📄 changelog
字号:
* decode.c: * fixed various and sundry DEBUG code * fixed the TCP option decoder so it wouldn't overflow its prinout buffer and cleaned up the temp buffer * rules.c: * fixed some DEBUG code * log.c: * fixed a buffer copy problem with the daemon mode alert logging * fixed the SMB alerting code and the standard log output when in SMB alerting mode * cleaned up some of the fragment logging code * fixed the logto rules option coding to work properly * configure.in: * fixed a whole bunch of little problems that are screwing up big endian/non-PC machines. This version should work and compile much more cleanly on all architectures! * other: fixed a bad rule in the RULES.SAMPLE file and another bad one in the misc-lib file1999-08-01 mfr <roesch@clark.net> * rules.c: Wrote brand new detection engine. The new engine uses a 2-dimensional linked list with recursive node walking. Rules are grouped by address/port commonality and then option chains are linked to common head blocks. This reduces the number of tests required to find a specific test to perform, and reduces the total number of tests performed on a given packet in all cases by 200-500% over version 1.1. * decode.c: Rewrote the packet decode engine. The new engine performs far fewer copies and tries to set pointers to defer expensive function calls as late as possible. The PrintIP and Net data structures have been eliminated so that there is no global data required to perform tests or log a given packet. This will make any future multi- threading efforts much easier. * log.c: * Much of the logging system was rewritten to take advantage of the new detection and decoding engines. * Made the SMB alerting a configure-time option. If you want to use the SMB alerting feature, you need to specify a "--enable-smbalerts" when you run configure. This is a safety measure, read the INSTALL file for the reasons why! * snort.c: Fixed a bug in the netmask generation code that wouldn't allow certain CIDR blocks to be represented. Thanks to Nick Rogness <nick@trinux.rapidnet.com> for the heads up on this one!1999-06-21 mfr <roesch@clark.net> * snort.c: * Added new command line switches: -f, -M, -r. -f: Record fragmented packets in tcpdump format -M: Send alerts via WinPopup messages (requires Samba) -r: Read and process files generated by tcpdump * Fixed startup dumpout code to not drop people if they just want to log all packets to the system * Added static netmask generation, this rids Snort of the need to link to libm, which makes it more Trinux friendly. * rules.c: * Added new rule option types: logto: log packets matching this rule to the specified log file minfrag: set the minimum size of fragmented packets, which allows alerts to be generated for traffic coming from things like nmap or fragrouter tcp flags: Added the ability to include the reserved bits of the tcp flags into the rules set. These flags are specified with a "1" and "2. Inclusion of these flags allows Queso fingerprinting attempts to be detected. id: The IP ID field may be specified. This is nice for picking up handcrafted packets with recognizable ID fields, like 31337 or other "elite" numbers. ack: The TCP ack field. Using this, nmap tcp "pings" may be detected. seq: The TCP sequence number. This is provided for completeness (I figured since I was putting in the ack field, I may as well include the sequence as well) * Rewrote the content parser. It now accepts "\" as a literal character, so things like "\|" or "\~" will work properly. * fixed the parenthesis finder for the options code * adjusted the acceptable character range in the rule parsers * log.c: * fragment logging more descriptive and correct * fixed IP header logging for ICMP and fragmented packets * improved "bad packet" printing/logging * fixed IP option output code * IP packet ID field now displayed * decode.c: * fixed IP fragment decoders and logic streams. * fragments are now fed thru the rules set (sorta)1999-05-17 mfr <roesch@clark.net> * snort.c: Added "-x" command line switch to explicitly activate IPX packet notification so people in mixed protocol environments can maintain sanity. Also added in the new packet counter to generate statistics on exit of the number/percentage of each type of packet that Snort sees. * decode.h: Removed the references to u_int16_t and u_int32_t and replaced them with u_short and u_long. The u_int*_t variables caused portability headaches. Also added in the new patch from Chris S. for the WORDS_MUSTALIGN definition for S/Linux version. * log.h: Fixed the LOG_AUTH/LOG_AUTHPRIV problem that Solaris users were having. * decode.c: Added the new packet statistics counters throughout the code. Cleaned up the IPX code a bit. * rules.c: Cleaned up the isspace(3) (et al) calls. * etc: Made lots of tweaks to the autoconf stuff to get the S/Linux and HP-UX versions to compile cleanly out of the box.1999-04-28 mfr <roesch@clark.net> * rules.c: Added the code to change the order the rules are applied in. * snort.c: Added two new command line switches: "-o" and "-s". * decode.c: Added in new layer 2 decoding for SLIP and RAW packet types. * log.c: Added code to send alert notification to syslog.1999-04-17 mfr <roesch@clark.net> * rules.c: Rewrote the rules option parser. It's now a much more consistant interface for both reading rules into the program and writing them as a user. Added in new rule types to alert on TTL values, and ICMP types/codes. * log.c: Most of the logging code has been dramatically rewritten as well, and it now works much better. * mstring.c: Added the notion of a meta character to mSplit() so that it was possible to not split on every single occurence of a character in a string. * decode.c: Smoothed out all the logging system calls to