📄 changelog
2006-06-02 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/xlink2state.c:
        Fix potential buffer overflow read and a memory leak. Thanks
        Jeffery Sumler for noticing the issues.

2006-05-24 Steven Sturges <ssturges@sourcefire.com>

    * etc/gen-msg.map:
    * src/generators.h:
    * src/preprocessors/spp_stream4.c:
        Fix potential evasion in Stream4.
    * src/preprocessors/HttpInspect/client/hi_client.c:
        Fix to HttpInspect to check for non-RFC whitespace (ie, CR)
        after URI.

2006-03-08 Steven Sturges <ssturges@sourcefire.com>

    * src/win32/WIN32-Includes/config.h:
        Increment version number for Win32 builds relative to IP
        options handling fix.

2006-02-20 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_frag3.c:
    * configure.in:
        Fix ip options handling. Thanks to Vyacheslav Burdjanadze for
        finding the issue.

2006-01-09 Steven Sturges <ssturges@sourcefire.com>

    * src/sfutil/mwm.c:
        Fixed bug with multiple recurring patterns in Wu-Manber
        implementation. Thanks to Evan Stawnyczy for pointing it out
        and Marc Norton for the fix.
    * src/parser/IpAddrSet.c:
        Fixed problem with parsing conf file and rules when DNS is not
        working. Thanks Martin Olsson for mentioning this and testing
        the fix.
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf-base.c:
        Handle wrapping on 64-bit platforms

2005-11-17 Andrew Mullican <amullican@sourcefire.com>

    * src/sfutil/sfxhash.c:
    * src/preprocessors/portscan.c:
        Add tracker without using bogus data, to avoid internal buffer
        overrun. Thanks Sandro Poppi for the find.

2005-11-11 Steven Sturges <ssturges@sourcefire.com>

    * src/snort.c:
        Allow value of 0 to be used with -G flag
    * src/preprocessors/spp_bo.c:
        Code Cleanup
    * src/preprocessors/spp_frag3.c:
        Fix memory leak and mishandling of IP Options. Thanks Yin
        Zhaohui for the find.

2005-10-16 Steven Sturges <ssturges@sourcefire.com>

    * etc/gen-msg.map:
    * etc/snort.conf:
    * src/generators.h:
    * src/preprocessors/spp_bo.c:
        Fixed potential buffer overflow in BackOrifice preprocessor
        and added an alert on attempt to overflow buffer in snort.
        Thanks Andy Mullican for the fix.

2005-10-11 Steven Sturges <ssturges@sourcefire.com>

    * src/win32/WIN32-Prj/snort_installer.nsi:
        Updated to mention WinPCAP 3.1 with correct website. Thanks
        Gianluca Varenni for mentioning the discrepancy.

2005-10-04 Steven Sturges <ssturges@sourcefire.com>

    * src/win32/WIN32-Libraries/libnet/LibnetNT.lib:
    * src/win32/WIN32-Prj/LibnetNT.dll:
        Rebuilt and updated LibnetNT linked with WinPCAP 3.1.

2005-09-23 Steven Sturges <ssturges@sourcefire.com>

    * src/output-plugins/spo_log_database.c:
    * schemas/create_mysql:
        Fixes to address schema being a keyword in MySQL 5.0. Thanks
        Wes Young, Adolfo Gomez, and Aleem Mawji for the updates.

2005-09-19 mfr <roesch@sourcefire.com>

    * src/snort.h:
        bump build number
    * configure.in:
        incrementing to 2.4.2
    * src/output-plugins/spo_log_tcpdump.c:
        don't try to actually open the log file when in test mode

2005-09-19 Steven Sturges <ssturges@sourcefire.com>

    * src/win32/WIN32-Includes/NETINET/IP.H:
    * src/win32/WIN32-Includes/NETINET/IP_VAR.H:
    * src/win32/WIN32-Includes/libnet/LibnetNT.h:
        Always use winsock2.h

2005-09-16 mfr <roesch@sourcefire.com>

    * src/snort.c:
        New command line switch, -K, to explicitly set logging mode.
        Available arguments are "none", "pcap" and "ascii". Pcap mode
        is now the default logging mode of Snort. CheckLogDir() is no
        longer called in IDS mode until after reading in the snort.conf
        file to prevent unnecessary exiting due to logdir being
        specified in snort.conf and inadvertently checking for the
        existence of /var/log/snort.
    * src/util.c:
        Included CheckLogDir() call in CreatePidFile() on the off
        chance we have to fall back to using pv.log_dir which can
        happen due to the IDS mode logdir check being removed in
        src/snort.c
    * src/decode.c:
        Added check for bad length of TCP SACK option.
    * snort.8:
        Updated for -K command line switch
    * doc/README:
        Updated for new command line options and default logging mode.
    * doc/USAGE:
        To be updated...

2005-09-16 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_frag3.c:
        Additional fixes to better handle various targets and
        extensions to the Shankar/Paxson model. Thanks Judy Novak for
        all of the OS testing & pcap work.

2005-09-14 Andrew Mullican <amullican@sourcefire.com>

    * etc/gen-msg.map
    * src/generators.h
    * src/preprocessors/spp_rpc_decode.c:
        Added new alert on zero-length RPC fragment.

2005-09-14 Steven Sturges <ssturges@sourcefire.com>

    * src/win32/WIN32-Includes/pcap-namedb.h (removed):
    * src/win32/WIN32-Includes/pcap.h (removed):
    * src/win32/WIN32-Includes/WinPCAP/Devioctl.h:
    * src/win32/WIN32-Includes/WinPCAP/Gnuc.h:
    * src/win32/WIN32-Includes/WinPCAP/Ntddndis.h:
    * src/win32/WIN32-Includes/WinPCAP/Ntddpack.h:
    * src/win32/WIN32-Includes/WinPCAP/Packet32.h:
    * src/win32/WIN32-Includes/WinPCAP/Win32-Extensions.h:
    * src/win32/WIN32-Includes/WinPCAP/bittypes.h:
    * src/win32/WIN32-Includes/WinPCAP/bucket_lookup.h:
    * src/win32/WIN32-Includes/WinPCAP/count_packets.h:
    * src/win32/WIN32-Includes/WinPCAP/ip6_misc.h:
    * src/win32/WIN32-Includes/WinPCAP/memory_t.h:
    * src/win32/WIN32-Includes/WinPCAP/normal_lookup.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-bpf.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-int.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-stdinc.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap.h:
    * src/win32/WIN32-Includes/WinPCAP/pthread.h:
    * src/win32/WIN32-Includes/WinPCAP/remote-ext.h:
    * src/win32/WIN32-Includes/WinPCAP/sched.h:
    * src/win32/WIN32-Includes/WinPCAP/semaphore.h:
    * src/win32/WIN32-Includes/WinPCAP/tcp_session.h:
    * src/win32/WIN32-Includes/WinPCAP/time_calls.h:
    * src/win32/WIN32-Includes/WinPCAP/tme.h:
    * src/win32/WIN32-Includes/mysql/Libmysql.def (removed):
    * src/win32/WIN32-Includes/mysql/config-netware.h:
    * src/win32/WIN32-Includes/mysql/config-os2.h:
    * src/win32/WIN32-Includes/mysql/config-win.h:
    * src/win32/WIN32-Includes/mysql/dbug.h (removed):
    * src/win32/WIN32-Includes/mysql/errmsg.h:
    * src/win32/WIN32-Includes/mysql/libmysql.def:
    * src/win32/WIN32-Includes/mysql/libmysqld.def:
    * src/win32/WIN32-Includes/mysql/m_ctype.h:
    * src/win32/WIN32-Includes/mysql/m_string.h:
    * src/win32/WIN32-Includes/mysql/my_alloc.h:
    * src/win32/WIN32-Includes/mysql/my_dbug.h:
    * src/win32/WIN32-Includes/mysql/my_getopt.h:
    * src/win32/WIN32-Includes/mysql/my_global.h:
    * src/win32/WIN32-Includes/mysql/my_list.h:
    * src/win32/WIN32-Includes/mysql/my_pthread.h:
    * src/win32/WIN32-Includes/mysql/my_sys.h:
    * src/win32/WIN32-Includes/mysql/mysql.h:
    * src/win32/WIN32-Includes/mysql/mysql_com.h:
    * src/win32/WIN32-Includes/mysql/mysql_embed.h:
    * src/win32/WIN32-Includes/mysql/mysql_time.h:
    * src/win32/WIN32-Includes/mysql/mysql_version.h:
    * src/win32/WIN32-Includes/mysql/mysqld_error.h:
    * src/win32/WIN32-Includes/mysql/raid.h:
    * src/win32/WIN32-Includes/mysql/typelib.h:
    * src/win32/WIN32-Libraries/Packet.lib:
    * src/win32/WIN32-Libraries/wpcap.lib:
    * src/win32/WIN32-Libraries/mysql/mysqlclient.lib:
    * src/win32/WIN32-Prj/snort.dsp:
        Updated to use WinPCAP 3.1 and MySql client 4.13. Preparation
        for Snort 2.4.1 release on Win32.
    * src/snort.c:
        Mark -z option as to be deprecated.
    * src/preprocessors/spp_frag3.c:
        Fix issue with Teardrop alerts introduced with last update.

2005-09-01 Steven Sturges <ssturges@sourcefire.com>

    * src/decode.c:
    * src/decode.h:
        Fix snort decoder to correctly handle PPP over Ethernet
        decoding. Thanks Aristeu Gil Alves Jr for the pcap.
    * src/snort.c:
    * src/util.c:
    * configure.in:
        Added patch for time stats from Bill Parker. Enable with
        configure --enable-timestats.
    * src/snort.c:
        Do not allow -T (test mode) & -D (daemonize) together.
    * src/preprocessors/spp_frag3.c:
        Fix issue with Teardrop alerts.
    * src/preprocessors/spp_portscan.c:
    * src/preprocessors/spp_portscan2.c:
        Add deprecation warning. These will be deprecated in the next
        snort build.

