📄 changelog

📁 Intrusion detection system: an example of use with MySQL on Linux
/* $Id: ChangeLog,v 1.13 2001/08/15 05:54:35 roesch Exp $ */

2001-08-14 mfr <roesch@sourcefire.com>
    * SNMP alerting support added by Glenn Mansfield Keeni & K. Jayanthi
    * IDMEF output support compiled in by default now
    * regex keyword code repaired, limited wildcard regex now available
    * new packet counters added to Snort stats output for frags and streams
    * http_decode preprocessor modified to normalize %u encoding
    * new detection modes in frag2, Snort picks up fragmentation
      attacks (teardrop, etc) much better now
    * repaired frag2 IP defragmenter, now 100% stable and functional
    * tweaks made to stream4 TCP stream reassembler, now 100% stable
    * Win32 code integrated with main Snort source now
    * fix for -r mode crash when no other command line options specified
    * fix for logfile names using ":" under win32
    * tag code repaired
    * spp_arpspoof repaired
    * stream4 alerts are now off by default
    * syslog alerts now support standard GEN:SID:REV data

2001-08-04 fy <fygrave@tigerteam.net>
    * A couple of coredump fixes from Phil Wood
    * Solaris compilation fixes (and other minor tweaks I don't
      remember)
    * Incorporated WIN32 patches (and fixes) from Chris Reid
    * ms-sql support from Chris Reid
    * contrib/create_mssql

2001-07-09 mfr <roesch@sourcefire.com>
    * added new IP defragmenter, spp_frag2
    * added new stateful inspection/tcp stream reassembly plugin, spp_stream4
    * Snort can now statefully detect ECN traffic (less false alarms)
    * stream4 can now keep session statistics in a "session.log" file
    * added new high-speed unified binary output system, spo_unified
    * added new data structs/management for tag code
    * added -k switch to tune checksum verification behavior
    * added -z switch to provide stateful verification of alerts
    * modified behavior of http_decode, now only alerts once per packet
    * added unique Snort IDs to every Snort rule, plus generator, revision
      and event ID info to each alert
    * detection engine only alerts once per packet now, tcp stream code doesn't
      generate another alert packet if a previous one already alerted for that
      stream
    * fixed signal handling on svr4 systems
    * added enhanced cross reference printout to full/fast/syslog alert modes
    * added new high speed checksum verification (on x86) routines
    * added new ARP spoof detection preprocessor from Jeff
      Nathan <jeff@wwti.com>

2001-04-20 fy <fygrave@tigerteam.net>
    * a couple of fixes in spp_defrag.c
    * spelling fixes in 'classification.config' file

2001-04-19 bmc <bmc@mitre.org>
    * added ability to tag sessions & hosts (By Seconds, Bytes, and Packets)
    * ip protocol rule support
    * added 802.1q VLAN support
    * extensive configuration file config options (you can put your
      commandline options in snort.conf now)
    * priority & classification plugin by Brian Caswell
    * output plugin support for priority, classification, and refs
    * rpc_decode plugin (Defeats attacks laid out by Robert Graham's SideStep)
    * telnet negotiation normalization plugin (Defeats attacks laid out
      by Robert Graham's SideStep)
    * BackOrifice plugin (Can bruteforce BO keys.  Defeats attacks laid out
      by Robert Graham's SideStep)
    * uricontent keyword pattern match.  (Now you can look at the URL instead
      of the entire packet)
    * added -T commandline option  (Does entire setup process, but stops
      after it's done setting up) great for snort.conf testing!!
    * added -L commandline option.  Specify filename of the binary output
      log when combined with "-b"
    * added -G commandline option.  Turn on "ghetto" backwards
      compatibility for people that need
      references in the MSG field
    * added -I commandline option.  Prints the interface that the
      alert was received on
    * added -y commandline option.  Adds YEAR to the timestamps
    * Fixed timestamp output problem on some ARCHs
    * ability for non-root users to sniff.  (If the user can usually
      sniff from pcap) By Brian Caswell
    * Improved UNICODE detection by Koji Shikata
    * added sp_tcp_win_check.  TCP Window Size can be looked at now
    * added CSV output (see README.csv for more information) By Brian Caswell
    * added sp_same_ip_check.  Checks for the same SRC & DST (Usually sign
      of a DOS attack) by Phil Wood
    * added variable lookups for include directives (eg 'include
      $RULESPATH/myrules.rules')
    * linux_sll (interface 'any') support fixed (According to the new
      libpcap spec) By Fyodor
    * new debugging code.  No more #ifdef DEBUG.  (see debug.c for more
      info) Idea from Eugene Tsyrklevich
    * strl* family functions (mostly for future developers, we'd encourage
      these to be used) (original code also supplied by Eugene)
    * new tcp stream reassembly module by Chris Cramer
    * include directives now are relative to snort.conf file location
      (unless full path in a config file is given)
    * snort will look for /etc/snort.conf and ./snort.conf if no config
      is given on the commandline
    * minor null ptr fixes and patches there and here (thanks to all of
      you guys who helped tracking them down, really :-) - Fyodor)
    * optimized database schema (Support for references, added
      signature normalization, ....)
    * UTC cleanup by Andrew Baker
    * http_ignorehosts added from Matt Wachinski

