File: [cvs] / snort / ChangeLog
Revision: 1.334.2.2, Wed Aug 4 20:29:00 2004 UTC by jhewlett
Branch: SNORT_2_2
CVS Tags: SNORT_v2_2_0
Changes since 1.334.2.1: +7 -2 lines
* few more updates
2004-07-28 Daniel Roelker <droelker@sourcefire.com>
* configure.in:
Added --include-pcre* configuration option to help cross compiling.
Thanks Erik de Castro Lopo.
* src/event_queue.c:
Fix bug in multi-event logging when thresholding/suppression was enabled
for events in the queue. Thanks Andreas Ostling.
* src/output-plugins/spo_log_tcpdump.c:
When a rebuilt stream causes an alert, log out the original packets
instead of the rebuilt packet. Thanks sekure@gmail.com for the report.
* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
Turn off some alerts in the profile that were causing false positives.
* src/preprocessors/HttpInspect/normalization/hi_norm.c:
Turn off encoding alerts in HTTP parameter field. The parameter
field is still normalized, it just doesn't alert. This helps
reduce alerts that are generated from complex parameter queries.
* src/log.c:
Fixed memory leak in "fast" output. Thanks for your bug report
sekure@gmail.com.
2004-06-22 Chris Reid <chris.reid@codecraftconsultants.com>
* src/snort.c:
Clear error code which under Windows was causing a
subsequent false failure in parsing threshold rules.
(thanks to Rich Adamson)
2004-06-16 Daniel Roelker <droelker@sourcefire.com>
* src/sfutil/asn1.c:
* src/sfutil/asn1.h:
* src/detection-plugins/sp_asn1.c:
* src/detection-plugins/sp_asn1.h:
* src/debug.h:
* src/snort.c:
Added ASN.1 parsing and detection functionality to snort.
Please refer to README.asn1 for more information on rule
usage. (Roelker)
* src/parser.c:
Added parsing check from Andreas Ostling so that users don't
assume that destination port lists are allowed because no
error is given.
* src/preprocessors/spp_stream4.c:
Fixed rebuilt TCP packet munging reported by Steve Halligan.
Thanks a lot for getting this problem down to pcap so we could
analyze the problem.
* src/detect.c:
* src/event_queue.c:
* src/log.c:
* src/preprocessors/spp_stream4.c:
* src/sfutil/sfeventq.c:
Improve TCP reassembly flushing for TCP streams that have already
generated an alert. This was illustrated by Brian Bailey in his
SANS GIAC practical examination. Thanks for working with us on
this one.
2004-05-06 Daniel Roelker <droelker@sourcefire.com>
* src/detection-plugins/sp_pattern_match.c:
Fixed rule read up error when parsing hexmode content options.
Thanks for pointing it out Marty. (Roelker)
* src/preprocessors/spp_stream4.c:
Fixed null pointer dereference when detect_scans were enabled and
creating a new session that had funky flags. Thanks to Chad
Kreimendahl for reporting the bug and testing the fix. (Roelker)
* src/snort.h:
at build 28
2004-04-22 Daniel Roelker <droelker@sourcefire.com>
* src/decode.c:
* src/detect.c:
* src/event_queue.c:
* src/event_queue.h:
* src/event_wrapper.c:
* src/event_wrapper.h:
* src/fpcreate.c:
* src/fpcreate.h:
* src/parser.c:
* src/preprocessors/spp_arpspoof.c:
* src/preprocessors/spp_bo.c:
* src/preprocessors/spp_conversation.c:
* src/preprocessors/spp_frag2.c:
* src/preprocessors/spp_rpc_decode.c:
* src/preprocessors/spp_stream4.c:
* src/sfutil/sfeventq.c:
* src/sfutil/sfeventq.h:
* src/signature.c:
* src/signature.h:
* src/snort.c:
Added new event queueing algorithm, so Snort logs multiple events
per packet/stream. The algorithm uses two ordering methods: priority
and content length. (Roelker)
* src/fpcreate.c:
* src/fpcreate.h:
* src/sfutil/acsmx2.c:
* src/sfutil/acsmx2.h:
* src/sfutil/acsmx.c:
* src/sfutil/acsmx.h:
* src/sfutil/mpse.c:
* src/sfutil/mpse.h:
New Aho-Corasick pattern matchers (Norton). Added content length
tracking on otnx structures.
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/HttpInspect/normalization/hi_norm.c:
* src/preprocessors/snort_httpinspect.c:
Added webroot alert. This alert is generated when a URL directory
traversal traverses past the webroot. Added new URI discovery
technique pointed out by Kanatoko.
* src/tag.c:
Revert to old tagging behavior. Will add new functionality in a future
version.
* src/util.c:
Changed Snort post-processing stats to unsigned so users won't get
negative stats. Thanks to various people from the community for
reporting this.
2004-03-22 Chris Reid <chris.reid@codecraftconsultants.com>
* src/plugbase.c:
* src/plugbase.h:
* src/output-plugins/spo_database.c:
Updated how current/utc times are calculated, as well
as how they are formatted (thanks Marcus Janoski)
2004-03-18 mfr <roesch@sourcefire.com>
* src/sfutil/acsmx2.c:
Fixed _toupper/_tolower calls on non-Win32 machines (again).
* src/preprocessors/spp_stream4.c:
Uncommented ssnptr set in BuildPacket() for Dan
2004-03-17 mfr <roesch@sourcefire.com>
* src/parser.c:
Added FatalError() in ProcessIP if closing IP-list '[' isn't found
* src/util.c:
Revamped DropStats() function to use screen real estate more efficiently
* src/event_wrapper.c:
QueueEvent checks to see if we're in MODE_IDS before queuing events and
ClearEventQueue() checks to make sure that the event_list has been
initialized.
* src/sfutil/acsmx2.c:
Fixed _toupper/_tolower calls on non-Win32 machines.
* src/sfutil/acsmx2.c:
Fixed acsmx.h call to acsmx2.h.
* doc/Makefile.am:
Mark snort_manual.pdf for cleanup too.
2004-03-16 Jeremy Hewlett <jh@sourcefire.com>
* src/snort.c:
* src/sfutil/acsmx2.c:
* src/sfutil/acsmx2.h:
* src/sfutil/Makefile.am:
New Aho-Corasick pattern matcher from Marc Norton - memory usage reduced by 75%.
* src/snort.h:
Build 26
2004-03-15 Jeremy Hewlett <jh@sourcefire.com>
* src/parser.c:
"config checksum_mode" now supports multiple arguments on one line
instead of multiple lines.
2004-03-15 Daniel Roelker <droelker@sourcefire.com>
* src/util.c:
Calculate dropped packets and received packets correctly. Thanks
Yoann Vandoorselaere for pointing this out.
2004-03-08 Daniel Roelker <droelker@sourcefire.com>
* configure.in:
Thanks to Erik de Castro Lopo for removing warnings.
* src/decode.c:
* src/decode.h:
* src/detect.c:
* src/event_wrapper.c:
* src/event_wrapper.h:
* src/snort.c:
New event queuing and logging for decoder and stream4 events (Marty).
* src/fpdetect.c:
Return value for fpEvalPacket and reset BITOP array on HTTP
pipelines (Marty/Roelker).
* src/generators.h:
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/HttpInspect/client/hi_client_norm.c:
* src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
* src/preprocessors/HttpInspect/include/hi_eo_events.h:
* src/preprocessors/HttpInspect/include/hi_ui_config.h:
* src/preprocessors/HttpInspect/normalization/hi_norm.c:
* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
Added non-rfc chunk length encoding support, thanks for pointing it out
H.D. Moore, and added webroot alert which alerts on webroot directory
traversals (Roelker).
* src/debug.h:
* src/preprocessors/Makefile.am:
* src/preprocessors/spp_stream4.c:
* src/preprocessors/spp_stream4.h:
* src/preprocessors/stream.h:
Added new TCP state engine (Marty).
* src/output-plugins/spo_unified.c:
Added stream packet logging for unified output, when alerting on
rebuilt streams (Marty).
* src/preprocessors/spp_conversation.c:
Fixed conversation parsing faults so users can operate this
preprocessor (Roelker).
* src/snort_packet_header.h:
Added for future support (Marty).
* src/snort.h:
Now on build 25.
2004-02-25 Jeremy Hewlett <jh@sourcefire.com>
* src/output-plugins/spo_csv.c:
Additional fixes from Alan Milligan with CSV output, thanks!
* src/sfutil/bitop.h:
Cleaning up unsigned/signed warnings
* src/snort.h:
Moving to build 24
2004-02-25 Chris Reid <chris.reid@codecraftconsultants.com>
* src/output-plugins/spo_database.c:
Removed escaping of '%' and '_' characters in MySQL (thanks
Kristofer Karas).
2004-02-23 Jeremy Hewlett <jh@sourcefire.com>
* snort.8:
Updated -T info to include where snort looks for "snort.conf." Thanks
Drew Smith for pointing that out.
* doc/snort_manual.tex:
Doc updates for thresholding - rule thresholds must contain a sid.
* src/detect.c:
* src/plugbase.c:
Changed some startup messages from printf to LogMessage to be more
consistent. Thanks for the patch, nnposter(at)users.sourceforge.net.
* src/snort.h:
Touched source code - bumping to 23
2004-02-17 Jeremy Hewlett <jh@sourcefire.com>
* src/output-plugins/spo_csv.c:
Fixed minor problems with CSV output not printing out src,srcport,
dst,dstport properly. Thanks for the patch, Bill Guyton. Good spot!
* src/snort.h:
Now at build 22
2004-02-13 mfr <roesch@sourcefire.com>
* templates/sp_template.h:
* templates/sp_template.c:
* templates/spp_template.h:
* templates/spp_template.c:
Updated to match the current reality of Snort.
2004-02-10 Jeremy Hewlett <jh@sourcefire.com>
* src/bounds.h:
* src/event.h:
* src/signature.h:
Added fix for compiling on Tru64 - bitypes.h now wrapped in an ifdef.
Thanks Hari Gopal and Darryl Cook for pointing out the problem and
testing.
* etc/snort.conf:
* doc/snort_manual.tex:
Various fixes pointed out by JP Vossen and Felipe Franciosi.
2004-02-09 Jeremy Hewlett <jh@sourcefire.com>
* src/Makefile.am:
Removed unnecessary libintsnort.a, which was causing problems for some
trying to compile on Solaris without the default system tools (ie: the
"ar" problem).
2004-02-05 Jeremy Hewlett <jh@sourcefire.com>
* Makefile.am:
Fixed tab vs space problem on Solaris. Thanks for the report, Chad
Kreimendahl!
2004-02-05 Daniel Roelker <droelker@sourcefire.com>
* src/preprocessors/flow/portscan/flowps.c:
* src/preprocessors/flow/portscan/flowps_snort.c:
Fixed alert_once bug that was discovered by Kevin Amorin. Thanks for
pointing out the particulars of the problem, so we could do a quick
fix.
2004-01-30 Daniel Roelker <droelker@sourcefire.com>
* src/decode.h:
* src/detection-plugins/Makefile.am:
* src/detection-plugins/sp_flowbits.c:
* src/detection-plugins/sp_flowbits.h:
* src/parser.c:
* src/plugbase.c:
* src/preprocessors/flow/flow_cache.c:
* src/preprocessors/flow/flow_cache.h:
* src/preprocessors/flow/flow.h:
* src/preprocessors/spp_flow.c:
* src/preprocessors/spp_flow.h:
* src/sfutil/bitop.h:
* src/snort.c:
Added Flowbits detection functionality. Thanks Brian Caswell for
initial code prototype.
* src/sys_include.h:
* src/ubi_BinTree.c:
* src/ubi_BinTree.h:
* src/ubi_SplayTree.c:
* src/ubi_SplayTree.h:
No more Log variables. Die, die, die . . .
2004-01-21 Jeremy Hewlett <jh@sourcefire.com>
* contrib/perfstats.c:
Added utility to parse out perfmon stats
* RELEASE.NOTES:
Added file to keep track of release notes. ChangeLog will migrate to
more detailed, code-oriented comments.
2004-01-20 Jeremy Hewlett <jh@sourcefire.com>
* src/detect.c:
Tagged Packets no longer have NULL msg name.
* src/output-plugins/spo_csv.c:
Minor CSV fixes from Elias Levy (Thanks Elias!)
* doc/snort_manual.pdf:
* doc/snort_manual.tex:
Minor LaTeX fixes from Jen Harvey (Thanks Jen!)
2004-01-16 Jeremy Hewlett <jh@sourcefire.com>
* src/decode.h:
* src/preprocessors/spp_stream4.c:
Fixed http_inspect double alerting on pkts and rebuilt streams. (Thanks
Andreas Ostling)
* src/detect.c:
Fixed double incrementing of pc.log_pkts on non-rule events.
* src/detect.h:
Removed duplicated SnortEvent() function.
* src/event_wrapper.c:
Added additional checks to GenerateSnortEvent().
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/HttpInspect/include/hi_si.h:
* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
* src/preprocessors/snort_httpinspect.c:
http_inspect proxy_alert now supports normal proxy networks setups.
http_inspect default server only valid if specified in config. (Thanks
Brent Erickson)
* src/snort.c:
Error on multiple interfaces on command line.
Corrected pcap_compile error. (Thanks Andreas Ostling).
* src/output-plugins/spo_csv.c:
Added string escaping for the msg.
2004-01-13 Chris Reid <chris.reid@codecraftconsultants.com>
* Added Oracle support into Win32 version. Much appreciation
to Adam Peterson and SPL Worldgroup Inc. for sponsoring this
development! This option will now be available within the
Win32 installer thanks to their contribution.
2004-01-13 Jeremy Hewlett <jh@sourcefire.com>
* src/detection-plugins/sp_session.c:
Fixed vague error message with directory creation problems (Thanks
Kenneth Ingham)
* src/event_wrapper.c:
* src/event_wrapper.h:
* src/preprocessors/flow/flow.c:
* src/preprocessors/flow/flow_cache.h:
* src/preprocessors/flow/flow_callback.h:
* src/preprocessors/flow/flow.h:
* src/preprocessors/flow/flow_stat.c:
* src/preprocessors/flow/flow_stat.h:
* src/preprocessors/flow/portscan/flowps.c:
* src/preprocessors/flow/portscan/flowps.h:
* src/preprocessors/flow/portscan/flowps_snort.c:
* src/preprocessors/flow/portscan/scoreboard.c:
* src/preprocessors/flow/portscan/scoreboard.h:
* src/preprocessors/flow/portscan/server_stats.c:
* src/preprocessors/flow/portscan/server_stats.h:
* src/preprocessors/flow/portscan/unique_tracker.c:
* src/sfutil/util_net.c:
* src/sfutil/util_net.h:
Fixed compilation problems on Solaris and some versions of BSD.
Thanks to the Snort community for your support. These fixes change the
variable type to u_int32 to remove the need for stdint.h
* src/output-plugins/spo_alert_unixsock.c:
Close Socket when Snort receives SIGHUP (Based on patch submitted by
Neetu Nangia)
* src/output-plugins/spo_csv.c:
Added GID, SID, and Rev to csv output (Thanks Brennen Reynolds)
* src/output-plugins/spo_log_tcpdump.c:
* src/output-plugins/spo_unified.c:
* src/preprocessors/perf-base.c:
* src/preprocessors/spp_stream4.c:
Fixed build warnings on FreeBSD 5.0
* src/parser.c:
config chroot readded
* src/parser.c:
* src/parser.h:
Added additional error checking for custom rules (Thanks Andreas
Ostling)
* src/preprocessors/flow/flow_print.c:
Flow now honors -q (quiet)
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/HttpInspect/normalization/hi_norm.c:
Fixed issue with no_alert not quieting some alerts
* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
Removed non_rfc_chars from default profiles
* src/sfthreshold.c:
* src/sfutil/sfthd.c:
* src/sfutil/sfthd.h:
Added suppression negation (Thanks Andreas Ostling)
* src/sfthreshold.c:
Fixed backwards display of IP addresses on Solaris
* doc/FAQ:
* doc/README.csv:
* doc/README.http_inspect:
* doc/README.thresholding:
* doc/snort_manual.pdf:
* doc/snort_manual.tex:
Minor clarifications and additions.
2004-01-05 Daniel Roelker <droelker@sourcefire.com>
* src/fpdetect.c:
Fixes the signature error that users were getting after changes
to the AddMatch and SelectEvent routines. Thanks Andreas Ostling,
Ron Shuck, Jon Hart, and Chris Keladis.
2003-12-22 Daniel Roelker <droelker@sourcefire.com>
* src/parser.c:
Andreas Ostling parser fixes and updated error messages.
2003-12-20 Chris Reid <chris.reid@codecraftconsultants.com>
* Win32 version wouldn't run as a service. Thanks to
Michael Steele for pointing this out.
2003-12-17 Chris Reid <chris.reid@codecraftconsultants.com>
* Updated Win32 to 2.1.
* src/output-plugins/spo_database.c:
Better support for ODBC. Better memory management (thanks
Jeff Nathan). Improved escaping of SQL strings.
2003-12-17 Daniel Roelker <droelker@sourcefire.com>
* Snort 2.1 Release
* src/decode.h:
Options struct element len, changed to octet. Thanks
Andrew Rucker.
* src/detection-plugins/sp_pattern_match.c:
Infinite looping patch during specific recursion processing.
Thanks Lawrence Reed.
* src/detection-plugins/sp_pcre.c:
Fixed pcre URI matching. Thanks Jeremy Hewlett.
* sp_respond.c:
Fixes to help respond actions to correlate more closely to
RFCs and now doesn't allow users to shoot themselves in
the foot.
* src/preprocessors/HttpInspect/normalization/hi_norm.c:
Only log DOUBLE DECODE alerts if it's in the URL and not
the parameter section.
* src/preprocessors/spp_stream4.c:
Sync stream4 up with the various versions of it. Fix
problem of out-of-order ACKS that was recognized by
Andrew Rucker. Also fixed off-by-one bug on reassembled
streams that was introduced by previous stream4 patch.
* src/sfutil/mwm.c:
* src/sfutil/mwm.h:
Fixed memory access bug in mwm content matching that multiple
users were able to reproduce.
* src/tag.c:
Pkt tagging configuration now works correctly. Thanks Jeremy
Hewlett for pointing this out.
2003-12-08 Chris Reid <chris.reid@codecraftconsultants.com>
* Updated Snort 2.1 Win32 installer
* Updated spo_database.c to escape sensor name strings.
This had been causing a problem under Windows with MySQL
because of WinPcap sensor names having embedded backslashes.
2003-12-03 Chris Reid <chris.reid@codecraftconsultants.com>
* Updated Snort 2.1 beta to support Win32
2003-11-18 Daniel Roelker <droelker@sourcefire.com>
* src/detection-plugins/sp_ip_proto.c:
Re-added ip_proto structure to ds_list so that the high-speed
detection engine once again optimizes on ip_proto rules.
2003-11-14 Chris Green <cmg@sourcefire.com>
* src/preprocessors/flow/portscan/flowps_snort.c:
* when using pktkludge output format, make destination address
the last one seen.
2003-11-07 Daniel Roelker <droelker@sourcefire.com>
* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
Added some additional config options to server profiles all and iis.
* src/preprocessors/HttpInspect/client/hi_client.c:
Return invalid URI for configs that don't allow a tab as a URI
delimiter instead of processing. This helps reduce false positives
for servers that won't accept tabs as valid.
* autojunk.sh:
Added --add-missing to automake so the flow dependencies get installed.
* src/detection-plugins/sp_dsize_check.c:
Validate dsize argument so that it is a decimal number and a
positive integer.
2003-11-07 Martin Roesch <roesch@sourcefire.com>
* src/sfthreshold.c (print_thresholding):
Cleaned up linewrapped separators, cosmetic cleanup for 80-col
terminals
2003-11-06 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_pattern_match.c (CheckANDPatternMatch):
Fixed a bug in sp_pattern_match that was introduced with the
recursive processing in 2.0.3 that resulted in a core dump due
to an OOB read
2003-11-04 Chris Green <cmg@sourcefire.com>
* src/log.c (PrintIPHeader): print frag size as the size of the
datagram - header
2003-11-04 Marc Norton <mnorton@sourcefire.com>
* src/snort.c (SnortMain): display thresholding information at
start up
2003-10-30 Chris Green <cmg@sourcefire.com>
* src/log.c (PrintIPHeader):
make fragsize print out the size of the payload rather than the
size of the header
2003-10-28 Marc Norton <mnorton@sourcefire.com>
* src/sfutil/mwm.c:
fixed bug with search-method mwm resulting in retesting removing
an active rule on occasion (Thanks to Raul Siles & David Perez
for a reproducible test case!)
2003-10-28 Chris Green <cmg@sourcefire.com>
* src/util.c (read_infile): make snort FatalError on bpf filter
problems (reported by Fran Loehmann)
2003-10-27 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_flow.c
(DEFAULT_MEMCAP):
make default memcaps much smaller
(FlowInit):
display correct memcap
2003-10-20 Chris Green <cmg@sourcefire.com>
* configure.in:
- removed smb alerting since it should be moved to barnyard
Major 2.1 Features
- Suppression/Thresholding by
- HttpInspect replaces http_decode by Dan
- Flow ( replaces spp_conversation )
- Flow-Portscan
- PCRE (www.pcre.org) is now required to build
- pcre keyword for regular expressions incorporated
- isdataat keyword to help with rule writing
See the doc/ subdirectory for more details
2003-10-02 Chris Green <cmg@sourcefire.com>
* src/parser.c (RuleType): func == NULL bug fix for Bart Haagdorens
* Incorporated Steve Grubb's HUP fix for -u users that aren't
doing Chroot.
2003-09-22 Chris Green <cmg@sourcefire.com>
* back from honeymoon
* src/preprocessors/spp_stream4.c (BuildPacket):
fixed DEBUG compilation/zero_flushed_buffers option
2003-09-10 Chris Green <cmg@sourcefire.com>
* Snort 2.0.2
* added flush_data_diff_size and zero_flushed_buffers for
stream4_reassemble
* added thresholding (see doc/README.thresholding) from
Sourcefire/Marc Norton
2003-09-02 Chris Reid <chris.reid@codecraftconsultants.com>
* Updated Win32 code to properly support logging to
the Windows Event Log without including the Microsoft-
generated warning, as was previously observed.
2003-08-06 Chris Green <cmg@sourcefire.com>
* src/decode.c (DecodeTCP):
fixed TCP_LARGE_OFFSET with patch from Bob Perkins
2003-07-28 Chris Reid <chris.reid@codecraftconsultants.com>
* Updated sp_pattern_match.c and win32_service.c to play nice with
Visual Studio .NET (thanks for feedback from Louis Jagoe).
2003-07-25 Chris Green <cmg@sourcefire.com>
* Makefile.am (dist-hook):
- add signatures kludges to fix up official tarballs
- fixed verstuff.pl to interpolate variables
* spp_arpspoof patches from Jeff Nathan
- Replaced unchecked malloc() calls with SnortAlloc
- Changed the parameter name ipmel to ip_mac_entry_list in functions
operating on this list for clarity
- Re-ordered sanity tests in the preprocessor function to prevent a null
pointer dereference and to identify early exit conditions
- Minor optimization to the overwrite detection code: if the overwrite list
hasn't been initialized return when entering the overwrite condition tests
- Use FreeToks instead of for() and free() for mSplit tokens.
- Implemented a CleanExit function suitable for CleanExit and Restart.
- Added CallLogFuncs calls to accompany all CallAlertFuncs calls (previously
CallLogFuncs was not used at all).
* src/decode.c (DecodeVlan):
- compile with --enable-debug
2003-07-22 Chris Green <cmg@sourcefire.com>
* Shortly after release:
- added verstuff.pl
- added dist-hook to run verstuff.pl to make the published
tarballs up to date on snort version
* Snort 2.0.1 Released
2003-07-18 Chris Green <cmg@sourcefire.com>
* src/decode.c (DecodeUDP):
- fixed UDP checksums to not incorrectly calculate with a header
in host byte order
Thanks to Marc Norton & Jeremy Hewlett for helping
* src/detect.c (Preprocess):
- completely ignore invalid IP checksums throughout snort if we
are checking them.
2003-07-09 Chris Green <cmg@sourcefire.com>
* src/decode.c (DecodeIEEE80211Pkt):
- fixed vlan decoding on lots of advice + patch from Michael
J. Pomraning over at SecurePipe. Thanks!
2003-07-03 Chris Green <cmg@sourcefire.com>
* src/decode.c (DecodeIP):
- removed redundant flag setting operation
2003-07-01 Chris Green <cmg@sourcefire.com>
* src/preprocessors/http-resp.c (IsHttpServerData):
- ensure TCP state on discarded traffic
* src/preprocessors/spp_stream4.c (GetDirection):
- switch to using IP addresses
* src/preprocessors/spp_frag2.c (Frag2Defrag):
- ignore packets with bad checksums
2003-06-09 Marc Norton <marc.norton@sourcefire.com>
* src/fpdetect.c:
fixed pass not always superseding Alert when rule order was
Pass-Alert-Log
* src/fpcreate.c:
This fixes an initialization problem with the iBirDirection flag.
2003-06-04 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_bo.c:
log packet data
2003-05-30 Chris Green <cmg@sourcefire.com>
* src/snort.c: removed obsolete global flow variable
2003-05-28 Chris Reid <chris.reid@codecraftconsultants.com>
* Win32 patches from Fulvio Risso (of WinPcap) so -i parameter
can support both "-i 1" format, and also support named interfaces
like "-i \Device\Packet_{12345678-90AB-CDEF-1234567890AB}".
Fulvio also provided a more streamlined Win32 print_interface().
2003-05-27 Chris Green <cmg@sourcefire.com>
* src/output-plugins/spo_alert_sf_socket.c:
- made compile w/ debug
* src/detection-plugins/sp_session.c (OpenSessionFile):
refactored to do fatal error inside the lower level function
where filename is defined. Bug Reported by Jon Werrett.
2003-05-27 Andrew R. Baker <andrewb@sourcefire.com>
* Changed evalIndex to give precedence to help work around
problems with rule ordering when not using -o
2003-05-14 Andrew R. Baker <andrewb@sourcefire.com>
* src/Makefile.in:
* src/plugbase.h:
* src/spo_plugbase.h:
* src/output-plugins/spo_alert_fast.c:
* src/output-plugins/spo_alert_full.c:
* src/output-plugins/spo_alert_sf_socket.c:
* src/output-plugins/spo_alert_smb.c:
* src/output-plugins/spo_alert_syslog.c:
* src/output-plugins/spo_alert_unixsock.c:
* src/output-plugins/spo_csv.c:
* src/output-plugins/spo_database.c:
* src/output-plugins/spo_log_ascii.c:
* src/output-plugins/spo_log_null.c:
* src/output-plugins/spo_log_tcpdump.c:
* src/output-plugins/spo_unified.c:
Relocated Output Plugin API definitions to spo_plugbase.h
* src/detect.c:
* src/rules.h:
added support for per OptTreeNode output functions
* src/plugbase.c:
* src/output-plugins/Makefile.in:
* src/output-plugins/spo_alert_sf_socket.c:
* src/output-plugins/spo_alert_sf_socket.h:
Sourcefire UNIX datagram socket output plugin
2003-05-16 Chris Green <cmg@sourcefire.com>
* patches from jeff nathan
- config.h before HAVE's in strc*
- add OSX kludged support for /sw/include to libnet defaults
* added doc/signatures to Makefile.am
2003-05-13 Chris Reid <chris.reid@codecraftconsultants.com>
* Added sanity check in CleanExit() to prevent double-freeing
of memory during recursive call to CleanExit(). (Mark Scott)
2003-05-13 Chris Green <cmg@sourcefire.com>
* patches from Jeff Nathan
- calloc checks in detection-plugins
- old version of autoheader doesn't like arguments to
* add timersub.h to Makefile.am
* src/detection-plugins/sp_byte_check.c (ByteTest):
- FatalError if hex/oct are used w/o specifying the string parameter
* src/detection-plugins/sp_byte_jump.c (ByteTest):
- FatalError if hex/oct are used w/o specifying the string parameter
* src/preprocessors/spp_frag2.c (RebuildFrag):
fix integer wrap around on large packets resulting in invalid IP
dgrm lengths with large packets for frag2. Thanks to Jason Royes for
pointing it out.
will truncate large packets so that the total resulting frame is
less than 65535 unless you define DONT_TRUNCATE in config.h
This is unfortunately required for compatibility with other pcap
applications.
* src/decode.c (DecodeTCP):
move port number assignment above option decoding so people don't
complain about decoder events on port 0.
2003-05-02 Chris Reid <chris.reid@codecraftconsultants.com>
* updated Win32 LibnetNT.dll (tested by Rich Adamson)
2003-04-28 Chris Green <cmg@sourcefire.com>
* updated create_postgresql (Frank Knobbe)
* solaris forte C compiler patches from Taso Devetzis
2003-04-25 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_tcp_win_check.c (SetupTcpWinCheck):
- removed initialization message in debug
2003-04-24 Chris Green <cmg@sourcefire.com>
* src/decode.c (DecodeTCPOptions):
- only alert on T/TCP if there is a CCECHO
* src/detection-plugins/sp_byte_check.c:
* src/detection-plugins/sp_byte_jump.c:
* src/byte_extract.c:
* src/byte_extract.h:
- move the common extraction code to a single place
- fix 2 byte extraction code on little endian architectures
(Thanks to Jason Miller)
* src/bounds.h (inBounds):
- remove #include <snort.h>
2003-04-21 Chris Green <cmg@sourcefire.com>
* src/mwm.c (mwmPrepHashedPatternGroups):
- upon a fatal error, yell about
config detection: search-method lowmem
2003-04-16 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_pattern_match.c (ParsePattern):
- u_int -> int for size check
- (slightly) more readable string handling code
* src/timersub.h:
import timersub macro from glibc and upcased it
* src/snort.c (InterfaceThread):
- Use TIMERSUB
* src/detect.c (AlertAction):
AlertFlushStream takes one argument now
* src/parser.c (ParseConfig):
disable_tcpopt_ttcp_alerts parsing --
Thanks for pointing it out Jeff Dell
* src/preprocessors/spp_stream4.c:
- removed unused argument to DeleteSpd
(AlertFlushStream):
- get the ssnptr variable from the packet structure
- unified logic for server and client side
- removed memthresholding because of large delays
* src/decode.h
(_Stream):
- get rid of dataPtr ( it's always the same thing as &s->data )
- add bytes_tracked variable for more memory protection
* src/preprocessors/spp_stream4.c:
- macroize sequence number type checks
(StoreStreamPkt):
- watch for how many packets we accept
2003-04-14 Chris Green <cmg@sourcefire.com>
* Snort 2.0.0 Released
2003-04-09 Chris Green <cmg@sourcefire.com>
* src/log.c,spo_database.c
(PrintTcpOptions):
(PrintIpOptions):
- correctly print out
* src/decode.c:
Last bastions of ErrorMessage @ decode in non-verbose mode
2003-04-09 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_byte_jump.c:
- another argument parsing bug ( Thanks Judy )
2003-04-07 Chris Green <cmg@sourcefire.com>
* src/decode.c:
Change all classifications to DECODE_CLASS
* src/detection-plugins/sp_byte_check.c (ByteJump/ByteCheck) - do
not SetUseDoe() for these functions. Doe is set automatically and
use_doe is only needed to be set by people wishing to make the
previous pattern match relative.
Build 69
* src/decode.h
- handle more FIN conditions
* src/preprocessors/spp_stream4.c (ReassembleStream4):
- adjusted established check
* src/preprocessors/spp_stream4.c (NotForStream4):
- refactoring
2003-04-04 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_byte_jump.c (ByteJump):
- make offsets work for byte_test and byte_jump
(Thanks Judy and Dan)
2003-04-03 Chris Green <cmg@sourcefire.com>
2.0.0rc3
* etc/snort.conf:
config detection: search-method lowmem
Incorporates a lower memory pattern matcher from Marc Norton for
people running into not being able to update to 2.0 due to
memory issues.
* src/snort.c (SnortMain):
- move InitOutputPlugins down ( 1.9 forward fix from Nick )
2003-04-01 Chris Green <cmg@sourcefire.com>
Build 67
* src/output-plugins/spo_alert_unixsock.c:
- moved unix socket format to .h
- moved default socket location to the logdir
( patches from Nick Zitzmann <dreamless@attbi.com>)
2.0.0 RC2
2003-03-31 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (CreateNewSession):
- don't act like a happy wallaby if the IP transport doesn't support
ECN but the reserved flags make it through crystal clear
* src/preprocessors/spp_frag2.c (_FragTracker):
only do 1 fragment tracker alert for things like teardrop
* src/preprocessors/spp_stream4.c:
- DisableDetect() instead of do_detect()
- flush on write ssn stats (andrewb fix)
* src/decode.c (DecodeUDP):
- correctly decode UDP packets (andrewb fix)
2003-03-27 Chris Reid <chris.reid@codecraftconsultants.com>
* src/tag.c
#ifdef should have been #ifndef
* src/acsmx.h
Have WIN32 use definition of "inline" from config.h
instead of a locally defined one
* src/output-plugins/spo_alert_syslog.c
* etc/snort.conf
Changed Win32 default host to "127.0.0.1"
(thanks to Rich Adamson)
* src/win32/WIN32-Prj/snort_installer.nsi
Added further installation instructions to help cut
down on the number of 'newbie' questions.
2003-03-28 Chris Green <cmg@sourcefire.com>
* src/parser.c (ParseConfig):
- make disable ipopt work (Thanks Tim Slighter)
* src/tag.c
(PrintTagNode):
new f()
- added static cling
(ParseTag): fixed parser
(AddTagNode):
- fixed src/dst tagging
- unified both tag cache logics
* src/debug.h:
* src/debug.c:
added DebugThis()
* etc/snort.conf
make the config options do what they say
* src/output-plugins/spo_alert_syslog.c (ParseSyslogArgs):
- only warn if we are parsing snort.conf ( -s )
* src/tag.h (SetTags):
- damn #if 0
* configure.in:
- remove snmp/ssl
2003-03-27 Chris Reid <chris.reid@codecraftconsultants.com>
Build 63
* src/snort.c
* src/output-plugins/spo_alert_syslog.c
Win32 '-s' now takes no arguments. Host/port info is
configured only within snort.conf (output alert_syslog).
2003-03-27 Chris Green <cmg@sourcefire.com>
* configure.in:
- changed to make DEBUG do -O0 and -g with gcc
(-ggdb makes gdb confused. go fig.)
* src/snort.c (ParseCmdLine):
-s means syslog() not -s args on win32
* src/output-plugins/spo_alert_syslog.c (ParseSyslogArgs):
- SnortAlloc
- allow -s to work again
2003-03-26 Chris Green <cmg@sourcefire.com>
* src/decode.c (DecodeTCP):
- bad format args (thanks Tim!)
RC1
* Incorporated Patches from Jeff Nathan
- libnet configure should work again
- randomize flexible response ttls
- add stop descriptor leaking
* src/decode.c (DecodeIPOptions):
truncation alerts for IP options too!
(InitDecoderFlags):
added decoder flags function
* src/log.c (Print(I|Tc)cpOptions):
- print out everything that I can
2003-03-25 Chris Green <cmg@sourcefire.com>
* src/signature.c (ReferenceSystemAdd):
- fixed the dang linked list
* rules/Makefile.in (EXTRA_DIST):
added pop2.rules
* src/decode.h (_Stream):
- removed current_seq to save memory
* src/preprocessors/spp_stream4.c
- added isBetween inline function
(UpdateState):
- incorrect ACTION_ACK_CLIENT_DATA
(StoreStreamPkt):
- comment clarification
* src/bounds.h:
- added new file
- moved standard bounds checking functions to this file
* src/detection-plugins/sp_react.c (ParseReact):
- give react a half a chance of working
(SendTCP):
- see above
* src/detection-plugins/sp_clientserver.c (ParseFlowArgs):
- fatal error on unknown option
* src/output-plugins/spo_database.c
(UpdateLastCid):
- added missing free()
(Database):
- correctly write out the class_id junk
* src/output-plugins/spo_alert_smb.c
(AlertSmb):
- print out the ports like was intended
* src/preprocessors/spp_portscan2.c (SLog):
- use fprintf for what it was designed for
* src/preprocessors/spp_portscan.c (LogScanInfoToSeparateFile):
- use fprintf for what it was designed for
* src/log.c
(PrintArpHeader):
- wireless arp printing fix
(PrintTcpOptions):
- strncpy -> memcpy
(PrintEapolKey):
- aligned printf
* src/decode.c (DecodeTRPkt):
- more truncation style alerts
2003-03-24 mfr <roesch@sourcefire.com>
* src/preprocessors/spp_stream4.c:
- changed PruneSessionCache() to only do timeout flushes if
we're over 50% of the memcap (should help performance)
* src/log.c:
- fixed broken Frag Size calculation in IP header printout routine
2003-03-21 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_session.c:
- fixed memory leak on filename creation
* src/preprocessors/spp_stream4.c (Stream4InitReassembler):
- make serveronly work
* src/preprocessors/spp_telnet_negotiation.c (NormalizeTelnet):
- check the byte, then increment
* src/detection-plugins/sp_byte_check.c (ByteTestParse):
more input validation for byte_check/byte_jump
* src/log.c (PrintWifiHeader):
- watch out for NULL bssid's
* src/tag.c
(TagHost):
- removed redundant check
(AddTagNode):
- accumulate the tag seconds rather than the idx->seconds
* src/detection-plugins/sp_pattern_match.c (PayloadSearchRegex):
- actually die on a regex option
( might actually get it developed later )
* src/decode.c
(DecodeIEEE80211Pkt):
- more truncated packet alerts
(DecodePPPoEPkt):
- alert on truncated pppoe pkts
- separate decoder for encapsulated PPP
(DecodeVlan):
- alert on truncated Vlan headers
(DecodeUDP):
- use the UDP header length field
instead of capture length
* src/detection-plugins/sp_byte_jump.c:
src/detection-plugins/sp_byte_check.c:
- protect against negative offsets
( don't rely on negative offsets working in the long term )
- don't continue when we can't parse string numbers
* src/detection-plugins/sp_respond.c (Respond):
- missing iph check
* src/detection-plugins/sp_ip_proto.c (IpProtoDetectorFunction):
- missing iph check
* sspp_asn1, fnord, spo_xml, spo_SnmpTrap
- removed ( will be available later as a contrib )
* src/preprocessors/spp_http_decode.c:
- switch to using chars for lookup tables
- removed extraneous sprintfing
- removed old TBD feature code
2003-03-17 Chris Green <cmg@sourcefire.com>
* src/snort.c (FPUTS_WIN32):
- changed to blank space rather than NULL
Build 60
New Options added to snort.conf
config: disable_tcpopt_experimental_alerts
config: disable_tcpopt_obsolete_alerts
config: disable_ttcp_alerts
config: disable_tcpopt_alerts
* src/preprocessors/spp_stream4.c
(ReassembleStream4):
- DisableDetect only if the emergency_status is NULL.
(CreateNewSession):
- fixed return logic with detect scans
* etc/gen-msg.map: WARNINGS: -> snort_decoder:
- new tcpopt events
* src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
- change to use DisableDetect() instead of do_detect = 0;
(disables further preprocessors)
(RPC_CLASS): Use the same classification as the other decoder alerts
* src/snort.h (_progvars):
- added DecoderFlags structure for enabling/disabling decoder alerts
* src/snort.h (_progvars):
- added tcpopt_alert_flag
* src/decode.c (DecodeTCP):
- print out warnings on bad header lengths in verbose mode
(DecodeTCPOptions):
- nearly complete rewrite to identify whizbang things like
bubba and skeeter options!
2003-03-14 Chris Reid <chris.reid@codecraftconsultants.com>
Build 59 (really this time)
* src/detect.c
- corrected un-initialized memory in CreateRuleType()
* src/snort.c
- rationalize Unix vs. Win32 command-line options
- add optarg for Win32 syslog '-s' parameter
- bugfix for Win32 syslog initialization
- thanks to Rich Adamson and L. Christopher Luther for helping
with the syslog fixes
* src/util.c
- provide Win32 fix for SetChroot()
* many files
- added missing CVS ID tags
- added missing copyrights
2003-03-13 Chris Green <cmg@sourcefire.com>
Build 59
* src/preprocessors/spp_stream4.c(TcpActionAsync):
- update server side seq numbers on Async State machine
* src/preprocessors/spp_stream4.c
(BuildPacket):
- Use Constants for IP Lens
- Move SPARC_TWIDDLE to only initialization
* src/preprocessors/spp_frag2.c
- removed killme variable from InsertFrag
- untabified
(RebuildFrag):
- converted to creating fake packets the same way as stream4
2003-03-10 Chris Green <cmg@sourcefire.com>
Build 58
* src/util.c:
- new functions SetChroot, CurrentWorkingDir,
SigChrootHupHandler, GetAbsolutePath
- Chroot + HUP == "tough luck for now"
* src/snort.c (SnortMain):
- Chroot after parsing the rules file
- use fully qualified pathname for logdir in chroot case
* src/output-plugins/spo_unified.c (UnifiedInitAlertFile):
- removed a printf
2003-03-05 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_byte_check.c (ByteTest):
- never touch doe_ptr on a successful match
- inBounds check off by one when seeing if enough to read
* src/detection-plugins/sp_byte_jump.c (ByteJump):
- inBounds check off by one when seeing if enough to read
* src/detection-plugins/sp_pattern_match.c (uniSearchReal):
- inBounds check off by one when seeing if enough to read
2003-03-04 Chris Green <cmg@sourcefire.com>
* src/util.h (inBounds):
end is always dsize + len so it should be p < end
* src/preprocessors/spp_stream4.c (UpdateState):
- added return ACTION_ACK_CLIENT_DATA
* src/detection-plugins/sp_pattern_match.h (_PatternMatchData):
- changed check_distance to use_doe ( check_distance was not used )
* src/detection-plugins/sp_pattern_match.c
(uniSearchReal):
- new function to unify uniSearchCI & uniSearch
- all "work" related to distance, within, depth, and offset done
in one place now
(CheckANDPatternMatch):
- condensed this down to be a very small wrapper around uniSearch
( now !content will alert with offset on small packets)
(CheckUriPatternMatch):
- condensed this down to be a very small wrapper around uniSearch
* src/detection-plugins/sp_byte_check.c:
* src/detection-plugins/sp_byte_jump.c:
- inBounds function
- doe_ptr
- SetUseDoe
- TEXTLEN constant
* src/generators.h (RPC_MULTIPLE_RECORD_STR):
fixed cut and pasto
* src/util.h (inBounds):
added new inBounds function to check a ptr position against a
known start and end location
* src/mstring.c (mSearch):
subsequent offsets adjusted correctly (Marty)
* src/preprocessors/spp_rpc_decode.c
- redefine MSB
- write fraghdr back into pkt
- removed extraneous printf
* src/preprocessors/spp_rpc_decode.c:
- readded config.h and strings.h (Thanks Chad)
* src/preprocessors/spp_stream4.c
- suspend re-enabling mode fixes
2003-03-03 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
- alignment errors on non-x86 platforms
- added new space delimited options
alert_fragments
no_alert_multiple_requests
no_alert_large_fragments
no_alert_incomplete
- corrected buffer overflow in fragment normalization
2003-02-28 Daniel Roelker <droelker@sourcefire.com>
* src/bitop.h:
* src/fpcreate.c:
* src/fpdetect.c:
- Fixed a problem when snort runs with only uricontent matches
and no contents. In this case an element in the bitop structure
never got initialized, so it's not good to reference that.
Problem was caught by Chris Green doing some unit testing.
2003-02-27 Chris Reid <chris.reid@codecraftconsultants.com>
* src/win32/WIN32-Prj/snort.dsp
* src/win32/WIN32-Prj/snort.mak
* src/win32/WIN32-Prj/snort.dep
- Removed an unnecessary file from the project (name.mc)
* src/win32/WIN32-Prj/build_releases.bat
- Script to easily compile all configurations of snort.
* src/win32/WIN32-Prj/snort_installer.nsi
* src/win32/WIN32-Prj/snort_installer_options.ini
- Scripts to build a Win32 installation program for snort.
Thanks to Chris Green for suggesting we use NSIS!
2003-02-19 Chris Reid <chris.reid@codecraftconsultants.com>
* src/snort.c
- Win32 '-s' parameter wasn't configured to accept an optarg,
but code expected one, causing null-pointer violation.
2003-02-16 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
* remove broken checks.
* src/preprocessors/spp_telnet_negotiation.c (NormalizeTelnet):
* remove broken checks.
2003-02-15 bmc <bmc@snort.org>
* src/preprocessors/spp_asn1.c
- don't bother decoding the packet if it's 0 bytes
* src/preprocessors/spp_fnord.c
- don't bother decoding the packet if it's 0 bytes
- set DEBUG to DEBUG_PLUGIN instead of DEBUG_STREAM
* src/preprocessors/spp_http_decode.c
- don't bother decoding the packet if it's 0 bytes
- if stream4 is enabled, only decode if it is client data
on an established session
(This makes using internal_alerts useful)
* src/preprocessors/spp_rpc_decode.c
- don't bother decoding the packet if it's 0 bytes
- if stream4 is enabled, only decode if it is client data
on an established session
* src/preprocessors/spp_telnet_negotiation.c
- don't bother decoding the packet if it's 0 bytes
- if stream4 is enabled, only decode if it is client data
on an established session
2003-02-15 bmc <bmc@snort.org>
* src/detection-plugins/sp_byte_jump.c
actually verify that it needs aligning before aligning.
(more than 0 doesn't need aligned)
2003-02-15 bmc <bmc@snort.org>
* src/detection-plugins/sp_byte_jump.c
0 is already aligned to a 32-bit boundary...
2003-02-14 bmc <bmc@snort.org>
* src/mstring.c
Fix so --enable-debug actually compiles
2003-02-14 mfr <roesch@sourcefire.com>
* src/parser.c
Fixed XferHeader() function to copy the not_*p_flag to the RTNs...
* src/detection-plugins/sp_ip_proto.c
ip_proto options can now be stacked
2003-02-14 mfr <roesch@sourcefire.com>
* src/fpdetect.c
src/mstring.c
src/detection-plugins/sp_byte_check.c
src/detection-plugins/sp_byte_jump.c
src/detection-plugins/sp_pattern_match.c
Fixed distance/within/byte_test/byte_jump relative (stateful)
pattern matching and the like. Complete reimplementation of
payload position tracking. Tested with several different attack
scenarios with 100% detection rate, please test!
2003-02-04 Chris Reid <chris.reid@codecraftconsultants.com>
* src/snort.c
Added sanity checks on command-line parameters, for whenever a user
forgets to put spaces between (i.e.) /SERVICE/INSTALL. This only
applies to /SERVICE parameter for Win32.
* src/util.c
- Updated Win32 banner for version 2.0
- Modified FatalError to generate a Win32 EventLog entry
if this is a Win32 Service build, otherwise no errors
are ever presented to the user.
* src/mwm.c
- Added an include of config.h, for Windows build.
- Changed variable names "small" and "large" into "small_value"
and "large_value" to prevent compile errors under Visual C++.
* src/mpse.c
* src/pcrm.c
- Added an include of config.h, for Windows build.
* src/parser/IpAddrSet.c
* src/preprocessors/perf-flow.c
- Added ifndef/endif around non-Win32 header files.
* src/preprocessors/perf-base.c
- Added changes to allow it to compile under Win32.
* src/preprocessors/perf.h
- Prevent definition of UINT64 under Win32.
* src/preprocessors/spp_asn1.c
* src/preprocessors/spp_bo.c
* src/preprocessors/spp_fnord.c
- Added documentation.
* src/win32/WIN32-Includes/config.h
- Added definition for UINT64 and uint64
- Changed VERSION to '2.0.0beta'
* src/win32/WIN32-Code/win32_service.c
- Changed how Win32 registry is opened for reading (was KEY_ALL_ACCESS,
now is KEY_READ). Problem (and patch) was reported by Michael Miller.
* src/win32/WIN32-Prj/snort.dsp
- Removed all references to SFStats compile options, since these stats
provide little useful information under Win32 due to API differences
between Win32 and Unix, specifically the lack of a native getrusage().
* src/win32/WIN32-Prj/snort.ncb
src/win32/WIN32-Prj/snort.opt
src/win32/WIN32-Prj/snort.plg
- Truncated the contents of these files.
2003-01-26 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c
(AlertFlushStream):
- Fixed problem where an alert on a stream
would update sequence numbers incorrectly
- moved StoreStreamPkt up to avoid crash
Thanks to Lawrence Reed for pointing out problems and almost
perfect solutions
* src/detection-plugins/sp_clientserver.c (CheckForReassembled):
missing return in opt node check
affects only flow: only_stream
2002-1-17 Daniel Roelker <droelker@sourcefire.com>
* src/preprocessors/spp_perfmonitor.c:
Added 'snortfile' parameter to perfmonitor so users can use the
default snort directory to log performance statistics. Suggested
by L. Reed.
* src/preprocessors/spp_stream4.c:
Fixed performance statistic counter for total stream4 sessions. When
a new session is created, we make sure that it was created before
incrementing the counter. Fixed by L. Reed.
2003-01-07 mfr <roesch@sourcefire.com>
* configure.in
Added patch from Jeff Nathan to fix libnet detection
2003-01-05 mfr <roesch@sourcefire.com>
* src/util.h
Added self preservation control struct for the new SPAlloc function.
* src/util.c
Added self preservation-aware memory allocator, this allows coders
to add new subsystems requiring self preservation techniques using
a single allocation interface and management mechanism.
* src/detection-plugins
Changed the URI and AND checking modules to use the context pointer
on the fp_list struct instead of the ds_list. This will cause
all content/uricontent checks to be checked in the sequence that
they appear in a rule so that all the distance/within and
relative byte_test/byte_jump stuff will work properly. Merry Xmas
cazz!
* src/preprocessors/spp_frag2.c
Changed frag2 to use the new SPAlloc mechanism as a testing
platform. If this works right I'll convert all the other stuff
over to it as well.
2002-12-19 Andrew R. Baker <andrewb@sourcefire.com>
* src/detect.c:
* src/fpdetect.c:
* src/fpdetect.h:
* src/parser.h:
* src/rules.h:
* src/snort.c:
* src/snort.h:
Fix custom rule types and arbitrary rule ordering that were broken
with the new detection engine.
2002-12-13 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_frag2.c (Frag2Defrag):
- added "state_protection" config mechanism to enable/disable
the thresholding operations
* src/preprocessors/spp_stream4.c:
- mark sessions that have been picked up midstream
- protect against people setting up snort behind a tap without
setting asynchronous link
- added "state_protection" config mechanism to enable/disable
the thresholding operations
* src/decode.h (SSNFLAG_MIDSTREAM): added a midstream pickup flag
2002-12-12 Daniel J. Roelker <droelker@sourcefire.com>
* src/fpcreate.c:
* src/fpdetect.c:
Fixed bi-directional rule functionality when unique port was the
destination port in a bi-directional rule. Reported by Brian
Caswell.
2002-11-26 Andrew R. Baker <andrewb@sourcefire.com>
* src/parser.c:
fixed argument handling bugs for snaplen and read_bin_file config
directives in snort.conf
* src/snort.c:
* src/snort.h:
* src/util.c:
* src/util.h:
Modifications to signal handling and CleanExit/Restart
2002-11-26 Daniel Roelker <droelker@sourcefire.com>
* src/checksum.h:
Problem with ICMP checksum. Routine did not return the compliment
of the checksum. Thanks to Del Armstrong for pointing this out.
* src/decode.c:
Also, UDP checksums are only done if the checksum is 0. Otherwise,
we don't do them, even if the config is set for that. Again,
thanks to Del Armstrong for pointing this out.
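The checksum defect in the entry above, as an added illustration (not Snort's checksum.h): an RFC 1071 one's-complement sum that forgets the final complement stores the wrong field and fails to verify good packets. The ICMP echo message is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1071 checksum: 16-bit one's-complement sum over the data, carries
 * folded back in, then complemented. Words are taken in network byte order. */
uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += ((uint32_t)data[0] << 8) | data[1];
        data += 2;
        len -= 2;
    }
    if (len)                              /* odd trailing byte, zero padded */
        sum += (uint32_t)data[0] << 8;
    while (sum >> 16)                     /* fold carries into the low 16 bits */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* What the faulty routine produced: the folded sum without the complement
 * (undoing the ~ above gives exactly that value). */
uint16_t in_cksum_no_complement(const uint8_t *data, size_t len)
{
    return (uint16_t)~in_cksum(data, len);
}

/* ICMP: the checksum covers the whole message including the checksum field
 * (bytes 2-3), so a message carrying a correct field checksums to zero. */
void icmp_set_checksum(uint8_t *icmp, size_t len)
{
    uint16_t c;
    icmp[2] = icmp[3] = 0;
    c = in_cksum(icmp, len);
    icmp[2] = (uint8_t)(c >> 8);
    icmp[3] = (uint8_t)(c & 0xFF);
}

int icmp_checksum_ok(const uint8_t *icmp, size_t len)
{
    return in_cksum(icmp, len) == 0;
}

/* Constructed ICMP echo request: type 8, code 0, id 0x1234, seq 1, "abcd". */
static const uint8_t echo_template[12] = {
    0x08, 0x00, 0x00, 0x00, 0x12, 0x34, 0x00, 0x01, 'a', 'b', 'c', 'd'
};

/* The field each routine would store for the template (with the field zeroed). */
uint16_t demo_echo_checksum(int with_complement)
{
    return with_complement ? in_cksum(echo_template, sizeof echo_template)
                           : in_cksum_no_complement(echo_template, sizeof echo_template);
}

/* Fill in the field, verify, corrupt one data byte, verify again.
 * Returns 1 only if the good message verifies and the corrupted one does not. */
int demo_echo_roundtrip(void)
{
    uint8_t msg[sizeof echo_template];
    memcpy(msg, echo_template, sizeof msg);
    icmp_set_checksum(msg, sizeof msg);
    if (!icmp_checksum_ok(msg, sizeof msg)) return 0;
    msg[11] = 'e';
    return !icmp_checksum_ok(msg, sizeof msg);
}

/* Same round trip for an odd-length message (last data byte dropped). */
int demo_odd_length_roundtrip(void)
{
    uint8_t msg[11];
    memcpy(msg, echo_template, sizeof msg);
    icmp_set_checksum(msg, sizeof msg);
    return icmp_checksum_ok(msg, sizeof msg);
}
```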
2002-11-26 Chris Green <cmg@sourcefire.com>
* src/output-plugins/spo_database.c (BeginTransaction):
* removing BEGIN for oracle ( Chad Kreimendahl )
2002-11-25 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c
(TcpActionAsync):
(TcpAction):
-- removed extra decrements for last_ack
was causing a high false alarm rate for new \r\n rules.
Thanks to Jens Krabbenhoeft for helping on this one
-- disable nmap scans from alerting when we don't use detect_scans.
Thanks to Chad Kreimendahl for this one
2002-11-24 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c:
- fix argument parsing for emergency modes
* src/preprocessors/spp_frag2.c (ParseFrag2Args):
- fix argument parsing for emergency modes
2002-11-19 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c:
fixed a bug where we would shift to suspend mode if
stream4_reassemble wasn't enabled
2002-11-18 Chris Green <cmg@sourcefire.com>
Merging in mfr/cmg mitigations for extreme bogus session loads
* src/preprocessors/spp_stream4.c:
self_preservation_threshold: <bare new sessions/second>
self_preservation_period: <duration of SP mode>
suspend_threshold: <bare new sessions/second>
suspend_period: <duration of suspended operations>
emergency_ports: <port list> <-- port list that will be reassembled
* src/preprocessors/spp_frag2.c:
self_preservation_threshold: <bare new sessions/second>
self_preservation_period: <duration of SP mode>
suspend_threshold: <bare new sessions/second>
suspend_period: <duration of suspended operations>
added Emergency / Suspend mode
* src/generators.h: added Emergency / Suspend alerts to
stream4/frag2 - in the future, these should not generate packet
log alerts but they are required to for the current view of the
world
* src/detect.h (DisableDetect): added function
2002-11-16 Chris Green <cmg@sourcefire.com>
* src/snort.h:
- added a define SNORT_20 so that code will be easier to merge around
2002-11-13 Andrew R. Baker <andrewb@sourcefire.com>
* src/log.c:
* src/parser.c:
* src/snort.c:
* src/snort.h:
* src/util.c:
* src/output-plugins/spo_log_ascii.c:
* src/output-plugins/spo_log_tcdump.c:
* src/output-plugins/spo_unified.c:
* src/output-plugins/spo_xml.c:
* src/preprocessors/spp_portscan.c:
* src/preprocessors/spp_stream4.c:
Changes to cleanup the chroot process
2002-11-12 Andrew R. Baker <andrewb@sourcefire.com>
* src/output-plugins/spo_log_ascii.c:
fixed output file issues for ascii logging
2002-11-11 Andrew R. Baker <andrewb@sourcefire.com>
* src/log.h:
* src/parser.c:
* src/plugbase.c:
* src/snort.c:
* src/snort.h:
Cleanup command line alert and log configuration
* src/decode.c:
* src/snort.c:
* src/snort.h:
updated run mode determination and representation
relocated log_dir sanity check
relocated test_mode_flag check to outside InterfaceThread
moved global variable declarations into snort.c from snort.h
* src/snort.c:
replaced ReadConfFile with ConfigFileSearch. The configuration file
is now only read in once place.
* src/log.c:
* src/parser.c:
* src/snort.c:
* src/snort.h:
* src/output-plugins/spo_alert_fast.c:
* src/output-plugins/spo_alert_full.c:
* src/output-plugins/spo_alert_syslog.c:
* src/output-plugins/spo_database.c:
* src/output-plugins/spo_unified.c:
* src/preprocessors/perf-base.c:
* src/preprocessors/spp_portscan.c:
removed more vestiges of the multiple interface pthread support
2002-11-10 Brian Caswell <bmc@snort.org>
* src/detection_plugins/sp_byte_test.c:
added support for & and ^
2002-11-07 Daniel J. Roelker <droelker@sourcefire.com>
* src/preprocessors/spp_http_decode.c:
Fixed an infinite loop bug that occurred in my last update to
http_decode that dealt with an off-by-one bug. Fixed now. Pointed
out by Jens Krabbenhoeft and Nathan Labadie.
2002-11-07 Andrew R. Baker <andrewb@sourcefire.com>
* src/snort.c:
* src/snort.h:
Removed unused MTU support code
2002-11-06 Daniel J. Roelker <droelker@sourcefire.com>
* src/mwm.c:
* src/mwm.h:
Fixed another bug in mwm search routines when dealing with identical
one byte patterns in multiple rules. There was a theoretical
possibility of overwriting a one byte rule group (example: "~") with
another rule group of ("|00 7e|"). This has now been fixed and
should be the last of the one byte pattern problems.
2002-11-06 Daniel J. Roelker <droelker@sourcefire.com>
* src/mwm.c:
* src/mwm.h:
Fixed bug when comparing multiple one byte rules with the same one
byte pattern. Problem pointed out by Brian Caswell.
2002-11-06 Andrew R. Baker <andrewb@sourcefire.com>
* src/snort.c:
* src/snort.h:
* src/decode.c:
* doc/README:
removed -6 (show IPv6) and -x (show IPX) command line options (they
never did much anyway)
cleaned up ARP, IPv6, and IPX packet counting
* src/preprocessors/Makefile.am:
add missing header (perf-event.h) to libspp_a_SOURCES
2002-11-05 mfr <roesch@sourcefire.com>
* src/plugbase.c:
* src/detection_plugins/sp_byte_jump.c:
* src/detection_plugins/sp_byte_jump.h:
Added byte_jump, we can now decode a length from the app layer and jump
the detect_offset_end (last match pointer) up that number of bytes,
great for decoding RPC with Snort rules
2002-11-04 mfr <roesch@sourcefire.com>
* src/detect.c:
* src/fpdetect.c:
fixed case where multiple rules can have partial matches on content and
fuxor the detect_offset_end calculations (i.e. reset the offset for
every OTN in the system)
2002-11-04 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_byte_check.c:
Make big,little arguments actually interpret the data correctly
2002-11-04 Andrew R. Baker <andrewb@sourcefire.com>
* src/parser.c:
* src/rules.h:
* src/snort.c:
* src/snort.h:
* snort.8:
remove ghetto message reference option (it has not worked since May)
* src/output-plugins/spo_alert_fast.c:
* src/snort.c:
added "-A cmg" alerting mode
2002-11-02 Chris Green <cmg@sourcefire.com>
* HAVE_STRINGS_H all over the place for bzero/Solaris
first reported by John Whitson
2002-11-1 Daniel Roelker <droelker@sourcefire.com>
* src/preprocessors/spp_http_decode.c:
Fixed potential off-by-one bugs. Also fixed %25xx encoding and
%uxxxx encoding for ascii characters. Still much work to be done
but most of this will be added in the next version.
2002-11-01 mfr <roesch@sourcefire.com>
* src/detection_plugins/sp_byte_test.c:
fixed range checks, inclusion of strings.h, byte boundary checks
2002-11-01 mfr <roesch@sourcefire.com>
* src/detection_plugins/sp_byte_test.c:
added test rules to the sp_byte_test.c header comment block
2002-11-01 mfr <roesch@sourcefire.com>
* src/detect.c:
* src/mstring.c:
* src/detection_plugins/sp_pattern_match.c:
fixed various "issues" with the distance/within code, should work
much better now
also removed redundant calls to pattern matcher for rules with multiple
content checks
* src/plugbase.c:
* src/plugbase.h:
* src/plugin_enum.h:
* src/detection_plguins/sp_byte_test.c:
* src/detection_plguins/sp_byte_test.h:
added sp_byte_test, detection plugin that lets us perform discrete
value checks on numbers that are encoded in packet payloads, either
in straight binary representation or as strings
2002-11-01 Andrew R. Baker <andrewb@snort.org>
* src/decode.c:
fix logic for generating decoder alerts
* src/decode.c:
* src/parser.c:
* src/snort.c:
* src/snort.h:
* doc/README:
removed broken support for the "-a" (show arp) command line switch
2002-10-31 Andrew R. Baker <andrewb@snort.org>
* src/util.c (GenHomenet & GenObfuscationMask):
fix invalid reference to optarg
* configure.in:
* src/snort.h:
* src/snort.c:
removed pthread support (still need to remove MAX_INTERFACES cruft)
2002-10-30 Chris Green <cmg@sourcefire.com>
* (Repository): removed autogenerated files
use sh autojunk.sh to recreate them if you are using
CVS to compile
2002-10-30 Andrew R. Baker <andrewb@snort.org>
* src/parser/IpAddrSet.c:
* src/parser/IpAddrSet.h:
add API for IpAddrSet data structure
* removed "extern char *file_name" and "extern int file_line" from
scattered places in the source
2002-10-29 Andrew R. Baker <andrewb@snort.org>
* src/detection-plugins/*.c:
add multiple options checks for plugins
2002-10-23 Chris Green <cmg@snort.org>
* src/log.c more output clean ups from James Hoagland
2002-10-22 Chris Green <cmg@snort.org>
* strtol fixes ( Dave Ockwell-Jenner )
* Merged in Glenn's changes for net-snmp port declaration
* src/parser.c (ParseRuleOptions):
threshold added back
* src/preprocessors/spp_portscan2.c (DEFAULT_MAX_SCANNER):
change defaults back down
2002-10-22 Daniel Roelker <droelker@sourcefire.com>
* src/fpdetect.c:
Bogus port 0 initialization in fpEvalHeaderTcp/Udp. (Dirk Geschke)
2002-10-18 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_clientserver.c (CheckFromClient):
hide this under a DEBUG_CS
* src/preprocessors/spp_stream4.c (AlertFlushStream):
make AlertFlushStream adjust the base_seq upon a flush point
(Thanks so much to qru for a reproducible test case... this was
a PITA)
2002-10-16 Chris Green <cmg@sourcefire.com>
* src/util.c (CreatePidFile):
use pv.log_dir instead of local variable (Cameron Humpries)
* src/log.c (PrintICMPHeader):
Removed newline amidst a sea of complaints from James Hoagland & other
users :)
2002-10-16 Roman Danyliw <roman@danylw.com>
* src/output-plugin/database.c:
- escape the signature name before trying to write it to the
signature.sig_name field (Dirk Geschke)
2002-10-16 Dan Roelker <droelker@sourcefire.com>
* src/fpdetect.c:
- Reverted no content rule checks back to the original
snort behavior. Reassembled packets are now inspected
against no content rules.
(Jens Krabbenhoeft)
* src/preprocessors/spp_perfmonitor.c:
- Adjusted newlines for console statistics prettiness.
2002-10-14 Roman Danyliw <roman@danyliw.com>
* src/output-plugin/database.c:
- Transaction abstraction functions (Begin/Commit/Rollback)
- Fixed transaction SQL for MS-SQL
- Fixed incorrect return value for MS-SQL Insert()
(Hans Nilsson)
2002-10-13 Chris Green <cmg@sourcefire.com>
* src/log.c (PrintXrefs):
newlines on Xrefs... pointed out by too many people to count :)
* src/preprocessors/spp_portscan2.c (targetCompareFunc):
- target compare function incorrect logic
(pointed out by Pat Gorman)
2002-10-12 Roman Danyliw <roman@danyliw.com>
* src/output-plugin/database.c:
- Fixed (PostgreSQL) sensor initialization to the sensor table
by setting a default last_cid value
- Fixed schema detection bug on MS-SQL enabled builds
2002-10-09 Chris Green <cmg@sourcefire.com>
* changed FatalError/exit codes
* merged Sourcefire modifications into snort-head
* kick off of snort-2.0 dev cycle
win32 probably doesn't work yet. :-)
2002-10-09 Marc Norton <mnorton@sourcefire.com>
Daniel Roelker <droelker@sourcefire.com>
* src/decode.h:
p->preprocessors for enable/disable status
* src/fpcreate.c, src/fpcreate.h, src/fpdetect.c, src/fpdetect.h:
Added new detection engine. fpcreate.* creates the new detection
engine and initializes the detection engine components. fpdetect.*
analyzes packets as they come in and decides what happens to them.
* src/pcrm.c, src/pcrm.h:
Added new signature detection classification.
* src/mpse.c, src/mpse.h (Norton):
Added an interface for multi-pattern match routines.
* src/mwm.c, src/mwm.h (Norton):
Added modified Wu-Manber style multi-pattern matcher.
* src/acsmx.c, src/acsmx.h (Norton):
Added Aho-Corasick state machine, using a deterministic finite
automata.
* src/bitop.h:
Added inline functionality for bit operations. Used in the new
detection engine.
* src/preprocessors/spp_httpflow.*, src/preprocessors/http-resp.*:
Added an http protocol flow preprocessor that analyzes client
and server traffic. Useful for HTTP performance.
* src/preprocessors/spp_perfmonitor.*, src/preprocessors/perf*.*:
Added a performance monitor that keeps stats on snort. Some of
those stats are Mbits/sec, Alerts/sec, TCP state information,
network traffic flows and percentages, etc.
* src/preprocessors/sfprocpidstats.c:
Added functionality for multiple CPU stats on linux. For use in
spp_perfmonitor, etc.
* src/parser.c:
Added a new config option, 'detection'. This option allows the
user to configure certain aspects of the detection engine.
* src/checksum.h:
Added new optimized inline checksumming routines.
* src/mstring.c:
Optimized mSearch and mSearchCI.
2002-10-09 Chris Green <cmg@sourcefire.com>
* src/snort.c (ParseCmdLine):
- syslog option on non-win32 does not take the extra argument
(Andrea Barisani)
* updated snort.dsp to not require getrusage
2002-10-01 Chris Green <cmg@sourcefire.com>
* Fixes from Chris Reid
- varchar sql arguments for mssql
- usertime -> systemtime misses
- snort project file updates
2002-09-26 Chris Green <cmg@sourcefire.com>
* configure scripts updated to handle net-snmp as well as ucd
(Glenn Mansfield Keeni and Abe Katsuhisa)
2002-09-25 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_http_decode.c:
moved setting the uri_count to this preprocessor to handle false
alerts on reassembled packets.
2002-09-17 Roman Danyliw <roman@danyliw.com>
* src/output-plugin/spo_database.c
- make sure that a packet payload larger than those supported
in the SQL INSERT are properly terminated.
2002-09-12 Roman Danyliw <roman@danyliw.com>
* src/output-plugin/spo_database.c
- made the updating of the sensor.last_cid more efficient by
only storing the new cid value at shutdown
- removed extraneous CR/LF from sensor name
2002-09-05 Chris Green <cmg@sourcefire.com>
* src/log.c (PrintICMPHeader): off by one error in printing
Thanks to Dave Goldsmith
2002-09-05 Roman Danyliw <roman@danyliw.com>
* src/output-plugin/spo_database.c: (DatabaseInit)
- added ignore_bpf configuration option (from Michael Boman)
ignore_bpf - Do we want to create a new sensor definition every time
the BPF filter is changed? The options are:
[no|0]: (default) Create a new sensor definition if BPF
filter has been modified
[yes|1]: Ignore the BPF part when looking for the server
definition
2002-09-03 Roman Danyliw <roman@danyliw.com>
* src/output-plugin/spo_database.c
- DB schema v106
- Added the sensor.last_cid field to the schema so the
database can store the last used cid for a given sensor.
This field will ensure that a cid will never be reused.
Upgrading from v105 -> v106 is as simple as:
mysql> ALTER TABLE sensor ADD last_cid INT UNSIGNED NOT NULL;
mysql> UPDATE schema SET vseq=106;
psql> ALTER TABLE sensor ADD last_cid INT8;
psql> UPDATE schema SET vseq=106;
- Improved error messages
2002-09-02 Chris Green <cmg@sourcefire.com>
* configure.in:
- cleaned up win32 source packaging
2002-08-27 Andrew R. Baker <andrewb@sourcefire.com>
* src/preprocessors/spp_asn1.c:
do not check fragments
2002-08-26 mfr <roesch@sourcefire.com>
* src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c
added thresholds to snort rules language, docs to come
2002-08-26 Andrew R. Baker <andrewb@sourcefire.com>
* src/util.c:
fix GenHomenet and GetObsfMask functions
2002-08-19 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_perfmonitor.c (ParsePerfMonitorArgs): typo in fmt string
2002-08-18 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_rpc_decode.c:
Port changes from Andreas Ostling ( just like all the other ones now )
* win32/perf stuff from Chris Reid
Will probably break again later
the perf stuff is very highly subject to change
* project fixes from Chris Reid
2002-08-16 Brian Caswell <bmc@snort.org>
* src/util.c
- allow daemon mode to dump stats to syslog
2002-08-15 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c
(ParseStream4Args):
- FatalError on unknown argument
(ReassembleStream4):
- Correctly mark sessions as established with
asynchronous_link enabled
2002-08-14 Chris Green <cmg@sourcefire.com>
* src/snort.c (ParseCmdLine):
-R <id> Include 'id' in snort_intf<id>.pid file name
(Phil Wood)
* src/snort.c (ProcessPacket):
reset uri_count (test case pointed out by Dan Roelker/Sourcefire)
* src/preprocessors/spp_http_decode.c:
uri_count set if not alerting.
2002-08-13 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_conversation.c:
new option alert_odd_protocols
set allowed_ip_protocols to the numbers you like and it will alert on all bad protocols
* src/detection-plugins/sp_session.c (LogSessionData):
sp_session.c:221: warning: suggest parentheses around && within ||
* src/detection-plugins/sp_pattern_match.c (CheckANDPatternMatch):
bug with multiple decoded alternative contents
2002-08-13 Roman Danyliw <roman@danyliw.com>
* src/output-plugins/spo_database.c (CheckDBVersion):
fixed logic to detect the DB schema version correctly when support for
MS-SQL and another database are present
2002-08-13 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_telnet_negotiation.c:
- cleaner alt_dsize checks
- make sure that we don't decode 1 byte
past the end of the buffer
-(SetTelnetPorts):
preprocessor telnet_decode: 21 23 25 119
(now with port lists!)
* src/detection-plugins/sp_pattern_match.c (PayloadSearchRawbytes):
new pattern match option!
rawbytes -- used to inspect the raw packet data instead of the
alternatively decode application packet buffer
* src/decode.h (DECODE_BLEN): my favorite constant typo.
* src/preprocessors/spp_stream4.c (Stream4InitReassembler):
turning off server side reassembly by default ( was what the
default said it was )
* src/detection-plugins/sp_tcp_flag_check.c (ParseTCPFlags):
adding mask bits to the flag checks
(limitation pointed out by Dirk Mueller)
example: flags: S,12
This checks that the SYN flag is set regardless of the values of the
ECN bits. tcp_flags & (0xFF ^ tcp_mask); for those of you that
like to think in C
* src/detection-plugins/sp_pattern_match.c (Check{AND|OR}PatternMatch):
- normalization of telnet stuff into a separate buffer
(this means logged packets will now look like they should on the wire)
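The masked flag check from the sp_tcp_flag_check.c entry above (flags: S,12), worked through as an added C example; this is not Snort's own sp_tcp_flag_check.c. The flag letters and the +, * and ! modifiers follow the Snort rule syntax, and the bit values are the standard TCP flags byte (assumed, not taken from this ChangeLog).

```c
/* Constructed illustration of the "tcp_flags & (0xFF ^ tcp_mask)" check
 * described in the ChangeLog.  Not Snort's code; bit values and rule
 * letters are assumed from the TCP header layout and Snort rule syntax. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* TCP flag bits as they sit in the flags byte of the header. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_RES2 0x40   /* "2" in rule syntax (the ECE bit in ECN) */
#define TH_RES1 0x80   /* "1" in rule syntax (the CWR bit in ECN) */

enum flag_mode { FLAG_EXACT, FLAG_PLUS, FLAG_ANY, FLAG_NOT };

struct flag_check {
    enum flag_mode mode;
    uint8_t flags;   /* bits the rule names */
    uint8_t mask;    /* bits the rule ignores (after the comma) */
};

/* Map one rule character to a flag bit; 0 if unknown. */
static uint8_t flag_bit(char c)
{
    switch (c) {
    case 'F': return TH_FIN;  case 'S': return TH_SYN;
    case 'R': return TH_RST;  case 'P': return TH_PUSH;
    case 'A': return TH_ACK;  case 'U': return TH_URG;
    case '1': return TH_RES1; case '2': return TH_RES2;
    default:  return 0;
    }
}

/* Parse the text after "flags:", e.g. "S,12", "+SA", "!R", "0".
 * Returns 0 on success, -1 on a malformed spec. */
int parse_tcp_flags(const char *spec, struct flag_check *fc)
{
    memset(fc, 0, sizeof *fc);
    fc->mode = FLAG_EXACT;
    while (*spec == ' ') spec++;
    if (*spec == '+')      { fc->mode = FLAG_PLUS; spec++; }
    else if (*spec == '*') { fc->mode = FLAG_ANY;  spec++; }
    else if (*spec == '!') { fc->mode = FLAG_NOT;  spec++; }

    uint8_t *target = &fc->flags;
    for (; *spec; spec++) {
        if (*spec == ',') { target = &fc->mask; continue; }
        if (*spec == '0' && target == &fc->flags) continue; /* "0" = no flags */
        uint8_t b = flag_bit(*spec);
        if (!b) return -1;
        *target |= b;
    }
    return 0;
}

/* Evaluate the check against a packet's flags byte.  The masked bits are
 * cleared first, exactly as the ChangeLog's tcp_flags & (0xFF ^ tcp_mask). */
int tcp_flags_match(const struct flag_check *fc, uint8_t tcp_flags)
{
    uint8_t f = tcp_flags & (0xFF ^ fc->mask);
    switch (fc->mode) {
    case FLAG_EXACT: return f == fc->flags;               /* exactly these */
    case FLAG_PLUS:  return (f & fc->flags) == fc->flags; /* these plus any */
    case FLAG_ANY:   return (f & fc->flags) != 0;         /* any of these */
    case FLAG_NOT:   return f != fc->flags;               /* not exactly these */
    }
    return 0;
}

int main(void)
{
    struct flag_check plain, masked;
    parse_tcp_flags("S", &plain);
    parse_tcp_flags("S,12", &masked);
    /* Constructed packet: SYN with both ECN bits set (0xC2). */
    uint8_t ecn_syn = TH_SYN | TH_RES1 | TH_RES2;
    printf("flags:S    on 0x%02X -> %d\n", ecn_syn, tcp_flags_match(&plain, ecn_syn));
    printf("flags:S,12 on 0x%02X -> %d\n", ecn_syn, tcp_flags_match(&masked, ecn_syn));
    return 0;
}
```

The SYN packet with ECN bits set misses a plain flags:S rule but matches flags:S,12, which is the gap the mask bits close.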
2002-08-12 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_telnet_negotiation.c (SetupTelNeg):
- only allow this to be called telnet_decode
- removing redundant function calls
* src/perf-event.c (ProcessEventStats):
- set to 0 (djr@sourcefire)
2002-08-12 Roman Danyliw <roman@danyliw.com>
* src/output-plugins/spo_database.c (Database)
- Fixed length bug in code that generates the SQL INSERT statement
into signature table
2002-08-08 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_arpspoof.c (ARPspoofPreprocFunction):
- include packet w/ alert (Jeff Nathan)
2002-08-07 Chris Green <cmg@sourcefire.com>
* preprocessor perfmonitor
--enable-perfmonitor
lots of statistics from Dan/Marc/Sourcefire
2002-08-06 Chris Green <cmg@sourcefire.com>
* src/checksum.h:
Integrated fix from Marc Norton/Sourcefire
occasional endianness bug in checksum routines
inlined checksum
2002-08-05 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (UpdateState):
make session initiators more lenient
2002-08-04 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (BuildPacket):
- Session fix ( a different approach from Andreas Ostling )
(UpdateState)
(UpdateStateAsync)
- Move == TH_ACK checks to nearly the last of the checks and make catch all
odder flag combinations
- ttl_limit will only alert if the packet ttl is less than 10
(TcpAction*):
- removed stream_pkt->packet_flag sets new ( makes
no sense because we overwrite the packet_flags in BuildPacket
( pointed out by arron walters -- ended up
being the source of a few other bugs )
2002-07-30 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (BuildPacket):
- Mark the session direction establishments correctly
(thanks to Andreas Ostling for noticing )
2002-07-29 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (ReassembleStream4):
- make unestablished sessions and established sessions mutually
exclusive
- use &
2002-07-26 Chris Green <cmg@sourcefire.com>
* src/decode.c:
added decode_alert_flag
one may disable decoder alerts by using
config disable_decode_alerts
* src/preprocessors/spp_portscan2.c (PrunePortscanners):
Portscan2 fixes from Jed Haile ( thanks :-) )
* src/decode.c (DecodeICMP):
8 bytes of extra info in a redirect, not 4
2002-07-23 Chris Green <cmg@sourcefire.com>
* Phil Wood ASN.1 fix
* Phil Wood Classification fix
* Andreas Ostling's BPF comment improvement
* Just for the record, marty added distance/width as content options
distance means there must be at least N bytes between 2 matches
width means that there must be a match within N bytes
2002-07-23 Andrew R. Baker <andrewb@sourcefire.com>
* src/output-plugins/spo_SnmpTrap.c:
- fix null pointer dereference for non-IP packets
2002-07-09 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_dsize_check.c (CheckDsizeRange):
- changed dsize check to always return 0 on fake tcp pkts
( mirrors change made on all other functions .. )
2002-07-08 Chris Green <cmg@sourcefire.com>
* Merged in win32 fixes from Chris Reid (thanks again!)
2002-07-05 Andrew R. Baker <andrewb@sourcefire.com>
* src/preprocessors/spp_frag2.c:
* src/preprocessors/spp_stream4.c:
- fixed packet_flags problem with rebuilt packets
2002-07-03 Chris Green <cmg@sourcefire.com>
* src/output-plugins/spo_SnmpTrap.c:
- lots of *nArgs = 0 instead of NULL
- added prototype for ipv6_print_hashing
2002-07-02 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (TcpAction):
- switched to using pseudo random flush points
* src/preprocessors/spp_portscan2.c (PrunePortscanners):
- fixed double delete of a tree node
* compilation fixes from Chris Reid for win32 (Thanks!)
2002-07-01 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_conversation.c
(ConvCompareFunc):
- fixed session equalness bug ( portscan2
should actually seem reasonable now )
(ConvFunc):
- changed to use conf_flags for session initiation
2002-06-28 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c
* src/decode.h (PKT_STREAM_INSERT):
added a packet marker for inserted stream packets
2002-06-27 Chris Green <cmg@sourcefire.com>
* src/util.c (FatalError): fflush(*)
* src/detection-plugins/sp_dsize_check.c:
dsize checks always will return 0 for
rebuilt stream packets
(CheckDsizeRange):
added min<>max range support for dsize option
Thanks to Andreas Östling
* src/parser.c (ParseConfig): missing return
for config daemon
thanks to Bill McCarty <bmccarty@apu.edu>
2002-06-26 Chris Green <cmg@sourcefire.com>
* From Jeff Nathan:
Moved resp* stuff to the OTN instead of RTN
* spp_conversation rewrite
* portscan2
* SNMP updates from Glenn Mansfield Keeni <glenn@cysols.com>
2002-06-24 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_icmp_seq_check.c (ParseIcmpSeq):
htons(ds_ptr->icmp_seq) from Andreas Ostling
2002-06-20 Andrew R. Baker <andrewb@sourcefire.com>
* src/detect.c:
fix event reference time for unified output
2002-06-20 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_portscan2.c
- parsing fixes from Phil Wood
* src/util.c:
- FreeToks fixes from Phil Wood
2002-06-16 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c
Andrew Hintz bug reports
(BuildPacket):
- reinjected packets are now marked as established as well as rebuilt
(UpdateState):
- Server initiated: APF -> AF -> A was not
properly terminating session
2002-06-13 Chris Green <cmg@sourcefire.com>
* src/output-plugins/spo_log_tcpdump.c (LogTcpdump):
fixed broken -b -l . mode
( assuming iph is set doesn't work )
2002-06-12 Chris Green <cmg@sourcefire.com>
* src/util.c (read_infile):
close fd for -F
2002-06-11 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_arpspoof.c:
Fixes from Jeff Nathan
* src/preprocessors/spp_asn1.c (ASN1Decode):
ASN1 fix from Chris Reid
2002-06-08 Chris Green <cmg@sourcefire.com>
* src/generators.h (FRAG2_TTL_EVASION_STR):
changed TTL Limit exceeded message to make more clear
2002-06-08 Andrew R. Baker <andrewb@sourcefire.com>
* src/output-plugins/spo_log_tcpdump.c:
* src/detect.c:
* src/decode.h:
make obfuscation work for all output plugins
2002-06-07 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (ReassembleStream4):
- accidentally inverted logic for async/normal sessions
- marking streams as established correctly
2002-06-05 Chris Green <cmg@sourcefire.com>
* src/generators.h (STREAM4_TTL_EVASION_STR):
changed so that people recognize message as ttl_limit related
and not message related
2002-06-04 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_http_decode.c:
- fixed include order ( fixes compile on FreeBSD )
* src/preprocessors/spp_frag2.c (InsertFrag):
- allow duplicate first fragment to be disabled
2002-06-03 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_clientserver.c (ParseFlowArgs):
- added {no_stream,only_stream} keywords to flow:
used to suppress reassembled streams from being alerted on
* src/plugbase.h: changed machine/param.h -> sys/param.h
2002-06-03 Andrew R. Baker <andrewb@sourcefire.com>
* src/output-plugins/log_tcpdump.c:
fix obfuscation
2002-06-02 Chris Green <cmg@sourcefire.com>
* src/Makefile.am:
added plug_base.h ( pointed out by Jeff Nathan )
2002-05-30 mfr <roesch@sourcefire.com>
* src/log.c
src/decode.c:
Fixed non-functional embedded packet decode and printout for ICMP
UNREACH and REDIRECT packets
2002-05-30 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_frag2.c (Frag2Init):
- left frag2 alerts on by default by accident
(disabled)
2002-05-28 Chris Green <cmg@sourcefire.com>
* src/detect.c (CallLogFuncs):
moved the traversal of the plugins ahead of the setting the
packet logged flag since both check ( should both check? )
2002-05-28 Andrew R. Baker <andrewb@sourcefire.com>
* src/log.c:
fix NULL pointer deref problem printing priority/class info
2002-05-27 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_http_decode.c
(SetPorts):
- fatal error on invalid port description
* rules.c
(VarGet):
- fatal error if undefined variable is called
(ExpandVars):
- don't expand variables inside "'s
2002-05-21 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (StoreStreamPkt):
- sheltered fast retransmission under evasion_alerts
- missing returns
2002-05-20 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_http_decode.c:
- added newer unidecode function from rfp
- added "internal_alerts" keyword
2002-05-19 Andrew R. Baker <andrewb@sourcefire.com>
* src/output-plugins/spo_log_ascii.c:
* src/preprocessors/spp_conversation.c:
* src/preprocessors/spp_conversation.h:
* src/preprocessors/spp_portscan2.c:
* src/preprocessors/spp_portscan2.h:
- corrected some global namespace pollution
2002-05-15 mfr <roesch@sourcefire.com>
* looked over and indented the hell out of spp_conversation and
spp_portscan2
* put a FreeToks() function into util.c to clean up after mSplit()'s
* other sundry stuff, conversation and portscan2 should be ready for
testing from what I can see now
2002-05-15 Andrew R. Baker <andrewb@sourcefire.com>
* src/output-plugins/spo_SnmpTrap.c:
* src/output-plugins/spo_alert_smb.c:
* src/detections-plugins/sp_react.c:
- fixes for new SigInfo system
* src/output-plugins/spo_idmef.c:
* src/output-plugins/spo_idmef.h:
* doc/README.IDMEF:
* src/plugbase.c:
* src/plugin_enum.h:
- remove IDMEF instead of leaving it in a broken state
2002-05-14 Chris Green <cmg@sourcefire.com>
* src/util.h (GenObfuscationMask):
make compile on OS X
2002-05-14 Andrew R. Baker <andrewb@sourcefire.com>
* *.[ch]:
- proper implementation of priority and reference signature metadata
- other work surrounding signature metadata
2002-05-14 Chris Green <cmg@sourcefire.com>
* templates/sp_template.[ch]:
- updated template for plugbase and modularity
* src/preprocessors/spp_stream4.c (CreateNewSession):
- added SYN_SENT initialization state
* src/preprocessors/spp_http_decode.c:
- fixed includes for WIN32 (Chris Reid)
* src/preprocessors/spp_stream4.c (_Stream4Data):
- added asynchronous_link
useful for places that only see one side of a conversation
- (UpdateState):
mark session as established on asynch links
2002-05-13 Chris Green <cmg@sourcefire.com>
* src/snort.c (ProcessPacket):
- added min_ttl check in front of Preprocess Check
* src/snort.h (_progvars):
- added min_ttl as a snort-wide configuration option
config min_ttl: 1 to drop all things less than 1
config min_ttl: 0 to have none (default)
* src/decode.c
(DecodeTCP):
- fixed bug where we didn't just toss invalid packet after
alerting on it in decoder
(DecodeEapolKey):
- removed CallLogPlugins redundant call
* src/generators.h
- moved all plugin alert descriptions here
* src/plugin_enum.h:
- moved all PLUGIN_ constants to a single header
* src/detection-plugins/sp_pattern_match.h:
- cleaned up commented define
* src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
- commented out spurious debug code
* src/preprocessors/spp_stream4.c (StoreStreamPkt):
- disable evasion alerts
2002-05-12 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_http_decode.c
(PreprocUrlDecode):
- more debug code
- set p->uri_count
* src/parser.c (ParseConfig):
- cleaned up some NULL dereferences
2002-05-09 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c:
- moved SSNFLAG defines to decode.h so that we have access to the
Session data outside of spp_stream4
- added SSNFLAG_HTTP_1_1, SSNFLAG_SEEN_PMATCH
- moved Session,Stream to decode.h
(ReassembleStream4):
session_flags converted to & check instead of == for establishment
* src/decode.h
- added HTTP version constants
2002-05-08 Chris Green <cmg@sourcefire.com>
* src/decode.h
(_Packet):
- removed URI
- added uri_count
(_HttpUri):
- changed to added parameters
(_UriParam):
- added parameter datastructure
(VTH_VLAN):
- fixed missing paren
* src/preprocessors/spp_http_decode.c
(SetPorts):
- removing strncasecmp
(PreprocUrlDecode):
- moved to using UriBufs
* src/decode.c:
Added UriBufs
* src/decode.h:
- changed to use TRH and VLAN macros
bitpacked notation expunging should be done
2002-05-07 Chris Green <cmg@sourcefire.com>
* src/decode.h (_TCPHdr):
- changed to use TCP_OFFSET, TCP_X2 Macros
* src/parser.c (ParseConfig):
* src/snort.c (ParseCmdLine):
- Fixed notcp,noicmp,noudp,noip to only disable
- strcasecmp instead of strncasecmp
* src/preprocessors/spp_http_decode.c:
integrated spp_http_decode.c from rfp
new option set:
* unicode: decode unicode
* iis_alt_unicode: %u000 encoding
* double_encode : detect IIS decoding
* abort_invalid_hex: detect only up
until the first broken encoding
* drop_url_parm: don't decode the stuff following ?
* iis_flip_slash: substitute / for \ ( C:\DOS\RUN )
* full_whitespace: treat \r and <tab> as <space>
2002-05-06 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c:
fixed retransmission checksum alerts to live under evasion
* src/detection-plugins/sp_pattern_match.h:
commented out PATTERN_FAST until it works
* src/generators.h:
internal alerts from spp_http_decode
2002-05-01 Andrew R. Baker <andrewb@sourcefire.com>
* src/plugbase.c:
* src/output-plugins/spo_unified.c:
cleaned up startup message printing
2002-04-25 Chris Green <cmg@sourcefire.com>
* Introduced IP_VER, IP_HLEN, SET_IP_VER, SET_IP_HLEN after
thinking about tcpdump and what Fyodor had talked to me about
months ago regarding cross platform compatibility. No more
twiddling.
Plugins that use ip_ver, ip_hlen should be tested. No more bit
packed notation allowed in the source tree.
* src/preprocessors/spp_stream4.c:
separated evasion alerts from retransmission/state
evasion alerts default to being on now
disable with disable_evasion_alerts
2002-04-24 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_frag2.c (Frag2Init):
fixed argument parsing
* src/preprocessors/spp_http_decode.c:
don't process fragments
* src/preprocessors/spp_frag2.c
(InsertFrag):
make sure that we don't run out of memory if someone sends us the
same fragment over and over again
duplicate first frag is a special case
2002-04-23 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_frag2.c
(InsertFrag):
- adding detection of attack where we would start
reassembling packet fully before the full fragtracker is there
* src/detect.c (EvalPacket):
- fixed alert ip rules
(got clobbered when playing detection engine optimizations )
- generate proper events when decode errors happen
* src/plugbase.c (InitPlugIns): SetupFragOffset()
* src/detection-plugins/sp_ip_fragbits.c:
- added fragoffset:
fragoffset: [!<>] <integer>
defined in fragbits so that I can backport it.
* src/preprocessors/spp_frag2.c (InsertFrag):
- alert on frag2 overlaps
To do this requires keeping the packets around for a while
longer to detect all the multiple fragments and overlaps
Changed the PruneCache to notice when things are completed and
prune them in addition to just by time. Frag mem faults are
going to increase because of this but each time one occurs,
there should be plenty to expire.
2002-04-22 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_frag2.c
(Frag2Defrag):
Warn/Discard on fragments with IP Options set.
(ParseFrag2Args):
min_ttl
ttl_limit
detect_state_problems
* src/debug.h
DEBUG_FRAG2
* src/preprocessors/spp_stream4.c
(TraverseFunc):
- added next seq check on reassembly
- added alerts on retransmitted sequences...
its ugly as sin right now
(_Stream):
- next_seq added
(StoreStreamPkt):
- added check for retransmitting too fast w/ a different data size
- added tcp checksum retransmission checking
(how much do I need to worry about
data with the same checksum and different payloads...
just throw it away for the moment)
2002-04-19 Chris Green <cmg@sourcefire.com>
* More win32 Service patches from Chris Reid ( Thanks! )
2002-04-18 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_frag2.c (Frag2Defrag):
added ttl_limit detection
* src/generators.h (FRAG2_TTL_EVASION): added
* src/preprocessors/spp_stream4.c (StoreStreamPkt):
-- first cut at TTL evasion detection
keyword: ttl_limit <count> for TCP Sessions
2002-04-16 Andrew R. Baker <andrewb@sourcefire.com>
* src/preprocessors/spp_stream4.c:
* src/preprocessors/spp_frag2.c:
* src/preprocessors/spp_asn1.c:
* src/log.c:
* src/detect.c:
fix broken event reference info for unified output
2002-04-15 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (ParseStream4Args):
added missing parsing line back in
2002-04-10 Andrew R. Baker <andrewb@sourcefire.com>
* src/output-plugins/spo_unified.c:
fix unified brokenness
2002-04-10 Andrew R. Baker <andrewb@sourcefire.com>
* src/plugbase.h:
* src/plugbase.c:
* src/parser.h:
* src/parser.c:
Plugin API cleanup
* src/output-plugins/spo_log_tcpdump.c:
make log file timestamps work the same as in unified
2002-04-09 Chris Green <cmg@sourcefire.com>
* src/spp_portscan2.c: new changes from Jed/Jason
2002-04-08 Andrew R. Baker <andrewb@sourcefire.com>
* add profiling configuration option
* src/parser.c:
correct NULL pointer dereference
2002-04-08 Chris Green <cmg@sourcefire.com>
* src/debug.c (GetDebugLevel):
accidentally returning debuglevel instead of debug_level
* src/log.c (PrintIPHeader):
Modified fragment offset calculation (reported by Judy Novak)
2002-04-07 Chris Green <cmg@sourcefire.com>
* Fixed --enable-debug
* src/preprocessors/spp_asn1.c:
Missing includes
2002-04-06 Chris Green <cmg@sourcefire.com>
* src/detect.c (EvalHeader):
Corrected incorrect ignore with -z est and PKT_REBUILT_STREAM
* src/detection-plugins/sp_tcp_ack_check.c (ParseTcpAck):
* src/detection-plugins/sp_tcp_seq_check.c (ParseTcpSeq):
Phil Wood's Parsing Change
2002-04-05 Martin Roesch <roesch@sourcefire.com>
* detection engine now walks RTN and OTN lists iteratively instead of
recursively, I guess we should kowtow to the x86 crowd...
* RTNs are now sorted by destination port number allowing for earlier exit
from the detection engine in the average case and improving performance
* destination port is now the first thing checked when an RTN is processed
(for UDP/TCP traffic)
2002-04-05 Chris Green <cmg@sourcefire.com>
* Merged in Nick L. Petroni, Jr.'s 802.11b stuff
* src/detection-plugins/sp_pattern_match.c:
Integrated Mike Fisk's SetMatch stuff ( large performance
increase -- thanks for being so patient with me )
2002-04-04 Chris Green <cmg@sourcefire.com>
* src/snort.c (SnortMain):
Extra call to initoutput plugins commented out..
* src/detect.c (CallAlertPlugins):
DEBUG_WRAPPED Andrew's printfs'
2002-04-03 Chris Green <cmg@sourcefire.com>
* src/debug.h:
DEBUG_WRAP defined
DEBUG WRAP used everywhere...
* src/preprocessors/spp_conversation.c:
ignore rebuilt stream
2002-04-02 Andrew R. Baker <andrewb@sourcefire.com>
* Modularization cleanup
2002-04-02 Chris Green <cmg@sourcefire.com>
* src/debug.c (GetDebugLevel):
only initialize debug_level once ( now easier to use gdb set command )
* src/preprocessors/spp_portscan.c:
No processing on reassembled stream packets
* lots of compilation fixes
* started added spp_conversation
2002-04-01 Andrew R. Baker <andrewb@sourcefire.com>
* config.h should be included almost everywhere....
2002-03-31 Chris Green <cmg@sourcefire.com>
* src/detection-plugins/sp_pattern_match.c (CheckUriPatternMatch):
Check for URI.uri with a packet flag
* src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
- Moved decode ignore check up ( I don't think this is actually
used anywhere )
- Moved some functions into CheckHTTPDecode
* decode.h:
- Changed URI.uri to u_int_8t[URI_SIZE]
- URI_SIZE is 512 (should create an alert when that size is exceeded)
- Added PKT_HTTP_DECODE to show if URI was filled in
2002-03-31 Andrew R. Baker <andrewb@sourcefire.com>
* start work on cleaning up the output API
2002-03-30 Chris Green <cmg@sourcefire.com>
* src/output-plugins/spo_alert_unixsock.c:
lots more checking for valid packets on
things like portscan alerts
2002-03-29 Andrew R. Baker <andrewb@sourcefire.com>
* src/parser.c :
Add support for "special" output plugins
* src/output-plugins/spo_unified.h :
* src/output-plugins/spo_unified.c :
Initial work towards a true unified output.
2002-03-29 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c (ReassembleStream4):
* src/snort.h:
removed pv.fake_packet check (old stream stuff)
2002-03-27 Chris Green <cmg@sourcefire.com>
* src/preprocessors/spp_stream4.c :
More debug messages in Stream4
* doc/PROBLEMS:
Added file to document bugs that we really can't work
around easily and aren't necessarily ours.
* src/parser.c (ParseRuleOptions): filename -> file_name for compilation
2003-03-26 Andrew R. Baker <andrewb@sourcefire.com>
* src/output-plugins/spo_unified.c:
fix file rotation bug in spo_unified
write IPs in host order like everything else is
* src/parser.c:
updates to the rule parser. now we only complain for unrecognized
rule options.
2002-03-26 Chris Green <cmg@sourcefire.com>
* src/detect.c (DumpChain):
DebugMessage stuff..
2002-03-25 Chris Green <cmg@sourcefire.com>
* stop stream4 from clobbering itself (Pascal Bouchareine)
2002-03-24 Chris Green <cmg@sourcefire.com>
* src/plugbase.c (RegisterPlugin):
- allow multiple plugins to start with same prefix
2002-03-23 Brian Caswell <bmc@snort.org>
* initial add of flow: to signatures
2002-03-21 Chris Green <cmg@sourcefire.com>
* Place IP checks after port checks for 1.9
(based on patch from Christian Mock)
* Fixed test header checks (greatly responsible for
slowness on multiple CIDR blocks) (Christian Mock)
2002-03-19 Chris Green <cmg@sourcefire.com>
* Fixed Teardrop detection in frag2 ( Forward bugfix from Marty )
* Replaced most instances of #ifdef DEBUG\nprintf(...) with
DebugMessage
2002-03-11 bmc <bmc@snort.org>
* readded this file :)
* re-enabled udp portscan detection
* updated ICMP text printing (few bugs, few new features)
* updated BUGS for jackasses on Bugtraq
* fixed a bunch of stream4 stuff
* cleaned a ton of signatures (see signature CVS logs for info)
* number of FAQ updates
* removed unstable/orphaned/unmaintained/deprecated code as we
get ready for 2.0
* massive directory structure reordering
* frag2 options code cleanup (cmg)
* fixed pattern match exit conditions (cmg)
* improved stats calculation (phil wood)
* tweaked decoder code
* improved ICMP ASCII output
* fixed no-packet bug in spo_unified
* moved alert code in spp_frag2 so packet is logged for teardrop
* many stream4 fixes
* added sp_clientserver (to client, to server, from client, from server)
* cleaned infinite loop in regex
* fix double PID write (reported by phil wood)
* updated docs
* ton of new signatures
* split rules.c into parser.c|h and detect.c|h
* smarter pruning for segments that have only partially been streamed
* ethernet headers are now filled in for rebuilt packets
* added case for stream segments that hadn't been completely handled in
previous flush
* added another interface init call when entering daemon mode for linux
boxen that lose promisc mode when the process forks
* strncat in sp_reference
* opts[1] fix to plugin args passing
* updated changes to db stuff from Roman
* removed $default_directory from mysql_directory definition to allow
--with-mysql to work again and select a non-default installation
* fixed calloc call for PPPoE debug #ifdef DEBUG
* Fixed pointer math for Stream4 session
( IOU: Phil Wood; 1 Bar tab )
* Fixed suicidal tree pruning
* ifdef AF_INET6 for decode.c and removal of spp_asn1.h from plugbase.h
* cleaned up decode.c indentation, etc
* added classifications for spp_fnord
* mods to icmp ASCII log code for more informational printouts
* added enhanced conf file parsing for frag2 (Chris Green)
* added pattern match fixes (Chris Green)
* other stuff that escapes me right now
* pflog decoder support from Robert Fleck <rfleck@cigital.com> added
* added enhanced resolution of TCP retransmissions to stream4
* changed default behavior of frag2 to favor old data over new
* fixed screwed up fragbits printout
* Fixed pointer arithmetic in calls to PrintNetData (thanks to Andreas
Östling bugreports)
* ntohs(p->iph->ip_len) -- should we have a p->ip_len?
* don't complain about NULL ptr if p->dsize == 0
* Still has one nit in that a badly framed packet is counted twice in -v
mode2
2001-11-29 bmc <bmc@snort.org>
* Fixed crash in frag2 under Linux
* Fixed flexresp code, session sniping should work again and be faster
to boot
* Fixed ICMP decoder and printout routines for new ICMP header data
structs in decode.h
* Added -B command line switch to translate IP addresses in pcap files
from one subnet to another (see the man page).
* Added spo_log_null to give users an option to deactivate logging
output from the snort.conf file.
2001-11-02 mfr <roesch@sourcefire.com>
* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting a signal
* fixed PID path generation code, PID files go in the right place now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which causes
all buffered packets in the stream reassembler for that session to be
logged in the event of an event on that stream (must be used in
conjunction with spo_log_tcpdump)
* added packet precacheing for flexresp TCP packets, responses should be
generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system
2001-08-14 mfr <roesch@sourcefire.com>
* SNMP alerting support added by Glenn Mansfield Keeni & K. Jayanthi
* IDMEF output support compiled in by default now
* regex keyword code repaired, limited wildcard regex now available
* new packet counters added to Snort stats output for frags and streams
* http_decode preprocessor modified to normalize %u encoding
* new detection modes in frag2, Snort picks up fragmentation
attacks (teardrop, etc) much better now
* repaired frag2 IP defragmenter, now 100% stable and functional
* tweaks made to stream4 TCP stream reassembler, now 100% stable
* Win32 code integrated with main Snort source now
* fix for -r mode crash when no other command line options specified
* fix for logfile names using ":" under win32
* tag code repaired
* spp_arpspoof repaired
* stream4 alerts are now off by default
* syslog alerts now support standard GEN:SID:REV data
2001-08-04 fy <fygrave@tigerteam.net>
* A couple of coredump fixes from Phil Wood
* Solaris compilation fixes (and other minor tweaks I don't
remember)
* Incorporated WIN32 patches (and fixes) from Chris Reid
* ms-sql support from Chris Reid
* contrib/create_mssql
2001-07-09 mfr <roesch@sourcefire.com>
* added new IP defragmenter, spp_frag2
* added new stateful inspection/tcp stream reassembly plugin, spp_stream4
* Snort can now statefully detect ECN traffic (less false alarms)
* stream4 can now keep session statistics in a "session.log" file
* added new high-speed unified binary output system, spo_unified
* added new data structs/management for tag code
* added -k switch to tune checksum verification behavior
* added -z switch to provide stateful verification of alerts
* modified behavior of http_decode, now only alerts once per packet
* added unique Snort ID's to every Snort rule, plus generator, revision
and event ID info to each alert
* detection engine only alerts once per packet now, tcp stream code doesn't
generate another alert packet if a previous one already alerted for that
stream
* fixed signal handling on svr4 systems
* added enhanced cross reference printout to full/fast/syslog alert modes
* added new high speed checksum verification (on x86) routines
* added new ARP spoof detection preprocessor from Jeff
Nathan <jeff@wwti.com>
2001-04-20 fy <fygrave@tigerteam.net>
* a couple of fixes in spp_defrag.c
* spelling fixes in 'classification.config' file
2001-04-19 bmc <bmc@mitre.org>
* added ability to tag sessions & hosts (By Seconds, Bytes, and Packets)
* ip protocol rule support
* added 802.1q VLAN support
* extensive configuration file config options (you can put your
commandline options in snort.conf now)
* priority & classification plugin by Brian Caswell
* output plugin support for priority, classification, and refs
* rpc_decode plugin (Defeats attacks laid out by Robert Graham's SideStep)
* telnet negotiation normalization plugin (Defeats attacks laid out
by Robert Graham's SideStep)
* BackOrifice plugin (Can bruteforce BO keys. Defeats attacks laid out
by Robert Graham's SideStep)
* uricontent keyword pattern match. (Now you can look at the URL instead
of the entire packet)
* added -T commandline option (Does entire setup process, but stops
after its done setting up) great for snort.conf testing!!
* added -L commandline option. Specify filename of the binary output
log when combined with "-b"
* added -G commandline option. Turn on "ghetto" backwards
compatibility for people that need
references in the MSG field
* added -I commandline option. Prints the interface that the
alert was received on
* added -y commandline option. Adds YEAR to the timestamps
* Fixed timestamp output problem on some ARCHs
* ability for non-root users to sniff. (If the user can usually
sniff from pcap) By Brian Caswell
* Improved UNICODE detection by Koji Shikata
* added sp_tcp_win_check. TCP Window Size can be looked now
* added CSV output (see README.csv for more information) By Brian Caswell
* added sp_same_ip_check. Checks for the same SRC & DST (Usually sign
of a DOS attack) by Phil Wood
* added variable lookups for include directives (eg 'include
$RULESPATH/myrules.rules')
* linux_sll (interface 'any') support fixed (According to the new
libpcap spec) By Fyodor
* new debugging code. No more #ifdef DEBUG. (see debug.c for more
info) Idea from Eugene Tsyrklevich
* strl* family functions (mostly for future developers, we'd encourage
these to be used) (original code also supplied by Eugene)
* new tcp stream reassembly module by Chris Cramer
* include directives now are relative to snort.conf file location
(unless full path in a config file is given)
* snort will look for /etc/snort.conf and ./snort.conf if no config
is given on the commandline
* minor null ptr fixes and patches there and here (thanks to all of
you guys who helped tracking them down, really :-) - Fyodor)
* optimized database schema (Support for references, added
signature normalization, ....)
* UTC cleanup by Andrew Baker
* http_ignorehosts added from Matt Wachinski
2001-03-14 fy <fygrave@tigerteam.net>
* tcp stream reassembly updates by Chris Cramer
* path fixes for include <file> (now relative paths will be substituted
by path of the main file)
* DLT_LINUX_SLL support fixes
* strlcat/strlcpy functions are being incorporated
* Attempt to support MacOS platform.
* A bunch of fixes for MTU discovery routine
* New debugging routines. (see BUGS file for more info).
2001-01-02 mfr <roesch@md.prestige.net> fy <fygrave@tigerteam.net>
* tcp stream reassembly preprocessor (beta) by Chris Cramer
* Defragmentation plugin is now fully functional on all architectures
* SPADE (Statistical anomaly detection) preprocessor has been added by
James Hoagland
* Added IIS/UNICODE attack detection to HTTP decoder
* Reference plugin has been added by Joe McAlerney
* New active response module: sp_react
* Added "any" keyword to IP options (ipopts) plugin
* IP fragmentation bits detection plugin added
* Added TOS detection plugin from Erich Meier
<Erich.Meier@informatik.uni-erlangen.de>
* Database output plugin improved in many ways by Jed Pickel
* Oracle support added to database output plugin
* XML output plugin by Jed Pickel/Roman Danyliw/CERT
* IP address list support added with lots of help from Phil Wood
* <interface>_ADDRESS variable implementation, specifying an interface name
in the rules file as part of this variable automatically sets the IP/mask
as the IP address/netmask of the specified interface
* Rule parser is more anal about rule verification now, doesn't crash as
readily
* Arbitrary output types support added by Andrew Baker
* Activate/dynamic rules allow rules to turn on/off other rules!
* ICMP unreach. printout dumps encapsulated headers now
* Improved TCP/IP options printout code, doesn't flood on 0 length options
* Packet checksumming implemented for all supported protocols by Chris
Cramer
* TCP flags now print out in proper (bitwise) order
* Added new fields to the packet header dumps including IP header length,
TCP/UDP header length, Urgent pointer printout, IP Reserved bit printout,
ICMP Type/Code explicit value printout
* -X switch dumps packet byte data for data link through application layer
* -L switch to provide a filename for binary log files specified with the -b
switch
* Added -I switch to print interface name in Snort alerts (first i/f only)
* Fixed -S command line switch so it isn't overridden by variables in the
rules file
* Corrected PID file misadventures
* Added a bunch of new statistics to the packet stats printout
* Added SIGUSR1 handler, Snort will dump packet stats to console/syslog
when it receives a SIGUSR1
* Memory management cleaned up/lots more free()'s to match up with
malloc()'s
* Added snprintf code to the distro for safety
* UID = 0 code added for sniffer mode
* fixed default alert filename for daemon mode
* Updated USAGE file to resemble Snort's current reality
* Changed snort-lib to snort.conf, Jed Pickel added lots of documentation
to the file as well (thanks Jed!)
* Pid file will not be created if -D switch is not used.
* chroot behaviour has been changed, now, if chroot is used, you have
to have snort.conf file within chroot directory (and all the other
relevant files as well). The only file which will be placed outside
chroot directory is snort pid file.
2000-07-22 mfr <roesch@md.prestige.net>
* Fixed compilation problems on all non-BSD operating systems
* Added better configuration support for locating libpcap
* Fixed ICMP ping packet id/sequence printouts
* Made allowances for 64-bit machines in the decoders
* Updated the portscan detector to the latest version
* Disabled the defragmenter by default (in the rules file)
* Added a patch from Dave Dittrich to make daemon mode alerts
filenames conform to the data in the documentation
* Revamped the ICMP data structures to mimic those found in *BSD
and provide for higher fidelity decoding/printout in the future
* Repaired the output plugins so that they operate properly now
* For the record, the payload dump conforms to the length of the
IP datagram now and does not show pad bytes added by the minimum
Ethernet frame size
2000-07-08 mfr <roesch@md.prestige.net>
* Fixed Tru64 u_int* type declarations
* Added check for pcap.h into configuration script
* Fixed timeval problems on Linux boxen
2000-07-06 mfr <roesch@md.prestige.net>
* New preprocessor plugin: IP defragmentation!!
* New output plugins cover all old logging and alerting options
* New output plugin now logs to MySQL, PostgreSQL, unixODBC databases
* Updated portscan detection functionality
* Added quote removal for most plugin parsers
* -C crash bug fixed
* PID/PATH_VARRUN file fixes
* Converted many putc(3) calls to fputc(3) for portability
* Transport layer decoders use ip_len field for length metric now
* String tokenizer code modified for more reliable operation
* Fixed flexible response code sequence prediction
* Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all
platforms
* Set automake options so that people don't need gmake anymore to build
Snort on BSD systems
* Fixed SMB alert code large tmp file hole
* Added sigsetmask code to fix SIGHUP weirdness
* Added execvp option for SIGHUP restart code
* Added ARP header printout validation
* Added Session logging file integrity checking
* Added -u/-g setuid/gid capability switches
* Added -O IP address obfuscation switch
* Added -t chroot switch
* Fixed non-TCP/UDP/ICMP transport layer decoding & logging
* Fixes and additions to the portscan preprocessor
* Database logging plugin has been modified extensively, see the
www.incident.org website for more information
* Switched TCP flags printout routine to ensure proper RFP output
scan output. ;)
* Fixed default log/alert function code so that these functions are
never NULL
2000-03-20 mfr <roesch@md.prestige.net>
* Version 1.6 released!
2000-03-18 mfr <roesch@md.prestige.net>
* Modified the PID write out code to work in all run modes, and made
the system detect/verify the _PATH_VARRUN variable and define it
if necessary.
* Integrated a HUP patch from J Cheeseman to prevent the command line
parser from screwing up the command line at HUP time.
* Added a little tweak from Fyodor for Makefile.in
* Made exit code delete the PID file in all run modes.
2000-03-16 mfr <roesch@md.prestige.net>
* Activated the BPF compiler optimization switch in snort.c
* Added support for unconfigured/stealthed network interfaces
* CP added a default definition for _PATH_VARRUN
* CP added checks for paths.h existence
2000-03-15 mfr <roesch@md.prestige.net>
* Moved the "session" keyword code to a plugin
* Added Postgres database logging module from Jed Pickel
* Added Token Ring layer 2 printout routine
* Added "-q" support to the output plugin modules
* Revamped the output plugin subsystem so that it conforms to the
API standards laid out in the rest of Snort
* CP set defaults for the alerting and logging facilities
* Added Tru64/Alpha support
2000-02-26 mfr <roesch@md.prestige.net>
* modified minfrag preprocessor to only catch tiny frags on the home
net ("home" keyword) or any traffic ("any" keyword)
* implemented command line override of output plugins, alert and log
switches on the command line will disable output plugins in favor of
their configured activity
* added -C command line switch to print packet payloads as ASCII only,
with no hexdump
* fixed a stupid crash bug on the "logto" keyword parser
* put in a couple of command line switch validators to catch potential
invalid arguments
* fixed a potential crash bug in the ClearDumpBuf() function
2000-02-07 mfr <roesch@md.prestige.net>
* Added INADDR_BROADCAST patch from Steve Beaty <beaty@emess.mscd.edu>
* Added syslog PID patch from Ralf Hildebrant
* Added IPv6 counter from Erich Meier
<Erich.Meier@informatik.uni-erlangen.de>
* Added SunOS patch from Denis Ducamp <Denis.Ducamp@hsc.fr>
* Added content-list rules from
2000-01-17 cp <fygrave@tigerteam.net>
* Update of Patrick's portscan preprocessor. (and appropriate fixes)
* Minor fix to configure.in from Herb Commodore.
2000-01-12 cp <fygrave@tigerteam.net>
* John Wilson's update to insensitive pattern match code added.
* Patrick Mullen's patch to log.c applied.
* Patrick Mullen's changes to rules.c added.
* Source Port traffic rules adjusted not to pull alerts on 53<-->53 UDP
traffic.
* Changed name ParseFlags to --> ParseTCPFlags in sp_tcp_flag_check.*
since that's what it really is.
* Added RCS Id tags to all the files and libs. Once they are committed
at md.prestige.net, they should take proper values. :)
2000-01-08 cp <fygrave@tigerteam.net>
* Patch from Herb Commodore <herb@nc.rr.com> to configure applied
* Improvements to content-matching code and implementation of
case-insensitive matching from John Wilson <tug@wilson.co.uk>
are added.
* "zero netmask" problem fixed.
* Patrick Mullen's portscan preprocessor is added. log.c routines
have been fixed to handle NULL pointers.
* binary logging routines have been changed to use libpcap procedures
which should fix certain problems with binary logging.
* Fix in rules.c to complain about bogus preprocessor names.
2000-01-03 mfr <roesch@clark.net>
* fixed a problem with pass rules not being applied properly
* fixed a #include ordering statement for Slackware 4.0 installs
* fixed banner output for the -V option
* Token Ring decoding is now fully functional
* Added packet buffer cleanup code to all protocol decoders
* fixed a problem with improper TCP option output
* Added a Snort man page
1999-12-08 mfr <roesch@clark.net>
* preprocessor plugins (major new functionality!)
* detection plugins (major new functionality!)
* variables can now be specified in the rules file
* include files can now be specified in the rules file
* Session recording capability
* Rules may now contain multiple "content" match keywords
* New IP options detection module, allows IP option inspection
* New HTTP decoder preprocessor defeats evasive web scans (whisker.pl)
* detection engine has been heavily modified to implement the new
"linked-list-of-function-pointers" concept, which makes the detection
engine more efficient, more flexible, and faster!
* TCP options decoder split into decode/log modules and recoded
* IP options decoder split into decode/log modules and recoded
* Token Ring layer 2 decoder (still in development)
* ISDN-Raw layer 2 decoder (I4L)
* ISDN-IP layer 2 decode (I4L)
* ISDN-Cisco layer 2 decode (I4L)
* Fixed PPP layer 2 decoder
* NULL/Loopback layer 2 decoder
* daemon mode code cleanup
* tcpdump readback mode code cleanup
* experimental support for UNIX socket alerting
* fixed C++ comments in snort.c
* binary log files now update properly (fflush added)
* internal rules list integrity testing
* IP fragments are no longer sent to the detection engine, just
the preprocessors. This is incentive for me (or someone) to write
an IP defragmentation preprocessor!
* post-decode call function call sequence has been modified to go into
the preprocessor system instead of the detection engine
1999-10-18 mfr <roesch@clark.net>
* snort.c: * added session dump command line switch
* log.c: * added session data logging functions: OpenSessionFile(),
DumpSessionData().
* decode.c: * fixes snaplen issues with reading back tcpdump files.
1999-10-13 mfr <roesch@clark.net>
* snort.c: * threw out tcpdump file readback code and implemented
open_pcap_offline solution. Has added benefit of
allowing BPF filters to be used to modify file readback
streams.
* Fixed MTU snafu.
* decode.c: * Rewrote ARP decoder. The decoder is much simpler (but
the log routines are far more complex)
* Horsed around with the TCP and IP option decoders. I
think they work better now...
* log.c: * Added ARP printout and logging routines. ARP is now
handled in a much more consistent and correct manner.
* Fixed stupid crash bug in LogPkt()
* rules.c: * Added in greater-than and less-than modifiers for dsize
option keyword. You now have another (cheap!) way to look
for buffer overflows
* Removed range checking for the ICMP icode and itype
option keywords so that DoS attacks and covert activity
could be more easily filtered/monitored
1999-09-26 mfr <roesch@clark.net>
* snort.c: * new command line options -A, -F, -N, -p, -b
* logging and alerting functions are now selected and
assigned to function pointers for faster/more efficient
logging
* got rid of -f command line option (superseded by -b)
* put in new cleanup code for readback mode
* ripped read_infile from tcpdump to read BPF filter files
* decode.c: * code cleanup in support of new functionality
* rules.c: * added support for the exception operator to work for ports
* fixed stupid pointer initialization bug in
ProcessHeadNode() file, fixed crashes on non-PC arch.
* new option keywords: dsize, offset, depth
* cleaned up crappy logic around the logging functions with
nice clean function pointers (aaaahhhh....)
* added bidirectional rules functionality (now Snort goes
both ways....)
* log.c: * broke out alerting function into separate subfunctions
* ditto logging functions
* fixed string termination code in the SMB alerter so that it
can now alert to more than one box at a time
* cleaned up syslog messages
* finally fixed the SMB "alert once" problem (kudos to Gandalf
Schaufelberger for that one)
1999-08-06 mfr <roesch@clark.net>
* log.c: * added code to AlertMsg to make sure that there was in fact
an alert message to print out
* libraries: * fixed the backdoor and scan libraries so they should
false alarm less often
1999-08-05 mfr <roesch@clark.net>
* snort.c: * activated CyberPsychotic's daemon mode code (use the
-D switch for daemon mode)
* default logging directory changed from "." to
/var/log/snort
* sanity checks performed on the default log dir now
* decode.c: * changed the truncated Ethernet header notification to
only go off in verbose mode
* removed cruft
* rules.c: * Added Ron Snyder's "address negation" patch. Rules may
now contain "!" on the IP addresses to indicate anything
BUT the given address
* log.c: * added support for the new default logging directory
* configure.in: * fixed some more sparc configuration problems
* other: * CyberPsychotic sent a new ftp buffer overflow rule in
1999-08-04 mfr <roesch@clark.net>
* snort.c: * fixed some DEBUG statements
* enabled the daemon mode code (this is still
experimental)
* decode.c: * fixed various and sundry DEBUG code
* fixed the TCP option decoder so it wouldn't overflow
its printout buffer and cleaned up the temp buffer
* rules.c: * fixed some DEBUG code
* log.c: * fixed a buffer copy problem with the daemon mode alert
logging
* fixed the SMB alerting code and the standard log output
when in SMB alerting mode
* cleaned up some of the fragment logging code
* fixed the logto rules option coding to work properly
* configure.in: * fixed a whole bunch of little problems that are
screwing up big endian/non-PC machines. This
version should work and compile much more cleanly
on all architectures!
* other: fixed a bad rule in the RULES.SAMPLE file and another bad
one in the misc-lib file
1999-08-01 mfr <roesch@clark.net>
* rules.c: Wrote brand new detection engine. The new engine uses
a 2-dimensional linked list with recursive node walking.
Rules are grouped by address/port commonality and then
option chains are linked to common head blocks. This
reduces the number of tests required to find a specific
test to perform, and reduces the total number of tests
performed on a given packet in all cases by 200-500%
over version 1.1.
* decode.c: Rewrote the packet decode engine. The new engine
performs far fewer copies and tries to set pointers
to defer expensive function calls as late as possible.
The PrintIP and Net data structures have been eliminated
so that there is no global data required to perform tests
or log a given packet. This will make any future multi-
threading efforts much easier.
* log.c: * Much of the logging system was rewritten to take advantage
of the new detection and decoding engines.
* Made the SMB alerting a configure-time option. If you
want to use the SMB alerting feature, you need to specify
a "--enable-smbalerts" when you run configure. This is a
safety measure, read the INSTALL file for the reasons why!
* snort.c: Fixed a bug in the netmask generation code that wouldn't
allow certain CIDR blocks to be represented. Thanks to
Nick Rogness <nick@trinux.rapidnet.com> for the heads
up on this one!
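A sketch of the two-dimensional rule list this entry describes, written as an added example for this page rather than taken from Snort's rules.c: heads grouped by address/port commonality form the first dimension, and each head carries the option chains of the rules that share it, each chain a linked list of function-pointer checks walked recursively. The head test therefore runs once per group, and option chains run only under a head that matched. All type and function names, the two sample rules and the constructed packets are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct {
    uint32_t saddr, daddr;          /* host byte order */
    uint16_t sport, dport;
    const unsigned char *payload;
    size_t plen;
} Packet;

/* One option test: check() decides, the other fields are its parameters. */
typedef struct OptNode {
    int (*check)(const Packet *, const struct OptNode *);
    const char *pattern;            /* used by opt_content */
    size_t min_dsize;               /* used by opt_dsize */
    struct OptNode *next;
} OptNode;

/* Second dimension: each rule sharing a head is one option chain. */
typedef struct OptChain {
    OptNode *opts;
    const char *msg;
    struct OptChain *next;
} OptChain;

/* First dimension: rules grouped by address/port commonality. */
typedef struct RuleHead {
    uint32_t saddr, smask, daddr, dmask;  /* mask 0 means "any" */
    uint16_t sport, dport;                /* port 0 means "any" */
    OptChain *chains;
    struct RuleHead *next;
} RuleHead;

static int opt_content(const Packet *p, const OptNode *o)
{
    size_t n = strlen(o->pattern);
    for (size_t i = 0; i + n <= p->plen; i++)
        if (memcmp(p->payload + i, o->pattern, n) == 0)
            return 1;
    return 0;
}

static int opt_dsize(const Packet *p, const OptNode *o)
{
    return p->plen > o->min_dsize;
}

/* Recursive node walk: a chain matches only if every option passes. */
static int walk_opts(const Packet *p, const OptNode *o)
{
    return o == NULL || (o->check(p, o) && walk_opts(p, o->next));
}

static int head_matches(const Packet *p, const RuleHead *h)
{
    return (p->saddr & h->smask) == (h->saddr & h->smask)
        && (p->daddr & h->dmask) == (h->daddr & h->dmask)
        && (h->sport == 0 || h->sport == p->sport)
        && (h->dport == 0 || h->dport == p->dport);
}

/* Head test once per group; option chains only under a head that hit.
 * Returns the msg of the first matching rule, or NULL. */
const char *match_rules(const Packet *p, const RuleHead *heads)
{
    for (const RuleHead *h = heads; h; h = h->next) {
        if (!head_matches(p, h))
            continue;
        for (const OptChain *c = h->chains; c; c = c->next)
            if (walk_opts(p, c->opts))
                return c->msg;
    }
    return NULL;
}

/* Constructed rule set (hypothetical, not from any Snort rule library):
 *   alert tcp any any -> 10.0.0.0/8 80 (content:"GET /cgi-bin/"; msg:"WEB cgi-bin probe";)
 *   alert tcp any any -> 10.0.0.0/8 80 (dsize:>200; msg:"WEB large request";)
 * Both share one head; they differ only in their option chains. */
static OptNode  o_cgi = { opt_content, "GET /cgi-bin/", 0,   NULL };
static OptNode  o_big = { opt_dsize,   NULL,            200, NULL };
static OptChain c_big = { &o_big, "WEB large request", NULL };
static OptChain c_cgi = { &o_cgi, "WEB cgi-bin probe", &c_big };
static RuleHead h_web = { 0, 0, 0x0A000000u, 0xFF000000u, 0, 80, &c_cgi, NULL };

const RuleHead *demo_rules(void) { return &h_web; }

/* Run a constructed packet from 192.168.1.5:1234 through the demo rules. */
const char *demo_http(const char *payload, uint32_t daddr, uint16_t dport)
{
    Packet p = { 0xC0A80105u, daddr, 1234, dport,
                 (const unsigned char *)payload, strlen(payload) };
    return match_rules(&p, demo_rules());
}

const char *demo_large_request(void)
{
    unsigned char big[300];
    memset(big, 'A', sizeof big);
    Packet p = { 0xC0A80105u, 0x0A000001u, 1234, 80, big, sizeof big };
    return match_rules(&p, demo_rules());
}
```

The saving the entry talks about comes from the head test: a packet to port 81 is rejected once, without ever touching the two option chains, and a packet to port 80 pays for the address/port compare only once however many rules hang off that head.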
1999-06-21 mfr <roesch@clark.net>
* snort.c: * Added new command line switches: -f, -M, -r.
-f: Record fragmented packets in tcpdump format
-M: Send alerts via WinPopup messages (requires Samba)
-r: Read and process files generated by tcpdump
* Fixed startup dumpout code to not drop people if they just
want to log all packets to the system
* Added static netmask generation, this rids Snort of the
need to link to libm, which makes it more Trinux friendly.
* rules.c: * Added new rule option types:
logto: log packets matching this rule to the specified
log file
minfrag: set the minimum size of fragmented packets, which
allows alerts to be generated for traffic coming
from things like nmap or fragrouter
tcp flags: Added the ability to include the reserved bits
of the tcp flags into the rules set. These
flags are specified with a "1" and "2".
Inclusion of these flags allows Queso
fingerprinting attempts to be detected.
id: The IP ID field may be specified. This is nice for
picking up handcrafted packets with recognizable ID
fields, like 31337 or other "elite" numbers.
ack: The TCP ack field. Using this, nmap tcp "pings" may
be detected.
seq: The TCP sequence number. This is provided for
completeness (I figured since I was putting in the
ack field, I may as well include the sequence as
well)
* Rewrote the content parser. It now accepts "\" as a
literal character, so things like "\|" or "\~" will work
properly.
* fixed the parenthesis finder for the options code
* adjusted the acceptable character range in the rule
parsers
* log.c: * fragment logging more descriptive and correct
* fixed IP header logging for ICMP and fragmented packets
* improved "bad packet" printing/logging
* fixed IP option output code
* IP packet ID field now displayed
* decode.c: * fixed IP fragment decoders and logic streams.
* fragments are now fed through the rules set (sorta)
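An added example, not Snort's own code, of netmask generation done with shifts alone, as the "static netmask generation" item in this entry describes (no libm, no pow()). The CIDR blocks the 1999-08-01 fix above had trouble with are not named on this page; the edge this code handles explicitly is /0 and /32, because a naive `0xFFFFFFFF << (32 - bits)` shifts a 32-bit value by its full width at /0, which is undefined behaviour in C. The function names, the "a.b.c.d/n" parse format and the sample blocks are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Prefix length to host-order netmask using shifts only: no libm, no pow().
 * The ends are handled explicitly because a naive 0xFFFFFFFF << (32 - bits)
 * is undefined in C when bits == 0 (a shift by the full width). */
uint32_t cidr_to_mask(int bits)
{
    if (bits <= 0)  return 0x00000000u;   /* /0: everything */
    if (bits >= 32) return 0xFFFFFFFFu;   /* /32: a single host */
    return 0xFFFFFFFFu << (32 - bits);
}

/* Inverse: count leading one bits; -1 if the ones are not contiguous. */
int mask_to_cidr(uint32_t mask)
{
    int bits = 0;
    while (bits < 32 && (mask & 0x80000000u)) {
        mask <<= 1;
        bits++;
    }
    return mask == 0 ? bits : -1;
}

/* Parse "a.b.c.d" or "a.b.c.d/n" into a network and mask (host order).
 * Host bits in the address are cleared, so 10.1.2.3/8 means 10.0.0.0/8.
 * Returns 0 on success, -1 on a malformed octet or prefix length. */
int parse_cidr(const char *s, uint32_t *net, uint32_t *mask)
{
    unsigned a, b, c, d;
    int bits = 32;                          /* no "/n" given: a single host */
    int n = sscanf(s, "%u.%u.%u.%u/%d", &a, &b, &c, &d, &bits);
    if (n < 4 || a > 255 || b > 255 || c > 255 || d > 255 || bits < 0 || bits > 32)
        return -1;
    *mask = cidr_to_mask(bits);
    *net  = ((a << 24) | (b << 16) | (c << 8) | d) & *mask;
    return 0;
}

int in_block(uint32_t addr, uint32_t net, uint32_t mask)
{
    return (addr & mask) == net;
}

/* 1 if addr falls inside block, 0 if not, -1 if either string is malformed. */
int cidr_contains(const char *block, const char *addr)
{
    uint32_t net, mask, host, hmask;
    if (parse_cidr(block, &net, &mask) < 0 || parse_cidr(addr, &host, &hmask) < 0)
        return -1;
    return in_block(host, net, mask);
}
```

Rejecting a prefix outside 0..32 at parse time matters for a rule parser: a silently wrong mask turns a rule into one that matches nothing, or everything, without any alert telling you so.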
1999-05-17 mfr <roesch@clark.net>
* snort.c: Added "-x" command line switch to explicitly activate IPX
packet notification so people in mixed protocol environments
can maintain sanity. Also added in the new packet counter to
generate statistics on exit of the number/percentage of
each type of packet that Snort sees.
* decode.h: Removed the references to u_int16_t and u_int32_t and
replaced them with u_short and u_long. The u_int*_t
variables caused portability headaches. Also added in the
new patch from Chris S. for the WORDS_MUSTALIGN definition
for S/Linux version.
* log.h: Fixed the LOG_AUTH/LOG_AUTHPRIV problem that Solaris users
were having.
* decode.c: Added the new packet statistics counters throughout the
code. Cleaned up the IPX code a bit.
* rules.c: Cleaned up the isspace(3) (et al) calls.
* etc: Made lots of tweaks to the autoconf stuff to get the S/Linux
and HP-UX versions to compile cleanly out of the box.
1999-04-28 mfr <roesch@clark.net>
* rules.c: Added the code to change the order the rules are applied in.
* snort.c: Added two new command line switches: "-o" and "-s".
* decode.c: Added in new layer 2 decoding for SLIP and RAW packet
types.
* log.c: Added code to send alert notification to syslog.
1999-04-17 mfr <roesch@clark.net>
* rules.c: Rewrote the rules option parser. It's now a much more
consistent interface for both reading rules into the program
and writing them as a user. Added in new rule types to
alert on TTL values, and ICMP types/codes.
* log.c: Most of the logging code has been dramatically rewritten as
well, and it now works much better.
* mstring.c: Added the notion of a meta character to mSplit() so that
it was possible to not split on every single occurrence of
a character in a string.
* decode.c: Smoothed out all the logging system calls to work nicely
with the new log code.
1999-04-08 mfr <roesch@clark.net>
* rules.c: Moved AlertPkt() and LogPkt() to log.c
* log.c: Totally revamped the logging code to be more logical and
have less duplication in the code. There are now separate
logging functions for each of the layers of the packet.
PrintIPPkt() has been totally rewritten, PrintFragHeader has
been eliminated, and two functions have been moved over from
rules.c and completely rewritten as well.
* decode.c: Reworked the routines which called the logging functions.
1999-04-06 mfr <roesch@clark.net>
* decode.c: added code to display/log the Fragment ID field of the IP
header. Got a nice patch from Sebastian to add in TOS
decoding as well. Added ethernet header logging and
display code.
* mstring.c: fixed the match() routine. It had a tendency to miss some
things some of the time. (oops!) Content based matching
should work all the time now.
* log.c: added code to display some of the new stuff that's decoded.
* snort.c: add a new command line switch: "-e". This will display the
ethernet header data in both the log files and on the screen.
1999-03-24 mfr <roesch@clark.net>
* decode.c: fixed the damned TCP and IP options decoders. These things
were a friggin pain in the ass to program up properly.
Recoding them stopped the huge loop that they had a bad
tendency to get stuck in, thereby making the rest of the
program nigh infinitely more useful for just about any
friggin problem under the friggin sun. Frig it.
* log.c: Stopped the insanity of unnecessary carriage returns in the log
files and on screen printouts. Another PITA.
* rules.c: Fixed output formatting yet again.
1999-03-21 mfr <roesch@clark.net>
* snort.c: fixed a bug in the timestamp code so the month prints out
right
* decode.c: added code to detect and decode IP and TCP Options. Also
added code to print packet fragments with truncated headers
into a PACKET_FRAG file which gets dumped in the default log
directory.
* log.c: added code and data structures to print out IP and TCP Options
plus I fixed the f'd up fragment print out logic. Changed
OpenLogFile() to include a mode argument for packet fragment
print out.
* rules.c: rewired the entire rules test routine and added some long
needed goto's into the program. I feel manly now. Also
added a new rule field: TCP flags. This allows us to
alert/log/pass on tcp flags. Also added in port range
functionality, you can now specify a range of ports, or
greater than/less than a specified port.
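An added example, not Snort's own code, for the TCP flags rule field introduced in this entry and the reserved bits added to it in the 1999-06-21 entry above: a flags spec is parsed into a bitmask and compared exactly against the flags byte of a TCP header, so a rule can name the two reserved bits that normal traffic never sets. Which reserved bit the rule language calls "1" and which "2" is not stated on this page; the assignment below (1 = 0x80, 2 = 0x40), the function names and the constructed header are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Bits of the TCP flags byte (header offset 13). 0x40 and 0x80 were reserved
 * in RFC 793 (later ECE/CWR); which one a rule calls "1" and which "2" is an
 * assumption here: "1" = 0x80, "2" = 0x40. */
enum {
    TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PSH = 0x08,
    TH_ACK = 0x10, TH_URG = 0x20, TH_RES2 = 0x40, TH_RES1 = 0x80
};

/* Parse a rule flags spec such as "S", "SA", "S12" or "0" (no flags set)
 * into a bitmask. Returns -1 on an unknown letter so a bad rule is rejected
 * at parse time instead of silently matching nothing. */
int parse_tcp_flags(const char *spec)
{
    int mask = 0;
    for (; *spec; spec++) {
        switch (*spec) {
        case 'F': mask |= TH_FIN;  break;
        case 'S': mask |= TH_SYN;  break;
        case 'R': mask |= TH_RST;  break;
        case 'P': mask |= TH_PSH;  break;
        case 'A': mask |= TH_ACK;  break;
        case 'U': mask |= TH_URG;  break;
        case '1': mask |= TH_RES1; break;
        case '2': mask |= TH_RES2; break;
        case '0': break;
        default:  return -1;
        }
    }
    return mask;
}

/* Exact match: the packet must carry precisely the flags named, no others.
 * So "S" does not match a SYN that also has a reserved bit set, while "S12"
 * catches a SYN carrying both reserved bits, which a plain "S" rule misses. */
int tcp_flags_match(uint8_t pkt_flags, const char *spec)
{
    int want = parse_tcp_flags(spec);
    return want >= 0 && pkt_flags == (uint8_t)want;
}

uint8_t tcp_flags_from_header(const unsigned char *tcp) { return tcp[13]; }

/* Render a flags byte high bit first, in the same letters the rules use. */
const char *tcp_flags_str(uint8_t f, char out[9])
{
    static const char letters[8] = { '1','2','U','A','P','R','S','F' };
    static const uint8_t bits[8] = { 0x80,0x40,0x20,0x10,0x08,0x04,0x02,0x01 };
    int n = 0;
    for (int i = 0; i < 8; i++)
        if (f & bits[i]) out[n++] = letters[i];
    if (n == 0) out[n++] = '0';
    out[n] = '\0';
    return out;
}

/* Constructed 20-byte TCP header: 1234 -> 80, SYN with both reserved bits. */
static const unsigned char demo_hdr[20] = {
    0x04,0xD2, 0x00,0x50,            /* source port 1234, dest port 80 */
    0x00,0x00,0x00,0x01,             /* sequence number */
    0x00,0x00,0x00,0x00,             /* acknowledgement number */
    0x50,0xC2,                       /* data offset 5, flags byte = 0xC2 */
    0x20,0x00, 0x00,0x00, 0x00,0x00  /* window, checksum, urgent pointer */
};

uint8_t demo_probe_flags(void) { return tcp_flags_from_header(demo_hdr); }

const char *demo_probe_flags_str(void)
{
    static char buf[9];
    return tcp_flags_str(demo_probe_flags(), buf);
}
```

The exact-match semantics are the point to keep in mind when writing such rules: "S" alone will not fire on the constructed probe above, because the reserved bits make the flags byte differ from a plain SYN.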
1999-03-08 mfr <roesch@clark.net>
* snort.c: Ripped off the timestamp printout routines from tcpdump
and stuffed them into snort.c, yum yum. This gives us
millisecond timestamping on the packets for those of you
interested in such things.
1999-03-06 mfr <roesch@clark.net>
* mstring.c: mContainsSubstring has been replaced. mContainsSubstring
is a brute force pattern matcher, and is therefore very
slow and not too efficient. The new routine, match(),
implements a Boyer-Moore string search algorithm and is
much faster in the general case and much more tolerant of
"poor" pattern selection.
* log.c: PrintNetData has been completely rewritten. It should now be
much faster and only needs to generate the print out buffer
once per packet. This routine was a major source of slow
down/dropped packets before. You still shouldn't use verbose
mode with the "-d" command line switch if you're using Snort
as an IDS, because it's still slow enough to drop some large
packets. Packet print out has changed as well, with the
different packet layers separated onto their own lines
(well, mostly). Fragmented packets are now recorded in a
"FRAG" file.
* decode.c: Snort now detects fragmented packets, plus the DF and MF
bits, and decodes the fragment offset.
* snort.c: Now displays packet collected/dropped statistics when
shutting down.
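An added example, not Snort's mstring.c, of the idea behind the new match() routine: a Boyer-Moore search, here in the Horspool simplification that keeps only the bad-character shift table, next to the brute-force matcher it replaced, with a comparison counter to show where the speedup comes from. It works on lengths rather than NUL termination, which content rules over binary packet payloads need. Function names and the sample data are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Bad-character table: for each byte value, how far the window may slide
 * when that byte sits at the end of the window and the compare failed. */
static void bmh_table(const unsigned char *pat, size_t n, size_t skip[256])
{
    for (int i = 0; i < 256; i++)
        skip[i] = n;
    for (size_t i = 0; i + 1 < n; i++)
        skip[pat[i]] = n - 1 - i;
}

/* Boyer-Moore-Horspool: compare the window right to left, slide by the table.
 * Binary-safe. Returns the offset of the first match or -1.
 * *cmps, if non-NULL, receives the number of byte comparisons performed. */
long bmh_search(const unsigned char *txt, size_t tlen,
                const unsigned char *pat, size_t plen, size_t *cmps)
{
    size_t skip[256], pos = 0, n = 0;
    if (plen == 0) return 0;
    if (plen > tlen) return -1;
    bmh_table(pat, plen, skip);
    while (pos + plen <= tlen) {
        size_t j = plen;
        while (j > 0) {
            n++;
            if (txt[pos + j - 1] != pat[j - 1]) break;
            j--;
        }
        if (j == 0) { if (cmps) *cmps = n; return (long)pos; }
        pos += skip[txt[pos + plen - 1]];
    }
    if (cmps) *cmps = n;
    return -1;
}

/* Brute force, left to right at every offset: the approach replaced. */
long brute_search(const unsigned char *txt, size_t tlen,
                  const unsigned char *pat, size_t plen, size_t *cmps)
{
    size_t n = 0;
    if (plen == 0) return 0;
    for (size_t pos = 0; pos + plen <= tlen; pos++) {
        size_t j = 0;
        while (j < plen) {
            n++;
            if (txt[pos + j] != pat[j]) break;
            j++;
        }
        if (j == plen) { if (cmps) *cmps = n; return (long)pos; }
    }
    if (cmps) *cmps = n;
    return -1;
}

/* Constructed samples: a request line and a payload with embedded NULs. */
static const unsigned char demo_req[] = "GET /cgi-bin/phf HTTP/1.0";
static const unsigned char demo_pat[] = "/cgi-bin/";
static const unsigned char demo_bin[] = { 0x00, 0x01, 0xFF, 0x00, 0xDE, 0xAD, 0xBE, 0xEF, 0x00 };
static const unsigned char demo_binpat[] = { 0xDE, 0xAD, 0xBE, 0xEF };

long demo_text_offset(void)
{
    return bmh_search(demo_req, sizeof demo_req - 1, demo_pat, sizeof demo_pat - 1, NULL);
}

long demo_binary_offset(void)
{
    return bmh_search(demo_bin, sizeof demo_bin, demo_binpat, sizeof demo_binpat, NULL);
}

size_t demo_bmh_compares(void)
{
    size_t c;
    bmh_search(demo_req, sizeof demo_req - 1, demo_pat, sizeof demo_pat - 1, &c);
    return c;
}

size_t demo_brute_compares(void)
{
    size_t c;
    brute_search(demo_req, sizeof demo_req - 1, demo_pat, sizeof demo_pat - 1, &c);
    return c;
}
```

On the sample request the table lets the first failed compare slide the window four bytes at once, which is the "tolerance of poor pattern selection" the entry mentions: the cost is governed by the bytes of the text that are examined, not by how many offsets the pattern could start at.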
1999-02-18 mfr <roesch@clark.net>
* snort.c: Code cleanup and some error checking was added. The system
now accepts the interface name you give it at the command
line. Fixed a problem with underallocating the interface
name buffer for names specified on the command line.
Surprisingly, this only came to light when tested on the
Sparc architecture.
* log.c: ICMP logging now includes the ICMP code description in the
filename. This makes it easier to see what you're interested
in without having to go digging into the log files.
* decode.c: Made the ICMP types and codes a little more compatible with
being used as a filename.
1999-01-28 mfr <roesch@clark.net>
* rules.c: Rules sorting is now implemented. There are actually three
separate lists (Pass, Log, Alert) now, with the rules being
placed on to the lists in the order they're read from the
rules file. The rule execution order was changed, now
Alert rules are applied first, then Pass rules, then the Log
rules. Content based rules are available now, the actual
application layer data can be searched, both binary and
text, for a specific pattern to activate a rule on.
* decode.c: Minor changes to reflect the new rules structure.
1999-01-19 mfr <roesch@clark.net>
* snort.c: Modularized the code, big time! New source modules are log,
rules, decode, and mstring. Dumped SetFlow() for now.
* rules.c: Rules based packet logging now enabled!
* log.c: Now keeps track of TCP/UDP conversations better!
* decode.c: Enhanced decoding of packets, including ICMP ECHO seq and
id!
1999-01-08 mfr <roesch@clark.net>
* snort.c: Made a fix to SetFlow() so that it wouldn't dump the
program if it got traffic from 0.0.0.0 or 255.255.255.255.
* snort.h: Removed the "#define VERSION" since it's handled in config.h.
* README: Proper README file included with this distro
1998-12-21 mfr <roesch@clark.net>
* snort.c: Made this file, figured out autoconf