
📄 news

📁 Intrusion detection system: an example of use with MySQL on Linux
08-14-01    I was planning on getting this release out sooner than this (since
            it's largely a bugfix release) but my wife and I went and had a
            baby 2 weeks ago, which affected the schedule a little. ;) Anyway,
            barring any major problems the Snort 1.x code will now be going
            into maintenance mode as we begin development on 2.0.

            This version adds the following:

            * SNMP alerts
            * IDMEF XML output (the Silicon Defense plugin is integrated into
              the main codebase now)
            * Limited regex support in the rules language
            * New packet counters for stream4 and frag2
            * New normalization mode for http_decode

            And a slew of bug fixes.  We should get to work on 2.0 shortly, so
            hopefully the next release of this NEWS file will be talking about
            that!  (knock on wood...)

07-09-01    Well, this one was a long time coming, but I think it was worth the
            wait.  Snort can now perform stateful inspection, has improved
            defragmentation capabilities, uses less memory, leaks less of the
            memory that it does use, is faster, and has a bunch of other good
            stuff.  Truly, this is probably the ultimate development of the
            1.X series of Snort.  After this version we will begin development
            on Snort 2.0, which will have a great many new features, be faster
            and more flexible, and generally be about the finest network
            intrusion detection system that an open source community can build.

            See the Changelog (read all the way back to January of this year)
            for changes and additions, there are far too many to list here.
            Some of the highlights include

            * stateful inspection
            * new tcp stream reassembly code
            * new ip defragmenter
            * new protocol available for the rules language: ip
            * more extensive printouts of cross reference and info in alerts
            * new normalizer preprocessors for telnet, rpc
            * 2 new output plugins (unified, csv)
            * 5 new preprocessors (stream4, frag2, bo, telnet_decode,
              rpc_decode)
            * 10 new rule options
            * unique rule IDs
            * A whole slew of command line options (7 at last count)
            * Mega bug-fixes from 1.7

            Snort can now leap tall buildings in a single bound.

            The future holds 2.0, which will revisit most of the code in Snort.
            It probably won't be released for another 6 months or so, but for
            the time being I'm happy with what we've produced here and I think
            most people will be happy with it too.

            Please read the USAGE, FAQ, README, man page and any other docs you
            can before asking your questions, there's a good chance that the
            answer you're looking for is in there.

            Commercial plug: If you decide that you need or want to take your
            Snort installation to the next level, Sourcefire Inc.
            (http://www.sourcefire.com) is now producing commercial network
            intrusion detection appliances based on Snort with data analysis,
            management, and rules GUIs built-in.  See the web site for more
            information, if you want to have a commercially supported,
            professional Snort deployment, Sourcefire is the company to call.

01-02-01    Welcome to version 1.7.
            This version features clean compiles on the following
            architectures and platforms:

            * Linux 2.0.X, Linux 2.1.X, Linux 2.2.X (i386)
            * FreeBSD 3.x, 4.x (i386)
            * SunOS/gcc 5.5, 5.5.1, 5.6, 5.7, 5.8 (sparc)
            * OpenBSD 2.7, 2.8
            * Tru64/gcc
            * HPUX 11.0/gcc

            Other platforms/architectures should be supported as well, we just
            don't have them available for testing at the moment.

            There are a ton of bug fixes and new features in this version, have
            a look at the ChangeLog to see many of them.  I think that this
            will be the last full point release of the 1.X codebase, we're
            starting design work on the 2.0 series and I hope that we'll be
            putting it out there in the not too distant future (less than six
            months!).

            It's been a long road to 1.7, the amount of code in the program
            compared to the initial release over two years ago is incredible.
            We're just getting rolling though, and 2.0 is going to bring a
            great number of changes including more plugin interfaces (packet
            acquisition and decode), faster/cleaner code (I hope ;) and a
            better design for performing more types of analysis.

            Big changes in this version: snort-lib renamed to snort.conf, IP
            defragmentation plugin now 100% on all architectures, tcp stream
            reassembly, statistical anomaly detection, three new command line
            switches (-L,-I,-X), IP address lists, a cool "automatic variable"
            in the rules file that automatically picks up the IP address and
            netmask of a named interface, more packet header printouts,
            detection plugins for TOS and the IP fragment bits, as well as a
            plugin that allows reference data to be attached to rules and a
            completely rewritten active response module, etc.
            I hope everyone likes this release, we've put a ton of work into it
            to make sure that it's functional and stable while still being
            easy to use for everyone.

07-22-00    Welcome to version 1.6.3.  This version features clean compiles
            on all architectures and OS's that I have access to, some
            elusive bug fixes in the decoders, a little bit better
            packet printing, full-time ARP packet decoding (instead of only
            when the -a option is spec'd), and an upgraded portscan
            detector.  The moral of the story with the 1.6.1->1.6.2.2
            release cycle was "don't release when you're working on the
            road".  This will be the last version release until the
            Hiverworld IDS ships as I need to dedicate myself fully to
            that cause.  Please watch http://www.snort.org for information
            on the availability for an upgraded defragmentation
            preprocessor, the one shipping with this version should be
            treated as *beta* code!

07-08-00    It wouldn't be a release without a disaster, and in that vein
            we lost the ability to compile cleanly on Linux boxes with
            version 1.6.1.  Typical.  Lessons learned: I need to reinstall
            a RedHat box at Snort Labs so that I can do compile tests
            before release.  C'est la vie.

07-06-00    Version 1.6.1 is finally ready to see the light of day.  This
            release is mostly a bug fix with a few minor feature additions
            for runtime security.  Version 1.7 is a few months behind in
            development due to my busy schedule at Hiverworld where I'm
            putting together a completely new (not Snort-based) IDS.

            Version 1.7 is in development and you can check the latest
            beta functionality by checking it out from the CVS repository.
            The features that have or are going to be added include dynamic
            rules (rules that turn on other rules), variable alert levels,
            port and IP sets for rules, and a few other goodies, plus
            a slew of new plugins.

            Additionally, the snort.org web site has gone live since the
            last release, and it's pretty much a one-stop-shop for all
            things Snort related (that and www.whitehats.com).

            I hope to have version 1.7 available by the October SANS
            Network Security 2000 conference.

03-20-00    Bang!  Here's version 1.6, marvel at its glory! :) I'm going
            to keep this short since it's 3AM, but I think that everyone
            is going to like the changes and additions since version 1.5.
            Be sure to check out the new rules writing document at
            http://www.clark.net/~roesch/snort_rules.html!

02-26-00    1.6 is still in the works, but this one fixes a few problems
            with people trying to compile on SunOS/Solaris/HP-UX boxes.
            This release really falls more into the "tweak" category, but I
            think it's important enough to put out.  Version 1.6 is coming
            RSN, but will probably be a couple more weeks!

01-03-00    This one is a minor bug fix in preparation for the impending
            release of version 1.6.  Version 1.6 is in beta, but I couldn't
            hold back doing a release of this bug fix version any longer.
            Speaking of 1.6, it should be out in about two weeks, and will
            incorporate a bunch of cool new functionality.  Stay tuned!

12-8-99     Wow, almost two months since the last major release.  Well, if
            you thought the last one was big, this one is HUGE!  There are
            nine major additions to this release, including plugins,
            session recording, improved flexibility in the rules files,
            better packet content analysis, and a bunch of other stuff.
            Snort is faster, more efficient, more flexible, and more
            powerful than 1.3.1.  Not bad for two months' work, eh? :)

            What's down the road from here?  Well, the Token Ring decoder
            needs to get finished, and then there are three big topics that
            Snort needs to address: IP defragmentation, TCP stream
            reassembly, and port scan detection.  Fortunately, the new
            plugin architecture implemented in this version of Snort
            makes the addition of these huge features relatively painless
            from a development standpoint.  The modules can simply be
            developed and then dropped right into every copy of Snort
            out there.

            The really cool functional (user level) things about version
            1.5 are session logging with the new "session" keyword,
            multiple content tests per rule, rules file variables, and the
            IP options inspection keyword "ipopts".  Check out the
            RULES.SAMPLE file (at the bottom) for more info on the new
            stuff.

10-13-99    Welp, here's the bug fix release.  There was one really big
            stupid bug in this one plus some other minor annoying stuff,
            so here's a patch to clean things up a bit.  I also added some
            functionality to the dsize option keyword, you can specify
            ">" or "<" now to select ranges.

            2.0 is progressing slowly in the face of various conference
            activity I have over the next few months.  I'm looking at a late
