changelog
Version 0.5.2
* Use list head for LRU in tcpstream
* Manual page updates (John Leach)
* Obfuscate email addys in changelog - they are published on the web
* Fixed bug where tcp_match was being called instead of udp_match
* Fixed firestat
* Fixed bug in tcp serialization
* Fixed bugs in tcp state tracking logic
* Don't inline tcpstream_tcpseg
* Alert on suspicious TCP state violations
* Fix0r vlan and ipx decodes (John Leach)
* Add arp printing (John Leach)
* Don't put in redundant "0/0" ip address nodes (spotted by John Leach)
* Fix 802.3-novell encapsulation hack
* Always check for NULL args in matchers
* Use slab cache for tcp sessions
* Restore vim syntax file
* Overhaul plugin API, a bit better now
* Fix minor bug in detect routines (spotted by John Leach)
* Unfuck capdev/capture header dependencies
* Neaten up plugin error messages
* Lots of internal and plugin API cleanups
* Change logging semantics, choose spool dir only
* Start the firestorm user manual in docbook
* TCP SYN timeouts
* Fix timestamping on diagnostic logs
* Buffer alert I/O, massive throughput increase
* Run preprocessors in dispatch() again

Version 0.5.1
* Rewrite configuration code, back to a single config file
* Use hash table for matchers
* Split mesg() out into its own file, tidied and optimised
* Fix shutdown sequence for linux capdev
* Bring back the man pages
* Don't make an application data layer if zero len
* Infrastructure to serialize session data
* Serialize tcp and http state information
* Allow generator-wide rate-limiting
* Remove debugging cruft from string matchers
* Fix parsing of 'rate' in snort signatures
* Made log target more robust
* Made firecat more user friendly
* Go back to a dispatcher model
* Fix ominous bug in string matching, don't match TCP headers!
* Audit decode plugins for common mistakes

Version 0.5.0
* Support alert prioritisation
* Add support for 802.3, 802.3-novell, LLC and SNAP
* Make 802.1q plugin use ethernet registrations
* Fix IP address matching for big-endian machines
* Fix tcpdump plugin when using byte-swapped files
* Fix depth/offset/nocase/regex to work with multiple content matches
* Split up matchers into separate files (greg at ecsc dot co dot uk)
* New rule matching code for tcp/ip snort signatures
* Alerts on most specific rule if it matches more than one
* Beef up strtouint (hex and octal encodings)
* Implement matcher comparisons everywhere
* Use automake 1.6, set default prefix to /usr
* Fix crash bug and memory leak in ipfrag introduced in 0.4.6
* Remove strtoul() from all over the place
* Allow less-than/greater-than for ttl and ip_proto
* Fix ip address lists to work with negation
* Detect errors in hex chars in content rules
* Resolve IP protocols from names (won't work in a chroot)
* Use autoconf for plugins
* Add RPC matcher
* Support snort classtypes
* Add some new fields to log target
* Remove pluggable logging, replace with elog
* Do file-size based log rotation with upper bounds on time
* Centralise output routines to prepare for GUI apps
* Add firecat - a tool for converting elogs to other types of data
* Overhaul configuration, startup order and installation
* Remove delta2 heuristic in Boyer-Moore, use less mem, just as fast
* Fix a bunch of bugs in string matching generally
* IPX / SAP decoders
* Add stormwall daemon to monitor logfiles etc...
* Support RFC1323 window scaling
* Support RFC1323 PAWS (bugs and all)
* Fix tcpstream to support half closed connections
* Catch errors on poll() in linux capdev
* Remove preproc_dispatch(), do everything in decode
* Fix many potential bugs with decoding
* Add burstable token-bucket rate-limiting to alert subsystem

Version 0.4.6
* Substantially clean up the capture subsystem
* Clean up use of serial numbers in capdev code
* Return void from decode functions
* Call preproc_dispatch() from inside decode functions
* Remove realm bitmasks, stop the voices!
* Move ipfrag and tcpstream into tcpip plugin
* Don't split up tcp rules if stateful inspection is off
* Fix memory leak in signature committal
* Added memprof hack
* Re-write of tcp state tracking code
* Add IGMP decode plugin
* Removed concept of realms, just use protos
* Add mtu option to linux mmap capdev
* Add IrDA decoder plugin
* Pass private data to args_parse() and to callbacks
* Fix crash bug if no captures are specified in the config
* Add new log output plugin
* Always check for libprelude
* Add extended log output plugin (firestorm native files)
* Add boolean data types to args_parse
* Add http decoder (primitive)
* Implement uricontent properly
* Add DNS matching module (dns_recursive/dns_iterative)
* Snort sid/rev support
* Make log target log http_method, http_uri, sid and rev work
* Add http_method matcher
* Fix file clobbering bug in dump (greg at ecsc dot co dot uk)
* Fix various bugs in dump output module (greg at ecsc dot co dot uk)
* Fix infinite loop bug (VERY rare) in string matching
* Add rest of GPL license to COPYING (as pointed out by the FSF)
* Add snort-rules, add Makefile to install them
* Add really cool RPM spec - configures stuff for you
* Handle HUP signal to rotate logs (greg at ecsc dot co dot uk)
* Checksum TCP segments
* Fix some minor issues in snort parsing

