CVS log for snort/doc/README.http_inspect
New Feature for HTTP Inspect to split requests into 5 components - Method, URI, Header (non-cookie), Cookies, Body. Added HTTP server specific configurations to normalize HTTP header and/or cookie buffers. Provided content and PCRE modifiers to allow searches within one or more of those individual buffers. Added content modifier to allow rule writer to specify content to be used for fast pattern matcher. Updated dynamic rule API to allow searches within the new buffers.
* Update to include information about alerts generated from various preprocessors.
* Added overly long http header detection.
* 2.8.0 Prep
* Code & warning cleanup.
* Update documents for 2.7.0.
* Updated stream4 documentation in the Snort manual to reflect new UDP options and inline option updates. Corrected error with event_queue parameter - changed max_events to max_queue.
* Updated FAQ to reflect disuse of ACID in favor of BASE. Added references to FLoP and Mudpit as output systems for Snort. Added references to two IDS books.
* Added README file for the Snort decoder
* Added commented out decoder options with description - enable_decode_oversized_alerts and enable_decode_oversized_drops
* Updated tab_uri_delimiter section in document to reflect deprecation.
* Added documentation on Telnet configuration option detect_anomalies
* Split the IIS profile in the HTTP inspect preprocessor into IIS, IIS4, and IIS5_0. IIS 4.0 and IIS 5.0 both support double decoding, but IIS 5.1 and beyond do not. Double decoding alerts are now disabled in the IIS profile, but remain enabled for the IIS 4.0 and IIS 5.0 profiles.
* Fixed issue where iface_ADDRESS variable wasn't getting set before configuration file was read. Now all up interfaces will get a variable created. Note that these will NOT get set if the readmode flag is set.
* Fix problem with relative options not being marked as relative (for distance/within keywords).
* Add create_db2 script to be included in distro.
* Fix issue with daemonization on Mac OS X and parent not exiting cleanly.
* Provide support for locking the PID file so that no additional snort process is able to start using the same PID file. Can be overridden with --nolock-pidfile.
* Fix issue with replace option and replaced data always being placed at the beginning of the packet.
* FTPTelnet: Fix issue with parsing default server configuration on Win32 platform for FTPTelnet.
* SMTP: Fix potential read beyond end of buffer and update configuration to use less memory.
* Fix Stream reassembly issue at session purge/end of pcap.
* HTTP: Handle additional whitespace characters on a per server configured basis. Defaults are to treat Htab (\t, 9), VTab (\v, 11), Form Feed (\f, 12), and CR (\r, 13) as whitespace.
* Revise IP list parsing code.
* Update to handle CR as whitespace.
* Added processing of IP Options in fragmented packets.
* Fixed potential stream4 memory corruption.
* Fixed problem with parsing IP addresses of 255.255.255.255 for rules.
* Fixed compile warnings on some architectures.
* Added a -G flag that specifies an instance identifier for the event logs. Can be used when running multiple instances of snort, either on different CPUs or on same CPU but different interface. Each snort instance will use the value specified to generate unique event ids. Can specify either a decimal value (-G 1) or hex value preceded by 0x (-G 0x11). Thanks Steve Sturges.
* Fix to remove unnecessary ICMP echo extension, and update output plugins to use ICMP header info. Thanks Kevin Douglas for finding.
* Add option to Stream4 to limit server-side inspection for improved performance. Similar to HttpInspect's flow-depth, this option limits rule-inspection of server traffic to the set number of bytes (in 1 or more packets) until another client request is seen. Thanks Steve Sturges & Marc Norton.
* Fix issue generating ascii strings. Thanks Sandro Poppi for the fix.
* Updates/Fixes to Frag3 IP reassembler (thanks ssturges): 1) Push first fragmented UDP packet through, but do not inspect other fragmented packets (until rebuilt). 2) Printing of Configuration Info. 3) Code readability.
* Removal of comment parsing code added for 2.3.1.
* Added support for detection of Loopback & Same src/dest attacks in the packet decoder. This obsoletes sids 527, 528. Thanks Marc Norton for the feature.
* Added FTP Bounce detection Plugin. Thanks Steve Sturges.
* Increased Flowbits hash table size. Thanks Marc Norton.
* Performance improvement in pattern matcher from Marc Norton.
* Eliminate duplicate alerts on Rebuilt Streams/IP reassembled packets. Patch from Andy Mullican and Steve Sturges.
* Added handling of midstream sessions in portscan preprocessors. Thanks Andy Mullican.
* Stream4 fixes - Handle PAWS, NULL TCP Flags in established session, limit overlaps in established session, update ACK when server sends RST. Performance changes for cleaning up session cache. Thanks Steve Sturges and Andy Mullican for the patches.
* Added uri_tab_delimiter option to HttpInspect. Patch from Andy Mullican.
* Updates to PerfMon to handle multiple CPUs properly. Thanks Steve Sturges.
* Fixed telnet decoder bug when ignoring Sub-negotiation end command. Thanks Steve Sturges.
* Snort 2.4 CVS branch, build 1.
* Added support for detection of Loopback & Same src/dest attacks in the packet decoder. This obsoletes sids 527, 528. Thanks Marc Norton for the feature.
* Added global ignore ports feature. Thanks Andy Mullican for the feature. Usage:
* Provide ability for 3rd party code to take action when Snort indicates a packet should be dropped. Thanks Marc Norton.
* Added FTP Bounce detection Plugin. Thanks Steve Sturges for this feature.
* Performance improvement in pattern matcher from Marc Norton.
* Eliminate duplicate alerts on rebuilt streams/IP reassembled packets. Thanks Andy Mullican and Steve Sturges.
* Added better determination of direction for Back Orifice packets. Thanks Andy Mullican.
* Added handling of midstream sessions in portscan preprocessors. Thanks Andy Mullican.
* Stream4 fixes - Handle PAWS, NULL TCP Flags in established session, limit overlaps in established session, update ACK when server sends RST. Performance changes for cleaning up session cache. Thanks Steve Sturges and Andy Mullican for the patches.
* Added uri_tab_delimiter option to HttpInspect. Thanks Andy Mullican.
* Added categories (wire, ip defrag, tcp rebuilt, app layer) to PerfMon. Also added atexitonly option to dump stats for entire life of snort. Thanks Steve Sturges.
* Fixed telnet decoder bug when ignoring Sub-negotiation end command. Thanks Steve Sturges.
* Updated documentation on flow_depth and HTTP headers per conversations with Joe Patterson. Thanks Joe!
* Updated error message when IIS Unicode map file is not found.
* Ignore RST|ACK midstream pickup case so we don't get an evasive TCP alert. Thanks for the report, Sekure.
* Fix "config logdir:" so that this works correctly when /var/log/snort does not exist.
* Fixed bug when setting the doe_ptr on a successful pcre match. It is now set relative to base_ptr.
* Added from_beginning and multiplier options for byte_jump. from_beginning skips bytes from the beginning of the content, instead of from the location immediately following the number of bytes to skip. multiplier takes a numeric argument, and skips x times that number of bytes.
* In "fast" output, now log only actual packet contents when UDP data length is greater than actual data length. Thanks Brian Caswell for spotting this.
* Arpspoof fixes from Jeff Nathan. Thanks Jeff.
* Updated documentation on flow_depth and HTTP headers per conversations with Joe Patterson. Thanks Joe!
* slight fixes to mysql detection in configure
* banner update
* Bringing win32 up to RC1 for release (thanks Chris Reid)
* English error fix - thanks Alex Kirk
* minor updates to http_inspect profiles in docs
* added chunked encoding to iis profile
* removed alerting for delimiter and apache whitespace under 'all'
* doc updates
* Added documentation for webroot parameter in http_inspect.
* 2.1.1-RC1
* Minor doc updates.
* Speeling and grammar fixes from Mike Poor. Yay Mike!
* Moving 2.1.0 to 2.1.1-RC1 (to be merged into STABLE)
* Doc updates for http_inspect
* Major add/commit of 2.1 feature set... Will do a tag and then remove the "moved" files
snort-team@sourcefire.com