work nicely with the new log code.1999-04-08 mfr <roesch@clark.net> * rules.c: Moved AlertPkt() and LogPkt() to log.c * log.c: Totally revamped the logging code to be more logical and have less duplication in the code. There are now seperate logging functions for each of the layers of the packet. PrintIPPkt() has been totally rewritten, PrintFragHeader has been eliminated, and two functions have been moved over from rules.c and completely rewritten as well. * decode.c: Reworked the routines which called the logging functions.1999-04-06 mfr <roesch@clark.net> * decode.c: added code to display/log the Fragment ID field of the IP header. Got a nice patch from Sebastian to add in TOS decoding as well. Added ethernet header logging and display code. * mstring.c: fixed the match() routine. It had a tendency to miss some things some of the time. (oops!) Content based matching should work all the time now. * log.c: added code to display some of the new stuff that's decoded. * snort.c: add a new command line switch: "-e". This will display the ethernet header data in both the log files and on the screen.1999-03-24 mfr <roesch@clark.net> * decode.c: fixed the damned TCP and IP options decoders. These things were a friggin pain in the ass to program up properly. Recoding them stopped the huge loop that they had a bad tendancy to get stuck in, thereby making the rest of the program nigh infinitely more useful for just about any friggin problem under the friggin sun. Frig it. * log.c: Stopped the insanity of unnessary carriage returns in the log files and on screen printouts. Another PITA. * rules.c: Fixed output formatting yet again.1999-03-21 mfr <roesch@clark.net> * snort.c: fixed a bug in the timestamp code so the month prints out right * decode.c: added code to detect and decode IP and TCP Options. Also added code to print packet fragments with truncated headers into a PACKET_FRAG file which gets dumped in the default log directory. * log.c: added code and data structures to print out IP and TCP Options plus I fixed the f'd up fragment print out logic. Changed OpenLogFile() to include a mode argument for packet fragment print out. * rules.c: rewired the entire rules test routine and added some long needed goto's into the program. I feel manly now. Also added a new rule field: TCP flags. This allows us to alert/log/pass on tcp flags. Also added in port range functionality, you can now specify a range of ports, or greater than/less than a specified port. 1999-03-08 mfr <roesch@clark.net> * snort.c: Ripped off the timestamp printout routines from tcpdump and stuffed them into snort.c, yum yum. This gives us millisecond timestamping on the packets for those of you interested in such things.1999-03-06 mfr <roesch@clark.net> * mstring.c: mContainsSubstring has been replaced. mContainsSubstring is a brute force pattern matcher, and is therefore very slow and not too efficient. The new routine, match(), implements a Boyer-Moore string search algorithm and is much faster in the general case and much more tolerent of "poor" pattern selection. * log.c: PrintNetData has been completely rewritten. It should now be much faster and only needs to generate the print out buffer once per packet. This routine was a major source of slow down/dropped packets before. You still shouldn't use verbose mode with the "-d" command line switch if you're using Snort as an IDS, because it's still slow enough to drop some large packets. Packet print out has changed as well, with the different packet layers seperated by onto their own lines (well, mostly). Fragmented packets are now recorded in a "FRAG" file. * decode.c: Snort now detects fragmented packets, plus the DF and MF bits, and decodes the fragment offset. * snort.c: Now displays packet collected/dropped statistics when shutting down.1999-02-18 mfr <roesch@clark.net> * snort.c: Code cleanup and some error checking was added. The system now accepts the interface name you give it at the command line. Fixed a problem with underallocating the interface name buffer for names specified on the command line. Suprisingly, this only came to light when tested on the Sparc architecture. * log.c: ICMP logging now includes the ICMP code description in the filename. This makes it easier to see what you're interested in without having to go digging into the log files. * decode.c: Made the ICMP types and codes a little more compatible with being used as a filename.1999-01-28 mfr <roesch@clark.net> * rules.c: Rules sorting is now implemented. There are actually three seperate lists (Pass, Log, Alert) now, with the rules being placed on to the lists in the order they're read from the rules file. The rule execution order was changed, now Alert rules are applied first, then Pass Rules, the Log rules. Content based rules are available now, the actual application layer data can be searched, both binary and text, for a specific pattern to activate a rule on. * decode.c: Minor changes to reflect the new rules structure.1999-01-19 mfr <roesch@clark.net> * snort.c: Modularized the code, big time! New source modules are log, rules, decode, and mstring. Dumped SetFlow() for now. * rules.c: Rules based packet logging now enabled! * log.c: Now keeps track of TCP/UDP conversations better! * decode.c: Enhanced decoding of packets, including ICMP ECHO seq and id! 1999-01-08 mfr <roesch@clark.net> * snort.c: Made a fix to SetFlow() so that it wouldn't dump the program if it got traffic from 0.0.0.0 or 255.255.255.255. * snort.h: Removed the "#define VERSION" since it's handled in config.h. * README: Proper README file included with this distro1998-12-21 mfr <roesch@clark.net> * snort.c: Made this file, figured out autoconf ⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -