news

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

Version 0.5.2
=============
 BUGS FIXED
  * UDP packets weren't being matched at all since 0.5.1
  * TCP state was fucked up in elog files
  * Fixed various bugs in TCP state tracking logic
  * 802.3-novell frames weren't being decoded properly
  * Fixed a lot of potential bugs in matchers
  * Fixed bug in linux capture where HUPing caused infinite loop
 NEW FEATURES
  * Alerts on suspicious TCP state violations
  * Restored vim syntax file
  * Can now specify log directory
  * Released first cut of firestorm user manual
  * TCP SYN timeouts
  * Buffered I/O for alerts, utilise full disk bandwidth

Version 0.5.1
=============
 BUGS FIXED
  * Fix bugs in http decode
  * Fixed ipfrag alerts
  * Fixed log target to work for all IP packets
 NEW FEATURES
  * Back to a single, simple config file
  * Session data saved in alert log files
  * Built-in alerts are now appropriately rate-limited
  * Made firecat more user friendly

Version 0.5.0
=============
 BUGS FIXED
  * Fix IP address matching on big-endian machines
  * Handle ip_proto and ttl correctly for less-than/greater-than
  * IP address lists work properly with negation
  * Fix silly bugs in ipfrag which crept in with the last release
  * Fix content match for IP packets with no encapsulated headers
  * Fix some other minor bugs in content matching
  * Fixed improper state tracking of half closed TCP connections
  * Fixed lots of potential decoding bugs all over the map
 NEW FEATURES
  * Now differenciates 802.3 from Ethernet II
  * Support for LLC, SNAP and 802.3 IPX frames
  * tcpdump capdev module can handle byte-swapped files
  * New faster and simpler packet classifier
  * If a packet matches two signatures an alert is generated on the most specific
  * RPC matcher finally implemented
  * Fully support alert priorities and classifications
  * tcpstream supports window scaling and PAWS
  * Support for ratelimiting alerts (per-alert, burstable)

Version 0.4.6
=============
 BUGS FIXED
  * Fix trivial memory leak in signature loading
  * Don't clobber existing logfiles in dump output module
  * Fix (very rare) infinite loop condition in string matcher
  * Fixed bug in snort rule parsing
 NEW FEATURES
  * Brand new TCP state tracking code, much more accurate and efficient
  * Decode IGMP and IrDA packets
  * New simplified log output plugin, one line per alert
  * New extended log output plugin (native firestorm format)
  * First stab at implementing uricontent properly
  * Implement dns_recursive matcher (triggers on recursive dns queries)
  * Implement dns_iterative matcher (triggers on iterative dns queries)
  * Real sid/rev support in snort signatures
  * Match on HTTP methods in HTTP requests
  * Bundle snort rules with the default distribution
  * Updated RPM to be easier to configure
  * Actually implement the SIGHUP handler for log rotation
  * Calculate checksums on TCP segments

Version 0.4.5
=============
 BUGS FIXED
  * Fix permissions of ascii logfile (john@ecsc.co.uk)
  * Fixed bug where 'depth' modifier for string match didn't work
  * Fixed compile bug if using Linux without mmap packet socket()
 NEW FEATURES
  * Support IP address lists in snort rulesets
  * Impelement 'flow' keyword
  * Firestorm can now act as a prelude NIDS sensor (http://www.prelude-nids.org/)
  * Snort 'regex' modifier now fully supported
  * More options available for output modules
  * More options available for capture modules

Version 0.4.4
=============
 BUGS FIXED
  * pcapfile would loop forever at the end of the file
  * snort parser failed if you used a variable for a port
  * IP fragments not containing headers would be matched
  * SLL decode reported pkttype incorrectly
  * Esacped characters from snort files were ignored in content strings
 NEW FEATURES
  * Match IP fragmet offsets ('fragoffset')
  * TCP connection tracking / stateful inspection
  * Implement the 'stateless' keyword
  * IP fragmentation module now performs even better when under DoS attack
  * IP fragmentation module now supports timeouts
  * Snort variables can now be negated (var EXTERNAL_NET !$HOME_NET).

Version 0.4.3
=============
 BUGS FIXED
  * potential insertion attack in IP decode
  * potential crash in ipopts decode
  * ipfrag queued truncated packets
  * ipfrag could match reassembled packets twice with 'linux' capture
  * ipfrag could crash with live captures
  * ipfrag didn't account memory for fragment payloads
  * RPM would overwrite firestorm.conf
 NEW FEATURES
  * 802.1q (vlan) decode plugin
  * 'ascii' output module can log to a seperate file
  * 'linux' capdev allows you to specify an interface (or 'any')
  * 'linux' capdev detects MTUs when you specify an interface
  * Can log alerts as tcpdump files ('dump' plugin)
  * ipfrag can ignore packets with ttls that are too low (minttl option)
  * Choose different output formats depending on type of alert

Version 0.4.2
=============
 BUGS FIXED
  * reassembled fragments were incorrectly decoded
  * reassembled fragments didn't have checksums
  * Hi/Lo watermark values in ipfrag were faulty
  * Fragments inside other fragments would be tracked
  * Ignore IP fragments with bad checksums
  * Fix crash bug in IP matching code
  * Fix decode bug for TCP
  * Fix decode bug for IP
  * Make sure content and dsize matchers match data not headers
 NEW FEATURES
  * Case insensitive string matching
  * Select output/alert plugins from config file
  * IP fragmentation configuration is tunable
  * Linux SLL protocol (for pcap:any)
  * Allow plugins to be 'required'
  * Catch SIGHUP to rotate logs
  * Add --with-libpcap-includes to configure
  * Add --with-libpcap-libraries to configure
  * ipfrag detects fragmentation attacks
  * IP decoder detects tcpdump exploits
  * Some optimisations here and there

Version 0.4.1
=============
 BUGS FIXED
  * tcpdump capture would pause a while before starting big files
  * ip address and port negation false negatives
  * negation was broken on bi-directional snort rules
  * fix bad decode (tcp/udp/icmp) where the application layer wasn't added
  * IP ID matcher wasn't implemented
  * Binary builds linked to stupid libraries
 NEW FEATURES
  * depth/offset support for 'content' keyword
  * IP options matcher (ipopts)
  * Match ICMP packets
  * ICMP ID and ICMP sequence matchers (icmp_id, icmp_seq)
  * 'require' keyword in config file

--- OLD CHANGELOGS

Version 0.4.0
- Rewrote from scratch.
- New, much more flexible, more efficient decoder
- New, much more flexible plugin system
- Capture plugins get more control
- New packet structure
- Support for preprocessors
- IP defragmentation preprocessor
- OS specific capture device for Linux (v. fast)
- Signal handler works properly
- Seperate packet matching for seperate protocols
- firestat: Displays details of firestorm plugins
- Faster, nicer snort parser
- Implement 'sameip'
- Implement snort variables as the 'var' keyword

Version 0.3.1 (the version that never was)
- Removed malloc/free/strdup cruft
- Stricter with plugin loading
- Removed loads of stuff from g_globals.h
- Added support for (flags: 0;)
- Moved PC in to classifier.c
- Cosmetic fiddling

Version 0.3.0
- gcc3 compile fix. <sean_boyle@mentorg.org>
- Got rid of ugly old btree stuff
- Inlined demultiplexing and a few other bits and bobs
- Added libpcap_pfile capture engine which uses libpcap
- Removed redundant list_prepend function
- Got rid of generic list stuff for cleanup, capdevs, matchers
- Removed time() syscalls from all over the place
- Converted libpcap_file to use mmap() - MUCH faster!
- Removed ALL threading and locking, multiple captures broken
- Removed dependency on pthreads
- Removed static sized buffer from packet_t, now a pointer
- Improved build process for plugins and documentation
- Stopped memseting packet buffers
- Lots of portability fixes
- Sane exit codes
- Removed signal handlers
- Fix crash bug in ICMP reporting in alert target
- Removed stormwall/report stuff
- Removed leak checker
- Use snort style packet classifier, much faster

