2004-09-07  Daniel Roelker <droelker@sourcefire.com>

	* src/inline.c:
	* src/inline.h:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	Make reject rule type work with linux bridging.  Added config
	option 'layer2resets', which by default uses the interface
	specified by the ipq packet.  In addition, you can also specify
	a src mac address so the sensor interface information is not
	apparent.  Thanks to William Metcalf and Victor Julien for this
	feature.

2004-09-02  Daniel Roelker <droelker@sourcefire.com>

	* src/detect.c:
	* src/fpdetect.c:
	* src/preprocessors/spp_stream4.c:
	Add inline state configuration for stream4, so we will drop
	packets that are not part of an existing TCP session and are
	not valid TCP initiators.  Thanks Will Metcalf and Victor Julien
	for the initial implementation.

	Add functionality for drop/sdrop rules that will still drop a
	packet if the rule specifies "flow: established".  We silently
	drop the packet, so as not to be DOS'd by stick/snot attacks.
	If the user wants the alerts, then add in the stream4
	configuration of 'midstream_drop_alerts'.

	* src/rules.h:
	* src/detection_plugins/sp_clientserver.c:
	Add not_established keyword to the flow detection option.  This
	allows snort to do dynamic firewall rulesets.  Experimental for
	now, so if anyone wants to try it, let me know.

	* src/preprocessors/snort_httpinspect.c:
	Fix conditions where snort would log double web alerts that
	contained only content options (no uricontents).  Thanks to
	kawa for finding and reporting this bug.

2004-08-31  Daniel Roelker <droelker@sourcefire.com>

	* src/fpdetect.c:
	If InlineMode() is set, then the flow: established check will
	also look to see if the TCP stream was picked up in midstream.
	If it was, then we assume it's established.

	This also blocks packets that are generated by stick/snot type
	attacks, whereas before these packets were just being passed
	through because flow: established was not valid.

2004-08-27  Daniel Roelker <droelker@sourcefire.com>

	* src/sfutil/sfmemcap.c:
	Fix 64-bit bug found and tested by Ryan Matteson
	(matty91@bellsouth.net) and Clay McClure (clay@daemons.net).
	Thanks guys.

	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/snort_httpinspect.c:
	When we pick up TCP sessions in midstream, don't use stream4
	direction to tell us how to inspect client and server traffic.
	Performance enhancement for some sites.

	* src/preprocessors/portscan.c:
	Add more comments and make portscan detail printouts more
	readable.

2004-08-20  Daniel Roelker <droelker@sourcefire.com>

	* src/util.c:
	Make ts_print work correctly with timezones.  Thanks to
	Dagobert Kellner for the fix.

2004-08-19  Daniel Roelker <droelker@sourcefire.com>

	* src/util.c:
	Log an error when the user tries to setuid/gid and snort is
	being run in inline.  Thanks Matt Brannigan for finding this
	bug.

2004-08-13  Daniel Roelker <droelker@sourcefire.com>

	* src/detection-plugins/sp_pattern_match.c:
	Ignore replace rule options when snort isn't in GIDS mode.
	(Roelker)

	* src/decode.h:
	* src/detect.h:
	Set a packet_flag for drop alerts.  This lets the output plugins
	know that we just dropped the packet that we logged.  (Roelker)

2004-08-11  Daniel Roelker <droelker@sourcefire.com>

	* src/inline.c:
	* src/spo_unified.c:
	Make inline alerts work with unified output.  Thanks for the
	help in unified format, Andrew Baker.

	* src/util.c:
	Added ASCII pig (thanks Dug Song) and snort team to snort
	initialization printout.

	* src/output-plugins/spo_log_tcpdump.c:
	Check to make sure we have a pointer before we reference a
	structure element.

2004-08-05  Daniel Roelker <droelker@sourcefire.com>

	* src/log.c:
	* src/detect.c:
	Make tagging work for more than 1 second.  (Daniel Roelker)

	* src/detect.c:
	* src/fpdetect.c:
	Get thresholding/suppression to work for alerts that do not
	contain an iph header (primarily decode alerts).  Thanks Brian
	Caswell.

2004-08-04  Daniel Roelker <droelker@sourcefire.com>

	* src/snort.c:
	Fix inline printf's during initialize.  Also fix return code on
	invalid input for startup.  This helps scripts so it returns an
	error if the command line arguments in the script are wrong.
	Thank you Matt Brannigan for this fix.

2004-07-28  Daniel Roelker <droelker@sourcefire.com>

	* configure.in:
	Added --include-pcre* configuration option to help cross
	compiling.  Thanks Erik de Castro Lopo.

	* src/event_queue.c:
	Fix bug in multi-event logging when thresholding/suppression
	was enabled for events in the queue.  Thanks once again to
	Andreas Ostling.

	* src/output-plugins/spo_log_tcpdump.c:
	When a rebuilt stream causes an alert, log out the original
	packets instead of the rebuilt packet.  Thanks Marty Roesch.

	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	Turn off some alerts in the profile that were causing false
	positives.

	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	Turn off encoding alerts in HTTP parameter field.  The parameter
	field is still normalized, it just doesn't alert.  This helps
	reduce alerts that are generated from complex parameter queries.

2004-07-08  Daniel Roelker <droelker@sourcefire.com>

	* etc/gen-msg.map:
	* src/generators.h:
	* src/plugbase.c:
	* src/decode.h:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_sfportscan.h:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/flow/flow.h:
	Added new portscan detector.  We now detect tcp, udp, icmp, and
	ip protocol scans, along with the following scan types (using
	nmap terminology): portscan, decoy portscan, portsweep, and
	distributed portscan.

	The initial version will have three sensitivity levels, so if
	you want to change values manually go to portscan.c and change
	the values there.  I don't want to confuse people out of the
	gate with lots of value configurations, so try these preset
	levels and give us feedback.  (Daniel Roelker)

2004-07-06  Daniel Roelker <droelker@sourcefire.com>

	* configure.in:
	* src/decode.c:
	* src/decode.h:
	* src/detect.c:
	* src/detect.h:
	* src/fpdetect.c:
	* src/inline.c:
	* src/inline.h:
	* src/mstring.c:
	* src/parser.c:
	* src/rules.h:
	* src/snort.c:
	* src/snort.h:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/output-plugins/spo_database.c:
	* src/preprocessors/spp_stream4.c:
	Added IPS functionality from snort_inline.  Thanks everyone that
	was involved in that project.  For more info, go check out
	http://snort-inline.sourceforge.net.

	* src/log.c:
	Fixed memory leak in "fast" output.  Thanks for your bug report,
	sekure@gmail.com.

2004-06-22  Chris Reid <chris.reid@codecraftconsultants.com>

	* src/snort.c:
	Clear error code which under Windows was causing a subsequent
	false failure in parsing threshold rules.  (thanks to Rich
	Adamson)

2004-06-16  Daniel Roelker <droelker@sourcefire.com>

	* src/sfutil/asn1.c:
	* src/sfutil/asn1.h:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_asn1.h:
	* src/debug.h:
	* src/snort.c:
	Added ASN.1 parsing and detection functionality to snort.
	Please refer to README.asn1 for more information on rule usage.
	(Roelker)

	* src/parser.c:
	Added parsing check from Andreas Ostling so that users don't
	assume that destination port lists are allowed because no error
	is given.

	* src/preprocessors/spp_stream4.c:
	Fixed rebuilt TCP packet munging reported by Steve Halligan.
	Thanks a lot for getting this problem down to pcap so we could
	analyze the problem.

	* src/detect.c:
	* src/event_queue.c:
	* src/log.c:
	* src/preprocessors/spp_stream4.c:
	* src/sfutil/sfeventq.c:
	Improve TCP reassembly flushing for TCP streams that have
	already generated an alert.  This was illustrated by Brian
	Bailey in his SANS GIAC practical examination.  Thanks for
	working with us on this one.

2004-05-06  Daniel Roelker <droelker@sourcefire.com>

	* src/detection-plugins/sp_pattern_match.c:
	Fixed rule read up error when parsing hexmode content options.
	Thanks for pointing it out, Marty.  (Roelker)

	* src/preprocessors/spp_stream4.c:
	Fixed null pointer dereference when detect_scans were enabled
	and creating a new session that had funky flags.  Thanks to Chad
	Kreimendahl for reporting the bug and testing the fix.  (Roelker)

	* src/snort.h: at build 28

2004-04-22  Daniel Roelker <droelker@sourcefire.com>

	* src/decode.c:
	* src/detect.c:
	* src/event_queue.c:
	* src/event_queue.h:
	* src/event_wrapper.c:
	* src/event_wrapper.h:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/parser.c:
	* src/preprocessors/spp_arpspoof.c:
	* src/preprocessors/spp_bo.c:
	* src/preprocessors/spp_conversation.c:
	* src/preprocessors/spp_frag2.c:
	* src/preprocessors/spp_rpc_decode.c:
	* src/preprocessors/spp_stream4.c:
	* src/sfutil/sfeventq.c:
	* src/sfutil/sfeventq.h:
	* src/signature.c:
	* src/signature.h:
	* src/snort.c:
	Added new event queueing algorithm, so Snort logs multiple
	events per packet/stream.  The algorithm uses two ordering
	methods: priority and content length.  (Roelker)

	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/acsmx.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	New Aho-Corasick pattern matchers (Norton).  Added content
	length tracking on otnx structures.

	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	* src/preprocessors/snort_httpinspect.c:
	Added webroot alert.  This alert is generated when a URL
	directory traversal traverses past the webroot.  Added new URI
	discovery technique pointed out by Kanatoko.

	* src/tag.c:
	Revert to old tagging behavior.  Will add new functionality in a
	future version.

	* src/util.c:
	Changed Snort post-processing stats to unsigned so users won't
	get negative stats.  Thanks to various people from the community
	for reporting this.

2004-03-22  Chris Reid <chris.reid@codecraftconsultants.com>

	* src/plugbase.c:
	* src/plugbase.h:
	* src/output-plugins/spo_database.c:
	Updated how current/utc times are calculated, as well as how
	they are formatted (thanks Marcus Janoski).

2004-03-18  mfr <roesch@sourcefire.com>

	* src/sfutil/acsmx2.c:
	Fixed _toupper/_tolower calls on non-Win32 machines (again).

	* src/preprocessors/spp_stream4.c:
	Uncommented ssnptr set in BuildPacket() for Dan.

2004-03-17  mfr <roesch@sourcefire.com>

	* src/parser.c:
	Added FatalError() in ProcessIP if closing IP-list '[' isn't
	found.

	* src/util.c:
	Revamped DropStats() function to use screen real estate more
	efficiently.

	* src/event_wrapper.c:
	QueueEvent checks to see if we're in MODE_IDS before queuing
	events and ClearEventQueue() checks to make sure that the
	event_list has been initialized.

	* src/sfutil/acsmx2.c:
	Fixed _toupper/_tolower calls on non-Win32 machines.

	* src/sfutil/acsmx2.c:
	Fixed acsmx.h call to acsmx2.h.

	* doc/Makefile.am:
	Mark snort_manual.pdf for cleanup too.

2004-03-16  Jeremy Hewlett <jh@sourcefire.com>

	* src/snort.c:
	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/Makefile.am:
	New Aho-Corasick pattern matcher from Marc Norton - memory usage
	reduced by 75%.

	* src/snort.h: Build 26

2004-03-15  Jeremy Hewlett <jh@sourcefire.com>

	* src/parser.c:
	"config checksum_mode" now supports multiple arguments on one
	line instead of multiple lines.

2004-03-15  Daniel Roelker <droelker@sourcefire.com>

	* src/util.c:
	Calculate dropped packets and received packets correctly.
	Thanks Yoann Vandoorselaere for pointing this out.

2004-03-08  Daniel Roelker <droelker@sourcefire.com>

	* configure.in:
	Thanks to Erik de Castro Lopo for removing warnings.

	* src/decode.c:
	* src/decode.h:
	* src/detect.c:
	* src/event_wrapper.c:
	* src/event_wrapper.h:
	* src/snort.c:
	New event queuing and logging for decoder and stream4 events
	(Marty).
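The 2004-09-02 and 2004-08-31 entries above describe two inline stream4 decisions: drop packets that belong to no tracked TCP session and are not valid initiators, and, in inline mode, treat a session that was picked up midstream as "established" for a drop rule carrying flow:established, dropping silently unless midstream_drop_alerts is on. The Python model below is an added illustration written for this page, not Snort's own code. It collapses the handshake to SYN followed by ACK, names the switches `inline_mode`, `enforce_state` and `midstream_drop_alerts` as assumptions standing in for the real options, and runs over constructed packets, including a stick/snot-style stray packet that never completed a handshake.

```python
"""Simplified model of the inline stream4 session checks from the
2004-09-02 and 2004-08-31 entries.  Added illustration, not Snort's
code: the handshake is collapsed to SYN -> ACK, option names are
assumptions, and every packet below is constructed sample input."""

from dataclasses import dataclass, field

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


@dataclass(frozen=True)
class DropRule:
    """A 'drop' rule with a content match and an optional flow:established."""
    msg: str
    content: bytes
    flow_established: bool = True


def session_key(pkt):
    """Direction-independent key so both halves of a flow share one session."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def is_valid_initiator(pkt):
    """Only a bare SYN (no ACK/RST/FIN) may open a new session."""
    return bool(pkt.flags & SYN) and not (pkt.flags & (ACK | RST | FIN))


@dataclass
class InlineStream4:
    inline_mode: bool = True            # stands in for InlineMode()
    enforce_state: bool = True          # the stream4 'inline state' option (assumed name)
    midstream_drop_alerts: bool = False
    rules: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def process(self, pkt):
        """Return 'pass' or 'drop' for one packet, updating session state."""
        key = session_key(pkt)
        state = self.sessions.get(key)
        if state is None:
            if is_valid_initiator(pkt):
                self.sessions[key] = "syn_sent"
                return "pass"
            if self.inline_mode and self.enforce_state:
                return "drop"  # no session, not an initiator: silent drop
            # Session picked up midstream: tracked, but remembered as such.
            state = self.sessions[key] = "midstream"
        elif state == "syn_sent" and pkt.flags & ACK:
            state = self.sessions[key] = "established"
        return self._apply_rules(pkt, state)

    def _apply_rules(self, pkt, state):
        for rule in self.rules:
            if rule.content not in pkt.payload:
                continue
            if rule.flow_established and state != "established":
                if state == "midstream" and self.inline_mode:
                    # Midstream pickup counts as established in inline mode;
                    # the drop is silent unless midstream_drop_alerts is set.
                    if not self.midstream_drop_alerts:
                        return "drop"
                else:
                    continue  # IDS mode: flow:established is not satisfied
            self.alerts.append((rule.msg, pkt.src, pkt.sport))
            return "drop"
        return "pass"


RULE = DropRule("constructed test rule", b"EVIL")
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)


def stray_packet():
    """Stick/snot-style packet: mid-stream flags, matching payload, no handshake."""
    return Packet(*CLIENT, *SERVER, ACK | PSH, b"GET /EVIL HTTP/1.0\r\n")


def run_scenarios():
    """Map scenario name -> (verdict, number of alerts raised)."""
    results = {}
    # 1. Proper handshake, then a matching payload: dropped with an alert.
    s = InlineStream4(rules=[RULE])
    s.process(Packet(*CLIENT, *SERVER, SYN))
    s.process(Packet(*SERVER, *CLIENT, SYN | ACK))
    results["handshake"] = (s.process(stray_packet()), len(s.alerts))
    # 2. Inline state enforcement: the stray packet never reaches the rules.
    s = InlineStream4(rules=[RULE])
    results["inline_state"] = (s.process(stray_packet()), len(s.alerts))
    # 3. No enforcement: picked up midstream, dropped silently by flow:established.
    s = InlineStream4(rules=[RULE], enforce_state=False)
    results["midstream_silent"] = (s.process(stray_packet()), len(s.alerts))
    # 4. Same, with midstream_drop_alerts: dropped and alerted.
    s = InlineStream4(rules=[RULE], enforce_state=False, midstream_drop_alerts=True)
    results["midstream_alert"] = (s.process(stray_packet()), len(s.alerts))
    # 5. IDS mode (the pre-2004-08-31 behaviour): flow:established fails, packet passes.
    s = InlineStream4(rules=[RULE], inline_mode=False)
    results["ids_mode"] = (s.process(stray_packet()), len(s.alerts))
    return results


if __name__ == "__main__":
    for name, (verdict, alerts) in run_scenarios().items():
        print(f"{name:17s} verdict={verdict:4s} alerts={alerts}")
```

Scenarios 2 and 3 both end in a drop with no alert, which is the point of the entries: a flood of stray packets cannot be turned into a flood of alerts, while a session seen from its SYN still produces a normal alert on the dropped packet (scenario 1). Scenario 5 shows why the IDS-mode check alone let such packets through.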