Version 0.4.5
* Support IP address lists in snort rules
* Fix permissions of ascii logfile (john at ecsc dot co dot uk)
* Make 'depth' modifier actually work - oops!
* Test for mmap packet socket in configure
* Check for sigaction() in configure, else use signal()
* TCP matching now keeps separate rule chains for state/direction
* Implemented the 'flow' keyword
* gcc3 warning fixes
* Added libprelude output plugin
* Added acinclude.m4 to be able to check for libprelude
* Better error reporting in snort parsing (john at ecsc dot co dot uk)
* Added new argument parsing library for consistent plugin options
* Moved ipfrag over to args_parse()
* Linux capdev can now configure number of blocks to use
* Add contrib/hier.sh to make hacking setup easier
* Some build fixes (amr-aysha at medracen dot net)
* Added regex match (snort style regex, not PCRE or anything)
* Count number of criteria as we go in signature_criteria()
* Allow specification of dump format in dump output plugin
* Check for uio/writev, dump just does 2 write()s if not present
* Specify --with-prelude to check for prelude libs etc..
* Use array instead of linked list in tcpip signature engine
* Parse options for ascii output plugin, add nohex and len options
* Remove unused matcher compare functions
* Change captures over to arguments

Version 0.4.4
* Fix pcapfile bug
* Added fragoffset matcher
* Allow variables for ports in snort rules
* TCP connection tracking / stateful inspection
* Added 'stateless' keyword support
* IP headers inside ICMP are decoded fully
* Figure out pkttype from linux SLL if possible
* Added cleanup handlers to preprocessors
* Use LRU for ipfrag eviction, much faster
* Timeout ip fragments, configurable timeout
* Allow variable negation
* Hack icmp matching to alert like snort
* Only match the first ip-fragment!
* Fix linux SLL decode bug
* Support escaped characters in string match
* Change args_parse api, return -1 on error, 0 on user error

Version 0.4.3
* Check ihl<=tot_len in ip decode
* Check packet length in ipopts decode
* Check we have the whole packet in ipfrag
* Fix bug where reassembled fragments could get matched twice
* Fix interactions between linux capture and ipfrag
* Lots of fixes for ipfrag
* Actually account memory for fragment payloads
* Add 802.1q (vlan) decoder
* Allow 'ascii' logging to file
* Timestamp ascii alerts
* Linux capdev allows interface specification
* Dump output, to log to tcpdump files
* Finally get timestamp code correct!
* Marked firestorm.conf as config in RPM
* Implement minttl option for ipfrag
* Extend 'output' config to make it per-generator

Version 0.4.2
* Fix two decoding bugs for reassembled ip fragments
* Fix timestamp for reassembled ipfrag fragments
* Quote author email address in plugin error messages
* Allow require for plugins
* Fix hi/lo watermark default values for ipfrag
* Parse hi/lo watermark values for ipfrag
* Restructure alerting subsystem
* Catch SIGHUP to rotate logs (not firestorm.log)
* Implement 'output' keyword in config file
* icmp_id/icmp_seq only checks echo/echoreply packets
* Get rid of atoi() everywhere. Use strtouint() instead.
* Add --with-libpcap-libraries and --with-libpcap-includes
* Implement nocase string matcher
* IP fragmentation attacks detected by preprocessor
* tcpdump exploits detected by ip decoder
* Some optimisations in the signature engine
* Fix crash bug in IP decoder
* Make sure content and dsize matchers match data not headers
* Put serial numbers on packets
* Don't track ip fragments inside fragments, wait for a reassemble
* Linux SLL protocol now implemented
* Check TCP packet lengths better
* Do IP checksums. Still match packets but don't use them in ipfrag
* Calculate checksums on reassembled IP fragments (dunno why)

Version 0.4.1
* Get rid of madvise() in capdev.tcpdump
* Fix ipaddr/port negation bug in tcp/ip/udp matching
* Negation of ipaddr/port works on bidirectional snort rules
* Centralised alerting subsystem
* Finished ICMP matching code
* Implement icmp_id and icmp_seq (can be ranges)
* Fix TCP,UDP,ICMP decode bug
* Micro-optimisations in TCP and ICMP matching code
* Implement 'require' keyword in config file
* Split string matching into separate plugin
* Oops, actually implement IP ID matcher!
* IP Options matcher
* Depth and Offset supported in content matcher
* Fix RPM and tarball binary builds