CVS log for snort/etc/gen-msg.map
	Help

Request diff between arbitrary revisions

Updating open-source CVS for Snort 2.8.5 beta release.

* Add stream5 option to restrict the number of consecutive
  small TCP segments inserted for reassembly without seeing an ACK.
  Generate alert (gid:129,sid:12) when that limit is exceeded.
  Allow overriding of this configuration on a port basis via an
  ignore_ports option.

* Add stream5 option to restrict the number of consecutive
  small TCP segments inserted for reassembly without seeing an ACK.
  Generate alert (gid:129,sid:12) when that limit is exceeded.
  Allow overriding of this configuration on a port basis via an
  ignore_ports option.

Thought I was checking into 2_8_4 and HEAD but 2.8.4 was actually head.  Anyway, not going through the business again.  See HEAD checkins for comments

Added dcerpc2 preprocessor documentation.

Added dcerpc2 preprocessor documentation.

* Addition of dcerpc2 preprocessor. Addition of new rule options supported by preprocessor.

Update rule latency thresholding.

Update rule latency thresholding.

Updates

Updates

* Fixed alert message for IP datagram being greater than captured length.

Add IPv6 decoder events.

Add IPv6 decoder events.

Update frag3 to remove enforcement of ttl_limit. Add preprocessor alert for min_ttl anomaly.
Fixed some typos.  Thanks to rmkml for pointing this out.

Update frag3 to remove enforcement of ttl_limit. Add preprocessor alert for min_ttl anomaly.
Fixed some typos.  Thanks to rmkml for pointing this out.

Added IP in IP encapsulation support for both IPv4 and IPv6.
Update Stream5 to alert on data without TCP flags when non-linux policy.  Thanks to Chris Eagle, Naval Postgraduate School, for bringing this to our attention.

Added IP in IP encapsulation support for both IPv4 and IPv6.
Update Stream5 to alert on data without TCP flags when non-linux policy.  Thanks to Chris Eagle, Naval Postgraduate School, for bringing this to our attention.

Update to include GRE alerts

Update to include GRE alerts

* Added overly long http header detection.

* 2.8.0 beta prep.

* 2.8.0 beta prep.

* Update gen-msg.map

* Update gen-msg.map

* Handle TCP window scale option that is > 14.  Added decoder alert for
  this and adjust the scale per RFC 1323 in Stream5.

* Handle TCP window scale option that is > 14.  Added decoder alert for
  this and adjust the scale per RFC 1323 in Stream5.

* Added ability for Snort to track fragmented ICMPv6 to check for the
  remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).

* Added ability for Snort to track fragmented ICMPv6 to check for the
  remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).

* Added ability for Snort to track fragmented ICMPv6 to check for the
  remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).

* Add Stream5 alert.

Add DCE/RPC alert.

Add DCE/RPC alert.

* Added additional TCP length checking and UDP length checking and new
  decode alerts for anomalous lengths.

* Added additional TCP length checking and UDP length checking and new
  decode alerts for anomalous lengths.

* Fix Stream4 to handle duplicate SYN packets by purging existing
  packets queued for reassembly after the seq of the SYN.  Also,
  properly handle retransmitted data that is overlapping the current
  packet and when trimmed overlapping the next packet.

* Fix Stream4 to handle duplicate SYN packets by purging existing
  packets queued for reassembly after the seq of the SYN.  Also,
  properly handle retransmitted data that is overlapping the current
  packet and when trimmed overlapping the next packet.

* Added support to decode GRE encapsulated traffic.  Only IP as transport
  protocol is supported and only one layer of encapsulation will be
  decoded - packets with multiple GRE headers will be discarded.
* Added support for communcation with an Aruba Networks wireless
  mobility authentication/access control system.

* Added support to decode GRE encapsulated traffic.  Only IP as transport
  protocol is supported and only one layer of encapsulation will be
  decoded - packets with multiple GRE headers will be discarded.
* Added support for communcation with an Aruba Networks wireless
  mobility authentication/access control system.

* Added code to print original datagram for all ICMP error types if
  alerted on.
* Fix to print original datagram on alert if original datagram was ICMP.
* Added additional decoder alerts for ICMP error types.
* Removed fragtracking of ICMP original datagram - it never made sense
  since only an ICMP response to the first frag is ever returned.
* Fixed issue where data and size pointers were not set correctly for
  ICMP error types.

* Added code to print original datagram for all ICMP error types if
  alerted on.
* Fix to print original datagram on alert if original datagram was ICMP.
* Added additional decoder alerts for ICMP error types.
* Removed fragtracking of ICMP original datagram - it never made sense
  since only an ICMP response to the first frag is ever returned.
* Fixed issue where data and size pointers were not set correctly for
  ICMP error types.

* Cleanup some code, DNS Rdata client overflow is not microsoft
  specific (also vuln on some linux via UDP).

* Cleanup some code, DNS Rdata client overflow is not microsoft
  specific (also vuln on some linux via UDP).

* Cleanup some code, DNS Rdata client overflow is not microsoft
  specific (also vuln on some linux via UDP).

* Add a dynamic preprocessor to decode and analyze DNS responses
  over TCP and UDP.  The TCP portion is stateful and requires
  stream is enabled.

* Add a dynamic preprocessor to decode and analyze DNS responses
  over TCP and UDP.  The TCP portion is stateful and requires
  stream is enabled.

* Add a dynamic preprocessor to decode and analyze DNS responses
  over TCP and UDP.  The TCP portion is stateful and requires
  stream is enabled.

* New target-based Stream module.  Moved flow & flowbits to
  be part of Stream API.

* New target-based Stream module.  Moved flow & flowbits to
  be part of Stream API.

* Fix potential evasion in Stream4.

* Fix potential evasion in Stream4.

* Fix potential evasion in Stream4.

* Added generator IDs for new preprocessors.

Update gen-msg.map

* Fix buffer overflow in Back Orifice preprocessor

* Fix buffer overflow in Back Orifice preprocessor

Add new RPC alert for zero-length fragment.

Add new alert to RPC on zero-length fragment.

* Added xlink2state mini-preprocessor to catch MS Exchange buffer
X-Link2State data overflow (amullican).

* Added xlink2state mini-preprocessor to catch MS Exchange buffer
X-Link2State data overflow (amullican).

* Added xlink2state mini-preprocessor to catch MS Exchange buffer
  X-Link2State data overflow (amullican).
* Bump to 2.3.3.

* Updates/Fixes to Frag3 IP reassembler (thanks ssturges):
  1) Push first fragmented UDP packet through, but do not inspect
  other fragmented packets (until rebuilt).
  2) Printing of Configuration Info
  3) Code readability
* Removal of comment parsing code added for 2.3.1.
* Added support for detection of Lookback & Same src/dest attacks in
  the packet decoder. This obsoletes sids 527, 528. Thanks Marc
  Norton for the feature.
* Added FTP Bounce detection Plugin. Thanks Steve Sturges.
* Increased Flowbits hash table size. Thanks Marc Norton.
* Performance improvement in pattern matcher from Marc Norton.
* Eliminate duplicate alerts on Rebuilt Streams/IP reassembled packets.
* Patch from Andy Mullican and Steve Sturges.
* Added handling of midstream sessions in portscan preprocessors.
  Thanks Andy Mullican.
* Stream4 fixes - Handle PAWS, NULL TCP Flags in established session,
  limit overlaps in established session, update ACK when server sends
  RST. Performance changes for cleaning up session cache. Thanks
  Steve Sturges and Andy Mullican for the patches.
* Added uri_tab_delimiter option to HttpInspect. Patch from Andy
  Mullican.
* Updates to PerfMon to handle multiple CPUs properly. Thanks Steve Sturges.
* Fixed telnet decoder bug when ignoring Sub-negotiation end command.
  Thanks Steve Sturges.

* Snort 2.4 CVS branch, build 1.
* Added support for detection of Lookback & Same src/dest attacks in
  the packet decoder. This obsoletes sids 527, 528. Thanks Marc
  Norton for the feature.
* Added global ignore ports feature. Thanks Andy Mullican for the feature. Usage:
* Provide ability for 3rd party code to take action when Snort
  indicates a packet should be dropped. Thanks Marc Norton.
* Added FTP Bounce detection Plugin. Thanks Steve Sturges for this feature.
* Performance improvement in pattern matcher from Marc Norton.
* Eliminate duplicate alerts on rebuilt streams/IP reassembled packets.
  Thanks Andy Mullican and Steve Sturges.
* Added better determination of direction for Back Orifice packets.
  Thanks Andy Mullican.
* Added handling of midstream sessions in portscan preprocessors.
  Thanks Andy Mullican.
* Stream4 fixes - Handle PAWS, NULL TCP Flags in established session,
  limit overlaps in established session, update ACK when server sends
  RST. Performance changes for cleaning up session cache. Thanks
  Steve Sturges and Andy Mullican for the patches.
* Added uri_tab_delimiter option to HttpInspect. Thanks Andy
  Mullican.
* Added categories (wire, ip defrag, tcp rebuilt, app layer) to
  PerfMon.  Also added atexitonly option to dump stats for entire life
  of snort. Thanks Steve Sturges.
* Fixed telnet decoder bug when ignoring Sub-negotiation end command.
  Thanks Steve Sturges.

add frag3 alerts to gen-msg.map

* Change version 2.3->2.3.0
* verstuff now mods snort ver in snort.conf. /wave bmc
* Fixed 116:109 in gen-msg.map

* Change version 2.3->2.3.0
* verstuff now mods snort ver in snort.conf. /wave bmc
* Fixed 116:109 in gen-msg.map

* more better

* more better

* more better

* sync 2.3 code

* sync fixes from stable into head.

* add the http inspect "WEBROOT DIRECTORY TRAVERSAL" alert

* Major add/commit of 2.1 feature set...

  Will do a tag and then remove the "moved" files

* correcting gen-msg.map from ARB

* misc andrewb fixes

* removed extra quotes from gen-msg.map

* rc1 -- dear god that took a long time.
  see snort-users for annouce
  changelog for details

* logic errors in spp_stream4, detect_scans
* DisableDetect in rpc_decode()
* new TCP options decoder -- anomaly detection added :^)

* rpc fixes
* suspend mode fixes

* rpc fixes
* snort 1.9.1

* fix id for "spp_frag2: Shifting to Suspend Mode"

* updating to placate Phil Wood :)

* Emergency mode/Suspend modes for stream4/frag2

* preprocessor conversation: allowed_ip_protocols 1 6 17, alert_odd_protocols
* explicit parens for sp_session

yes, lets keep it up to date.

BTW, if you add anything to generators.h and don't add it here, I will beat
you with a baseball bat.

* yeap, lets support this via snort now.