2000-07-22 mfr <roesch@hiverworld.com>
* Fixed compilation problems on all non-BSD operating systems
* Added better configuration support for locating libpcap
* Fixed ICMP ping packet id/sequence printouts
* Made allowances for 64-bit machines in the decoders
* Updated the portscan detector to the latest version
* Disabled the defragmenter by default (in the rules file)
* Added a patch from Dave Dittrich to make daemon mode alerts
filenames conform to the data in the documentation
* Revamped the ICMP data structures to mimic those found in *BSD
and provide for higher fidelity decoding/printout in the future
* Repaired the output plugins so that they operate properly now
* For the record, the payload dump conforms to the length of the
IP datagram now and does not show pad bytes added by the minimum
Ethernet frame size
2000-07-08 mfr <roesch@hiverworld.com>
* Fixed Tru64 u_int* type declarations
* Added check for pcap.h into configuration script
* Fixed timeval problems on Linux boxen
2000-07-06 mfr <roesch@hiverworld.com>
* New preprocessor plugin: IP defragmentation!!
* New output plugins cover all old logging and alerting options
* New output plugin now logs to MySQL, PostgreSQL, unixODBC databases
* Updated portscan detection functionality
* Added quote removal for most plugin parsers
* -C crash bug fixed
* PID/PATH_VARRUN file fixes
* Converted many putc(3) calls to fputc(3) for portability
* Transport layer decoders use ip_len field for length metric now
* String tokenizer code modified for more reliable operation
* Fixed flexible response code sequence prediction
* Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all
platforms
* Set automake options so that people don't need gmake anymore to build
Snort on BSD systems
* Fixed SMB alert code large tmp file hole
* Added sigsetmask code to fix SIGHUP weirdness
* Added execvp option for SIGHUP restart code
* Added ARP header printout validation
* Added Session logging file integrity checking
* Added -u/-g setuid/gid capability switches
* Added -O IP address obfuscation switch
* Added -t chroot switch
* Fixed non-TCP/UDP/ICMP transport layer decoding & logging
* Fixes and additions to the portscan preprocessor
* Database logging plugin has been modified extensively, see the
www.incident.org website for more information
* Switched TCP flags printout routine to ensure proper RFP output
scan output. ;)
* Fixed default log/alert function code so that these functions are
never NULL
2000-03-20 mfr <roesch@hiverworld.com>
* Version 1.6 released!
2000-03-18 mfr <roesch@hiverworld.com>
* Modified the PID write out code to work in all run modes, and made
the system detect/verify the _PATH_VARRUN variable and define it
if necessary.
* Integrated a HUP patch from J Cheeseman to prevent the command line
parser from screwing up the command line at HUP time.
* Added a little tweak from Fyodor for Makefile.in
* Made exit code delete the PID file in all run modes.
2000-03-16 mfr <roesch@hiverworld.com>
* Activated the BPF compiler optimization switch in snort.c
* Added support for unconfigured/stealthed network interfaces
* CP added a default definition for _PATH_VARRUN
* CP added checks for paths.h existence
2000-03-15 mfr <roesch@hiverworld.com>
* Moved the "session" keyword code to a plugin
* Added Postgres database logging module from Jed Pickel
* Added Token Ring layer 2 printout routine
* Added "-q" support to the output plugin modules
* Revamped the output plugin subsystem so that it conforms to the
API standards laid out in the rest of Snort
* CP set defaults for the alerting and logging facilities
* Added Tru64/Alpha support
2000-02-26 mfr <roesch@hiverworld.com>
* modified minfrag preprocessor to only catch tiny frags on the home
net ("home" keyword) or any traffic ("any" keyword)
* implemented command line override of output plugins, alert and log
switches on the command line will disable output plugins in favor of
their configured activity
* added -C command line switch to print packet payloads as ASCII only,
with no hexdump
* fixed a stupid crash bug on the "logto" keyword parser
* put in a couple of command line switch validators to catch potential
invalid arguments
* fixed a potential crash bug in the ClearDumpBuf() function
2000-02-07 mfr <roesch@hiverworld.com>
* Added INADDR_BROADCAST patch from Steve Beaty <beaty@emess.mscd.edu>
* Added syslog PID patch from Ralf Hildebrant
* Added IPv6 counter from Erich Meier
<Erich.Meier@informatik.uni-erlangen.de>
* Added SunOS patch from Denis Ducamp <Denis.Ducamp@hsc.fr>
* Added content-list rules from
2000-01-17 cp <fygrave@tigerteam.net>
* Update of Patrick's portscan preprocessor. (and appropriate fixes)
* Minor fix to configure.in from Herb Commodore.
2000-01-12 cp <fygrave@tigerteam.net>
* John Wilson's update to insensitive pattern match code added.
* Patrick Mullen's patch to log.c applied.
* Patrick Mullen's changes to rules.c added.
* Source Port traffic rules adjusted not to pull alerts on 53<-->53 UDP
traffic.
* Changed name ParseFlags to --> ParseTCPFlags in sp_tcp_flag_check.*
since that's what it really is.
* Added RCS Id tags to all the files and libs. Once they are committed
at hiverworld.com, they should take proper values. :)
2000-01-08 cp <fygrave@tigerteam.net>
* Patch from Herb Commodore <herb@nc.rr.com> to configure applied
* Improvements to content-matching code and implementation of
case-insensitive matching from John Wilson <tug@wilson.co.uk>
are added.
* "zero netmask" problem fixed.
* Patrick Mullen's portscan preprocessor is added. log.c routines
have been fixed to handle NULL pointers.
* binary logging routines have been changed to use libpcap procedures
which should fix certain problems with binary logging.
* Fix in rules.c to complain about bogus preprocessor names.
2000-01-03 mfr <roesch@clark.net>
* fixed a problem with pass rules not being applied properly
* fixed a #include ordering statement for Slackware 4.0 installs
* fixed banner output for the -V option
* Token Ring decoding is now fully functional
* Added packet buffer cleanup code to all protocol decoders
* fixed a problem with improper TCP option output
* Added a Snort man page
1999-12-08 mfr <roesch@clark.net>
* preprocessor plugins (major new functionality!)
* detection plugins (major new functionality!)
* variables can now be specified in the rules file
* include files can now be specified in the rules file
* Session recording capability
* Rules may now contain multiple "content" match keywords
* New IP options detection module, allows IP option inspection
* New HTTP decoder preprocessor defeats evasive web scans (whisker.pl)
* detection engine has been heavily modified to implement the new
"linked-list-of-function-pointers" concept, which makes the detection
engine more efficient, more flexible, and faster!
* TCP options decoder split into decode/log modules and recoded
* IP options decoder split into decode/log modules and recoded
* Token Ring layer 2 decoder (still in development)
* ISDN-Raw layer 2 decoder (I4L)
* ISDN-IP layer 2 decode (I4L)
* ISDN-Cisco layer 2 decode (I4L)
* Fixed PPP layer 2 decoder
* NULL/Loopback layer 2 decoder
* daemon mode code cleanup
* tcpdump readback mode code cleanup
* experimental support for UNIX socket alerting
* fixed C++ comments in snort.c
* binary log files now update properly (fflush added)
* internal rules list integrity testing
* IP fragments are no longer sent to the detection engine, just
the preprocessor's. This is incentive for me (or someone) to write
an IP defragmentation preprocessor!
* post-decode call function call sequence has been modified to go into
the preprocessor system instead of the detection engine
1999-10-18 mfr <roesch@clark.net>
* snort.c: * added session dump command line switch
* log.c: * added session data logging functions: OpenSessionFile(),
DumpSessionData().
* decode.c: * fixes snaplen issues with reading back tcpdump files.
1999-10-13 mfr <roesch@clark.net>
* snort.c: * threw out tcpdump file readback code and implemented
open_pcap_offline solution. Has added benefit of
allowing BPF filters to be used to modify file readback
streams.
* Fixed MTU snafu.
* decode.c: * Rewrote ARP decoder. The decoder is much simpler (but
the log routines are far more complex)
* Horsed around with the TCP and IP option decoders. I
think they work better now...
* log.c: * Added ARP printout and logging routines. ARP is now
handled in a much more consistent and correct manner.
* Fixed stupid crash bug in LogPkt()
* rules.c: * Added in greater-than and less-than modifiers for dsize
option keyword. You now have another (cheap!) way to look
for buffer overflows
* Removed range checking for the ICMP icode and itype
option keywords so that DoS attacks and covert activity
could be more easily filtered/monitored
1999-09-26 mfr <roesch@clark.net>
* snort.c: * new command line options -A, -F, -N, -p, -b
* logging and alerting functions are now selected and
assigned to function pointers for faster/more efficient
logging
* got rid of -f command line option (superseded by -b)
* put in new cleanup code for readback mode
* ripped read_infile from tcpdump to read BPF filter files
* decode.c: * code cleanup in support of new functionality
* rules.c: * added support for the exception operator to work for ports
* fixed stupid pointer initialization bug in
ProcessHeadNode() file, fixed crashes on non-PC arch.
* new option keywords: dsize, offset, depth
* cleaned up crappy logic around the logging functions with
nice clean function pointers (aaaahhhh....)
* added bidirectional rules functionality (now Snort goes
both ways....)
* log.c: * broke out alerting function into separate subfunctions
* ditto logging functions
* fixed string termination code in the SMB alerter so that it
can now alert to more than one box at a time
* cleaned up syslog messages
* finally fixed the SMB "alert once" problem (kudos to Gandalf
Schaufelberger for that one)
1999-08-06 mfr <roesch@clark.net>
* log.c: * added code to AlertMsg to make sure that there was in fact
an alert message to print out
* libraries: * fixed the backdoor and scan libraries so they should
false alarm less often
1999-08-05 mfr <roesch@clark.net>
* snort.c: * activated CyberPsychotic's daemon mode code (use the
-D switch for daemon mode)
* default logging directory changed from "." to
/var/log/snort
* sanity checks performed on the default log dir now
* decode.c: * changed the truncated Ethernet header notification to
only go off in verbose mode
* removed cruft
* rules.c: * Added Ron Snyder's "address negation" patch. Rules may
now contain "!" on the IP addresses to indicate anything
BUT the given address
* log.c: * added support for the new default logging directory
* configure.in: * fixed some more sparc configuration problems
* other: * CyberPsychotic sent a new ftp buffer overflow rule in
1999-08-04 mfr <roesch@clark.net>
* snort.c: * fixed some DEBUG statements
* enabled the daemon mode code (this is still
experimental)
* decode.c: * fixed various and sundry DEBUG code
* fixed the TCP option decoder so it wouldn't overflow
its printout buffer and cleaned up the temp buffer
* rules.c: * fixed some DEBUG code
* log.c: * fixed a buffer copy problem with the daemon mode alert
logging
* fixed the SMB alerting code and the standard log output
when in SMB alerting mode
* cleaned up some of the fragment logging code
* fixed the logto rules option coding to work properly
* configure.in: * fixed a whole bunch of little problems that are
screwing up big endian/non-PC machines. This
version should work and compile much more cleanly
on all architectures!
* other: fixed a bad rule in the RULES.SAMPLE file and another bad
one in the misc-lib file
1999-08-01 mfr <roesch@clark.net>
* rules.c: Wrote brand new detection engine. The new engine uses
a 2-dimensional linked list with recursive node walking.
Rules are grouped by address/port commonality and then
option chains are linked to common head blocks. This
reduces the number of tests required to find a specific
test to perform, and reduces the total number of tests
performed on a given packet in all cases by 200-500%
over version 1.1.
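The detection engine layout described in the 1999-08-01 entry (rules grouped under address/port head nodes, option chains walked recursively) and the "linked-list-of-function-pointers" idea from the 1999-12-08 entry, shown as an added illustration in C; this is not Snort's own code. The structure names (RuleHead, Rule, OptNode), the dsize greater-than/less-than tests and the 10.0.0.5 sample address are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed packet summary: only the fields the sample rules test. */
typedef struct { uint32_t dip; uint16_t dport; size_t dsize; } Packet;
/* One option test in a rule's chain: a function pointer plus its argument. */
typedef struct OptNode {
    int (*test)(const Packet *, const struct OptNode *); /* returns 1 on match */
    size_t value;                                       /* e.g. a dsize threshold */
    struct OptNode *next;                               /* next test in this rule */
} OptNode;
/* A rule is one option chain hanging off a head node; rules form a list. */
typedef struct Rule { const char *msg; OptNode *chain; struct Rule *next; } Rule;
/* Head node: the address/port test shared by every rule grouped under it. */
typedef struct RuleHead {
    uint32_t dip; uint16_t dport; Rule *rules; struct RuleHead *next;
} RuleHead;
/* Assumed dsize modifiers, modelled on the ">" and "<" forms mentioned in the log. */
static int DsizeGT(const Packet *p, const OptNode *o) { return p->dsize > o->value; }
static int DsizeLT(const Packet *p, const OptNode *o) { return p->dsize < o->value; }
/* Recursive node walk: a chain matches only if every test in it passes. */
static int WalkChain(const Packet *p, const OptNode *o) {
    if (o == NULL) return 1;      /* end of chain: all tests passed */
    if (!o->test(p, o)) return 0; /* first failing test stops this rule */
    return WalkChain(p, o->next);
}
/* Returns the message of the first matching rule, or NULL when none matches. */
const char *Detect(const Packet *p, const RuleHead *h) {
    for (; h != NULL; h = h->next) {
        if (h->dip != p->dip || h->dport != p->dport) continue; /* one test per group */
        for (const Rule *r = h->rules; r != NULL; r = r->next)
            if (WalkChain(p, r->chain)) return r->msg;
    }
    return NULL;
}
/* Constructed rule set (sample address 10.0.0.5): two rules share the :80 head,
 * one rule sits under the :21 head. Returns the alert message for one packet. */
const char *RunSample(uint16_t dport, size_t dsize) {
    static OptNode big = { DsizeGT, 1000, NULL }, tiny = { DsizeLT, 10, NULL }, ftp = { DsizeGT, 200, NULL };
    static Rule r_tiny = { "tiny http payload", &tiny, NULL };
    static Rule r_big = { "oversized http payload", &big, &r_tiny };
    static Rule r_ftp = { "oversized ftp command", &ftp, NULL };
    static RuleHead h_ftp = { 0x0A000005u, 21, &r_ftp, NULL };
    static RuleHead h_http = { 0x0A000005u, 80, &r_big, &h_ftp };
    Packet p = { 0x0A000005u, dport, dsize };
    return Detect(&p, &h_http);
}
```

A packet that fails the head test never reaches any option chain under that head, which is the saving over testing every rule's address and port individually.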