changelog

关于网络渗透技术的详细讲解

    * src/preprocessors/HttpInspect/utils/Makefile.am:
      Remove references to files in other directories

2005-07-22 mfr <roesch@sourcefire.com>
    * rpm/snort.spec:
      Fixup the spec file to reflect new method of rules distribution

2005-07-22 mfr <roesch@sourcefire.com>
    * configure.in:
      Fix PostgreSQL support

2005-07-21 mfr <roesch@sourcefire.com>
    * src/snort.h:
      Bump build number

2005-07-21 mfr <roesch@sourcefire.com>
    * rpm/snort.spec:
    * rpm/generate-all-rpms:
      Setup for 2.4.0 release, removed inline build option from RPM generation
      for the time being

    * configure.in:
    * Makefile.am:
    * doc/Makefile.am:
      Updated for 2.4.0 release to remove references to sig docs and rules, 
      which are now external to the distro

    * etc/snort.conf:
      Updated snort.conf for 2.4 release

2005-07-20 mfr <roesch@sourcefire.com>
    * autojunk.sh:
      Added --copy switch to automake call, patch from 
      Jeff Nathan <jeff@snort.org>

    * congfigure.in:
      Added maintainer mode call to prevent endless configure reruns.  From
      Jeff Nathan <jeff@snort.org>

2005-07-20 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
      Improved file handling of perfmon stats file rollover.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Provided ability to use 2 sets of static flushpoints as well as
      random flushpoints for reassembly.  Thanks Jason Brvenik for the
      patch.

    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/snort.c:
    * src/snort.h:
      Added code to process unflushed Streams at snort exit
      and when stream is purged from cache because of memory
      issues.

    * src/preprocessors/spp_telnet_negotiation.c:
      Small fix for normalization of subnegotiation options.

2005-07-19 mfr <roesch@sourcefire.com>
    * doc/BUGS:
      Updated BUGS file for 2.4 release.

    * configure.in:
      Added PostgreSQL fixes and exit code patch from Javier 
      Fernandez-Sanguino Pena <jfs@computer.org>

2005-07-18 mfr <roesch@sourcefire.com>
    * doc/README:
      Updated the README file to reflect the current version of Snort and
      command line switches that are available (and the ones that no longer
      are available as well...)
       
2005-07-11 Steven Sturges <ssturges@sourcefire.com>

    * src/detection-plugins/sp_byte_jump.c:
      Fixed log message.

    * src/log.c:
      Convert ICMP Router Advertisement time to host byte order before
      printing.

    * src/snort.c:
    * src/snort.h:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
    * src/preprocessors/spp_perfmonitor.c:
      Use singal to rollover perf stats file without having to restart
      snort.  Thanks Andrew Mullican for the patch.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/spp_frag3.c:
      Performance update for Frag3.  Also added stats fields to Perfmon
      for Frag3.

    * src/sfutil/mwm.c:
      Fix to handle multiple instances (different case) of the same pattern
      when the matching one occurs later than the others.

    * src/snort.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_prelude.h:
      Fix to handle heartbeat and pthread issues with Prelude.  Thanks Yoann
      Vandoorselaere for the patch.

    * src/sfutil/mwm.c:
    * src/preprocessor/spp_sfportscan.c:
    * src/preprocessor/HttpInspect/normalization/hi_norm.c:
      Data initialization fixes.  Thanks Yoann Vandoorselaere
      for the patch.

    * src/output-plugins/spo_database.c:
      Update for Oracle output.  Thanks Joel Esler for the fix.
      
    * src/output-plugins/spo_unified.c:
      Provide additional reliabilty for NT_SPECIAL_OUTPUT.  Thanks
      Eriz Lauzon for the fix.

2005-06-10 Jeremy Hewlett <jh@snort.org>

    * src/output-plugins/spo_alert_prelude.c:
      Handle case when Packet pointer is NULL for Portscan alerts.

    * src/preprocessors/spp_frag3.c:
    * src/decode.c:
      Fixed processing of fragmented UDP traffic.

2005-05-20 Jeremy Hewlett <jh@snort.org>

    * src/preprocessors/spp_perfmonitor.c:
      Fixed misprinted filename (mnorton).

    * src/snort.c:
      Allow -T flag when MUST_SPECIFY_DEVICE is enabled (mnorton).

2005-05-19 Jeremy Hewlett <jh@snort.org>

    * src/parser/IpAddrSet.c:
      Fixed problem with parsing IP addresses of 255.255.255.255 for
      rules (ssturges).

2005-05-18 Jeremy Hewlett <jh@snort.org>

    * src/decode.h:
    * src/decode.c:
    * src/generators.h:
    * src/preprocessors/spp_frag3.c:
      Added processing of IP Options in fragmented packets (ssturges).
      Thanks Brice Cotte for getting us discussing this topic.

    * src/preprocessors/snort_stream4_session.c:
      Fixed potential memory corruption (ssturges).

2005-05-09 Jeremy Hewlett <jh@snort.org>

    * src/parser.c:
      Increase  limit  on  number  of rule options to 256 (was 64).
      Report error if limit is reached -- previously,  extra  options
      were ignored.  Also increased max line length to 4096 chars, from
      1024.

2005-05-09 Andrew Mullican <amullican@sourcefire.com>

    * src/preprocessors/xlink2state.c:
      Bugfix for PowerPC architecture.

2005-05-05 Jeremy Hewlett <jh@sourcefire.com>
    
    * src/preprocessors/perf-base.c:
      Updated  to  better  match  true  on  the  wire and user data
      values (Marc Norton).

2005-04-28 Jeremy Hewlett <jh@sourcefire.com>

    * src/snort.c:
      Added check for MUST_SPECIFY_DEVICE #ifdef, which if used,
      requires either a -i or -r commandline switch to start snort.  If
      not used, current behavior remains (Marc Norton).

    * autojunk.sh:
    * configure.in:
    * Makefile.am:
    * etc/snort.conf:
    * m4/libprelude.m4:
    * m4/Makefile.am:
    * src/plugbase.c:
    * src/output-plugins/Makefile.am:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_prelude.h:
      Added support for prelude, enable with --enable-prelude. Thanks
      Yoann Vandoorselaere!

2005-04-26 Jeremy Hewlett <jh@sourcefire.com>

    * src/parser/IpAddrSet.c:
      Fixed Snort not resolving hostnames that start with a numeric and
      also parsing of invalid CIDR blocks (Daniel Cid).

    * src/plugbase.c:
    * src/plugbase.h:
      Remove unused functions str2s, hex2s, and int2s (Andy Mullican).
      Thanks Jeff Nathan for pointing this out.

    * src/preprocessors/spp_rpc_decode.c:
      Ignore multiple rpc requests if in a rebuilt packet (Thanks Andy
      Mullican).

    * src/inline.c:
      File descriptor clean up from Will Metcalf.

2005-04-22 Andrew Mullican <amullican@sourcefire.com>

    * etc/gen-msg.map:
    * src/generators.h:
    * src/plugbase.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream4.h:
    * src/preprocessors/spp_xlink2state.c:
    * src/preprocessors/spp_xlink2state.h:
    * src/preprocessors/xlink2state.c:
    * src/preprocessors/xlink2state.h:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
      Added xlink2state mini-preprocessor to catch MS Exchange buffer
      X-Link2State data overflow.

2005-04-11 Jeremy Hewlett <jh@sourcefire.com>

    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
      Fixed error messages in byte_jump & byte_test rule options (Marc
      Norton).

    * detection_plugins/sp_byte_jump.c:
      Fixed issue with 'multiplier' option.  It is now being done before
      the 'align' option.  This helps with rules that look at SMB
      traffic (Steve Sturges).

    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream4.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * etc/snort.conf:
      Performance Improvements to Flow & Stream4 session management.
      Also added limit to number of active sessions for Stream4, default
      of 8192.  Old memcap value now only applies to packets stored for
      reassembly.  Configure using preprocessor stream4: max_sessions
      16384 in snort.conf (Steve Sturges).

    * src/preprocessor/spp_perfmonitor.c:
    * src/preprocessor/spp_perfmonitor.h:
    * src/snort.c:
      Added -Z flag to set full path name to PerfMonitor stats file.
      This will override the file or snortfile configuration option
      (Marc Norton).

2005-04-05 Jeremy Hewlett <jh@sourcefire.com>

    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/output-plugins/spo_unified.c:
      Added a -G flag that specifies an instance identifier for the event
      logs.  Can be used when running multiple instances of snort, either
      on different CPUs or on same CPU but different interface.  Each
      snort instance will use the value specified to generate unique
      event ids.  Can specify either a decimal value (-G 1) or hex value
      preceeded by 0x (-G 0x11). Thanks Steve Sturges.

    * src/decode.h:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
      Fix to remove unnecessary ICMP echo extension, and update output
      plugins to use ICMP header info. Thanks Kevin Douglas for finding
      this and Andrew Mullican for the fix.

    * src/decode.h:
    * src/detect.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * etc/snort.conf:
      Add option to Stream4 to limit server-side inspection for improved
      performance.  Similar to HttpInspect's flow-depth, this option
      limits rule-inspection of server traffic to the set number of bytes
      (in 1 or more packets) until another client request is seen.  Thanks
      Steve Sturges & Marc Norton

    * src/plugbase.c:
      Fix issue generating ascii strings.  Thanks Sandro Poppi for the fix.

2005-04-01 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Additional fixes for suppression issue with sfPortscan and Open
      Ports.  Fix for packets logged with bogus ip lengths (related to
      Open Port alerts). Thanks Andy Mullican.

2005-03-25 Jeremy Hewlett <jh@sourcefire.com>

    * src/output-plugins/spo_alert_syslog.c:
    * src/snort.c:
      Add snort's PID to syslog. Thanks Steve Sturges.

    * src/preprocessors/spp_stream4.c:
      Added to default ports in Stream4 and cleaned up Stream4
      configuration processing. Thanks Steve Sturges.

    * src/preprocessors/spp_frag3.c:
      Added packet dump (debug only) to Frag3. Patch from Steve Sturges.

    * src/sfthreshold.c:
      Added detail to config error messages for thresholding. Patch from
      Steve Sturges.

    * src/fpdetect.c:
    * src/plugbase.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/preprocessors/spp_sfportscan.c:
      Code Cleanup (general), thanks Steve Sturges.

    * rpm/snort.org.spec:
    * rpm/snort.logrotate:
      Added schemas to distro, and 'sharedscripts' to logrotate. General
      clean up of spec file. Thanks Josh Kelley for pointing this out.

2005-03-25 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Fixed suppression issue with sfPortscan and Open Ports. Patch from
      Andy Mullican.

2005-03-15 Jeremy Hewlett <jh@sourcefire.com>

    * src/debug.h:
    * src/decode.c:
    * src/detect.c:
    * src/generators.h:
    * src/IpAddrSetCreate.c:
    * src/IpAddrSetCreate.h:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_frag2.c:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * etc/generators:
    * etc/gen-msg.map:
    * etc/snort.conf:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * doc/README.frag3:
      Added Frag3 IP reassembler from Marty Roesch. 

    * src/decode.c: