Contents

Overview

Snort 3.0 is an updated version of the Snort Intrusion Prevention System (IPS) which features a new design that provides a superset of Snort 2.X functionality with better efficacy, performance, scalability, usability, and extensibility. Some of the key features of Snort 3.0 are:

  • Support multiple packet processing threads

  • Use a shared configuration and attribute table

  • Autodetect services for portless configuration

  • Modular design

  • Plugin framework with over 200 plugins

  • More scalable memory profile

  • LuaJIT configuration, loggers, and rule options

  • Hyperscan support

  • Rewritten TCP handling

  • New rule parser and syntax

  • Service rules like alert http

  • Rule "sticky" buffers

  • Way better SO rules

  • New HTTP inspector

  • New performance monitor

  • New time and space profiling

  • New latency monitoring and enforcement

  • Piglets to facilitate component testing

  • Inspection Events

  • Automake and Cmake

  • Autogenerate reference documentation

Efficacy

  • Detects and blocks all but 10 HTTP Evader tests (see https://noxxi.de/research/http-evader.html).

  • Autodetection of services reduces misses due to incorrect or out of date port configurations and improves detection on unexpected command and control channels.

Performance

  • Vastly improved throughput over Snort 2 for deep flow inspection.

  • Many more fast pattern buffers means fewer non-fast pattern rules.

  • Hyperscan is used for faster fast patterns, content literals and (optionally) compatible PCRE during signature evaluation, and various searches done by inspectors.

  • sd_pattern rules have normal fast patterns, don’t require extra searches.

  • The snort3_demo repo has a performance suite that can be used to compare Snort 2 and Snort 3.

  • The DAQ 3 interface facilitates leveraging your data plane for maximum throughput including checksum offload and acquisition of a vector of packets.

  • Snort 3 is not run-to-completion, making it possible to detain packets for lookaside acceleration and other new features.

Scalability

  • Much easier to leverage multiple cores.

  • All packet threads share configuration and rule engine which frees up much more memory for packet processing.

Usability

  • Sticky buffers make it easier to write correct rules.

  • Autodetection eliminates much port configuration maintenance.

  • Service-based detection doesn’t preclude port-based detection.

  • Builtin defaults and policy tweaks make effective tuning much simpler.

  • Command line help and generated reference documentation make it easy to get the correct configuration details.

  • A trace mechanism is provided to make it easy to see how packets are processed.

  • Build a scaled down image and configure for smaller systems such as IoT devices.

  • The snort2lua utility (described later) makes it easy to convert your local rules.

  • Extensive peg counts capture the important events and actions to provide more detailed insight into your deployment.

Extensibility

  • Several plugin types are defined and over 220 plugins are available.

  • Inspection events make collaboration among plugins possible without framework updates.

  • All plugins, including SO rules, can be mixed in the same library.

  • A command line shell is available for reloads and other operations.

  • The snort3_extra repo has examples to each plugin type to help you get started.

  • Easy to add SO rules for 0-day attacks.

Snort 3 vs Snort 2

Features New to Snort 3

Some things Snort++ can do today that Snort can not do:

  • regex fast patterns, not just literals

  • FlatBuffers and JSON perf monitor logs

  • LuaJIT scriptable rule options and loggers

  • pub/sub inspection events (currently used by sip and http_inspect to appid)

  • JIT buffer stuffers (notably with new http_inspect)

  • C-style comments in rules

  • #begin … #end comment blocks in rules

  • rule remarks (comment is part of rule, not just in it)

  • process raw files (eg read a PDF and do file processing)

  • process raw payload (eg bridge 2 sockets and do inspection)

  • fast pattern offload to separate thread (experimental)

  • add or override any config item on command line

  • set CPU affinity

  • pause and resume commands

Features Improved over Snort 2

Some things Snort++ can do today that Snort can not do as well:

Feature

Snort 2

Snort 3

Packet Threads

1 per process

N per process

Config Memory Use

N processes * M GB

M GB total, more for packets

Config Reload

N processes, slower

1 thread, can be pinned to separate core

Startup

Single threaded, slower

Multithreaded, faster

Plugins

Limited to preprocs and outputs

Full plugin system with over 230 plugins

Plugin Examples

DPX preproc

snort3_extra repo, all types, LuaJIT

DAQ

2.X, run to completion

3.X, vector input, multiple outstanding packets

DAQ Modules

Legacy modules

Stacked modules, IOCTLs, file, socket, text modules

Pcap Readback Speed

X Mbits/sec for Max-Detect

2X with ac, 4X with hyperscan

IP Layers

2 max

Arbitrary / configurable limits

IP Reputation

Complex, shared memory

Simplified process memory

Stream TCP

Complex implementation

New and improved implementation

Service detection

appid only, port configs required

Autodetection, most port configs optional

HTTP inspector

Partly stateful

Fully stateful

HTTP Evader

65 misses

10 misses

Port Scan Detection

High, medium, low thresholds only

Fully configurable detection thresholds

Config parsing

Report one error and quit

Report all errors

Config syntax

Irregular, static, limited variables

Lua, fully scriptable, arbitrary variables

Command Line

Some overlap with config file

Set or override any config from command line

Default Config

Complex, needs tuning

Simplified, effective default config

Policy Examples

None

Tweaks for all standard Talos policies

Policy Bindings

One level

Nested

Rule syntax

Inconsistent, requires line escapes

Uniform syntax, arbitrary whitespace

Rule parsing

Buggy, limited warnings

Robust, many optional warnings

Rule comments

# comments only

#, #begin/#end, C-style, rem option

Rule input

Config includes only

Includes, external file or path, stdin

Hyperscan

External patch available

Native support, regex fast patterns

Sensitive Data

Requires a slow, extra search

Normal fast pattern rule

alert file rules

No

Yes

alert service rules

No

Yes

fast_pattern_only

Hand optimization

Automatic optimization

Fast Pattern Buffers

6 available

14 available

Elided rule headers

No

Yes (omit nets and/or ports)

Rule sticky buffers

Some

All buffers are sticky

SO rule features

Restricted functionality

True superset of text rules

Simple SO rules

No (based on tedious C-structs)

Yes (based on text rule)

Dump builtin stubs

No (SO stubs only)

Yes

Runtime tracing

No (debug traces and misc logs only)

Yes

Event Logging

Legacy unified2 recommended

JSON recommended, integrates with ELK stack, etc.