2001-03-14 fy <fygrave@tigerteam.net>
    * tcp stream reassembly updates by Chris Cramer
    * path fixes for include <file> (now relative paths will be substituted
      by path of the main file)
    * DLT_LINUX_SLL support fixes
    * strlcat/strlcpy functions are being incorporated
    * Attempt to support MacOS platform.
    * A bunch of fixes for MTU discovery routine
    * New debugging routines. (see BUGS file for more info).

2001-01-02  mfr <roesch@md.prestige.net> fy <fygrave@tigerteam.net>
    * tcp stream reassembly preprocessor (beta) by Chris Cramer
    * Defragmentation plugin is now fully functional on all architectures
    * SPADE (Statistical anomaly detection) preprocessor has been added by
      James Hoagland
    * Added IIS/UNICODE attack detection to HTTP decoder
    * Reference plugin has been added by Joe McAlerney
    * New active response module: sp_react
    * Added "any" keyword to IP options (ipopts) plugin
    * IP fragmentation bits detection plugin added
    * Added TOS detection plugin from Erich Meier
      <Erich.Meier@informatik.uni-erlangen.de>
    * Database output plugin improved in many ways by Jed Pickel
    * Oracle support added to database output plugin
    * XML output plugin by Jed Pickel/Roman Danyliw/CERT
    * IP address list support added with lots of help from Phil Wood
    * <interface>_ADDRESS variable implementation, specifying an interface name
      in the rules file as part of this variable automatically sets the IP/mask
      as the IP address/netmask of the specified interface
    * Rule parser is more anal about rule verification now, doesn't crash as
      readily
    * Arbitrary output types support added by Andrew Baker
    * Activate/dynamic rules allow rules to turn on/off other rules!
    * ICMP unreach. printout dumps encapsulated headers now
    * Improved TCP/IP options printout code, doesn't flood on 0 length options
    * Packet checksumming implemented for all supported protocols by Chris
      Cramer
    * TCP flags now print out in proper (bitwise) order
    * Added new fields to the packet header dumps including IP header length,
      TCP/UDP header length, Urgent pointer printout, IP Reserved bit printout,
      ICMP Type/Code explicit value printout
    * -X switch dumps packet byte data for data link through application layer
    * -L switch to provide a filename for binary log files specified with the -b
      switch
    * Added -I switch to print interface name in Snort alerts (first i/f only)
    * Fixed -S command line switch so it isn't overridden by variables in the
      rules file
    * Corrected PID file misadventures
    * Added a bunch of new statistics to the packet stats printout
    * Added SIGUSR1 handler, Snort will dump packet stats to console/syslog
      when it receives a SIGUSR1
    * Memory management cleaned up/lots more free()'s to match up with
      malloc()'s
    * Added snprintf code to the distro for safety
    * UID = 0 code added for sniffer mode
    * fixed default alert filename for daemon mode
    * Updated USAGE file to resemble Snort's current reality
    * Changed snort-lib to snort.conf, Jed Pickel added lots of documentation
      to the file as well (thanks Jed!)
    * Pid file will not be created if -D switch is not used.
    * chroot behaviour has been changed, now, if chroot is used, you have
      to have snort.conf file within chroot directory (and all the other
      relevant files as well). The only file which will be placed outside
      chroot directory is snort pid file.

