path: root/net/snort
Age | Commit message | Author | Files | Lines
2002-12-09 | Replace "true" by "${TRUE}". | tron | 1 | -2/+2
2002-11-09 | COMMENT should be set in Makefile, not any common Makefile parts. | wiz | 2 | -3/+3
2002-10-13 | Update snort to 1.9.0. Changes: | hubertf | 6 | -78/+120
Lots of new rules, extended analyzing of packages etc. Fixes PR 18637 by Adrian Portelli <adrianp@stindustries.net>
2002-10-10 | Use BUILDLINK_PREFIX.libpcap. | wiz | 1 | -3/+3
2002-10-10 | buildlink1 -> buildlink2. | wiz | 1 | -3/+4
2002-10-10 | Remove libpcap buildlink.mk inclusion -- it's included in all the files that | wiz | 1 | -3/+1
include this file.
2002-07-15 | Update to 1.8.7, prompted by Mipam. | wiz | 3 | -10/+10
Changes: The main purpose of this release is a stable target with many fragroute and tcp connection oriented fixes. This is also the last release of the 1.8.7 line and signals the start of the beta cycle for the 1.9 branch.
2002-04-15 | Remove SNORT_USE_PGSQL option. This will be split out into a separate | rh | 2 | -44/+45
package. For that purpose, move most of Makefile into a new Makefile.common.
2002-04-14 | Add a SNORT_USE_PGSQL option to compile in PostgreSQL support (and add | rh | 1 | -2/+5
the appropriate dependency). Patch provided by ww@GROOVY.NET
2002-04-10 | Update snort to 1.8.6. Patch provided in private mail by Mipam | rh | 2 | -5/+5
<mipam@ibb.net>.
From the release notes: 1.8.4 and 1.8.5 both had bugs that were found right as we were ready to do a full release and represented good midway points but 1.8.6 should be the stable target.
Changes include:
* The ICMP decoders have been rewritten.
* (This is a summary of recent changes -- not all mine)
* Fixed stream4 offset initialization
* Double Open of snort log file
* Lots of new rules
* Fatal error on problems other than -> and <>
* Fixed stream4 several low memory conditions
* Error checking in stream4/frag2 argument parsing
* snort-db schema updates to 1.05
* --with-pcap-includes should now look at specified pcap
* packet statistics now should be more accurate with regards to lost frags
* double PID file write
* S4 alignment problems on SPARC fixed ( rpc_decode still has SPARC alignment errors )
* new snmptrap code
* documentation updates
* Stability fixes in frag2
* SEQ / ACK checking should be correct
* Reassembled packets with stream4 will now also be inspected when using -z est
* ip fragments are now calculated correctly
* rule headers correctly matched ( multiple CIDR performance greatly increased )
2002-04-02 | Update snort to 1.8.4 (update was provided by Mipam <mipam@ibb.net> in a | rh | 5 | -27/+36
private mail -- thanks!)
Changes are:
* Fixed stream4 offset initialization
* Double Open of snort log file
* Lots of new rules
* Fatal error on problems other than -> and <>
* Fixed stream4 several low memory conditions
* Error checking in stream4/frag2 argument parsing
* snortdb schema updates to 1.05
* --with-pcap-includes should now look at specified pcap
* packet statistics now should be more accurate with regards to lost packets werwerwerwerwer
* double PID file write
* S4 alignment problems on Sparc fixed
* new snmptrap code
* documentation updates
* Stability fixes in frag2
2002-03-29 | add leftovers | hubertf | 1 | -1/+2
2002-03-13 | Add powerpc/macppc support | jmc | 2 | -1/+15
2002-02-15 | mkdir -> ${MKDIR} | skrll | 1 | -2/+2
rmdir -> ${RMDIR}
rm -> ${RM} (${RM} added to PLIST_SUBST)
chmod -> ${CHMOD}
chown -> ${CHOWN}
2001-12-05 | Normalise all the uses of "wheel", and "root" for ${ROOT_GROUP}, now that | agc | 1 | -10/+2
the definition is available in all the defs.${OPSYS}.mk files.
