/* $Id: ChangeLog,v 1.6 2001/01/18 08:30:29 fygrave Exp $ */

2001-01-02 mfr <roesch@md.prestige.net>, fy <fygrave@tigerteam.net>

	* tcp stream reassembly preprocessor (beta) by Chris Cramer
	* Defragmentation plugin is now fully functional on all architectures
	* SPADE (Statistical anomaly detection) preprocessor has been added by James Hoagland
	* Added IIS/UNICODE attack detection to HTTP decoder
	* Reference plugin has been added by Joe McAlerney
	* New active response module: sp_react
	* Added "any" keyword to IP options (ipopts) plugin
	* IP fragmentation bits detection plugin added
	* Added TOS detection plugin from Erich Meier <Erich.Meier@informatik.uni-erlangen.de>
	* Database output plugin improved in many ways by Jed Pickel
	* Oracle support added to database output plugin
	* XML output plugin by Jed Pickel/Roman Danyliw/CERT
	* IP address list support added with lots of help from Phil Wood
	* <interface>_ADDRESS variable implementation: specifying an interface name in the rules file as part of this variable automatically sets the IP/mask as the IP address/netmask of the specified interface
	* Rule parser is more anal about rule verification now, doesn't crash as readily
	* Arbitrary output types support added by Andrew Baker
	* Activate/dynamic rules allow rules to turn on/off other rules!
	* ICMP unreach. printout dumps encapsulated headers now
	* Improved TCP/IP options printout code, doesn't flood on 0 length options
	* Packet checksumming implemented for all supported protocols by Chris Cramer
	* TCP flags now print out in proper (bitwise) order
	* Added new fields to the packet header dumps including IP header length, TCP/UDP header length, Urgent pointer printout, IP Reserved bit printout, ICMP Type/Code explicit value printout
	* -X switch dumps packet byte data for data link through application layer
	* -L switch to provide a filename for binary log files specified with the -b switch
	* Added -I switch to print interface name in Snort alerts (first i/f only)
	* Fixed -S command line switch so it isn't overridden by variables in the rules file
	* Corrected PID file misadventures
	* Added a bunch of new statistics to the packet stats printout
	* Added SIGUSR1 handler, Snort will dump packet stats to console/syslog when it receives a SIGUSR1
	* Memory management cleaned up/lots more free()'s to match up with malloc()'s
	* Added snprintf code to the distro for safety
	* UID = 0 code added for sniffer mode
	* fixed default alert filename for daemon mode
	* Updated USAGE file to resemble Snort's current reality
	* Changed snort-lib to snort.conf, Jed Pickel added lots of documentation to the file as well (thanks Jed!)
	* Pid file will not be created if -D switch is not used.
	* chroot behaviour has been changed: now, if chroot is used, you have to have the snort.conf file within the chroot directory (and all the other relevant files as well). The only file which will be placed outside the chroot directory is the snort pid file.

2000-07-22 mfr <roesch@md.prestige.net>

	* Fixed compilation problems on all non-BSD operating systems
	* Added better configuration support for locating libpcap
	* Fixed ICMP ping packet id/sequence printouts
	* Made allowances for 64-bit machines in the decoders
	* Updated the portscan detector to the latest version
	* Disabled the defragmenter by default (in the rules file)
	* Added a patch from Dave Dittrich to make daemon mode alert filenames conform to the data in the documentation
	* Revamped the ICMP data structures to mimic those found in *BSD and provide for higher fidelity decoding/printout in the future
	* Repaired the output plugins so that they operate properly now
	* For the record, the payload dump conforms to the length of the IP datagram now and does not show pad bytes added by the minimum Ethernet frame size

2000-07-08 mfr <roesch@md.prestige.net>

	* Fixed Tru64 u_int* type declarations
	* Added check for pcap.h into configuration script
	* Fixed timeval problems on Linux boxen

2000-07-06 mfr <roesch@md.prestige.net>

	* New preprocessor plugin: IP defragmentation!!
	* New output plugins cover all old logging and alerting options
	* New output plugin now logs to MySQL, PostgreSQL, unixODBC databases
	* Updated portscan detection functionality
	* Added quote removal for most plugin parsers
	* -C crash bug fixed
	* PID/PATH_VARRUN file fixes
	* Converted many putc(3) calls to fputc(3) for portability
	* Transport layer decoders use ip_len field for length metric now
	* String tokenizer code modified for more reliable operation
	* Fixed flexible response code sequence prediction
	* Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all platforms
	* Set automake options so that people don't need gmake anymore to build Snort on BSD systems
	* Fixed SMB alert code large tmp file hole
	* Added sigsetmask code to fix SIGHUP weirdness
	* Added execvp option for SIGHUP restart code
	* Added ARP header printout validation
	* Added Session logging file integrity checking
	* Added -u/-g setuid/gid capability switches
	* Added -O IP address obfuscation switch
	* Added -t chroot switch
	* Fixed non-TCP/UDP/ICMP transport layer decoding & logging
	* Fixes and additions to the portscan preprocessor
	* Database logging plugin has been modified extensively, see the www.incident.org website for more information
	* Switched TCP flags printout routine to ensure proper RFP output scan output. ;)
	* Fixed default log/alert function code so that these functions are never NULL

2000-03-20 mfr <roesch@md.prestige.net>

	* Version 1.6 released!

2000-03-18 mfr <roesch@md.prestige.net>

	* Modified the PID write out code to work in all run modes, and made the system detect/verify the _PATH_VARRUN variable and define it if necessary.
	* Integrated a HUP patch from J Cheeseman to prevent the command line parser from screwing up the command line at HUP time.
	* Added a little tweak from Fyodor for Makefile.in
	* Made exit code delete the PID file in all run modes.

2000-03-16 mfr <roesch@md.prestige.net>

	* Activated the BPF compiler optimization switch in snort.c
	* Added support for unconfigured/stealthed network interfaces
	* CP added a default definition for _PATH_VARRUN
	* CP added checks for paths.h existence

2000-03-15 mfr <roesch@md.prestige.net>

	* Moved the "session" keyword code to a plugin
	* Added Postgres database logging module from Jed Pickel
	* Added Token Ring layer 2 printout routine
	* Added "-q" support to the output plugin modules
	* Revamped the output plugin subsystem so that it conforms to the API standards laid out in the rest of Snort
	* CP set defaults for the alerting and logging facilities
	* Added Tru64/Alpha support

2000-02-26 mfr <roesch@md.prestige.net>

	* modified minfrag preprocessor to only catch tiny frags on the home net ("home" keyword) or any traffic ("any" keyword)
	* implemented command line override of output plugins: alert and log switches on the command line will disable output plugins in favor of their configured activity
	* added -C command line switch to print packet payloads as ASCII only, with no hexdump
	* fixed a stupid crash bug on the "logto" keyword parser
	* put in a couple of command line switch validators to catch potential invalid arguments
	* fixed a potential crash bug in the ClearDumpBuf() function

2000-02-07 mfr <roesch@md.prestige.net>

	* Added INADDR_BROADCAST patch from Steve Beaty <beaty@emess.mscd.edu>
	* Added syslog PID patch from Ralf Hildebrant
	* Added IPv6 counter from Erich Meier <Erich.Meier@informatik.uni-erlangen.de>
	* Added SunOS patch from Denis Ducamp <Denis.Ducamp@hsc.fr>
	* Added content-list rules from

2000-01-17 cp <fygrave@tigerteam.net>

	* Update of Patrick's portscan preprocessor (and appropriate fixes).
	* Minor fix to configure.in from Herb Commodore.

2000-01-12 cp <fygrave@tigerteam.net>

	* John Wilson's update to insensitive pattern match code added.
	* Patrick Mullen's patch to log.c applied.
	* Patrick Mullen's changes to rules.c added.
	* Source Port traffic rules adjusted not to pull alerts on 53<-->53 UDP traffic.
	* Changed name ParseFlags --> ParseTCPFlags in sp_tcp_flag_check.* since that's what it really is.
	* Added RCS Id tags to all the files and libs. Once they are committed at md.prestige.net, they should take proper values. :)

2000-01-08 cp <fygrave@tigerteam.net>

	* Patch from Herb Commodore <herb@nc.rr.com> to configure applied
	* Improvements to content-matching code and implementation of case-insensitive matching from John Wilson <tug@wilson.co.uk> are added.
	* "zero netmask" problem fixed.
	* Patrick Mullen's portscan preprocessor is added.
	* log.c routines have been fixed to handle NULL pointers.
	* binary logging routines have been changed to use libpcap procedures which should fix certain problems with binary logging.
	* Fix in rules.c to complain about bogus preprocessor names.

2000-01-03 mfr <roesch@clark.net>

	* fixed a problem with pass rules not being applied properly
	* fixed a #include ordering statement for Slackware 4.0 installs
	* fixed banner output for the -V option
	* Token Ring decoding is now fully functional
	* Added packet buffer cleanup code to all protocol decoders
	* fixed a problem with improper TCP option output
	* Added a Snort man page

1999-12-08 mfr <roesch@clark.net>

	* preprocessor plugins (major new functionality!)
	* detection plugins (major new functionality!)
	* variables can now be specified in the rules file
	* include files can now be specified in the rules file
	* Session recording capability
	* Rules may now contain multiple "content" match keywords
	* New IP options detection module, allows IP option inspection
	* New HTTP decoder preprocessor defeats evasive web scans (whisker.pl)
	* detection engine has been heavily modified to implement the new "linked-list-of-function-pointers" concept, which makes the detection engine more efficient, more flexible, and faster!
	* TCP options decoder split into decode/log modules and recoded
	* IP options decoder split into decode/log modules and recoded
	* Token Ring layer 2 decoder (still in development)
	* ISDN-Raw layer 2 decoder (I4L)
	* ISDN-IP layer 2 decoder (I4L)
	* ISDN-Cisco layer 2 decoder (I4L)
	* Fixed PPP layer 2 decoder
	* NULL/Loopback layer 2 decoder
	* daemon mode code cleanup
	* tcpdump readback mode code cleanup
	* experimental support for UNIX socket alerting
	* fixed C++ comments in snort.c
	* binary log files now update properly (fflush added)
	* internal rules list integrity testing
	* IP fragments are no longer sent to the detection engine, just the preprocessors. This is incentive for me (or someone) to write an IP defragmentation preprocessor!
	* post-decode function call sequence has been modified to go into the preprocessor system instead of the detection engine

1999-10-18 mfr <roesch@clark.net>

	* snort.c:
		* added session dump command line switch
	* log.c:
		* added session data logging functions: OpenSessionFile(), DumpSessionData().
	* decode.c:
		* fixes snaplen issues with reading back tcpdump files.

1999-10-13 mfr <roesch@clark.net>

	* snort.c:
		* threw out tcpdump file readback code and implemented open_pcap_offline solution. Has added benefit of allowing BPF filters to be used to modify file readback streams.
		* Fixed MTU snafu.
	* decode.c:
		* Rewrote ARP decoder. The decoder is much simpler (but the log routines are far more complex)
		* Horsed around with the TCP and IP option decoders. I think they work better now...
	* log.c:
		* Added ARP printout and logging routines. ARP is now handled in a much more consistent and correct manner.
		* Fixed stupid crash bug in LogPkt()
	* rules.c:
		* Added in greater-than and less-than modifiers for dsize option keyword. You now have another (cheap!) way to look for buffer overflows
		* Removed range checking for the ICMP icode and itype option keywords so that DoS attacks and covert activity could be more easily filtered/monitored

1999-09-26 mfr <roesch@clark.net>

	* snort.c:
		* new command line options -A, -F, -N, -p, -b
		* logging and alerting functions are now selected and assigned to function pointers for faster/more efficient logging
		* got rid of -f command line option (superseded by -b)
		* put in new cleanup code for readback mode
		* ripped read_infile from tcpdump to read BPF filter files
	* decode.c:
		* code cleanup in support of new functionality
	* rules.c:
		* added support for the exception operator to work for ports
		* fixed stupid pointer initialization bug in ProcessHeadNode(), fixed crashes on non-PC arch.
		* new option keywords: dsize, offset, depth
		* cleaned up crappy logic around the logging functions with nice clean function pointers (aaaahhhh....)
		* added bidirectional rules functionality (now Snort goes both ways....)
	* log.c:
		* broke out alerting function into separate subfunctions
		* ditto logging functions
		* fixed string termination code in the SMB alerter so that it can now alert to more than one box at a time
		* cleaned up syslog messages
		* finally fixed the SMB "alert once" problem (kudos to Gandalf Schaufelberger for that one)

1999-08-06 mfr <roesch@clark.net>

	* log.c:
		* added code to AlertMsg to make sure that there was in fact an alert message to print out
	* libraries:
		* fixed the backdoor and scan libraries so they should false alarm less often

1999-08-05 mfr <roesch@clark.net>

	* snort.c:
		* activated CyberPsychotic's daemon mode code (use the -D switch for daemon mode)
		* default logging directory changed from "." to /var/log/snort
		* sanity checks performed on the default log dir now
	* decode.c:
		* changed the truncated Ethernet header notification to only go off in verbose mode
		* removed cruft
	* rules.c:
		* Added Ron Snyder's "address negation" patch. Rules may now contain "!" on the IP addresses to indicate anything BUT the given address
	* log.c:
		* added support for the new default logging directory
	* configure.in:
		* fixed some more sparc configuration problems
	* other:
		* CyberPsychotic sent a new ftp buffer overflow rule in

1999-08-04 mfr <roesch@clark.net>

	* snort.c:
		* fixed some DEBUG statements
		* enabled the daemon mode code (this is still experimental)