Statistics

Limited counts, fixed perf monitor

2X counts, configurable perf monitor

Control interface

Limited binary interface

Extensible text shell, socket access

Documentation

LaTeX-based PDF, READMEs

Asciidoc text, html, and PDF (user, ref, dev, upgrade)

Command line help

No

Extensive, supports data driven management

Build system

Automake, Linux, *BSD, Windows

Cmake, Linux, *BSD, Mac

Startup / Shutdown

Noisy, limited

Clean, extensible, non-zero counts only

Sig Quit

Same as Sig Term and Sig Int

Quick exit

Source Code

470K lines C, avg 400 lines/file

389K lines C++, avg 200 lines/file

Tests

A few unit tests

Many unit tests, snort3_demo suite

Distribution

snort.org tarballs, ~6 month updates

github repo, ~2 week updates

Build Options

  • configure --with-lib{pcap,pcre}-* → --with-{pcap,pcre}-*

  • control socket, cs_dir, and users were deleted

  • POLICY_BY_ID_ONLY code was deleted

  • hardened --enable-inline-init-failopen / INLINE_FAILOPEN

Command Line

  • --pause loads config and waits for resume before processing packets

  • --require-rule-sid is hardened

  • --shell enables interactive Lua shell

  • -T is assumed if no input given

  • added --help-config prefix to dump all matching settings

  • added --script-path

  • added -L none|dump|pcap

  • added -z <#> and --max-packet-threads <#>

  • delete --enable-mpls-multicast, --enable-mpls-overlapping-ip, --max-mpls-labelchain-len, --mpls-payload-type

  • deleted --pid-path and --no-interface-pidfile

  • deleting command line options which will be available with --lua or some such including: -I, -h, -F, -p, --disable-inline-init-failopen

  • hardened -n < 0

  • removed --search-method

  • replaced "unknown args are bpf" with --bpf

  • replaced --dynamic-*-lib[-dir] with --plugin-path (with : separators)

  • removed -b, -N, -Z and, --perfmon-file options

Conf File

  • Snort 3 has a default unicode.map

  • Snort 3 will not enforce an upper bound on memcaps and the like within 64 bits

  • Snort 3 will supply a default *_global config if not specified (Snort 2 would fatal; e.g. http_inspect_server w/o http_inspect_global)

  • address list syntax changes: [[ and ]] must be [ [ and ] ] to avoid Lua string parsing errors (unless in quoted string)

  • because the Lua conf is live code, we lose file:line locations in app error messages (syntax errors from Lua have file:line)

  • changed search-method names for consistency

  • delete config include_vlan_in_alerts (not used in code)

  • delete config so_rule_memcap (not used in code)

  • deleted --disable-attribute-table-reload-thread

  • deleted config decode_*_{alerts,drops} (use rules only)

  • deleted config dump-dynamic-rules-path

  • deleted config ipv6_frag (not actually used)

  • deleted config threshold and ips rule threshold (→ event_filter)

  • eliminated ac-split; must use ac-full-q split-any-any

  • frag3 → defrag, arpspoof → arp_spoof, sfportscan → port_scan, perfmonitor → perf_monitor, bo → back_orifice

  • limits like "1234K" are now "limit = 1234, units = K"

  • lua field names are (lower) case sensitive; snort.conf largely wasn’t

  • module filenames are not configurable: always <log-dir>/<module-name><suffix> (suffix is determined by module)

  • no positional parameters; all name = value

  • perf_monitor configuration was simplified

  • portscan.detect_ack_scans deleted (exact same as include_midstream)

  • removed various run modes - now just one

  • frag3 default policy is Linux not bsd

  • lowmem* search methods are now in snort_examples

  • deleted unused http_inspect stateful mode

  • deleted stateless inspection from ftp and telnet

  • deleted http and ftp alert options (now strictly rule based)

  • preprocessor disabled settings deleted since no longer relevant

  • sessions are always created; snort config stateful checks eliminated

  • stream5_tcp: prune_log_max deleted; to be replaced with histogram

  • stream5_tcp: max_active_responses, min_response_seconds moved to active.max_responses, min_interval

  • ips policies support snort variables (_PATH, _PORT, _NET, _SERVER), ips = { variables = { var1 = expr1, var2 = expr2, … } }

Rules

  • all rules must have a sid

  • sid == 0 not allowed

  • deleted activate / dynamic rules

  • deleted unused rule_state.action

  • deleted metadata engine shared

  • deleted metadata: rule-flushing (with PDU flushing rule flushing can cause missed attacks, the opposite of its intent)

  • changed metadata:service one[, service two]; to service:one[, two];

  • soid is now a non-metadata option

  • metadata is now truly metadata with no impact on detection (Snort doesn’t care about metadata internal structure / syntax)

  • deleted fast_pattern:only; use fast_pattern, nocase (option is not added to detection tree if not required)

  • changed fast_pattern:<offset>,<length> to fast_pattern,fast_pattern_offset <offset>,fast_pattern_length <length>

  • fast pattern sensitive data with sd_pattern using hyperscan

  • hyperscan regex fast patterns with regex:"<regex>", fast_pattern;

  • no ; separated content suboptions

  • offset, depth, distance, and within must use a space separator not colon (e.g. offset:5; becomes offset 5;)

  • content suboptions http_* are now full options

  • added sticky buffers: buffer selector options must precede contents and remain in effect until changed

  • the following pcre options have been deleted: use sticky buffers instead B, U, P, H, M, C, I, D, K, S, Y

  • deleted uricontent option; use sticky buffer uricontent:"foo" -→ http_uri; content:"foo"

  • deleted urilen raw and norm; must use http_raw_uri and http_uri instead

  • deleted unused http_encode option

  • urilen replaced with generic bufferlen which applies to current sticky buffer

  • added optional selector to http_header, e.g. http_header:User-Agent;

  • the all new http_inspect has new buffers and rule options

  • added alert file and alert service rules (service in body not required if there is only one and it is in header; alert service / file rules disable fast pattern searching of raw packets)

  • rule option sequence: <stub> soid <hidden>

  • arbitrary whitespace and multiline rules w/o \n

  • #begin … #end comments to easily comment out multiple lines

  • add rule remarks option with rem:"arbitrary comment"

  • nets and/or ports may be omitted from rule headers (matches any)

  • parse all rules and output all errors before quitting

  • read rules from conf, separate rules file, or stdin

  • The symbol =< in a byte test is recognized as a syntax error. The correct symbol is <=.

Output

  • alert_fast includes packet data by default

  • all text mode outputs default to stdout

  • changed default logging mode to -L none

  • deleted layer2resets and flexresp2_*

  • deleted log_ascii

  • general output guideline: don’t print zero counts

  • Snort 3 queues decoder and inspector events to the main event queue before ips policy is selected; since some events may not be enabled, the queue needs to be sized larger than with Snort 2 which used an intermediate queue for decoder events.

  • deleted the intermediate http and ftp_telnet event queues

  • alert_unified2 and log_unified2 have been deleted

Sensitive Data

The Snort 2.X SDF Preprocessor is gone, replaced by ips option sd_pattern. The sd_pattern rule option is synonymous with the sd_pattern option used for gid:138 rules, but has a different syntax. A major difference in syntax is the use of Hyperscan pattern matching library which provides a regex language similar to PCRE.

To facilitate continued performance, sd_pattern rule option is implemented with Hyperscan pattern matching library. The rule option is now also utilized as a "fast pattern" in the Snort engine which provides a significant performance improvement over the separate detection step of earlier implementations.

The preprocessor alert SDF_COMBO_ALERT (139:1) has been removed and has no replacement in Snort 3.X. This is because the rule offered no additional value over gid:138 rules and was difficult to interpret the result of.

For more information, See Features > Sensitive Data Filtering for details.

Features Not Yet Supported by Snort 3

  • Support in http_inspect for Original Client IP is limited to the X-Forwarded-For and True-Client-IP headers in that order. It is not possible to configure additional custom headers to search for Original Client IP.

Snort2Lua

One of the major differences between Snort 2 and Snort 3 is the configuration. Snort 2 configuration files are written in Snort-specific syntax while Snort 3 configuration files are written in Lua. Snort2Lua is a program specifically designed to convert valid Snort 2 configuration files into Lua files that Snort 3 can understand.

Snort2Lua reads your legacy Snort conf file(s) and generates Snort 3 Lua and rules files. When running this program, the only mandatory option is to provide Snort2Lua with a Snort 2 configuration file. The default output file file is snort.lua, the default error file will be snort.rej, and the default rule file is the output file (default is snort.lua). When Snort2Lua finishes running, the resulting configuration file can be successfully run as the Snort3.0 configuration file. The sole exception to this rule is when Snort2Lua cannot find an included file. If that occurs, the file will still be included in the output file and you will need to manually adjust or comment the file name. Additionally, if the exit code is not zero, some of the information may not be successfully converted. Check the error file for all of the conversion problems.

Those errors can occur for a multitude of reasons and are not necessarily bad. Snort2Lua expects a valid Snort 2 configuration. Therefore, if the configuration is invalid or has questionable syntax, Snort2Lua may fail to parse the configuration file or create an invalid Snort 3 configuration file.

There are a also few peculiarities of Snort2Lua that may be confusing to a first time user:

  • Aside from an initial configuration file (which is specified from the command line or as the file in ‘config binding’), every file that is included into Snort 3 must be either a Lua file or a rule file; the file cannot contain both rules and Lua syntax. Therefore, when parsing a file specified with the ‘include’ command, Snort2Lua will output both a Lua file and a rule file.

  • Any line that is a comment in a configuration file will be added in to a comments section at the bottom of the main configuration file.

  • Rules that contain unsupported options will be converted to the best of Snort2Lua’s capability and then printed as a comment in the rule file.

  • Files with a .rules suffix are assumed to be Talos 2.X rules files and converted line-by-line. In this case, lines starting with alert are converted as usual but lines starting with # alert are assumed to be commented out rules which are converted to 3.0 format and remain comments in the output file. All other comments are passed through directly. There is no support for other commented rule actions since these do not appear in Talos rules files.

Snort2Lua Command Line

By default, Snort2Lua will attempt to parse every ‘include’ file and every ‘binding’ file. There is an option to change this functionality.

When specifying a rule file with one of the command line options, Snort2Lua will output all of the converted rules to that specified rule file. This is especially useful when you are only interesting in converting rules since there is no Lua syntax in rule files. There is also an option that tells Snort2Lua to output every rule for a given configuration into a single rule file. Similarly, there is an option pull all of the Lua syntax from every ‘include’ file into the output file.

There are currently three output modes: default, quiet, and differences. As expected, quiet mode produces a Snort configuration. All errors (aside from Fatal Snort2Lua errors), differences, and comments will omitted from the final output file. Default mode will print everything. That mean you will be able to see exactly what changes have occurred between Snort 2 and Snort 3 in addition to the new syntax, the original file’s comments, and all errors that have occurred. Finally, differences mode will not actually output a valid Snort 3 configuration. Instead, you can see the exact options from the input configuration that have changed.

Usage: snort2lua [OPTIONS]… -c <snort_conf> …

Converts the Snort configuration file specified by the -c or --conf-file options into a Snort++ configuration file

Options:
  • -? show usage

  • -h this overview of snort2lua

  • -a default option. print all data

  • -c <snort_conf> The Snort <snort_conf> file to convert

  • -d print the differences, and only the differences, between the Snort and Snort++ configurations to the <out_file>

  • -e <error_file> output all errors to <error_file>

  • -i if <snort_conf> file contains any <include_file> or <policy_file> (i.e. include path/to/conf/other_conf), do NOT parse those files

  • -m add a remark to the end of every converted rule

  • -o <out_file> output the new Snort++ lua configuration to <out_file>

  • -q quiet mode. Only output valid configuration information to the <out_file>

  • -r <rule_file> output any converted rule to <rule_file>

  • -s when parsing <include_file>, write <include_file>'s rules to <rule_file>. Meaningless if -i provided

  • -t when parsing <include_file>, write <include_file>'s information, excluding rules, to <out_file>. Meaningless if -i provided

  • -V Print the current Snort2Lua version

  • --bind-wizard Add default wizard to bindings

  • --bind-port Convert port bindings

  • --conf-file Same as -c. A Snort <snort_conf> file which will be converted

  • --dont-parse-includes Same as -p. if <snort_conf> file contains any <include_file> or <policy_file> (i.e. include path/to/conf/other_conf), do NOT parse those files

  • --dont-convert-max-sessions do not convert max_tcp, max_udp, max_icmp, max_ip to max_session

  • --error-file=<error_file> Same as -e. output all errors to <error_file>

  • --help Same as -h. this overview of snort2lua

  • --ips-policy-pattern Convert config bindings matching this path to ips policy bindings

  • --markup print help in asciidoc compatible format

  • --output-file=<out_file> Same as -o. output the new Snort++ lua configuration to <out_file>

  • --print-all Same as -a. default option. print all data

  • --print-differences Same as -d. output the differences, and only the differences, between the Snort and Snort++ configurations to the <out_file>

  • --quiet Same as -q. quiet mode. Only output valid configuration information to the <out_file>

  • --remark same as -m. add a remark to the end of every converted rule

  • --rule-file=<rule_file> Same as -r. output any converted rule to <rule_file>

  • --single-conf-file Same as -t. when parsing <include_file>, write <include_file>'s information, excluding rules, to <out_file>

  • --single-rule-file Same as -s. when parsing <include_file>, write <include_file>'s rules to <rule_file>.

  • --version Same as -V. Print the current Snort2Lua version

Required option:
  • A Snort configuration file to convert. Set with either -c or --conf-file

Default values:
  • <out_file> = snort.lua

  • <rule_file> = <out_file> = snort.lua. Rules are written to the local_rules variable in the <out_file>

  • <error_file> = snort.rej. This file will not be created in quiet mode.

Known Problems

  • Any Snort 2 ‘string’ which is dependent on a variable will no longer have that variable in the Lua string.

  • Snort2Lua currently does not handle variables well. First, that means variables will not always be parsed correctly. Second, sometimes a variables value will be output in the lua file rather than a variable For instance, if Snort2Lua attempted to convert the line include $RULE_PATH/example.rule, the output may output include /etc/rules/example.rule instead.

  • When Snort2Lua parses a ‘binding’ configuration file, the rules and configuration will automatically be combined into the same file. Also, the new files name will automatically become the old file’s name with a .lua extension. There is currently no way to specify or change that files name.

  • If a rule’s action is a custom ruletype, that rule action will be silently converted to the rule’s type. No warnings or errors are currently emitted. Additionally, the custom ruletypes outputs will be silently discarded.

  • If the original configuration contains a binding that points to another file and the binding file contains an error, Snort2Lua will output the number of rejects for the binding file in addition to the number of rejects in the main file. The two numbers will eventually be combined into one output.

  • If the original configuration contains a replace rule with alert action, Snort2Lua won’t translate the rule from alert to rewrite action. It will keep the action as alert, which does not actually replace the content in Snort 3. To replace content, the rule action needs to be rewrite, which can be added manually or by tooling.

Usage

Snort2Lua is included in the Snort 3 distribution. The Snort2Lua source code is located in the tools/snort2lua directory. The program is automatically built and installed.

Translating your configuration

To run Snort2Lua, the only requirement is a file containing Snort 2 syntax. Assuming your configuration file is named snort.conf, run the command

snort2lua –c snort.conf

Snort2Lua will output a file named snort.lua. Assuming your snort.conf file is a valid Snort 2 configuration file, than the resulting snort.lua file will always be a valid Snort 3 configuration file; any errors that occur are because Snort 3 currently does not support all of the Snort 2 options.

Every keyword from the Snort configuration can be found in the output file. If the option or keyword has changed, then a comment containing both the option or keyword’s old name and new name will be present in the output file.

Translating a rule file

Snort2Lua can also accommodate translating individual rule files. Assuming the Snort 2 rule file is named snort.rules and you want the new rule file to be name updated.rules, run the command

snort2lua –c snort.rules -r updated.rules

Snort2Lua will output a file named updated.rules. That file, updated.rules, will always be a valid Snort 3 rule file. Any rule that contains unsupported options will be a comment in the output file.

Understanding the Output

Although Snort2Lua outputs very little to the console, there are several things that occur when Snort2Lua runs. This is a list of Snort2Lua outputs.

The console. Every line that Snort2Lua is unable to translate from the Snort 2.X format to the Snort 3 format is considered an error. Upon exiting, Snort2Lua will print the number of errors that occurred. Snort2Lua will also print the name of the error file.

The output file. As previously mentioned, Snort2Lua will create a Lua file with valid Snort 3 syntax. The default Lua file is named snort.lua. This file is the equivalent of your main Snort 2 configuration file.

The rule file. By default, all rules will be printed to the Lua file. However, if a rule file is specified on the command line, any rules found in the Snort 2 configuration will be written to the rule file instead

The error file. By default, the error file is snort.rej. It will only be created if errors exist. Every error referenced on the command line can be found in this file. There are two reasons an error can occur.

  • The Snort 2 configuration file has invalid syntax. If Snort 2 cannot parse the configuration file, neither can Snort2Lua. In the example below, Snort2Lua could not convert the line config bad_option. Since that is not valid Snort 2 syntax, this is a syntax error.

  • The Snort 2 configuration file contains preprocessors and rule options that are not supported in Snort 3. If Snort 2 can parse a line that Snort2Lua cannot parse, than Snort 3 does not support something in the line. As Snort 3 begins supporting these preprocessors and rule options, Snort2Lua will also begin translating these lines. One example of such an error is dcerpc2.

Additional .lua and .rules files. Every time Snort2Lua parses the include or binding keyword, the program will attempt to parse the file referenced by the keyword. Snort2Lua will then create one or two new files. The new files will have a .lua or .rules extension appended to the original filename.

Configuration Changes

change ->  dynamicdetection ==> 'snort.--plugin_path=<path>'
change ->  dynamicengine ==> 'snort.--plugin_path=<path>'
change ->  dynamicpreprocessor ==> 'snort.--plugin_path=<path>'
change ->  dynamicsidechannel ==> 'snort.--plugin_path=<path>'
change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy'
change -> attribute_table: 'filename <file_name>' ==> 'hosts[]'
change -> config ' addressspace_agnostic'  ==> ' packets. address_space_agnostic'
change -> config ' checksum_mode'  ==> ' network. checksum_eval'
change -> config ' daq_dir'  ==> ' daq. module_dirs, true'
change -> config ' detection_filter'  ==> ' alerts. detection_filter_memcap'
change -> config ' enable_deep_teredo_inspection'  ==> ' udp. deep_teredo_inspection'
change -> config ' event_filter'  ==> ' alerts. event_filter_memcap'
change -> config ' max_attribute_hosts'  ==> ' attribute_table. max_hosts'
change -> config ' max_attribute_services_per_host'  ==> ' attribute_table. max_services_per_host'
change -> config ' nopcre'  ==> ' detection. pcre_enable'
change -> config ' pkt_count'  ==> ' packets. limit'
change -> config ' rate_filter'  ==> ' alerts. rate_filter_memcap'
change -> config ' react'  ==> ' react. page'
change -> config ' threshold'  ==> ' alerts. event_filter_memcap'
change -> converter: 'gen_id' ==> 'gid'
change -> converter: 'sid_id' ==> 'sid'
change -> csv: 'csv' ==> 'fields'
change -> csv: 'dgmlen' ==> 'pkt_len'
change -> csv: 'dst' ==> 'dst_addr'
change -> csv: 'dstport' ==> 'dst_port'
change -> csv: 'ethdst' ==> 'eth_dst'
change -> csv: 'ethlen' ==> 'eth_len'
change -> csv: 'ethsrc' ==> 'eth_src'
change -> csv: 'ethtype' ==> 'eth_type'
change -> csv: 'icmpcode' ==> 'icmp_code'
change -> csv: 'icmpid' ==> 'icmp_id'
change -> csv: 'icmpseq' ==> 'icmp_seq'
change -> csv: 'icmptype' ==> 'icmp_type'
change -> csv: 'id' ==> 'ip_id'
change -> csv: 'iplen' ==> 'ip_len'
change -> csv: 'sig_generator' ==> 'gid'
change -> csv: 'sig_id' ==> 'sid'
change -> csv: 'sig_rev' ==> 'rev'
change -> csv: 'src' ==> 'src_addr'
change -> csv: 'srcport' ==> 'src_port'
change -> csv: 'tcpack' ==> 'tcp_ack'
change -> csv: 'tcpflags' ==> 'tcp_flags'
change -> csv: 'tcplen' ==> 'tcp_len'
change -> csv: 'tcpseq' ==> 'tcp_seq'
change -> csv: 'tcpwindow' ==> 'tcp_win'
change -> csv: 'udplength' ==> 'udp_len'
change -> daq: 'config daq:' ==> 'name'
change -> daq_mode: 'config daq_mode:' ==> 'mode'
change -> daq_var: 'config daq_var:' ==> 'variables'
change -> detection: 'ac' ==> 'ac_full'
change -> detection: 'ac-banded' ==> 'ac_banded'
change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'
change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'
change -> detection: 'ac-nq' ==> 'ac_full'
change -> detection: 'ac-q' ==> 'ac_full'
change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'
change -> detection: 'ac-split' ==> 'ac_full'
change -> detection: 'ac-split' ==> 'split_any_any'
change -> detection: 'ac-std' ==> 'ac_std'
change -> detection: 'acs' ==> 'ac_sparse'
change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'
change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'
change -> detection: 'intel-cpm' ==> 'hyperscan'
change -> detection: 'lowmem-nq' ==> 'lowmem'
change -> detection: 'lowmem-q' ==> 'lowmem'
change -> detection: 'max-pattern-len' ==> 'max_pattern_len'
change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'
change -> detection: 'search-method' ==> 'search_method'
change -> detection: 'search-optimize' ==> 'search_optimize'
change -> detection: 'split-any-any' ==> 'split_any_any = true by default'
change -> detection: 'split-any-any' ==> 'split_any_any'
change -> dnp3: 'ports' ==> 'bindings'
change -> dns: 'ports' ==> 'bindings'
change -> event_filter: 'gen_id' ==> 'gid'
change -> event_filter: 'sig_id' ==> 'sid'
change -> event_filter: 'threshold' ==> 'event_filter'
change -> file: 'config file: file_block_timeout' ==> 'block_timeout'
change -> file: 'config file: file_capture_block_size' ==> 'capture_block_size'
change -> file: 'config file: file_capture_max' ==> 'capture_max_size'
change -> file: 'config file: file_capture_memcap' ==> 'capture_memcap'
change -> file: 'config file: file_capture_min' ==> 'capture_min_size'
change -> file: 'config file: file_type_depth' ==> 'type_depth'
change -> file: 'config file: signature' ==> 'enable_signature'
change -> file: 'config file: type_id' ==> 'enable_type'
change -> file: 'ver' ==> 'version'
change -> frag3_engine: 'min_fragment_length' ==> 'min_frag_length'
change -> frag3_engine: 'overlap_limit' ==> 'max_overlaps'
change -> frag3_engine: 'policy bsd-right' ==> 'policy = bsd_right'
change -> frag3_engine: 'timeout' ==> 'session_timeout'
change -> ftp_telnet_protocol: 'alt_max_param_len' ==> 'cmd_validity'
change -> ftp_telnet_protocol: 'data_chan' ==> 'ignore_data_chan'
change -> ftp_telnet_protocol: 'ports' ==> 'bindings'
change -> gtp: 'ports' ==> 'bindings'
change -> http_inspect_server: 'bare_byte' ==> 'utf8_bare_byte'
change -> http_inspect_server: 'client_flow_depth' ==> 'request_depth'
change -> http_inspect_server: 'double_decode' ==> 'iis_double_decode'
change -> http_inspect_server: 'http_inspect_server' ==> 'http_inspect'
change -> http_inspect_server: 'iis_backslash' ==> 'backslash_to_slash'
change -> http_inspect_server: 'inspect_gzip' ==> 'unzip'
change -> http_inspect_server: 'non_rfc_char' ==> 'bad_characters'
change -> http_inspect_server: 'ports' ==> 'bindings'
change -> http_inspect_server: 'u_encode' ==> 'percent_u'
change -> http_inspect_server: 'utf_8' ==> 'utf8'
change -> imap: 'ports' ==> 'bindings'
change -> modbus: 'ports' ==> 'bindings'
change -> na_policy_mode: 'na_policy_mode' ==> 'mode'
change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:32768]'
change -> perfmonitor: 'console' ==> 'format = 'text''
change -> perfmonitor: 'console' ==> 'output = 'console''
change -> perfmonitor: 'file' ==> 'format = 'csv''
change -> perfmonitor: 'file' ==> 'output = 'file''
change -> perfmonitor: 'flow-file' ==> 'format = 'csv''
change -> perfmonitor: 'flow-file' ==> 'output = 'file''
change -> perfmonitor: 'flow-ip' ==> 'flow_ip'
change -> perfmonitor: 'flow-ip-file' ==> 'format = 'csv''
change -> perfmonitor: 'flow-ip-file' ==> 'output = 'file''
change -> perfmonitor: 'flow-ip-memcap' ==> 'flow_ip_memcap'
change -> perfmonitor: 'flow-ports' ==> 'flow_ports'
change -> perfmonitor: 'pktcnt' ==> 'packets'
change -> perfmonitor: 'snortfile' ==> 'format = 'csv''
change -> perfmonitor: 'snortfile' ==> 'output = 'file''
change -> perfmonitor: 'time' ==> 'seconds'
change -> policy_mode: 'inline_test' ==> 'inline-test'
change -> pop: 'ports' ==> 'bindings'
change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath'
change -> ppm: 'max-pkt-time' ==> 'packet.max_time'
change -> ppm: 'max-rule-time' ==> 'rule.max_time'
change -> ppm: 'ppm' ==> 'latency'
change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend'
change -> ppm: 'suspend-timeout' ==> 'max_suspend_time'
change -> ppm: 'threshold' ==> 'rule.suspend_threshold'
change -> preprocessor 'normalize_ icmp4' ==> 'normalize. icmp4'
change -> preprocessor 'normalize_ icmp6' ==> 'normalize. icmp6'
change -> preprocessor 'normalize_ ip6' ==> 'normalize. ip6'
change -> profile: 'print' ==> 'count'
change -> profile: 'sort avg_ticks' ==> 'sort = avg_check'
change -> profile: 'sort total_ticks' ==> 'sort = total_time'
change -> rate_filter: 'gen_id' ==> 'gid'
change -> rate_filter: 'sig_id' ==> 'sid'
change -> reputation: 'shared_mem' ==> 'list_dir'
change -> rule_state: 'enabled/disabled' ==> 'enable'
change -> rule_state: 'sdrop' ==> 'drop'
change -> sfportscan: 'proto' ==> 'protos'
change -> sfportscan: 'scan_type' ==> 'scan_types'
change -> sip: 'ports' ==> 'bindings'
change -> smtp: 'ports' ==> 'bindings'
change -> ssh: 'server_ports' ==> 'bindings'
change -> ssl: 'ports' ==> 'bindings'
change -> stream5_global: 'max_active_responses' ==> 'max_responses'
change -> stream5_global: 'min_response_seconds' ==> 'min_interval'
change -> stream5_global: 'tcp_cache_nominal_timeout' ==> 'idle_timeout'
change -> stream5_global: 'udp_cache_nominal_timeout' ==> 'idle_timeout'
change -> stream5_ha: 'min_session_lifetime' ==> 'min_age'
change -> stream5_ha: 'min_sync_interval' ==> 'min_sync'
change -> stream5_ha: 'stream5_ha' ==> 'high_availability'
change -> stream5_ha: 'use_daq' ==> 'daq_channel'
change -> stream5_ip: 'timeout' ==> 'session_timeout'
change -> stream5_tcp: 'bind_to' ==> 'bindings'
change -> stream5_tcp: 'dont_reassemble_async' ==> 'reassemble_async'
change -> stream5_tcp: 'max_queued_bytes' ==> 'queue_limit.max_bytes'
change -> stream5_tcp: 'max_queued_segs' ==> 'queue_limit.max_segments'
change -> stream5_tcp: 'policy hpux' ==> 'stream_tcp.policy = hpux11'
change -> stream5_tcp: 'timeout' ==> 'session_timeout'
change -> stream5_udp: 'timeout' ==> 'session_timeout'
change -> suppress: 'gen_id' ==> 'gid'
change -> suppress: 'sig_id' ==> 'sid'
change -> syslog: 'log_alert' ==> 'level = alert'
change -> syslog: 'log_auth' ==> 'facility = auth'
change -> syslog: 'log_authpriv' ==> 'facility = authpriv'
change -> syslog: 'log_cons' ==> 'options = cons'
change -> syslog: 'log_crit' ==> 'level = crit'
change -> syslog: 'log_daemon' ==> 'facility = daemon'
change -> syslog: 'log_debug' ==> 'level = debug'
change -> syslog: 'log_emerg' ==> 'level = emerg'
change -> syslog: 'log_err' ==> 'level = err'
change -> syslog: 'log_info' ==> 'level = info'
change -> syslog: 'log_local0' ==> 'facility = local0'
change -> syslog: 'log_local1' ==> 'facility = local1'
change -> syslog: 'log_local2' ==> 'facility = local2'
change -> syslog: 'log_local3' ==> 'facility = local3'
change -> syslog: 'log_local4' ==> 'facility = local4'
change -> syslog: 'log_local5' ==> 'facility = local5'
change -> syslog: 'log_local6' ==> 'facility = local6'
change -> syslog: 'log_local7' ==> 'facility = local7'
change -> syslog: 'log_ndelay' ==> 'options = ndelay'
change -> syslog: 'log_notice' ==> 'level = notice'
change -> syslog: 'log_perror' ==> 'options = perror'
change -> syslog: 'log_pid' ==> 'options = pid'
change -> syslog: 'log_user' ==> 'facility = user'
change -> syslog: 'log_warning' ==> 'level = warning'
change -> threshold: 'ips_option: threshold' ==> 'event_filter'
change -> unified2: ' alert_unified2' ==> 'unified2'
change -> unified2: ' log_unified2' ==> 'unified2'
change -> unified2: ' unified2' ==> 'unified2'
deleted -> arpspoof: 'unicast'
deleted -> attribute_table: '<FRAG_POLICY>hpux</FRAG_POLICY>'
deleted -> attribute_table: '<FRAG_POLICY>irix</FRAG_POLICY>'
deleted -> attribute_table: '<FRAG_POLICY>old-linux</FRAG_POLICY>'
deleted -> attribute_table: '<FRAG_POLICY>unknown</FRAG_POLICY>'
deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>'
deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>'
deleted -> config ' cs_dir'
deleted -> config ' decode_data_link'
deleted -> config ' disable_attribute_reload_thread'
deleted -> config ' disable_decode_alerts'
deleted -> config ' disable_decode_drops'
deleted -> config ' disable_inline_init_failopen'
deleted -> config ' disable_ipopt_alerts'
deleted -> config ' disable_ipopt_drops'
deleted -> config ' disable_tcpopt_alerts'
deleted -> config ' disable_tcpopt_drops'
deleted -> config ' disable_tcpopt_experimental_alerts'
deleted -> config ' disable_tcpopt_experimental_drops'
deleted -> config ' disable_tcpopt_obsolete_alerts'
deleted -> config ' disable_tcpopt_obsolete_drops'
deleted -> config ' disable_tcpopt_ttcp_alerts'
deleted -> config ' disable_ttcp_alerts'
deleted -> config ' disable_ttcp_drops'
deleted -> config ' dump_dynamic_rules_path'
deleted -> config ' enable_decode_drops'
deleted -> config ' enable_decode_oversized_alerts'
deleted -> config ' enable_decode_oversized_drops'
deleted -> config ' enable_gtp'
deleted -> config ' enable_ipopt_drops'
deleted -> config ' enable_tcpopt_drops'
deleted -> config ' enable_tcpopt_experimental_drops'
deleted -> config ' enable_tcpopt_obsolete_drops'
deleted -> config ' enable_tcpopt_ttcp_drops'
deleted -> config ' enable_ttcp_drops'
deleted -> config ' flexresp2_attempts'
deleted -> config ' flexresp2_interface'
deleted -> config ' flexresp2_memcap'
deleted -> config ' flexresp2_rows'
deleted -> config ' flowbits_size'
deleted -> config ' include_vlan_in_alerts'
deleted -> config ' interface'
deleted -> config ' layer2resets'
deleted -> config ' log_ipv6_extra_data'
deleted -> config ' no_promisc'
deleted -> config ' nolog'
deleted -> config ' protected_content'
deleted -> config ' sidechannel'
deleted -> config ' so_rule_memcap'
deleted -> config 'dynamicoutput'
deleted -> config 'sfalert_unified2'
deleted -> config 'sflog_unified2'
deleted -> config 'sidechannel'
deleted -> csv: '<filename> can no longer be specific'
deleted -> csv: 'default'
deleted -> csv: 'trheader'
deleted -> detection: 'mwm'
deleted -> dnp3: 'disabled'
deleted -> dnp3: 'memcap'
deleted -> dns: 'enable_experimental_types'
deleted -> dns: 'enable_obsolete_types'
deleted -> dns: 'enable_rdata_overflow'
deleted -> event_trace: 'file'
deleted -> fast: '<filename> can no longer be specific'
deleted -> frag3_engine: 'detect_anomalies'
deleted -> frag3_global: 'disabled'
deleted -> ftp_telnet_protocol: 'detect_anomalies'
deleted -> full: '<filename> can no longer be specific'
deleted -> http_inspect: 'detect_anomalous_servers'
deleted -> http_inspect: 'disabled'
deleted -> http_inspect: 'proxy_alert'
deleted -> http_inspect_server: 'allow_proxy_use'
deleted -> http_inspect_server: 'enable_cookie'
deleted -> http_inspect_server: 'enable_xff'
deleted -> http_inspect_server: 'extended_ascii_uri'
deleted -> http_inspect_server: 'extended_response_inspection'
deleted -> http_inspect_server: 'iis_unicode_map not allowed in sever'
deleted -> http_inspect_server: 'inspect_uri_only'
deleted -> http_inspect_server: 'log_hostname'
deleted -> http_inspect_server: 'log_uri'
deleted -> http_inspect_server: 'no_alerts'
deleted -> http_inspect_server: 'no_pipeline_req'
deleted -> http_inspect_server: 'non_strict'
deleted -> http_inspect_server: 'normalize_cookies'
deleted -> http_inspect_server: 'normalize_headers'
deleted -> http_inspect_server: 'small_chunk_length'
deleted -> http_inspect_server: 'tab_uri_delimiter'
deleted -> http_inspect_server: 'unlimited_decompress'
deleted -> imap: 'disabled'
deleted -> imap: 'max_mime_mem'
deleted -> imap: 'memcap'
deleted -> perfmonitor: 'accumulate'
deleted -> perfmonitor: 'atexitonly'
deleted -> perfmonitor: 'atexitonly: base-stats'
deleted -> perfmonitor: 'atexitonly: events-stats'
deleted -> perfmonitor: 'atexitonly: flow-ip-stats'
deleted -> perfmonitor: 'atexitonly: flow-stats'
deleted -> perfmonitor: 'atexitonly: reset'
deleted -> perfmonitor: 'events'
deleted -> perfmonitor: 'max'
deleted -> pop: 'disabled'
deleted -> pop: 'max_mime_mem'
deleted -> pop: 'memcap'
deleted -> ppm: 'debug-pkts'
deleted -> reputation: 'shared_max_instances'
deleted -> reputation: 'shared_refresh'
deleted -> rpc_decode: 'alert_fragments'
deleted -> rpc_decode: 'no_alert_incomplete'
deleted -> rpc_decode: 'no_alert_large_fragments'
deleted -> rpc_decode: 'no_alert_multiple_requests'
deleted -> sfportscan: 'detect_ack_scans'
deleted -> sfportscan: 'disabled'
deleted -> sfportscan: 'logfile'
deleted -> sfportscan: 'sense_level'
deleted -> sip: 'disabled'
deleted -> sip: 'max_sessions'
deleted -> smtp: 'alert_unknown_cmds'
deleted -> smtp: 'disabled'
deleted -> smtp: 'enable_mime_decoding'
deleted -> smtp: 'inspection_type'
deleted -> smtp: 'max_mime_depth'
deleted -> smtp: 'max_mime_mem'
deleted -> smtp: 'memcap'
deleted -> smtp: 'no_alerts'
deleted -> smtp: 'print_cmds'
deleted -> ssh: 'autodetect'
deleted -> ssh: 'enable_badmsgdir'
deleted -> ssh: 'enable_paysize'
deleted -> ssh: 'enable_protomismatch'
deleted -> ssh: 'enable_recognition'
deleted -> ssh: 'enable_respoverflow'
deleted -> ssh: 'enable_srvoverflow'
deleted -> ssh: 'enable_ssh1crc32'
deleted -> ssl: 'noinspect_encrypted'
deleted -> stream5_global: 'disabled'
deleted -> stream5_global: 'flush_on_alert'
deleted -> stream5_global: 'memcap'
deleted -> stream5_global: 'no_midstream_drop_alerts'
deleted -> stream5_tcp: 'check_session_hijacking'
deleted -> stream5_tcp: 'detect_anomalies'
deleted -> stream5_tcp: 'dont_store_large_packets'
deleted -> stream5_tcp: 'ignore_any_rules'
deleted -> stream5_tcp: 'log_asymmetric_traffic'
deleted -> stream5_tcp: 'policy noack'
deleted -> stream5_tcp: 'policy unknown'
deleted -> stream5_udp: 'ignore_any_rules'
deleted -> tcpdump: '<filename> can no longer be specific'
deleted -> test: 'file'
deleted -> test: 'stdout'
deleted -> unified2: 'filename'
deleted -> unified2: 'mpls_event_types'
deleted -> unified2: 'vlan_event_types'