	* src/generators.h: Added support for detection of Loopback & Same
	src/dest attacks in the packet decoder.  This obsoletes sids 527, 528.
	Thanks Marc Norton for the feature.
	* src/decode.c:
	* src/decode.h:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h: Added global ignore ports feature.  Thanks Andy
	Mullican for the feature.
	Usage:
	config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
	config ignore_ports: tcp 21 6667:6671 1356
	config ignore_ports: udp 1:17 53
	* src/detect.c:
	* src/detect.h:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/inline.c: Provide ability for 3rd party code to take action
	when Snort indicates a packet should be dropped.  Thanks Marc Norton.
	* src/detection-plugins/Makefile.am:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/detection-plugins/sp_ftpbounce.c:
	* src/detection-plugins/sp_ftpbounce.h: Added FTP Bounce detection
	Plugin.  Thanks Steve Sturges for this feature.
	* src/fpcreate.c: Performance improvement in pattern matcher from
	Marc Norton.
	* src/fpdetect.c:
	* src/snort.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/stream.h: Eliminate duplicate alerts on rebuilt
	streams/IP reassembled packets.  Thanks Andy Mullican and Steve
	Sturges.
	* src/generators.h:
	* src/preprocessors/spp_bo.c:
	* etc/gen-msg.map: Added better determination of direction for Back
	Orifice packets.  Thanks Andy Mullican.
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/sfportscan.c:
	* src/preprocessors/sfportscan.h:
	* doc/README.sfportscan:
	* etc/generators:
	* etc/gen-msg.map: Added handling of midstream sessions in portscan
	preprocessors.  Thanks Andy Mullican.
	* src/generators.h:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/stream.h:
	* src/ubi_BinTree.c:
	* src/ubi_BinTree.h:
	* src/ubi_SplayTree.c:
	* src/ubi_SplayTree.h:
	* etc/gen-msg.map:
	* etc/snort.conf: Stream4 fixes - Handle PAWS, NULL TCP Flags in
	established session, limit overlaps in established session, update
	ACK when server sends RST.  Performance changes for cleaning up
	session cache.  Thanks Steve Sturges and Andy Mullican for the
	patches.
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/snort_httpinspect.c:
	* doc/README.http_inspect: Added uri_tab_delimiter option to
	HttpInspect.  Thanks Andy Mullican.
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf.h:
	* src/preprocessors/spp_perfmonitor.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	* etc/snort.conf: Added categories (wire, ip defrag, tcp rebuilt, app
	layer) to PerfMon.  Also added atexitonly option to dump stats for
	entire life of snort.  Thanks Steve Sturges.
	* src/preprocessors/spp_telnet_negotiation.c: Fixed telnet decoder
	bug when ignoring Sub-negotiation end command.  Thanks Steve Sturges.
	* src/snort.h: Make this 2.4-CVS, build 1.

2005-03-10  Jeremy Hewlett  <jh@sourcefire.com>

	* src/parser.c: Removed end-of-line parser fix in favor of
	completely reworking this at the next parser overhaul.

2005-03-08  Jeremy Hewlett  <jh@sourcefire.com>

	* src/preprocessors/spp_flow.c:
	* src/detection-plugins/sp_flowbits.c: Increased number of flowbits
	(mnorton)

2005-03-08  Steven Sturges  <ssturges@sourcefire.com>

	* src/parser.c: Fixed parsing of comments at end of line in config
	file.  In snort.conf, anything that follows a # on a line is
	considered a comment.

2005-03-04  Jeremy Hewlett  <jh@sourcefire.com>

	* src/preprocessors/spp_sfportscan.c: Fixed alignment issue causing
	sfPortscan to crash on Solaris/HPUX.  Thanks Andy Mullican for the
	fix.

	Thanks Senthil Prabu.S and Jonathan Miner for working with us on
	this.

2005-01-13  Marc Norton  <mnorton@sourcefire.com>

	* src/preprocessors/spp_sfportscan.c: Fixed arithmetic to correctly
	set the ip packet length in the ip header prior to writing the
	portscan info to the packet.  Thanks Jon Hart for the test case and
	finding the bug.

2004-12-23  Steven Sturges  <ssturges@sourcefire.com>

	* src/detect.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/parser.c:
	* src/plugbase.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_conversation.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/sfthreshold.c:
	* src/snort.c:
	* src/util.c:
	* src/util.h:
	* src/sfutil/Makefile.am:
	* src/sfutil/sfsnprintfappend.c:
	* src/sfutil/sfsnprintfappend.h: Fixed problem with logging that
	appeared in Snort 2.3.0 RC2, where single lines were broken up when
	sent to syslog.  Thanks Sekure for pointing out the problem with
	thresholding.
	* src/sfthreshold.c: Fixed xatou function to check for non-digit
	parameter.  Thanks nnposter for submitting a patch!

2004-12-20  Jeremy Hewlett  <jh@sourcefire.com>

	* src/decode.h:
	* src/win32/WIN32-Includes/config.h:
	* src/win32/WIN32-Includes/stdint.h:
	* src/win32/WIN32-Includes/syslog.h: Reduces the number of warnings
	on MingW/gcc.  Thanks Gisle Vanem for the patch!

2004-12-17  Jeremy Hewlett  <jh@sourcefire.com>

	* src/decode.c: Fixed issue with snort not properly decoding ppp
	links on MacOS X.  Thanks Allan Jensen for reporting this and
	working with us on the fix (Roelker).

2004-12-09  Jeremy Hewlett  <jh@sourcefire.com>

	* doc/README.http_inspect: Updated documentation on flow_depth and
	HTTP headers per conversations with Joe Patterson.  Thanks Joe!
	* src/preprocessors/spp_arpspoof.c: Added variable names to function
	prototypes and made cosmetic changes to debug messages.  In
	ARPspoofHostInit() fixed a problem where the list of configured
	IP/MAC entries would contain only one entry and leaked memory.  In
	DetectARPattacks() made a small performance improvement by
	eliminating a copy of the ARP source protocol (IP) address (Jeff
	Nathan).
	* src/snort.h:
	* src/snort.c:
	* src/parser.c: Fixed a problem affecting MacOS X where linking may
	fail with non-standard libraries when global symbols are encountered
	multiple times.  Removed duplicate globals and externed globals in
	headers.  Defined globals in source.  (Jeff Nathan).
	* src/snort.h: Snort 2.3.0 RC2

2004-12-08  Daniel Roelker  <djr@sourcefire.com>

	* src/preprocessors/snort_httpinspect.c: Update error message when
	IIS Unicode map file is not found.
	* src/preprocessors/spp_stream4.c: Ignore RST|ACK midstream pickup
	case so we don't get an evasive TCP alert.  Thanks for the report,
	Sekure.
	* src/util.c:
	* src/util.h:
	* src/snort.c: Change SanityChecks() to CheckLogDir() so the function
	name now makes sense.  Move CheckLogDir() to after parsing snort.conf
	(for IDS mode), so the logdir config will work if the default or
	command-line logdir does not exist on the system.

2004-11-18  Steve Sturges  <ssturges@sourcefire.com>

	* src/detection-plugins/sp_pcre.c: Fixed bug when setting the
	doe_ptr on a successful pcre match.  It is now set relative to
	base_ptr.
	* src/detection-plugins/sp_byte_jump.c: Added from_beginning and
	multiplier options for byte_jump.  from_beginning skips bytes from
	the beginning of the content, instead of from the location
	immediately following the number of bytes to skip.  multiplier takes
	a numeric argument, and skips x times that number of bytes.

2004-11-04  Andrew Mullican  <amullican@sourcefire.com>

	* src/detect.c:
	* src/detect.h:
	* src/log.c: In "fast" output, now log only actual packet contents
	when UDP data length is greater than actual data length.  Thanks
	Brian Caswell for spotting this.

2004-11-04  Jeremy Hewlett  <jh@sourcefire.com>

	* configure.in: Added --enable-64bit-gcc to set up the build
	environment for 64bit (tested only on Solaris9).  There are still
	some memory alignment issues to work out before 64bit mode is fully
	functional; patches are welcome.  Thanks Chris Baker for doing 64bit
	testing.
	* src/sfutil/sfmemcap.c: Better support for 64bit Snort (mnorton).
	* src/snort.h: 2.3.0 RC1

2004-11-04  Andrew Mullican  <amullican@sourcefire.com>

	* src/output-plugins/spo_unified.c: Fixed reference times to match
	log time for first packet, for an event generated by a reassembled
	packet.  Incremented event ID to give unique ID for each packet.
	Also made unified logging compatible with Windows.

2004-11-02  Jeremy Hewlett  <jh@sourcefire.com>

	* configure.in: Changed linking order of libmysqlclient.
	* src/detection-plugins/sp_rpc_check.c:
	* src/preprocessors/spp_frag2.c:
	* src/sfutil/acsmx2.c: Fixes for compilation on 64-bit Solaris.
	Snort 2_3 branch compiles cleanly (jhewlett, mnorton).  Should be a
	few more changes coming shortly.
	* src/plugbase.c: Compilation fix for AIX.  Thanks Markus Waldeck.
	* src/preprocessors/spp_perfmonitor.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf.h: perfmonitor config line can now be
	configured with accumulate or reset (mnorton).  Thanks Barry
	Basselgia for pointing out the issue.  Thanks Scott Dexter and
	Andreas Ostling for doing some initial testing.

2004-10-21  Daniel Roelker  <droelker@sourcefire.com>

	* src/preprocessors/HttpInspect/client/hi_client.c: Don't include
	the version string length as part of the directory length.  Caused
	some false positives if the oversize directory length was set to
	small numbers.  Thanks Jeremy Hewlett for catching this one.
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/snort_httpinspect.c: Fix false positives that
	were occurring on some events.  Thanks to Vjay Larosa for the
	report.
	* src/preprocessors/perf-base.c:
	* src/preprocessors/sfprocpidstats.c: Fix linux perfmonitoring stats
	for the 2.6 kernel.  Thanks to everyone that reported this bug.
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/stream.h: Add an enforce_state keyword to
	stream4 so we won't pick up midstream sessions.  This works well for
	asynchronous links and also for just monitoring legitimate traffic.

2004-10-13  Daniel Roelker  <droelker@sourcefire.com>

	* src/detect.c: Fix suppression/thresholding bug for non-rule
	alerts.  Thanks to Alex Butcher for reporting it to us.

2004-10-05  Daniel Roelker  <droelker@sourcefire.com>

	* src/parser.c: Fix bug in preprocessor error statement that
	referenced freed memory.  Thanks to Dennis George for submitting
	fix.
	* src/detection-plugins/sp_pattern_match.c: Fix content option
	modifiers so that they check the option specified and not offset.
	Thanks to Petr Kurtin for pointing out this bug.

2004-10-04  Daniel Roelker  <droelker@sourcefire.com>

	* src/decode.c: Fix TCP/IP options print bug that was found by
	Marcin Zgorecki.
	* src/plugbase.c: Move portscan initialization into preprocessors,
	not plugins.
	* preprocessors/portscan.c: Inspect invalid TCP initiators that
	stream4 doesn't track for portscans.  Log open ports on TCP
	portsweeps when we can.  Thanks to #snort and SGUIL guys for their
	comments and feedback.  Also, thanks to David Lowless for his
	portscan testing in the UK.

2004-09-20  Daniel Roelker  <droelker@sourcefire.com>

	* src/util.c: Fix ts_print to work correctly for localtime logging.
	* src/fpdetect.c: Thresholded drop/sdrop rules should still drop the
	packet, but we just won't alert on them.  Thanks to Brian Starrfield
	for finding this bug.

2004-09-17  Daniel Roelker  <droelker@sourcefire.com>

	* src/detect.c: Fix tagging issue that would tag rebuilt TCP
	streams, which for most output plugins means we just relog the
	packets that we've already logged.  Thanks Jeremy Hewlett and Daniel
	Cid for finding this bug.
	* src/event_queue.c:
	* src/event_queue.h: Only flush a TCP stream on rule alerts and not
	on preprocessor alerts.  Thanks Jeremy Hewlett and Daniel Cid for
	finding this bug.

2004-09-08  Daniel Roelker  <droelker@sourcefire.com>

	* src/decode.c: Drop bad checksums if we're in inline mode and we're
	doing checksums.  Thanks to William Metcalf and Victor Julien for
	this patch.
	* doc/CREDITS: Updated CREDITS with some major SourceFire
	contributors that were not mentioned.
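The "config ignore_ports" usage in the first entry above gives the syntax but not how a port list with ranges is validated. This is an added example, not Snort's own parser: it reads "<tcp|udp> <ports>" where a token is a single port or an inclusive lo:hi range, rejects malformed input instead of silently ignoring the wrong ports, and records the result in a per-protocol bit set. The struct and function names are my own.

```c
/* Added example, not Snort's own code: parse the "config ignore_ports" syntax
 * above into a per-protocol 65536-bit set of ports to skip. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
struct ignore_ports {            /* one bit per port, per protocol */
    uint8_t tcp[65536 / 8];
    uint8_t udp[65536 / 8];
};

int port_is_ignored(const struct ignore_ports *ip, const char *proto, unsigned port)
{
    const uint8_t *set = strcmp(proto, "tcp") == 0 ? ip->tcp : ip->udp;
    return port < 65536 && ((set[port >> 3] >> (port & 7)) & 1);
}
/* Parse a decimal port in 0..65535 at s; returns 0 on failure. */
static int parse_port(const char *s, char **end, unsigned *out)
{
    if (*s < '0' || *s > '9') return 0;     /* rejects "", "-1", "+5", ":80" */
    unsigned long v = strtoul(s, end, 10);
    if (v > 65535) return 0;
    *out = (unsigned)v;
    return 1;
}

/* args is the text after "config ignore_ports:", e.g. "tcp 21 6667:6671 1356".
 * Returns the number of ports marked, or -1 on a syntax error (bad protocol,
 * non-numeric token, port above 65535, trailing junk, or a range with lo > hi). */
int parse_ignore_ports(struct ignore_ports *ip, const char *args)
{
    const char *p = args + strspn(args, " \t");
    size_t n = strcspn(p, " \t");
    uint8_t *set;
    int count = 0;
    if (n == 3 && strncmp(p, "tcp", 3) == 0) set = ip->tcp;
    else if (n == 3 && strncmp(p, "udp", 3) == 0) set = ip->udp;
    else return -1;
    p += n;
    while (*(p += strspn(p, " \t")) != '\0') {
        unsigned lo, hi; char *end;
        if (!parse_port(p, &end, &lo)) return -1;
        hi = lo;
        if (*end == ':' && !parse_port(end + 1, &end, &hi)) return -1;
        if ((*end != '\0' && *end != ' ' && *end != '\t') || lo > hi) return -1;
        for (unsigned q = lo; q <= hi; q++, count++)
            set[q >> 3] |= (uint8_t)(1u << (q & 7));
        p = end;
    }
    return count;
}
```

A parse error returns -1 with the set left partially filled, so a caller should treat that as a fatal configuration error rather than continue with a half-applied ignore list.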