2001-12-02 | Update snort to 1.8.3; changes since 1.8.2 include: | kleink | 2 | -5/+5
Major repairs include a fix to frag2 on Linux platforms, the icmp decoder and printout routines were updated to match the data structures that I implemented in 1.8.1 and the flexresp code was repaired and should now be faster, plus the usual rule updates. I also added a new "-B" command line switch to convert IP addresses in a pcap file to a new specified IP subnet addresses.
2001-11-28 | Update snort to 1.8.2; changes since 1.8.1 include: | kleink | 4 | -14/+20
* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting a signal
* fixed PID path generation code, PID files go in the right place now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which causes all buffered packets in the stream reassembler for that session to be logged in the event of an event on that stream (must be used in conjunction with spo_log_tcpdump)
* added packet precaching for flexresp TCP packets, responses should be generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system
2001-11-07 | Only use DLT_PPP_{SERIAL,ETHER} on systems that actually have it | hubertf | 2 | -7/+26
(i.e. on 1.5 and up). (I *love* digging such stuff out of CVS logs...) Requested by wiz in private mail.
2001-10-31 | Move pkg/ files into package's toplevel directory | zuntum | 3 | -2/+2
2001-09-11 | Use libpcap buildlink.mk instead of OS test. By Stoned Elipot from pkg/13928. | wiz | 1 | -2/+4
2001-08-24 | At least depend on the right version of pcal for SunOS or Linux. | abs | 1 | -3/+3
2001-08-22 | Upgrade snort to 1.8.1. Changes: | hubertf | 3 | -37/+50
* SNMP alerts
* IDMEF XML output (the Silicon Defense plugin is integrated into the main codebase now)
* Limited regex support in the rules language
* New packet counters for stream4 and frag2
* New normalization mode for http_decode
2001-08-22 | regen | wiz | 1 | -1/+2
2001-08-22 | Teach snort about our DLT_PPP_* | hubertf | 1 | -0/+15
2001-08-03 | upgrade to 1.8p1. | itojun | 3 | -28/+44
for list of changes, see http://www.snort.org/snort-files.htm
default rule files are now named *.rules, not *-lib.
2001-04-21 | Move to sha1 checksum, and/or add distfile sizes. | wiz | 1 | -2/+3
2001-04-17 | + move the distfile digest/checksum value from files/md5 to distinfo | agc | 2 | -7/+1
+ move the patch digest/checksum values from files/patch-sum to distinfo
2001-02-26 | Update to 1.7, provided by Mipam in private mail. | wiz | 3 | -12/+17
Changes: lots of bugfixes, many new plugins, SPADE (statistical anomaly detector), and more.
2001-02-17 | Update to new COMMENT style: COMMENT var in Makefile instead of pkg/COMMENT. | wiz | 2 | -2/+2
2000-12-27 | Update snort to 1.6.3.2. Notable changes include: | rh | 3 | -13/+32
Fixes and additions:
* Fixed compilation problems on all non-BSD operating systems
* Added better configuration support for locating libpcap
* Fixed ICMP ping packet id/sequence printouts
* Made allowances for 64-bit machines in the decoders
* Updated the portscan detector to the latest version
* Disabled the defragmenter by default (in the rules file)
* Added a patch from Dave Dittrich to make daemon mode alerts filenames conform to the data in the documentation
* Revamped the ICMP data structures to mimic those found in *BSD and provide for higher fidelity decoding/printout in the future
* Repaired the output plugins so that they operate properly now
* For the record, the payload dump conforms to the length of the IP datagram now and does not show pad bytes added by the minimum Ethernet frame size
* Applied Chris Cramer's byte ordering patch to the flexresp code
Other updates and changes since version 1.6:
* New preprocessor plugin: IP defragmentation!!
* New output plugins cover all old logging and alerting options
* New output plugin now logs to MySQL, PostgreSQL, unixODBC databases
* Updated portscan detection functionality
* Added quote removal for most plugin parsers
* -C crash bug fixed
* PID/PATH_VARRUN file fixes
* Converted many putc(3) calls to fputc(3) for portability
* Transport layer decoders use ip_len field for length metric now
* String tokenizer code modified for more reliable operation
* Fixed flexible response code sequence prediction
* Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all platforms
* Set automake options so that people don't need gmake anymore to build Snort on BSD systems
* Fixed SMB alert code large tmp file hole
* Added sigsetmask code to fix SIGHUP weirdness
* Added execvp option for SIGHUP restart code
* Added ARP header printout validation
* Added Session logging file integrity checking
* Added -u/-g setuid/gid capability switches
* Added -O IP address obfuscation switch
* Added -t chroot switch
* Fixed non-TCP/UDP/ICMP transport layer decoding & logging
* Fixes and additions to the portscan preprocessor
* Fixed Tru64 u_int* type declarations
* Added check for pcap.h into configuration script
* Fixed timeval problems on Linux boxen
* Database logging plugin has been modified extensively, see the www.incident.org website for more information
* Switched TCP flags printout routine to ensure proper RFP output scan output. ;)
* Fixed default log/alert function code so that these functions are never NULL
2000-05-28 | Update checksum, distfile seems to have changed. Fixes pkg/9892. | wiz | 1 | -2/+2
2000-03-20 | Upgrade snort to version 1.6. Changes since version 1.5.1 include: | agc | 4 | -25/+9
New features:
* Token Ring and FDDI decoder support
* Snort ported to Tru64/Alpha, IRIX 6.X, and AIX
* Output plugins added (modular output system)
* John Wilson greatly improved the speed of the content pattern matcher
* Added FlexResp (active response) plugin from Christian Lademann
* Snort man page now ships with the distribution
* Snort now generates a PID file for easier integration with scripting
* Added support for "stealthed" network interfaces
New command line switches:
* -q => quiet mode (no stdout printing)
* -C => print payload ASCII content only
* -P => set explicit snaplen for packet collection
Plugins:
* Added Postgres SQL DB logging output module from Jed Pickel
* Added portscan detection plugin from Patrick Mullen
* HTTP decode preprocessor largely rewritten and much more accurate
* Minfrag rule moved to preprocessor module
* Added ICMP ECHO ID check plugin
* Added ICMP ECHO sequence check plugin
* Added RPC analysis plugin from Mark Hindess
* Added IP option analysis plugin
* Added nocase plugin (makes content rules work with case insensitivity)
* Added syslog output module with user definable syslog facility
* Added tcpdump output module (and building without patches on Solaris).
2000-02-04 | Update snort to 1.5.1 | rh | 3 | -5/+7
Changes are:
* fixed a problem with pass rules not being applied properly
* fixed a #include ordering statement for Slackware 4.0 installs
* fixed banner output for the -V option
* Token Ring decoding is now fully functional
* Added packet buffer cleanup code to all protocol decoders
* fixed a problem with improper TCP option output
* Added a Snort man page
2000-02-02 | Make this package work on Solaris. | agc | 3 | -2/+33
2000-01-15 | update snort to 1.5; added distribution sites, install example configs. | wiz | 4 | -8/+44
From the Readme: Version 1.5 adds major new functionality! Detection and preprocessing plugins, session logging, rules file variables and includes, five new network layer decoders including ISDN and Token Ring support, new detection functionality, and a bunch of other cool stuff.
2000-01-05 | Strip trailing '.', and/or leading '(a|an) ' | abs | 1 | -1/+1
1999-09-10 | Initial import of snort-1.2.1, a libpcap-based packet sniffer/logger. | rh | 5 | -0/+40