Version 0.2.2
- Command line options for stormwall
- Report target can be configured using config globals
- Experimental XML output plugin
- Made sniffer fallback more robust with $DEFAULT_TARGET variable
- Added more error messages
- Fixed snort_flip_rule(), no barfing over perfectly good snort rules
- Snort rule parsing fixes and tidyups
- Snort(1.8) fix. Numerical IP_PROTO now accepted
- Snort(1.8) fix. Extraneous new fields ignored instead of barfed on.
- Snort(any) fix. Protocol is omitted if its "ip"
- Fixed potential stack buffer overflow in config file parser
- Fixed memory leak in string matcher (added more error messages too)
- Fixed heap corruption in snort ruleset handling, removed a hack too...
- EXPERIMENTAL rule compiler (FAST) [see bottom of includes/g_globals.h]

Version 0.2.1
- Simple template bugfix
- Added ZLIB compression of network data
- Started firestorm daemon, provides only debug output
- Started report plugin, sends packets out on UDP (EXPERIMENTAL)
- Fixed so that logfiles are opened O_TRUNC
- Removed top layer hack for matchers, which are now just dumb
- Sniffer fallback mode, if no rules, all packets get sent to alert
- Fixed GRE handler and added alert support for it.

Version 0.2.0 (Vegas)
- Packet decode engine re-desgined, now supports encapsulation
- Final few issues in snort parser resolved
- Log target (logs to tcpdump files)
- Alert target supports Ethernet II and ICMP
- Netlink capture bugfix, reports link proto correct
- Documented firestorm config in SGML docs
- GRE encapsulation support
- Firestorm daemonizes and prints output to a file (specified on cmd line)
- Alert dumps to its own file
- plugin_require now works
- ICMP plugin demultiplexes original packet
- Fixed heap corruption bug in snort parser

Version 0.1.6
- libpcap_file understands RedHat "Extended" capfiles
- Linux firewall netlink capture.
- Optional internal leak checker.
- Fixed a memory leak in ip matcher!
- Some better macros for plugin hackers.
- Uncommented locking code in print functions (oops)
- Changed lots of print_out()s to print_raw()s (more efficient)
- Removed stupid fsync() in print_???, less syscalls, more efficient
- Tidied up code by wrapping it all before 80 chars
- Installer and RPM spec file
- Alert target yet more verbose, prints time etc..

Version 0.1.5
- String match bugfix
- TCP flags bugfix
- Keep better track of internal resources
- VIM syntax file for config files included
- Targets get access to rule
- Matchers need not have match functions (ie: they are metadata)
- Added some better cleanup templates
- Aggregated tcp/ip headers to improve cross platform support
- Added TCP flags display to alert target
- Fixed chroot/drop privs to warn if not superuser
- Added IP TOS matcher, like snorts, not very user friendly
- IP fragbits matcher

Version 0.1.4
- Plugin dirs, capture devices, etc.. can all be configureed from config file
- Can now drop root privileges (not tested)
- Sensor can run chrooted (not tested)
- Libpcap live capture plugin
- Plugin configuration via global variables
- Snort parser bug fix
- Snort parser understands variables
- Snort strings allow embedding binary data

Version 0.1.3
- Lots of compile fixes, FreeBSD, and SunOS/Solaris now supported
- Removed dependency on libpcap
- configure has --with-libpcap-includes option
- TCP flags, urgent pointer, window size, seq and ack matchers
- DSIZE matcher, matches total packet data size
- Favour BSD style tcphdr struct
- Targets can let packets continue
- ICMP SEQ/ID matchers
- IP ID match bug fix
- Alert slightly more verbose

Version 0.1.2
- Allow negation of rule criteria
- Snort rules support negation
- Added string (content) match, with depth and offset
- Warn better in the case of syntax err in snort ruleset
- Support for bi-directional snort rules
- Strip quote marks off of strings in snort rule values
- TTL match
- IP ID match
- Attempt to better the documentation