Sophie

snort-2.8.0.1-0.2mdv2008.1.x86_64.rpm

2007-11-13 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Handle additional cases of multiple sequences of TCP SYN packets
      on a session that has previously been reset.
    * src/ipv6_port.h:
      Update IPv6 CLEAR macro to clear the family & bit count.
    * src/fpcreate.c:
    * src/preprocessors/str_search.c:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
      Fix a stat counter in calculating the pattern match percentage.

2007-11-06 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Includes/pcre.h:
    * src/win32/WIN32-Includes/pcreposix.h:
    * src/win32/WIN32-Libraries/pcre.lib:
      Update Win32 LibPCRE to version 7.4.

2007-11-05 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fix debug to correctly call inet_ntoa.  Thanks to rmkml for reporting
      the problem.

2007-09-07 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * src/build.h:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * rpm/snort.spec:
    * snort.8:
      2.8.0 Final release prep.  Update spec file to relocate installed
      schemas and be more consistent with location of docs.
    * src/parser.c:
      Initialize rule_count variables.  Thanks to Ken Steele for pointing
      it out.
    * src/signature.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/plugbase.c:
      Fix typos in comments.  Thanks rmkml for reviewing.
    * src/tag.c:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_iph.c:
      Cleanup printing of IPv6 Addresses.
    * src/detection-plugins/sp_pcre.c:
      Initialize the found offset so that it contains correct value
      when not found.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Improve checking on ftp commands from client.
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
      Disable ftptelnet when compiled with IPv6.
    * src/decode.c:
    * src/snort.c:
      After logging alert for BSD IPv6 Fragmentation vulnerability,
      reset the pseudo packet that is used for logging purposes.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Memory cleanup of mime boundary regular expressions at Snort exit.
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_sfportscan.c:
      Memory cleanup of portscan hash table at Snort exit.
    * src/output-plugins/spo_alert_prelude.c:
      Correctly get IP Header length for logging.
    * src/output-plugins/spo_alert_sf_socket.c:
      Complete initialization after rules are read for specific GID/SID
      alerts to log via sf socket.
    * src/output-plugins/spo_unified2.c:
      Code cleanup.
    * src/preprocessors/spp_frag3.c:
      Handle VLAN tags in fragmented traffic and include in rebuilt packets
      if part of original traffic.
    * src/preprocessors/spp_stream5.c:
      Initialize memory for flowbits after all configuration is processed,
      as config flowbitsize option might change default.  Handle byte
      alignment issue on Solaris with the flowbits data structure used
      by Stream5.  Thanks to JJC & Shane Castle for helping us troubleshoot
      these issues and testing the patches.
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/stream_api.h:
      Handle strange sequences of multiple TCP Reset packets on the same
      session when some of those Resets also contain other flags.  Thanks
      to Siim Poder for reporting the problem.

2007-08-31 Steven Sturges <ssturges@sourcefire.com>
    * src/parser.c:
      Updates to prevent variable definitions of the same name as a portvar,
      var and ipvar.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Fix copying of IP address from packet when determining client config
      that resulted from IPv6 port.
    * src/output-plugins/spo_alert_prelude.c:
      Updates to write GID in alert data.  Thanks to Yoann Vandoorselaere
      for the update.
    * src/output-plugins/spo_unified2.c:
      Don't write tagged packets the same as unified.  Packets that are
      part of stream reassembly refer to the original event directly from
      the packet record header.
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfportobject.h:
      Code cleanup and free data correctly on parsing errors.

2007-08-30 Steven Sturges <ssturges@sourcefire.com>
    * doc/Makefile.am:
      Include README.ipv6 & README.variables in the distribution tarball.
      Thanks to Jeff Dell for pointing out that it was missing.
    * RELEASE.NOTES:
      Fix some spelling errors.  Thanks rmkml for pointing it out.
    * etc/snort.conf:
      Update to use new portvar syntax for HTTP_PORTS, ORACLE_PORTS,
      and SHELLCODE_PORTS.  Thanks to rmkml for mentioning this.

2007-08-22 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * src/sf_types.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fixes to build 2.8.0 Beta on OpenBSD.
    * doc/README.variables:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update PortList documentation.

2007-08-20 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * src/build.h:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * rpm/snort.spec:
      2.8.0 Beta prep.
    * src/Makefile.am:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/event.h:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/output-plugins/spo_unified2.c:
    * src/pcap_pkthdr32.h (added):
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
    * src/snort_packet_header.h (removed):
    * src/win32/WIN32-Prj/snort.dsp:
    * src/snort.c:
      Renamed snort_packet_header.h to pcap_pkthdr32.h and changed instances of
      SnortPktHdr with pcap_pkthdr except in Event struct and unified code where
      pcap_pkthdr32 is used because 32 bit timevals are required.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/util.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_httpinspect.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/snort.c:
      Added framework for preprocessors to print stats at exit or USR1 signal.
      Preprocessors register a function that will print the stats and they will
      be printed when DropStats() is called.
    * src/detection-plugins/sp_pattern_match.c:
      Commented out 'content-list' rule option code since it is
      broken and there are no plans in the near future to fix it.
    * src/checksum.h:
    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/detect.h:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-preprocessors/dynamic_preprocessors.dsp:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/generators.h:
    * src/ipv6.c (removed):
    * src/ipv6.h (removed):
    * src/ipv6_port.h (added):
    * src/log.c:
    * src/Makefile.am:
    * src/output-plugins/spo_alert_arubaaction.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/output-plugins/spo_unified2.c:
    * src/parser/IpAddrSet.c:
    * src/parser/IpAddrSet.h:
    * src/parser.c:
    * src/parser.h:
    * src/plugbase.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/stream_ignore.h:
    * src/rules.h:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/Makefile.am:
    * src/sfutil/sf_ip.c (added):
    * src/sfutil/sf_ip.h (added):
    * src/sfutil/sf_iph.c (added):
    * src/sfutil/sf_iph.h (added):
    * src/sfutil/sf_ipvar.c (added):
    * src/sfutil/sf_ipvar.h (added):
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/sfutil/sf_vartable.c (added):
    * src/sfutil/sf_vartable.h (added):
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/util.c:
    * src/win32/WIN32-Prj/build_all.dsp:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * doc/README.ipv6:
      Added 1st phase of support for IPv6.  Added support for ip variables
      and improved IP address list handling.  See README.ipv6 for specifics
      on what portions of Snort fully support IPv6.  Certain preprocessors
      are not supported -- and cannot be turned on with an IPv6 enabled
      snort.
    * src/output-plugins/spo_unified.c:
      Added configuration option to not append timestamps to unified log/alert
      files.
    * src/output-plugins/spo_unified2.c (added):
    * src/output-plugins/spo_unified2.h (added):
    * src/plugbase.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added unified2 logging/output format.
    * src/cpuclock.h (added):
    * src/detect.c:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/Makefile.am:
    * src/parser.c:
    * src/ppm.c (added):
    * src/ppm.h (added):
    * src/profiler.h:
    * src/rules.h:
    * src/snort.c:
      Added support for packet performance monitoring.  Allows Snort to be
      configured to only spend a certain time period on a given packet
      and/or rule and automatically suspend performance-intensive rules.
      See README.ppm for details.
    * src/bounds.h:
    * src/byte_extract.c:
    * src/byte_extract.h:
    * src/debug.c:
    * src/debug.h:
    * src/decode.c:
    * src/decode.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1_detect.c:
    * src/detection-plugins/sp_asn1_detect.h:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_session.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/bmh.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_client.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/log.c:
    * src/log.h:
    * src/mstring.c:
    * src/mstring.h:
    * src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_ad.h:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_mi.h:
    * src/preprocessors/HttpInspect/include/hi_norm.h:
    * src/preprocessors/HttpInspect/include/hi_server.h:
    * src/preprocessors/HttpInspect/include/hi_util.h:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf-flow.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/snort.c:
      Changed packet payload pointers to use const qualifier to
      eliminate inadvertent writes to the packet buffer.
    * src/preprocessors/HttpInspect/include/hi_util_kmap.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/util/hi_util_kmap.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
      Cleanup memory at Snort exit from session & client configurations.
    * src/debug.h:
    * src/preprocids.h:
    * src/generators.h:
      Added defines for SKYPE.
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
      Fixed a few typos in comments. Thanks to rmkml for pointing them out.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Cleaned up a few typos in various sections.  Thanks to rmkml, Joel
      Ebrahimi for pointing out the misspellings & errors.
    * src/decode.h:
    * src/detect.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
    * src/rules.h:
    * src/sfutil/Makefile.am:
    * src/sfutil/sfrt.c (added):
    * src/sfutil/sfrt.h (added):
    * src/sfutil/sfrt_dir.c (added):
    * src/sfutil/sfrt_dir.h (added):
    * src/sfutil/sfrt_trie.h (added):
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
    * src/snort.h:
    * src/target-based/Makefile.am (added):
    * src/target-based/sf_attribute_table_parser.l (added):
    * src/target-based/sf_attribute_table.y (added):
    * src/target-based/sftarget_hostentry.c (added):
    * src/target-based/sftarget_hostentry.h (added):
    * src/target-based/sftarget_protocol_reference.c (added):
    * src/target-based/sftarget_protocol_reference.h (added):
    * src/target-based/sftarget_reader.c (added):
    * src/target-based/sftarget_reader.h (added):
    * src/util.c:
      Added experimental support for Target-Based processing for Stream
      reassembly, IP Frag reassembly, and rule processing.  Enable via
      --enable-targetbased option to configure.  A thread is created to
      reload the attribute table upon receipt of a signal 30.
    * src/detect.c:
    * src/detect.h:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_clientserver.h:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser.c:
    * src/parser.h:
    * src/pcrm.c:
    * src/pcrm.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/rules.h:
    * src/sfutil/sfportobject.c (added):
    * src/sfutil/sfportobject.h (added):
    * src/sfutil/sfrim.c (added):
    * src/sfutil/sfrim.h (added):
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
    * src/util.c:
      Added Port Lists & Port Range functionality and added port variable
      handling.  
    * preproc_rules/preprocessor.rules:
    * preproc_rules/decoder.rules:
    * preproc_rules/Makefile.am:
    * configure.in:
    * etc/snort.conf:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_optioncheck.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/event_queue.c:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/parser.c:
    * src/plugbase.c:
    * src/plugbase.h:
      Added support to provide action control (alert, drop, pass, etc)
      over preprocessor and decoder generated events, as well as references
      and classifications via a rule.  These rules do not include IP
      addresses as the individual preprocessor/decoder configuration
      dictates the traffic to which an event applies.  In conjunction
      with this, certain post-processing rule options (tag, logto, etc)
      may be added to those rules, while other options that relate to data
      inspection (content, byte_test, etc) may not.  Enable via 
      --enable-decoder-preprocessor-rules option to configure.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Search for other shared library extensions on OpenBSD.  Thanks to
      Nikns Siankin for the request.
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/Makefile.am:
    * src/dynamic-preprocessors/dns/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/ssh/Makefile.am:
      Fixes to correct shared library extension on MAC OS.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/generators.h:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added basic TCP session hijacking detection.  Detection based on MAC
      address used during TCP 3-way handshake and MAC address in subsequent
      packets.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added stream_size rule option (only supported by Stream5).
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/generators.h:
      Improved detection for encrypted ftp sessions, reducing false positives.
      Added detection of subnegotiation begin commands without matching
      subnegotiation end (evasion attempt).
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_config.h:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_log.h:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.h:
    * doc/README.SMTP:
    * etc/snort.conf:
    * src/generators.h:
      Rework much of preprocessor to improve searches, additional
      vulnerability checks.  Updates include changes to handle case
      insensitive searches.  Alert on header name length (Exim exploit) and
      check for valid mime headers.  Add port 587 (see RFC 2476) to
      default ports.  Improved normalization to separate commands and data.
      Updates to config parsing and console startup output.
    * src/parser.c:
      Handle duplicate rules by using the newer revision or the earlier
      appearing rule (if same revision).
    * src/sf_types.h (added):
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/unique_tracker.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf-event.c:
    * src/preprocessors/perf-event.h:
    * src/profiler.c:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
    * src/snort.h:
    * src/snprintf.h:
    * src/util.c:
    * src/util.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Includes/WinPCAP/time_calls.h:
      Updated logging to print 64bit values on various platforms in a more
      portable manner.
    * configure.in:
    * src/decode.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
    * src/win32/WIN32-Includes/config.h:
      Fixed issue with various versions of pcap reporting received &
      dropped stats differently.  Pcap versions 0.9 & higher accumulate
      stats, whereas earlier versions do not.
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfhashfcn.h:
    * src/sfutil/sfprimetable.c (added):
    * src/sfutil/sfprimetable.h (added):
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
      Improve performance of pattern match engines to not evaluate a rule
      with a pattern that has already been seen and the rule already
      processed.  This change takes into account if that rule fails because of
      an unset flowbit (which may have been set by another rule).  Changed hash
      table hash functions to use power of two computations instead of prime
      numbers.
    * src/util.c:
      Added PCRE library version information to Snort startup banner.

2007-07-27 Steven Sturges <ssturges@sourcefire.com>
    * etc/snort.conf:
      Turn off flow since Stream5 is now enabled by default.
    * src/snort.c:
      Fix printing of threshold counts until after all rules are read.
      This issue did not affect thresholding, only display of thresholding.
      Thanks to Jeffrey Denton for reporting the problem.
    * src/sfutil/ipobj.c:
      Fix free of invalid pointer when using a negated IP list.
      This is used by sfportscan preprocessor configuration parsing.
      Thanks to Anders Ostrem for reporting the problem.
    * src/preprocessors/Stream5/snort_stream5_session.c:
      Fixed issue when experimental ICMP tracking is used without using
      the TCP or UDP session tracking.  ICMP was attempting to lookup 
      TCP or UDP sessions from uninitialized session cache.  Thanks to
      Koji Shikata for reporting the problem.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed invalid session pointer when rule tries to use flowbits after
      session ends.  Thanks to rmkml for initially reporting the problem.

2007-07-06 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed potential invalid memory access when require 3whs option is used.

2007-06-28 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/acsmx2.c:
    * src/sfutil/bnfa_search.c:
      Revert previous changes as they resulted in some false negatives
      with mixed case patterns and rules.  Will address in a future release.
    * src/detection-plugins/sp_react.c:
      Fixed problem with segfault with flexresp.  Thanks to Keith Pachulski
      for reporting the issue.

2007-06-20 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
      Performance improvement to track the last state of a pattern that
      matches, so if it hits that state again immediately, don't go
      re-evaluate all of the same rules.
    * src/decode.c:
    * src/detect.c:
    * src/snort.h:
    * src/util.c:
      Properly handle UDP checksum if checksum value is 0 in header (do not
      calculate).  Add stat that tracks number of failed checksums.
    * src/detection-plugins/sp_pcre.c:
      Add /P flag to PCRE detection to check HTTP inspect's normalized
      client request body.
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-examples/Makefile.am:
      Fix header file replication.
    * src/output-plugins/spo_alert_prelude.c:
      Update to write data at Snort exit.  Thanks Yoann Vandoorselaere for
      the patch.
    * src/parser.c:
      Update to max line length.  Mark 'stateless' option to be deprecated,
      use flow:stateless.

2007-06-19 Steven Sturges <ssturges@sourcefire.com>
    * src/byte_extract.h:
    * src/event_queue.h:
    * src/event_wrapper.h:
    * src/inline.h:
    * src/ipv6.c:
    * src/ipv6.h:
    * src/packet_time.h:
    * src/plugin_enum.h:
    * src/preprocids.h:
    * src/sfthreshold.h:
    * src/snort_packet_header.h:
    * src/detection-plugins/sp_asn1.h:
    * src/detection-plugins/sp_asn1_detect.h:
    * src/detection-plugins/sp_flowbits.h:
    * src/detection-plugins/sp_ip_proto.c:
    * src/dynamic-examples/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h:
    * src/dynamic-examples/dynamic-preprocessor/spp_example.c:
    * src/dynamic-examples/dynamic-rule/detection_lib_meta.h:
    * src/dynamic-examples/dynamic-rule/rules.c:
    * src/dynamic-examples/dynamic-rule/sid109.c:
    * src/dynamic-examples/dynamic-rule/sid637.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_udp.h:
    * src/preprocessors/spp_flow.h:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_httpinspect.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_sfportscan.h:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
    * src/preprocessors/stream.h:
    * src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_ad.h:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_client_norm.h:
    * src/preprocessors/HttpInspect/include/hi_eo.h:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_eo_log.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_mi.h:
    * src/preprocessors/HttpInspect/include/hi_norm.h:
    * src/preprocessors/HttpInspect/include/hi_return_codes.h:
    * src/preprocessors/HttpInspect/include/hi_server.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h:
    * src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
    * src/preprocessors/HttpInspect/include/hi_util.h:
    * src/preprocessors/HttpInspect/include/hi_util_hbm.h:
    * src/preprocessors/HttpInspect/include/hi_util_kmap.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/HttpInspect/utils/hi_util_hbm.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/flow/common_defs.h:
    * src/preprocessors/flow/flow.c:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow_callback.c:
    * src/preprocessors/flow/flow_callback.h:
    * src/preprocessors/flow/flow_class.c:
    * src/preprocessors/flow/flow_class.h:
    * src/preprocessors/flow/flow_config.h:
    * src/preprocessors/flow/flow_error.h:
    * src/preprocessors/flow/flow_hash.c:
    * src/preprocessors/flow/flow_hash.h:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/flow_print.h:
    * src/preprocessors/flow/flow_stat.c:
    * src/preprocessors/flow/flow_stat.h:
    * src/preprocessors/flow/int-snort/flow_packet.c:
    * src/preprocessors/flow/int-snort/flow_packet.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps.h:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/flowps_snort.h:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/flow/portscan/scoreboard.h:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/server_stats.h:
    * src/preprocessors/flow/portscan/unique_tracker.c:
    * src/preprocessors/flow/portscan/unique_tracker.h:
    * src/sfutil/acsmx2.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/ipobj.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfhashfcn.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfmemcap.h:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfsnprintfappend.h:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
    * src/sfutil/util_net.c:
    * src/sfutil/util_net.h:
    * src/sfutil/util_str.c:
    * src/sfutil/util_str.h:
    * src/win32/WIN32-Code/inet_aton.c:
    * src/win32/WIN32-Code/name.h:
      Update copyright dates & info and add GPL header.

2007-06-01 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Update to hourly timestats from Bill Parker.

2007-06-01 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
      Fix configuration parsing to validate parameters for memcap,
      max_frags, prealloc_frags.  Thanks to Joel Ebrahimi for pointing
      out the issue.

2007-05-30 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Cleanup xlink2state processing and remove potential read beyond
      end of packet.
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update handling of timed out session cleanup when the 'same' (IPs/ports)
      session is picked up midstream.

2007-05-23 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.stream5:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/stream5_common.h:
      Update Stream5 to use 65535 << 14 as max allowable value for
      the 'max_window' option.
    * src/decode.c:
    * src/detect.c:
    * src/snort.c:
    * src/snort.h:
      When checking for IPv6 BSD frag vulnerability, use a pseudo packet
      with false IPv4 headers for logging purposes rather than writing
      the IPv4 header within the original packet buffer.
    * src/preprocessors/spp_frag3.c:
      Update to not change original packet buffer when rebuilding fragments
      with IP options.
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_rpc_decode.h:
      Update to use the altdecode buffer for normalization.

2007-05-22 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update for 2.7.0.
    * configure.in:
    * src/debug.c:
    * src/debug.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/win32/WIN32-Includes/config.h:
      Check for wchar.h and don't try to use it if not present.
      Fixes builds on OpenBSD 3.5 and others.
    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ppftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/ipv6.c:
    * src/ipv6.h:
    * src/mempool.c:
    * src/parser.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sfxhash.c:
    * src/snort.c:
      Added code to cleanup memory at Snort exit/restart.
    * src/output-plugins/spo_log_tcpdump.c:
      Update to timestamp writing on 64bit platforms.
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
      Update normalization for postfix and sendmail servers that
      normalize any space except '\n'.
    * src/preprocessors/str_search.c:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/mpse.c:
      Use BNFA, smaller memory footprint for searches from SMTP.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_eo_log.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Update way in which Body vs URIs are normalized, checked for
      anomalies and alerted on.
    * src/preprocessors/snort_stream4_udp.c:
      Fix use of ignore_any keyword when dealing with portscan
      and/or rules that have flow/flowbits.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update to timestamp handling and anomaly detection with invalid
      timestamps on RST packets.
    * src/snort.c:
    * src/snort.h:
      Add --loop option to be used with -r for pcap readback mode.

2007-05-09 Adam Keeton <akeeton@sourcefire.com>
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Added code to prevent URI-related alerts from firing when the
      body is being normalized.

2007-05-08 Adam Keeton <akeeton@sourcefire.com>
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fixed pointer initialization relating to POST normalization.

2007-04-27 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Provide new rule keyword modifier for content option that allows a
      rule to search for a pattern in the body of an HTTP client request.
    * src/util.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
      Update to normalize the body of a client request to allow rules to
      check specifically for parameters of a POST or GET request.  Also
      add stats that are part of the hourly stats that track various
      HTTP encodings and normalizations that have occurred.
    * src/preprocessors/spp_stream4.c:
      Fix potential memory leak.
    * doc/README.ipv6:
      Updates for clarity.
    * doc/faq.tex:
    * configure.in:
      Add minimal PCRE version.
    * etc/gen-msg.map:
    * src/decode.c:
    * src/generators.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Handle TCP window scale option that is > 14.  Added decoder alert for
      this and adjust the scale per RFC 1323 in Stream5.
    * etc/snort.conf:
      Make Stream5 the default stream engine.
    * src/decode.c:
      Add alert for multiple GRE encapsulations.
    * src/ipv6.c:
      Additional structure name changes to avoid conflicts on Win32.
    * src/parser.c:
      Update the maximum number of entries in an IP List to 1024 (was 128).
      Added ability to configure Timestats interval, default is 3600 seconds
      (1 hour) when enabled via --enable-timestats.
    * src/snort.c:
    * src/snort.h:
    * src/util.h:
      Revised signal handler for Timestats.
    * src/util.c:
      Update Timestats to include Wifi, GRE, Frag & TCP Stream info.  Thanks
      to Bill Parker for the update.
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
      Update to parsing of icmp rule options for better grammar enforcement.
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
      Specify TCP window of 0 for RST packets that are sent.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/sf_dynamic_preproc_lib.c:
      Make Preprocess() function available to dynamic preprocessors.  Thanks
      Vladimir Shcherbakov for the request.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Code cleanup and a minor reorganization.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix truncated buffer when compiled in debug mode.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update to track additional stats for TCP session cache and session states.
    * src/preprocessors/spp_perfmonitor.c:
      Fix behaviour of 'accumulate' option.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update for 64bit platforms.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * doc/README.stream5:
      Updates to config validation.  Code cleanup for readability.  Update
      TCP Window Scale use and sequence validation to be RFC 1323 compliant.
      Document min/max values for parameters, etc.

2007-04-13 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.h:
    * src/decode.c:
    * src/ipv6.c:
      Changed structure declaration and usage to not conflict with OpenBSD.

2007-03-28 Steven Sturges <ssturges@sourcefire.com>
    * rpm/snort.spec:
      Remove smp_flags from spec file to not parallelize building.
    * doc/README.ipv6:
    * etc/gen-msg.map:
    * src/Makefile.am:
    * src/decode.c:
    * src/decode.h:
    * src/generators.h:
    * src/ipv6.c (added):
    * src/ipv6.h (added):
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/win32/WIN32-Prj/snort.dsp:
      Added ability for Snort to track fragmented ICMPv6 to check for the
      remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
    * src/plugbase.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/stream_ignore.c:
    * src/profiler.c:
    * src/snort.c:
      Cleanup to use safe snprintf and strncpy functions, check return values
      of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer
      bounds checks.
    * src/parser.c:
      Fix issue with printing rule information twice.
    * src/profiler.h:
    * src/preprocessors/spp_flow.c:
      Fix miscalculation of processor time attributable to flow.
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Added hasXXX functions for Content, ByteTest, and PCRE.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Code cleanup to perform bounds checking, validation of memcpy
      success, remove potential memory leak.  Code readability improvements
      and update DCE endianness checks.
    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
      Code cleanup for initialization of memory allocations and add
      early termination when at end of packet payload.
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Code cleanup for initialization of memory allocations and remove
      dead/unused code for directory and user state tracking.
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Code cleanup for initialization of memory allocations, fix normalization
      to prevent read beyond packet payload.  Generate SMTP command overflow
      even if packet payload doesn't contain complete command (missing LF).
    * src/preprocessors/spp_frag3.c:
      Further update to handle iptables (and other datalink layers) that
      do not have ethernet headers to be included in rebuilt fragment.
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Add verification that options for ICMP, TCP, UDP configurations are
      within reasonable limits.  Reorganize reassembly flush initialization.
      Print list of UDP rules that are effectively ignored with ignore_any_rules
      option.  Update session timeout handling.
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
      Allow use of limit on number of nodes in hash table instead of
      relying on memcap for limiting sessions.
    * src/bounds.h:
    * src/debug.c:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/sfthreshold.c:
    * src/snort.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_session.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/parser/IpAddrSet.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/flow_print.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfxhash.c:
      Cleanup to use safe snprintf and strncpy functions, check return values
      of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer
      bounds checks.  Add handling for FatalError not returning for static
      code analysis tools.
    * src/sfutil/sfthd.c:
      Fix memory leak in global config.  Thanks Boris Lytochkin for pointing
      this out.

2007-02-20 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Update copyright date to include 2007.

2007-02-17 Steven Sturges <ssturges@sourcefire.com>
    * src/parser.c:
      Code cleanup, remove tab characters going to syslog.
    * src/detection-plugins/sp_clientserver.c:
      Handle flow keyword with Stream5 UDP sessions.
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
      Add bounds checking to ReassembleSMBWriteX; use SafeMemcpy for calculated
      length buffer copies.

2007-02-09 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
      Added support for libpcap that depends on libpfring.  Thanks to
      Jason Wallace for the patch.  Also updated description as to why
      libpcap check might fail and what files might be missing, thanks
      to James Affeld for that suggestion.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update configuration parsing and validation checks and fix issue
      with static flushpoints not really being static.
    * src/output-plugins/spo_database.c:
      Code cleanup to check that a query was not truncated when using
      snprintf and guarantee NULL terminated string.

2007-02-07 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_stream4.c:
    * src/snort.c:
    * src/tag.c:
    * src/win32/WIN32-Code/misc.c:
      Code & warning cleanup.
    * src/parser.c:
      Add file and line number to an error message.  Thanks to
      rmkml for pointing out the omission.

2007-02-05 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/fpdetect.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/parser/IpAddrSet.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/signature.c:
    * src/snort.c:
    * src/tag.c:
    * src/ubi_BinTree.c:
    * src/util.h:
      More code cleanup, eliminate warnings on Win32 platform.

2007-02-02 Steven Sturges <ssturges@sourcefire.com>
    * doc/README.stream5:
      Cleanup spelling, etc.
    * src/bounds.h:
    * src/preprocessors/spp_frag3.c:
      Fix issue when Snort is inline using iptables, without either the
      ipconntrack or NAT modules.  This should not occur using the recommended
      snort inline configuration, since the OS is supposed to handle IP
      fragment reassembly.  The Ethernet header doesn't exist in the packet
      received by Snort, causing snort to dereference an invalid pointer.
      Thanks to Panda Software and Joel Ebrahimi for reporting the issue.
    * src/parser.c:
      Fix benign warning when using -E on Win32.
    * src/plugbase.c:
    * src/preprocessors/spp_telnet_negotiation.c (removed):
    * src/preprocessors/spp_telnet_negotiation.h (removed):
    * src/preprocessors/Makefile.am:
    * src/win32/WIN32-Prj/snort.dsp:
      Removed deprecated telnet preprocessor.
    * src/profiler.c:
    * src/profiler.h:
      Added profiling code for 64 bit Intel and PPC platforms.
    * src/decode.h:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/profiler.h:
    * src/sfthreshold.c:
    * src/signature.c:
    * src/snort.c:
    * src/strlcatu.c:
    * src/strlcpyu.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/int-snort/flow_packet.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/getopt_long.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sflsq.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfxhash.c:
    * src/win32/WIN32-Code/misc.c:
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
      Code cleanup, change malloc/calloc to SnortAlloc, use safer functions
      SnortSnprintf, SnortStrncpy, etc.  Check pointers before use.
    * src/win32/WIN32-Code/win32_service.c:
      Fix issue with service initialization and parameter validation.
      Thanks Hideki Saito for pointing out the problem.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Code cleanup, update calculating for valid length to handle
      alternate padding.  Update to use safer functions.
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
      Allow portscan to work with Stream5 UDP session tracking (because
      it replaces flow preprocessor).  Added API function to get direction
      of packet (not supported in Stream4).
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.h:
      Stream5 config parsing improvements.  Check option parameters for
      reasonable values (prevent huge memcaps, etc).

2007-01-29 Steven Sturges <ssturges@sourcefire.com>
    * src/debug.c:
    * configure.in:
      Handle platforms that don't support vswprintf and vwprintf.  Thanks
      Nikns Siankin for pointing that out for OpenBSD.
    * src/profiler.h:
    * src/profiler.c:
    * src/rules.h:
      Use 64 bit values to store profiling counters.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added a table for content modifiers and links to their respective
      sections.  Removed old preprocessor sections and moved ASN.1 from
      preprocessor to detection plugins section.  Added section for Stream5.
    * src/win32/WIN32-Prj/snort.dsp:
      Always use DYNAMIC_PLUGIN.
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/LibnetNT.h:
      Code cleanup.
    * src/detection-plugins/sp_flowbits.c:
    * src/preprocessors/spp_stream5.c:
      Fix issue with flowbits for UDP streams.
    * src/detection-plugins/sp_flowbits.c:
      Add check when stream4 or stream5 are not enabled to still support
      flowbits.  Will be removed when Flow preprocessor and Stream4 are
      deprecated.  Thanks to Nathan Ching for pointing out the issue.
    * src/snort.c:
      Fix to allow dynamic rules to load correctly.
    * doc/README.stream4:
    * doc/README.stream5:
      Cleanup.

2007-01-18 Steven Sturges <ssturges@sourcefire.com>
    * etc/generators:
    * src/generators.h:
      Remove generator IDs that are no longer used.
    * doc/README.tag:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added info on snort.conf config option tagged_packet_limit and added
      README.tag info file for the tag option in rules.
    * doc/README.http_inspect:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Emphasized in httpinspect documentation that a flow_depth between
      1 and 1460 will only inspect at most that many bytes of a server's
      response, stream reassembled or not and that rules written to inspect
      more than flow_depth bytes will be ineffective.  Thanks to Christian
      Seifert for pointing this out.

2007-01-17 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * snort.8:
    * RELEASE.NOTES:
    * etc/snort.conf:
    * rpm/snort.spec:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update for 2.7.0 Beta
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/win32/Makefile.am:
    * src/win32/WIN32-Code/getopt.c:
    * src/win32/WIN32-Code/getopt_long.c:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/getopt.h:
    * src/win32/WIN32-Includes/getopt1.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Prj/.cvsignore:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
      Update Win32 build environment for 2.7.0.
    * doc/README.stream5:
    * doc/README.ftptelnet:
      Fix a few typos and add better descriptions for alerts.
    * etc/gen-msg.map:
    * etc/generators.h:
      Add Stream5 alert.
    * etc/snort.conf:
    * src/preprocessors/spp_frag2.c (removed):
    * src/preprocessors/spp_frag2.h (removed):
    * src/preprocessors/Makefile.am:
    * src/plugbase.c:
    * src/plugbase.h:
      Remove deprecated Frag2.
    * src/sfutil/mwm.c (removed):
    * src/sfutil/mwm.h (removed): 
      Remove deprecated mwm pattern matcher.
    * src/detection-plugins/sp_ipoption_check.c:
    * src/decode.h:
    * src/decode.c:
    * src/log.c:
      Add handling of IP Option ESEC (Extended Security).
    * src/debug.h:
    * src/bounds.h:
    * src/fpcreate.h:
    * src/fpdetect.h:
    * src/tag.c:
    * src/detection-plugins/sp_respond2.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/flow/common_defs.h:
    * src/sfutil/bitop_funcs.h:
      Move definition of INLINE for inline functions to a common place.
    * src/debug.c:
    * src/debug.h:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
      Add DebugWideMessageFunc for use with Wide Character sets, however
      it does not write to syslog.
    * src/debug.c:
    * src/decode.c:
    * src/detect.c:
    * src/detect.h:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.h:
    * src/sf_sdlist.c:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/signature.c:
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_confic.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream_ignore.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/sfutil/util_match.c:
    * src/sfutil/util_net.c:
      Code cleanup, change malloc to calloc, use safer functions
      SnortAlloc, SnortStrdup.  Check pointers before use.
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
      Added caller usable state tracking to pattern matcher.
    * src/parser.c:
    * src/parser.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
      To better handle rule options that are provided by dynamic
      preprocessors, make 2 passes through snort.conf at startup.
    * src/parser.c:
    * src/snort.c:
      Improve dynamicengine keyword and commandline option to allow for
      specifying directory or file.
    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/parser.c:
    * src/signature.c:
    * src/signature.h:
      Unify logging to a single code path and added ability to have
      rule stubs for preprocessor and decoder events.
    * src/snort.c:
      Fix code that looks for .snortrc.  Thanks to Benjamin Bennett
      for pointing out the issue.
    * src/preprocessors/portscan.c:
    * src/preprocessors/spp_sfportscan.c:
      Fix false alert where destination IP was not in range reported by
      sfportscan alert.
    * src/preprocessors/spp_sfportscan.c:
      Reset threshold checking at end of portscan alerting so that other
      events generated for packet wouldn't use old value returned from
      testing portscan thresholding/suppression.  Thanks to Andreas
      Ostling for pointing this out.
    * src/preprocessors/spp_frag3.c:
      Cleanup of GRE code for GRE nested fragments.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
      Added memcap for TCP reassembly packet storage.  Reduced memory
      consumption of session tracking data structures.  Added target-based
      reassembly for HPUX 11, HPUX 10.2, Windows 2003, Windows Vista.
      Added target-based support for processing of TCP timestamps, TCP
      Resets, and repeated SYN packets.  Improved Session cache management.
      Update flushpoint management.  Improved handling of midstream
      session establishment.  Code cleanup to use safe functions for
      memory allocation.  Set tcp policy for both sides of session,
      rather than by first packet seen, correctly does target-based
      reassembly for each side.  Simplify code handling sessions to ignore.

2007-01-07 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/decode.h:
      Fixed issue where GRE decoder was attempting to assign a potentially
      negative value to an unsigned integer.  This value, which would then
      be positive, was then checked to see if it was less than zero, which
      would indicate whether the calculated length of the header was greater
      than the length of the rest of the packet capture.  This would always
      return false and the assumed length of the packet would potentially
      be larger than the actual length, leading to a potential dereferencing
      of invalid memory.  Thanks to Chris Rohlf for pointing this out.
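
The signedness bug described in the GRE entry above, shown as an added example (not Snort's code): the flawed routine subtracts into an unsigned variable and then tests it for "less than zero", while the checked routine compares before subtracting. Function names and sample packets are hypothetical and constructed here; the flag bits follow the GRE header layout of RFC 2784/2890.

```c
#include <stdint.h>
#include <stdio.h>

#define GRE_BASE_LEN  4u       /* flags/version (2) + protocol type (2) */
#define GRE_FLAG_CSUM 0x8000u  /* checksum + reserved field present (4 bytes) */
#define GRE_FLAG_KEY  0x2000u  /* key field present (4 bytes) */
#define GRE_FLAG_SEQ  0x1000u  /* sequence number present (4 bytes) */

/* Constructed sample: flags claim C|K|S (16-byte header) but only 8 bytes
 * were captured. */
static const uint8_t GRE_TRUNCATED[8] = {
    0xB0, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Constructed sample: same flags, full 16-byte header plus 4 payload bytes. */
static const uint8_t GRE_COMPLETE[20] = {
    0xB0, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0x45, 0x00, 0x00, 0x14
};

/* Header length implied by the flag bits. Caller guarantees that at least
 * GRE_BASE_LEN bytes are readable. */
static uint32_t gre_header_len(const uint8_t *pkt)
{
    uint16_t flags = (uint16_t)((pkt[0] << 8) | pkt[1]);
    uint32_t len = GRE_BASE_LEN;

    if (flags & GRE_FLAG_CSUM) len += 4;
    if (flags & GRE_FLAG_KEY)  len += 4;
    if (flags & GRE_FLAG_SEQ)  len += 4;
    return len;
}

/* Flawed pattern: returns 0 and the payload length it would hand to the
 * next decoder, or -1 on reject. */
int gre_bounds_flawed(const uint8_t *pkt, uint32_t cap_len,
                      uint32_t *payload_len)
{
    uint32_t hdr_len, remaining;

    if (cap_len < GRE_BASE_LEN)
        return -1;
    hdr_len = gre_header_len(pkt);

    /* When hdr_len > cap_len the subtraction wraps to a huge positive
     * value instead of going negative. */
    remaining = cap_len - hdr_len;

    /* Always false for an unsigned type, so the truncated packet is never
     * rejected (compilers report this under -Wtype-limits). */
    if (remaining < 0)
        return -1;

    *payload_len = remaining;
    return 0;
}

/* Checked pattern: same interface, but the comparison happens before the
 * subtraction, so the result can never wrap. */
int gre_bounds_checked(const uint8_t *pkt, uint32_t cap_len,
                       uint32_t *payload_len)
{
    uint32_t hdr_len;

    if (cap_len < GRE_BASE_LEN)
        return -1;
    hdr_len = gre_header_len(pkt);
    if (hdr_len > cap_len)
        return -1;

    *payload_len = cap_len - hdr_len;
    return 0;
}

int main(void)
{
    uint32_t n = 0;
    int rc;

    rc = gre_bounds_flawed(GRE_TRUNCATED, (uint32_t)sizeof GRE_TRUNCATED, &n);
    printf("flawed,  truncated: rc=%d payload_len=%lu\n", rc, (unsigned long)n);

    n = 0;
    rc = gre_bounds_checked(GRE_TRUNCATED, (uint32_t)sizeof GRE_TRUNCATED, &n);
    printf("checked, truncated: rc=%d payload_len=%lu\n", rc, (unsigned long)n);

    n = 0;
    rc = gre_bounds_checked(GRE_COMPLETE, (uint32_t)sizeof GRE_COMPLETE, &n);
    printf("checked, complete:  rc=%d payload_len=%lu\n", rc, (unsigned long)n);
    return 0;
}
```
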

2006-12-04 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Configuration validation update.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
      Additional updates for bounds checking.
    * src/detection-plugins/sp_isdataat.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added an option to specify rawbytes for the buffer.

2006-11-30 Steven Sturges <ssturges@sourcefire.com>
    * src/tag.c:
      Fix logging of tagged packets when -G (event source ID) is used.
    * src/event.h:
    * src/snort_packet_header.h:
    * src/output-plugins/spo_unified.c:
      Fix unified to work correctly on 64bit platforms.  Thanks Nikns Siankin
      for the report.  Nikns provides a patch to barnyard that may be
      required to use this functionality on 64bit systems.  Grab the
      patch from here: http://secure.lv/~nikns/stuff/barnyard_64bit.diff
    * src/snort.c:
    * src/snort.h:
      Reorganize code for inline fail-open to create pattern matcher rule
      groups in the thread.
    * src/util.c:
      Code cleanup
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Fix segfault caused by integer overflow and add additional checks
      to protect against other underflow/overflow conditions.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Add capability to have multiple application layer preprocessors store
      data within the stream to better handle autodetection and multi-protocol
      packets.  Fix additional issue with high CPU and reprocessing rebuilt
      packets that are split across a sequence wrap.  

2006-11-22 Steven Sturges <ssturges@sourcefire.com>
    * preprocessors/spp_stream4.c:
      Fix problem with snort using high CPU and reprocessing the same
      rebuilt packets at session end or ACK in middle of packet when
      there are gaps in the packet sequence.

2006-11-16 Andrew Mullican <amullican@sourcefire.com>
    * etc/gen-msg.map:
      Add DCE/RPC preprocessor alert.

2006-11-07 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Updates for printing of options and handling of memcap.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Add print for config option.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
      Add UDP session tracking stats.  Improved TCP Timestamp handling.
      Separate MacOS policy from BSD, as they differ slightly.  Improved
      performance of session pruning.
    * src/snort.c:
      Updates to inline thread initialization.  

2006-10-30 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Fix debug prints.
    * src/detection-plugins/sp_isdataat.c:
      Fix problem with this option not being marked as relative when
      'relative' is used.  This change should've been made with changes
      for not rechecking non-relative options on 2006-08-16.

2006-10-27 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
      Output user-selected server profile at startup.
    * src/parser.c:
      Detect corrupt files and handle mixed windows and unix line endings.
    * doc/README.dcerpc:
      Update description of DCE/RPC auto-detect.
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Fix various bugs relating to unicode, ntohs, bounds-checking,
      and SMB chained AndX commands.
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
      Print out memcap and max_frag_size on startup.

2006-10-23 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Updated stream4 documentation in the Snort manual to reflect
      new UDP options and inline option updates.  Corrected error with
      event_queue parameter - changed max_events to max_queue.
    * doc/faq.tex:
      Updated FAQ to reflect disuse of ACID in favor of BASE.
      Added references to FLoP and Mudpit as output systems for Snort.
      Added references to two IDS books.
    * doc/README.decode:
      Added README file for the Snort decoder
    * doc/README.stream4:
      Made minor changes to language
    * etc/snort.conf:
      Added commented out decoder options with description -
      enable_decode_oversized_alerts and enable_decode_oversized_drops
    * doc/README.http_inspect:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Updated tab_uri_delimiter section in document to reflect deprecation.  
      Removed the deprecated tab_uri_delimiter from server profiles since
      it's redundant with whitespace_chars.
    * src/preprocessors/snort_httpinspect.c:
      Allow user-specified ports to override internal defaults.
    * src/detection-plugins/sp_pattern_match.c:
      Fix error message with max pattern size.
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
      Fix spelling of obsolete in macros.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Fix spelling of DETECT_ANOMALIES macro.
    * src/profiler.c:
      Removed tabs from preprocessor stats output.  Tabs aren't compliant
      with syslog RFC.
    * doc/README.ftptelnet:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added documentation on Telnet configuration option detect_anomalies
    * src/preprocessors/spp_stream4.c:
      Fixed potential for infinite loop when only part of a packet being
      used in reassembly is ACK'd.
    * src/preprocessors/perf-base.c:
      Fixed packet count stats when in readback mode.

2006-10-13 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugins/sp_flowbits.c:
      Fixed an off-by-one error message that prevented the maximum number
      of flowbits from being used.  Include number of flowbits used in
      summary of flowbits usage.
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
      Fix parser to properly error if misconfigured ports.
    * src/decode.c:
    * src/decode.h:
    * src/parser.c:
      Added new config option "enable_decode_oversized_alerts" and
      "enable_decode_oversized_drops" to allow alerting on packets with
      extra bytes at the end of their payload

2006-10-12 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * RELEASE.NOTES:
      Prepare for 2.6.1 RC.
    * configure.in:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Start a thread if running in inline mode that passes traffic through
      once pcap is opened and snort is not ready to start inspection (ie,
      loading rules, creating pattern matcher, etc).  Thread is terminated
      when snort is ready to process packets.
      Compiled in via --enable-inline-init-failopen option to configure
      script.  Disable by --disable-inline-init-failopen commandline option or
      'config disable_inline_init_failopen' in snort.conf/user.conf in the
      case that the interface is fail-closed.  Requires libpthread.
    * src/parser.c:
      Require a sid for every rule.
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
      Verifies that the stream preprocessor is enabled.
      Version string bounds checking now uses the length of the version
      string versus the length of the entire payload.
    * src/preprocessors/snort_stream4_udp.c:
      Update UDP session stats (packet count, start/end time, bytes, etc).
    * doc/README.stream4:
    * doc/Makefile.am:
      Finally a description for Stream4.  Thanks Todd!
    * src/parser.c:
    * src/signature.c:
      Allow for variable metadata in rule options.  Ignore unknown metadata
      fields.
    * etc/gen-msg.map:
    * src/decode.c:
    * src/generators.h:
      Added additional TCP length checking and UDP length checking and new
      decode alerts for anomalous lengths.

2006-10-09 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Fix problem with reassembly of server side traffic.  Thanks
      rmkml and Crusoe Researchers for notifying us of the issue.
    * src/preprocessors/spp_stream4.c:
    * src/generators.h:
    * etc/gen-msg.map:
      Fix Stream4 to handle duplicate SYN packets by purging existing
      packets queued for reassembly after the seq of the SYN.  Also,
      properly handle retransmitted data that is overlapping the current
      packet and when trimmed overlapping the next packet.

2006-10-04 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
      Fixed issue in GRE code where data could
      potentially be dereferenced past the end 
      of the packet.
    * src/parser.c:
      Fix log message.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Add stats tracking for UDP sessions to perfmonitor and stream4's
      session stats (keepstats option).  Update Stream4 to purge
      UDP session cache on a timeout basis, similar to the way TCP
      session cache is purged.  Remove cache_clean_percent option.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Fixes for CORE SMB fragmentation.  Also, fix for perf-profiling.

2006-09-27 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
      Fix issue with use of Stream4 cache_clean_percent option
      that resulted in a segfault when the max session limit was
      reached.  Thanks to Jason Ish for reporting the problem.
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * doc/README.http_inspect:
      Split the IIS profile in the HTTP inspect preprocessor into
      IIS, IIS4, and IIS5_0.  IIS 4.0 and IIS 5.0 both support double
      decoding, but IIS 5.1 and beyond do not.  Double decoding alerts
      are now disabled in the IIS profile, but remain enabled for the
      IIS 4.0 and IIS 5.0 profiles.  Thanks to Pratap Ramamurthy for
      pointing out that IIS 5.1 does not support double decoding.
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
      Fixed issue where iface_ADDRESS variable wasn't getting set before
      configuration file was read. Now all up interfaces will get a
      variable created.  Note that these will NOT get set if the
      readmode flag is set.  Thanks to Paul Melson for reporting the
      problem.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Handle reassembly of first packet for midstream pickups (first packet
      wasn't part of an established session at that point, so some rules
      might fail).
    * src/preprocessors/Stream5/snort_stream5_session.c:
      Fix handling of cache clean by percent.
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
      Fix problem with relative options not being marked as relative (for
      distance/within keywords).

2006-09-21 Steven Sturges <ssturges@sourcefire.com>
    * src/generators.h:
    * src/snort.c:
    * src/sfutil/bitop_funcs.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update for GRE additions and compilation on Win32.
    * src/preprocessors/spp_stream4.c:
      Fix issue with alerts missing in DEBUG mode.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
      Fix signedness issue that caused HttpInspect to miss certain
      oversized chunk alerts.
    * src/sfutil/ipobj.c:
      Fix parsing that prevented multiple IP lists from being parsed
      correctly.  This fixes a problem with sfportscan configuration when
      'watch_ip', 'ignore_scanners', and 'ignore_scanned' options are
      used together.  Thanks to Rob Sharp and Husnu Demir for reporting
      the bug.

2006-09-18 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * doc/INSTALL:
    * gen-msg.map:
    * src/decode.c:
    * src/decode.h:
    * src/generators.h:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
      Added support to decode GRE encapsulated traffic.  Only IP as transport
      protocol is supported and only one layer of encapsulation will be
      decoded - packets with multiple GRE headers will be discarded.  Thanks
      Todd Wease (and welcome to the Snort team!) for this contribution.
    * configure.in:
    * doc/README.ARUBA:
    * doc/Makefile.am:
    * doc/snort_manual.tex:
    * src/plugbase.c:
    * src/output-plugins/Makefile.am:
    * src/output-plugins/spo_alert_arubaaction.c:
    * src/output-plugins/spo_alert_arubaaction.h:
      Added support for communication with an Aruba Networks wireless
      mobility authentication/access control system.
    * configure.in:
      GCC 4.x.x has strict aliasing on by default with optimization level 2.
      However, Snort uses aliases in a number of places.  configure now checks
      the gcc compiler version for 4 and disables strict aliasing with
      -fno-strict-aliasing.  Thanks to Ronald Henderson and Keith Konecnik
      for simultaneously (and independently) discovering and reporting this
      issue.

2006-09-15 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugins/sp_pattern_match.c:
      Cleanly fail with content patterns that are > 2048 bytes.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
      Fix memcap to be global.  Turn off memcap alerts by default.
      Add config item to enable alerting on exceeded memcap.
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/mpse.c:
      Code cleanup

2006-09-13 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/decode.h:
    * src/log.c:
    * src/log.h:
    * src/generators.h:
    * etc/gen-msg.map:
      Added code to print original datagram for all ICMP error types if
      alerted on.
      Fix to print original datagram on alert if original datagram was ICMP.
      Thanks to John Papapanos for pointing out the above 2 issues.
      Added additional decoder alerts for ICMP error types.
      Removed fragtracking of ICMP original datagram - it never made sense
      since only an ICMP response to the first frag is ever returned.
      Fixed issue where data and size pointers were not set correctly for
      ICMP error types.
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Remove checks for duplicate alerts within a given session, as
      this is now handled within the general alerting mechanism
      and session tracking.
    * src/parser.c:
      When a variable was redefined, a call to LogMessage() was missing a
      parameter.  Thanks to Greg Baran for pointing this out.

2006-09-11 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Fix to remove uses of strlen or wcslen.  Properly validate andXOffset.
      Fix bug in DCE/RPC fragment reassembly.

2006-09-07 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Fix output for the USR1 signal when calculating statistics for
      pcap counts.  Keep a tally of packets seen/dropped/etc and
      use deltas, rather than the 'most recent' value when determining
      percentages after each USR1 signal.  Thanks to Colin Grady for
      pointing out the issue.
    * src/parser.c:
      Allow for a line without an end of line marker in snort.conf.

2006-09-06 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/detect.c:
    * src/log.c:
    * src/snort.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fix memory leak in ascii and cmg output modules.
      Remove calls to ClearDumpBuf() from related calls
      PrintIPPkt() and PrintNetData(), as it is no longer
      needed.

2006-08-31 Steven Sturges <ssturges@sourcefire.com>
    * rpm/snort.spec:
    * etc/snort.conf:
      Add DNS preprocessor to packaging and config.
    * doc/Makefile.am:
    * doc/README.stream5:
      Add Stream5 README.

2006-08-30 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/ipobj.c:
      Additional fix for parsing of IP lists that are not space separated.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Treat spaces as part of a filename in 'string' parameter validation.
      Thanks Bamm Visscher for pointing out the issue.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
      Remove the ifdef'd splay tree code for packet and session storage.
      It has been replaced by a hash table and is no longer needed.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/stream5_common.h:
      Add a few functions to the Stream API to allow a protocol
      analyzer to change the reassembly characteristics (direction,
      flush policy) for an individual session.
    * configure.in:
    * doc/Makefile.am:
    * doc/README.dns:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * etc/gen-msg.map:
    * src/build.h:
    * src/debug.h:
    * src/generators.h:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dns/Makefile.am:
    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
      Add a dynamic preprocessor to decode and analyze DNS responses
      over TCP and UDP.  The TCP portion is stateful and requires
      stream to be enabled.

2006-08-29 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugins/sp_pattern_match.c:
      Fix unchecked free.  Thanks Krzysztof Burghardt for
      pointing out the problem.
    * src/sfutil/acsmx2.c:
      Fixed off by one to sparse index calculation and off by 2 ps
      increment for SparseBands.

2006-08-24 Steven Sturges <ssturges@sourcefire.com>
    * src/fpcreate.c:
    * src/sfutil/mpse.c:
    * src/sfutil/Makefile.am:
      Fix issues with using lowmem.  It was reporting an out of
      memory error.  This was broken with the addition of the
      smaller memory Aho-Corasick pattern matcher.

2006-08-17 Steven Sturges <ssturges@sourcefire.com>
    * doc/README.dcerpc:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * etc/snort.conf:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
      Change config option max_memory to memcap for DCE/RPC.

2006-08-16 Steven Sturges <ssturges@sourcefire.com>
    * src/rules.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
      Resolve issue with rechecking rule options that follow a content or
      PCRE that are relative.  Only recheck if the next option is relative.
      Thanks to Randy Smith for pointing out the issue.
    * configure.in:
      Enable dynamicplugins by default.  Can override
      with --disable-dynamicplugin.
    * snort.8:
    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
    * doc/Makefile.am:
    * doc/README.ssh:
    * doc/README.dcerpc:
    * etc/snort.conf:
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Added SSH and DCE/RPC preprocessor sections and description of
      new command line options.

2006-08-15 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
      Remove obsolete file.
    * src/preprocessors/Stream5/Makefile.am:
      Update to include header files.
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
      Cleanup Win32 warnings.
    * src/sfutil/mpse.c:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
      Remove references to MWM and sfksearch.

2006-08-14 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * etc/gen-msg.map:
    * etc/snort.conf:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/dynamic-preprocessors/Makefile.am:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/spp_stream5.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/Makefile.am:
    * src/preprocessors/stream_api.h:
    * src/generators.h:
    * src/plugbase.h:
    * src/Makefile.am:
    * src/plugin_enum.h:
      New target-based Stream module.  Moved flow & flowbits to
      be part of Stream API.
    * src/debug.h:
    * src/generators.h:
    * src/preprocids.h:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_file_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_file_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_file_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.h:
      New dynamic DCE/RPC protocol normalizer.
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ssh/Makefile.am:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
    * src/dynamic-preprocessors/ssh/sf_preproc_info.h:
      New dynamic ssh protocol normalizer.
    * src/detection-plugins/sp_clientserver.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/snort_stream4_udp.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Stream4 UDP session tracking support.  Reassembly performance
      improvements.  Add ability to block TCP sessions.
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
      Added RC4 dynamic rule option.
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/pcrm.c:
    * src/sfutil/Makefile.am:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
      Added smaller memory consumption pattern matcher.
    * src/decode.h:
    * src/fpdetect.c:
    * src/inline.c:
      Improved handling for stateless rules.
    * configure.in:
    * src/parser.c:
    * src/parser.h:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
      Remove use of ifdefs for rule state.
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Add ability to give directory or specific library for dynamic
      engine.
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Add alerts and normalization for telnet subnegotiation begin
      that doesn't have a matching end.  Could result in an evasion
      over the FTP command channel.
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
      Added counter for segments queued for reassembly.
    * src/snort.c:
    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
      Improved handling of different versions of same shared library.
    * src/detect.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/bmh.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/sfutil/acsmx.c:
      Code cleanup, 2.6.1 Beta prep.

2006-08-09 Steven Sturges <ssturges@sourcefire.com>
    * doc/faq.tex:
    * doc/faq.pdf:
      Add information on snort responding to kill signal.

2006-08-02 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_alert_prelude.c:
      Update to provide links to Snort classification reference information.
      Thanks Yoann Vandoorselaere.
    * src/sfutil/ipobj.c:
      Fix parsing of IP lists that are not space separated.
    * src/configure.in:
      Update for HPUX 11.
    * src/snort.c:
    * src/util.c:
      Fix race condition with daemonization.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Update for shared library extensions on HP & MAC.  Thanks J. Aaron
      Pendergrass for raising the HP issues and testing.

2006-07-25 Andrew Mullican
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fix to HttpInspect to check for non-RFC whitespace (ie, CR) after URI.
    * src/preprocessors/spp_frag3.c:
      Eliminate spurious log messages.

2006-07-20 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
      No longer require HELO (or EHLO) first in an SMTP conversation.
      Some servers (such as ArGoSoft) don't require it.
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
      Handle normalization when Subnegotiation Begin doesn't have a
      matching Subnegotiation End command by normalizing just the
      begin.  Thanks to Pratap Ramamurthy for pointing out the
      potential issue.

2006-07-14 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.h:
    * src/detect.c:
    * src/fpdetect.c:
      Handle pass rule that hits a pipelined URI and an alert
      that matches a secondary pipelined URI.
    * src/preprocessors/spp_frag3.c:
      Fix issue with First policy when dealing with whole overlaps.
      Thanks Russ S for sending in the bug report.
    * src/preprocessors/spp_stream4.c:
      Performance improvement for logging tagged packets.  Thanks Victor
      Julien for pointing out the area for improvement.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix potential access violation.

2006-07-12 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_database.c:
      Update to gracefully disconnect from Oracle DB.  Thanks to
      Nikns Siankin for the patch.
    * src/output-plugins/spo_csv.c:
      Fix issue with parsing config other than default.
    * src/decode.c:
    * src/parser.c:
    * src/snort.h:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Change default inline behaviour to not drop packets with decoder
      errors, invalid IP & TCP options and invalid checksums.  Drop
      behaviour can be enabled by using new options, noted in the
      Snort Manual.

2006-06-30 Steven Sturges <ssturges@sourcefire.com>
    * schemas/Makefile.am:
      Add create_db2 script to be included in distro.
    * src/mstring.c:
      Address potential read overflow.
    * src/sfthreshold.c:
    * src/tag.c:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Includes/NETINET/IN_SYSTM.h:
      Code cleanup.
    * src/snort.c:
    * src/util.c:
      Fix issue with daemonization on MAC OSX and parent not exiting
      cleanly.
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
    * snort.8:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Provide support for locking the PID file so that no additional snort
      process is able to start using the same PID file.  Can be overridden
      with --nolock-pidfile.
    * src/detection-plugins/sp_pattern_match.c:
      Fix issue with replace option and replaced data always being placed
      at the beginning of the packet.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Fix issue with parsing default server configuration on Win32 platform.
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
      Fix potential read beyond end of buffer and update configuration to
      use less memory.
    * src/preprocessors/spp_stream4.c:
      Fix reassembly issue.
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Handle additional whitespace characters on a per server configured
      basis.  Defaults are to treat Htab (\t, 9), VTab (\v, 11),
      Form Feed (\f, 12), and CR (\r, 13) as whitespace.
    * src/sfutil/ipobj.c:
      Revise IP list parsing code.

2006-05-31 Steven Sturges <ssturges@sourcefire.com>
    * src/inline.c:
      Update to handle signals received when no traffic is flowing
      when snort is compiled with inline ipq.  Thanks Victor Julien
      for the patch.
    * configure.in:
      Fix issue with using postgresql and dynamic plugins.
      Thanks Nikns Siankin for pointing out the issue.
    * src/sfutil/ipobj.c:
      Fix problem when parsing multiple hosts in an IP list.

2006-05-24 Steven Sturges <ssturges@sourcefire.com>
    * etc/gen-msg.map:
    * src/generators.h:
    * src/preprocessors/spp_stream4.c:
      Fix potential evasion in Stream4.  Thanks Brandon Franklin for the
      find.
    * src/snort.c:
    * src/parser.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/preprocessors/HttpInspect/utils/hi_util_hbm.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/sfutil/acsmx2.c:
    * src/sfthreshold.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/server_stats.h:
      Further code review cleanup.  Cleanup possible null pointer
      dereferences, memory leaks, etc.
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fix to HttpInspect to check for non-RFC whitespace (ie, CR) after URI.
      Thanks to Blake Hartstein for mentioning the problem.

2006-05-17 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugins/sp_rpc_check.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/bmh.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/utils/hi_util_hbm.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/event_wrapper.c:
    * src/sfutil/mwm.c:
    * src/sfutil/sfthd.c:
      Further code review cleanup.  Cleanup possible null pointer
      dereferences, memory leaks, etc.
    * src/decode.h:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
      Move SPARC_TWIDDLE to common place.

2006-05-12 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.sfportscan:
      Proofreading updates.
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
      Correctly close performance stats file on HUP and exit.
    * src/snort.c:
    * src/snort.h:
    * configure.in:
      Signal handler updates for SEGV and HUP.  Define CATCHSEGV in
      snort.c to trap segv signals.  Can also define NOCOREFILE to
      prevent snort from leaving a core file on receipt of a segv.
    * src/parser.c:
      Fix variable definition parsing code to handle user supplied
      value if variable isn't defined.  Thanks to Jeremey Hewlett for
      pointing out the problem.
    * src/snort.c:
    * src/detection-plugins/sp_session.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/sfutil/mwm.c:
      Further code review cleanup.  Cleanup possible null pointer
      dereferences, memory leaks, etc.

2006-05-01 Steven Sturges <ssturges@sourcefire.com>
    * rpm/snort.spec:
    * etc/snort.conf:
      Include a default path for the dynamicpreprocessors and engine.
    * src/detect.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/sfthreshold.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/mpse.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfxhash.c:
      Code review cleanup.  Cleanup possible null pointer dereferences,
      memory leaks, etc.  Thanks to Adam Keeton (and welcome to the project)!

2006-04-27 Steven Sturges <ssturges@sourcefire.com>
    * RELEASE.NOTES:
      Add information about memory consumption with pattern matching
      engines.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update to list all options for pattern matching and note that
      Wu-Manber is going to be deprecated.
    * src/util.c:
      Update output info to account for packets buffered by pcap but
      not yet received by snort.  Corrected protocol breakdown.
    * src/output-plugins/spo_database.c:
      Update to correctly strip timestamp precision for MySQL.
      Thanks Axton Grams for the patch and Nikns Siankin and
      Vlatko Kosturjak for testing.
      Update to handle when interface isn't specified in config or
      commandline (final initialization done post PCAP initialization).
      Thanks Jonathan Miner for pointing out the problem.
    * schemas/create_db2:
      Updated to include gid in schema and version 107 to
      match the other schemas.  Thanks Vlatko Kosturjak for the
      update.
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
      Fix compilation problems with Sun CC and others that support C99
      standard.  Thanks Chris Kern for noticing the problem.
    * src/preprocessors/spp_stream4.c:
    * src/sfutil/acsmx2.h:
      Fix compilation problems with Sun CC compiler.

2006-04-11 Steven Sturges <ssturges@sourcefire.com>
    * src/fpdetect.c:
    * src/profiler.h:
    * src/rules.h:
    * src/detection-plugins/sp_flowbits.c:
      Update rule performance profiling to handle flowbits:noalert
      option correctly (it is a match even though there wasn't an
      alert).
    * src/output-plugins/spo_database.c:
      Updates to be ANSI SQL compliant.  Thanks Vlatko Kosturjak
      for the updates.
    * src/preprocessors/spp_stream4.c:
      Fix incorrectly ignored Reset packets with overlapped/retransmitted
      data.
    * src/inline.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
      Allow retransmitted packets through in inline mode if they have not
      been ACK'd by other side.

2006-03-29 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Do not check beyond 4 characters for an FTP command.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Free SMTP session memory.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Updates to previous checks for duplicate alerts.  Better
      performance.  Fix cleanup when stream is flushed.

2006-03-24 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
      Update to fix signal handling issue with libprelude and to
      disable segv signal handler when compiled for Debug mode.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Display warnings with configurations that are required
      for other detection capabilities (ie, normalization is
      required for ayt threshold and encryption detection).
    * src/dynamic-preprocessors/smtp/smtp_config.c:
      Clear default ports if ports are specified.
      Correctly handle specifying valid commands as invalid.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix alerts possibly giving incorrect information.
      Move debug code inside DEBUG ifdef; fix possible SEGV in
      debug code. Disable detection for to-be-rebuilt packets.
    * src/preprocessors/spp_frag3.c:
      Correctly calculate the number of preallocated frags when
      preallocating based on a memory limit.
    * configure.in:
    * src/snort.c:
      Remove pcap_setnonblock() call.  Was causing performance
      problems on certain OSs.  Reverts change made with previous
      checkins.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
    * src/fpdetect.c:
      Fix potential issue for duplicate alerts on the same data in
      the original packet and the Stream reassembled packet.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Proofreading...

2006-03-15 Steven Sturges <ssturges@sourcefire.com>
    * schemas/create_mssql:
    * schemas/create_mysql:
    * schemas/create_oracle.sql:
    * schemas/create_postgresql:
      Updated to include gid in schemas.  Schema version 107.  
      Thanks Nikns Siankin for the updates and all the testing.
    * src/profiler.h:
      Add support for AMD processor.  Thanks Alex Kirk for trying this out.
    * configure.in:
    * src/snort.c:
      Use pcap_setnonblock() if available to help with snort exiting
      on SIGTERM (and others) when no traffic is flowing.
    * src/decode.c:
      Fix pflog decoding for OpenBSD platforms.
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * doc/INSTALL:
      Updates for FreeBSD 6.x compilation.  Thanks Richard Bejtlich for
      testing.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Fixed a few typos and added a warning about the to be deprecated
      telnet decode preprocessor.

2006-03-07 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Fixed potential segfault condition in stateless mode.
    * src/preprocessors/spp_frag3.c:
      Added Fatal error messages for unknown config options.
    * src/snort.c:
    * src/preprocessors/spp_perfmonitor.c:
      Code cleanup

2006-03-02 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * src/output-plugins/spo_alert_prelude.c:
      Additional fixes from Yoann Vandoorselaere.  Require libprelude
      version 0.9.6.
    * src/preprocessors/spp_perfmonitor.c:
      Initialize the pcap counters the first time we get a packet.
    * src/fpdetect.c:
      Fix leaking of classification info between rules and
      preprocessor/decoder alerts.

2006-02-28 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/Makefile.am:
      Install required header files when --enable-dynamicplugin used
      with configure.
    * src/preprocessors/spp_stream4.c:
      If ignoring a packet because it is a duplicate (retransmitted),
      drop it if in inline mode.  Original packet was either dropped
      or passed through.

2006-02-27 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugion/sp_flowbits.c:
      Update parsing to handle spaces and correct keyword checking.

2006-02-23 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
    * src/snort.h:
    * src/fpdetect.c:
    * src/parser.c:
    * src/event_queue.h:
    * doc/README:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * snort.8:
      Changed command line options --flush-all-events to --process-all-events
      and --alert-on-drop to --treat-drop-as-alert.  Updated docs/manpage.
    * src/output-plugins/spo_unified.c:
      Fix unified log file rollover to correctly write magic numbers.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
      Update some comments relative to endianness.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
      Fix issues with SMTP preprocessor causing rules to not fire.
      Thanks Andy Mullican for the fix.

2006-02-22 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
    * doc/README.frag3:
      Added option to preallocate frags based on a memcap (combination
      of memcap and prealloc_frags options).  Perform preallocation
      post-pcap open because of memory issues with certain versions
      of pcap.

2006-02-21 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_alert_prelude.c:
      packet_to_data()
      Standardize AdditionalData fields name. Support more packet fields,
      remove unused one. Send rule revision and TCP/IP options code/value
      as AdditionalData.  Thanks Yoann Vandoorselaere for the updates.
      event_to_reference()
      Double check that system->url is not NULL.
      Support ICMP headers, patch from Andrea Barisani.
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
      Updates to signal handlers to better deal with reentrant
      issues in syslog and libc.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Print warning if dynamic library directory doesn't exist or is empty.
      Thanks Andy Mullican for the fix.

2006-02-20 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/sfeventq.c:
      Fix issue when more than max events are added to event queue.
    * src/parser.c:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/snort.c:
    * src/output-plugins/spo_unified.c:
    * src/output-plugins/spo_log_tcpdump.c:
      Fix issue with output plugins that depend on datalink and
      snaplen (which are set in OpenPcap).  Caused by reordering
      of initialization on 2006-01-26.  Thanks Matt Bedynek and
      Jeremy Hewlett for the find.

2006-02-17 Steven Sturges <ssturges@sourcefire.com>
    * doc/INSTALL:
      Updated to include current options and added a
      section for compilation on MAC OSX.
    * src/signature.c:
      Strip whitespaces from reference system and id. This fixes a
      reference lookup problem resulting in an invalid URL in case
      the reference begins with a space character (example:
      reference: x,y; would fail).  Thanks Yoann Vandoorselaere
      for the patch.

2006-02-16 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
      Fix ip options handling.  Thanks to Vyacheslav Burdjanadze for
      finding the issue.
    * src/dynamicpreprocessors/ftptelnet/snort_ftptelnet.c:
      Fix processing of configuration without options.
    * src/snort.c:
      Fix OpenPcap merge issue.

2006-02-15 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update perfmonitor section.  Thanks to Passreality for
      pointing out the omissions.
    * src/preprocessors/spp_stream4.c:
      Only increment memory counter once per allocation.

2006-02-14 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Updates to manual for 2.6.0
    * src/win32/WIN32-Prj/snort.dsp:
      Added missing files.

2006-02-13 Steven Sturges <ssturges@sourcefire.com>
    * src/parser.c:
      Handle longer lines for config
    * src/sfutil/acsmx2.c:
      Change visual name of Aho-Corasick sparse bands.
    * src/preprocessors/spp_frag3.c:
      When a timeout occurs on a Fragmented session, purge the existing
      fragments and treat it as a new session.  Allows for proper
      defragmentation, per OS target configuration.

2006-02-09 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Fix -M flag to log Fatal and regular Error messages to syslog as
      well.  Thanks Andy Mullican.
    * snort.8:
    * doc/README:
    * src/snort.c:
      Add info on additional commandline switches.
    * src/preprocessors/spp_stream4.c:
      Fix compilation issue on some platforms.

2006-02-08 Steven Sturges <ssturges@sourcefire.com>
    * src/parser.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
      Allow default configuration without options

2006-02-06 Steven Sturges <ssturges@sourcefire.com>
    * etc/snort.conf:
    * src/dynamic-examples/dynamic-preprocessor/Makefile.am:
    * src/dynamic-examples/dynamic-rule/Makefile.am:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
      Add info to snort.conf on how to load dynamic libraries
      and update Makefiles to use path similar to that of
      snort.conf.
    * src/parser.c:
      Fixed error message when dynamic<xxx> token is used.

2006-02-03 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-examples/dynamic-preprocessor/Makefile.am:
    * src/dynamic-examples/dynamic-rule/Makefile.am:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Fix installation directories
    * src/preprocessors/Makefile.am:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_api.c:
      Fixes for MacOS X compilation.

2006-02-02 Steven Sturges <ssturges@sourcefire.com>
    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/fpdetect.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/sfutil/sfeventq.c:
      Changed rule ordering to better handle drop and pass rules
      when other alerts trigger on the same packet.  Thanks Marc
      Norton for the changes.
    * src/profiler.c:
    * src/profiler.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
      Win32 fixes.
    * src/snort.c:
      Fix SigHup processing.
    * src/util.c:
      Code Cleanup.
    * src/detection-plugins/sp_pattern_match.c:
      Return non-zero when search goes out-of-bounds.
    * src/preprocessors/snort_httpinspect.c:
      Fix from Chris Sherwin for pipelined requests.
    * src/preprocessors/spp_frag3.c:
      Change noisy LogMessage to Debug.

2006-01-30 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
      Include config.h if required.
    * configure.in:
    * src/Makefile.am:
    * src/dynamic-examples/.cvsignore:
    * src/dynamic-examples/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/.cvsignore:
    * src/dynamic-examples/dynamic-preprocessor/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h:
    * src/dynamic-examples/dynamic-preprocessor/spp_example.c:
    * src/dynamic-examples/dynamic-rule/.cvsignore:
    * src/dynamic-examples/dynamic-rule/Makefile.am:
    * src/dynamic-examples/dynamic-rule/detection_lib_meta.h:
    * src/dynamic-examples/dynamic-rule/rules.c:
    * src/dynamic-examples/dynamic-rule/sid109.c:
    * src/dynamic-examples/dynamic-rule/sid637.c:
      Added examples for manual of dynamic preprocessor and dynamic rule
      library.
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
      More fixes to cleanup.

2006-01-26 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Fixed a few retransmission alerts that are not toggled
      off by disable_evasion_alerts config.
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
      Addressed some startup issues when running daemon mode.
      Configuration is validated prior to daemonizing, therefore
      if config errors exist, snort will exit, returning error to
      initialization script/process.  Parent process doesn't exit
      until config file is read and a child is forked and has
      created its pid file.  Thanks to Marc Norton and Chris Sherwin
      for their work on this.
      Fixed issue with opening pcap prior to reading it from a
      config file.  Thanks Martin Olsson for noting this.
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
      Fixed builds on FreeBSD.

2006-01-24 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/Makefile.am:
      Win32 Updates.
    * doc/Makefile.am:
      Added files.
    * src/win32/WIN32-Prj/snort.dsp:
      Removed deprecated src files.
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Added dynamic modules, updated version number.

2006-01-23 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_flow.c:
      Fixed error message when parsing flow configuration.
    * src/snort.c:
    * src/snort.h:
      Fixed issue with creating PID files.
    * src/util.c:
      Fixed issue with DropStats and unopened pcap.
    * src/Makefile.am:
    * src/dynamic-plugins/Makefile.am:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/sfutil/Makefile.am:
      Updates to handle make dist and make distcheck.
      Win32 Updates.

2006-01-20 Steven Sturges <ssturges@sourcefire.com>
    * schemas/create_mysql:
    * src/output-plugins/spo_database.c:
      Updated to write GID when logging events.  Thanks to Graham Keeling
      for the patch and Kevin Johnson for helping test.
    * src/snort.c:
    * doc/README:
    * snort.8:
      Added info on new command line options.
    * src/snort.c:
      Updated CreatePidFile to use interface name if available when in
      inline mode (and using a bridging interface).

2006-01-19 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Updated Timestats to print packet stats per hour and breakdown
      per protocol.  Thanks Bill Parker for the update.  To use this
      feature, use --enable-timestats.
    * src/sfutil/sfthd.c:
      Fix parameter ordering in test routine.  Thanks Yin Zhaohui for the find.
    * src/detect.c:
      Fixed DEBUG_WRAP statement.  Thanks Yin Zhaohui for pointing this out.

2006-01-19 Steven Sturges <ssturges@sourcefire.com>
    * autojunk.sh:
    * configure.in:
      Added use of libtool to build dynamically loadable modules,
      --enable-dynamicplugin.  
      Added performance profiling, --enable-perfprofiling.
      Added separation of rules being enabled from them appearing in
      snort.conf, --enable-rulestate.  
      Added pthread linkage, --enable-pthread.
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
    * src/win32/WIN32-Prj/build_all.dsp:
      Added dynamically loadable modules and updated workspace for
      other project files (new preprocessors, DLLs, and utility project
      to build everything).
    * RELEASE.NOTES:
    * doc/Makefile.am:
    * doc/README:
      Updated for new files and 2.6.0 release preparation.
    * doc/README.PerfProfiling:
    * src/profiler.c:
    * src/profiler.h:
      Added performance profiling metrics.  Can measure both rules
      and preprocessor performance.  Enable via --enable-perfprofiling.
      See profiler.h for MACROs to use and various preprocessors for
      examples.
    * doc/README.SMTP:
    * src/dynamic-preprocessors/smtp/.cvsignore:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_config.h:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_log.h:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.h:
    * src/preprocessors/spp_xlink2state.c (removed):
    * src/preprocessors/spp_xlink2state.h (removed):
    * src/preprocessors/xlink2state.c (removed):
    * src/preprocessors/xlink2state.h (removed):
      Added dynamically loadable SMTP preprocessor.  Thanks Andy Mullican
      for the work and research.  Renders xlink2state mini preprocessor
      defunct.
    * doc/README.ftptelnet:
    * src/dynamic-preprocessors/ftptelnet/.cvsignore:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_client.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_server.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.h:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.h:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h:
    * src/preprocessors/spp_telnet_negotiation.c:
      Added dynamically loadable FTP/Telnet preprocessor.  Thanks
      Steven Sturges for the work and research.  Replaces telnet
      decoder.
    * doc/README.sfportscan:
    * src/preprocessors/spp_sfportscan.c:
      Updated for preprocessor protocol ordering. 
      Added performance measurements.
      Added ACK scan detection and false positive prevention with
      sessions picked up midstream and dropped packets.
    * etc/gen-msg.map:
    * etc/generators:
    * src/generators.h:
      Added generator IDs for new preprocessors.
    * etc/snort.conf:
      Added examples for new preprocessors
    * src/Makefile.am:
      Added performance metric modules, new subdirs.
    * src/build.h:
      Separated build version from snort.h.
    * src/debug.h:
      Added new preprocessors.
    * src/decode.c:
    * src/detect.c:
      Performance measurements of packet decoder, detection, rule evaluation
      and preprocessors.
    * src/decode.h:
    * src/detect.h:
      Change to use dynamically sized preprocessor array since more than 32
      preprocessors may be loaded.
    * src/inline.c:
    * src/inline.h:
      Updated to always set drop flag for packets that are dropped
      for logging purposes.
    * src/plugbase.c:
    * src/plugbase.h:
    * src/plugin_enum.h:
    * src/preprocids.h:
      Support for new preprocessors, added checks to verify preprocessor
      configuration.  Removed deprecated preprocessors.  Added cleanup
      and shutdown functionality for preprocessors.  Move preprocessor
      bitmasks from plugbase.h into preprocids.h.  Added protocol stack
      based ordering of preprocessors, so that IP-layer preprocessors are
      run before TCP/UDP layer ones.
    * src/snort.c:
    * src/snort.h:
      Added longname option support.  Added dynamic module commandline
      options, see README for details.  Updated signal handling and
      exit/restart code.  Switched to using pcap_dispatch from pcap_loop
      for better control of packet processing.  Added performance measurements.
      Fixed -T flag and commandline help functionality.  Added -M flag
      to write messages/warnings to syslog (doesn't write alert data there)
      when not in daemon mode.
    * src/tag.c:
      Put limit on tagging to alleviate overloaded databases that result
      in every packet being tagged on high bandwidth sensors.  Prevents
      database DoS with tagging rules.
    * src/util.c:
    * src/util.h:
      Fixed issue with reentrant signal handlers.  At exit because of signal,
      snort now logs to snort_exit file instead of syslog.  Updated pid
      file creation when in Inline mode.
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1_detect.c:
    * src/detection-plugins/sp_asn1_detect.h:
    * src/detection-plugins/sp_urilen_check.c:
    * src/detection-plugins/sp_urilen_check.h:
      Modularized ASN1 detection code.
      Added URI Length check rule keyword.  Thanks to Chris Sherwin
      for the new functionality.
    * src/dynamic-plugins/.cvsignore:
    * src/dynamic-plugins/Makefile.am:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_meta.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-plugins/sf_engine/.cvsignore:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/bmh.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/rules.h:
      Added dynamically loadable rule detection capability.  
      Can write compiled rules that are "blackboxed", yet still loaded
      at runtime.  Thanks Andy Mullican, Steven Sturges and Marc Norton.
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
      Performance measurements, added support for dynamic rule detection,
      and fix issue with non-content rules not being evaluated.
    * src/parser.c:
    * src/parser.h:
      Added dynamic rule and preprocessor parsing, rule state parsing,
      performance profiling parsing.
    * src/signature.c:
    * src/signature.h:
      Added 'gid' and 'metadata' fields to rules.
    * src/detection-plugins/sp_pcre.c:
      Provide ability to turn off PCRE checks via config nopcre.
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h:
    * src/dynamic-preprocessors/.cvsignore:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dynamic_preprocessors.dsp:
    * src/dynamic-preprocessors/initialize_headers.sh:
    * src/dynamic-preprocessors/sf_dynamic_initialize/.cvsignore:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
      Added dynamically loadable preprocessor support.  Simplifies
      development of preprocessors for quicker release of new preprocessor
      code.  Thanks Andy Mullican, Steven Sturges and Marc Norton.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.c:
      Added metric for inline blocked packets.
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf-flow.h:
      Added better performance tracking for flow data for ports under 1024
      and those above.
    * src/preprocessors/portscan.c:
      Added code to ignore certain ports.  Added performance measurements.
    * src/preprocessors/snort_httpinspect.c:
      Updated for stream API.  Added performance measurements.
    * src/preprocessors/spp_frag2.c:
      Updated for preprocessor protocol ordering. 
      To be deprecated in next release.  Added performance measurements.
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_sfportscan.c:
      Updated for preprocessor protocol ordering. 
      Added performance measurements.
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_portscan.c (removed):
    * src/preprocessors/spp_portscan.h (removed):
    * src/preprocessors/spp_portscan2.c (removed):
    * src/preprocessors/spp_portscan2.h (removed):
    * src/preprocessors/spp_conversation.c (removed):
    * src/preprocessors/spp_conversation.h (removed):
      Deprecated old portscan preprocessors.
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
      Modularized this code for use by the dynamic SMTP preprocessor.
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/event_wrapper.c:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/stream_ignore.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream4.h:
      Added api for Stream4 to help with development of next generation
      Stream processing.  Flowbits are now stored as part of the Stream.
      Updated output plugins to use Stream api for logging reassembled
      packets.  Added performance measurements.
    * src/sfutil/Makefile.am:
    * src/sfutil/getopt.h:
    * src/sfutil/getopt1.h:
    * src/sfutil/getopt_long.c:
      Added longname commandline option support.
    * src/sfutil/ipobj.c:
    * src/sfutil/ipobj.h:
      Updated IP Set to include port sets.
    * src/sfutil/mpse.c:
      Added performance measurements.
    * src/snort_packet_header.h:
    * src/win32/WIN32-Includes/libnet/gnuc.h:
    * src/debug.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/sfutil/bitop.h:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/mwm.h:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/.cvsignore:
      Misc code cleanup.

2006-01-09 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/mwm.c:
      Fixed bug with multiple recurring patterns in Wu-Manber implementation.
      Thanks to Evan Stawnyczy for pointing it out and Marc Norton for the
      fix.
    * src/parser/IpAddrSet.c:
      Fixed problem with parsing conf file and rules when DNS is not working.
      Thanks Martin Olsson for mentioning this and testing the fix.
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf-base.c:
      Handle wrapping on 64-bit platforms

2005-11-17 Andrew Mullican <amullican@sourcefire.com>
    * src/sfutil/sfxhash.c:
    * src/preprocessors/portscan.c:
      Add tracker without using bogus data, to avoid internal buffer overrun.
      Thanks Sandro Poppi for the find.

2005-11-11 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
      Allow value of 0 to be used with -G flag
    * src/preprocessors/spp_bo.c:
      Code Cleanup
    * src/preprocessors/spp_frag3.c:
      Fix memory leak and mishandling of IP Options.  Thanks Yin
      Zhaohui for the find.

2005-10-16 Steven Sturges <ssturges@sourcefire.com>
    * etc/gen-msg.map:
    * etc/snort.conf:
    * src/generators.h:
    * src/preprocessors/spp_bo.c:
      Fixed potential buffer overflow in BackOrifice preprocessor and
      added an alert on attempt to overflow buffer in snort.  Thanks
      Andy Mullican for the fix.

2005-10-11 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Updated to mention WinPCAP 3.1 with correct website.  Thanks
      Gianluca Varenni for mentioning the discrepancy.

2005-10-04 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Libraries/libnet/LibnetNT.lib:
    * src/win32/WIN32-Prj/LibnetNT.dll:
      Rebuilt and updated LibnetNT linked with WinPCAP 3.1.

2005-09-23 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_log_database.c:
    * schemas/create_mysql:
      Fixes to address schema being a keyword in MySQL 5.0.  Thanks Wes Young,
      Adolfo Gomez, and Aleem Mawji for the updates.

2005-09-19 mfr <roesch@sourcefire.com>
    * src/output-plugins/spo_log_tcpdump.c:
      don't try to actually open the log file when in test mode

2005-09-19 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Includes/NETINET/IP.H:
    * src/win32/WIN32-Includes/NETINET/IP_VAR.H:
    * src/win32/WIN32-Includes/libnet/LibnetNT.h:
      Always use winsock2.h

2005-09-16 mfr <roesch@sourcefire.com>
    * src/snort.c:
      New command line switch, -K, to explicitly set logging mode.  Available
      arguments are "none", "pcap" and "ascii".
      Pcap mode is now the default logging mode of Snort.
      CheckLogDir() is no longer called in IDS mode until after reading in
      the snort.conf file to prevent unnecessary exiting due to logdir being
      specified in snort.conf and inadvertently checking for the existence
      of /var/log/snort.
    * src/util.c:
      Included CheckLogDir() call in CreatePidFile() on the off chance
      we have to fall back to using pv.log_dir which can happen due to
      the IDS mode logdir check being removed in src/snort.c
    * src/decode.c:
      Added check for bad length of TCP SACK option.
    * snort.8:
      Updated for -K command line switch
    * doc/README:
      Updated for new command line options and default logging mode.

2005-09-16 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
      Additional fixes to better handle various targets and extensions to
      the Shankar/Paxson model.  Thanks Judy Novak for all of the OS
      testing & pcap work.

2005-09-14 Andrew Mullican <amullican@sourcefire.com>
    * etc/gen-msg.map:
    * src/generators.h:
    * src/preprocessors/spp_rpc_decode.c:
      Added new alert on zero-length RPC fragment.

2005-09-14 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Includes/pcap-namedb.h (removed):
    * src/win32/WIN32-Includes/pcap.h (removed):
    * src/win32/WIN32-Includes/WinPCAP/Devioctl.h:
    * src/win32/WIN32-Includes/WinPCAP/Gnuc.h:
    * src/win32/WIN32-Includes/WinPCAP/Ntddndis.h:
    * src/win32/WIN32-Includes/WinPCAP/Ntddpack.h:
    * src/win32/WIN32-Includes/WinPCAP/Packet32.h:
    * src/win32/WIN32-Includes/WinPCAP/Win32-Extensions.h:
    * src/win32/WIN32-Includes/WinPCAP/bittypes.h:
    * src/win32/WIN32-Includes/WinPCAP/bucket_lookup.h:
    * src/win32/WIN32-Includes/WinPCAP/count_packets.h:
    * src/win32/WIN32-Includes/WinPCAP/ip6_misc.h:
    * src/win32/WIN32-Includes/WinPCAP/memory_t.h:
    * src/win32/WIN32-Includes/WinPCAP/normal_lookup.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-bpf.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-int.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-stdinc.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap.h:
    * src/win32/WIN32-Includes/WinPCAP/pthread.h:
    * src/win32/WIN32-Includes/WinPCAP/remote-ext.h:
    * src/win32/WIN32-Includes/WinPCAP/sched.h:
    * src/win32/WIN32-Includes/WinPCAP/semaphore.h:
    * src/win32/WIN32-Includes/WinPCAP/tcp_session.h:
    * src/win32/WIN32-Includes/WinPCAP/time_calls.h:
    * src/win32/WIN32-Includes/WinPCAP/tme.h:
    * src/win32/WIN32-Includes/mysql/Libmysql.def (removed):
    * src/win32/WIN32-Includes/mysql/config-netware.h:
    * src/win32/WIN32-Includes/mysql/config-os2.h:
    * src/win32/WIN32-Includes/mysql/config-win.h:
    * src/win32/WIN32-Includes/mysql/dbug.h (removed):
    * src/win32/WIN32-Includes/mysql/errmsg.h:
    * src/win32/WIN32-Includes/mysql/libmysql.def:
    * src/win32/WIN32-Includes/mysql/libmysqld.def:
    * src/win32/WIN32-Includes/mysql/m_ctype.h:
    * src/win32/WIN32-Includes/mysql/m_string.h:
    * src/win32/WIN32-Includes/mysql/my_alloc.h:
    * src/win32/WIN32-Includes/mysql/my_dbug.h:
    * src/win32/WIN32-Includes/mysql/my_getopt.h:
    * src/win32/WIN32-Includes/mysql/my_global.h:
    * src/win32/WIN32-Includes/mysql/my_list.h:
    * src/win32/WIN32-Includes/mysql/my_pthread.h:
    * src/win32/WIN32-Includes/mysql/my_sys.h:
    * src/win32/WIN32-Includes/mysql/mysql.h:
    * src/win32/WIN32-Includes/mysql/mysql_com.h:
    * src/win32/WIN32-Includes/mysql/mysql_embed.h:
    * src/win32/WIN32-Includes/mysql/mysql_time.h:
    * src/win32/WIN32-Includes/mysql/mysql_version.h:
    * src/win32/WIN32-Includes/mysql/mysqld_error.h:
    * src/win32/WIN32-Includes/mysql/raid.h:
    * src/win32/WIN32-Includes/mysql/typelib.h:
    * src/win32/WIN32-Libraries/Packet.lib:
    * src/win32/WIN32-Libraries/wpcap.lib:
    * src/win32/WIN32-Libraries/mysql/mysqlclient.lib:
    * src/win32/WIN32-Prj/snort.dsp:
      Updated to use WinPCAP 3.1 and MySql client 4.13.  Preparation for
      Snort 2.4.1 release on Win32.

2005-09-14 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
      Mark -z option as to be deprecated.

    * src/preprocessors/spp_frag3.c:
      Fix issue with Teardrop alerts introduced with last update.

2005-09-01 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/decode.h:
      Fix snort decoder to correctly handle PPP over Ethernet decoding.
      Thanks Aristeu Gil Alves Jr for the pcap.

    * src/snort.c:
    * src/util.c:
    * configure.in:
      Added patch for time stats from Bill Parker.  Enable with 
      configure --enable-timestats.

    * src/snort.c:
      Do not allow -T (test mode) & -D (daemonize) together.

    * src/preprocessors/spp_frag3.c:
      Fix issue with Teardrop alerts.

    * src/preprocessors/spp_portscan.c:
    * src/preprocessors/spp_portscan2.c:
      Add deprecation warning.  These will be deprecated in the next
      snort build.

2005-08-31 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
    * src/decode.c:
    * src/decode.h:
      Added decoder for IPEnc for Open BSD.  Thanks Jason Ish for the
      patch (long time ago) and Chris Kuethe for reraising the issue.

    * src/snort.c:
      Allow snort to use usernames (-u) and groupnames (-g) that include
      numbers.  Thanks to Shaick for the patch.
                                        
2005-08-29 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_sfportscan.c:
    * etc/snort.conf:
    * doc/README.sfportscan:
      Change ip_proto to ip for portscan configuration.  Thanks David Bianco
      for pointing this out and Andy Mullican for the updates.

    * src/snort.c:
      Fix broken -T option.  Thanks Andy Mullican for the fix.

    * src/output-plugins/spo_alert_prelude.c:
      Fix for prelude initialization.  Thanks Yoann Vandoorselaere for the
      update.

    * src/preprocessors/spp_frag3.c:
    * doc/README.frag3:
      Update to address Solaris reassembly issues.  Update README to
      include info about new target-based policy.

2005-08-23 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
      Resolve some issues with handling of overlap conditions, multiple
      fragments with MoreFrags bit not set and added target based policies
      for windows and solaris (since they are actually different in
      certain cases).

    * src/preprocessors/stream.h:
      Added data structure padding to fix issues with 64bit Solaris.

    * src/log.c:
      Fix problem in sniffer mode when incomplete TCP option data is received.
      Thanks A Hernandez for the find.

    * src/decode.c:
      Set the source & dest ports used for logging before doing checksum
      verification.  If invalid checksum, ports will be logged (even though
      they may be invalid).
      Wrapped alerts for same src/dst and loopback in mode==IDS & decoder
      alert checks.

    * src/plugbase.h:
      Use hex values for preprocessor bitmask constants instead of the
      decimal equivalent.

    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_byte_check.c:
      Allow for signed offset values to handle negative offset in
      rules.  Fixes potential issue on 64-bit architectures.

    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
      For content matches, when subsequent rule options fail, start searching
      again in correct location instead of again at end of the currently
      found pattern.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_xlink2state.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/xlink2state.c:
    * src/sfutil/asn1.c:
    * src/sfutil/mpse.h:
    * src/plugbase.c:
    * src/snort.c:
      Code/compiler warning cleanup.


2005-08-15 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/win32/WIN32-Includes/NETINET/IN_SYSTM.H:
      Updated Win32 to handle pflog patch.

2005-08-15 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_alert_prelude.c:
    * etc/snort.conf:
      Fix GCC4 warning, make the arguments parser more robust and
      less fault tolerant. Correct parsing of IDMEF severity mapping.
      Don't try to initialize Prelude support when 'output alert_prelude'
      is not specified.  Removed deprecated documentation from the conf
      file.  Thanks Yoann Vandoorselaere for the updates.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/stream.h:
      Fixed problem on Solaris when reassembling at exit.
      Thanks Andrew Rucker Jones for identifying the issue.

    * src/decode.c:
    * src/decode.h:
    * src/snort.c:
      Added support for new OpenBSD pflog format.  Older pflog format,
      OpenBSD 3.3 and earlier, is still supported.  Thanks Breno Leitao
      and Christian Reis for the patch.

    * src/decode.c:
    * src/decode.h:
    * src/util.c:
      Added statistics counter for ETH_LOOPBACK packets.  Thanks rmkml
      for the patch.

2005-07-29 mfr <roesch@sourcefire.com>
    * rpm/snort.spec:
      Fix epoch inclusion for RPM generation

2005-07-29 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Fixed debug prints for new flush behavior changes.

    * src/detection-plugins/sp_pattern_match.c:
      Added checks to ensure some syntax correctness for content
      rules.  Thanks Erik de Castro Lopo for the patch.

2005-07-27 mfr <roesch@sourcefire.com>
    * etc/snort.conf:
      Changed snort.conf to reflect flush_behavior changes

2005-07-24 mfr <roesch@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Fix parsing problem in the flush_behavior config directive

    * etc/snort.conf:
      Turn perfmonitor off by default

2005-07-22 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Changed flush_behavior to use names instead of numeric value.
      New behavior names are 'default', 'large_window', and 'random'

2005-07-22 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Includes/config.h:
      Changed Snort version number

    * src/detection-plugins/sp_pattern_match.c:
      Fixed error message for replace

2005-07-22 mfr <roesch@sourcefire.com>
    * src/preprocessors/HttpInspect/client/Makefile.am:
    * src/preprocessors/HttpInspect/event_output/Makefile.am:
      More cleanup

2005-07-22 mfr <roesch@sourcefire.com>
    * src/preprocessors/HttpInspect/anomaly_detection/Makefile.am:
    * src/preprocessors/HttpInspect/mode_inspection/Makefile.am:
    * src/preprocessors/HttpInspect/normalization/Makefile.am:
    * src/preprocessors/HttpInspect/server/Makefile.am:
    * src/preprocessors/HttpInspect/session_inspection/Makefile.am:
    * src/preprocessors/HttpInspect/user_interface/Makefile.am:
    * src/preprocessors/HttpInspect/utils/Makefile.am:
      Remove references to files in other directories

2005-07-22 mfr <roesch@sourcefire.com>
    * rpm/snort.spec:
      Fixup the spec file to reflect new method of rules distribution

2005-07-22 mfr <roesch@sourcefire.com>
    * configure.in:
      Fix PostgreSQL support

2005-07-21 mfr <roesch@sourcefire.com>
    * src/snort.h:
      Bump build number

2005-07-21 mfr <roesch@sourcefire.com>
    * rpm/snort.spec:
    * rpm/generate-all-rpms:
      Setup for 2.4.0 release, removed inline build option from RPM generation
      for the time being

    * configure.in:
    * Makefile.am:
    * doc/Makefile.am:
      Updated for 2.4.0 release to remove references to sig docs and rules, 
      which are now external to the distro

    * etc/snort.conf:
      Updated snort.conf for 2.4 release

2005-07-20 mfr <roesch@sourcefire.com>
    * autojunk.sh:
      Added --copy switch to automake call, patch from 
      Jeff Nathan <jeff@snort.org>

    * configure.in:
      Added maintainer mode call to prevent endless configure reruns.  From
      Jeff Nathan <jeff@snort.org>

2005-07-20 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
      Improved file handling of perfmon stats file rollover.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Provided ability to use 2 sets of static flushpoints as well as
      random flushpoints for reassembly.  Thanks Jason Brvenik for the
      patch.

    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/snort.c:
    * src/snort.h:
      Added code to process unflushed Streams at snort exit
      and when stream is purged from cache because of memory
      issues.

    * src/preprocessors/spp_telnet_negotiation.c:
      Small fix for normalization of subnegotiation options.

2005-07-19 mfr <roesch@sourcefire.com>
    * doc/BUGS:
      Updated BUGS file for 2.4 release.

    * configure.in:
      Added PostgreSQL fixes and exit code patch from Javier 
      Fernandez-Sanguino Pena <jfs@computer.org>

2005-07-18 mfr <roesch@sourcefire.com>
    * doc/README:
      Updated the README file to reflect the current version of Snort and
      command line switches that are available (and the ones that no longer
      are available as well...)
       
2005-07-11 Steven Sturges <ssturges@sourcefire.com>

    * src/detection-plugins/sp_byte_jump.c:
      Fixed log message.

    * src/log.c:
      Convert ICMP Router Advertisement time to host byte order before
      printing.

    * src/snort.c:
    * src/snort.h:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
    * src/preprocessors/spp_perfmonitor.c:
      Use signal to rollover perf stats file without having to restart
      snort.  Thanks Andrew Mullican for the patch.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/spp_frag3.c:
      Performance update for Frag3.  Also added stats fields to Perfmon
      for Frag3.

    * src/sfutil/mwm.c:
      Fix to handle multiple instances (different case) of the same pattern
      when the matching one occurs later than the others.

    * src/snort.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_prelude.h:
      Fix to handle heartbeat and pthread issues with Prelude.  Thanks Yoann
      Vandoorselaere for the patch.

    * src/sfutil/mwm.c:
    * src/preprocessor/spp_sfportscan.c:
    * src/preprocessor/HttpInspect/normalization/hi_norm.c:
      Data initialization fixes.  Thanks Yoann Vandoorselaere
      for the patch.

    * src/output-plugins/spo_database.c:
      Update for Oracle output.  Thanks Joel Esler for the fix.
      
    * src/output-plugins/spo_unified.c:
      Provide additional reliability for NT_SPECIAL_OUTPUT.  Thanks
      Eriz Lauzon for the fix.

2005-06-10 Jeremy Hewlett <jh@snort.org>

    * src/output-plugins/spo_alert_prelude.c:
      Handle case when Packet pointer is NULL for Portscan alerts.

    * src/preprocessors/spp_frag3.c:
    * src/decode.c:
      Fixed processing of fragmented UDP traffic.

2005-05-20 Jeremy Hewlett <jh@snort.org>

    * src/preprocessors/spp_perfmonitor.c:
      Fixed misprinted filename (mnorton).

    * src/snort.c:
      Allow -T flag when MUST_SPECIFY_DEVICE is enabled (mnorton).

2005-05-19 Jeremy Hewlett <jh@snort.org>

    * src/parser/IpAddrSet.c:
      Fixed problem with parsing IP addresses of 255.255.255.255 for
      rules (ssturges).

2005-05-18 Jeremy Hewlett <jh@snort.org>

    * src/decode.h:
    * src/decode.c:
    * src/generators.h:
    * src/preprocessors/spp_frag3.c:
      Added processing of IP Options in fragmented packets (ssturges).
      Thanks Brice Cotte for getting us discussing this topic.

    * src/preprocessors/snort_stream4_session.c:
      Fixed potential memory corruption (ssturges).

2005-05-09 Jeremy Hewlett <jh@snort.org>

    * src/parser.c:
      Increase limit on number of rule options to 256 (was 64).
      Report error if limit is reached -- previously, extra options
      were ignored.  Also increased max line length to 4096 chars, from
      1024.

2005-05-09 Andrew Mullican <amullican@sourcefire.com>

    * src/preprocessors/xlink2state.c:
      Bugfix for PowerPC architecture.

2005-05-05 Jeremy Hewlett <jh@sourcefire.com>
    
    * src/preprocessors/perf-base.c:
      Updated to better match true on the wire and user data
      values (Marc Norton).

2005-04-28 Jeremy Hewlett <jh@sourcefire.com>

    * src/snort.c:
      Added check for MUST_SPECIFY_DEVICE #ifdef, which if used,
      requires either a -i or -r commandline switch to start snort.  If
      not used, current behavior remains (Marc Norton).

    * autojunk.sh:
    * configure.in:
    * Makefile.am:
    * etc/snort.conf:
    * m4/libprelude.m4:
    * m4/Makefile.am:
    * src/plugbase.c:
    * src/output-plugins/Makefile.am:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_prelude.h:
      Added support for prelude, enable with --enable-prelude. Thanks
      Yoann Vandoorselaere!

2005-04-26 Jeremy Hewlett <jh@sourcefire.com>

    * src/parser/IpAddrSet.c:
      Fixed Snort not resolving hostnames that start with a numeric and
      also parsing of invalid CIDR blocks (Daniel Cid).

    * src/plugbase.c:
    * src/plugbase.h:
      Remove unused functions str2s, hex2s, and int2s (Andy Mullican).
      Thanks Jeff Nathan for pointing this out.

    * src/preprocessors/spp_rpc_decode.c:
      Ignore multiple rpc requests if in a rebuilt packet (Thanks Andy
      Mullican).

    * src/inline.c:
      File descriptor clean up from Will Metcalf.

2005-04-22 Andrew Mullican <amullican@sourcefire.com>

    * etc/gen-msg.map:
    * src/generators.h:
    * src/plugbase.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream4.h:
    * src/preprocessors/spp_xlink2state.c:
    * src/preprocessors/spp_xlink2state.h:
    * src/preprocessors/xlink2state.c:
    * src/preprocessors/xlink2state.h:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
      Added xlink2state mini-preprocessor to catch MS Exchange buffer
      X-Link2State data overflow.

2005-04-11 Jeremy Hewlett <jh@sourcefire.com>

    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
      Fixed error messages in byte_jump & byte_test rule options (Marc
      Norton).

    * detection_plugins/sp_byte_jump.c:
      Fixed issue with 'multiplier' option.  It is now being done before
      the 'align' option.  This helps with rules that look at SMB
      traffic (Steve Sturges).

    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream4.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * etc/snort.conf:
      Performance Improvements to Flow & Stream4 session management.
      Also added limit to number of active sessions for Stream4, default
      of 8192.  Old memcap value now only applies to packets stored for
      reassembly.  Configure using preprocessor stream4: max_sessions
      16384 in snort.conf (Steve Sturges).

    * src/preprocessor/spp_perfmonitor.c:
    * src/preprocessor/spp_perfmonitor.h:
    * src/snort.c:
      Added -Z flag to set full path name to PerfMonitor stats file.
      This will override the file or snortfile configuration option
      (Marc Norton).

2005-04-05 Jeremy Hewlett <jh@sourcefire.com>

    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/output-plugins/spo_unified.c:
      Added a -G flag that specifies an instance identifier for the event
      logs.  Can be used when running multiple instances of snort, either
      on different CPUs or on same CPU but different interface.  Each
      snort instance will use the value specified to generate unique
      event ids.  Can specify either a decimal value (-G 1) or hex value
      preceded by 0x (-G 0x11). Thanks Steve Sturges.

    * src/decode.h:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
      Fix to remove unnecessary ICMP echo extension, and update output
      plugins to use ICMP header info. Thanks Kevin Douglas for finding
      this and Andrew Mullican for the fix.

    * src/decode.h:
    * src/detect.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * etc/snort.conf:
      Add option to Stream4 to limit server-side inspection for improved
      performance.  Similar to HttpInspect's flow-depth, this option
      limits rule-inspection of server traffic to the set number of bytes
      (in 1 or more packets) until another client request is seen.  Thanks
      Steve Sturges & Marc Norton

    * src/plugbase.c:
      Fix issue generating ascii strings.  Thanks Sandro Poppi for the fix.

2005-04-01 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Additional fixes for suppression issue with sfPortscan and Open
      Ports.  Fix for packets logged with bogus ip lengths (related to
      Open Port alerts). Thanks Andy Mullican.

2005-03-25 Jeremy Hewlett <jh@sourcefire.com>

    * src/output-plugins/spo_alert_syslog.c:
    * src/snort.c:
      Add snort's PID to syslog. Thanks Steve Sturges.

    * src/preprocessors/spp_stream4.c:
      Added to default ports in Stream4 and cleaned up Stream4
      configuration processing. Thanks Steve Sturges.

    * src/preprocessors/spp_frag3.c:
      Added packet dump (debug only) to Frag3. Patch from Steve Sturges.

    * src/sfthreshold.c:
      Added detail to config error messages for thresholding. Patch from
      Steve Sturges.

    * src/fpdetect.c:
    * src/plugbase.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/preprocessors/spp_sfportscan.c:
      Code Cleanup (general), thanks Steve Sturges.

    * rpm/snort.org.spec:
    * rpm/snort.logrotate:
      Added schemas to distro, and 'sharedscripts' to logrotate. General
      clean up of spec file. Thanks Josh Kelley for pointing this out.

2005-03-25 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Fixed suppression issue with sfPortscan and Open Ports. Patch from
      Andy Mullican.

2005-03-15 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.c:
    * src/parser/IpAddrSet.c:
    * src/parser/IpAddrSet.h:
    * src/preprocessors/spp_frag3.c:
    * etc/generators:
      Updates/Fixes to Frag3 IP reassembler (thanks ssturges):
      1) Push first fragmented UDP packet through, but do not inspect
      other fragmented packets (until rebuilt).  
      2) Printing of Configuration Info 
      3) Code readability

    * src/parser.c:
      Removal of comment parsing code added for 2.3.1.

    * src/decode.c:
    * src/generators.h:
      Added support for detection of Loopback & Same src/dest attacks in
      the packet decoder. This obsoletes sids 527, 528. Thanks Marc
      Norton for the feature.

    * src/detection-plugins/Makefile.am:
    * src/plugbase.c:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_ftpbounce.h:
      Added FTP Bounce detection Plugin. Thanks Steve Sturges.

    * src/detection-plugins/sp_flowbits.c:
      Increased Flowbits hash table size. Thanks Marc Norton.

    * src/fpcreate.c:
      Performance improvement in pattern matcher from Marc Norton.

    * src/decode.c:
    * src/decode.h:
    * src/fpdetect.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/snort.c:
    * src/snort.h:
      Eliminate duplicate alerts on Rebuilt Streams/IP reassembled packets.
      Patch from Andy Mullican and Steve Sturges.

    * src/preprocessors/portscan.c:
    * src/preprocessors/sfportscan.c:
    * doc/README.sfportscan:
    * etc/generators:
    * etc/gen-msg.map:
      Added handling of midstream sessions in portscan preprocessors.
      Thanks Andy Mullican.

    * src/generators.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/ubi_BinTree.c:
    * src/ubi_BinTree.h:
    * src/ubi_SplayTree.c:
    * src/ubi_SplayTree.h:
    * etc/gen-msg.map:
    * etc/snort.conf:
      Stream4 fixes - Handle PAWS, NULL TCP Flags in established session,
      limit overlaps in established session, update ACK when server sends
      RST. Performance changes for cleaning up session cache. Thanks
      Steve Sturges and Andy Mullican for the patches.

    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * doc/README.http_inspect:
      Added uri_tab_delimiter option to HttpInspect. Patch from Andy
      Mullican.

    * src/preprocessors/perf-base.c:
      Updates to PerfMon to handle multiple CPUs properly. Thanks Steve Sturges.

    * src/preprocessors/spp_telnet_negotiation.c:
      Fixed telnet decoder bug when ignoring Sub-negotiation end command.
      Thanks Steve Sturges.

2005-03-08 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_flow.c:
    * src/detection-plugins/sp_flowbits.c:
      Increased number of flowbits (mnorton)

2005-03-08 Steven Sturges <ssturges@sourcefire.com>

    * src/parser.c:
      Fixed parsing of comments at end of line in config file.  In
      snort.conf, anything that follows a # on a line is considered a
      comment.

2005-03-04 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX.
      Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and
      Jonathan Miner for working with us on this.

2005-01-28 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.c:
    * src/decode.h:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/sfthreshold.c:
      Fixed compiler warnings and code formatting (tabs to spaces).

2005-01-20 Andrew Mullican <amullican@sourcefire.com>

    * src/generators.h:
    * src/preprocessors/spp_bo.c:
      Added 2 BackOrifice alerts (1 client, 1 server) so that some alerts
      can be suppressed.

2005-01-18 Steven Sturges <ssturges@sourcefire.com>

    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/snort.c:
      Change to verify that preprocessors have sufficient configuration
      data to correctly operate.

    * src/preprocessors/spp_frag3.c:
      Fixes to Frag3 to only have one instance of preprocessor.  Uses
      policy context internally based on destination address of packet.
      Previously, each Frag3 Policy would result in a separate
      preprocessor instance.  Also fixed use of ttl_limit option.

2005-01-18 Andrew Mullican <amullican@sourcefire.com>

    * src/decode.c:
    * src/decode.h:
    * src/parser.c:
      Added ability to ignore packets based on port.  Syntax in
      snort.conf is 
        config ignore_ports: <tcp|udp> <list of ports separated by whitespace> 
      where list of ports can also include port ranges (ports separated by :).

2005-01-17 Steven Sturges <ssturges@sourcefire.com>

    * src/inline.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/sfprocpidstats.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
      Performance fixes to get correct 'on-the-wire' statistics.  Added
      'atexitonly' option for perfmonitor that results in performance
      stats only being dumped when snort exits, rather than periodically
      throughout snort's lifetime.
      
2005-01-13 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_frag3.c:
      Fixed parsing of frag3 options to use space delimited options to
      handle IP address lists correctly.

    * etc/snort.conf:
      Updated example options for frag3
 
2005-01-13 Marc Norton <mnorton@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Fixed arithmetic to correctly set the ip packet length in the ip
      header prior to writing the portscan info to the packet. Thanks Jon
      Hart for the test case and finding the bug.

2004-12-23 Steven Sturges <ssturges@sourcefire.com>

    * src/detect.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfthreshold.c:
    * src/snort.c:
    * src/util.c:
    * src/util.h:
    * src/sfutil/Makefile.am:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfsnprintfappend.h:
      Fixed problem with logging that appeared in Snort 2.3.0 RC2, where
      single lines were broken up when sent to syslog. Thanks Sekure for
      pointing out the problem with thresholding.

    * src/sfthreshold.c:
      Fixed xatou function to check for non-digit parameter. Thanks nnposter for submitting
      a patch!

2004-12-20 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.h:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Includes/syslog.h:
      Reduces the number of warnings on MingW/gcc. Thanks Gisle Vanem for
      the patch!

2004-12-17 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.c:
      Fixed issue with snort not properly decoding ppp links on MacOS X.
      Thanks Allan Jensen for reporting this and working with us on the
      fix (Roelker).

2004-12-14 Jeremy Hewlett <jh@sourcefire.com>

    * doc/README.http_inspect:
      Updated documentation on flow_depth and HTTP headers per
      conversations with Joe Patterson. Thanks Joe!

2004-12-09 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_arpspoof.c:
      Added variable names to function prototypes and made cosmetic
      changes to debug messages.  In ARPspoofHostInit() fixed a problem
      where the list of configured IP/MAC entries would contain only one
      entry and leaked memory.  In DetectARPattacks() made a small
      performance improvement by eliminating a copy of the ARP source
      protocol (IP) address (Jeff Nathan).

    * src/snort.h:
    * src/snort.c:
    * src/parser.c:
      Fixed a problem affecting MacOS X where linking may fail with
      non-standard libraries when global symbols are encountered multiple
      times. Removed duplicate globals and externed globals in headers.
      Defined globals in source. Made sure frag2 is only linked once
      (Jeff Nathan).

2004-12-08 Daniel Roelker <djr@sourcefire.com>

    * src/detect.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/fpdetect.c:
    * src/inline.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      If the 'Q' option (inline) is set, set a global variable that can
      be used externally.

    * src/preprocessors/snort_httpinspect.c:
      Update error message when IIS Unicode map file is not found.

    * src/preprocessors/spp_stream4.c:
      Ignore RST|ACK midstream pickup case so we don't get an evasive TCP
      alert.  Thanks for the report, Sekure.

    * src/util.c:
    * src/util.h:
    * src/snort.c:
      Change SanityChecks() to CheckLogDir() so the function name now
      makes sense.  Move CheckLogDir() to after parsing snort.conf (for
      IDS mode), so the logdir config will work if the default or
      command-line logdir does not exist on the system.

2004-11-19 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_telnet_negotiation.c:
      Fixed issues with how telnet options are handled.

2004-11-18 Steve Sturges <ssturges@sourcefire.com>

    * src/detection-plugins/sp_pcre.c:
      Fixed bug when setting the doe_ptr on a successful pcre match.
      It is now set relative to base_ptr.

    * src/detection-plugins/sp_byte_jump.c:
      Added from_beginning and multiplier options for byte_jump.
      from_beginning skips bytes from the beginning of the content,
      instead of from the location immediately following the number
      of bytes to skip.  multiplier takes a numeric argument, and
      skips x times that number of bytes.

2004-11-04 Andrew Mullican <amullican@sourcefire.com>

    * src/detect.c:
    * src/detect.h:
    * src/log.c:
      In "fast" output, now log only actual packet contents when UDP
      data length is greater than actual data length. Thanks Brian
      Caswell for spotting this.

2004-11-04 Jeremy Hewlett <jh@sourcefire.com>

    * configure.in:
      Added --enable-64bit-gcc to set up the build environment for 64bit
      (tested only on Solaris9). There are still some memory alignment
      issues to work out before 64bit mode is fully functional. Patches
      are welcomed. Thanks Chris Baker for doing 64bit testing.

    * src/sfutil/sfmemcap.c:
      Better support for 64bit Snort (mnorton).

2004-11-04 Andrew Mullican <amullican@sourcefire.com>

    * src/output-plugins/spo_unified.c:
      Fixed reference times to match log time for first packet, for an event
      generated by a reassembled packet.  Incremented event ID to give 
      unique ID for each packet.  Also made unified logging compatible with 
      Windows.

2004-11-02 Jeremy Hewlett <jh@sourcefire.com>

    * configure.in:
      Changed linking order of libmysqlclient.

    * src/detection-plugins/sp_rpc_check.c:
    * src/preprocessors/spp_frag2.c:
    * src/sfutil/acsmx2.c:
      Fixes for compilation on 64-bit Solaris.  Snort 2_3 branch compiles
      cleanly (jhewlett, mnorton). Should be a few more changes coming
      shortly.

    * src/plugbase.c:
      Compilation fix for AIX. Thanks Markus Waldeck.

    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
      perfmonitor config line can now be configured with accumulate or
      reset. (mnorton). Thanks Barry Basselgia for pointing out the issue.
      Thanks Scott Dexter and Andreas Ostling for doing some initial
      testing.

2004-10-21 Daniel Roelker <droelker@sourcefire.com>

    * src/preprocessors/HttpInspect/client/hi_client.c:
      Don't include the version string length as part of the
      directory length.  Caused some false positives if the oversize
      directory length was set to small numbers.  Thanks Jeremy
      Hewlett for catching this one.

    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/snort_httpinspect.c:
      Fix false positives that were occurring on some events.  Thanks
      to Vjay Larosa for the report.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/sfprocpidstats.c:
      Fix linux perfmonitoring stats for the 2.6 kernel.  Thanks to 
      everyone that reported this bug. 

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Add an enforce_state keyword to stream4 so we won't pick up midstream
      sessions.  This works well for asynchronous links and also for
      just monitoring legitimate traffic.  

2004-10-13 Daniel Roelker <droelker@sourcefire.com>

    * src/detect.c:
      Fix suppression/thresholding bug for non-rule alerts.  Thanks to
      Alex Butcher for reporting it to us.

2004-10-11 mfr <roesch@sourcefire.com>

    * src/util.c:
      Fix divide by zero bug in TimeStats()

2004-10-05 Daniel Roelker <droelker@sourcefire.com>

    * src/parser.c:
      Fix bug in preprocessor error statement that referenced freed
      memory.  Thanks to Dennis George for submitting fix.

    * src/detection-plugins/sp_pattern_match.c:
      Fix content option modifiers so that they check the option specified
      and not offset.  Thanks to Petr Kurtin for pointing out this bug.

2004-10-04 Daniel Roelker <droelker@sourcefire.com>

    * src/decode.c:
      Fix TCP/IP options print bug that was found by Marcin Zgorecki.

    * src/plugbase.c:
      Move portscan initialization into preprocessors, not plugins.

    * preprocessors/portscan.c:
      Inspect invalid TCP initiators that stream4 doesn't track for portscans.
      Log open ports on TCP portsweeps when we can.  Thanks to #snort and
      SGUIL guys for their comments and feedback.  Also, thanks to David
      Lowless for his portscan testing in the UK.

2004-10-04 mfr <roesch@sourcefire.com>
    * src/preprocessor/spp_frag3.c:
    * src/preprocessor/spp_frag3.h:
    * src/generators.h:
    * src/plugbase.c:
    * src/plugbase.h:
      New target-based IP defragmenter for Snort.

    * src/parser/IpAddrSet.h:
    * src/parser/IpAddrSet.c:
      Added functions for improved set parsing, generation, finding

    * src/preprocessors/flow/flow_cache.c:
      Reformatted output printing for flowcache_stats() function

    * src/preprocessor/spp_arpspoof.c:
    * src/preprocessor/spp_bo.c:
    * src/preprocessor/spp_conversation.c:
    * src/preprocessor/spp_flow.c:
    * src/preprocessor/spp_frag2.c:
    * src/preprocessor/spp_httpinspect.c:
    * src/preprocessor/spp_perfmonitor.c:
    * src/preprocessor/spp_portscan.c:
    * src/preprocessor/spp_rpc_decode.c:
    * src/preprocessor/spp_stream4.c:
    * src/preprocessor/spp_telnet_negotiation.c:
      Added context pointer handling to PreprocessorFunctionNode calls
      
    * src/sfutil/sflsq.h:  
    * src/sfutil/sflsq.c:  
      Added a couple of list node delete and add functions for the current ptr

    * src/sfutil/sfxhash.h:  
    * src/sfutil/sfxhash.c:  
      Exposed sfxhash_free_node() function as a public function

    * src/util.c:
    * src/snort.c:
      Added a modified version of Bill Parker's <dogbert@netnevada.net> run
      timing patch
      
2004-09-20 Daniel Roelker <droelker@sourcefire.com>

    * src/util.c:
      Fix ts_print to work correctly for localtime logging.

    * src/fpdetect.c:
      Thresholded drop/sdrop rules should still drop the packet, but we
      just won't alert on them.  Thanks to Brian Starrfield for finding
      this bug.

2004-09-17 Daniel Roelker <droelker@sourcefire.com>

    * src/detect.c:
      Fix tagging issue that would tag rebuilt TCP streams, which for most
      output plugins means we just relog the packets that we've
      already logged.  Thanks Jeremy Hewlett and Daniel Cid for finding
      this bug.

    * src/event_queue.c:
    * src/event_queue.h:
      Only flush a TCP stream on rule alerts and not on preprocessor alerts.
      Thanks Jeremy Hewlett and Daniel Cid for finding this bug.

2004-09-13 Jeremy Hewlett <jh@sourcefire.com>

    * src/detection_plugins/sp_react.c:
    * src/detection_plugins/sp_react.h:
      Wrap sp_react in #ifdef tests so it can be enabled concurrently
      with sp_respond2 (Jeff Nathan).

    * src/detection_plugins/sp_respond.c:
    * src/detection_plugins/sp_respond.h:
      Wrap sp_respond in #ifdef tests so it is mutually exclusive of
      sp_respond2 (Jeff Nathan).

    * configure.in:
    * doc/Makefile.am:
    * doc/README.FLEXRESP2:
    * src/parser.c:
    * src/snort.h:
    * src/detection_plugins/Makefile.am:
    * src/detection_plugins/sp_respond2.c:
    * src/detection_plugins/sp_respond2.h:
      Import version 2 of the flexible response system written by
      Jeff Nathan

2004-09-08 Daniel Roelker <droelker@sourcefire.com>

    * src/decode.c:
      Drop bad checksums if we're in inline mode and we're doing checksums.
      Thanks to William Metcalf and Victor Julien for this patch.

    * doc/CREDITS:
      Updated CREDITS with some major SourceFire contributors that were
      not mentioned.

2004-09-07 Daniel Roelker <droelker@sourcefire.com>

    * src/inline.c:
    * src/inline.h:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Make reject rule type work with linux bridging.  Added config option
      'layer2resets', which by default uses the interface specified by
      the ipq packet.  In addition, you can also specify a src mac address
      so the sensor interface information is not apparent.  Thanks to 
      William Metcalf and Victor Julien for this feature.

2004-09-02 Daniel Roelker <droelker@sourcefire.com>

    * src/detect.c:
    * src/fpdetect.c:
    * src/preprocessors/spp_stream4.c:
      Add inline state configuration for stream4, so we will drop packets that
      are not part of an existing TCP session and are not valid TCP
      initiators.  Thanks Will Metcalf and Victor Julien for the initial
      implementation.  Add functionality for drop/sdrop rules that will still
      drop a packet if the rule specifies "flow: established".  We silently
      drop the packet, so as not to be DOS'd by stick/snot attacks.  If the
      user wants the alerts, then add in the stream4 configuration of
      'midstream_drop_alerts'.

    * src/rules.h:
    * src/detection_plugins/sp_clientserver.c:
      Add not_established keyword to the flow detection option.  This allows
      snort to do dynamic firewall rulesets.  Experimental for now, so if
      anyone wants to try let me know.

    * src/preprocessors/snort_httpinspect.c:
      Fix conditions where snort would log double web alerts that contained
      only content options (no uricontents).  Thanks to kawa for finding and
      reporting this bug.

2004-08-31 Daniel Roelker <droelker@sourcefire.com>

    * src/fpdetect.c:
      If InlineMode() is set, then the flow: established check will also
      look to see if the TCP stream was picked up in midstream.  If it was,
      then we assume it's established.  This also blocks packets that are
      generated by stick/snot type attacks, whereas before these packets
      were just being passed through because flow: established was not valid.

2004-08-27 Daniel Roelker <droelker@sourcefire.com>

    * src/sfutil/sfmemcap.c:
      Fix 64-bit bug found and tested by Ryan Matteson (matty91@bellsouth.net)
      and Clay McClure (clay@daemons.net).  Thanks guys.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/snort_httpinspect.c:
      When we pick up TCP sessions in midstream, don't use stream4 direction
      to tell us how to inspect client and server traffic.  Performance
      enhancement for some sites.

    * src/preprocessors/portscan.c:
      Add more comments and make portscan detail printouts more readable.

2004-08-20 Daniel Roelker <droelker@sourcefire.com>

    * src/util.c:
      Make ts_print work correctly with timezones.  Thanks to Dagobert
      Kellner for the fix.

2004-08-19 Daniel Roelker <droelker@sourcefire.com>

    * src/util.c:
      Log an error when the user tries to setuid/gid and snort is being
      run in inline.  Thanks Matt Brannigan for finding this bug.

2004-08-13 Daniel Roelker <droelker@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c:
      Ignore replace rule options when snort isn't in GIDS mode. (Roelker)

    * src/decode.h:
    * src/detect.h:
      Set a packet_flag for drop alerts.  This lets the output plugins
      know that we just dropped the packet that we logged.  (Roelker)

2004-08-11 Daniel Roelker <droelker@sourcefire.com>

    * src/inline.c:
    * src/spo_unified.c:
      Make inline alerts work with unified output.  Thanks for the help
      in unified format Andrew Baker.

    * src/util.c:
      Added ASCII pig (thanks Dug Song) and snort team to snort initialization 
      printout.

    * src/output-plugins/spo_log_tcpdump.c:
      Check to make sure we have a pointer before we reference a structure
      element.

2004-08-05 Daniel Roelker <droelker@sourcefire.com>

    * src/log.c:
    * src/detect.c:
      Make tagging work for more than 1 second.  (Daniel Roelker)
    
    * src/detect.c:
    * src/fpdetect.c:
      Get thresholding/suppression to work for alerts that do not
      contain an iph header (primarily decode alerts).  Thanks
      Brian Caswell.

2004-08-04 Daniel Roelker <droelker@sourcefire.com>

    * src/snort.c:
      Fix inline printf's during initialize.  Also fix return code on
      invalid input for startup.  This helps scripts so it returns
      an error if the command line arguments in the script are wrong.
      Thank you Matt Brannigan for this fix.

2004-07-28 Daniel Roelker <droelker@sourcefire.com>

    * configure.in:
      Added --include-pcre* configuration option to help cross compiling.
      Thanks Erik de Castro Lopo.

    * src/event_queue.c:
      Fix bug in multi-event logging when thresholding/suppression was enabled
      for events in the queue.  Thanks once again to Andreas Ostling.

    * src/output-plugins/spo_log_tcpdump.c:
      When a rebuilt stream causes an alert, log out the original packets
      instead of the rebuilt packet.  Thanks Marty Roesch.

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Turn off some alerts in the profile that were causing false positives.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Turn off encoding alerts in HTTP parameter field.  The parameter field
      is still normalized, it just doesn't alert.  This helps reduce alerts
      that are generated from complex parameter queries.

2004-07-08 Daniel Roelker <droelker@sourcefire.com>

    * etc/gen-msg.map:
    * src/generators.h:
    * src/plugbase.c:
    * src/decode.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_sfportscan.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/flow/flow.h:
      Added new portscan detector.  We now detect tcp, udp, icmp, and
      ip protocol scans.  Along with the following scan types (using
      nmap terminology): portscan, decoy portscan, portsweep, and
      distributed portscan.  The initial version will have three sensitivity
      levels, so if you want to change values manually go to portscan.c and
      change the values there.  I don't want to confuse people out of the
      gate with lots of value configurations, so try these preset levels
      and give us feedback.  (Daniel Roelker)

2004-07-06 Daniel Roelker <droelker@sourcefire.com>

    * configure.in:
    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/detect.h:
    * src/fpdetect.c:
    * src/inline.c:
    * src/inline.h:
    * src/mstring.c:
    * src/parser.c:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/output-plugins/spo_database.c:
    * src/preprocessors/spp_stream4.c:
      Added IPS functionality from snort_inline.  Thanks everyone that was
      involved in that project.  For more info, go check out
      http://snort-inline.sourceforge.net.

    * src/log.c:
      Fixed memory leak in "fast" output.  Thanks for your bug report
      sekure@gmail.com.

2004-06-22 Chris Reid <chris.reid@codecraftconsultants.com>

    * src/snort.c:
      Clear error code which under Windows was causing a
      subsequent false failure in parsing threshold rules.
      (thanks to Rich Adamson)

2004-06-16 Daniel Roelker <droelker@sourcefire.com>

    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1.h:
    * src/debug.h:
    * src/snort.c:
      Added ASN.1 parsing and detection functionality to snort.
      Please refer to README.asn1 for more information on rule
      usage. (Roelker)

    * src/parser.c:
      Added parsing check from Andreas Ostling so that users don't
      assume that destination port lists are allowed because no
      error is given.

    * src/preprocessors/spp_stream4.c:
      Fixed rebuilt TCP packet munging reported by Steve Halligan.
      Thanks a lot for getting this problem down to pcap so we could
      analyze the problem.

    * src/detect.c:
    * src/event_queue.c:
    * src/log.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfutil/sfeventq.c:
      Improve TCP reassembly flushing for TCP streams that have already
      generated an alert.  This was illustrated by Brian Bailey in his
      SANS GIAC practical examination.  Thanks for working with us on
      this one.

2004-05-06 Daniel Roelker <droelker@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c:
      Fixed rule read up error when parsing hexmode content options.
      Thanks for pointing it out Marty.  (Roelker)

    * src/preprocessors/spp_stream4.c:
      Fixed null pointer dereference when detect_scans were enabled and
      creating a new session that had funky flags.  Thanks to Chad
      Kreimendahl for reporting the bug and testing the fix.  (Roelker)

    * src/snort.h:
      at build 28

2004-04-22 Daniel Roelker <droelker@sourcefire.com>

    * src/decode.c:
    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/parser.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
      Added new event queueing algorithm, so Snort logs multiple events 
      per packet/stream.  The algorithm uses two ordering methods:  priority
      and content length.  (Roelker)

    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
      New Aho-Corasick pattern matchers (Norton).  Added content length
      tracking on otnx structures.

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/snort_httpinspect.c:
      Added webroot alert.  This alert is generated when a URL directory
      traversal traverses past the webroot.  Added new URI discovery 
      technique pointed out by Kanatoko.

    * src/tag.c:
      Revert to old tagging behavior.  Will add new functionality in a future 
      version.

    * src/util.c:
      Changed Snort post-processing stats to unsigned so users won't get
      negative stats.  Thanks to various people from the community for
      reporting this.

2004-03-22 Chris Reid <chris.reid@codecraftconsultants.com>

    * src/plugbase.c:
    * src/plugbase.h:
    * src/output-plugins/spo_database.c:
      Updated how current/utc times are calculated, as well
      as how they are formatted (thanks Marcus Janoski)

2004-03-18 mfr <roesch@sourcefire.com>

    * src/sfutil/acsmx2.c:
      Fixed _toupper/_tolower calls on non-Win32 machines (again).

    * src/preprocessors/spp_stream4.c:
      Uncommented ssnptr set in BuildPacket() for Dan

2004-03-17 mfr <roesch@sourcefire.com>

    * src/parser.c:
      Added FatalError() in ProcessIP if closing IP-list '[' isn't found

    * src/util.c:
      Revamped DropStats() function to use screen real estate more efficiently

    * src/event_wrapper.c:
      QueueEvent checks to see if we're in MODE_IDS before queuing events and
      ClearEventQueue() checks to make sure that the event_list has been 
      initialized.

    * src/sfutil/acsmx2.c:
      Fixed _toupper/_tolower calls on non-Win32 machines.

    * src/sfutil/acsmx2.c:
      Fixed acsmx.h call to acsmx2.h.

    * doc/Makefile.am:
      Mark snort_manual.pdf for cleanup too.


2004-03-16 Jeremy Hewlett <jh@sourcefire.com>

    * src/snort.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/Makefile.am:
      New Aho-Corasick pattern matcher from Marc Norton - memory usage reduced by 75%.

    * src/snort.h:
      Build 26

2004-03-15 Jeremy Hewlett <jh@sourcefire.com>

    * src/parser.c:
      "config checksum_mode" now supports multiple arguments on one line
      instead of multiple lines.

2004-03-15 Daniel Roelker <droelker@sourcefire.com>

    * src/util.c:
      Calculate dropped packets and received packets correctly.  Thanks
      Yoann Vandoorselaere for pointing this out.

2004-03-08 Daniel Roelker <droelker@sourcefire.com>

    * configure.in:
      Thanks to Erik de Castro Lopo for removing warnings.

    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/snort.c:
      New event queuing and logging for decoder and stream4 events (Marty).

    * src/fpdetect.c:
      Return value for fpEvalPacket and reset BITOP array on HTTP 
      pipelines (Marty/Roelker).

    * src/generators.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Added non-rfc chunk length encoding support, thanks for pointing it out
      H.D. Moore, and added webroot alert which alerts on webroot directory
      traversals (Roelker).

    * src/debug.h:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream4.h:
    * src/preprocessors/stream.h:
      Added new TCP state engine (Marty).

    * src/output-plugins/spo_unified.c:
      Added stream packet logging for unified output, when alerting on
      rebuilt streams (Marty). 

    * src/preprocessors/spp_conversation.c:
      Fixed conversation parsing faults so users can operate this 
      preprocessor (Roelker).

    * src/snort_packet_header.h:
      Added for future support (Marty).

    * src/snort.h:
      Now on build 25.
      
2004-02-25 Jeremy Hewlett <jh@sourcefire.com>

    * src/output-plugins/spo_csv.c:
      Additional fixes from Alan Milligan with CSV output, thanks!

    * src/sfutil/bitop.h:
      Cleaning up unsigned/signed warnings

    * src/snort.h:
      Moving to build 24

2004-02-25 Chris Reid <chris.reid@codecraftconsultants.com>

    * src/output-plugins/spo_database.c:
      Removed escaping of '%' and '_' characters in MySQL (thanks
      Kristofer Karas).

2004-02-23 Jeremy Hewlett <jh@sourcefire.com>

    * snort.8:
      Updated -T info to include where snort looks for "snort.conf." Thanks
      Drew Smith for pointing that out.

    * doc/snort_manual.tex:
      Doc updates for thresholding - rule thresholds must contain a sid.

    * src/detect.c:
    * src/plugbase.c:
      Changed some startup messages from printf to LogMessage to be more
      consistent. Thanks for the patch, nnposter(at)users.sourceforge.net.

    * src/snort.h:
      Touched source code - bumping to 23

2004-02-17 Jeremy Hewlett <jh@sourcefire.com>

    * src/output-plugins/spo_csv.c:
      Fixed minor problems with CSV output not printing out src,srcport, 
      dst,dstport properly.  Thanks for the patch, Bill Guyton. Good spot!

    * src/snort.h:
      Now at build 22

2004-02-13 mfr <roesch@sourcefire.com>
    * templates/sp_template.h:
    * templates/sp_template.c:
    * templates/spp_template.h:
    * templates/spp_template.c:
      Updated to match the current reality of Snort.

2004-02-10 Jeremy Hewlett <jh@sourcefire.com>

    * src/bounds.h:
    * src/event.h:
    * src/signature.h:
      Added fix for compiling on Tru64 - bitypes.h now wrapped in an ifdef.
      Thanks Hari Gopal and Darryl Cook for pointing out the problem and 
      testing.

    * etc/snort.conf:
    * doc/snort_manual.tex:
      Various fixes pointed out by JP Vossen and Felipe Franciosi.

2004-02-09 Jeremy Hewlett <jh@sourcefire.com>

    * src/Makefile.am:
      Removed unnecessary libintsnort.a, which was causing problems for some
      trying to compile on Solaris without the default system tools (ie: the
      "ar" problem).

2004-02-05 Jeremy Hewlett <jh@sourcefire.com>

    * Makefile.am:
      Fixed tab vs space problem on Solaris. Thanks for the report, Chad
      Kreimendahl!

2004-02-05 Daniel Roelker <droelker@sourcefire.com>

    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
      Fixed alert_once bug that was discovered by Kevin Amorin.  Thanks for
      pointing out the particulars of the problem, so we could do a quick
      fix.

2004-01-30 Daniel Roelker <droelker@sourcefire.com>

    * src/decode.h:
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_flow.h:
    * src/sfutil/bitop.h:
    * src/snort.c:
      Added Flowbits detection functionality.  Thanks Brian Caswell for
      initial code prototype.

    * src/sys_include.h:
    * src/ubi_BinTree.c:
    * src/ubi_BinTree.h:
    * src/ubi_SplayTree.c:
    * src/ubi_SplayTree.h:
      No more Log variables.  Die, die, die . . .

2004-01-21 Jeremy Hewlett <jh@sourcefire.com>
    
    * contrib/perfstats.c:
      Added utility to parse out perfmon stats

    * RELEASE.NOTES:
      Added file to keep track of release notes. ChangeLog will migrate to
      more detailed, code-oriented comments.

2004-01-20 Jeremy Hewlett <jh@sourcefire.com>

    * src/detect.c:
      Tagged Packets no longer have NULL msg name.

    * src/output-plugins/spo_csv.c:
      Minor CSV fixes from Elias Levy (Thanks Elias!)

    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
      Minor LaTeX fixes from Jen Harvey (Thanks Jen!)

2004-01-16 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.h:
    * src/preprocessors/spp_stream4.c:
      Fixed http_inspect double alerting on pkts and rebuilt streams.  (Thanks
      Andreas Ostling)

    * src/detect.c:
      Fixed double incrementing of pc.log_pkts on non-rule events.

    * src/detect.h:
      Removed duplicated SnortEvent() function.

    * src/event_wrapper.c:
      Added additional checks to GenerateSnortEvent().

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/snort_httpinspect.c:
      http_inspect proxy_alert now supports normal proxy networks setups.
      http_inspect default server only valid if specified in config. (Thanks
      Brent Erickson)

    * src/snort.c:
      Error on multiple interfaces on command line.
      Corrected pcap_compile error.  (Thanks Andreas Ostling).

    * src/output-plugins/spo_csv.c:
      Added string escaping for the msg.

2004-01-13  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Added Oracle support into Win32 version.  Much appreciation
      to Adam Peterson and SPL Worldgroup Inc. for sponsoring this
      development!  This option will now be available within the
      Win32 installer thanks to their contribution.

2004-1-13 Jeremy Hewlett <jh@sourcefire.com>

    * src/detection-plugins/sp_session.c:
      Fixed vague error message with directory creation problems (Thanks
      Kenneth Ingham)

    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/preprocessors/flow/flow.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow_callback.h:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/flow_stat.c:
    * src/preprocessors/flow/flow_stat.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps.h:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/flow/portscan/scoreboard.h:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/server_stats.h:
    * src/preprocessors/flow/portscan/unique_tracker.c:
    * src/sfutil/util_net.c:
    * src/sfutil/util_net.h:
      Fixed compilation problems on Solaris and some versions of BSD.
      Thanks to the Snort community for your support. These fixes change the
      variable type to u_int32 to remove the need for stdint.h

    * src/output-plugins/spo_alert_unixsock.c:
      Close Socket when Snort receives SIGHUP (Based on patch submitted by
      Neetu Nangia)

    * src/output-plugins/spo_csv.c:
      Added GID, SID, and Rev to csv output (Thanks Brennen Reynolds)

    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/spp_stream4.c:
      Fixed build warnings on FreeBSD 5.0

    * src/parser.c:
      config chroot readded

    * src/parser.c:
    * src/parser.h:
      Added additional error checking for custom rules (Thanks Andreas
      Ostling)

    * src/preprocessors/flow/flow_print.c:
      Flow now honors -q (quiet)

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Fixed issue with no_alert not quieting some alerts

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Removed non_rfc_chars from default profiles

    * src/sfthreshold.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
      Added suppression negation (Thanks Andreas Ostling)

    * src/sfthreshold.c:
      Fixed backwards display of IP addresses on Solaris

    * doc/FAQ:
    * doc/README.csv:
    * doc/README.http_inspect:
    * doc/README.thresholding:
    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
      Minor clarifications and additions.

2004-1-5  Daniel Roelker <droelker@sourcefire.com>

    * src/fpdetect.c:
      Fixes the signature error that users were getting after changes
      to the AddMatch and SelectEvent routines.  Thanks Andreas Ostling,
      Ron Shuck, Jon Hart, and Chris Keladis.

2003-12-22  Daniel Roelker <droelker@sourcefire.com>

    * src/parser.c:
      Andreas Ostling parser fixes and updated error messages.

2003-12-20  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Win32 version wouldn't run as a service.  Thanks to
      Michael Steele for pointing this out.

2003-12-17  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Updated Win32 to 2.1.
    * src/output-plugins/spo_database.c:
      Better support for ODBC.  Better memory management (thanks
      Jeff Nathan).  Improved escaping of SQL strings.

2003-12-17  Daniel Roelker <droelker@sourcefire.com>

    * Snort 2.1 Release

    * src/decode.h:
      Options struct element len, changed to octet.  Thanks
      Andrew Rucker.

    * src/detection-plugins/sp_pattern_match.c:
      Infinite looping patch during specific recursion processing.
      Thanks Lawrence Reed.

    * src/detection-plugins/sp_pcre.c:
      Fixed pcre URI matching.  Thanks Jeremy Hewlett.

    * sp_respond.c:
      Fixes to help respond actions to correlate more closely to
      RFCs and now doesn't allow users to shoot themselves in
      the foot.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Only log DOUBLE DECODE alerts if it's in the URL and not
      the parameter section.

    * src/preprocessors/spp_stream4.c:
      Sync stream4 up with the various versions of it.  Fix
      problem of out-of-order ACKS that was recognized by
      Andrew Rucker.  Also fixed off-by-one bug on reassembled
      streams that was introduced by previous stream4 patch.

    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
      Fixed memory access bug in mwm content matching that multiple 
      users were able to reproduce. 

    * src/tag.c:
      Pkt tagging configuration now works correctly.  Thanks Jeremy
      Hewlett for pointing this out.

2003-12-08  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Updated Snort 2.1 Win32 installer
    * Updated spo_database.c to escape sensor name strings.
      This had been causing a problem under Windows with MySQL
      because of WinPcap sensor names having embedded backslashes.

2003-12-03  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Updated Snort 2.1 beta to support Win32

2003-11-18  Daniel Roelker <droelker@sourcefire.com>

    * src/detection-plugins/sp_ip_proto.c:
      Re-added ip_proto structure to ds_list so that the high-speed
      detection engine once again optimizes on ip_proto rules.

2003-11-14  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/flow/portscan/flowps_snort.c:

      * when using pktkludge output format, make destination address
        the last one seen.

2003-11-07  Daniel Roelker <droelker@sourcefire.com>

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Added some additional config options to server profiles all and iis.

    * src/preprocessors/HttpInspect/client/hi_client.c:
      Return invalid URI for configs that don't allow a tab as a URI
      delimiter instead of processing.  This helps reduce false positives
      for servers that won't accept tabs as valid.

    * autojunk.sh:
      Added --add-missing to automake so the flow dependencies get installed.

    * src/detection-plugins/sp_dsize_check.c:
      Validate dsize argument so that it is a decimal number and a
      positive integer.

2003-11-07  Martin Roesch <roesch@sourcefire.com>

    * src/sfthreshold.c (print_thresholding):
      Cleaned up linewrapped separators, cosmetic cleanup for 80-col
      terminals

2003-11-06  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c (CheckANDPatternMatch):
      Fixed a bug in sp_pattern_match that was introduced with the
      recursive processing in 2.0.3 that resulted in a core dump due
      to an OOB read

2003-11-04  Chris Green  <cmg@sourcefire.com>
    
    * src/log.c (PrintIPHeader): print frag size as the size of the
    datagram - header

2003-11-04  Marc Norton <mnorton@sourcefire.com>

    * src/snort.c (SnortMain): display thresholding information at
    start up

2003-10-30  Chris Green  <cmg@sourcefire.com>

    * src/log.c (PrintIPHeader):
    make fragsize print out the size of the payload rather than the
    size of the header

2003-10-28  Marc Norton <mnorton@sourcefire.com>
    * src/sfutil/mwm.c:
      fixed bug with search-method mwm resulting in retesting removing
      an active rule on occasion (Thanks to Raul Siles & David Perez
      for a reproducible test case!)

2003-10-28  Chris Green  <cmg@sourcefire.com>

    * src/util.c (read_infile): make snort FatalError on bpf filter
      problems (reported by Fran Loehmann)

2003-10-27  Chris Green  <cmg@sourcefire.com>


    * src/preprocessors/spp_flow.c
    (DEFAULT_MEMCAP):
      make default memcaps much smaller
    (FlowInit):
      display correct memcap 

2003-10-20  Chris Green  <cmg@sourcefire.com>

    * configure.in:
      - removed smb alerting since it should be moved to barnyard

    Major 2.1 Features
     - Suppression/Thresholding by 
     - HttpInspect replaces http_decode by Dan
     - Flow ( replaces spp_conversation )
     - Flow-Portscan
     - PCRE (www.pcre.org) is now required to build
     - pcre keyword for regular expressions incorporated
     - isdataat keyword to help with rule writing
    
     See the doc/ subdirectory for more details

2003-10-02  Chris Green  <cmg@sourcefire.com>

    * src/parser.c (RuleType): func == NULL bug fix for Bart Haagdorens

    * Incorporated Steve Grubb's HUP fix for -u users that aren't
      doing Chroot.

2003-09-22  Chris Green  <cmg@sourcefire.com>

    * back from honeymoon

    * src/preprocessors/spp_stream4.c (BuildPacket):
      fixed DEBUG compilation/zero_flushed_buffers option

2003-09-10  Chris Green  <cmg@sourcefire.com>

    * Snort 2.0.2

    * added flush_data_diff_size and zero_flushed_buffers for
      stream4_reassemble

    * added thresholding (see doc/README.thresholding) from
      Sourcefire/Marc Norton

2003-09-02  Chris Reid  <chris.reid@codecraftconsultants.com>

        * Updated Win32 code to properly support logging to
          the Windows Event Log without including the Microsoft-
          generated warning, as was previously observed.

2003-08-06  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeTCP):
      fixed TCP_LARGE_OFFSET with patch from Bob Perkins

2003-07-28  Chris Reid  <chris.reid@codecraftconsultants.com>

        * Updated sp_pattern_match.c and win32_service.c to play nice with
          Visual Studio .NET (thanks for feedback from Louis Jagoe).

2003-07-25  Chris Green  <cmg@sourcefire.com>

    * Makefile.am (dist-hook):
      - add signatures kludges to fix up official tarballs
      - fixed verstuff.pl to interpolate variables
    
    * spp_arpspoof patches from Jeff Nathan

      - Replaced unchecked malloc() calls with SnortAlloc
      - Changed the parameter name ipmel to ip_mac_entry_list in functions
        operating on this list for clarity
      - Re-ordered sanity tests in the preprocessor function to prevent a null
        pointer dereference and to identify early exit conditions
      - Minor optimization to the overwrite detection code: if the overwrite list
        hasn't been initialized return when entering the overwrite condition tests
      - Use FreeToks instead of for() and free() for mSplit tokens.
      - Implemented a CleanExit function suitable for CleanExit and Restart.
      - Added CallLogFuncs calls to accompany all CallAlertFuncs calls (previously
        CallLogFuncs was not used at all).

    * src/decode.c (DecodeVlan):
      - compile with --enable-debug

2003-07-22  Chris Green  <cmg@sourcefire.com>

    * Shortly after release:
     - added verstuff.pl
     - added dist-hook to run verstuff.pl to make the published
       tarballs up to date on snort version

    * Snort 2.0.1 Released

2003-07-18  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeUDP):
     - fixed UDP checksums to not incorrectly calculate with a header
       in host byte order
       Thanks to Marc Norton & Jeremy Hewlett for helping

    * src/detect.c (Preprocess):
     - completely ignore invalid IP checksums throughout snort if we
       are checking them.

2003-07-09  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeIEEE80211Pkt):
     - fixed vlan decoding on lots of advice + patch from Michael
       J. Pomraning over at SecurePipe.  Thanks!

2003-07-03  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeIP):
      - removed redundant flag setting operation

2003-07-01  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/http-resp.c (IsHttpServerData):
     - ensure TCP state on discarded traffic

    * src/preprocessors/spp_stream4.c (GetDirection):
     - switch to using IP addresses

    * src/preprocessors/spp_frag2.c (Frag2Defrag):
     - ignore packets with bad checksums

2003-06-09  Marc Norton  <marc.norton@sourcefire.com>

    * src/fpdetect.c:
      fixed pass not always superseding Alert when rule order was
      Pass-Alert-Log
    
    * src/fpcreate.c:
      This fixes an initialization problem with the iBirDirection flag.

2003-06-04  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_bo.c:
      log packet data

2003-05-30  Chris Green  <cmg@sourcefire.com>

    * src/snort.c: removed obsolete global flow variable

2003-05-28  Chris Reid  <chris.reid@codecraftconsultants.com>

        * Win32 patches from Fulvio Risso (of WinPcap) so -i parameter
          can support both "-i 1" format, and also support named interfaces
          like "-i \Device\Packet_{12345678-90AB-CDEF-1234567890AB}".
          Fulvio also provided a more streamlined Win32 print_interface().

2003-05-27  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_alert_sf_socket.c:
      - made compile w/ debug

    * src/detection-plugins/sp_session.c (OpenSessionFile):
      refactored to do fatal error inside the lower level function
      where filename is defined.  Bug Reported by Jon Werrett.
       
2003-05-27  Andrew R. Baker <andrewb@sourcefire.com>

    * Changed evalIndex to give precedence to help work around
      problems with rule ordering when not using -o

2003-05-14  Andrew R. Baker <andrewb@sourcefire.com>

    * src/Makefile.in:
    * src/plugbase.h:
    * src/spo_plugbase.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_smb.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_null.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
          Relocated Output Plugin API definitions to spo_plugbase.h 

    * src/detect.c:
    * src/rules.h:
          added support for per OptTreeNode output functions
    
    * src/plugbase.c:
    * src/output-plugins/Makefile.in:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_sf_socket.h:
          Sourcefire UNIX datagram socket output plugin


2003-05-16  Chris Green  <cmg@sourcefire.com>

    * patches from jeff nathan
     - config.h before HAVE's in strc*
     - add OSX kludged support for /sw/include to libnet defaults
    * added doc/signatures to Makefile.am

2003-05-13  Chris Reid  <chris.reid@codecraftconsultants.com>

        * Added sanity check in CleanExit() to prevent double-freeing
          of memory during recursive call to CleanExit(). (Mark Scott)

2003-05-13  Chris Green  <cmg@sourcefire.com>

    * patches from Jeff Nathan
      - calloc checks in detection-plugins
      - old version of autoheader doesn't like arguments to

    * add timersub.h to Makefile.am

    * src/detection-plugins/sp_byte_check.c (ByteTest):
      - FatalError if hex/oct are used w/o specifying the string parameter

    * src/detection-plugins/sp_byte_jump.c (ByteTest):
      - FatalError if hex/oct are used w/o specifying the string parameter

    * src/preprocessors/spp_frag2.c (RebuildFrag):
     fix integer wrap around on large packets resulting in invalid IP
     dgrm lengths with large packets for frag2. Thanks to Jason Royes for
     pointing it out.

     will truncate large packets so that the total resulting frame is
     less than 65535 unless you define DONT_TRUNCATE in config.h

     This is unfortunately required for compatibility for other pcap
     applications.

    * src/decode.c (DecodeTCP):
     move port number assignment above option decoding so people don't
     complain about decoder events on port 0.
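
Added example (not Snort source code) of the wraparound described in the spp_frag2.c (RebuildFrag) entry above: a rebuilt datagram length kept in 16 bits wraps once the fragments extend past 65535 bytes, while computing it in 32 bits and truncating keeps it valid. The struct, function names, 20-byte header length and sample fragments are constructed for illustration; the 65535 cap follows the entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_HDR_LEN   20u     /* assumed: IPv4 header without options */
#define MAX_IP_TOTAL 65535u  /* largest value the 16-bit total length can hold */

/* One received fragment: offset in 8-byte units (as in the IP header)
 * and the number of payload bytes it carries. */
struct frag {
    uint16_t off_units;
    uint16_t payload_len;
};

/* Byte position just past the furthest fragment, computed in 32 bits. */
static uint32_t data_end(const struct frag *frags, size_t n)
{
    uint32_t max_end = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        uint32_t end = (uint32_t)frags[i].off_units * 8u + frags[i].payload_len;
        if (end > max_end)
            max_end = end;
    }
    return max_end;
}

/* Wrapping variant: the total is narrowed to 16 bits without a check,
 * so an oversized datagram gets a small, invalid length. */
static uint16_t rebuilt_len_wrapping(const struct frag *frags, size_t n)
{
    return (uint16_t)(IP_HDR_LEN + data_end(frags, n));
}

/* Checked variant: compare in 32 bits first and truncate to the cap,
 * reporting the truncation to the caller. */
static uint16_t rebuilt_len_clamped(const struct frag *frags, size_t n,
                                    int *truncated)
{
    uint32_t total = IP_HDR_LEN + data_end(frags, n);

    *truncated = total > MAX_IP_TOTAL;
    return (uint16_t)(*truncated ? MAX_IP_TOTAL : total);
}

/* Constructed inputs: an ordinary two-fragment datagram, and one whose
 * last fragment extends past 65535 bytes. */
static const struct frag normal_frags[2]    = { {0, 1480}, {185, 520} };
static const struct frag oversized_frags[2] = { {0, 1480}, {8189, 100} };

int main(void)
{
    int t = 0;
    unsigned len;

    printf("normal:    wrapping=%u\n",
           (unsigned)rebuilt_len_wrapping(normal_frags, 2));
    printf("oversized: wrapping=%u\n",
           (unsigned)rebuilt_len_wrapping(oversized_frags, 2));
    len = rebuilt_len_clamped(oversized_frags, 2, &t);
    printf("oversized: clamped=%u truncated=%d\n", len, t);
    return 0;
}
```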

2003-05-02  Chris Reid  <chris.reid@codecraftconsultants.com>

        * updated Win32 LibnetNT.dll (tested by Rich Adamson)

2003-04-28  Chris Green  <cmg@sourcefire.com>

    * updated create_postgresql (Frank Knobbe)
    * solaris forte C compiler patches from Taso Devetzis

2003-04-25  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_tcp_win_check.c (SetupTcpWinCheck):
     - removed initialization message in debug

2003-04-24  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeTCPOptions):
     - only alert on T/TCP if there is a CCECHO

    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/byte_extract.c:
    * src/byte_extract.h:
      - move the common extraction code to a single place
      - fix 2 byte extraction code on little endian architectures
        (Thanks to Jason Miller)

    * src/bounds.h (inBounds):
      - remove #include <snort.h>

2003-04-21  Chris Green  <cmg@sourcefire.com>

    * src/mwm.c (mwmPrepHashedPatternGroups):
     - upon a fatal error, yell about
       config detection: search-method lowmem

2003-04-16  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c (ParsePattern): 
    - u_int -> int for size check
    - (slightly) more readable string handling code
    
    * src/timersub.h:
      import timersub macro from glibc and upcased it

    * src/snort.c (InterfaceThread):
      - Use TIMERSUB

    * src/detect.c (AlertAction):
      AlertFlushStream takes one argument now

    * src/parser.c (ParseConfig):
     disable_tcpopt_ttcp_alerts parsing --
    Thanks for pointing it out Jeff Dell

    * src/preprocessors/spp_stream4.c:
     - removed unused argument to DeleteSpd
    (AlertFlushStream):
    - get the ssnptr variable from the packet structure
    - unified logic for server and client side
    - removed memthresholding because of large delays

    * src/decode.h
    (_Stream):
    - get rid of dataPtr ( it's always the same thing as &s->data )
    - add bytes_tracked variable for more memory protection

    * src/preprocessors/spp_stream4.c:
    - macroize sequence number type checks
    (StoreStreamPkt):
    - watch for how many packets we accept
    
2003-04-14  Chris Green  <cmg@sourcefire.com>
    
    * Snort 2.0.0 Released

2003-04-09  Chris Green  <cmg@sourcefire.com>

    * src/log.c,spo_database.c
    (PrintTcpOptions):
    (PrintIpOptions):
     - correctly print out 

    * src/decode.c:
     Last bastions of ErrorMessage @ decode in non-verbose mode

2003-04-09  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_byte_jump.c:
     - another argument parsing bug ( Thanks Judy )

2003-04-07  Chris Green  <cmg@sourcefire.com>

    * src/decode.c:
     Change all classifications to DECODE_CLASS
     

    * src/detection-plugins/sp_byte_check.c (ByteJump/ByteCheck) - do
    not SetUseDoe() for these functions. Doe is set automatically and
    use_doe is only needed to be set by people wishing to make the
    previous pattern match relative.
     
    Build 69

    * src/decode.h 
      - handle more FIN conditions

    * src/preprocessors/spp_stream4.c (ReassembleStream4):
      - adjusted established check

    * src/preprocessors/spp_stream4.c (NotForStream4):
      - refactoring

2003-04-04  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_byte_jump.c (ByteJump):
    - make offsets work for byte_test and byte_jump
     (Thanks Judy and Dan)

2003-04-03  Chris Green  <cmg@sourcefire.com>
        2.0.0rc3
     
    * etc/snort.conf:
      config detection: search-method lowmem

      Incorporates a lower memory pattern matcher from Marc Norton for
      people running into not being able to update to 2.0 due to
      memory issues.
    
    * src/snort.c (SnortMain):
     - move InitOutputPlugins down ( 1.9 forward fix from Nick )

2003-04-01  Chris Green  <cmg@sourcefire.com>

    Build 67
    
    * src/output-plugins/spo_alert_unixsock.c:
     - moved unix socket format to .h
     - moved default socket location to the logdir
       ( patches from Nick Zitzmann <dreamless@attbi.com>)
     

    2.0.0 RC2

2003-03-31  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (CreateNewSession):
     - don't act like a happy wallaby if the IP transport doesn't support
       ECN but the reserved flags make it through crystal clear

    * src/preprocessors/spp_frag2.c (_FragTracker):
      only do 1 fragment tracker alert for things like teardrop

    * src/preprocessors/spp_stream4.c:
     - DisableDetect() instead of do_detect()
     - flush on write ssn stats (andrewb fix)

    * src/decode.c (DecodeUDP):
     - correctly decode UDP packets (andrewb fix)
     

2003-03-27  Chris Reid  <chris.reid@codecraftconsultants.com>
    * src/tag.c
      #ifdef should have been #ifndef

    * src/acsmx.h
      Have WIN32 use definition of "inline" from config.h
      instead of a locally defined one

    * src/output-plugins/spo_alert_syslog.c
    * etc/snort.conf
      Changed Win32 default host to "127.0.0.1"
      (thanks to Rich Adamson)

    * src/win32/WIN32-Prj/snort_installer.nsi
      Added further installation instructions to help cut
      down on the number of 'newbie' questions.

2003-03-28  Chris Green  <cmg@sourcefire.com>

    * src/parser.c (ParseConfig):
     - make disable ipopt work (Thanks Tim Slighter)

    * src/tag.c
    (PrintTagNode):
    new f()
     - added static cling
    (ParseTag): fixed parser
    (AddTagNode):
     - fixed src/dst tagging
     - unified both tag cache logics

    * src/debug.h:
    * src/debug.c:
      added DebugThis()

    * etc/snort.conf
      make the config options do what they say
    
    * src/output-plugins/spo_alert_syslog.c (ParseSyslogArgs):
     - only warn if we are parsing snort.conf ( -s )

    * src/tag.h (SetTags):
     - damn #if 0

    * configure.in:
      - remove snmp/ssl 

2003-03-27  Chris Reid  <chris.reid@codecraftconsultants.com>

    Build 63

    * src/snort.c
    * src/output-plugins/spo_alert_syslog.c
      Win32 '-s' now takes no arguments.  Host/port info is
      configured only within snort.conf (output alert_syslog).

2003-03-27  Chris Green  <cmg@sourcefire.com>

    * configure.in:
      - changed to make DEBUG do -O0 and -g with gcc
        (-ggdb makes gdb confused. go fig.)

    * src/snort.c (ParseCmdLine):
      -s means syslog() not -s args on win32

    * src/output-plugins/spo_alert_syslog.c (ParseSyslogArgs):
      - SnortAlloc
      - allow -s to work again	  

2003-03-26  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeTCP):
      - bad format args (thanks Tim!)

    RC1
    
    * Incorporated Patches from Jeff Nathan
      - libnet configure should work again
      - randomize flexible response ttls
      - add stop descriptor leaking

    * src/decode.c (DecodeIPOptions):
      truncation alerts for IP options too!
      (InitDecoderFlags):
       added decoder flags function

    * src/log.c (Print(I|Tc)cpOptions):
     - print out everything that I can

2003-03-25  Chris Green  <cmg@sourcefire.com>

    * src/signature.c (ReferenceSystemAdd):
     - fixed the dang linked list

    * rules/Makefile.in (EXTRA_DIST):
      added pop2.rules

    * src/decode.h (_Stream):
     - removed current_seq to save memory

    * src/preprocessors/spp_stream4.c
     - added isBetween inline function	
    (UpdateState):
     - incorrect ACTION_ACK_CLIENT_DATA
     (StoreStreamPkt):
     - comment clarification
    

    * src/bounds.h:
      - added new file
      - moved standard bounds checking functions to this file	  

    * src/detection-plugins/sp_react.c (ParseReact):
     - give react a half a chance of working
     (SendTCP):
     - see above

    * src/detection-plugins/sp_clientserver.c (ParseFlowArgs):
     - fatal error on unknown option

    * src/output-plugins/spo_database.c
     (UpdateLastCid):
      - added missing free()
     (Database):
      - correctly write out the class_id junk

    * src/output-plugins/spo_alert_smb.c	
    (AlertSmb):
     - print out the ports like was intended

    * src/preprocessors/spp_portscan2.c (SLog): 
      - use fprintf for what it was designed for
    
    * src/preprocessors/spp_portscan.c (LogScanInfoToSeparateFile):
      - use fprintf for what it was designed for

    * src/log.c
    (PrintArpHeader):
     - wireless arp printing fix
    (PrintTcpOptions):
     - strncpy -> memcpy
    (PrintEapolKey):
     - aligned printf

    * src/decode.c (DecodeTRPkt):
     - more truncation style alerts

2003-03-24  mfr <roesch@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
         - changed PruneSessionCache() to only do timeout flushes if 
           we're over 50% of the memcap (should help performance)

        * src/log.c:
         - fixed broken Frag Size calculation in IP header printout routine

2003-03-21  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_session.c:
     - fixed memory leak on filename creation

    * src/preprocessors/spp_stream4.c (Stream4InitReassembler):
     - make serveronly work

    * src/preprocessors/spp_telnet_negotiation.c (NormalizeTelnet):
     - check the byte, then increment

    * src/detection-plugins/sp_byte_check.c (ByteTestParse): 
      more input validation for byte_check/byte_jump

    * src/log.c (PrintWifiHeader):
      - watch out for NULL bssid's

    * src/tag.c
      (TagHost):
      - removed redundant check
      (AddTagNode):
      - accumulate the tag seconds rather than the idx->seconds

    * src/detection-plugins/sp_pattern_match.c (PayloadSearchRegex):
         - actually die on a regex option
       ( might actually get it developed later )

    * src/decode.c
     (DecodeIEEE80211Pkt):
      - more truncated packet alerts
     (DecodePPPoEPkt):
      - alert on truncated pppoe pkts
      - separate decoder for encapsulated PPP
     (DecodeVlan):
      - alert on truncated Vlan headers
         (DecodeUDP):
      - use the UDP header length field
        instead of capture length

    * src/detection-plugins/sp_byte_jump.c:
      src/detection-plugins/sp_byte_check.c:
      - protect against negative offsets
        ( don't rely on negative offsets working in the long term )
      - don't continue when we can't parse string numbers

    * src/detection-plugins/sp_respond.c (Respond):
      - missing iph check

    * src/detection-plugins/sp_ip_proto.c (IpProtoDetectorFunction):
      - missing iph check

    * sspp_asn1, fnord, spo_xml, spo_SnmpTrap
      - removed ( will be available later as a contrib )
    
    * src/preprocessors/spp_http_decode.c:
         - switch to using chars for lookup tables
         - removed extraneous sprintfing
         - removed old TBD feature code

2003-03-17  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (FPUTS_WIN32):
      - changed to blank space rather than NULL

    Build 60

     New Options added to snort.conf
         config: disable_tcpopt_experimental_alerts
         config: disable_tcpopt_obsolete_alerts
         config: disable_ttcp_alerts
         config: disable_tcpopt_alerts

    * src/preprocessors/spp_stream4.c
    (ReassembleStream4):
      - DisableDetect only if the emergency_status is NULL.
    (CreateNewSession):
      - fixed return logic with detect scans

    * etc/gen-msg.map: WARNINGS: -> snort_decoder:
      - new tcpopt events

    * src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
      - change to use DisableDetect() instead of do_detect = 0;
        (disables further preprocessors)
        (RPC_CLASS): Use the same classification as the other decoder alerts

    * src/snort.h (_progvars):
     - added DecoderFlags structure for enabling/disabling decoder alerts

    * src/snort.h (_progvars): 
          - added tcpopt_alert_flag
         
    * src/decode.c (DecodeTCP):
      - print out warnings on bad header lengths in verbose mode
      (DecodeTCPOptions):
      - nearly complete rewrite to identify whizbang things like
        bubba and skeeter options!

2003-03-14  Chris Reid  <chris.reid@codecraftconsultants.com>
        Build 59 (really this time)

        * src/detect.c
          - corrected un-initialized memory in CreateRuleType()

        * src/snort.c
          - rationalize Unix vs. Win32 command-line options
          - add optarg for Win32 syslog '-s' parameter
          - bugfix for Win32 syslog initialization
          - thanks to Rich Adamson and L. Christopher Luther for helping
            with the syslog fixes

        * src/util.c
          - provide Win32 fix for SetChroot()

        * many files
          - added missing CVS ID tags
          - added missing copyrights

2003-03-13  Chris Green  <cmg@sourcefire.com>
    Build 59

    * src/preprocessors/spp_stream4.c(TcpActionAsync):
     - update server side seq numbers on Async State machine

    * src/preprocessors/spp_stream4.c
    (BuildPacket):
     - Use Constants for IP Lens
     - Move SPARC_TWIDDLE to only initialization

    * src/preprocessors/spp_frag2.c
      - removed killme variable from InsertFrag
      - untabified
     (RebuildFrag):
      - converted to creating fake packets the same way as stream4

2003-03-10  Chris Green  <cmg@sourcefire.com>

    Build 58
    
    * src/util.c:
      - new functions SetChroot, CurrentWorkingDir,
        SigChrootHupHandler, GetAbsolutePath
      - Chroot + HUP == "tough luck for now"

    * src/snort.c (SnortMain):
      - Chroot after parsing the rules file
      - use fully qualified pathname for logdir in chroot case

    * src/output-plugins/spo_unified.c (UnifiedInitAlertFile):
      - removed a printf

2003-03-05  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_byte_check.c (ByteTest):
       - never touch doe_ptr on a successful match
       - inBounds check off by one when seeing if enough to read
    * src/detection-plugins/sp_byte_jump.c (ByteJump):
       - inBounds check off by one when seeing if enough to read
    * src/detection-plugins/sp_pattern_match.c (uniSearchReal): 
       - inBounds check off by one when seeing if enough to read
    
2003-03-04  Chris Green  <cmg@sourcefire.com>

    * src/util.h (inBounds):
      end is always dsize + len so it should be p < end

    * src/preprocessors/spp_stream4.c (UpdateState):
      - added return ACTION_ACK_CLIENT_DATA

    * src/detection-plugins/sp_pattern_match.h (_PatternMatchData):
      - changed check_distance to use_doe ( check_distance was not used )
    
    * src/detection-plugins/sp_pattern_match.c
    (uniSearchReal): 
          - new function to unify uniSearchCI & uniSearch
          - all "work" related to distance, within, depth, and offset done
            in one place now
    
    (CheckANDPatternMatch):
      - condensed this down to be a very small wrapper around uniSearch
       ( now !content will alert with offset on small packets)
    (CheckUriPatternMatch):
      - condensed this down to be a very small wrapper around uniSearch

    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    
     - inBounds function
     - doe_ptr
     - SetUseDoe
     - TEXTLEN constant

    * src/generators.h (RPC_MULTIPLE_RECORD_STR): 
          fixed cut and pasto
    
    * src/util.h (inBounds):
      added new inBounds function to check a ptr position against a
      known start and end location

    * src/mstring.c (mSearch):	 
      subsequent offsets adjusted correctly (Marty)

    * src/preprocessors/spp_rpc_decode.c
      - redefine MSB
      - write fraghdr back into pkt
      - removed extraneous printf

    * src/preprocessors/spp_rpc_decode.c:
       - readded config.h and strings.h (Thanks Chad)

    * src/preprocessors/spp_stream4.c
      - suspend re-enabling mode fixes
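
Added example (not Snort source code) of the half-open bounds check that the 2003-03-04 and 2003-03-05 inBounds entries above describe, where end points one past the last payload byte, extended to a byte extraction that also rejects negative offsets. The names in_bounds, can_read, can_read_off_by_one, extract_be and the sample payload are hypothetical, and the off-by-one variant is one constructed way such a bug can arise, not the code that was fixed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Position check over the half-open range [start, end): `end` points one
 * past the last payload byte, so a readable position satisfies p < end.
 * All pointers must be derived from the same buffer. */
static int in_bounds(const uint8_t *start, const uint8_t *end,
                     const uint8_t *p)
{
    return p >= start && p < end;
}

/* "Enough to read": n bytes starting at p fit when the distance to end
 * is at least n. The one-past pointer p + n is allowed to equal end. */
static int can_read(const uint8_t *start, const uint8_t *end,
                    const uint8_t *p, size_t n)
{
    return n > 0 && in_bounds(start, end, p) && (size_t)(end - p) >= n;
}

/* Off-by-one variant kept for comparison (constructed): it treats the
 * end of the read as a position, so a read that finishes exactly at the
 * end of the payload is rejected and the last bytes are never inspected. */
static int can_read_off_by_one(const uint8_t *start, const uint8_t *end,
                               const uint8_t *p, size_t n)
{
    return can_read(start, end, p, n) && in_bounds(start, end, p + n);
}

/* Extract an n-byte (1..4) big-endian value at a signed offset from the
 * start of the payload. Returns 0 on success, -1 if the read does not
 * fit. The offset is validated as a number before any pointer is formed,
 * and bytes are combined with shifts so host byte order does not matter. */
static int extract_be(const uint8_t *data, size_t dsize, long offset,
                      size_t n, uint32_t *out)
{
    const uint8_t *end = data + dsize;
    const uint8_t *p;
    uint32_t v = 0;
    size_t i;

    if (n == 0 || n > 4 || offset < 0 || (size_t)offset >= dsize)
        return -1;
    p = data + offset;
    if (!can_read(data, end, p, n))
        return -1;
    for (i = 0; i < n; i++)
        v = (v << 8) | p[i];
    *out = v;
    return 0;
}

/* Constructed 8-byte payload for the demonstration. */
static const uint8_t sample[8] = {
    0x00, 0x01, 0x02, 0x03, 0xde, 0xad, 0xbe, 0xef
};

int main(void)
{
    const uint8_t *end = sample + sizeof(sample);
    uint32_t v = 0;

    printf("last 2 bytes readable (correct):    %d\n",
           can_read(sample, end, sample + 6, 2));
    printf("last 2 bytes readable (off by one): %d\n",
           can_read_off_by_one(sample, end, sample + 6, 2));
    if (extract_be(sample, sizeof(sample), 4, 4, &v) == 0)
        printf("value at offset 4: 0x%08x\n", (unsigned)v);
    printf("read past end rejected:   %d\n",
           extract_be(sample, sizeof(sample), 6, 4, &v) == -1);
    printf("negative offset rejected: %d\n",
           extract_be(sample, sizeof(sample), -1, 1, &v) == -1);
    return 0;
}
```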

2003-03-03  Chris Green  <cmg@sourcefire.com>	
    * src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
       - alignment errors on non-x86 platforms
       - added new space delimited options
             alert_fragments
             no_alert_multiple_requests
             no_alert_large_fragments
             no_alert_incomplete
       - corrected buffer overflow in fragment normalization

2003-02-28  Daniel Roelker <droelker@sourcefire.com>
    * src/bitop.h:
    * src/fpcreate.c:
    * src/fpdetect.c:
        - Fixed a problem when snort runs with only uricontent matches
          and no contents.  In this case an element in the bitop structure 
          never got initialized, so it's not good to reference that.
          Problem was caught by Chris Green doing some unit testing.

2003-02-27  Chris Reid  <chris.reid@codecraftconsultants.com>
    * src/win32/WIN32-Prj/snort.dsp
    * src/win32/WIN32-Prj/snort.mak
    * src/win32/WIN32-Prj/snort.dep
       - Removed an unnecessary file from the project (name.mc)
    * src/win32/WIN32-Prj/build_releases.bat
       - Script to easily compile all configurations of snort.
    * src/win32/WIN32-Prj/snort_installer.nsi
    * src/win32/WIN32-Prj/snort_installer_options.ini
       - Scripts to build a Win32 installation program for snort.
         Thanks to Chris Green for suggesting we use NSIS!
    
2003-02-19  Chris Reid  <chris.reid@codecraftconsultants.com>
    * src/snort.c
       - Win32 '-s' parameter wasn't configured to accept an optarg,
         but code expected one, causing null-pointer violation.

2003-02-16  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
       * remove broken checks.

    * src/preprocessors/spp_telnet_negotiation.c (NormalizeTelnet):
       * remove broken checks.

2003-02-15  bmc <bmc@snort.org>
    * src/preprocessors/spp_asn1.c
       - don't bother decoding the packet if it's 0 bytes
    * src/preprocessors/spp_fnord.c
       - don't bother decoding the packet if it's 0 bytes
       - set DEBUG to DEBUG_PLUGIN instead of DEBUG_STREAM
    * src/preprocessors/spp_http_decode.c
       - don't bother decoding the packet if it's 0 bytes
       - if stream4 is enabled, only decode if it is client data
         on an established session
         (This makes using internal_alerts useful)
    * src/preprocessors/spp_rpc_decode.c
       - don't bother decoding the packet if it's 0 bytes
       - if stream4 is enabled, only decode if it is client data
         on an established session
    * src/preprocessors/spp_telnet_negotiation.c
       - don't bother decoding the packet if it's 0 bytes
       - if stream4 is enabled, only decode if it is client data
         on an established session

2003-02-15  bmc <bmc@snort.org>
    * src/detection-plugins/sp_byte_jump.c
       actually verify that it needs aligning before aligning.  
       (more than 0 doesn't need aligned)

2003-02-15  bmc <bmc@snort.org>
    * src/detection-plugins/sp_byte_jump.c
       0 is already aligned to a 32-bit boundary...

2003-02-14  bmc <bmc@snort.org>
    * src/mstring.c
       Fix so --enable-debug actually compiles

2003-02-14  mfr <roesch@sourcefire.com>
    * src/parser.c
        Fixed XferHeader() function to copy the not_*p_flag to the RTNs...

    * src/detection-plugins/sp_ip_proto.c    
        ip_proto options can now be stacked

2003-02-14  mfr <roesch@sourcefire.com>
    * src/fpdetect.c
      src/mstring.c
      src/detection-plugins/sp_byte_check.c
      src/detection-plugins/sp_byte_jump.c
      src/detection-plugins/sp_pattern_match.c
        Fixed distance/within/byte_test/byte_jump relative (stateful) 
        pattern matching and the like.  Complete reimplementation of
        payload position tracking.  Tested with several different attack
        scenarios with 100% detection rate, please test!

2003-02-04  Chris Reid  <chris.reid@codecraftconsultants.com>

    * src/snort.c
        Added sanity checks on command-line parameters, for whenever a user
        forgets to put spaces between (ie.) /SERVICE/INSTALL.  This only
        applies to /SERVICE parameter for Win32.

    * src/util.c
      - Updated Win32 banner for version 2.0
      - Modified FatalError to generate a Win32 EventLog entry
        if this is a Win32 Service build, otherwise no errors
        are ever presented to the user.

    * src/mwm.c
      - Added an include of config.h, for Windows build.
      - Changed variable names "small" and "large" into "small_value"
        and "large_value" to prevent compile errors under Visual C++.

    * src/mpse.c
    * src/pcrm.c
      - Added an include of config.h, for Windows build.

    * src/parser/IpAddrSet.c
    * src/preprocessors/perf-flow.c
      - Added ifndef/endif around non-Win32 header files.

    * src/preprocessors/perf-base.c
      - Added changes to allow it to compile under Win32.

    * src/preprocessors/perf.h
      - Prevent definition of UINT64 under Win32.

    * src/preprocessors/spp_asn1.c
    * src/preprocessors/spp_bo.c
    * src/preprocessors/spp_fnord.c
      - Added documentation.

    * src/win32/WIN32-Includes/config.h
      - Added definition for UINT64 and uint64
      - Changed VERSION to '2.0.0beta'

    * src/win32/WIN32-Code/win32_service.c
      - Changed how Win32 registry is opened for reading (was KEY_ALL_ACCESS,
        now is KEY_READ).  Problem (and patch) was reported by Michael Miller.

    * src/win32/WIN32-Prj/snort.dsp
      - Removed all references to SFStats compile options, since these stats
        provide little useful information under Win32 due to API differences
        between Win32 and Unix, specifically the lack of a native getrusage().

    * src/win32/WIN32-Prj/snort.ncb
      src/win32/WIN32-Prj/snort.opt
      src/win32/WIN32-Prj/snort.plg
      - Truncated the contents of these files.

2003-01-26  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
     (AlertFlushStream):
      - Fixed problem where an alert on a stream
        would update sequence numbers incorrectly
      - moved StoreStreamPkt up to avoid crash

       Thanks to Lawrence Reed for pointing out problems and almost
       perfect solutions

    * src/detection-plugins/sp_clientserver.c (CheckForReassembled):
       missing return in opt node check
       affects only flow: only_stream

2002-1-17  Daniel Roelker <droelker@sourcefire.com>
    * src/preprocessors/spp_perfmonitor.c:
        Added 'snortfile' parameter to perfmonitor so users can use the
        default snort directory to log performance statistics.  Suggested
        by L. Reed.

    * src/preprocessors/spp_stream4.c:
        Fixed performance statistic counter for total stream4 sessions.  When
        a new session is created, we make sure that it was created before
        incrementing the counter.  Fixed by L. Reed.

2003-01-07  mfr <roesch@sourcefire.com>
    * configure.in
        Added patch from Jeff Nathan to fix libnet detection

2003-01-05  mfr <roesch@sourcefire.com>
    * src/util.h
        Added self preservation control struct for the new SPAlloc function.

    * src/util.c
        Added self preservation-aware memory allocator, this allows coders
        to add new subsystems requiring self preservation techniques using
        a single allocation interface and management mechanism.

    * src/detection-plugins
        Changed the URI and AND checking modules to use the context pointer
        on the fp_list struct instead of the ds_list.  This will cause
        all content/uricontent checks to be checked in the sequence that
        they appear in a rule so that all the distance/within and 
        relative byte_test/byte_jump stuff will work properly.  Merry Xmas
        cazz!

    * src/preprocessors/spp_frag2.c
        Changed frag2 to use the new SPAlloc mechanism as a testing
        platform.  If this works right I'll convert all the other stuff
        over to it as well.

2002-12-19  Andrew R. Baker <andrewb@sourcefire.com>

    * src/detect.c:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser.h:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
        Fix custom rule types and arbitrary rule ordering that were broken 
        with the new detection engine.

2002-12-13  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c (Frag2Defrag):
       - added "state_protection" config mechanism to enable/disable
         the thresholding operations	

    * src/preprocessors/spp_stream4.c:
       - mark sessions that have been picked up midstream
           - protect against people setting up snort behind a tap without
         setting asynchronous link
       - added "state_protection" config mechanism to enable/disable
         the thresholding operations

    * src/decode.h (SSNFLAG_MIDSTREAM): added a midstream pickup flag

2002-12-12  Daniel J. Roelker <droelker@sourcefire.com>

    * src/fpcreate.c:
    * src/fpdetect.c:
        Fixed bi-directional rule functionality when unique port was the
        destination port in a bi-directional rule.  Reported by Brian
        Caswell.

2002-11-26  Andrew R. Baker <andrewb@sourcefire.com>
    * src/parser.c:
        fixed argument handling bugs for snaplen and read_bin_file config
        directives in snort.conf

    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
        Modifications to signal handling and CleanExit/Restart

2002-11-26  Daniel Roelker <droelker@sourcefire.com>

    * src/checksum.h:  
        Problem with ICMP checksum.  Routine did not return the complement
        of the checksum.  Thanks to Del Armstrong for pointing this out.

    * src/decode.c:
        Also, UDP checksums are only done if the checksum is 0.  Otherwise,
        we don't do them, even if the config is set for that.  Again,
        thanks to Del Armstrong for pointing this out.

2002-11-26  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_database.c (BeginTransaction):
     * removing BEGIN for oracle ( Chad Kreimendahl )

2002-11-25  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
    (TcpActionAsync): 
    (TcpAction):
       -- removed extra decrements for last_ack
       was causing a high false alarm rate for new \r\n rules.

       Thanks to Jens Krabbenhoeft for helping on this one

       -- disable nmap scans from alerting when we don't use detect_scans.

       Thanks to Chad Kreimendahl for this one
    

2002-11-24  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
       - fix argument parsing for emergency modes

    * src/preprocessors/spp_frag2.c (ParseFrag2Args):
            - fix argument parsing for emergency modes
        
2002-11-19  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
      fixed a bug where we would shift to suspend mode if
      stream4_reassemble wasn't enabled

2002-11-18  Chris Green  <cmg@sourcefire.com>

        Merging in mfr/cmg mitigations for extreme bogus session loads
    
    * src/preprocessors/spp_stream4.c:
        self_preservation_threshold: <bare new sessions/second>
        self_preservation_period: <duration of SP mode>
        suspend_threshold: <bare new sessions/second>
        suspend_period: <duration of suspended operations>
        emergency_ports: <port list>  <-- port list that will be reassembled
    * src/preprocessors/spp_frag2.c:
        self_preservation_threshold: <bare new sessions/second>
        self_preservation_period: <duration of SP mode>
        suspend_threshold: <bare new sessions/second>
        suspend_period: <duration of suspended operations>

        added Emergency / Suspend mode

    * src/generators.h: added Emergency / Suspend alerts to

       stream4/frag2 - in the future, these should not generate packet
       log alerts but they are required to for the current view of the
       world

    * src/detect.h (DisableDetect): added function
    

2002-11-16  Chris Green  <cmg@sourcefire.com>

    * src/snort.h:
      - added a define SNORT_20 so that code will be easier to merge around

2002-11-13  Andrew R. Baker <andrewb@sourcefire.com>
    * src/log.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcdump.c:
    * src/output-plugins/spo_unified.c:
    * src/output-plugins/spo_xml.c:
    * src/preprocessors/spp_portscan.c:
    * src/preprocessors/spp_stream4.c:
        Changes to cleanup the chroot process

2002-11-12  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_log_ascii.c:
        fixed output file issues for ascii logging

2002-11-11  Andrew R. Baker <andrewb@sourcefire.com>
    * src/log.h:
    * src/parser.c:
    * src/plugbase.c:
    * src/snort.c:
    * src/snort.h:
        Cleanup command line alert and log configuration

    * src/decode.c:
    * src/snort.c:
    * src/snort.h:
        updated run mode determination and representation
        relocated log_dir sanity check
        relocated test_mode_flag check to outside InterfaceThread
        moved global variable declarations into snort.c from snort.h
        
    * src/snort.c:
        replaced ReadConfFile with ConfigFileSearch.  The configuration file
        is now only read in one place.
        
    * src/log.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/spp_portscan.c:
        removed more vestiges of the multiple interface pthread support

2002-11-10 Brian Caswell <bmc@snort.org>
    * src/detection_plugins/sp_byte_test.c:
        added support for & and ^

2002-11-07  Daniel J. Roelker <droelker@sourcefire.com>
    * src/preprocessors/spp_http_decode.c:
        Fixed an infinite loop bug that occurred in my last update to
        http_decode that dealt with an off-by-one bug.  Fixed now.  Pointed
        out by Jens Krabbenhoeft and Nathan Labadie.

2002-11-07  Andrew R. Baker <andrewb@sourcefire.com>
    * src/snort.c:
    * src/snort.h:
        Removed unused MTU support code

2002-11-06  Daniel J. Roelker <droelker@sourcefire.com>
    * src/mwm.c:
    * src/mwm.h:
        Fixed another bug in mwm search routines when dealing with identical
        one byte patterns in multiple rules.  There was a theoretical 
        possibility of overwriting a one byte rule group (example: "~") with
        another rule group of ("|00 7e|").  This has now been fixed and 
        should be the last of the one byte pattern problems.

2002-11-06  Daniel J. Roelker <droelker@sourcefire.com>
    * src/mwm.c:
    * src/mwm.h:
        Fixed bug when comparing multiple one byte rules with the same one
        byte pattern.  Problem pointed out by Brian Caswell.

2002-11-06  Andrew R. Baker <andrewb@sourcefire.com>
    * src/snort.c:
    * src/snort.h:
    * src/decode.c:
    * doc/README:
        removed -6 (show IPv6) and -x (show IPX) command line options (they
            never did much anyway)
        cleaned up ARP, IPv6, and IPX packet counting
        
    * src/preprocessors/Makefile.am:
        add missing header (perf-event.h) to libspp_a_SOURCES

2002-11-05  mfr <roesch@sourcefire.com>
    * src/plugbase.c:
    * src/detection_plugins/sp_byte_jump.c:
    * src/detection_plugins/sp_byte_jump.h:
      Added byte_jump, we can now decode a length from the app layer and jump
      the detect_offset_end (last match pointer) up that number of bytes, 
      great for decoding RPC with Snort rules

2002-11-04  mfr <roesch@sourcefire.com>
    * src/detect.c:
    * src/fpdetect.c:
      fixed case where multiple rules can have partial matches on content and
      fuxor the detect_offset_end calculations (i.e. reset the offset for 
      every OTN in the system)

2002-11-04  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_byte_check.c:
      Make big,little arguments actually interpret the data correctly

2002-11-04  Andrew R. Baker <andrewb@sourcefire.com>

    * src/parser.c:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
    * snort.8:
        remove ghetto message reference option (it has not worked since May)

    * src/output-plugins/spo_alert_fast.c:
    * src/snort.c:
        added "-A cmg" alerting mode

2002-11-02  Chris Green  <cmg@sourcefire.com>

    * HAVE_STRINGS_H all over the place for bzero/Solaris
      first reported by John Whitson

2002-11-1  Daniel Roelker <droelker@sourcefire.com>

    * src/preprocessors/spp_http_decode.c:
        Fixed potential off-by-one bugs.  Also fixed %25xx encoding and
        %uxxxx encoding for ascii characters.  Still much work to be done
        but most of this will be added in the next version.

2002-11-01  mfr <roesch@sourcefire.com>
    * src/detection_plugins/sp_byte_test.c:
        fixed range checks, inclusion of strings.h, byte boundary checks

2002-11-01  mfr <roesch@sourcefire.com>
    * src/detection_plugins/sp_byte_test.c:
        added test rules to the sp_byte_test.c header comment block

2002-11-01  mfr <roesch@sourcefire.com>
    * src/detect.c:
    * src/mstring.c:
    * src/detection_plugins/sp_pattern_match.c:
        fixed various "issues" with the distance/within code, should work 
        much better now
        also removed redundant calls to pattern matcher for rules with multiple
        content checks
        
    * src/plugbase.c:
    * src/plugbase.h:
    * src/plugin_enum.h:
    * src/detection_plguins/sp_byte_test.c:
    * src/detection_plguins/sp_byte_test.h:
        added sp_byte_test, detection plugin that lets us perform discrete
        value checks on numbers that are encoded in packet payloads, either
        in straight binary representation or as strings

2002-11-01  Andrew R. Baker <andrewb@snort.org>
    
    * src/decode.c:
        fix logic for generating decoder alerts
    
    * src/decode.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * doc/README:
        removed broken support for the "-a" (show arp) command line switch

2002-10-31  Andrew R. Baker <andrewb@snort.org>
   
    * src/util.c (GenHomenet & GenObfuscationMask):
        fix invalid reference to optarg
   
    * configure.in:
    * src/snort.h:
    * src/snort.c:
        removed pthread support (still need to remove MAX_INTERFACES cruft)

2002-10-30  Chris Green  <cmg@sourcefire.com>

    * (Repository): removed autogenerated files
   	   use sh autojunk.sh to recreate them if you are using
       CVS to compile

2002-10-30  Andrew R. Baker <andrewb@snort.org>
    
    * src/parser/IpAddrSet.c:
    * src/parser/IpAddrSet.h:
        add API for IpAddrSet data structure

    * removed "extern char *file_name" and "extern int file_line" from 
        scattered places in the source

2002-10-29  Andrew R. Baker <andrewb@snort.org>
    
    * src/detection-plugins/*.c:
        add multiple options checks for plugins

2002-10-23  Chris Green  <cmg@snort.org>

    * src/log.c more output clean ups from James Hoagland

2002-10-22  Chris Green  <cmg@snort.org>

    * strtol fixes ( Dave Ockwell-Jenner )

    * Merged in Glenn's changes for net-snmp port declaration

    * src/parser.c (ParseRuleOptions):
      threshold added back

    * src/preprocessors/spp_portscan2.c (DEFAULT_MAX_SCANNER):
      change defaults back down
    

2002-10-22  Daniel Roelker <droelker@sourcefire.com>

    * src/fpdetect.c:
      Bogus port 0 initialization in fpEvalHeaderTcp/Udp. (Dirk Geschke)

2002-10-18  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_clientserver.c (CheckFromClient):
      hide this under a DEBUG_CS

    * src/preprocessors/spp_stream4.c (AlertFlushStream):
      make AlertFlushStream adjust the base_seq upon a flush point
      (Thanks so much to qru for a reproducible test case... this was
      a PITA)

2002-10-16  Chris Green  <cmg@sourcefire.com>

    * src/util.c (CreatePidFile): 
          use pv.log_dir instead of local variable (Cameron Humpries)
    
    * src/log.c (PrintICMPHeader):
      Removed newline amidst a sea of complaints from James Hoagland & other
      users :)

2002-10-16  Roman Danyliw <roman@danylw.com>
        * src/output-plugin/database.c:
          - escape the signature name before trying to write it to the
            signature.sig_name field (Dirk Geschke)

2002-10-16  Dan Roelker <droelker@sourcefire.com>
    * src/fpdetect.c:
        - Reverted no content rule checks back to the original
          snort behavior.  Reassembled packets are now inspected
          against no content rules.
          (Jens Krabbenhoeft)

    * src/preprocessors/spp_perfmonitor.c:
        - Adjusted newlines for console statistics prettiness.

2002-10-14  Roman Danyliw <roman@danyliw.com>
        * src/output-plugin/database.c:
          - Transaction abstraction functions (Begin/Commit/Rollback)
          - Fixed transaction SQL for MS-SQL
          - Fixed incorrect return value for MS-SQL Insert()
            (Hans Nilsson)

2002-10-13  Chris Green  <cmg@sourcefire.com>

    * src/log.c (PrintXrefs):
      newlines on Xrefs... pointed out by too many people to count :)

    * src/preprocessors/spp_portscan2.c (targetCompareFunc):
      - target compare function incorrect logic
        (pointed out by Pat Gorman)

2002-10-12  Roman Danyliw <roman@danyliw.com>
        * src/output-plugin/database.c:
          - Fixed (PostgreSQL) sensor initialization to the sensor table
            by setting a default last_cid value
          - Fixed schema detection bug on MS-SQL enabled builds

2002-10-09  Chris Green  <cmg@sourcefire.com>

    * changed FatalError/exit codes
    * merged Sourcefire modifications into snort-head
    * kick off of snort-2.0 dev cycle
      win32 probably doesn't work yet. :-)

2002-10-09  Marc Norton    <mnorton@sourcefire.com>
            Daniel Roelker <droelker@sourcefire.com>

    * src/decode.h:
       p->preprocessors for enable/disable status
    
    * src/fpcreate.c, src/fpcreate.h, src/fpdetect.c, src/fpdetect.h:
      Added new detection engine.  fpcreate.* creates the new detection
      engine and initializes the detection engine components.  fpdetect.*
      analyzes packets as they come in and decides what happens to them.
    
    * src/pcrm.c, src/pcrm.h:
      Added new signature detection classification.
    
    * src/mpse.c, src/mpse.h (Norton):
      Added an interface for multi-pattern match routines.

    * src/mwm.c, src/mwm.h (Norton):
      Added modified Wu-Manber style multi-pattern matcher.

    * src/acsmx.c, src/acsmx.h (Norton):
      Added Aho-Corasick state machine, using a deterministic finite
      automata.
    
    * src/bitop.h:
      Added inline functionality for bit operations.  Used in the new
      detection engine.
    
    * src/preprocessors/spp_httpflow.*, src/preprocessors/http-resp.*:
       Added an http protocol flow preprocessor that analyzes client
       and server traffic.  Useful for HTTP performance.

    * src/preprocessors/spp_perfmonitor.*, src/preprocessors/perf*.*:
      Added a performance monitor that keeps stats on snort.  Some of
      those stats are Mbits/sec, Alerts/sec, TCP state information,
      network traffic flows and percentages, etc.
    
    * src/preprocessors/sfprocpidstats.c:
      Added functionality for multiple CPU stats on linux.  For use in
      spp_perfmonitor, etc.
     
    * src/parser.c:
      Added a new config option, 'detection'.  This option allows the
      user to configure certain aspects of the detection engine.
 	
    * src/checksum.h:
      Added new optimized inline checksumming routines.
    
    * src/mstring.c:
      Optimized mSearch and mSearchCI.
    
    	
2002-10-09  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (ParseCmdLine):
       - syslog option on non-win32 does not take the extra argument
         (Andrea Barisani)
    * updated snort.dsp to not require getrusage
    
2002-10-01  Chris Green  <cmg@sourcefire.com>

    * Fixes from Chris Reid

      - varchar sql arguments for mssql
      - usertime -> systemtime misses
      - snort project file updates

2002-09-26  Chris Green  <cmg@sourcefire.com>

    * configure scripts updated to handle net-snmp as well as ucd
      (Glenn Mansfield Keeni and Abe Katsuhisa)

2002-09-25  Chris Green  <cmg@sourcefire.com>
               
    * src/preprocessors/spp_http_decode.c:
           moved setting the uri_count to this preprocessor to handle false
    	   alerts on reassembled packets.


2002-09-17  Roman Danyliw <roman@danyliw.com>
    * src/output-plugin/spo_database.c
         - make sure that a packet payload larger than those supported
           in the SQL INSERT are properly terminated.

2002-09-12  Roman Danyliw <roman@danyliw.com>

    * src/output-plugin/spo_database.c
         - made the updating of the sensor.last_cid more efficient by
           only storing the new cid value at shutdown
         - removed extraneous CR/LF from sensor name

2002-09-05  Chris Green  <cmg@sourcefire.com>

    * src/log.c (PrintICMPHeader): off by one error in printing
          Thanks to Dave Goldsmith

2002-09-05  Roman Danyliw <roman@danyliw.com>

       * src/output-plugin/spo_database.c: (DatabaseInit)
         - added ignore_bpf configuration option (from Michael Boman)

         ignore_bpf - Do we want to create a new sensor definition every time
                the BPF filter is changed? The options are:

                [no|0]: (default) Create a new sensor definition if BPF
                        filter has been modified

                [yes|1]: Ignore the BPF part when looking for the server
                         definition

2002-09-03  Roman Danyliw <roman@danyliw.com>

       * src/output-plugin/spo_database.c

         - DB schema v106
         - Added the sensor.last_cid field to the schema so the
           database can store the last used cid for a given sensor.
           This field will ensure that a cid will never be reused.

           Upgrading from v105 -> v106 is as simple as:

           mysql> ALTER TABLE sensor ADD last_cid INT UNSIGNED NOT NULL;
           mysql> UPDATE schema SET vseq=106;

            psql> ALTER TABLE sensor ADD last_cid INT8;
            psql> UPDATE schema SET vseq=106;
          
         - Improved error messages

2002-09-02  Chris Green  <cmg@sourcefire.com>

    * configure.in:
      - cleaned up win32 source packaging	 

2002-08-27  Andrew R. Baker <andrewb@sourcefire.com>
    * src/preprocessors/spp_asn1.c:
        do not check fragments

2002-08-26  mfr	<roesch@sourcefire.com>
    * src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c
    added thresholds to snort rules language, docs to come

2002-08-26  Andrew R. Baker <andrewb@sourcefire.com>
    * src/util.c:
        fix GenHomenet and GetObsfMask functions

2002-08-19  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_perfmonitor.c (ParsePerfMonitorArgs): typo in fmt string

2002-08-18  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_rpc_decode.c:
      Port changes from Andreas Ostling ( just like all the other ones now )
    * win32/perf stuff from Chris Reid
      Will probably break again later
      the perf stuff is very highly subject to change
    * project fixes from Chris Reid

2002-08-16  Brian Caswell <bmc@snort.org>
        * src/util.c
          - allow daemon mode to dump stats to syslog

2002-08-15  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
    (ParseStream4Args):
     - FatalError on unknown argument
    (ReassembleStream4):
     - Correctly mark sessions as established with
       asynchronous_link enabled	

2002-08-14  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (ParseCmdLine): 
         -R <id>    Include 'id' in snort_intf<id>.pid file name
     (Phil Wood)
    
    * src/snort.c (ProcessPacket):
      reset uri_count (test case pointed out by Dan Roelker/Sourcefire)
           
    * src/preprocessors/spp_http_decode.c:
      uri_count set if not alerting.
      
    

2002-08-13  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_conversation.c:
      new option alert_odd_protocols
      set allowed_ip_protocols to the numbers you like and it will alert on all bad protocols

    * src/detection-plugins/sp_session.c (LogSessionData):
           sp_session.c:221: warning: suggest parentheses around && within ||

    * src/detection-plugins/sp_pattern_match.c (CheckANDPatternMatch):
       bug with multiple decoded alternative contents

2002-08-13  Roman Danyliw <roman@danyliw.com>
        * src/output-plugins/spo_database.c (CheckDBVersion):
          fixed logic to detect the DB schema version correctly when support for
          MS-SQL and another database are present

2002-08-13  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_telnet_negotiation.c:
      - cleaner alt_dsize checks
      - make sure that we don't decode 1 byte
        past the end of the buffer
      -(SetTelnetPorts):
        preprocessor telnet_decode: 21 23 25 119
        (now with port lists!)

    * src/detection-plugins/sp_pattern_match.c (PayloadSearchRawbytes):
      new pattern match option!

      rawbytes -- used to inspect the raw packet data instead of the
      alternatively decoded application packet buffer

    * src/decode.h (DECODE_BLEN): my favorite constant typo.

    * src/preprocessors/spp_stream4.c (Stream4InitReassembler):
      turning off server side reassembly by default ( was what the
      default said it was )

    * src/detection-plugins/sp_tcp_flag_check.c (ParseTCPFlags):
      adding mask bits to the flag checks
          (limitation pointed out by Dirk Mueller)

      example: flags: S,12

      This checks the SYN flag is set regardless of the values of the
      ECN bits.  tcp_flags & (0xFF ^ tcp_mask); for those of you that
      like to think in C

    * src/detection-plugins/sp_pattern_match.c (Check{AND|OR}PatternMatch):
      - normalization of telnet stuff into a separate buffer
        (this means logged packets will now look like they should on the wire)
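
An added example, not Snort's own code, of the masked flag comparison described in the sp_tcp_flag_check.c entry above, applied to the `flags: S,12` rule. Only the expression `tcp_flags & (0xFF ^ tcp_mask)` comes from the changelog; the helper names, the letter-to-bit table (with `1` and `2` taken as the two high bits of the flag byte, which ECN uses) and the sample flag bytes are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Bits of the TCP flags byte. The two high bits are the former
 * "reserved" bits that ECN uses; rule letters '1' and '2' name them
 * (assumed mapping for this example). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PSH  0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_RES2 0x40
#define TH_RES1 0x80

/* Hypothetical helper: map one rule letter to its bit, 0 if unknown. */
static uint8_t flag_bit(char c)
{
    switch (c) {
    case 'F': return TH_FIN;
    case 'S': return TH_SYN;
    case 'R': return TH_RST;
    case 'P': return TH_PSH;
    case 'A': return TH_ACK;
    case 'U': return TH_URG;
    case '2': return TH_RES2;
    case '1': return TH_RES1;
    default:  return 0;
    }
}

/* Hypothetical parser for "<flags>[,<mask>]", e.g. "S,12".
 * Returns 0 on success, -1 on malformed input. */
int parse_flag_spec(const char *spec, uint8_t *flags, uint8_t *mask)
{
    uint8_t *cur = flags;
    int seen_comma = 0;

    *flags = 0;
    *mask = 0;
    if (spec == NULL || *spec == '\0')
        return -1;

    for (const char *p = spec; *p != '\0'; p++) {
        if (*p == ',') {
            if (seen_comma)
                return -1;          /* only one mask section allowed */
            seen_comma = 1;
            cur = mask;
            continue;
        }
        uint8_t bit = flag_bit(*p);
        if (bit == 0)
            return -1;              /* unknown flag letter */
        *cur |= bit;
    }

    /* A bit that is both required and masked out can never match,
     * so this example rejects the rule instead of silently never firing. */
    if (*flags & *mask)
        return -1;
    return 0;
}

/* Exact flag match after clearing the masked ("don't care") bits. */
int flags_match(uint8_t tcp_flags, uint8_t rule_flags, uint8_t tcp_mask)
{
    return (uint8_t)(tcp_flags & (0xFF ^ tcp_mask)) == rule_flags;
}

int main(void)
{
    /* Constructed flag bytes: plain SYN, SYN with both ECN bits, SYN+ACK. */
    const uint8_t samples[] = { 0x02, 0xC2, 0x12 };
    const char *specs[] = { "S", "S,12" };

    for (size_t s = 0; s < 2; s++) {
        uint8_t flags, mask;
        if (parse_flag_spec(specs[s], &flags, &mask) != 0) {
            printf("bad spec: %s\n", specs[s]);
            continue;
        }
        for (size_t i = 0; i < 3; i++)
            printf("flags:%-5s tcp_flags=0x%02X -> %s\n", specs[s],
                   samples[i],
                   flags_match(samples[i], flags, mask) ? "match" : "no match");
    }
    return 0;
}
```

Without the mask, a SYN that carries the ECN bits (0xC2) fails the exact `S` comparison; with `S,12` it matches, while SYN+ACK is rejected in both cases.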

2002-08-12  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_telnet_negotiation.c (SetupTelNeg):
      - only allow this to be called telnet_decode
      - removing redundant function calls

    * src/perf-event.c (ProcessEventStats):
       - set to 0 (djr@sourcefire)
    
2002-08-12  Roman Danyliw <roman@danyliw.com>
        * src/output-plugins/spo_database.c (Database)
          - Fixed length bug in code that generates the SQL INSERT statement 
            into signature table

2002-08-08  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_arpspoof.c (ARPspoofPreprocFunction):
      - include packet w/ alert (Jeff Nathan)

2002-08-07  Chris Green  <cmg@sourcefire.com>

    * preprocessor perfmonitor
       --enable-perfmonitor
      lots of statistics from Dan/Marc/Sourcefire

2002-08-06  Chris Green  <cmg@sourcefire.com>

    * src/checksum.h:
       Integrated fix from Marc Norton/Sourcefire
       occasional endianness bug in checksum routines
       inlined checksum

2002-08-05  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (UpdateState):
       make session initiators more lenient

2002-08-04  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (BuildPacket):
      - Session fix ( a different approach from Andreas Ostling )
    (UpdateState)
    (UpdateStateAsync)
      - Move == TH_ACK checks to nearly the last of the checks and make catch all
        odder flag combinations	    
      - ttl_limit will only alert if the packet ttl is less than 10

    (TcpAction*):
  	  - removed stream_pkt->packet_flag sets new ( makes
        no sense because we overwrite the packet_flags in BuildPacket
        ( pointed out by arron walters -- ended up
          being the source of a few other bugs )


2002-07-30  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (BuildPacket):
     - Mark the session direction establishments correctly
       (thanks to Andreas Ostling for noticing )

2002-07-29  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (ReassembleStream4):
      - make unestablished sessions and established sessions mutually
       exclusive
      - use &
    

2002-07-26  Chris Green  <cmg@sourcefire.com>

    * src/decode.c:
      added decode_alert_flag

      one may disable decoder alerts by using

      config disable_decode_alerts

    * src/preprocessors/spp_portscan2.c (PrunePortscanners):
      Portscan2 fixes from Jed Haile ( thanks :-) )

    * src/decode.c (DecodeICMP):
      8 bytes of extra info in a redirect, not 4
    

2002-07-23  Chris Green  <cmg@sourcefire.com>

    * Phil Wood ASN.1 fix
    * Phil Wood Classification fix
    * Andreas Ostling's BPF comment improvement
    * Just for the record, marty added distance/width as content options
       distance means there must be at least N bytes between 2 matches
       width means that there must be a match within N bytes
    

2002-07-23  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_SnmpTrap.c:
        - fix null pointer dereference for non-IP packets

2002-07-09  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_dsize_check.c (CheckDsizeRange):
       - changed dsize check to always return 0 on fake tcp pkts
         ( mirrors change made on all other functions .. )

2002-07-08  Chris Green  <cmg@sourcefire.com>

    *  Merged in win32 fixes from Chris Reid (thanks again!)

2002-07-05  Andrew R. Baker <andrewb@sourcefire.com>
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_stream4.c:
        - fixed packet_flags problem with rebuilt packets

2002-07-03  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_SnmpTrap.c:
      - lots of *nArgs = 0 instead of NULL
      - added prototype for ipv6_print_hashing

2002-07-02  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (TcpAction):
       - switched to using pseudo random flush points

    * src/preprocessors/spp_portscan2.c (PrunePortscanners):
       - fixed double delete of a tree node

    * compilation fixes from Chris Reid for win32 (Thanks!)

2002-07-01  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_conversation.c
      (ConvCompareFunc):

       	   - fixed session equalness bug ( portscan2
          should actually seem reasonable now )
      (ConvFunc):
       - changed to use conf_flags for session initiation
     
      

2002-06-28  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
    * src/decode.h (PKT_STREAM_INSERT):
      added a packet marker for inserted stream packets

2002-06-27  Chris Green  <cmg@sourcefire.com>

    * src/util.c (FatalError): fflush(*)

    * src/detection-plugins/sp_dsize_check.c:
      dsize checks always will return 0 for
      rebuilt stream packets	  

    (CheckDsizeRange):
      added min<>max range support for dsize option
      Thanks to Andreas Östling

    * src/parser.c (ParseConfig): missing return
       for config daemon
    
       thanks to Bill McCarty <bmccarty@apu.edu>

2002-06-26  Chris Green  <cmg@sourcefire.com>

    *  From Jeff Nathan:
       Moved resp* stuff to the OTN instead of RTN

    *  spp_conversation rewrite
    *  portscan2

    *  SNMP updates from Glenn Mansfield Keeni <glenn@cysols.com>
    
2002-06-24  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_icmp_seq_check.c (ParseIcmpSeq):
       htons(ds_ptr->icmp_seq) from Andreas Ostling

2002-06-20  Andrew R. Baker     <andrewb@sourcefire.com>    
    * src/detect.c:
        fix event reference time for unified output

2002-06-20  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_portscan2.c
      - parsing fixes from Phil Wood
    * src/util.c:
      - FreeToks fixes from Phil Wood

2002-06-16  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
       Andrew Hintz bug reports
    
       (BuildPacket):
       - reinjected packets are now marked as established as well as rebuilt
       (UpdateState):
       - Server initiated: APF -> AF -> A was not
         properly terminating session

2002-06-13  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_log_tcpdump.c (LogTcpdump):
       fixed broken -b -l . mode
          ( assuming iph is set doesn't work )

2002-06-12  Chris Green  <cmg@sourcefire.com>

    * src/util.c (read_infile):
       close fd for -F

2002-06-11  Chris Green  <cmg@sourcefire.com>
    * src/preprocessors/spp_arpspoof.c:
       Fixes from Jeff Nathan

    * src/preprocessors/spp_asn1.c (ASN1Decode):
       ASN1 fix from Chris Reid

2002-06-08  Chris Green  <cmg@sourcefire.com>

    * src/generators.h (FRAG2_TTL_EVASION_STR):
       changed TTL Limit exceeded message to make more clear

2002-06-08  Andrew R. Baker <andrewb@sourcefire.com>

    * src/output-plugins/spo_log_tcpdump.c:
    * src/detect.c:
    * src/decode.h:
        make obfuscation work for all output plugins


2002-06-07  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (ReassembleStream4):
       - accidentally inverted logic for async/normal sessions
       - marking streams as established correctly	

2002-06-05  Chris Green  <cmg@sourcefire.com>

    * src/generators.h (STREAM4_TTL_EVASION_STR):
      changed so that people recognize message as ttl_limit related
      and not message related

2002-06-04  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c:
     - fixed include order ( fixes compile on FreeBSD )

    * src/preprocessors/spp_frag2.c (InsertFrag):
     - allow duplicate first fragment to be disabled

2002-06-03  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_clientserver.c (ParseFlowArgs):
      - added {no_stream,only_stream} keywords to flow:
        used to suppress reassembled streams from being alerted on

    * src/plugbase.h: changed machine/param.h -> sys/param.h

2002-06-03  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/log_tcpdump.c:
        fix obfuscation

2002-06-02  Chris Green  <cmg@sourcefire.com>

    * src/Makefile.am:
      added plug_base.h  ( pointed out by Jeff Nathan )

2002-05-30  mfr <roesch@sourcefire.com>
    * src/log.c
      src/decode.c:
        Fixed non-functional embedded packet decode and printout for ICMP
        UNREACH and REDIRECT packets

2002-05-30  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c (Frag2Init):
      - left frag2 alerts on by default by accident
        (disabled)

2002-05-28  Chris Green  <cmg@sourcefire.com>

    * src/detect.c (CallLogFuncs): 
       moved the traversal of the plugins ahead of the setting the
       packet logged flag since both check ( should both check? )
    
2002-05-28  Andrew R. Baker <andrewb@sourcefire.com>
    * src/log.c:
        fix NULL pointer deref problem printing priority/class info

2002-05-27  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c
      (SetPorts): 
    	- fatal error on invalid port description

    * rules.c
     (VarGet):
      - fatal error if undefined variable is called
     (ExpandVars):
      - don't expand variables inside "'s

2002-05-21  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (StoreStreamPkt):
      - sheltered fast retransmission under evasion_alerts
      - missing returns

2002-05-20  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c:
      - added newer unidecode function from rfp
      - added "internal_alerts" keyword
               
    
2002-05-19  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_log_ascii.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_conversation.h:
    * src/preprocessors/spp_portscan2.c:
    * src/preprocessors/spp_portscan2.h:
        - corrected some global namespace pollution


2002-05-15  mfr <roesch@sourcefire.com>
    * looked over and indented the hell out of spp_conversation and 
      spp_portscan2
    * put a FreeToks() function into util.c to clean up after mSplit()'s
    * other sundry stuff, conversation and portscan2 should be ready for
      testing from what I can see now

2002-05-15  Andrew R. Baker <andrewb@sourcefire.com>

    * src/output-plugins/spo_SnmpTrap.c:
    * src/output-plugins/spo_alert_smb.c:
    * src/detections-plugins/sp_react.c:
        - fixes for new SigInfo system

    * src/output-plugins/spo_idmef.c:
    * src/output-plugins/spo_idmef.h:
    * doc/README.IDMEF:
    * src/plugbase.c:
    * src/plugin_enum.h:
        - remove IDMEF instead of leaving it in a broken state
    
2002-05-14  Chris Green  <cmg@sourcefire.com>

    * src/util.h (GenObfuscationMask):
      make compile on OS X

2002-05-14  Andrew R. Baker <andrewb@sourcefire.com>
    * *.[ch]:
       - proper implementation of priority and reference signature metadata
       - other work surrounding signature metadata

2002-05-14  Chris Green  <cmg@sourcefire.com>

    * templates/sp_template.[ch]:
      - updated template for plugbase and modularity

    * src/preprocessors/spp_stream4.c (CreateNewSession):
       - added SYN_SENT initialization state 

    * src/preprocessors/spp_http_decode.c:
      - fixed includes for WIN32 (Chris Reid)
    
    * src/preprocessors/spp_stream4.c (_Stream4Data):
      - added asynchronous_link
        useful for places that only see one side of a conversation
    
      - (UpdateState):
         mark session as established on asynch links

2002-05-13  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (ProcessPacket): 
         - added min_ttl check in front of Preprocess Check
    * src/snort.h (_progvars):
      - added min_ttl as a snort-wide configuration option
        config min_ttl: 1 to drop all things less than 1
        config min_ttl: 0 to have none (default)

    * src/decode.c
      (DecodeTCP):
       - fixed bug where we didn't just toss invalid packet after
       alerting on it in decoder
      (DecodeEapolKey):
       - removed CallLogPlugins redundant call

    * src/generators.h
       - moved all plugin alert descriptions here

    * src/plugin_enum.h:
       - moved all PLUGIN_ constants to a single header

    * src/detection-plugins/sp_pattern_match.h: 
       - cleaned up commented define 

    * src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
       - commented out spurious debug code
    
    * src/preprocessors/spp_stream4.c  (StoreStreamPkt):
       - disable evasion alerts
       
2002-05-12  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c
         (PreprocUrlDecode):
      - more debug code
      - set p->uri_count 

    * src/parser.c (ParseConfig):
       - cleaned up some NULL dereferences

2002-05-09  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
      - moved SSNFLAG defines to decode.h so that we have access to the
              Session data outside of spp_stream4
          - added SSNFLAG_HTTP_1_1, SSNFLAG_SEEN_PMATCH
      - moved Session,Stream to decode.h
    
       (ReassembleStream4):
         session_flags converted to & check instead of == for establishment

    * src/decode.h
      - added HTTP version constants

2002-05-08  Chris Green  <cmg@sourcefire.com>

    * src/decode.h
    (_Packet):
       - removed URI
       - added uri_count
        (_HttpUri):
       - changed to added parameters
        (_UriParam):
       - added parameter datastructure
        (VTH_VLAN):
       - fixed missing paren

    * src/preprocessors/spp_http_decode.c
    (SetPorts):
          - removing strncasecmp
    (PreprocUrlDecode):
      - moved to using UriBufs

    * src/decode.c:
      Added UriBufs

    * src/decode.h:
      - changed to use TRH and VLAN macros
        bitpacked notation expunging should be done

2002-05-07  Chris Green  <cmg@sourcefire.com>

    * src/decode.h (_TCPHdr):
       - changed to use TCP_OFFSET, TCP_X2 Macros

    * src/parser.c (ParseConfig):
    * src/snort.c (ParseCmdLine):
    
  	-  Fixed notcp,noicmp,noudp,noip to only disable
    - strcasecmp instead of strncasecmp

    * src/preprocessors/spp_http_decode.c:
      integrated spp_http_decode.c from rfp
      new option set:
        * unicode:  decode unicode
        * iis_alt_unicode: %u000 encoding
        * double_encode  : detect IIS decoding
        * abort_invalid_hex: detect only up
                             until the first broken encoding
        * drop_url_parm: don't decode the stuff following ?
        * iis_flip_slash: substitute / for \ ( C:\DOS\RUN )
        * full_whitespace:  treat \r and <tab> as <space>	    

2002-05-06  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
      fixed retransmission checksum alerts to live under evasion

    * src/detection-plugins/sp_pattern_match.h:
       commented out PATTERN_FAST until it works

    * src/generators.h:
       internal alerts from spp_http_decode

2002-05-01  Andrew R. Baker <andrewb@sourcefire.com>
    * src/plugbase.c:
    * src/output-plugins/spo_unified.c:
        cleaned up startup message printing

2002-04-25  Chris Green  <cmg@sourcefire.com>

    * Introduced IP_VER, IP_HLEN, SET_IP_VER, SET_IP_HLEN after
    thinking about tcpdump and what Fyodor had talked to me about
    months ago regarding cross platform compatibility.  No more
    twiddling.

    Plugins that use ip_ver, ip_hlen should be tested.  No more bit
    packed notation allowed in the source tree.

    * src/preprocessors/spp_stream4.c:
       separated evasion alerts from retransmission/state

       evasion alerts default to being on now

       disable with disable_evasion_alerts

2002-04-24  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c (Frag2Init):
      fixed argument parsing

    * src/preprocessors/spp_http_decode.c:
      don't process fragments

    * src/preprocessors/spp_frag2.c
    (InsertFrag):
      make sure that we don't run out of memory if someone sends us the
      same fragment over and over again

      duplicate first frag is a special case

2002-04-23  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c
      (InsertFrag):
    - adding detection of attack where we would start
      reassembling packet fully before the full fragtracker is there

    * src/detect.c (EvalPacket):
      - fixed alert ip rules
         (got clobbered when playing detection engine optimizations )

      - generate proper events when decode errors happen

    * src/plugbase.c (InitPlugIns): SetupFragOffset()

    * src/detection-plugins/sp_ip_fragbits.c:
      - added fragoffset:

        fragoffset: [!<>] <integer>

        defined in fragbits so that I can backport it.

    * src/preprocessors/spp_frag2.c (InsertFrag):
    -  alert on frag2 overlaps

        To do this requires keeping the packets around for a while
        longer to detect all the multiple fragments and overlaps

        Changed the PruneCache to notice when things are completed and
        prune them in addition to just by time. Frag mem faults are
        going to increase because of this but each time one occurs,
        there should be plenty to expire.
    

2002-04-22  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c
      (Frag2Defrag):
        Warn/Discard on fragments with IP Options set.
      (ParseFrag2Args):
        min_ttl
        ttl_limit
        detect_state_problems
        
    * src/debug.h
       DEBUG_FRAG2

    * src/preprocessors/spp_stream4.c
      (TraverseFunc):
        - added next seq check on reassembly
        - added alerts on retransmitted sequences...
                    it's ugly as sin right now
      (_Stream):
        - next_seq added

      (StoreStreamPkt):
        - added check for retransmitting too fast w/ a different data size
        - added tcp checksum retransmission checking
          (how much do I need to worry about
           data with the same checksum and different payloads...
           just throw it away for the moment)
    

2002-04-19  Chris Green  <cmg@sourcefire.com>

    * More win32 Service patches from Chris Reid ( Thanks! )

2002-04-18  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c (Frag2Defrag):
                      added ttl_limit detection

    * src/generators.h (FRAG2_TTL_EVASION): added
    

    * src/preprocessors/spp_stream4.c (StoreStreamPkt):
       -- first cut at TTL evasion detection
          keyword: ttl_limit <count> for TCP Sessions
     

2002-04-16  Andrew R. Baker <andrewb@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_asn1.c:
    * src/log.c:
    * src/detect.c:
        fix broken event reference info for unified output

2002-04-15  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (ParseStream4Args):
      added missing parsing line back in

2002-04-10  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_unified.c:
        fix unified brokenness

2002-04-10  Andrew R. Baker <andrewb@sourcefire.com>
    * src/plugbase.h:
    * src/plugbase.c:
    * src/parser.h:
    * src/parser.c:
        Plugin API cleanup
    
    * src/output-plugins/spo_log_tcpdump.c:
        make log file timestamps work the same as in unified

2002-04-09  Chris Green  <cmg@sourcefire.com>

    *  src/spp_portscan2.c:  new changes from Jed/Jason

2002-04-08  Andrew R. Baker <andrewb@sourcefire.com>
    * add profiling configuration option
    * src/parser.c:
        correct NULL pointer dereference 

2002-04-08  Chris Green  <cmg@sourcefire.com>

    * src/debug.c (GetDebugLevel):
       accidentally returning debuglevel instead of debug_level

    * src/log.c (PrintIPHeader):
       Modified fragment offset calculation (reported by Judy Novak)

2002-04-07  Chris Green  <cmg@sourcefire.com>
    * Fixed --enable-debug
    * src/preprocessors/spp_asn1.c:
       Missing includes

2002-04-06  Chris Green  <cmg@sourcefire.com>
    * src/detect.c (EvalHeader):
       Corrected incorrect ignore with -z est and PKT_REBUILT_STREAM

    * src/detection-plugins/sp_tcp_ack_check.c (ParseTcpAck): 
    * src/detection-plugins/sp_tcp_seq_check.c (ParseTcpSeq):
       Phil Wood's Parsing Change

2002-04-05  Martin Roesch <roesch@sourcefire.com>
    * detection engine now walks RTN and OTN lists iteratively instead of
      recursively, I guess we should kowtow to the x86 crowd...

    * RTNs are now sorted by destination port number allowing for earlier exit
    from the detection engine in the average case and improving performance

    * destination port is now the first thing checked when an RTN is processed
    (for UDP/TCP traffic)

2002-04-05  Chris Green  <cmg@sourcefire.com>

    * Merged in Nick L. Petroni, Jr.'s 802.11b stuff

    * src/detection-plugins/sp_pattern_match.c:
        Integrated Mike Fisk's SetMatch stuff ( large performance
        increase -- thanks for being so patient with me )
    

2002-04-04  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (SnortMain):
        Extra call to initoutput plugins commented out..

    * src/detect.c (CallAlertPlugins):
        DEBUG_WRAPPED Andrew's printfs'

2002-04-03  Chris Green  <cmg@sourcefire.com>

    * src/debug.h:
       DEBUG_WRAP defined
    DEBUG WRAP used everywhere...

    * src/preprocessors/spp_conversation.c:
      ignore rebuilt stream

2002-04-02  Andrew R. Baker <andrewb@sourcefire.com>

    * Modularization cleanup

2002-04-02  Chris Green  <cmg@sourcefire.com>

    * src/debug.c (GetDebugLevel):
      only initialize debug_level once ( now easier to use gdb set command )

    * src/preprocessors/spp_portscan.c:
       No processing on reassembled stream packets
    * lots of compilation fixes
    * started adding spp_conversation

2002-04-01  Andrew R. Baker <andrewb@sourcefire.com>

    * config.h should be included almost everywhere....


2002-03-31  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c (CheckUriPatternMatch):
       Check for URI.uri with a packet flag
    * src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
     - Moved decode ignore check up ( I don't think this is actually
        used anywhere )
     - Moved some functions into CheckHTTPDecode
    * decode.h:
     - Changed URI.uri to u_int_8t[URI_SIZE]
     - URI_SIZE is 512 (should create an alert when that size is exceeded)
     - Added PKT_HTTP_DECODE to show if URI was filled in
    
2002-03-31  Andrew R. Baker <andrewb@sourcefire.com>

    * start work on cleaning up the output API

2002-03-30  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_alert_unixsock.c:
        lots more checking for valid packets on
        things like portscan alerts

2002-03-29  Andrew R. Baker <andrewb@sourcefire.com>

    * src/parser.c :
        Add support for "special" output plugins

    * src/output-plugins/spo_unified.h :
    * src/output-plugins/spo_unified.c :
        Initial work towards a true unified output.

2002-03-29  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (ReassembleStream4):
    * src/snort.h:
    	removed pv.fake_packet check (old stream stuff)

2002-03-27  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c :
    	More debug messages in Stream4 	 

    * doc/PROBLEMS:
           Added file to document bugs that we really can't work
           around easily and aren't necessarily ours.

    * src/parser.c (ParseRuleOptions): filename -> file_name for compilation

2003-03-26  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_unified.c:
        fix file rotation bug in spo_unified
        write IPs in host order like everything else is
    * src/parser.c:
        updates to the rule parser.  now we only complain for unrecognized
            rule options.
        
2002-03-26  Chris Green  <cmg@sourcefire.com>

    * src/detect.c (DumpChain):
    	DebugMessage stuff..

2002-03-25  Chris Green  <cmg@sourcefire.com>

    * stop stream4 from clobbering itself (Pascal Bouchaeine)


2002-03-24  Chris Green  <cmg@sourcefire.com>

    * src/plugbase.c (RegisterPlugin):
    	- allow multiple plugins to start with same prefix

2002-03-23 Brian Caswell <bmc@snort.org>
   * initial add of flow: to signatures

2002-03-21  Chris Green  <cmg@sourcefire.com>

   * Place IP checks after port checks for 1.9
     (based on patch from Christian Mock)
   * Fixed test header checks (greatly responsible for
     slowness on multiple CIDR blocks) (Christian Mock)
    
    
2002-03-19  Chris Green  <cmg@sourcefire.com>

    * Fixed Teardrop detection in frag2 ( Forward bugfix from Marty )
    * Replaced most instances of #ifdef DEBUG\nprintf(...) with
      DebugMessage

2002-03-11 bmc <bmc@snort.org>
    * readded this file :)
    * re-enabled udp portscan detection
    * updated ICMP text printing (few bugs, few new features)
    * updated BUGS for jackasses on Bugtraq
    * fixed a bunch of stream4 stuff 
    * cleaned a ton of signatures (see signature CVS logs for info)
    * number of FAQ updates
    * removed unstable/orphaned/unmaintained/deprecated code as we
      get ready for 2.0
    * massive directory structure reordering
    * frag2 options code cleanup (cmg)
    * fixed pattern match exit conditions (cmg)
    * improved stats calculation (phil wood)
    * tweaked decoder code
    * improved ICMP ASCII output
    * fixed no-packet bug in spo_unified
    * moved alert code in spp_frag2 so packet is logged for teardrop
    * many stream4 fixes
    * added sp_clientserver (to client, to server, from client, from server)
    * cleaned infinite loop in regex
    * fix double PID write (reported by phil wood)
    * updated docs
    * ton of new signatures
    * split rules.c into parser.c|h and detect.c|h
    * smarter pruning for segments that have only partially been streamed
    * ethernet headers are now filled in for rebuilt packets
    * added case for stream segments that hadn't been completely handled in
      previous flush
    * added another interface init call when entering daemon mode for linux
      boxen that lose promisc mode when the process forks
    * strncat in sp_reference
    * opts[1] fix to plugin args passing
    * updated changes to db stuff from Roman
    * removed $default_directory from mysql_directory definition to allow
      --with-mysql to work again and select a non-default installation
    * fixed calloc call for PPPoE debug #ifdef DEBUG
    * Fixed pointer math for Stream4 session
      ( IOU: Phil Wood; 1 Bar tab )
    * Fixed suicidal tree pruning
    * ifdef AF_INET6 for decode.c and removal of spp_asn1.h from plugbase.h
    * cleaned up decode.c indentation, etc
    * added classifications for spp_fnord
    * mods to icmp ASCII log code for more informational printouts
    * added enhanced conf file parsing for frag2 (Chris Green)
    * added pattern match fixes (Chris Green)
    * other stuff that escapes me right now
    * pflog decoder support from Robert Fleck <rfleck@cigital.com> added

    * added enhanced resolution of TCP retransmissions to stream4
    * changed default behavior of frag2 to favor old data over new
    
    * fixed screwed up fragbits printout
    * Fixed pointer arithmetic in calls to PrintNetData (thanks to Andreas 
     Östling bugreports)
    * ntohs(p->iph->ip_len) -- should we have a p->ip_len?
    * don't complain about NULL ptr if p->dsize == 0
    * Still has one nit in that a badly framed packet is counted twice in -v 
      mode2 

2001-11-29 bmc <bmc@snort.org>
    * Fixed crash in frag2 under Linux 
    * Fixed flexresp code, session sniping should work again and be faster 
      to boot 
    * Fixed ICMP decoder and printout routines for new ICMP header data 
      structs in decode.h 
    * Added -B command line switch to translate IP addresses in pcap files 
      from one subnet to another (see the man page). 
    * Added spo_log_null to give users an option to deactivate logging 
      output from the snort.conf file. 

2001-11-02 mfr <roesch@sourcefire.com>
    * fixed UTC timestamps
    * fixed SIGUSR1 handling, should reset properly now after getting a signal
    * fixed PID path generation code, PID files go in the right place now
    * fixed stability problems in stream4
    * fixed stability problems in frag2
    * tweaks to spo_unified for better integration with barnyard
    * added -f switch to turn off fflush() calls in binary logging mode
    * added new config keyword to stream4, "log_flushed_streams", which causes
      all buffered packets in the stream reassembler for that session to be 
      logged in the event of an event on that stream (must be used in 
      conjunction with spo_log_tcpdump)
    * added packet precaching for flexresp TCP packets, responses should be 
      generated more quickly
    * fixed rules parser code for various failure modes
    * several new rules files and a new classification system

2001-08-14 mfr <roesch@sourcefire.com>
    * SNMP alerting support added by Glenn Mansfield Keeni & K. Jayanthi
    * IDMEF output support compiled in by default now
    * regex keyword code repaired, limited wildcard regex now available 
    * new packet counters added to Snort stats output for frags and streams
    * http_decode preprocessor modified to normalize %u encoding
    * new detection modes in frag2, Snort picks up fragmentation 
      attacks (teardrop, etc) much better now
    * repaired frag2 IP defragmenter, now 100% stable and functional
    * tweaks made to stream4 TCP stream reassembler, now 100% stable
    * Win32 code integrated with main Snort source now
    * fix for -r mode crash when no other command line options specified
    * fix for logfile names using ":" under win32
    * tag code repaired
    * spp_arpspoof repaired
    * stream4 alerts are now off by default
    * syslog alerts now support standard GEN:SID:REV data

2001-08-04 fy <fygrave@tigerteam.net>
    * A couple of coredump fixes from Phil Wood
    * Solaris compilation fixes (and other minor tweaks I don't
      remember)
    * Incorporated WIN32 patches (and fixes) from Chris Reid
    * ms-sql support from Chris Reid
    * contrib/create_mssql

2001-07-09 mfr <roesch@sourcefire.com>
    * added new IP defragmenter, spp_frag2
    * added new stateful inspection/tcp stream reassembly plugin, spp_stream4
    * Snort can now statefully detect ECN traffic (less false alarms)
    * stream4 can now keep session statistics in a "session.log" file
    * added new high-speed unified binary output system, spo_unified
    * added new data structs/management for tag code
    * added -k switch to tune checksum verification behavior
    * added -z switch to provide stateful verification of alerts
    * modified behavior of http_decode, now only alerts once per packet
    * added unique Snort ID's to every Snort rule, plus generator, revision
      and event ID info to each alert
    * detection engine only alerts once per packet now, tcp stream code doesn't
      generate another alert packet if a previous one already alerted for that
      stream
    * fixed signal handling on svr4 systems
    * added enhanced cross reference printout to full/fast/syslog alert modes
    * added new high speed checksum verification (on x86) routines
    * added new ARP spoof detection preprocessor from Jeff 
      Nathan <jeff@wwti.com>

2001-04-20 fy <fygrave@tigerteam.net>
    * a couple of fixes in spp_defrag.c
    * spelling fixes in 'classification.config' file

2001-04-19 bmc <bmc@mitre.org>
    * added ability to tag sessions & hosts (By Seconds, Bytes, and Packets) 
    * ip protocol rule support 
    * added 802.1q VLAN support  
    * extensive configuration file config options (you can put your 
      commandline options in snort.conf now)
    * priority & classification plugin by Brian Caswell
    * output plugin support for priority, classification, and refs  
    * rpc_decode plugin (Defeats attacks laid out by Robert Graham's SideStep) 
    * telnet negotiation normalization plugin (Defeats attacks laid out 
      by Robert Graham's SideStep) 
    * BackOrifice plugin (Can bruteforce BO keys.  Defeats attacks laid out 
      by Robert Graham's SideStep) 
    * uricontent keyword pattern match.  (Now you can look at the URL instead 
      of the entire packet) 
    * added -T commandline option  (Does entire setup process, but stops 
      after it's done setting up) great for snort.conf testing!! 
    * added -L commandline option.  Specify filename of the binary output 
      log when combined with "-b"
    * added -G commandline option.  Turn on "ghetto" backwards 
      compatibility for people that need
      references in the MSG field
    * added -I commandline option.  Prints the interface that the 
      alert was received on
    * added -y commandline option.  Adds YEAR to the timestamps
    * Fixed timestamp output problem on some ARCHs
    * ability for non-root users to sniff.  (If the user can usually 
      sniff from pcap) By Brian Caswell
    * Improved UNICODE detection by Koji Shikata
    * added sp_tcp_win_check.  TCP Window Size can be looked at now 
    * added CSV output (see README.csv for more information) By Brian Caswell
    * added sp_same_ip_check.  Checks for the same SRC & DST (Usually sign 
      of a DOS attack) by Phil Wood
    * added variable lookups for include directives (eg 'include 
      $RULESPATH/myrules.rules')
    * linux_sll (interface 'any') support fixed (According to the new 
      libpcap spec) By Fyodor
    * new debugging code.  No more #ifdef DEBUG.  (see debug.c for more 
      info) Idea from Eugene Tsyrklevich
    * strl* family functions (mostly for future developers, we'd encourage 
      these to be used) (original code also supplied by Eugene)
    * new tcp stream reassembly module by Chris Cramer
    * include directives now are relative to snort.conf file location 
      (unless full path in a config file is given) 
    * snort will look for /etc/snort.conf and ./snort.conf if no config 
      is given on the commandline 
    * minor null ptr fixes and patches there and here (thanks to all of 
      you guys who helped tracking them down, really :-) - Fyodor)
    * optimized database schema (Support for references, added 
      signature normalization, ....)
    * UTC cleanup by Andrew Baker
    * http_ignorehosts added from Matt Wachinski

2001-03-14 fy <fygrave@tigerteam.net>
    * tcp stream reassembly updates by Chris Cramer
    * path fixes for include <file> (now relative paths will be substituted 
      by path of the main file)
    * DLT_LINUX_SLL support fixes
    * strlcat/strlcpy functions are being incorporated
    * Attempt to support MacOS platform. 
    * A bunch of fixes for MTU discovery routine
    * New debugging routines. (see BUGS file for more info). 

2001-01-02  mfr <roesch@md.prestige.net> fy <fygrave@tigerteam.net>
    * tcp stream reassembly preprocessor (beta) by Chris Cramer
    * Defragmentation plugin is now fully functional on all architectures
    * SPADE (Statistical anomaly detection) preprocessor has been added by
      James Hoagland
    * Added IIS/UNICODE attack detection to HTTP decoder
    * Reference plugin has been added by Joe McAlerney
    * New active response module: sp_react
    * Added "any" keyword to IP options (ipopts) plugin
    * IP fragmentation bits detection plugin added
    * Added TOS detection plugin from Erich Meier 
      <Erich.Meier@informatik.uni-erlangen.de> 
    * Database output plugin improved in many ways by Jed Pickel
    * Oracle support added to database output plugin
    * XML output plugin by Jed Pickel/Roman Danyliw/CERT
    * IP address list support added with lots of help from Phil Wood
    * <interface>_ADDRESS variable implementation, specifying an interface name
      in the rules file as part of this variable automatically sets the IP/mask
      as the IP address/netmask of the specified interface
    * Rule parser is more anal about rule verification now, doesn't crash as 
      readily
    * Arbitrary output types support added by Andrew Baker
    * Activate/dynamic rules allow rules to turn on/off other rules!
    * ICMP unreach. printout dumps encapsulated headers now
    * Improved TCP/IP options printout code, doesn't flood on 0 length options
    * Packet checksumming implemented for all supported protocols by Chris 
      Cramer
    * TCP flags now print out in proper (bitwise) order
    * Added new fields to the packet header dumps including IP header length,
      TCP/UDP header length, Urgent pointer printout, IP Reserved bit printout,
      ICMP Type/Code explicit value printout
    * -X switch dumps packet byte data for data link through application layer
    * -L switch to provide a filename for binary log files specified with the -b
      switch
    * Added -I switch to print interface name in Snort alerts (first i/f only)
    * Fixed -S command line switch so it isn't overridden by variables in the
      rules file
    * Corrected PID file misadventures
    * Added a bunch of new statistics to the packet stats printout
    * Added SIGUSR1 handler, Snort will dump packet stats to console/syslog 
      when it receives a SIGUSR1
    * Memory management cleaned up/lots more free()'s to match up with 
      malloc()'s
    * Added snprintf code to the distro for safety
    * UID = 0 code added for sniffer mode
    * fixed default alert filename for daemon mode
    * Updated USAGE file to resemble Snort's current reality
    * Changed snort-lib to snort.conf, Jed Pickel added lots of documentation
      to the file as well (thanks Jed!)
    * Pid file will not be created if -D switch is not used.
    * chroot behaviour has been changed, now, if chroot is used, you have
      to have snort.conf file within chroot directory (and all the other
      relevant files as well). The only file which will be placed outside
      chroot directory is snort pid file.

2000-07-22  mfr <roesch@md.prestige.net>
    * Fixed compilation problems on all non-BSD operating systems
    * Added better configuration support for locating libpcap
    * Fixed ICMP ping packet id/sequence printouts
    * Made allowances for 64-bit machines in the decoders
    * Updated the portscan detector to the latest version
    * Disabled the defragmenter by default (in the rules file)
    * Added a patch from Dave Dittrich to make daemon mode alerts 
      filenames conform to the data in the documentation
    * Revamped the ICMP data structures to mimic those found in *BSD
      and provide for higher fidelity decoding/printout in the future
    * Repaired the output plugins so that they operate properly now
    * For the record, the payload dump conforms to the length of the 
      IP datagram now and does not show pad bytes added by the minimum
      Ethernet frame size

2000-07-08  mfr <roesch@md.prestige.net>
    * Fixed Tru64 u_int* type declarations
    * Added check for pcap.h into configuration script
    * Fixed timeval problems on Linux boxen

2000-07-06  mfr <roesch@md.prestige.net>
    * New preprocessor plugin: IP defragmentation!!
    * New output plugins cover all old logging and alerting options
    * New output plugin now logs to MySQL, PostgreSQL, unixODBC databases
    * Updated portscan detection functionality
    * Added quote removal for most plugin parsers
    * -C crash bug fixed
    * PID/PATH_VARRUN file fixes
    * Converted many putc(3) calls to fputc(3) for portability
    * Transport layer decoders use ip_len field for length metric now
    * String tokenizer code modified for more reliable operation
    * Fixed flexible response code sequence prediction
    * Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all
      platforms
    * Set automake options so that people don't need gmake anymore to build
      Snort on BSD systems
    * Fixed SMB alert code large tmp file hole
    * Added sigsetmask code to fix SIGHUP weirdness
    * Added execvp option for SIGHUP restart code
    * Added ARP header printout validation
    * Added Session logging file integrity checking
    * Added -u/-g setuid/gid capability switches
    * Added -O IP address obfuscation switch
    * Added -t chroot switch
    * Fixed non-TCP/UDP/ICMP transport layer decoding & logging
    * Fixes and additions to the portscan preprocessor
    * Database logging plugin has been modified extensively, see the
      www.incident.org website for more information
    * Switched TCP flags printout routine to ensure proper RFP output
      scan output. ;)
    * Fixed default log/alert function code so that these functions are
      never NULL

2000-03-20  mfr <roesch@md.prestige.net>
    * Version 1.6 released!

2000-03-18  mfr <roesch@md.prestige.net>
    * Modified the PID write out code to work in all run modes, and made
      the system detect/verify the _PATH_VARRUN variable and define it
      if necessary.
    * Integrated a HUP patch from J Cheeseman to prevent the command line
      parser from screwing up the command line at HUP time.
    * Added a little tweak from Fyodor for Makefile.in
    * Made exit code delete the PID file in all run modes.

2000-03-16  mfr <roesch@md.prestige.net>
    * Activated the BPF compiler optimization switch in snort.c
    * Added support for unconfigured/stealthed network interfaces
    * CP added a default definition for _PATH_VARRUN
    * CP added checks for paths.h existence
     
2000-03-15  mfr <roesch@md.prestige.net>
    * Moved the "session" keyword code to a plugin
    * Added Postgres database logging module from Jed Pickel
    * Added Token Ring layer 2 printout routine
    * Added "-q" support to the output plugin modules
    * Revamped the output plugin subsystem so that it conforms to the
      API standards laid out in the rest of Snort
    * CP set defaults for the alerting and logging facilities
    * Added Tru64/Alpha support

2000-02-26  mfr <roesch@md.prestige.net>
    * modified minfrag preprocessor to only catch tiny frags on the home 
      net ("home" keyword) or any traffic ("any" keyword)
    * implemented command line override of output plugins, alert and log
      switches on the command line will disable output plugins in favor of
      their configured activity
    * added -C command line switch to print packet payloads as ASCII only,
      with no hexdump
    * fixed a stupid crash bug on the "logto" keyword parser
    * put in a couple of command line switch validators to catch potential
      invalid arguments
    * fixed a potential crash bug in the ClearDumpBuf() function

2000-02-07  mfr <roesch@md.prestige.net>
    * Added INADDR_BROADCAST patch from Steve Beaty <beaty@emess.mscd.edu>
    * Added syslog PID patch from Ralf Hildebrant
    * Added IPv6 counter from Erich Meier 
      <Erich.Meier@informatik.uni-erlangen.de>
    * Added SunOS patch from Denis Ducamp <Denis.Ducamp@hsc.fr>
    * Added content-list rules from 

2000-01-17 cp <fygrave@tigerteam.net>
    * Update of Patrick's portscan preprocessor. (and appropriate fixes)
    * Minor fix to configure.in from Herb Commodore.

2000-01-12 cp <fygrave@tigerteam.net>
    * John Wilson's update to insensitive pattern match code added.
    * Patrick Mullen's patch to log.c applied.
    * Patrick Mullen's changes to rules.c added.
    * Source Port traffic rules adjusted not to pull alerts on 53<-->53 UDP 
      traffic.
    * Changed name ParseFlags to --> ParseTCPFlags in sp_tcp_flag_check.*
      since that's what it really is.
    * Added RCS Id tags to all the files and libs. Once they are committed
      at md.prestige.net, they should take proper values. :)

2000-01-08 cp <fygrave@tigerteam.net>
    * Patch from Herb Commodore <herb@nc.rr.com> to configure applied
    * Improvements to content-matching code and implementation of
      case-insensitive matching from John Wilson <tug@wilson.co.uk>
      are added.
    * "zero netmask" problem fixed.
    * Patrick Mullen's portscan preprocessor is added. log.c routines
      have been fixed to handle NULL pointers.
    * binary logging routines have been changed to use libpcap procedures
      which should fix certain problems with binary logging.
    * Fix in rules.c to complain about bogus preprocessor names.

2000-01-03  mfr  <roesch@clark.net>
    * fixed a problem with pass rules not being applied properly
    * fixed a #include ordering statement for Slackware 4.0 installs
    * fixed banner output for the -V option
    * Token Ring decoding is now fully functional
    * Added packet buffer cleanup code to all protocol decoders
    * fixed a problem with improper TCP option output
    * Added a Snort man page
    
1999-12-08  mfr  <roesch@clark.net>
    * preprocessor plugins (major new functionality!)
    * detection plugins (major new functionality!)
    * variables can now be specified in the rules file
    * include files can now be specified in the rules file
    * Session recording capability
    * Rules may now contain multiple "content" match keywords
    * New IP options detection module, allows IP option inspection
    * New HTTP decoder preprocessor defeats evasive web scans (whisker.pl)
    * detection engine has been heavily modified to implement the new 
      "linked-list-of-function-pointers" concept, which makes the detection
      engine more efficient, more flexible, and faster!
    * TCP options decoder split into decode/log modules and recoded 
    * IP options decoder split into decode/log modules and recoded 
    * Token Ring layer 2 decoder (still in development)
    * ISDN-Raw layer 2 decoder (I4L)
    * ISDN-IP layer 2 decode (I4L)
    * ISDN-Cisco layer 2 decode (I4L)
    * Fixed PPP layer 2 decoder
    * NULL/Loopback layer 2 decoder
    * daemon mode code cleanup
    * tcpdump readback mode code cleanup
    * experimental support for UNIX socket alerting
    * fixed C++ comments in snort.c
    * binary log files now update properly (fflush added)
    * internal rules list integrity testing
    * IP fragments are no longer sent to the detection engine, just
      the preprocessor's.  This is incentive for me (or someone) to write
      an IP defragmentation preprocessor!
    * post-decode call function call sequence has been modified to go into 
      the preprocessor system instead of the detection engine

1999-10-18  mfr  <roesch@clark.net>
    * snort.c: * added session dump command line switch

    * log.c: * added session data logging functions: OpenSessionFile(),
           DumpSessionData().
    
    * decode.c: * fixes snaplen issues with reading back tcpdump files.


1999-10-13  mfr  <roesch@clark.net>
    * snort.c: * threw out tcpdump file readback code and implemented
             open_pcap_offline solution.  Has added benefit of 
             allowing BPF filters to be used to modify file readback
             streams.  
           * Fixed MTU snafu.

    * decode.c: * Rewrote ARP decoder.  The decoder is much simpler (but 
              the log routines are far more complex)
            * Horsed around with the TCP and IP option decoders.  I 
              think they work better now...

    * log.c: * Added ARP printout and logging routines.  ARP is now 
           handled in a much more consistent and correct manner.
         * Fixed stupid crash bug in LogPkt()

    * rules.c: * Added in greater-than and less-than modifiers for dsize
             option keyword.  You now have another (cheap!) way to look
             for buffer overflows

           * Removed range checking for the ICMP icode and itype
             option keywords so that DoS attacks and covert activity 
             could be more easily filtered/monitored

1999-09-26  mfr  <roesch@clark.net>
    * snort.c: * new command line options -A, -F, -N, -p, -b
           * logging and alerting functions are now selected and 
             assigned to function pointers for faster/more efficient
             logging
           * got rid of -f command line option (superseded by -b)
           * put in new cleanup code for readback mode
           * ripped read_infile from tcpdump to read BPF filter files
    
    * decode.c: * code cleanup in support of new functionality

    * rules.c: * added support for the exception operator to work for ports
           * fixed stupid pointer initialization bug in 
             ProcessHeadNode() file, fixed crashes on non-PC arch.
           * new option keywords: dsize, offset, depth
           * cleaned up crappy logic around the logging functions with
             nice clean function pointers (aaaahhhh....)
           * added bidirectional rules functionality (now Snort goes
             both ways....)

    * log.c: * broke out alerting function into separate subfunctions
         * ditto logging functions
         * fixed string termination code in the SMB alerter so that it
           can now alert to more than one box at a time
         * cleaned up syslog messages
         * finally fixed the SMB "alert once" problem (kudos to Gandalf
           Schaufelberger for that one)

1999-08-06  mfr  <roesch@clark.net>
    * log.c: * added code to AlertMsg to make sure that there was in fact
           an alert message to print out

    * libraries: * fixed the backdoor and scan libraries so they should 
               false alarm less often

1999-08-05  mfr  <roesch@clark.net>
    * snort.c: * activated CyberPsychotic's daemon mode code (use the 
             -D switch for daemon mode)
           * default logging directory changed from "." to
             /var/log/snort
           * sanity checks performed on the default log dir now

    * decode.c: * changed the truncated Ethernet header notification to
              only go off in verbose mode
            * removed cruft

    * rules.c: * Added Ron Snyder's "address negation" patch.  Rules may
             now contain "!" on the IP addresses to indicate anything
             BUT the given address

    * log.c: * added support for the new default logging directory

    * configure.in: * fixed some more sparc configuration problems

    * other: * CyberPsychotic sent a new ftp buffer overflow rule in

1999-08-04  mfr  <roesch@clark.net>
    * snort.c: * fixed some DEBUG statements
           * enabled the daemon mode code (this is still 
             experimental)
    * decode.c: * fixed various and sundry DEBUG code
            * fixed the TCP option decoder so it wouldn't overflow
              its printout buffer and cleaned up the temp buffer
    * rules.c: * fixed some DEBUG code
           
    * log.c: * fixed a buffer copy problem with the daemon mode alert
           logging 
         * fixed the SMB alerting code and the standard log output 
           when in SMB alerting mode
         * cleaned up some of the fragment logging code
         * fixed the logto rules option coding to work properly
    * configure.in: * fixed a whole bunch of little problems that are
              screwing up big endian/non-PC machines.  This
              version should work and compile much more cleanly
              on all architectures!

    * other: fixed a bad rule in the RULES.SAMPLE file and another bad
         one in the misc-lib file

1999-08-01  mfr  <roesch@clark.net>
    * rules.c: Wrote brand new detection engine.  The new engine uses
               a 2-dimensional linked list with recursive node walking.
               Rules are grouped by address/port commonality and then
               option chains are linked to common head blocks.  This
               reduces the number of tests required to find a specific
               test to perform, and reduces the total number of tests
               performed on a given packet in all cases by 200-500%
               over version 1.1.

    * decode.c: Rewrote the packet decode engine.  The new engine 
            performs far fewer copies and tries to set pointers
            to defer expensive function calls as late as possible.
            The PrintIP and Net data structures have been eliminated
            so that there is no global data required to perform tests
            or log a given packet.  This will make any future multi-
            threading efforts much easier. 

    * log.c: * Much of the logging system was rewritten to take advantage 
               of the new detection and decoding engines.
        
         * Made the SMB alerting a configure-time option.  If you 
           want to use the SMB alerting feature, you need to specify
           a "--enable-smbalerts" when you run configure.  This is a 
           safety measure, read the INSTALL file for the reasons why!

    * snort.c: Fixed a bug in the netmask generation code that wouldn't
           allow certain CIDR blocks to be represented.  Thanks to 
           Nick Rogness <nick@trinux.rapidnet.com> for the heads
           up on this one!

1999-06-21  mfr  <roesch@clark.net>
    
    * snort.c: * Added new command line switches: -f, -M, -r.  
               -f: Record fragmented packets in tcpdump format
               -M: Send alerts via WinPopup messages (requires Samba)
               -r: Read and process files generated by tcpdump 

           * Fixed startup dumpout code to not drop people if they just
             want to log all packets to the system

           * Added static netmask generation, this rids Snort of the
             need to link to libm, which makes it more Trinux friendly.

    * rules.c: * Added new rule option types:
              logto: log packets matching this rule to the specified
                     log file
              minfrag: set the minimum size of fragmented packets, which
                       allows alerts to be generated for traffic coming
                       from things like nmap or fragrouter
              tcp flags: Added the ability to include the reserved bits
                         of the tcp flags into the rules set.  These
                         flags are specified with a "1" and "2".
                         Inclusion of these flags allows Queso
                         fingerprinting attempts to be detected.
              id: The IP ID field may be specified.  This is nice for
                  picking up handcrafted packets with recognizable ID
                  fields, like 31337 or other "elite" numbers.
              ack: The TCP ack field.  Using this, nmap tcp "pings" may
                   be detected.
              seq: The TCP sequence number.  This is provided for
                   completeness (I figured since I was putting in the
                   ack field, I may as well include the sequence as
                   well)
           * Rewrote the content parser.  It now accepts "\" as a 
             literal character, so things like "\|" or "\~" will work
             properly.

           * fixed the parenthesis finder for the options code

           * adjusted the acceptable character range in the rule
             parsers

    * log.c: * fragment logging more descriptive and correct

         * fixed IP header logging for ICMP and fragmented packets

         * improved "bad packet" printing/logging

         * fixed IP option output code

         * IP packet ID field now displayed

    * decode.c: * fixed IP fragment decoders and logic streams.

            * fragments are now fed thru the rules set (sorta)

1999-05-17  mfr  <roesch@clark.net>

    * snort.c: Added "-x" command line switch to explicitly activate IPX
           packet notification so people in mixed protocol environments
           can maintain sanity.  Also added in the new packet counter to
           generate statistics on exit of the number/percentage of 
           each type of packet that Snort sees.

    * decode.h: Removed the references to u_int16_t and u_int32_t and 
            replaced them with u_short and u_long.  The u_int*_t 
            variables caused portability headaches.  Also added in the 
            new patch from Chris S. for the WORDS_MUSTALIGN definition
            for S/Linux version.

    * log.h: Fixed the LOG_AUTH/LOG_AUTHPRIV problem that Solaris users 
         were having.

    * decode.c: Added the new packet statistics counters throughout the 
            code.  Cleaned up the IPX code a bit.  

    * rules.c: Cleaned up the isspace(3) (et al) calls.

    * etc: Made lots of tweaks to the autoconf stuff to get the S/Linux
           and HP-UX versions to compile cleanly out of the box.

1999-04-28  mfr  <roesch@clark.net>

    * rules.c: Added the code to change the order the rules are applied in.

    * snort.c: Added two new command line switches: "-o" and "-s".

    * decode.c: Added in new layer 2 decoding for SLIP and RAW packet 
                types.

    * log.c: Added code to send alert notification to syslog.

1999-04-17  mfr  <roesch@clark.net>

    * rules.c: Rewrote the rules option parser.  It's now a much more
                   consistent interface for both reading rules into the program
                   and writing them as a user.  Added in new rule types to 
                   alert on TTL values, and ICMP types/codes.

    * log.c: Most of the logging code has been dramatically rewritten as 
                 well, and it now works much better. 

    * mstring.c: Added the notion of a meta character to mSplit() so that
                     it was possible to not split on every single occurrence of
                     a character in a string.

    * decode.c: Smoothed out all the logging system calls to work nicely
                    with the new log code.

1999-04-08  mfr  <roesch@clark.net>

    * rules.c: Moved AlertPkt() and LogPkt() to log.c

    * log.c: Totally revamped the logging code to be more logical and 
                 have less duplication in the code.  There are now separate
                 logging functions for each of the layers of the packet.  
                 PrintIPPkt() has been totally rewritten, PrintFragHeader has
                 been eliminated, and two functions have been moved over from
                 rules.c and completely rewritten as well.

    * decode.c: Reworked the routines which called the logging functions.

1999-04-06  mfr  <roesch@clark.net>

    * decode.c: added code to display/log the Fragment ID field of the IP
                    header.  Got a nice patch from Sebastian to add in TOS 
                    decoding as well.  Added ethernet header logging and 
                    display code.

    * mstring.c: fixed the match() routine.  It had a tendency to miss some
                     things some of the time.  (oops!)  Content based matching
                     should work all the time now.

    * log.c: added code to display some of the new stuff that's decoded.

    * snort.c: add a new command line switch: "-e".  This will display the 
                   ethernet header data in both the log files and on the screen.

1999-03-24  mfr  <roesch@clark.net>
        
        * decode.c: fixed the damned TCP and IP options decoders.  These things
                    were a friggin pain in the ass to program up properly.
                    Recoding them stopped the huge loop that they had a bad
                    tendency to get stuck in, thereby making the rest of the
                    program nigh infinitely more useful for just about any
                    friggin problem under the friggin sun.  Frig it.

    * log.c: Stopped the insanity of unnecessary carriage returns in the log
                 files and on screen printouts.  Another PITA.

        * rules.c: Fixed output formatting yet again.


1999-03-21  mfr  <roesch@clark.net>

    * snort.c: fixed a bug in the timestamp code so the month prints out
                   right

    * decode.c: added code to detect and decode IP and TCP Options.  Also
                 added code to print packet fragments with truncated headers
                 into a PACKET_FRAG file which gets dumped in the default log
                 directory.

    * log.c: added code and data structures to print out IP and TCP Options
                 plus I fixed the f'd up fragment print out logic.  Changed
                 OpenLogFile() to include a mode argument for packet fragment
                 print out.

    * rules.c: rewired the entire rules test routine and added some long
                   needed goto's into the program.  I feel manly now.  Also
                   added a new rule field: TCP flags.  This allows us to 
                   alert/log/pass on tcp flags.  Also added in port range 
                   functionality, you can now specify a range of ports, or 
                   greater than/less than a specified port.
 

1999-03-08  mfr  <roesch@clark.net>

    * snort.c: Ripped off the timestamp printout routines from tcpdump
           and stuffed them into snort.c, yum yum.  This gives us
           millisecond timestamping on the packets for those of you
           interested in such things.


1999-03-06  mfr  <roesch@clark.net>

    * mstring.c: mContainsSubstring has been replaced.  mContainsSubstring 
             is a brute force pattern matcher, and is therefore very
             slow and not too efficient.  The new routine, match(), 
             implements a Boyer-Moore string search algorithm and is 
             much faster in the general case and much more tolerant of
             "poor" pattern selection.

    * log.c: PrintNetData has been completely rewritten.  It should now be
                 much faster and only needs to generate the print out buffer
                 once per packet.  This routine was a major source of slow 
                 down/dropped packets before.  You still shouldn't use verbose 
                 mode with the "-d" command line switch if you're using Snort 
                 as an IDS, because it's still slow enough to drop some large
                 packets.  Packet print out has changed as well, with the 
                 different packet layers separated onto their own lines
                 (well, mostly).  Fragmented packets are now recorded in a 
                 "FRAG" file.

    * decode.c: Snort now detects fragmented packets, plus the DF and MF 
                    bits, and decodes the fragment offset.  
     
    * snort.c: Now displays packet collected/dropped statistics when 
                   shutting down.


1999-02-18  mfr  <roesch@clark.net>

    * snort.c: Code cleanup and some error checking was added.  The system
           now accepts the interface name you give it at the command
           line.  Fixed a problem with underallocating the interface
           name buffer for names specified on the command line.  
           Surprisingly, this only came to light when tested on the
           Sparc architecture.

    * log.c: ICMP logging now includes the ICMP code description in the 
         filename.  This makes it easier to see what you're interested
         in without having to go digging into the log files.

    * decode.c: Made the ICMP types and codes a little more compatible with
            being used as a filename.


1999-01-28  mfr  <roesch@clark.net>

        * rules.c: Rules sorting is now implemented.  There are actually three
                   separate lists (Pass, Log, Alert) now, with the rules being
                   placed on to the lists in the order they're read from the
                   rules file.  The rule execution order was changed, now
                   Alert rules are applied first, then Pass Rules, then Log
                   rules.  Content based rules are available now, the actual
                   application layer data can be searched, both binary and 
                   text, for a specific pattern to activate a rule on.

        * decode.c: Minor changes to reflect the new rules structure.


1999-01-19  mfr  <roesch@clark.net>

        * snort.c: Modularized the code, big time!  New source modules are log,
                   rules, decode, and mstring.  Dumped SetFlow() for now.

        * rules.c: Rules based packet logging now enabled!

        * log.c: Now keeps track of TCP/UDP conversations better!

        * decode.c: Enhanced decoding of packets, including ICMP ECHO seq and
                    id!
 

1999-01-08  mfr  <roesch@clark.net>

        * snort.c: Made a fix to SetFlow() so that it wouldn't dump the
                   program if it got traffic from 0.0.0.0 or 255.255.255.255.

        * snort.h: Removed the "#define VERSION" since it's handled in config.h.

        * README: Proper README file included with this distro


1998-12-21  mfr  <roesch@clark.net>
    * snort.c: Made this file, figured out autoconf