2005-08-31 Steven Sturges <ssturges@sourcefire.com>

    * src/snort.c:
    * src/decode.c:
    * src/decode.h:
        Added decoder for IPEnc for Open BSD. Thanks Jason Ish for the
        patch (long time ago) and Chris Kuethe for reraising the issue.
    * src/snort.c:
        Allow snort to use usernames (-u) and groupnames (-g) that
        include numbers. Thanks to Shaick for the patch.

2005-08-29 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
    * etc/snort.conf:
    * doc/README.sfportscan:
        Change ip_proto to ip for portscan configuration. Thanks David
        Bianco for pointing this out and Andy Mullican for the updates.
    * src/snort.c:
        Fix broken -T option. Thanks Andy Mullican for the fix.
    * src/output-plugins/spo_alert_prelude.c:
        Fix for prelude initialization. Thanks Yoann Vandoorselaere for
        the update.
    * src/preprocessors/spp_frag3.c:
    * doc/README.frag3:
        Update to address Solaris reassembly issues. Update README to
        include info about new target-based policy.

2005-08-23 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_frag3.c:
        for windows and solaris (since they are actually different in
        certain cases).
    * src/preprocessors/stream.h:
        Added data structure padding to fix issues with 64bit Solaris.
    * src/log.c:
        Fix problem in sniffer mode when incomplete TCP option data is
        received. Thanks A Hernandez for the find.
    * src/decode.c:
        Set the source & dest ports used for logging before doing
        checksum verification. If invalid checksum, ports will be
        logged (even though they may be invalid). Wrapped alerts for
        same src/dst and loopback in mode==IDS & decoder alert checks.
    * src/plugbase.h:
        Use hex values for preprocessor bitmask constants instead of
        the decimal equivalent.
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_byte_check.c:
        Allow for signed offset values to handle negative offset in
        rules. Fixes potential issue on 64-bit architectures.
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
        For content matches, when subsequent rule options fail, start
        searching again in correct location instead of again at end of
        the currently found pattern.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_xlink2state.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/xlink2state.c:
    * src/sfutil/asn1.c:
    * src/sfutil/mpse.h:
    * src/plugbase.c:
    * src/snort.c:
        Code/compiler warning cleanup.

2005-08-15 Steven Sturges <ssturges@sourcefire.com>

    * src/decode.c:
    * src/win32/WIN32-Includes/NETINET/IN_SYSTM.H:
        Updated Win32 to handle pflog patch.

2005-08-15 Steven Sturges <ssturges@sourcefire.com>

    * src/output-plugins/spo_alert_prelude.c:
    * etc/snort.conf:
        Fix GCC4 warning, make the arguments parser more robust and
        less fault tolerant. Correct parsing of IDMEF severity mapping.
        Don't try to initialize Prelude support when
        'output alert_prelude' is not specified. Removed deprecated
        documentation from the conf file. Thanks Yoann Vandoorselaere
        for the updates.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/stream.h:
        Fixed problem on Solaris when reassembling at exit. Thanks
        Andrew Rucker Jones for identifying the issue.
    * src/decode.c:
    * src/decode.h:
    * src/snort.c:
        Added support for new OpenBSD pflog format. Older pflog format,
        OpenBSD 3.3 and earlier, is still supported. Thanks Breno
        Leitao and Christian Reis for the patch.
    * src/decode.c:
    * src/decode.h:
    * src/util.c:
        Added statistics counter for ETH_LOOPBACK packets. Thanks rmkml
        for the patch.

2005-07-29 mfr <roesch@sourcefire.com>

    * rpm/snort.spec:
        Fix epoch inclusion for RPM generation

2005-07-29 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
        Fixed debug prints for new flush behavior changes.
    * src/detection-plugins/sp_pattern_match.c:
        Added checks to ensure some syntax correctness for content
        rules. Thanks Erik de Castro Lopo for the patch.

2005-07-27 mfr <roesch@sourcefire.com>

    * etc/snort.conf:
        Changed snort.conf to reflect flush_behavior changes

2005-07-24 mfr <roesch@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
        Fix parsing problem in the flush_behavior config directive
    * etc/snort.conf:
        Turn perfmonitor off by default

2005-07-22 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
        Changed flush_behavior to use names instead of numeric value.
        New behavior names are 'default', 'large_window', and 'random'

2005-07-22 Steven Sturges <ssturges@sourcefire.com>

    * src/win32/WIN32-Includes/config.h:
        Changed Snort version number
    * src/detection-plugins/sp_pattern_match.c:
        Fixed error message for replace

2005-07-22 mfr <roesch@sourcefire.com>

    * src/preprocessors/HttpInspect/client/Makefile.am:
    * src/preprocessors/HttpInspect/event_output/Makefile.am:
        More cleanup

2005-07-22 mfr <roesch@sourcefire.com>

    * src/preprocessors/HttpInspect/anomaly_detection/Makefile.am:
    * src/preprocessors/HttpInspect/mode_inspection/Makefile.am:
    * src/preprocessors/HttpInspect/normalization/Makefile.am:
    * src/preprocessors/HttpInspect/server/Makefile.am:
    * src/preprocessors/HttpInspect/session_inspection/Makefile.am:
    * src/preprocessors/HttpInspect/user_interface/Makefile.am: