_APACHE_WS"; sid: 12; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; ) alert ( msg: "HI_CLIENT_IIS_DELIMITER"; sid: 13; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; ) alert ( msg: "HI_CLIENT_NON_RFC_CHAR"; sid: 14; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; ) alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2007-0774; reference:bugtraq,22791; reference:cve,2010-3281; reference:bugtraq,43338; reference:cve,2011-5007; ) alert ( msg: "HI_CLIENT_LARGE_CHUNK"; sid: 16; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:attempted-admin; ) alert ( msg: "HI_CLIENT_PROXY_USE"; sid: 17; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:protocol-command-decode; ) alert ( msg: "HI_CLIENT_WEBROOT_DIR"; sid: 18; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; reference:cve,2001-0333; 
reference:cve,2002-1744; reference:cve,2008-5515; ) alert ( msg: "HI_CLIENT_LONG_HEADER"; sid: 19; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2009-4873; ) alert ( msg: "HI_CLIENT_MAX_HEADERS"; sid: 20; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_MULTIPLE_CONTLEN"; sid: 21; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CHUNK_SIZE_MISMATCH"; sid: 22; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_INVALID_TRUEIP"; sid:23; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_MULTIPLE_HOST_HDRS"; sid:24; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_LONG_HOSTNAME"; sid:25; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_EXCEEDS_SPACES"; sid:26; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos;reference:cve,2004-0942; ) alert ( msg: "HI_CLIENT_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 27; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_UNBOUNDED POST"; sid: 28; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_MULTIPLE_TRUEIP_IN_SESSION"; sid: 29; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_BOTH_TRUEIP_XFF_HDRS"; sid: 30; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_SIMPLE_REQUEST"; sid: 32; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_UNESCAPED_SPACE_URI"; sid: 33; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLIENT_PIPELINE_MAX "; sid: 34; gid: 119; 
rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_ANOM_SERVER_ALERT"; sid: 1; gid: 120; rev: 1; metadata: rule-type preproc, service http ; classtype:unknown; ) alert ( msg: "HI_SERVER_INVALID_STATCODE"; sid: 2; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_NO_CONTLEN"; sid: 3; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_UTF_NORM_FAIL"; sid: 4; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_UTF7"; sid: 5; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_DECOMPR_FAILED"; sid: 6; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_CONSECUTIVE_SMALL_CHUNK_SIZES"; sid: 7; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_CLISRV_MSG_SIZE_EXCEPTION"; sid: 8; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_JS_OBFUSCATION_EXCD"; sid: 9; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_JS_EXCESS_WS"; sid: 10; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_MIXED_ENCODINGS "; sid: 11; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_SWF_ZLIB_FAILURE"; sid: 12; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_SWF_LZMA_FAILURE"; sid: 13; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_PDF_DEFLATE_FAILURE"; sid: 14; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_PDF_UNSUP_COMP_TYPE"; sid: 15; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "HI_SERVER_PDF_CASC_COMP"; sid: 16; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( 
msg: "HI_SERVER_PDF_PARSE_FAILURE"; sid: 17; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_TCP_DECOY_PORTSCAN"; sid: 2; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_TCP_PORTSWEEP"; sid: 3; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_TCP_DISTRIBUTED_PORTSCAN"; sid: 4; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_TCP_FILTERED_PORTSCAN"; sid: 5; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_TCP_FILTERED_DECOY_PORTSCAN"; sid: 6; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_TCP_PORTSWEEP_FILTERED"; sid: 7; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_TCP_FILTERED_DISTRIBUTED_PORTSCAN"; sid: 8; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_IP_PORTSCAN"; sid: 9; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_IP_DECOY_PORTSCAN"; sid: 10; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_IP_PORTSWEEP"; sid: 11; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_IP_DISTRIBUTED_PORTSCAN"; sid: 12; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_IP_FILTERED_PORTSCAN"; sid: 13; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_IP_FILTERED_DECOY_PORTSCAN"; sid: 14; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon;) alert ( msg: "PSNG_IP_PORTSWEEP_FILTERED"; sid: 15; gid: 122; rev: 1; metadata: rule-type preproc ; 
classtype:attempted-recon; ) alert ( msg: "PSNG_IP_FILTERED_DISTRIBUTED_PORTSCAN"; sid: 16; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_UDP_PORTSCAN"; sid: 17; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_UDP_DECOY_PORTSCAN"; sid: 18; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_UDP_PORTSWEEP"; sid: 19; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_UDP_DISTRIBUTED_PORTSCAN"; sid: 20; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_UDP_FILTERED_PORTSCAN"; sid: 21; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_UDP_FILTERED_DECOY_PORTSCAN"; sid: 22; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_UDP_PORTSWEEP_FILTERED"; sid: 23; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_UDP_FILTERED_DISTRIBUTED_PORTSCAN"; sid: 24; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_ICMP_PORTSWEEP"; sid: 25; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_ICMP_PORTSWEEP_FILTERED"; sid: 26; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "PSNG_OPEN_PORT"; sid: 27; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; ) alert ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) alert ( msg: "FRAG3_TEARDROP"; sid: 2; gid: 123; rev: 1; metadata: rule-type preproc ; reference:cve,1999-0015; reference:bugtraq,124; classtype:attempted-dos; ) alert ( msg: "FRAG3_SHORT_FRAG"; sid: 3; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) alert ( msg: 
"FRAG3_ANOMALY_OVERSIZE"; sid: 4; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; ) alert ( msg: "FRAG3_ANOMALY_ZERO"; sid: 5; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; ) alert ( msg: "FRAG3_ANOMALY_BADSIZE_SM"; sid: 6; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) alert ( msg: "FRAG3_ANOMALY_BADSIZE_LG"; sid: 7; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) alert ( msg: "FRAG3_ANOMALY_OVLP"; sid: 8; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) #alert ( msg: "FRAG3_IPV6_BSD_ICMP_FRAG"; sid: 9; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; ) #alert ( msg: "FRAG3_IPV6_BAD_FRAG_PKT"; sid: 10; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; ) alert ( msg: "FRAG3_MIN_TTL"; sid: 11; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "FRAG3_EXCESSIVE_OVERLAP"; sid: 12; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:attempted-dos; ) alert ( msg: "FRAG3_TINY_FAGMENT"; sid: 13; gid: 123; rev: 1; metadata: rule-type preproc ; reference:cve,2005-0209; classtype:attempted-dos; ) alert ( msg: "SMTP_COMMAND_OVERFLOW"; sid: 1; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0260; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; ) alert ( msg: "SMTP_DATA_HDR_OVERFLOW"; sid: 2; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2002-1337; reference:cve,2010-4344; ) alert ( msg: "SMTP_RESPONSE_OVERFLOW"; sid: 3; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-user; reference:cve,2002-1090; ) 
alert ( msg: "SMTP_SPECIFIC_CMD_OVERFLOW"; sid: 4; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; ) alert ( msg: "SMTP_UNKNOWN_CMD"; sid: 5; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; ) alert ( msg: "SMTP_ILLEGAL_CMD"; sid: 6; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:protocol-command-decode; ) alert ( msg: "SMTP_HEADER_NAME_OVERFLOW"; sid: 7; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0105; ) alert ( msg: "SMTP_XLINK2STATE_OVERFLOW"; sid: 8; gid: 124; rev: 1; metadata: rule-type preproc, service smtp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2005-0560; reference:url,www.microsoft.com/technet/security/bulletin/ms05-021.mspx; ) alert ( msg: "SMTP_B64_DECODING_FAILED"; sid: 10; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "SMTP_QP_DECODING_FAILED"; sid: 11; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) #alert ( msg: "SMTP_BITENC_DECODING_FAILED"; sid: 12; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "SMTP_UU_DECODING_FAILED"; sid: 13; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "SMTP_AUTH_ATTACK"; sid: 14; gid: 124; rev: 1; metadata: rule-type preproc, service smtp ; classtype:unknown; ) alert ( msg: "FTPP_FTP_TELNET_CMD"; sid: 1; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; reference:cve,2010-3867; reference:cve,2010-3972; reference:cve,2010-4221; reference:url,www.microsoft.com/technet/security/bulletin/MS11-004.mspx; ) alert ( msg: "FTPP_FTP_INVALID_CMD"; sid: 2; 
gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; reference:cve,2010-4221; ) alert ( msg: "FTPP_FTP_PARAMETER_LENGTH_OVERFLOW"; sid: 3; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2004-0286; reference:url,www.kb.cert.org/vuls/id/276653; reference:cve,1999-0368; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,2006-5815; reference:bugtraq,20992; ) alert ( msg: "FTPP_FTP_MALFORMED_PARAMETER"; sid: 4; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; ) alert ( msg: "FTPP_FTP_PARAMETER_STR_FORMAT"; sid: 5; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-admin; reference:cve,2000-0573; ) alert ( msg: "FTPP_FTP_RESPONSE_LENGTH_OVERFLOW"; sid: 6; gid: 125; rev: 1; metadata: rule-type preproc, service ftp, policy security-ips drop ; classtype:attempted-user; reference:cve,2007-3161; reference:cve,2010-1465; reference:url,www.kb.cert.org/vuls/id/276653; ) alert ( msg: "FTPP_FTP_ENCRYPTED"; sid: 7; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:protocol-command-decode; ) alert ( msg: "FTPP_FTP_BOUNCE"; sid: 8; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; reference:cve,1999-0017; reference:url,www.kb.cert.org/vuls/id/276653; ) alert ( msg: "FTPP_FTP_EVASIVE_TELNET_CMD"; sid: 9; gid: 125; rev: 1; metadata: rule-type preproc, service ftp ; classtype:bad-unknown; ) alert ( msg: "FTPP_TELNET_AYT_OVERFLOW"; sid: 1; gid: 126; rev: 1; metadata: rule-type preproc, service telnet, policy security-ips drop ; classtype:attempted-admin; reference:cve,2001-0554; ) alert ( msg: "FTPP_TELNET_ENCRYPTED"; sid: 2; gid: 126; rev: 1; metadata: rule-type preproc, service telnet ; classtype:protocol-command-decode;) alert ( msg: "FTPP_TELNET_SUBNEG_BEGIN_NO_END"; sid: 3; gid: 126; rev: 1; metadata: 
rule-type preproc, service telnet ; classtype:protocol-command-decode; ) alert ( msg: "SSH_EVENT_RESPOVERFLOW"; sid: 1; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-0639; reference:cve,2002-0640; classtype:attempted-admin;) alert ( msg: "SSH_EVENT_CRC32"; sid: 2; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2002-1024; reference:cve,2002-1547; reference:cve,2006-2971; reference:cve,2007-1051; reference:cve,2007-4654; classtype:attempted-admin;) alert ( msg: "SSH_EVENT_SECURECRT"; sid: 3; gid: 128; rev: 1; metadata: rule-type preproc, service ssh, policy security-ips drop ; reference:cve,2001-1466; reference:cve,2002-1059; classtype:attempted-admin;) alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;) alert ( msg: "SSH_EVENT_WRONGDIR"; sid: 5; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;) alert ( msg: "SSH_EVENT_PAYLOAD_SIZE"; sid: 6; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:bad-unknown;) alert ( msg: "SSH_EVENT_VERSION"; sid: 7; gid: 128; rev: 1; metadata: rule-type preproc, service ssh ; classtype:non-standard-protocol;) alert ( msg: "STREAM5_SYN_ON_EST"; sid: 1; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_DATA_ON_SYN"; sid: 2; gid: 129; rev: 1; metadata: rule-type preproc ; reference: cve,2009-1157; reference: bugtraq, 34429; classtype:protocol-command-decode; ) alert ( msg: "STREAM5_DATA_ON_CLOSED"; sid: 3; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) alert ( msg: "STREAM5_BAD_TIMESTAMP"; sid: 4; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; reference:cve,2009-1925; ) alert ( msg: "STREAM5_BAD_SEGMENT"; sid: 5; gid: 129; rev: 1; metadata: rule-type preproc 
; classtype:bad-unknown; ) alert ( msg: "STREAM5_WINDOW_TOO_LARGE"; sid: 6; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_EXCESSIVE_TCP_OVERLAPS"; sid: 7; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_DATA_AFTER_RESET"; sid: 8; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) alert ( msg: "STREAM5_SESSION_HIJACKED_CLIENT"; sid: 9; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:attempted-user; ) alert ( msg: "STREAM5_SESSION_HIJACKED_SERVER"; sid: 10; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:attempted-user; ) alert ( msg: "STREAM5_DATA_WITHOUT_FLAGS"; sid: 11; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) alert ( msg: "STREAM5_SMALL_SEGMENT"; sid: 12; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_4WAY_HANDSHAKE"; sid: 13; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_NO_TIMESTAMP"; sid: 14; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_BAD_RST"; sid: 15; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_BAD_FIN"; sid: 16; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_BAD_ACK"; sid: 17; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_DATA_AFTER_RST_RCVD"; sid: 18; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "STREAM5_WINDOW_SLAM"; sid: 19; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2013-0075; reference:url,technet.microsoft.com/en-us/security/bulletin/ms13-018; ) alert ( msg: "STREAM5_NO_3WHS"; sid: 20; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: 
"DNS_EVENT_OBSOLETE_TYPES"; sid: 1; gid: 131; rev: 1; metadata: rule-type preproc, service dns ; classtype:protocol-command-decode; ) alert ( msg: "DNS_EVENT_EXPERIMENTAL_TYPES"; sid: 2; gid: 131; rev: 1; metadata: rule-type preproc, service dns ; classtype:protocol-command-decode; ) alert ( msg: "DNS_EVENT_RDATA_OVERFLOW"; sid: 3; gid: 131; rev: 1; metadata: rule-type preproc, service dns, policy security-ips drop ; classtype:attempted-admin; reference:cve,2006-3441; reference:url,www.microsoft.com/technet/security/bulletin/ms06-041.mspx; ) alert ( msg: "DCE2_EVENT__MEMCAP"; sid: 1; gid: 133; rev: 1; metadata: rule-type preproc ; classtype: attempted-dos; ) alert ( msg: "DCE2_EVENT__SMB_BAD_NBSS_TYPE"; sid: 2; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_BAD_TYPE"; sid: 3; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_BAD_ID"; sid: 4; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_BAD_WCT"; sid: 5; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_BAD_BCC"; sid: 6; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_BAD_FORMAT"; sid: 7; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_BAD_OFF"; sid: 8; gid: 133; rev: 1; metadata: rule-type 
preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_TDCNT_ZERO"; sid: 9; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_NB_LT_SMBHDR"; sid: 10; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_NB_LT_COM"; sid: 11; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_NB_LT_BCC"; sid: 12; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_NB_LT_DSIZE"; sid: 13; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_TDCNT_LT_DSIZE"; sid: 14; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_DSENT_GT_TDCNT"; sid: 15; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_BCC_LT_DSIZE"; sid: 16; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_INVALID_DSIZE"; sid: 17; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; 
reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_TREE_CONNECTS"; sid: 18; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_READS"; sid: 19; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_EXCESSIVE_CHAINING"; sid: 20; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_MULT_CHAIN_SS"; sid: 21; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_MULT_CHAIN_TC"; sid: 22; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_CHAIN_SS_LOGOFF"; sid: 23; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_CHAIN_TC_TDIS"; sid: 24; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_CHAIN_OPEN_CLOSE"; sid: 25; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_INVALID_SHARE"; sid: 26; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert 
( msg: "DCE2_EVENT__CO_BAD_MAJ_VERSION"; sid: 27; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_BAD_MIN_VERSION"; sid: 28; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_BAD_PDU_TYPE"; sid: 29; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_FLEN_LT_HDR"; sid: 30; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_FLEN_LT_SIZE"; sid: 31; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_ZERO_CTX_ITEMS"; sid: 32; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_ZERO_TSYNS"; sid: 33; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_FRAG_LT_MAX_XMIT_FRAG"; sid: 34; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_FRAG_GT_MAX_XMIT_FRAG"; sid: 35; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; 
reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_ALTER_CHANGE_BYTE_ORDER"; sid: 36; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_CALL_ID"; sid: 37; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_OPNUM"; sid: 38; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CO_FRAG_DIFF_CTX_ID"; sid: 39; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CL_BAD_MAJ_VERSION"; sid: 40; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CL_BAD_PDU_TYPE"; sid: 41; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CL_DATA_LT_HDR"; sid: 42; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__CL_BAD_SEQ_NUM"; sid: 43; gid: 133; rev: 1; metadata: rule-type preproc, service dcerpc ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_DCNT_ZERO"; sid: 48; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; 
reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_DCNT_MISMATCH"; sid: 49; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_MAX_REQS_EXCEEDED"; sid: 50; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_REQS_SAME_MID"; sid: 51; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_DEPR_DIALECT_NEGOTIATED"; sid: 52; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_DEPR_COMMAND_USED"; sid: 53; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_UNUSUAL_COMMAND_USED"; sid: 54; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_INVALID_SETUP_COUNT"; sid: 55; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_MULTIPLE_NEGOTIATIONS"; sid: 56; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "DCE2_EVENT__SMB_EVASIVE_FILE_ATTRS"; sid: 57; gid: 133; rev: 1; metadata: rule-type preproc, service netbios-ssn ; classtype: bad-unknown; 
reference:url,msdn.microsoft.com/en-us/library/cc201989.aspx; ) alert ( msg: "PPM_EVENT_RULE_TREE_DISABLED"; sid: 1; gid: 134; rev: 1; metadata: rule-type preproc ; classtype: not-suspicious; ) alert ( msg: "PPM_EVENT_RULE_TREE_ENABLED"; sid: 2; gid: 134; rev: 1; metadata: rule-type preproc ; classtype: not-suspicious; ) alert ( msg: "PPM_EVENT_PACKET_ABORTED"; sid: 3; gid: 134; rev: 1; metadata: rule-type preproc ; classtype: not-suspicious; ) alert ( msg: "INTERNAL_EVENT_SYN_RECEIVED"; sid: 1; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; ) alert ( msg: "INTERNAL_EVENT_SESSION_ADD"; sid: 2; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; ) alert ( msg: "INTERNAL_EVENT_SESSION_DEL"; sid: 3; gid: 135; rev: 1; metadata: rule-type preproc ; classtype:tcp-connection; ) alert ( msg: "REPUTATION_EVENT_BLACKLIST"; sid: 1; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "REPUTATION_EVENT_WHITELIST"; sid: 2; gid: 136; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SSL_INVALID_CLIENT_HELLO"; sid: 1; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-011; reference:cve,2004-0120; reference:bugtraq,10115; ) alert ( msg: "SSL_INVALID_SERVER_HELLO"; sid: 2; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SSL_HEARTBEAT_READ_OVERRUN_ATTEMPT"; sid: 3; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SSL_LARGE_HEARTBEAT_RESPONSE"; sid: 4; gid: 137; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SDF_COMBO_ALERT"; sid: 1; gid: 139; rev: 1; metadata: rule-type preproc ; classtype:sdf; ) alert ( msg: "SIP_EVENT_MAX_SESSIONS"; sid: 1; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_EMPTY_REQUEST_URI"; sid: 2; gid: 140; rev: 1; 
metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2007-1306; ) alert ( msg: "SIP_EVENT_BAD_URI"; sid: 3; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_EMPTY_CALL_ID"; sid: 4; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_BAD_CALL_ID"; sid: 5; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_BAD_CSEQ_NUM"; sid: 6; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_BAD_CSEQ_NAME"; sid: 7; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2006-3524; ) alert ( msg: "SIP_EVENT_EMPTY_FROM"; sid: 8; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_BAD_FROM"; sid: 9; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_EMPTY_TO"; sid: 10; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_BAD_TO"; sid: 11; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_EMPTY_VIA"; sid: 12; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:bugtraq,25446; ) alert ( msg: "SIP_EVENT_BAD_VIA"; sid: 13; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_EMPTY_CONTACT"; sid: 14; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_BAD_CONTACT"; sid: 15; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_BAD_CONTENT_LEN"; sid: 16; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_MULTI_MSGS"; sid: 17; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_MISMATCH_CONTENT_LEN"; sid: 18; gid: 140; rev: 1; metadata: 
rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_INVALID_CSEQ_NAME"; sid: 19; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:cve,2006-3524; ) alert ( msg: "SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK"; sid: 20; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_AUTH_INVITE_DIFF_SESSION"; sid: 21; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_BAD_STATUS_CODE"; sid: 22; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_EMPTY_CONTENT_TYPE"; sid: 23; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; reference:bugtraq,25300; ) alert ( msg: "SIP_EVENT_INVALID_VERSION"; sid: 24; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_MISMATCH_METHOD"; sid: 25; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_UNKOWN_METHOD"; sid: 26; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "SIP_EVENT_MAX_DIALOGS_IN_A_SESSION"; sid: 27; gid: 140; rev: 1; metadata: rule-type preproc ; classtype:bad-unknown; ) alert ( msg: "IMAP_UNKNOWN_CMD"; sid: 1; gid: 141; rev: 1; metadata: rule-type preproc, service imap ; classtype:protocol-command-decode; ) alert ( msg: "IMAP_UNKNOWN_RESP"; sid: 2; gid: 141; rev: 1; metadata: rule-type preproc, service imap ; classtype:protocol-command-decode; ) alert ( msg: "IMAP_MEMCAP_EXCEEDED"; sid: 3; gid: 141; rev: 1; metadata: rule-type preproc, service imap ; classtype:unknown; ) alert ( msg: "IMAP_B64_DECODING_FAILED"; sid: 4; gid: 141; rev: 1; metadata: rule-type preproc, service imap ; classtype:unknown; ) alert ( msg: "IMAP_QP_DECODING_FAILED"; sid: 5; gid: 141; rev: 1; metadata: rule-type preproc, service imap ; classtype:unknown; ) #alert ( msg: "IMAP_BITENC_DECODING_FAILED"; sid: 6; gid: 141; rev: 1; metadata: 
rule-type preproc, service imap ; classtype:unknown; ) alert ( msg: "IMAP_UU_DECODING_FAILED"; sid: 7; gid: 141; rev: 1; metadata: rule-type preproc, service imap ; classtype:unknown; ) alert ( msg: "POP_UNKNOWN_CMD"; sid: 1; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) alert ( msg: "POP_UNKNOWN_RESP"; sid: 2; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:protocol-command-decode; ) alert ( msg: "POP_MEMCAP_EXCEEDED"; sid: 3; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) alert ( msg: "POP_B64_DECODING_FAILED"; sid: 4; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) alert ( msg: "POP_QP_DECODING_FAILED"; sid: 5; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) #alert ( msg: "POP_BITENC_DECODING_FAILED"; sid: 6; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) alert ( msg: "POP_UU_DECODING_FAILED"; sid: 7; gid: 142; rev: 1; metadata: rule-type preproc, service pop ; classtype:unknown; ) alert ( msg: "GTP_EVENT_BAD_MSG_LEN"; sid: 1; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; ) alert ( msg: "GTP_EVENT_BAD_IE_LEN"; sid: 2; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; ) alert ( msg: "GTP_EVENT_OUT_OF_ORDER_IE"; sid: 3; gid: 143; rev: 1; metadata: rule-type preproc; classtype:bad-unknown; ) alert ( msg: "MODBUS_BAD_LENGTH"; sid:1; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) alert ( msg: "MODBUS_BAD_PROTO_ID"; sid:2; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) alert ( msg: "MODBUS_RESERVED_FUNCTION"; sid:3; gid: 144; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) alert ( msg: "DNP3_BAD_CRC"; sid:1; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) alert ( msg: 
"DNP3_DROPPED_FRAME"; sid:2; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) alert ( msg: "DNP3_DROPPED_SEGMENT"; sid:3; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) alert ( msg: "DNP3_REASSEMBLY_BUFFER_CLEARED"; sid:4; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) alert ( msg: "DNP3_RESERVED_ADDRESS"; sid:5; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) alert ( msg: "DNP3_RESERVED_FUNCTION"; sid:6; gid:145; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; ) snort-2.9.7.0/preproc_rules/Makefile.in0000644000000000000000000003007012416771457014672 00000000000000# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. @SET_MAKE@ VPATH = @srcdir@ am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) 
;; \ *) echo "am__make_running_with_option: internal error: invalid" \ "target option '$${target_option-}' specified" >&2; \ exit 1;; \ esac; \ has_opt=no; \ sane_makeflags=$$MAKEFLAGS; \ if $(am__is_gnu_make); then \ sane_makeflags=$$MFLAGS; \ else \ case $$MAKEFLAGS in \ *\\[\ \ ]*) \ bs=\\; \ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ esac; \ fi; \ skip_next=no; \ strip_trailopt () \ { \ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ }; \ for flg in $$sane_makeflags; do \ test $$skip_next = yes && { skip_next=no; continue; }; \ case $$flg in \ *=*|--*) continue;; \ -*I) strip_trailopt 'I'; skip_next=yes;; \ -*I?*) strip_trailopt 'I';; \ -*O) strip_trailopt 'O'; skip_next=yes;; \ -*O?*) strip_trailopt 'O';; \ -*l) strip_trailopt 'l'; skip_next=yes;; \ -*l?*) strip_trailopt 'l';; \ -[dEDm]) skip_next=yes;; \ -[JT]) skip_next=yes;; \ esac; \ case $$flg in \ *$$target_option*) has_opt=yes; break;; \ esac; \ done; \ test $$has_opt = yes am__make_dryrun = (target_option=n; $(am__make_running_with_option)) am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ subdir = preproc_rules DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = 
$(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false am__v_P_1 = : AM_V_GEN = $(am__v_GEN_@AM_V@) am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) am__v_GEN_0 = @echo " GEN " $@; am__v_GEN_1 = AM_V_at = $(am__v_at_@AM_V@) am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) am__v_at_0 = @ am__v_at_1 = depcomp = am__depfiles_maybe = SOURCES = DIST_SOURCES = am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ *) (install-info --version) >/dev/null 2>&1;; \ esac am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CCONFIGFLAGS = @CCONFIGFLAGS@ CFLAGS = @CFLAGS@ CONFIGFLAGS = @CONFIGFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ GREP = @GREP@ ICONFIGFLAGS = @ICONFIGFLAGS@ INCLUDES = @INCLUDES@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ LUA_CFLAGS = @LUA_CFLAGS@ LUA_LIBS = @LUA_LIBS@ MAINT = @MAINT@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ 
PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ RANLIB = @RANLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SIGNAL_SNORT_DUMP_STATS = @SIGNAL_SNORT_DUMP_STATS@ SIGNAL_SNORT_READ_ATTR_TBL = @SIGNAL_SNORT_READ_ATTR_TBL@ SIGNAL_SNORT_RELOAD = @SIGNAL_SNORT_RELOAD@ SIGNAL_SNORT_ROTATE_STATS = @SIGNAL_SNORT_ROTATE_STATS@ STRIP = @STRIP@ VERSION = @VERSION@ XCCFLAGS = @XCCFLAGS@ YACC = @YACC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ extra_incl = @extra_incl@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ luajit_CFLAGS = @luajit_CFLAGS@ luajit_LIBS = @luajit_LIBS@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = 
foreign no-dependencies EXTRA_DIST = preprocessor.rules decoder.rules sensitive-data.rules all: all-am .SUFFIXES: $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign preproc_rules/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign preproc_rules/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs tags TAGS: ctags CTAGS: cscope cscopelist: distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else 
d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am check: check-am all-am: Makefile installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: if test -z '$(STRIP)'; then \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ install; \ else \ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ fi mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-generic clean-libtool mostlyclean-am distclean: distclean-am -rm -f Makefile distclean-am: clean-am distclean-generic dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-generic mostlyclean-libtool pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: install-am install-strip .PHONY: all all-am check check-am clean clean-generic clean-libtool \ cscopelist-am ctags-am distclean distclean-generic \ distclean-libtool distdir dvi dvi-am html html-am info info-am \ install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags-am uninstall uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT: snort-2.9.7.0/preproc_rules/decoder.rules0000644000000000000000000004757112243745447015322 00000000000000alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:1; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode;) alert ( msg:"DECODE_IPV4_INVALID_HEADER_LEN"; sid:2; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV4_DGRAM_LT_IPHDR"; sid:3; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV4OPT_BADLEN"; sid:4; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV4OPT_TRUNCATED"; sid:5; gid:116; rev:1; metadata:rule-type decode; reference:cve,2005-0048; reference:url,www.microsoft.com/technet/security/bulletin/ms05-019.mspx; classtype:protocol-command-decode;) alert ( msg:"DECODE_IPV4_DGRAM_GT_CAPLEN"; sid:6; gid:116; rev:1; metadata:rule-type decode;classtype:protocol-command-decode; ) alert ( msg:"DECODE_TCP_DGRAM_LT_TCPHDR"; sid:45; gid:116; rev:1; metadata:rule-type decode;classtype:protocol-command-decode; ) alert ( msg:"DECODE_TCP_INVALID_OFFSET"; sid:46; gid:116; rev:1; metadata:rule-type decode; reference:cve,2004-0816; classtype:bad-unknown; ) alert ( msg:"DECODE_TCP_LARGE_OFFSET"; sid:47; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_TCPOPT_BADLEN"; sid:54; gid:116; rev:1; metadata:rule-type decode; reference:bugtraq,14811; classtype:protocol-command-decode; ) alert ( msg:"DECODE_TCPOPT_TRUNCATED"; sid:55; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_TCPOPT_TTCP"; sid:56; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_TCPOPT_OBSOLETE"; sid:57; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_TCPOPT_EXPERIMENT"; sid:58; gid:116; rev:1; metadata:rule-type decode; 
classtype:protocol-command-decode; ) alert ( msg:"DECODE_TCPOPT_WSCALE_INVALID"; sid:59; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_UDP_DGRAM_LT_UDPHDR"; sid:95; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_UDP_DGRAM_INVALID_LENGTH"; sid:96; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_UDP_DGRAM_SHORT_PACKET"; sid:97; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_UDP_DGRAM_LONG_PACKET"; sid:98; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMP_DGRAM_LT_ICMPHDR"; sid:105; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMP_DGRAM_LT_TIMESTAMPHDR"; sid:106; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMP_DGRAM_LT_ADDRHDR"; sid:107; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV4_DGRAM_UNKNOWN"; sid:108; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ARP_TRUNCATED"; sid:109; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_EAPOL_TRUNCATED"; sid:110; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_EAPKEY_TRUNCATED"; sid:111; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_EAP_TRUNCATED"; sid:112; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_PPPOE"; sid:120; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_VLAN"; sid:130; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_VLAN_ETHLLC"; sid:131; gid:116; rev:1; metadata:rule-type decode; 
classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_VLAN_OTHER"; sid:132; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_80211_ETHLLC"; sid:133; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_80211_OTHER"; sid:134; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_TRH"; sid:140; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_TR_ETHLLC"; sid:141; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_TR_MR_LEN"; sid:142; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_TRHMR"; sid:143; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_TRAFFIC_LOOPBACK"; sid:150; gid:116; rev:1; metadata:rule-type decode;classtype:bad-unknown; ) alert ( msg:"DECODE_BAD_TRAFFIC_SAME_SRCDST"; sid:151; gid:116; rev:1; metadata:rule-type decode; reference:cve,1999-0016; reference:cve,2005-0688; reference:bugtraq,2666; reference:url,www.microsoft.com/technet/security/bulletin/ms05-019.mspx; classtype:bad-unknown; ) alert ( msg:"DECODE_GRE_DGRAM_LT_GREHDR"; sid:160; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_GRE_MULTIPLE_ENCAPSULATION"; sid:161; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_GRE_INVALID_VERSION"; sid:162; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_GRE_INVALID_HEADER"; sid:163; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_GRE_V1_INVALID_HEADER"; sid:164; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_GRE_TRANS_DGRAM_LT_TRANSHDR"; sid:165; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) 
alert ( msg:"DECODE_ICMP_ORIG_IP_TRUNCATED"; sid:250; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_ICMP_ORIG_IP_VER_MISMATCH"; sid:251; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMP_ORIG_DGRAM_LT_ORIG_IP"; sid:252; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMP_ORIG_PAYLOAD_LT_64"; sid:253; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMP_ORIG_PAYLOAD_GT_576"; sid:254; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMP_ORIG_IP_WITH_FRAGOFFSET"; sid:255; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_MIN_TTL"; sid:270; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_IS_NOT"; sid:271; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_TRUNCATED_EXT"; sid:272; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_IPV6_TRUNCATED"; sid:273; gid:116; rev:1; metadata:rule-type decode; classtype:bad-unknown; ) alert ( msg:"DECODE_IPV6_DGRAM_LT_IPHDR"; sid:274; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_DGRAM_GT_CAPLEN"; sid:275; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_DST_ZERO"; sid:276; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_SRC_MULTICAST"; sid:277; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_DST_RESERVED_MULTICAST"; sid:278; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_BAD_OPT_TYPE"; sid:279; 
gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_BAD_MULTICAST_SCOPE"; sid:280; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_BAD_NEXT_HEADER"; sid:281; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_ROUTE_AND_HOPBYHOP"; sid:282; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_TWO_ROUTE_HEADERS"; sid:283; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMPV6_TOO_BIG_BAD_MTU"; sid:285; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMPV6_UNREACHABLE_NON_RFC_2463_CODE"; sid:286; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_CODE"; sid:287; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMPV6_ADVERT_BAD_CODE"; sid:288; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_RESERVED"; sid:289; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMPV6_ADVERT_BAD_REACHABLE"; sid:290; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_TUNNELED_IPV4_TRUNCATED"; sid:291; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-dos; reference:cve,2008-2136; reference:bugtraq,29235; ) alert ( msg:"DECODE_IPV6_DSTOPTS_WITH_ROUTING"; sid:292; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IP_MULTIPLE_ENCAPSULATION"; sid:293; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ESP_HEADER_TRUNC"; sid:294; gid:116; rev:1; metadata:rule-type 
decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_BAD_OPT_LEN"; sid:295; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_UNORDERED_EXTENSIONS"; sid:296; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_GTP_MULTIPLE_ENCAPSULATION"; sid:297; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_GTP_BAD_LEN_STR"; sid:298; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_BAD_MPLS"; sid:170; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_BAD_MPLS_LABEL0"; sid:171; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_BAD_MPLS_LABEL1"; sid:172; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_BAD_MPLS_LABEL2"; sid:173; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_BAD_MPLS_LABEL3"; sid:174; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_MPLS_RESERVEDLABEL"; sid:175; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_MPLS_LABEL_STACK"; sid:176; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_TCP_XMAS"; sid: 400; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-recon; reference:bugtraq,7700; reference:cve,2003-0393; ) alert ( msg:"DECODE_TCP_NMAP_XMAS"; sid: 401; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-recon; reference:bugtraq,7700; reference:cve,2003-0393; ) alert ( msg:"DECODE_DOS_NAPTHA"; sid: 402; gid: 116; rev: 1; metadata: rule-type decode ; classtype:attempted-dos; reference:bugtraq,2022; reference:cve,2000-1039; reference:nessus,275; 
reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; ) alert ( msg:"DECODE_SYN_TO_MULTICAST"; sid: 403; gid: 116; rev: 1; metadata: rule-type decode ; classtype:bad-unknown; ) alert ( msg:"DECODE_ZERO_TTL"; sid: 404; gid: 116; rev: 1; metadata: rule-type decode ; classtype:misc-activity; reference:url,support.microsoft.com/kb/q138268; reference:url,tools.ietf.org/html/rfc1122; ) alert ( msg:"DECODE_BAD_FRAGBITS"; sid: 405; gid: 116; rev: 1; metadata: rule-type decode ; classtype:misc-activity; ) alert ( msg:"DECODE_UDP_IPV6_ZERO_CHECKSUM"; sid:406; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IP4_LEN_OFFSET"; sid:407; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_SRC_THIS_NET"; sid:408; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_DST_THIS_NET"; sid:409; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_SRC_MULTICAST"; sid:410; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_SRC_RESERVED"; sid:411; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_DST_RESERVED"; sid:412; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_SRC_BROADCAST"; sid:413; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_DST_BROADCAST"; sid:414; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_ICMP4_DST_MULTICAST"; sid:415; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_ICMP4_DST_BROADCAST"; sid:416; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( 
msg:"DECODE_ICMP4_TYPE_OTHER"; sid:418; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_TCP_BAD_URP"; sid:419; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_TCP_SYN_FIN"; sid:420; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_TCP_SYN_RST"; sid:421; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_TCP_MUST_ACK"; sid:422; gid:116; rev:2; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_TCP_NO_SYN_ACK_RST"; sid:423; gid:116; rev:2; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_ETH_HDR_TRUNC"; sid:424; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_HDR_TRUNC"; sid:425; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_ICMP4_HDR_TRUNC"; sid:426; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_ICMP6_HDR_TRUNC"; sid:427; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_MIN_TTL"; sid:428; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP6_ZERO_HOP_LIMIT"; sid:429; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_IP4_DF_OFFSET"; sid:430; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_ICMP6_TYPE_OTHER"; sid:431; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_ICMP6_DST_MULTICAST"; sid:432; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_TCP_SHAFT_SYNFLOOD"; sid:433; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-dos; reference:cve,2000-0138; ) alert ( msg:"DECODE_ICMP_PING_NMAP"; sid:434; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) 
alert ( msg:"DECODE_ICMP_ICMPENUM"; sid:435; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) alert ( msg:"DECODE_ICMP_REDIRECT_HOST"; sid:436; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) alert ( msg:"DECODE_ICMP_REDIRECT_NET"; sid:437; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) alert ( msg:"DECODE_ICMP_TRACEROUTE_IPOPTS"; sid:438; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) alert ( msg:"DECODE_ICMP_SOURCE_QUENCH"; sid:439; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) alert ( msg:"DECODE_ICMP_BROADSCAN_SMURF_SCANNER"; sid:440; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) alert ( msg:"DECODE_ICMP_DST_UNREACH_ADMIN_PROHIBITED"; sid:441; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) alert ( msg:"DECODE_ICMP_DST_UNREACH_DST_HOST_PROHIBITED"; sid:442; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) alert ( msg:"DECODE_ICMP_DST_UNREACH_DST_NET_PROHIBITED"; sid:443; gid:116; rev:1; metadata:rule-type decode; classtype:attempted-recon; ) alert ( msg:"DECODE_IP_OPTION_SET"; sid:444; gid:116; rev:1; metadata:rule-type decode; classtype: bad-unknown; ) alert ( msg:"DECODE_UDP_LARGE_PACKET"; sid:445; gid:116; rev:1; metadata:rule-type decode; classtype: bad-unknown; ) alert ( msg:"DECODE_TCP_PORT_ZERO"; sid:446; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; ) alert ( msg:"DECODE_UDP_PORT_ZERO"; sid:447; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; ) alert ( msg:"DECODE_IP_RESERVED_FRAG_BIT"; sid:448; gid:116; rev:1; metadata:rule-type decode; classtype: misc-activity; ) alert ( msg:"DECODE_IP_UNASSIGNED_PROTO"; sid:449; gid:116; rev:1; metadata:rule-type decode; classtype: non-standard-protocol; ) alert ( msg:"DECODE_IP_BAD_PROTO"; sid:450; gid:116; rev:1; metadata:rule-type decode; classtype: non-standard-protocol; ) 
alert ( msg:"DECODE_ICMP_PATH_MTU_DOS"; sid:451; gid:116; rev:1; metadata:rule-type decode; reference:bugtraq,13124; reference:cve,2004-1060; classtype:attempted-dos;) alert ( msg:"DECODE_ICMP_DOS_ATTEMPT"; sid:452; gid:116; rev:1; metadata:rule-type decode; reference:url,www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.15.3; reference:cve,2006-0454; reference:bugtraq,16532; classtype:denial-of-service;) alert ( msg:"DECODE_IPV6_ISATAP_SPOOF"; sid:453; gid:116; rev:1; metadata:rule-type decode; reference:cve,2010-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS10-029.mspx; classtype:misc-attack; ) alert ( msg:"DECODE_PGM_NAK_OVERFLOW"; sid:454; gid:116; rev:1; metadata:rule-type decode; reference:url,www.microsoft.com/technet/security/bulletin/ms06-052.mspx; reference:cve,2006-3442; reference:bugtraq,19922; classtype:attempted-admin; ) alert ( msg:"DECODE_IGMP_OPTIONS_DOS"; sid:455; gid:116; rev:1; metadata:rule-type decode; reference:url,www.microsoft.com/technet/security/bulletin/ms06-007.mspx; reference:cve,2006-0021; reference:bugtraq,16645; classtype:attempted-dos; ) alert ( msg:"DECODE_IP6_EXCESS_EXT_HDR"; sid:456; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_ICMPV6_UNREACHABLE_NON_RFC_4443_CODE"; sid:457; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_BAD_FRAG_PKT"; sid:458; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ZERO_LENGTH_FRAG"; sid:459; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ICMPV6_SOLICITATION_BAD_CODE"; sid:460; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_IPV6_ROUTE_ZERO"; sid:461; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ERSPAN_HDR_VERSION_MISMATCH_STR"; sid:462; gid:116; rev:1; metadata:rule-type 
decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ERSPAN2_DGRAM_LT_HDR_STR"; sid:463; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_ERSPAN3_DGRAM_LT_HDR_STR"; sid:464; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode; ) alert ( msg:"DECODE_AUTH_HDR_TRUNC"; sid:465; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) alert ( msg:"DECODE_AUTH_HDR_BAD_LEN"; sid:466; gid:116; rev:1; metadata:rule-type decode; classtype:misc-activity; ) snort-2.9.7.0/preproc_rules/Makefile.am0000644000000000000000000000015511326435735014655 00000000000000AUTOMAKE_OPTIONS=foreign no-dependencies EXTRA_DIST = preprocessor.rules decoder.rules sensitive-data.rules snort-2.9.7.0/config.sub0000755000000000000000000010550312416771457011730 00000000000000#! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, # 2011, 2012, 2013 Free Software Foundation, Inc. timestamp='2012-12-29' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. 
This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # Please send patches with a ChangeLog entry to config-patches@gnu.org. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. # Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] CPU-MFR-OPSYS $0 [OPTION] ALIAS Canonicalize a configuration name. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.sub ($timestamp) Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Free Software Foundation, Inc. This is free software; see the source for copying conditions. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" exit 1 ;; *local*) # First pass through any local machine types. echo $1 exit ;; * ) break ;; esac done case $# in 0) echo "$me: missing argument$help" >&2 exit 1;; 1) ;; *) echo "$me: too many arguments$help" >&2 exit 1;; esac # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; android-linux) os=-linux-android basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] then os=`echo $1 | sed 's/.*-/-/'` else os=; fi ;; esac ### Let's recognize common machines as not being operating systems so ### that things like config.sub decstation-3100 work. We also ### recognize some manufacturers as not being operating systems, so we ### can provide default operating systems below. case $os in -sun*os*) # Prevent following clause from handling this invalid input. 
;; -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; -bluegene*) os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 ;; -scout) ;; -wrs) os=-vxworks basic_machine=$1 ;; -chorusos*) os=-chorusos basic_machine=$1 ;; -chorusrdb) os=-chorusrdb basic_machine=$1 ;; -hiux*) os=-hiuxwe2 ;; -sco6) os=-sco5v6 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco4) os=-sco3.2v4 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2.[4-9]*) os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2v[4-9]*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5v6*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -udk*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -isc) os=-isc2.2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -clix*) basic_machine=clipper-intergraph ;; -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -lynx*178) os=-lynxos178 ;; -lynx*5) os=-lynxos5 ;; -lynx*) os=-lynxos ;; -ptx*) basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` ;; -windowsnt*) os=`echo $os | sed -e 's/windowsnt/winnt/'` ;; -psos*) os=-psos ;; -mint | -mint[0-9]*) basic_machine=m68k-atari os=-mint ;; esac # Decode aliases for certain CPU-COMPANY combinations. 
case $basic_machine in # Recognize the basic CPU types without company name. # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc \ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ | avr | avr32 \ | be32 | be64 \ | bfin \ | c4x | clipper \ | d10v | d30v | dlx | dsp16xx \ | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ | mips64octeon | mips64octeonel \ | mips64orion | mips64orionel \ | mips64r5900 | mips64r5900el \ | mips64vr | mips64vrel \ | mips64vr4100 | mips64vr4100el \ | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ | nds32 | nds32le | nds32be \ | nios | nios2 \ | ns16k | ns32k \ | open8 \ | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ | spu \ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ | v850 | v850e | v850e1 | v850e2 | v850es | 
v850e2v3 \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; c54x) basic_machine=tic54x-unknown ;; c55x) basic_machine=tic55x-unknown ;; c6x) basic_machine=tic6x-unknown ;; m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | picochip) basic_machine=$basic_machine-unknown os=-none ;; m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) ;; ms1) basic_machine=mt-unknown ;; strongarm | thumb | xscale) basic_machine=arm-unknown ;; xgate) basic_machine=$basic_machine-unknown os=-none ;; xscaleeb) basic_machine=armeb-unknown ;; xscaleel) basic_machine=armel-unknown ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. i*86 | x86_64) basic_machine=$basic_machine-pc ;; # Object if more than one company name word. *-*-*) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; # Recognize the basic CPU types with company name. 
580-* \ | a29k-* \ | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ | mips64octeon-* | mips64octeonel-* \ | mips64orion-* | mips64orionel-* \ | mips64r5900-* | mips64r5900el-* \ | mips64vr-* | mips64vrel-* \ | mips64vr4100-* | mips64vr4100el-* \ | mips64vr4300-* | mips64vr4300el-* \ | mips64vr5000-* | mips64vr5000el-* \ | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ | nds32-* | nds32le-* | nds32be-* \ | nios-* | nios2-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | 
sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile*-* \ | tron-* \ | ubicom32-* \ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) ;; # Recognize the basic CPU types without company name, with glob match. xtensa*) basic_machine=$basic_machine-unknown ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 386bsd) basic_machine=i386-unknown os=-bsd ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) basic_machine=m68000-att ;; 3b*) basic_machine=we32k-att ;; a29khif) basic_machine=a29k-amd os=-udi ;; abacus) basic_machine=abacus-unknown ;; adobe68k) basic_machine=m68010-adobe os=-scout ;; alliant | fx80) basic_machine=fx80-alliant ;; altos | altos3068) basic_machine=m68k-altos ;; am29k) basic_machine=a29k-none os=-bsd ;; amd64) basic_machine=x86_64-pc ;; amd64-*) basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; amdahl) basic_machine=580-amdahl os=-sysv ;; amiga | amiga-*) basic_machine=m68k-unknown ;; amigaos | amigados) basic_machine=m68k-unknown os=-amigaos ;; amigaunix | amix) basic_machine=m68k-unknown os=-sysv4 ;; apollo68) basic_machine=m68k-apollo os=-sysv ;; apollo68bsd) basic_machine=m68k-apollo os=-bsd ;; aros) basic_machine=i386-pc os=-aros ;; aux) basic_machine=m68k-apple os=-aux ;; balance) basic_machine=ns32k-sequent os=-dynix ;; blackfin) basic_machine=bfin-unknown os=-linux ;; blackfin-*) basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; bluegene*) basic_machine=powerpc-ibm os=-cnk ;; c54x-*) basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c55x-*) basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; 
c6x-*) basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c90) basic_machine=c90-cray os=-unicos ;; cegcc) basic_machine=arm-unknown os=-cegcc ;; convex-c1) basic_machine=c1-convex os=-bsd ;; convex-c2) basic_machine=c2-convex os=-bsd ;; convex-c32) basic_machine=c32-convex os=-bsd ;; convex-c34) basic_machine=c34-convex os=-bsd ;; convex-c38) basic_machine=c38-convex os=-bsd ;; cray | j90) basic_machine=j90-cray os=-unicos ;; craynv) basic_machine=craynv-cray os=-unicosmp ;; cr16 | cr16-*) basic_machine=cr16-unknown os=-elf ;; crds | unos) basic_machine=m68k-crds ;; crisv32 | crisv32-* | etraxfs*) basic_machine=crisv32-axis ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; crx) basic_machine=crx-unknown os=-elf ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; decsystem10* | dec10*) basic_machine=pdp10-dec os=-tops10 ;; decsystem20* | dec20*) basic_machine=pdp10-dec os=-tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola ;; delta88) basic_machine=m88k-motorola os=-sysv3 ;; dicos) basic_machine=i686-pc os=-dicos ;; djgpp) basic_machine=i586-pc os=-msdosdjgpp ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx ;; dpx2* | dpx2*-bull) basic_machine=m68k-bull os=-sysv3 ;; ebmon29k) basic_machine=a29k-amd os=-ebmon ;; elxsi) basic_machine=elxsi-elxsi os=-bsd ;; encore | umax | mmax) basic_machine=ns32k-encore ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson os=-ose ;; fx2800) basic_machine=i860-alliant ;; genix) basic_machine=ns32k-ns ;; gmicro) basic_machine=tron-gmicro os=-sysv ;; go32) basic_machine=i386-pc os=-go32 ;; h3050r* | hiux*) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; h8300hms) basic_machine=h8300-hitachi os=-hms ;; h8300xray) basic_machine=h8300-hitachi os=-xray ;; h8500hms) basic_machine=h8500-hitachi os=-hms ;; harris) basic_machine=m88k-harris 
os=-sysv3 ;; hp300-*) basic_machine=m68k-hp ;; hp300bsd) basic_machine=m68k-hp os=-bsd ;; hp300hpux) basic_machine=m68k-hp os=-hpux ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) basic_machine=m68000-hp ;; hp9k3[2-9][0-9]) basic_machine=m68k-hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) basic_machine=hppa1.1-hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) basic_machine=hppa1.1-hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) basic_machine=hppa1.0-hp ;; hppa-next) os=-nextstep3 ;; hppaosf) basic_machine=hppa1.1-hp os=-osf ;; hppro) basic_machine=hppa1.1-hp os=-proelf ;; i370-ibm* | ibm*) basic_machine=i370-ibm ;; i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 ;; i*86v4*) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv4 ;; i*86v) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv ;; i*86sol2) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-solaris2 ;; i386mach) basic_machine=i386-mach os=-mach ;; i386-vsta | vsta) basic_machine=i386-unknown os=-vsta ;; iris | iris4d) basic_machine=mips-sgi case $os in -irix*) ;; *) os=-irix4 ;; esac ;; isi68 | isi) basic_machine=m68k-isi os=-sysv ;; m68knommu) basic_machine=m68k-unknown os=-linux ;; m68knommu-*) basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; m88k-omron*) basic_machine=m88k-omron ;; magnum | m3230) basic_machine=mips-mips os=-sysv ;; merlin) basic_machine=ns32k-utek os=-sysv ;; microblaze*) basic_machine=microblaze-xilinx ;; mingw64) basic_machine=x86_64-pc os=-mingw64 ;; mingw32) basic_machine=i386-pc os=-mingw32 ;; mingw32ce) basic_machine=arm-unknown os=-mingw32ce ;; miniframe) basic_machine=m68000-convergent ;; *mint | -mint[0-9]* | 
*MiNT | *MiNT[0-9]*) basic_machine=m68k-atari os=-mint ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; monitor) basic_machine=m68k-rom68k os=-coff ;; morphos) basic_machine=powerpc-unknown os=-morphos ;; msdos) basic_machine=i386-pc os=-msdos ;; ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; msys) basic_machine=i386-pc os=-msys ;; mvs) basic_machine=i370-ibm os=-mvs ;; nacl) basic_machine=le32-unknown os=-nacl ;; ncr3000) basic_machine=i486-ncr os=-sysv4 ;; netbsd386) basic_machine=i386-unknown os=-netbsd ;; netwinder) basic_machine=armv4l-rebel os=-linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony os=-newsos ;; news1000) basic_machine=m68030-sony os=-newsos ;; news-3600 | risc-news) basic_machine=mips-sony os=-newsos ;; necv70) basic_machine=v70-nec os=-sysv ;; next | m*-next ) basic_machine=m68k-next case $os in -nextstep* ) ;; -ns2*) os=-nextstep2 ;; *) os=-nextstep3 ;; esac ;; nh3000) basic_machine=m68k-harris os=-cxux ;; nh[45]000) basic_machine=m88k-harris os=-cxux ;; nindy960) basic_machine=i960-intel os=-nindy ;; mon960) basic_machine=i960-intel os=-mon960 ;; nonstopux) basic_machine=mips-compaq os=-nonstopux ;; np1) basic_machine=np1-gould ;; neo-tandem) basic_machine=neo-tandem ;; nse-tandem) basic_machine=nse-tandem ;; nsr-tandem) basic_machine=nsr-tandem ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf ;; openrisc | openrisc-*) basic_machine=or32-unknown ;; os400) basic_machine=powerpc-ibm os=-os400 ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose ;; os68k) basic_machine=m68k-none os=-os68k ;; pa-hitachi) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; paragon) basic_machine=i860-intel os=-osf ;; parisc) basic_machine=hppa-unknown os=-linux ;; parisc-*) basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; pbd) basic_machine=sparc-tti ;; pbb) 
basic_machine=m68k-tti ;; pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pc98) basic_machine=i386-pc ;; pc98-*) basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; pentium4) basic_machine=i786-pc ;; pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium4-*) basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc | ppcbe) basic_machine=powerpc-unknown ;; ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown ;; ppc64-* | ppc64p7-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ps2) basic_machine=i386-ibm ;; pw32) basic_machine=i586-unknown os=-pw32 ;; rdos | rdos64) basic_machine=x86_64-pc os=-rdos ;; rdos32) basic_machine=i386-pc os=-rdos ;; rom68k) basic_machine=m68k-rom68k os=-coff ;; rm[46]00) basic_machine=mips-siemens ;; rtpc | rtpc-*) basic_machine=romp-ibm ;; s390 | s390-*) basic_machine=s390-ibm ;; s390x | s390x-*) basic_machine=s390x-ibm ;; sa29200) basic_machine=a29k-amd os=-udi ;; sb1) basic_machine=mipsisa64sb1-unknown 
;; sb1el) basic_machine=mipsisa64sb1el-unknown ;; sde) basic_machine=mipsisa32-sde os=-elf ;; sei) basic_machine=mips-sei os=-seiux ;; sequent) basic_machine=i386-sequent ;; sh) basic_machine=sh-hitachi os=-hms ;; sh5el) basic_machine=sh5le-unknown ;; sh64) basic_machine=sh64-unknown ;; sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks ;; sps7) basic_machine=m68k-bull os=-sysv2 ;; spur) basic_machine=spur-unknown ;; st2000) basic_machine=m68k-tandem ;; stratus) basic_machine=i860-stratus os=-sysv4 ;; strongarm-* | thumb-*) basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` ;; sun2) basic_machine=m68000-sun ;; sun2os3) basic_machine=m68000-sun os=-sunos3 ;; sun2os4) basic_machine=m68000-sun os=-sunos4 ;; sun3os3) basic_machine=m68k-sun os=-sunos3 ;; sun3os4) basic_machine=m68k-sun os=-sunos4 ;; sun4os3) basic_machine=sparc-sun os=-sunos3 ;; sun4os4) basic_machine=sparc-sun os=-sunos4 ;; sun4sol2) basic_machine=sparc-sun os=-solaris2 ;; sun3 | sun3-*) basic_machine=m68k-sun ;; sun4) basic_machine=sparc-sun ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; sv1) basic_machine=sv1-cray os=-unicos ;; symmetry) basic_machine=i386-sequent os=-dynix ;; t3e) basic_machine=alphaev5-cray os=-unicos ;; t90) basic_machine=t90-cray os=-unicos ;; tile*) basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; toad1) basic_machine=pdp10-xkl os=-tops20 ;; tower | tower-32) basic_machine=m68k-ncr ;; tpf) basic_machine=s390x-ibm os=-tpf ;; udi29k) basic_machine=a29k-amd os=-udi ;; ultra3) basic_machine=a29k-nyu os=-sym1 ;; v810 | necv810) basic_machine=v810-nec os=-none ;; vaxv) basic_machine=vax-dec os=-sysv ;; vms) basic_machine=vax-dec os=-vms ;; vpp*|vx|vx-*) basic_machine=f301-fujitsu ;; vxworks960) basic_machine=i960-wrs os=-vxworks ;; vxworks68) basic_machine=m68k-wrs os=-vxworks ;; vxworks29k) basic_machine=a29k-wrs os=-vxworks ;; w65*) basic_machine=w65-wdc 
os=-none
		;;
	w89k-*)
		basic_machine=hppa1.1-winbond
		os=-proelf
		;;
	xbox)
		basic_machine=i686-pc
		os=-mingw32
		;;
	xps | xps100)
		basic_machine=xps100-honeywell
		;;
	xscale-* | xscalee[bl]-*)
		basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
		;;
	ymp)
		basic_machine=ymp-cray
		os=-unicos
		;;
	z8k-*-coff)
		basic_machine=z8k-unknown
		os=-sim
		;;
	z80-*-coff)
		basic_machine=z80-unknown
		os=-sim
		;;
	none)
		basic_machine=none-none
		os=-none
		;;

# Here we handle the default manufacturer of certain CPU types.  It is in
# some cases the only manufacturer, in others, it is the most popular.
	w89k)
		basic_machine=hppa1.1-winbond
		;;
	op50n)
		basic_machine=hppa1.1-oki
		;;
	op60c)
		basic_machine=hppa1.1-oki
		;;
	romp)
		basic_machine=romp-ibm
		;;
	mmix)
		basic_machine=mmix-knuth
		;;
	rs6000)
		basic_machine=rs6000-ibm
		;;
	vax)
		basic_machine=vax-dec
		;;
	pdp10)
		# there are many clones, so DEC is not a safe bet
		basic_machine=pdp10-unknown
		;;
	pdp11)
		basic_machine=pdp11-dec
		;;
	we32k)
		basic_machine=we32k-att
		;;
	sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele)
		basic_machine=sh-unknown
		;;
	sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
		basic_machine=sparc-sun
		;;
	cydra)
		basic_machine=cydra-cydrome
		;;
	orion)
		basic_machine=orion-highlevel
		;;
	orion105)
		basic_machine=clipper-highlevel
		;;
	mac | mpw | mac-mpw)
		basic_machine=m68k-apple
		;;
	pmac | pmac-mpw)
		basic_machine=powerpc-apple
		;;
	*-unknown)
		# Make sure to match an already-canonicalized machine name.
		;;
	*)
		# Anything not listed above is rejected: report on stderr and
		# exit non-zero so a caller never receives a half-canonicalized
		# triplet.
		# NOTE(review): $1 and $basic_machine are expanded unquoted in
		# this echo, so an argument containing whitespace or glob
		# characters is word-split/globbed before it is printed.
		echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
		exit 1
		;;
esac

# Here we canonicalize certain aliases for manufacturers.
# The sed patterns replace everything from the alias to the end of the
# string, so a trailing suffix (e.g. "-digital-foo") collapses to "-dec".
case $basic_machine in
	*-digital*)
		basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
		;;
	*-commodore*)
		basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
		;;
	*)
		;;
esac

# Decode manufacturer-specific aliases for certain operating systems.
#
# Two paths: when $os was supplied it is validated and normalized against
# the known system types below (an unknown one is a fatal error); when it
# is empty, a default OS is picked from the vendor in the else branch.
# $os still carries its leading '-' at this point -- every pattern in the
# first case starts with one.

if [ x"$os" != x"" ]
then
case $os in
	# First match some system type aliases
	# that might get confused with valid system types.
	# -solaris* is a basic system type, with this one exception.
	-auroraux)
		os=-auroraux
		;;
	-solaris1 | -solaris1.*)
		os=`echo $os | sed -e 's|solaris1|sunos4|'`
		;;
	-solaris)
		os=-solaris2
		;;
	-svr4*)
		os=-sysv4
		;;
	-unixware*)
		os=-sysv4.2uw
		;;
	-gnu/linux*)
		os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
		;;
	# First accept the basic system types.
	# The portable systems comes first.
	# Each alternative MUST END IN A *, to match a version number.
	# -sysv* is not here because it comes later, after sysvr4.
	-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
	      | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
	      | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
	      | -sym* | -kopensolaris* \
	      | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
	      | -aos* | -aros* \
	      | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
	      | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
	      | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
	      | -bitrig* | -openbsd* | -solidbsd* \
	      | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
	      | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
	      | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
	      | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
	      | -chorusos* | -chorusrdb* | -cegcc* \
	      | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
	      | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
	      | -linux-newlib* | -linux-musl* | -linux-uclibc* \
	      | -uxpv* | -beos* | -mpeix* | -udk* \
	      | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
	      | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
	      | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*)
	# Remember, each alternative MUST END IN *, to match a
	# version number.
		;;
	-qnx*)
		# QNX on x86 keeps the bare name; on any other CPU it is
		# prefixed, giving -nto-qnx...
		case $basic_machine in
		    x86-* | i*86-*)
			;;
		    *)
			os=-nto$os
			;;
		esac
		;;
	-nto-qnx*)
		;;
	-nto*)
		os=`echo $os | sed -e 's|nto|nto-qnx|'`
		;;
	-sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
	      | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
	      | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
		;;
	-mac*)
		os=`echo $os | sed -e 's|mac|macos|'`
		;;
	# Must stay ahead of the -linux* catch-all below, which would
	# otherwise rewrite it to -linux-gnu-dietlibc.
	-linux-dietlibc)
		os=-linux-dietlibc
		;;
	-linux*)
		os=`echo $os | sed -e 's|linux|linux-gnu|'`
		;;
	-sunos5*)
		os=`echo $os | sed -e 's|sunos5|solaris2|'`
		;;
	-sunos6*)
		os=`echo $os | sed -e 's|sunos6|solaris3|'`
		;;
	-opened*)
		os=-openedition
		;;
	-os400*)
		os=-os400
		;;
	-wince*)
		os=-wince
		;;
	-osfrose*)
		os=-osfrose
		;;
	-osf*)
		os=-osf
		;;
	-utek*)
		os=-bsd
		;;
	-dynix*)
		os=-bsd
		;;
	-acis*)
		os=-aos
		;;
	-atheos*)
		os=-atheos
		;;
	-syllable*)
		os=-syllable
		;;
	-386bsd)
		os=-bsd
		;;
	-ctix* | -uts*)
		os=-sysv
		;;
	-nova*)
		os=-rtmk-nova
		;;
	-ns2 )
		os=-nextstep2
		;;
	-nsk*)
		os=-nsk
		;;
	# Preserve the version number of sinix5.
	-sinix5.*)
		os=`echo $os | sed -e 's|sinix|sysv|'`
		;;
	-sinix*)
		os=-sysv4
		;;
	-tpf*)
		os=-tpf
		;;
	-triton*)
		os=-sysv3
		;;
	-oss*)
		os=-sysv3
		;;
	-svr4)
		os=-sysv4
		;;
	-svr3)
		os=-sysv3
		;;
	-sysvr4)
		os=-sysv4
		;;
	# This must come after -sysvr4.
	-sysv*)
		;;
	-ose*)
		os=-ose
		;;
	# NOTE(review): -es1800* is already accepted unchanged by the
	# "-sim | -es1800* | ..." arm above, so this arm never runs and
	# -es1800 is not mapped to -ose.
	-es1800*)
		os=-ose
		;;
	-xenix)
		os=-xenix
		;;
	-*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
		os=-mint
		;;
	-aros*)
		os=-aros
		;;
	-kaos*)
		os=-kaos
		;;
	-zvmoe)
		os=-zvmoe
		;;
	-dicos*)
		os=-dicos
		;;
	-nacl*)
		;;
	-none)
		;;
	*)
		# Get rid of the `-' at the beginning of $os.
		# (Unknown OS is fatal; same unquoted-echo caveat as the
		# machine error above.)
		os=`echo $os | sed 's/[^-]*-//'`
		echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
		exit 1
		;;
esac
else

# Here we handle the default operating systems that come with various machines.
# The value should be what the vendor currently ships out the door with their
# machine or put another way, the most popular os provided with the machine.

# Note that if you're going to try to match "-MANUFACTURER" here (say,
# "-sun"), then you have to tell the case statement up towards the top
# that MANUFACTURER isn't an operating system.  Otherwise, code above
# will signal an error saying that MANUFACTURER isn't an operating
# system, and we'll never get to this point.

case $basic_machine in
	score-*)
		os=-elf
		;;
	spu-*)
		os=-elf
		;;
	*-acorn)
		os=-riscix1.2
		;;
	arm*-rebel)
		os=-linux
		;;
	arm*-semi)
		os=-aout
		;;
	c4x-* | tic4x-*)
		os=-coff
		;;
	hexagon-*)
		os=-elf
		;;
	tic54x-*)
		os=-coff
		;;
	tic55x-*)
		os=-coff
		;;
	tic6x-*)
		os=-coff
		;;
	# This must come before the *-dec entry.
	pdp10-*)
		os=-tops20
		;;
	pdp11-*)
		os=-none
		;;
	*-dec | vax-*)
		os=-ultrix4.2
		;;
	m68*-apollo)
		os=-domain
		;;
	i386-sun)
		os=-sunos4.0.2
		;;
	m68000-sun)
		os=-sunos3
		;;
	m68*-cisco)
		os=-aout
		;;
	mep-*)
		os=-elf
		;;
	mips*-cisco)
		os=-elf
		;;
	mips*-*)
		os=-elf
		;;
	or32-*)
		os=-coff
		;;
	*-tti)	# must be before sparc entry or we get the wrong os.
		os=-sysv3
		;;
	sparc-* | *-sun)
		os=-sunos4.1.1
		;;
	*-be)
		os=-beos
		;;
	*-haiku)
		os=-haiku
		;;
	*-ibm)
		os=-aix
		;;
	*-knuth)
		os=-mmixware
		;;
	*-wec)
		os=-proelf
		;;
	*-winbond)
		os=-proelf
		;;
	*-oki)
		os=-proelf
		;;
	*-hp)
		os=-hpux
		;;
	*-hitachi)
		os=-hiux
		;;
	i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
		os=-sysv
		;;
	*-cbm)
		os=-amigaos
		;;
	*-dg)
		os=-dgux
		;;
	*-dolphin)
		os=-sysv3
		;;
	m68k-ccur)
		os=-rtu
		;;
	m88k-omron*)
		os=-luna
		;;
	*-next )
		os=-nextstep
		;;
	*-sequent)
		os=-ptx
		;;
	*-crds)
		os=-unos
		;;
	*-ns)
		os=-genix
		;;
	i370-*)
		os=-mvs
		;;
	# NOTE(review): this pattern is identical to the "*-next )" arm
	# above, which wins first, so -nextstep3 is never selected here.
	*-next)
		os=-nextstep3
		;;
	*-gould)
		os=-sysv
		;;
	*-highlevel)
		os=-bsd
		;;
	*-encore)
		os=-bsd
		;;
	*-sgi)
		os=-irix
		;;
	*-siemens)
		os=-sysv4
		;;
	*-masscomp)
		os=-rtu
		;;
	f30[01]-fujitsu | f700-fujitsu)
		os=-uxpv
		;;
	*-rom68k)
		os=-coff
		;;
	*-*bug)
		os=-coff
		;;
	*-apple)
		os=-macos
		;;
	*-atari*)
		os=-mint
		;;
	*)
		os=-none
		;;
esac
fi

# Here we handle the case where we know the os, and the CPU type, but not the
# manufacturer.  We pick the logical manufacturer.
vendor=unknown case $basic_machine in *-unknown) case $os in -riscix*) vendor=acorn ;; -sunos*) vendor=sun ;; -cnk*|-aix*) vendor=ibm ;; -beos*) vendor=be ;; -hpux*) vendor=hp ;; -mpeix*) vendor=hp ;; -hiux*) vendor=hitachi ;; -unos*) vendor=crds ;; -dgux*) vendor=dg ;; -luna*) vendor=omron ;; -genix*) vendor=ns ;; -mvs* | -opened*) vendor=ibm ;; -os400*) vendor=ibm ;; -ptx*) vendor=sequent ;; -tpf*) vendor=ibm ;; -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) vendor=apple ;; -hms*) vendor=hitachi ;; -mpw* | -macos*) vendor=apple ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) vendor=atari ;; -vos*) vendor=stratus ;; esac basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac echo $basic_machine$os exit # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: snort-2.9.7.0/doc/0000755000000000000000000000000012416771510010554 500000000000000snort-2.9.7.0/doc/snort_manual.tex0000644000000000000000000246004312416771510013731 00000000000000% $Id$ % % BUILDING HTML VERSION: % latex2html -info 0 -local_icons -show_section_numbers -link +2 -split +2 -noaddress snort_manual.tex % % BUILDING PDF VERSION: % pdflatex snort_manual.tex \documentclass[english]{report} %\usepackage[T1]{fontenc} \usepackage[latin1]{inputenc} \usepackage{geometry} \usepackage{longtable} \geometry{verbose,letterpaper,tmargin=1in,bmargin=.5in,lmargin=1in,rmargin=1in} \usepackage{url} %\IfFileExists{url.sty}{\usepackage{url}} % {\newcommand{\url}{\texttt}} \usepackage{html} % \makeatletter \newcounter{slistnum} \newcounter{subslistnum} \newcounter{subsublistnum} \newenvironment{slist} { \begin{list}{ {\bf \arabic{slistnum}.} }{\usecounter{slistnum} } } { \end{list} } \newenvironment{subslist} { \begin{list} { {\bf \arabic{slistnum}-\Alph{subslistnum}. 
} } {\usecounter{subslistnum} } } { \end{list} } \newenvironment{subsubslist} { \begin{list}{ {\bf \arabic{slistnum}-\arabic{subslistnum}-\arabic{subsublistnum}. } }{ \usecounter{subsubslistnum} } }{ \end{list} } %\begin{latexonly} \newsavebox{\savepar} \newenvironment{note}{ \samepage \vspace{10pt}{\textsf{ {\hspace{7pt}\Huge{$\triangle$\hspace{-12.5pt}{\Large{$^!$}}}}\hspace{5pt} {\Large{NOTE}} } } \begin{center} \par\vspace{-17pt} \begin{lrbox}{\savepar} \begin{minipage}[r]{6in} } { \end{minipage} \end{lrbox} \fbox{ \usebox{ \savepar } } \par\vskip10pt \end{center} } %\end{latexonly} \begin{htmlonly} \newenvironment{note}{ \begin{rawhtml}

Note:   \end{rawhtml} }{ \begin{rawhtml}

\end{rawhtml} } \end{htmlonly} \usepackage{babel} % \makeatother \addtolength{\parindent}{-5mm} \addtolength{\parskip}{2mm} %\renewcommand\floatpagefraction{.9} %\renewcommand\topfraction{.9} %\renewcommand\bottomfraction{.9} %\renewcommand\textfraction{.1} %\setcounter{totalnumber}{50} %\setcounter{topnumber}{50} %\setcounter{bottomnumber}{50} \begin{document} \title{SNORT\textsuperscript{\textregistered} Users Manual\\2.9.7} \author{The Snort Project} \maketitle \newpage Copyright \copyright 1998-2003 Martin Roesch Copyright \copyright 2001-2003 Chris Green Copyright \copyright 2003-2013 Sourcefire, Inc. Copyright \copyright 2014 Cisco and/or its affiliates. All rights reserved. \tableofcontents{} \chapter{Snort Overview} This manual is based on \emph{Writing Snort Rules} by Martin Roesch and further work from Chris Green $<$cmg@snort.org$>$. It was then maintained by Brian Caswell $<$bmc@snort.org$>$ and now is maintained by the Snort Team. If you have a better way to say something or find that something in the documentation is outdated, drop us a line and we will update it. If you would like to submit patches for this document, you can find the latest version of the documentation in \LaTeX\ format in the most recent source tarball under \verb!/doc/snort_manual.tex!. Small documentation updates are the easiest way to help out the Snort Project. \section{Getting Started} Snort really isn't very hard to use, but there are a lot of command line options to play with, and it's not always obvious which ones go together well. This file aims to make using Snort easier for new users. Before we proceed, there are a few basic concepts you should understand about Snort. Snort can be configured to run in three modes: \begin{itemize} \item {\em Sniffer mode,} which simply reads the packets off of the network and displays them for you in a continuous stream on the console (screen). \item {\em Packet Logger mode,} which logs the packets to disk. 
\item {\em Network Intrusion Detection System (NIDS) mode,} which performs detection and analysis on network traffic. This is the most complex and configurable mode. \end{itemize} \section{Sniffer Mode} First, let's start with the basics. If you just want to print out the TCP/IP packet headers to the screen (i.e. sniffer mode), try this: \begin{verbatim} ./snort -v \end{verbatim} This command will run Snort and just show the IP and TCP/UDP/ICMP headers, nothing else. If you want to see the application data in transit, try the following: \begin{verbatim} ./snort -vd \end{verbatim} This instructs Snort to display the packet data as well as the headers. If you want an even more descriptive display, showing the data link layer headers, do this: \begin{verbatim} ./snort -vde \end{verbatim} As an aside, notice that the command line switches can be listed separately or in a combined form. The last command could also be typed out as: \begin{verbatim} ./snort -d -v -e \end{verbatim} to produce the same result. \section{Packet Logger Mode} OK, all of these commands are pretty cool, but if you want to record the packets to the disk, you need to specify a logging directory and Snort will automatically know to go into packet logger mode: \begin{verbatim} ./snort -dev -l ./log \end{verbatim} Of course, this assumes you have a directory named \verb!log! in the current directory. If you don't, Snort will exit with an error message. When Snort runs in this mode, it collects every packet it sees and places it in a directory hierarchy based upon the IP address of one of the hosts in the datagram. If you just specify a plain -l switch, you may notice that Snort sometimes uses the address of the remote computer as the directory in which it places packets and sometimes it uses the local host address. 
In order to log relative to the home network, you need to tell Snort which network is the home network:

\begin{verbatim}
./snort -dev -l ./log -h 192.168.1.0/24
\end{verbatim}

This command tells Snort that you want to print out the data link and TCP/IP headers as well as application data into the directory \verb!./log!, and you want to log the packets relative to the 192.168.1.0 class C network. All incoming packets will be recorded into subdirectories of the log directory, with the directory names being based on the address of the remote (non-192.168.1) host. \begin{note} Note that if both the source and destination hosts are on the home network, they are logged to a directory with a name based on the higher of the two port numbers or, in the case of a tie, the source address. \end{note} If you're on a high speed network or you want to log the packets into a more compact form for later analysis, you should consider logging in binary mode. Binary mode logs the packets in tcpdump format to a single binary file in the logging directory:

\begin{verbatim}
./snort -l ./log -b
\end{verbatim}

Note the command line changes here. We don't need to specify a home network any longer because binary mode logs everything into a single file, which eliminates the need to tell it how to format the output directory structure. Additionally, you don't need to run in verbose mode or specify the -d or -e switches because in binary mode the entire packet is logged, not just sections of it. All you really need to do to place Snort into logger mode is to specify a logging directory at the command line using the -l switch---the -b binary logging switch merely provides a modifier that tells Snort to log the packets in something other than the default output format of plain ASCII text. Once the packets have been logged to the binary file, you can read the packets back out of the file with any sniffer that supports the tcpdump binary format (such as tcpdump or Wireshark, formerly known as Ethereal).
Snort can also read the packets back by using the -r switch, which puts it into playback mode. Packets from any tcpdump formatted file can be processed through Snort in any of its run modes. For example, if you wanted to run a binary log file through Snort in sniffer mode to dump the packets to the screen, you can try something like this: \begin{verbatim} ./snort -dv -r packet.log \end{verbatim} You can manipulate the data in the file in a number of ways through Snort's packet logging and intrusion detection modes, as well as with the BPF interface that's available from the command line. For example, if you only wanted to see the ICMP packets from the log file, simply specify a BPF filter at the command line and Snort will only see the ICMP packets in the file: \begin{verbatim} ./snort -dvr packet.log icmp \end{verbatim} For more info on how to use the BPF interface, read the Snort and tcpdump man pages. \section{Network Intrusion Detection System Mode} To enable Network Intrusion Detection System (NIDS) mode so that you don't record every single packet sent down the wire, try this: \begin{verbatim} ./snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf \end{verbatim} where \texttt{snort.conf} is the name of your snort configuration file. This will apply the rules configured in the \verb!snort.conf! file to each packet to decide if an action based upon the rule type in the file should be taken. If you don't specify an output directory for the program, it will default to \verb!/var/log/snort!. One thing to note about the last command line is that if Snort is going to be used in a long term way as an IDS, the -v switch should be left off the command line for the sake of speed. The screen is a slow place to write data to, and packets can be dropped while writing to the display. It's also not necessary to record the data link headers for most applications, so you can usually omit the -e switch, too. 
\begin{verbatim} ./snort -d -h 192.168.1.0/24 -l ./log -c snort.conf \end{verbatim} This will configure Snort to run in its most basic NIDS form, logging packets that trigger rules specified in the \texttt{snort.conf} in plain ASCII to disk using a hierarchical directory structure (just like packet logger mode). \subsection{NIDS Mode Output Options} There are a number of ways to configure the output of Snort in NIDS mode. The default logging and alerting mechanisms are to log in decoded ASCII format and use full alerts. The full alert mechanism prints out the alert message in addition to the full packet headers. There are several other alert output modes available at the command line, as well as two logging facilities. Alert modes are somewhat more complex. There are seven alert modes available at the command line: full, fast, socket, syslog, console, cmg, and none. Six of these modes are accessed with the -A command line switch. These options are: \begin{center} \begin{tabular}{| l | p{5.4in} |} \hline {\bf Option} & {\bf Description}\\ \hline \hline {\tt -A fast} & Fast alert mode. Writes the alert in a simple format with a timestamp, alert message, source and destination IPs/ports.\\ \hline {\tt -A full} & Full alert mode. This is the default alert mode and will be used automatically if you do not specify a mode.\\ \hline {\tt -A unsock} & Sends alerts to a UNIX socket that another program can listen on.\\ \hline {\tt -A none} & Turns off alerting.\\ \hline {\tt -A console} & Sends ``fast-style'' alerts to the console (screen).\\ \hline {\tt -A cmg} & Generates ``cmg style'' alerts.\\ \hline \end{tabular} \end{center} Packets can be logged to their default decoded ASCII format or to a binary log file via the -b command line switch. To disable packet logging altogether, use the -N command line switch. For output modes available through the configuration file, see Section \ref{output config}. 
\begin{note} Command line logging options override any output options specified in the configuration file. This allows debugging of configuration issues quickly via the command line. \end{note} To send alerts to syslog, use the -s switch. By default the syslog alerting mechanism logs with the LOG\_AUTHPRIV facility at the LOG\_ALERT priority (LOG\_ALERT is a priority, not a facility). If you want to use a different facility or priority for syslog output, use the output plugin directives in snort.conf. See Section \ref{alert syslog label} for more details on configuring syslog output. For example, use the following command line to log to the default (decoded ASCII) facility and send alerts to syslog:

\begin{verbatim}
./snort -c snort.conf -l ./log -h 192.168.1.0/24 -s
\end{verbatim}

As another example, use the following command line to log to the default facility in /var/log/snort and send alerts to a fast alert file:

\begin{verbatim}
./snort -c snort.conf -A fast -h 192.168.1.0/24
\end{verbatim}

\subsection{Understanding Standard Alert Output} When Snort generates an alert message, it will usually look like the following:

\begin{verbatim}
[**] [116:56:1] (snort_decoder): T/TCP Detected [**]
\end{verbatim}

The first number is the Generator ID; it tells the user what component of Snort generated this alert. For a list of GIDs, please read etc/generators in the Snort source. In this case, we know that this event came from the ``decode'' (116) component of Snort. The second number is the Snort ID (sometimes referred to as Signature ID). For a list of preprocessor SIDs, please see etc/gen-msg.map. Rule-based SIDs are written directly into the rules with the \emph{sid} option. In this case, \emph{56} represents a T/TCP event. The third number is the revision ID. This number is primarily used when writing signatures, as each rendition of the rule should increment this number with the \emph{rev} option.
\subsection{High Performance Configuration} If you want Snort to go \emph{fast} (like keep up with a 1000 Mbps connection), you need to use unified2 logging and a unified2 log reader such as \emph{barnyard2}. This allows Snort to log alerts in a binary form as fast as possible while another program performs the slow actions, such as writing to a database. If you want a text file that's easily parsed, but still somewhat fast, try using binary logging with the ``fast'' output mechanism. This will log packets in tcpdump format and produce minimal alerts. For example:

\begin{verbatim}
./snort -b -A fast -c snort.conf
\end{verbatim}

\subsection{Changing Alert Order} The default way in which Snort applies its rules to packets may not be appropriate for all installations. The Pass rules are applied first, then the Drop rules, then the Alert rules and finally, Log rules are applied. \begin{note} Because pass rules are evaluated first, an errant or overly broad pass rule silently suppresses every alert and drop for the traffic it matches; review pass rules as carefully as detection rules. If alerts are not showing up for this reason, you can change the default ordering to allow Alert rules to be applied before Pass rules. For more information, please refer to the \texttt{--alert-before-pass} option. \end{note} Several command line options are available to change the order in which rule actions are taken. \begin{itemize} \item \texttt{--alert-before-pass} option forces alert rules to take effect in favor of a pass rule. \item \texttt{--treat-drop-as-alert} causes drop and reject rules and any associated alerts to be logged as alerts, rather than the normal action. This allows use of an inline policy with passive/IDS mode. The sdrop rules are not loaded. Note that nothing is blocked while this option is in effect, so do not use it on a sensor that is expected to enforce drop rules inline. \item \texttt{--process-all-events} option causes Snort to process every event associated with a packet, while taking the actions based on the rules ordering. Without this option (default case), only the events for the first action based on rules ordering are processed.
\end{itemize} \begin{note} Pass rules are special cases here, in that the event processing is terminated when a pass rule is encountered, regardless of the use of \texttt{--process-all-events}. \end{note} \section{Packet Acquisition} Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The DAQ replaces direct calls to libpcap functions with an abstraction layer that facilitates operation on a variety of hardware and software interfaces without requiring changes to Snort. It is possible to select the DAQ type and mode when invoking Snort to perform pcap readback or inline operation, etc. \begin{note} Some network cards have features which can affect Snort. Two of these features are named "Large Receive Offload" (lro) and "Generic Receive Offload" (gro). With these features enabled, the network card coalesces several packets into one before they are processed by the kernel. By default, Snort will truncate packets larger than the default snaplen of 1518 bytes, so any data beyond that point in a coalesced packet is never inspected. In addition, LRO and GRO may cause issues with Stream target-based reassembly. We recommend that you turn off LRO and GRO. On Linux systems, you can run:

\begin{verbatim}
$ ethtool -K eth1 gro off
$ ethtool -K eth1 lro off
\end{verbatim}

\end{note} \subsection{Configuration} Assuming that you did not disable static modules or change the default DAQ type, you can run Snort just as you always did for file readback or sniffing an interface. However, you can select and configure the DAQ when Snort is invoked as follows:

\begin{verbatim}
./snort \
    [--daq <type>] \
    [--daq-mode <mode>] \
    [--daq-dir <dir>] \
    [--daq-var <var>]

config daq: <type>
config daq_dir: <dir>
config daq_var: <var>
config daq_mode: <mode>

<type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
<mode> ::= read-file | passive | inline
<var> ::= arbitrary <name>=<value> passed to DAQ
<dir> ::= path where to look for DAQ module so's
\end{verbatim}

The DAQ type, mode, variable, and directory may be specified either via the command line or in the conf file.
You may include as many variables and directories as needed by repeating the arg / config. DAQ type may be specified at most once in the conf and once on the command line; if configured in both places, the command line overrides the conf. If the mode is not set explicitly, -Q will force it to inline, and if that hasn't been set, -r will force it to read-file, and if that hasn't been set, the mode defaults to passive. Also, -Q and --daq-mode inline are allowed, since there is no conflict, but -Q and any other DAQ mode will cause a fatal error at start-up. Note that if Snort finds multiple versions of a given library, the most recent version is selected. This applies to static and dynamic versions of the same library. \begin{verbatim} ./snort --daq-list[=] ./snort --daq-dir= --daq-list \end{verbatim} The above commands search the specified directories for DAQ modules and print type, version, and attributes of each. This feature is not available in the conf. Snort stops processing after parsing --daq-list so if you want to add one or more directories add --daq-dir options before --daq-list on the command line. (Since the directory is optional to --daq-list, you must use an = without spaces for this option.) \subsection{pcap} pcap is the default DAQ. if snort is run w/o any DAQ arguments, it will operate as it always did using this module. These are equivalent: \begin{verbatim} ./snort -i ./snort -r ./snort --daq pcap --daq-mode passive -i ./snort --daq pcap --daq-mode read-file -r \end{verbatim} You can specify the buffer size pcap uses with: \begin{verbatim} ./snort --daq pcap --daq-var buffer_size=<#bytes> \end{verbatim} Note that the pcap DAQ does not count filtered packets. 
\subsection{AFPACKET} afpacket functions similar to the memory mapped pcap DAQ but no external library is required: \begin{verbatim} ./snort --daq afpacket -i [--daq-var buffer_size_mb=<#MB>] [--daq-var debug] \end{verbatim} If you want to run afpacket in inline mode, you must set device to one or more interface pairs, where each member of a pair is separated by a single colon and each pair is separated by a double colon like this: \begin{verbatim} eth0:eth1 \end{verbatim} or this: \begin{verbatim} eth0:eth1::eth2:eth3 \end{verbatim} By default, the afpacket DAQ allocates 128MB for packet memory. You can change this with: \begin{verbatim} --daq-var buffer_size_mb=<#MB> \end{verbatim} Note that the total allocated is actually higher, here's why. Assuming the default packet memory with a snaplen of 1518, the numbers break down like this: \begin{slist} \item The frame size is 1518 (snaplen) + the size of the AFPacket header (66 bytes) = 1584 bytes. \item The number of frames is 128 MB / 1518 = 84733. \item The smallest block size that can fit at least one frame is 4 KB = 4096 bytes @ 2 frames per block. \item As a result, we need 84733 / 2 = 42366 blocks. \item Actual memory allocated is 42366 * 4 KB = 165.5 MB. \end{slist} \subsection{NFQ} NFQ is the new and improved way to process iptables packets: \begin{verbatim} ./snort --daq nfq \ [--daq-var device=] \ [--daq-var proto=] \ [--daq-var queue=] \ [--daq-var queue_len=] ::= ip | eth0, etc; default is IP injection ::= ip4 | ip6 | ip*; default is ip4 ::= 0..65535; default is 0 ::= 0..65535; default is 0 \end{verbatim} Notes on iptables can be found in the DAQ distro README. \subsection{IPQ} IPQ is the old way to process iptables packets. 
It replaces the inline version available in pre-2.9 versions built with this: \begin{verbatim} ./configure --enable-inline / -DGIDS \end{verbatim} Start the IPQ DAQ as follows: \begin{verbatim} ./snort --daq ipq \ [--daq-var device=] \ [--daq-var proto=] \ ::= ip | eth0, etc; default is IP injection ::= ip4 | ip6; default is ip4 \end{verbatim} \subsection{IPFW} IPFW is available for BSD systems. It replaces the inline version available in pre-2.9 versions built with this: \begin{verbatim} ./configure --enable-ipfw / -DGIDS -DIPFW \end{verbatim} This command line argument is no longer supported: \begin{verbatim} ./snort -J \end{verbatim} Instead, start Snort like this: \begin{verbatim} ./snort --daq ipfw [--daq-var port=] ::= 1..65535; default is 8000 \end{verbatim} * IPFW only supports ip4 traffic. \subsection{Dump} The dump DAQ allows you to test the various inline mode features available in 2.9 Snort like injection and normalization. \begin{verbatim} ./snort -i --daq dump ./snort -r --daq dump \end{verbatim} By default a file named inline-out.pcap will be created containing all packets that passed through or were generated by snort. You can optionally specify a different name. \begin{verbatim} ./snort --daq dump --daq-var file= \end{verbatim} dump uses the pcap daq for packet acquisition. It therefore does not count filtered packets. Note that the dump DAQ inline mode is not an actual inline mode. Furthermore, you will probably want to have the pcap DAQ acquire in another mode like this: \begin{verbatim} ./snort -r -Q --daq dump --daq-var load-mode=read-file ./snort -i -Q --daq dump --daq-var load-mode=passive \end{verbatim} \subsection{Statistics Changes} The Packet Wire Totals and Action Stats sections of Snort's output include additional fields: \begin{itemize} \item \texttt{Filtered} count of packets filtered out and not handed to Snort for analysis. \item \texttt{Injected} packets Snort generated and sent, e.g. TCP resets. 
\item \texttt{Allow} packets Snort analyzed and did not take action on. \item \texttt{Block} packets Snort did not forward, e.g. due to a block rule. \item \texttt{Replace} packets Snort modified. \item \texttt{Whitelist} packets that caused Snort to allow a flow to pass w/o inspection by any analysis program. \item \texttt{Blacklist} packets that caused Snort to block a flow from passing. \item \texttt{Ignore} packets that caused Snort to allow a flow to pass w/o inspection by this instance of Snort. \end{itemize} The action stats show "blocked" packets instead of "dropped" packets to avoid confusion between dropped packets (those Snort didn't actually see) and blocked packets (those Snort did not allow to pass). \section{Reading pcap files} Instead of having Snort listen on an interface, you can give it a packet capture to read. Snort will read and analyze the packets as if they came off the wire. This can be useful for testing and debugging Snort. \subsection{Command line arguments} Any of the below can be specified multiple times on the command line (\texttt{-r} included) and in addition to other Snort command line options. Note, however, that specifying \texttt{--pcap-reset} and \texttt{--pcap-show} multiple times has the same effect as specifying them once. \begin{center} \begin{tabular}{| l | p{4.5in} |} \hline \textbf{Option} & \textbf{Description}\\ \hline \hline \texttt{-r } & Read a single pcap. \\ \hline \texttt{--pcap-single=} & Same as -r. Added for completeness. \\ \hline \texttt{--pcap-file=} & File that contains a list of pcap files to read. Can specify path to each pcap or directory to recurse to get pcaps. \\ \hline \texttt{--pcap-list=""} & A space separated list of pcaps to read. \\ \hline \texttt{--pcap-dir=} & A directory to recurse to look for pcaps. Sorted in ASCII order. \\ \hline \texttt{--pcap-filter=} & Shell style filter to apply when getting pcaps from file or directory. 
This filter will apply to any \texttt{--pcap-file} or \texttt{--pcap-dir} arguments following. Use \texttt{--pcap-no-filter} to delete filter for following \texttt{--pcap-file} or \texttt{--pcap-dir} arguments or specify \texttt{--pcap-filter} again to forget previous filter and to apply to following \texttt{--pcap-file} or \texttt{--pcap-dir} arguments. \\ \hline \texttt{--pcap-no-filter} & Reset to use no filter when getting pcaps from file or directory. \\ \hline \texttt{--pcap-reset} & If reading multiple pcaps, reset snort to post-configuration state before reading next pcap. The default, i.e. without this option, is not to reset state. \\ \hline \texttt{--pcap-show} & Print a line saying what pcap is currently being read. \\ \hline \end{tabular} \end{center} \subsection{Examples} \subsubsection{Read a single pcap} \begin{verbatim} $ snort -r foo.pcap $ snort --pcap-single=foo.pcap \end{verbatim} \subsubsection{Read pcaps from a file} \begin{verbatim} $ cat foo.txt foo1.pcap foo2.pcap /home/foo/pcaps \end{verbatim} \begin{verbatim} $ snort --pcap-file=foo.txt \end{verbatim} This will read foo1.pcap, foo2.pcap and all files under /home/foo/pcaps. Note that Snort will not try to determine whether the files under that directory are really pcap files or not. \subsubsection{Read pcaps from a command line list} \begin{verbatim} $ snort --pcap-list="foo1.pcap foo2.pcap foo3.pcap" \end{verbatim} This will read foo1.pcap, foo2.pcap and foo3.pcap. \subsubsection{Read pcaps under a directory} \begin{verbatim} $ snort --pcap-dir="/home/foo/pcaps" \end{verbatim} This will include all of the files under /home/foo/pcaps. 
\subsubsection{Using filters} \begin{verbatim} $ cat foo.txt foo1.pcap foo2.pcap /home/foo/pcaps \end{verbatim} \begin{verbatim} $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt $ snort --pcap-filter="*.pcap" --pcap-dir=/home/foo/pcaps \end{verbatim} The above will only include files that match the shell pattern "*.pcap", in other words, any file ending in ".pcap". \begin{verbatim} $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \ > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps \end{verbatim} In the above, the first filter "*.pcap" will only be applied to the pcaps in the file "foo.txt" (and any directories that are recursed in that file). The addition of the second filter "*.cap" will cause the first filter to be forgotten and then applied to the directory /home/foo/pcaps, so only files ending in ".cap" will be included from that directory. \begin{verbatim} $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \ > --pcap-no-filter --pcap-dir=/home/foo/pcaps \end{verbatim} In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, so all files found under /home/foo/pcaps will be included. \begin{verbatim} $ snort --pcap-filter="*.pcap" --pcap-file=foo.txt \ > --pcap-no-filter --pcap-dir=/home/foo/pcaps \ > --pcap-filter="*.cap" --pcap-dir=/home/foo/pcaps2 \end{verbatim} In this example, the first filter will be applied to foo.txt, then no filter will be applied to the files found under /home/foo/pcaps, so all files found under /home/foo/pcaps will be included, then the filter "*.cap" will be applied to files found under /home/foo/pcaps2. \subsubsection{Resetting state} \begin{verbatim} $ snort --pcap-dir=/home/foo/pcaps --pcap-reset \end{verbatim} The above example will read all of the files under /home/foo/pcaps, but after each pcap is read, Snort will be reset to a post-configuration state, meaning all buffers will be flushed, statistics reset, etc. 
For each pcap, it will be like Snort is seeing traffic for the first time. \subsubsection{Printing the pcap} \begin{verbatim} $ snort --pcap-dir=/home/foo/pcaps --pcap-show \end{verbatim} The above example will read all of the files under /home/foo/pcaps and will print a line indicating which pcap is currently being read. \section{Basic Output} Snort does a lot of work and outputs some useful statistics when it is done. Many of these are self-explanatory. The others are summarized below. This does not include all possible output data, just the basics. \subsection{Timing Statistics} This section provides basic timing statistics. It includes total seconds and packets as well as packet processing rates. The rates are based on whole seconds, minutes, etc. and only shown when non-zero. Example: \begin{verbatim} =============================================================================== Run time for packet processing was 175.856509 seconds Snort processed 3716022 packets. Snort ran for 0 days 0 hours 2 minutes 55 seconds Pkts/min: 1858011 Pkts/sec: 21234 =============================================================================== \end{verbatim} \subsection{Packet I/O Totals} This section shows basic packet acquisition and injection peg counts obtained from the DAQ. If you are reading pcaps, the totals are for all pcaps combined, unless you use --pcap-reset, in which case it is shown per pcap. \begin{itemize} \item Outstanding indicates how many packets are buffered awaiting processing. The way this is counted varies per DAQ so the DAQ documentation should be consulted for more info. \item Filtered packets are not shown for pcap DAQs. \item Injected packets are the result of active response which can be configured for inline or passive modes. 
\end{itemize} Example: \begin{verbatim} =============================================================================== Packet I/O Totals: Received: 3716022 Analyzed: 3716022 (100.000%) Dropped: 0 ( 0.000%) Filtered: 0 ( 0.000%) Outstanding: 0 ( 0.000%) Injected: 0 =============================================================================== \end{verbatim} \subsection{Protocol Statistics} Traffic for all the protocols decoded by Snort is summarized in the breakdown section. This traffic includes internal "pseudo-packets" if preprocessors such as frag3 and stream5 are enabled, so the total may be greater than the number of analyzed packets in the packet I/O section. \begin{itemize} \item Disc counts are discards due to basic encoding integrity flaws that prevent Snort from decoding the packet. \item Other includes packets that contained an encapsulation that Snort doesn't decode. \item S5 G 1/2 is the number of client/server sessions stream5 flushed due to cache limit, session timeout, or session reset. 
\end{itemize} Example: \begin{verbatim} =============================================================================== Breakdown by protocol (includes rebuilt packets): Eth: 3722347 (100.000%) VLAN: 0 ( 0.000%) IP4: 1782394 ( 47.884%) Frag: 3839 ( 0.103%) ICMP: 38860 ( 1.044%) UDP: 137162 ( 3.685%) TCP: 1619621 ( 43.511%) IP6: 1781159 ( 47.850%) IP6 Ext: 1787327 ( 48.016%) IP6 Opts: 6168 ( 0.166%) Frag6: 3839 ( 0.103%) ICMP6: 1650 ( 0.044%) UDP6: 140446 ( 3.773%) TCP6: 1619633 ( 43.511%) Teredo: 18 ( 0.000%) ICMP-IP: 0 ( 0.000%) EAPOL: 0 ( 0.000%) IP4/IP4: 0 ( 0.000%) IP4/IP6: 0 ( 0.000%) IP6/IP4: 0 ( 0.000%) IP6/IP6: 0 ( 0.000%) GRE: 202 ( 0.005%) GRE Eth: 0 ( 0.000%) GRE VLAN: 0 ( 0.000%) GRE IP4: 0 ( 0.000%) GRE IP6: 0 ( 0.000%) GRE IP6 Ext: 0 ( 0.000%) GRE PPTP: 202 ( 0.005%) GRE ARP: 0 ( 0.000%) GRE IPX: 0 ( 0.000%) GRE Loop: 0 ( 0.000%) MPLS: 0 ( 0.000%) ARP: 104840 ( 2.817%) IPX: 60 ( 0.002%) Eth Loop: 0 ( 0.000%) Eth Disc: 0 ( 0.000%) IP4 Disc: 0 ( 0.000%) IP6 Disc: 0 ( 0.000%) TCP Disc: 0 ( 0.000%) UDP Disc: 1385 ( 0.037%) ICMP Disc: 0 ( 0.000%) All Discard: 1385 ( 0.037%) Other: 57876 ( 1.555%) Bad Chk Sum: 32135 ( 0.863%) Bad TTL: 0 ( 0.000%) S5 G 1: 1494 ( 0.040%) S5 G 2: 1654 ( 0.044%) Total: 3722347 =============================================================================== \end{verbatim} \subsection{Snort Memory Statistics} On systems with mallinfo (3), you will see additional statistics. 
Check the man page of mallinfo for details Example: \begin{verbatim} =============================================================================== Memory usage summary: Total non-mmapped bytes (arena): 415481856 Bytes in mapped regions (hblkhd): 409612288 Total allocated space (uordblks): 92130384 Total free space (fordblks): 323351472 Topmost releasable block (keepcost): 3200 =============================================================================== \end{verbatim} \subsection{Actions, Limits, and Verdicts} Action and verdict counts show what Snort did with the packets it analyzed. This information is only output in IDS mode (when snort is run with the \texttt{-c } option). \begin{itemize} \item Alerts is the number of activate, alert, and block actions processed as determined by the rule actions. Here block includes block, drop, and reject actions. \end{itemize} Limits arise due to real world constraints on processing time and available memory. These indicate potential actions that did not happen: \begin{itemize} \item Match Limit counts rule matches were not processed due to the \texttt{config detection: max\_queue\_events} setting. The default is 5. \item Queue Limit counts events couldn't be stored in the event queue due to the \texttt{config event\_queue: max\_queue} setting. The default is 8. \item Log Limit counts events were not alerted due to the \texttt{config event\_queue: log} setting. The default is 3. \item Event Limit counts events not alerted due to \texttt{event\_filter} limits. \item Alert Limit counts events were not alerted because they already were triggered on the session. \end{itemize} Verdicts are rendered by Snort on each packet: \begin{itemize} \item Allow = packets Snort analyzed and did not take action on. \item Block = packets Snort did not forward, e.g. due to a block rule. 
"Block" is used instead of "Drop" to avoid confusion between dropped packets (those Snort didn't actually see) and blocked packets (those Snort did not allow to pass). \item Replace = packets Snort modified, for example, due to normalization or replace rules. This can only happen in inline mode with a compatible DAQ. \item Whitelist = packets that caused Snort to allow a flow to pass w/o inspection by any analysis program. Like blacklist, this is done by the DAQ or by Snort on subsequent packets. \item Blacklist = packets that caused Snort to block a flow from passing. This is the case when a block TCP rule fires. If the DAQ supports this in hardware, no further packets will be seen by Snort for that session. If not, snort will block each packet and this count will be higher. \item Ignore = packets that caused Snort to allow a flow to pass w/o inspection by this instance of Snort. Like blacklist, this is done by the DAQ or by Snort on subsequent packets. \item Int Blklst = packets that are GTP, Teredo, 6in4 or 4in6 encapsulated that are being blocked. These packets could get the Blacklist verdict if \texttt{config tunnel\_verdicts} was set for the given protocol. Note that these counts are output only if non-zero. Also, this count is incremented on the first packet in the flow that alerts. The alerting packet and all following packets on the flow will be counted under Block. \item Int Whtlst = packets that are GTP, Teredo, 6in4 or 4in6 encapsulated that are being allowed. These packets could get the Whitelist verdict if \texttt{config tunnel\_verdicts} was set for the given protocol. Note that these counts are output only if non-zero. Also, this count is incremented for all packets on the flow starting with the alerting packet. 
\end{itemize} Example: \begin{verbatim} =============================================================================== Action Stats: Alerts: 0 ( 0.000%) Logged: 0 ( 0.000%) Passed: 0 ( 0.000%) Limits: Match: 0 Queue: 0 Log: 0 Event: 0 Alert: 0 Verdicts: Allow: 3716022 (100.000%) Block: 0 ( 0.000%) Replace: 0 ( 0.000%) Whitelist: 0 ( 0.000%) Blacklist: 0 ( 0.000%) Ignore: 0 ( 0.000%) =============================================================================== \end{verbatim} \section{Tunneling Protocol Support} Snort supports decoding of many tunneling protocols, including GRE, PPTP over GRE, MPLS, IP in IP, and ERSPAN, all of which are enabled by default. To disable support for any GRE related encapsulation, PPTP over GRE, IPv4/IPv6 over GRE, and ERSPAN, an extra configuration option is necessary: \begin{verbatim} $ ./configure --disable-gre \end{verbatim} To disable support for MPLS, a separate extra configuration option is necessary: \begin{verbatim} $ ./configure --disable-mpls \end{verbatim} \subsection{Multiple Encapsulations} Snort will not decode more than one encapsulation. Scenarios such as \begin{verbatim} Eth IPv4 GRE IPv4 GRE IPv4 TCP Payload \end{verbatim} or \begin{verbatim} Eth IPv4 IPv6 IPv4 TCP Payload \end{verbatim} will not be handled and will generate a decoder alert. \subsection{Logging} Currently, only the encapsulated part of the packet is logged, e.g. \begin{verbatim} Eth IP1 GRE IP2 TCP Payload \end{verbatim} gets logged as \begin{verbatim} Eth IP2 TCP Payload \end{verbatim} and \begin{verbatim} Eth IP1 IP2 TCP Payload \end{verbatim} gets logged as \begin{verbatim} Eth IP2 TCP Payload \end{verbatim} \begin{note} Decoding of PPTP, which utilizes GRE and PPP, is not currently supported on architectures that require word alignment such as SPARC. \end{note} \section{Miscellaneous} \subsection{Running Snort as a Daemon} If you want to run Snort as a daemon, you can add the -D switch to any combination described in the previous sections. 
Please notice that if you want to be able to restart Snort by sending a SIGHUP signal to the daemon, you {\em must} specify the full path to the Snort binary when you start it, for example: \begin{verbatim} /usr/local/bin/snort -d -h 192.168.1.0/24 \ -l /var/log/snortlogs -c /usr/local/etc/snort.conf -s -D \end{verbatim} Relative paths are not supported due to security concerns. \subsubsection{Snort PID File} When Snort is run as a daemon , the daemon creates a PID file in the log directory. In Snort 2.6, the \texttt{--pid-path} command line switch causes Snort to write the PID file in the directory specified. Additionally, the \texttt{--create-pidfile} switch can be used to force creation of a PID file even when not running in daemon mode. The PID file will be locked so that other snort processes cannot start. Use the \texttt{--nolock-pidfile} switch to not lock the PID file. If you do not wish to include the name of the interface in the PID file, use the \texttt{--no-interface-pidfile} switch. \subsection{Running in Rule Stub Creation Mode} If you need to dump the shared object rules stub to a directory, you must use the --dump-dynamic-rules command line option. These rule stub files are used in conjunction with the shared object rules. The path can be relative or absolute. \begin{verbatim} /usr/local/bin/snort -c /usr/local/etc/snort.conf \ --dump-dynamic-rules=/tmp \end{verbatim} This path can also be configured in the snort.conf using the config option dump-dynamic-rules-path as follows: \begin{verbatim} config dump-dynamic-rules-path: /tmp/sorules \end{verbatim} The path configured by command line has precedence over the one configured using dump-dynamic-rules-path. \begin{verbatim} /usr/local/bin/snort -c /usr/local/etc/snort.conf \ --dump-dynamic-rules snort.conf: config dump-dynamic-rules-path: /tmp/sorules \end{verbatim} In the above mentioned scenario the dump path is set to /tmp/sorules. 
\subsection{Obfuscating IP Address Printouts} If you need to post packet logs to public mailing lists, you might want to use the -O switch. This switch obfuscates your IP addresses in packet printouts. This is handy if you don't want people on the mailing list to know the IP addresses involved. You can also combine the -O switch with the -h switch to only obfuscate the IP addresses of hosts on the home network. This is useful if you don't care who sees the address of the attacking host. For example, you could use the following command to read the packets from a log file and dump them to the screen, obfuscating only the addresses from the 192.168.1.0/24 class C network: \begin{verbatim} ./snort -d -v -r snort.log -O -h 192.168.1.0/24 \end{verbatim} \subsection{Specifying Multiple-Instance Identifiers} In Snort v2.4, the \texttt{-G} command line option was added that specifies an instance identifier for the event logs. This option can be used when running multiple instances of snort, either on different CPUs, or on the same CPU but a different interface. Each Snort instance will use the value specified to generate unique event IDs. Users can specify either a decimal value (\texttt{-G 1}) or hex value preceded by 0x (\texttt{-G 0x11}). This is also supported via a long option \texttt{--logid}. \subsection{Snort Modes} Snort can operate in three different modes namely tap (passive), inline, and inline-test. Snort policies can be configured in these three modes too. \subsubsection{Explanation of Modes} \begin{itemize} \item \texttt{Inline} When Snort is in Inline mode, it acts as an IPS allowing drop rules to trigger. Snort can be configured to run in inline mode using the command line argument -Q and snort config option \texttt{policy\_mode} as follows: \begin{verbatim} snort -Q config policy_mode:inline \end{verbatim} \item \texttt{Passive} When Snort is in Passive mode, it acts as an IDS. Drop rules are not loaded (without --treat-drop-as-alert). 
Snort can be configured to passive mode using the snort config option \texttt{policy\_mode} as follows: \begin{verbatim} config policy_mode:tap \end{verbatim} \item \texttt{Inline-Test} Inline-Test mode simulates the inline mode of snort, allowing evaluation of inline behavior without affecting traffic. The drop rules will be loaded and will be triggered as a Wdrop (Would Drop) alert. Snort can be configured to run in inline-test mode using the command line option (--enable-inline-test) or using the snort config option \texttt{policy\_mode} as follows: \begin{verbatim} snort --enable-inline-test config policy_mode:inline_test \end{verbatim} \begin{note} Please note --enable-inline-test cannot be used in conjunction with -Q. \end{note} \end{itemize} \texttt{Behavior of different modes with rule options} \begin{tabular}{|l|c|c|p{6cm}|} \hline Rule Option & Inline Mode & Passive Mode & Inline-Test Mode\\ \hline \hline \texttt{reject} & Drop + Response & Alert + Response & Wdrop + Response\\ \hline \texttt{react} & Blocks and send notice & Blocks and send notice & Blocks and send notice\\ \hline \texttt{normalize} & Normalizes packet & Doesn't normalize & Doesn't normalize\\ \hline \texttt{replace} & replace content & Doesn't replace & Doesn't replace\\ \hline \texttt{respond} & close session & close session & close session\\ \hline \end{tabular} \texttt{Behavior of different modes with rules actions} \begin{tabular}{|l|c|c|c|} \hline Adapter Mode & Snort args & config policy\_mode & Drop Rule Handling\\ \hline \hline Passive & \texttt{ --treat-drop-as-alert} & tap & Alert\\ \hline Passive & \texttt{ no args} & tap & Not Loaded\\ \hline Passive & \texttt{ --treat-drop-as-alert} & inline\_test & Alert\\ \hline Passive & \texttt{ no args} & inline\_test & Would Drop\\ \hline Passive & \texttt{ --treat-drop-as-alert} & inline & Alert\\ \hline Passive & \texttt{no args} & inline & Not loaded + warning\\ \hline Inline Test & \texttt{ --enable-inline-test 
--treat-drop-as-alert} & tap & Alert\\ \hline Inline Test & \texttt{ --enable-inline-test} & tap & Would Drop\\ \hline Inline Test & \texttt{ --enable-inline-test --treat-drop-as-alert} & inline\_test & Alert\\ \hline Inline Test & \texttt{ --enable-inline-test} & inline\_test & Would Drop\\ \hline Inline Test & \texttt{ --enable-inline-test --treat-drop-as-alert} & inline & Alert\\ \hline Inline Test & \texttt{ --enable-inline-test} & inline & Would Drop\\ \hline Inline & \texttt{ -Q --treat-drop-as-alert} & tap & Alert\\ \hline Inline & \texttt{ -Q} & tap & Alert\\ \hline Inline & \texttt{ -Q --treat-drop-as-alert} & inline\_test & Alert\\ \hline Inline & \texttt{ -Q} & inline\_test & Would Drop\\ \hline Inline & \texttt{ -Q --treat-drop-as-alert} & inline & Alert\\ \hline Inline & \texttt{ -Q} & inline & Drop\\ \hline \end{tabular} \section{Control socket} \label{control_socket} Snort can be configured to provide a Unix socket that can be used to issue commands to the running process. You must build snort with the \texttt{--enable-control-socket} option. The control socket functionality is supported on Linux only.\\ Snort can be configured to use the control socket using the command line argument \texttt{--cs-dir } and snort config option \texttt{cs\_dir} as follows: \begin{verbatim} snort --cs-dir config cs_dir: \end{verbatim} \texttt{} specifies the directory in which snort creates the socket. If a relative path is used, the path is relative to the pid path specified. If there is no pid path specified, it is relative to the current working directory. A command \texttt{snort\_control} is made and installed along with snort in the same bin directory when configured with the \texttt{--enable-control-socket} option. \section{Configure signal value} \label{configure_signal} On some systems, the signals used by snort might be used by other functions. To avoid conflicts, users can change the default signal values through \texttt{./configure} options for non-Windows systems. 
These signals can be changed: \begin{itemize} \item \texttt{SIGNAL\_SNORT\_RELOAD} \item \texttt{SIGNAL\_SNORT\_DUMP\_STATS} \item \texttt{SIGNAL\_SNORT\_ROTATE\_STATS} \item \texttt{SIGNAL\_SNORT\_READ\_ATTR\_TBL} \end{itemize} Syntax: \begin{verbatim} ./configure SIGNAL_SNORT_RELOAD= SIGNAL_SNORT_DUMP_STATS=\ SIGNAL_SNORT_READ_ATTR_TBL= SIGNAL_SNORT_ROTATE_STATS= \end{verbatim} You can set those signals to user defined values or known signal names in the system. The following example changes the rotate stats signal to 31 and reload attribute table to signal SIGUSR2 : \begin{verbatim} ./configure SIGNAL_SNORT_ROTATE_STATS=31 SIGNAL_SNORT_READ_ATTR_TBL=SIGUSR2 \end{verbatim} If the same signal is assigned more than once a warning will be logged during snort initialization. If a signal handler cannot be installed a warning will be logged and that has to be fixed, otherwise the functionality will be lost. \texttt{Signals used in snort} \begin{tabular}{|l|l|l|} \hline Signal name & Default value & Action \\ \hline \hline SIGTERM & SIGTERM & exit \\ \hline SIGINT & SIGINT & exit \\ \hline SIGQUIT & SIGQUIT & exit \\ \hline SIGPIPE & SIGPIPE & ignore \\ \hline SIGNAL\_SNORT\_RELOAD & SIGHUP & reload snort \\ \hline SIGNAL\_SNORT\_DUMP\_STATS & SIGUSR1 & dump stats \\ \hline SIGNAL\_SNORT\_ROTATE\_STATS & SIGUSR2 & rotate stats \\ \hline SIGNAL\_SNORT\_READ\_ATTR\_TBL & SIGURG & reload attribute table \\ \hline SIGNAL\_SNORT\_CHILD\_READY & SIGCHLD & internal use in daemon mode \\ \hline \end{tabular} \section{More Information} Chapter \ref{Configuring Snort} contains much information about many configuration options available in the configuration file. The Snort manual page and the output of \texttt{snort -?} or \texttt{snort --help} contain information that can help you get Snort running in several different modes. 
\begin{note} In many shells, a backslash (\textbackslash{}) is needed to escape the ?, so you may have to type \texttt{snort -\textbackslash{}?} instead of \texttt{snort -?} for a list of Snort command line options. \end{note} The Snort web page (\url{http://www.snort.org}) and the Snort Users mailing list: \url{http://marc.theaimsgroup.com/?l=snort-users} at \verb?snort-users@lists.sourceforge.net? provide informative announcements as well as a venue for community discussion and support. There's a lot to Snort, so sit back with a beverage of your choosing and read the documentation and mailing list archives. \chapter{Configuring Snort} \label{Configuring Snort} \section{Includes} The {\tt include} keyword allows other snort config files to be included within the snort.conf indicated on the Snort command line. It works much like an \#include from the C programming language, reading the contents of the named file and adding the contents in the place where the include statement appears in the file. \subsection{Format} \begin{verbatim} include \end{verbatim} \begin{note} Note that there is no semicolon at the end of this line. \end{note} Included files will substitute any predefined variable values into their own variable references. See Section \ref{variables} for more information on defining and using variables in Snort config files. \subsection{Variables} \label{variables} Three types of variables may be defined in Snort: \begin{itemize} \item var \item portvar \item ipvar \end{itemize} These are simple substitution variables set with the {\tt var}, {\tt ipvar}, or {\tt portvar} keywords as follows: \begin{verbatim} var RULES_PATH rules/ portvar MY_PORTS [22,80,1024:1050] ipvar MY_NET [192.168.1.0/24,10.1.1.0/24] alert tcp any any -> $MY_NET $MY_PORTS (flags:S; msg:"SYN packet";) include $RULE_PATH/example.rule \end{verbatim} \subsubsection{IP Variables and IP Lists} IPs may be specified individually, in a list, as a CIDR block, or any combination of the three. 
IP variables should be specified using 'ipvar' instead of 'var'. Using 'var' for an IP variable is still allowed for backward compatibility, but it will be deprecated in a future release. IPs, IP lists, and CIDR blocks may be negated with '!'. Negation is handled differently compared with Snort versions 2.7.x and earlier. Previously, each element in a list was logically OR'ed together. IP lists now OR non-negated elements and AND the result with the OR'ed negated elements. The following example list will match the IP 1.1.1.1 and IPs from 2.2.2.0 to 2.2.2.255, with the exception of IPs 2.2.2.2 and 2.2.2.3. \begin{verbatim} [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]] \end{verbatim} The order of the elements in the list does not matter. The element 'any' can be used to match all IPs, although '!any' is not allowed. Also, negated IP ranges that are more general than non-negated IP ranges are not allowed. See below for some valid examples of IP variables and IP lists. \begin{verbatim} ipvar EXAMPLE [1.1.1.1,2.2.2.0/24,![2.2.2.2,2.2.2.3]] alert tcp $EXAMPLE any -> any any (msg:"Example"; sid:1;) alert tcp [1.0.0.0/8,!1.1.1.0/24] any -> any any (msg:"Example";sid:2;) \end{verbatim} The following examples demonstrate some invalid uses of IP variables and IP lists. Use of !any: \begin{verbatim} ipvar EXAMPLE any alert tcp !$EXAMPLE any -> any any (msg:"Example";sid:3;) \end{verbatim} Different use of !any: \begin{verbatim} ipvar EXAMPLE !any alert tcp $EXAMPLE any -> any any (msg:"Example";sid:3;) \end{verbatim} Logical contradictions: \begin{verbatim} ipvar EXAMPLE [1.1.1.1,!1.1.1.1] \end{verbatim} Nonsensical negations: \begin{verbatim} ipvar EXAMPLE [1.1.1.0/24,!1.1.0.0/16] \end{verbatim} \subsubsection{Port Variables and Port Lists} Port lists support the declaration and lookup of ports and the representation of lists and ranges of ports. Variables, ranges, or lists may all be negated with '!'. Also, 'any' will specify any ports, but '!any' is not allowed. 
Valid port ranges are from 0 to 65535. Lists of ports must be enclosed in brackets and port ranges may be specified with a ':', such as in: \begin{verbatim} [10:50,888:900] \end{verbatim} Port variables should be specified using 'portvar'. The use of 'var' to declare a port variable will be deprecated in a future release. For backwards compatibility, a 'var' can still be used to declare a port variable, provided the variable name either ends with '\_PORT' or begins with 'PORT\_'. The following examples demonstrate several valid usages of both port variables and port lists. \begin{verbatim} portvar EXAMPLE1 80 var EXAMPLE2_PORT [80:90] var PORT_EXAMPLE2 [1] portvar EXAMPLE3 any portvar EXAMPLE4 [!70:90] portvar EXAMPLE5 [80,91:95,100:200] alert tcp any $EXAMPLE1 -> any $EXAMPLE2_PORT (msg:"Example"; sid:1;) alert tcp any $PORT_EXAMPLE2 -> any any (msg:"Example"; sid:2;) alert tcp any 90 -> any [100:1000,9999:20000] (msg:"Example"; sid:3;) \end{verbatim} Several invalid examples of port variables and port lists are demonstrated below: Use of !any: \begin{verbatim} portvar EXAMPLE5 !any var EXAMPLE5 !any \end{verbatim} Logical contradictions: \begin{verbatim} portvar EXAMPLE6 [80,!80] \end{verbatim} Ports out of range: \begin{verbatim} portvar EXAMPLE7 [65536] \end{verbatim} Incorrect declaration and use of a port variable: \begin{verbatim} var EXAMPLE8 80 alert tcp any $EXAMPLE8 -> any any (msg:"Example"; sid:4;) \end{verbatim} Port variable used as an IP: \begin{verbatim} alert tcp $EXAMPLE1 any -> any any (msg:"Example"; sid:5;) \end{verbatim} \subsubsection{Variable Modifiers} Rule variable names can be modified in several ways. You can define meta-variables using the \$ operator. 
These can be used with the variable modifier operators {\tt ?} and {\tt -}, as described in the following table: \begin{center} \begin{tabular}{| l | p{4.5in} |} \hline \textbf{Variable Syntax} & \textbf{Description}\\ \hline \hline \texttt{var} & Defines a meta-variable.\\ \hline \texttt{\$(var) or \$var} & Replaces with the contents of variable \texttt{var}.\\ \hline \texttt{\$(var:-default)} & Replaces the contents of the variable \texttt{var} with ``default'' if \texttt{var} is undefined.\\ \hline \texttt{\$(var:?message)} & Replaces with the contents of variable \texttt{var} or prints out the error message and exits.\\ \hline \end{tabular} \end{center} Here is an example of advanced variable usage in action: \begin{verbatim} ipvar MY_NET 192.168.1.0/24 log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23 \end{verbatim} \subsubsection{Limitations} When embedding variables, types can not be mixed. For instance, port variables can be defined in terms of other port variables, but old-style variables (with the 'var' keyword) can not be embedded inside a 'portvar'. Valid embedded variable: \begin{verbatim} portvar pvar1 80 portvar pvar2 [$pvar1,90] \end{verbatim} Invalid embedded variable: \begin{verbatim} var pvar1 80 portvar pvar2 [$pvar1,90] \end{verbatim} Likewise, variables can not be redefined if they were previously defined as a different type. They should be renamed instead: Invalid redefinition: \begin{verbatim} var pvar 80 portvar pvar 90 \end{verbatim} \subsection{Config} \label{Config} Many configuration and command line options of Snort can be specified in the configuration file. \subsubsection{Format} \begin{verbatim} config [: ] \end{verbatim} \newpage \begin{center} \begin{longtable}[t]{| p{2.5in} | p{3.5in} |} \hline {\bf Config Directive} & {\bf Description}\\ \hline % KEEP THESE IN ALPHABETICAL ORDER \hline \texttt{config alert\_with\_interface\_name} & Appends interface name to alert (\texttt{snort -I}). 
\\ \hline \texttt{config alertfile: } & Sets the alerts output file. \\ \hline \texttt{config asn1: } & Specifies the maximum number of nodes to track when doing ASN1 decoding. See Section \ref{asn1} for more information and examples.\\ \hline \texttt{config autogenerate\_preprocessor\newline \_decoder\_rules} & If Snort was configured to enable decoder and preprocessor rules, this option will cause Snort to revert back to its original behavior of alerting if the decoder or preprocessor generates an event. \\ \hline \texttt{config bpf\_file: } & Specifies BPF filters (\texttt{snort -F}). \\ \hline \texttt{config checksum\_drop: } & Types of packets to drop if invalid checksums. Values: \texttt{none}, \texttt{noip}, \texttt{notcp}, \texttt{noicmp}, \texttt{noudp}, \texttt{ip}, \texttt{tcp}, \texttt{udp}, \texttt{icmp} or \texttt{all} (only applicable in inline mode and for packets checked per \texttt{checksum\_mode} config option). \\ \hline \texttt{config checksum\_mode: } & Types of packets to calculate checksums. Values: \texttt{none}, \texttt{noip}, \texttt{notcp}, \texttt{noicmp}, \texttt{noudp}, \texttt{ip}, \texttt{tcp}, \texttt{udp}, \texttt{icmp} or \texttt{all}. \\ \hline \texttt{config chroot: } & Chroots to specified dir (\texttt{snort -t}). \\ \hline \texttt{config classification: } & See Table \ref{Snort Default Classifications} for a list of classifications.\\ \hline \texttt{config cs\_dir: } & configure snort to provide a Unix socket in the path that can be used to issue commands to the running process. See Section \ref{control_socket} for more details.\\ \hline \texttt{config daemon} & Forks as a daemon (\texttt{snort -D}). \\ \hline \texttt{config decode\_data\_link} & Decodes Layer2 headers (\texttt{snort -e}). \\ \hline \texttt{config default\_rule\_state: } & Global configuration directive to enable or disable the loading of rules into the detection engine. Default (with or without directive) is enabled. 
Specify \texttt{disabled} to disable loading rules. \\ \hline \texttt{config daq: } & Selects the type of DAQ to instantiate. The DAQ with the highest version of the given type is selected if there are multiple of the same type (this includes any built-in DAQs).\\ \hline \texttt{config daq\_mode: } & Select the DAQ mode: passive, inline, or read-file. Not all DAQs support modes. See the DAQ distro README for possible DAQ modes or list DAQ capabilities for a brief summary. \\ \hline \texttt{config daq\_var: } & Set a DAQ-specific variable. Snort just passes this information down to the DAQ. See the DAQ distro README for possible DAQ variables. \\ \hline \texttt{config daq\_dir: } & Tell Snort where to look for available dynamic DAQ modules. This can be repeated. The selected DAQ will be the one with the latest version. \\ \hline \texttt{config daq\_list: []} & Tell Snort to dump basic DAQ capabilities and exit. You can optionally specify a directory to include any dynamic DAQs from that directory. You can also precede this option with extra DAQ directory options to look in multiple directories. \\ \hline \texttt{config decode\_esp: [enable | disable]} & Enable or disable the decoding of Encapsulating Security Payload (ESP). This is disabled by default. Some networks use ESP for authentication without encryption, allowing their content to be inspected. Encrypted ESP may cause some false positives if this option is enabled.\\ \hline \texttt{config detection: [search-method ]} & Select type of fast pattern matcher algorithm to use. \begin{itemize} \item \texttt{search-method } \begin{itemize} \item Queued match search methods - Matches are queued until the fast pattern matcher is finished with the payload, then evaluated. This was found to generally increase performance through fewer cache misses (evaluating each rule would generally blow away the fast pattern matcher state in the cache). 
\begin{itemize} \item \texttt{ac} and \texttt{ac-q} - Aho-Corasick Full (high memory, best performance). \item \texttt{ac-bnfa} and \texttt{ac-bnfa-q} - Aho-Corasick Binary NFA (low memory, high performance) \item \texttt{lowmem} and \texttt{lowmem-q} - Low Memory Keyword Trie (low memory, moderate performance) \item \texttt{ac-split} - Aho-Corasick Full with ANY-ANY port group evaluated separately (low memory, high performance). Note this is shorthand for \texttt{search-method ac, split-any-any} \item \texttt{intel-cpm} - Intel CPM library (must have compiled Snort with location of libraries to enable this) \end{itemize} \end{itemize} \begin{itemize} \item No queue search methods - The "nq" option specifies that matches should not be queued but evaluated as they are found. \begin{itemize} \item \texttt{ac-nq} - Aho-Corasick Full (high memory, best performance). \item \texttt{ac-bnfa-nq} - Aho-Corasick Binary NFA (low memory, high performance). This is the default search method if none is specified. \item \texttt{lowmem-nq} - Low Memory Keyword Trie (low memory, moderate performance) \end{itemize} \end{itemize} \begin{itemize} \item Other search methods (the above are considered superior to these) \begin{itemize} \item \texttt{ac-std} - Aho-Corasick Standard (high memory, high performance) \item \texttt{acs} - Aho-Corasick Sparse (high memory, moderate performance) \item \texttt{ac-banded} - Aho-Corasick Banded (high memory, moderate performance) \item \texttt{ac-sparsebands} - Aho-Corasick Sparse-Banded (high memory, moderate performance) \end{itemize} \end{itemize} \end{itemize} \\ \hline \texttt{config detection: [split-any-any] [search-optimize] [max-pattern-len ]} & Other options that affect fast pattern matching. \begin{itemize} \item \texttt{split-any-any} \begin{itemize} \item A memory/performance tradeoff. By default, ANY-ANY port rules are added to every non ANY-ANY port group so that only one port group rule evaluation needs to be done per packet. 
Not putting the ANY-ANY port rule group into every other port group can significantly reduce the memory footprint of the fast pattern matchers if there are many ANY-ANY port rules. But doing so may require two port group evaluations per packet - one for the specific port group and one for the ANY-ANY port group, thus potentially reducing performance. This option is generic and can be used with any \texttt{search-method} but was specifically intended for use with the \texttt{ac} \texttt{search-method} where the memory footprint is significantly reduced though overall fast pattern performance is better than \texttt{ac-bnfa}. Of note is that the lower memory footprint can also increase performance through fewer cache misses. Default is not to split the ANY-ANY port group. \end{itemize} \item \texttt{search-optimize} \begin{itemize} \item Optimizes fast pattern memory when used with \texttt{search-method} \texttt{ac} or \texttt{ac-split} by dynamically determining the size of a state based on the total number of states. When used with \texttt{ac-bnfa}, some fail-state resolution will be attempted, potentially increasing performance. Default is not to optimize. \end{itemize} \item \texttt{max-pattern-len } \begin{itemize} \item This is a memory optimization that specifies the maximum length of a pattern that will be put in the fast pattern matcher. Patterns longer than this length will be truncated to this length before inserting into the pattern matcher. Useful when there are very long contents being used and truncating the pattern won't diminish the uniqueness of the patterns. Note that this may cause more false positive rule evaluations, i.e. rules that will be evaluated because a fast pattern was matched, but eventually fail, however CPU cache can play a part in performance so a smaller memory footprint of the fast pattern matcher can potentially increase performance. Default is to not set a maximum pattern length. 
\end{itemize} \end{itemize} \\ \hline \texttt{config detection: [no\_stream\_inserts] [max\_queue\_events ] [enable-single-rule-group] [bleedover-port-limit]} & Other detection engine options. \begin{itemize} \item \texttt{no\_stream\_inserts} \begin{itemize} \item Specifies that stream inserted packets should not be evaluated against the detection engine. This is a potential performance improvement with the idea that the stream rebuilt packet will contain the payload in the inserted one so the stream inserted packet doesn't need to be evaluated. Default is to inspect stream inserts. \end{itemize} \item \texttt{max\_queue\_events } \begin{itemize} \item Specifies the maximum number of matching fast-pattern states to queue per packet. Default is 5 events. \end{itemize} \item \texttt{enable-single-rule-group} \begin{itemize} \item Put all rules into one port group. Not recommended. Default is not to do this. \end{itemize} \item \texttt{bleedover-port-limit} \begin{itemize} \item The maximum number of source or destination ports designated in a rule before the rule is considered an ANY-ANY port group rule. Default is 1024. \end{itemize} \end{itemize} \\ \hline \texttt{config detection: [debug] [debug-print-nocontent-rule-tests] [debug-print-rule-group-build-details] [debug-print-rule-groups-uncompiled] [debug-print-rule-groups-compiled] [debug-print-fast-pattern] [bleedover-warnings-enabled]} & Options for detection engine debugging. \begin{itemize} \item \texttt{debug} \begin{itemize} \item Prints fast pattern information for a particular port group. \end{itemize} \item \texttt{debug-print-nocontent-rule-tests} \begin{itemize} \item Prints port group information during packet evaluation. \end{itemize} \item \texttt{debug-print-rule-group-build-details} \begin{itemize} \item Prints port group information during port group compilation. \end{itemize} \item \texttt{debug-print-rule-groups-uncompiled} \begin{itemize} \item Prints uncompiled port group information. 
\end{itemize} \item \texttt{debug-print-rule-groups-compiled} \begin{itemize} \item Prints compiled port group information. \end{itemize} \item \texttt{debug-print-fast-pattern} \begin{itemize} \item For each rule with fast pattern content, prints information about the content being used for the fast pattern matcher. \end{itemize} \item \texttt{bleedover-warnings-enabled} \begin{itemize} \item Prints a warning if the number of source or destination ports used in a rule exceeds the \texttt{bleedover-port-limit}, forcing the rule to be moved into the ANY-ANY port group. \end{itemize} \end{itemize} \\ \hline \texttt{config disable\_decode\_alerts} & Turns off the alerts generated by the decode phase of Snort. \\ \hline \texttt{config disable\_inline\_init\_failopen} & Disables the failopen thread that allows inline traffic to pass while Snort is starting up. Only useful if Snort was configured with --enable-inline-init-failopen. (\texttt{snort --disable-inline-init-failopen}) \\ \hline \texttt{config disable\_ipopt\_alerts} & Disables IP option length validation alerts. \\ \hline \texttt{config disable\_tcpopt\_alerts} & Disables TCP option length validation alerts. \\ \hline \texttt{config\newline disable\_tcpopt\_experimental\_alerts} & Turns off alerts generated by experimental TCP options. \\ \hline \texttt{config disable\_tcpopt\_obsolete\_alerts} & Turns off alerts generated by obsolete TCP options. \\ \hline \texttt{config disable\_tcpopt\_ttcp\_alerts} & Turns off alerts generated by T/TCP options. \\ \hline \texttt{config disable\_ttcp\_alerts} & Turns off alerts generated by T/TCP options. \\ \hline \texttt{config dump\_chars\_only} & Turns on character dumps (\texttt{snort -C}). \\ \hline \texttt{config dump\_payload} & Dumps application layer (\texttt{snort -d}). \\ \hline \texttt{config dump\_payload\_verbose} & Dumps raw packet starting at link layer (\texttt{snort -X}). 
\\ \hline \texttt{config enable\_decode\_drops} & Enables the dropping of bad packets identified by decoder (only applicable in inline mode).\\ \hline \texttt{config enable\_decode\_oversized\_alerts} & Enable alerting on packets that have headers containing length fields for which the value is greater than the length of the packet. \\ \hline \texttt{config enable\_decode\_oversized\_drops} & Enable dropping packets that have headers containing length fields for which the value is greater than the length of the packet. \texttt{enable\_decode\_oversized\_alerts} must also be enabled for this to be effective (only applicable in inline mode). \\ \hline \texttt{config enable\_deep\_teredo\_inspection} & Snort's packet decoder only decodes Teredo (IPv6 over UDP over IPv4) traffic on UDP port 3544. This option makes Snort decode Teredo traffic on all UDP ports. \\ \hline \texttt{config enable\_ipopt\_drops} & Enables the dropping of bad packets with bad/truncated IP options (only applicable in inline mode).\\ \hline \texttt{config enable\_mpls\_multicast} & Enables support for MPLS multicast. This option is needed when the network allows MPLS multicast traffic. When this option is off and MPLS multicast traffic is detected, Snort will generate an alert. By default, it is off.\\ \hline \texttt{config enable\_mpls\_overlapping\_ip} & Enables support for overlapping IP addresses in an MPLS network. In a normal situation, where there are no overlapping IP addresses, this configuration option should not be turned on. However, there could be situations where two private networks share the same IP space and different MPLS labels are used to differentiate traffic from the two VPNs. In such a situation, this configuration option should be turned on. By default, it is off. 
\\ \hline \texttt{config enable\_tcpopt\_drops} & Enables the dropping of bad packets with bad/truncated TCP option (only applicable in inline mode).\\ \hline \texttt{config\newline enable\_tcpopt\_experimental\_drops} & Enables the dropping of bad packets with experimental TCP option. (only applicable in inline mode).\\ \hline \texttt{config enable\_tcpopt\_obsolete\_drops} & Enables the dropping of bad packets with obsolete TCP option. (only applicable in inline mode).\\ \hline \texttt{config enable\_tcpopt\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP option. (only applicable in inline mode).\\ \hline \texttt{config enable\_ttcp\_drops} & Enables the dropping of bad packets with T/TCP option. (only applicable in inline mode).\\ \hline \texttt{config event\_filter: memcap } & Set global memcap in bytes for thresholding. Default is 1048576 bytes (1 megabyte). \\ \hline \texttt{config event\_queue: [max\_queue ] [log ] [order\_events ]} & Specifies conditions about Snort's event queue. You can use the following options: \begin{itemize} \item \texttt{max\_queue $<$integer$>$} (max events supported) \item \texttt{log $<$integer$>$} (number of events to log) \item \texttt{order\_events [priority$|$content\_length]} (how to order events within the queue) \end{itemize} See Section \ref{eventqueue} for more information and examples.\\ \hline \texttt{config flowbits\_size: } & Specifies the maximum number of flowbit tags that can be used within a rule set. The default is 1024 bits and maximum is 2048. \\ \hline \texttt{config ignore\_ports: } & Specifies ports to ignore (useful for ignoring noisy NFS traffic). Specify the protocol (TCP, UDP, IP, or ICMP), followed by a list of ports. Port ranges are supported.\\ \hline \texttt{config interface: } & Sets the network interface (\texttt{snort -i}). 
\\ \hline \texttt{config ipv6\_frag: [bsd\_icmp\_frag\_alert on|off] [, bad\_ipv6\_frag\_alert on|off] [, frag\_timeout ] [, max\_frag\_sessions ]} & The following options can be used: \begin{itemize} \item \texttt{bsd\_icmp\_frag\_alert on|off} (Specify whether or not to alert. Default is on) \item \texttt{bad\_ipv6\_frag\_alert on|off} (Specify whether or not to alert. Default is on) \item \texttt{frag\_timeout $<$integer$>$} (Specify amount of time in seconds to timeout first frag in hash table) \item \texttt{max\_frag\_sessions $<$integer$>$} (Specify the number of fragments to track in the hash table) \end{itemize} \\ \hline \texttt{config logdir: } & Sets the logdir (\texttt{snort -l}). \\ \hline \texttt{config log\_ipv6\_extra\_data} & Set Snort to log IPv6 source and destination addresses as unified2 extra data events. \\ \hline \texttt{config max\_attribute\_hosts: } & Sets a limit on the maximum number of hosts to read from the attribute table. Minimum value is 32 and the maximum is 524288 (512k). The default is 10000. If the number of hosts in the attribute table exceeds this value, an error is logged and the remainder of the hosts are ignored. This option is only supported with a Host Attribute Table (see section \ref{targetbased}). \\ \hline \texttt{config max\_attribute\_services\_per\_host: } & Sets a per host limit on the maximum number of services to read from the attribute table. Minimum value is 1 and the maximum is 65535. The default is 100. For a given host, if the number of services in the attribute table exceeds this value, an error is logged and the remainder of the services for that host are ignored. This option is only supported with a Host Attribute Table (see section \ref{targetbased}). \\ \hline \texttt{config max\_mpls\_labelchain\_len: } & Sets a Snort-wide limit on the number of MPLS headers a packet can have. 
Its default value is -1, which means that there is no limit on label chain length.\\ \hline \texttt{config max\_ip6\_extensions: } & Sets the maximum number of IPv6 extension headers that Snort will decode. Default is 8. \\ \hline \texttt{config min\_ttl: } & Sets a Snort-wide minimum ttl to ignore all traffic. \\ \hline \texttt{config mpls\_payload\_type: ipv4|ipv6|ethernet} & Sets a Snort-wide MPLS payload type. In addition to ipv4, ipv6 and ethernet are also valid options. The default MPLS payload type is ipv4.\\ \hline \texttt{config no\_promisc} & Disables promiscuous mode (\texttt{snort -p}). \\ \hline \texttt{config nolog} & Disables logging. Note: Alerts will still occur. (\texttt{snort -N}). \\ \hline \texttt{config nopcre} & Disables pcre pattern matching. \\ \hline \texttt{config obfuscate} & Obfuscates IP Addresses (\texttt{snort -O}). \\ \hline \texttt{config order: } & Changes the order that rules are evaluated, e.g.: pass alert log activation. \\ \hline \texttt{config pcre\_match\_limit: $<$integer$>$} & Restricts the amount of backtracking for a given PCRE option. For example, it will limit the number of nested repeats within a pattern. A value of -1 allows for unlimited PCRE, up to the PCRE library compiled limit (around 10 million). A value of 0 results in no PCRE evaluation. The snort default value is 1500. \\ \hline \texttt{config pcre\_match\_limit\_recursion: $<$integer$>$} & Restricts the amount of stack used by a given PCRE option. A value of -1 allows for unlimited PCRE, up to the PCRE library compiled limit (around 10 million). A value of 0 results in no PCRE evaluation. The snort default value is 1500. This option is only useful if the value is less than the \texttt{pcre\_match\_limit}. \\ \hline \texttt{config pkt\_count: } & Exits after N packets (\texttt{snort -n}). \\ \hline \texttt{config policy\_version: $<$base-version-string$>$ [$<$binding-version-string$>$]} & Supply versioning information to configuration files. 
Base version should be a string in all configuration files including included ones. In addition, binding version must be in any file configured with \texttt{config binding}. This option is used to avoid race conditions when modifying and loading a configuration within a short time span - before Snort has had a chance to load a previous configuration. \\ \hline \texttt{config profile\_preprocs} & Print statistics on preprocessor performance. See Section \ref{preproc profiling} for more details. \\ \hline \texttt{config profile\_rules} & Print statistics on rule performance. See Section \ref{rule profiling} for more details. \\ \hline \texttt{config protected\_content: md5|sha256|sha512} & Specifies a default algorithm to use for protected\_content rules. \\ \hline \texttt{config quiet}& Disables banner and status reports (\texttt{snort -q}). NOTE: The command line switch \texttt{-q} takes effect immediately after processing the command line parameters, whereas using \texttt{config quiet} in snort.conf takes effect when the configuration line in snort.conf is parsed. That may occur after other configuration settings that result in output to console or syslog. \\ \hline \texttt{config reference: } & Adds a new reference system to Snort, e.g.: myref http://myurl.com/?id=\\ \hline \texttt{config reference\_net } & For IP obfuscation, the obfuscated net will be used if the packet contains an IP address in the reference net. Also used to determine how to set up the logging directory structure for the \texttt{session} post detection rule option and ASCII output plugin - an attempt is made to name the log directories after the IP address that is not in the reference net. \\ \hline \texttt{config response: [attempts ] [, device ]} & Set the number of strafing attempts per injected response and/or the device, such as eth0, from which to send responses. These options may appear in any order but must be comma separated. These are intended for passive mode. 
\\ \hline \texttt{config set\_gid: } & Changes GID to specified GID (\texttt{snort -g}). \\ \hline \texttt{config set\_uid: } & Sets UID to $<$id$>$ (\texttt{snort -u}). \\ \hline \texttt{config show\_year} & Shows year in timestamps (\texttt{snort -y}). \\ \hline \texttt{config snaplen: } & Set the snaplength of packet, same effect as \texttt{-P $<$snaplen$>$} or \texttt{--snaplen $<$snaplen$>$} options.\\ \hline \texttt{config so\_rule\_memcap: } & Set global memcap in bytes for so rules that dynamically allocate memory for storing session data in the stream preprocessor. A value of 0 disables the memcap. Default is 0. Maximum value is the maximum value an unsigned 32 bit integer can hold which is 4294967295 or 4GB.\\ \hline \texttt{config stateful} & Sets assurance mode for stream (stream is established). \\ \hline \texttt{config tagged\_packet\_limit: } & When a metric other than \texttt{packets} is used in a tag option in a rule, this option sets the maximum number of packets to be tagged regardless of the amount defined by the other metric. See Section \ref{tag section} on using the tag option when writing rules for more details. The default value when this option is not configured is 256 packets. Setting this option to a value of 0 will disable the packet limit. \\ \hline \texttt{config threshold: memcap } & Set global memcap in bytes for thresholding. Default is 1048576 bytes (1 megabyte). (This is deprecated. Use config event\_filter instead.)\\ \hline \texttt{config umask: } & Sets umask when running (\texttt{snort -m}). \\ \hline \texttt{config utc} & Uses UTC instead of local time for timestamps (\texttt{snort -U}). \\ \hline \texttt{config verbose} & Uses verbose logging to STDOUT (\texttt{snort -v}). \\ \hline \texttt{config vlan\_agnostic} & Causes Snort to ignore vlan headers for the purposes of connection and frag tracking. This option is only valid in the base configuration when using multiple configurations, and the default is off. 
\\ \hline \texttt{config address\_space\_agnostic} & Causes Snort to ignore DAQ address space ID for the purposes of connection and frag tracking. This option is only valid in the base configuration when using multiple configurations, and the default is off. \\ \hline \texttt{config policy\_mode: tap|inline|inline\_test} & Sets the policy mode to either \texttt{passive}, \texttt{inline} or \texttt{inline\_test}. \\ \hline \texttt{config tunnel\_verdicts: gtp|teredo|6in4|4in6} & By default, whitelist and blacklist verdicts are handled internally by Snort for GTP, Teredo, 6in4 and 4in6 encapsulated traffic. This means Snort actually gives the DAQ a pass or block verdict instead. This is to workaround cases where the DAQ would apply the verdict to the whole tunnel instead of the individual session within the tunnel. If your DAQ decodes GTP, Teredo, 6in4 or 4in6 correctly, setting this config will allow the whitelist or blacklist verdict to go to the DAQ. There is a modest performance boost by doing this where possible since Snort won't see the remaining packets on the session. \\ \hline \end{longtable} \end{center} \section{Preprocessors} Preprocessors were introduced in version 1.5 of Snort. They allow the functionality of Snort to be extended by allowing users and programmers to drop modular plugins into Snort fairly easily. Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism. Preprocessors are loaded and configured using the {\tt preprocessor} keyword. The format of the preprocessor directive in the Snort config file is: \begin{verbatim} preprocessor : \end{verbatim} \subsection{Frag3} \label{frag3 section} The frag3 preprocessor is a target-based IP defragmentation module for Snort. Frag3 is designed with the following goals: \begin{slist} \item Fast execution with less complex data management. 
\item Target-based host modeling anti-evasion techniques. \end{slist} Frag3 uses the sfxhash data structure and linked lists for data handling internally which allows it to have much more predictable and deterministic performance in any environment which should aid us in managing heavily fragmented environments. Target-based analysis is a relatively new concept in network-based intrusion detection. The idea of a target-based system is to model the actual targets on the network instead of merely modeling the protocols and looking for attacks within them. When IP stacks are written for different operating systems, they are usually implemented by people who read the RFCs and then write their interpretation of what the RFC outlines into code. Unfortunately, there are ambiguities in the way that the RFCs define some of the edge conditions that may occur and when this happens different people implement certain aspects of their IP stacks differently. For an IDS this is a big problem. In an environment where the attacker can determine what style of IP defragmentation is being used on a particular target, the attacker can try to fragment packets such that the target will put them back together in a specific manner while any passive systems trying to model the host traffic have to guess which way the target OS is going to handle the overlaps and retransmits. As I like to say, if the attacker has more information about the targets on a network than the IDS does, it is possible to evade the IDS. This is where the idea for ``target-based IDS'' came from. For more detail on this issue and how it affects IDS, check out the famous Ptacek \& Newsham paper at \url{http://www.snort.org/docs/idspaper/}. The basic idea behind target-based IDS is that we tell the IDS information about hosts on the network so that it can avoid Ptacek \& Newsham style evasion attacks based on information about how an individual target IP stack operates. 
Vern Paxson and Umesh Shankar did a great paper on this very topic in 2003 that detailed mapping the hosts on a network and determining how their various IP stack implementations handled the types of problems seen in IP defragmentation and TCP stream reassembly. Check it out at \url{http://www.icir.org/vern/papers/activemap-oak03.pdf}. We can also present the IDS with topology information to avoid TTL-based evasions and a variety of other issues, but that's a topic for another day. Once we have this information we can start to really change the game for these complex modeling problems. Frag3 was implemented to showcase and prototype a target-based module within Snort to test this idea. \subsubsection{Frag 3 Configuration} There are at least two preprocessor directives required to activate frag3, a global configuration directive and an engine instantiation. There can be an arbitrary number of engines defined at startup with their own configuration, but only one global configuration. \textbf{Global Configuration} \begin{itemize} \item Preprocessor name: \texttt{frag3\_global} \item Available options: NOTE: Global configuration options are comma separated. \begin{itemize} \item \texttt{max\_frags $<$number$>$} - Maximum simultaneous fragments to track. Default is 8192. \item \texttt{memcap $<$bytes$>$} - Memory cap for self preservation. Default is 4MB. \item \texttt{prealloc\_memcap $<$bytes$>$} - alternate memory management mode, use preallocated fragment nodes based on a memory cap (faster in some situations). \item \texttt{prealloc\_frags $<$number$>$} - Alternate memory management mode, use preallocated fragment nodes (faster in some situations). \item \texttt{disabled} - This optional keyword is allowed with any policy to avoid packet processing. This option disables the preprocessor for this config, but not for other instances of multiple configurations. 
Use the disable keyword in the base configuration to specify values for the options \texttt{memcap}, \texttt{prealloc\_memcap}, and \texttt{prealloc\_frags} without having the preprocessor inspect traffic for traffic applying to the base configuration. The other options are parsed but not used. Any valid configuration may have "disabled" added to it. \end{itemize} \end{itemize} \textbf{Engine Configuration} \begin{itemize} \item Preprocessor name: \texttt{frag3\_engine} \item Available options: NOTE: Engine configuration options are space separated. \begin{itemize} \item \texttt{timeout $<$seconds$>$} - Timeout for fragments. Fragments in the engine for longer than this period will be automatically dropped. Default is 60 seconds. \item \texttt{min\_ttl $<$value$>$} - Minimum acceptable TTL value for a fragment packet. Default is 1. The accepted range for this option is 1 - 255. \item \texttt{detect\_anomalies} - Detect fragment anomalies. \item \texttt{bind\_to $<$ip\_list$>$} - IP List to bind this engine to. This engine will only run for packets with destination addresses contained within the IP List. Default value is \texttt{all}. \item \texttt{overlap\_limit } - Limits the number of overlapping fragments per packet. The default is "0" (unlimited). This config option takes values equal to or greater than zero. This is an optional parameter. detect\_anomalies option must be configured for this option to take effect. \item \texttt{min\_fragment\_length } - Defines smallest fragment size (payload size) that should be considered valid. Fragments smaller than or equal to this limit are considered malicious and an event is raised, if detect\_anomalies is also configured. The default is "0" (unlimited), the minimum is "0". This is an optional parameter. detect\_anomalies option must be configured for this option to take effect. \item \texttt{policy $<$type$>$} - Select a target-based defragmentation mode. 
Available types are first, last, bsd, bsd-right, linux, windows and solaris. Default type is bsd. The Paxson Active Mapping paper introduced the terminology frag3 is using to describe policy types. The known mappings are as follows. Anyone who develops more mappings and would like to add to this list please feel free to send us an email! \begin{tabular}{| l | l |} \hline \textbf{Platform} & \textbf{Type}\\ \hline \hline AIX 2 & BSD \\ \hline AIX 4.3 8.9.3 & BSD \\ \hline Cisco IOS & Last \\ \hline FreeBSD & BSD\\ \hline HP JetDirect (printer) & BSD-right \\ \hline HP-UX B.10.20 & BSD \\ \hline HP-UX 11.00 & First \\ \hline IRIX 4.0.5F & BSD \\ \hline IRIX 6.2 & BSD \\ \hline IRIX 6.3 & BSD \\ \hline IRIX64 6.4 & BSD \\ \hline Linux 2.2.10 & linux \\ \hline Linux 2.2.14-5.0 & linux \\ \hline Linux 2.2.16-3 & linux \\ \hline Linux 2.2.19-6.2.10smp & linux \\ \hline Linux 2.4.7-10 & linux \\ \hline Linux 2.4.9-31SGI 1.0.2smp & linux \\ \hline Linux 2.4 (RedHat 7.1-7.3) & linux \\ \hline MacOS (version unknown) & First \\ \hline NCD Thin Clients & BSD \\ \hline OpenBSD (version unknown) & linux \\ \hline OpenBSD (version unknown) & linux \\ \hline OpenVMS 7.1 & BSD \\ \hline OS/2 (version unknown) & BSD \\ \hline OSF1 V3.0 & BSD \\ \hline OSF1 V3.2 & BSD \\ \hline OSF1 V4.0,5.0,5.1 & BSD \\ \hline SunOS 4.1.4 & BSD \\ \hline SunOS 5.5.1,5.6,5.7,5.8 & First \\ \hline Tru64 Unix V5.0A,V5.1 & BSD \\ \hline Vax/VMS & BSD \\ \hline Windows (95/98/NT4/W2K/XP) & Windows\\ \hline \end{tabular} \end{itemize} \end{itemize} \subsubsection{Format} Note in the advanced configuration below that there are three engines specified running with \emph{Linux}, \texttt{first} and \texttt{last} policies assigned. The first two engines are bound to specific IP address ranges and the last one applies to all other traffic. Packets that don't fall within the address requirements of the first two engines automatically fall through to the third one. 
\paragraph{Basic Configuration} \begin{verbatim} preprocessor frag3_global preprocessor frag3_engine \end{verbatim} \paragraph{Advanced Configuration} \begin{verbatim} preprocessor frag3_global: prealloc_nodes 8192 preprocessor frag3_engine: policy linux bind_to 192.168.1.0/24 preprocessor frag3_engine: policy first bind_to [10.1.47.0/24,172.16.8.0/24] preprocessor frag3_engine: policy last detect_anomalies \end{verbatim} \subsubsection{Frag 3 Alert Output} \label{frag3 alert output} Frag3 is capable of detecting eight different types of anomalies. Its event output is packet-based so it will work with all output modes of Snort. Read the documentation in the \texttt{doc/signatures} directory with filenames that begin with ``123-'' for information on the different event types. %%Need to doc these eight types of anomalies and truncate beginning of section.
\subsection{Session} \label{session section} The Session preprocessor is a global stream session management module for Snort. It is derived from the session management functions that were part of the Stream5 preprocessor. Since Session implements part of the functionality and API that was previously in Stream5 it cannot be used with Stream5 but must be used in conjunction with the new Stream preprocessor. Similarly, due to the API changes, the other preprocessors in Snort 2.9.7 work only with the new Session and Stream preprocessors. \subsubsection{Session API} Session provides an API to enable the creation and management of the session control block for a flow and the management of data and state that may be associated with that flow by service and application preprocessors (most of these functions were previously supported by the Stream5 API). These methods are called to identify sessions that may be ignored (large data transfers, etc), and update the identifying information about the session (application protocol, direction, etc) that can later be used by rules.
API methods to enable preprocessors to register for dispatch for ports and services for which they should be called to process the packet have been added to the Session API. Session is required for the use of the 'flow' and 'flowbits' keywords. \subsubsection{Session Global Configuration} Global settings for the Session preprocessor. \begin{verbatim} preprocessor stream5_global: \ [track_tcp ], [max_tcp ], \ [memcap ], \ [track_udp ], [max_udp ], \ [track_icmp ], [max_icmp ], \ [track_ip ], [max_ip ], \ [flush_on_alert], [show_rebuilt_packets], \ [prune_log_max ], [disabled], \ [flush_on_alert], [show_rebuilt_packets], \ [prune_log_max ], [enable_ha] \end{verbatim} \begin{center} \begin{tabular}{| l | p{4.5in} |} \hline \textbf{Option} & \textbf{Description}\\ \hline \hline \texttt{track\_tcp } & Track sessions for TCP. The default is "yes".\\ \hline \texttt{max\_tcp } & Maximum simultaneous TCP sessions tracked. The default is "262144", maximum is "1048576", minimum is "2".\\ \hline \texttt{memcap } & Memcap for TCP packet storage. The default is "8388608" (8MB), maximum is "1073741824" (1GB), minimum is "32768" (32KB).\\ \hline \texttt{track\_udp } & Track sessions for UDP. The default is "yes".\\ \hline \texttt{max\_udp } & Maximum simultaneous UDP sessions tracked. The default is "131072", maximum is "1048576", minimum is "1".\\ \hline \texttt{track\_icmp } & Track sessions for ICMP. The default is "no".\\ \hline \texttt{max\_icmp } & Maximum simultaneous ICMP sessions tracked. The default is "65536", maximum is "1048576", minimum is "1".\\ \hline \texttt{track\_ip } & Track sessions for IP. The default is "no". Note that "IP" includes all non-TCP/UDP traffic over IP including ICMP if ICMP not otherwise configured.\\ \hline \texttt{max\_ip } & Maximum simultaneous IP sessions tracked. The default is "16384", maximum is "1048576", minimum is "1".\\ \hline \texttt{disabled} & Option to disable the stream5 tracking. By default this option is turned off. 
When the preprocessor is disabled only the options memcap, max\_tcp, max\_udp and max\_icmp are applied when specified with the configuration.\\ \hline \texttt{flush\_on\_alert} & Backwards compatibility. Flush a TCP stream when an alert is generated on that stream. The default is set to off.\\ \hline \texttt{show\_rebuilt\_packets} & Print/display the packet after it is rebuilt (for debugging). The default is set to off.\\ \hline \texttt{prune\_log\_max } & Print a message when a session terminates that was consuming more than the specified number of bytes. The default is "1048576" (1MB), minimum can be either "0" (disabled) or if not disabled the minimum is "1024" and maximum is "1073741824".\\ \hline \texttt{enable\_ha} & Enable High Availability state sharing. The default is set to off.\\ \hline \end{tabular} \end{center} \subsubsection{Session HA Configuration} Configuration for HA session state sharing. \begin{verbatim} preprocessor stream5_ha: [min_session_lifetime ], \ [min_sync_interval ], [startup_input_file ], \ [runtime_output_file ], [use_side_channel] \end{verbatim} \begin{center} \begin{tabular}{| l | p{4.5in} |} \hline \textbf{Option} & \textbf{Description}\\ \hline \hline \texttt{min\_session\_lifetime } & Minimum session lifetime in milliseconds. HA update messages will only be generated once a session has existed for at least this long. The default is 0, the minimum is 0, and the maximum is 65535.\\ \hline \texttt{min\_sync\_interval } & Minimum synchronization interval in milliseconds. HA update messages will not be generated more often than once per interval on a given session.
The default is 0, the minimum is 0, and the maximum is 65535.\\ \hline \texttt{startup\_input\_file } & The name of a file for snort to read HA messages from at startup.\\ \hline \texttt{runtime\_output\_file } & The name of a file to which Snort will write all HA messages that are generated while it is running.\\ \hline \texttt{use\_side\_channel} & Indicates that all HA messages should also be sent to the side channel for processing.\\ \hline \end{tabular} \end{center} \subsubsection{Example Configurations} \begin{enumerate} \item{} This example configuration sets the maximum number of TCP session control blocks to 8192, enables tracking of TCP and UDP sessions, and disables tracking of ICMP sessions. The number of UDP session control blocks will be set to the compiled default. \begin{verbatim} preprocessor stream5_global: \ max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no preprocessor stream5_tcp: \ policy first, use_static_footprint_sizes preprocessor stream5_udp: \ ignore_any_rules \end{verbatim} \end{enumerate} \subsection{Stream} \label{stream5 section} The Stream preprocessor is a target-based TCP reassembly module for Snort. It is capable of tracking sessions for both TCP and UDP. \subsubsection{Transport Protocols} TCP sessions are identified via the classic TCP "connection". UDP sessions are established as the result of a series of UDP packets from two end points via the same set of ports. ICMP messages are tracked for the purposes of checking for unreachable and service unavailable messages, which effectively terminate a TCP or UDP session. \subsubsection{Target-Based} Stream, like Frag3, introduces target-based actions for handling of overlapping data and other TCP anomalies. The methods for handling overlapping data, TCP Timestamps, Data on SYN, FIN and Reset sequence numbers, etc. and the policies supported by Stream are the results of extensive research with many target operating systems.
\subsubsection{Stream API} Stream supports the modified Stream API that is now focused on functions specific to reassembly and protocol aware flushing operations. Session management functions have been moved to the Session API. The remaining API functions enable other protocol normalizers/preprocessors to dynamically configure reassembly behavior as required by the application layer protocol. \subsubsection{Anomaly Detection} TCP protocol anomalies, such as data on SYN packets, data received outside the TCP window, etc are configured via the \texttt{detect\_anomalies} option to the TCP configuration. Some of these anomalies are detected on a per-target basis. For example, a few operating systems allow data in TCP SYN packets, while others do not. \subsubsection{Protocol Aware Flushing} Protocol aware flushing of HTTP, SMB and DCE/RPC can be enabled with this option: \begin{verbatim} config paf_max: \end{verbatim} where \texttt{} is between zero (off) and 63780. This allows Snort to statefully scan a stream and reassemble a complete PDU regardless of segmentation. For example, multiple PDUs within a single TCP segment, as well as one PDU spanning multiple TCP segments will be reassembled into one PDU per packet for each PDU. PDUs larger than the configured maximum will be split into multiple packets. \subsubsection{Stream TCP Configuration} Provides a means on a per IP address target to configure TCP policy. This can have multiple occurrences, per policy that is bound to an IP address or network. One default policy must be specified, and that policy is not bound to an IP address or network. 
\begin{verbatim} preprocessor stream5_tcp: \ [bind_to ], \ [timeout ], [policy ], \ [overlap_limit ], [max_window ], \ [require_3whs []], [detect_anomalies], \ [check_session_hijacking], [use_static_footprint_sizes], \ [dont_store_large_packets], [dont_reassemble_async], \ [max_queued_bytes ], [max_queued_segs ], \ [small_segments bytes [ignore_ports number [number]*]], \ [ports ], \ [protocol ], \ [ignore_any_rules], [flush_factor ] \end{verbatim} \begin{longtable}[h]{| p{2in} | p{4in} |} \hline \textbf{Option} & \textbf{Description}\\ \hline \hline \texttt{bind\_to } & IP address or network for this policy. The default is set to any.\\ \hline \texttt{timeout } & Session timeout. The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).\\ \hline \texttt{policy } & The Operating System policy for the target OS. The policy\_id can be one of the following: \begin{tabular}{| l | p{2.5in} |} \hline Policy Name & Operating Systems.\\ \hline \hline \texttt{first} & Favor first overlapped segment.\\ \hline \texttt{last} & Favor last overlapped segment.\\ \hline \texttt{bsd} & FreeBSD 4.x and newer, NetBSD 2.x and newer, OpenBSD 3.x and newer\\ \hline \texttt{linux} & Linux 2.4 and newer\\ \hline \texttt{old-linux} & Linux 2.2 and earlier\\ \hline \texttt{windows} & Windows 2000, Windows XP, Windows 95/98/ME\\ \hline \texttt{win2003} & Windows 2003 Server\\ \hline \texttt{vista} & Windows Vista\\ \hline \texttt{solaris} & Solaris 9.x and newer\\ \hline \texttt{hpux} & HPUX 11 and newer\\ \hline \texttt{hpux10} & HPUX 10\\ \hline \texttt{irix} & IRIX 6 and newer\\ \hline \texttt{macos} & MacOS 10.3 and newer\\ \hline \end{tabular}\\ \hline \texttt{overlap\_limit } & Limits the number of overlapping packets per session. The default is "0" (unlimited), the minimum is "0", and the maximum is "255".\\ \hline \texttt{max\_window } & Maximum TCP window allowed.
The default is "0" (unlimited), the minimum is "0", and the maximum is "1073725440" (65535 left shift 14). That is the highest possible TCP window per RFCs. This option is intended to prevent a DoS against Stream by an attacker using an abnormally large window, so using a value near the maximum is discouraged.\\ \hline \texttt{require\_3whs []} & Establish sessions only on completion of a SYN/SYN-ACK/ACK handshake. The default is set to off. The optional number of seconds specifies a startup timeout. This allows a grace period for existing sessions to be considered established during that interval immediately after Snort is started. The default is "0" (don't consider existing sessions established), the minimum is "0", and the maximum is "86400" (approximately 1 day).\\ \hline \texttt{detect\_anomalies} & Detect and alert on TCP protocol anomalies. The default is set to off.\\ \hline \texttt{check\_session\_hijacking} & Check for TCP session hijacking. This check validates the hardware (MAC) address from both sides of the connection -- as established on the 3-way handshake -- against subsequent packets received on the session. If an ethernet layer is not part of the protocol stack received by Snort, there are no checks performed. Alerts are generated (per '\texttt{detect\_anomalies}' option) for either the client or server when the MAC address for one side or the other does not match. The default is set to off.\\ \hline \texttt{use\_static\_footprint\_sizes} & Use static values for determining when to build a reassembled packet to allow for repeatable tests. This option should not be used in production environments. The default is set to off.\\ \hline \texttt{dont\_store\_large\_packets} & Performance improvement to not queue large packets in the reassembly buffer. The default is set to off. Using this option may result in missed attacks.\\ \hline \texttt{dont\_reassemble\_async} & Don't queue packets for reassembly if traffic has not been seen in both directions.
The default is set to queue packets.\\ \hline \texttt{max\_queued\_bytes } & Limit the number of bytes queued for reassembly on a given TCP session to bytes. Default is "1048576" (1MB). A value of "0" means unlimited, with a non-zero minimum of "1024", and a maximum of "1073741824" (1GB). A message is written to console/syslog when this limit is enforced.\\ \hline \texttt{max\_queued\_segs } & Limit the number of segments queued for reassembly on a given TCP session. The default is "2621", derived based on an average size of 400 bytes. A value of "0" means unlimited, with a non-zero minimum of "2", and a maximum of "1073741824" (1GB). A message is written to console/syslog when this limit is enforced.\\ \hline \texttt{small\_segments bytes [ignore\_ports ]} & Configure the maximum small segments queued. This feature requires that detect\_anomalies be enabled. The first number is the number of consecutive segments that will trigger the detection rule. The default value is "0" (disabled), with a maximum of "2048". The second number is the minimum bytes for a segment to be considered "small". The default value is "0" (disabled), with a maximum of "2048". ignore\_ports is optional and defines the list of ports that will be ignored for this rule. The number of ports can be up to "65535". A message is written to console/syslog when this limit is enforced.\\ \hline \texttt{ports } & Specify the client, server, or both and the list of ports on which to perform reassembly. This can appear more than once in a given config. The default settings are \texttt{ports client 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 514 1433 1521 2401 3306}. The minimum port allowed is "1" and the maximum allowed is "65535". To disable reassembly for a port specify the port number preceded by an '!', e.g. !8080 !25\\ \hline \texttt{protocol } & Specify the client, server, or both and the list of services for which to perform reassembly. This can appear more than once in a given config.
The default settings are \texttt{ports client ftp telnet smtp nameserver dns http pop3 sunrpc dcerpc netbios-ssn imap login shell mssql oracle cvs mysql}. The service names can be any of those used in the host attribute table (see \ref{targetbased}), including any of the internal defaults (see \ref{attribute:service names}) or others specific to the network.\\ \hline \texttt{ignore\_any\_rules} & Don't process any \texttt{->} any (ports) rules for TCP that attempt to match payload if there are no port specific rules for the src or destination port. Rules that have flow or flowbits will never be ignored. This is a performance improvement and may result in missed attacks. Using this does not affect rules that look at protocol headers, only those with content, PCRE, or byte test options. The default is "off". This option can be used only in default policy.\\ \hline \texttt{flush\_factor} & Useful in ips mode to flush upon seeing a drop in segment size after N segments of non-decreasing size. The drop in size often indicates an end of request or response.\\ \hline \end{longtable} \begin{note} If no options are specified for a given TCP policy, that is the default TCP policy. If only a bind\_to option is used with no other options that TCP policy uses all of the default values. \end{note} \subsubsection{Stream UDP Configuration} Configuration for UDP session tracking. Since there is no target based binding, there should be only one occurrence of the UDP configuration. \begin{verbatim} preprocessor stream5_udp: [timeout ], [ignore_any_rules] \end{verbatim} \begin{center} \begin{tabular}{| l | p{4.5in} |} \hline \textbf{Option} & \textbf{Description}\\ \hline \hline \texttt{timeout } & Session timeout. 
The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).\\ \hline \texttt{ignore\_any\_rules} & Don't process any \texttt{->} any (ports) rules for UDP that attempt to match payload if there are no port specific rules for the src or destination port. Rules that have flow or flowbits will never be ignored. This is a performance improvement and may result in missed attacks. Using this does not affect rules that look at protocol headers, only those with content, PCRE, or byte test options. The default is "off".\\ \hline \end{tabular} \end{center} \begin{note} With the ignore\_any\_rules option, a UDP rule will be ignored except when there is another port specific rule that may be applied to the traffic. For example, if a UDP rule specifies destination port 53, the 'ignored' any \texttt{->} any rule will be applied to traffic to/from port 53, but NOT to any other source or destination port. A list of rule SIDs affected by this option are printed at Snort's startup. \end{note} \begin{note} With the ignore\_any\_rules option, if a UDP rule that uses any \texttt{->} any ports includes either flow or flowbits, the ignore\_any\_rules option is effectively pointless. Because of the potential impact of disabling a flowbits rule, the ignore\_any\_rules option will be disabled in this case. \end{note} \subsubsection{Stream ICMP Configuration} Configuration for ICMP session tracking. Since there is no target based binding, there should be only one occurrence of the ICMP configuration. \begin{note} ICMP is currently untested, in minimal code form and is NOT ready for use in production networks. It is not turned on by default. \end{note} \begin{verbatim} preprocessor stream5_icmp: [timeout ] \end{verbatim} \begin{center} \begin{tabular}{| l | p{4.5in} |} \hline \textbf{Option} & \textbf{Description}\\ \hline \hline \texttt{timeout } & Session timeout. 
The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).\\ \hline \end{tabular} \end{center} \subsubsection{Stream IP Configuration} Configuration for IP session tracking. Since there is no target based binding, there should be only one occurrence of the IP configuration. \begin{note} "IP" includes all non-TCP/UDP traffic over IP including ICMP if ICMP not otherwise configured. It is not turned on by default. \end{note} \begin{verbatim} preprocessor stream5_ip: [timeout ] \end{verbatim} \begin{center} \begin{tabular}{| l | p{4.5in} |} \hline \textbf{Option} & \textbf{Description}\\ \hline \hline \texttt{timeout } & Session timeout. The default is "30", the minimum is "1", and the maximum is "86400" (approximately 1 day).\\ \hline \end{tabular} \end{center} \subsubsection{Example Configurations} \begin{enumerate} \item{} This example configuration is the default configuration in snort.conf and can be used for repeatable tests of stream reassembly in readback mode. \begin{verbatim} preprocessor stream5_global: \ max_tcp 8192, track_tcp yes, track_udp yes, track_icmp no preprocessor stream5_tcp: \ policy first, use_static_footprint_sizes preprocessor stream5_udp: \ ignore_any_rules \end{verbatim} \item{} This configuration maps two network segments to different OS policies, one for Windows and one for Linux, with all other traffic going to the default policy of Solaris. \begin{verbatim} preprocessor stream5_global: track_tcp yes preprocessor stream5_tcp: bind_to 192.168.1.0/24, policy windows preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy linux preprocessor stream5_tcp: policy solaris \end{verbatim} \end{enumerate} \subsection{sfPortscan} The sfPortscan module, developed by Sourcefire, is designed to detect the first phase in a network attack: Reconnaissance. In the Reconnaissance phase, an attacker determines what types of network protocols or services a host supports. 
This is the traditional place where a portscan takes place. This phase assumes the attacking host has no prior knowledge of what protocols or services are supported by the target; otherwise, this phase would not be necessary. As the attacker has no beforehand knowledge of its intended target, most queries sent by the attacker will be negative (meaning that the service ports are closed). In the nature of legitimate network communications, negative responses from hosts are rare, and rarer still are multiple negative responses within a given amount of time. Our primary objective in detecting portscans is to detect and track these negative responses. One of the most common portscanning tools in use today is Nmap. Nmap encompasses many, if not all, of the current portscanning techniques. sfPortscan was designed to be able to detect the different types of scans Nmap can produce. sfPortscan will currently alert for the following types of Nmap scans: \begin{itemize} \item TCP Portscan \item UDP Portscan \item IP Portscan \end{itemize} These alerts are for one$\rightarrow$one portscans, which are the traditional types of scans; one host scans multiple ports on another host. Most of the port queries will be negative, since most hosts have relatively few services available. sfPortscan also alerts for the following types of decoy portscans: \begin{itemize} \item TCP Decoy Portscan \item UDP Decoy Portscan \item IP Decoy Portscan \end{itemize} Decoy portscans are much like the Nmap portscans described above, only the attacker has a spoofed source address inter-mixed with the real scanning address. This tactic helps hide the true identity of the attacker. sfPortscan alerts for the following types of distributed portscans: \begin{itemize} \item TCP Distributed Portscan \item UDP Distributed Portscan \item IP Distributed Portscan \end{itemize} These are many$\rightarrow$one portscans. Distributed portscans occur when multiple hosts query one host for open services. 
This is used to evade an IDS and obfuscate command and control hosts. \begin{note} Negative queries will be distributed among scanning hosts, so we track this type of scan through the scanned host. \end{note} sfPortscan alerts for the following types of portsweeps: \begin{itemize} \item TCP Portsweep \item UDP Portsweep \item IP Portsweep \item ICMP Portsweep \end{itemize} These alerts are for one$\rightarrow$many portsweeps. One host scans a single port on multiple hosts. This usually occurs when a new exploit comes out and the attacker is looking for a specific service. \begin{note} The characteristics of a portsweep scan may not result in many negative responses. For example, if an attacker portsweeps a web farm for port 80, we will most likely not see many negative responses. \end{note} sfPortscan alerts on the following filtered portscans and portsweeps: \begin{itemize} \item TCP Filtered Portscan \item UDP Filtered Portscan \item IP Filtered Portscan \item TCP Filtered Decoy Portscan \item UDP Filtered Decoy Portscan \item IP Filtered Decoy Portscan \item TCP Filtered Portsweep \item UDP Filtered Portsweep \item IP Filtered Portsweep \item ICMP Filtered Portsweep \item TCP Filtered Distributed Portscan \item UDP Filtered Distributed Portscan \item IP Filtered Distributed Portscan \end{itemize} ``Filtered'' alerts indicate that there were no network errors (ICMP unreachables or TCP RSTs) or responses on closed ports have been suppressed. It's also a good indicator of whether the alert is just a very active legitimate host. Active hosts, such as NATs, can trigger these alerts because they can send out many connection attempts within a very small amount of time. A filtered alert may go off before responses from the remote hosts are received. sfPortscan only generates one alert for each host pair in question during the time window (more on windows below). On TCP scan alerts, sfPortscan will also display any open ports that were scanned. 
On TCP sweep alerts however, sfPortscan will only track open ports after the alert has been triggered. Open port events are not individual alerts, but tags based on the original scan alert. \subsubsection{sfPortscan Configuration} Use of the Stream preprocessor is required for sfPortscan. Stream gives portscan direction in the case of connectionless protocols like ICMP and UDP. You should enable the Stream preprocessor in your \texttt{snort.conf}, as described in Section \ref{stream5 section}. The parameters you can use to configure the portscan module are: \begin{slist} \item \textbf{proto $<$protocol$>$} Available options: \begin{itemize} \item \texttt{TCP} \item \texttt{UDP} \item \texttt{ICMP} \item \texttt{ip\_proto} \item \texttt{all} \end{itemize} \item \textbf{scan\_type $<$scan\_type$>$} Available options: \begin{itemize} \item \texttt{portscan} \item \texttt{portsweep} \item \texttt{decoy\_portscan} \item \texttt{distributed\_portscan} \item \texttt{all} \end{itemize} \item \textbf{sense\_level $<$level$>$} Available options: \begin{itemize} \item \texttt{low} - ``Low'' alerts are only generated on error packets sent from the target host, and because of the nature of error responses, this setting should see very few false positives. However, this setting will never trigger a Filtered Scan alert because of a lack of error responses. This setting is based on a static time window of 60 seconds, after which this window is reset. \item \texttt{medium} - ``Medium'' alerts track connection counts, and so will generate filtered scan alerts. This setting may generate false positives on active hosts (NATs, proxies, DNS caches, etc), so the user may need to use the ignore directives to tune it properly. \item \texttt{high} - ``High'' alerts continuously track hosts on a network using a time window to evaluate portscan statistics for that host.
A "High" setting will catch some slow scans because of the continuous monitoring, but is very sensitive to active hosts. This most definitely will require the user to tune sfPortscan. \end{itemize} \item \textbf{watch\_ip $<$ip1$|$ip2/cidr[ [port$|$port2-port3]]$>$ } Defines which IPs, networks, and specific ports on those hosts to watch. The list is a comma-separated list of IP addresses or networks in CIDR notation. Optionally, ports are specified after the IP address/CIDR using a space and can be either a single port or a range denoted by a dash. IPs or networks not in this list are ignored if this option is used. \item \textbf{ignore\_scanners $<$ip1$|$ip2/cidr[ [port$|$port2-port3]]$>$ } Ignores the source of scan alerts. The parameter is the same format as that of \texttt{watch\_ip}. Keep this list narrow: a host on it will never generate scan alerts, even if it is later compromised and used to scan the network. \item \textbf{ignore\_scanned $<$ip1$|$ip2/cidr[ [port$|$port2-port3]]$>$ } Ignores the destination of scan alerts. The parameter is the same format as that of \texttt{watch\_ip}. \item \textbf{logfile $<$file$>$ } This option will output portscan events to the file specified. If \texttt{file} does not contain a leading slash, this file will be placed in the Snort config dir. \item \textbf{include\_midstream} This option will include sessions picked up in midstream by Stream. This can lead to false alerts, especially under heavy load with dropped packets, which is why the option is off by default. \item \textbf{detect\_ack\_scans} This option will include sessions picked up in midstream by the stream module, which is necessary to detect ACK scans. However, this can lead to false alerts, especially under heavy load with dropped packets, which is why the option is off by default. \item \textbf{disabled} This optional keyword is allowed with any policy to avoid packet processing. This option disables the preprocessor. When the preprocessor is disabled only the memcap option is applied when specified with the configuration. The other options are parsed but not used.
Any valid configuration may have "disabled" added to it. \end{slist} \subsubsection{Format} \begin{verbatim} preprocessor sfportscan: proto \ scan_type \ sense_level \ watch_ip \ ignore_scanners \ ignore_scanned \ logfile \ disabled \end{verbatim} \subsubsection{Example} \begin{verbatim} preprocessor flow: stats_interval 0 hash 2 preprocessor sfportscan:\ proto { all } \ scan_type { all } \ sense_level { low } \end{verbatim} \subsubsection{sfPortscan Alert Output} \paragraph{Unified Output} In order to get all the portscan information logged with the alert, snort generates a pseudo-packet and uses the payload portion to store the additional portscan information of priority count, connection count, IP count, port count, IP range, and port range. The characteristics of the packet are: \begin{verbatim} Src/Dst MAC Addr == MACDAD IP Protocol == 255 IP TTL == 0 \end{verbatim} Other than that, the packet looks like the IP portion of the packet that caused the portscan alert to be generated. This includes any IP options, etc. The payload and payload size of the packet are equal to the length of the additional portscan information that is logged. The size tends to be around 100 - 200 bytes. Open port alerts differ from the other portscan alerts, because open port alerts utilize the tagged packet output system. This means that if an output system that doesn't print tagged packets is used, then the user won't see open port alerts. The open port information is stored in the IP payload and contains the port that is open. The sfPortscan alert output was designed to work with unified2 packet logging, so it is possible to extend favorite Snort GUIs to display portscan alerts and the additional information in the IP payload using the above packet characteristics. 
\paragraph{Log File Output} Log file output is displayed in the following format, and explained further below: \begin{verbatim} Time: 09/08-15:07:31.603880 event_id: 2 192.168.169.3 -> 192.168.169.5 (portscan) TCP Filtered Portscan Priority Count: 0 Connection Count: 200 IP Count: 2 Scanner IP Range: 192.168.169.3:192.168.169.4 Port/Proto Count: 200 Port/Proto Range: 20:47557 \end{verbatim} If there are open ports on the target, one or more additional tagged packet(s) will be appended: \begin{verbatim} Time: 09/08-15:07:31.603881 event_ref: 2 192.168.169.3 -> 192.168.169.5 (portscan) Open Port Open Port: 38458 \end{verbatim} \begin{slist} \item \textbf{Event\_id/Event\_ref} These fields are used to link an alert with the corresponding \texttt{Open Port} tagged packet \item \textbf{Priority Count} \texttt{Priority Count} keeps track of bad responses (resets, unreachables). The higher the priority count, the more bad responses have been received. \item \textbf{Connection Count} \texttt{Connection Count} lists how many connections are active on the hosts (src or dst). This is accurate for connection-based protocols, and is more of an estimate for others. Whether or not a portscan was filtered is determined here. High connection count and low priority count would indicate filtered (no response received from target). \item \textbf{IP Count} IP Count keeps track of the last IP to contact a host, and increments the count if the next IP is different. For one-to-one scans, this is a low number. For active hosts this number will be high regardless, and one-to-one scans may appear as a distributed scan. \item \textbf{Scanned/Scanner IP Range} This field changes depending on the type of alert. Portsweep (one-to-many) scans display the scanned IP range; Portscans (one-to-one) display the scanner IP. \item \textbf{Port Count} Port Count keeps track of the last port contacted and increments this number when that changes. 
We use this count (along with IP Count) to determine the difference between one-to-one portscans and one-to-one decoys. \end{slist} \subsubsection{Tuning sfPortscan} \label{tuning sfportscan} The most important aspect in detecting portscans is tuning the detection engine for your network(s). Here are some tuning tips: \begin{slist} \item \textbf{Use the watch\_ip, ignore\_scanners, and ignore\_scanned options.} It's important to correctly set these options. The \texttt{watch\_ip} option is easy to understand. The analyst should set this option to the list of CIDR blocks and IPs that they want to watch. If no \texttt{watch\_ip} is defined, sfPortscan will watch all network traffic. The \texttt{ignore\_scanners} and \texttt{ignore\_scanned} options come into play in weeding out legitimate hosts that are very active on your network. Some of the most common examples are NAT IPs, DNS cache servers, syslog servers, and nfs servers. sfPortscan may not generate false positives for these types of hosts, but be aware when first tuning sfPortscan for these IPs. The type of alert that the host generates tells the analyst which list to add it to. If the host is generating portsweep events, then add it to the \texttt{ignore\_scanners} option. If the host is generating portscan alerts (and is the host that is being scanned), add it to the \texttt{ignore\_scanned} option. \item \textbf{Filtered scan alerts are much more prone to false positives.} When determining false positives, the alert type is very important. Most of the false positives that sfPortscan may generate are of the filtered scan alert type, so treat filtered portscan alerts with more suspicion. Many times this just indicates that a host was very active during the time period in question. If the host continually generates these types of alerts, add it to the \texttt{ignore\_scanners} list or use a lower sensitivity level.
\item \textbf{Make use of the Priority Count, Connection Count, IP Count, Port Count, IP Range, and Port Range to determine false positives.} The portscan alert details are vital in determining the scope of a portscan and also the confidence of the portscan. In the future, we hope to automate much of this analysis in assigning a scope level and confidence level, but for now the user must manually do this. The easiest way to determine false positives is through simple ratio estimations. The following is a list of ratios to estimate and the associated values that indicate a legitimate scan and not a false positive. \textbf{Connection Count / IP Count:} This ratio indicates an estimated average of connections per IP. For portscans, this ratio should be high, the higher the better. For portsweeps, this ratio should be low. \textbf{Port Count / IP Count:} This ratio indicates an estimated average of ports connected to per IP. For portscans, this ratio should be high and indicates that the scanned host's ports were connected to by fewer IPs. For portsweeps, this ratio should be low, indicating that the scanning host connected to few ports but on many hosts. \textbf{Connection Count / Port Count:} This ratio indicates an estimated average of connections per port. For portscans, this ratio should be low. This indicates that each connection was to a different port. For portsweeps, this ratio should be high. This indicates that there were many connections to the same port. \texttt{Priority Count} is not included in these ratios because the priority count is already part of the connection count, and the above comparisons take that into consideration. The Priority Count still plays an important role in tuning because the higher the priority count, the more likely it is a real portscan or portsweep (unless the host is firewalled).
\item \textbf{If all else fails, lower the sensitivity level.} If none of these other tuning techniques work or the analyst doesn't have the time for tuning, lower the sensitivity level. The higher the sensitivity level, the broader the detection, but it's also important that the portscan detection engine generate alerts that the analyst will find informative. The low sensitivity level only generates alerts based on error responses. These responses indicate a portscan and the alerts generated by the low sensitivity level are highly accurate and require the least tuning. The low sensitivity level does not catch filtered scans, since these are more prone to false positives. \end{slist} \subsection{RPC Decode} \label{sub:rpc-decoder} The rpc\_decode preprocessor normalizes multiple fragmented RPC records into a single un-fragmented record. It does this by normalizing the packet into the packet buffer. If stream5 is enabled, it will only process client-side traffic. By default, it runs against traffic on ports 111 and 32771. \subsubsection{Format} \begin{verbatim} preprocessor rpc_decode: \ [ alert_fragments ] \ [no_alert_multiple_requests] \ [no_alert_large_fragments] \ [no_alert_incomplete] \end{verbatim} \begin{table}[h] \begin{center} \begin{tabular}{| l | l |} \hline \textbf{Option}& \textbf{Description}\\ \hline \hline \texttt{alert\_fragments}& Alert on any fragmented RPC record.\\ \hline \texttt{no\_alert\_multiple\_requests}& Don't alert when there are multiple records in one packet.\\ \hline \texttt{no\_alert\_large\_fragments}& Don't alert when the sum of fragmented records exceeds one packet.\\ \hline \texttt{no\_alert\_incomplete}& Don't alert when a single fragment record exceeds the size of one packet.\\ \hline \end{tabular} \end{center} \end{table} \subsection{Performance Monitor} \label{sub:perfmonitor} This preprocessor measures Snort's real-time and theoretical maximum performance.
Whenever this preprocessor is turned on, it should have an output mode enabled, either ``console'' which prints statistics to the console window or ``file'' with a file name, where statistics get printed to the specified file name. By default, Snort's real-time statistics are processed. This includes: \begin{itemize} \item Time Stamp \item Drop Rate \item Mbits/Sec (wire) [duplicated below for easy comparison with other rates] \item Alerts/Sec \item K-Pkts/Sec (wire) [duplicated below for easy comparison with other rates] \item Avg Bytes/Pkt (wire) [duplicated below for easy comparison with other rates] \item Pat-Matched [percent of data received that Snort processes in pattern matching] \item Syns/Sec \item SynAcks/Sec \item New Sessions Cached/Sec \item Sessions Del fr Cache/Sec \item Current Cached Sessions \item Max Cached Sessions \item Stream Flushes/Sec \item Stream Session Cache Faults \item Stream Session Cache Timeouts \item New Frag Trackers/Sec \item Frag-Completes/Sec \item Frag-Inserts/Sec \item Frag-Deletes/Sec \item Frag-Auto Deletes/Sec [memory DoS protection] \item Frag-Flushes/Sec \item Frag-Current [number of current Frag Trackers] \item Frag-Max [max number of Frag Trackers at any time] \item Frag-Timeouts \item Frag-Faults \item Number of CPUs [*** Only if compiled with LINUX\_SMP ***, the next three appear for each CPU] \item CPU usage (user) \item CPU usage (sys) \item CPU usage (Idle) \item Mbits/Sec (wire) [average mbits of total traffic] \item Mbits/Sec (ipfrag) [average mbits of IP fragmented traffic] \item Mbits/Sec (ipreass) [average mbits Snort injects after IP reassembly] \item Mbits/Sec (tcprebuilt) [average mbits Snort injects after TCP reassembly] \item Mbits/Sec (applayer) [average mbits seen by rules and protocol decoders] \item Avg Bytes/Pkt (wire) \item Avg Bytes/Pkt (ipfrag) \item Avg Bytes/Pkt (ipreass) \item Avg Bytes/Pkt (tcprebuilt) \item Avg Bytes/Pkt (applayer) \item K-Pkts/Sec (wire) \item K-Pkts/Sec (ipfrag) \item 
K-Pkts/Sec (ipreass) \item K-Pkts/Sec (tcprebuilt) \item K-Pkts/Sec (applayer) \item Total Packets Received \item Total Packets Dropped (not processed) \item Total Packets Blocked (inline) \item Percentage of Packets Dropped \item Total Filtered TCP Packets \item Total Filtered UDP Packets \item Midstream TCP Sessions/Sec \item Closed TCP Sessions/Sec \item Pruned TCP Sessions/Sec \item TimedOut TCP Sessions/Sec \item Dropped Async TCP Sessions/Sec \item TCP Sessions Initializing \item TCP Sessions Established \item TCP Sessions Closing \item Max TCP Sessions (interval) \item New Cached UDP Sessions/Sec \item Cached UDP Ssns Del/Sec \item Current Cached UDP Sessions \item Max Cached UDP Sessions \item Current Attribute Table Hosts (Target Based) \item Attribute Table Reloads (Target Based) \item Mbits/Sec (Snort) \item Mbits/Sec (sniffing) \item Mbits/Sec (combined) \item uSeconds/Pkt (Snort) \item uSeconds/Pkt (sniffing) \item uSeconds/Pkt (combined) \item KPkts/Sec (Snort) \item KPkts/Sec (sniffing) \item KPkts/Sec (combined) \end{itemize} There are over 100 individual statistics included. A header line is output at startup and rollover that labels each column. The following options can be used with the performance monitor: \begin{itemize} \item \texttt{flow} - Prints out statistics about the type and amount of traffic and protocol distributions that Snort is seeing. This option can produce large amounts of output. \item \texttt{flow-file} - Prints \texttt{flow} statistics in a comma-delimited format to the file that is specified. 
\begin{itemize} \item Timestamp \item Total \% TCP bytes \item Total \% UDP bytes \item Total \% ICMP bytes \item Total \% OTHER bytes \item Number of Packet length entries \item Packet length entries - bytes,\%total \item Number of TCP port flow entries \item TCP port flow entries : port,\%total,\%src,\%dst \item \% TCP high port to high port \item Number of UDP port flow entries \item UDP port flow entries : port,\%total,\%src,\%dst \item \% UDP high port to high port \item Number of ICMP type entries \item ICMP type entries : type,\%total \end{itemize} Specifying this option implicitly enables \texttt{flow} statistics. \item \texttt{events} - Turns on event reporting. This prints out statistics as to the number of rules that were evaluated and didn't match (\textit{non-qualified events}) vs. the number of rules that were evaluated and matched (\textit{qualified events}). A high \textit{non-qualified event} to \textit{qualified event} ratio can indicate there are many rules with either minimal content or no content that are being evaluated without success. The fast pattern matcher is used to select a set of rules for evaluation based on the longest \texttt{content} or a \texttt{content} modified with the \texttt{fast\_pattern} rule option in a rule. Rules with short, generic contents are more likely to be selected for evaluation than those with longer, more unique contents. Rules without \texttt{content} are not filtered via the fast pattern matcher and are always evaluated, so if possible, adding a \texttt{content} rule option to those rules can decrease the number of times they need to be evaluated and improve performance. \item \texttt{max} - Turns on the theoretical maximum performance that Snort calculates given the processor speed and current performance. This is only valid for uniprocessor machines, since many operating systems don't keep accurate kernel statistics for multiple CPUs. \item \texttt{console} - Prints statistics at the console. 
\item \texttt{file} - Prints statistics in a comma-delimited format to the file that is specified. Not all statistics are output to this file. You may also use \texttt{snortfile} which will output into your defined Snort log directory. Both of these directives can be overridden on the command line with the \texttt{-Z} or \texttt{--perfmon-file} options. At startup, Snort will log a distinctive line to this file with a timestamp, allowing readers to easily identify gaps in the stats caused by Snort not running. \item \texttt{pktcnt} - Adjusts the number of packets to process before checking for the time sample. This boosts performance, since checking the time sample reduces Snort's performance. By default, this is 10000. \item \texttt{time} - Represents the number of seconds between intervals. \item \texttt{accumulate} or \texttt{reset} - Defines which type of drop statistics are kept by the operating system. By default, \texttt{reset} is used. \item \texttt{atexitonly} - Dump stats for entire life of Snort. One or more of the following arguments can be given to specify specific statistic types to dump at exit: \begin{itemize} \item \texttt{base-stats} \item \texttt{flow-stats} \item \texttt{flow-ip-stats} \item \texttt{events-stats} \end{itemize} Without any arguments, all enabled stats will be dumped only when Snort exits. \item \texttt{max\_file\_size} - Defines the maximum size of the comma-delimited file. Before the file exceeds this size, it will be rolled into a new date stamped file of the format YYYY-MM-DD, followed by YYYY-MM-DD.x, where x will be incremented each time the comma delimited file is rolled over. The minimum is 4096 bytes and the maximum is 2147483648 bytes (2GB). The default is the same as the maximum. \item \texttt{flow-ip} - Collects IP traffic distribution statistics based on host pairs.
For each pair of hosts for which IP traffic has been seen, the following statistics are collected for both directions (A to B and B to A): \begin{itemize} \item TCP Packets \item TCP Traffic in Bytes \item TCP Sessions Established \item TCP Sessions Closed \item UDP Packets \item UDP Traffic in Bytes \item UDP Sessions Created \item Other IP Packets \item Other IP Traffic in Bytes \end{itemize} These statistics are printed and reset at the end of each interval. \item \texttt{flow-ip-file} - Prints the flow IP statistics in a comma-delimited format to the file that is specified. All of the statistics mentioned above, as well as the IP addresses of the host pairs in human-readable format, are included. Each line in the file will have its values correspond (in order) to those below: \begin{itemize} \item IP Address A (String) \item IP Address B (String) \item TCP Packets from A to B \item TCP Traffic in Bytes from A to B \item TCP Packets from B to A \item TCP Traffic in Bytes from B to A \item UDP Packets from A to B \item UDP Traffic in Bytes from A to B \item UDP Packets from B to A \item UDP Traffic in Bytes from B to A \item Other IP Packets from A to B \item Other IP Traffic in Bytes from A to B \item Other IP Packets from B to A \item Other IP Traffic in Bytes from B to A \item TCP Sessions Established \item TCP Sessions Closed \item UDP Sessions Created \end{itemize} \item \texttt{flow-ip-memcap} - Sets the memory cap on the hash table used to store IP traffic statistics for host pairs. Once the cap has been reached, the table will start to prune the statistics for the least recently seen host pairs to free memory. This value is in bytes and the default value is 52428800 (50MB). 
\end{itemize} \subsubsection{Examples} \begin{verbatim} preprocessor perfmonitor: \ time 30 events flow file stats.profile max console pktcnt 10000 preprocessor perfmonitor: \ time 300 file /var/tmp/snortstat pktcnt 10000 preprocessor perfmonitor: \ time 30 flow-ip flow-ip-file flow-ip-stats.csv pktcnt 1000 preprocessor perfmonitor: \ time 30 pktcnt 1000 snortfile base.csv flow-file flows.csv atexitonly flow-stats preprocessor perfmonitor: \ time 30 pktcnt 1000 flow events atexitonly base-stats flow-stats console \end{verbatim} \subsection{HTTP Inspect} \label{sub:http-inspect} HTTP Inspect is a generic HTTP decoder for user applications. Given a data buffer, HTTP Inspect will decode the buffer, find HTTP fields, and normalize the fields. HTTP Inspect works on both client requests and server responses. HTTP Inspect has a very ``rich'' user configuration. Users can configure individual HTTP servers with a variety of options, which should allow the user to emulate any type of web server. Within HTTP Inspect, there are two areas of configuration: global and server. \subsubsection{Global Configuration} The global configuration deals with configuration options that determine the global functioning of HTTP Inspect. The following example gives the generic global configuration format: \subsubsection{Format} \begin{verbatim} preprocessor http_inspect: \ global \ iis_unicode_map \ codemap \ [detect_anomalous_servers] \ [proxy_alert] \ [max_gzip_mem ] \ [compress_depth ] [decompress_depth ] \ [memcap ] \ disabled \end{verbatim} You can only have a single global configuration, you'll get an error if you try otherwise. \paragraph{Configuration} \begin{slist} \item \texttt{iis\_unicode\_map $<$map\_filename$>$ [codemap $<$integer$>$]} This is the global \texttt{iis\_unicode\_map} file. The \texttt{iis\_unicode\_map} is a required configuration parameter. 
The map file can reside in the same directory as \texttt{snort.conf} or be specified via a fully-qualified path to the map file. The \texttt{iis\_unicode\_map} file is a Unicode codepoint map which tells HTTP Inspect which codepage to use when decoding Unicode characters. For US servers, the codemap is usually 1252. A Microsoft US Unicode codepoint map is provided in the Snort source \texttt{etc} directory by default. It is called \texttt{unicode.map} and should be used if no other codepoint map is available. A tool is supplied with Snort to generate custom Unicode maps---\texttt{ms\_unicode\_generator.c}, which is available at \url{http://www.snort.org/dl/contrib/}. \begin{note} Remember that this configuration is for the global IIS Unicode map, individual servers can reference their own IIS Unicode map. \end{note} \item \texttt{detect\_anomalous\_servers} This global configuration option enables generic HTTP server traffic inspection on non-HTTP configured ports, and alerts if HTTP traffic is seen. Don't turn this on if you don't have a default server configuration that encompasses all of the HTTP server ports that your users might access. In the future, we want to limit this to specific networks so it's more useful, but for right now, this inspects all network traffic. This option is turned off by default. \item \texttt{proxy\_alert} This enables global alerting on HTTP server proxy usage. By configuring HTTP Inspect servers and enabling \texttt{allow\_proxy\_use}, you will only receive proxy use alerts for web users that aren't using the configured proxies or are using a rogue proxy server. Please note that if users aren't required to configure web proxy use, then you may get a lot of proxy alerts. So, please only use this feature with traditional proxy environments. Transparent (``blind'') firewall proxies do not count as such an environment. \item \texttt{compress\_depth $<$integer$>$} This option specifies the maximum amount of packet payload to decompress. This value can be set from 1 to 65535.
The default for this option is 1460. \begin{note} Please note, in case of multiple policies, the value specified in the default policy is used and this value overwrites the values specified in the other policies. In case of \texttt{unlimited\_decompress} this should be set to its max value. This value should be specified in the default policy even when the HTTP inspect preprocessor is turned off using the \texttt{disabled} keyword. \end{note} \item \texttt{decompress\_depth $<$integer$>$} This option specifies the maximum amount of decompressed data to obtain from the compressed packet payload. This value can be set from 1 to 65535. The default for this option is 2920. \begin{note} Please note, in case of multiple policies, the value specified in the default policy is used and this value overwrites the values specified in the other policies. In case of \texttt{unlimited\_decompress} this should be set to its max value. This value should be specified in the default policy even when the HTTP inspect preprocessor is turned off using the \texttt{disabled} keyword. \end{note} \item \texttt{max\_gzip\_mem $<$integer$>$} This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor will use for decompression. The minimum allowed value for this option is 3276 bytes. This option determines the number of concurrent sessions that can be decompressed at any given instant. The default value for this option is 838860. This value is also used for the optional SWF/PDF file decompression. If these modes are enabled this same value sets the maximum amount of memory used for file decompression session state information. \begin{note} This value should be specified in the default policy even when the HTTP inspect preprocessor is turned off using the \texttt{disabled} keyword.
\end{note} \item \texttt{memcap $<$integer$>$} This option determines (in bytes) the maximum amount of memory the HTTP Inspect preprocessor will use for logging the URI and Hostname data. This value can be set from 2304 to 603979776 (576 MB). This option along with the maximum uri and hostname logging size (which is defined in snort) will determine the maximum HTTP sessions that will log the URI and hostname data at any given instant. The maximum size for logging URI data is 2048 and for hostname is 256. The default value for this option is 150994944 (144 MB). \begin {note} This value should be specified in the default policy even when the HTTP inspect preprocessor is turned off using the \texttt{disabled} keyword. In case of multiple policies, the value specified in the default policy will overwrite the value specified in other policies. max http sessions logged = memcap /( max uri logging size + max hostname logging size ) max uri logging size defined in snort : 2048 max hostname logging size defined in snort : 256 \end{note} \item \texttt{disabled} This optional keyword is allowed with any policy to avoid packet processing. This option disables the preprocessor. When the preprocessor is disabled only the "memcap", "max\_gzip\_mem", "compress\_depth" and "decompress\_depth" options are applied when specified with the configuration. Other options are parsed but not used. Any valid configuration may have "disabled" added to it. \end{slist} \subsubsection{Example Global Configuration} \begin{verbatim} preprocessor http_inspect: \ global iis_unicode_map unicode.map 1252 \end{verbatim} \subsubsection{Server Configuration} There are two types of server configurations: default and by IP address. \paragraph{Default} This configuration supplies the default server configuration for any server that is not individually configured. Most of your web servers will most likely end up using the default configuration. 
\subsubsection{Example Default Configuration} \begin{verbatim} preprocessor http_inspect_server: \ server default profile all ports { 80 } \end{verbatim} \paragraph{Configuration by IP Address} This format is very similar to ``default'', the only difference being that specific IPs can be configured. \subsubsection{Example IP Configuration} \begin{verbatim} preprocessor http_inspect_server: \ server 10.1.1.1 profile all ports { 80 } \end{verbatim} \paragraph{Configuration by Multiple IP Addresses} This format is very similar to ``Configuration by IP Address'', the only difference being that multiple IPs can be specified via a space separated list. There is a limit of 40 IP addresses or CIDR notations per \texttt{http\_inspect\_server} line. \subsubsection{Example Multiple IP Configuration} \begin{verbatim} preprocessor http_inspect_server: \ server { 10.1.1.1 10.2.2.0/24 } profile all ports { 80 } \end{verbatim} \subsubsection{Server Configuration Options} Important: Some configuration options have an argument of `yes' or `no'. This argument specifies whether the user wants the configuration option to generate an HTTP Inspect alert or not. The `yes/no' argument does not specify whether the configuration option itself is on or off, only the alerting functionality. In other words, whether set to `yes' or `no', HTTP normalization will still occur, and rules based on HTTP traffic will still trigger. \begin{slist} \item \texttt{profile $<$all$|$apache$|$iis$|$iis5\_0$|$iis4\_0$>$} Users can configure HTTP Inspect by using pre-defined HTTP server profiles. Profiles allow the user to easily configure the preprocessor for a certain type of server, but are not required for proper operation. There are five profiles available: all, apache, iis, iis5\_0, and iis4\_0. \begin{subslist} \item \texttt{all} The \texttt{all} profile is meant to normalize the URI using most of the common tricks available. We alert on the more serious forms of evasion.
This is a great profile for detecting all types of attacks, regardless of the HTTP server. \texttt{profile all} sets the configuration options described in Table \ref{profile_all_options}. \begin{table}[h] \begin{center} \caption{Options for the ``all'' Profile} \label{profile_all_options} \begin{tabular}{| l | p{3in} |} \hline \textbf{Option} & \textbf{Setting} \\ \hline \hline server\_flow\_depth & 300 \\ \hline client\_flow\_depth & 300 \\ \hline post\_depth & 0 \\ \hline chunk encoding & alert on chunks larger than 500000 bytes \\ \hline iis\_unicode\_map & codepoint map in the global configuration \\ \hline ASCII decoding & on, alert off \\ \hline multiple slash & on, alert off \\ \hline directory normalization & on, alert off \\ \hline apache whitespace & on, alert off \\ \hline double decoding & on, alert on \\ \hline \%u decoding & on, alert on \\ \hline bare byte decoding & on, alert on \\ \hline iis unicode codepoints & on, alert on \\ \hline iis backslash & on, alert off \\ \hline iis delimiter & on, alert off \\ \hline webroot & on, alert on\\ \hline non\_strict URL parsing & on\\ \hline tab\_uri\_delimiter & is set\\ \hline max\_header\_length & 0, header length not checked\\ \hline max\_spaces & 200 \\ \hline max\_headers & 0, number of headers not checked\\ \hline \end{tabular} \end{center} \end{table} \item \texttt{apache} The \texttt{apache} profile is used for Apache web servers. This differs from the \texttt{iis} profile by only accepting UTF-8 standard Unicode encoding and not accepting backslashes as legitimate slashes, like IIS does. Apache also accepts tabs as whitespace. \texttt{profile apache} sets the configuration options described in Table \ref{profile_apache_options}. 
\begin{table}[h] \begin{center} \caption{Options for the \texttt{apache} Profile} \label{profile_apache_options} \begin{tabular}{| l | p{3in} |} \hline \textbf{Option} & \textbf{Setting}\\ \hline \hline server\_flow\_depth & 300 \\ \hline client\_flow\_depth & 300 \\ \hline post\_depth & 0 \\ \hline chunk encoding & alert on chunks larger than 500000 bytes \\ \hline ASCII decoding & on, alert off \\ \hline multiple slash & on, alert off \\ \hline directory normalization & on, alert off \\ \hline webroot & on, alert on\\ \hline apache whitespace & on, alert on \\ \hline utf\_8 encoding & on, alert off \\ \hline non\_strict url parsing & on \\ \hline tab\_uri\_delimiter & is set\\ \hline max\_header\_length & 0, header length not checked\\ \hline max\_spaces & 200 \\ \hline max\_headers & 0, number of headers not checked\\ \hline \hline \end{tabular} \end{center} \end{table} \item \texttt{iis} The \texttt{iis} profile mimics IIS servers. So that means we use IIS Unicode codemaps for each server, \%u encoding, bare-byte encoding, double decoding, backslashes, etc. \texttt{profile iis} sets the configuration options described in Table \ref{profile_iis_options}. 
\begin{table}[h] \begin{center} \caption{Options for the \texttt{iis} Profile} \label{profile_iis_options} \begin{tabular}{| l | p{3in} |} \hline \textbf{Option} & \textbf{Setting}\\ \hline \hline server\_flow\_depth & 300 \\ \hline client\_flow\_depth & 300 \\ \hline post\_depth & -1 \\ \hline chunk encoding & alert on chunks larger than 500000 bytes\\ \hline iis\_unicode\_map & codepoint map in the global configuration \\ \hline ASCII decoding & on, alert off \\ \hline multiple slash & on, alert off \\ \hline directory normalization & on, alert off \\ \hline webroot & on, alert on\\ \hline double decoding & on, alert on \\ \hline \%u decoding & on, alert on \\ \hline bare byte decoding & on, alert on \\ \hline iis unicode codepoints & on, alert on \\ \hline iis backslash & on, alert off \\ \hline iis delimiter & on, alert on \\ \hline apache whitespace & on, alert on \\ \hline non\_strict URL parsing & on\\ \hline max\_header\_length & 0, header length not checked\\ \hline max\_spaces & 200 \\ \hline max\_headers & 0, number of headers not checked\\ \hline \end{tabular} \end{center} \end{table} \item \texttt{iis4\_0, iis5\_0} In IIS 4.0 and IIS 5.0, there was a double decoding vulnerability. These two profiles are identical to \texttt{iis}, except they will alert by default if a URL has a double encoding. Double decode is not supported in IIS 5.1 and beyond, so it's disabled by default. \item \texttt{default, no profile} The default options used by HTTP Inspect do not use a profile and are described in Table \ref{default_HTTP_Inspect_options}. 
\begin{table}[h] \begin{center} \caption{Default HTTP Inspect Options} \label{default_HTTP_Inspect_options} \begin{tabular}{| l | p{3in} |} \hline \textbf{Option} & \textbf{Setting}\\ \hline \hline port & 80\\ \hline server\_flow\_depth & 300 \\ \hline client\_flow\_depth & 300 \\ \hline post\_depth & -1 \\ \hline chunk encoding & alert on chunks larger than 500000 bytes\\ \hline ASCII decoding & on, alert off \\ \hline utf\_8 encoding & on, alert off\\ \hline multiple slash & on, alert off \\ \hline directory normalization & on, alert off \\ \hline webroot & on, alert on\\ \hline iis backslash & on, alert off \\ \hline apache whitespace & on, alert off \\ \hline iis delimiter & on, alert off \\ \hline non\_strict URL parsing & on\\ \hline max\_header\_length & 0, header length not checked\\ \hline max\_spaces & 200 \\ \hline max\_headers & 0, number of headers not checked\\ \hline \end{tabular} \end{center} \end{table} Profiles must be specified as the first server option and cannot be combined with any other options except: \begin{itemize} \item \texttt{ports} \item \texttt{iis\_unicode\_map} \item \texttt{allow\_proxy\_use} \item \texttt{server\_flow\_depth} \item \texttt{client\_flow\_depth} \item \texttt{post\_depth} \item \texttt{no\_alerts} \item \texttt{inspect\_uri\_only} \item \texttt{oversize\_dir\_length} \item \texttt{normalize\_headers} \item \texttt{normalize\_cookies} \item \texttt{normalize\_utf} \item \texttt{max\_header\_length} \item \texttt{max\_spaces} \item \texttt{max\_headers} \item \texttt{extended\_response\_inspection} \item \texttt{enable\_cookie} \item \texttt{inspect\_gzip} \item \texttt{unlimited\_decompress} \item \texttt{normalize\_javascript} \item \texttt{max\_javascript\_whitespaces} \item \texttt{enable\_xff} \item \texttt{http\_methods} \item \texttt{log\_uri} \item \texttt{log\_hostname} \item \texttt{small\_chunk\_length} \item \texttt{decompress\_swf} \item \texttt{decompress\_pdf} \end{itemize} These options must be 
specified after the \texttt{profile} option. \end{subslist} \subsubsection{Example} \begin{verbatim} preprocessor http_inspect_server: \ server 1.1.1.1 profile all ports { 80 3128 } \end{verbatim} \item \texttt{ports $\{ <$port$> [<$port$> <...>] \}$} This is how the user configures which ports to decode on the HTTP server. However, HTTPS traffic is encrypted and cannot be decoded with HTTP Inspect. To ignore HTTPS traffic, use the SSL preprocessor. \item \texttt{iis\_unicode\_map $<$map\_filename$>$ codemap $<$integer$>$} The IIS Unicode map is generated by the program ms\_unicode\_generator.c. This program is located on the Snort.org web site in the \url{http://www.snort.org/dl/contrib/} directory. Executing this program generates a Unicode map for the system that it was run on. So, to get the specific Unicode mappings for an IIS web server, you run this program on that server and use that Unicode map in this configuration. When using this option, the user needs to specify the file that contains the IIS Unicode map and also specify the Unicode map to use. For US servers, this is usually 1252. But the ms\_unicode\_generator program tells you which codemap to use for your server; it's the ANSI code page. You can select the correct code page by looking at the available code pages that the ms\_unicode\_generator outputs. \item \texttt{extended\_response\_inspection} This enables the extended HTTP response inspection. The default http response inspection does not inspect the various fields of an HTTP response. By turning this option on, the HTTP response will be thoroughly inspected. The different fields of an HTTP response such as status code, status message, headers, cookie (when enable\_cookie is configured) and body are extracted and saved into buffers. Different rule options are provided to inspect these buffers. This option must be enabled to make use of the decompress\_swf or decompress\_pdf options.
\begin{note} When this option is turned on, if the HTTP response packet has a body then any content pattern matches ( without http modifiers ) will search the response body (decompressed in case of gzip) and not the entire packet payload. To search for patterns in the header of the response, one should use the http modifiers with content such as \texttt{http\_header}, \texttt{http\_stat\_code}, \texttt{http\_stat\_msg} and \texttt{http\_cookie}. \end{note} \item \texttt{enable\_cookie} This option turns on the cookie extraction from HTTP requests and HTTP responses. By default the cookie inspection and extraction will be turned off. The cookie from the \texttt{Cookie} header line is extracted and stored in the HTTP Cookie buffer for HTTP requests and the cookie from the \texttt{Set-Cookie} header is extracted and stored in the HTTP Cookie buffer for HTTP responses. The \texttt{Cookie:} and \texttt{Set-Cookie:} header names themselves along with leading spaces and the CRLF terminating the header line are stored in the HTTP header buffer and are not stored in the HTTP cookie buffer. \begin{verbatim} Ex: Set-Cookie: mycookie \r\n In this case, Set-Cookie: \r\n will be in the HTTP header buffer and the pattern mycookie will be in the HTTP cookie buffer. \end{verbatim} \item \texttt{inspect\_gzip} This option instructs the HTTP Inspect module to uncompress the compressed data (gzip/deflate) in the HTTP response. You should select the config option "extended\_response\_inspection" before configuring this option. Decompression is done across packets. So the decompression will end when either the 'compress\_depth' or 'decompress\_depth' is reached or when the compressed data ends. When the compressed data spans multiple packets, the state of the last decompressed packet is used to decompress the data of the next packet. But the decompressed data are individually inspected. (i.e. the decompressed data from different packets are not combined while inspecting).
Also the amount of decompressed data that will be inspected depends on the 'server\_flow\_depth' configured. Http Inspect generates a preprocessor alert with gid 120 and sid 6 when the decompression fails. When the decompression fails due to a CRC error encountered by zlib, HTTP Inspect will also provide the detection module with the data that was decompressed by zlib. \item \texttt{unlimited\_decompress} This option enables the user to decompress unlimited gzip data (across multiple packets). Decompression will stop when the compressed data ends or when an out-of-sequence packet is received. To ensure unlimited decompression, the user should set the 'compress\_depth' and 'decompress\_depth' to their maximum values in the default policy. The decompression in a single packet is still limited by the 'compress\_depth' and 'decompress\_depth'. \item \texttt{decompress\_swf $\{ mode [mode] \}$ } This option will enable decompression of compressed SWF (Adobe Flash content) files encountered as the HTTP Response body in a GET transaction. The available decompression modes are 'deflate' and 'lzma'. A prerequisite is enabling extended\_response\_inspection (described above). When enabled, the preprocessor will examine the response body for the corresponding file signature: 'CWS' for Deflate/ZLIB compressed and 'ZWS' for LZMA compressed. Each decompression mode can be individually enabled. e.g. ... { lzma } or { deflate } or { lzma deflate }. The compressed content is decompressed 'in-place' with the content made available to the detection/rules 'file\_data' option. If enabled and located, the compressed SWF file signature is converted to 'FWS' to indicate an uncompressed file. The 'decompress\_depth', 'compress\_depth', and 'unlimited\_decompress' are optionally used to place limits on the decompression process. The semantics for SWF files are similar to the gzip decompression process.
During the decompression process, the preprocessor may generate alert 120:12 if Deflate decompression fails or alert 120:13 if LZMA decompression fails. \begin{note} LZMA decompression is only available if Snort is built with the liblzma package present and functional. If the LZMA package is not present, then the { lzma } option will indicate a fatal parsing error. If the liblzma package IS present, but one desires to disable LZMA support, then the --disable-lzma option on configure will disable usage of the library. \end{note} \item \texttt{decompress\_pdf $\{ mode [mode] \}$ } This option will enable decompression of the compressed portions of PDF files encountered as the HTTP Response body in a GET transaction. A prerequisite is enabling extended\_response\_inspection (described above). When enabled, the preprocessor will examine the response body for the '%PDF-' file signature. PDF files are then parsed, locating PDF 'streams' with a single '/FlateDecode' filter. These streams are decompressed in-place, replacing the compressed content. The 'decompress\_depth', 'compress\_depth', and 'unlimited\_decompress' are optionally used to place limits on the decompression process. The semantics for PDF files are similar to the gzip decompression process. During the file parsing/decompression process, the preprocessor may generate several alerts: \begin{center} \begin{tabular}{| l | p{4.5in} |} \hline \textbf{Alert} & \textbf{Description}\\ \hline \hline 120:14 & Deflate decompression failure \\ \hline 120:15 & Located a 'stream' with an unsupported compression ('/Filter') algorithm \\ \hline 120:16 & Located a 'stream' with unsupported cascaded '/FlateDecode' options, e.g.: \begin{verbatim}/Filter [ /FlateDecode /FlateDecode ]\end{verbatim} \\ \hline 120:17 & PDF File parsing error \\ \hline \end{tabular} \end{center} \item \texttt{normalize\_javascript} This option enables the normalization of Javascript within the HTTP response body. 
You should select the config option \texttt{extended\_response\_inspection} before configuring this option. When this option is turned on, Http Inspect searches for Javascript within the HTTP response body by searching for the $<$script$>$ tags and starts normalizing it. When Http Inspect sees the $<$script$>$ tag without a type, it is considered to be javascript. The obfuscated data within the javascript functions such as unescape, String.fromCharCode, decodeURI, decodeURIComponent will be normalized. The different encodings handled within the unescape/ decodeURI/decodeURIComponent are \texttt{\%XX}, \texttt{\%uXXXX}, \texttt{\\XX} and \texttt{\\uXXXXi}. Apart from these encodings, Http Inspect will also detect consecutive whitespaces and normalize them to a single space. Http Inspect will also normalize the plus and concatenate the strings. The rule option \texttt{file\_data} can be used to access this normalized buffer from the rule. A preprocessor alert with SID 9 and GID 120 is generated when the obfuscation level within Http Inspect is equal to or greater than 2. \begin{verbatim} Example: HTTP/1.1 200 OK\r\n Date: Wed, 29 Jul 2009 13:35:26 GMT\r\n Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch10 mod_ssl/2.2.3 OpenSSL/0.9.8c\r\n Last-Modified: Sun, 20 Jan 2008 12:01:21 GMT\r\n Accept-Ranges: bytes\r\n Content-Length: 214\r\n Keep-Alive: timeout=15, max=99\r\n Connection: Keep-Alive\r\n Content-Type: application/octet-stream\r\n\r\n FIXME \end{verbatim} The above javascript will generate the preprocessor alert with SID 9 and GID 120 when \texttt{normalize\_javascript} is turned on. Http Inspect will also generate a preprocessor alert with GID 120 and SID 11 when there is more than one type of encoding within the escaped/encoded data.
\begin{verbatim} For example: unescape("%48\x65%6C%6C%6F%2C%20%73%6E%6F%72%74%20%74%65%61%6D%21"); String.fromCharCode(0x48, 0x65, 0x6c, 0x6c, 111, 44, 32, 115, 110, 111, 114, 116, 32, 116, 101, 97, 109, 33) \end{verbatim} The above obfuscation will generate the preprocessor alert with GID 120 and SID 11. This option is turned off by default in HTTP Inspect. \item \texttt{max\_javascript\_whitespaces $<$positive integer up to 65535$>$} This option takes an integer as an argument. The integer determines the maximum number of consecutive whitespaces allowed within the Javascript obfuscated data in an HTTP response body. The config option \texttt{normalize\_javascript} should be turned on before configuring this config option. When the whitespaces in the javascript obfuscated data are equal to or more than this value a preprocessor alert with GID 120 and SID 10 is generated. The default value for this option is 200. To enable, specify an integer argument to \texttt{max\_javascript\_whitespaces} of 1 to 65535. Specifying a value of 0 is treated as disabling the alert. \item \texttt{enable\_xff} This option enables Snort to parse and log the original client IP present in the X-Forwarded-For or True-Client-IP HTTP request headers along with the generated events. The XFF/True-Client-IP Original client IP address is logged only with unified2 output and is not logged with console (-A cmg) output. \item \texttt{xff\_headers} If/When the \texttt{enable\_xff} option is present, the \texttt{xff\_headers} option specifies a set of custom 'xff' headers. This option allows the definition of up to six custom headers in addition to the two default (and always present) X-Forwarded-For and True-Client-IP headers. The option permits both the custom and default headers to be prioritized. The headers/priority pairs are specified as a list. Lower numerical values imply a higher priority. The headers do not need to be specified in priority order. Nor do the priorities need to be contiguous.
Priority values can range from 1 to 255. The priority values and header names must be unique. The header names must not collide with known http headers such as 'host', 'cookie', 'content-length', etc. An example of the \texttt{xff\_headers} syntax is: \begin{verbatim} xff_headers { [ x-forwarded-highest-priority 1 ] [ x-forwarded-second-highest-priority 2 ] \ [ x-forwarded-lowest-priority-custom 3 ] } \end{verbatim} The default X-Forwarded-For and True-Client-IP headers are always present. They may be explicitly specified in the \texttt{xff\_headers} config in order to determine their priority. If not specified, they will be automatically added to the xff list as the lowest priority headers. For example, let us say that we have the following (abbreviated) HTTP request header: \begin{verbatim} ... Host: www.snort.org X-Forwarded-For: 192.168.1.1 X-Was-Originally-Forwarded-From: 10.1.1.1 ... \end{verbatim} With the default xff behavior (no \texttt{xff\_headers}), the 'X-Forwarded-For' header would be used to provide a 192.168.1.1 Original Client IP address in the unified2 log. Custom headers are not parsed. With: \begin{verbatim} xff_headers { [ x-was-originally-forwarded-from 1 ] [ x-another-forwarding-header 2 ] \ [ x-forwarded-for 3 ] } \end{verbatim} The X-Was-Originally-Forwarded-From header is the highest priority present and its value of 10.1.1.1 will be logged as the Original Client IP in the unified2 log. But with: \begin{verbatim} xff_headers { [ x-was-originally-forwarded-from 3 ] [ x-another-forwarding-header 2 ] \ [ x-forwarded-for 1 ] } \end{verbatim} Now the X-Forwarded-For header is the highest priority and its value of 192.168.1.1 is logged. \begin{note} The original client IP from XFF/True-Client-IP in unified2 logs can be viewed using the tool u2spewfoo. This tool is present in the tools/u2spewfoo directory of the snort source tree.
\end{note} \item \texttt{server\_flow\_depth $<$integer$>$} This specifies the amount of server response payload to inspect. When \texttt{extended\_response\_inspection} is turned on, it is applied to the HTTP response body (decompressed data when \texttt{inspect\_gzip} is turned on) and not the HTTP headers. When \texttt{extended\_response\_inspection} is turned off the \texttt{server\_flow\_depth} is applied to the entire HTTP response (including headers). Unlike \texttt{client\_flow\_depth} this option is applied per TCP session. This option can be used to balance the needs of IDS performance and level of inspection of HTTP server response data. Snort rules are targeted at HTTP server response traffic and when used with a small flow\_depth value may cause false negatives. Most of these rules target either the HTTP header, or the content that is likely to be in the first hundred or so bytes of non-header data. Headers are usually under 300 bytes long, but your mileage may vary. It is suggested to set the \texttt{server\_flow\_depth} to its maximum value. This value can be set from -1 to 65535. A value of -1 causes Snort to ignore all server side traffic for ports defined in \texttt{ports} when \texttt{extended\_response\_inspection} is turned off. When \texttt{extended\_response\_inspection} is turned on, a value of -1 causes Snort to ignore the HTTP response body data and not the HTTP headers. Inversely, a value of 0 causes Snort to inspect all HTTP server payloads defined in "ports" (note that this will likely slow down IDS performance). Values above 0 tell Snort the number of bytes to inspect of the server response (excluding the HTTP headers when \texttt{extended\_response\_inspection} is turned on) in a given HTTP session. Only packet payloads starting with 'HTTP' will be considered as the first packet of a server response.
If less than flow\_depth bytes are in the payload of the HTTP response packets in a given session, the entire payload will be inspected. If more than flow\_depth bytes are in the payload of the HTTP response packet in a session only flow\_depth bytes of the payload will be inspected for that session. Rules that are meant to inspect data in the payload of the HTTP response packets in a session beyond 65535 bytes will be ineffective unless flow\_depth is set to 0. The default value for \texttt{server\_flow\_depth} is 300. Note that the 65535 byte maximum flow\_depth applies to stream reassembled packets as well. It is suggested to set the \texttt{server\_flow\_depth} to its maximum value. \begin{note} \texttt{server\_flow\_depth} is the same as the old \texttt{flow\_depth} option, which will be deprecated in a future release. \end{note} \item \texttt{client\_flow\_depth $<$integer$>$} This specifies the amount of raw client request payload to inspect. This value can be set from -1 to 1460. Unlike \texttt{server\_flow\_depth} this value is applied to the first packet of the HTTP request. It is not a session based flow depth. It has a default value of 300. It primarily eliminates Snort from inspecting larger HTTP Cookies that appear at the end of many client request Headers. A value of -1 causes Snort to ignore all client side traffic for ports defined in "ports." Inversely, a value of 0 causes Snort to inspect all HTTP client side traffic defined in "ports" (note that this will likely slow down IDS performance). Values above 0 tell Snort the number of bytes to inspect in the first packet of the client request. If less than flow\_depth bytes are in the TCP payload (HTTP request) of the first packet, the entire payload will be inspected. If more than flow\_depth bytes are in the payload of the first packet only flow\_depth bytes of the payload will be inspected. 
Rules that are meant to inspect data in the payload of the first packet of a client request beyond 1460 bytes will be ineffective unless flow\_depth is set to 0. Note that the 1460 byte maximum flow\_depth applies to stream reassembled packets as well. It is suggested to set the \texttt{client\_flow\_depth} to its maximum value. \item \texttt{post\_depth $<$integer$>$} This specifies the amount of data to inspect in a client post message. The value can be set from -1 to 65495. The default value is -1. A value of -1 causes Snort to ignore all the data in the post message. Inversely, a value of 0 causes Snort to inspect all the client post message. This increases the performance by inspecting only specified bytes in the post message. \item \texttt{ascii $<$yes$|$no$>$} The \texttt{ascii} decode option tells us whether to decode encoded ASCII chars, a.k.a \%2f = /, \%2e = ., etc. It is normal to see ASCII encoding usage in URLs, so it is recommended that you disable HTTP Inspect alerting for this option. \item \texttt{extended\_ascii\_uri} This option enables the support for extended ASCII codes in the HTTP request URI. This option is turned off by default and is not supported with any of the profiles. \item \texttt{utf\_8 $<$yes$|$no$>$} The \texttt{utf-8} decode option tells HTTP Inspect to decode standard UTF-8 Unicode sequences that are in the URI. This abides by the Unicode standard and only uses \% encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. As for alerting, you may be interested in knowing when you have a UTF-8 encoded URI, but this will be prone to false positives as legitimate web clients use this type of encoding. When \texttt{utf\_8} is enabled, ASCII decoding is also enabled to enforce correct functioning. \item \texttt{u\_encode $<$yes$|$no$>$} This option emulates the IIS \%u encoding scheme. 
How the \%u encoding scheme works is as follows: the encoding scheme is started by a \%u followed by 4 characters, like \%uxxxx. The xxxx is a hex-encoded value that correlates to an IIS Unicode codepoint. This value can most definitely be ASCII. An ASCII character is encoded like \%u002f = /, \%u002e = ., etc. If no iis\_unicode\_map is specified before or after this option, the default codemap is used. You should alert on \%u encodings, because we are not aware of any legitimate clients that use this encoding. So it is most likely someone trying to be covert. \item \texttt{bare\_byte $<$yes$|$no$>$} Bare byte encoding is an IIS trick that uses non-ASCII characters as valid values when decoding UTF-8 values. This is not in the HTTP standard, as all non-ASCII values have to be encoded with a \%. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly. The alert on this decoding should be enabled, because there are no legitimate clients that encode UTF-8 this way since it is non-standard. \item \texttt{iis\_unicode $<$yes$|$no$>$} The \texttt{iis\_unicode} option turns on the Unicode codepoint mapping. If there is no iis\_unicode\_map option specified with the server config, \texttt{iis\_unicode} uses the default codemap. The \texttt{iis\_unicode} option handles the mapping of non-ASCII codepoints that the IIS server accepts and decodes normal UTF-8 requests. You should alert on the \texttt{iis\_unicode} option, because it is seen mainly in attacks and evasion attempts. When \texttt{iis\_unicode} is enabled, ASCII and UTF-8 decoding are also enabled to enforce correct decoding. To alert on UTF-8 decoding, you must also enable \texttt{utf\_8 yes}. \item \texttt{double\_decode $<$yes$|$no$>$} The \texttt{double\_decode} option is once again IIS-specific and emulates IIS functionality. How this works is that IIS does two passes through the request URI, doing decodes in each one.
In the first pass, it seems that all types of IIS encoding are done: utf-8 unicode, ASCII, bare byte, and \%u. In the second pass, the following encodings are done: ASCII, bare byte, and \%u. We leave out utf-8 because I think how this works is that the \% encoded utf-8 is decoded to the Unicode byte in the first pass, and then UTF-8 is decoded in the second stage. Anyway, this is really complex and adds tons of different encodings for one character. When \texttt{double\_decode} is enabled, ASCII is also enabled to enforce correct decoding. \item \texttt{non\_rfc\_char $\{ <$byte$> [<$byte ...$>] \}$} This option lets users receive an alert if certain non-RFC chars are used in a request URI. For instance, a user may not want to see null bytes in the request URI and we can alert on that. Please use this option with care, because you could configure it to say, alert on all `/' or something like that. It's flexible, so be careful. \item \texttt{multi\_slash $<$yes$|$no$>$} This option normalizes multiple slashes in a row, so something like: ``foo/////////bar'' gets normalized to ``foo/bar.'' If you want an alert when multiple slashes are seen, then configure with a \texttt{yes}; otherwise, use \texttt{no}. \item \texttt{iis\_backslash $<$yes$|$no$>$} Normalizes backslashes to slashes. This is again an IIS emulation. So a request URI of ``/foo$\backslash$bar'' gets normalized to ``/foo/bar.'' \item \texttt{directory $<$yes$|$no$>$} This option normalizes directory traversals and self-referential directories. The directory: \begin{verbatim} /foo/fake\_dir/../bar \end{verbatim} gets normalized to: \begin{verbatim} /foo/bar \end{verbatim} The directory: \begin{verbatim} /foo/./bar \end{verbatim} gets normalized to: \begin{verbatim} /foo/bar \end{verbatim} If you want to configure an alert, specify \texttt{yes}, otherwise, specify \texttt{no}. This alert may give false positives, since some web sites refer to files using directory traversals.
\item \texttt{apache\_whitespace $<$yes$|$no$>$} This option deals with the non-RFC standard of using tab for a space delimiter. Apache uses this, so if the emulated web server is Apache, enable this option. Alerts on this option may be interesting, but may also be false positive prone. \item \texttt{iis\_delimiter $<$yes$|$no$>$} This started out being IIS-specific, but Apache accepts this non-standard delimiter as well. Since this is common, we always take this as standard since the most popular web servers accept it. But you can still get an alert on this option. \item \texttt{chunk\_length $<$non-zero positive integer$>$} This option is an anomaly detector for abnormally large chunk sizes. This picks up the Apache chunk encoding exploits, and may also alert on HTTP tunneling that uses chunk encoding. \item \texttt{small\_chunk\_length \{ $<$chunk size$>$ $<$consecutive chunks$>$ \} } This option is an evasion detector for consecutive small chunk sizes when either the client or server use \texttt{Transfer-Encoding: chunked}. $<$chunk size$>$ specifies the maximum chunk size for which a chunk will be considered small. $<$consecutive chunks$>$ specifies the number of consecutive small chunks $<$= $<$chunk size$>$ before an event will be generated. This option is turned off by default. Maximum values for each are 255 and a $<$chunk size$>$ of 0 disables. Events generated are gid:119, sid:26 for client small chunks and gid:120, sid:7 for server small chunks. Example: \begin{verbatim} small_chunk_length { 10 5 } \end{verbatim} Meaning alert if we see 5 consecutive chunk sizes of 10 or less. \item \texttt{no\_pipeline\_req} This option turns HTTP pipeline decoding off, and is a performance enhancement if needed. By default, pipeline requests are inspected for attacks, but when this option is enabled, pipeline requests are not decoded and analyzed per HTTP protocol field. They are only inspected with the generic pattern matching.
\item \texttt{non\_strict} This option turns on non-strict URI parsing for the broken way in which Apache servers will decode a URI. Only use this option on servers that will accept URIs like this: "get /index.html alsjdfk alsj lj aj la jsj s$\backslash$n". The non\_strict option assumes the URI is between the first and second space even if there is no valid HTTP identifier after the second space. \item \texttt{allow\_proxy\_use} By specifying this keyword, the user is allowing proxy use on this server. This means that no alert will be generated if the \texttt{proxy\_alert} global keyword has been used. If the proxy\_alert keyword is not enabled, then this option does nothing. The \texttt{allow\_proxy\_use} keyword is just a way to suppress unauthorized proxy use for an authorized server. \item \texttt{no\_alerts} This option turns off all alerts that are generated by the HTTP Inspect preprocessor module. This has no effect on HTTP rules in the rule set. No argument is specified. \item \texttt{oversize\_dir\_length $<$non-zero positive integer$>$} This option takes a non-zero positive integer as an argument. The argument specifies the max char directory length for URL directory. If a url directory is larger than this argument size, an alert is generated. A good argument value is 300 characters. This should limit the alerts to IDS evasion type attacks, like whisker -i 4. \item \texttt{inspect\_uri\_only} This is a performance optimization. When enabled, only the URI portion of HTTP requests will be inspected for attacks. As this field usually contains 90-95\% of the web attacks, you'll catch most of the attacks. So if you need extra performance, enable this optimization. It's important to note that if this option is used without any \texttt{uricontent} rules, then no inspection will take place. This is obvious since the URI is only inspected with \texttt{uricontent} rules, and if there are none available, then there is nothing to inspect. 
For example, if we have the following rule set: \begin{verbatim} alert tcp any any -> any 80 ( msg:"content"; content: "foo"; ) \end{verbatim} and then we inspect the following URI: \begin{verbatim} get /foo.htm http/1.0\r\n\r\n \end{verbatim} No alert will be generated when \texttt{inspect\_uri\_only} is enabled. The \texttt{inspect\_uri\_only} configuration turns off all forms of detection except \texttt{uricontent} inspection. \item \texttt{max\_header\_length $<$positive integer up to 65535$>$} This option takes an integer as an argument. The integer is the maximum length allowed for an HTTP client request header field. Requests that exceed this length will cause a "Long Header" alert. This alert is off by default. To enable, specify an integer argument to max\_header\_length of 1 to 65535. Specifying a value of 0 is treated as disabling the alert. \item \texttt{max\_spaces $<$positive integer up to 65535$>$} This option takes an integer as an argument. The integer determines the maximum number of whitespaces allowed with HTTP client request line folding. Request headers folded with whitespaces equal to or more than this value will cause a "Space Saturation" alert with SID 26 and GID 119. The default value for this option is 200. To enable, specify an integer argument to \texttt{max\_spaces} of 1 to 65535. Specifying a value of 0 is treated as disabling the alert. \item \texttt{webroot $<$yes$|$no$>$} This option generates an alert when a directory traversal traverses past the web server root directory. This generates far fewer false positives than the directory option, because it doesn't alert on directory traversals that stay within the web server directory structure. It only alerts when the directory traversals go past the web server root directory, which is associated with certain web attacks. \item \texttt{tab\_uri\_delimiter} This option turns on the use of the tab character (0x09) as a delimiter for a URI.
Apache accepts tab as a delimiter; IIS does not. For IIS, a tab in the URI should be treated as any other character. Whether this option is on or not, a tab is treated as whitespace if a space character (0x20) precedes it. No argument is specified. \item \texttt{normalize\_headers} This option turns on normalization for HTTP Header Fields, not including Cookies (using the same configuration parameters as the URI normalization, i.e., multi-slash, directory, etc.). It is useful for normalizing Referer URIs that may appear in the HTTP Header. \item \texttt{normalize\_cookies} This option turns on normalization for HTTP Cookie Fields (using the same configuration parameters as the URI normalization, i.e., multi-slash, directory, etc.). It is useful for normalizing data in HTTP Cookies that may be encoded. \item \texttt{normalize\_utf} This option turns on normalization of HTTP response bodies where the Content-Type header lists the character set as "utf-16le", "utf-16be", "utf-32le", or "utf-32be". HTTP Inspect will attempt to normalize these back into 8-bit encoding, generating an alert if the extra bytes are non-zero. \item \texttt{max\_headers $<$positive integer up to 1024$>$} This option takes an integer as an argument. The integer is the maximum number of HTTP client request header fields. Requests that contain more HTTP Headers than this value will cause a "Max Header" alert. The alert is off by default. To enable, specify an integer argument to max\_headers of 1 to 1024. Specifying a value of 0 is treated as disabling the alert. \item \texttt{http\_methods $\{ cmd [cmd] \}$ } This specifies additional HTTP Request Methods outside of those checked by default within the preprocessor (GET and POST). The list should be enclosed within braces and delimited by spaces, tabs, line feed or carriage return. The config option, braces and methods also need to be separated by whitespace. 
\begin{verbatim} http_methods { PUT CONNECT } \end{verbatim} \begin{note} Please note the maximum length for a method name is 256. \end{note} \item \texttt{log\_uri} This option enables the HTTP Inspect preprocessor to parse the URI data from the HTTP request and log it along with all the generated events for that session. Stream reassembly needs to be turned on for the HTTP ports to enable the logging. If there are multiple HTTP requests in the session, the URI data of the most recent HTTP request at the time of the alert will be logged. The maximum URI length logged is 2048. \begin{note} Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg). \texttt{u2spewfoo} can be used to read this data from the unified2. \end{note} \item \texttt{log\_hostname} This option enables the HTTP Inspect preprocessor to parse the hostname data from the "Host" header of the HTTP request and log it along with all the generated events for that session. Stream reassembly needs to be turned on for the HTTP ports to enable the logging. If there are multiple HTTP requests in the session, the Hostname data of the most recent HTTP request at the time of the alert will be logged. In case of multiple "Host" headers within one HTTP request, a preprocessor alert with sid 24 is generated. The maximum hostname length logged is 256. \begin{note} Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg). \texttt{u2spewfoo} can be used to read this data from the unified2. 
\end{note} \end{slist} \subsubsection{Examples} \begin{verbatim} preprocessor http_inspect_server: \ server 10.1.1.1 \ ports { 80 3128 8080 } \ server_flow_depth 0 \ ascii no \ double_decode yes \ non_rfc_char { 0x00 } \ chunk_length 500000 \ non_strict \ no_alerts preprocessor http_inspect_server: \ server default \ ports { 80 3128 } \ non_strict \ non_rfc_char { 0x00 } \ server_flow_depth 300 \ apache_whitespace yes \ directory no \ iis_backslash no \ u_encode yes \ ascii no \ chunk_length 500000 \ bare_byte yes \ double_decode yes \ iis_unicode yes \ iis_delimiter yes \ multi_slash no preprocessor http_inspect_server: \ server default \ profile all \ ports { 80 8080 } \end{verbatim} \subsection{SMTP Preprocessor} \label{SMTP} The SMTP preprocessor is an SMTP decoder for user applications. Given a data buffer, SMTP will decode the buffer and find SMTP commands and responses. It will also mark the command, data header, and data body sections, and TLS data. SMTP handles stateless and stateful processing. It saves state between individual packets. However, maintaining correct state is dependent on the reassembly of the client side of the stream (i.e., a loss of coherent stream data results in a loss of state). \subsubsection{Configuration} SMTP has the usual configuration items, such as \texttt{port} and \texttt{inspection\_type}. Also, SMTP command lines can be normalized to remove extraneous spaces. TLS-encrypted traffic can be ignored, which improves performance. In addition, regular mail data can be ignored for an additional performance boost. Since so few (none in the current snort rule set) exploits are against mail data, this is relatively safe to do and can improve the performance of data inspection. Note, however, that ignoring mail data means the message body, including any attachment content it carries, is not inspected by rules; weigh that loss of visibility against the performance gain before enabling \texttt{ignore\_data}. The configuration options are described below: \begin{slist} \item \texttt{ports \{ [] ... \}} This specifies on what ports to check for SMTP data. Typically, this will include 25 and possibly 465, for encrypted SMTP. 
\item \texttt{inspection\_type } Indicate whether to operate in stateful or stateless mode. \item \texttt{normalize } This turns on normalization. Normalization checks for more than one space character after a command. Space characters are defined as space (ASCII 0x20) or tab (ASCII 0x09). \texttt{all} checks all commands \texttt{none} turns off normalization for all commands. \texttt{cmds} just checks commands listed with the \texttt{normalize\_cmds} parameter. \item \texttt{ignore\_data} Ignore data section of mail (except for mail headers) when processing rules. \item \texttt{ignore\_tls\_data} Ignore TLS-encrypted data when processing rules. \item \texttt{max\_command\_line\_len } Alert if an SMTP command line is longer than this value. Absence of this option or a "0" means never alert on command line length. RFC 2821 recommends 512 as a maximum command line length. \item \texttt{max\_header\_line\_len } Alert if an SMTP DATA header line is longer than this value. Absence of this option or a "0" means never alert on data header line length. RFC 2821 recommends 1024 as a maximum data header line length. \item \texttt{max\_response\_line\_len } Alert if an SMTP response line is longer than this value. Absence of this option or a "0" means never alert on response line length. RFC 2821 recommends 512 as a maximum response line length. \item \texttt{alt\_max\_command\_line\_len \{ [] \}} Overrides \texttt{max\_command\_line\_len} for specific commands. \item \texttt{no\_alerts} Turn off all alerts for this preprocessor. \item \texttt{invalid\_cmds \{ \}} Alert if this command is sent from client side. Default is an empty list. \item \texttt{valid\_cmds \{ \}} List of valid commands. We do not alert on commands in this list. 
Default is an empty list, but preprocessor has this list hard-coded: \begin{itemize} \item[] \{ ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY EXPN HELO HELP IDENT MAIL NOOP QUIT RCPT RSET SAML SOML SEND ONEX QUEU STARTTLS TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR \} \end{itemize} \item \texttt{data\_cmds \{ \}} List of commands that initiate sending of data with an end of data delimiter the same as that of the DATA command per RFC 5321 - \texttt{"."}. Default is \{ DATA \}. \item \texttt{binary\_data\_cmds \{ \}} List of commands that initiate sending of data and use a length value after the command to indicate the amount of data to be sent, similar to that of the BDAT command per RFC 3030. Default is \{ BDAT XEXCH50 \}. \item \texttt{auth\_cmds \{ \}} List of commands that initiate an authentication exchange between client and server. Default is \{ AUTH XAUTH X-EXPS \}. \item \texttt{alert\_unknown\_cmds} Alert if we don't recognize command. Default is off. \item \texttt{normalize\_cmds \{ \}} Normalize this list of commands Default is \{ RCPT VRFY EXPN \}. \item \texttt{xlink2state \{ enable | disable [drop] \}} Enable/disable xlink2state alert. Drop if alerted. Default is \texttt{enable}. \item \texttt{print\_cmds} List all commands understood by the preprocessor. This not normally printed out with the configuration because it can print so much data. \item \texttt{disabled} Disables the SMTP preprocessor in a config. This is useful when specifying the decoding depths such as \texttt{b64\_decode\_depth}, \texttt{qp\_decode\_depth}, \texttt{uu\_decode\_depth}, \texttt{bitenc\_decode\_depth} or the memcap used for decoding \texttt{max\_mime\_mem} in default config without turning on the SMTP preprocessor. \item \texttt{b64\_decode\_depth} This config option is used to turn off/on or set the base64 decoding depth used to decode the base64 encoded MIME attachments. 
The value ranges from -1 to 65535. A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 sets the decoding of base64 encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. A SMTP preprocessor alert with sid 10 is generated (if enabled) when the decoding fails. Multiple MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. The decoded data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. This option replaces the deprecated options, \texttt{enable\_mime\_decoding} and \texttt{max\_mime\_depth}. It is recommended that user inputs a value that is a multiple of 4. When the value specified is not a multiple of 4, the SMTP preprocessor will round it up to the next multiple of 4. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{qp\_decode\_depth} This config option is used to turn off/on or set the Quoted-Printable decoding depth used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per attachment. A SMTP preprocessor alert with sid 11 is generated (if enabled) when the decoding fails. Multiple MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. The decoded data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. 