2000-07-22  mfr <roesch@md.prestige.net>
    * Fixed compilation problems on all non-BSD operating systems
    * Added better configuration support for locating libpcap
    * Fixed ICMP ping packet id/sequence printouts
    * Made allowances for 64-bit machines in the decoders
    * Updated the portscan detector to the latest version
    * Disabled the defragmenter by default (in the rules file)
    * Added a patch from Dave Dittrich to make daemon mode alerts
      filenames conform to the data in the documentation
    * Revamped the ICMP data structures to mimic those found in *BSD
      and provide for higher fidelity decoding/printout in the future
    * Repaired the output plugins so that they operate properly now
    * For the record, the payload dump conforms to the length of the
      IP datagram now and does not show pad bytes added by the minimum
      Ethernet frame size

2000-07-08  mfr <roesch@md.prestige.net>
    * Fixed Tru64 u_int* type declarations
    * Added check for pcap.h into configuration script
    * Fixed timeval problems on Linux boxen

2000-07-06  mfr <roesch@md.prestige.net>
    * New preprocessor plugin: IP defragmentation!!
    * New output plugins cover all old logging and alerting options
    * New output plugin now logs to MySQL, PostgreSQL, unixODBC databases
    * Updated portscan detection functionality
    * Added quote removal for most plugin parsers
    * -C crash bug fixed
    * PID/PATH_VARRUN file fixes
    * Converted many putc(3) calls to fputc(3) for portability
    * Transport layer decoders use ip_len field for length metric now
    * String tokenizer code modified for more reliable operation
    * Fixed flexible response code sequence prediction
    * Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all
      platforms
    * Set automake options so that people don't need gmake anymore to build
      Snort on BSD systems
    * Fixed SMB alert code large tmp file hole
    * Added sigsetmask code to fix SIGHUP weirdness
    * Added execvp option for SIGHUP restart code
    * Added ARP header printout validation
    * Added Session logging file integrity checking
    * Added -u/-g setuid/gid capability switches
    * Added -O IP address obfuscation switch
    * Added -t chroot switch
    * Fixed non-TCP/UDP/ICMP transport layer decoding & logging
    * Fixes and additions to the portscan preprocessor
    * Database logging plugin has been modified extensively, see the
      www.incident.org website for more information
    * Switched TCP flags printout routine to ensure proper RFP output
      scan output. ;)
    * Fixed default log/alert function code so that these functions are
      never NULL

2000-03-20  mfr <roesch@md.prestige.net>
    * Version 1.6 released!

2000-03-18  mfr <roesch@md.prestige.net>
    * Modified the PID write out code to work in all run modes, and made
      the system detect/verify the _PATH_VARRUN variable and define it
      if necessary.
    * Integrated a HUP patch from J Cheeseman to prevent the command line
      parser from screwing up the command line at HUP time.
    * Added a little tweak from Fyodor for Makefile.in
    * Made exit code delete the PID file in all run modes.

2000-03-16  mfr <roesch@md.prestige.net>
    * Activated the BPF compiler optimization switch in snort.c
    * Added support for unconfigured/stealthed network interfaces
    * CP added a default definition for _PATH_VARRUN
    * CP added checks for paths.h existence

2000-03-15  mfr <roesch@md.prestige.net>
    * Moved the "session" keyword code to a plugin
    * Added Postgres database logging module from Jed Pickel
    * Added Token Ring layer 2 printout routine
    * Added "-q" support to the output plugin modules
    * Revamped the output plugin subsystem so that it conforms to the
      API standards laid out in the rest of Snort
    * CP set defaults for the alerting and logging facilities
    * Added Tru64/Alpha support