In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{bitenc\_decode\_depth} This config option is used to turn off/on or set the non-encoded MIME extraction depth used to extract the non-encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME attachments. The value of 0 sets the extraction of these MIME attachments to unlimited. A value other than 0 or -1 restricts the extraction of these MIME attachments, and applies per attachment. Multiple MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the non-encoded MIME attachments/data across multiple packets are extracted too. The extracted data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{uu\_decode\_depth} This config option is used to turn off/on or set the Unix-to-Unix decoding depth used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges from -1 to 65535. A value of -1 turns off the UU decoding of SMTP attachments. The value of 0 sets the decoding of UU encoded SMTP attachments to unlimited. A value other than 0 or -1 restricts the decoding of UU SMTP attachments, and applies per attachment. A SMTP preprocessor alert with sid 13 is generated (if enabled) when the decoding fails. Multiple UU attachments/data in one packet are pipelined. When stateful inspection is turned on the UU encoded SMTP attachments/data across multiple packets are decoded too. The decoded data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. 
In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{enable\_mime\_decoding} Enables Base64 decoding of Mime attachments/data. Multiple base64 encoded MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. The decoding of base64 encoded attachments/data ends when either the \texttt{max\_mime\_depth} or maximum MIME sessions (calculated using \texttt{max\_mime\_depth} and \texttt{max\_mime\_mem}) is reached or when the encoded data ends. The decoded data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. This option is deprecated. Use the option \texttt{b64\_decode\_depth} to turn off or on the base64 decoding instead. \item \texttt{max\_mime\_depth } Specifies the maximum number of base64 encoded data to decode per SMTP attachment. The option take values ranging from 4 to 20480 bytes. The default value for this in snort in 1460 bytes. It is recommended that user inputs a value that is a multiple of 4. When the value specified is not a multiple of 4, the SMTP preprocessor will round it up to the next multiple of 4. This option is deprecated. Use the option \texttt{b64\_decode\_depth} to turn off or on the base64 decoding instead. \item \texttt{max\_mime\_mem } This option determines (in bytes) the maximum amount of memory the SMTP preprocessor will use for decoding base64 encoded/quoted-printable/non-encoded MIME attachments/data or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. This option along with the maximum of the decoding depths will determine the SMTP sessions that will be decoded at any given instant. The default value for this option is 838860. 
Note: It is suggested to set this value such that the max smtp session calculated as follows is at least 1. max smtp session = \texttt{max\_mime\_mem} /(2 * max of (\texttt{b64\_decode\_depth}, \texttt{uu\_decode\_depth}, \texttt{qp\_decode\_depth} or \texttt{bitenc\_decode\_depth})) For example, if \texttt{b64\_decode\_depth} is 0 (indicates unlimited decoding) and \texttt{qp\_decode\_depth} is 100, then max smtp session = \texttt{max\_mime\_mem}/(2*65535) (65535 being the max value for \texttt{b64\_decode\_depth}) In case of multiple configs, the \texttt{max\_mime\_mem} of the non-default configs will be overwritten by the default config's value. Hence the user needs to define it in the default config, using the \texttt{disabled} keyword if the SMTP preprocessor should not run in that config. \item \texttt{log\_mailfrom} This option enables the SMTP preprocessor to parse and log the sender's email address extracted from the "MAIL FROM" command along with all the generated events for that session. The maximum number of bytes logged for this option is 1024. Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg). u2spewfoo can be used to read this data from the unified2. \item \texttt{log\_rcptto} This option enables the SMTP preprocessor to parse and log the recipient's email addresses extracted from the "RCPT TO" command along with all the generated events for that session. Multiple recipients are appended with commas. The maximum number of bytes logged for this option is 1024. Please note, this is logged only with the unified2 output and is not logged with console output (-A cmg). u2spewfoo can be used to read this data from the unified2. \item \texttt{log\_filename} This option enables the SMTP preprocessor to parse and log the MIME attachment filenames extracted from the Content-Disposition header within the MIME body along with all the generated events for that session. Multiple filenames are appended with commas. 
The maximum number of bytes logged for this option is 1024. Please note, this is logged only with the unified2 output and is not logged with the console output (-A cmg). u2spewfoo can be used to read this data from the unified2. \item \texttt{log\_email\_hdrs} This option enables SMTP preprocessor to parse and log the SMTP email headers extracted from SMTP data along with all generated events for that session. The number of bytes extracted and logged depends upon the \texttt{email\_hdrs\_log\_depth}. Please note, this is logged only with the unified2 output and is not logged with the console output (-A cmg). u2spewfoo can be used to read this data from the unified2. \item \texttt{email\_hdrs\_log\_depth } This option specifies the depth for logging email headers. The allowed range for this option is 0 - 20480. A value of 0 will disable email headers logging. The default value for this option is 1464. Please note, in case of multiple policies, the value specified in the default policy is used and the values specified in the targeted policies are overwritten by the default value. This option must be configured in the default policy even if the SMTP configuration is disabled. \item \texttt{memcap } This option determines in bytes the maximum amount of memory the SMTP preprocessor will use for logging of filename, MAIL FROM addresses, RCPT TO addresses and email headers. This value along with the buffer size used to log MAIL FROM, RCPT TO, filenames and \texttt{email\_hdrs\_log\_depth} will determine the maximum SMTP sessions that will log the email headers at any given time. When this memcap is reached SMTP will stop logging the filename, MAIL FROM address, RCPT TO addresses and email headers until memory becomes available. Max SMTP sessions logging email headers at any given time = memcap/(1024 + 1024 + 1024 + \texttt{email\_hdrs\_log\_depth}) The size 1024 is the maximum buffer size used for logging filename, RCPTTO and MAIL FROM addresses. 
Default value for this option is 838860. The allowed range for this option is 3276 to 104857600. Please note, in case of multiple configs (policies), the value specified in the default config is used and the values specified in the targeted policies are overwritten by the default value. This option must be configured in the default config even if the SMTP configuration is disabled there. \end{slist} \subsubsection{Example} \begin{verbatim} preprocessor SMTP: \ ports { 25 } \ inspection_type stateful \ normalize cmds \ normalize_cmds { EXPN VRFY RCPT } \ ignore_data \ ignore_tls_data \ max_command_line_len 512 \ max_header_line_len 1024 \ max_response_line_len 512 \ no_alerts \ alt_max_command_line_len 300 { RCPT } \ invalid_cmds { } \ valid_cmds { } \ xlink2state { disable } \ print_cmds \ log_filename \ log_email_hdrs \ log_mailfrom \ log_rcptto \ email_hdrs_log_depth 2920 \ memcap 6000 preprocessor SMTP: \ b64_decode_depth 0\ max_mime_mem 4000 \ memcap 6000 \ email_hdrs_log_depth 2920 \ disabled \end{verbatim} \subsubsection{Default} \begin{verbatim} preprocessor SMTP: \ ports { 25 } \ inspection_type stateful \ normalize cmds \ normalize_cmds { EXPN VRFY RCPT } \ alt_max_command_line_len 260 { MAIL } \ alt_max_command_line_len 300 { RCPT } \ alt_max_command_line_len 500 { HELP HELO ETRN } \ alt_max_command_line_len 255 { EXPN VRFY } \end{verbatim} \subsubsection{Note} \texttt{RCPT TO:} and \texttt{MAIL FROM:} are SMTP commands. For the preprocessor configuration, they are referred to as RCPT and MAIL, respectively. Within the code, the preprocessor actually maps RCPT and MAIL to the correct command name. \subsection{POP Preprocessor} \label{POP} POP is a POP3 decoder for user applications. Given a data buffer, POP will decode the buffer and find POP3 commands and responses. 
It will also mark the command, data header data body sections and extract the POP3 attachments and decode it appropriately. POP will handle stateful processing. It saves state between individual packets. However maintaining correct state is dependent on the reassembly of the server side of the stream (i.e., a loss of coherent stream data results in a loss of state). Stream should be turned on for POP. Please ensure that the POP ports are added to the stream5 ports for proper reassembly. The POP preprocessor uses GID 142 to register events. \subsubsection{Configuration} The configuration options are described below: \begin{slist} \item \texttt{ports \{ [] ... \}} This specifies on what ports to check for POP data. Typically, this will include 110. Default ports if none are specified are 110 . \item \texttt{disabled} Disables the POP preprocessor in a config. This is useful when specifying the decoding depths such as \texttt{b64\_decode\_depth}, \texttt{qp\_decode\_depth}, \texttt{uu\_decode\_depth}, \texttt{bitenc\_decode\_depth} or the memcap used for decoding \texttt{memcap} in default config without turning on the POP preprocessor. \item \texttt{b64\_decode\_depth} This config option is used to turn off/on or set the base64 decoding depth used to decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 sets the decoding of base64 encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. A POP preprocessor alert with sid 4 is generated (if enabled) when the decoding fails. Multiple MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. The decoded data is available for detection using the rule option \texttt{file\_data}. 
See \ref{sub:file_data} rule option for more details. It is recommended that user inputs a value that is a multiple of 4. When the value specified is not a multiple of 4, the POP preprocessor will round it up to the next multiple of 4. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{qp\_decode\_depth} This config option is used to turn off/on or set the Quoted-Printable decoding depth used to decode the Quoted-Printable(QP) encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per attachment. A POP preprocessor alert with sid 5 is generated (if enabled) when the decoding fails. Multiple MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. The decoded data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{bitenc\_decode\_depth} This config option is used to turn off/on or set the non-encoded MIME extraction depth used to extract the non-encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME attachments. The value of 0 sets the extraction of these MIME attachments to unlimited. A value other than 0 or -1 restricts the extraction of these MIME attachments, and applies per attachment. Multiple MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the non-encoded MIME attachments/data across multiple packets are extracted too. 
The extracted data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{uu\_decode\_depth} This config option is used to turn off/on or set the Unix-to-Unix decoding depth used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges from -1 to 65535. A value of -1 turns off the UU decoding of POP attachments. The value of 0 sets the decoding of UU encoded POP attachments to unlimited. A value other than 0 or -1 restricts the decoding of UU POP attachments, and applies per attachment. A POP preprocessor alert with sid 7 is generated (if enabled) when the decoding fails. Multiple UU attachments/data in one packet are pipelined. When stateful inspection is turned on the UU encoded POP attachments/data across multiple packets are decoded too. The decoded data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{memcap } This option determines (in bytes) the maximum amount of memory the POP preprocessor will use for decoding base64 encoded/quoted-printable/non-encoded MIME attachments/data or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. This option along with the maximum of the decoding depths will determine the POP sessions that will be decoded at any given instant. The default value for this option is 838860. Note: It is suggested to set this value such that the max pop session calculated as follows is at least 1. 
max pop session = \texttt{memcap} /(2 * max of (\texttt{b64\_decode\_depth}, \texttt{uu\_decode\_depth}, \texttt{qp\_decode\_depth} or \texttt{bitenc\_decode\_depth})) For example, if \texttt{b64\_decode\_depth} is 0 (indicates unlimited decoding) and \texttt{qp\_decode\_depth} is 100, then max pop session = \texttt{memcap}/(2*65535) (65535 being the max value for \texttt{b64\_decode\_depth}) In case of multiple configs, the \texttt{memcap} of the non-default configs will be overwritten by the default config's value. Hence the user needs to define it in the default config, using the \texttt{disabled} keyword if the POP preprocessor should not run in that config. When the memcap for decoding (\texttt{memcap}) is exceeded the POP preprocessor alert with sid 3 is generated (when enabled). \end{slist} \subsubsection{Example} \begin{verbatim} preprocessor pop: \ ports { 110 } \ memcap 1310700 \ qp_decode_depth -1 \ b64_decode_depth 0 \ bitenc_decode_depth 100 preprocessor pop: \ memcap 1310700 \ qp_decode_depth 0 \ disabled \end{verbatim} \subsubsection{Default} \begin{verbatim} preprocessor pop: \ ports { 110 } \ b64_decode_depth 1460 \ qp_decode_depth 1460 \ bitenc_decode_depth 1460 \ uu_decode_depth 1460 \end{verbatim} \subsection{IMAP Preprocessor} \label{IMAP} IMAP is an IMAP4 decoder for user applications. Given a data buffer, IMAP will decode the buffer and find IMAP4 commands and responses. It will also mark the command, data header and data body sections and extract the IMAP4 attachments and decode them appropriately. IMAP will handle stateful processing. It saves state between individual packets. However, maintaining correct state is dependent on the reassembly of the server side of the stream (i.e., a loss of coherent stream data results in a loss of state). Stream should be turned on for IMAP. Please ensure that the IMAP ports are added to the stream5 ports for proper reassembly. The IMAP preprocessor uses GID 141 to register events. 
\subsubsection{Configuration} The configuration options are described below: \begin{slist} \item \texttt{ports \{ [] ... \}} This specifies on what ports to check for IMAP data. Typically, this will include 143. Default ports if none are specified are 143 . \item \texttt{disabled} Disables the IMAP preprocessor in a config. This is useful when specifying the decoding depths such as \texttt{b64\_decode\_depth}, \texttt{qp\_decode\_depth}, \texttt{uu\_decode\_depth}, \texttt{bitenc\_decode\_depth} or the memcap used for decoding \texttt{memcap} in default config without turning on the IMAP preprocessor. \item \texttt{b64\_decode\_depth} This config option is used to turn off/on or set the base64 decoding depth used to decode the base64 encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the base64 decoding of MIME attachments. The value of 0 sets the decoding of base64 encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of base64 MIME attachments, and applies per attachment. A IMAP preprocessor alert with sid 4 is generated (if enabled) when the decoding fails. Multiple MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the base64 encoded MIME attachments/data across multiple packets are decoded too. The decoded data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. It is recommended that user inputs a value that is a multiple of 4. When the value specified is not a multiple of 4, the IMAP preprocessor will round it up to the next multiple of 4. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{qp\_decode\_depth} This config option is used to turn off/on or set the Quoted-Printable decoding depth used to decode the Quoted-Printable(QP) encoded MIME attachments. 
The value ranges from -1 to 65535. A value of -1 turns off the QP decoding of MIME attachments. The value of 0 sets the decoding of QP encoded MIME attachments to unlimited. A value other than 0 or -1 restricts the decoding of QP MIME attachments, and applies per attachment. A IMAP preprocessor alert with sid 5 is generated (if enabled) when the decoding fails. Multiple MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the QP encoded MIME attachments/data across multiple packets are decoded too. The decoded data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{bitenc\_decode\_depth} This config option is used to turn off/on or set the non-encoded MIME extraction depth used to extract the non-encoded MIME attachments. The value ranges from -1 to 65535. A value of -1 turns off the extraction of these MIME attachments. The value of 0 sets the extraction of these MIME attachments to unlimited. A value other than 0 or -1 restricts the extraction of these MIME attachments, and applies per attachment. Multiple MIME attachments/data in one packet are pipelined. When stateful inspection is turned on the non-encoded MIME attachments/data across multiple packets are extracted too. The extracted data is available for detection using the rule option \texttt{file\_data}. See \ref{sub:file_data} rule option for more details. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{uu\_decode\_depth} This config option is used to turn off/on or set the Unix-to-Unix decoding depth used to decode the Unix-to-Unix(UU) encoded attachments. The value ranges from -1 to 65535. A value of -1 turns off the UU decoding of IMAP attachments. 
The value of 0 sets the decoding of UU encoded IMAP attachments to unlimited. A value other than 0 or -1 restricts the decoding of UU IMAP attachments, and applies per attachment. An IMAP preprocessor alert with sid 7 is generated (if enabled) when the decoding fails. Multiple UU attachments/data in one packet are pipelined. When stateful inspection is turned on, the UU encoded IMAP attachments/data across multiple packets are decoded too. The decoded data is available for detection using the rule option \texttt{file\_data}. See the \ref{sub:file_data} rule option for more details. In case of multiple configs, the value specified in the non-default config cannot exceed the value specified in the default config. \item \texttt{memcap} This option determines (in bytes) the maximum amount of memory the IMAP preprocessor will use for decoding base64 encoded/quoted-printable/non-encoded MIME attachments/data or Unix-to-Unix encoded attachments. This value can be set from 3276 bytes to 100MB. This option along with the maximum of the decoding depths will determine the number of IMAP sessions that will be decoded at any given instant. The default value for this option is 838860. Note: It is suggested to set this value such that the max imap session calculated as follows is at least 1. max imap session = \texttt{memcap} /(2 * max of (\texttt{b64\_decode\_depth}, \texttt{uu\_decode\_depth}, \texttt{qp\_decode\_depth} or \texttt{bitenc\_decode\_depth})) For example, if \texttt{b64\_decode\_depth} is 0 (indicates unlimited decoding) and \texttt{qp\_decode\_depth} is 100, then max imap session = \texttt{memcap}/(2*65535) (65535 being the max value for \texttt{b64\_decode\_depth}) In case of multiple configs, the \texttt{memcap} of the non-default configs will be overwritten by the default config's value. Hence the user needs to define it in the default config with the new keyword \texttt{disabled} (used to disable the IMAP preprocessor in a config). 
When the memcap for decoding (\texttt{memcap}) is exceeded, an IMAP preprocessor alert with sid 3 is generated (when enabled). \end{slist} \subsubsection{Example} \begin{verbatim} preprocessor imap: \ ports { 110 } \ memcap 1310700 \ qp_decode_depth -1 \ b64_decode_depth 0 \ bitenc_decode_depth 100 preprocessor imap: \ memcap 1310700 \ qp_decode_depth 0 \ disabled \end{verbatim} \subsubsection{Default} \begin{verbatim} preprocessor imap: \ ports { 110 } \ b64_decode_depth 1460 \ qp_decode_depth 1460 \ bitenc_decode_depth 1460 \ uu_decode_depth 1460 \end{verbatim} \subsection{FTP/Telnet Preprocessor} \label{sub:ftptelnet} FTP/Telnet is an improvement to the Telnet decoder and provides stateful inspection capability for both FTP and Telnet data streams. FTP/Telnet will decode the stream, identifying FTP commands and responses and Telnet escape sequences, and normalize the fields. FTP/Telnet works on both client requests and server responses. FTP/Telnet has the capability to handle stateless processing, meaning it only looks for information on a packet-by-packet basis. The default is to run FTP/Telnet in stateful inspection mode, meaning it looks for information and handles reassembled data correctly. FTP/Telnet has a very ``rich'' user configuration, similar to that of HTTP Inspect (See \ref{sub:http-inspect}). Users can configure individual FTP servers and clients with a variety of options, which should allow the user to emulate any type of FTP server or FTP client. Within FTP/Telnet, there are four areas of configuration: Global, Telnet, FTP Client, and FTP Server. \begin{note} Some configuration options have an argument of \texttt{yes} or \texttt{no}. This argument specifies whether the user wants the configuration option to generate an ftptelnet alert or not. The presence of the option indicates the option itself is on, while the \texttt{yes/no} argument applies to the alerting functionality associated with that option. 
\end{note} \subsubsection{Global Configuration} The global configuration deals with configuration options that determine the global functioning of FTP/Telnet. The following example gives the generic global configuration format: \subsubsection{Format} \begin{verbatim} preprocessor ftp_telnet: \ global \ inspection_type stateful \ encrypted_traffic yes \ check_encrypted \end{verbatim} You can only have a single global configuration; you'll get an error if you try otherwise. The FTP/Telnet global configuration must appear before the other three areas of configuration. \paragraph{Configuration} \begin{slist} \item \texttt{inspection\_type} This indicates whether to operate in stateful or stateless mode. \item \texttt{encrypted\_traffic $<$yes|no$>$} This option enables detection and alerting on encrypted Telnet and FTP command channels. \begin{note} When \texttt{inspection\_type} is in stateless mode, checks for encrypted traffic will occur on every packet, whereas in stateful mode, a particular session will be noted as encrypted and not inspected any further. \end{note} \item \texttt{check\_encrypted} Instructs the preprocessor to continue to check an encrypted session for a subsequent command to cease encryption. \end{slist} \subsubsection{Example Global Configuration} \begin{verbatim} preprocessor ftp_telnet: \ global inspection_type stateful encrypted_traffic no \end{verbatim} \subsubsection{Telnet Configuration} The telnet configuration deals with configuration options that determine the functioning of the Telnet portion of the preprocessor. The following example gives the generic telnet configuration format: \subsubsection{Format} \begin{verbatim} preprocessor ftp_telnet_protocol: \ telnet \ ports { 23 } \ normalize \ ayt_attack_thresh 6 \ detect_anomalies \end{verbatim} There should only be a single telnet configuration; subsequent instances will override previously set values. 
\paragraph{Configuration} \begin{slist} \item \texttt{ports $\{ <$port$> [<$port$> <...>] \}$} This is how the user configures which ports to decode as telnet traffic. SSH tunnels cannot be decoded, so adding port 22 will only yield false positives. Typically port 23 will be included. \item \texttt{normalize} This option tells the preprocessor to normalize the telnet traffic by eliminating the telnet escape sequences. It functions similarly to its predecessor, the telnet\_decode preprocessor. Rules written with 'raw' content options will ignore the normalized buffer that is created when this option is in use. \item \texttt{ayt\_attack\_thresh $<$ number $>$} This option causes the preprocessor to alert when the number of consecutive telnet Are You There (AYT) commands reaches the number specified. It is only applicable when the mode is stateful. \item \texttt{detect\_anomalies} In order to support certain options, Telnet supports subnegotiation. Per the Telnet RFC, subnegotiation begins with SB (subnegotiation begin) and must end with an SE (subnegotiation end). However, certain implementations of Telnet servers will ignore the SB without a corresponding SE. This is anomalous behavior which could be an evasion case. Because FTP uses the Telnet protocol on the control connection, it is also susceptible to this behavior. The \texttt{detect\_anomalies} option enables alerting on Telnet SB without the corresponding SE. \end{slist} \subsubsection{Example Telnet Configuration} \begin{verbatim} preprocessor ftp_telnet_protocol: \ telnet ports { 23 } normalize ayt_attack_thresh 6 \end{verbatim} \subsubsection{FTP Server Configuration} There are two types of FTP server configurations: default and by IP address. \paragraph{Default} This configuration supplies the default server configuration for any FTP server that is not individually configured. Most of your FTP servers will most likely end up using the default configuration. 
\subsubsection{Example Default FTP Server Configuration} \begin{verbatim} preprocessor ftp_telnet_protocol: \ ftp server default ports { 21 } \end{verbatim} Refer to \pageref{sub:default ftp server config} for the list of options set in the default ftp server configuration. \paragraph{Configuration by IP Address} This format is very similar to ``default'', the only difference being that specific IPs can be configured. \subsubsection{Example IP specific FTP Server Configuration} \begin{verbatim} preprocessor ftp_telnet_protocol: \ ftp server 10.1.1.1 ports { 21 } ftp_cmds { XPWD XCWD } \end{verbatim} \subsubsection{FTP Server Configuration Options} \begin{slist} \item \texttt{ports $\{ <$port$> [<$port$> <...>] \}$} This is how the user configures which ports to decode as FTP command channel traffic. Typically port 21 will be included. \item \texttt{print\_cmds} During initialization, this option causes the preprocessor to print the configuration for each of the FTP commands for this server. \item \texttt{ftp\_cmds $\{ cmd [cmd] \}$ } The preprocessor is configured to alert when it sees an FTP command that is not allowed by the server. This option specifies a list of additional commands allowed by this server, outside of the default FTP command set as specified in RFC 959. This may be used to allow the use of the 'X' commands identified in RFC 775, as well as any additional commands as needed. For example: \begin{verbatim} ftp_cmds { XPWD XCWD XCUP XMKD XRMD } \end{verbatim} \item \texttt{def\_max\_param\_len $<$number$>$} This specifies the default maximum allowed parameter length for an FTP command. It can be used as a basic buffer overflow detection. \item \texttt{alt\_max\_param\_len $<$number$>$ $\{ cmd [cmd] \}$} This specifies the maximum allowed parameter length for the specified FTP command(s). It can be used as a more specific buffer overflow detection. 
For example the USER command -- usernames may be no longer than 16 bytes, so the appropriate configuration would be: \begin{verbatim} alt_max_param_len 16 { USER } \end{verbatim} \item \texttt{chk\_str\_fmt $\{ cmd [cmd] \}$} This option causes a check for string format attacks in the specified commands. \item \texttt{cmd\_validity cmd $<$ fmt $>$} This option specifies the valid format for parameters of a given command. fmt must be enclosed in $<>$'s and may contain the following: \begin{center} \begin{tabular}{| l | p{3in} |} \hline \textbf{Value} & \textbf{Description} \\ \hline \hline int & Parameter must be an integer \\ \hline number & Parameter must be an integer between 1 and 255 \\ \hline char $<$chars$>$ & Parameter must be a single character, one of $<$chars$>$ \\ \hline date $<$datefmt$>$ & Parameter follows format specified, where: \begin{tabular}{ l l } n & Number \\ C & Character \\ $[]$ & optional format enclosed \\ $|$ & OR \\ $\{\}$ & choice of options \\ . + - & literal \\ \end{tabular} \\ \hline string & Parameter is a string (effectively unrestricted) \\ \hline host\_port & Parameter must be a host/port specified, per RFC 959 \\ \hline long\_host\_port & Parameter must be a long host port specified, per RFC 1639 \\ \hline extended\_host\_port & Parameter must be an extended host port specified, per RFC 2428 \\ \hline $\{\}$, $|$ & One of choices enclosed within, separated by $|$ \\ \hline $\{\}$, $[]$ & One of the choices enclosed within $\{\}$, optional value enclosed within $[]$ \\ \hline \end{tabular} \end{center} Examples of the cmd\_validity option are shown below. These examples are the default checks, per RFC 959 and others performed by the preprocessor. 
\begin{verbatim} cmd_validity MODE cmd_validity STRU cmd_validity ALLO < int [ char R int ] > cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > cmd_validity PORT < host_port > \end{verbatim} A cmd\_validity line can be used to override these defaults and/or add a check for other commands. \begin{verbatim} # This allows additional modes, including mode Z which allows for # zip-style compression. cmd_validity MODE < char ASBCZ > # Allow for a date in the MDTM command. cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \end{verbatim} MDTM is an odd case that is worth discussing. While not part of an established standard, certain FTP servers accept MDTM commands that set the modification time on a file. The most common among servers that do accept a format using YYYYMMDDHHmmss[.uuu]. Some others accept a format using YYYYMMDDHHmmss[+|-]TZ format. The example above is for the first case (time format as specified in http://www.ietf.org/internet-drafts/draft-ietf-ftpext-mlst-16.txt). To check validity for a server that uses the TZ format, use the following: \begin{verbatim} cmd_validity MDTM < [ date nnnnnnnnnnnnnn[{+|-}n[n]] ] string > \end{verbatim} \item \texttt{telnet\_cmds $<$yes$|$no$>$} This option turns on detection and alerting when telnet escape sequences are seen on the FTP command channel. Injection of telnet escape sequences could be used as an evasion attempt on an FTP command channel. \item \texttt{ignore\_telnet\_erase\_cmds $<$yes|no$>$} This option allows Snort to ignore telnet escape sequences for erase character (TNC EAC) and erase line (TNC EAL) when normalizing the FTP command channel. Some FTP servers do not process those telnet escape sequences. \item \texttt{data\_chan} This option causes the rest of snort (rules, other preprocessors) to ignore FTP data channel connections. Using this option means that \textbf{NO INSPECTION} other than TCP state will be performed on FTP data transfers. 
It can be used to improve performance, especially with large file transfers from a trusted source. If your rule set includes virus-type rules, it is recommended that this option not be used. Use of the "data\_chan" option is deprecated in favor of the "ignore\_data\_chan" option. "data\_chan" will be removed in a future release. \item \texttt{ignore\_data\_chan $<$yes$|$no$>$} This option causes the rest of Snort (rules, other preprocessors) to ignore FTP data channel connections. Setting this option to "yes" means that \textbf{NO INSPECTION} other than TCP state will be performed on FTP data transfers. It can be used to improve performance, especially with large file transfers from a trusted source. If your rule set includes virus-type rules, it is recommended that this option not be used. \end{slist} \subsubsection{FTP Server Base Configuration Options} \label{sub:default ftp server config} The base FTP server configuration is as follows. Options specified in the configuration file will modify this set of options. FTP commands are added to the set of allowed commands. The other options will override those in the base configuration. 
\begin{verbatim} def_max_param_len 100 ftp_cmds { USER PASS ACCT CWD CDUP SMNT QUIT REIN TYPE STRU MODE RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP NOOP } ftp_cmds { AUTH ADAT PROT PBSZ CONF ENC } ftp_cmds { PORT PASV LPRT LPSV EPRT EPSV } ftp_cmds { FEAT OPTS } ftp_cmds { MDTM REST SIZE MLST MLSD } alt_max_param_len 0 { CDUP QUIT REIN PASV STOU ABOR PWD SYST NOOP } cmd_validity MODE < char SBC > cmd_validity STRU < char FRPO [ string ] > cmd_validity ALLO < int [ char R int ] > cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } > cmd_validity PORT < host_port > cmd_validity LPRT < long_host_port > cmd_validity EPRT < extd_host_port > cmd_validity EPSV < [ { '1' | '2' | 'ALL' } ] > \end{verbatim} \subsubsection{FTP Client Configuration} Similar to the FTP Server configuration, the FTP client configuration has two types: default, and by IP address. \paragraph{Default} This configuration supplies the default client configuration for any FTP client that is not individually configured. Most of your FTP clients will most likely end up using the default configuration. \subsubsection{Example Default FTP Client Configuration} \begin{verbatim} preprocessor ftp_telnet_protocol: \ ftp client default bounce no max_resp_len 200 \end{verbatim} \paragraph{Configuration by IP Address} This format is very similar to ``default'', the only difference being that specific IPs can be configured. \subsubsection{Example IP specific FTP Client Configuration} \begin{verbatim} preprocessor ftp_telnet_protocol: \ ftp client 10.1.1.1 bounce yes max_resp_len 500 \end{verbatim} \subsubsection{FTP Client Configuration Options} \begin{slist} \item \texttt{max\_resp\_len $<$number$>$} This specifies the maximum allowed response length to an FTP command accepted by the client. It can be used as a basic buffer overflow detection. \item \texttt{bounce $<$yes|no$>$} This option turns on detection and alerting of FTP bounce attacks. 
An FTP bounce attack occurs when the FTP PORT command is issued and the specified host does not match the host of the client. \item \texttt{bounce\_to $<$ CIDR,[port$|$portlow,porthi] $>$} When the bounce option is turned on, this allows the PORT command to use the IP address (in CIDR format) and port (or inclusive port range) without generating an alert. It can be used to deal with proxied FTP connections where the FTP data channel is different from the client. A few examples: \begin{itemize} \item Allow bounces to 192.168.1.1 port 20020 -- i.e., the use of \texttt{PORT 192,168,1,1,78,52}. \begin{verbatim} bounce_to { 192.168.1.1,20020 } \end{verbatim} \item Allow bounces to 192.168.1.1 ports 20020 through 20040 -- i.e., the use of \texttt{PORT 192,168,1,1,78,xx}, where xx is 52 through 72 inclusive. \begin{verbatim} bounce_to { 192.168.1.1,20020,20040 } \end{verbatim} \item Allow bounces to 192.168.1.1 port 20020 and 192.168.1.2 port 20030. \begin{verbatim} bounce_to { 192.168.1.1,20020 192.168.1.2,20030 } \end{verbatim} \item Allow bounces to IPv6 address fe8::5 port 59340. \begin{verbatim} bounce_to { fe8::5,59340 } \end{verbatim} \end{itemize} \item \texttt{telnet\_cmds $<$yes|no$>$} This option turns on detection and alerting when telnet escape sequences are seen on the FTP command channel. Injection of telnet escape sequences could be used as an evasion attempt on an FTP command channel. \item \texttt{ignore\_telnet\_erase\_cmds $<$yes|no$>$} This option allows Snort to ignore telnet escape sequences for erase character (TNC EAC) and erase line (TNC EAL) when normalizing the FTP command channel. Some FTP clients do not process those telnet escape sequences. 
\end{slist} \subsubsection{Examples/Default Configuration from snort.conf} \begin{verbatim} preprocessor ftp_telnet: \ global \ encrypted_traffic yes \ inspection_type stateful preprocessor ftp_telnet_protocol:\ telnet \ normalize \ ayt_attack_thresh 200 # This is consistent with the FTP rules as of 18 Sept 2004. # Set CWD to allow parameter length of 200 # MODE has an additional mode of Z (compressed) # Check for string formats in USER & PASS commands # Check MDTM commands that set modification time on the file. preprocessor ftp_telnet_protocol: \ ftp server default \ def_max_param_len 100 \ alt_max_param_len 200 { CWD } \ cmd_validity MODE < char ASBCZ > \ cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \ chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \ telnet_cmds yes \ ignore_data_chan yes preprocessor ftp_telnet_protocol: \ ftp client default \ max_resp_len 256 \ bounce yes \ telnet_cmds yes \end{verbatim} \subsection{SSH} \label{sub:ssh} The SSH preprocessor detects the following exploits: Challenge-Response Buffer Overflow, CRC 32, Secure CRT, and the Protocol Mismatch exploit. Both Challenge-Response Overflow and CRC 32 attacks occur after the key exchange, and are therefore encrypted. Both attacks involve sending a large payload (20kb+) to the server immediately after the authentication challenge. To detect the attacks, the SSH preprocessor counts the number of bytes transmitted to the server. If those bytes exceed a predefined limit within a predefined number of packets, an alert is generated. Since the Challenge-Response Overflow only affects SSHv2 and CRC 32 only affects SSHv1, the SSH version string exchange is used to distinguish the attacks. The Secure CRT and protocol mismatch exploits are observable before the key exchange. \subsubsection{Configuration} By default, all alerts are disabled and the preprocessor checks traffic on port 22. The available configuration options are described below. 
\begin{slist} \item \texttt{server\_ports $\{ <$port$> [<$port$> <...>] \}$} This option specifies which ports the SSH preprocessor should inspect traffic to. \item \texttt{max\_encrypted\_packets $<$ number $>$} The number of stream reassembled encrypted packets that Snort will inspect before ignoring a given SSH session. The SSH vulnerabilities that Snort can detect all happen at the very beginning of an SSH session. Once max\_encrypted\_packets packets have been seen, Snort ignores the session to increase performance. The default is set to 25. This value can be set from 0 to 65535. \item \texttt{max\_client\_bytes $<$ number $>$} The number of unanswered bytes allowed to be transferred before alerting on Challenge-Response Overflow or CRC 32. This number must be hit before max\_encrypted\_packets packets are sent, or else Snort will ignore the traffic. The default is set to 19600. This value can be set from 0 to 65535. \item \texttt{max\_server\_version\_len $<$ number $>$} The maximum number of bytes allowed in the SSH server version string before alerting on the Secure CRT server version string overflow. The default is set to 80. This value can be set from 0 to 255. \item \texttt{autodetect} Attempt to automatically detect SSH. \item \texttt{enable\_respoverflow} Enables checking for the Challenge-Response Overflow exploit. \item \texttt{enable\_ssh1crc32} Enables checking for the CRC 32 exploit. \item \texttt{enable\_srvoverflow} Enables checking for the Secure CRT exploit. \item \texttt{enable\_protomismatch} Enables checking for the Protocol Mismatch exploit. \item \texttt{enable\_badmsgdir} Enable alerts for traffic flowing the wrong direction. For instance, if the presumed server generates client traffic, or if a client generates server traffic. \item \texttt{enable\_paysize} Enables alerts for invalid payload sizes. \item \texttt{enable\_recognition} Enable alerts for non-SSH traffic on SSH ports. \end{slist} The SSH preprocessor should work by default. 
After max\_encrypted\_packets is reached, the preprocessor will stop processing traffic for a given session. If Challenge-Response Overflow or CRC 32 alerts are false positives, try increasing the number of required client bytes with max\_client\_bytes. \subsubsection{Example Configuration from snort.conf} Looks for attacks on SSH server port 22. Alerts at 19600 unacknowledged bytes within 20 encrypted packets for the Challenge-Response Overflow/CRC32 exploits. \begin{verbatim} preprocessor ssh: \ server_ports { 22 } \ max_client_bytes 19600 \ max_encrypted_packets 20 \ enable_respoverflow \ enable_ssh1crc32 \end{verbatim} \subsection{DNS} \label{sub:dns} The DNS preprocessor decodes DNS Responses and can detect the following exploits: DNS Client RData Overflow, Obsolete Record Types, and Experimental Record Types. DNS looks at DNS Response traffic over UDP and TCP, and it requires the Stream preprocessor to be enabled for TCP decoding. \subsubsection{Configuration} By default, all alerts are disabled and the preprocessor checks traffic on port 53. The available configuration options are described below. \begin{slist} \item \texttt{ports $\{ <$port$> [<$port$> <...>] \}$} This option specifies the source ports on which the DNS preprocessor should inspect traffic. \item \texttt{enable\_obsolete\_types} Alert on Obsolete (per RFC 1035) Record Types \item \texttt{enable\_experimental\_types} Alert on Experimental (per RFC 1035) Record Types \item \texttt{enable\_rdata\_overflow} Check for DNS Client RData TXT Overflow \end{slist} The DNS preprocessor does nothing if none of the 3 vulnerabilities it checks for are enabled. It will not operate on TCP sessions picked up midstream, and it will cease operation on a session if it loses state because of missing data (dropped packets). \subsubsection{Examples/Default Configuration from snort.conf} Looks for traffic on DNS server port 53. Check for the DNS Client RData overflow vulnerability. 
Do not alert on obsolete or experimental RData record types. \begin{verbatim} preprocessor dns: \ ports { 53 } \ enable_rdata_overflow \end{verbatim} \subsection{SSL/TLS} \label{sub:SSL/TLS} Encrypted traffic should be ignored by Snort for both performance reasons and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP) decodes SSL and TLS traffic and optionally determines if and when Snort should stop inspection of it. Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to inspect port 443 and enabling the noinspect\_encrypted option, only the SSL handshake of each connection will be inspected. Once the traffic is determined to be encrypted, no further inspection of the data on the connection is made. By default, SSLPP looks for a handshake followed by encrypted traffic traveling to both sides. If one side responds with an indication that something has failed, such as the handshake, the session is not marked as encrypted. Verifying that faultless encrypted traffic is sent from both endpoints ensures two things: the last client-side handshake packet was not crafted to evade Snort, and that the traffic is legitimately encrypted. In some cases, especially when packets may be missed, the only observed response from one endpoint will be TCP ACKs. Therefore, if a user knows that server-side encrypted data can be trusted to mark the session as encrypted, the user should use the 'trustservers' option, documented below. \subsubsection{Configuration} \begin{slist} \item \texttt{ports $\{ <$port$> [<$port$> <...>] \}$} This option specifies which ports SSLPP will inspect traffic on. 
By default, SSLPP watches the following ports: \begin{itemize} \item \texttt{443} HTTPS \item \texttt{465} SMTPS \item \texttt{563} NNTPS \item \texttt{636} LDAPS \item \texttt{989} FTPS \item \texttt{992} TelnetS \item \texttt{993} IMAPS \item \texttt{994} IRCS \item \texttt{995} POPS \end{itemize} \item \texttt{noinspect\_encrypted} Disable inspection on traffic that is encrypted. Default is off. \item \texttt{max\_heartbeat\_length} Maximum length of heartbeat record allowed. This config option is used to detect the heartbleed attacks. The allowed range is 0 to 65535. Setting the value to 0 turns off the heartbeat length checks. For heartbeat requests, if the payload size of the request record is greater than the max\_heartbeat\_length an alert with sid 3 and gid 137 is generated. For heartbeat responses, if the record size itself is greater than the max\_heartbeat\_length an alert with sid 4 and gid 137 is generated. Default is off. \item \texttt{trustservers} Disables the requirement that application (encrypted) data must be observed on both sides of the session before a session is marked encrypted. Use this option for slightly better performance if you trust that your servers are not compromised. This requires the \texttt{noinspect\_encrypted} option to be useful. Default is off. \end{slist} \subsubsection{Examples/Default Configuration from snort.conf} Enables the SSL preprocessor and tells it to disable inspection on encrypted traffic. \begin{verbatim} preprocessor ssl: noinspect_encrypted \end{verbatim} \subsubsection{Rule Options} The following rule options are supported by enabling the \texttt{ssl} preprocessor: \begin{itemize} \item[] \begin{verbatim} ssl_version ssl_state \end{verbatim} \end{itemize} \texttt{ssl\_version} \label{ssl:ssl_version} \begin{itemize} \item[] The \texttt{ssl\_version} rule option tracks the version negotiated between the endpoints of the SSL encryption. 
The list of version identifiers is below, and more than one identifier can be specified, via a comma separated list. Lists of identifiers are OR'ed together. The option will match if any one of the OR'ed versions is used in the SSL connection. To check for two or more SSL versions in use simultaneously, multiple \texttt{ssl\_version} rule options should be used. \textit{Syntax} \footnotesize \begin{verbatim} ssl_version: version-list = version | version , version-list version = ["!"] "sslv2" | "sslv3" | "tls1.0" | "tls1.1" | "tls1.2" \end{verbatim} \textit{Examples} \begin{verbatim} ssl_version:sslv3; ssl_version:tls1.0,tls1.1,tls1.2; ssl_version:!sslv2; \end{verbatim} \end{itemize} \texttt{ssl\_state} \label{ssl:ssl_state} \begin{itemize} \item[] The \texttt{ssl\_state} rule option tracks the state of the SSL encryption during the process of hello and key exchange. The list of states is below. More than one state can be specified, via a comma separated list, and they are OR'ed together. The option will match if the connection is currently in any one of the OR'ed states. To ensure the connection has reached each of a set of states, multiple rules using the \texttt{ssl\_state} rule option should be used. \textit{Syntax} \footnotesize \begin{verbatim} ssl_state: state-list = state | state , state-list state = ["!"] "client_hello" | "server_hello" | "client_keyx" | "server_keyx" | "unknown" \end{verbatim} \textit{Examples} \begin{verbatim} ssl_state:client_hello; ssl_state:client_keyx,server_keyx; ssl_state:!server_hello; \end{verbatim} \end{itemize} \subsection{ARP Spoof Preprocessor} \label{sub:arpspoof} The ARP spoof preprocessor decodes ARP packets and detects ARP attacks, unicast ARP requests, and inconsistent Ethernet to IP mapping. When no arguments are specified to arpspoof, the preprocessor inspects Ethernet addresses and the addresses in the ARP packets. When an inconsistency occurs, an alert with GID 112 and SID 2 or 3 is generated. 
When "\texttt{-unicast}" is specified as the argument of arpspoof, the preprocessor checks for unicast ARP requests. An alert with GID 112 and SID 1 will be generated if a unicast ARP request is detected. Specify a pair of IP and hardware address as the argument to \texttt{arpspoof\_detect\_host}. The host with the IP address should be on the same layer 2 segment as Snort is. Specify one host IP MAC combo per line. The preprocessor will use this list when detecting ARP cache overwrite attacks. Alert SID 4 is used in this case. \subsubsection{Format} \begin{verbatim} preprocessor arpspoof[: -unicast] preprocessor arpspoof_detect_host: ip mac \end{verbatim} \begin{table}[h] \begin{center} \begin{tabular}{| l | l |} \hline \textbf{Option} & \textbf{Description}\\ \hline \hline \texttt{ip} & IP address.\\ \hline \texttt{mac} & The Ethernet address corresponding to the preceding IP. \\ \hline \end{tabular} \end{center} \end{table} \subsubsection{Example Configuration} The first example configuration does neither unicast detection nor ARP mapping monitoring. The preprocessor merely looks for Ethernet address inconsistencies. \begin{verbatim} preprocessor arpspoof \end{verbatim} The next example configuration does not do unicast detection but monitors ARP mapping for hosts 192.168.40.1 and 192.168.40.2. \begin{verbatim} preprocessor arpspoof preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01 \end{verbatim} The third example configuration has unicast detection enabled. \begin{verbatim} preprocessor arpspoof: -unicast preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 preprocessor arpspoof_detect_host: 192.168.40.2 f0:0f:00:f0:0f:01 \end{verbatim} \subsection{DCE/RPC 2 Preprocessor} \label{sub:dcerpc2} The main purpose of the preprocessor is to perform SMB desegmentation and DCE/RPC defragmentation to avoid rule evasion using these techniques. 
SMB desegmentation is performed for the following commands that can be used to transport DCE/RPC requests and responses: \texttt{Write}, \texttt{Write Block Raw}, \texttt{Write and Close}, \texttt{Write AndX}, \texttt{Transaction}, \texttt{Transaction Secondary}, \texttt{Read}, \texttt{Read Block Raw} and \texttt{Read AndX}. The following transports are supported for DCE/RPC: SMB, TCP, UDP and RPC over HTTP v.1 proxy and server. New rule options have been implemented to improve performance, reduce false positives and reduce the count and complexity of DCE/RPC based rules. \subsubsection{Dependency Requirements} For proper functioning of the preprocessor: \begin{itemize} \item Stream session tracking must be enabled, i.e. \texttt{stream5}. The preprocessor requires a session tracker to keep its data. \item Stream reassembly must be performed for TCP sessions. If it is decided that a session is SMB or DCE/RPC, either through configured ports, servers or autodetecting, the \texttt{dcerpc2} preprocessor will enable stream reassembly for that session if necessary. \item IP defragmentation should be enabled, i.e. the \texttt{frag3} preprocessor should be enabled and configured. \end{itemize} \subsubsection{Target Based} There are enough important differences between Windows and Samba versions that a target based approach has been implemented. Some important differences:\\ \textit{Named pipe instance tracking} \begin{itemize} \item[] A combination of valid login handle or UID, share handle or TID and file/named pipe handle or FID must be used to write data to a named pipe. The binding between these is dependent on OS/software version. \begin{itemize} \item[] Samba 3.0.22 and earlier \begin{itemize} \item[] Any valid UID and TID, along with a valid FID can be used to make a request, however, if the TID used in creating the FID is deleted (via a tree disconnect), the FID that was created using this TID becomes invalid, i.e. 
no more requests can be written to that named pipe instance. \end{itemize} \item[] Samba greater than 3.0.22 \begin{itemize} \item[] Any valid TID, along with a valid FID can be used to make a request. However, only the UID used in opening the named pipe can be used to make a request using the FID handle to the named pipe instance. If the TID used to create the FID is deleted (via a tree disconnect), the FID that was created using this TID becomes invalid, i.e. no more requests can be written to that named pipe instance. If the UID used to create the named pipe instance is deleted (via a \texttt{Logoff AndX}), since it is necessary in making a request to the named pipe, the FID becomes invalid. \end{itemize} \item[] Windows 2003 \item[] Windows XP \item[] Windows Vista \begin{itemize} \item[] These Windows versions require strict binding between the UID, TID and FID used to make a request to a named pipe instance. Both the UID and TID used to open the named pipe instance must be used when writing data to the same named pipe instance. Therefore, deleting either the UID or TID invalidates the FID. \end{itemize} \item[] Windows 2000 \begin{itemize} \item[] Windows 2000 is interesting in that the first request to a named pipe must use the same binding as that of the other Windows versions. However, requests after that follow the same binding as Samba 3.0.22 and earlier, i.e. no binding. It also follows Samba greater than 3.0.22 in that deleting the UID or TID used to create the named pipe instance also invalidates it. \end{itemize} \end{itemize} \end{itemize} \textit{Accepted SMB commands} \begin{itemize} \item[] Samba in particular does not recognize certain commands under an \texttt{IPC\$} tree. 
\begin{itemize} \item[] Samba (all versions) \begin{itemize} \item[] Under an \texttt{IPC\$} tree, does not accept: \begin{itemize} \item[] \texttt{Open} \item[] \texttt{Write And Close} \item[] \texttt{Read} \item[] \texttt{Read Block Raw} \item[] \texttt{Write Block Raw} \end{itemize} \end{itemize} \item[] Windows (all versions) \begin{itemize} \item[] Accepts all of the above commands under an \texttt{IPC\$} tree. \end{itemize} \end{itemize} \end{itemize} \textit{AndX command chaining} \begin{itemize} \item[] Windows is very strict in what command combinations it allows to be chained. Samba, on the other hand, is very lax and allows some nonsensical combinations, e.g. multiple logins and tree connects (only one place to return handles for these), login/logoff and tree connect/tree disconnect. Ultimately, we don't want to keep track of data that the server won't accept. An evasion possibility would be accepting a fragment in a request that the server won't accept that gets sandwiched between an exploit. \end{itemize} \textit{Transaction tracking} \begin{itemize} \item[] The differences between a \texttt{Transaction} request and using one of the \texttt{Write*} commands to write data to a named pipe are that (1) a \texttt{Transaction} performs the operations of a write and a read from the named pipe, whereas in using the \texttt{Write*} commands, the client has to explicitly send one of the \texttt{Read*} requests to tell the server to send the response and (2) a \texttt{Transaction} request is not written to the named pipe until all of the data is received (via potential \texttt{Transaction Secondary} requests) whereas with the \texttt{Write*} commands, data is written to the named pipe as it is received by the server. Multiple Transaction requests can be made simultaneously to the same named pipe. These requests can also be segmented with \texttt{Transaction Secondary} commands. What distinguishes them (when the same named pipe is being written to, i.e. 
having the same FID) are fields in the SMB header representing a process id (PID) and multiplex id (MID). The PID represents the process this request is a part of. An MID represents different sub-processes within a process (or under a PID). Segments for each "thread" are stored separately and written to the named pipe when all segments are received. It is necessary to track this so as not to munge these requests together (which would be a potential evasion opportunity). \begin{itemize} \item[] Windows (all versions) \begin{itemize} \item[] Uses a combination of PID and MID to define a "thread". \end{itemize} \item[] Samba (all versions) \begin{itemize} \item[] Uses just the MID to define a "thread". \end{itemize} \end{itemize} \end{itemize} \textit{Multiple Bind Requests} \begin{itemize} \item[] A \texttt{Bind} request is the first request that must be made in a connection-oriented DCE/RPC session in order to specify the interface/interfaces that one wants to communicate with. \begin{itemize} \item[] Windows (all versions) \begin{itemize} \item[] For all of the Windows versions, only one \texttt{Bind} can ever be made on a session whether or not it succeeds or fails. Any binding after that must use the \texttt{Alter Context} request. If another \texttt{Bind} is made, all previous interface bindings are invalidated. \end{itemize} \item[] Samba 3.0.20 and earlier \begin{itemize} \item[] Any amount of \texttt{Bind} requests can be made. \end{itemize} \item[] Samba later than 3.0.20 \begin{itemize} \item[] Another \texttt{Bind} request can be made if the first failed and no interfaces were successfully bound to. If a \texttt{Bind} after a successful \texttt{Bind} is made, all previous interface bindings are invalidated. \end{itemize} \end{itemize} \end{itemize} \textit{DCE/RPC Fragmented requests - Context ID} \begin{itemize} \item[] Each fragment in a fragmented request carries the context id of the bound interface it wants to make the request to. 
\begin{itemize} \item[] Windows (all versions) \begin{itemize} \item[] The context id that is ultimately used for the request is contained in the first fragment. The context id field in any other fragment can contain any value. \end{itemize} \item[] Samba (all versions) \begin{itemize} \item[] The context id that is ultimately used for the request is contained in the last fragment. The context id field in any other fragment can contain any value. \end{itemize} \end{itemize} \end{itemize} \textit{DCE/RPC Fragmented requests - Operation number} \begin{itemize} \item[] Each fragment in a fragmented request carries an operation number (opnum) which is more or less a handle to a function offered by the interface. \begin{itemize} \item[] Samba (all versions) \item[] Windows 2000 \item[] Windows 2003 \item[] Windows XP \begin{itemize} \item[] The opnum that is ultimately used for the request is contained in the last fragment. The opnum field in any other fragment can contain any value. \end{itemize} \item[] Windows Vista \begin{itemize} \item[] The opnum that is ultimately used for the request is contained in the first fragment. The opnum field in any other fragment can contain any value. \end{itemize} \end{itemize} \end{itemize} \textit{DCE/RPC Stub data byte order} \begin{itemize} \item[] The byte order of the stub data is determined differently for Windows and Samba. \begin{itemize} \item[] Windows (all versions) \begin{itemize} \item[] The byte order of the stub data is that which was used in the \texttt{Bind} request. \end{itemize} \item[] Samba (all versions) \begin{itemize} \item[] The byte order of the stub data is that which is used in the request carrying the stub data. \end{itemize} \end{itemize} \end{itemize} \subsubsection{Configuration} The \texttt{dcerpc2} preprocessor has a global configuration and one or more server configurations. 
The global preprocessor configuration name is \texttt{dcerpc2} and the server preprocessor configuration name is \texttt{dcerpc2\_server}.\\ \underline{Global Configuration} \begin{verbatim} preprocessor dcerpc2 \end{verbatim} The global \texttt{dcerpc2} configuration is required. Only one global \texttt{dcerpc2} configuration can be specified.\\ \textit{Option syntax} \begin{itemize} \item[] \begin{tabular}{|l|c|c|p{6cm}|} \hline Option & Argument & Required & Default\\ \hline \hline \texttt{memcap} & \texttt{} & NO & \texttt{memcap 102400}\\ \hline \texttt{disable\_defrag} & NONE & NO & OFF\\ \hline \texttt{max\_frag\_len} & \texttt{} & NO & OFF\\ \hline \texttt{events} & \texttt{} & NO & OFF\\ \hline \texttt{reassemble\_threshold} & \texttt{} & NO & OFF\\ \hline \texttt{disabled} & NONE & NO & OFF\\ \hline \texttt{smb\_fingerprint\_policy} & \texttt{} & NO & OFF\\ \hline \end{tabular} \end{itemize} \footnotesize \begin{verbatim} memcap = 1024-4194303 (kilobytes) max-frag-len = 1514-65535 events = pseudo-event | event | '[' event-list ']' pseudo-event = "none" | "all" event-list = event | event ',' event-list event = "memcap" | "smb" | "co" | "cl" re-thresh = 0-65535 fp-policy = "server" | "client" | "both" \end{verbatim} \normalsize \textit{Option explanations} \begin{itemize} \item[] \texttt{memcap} \begin{itemize} \item[] Specifies the maximum amount of run-time memory that can be allocated. Run-time memory includes any memory allocated after configuration. Default is 100 MB. \end{itemize} \item[] \texttt{disabled} \begin{itemize} \item[] Disables the preprocessor. By default this value is turned off. When the preprocessor is disabled only the memcap option is applied when specified with the configuration. \end{itemize} \item[] \texttt{disable\_defrag} \begin{itemize} \item[] Tells the preprocessor not to do DCE/RPC defragmentation. Default is to do defragmentation. 
\end{itemize} \item[] \texttt{max\_frag\_len} \begin{itemize} \item[] Specifies the maximum fragment size that will be added to the defragmentation module. If a fragment is greater than this size, it is truncated before being added to the defragmentation module. The allowed range for this option is 1514 - 65535. \end{itemize} \item[] \texttt{events} \begin{itemize} \item[] Specifies the classes of events to enable. (See Events section for an enumeration and explanation of events.) \begin{itemize} \item[] \texttt{memcap} \begin{itemize} \item[] Only one event. If the memcap is reached or exceeded, alert. \end{itemize} \item[] \texttt{smb} \begin{itemize} \item[] Alert on events related to SMB processing. \end{itemize} \item[] \texttt{co} \begin{itemize} \item[] Stands for connection-oriented DCE/RPC. Alert on events related to connection-oriented DCE/RPC processing. \end{itemize} \item[] \texttt{cl} \begin{itemize} \item[] Stands for connectionless DCE/RPC. Alert on events related to connectionless DCE/RPC processing. \end{itemize} \end{itemize} \end{itemize} \item[] \texttt{reassemble\_threshold} \begin{itemize} \item[] Specifies a minimum number of bytes in the DCE/RPC desegmentation and defragmentation buffers before creating a reassembly packet to send to the detection engine. This option is useful in inline mode so as to potentially catch an exploit early before full defragmentation is done. A value of 0 supplied as an argument to this option will, in effect, disable this option. Default is disabled. \end{itemize} \item[] \texttt{smb\_fingerprint\_policy} \begin{itemize} \item[] In the initial phase of an SMB session, the client needs to authenticate with a SessionSetupAndX. Both the request and response to this command contain OS and version information that can allow the preprocessor to dynamically set the policy for a session which allows for better protection against Windows and Samba specific evasions. 
\end{itemize} \end{itemize} \textit{Option examples} \footnotesize \begin{verbatim} memcap 30000 max_frag_len 16840 events none events all events smb events co events [co] events [smb, co] events [memcap, smb, co, cl] reassemble_threshold 500 smb_fingerprint_policy both smb_fingerprint_policy client \end{verbatim} \normalsize \textit{Configuration examples} \footnotesize \begin{verbatim} preprocessor dcerpc2 preprocessor dcerpc2: memcap 500000 preprocessor dcerpc2: max_frag_len 16840, memcap 300000, events smb preprocessor dcerpc2: memcap 50000, events [memcap, smb, co, cl], max_frag_len 14440 preprocessor dcerpc2: disable_defrag, events [memcap, smb] preprocessor dcerpc2: reassemble_threshold 500 preprocessor dcerpc2: memcap 50000, events [memcap, smb, co, cl], max_frag_len 14440, smb_fingerprint_policy both \end{verbatim} \normalsize \textit{Default global configuration} \footnotesize \begin{verbatim} preprocessor dcerpc2: memcap 102400 \end{verbatim} \normalsize \underline{Server Configuration} \begin{verbatim} preprocessor dcerpc2_server \end{verbatim} The \texttt{dcerpc2\_server} configuration is optional. A \texttt{dcerpc2\_server} configuration must start with \texttt{default} or \texttt{net} options. The \texttt{default} and \texttt{net} options are mutually exclusive. At most one default configuration can be specified. If no \texttt{default} configuration is specified, default values will be used for the \texttt{default} configuration. Zero or more \texttt{net} configurations can be specified. For any \texttt{dcerpc2\_server} configuration, if non-required options are not specified, the defaults will be used. When processing DCE/RPC traffic, the \texttt{default} configuration is used if no net configurations match. If a \texttt{net} configuration matches, it will override the \texttt{default} configuration. A \texttt{net} configuration matches if the packet's server IP address matches an IP address or net specified in the \texttt{net} configuration. 
The \texttt{net} option supports IPv6 addresses. Note that port and ip variables defined in \texttt{snort.conf} \textsc{cannot} be used. \textit{Option syntax} \begin{itemize} \item[] \begin{tabular}{|l|c|c|p{6cm}|} \hline Option & Argument & Required & Default\\ \hline \hline \texttt{default} & NONE & YES & NONE\\ \hline \texttt{net} & \texttt{} & YES & NONE\\ \hline \texttt{policy} & \texttt{} & NO & \texttt{policy WinXP}\\ \hline \texttt{detect} & \texttt{} & NO & \texttt{detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593]}\\ \hline \texttt{autodetect} & \texttt{} & NO & \texttt{autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:]}\\ \hline \texttt{no\_autodetect\_http\_proxy\_ports} & NONE & NO & DISABLED (The preprocessor autodetects on all proxy ports by default)\\ \hline \texttt{smb\_invalid\_shares} & \texttt{} & NO & NONE\\ \hline \texttt{smb\_max\_chain} & \texttt{} & NO & \texttt{smb\_max\_chain 3}\\ \hline \texttt{smb\_file\_inspection} & \texttt{} & NO & \texttt{smb\_file\_inspection off}\\ \hline \end{tabular} \end{itemize} \footnotesize \begin{verbatim} net = ip | '[' ip-list ']' ip-list = ip | ip ',' ip-list ip = ip-addr | ip-addr '/' prefix | ip4-addr '/' netmask ip-addr = ip4-addr | ip6-addr ip4-addr = a valid IPv4 address ip6-addr = a valid IPv6 address (can be compressed) prefix = a valid CIDR netmask = a valid netmask policy = "Win2000" | "Win2003" | "WinXP" | "WinVista" | "Samba" | "Samba-3.0.22" | "Samba-3.0.20" detect = "none" | detect-opt | '[' detect-list ']' detect-list = detect-opt | detect-opt ',' detect-list detect-opt = transport | transport port-item | transport '[' port-list ']' transport = "smb" | "tcp" | "udp" | "rpc-over-http-proxy" | "rpc-over-http-server" port-list = port-item | port-item ',' port-list port-item = port | port-range port-range = ':' port | port ':' | port ':' port port = 0-65535 shares = share | '[' share-list ']' share-list = share | share ',' share-list share = word | '"' word '"' | '"' 
var-word '"' word = graphical ASCII characters except ',' '"' ']' '[' '$' var-word = graphical ASCII characters except ',' '"' ']' '[' max-chain = 0-255 file-inspect = file-arg | '[' file-list ']' file-arg = "off" | "on" | "only" file-list = file-arg [ ',' "file-depth" ] \end{verbatim} \normalsize \begin{itemize} \item[] Because the Snort main parser treats '\$' as the start of a variable and tries to expand it, shares containing '\$' must be enclosed in quotes. \end{itemize} \textit{Option explanations} \begin{itemize} \item[] \texttt{default} \begin{itemize} \item[] Specifies that this configuration is for the default server configuration. \end{itemize} \item[] \texttt{net} \begin{itemize} \item[] Specifies that this configuration is an IP or net specific configuration. The configuration will only apply to the IP addresses and nets supplied as an argument. \end{itemize} \item[] \texttt{policy} \begin{itemize} \item[] Specifies the target-based policy to use when processing. Default is "WinXP". \end{itemize} \item[] \texttt{detect} \begin{itemize} \item[] Specifies the DCE/RPC transport and server ports that should be detected on for the transport. Defaults are ports 139 and 445 for SMB, 135 for TCP and UDP, 593 for RPC over HTTP server and 80 for RPC over HTTP proxy. \end{itemize} \item[] \texttt{autodetect} \begin{itemize} \item[] Specifies the DCE/RPC transport and server ports that the preprocessor should attempt to autodetect on for the transport. The autodetect ports are only queried if no detect transport/ports match the packet. The order in which the preprocessor will attempt to autodetect will be - TCP/UDP, RPC over HTTP server, RPC over HTTP proxy and lastly SMB. Note that most dynamic DCE/RPC ports are above 1024 and ride directly over TCP or UDP. It would be very uncommon to see SMB on anything other than ports 139 and 445. Defaults are 1025-65535 for TCP, UDP and RPC over HTTP server.
\end{itemize} \item[] \texttt{no\_autodetect\_http\_proxy\_ports} \begin{itemize} \item[] By default, the preprocessor will always attempt to autodetect for ports specified in the detect configuration for rpc-over-http-proxy. This is because the proxy is likely a web server and the preprocessor should not look at all web traffic. This option is useful if the RPC over HTTP proxy configured with the detect option is only used to proxy DCE/RPC traffic. Default is to autodetect on RPC over HTTP proxy detect ports. \end{itemize} \item[] \texttt{smb\_invalid\_shares} \begin{itemize} \item[] Specifies SMB shares that the preprocessor should alert on if an attempt is made to connect to them via a \texttt{Tree Connect} or \texttt{Tree Connect AndX}. Default is empty. \end{itemize} \item[] \texttt{smb\_max\_chain} \begin{itemize} \item[] Specifies the maximum amount of AndX command chaining that is allowed before an alert is generated. Default maximum is 3 chained commands. A value of 0 disables this option. This value can be set from 0 to 255. \end{itemize} \item[] \texttt{smb\_file\_inspection} \begin{itemize} \item[] Instructs the preprocessor to do inspection of normal SMB file transfers. This includes doing file type and signature through the file API as well as setting a pointer for the \texttt{file\_data} rule option. Note that the \texttt{file-depth} option only applies to the maximum amount of file data for which it will set the pointer for the \texttt{file\_data} rule option. For file type and signature it will use the value configured for the file API. If \texttt{only} is specified, the preprocessor will only do SMB file inspection, i.e. it will not do any DCE/RPC tracking or inspection. If \texttt{on} is specified with no arguments, the default file depth is 16384 bytes. An argument of -1 to \texttt{file-depth} disables setting the pointer for \texttt{file\_data}, effectively disabling SMB file inspection in rules. 
An argument of 0 to \texttt{file-depth} means unlimited. Default is \texttt{off}, i.e. no SMB file inspection is done in the preprocessor. \end{itemize} \end{itemize} \textit{Option examples} \footnotesize \begin{verbatim} net 192.168.0.10 net 192.168.0.0/24 net [192.168.0.0/24] net 192.168.0.0/255.255.255.0 net feab:45b3:ab92:8ac4:d322:007f:e5aa:7845 net feab:45b3:ab92:8ac4:d322:007f:e5aa:7845/128 net feab:45b3::/32 net [192.168.0.10, feab:45b3::/32] net [192.168.0.0/24, feab:45b3:ab92:8ac4:d322:007f:e5aa:7845] policy Win2000 policy Samba-3.0.22 detect none detect smb detect [smb] detect smb 445 detect [smb 445] detect smb [139,445] detect [smb [139,445]] detect [smb, tcp] detect [smb 139, tcp [135,2103]] detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server [593,6002:6004]] autodetect none autodetect tcp autodetect [tcp] autodetect tcp 2025: autodetect [tcp 2025:] autodetect tcp [2025:3001,3003:] autodetect [tcp [2025:3001,3003:]] autodetect [tcp, udp] autodetect [tcp 2025:, udp 2025:] autodetect [tcp 2025:, udp, rpc-over-http-server [1025:6001,6005:]] smb_invalid_shares private smb_invalid_shares "private" smb_invalid_shares "C$" smb_invalid_shares [private, "C$"] smb_invalid_shares ["private", "C$"] smb_max_chain 1 smb_file_inspection on smb_file_inspection off smb_file_inspection [ on, file-depth -1 ] smb_file_inspection [ on, file-depth 0 ] smb_file_inspection [ on, file-depth 4294967296 ] smb_file_inspection [ only, file-depth -1 ] \end{verbatim} \normalsize \textit{Configuration examples} \footnotesize \begin{verbatim} preprocessor dcerpc2_server: \ default preprocessor dcerpc2_server: \ default, policy Win2000 preprocessor dcerpc2_server: \ default, policy Win2000, detect [smb, tcp], autodetect tcp 1025:, \ smb_invalid_shares ["C$", "D$", "ADMIN$"] preprocessor dcerpc2_server: net 10.4.10.0/24, policy Win2000 preprocessor dcerpc2_server: \ net [10.4.10.0/24,feab:45b3::/126], policy WinVista, smb_max_chain 1 preprocessor dcerpc2_server: \ net 
[10.4.10.0/24,feab:45b3::/126], policy WinVista, \ detect [smb, tcp, rpc-over-http-proxy 8081], autodetect [tcp, rpc-over-http-proxy [1025:6001,6005:]], \ smb_invalid_shares ["C$", "ADMIN$"], no_autodetect_http_proxy_ports preprocessor dcerpc2_server: \ net [10.4.11.56,10.4.11.57], policy Samba, detect smb, autodetect none preprocessor dcerpc2_server: default, policy WinXP, \ smb_file_inspection [ on, file-depth 0 ] \end{verbatim} \normalsize \textit{Default server configuration} \footnotesize \begin{verbatim} preprocessor dcerpc2_server: default, policy WinXP, \ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ smb_max_chain 3, smb_file_inspection off \end{verbatim} \normalsize \underline{Complete \texttt{dcerpc2} default configuration} \footnotesize \begin{verbatim} preprocessor dcerpc2: memcap 102400 preprocessor dcerpc2_server: \ default, policy WinXP, \ detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \ autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \ smb_max_chain 3, smb_file_inspection off \end{verbatim} \normalsize \subsubsection{Events} The preprocessor uses GID 133 to register events.\\ \textit{Memcap events} \begin{itemize} \item[] \begin{longtable}{|r|p{13.5cm}|} \hline SID & Description\\ \hline \hline 1 & If the memory cap is reached and the preprocessor is configured to alert.\\ \hline \end{longtable} \end{itemize} \textit{SMB events} \begin{itemize} \item[] \begin{longtable}{|r|p{13.5cm}|} \hline SID & Description\\ \hline \hline 2 & An invalid NetBIOS Session Service type was specified in the header. Valid types are: \texttt{Message}, \texttt{Request} (only from client), \texttt{Positive Response} (only from server), \texttt{Negative Response} (only from server), \texttt{Retarget Response} (only from server) and \texttt{Keep Alive}.\\ \hline 3 & An SMB message type was specified in the header. 
Either a request was made by the server or a response was given by the client.\\ \hline 4 & The SMB id does not equal \texttt{\textbackslash xffSMB}. Note that since the preprocessor does not yet support SMB2, an id of \texttt{\textbackslash xfeSMB} is turned away before an eventable point is reached.\\ \hline 5 & The word count of the command header is invalid. SMB commands have pretty specific word counts and if the preprocessor sees a command with a word count that doesn't match the word count expected for that command, the preprocessor will alert.\\ \hline 6 & Some commands require a minimum number of bytes after the command header. If a command requires this and the byte count is less than the minimum required byte count for that command, the preprocessor will alert.\\ \hline 7 & Some commands, especially the commands from the SMB Core implementation, require a data format field that specifies the kind of data that will be coming next. Some commands require a specific format for the data. The preprocessor will alert if the format is not that which is expected for that command.\\ \hline 8 & Many SMB commands have a field containing an offset from the beginning of the SMB header to where the data the command is carrying starts. If this offset puts us before data that has already been processed or after the end of payload, the preprocessor will alert.\\ \hline 9 & Some SMB commands, such as \texttt{Transaction}, have a field containing the total amount of data to be transmitted.
If this field is zero, the preprocessor will alert.\\ \hline 10 & The preprocessor will alert if the NetBIOS Session Service length field contains a value less than the size of an SMB header.\\ \hline 11 & The preprocessor will alert if the remaining NetBIOS packet length is less than the size of the SMB command header to be decoded.\\ \hline 12 & The preprocessor will alert if the remaining NetBIOS packet length is less than the size of the SMB command byte count specified in the command header.\\ \hline 13 & The preprocessor will alert if the remaining NetBIOS packet length is less than the size of the SMB command data size specified in the command header.\\ \hline 14 & The preprocessor will alert if the total data count specified in the SMB command header is less than the data size specified in the SMB command header. (Total data count must always be greater than or equal to current data size.)\\ \hline 15 & The preprocessor will alert if the total amount of data sent in a transaction is greater than the total data count specified in the SMB command header.\\ \hline 16 & The preprocessor will alert if the byte count specified in the SMB command header is less than the data size specified in the SMB command. (The byte count must always be greater than or equal to the data size.)\\ \hline 17 & Some of the Core Protocol commands (from the initial SMB implementation) require that the byte count exceed the data size by an exact, command-specific amount. The preprocessor will alert if the byte count minus a predetermined amount based on the SMB command is not equal to the data size.\\ \hline 18 & For the \texttt{Tree Connect} command (and not the \texttt{Tree Connect AndX} command), the preprocessor has to queue the requests up and wait for a server response to determine whether or not an IPC share was successfully connected to (which is what the preprocessor is interested in).
Unlike the \texttt{Tree Connect AndX} response, there is no indication in the \texttt{Tree Connect} response as to whether the share is IPC or not. There should be under normal circumstances no more than a few pending tree connects at a time and the preprocessor will alert if this number is excessive.\\ \hline 19 & After a client is done writing data using the \texttt{Write*} commands, it issues a \texttt{Read*} command to the server to tell it to send a response to the data it has written. In this case the preprocessor is concerned with the server response. The \texttt{Read*} request contains the file id associated with a named pipe instance that the preprocessor will ultimately send the data to. The server response, however, does not contain this file id, so it needs to be queued with the request and dequeued with the response. If multiple \texttt{Read*} requests are sent to the server, they are responded to in the order they were sent. There should be under normal circumstances no more than a few pending \texttt{Read*} requests at a time and the preprocessor will alert if this number is excessive.\\ \hline 20 & The preprocessor will alert if the number of chained commands in a single request is greater than or equal to the configured amount (default is 3).\\ \hline 21 & With \texttt{AndX} command chaining it is possible to chain multiple \texttt{Session Setup AndX} commands within the same request. There is, however, only one place in the SMB header to return a login handle (or Uid). Windows does not allow this behavior, however Samba does. This is anomalous behavior and the preprocessor will alert if it happens.\\ \hline 22 & With \texttt{AndX} command chaining it is possible to chain multiple \texttt{Tree Connect AndX} commands within the same request. There is, however, only one place in the SMB header to return a tree handle (or Tid). Windows does not allow this behavior, however Samba does.
This is anomalous behavior and the preprocessor will alert if it happens.\\ \hline 23 & When a \texttt{Session Setup AndX} request is sent to the server, the server responds (if the client successfully authenticates) with a user id or login handle. This is used by the client in subsequent requests to indicate that it has authenticated. A \texttt{Logoff AndX} request is sent by the client to indicate it wants to end the session and invalidate the login handle. With commands that are chained after a \texttt{Session Setup AndX} request, the login handle returned by the server is used for the subsequent chained commands. The combination of a \texttt{Session Setup AndX} command with a chained \texttt{Logoff AndX} command essentially logs in and logs off in the same request and is anomalous behavior. The preprocessor will alert if it sees this.\\ \hline 24 & A \texttt{Tree Connect AndX} command is used to connect to a share. The \texttt{Tree Disconnect} command is used to disconnect from that share. The combination of a \texttt{Tree Connect AndX} command with a chained \texttt{Tree Disconnect} command essentially connects to a share and disconnects from the same share in the same request and is anomalous behavior. The preprocessor will alert if it sees this.\\ \hline 25 & An \texttt{Open AndX} or \texttt{Nt Create AndX} command is used to open/create a file or named pipe. (The preprocessor is only interested in named pipes as this is where DCE/RPC requests are written to.) The \texttt{Close} command is used to close that file or named pipe. The combination of an \texttt{Open AndX} or \texttt{Nt Create AndX} command with a chained \texttt{Close} command essentially opens and closes the named pipe in the same request and is anomalous behavior. The preprocessor will alert if it sees this.\\ \hline 26 & The preprocessor will alert if it sees any of the invalid SMB shares configured.
It looks for a \texttt{Tree Connect} or \texttt{Tree Connect AndX} to the share.\\ \hline 48 & The preprocessor will alert if a data count for a Core dialect write command is zero.\\ \hline 49 & For some of the Core dialect commands such as \texttt{Write} and \texttt{Read}, there are two data count fields, one in the main command header and one in the data format section. If these aren't the same, the preprocessor will alert.\\ \hline 50 & In the initial negotiation phase of an SMB session, the server in a \texttt{Negotiate} response and the client in a \texttt{SessionSetupAndX} request will advertise the maximum number of outstanding requests supported. The preprocessor will alert if the lesser of the two is exceeded.\\ \hline 51 & When a client sends a request it uses a value called the MID (multiplex id) to match a response, which the server is supposed to echo, to a request. If there are multiple outstanding requests with the same MID, the preprocessor will alert.\\ \hline 52 & In the \texttt{Negotiate} request a client gives a list of SMB dialects it supports, normally in order from least desirable to most desirable, and the server responds with the index of the dialect to be used on the SMB session. Anything less than "NT LM 0.12" would be very odd these days (even Windows 98 supports it) and the preprocessor will alert if the client doesn't offer it as a supported dialect or the server chooses a lesser dialect.\\ \hline 53 & There are a number of commands that are considered deprecated and/or obsolete by Microsoft (see MS-CIFS and MS-SMB). If the preprocessor detects the use of a deprecated/obsolete command, it will alert.\\ \hline 54 & There are some commands whose use can be considered unusual in the context in which they are used.
These include some of the transaction commands such as: \texttt{SMB\_COM\_TRANSACTION / TRANS\_READ\_NMPIPE} \texttt{SMB\_COM\_TRANSACTION / TRANS\_WRITE\_NMPIPE} \texttt{SMB\_COM\_TRANSACTION2 / TRANS2\_OPEN2} \texttt{SMB\_COM\_NT\_TRANSACT / NT\_TRANSACT\_CREATE} The preprocessor will alert if it detects unusual use of a command.\\ \hline 55 & Transaction commands have a setup count field that indicates the number of 16-bit words in the transaction setup. The preprocessor will alert if the setup count is invalid for the transaction command / sub command.\\ \hline 56 & There can be only one Negotiate transaction per session and it is the first thing a client and server do to determine the SMB dialect each supports. The preprocessor will alert if the client attempts multiple dialect negotiations.\\ \hline 57 & Malware will often set a file's attributes to ReadOnly/Hidden/System if it is successful in installing itself as a Windows service or is able to write an autorun.inf file, since it doesn't want the user to see the file and the default folder options in Windows are not to display Hidden files. 
The preprocessor will alert if it detects a client attempt to set a file's attributes to ReadOnly/Hidden/System.\\ \hline \end{longtable} \end{itemize} \textit{Connection-oriented DCE/RPC events} \begin{itemize} \item[] \begin{longtable}[h]{|r|p{13.5cm}|} \hline SID & Description\\ \hline \hline 27 & The preprocessor will alert if the connection-oriented DCE/RPC major version contained in the header is not equal to 5.\\ \hline 28 & The preprocessor will alert if the connection-oriented DCE/RPC minor version contained in the header is not equal to 0.\\ \hline 29 & The preprocessor will alert if the connection-oriented DCE/RPC PDU type contained in the header is not a valid PDU type.\\ \hline 30 & The preprocessor will alert if the fragment length defined in the header is less than the size of the header.\\ \hline 31 & The preprocessor will alert if the remaining fragment length is less than the remaining packet size.\\ \hline 32 & The preprocessor will alert if in a \texttt{Bind} or \texttt{Alter Context} request, there are no context items specified.\\ \hline 33 & The preprocessor will alert if in a \texttt{Bind} or \texttt{Alter Context} request, there are no transfer syntaxes to go with the requested interface.\\ \hline 34 & The preprocessor will alert if a non-last fragment is less than the size of the negotiated maximum fragment length. Most evasion techniques try to fragment the data as much as possible and usually each fragment comes well below the negotiated transmit size.\\ \hline 35 & The preprocessor will alert if a fragment is larger than the maximum negotiated fragment length.\\ \hline 36 & The byte order of the request data is determined by the Bind in connection-oriented DCE/RPC for Windows. It is anomalous behavior to attempt to change the byte order mid-session.\\ \hline 37 & The call id for a set of fragments in a fragmented request should stay the same (it is incremented for each complete request). 
The preprocessor will alert if it changes in a fragment mid-request.\\ \hline 38 & The operation number specifies which function the request is calling on the bound interface. If a request is fragmented, this number should stay the same for all fragments. The preprocessor will alert if the opnum changes in a fragment mid-request.\\ \hline 39 & The context id is a handle to an interface that was bound to. If a request is fragmented, this number should stay the same for all fragments. The preprocessor will alert if the context id changes in a fragment mid-request.\\ \hline \end{longtable} \end{itemize} \textit{Connectionless DCE/RPC events} \begin{itemize} \item[] \begin{longtable}{|r|p{13.5cm}|} \hline SID & Description\\ \hline \hline 40 & The preprocessor will alert if the connectionless DCE/RPC major version is not equal to 4.\\ \hline 41 & The preprocessor will alert if the connectionless DCE/RPC PDU type is not a valid PDU type.\\ \hline 42 & The preprocessor will alert if the packet data length is less than the size of the connectionless header.\\ \hline 43 & The preprocessor will alert if the sequence number used in a request is the same as or less than a previously used sequence number on the session. In testing, wrapping the sequence number space produces strange behavior from the server, so this should be considered anomalous behavior.\\ \hline \end{longtable} \end{itemize} \subsubsection{Rule Options} New rule options are supported by enabling the \texttt{dcerpc2} preprocessor: \begin{itemize} \item[] \begin{verbatim} dce_iface dce_opnum dce_stub_data \end{verbatim} \end{itemize} New modifiers to existing \texttt{byte\_test} and \texttt{byte\_jump} rule options: \begin{itemize} \item[] \begin{verbatim} byte_test:dce byte_jump:dce \end{verbatim} \end{itemize} \texttt{dce\_iface} \label{dcerpc2:dce_iface} \begin{itemize} \item[] For DCE/RPC based rules it has been necessary to set flow-bits based on a client bind to a service to avoid false positives. 
It is necessary for a client to bind to a service before being able to make a call to it. When a client sends a bind request to the server, it can, however, specify one or more service interfaces to bind to. Each interface is represented by a UUID. Each interface UUID is paired with a unique index (or context id) that future requests can use to reference the service that the client is making a call to. The server will respond with the interface UUIDs it accepts as valid and will allow the client to make requests to those services. When a client makes a request, it will specify the context id so the server knows what service the client is making a request to. Instead of using flow-bits, a rule can simply ask the preprocessor, using this rule option, whether or not the client has bound to a specific interface UUID and whether or not this client request is making a request to it. This can eliminate false positives where more than one service is bound to successfully since the preprocessor can correlate the bind UUID to the context id used in the request. A DCE/RPC request can specify whether numbers are represented as big endian or little endian. The representation of the interface UUID is different depending on the endianness specified in the DCE/RPC previously requiring two rules - one for big endian and one for little endian. The preprocessor eliminates the need for two rules by normalizing the UUID. An interface contains a version. Some versions of an interface may not be vulnerable to a certain exploit. Also, a DCE/RPC request can be broken up into 1 or more fragments. Flags (and a field in the connectionless header) are set in the DCE/RPC header to indicate whether the fragment is the first, a middle or the last fragment. Many checks for data in the DCE/RPC request are only relevant if the DCE/RPC request is a first fragment (or full request), since subsequent fragments will contain data deeper into the DCE/RPC request. 
A rule which is looking for data, say 5 bytes into the request (maybe it's a length field), will be looking at the wrong data on a fragment other than the first, since the beginning of each subsequent fragment is already offset some length from the beginning of the request. This can be a source of false positives in fragmented DCE/RPC traffic. By default it is reasonable to only evaluate if the request is a first fragment (or full request). However, the \texttt{any\_frag} option can be used to specify evaluating on all fragments.\\ \textit{Syntax} \footnotesize \begin{verbatim} dce_iface:<uuid>[, <operator><version>][, any_frag]; uuid = hexlong '-' hexshort '-' hexshort '-' 2hexbyte '-' 6hexbyte hexlong = 4hexbyte hexshort = 2hexbyte hexbyte = 2HEXDIGIT operator = '<' | '>' | '=' | '!' version = 0-65535 \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188, <2; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188, any_frag; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188, =1, any_frag; \end{verbatim} \normalsize This option is used to specify an interface UUID. Optional arguments are an interface version and operator to specify that the version be less than ('\textless'), greater than ('\textgreater'), equal to ('=') or not equal to ('!') the version specified. Also, by default the rule will only be evaluated for a first fragment (or full request, i.e. not a fragment) since most rules are written to start at the beginning of a request. The \texttt{any\_frag} argument says to evaluate for middle and last fragments as well. This option requires tracking client \texttt{Bind} and \texttt{Alter Context} requests as well as server \texttt{Bind Ack} and \texttt{Alter Context} responses for connection-oriented DCE/RPC in the preprocessor. 
For each \texttt{Bind} and \texttt{Alter Context} request, the client specifies a list of interface UUIDs along with a handle (or context id) for each interface UUID that will be used during the DCE/RPC session to reference the interface. The server response indicates which interfaces it will allow the client to make requests to - it either accepts or rejects the client's wish to bind to a certain interface. This tracking is required so that when a request is processed, the context id used in the request can be correlated with the interface UUID it is a handle for. \texttt{hexlong} and \texttt{hexshort} will be specified and interpreted to be in big endian order (this is usually the default way an interface UUID will be seen and represented). As an example, the following Messenger interface UUID as taken off the wire from a little endian \texttt{Bind} request: \begin{verbatim} |f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc| \end{verbatim} must be written as: \begin{verbatim} 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc \end{verbatim} The same UUID taken off the wire from a big endian \texttt{Bind} request: \begin{verbatim} |5a 7b 91 f8 ff 00 11 d0 a9 b2 00 c0 4f b6 e6 fc| \end{verbatim} must be written the same way: \begin{verbatim} 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc \end{verbatim} This option matches if the specified interface UUID matches the interface UUID (as referred to by the context id) of the DCE/RPC request and if supplied, the version operation is true. This option will not match if the fragment is not a first fragment (or full request) unless the \texttt{any\_frag} option is supplied in which case only the interface UUID and version need match. Note that a defragmented DCE/RPC request will be considered a full request. \begin{note} Using this rule option will automatically insert fast pattern contents into the fast pattern matcher. For UDP rules, the interface UUID, in both big and little endian format will be inserted into the fast pattern matcher. 
For TCP rules, (1) if the rule option \texttt{flow:to\_server|from\_client} is used, $|$05 00 00$|$ will be inserted into the fast pattern matcher, (2) if the rule option \texttt{flow:from\_server|to\_client} is used, $|$05 00 02$|$ will be inserted into the fast pattern matcher and (3) if the flow isn't known, $|$05 00$|$ will be inserted into the fast pattern matcher. Note that if the rule already has content rule options in it, the best (meaning longest) pattern will be used. If a content in the rule uses the \texttt{fast\_pattern} rule option, it will unequivocally be used over the above mentioned patterns. \end{note} \end{itemize} \texttt{dce\_opnum} \label{dcerpc2:dce_opnum} \begin{itemize} \item[] The opnum represents a specific function call to an interface. After it has been determined that a client has bound to a specific interface and is making a request to it (see above - \texttt{dce\_iface}) usually we want to know what function call it is making to that service. It is likely that an exploit lies in the particular DCE/RPC function call.\\ \textit{Syntax} \footnotesize \begin{verbatim} dce_opnum:<opnum-list>; opnum-list = opnum-item | opnum-item ',' opnum-list opnum-item = opnum | opnum-range opnum-range = opnum '-' opnum opnum = 0-65535 \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} dce_opnum:15; dce_opnum:15-18; dce_opnum:15, 18-20; dce_opnum:15, 17, 20-22; \end{verbatim} \normalsize This option is used to specify an opnum (or operation number), opnum range or list containing either or both opnum and/or opnum-range. The opnum of a DCE/RPC request will be matched against the opnums specified with this option. This option matches if any one of the opnums specified match the opnum of the DCE/RPC request. \end{itemize} \texttt{dce\_stub\_data} \label{dcerpc2:dce_stub_data} \begin{itemize} \item[] Since most netbios rules were doing protocol decoding only to get to the DCE/RPC stub data, i.e. 
the remote procedure call or function call data, this option will alleviate this need and place the cursor at the beginning of the DCE/RPC stub data. This reduces the number of rule option checks and the complexity of the rule. This option takes no arguments.\\ \textit{Example} \footnotesize \begin{verbatim} dce_stub_data; \end{verbatim} \normalsize This option is used to place the cursor (used to walk the packet payload in rules processing) at the beginning of the DCE/RPC stub data, regardless of preceding rule options. There are no arguments to this option. This option matches if there is DCE/RPC stub data. The cursor is moved to the beginning of the stub data. All ensuing rule options will be considered "sticky" to this buffer. The first rule option following \texttt{dce\_stub\_data} should use absolute location modifiers if it is position-dependent. Subsequent rule options should use a relative modifier if they are meant to be relative to a previous rule option match in the stub data buffer. Any rule option that does not specify a relative modifier will be evaluated from the start of the stub data buffer. To leave the stub data buffer and return to the main payload buffer, use the \texttt{pkt\_data} rule option - see section \ref{sub:pkt_data} for details). \end{itemize} \texttt{byte\_test} and \texttt{byte\_jump} with \texttt{dce}\label{dcerpc2:byte_test_jump} \begin{itemize} \item[] A DCE/RPC request can specify whether numbers are represented in big or little endian. These rule options will take as a new argument \texttt{dce} and will work basically the same as the normal \texttt{byte\_test}/\texttt{byte\_jump}, but since the DCE/RPC preprocessor will know the endianness of the request, it will be able to do the correct conversion. 
\texttt{byte\_test} \begin{itemize} \item[] \textit{Syntax} \footnotesize \begin{verbatim} byte_test:<convert>, [!]<operator>, <value>, <offset>[, relative], dce; convert = 1 | 2 | 4 (only with option "dce") operator = '<' | '=' | '>' | '<=' | '>=' | '&' | '^' value = 0 - 4294967295 offset = -65535 to 65535 \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} byte_test:4, >, 35000, 0, relative, dce; byte_test:2, !=, 2280, -10, relative, dce; \end{verbatim} \normalsize When using the \texttt{dce} argument to a \texttt{byte\_test}, the following normal \texttt{byte\_test} arguments will not be allowed: \texttt{big}, \texttt{little}, \texttt{string}, \texttt{hex}, \texttt{dec} and \texttt{oct}. \end{itemize} \texttt{byte\_jump} \begin{itemize} \item[] \textit{Syntax} \footnotesize \begin{verbatim} byte_jump:<convert>, <offset>[, relative][, multiplier <mult_value>] \ [, align][, post_offset <adjustment_value>], dce; convert = 1 | 2 | 4 (only with option "dce") offset = -65535 to 65535 mult_value = 0 - 65535 adjustment_value = -65535 to 65535 \end{verbatim} \normalsize \textit{Example} \footnotesize \begin{verbatim} byte_jump:4,-4,relative,align,multiplier 2,post_offset -4,dce; \end{verbatim} \normalsize When using the \texttt{dce} argument to a \texttt{byte\_jump}, the following normal \texttt{byte\_jump} arguments will not be allowed: \texttt{big}, \texttt{little}, \texttt{string}, \texttt{hex}, \texttt{dec}, \texttt{oct} and \texttt{from\_beginning}. 
\end{itemize} \end{itemize} \textit{Example of rule complexity reduction} \begin{itemize} \item[] The following two rules using the new rule options replace 64 (set and isset flowbit) rules that are necessary if the new rule options are not used: \footnotesize \begin{verbatim} alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] \ (msg:"dns R_Dnssrv funcs2 overflow attempt"; flow:established,to_server; \ dce_iface:50abc2a4-574d-40b3-9d66-ee4fd5fba076; dce_opnum:0-11; dce_stub_data; \ pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; \ byte_test:4,>,256,4,relative,dce; reference:bugtraq,23470; reference:cve,2007-1748; \ classtype:attempted-admin; sid:1000068;) alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] \ (msg:"dns R_Dnssrv funcs2 overflow attempt"; flow:established,to_server; \ dce_iface:50abc2a4-574d-40b3-9d66-ee4fd5fba076; dce_opnum:0-11; dce_stub_data; \ pcre:"/^.{12}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; \ byte_test:4,>,256,4,relative,dce; reference:bugtraq,23470; reference:cve,2007-1748; \ classtype:attempted-admin; sid:1000069;) \end{verbatim} \normalsize \end{itemize} \subsection{Sensitive Data Preprocessor} \label{sub:sensitive_data} The Sensitive Data preprocessor is a Snort module that performs detection and filtering of Personally Identifiable Information (PII). This information includes credit card numbers, U.S. Social Security numbers, and email addresses. A limited regular expression syntax is also included for defining your own PII. \subsubsection{Dependencies} The Stream preprocessor must be enabled for the Sensitive Data preprocessor to work. \subsubsection{Preprocessor Configuration} Sensitive Data configuration is split into two parts: the preprocessor config, and the rule options. 
The preprocessor config starts with: \begin{verbatim} preprocessor sensitive_data: \end{verbatim} \textit{Option syntax} \begin{itemize} \item[] \begin{tabular}{|l|c|c|p{6cm}|} \hline Option & Argument & Required & Default\\ \hline \hline \texttt{alert\_threshold} & \texttt{<number>} & NO & \texttt{alert\_threshold 25}\\ \hline \texttt{mask\_output} & NONE & NO & OFF\\ \hline \texttt{ssn\_file} & \texttt{<filename>} & NO & OFF\\ \hline \end{tabular} \end{itemize} \footnotesize \begin{verbatim} alert_threshold = 1 - 65535 \end{verbatim} \normalsize \textit{Option explanations} \begin{itemize} \item[] \texttt{alert\_threshold} \begin{itemize} \item[] The preprocessor will alert when any combination of PII are detected in a session. This option specifies how many need to be detected before alerting. This should be set higher than the highest individual count in your "sd\_pattern" rules. \end{itemize} \item[] \texttt{mask\_output} \begin{itemize} \item[] This option replaces all but the last 4 digits of a detected PII with "X"s in the alert output. This is only done on credit card \& Social Security numbers, where an organization's regulations may prevent them from seeing unencrypted numbers. \end{itemize} \item[] \texttt{ssn\_file} \begin{itemize} \item[] A Social Security number is broken up into 3 sections: Area (3 digits), Group (2 digits), and Serial (4 digits). On a monthly basis, the Social Security Administration publishes a list of which Group numbers are in use for each Area. These numbers can be updated in Snort by supplying a CSV file with the new maximum Group numbers to use. By default, Snort recognizes Social Security numbers issued up through November 2009. \end{itemize} \end{itemize} \textit{Example preprocessor config} \begin{verbatim} preprocessor sensitive_data: alert_threshold 25 \ mask_output \ ssn_file ssn_groups_Jan10.csv \end{verbatim} \subsubsection{Rule Options} Snort rules are used to specify which PII the preprocessor should look for. 
A new rule option is provided by the preprocessor: \begin{verbatim} sd_pattern \end{verbatim} This rule option specifies what type of PII a rule should detect. \textit{Syntax} \begin{verbatim} sd_pattern:<count>, <pattern>; \end{verbatim} \footnotesize \begin{verbatim} count = 1 - 255 pattern = any string \end{verbatim} \normalsize \textit{Option Explanations} \begin{itemize} \item[] \texttt{count} \begin{itemize} \item[] This dictates how many times a PII pattern must be matched for an alert to be generated. The count is tracked across all packets in a session. \end{itemize} \item[] \texttt{pattern} \begin{itemize} \item[] This is where the pattern of the PII gets specified. There are a few built-in patterns to choose from: \begin{itemize} \item[] \texttt{credit\_card} \begin{itemize} \item[] The "credit\_card" pattern matches 15- and 16-digit credit card numbers. These numbers may have spaces, dashes, or nothing in between groups. This covers Visa, Mastercard, Discover, and American Express. Credit card numbers matched this way have their check digits verified using the Luhn algorithm. \end{itemize} \item[] \texttt{us\_social} \begin{itemize} \item[] This pattern matches against 9-digit U.S. Social Security numbers. The SSNs are expected to have dashes between the Area, Group, and Serial sections. SSNs have no check digits, but the preprocessor will check matches against the list of currently allocated group numbers. \end{itemize} \item[] \texttt{us\_social\_nodashes} \begin{itemize} \item[] This pattern matches U.S. Social Security numbers without dashes separating the Area, Group, and Serial sections. \end{itemize} \item[] \texttt{email} \begin{itemize} \item[] This pattern matches against email addresses. \end{itemize} \end{itemize} \item[] If the pattern specified is not one of the above built-in patterns, then it is the definition of a custom PII pattern. Custom PII types are defined using a limited regex-style syntax. 
The following special characters and escape sequences are supported: \item[] \begin{tabular}{|c|p{10cm}|} \hline \texttt{\textbackslash d} & matches any digit\\ \hline \texttt{\textbackslash D} & matches any non-digit\\ \hline \texttt{\textbackslash l} & matches any letter\\ \hline \texttt{\textbackslash L} & matches any non-letter\\ \hline \texttt{\textbackslash w} & matches any alphanumeric character\\ \hline \texttt{\textbackslash W} & matches any non-alphanumeric character\\ \hline \texttt{\{num\}} & used to repeat a character or escape sequence "num" times. example: "\d\{3\}" matches 3 digits.\\ \hline \texttt{?} & makes the previous character or escape sequence optional. example: " ?" matches an optional space. This behaves in a greedy manner.\\ \hline \texttt{\textbackslash\textbackslash} & matches a backslash\\ \hline \textbackslash \{, \textbackslash \} & matches \{ and \}\\ \hline \textbackslash ? & matches a question mark.\\ \hline \end{tabular} \item[] Other characters in the pattern will be matched literally. \begin{note} Unlike PCRE, \texttt{\textbackslash w} in this rule option does NOT match underscores. \end{note} \end{itemize} \item[] \textit{Examples} \begin{verbatim} sd_pattern: 2,us_social; \end{verbatim} Alerts when 2 social security numbers (with dashes) appear in a session. \begin{verbatim} sd_pattern: 5,(\d{3})\d{3}-\d{4}; \end{verbatim} Alerts on 5 U.S. phone numbers, following the format (123)456-7890 Whole rule example: \begin{verbatim} alert tcp $HOME_NET $HIGH_PORTS -> $EXTERNAL_NET $SMTP_PORTS \ (msg:"Credit Card numbers sent over email"; gid:138; sid:1000; rev:1; \ sd_pattern:4,credit_card; metadata:service smtp;) \end{verbatim} \item[] \textit{Caveats} \begin{itemize} \item[] \texttt{sd\_pattern} is not compatible with other rule options. Trying to use other rule options with \texttt{sd\_pattern} will result in an error message. Rules using \texttt{sd\_pattern} must use GID 138. 
\end{itemize} \end{itemize} \subsection{Normalizer} When operating Snort in inline mode, it is helpful to normalize packets to help minimize the chances of evasion. To enable the normalizer, use the following when configuring Snort: \begin{verbatim} ./configure --enable-normalizer \end{verbatim} The normalize preprocessor is activated via the conf as outlined below. There are also many new preprocessor and decoder rules to alert on or drop packets with "abnormal" encodings. Note that in the following, fields are cleared only if they are non-zero. Also, normalizations will only be enabled if the selected DAQ supports packet replacement and is operating in inline mode. If a policy is configured for \texttt{inline\_test} or passive mode, any normalization statements in the policy config are ignored. \subsubsection{IP4 Normalizations} IP4 normalizations are enabled with: \begin{verbatim} preprocessor normalize_ip4: [df], [rf], [tos], [trim] \end{verbatim} Base normalizations enabled with "preprocessor \texttt{normalize\_ip4}" include: \begin{itemize} \item TTL normalization if enabled (explained below). \item Clear the differentiated services field (formerly TOS). \item NOP all options octets. \end{itemize} Optional normalizations include: \begin{itemize} \item \texttt{df} don't fragment: clear this bit on incoming packets. \item \texttt{rf} reserved flag: clear this bit on incoming packets. \item \texttt{tos} type of service (differentiated services): clear this byte. \item \texttt{trim} truncate packets with excess payload to the datagram length specified in the IP header + the layer 2 header (e.g. ethernet), but don't truncate below minimum frame length. This is automatically disabled if the DAQ can't inject packets. 
\end{itemize} \subsubsection{IP6 Normalizations} IP6 normalizations are enabled with: \begin{verbatim} preprocessor normalize_ip6 \end{verbatim} Base normalizations enabled with "preprocessor \texttt{normalize\_ip6}" include: \begin{itemize} \item Hop limit normalization if enabled (explained below). \item NOP all options octets in hop-by-hop and destination options extension headers. \end{itemize} \subsubsection{ICMP4/6 Normalizations} ICMP4 and ICMP6 normalizations are enabled with: \begin{verbatim} preprocessor normalize_icmp4 preprocessor normalize_icmp6 \end{verbatim} Base normalizations enabled with the above include: \begin{itemize} \item Clear the code field in echo requests and replies. \end{itemize} \subsubsection{TCP Normalizations} TCP normalizations are enabled with: \begin{verbatim} preprocessor normalize_tcp: \ [block], [rsv], [pad], \ [req_urg], [req_pay], [req_urp], \ [ips], [urp], [trim], \ [trim_syn], [trim_rst], \ [trim_win], [trim_mss], \ [ecn <ecn_type>], \ [opts [allow <allowed_opt>+]] <ecn_type> ::= stream | packet <allowed_opt> ::= \ sack | echo | partial_order | conn_count | alt_checksum | md5 | <num> <sack> ::= { 4, 5 } <echo> ::= { 6, 7 } <partial_order> ::= { 9, 10 } <conn_count> ::= { 11, 12, 13 } <alt_checksum> ::= { 14, 15 } <md5> ::= { 19 } <num> ::= (3..255) \end{verbatim} Normalizations include: \begin{itemize} \item \texttt{block} allow packet drops during TCP normalization. \item \texttt{rsv} clear the reserved bits in the TCP header. \item \texttt{pad} clear any option padding bytes. \item \texttt{req\_urg} clear the urgent pointer if the urgent flag is not set. \item \texttt{req\_pay} clear the urgent pointer and the urgent flag if there is no payload. \item \texttt{req\_urp} clear the urgent flag if the urgent pointer is not set. \item \texttt{ips} ensure consistency in retransmitted data (also forces reassembly policy to "first"). Any segments that can't be properly reassembled will be dropped. \item \texttt{trim\_syn} remove data on SYN. \item \texttt{trim\_rst} remove any data from RST packet. \item \texttt{trim\_win} trim data to window. 
\item \texttt{trim\_mss} trim data to MSS. \item \texttt{trim} enable all of the above trim options. \item \texttt{ecn packet} clear ECN flags on a per packet basis (regardless of negotiation). \item \texttt{ecn stream} clear ECN flags if usage wasn't negotiated. Should also enable \texttt{require\_3whs}. \item \texttt{opts} NOP all option bytes other than maximum segment size, window scaling, timestamp, and any explicitly allowed with the allow keyword. You can allow options to pass by name or number. \item \texttt{opts} if timestamp is present but invalid, or valid but not negotiated, NOP the timestamp octets. \item \texttt{opts} if timestamp was negotiated but not present, block the packet. \item \texttt{opts} clear TS ECR if ACK flag is not set. \item \texttt{opts} MSS and window scale options are NOP'd if SYN flag is not set. \end{itemize} \subsubsection{TTL Normalization} TTL normalization pertains to both IP4 TTL (time-to-live) and IP6 (hop limit) and is only performed if both the relevant base normalization is enabled (as described above) and the minimum and new TTL values are configured, as follows: \begin{verbatim} config min_ttl: <min_ttl> config new_ttl: <new_ttl> <min_ttl> ::= (1..255) <new_ttl> ::= (<min_ttl>+1..255) \end{verbatim} If \texttt{new\_ttl }$>$ \texttt{min\_ttl}, then if a packet is received with a TTL $<$ \texttt{min\_ttl}, the TTL will be set to \texttt{new\_ttl}. Note that this configuration item was deprecated in 2.8.6: \begin{verbatim} preprocessor stream5_tcp: min_ttl <#> \end{verbatim} By default \texttt{min\_ttl} = 1 (TTL normalization is disabled). When TTL normalization is turned on the \texttt{new\_ttl} is set to 5 by default. \subsection{SIP Preprocessor} \label{sub:sip} Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences. 
SIP Preprocessor provides ways to tackle Common Vulnerabilities and Exposures (CVEs) related with SIP found over the past few years. It also makes detecting new attacks easier. \subsubsection{Dependency Requirements} For proper functioning of the preprocessor: \begin{itemize} \item Stream session tracking must be enabled, i.e. stream5. Both TCP and UDP must be enabled in stream5. The preprocessor requires a session tracker to keep its data. In addition, Stream API is able to provide correct support for ignoring audio/video data channel. \item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be enabled and configured. \end{itemize} \subsubsection{Configuration} The preprocessor configuration name is \texttt{sip}.\\ \begin{verbatim} preprocessor sip \end{verbatim} \textit{Option syntax} \begin{itemize} \item[] \begin{tabular}{|l|c|c|p{6cm}|} \hline Option & Argument & Required & Default\\ \hline \hline \texttt{disabled} & NONE & NO & OFF\\ \hline \texttt{max\_sessions} & \texttt{} & NO & \texttt{max\_sessions 10000}\\ \hline \texttt{max\_dialogs} & \texttt{} & NO & \texttt{max\_dialogs 4}\\ \hline \texttt{ports} & \texttt{} & NO & \texttt{ports \{ 5060 5061 \} }\\ \hline \texttt{methods} & \texttt{} & NO & \texttt{methods \{ invite cancel ack bye register options \} }\\ \hline \texttt{max\_uri\_len} & \texttt{} & NO & \texttt{max\_uri\_len 256 }\\ \hline \texttt{max\_call\_id\_len} & \texttt{} & NO & \texttt{max\_call\_id\_len 256 }\\ \hline \texttt{max\_requestName\_len} & \texttt{} & NO & \texttt{max\_requestName\_len 20 }\\ \hline \texttt{max\_from\_len} & \texttt{} & NO & \texttt{max\_from\_len 256 }\\ \hline \texttt{max\_to\_len} & \texttt{} & NO & \texttt{max\_to\_len 256 }\\ \hline \texttt{max\_via\_len} & \texttt{} & NO & \texttt{max\_via\_len 1024 }\\ \hline \texttt{max\_contact\_len} & \texttt{} & NO & \texttt{max\_contact\_len 256 }\\ \hline \texttt{max\_content\_len} & \texttt{} & NO & \texttt{max\_content\_len 1024 }\\ \hline 
\texttt{ignore\_call\_channel} & NONE & NO & OFF\\ \hline \end{tabular} \end{itemize} \footnotesize \begin{verbatim} max_sessions = 1024-4194303 max_dialogs = 1-4194303 methods = "invite"|"cancel"|"ack"|"bye"|"register"| "options"\ |"refer" |"subscribe"|"update"|"join"|"info"|"message"\ |"notify"|"prack" max_uri_len = 0-65535 max_call_id_len = 0-65535 max_requestName_len = 0-65535 max_from_len = 0-65535 max_to_len = 0-65535 max_via_len = 0-65535 max_contact_len = 0-65535 max_content_len = 0-65535 \end{verbatim} \normalsize \textit{Option explanations} \begin{itemize} \item[] \texttt{disabled} \begin{itemize} \item[] SIP dynamic preprocessor can be enabled/disabled through configuration. By default this value is turned off. When the preprocessor is disabled, only the max\_sessions option is applied when specified with the configuration. \end{itemize} \item[] \texttt{max\_sessions} \begin{itemize} \item[] This specifies the maximum number of sessions that can be allocated. Those sessions are stream sessions, so they are bounded by maximum number of stream sessions. Default is 10000. \end{itemize} \item[] \texttt{max\_dialogs} \begin{itemize} \item[] This specifies the maximum number of dialogs within one stream session. If exceeded, the oldest dialog will be dropped. Default is 4. \end{itemize} \item[] \texttt{ports} \begin{itemize} \item[] This specifies on what ports to check for SIP messages. Typically, this will include 5060, 5061. \item[] \textit{Syntax} \begin{verbatim} ports { [< ... >] } \end{verbatim} \item[] \textit{Examples} \begin{verbatim} ports { 5060 5061 } \end{verbatim} \item[] Note: there are spaces before and after `\{' and `\}'. \end{itemize} \item[] \texttt{methods} \begin{itemize} \item[] This specifies on what methods to check for SIP messages: (1) invite, (2) cancel, (3) ack, (4) bye, (5) register, (6) options, (7) refer, (8) subscribe, (9) update (10) join (11) info (12) message (13) notify (14) prack. 
Note: these 14 methods are the list as of Feb. 2011. New methods can be added to the list (a method name that is not in this list is accepted as a new method, as in the second example below); up to 32 methods are supported.
The allowed range for this option is 0 - 65535. ``0'' means never alert. \end{itemize} \item[] \texttt{max\_via\_len} \begin{itemize} \item[] This specifies the maximum Via field size. If the Via field is greater than this size, an alert is generated. Default is set to 1024. The allowed range for this option is 0 - 65535. ``0'' means never alert. \end{itemize} \item[] \texttt{max\_contact\_len} \begin{itemize} \item[] This specifies the maximum Contact field size. If the Contact field is greater than this size, an alert is generated. Default is set to 256. The allowed range for this option is 0 - 65535. ``0'' means never alert. \end{itemize} \item[] \texttt{max\_content\_len} \begin{itemize} \item[] This specifies the maximum content length of the message body. If the content length is greater than this number, an alert is generated. Default is set to 1024. The allowed range for this option is 0 - 65535. ``0'' means never alert. \end{itemize} \item[] \texttt{ignore\_call\_channel} \begin{itemize} \item[] This enables the support for ignoring audio/video data channel (through Stream API). By default, this is disabled. 
\end{itemize} \end{itemize} \textit{Option examples} \footnotesize \begin{verbatim} max_sessions 30000 disabled ports { 5060 5061 } methods { invite cancel ack bye register options } methods { invite cancel ack bye register options information } max_uri_len 1024 max_call_id_len 1024 max_requestName_len 10 max_from_len 1024 max_to_len 1024 max_via_len 1024 max_contact_len 1024 max_content_len 1024 max_content_len ignore_call_channel \end{verbatim} \normalsize \textit{Configuration examples} \footnotesize \begin{verbatim} preprocessor sip preprocessor sip: max_sessions 500000 preprocessor sip: max_contact_len 512, max_sessions 300000, methods { invite \ cancel ack bye register options } , ignore_call_channel preprocessor sip: ports { 5060 49848 36780 10270 }, max_call_id_len 200, \ max_from_len 100, max_to_len 200, max_via_len 1000, \ max_requestName_len 50, max_uri_len 100, ignore_call_channel,\ max_content_len 1000 preprocessor sip: disabled preprocessor sip: ignore_call_channel \end{verbatim} \normalsize \textit{Default configuration} \footnotesize \begin{verbatim} preprocessor sip \end{verbatim} \normalsize \subsubsection{Events} The preprocessor uses GID 140 to register events. \begin{longtable}{|r|p{13.5cm}|} \hline SID & Description\\ \hline 1 & If the memory cap is reached and the preprocessor is configured to alert, this alert will be created. \\ \hline 2 & Request URI is required. When Request URI is empty, this alert will be created. 
\\ \hline 3 & The Request URI is larger than the defined length in configuration.\\ \hline 4 & When Call-ID is empty, this alert will be created.\\ \hline 5 & The Call-ID is larger than the defined length in configuration.\\ \hline 6 & The sequence e number value MUST be expressible as a 32-bit unsigned integer and MUST be less than $2^{31}$.\\ \hline 7 & The request name in the CSeq is larger than the defined length in configuration.\\ \hline 8 & From field is empty.\\ \hline 9 & From field is larger than the defined length in configuration.\\ \hline 10 & To field is empty.\\ \hline 11 & To field is larger than the defined length in configuration.\\ \hline 12 & Via filed is empty.\\ \hline 13 & Via filed is larger than the defined length in configuration.\\ \hline 14 & Contact is empty, but it is required non-empty for the message.\\ \hline 15 & The Contact is larger than the defined length in configuration. \\ \hline 16 & The content length is larger than the defined length in configuration or is negative. \\ \hline 17 & There are multiple requests in a single packet. Old SIP protocol supports multiple sip messages within one packet.\\ \hline 18 & There are inconsistencies between Content-Length in SIP header and actual body data.\\ \hline 19 & Request name is invalid in response.\\ \hline 20 & Authenticated invite message received, but no challenge from server received. This is the case of InviteReplay billing attack.\\ \hline 21 & Authenticated invite message received, but session information has been changed. This is different from re-INVITE, where the dialog has been established. and authenticated. 
This detects the FakeBusy billing attack.
\end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} sip_method:invite, cancel sip_method:!invite Note: If a user wants to use "and", they can use something like this: sip_method:!invite; sip_method:!bye \end{verbatim} \normalsize \end{itemize} \texttt{sip\_stat\_code} \label{sip:sip_stat_code} \begin{itemize} \item[] The \texttt{sip\_stat\_code} is used to check the SIP response status code. This option matches if any one of the state codes specified matches the status codes of the SIP response.\\ \textit{Syntax} \footnotesize \begin{verbatim} sip_stat_code: ; code_list = state_code|state_code, code_list code = "100-999"|"1-9" \end{verbatim} \item[] Note: 1,2,3,4,5,6... mean to check for "1xx", "2xx", '3xx', '4xx', '5xx', '6xx'... responses. \\ \normalsize \textit{Examples} \footnotesize \begin{verbatim} sip_stat_code:200 sip_stat_code: 2 sip_stat_code: 200, 180 \end{verbatim} \normalsize \end{itemize} \texttt{sip\_header} \label{sip:sip_header} \begin{itemize} \item[] The \texttt{sip\_header} keyword restricts the search to the extracted Header fields of a SIP message request or a response. This works similar to \texttt{file\_data}. \\ \textit{Syntax} \footnotesize \begin{verbatim} sip_header; \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} alert udp any any -> any 5060 (sip_header; content:"CSeq"; ) \end{verbatim} \normalsize \end{itemize} \texttt{sip\_body} \label{sip:sip_body} \begin{itemize} \item[] The \texttt{sip\_body} keyword places the cursor at the beginning of the Body fields of a SIP message. This works similar to \texttt{file\_data} and \texttt{dce\_stub\_data}. 
The message body includes channel information using SDP protocol (Session Description Protocol).\\ \textit{Syntax} \footnotesize \begin{verbatim} sip_body; \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} alert udp any any -> any 5060 (sip_body; content:"C=IN 0.0.0.0"; within 100;) \end{verbatim} \normalsize \end{itemize} \texttt{pcre} \label{sip:pcre} \begin{itemize} \item[] SIP overloads two options for \texttt{pcre}:\\ \begin{itemize} \item H: Match SIP header for request or response , Similar to \texttt{sip\_header}.\\ \item P: Match SIP body for request or response , Similar to \texttt{sip\_body}.\\ \end{itemize} \textit{Examples} \footnotesize \begin{verbatim} alert udp any any -> any 5060 (pcre:"/INVITE/H"; sid:1000000;) alert udp any any -> any 5060 (pcre:"/m=/P"; sid:2000000;) \end{verbatim} \normalsize \end{itemize} \subsection{Reputation Preprocessor} \label{sub:reputation} Reputation preprocessor provides basic IP blacklist/whitelist capabilities, to block/drop/pass traffic from IP addresses listed. In the past, we use standard Snort rules to implement Reputation-based IP blocking. This preprocessor will address the performance issue and make the IP reputation management easier. This preprocessor runs before other preprocessors. 
\subsubsection{Configuration} The preprocessor configuration name is \texttt{reputation}.\\ \begin{verbatim} preprocessor reputation \end{verbatim} \textit{Option syntax} \begin{itemize} \item[] \begin{tabular}{|l|c|c|p{6cm}|} \hline Option & Argument & Required & Default\\ \hline \hline \texttt{memcap} & \texttt{} & NO & \texttt{memcap 500}\\ \hline \texttt{scan\_local} & NONE & NO & OFF\\ \hline \texttt{blacklist} & \texttt{} & NO & NONE\\ \hline \texttt{whitelist} & \texttt{} & NO & NONE\\ \hline \texttt{priority} & [blacklist whitelist] & NO & \texttt{priority whitelist}\\ \hline \texttt{nested\_ip} & [inner outer both] & NO & \texttt{nested\_ip inner}\\ \hline \texttt{white} & [unblack trust] & NO & \texttt{white unblack}\\ \hline \end{tabular} \end{itemize} \footnotesize \begin{verbatim} memcap = 1-4095 Mbytes \end{verbatim} \normalsize \textit{Option explanations} \begin{itemize} \item[] \texttt{memcap} \begin{itemize} \item[] Maximum total memory supported. It can be set up to 4095 Mbytes. \end{itemize} \item[] \texttt{scan\_local} \begin{itemize} \item[] Enable to inspect local address defined in RFC 1918: \begin{itemize} \item[] 10.0.0.0 - 10.255.255.255 (10/8 prefix) \item[] 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) \item[] 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) \end{itemize} \end{itemize} \item[] \texttt{blacklist/whitelist} \begin{itemize} \item[] The IP lists are loaded from external files. It supports relative paths for inclusion and \$variables for path. Multiple blacklists or whitelists are supported. \item[] Note: if the same IP is redefined later, it will overwrite the previous one. In other words, IP lists always favors the last file or entry processed. \end{itemize} \item[] \texttt{priority} \begin{itemize} \item[] Specify either blacklist or whitelist has higher priority when source/destination is on blacklist while destination/source is on whitelist. By default, whitelist has higher priority. 
In other words, the packet will be passed when either source or destination is whitelisted. \item[] Note: this only defines priority when there is a decision conflict, during run-time. During initialization time, if the same IP address is defined in whitelist and blacklist, whoever the last one defined will be the final one. Priority does not work on this case. \end{itemize} \item[] \texttt{nested\_ip} \begin{itemize} \item[] Specify which IP address to be used when there is IP encapsulation. \end{itemize} \item[] \texttt{white} \begin{itemize} \item[] Specify the meaning of whitelist. When white means unblack, it unblacks IPs that are in blacklists; when white means trust, the packet gets bypassed, without further detection by snort. You can only specify either unblack or trust. \item[] Note: when white means unblack, whitelist always has higher priority than blacklist. \end{itemize} \end{itemize} \textit{Configuration examples} \footnotesize \begin{verbatim} preprocessor reputation:\ blacklist /etc/snort/default.blacklist, \ whitelist /etc/snort/default.whitelist preprocessor reputation: \ nested_ip both, \ blacklist /etc/snort/default.blacklist, \ whitelist /etc/snort/default.whitelist preprocessor reputation: \ memcap 4095, scan_local, nested_ip both, \ priority whitelist, \ blacklist /etc/snort/default.blacklist, \ whitelist /etc/snort/default.whitelist, white trust $REP_BLACK_FILE1 = ../dshield.list $REP_BLACK_FILE2 = ../snort.org.list preprocessor reputation: \ blacklist $REP_BLACK_FILE1,\ blacklist $REP_BLACK_FILE2 \end{verbatim} \normalsize \textit{IP List File Format} \begin{itemize} \item[] \texttt{Syntax} \begin{itemize} \item[] The IP list file has 1 entry per line. The entry can be either IP entry or comment. \end{itemize} \begin{itemize} \item[] \texttt{IP Entry} \begin{itemize} \item[] CIDR notation $<$comments$>$ line break. 
\item[] Example: \footnotesize \begin{verbatim} 172.16.42.32/32 172.33.42.32/16 \end{verbatim} \normalsize \end{itemize} \item[] \texttt{Comment} \begin{itemize} \item[] The comment start with \# \item[] \# $<$comments$>$ \item[] Example \footnotesize \begin{verbatim} # This is a full line comment 172.33.42.32/16 # This is a in-line comment \end{verbatim} \normalsize \end{itemize} \end{itemize} \item[] \texttt{IP List File Example} \begin{itemize} \item[] \footnotesize \begin{verbatim} # This is a full line comment 172.16.42.32/32 # This is an inline comment, line with single CIDR block 172.33.42.32/16 \end{verbatim} \normalsize \end{itemize} \end{itemize} \textit{Use case} \begin{itemize} \item[] A user wants to protect his/her network from unwanted/unknown IPs, only allowing some trusted IPs. Here is the configuration: \item[] \footnotesize \begin{verbatim} preprocessor reputation: \ blacklist /etc/snort/default.blacklist whitelist /etc/snort/default.whitelist In file "default.blacklist" # These two entries will match all ipv4 addresses 1.0.0.0/1 128.0.0.0/1 In file "default.whitelist" 68.177.102.22 # sourcefire.com 74.125.93.104 # google.com \end{verbatim} \end{itemize} \normalsize \subsubsection{Events} Reputation preprocessor uses GID 136 to register events. \begin{longtable}{|r|p{13.5cm}|} \hline SID & Description\\ \hline 1 & Packet is blacklisted. \\ \hline 2 & Packet is whitelisted. \\ \hline 3 & Packet is inspected. \\ \hline \end{longtable} \subsubsection{Shared memory support} \begin{itemize} \item[] In order to minimize memory consumption when multiple Snort instances are running concurrently, we introduce the support of shared memory. After configured, all the snort instances share the same IP tables in shared memory. \item[]\textit{System requirement} \begin{itemize} \item[]This feature is supported only in Linux. 
\end{itemize} \item[]\textit{Build configuration} \begin{itemize} \item[]A new option, \texttt{--enable-shared-rep} is introduced to \texttt{./configure} command. This option enables the support for shared memory. \end{itemize} \item[]\textit{Configuration} \begin{itemize} \item[]\texttt{shared\_mem} \begin{itemize} \item[] If the build supports shared memory, this configuration will enable shared memory. If this option isn't set, standard memory is used. This option must specify a path or directory where IP lists will be loaded in shared memory. One snort instance will create and maintain the shared IP lists. We use instance ID 1, specified in the snort \texttt{-G} option to be the master snort. All the other snort instances are clients (readers). \item[] \textit{Syntax} \begin{verbatim} shared_mem: path \end{verbatim} \item[] \textit{Examples} \begin{verbatim} shared_mem /user/reputation/iplists \end{verbatim} \end{itemize} \item[]\texttt{shared\_refresh} \begin{itemize} \item[]This option changes the period of checking new shared memory segment, in the unit of second. By default, the refresh rate is $60$ seconds. \item[]\textit{Syntax} \begin{verbatim} shared_refresh period = "1 - 4294967295" \end{verbatim} \item[]\textit{Examples} \begin{verbatim} shared_refresh 60 \end{verbatim} \end{itemize} \end{itemize} \item[]\textit{Steps to configure shared memory} \begin{itemize} \item When building Snort, add option \texttt{--enable-shared-rep} to \texttt{./configure}\\ For example: \begin{verbatim} ./configure --enable-gre --enable-sourcefire --enable-flexresp3 --enable-pthread --enable-linux-smp-stats --enable-targetbased --enable-shared-rep --enable-control-socket \end{verbatim} \item Put your IP list file into a directory, where snort has full access. 
\\ For example: \begin{verbatim} /user/reputation/iplists \end{verbatim} In order to separate whitelist with blacklist, you need to specify whitelist with \texttt{.wlf} extension and blacklist with \texttt{.blf} extension. \item In snort config file, specify shared memory support with the path to IP files.\\ For example: \begin{verbatim} shared_mem /user/reputation/iplists \end{verbatim} If you want to change the period of checking new IP lists, add refresh period.\\ For example: \begin{verbatim} shared_refresh 300 \end{verbatim} \item Start shared memory master(writer) with \texttt{-G} 0 option. Note: only one master should be enabled. \item Start shared memory clients (readers) with \texttt{-G} 1 or other IDs. Note: for one ID, only one snort instance should be enabled. \item You will see the IP lists got loaded and shared across snort instances! \end{itemize} \item[]\textit{Reload IP lists using control socket} \begin{itemize} \item Run snort using command line with option \texttt{--cs-dir } or configure snort with: \begin{verbatim} config cs_dir: \end{verbatim} \item (Optional) you can create a version file named ``IPRVersion.dat'' in the IP list directory. This file helps managing reloading IP lists, by specifying a version. When the version isn't changed, IP lists will not be reloaded if they are already in shared memory. The version number should be a 32 bit number.\\ For example: \begin{verbatim} VERSION=1 \end{verbatim} \item In the \texttt{/src/tools/control} directory, you will find \texttt{snort\_control} command if built with \texttt{--enable-control-socket} option. \item Type the following command to reload IP lists. Before typing this command, make sure to update version file if you are using version file. 
The \texttt{} is the same path in first step.\\ \begin{verbatim} /src/tools/control/snort_control 1361 \end{verbatim} \end{itemize} \item[]\textit{Using manifest file to manage loading (optional)} \begin{itemize} \item[] Using manifest file, you can control the file loading sequence, action taken, and support zone based detection. You can create a manifest file named ``zone.info'' in the IP list directory.\\ \item[] When Snort is signaled to load new lists, a manifest file is read first to determine which zones the IPs in each list are applicable to and what action to take per list (Block, White, Monitor). \\ \item[] Files listed in manifest are loaded from top to bottom. You should put files that have higher priority first. In manifest file, you can put up to 255 files. Without manifest file, files will be loaded in alphabet order.\\ \item[] Here's the format of the manifest file. Each line of the file has the following format:\\ \begin{verbatim} , ,[, ]+ ::= 32 bit integer ::= "monitor"|"block"|"white" ::= [0-1051] \end{verbatim} \item[] Using manifest file, you can specify a new action called ``monitor'', which indicates a packet needs to be inspected, but does not disable detection. This is different from ``block'' action, which disables further detection. This new action helps users evaluate their IP lists before applying it. \item[] An example manifest file: \begin{verbatim} #ipreputation manifest file white.wlf, 111 ,white, black1.blf, 1112, black, 3, 12 black2.blf, 1113, black, 3, 12 monitor.blf,2222, monitor, 0, 2, 8 \end{verbatim} \end{itemize} \end{itemize} \subsection{GTP Decoder and Preprocessor} \label{sub:gtp} GTP (GPRS Tunneling Protocol) is used in core communication networks to establish a channel between GSNs (GPRS Serving Node). GTP decoding preprocessor provides ways to tackle intrusion attempts to those networks through GTP. It also makes detecting new attacks easier. Two components are developed: GTP decoder and GTP preprocessor. 
\begin{itemize} \item GTP decoder extracts payload inside GTP PDU; \item GTP preprocessor inspects all the signaling messages and provide keywords for further inspection \end{itemize} When the decoder is enabled and configured, the decoder strips the GTP headers and parses the underlying IP/TCP/UDP encapsulated packets. Therefore all rules and detection work as if there was no GTP header. Example: \begin{itemize} \item[] Most GTP packets look like this \begin{verbatim} IP -> UDP -> GTP -> IP -> TCP -> HTTP \end{verbatim} If you had a standard HTTP rule: \begin{verbatim} alert tcp any any -> any $HTTP_PORTS (msg:"Test HTTP"; flow:to_server,established; content:"SOMETHINGEVIL"; http_uri; .... sid:X; rev:Y;) \end{verbatim} it would alert on the inner HTTP data that is encapsulated in GTP without any changes to the rule other than enabling and configuring the GTP decoder. \end{itemize} \subsubsection{Dependency Requirements} For proper functioning of the preprocessor: \begin{itemize} \item Stream session tracking must be enabled, i.e. stream5. UDP must be enabled in stream5. The preprocessor requires a session tracker to keep its data. \item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be enabled and configured. \end{itemize} \subsubsection{GTP Data Channel Decoder Configuration} GTP decoder extracts payload from GTP PDU. The following configuration sets GTP decoding: \begin{verbatim} config enable_gtp \end{verbatim} By default, GTP decoder uses port number $2152$ (GTPv1) and $3386$ (GTPv0). If users want to change those values, they can use \texttt{portvar GTP\_PORTS}: \begin{verbatim} portvar GTP_PORTS [2152,3386] \end{verbatim} \subsubsection{GTP Control Channel Preprocessor Configuration} Different from GTP decoder, GTP preprocessor examines all signaling messages. The preprocessor configuration name is \texttt{gtp}. 
\begin{verbatim} preprocessor gtp \end{verbatim} \textit{Option syntax} \begin{itemize} \item[] \begin{tabular}{|l|c|c|p{6cm}|} \hline Option & Argument & Required & Default\\ \hline \hline \texttt{ports} & \texttt{} & NO & \texttt{ports \{ 2123 3386 \} }\\ \hline \end{tabular} \end{itemize} \normalsize \textit{Option explanations} \begin{itemize} \item[] \texttt{ports} \begin{itemize} \item[] This specifies on what ports to check for GTP messages. Typically, this will include 5060, 5061. \item[] \textit{Syntax} \begin{verbatim} ports { [< ... >] } \end{verbatim} \item[] \textit{Examples} \begin{verbatim} ports { 2123 3386 2152 } \end{verbatim} \item[] Note: there are spaces before and after `\{' and `\}'. \end{itemize} \end{itemize} \normalsize \textit{Default configuration} \footnotesize \begin{verbatim} preprocessor gtp \end{verbatim} \normalsize \subsubsection{GTP Decoder Events} \begin{longtable}{|r|p{13.5cm}|} \hline SID & Description\\ \hline 297 & Two or more GTP encapsulation layers present \\ \hline 298 & GTP header length is invalid \\ \hline \end{longtable} \subsubsection{GTP Preprocessor Events} \begin{longtable}{|r|p{13.5cm}|} \hline SID & Description\\ \hline 1 & Message length is invalid. \\ \hline 2 & Information element length is invalid. \\ \hline 3 & Information elements are out of order. \\ \hline \end{longtable} \subsubsection{Rule Options} New rule options are supported by enabling the \texttt{gtp} preprocessor: \begin{itemize} \item[] \begin{verbatim} gtp_type gtp_info gtp_version \end{verbatim} \end{itemize} \texttt{gtp\_type} \label{gtp:gtp_method} \begin{itemize} \item[] The \texttt{gtp\_type} keyword is used to check for specific GTP types. User can input message type value, an integer in [0, 255], or a string defined in the Table below. More than one type can be specified, via a comma separated list, and are OR'ed together. If the type used in a rule is not listed in the preprocessor configuration, an error will be thrown. 
\item[] A message type can have different type value in different GTP versions. For example, \texttt{sgsn\_\-context\_\-request} has message type value $50$ in GTPv0 and GTPv1, but $130$ in GTPv2. \texttt{gtp\_type} will match to a different value depending on the version number in the packet. In this example, evaluating a GTPv0 or GTPv1 packet will check whether the message type value is $50$; evaluating a GTPv2 packet will check whether the message type value is $130$. When a message type is not defined in a version, any packet in that version will always return ``No match''. \item[] If an integer is used to specify message type, every GTP packet is evaluated, no matter what version the packet is. If the message type matches the value in packet, it will return ``Match''. \\ \textit{Syntax} \footnotesize \begin{verbatim} gtp_type:; type-list = type|type, type-list type = "0-255"| | "echo_request" | "echo_response" ... \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} gtp_type:10, 11, echo_request; \end{verbatim} \normalsize \textit{GTP message types} \small \begin{longtable}{|r|c|c|c|p{13.5cm}|} \hline Type & GTPv0 & GTPv1 & GTPv2\\ \hline 0 & N/A & N/A & N/A\\ \hline 1 & echo\_request & echo\_request & echo\_request\\ \hline 2 & echo\_response & echo\_response & echo\_response\\ \hline 3 & version\_not\_supported & version\_not\_supported & version\_not\_supported\\ \hline 4 & node\_alive\_request & node\_alive\_request & N/A\\ \hline 5 & node\_alive\_response & node\_alive\_response & N/A\\ \hline 6 & redirection\_request & redirection\_request & N/A\\ \hline 7 & redirection\_response & redirection\_response & N/A \\ \hline 16 & create\_pdp\_context\_request & create\_pdp\_context\_request & N/A\\ \hline 17 & create\_pdp\_context\_response & create\_pdp\_context\_response & N/A \\ \hline 18 & update\_pdp\_context\_request & update\_pdp\_context\_request & N/A\\ \hline 19 & update\_pdp\_context\_response & update\_pdp\_context\_response 
& N/A\\ \hline 20 & delete\_pdp\_context\_request & delete\_pdp\_context\_request & N/A\\ \hline 21 & delete\_pdp\_context\_response & delete\_pdp\_context\_response & N/A\\ \hline 22 & create\_aa\_pdp\_context\_request & init\_pdp\_context\_activation\_request & N/A\\ \hline 23 & create\_aa\_pdp\_context\_response & init\_pdp\_context\_activation\_response & N/A\\ \hline 24 & delete\_aa\_pdp\_context\_request & N/A & N/A\\ \hline 25 & delete\_aa\_pdp\_context\_response & N/A & N/A\\ \hline 26 & error\_indication & error\_indication & N/A\\ \hline 27 & pdu\_notification\_request & pdu\_notification\_request & N/A\\ \hline 28 & pdu\_notification\_response & pdu\_notification\_response & N/A\\ \hline 29 & pdu\_notification\_reject\_request & pdu\_notification\_reject\_request & N/A\\ \hline 30 & pdu\_notification\_reject\_response & pdu\_notification\_reject\_response & N/A\\ \hline 31 & N/A & supported\_ext\_header\_notification & N/A \\ \hline 32 & send\_routing\_info\_request & send\_routing\_info\_request & create\_session\_request \\ \hline 33 & send\_routing\_info\_response & send\_routing\_info\_response & create\_session\_response \\ \hline 34 & failure\_report\_request & failure\_report\_request & modify\_bearer\_request \\ \hline 35 & failure\_report\_response & failure\_report\_response & modify\_bearer\_response \\ \hline 36 & note\_ms\_present\_request & note\_ms\_present\_request & delete\_session\_request \\ \hline 37 & note\_ms\_present\_response & note\_ms\_present\_response & delete\_session\_response \\ \hline 38 & N/A & N/A & change\_notification\_request \\ \hline 39 & N/A & N/A & change\_notification\_response \\ \hline 48 & identification\_request & identification\_request & N/A \\ \hline 49 & identification\_response & identification\_response & N/A \\ \hline 50 & sgsn\_context\_request & sgsn\_context\_request & N/A \\ \hline 51 & sgsn\_context\_response & sgsn\_context\_response & N/A \\ \hline 52 & sgsn\_context\_ack & sgsn\_context\_ack & 
N/A \\ \hline 53 & N/A & forward\_relocation\_request & N/A \\ \hline 54 & N/A & forward\_relocation\_response & N/A \\ \hline 55 & N/A & forward\_relocation\_complete & N/A \\ \hline 56 & N/A & relocation\_cancel\_request & N/A \\ \hline 57 & N/A & relocation\_cancel\_response & N/A \\ \hline 58 & N/A & forward\_srns\_contex & N/A \\ \hline 59 & N/A & forward\_relocation\_complete\_ack & N/A \\ \hline 60 & N/A & forward\_srns\_contex\_ack & N/A \\ \hline 64 & N/A & N/A & modify\_bearer\_command \\ \hline 65 & N/A & N/A & modify\_bearer\_failure\_indication \\ \hline 66 & N/A & N/A & delete\_bearer\_command \\ \hline 67 & N/A & N/A & delete\_bearer\_failure\_indication \\ \hline 68 & N/A & N/A & bearer\_resource\_command \\ \hline 69 & N/A & N/A & bearer\_resource\_failure\_indication \\ \hline 70 & N/A & ran\_info\_relay & downlink\_failure\_indication \\ \hline 71 & N/A & N/A & trace\_session\_activation \\ \hline 72 & N/A & N/A & trace\_session\_deactivation \\ \hline 73 & N/A & N/A & stop\_paging\_indication \\ \hline 95 & N/A & N/A & create\_bearer\_request \\ \hline 96 & N/A & mbms\_notification\_request & create\_bearer\_response \\ \hline 97 & N/A & mbms\_notification\_response & update\_bearer\_request \\ \hline 98 & N/A & mbms\_notification\_reject\_request & update\_bearer\_response \\ \hline 99 & N/A & mbms\_notification\_reject\_response & delete\_bearer\_request \\ \hline 100 & N/A & create\_mbms\_context\_request & delete\_bearer\_response \\ \hline 101 & N/A & create\_mbms\_context\_response & delete\_pdn\_request \\ \hline 102 & N/A & update\_mbms\_context\_request & delete\_pdn\_response \\ \hline 103 & N/A & update\_mbms\_context\_response & N/A \\ \hline 104 & N/A & delete\_mbms\_context\_request & N/A \\ \hline 105 & N/A & delete\_mbms\_context\_response & N/A \\ \hline 112 & N/A & mbms\_register\_request & N/A \\ \hline 113 & N/A & mbms\_register\_response & N/A \\ \hline 114 & N/A & mbms\_deregister\_request & N/A \\ \hline 115 & N/A & 
mbms\_deregister\_response & N/A \\ \hline 116 & N/A & mbms\_session\_start\_request & N/A \\ \hline 117 & N/A & mbms\_session\_start\_response & N/A \\ \hline 118 & N/A & mbms\_session\_stop\_request & N/A \\ \hline 119 & N/A & mbms\_session\_stop\_response & N/A \\ \hline 120 & N/A & mbms\_session\_update\_request & N/A \\ \hline 121 & N/A & mbms\_session\_update\_response & N/A \\ \hline 128 & N/A & ms\_info\_change\_request & identification\_request \\ \hline 129 & N/A & ms\_info\_change\_response & identification\_response \\ \hline 130 & N/A & N/A & sgsn\_context\_request \\ \hline 131 & N/A & N/A & sgsn\_context\_response \\ \hline 132 & N/A & N/A & sgsn\_context\_ack \\ \hline 133 & N/A & N/A & forward\_relocation\_request \\ \hline 134 & N/A & N/A & forward\_relocation\_response \\ \hline 135 & N/A & N/A & forward\_relocation\_complete \\ \hline 136 & N/A & N/A & forward\_relocation\_complete\_ack \\ \hline 137 & N/A & N/A & forward\_access \\ \hline 138 & N/A & N/A & forward\_access\_ack \\ \hline 139 & N/A & N/A & relocation\_cancel\_request \\ \hline 140 & N/A & N/A & relocation\_cancel\_response \\ \hline 141 & N/A & N/A & configuration\_transfer\_tunnel \\ \hline 149 & N/A & N/A & detach \\ \hline 150 & N/A & N/A & detach\_ack \\ \hline 151 & N/A & N/A & cs\_paging \\ \hline 152 & N/A & N/A & ran\_info\_relay \\ \hline 153 & N/A & N/A & alert\_mme \\ \hline 154 & N/A & N/A & alert\_mme\_ack \\ \hline 155 & N/A & N/A & ue\_activity \\ \hline 156 & N/A & N/A & ue\_activity\_ack \\ \hline 160 & N/A & N/A & create\_forward\_tunnel\_request \\ \hline 161 & N/A & N/A & create\_forward\_tunnel\_response \\ \hline 162 & N/A & N/A & suspend \\ \hline 163 & N/A & N/A & suspend\_ack \\ \hline 164 & N/A & N/A & resume \\ \hline 165 & N/A & N/A & resume\_ack \\ \hline 166 & N/A & N/A & create\_indirect\_forward\_tunnel\_request \\ \hline 167 & N/A & N/A & create\_indirect\_forward\_tunnel\_response \\ \hline 168 & N/A & N/A & 
delete\_indirect\_forward\_tunnel\_request \\ \hline 169 & N/A & N/A & delete\_indirect\_forward\_tunnel\_response \\ \hline 170 & N/A & N/A & release\_access\_bearer\_request \\ \hline 171 & N/A & N/A & release\_access\_bearer\_response \\ \hline 176 & N/A & N/A & downlink\_data \\ \hline 177 & N/A & N/A & downlink\_data\_ack \\ \hline 178 & N/A & N/A & N/A \\ \hline 179 & N/A & N/A & pgw\_restart \\ \hline 199 & N/A & N/A & pgw\_restart\_ack \\ \hline 200 & N/A & N/A & update\_pdn\_request \\ \hline 201 & N/A & N/A & update\_pdn\_response \\ \hline 211 & N/A & N/A & modify\_access\_bearer\_request \\ \hline 212 & N/A & N/A & modify\_access\_bearer\_response \\ \hline 231 & N/A & N/A & mbms\_session\_start\_request \\ \hline 232 & N/A & N/A & mbms\_session\_start\_response \\ \hline 233 & N/A & N/A & mbms\_session\_update\_request \\ \hline 234 & N/A & N/A & mbms\_session\_update\_response \\ \hline 235 & N/A & N/A & mbms\_session\_stop\_request \\ \hline 236 & N/A & N/A & mbms\_session\_stop\_response \\ \hline 240 & data\_record\_transfer\_request & data\_record\_transfer\_request & N/A \\ \hline 241 & data\_record\_transfer\_response & data\_record\_transfer\_response & N/A \\ \hline 254 & N/A & end\_marker & N/A \\ \hline 255 & pdu & pdu & N/A \\ \hline \end{longtable} \end{itemize} \texttt{gtp\_info} \label{gtp:gtp_info} \begin{itemize} \item[] The \texttt{gtp\_info} keyword is used to check for specific GTP information element. This keyword restricts the search to the information element field. User can input information element value, an integer in $[0, 255]$, or a string defined in the Table below. If the information element used in this rule is not listed in the preprocessor configuration, an error will be thrown. \item[] When there are several information elements with the same type in the message, this keyword restricts the search to the total consecutive buffer. 
Because the standard requires that elements of the same type be grouped together, this feature is available for all valid messages. In the case of ``out of order information elements'', this keyword restricts the search to the last buffer. \item[] As with message types, the same information element might have a different information element value in different GTP versions. For example, \texttt{cause} has value $1$ in GTPv0 and GTPv1, but $2$ in GTPv2. \texttt{gtp\_info} will match a different value depending on the version number in the packet. When an information element is not defined in a version, any packet in that version will always return ``No match''. If an integer is used to specify the information element type, every GTP packet is evaluated, no matter which version the packet is. If the information element type matches the value in the packet, it will return ``Match''.\\ \textit{Syntax} \footnotesize \begin{verbatim} gtp_info:; ie = "0-255"| "rai" | "tmsi"... \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} gtp_info: 16; gtp_info: tmsi \end{verbatim} \normalsize \textit{GTP information elements} \small \begin{longtable}{|r|c|c|c|p{13.5cm}|} \hline Type & GTPv0 & GTPv1 & GTPv2\\ \hline 0 & N/A & N/A & N/A \\ \hline 1 & cause & cause & imsi\\ \hline 2 & imsi & imsi & cause \\ \hline 3 & rai & rai & recovery\\ \hline 4 & tlli & tlli & N/A\\ \hline 5 & p\_tmsi & p\_tmsi & N/A\\ \hline 6 & qos & N/A & N/A\\ \hline 7 & N/A & N/A & N/A \\ \hline 8 & recording\_required & recording\_required & N/A\\ \hline 9 & authentication & authentication & N/A\\ \hline 10 & N/A & N/A & N/A\\ \hline 11 & map\_cause & map\_cause & N/A\\ \hline 12 & p\_tmsi\_sig & p\_tmsi\_sig & N/A\\ \hline 13 & ms\_validated & ms\_validated & N/A\\ \hline 14 & recovery & recovery & N/A\\ \hline 15 & selection\_mode & selection\_mode & N/A\\ \hline 16 & flow\_label\_data\_1 & teid\_1 & N/A\\ \hline 17 & flow\_label\_signalling & teid\_control & N/A\\ \hline 18 & flow\_label\_data\_2 & teid\_2 & N/A\\ \hline 
19 & ms\_unreachable & teardown\_ind & N/A\\ \hline 20 & N/A & nsapi & N/A\\ \hline 21 & N/A & ranap & N/A\\ \hline 22 & N/A & rab\_context & N/A\\ \hline 23 & N/A & radio\_priority\_sms & N/A\\ \hline 24 & N/A & radio\_priority & N/A\\ \hline 25 & N/A & packet\_flow\_id & N/A\\ \hline 26 & N/A & charging\_char & N/A\\ \hline 27 & N/A & trace\_ref & N/A\\ \hline 28 & N/A & trace\_type & N/A\\ \hline 29 & N/A & ms\_unreachable & N/A\\ \hline 71 & N/A & N/A & apn\\ \hline 72 & N/A & N/A & ambr\\ \hline 73 & N/A & N/A & ebi\\ \hline 74 & N/A & N/A & ip\_addr\\ \hline 75 & N/A & N/A & mei\\ \hline 76 & N/A & N/A & msisdn\\ \hline 77 & N/A & N/A & indication\\ \hline 78 & N/A & N/A & pco\\ \hline 79 & N/A & N/A & paa\\ \hline 80 & N/A & N/A & bearer\_qos\\ \hline 81 & N/A & N/A & flow\_qos\\ \hline 82 & N/A & N/A & rat\_type\\ \hline 83 & N/A & N/A & serving\_network\\ \hline 84 & N/A & N/A & bearer\_tft\\ \hline 85 & N/A & N/A & tad\\ \hline 86 & N/A & N/A & uli\\ \hline 87 & N/A & N/A & f\_teid\\ \hline 88 & N/A & N/A & tmsi\\ \hline 89 & N/A & N/A & cn\_id\\ \hline 90 & N/A & N/A & s103pdf\\ \hline 91 & N/A & N/A & s1udf\\ \hline 92 & N/A & N/A & delay\_value\\ \hline 93 & N/A & N/A & bearer\_context\\ \hline 94 & N/A & N/A & charging\_id\\ \hline 95 & N/A & N/A & charging\_char\\ \hline 96 & N/A & N/A & trace\_info\\ \hline 97 & N/A & N/A & bearer\_flag\\ \hline 98 & N/A & N/A & N/A\\ \hline 99 & N/A & N/A & pdn\_type\\ \hline 100 & N/A & N/A & pti\\ \hline 101 & N/A & N/A & drx\_parameter\\ \hline 102 & N/A & N/A & N/A\\ \hline 103 & N/A & N/A & gsm\_key\_tri\\ \hline 104 & N/A & N/A & umts\_key\_cipher\_quin\\ \hline 105 & N/A & N/A & gsm\_key\_cipher\_quin\\ \hline 106 & N/A & N/A & umts\_key\_quin\\ \hline 107 & N/A & N/A & eps\_quad\\ \hline 108 & N/A & N/A & umts\_key\_quad\_quin\\ \hline 109 & N/A & N/A & pdn\_connection\\ \hline 110 & N/A & N/A & pdn\_number\\ \hline 111 & N/A & N/A & p\_tmsi\\ \hline 112 & N/A & N/A & p\_tmsi\_sig\\ \hline 113 & N/A & N/A & 
hop\_counter\\ \hline 114 & N/A & N/A & ue\_time\_zone\\ \hline 115 & N/A & N/A & trace\_ref\\ \hline 116 & N/A & N/A & complete\_request\_msg\\ \hline 117 & N/A & N/A & guti\\ \hline 118 & N/A & N/A & f\_container\\ \hline 119 & N/A & N/A & f\_cause\\ \hline 120 & N/A & N/A & plmn\_id\\ \hline 121 & N/A & N/A & target\_id\\ \hline 122 & N/A & N/A & N/A\\ \hline 123 & N/A & N/A & packet\_flow\_id\\ \hline 124 & N/A & N/A & rab\_contex\\ \hline 125 & N/A & N/A & src\_rnc\_pdcp\\ \hline 126 & N/A & N/A & udp\_src\_port\\ \hline 127 & charge\_id & charge\_id & apn\_restriction\\ \hline 128 & end\_user\_address & end\_user\_address & selection\_mode\\ \hline 129 & mm\_context & mm\_context & src\_id\\ \hline 130 & pdp\_context & pdp\_context & N/A\\ \hline 131 & apn & apn & change\_report\_action\\ \hline 132 & protocol\_config & protocol\_config & fq\_csid\\ \hline 133 & gsn & gsn & channel\\ \hline 134 & msisdn & msisdn & emlpp\_pri\\ \hline 135 & N/A & qos & node\_type\\ \hline 136 & N/A & authentication\_qu & fqdn\\ \hline 137 & N/A & tft & ti\\ \hline 138 & N/A & target\_id & mbms\_session\_duration\\ \hline 139 & N/A & utran\_trans & mbms\_service\_area\\ \hline 140 & N/A & rab\_setup & mbms\_session\_id\\ \hline 141 & N/A & ext\_header & mbms\_flow\_id\\ \hline 142 & N/A & trigger\_id & mbms\_ip\_multicast\\ \hline 143 & N/A & omc\_id & mbms\_distribution\_ack\\ \hline 144 & N/A & ran\_trans & rfsp\_index\\ \hline 145 & N/A & pdp\_context\_pri & uci\\ \hline 146 & N/A & addi\_rab\_setup & csg\_info\\ \hline 147 & N/A & sgsn\_number & csg\_id\\ \hline 148 & N/A & common\_flag & cmi\\ \hline 149 & N/A & apn\_restriction & service\_indicator\\ \hline 150 & N/A & radio\_priority\_lcs & detach\_type\\ \hline 151 & N/A & rat\_type & ldn\\ \hline 152 & N/A & user\_loc\_info & node\_feature\\ \hline 153 & N/A & ms\_time\_zone & mbms\_time\_to\_transfer\\ \hline 154 & N/A & imei\_sv & throttling\\ \hline 155 & N/A & camel & arp\\ \hline 156 & N/A & mbms\_ue\_context & 
epc\_timer\\ \hline 157 & N/A & tmp\_mobile\_group\_id & signalling\_priority\_indication\\ \hline 158 & N/A & rim\_routing\_addr & tmgi\\ \hline 159 & N/A & mbms\_config & mm\_srvcc\\ \hline 160 & N/A & mbms\_service\_area & flags\_srvcc\\ \hline 161 & N/A & src\_rnc\_pdcp & mmbr\\ \hline 162 & N/A & addi\_trace\_info & N/A\\ \hline 163 & N/A & hop\_counter & N/A\\ \hline 164 & N/A & plmn\_id & N/A\\ \hline 165 & N/A & mbms\_session\_id & N/A\\ \hline 166 & N/A & mbms\_2g3g\_indicator & N/A\\ \hline 167 & N/A & enhanced\_nsapi & N/A\\ \hline 168 & N/A & mbms\_session\_duration & N/A\\ \hline 169 & N/A & addi\_mbms\_trace\_info & N/A\\ \hline 170 & N/A & mbms\_session\_repetition\_num & N/A\\ \hline 171 & N/A & mbms\_time\_to\_data & N/A\\ \hline 173 & N/A & bss & N/A\\ \hline 174 & N/A & cell\_id & N/A\\ \hline 175 & N/A & pdu\_num & N/A\\ \hline 176 & N/A & N/A & N/A\\ \hline 177 & N/A & mbms\_bearer\_capab & N/A\\ \hline 178 & N/A & rim\_routing\_disc & N/A\\ \hline 179 & N/A & list\_pfc & N/A\\ \hline 180 & N/A & ps\_xid & N/A\\ \hline 181 & N/A & ms\_info\_change\_report & N/A\\ \hline 182 & N/A & direct\_tunnel\_flags & N/A\\ \hline 183 & N/A & correlation\_id & N/A\\ \hline 184 & N/A & bearer\_control\_mode & N/A\\ \hline 185 & N/A & mbms\_flow\_id & N/A\\ \hline 186 & N/A & mbms\_ip\_multicast & N/A\\ \hline 187 & N/A & mbms\_distribution\_ack & N/A\\ \hline 188 & N/A & reliable\_inter\_rat\_handover & N/A\\ \hline 189 & N/A & rfsp\_index & N/A\\ \hline 190 & N/A & fqdn & N/A\\ \hline 191 & N/A & evolved\_allocation1 & N/A\\ \hline 192 & N/A & evolved\_allocation2 & N/A\\ \hline 193 & N/A & extended\_flags & N/A\\ \hline 194 & N/A & uci & N/A\\ \hline 195 & N/A & csg\_info & N/A\\ \hline 196 & N/A & csg\_id & N/A\\ \hline 197 & N/A & cmi & N/A\\ \hline 198 & N/A & apn\_ambr & N/A\\ \hline 199 & N/A & ue\_network & N/A\\ \hline 200 & N/A & ue\_ambr & N/A\\ \hline 201 & N/A & apn\_ambr\_nsapi & N/A\\ \hline 202 & N/A & ggsn\_backoff\_timer & N/A\\ \hline 203 
& N/A & signalling\_priority\_indication & N/A\\ \hline 204 & N/A & signalling\_priority\_indication\_nsapi & N/A\\ \hline 205 & N/A & high\_bitrate & N/A\\ \hline 206 & N/A & max\_mbr & N/A\\ \hline 250 & N/A & N/A & N/A\\ \hline & N/A & N/A & N/A\\ \hline 251 & charging\_gateway\_addr & charging\_gateway\_addr & N/A\\ \hline 255 & private\_extension & private\_extension & private\_extension\\ \hline \end{longtable} \end{itemize} \texttt{gtp\_version} \label{gtp:gtp_version} \begin{itemize} \item[] The \texttt{gtp\_version} keyword is used to check for a specific GTP version. \item[] Because different GTP versions define different message types and information elements, this keyword should be combined with \texttt{gtp\_type} and \texttt{gtp\_info}.\\ \textit{Syntax} \footnotesize \begin{verbatim} gtp_version:; version = "0, 1, 2" \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} gtp_version: 1; \end{verbatim} \normalsize \end{itemize} \subsection{Modbus Preprocessor} \label{sub:modbus} The Modbus preprocessor is a Snort module that decodes the Modbus protocol. It also provides rule options to access certain protocol fields. This allows a user to write rules for Modbus packets without decoding the protocol with a series of "content" and "byte\_test" options. Modbus is a protocol used in SCADA networks. If your network does not contain any Modbus-enabled devices, we recommend leaving this preprocessor turned off. \subsubsection{Dependency Requirements} For proper functioning of the preprocessor: \begin{itemize} \item Stream session tracking must be enabled, i.e. stream5. TCP must be enabled in stream5. The preprocessor requires a session tracker to keep its data. \item Protocol Aware Flushing (PAF) must be enabled. \item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be enabled and configured. \end{itemize} \subsubsection{Preprocessor Configuration} To get started, the Modbus preprocessor must be enabled. 
The preprocessor name is \texttt{modbus}. \begin{verbatim} preprocessor modbus \end{verbatim} \textit{Option syntax} \begin{itemize} \item[] \begin{tabular}{|l|c|c|p{6cm}|} \hline Option & Argument & Required & Default\\ \hline \hline \texttt{ports} & \texttt{} & NO & \texttt{ports \{ 502 \} }\\ \hline \end{tabular} \end{itemize} \normalsize \textit{Option explanations} \begin{itemize} \item[] \texttt{ports} \begin{itemize} \item[] This specifies which ports to check for Modbus messages. Typically, this will include 502. \item[] \textit{Syntax} \begin{verbatim} ports { [< ... >] } \end{verbatim} \item[] \textit{Examples} \begin{verbatim} ports { 1237 3945 5067 } \end{verbatim} \item[] Note: there are spaces before and after `\{' and `\}'. \end{itemize} \end{itemize} \normalsize \textit{Default configuration} \footnotesize \begin{verbatim} preprocessor modbus \end{verbatim} \normalsize \subsubsection{Rule Options} The Modbus preprocessor adds 3 new rule options. These rule options match on various pieces of the Modbus headers: \begin{itemize} \item[] \begin{verbatim} modbus_func modbus_unit modbus_data \end{verbatim} \end{itemize} The preprocessor must be enabled for these rule options to work. \texttt{modbus\_func} \label{modbus:modbus_func} \begin{itemize} \item[] This option matches against the Function Code inside of a Modbus header. The code may be a number (in decimal format), or a string from the list provided below. 
\end{itemize} \textit{Syntax} \footnotesize \begin{verbatim} modbus_func: code = 0-255 | "read_coils" | "read_discrete_inputs" | "read_holding_registers" | "read_input_registers" | "write_single_coil" | "write_single_register" | "read_exception_status" | "diagnostics" | "get_comm_event_counter" | "get_comm_event_log" | "write_multiple_coils" | "write_multiple_registers" | "report_slave_id" | "read_file_record" | "write_file_record" | "mask_write_register" | "read_write_multiple_registers" | "read_fifo_queue" | "encapsulated_interface_transport" \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} modbus_func:1; modbus_func:write_multiple_coils; \end{verbatim} \normalsize \texttt{modbus\_unit} \label{modbus:modbus_unit} \begin{itemize} \item[] This option matches against the Unit ID field in a Modbus header. \end{itemize} \textit{Syntax} \footnotesize \begin{verbatim} modbus_unit: unit = 0-255 \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} modbus_unit:1; \end{verbatim} \normalsize \texttt{modbus\_data} \label{modbus:modbus_data} \begin{itemize} \item[] This rule option sets the cursor at the beginning of the Data field in a Modbus request/response. \end{itemize} \textit{Syntax} \footnotesize \begin{verbatim} modbus_data; \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} modbus_data; content:"badstuff"; \end{verbatim} \normalsize \subsubsection{Preprocessor Events} The Modbus preprocessor uses GID 144 for its preprocessor events. \begin{longtable}{|r|p{13.5cm}|} \hline SID & Description\\ \hline 1 & The length in the Modbus header does not match the length needed \\ & by the Modbus function code. \\ &\\ & Each Modbus function has an expected format for requests and responses. \\ & If the length of the message does not match the expected format, this \\ & alert is generated. \\ \hline 2 & Modbus protocol ID is non-zero. 
\\ &\\ & The protocol ID field is used for multiplexing other protocols with \\ & Modbus. Since the preprocessor cannot handle these other protocols, \\ & this alert is generated instead. \\ \hline 3 & Reserved Modbus function code in use. \\ \hline \end{longtable} \subsection{DNP3 Preprocessor} \label{sub:dnp3} The DNP3 preprocessor is a Snort module that decodes the DNP3 protocol. It also provides rule options to access certain protocol fields. This allows a user to write rules for DNP3 packets without decoding the protocol with a series of "content" and "byte\_test" options. DNP3 is a protocol used in SCADA networks. If your network does not contain any DNP3-enabled devices, we recommend leaving this preprocessor turned off. \subsubsection{Dependency Requirements} For proper functioning of the preprocessor: \begin{itemize} \item Stream session tracking must be enabled, i.e. stream5. TCP or UDP must be enabled in stream5. The preprocessor requires a session tracker to keep its data. \item Protocol Aware Flushing (PAF) must be enabled. \item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be enabled and configured. \end{itemize} \subsubsection{Preprocessor Configuration} To get started, the DNP3 preprocessor must be enabled. The preprocessor name is \texttt{dnp3}. \begin{verbatim} preprocessor dnp3 \end{verbatim} \textit{Option syntax} \begin{itemize} \item[] \begin{tabular}{|l|c|c|p{6cm}|} \hline Option & Argument & Required & Default\\ \hline \hline \texttt{ports} & \texttt{} & NO & \texttt{ports \{ 20000 \} }\\ \texttt{memcap} & \texttt{ [< ... >] } \end{verbatim} \item[] \textit{Examples} \begin{verbatim} ports { 1237 3945 5067 } \end{verbatim} \item[] Note: there are spaces before and after `\{' and `\}'. \end{itemize} \item[] \texttt{memcap} \begin{itemize} \item[] This sets a maximum to the amount of memory allocated to the DNP3 preprocessor for session-tracking purposes. The argument is given in bytes. 
Each session requires about 4 KB to track, and the default is 256 kB. This gives the preprocessor the ability to track 63 DNP3 sessions simultaneously. Setting the memcap below 4144 bytes will cause a fatal error. When multiple configs are used, the memcap in the non-default configs will be overwritten by the memcap in the default config. If the default config is not intended to inspect DNP3 traffic, use the "disabled" keyword. \end{itemize} \item[] \texttt{check\_crc} \begin{itemize} \item[] This option makes the preprocessor validate the checksums contained in DNP3 Link-Layer Frames. Frames with invalid checksums will be ignored. If the corresponding preprocessor rule is enabled, invalid checksums will generate alerts. The corresponding rule is GID 145, SID 1. \end{itemize} \item[] \texttt{disabled} \begin{itemize} \item[] This option is used for loading the preprocessor without inspecting any DNP3 traffic. The \texttt{disabled} keyword is only useful when the DNP3 preprocessor is turned on in a separate policy. \end{itemize} \end{itemize} \normalsize \textit{Default configuration} \footnotesize \begin{verbatim} preprocessor dnp3 \end{verbatim} \normalsize \subsubsection{Rule Options} The DNP3 preprocessor adds 4 new rule options. These rule options match on various pieces of the DNP3 headers: \begin{itemize} \item[] \begin{verbatim} dnp3_func dnp3_obj dnp3_ind dnp3_data \end{verbatim} \end{itemize} The preprocessor must be enabled for these rule options to work. \texttt{dnp3\_func} \label{dnp3:dnp3_func} \begin{itemize} \item[] This option matches against the Function Code inside of a DNP3 Application-Layer request/response header. The code may be a number (in decimal format), or a string from the list provided below. 
\end{itemize} \textit{Syntax} \footnotesize \begin{verbatim} dnp3_func: code = 0-255 | "confirm" | "read" | "write" | "select" | "operate" | "direct_operate" | "direct_operate_nr" | "immed_freeze" | "immed_freeze_nr" | "freeze_clear" | "freeze_clear_nr" | "freeze_at_time" | "freeze_at_time_nr" | "cold_restart" | "warm_restart" | "initialize_data" | "initialize_appl" | "start_appl" | "stop_appl" | "save_config" | "enable_unsolicited" | "disable_unsolicited" | "assign_class" | "delay_measure" | "record_current_time" | "open_file" | "close_file" | "delete_file" | "get_file_info" | "authenticate_file" | "abort_file" | "activate_config" | "authenticate_req" | "authenticate_err" | "response" | "unsolicited_response" | "authenticate_resp" \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} dnp3_func:1; dnp3_func:delete_file; \end{verbatim} \normalsize \texttt{dnp3\_ind} \label{dnp3:dnp3_ind} \begin{itemize} \item[] This option matches on the Internal Indicators flags present in a DNP3 Application Response Header. Much like the TCP flags rule option, providing multiple flags in one option will cause the rule to fire if \emph{ANY} one of the flags is set. To alert on a combination of flags, use multiple rule options. \end{itemize} \textit{Syntax} \footnotesize \begin{verbatim} dnp3_ind:{,...] 
flag = "all_stations" "class_1_events" "class_2_events" "class_3_events" "need_time" "local_control" "defice_trouble" "device_restart" "no_func_code_support" "object_unknown" "parameter_error" "event_buffer_overflow" "already_executing" "config_corrupt" "reserved_2" "reserved_1" \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} # Alert on reserved_1 OR reserved_2 dnp3_ind:reserved_1,reserved_2; # Alert on class_1 AND class_2 AND class_3 events dnp3_ind:class_1_events; dnp3_ind:class_2_events; dnp3_ind:class_3_events; \end{verbatim} \normalsize \texttt{dnp3\_obj} \label{dnp3:dnp3_obj} \begin{itemize} \item[] This option matches on DNP3 object headers present in a request or response. \end{itemize} \textit{Syntax} \footnotesize \begin{verbatim} dnp3_obj:, group = 0 - 255 var = 0 - 255 \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} # Alert on DNP3 "Date and Time" object dnp3_obj:50,1; \end{verbatim} \normalsize \texttt{dnp3\_data} \label{dnp3:dnp3_data} \begin{itemize} \item[] As Snort processes DNP3 packets, the DNP3 preprocessor collects Link-Layer Frames and reassembles them back into Application-Layer Fragments. This rule option sets the cursor to the beginning of an Application-Layer Fragment, so that other rule options can work on the reassembled data. With the dnp3\_data rule option, you can write rules based on the data within Fragments without splitting up the data and adding CRCs every 16 bytes. \end{itemize} \textit{Syntax} \footnotesize \begin{verbatim} dnp3_data; \end{verbatim} \normalsize \textit{Examples} \footnotesize \begin{verbatim} dnp3_data; content:"badstuff_longer_than_16chars"; \end{verbatim} \normalsize \subsubsection{Preprocessor Events} The DNP3 preprocessor uses GID 145 for its preprocessor events. \begin{longtable}{|r|p{13.5cm}|} \hline SID & Description\\ \hline 1 & A Link-Layer Frame contained an invalid CRC. 
\\ & (Enable \texttt{check\_crc} in the preprocessor config to get this alert.) \\ \hline 2 & A DNP3 Link-Layer Frame was dropped, due to an invalid length. \\ \hline 3 & A Transport-Layer Segment was dropped during reassembly. \\ & This happens when segments have invalid sequence numbers. \\ \hline 4 & The DNP3 Reassembly buffer was cleared before a complete fragment could \\ & be reassembled. \\ & This happens when a segment carrying the "FIR" flag appears after some \\ & other segments have been queued. \\ \hline 5 & A DNP3 Link-Layer Frame is larger than 260 bytes. \\ \hline 6 & A DNP3 Link-Layer Frame uses an address that is reserved. \\ \hline 7 & A DNP3 request or response uses a reserved function code. \\ \hline \end{longtable} \subsection{AppId Preprocessor} \label{sub:appid} With increasingly complex networks and growing network traffic, network administrators require application awareness in managing networks. An administrator may allow only applications that are business relevant, low bandwidth and/or deal with certain subject matter. The AppId preprocessor adds an application-level view for managing networks. It does this by adding the following features: \begin{itemize} \item Network control: the preprocessor provides simplified single-point application awareness by making a set of application identifiers (AppIds) available to Snort rule writers. \item Network usage awareness: the preprocessor outputs statistics showing the network bandwidth used by each application seen on the network. Administrators can monitor bandwidth usage and may decide to block applications that are wasteful. \item Custom applications: the preprocessor enables administrators to create their own application detectors to detect new applications. The detectors are written in Lua and interface with Snort using a well-defined C-Lua API. \end{itemize} \subsubsection{Dependency Requirements} For proper functioning of the preprocessor: \begin{itemize} \item Stream session tracking must be enabled, i.e. 
stream5. TCP or UDP must be enabled in stream5. The preprocessor requires a session tracker to keep its data. \item Protocol Aware Flushing (PAF) must be enabled. \item IP defragmentation should be enabled, i.e. the frag3 preprocessor should be enabled and configured. \item The HTTP preprocessor must be enabled and configured. It does not require any AppId-specific configuration. The HTTP preprocessor provides parsed HTTP headers for application determination. Without the HTTP preprocessor, the AppId preprocessor will identify only non-HTTP applications. \item LuaJIT version 2.0.2 must be installed on the host where Snort is compiled and run. Newer versions of LuaJIT have not been tested for compatibility. \end{itemize} \subsubsection{Preprocessor Configuration} The AppId dynamic preprocessor can be enabled at build time. The following option must be included in ./configure: --enable-open-appid The configuration name is "appid": the preprocessor name is \texttt{appid}. \begin{verbatim} preprocessor appid \end{verbatim} \textit{Option syntax} \begin{itemize} \item[] \begin{tabular}{|l|c|c|p{6cm}|} \hline Option & Argument & Required & Default\\ \hline \hline \texttt{app\_detector\_dir} & \texttt{} & NO & \texttt{app\_detector\_dir \{ /usr/local/etc/appid \} }\\ \texttt{app\_stats\_filename} & \texttt{} & NO & \texttt{NULL}\\ \texttt{app\_stats\_period} & \texttt{