
2012-01-17 16:16 Hui Cao <>

  * Snort
  * All files: updated copyright to 2012
  * src/build.h: updated build number to 107
  * src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed building when -DREG_TEST not used with --enable-debug. Tweaked r_win_base initialization upon midstream pickup to work with tighter sequence number validation. Updated TCP session tracking to avoid requeuing retransmitted data. Added tweaks for paf_max flushing of chunked http data.
  * src/dynamic-preprocessors/reputation/shmem/: shmem_config.c, shmem_config.h, shmem_mgmt.c, shmem_mgmt.h: Avoided writer updating reader's zero segment pointer. Changed shared memory update timeout to a larger value.
  * src/generators.h, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/utils/hi_paf.c, doc/README.http_inspect, etc/, preproc_rules/preprocessor.rules: Added an alert on http/0.9 simple requests (119:32)
  * preproc_rules/: decoder.rules, preprocessor.rules: Bump a few rule revs that were out of sync w/ VRT
  * src/preprocessors/Stream5/snort_stream5_tcp.c: Changed Warning -> WARNING. Don't attempt to flush if the grinder failed when pruning a session.
  * src/: preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_common.h, sfutil/test/unit_hacks.c: Auto-disable stream reassembly on paf abort if auto-enabled
  * src/: detection-plugins/sp_dsize_check.c, dynamic-preprocessors/dnp3/spp_dnp3.c, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_paf.c: Fixed handling of PAF flushing anomalies by purging afflicted segments
  * src/sfutil/: sfrt_dir.c, sfrt_flat_dir.c, sfrt_flat_dir.h: Fixed the wrong value when calculating memory allocated. Changed sfrt length field from char to uint8_t
  * src/: decode.c, dynamic-preprocessors/gtp/gtp_parser.c: Added checking for invalid extension header length for GTPv1
  * src/: preprocessors/stream_expect.c, profiler.h: Fixed some compiler warnings
  * src/: decode.c, dynamic-preprocessors/gtp/gtp_parser.c: Added checking for invalid extension header length
  * doc/: README.GTP, snort_manual.pdf, snort_manual.tex: Added a simple use case to the GTP document.

  * src/dynamic-preprocessors/modbus/modbus_decode.c: Fixed a couple errors in modbus request/response length checking.
  * etc/reference.config: Added 'msb' to reference.config for Microsoft Bulletin url
  * src/detection-plugins/sp_flowbits.c: When same flowbit is defined both in default group and user specified group, that flowbit will be changed to specified group.
  * src/dynamic-preprocessors/dnp3/: dnp3_paf.c, dnp3_reassembly.c, spp_dnp3.c, spp_dnp3.h: Added #define statements for several "magic numbers" in DNP3 code
  * src/dynamic-preprocessors/dnp3/dnp3_reassembly.c: Fixed a bug where the DNP3 preprocessor would generate alerts for "reserved function" on valid DNP3 functions.
  * src/dynamic-preprocessors/dnp3/dnp3_roptions.c: Added parser errors for missing dnp3_func and dnp3_ind arguments.
  * src/: generators.h, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/event_output/hi_eo_log.c, preprocessors/HttpInspect/include/hi_eo_events.h: Added a preprocessor alert to alert when a HTTP method being parsed is not a GET or a POST or not defined by the user.
  * src/preprocessors/HttpInspect/: client/hi_client.c, server/hi_server.c: Added checking bounds before unfolding.
  * Cleanup very dated rules files.
  * src/: snort.c, win32/WIN32-Includes/stdint.h: Don't add handlers for signal values that aren't supported on Windows.
  * src/dynamic-preprocessors/reputation/reputation_config.c: Corrected the variable name called to create IP table.

2011-12-14 Ryan Jordan <>

  * Snort 2.9.2
  * src/build.h: updating build number to 78
  * snort.8: Fixed spelling errors. Thanks to Neline van Ginkel for the report.
  * src/: snort.c, preprocessors/spp_perfmonitor.c: Perfmonitor "now" files are created after Snort drops privileges.
  * src/output-plugins/spo_unified2.c: Only log IPv6 extra data when the packet is IPv6.
  * src/preprocessors/HttpInspect/: server/hi_server.c, client/hi_client.c: Fixed unfolding of HTTP Headers across packet boundaries. Thanks to Jim Hranicky for reporting this issue on the RC build.
  * src/preprocessors/spp_httpinspect.c: HTTP Inspect should check for hi_swap_config in HttpInspectInit() only when snort is compiled with --enable-reload. Fixed build errors on Win32.
  * src/preprocessors/Stream5/snort_stream5_tcp.c: When pruning a session, don't attempt to flush if the grinder failed to decode a TCP header. Thanks to Jim Hranicky for reporting this issue on the RC build.

2011-11-23 Ryan Jordan <>

  * Snort 2.9.2 RC
  * src/build.h: updating build number to 75
  * src/preprocessors/spp_httpinspect.c: Fixed an issue with HTTP Inspect server conf reload (when the HTTP Inspect is turned on from off between a reload)
  * src/preprocessors/spp_stream5.c: Fixed a memory leak caused by initializing the expected channel more than once.
  * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: Fixed a segfault during dcerpc2 startup when stream5 is not enabled.
  * src/preprocessors/spp_normalize.c: Added support to turn normalization off or on during a Snort reload.
  * src/dynamic-preprocessors/modbus/spp_modbus.c: Moved the check for truncated PDUs past the port check, to avoid false positives.
  * src/sfutil/bitop_funcs.h: Fixed an error in the allocation of flowbit groups, where bytes were interpreted as bits.
  * src/detection-plugins/sp_flowbits.c: Fixed a flowbits issue where the "isset" operation failed when there was only a single flowbit in a group. Fixed the error message logged when the same flowbit is added to two groups.
  * src/ipv6_port.h:
  * src/: dynamic-preprocessors/gtp/gtp_parser.c, dynamic-preprocessors/gtp/gtp_roptions.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/reputation/reputation_config.c, sfutil/segment_mem.c, encode.c: Compiler warning cleanup.
  * doc/: README.reload, snort_manual.pdf, snort_manual.tex: Updated the reload documentation to mention the caveat that exists with reload and fail-open in OpenBSD when Snort is run on primary network interface.
  * src/dynamic-preprocessors/dnp3/: dnp3_reassembly.c, dnp3_reassembly.h, dnp3_roptions.c, spp_dnp3.c: Added support for multiple DNP3 PDUs in a single DNP3 payload. Fixed an issue where the DNP3 preprocessor only identified the minimum reserved address, instead of all reserved addresses.
  * src/dynamic-preprocessors/dnp3/spp_dnp3.h: Updated an incorrect minimum DNP3 memcap to match the documented minimum of 4144 bytes.
  * src/output-plugins/spo_unified2.c: Snort will fatal error when the user configures the same filename for options "alert_unified2" and "log_unified2".
  * src/sfutil/: sfrt.c, sfrt.h, sfrt_dir.c, sfrt_dir.h: Added the ability to delete entries in the sfrt table.
  * src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_frag3.c, src/preprocessors/spp_normalize.c, src/preprocessors/spp_stream5.c, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/stream5_common.c, src/dynamic-preprocessors/reputation/reputation_config.c, etc/, src/detection-plugins/sp_flowbits.c, src/detection-plugins/sp_replace.c, src/output-plugins/spo_alert_sf_socket.c, src/decode.c, src/detect.c, src/generators.h, src/sfdaq.c, src/snort.c, src/tag.c, src/util.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/sfutil/acsmx2.c, src/dynamic-preprocessors/dnp3/spp_dnp3.c, src/target-based/sftarget_protocol_reference.c:
  * src/dynamic-preprocessors/dnp3/dnp3_roptions.c: Made the format of warning messages consistent.
  * src/dynamic-preprocessors/: dnp3/spp_dnp3.c, modbus/spp_modbus.c: Providing an empty port list now causes a fatal error.
  * src/dynamic-preprocessors/dnp3/spp_dnp3.h: Fixed reserved address check on big-endian machines.
  * src/preprocessors/Stream5/snort_stream5_tcp.c: Changed identification of TCP retransmits by comparing payloads instead of TCP checksums.
  * src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/smtp_util.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/output-plugins/spo_unified2.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/sfutil/Unified2_common.h, tools/u2spewfoo/u2spewfoo.c: Enable logging of normalized JavaScript to unified2 when built without --enable-sourcefire. Changed extra data logging to log packet-specific data (gzip/normalized) after each packet. Updated u2spewfoo to read the normalized JavaScript extra data.
  * src/detection-plugins/sp_dsize_check.c: Enable the "dsize" rule option with rebuilt packets.
  * src/target-based/: sf_attribute_table.c, sf_attribute_table.y: Allow empty attribute_value in attribute table. Thanks to Dave Bertouille for reporting this problem.
  * src/dynamic-preprocessors/dnp3/dnp3_reassembly.c: Fixed a bug where "dnp3_data" rules would not work if the content was broken up by CRCs or split across multiple DNP3 segments.
  * src/preprocessors/: spp_frag3.c, spp_stream5.c, Stream5/snort_stream5_tcp.c, Stream5/snort_stream5_udp.c: Change the printing function of tracker/session sizes (TcpSession/UdpSession/StreamLWSession/FragTracker) from fprintf to LogMessage.
  * src/preprocessors/Stream5/snort_stream5_tcp.c: Fix handling of "first" and "vista" policies in stream5 that, under certain circumstances with overlaps and gaps, could cause the stream5 segmentation list to get out of order.
  * snort.8: Updated the man page to include more signals that have been used. Thanks again to Dave Bertouille for the suggestion.
  * Increased the URI buffer size from 4096 to 8192 to normalize and detect longer URIs.
  * src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h, tools/u2spewfoo/u2spewfoo.c: Added new Unified2 event structs with extra application ID data. Updated u2spewfoo to read these fields.
  * src/detection-plugins/: sp_asn1_detect.c, sp_byte_check.c, sp_isdataat.c, src/detection_util.c: Allow rule evaluation to continue if the doe_ptr reaches the end of a buffer but a negative offset brings it back in-bounds.
  * etc/gen-msg.map, preproc_rules/preprocessor.rules, src/dynamic-preprocessors/dnp3/spp_dnp3.c: Removed DNP3 rule 145:5, and decremented the SIDs of rules 145:6 and 145:7. The old 145:5 was never able to be triggered.
  * doc/: snort_manual.pdf, snort_manual.tex: DNP3 rules that inspect the DNP3 headers now require "rawbytes" to work correctly, as the DNP3 reassembly buffer is inspected by default.
  * Updated references for rules 119:15 and 137:1. Thanks to Tim Brigham for the suggestion.
  * configure.in, rpm/snort.spec: Updated the RPM spec file to use wildcards for linking and installing preprocessors.
  * src/dynamic-preprocessors/modbus/modbus_decode.c: Added length checking for Modbus "Read File Record" and "Write File Record" requests.
  * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Added Protocol-Aware Flushing support for FTP.
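The Stream5 entry above that switched retransmit identification from TCP checksums to payload comparison is worth seeing in code. The following is an added illustration written for this page, not Snort source: it models the old and the new check side by side and shows two different payloads whose one's-complement checksums collide, so the old heuristic would have accepted an attacker's overlapping segment as a harmless retransmission while the reassembled stream the rules inspect no longer matches what the endpoint received. The payloads and sequence numbers are constructed for the example.

```c
/* Added example for this page, not Snort code: the old Stream5 retransmit
 * test (same seq, same TCP checksum) beside the new one (same seq, same
 * bytes). The one's-complement sum is insensitive to the order of 16-bit
 * words, so two different payloads can share a checksum and the old test
 * accepted the second as a retransmission. Payloads are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SEG_NEW = 0, SEG_RETRANSMIT = 1, SEG_CONFLICT = 2 };

/* RFC 1071 one's-complement checksum over the payload. A real TCP checksum
 * also covers the pseudo-header and TCP header, which are identical between
 * an original segment and a forged "retransmission", so the payload alone is
 * enough to show the collision. */
uint16_t ones_complement_sum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    while (n > 1) {
        sum += (uint32_t)((p[0] << 8) | p[1]);
        p += 2;
        n -= 2;
    }
    if (n) sum += (uint32_t)(p[0] << 8);          /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Old heuristic: same sequence number and same checksum => retransmit. */
int classify_by_checksum(uint32_t seq_a, const uint8_t *a, size_t alen,
                         uint32_t seq_b, const uint8_t *b, size_t blen)
{
    if (seq_a != seq_b) return SEG_NEW;
    return ones_complement_sum(a, alen) == ones_complement_sum(b, blen)
           ? SEG_RETRANSMIT : SEG_CONFLICT;
}

/* New heuristic: same sequence number and identical bytes => retransmit;
 * same sequence number with different bytes is an overlap conflict that the
 * reassembly policy must resolve, not a duplicate to drop silently. */
int classify_by_payload(uint32_t seq_a, const uint8_t *a, size_t alen,
                        uint32_t seq_b, const uint8_t *b, size_t blen)
{
    if (seq_a != seq_b) return SEG_NEW;
    if (alen == blen && memcmp(a, b, alen) == 0) return SEG_RETRANSMIT;
    return SEG_CONFLICT;
}

/* Constructed: swapping the 16-bit words "GE" and "T " leaves the checksum
 * unchanged while the bytes, and what a content rule would see, differ. */
static const uint8_t ORIG[] = { 'G','E','T',' ','/','x' };
static const uint8_t FAKE[] = { 'T',' ','G','E','/','x' };

int old_verdict(void)
{
    return classify_by_checksum(1000, ORIG, sizeof ORIG, 1000, FAKE, sizeof FAKE);
}

int new_verdict(void)
{
    return classify_by_payload(1000, ORIG, sizeof ORIG, 1000, FAKE, sizeof FAKE);
}

int main(void)
{
    printf("checksums: %04x vs %04x\n", ones_complement_sum(ORIG, sizeof ORIG),
           ones_complement_sum(FAKE, sizeof FAKE));
    printf("old verdict: %d (1 = retransmit), new verdict: %d (2 = conflict)\n",
           old_verdict(), new_verdict());
    return 0;
}
```

The point for a reassembler is that a checksum is an integrity check against accidental corruption, not an identity test: anything an attacker can recompute (or keep constant by permuting words) is not evidence that two segments carry the same data.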

2011-10-28 Ryan Jordan <ryan.jordan@sourcefire.com>

  * Snort 2.9.2 Beta
  * src/build.h: updating build number to 64
  * src/dynamic-preprocessors/gtp/: Makefile.am, gtp_config.c, gtp_config.h, gtp_debug.c, gtp_debug.h, gtp_parser.c, gtp_parser.h, gtp_roptions.c, gtp_roptions.h, sf_gtp.dsp, spp_gtp.c, spp_gtp.h, src/decode.c, src/Makefile.am, configure.in, doc/README.gtp: Added a packet decoder and preprocessor for the GTP protocol. These support detecting attacks over GTP (GPRS Tunneling Protocol). See the Snort Manual and README.gtp for more details.
  * src/dynamic-preprocessors/modbus/: Makefile.am, modbus_decode.c, modbus_decode.h, modbus_paf.c, modbus_paf.h, modbus_roptions.c, modbus_roptions.h, sf_modbus.dsp, spp_modbus.c, spp_modbus.h, doc/README.modbus: Added the Modbus preprocessor, which decodes the Modbus protocol and provides new rule options for some protocol fields. See the Snort Manual and README.modbus for more details.
  * src/dynamic-preprocessors/dnp3/: Makefile.am, dnp3_map.c, dnp3_map.h, dnp3_paf.c, dnp3_paf.h, dnp3_reassembly.c, dnp3_reassembly.h, dnp3_roptions.c, dnp3_roptions.h, sf_dnp3.dsp, spp_dnp3.c, spp_dnp3.h, doc/README.dnp3: Added the DNP3 preprocessor, which decodes the DNP3 protocol and provides new rule options for some protocol fields. The preprocessor also performs reassembly of segmented DNP3 traffic. See the Snort Manual and README.dnp3 for more details.
  * src/preprocessors/: snort_httpinspect.c, HttpInspect/server/hi_server.c, HttpInspect/server/hi_server_norm.c, HttpInspect/include/hi_ui_config.h, HttpInspect/user_interface/hi_ui_config.c, src/sfutil/: util_jsnorm.c, util_jsnorm.h, doc/README.http_inspect: Updated the HTTP preprocessor to normalize HTTP responses that include javascript escaped data in their bodies. This expands Snort's coverage in detecting HTTP client-side attacks. See the Snort Manual and README.http_inspect for configuration details.
  * src/: snort.c, util.c, win32/WIN32-Includes/config.h: Redefined default signals, and added support for signal customization.
  * src/debug.h, src/dynamic-plugins/sf_dynamic_common.h, src/dynamic-preprocessors/gtp/gtp_debug.h, src/dynamic-preprocessors/sip/sip_debug.h: Expanded the debug bits from 32 to 64 bits.
  * src/dynamic-preprocessors/dcerpc2/dce2_paf.c: Some format changes.
  * doc/Makefile.am: Fixed an error while running "make distcleancheck", thanks to Markus Lude.
  * doc/faq.tex: Updated the names of contributors to match those found on snort.org.
  * doc/: snort_manual.pdf, snort_manual.tex: Updated the Snort manual for new features. Described the FlowIP CSV file format. Thanks to Eoin Miller for pointing out the lack of documentation.
  * src/preprocessors/spp_normalize.c: Fixed a crash in the normalizer during Snort reload. Don't register the packet callback if Snort is not inline.
  * src/control/sfcontrol.c: Added counters to bypass the work queue mutex when nothing is queued.
  * src/preprocessors/HttpInspect/server/hi_server.c: HTTP responses with incorrect status messages are now inspected.
  * src/preprocessors/HttpInspect/client/hi_client.c: When the same IP is parsed multiple times for XFF/True-client-IP, the duplicate entries are freed from memory.
  * src/parser.c: Updated the 'config cs_dir' path to be relative to pid-path. Fixed crash when setting HOME_NET to an empty variable. Thanks to Elof for reporting this issue.
  * src/preprocessors/spp_sfportscan.c: Negative memcap numbers are no longer allowed.
  * src/preprocessors/Stream5/stream5_paf.c, src/preprocessors/HttpInspect/utils/hi_paf.c: Fixed PAF callback registration during Snort reload.
  * src/win32/WIN32-Prj/snort_installer.nsi: Updated Windows project files for new preprocessors.
  * src/: sfdaq.c, snort.c, util.c: Fixed a possible segfault upon fatal error during Snort reload.
  * src/preprocessors/: perf-base.c, perf-base.h, perf.c, perf.h, spp_frag3.c, spp_frag3.h, spp_stream5.c, Stream5/snort_stream5_session.c: Added frag3 and stream5 memory usage to perfmon output.
  * src/preprocessors/: stream_expect.c, stream_expect.h, stream_api.h, Stream5/stream5_common.h, Stream5/snort_stream5_icmp.c, Stream5/snort_stream5_ip.c, Stream5/snort_stream5_udp.c, Stream5/snort_stream5_session.c, Stream5/snort_stream5_tcp.c: Cleaned up application data for non-TCP sessions after a block or timeout.
  * Cleaned up compiler warnings.
  * src/: snort.c, util.c: Where possible, sigaction() is used instead of signal() to establish signal handlers. Thanks to Joshua Kinard for providing a patch for this issue.
  * src/: active.c, decode.c, encode.c: Fix PPPoE support and active responses to ICMP. Thanks to Eric Lauzon for identifying an issue with PPPoE traffic.
  * src/dynamic-preprocessors/sip/spp_sip.c: Changed a description in the SIP exit stats.
  * src/detection-plugins/sp_react.c: Added a content-length header to the react responses.
  * src/: decode.c, decode.h, encode.c, parser.c, sf_protocols.h, snort.c, util.c, target-based/sftarget_reader.c, preprocessors/Stream5/stream5_common.h: Changed instances of "char" to "uint8_t" when dealing with protocol numbers, preventing a potential issue when Snort supports protocols > 128. Thanks to Will Metcalf for identifying the issue.
  * etc/gen-msg.map, preproc_rules/preprocessor.rules, src/generators.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_httpinspect.c, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/include/hi_ui_config.h: Added new preprocessor alerts: 1) Both true-client-ip and XFF headers exist in single packet 2) Multiple client-ips with different values in the same session
  * src/preprocessors/: perf-flow.c, perf-flow.h: Fixed a bug where packets longer than 4500 bytes were not logged in the perfmon flow stats.
  * src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/smtp_config.h, src/dynamic-preprocessors/smtp/smtp_util.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, src/dynamic-preprocessors/smtp/spp_smtp.c, src/output-plugins/spo_unified2.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/snort_stream5_tcp.h: Reduced the memory usage per TCP session for extra data event logging.
  * Fixed an error in the calculation of dropped ...
  * src/preprocessors/spp_stream5.c, src/preprocessors/Stream5/snort_stream5_session.c: Don't prune blocked sessions if pruning for memcap. Thanks to rmkml for identifying the issue.
  * src/dynamic-preprocessors/reputation/reputation_config.c, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h, doc/README.reputation: The paths to whitelist & blacklist files are now relative to the location of snort.conf.
  * configure.in, doc/INSTALL, doc/README.ARUBA, doc/README.database, doc/snort_manual.pdf, doc/snort_manual.tex, src/plugbase.c, src/output-plugins/spo_alert_arubaaction.c, src/output-plugins/spo_alert_prelude.c, src/output-plugins/spo_database.c: Added deprecation warnings for database, alert_aruba_action, and alert_prelude output plugins. These output plugins are considered deprecated with this release and will be removed in Snort 2.9.3.
  * src/: decode.c, decode.h, detect.c, plugbase.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-plugins/sp_dynamic.c, detection-plugins/detection_options.c, preprocessors/spp_frag3.c, preprocessors/spp_sfportscan.c, preprocessors/stream_api.h, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_common.h, dynamic-preprocessors/dcerpc2/dce2_roptions.c, dynamic-preprocessors/dcerpc2/dce2_smb.c, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-preprocessors/sdf/spp_sdf.c: Refactored packet flags. Added new packet flags for raw in-order stream segment discrimination.
  * src/preprocessors/snort_httpinspect.c: Fixed an issue where gzip logging code misinterpreted the data being passed to it. Increased max_method_len to 256.
  * src/sfutil/bnfa_search.c: Fixed code defined by #ifdef ALLOW_NFA_FULL to compile and run. Thanks to Eric Olsen for identifying the issue.
  * src/: preprocessors/spp_rpc_decode.c, output-plugins/spo_alert_fast.c: Fixed compiler warnings.
  * Fixed session data lookup for meta data.
  * etc/: sf_rule_options.conf, sf_rule_validation.conf: Updated rule validation files with new rule options.
  * Fixed an error with incorrect SID numbers for some SMTP preprocessor rules. Thanks to Brian Hwang for reporting the issue.

2011-10-20 Ryan Jordan <ryan.jordan@sourcefire.com>

  * Snort 2.9.1.2
  * src/build.h: Build 84.
  * src/preprocessors/snort_httpinspect.c, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/HttpInspect/server/hi_server_norm.c, src/sfutil/util_utf.c, src/sfutil/util_utf.h: Added "Byte Order Mark" support for unicode in http_inspect. Support locating utf charset when spaces are present.
  * src/detection-plugins/sp_urilen_check.c: Fixed potential false positives when using urilen detection option.
  * src/sfdaq.c: Prevent underflow when calculating outstanding packets. Don't unload daq modules if --disable-dlclose was a configure option.
  * src/dynamic-plugins/sf_engine/sf_decompression.c, src/dynamic-plugins/sf_engine/sf_decompression.h, src/preprocessors/snort_httpinspect.c: Fixed http_inspect decompression and decompression API to decompress both raw and zlib deflated data.
  * src/: active.c, active.h, plugbase.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.c, dynamic-plugins/sf_dynamic_preprocessor.h: Snort dynamic API changes to inject response packets.
  * src/: sfdaq.c, sfdaq.h, snort.c, snort.h, preprocids.h, profiler.h, preprocessors/stream_api.h, preprocessors/spp_stream5.c, preprocessors/Stream5/snort_stream5_icmp.c, preprocessors/Stream5/snort_stream5_session.c, preprocessors/Stream5/snort_stream5_tcp.c: Added API and DAQ functions to get flow start and end events directly from the DAQ when no stream data is available.
  * Fixed building with --enable-debug.

2011-10-05 Ryan Jordan <ryan.jordan@sourcefire.com>

  * Snort 2.9.1.1
  * configure.in, rpm/snort.spec, src/build.h, src/win32/WIN32-Includes/config.h, src/win32/WIN32-Prj/snort_installer.nsi: Incremented version numbers to Snort 2.9.1.1
  * src/preprocessors/snort_httpinspect.c, src/preprocessors/HttpInspect/server/hi_server.c, src/sfutil/util_utf.c, src/sfutil/util_utf.h: Fixed an issue where Snort would sometimes stop processing traffic in a persistent HTTP 1.1 connection with a UTF-32 encoded response followed by a UTF-16 encoded response. Thanks to Hussein Bahaidarah for reporting this issue.

2011-08-23 Ryan Jordan <ryan.jordan@sourcefire.com>

  * Snort 2.9.1
  * src/build.h: Updated build number to 71.
  * src/preprocessors/HttpInspect/utils/hi_paf.c: Ensure HTTP 1.1 responses without length indicators (e.g., 304) are flushed at the end of the headers. Preprocessor rule 120:8 is fired at end of headers if content-length and transfer-encoding: chunked are not present, but not for response codes 1XX, 204, 304.
  * src/dynamic-preprocessors/smtp/smtp_util.c: Fixed an issue with SMTP logging while running in inline mode.
  * src/preprocessors/Stream5/snort_stream5_tcp.c: Free application and protocol state when a session is ... Ensure that seglist_next is NULL after being freed.
  * src/preprocessors/Stream5/stream5_paf.c: Verify paf configuration before enabling. Fixed flushing beyond "paf_max".
  * configure.in, src/Makefile.am, src/dynamic-examples/Makefile.am, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/reputation/reputation_config.c, src/dynamic-preprocessors/reputation/reputation_config.h, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/reputation/spp_reputation.h, src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c, src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h, src/dynamic-preprocessors/reputation/shmem/shmem_common.h, src/dynamic-preprocessors/reputation/shmem/shmem_config.c, src/dynamic-preprocessors/reputation/shmem/shmem_config.h, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h, src/dynamic-preprocessors/reputation/shmem/shmem_lib.c, src/dynamic-preprocessors/reputation/shmem/shmem_lib.h, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h, src/sfutil/Makefile.am, src/sfutil/segment_mem.c, src/sfutil/segment_mem.h, src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c, src/sfutil/sfrt_flat_dir.h, src/plugbase.c, src/snort.c, src/snort.h, src/util.c, src/util.h: Added support for shared memory between Snort processes. This is used in the IP Reputation preprocessor to share a single copy of IP whitelists & blacklists.
  * src/control/Makefile.am, src/control/sfcontrol.c, src/control/sfcontrol.h, src/control/sfcontrol_funcs.h, src/idle_processing.c, src/idle_processing.h, src/idle_processing_funcs.h, tools/Makefile.am, tools/control/Makefile.am, tools/control/README, tools/control/sfcontrol.c: Added a control channel, so that commands may be issued to a running Snort process by way of a Unix socket.
  * doc/README.reputation, doc/snort_manual.pdf, doc/snort_manual.tex: Updated Snort documentation; added documentation for Shared Memory and the Control Socket.
  * src/detection-plugins/sp_urilen_check.c, src/detection-plugins/sp_urilen_check.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/preprocessors/snort_httpinspect.c: Fixed the urilen rule option to look at reassembled packets. Added an extra parameter to specify whether to check raw or normalized uri buffer. Will check raw uri buffer by default.
  * Fixed a bug where the sensitive_data preprocessor gave an error while loading sensitive data rules.
  * src/decode.c, src/decode.h, src/generators.h, etc/gen-msg.map, preproc_rules/decoder.rules: Fixed an issue with decoding large numbers of IPv6 extension headers. Added rule 116:456 to safeguard against too many IPv6 extension headers. Thanks to Martin Schütte for reporting the issue.
  * src/preprocessors/snort_httpinspect.c: Fixed a bug where Snort wouldn't reload, giving the error that "Changing decompress_depth requires a restart".
  * etc/gen-msg.map: Commented out four rules from gen-msg.map, 133:44 through 133:47, because they were not yet implemented.
  * src/generators.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/utils/hi_paf.c, etc/gen-msg.map, preproc_rules/preprocessor.rules: Added two HTTP Inspect preprocessor rules: 119:28 - w/o content-length or transfer-encoding: chunked; 120:8 - message with invalid content-length or chunk size.
  * src/dynamic-preprocessors/: dcerpc2/sf_dce2.dsp, dns/sf_dns.dsp, ftptelnet/sf_ftptelnet.dsp, imap/sf_imap.dsp, isakmp/sf_isakmp.dsp, pop/sf_pop.dsp, reputation/sf_reputation.dsp, sdf/sf_sdf.dsp, sf_dynamic_initialize/sf_dynamic_initialize.dsp, sip/sf_sip.dsp, smtp/sf_smtp.dsp, ssh/sf_ssh.dsp, ssl/sf_ssl.dsp, src/win32/WIN32-Includes/stdint.h, src/win32/WIN32-Prj/sf_engine.dsp, src/win32/WIN32-Prj/snort.dsp, src/win32/WIN32-Prj/snort.dsw: Updated Win32 build files.
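The 116:456 entry above (too many IPv6 extension headers) describes a guard a decoder needs because the extension chain is attacker-controlled: each header's length field decides where the next one starts, and nothing in the protocol bounds how many there are. The block below is an added example for this page, not Snort's decoder. It walks the chain with a bounds check on every header before reading it and stops at a fixed count. MAX_EXT_HEADERS, the result codes and the sample packets are constructed for the example; the limit is not Snort's constant.

```c
/* Added example for this page, not Snort's decoder: a bounded walk of an
 * IPv6 extension-header chain, the kind of guard behind decoder rule 116:456
 * ("too many IPv6 extension headers"). Each header is bounds-checked before
 * it is read and the walk stops after MAX_EXT_HEADERS. The limit and the
 * sample packets are constructed for the example, not Snort's values. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN    40
#define MAX_EXT_HEADERS 8

/* IANA next-header values handled here, and walk result codes */
enum { NH_HOPOPTS = 0, NH_UDP = 17, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AH = 51, NH_DSTOPTS = 60 };
enum { IP6_TRUNCATED = -1, IP6_TOO_MANY_EXT = -2 };

static int is_ext_header(uint8_t nh)
{
    return nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_FRAGMENT ||
           nh == NH_AH || nh == NH_DSTOPTS;
}

/* Fragment is a fixed 8 bytes; AH is (len+2)*4 (RFC 4302); the others are
 * (len+1)*8 (RFC 8200). len is the header's second byte. */
static size_t ext_header_len(uint8_t nh, uint8_t hdr_ext_len)
{
    if (nh == NH_FRAGMENT) return 8;
    if (nh == NH_AH) return ((size_t)hdr_ext_len + 2) * 4;
    return ((size_t)hdr_ext_len + 1) * 8;
}

/* Returns the number of extension headers traversed (0..MAX_EXT_HEADERS)
 * and stores the upper-layer protocol in *upper, or a negative IP6_* code. */
int walk_ipv6_ext_headers(const uint8_t *pkt, size_t len, int *upper)
{
    size_t off = IPV6_HDR_LEN;
    int count = 0;
    uint8_t nh;

    if (len < IPV6_HDR_LEN) return IP6_TRUNCATED;
    nh = pkt[6];                                    /* fixed header's Next Header */
    while (is_ext_header(nh)) {
        size_t hlen;
        if (++count > MAX_EXT_HEADERS) return IP6_TOO_MANY_EXT;
        if (off + 2 > len) return IP6_TRUNCATED;    /* need nh and length bytes */
        hlen = ext_header_len(nh, pkt[off + 1]);
        if (off + hlen > len) return IP6_TRUNCATED; /* header not fully present */
        nh = pkt[off];
        off += hlen;
    }
    *upper = nh;
    return count;
}

/* Constructed packet: fixed IPv6 header, n_ext minimal 8-byte Destination
 * Options headers (one PadN option each), then UDP. Returns bytes written. */
size_t build_test_packet(uint8_t *buf, size_t cap, int n_ext)
{
    size_t len;
    int i;
    if (n_ext < 0) return 0;
    len = IPV6_HDR_LEN + 8 * (size_t)n_ext;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 0x60;                                  /* version 6 */
    buf[6] = n_ext > 0 ? NH_DSTOPTS : NH_UDP;
    buf[7] = 64;                                    /* hop limit */
    for (i = 0; i < n_ext; i++) {
        uint8_t *h = buf + IPV6_HDR_LEN + 8 * i;
        h[0] = (i + 1 < n_ext) ? NH_DSTOPTS : NH_UDP;  /* chain onward */
        h[1] = 0;                                      /* Hdr Ext Len 0 => 8 bytes */
        h[2] = 1; h[3] = 4;                            /* PadN option fills it */
    }
    return len;
}

/* Walk a constructed packet of n_ext headers with `cut` bytes removed from
 * the end to simulate truncation; returns the walk's result code. */
int walk_result(int n_ext, size_t cut)
{
    uint8_t buf[IPV6_HDR_LEN + 8 * 16];
    int upper;
    size_t len = build_test_packet(buf, sizeof buf, n_ext);
    return walk_ipv6_ext_headers(buf, len > cut ? len - cut : 0, &upper);
}

/* Upper-layer protocol reached for a constructed packet, or -1 on error. */
int upper_proto_of(int n_ext)
{
    uint8_t buf[IPV6_HDR_LEN + 8 * 16];
    int upper;
    size_t len = build_test_packet(buf, sizeof buf, n_ext);
    return walk_ipv6_ext_headers(buf, len, &upper) < 0 ? -1 : upper;
}
```

Two details carry the security weight: the length check happens before the header's own length field is trusted (so a truncated or lying header cannot push the read past the buffer), and the count is checked before the header is processed, so the cost of a hostile chain is bounded regardless of how the lengths are chosen.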

2011-07-19 Ryan Jordan <ryan.jordan@sourcefire.com>

  * Snort 2.9.1 RC
  * src/build.h: Updated build number to 63.
  * src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c, stream5_paf.h: Allow multiple preprocs to scan for PDUs on the same port. This fixes a problem with DCE autodetect using the same ports as HTTP. PAF tweak for single-segment full PDUs matching only-stream. Fixed an error in IDS mode when segments overlap and the sequence number wraps. Set default paf_max to 16K.
  * src/dynamic-preprocessors/reputation/reputation_config.c, src/dynamic-preprocessors/reputation/sf_reputation.dsp, src/win32/WIN32-Prj/snort.dsw, src/win32/WIN32-Prj/snort_installer.nsi: Fixed the IP Reputation preprocessor so that it would build on Windows.
  * src/dynamic-preprocessors/sip/sip_parser.c, src/dynamic-preprocessors/sip/spp_sip.c, doc/README.sip, etc/gen-msg.map, preproc_rules/preprocessor.rules: Added three new SIP preprocessor alerts.
  * preproc_rules/preprocessor.rules: Added a CVE reference for Rule 119:19. Added a reference to SMTP preprocessor rule 124:4. Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor that was missing the corresponding rule.
  * doc/: README.reputation, snort_manual.pdf, snort_manual.tex: Added a use case in the IP Reputation preprocessor documentation.
  * src/snort.c: Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD.
  * src/: fpcreate.c, log.c, detection-plugins/detection_options.c, detection-plugins/sp_byte_extract.c, dynamic-plugins/sf_engine/sf_snort_plugin_api.c, dynamic-plugins/sf_engine/sf_snort_plugin_content.c, dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, preprocessors/spp_normalize.c: Fixed compilation with the options "--disable-target-based --enable-paf". Fixed some compiler warnings.
  * tools/u2spewfoo/Makefile.am, src/win32/WIN32-Prj/snort.dsw: Added the u2spewfoo Windows project file to the Snort source tarball.
  * src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h, server/hi_server.c, utils/hi_paf.c: Support up to full 32-bit content-lengths
  * src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am, dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am, pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am, sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am, ssh/Makefile.am, ssl/Makefile.am: Fixed dynamic preprocessor Makefiles so that they can be built in parallel. Thanks to Eoin Miller for reporting the issue.
  * src/dynamic-preprocessors/: dcerpc2/sf_dce2.dsp, dns/sf_dns.dsp, ftptelnet/sf_ftptelnet.dsp, imap/sf_imap.dsp, isakmp/sf_isakmp.dsp, reputation/sf_reputation.dsp, sdf/sf_sdf.dsp, sf_dynamic_initialize/sf_dynamic_initialize.dsp, sip/sf_sip.dsp, smtp/sf_smtp.dsp, ssh/sf_ssh.dsp, ssl/sf_ssl.dsp, src/win32/WIN32-Prj/sf_engine.dsp, src/win32/WIN32-Prj/sf_engine_initialize.dsp, src/win32/WIN32-Prj/snort.dsp: Fixed the Win32 build to (1) not use .pch and (2) correct sed patterns on ipv6_port.h.
  * src/generators.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/include/hi_util.h, src/preprocessors/HttpInspect/user_interface/hi_ui_config.c, src/sfutil/util_unfold.c, etc/gen-msg.map, preproc_rules/preprocessor.rules, doc/README.http_inspect, doc/snort_manual.pdf, doc/snort_manual.tex: Added a new HTTP Inspect preprocessor alert, GID 119 SID 26. This rule checks for 200+ whitespaces in a folded header line from an HTTP request. A new config option was added to configure the allowable amount of whitespace. See README.http_inspect for more information. Added a new configuration option to http_inspect server configuration: "small_chunk_length { <chunk_size> <num_consec_chunks> }". Consecutive chunk lengths less than or equal to <chunk_size> will cause an event to be generated, with preprocessor rules for both client and server.
  * src/detection-plugins/sp_flowbits.c, src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c, src/dynamic-plugins/sf_engine/examples/Makefile.am, src/dynamic-plugins/sf_engine/examples/flowbits_test.c, src/dynamic-plugins/sf_engine/examples/rules, src/dynamic-plugins/sf_engine/examples/web-client_test.c: Only set/clear/toggle/unset a flowbit when all of the rule matches.
  * src/output-plugins/spo_alert_sf_socket.c, src/sfutil/sf_ip.h: Fixed a problem where Snort's generic IP address structure was being sent by the socket output plugin, including the IPs and Ports. The output plugin now only generates events for IPv4 packets, and is guaranteed to use uint32_t IPv4 addresses for interoperability.
  * src/sfutil/: sfrt.c, sfrt.h, sfrt_dir.c: Optimized some memory ...
  * etc/unicode.map: Updated unicode.map to match the unicode standard on Windows 7 SP1.
  * src/snort.c: Fixed a bug where Snort wouldn't daemonize on OpenBSD if the process was running as root. Thanks to Joshua Kinard for reporting the issue and supplying a patch.
  * src/: decode.c, detect.c: Tweaked the preprocessing loop to bypass app preprocs if no app data. Fixed a compilation error when active response is disabled.
  * src/detection-plugins/sp_tcp_flag_check.c: Fixed a couple spots where the "1" and "2" flags weren't renamed to "C" and "E".
  * configure.in: Add check for pkg-config and provide instructions to get it if pkg-config is not installed.
  * src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_common.h, stream5_paf.c, stream5_paf.h: When aborting PAF, flush at paf_max. Show single segment PAF packets and only short-circuit at correct sequence. Changed the pseudo-random flush point after each flush. Tweaked retransmission check to use actual sequence numbers instead of the adjusted sequence numbers. Thanks to Olaf Schreck for reporting this issue.
  * src/dynamic-preprocessors/sip/sip_parser.c, src/dynamic-preprocessors/sip/spp_sip.c, doc/README.sip, etc/gen-msg.map, preproc_rules/preprocessor.rules: Added a new SIP preprocessor alert for missing content type headers. Fixed an issue where the SIP preprocessor checked for Stream5 even if the SIP preprocessor was disabled.
  * etc/snort.conf: Sync'ed to VRT's latest snort.conf.
  * src/preprocessors/: perf-base.c, perf-base.h, perf-event.c, perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h, spp_perfmonitor.c: Split out Perfmon submodule Init and Reset, so that everything is initialized when the Perfmonitor preprocessor is initialized. Previously, some data was initialized on the first packet.

c. HttpInspect/include/hi_paf.h.h.tex. doc/snort_manual. src/dynamic-preprocessors/reputation/spp_reputation.jordan@sourcefire.h. * src/dynamic-plugins/sf_convert_dynamic.h. dynamic-preprocessors/dcerpc2/dce2_config.c.h. dynamic-preprocessors/dcerpc2/Makefile. * src/dynamic-plugins/sf_engine/examples: all rule files: Fixed compiler warnings.c. src/dynamic-preprocessors/smtp/snort_smtp.9. src/preprocids.c: Fixed performance issue: allocate the buffers used for filename.c. and flush/abort when exceeded. src/dynamic-preprocessors/smtp/smtp_util.h. * doc/README. src/dynamic-preprocessors/reputation/sf_reputation.c: Added protocol-aware flushing support for the dcerpc2 doc/Makefile. mailfrom and rcptto logging using mempool ('memcap' used to allocate the mempool). 2011-06-13 Ryan Jordan <ryan.dsp. See README. This preprocessor provides the ability to whitelist and blacklist packets based on IP> Snort 2. Added a fatal error when b64_decode_depth is used with src/dynamic-preprocessors/reputation/reputation_debug. Support full 32-bit content-lengths and chunk sizes. etc/ dynamic-plugins/sf_dynamic_plugins.c.rules. * src/preprocessors/: snort_httpinspect. dynamic-preprocessors/dcerpc2/dce2_paf. src/dynamic-preprocessors/reputation/reputation_utils.c: Don't enable paf unless stream ports configured for the given direction. src/dynamic-preprocessors/reputation/spp_reputation.h.c.reputation for more information. and only register port for given direction if corresponding flow depth is set. src/dynamic-preprocessors/smtp/spp_smtp.src/dynamic-preprocessors/reputation/Makefile. * src/: sf_types. dynamic-preprocessors/dcerpc2/ doc/README. src/dynamic-preprocessors/reputation/reputation_utils. HttpInspect/utils/hi_paf.h. preproc_rules/preprocessor.pdf. dynamic-preprocessors/dcerpc2/sf_dce2. add "(PAF)" to http inspect ports output to indicate when enabled. configure.h. dynamic-preprocessors/dcerpc2/dce2_paf. src/dynamic-preprocessors/reputation/ .dsp.reputation.c. 
spp_httpinspect.c. src/dynamic-preprocessors/smtp/ Added the IP Reputation preprocessor.c.SMTP. src/dynamic-preprocessors/smtp/smtp_config.c. doc/snort_manual. Stream5/snort_stream5_tcp. src/dynamic-preprocessors/reputation/reputation_config. doc/ Beta * configure. dynamic-preprocessors/dcerpc2/dce2_debug.c. src/dynamic-preprocessors/Makefile.c: Added the ability to convert shared object rules that use the preprocessor rule option.

Changed the default .http_inspect. . "string. * doc/snort_manual.Specifying one of "hex". preprocessor.Added a new option. Added decoder rules 116:453. configure should fail./configure options to match the requirements for the bundled snort.Updates to configure.Writing "string" without a number type defaults to decimal.http_inspect with memcap information. * etc/snort.rules Added new preprocessor rules for SIP.pop.tag. README. Added configurations for new preprocessors. etc. . . README. README. * src/build. * src/detection-plugins/sp_cvs. README.Updated README.rules. These rules were formerly covered by VRT rules. The "config enable_decode_oversized_alerts" option now applies to packets where the UDP header claims there is more data than actually exists. . README. README. * preproc_rules/: decoder.Fixed a typo in README.stream5. clarified "http_cookie" information. src/detection-plugins/sp_byte_extract. which allows Snort to read pcap files that are larger than 2 GB.c: Fixed a false positive in the CVS detection plugin. "dec". "--enable-large-pcap". and "oct" without using "string" results in an error.Fix zlib checks to use correctly named variable for checking zlib header and library existence.c: Made some changes to the byte_extract syntax: . README.relative. README.h: Updated build number to 46 * src/decode.counts . Can use --disable-ipv6 to turn it off. You can write "string.conf * doc/: INSTALL. README.Updated README.dec". README.Updated "byte_extract" section to reflect syntax changes . . . 116:454. 
snort -V should show IPv6 by default and VRT config should load without modification.tag. and off by default.1: . .conf: Synced snort.Improved the explanation of "rawbytes" .stream5 with documentation for Protocol Aware Flushing (PAF) .counts. snort_manual.Enable IPv6 by default in builds.Added documentation for the ESP decoder. The Teredo decoder now only processes packets in the Teredo prefix (2001:0000::/32) or the link-local prefix (fe80::/16). like in byte_test and byte_jump.Fixed an incorrect example in README. and 116:455. snort_manual.pdf.Improved the explanation of "max_queued_events" .oct". README. .normalize. "hex.sip.9.Added documentation for new SIP.The "string" and "hex/dec/oct" options are now independent of each other.conf with VRT's latest version.

c. .h: Changes include the following: . preprocessors/spp_frag3.c: .8. preprocessors/Stream5/stream5_common.c.c. regardless of whether there is TCP/UDP/etc.h. * src/output-plugins/spo_alert_full.h. Packets will no longer be tagged or logged if they are filtered or passed. Fixed an issue with reloading Snort while the default output options were used.c. util.Updated Stream5 to print that there are more ports than those printed.unfolding : trim spaces when required. sf_snort_detection_engine. sfutil/sf_ipvar. sfutil/sf_base64decode.This does not affect "align <num>" or "multiplier <num>".h for more details. preprocessors/HttpInspect/server/hi_server. * src/snort.c.h. * src/dynamic-plugins/sf_engine/: Makefile. detection-plugins/sp_base64_decode. .h.Override the content length with transfer encoding .am. The message "additional ports configured but not printed" is only printed when that is actually the case. fpdetect. sf_snort_plugin_api. See sf_decompression.h: Added a Decompression API that wraps Zlib for use with dynamic plugins. * src/preprocessors/Stream5: Ensured that reassembly doesn't require packet dropping in IPS mode.Attempt dechunking only when transfer-encoding: chunked is present. sf_decompression.2 addition of rule option tree).c. dynamic-plugins/sp_dynamic. * src/output-plugins/spo_log_tcpdump.c.c.c.h. preprocessors/Stream5/snort_stream5_tcp.Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds . .h. sfutil/sf_ipvar. * src/: pcap_pkthdr32. * src/: fpcreate. dynamic-plugins/sf_dynamic_preprocessor.c: fix output of filename / shutdown alerts sequence when iterating over multiple pcaps with --pcap-show --pcap-reset and console alerts (eg -A cmg or -A console:test).c. dynamic-preprocessors/smtp/smtp_util. sf_decompression. treenodes.c. Added a warning when max-pattern-len is defined twice.c. util.c. sfutil/sf_vartable. sfutil/sf_base64decode. preprocessors/HttpInspect/client/hi_client. 
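The UDP decoder behaviour described in the 2.9.0 Beta entry above (an oversized alert when the UDP header's length field claims more data than the packet carries) and in this entry (TCP/UDP decoder rules that need a fully decoded packet fire only if the checksum is correct and the port is not ignored), as an added Python example for the UDP case. It is not Snort's decoder: the packet builder, the alert strings and the ignored-port list are constructed for the example, and the checksum is verified against the IPv4 pseudo-header only.

```python
"""Added example, not Snort source: a minimal UDP-over-IPv4 decoder with the
length and checksum gating described in the changelog."""
import struct
from typing import Dict, Iterable, Optional

UDP_HDR_LEN = 8
IPPROTO_UDP = 17


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: fold 16-bit words, return the complemented 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """IPv4 pseudo-header that the UDP checksum covers."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_UDP, udp_len)


def decode_udp(src_ip: bytes, dst_ip: bytes, segment: bytes) -> Dict[str, object]:
    """Decode the UDP header that follows the IP header.

    `segment` is every byte the IP layer actually delivered.  The result records
    whether the length field oversizes the datagram (the case the
    enable_decode_oversized_alerts option now covers) and whether the checksum verified.
    """
    if len(segment) < UDP_HDR_LEN:
        return {"decoded": False, "oversized": False, "csum_ok": False, "sport": None,
                "dport": None, "payload": b"", "alerts": ["udp header truncated"]}
    sport, dport, ulen, csum = struct.unpack("!HHHH", segment[:UDP_HDR_LEN])
    alerts = []
    oversized = ulen > len(segment)   # header claims more data than exists
    undersized = ulen < UDP_HDR_LEN   # length cannot even cover the header
    if oversized:
        alerts.append("udp length exceeds captured data (oversized)")
    if undersized:
        alerts.append("udp length shorter than header")
    decoded = not (oversized or undersized)
    datagram = segment[:ulen] if decoded else b""
    if not decoded:
        csum_ok = False               # nothing reliable to verify against
    elif csum == 0:
        csum_ok = True                # UDP over IPv4 allows an unset checksum
    else:
        csum_ok = ones_complement_checksum(pseudo_header(src_ip, dst_ip, ulen) + datagram) == 0
        if not csum_ok:
            alerts.append("udp checksum mismatch")
    return {"decoded": decoded, "oversized": oversized, "csum_ok": csum_ok, "sport": sport,
            "dport": dport, "payload": datagram[UDP_HDR_LEN:], "alerts": alerts}


def full_decode_rule_may_fire(decoded: Dict[str, object], ignored_ports: Iterable[int]) -> bool:
    """Gate for decoder rules that need a fully decoded datagram: the checksum must
    verify and neither port may be on the (constructed) ignore list."""
    ignored = set(ignored_ports)
    return bool(decoded["decoded"] and decoded["csum_ok"]
                and decoded["sport"] not in ignored and decoded["dport"] not in ignored)


def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes,
              claimed_len: Optional[int] = None) -> bytes:
    """Construct a UDP segment with a valid checksum; claimed_len forges the length field."""
    ulen = UDP_HDR_LEN + len(payload) if claimed_len is None else claimed_len
    hdr = struct.pack("!HHHH", sport, dport, ulen, 0)
    csum = ones_complement_checksum(pseudo_header(src_ip, dst_ip, ulen) + hdr + payload)
    csum = csum or 0xFFFF             # a computed zero is transmitted as all-ones
    return struct.pack("!HHHH", sport, dport, ulen, csum) + payload


# Constructed sample packets (documentation-range addresses).
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 20])
GOOD_SEGMENT = build_udp(SRC_IP, DST_IP, 53, 40000, b"hello")
OVERSIZED_SEGMENT = build_udp(SRC_IP, DST_IP, 53, 40000, b"hello", claimed_len=100)
CORRUPT_SEGMENT = GOOD_SEGMENT[:-1] + b"X"   # payload byte changed after checksumming

if __name__ == "__main__":
    for name, seg in (("good", GOOD_SEGMENT), ("oversized", OVERSIZED_SEGMENT), ("corrupt", CORRUPT_SEGMENT)):
        d = decode_udp(SRC_IP, DST_IP, seg)
        print(name, d["alerts"], "rule may fire:", full_decode_rule_may_fire(d, ignored_ports=[]))
```

The gating matters for evasion resistance: a datagram whose checksum fails would be discarded by the receiving host, so a decoder rule that fires on it produces noise an attacker can generate at will, while a forged length field is reported as its own decoder anomaly rather than being silently truncated.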
Snort will move on to the next file if one fails to load.SnortStrcasestr uses slen now.c.c: Update Frag3/Stream5 to print bound addresses. better descriptions of detect anomalies and port lists. When reading several pcap files with --pcap-dir. * src/: parser. dynamic-plugins/sf_dynamic_plugins.c.c: Update alert_full to print rule references.Updated Frag3 to print meaningful detect anomalies configuration .c.h: Update pattern matcher and sort functions to correctly sort by priority as well as implement sorting by content_length (which was never done with 2.

c.c. detection-plugins/sp_pkt_data. dynamic-plugins/sf_engine/sf_snort_plugin_content. parser.c.c. detection-plugins/sp_pkt_data.c. dynamic-plugins/sp_dynamic. preprocessors/HttpInspect/server/hi_server_norm. log. This is configured with "config log_ipv6_extra_data".c. dynamic-plugins/sf_engine/sf_snort_plugin_api. e. detection-plugins/sp_base64_data. src/output-plugins/ preprocessors/Stream5/snort_stream5_tcp.6} to DLT_RAW for compatibility with libpcap 1. detection-plugins/sp_byte_extract.c.h. * src/parser. dynamic-preprocessors/ftptelnet/pp_telnet. dynamic-preprocessors/smtp/snort_smtp.c.c."Alt Detect": set by file_data. src/snort. HTTP Inspect .c. preprocessors/ detection-plugins/sp_ftpbounce.c. preprocessors/spp_rpc_decode.h. detection-plugins/sp_byte_check.c. rule_option_types.c.c. detection-plugins/sp_pcre. detection_util.h.h. detection-plugins/sp_byte_jump.c: The "file_data" and "base64_data" rule options now set the buffer for any rule options that follow them.h.c. detection-plugins/sp_file_data.h.dsp.c. dynamic-plugins/sf_engine/sf_snort_packet. detection-plugins/sp_isdataat. preprocessors/HttpInspect/server/hi_server.h. detect. . base64_data. .c.c.c. dynamic-plugins/sf_dynamic_plugins. detection-plugins/Makefile.c. detection-plugins/detection_options. src/dynamic-preprocessors/sip/sf_sip.c. detection_util.c. dynamic-preprocessors/ftptelnet/snort_ftptelnet.c. dynamic-plugins/sf_convert_dynamic.c.h.c.c.h."Alt Decode": set by preprocessor normalization. dynamic-plugins/sf_dynamic_engine.Raw packet data The AltDetect buffer can also be set by custom .h: IPv6 source and destination addresses are now logged in Unified2 as extra data events.c.c. dynamic-plugins/sp_dynamic. src/parser.c. The detection code now uses 3 separate buffers: . preprocessors/snort_httpinspect. dynamic-plugins/ rules. dynamic-preprocessors/ftptelnet/pp_ftp.h. dynamic-preprocessors/smtp/smtp_util. dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c.h. plugbase. fpcreate. 
detection-plugins/sp_pattern_match.c.h. fpdetect.c. dynamic-plugins/sf_engine/sf_snort_detection_engine.c .c.h.h.h.c. This applies to both relative and non-relative rule options.c.h. src/dynamic-preprocessors/sip/sip_config.0 fix 'mixed decls and code' compiler warning * src/: decode. dynamic-plugins/sf_dynamic_preprocessor. * src/dynamic-preprocessors/sip/Makefile. dynamic-plugins/sf_dynamic_define. etc. dynamic-preprocessors/smtp/snort_smtp.c. dynamic-plugins/sf_engine/examples/detection_lib_meta. log_text. src/sfutil/Unified2_common.

dynamic-plugins/sf_engine/ Added a new preprocessor for SIP traffic.h.c.c.c.c.c: Make Frag3 OpenBSD Vuln alert only happen if the frag policy is 'linux' (which includes OpenBSD).c. src/dynamic-preprocessors/sip/sip_roptions.c.src/dynamic-preprocessors/sip/sip_config.h. src/dynamic-preprocessors/sip/sip_utils. ByteTest. dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c. src/dynamic-preprocessors/sip/test/Makefile. src/dynamic-preprocessors/sip/spp_sip. src/dynamic-preprocessors/Makefile. Added support for ByteExtract variables to the . detection-plugins/sp_pattern_match.c.h.c. src/dynamic-preprocessors/sip/sip_debug. dynamic-plugins/sf_engine/sf_snort_plugin_api. dynamic-plugins/sf_dynamic_define. dynamic-plugins/sf_engine/ Fixed the TTL on encoded response packets. detection-plugins/sp_pattern_match.c.c. and isdataat. detection-plugins/sp_byte_extract.c. * src/: dynamic-preprocessors/dcerpc2/dce2_utils. dynamic-plugins/sf_engine/ src/dynamic-preprocessors/sip/sip_roptions. preprocessors/Stream5/snort_stream5_tcp. src/dynamic-preprocessors/sip/sip_parser. configure.c. * src/: fpcreate. preprocessors/spp_normalize. dynamic-plugins/sf_engine/sf_snort_detection_engine. preprocessors/spp_frag3.sip. This reduces false positives to only occur when frag3 policy is linux and it's an actual linux system. dynamic-preprocessors/dcerpc2/spp_dce2. src/dynamic-preprocessors/sip/sip_dialog. which is the only OS on which the vulnerability was present.c.h.c. doc/README.h.c. dynamic-plugins/sf_engine/sf_snort_plugin_api. src/dynamic-preprocessors/sip/sip_parser.h. dynamic-plugins/sf_engine/sf_snort_plugin_loop.c. src/dynamic-preprocessors/sip/spp_sip. detection-plugins/sp_byte_extract.c. The 'bsd' policy is NOT used for OpenBSD. * src/: encode. src/dynamic-preprocessors/sip/test/sip_test. * src/dynamic-preprocessors/pop/: all files . dynamic-plugins/sf_engine/sf_snort_detection_engine.h. 
etc/ rule versions of rather than the alert occurring regardless of frag policy. src/dynamic-preprocessors/sip/ src/dynamic-preprocessors/sip/sip_utils.c.h.h: Update to not inspect HTTP method buffer with Snort's fast pattern engine.c. preprocessors/Stream5/stream5_common.h. Rules with only HTTP method content end up as non-content rules.c. See README.c. * src/: detection-plugins/Makefile.c.c.h. dynamic-plugins/sf_convert_dynamic.h. dynamic-plugins/sf_engine/Makefile. dynamic-plugins/sf_engine/sf_snort_plugin_pcre.h. ByteJump.c. This eliminates a short cycle of searches with fast pattern on every initial HTTP request.c.

c. for use by the new email preprocessors. preprocessors/spp_stream5. For DAQ modules and hardware that supports it.Added a new preprocessor for POP traffic.h.c. src/log_text. * src/util.h. src/preprocessors/Stream5/snort_stream5_icmp.c. src/sfdaq.h: Added support in Stream5 for Protocol Aware Flushing (PAF). src/preprocessors/snort_httpinspect. src/preprocessors/Stream5/snort_stream5_udp.h.c.c.c. src/dynamic-plugins/sf_dynamic_define. src/preprocessors/Stream5/stream5_common.h. src/preprocessors/HttpInspect/include/hi_paf. src/preprocessors/Stream5/stream5_paf. * src/sfutil/: sf_email_attach_decode. src/ Added support for uuencoded email attachments.h. * configure. src/preprocessors/HttpInspect/mode_inspection/hi_mi.c. src/snort_debug.h. src/preprocessors/HttpInspect/utils/ src/parser. src/dynamic-plugins/sf_engine/sf_snort_packet. src/ src/sfdaq.h.h.c. src/snort. See README.h. src/preprocessors/HttpInspect/Makefile. src/decode. See README.c.h.c.imap for more information.pop for more src/preprocessors/Stream5/snort_stream5_tcp.c. src/encode. src/sfutil/sf_textlog.h: Update Snort to return a DAQ verdict of whitelist (meaning don't send Snort any more packets) for sessions that are being ignored in both directions or ports that are configured to ignore. this should result in a performance gain because Snort no longer has to decode packets that are part of that connection.h. src/active.c: Added an error message when opening a pid file fails.c.c. * src/dynamic-preprocessors/imap/: all files Added a new preprocessor for IMAP traffic.h.h: Base64 decoding was moved to its own section in sfutil.c. src/preprocessors/stream_api.c. PAF allows Snort to statefully scan a stream and reassemble a complete PDU regardless of segmentation. . src/encode. * src/dynamic-preprocessors/sdf/spp_sdf. src/preprocessors/HttpInspect/utils/hi_paf.c.c.c.h. src/active. used for HTTP response bodies & decoded email attachments.h. src/detection-plugins/sp_respond3. server/hi_server.c. 
src/detection-plugins/sp_react.c.h.c: The Sensitive Data preprocessor now inspects the "file_data" buffer. src/preprocessors/Stream5/snort_stream5_tcp.c: The Set-Cookie: and Cookie: headers won't be included in the cookie buffers.h.c. src/log_text. preprocessors/stream_api. src/preprocessors/HttpInspect/server/hi_server. src/preprocessors/Stream5/stream5_common. sf_email_attach_decode. src/preprocessors/HttpInspect/include/Makefile. src/preprocessors/Stream5/Makefile. * src/preprocessors/HttpInspect/: client/hi_client. * src/: snort. src/preprocessors/Stream5/stream5_paf.c. src/preprocessors/spp_httpinspect. src/preprocessors/Stream5/snort_stream5_session. src/preprocessors/spp_stream5.

Stream5/snort_stream5_session.pdf.h: * src/preprocessors/: spp_sfportscan.h.c: * src/output-plugins/: spo_alert_fast.c.c. doc/snort_manual.c: added support for ignoring UDP channels. The IPS mode reassembly policy has been refactored to do stream normalization within the first policy. * src/preprocessors/: stream_ignore. doc/snort_manual.h. preprocessors/spp_normalize. Packets can no longer be trimmed below the minimum ethernet frame length.h. preprocessors/perf-base. snort_manual.h.c. src/: snort.c.c: * src/dynamic-plugins/sf_engine/: sf_snort_packet.jordan@sourcefire.c: Update perfmonitor to create new files prior to dropping privs 2011-03-16 Ryan Jordan <ryan.c.5 * src/build. parser.tex: Fixed the normalization preprocessor to call its post-initialization config functions during a policy reload.c: TCP timestamp options are only NOPed by the Normalization preprocessor if Stream5 has seen a full 3-way> Snort> * src/build.c: Improve handling of DAQ failure codes when Snort is shutting down.h: Increment Snort build number to 132 * src/snort. spp_frag3.stream5 for more details. A lightweight session will be created to track the UDP channel. snort_manual.c. stream_ignore. perf-base.c: Updated portscan to set protocol correctly in raw packet for IPv6 and changed the encoder to recognize portscan packets as pseudo packets so that the checksum isn't calculated * src/: sfdaq.c: Added a "config vlan_agnostic" setting that globally disables Stream's use of vlan tag in session tracking." option. allowing the preprocessor to determine when HTTP sessions are flushed by Stream5.c. Stream5/snort_stream5_udp. and timestamps weren't negotiated.h.c.Added PAF support to HTTP Inspect.c. encode.h: doc/: README. * * * * * .
Packets injected by the normalization preprocessor are now counted in the packet statistics.normalize.h: Increment Snort build number to 134 * src/: decode.c: * src/preprocessors/Stream5/: stream5_common.h: src/preprocessors/: spp_frag3. See README. * src/win32/: most files Updated Snort and its libraries to build/link against MFC. 2011-03-23 Steven Sturges <ssturges@sourcefire.c: * src/preprocessors/: normalize. util. Stream5/snort_stream5_tcp. * src/preprocessors/spp_perfmonitor. preprocessors/perf-base.9.0.". preprocessors/normalize. perf-base. preprocessors/spp_normalize. TOS clearing is now configurable with "normalize_ip4: tos.

Thanks to Jason Wallace for reporting this issue.http_inspect.c: HTTP Inspect's "unlimited_decompress" option now requires that "compress_depth" and "decompress_depth" are set to their max values. Belated thanks to Dwane Atkins and Parker Crook for reporting a related issue that was fixed in Snort 2. This caused the active response feature to generate incorrect RST packets if the original packet had a VLAN tag. dynamic-plugins/sf_dynamic_engine. Thanks to Cleber S.c: Fixed a false positive in the CVS detection plugin.h. spp_ftptelnet.8: Fixed the man page's URL regarding the location of Snort rules. instead waiting for the reassembled packet. doc/snort_manual. It was incorrectly parsing CVS entries that had a '+' in between the 3rd and 4th slashes. preproc_rules/preprocessor. src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c. * src/decode. snort. Thanks to Dwane Atkins for reporting this issue. etc/snort. This behavior is consistent with IPv4 decoding. The Teredo proto bit was not unset after hitting the limit on IP layers.tex.rules: Updated references to rule 125:1:1 src/preprocessors/spp_perfmonitor. src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib. dynamic-plugins/sf_dynamic_define. The decoder no longer attempts to decode Teredo packets inside of IPv4 fragments. src/preprocessors/snort_httpinspect.c.4 build 111.c: Fixed a problem where encoded packets had their lengths calculated incorrectly.c: * * * * * * * * * . Updated documentation regarding these changes.The "normalize_ip4: trim" option is automatically disabled if the DAQ can't inject packets.conf: Updated the default snort. src/: fpcreate. src/encode.c: Fixed the size formatting of an error message argument when compiling with --enable-rzb-saac.conf with max compress and decompress depths to enable unlimited decompression of gzipped HTTP responses. If the DAQ tries and fails to inject a given packet. * src/detection-plugins/sp_cvs.0. snort_ftptelnet. 
Thanks to Michael Scheidell for reporting an out-of-date man page section. Moved the zlib initialization such that gzipped responses are still inspected if the zipped data starts after the first Stream-reassembled packet is inspected.9.h.c: Changed a pointer comparison to a size check for code readability. Brandão for reporting this issue.h. * src/preprocessors/HttpInspect/: client/hi_client.c: Fixed an error that prevented compiling with --disable-dynamicplugin. doc/README. IPv6 fragmented packets are no longer inspected unless they have an offset of zero and the next layer is UDP. Thanks to Martin Schütte for reporting an issue where fragged ICMPv6 packets were being inspected.c: Fixed an issue with decoding too many IP layers in a single packet. the wire packet is not blocked.c: Perfmonitor files are now created after Snort changes uid/gid. server/hi_server.c. preprocessors/Stream5/snort_stream5_tcp.

4 * src/build. perf-flow. snort_manual. doc/Makefile. Re-worded uricontent's description.jordan@sourcefire. so that they can be applied to the raw Thanks to Bruce Corwin for reporting this src/dynamic-plugins/sf_engine/examples/Makefile.h: Increment Snort build number to 111. README. 2011-02-28 Ryan Jordan <ryan. The verdict from defragged packets is no longer perf-base. Added "--enable-sourcefire" description. Added missing semicolons to rule option examples.pdf: Added documentation for the option "small-segments".stream5. perf-base. * configure. which led to a faulty length check. README.Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside the ftp_telnet preprocessor to avoid a naming conflict with similar functions in HTTP Inspect. * src/preprocessors/HttpInspect/client/hi_client. * src/fpcreate. snort_manual. 2011-02-10 Ryan Jordan <ryan. src/ Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this issue.c: Fixed a FIN sequence number handling issue. src/snort.frag3.c: Deleted the call to fpDeletePortGroup() prior to calling FatalError().am. src/snort. Thanks to Jason Wallace for pointing out the issue. Thanks to Markus Lude for submitting a patch that fixed errors in the man page.9.0. where RST after FIN caused a false positive on Stream5 preprocessor rule 129:15. README.c: src/preprocessors/HttpInspect/server/hi_server.h: Fixed comparisons between signed and unsigned int.c: Updated Snort man page to match the output of "snort --help". src/dynamic-preprocessors/dns/spp_dns. doc/README.c. Removed "-o" from the list of valid options.rzb_saac. * src/parser. Updated team members. src/dynamic-preprocessors/Makefile. . * src/preprocessors/: perf.c. Thanks to Joshua Kinard for sending in several patches to the manual. README.jordan@sourcefire.9.c: Fixed portvar parsing code to correctly display names of undefined portvars.c. * doc/: INSTALL. 
* src/preprocessors/Stream5/snort_stream5_tcp. * doc/:> Snort> Snort 2.c: Fixed a bug in the way partial HTTP headers are handled.http_inspect.c: Fixed portvar parsing code to correctly dislpay names of undefined portvars.c. src/dynamic-preprocessors/rzb_saac/Makefile. Minor edits to punctuation on "ssl_version" examples.rzb_saac: Added SaaC readme. perf-flow. src/util.4 * src/build.tex. Updated "enable_cookie" documentation. Added documentation for "iis_encode" in http_encode keywords. since it was removed a while ago.

c: Added startup log message to show that the preprocessors are inactive when added to snort. src/dynamic-preprocessors/rzb_saac/rzb_http-server.c.c.c.h.c: Updated the Frag3KeyCmp and Stream5KeyCmp functions to handle 32bit sparc platforms where 64bit pointer comparisons can cause bus errors.c: Rules that use a "depth" value lower than the length of their content now cause an error.c. Stream5/snort_stream5_session. snort_manual. preproc_rules/preprocessor. src/dynamic-plugins/sf_engine/examples/: detection_lib_meta. instead of counting all packets to enter the initial function.h. 2" to "C. src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h.c: Added Razorback SaaC to the dynamic-preprocessors. src/: preprocessors/portscan. Depth should be >= the content length. src/detection-plugins/sp_pattern_match.* * * * * * * * * * * * * src/dynamic-preprocessors/rzb_saac/rzb_debug.http_inspect. preprocessors/spp_sfportscan. Use --enable-rzb-saac to build it. dce2_smb. Updated frag3 startup log to indicate the memcap from which prealloc fragments were generated. dynamic-preprocessors/dcerpc2/dce2_config. they will be discarded. . faq. E". instead of being the same size. src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo. If extra bytes at the end of a request corrupt the next request. src/dynamic-preprocessors/rzb_saac/rzb_debug.c. src/dynamic-preprocessors/rzb_saac/ reorganization.c: Fixed a bug that caused dcerpc2 to reassemble some segments incorrectly. win32/WIN32-Includes/config.h: Portscan preprocessor's hash table is now allocated based on the memcap.c.pdf. src/dynamic-preprocessors/rzb_saac/rzb_http.c.c: Changed the reserved bits flags "1. src/detection-plugins/sp_tcp_flag_check.c: Fixed the error message during parsing of HTTP inspect server config. Cookie buffer includes "Cookie" header name for HTTP requests and "Set-Cookie" for HTTP responses. The old values can still be used for backwards compatibility. src/dynamic-preprocessors/rzb_saac/rzb_http-client. 
doc/: faq. src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h. Moved the initgroups call to a separate function and call it from the main thread. src/preprocessors/: spp_frag3. src/dynamic-preprocessors/rzb_saac/spp_rzb-saac. cookie buffer points to the HTTP header src/preprocessors/snort_httpinspect.c. src/dynamic-preprocessors/ssl/spp_ssl.h.tex: Updated cookie documentation. Thanks to Stephan for reporting this issue. src/detection-plugins/sp_clientserver. src/dynamic-preprocessors/rzb_saac/sf_preproc_info. src/dynamic-preprocessors/rzb_saac/rzb_http-collector.h.conf as "disabled".h. src/dynamic-preprocessors/rzb_saac/rzb_http-server. src/dynamic-preprocessors/rzb_saac/rzb_http-client.c.h: Removed extraneous ifdef src/: preprocessors/spp_frag3. Make it a warning.c: Updated the SSL preproc to count the packets it processes. snort_manual. doc/: README.pdf: Updated FAQ based on snort.h. src/dynamic-preprocessors/dcerpc2/: dce2_co. dce2_utils.c. When enable_cookie is disabled.rules: Added references to FTP and SMTP preprocessor rules.c.c: Fixed an erroneous error check so that "no_frag" and "no_stream" can be used in the same "flow" rule option.

c: Update content to check for HTTP_RESP_BODY in packet flag if option is relative and not using rawbytes. preprocessors/HttpInspect/normalization/hi_norm.h.rules: Added a reference to preprocessor. * preproc_rules/preprocessor. preprocessors/HttpInspect/include/hi_norm.c: Truncated ESP traffic is now handled correctly.pdf: Fixed Snort manual descriptions of some rule options.h: Increment Snort build number to 98 * doc/: snort_manual.jordan@sourcefire. preprocessors/snort_httpinspect. * src/dynamic-preprocessors/smtp/smtp_config. it no longer requires Stream5.c: When the SMTP preprocessor is started in a "disabled" state. Moved the Initialize function out of hi_ui_config. sp_byte_jump. * src/detection-plugins/: detection_options. Moved the lookup table such that they are initialized only once. it no longer requires Stream5. preprocessors/HttpInspect/include/hi_ui_config.c: discriminate between ip4 and ip6 raw packets Thanks to Gerald Maziarski for reporting this issue.c.tex. * doc/INSTALL: Update doc/INSTALL with instructions for building on OpenBSD. snort_manual.rules references to match VRT. * src/detection-plugins/: detection_options. Changed whitespace in several areas to be more consistent.c. * src/decode. 2010-12-20 Ryan Jordan <ryan.h.conf: Update with snort. * src/: decode.3 * src/build.c. preprocessors/HttpInspect/server/hi_server.h.c.c. Print the SMTP MIME config details with snort output. CRLFs are no longer placed in the status message buffer.conf from VRT .c.c.c. decode. preprocessors/spp_httpinspect. the data is now inspected as a normal body.h.c.c: Fixed a false positive due to a large chunk length followed by a small> Snort 2. * src/dynamic-preprocessors/smtp/spp_smtp. * etc/snort. preprocessors/HttpInspect/client/hi_client. preprocessors/HttpInspect/include/hi_client.c: When the SMTP preprocessor is started in a "disabled" state.h. 
Thanks to rmkml for bringing the issue to our attention.c: Fixed a problem with handling UDP/IPv6 over Teredo where the inner UDP header was malformed.* src/: detection_util. snort.9. * preproc_rules/preprocessor. * src/dynamic-preprocessors/smtp/spp_smtp.c: Print alert_unknown_commands in SMTP config of snort output. * src/: decode.rules: Updated preprocessor.h. Max mime mem example changed from 1000 to 4000. Updated manual for distance / within / offset / depth combos.rules. * many files: Updated all Sourcefire copyright notices to the year 2011.0. fpdetect. sp_pattern_match. sp_pattern_match. When de-chunking returns error. Thanks to Joshua Kinard for submitting several fixes.c: restore doe flags along with doe pointer.

c: Fix return value for SSL rule options * src/: plugbase. remove the stream5 alerts.9. * src/preprocessors/spp_frag3. Randall Rioux. content matches following file_data:mime should not enter fast pattern matcher. snort_manual. distance.h: Fixed overlaps in various flags in the Shared Object rule API.0 versions need to be recompiled.c.h. * doc/: README. HttpInspect/mode_inspection/hi_mi. The IPFW DAQ now builds on OpenBSD. Thanks to Dave Bertouille and Daniel Clemens for pointing out issues> Snort 2. * src/: snort.c: Set the dce preproc bit in HTTP only when server flow depth is -1 * src/dynamic-preprocessors/dcerpc2/: dce2_co. * src/detection_util. and many others for reporting this.2 * preproc_rules/preprocessor. preprocessors/snort_httpinspect. This fixes the use of depth.9.h: write correct pid to file for glibc2.c.pdf. sf_snort_plugin_api. Previous code was blindly copying new IP options over top of existing ones. * src/dynamic-plugins/sf_engine/: sf_snort_detection_engine. and within on uricontent options.h: Bumped minor version number in example detection lib. dce2_utils. * src/build.c: Fixed a couple of memory leaks.c.c: Moved non-zero initializations in the PatternMatchData struct to the NewNode() function. * src/preprocessors/HttpInspect/mode_inspection/hi_mi.0. util.2 / linux threads * src/preprocessors/: snort_httpinspect. * src/dynamic-preprocessors/ssl/spp_ssl.h: * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: * src/preprocessors/Stream5/snort_stream5_tcp.jordan@sourcefire. * src/detection-plugins/sp_pattern_match.rules: Added a reference to an 0day ProFTP bug in a FTP preprocessor dce2_utils. Thanks to Eoin Miller for helping track this issue and provide test scenarios.c: Fixed an instance where HTTP session data was not checked.5 * daq/os-daq-modules/Makefile. util. Reject invalid combinations of distance/within and offset/depth including repeated keywords. includes/smb. DAQ 0. Shared Object rules from previous 2. 
Thanks to Ross Lawrie.tex: Update to the snort manual. Reset file_data_ ptr once stream flush is done and stream reassembled packet is processed.c: * src/preprocessors/HttpInspect/client/hi_client. dce2_smb.c: Count only acked segs for flushing post-ack.* src/dynamic-plugins/sf_engine/examples/detection_lib_meta. offset.c: Fix memory leak when there are two zero offset fragments with different IP options.h: Increment Snort build number to 92 * src/preprocessors/Stream5/snort_stream5_tcp.c.h: use offset or remaining fields and overwrite as appropriate instead of always appending data * src/preprocessors/HttpInspect/server/hi_server. 2010-11-15 Ryan Jordan <ryan. reference the gen-msg.c: Fixed an error in the handling of HTTP Session Data.c: fix file_data:mime in So rules.

h. src/preprocessors/spp_stream5.c. win32/WIN32-Libraries/> Snort 2. server/hi_server.c in terms of how Snort is interpreting the ovector from pcre_exec. win32/WIN32-Includes/pcreposix. * src/: decode.h. * src/preprocessors/Stream5/snort_stream5_tcp. * etc/gen-msg. * src/detection-plugins/sp_pcre. * src/preprocessors/HttpInspect/: client/hi_client. As is.jordan@sourcefire.9.tex: Added "flush_factor".* preprocessors/Stream5/snort_stream5_tcp. * src/target-based/sf_attribute_table.c: urgent pointer handling corrected for one byte of urgent data at the start of a segment. Fixed incorrect line wrap (thx Shawn Thompson).h.c: fix flush after initial when acks are withheld conditional on NORMALIZER . preprocessors/HttpInspect/server/hi_server.lib: Update Win32 libpcre to newer version and use --enable-newline-is-cr instead of --enable-newline-is-any. preprocessors/snort_httpinspect. * src/parser.c.c.y: Set YYMAXDEPTH to something that covers large number of services for a single win32/WIN32-Includes/pcre. snort_manual.h. preprocessors/snort_httpinspect.pdf. The general case of an N-byte urgent payload prefix would be handled here by removing the == 1 limit in urg_offset == 1 but that restriction is not safe until we flush urgent data. plugbase.h: Increment Snort build number to 82.c: Fix issue when handling overlap limit enforcement.c: Correct calculation of offset to its original now that libpcre is fixed. * src/preprocessors/Stream5/snort_stream5_tcp.1 * doc/: snort_manual. 2010-11-01 Ryan Jordan <ryan.tex: Fix use of config flowbits_size and update default to 1024. values for within and depth updated * src/build.c. This change improves the performance by disabling detect on packet when the packet is beyond the specified flow depth. urgent data is never flushed in reassembled packets and can only be detected in raw packets. Apply server flow depth on a session basis rather than per packet basis. pointer handling. detection_util.h.0.c.h.
doc/ Added rules 120:4 and 120:5 to gen-msg. Thanks to rmkml and Miguel Alvarez for pointing out the issue.c: Correct setting of dup_opt_func and cleanup existing opt_func list beforehand to address parse-time leak.c. server_flow_depth now takes values from -1 to 65535 * src/parser. Also added comments to sp_pcre. * src/: detection-plugins/sp_pcre. doc/snort_manual.c: HTTP header buffers (raw/normalized) now include the missing \n (of \r\n\r\n).

mstring. detection-plugins/sp_ftpbounce. src/decode.c.process stream after window slam unless normalizing fully separate pre-ack flush from post-ack flush to ensure switching on policy for listener direction.c. detection-plugins/sp_react. snort_manual. detection_util. window slam * src/preprocessors/Stream5/: rule for ICMP DOS to decoder.pdf. * etc/gen-msg. If present. preprocessors/HttpInspect/server/hi_server.c.c: inspect stream inserted packets to check if they have a valid HTTP response. add stream5_tcp: flush_factor <#> * doc/snort_manual. . decode. encode. detection-plugins/sp_base64_data.h. detection-plugins/sp_byte_extract. added preprocessor rule 129:19.c.c. detect. stream5_common.http_inspect * src/signature.c: When extended_response_inspection is not enabled check for "HTTP" Update Makefile to include docdir * src/encode.c: remove commented out printfs * src/preprocessors/HttpInspect/server/hi_server. server/hi_server.c. detection-plugins/detection_options. tweak flush point tracing.h: Ported .c. fpdetect. * doc/: README. use the ttl passed as an argument instead of the packet's IP header. src/generators. * src/decode. * preproc_rules/preprocessor.c.c: Make parent_wait variable volatile so it doesn't get optimized out.c: In CheckIPv4_MinTTL(). preprocessors/snort_httpinspect.h. src/detection-plugins/sp_ttl_check. * tools/u2boat/Makefile.rules: adds preprocessor rule 129:19 * etc/gen-msg.c.c.http_inspect. fpdetect. snort_manual. allow window limit greater than 16-bit.rules. When there is a single segment HTTP response inspect the body. * src/preprocessors/HttpInspect/: client/hi_client. preproc_rules/decoder. Update manual * src/util.c. detection-plugins/sp_isdataat.c.tex: Update Manual and README. detection-plugins/sp_pattern_match. detection-plugins/sp_byte_check.c.
src/generators.c: file data ptr should be set to the decode buffer when the http response body is normalized.c. apply flow depth otherwise do not disable detect and don't apply flow depth. Don't wait for the reassembled packet (due to flush point issues) * src/: detection_util.c.c.c: inspect stream reassembled packets only when stream reassembly is turned on. Also fix the parsing for ttl. detection-plugins/sp_pcre.c.tex.c.c. detection-plugins/sp_byte_jump.c: set ack number appropriately * src/preprocessors/snort_httpinspect.c.c.h.c: Allow >= and <= with ttl keyword. log_text.c. * src/: active.

c. * src/preprocessors/Stream5/snort_stream5_tcp.c. detection-plugins/sp_urilen_check.h. . dynamic-plugins/sf_engine/sf_snort_plugin_content. dynamic-plugins/sf_dynamic_preprocessor.9. preprocessors/ * doc/README. preprocessors/HttpInspect/server/ rules to reference a single soid metadata. preprocessors/HttpInspect/server/hi_server.http_inspect: * doc/README.tex: clarify use of multiple --daq and config daq.c.c. README. signature. detection-plugins/sp_byte_check.c.c. * src/: parser.c.c: error on multiple --daq args 2010-10-04 Ryan Jordan <ryan.c.c: add buffer length attribute to alt decode buffer and don't set alt decode flag for alt_dsize changes which are indicated by that value being non-zero.c. Updated README.c. preprocessors/spp_httpinspect.wireless: * doc/snort_manual. preprocessors/HttpInspect/normalization/hi_norm.c.ipv6.INLINE: * doc/README.c. dynamic-plugins/sf_engine/sf_snort_plugin_api. * src/: decode.c.detection-plugins/sp_base64_decode.c.h: Allow multiple .c.ipv6: * doc/README.0 * doc/Makefile.FLEXRESP2: * doc/README. preprocessors/Stream5/snort_stream5_tcp. preprocessors/HttpInspect/client/hi_client.c. output-plugins/spo_unified2. detection-plugins/sp_byte_extract. detection-plugins/sp_pattern_match. * src/parser. dynamic-preprocessors/smtp/smtp_util.c.c.c. snort_manual. dynamic-plugins/sf_engine/sf_snort_detection_engine. dynamic-preprocessors/ftptelnet/pp_ftp. preprocessors/spp_httpinspect. dynamic-plugins/sf_dynamic_engine.c.c.FLEXRESP: * doc/> Snort 2.c. signature.tex: Removed obsolete README files. dynamic-plugins/sf_dynamic_common.c.c. detection-plugins/sp_pcre.stream5: * doc/README.pdf.c. detection-plugins/sp_ftpbounce.h. detection-plugins/sp_file_data.h.c: purge listener for pre-ack Flip the direction to match that the configurations in stream5_tcp.c: add new keyword to http_encode to detect ascii encoding * src/dynamic-plugins/sf_engine/sf_snort_plugin_api. dynamic-preprocessors/ftptelnet/snort_ftptelnet.
preprocessors/HttpInspect/normalization/hi_norm. detection-plugins/sp_isdataat.h.daq. dynamic-preprocessors/ftptelnet/pp_telnet.c: Propagate noalert back to detection option tree. detection-plugins/sp_byte_jump. dynamic-plugins/sf_dynamic_plugins. preprocessors/ * doc/: README. dynamic-plugins/sf_engine/sf_snort_plugin_pcre. dynamic-preprocessors/smtp/snort_smtp.c. snort_manual.c.c.

h: Updated version numbers.c: * src/fpcreate.Documented other changes made below.h: src/sfutil/Makefile.h: src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: Shared Object rules which use HTTP Content as their Fast Pattern should now work * preproc_rules/preprocessor.l: Miscellaneous code cleanup. src/preprocessors/HttpInspect/client/hi_client.rules: * src/generators.h: src/preprocessors/HttpInspect/include/hi_norm. * etc/gen-msg.h: src/detection-plugins/detection_options.c: src/preprocessors/HttpInspect/user_interface/hi_ui_config.dsp: HTTP Inspect now handles "chunked" Transfer-Encoding for any Content-Encoding.c: src/sfutil/util_utf. * src/dynamic-plugins/sp_dynamic.c: src/preprocessors/HttpInspect/event_output/hi_eo_log.c: src/preprocessors/HttpInspect/include/hi_eo_events.h: src/preprocessors/HttpInspect/include/hi_server_norm.c: src/parser.c: src/dynamic-preprocessors/sdf/sdf_detection_option.c: src/preprocessors/HttpInspect/server/hi_server.c: src/target-based/sf_attribute_table_parser.c: src/dynamic-preprocessors/ssl/spp_ssl.c: src/dynamic-preprocessors/sdf/spp_sdf.c: src/ppm.c: src/dynamic-preprocessors/sdf/sdf_pattern_match.h: src/preprocessors/HttpInspect/normalization/hi_norm.c: src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h: src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: src/ppm.h: src/dynamic-plugins/sp_preprocopt.spec: * src/build.h: src/profiler.h: Added new preprocessor rules for HTTP Inspect and Frag3.c: src/dynamic-plugins/sf_dynamic_engine. Removed an old preprocessor rule for the already-removed dcerpc preprocessor.c: src/preprocessors/HttpInspect/server/hi_server_norm.c: src/preprocessors/snort_httpinspect.h: src/preprocessors/spp_httpinspect.c: src/dynamic-preprocessors/dcerpc2/dce2_roptions.c: src/preprocessors/snort_httpinspect.h: src/preprocessors/HttpInspect/include/hi_ui_config.c: src/dynamic-plugins/sf_engine/sf_snort_packet. src/decode.
Other preprocessor rules had to be modified as part of the new Stream5 rule option listed snort_head/snort/src/win32/WIN32-Prj/snort. * rpm/snort.c: src/sfutil/util_utf.c: src/decode.

* Added a new decoder alert for IPv6 extension headers that don't follow the RFC's recommended order. enabled by Stream5.jordan@sourcefire. * Teredo packets with another layer of UDP on top will now display the correct port numbers in console output. * Fixed tagging to log tagged packets regardless of filtering. * Documentation Updates: Updates to HTTP inspect README and Snort Manual. * The Sensitive Data preprocessor no longer searches HTTP headers for PII. 2010-06-23 Steven Sturges <ssturges@sourcefire. * Fixed a bug in the validation of IPv6 option lengths. < and > operators are used with each other. 2010-09-03 Ryan Jordan <ryan.not just for gzipped responses. as this introduced unnecessary false positives. * Snort resized packets are now dropped and injected as required by> .9. * Fixed a problem with evaluating UDP rules on Teredo traffic.<client server both> [. but in a "disabled" state. * More informative dynamic preprocessor loading error messages. HTTP Inspect now normalizes server responses that use UTF-16 or UTF-32 charsets. Fixed a bug where Stream5 reassembled on all ports when sfportscan was in snort.0 RC * Fixed clean shutdown after reload. * src/preprocessors/portscan.c: * src/preprocessors/spp_sfportscan. * Fixed Snort I/O Totals reporting injected packets with IPFW when NO packets are injected externally. It enables/disables Stream reassembly for the session that matches the rule. where the result of rule evaluation on the outer UDP * Changed the default search method in> Snort Added a preprocessor rule option. Fixed a bug that caused false positives on Stream5 rule 129:4. HTTP Inspect now decompresses responses with "Content-Encoding: deflate". * Fixed mempool initialization of free list count bug reported by zhangz@risinginfo.
* Added preprocessor alerts to alert when Snort sees a client hello after a server hello or when Snort sees a server hello without a client hello when trustservers is disabled.c: Fixed an issue with some Stream5 sessions not being cleared until shutdown.noalert]". In addition. * Updated README for daq with updated information on firewalls with FreeBSD and OpenBSD * Added more complete error checking to "byte_extract" rule option parsing. the "us_social_nodashes" rule is now off by default to avoid false positives.conf. * Fixed a bug in the normalization of HTTP responses with both gzipped Content-Encoding and chunked Transfer-Encoding. The syntax is "reassembly: <on off>.c: * src/preprocessors/Stream5/snort_stream5_tcp. * Reduced false positives on decoder alerts when "config deep_teredo_inspection" is enabled. * Tweaked Snort's dynamic preprocessor example. * Added parser error to fragoffset: Error when !.conf from "ac-bnfa" to "ac-split".

active: * doc/README.c: * src/ * src/win32/WIN32-Includes/libnet/Devioctl.h: * src/win32/WIN32-Includes/mysql/libmysqld.h: * src/win32/WIN32-Includes/mysql/raid.h: * src/win32/WIN32-Includes/libnet/libnet.c: * src/preprocessors/normalize.h: * src/detection-plugins/sp_respond.c: * src/detection-plugins/sp_respond2.h: * src/win32/WIN32-Includes/libnet/libnet-ospf.h: * src/win32/WIN32-Includes/libnet/IPExport.h: * src/win32/WIN32-Includes/mysql/config-os2. * src/active.lib: * src/inline.h: * src/win32/WIN32-Includes/libnet/libnet-headers.h: * src/win32/WIN32-Includes/libnet/gnuc.h: * src/win32/WIN32-Includes/libnet/LibnetNT.h: * src/win32/WIN32-Includes/mysql/my_dbug.c: * src/decode.h: * src/win32/WIN32-Includes/mysql/my_global.h: * src/win32/WIN32-Includes/libnet/NTDDNDIS.http_inspect: * doc/README.h: * src/win32/WIN32-Includes/libnet/Ntddpack.tex: Updated descriptions of rule options.def: * src/win32/WIN32-Includes/mysql/m_ctype.h: .h: * src/log_text.h: * src/win32/WIN32-Includes/libnet/libnet-asn1.c: * src/log_text.h * src/win32/WIN32-Includes/mysql/my_pthread.h: * src/win32/WIN32-Includes/mysql/my_sys.H: * src/win32/WIN32-Includes/libnet/PACKET32.c: * src/inline.c: * src/log.ssl: * doc/snort_manual.h: * src/win32/WIN32-Includes/libnet/ Update messages for IPv6 decoder events.h: * src/win32/WIN32-Includes/mysql/my_getopt.h: * src/win32/WIN32-Includes/mysql/mysqld_error.h: * src/win32/WIN32-Libraries/libnet/LibnetNT.def: * src/win32/WIN32-Includes/mysql/libmysql.h: * src/win32/WIN32-Includes/mysql/config-win.h: * src/win32/WIN32-Includes/libnet/ifaddrlist.H: * src/win32/WIN32-Includes/mysql/config-netware.h: * src/win32/WIN32-Includes/mysql/mysql_embed.h: * src/win32/WIN32-Includes/mysql/m_string.h: IPv6 decoding updates * src/decode.c: * src/preprocessors/spp_normalize.c: Remove dead files. * etc/gen-msg.h: * src/win32/WIN32-Includes/libnet/libnet-macros.h: * src/win32/WIN32-Includes/libnet/libnet-structures.c: DAQ capability updates * src/decode.
* src/win32/Makefile.h: * src/win32/WIN32-Includes/libnet/packet_types.h: * src/generators.h: * src/win32/WIN32-Includes/libnet/libnet-functions.h: * src/win32/WIN32-Includes/libnet/IPHlpApi.* doc/README.

2010-06-16 Ryan Jordan <ryan.h: * src/snort.Improvement of packet output when obfuscating IP addresses.h: * src/preprocessors/spp_httpinspect. Use .c: * src/preprocessors/HttpInspect/server/hi_server.daq there for * src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c: Updated state tracking for FIN_WAIT_2 and LAST_ACK * src/sfdaq.c: Updates to handling of SSL rule options when handshake says SSLv2 but certificate is SSLv3 and interaction with Stream reassembled packets. * src/parser. * src/detection-plugins/sp_byte_jump.c: * src/preprocessors/HttpInspect/include/hi_ui_config.c: Update to handling string format detection.c: Improved handling of gzip decoded buffer for fast pattern searches./configur .c: Chunk encoding processing updates.h: * src/preprocessors/HttpInspect/Makefile. ./configure --enable-flexresp --enable-flexresp2 are deprecated. Use .c: * src/sfdaq. * src/detection-plugins/sp_react. * src/preprocessors/Stream5/snort_stream5_tcp.h: * src/dynamic-preprocessors/ssl/spp_ssl.c: Use lookup for HTTP method validation.h: * src/preprocessors/HttpInspect/include/Makefile.c: Updates to parsing of IP variables with negated IP ranges.c: * src/preprocessors/HttpInspect/utils/Makefile.c: * src/preprocessors/snort_httpinspect.0 Beta * Snort uses the DAQ library for packet acquisition and> Snort 2.normalize for more.c: * src/preprocessors/snort_httpinspect.c: Added HTTP header to response payload. * src/dynamic-preprocessors/libs/ssl. * src/fpdetect.c: Updates to multiplier parameter handling.c: Handle -g/-u limited with DAQ modules that require root privs.c: * src/util.c: Display configuration information at startup./configure --enable-inline and --enable-ipfw are deleted. * src/preprocessors/HttpInspect/client/hi_client./snort -Q to activate inline mode for DAQs that support it. . * src/dynamic-preprocessors/ftptelnet/pp_ftp. * A normalizer preprocessor has been added to help minimize evasion vectors.
* The react rule option has been rewritten to correct a number of issues.jordan@sourcefire. Just run .9. See README. * Flexresp and flexresp2 have been replaced with a new flexresp3 module that supports the rule keywords from each. You can also customize the injected content with config * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: * src/dynamic-preprocessors/libs/ssl. * src/dynamic-preprocessors/sdf/ * src/preprocessors/HttpInspect/include/hi_cmd_lookup./configure --enable-normalizer to build and config normalize_* to enable. See the README. * src/preprocessors/HttpInspect/client/hi_client.c: * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.

* The Sensitive Data preprocessor now prints its configuration on startup. * Fixed an issue where copying an SO rule stub to modify the rule action. * Added 18 decoder rules for different types of malformed IPv6 headers. This saves bytes from the packet into variables for use by other options. Also. In addition. * Added a tools directory. These programs can be used to turn Unified2 files into pcaps and console output. * . block and sblock rules have been added as synonyms for drop and sdrop to help avoid confusion between dropped packets and blocked packets. within) * byte_test (offset. * Snort has a new active response capability. You can also set a normalization value with config new_ttl. Added dynamic allocation functions allocRuleData() and freeRuleData() mainly for data stored on a stream session and to utilize a new configuration option to put a memcap on the amount of data SO rules allocate. For example. depth. respectively. * Snort shutdown output now includes new counts so you can see if any events are not being reported due to event queue and pattern matching configurations. * Snort will print encapsulated layers in text output. * Added support for byte_extract variables in the following rule options * content (offset. * Added negation support to SSL preprocessor rule options ssl_state and ssl_version * Added support for Intel's Soft CPM for use as a fast pattern matcher. IPs and/or ports didn't work as expected. * Fixed the Snort RPM so that it installs the Sensitive Data preprocessor. sdrop. Updated storeRuleData() and getRuleData() API functions. Configure with config response. * Moved 24 content-less rules into the packet decoder. * BPFs can be written for IPv6. and reject rules. * Fixed issue when specifying a --pcap-dir where Snort would fatal error if there was a broken symbolic link under the directory. Build it with . * Fixed possible non-runtime memory leak in SO rule preprocessor rule options.
* Added decoder support for Encapsulated Security Payload (ESP) with NULL encryption.conf. * SO rule updates. This mode enables automatically sending TCP resets and ICMP unreachables. distance. * Moved the rules/ directory into its own separate tarball. * Added the "byte_extract" detection option./configure --enable-active-response. * Passive mode Snort can now inject packets for drop. .e --enable-react to for more. comparison value) * byte_jump (offset) * isdataat (offset) * Added decoder support for Teredo tunneling (IPv6 over UDP over IPv4). you can now validate BPFs. * Updated the description of the "-h" option in the Snort help output./snort -T has been expanded to validate more than just the conf. * Snort no longer depends on libnet and uses libdnet instead. * Initial iteration of DCE/RPC preprocessor removed. with "u2boat" and "u2spewfoo"./configure --enable-timestats has been eliminated but the shutdown output of packet rates has been made standard. * Replaced Unified with Unified2 in snort. * config min_ttl is now policy specific. .

New config options "enable_mime_decoding". Gzip decompressed Data. * Snort will now throw validation error for ipvar definition with negated ip list that is more general than other ip list in definition. 2010-04-16 Ryan Jordan <ryan. This client IP will now be logged to the unified2 output when HTTP Inspect is configured with enable_xff.* Set state in SSL preprocessor even if record is truncated.dcerpc2: * doc/README.sensitive_data: * doc/README. "max_mime_depth" and "max_mime_mem" are added to SMTP configuration to support this feature.stream5: * doc/snort_manual. This argument will set the doe_ptr to the start of the base64 decoded MIME attachment.PerfProfiling: * doc/README. * Added a new argument "mime" to the detection option "file_data". * Fixed false positives caused by using the fast_pattern option with the "only" argument on an http content in a rule.config: * etc/gen-msg. * Added a new mode "inline-test". * Created new decoder event for ICMP PATH MTU denial of service attempt.frag3: * doc/README. * Added support to u2spewfoo to read the Original Client IP.tex: Updated Snort documentation * etc/classification. The "base64_data" points the doe_ptr to the start of the base64 decoded buffer. Wdrop Alerts. The drop rules will be loaded and will be triggered as a Wdrop (Would Drop)> * doc/README. stream5 now resets flowbits on a timeout.flowbits: * doc/ . * Fixed SSL preprocessor to potentially update state before reassembled packet is decoded.dcerpc: * doc/README. * Added support for IP variable substitution. This mode simulates the inline mode of snort. * Added the support to extract the original client IP from the X-Forwarded-For or True-Client-IP headers. The "base64_decode" decodes the base64 encoded data. * Added support to print the Gzip decompressed data with cmg output. The command line option --enable-inline-test and snort config option policy_mode:inline_test added to support this feature.
* Fixed inconsistencies in behaviour with user defined rule types. * Fix OpenBSD compile with --enable-prelude.jordan@sourcefire. * Fixed issue in SO rules converted to text rules that were not setting multiplier correctly. allowing evaluation of inline behavior without affecting traffic. * Added the "base64_decode" and "base64_data" detection option.http_inspect: * doc/README.sfportscan: * doc/README. * Snort will now fatal error if adaptive profiles is enabled in any policy other than the default policy. * Fixed inconsistency with flowbits behaviour if stream session timed out.

h: src/preprocessors/HttpInspect/include/hi_mi. src/dynamic-preprocessors/sdf/sdf_credit_card.c: For byte_test.conf: Replaced snort.c: src/detection-plugins/sp_byte_check. * src/detection-plugins/sp_pattern_match.c: src/preprocessors/HttpInspect/include/hi_include.c: src/preprocessors/HttpInspect/client/hi_client.h: src/dynamic-preprocessors/sdf/sdf_us_ssn.c: Removed instances of the word "porn" from Snort.h: src/preprocessors/HttpInspect/mode_inspection/hi_mi. Fixed the ability to reload Snort with sensitive_data turned on.c: src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: * src/dynamic-plugins/sf_engine/sf_snort_packet.h: src/preprocessors/HttpInspect/include/hi_util. Adaptive profiling must be turned on for this. byte_jump.c: src/dynamic-preprocessors/sdf/sdf_detection_option.h: src/preprocessors/stream_ignore.h: src/preprocessors/HttpInspect/include/hi_server. * src/dynamic-plugins/sf_convert_dynamic.* etc/snort.c: * src/decode.c: src/preprocessors/HttpInspect/server/hi_server. Fixed bugs in the parsing of "sd_pattern" rules that overlapped. * src/detection-plugins/detection_options. * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: Social Security numbers are now required to have non-digits on either side in order to cause a match.c: src/preprocessors/snort_httpinspect. * src/decode.c: src/dynamic-preprocessors/sdf/sdf_pattern_match.h: src/preprocessors/HttpInspect/include/hi_ui_config. src/mempool.c: src/dynamic-preprocessors/sdf/spp_sdf.h: src/generators. U.c: src/detection-plugins/sp_byte_jump.c: The FTP preprocessor now marks data channels with the "ftp-data" service identifier.
Fixed a duplicate entry in * src/detection-plugins/sp_react.h: * src/dynamic-plugins/sp_dynamic.h: src/target-based/sftarget_protocol_reference.h: Moved the sensitive data preprocessor's preproc rule to GID 139.c: src/preprocessors/spp_stream5.c: src/dynamic-preprocessors/sdf/spp_sdf.c: src/preprocessors/HttpInspect/user_interface/hi_ui_config.h: Added alert for IPv6/UDP packets with zero checksum.c: src/preprocessors/HttpInspect/normalization/hi_norm.c: Changed the parsing of dynamic detection plugins to register dynamic rules per policy.c: src/preprocessors/stream_api.c: src/dynamic-preprocessors/sdf/sdf_pattern_match.conf with the version we ship in the rules tarball.c: src/detection-plugins/sp_isdataat.c: Fixed a valgrind error.

c: * src/preprocessors/sfprocpidstats.def: src/win32/WIN32-Includes/mysql/libmysql.http_inspect: Added support for extended ascii codes in HTTP request URI using a new configurable option "extended_ascii_uri" src/win32/Makefile.h: src/win32/WIN32-Includes/mysql/my_list.h: src/win32/WIN32-Includes/mysql/config-win.dsw: src/win32/WIN32-Prj/snort_installer.h: src/win32/WIN32-Includes/mysql/mysql_com.h: src/win32/WIN32-Includes/mysql/config-netware. Use this to set the maximum amount of memory used for gzip decompression.h: src/win32/WIN32-Includes/mysql/libmysqld.jordan@sourcefire.c: * src/preprocessors/Stream5/snort_stream5_tcp.def: src/win32/WIN32-Includes/mysql/m_ctype.h: src/win32/WIN32-Includes/mysql/mysqld_error.dcerpc2: Removed "events" from default configuration.h: src/win32/WIN32-Includes/mysql/mysql.h: src/win32/WIN32-Includes/mysql/config-os2.h: src/win32/WIN32-Includes/mysql/raid. Fixed a conflict between MSSQL headers and the newer Windows Platform SDK.c: Fixed a memory leak.h: src/win32/WIN32-Includes/mysql/my_global.h: src/win32/WIN32-Includes/mysql/my_dbug.h: src/win32/WIN32-Includes/mysql/mysql_version.h: src/win32/WIN32-Includes/mysql/my_alloc. The "+" sign is now normalized to a space.h: src/win32/WIN32-Includes/mysql/my_pthread.c: Fixed an issue that could cause Snort to take minutes to reload.nsi: Updated the MySQL client library in the Windows build.c: Unblocked signals that Snort does not handle src/win32/WIN32-Includes/config. * src/preprocessors/sfprocpidstats.h: src/win32/WIN32-Includes/mysql/mysql_embed.h: src/win32/WIN32-Includes/mysql/my_sys.h: Added a "max_gzip_mem" option to http_inspect.* src/preprocessors/snort_httpinspect.sensitive_data * doc/README.
2010-01-27 Ryan Jordan <ryan.c: * src/preprocessors/Stream5/snort_stream5_udp.h: src/win32/WIN32-Prj/snort.h: src/win32/WIN32-Includes/mysql/errmsg.h: src/win32/WIN32-Includes/mysql/mysql_time.h: src/win32/WIN32-Includes/mysql/m_string.h: * src/preprocessors/spp_perfmonitor. Added a "disable" option to http_inspect so that a memcap can be set without enabling http_inspect across all VLANs.h: src/win32/WIN32-Includes/mysql/typelib. * doc/README. * src/> * doc/ Added README.h: src/win32/WIN32-Includes/mysql/my_getopt. * src/preprocessors/Stream5/snort_stream5_session.

map: Added sig ID for http_inspect's chunk size Updated makefile/configure script to optionally build dynamic examples.h: Updated build number. * doc/README.INLINE: Content replacement now allows replacement strings of varying sizes. * src/dynamic-plugins/sf_dynamic_plugins. Thanks to Guise McAllaster for reporting this issue. Thanks to Markus Lude for raising the issue. also fixed a warning in hi_client. * src/detection-plugins/sp_pcre.c * src/dynamic-examples/Makefile.conf: Fixed typos.c: checksum calculation for icmpv6 added. Rioux for reporting this issue. also fixed a warning in hi_client. * etc/gen-msg. * src/decode. * src/checksum. * etc/snort. * doc/snort_manual.multipleconfigs: Limit number of individual networks per line to 512.c: checksum calculation for icmpv6 added. * src/detection-plugins/sp_pattern_match.stream5: Removed "min_ttl" option.h: checksum calculation for icmpv6 added. * src/detection-plugins/sp_replace. updated the Snort manual to match the README updates. Default "dynamicengine" entry is now specified by directory. Also copy only the decompressed data into the decode buffer. Eliminated the kick-ass and the lotion. added the latest stream alerts.c: Check if file_data is within the packet boundaries and set the search depth accordingly. * src/detect. * src/detection-plugins/sp_asn1. Also copy only the decompressed data into the decode buffer. also fixed a warning in hi_client.c: Formatting changes.c: .am: Update makefile/configure script to optionally build dynamic examples.tex: Fixed typos. Thanks to Randal T.config. c * src/decode.h: * src/event_queue.c: Pcre new options fix. Updated with new PCRE options. * doc/README.c: * src/detection-plugins/sp_ip_proto. * doc/README. Raw options and status options weren't matching as expected. * src/dynamic-plugins/sf_dynamic_preprocessor.c: Replaced strtol and strtoul with inline functions that reset errno first.
* etc/classification.c: * src/detection-plugins/sp_byte_check.h: Change the pattern match to search only the HTTP response body when extended response inspection is enabled. * src/ * src/Makefile.c: Replaced strtol and strtoul with inline functions that reset errno first.Changed the pattern match to search only the HTTP response body when extended response inspection is enabled. c * src/configure. Fixed linker option on Solaris 10 to use nanosleep.config: Cleaned up classification.

c: * src/dynamic-preprocessors/sdf/sdf_pattern_match. * src/obfuscation. * src/dynamic-preprocessors/sdf/sdf_detection_option. * src/output-plugins/spo_log_tcpdump.c: * src/dynamic-preprocessors/dcerpc2/dce2_roptions.h: * src/dynamic-preprocessors/smtp/sf_preproc_info.h: * src/preprocessors/HttpInspect/include/hi_ui_config.c: * src/dynamic-preprocessors/sdf/sdf_credit_card. Thanks to Allan Adkins for reporting this issue.src/event_queue. * src/fpcreate.h: src/snort. * src/dynamic-preprocessors/sdf/spp_sdf.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Made a debug message optionally compilable.h: Fixed a bug where Snort would log a packet other than the one triggering the alert.h: * src/dynamic-preprocessors/dns/sf_preproc_info.c: * src/dynamic-preprocessors/sdf/spp_sdf.h: Updated build version number.h: * src/preprocessors/HttpInspect/include/hi_include. * src/dynamic-preprocessors/sdf/sdf_us_ssn.c: * src/preprocessors/HttpInspect/include/hi_eo_events.h: Added license text. Sensitive data rules must use the preprocessor's generator ID.c: * src/dynamic-preprocessors/libs/sfparser. * src/dynamic-preprocessors/dcerpc2/dce2_debug.c: src/dynamic-preprocessors/dcerpc2/snort_dce2.c: src/sfutil/sfeventq.h: Added alert for HTTP chunk size mismatch. Added the ability to search HTTP Uri buffers for sensitive data.h: * src/dynamic-preprocessors/sdf/sdf_pattern_match. Added check for the Issuer Number in credit card numbers. * src/dynamic-preprocessors/sdf/.c: * src/dynamic-preprocessors/sdf/sdf_detection_option. Fixed the pcap header for pseudo-packets generated by the preprocessor.c: * src/preprocessors/HttpInspect/event_output/hi_eo_log.h: * src/dynamic-preprocessors/ssh/sf_preproc_info.h: Fixed double-free when the preprocessor was enabled in multiple policies.cvsignore: Added .h: src/preprocessors/spp_frag3. 
* src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h: * src/preprocessors/HttpInspect/include/hi_util.h: .c: Replaced strtol and strtoul with inline functions that reset errno first. * src/preprocessors/HttpInspect/client/hi_client.cvsignore file * src/dynamic-preprocessors/sdf/sdf_credit_card.c: * src/preprocessors/spp_perfmonitor.h: * src/dynamic-preprocessors/ssl/sf_preproc_info. Fixed error when using the same sensitive data rule in multiple policies.h: Added license text.c: * src/output-plugins/spo_unified2.c: * src/parser.h: Added license text.c: * src/dynamic-preprocessors/sdf/sdf_us_ssn.c: OpenBSD update * src/generators.c: Fix use of -L option to work correctly.h: * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.c: src/snort.c: * src/preprocessors/Stream5/snort_stream5_tcp.

* src/win32/WIN32-Prj/snort_installer. * src/preprocessors/perf. Added support for extended ascii codes in HTTP request URI using a new configurable option "extended_ascii_uri" Added an alert for incorrect chunk size fields. which is no longer the current version.h: Updated build number. 2009-12-21 Ryan Jordan <ryan. * doc/README.h: * src/win32/WIN32-Prj/snort.h: * src/win32/WIN32-Includes/zlib/zlib.c: Fixed null deref when "rotate stats" signal was caught w/out perfmon enabled.c: attribute table printing .3 to Win32 build. * src/preprocessors/spp_httpinspect.h: . * doc/snort_manual.filters: Slight change to indicate that filters were introduced in 2.dsp: Add zlib 1. * rpm/snort.conf: Fixed typos.8.h: adding zlib version information for snort -V * src/win32/Makefile.* src/preprocessors/HttpInspect/server/hi_server.5.dcerpc: Added deprecation Add zlib 1. * doc/README. * etc/gen-msg. * src/win32/WIN32-Includes/config.spec: Updated version number. * src/build.c: Moved definition for snort_conf. * src/debug. Added "SafeMemCheck" function.c: Added http response stats.c: Fixed a case where the HTTP Inspect preprocessor would disable the Sensitive Data preprocessor. Added examples for Unified2 output and Sensitive Data preprocessor config.3 to Win32 build.tex: Updated for HTTP rule options and other cleanup. * doc/README.nsi: Added Sensitive Data preproc to Windows installer script.flowbits: Added documentation for flowbit groups. * src/preprocessors/snort_httpinspect.http_inspect: Added documentation for new HTTP rule options. Modified "SafeMemcpy" and "SafeMemset" to use it.jordan@sourcefire.dcerpc2: Added note about fast pattern> * doc/README. * doc/README.c: Decompressed bytes read will now be based on the total out of zstream. * src/decode.c: * src/util. * doc/TODO: Removed obfuscation code from the TODO.2.h: * src/win32/WIN32-Includes/zlib/zconf. * src/target-based/sftarget_reader.2.converting to host order before printing the ip address * src/util. 
* src/bounds.h: Formatting Added new Stream5 alert for the "TCP 4-way handshake" * etc/snort.

c: * src/detection-plugins/sp_ip_fragbits. allow replace with different size strings.c: * src/detection-plugins/sp_dsize_check.h: Moved option_type_t to its own header file.c: * src/detection-plugins/sp_ip_proto.c: * src/detection-plugins/sp_clientserver.h: * src/rule_option_types.c: * src/detection-plugins/sp_icmp_type_check.h: allowing flowbits group name only with set and toggle operations check if the content rules have http modifiers.c: Updated to use new Obfuscation API.h: .c: * src/detection-plugins/sp_ftpbounce.c: * src/sfutil/mpse.c: * src/event_wrapper.h: * src/sfutil/acsmx2.c: * src/detection-plugins/sp_byte_check.c: * src/detection-plugins/sp_ip_proto.c: need to check from the relative depth for bounds adjust the bounds while replacing to prevent buffer overflow. * src/detection-plugins/sp_pattern_match.c: * src/detection-plugins/sp_icmp_seq_check. * src/detection-plugins/sp_replace. * src/sfutil/mpse.h: * src/rules.h: * src/tag.c: * src/detection-plugins/sp_flowbits.c: * src/detection-plugins/sp_icmp_id_check.c: * src/rate_filter.h: * src/fpcreate. * src/detection-plugins/sp_isdataat. * src/detection-plugins/detection_options. * src/detection-plugins/sp_asn1. * src/detection-plugins/detection_options.h: OTNs and RTNs were moved to their own header file.c: * src/detection-plugins/sp_byte_jump. * src/detection-plugins/sp_flowbits.c: negated isdataat support.h: Added support for ac "split" pattern matcher to use less memory with improved performance over * src/detection-plugins/sp_file_data.c: * src/detection-plugins/sp_ipoption_check.h: * src/treenodes.c: * src/profiler.c: * src/detection-plugins/sp_ip_id_check.c: * src/fpcreate.c: * src/tag.c: * src/detection-plugins/sp_file_data.h: * src/event_wrapper.c: * src/detection-plugins/Makefile.h: * src/inline. enhancement to replace. Thanks to Charlie Lasswell for the ideas! * src/detect.c: * src/detection-plugins/sp_pattern_match.Made changes for HTTP response gzip support. 
* src/detect.h: Update pattern match parsing to error on invalid rules.c: * src/detection-plugins/sp_cvs.h: New detection option "file_data" was added.c: * src/sfutil/acsmx2.c: * src/detection-plugins/sp_icmp_code_check.

h: Added missing Packet member to SFSnortPacket. src/detection-plugins/sp_ip_same_check.c: src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: Updated conversion of Content and PCRE rule options to match HTTP changes.h: src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: src/detection-plugins/sp_session.c: src/dynamic-preprocessors/dcerpc2/snort_dce2. dcerpc. src/dynamic-plugins/sf_dynamic_plugins.c: src/detection-plugins/sp_ip_tos_check.c: src/detection-plugins/sp_respond.c: src/dynamic-plugins/sp_preprocopt.h: src/dynamic-plugins/sp_preprocopt.c: src/dynamic-plugins/sp_dynamic.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_api. src/dynamic-preprocessors/dcerpc/dcerpc_config.c: src/dynamic-preprocessors/ssl/spp_ssl. src/dynamic-plugins/sf_dynamic_engine.c: src/dynamic-plugins/sp_dynamic.c: src/detection-plugins/sp_ttl_check.c: src/dynamic-preprocessors/dcerpc/snort_dcerpc.h: Updated HTTP flags.c: Added several items to DynamicPreprocessorData. src/dynamic-plugins/sf_dynamic_common.c: Updated calls to RegisterRuleOption() to match new definition.c: src/detection-plugins/sp_tcp_win_check.c: src/dynamic-preprocessors/dcerpc2/dce2_co.c: src/detection-plugins/sp_rpc_check.c: src/preprocessors/portscan. A detection option or preprocessor can register one of these to get the OTN of any rule using its rule option. src/dynamic-plugins/sf_engine/sf_snort_packet.h: Added definition of OTN Handler.c: src/detection-plugins/sp_pcre. src/dynamic-plugins/sf_engine/sf_snort_detection_engine. src/dynamic-plugins/sf_convert_dynamic.c: src/detection-plugins/sp_tcp_flag_check. stream5_global.c: src/dynamic-plugins/sf_dynamic_preprocessor.c: src/detection-plugins/sp_tcp_seq_check.h: src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib. portscan.h: Moved DCERPC_FragType definition. .c: src/detection-plugins/sp_pcre. to allow dynamic preprocessors to call more Snort functions. 
and dcerpc2 preprocessor configurations so that memcaps can be specified in the default configuration w/o enabling that preprocessor.c: src/dynamic-preprocessors/dcerpc/dcerpc.h: Check for HTTP modifiers to Content and PCRE options in shared object rules.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: src/detection-plugins/sp_respond2.h: src/preprocessors/spp_frag3.c: src/detection-plugins/sp_urilen_check.c: src/dynamic-preprocessors/dcerpc2/dce2_config.c: Added "disabled" option to frag3_global.c: src/detection-plugins/sp_tcp_ack_check.h: src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre. This allows specification of the preprocessors only in the desired configuration.c: src/preprocessors/spp_sfportscan. src/dynamic-preprocessors/dcerpc/dcerpc.h: src/detection-plugins/sp_react.

c: src/dynamic-preprocessors/sdf/spp_sdf. src/dynamic-preprocessors/Makefile.dsp: src/dynamic-preprocessors/sdf/spp_sdf.dsp: src/preprocids. src/dynamic-preprocessors/dcerpc2/snort_dce2.h: src/dynamic-preprocessors/smtp/snort_smtp.h: src/fpdetect.h: doc/README.c: src/dynamic-preprocessors/sdf/sdf_us_ssn.h: src/dynamic-preprocessors/sf_dynamic_initialize/ src/dynamic-preprocessors/sdf/sdf_credit_card.h: src/dynamic-preprocessors/dcerpc2/includes/dcerpc. src/dynamic-preprocessors/dcerpc2/dce2_roptions.h: src/dynamic-preprocessors/dcerpc2/dce2_config.dsp: Fix make dist to include all required files. src/dynamic-preprocessors/ssh/spp_ssh.h: .h: src/dynamic-preprocessors/sdf/sf_preproc_info.c: src/dynamic-preprocessors/sdf/sdf_detection_option.sed: Included more header files for use in dynamic preprocessors. src/dynamic-preprocessors/dcerpc2/ src/dynamic-preprocessors/dcerpc2/ src/dynamic-preprocessors/treenodes.h: src/dynamic-preprocessors/sdf/sdf_us_ssn.c: src/dynamic-preprocessors/dcerpc2/dce2_list. src/dynamic-preprocessors/sdf/ src/dynamic-preprocessors/dns/Makefile.c: Content rules with the new HTTP modifiers can use the fast pattern src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.h: src/dynamic-preprocessors/sdf/sdf_detection_option.h: src/dynamic-preprocessors/dcerpc2/dce2_utils.dsp: src/dynamic-preprocessors/ssh/sf_ssh.c: Removed config file/line from error message since not set at this src/dynamic-preprocessors/ssh/ src/dynamic-preprocessors/smtp/sf_smtp.c: src/fpcreate.S. src/dynamic-preprocessors/dcerpc2/spp_dce2. such as credit card numbers and U. src/fpcreate.sensitive_data: doc/snort_manual.dsp: src/dynamic-preprocessors/ssl/ src/dynamic-preprocessors/ssl/Makefile. src/dynamic-preprocessors/dcerpc/Makefile. src/generators.h: Changed use of some integers to enumerated types. It performs detection of Personally Identifiable Information. 
Social Security numbers.c: Formatting change.h: src/dynamic-preprocessors/sdf/sf_sdf.dsp: src/dynamic-preprocessors/smtp/Makefile. Also removed redundant "dcerpc2 configuration" text.c: src/dynamic-preprocessors/dcerpc2/dce2_utils.c: src/dynamic-preprocessors/sdf/ src/dynamic-preprocessors/dns/sf_dns.dsp: src/dynamic-preprocessors/ftptelnet/Makefile.c: src/dynamic-preprocessors/sdf/sdf_pattern_match.h: src/dynamic-preprocessors/sdf/sdf_pattern_match.tex: Added Sensitive Data preprocessor.c: Added dce_iface options to the fast pattern matcher.c: Added sensitive data to the list of preprocs that get re-enabled after disabling detection.

c: * src/output-plugins/spo_log_tcpdump. * src/pcrm.c: * src/ppm.c: * src/output-plugins/spo_log_null.h: * src/preprocessors/HttpInspect/include/hi_util.h: * src/preprocessors/HttpInspect/include/hi_mi.h: * src/preprocessors/HttpInspect/include/hi_server_norm.c: * src/util.h: * src/output-plugins/spo_alert_fast. * src/preprocessors/HttpInspect/client/hi_client.Added SIDs for new preprocessor alerts.c: * src/ * src/preprocessors/HttpInspect/Makefile.c: * src/plugbase. Added support for using new http content options with the fast pattern matcher.h: * src/preprocessors/HttpInspect/include/hi_server.c: * src/output-plugins/ Added new files to Makefile.h: * src/preprocessors/HttpInspect/include/hi_norm.h: * src/util.c: * src/output-plugins/spo_unified2.c: * src/preprocessors/HttpInspect/server/hi_server_norm.h: * src/preprocessors/HttpInspect/include/Makefile. * src/ * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c: Modified several output plugins to print obfuscated data using the new Obfuscation API.c: * src/log.c: * src/preprocessors/HttpInspect/server/hi_server.h: * src/log_text. * src/obfuscation.h: Added support for OTN handlers.c: * src/preprocessors/HttpInspect/client/hi_client_norm.c: * src/preprocessors/HttpInspect/include/hi_client.c: * src/output-plugins/spo_alert_test.c: * src/output-plugins/spo_log_ascii. * src/ppm.c: * src/obfuscation.h: Remove non-portlists code.c: * src/output-plugins/spo_unified. * src/plugbase. * src/ .c: * src/output-plugins/spo_csv.h: Added OTN handler argument to the RegisterRuleOption() function.c: * src/preprocessors/HttpInspect/normalization/hi_norm.c: * src/output-plugins/spo_alert_unixsock.c: * src/output-plugins/spo_alert_syslog.c: * src/output-plugins/spo_alert_prelude.c: * src/output-plugins/spo_alert_full.h: Fixed output obfuscation. 
and added an Obfuscation API for use in preprocessors & output plugins.c: * src/log_text.h: Formatting changes.h: * src/preprocessors/HttpInspect/include/hi_ui_config.c: * src/parser.c: * src/preprocessors/HttpInspect/server/Makefile.c: * src/output-plugins/spo_database.h: * src/preprocessors/HttpInspect/include/hi_eo_events. Initialized the "file_data" rule option. * src/log.

c: src/preprocessors/perf-flow.c: New feature for HTTP Inspect to split requests into 5 components Method. Added "disabled" option so that memcaps can be configured in the default policy w/out enabling the preprocessor. Header (non-cookie).c: src/sfutil/acsmx2.h: src/sys_include.c: src/preprocessors/spp_perfmonitor.c: src/sfutil/sfPolicyUserData.c: src/sfutil/ src/sfutil/mpse.h: src/sfutil/sfportobject.c: src/sfutil/sfrf. Added content modifier to allow rule writer to specify content to be used for fast pattern matcher.h: src/preprocessors/Stream5/snort_stream5_tcp.c: Add Flow-IP stats to the Performance Monitor preprocessor.h: Added detection of "4-way TCP Handshake" when require_3whs is enabled.c: src/preprocessors/Stream5/snort_stream5_session.c: src/preprocessors/Stream5/snort_stream5_tcp. src/preprocessors/perf.c: src/preprocessors/snort_httpinspect. src/preprocessors/HttpInspect/session_inspection/hi_si.h: src/sfutil/Makefile.c: src/sfutil/sf_ip. src/preprocessors/sfprocpidstats.c: src/sfutil/ipobj.c: src/sfutil/mpse.c: src/sfutil/sfxhash. URI.c: src/preprocessors/snort_httpinspect. Provided content and PCRE modifiers to allow searches within one or more of those individual buffers.h: Removed more obsolete/unused files.h: src/sfutil/bnfa_search. Cookies.h: src/preprocessors/spp_httpinspect.h: src/sfutil/sf_ip.h: src/preprocessors/perf.c: Changed GetCpuName() to catch errno when sscanf() sets it.c: Fixed warnings when compiled in Win32.c: src/preprocessors/HttpInspect/user_interface/hi_ui_config.h: src/preprocessors/Stream5/snort_stream5_udp. src/prototypes.h: . src/sfthreshold.h: src/preprocessors/stream_api. Added HTTP server specific configurations to normalize HTTP header and/or cookie buffers. Updated dynamic rule API to allow searches within the new buffers. 
Added support for output obfuscation.c: src/preprocessors/Stream5/stream5_common.h: src/sfutil/sf_iph.c: src/sfutil/sf_ipvar.c: src/sfutil/sfksearch.c: src/sfutil/sfPolicyUserData. Body. src/preprocessors/spp_stream5.c: src/preprocessors/perf-flow.c: src/sfutil/ipobj. src/preprocessors/spp_rpc_decode. Write out a commented line to the now file the first time perfmon Reduce performance overhead when FlowIP stats aren't enabled.h: src/preprocessors/Stream5/stream5_common.c: src/sfutil/acsmx2.

dsw: * src/win32/WIN32-Prj/snort_installer. * etc/gen-msg.nsi: Win32 project files updated to reflect Makefile changes.h: * src/preprocessors/HttpInspect/client/hi_client.h: * src/preprocessors/HttpInspect/include/hi_eo_events.jordan@sourcefire.h: Updated build number * src/codes.h: * src/detection-plugins/sp_respond2. * src/preprocessors/snort_httpinspect. Thanks to Randall Rioux for reporting the AIX issues.c: * src/dynamic-preprocessors/dcerpc2/snort_dce2. * src/dynamic-preprocessors/Makefile.c: * src/dynamic-preprocessors/ssh/spp_ssh. * src/signature.c: * src/signature. * src/sfutil/util_net. * src/build.c: * src/preprocessors/HttpInspect/include/hi_client. * src/preprocessors/spp_rpc_decode. 2009-12-15 Ryan Jordan < * src/generators.* src/sfutil/sf_vartable.c: .h: Changes to improve handling of pipelined requests and chunked encodings based on content length header field. * src/win32/WIN32-Code/syslog.c: Fix error message for validation of Exported more files to allow re-building of some . * src/output-plugins/spo_alert_prelude.h: * src/snort.c: Set IPv6 UDP DCE/RPC reassembly headers.c: * src/sfutil/util_net.c: * src/preprocessors/HttpInspect/event_output/hi_eo_log. * src/dynamic-preprocessors/dcerpc2/dce2_smb.h: * src/win32/WIN32-Prj/snort. Added documentation for log limits.c: Use bison built in YYACCEPT and YYABORT so stack is cleaned up and freed.dsp: * src/win32/WIN32-Prj/> * doc/ files on NetBSD. or with --enable-prelude and --enable-ipv6. * src/log.h: Fixed an issue where the SSH preprocessor would erroneously alert on "protocol mismatch" when autodetect was turned on. alert_full.l: * src/target-based/sftarget_reader.c: * src/win32/WIN32-Includes/config.h: Removed unused code.h: Fix ip obfuscation to not modify packet data and only obfuscate for text outputs. * src/target-based/sf_attribute_table_parser.c: Cleaned up warnings.c: * src/win32/WIN32-Code/win32_service.c: Fixed compiling on AIX 6.h: Remove non-portlists code. log_tcpdump. and alert_csv. 
Thanks to Markus Lude for reporting the prelude & IPv6 issues.h: * src/parser.c: * src/codes. * src/dynamic-preprocessors/ssh/spp_ssh. Thanks to Pablo Catalina for reporting this issue.c: * src/snort.tex: Clarified the documentation for output plugins alert_fast.c: Fixed reloading of auto-iface variables after privileges had been dropped. especially when compiled with ICC.

c: .c: src/sfutil/sfPolicy. and resp2 independent except that libnet is only initialized/closed once regardless of build combinations.conf reload. * src/decode. src/util.c: * src/dynamic-preprocessors/dns/spp_dns.3) & linux threads.h: More compile fixes on AIX 6.c: * src/dynamic-preprocessors/smtp/spp_smtp. and updated the example preprocessor to support multiple policies & config reloading.h: Set smaller flush point appropriate for RPC header.c: * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: Fixed a bug where dynamic rules were not initialized correctly after a snort.c: Added the dynamic-examples back to the Makefile.c: src/preprocessors/Stream5/snort_stream5_tcp. src/sfutil/Makefile.h: src/sfutil/sfrt_trie. * src/build.c: Fixed an error where negative IP lists were not always being checked.h: Added a function prototype for InitTimeStats.c: src/target-based/sftarget_reader. iRet should be set based on the payload type * src/configure.h: Fix to return correct vlan/ip id. * src/detection-plugins/ * src/Makefile.c: When label > * src/dynamic-examples/Makefile.c: * src/dynamic-preprocessors/ftptelnet/ * src/dynamic-examples/dynamic-preprocessor/spp_example.h: src/preprocessors/stream_api. resp.h: Updated build number. src/sfutil/sfrt. src/sfutil/ * src/dynamic-examples/dynamic-preprocessor/Makefile.c: * src/dynamic-preprocessors/ssl/spp_ssl. src/preprocessors/spp_stream5. 2.h: separate flexresp interface from implementation Made react. * src/dynamic-plugins/sf_engine/sf_snort_detection_engine. * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: * src/codes. src/win32/WIN32-Includes/ src/sfutil/sf_ipvar. src/snort.c: * src/dynamic-preprocessors/dcerpc2/dce2_config. Fixed typos.c: fixed warning: ISO C90 forbids mixed declarations and code * src/detection-plugins/> * doc/README. 
* doc/snort_manual.c: Fix issues at startup and perfstats rotation with old versions of libc (2.c: src/preprocessors/Stream5/snort_stream5_tcp.2.filters: added missing _.jordan@sourcefire. 2009-10-21 Ryan Jordan <ryan.h: Formatting changes.h: Removed unused code.8. * src/codes.tex: Update to add PCRE modifiers that were left out of table 3.

c: src/preprocessors/spp_rpc_decode.c: Make log message a debug message src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: src/win32/WIN32-Code/syslog.dsp: src/output-plugins/spo_alert_syslog.c: Check if packet is stream rebuilt.c: changing the return value src/dynamic-preprocessors/ssh/spp_ssh.dsp: src/win32/WIN32-Prj/snort_initialize. src/preprocessors/perf-base.dsp: Fix syslog output under Windows.c: src/preprocessors/spp_stream5.c: src/preprocessors/Stream5/snort_stream5_session.y: src/target-based/sftarget_reader. src/preprocessors/spp_perfmonitor.c: Updated previous bugfix to check for more possible return values.h: src/preprocessors/Stream5/snort_stream5_tcp. src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize. src/preprocessors/HttpInspect/client/hi_client.0.c: src/preprocessors/Stream5/snort_stream5_session. src/sfutil/sf_ip.c: Fixed inaccurate wire speed stats. src/output-plugins/spo_database. src/log.h: processing of 0. change text to be more accurate.0.h: Handled MPLS BOS. as opposed to "FLPOLICY_NONE" src/fpcreate. src/snort.h: src/preprocessors/stream_api.c: fixed segfault when more than 10 policies were applied. src/parser. Only 0.0/32 is considered as "any".c: fixed otn lookup.h: src/preprocessors/Stream5/snort_stream5_udp.c: Use bison built in YYACCEPT and YYABORT so stack is cleaned up and freed .c: use orig api and family for embedded icmp packet printing.c: Updated uses of IPPROTO_IP to ETHERNET_TYPE_IP src/output-plugins/spo_alert_sf_socket. src/target-based/sf_attribute_table_parser.c: enable -Q output with --help for !IPFW && !WIN32 builds. Fixed out-of-bounds access when printing IPv6 packets using -v. 
due to not calling "first" function the configured gid/sids would not be found and so no alerts would go out the socket and no errors reported.c: Fixed SSH preprocessor to use "FLPOLICY_IGNORE" when turning off Stream reassembly.h: src/preprocessors/Stream5/stream5_common.l: src/target-based/sf_attribute_table.c: src/preprocessors/Stream5/snort_stream5_tcp.0.h: Fixed segfault when adding policies on reload Fixed potentially freed stream5 configuration being read on clean exit Fixed potentially wrong stream5 configuration being used during reload src/dynamic-preprocessors/dcerpc2/dce2_co.c: src/win32/WIN32-Prj/sf_engine_initialize. Don't include in stats.c: src/preprocessors/Stream5/snort_stream5_udp.c: src/preprocessors/spp_httpinspect.0.0/x enabled.c: Included missing "last_cid" column when inserting a new sensor into the table while "ignore_bpf" was turned on. src/snort.c: src/profiler. src/sfutil/sfPolicy.

* doc/README.dsp: Made react. * src/codes.h: * src/detection-plugins/sp_react.conf: Fix the example SSH configuration.h: * src/dynamic-preprocessors/dcerpc/sf_preproc_info.c: * src/codes.c: * src/sfutil/sfportobject.jordan@sourcefire.ssh: Fixed the documentation to reflect changes in SSH for 2. * src/detection-plugins/detection_options.h: .c: Added a new check to handle loading of older libraries.c: * src/snort.frag3: Removed ttl_limit option.c: * src/detection-plugins/sp_react. * src/decode. resp. and resp2 independent except that libnet is only initialized/closed once regardless of build combinations.c: * src/detection-plugins/sp_respond.c: * src/detection-plugins/sp_pattern_match.8. * etc/gen-msg.c: Allow support for label values of 0 or 2 at locations other than bottom of stack.h: * src/detection-plugins/Makefile.spec: Updated version * src/detection-plugins/sp_pattern_match. * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.Free host entries that are not inserted into routing table due to max_attribute_hosts limit 2009-09-15 Ryan Jordan <ryan. This should increase performance in situations where a lot of SSH traffic was inspected. and turn it on by default.tex: Duplicated the above doc changes for the manual. Clarified order of rule actions.ftptelnet: Added the ignore_telnet_erase_cmds option.h: * src/detection-plugins/sp_respond. * src/debug.h: Removed old/unused code. as it has been deprecated.h: * src/util. * Added configure switch to disable core files. * etc/snort.h: * src/win32/WIN32-Prj/snort_installer. * src/build.c: redirect stdin/stdout/stderr to /dev/null for debug write to file and change ownership of file to dropped privs * src/decode.nsi: Moved a couple rules into the decoder. * doc/snort_manual. * src/dynamic-plugins/sf_dynamic_preprocessor. * rpm/snort.c: * src/detection-plugins/sp_respond2.h: Updated build number.5.c: * src/snort.c: * src/win32/WIN32-Prj/snort.c: * src/detection-plugins/> * doc/README. 
* doc/README.h: * src/detection-plugins/sp_respond2.h: * src/detection-plugins/ Punctuation changes.

c: Fixed potential segfault with multiple policies.h: Fixed compile warnings.c: src/sfutil/acsmx2. src/preprocessors/Stream5/snort_stream5_icmp. src/preprocessors/spp_sfportscan.h: src/dynamic-preprocessors/ssh/sf_preproc_info.c: src/dynamic-preprocessors/smtp/sf_preproc_info.h: .c: src/dynamic-preprocessors/dns/sf_preproc_info.h: src/dynamic-preprocessors/smtp/smtp_xlink2state.h: Changed the build numbers of preprocessors.c: src/parser.c: src/sfutil/acsmx2.c: src/dynamic-preprocessors/smtp/spp_smtp. src/mempool.h: src/preprocessors/perf-base.h: src/dynamic-preprocessors/ssl/sf_preproc_info.c: Fixed memory leaks.c: src/parser.c: Clean up preprocessor profiler formatting.c: src/preprocessors/spp_stream5.c: IPv6-related changes.c: Check return values from mempool_init and fatal if bad when freeing pools.h: src/dynamic-preprocessors/dcerpc2/snort_dce2.c: src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: Added additional error-checking.c: src/preprocessors/spp_perfmonitor.c: src/preprocessors/spp_arpspoof. src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: src/preprocessors/perf-event. set to NULL.c: Don't include vlan header in portscan event/log packet. src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: Changed limit on max_server_version_len to 255.h: src/preprocessors/perf-flow. src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: src/preprocessors/perf-event. src/preprocessors/Stream5/snort_stream5_tcp.c: src/preprocessors/perf. 
src/fpdetect.h: src/dynamic-preprocessors/ssh/spp_ssh.h: src/preprocessors/spp_frag3.c: src/dynamic-preprocessors/ftptelnet/ftpp_si.c: src/sfutil/sfActionQueue.c: src/preprocessors/Stream5/snort_stream5_tcp.c: src/dynamic-preprocessors/dcerpc2/spp_dce2.c: src/sfutil/sfPolicy.h: Gave xlink2state smtp preprocessor alert a unique sid.c: src/preprocessors/Stream5/snort_stream5_udp.c: src/fpdetect. src/dynamic-preprocessors/ssh/spp_ssh.h: src/dynamic-preprocessors/dns/spp_dns.c: src/preprocessors/perf-flow. src/output-plugins/spo_unified. src/fpcreate.c: src/dynamic-preprocessors/dcerpc2/sf_preproc_info.c: src/generators. src/dynamic-preprocessors/smtp/smtp_log.c: Fix core by adjusting IPv6 buffer size src/profiler.

* src/decode.jordan@sourcefire.8.ftptelnet: Indentation changes * doc/README.c: * src/signature.filters * doc/README.5 * doc/README.8. Gave xlink2state smtp preprocessor alert unique sid.dsp: * src/win32/WIN32-Prj/snort.tex: Updated to include 2. * doc/ Update for module pack confliction.dsp: * src/win32/WIN32-Prj/snort. * etc/threshold. update for Mac * doc/Makefile.h: New build number.8.c: Check configuration for all policies. Removed a couple poorly-performing rules and made them into decoder checks instead.frag3: Added the overlap_limit and min_fragment_length options * doc/ Added README.* src/signature. deprecation notice for "threshold" * src/ Moved XMAS attack handling to decoder.INLINE: Changed "snort_inline" to "Snort Inline" * doc/README. * snort_head/snort/snort. * src/plugbase. * doc/snort_manual.5 * doc/README.5 * doc/README.8: Updated man page to reflect doc changes.http_inspect: Added post_depth option.PerfProfiling: Updated stats output to reflect "Rev" column * doc/README. * etc/gen-msg.h: Removed unused files.c: * src/decode. formatting updates.5 features.8.conf: Updated with formatting changes. * configure.c: .5 work * doc/INSTALL: Indentation changes. * snort.thresholding: Updated to indicate that "threshold" is deprecated in favor of "event_filter".filters: New README. 2009-07-13 Ryan Jordan <ryan.reload: New README. * src/detect.8. describes the new filtering features in Snort 2.h: Fixed a couple invalid reads & writes.ssh: Updated the README to reflect changes in the SSH preprocessor for 2.c: * src/codes.dsw: Win32 updates.h: Made some options> * src/win32/WIN32-Prj/sf_testdetect. Removed old references to Stream4.8: Removed obsolete option -o * doc/CREDITS: Updated credits to reflect Snort 2. * src/codes. describes how to reload a Snort configuration in 2.

c: * src/detection-plugins/sp_respond.h: * src/ipv6_port.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c: Fixed some FTP false positives.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c: * src/detection-plugins/sp_replace.c: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c: * src/dynamic-preprocessors/smtp/smtp_xlink2state.h: * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h: * src/sfutil/sf_ip.c: * src/dynamic-plugins/sf_convert_dynamic.c: .* src/ppm.c: * src/dynamic-preprocessors/dcerpc2/dce2_co.c: Added detection for DCE/RPC server->client attacks. * src/detection-plugins/sp_pattern_match.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c: * src/dynamic-plugins/sf_engine/sf_snort_packet.c: * src/dynamic-preprocessors/dcerpc2/dce2_smb.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: * src/dynamic-plugins/sp_preprocopt. which are incompatible.h: Changed variables from "uintX_t" to "u_intX_t".c: Renamed respond's config so it didn't conflict with global Snort config.c: * src/dynamic-plugins/sf_dynamic_preprocessor.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c: Fixed memory leak.h: Don't reset packet time * src/detection-plugins/sp_asn1.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h: * src/dynamic-preprocessors/dcerpc2/dce2_stats. * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup. * src/dynamic-plugins/sf_dynamic_engine. * src/detection-plugins/sp_respond2.c: * src/detection-plugins/sp_replace.c: * src/dynamic-preprocessors/dcerpc2/dce2_smb.c: * src/detection-plugins/ rules.c: * src/detection-plugins/sp_isdataat.c: * src/dynamic-preprocessors/dcerpc2/dce2_co. * src/dynamic-preprocessors/ftptelnet/pp_ftp. 
* src/detection-plugins/sp_isdataat.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c: * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: Removed redundant check.h: * src/dynamic-plugins/sf_dynamic_plugins.h: * src/dynamic-plugins/sp_preprocopt.h: Moved flags & struct to header file.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: * src/dynamic-plugins/sp_dynamic. * src/dynamic-preprocessors/smtp/smtp_config.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.h: * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet. * src/dynamic-preprocessors/dcerpc2/dce2_cl.c: * src/sfutil/sf_ip.c: * src/dynamic-plugins/sp_dynamic. * src/dynamic-plugins/sf_convert_dynamic.h: Check for combination of "replace" and "http_*" options.h: * src/dynamic-preprocessors/dcerpc2/dce2_event.h: * src/dynamic-preprocessors/dcerpc2/snort_dce2.h: Added a missing handler for "isdataat" options in .

c: Fixed problem where Snort wouldn't reload if prealloc_memcap was specified.h: * src/target-based/sftarget_reader. Only useful for repeatability while testing Snort. * src/parser/IpAddrSet.c: * src/parser/IpAddrSet. * src/fpdetect.c: * src/dynamic-preprocessors/ssh/spp_ssh. * src/profiler.c: * src/rate_filter.c: Fixed issue with verbose output while in IDS mode.h: Used 104 and 105 for the VLAN+MPLS event records.h: One rule can have different actions in different policies. * src/preprocessors/spp_stream5.c: Added rule revision to profiling output.h: Update for linuxthreads.c: * src/sfutil/sfportobject.c: * src/dynamic-preprocessors/ssl/spp_ssl.c: * src/sfutil/sfthd.c: * src/rules. * src/preprocessors/spp_perfmonitor.h: * src/preprocessors/HttpInspect/session_inspection/hi_si.c: * src/preprocessors/spp_httpinspect.c: HTTP Inspect now allows 1024 server profiles. Uses 192 for all TCP flushpoints.h: Fixed warnings * src/preprocessors/HttpInspect/include/hi_ui_config.c: Fixed multiple policy support in these preprocessors.c: * src/sfutil/sfActionQueue.h: Fixed memory leaks.h: Automatically enable "session delete" events with "session add" events.c: * src/preprocessors/snort_httpinspect. * src/preprocessors/spp_frag3.c: * src/sfutil/sfthd.c: * src/parser.c: Fixed problem where "now" file stopped updating after a reload.h: Clean up IpAddrSet in rate filter and suppress * src/parser.c: * src/sfutil/sfPolicyUserData.c: * src/preprocessors/HttpInspect/user_interface/hi_ui_config.h: Made several config options specific to bound policies.c: * src/mempool. * src/preprocessors/spp_sfportscan.c: Win32 updates * src/log.c: * src/sfutil/sfrf.* src/dynamic-preprocessors/smtp/ * src/sfutil/sfActionQueue. * src/mempool. . The storage size was reduced. * src/preprocessors/Stream5/snort_stream5_tcp. * src/output-plugins/spo_unified2.h: Changed SSL preprocessor's ID to avoid conflict with DCE/RPC 2 * src/inline.h: * src/preprocessors/portscan. 
* src/generators.c: * src/target-based/sftarget_reader.c: * src/sfutil/Makefile.c: * src/sfutil/sfPolicyUserData.c: Added -H command-line option. * src/rate_filter.

jordan@sourcefire.h: * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h: Packet structure Added support for detection_filter.c: * src/detection-plugins/sp_flowbits.h: * src/dynamic-plugins/ * src/dynamic-preprocessors/ssh/sf_preproc_info.dsp: . * src/detection-plugins/sp_byte_check.c: * src/detection-plugins/sp_pcre. * src/ Added new messages for MPLS and Frag3.h: * src/> * etc/gen-msg.h: * src/dynamic-plugins/sp_dynamic.h: * src/dynamic-preprocessors/ssh/sf_ssh. updated references to snort. * src/detection-plugins/Makefile.* src/sf_sdlist.c: * src/snort.h: * src/detection-plugins/ rules are handled.filters for more info. * src/detect.c: * src/dynamic-plugins/sf_convert_dynamic.c: * src/detection_filter.h: PCRE matches are no longer repeated if anchored.h: * src/rate_filter. See doc/README. 2009-05-06 Ryan Jordan <ryan.h: * src/dynamic-plugins/sf_engine/sf_snort_packet. * src/decode.{c. and event_filter. * src/dynamic-preprocessors/ssh/Makefile. and other code cleanup.h: Win32 updates * src/snort.h: * src/detection_filter. * src/detection-plugins/sp_pattern_match.c: * src/detection-plugins/sp_pattern_match. * src/detection-plugins/sp_flowbits.c: * src/sfutil/ * src/dynamic-plugins/sf_convert_dynamic.c: * src/sfthreshold.c: * src/detect. * etc/snort.c: * src/detection-plugins/sp_replace.h} * src/detection-plugins/sp_pcre. rate_filter. and added overlap_limit to the default frag3_engine config.c: * src/detection-plugins/sp_hdr_opt_wrap.c: * src/rate_filter.h: Added support for ">=" and "<=" test options.c: Changed the way .h: Several fixes involving policy reload * src/util.h: Don't allow 0 for threshold count or seconds.c: Formatting changes * src/sf_types.conf: Modified an example port * src/detection-plugins/sp_hdr_opt_wrap.
to take advantage of the Rule Option Tree.h: Content replacement code moved out to sp_replace.c: * src/detection-plugins/sp_byte_check.c: Formatting changes.c: Flowbits are now part of the rule stub that gets generated when dumping dynamic rules.

h: * src/win32/WIN32-Includes/stdint.h: * src/detection-plugins/sp_cvs.nsi: Updated Win32 installer to include new Snort files.spec: Updated RPM to include new Snort files.h: * src/detection-plugins/ * src/win32/WIN32-Code/inet_aton.c: * src/detection-plugins/sp_cvs.c: * src/detection-plugins/detection_options.c: Fixed handling of IP lists with mis-matched brackets.dsp: * src/win32/WIN32-Prj/snort_installer. * src/output-plugins/spo_unified2.h: Updated SSH preprocessor.c: * src/detection-plugins/sp_dsize_check.h: * src/cpuclock. In addition.Compiler warning clean-up * src/bounds. the following files were modified to enable: .Reloading snort.h: MPLS and VLAN records have been consolidated into Unified2Event_v2.h: * src/detection-plugins/sp_asn1. see README. * src/parser.confs on a per-vlan or per-CIDR block basis .c: * src/win32/WIN32-Code/misc.thresholding: * doc/snort_manual. * doc/CREDITS: * doc/README.h: * src/byte_extract.c: * src/win32/WIN32-Includes/config. * rpm/snort.h: * src/detection-plugins/sp_asn1.conf without restarting Snort .dsp: * src/win32/WIN32-Prj/snort. * src/win32/Makefile.h: * src/checksum.c: * src/win32/WIN32-Code/syslog.c: .* src/dynamic-preprocessors/ssh/spp_ssh.c: * src/detection-plugins/sp_asn1_detect.ssh for details.Applying multiple snort.dsp: * src/win32/WIN32-Prj/sf_engine_initialize.h: * src/detection-plugins/sp_dsize_check. 
Config options have been modified.c: * src/dynamic-preprocessors/ssh/spp_ssh.c: * src/win32/WIN32-Code/win32_service.c: * src/decode.c: * src/detection-plugins/sp_asn1_detect.dsw: * src/win32/WIN32-Prj/snort_initialize.h: * src/win32/WIN32-Prj/build_all.h: * src/detection-plugins/sp_clientserver.c: * src/byte_extract.http_inspect: * doc/README.filters: * doc/README.c: * src/detection-plugins/sp_clientserver.h: * src/detection-plugins/sp_byte_jump.h: * src/debug.c: * src/detection-plugins/detection_options.c: * src/detection-plugins/sp_byte_jump.frag3: * doc/README.ssh: * doc/README.c: * src/output-plugins/spo_unified2.tex: Documentation updates.dsp: * src/win32/WIN32-Prj/snort.

c: src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.h: src/dynamic-plugins/sf_engine/Makefile.c: src/detection-plugins/sp_icmp_seq_check.c: src/dynamic-plugins/sf_dynamic_preprocessor.c: .c: src/detection-plugins/sp_respond2.h: src/detection-plugins/sp_tcp_ack_check.c: src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c: src/detection-plugins/sp_ip_same_check.c: src/detection-plugins/sp_tcp_flag_check.h: src/detection-plugins/sp_react.c: src/detection-plugins/sp_icmp_id_check.h: src/detection-plugins/sp_ip_proto.h: src/detection-plugins/sp_tcp_win_check.c: src/detection-plugins/sp_tcp_ack_check.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h: src/dynamic-plugins/sf_dynamic_plugins.h: src/dynamic-plugins/sf_dynamic_detection.c: src/detection-plugins/sp_icmp_type_check.h: src/dynamic-plugins/sf_dynamic_common.h: src/detection-plugins/sp_icmp_id_check.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_content.h: src/detection-plugins/sp_ip_id_check.c: src/detection-plugins/sp_icmp_code_check.c: src/detection-plugins/sp_respond.h: src/detection-plugins/sp_tcp_flag_check.c: src/dynamic-plugins/sf_engine/ src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h: src/detection-plugins/sp_urilen_check.c: src/detection-plugins/sp_tcp_seq_check.h: src/detection-plugins/sp_ttl_check.h: src/detection-plugins/sp_icmp_seq_check.h: src/detection-plugins/sp_session.h: src/dynamic-plugins/sf_dynamic_define.c: src/detection-plugins/sp_react.h: src/detection-plugins/sp_respond.h: src/detection-plugins/sp_icmp_type_check.c: src/detection-plugins/sp_ip_same_check. src/detection-plugins/sp_ftpbounce.h: src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c: src/detection-plugins/sp_ttl_check.h: src/detection-plugins/sp_isdataat.h: src/detection-plugins/sp_tcp_seq_check.h:
src/detection-plugins/sp_ip_fragbits.c: src/detection-plugins/sp_ip_id_check.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.h: src/dynamic-plugins/sf_dynamic_engine.h: src/detection-plugins/sp_ipoption_check.c: src/detection-plugins/sp_rpc_check.h: src/detection-plugins/sp_ip_tos_check.c: src/detection-plugins/sp_ip_tos_check.c: src/detection-plugins/sp_ipoption_check.c: src/detection-plugins/sp_tcp_win_check.c: src/detection-plugins/sp_isdataat.h: src/detection-plugins/sp_rpc_check.h: src/detection-plugins/sp_icmp_code_check.c: src/detection-plugins/sp_ip_fragbits.c: src/detection-plugins/sp_session.h: src/detection-plugins/sp_respond2.c: src/detection-plugins/sp_urilen_check.

h: src/dynamic-preprocessors/dcerpc2/includes/smb.c: src/dynamic-preprocessors/dcerpc/dcerpc_config.c: .h: src/dynamic-preprocessors/dcerpc2/dce2_smb.h: src/dynamic-preprocessors/dcerpc/smb_andx_decode.h: src/dynamic-preprocessors/dcerpc2/spp_dce2.dsp: src/dynamic-preprocessors/dcerpc2/snort_dce2.c: src/dynamic-preprocessors/dcerpc2/dce2_session.c: src/dynamic-preprocessors/dcerpc2/dce2_co.c: src/dynamic-preprocessors/dcerpc2/dce2_stats.c: src/dynamic-preprocessors/dns/spp_dns.c: src/dynamic-preprocessors/dcerpc2/snort_dce2.h: src/dynamic-preprocessors/dcerpc2/dce2_event. src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h: src/dynamic-preprocessors/dcerpc2/dce2_http.h: src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h: src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h: src/dynamic-preprocessors/dynamic_preprocessors.c: src/dynamic-preprocessors/dcerpc2/dce2_config.h: src/dynamic-preprocessors/dcerpc2/dce2_tcp.h: src/dynamic-plugins/sp_dynamic.dsp: src/dynamic-preprocessors/dns/sf_preproc_info.dsp: src/dynamic-preprocessors/dcerpc/sf_preproc_info.c: src/dynamic-preprocessors/dcerpc2/dce2_utils.h: src/dynamic-preprocessors/dcerpc/smb_structs.h: src/dynamic-plugins/sp_preprocopt.h: src/dynamic-preprocessors/dcerpc2/dce2_roptions.c: src/dynamic-preprocessors/dcerpc/dcerpc.c: src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: src/dynamic-preprocessors/dcerpc2/dce2_config.h: src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h: src/dynamic-preprocessors/ftptelnet/ftpp_si.c: src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h: src/dynamic-preprocessors/dcerpc2/dce2_debug.h: src/dynamic-preprocessors/dcerpc/smb_file_decode.c: src/dynamic-preprocessors/dcerpc2/dce2_event.h: src/dynamic-preprocessors/dcerpc/dcerpc.h: src/dynamic-preprocessors/dcerpc2/Makefile.c: src/dynamic-preprocessors/dcerpc2/dce2_debug.h:
src/dynamic-preprocessors/dcerpc/dcerpc_util.c: src/dynamic-preprocessors/dns/Makefile.c: src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c: src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c: src/dynamic-preprocessors/dcerpc/ src/dynamic-preprocessors/dns/sf_dns.c: src/dynamic-preprocessors/dcerpc/smb_file_decode.h: src/dynamic-preprocessors/dcerpc/Makefile.c: src/dynamic-preprocessors/dcerpc/dcerpc_util.c: src/dynamic-preprocessors/ftptelnet/ftpp_si.h: src/dynamic-preprocessors/dns/spp_dns.h: src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: src/dynamic-preprocessors/dcerpc/ src/dynamic-preprocessors/dcerpc2/sf_dce2.c: src/dynamic-plugins/sp_preprocopt.h: src/dynamic-preprocessors/dcerpc2/dce2_cl.h: src/dynamic-preprocessors/dcerpc/smb_file_structs.h: src/dynamic-preprocessors/dcerpc/ src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp: src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h: src/dynamic-preprocessors/dcerpc/smb_andx_structs.c: src/dynamic-preprocessors/dcerpc2/dce2_list.

h: src/dynamic-preprocessors/smtp/sf_smtp.c: src/dynamic-preprocessors/smtp/smtp_normalize.dsp: src/dynamic-preprocessors/smtp/Makefile.dsp: src/dynamic-preprocessors/smtp/smtp_config.h: src/dynamic-preprocessors/smtp/smtp_util.h: src/dynamic-preprocessors/Makefile.h: src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h: src/log.c: src/ src/dynamic-preprocessors/ftptelnet/pp_ftp.c: src/dynamic-preprocessors/smtp/smtp_normalize.h: src/dynamic-preprocessors/smtp/spp_smtp.dsp: src/dynamic-preprocessors/libs/sfparser. src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h: src/dynamic-preprocessors/smtp/smtp_xlink2state.c: src/dynamic-preprocessors/ssl/Makefile.h: src/dynamic-preprocessors/libs/sfcommon.h: src/dynamic-preprocessors/smtp/snort_smtp.h: src/log_text.c: src/dynamic-preprocessors/ftptelnet/ src/dynamic-preprocessors/ssl/sf_preproc_info.h: src/event_queue.c: src/dynamic-preprocessors/libs/ssl.c: src/inline.c: .am: src/dynamic-preprocessors/smtp/sf_preproc_info.dsp: src/dynamic-preprocessors/ftptelnet/sf_preproc_info.c: src/fpcreate.dsp: src/dynamic-preprocessors/ssl/spp_ssl.c: src/dynamic-preprocessors/smtp/smtp_config.h: src/fpcreate.h: src/generators.h: src/output-plugins/spo_alert_arubaaction.c: src/dynamic-preprocessors/ftptelnet/pp_telnet.c: src/fpdetect.c: src/dynamic-preprocessors/smtp/smtp_xlink2state.h: src/dynamic-preprocessors/ssl/ src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.c: src/dynamic-preprocessors/libs/ssl.c: src/dynamic-preprocessors/ftptelnet/pp_telnet.c: src/mstring.c: src/dynamic-preprocessors/ssl/spp_ssl.h: src/Makefile.h: src/fpdetect.h: src/inline.c: src/dynamic-preprocessors/smtp/snort_smtp.c: src/event_queue.h: src/event.h: src/event_wrapper.h: src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
src/dynamic-preprocessors/smtp/smtp_log.h: src/dynamic-preprocessors/ftptelnet/ src/mempool.c: src/event_wrapper.c: src/log_text.h: src/ipv6_port.c: src/dynamic-preprocessors/smtp/smtp_util.c: src/mstring.h: src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.h: src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.

h: src/preprocessors/perf.h: src/preprocessors/HttpInspect/include/hi_include.h: src/preprocessors/spp_arpspoof.h: src/preprocessors/HttpInspect/normalization/hi_norm.c: src/parser/IpAddrSet.h: src/ppm.h: src/preprocessors/spp_frag3.c: src/output-plugins/spo_log_null.h: src/pcrm.h: src/parser/IpAddrSet.c: src/output-plugins/spo_alert_test.c: src/preprocessors/perf-base.h: src/preprocessors/HttpInspect/include/hi_si.c: .h: src/output-plugins/spo_log_ascii. src/output-plugins/spo_alert_fast.h: src/preprocessors/HttpInspect/client/hi_client.c: src/preprocessors/snort_httpinspect.c: src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c: src/preprocessors/spp_bo.c: src/preprocessors/perf-event.c: src/output-plugins/spo_unified.c: src/output-plugins/spo_database.c: src/output-plugins/spo_unified.h: src/preprocessors/HttpInspect/include/hi_uri.c: src/preprocessors/portscan.c: src/plugbase.h: src/preprocessors/HttpInspect/include/hi_reqmethod_check.h: src/preprocessors/HttpInspect/include/hi_util_xmalloc.c: src/output-plugins/spo_alert_prelude.c: src/preprocessors/snort_httpinspect.h: src/pcap_pkthdr32.h: src/preprocessors/perf-flow.c: src/ppm.c: src/preprocessors/HttpInspect/utils/hi_util_kmap.h: src/parser.c: src/output-plugins/spo_log_ascii.c: src/preprocessors/perf-flow.c: src/output-plugins/spo_alert_sf_socket.c: src/preprocessors/perf-event.h: src/preprocessors/perf.c: src/output-plugins/spo_database.c: src/preprocessors/spp_bo.c: src/preprocessors/HttpInspect/session_inspection/hi_si.h: src/preprocessors/portscan.h: src/preprocessors/sfprocpidstats.h: src/preprocessors/HttpInspect/include/hi_ui_config.c: src/output-plugins/spo_alert_unixsock.h: src/preprocessors/HttpInspect/include/hi_urilen_check.c: src/output-plugins/spo_alert_full.h: src/output-plugins/spo_log_null.c: src/output-plugins/spo_alert_unixsock.h: src/plugbase.c:
src/preprocessors/HttpInspect/include/hi_client_stateful.c: src/output-plugins/spo_alert_syslog.c: src/preprocessors/perf-base.h: src/output-plugins/spo_log_tcpdump.h: src/output-plugins/spo_csv.h: src/preprocessors/HttpInspect/include/hi_stateful_inspect.c: src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: src/pcrm.

c: src/sfutil/sfksearch.h: src/sfutil/sfeventq.h: src/sfutil/bnfa_search.c: src/preprocessors/spp_sfportscan.h: src/preprocessors/Stream5/snort_stream5_session.c: src/sfutil/acsmx2.h: src/sfutil/acsmx2.h: src/preprocessors/str_search.h: src/sfutil/sfhashfcn.c: src/sfutil/asn1.c: src/profiler.h: src/preprocessors/Stream5/snort_stream5_udp.c: src/sfutil/acsmx.h: src/rules.c: src/sfutil/ src/sfutil/mpse.h: src/sfutil/sfportobject.h: src/sfutil/acsmx.h: src/sfutil/sfPolicy.h: src/profiler.h: src/sfutil/sf_iph.c: src/sfutil/sfksearch.h: src/sfutil/sfPolicyUserData.h: src/sfutil/sflsq.c: src/sfutil/sflsq.c: src/sfutil/sf_ipvar.h: src/preprocessors/Stream5/stream5_common.h: src/preprocessors/stream_api.c: src/preprocessors/spp_httpinspect.c: src/sfutil/sfPolicy.h: src/sfutil/asn1.c: src/sfutil/sf_ip.c: src/preprocessors/Stream5/snort_stream5_session.c: src/preprocessors/Stream5/snort_stream5_udp.h: src/preprocids.c: src/sfutil/ipobj.h: src/preprocessors/spp_httpinspect.h: src/sf_types.h: src/preprocessors/spp_rpc_decode.c: src/sfutil/mpse.h: src/preprocessors/spp_perfmonitor.c: src/preprocessors/Stream5/stream5_common.h: src/preprocessors/spp_stream5.c: src/preprocessors/spp_sfportscan.h: src/sfutil/sfrf.h: src/sfutil/sfghash.c: src/preprocessors/Stream5/snort_stream5_tcp.h: src/preprocessors/Stream5/snort_stream5_icmp.c: src/preprocessors/stream_ignore. src/preprocessors/spp_frag3.c: src/preprocessors/spp_stream5.h: src/preprocessors/stream_ignore.c: src/preprocessors/Stream5/snort_stream5_icmp.c: src/preprocessors/spp_perfmonitor.c: src/sfutil/sfportobject.h: src/preprocessors/Stream5/snort_stream5_tcp.c: .c: src/sfutil/Makefile.c: src/sfutil/sf_ip.c: src/sfutil/sfPolicyUserData.c: src/sfutil/sfeventq.

h: src/signature. * src/sfthreshold.h: 2009-04-20 Ryan Jordan <ryan. * src/parser.h: src/sfutil/sfrt.c: src/snort.c: src/sfutil/sfrt_lctrie. * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: src/sfutil/sfrt_dir.c: src/sfutil/util_math.h: src/sfutil/util_net. no session has been created and an ACK is received with a RST flag. src/sfutil/sfrf.h: src/sfutil/sf_vartable.c: src/sfutil/sf_vartable. when IPv6 was enabled.h: src/sfutil/sfxhash.h: src/sfutil/sf_textlog. Thanks to Jeff Johnson for reporting the problem.jordan@sourcefire.c: src/sfutil/util_math.h: src/target-based/sf_attribute_table_parser.c: Changed DCE2 configuration such that events are disabled by default.c: * src/dynamic-preprocessors/dcerpc2/snort_dce2.y: src/target-based/sftarget_hostentry.c: * src/dynamic-preprocessors/dcerpc2/dce2_smb.c: Fixed infinite loop when parsing SSH configuration.c: * src/sfutil/sf_ipvar.c: src/sfutil/sfthd. * src/output-plugins/spo_database. Thanks to David Cecchino for pointing out this issue.h: src/tag.c: src/sfutil/util_net.h: src/sfutil/sfrt.l: src/target-based/sf_attribute_table. * src/dynamic-preprocessors/ssh/spp_ssh.c: src/tag.h: src/sfutil/sfthd.c: src/target-based/sftarget_reader.c: src/target-based/sftarget_protocol_reference.c: src/util.c: src/signature.c: Handle case where require_3whs is configured.c: src/spo_plugbase.
* src/preprocessors/Stream5/snort_stream5_tcp.h: src/> * src/dynamic-preprocessors/dcerpc2/dce2_config.c: src/target-based/sftarget_hostentry.c: * src/sfutil/ipobj.c: src/sfutil/sfrt_dir.c: Fixed false positive when an additional /r/n followed the QUIT command.c: Fixed handling of IP lists that begin with variables.c: Fixed an issue that prevented Snort from inserting records into the sensor table of a MySQL database.h: src/target-based/sftarget_reader.h: src/target-based/sftarget_protocol_reference.h: src/util.c: .h: src/sfutil/sfrt_trie.h: src/snprintf.h: src/sfutil/sfrt_lctrie.

c: * src/dynamic-preprocessors/dcerpc2/dce2_smb. Added and updated unit test code. newest member of Snort Team. * src/dynamic-plugins/sf_dynamic_define. * src/dynamic-preprocessors/ftptelnet/ftpp_si. * src/output-plugins/spo_unified2. * src/fpcreate.c: Address False positives seen in testing.dsp: .c: * src/parser. * src/generators.dsp: * src/dynamic-preprocessors/dcerpc/sf_dcerpc. Fix misnamed macro.h: * src/preprocessors/Stream5/snort_stream5_tcp. and Andrew Pendray for reporting this.c: src/> * src/util.c: unlink output file in test mode. * src/sfutil/sf_ip. c0uch.c: Fix for IPv6 on Win32 to define interface variables.c: Correctly pass operation to allow flowbits checked-but-not-set and set-but-not-checked validation to work between text and shared rules.c: Fixed issues with use of IPv6 address variables. Allow overriding of this configuration on a port basis via an ignore_ports option.c: Fix handling of EPRT command for IPv6.c: * src/fpdetect.c: * src/dynamic-preprocessors/dcerpc2/dce2_event.tex: Updated to add Bhagyasree Bantwal. Thanks to Scott Fabbri.sid:12) when that limit is exceeded.spec: Added DCE2 preprocessor to RPM spec file.h: Fixed issues w/ IPv6 comparisons and /32 used with IPv6.c: Handle relative PCREs the same as text rules. 2009-03-10 Steven Sturges <ssturges@sourcefire.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre. Generate alert ( forums for pointing out the problem.h: * etc/gen-msg. 2009-03-11 Steven Sturges <ssturges@sourcefire.nsi: * src/win32/WIN32-Prj/snort_installer_options.c: Fix logging to syslog for rule counts at startup. * src/win32/WIN32-Prj/snort_installer.c: * src/dynamic-plugins/sf_engine/ Add stream5 option to restrict the number of consecutive small TCP segments inserted for reassembly without seeing an ACK.dsp: * src/dynamic-preprocessors/dcerpc2/sf_dce2.c: Add missing attribute check when FTP traffic is picked up mid-TCP stream. 
* src/dynamic-preprocessors/dcerpc2/dce2_co. src/sfutil/sfportobject.c: * src/preprocessors/Stream5/stream5_common.ini: * src/win32/WIN32-Prj/sf_engine.ini: Update for IPv6 installs.c: src/sfutil/sf_vartable.c: src/sfutil/sfthd. * rpm/snort. * src/dynamic-preprocessors/ftptelnet/pp_ftp. Thanks to mamcmil on> * src/dynamic-plugins/sf_engine/sf_snort_detection_engine. * doc/snort_manual.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api. * src/win32/WIN32-Prj/snort_installer_options.c: * src/sfutil/sf_ip.c: * src/dynamic-preprocessors/dcerpc2/snort_dce2.

h: Fix compilation issue with --disable-dynamicplugin.spec: src/win32/WIN32-Includes/config.c: * src/snort.h: .c: * src/dynamic-preprocessors/smtp/smtp_util.dsp: src/dynamic-preprocessors/ftptelnet/ rpm/snort.c: * src/sfutil/bnfa_search.dsp: src/dynamic-preprocessors/ssh/sf_ssh. * src/detection-plugins/detection_options. max_queued_segs and max_queued_bytes.c: * src/preprocessors/Stream5/snort_stream5_tcp.c: Add checks for header and method buffers when fast pattern is not specified in dynamic detection rules.c: Update smtp preprocessor to use stream5 direction data when determining if preprocessor is configured to process traffic.tex: * src/preprocessors/spp_stream5. * src/preprocessors/Stream5/snort_stream5_tcp. Thanks to Lothar Braun for bringing this to our attention.c: * src/sfutil/sf_ip.h: Added command line option "--require-rule-sid" to require every rule have an sid.c: Update to stream5 preprocessor to handle ECN and CWR bits in the SYN packet.c: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: * src/decode.c: * src/dynamic-preprocessors/ftptelnet/pp_ftp.dsp: src/dynamic-preprocessors/ssl/sf_ssl.c: Add range checking in stream5 preprocessor for prune_log_max and update error messages to indicate 0 is a valid value for prune_log_max.h: * src/detect.8: * src/parser. * src/dynamic-plugins/sf_engine/sf_snort_detection_engine. * src/dynamic-preprocessors/dcerpc/dcerpc_util.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api. * src/decode.c: * src/detection-plugins/detection_options.dsp: src/dynamic-preprocessors/smtp/sf_smtp.c: Update uses of isprint() to check for isascii() as well where only printable ascii characters are relevant. * src/dynamic-preprocessors/smtp/snort_smtp.c: Push dynamic engine minor version to 10 and build version to 16.8. 2009-02-06 Todd Wease <twease@sourcefire.dsp: configure.c: * src/preprocessors/HttpInspect/client/hi_client_norm.c: * src/dynamic-preprocessors/dcerpc2/dce2_utils.c: * src/sfutil/acsmx2.h: 2. 
* src/dynamic-plugins/sf_engine/sf_snort_detection_engine. Allow IPv6 to be installed via windows> * snort.c: * src/snort.c: * src/detect. * src/sfutil/sf_ip.stream5: * doc/snort_manual. src/dynamic-preprocessors/dns/sf_dns. Thanks to Jason Wallace for bringing this to our attention. * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.4 Final build changes. * doc/README.h: Fix preprocessor rule option processing for dynamic detection rules.h: Fix configuration parsing of IPv6 addresses to allow /32 cidr.

src/detection-plugins/sp_ip_proto.c: doc/snort_manual.c: src/preprocessors/spp_frag3.c: src/dynamic-preprocessors/ssh/spp_ssh.c: src/preprocessors/Stream5/snort_stream5_tcp. where ICMP (not ICMP6) over IPv6 would cause a segfault.c: src/dynamic-plugins/sf_dynamic_preprocessor. src/decode.h: src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib. src/detection-plugins/sp_byte_jump.tex: doc/snort_manual.c: src/plugbase.c: src/fpcreate.c: Added rule and preprocessor filtering by protocol so that traffic will not be evaluated for which there are no rules or preprocessors interested in that traffic.c: src/sfutil/sf_iph. src/dynamic-plugins/sf_dynamic_plugins.h: src/log_text.h: src/fpdetect.h: src/profiler.h: Added functionality to the dynamic-plugin API to check whether adaptive profiles is configured and to check whether or not a preprocessor is .c: src/dynamic-preprocessors/dcerpc2/snort_dce2.c: src/preprocessors/spp_httpinspect.c: src/plugbase.c: src/plugbase.c: src/preprocessors/spp_perfmonitor.c: src/profiler.pdf: Added new "post_offset" argument to byte jump rule option to move some designated amount after the byte jump.c: src/dynamic-preprocessors/dns/spp_dns.c: src/target-based/sftarget_reader.h: src/snort.c: src/rules.c: src/preprocessors/spp_sfportscan.h: src/preprocessors/spp_arpspoof.c: Fixed issue in IPv6 enabled binary.c: src/preprocessors/spp_rpc_decode.c: src/detection-plugins/detection_options.c: src/preprocessors/spp_stream5.c: src/target-based/sftarget_reader.h: src/dynamic-preprocessors/dcerpc/snort_dcerpc.h: src/parser.c: src/fpcreate. src/decode.h: Fixed inconsistent results in rule profiling.c: src/dynamic-preprocessors/ssl/spp_ssl.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_api.
src/detection-plugins/detection_options.c: src/preprocessors/spp_bo.c: src/detection-plugins/sp_ip_proto.c: src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h: src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.h: src/dynamic-plugins/sf_engine/sf_snort_packet.c: Fixed IPv6 decoder for Sparc memory alignment in IPv6 enabled binary. Thanks to Geoff Whittington for bringing this to our attention.h: src/dynamic-plugins/sf_engine/sf_snort_packet.c: src/dynamic-preprocessors/smtp/spp_smtp.c: src/dynamic-preprocessors/dcerpc2/dce2_roptions.

configured.
* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: Fatal error if both dcerpc and dcerpc2 preprocessors are configured.
* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: * src/dynamic-preprocessors/dcerpc2/dce2_config.c: * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: * src/dynamic-preprocessors/dns/spp_dns.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: * src/dynamic-preprocessors/smtp/spp_smtp.c: * src/dynamic-preprocessors/ssl/spp_ssl.c: * src/preprocessors/spp_httpinspect.c: * src/preprocessors/spp_rpc_decode.c: Updates to stream5 filtering so that stream5 does not track sessions for which there are no rules that could fire on that traffic or preprocessors that are interested in that traffic.
* doc/README.dcerpc2: * doc/snort_manual.tex: * doc/snort_manual.pdf: * etc/ * etc/snort.conf: Added dcerpc2 preprocessor documentation.
* src/dynamic-preprocessors/dcerpc2/dce2_cl.c: * src/dynamic-preprocessors/dcerpc2/dce2_co.c: * src/dynamic-preprocessors/dcerpc2/dce2_smb.c: * src/dynamic-preprocessors/dcerpc2/snort_dce2.c: * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: Added performance profiling statistics to the dcerpc2 preprocessor.
* src/dynamic-preprocessors/dcerpc2/dce2_cl.c: * src/dynamic-preprocessors/dcerpc2/dce2_co.c: * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c: * src/dynamic-preprocessors/dcerpc2/dce2_smb.c: * src/dynamic-preprocessors/dcerpc2/dce2_utils.c: * src/dynamic-preprocessors/dcerpc2/dce2_utils.h: * src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h: * src/dynamic-preprocessors/dcerpc2/includes/smb.h: Fix for architectures requiring strict memory alignment such as Sparc in the dcerpc2 preprocessor.
* src/dynamic-preprocessors/dcerpc2/dce2_config.c: * src/dynamic-preprocessors/dcerpc2/dce2_config.h: * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c: * src/dynamic-preprocessors/dcerpc2/dce2_roptions.h: Updated configuration error reporting in the dcerpc2 preprocessor.
* src/dynamic-preprocessors/dcerpc2/dce2_cl.c: * src/dynamic-preprocessors/dcerpc2/dce2_co.c: * src/dynamic-preprocessors/dcerpc2/dce2_co.h: * src/dynamic-preprocessors/dcerpc2/dce2_smb.c: * src/dynamic-preprocessors/dcerpc2/dce2_smb.h: * src/dynamic-preprocessors/dcerpc2/dce2_tcp.h: * src/dynamic-preprocessors/dcerpc2/dce2_udp.h: * src/dynamic-preprocessors/dcerpc2/dce2_session.h: * src/dynamic-preprocessors/dcerpc2/snort_dce2.c: * src/dynamic-preprocessors/dcerpc2/snort_dce2.h: Updated dcerpc2 preprocessor autodetection and handling of missed packets to limit false positives.
* src/dynamic-preprocessors/dcerpc2/dce2_cl.c: * src/dynamic-preprocessors/dcerpc2/dce2_co.c: * src/dynamic-preprocessors/dcerpc2/dce2_config.c: * src/dynamic-preprocessors/dcerpc2/dce2_debug.c: * src/dynamic-preprocessors/dcerpc2/dce2_list.c:

* src/dynamic-preprocessors/dcerpc2/dce2_memory.c: * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c: * src/dynamic-preprocessors/dcerpc2/dce2_smb.c: * src/dynamic-preprocessors/dcerpc2/dce2_stats.c: * src/dynamic-preprocessors/dcerpc2/dce2_utils.c: * src/dynamic-preprocessors/dcerpc2/dce2_utils.h: * src/dynamic-preprocessors/dcerpc2/snort_dce2.c: * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: Updated dcerpc2 preprocessor logging.
* preproc_rules/preprocessor.rules: * src/dynamic-preprocessors/dcerpc2/dce2_co.c: * src/dynamic-preprocessors/dcerpc2/dce2_event.c: * src/dynamic-preprocessors/dcerpc2/dce2_event.h: * src/generators.h: Added new preprocessor event to the dcerpc2 preprocessor to alert on Bind or Alter Context PDUs that don't have any context items.
* src/dynamic-preprocessors/ftptelnet/pp_ftp.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Updated ftp_telnet preprocessor to consider the AUTH command as the beginning of a possibly encrypted session.
* src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h: Pushed the ftp_telnet preprocessor minor version to 2 and build version to 11.
* src/decode.c: * src/snort.h: * src/util.c: Added additional ethertypes to Vlan decoder.
* src/output-plugins/spo_database.c: Added reconnect capability to MySQL database output plugin. Thanks to Ian Mitchell and other users on the lists for bringing this to our attention.
* src/output-plugins/spo_unified2.c: * src/output-plugins/spo_unified2.h: Added code to better handle logging to an NFS mounted share.
* src/parser.c: Command line BPF filter now overrides configuration in snort.conf.
* src/parser.c: Command line log directory now overrides configuration in snort.conf.
* src/parser.c: * src/snort.c: Fixed read back mode to reallow reading from stdin. Thanks to John Gerber for bringing this to our attention.
* src/plugbase.c: * src/util.c: Fixed compilation on HPUX 11.11. Thanks to Lars Ebeling for bringing this to our attention.
* src/preprocessors/spp_rpc_decode.c: Continue defragmentation even when alerting on fragmentation in the rpc_decode preprocessor.
* src/preprocessors/spp_stream5.c: Stream5 will now fatal error if there isn't at least one of track tcp, track udp or track icmp.
* src/sfthreshold.c: * src/sfutil/sfthd.c: * src/sfutil/sfthd.h: Allow a count of -1 to threshold configuration option to disable all thresholding for that object.
* src/snort.c: Fixed issue with SIGHUP and handling of daemonize flag.

* preproc_rules/decoder.rules: * preproc_rules/preprocessor.rules: Added decoder/preprocessor rules for MPLS and DCE/RPC.
* snort.8: Update manpage for "-x", "--conf-error-out" and "--exit-check" command line options.
2008-12-30 Steven Sturges <>
* src/output-plugins/spo_database.c: Update to check for a missing host name when connecting to a MySQL database and fail gracefully. Thanks to Chris Benedict for the report.
* doc/README.stream5: * doc/snort_manual.pdf: * doc/snort_manual.tex: * src/preprocessors/spp_stream5.c: * src/preprocessors/stream_api.h: * src/preprocessors/Stream5/snort_stream5_session.c: * src/preprocessors/Stream5/snort_stream5_session.h: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/preprocessors/Stream5/stream5_common.h: Update Stream5 to better handle out-of-sequence server responses when not doing server-side reassembly. Add limits on number of bytes and segments queued to prevent one session from consuming all memory.
* src/target-based/sf_attribute_table.y: Force bison to use malloc/free instead of alloca for older versions of bison.
* src/target-based/sf_attribute_table_parser.l: * src/target-based/sftarget_reader.c: Don't fatal error when reloading an attribute table beyond the configured limit. Only display warning to syslog/console.
2008-10-03 Todd Wease <> * * src/decode.c: * src/decode.h: * src/detection-plugins/sp_pattern_match.c: * src/dynamic-plugins/sf_dynamic_plugins.c: * src/dynamic-plugins/sf_dynamic_preprocessor.h: * src/dynamic-plugins/sf_engine/ * src/dynamic-plugins/sf_engine/sf_snort_packet.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: * src/dynamic-preprocessors/dns/spp_dns.c: * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c: * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h: * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c: * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: * src/dynamic-preprocessors/ftptelnet/ftpp_si.c: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c: * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: * src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp: * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp: * src/fpdetect.c:


src/generators.h: src/ipv6_port.h: src/log.c: src/log_text.c: src/output-plugins/spo_alert_test.c: src/output-plugins/spo_csv.c: src/preprocessors/HttpInspect/session_inspection/hi_si.c: src/preprocessors/snort_httpinspect.c: src/preprocessors/spp_frag3.c: src/preprocessors/spp_sfportscan.c: src/preprocessors/Stream5/snort_stream5_session.c: src/preprocessors/stream_ignore.c: src/sfutil/ipobj.c: src/sfutil/ipobj.h: src/sfutil/sf_ip.c: src/sfutil/sf_ip.h: src/sfutil/sf_iph.c: src/sfutil/sf_ipvar.c: src/sfutil/sfrt.c: src/sfutil/sfrt.h: src/sfutil/sfrt_dir.c: src/sfutil/sfrt_dir.h: src/snort.c: src/target-based/sf_attribute_table.y: src/target-based/sftarget_reader.c: src/target-based/sftarget_reader.h: src/win32/WIN32-Prj/sf_engine.dsp: IPv6 updates and support for sfportscan, ftp_telnet, frag3 and dns preprocessors and adaptive IPS. etc/ src/decode.h: src/detect.c: src/detection-plugins/sp_byte_check.c: src/detection-plugins/sp_byte_jump.c: src/dynamic-plugins/sf_engine/sf_snort_packet.h: src/dynamic-preprocessors/dcerpc2/dce2_cl.c: src/dynamic-preprocessors/dcerpc2/dce2_cl.h: src/dynamic-preprocessors/dcerpc2/dce2_co.c: src/dynamic-preprocessors/dcerpc2/dce2_co.h: src/dynamic-preprocessors/dcerpc2/dce2_config.c: src/dynamic-preprocessors/dcerpc2/dce2_config.h: src/dynamic-preprocessors/dcerpc2/dce2_debug.c: src/dynamic-preprocessors/dcerpc2/dce2_debug.h: src/dynamic-preprocessors/dcerpc2/dce2_event.c: src/dynamic-preprocessors/dcerpc2/dce2_event.h: src/dynamic-preprocessors/dcerpc2/dce2_http.c: src/dynamic-preprocessors/dcerpc2/dce2_http.h: src/dynamic-preprocessors/dcerpc2/dce2_list.c: src/dynamic-preprocessors/dcerpc2/dce2_list.h: src/dynamic-preprocessors/dcerpc2/dce2_memory.c: src/dynamic-preprocessors/dcerpc2/dce2_memory.h: src/dynamic-preprocessors/dcerpc2/dce2_roptions.c: src/dynamic-preprocessors/dcerpc2/dce2_roptions.h: src/dynamic-preprocessors/dcerpc2/dce2_session.h: src/dynamic-preprocessors/dcerpc2/dce2_smb.c: 
src/dynamic-preprocessors/dcerpc2/dce2_smb.h: src/dynamic-preprocessors/dcerpc2/dce2_stats.c: src/dynamic-preprocessors/dcerpc2/dce2_stats.h: src/dynamic-preprocessors/dcerpc2/dce2_tcp.c: src/dynamic-preprocessors/dcerpc2/dce2_tcp.h:

h: src/dynamic-preprocessors/dcerpc2/spp_dce2.h: src/dynamic-preprocessors/Makefile.c: src/win32/WIN32-Prj/snort.c: src/dynamic-preprocessors/dcerpc2/spp_dce2.c: src/target-based/sftarget_protocol_reference. src/dynamic-preprocessors/dcerpc2/dce2_udp.h: src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h: src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: src/sfutil/sfrt.h: src/preprocessors/HttpInspect/session_inspection/hi_si. Addition of new rule options supported by preprocessor.c: src/dynamic-preprocessors/dcerpc/dcerpc.h: src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: src/preprocessors/spp_rpc_decode.c: src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h: src/dynamic-preprocessors/dcerpc2/snort_dce2.h: src/output-plugins/spo_alert_fast. dns.c: src/dynamic-preprocessors/dcerpc2/dce2_udp.h: src/preprocessors/HttpInspect/include/hi_ui_config.c: src/target-based/sftarget_protocol_reference. dcerpc.c: src/sf_types.h: src/sfutil/sfrt.c: src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: src/preprocessors/spp_stream5.c: src/dynamic-preprocessors/smtp/snort_smtp.h: src/dynamic-preprocessors/dcerpc2/includes/smb.h: src/dynamic-plugins/sf_dynamic_plugins.c: src/dynamic-preprocessors/ssl/spp_ssl.h: src/dynamic-preprocessors/dcerpc2/ src/dynamic-preprocessors/dcerpc2/sf_dce2.c: src/preprocessors/HttpInspect/include/hi_si. src/detect. ftp_telnet.c: src/detect. ssh and ssl preprocessors.c: src/dynamic-preprocessors/dcerpc/snort_dcerpc.dsw: Addition of dcerpc2 preprocessor.c: src/preprocessors/Stream5/snort_stream5_session.c: src/dynamic-preprocessors/ssh/spp_ssh.c: src/preprocessors/snort_httpinspect.h: src/dynamic-preprocessors/dcerpc2/dce2_utils.c: . dcerpc2.h: src/preprocessors/Stream5/snort_stream5_tcp. rpc.h: src/dynamic-preprocessors/smtp/spp_smtp.dsp: src/win32/WIN32-Prj/snort.h: src/util.dsp: src/dynamic-preprocessors/dcerpc2/sf_preproc_info.
smtp.c: src/fpdetect.h: Add adaptive support for http_inspect. configure.c: src/dynamic-preprocessors/dcerpc2/snort_dce2.c: src/parser.c: src/dynamic-preprocessors/dcerpc2/dce2_utils.c: src/dynamic-preprocessors/smtp/snort_smtp.c: src/dynamic-plugins/sf_dynamic_preprocessor.c: src/dynamic-preprocessors/dns/spp_dns.c: src/dynamic-preprocessors/ftptelnet/ src/detect.c: src/preprocessors/spp_httpinspect.h: src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c: src/dynamic-preprocessors/dcerpc/ src/generators.

h: src/detection-plugins/sp_icmp_id_check.c: .h: src/detection-plugins/sp_tcp_win_check.c: src/detection-plugins/sp_dsize_check.c: src/detection-plugins/sp_pattern_match.h: src/detection-plugins/sp_tcp_flag_check.c: src/detection-plugins/sp_ip_fragbits.c: src/detection-plugins/sp_ip_same_check.h: src/detection-plugins/sp_cvs.h: src/detection-plugins/sp_respond2.h: src/detection-plugins/sp_tcp_seq_check.c: src/detection-plugins/sp_icmp_type_check.c: src/detection-plugins/sp_flowbits.h: src/detection-plugins/sp_icmp_seq_check.h: src/detection-plugins/sp_rpc_check.c: src/detection-plugins/sp_rpc_check.c: src/detection-plugins/sp_ip_id_check.c: src/detection-plugins/sp_byte_check.c: src/detection-plugins/sp_icmp_id_check.c: src/detection-plugins/sp_ip_tos_check.c: src/detection-plugins/sp_asn1.h: src/detection-plugins/sp_ip_fragbits.h: src/detection-plugins/sp_pattern_match.c: src/detection-plugins/sp_tcp_ack_check.h: src/detection-plugins/sp_byte_jump.h: src/detection-plugins/sp_ip_tos_check.h: src/detection-plugins/sp_ip_proto.h: src/detection-plugins/sp_session.h: src/detection-plugins/sp_tcp_ack_check. src/detection-plugins/detection_options.h: src/detection-plugins/sp_ip_id_check.c: src/detection-plugins/sp_respond.h: src/detection-plugins/sp_flowbits.c: src/detection-plugins/sp_isdataat.h: src/detection-plugins/sp_dsize_check.c: src/detection-plugins/sp_respond2.c: src/detection-plugins/sp_tcp_seq_check.c: src/detection-plugins/sp_byte_jump.h: src/detection-plugins/sp_byte_check.h: src/detection-plugins/sp_isdataat.c: src/detection-plugins/sp_tcp_flag_check.c: src/detection-plugins/sp_cvs.h: src/detection-plugins/sp_ipoption_check.h: src/detection-plugins/sp_icmp_type_check.c: src/detection-plugins/sp_ftpbounce.c: src/detection-plugins/sp_icmp_seq_check.c: src/detection-plugins/sp_session.c: src/detection-plugins/sp_clientserver.c:
src/detection-plugins/sp_pcre.h: src/detection-plugins/sp_ip_same_check.h: src/detection-plugins/sp_react.c: src/detection-plugins/sp_ipoption_check.h: src/detection-plugins/sp_respond.c: src/detection-plugins/sp_icmp_code_check.c: src/detection-plugins/sp_react.h: src/detection-plugins/sp_clientserver.c: src/detection-plugins/sp_ip_proto.h: src/detection-plugins/sp_ftpbounce.h: src/detection-plugins/sp_pcre.h: src/detection-plugins/sp_icmp_code_check.c: src/detection-plugins/sp_asn1.

c: src/sfutil/acsmx2.c: src/dynamic-plugins/sp_preprocopt.h: src/rules.tex: doc/README.dsp: src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.sfportscan: src/detect.h: src/sfutil/acsmx.dsp: src/dynamic-preprocessors/dns/sf_dns.h: src/parser.h: src/detection-plugins/ doc/snort_manual.h: src/Makefile.c (removed): src/preprocessors/flow/flow_cache.c: src/win32/WIN32-Prj/sf_engine.h: src/sfutil/sfksearch.c: src/detection-plugins/sp_clientserver.c: src/pcrm.c: src/preprocessors/spp_frag3.c: src/pcrm.c: src/ppm.h: src/plugbase.dsp: Harden rule option tree code.c: src/preprocessors/flow/common_defs.dsp: src/fpcreate.h: src/dynamic-plugins/sp_dynamic.dsp: src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.c: src/ src/parser.c: src/ppm. configure.h (removed): src/preprocessors/flow/flow.dsp: src/win32/WIN32-Prj/snort.c (removed): .h: src/preprocessors/str_search.c: src/sfutil/mpse.c: src/detection-plugins/sp_urilen_check.c: src/detection-plugins/sp_flowbits.c: src/profiler.h: src/snort.c: src/dynamic-plugins/ doc/Makefile.c: src/sfutil/acsmx.c: src/sfutil/bnfa_search.c: src/plugbase.h: src/detection-plugins/sp_urilen_check.c: src/fatal.dsp: src/dynamic-preprocessors/ssl/sf_ssl.h: src/preprocessors/spp_frag3.h: src/sfutil/bnfa_search.h: src/sfutil/mpse.h: src/fpdetect. src/detection-plugins/sp_tcp_win_check.c: src/sfutil/sfksearch.dsp: src/dynamic-preprocessors/smtp/sf_smtp.h: src/sfutil/acsmx2.h: src/dynamic-preprocessors/dcerpc/sf_dcerpc.h: src/generators.dsp: src/dynamic-preprocessors/ssh/sf_ssh.c: src/fpcreate.c: src/fpdetect.c: src/detection-plugins/sp_ttl_check.

c (removed): src/preprocessors/flow/flow_callback. src/preprocessors/flow/flow_cache. src/tag.h: src/fpdetect.c: src/fpdetect.h (removed): src/preprocessors/flow/flow_error.c (removed): src/preprocessors/flow/flow_hash.h (removed): src/preprocessors/flow/flow_stat.h: src/sfutil/acsmx2.h: src/ubi_BinTree.h: src/snort.c (removed): src/preprocessors/flow/flow_stat.c (removed): src/preprocessors/flow/flow_print.c (removed): src/preprocessors/flow/flow_class.h (removed): src/preprocessors/flow/flow_print.h (removed): Tagging now uses a hash table instead of a splay tree for data storage.c: src/preprocessors/str_search.h: src/dynamic-preprocessors/smtp/snort_smtp. src/detection-plugins/detection_options.h: src/sfutil/mpse.h (removed): src/preprocessors/flow/flow_config.h (removed): src/preprocessors/flow/int-snort (removed): src/preprocessors/flow/ (removed): src/preprocessors/flow/portscan (removed): src/preprocessors/Makefile.c: src/sfutil/acsmx2.dsp: Removal of stream4 and flow preprocessors from code base.c: src/fpcreate.c (removed): src/preprocessors/snort_httpinspect.h (removed): src/ubi_SplayTree.c (removed): src/preprocessors/spp_stream4.h: src/sfutil/acsmx.c (removed): src/preprocessors/snort_stream4_session.c (removed): src/ubi_SplayTree.c: src/preprocessors/str_search.c: src/preprocessors/snort_stream4_session.c (removed): src/preprocessors/snort_stream4_udp.h (removed): src/preprocessors/spp_flow.h: src/plugbase.h (removed): src/preprocids.h (removed): src/preprocessors/stream.c: src/sfutil/bnfa_search.h: .h (removed): src/preprocessors/flow/flow_class.h (removed): src/preprocessors/spp_stream4.c: src/detection-plugins/sp_pattern_match.h (removed): src/preprocessors/snort_stream4_udp.c: src/fpcreate.c: src/tag.c (removed): src/ubi_BinTree.c: src/win32/WIN32-Prj/snort.c: src/sfutil/mpse.c: src/sfutil/acsmx.h: src/sfutil/bnfa_search.c:
src/detection-plugins/sp_pattern_match.h (removed): src/preprocessors/flow/flow.h (removed): src/preprocessors/flow/ src/preprocessors/portscan.c (removed): src/preprocessors/spp_flow.h (removed): src/preprocessors/flow/flow_hash.

c: * src/detection-plugins/sp_ttl_check.c: * src/dynamic-plugins/sp_preprocopt.c: * src/detection-plugins/sp_isdataat. * src/detection-plugins/detection_options.c: * src/dynamic-plugins/sf_dynamic_preprocessor.c: * src/plugbase.* src/sfutil/sfksearch.c: * src/detection-plugins/sp_respond2. * src/detection-plugins/detection_options.c: * src/detection-plugins/sp_tcp_ack_check.c: * src/detection-plugins/sp_icmp_type_check.c: * src/dynamic-plugins/sf_dynamic_engine.h: * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c: * src/preprocessors/snort_httpinspect.c: * src/detection-plugins/sp_icmp_code_check.c: * src/dynamic-plugins/sp_preprocopt.c: * src/detection-plugins/sp_tcp_win_check.c: * src/detection-plugins/sp_icmp_seq_check.h: * src/plugbase.c: * src/detection-plugins/sp_byte_jump.c: * src/detection-plugins/sp_ip_tos_check.c: * src/dynamic-plugins/sp_dynamic. Argument to a rule option can be overridden and processed elsewhere.c: * src/detection-plugins/sp_react.c: * src/detection-plugins/sp_icmp_id_check.c: * src/detection-plugins/sp_tcp_seq_check.c: * src/detection-plugins/sp_ip_id_check.c: * src/detection-plugins/sp_ipoption_check.c: * src/dynamic-plugins/sf_dynamic_plugins.h: Make sure Stream5 is enabled when parsing most arguments to flow rule .c: * src/detection-plugins/sp_asn1.c: * src/detection-plugins/sp_cvs.c: * src/detection-plugins/sp_ip_proto.h: Support rules with content rule options that are only not contents.c: * src/detection-plugins/sp_tcp_flag_check.c: * src/detection-plugins/sp_ip_fragbits.c: * src/detection-plugins/sp_clientserver.c: * src/detection-plugins/sp_urilen_check.h: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/dynamic-plugins/sp_dynamic.c: * src/detection-plugins/sp_session.c: * src/detection-plugins/sp_rpc_check.h: Add hash and compare functions for preprocessors to rule option tree.c: * src/preprocessors/spp_httpinspect.c: * src/detection-plugins/sp_respond.c: * src/detection-plugins/sp_flowbits.c: *
src/detection-plugins/sp_pattern_match. Added for support of new byte_test and byte_jump rule option argument "dce".c: * src/detection-plugins/sp_ftpbounce.h: * src/dynamic-plugins/sf_dynamic_common.c: Add override keyword support. * src/detection-plugins/sp_clientserver.h: * src/dynamic-plugins/sp_preprocopt.c: * src/detection-plugins/sp_pattern_match.c: * src/detection-plugins/sp_pcre.h: * src/dynamic-plugins/sp_preprocopt.c: * src/detection-plugins/sp_ip_same_check.c: * src/detection-plugins/sp_byte_check.c: * src/detection-plugins/sp_dsize_check.c: * src/sfutil/sfksearch.

h: src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c: src/dynamic-preprocessors/ssl/spp_ssl.c: src/preprocessors/snort_httpinspect.c: http_inspect preprocessor server configurations now support multiple IP addresses and netmasks.c: .c: src/preprocessors/perf-base.h: src/preprocessors/spp_httpinspect.tex: src/generators.c: src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.stream5: doc/snort_manual.c: src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c: src/preprocessors/Stream5/snort_stream5_session. Stream5 will ignore traffic (if it is configured to do so) for which there are no rules or preprocessors configured to look at this traffic.c: src/dynamic-preprocessors/smtp/spp_smtp.h: src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h: src/preprocessors/Stream5/stream5_common.h: src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: src/preprocessors/Stream5/stream5_common.h: src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h: src/preprocessors/Stream5/snort_stream5_tcp.c: src/dynamic-preprocessors/dns/spp_dns.c: ftp_telnet_protocol server configurations now support multiple IP addresses and netmasks.c: src/preprocessors/HttpInspect/include/hi_eo_events.h: src/dynamic-preprocessors/ftptelnet/Makefile.c: src/preprocessors/snort_httpinspect.c: src/preprocessors/Stream5/snort_stream5_tcp.c: src/dynamic-preprocessors/ssh/spp_ssh.c: src/preprocessors/spp_httpinspect.c: Added dynamic callbacks for logging and resetting event queue.c: src/preprocessors/spp_rpc_decode.c: src/preprocessors/Stream5/snort_stream5_udp.h: src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h: Port and service based filtering to improve performance.h: src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.h: src/dynamic-preprocessors/ftptelnet/ftpp_ui_config. 
src/dynamic-plugins/sf_dynamic_plugins.h: src/preprocessors/Stream5/snort_stream5_udp.http_inspect: doc/snort_manual.h: src/preprocessors/HttpInspect/client/hi_client. option.c: Added no_frag and only_frag arguments to flow rule option. Make sure http_inspect is enabled when parsing uricontent or http content modifiers.h: src/preprocessors/stream_api.c: src/dynamic-preprocessors/ftptelnet/snort_ftptelnet. src/preprocessors/HttpInspect/include/hi_ui_config.c: src/dynamic-plugins/sf_dynamic_preprocessor. src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup. doc/README.tex: src/dynamic-preprocessors/dcerpc/spp_dcerpc. src/detection-plugins/sp_clientserver.c: src/preprocessors/perf-base.h: src/preprocessors/ src/dynamic-preprocessors/ftptelnet/pp_ftp.c: src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c: src/preprocessors/spp_stream5.c: src/preprocessors/HttpInspect/event_output/hi_eo_log. doc/README.c: src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.

tex: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h: * src/win32/WIN32-Includes/WinPCAP/pcap-stdinc.c: Fix to alert on dropped packet in midstream session.stream4: * doc/snort_manual.h: * src/ppm. * etc/snort.tex: * doc/snort_manual. * doc/README.c: * src/dynamic-preprocessors/dcerpc/dcerpc_util. * doc/CREDITS: * doc/snort_manual.pdf: The flow and stream4 preprocessors will be deprecated in a future release.h: * src/fpcreate.tex: Update for new members of Snort team.h: * src/profiler.h: * src/dynamic-preprocessors/dcerpc/snort_dcerpc. 2008-08-12 Todd Wease <twease@sourcefire. * src/profiler.h: * src/ppm.conf: Add "trustservers" to default ssl preprocessor configuration.flow: * doc/README.c: * src/preprocessors/spp_stream5.c: * src/> * src/bounds.c: Add "max_headers" and "max_header_length" options to http_inspect server configuration. 2008-09-15 Todd Wease <twease@sourcefire.c: * src/detection-plugins/detection_options.h: * etc/gen-msg.c: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: . * src/preprocessors/spp_flow.c: * src/preprocessors/spp_stream4.ftptelnet: * doc/snort_manual.c: Fix to correctly identify end of http client body request.c: * doc/README.c: * src/dynamic-preprocessors/dcerpc/ Update rule latency thresholding.c: * src/generators.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h: * src/dynamic-preprocessors/dcerpc/dcerpc_config.h: Updates to compile in Visual Studio> * src/detection-plugins/detection_options.c: * src/ppm.h: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.* src/preprocessors/snort_httpinspect.c: Added "ignore_data_chan" option to ftp_telnet preprocessor to deprecate confusing "data_chan" option.h: * src/dynamic-preprocessors/dcerpc/dcerpc.flow-portscan: * doc/README.Dilbagh Chahal and Ryan Jordan. * src/win32/WIN32-Includes/config.c: * src/ppm.c: * src/dynamic-preprocessors/dcerpc/dcerpc.h: * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: * src/profiler. * src/preprocessors/spp_stream5.
* src/preprocessors/HttpInspect/client/hi_client.h: Update to handle rule latency thresholding with rule option tree.

Many thanks to Bamm Visscher for doing the research. * src/detection-plugins/sp_pattern_match.c: * doc/> * src/byte_extract.c: Added checks to only allow one rule without an SID defined.c: .c: * src/preprocessors/perf-base.c: Added check to not register so rule if it has already been registered. whether compiled for MPLS or not. Fixed handling of 'filename' option in the rule profiling configuration.c: * doc/README.h: * src/preprocessors/Stream5/snort_stream5_session. Added option to reassemble fragmentation buffers early.c: * src/dynamic-preprocessors/smtp/snort_smtp.c: Fix issue with rule option "dsize" range check. Thanks to Bhadresh Patel for bringing this to our attention. 2008-07-11 Todd Wease <twease@sourcefire. 2008-07-18 Todd Wease <twease@sourcefire.PerfProfiling: Updated performance profiling README to document new 'filename' option.dcerpc: * doc/snort_manual.tex: Fixed some spelling errors and confusing syntax.tex: DCE/RPC preprocessor changes to handle abnormal TCP segmentation. * doc/README. * src/plugbase. finding the offending rule and producing the test case necessary to track down and fix the issue.c: Changed plugins startup output to use log function instead of printf(). * src/preprocessors/perf-base. Updated documentation.c: Fix issue with evaluating PCRE rule options with /U modifier that are followed by a relative content rule option. Thanks to Christian Mock for bringing this to our attention. * src/event_queue.c: Fixed checksum calculation for IPv6 case for 'replace' rule option.c: * src/decode. * doc/CREDITS: Credits updates. * src/debug. * src/dynamic-preprocessors/smtp/snort_smtp. * src/parser. * src/detection-plugins/sp_pcre.c: Fixes to avoid false positives on http_inspect preprocessor events for bare byte encoding and oversize request-uri directory. 
Also thanks to others on the snort users list .* src/preprocessors/Stream5/snort_stream5_tcp.h: Added better handling of SMTP data header options to avoid false positives occurring with data header buffer overflow smtp preprocessor event. * src/preprocessors/HttpInspect/client/> * src/detection-plugins/sp_dsize_check.craig for starting a thread and JJ Cummings for confirming it was not a logging issue. Thanks to Hari Sekhon for pointing many of these out.c: * src/signature.c: Added byte test for 3 bytes.c: Fixed handling of MPLS label in checking Stream session uniqueness when IPv4 packets are received and build is IPv6. Thanks to rmkml for bringing this to our attention. * src/dynamic-plugins/sf_engine/sf_snort_detection_engine. * src/decode.h: MPLS stats are now printed.decode: * doc/snort_manual.

c: src/sfutil/sfhashfcn.c: src/dynamic-plugins/sp_preprocopt.c: src/snort.c: src/dynamic-plugins/sp_dynamic.c: src/detection-plugins/sp_ttl_check.c: src/detection-plugins/sp_react.c: src/detection-plugins/sp_ip_id_check.c: src/detection-plugins/sp_icmp_code_check.c: src/preprocessors/spp_frag3.dsp: src/win32/WIN32-Prj/sf_engine.h: src/dynamic-preprocessors/ssl/sf_preproc_info.dsp: src/dynamic-preprocessors/ssh/sf_ssh.c: src/detection-plugins/sp_isdataat.c: src/detection-plugins/sp_ip_tos_check.c: src/parser.c: src/dynamic-preprocessors/libs/ssl. src/detection-plugins/detection_options.dsp: .c: src/detection-plugins/sp_icmp_type_check.c: src/detection-plugins/sp_clientserver.c: src/detection-plugins/sp_pcre.c: src/detection-plugins/sp_rpc_check.c: src/detection-plugins/sp_tcp_ack_check.dsp: src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.c: src/detection-plugins/sp_tcp_win_check.c: src/detection-plugins/sp_ipoption_check.c: src/detection-plugins/sp_pattern_match.c: src/detection-plugins/sp_ip_proto.h: Move hash rot macros.c: src/detection-plugins/sp_byte_jump.c: src/detection-plugins/detection_options.c: src/detection-plugins/sp_session.c: src/detection-plugins/sp_respond. src/dynamic-preprocessors/dcerpc/sf_dcerpc. 
multiple handshake records and disabling detection.c: src/detection-plugins/sp_urilen_check.c: src/snort.c: src/detection-plugins/sp_tcp_flag_check.h: Updates to SSL preprocessor to make it work with stream reassembly. src/debug.c: src/dynamic-preprocessors/ssl/spp_ssl.c: src/detection-plugins/sp_ftpbounce.c: src/detection-plugins/sp_icmp_id_check.c: src/detection-plugins/sp_flowbits.c: src/detection-plugins/sp_tcp_seq_check.c: src/detection-plugins/sp_byte_check.h: src/detection-plugins/sp_asn1.c: src/preprocessors/Stream5/snort_stream5_session.dsp: src/dynamic-preprocessors/ssl/sf_ssl.c: src/detection-plugins/sp_respond2.c: src/detection-plugins/sp_icmp_seq_check.c: src/detection-plugins/sp_ip_fragbits. src/decode.h: Fix MPLS fragmentation reassembly issue.c: src/detection-plugins/sp_dsize_check.h: src/dynamic-preprocessors/ssl/spp_ssl.dsp: src/dynamic-preprocessors/smtp/sf_smtp.c: src/detection-plugins/sp_cvs.dsp: src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.h: src/dynamic-preprocessors/libs/ssl.dsp: src/dynamic-preprocessors/dns/sf_dns.

h: * src/generators. * etc/ Fixed alert message for IP datagram being greater than captured length.h: * src/ Updates.dsp: Update Win32 project files to include MPLS.c: * src/generators.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api. * src/decode.h: * src/detection-plugins/sp_pcre.c: * src/detection-plugins/sp_pattern_match.c: * src/preprocessors/perf-base.c: .c: * src/preprocessors/HttpInspect/include/hi_client. Thanks to Pavan Raj and Jaipal Reddy for pointing this out.c: * src/snort.h: * src/detection-plugins/sp_pattern_match.h: * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: * src/fpcreate.c: * configure.h: * src/preprocessors/HttpInspect/include/hi_include.pdf: * doc/README.c: * src/parser.c: * src/preprocessors/perf-base.h: * src/snort.tex: * doc/snort_manual.* src/win32/WIN32-Prj/snort.h: Fixed compilation issue on HPUX machines related to performance profiling and the assembly instructions used for getting cpu clock ticks.c: * src/decode.h: * src/dynamic-plugins/sf_engine/sf_snort_packet.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.h: * etc/gen-msg.c: * src/preprocessors/Stream5/ * doc/> * src/cpuclock.h: * src/log.h: * src/preprocessors/HttpInspect/include/hi_ui_config.mpls: Added MPLS decoding support. 2008-06-16 Todd Wease <twease@sourcefire.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: * src/preprocessors/Stream5/snort_stream5_session. reset errno after gathering pcaps from a directory.h: * src/preprocessors/HttpInspect/server/hi_server.c: * src/preprocessors/HttpInspect/client/hi_client_norm.c: For read mode.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_content. * src/decode.h: * src/output-plugins/spo_unified2.h: * src/preprocessors/spp_frag3.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c: * src/dynamic-plugins/sf_dynamic_common. * src/util.c: * src/preprocessors/HttpInspect/client/hi_client.c: * src/fpdetect. * src/decode.c: * src/log.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.

URI.c: Fixed some configuration error checking.c: Update Stream5 to flush bytes up to ACK if ACK falls in the middle of a segment instead of including entire segment in reassembled packet. src/preprocessors/HttpInspect/session_inspection/hi_si.c: Packet size distribution reported by snort flow stats do not count reassembled packets anymore. Updated dynamic rule API to allow searches within the new buffers.h: src/sfutil/mpse.c: src/snort. src/detection-plugins/sp_flowbits.h: src/sfutil/sfksearch.pdf: New Feature for HTTP Inspect to split requests into 5 components Method. events were getting logged using both the default log method and the ruletype log method.c: src/preprocessors/spp_httpinspect.c: src/util.c: src/preprocessors/spp_httpinspect.c: src/sfutil/mpse.c: src/sfutil/sfksearch.c: src/sfutil/acsmx2.c: src/preprocessors/HttpInspect/user_interface/hi_ui_config. Added content modifier to allow rule writer to specify content to be used for fast pattern matcher.h: doc/README.pdf: Provided option to rule and preprocessor profiling configurations to log to file instead of syslog.c: src/sfutil/acsmx2.h: Provided command line switch to bail on rule parsing failure. Body.c: src/snort.tex: doc/snort_manual. Thanks to Agent Smith for pointing this out. src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: src/profiler.h: src/sfutil/acsmx.c: src/preprocessors/snort_httpinspect.c: Fixed issue where when using the 'ruletype' keyword with database output. src/output-plugins/spo_database. src/preprocessors/Stream5/snort_stream5_tcp. src/parser.c: src/sfutil/bnfa_search. src/dynamic-preprocessors/ssl/spp_ssl. Cookies.c: Fixed false negative when using 'trustservers' option.tex: doc/snort_manual.http_inspect: doc/snort_manual.
Added HTTP server specific configurations to normalize HTTP header and/or cookie buffers.c: Fixed issue in unified2 code where the timestamp of an event on a stream reassembled packet was using the last stream segment instead of the first. .c: src/parser.h: doc/snort_manual. src/preprocessors/perf-flow.c: src/snort.h: src/util. Header (non-cookie).c: src/dynamic-plugins/sp_dynamic.c: src/sfutil/acsmx. src/output-plugins/spo_unified2. Provided content and PCRE modifiers to allow searches within one or more of those individual buffers.h: src/sfutil/bnfa_search.

c: * src/decode. This is to address false positives and false negatives in IP rules. * src/detection-plugins/sp_pcre. then evaluating matching rules against IP header & payload of inner & outer IP.h: * src/preprocessors/spp_frag3. * doc/README.c: .h: * src/dynamic-plugins/sf_dynamic_engine.c: Reset data link for new pcap when reading multiple pcaps.h: * src/profiler. * src/detection-plugins/sp_cvs. 2008-05-07 Todd Wease <twease@sourcefire.c: * src/detection-plugins/detection_options. * src/detection-plugins/> * src/decode.c: * src/ Add IPv6 decoder events. 2008-04-30 Todd Wease <twease@sourcefire. Thanks to rmkml for pointing this out. * doc/snort_manual.c: * src/profiler.c: * src/profiler.c: Fix issue where pass rules weren't getting precedence over alert> * src/decode.c: * src/decode.h: * src/dynamic-plugins/sf_engine/sf_snort_packet.h: * src/dynamic-plugins/sf_dynamic_plugins.c: * src/detection-plugins/sp_cvs. Thanks to Jason Haar for pointing this out.decoder_preproc_rules: Add documentation on the use of decoder and preprocessor rules.* src/snort.h: Pattern Matcher Caching & Rule Processing Performance Improvements. * src/preprocessors/HttpInspect/include/hi_eo_events.c: Process IP rules by fast pattern searching payload of outer IP.c: * src/dynamic-plugins/sf_dynamic_define.c: * src/detection-plugins/detection_options. * src/dynamic-preprocessors/smtp/snort_smtp.h: * src/fpcreate. * etc/gen-msg.c: * src/log_text.c: Reset packet processor when reading multiple pcaps and pcap reset option is used.h: * src/log.decode: Update GRE decoder alerts.h: Fix issue in ICMP6 code that made an incorrect calculation when the ICMP6 type was an echo or an echo> * src/fpdetect.c: Fix typos. * src/snort.pdf: * doc/README.c: Update log to correct datagram length macro for IPv6.c: Fix memory leak caused by missed or dropped traffic.h: Remove redundant macro.tex: * doc/snort_manual.h: * src/dynamic-plugins/sf_engine/sf_snort_packet. 2008-06-04 Todd Wease <twease@sourcefire. 
* src/ipv6_port.

2008-04-14  Todd Wease <twease@sourcefire.com>

* configure
* src/detect
* src/detection-plugins/: Makefile, detection_options, sp_asn1, sp_byte_check, sp_byte_jump, sp_clientserver, sp_cvs, sp_dsize_check, sp_flowbits, sp_ftpbounce, sp_icmp_code_check, sp_icmp_id_check, sp_icmp_seq_check, sp_icmp_type_check, sp_ip_fragbits, sp_ip_id_check, sp_ip_proto, sp_ip_same_check, sp_ip_tos_check, sp_ipoption_check, sp_isdataat, sp_pattern_match, sp_pcre, sp_react, sp_respond, sp_respond2
* src/dynamic-plugins/sf_engine/: sf_snort_detection_engine, sf_snort_plugin_api, sf_snort_plugin_pcre

Expose a pcre wrapper function to detection library rules via plugin api.

* configure
* src/: event_queue, event_wrapper, fpcreate, fpdetect, parser, parser/IpAddrSet, pcrm, plugbase, ppm, rules
* src/detection-plugins/: sp_rpc_check, sp_session, sp_tcp_ack_check, sp_tcp_flag_check, sp_tcp_seq_check, sp_tcp_win_check, sp_ttl_check, sp_urilen_check
* src/dynamic-plugins/: sf_dynamic_plugins, sp_dynamic, sp_preprocopt
* src/dynamic-preprocessors/smtp/snort_smtp
* src/preprocessors/: spp_frag3, str_search
* src/sfutil/: acsmx, acsmx2, bnfa_search, mpse, sfksearch

Pattern Matcher Caching & Rule Processing Performance Improvements.

* doc/snort_manual.tex
* snort.8
* src/: decode, profiler, sfthreshold, signature, snort, spo_plugbase, util
* src/dynamic-preprocessors/ftptelnet/pp_ftp
* src/output-plugins/spo_database
* src/preprocessors/: snort_httpinspect, spp_httpinspect, spp_stream4, spp_stream5, stream_ignore, Stream5/snort_stream5_tcp
* src/sfutil/: acsmx2, bnfa_search, mpse, sf_vartable, sfksearch, sfportobject, sfthd
* src/target-based/: sf_attribute_table_parser.l, sftarget_protocol_reference, sftarget_reader
* src/win32/WIN32-Prj/: sf_engine.dsp, snort.dsp

Fixed issue where some FTP traffic was being labeled as encrypted when it was not.
Add counter for HTTP pipeline requests.
For --pcap-show option, print to stdout instead of stderr.
Print log message with BPF filter passed to Snort.
Added configuration option to clean up all initialization memory at shutdown.
Free SQL statement.
Allow ! character in attribute table grammar for string values.
Set minimum max attribute hosts to 32 instead of 8192.
Update to indicate --pid-path specifies the directory for the PID file.
Thanks to Carter Browne for pointing this out.
Thanks to Lee Clemens for pointing out the ambiguity.

2008-04-03  Steven Sturges <ssturges@sourcefire.com>
2008-03-12  Todd Wease <twease@sourcefire.com>
2008-03-06  Steven Sturges <ssturges@sourcefire.com>
2008-03-05  Steven Sturges <ssturges@sourcefire.com>

* doc/: INSTALL, Makefile, README, README.arpspoof, README.frag3, README.gre, README.ipip, README.ssl, README.stream4, README.variables, snort_manual.tex, snort_manual.pdf
* etc/: gen-msg, snort.conf
* rpm/snort.spec
* src/: decode, generators, parser
* src/dynamic-preprocessors/: dcerpc/smb_structs, ftptelnet/ftpp_si, ssl/spp_ssl
* src/preprocessors/spp_frag3

Improve handling for change cipher records and rule options.
Indicate that trustservers option only makes sense when noinspect_encrypted is used.
Add ssl preprocessor.
Fix endian issue when determining if SMB is using unicode strings.
Fix issue where FTPTelnet sometimes determines incorrect direction with midstream
Fix issue with default case (which isn't ever hit) of pattern matcher performance stats not being calculated correctly.
Disable PPP decoding if architecture requires word alignment, e.g. SPARC machines.
Added README doc for IP in IP decoding.
Update frag3 to remove enforcement of ttl_limit. Add preprocessor alert for min_ttl anomaly.
Update frag3_global configuration example.
Update arpspoof
Update MAC OSX install notes.
Fixed some typos.
Fix a few misspellings.
Thanks to Wang Zhen for pointing this out.
Thanks to Andrew Pendray for noticing.
Thanks to Markus Lude for letting us know.
Thanks to rmkml for pointing this out.
Thanks to Eric Duda for pointing this out.

2008-03-04  Steven Sturges <ssturges@sourcefire.com>

* configure
* doc/: README, README.arpspoof (added), README.dcerpc, README.http_inspect, README.pcap_readmode (added), README.stream4, snort_manual.pdf
* rpm/snort.spec
* snort.8
* src/: decode, detect, log_text, plugbase, preprocids, profiler, snort
* src/detection-plugins/sp_cvs
* src/dynamic-plugins/: sf_dynamic_common, sf_dynamic_engine, sf_dynamic_plugins, sf_dynamic_preprocessor, sf_engine/Makefile, sf_engine/sf_snort_packet, sf_engine/sf_snort_plugin_pcre
* src/dynamic-preprocessors/: dcerpc/dcerpc, dcerpc/sf_dcerpc, dcerpc/smb_andx_decode, dcerpc/snort_dcerpc, dcerpc/spp_dcerpc, libs/sfcommon
* src/output-plugins/spo_alert_fast
* src/preprocessors/: spp_frag3, Stream5/snort_stream5_tcp
* src/sfutil/: bitop_funcs, sf_iph, sfportobject
* src/target-based/sftarget_reader
* src/win32/: WIN32-Includes/config, WIN32-Includes/rpc/types, WIN32-Prj/sf_engine.dsp, WIN32-Prj/snort_installer.nsi

2.8.1 RC prep
Document new multiple pcap command line options and ARP Spoof preprocessor configuration.
Update to include information about alerts generated from various preprocessors.
Update to logging of DCE/RPC defragmented packets when using console/fast output modes.
Reorganize to provide better compatibility with shared libraries.
Win32 compiler warning cleanup.

2008-01-27  Todd Wease <twease@sourcefire.com>

* doc/: snort_manual.tex, snort_manual.pdf
* etc/gen-msg
* src/: decode, generators, parser, snort, util
* src/detection-plugins/sp_pcre
* src/dynamic-plugins/: sf_dynamic_engine, sf_dynamic_plugins, sf_engine/sf_snort_detection_engine, sf_engine/sf_snort_packet, sf_engine/sf_snort_plugin_api, sf_preproc_example/sf_dynamic_preproc_lib
* src/dynamic-preprocessors/: ftptelnet/snort_ftptelnet, ssl/spp_ssl
* src/preprocessors/: spp_frag3, Stream5/snort_stream5_tcp
* src/sfutil/sfportobject
* src/target-based/sftarget_reader

Enforce stricter versioning when loading shared objects. Versions of shared libraries, engine and dynamic preprocessors, will not load if from an older version of Snort.
Add ability for dynamic rules to store and retrieve data on stream session.
Added IP in IP encapsulation support for both IPv4 and IPv6.
Update Stream5 to alert on data without TCP flags when non-linux policy.
Update to handle open port ranges (ie. 1024:) and print error lines from config file parsing.
Added support for handling embedded lists with negations.
Generate a parsing error if an empty IP list is used (this is equivalent to !any).
Add stricter configuration checks. Fatal error if commas are not used in SSL dynamic preprocessor configuration.
Various port object changes.
Update default configuration for FTP's STRU command.
Set uid and gid of target-based thread if not already set.
Use more compatible strrchr() instead of rindex().
Use inet_pton() instead of inet_aton. Thanks to Chris Eagle, Naval Postgraduate School.
Fix compile warning with older versions of PCRE library.
Thanks to Rmkml for bringing this to our attention.
Thanks to Chris Rohlf for bringing this to our attention.
Thanks to Chris Rohlf for bringing this to our attention.

2007-12-10  Todd Wease <twease@sourcefire.com>

* configure.in
* doc/: INSTALL, README, README.asn1, README.dcerpc, README.dns, README.flow-portscan, README.frag3, README.ssh, README.stream5, snort_manual.tex, snort_manual.pdf
* etc/gen-msg
* src/: decode, fpcreate, log_text, parser, profiler
* src/dynamic-plugins/sf_engine/: sf_snort_detection_engine, sf_snort_plugin_api
* src/dynamic-preprocessors/smtp/: Makefile, sf_smtp, smtp_log, smtp_xlink2state, snort_smtp, spp_smtp
* src/preprocessors/: spp_stream4, stream_api, Stream5/snort_stream5_tcp
* src/sfutil/
* src/win32/WIN32-Prj/snort.dsp

Require PCRE version 6 or better
Update to describe new pcre match limit options.
Add info on stream_size option added with Stream5.
Update to include information about alerts generated from various preprocessors.
Update to include GRE alerts
Added format string to prevent messages with certain format from crashing Snort.
Add Percent of Total column to output.
Correctly handle rule-type keyword.
Allow specifying metadata within a shared library rule.
Reduce command line and response line overflow false positives in SMTP preprocessor when Snort is missing packets.
Only alert on one unique SMTP event per session.
Correctly set the max_size when a longer pattern.
Add check for Phil Woods pcap so that pcap stats are computed correctly.
Update for decoding IP6 header lengths.
Remove system dependent Oracle paths from project.
Update for building on Mac OSX 10.5.
Thanks to Martin Fong for bringing this to our attention.
Thanks to John Hally for bringing this to our attention.
Thanks to Tung Tran for bringing this to our attention.

* src/: fpcreate, fpdetect, log
* src/detection-plugins/: sp_asn1, sp_byte_check, sp_byte_jump, sp_clientserver, sp_cvs, sp_dsize_check, sp_flowbits, sp_ftpbounce, sp_icmp_code_check, sp_icmp_id_check, sp_icmp_seq_check, sp_icmp_type_check, sp_ip_fragbits, sp_ip_id_check, sp_ip_proto, sp_ip_same_check, sp_ip_tos_check, sp_ipoption_check, sp_isdataat, sp_pattern_match, sp_pcre, sp_react
* src/dynamic-preprocessors/: ftptelnet/snort_ftptelnet, libs/sfparser, libs/ssl, ssl/spp_ssl
* src/preprocessors/: snort_httpinspect, snort_stream4_session, spp_stream4, stream, HttpInspect/client/hi_client, HttpInspect/session_inspection/hi_si, Stream5/snort_stream5_tcp
* src/sfutil/: sf_ip, sf_iph, sf_ipvar, sfportobject, sfxhash
* src/target-based/: sf_attribute_table_parser.l, sftarget_reader

Fix misaligned structures for Sparc 64bit OpenBSD.
Code cleanup for IPv6 related changes.
Code cleanup.
Fix issue with printing IPv6 addresses.
Update default configuration to allow optional string to STRU command.
Updates to better handle SSLv2 recognition.
Warn if configured with stream4 & target-based attributes.
Better handling for starting attribute reload thread and logging parsing errors.
Add checks for missing packets in reassembly.
Handle additional cases of multiple sequences of TCP SYN packets on a session that has previously been reset.
Thanks to Markus Lude for helping us track down the problem.

2007-11-12  Todd Wease <twease@sourcefire.com>

* configure
* doc/: README, README.gre
* src/: byte_extract, cpuclock, decode, generators, mempool, parser, plugbase, snort, util
* src/detection-plugins/: sp_byte_check, sp_byte_jump, sp_respond, sp_respond2, sp_rpc_check, sp_session, sp_tcp_ack_check, sp_tcp_flag_check, sp_tcp_seq_check, sp_tcp_win_check, sp_ttl_check, sp_urilen_check
* src/dynamic-plugins/: sp_dynamic, sp_preprocopt, sf_engine/sf_snort_packet
* src/dynamic-preprocessors/: dcerpc/spp_dcerpc, dns/spp_dns, ftptelnet/spp_ftptelnet, smtp/spp_smtp
* src/preprocessors/: perf, Stream5/snort_stream5_tcp

Integrate with IPv6 codebase.
Update decoder to work with all 3 versions of pflog files.
Update GRE decoder to support PPTP GRE v.1 header.
Add new GRE decoder alerts and README.
Allow byte_jump 'string' option to support variable-length numeric data.
Added performance profiling stats for rule option evaluation.
Add support for rule and preprocessor profiling times for Sparc v9 processors.
Add limits to pcre matching that could affect performance.
Thanks to Ronaldo Maia for reporting this

* src/: detect, fpcreate, fpdetect, ipv6_port, parser, profiler, sfthreshold, tag
* src/detection-plugins/: sp_respond, sp_respond2
* src/dynamic-plugins/sf_dynamic_preprocessor
* src/dynamic-preprocessors/ftptelnet/: ftpp_si, ftpp_ui_client_lookup, ftpp_ui_config, ftpp_ui_server_lookup, pp_ftp, snort_ftptelnet
* src/output-plugins/: spo_alert_sf_socket, spo_log_ascii, spo_unified, spo_unified2
* src/preprocessors/: perf, perf-flow, portscan, spp_flow, spp_frag3, spp_httpinspect, spp_perfmonitor, spp_sfportscan, spp_stream4, spp_stream5, Stream5/snort_stream5_icmp, Stream5/snort_stream5_session, Stream5/snort_stream5_tcp, Stream5/snort_stream5_udp
* src/sfutil/: sfportobject, sfrim, sfxhash

Snort can now read multiple pcaps on the command line. The '-r' flag can be given multiple times, as well as options for reading a list of pcaps on the command line, a file containing pcaps to read and/or a directory to recurse through gathering pcaps. Multiple filters can be used and an option to reset Snort to a post initialization state for each pcap read can be given.
Portlists code consolidation and general cleanup.

* doc/: README, README.ssl, snort_manual.tex
* etc/snort.conf
* src/: fpcreate, fpdetect, preprocids, rules, sf_sdlist, sf_types, sfthreshold, tag
* src/detection-plugins/: sp_pattern_match, sp_pcre
* src/dynamic-plugins/: Makefile, sf_dynamic_engine, sp_dynamic
* src/dynamic-preprocessors/: dcerpc/sf_dcerpc.dsp, dns/, ftptelnet/pp_ftp, ftptelnet/sf_ftptelnet.dsp, ftptelnet/snort_ftptelnet, sf_dynamic_initialize/sf_dynamic_initialize.dsp, smtp/sf_smtp.dsp, ssh/sf_ssh.dsp
* src/preprocessors/: portscan, snort_httpinspect, snort_stream4_session, snort_stream4_udp, spp_sfportscan, spp_stream4, spp_stream5, stream, stream_api, stream_ignore, HttpInspect/include/hi_si, HttpInspect/include/hi_ui_config, HttpInspect/include/hi_ui_server_lookup, HttpInspect/user_interface/hi_ui_server_lookup, Stream5/snort_stream5_icmp, Stream5/snort_stream5_tcp, Stream5/snort_stream5_udp, Stream5/stream5_common
* src/sfutil/: sf_ip, sf_ipvar, sfthd

Update Win32 project files to include target-based and GRE defines.
IPv6 data type name changes to avoid library namespace conflicts.
Fixed issue where some rules will continue to match on a Uri, even after the first packet.
Enabled target-based code to properly assess dynamic rule flow.
Allow white space prior to FTP command.
Fix compiler warnings.

* configure
* doc/: README, README.http_inspect, README.stream4, README.stream5, snort_manual.tex
* etc/: gen-msg, snort.conf
* src/: ipv6_port, log, log_text, plugbase, ppm, profiler, snort
* src/detection-plugins/sp_cvs
* src/dynamic-preprocessors/ssl/: Makefile, sf_preproc_info, sf_ssl.dsp, spp_ssl
* src/output-plugins/: spo_alert_fast, spo_alert_full, spo_csv, spo_database, spo_log_tcpdump
* src/preprocessors/: perf-base, snort_httpinspect, spp_perfmonitor, HttpInspect/client/hi_client, HttpInspect/event_output/hi_eo_log, HttpInspect/include/hi_eo_events, HttpInspect/include/hi_ui_config, HttpInspect/user_interface/hi_ui_config, Stream5/snort_stream5_tcp
* src/sfutil/sf_textlog
* src/win32/: WIN32-Includes/config, WIN32-Prj/snort.dsp, WIN32-Prj/snort.dsw

Added SSL preprocessor.
CVS detection plugin. Currently only looks for an invalid entry.
Ports 514 and 2401 added to default ports for stream reassembly.
Added overly long http header detection.
Added IP obfuscation for IPv6 addresses.
Update IP_CLEAR to clear all fields. Update IP_COPY_VALUE to copy each field individually.
Added rollover of logs upon reaching configured limit, applies to alert_full, alert_fast, alert_csv, log_tcpdump.
Add ability to use ppm with readback mode.
Fix microseconds calculations.
Add documentation to Snort Manual.

2007-11-06  Steven Sturges <ssturges@sourcefire.com>
2007-11-05  Steven Sturges <ssturges@sourcefire.com>
2007-09-07  Steven Sturges <ssturges@sourcefire.com>

* doc/: INSTALL, README, README.ftptelnet, README.http_inspect, README.sfportscan, README.stream4, README.stream5, README.variables, snort_manual.tex
* src/util
* src/preprocessors/: spp_frag3, spp_sfportscan, spp_stream4, spp_stream5, stream_api, Stream5/snort_stream5_tcp
* src/sfutil/: mpse, sf_vartable
* src/target-based/: Makefile, sf_attribute_table_parser.l, sftarget_reader
* src/win32/: WIN32-Includes/pcre, WIN32-Includes/pcreposix, WIN32-Libraries/pcre.lib, WIN32-Prj/snort.dsp

Documentation updates. Thanks to Jeff Dell for pointing out unified/unified2 errors in Snort Manual and inconsistencies in sfportscan documentation.
Fixed incorrect calculation of pcap received and dropped.
Fixed issue where packets were being blocked when Snort, running in inline mode, was shutting down.
Added function to stream api for returning whether or not there are missing segments. Only supported in stream5.
Fixed issue where MPSE global counter was being reset by SMTP for each new pattern matcher it created.
Fixed issue where frag3 does not initialize correctly without any configuration arguments.
Fix endian issue in sfportscan when IP addresses are logged.
Fix segfault with duplicate variables in IPv6 code (enabled with --enable-ipv6).
Fix debug to correctly call inet_ntoa.
Target based
Added GRE and target-based to default Win32 build.
Update Win32 LibPCRE to version 7.4.
Thanks to Jerry Litteer for reporting this.
Thanks to rmkml for reporting the
Thanks to Jason Carr for reporting this.

* configure
* rpm/snort.spec
* snort.8
* src/: build, decode, parser, plugbase, signature, snort
* src/detection-plugins/: sp_pcre, sp_urilen_check
* src/dynamic-preprocessors/: ftptelnet/pp_ftp, ftptelnet/spp_ftptelnet, smtp/snort_smtp
* src/output-plugins/: spo_alert_prelude, spo_unified2
* src/preprocessors/: portscan, spp_frag3, spp_sfportscan, spp_stream5, Stream5/snort_stream5_icmp, Stream5/snort_stream5_tcp, Stream5/snort_stream5_udp, Stream5/stream5_common
* src/sfutil/: sf_ip, sf_iph
* src/win32/: WIN32-Includes/config, WIN32-Prj/snort_installer.nsi

2.8.0 Final release prep.
Update spec file to relocate installed schemas and be more consistent with location of docs.
Improve checking on ftp commands from
Disable ftptelnet when compiled with IPv6.
After logging alert for BSD IPv6 Fragmentation vulnerability, reset the pseudo packet that is used for logging purposes.
Handle VLAN tags in fragmented traffic and include in rebuilt packets if part of original traffic.
Handle byte alignment issue on Solaris with the flowbits data structure used by Stream5.
Handle strange sequences of multiple TCP Reset packets on the same session when some of those Resets also contain other flags.
Complete initialization after rules are read for specific GID/SID alerts to log via sf socket.
Initialize rule_count variables.
Initialize memory for flowbits after all configuration is processed, as config flowbitsize option might change default.
Initialize the found offset so that it contains correct value when not found.
Memory cleanup of mime boundary regular expressions at Snort exit.
Memory cleanup of portscan hash table at Snort exit.
Correctly get IP Header length for logging.
Cleanup printing of IPv6 Addresses.
Code cleanup.
Fix typos in comments.
Thanks rmkml for reviewing.
Thanks to Siim Poder for reporting the problem.
Thanks to JJC & Shane Castle for helping us troubleshoot these issues and testing the patches.
Thanks to Ken Steele for pointing it out.

2007-08-31  Steven Sturges <ssturges@sourcefire.com>
2007-08-30  Steven Sturges <ssturges@sourcefire.com>
2007-08-22  Steven Sturges <ssturges@sourcefire.com>
2007-08-20  Steven Sturges <ssturges@sourcefire.com>

* RELEASE.NOTES
* configure
* doc/: Makefile, README, README.ipv6, README.variables, snort_manual.tex, snort_manual.pdf
* etc/snort.conf
* rpm/snort.spec
* snort.8
* src/: Makefile, build, event, parser
* src/dynamic-preprocessors/: Makefile, ftptelnet/snort_ftptelnet, smtp/smtp_xlink2state
* src/output-plugins/: spo_alert_prelude, spo_log_tcpdump, spo_unified, spo_unified2
* src/preprocessors/: flow/portscan/flowps_snort, spp_sfportscan, stream, Stream5/snort_stream5_tcp
* src/sfutil/sfportobject
* src/win32/: WIN32-Includes/config, WIN32-Prj/snort_installer.nsi

2.8.0 Beta prep.
Fixes to build 2.8.0 Beta on OpenBSD.
Updates to write GID in alert data.
Packets that are part of stream reassembly refer to the original event directly from the packet record header.
Don't write tagged packets the same as unified.
Update to use new portvar syntax for ORACLE_PORTS, and SHELLCODE_PORTS.
Updates to prevent variable definitions of the same name as a portvar, var and ipvar.
Update PortList documentation.
Include README.variables in the distribution tarball. Thanks to Jeff Dell for pointing out that it was missing.
Fix copying of IP address from packet when determining client config that resulted from IPv6 port.
Code cleanup and free data correctly on parsing errors.
Fix some spelling errors.
Thanks to rmkml for mentioning this.
Thanks rmkml for pointing it out.

* src/: decode, detect, plugbase, snort, snort_packet_header.h (removed), util
* src/detection-plugins/: sp_icmp_id_check, sp_icmp_seq_check, sp_icmp_type_check, sp_ip_fragbits, sp_ip_id_check, sp_ip_proto, sp_ip_same_check, sp_ip_tos_check, sp_pattern_match, sp_respond, sp_ttl_check
* src/dynamic-plugins/: sf_dynamic_plugins, sf_dynamic_preprocessor, sf_engine/Makefile, sf_engine/sf_snort_packet, sf_preproc_example/sf_dynamic_preproc_lib
* src/dynamic-preprocessors/: Makefile, dynamic_preprocessors, dcerpc/sf_dcerpc.dsp, dns/, ftptelnet/Makefile, ftptelnet/ftpp_include, sf_dynamic_initialize/sf_dynamic_initialize.dsp, smtp/sf_smtp.dsp, ssh/sf_ssh.dsp
* src/preprocessors/: snort_httpinspect, spp_flow, spp_frag3, spp_httpinspect, spp_stream4, spp_stream5, stream_api
* src/win32/WIN32-Prj/snort.dsp

Renamed snort_packet_header.h to pcap_pkthdr32.h and changed instances of SnortPktHdr with pcap_pkthdr except in Event struct and unified code where pcap_pkthdr32 is used because 32 bit timevals are required.
Added framework for preprocessors to print stats at exit or USR1 signal. Preprocessors register a function that will print the stats and they will be printed when DropStats() is called.
Commented out 'content-list' rule option code since it is broken and there are no plans in the near future to fix it.

    * Added unified2 logging/output format.
    * Added a configuration option to not append timestamps to unified
      log/alert files.
    * Added the 1st phase of support for IPv6. Certain preprocessors are not
      supported and cannot be turned on with an IPv6-enabled Snort. See
      README.ipv6 for specifics on what portions of Snort fully support IPv6.
    * Added support for IP variables and improved IP address list handling.
    * Added support for packet performance monitoring. Allows Snort to be
      configured to only spend a certain time period on a given packet and/or
      rule and automatically suspend performance-intensive rules. See
      README.ppm for details.
    Files (per-file list scrambled in extraction; directories as recovered):
      added src/sfutil/ (sf_ip, sf_ipvar, sf_iph, sf_vartable), src/ppm and
      src/output-plugins/spo_unified2; also src/ (snort, detect, fpdetect,
      parser, rules, tag, profiler, ipv6, ipv6_port, cpuclock, util,
      byte_extract, bounds, log, debug, decode, generators.h),
      src/parser/IpAddrSet, src/sfutil/ (ipobj, sfthd, Makefile),
      src/output-plugins/ (spo_alert_*, spo_log_*, spo_csv, spo_database,
      spo_unified), src/preprocessors/ (HttpInspect, Stream5, stream4,
      portscan, flow/portscan, spp_frag3, spp_stream5, stream, stream_ignore,
      stream_api), src/dynamic-preprocessors/ (ftptelnet, dcerpc, dns, ssh),
      src/dynamic-plugins/ (sf_engine, sf_preproc_example, sp_preprocopt,
      sf_dynamic_preprocessor), src/detection-plugins/, src/win32/WIN32-Prj/
      (snort, sf_engine, build_all, snort_installer.nsi), doc/ (README.ipv6,
      snort_manual.tex, snort_manual.pdf).

    * Fixed a few typos in comments. Thanks to rmkml for pointing them out.
    * Cleanup memory at Snort exit from session & client configurations.
    * Changed packet payload pointers to use the const qualifier to eliminate
      inadvertent writes to the packet buffer.
    * Added defines for SKYPE.
    Files (per-file list scrambled in extraction; directories as recovered):
      src/preprocessors/HttpInspect/ (include, client, server,
      anomaly_detection, mode_inspection, normalization, util),
      src/preprocessors/ (Stream5, perf, perf-flow, portscan, spp_arpspoof,
      spp_bo, spp_flow, spp_frag3, spp_httpinspect, spp_perfmonitor,
      spp_rpc_decode, spp_sfportscan, spp_stream4, spp_stream5, str_search),
      src/sfutil/ (asn1, mpse, bitop_funcs), src/dynamic-preprocessors/ftptelnet/
      (hi_util_kmap, hi_util_xmalloc), src/dynamic-plugins/sf_engine/
      (sf_snort_plugin_content, sf_snort_plugin_rc4), src/ (log, debug,
      mstring, snort, generators.h, preprocids.h), doc/ (snort_manual.tex,
      snort_manual.pdf).

    * Added experimental support for Target-Based processing for Stream
      reassembly, IP Frag reassembly, and rule processing. Enable via the
      --enable-targetbased option to configure. A thread is created to reload
      the attribute table upon receipt of signal 30.
    * Cleaned up a few typos in various sections. Thanks to rmkml and Joel
      Ebrahimi for pointing out the misspellings & errors.
    Files (per-file list scrambled in extraction; directories as recovered):
      added src/target-based/ (Makefile, sf_attribute_table.l,
      sf_attribute_table.y, sf_attribute_table_parser, sftarget_hostentry,
      sftarget_protocol_reference, sftarget_reader) and src/sfutil/ (sfrt,
      sfrt_dir, sfrt_trie); also src/ (detect, fpcreate, fpdetect, pcrm,
      parser, rules, signature, snort, util, decode), src/preprocessors/
      (Stream5, stream5_common, spp_stream4, spp_stream5, spp_frag3,
      perf-base, stream_api), src/detection-plugins/sp_clientserver.

    * Added Port Lists & Port Range functionality and added port variable
      handling.
    * Added support to provide action control (alert, pass, drop, etc) over
      preprocessor and decoder generated events, as well as references and
      classifications, via a rule. These rules do not include IP addresses, as
      the individual preprocessor/decoder configuration dictates the traffic
      to which an event applies. In conjunction with this, certain
      post-processing rule options (tag, logto, etc) may be added to those
      rules, while other options that relate to data inspection (content,
      byte_test, etc) may not. Enable via the
      --enable-decoder-preprocessor-rules option to configure.
    Files (per-file list scrambled in extraction; directories as recovered):
      added src/sfutil/ (sfportobject, sfrim) and preproc_rules/
      (preprocessor.rules, decoder.rules); also etc/snort.conf, configure,
      src/ (event_queue, event_wrapper, signature, parser, rules, snort,
      plugbase, util), src/detection-plugins/ (sp_*),
      src/dynamic-plugins/sp_dynamic.

    * Updates to config parsing and console startup output.
    * Search for other shared library extensions on OpenBSD. Fixes to correct
      the shared library extension on MAC OS.
    * Improved detection for encrypted ftp sessions.
    * Added basic TCP session hijacking detection, based on the MAC address
      used during the TCP 3-way handshake and the MAC address in subsequent
      packets. Thanks to Nikns Siankin for the request.
    * Added stream_size rule option (only supported by Stream5).
    * Handle duplicate rules by using the newer revision or the earlier
      appearing rule (if same revision).
    * Added detection of subnegotiation begin commands without a matching
      subnegotiation end (evasion attempt).
    * SMTP: Rework much of the preprocessor to improve searches, reducing
      false [...], and add additional vulnerability checks. Alert on header
      name length (Exim exploit) and check for valid mime headers. Improved
      normalization to separate commands and data. Updates include changes to
      handle case insensitive [...]. Add port 587 (see RFC 2476) to default
      ports.
    Files (per-file list scrambled in extraction; directories as recovered):
      src/dynamic-preprocessors/smtp/ (Makefile, spp_smtp, snort_smtp,
      smtp_config, smtp_log, smtp_normalize, smtp_util, smtp_xlink2state),
      doc/ (README.SMTP, README.stream5, snort_manual.tex, snort_manual.pdf),
      etc/snort.conf, src/ (generators.h, sf_types.h, parser),
      src/preprocessors/ (Stream5, stream5_common, flow/flow_cache,
      flow/portscan/flowps), src/dynamic-plugins/ (sf_dynamic_plugins,
      sf_engine/Makefile), src/dynamic-preprocessors/ (ftptelnet/pp_ftp,
      ftptelnet/Makefile, dcerpc/Makefile, ssh/Makefile, dns/Makefile).

2007-07-27 Steven Sturges <ssturges@sourcefire.com>

    * Improve performance of the pattern match engines to not evaluate a rule
      with a pattern that has already been seen when the rule has already been
      processed. This change takes into account whether that rule failed
      because of an unset flowbit (which may have been set by another rule).
    * Fix printing of threshold counts until after all rules are read.
    * etc/snort.conf: Turn off flow since Stream5 is now enabled by default.
    * Added PCRE library version information to the Snort startup banner.
    * Updated logging to print 64-bit values on various platforms in a more
      portable manner.
    * Fixed issue with various versions of pcap reporting received & dropped
      stats differently. Pcap versions 0.9 & higher accumulate stats, whereas
      earlier versions do not.
    * Changed hash table hash functions to use power of two computations
      instead of prime numbers.
    Files (per-file list scrambled in extraction; directories as recovered):
      added src/sfutil/sfprimetable; also src/sfutil/ (acsmx, acsmx2,
      bnfa_search, sfksearch, sfxhash, sfghash, sfhashfcn, util_math),
      src/preprocessors/ (flow/portscan/*, perf, perf-base, perf-event,
      spp_perfmonitor), src/win32/WIN32-Includes/ (stdint.h, config.h,
      WinPCAP/), src/ (snort, util, decode, snprintf, profiler), configure.in,
      etc/snort.conf.
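    An added illustration of the caveat behind the last item above, written for
    this page and not taken from Snort: once a bucket index is computed as
    hash & (size - 1) instead of hash % prime, only the low bits of the hash
    pick the bucket, so a hash with poor low-bit mixing collapses a table into a
    handful of buckets (a hash-flooding hazard for session and rule tables) where
    a prime modulus would have masked the weakness. Both hash functions, the table
    sizes and the key set are constructed for the example; the good hash is
    MurmurHash3's fmix32 finalizer and the weak one is deliberately bad.

```c
/* Added example (not Snort code): bucket selection with a power-of-two mask
 * versus a prime modulus, and why the hash function must mix the low bits
 * once the mask is used. All hashes, sizes and key sets here are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Deliberately weak hash: the low 8 bits of the output are always zero. */
uint32_t weak_hash(uint32_t key) { return key << 8; }

/* MurmurHash3 fmix32 finalizer: every input bit influences every output bit. */
uint32_t mixed_hash(uint32_t key)
{
    key ^= key >> 16; key *= 0x85ebca6bU;
    key ^= key >> 13; key *= 0xc2b2ae35U;
    key ^= key >> 16;
    return key;
}

/* Power-of-two table: the index comes from the low bits only. size must be 2^n. */
size_t index_mask(uint32_t h, size_t size) { return (size_t)(h & (uint32_t)(size - 1)); }

/* Prime-sized table: all bits of the hash influence the index. */
size_t index_mod(uint32_t h, size_t prime) { return (size_t)(h % (uint32_t)prime); }

/* Insert keys 0..nkeys-1 and return how many distinct buckets they occupy.
 * A value near nkeys (for size >= nkeys) means a good spread; 1 means every
 * key landed in one bucket and the table has degenerated into a list. */
size_t distinct_buckets(uint32_t (*hf)(uint32_t), size_t (*ix)(uint32_t, size_t),
                        size_t size, size_t nkeys)
{
    uint8_t used[4096] = {0};          /* example tables are at most 4096 buckets */
    size_t distinct = 0;
    if (size > sizeof used) return 0;
    for (uint32_t k = 0; k < nkeys; k++) {
        size_t b = ix(hf(k), size);
        if (!used[b]) { used[b] = 1; distinct++; }
    }
    return distinct;
}

int main(void)
{
    printf("weak  & mask(256): %zu buckets\n", distinct_buckets(weak_hash, index_mask, 256, 256));
    printf("weak  %% 257:       %zu buckets\n", distinct_buckets(weak_hash, index_mod, 257, 256));
    printf("mixed & mask(256): %zu buckets\n", distinct_buckets(mixed_hash, index_mask, 256, 256));
    return 0;
}
```

    With the prime modulus the weak hash still spreads 256 keys over 256
    buckets; with the mask every key lands in bucket 0. The switch to
    power-of-two tables is only safe when the hash function mixes its low bits
    and, for attacker-controlled keys such as flow tuples, is seeded.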

2007-07-06, 2007-06-28, 2007-06-20 and 2007-06-19 Steven Sturges <ssturges@sourcefire.com>
    (four entries; the split of the items below between them was lost in extraction)

    * Properly handle the UDP checksum if the checksum value in the header is
      0 (do not calculate). Add a stat that tracks the number of failed
      checksums.
    * Fixed invalid session pointer when a rule tries to use flowbits after
      the session ends. Thanks to Jeffrey Denton for reporting the problem.
    * Fixed potential invalid memory access when the require 3whs option is
      used.
    * Performance improvement to track the last state of a pattern that
      matched, so if it hits that state again immediately, it does not
      re-evaluate all of the same rules.
    * Revert previous changes as they resulted in some false negatives with
      mixed case patterns and rules. Will address in a future release.
    * Add the /P flag to PCRE detection to check HTTP Inspect's normalized
      client request body.
    * Mark the 'stateless' option to be deprecated; use flow:stateless.
    * Fixed problem with segfault with flexresp.
    * Fix free of invalid pointer when using a negated IP. This is used by
      sfportscan preprocessor configuration parsing.
    * Fixed issue when experimental ICMP tracking is used without using the
      TCP or UDP session tracking. ICMP was attempting to look up TCP or UDP
      sessions from uninitialized session [...].
    * Fix header file replication.
    * Update to write data at Snort exit.
    * Update to max line length.
    * This issue did not affect thresholding, only display of thresholding.
    * Thanks to Keith Pachulski, Anders Ostrem, Koji Shikata and rmkml for
      reporting the problems, and to Yoann Vandoorselaere for the patch.
    Files (per-file list scrambled in extraction; directories as recovered):
      src/ (decode, detect, parser, snort, util, inline, ipv6, event_queue,
      event_wrapper, byte_extract), src/sfutil/ (acsmx2, bnfa_search, ipobj),
      src/output-plugins/spo_alert_prelude, src/detection-plugins/ (sp_react,
      sp_pcre), src/preprocessors/Stream5/ (snort_stream5_tcp,
      snort_stream5_session), src/dynamic-preprocessors/Makefile.am,
      src/dynamic-examples/Makefile.am.
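    An added example, written for this page and not taken from Snort, of the
    UDP checksum rule in the first item above together with a failed-checksum
    counter: RFC 768 defines a zero checksum field as "the sender computed no
    checksum", so a receiver must accept the datagram without recomputing and
    comparing, and an IDS that instead computes one would flag every such
    datagram as corrupt. The sample datagram (10.0.0.1:5353 to 10.0.0.2:53,
    payload "abc"), the counter name udp_bad_checksums and the result codes are
    constructed for the example.

```c
/* Added example (not Snort code): UDP-over-IPv4 checksum verification with the
 * RFC 768 rule that a zero checksum field means the sender computed none, so
 * the receiver must not compute and compare one. Also keeps a counter of
 * datagrams whose checksum was present but wrong. The sample is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum udp_csum { UDP_CSUM_OK = 0, UDP_CSUM_NONE = 1, UDP_CSUM_BAD = 2, UDP_CSUM_TRUNC = 3 };

/* Datagrams whose checksum was present but did not verify (hypothetical stat). */
unsigned long udp_bad_checksums = 0;

/* Add the 16-bit big-endian words of p[0..len) into a one's-complement sum. */
static uint32_t ones_sum(uint32_t acc, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;     /* odd trailing byte is padded with a zero byte */
    return acc;
}

static uint16_t ones_fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffffU) + (acc >> 16);
    return (uint16_t)acc;
}

/* Checksum over the IPv4 pseudo-header, the UDP header (checksum field taken
 * as zero) and the payload. A computed value of 0 is sent as 0xffff (RFC 768). */
uint16_t udp_checksum_ipv4(const uint8_t src[4], const uint8_t dst[4],
                           const uint8_t *udp, size_t udp_len)
{
    uint8_t pseudo[12] = {0};
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[9]  = 17;                      /* IPPROTO_UDP */
    pseudo[10] = (uint8_t)(udp_len >> 8);
    pseudo[11] = (uint8_t)udp_len;

    uint32_t acc = ones_sum(0, pseudo, sizeof pseudo);
    acc = ones_sum(acc, udp, 6);          /* ports and length; skip checksum bytes 6..7 */
    acc = ones_sum(acc, udp + 8, udp_len - 8);
    uint16_t c = (uint16_t)~ones_fold(acc);
    return c ? c : 0xffff;
}

/* Verify one datagram. avail is how many bytes of udp are really in the buffer. */
enum udp_csum udp_verify_ipv4(const uint8_t src[4], const uint8_t dst[4],
                              const uint8_t *udp, size_t avail)
{
    if (avail < 8)
        return UDP_CSUM_TRUNC;
    size_t udp_len = ((size_t)udp[4] << 8) | udp[5];
    if (udp_len < 8 || udp_len > avail)
        return UDP_CSUM_TRUNC;            /* length field lies; never read past the buffer */
    uint16_t wire = ((uint16_t)udp[6] << 8) | udp[7];
    if (wire == 0)
        return UDP_CSUM_NONE;             /* no checksum sent: do not calculate one */
    if (udp_checksum_ipv4(src, dst, udp, udp_len) != wire) {
        udp_bad_checksums++;
        return UDP_CSUM_BAD;
    }
    return UDP_CSUM_OK;
}

/* Constructed sample 10.0.0.1:5353 -> 10.0.0.2:53 with payload "abc".
 * mode 0: intact; 1: a payload bit flipped after checksumming; 2: checksum
 * field left zero by the sender; 3: buffer truncated to 4 bytes. */
enum udp_csum sample_verify(int mode)
{
    static const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2};
    uint8_t pkt[11] = {0x14, 0xe9, 0x00, 0x35, 0x00, 11, 0x00, 0x00, 'a', 'b', 'c'};
    if (mode != 2) {
        uint16_t c = udp_checksum_ipv4(src, dst, pkt, sizeof pkt);
        pkt[6] = (uint8_t)(c >> 8);
        pkt[7] = (uint8_t)c;
    }
    if (mode == 1)
        pkt[9] ^= 0x01;
    return udp_verify_ipv4(src, dst, pkt, mode == 3 ? 4 : sizeof pkt);
}

int main(void)
{
    static const char *names[] = {"ok", "none", "bad", "trunc"};
    for (int m = 0; m < 4; m++)
        printf("mode %d -> %s\n", m, names[sample_verify(m)]);
    printf("bad checksums counted: %lu\n", udp_bad_checksums);
    return 0;
}
```

    The zero-means-absent rule is specific to UDP over IPv4; IPv6 requires the
    UDP checksum, so a verifier for IPv6 traffic must not take the same
    shortcut.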

    [File list only: the change description for these files is not on this
    part of the page, and the per-file list was scrambled in extraction.]
    Files (directories as recovered): src/preprocessors/HttpInspect/ (include,
      client, server, anomaly_detection, mode_inspection, normalization,
      session_inspection, user_interface, utils, event_output),
      src/preprocessors/flow/ (portscan, int-snort), src/preprocessors/Stream5/,
      src/preprocessors/ (portscan, spp_httpinspect, snort_httpinspect,
      spp_sfportscan, spp_stream5, spp_flow, snort_stream4_session,
      snort_stream4_udp, str_search, stream), src/sfutil/ (acsmx2, asn1, ipobj,
      sfeventq, sfghash, sfhashfcn, sflsq), src/dynamic-examples/
      (dynamic-preprocessor, dynamic-rule, Makefile), src/dynamic-preprocessors/
      (ftptelnet, smtp), src/detection-plugins/ (sp_asn1, sp_asn1_detect,
      sp_flowbits, sp_ip_proto), src/ (ipv6, preprocids.h, packet_time.h,
      plugin_enum.h, sfthreshold, snort_packet_header.h).

2007-06-01 (two entries), 2007-05-30 and 2007-05-23 Steven Sturges <ssturges@sourcefire.com>
    (the split of the items below between these entries was lost in extraction)

    * Update Stream5 to use 65535 << 14 as the max allowable value for the
      'max_window' option.
    * When checking for the IPv6 BSD frag vulnerability, use a pseudo packet
      with false IPv4 headers for logging purposes rather than writing the IPv4
      header within the original packet buffer.
    * frag3: Fix configuration parsing to validate parameters for memcap,
      prealloc_frags, max_frags.
    * Cleanup xlink2state processing and remove a potential read beyond the
      end of the packet. Thanks to Joel Ebrahimi for pointing out the issue.
    * Update handling of timed out session cleanup when the 'same' (IPs/ports)
      session is picked up midstream.
    * Update to hourly timestats from Bill Parker.
    * Update copyright dates & info and add GPL.
    * Update to not change the original packet buffer when rebuilding
      fragments with IP options.
    Files (per-file list scrambled in extraction; directories as recovered):
      src/sfutil/ (sflsq, sfxhash, sfmemcap, sfthd, sfsnprintfappend,
      util_net, util_str, util_math), src/win32/WIN32-Code/ (inet_aton, name),
      src/preprocessors/ (Stream5/snort_stream5_tcp, Stream5/stream5_common,
      stream_api, spp_frag3, spp_rpc_decode), src/dynamic-preprocessors/smtp/
      (snort_smtp, smtp_util, smtp_xlink2state), src/ (decode, detect, snort,
      util), doc/ (snort_manual.tex, snort_manual.pdf, README.stream5).

2007-05-22 Steven Sturges <ssturges@sourcefire.com>

    * Update to timestamp writing on 64-bit platforms.
    * Fixes builds on OpenBSD 3.5 and others. Check for wchar.h and don't try
      to use it if not present.
    * Added code to cleanup memory at Snort exit/restart.
    * SMTP: Update to use the altdecode buffer for normalization. Update
      normalization for postfix and sendmail servers that normalize any space
      except '\n'.
    * doc/snort_manual.tex, doc/snort_manual.pdf: Update for 2.7.0.
    Files (per-file list scrambled in extraction; directories as recovered):
      src/dynamic-plugins/ (sf_dynamic_plugins, sf_dynamic_detection,
      sf_dynamic_preprocessor, sp_preprocopt), src/dynamic-preprocessors/
      (smtp, ftptelnet, dcerpc/dcerpc, dcerpc/smb_andx_decode),
      src/preprocessors/ (Stream5, spp_frag3, spp_httpinspect, spp_rpc_decode),
      src/sfutil/ (sfeventq, sfksearch, asn1, sfxhash),
      src/output-plugins/spo_log_tcpdump, src/win32/WIN32-Includes/config.h,
      configure.in, src/ (ipv6, mempool, debug, event_queue, parser, snort).

* src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
* src/detection-plugins/sp_pattern_match.c:
* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.
* src/preprocessors/Stream5/snort_stream5_tcp.c:
* src/preprocessors/snort_httpinspect.tex:
* doc/snort_manual.c:
* src/preprocessors/HttpInspect/client/
* src/preprocessors/HttpInspect/client/hi_client.c:
* doc/snort_manual.h: Add --loop option to be used with -r for pcap readback mode.
* src/preprocessors/snort_stream4_udp.c: Fixed pointer initialization relating to POST normalization.
* Update to normalize the body of a client request to allow rules to check specifically for parameters of a POST or GET request.
* Update way in which Body vs URI's are
* src/decode.c: Fix use of ignore_any keyword when dealing with portscan and/or rules that have flow/flowbits.
* src/preprocessors/HttpInspect/normalization/hi_norm.h:
* src/preprocessors/HttpInspect/include/hi_include.h:
* src/dynamic-plugins/sf_dynamic_common.c:
* src/preprocessors/spp_httpinspect.h:
* src/dynamic-plugins/sf_engine/sf_snort_detection_engine. Also add stats that are part of the hourly stats that track various
* Added code to prevent URI-related alerts from firing when the body is being normalized.
* src/preprocessors/HttpInspect/client/hi_client_norm.
* src/preprocessors/str_search. checked for anomalies and alerted on.
* src/util.c:
* src/preprocessors/HttpInspect/include/hi_eo_log.

2007-04-27 Steven Sturges <ssturges@sourcefire.

* src/snort.c:
* src/preprocessors/HttpInspect/include/hi_client.c:
* src/snort.h:
* src/preprocessors/HttpInspect/normalization/hi_norm.h:
* src/preprocessors/HttpInspect/normalization/hi_norm.c:
* src/preprocessors/HttpInspect/client/hi_client_norm.h:
* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
* src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
* src/sfutil/bnfa_search. smaller memory footprint for searches from SMTP.
* Update to timestamp handling and anomaly detection with invalid timestamps on RST
* src/preprocessors/HttpInspect/client/hi_client_norm.h:
* src/preprocessors/HttpInspect/include/hi_si.

2007-05-08 Adam Keeton <akeeton@sourcefire.

* src/preprocessors/HttpInspect/include/hi_ui_config.c:
* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.
* src/preprocessors/HttpInspect/client/hi_client.pdf: Provide new rule keyword modifier for content option that allows a rule to search for a pattern in the body of an HTTP client request.

2007-05-09 Adam Keeton <akeeton@sourcefire.

* src/preprocessors/HttpInspect/include/hi_si.c:
* src/detection-plugins/sp_pattern_match.c: Use BNFA.
* src/sfutil/mpse.c:
* src/preprocessors/HttpInspect/user_interface/hi_ui_config.

* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: Fix potential memory leak.
* Handle TCP window scale option that is > 14. Added decoder alert for this and adjust the scale per RFC 1323 in
* src/decode.
* Update to track additional stats for TCP session cache and session states.
* src/preprocessors/Stream5/snort_stream5_tcp.c:
* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Update Timestats to include Wifi, GRE, Frag & TCP Stream info.
* src/util.
* configure.c:
* src/preprocessors/Stream5/snort_stream5_tcp. Thanks Vladimir Shcherbakov for the request.
* doc/faq.tex:
* HTTP encodings and normalizations that have occurred.
* src/detection-plugins/sp_icmp_type_check.
* src/preprocessors/perf-base.
* src/decode.c: Fix behaviour of 'accumulate' option.
* Update to parsing of icmp rule options for better grammar enforcement.
* src/parser.c:
* src/preprocessors/stream_api.
* src/preprocessors/spp_stream4.
* src/snort.c:
* src/dynamic-plugins/sf_dynamic_preprocessor.c: Add alert for multiple GRE encapsulations.
* src/dynamic-plugins/sf_dynamic_plugins.c:
* src/snort.
* src/util.c:
* src/preprocessors/perf-base.
* src/preprocessors/spp_stream4.
* etc/ Add minimal PCRE version.
* Added ability to configure Timestats interval; default is 3600 seconds (1 hour) when enabled via --enable-timestats.
* src/preprocessors/spp_stream4.
* src/preprocessors/spp_perfmonitor.c: Code cleanup and a minor reorganization.
* src/ipv6.
* src/detection-plugins/sp_icmp_code_check.
* doc/README.ipv6: Updates for clarity.
* Fix truncated buffer when compiled in debug mode.
* src/dynamic-preprocessors/dcerpc/dcerpc.
* etc/snort.
* src/dynamic-preprocessors/smtp/snort_smtp.c: Additional structure name changes to avoid conflicts on Win32.
* src/dynamic-preprocessors/dcerpc/dcerpc.
* src/detection-plugins/sp_respond.h:
* src/dynamic-preprocessors/sf_dynamic_preproc_lib.h: Revised signal handler for Timestats.
* Update the maximum number of entries in an IP List to 1024 (was 128).
* src/detection-plugins/sp_respond2.c: Specify TCP window of 0 for RST packets that are sent. Thanks to Bill Parker for the update.
* etc/snort.conf: Make Stream5 the default stream engine.
* src/preprocessors/Stream5/snort_stream5_session.h:
* Make Preprocess() function available to dynamic preprocessors.
* src/generators.h:
* src/preprocessors/snort_stream4_session.
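The window-scale entry above (shift counts above 14 are alerted on and clamped per RFC 1323) is the kind of decoder check that is easy to get wrong by trusting the option byte. The following is an added example, not Snort's own decoder code: a TCP option walk that bounds-checks every option length, extracts the window-scale shift, flags an out-of-range value and clamps it to 14 before it is used in window arithmetic. The names `tcp_wscale_t`, `parse_tcp_wscale`, `tcp_scaled_window` and the sample option bytes are assumptions made for this example.

```c
/* Added example (not Snort code): TCP option walk that extracts the
 * window-scale option, flags shift counts above 14 and clamps them to
 * the RFC 1323 maximum so later window arithmetic stays sane.
 * Names and the sample option bytes are assumptions for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_EOL     0
#define TCPOPT_NOP     1
#define TCPOPT_WSCALE  3
#define TCP_MAX_WSCALE 14   /* RFC 1323 section 2.3 */

typedef struct {
    int present;        /* 1 if a window-scale option was seen */
    int anomalous;      /* 1 if the shift count exceeded 14 */
    uint8_t shift;      /* effective shift after clamping */
} tcp_wscale_t;

/* Walk the TCP option bytes (everything after the fixed 20-byte header).
 * Returns 0 on success, -1 if an option length runs past the buffer. */
int parse_tcp_wscale(const uint8_t *opts, size_t len, tcp_wscale_t *out)
{
    size_t i = 0;
    out->present = 0;
    out->anomalous = 0;
    out->shift = 0;

    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        /* every other option carries a length byte; make sure it exists */
        if (i + 1 >= len)
            return -1;
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len)
            return -1;   /* length would run past the option area */
        if (kind == TCPOPT_WSCALE) {
            if (olen != 3)
                return -1;
            uint8_t shift = opts[i + 2];
            out->present = 1;
            if (shift > TCP_MAX_WSCALE) {
                out->anomalous = 1;       /* raise a decoder alert here */
                shift = TCP_MAX_WSCALE;   /* RFC 1323: treat as 14 */
            }
            out->shift = shift;
        }
        i += olen;
    }
    return 0;
}

/* Scale an advertised 16-bit window by the (clamped) shift count. */
uint32_t tcp_scaled_window(uint16_t win, const tcp_wscale_t *ws)
{
    return (uint32_t)win << (ws->present ? ws->shift : 0);
}

int main(void)
{
    /* constructed option bytes: MSS 1460, NOP, window scale 20 (invalid) */
    const uint8_t opts[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 20 };
    tcp_wscale_t ws;
    if (parse_tcp_wscale(opts, sizeof opts, &ws) == 0)
        printf("shift=%u anomalous=%d window=%u\n",
               ws.shift, ws.anomalous, tcp_scaled_window(65535, &ws));
    return 0;
}
```

Clamping instead of rejecting matters for an IDS: the endpoint that sent the option will most likely apply the RFC's "treat as 14" rule itself, so the reassembler has to mirror that to keep its sequence-space window in step with the host.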

* src/win32/WIN32-Code/win32_service.
* src/dynamic-plugins/
* rpm/snort.spec: Remove smp_flags from spec file to not parallelize building.
* src/preprocessors/spp_flow.h:
* src/win32/WIN32-Prj/snort.dsp:
* src/plugbase.
* doc/README.stream5: Updates to config validation.
* src/dynamic-preprocessors/dcerpc/sf_preproc_info.
* use calloc or SnortAlloc.
* src/preprocessors/Stream5/snort_stream5_tcp.

2007-03-28 Steven Sturges <ssturges@sourcefire.

* src/preprocessors/Stream5/snort_stream5_session.
* Added ability for Snort to track fragmented ICMPv6 to check for the remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).
* src/ipv6.h:
* src/ipv6.c (added):
* src/decode.
* src/parser.c:
* src/snort.c:
* src/preprocessors/Stream5/snort_stream5_tcp.c: Changed structure declaration and usage to not conflict with OpenBSD.
* Fix miscalculation of processor time attributable to flow.
* src/profiler.h:
* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
* src/dynamic-plugins/sp_dynamic.c:
* src/preprocessors/Stream5/snort_stream5_icmp.h:
* src/decode.c:
* src/preprocessors/
* src/decode.c: Fix issue with printing rule information twice. Code cleanup for readability.
* etc/gen-msg.map:
* src/Makefile.
* check return values of SafeMemcpy and other static size buffer bounds checks.
* src/preprocessors/spp_stream5.h:
* src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
* src/snort.
* doc/README.ipv6
* src/profiler.c:
* src/preprocessors/perf-base.
* Added hasXXX functions for Content, ByteTest and PCRE.
* src/win32/WIN32-Code/syslog.c: Cleanup to use safe snprintf and strncpy
* src/decode.c:
* src/snort. Update TCP Window Scale use and sequence validation to be RFC 1323 compliant.
* src/dynamic-preprocessors/dcerpc/dcerpc.c:
* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
* src/dynamic-preprocessors/dcerpc/dcerpc_util.
* src/ipv6.c:
* src/dynamic-preprocessors/dcerpc/dcerpc.c:
* doc/README.h (added):
* src/parser.

2007-04-13 Steven Sturges <ssturges@sourcefire.

* Update for 64bit platforms, etc. Document min/max values for parameters.
* src/preprocessors/Stream5/snort_stream5_udp.h:
* src/generators.

* src/dynamic-preprocessors/dcerpc/smb_structs.h:
* src/preprocessors/Stream5/snort_stream5_icmp.
* src/sfutil/sfxhash.h:
* src/dynamic-preprocessors/dcerpc/smb_andx_structs.
* src/dynamic-preprocessors/dns/sf_preproc_info.pdf: Add verification of options for ICMP, TCP, UDP configurations are within reasonable limits.
* src/dynamic-preprocessors/smtp/smtp_config.h:
* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
* src/dynamic-preprocessors/smtp/smtp_normalize.c:
* src/dynamic-preprocessors/smtp/sf_preproc_info.
* src/dynamic-preprocessors/dns/spp_dns.h:
* src/dynamic-preprocessors/ftptelnet/ftpp_si.
* src/debug.h:
* Code cleanup for initialization of memory allocations. Update session timeout handling.
* src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
* Code cleanup for initialization of memory allocations and add early termination when at end of packet payload.
* src/pcrm.c:
* src/fpdetect.c:
* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
* src/preprocessors/Stream5/stream5_common.c:
* src/bounds.
* Further update to handle iptables (and other datalink layers) that do not have ethernet headers to be included in rebuilt fragment.
* fix normalization to prevent read beyond packet payload.
* Code cleanup for initialization of memory allocations and remove dead/unused code for directory and user state tracking.
* validation of memcpy success.
* src/log.c:
* src/sfutil/sfxhash.c:
* Print list of UDP rules that are effectively ignored with ignore_any_rules option.
* src/preprocessors/Stream5/snort_stream5_udp.c:
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: Code cleanup to perform bounds checking.
* src/dynamic-preprocessors/smtp/smtp_log.c:
* Code readability improvements and update DCE endianness checks.
* doc/README.stream5:
* doc/snort_manual.tex:
* doc/snort_manual.
* src/dynamic-preprocessors/dcerpc/spp_dcerpc.h:
* src/parser.c:
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
* src/detect.c:
* src/preprocessors/Stream5/stream5_common.c:
* doc/README.h:
* src/preprocessors/snort_stream4_session.h: Reorganize reassembly flush initialization.
* Generate SMTP command overflow even if packet payload doesn't contain complete command (missing LF).
* remove potential memory leak.
* src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
* src/dynamic-preprocessors/smtp/smtp_normalize.c: Allow use of limit on number of nodes in hash table instead of relying on memcap for limiting sessions.
* src/dynamic-preprocessors/smtp/snort_smtp.h:
* src/preprocessors/Stream5/snort_stream5_tcp.c:
* src/dynamic-preprocessors/ftptelnet/sf_preproc_info.c:
* src/preprocessors/Stream5/snort_stream5_session.c:
* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
* src/preprocessors/spp_frag3.

* src/profiler.c:
* src/preprocessors/HttpInspect/event_output/hi_eo_log.c: Update copyright date to include 2007.
* src/dynamic-plugins/sf_dynamic_plugins.h:
* src/output-plugins/spo_log_ascii.c: check of SafeMemcpy.
* src/preprocessors/spp_stream5.c:
* src/dynamic-plugins/sf_dynamic_preprocessor.c:
* src/preprocessors/Stream5/snort_stream5_udp.c:
* src/preprocessors/Stream5/snort_stream5_tcp.c:
* src/dynamic-preprocessors/ssh/spp_ssh.h:
* src/util.c:

2007-02-17 Steven Sturges <ssturges@sourcefire.

* src/dynamic-plugins/sf_dynamic_engine.c:
* src/output-plugins/spo_alert_syslog.c:
* src/output-plugins/spo_unified.c:
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/spp_sfportscan.c:
* src/plugbase.c: Add handling for FatalError not returning, for code analysis tools.
* src/preprocessors/stream_api.c:
* src/util.c:

2007-02-20 Steven Sturges <ssturges@sourcefire.

* src/sfutil/sfmemcap.c:
* src/detection-plugins/sp_react.c:
* src/preprocessors/flow/flow_print.c: Thanks Boris Lytochkin for pointing this out.
* src/sfutil/sfghash.c:
* src/sfutil/sfxhash.c:
* src/preprocessors/stream_ignore.h:
* src/preprocessors/spp_frag3.c:
* src/output-plugins/spo_alert_prelude.c:
* src/detection-plugins/sp_session.c:
* src/snort.c: Cleanup to use safe snprintf and strncpy functions, and other static bounds checks.
* src/preprocessors/spp_bo.c:
* src/sfutil/ipobj.c: Fix memory leak in global config.
* src/preprocessors/
* src/util.c:
* src/preprocessors/HttpInspect/utils/
* src/preprocessors/snort_stream4_session.c:
* src/output-plugins/spo_log_tcpdump.c:
* src/preprocessors/flow/flow_print.c:
* src/parser/IpAddrSet.c:
* src/preprocessors/spp_stream4.c:
* src/output-plugins/spo_database.c:
* src/ubi_BinTree.c:
* src/preprocessors/snort_stream4_udp.c:
* src/output-plugins/spo_alert_unixsock.h:
* src/detection-plugins/sp_pattern_match.c:
* src/preprocessors/perf-base.c:
* src/preprocessors/snort_httpinspect.h:
* src/sfutil/acsmx2.
* src/sfutil/sfthd. use calloc or SnortAlloc.
* src/preprocessors/perf.c:
* src/sfthreshold.

* src/plugbase.c: Code & warning cleanup.
* src/detection-plugins/
* src/dynamic-preprocessors/dcerpc/dcerpc.c: Add bounds checking to ReassembleSMBWriteX.
* src/preprocessors/spp_bo.c:
* src/dynamic-plugins/sf_dynamic_plugins.
* src/output-plugins/spo_database.c:
* src/preprocessors/Stream5/snort_stream5_tcp.c:
* src/dynamic-preprocessors/smtp/smtp_util. remove tab characters going to syslog.
* src/parser.

2007-02-05 Steven Sturges <ssturges@sourcefire.

2007-02-07 Steven Sturges <ssturges@sourcefire.

* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
* src/snort.c: Code cleanup to check that a query was not truncated when using snprintf and guarantee NULL terminated string.
* src/detection-plugins/sp_clientserver. use SafeMemcpy for calculated length buffer copies. Thanks to James Affeld for that
* src/dynamic-plugins/sf_dynamic_engine.c:
* src/tag. Thanks to Jason Wallace for the patch.
* src/preprocessors/flow/portscan/scoreboard.c:
* src/dynamic-preprocessors/ssh/
* Added support for libpcap that depends on libpfring. Also updated description as to why libpcap check might fail and what files might be missing.
* src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
* src/dynamic-preprocessors/dcerpc/
* configure.c:
* src/preprocessors/flow/portscan/flowps_snort.c:
* src/win32/WIN32-Code/misc.c:
* src/preprocessors/spp_stream4.

2007-02-09 Steven Sturges <ssturges@sourcefire.

* src/detection-plugins/sp_ip_same_check.c:
* src/dynamic-preprocessors/dns/spp_dns.c: Add file and line number to an error message.
* Code cleanup.
* src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
* src/detection-plugins/sp_pattern_match.c:
* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
* src/preprocessors/snort_httpinspect.
* src/preprocessors/spp_stream5.
* src/dynamic-preprocessors/Makefile.
* Update configuration parsing and validation checks and fix issue with static flushpoints not really being static.
* Handle flow keyword with Stream5 UDP sessions.
* src/parser. Thanks to rmkml for pointing out the omission.
* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h:
* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
* src/parser.c:
* src/dynamic-plugins/sf_dynamic_preprocessor.h:
* src/dynamic-plugins/
* src/decode.c:
* src/dynamic-preprocessors/smtp/smtp_config.c:
* src/preprocessors/flow/flow_print.
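Several entries in this stretch of the log replace raw snprintf/strncpy calls with bounded wrappers and add a check that a formatted string was not silently truncated. The following is an added example, not Snort's own SnortSnprintf/SnortStrncpy code: a formatting wrapper that always NUL-terminates and reports truncation as a distinct status, a bounded copy with the same guarantee, and a caller that refuses to use a cut-off result instead of passing it on. The names `safe_snprintf`, `safe_strncpy`, `build_alert_line`, the `SAFE_*` codes and the sample strings are assumptions made for this example.

```c
/* Added example (not Snort code): bounded formatting and copy helpers
 * that guarantee NUL termination and surface truncation to the caller.
 * Names and sample inputs are assumptions for this example. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { SAFE_OK = 0, SAFE_TRUNCATED = 1, SAFE_ERROR = -1 };

/* Format into buf[0..size-1]. Returns SAFE_OK, SAFE_TRUNCATED when the
 * complete output did not fit (buf still holds a NUL-terminated prefix),
 * or SAFE_ERROR on bad arguments or a vsnprintf failure. */
int safe_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    if (buf == NULL || size == 0 || fmt == NULL)
        return SAFE_ERROR;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    buf[size - 1] = '\0';      /* defensive: some old libcs did not terminate */
    if (n < 0)
        return SAFE_ERROR;
    /* C99 vsnprintf returns the length the full output would have had */
    return ((size_t)n >= size) ? SAFE_TRUNCATED : SAFE_OK;
}

/* Copy src into dst[0..size-1], always NUL-terminating.
 * Unlike strncpy this never leaves dst unterminated and never pads. */
int safe_strncpy(char *dst, const char *src, size_t size)
{
    if (dst == NULL || src == NULL || size == 0)
        return SAFE_ERROR;
    size_t len = strlen(src);
    if (len >= size) {
        memcpy(dst, src, size - 1);
        dst[size - 1] = '\0';
        return SAFE_TRUNCATED;
    }
    memcpy(dst, src, len + 1);
    return SAFE_OK;
}

/* Caller pattern from the changelog: build an output line and only use
 * it when it is complete. Returns 1 if the line is usable, 0 otherwise. */
int build_alert_line(char *out, size_t size, unsigned gid, unsigned sid,
                     const char *msg)
{
    int rc = safe_snprintf(out, size, "[%u:%u] %s", gid, sid, msg);
    return rc == SAFE_OK;
}

int main(void)
{
    char line[16];   /* deliberately small to show truncation handling */
    int ok = build_alert_line(line, sizeof line, 1, 1000,
                              "a much longer message");
    printf("usable=%d buffer=\"%s\"\n", ok, line);
    ok = build_alert_line(line, sizeof line, 1, 1000, "short");
    printf("usable=%d buffer=\"%s\"\n", ok, line);
    return 0;
}
```

The status code, rather than the raw length, is what callers should branch on: a truncated query or log line that still "looks" like a string is exactly the case the original plain snprintf calls let through.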

* src/preprocessors/HttpInspect/normalization/hi_norm.c:
* src/sfutil/ipobj.c:
* src/preprocessors/HttpInspect/user_interface/hi_ui_config.
* src/dynamic-plugins/sp_preprocopt.c:
* src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
* src/output-plugins/spo_log_ascii.c:
* src/tag.c:
* src/output-plugins/spo_csv.c:
* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
* src/fpdetect.c:
* src/parser/
* doc/README.stream5: Cleanup spelling, etc.
* src/dynamic-preprocessors/smtp/smtp_config.c:
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/spp_bo.c:
* src/preprocessors/spp_httpinspect.c:
* src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
* src/preprocessors/Stream5/snort_stream5_tcp.c:
* src/ubi_BinTree.c:
* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
* src/sfutil/acsmx2.h: More code cleanup, eliminate warnings on Win32 platform.
* src/output-plugins/spo_database.c:
* src/preprocessors/HttpInspect/client/hi_client_norm.c:
* src/signature.c:
* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
* src/parser.c:
* src/preprocessors/spp_stream4.c:
* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
* src/snort.c:
* src/util.c:
* src/preprocessors/spp_telnet_negotiation.c (removed):
* src/preprocessors/spp_telnet_negotiation.h (removed):
* src/preprocessors/Makefile.
* src/preprocessors/spp_frag3.c: Fix issue when Snort is inline using iptables, without either the ipconntrack or NAT modules. The Ethernet header doesn't exist in the packet received by Snort, causing snort to dereference an invalid pointer. This should not occur using the recommended snort inline configuration, since the OS is supposed to handle IP fragment reassembly. Thanks to Panda Software and Joel Ebrahimi for reporting the issue.

2007-02-02 Steven Sturges <ssturges@sourcefire.

* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
* src/preprocessors/HttpInspect/server/hi_server.
* src/bounds.c:
* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
* src/plugbase.c:
* src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
* src/preprocessors/HttpInspect/event_output/hi_eo_log.
* src/parser.c: Fix benign warning when using -E on Win32.
* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
* src/preprocessors/spp_sfportscan.c:
* src/preprocessors/snort_httpinspect.c:
* src/preprocessors/HttpInspect/session_inspection/hi_si.

* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
* src/ubi_BinTree.c:
* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
* src/mstring.c:
* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
* src/output-plugins/spo_log_ascii.c:
* src/output-plugins/spo_database.
* src/decode.c:
* src/detection-plugins/sp_pcre.c:
* src/fpdetect.c:
* src/strlcatu.c:
* src/preprocessors/snort_httpinspect.c:
* src/detection-plugins/sp_react.c:
* src/preprocessors/snort_stream4_udp.c:
* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
* src/dynamic-preprocessors/smtp/smtp_config.c:
* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
* src/dynamic-plugins/sf_engine/bmh.h: Added profiling code for 64 bit Intel and PPC platforms.
* src/preprocessors/perf-base.c:
* src/dynamic-preprocessors/dns/spp_dns.c:
* src/output-plugins/spo_unified.h:
* src/dynamic-plugins/sp_dynamic.
* src/win32/WIN32-Prj/snort.dsp: Removed deprecated telnet preprocessor.
* src/snort.c:
* src/dynamic-plugins/sf_dynamic_preprocessor.c:
* src/dynamic-preprocessors/smtp/snort_smtp.c:
* src/parser.c:
* src/profiler.c:
* src/detection-plugins/sp_respond.c:
* src/dynamic-plugins/sp_preprocopt.c:
* src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
* src/output-plugins/spo_log_tcpdump.c:
* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
* src/preprocessors/spp_perfmonitor.c:
* src/util.c:
* src/profiler.h:
* src/detect.c:
* src/strlcpyu.c:
* src/detection-plugins/sp_pattern_match.c:
* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
* src/dynamic-preprocessors/smtp/smtp_util.h:
* src/detection-plugins/sp_flowbits.c:
* src/preprocessors/perf.c:
* src/dynamic-preprocessors/ssh/spp_ssh.c:
* src/output-plugins/spo_alert_fast.c:
* src/util.c:
* src/plugbase.c:
* src/preprocessors/portscan.c:
* src/profiler.c:
* src/signature.c:
* src/detection-plugins/sp_ttl_check.c:
* src/dynamic-plugins/sf_dynamic_engine.c:
* src/preprocessors/perf-flow.h:
* src/dynamic-plugins/sf_dynamic_plugins.
* src/profiler.c:
* src/log.h:
* src/sfthreshold.c:
* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.

* src/preprocessors/Stream5/stream5_common.
* src/dynamic-preprocessors/dcerpc/dcerpc.h:
* src/preprocessors/Stream5/snort_stream5_session. update calculating for valid length to handle alternate padding. Update to use safer functions.
* src/preprocessors/spp_stream5.c:
* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
* src/sfutil/acsmx2. Thanks Hideki Saito for pointing out the problem.
* src/preprocessors/spp_stream4.h:
* Code cleanup, use safer functions SnortSnprintf, SnortStrncpy, etc.
* src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
* src/sfutil/sfxhash.h:
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
* src/sfutil/sfsnprintfappend.c:
* src/preprocessors/Stream5/snort_stream5_udp.c:
* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Fix issue with service initialization and parameter validation.
* src/preprocessors/flow/portscan/flowps.h:
* src/win32/WIN32-Code/misc.c:
* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
* src/sfutil/ipobj.h:
* src/preprocessors/Stream5/snort_stream5_udp. Check option parameters for reasonable values (prevent huge memcaps, etc).
* src/sfutil/sflsq.c:
* src/preprocessors/spp_stream5.c:
* src/win32/WIN32-Code/syslog.h:
* src/preprocessors/Stream5/snort_stream5_tcp.c:
* src/preprocessors/spp_stream5.c:
* src/preprocessors/flow/flow.c:
* src/preprocessors/Stream5/snort_stream5_tcp.
* src/preprocessors/portscan.h:
* src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
* src/preprocessors/HttpInspect/event_output/hi_eo_log.c: Allow portscan to work with Stream5 UDP session tracking (because it replaces flow preprocessor).
* src/preprocessors/flow/int-snort/flow_packet.h:
* src/preprocessors/HttpInspect/client/hi_client. change malloc/calloc to SnortAlloc.
* src/preprocessors/Stream5/snort_stream5_session.c:
* src/sfutil/bitop_funcs.c:
* src/preprocessors/spp_stream4.c:
* src/preprocessors/Stream5/snort_stream5_icmp.c:
* src/preprocessors/stream_api. Added API function to get direction of packet (not supported in Stream4).
* src/dynamic-preprocessors/dcerpc/dcerpc.
* src/preprocessors/spp_sfportscan.c:
* src/win32/WIN32-Code/win32_service.h: Stream5 config parsing improvements.
* src/sfutil/getopt_long. Check pointers before use.
* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
* src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.
* src/win32/WIN32-Code/win32_service.c: Code cleanup.
* src/preprocessors/Stream5/snort_stream5_icmp.c:
* src/preprocessors/portscan.c:
* src/sfutil/acsmx.c:
* src/preprocessors/flow/portscan/flowps_snort.c:
* src/sfutil/sfghash.c:
* src/preprocessors/stream.c:
* src/preprocessors/str_search.

* doc/snort_manual.tex:
* doc/snort_manual.pdf: Emphasized in httpinspect documentation that a flow_depth between 1 and 1460 will only inspect at most that many bytes of a server's response, stream reassembled or not, and that rules written to inspect more than flow_depth bytes will be
* src/debug.pdf: Added info on snort.conf config option tagged_packet_limit and added README.tag info file for the tag option in rules.
* doc/README.tag
* doc/
* etc/generators:
* src/generators.h: Remove generator IDs that are no longer used. Thanks to Christian Seifert for pointing this out.
* src/win32/WIN32-Prj/snort.dsp: Always use DYNAMIC_PLUGIN.
* src/preprocessors/spp_stream5.c:
* src/profiler.h: Use 64 bit values to store profiling counters.
* doc/README.stream4:
* doc/README.http_inspect:
* doc/README.stream5: Cleanup. Added section for Stream5. Removed old preprocessor sections and moved ASN.1 from preprocessor to detection plugins section.
* RELEASE.NOTES:
* etc/
* snort.8:
* doc/snort_manual.tex:
* doc/snort_manual.pdf: Added a table for content modifiers and links to their respective
* src/snort.c: Fix to allow dynamic rules to load correctly. Thanks to Nathan Ching for pointing out the issue.
* src/util.h: Handle platforms that don't support vswprintf and vwprintf. Thanks Nikns Siankin for pointing that out for OpenBSD.
* src/win32/WIN32-Prj/snort_installer.nsi:
* src/win32/WIN32-Includes/LibnetNT.h:
* src/win32/WIN32-Includes/config.h: Code cleanup.

2007-01-29 Steven Sturges <ssturges@sourcefire.

* rpm/snort.spec:
* etc/snort.conf:
* src/rules.c:
* src/detection-plugins/sp_flowbits.c: Add check when stream4 or stream5 are not enabled to still support flowbits. Will be removed when Flow preprocessor and Stream4 are deprecated.
* configure.

2007-01-18 Steven Sturges <ssturges@sourcefire.

* src/detection-plugins/sp_flowbits.c: Fix issue with flowbits for UDP streams.

2007-01-17 Steven Sturges <ssturges@sourcefire.

* src/profiler.c:
* src/win32/WIN32-Includes/config.

* src/dynamic-preprocessors/ftptelnet/ftpp_include.
* etc/snort.conf:
* src/preprocessors/spp_frag2.c (removed):
* src/preprocessors/spp_frag2.h (removed): Remove deprecated Frag2.
* src/decode.c: Add handling of IP Option ESEC (Extended Security).
* src/preprocessors/spp_stream4.h: Move definition of INLINE for inline functions to a common place.
* src/debug.h: Add DebugWideMessageFunc for use with Wide Character sets.
* doc/snort_manual.pdf: Update for 2.7.0 Beta
* src/win32/WIN32-Prj/.cvsignore:
* src/win32/WIN32-Prj/
* src/preprocessors/HttpInspect/include/hi_include.h:
* src/fpdetect.h:
* src/preprocessors/snort_stream4_udp.h:
* src/fpcreate.h:
* src/log.c:
* doc/README.stream5:
* doc/README.h:
* src/tag.c:
* src/dynamic-plugins/sf_dynamic_preprocessor.h:
* src/win32/WIN32-Includes/config.c:
* src/detection-plugins/sp_respond2.c:
* src/win32/WIN32-Code/getopt.h:
* src/win32/WIN32-Includes/getopt.c:
* src/plugbase.h:
* src/win32/WIN32-Includes/stdint.h:
* src/bounds.c:
* src/
* src/plugbase.
* src/detection-plugins/sp_ipoption_check.h:
* src/preprocessors/flow/common_defs.dsp:
* src/win32/WIN32-Prj/snort.h:
* src/fpcreate.h (removed): Remove deprecated mwm pattern matcher.
* src/sfutil/mwm.c (removed):
* src/sfutil/mwm.
* src/debug.
* etc/snort.
* src/
* etc/generators. however it does not write to syslog.
* src/win32/WIN32-Prj/snort.dsw: Update Win32 build environment for 2.7.0 Beta
* etc/gen-msg.ftptelnet: Fix a few typos and add better descriptions for alerts.
* src/win32/WIN32-Code/getopt_long.c:
* src/win32/WIN32-Prj/snort.dsp:
* src/win32/WIN32-Prj/snort.h:
* src/sfutil/bitop_funcs.c:
* src/debug.h: Add Stream5 alert.
* src/win32/WIN32-Includes/getopt1.h:
* src/detect.c:
* src/preprocessors/portscan.h:
* doc/
* src/win32/Makefile.h (removed):
* src/preprocessors/Makefile.
* doc/README.c:
* src/decode.
* src/debug.
* src/dynamic-plugins/sf_engine/Makefile.

* src/log.c:
* src/sfutil/mwm.h:
* src/sfutil/ipobj.h:
* src/preprocessors/spp_arpspoof.c:
* src/sfutil/asn1.c:
* src/sfutil/acsmx.c:
* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
* src/sfutil/sflsq.c:
* src/sfthreshold.c:
* src/parser.h:
* src/sfutil/sfeventq.h:
* src/sfutil/acsmx2.c:
* src/profiler.c:
* src/sfutil/sfghash.c:
* src/dynamic-preprocessors/ssh/spp_ssh.c:
* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
* src/util.c:
* src/dynamic-preprocessors/ssh/spp_ssh.c:
* src/preprocessors/str_search.c:
* src/sfutil/sfghash.h:
* src/sfutil/asn1.h:
* src/sfutil/mwm.c:
* src/dynamic-plugins/sf_engine/sf_snort_packet.c:
* src/sfutil/acsmx2.c:
* src/sfutil/mpse.
* src/fpdetect.c:
* src/dynamic-preprocessors/smtp/smtp_confic.c:
* src/preprocessors/spp_flow.c:
* src/detection-plugins/sp_pcre.c:
* src/dynamic-plugins/sf_dynamic_plugins.c:
* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
* src/snort.c:
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
* src/dynamic-preprocessors/dcerpc/dcerpc.c:
* src/preprocessors/spp_stream4.c:
* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
* src/pcrm.c:
* src/dynamic-plugins/sp_preprocopt.c:
* src/sfutil/sfksearch.c:
* src/preprocessors/spp_frag3.c:
* src/preprocessors/stream_ignore.c:
* src/sf_sdlist.h:
* src/plugbase.c:
* src/sfutil/sfksearch.c:
* src/sfutil/mpse.c:
* src/detection-plugins/sp_rpc_check.c:
* src/tag.h:
* src/util.c:
* src/snort.c:
* src/detection-plugins/sp_ip_fragbits.h:
* src/sfthreshold.c:
* src/mstring.c:
* src/sfutil/acsmx.c:
* src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.h:
* src/sfutil/sfhashfcn.h:
* src/signature.h:
* src/sfutil/bnfa_search.c:
* src/sfutil/bnfa_search.h:

* src/event_wrapper.c:
* src/dynamic-plugins/sp_preprocopt.c:
* src/sfutil/sfmemcap.h:
* src/sfutil/sfxhash.c:
* src/preprocessors/Stream5/snort_stream5_icmp.c:
* src/sfutil/sfxhash.c:
* src/sfutil/acsmx.c: use safer functions SnortAlloc, SnortStrdup, etc.
* src/parser.c: make 2 passes through snort.conf at startup.
* src/snort.c:
* src/sfutil/util_net.c:
* src/sfutil/mpse.h:
* src/sfutil/bnfa_search.c: Improve dynamicengine keyword and commandline option to allow for specifying directory or file.
* Unify logging to a single code path and added ability to have rule stubs for preprocessor and decoder events.
* src/fpcreate.h:
* src/sfutil/mpse.h:
* src/event_wrapper.h:
* src/sfutil/sflsq.c:
* src/sfutil/acsmx2.h:
* src/event_queue.c:
* src/sfutil/acsmx2.c:
* src/signature.c:
* src/preprocessors/spp_sfportscan.c: Fix false alert where destination IP was not in range reported by sfportscan alert.
* src/sfutil/mwm.h:
* src/preprocessors/Stream5/snort_stream5_session.h:
* Cleanup of GRE code for GRE nested fragments. Thanks to Benjamin Bennett for pointing out the issue.
* Reset threshold checking at end of portscan alerting so that other events generated for packet wouldn't use old value returned from testing portscan thresholding/suppression.
* src/parser.
* change malloc to calloc.
* src/snort.
* src/preprocessors/spp_sfportscan.
* src/detect.h: To better handle rule options that are provided by dynamic preprocessors.
* src/preprocessors/Stream5/snort_stream5_icmp.c:
* Check pointers before use.
* Fix code that looks for .snortrc. Thanks to Andreas Ostling for pointing this out.
* src/sfutil/acsmx.
* src/preprocessors/spp_frag3.
* src/parser.c:
* src/preprocessors/portscan.
* src/sfutil/util_match.h:
* src/preprocessors/spp_stream5.
* src/event_queue.h: Added caller usable state tracking to pattern matcher.
* src/sfutil/mwm.c:
* src/parser.c:
* src/sfutil/sfthd.h:
* src/dynamic-plugins/sp_preprocopt.

* src/output-plugins/spo_unified.c: Fix unified to work correctly on 64bit. Thanks Nikns Siankin for the report. Nikns provides a patch to barnyard that may be required to use this functionality on 64bit systems. Grab the patch from here: http://secure.
* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:

2006-12-04 Steven Sturges <ssturges@sourcefire.

* src/preprocessors/Stream5/snort_stream5_session.c: Configuration validation update. Reduced memory consumption of session tracking data structures. Improved Session cache management. Improved handling of midstream session establishment, TCP Resets, and repeated SYN packets. Update flushpoint management. Simplify code handling sessions to ignore.
* src/preprocessors/Stream5/stream5_common.h:
* src/preprocessors/Stream5/snort_stream5_tcp.h:
* src/preprocessors/Stream5/snort_stream5_udp.h:
* src/preprocessors/Stream5/stream5_common.c:
* src/preprocessors/Stream5/snort_stream5_tcp.c: Added target-based reassembly for HPUX 11, HPUX 10, Windows 2003, Windows Vista. Set tcp policy for both sides of session; correctly does target-based reassembly for each side, rather than by first packet seen. Added target-based support for processing of TCP timestamps. Added memcap for TCP reassembly packet storage.
* src/preprocessors/Stream5/snort_stream5_udp.c:
* src/detection-plugins/sp_isdataat.c:
* doc/snort_manual.pdf: Added an option to specify rawbytes for the buffer.
* src/dynamic-preprocessors/dcerpc/dcerpc.c: Additional updates for bounds checking.
* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
* src/util. Code cleanup to use safe functions for memory allocation.

2007-01-07 Steven Sturges <ssturges@sourcefire.

* src/decode.h: Fixed issue where GRE decoder was attempting to assign a potentially negative value to an unsigned integer. This value, which would indicate whether the calculated length of the header was greater than the length of the rest of the packet, was then checked to see if it was less than zero. This would always return false and the assumed length of the packet would potentially be larger than the actual length, leading to a potential dereferencing of invalid memory. Thanks to Chris Rohlf for pointing this out.
* src/tag.c: Fix logging of tagged packets when -G (event source ID) is used.
* src/snort.h:
* src/snort_packet_header.h: Reorganize code for inline fail-open to create pattern matcher rule groups in the thread.

2006-11-30 Steven Sturges <ssturges@sourcefire.

* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
* src/decode.2.c:
* src/
* doc/snort_manual.c:
* src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
* src/output-plugins/spo_unified.
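The GRE decoder fix above is a textbook length-check bug: the remaining-length value was computed in an unsigned type, so the subsequent "is it negative" test could never fire and a truncated header was treated as if it had a huge payload. The following is an added example, not Snort's decoder code: a minimal GRE header-length calculation (RFC 2784/2890 layout, 4 fixed bytes plus optional 4-byte checksum, key and sequence fields selected by the C, K and S flags) written once with the dead check and once with the comparison done before the subtraction. The names `gre_hdr_len`, `gre_payload_len_buggy`, `gre_payload_len_fixed` and the sample packets are assumptions made for this example.

```c
/* Added example (not Snort code): the unsigned-underflow length check
 * described in the changelog entry, shown in buggy and fixed form for a
 * minimal GRE header. Names and sample packets are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRE_FLAG_C   0x80   /* checksum (+ reserved1) present */
#define GRE_FLAG_K   0x20   /* key present */
#define GRE_FLAG_S   0x10   /* sequence number present */
#define GRE_BASE_LEN 4

/* Header length implied by the flag byte. */
size_t gre_hdr_len(uint8_t flags)
{
    size_t len = GRE_BASE_LEN;
    if (flags & GRE_FLAG_C) len += 4;
    if (flags & GRE_FLAG_K) len += 4;
    if (flags & GRE_FLAG_S) len += 4;
    return len;
}

/* Buggy version. The original computed "remaining = pkt_len - hdr_len"
 * into an unsigned variable and then tested "if (remaining < 0)", which
 * an unsigned value can never satisfy; the compiler folds the test away.
 * That is reproduced here by performing no check at all: a short packet
 * yields a wrapped-around, enormous payload length. */
size_t gre_payload_len_buggy(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < GRE_BASE_LEN)
        return (size_t)-1;
    size_t hdr = gre_hdr_len(pkt[0]);
    uint32_t remaining = (uint32_t)(pkt_len - hdr);   /* wraps if hdr > pkt_len */
    return remaining;
}

/* Fixed version: compare the lengths before subtracting, so a header that
 * claims more optional fields than the packet carries is rejected. */
size_t gre_payload_len_fixed(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < GRE_BASE_LEN)
        return (size_t)-1;
    size_t hdr = gre_hdr_len(pkt[0]);
    if (hdr > pkt_len)
        return (size_t)-1;   /* truncated header: stop decoding */
    return pkt_len - hdr;
}

int main(void)
{
    /* constructed: flags C|K|S claim a 16-byte header, only 6 bytes exist */
    const uint8_t short_pkt[] = { 0xb0, 0x00, 0x08, 0x00, 0x12, 0x34 };
    /* constructed: K flag, 8-byte header, 4 bytes of payload */
    const uint8_t ok_pkt[] = { 0x20, 0x00, 0x08, 0x00,
                               0x00, 0x00, 0x00, 0x01,
                               0xde, 0xad, 0xbe, 0xef };

    printf("buggy short: %zu\n", gre_payload_len_buggy(short_pkt, sizeof short_pkt));
    printf("fixed short: %zu\n", gre_payload_len_fixed(short_pkt, sizeof short_pkt));
    printf("fixed ok:    %zu\n", gre_payload_len_fixed(ok_pkt, sizeof ok_pkt));
    return 0;
}
```

The pattern generalises beyond GRE: whenever a header's own flags or length fields decide how many bytes it occupies, compare that computed length against the bytes actually available before doing any subtraction in an unsigned type, because the subtraction cannot be made to fail afterwards.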

* src/preprocessors/Stream5/snort_stream5_tcp.c: Fix problem with snort using high CPU and reprocessing the same rebuilt packets at session end or ACK in middle of packet when there are gaps in the packet sequence. Fix additional issue with high CPU and reprocessing rebuilt packets that are split across a sequence wrap. Improved performance of session pruning. Improved TCP Timestamp

2006-11-22 Steven Sturges <ssturges@sourcefire.

2006-11-16 Andrew Mullican <amullican@sourcefire.

* src/dynamic-preprocessors/dcerpc/dcerpc.c:
* src/dynamic-preprocessors/dcerpc/sf_preproc_info.c:
* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Add DCE/RPC preprocessor alert. Updates for printing of options and handling of memcap.
* src/dynamic-preprocessors/dcerpc/dcerpc_config.c: Add print for config option.
* src/dynamic-preprocessors/dcerpc/spp_dcerpc.h:
* doc/README.dcerpc: Update description of DCE/RPC auto-detect.

2006-11-07 Steven Sturges <ssturges@sourcefire.

* src/dynamic-preprocessors/dcerpc/dcerpc.c: Fix segfault caused by integer overflow and add additional checks to protect against other underflow/overflow
* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
* src/preprocessors/Stream5/snort_stream5_udp.c: Add UDP session tracking stats.
* src/preprocessors/Stream5/snort_stream5_session.c:
* src/preprocessors/Stream5/snort_stream5_tcp.c: Separate MacOS policy from
* src/preprocessors/stream.h: Add capability to have multiple application layer preprocessors store data within the stream to better handle autodetection and multi-protocol packets.
* src/preprocessors/
* src/preprocessors/snort_httpinspect.
* src/preprocessors/HttpInspect/include/hi_ui_config.h: Output user-selected server profile at startup.
* src/snort.c: Updates to inline thread initialization.
* src/detection-plugins/sp_isdataat.c: Fix problem with this option not being marked as relative when 'relative' is used. This change should've been made with changes for not rechecking non-relative options on 2006-08-16.
* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Detect corrupt files and handle mixed windows and unix line endings.
* src/preprocessors/spp_stream4.c: Fix debug prints. as they differ
* etc/gen-msg.
* src/parser.

2006-10-30 Steven Sturges <ssturges@sourcefire.

2006-10-27 Steven Sturges <ssturges@sourcefire.

2006-10-23 Steven Sturges <ssturges@sourcefire.com>
2006-10-13 Steven Sturges <ssturges@sourcefire.com>
* Removed tabs from preprocessor stats output. Tabs aren't compliant with the syslog RFC.
* Added documentation on the Telnet configuration option detect_anomalies.
* Updated stream4 documentation in the Snort manual to reflect new UDP options and inline option updates.
* ... bounds-checking ... and SMB chained AndX commands.
* Added references to FLoP and Mudpit as output systems for Snort.
* Fixed potential for an infinite loop when only part of a packet being used in reassembly is ACK'd.
* Updated the tab_uri_delimiter section in the document to reflect its deprecation. Removed the deprecated tab_uri_delimiter from server profiles since it's redundant with whitespace_chars.
* Changed max_events to max_queue. Corrected error with event_queue parameter.
* Fix error message with max pattern size.
* README.decode: Added README file for the Snort decoder.
* Fixed an off-by-one error message that prevented the maximum number of flowbits from being used. Include number of flowbits used in summary of flowbits usage.
* DNS preprocessor: Allow user-specified ports to override internal defaults.
* README.stream4: Made minor changes to language.
* Fixed packet count stats when in readback mode.
* Updated FAQ to reflect disuse of ACID in favor of BASE. Added references to two IDS books.
* Print out memcap and max_frag_size on startup.
* snort.conf: Added commented-out decoder options with descriptions: enable_decode_oversized_alerts and enable_decode_oversized_drops.
* Fix various bugs relating to ...
* Fix spelling of DETECT_ANOMALIES macro.
* Fix spelling of obsolete in macros.

2006-10-12 Steven Sturges <ssturges@sourcefire.com>
2006-10-09 Steven Sturges <ssturges@sourcefire.com>
2006-10-04 Steven Sturges <ssturges@sourcefire.com>
* Fix problem with reassembly of server side traffic.
* Allow for variable metadata in rule options. Ignore unknown metadata fields.
* Start a thread if running in inline mode that passes traffic through once pcap is opened and snort is not ready to start inspection (i.e. creating the pattern matcher, loading rules, etc). The thread is terminated when snort is ready to process packets. Compiled in via the --enable-inline-init-failopen option to the configure script. Disable with the --disable-inline-init-failopen command line option or 'config disable_inline_init_failopen' in snort.conf in the case that the interface is fail-closed. Requires libpthread.
* Update UDP session stats (packet count, bytes, start/end time, etc).
* RELEASE.NOTES: Prepare for 2.6.1.
* Properly handle retransmitted data that is overlapping the current packet and, when trimmed, overlapping the next packet.
* Fix Stream4 to handle duplicate SYN packets by purging existing packets queued for reassembly after the seq of the SYN.
* Added additional TCP length checking and UDP length checking and new decode alerts for anomalous lengths.
* Fix parser to properly error if misconfigured ports.
* SSH preprocessor: Version string bounds checking now uses the length of the version string versus the length of the entire payload.
* Verifies that the stream preprocessor is ...
* Thanks rmkml and Crusoe Researchers for notifying us of the issue.
* Thanks Todd!
* Added new config options "enable_decode_oversized_alerts" and "enable_decode_oversized_drops" to allow alerting on packets with extra bytes at the end of their payload.
* Finally a description for Stream4.
* Require a sid for every rule.

2006-09-27 Steven Sturges <ssturges@sourcefire.com>
* README.http_inspect: Split the IIS profile in the HTTP inspect preprocessor into IIS, IIS4_0 and IIS5_0. IIS 4.0 and IIS 5.0 both support double decoding, but IIS 5.1 does not. Double decoding alerts are now disabled in the IIS profile, but remain enabled for the IIS 4.0 and IIS 5.0 profiles. Thanks to Pratap Ramamurthy for pointing out that IIS 5.1 and beyond do not.
* Fix issue with use of the Stream4 cache_clean_percent option that resulted in a segfault when the max session limit was reached.
* Remove cache_clean_percent option.
* Fix handling of cache clean by percent.
* Add stats tracking for UDP sessions to perfmonitor and stream4's session stats (keepstats option).
* Update Stream4 to purge the UDP session cache on a timeout basis, similar to the way the TCP session cache is purged.
* Handle reassembly of the first packet for midstream pickups (the first packet wasn't part of an established session at that point, so some rules might fail).
* Fixes for CORE SMB fragmentation.
* Fixed issue where the iface_ADDRESS variable wasn't getting set before the configuration file was ... Now all up interfaces will get a variable created. Note that these will NOT get set if the readmode flag is set.
* Fixed issue in GRE code where data could potentially be dereferenced past the end of the packet.
* Fix log message.
* Fix for perf-profiling.
* Thanks to Jason Ish for reporting the problem.
* Thanks to Paul Melson for reporting the problem.

2006-09-21 Steven Sturges <ssturges@sourcefire.com>
2006-09-18 Steven Sturges <ssturges@sourcefire.com>
2006-09-15 Steven Sturges <ssturges@sourcefire.com>
* configure.in: GCC 4.x has strict aliasing on by default at optimization level 2. Snort uses aliases in a number of places. configure now checks the gcc compiler version for 4 and disables strict aliasing with -fno-strict-aliasing.
* Fix issue with alerts missing in DEBUG.
* Added support to decode GRE encapsulated traffic. Only IP as transport protocol is supported and only one layer of encapsulation will be decoded; packets with multiple GRE headers will be discarded.
* Update for GRE additions and compilation on Win32.
* spo_alert_arubaaction, README.ARUBA: Added support for communication with an Aruba Networks wireless mobility authentication/access control system. Thanks Todd Wease (and welcome to the Snort team!) for this contribution.
* Fix signedness issue that caused HttpInspect to miss certain oversized chunk alerts.
* Fix parsing that prevented multiple IP lists from being parsed correctly. This fixes a problem with sfportscan configuration when the 'watch_ip', 'ignore_scanners', and 'ignore_scanned' options are used.
* Fix problem with relative options not being marked as relative (for distance/within keywords).
* Thanks to Ronald Henderson and Keith Konecnik for simultaneously (and independently) discovering and reporting this issue.
* Thanks to Rob Sharp and Husnu Demir for reporting the bug.

2006-09-13 Steven Sturges <ssturges@sourcefire.com>
2006-09-11 Steven Sturges <ssturges@sourcefire.com>
2006-09-07 Steven Sturges <ssturges@sourcefire.com>
* Fix to remove uses of strlen or wcslen.
* Cleanly fail with content patterns that are > 2048 bytes.
* Add config item to enable alerting on exceeded memcap. Turn off memcap alerts by default.
* Fix memcap to be ...
* Fix bug in DCE/RPC fragment reassembly.
* Properly validate andXOffset.
* Added code to print the original datagram for all ICMP error types if alerted on. Added additional decoder alerts for ICMP error types. Fixed issue where data and size pointers were not set correctly for ICMP error types.
* Fix to print original datagram on alert if original datagram was ICMP.
* Removed fragtracking of the ICMP original datagram, as this is now handled within the general alerting mechanism and session tracking. It never made sense since only an ICMP response to the first frag is ever returned.
* Remove checks for duplicate alerts within a given session.
* Fix output for the USR1 signal when calculating statistics for pcap counts. Keep a tally of packets seen/dropped/etc. and use deltas, rather than the 'most recent' value, when determining percentages after each USR1 signal.
* When a variable was redefined, a call to LogMessage() was missing a parameter.
* Code cleanup.
* Thanks to Greg Baran for pointing this ...
* Thanks to John Papapanos for pointing out the above 2 ...
* Thanks to Colin Grady for pointing out the issue.

2006-09-06 Steven Sturges <ssturges@sourcefire.com>
2006-08-31 Steven Sturges <ssturges@sourcefire.com>
2006-08-30 Steven Sturges <ssturges@sourcefire.com>
* Allow for a line without an end-of-line marker in snort.conf.
* Remove the ifdef'd splay tree code for packet and session storage. It has been replaced by a hash table and is no longer ...
* ... as it is no longer needed.
* Fix memory leak in ascii and cmg output.
* pp_ftp: Treat spaces as part of a filename in 'string' parameter validation.
* README.stream5: Add Stream5 README.
* Add a few functions to the Stream API to allow a protocol analyzer to change the reassembly characteristics (direction, flush policy) for an individual session.
* Add DNS preprocessor to packaging and ...
* Remove calls to ClearDumpBuf() from the related calls PrintIPPkt() and PrintNetData().
* Additional fix for parsing of IP lists that are not space separated.
* Thanks Bamm Visscher for pointing out the issue.

2006-08-29 Steven Sturges <ssturges@sourcefire.com>
2006-08-24 Steven Sturges <ssturges@sourcefire.com>
2006-08-17 Steven Sturges <ssturges@sourcefire.com>
2006-08-16 Steven Sturges <ssturges@sourcefire.com>
2006-08-15 Steven Sturges <ssturges@sourcefire.com>
* Remove obsolete ...
* Enable dynamic plugins by default. Can override with --disable-dynamicplugin.
* Add a dynamic preprocessor to decode and analyze DNS responses over TCP and UDP. The TCP portion is stateful and requires stream is ...
* Added SSH and DCE/RPC preprocessor sections and description of new command line ...
* Change config option max_memory to memcap for DCE/RPC.
* This was broken with the addition of the smaller memory Aho-Corasick pattern matcher.
* It was reporting an out of memory error. Thanks Krzysztof Burghardt for pointing out the problem.
* Thanks to Randy Smith for pointing out the ...
* Resolve issue with rechecking rule options that follow a content or PCRE that are ... Only recheck if the next option is relative.
* Fix issues with using lowmem.
* Fix unchecked free.
* Fixed off-by-one in sparse index calculation and off-by-2 ps increment for SparseBands.

2006-08-14 Steven Sturges <ssturges@sourcefire.com>
* New target-based Stream ...
* Moved flow & flowbits to be part of the Stream API.
* Update to include header files.
* Cleanup Win32 warnings.
* Remove references to MWM and sfksearch.

* New dynamic DCE/RPC protocol normalizer.
* New dynamic SSH protocol normalizer.
* Improved handling for stateless rules. Remove use of ifdefs for rule state.
* Added smaller memory consumption pattern matcher.
* Stream4 UDP session tracking support.
* Reassembly performance improvements.
* Add ability to block TCP ...
* Add alerts and normalization for telnet subnegotiation begin that doesn't have a matching end.
* Could result in an evasion over the FTP command channel.
* Add ability to give directory or specific library for dynamic engine.
* Added RC4 dynamic rule ...

2006-08-09 Steven Sturges <ssturges@sourcefire.com>
2006-08-02 Steven Sturges <ssturges@sourcefire.com>
2006-07-25 Andrew Mullican
2006-07-20 Steven Sturges <ssturges@sourcefire.com>
2006-07-14 Steven Sturges <ssturges@sourcefire.com>
* Eliminate spurious log messages.
* Add information on snort responding to kill signal.
* Fix to HttpInspect to check for non-RFC whitespace (CR) after URI.
* 2.6.1 Beta prep.
* Added counter for segments queued for reassembly.
* Improved handling of different versions of the same shared library.
* Update for shared library extensions on HP & MAC. Update for HPUX 11.
* Update to provide links to Snort classification reference information.
* No longer require HELO (or EHLO) first in an SMTP ... Some servers (such as ArGoSoft) don't require it.
* Fix race condition with daemonization.
* Fix parsing of IP lists that are not space separated.
* Handle normalization when Subnegotiation Begin doesn't have a matching Subnegotiation End command by normalizing just the ...
* Code ...
* Thanks to Pratap Ramamurthy for pointing out the potential issue.
* Thanks Yoann Vandoorselaere.
* Thanks J. Aaron Pendergrass for raising the HP issues and testing.

2006-07-12 Steven Sturges <ssturges@sourcefire.com>
2006-06-30 Steven Sturges <ssturges@sourcefire.com>
* Performance improvement for logging tagged packets.
* Fix issue with parsing default server configuration on Win32 platform.
* Change default inline behaviour to not drop packets with decoder ... invalid IP & TCP options and invalid checksums. Drop behaviour can be enabled by using new options, noted in the Snort Manual.
* Address potential read overflow.
* Handle pass rule that hits a pipelined URI and an alert that matches a secondary pipelined URI.
* Fix issue with daemonization on MAC OSX and parent not exiting cleanly.
* Provide support for locking the PID file so that no additional snort process is able to start using the same PID file. Can be overridden with --nolock-pidfile.
* Update to gracefully disconnect from Oracle.
* Add create_db2 script to be included in ...
* Fix issue with replace option and replaced data always being placed at the beginning of the packet.
* Fix issue with First policy when dealing with whole overlaps.
* Fix issue with parsing config other than default.
* Fix potential access violation.
* Code cleanup.
* Thanks Russ S for sending in the bug report.
* Thanks to Nikns Siankin for the patch.
* Thanks Victor Julien for pointing out the area for improvement.

2006-05-31 Steven Sturges <ssturges@sourcefire.com>
2006-05-24 Steven Sturges <ssturges@sourcefire.com>
2006-05-17 Steven Sturges <ssturges@sourcefire.com>
* HttpInspect: Handle additional whitespace characters on a per server configured basis. Defaults are to treat Htab (\t, 9), VTab (\v, 11), Form Feed (\f, 12) and CR (\r, 13) as whitespace.
* Fix to HttpInspect to check for non-RFC whitespace (ie. CR) after URI.
* Fix problem when parsing multiple hosts in an IP list. Revise IP list parsing code.
* Update to handle signals received when no traffic is flowing when snort is compiled with inline ipq.
* Fix issue with using postgresql and dynamic plugins.
* Further code review ... Cleanup possible null pointer dereferences, memory ...
* Fix potential evasion in Stream4.
* Fix reassembly ...
* Fix potential read beyond end of buffer and update configuration to use less memory.
* Thanks Nikns Siankin for pointing out the issue.
* Thanks Victor Julien for the patch.
* Thanks Brandon Franklin for the find.
* Thanks to Blake Hartstein for mentioning the problem.
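The per-server whitespace handling in the entries above, as an added example that is not Snort's HttpInspect code: a 256-entry delimiter table decides where the request-target ends, so a request that separates the URI from the version with a tab is seen one way by a strict, space-only parser and another way by a server (and an IDS profile) that also treats \t, \v, \f and \r as whitespace. The function and table names, and the request line, are this example's own.

```c
/* Added example (not Snort's HttpInspect code): how a per-server whitespace
 * table changes where a request-target ends. The default set mirrors the
 * ChangeLog entry: tab, vertical tab, form feed and carriage return, plus the
 * space the RFC requires. Names here are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fill a 256-entry lookup: ws[c] != 0 means byte c terminates the URI.
 * Space is always a delimiter; 'extra' lists the server-specific additions. */
void http_ws_table(const char *extra, uint8_t ws[256])
{
    memset(ws, 0, 256);
    ws[' '] = 1;
    for (; extra && *extra; extra++)
        ws[(uint8_t)*extra] = 1;
}

/* Length of the request-target: the bytes after the method's single space up
 * to the first byte the table marks as whitespace (or the end of the line).
 * Returns -1 if the line has no method/space separator at all. */
long http_uri_len(const uint8_t *line, size_t len, const uint8_t ws[256])
{
    size_t i = 0;
    while (i < len && line[i] != ' ')
        i++;                          /* skip the method token */
    if (i == len)
        return -1;
    i++;                              /* the one space RFC 2616 allows */
    size_t start = i;
    while (i < len && !ws[line[i]])
        i++;
    return (long)(i - start);
}

/* Constructed request line (not captured traffic): a tab instead of a space
 * between the request-target and the protocol version. */
const uint8_t req_tab[] = "GET /index.html\tHTTP/1.0\r\n";

/* Strict view: only space delimits, so the URI runs through the version. */
long uri_len_strict(void)
{
    uint8_t ws[256];
    http_ws_table("", ws);
    return http_uri_len(req_tab, sizeof req_tab - 1, ws);
}

/* Default profile view: \t \v \f \r also delimit, so the URI is "/index.html". */
long uri_len_default(void)
{
    uint8_t ws[256];
    http_ws_table("\t\v\f\r", ws);
    return http_uri_len(req_tab, sizeof req_tab - 1, ws);
}

int main(void)
{
    printf("strict URI length : %ld\n", uri_len_strict());
    printf("default URI length: %ld\n", uri_len_default());
    return 0;
}
```

If the monitored server accepts the tab as a delimiter but the inspection profile does not, the URI the rules see is "/index.html\tHTTP/1.0\r\n" rather than "/index.html", which is why the whitespace set has to be configured per server profile rather than fixed globally.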

2006-05-12 Steven Sturges <ssturges@sourcefire.com>
2006-05-01 Steven Sturges <ssturges@sourcefire.com>
* README.sfportscan: Proofreading updates.
* Move SPARC_TWIDDLE to common place.
* Signal handler updates for SEGV and HUP. Define CATCHSEGV in snort.c to trap segv signals. Can also define NOCOREFILE to prevent snort from leaving a core file on receipt of a segv.
* Correctly close performance stats file on HUP and exit.
* Fix variable definition parsing code to handle user supplied value if variable isn't defined.
* snort.conf: Include a default path for the dynamic preprocessors and engine.
* Further code review cleanup. Cleanup possible null pointer dereferences, memory leaks, etc.
* Thanks to Jeremey Hewlett for pointing out the problem.

2006-04-27 Steven Sturges <ssturges@sourcefire.com>
2006-04-11 Steven Sturges <ssturges@sourcefire.com>
* RELEASE.NOTES: Add information about memory consumption with pattern matching engines.
* Update rule performance profiling to handle the flowbits:noalert option correctly (it is a match even though there wasn't an alert).
* Update to list all options for pattern matching and note that Wu-Manber is going to be deprecated.
* Update to handle when the interface isn't specified in config or on the command line (final initialization done post PCAP initialization).
* Update output info to account for packets buffered by pcap but not yet received by snort.
* Corrected protocol breakdown.
* spo_database: Update to correctly strip timestamp precision for MySQL. Updates to be ANSI SQL compliant.
* schemas/create_db2: Updated to include gid in schema and version 107 to match the other schemas.
* Fix compilation problems with Sun CC and others that support the C99 standard.
* Fix compilation problems with Sun CC compiler.
* Code review cleanup.
* Thanks to Adam Keeton (and welcome to the project)!
* Thanks Vlatko Kosturjak for the update.
* Thanks Vlatko Kosturjak for the updates.
* Thanks Axton Grams for the patch and Nikns Siankin and Vlatko Kosturjak for testing.
* Thanks Jonathan Miner for pointing out the problem.
* Thanks Chris Kern for noticing the problem.

2006-03-29 Steven Sturges <ssturges@sourcefire.com>
2006-03-24 Steven Sturges <ssturges@sourcefire.com>
2006-03-15 Steven Sturges <ssturges@sourcefire.com>
* Disable detection for to-be-rebuilt packets.
* Move debug code inside DEBUG ifdef. Fix possible SEGV in debug code.
* Correctly calculate the number of preallocated frags when preallocating based on a memory limit.
* Display warnings with configurations that are required for other detection capabilities (ie. normalization is required for ayt threshold and encryption detection).
* Remove pcap_setnonblock() call. Was causing performance problems on certain OSs. Reverts change made with previous checkins.
* Update to fix signal handling issue with libprelude and to disable the segv signal handler when compiled for Debug.
* Free SMTP session memory.
* Clear default ports if ports are specified.
* Fix incorrectly ignored Reset packets with overlapped/retransmitted data.
* Fix cleanup when stream is flushed.
* Allow retransmitted packets through in inline mode if they have not been ACK'd by the other side. Better performance.
* Updates to previous checks for duplicate alerts.
* Fix potential issue for duplicate alerts on the same data in the original packet and the Stream reassembled packet.
* Do not check beyond 4 characters for an FTP command. Correctly handle specifying valid commands as invalid.
* Fix alerts possibly giving incorrect information.
* schemas/create_mssql, create_mysql, create_oracle.sql, create_postgresql: Updated to include gid in schemas. Schema version 107.
* snort_manual: Proofreading.
* Thanks Nikns Siankin for the updates and all the ...

	* src/profiler.h: Add support for AMD processor. Thanks Alex Kirk for trying this out.
	* src/snort.c: Use pcap_setnonblock() if available to help with snort exiting on SIGTERM (and others) when no traffic is flowing.
	* src/decode.c: Fix pflog decoding for OpenBSD platforms.
	* src/dynamic-plugins/sf_engine/
	* doc/INSTALL: Updates for FreeBSD 6.x compilation. Thanks Richard Bejtlich for testing.
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf: Fixed a few typos and added a warning about the to be deprecated telnet decode preprocessor.

2006-03-07 Steven Sturges <>
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Fixed potential segfault condition in stateless mode.
	* src/preprocessors/spp_frag3.c: Added Fatal error messages for unknown config options.
	* src/snort.c:
	* src/preprocessors/spp_perfmonitor.c: Code cleanup

2006-03-02 Steven Sturges <>
	* src/output-plugins/spo_alert_prelude.c: Additional fixes from Yoann Vandoorselaere. Require libprelude version 0.9.6.
	* src/preprocessors/spp_perfmonitor.c: Initialize the pcap counters the first time we get a packet.
	* src/fpdetect.c: Fix leaking of classification info between rules and preprocessor/decoder alerts.

2006-02-28 Steven Sturges <>
	* src/dynamic-preprocessors/ Install required header files when --enable-dynamicplugin used with configure.
	* src/preprocessors/spp_stream4.c: If ignoring a packet because it is a duplicate (retransmitted), drop it if in inline mode. Original packet was either dropped or passed through.

2006-02-27 Steven Sturges <>
	* src/detection-plugins/sp_flowbits.c: Update parsing to handle spaces and correct keyword checking.

2006-02-23 Steven Sturges <>
	* src/snort.c:
	* src/snort.h:
	* src/fpdetect.c:
	* src/parser.c:
	* src/event_queue.h:
	* doc/README:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* snort.8: Changed command line options --flush-all-events to --process-all-events and --alert-on-drop to --treat-drop-as-alert. Updated docs/manpage.
	* src/output-plugins/spo_unified.c: Fix unified log file rollover to correctly write magic numbers.
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c: Update some comments relative to endianness.
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.c: Fix issues with SMTP preprocessor causing rules to not fire. Thanks Andy Mullican for the fix.

2006-02-22 Steven Sturges <>
	* src/preprocessors/spp_frag3.c:
	* doc/README.frag3: Added option to preallocate frags based on a memcap (combination of memcap and prealloc_frags options). Perform preallocation post-pcap open because of memory issues with certain versions of pcap.

2006-02-21 Steven Sturges <>
	* src/output-plugins/spo_alert_prelude.c: packet_to_data(): Standardize AdditionalData fields name. Support more packet fields, remove unused one. Send rule revision and TCP/IP options code/value as AdditionalData. Thanks Yoann Vandoorselaere for the updates. event_to_reference(): Double check that system->url is not NULL. Support ICMP headers, patch from Andrea Barisani.
	* src/snort.c:
	* src/snort.h:
	* src/util.c: Updates to signal handlers to better deal with reentrant issues in syslog and libc.
	* src/dynamic-plugins/sf_dynamic_plugins.c: Print warning if dynamic library directory doesn't exist or is empty. Thanks Andy Mullican for the fix.

2006-02-20 Steven Sturges <>
	* src/sfutil/sfeventq.c: Fix issue when more than max events are added to event queue.
	* src/parser.c:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/snort.c:
	* src/output-plugins/spo_unified.c:
	* src/output-plugins/spo_log_tcpdump.c: Fix issue with output plugins that depend on datalink and snaplen (which are set in OpenPcap). Caused by reordering of initialization on 2006-01-26. Thanks Matt Bedynek and Jeremy Hewlett for the find.

2006-02-17 Steven Sturges <>
	* doc/INSTALL: Updated to include current options and added a section for compilation on MAC OSX.
	* src/signature.c: Strip whitespaces from reference system and id. This fixes a reference lookup problem resulting in an invalid URL in case the reference begins with a space character (example: "reference: x,y;" would fail). Thanks Yoann Vandoorselaere for the patch.

2006-02-16 Steven Sturges <>
	* src/preprocessors/spp_frag3.c: Fix ip options handling. Thanks to Vyacheslav Burdjanadze for finding the issue.
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Fix processing of configuration without options.
	* src/snort.c: Fix OpenPcap merge issue.

2006-02-15 Steven Sturges <>
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf: Update perfmonitor section. Thanks to Passreality for pointing out the omissions.
	* src/preprocessors/spp_stream4.c: Only increment memory counter once per allocation.

2006-02-14 Steven Sturges <>
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf: Updates to manual for 2.6.0
	* src/win32/WIN32-Prj/snort.dsp: Added missing files.

2006-02-13 Steven Sturges <>
	* src/parser.c: Handle longer lines for config
	* src/sfutil/acsmx2.c: Change visual name of Aho-Corasick sparse bands.
	* src/preprocessors/spp_frag3.c: When a timeout occurs on a Fragmented session, purge the existing fragments and treat it as a new session. Allows for proper defragmentation, per OS target configuration.

2006-02-09 Steven Sturges <>
	* src/util.c: Fix -M flag to log Fatal and regular Error messages to syslog as well. Thanks Andy Mullican.
	* snort.8:
	* doc/README:
	* src/snort.c: Add info on additional commandline switches.
	* src/preprocessors/spp_stream4.c: Fix compilation issue on some platforms.

2006-02-08 Steven Sturges <>
	* src/parser.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: Allow default configuration without options

2006-02-06 Steven Sturges <>
	* etc/snort.conf:
	* src/dynamic-examples/dynamic-preprocessor/
	* src/dynamic-examples/dynamic-rule/
	* src/dynamic-plugins/sf_engine/
	* src/dynamic-preprocessors/ftptelnet/
	* src/dynamic-preprocessors/smtp/ Add info to snort.conf on how to load dynamic libraries and update Makefiles to use path similar to that of snort.conf.
	* src/parser.c: Fixed error message when dynamic<xxx> token is used.

2006-02-03 Steven Sturges <>
	* src/dynamic-examples/dynamic-preprocessor/
	* src/dynamic-examples/dynamic-rule/
	* src/dynamic-plugins/sf_engine/
	* src/dynamic-preprocessors/ftptelnet/
	* src/dynamic-preprocessors/smtp/
	* src/dynamic-plugins/sf_dynamic_plugins.c: Fix installation directories
	* src/preprocessors/
	* src/preprocessors/stream_api.h:
	* src/preprocessors/stream_api.c: Fixes for MacOS X compilation.

2006-02-02 Steven Sturges <>
	* src/detect.c:
	* src/event_queue.c:
	* src/event_queue.h:
	* src/fpdetect.c:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	* src/sfutil/sfeventq.c: Changed rule ordering to better handle drop and pass rules when other alerts trigger on the same packet. Thanks Marc Norton for the changes.
	* src/profiler.c:
	* src/profiler.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h: Win32 fixes.
	* src/snort.c: Fix SigHup processing.
	* src/util.c: Code Cleanup.
	* src/detection-plugins/sp_pattern_match.c: Return non-zero when search goes out-of-bounds.
	* src/preprocessors/snort_httpinspect.c: Fix from Chris Sherwin for pipelined requests.
	* src/preprocessors/spp_frag3.c: Change noisy LogMessage to Debug.

2006-01-30 Steven Sturges <>
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h: Include config.h if required.
	*
	* src/
	* src/dynamic-examples/.cvsignore:
	* src/dynamic-examples/
	* src/dynamic-examples/dynamic-preprocessor/.cvsignore:
	* src/dynamic-examples/dynamic-preprocessor/
	* src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h:
	* src/dynamic-examples/dynamic-preprocessor/spp_example.c:
	* src/dynamic-examples/dynamic-rule/.cvsignore:
	* src/dynamic-examples/dynamic-rule/
	* src/dynamic-examples/dynamic-rule/detection_lib_meta.h:
	* src/dynamic-examples/dynamic-rule/rules.c:
	* src/dynamic-examples/dynamic-rule/sid109.c:
	* src/dynamic-examples/dynamic-rule/sid637.c: Added examples for manual of dynamic preprocessor and dynamic rule library.
	* src/dynamic-preprocessors/ftptelnet/
	* src/dynamic-preprocessors/smtp/ More fixes to cleanup.

2006-01-26 Steven Sturges <>
	* src/preprocessors/spp_stream4.c: Fixed a few retransmission alerts that are not toggled off by disable_evasion_alerts config.
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	* src/util.h: Addressed some startup issues when running daemon mode. Configuration is validated prior to daemonizing, therefore if config errors exist, snort will exit, returning error to initialization script/process. Parent process doesn't exit until config file is read and a child is forked and has created its pid file. Thanks to Marc Norton and Chris Sherwin for their work on this. Fixed issue with opening pcap prior to reading it from a config file. Thanks Martin Olsson for noting this.
	* src/dynamic-preprocessors/
	* src/dynamic-preprocessors/smtp/
	* src/dynamic-preprocessors/ftptelnet/ Fixed builds on FreeBSD.

2006-01-24 Steven Sturges <>
	* src/win32/ Win32 Updates.
	* doc/ Added files.
	* src/win32/WIN32-Prj/snort.dsp: Removed deprecated src files.
	* src/win32/WIN32-Prj/snort_installer.nsi: Added dynamic modules, updated version number.

2006-01-23 Steven Sturges <>
	* src/preprocessors/spp_flow.c: Fixed error message when parsing flow configuration.
	* src/snort.c:
	* src/snort.h: Fixed issue with creating PID files.
	* src/util.c: Fixed issue with DropStats and unopened pcap.
	* src/
	* src/dynamic-plugins/
	* src/dynamic-plugins/sf_engine/
	* src/dynamic-preprocessors/
	* src/dynamic-preprocessors/smtp/
	* src/dynamic-preprocessors/ftptelnet/
	* src/sfutil/

	Updates to handle make dist and make distcheck. Win32 Updates.

2006-01-20 Steven Sturges <>
	* schemas/create_mysql:
	* src/output-plugins/spo_database.c: Updated to write GID when logging events. Thanks to Graham Keeling for the patch and Kevin Johnson for helping test.
	* src/snort.c:
	* doc/README:
	* snort.8: Added info on new command line options.
	* src/snort.c: Updated CreatePidFile to use interface name if available when in inline mode (and using a bridging interface).

2006-01-19 Steven Sturges <>
	* src/util.c: Updated Timestats to print packet stats per hour and breakdown per protocol. Thanks Bill Parker for the update. To use this feature, use --enable-timestats.
	* src/sfutil/sfthd.c: Fix parameter ordering in test routine. Thanks Yin Zhaohui for the find.
	* src/detect.c: Fixed DEBUG_WRAP statement. Thanks Yin Zhaohui for pointing this out.

2006-01-19 Steven Sturges <>
	*
	* Added use of libtool to build dynamically loadable modules, --enable-dynamicplugin. Added performance profiling, --enable-perfprofiling. Added separation of rules being enabled from them appearing in snort.conf, --enable-rulestate. Added pthread linkage, --enable-pthread.
	* src/win32/WIN32-Prj/snort.dsp:
	* src/win32/WIN32-Prj/snort.dsw:
	* src/win32/WIN32-Prj/build_all.dsp: Added dynamically loadable modules and updated workspace for other project files (new preprocessors, DLLs, and utility project to build everything).
	* RELEASE.NOTES:
	* doc/
	* doc/README: Updated for new files and 2.6.0 release preparation.
	* doc/README.PerfProfiling:
	* src/profiler.c:
	* src/profiler.h: Added performance profiling metrics. Can measure both rules and preprocessor performance. Enable via --enable-perfprofiling. See profiler.h for MACROs to use and various preprocessors for examples.
	* doc/README.SMTP:
	* src/dynamic-preprocessors/smtp/.cvsignore:
	* src/dynamic-preprocessors/smtp/
	* src/dynamic-preprocessors/smtp/sf_preproc_info.h:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/smtp/smtp_config.c:
	* src/dynamic-preprocessors/smtp/smtp_config.h:
	* src/dynamic-preprocessors/smtp/smtp_log.c:
	* src/dynamic-preprocessors/smtp/smtp_log.h:
	* src/dynamic-preprocessors/smtp/smtp_normalize.c:
	* src/dynamic-preprocessors/smtp/smtp_normalize.h:
	* src/dynamic-preprocessors/smtp/smtp_util.c:
	* src/dynamic-preprocessors/smtp/smtp_util.h:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.h:
	* src/preprocessors/spp_xlink2state.c (removed):
	* src/preprocessors/spp_xlink2state.h (removed):
	* src/preprocessors/xlink2state.c (removed):
	* src/preprocessors/xlink2state.h (removed): Added dynamically loadable SMTP preprocessor. Thanks Andy Mullican for the work and research. Renders xlink2state mini preprocessor defunct.
	* doc/README.ftptelnet:
	* src/dynamic-preprocessors/ftptelnet/.cvsignore:
	* src/dynamic-preprocessors/ftptelnet/
	* src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftp_client.h:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftp_server.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_eo.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_util_kmap.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
	* src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.h:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.h:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h:
	* src/preprocessors/spp_telnet_negotiation.c: Added dynamically loadable FTP/Telnet preprocessor. Thanks Steven Sturges for the work and research. Replaces telnet decoder.
	* doc/README.sfportscan:
	* src/preprocessors/spp_sfportscan.c: Updated for preprocessor protocol ordering. Added performance measurements. Added ACK scan detection and false positive prevention with sessions picked up midstream and dropped packets.
	* etc/
	* etc/generators:
	* src/generators.h: Added generator IDs for new preprocessors.
	* etc/snort.conf: Added examples for new preprocessors
	* src/ Added performance metric modules, new subdirs.
	* src/build.h: Separated build version from snort.h.
	* src/debug.h: Added new preprocessors.
	* src/decode.c:
	* src/detect.c: Performance measurements of packet decoder, detection, rule evaluation and preprocessors.
	* src/decode.h:
	* src/detect.h: Change to use dynamically sized preprocessor array since more than 32 preprocessors may be loaded.
	* src/inline.c:
	* src/inline.h: Updated to always set drop flag for packets that are dropped for logging purposes.
	* src/plugbase.c:
	* src/plugbase.h:
	* src/plugin_enum.h:
	* src/preprocids.h: Support for new preprocessors, added checks to verify preprocessor configuration. Removed deprecated preprocessors. Added cleanup and shutdown functionality for preprocessors. Move preprocessor bitmasks from plugbase.h into preprocids.h. Added protocol stack based ordering of preprocessors, so that IP-layer preprocessors are run before TCP/UDP layer ones.
	* src/snort.c:
	* src/snort.h: Added longname option support. Added dynamic module commandline options, see README for details. Updated signal handling and exit/restart code. Switched to using pcap_dispatch from pcap_loop for better control of packet processing. Added performance measurements. Fixed -T flag and commandline help functionality. Added -M flag to write messages/warnings to syslog (doesn't write alert data there) when not in daemon mode.
	* src/tag.c: Put limit on tagging to alleviate overloaded databases that result in every packet being tagged on high bandwidth sensors. Prevents database DoS with tagging rules.
	* src/util.c:
	* src/util.h: Fixed issue with reentrant signal handlers. At exit because of signal, snort now logs to snort_exit file instead of syslog. Updated pid file creation when in Inline mode.
	* src/detection-plugins/
	* src/detection-plugins/sp_asn1.c

Steven Sturges and Marc Norton.dsp: src/dynamic-preprocessors/initialize_headers.c: src/signature.c: src/dynamic-plugins/sf_engine/bmh.c: src/dynamic-plugins/sp_dynamic. src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts. Can write compiled rules that are "blackboxed". src/detection-plugins/sp_pcre.cvsignore: src/dynamic-preprocessors/Makefile. src/parser.h: src/dynamic-plugins/sf_dynamic_engine. Added URI Length check rule src/dynamic-plugins/sf_dynamic_common. and fix issue with non-content rules not being evaluated. src/signature.c: src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h: src/dynamic-plugins/sf_engine/ src/dynamic-plugins/sf_engine/bmh. Thanks Andy Mullican.c: src/detection-plugins/sp_asn1_detect.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_content.h: Added dynamically loadable rule detection capability.cvsignore: src/dynamic-plugins/Makefile.dsp: Added dynamically loadable preprocessor support.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_loop. Thanks to Chris Sherwin for the new functionality.c: src/parser.c: src/dynamic-plugins/sf_dynamic_preprocessor.cvsignore: src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.h: src/dynamic-plugins/ src/dynamic-preprocessors/sf_dynamic_initialize/.h: Added 'gid' and 'metadata' fields to rules. performance profiling src/dynamic-preprocessors/dynamic_preprocessors.h: src/dynamic-plugins/sf_dynamic_detection.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Performance measurments. added support for dynamic rule detection.c: Provide ability to turn off PCRE checks via config nopcre.* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * src/detection-plugins/sp_asn1_detect.h: Added dynamic rule and preprocessor parsing.c: src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre. 
src/fpcreate.c: src/dynamic-plugins/sp_preprocopt.c: src/detection-plugins/sp_urilen_check.h: src/detection-plugins/sp_urilen_check. yet still loaded at runtime.c: src/win32/WIN32-Prj/sf_engine.h: src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: src/fpcreate. Simplifies .h: src/dynamic-plugins/sf_engine/sf_snort_plugin_api.dsp: src/rules.h: src/dynamic-plugins/sf_engine/.h: src/dynamic-plugins/sp_dynamic. src/dynamic-plugins/.cvsignore: src/dynamic-plugins/sf_engine/Makefile.h: src/fpdetect.h: Modularized ASN1 detection code. rule state parsing.h: src/dynamic-plugins/sf_dynamic_meta.h: src/dynamic-preprocessors/.c: src/dynamic-plugins/sf_engine/sf_snort_packet.h: src/dynamic-plugins/sf_dynamic_plugins.

c: Added code to ignore certain ports. src/detection-plugins/sp_flowbits.c: src/preprocessors/str_search.c: Updated for preprocessor protocol ordering. Updated output plugins to use Stream api for logging reassembled packets.h: src/preprocessors/perf.c: src/detection-plugins/sp_flowbits. src/preprocessors/str_search.h: src/sfutil/getopt_long. Added performance measurements.c: src/preprocessors/spp_perfmonitor. src/preprocessors/spp_arpspoof.c: src/output-plugins/spo_alert_sf_socket.c: src/preprocessors/spp_sfportscan.c: src/preprocessors/spp_frag3.c: src/preprocessors/stream. Thanks Andy Mullican.c: src/preprocessors/perf-flow. src/preprocessors/spp_frag2.c: src/preprocessors/spp_stream4. Added performance measurements.h: src/preprocessors/snort_stream4_session. Flowbits are now stored as part of the Stream. src/preprocessors/portscan.c: src/preprocessors/perf-base.h (removed): Deprecated old portscan preprocessors. src/preprocessors/Makefile. Added performance measurements. src/sfutil/Makefile.h: src/preprocessors/stream_ignore.h: src/preprocessors/stream_api.h: Added better performance tracking for flow data for ports under 1024 and those above. .c: src/preprocessors/spp_stream4.h: Added api for Stream4 to help with development of next generation Stream src/preprocessors/spp_portscan. To be deprecated in next release. src/preprocessors/perf-base.c: src/preprocessors/stream_ignore.h (removed): src/preprocessors/spp_portscan2.c: Updated for stream API.c: Updated for preprocessor protocol ordering. Added performance measurements.c: Added longname commandline option support.c: src/preprocessors/spp_rpc_decode.c: src/output-plugins/spo_log_tcpdump.c: Added metric for inline blocked packets.c: src/preprocessors/spp_flow. src/preprocessors/snort_httpinspect.c (removed): src/preprocessors/spp_portscan2.c (removed): src/preprocessors/spp_conversation. 
Steven Sturges and Marc Norton.c: src/preprocessors/ src/sfutil/getopt.h: Modularized this code for use by the dynamic SMTP preprocessor.h: src/event_wrapper.c: src/output-plugins/spo_unified.* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * development of preprocessors for quicker release of new preprocessor code. Added performance measurements.h (removed): src/preprocessors/spp_conversation. src/preprocessors/perf-flow.c: src/preprocessors/spp_bo.c (removed): src/preprocessors/spp_portscan.h: src/sfutil/getopt1.
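
The 2006-01-26 entry above says the configuration is validated before Snort daemonizes, so a bad config returns an error to the init script, and that the parent does not exit until the forked child has created its pid file. The following C program is an added example written for this page, not Snort's own code, showing that start-up order: validate in the foreground, fork, have the child report over a pipe once its pid file exists, and let the parent exit with the child's readiness status. validate_config() is a placeholder for the full parser run (its list of accepted directives is an assumption for the illustration), and the helper names, the pipe protocol and the /tmp paths are likewise assumptions made here.

```c
/*
 * Added example (not Snort code): validate the configuration before fork(),
 * then keep the parent alive until the child has written its pid file, so the
 * invoking init script receives a meaningful exit status.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Placeholder for the real config parse (assumption for this example): the file
   must open, and every non-blank, non-comment line must start with a directive
   from this list.  A real validator runs the complete parser. */
int validate_config(const char *path)
{
    static const char *known[] = { "var ", "preprocessor ", "output ", "config ", "include " };
    char line[512];
    int rc = 0, lineno = 0;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        int ok = 0;
        lineno++;
        if (line[0] == '#' || line[0] == '\n') continue;
        for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
            if (strncmp(line, known[i], strlen(known[i])) == 0) { ok = 1; break; }
        if (!ok) { fprintf(stderr, "%s:%d: unknown directive\n", path, lineno); rc = -1; break; }
    }
    fclose(f);
    return rc;
}

/* Write the daemon's pid; mode 0644 lets other processes read but not replace it. */
int write_pid_file(const char *path, long pid)
{
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", pid);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int ok = write(fd, buf, (size_t)len) == len;
    close(fd);
    return ok ? 0 : -1;
}

/* Parent side: block on the readiness pipe.  Returns the status the parent should
   exit with: 0 if the child sent '0', 1 if it sent anything else or died before
   reporting (read() returns 0 at EOF). */
int wait_for_child_ready(int fd)
{
    char status = '1';
    ssize_t n;
    do { n = read(fd, &status, 1); } while (n < 0 && errno == EINTR);
    return (n == 1 && status == '0') ? 0 : 1;
}

/* Validate first, then fork.  Returns 0 in the child once its pid file exists and
   -1 in the foreground when validation, pipe() or fork() fails.  The parent never
   returns: it exits with the status from wait_for_child_ready(). */
int daemonize_after_validation(const char *config, const char *pidfile)
{
    int fds[2];
    if (validate_config(config) != 0) return -1;   /* fail loudly, still in the foreground */
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid > 0) {                                  /* parent: wait for the child's report */
        int rc;
        close(fds[1]);
        rc = wait_for_child_ready(fds[0]);
        close(fds[0]);
        _exit(rc);
    }
    close(fds[0]);                                  /* child: detach, write pid file, report */
    char status = (setsid() >= 0 && write_pid_file(pidfile, (long)getpid()) == 0) ? '0' : '1';
    if (write(fds[1], &status, 1) != 1) status = '1';
    close(fds[1]);
    return status == '0' ? 0 : -1;
}

int main(void)
{
    /* Constructed demo config, written here so the example runs offline. */
    const char *cfg = "/tmp/snort_example_demo.conf", *pid = "/tmp/snort_example_demo.pid";
    FILE *f = fopen(cfg, "w");
    if (!f) return 1;
    fputs("# demo config\nvar HOME_NET any\npreprocessor frag3_global\n", f);
    fclose(f);
    if (daemonize_after_validation(cfg, pid) != 0) return 1;   /* only the child gets here */
    return 0;                                                   /* packet processing would start here */
}
```

The point of the pipe is that the parent's exit status is decided by the child, not by a sleep or a guess: if the child cannot setsid() or cannot write its pid file, the init script sees a failure instead of a daemon that silently never came up.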
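
Several entries above touch the same shutdown problem: signal handlers that were not reentrant with syslog and libc (2006-02-21 and the 2006-01-19 util.c fix that moved exit logging to the snort_exit file), the switch from pcap_loop to pcap_dispatch for better control of packet processing, and Snort not exiting on SIGTERM when no traffic was flowing (the pcap_setnonblock() change). The C program below is an added example written for this page, not Snort's code, showing the handler discipline those changes point at: the handler only stores a sig_atomic_t, processing runs in bounded batches and re-checks the flag between them, and the exit record is written from the main loop where ordinary I/O is safe. dispatch_fn is a stand-in for pcap_dispatch() so the example needs no libpcap, and demo_dispatch is a constructed packet source; both, and the function names, are assumptions made here.

```c
/*
 * Added example (not Snort code): async-signal-safe shutdown.  The handler
 * records the signal and nothing else; syslog(), stdio, malloc()/free() and
 * locks are all off limits there.  The main loop processes bounded batches
 * (what pcap_dispatch() allows, unlike pcap_loop()) so the flag is noticed
 * even on an idle link.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* sig_atomic_t is the only object type C guarantees a handler may write safely. */
static volatile sig_atomic_t g_exit_signal = 0;

/* Handler: store the signal number, return.  No library calls at all. */
static void record_exit_signal(int signum)
{
    g_exit_signal = signum;
}

/* Install the flag-setting handler for the signals that should stop processing. */
int install_exit_handlers(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = record_exit_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;   /* no SA_RESTART: a blocked read returns EINTR and the loop re-checks the flag */
    if (sigaction(SIGTERM, &sa, NULL) != 0 || sigaction(SIGINT, &sa, NULL) != 0)
        return -1;
    return 0;
}

/* Stand-in for pcap_dispatch(): handle at most `batch` packets and return how
   many were handled, 0 when none arrived this round, <0 at end of input. */
typedef int (*dispatch_fn)(int batch, void *ctx);

/* Main loop.  A zero return (idle round, like a pcap read timeout) is not an
   error: loop again so the flag is seen with no traffic flowing.  Returns the
   signal that stopped the loop, or 0 when the source ended. */
int run_until_signal(dispatch_fn dispatch, void *ctx, int batch, unsigned long *packets_out)
{
    unsigned long packets = 0;
    while (!g_exit_signal) {
        int n = dispatch(batch, ctx);
        if (n < 0) break;
        packets += (unsigned long)n;
    }
    if (packets_out) *packets_out = packets;
    return (int)g_exit_signal;
}

/* Exit record, written from the main loop after it has left run_until_signal(),
   never from the handler.  Returns 0 on success. */
int write_exit_record(int fd, int signum, unsigned long packets)
{
    char buf[128];
    int len = snprintf(buf, sizeof buf, "exiting on signal %d after %lu packets\n", signum, packets);
    if (len < 0 || (size_t)len >= sizeof buf) return -1;
    return write(fd, buf, (size_t)len) == len ? 0 : -1;
}

/* Constructed packet source for the demo: two idle rounds, then a round that
   delivers 5 packets and, as if an operator ran kill(1), raises SIGTERM. */
struct demo_source { int calls; };

static int demo_dispatch(int batch, void *ctx)
{
    struct demo_source *s = ctx;
    s->calls++;
    if (s->calls < 3) return 0;      /* idle: pcap_loop() would still be blocked here */
    raise(SIGTERM);                  /* handler runs now and only sets the flag */
    return batch < 5 ? batch : 5;
}

/* Run the demo; returns the signal that stopped the loop (SIGTERM). */
int demo_run(int *calls_out, unsigned long *packets_out)
{
    struct demo_source src = { 0 };
    int sig;
    if (install_exit_handlers() != 0) return -1;
    sig = run_until_signal(demo_dispatch, &src, 10, packets_out);
    if (calls_out) *calls_out = src.calls;
    return sig;
}

int main(void)
{
    int calls = 0;
    unsigned long packets = 0;
    int sig = demo_run(&calls, &packets);
    write_exit_record(STDOUT_FILENO, sig, packets);   /* safe: we are back in the main loop */
    return sig == SIGTERM ? 0 : 1;
}
```

With pcap_loop(-1, ...) the third call would never have returned on an idle interface, so the flag would never have been checked; with bounded dispatch the loop gets control back after every batch or timeout. The same structure makes the exit path safe to extend with syslog() or file logging, because that code runs in ordinary context rather than inside the handler.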

to avoid internal buffer overrun.c: * src/preprocessors/flow/portscan/server_stats.h: * src/sfutil/sfksearch.c: Added performance measurements.c: Fix memory leak and mishandling of IP Options.c: * src/preprocessors/flow/portscan/flowps. 2005-11-11 Steven Sturges <ssturges@sourcefire.h: Updated IP Set to include port sets. * src/sfutil/mpse. Thanks Yin Zhaohui for the find.c: Fixed bug with multiple recurring patterns in Wu-Manbher implementation. Thanks Martin Olsson for mentioning this and testing the> * etc/gen-msg.h: * src/.c: * src/preprocessors/flow/portscan/flowps_snort. Thanks Andy Mullican for the fix. 2005-10-11 Steven Sturges < * etc/snort.c: Allow value of 0 to be used with -G flag * src/preprocessors/spp_bo.h: * src/preprocessors/spp_bo.c: * src/preprocessors/flow/flow_cache.c: Handle wrapping on 64-bit platforms 2005-11-17 Andrew Mullican <amullican@sourcefire.c: * src/sfutil/sfksearch.h: * src/sfutil/> * src/sfutil/mwm.h: * src/sfutil/sfghash.conf: * src/generators.c: * src/sfutil/ipobj.c: * src/preprocessors/portscan.c: * src/sfutil/bitop.c: Fixed problem with parsing conf file and rules when DNS is not working. Thanks Sandro Poppi for the find. 2006-01-09 Steven Sturges <ssturges@sourcefire.c: Code Cleanup * src/preprocessors/> * src/sfutil/> * src/snort.c: Add tracker without using bogus data. * src/preprocessors/spp_perfmonitor.c: * src/detection-plugins/sp_pattern_match.* src/sfutil/ipobj.c: * src/output-plugins/spo_alert_prelude. * src/parser/IpAddrSet.h: * src/sfutil/mwm.h: * src/> .c: * src/preprocessors/perf-base.cvsignore: Misc code cleanup. 2005-10-16 Steven Sturges <ssturges@sourcefire. * src/snort_packet_header. Thanks to Evan Stawnyczy for pointing it out and Marc Norton for the fix.c: Fixed potential buffer overflow in BackOrifice preprocessor and added an alert on attempt to overflow buffer in snort.h: * src/win32/WIN32-Includes/libnet/gnuc.

c * src/decode. to explicitly set logging mode. * src/util. 2005-09-19 mfr <roesch@sourcefire.c: * schemas/create_mysql: Fixes to address schema being a keyword in MySQL 5.c: don't try to actually open the log file when in test mode 2005-09-19 Steven Sturges <ssturges@sourcefire.H: * src/win32/WIN32-Includes/libnet/LibnetNT. Thanks Gianluca Varenni for mentioning the discrepancy.h 2005-09-16 mfr <roesch@sourcefire.c: Additional fixes to better handle various targets and extensions to the Shankar/Paxson model. and Aleem Mawji for the updates. Available arguments are "none". 2005-09-14 Steven Sturges <ssturges@sourcefire. Thanks Judy Novak for all of the OS testing & pcap> * src/win32/WIN32-Includes/NETINET/> * src/preprocessors/spp_frag3.conf file to prevent unncessary exiting due to logdir being specified in snort.log_dir which can happen due to the IDS mode logdir check being removed in src/snort.0. 2005-09-14 Andrew Mullican <amullican@sourcefire.c: Included CheckLogDir() call in CreatePidFile() on the off chance we have to fall back to using pv. 2005-09-16 Steven Sturges <ssturges@sourcefire. Thanks Wes Young. "pcap" and "ascii".1 with correct website.8: Updated for -K command line switch * doc/README: Updated for new command line options and default logging mode.h (removed): .h * src/preprocessors/spp_rpc_decode.lib: * src/win32/WIN32-Prj/LibnetNT. 2005-09-23 Steven Sturges <ssturges@sourcefire.H: * src/win32/WIN32-Includes/NETINET/> * src/snort. Pcap mode is now the default logging mode of * src/> * etc/gen-msg. Adolfo Gomez.c: Added check for bad length of TCP SACK option.h: Always use winsock2. CheckLogDir() is no longer called in IDS mode until after reading in the snort.c: New command line switch. 
2005-10-04 Steven Sturges <ssturges@sourcefire.dll: Rebuilt and updated LibnetNT linked with WinPCAP 3.nsi: Updated to mention WinPCAP 3.* src/win32/WIN32-Prj/> * src/output-plugins/> * src/output-plugins/spo_log_tcpdump.conf and inadvertantly checking for the existence of /var/log/> * src/win32/WIN32-Libraries/libnet/LibnetNT. * snort.c: Added new alert on zero-length RPC fragment.h (removed): * src/win32/WIN32-Includes/pcap.> * src/win32/WIN32-Includes/pcap-namedb.

h: src/win32/WIN32-Includes/mysql/libmysql.4.h: src/win32/WIN32-Includes/mysql/m_string.lib: src/win32/WIN32-Libraries/wpcap.lib: src/win32/WIN32-Libraries/mysql/mysqlclient.h: src/win32/WIN32-Includes/mysql/mysql_com.def (removed): src/win32/WIN32-Includes/mysql/config-netware.1 release on Win32.h: src/win32/WIN32-Includes/mysql/typelib.h: src/win32/WIN32-Includes/WinPCAP/Gnuc.def: src/win32/WIN32-Includes/mysql/m_ctype.h: src/win32/WIN32-Includes/WinPCAP/tcp_session. * src/preprocessors/spp_frag3.h: src/win32/WIN32-Includes/WinPCAP/Packet32.h: src/win32/WIN32-Includes/WinPCAP/bittypes.h (removed): src/win32/WIN32-Includes/mysql/errmsg.h: src/win32/WIN32-Includes/WinPCAP/Win32-Extensions.h: src/win32/WIN32-Includes/mysql/my_list.h: src/win32/WIN32-Includes/WinPCAP/ip6_misc.dsp: Updated to use WinPCAP 3.h: src/win32/WIN32-Includes/mysql/mysqld_error.h: src/win32/WIN32-Includes/WinPCAP/> * src/snort.h: src/win32/WIN32-Includes/WinPCAP/memory_t.1 and MySql client 4.h: src/win32/WIN32-Includes/WinPCAP/pthread.h: src/win32/WIN32-Includes/mysql/my_sys.* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * src/win32/WIN32-Includes/WinPCAP/Devioctl.h: src/win32/WIN32-Includes/mysql/my_getopt.h: src/win32/WIN32-Libraries/Packet.h: src/win32/WIN32-Includes/WinPCAP/normal_lookup.h: src/win32/WIN32-Includes/WinPCAP/time_calls.h: src/win32/WIN32-Includes/mysql/config-win.c: Mark -z option as to be deprecated.h: src/win32/WIN32-Includes/mysql/my_global. Preparation for Snort 2.def: src/win32/WIN32-Includes/mysql/libmysqld.13.h: src/win32/WIN32-Includes/WinPCAP/sched.h: src/win32/WIN32-Includes/WinPCAP/pcap-int.h: src/win32/WIN32-Includes/WinPCAP/pcap.h: src/win32/WIN32-Includes/mysql/Libmysql.h: src/win32/WIN32-Includes/WinPCAP/pcap-bpf.h: src/win32/WIN32-Includes/mysql/config-os2.h: src/win32/WIN32-Includes/WinPCAP/tme.h: src/win32/WIN32-Includes/mysql/mysql_time.h: src/win32/WIN32-Includes/WinPCAP/remote-ext. 
2005-09-14 Steven Sturges <ssturges@sourcefire.h: src/win32/WIN32-Includes/mysql/raid.h: src/win32/WIN32-Includes/mysql/mysql_embed.c: .h: src/win32/WIN32-Includes/WinPCAP/pcap-stdinc.lib: src/win32/WIN32-Prj/snort.h: src/win32/WIN32-Includes/mysql/mysql_version.h: src/win32/WIN32-Includes/mysql/my_dbug.h: src/win32/WIN32-Includes/WinPCAP/count_packets.h: src/win32/WIN32-Includes/mysql/mysql.h: src/win32/WIN32-Includes/mysql/dbug.h: src/win32/WIN32-Includes/mysql/my_pthread.h: src/win32/WIN32-Includes/mysql/my_alloc.h: src/win32/WIN32-Includes/WinPCAP/bucket_lookup.h: src/win32/WIN32-Includes/WinPCAP/Ntddpack.h: src/win32/WIN32-Includes/WinPCAP/Ntddndis.

* src/snort.c: Fix broken -T option. Thanks Andy Mullican for the fix.c: * configure. Update README to include info about new target-based policy.c: * etc/snort.c: * src/preprocessors/spp_portscan2.Fix issue with Teardrop alerts introduced with last update.frag3: Update to address Solaris reassembly Added patch for time stats from Bill Parker.c: Add deprecation warning. * src/snort. 2005-09-01 Steven Sturges <ssturges@sourcefire. multiple fragments with MoreFrags bit not set and added target based policies for windows and solaris (since they are actually different in .c: * src/decode. * src/snort. 2005-08-31 Steven Sturges <ssturges@sourcefire. Thanks David Bianco for pointing this out and Andy Mullican for the updates.c: Fix issue with Teardrop alerts.c: * src/decode. Enable with configure --enable-timestats. Thanks to Shaick for the patch.h: Fix snort decoder to correctly handle PPP over Ethernet decoding.c: * doc/> * src/preprocessors/spp_frag3. 2005-08-29 Steven Sturges <ssturges@sourcefire. Thanks Jason Ish for the patch (long time ago) and Chris Kuethe for reraising the issue.c: Resolve some issues with handling of overlap conditions. 2005-08-23 Steven Sturges <ssturges@sourcefire.h: Added decoder for IPEnc for Open BSD.sfportscan: Change ip_proto to ip for portscan configuration.conf: * doc/README. * src/preprocessors/spp_portscan. These will be deprecated in the next snort build.c: Allow snort to use usernames (-u) and groupnames (-g) that include> * src/snort.c: Fix for prelude initialization.c: Do not allow -T (test mode) & -D (daemonize)> * src/> * src/preprocessors/spp_sfportscan. Thanks Yoann Vandoorselaere for the update. Thanks Aristeu Gil Alves Jr for the pcap. * src/preprocessors/spp_frag3. * src/snort. * src/preprocessors/spp_frag3.c: * src/decode.c: * src/util. * src/output-plugins/spo_alert_prelude.

h: For content matches.h: Added data structure padding to fix issues with 64bit Solaris. start searching again in correct location instead of again at end of the currently found pattern. Thanks A Hernandez for the find.certain cases). * src/detection-plugins/sp_pattern_match.h: Use hex values for preprocessor bitmask constants instead of the decimal equivalent. when subsequent rule options fail.H: Updated Win32 to handle pflog patch. * src/preprocessors/stream.c: Fix problem in sniffer mode when incomplete TCP option data is received.c: src/preprocessors/perf-base. Don't try to initialize Prelude support when 'output alert_prelude' is not specified.h: src/plugbase.c: src/> * src/output-plugins/spo_alert_prelude. make the arguments parser more robust and less fault tolerant. Wrapped alerts for same src/dst and loopback in mode==IDS & decoder alert checks.c: src/preprocessors/spp_perfmonitor. * src/detection-plugins/sp_byte_jump. 2005-08-15 Steven Sturges <ssturges@sourcefire.h: src/preprocessors/snort_httpinspect. ports will be logged (even though they may be invalid). 2005-08-15 Steven Sturges <ssturges@sourcefire. Fixes potential issue on 64-bit architectures. * src/> * src/decode.c: * etc/snort. Thanks Yoann Vandoorselaere for the updates.c: Code/compiler warning cleanup.c: Set the source & dest ports used for logging before doing checksum verification.c: src/sfutil/mpse. If invalid checksum.c: * src/win32/WIN32-Includes/NETINET/IN_SYSTM.c: src/preprocessors/xlink2state.c: * src/detection-plugins/sp_pattern_match.h: src/preprocessors/perf.c: src/preprocessors/spp_xlink2state.c: Allow for signed offset values to handle negative offset in rules.c: src/preprocessors/str_search. Correct parsing of IDMEF severity mapping. * src/decode. Removed deprecated documentation from the conf file.c: src/sfutil/asn1. .conf: Fix GCC4 warning. * src/plugbase.c: * src/detection-plugins/sp_byte_check. 
* src/preprocessors/perf-base.c:
* src/preprocessors/spp_frag2.

com> * src/preprocessors/HttpInspect/client/Makefile.h: Changed Snort version number * src/detection-plugins/> * etc/snort.conf: Changed snort.c: Fix parsing problem in the flush_behavior config directive * etc/snort.c: Fixed error message for replace 2005-07-22 mfr <roesch@sourcefire.c: Added support for new OpenBSD pflog format.conf to reflect flush_behavior changes 2005-07-24 mfr <roesch@sourcefire. * src/decode.h: * src/snort.* src/preprocessors/spp_stream4. OpenBSD 3.spec: Fix epoch inclusion for RPM generation 2005-07-29 Steven Sturges <ssturges@sourcefire. Thanks Erik de Castro Lopo for the> * src/preprocessors/spp_stream4. Thanks Andrew Rucker Jones for identifying the issue.conf: Turn perfmonitor off by default 2005-07-22 Steven Sturges <> * src/preprocessors/ * src/preprocessors/HttpInspect/event_output/Makefile. * src/decode. is still supported.3 and earlier.c: Added statistics counter for ETH_LOOPBACK packets.c: Fixed debug prints for new flush behavior changes. Thanks Breno Leitao and Christian Reis for the patch.c: Added checks to ensure some syntax correctness for content rules. and 'random' 2005-07-22 Steven Sturges <> * rpm/snort. New behaviors names are 'default'. * src/detection-plugins/ More cleanup .h: Fixed problem on Solaris when reassembling at exit.c: * src/decode. Thanks rmkml for the patch. 2005-07-27 mfr <> * src/win32/WIN32-Includes/config.c: * src/preprocessors/stream. 2005-07-29 mfr <> * src/preprocessors/spp_stream4.c: * src/decode.c: * src/preprocessors/snort_stream4_session.h: * src/util. Older pflog format. 'large_window'.c: Changed flush_behavior to use names instead of numeric value.

com> * src/preprocessors/ * src/preprocessors/HttpInspect/session_inspection/> 2005-07-20 Steven Sturges < * doc/Makefile.2005-07-22 mfr <roesch@sourcefire.spec: * rpm/generate-all-rpms: Setup for Updated for * src/preprocessors/HttpInspect/server/> * autojunk.4. * src/preprocessors/ * src/preprocessors/HttpInspect/user_interface/Makefile. From Jeff Nathan <jeff@snort. * src/plugbase.h: Provided ability to use 2 sets of static flushpoints as well as random flushpoints for * src/preprocessors/HttpInspect/normalization/Makefile.conf: Updated Added maintainer mode call to prevent endless configure reruns.c: Improved file handling of perfmon stats file * Makefile. Thanks Jason Brvenik for the patch. patch from Jeff Nathan < Remove references to files in other directories 2005-07-22 mfr <roesch@sourcefire.h: .c: * src/preprocessors/perf.h: Bump build number 2005-07-21 mfr <> * rpm/snort.0> *> * rpm/snort.c: * src/preprocessors/stream. removed inline build option from RPM generation for the time being * * src/preprocessors/HttpInspect/utils/Makefile.4 release 2005-07-20 mfr <roesch@sourcefire.c: * src/ * src/preprocessors/HttpInspect/mode_inspection/Makefile.4.conf for 2.spec: Fixup the spec file to reflect new method of rules distribution 2005-07-22 mfr < Added --copy switch to automake call.0 release to remove references to sig docs and rules. which are now external to the distro * etc/ Fix PostgreSQL support 2005-07-21 mfr <> * src/> *> * src/preprocessors/HttpInspect/anomaly_detection/Makefile.

* * * * * src/preprocessors/snort_stream4_session.c: src/snort. Thanks Andrew Mullican for the patch.c: * src/preprocessors/perf-base.c: * src/output-plugins/spo_alert_prelude. * src/sfutil/mwm.c: Use singal to rollover perf stats file without having to restart snort.h: src/preprocessors/ Added PostgreSQL fixes and exit code patch from Javier Fernandez-Sanguino Pena <jfs@computer.h: * src/preprocessors/spp_frag3. Also added stats fields to Perfmon for Frag3.) 2005-07-11 Steven Sturges <ssturges@sourcefire.c: * src/output-plugins/spo_alert_prelude.c: Small fix for normalization of subnegotiation> * doc/BUGS: Updated BUGS file for 2.c: src/snort.c: src/> 2005-07-18 mfr <roesch@sourcefire. * src/snort.h: src/preprocessors/spp_perfmonitor.h: Added code to process unflushed Streams at snort exit and when stream is purged from cache because of memory issues.c: Fix to handle multiple instances (different case) of the same pattern when the matching one occurs later than the others.h: Fix to handle heartbeat and pthread issues with> * doc/README: Updated the README file to reflect the current version of Snort and command line switches that are available (and the ones that no longer are available as well.c: Fixed log message. * configure.. * * * * * src/snort.c: src/preprocessors/spp_stream4. * src/preprocessors/perf-base. * src/log. 2005-07-19 mfr <roesch@sourcefire.c: Convert ICMP Router Advertisement time to host byte order before printing.c: Performance update for Frag3.4 release.c: src/preprocessors/perf. * src/preprocessors/spp_telnet_negotiation.c: .h: src/preprocessors/> * src/detection-plugins/sp_byte_jump. Thanks Yoann Vandoorselaere for the patch. * src/sfutil/mwm.

com> * src/preprocessors/xlink2state. .255 for rules (ssturges).c: Increase limit on number of rule options to 256 (was 64).previously. * src/preprocessors/spp_frag3.c: * src/decode. extra options were> * src/preprocessors/spp_perfmonitor.c: Fixed problem with parsing IP addresses of 255. 2005-05-19 Jeremy Hewlett <jh@snort.c: Fixed potential memory corruption (ssturges).c: Handle case when Packet pointer is NULL for Portscan alerts.c: Allow -T flag when MUST_SPECIFY_DEVICE is enabled (mnorton). 2005-05-18 Jeremy Hewlett <jh@snort.c: Fixed misprinted filename (mnorton). from 1024.255.* src/preprocessor/> * src/output-plugins/spo_alert_prelude.c: Provide additional reliabilty for NT_SPECIAL_OUTPUT.c: Fixed processing of fragmented UDP> * src/parser. Report error if limit is reached -. 2005-06-10 Jeremy Hewlett <> * src/parser/IpAddrSet.c: Added processing of IP Options in fragmented packets (ssturges).c: Data initialization fixes. Thanks Brice Cotte for getting us discussing this topic.c: Bugfix for PowerPC architecture.255. * src/snort. * src/output-plugins/spo_unified. 2005-05-20 Jeremy Hewlett <jh@snort.h: src/preprocessors/> * * * * src/decode.c: src/generators. Thanks Joel Esler for the fix. 2005-05-09 Jeremy Hewlett <jh@snort. Thanks Yoann Vandoorselaere for the patch. 2005-05-09 Andrew Mullican <amullican@sourcefire. Thanks Eric Lauzon for the fix. * src/output-plugins/spo_database. Also increased max line length to 4096 chars.c: * src/preprocessor/HttpInspect/normalization/hi_norm.h: src/decode. * src/preprocessors/snort_stream4_session.c: Update for Oracle output.

.c: Updated to better match true on the wire and user data values (Marc Norton).com> * src/ configure. * * * * * * * * * * autojunk.c: src/preprocessors/ src/output-plugins/ src/plugbase.h: Remove unused functions str2s. enable with --enable-prelude.c: Added check for MUST_SPECIFY_DEVICE #ifdef.h: src/plugbase.h: src/preprocessors/spp_xlink2state. Thanks Yoann Vandoorselaere! 2005-04-26 Jeremy Hewlett <jh@sourcefire.conf: m4/libprelude.c: src/output-plugins/Makefile.c: * src/plugbase. * src/ src/preprocessors/spp_stream4.c: src/preprocessors/xlink2state.c: Fixed Snort not resolving hostnames that start with a numeric and also parsing of invalid CIDR blocks (Daniel Cid). If not used.c: src/output-plugins/spo_alert_prelude. which if used. Thanks Jeff Nathan for pointing this out.h: src/preprocessors/str_search.c: File descriptor clean up from Will Metcalf. * src/preprocessors/spp_rpc_decode. and int2s (Andy Mullican).com> * src/parser/IpAddrSet. * src/inline.c: src/preprocessors/stream4.c: src/preprocessors/str_search.2005-05-05 Jeremy Hewlett <jh@sourcefire. 2005-04-28 Jeremy Hewlett <jh@sourcefire.c: Ignore multiple rpc requests if in a rebuilt packet (Thanks Andy Mullican).m4: m4/Makefile.c: src/preprocessors/ src/ Makefile. current behavior remains (Marc Norton). 2005-04-22 Andrew Mullican <> * * * * * * * * * * * * etc/gen-msg.h: src/preprocessors/ etc/snort.h: Added support for prelude.h: Added xlink2state mini-preprocessor to catch MS Exchange buffer X-Link2State data> * src/preprocessors/perf-base. requires either a -i or -r commandline switch to start snort. hex2s.

Can be used when running multiple instances of snort.c: Fixed error messages in byte_jump & byte_test rule options (Marc Norton). It is now being done before the 'align' option.c: Added a -G flag that specifies an instance identifier for the event logs.c: src/ src/preprocessors/snort_stream4_session.c: Added -Z flag to set full path name to PerfMonitor stats file. Also added limit to number of active sessions for Stream4.h: src/preprocessors/spp_stream4. Thanks Kevin Douglas for finding this and Andrew Mullican for the> * * * * * * * src/detect.c: src/output-plugins/spo_unified.conf: Performance Improvements to Flow & Stream4 session management.2005-04-11 Jeremy Hewlett <jh@sourcefire.h: etc/snort.c: src/preprocessors/snort_stream4_session.h: * src/detect.c: src/log.conf (Steve Sturges). * detection_plugins/sp_byte_jump. Old memcap value now only applies to packets stored for reassembly.c: * src/preprocessor/spp_perfmonitor.c: Fix to remove unnecessary ICMP echo extension.h: * src/output-plugins/spo_csv. 2005-04-05 Jeremy Hewlett <jh@sourcefire. either on different CPUs or on same CPU but different interface.c: .c: src/snort.c: src/preprocessors/stream4. This will override the file or snortfile configuration option (Marc Norton). Each snort instance will use the value specified to generate unique event ids. This helps with rules that look at SMB traffic (Steve Sturges).h: src/tag. * src/decode.c: src/sfutil/sfxhash.c: * src/output-plugins/> * src/detection-plugins/sp_byte_check.h: src/sfutil/sfxhash. default of 8192. and update output plugins to use ICMP header info. Configure using preprocessor stream4: max_sessions 16384 in snort. * src/decode.c: * src/detection-plugins/sp_byte_jump. Can specify either a decimal value (-G 1) or hex value preceeded by 0x (-G 0x11).h: * src/snort.c: Fixed issue with 'multiplier' option.c: src/snort. * src/preprocessor/spp_perfmonitor. Thanks Steve Sturges. 
* src/preprocessors/flow/flow_cache.c:
* src/preprocessors/Makefile.

thanks Steve Sturges.c: Added detail to config error messages for thresholding. 2005-03-15 Jeremy Hewlett <jh@sourcefire. General clean up of spec file. * rpm/snort.c: * src/preprocessors/> * src/preprocessors/spp_sfportscan.c: src/preprocessors/spp_sfportscan.c: Added packet dump (debug only) to> * src/output-plugins/spo_alert_syslog. Thanks Steve Sturges.logrotate: Added schemas to distro. Thanks Steve Sturges.* src/preprocessors/spp_stream4.c: * src/> * * * * * src/decode. Thanks Sandro Poppi for the fix. * src/preprocessors/spp_stream4.c: Add snort's PID to syslog.c: Code Cleanup (general).org. Thanks Steve Sturges & Marc Norton * src/plugbase.c: src/parser/IpAddrSet.c: Additional fixes for suppression issue with sfPortscan and Open Ports. 2005-03-25 Jeremy Hewlett <jh@sourcefire. this option limits rule-inspection of server traffic to the set number of bytes (in 1 or more packets) until another client request is seen. Thanks Andy Mullican. * src/sfthreshold.spec: * rpm/snort.h: src/detection-plugins/sp_flowbits.c: Fix issue generating ascii strings. * * * * src/fpdetect. 2005-03-25 Jeremy Hewlett <jh@sourcefire. Patch from Andy Mullican.h: * etc/snort. Thanks Josh Kelley for pointing this> * src/preprocessors/spp_sfportscan. Fix for packets logged with bogus ip lengths (related to Open Port alerts). * src/preprocessors/spp_frag3. and 'sharedscripts' to logrotate.c: Added to default ports in Stream4 and cleaned up Stream4 configuration processing. 2005-04-01 Jeremy Hewlett <jh@sourcefire.h: src/preprocessors/spp_frag3. Patch from Steve Sturges.conf: Add option to Stream4 to limit server-side inspection for improved performance.c: src/parser/IpAddrSet.c: etc/generators: .c: Fixed suppression issue with sfPortscan and Open Ports. Patch from Steve Sturges. Similar to HttpInspect's flow-depth.c: src/plugbase.

c: src/detection-plugins/sp_ftpbounce.c: src/decode. Patch from Andy Mullican and Steve Added handling of midstream sessions in portscan preprocessors. NULL TCP Flags in established etc/snort.h: src/preprocessors/spp_stream4.Handle PAWS.sfportscan: etc/generators: etc/gen-msg.h: src/fpdetect. but do not inspect other fragmented packets (until rebuilt).h: etc/gen-msg. Thanks Marc Norton for the feature.c: src/preprocessors/stream.c: * src/generators. limit overlaps in established session.h: src/snort. Performance changes for cleaning up session cache.c: src/preprocessors/stream.c: doc/README. 2) Printing of Configuration Info 3) Code readability * src/parser. Thanks * * * * * * * * * * * * * * . * src/decode. * src/fpcreate.c: src/preprocessors/ src/plugbase.h: Eliminate duplicate alerts on Rebuilt Streams/IP reassembled packets.1. update ACK when server sends RST.c: src/detection-plugins/sp_ftpbounce.3.Updates/Fixes to Frag3 IP reassembler (thanks ssturges): 1) Push first fragmented UDP packet through. src/generators.h: src/ubi_BinTree.c: src/snort. This obsoletes sids 527.c: Increased Flowbits hash table size.c: src/preprocessors/sfportscan.c: src/preprocessors/spp_frag3. * * * * * * * * * * src/decode.conf: Stream4 fixes .c: src/ubi_BinTree.h: Added support for detection of Lookback & Same src/dest attacks in the packet decoder. Thanks Andy Mullican. Thanks Steve Sturges. src/preprocessors/portscan.h: src/preprocessors/spp_stream4. * src/detection-plugins/sp_flowbits.c: Performance improvement in pattern matcher from Marc Norton. * * * * src/detection-plugins/Makefile.c: src/preprocessors/spp_frag2. 528.c: Removal of comment parsing code added for 2.h: src/ubi_SplayTree.h: Added FTP Bounce detection Plugin.c: src/ubi_SplayTree. Thanks Marc Norton.

c: Fixed compiler warnings and code formatting (tabs to spaces). Thanks Steve Sturges.c: Fixed telnet decoder bug when ignoring Sub-negotiation end command.c: src/preprocessors/HttpInspect/utils/hi_util_kmap. 1 server) so that some alerts can be> * src/> * src/preprocessors/spp_flow. * src/preprocessors/perf-base.c: src/sfthreshold. 2005-03-08 Jeremy Hewlett <jh@sourcefire.c: * src/plugbase.h: . Thanks Andy Mullican for the fix.http_inspect: Added uri_tab_delimiter option to HttpInspect.c: src/preprocessors/spp_sfportscan.c: * src/detection-plugins/sp_flowbits. 2005-01-18 Steven Sturges <ssturges@sourcefire.c: src/preprocessors/portscan.h: src/preprocessors/HttpInspect/user_interface/hi_ui_config. Patch from Andy Mullican. Thanks Senthil Prabu.h: src/preprocessors/spp_rpc_decode. 2005-01-28 Jeremy Hewlett <jh@sourcefire.c: Added 2 BackOrifice alerts (1 client.c: src/preprocessors/portscan.c: Fixed parsing of comments at end of line in config file. 2005-01-20 Andrew Mullican <amullican@sourcefire.c: Fixed alignment issue causing sfPortscan to crash on Solaris/> * src/generators. anything that follows a # on a line is considered a comment.c: src/preprocessors/snort_httpinspect.c: doc/README. In snort.h: * src/preprocessors/> * src/preprocessors/> * * * * * * * * * src/decode.Steve Sturges and Andy Mullican for the patches.c: Increased number of flowbits (mnorton) 2005-03-08 Steven Sturges <ssturges@sourcefire.c: src/decode. * * * * src/preprocessors/HttpInspect/include/hi_ui_config. Thanks Steve Sturges.S and Jonathan Miner for working with us on this. * src/preprocessors/spp_telnet_negotiation.h: src/output-plugins/> * src/parser. 2005-03-04 Jeremy Hewlett <jh@sourcefire.c: Updates to PerfMon to handle multiple CPUs properly.

c: Performance fixes to get correct 'on-the-wire'> * src/preprocessors/spp_sfportscan.c: Fixed parsing of frag3 options to use space delimited options to handle IP address lists correctly. Syntax in snort.c: src/preprocessors/snort_httpinspect.c: src/preprocessors/> .conf: Updated example options for frag3 2005-01-13 Marc Norton <> * * * * * * * * * * * src/inline. 2004-12-23 Steven Sturges <ssturges@sourcefire.* * * * * src/preprocessors/snort_httpinspect.c: Fixes to Frag3 to only have one instance of preprocessor.c: src/snort. Added 'atexitonly' option for perfmonitor that results in performance stats only being dumped when snort> * src/decode.h: * src/parser. 2005-01-13 Steven Sturges <ssturges@sourcefire. * src/preprocessors/spp_frag3.c: Added ability to ignore packets based on port.h: src/preprocessors/spp_frag3.c: src/snort.c: src/preprocessors/spp_frag2.c: src/snort. each Frag3 Policy would result in a separate preprocessor instance. 2005-01-18 Andrew Mullican <amullican@sourcefire.c: src/preprocessors/spp_perfmonitor. Also fixed use of ttl_limit option. 2005-01-17 Steven Sturges <ssturges@sourcefire.h: src/preprocessors/> * src/preprocessors/spp_frag3. Previously.c: src/preprocessors/perf-base.c: Fixed arithmetic to correctly set the ip packet length in the ip header prior to writing the portscan info to the packet. rather than periodically throughout snort's lifetime.c: Change to verify that preprocessors have sufficient configuration data to correctly operate. Uses policy context internally based on destination address of packet.h: src/preprocessors/sfprocpidstats.h: src/util. Thanks Jon Hart for the test case and finding the bug.conf is config ignore_ports: <tcp udp> <list of ports separated by whitespace> where list of ports can also include port ranges (ports separated by :).c: src/preprocessors/spp_httpinspect.c: src/preprocessors/spp_frag3. * etc/snort.c: * src/decode.

c: . In ARPspoofHostInit() fixed a problem where the list of configured IP/MAC entries would contain only one entry and leaked memory. * src/snort.c: src/preprocessors/spp_stream4.http_inspect: Updated documentation on flow_depth and HTTP headers per conversations with Joe> * doc/README.c: Fixed xatou function to check for non-digit parameter.c: src/> * * * * src/decode.0 RC2. Thanks Gisle Vanem for the patch! 2004-12-17 Jeremy Hewlett <jh@sourcefire.c: src/sfthreshold. In DetectARPattacks() made a small performance improvement by eliminating a copy of the ARP source protocol (IP) address (Jeff Nathan).c: src/preprocessors/snort_httpinspect.c: Added variable names to function prototypes and made cosmetic changes to debug messages.c: src/detection-plugins/sp_byte_jump.c: src/parser. Thanks Sekure for pointing out the problem with thresholding. * src/> * src/preprocessors/spp_arpspoof.h: src/win32/WIN32-Includes/syslog.c: src/preprocessors/perf-base.3.c: src/sfutil/> * src/decode.h: src/win32/WIN32-Includes/stdint.h: * src/snort. where single lines were broken up when sent to syslog.c: src/snort.c: src/preprocessors/spp_sfportscan.h: Fixed problem with logging that appeared in Snort 2. Thanks Allan Jensen for reporting this and working with us on the fix (Roelker).c: src/plugbase.c: src/preprocessors/spp_conversation. Thanks Joe! 2004-12-09 Jeremy Hewlett <jh@sourcefire. 2004-12-14 Jeremy Hewlett <jh@sourcefire.h: src/win32/WIN32-Includes/config.h: src/sfutil/Makefile.h: Reduces the number of warning on MingW/gcc.c: src/util.* * * * * * * * * * * * * * * * * src/detect. Thanks nnposter for submitting a patch! 2004-12-20 Jeremy Hewlett <jh@sourcefire.c: Fixed issue with snort not properly decoding ppp links on MacOS X.c: src/detection-plugins/ src/sfutil/sfsnprintfappend.

Defined globals in source.* src/> * src/detection-plugins/sp_pcre.h: * src/snort. Thanks for the report.c: Added from_beginning and multiplier options for byte_jump.h: If the 'Q' option (inline) is set.h: * src/log. instead of from the location immediately following the number of bytes to skip. so the logdir config will work command-line logdir does not exist on the the function name now parsing snort. from_beginning skips bytes from the beginning of the content.conf (for if the default or system. 2004-12-08 Daniel Roelker <djr@sourcefire. 2004-11-18 Steve Sturges <ssturges@sourcefire.c: src/> * src/preprocessors/spp_telnet_negotiation. set a global variable that can be used externally.c: src/detection-plugins/sp_pattern_match. Move CheckLogDir() to after IDS mode).c: src/snort. Thanks Brian . multiplier takes a numeric argument. now log only actual packet contents when UDP data length is greater than actual data length.c: Fixed issues with how telnet options are handled.c: src/parser.h: src/fpdetect. 2004-11-19 Steven Sturges <ssturges@sourcefire. * src/preprocessors/snort_httpinspect.c: Fixed bug when setting the doe_ptr on a successful pcre match.c: src/snort.c: Update error message when IIS Unicode map file is not found. * src/util.c: src/detection-plugins/sp_pattern_match. It is now set relative to base_ptr.c: Change SanityChecks() to CheckLogDir() so makes sense. * src/detection-plugins/> * * * * * * * * src/detect. and skips x times that number of bytes. Sekure.c: Fixed a problem affecting MacOS X where linking may fail with non-standard libraries when global symbols are encountered multiple> * src/detect. 2004-11-04 Andrew Mullican <amullican@sourcefire.c: Ignore RST ACK midstream pickup case so we don't get an evasive TCP alert. Removed duplicate globals and externed globals in headers.c: * src/util.c: * src/detect. Made sure frag2 is only linked once (Jeff Nathan).c: In "fast" output. * src/preprocessors/spp_stream4.

Caswell for spotting this. 2004-11-04 Andrew Mullican <amullican@sourcefire.c: src/preprocessors/perf.c: Fix false positives that were occurring on some events.c: * src/preprocessors/snort_httpinspect. Thanks Jeremy Hewlett for catching this one. Also made unified logging compatible with Windows. * src/preprocessors/HttpInspect/session_inspection/hi_si.c: Better support for 64bit Snort (mnorton). Thanks Markus Waldeck. mnorton).h: src/preprocessors/perf.c: Fixes for compilation on 64-bit Solaris. * src/detection-plugins/sp_rpc_check. Incremented event ID to give unique ID for each packet. Caused some false positives if the oversize directory length was set to small numbers. Still are some memory alignment issues to work out before 64bit mode is fully functional. Thanks to Vjay Larosa for the report.c: * src/preprocessors/> * configure. Patches are welcomed.c: Compilation fix for AIX. Thanks Scott Dexter and Andreas Ostling for doing some initial testing.h: perfmonitor config line can now be configured with accumulate or reset. Snort 2_3 branch compiles cleanly (jhewlett.c: Fixed reference times to match log time for first Added --enable-64bit-gcc to set up the build environment for 64bit (tested only on Solaris9).c: .c: src/preprocessors/perf-base. Thanks Barry Basselgia for pointing out the issue.c: Don't include the version string length as part of the directory length. Thanks Chris Baker for doing 64bit Changed linking order of libmysqlclient. (mnorton). 2004-10-21 Daniel Roelker <droelker@sourcefire. 2004-11-02 Jeremy Hewlett <> * configure. * src/sfutil/sfmemcap.c: * src/sfutil/acsmx2. * src/preprocessors/> * src/preprocessors/HttpInspect/client/> * src/output-plugins/spo_unified. * * * * * src/preprocessors/spp_perfmonitor. Should be a few more changes coming shortly. * src/plugbase. 2004-11-04 Jeremy Hewlett <jh@sourcefire. for an event generated by a reassembled packet.c: src/preprocessors/perf-base.

Thanks to Dennis George for submitting fix. Thanks to everyone that reported this bug. Thanks to Alex Butcher for reporting it to us.c: Fix divide by zero bug in TimeStats() 2004-10-05 Daniel Roelker <droelker@sourcefire. Thanks to Petr Kurtin for pointing out this bug.* src/preprocessors/sfprocpidstats.c: Fix content option modifiers so that they check the option specified and not offset. Thanks to #snort and SGUIL guys for their comments and feedback.c: Fix TCP/IP options print bug that was found by Marcin Zgorecki.c: Reformatted output printing for flowcache_stats() function .6 kernel. * src/preprocessors/spp_stream4. 2004-10-04 Daniel Roelker <droelker@sourcefire.c: Move portscan initialization into preprocessors.h: * src/generators. thanks to David Lowless for his portscan testing in the UK.h: New target-based IP defragmenter for Snort. generation.c: Inspect invalid TCP initiators that stream4 doesn't track for portscans.c: Fix linux perfmonitoring stats for the 2.h: Add an enforce_state keyword to stream4 so we won't pick up midstream sessions. 2004-10-04 mfr <roesch@sourcefire. not plugins.c: * src/preprocessor/spp_frag3. * src/parser/IpAddrSet. * src/detection-plugins/sp_pattern_match. * preprocessors/portscan.c: Added functions for improved set parsing.c: * src/preprocessors/stream.h: * src/parser/> * src/> * src/decode. Log open ports on TCP portsweeps when we> * src/parser. This works well for asynchronous links and also for just monitoring legitimate traffic. Also. 2004-10-13 Daniel Roelker <droelker@sourcefire. 2004-10-11 mfr <roesch@sourcefire. finding * src/preprocessors/flow/flow_cache.c: Fix suppression/thresholding bug for non-rule alerts.c: * src/plugbase.h: * src/> * src/> * src/preprocessor/spp_frag3.c: Fix bug in preprocessor error statement that referenced freed memory. * src/plugbase.

c: Fix tagging issue that would tag rebuilt TCP streams.c: src/preprocessor/spp_portscan.c: Exposed sfxhash_free_node() function as a public function * src/util.c: Added a couple a list node delete and add function for the current ptr * src/sfutil/sfxhash.h: Wrap sp_react in #ifdef tests so it can be enabled concurrently with sp_respond2 (Jeff Nathan).c: * src/> * src/detect. * src/detection_plugins/> * src/> * src/detection_plugins/sp_react. * src/event_queue. 2004-09-13 Jeremy Hewlett <jh@sourcefire. Thanks Jeremy Hewlett and Daniel Cid for finding this bug.c: Added context pointer handling to PreprocessorFunctionNode calls * src/sfutil/sflsq.h: * src/sfutil/sflsq.c: src/preprocessor/spp_httpinspect.c: Thresholded drop/sdrop rules should still drop the packet. Thanks Jeremy Hewlett and Daniel Cid for finding this bug.c: src/preprocessor/spp_flow.c: src/preprocessor/spp_conversation.c: src/preprocessor/spp_telnet_negotiation.c: src/preprocessor/spp_stream4.h: Only flush a TCP stream on rule alerts and not on preprocessor alerts.c: src/preprocessor/spp_perfmonitor.c: Fix ts_print to work correctly for localtime logging.c: * src/event_queue.h: Wrap sp_respond in #ifdef tests so it is mutually exclusive of .c: src/preprocessor/spp_bo.* * * * * * * * * * * * src/preprocessor/spp_arpspoof. Thanks to Brian Starrfield for finding this bug.c: * src/detection_plugins/sp_react.h: * src/sfutil/sfxhash.c: src/preprocessor/spp_rpc_decode. but we just won't alert on them. 2004-09-17 Daniel Roelker <droelker@sourcefire.c: * src/detection_plugins/> run timing patch 2004-09-20 Daniel Roelker <droelker@sourcefire.c: src/preprocessor/spp_frag2.c: src/preprocessor/spp_stream4.c: Added a modified version of Bill Parker's <dogbert@netnevada. * src/fpdetect. which for most output plugins this means we just relog the packets that we've already logged.

Thanks to William Metcalf and Victor Julien for this feature.c: src/detection_plugins/sp_respond2. so if any wants to try let me doc/Makefile.c: src/snort. * src/preprocessors/ doc/README.h: src/parser. If the user wants the> * src/decode. so as not to be DOS'd by stick/snot attacks.h: Import version 2 of the flexible response system written by Jeff Nathan 2004-09-08 Daniel Roelker <droelker@sourcefire. 2004-09-07 Daniel Roelker <droelker@sourcefire. We silently drop the packet. Thanks to William Metcalf and Victor Julien for this patch.c: Fix conditions where snort would log double web alerts that contained only content options (no uricontents). This allows snort to do dynamic firewall rulesets. .h: * src/detection_plugins/sp_clientserver. which by default uses the interface specified by the ipq packet. you can also specify a src mac address so the sensor interface information is not apparent. so we will drop packets that are not part of an existing TCP session and are not valid TCP initiators. Thanks Will Metcalf and Victor Julien for the initial implementation.h: Make reject rule type work with linux bridging.c: Drop bad checksums if we're in inline mode and we're doing checksums. 2004-09-02 Daniel Roelker <droelker@sourcefire. Thanks to kawa for finding and reporting this bug. * doc/CREDITS: Updated CREDITS with some major SourceFire contributors that were not mentioned.FLEXRESP2: src/parser.c: Add inline state configuration for> * * * * * src/inline.c: * src/fpdetect. In addition.sp_respond2 (Jeff Nathan). * src/rules.c: src/inline.c: src/snort. Added config option 'layer2resets'.com> * src/ src/detection_plugins/sp_respond2.c: * src/preprocessors/spp_stream4. then add in the stream4 configuration of 'midstream_drop_alerts'. Experimental for now.c: src/snort. * * * * * * * * configure.h: src/detection_plugins/Makefile. 
Add functionality for drop/sdrop rules that will still drop a packet if the rule specifies "flow: established".c: Add not_established keyword to the flow detection option.

c: Add more comments and make portscan detail printouts more readable.c: When we pick up TCP sessions in midstream. whereas before these packets were just being passed through because flow: established was not valid. Performance enhancement for some sites. (Roelker) 2004-08-11 Daniel Roelker <> * src/sfutil/sfmemcap.c: Fix 64-bit bug found and tested by Ryan Matteson (matty91@bellsouth. 2004-08-20 Daniel Roelker <droelker@sourcefire. then we assume it's established. * src/util.c: * src/> * src/inline.c: Make inline alerts work with unified output. (Roelker) * src/decode.c: Ignore replace rule options when snort isn't in GIDS mode. * src/preprocessors/portscan.c: Log an error when the user tries to setuid/gid and snort is being run in inline.h: * src/detect. don't use stream4 direction to tell us how to inspect client and server traffic. 2004-08-13 Daniel Roelker <droelker@sourcefire. than the flow: established check will also look to see if the TCP stream was picked up in midstream. Thanks Matt Brannigan for finding this> * src/fpdetect.h: Set a packet_flag for drop alerts.c: Added ASCII pig (thanks Dug Song) and snort team to snort initialization printout. This lets the output plugins know that we just dropped the packet that we> * src/util. * src/preprocessors/spp_stream4. Thanks guys. * src/output-plugins/spo_log_tcpdump. Thanks to Dagobert Kellner for the> * src/util.2004-08-31 Daniel Roelker < and Clay McClure (clay@daemons.c: If InlineMode() is set. 2004-08-19 Daniel Roelker < This also blocks packets that are generated by stick/snot type attacks.c: * src/preprocessors/snort_httpinspect. 2004-08-27 Daniel Roelker <droelker@sourcefire.c: Check to make sure we have a pointer before we reference a structure .c: Make ts_print work correctly with> * src/detection-plugins/sp_pattern_match. Thanks for the help in unified format Andrew Baker. If it was.

element.

2004-08-05 Daniel Roelker <>

    * src/log.c:
    * src/detect.c: Make tagging work for more than 1 second. (Daniel Roelker)

    * src/detect.c:
    * src/fpdetect.c: Get thresholding/suppression to work for alerts that do not contain an iph header (primarily decode alerts). Thanks Brian Caswell.

2004-08-04 Daniel Roelker <>

    * src/snort.c: Fix inline printf's during initialize. Also fix return code on invalid input for startup. This helps scripts so it returns an error if the command line arguments in the script are wrong. Thank you Matt Brannigan for this fix.

2004-07-28 Daniel Roelker <>

    * Added --include-pcre* configuration option to help cross compiling. Thanks Erik de Castro Lopo.

    * src/event_queue.c: Fix bug in multi-event logging when thresholding/suppression was enabled for events in the queue. Thanks once again to Andreas Ostling.

    * src/output-plugins/spo_log_tcpdump.c: When a rebuilt stream causes an alert, log out the original packets instead of the rebuilt packet. Thanks Marty Roesch.

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: Turn off some alerts in the profile that were causing false positives.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c: Turn off encoding alerts in HTTP parameter field. The parameter field is still normalized, it just doesn't alert. This helps reduce alerts that are generated from complex parameter queries.

2004-07-08 Daniel Roelker <>

    * etc/
    * src/generators.h:
    * src/plugbase.c:
    * src/decode.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_sfportscan.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/flow/flow.h: Added new portscan detector. We now detect tcp, udp, icmp, and ip protocol scans, along with the following scan types (using nmap terminology): portscan, decoy portscan, portsweep, and distributed portscan. The initial version will have three sensitivity levels, so if you want to change values manually go to portscan.c and change the values there. I don't want to confuse people out of the gate with lots of value configurations, so try these preset levels and give us feedback. (Daniel Roelker)

2004-07-06 Daniel Roelker <>

    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/detect.h:
    * src/fpdetect.c:
    * src/inline.c:
    * src/inline.h:
    * src/mstring.c:
    * src/parser.c:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/output-plugins/spo_database.c:
    * src/preprocessors/spp_stream4.c: Added IPS functionality from snort_inline. Thanks everyone that was involved in that project. For more info, go check out

    * src/log.c: Fixed memory leak in "fast" output. Thanks for your bug report

2004-06-22 Chris Reid <>

    * src/snort.c: Clear error code which under Windows was causing a subsequent false failure in parsing threshold rules. (thanks to Rich Adamson)

2004-06-16 Daniel Roelker <>

    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1.h:
    * src/debug.h:
    * src/snort.c: Added ASN.1 parsing and detection functionality to snort. Please refer to README.asn1 for more information on rule usage. (Roelker)

    * src/parser.c: Added parsing check from Andreas Ostling so that users don't assume that destination port lists are allowed because no error is given.

    * src/preprocessors/spp_stream4.c: Fixed rebuilt TCP packet munging reported by Steve Halligan. Thanks a lot for getting this problem down to pcap so we could analyze the problem.

    * src/detect.c:
    * src/event_queue.c:
    * src/log.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfutil/sfeventq.c: Improve TCP reassembly flushing for TCP streams that have already generated an alert. This was illustrated by Brian Bailey in his SANS GIAC practical examination. Thanks for working with us on this one.

2004-05-06 Daniel Roelker <>

    * src/detection-plugins/sp_pattern_match.c: Fixed rule read up error when parsing hexmode content options. Thanks for pointing it out Marty. (Roelker)

    * src/preprocessors/spp_stream4.c: Fixed null pointer dereference when detect_scans were enabled and creating a new session that had funky flags. Thanks to Chad Kreimendahl for reporting the bug and testing the fix. (Roelker)

    * src/snort.h: at build 28

2004-04-22 Daniel Roelker <>

    * src/decode.c:
    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/parser.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/signature.c:
    * src/signature.h:
    * src/snort.c: Added new event queueing algorithm, so Snort logs multiple events per packet/stream. The algorithm uses two ordering methods: priority and content length. (Roelker)

    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h: New Aho-Corasick pattern matchers (Norton). Added content length tracking on otnx structures.

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/snort_httpinspect.c: Added webroot alert. This alert is generated when a URL directory traversal traverses past the webroot. Added new URI discovery technique pointed out by Kanatoko.

    * src/tag.c: Revert to old tagging behavior. Will add new functionality in a future version.

    * src/util.c: Changed Snort post-processing stats to unsigned so users won't get negative stats. Thanks to various people from the community for reporting this.

2004-03-22 Chris Reid <>

    * src/plugbase.c:
    * src/plugbase.h:
    * src/output-plugins/spo_database.c: Updated how current/utc times are calculated, as well as how they are formatted (thanks Marcus Janoski)

2004-03-18 mfr <>

    * src/sfutil/acsmx2.c: Fixed _toupper/_tolower calls on non-Win32 machines (again).

    * src/preprocessors/spp_stream4.c: Uncommented ssnptr set in BuildPacket() for Dan

2004-03-17 mfr <>

    * src/parser.c: Added FatalError() in ProcessIP if closing IP-list '[' isn't found

    * src/util.c: Revamped DropStats() function to use screen real estate more efficiently

    * src/event_wrapper.c: QueueEvent checks to see if we're in MODE_IDS before queuing events and ClearEventQueue() checks to make sure that the event_list has been initialized.

    * src/sfutil/acsmx2.c: Fixed _toupper/_tolower calls on non-Win32 machines.

    * src/sfutil/acsmx2.c: Fixed acsmx.h call to acsmx2.h.

    * doc/ Mark snort_manual.pdf for cleanup too.

2004-03-16 Jeremy Hewlett <>

c: src/event_wrapper. Thanks Yoann Vandoorselaere for pointing this out.c: Calculate dropped packets and received packets correctly.h: src/preprocessors/HttpInspect/include/hi_ui_config.memory usage reduced b * src/ src/preprocessors/spp_stream4.c: src/decode. 2004-03-15 Daniel Roelker <droelker@sourcefire. * * * * * * src/decode.c: src/preprocessors/HttpInspect/user_interface/hi_ui_config. * * * * * * src/output-plugins/spo_unified.h: src/preprocessors/ Thanks to Erik de Castro Lopo for removing warnings.c: src/preprocessors/HttpInspect/include/hi_eo_events.c: src/preprocessors/spp_stream4.D.c: src/sfutil/acsmx2.c: src/sfutil/acsmx2.h: src/snort.c: src/event_wrapper.h: Added new TCP state engine (Marty). 2004-03-08 Daniel Roelker <droelker@sourcefire.c: Added stream packet logging for unified output.c: Return value for fpEvalPacket and reset BITOP array on HTTP pipelines (Marty/Roelker).c: Added non-rfc chunk length encoding support.c: src/preprocessors/HttpInspect/event_output/hi_eo_log.h: src/preprocessors/HttpInspect/normalization/hi_norm. when alerting on .* * * * y 75%.c: New event queuing and logging for decoder and stream4 events (Marty).h: src/sfutil/Makefile. thanks for pointing it out New Aho-Corasick pattern matcher from Marc Norton . * * * * * * * * src/generators.h: src/detect.c: src/preprocessors/HttpInspect/client/hi_client_norm.h: src/preprocessors/HttpInspect/client/> * src/parser. * src/fpdetect. Moore.h: src/preprocessors/Makefile. and added webroot alert which alerts on webroot directory traversals (Roelker).com> * src/util. src/snort. src/debug.h: Build 26 2004-03-15 Jeremy Hewlett <> * configure.c: "config checksum_mode" now supports multiple arguments on one line instead of multiple lines.

com> * src/output-plugins/spo_csv.c: * src/plugbase.c: Additional fixes from Alan Milligan with CSV output. Bill Guyton.h: Cleaning up unsigned/signed warnings * src/snort.c: Removed escaping of '%' and '_' characters in MySQL (thanks Kristofer Karas). * doc/> * src/output-plugins/> * src/output-plugins/spo_database.rebuilt streams (Marty).h: * templates/sp_template.c: * templates/spp_template.bumping to 23 2004-02-17 Jeremy Hewlett <jh@sourcefire. 2004-02-25 Jeremy Hewlett <jh@sourcefire. thanks! * src/sfutil/bitop. * src/snort.tex: Doc updates for thresholding . * src/preprocessors/spp_conversation.h: Now on build 25. Thanks for the patch.c: Fixed conversation parsing faults so users can operate this preprocessor (Roelker).reid@codecraftconsultants. * src/snort_packet_header.c: .dstport properly." Thanks Drew Smith for pointing that out.h: Touched source code .c: Fixed minor problems with CSV output not printing out src.h: Added for future support (Marty).srcport.rule thresholds must contain a sid.8: Updated -T info to include where snort looks for "snort. dst. nnposter(at)users.h: * templates/spp_template.sourceforge. * src/detect. 2004-02-23 Jeremy Hewlett <> * templates/sp_template.conf.c: Changed some startup messages from printf to LogMessage to be more consistent.h: Now at build 22 2004-02-13 mfr <roesch@sourcefire. Good spot! * src/snort.h: Moving to build 24 2004-02-25 Chris Reid < * src/snort. Thanks for the> * snort.

.com> * Makefile. 2004-02-10 Jeremy Hewlett <jh@sourcefire.h: src/snort.h: src/ubi_SplayTree.a.Updated to match the current reality of Snort.h: * src/signature.c: src/preprocessors/flow/flow_cache. 2004-02-05 Jeremy Hewlett <jh@sourcefire.bitypes. Thanks for the report.h: src/parser.c: Fixed alert_once bug that was discovered by Kevin Amorin.c: src/plugbase.c: src/preprocessors/flow/flow_cache.c: src/ubi_BinTree. src/ Fixed tab vs space problem on Solaris. 2004-02-09 Jeremy Hewlett <jh@sourcefire. Thanks Brian Caswell for initial code prototype.c: src/detection-plugins/sp_flowbits. Thanks Hari Gopal and Darryl Cook for pointing out the problem and testing. Die.c: src/ubi_SplayTree. * * * * * .com> * * * * * * * * * * * * * src/decode.c: * src/preprocessors/flow/portscan/flowps_snort.h: src/ubi_BinTree.h: src/sfutil/bitop.tex: Various fixes pointed out by JP Vossen and Felipe Franciosi.h: * src/> * src/bounds. Chad Kreimendahl! 2004-02-05 Daniel Roelker <droelker@sourcefire. Thanks for pointing out the particulars of the problem. .com> * src/Makefile.h: src/preprocessors/flow/flow.c: src/preprocessors/spp_flow. which was causing problems for some trying to compile on Solaris without the default system tools (ie: the "ar" problem). 2004-01-30 Daniel Roelker <droelker@sourcefire.conf: * doc/snort_manual. * etc/snort.h: src/detection-plugins/> * src/preprocessors/flow/portscan/flowps.h: Added fix for compiling on Tru64 .c: Added Flowbits detection src/detection-plugins/sp_flowbits.h now wrapped in an ifdef. so we could do a quick fix.h: No more Log variables.h: src/preprocessors/spp_flow. die. die .am: Removed unnecessary libintsnort.

Much appreciation to Adam Peterson and SPL Worldgroup Inc. * src/output-plugins/spo_csv.h: Removed duplicated SnortEvent() function. ChangeLog will migrate to more detailed. http_inspect default server only valid if specified in config.c: Added string escaping for the msg. * src/event_wrapper.c: Minor CSV fixes from Elias Levy (Thanks Elias!) * doc/snort_manual. * src/output-plugins/spo_csv. 2004-01-13 Chris Reid <chris.h: * src/preprocessors/spp_stream4. for sponsoring this development! This option will now be available within the Win32 installer thanks to their> * src/detect.c: Fixed double incrementing of pc. code-oriented comments. (Thanks Andreas Ostling).reid@codecraftconsultants.c: Tagged Packets no longer have NULL msg name. .com> * contrib/perfstats.tex: Minor LaTeX fixes from Jen Harvey (Thanks Jen!) 2004-01-16 Jeremy Hewlett <jh@sourcefire. * src/detect.pdf: * doc/snort_manual.c: Added utility to parse out perfmon stats * RELEASE.c: Fixed http_inspect double alerting on pkts and rebuilt streams. (Thanks Andreas Ostling) * src/detect.2004-01-21 Jeremy Hewlett <jh@sourcefire. (Thanks Brent Erickson) * src/snort.c: http_inspect proxy_alert now supports normal proxy networks setups. * * * * src/preprocessors/HttpInspect/client/hi_client.NOTES: Added file to keep track of release notes. 2004-01-20 Jeremy Hewlett <jh@sourcefire. Corrected pcap_compile error.c: Error on multiple interfaces on command> * Added Oracle support into Win32 version.c: Added additional checks to GenerateSnortEvent().h: src/preprocessors/HttpInspect/session_inspection/hi_si.c: src/preprocessors/> * src/decode.log_pkts on non-rule events.c: src/preprocessors/HttpInspect/include/hi_si.

c: .c: Fixed issue with no_alert not quieting some alerts * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: src/sfutil/util_net.c: src/sfutil/util_net.h: src/preprocessors/flow/flow_callback.c: Added GID.c: src/preprocessors/flow/flow_stat.c: * src/preprocessors/HttpInspect/normalization/hi_norm.c: src/output-plugins/spo_unified.c: Flow now honors -q (quiet) * src/preprocessors/HttpInspect/client/hi_client.h: Added additional error checking for custom rules (Thanks Andreas Ostling) * src/preprocessors/flow/flow_print.h: src/preprocessors/flow/flow_stat.c: Close Socket when Snort receives SIGHUP (Based on patch submitted by Neetu Nangia) * src/output-plugins/spo_csv.0 * src/parser.c: src/preprocessors/perf-base.h: src/preprocessors/flow/portscan/flowps_snort. Thanks to the Snort community for your support. These fixes change the variable type to u_int32 to remove the need for stdint.c: src/preprocessors/flow/portscan/scoreboard. and Rev to csv output (Thanks Brennen Reynolds) * * * * src/output-plugins/spo_log_tcpdump.c: Fixed build warnings on FreeBSD 5.2004-1-13 Jeremy Hewlett <jh@sourcefire.c: src/event_wrapper.c: src/preprocessors/flow/portscan/server_stats.h: src/preprocessors/flow/portscan/unique_tracker.h: src/preprocessors/flow/portscan/flowps.c: src/preprocessors/spp_stream4. SID.c: config chroot readded * src/parser.c: Fixed vague error message with directory creation problems (Thanks Kenneth Ingham) * * * * * * * * * * * * * * * * * * src/> * src/detection-plugins/sp_session.h * src/output-plugins/spo_alert_unixsock.h: src/preprocessors/flow/portscan/server_stats.h: src/preprocessors/flow/flow.c: Removed non_rfc_chars from default profiles * src/sfthreshold.c: src/preprocessors/flow/portscan/flowps.h: Fixed compilation problems on Solaris and some versions of BSD.c: src/preprocessors/flow/flow_cache.c: * src/parser.h: src/preprocessors/flow/flow.c: src/preprocessors/flow/portscan/scoreboard.

reid@codecraftconsultants.tex: Minor clarifications and additions. Thanks Lawrence Reed.h: Added suppression negation (Thanks Andreas Ostling) * src/sfthreshold. 2003-12-22 Daniel Roelker <droelker@sourcefire. Improved escaping of SQL> * src/parser. 2003-12-20 Chris Reid <chris.c: Fixes to help respond actions to correlate more closely to RFCs and now doesn't allow users to shoot themselves in the foot. * src/output-plugins/spo_database.thresholding: doc/snort_manual. Thanks Jeremy Hewlett.csv: doc/README.1 Release * src/decode.pdf: doc/snort_manual.c: Fixes the signature error that user's were getting after changes to the AddMatch and SelectEvent routines. Jon Hart. Better memory management (thanks Jeff Nathan).c: Fixed backwards display of IP addresses on Solaris * * * * * * doc/FAQ: doc/README.1.h: Options struct element len. Thanks Andreas Ostling. Ron> * Snort 2.http_inspect: doc/README.c: * src/sfutil/sfthd. *> * Win32 version wouldn't run as a service.* src/sfutil/sfthd. * src/preprocessors/HttpInspect/normalization/hi_norm.reid@codecraftconsultants. and Chris Keladis. 2003-12-17 Chris Reid <chris.c: Andreas Ostling parser fixes and updated error messages. 2003-12-17 Daniel Roelker <droelker@sourcefire. * src/detection-plugins/> * Updated Win32 to 2. Thanks Andrew> * src/fpdetect. changed to octet.c: Better support for ODBC.c: Fixed pcre URI matching. * src/detection-plugins/sp_pcre. 2004-1-5 Daniel Roelker <droelker@sourcefire.c: Infinite looping patch during specific recursion processing. Thanks to Michael Steele for pointing this out.c: .

c to escape sensor name strings.c: * src/sfutil/mwm.c: Sync stream4 up with the various versions of it. Also fixed off-by-one bug on reassembled streams that was introduced by previous stream4> . 2003-11-07 Martin Roesch <roesch@sourcefire.c: Return invalid URI for configs that don't allow a tab as a URI delimiter instead of processing.c: * when using pktkludge output format. This had been causing a problem under Windows with MySQL because of WinPcap sensor names having embedded backslashes. * src/sfutil/mwm. * src/detection-plugins/sp_dsize_check.1 Win32 installer * Updated spo_database. * src/tag.h: Fixed memory access bug in mwm content matching that multiple users were able to reproduce.reid@codecraftconsultants. 2003-12-08 Chris Reid <> * src/preprocessors/flow/portscan/flowps_snort.c: Re-added ip_proto structure to ds_list so that the high-speed detection engine once again optimizes on ip_proto rules. 2003-11-07 Daniel Roelker <droelker@sourcefire. * src/preprocessors/spp_stream4. Fix problem of out-of-order ACKS that was recognized by Andrew Rucker.c: Validate dsize argument so that it is a decimal number and a positive integer. Thanks Jeremy Hewlett for pointing this out. 2003-12-03 Chris Reid <> * src/preprocessors/HttpInspect/user_interface/> * Updated Snort 2.c: Added some additional config options to server profiles all and Added --add-missing to automake so the flow dependencies get installed. * src/preprocessors/HttpInspect/client/> * Updated Snort 2.c: Pkt tagging configuration now works correctly. This helps reduce false positives for servers that won't accept tabs as valid. 2003-11-14 Chris Green <cmg@sourcefire.Only log DOUBLE DECODE alerts if it's in the URL and not the parameter section.1 beta to support Win32 2003-11-18 Daniel Roelker <droelker@sourcefire. make destination address the last one> * src/detection-plugins/sp_ip_proto. * autojunk.

com> * src/preprocessors/spp_flow.PCRE (> * src/detection-plugins/> * src/ .c (print_thresholding): Cleaned up linewrapped separators.Flow ( replaces spp_conversation ) .pcre.c (PrintIPHeader): make fragsize print out the size of the payload rather than the size of the header 2003-10-28 Marc Norton <mnorton@sourcefire. cosmetic cleanup for 80-col terminals 2003-11-06 Chris Green <> * src/util.c: fixed bug with search-method mwm resulting in retesting removing an active rule on occasion (Thanks to Raul Siles & David Perez for a reproducible test case!) 2003-10-28 Chris Green <cmg@sourcefire.pcre keyword for regular expressions incorporated .Flow-Portscan .com> * src/sfutil/> * configure.c (PrintIPHeader): print frag size as the size of the datagram .org) is now required to build .Suppression/Thresholding by .com> * src/> * src/log.1 Features .* src/sfthreshold.HttpInspect replaces http_decode by Dan .c (DEFAULT_MEMCAP): make default memcaps much smaller (FlowInit): display correct memcap 2003-10-20 Chris Green <cmg@sourcefire.header 2003-11-04 Marc Norton <mnorton@sourcefire.3 that resulted in a core dump due to an OOB read 2003-11-04 Chris Green <cmg@sourcefire.0.removed smb alerting since it should be moved to barnyard Major 2.c (SnortMain): display thresholding information at start up 2003-10-30 Chris Green <cmg@sourcefire.c (read_infile): make snort FatalErrror on bpf filter problems (reported by Fran Loehmann) 2003-10-27 Chris Green <cmg@sourcefire.c (CheckANDPatternMatch): Fixed a bug in sp_pattern_match that was introduced with the recursive processing in 2.

2003-08-06 Chris Green <cmg@sourcefire.c to play nice with Visual Studio . as was previously> * Snort> *> * src/> * back from honeymoon * src/preprocessors/spp_stream4.NET (thanks for feedback from Louis Jagoe).isdataat keyword to help with rule writing See the doc/ subdirectory for more details 2003-10-02 Chris Green <cmg@sourcefire.Minor optimization to the overwrite detection code: if the overwrite list .pl to interpolate variables * spp_arpspoof patches from Jeff Nathan . 2003-07-25 Chris Green <> * Updated sp_pattern_match.Re-ordered sanity tests in the preprocessor function to prevent a nu ll pointer dereference and to identify early exit conditions .com> * Updated Win32 code to properly support logging to the Windows Event Log without including the Microsoftgenerated warning.fixed verstuff.Replaced unchecked malloc() calls with SnortAlloc .thresholding) from Sourcefire/Marc Norton 2003-09-02 Chris Reid <chris.c (DecodeTCP): fixed TCP_LARGE_OFFSET with patch from Bob Perkins 2003-07-28 Chris Reid < (dist-hook): .2 * added flush_data_diff_size and zero_flushed_buffers for stream4_reassemble * added threhsolding (see doc/README.c and win32_service.c (RuleType): func == NULL bug fix for Bart Haagdorens * Incorporated Steve Grubb's HUP fix for -u users that aren't doing Chroot.add signatures kludges to fix up official tarballs . 2003-09-22 Chris Green <cmg@sourcefire.reid@codecraftconsultants.Changed the parameter name ipmel to ip_mac_entry_list in functions operating on this list for clarity .0.c (BuildPacket): fixed DEBUG compilation/zero_flushed_buffers option 2003-09-10 Chris Green <> * src/decode.

added dist-hook to run verstuff.compile with --enable-debug 2003-07-22 Chris Green <cmg@sourcefire. . * src/decode.removed redundant flag setting operation 2003-07-01 Chris Green <cmg@sourcefire. .c (DecodeIEEE80211Pkt): .c (Frag2Defrag): .norton@sourcefire. Pomraning over at to make the published tarballs up to date on snort version * Snort> * src/decode. Thanks! 2003-07-03 Chris Green <> * src/fpdetect.c (IsHttpServerData): .c (GetDirection): .com> * src/decode.Implemented a CleanExit function suitable for CleanExit and Restart.c (DecodeUDP): .Use FreeToks instead of for() and free() for mSplit tokens.hasn't been initialized return when entering the overwrite condition tests .com> * src/preprocessors/http-resp.ensure TCP state on discarded traffic * src/preprocessors/spp_stream4.c: fixed pass not always superceding Alert when rule order was Pass-Alert-Log * src/fpcreate. 2003-07-09 Chris Green <cmg@sourcefire.c (DecodeIP):> * Shortly after release: .1 Released 2003-07-18 Chris Green <cmg@sourcefire.Added CallLogFuncs calls to accompany all CallAlertFuncs calls (prev iously CallLogFuncs was not used at all).fixed vlan decoding on lots of advice + patch from Michael J.switch to using IP addresses * src/preprocessors/spp_frag2.added verstuff.ignore packets with bad checksums 2003-06-09 Marc Norton <marc.completely ignore invalid IP checksums throughout snort if we are checking them.fixed UDP checksums to not incorrectly calculate with a header in host byte order Thanks to Marc Norton & Jeremy Hewlett for helping * src/ .c: .com> * src/decode.c (Preprocess): .c (DecodeVlan): .

c: * src/> * src/output-plugins/spo_alert_sf_socket.c: * src/output-plugins/spo_csv. and also support named interfaces like "-i \Device\Packet_{12345678-90AB-CDEF-1234567890AB}". Baker <andrewb@sourcefire.c: * src/output-plugins/spo_unified.h: * src/spo_plugbase.c: * src/output-plugins/spo_log_null. Baker <andrewb@sourcefire.h: * src/output-plugins/spo_alert_fast. Fulvio also provided a more streamlined Win32 print_interface().com> * Changed evalIndex to give precendence to help work around problems with rule ordering when not using -o 2003-05-14 Andrew R. 2003-06-04 Chris Green <cmg@sourcefire.h * src/detect.c: removed obsolete global flow variable 2003-05-28 Chris Reid <> * src/snort.c: Relocated Output Plugin API definitions to spo_plugbase.c: src/output-plugins/Makefile.c (OpenSessionFile): refactored to do fatal error inside the lower level function where filename is defined.c: * src/output-plugins/ * src/> * src/Makefile.c: .made compile w/ debug * src/detection-plugins/> * Win32 patches from Fulvio Risso (of WinPcap) so -i parameter can support both "-i 1" format.c: * src/output-plugins/spo_alert_full. Bug Reported by Jon Werrett.c: * src/output-plugins/spo_alert_unixsock.This fixes an initialization problem with the iBirDirection flag. 2003-05-27 Chris Green <cmg@sourcefire.reid@codecraftconsultants.c: src/output-plugins/spo_alert_sf_socket.c: log packet data 2003-05-30 Chris Green < src/output-plugins/spo_alert_sf_socket. 2003-05-27 Andrew R.c: * src/output-plugins/spo_alert_sf_socket.h: Sourcefire UNIX datagram socket output plugin .h: added support for per OptTreeNode output functions * * * * src/plugbase.c: * src/output-plugins/> * src/preprocessors/spp_bo.c: * src/output-plugins/spo_log_ascii.c: * src/output-plugins/spo_alert_smb.c: * src/output-plugins/spo_database.

config.FatalError if hex/oct are used w/o specifying the string parameter * src/preprocessors/ 2003-05-13 Chris Reid <chris. (Mark Scott) 2003-05-13 Chris Green <> * src/detection-plugins/sp_tcp_win_check.c (RebuildFrag): fix integer wrap around on large packets resulting in invalid IP dgrm lengths with large packets for frag2. Thanks to Jason Royes for pointing it out.c (ByteTest): .c (DecodeTCP): move port number assignment above option decoding so people don't complain about decoder events on port 0.c (ByteTest): .calloc checks in detection-plugins .reid@codecraftconsultants.FatalError if hex/oct are used w/o specifying the string parameter * src/detection-plugins/> * patches from Jeff Nathan .reid@codecraftconsultants.h to Makefile.2003-05-16 Chris Green <> * updated Win32> * Added sanity check in CleanExit() to prevent double-freeing of memory during recursive call to CleanExit(). will truncate large packets so that the total resulting frame is less than 65535 unless you define DONT_TRUNCATE in config.c (DecodeTCPOptions): .com> * src/> * patches from jeff nathan .removed initialization message in debug 2003-04-24 Chris Green <cmg@sourcefire. * src/> * updated create_postgresql (Frank Knobbe) * solaris forte C compiler patches from Taso Devetzis) 2003-04-25 Chris Green <cmg@sourcefire. 2003-05-02 Chris Reid <chris.c (SetupTcpWinCheck): .old version of autoheader doesn't like arguments to * add timersub.add OSX kludged support for /sw/include to libnet defaults * added doc/signatures to Makefile.h before HAVE's in strc* .am * src/detection-plugins/sp_byte_check.dll (tested by Rich Adamson) 2003-04-28 Chris Green <cmg@sourcefire.h This is unfortunately required for compatiblity for other pcap applications.

unified logic for server and client side .com> * src/mwm.upon a fatal error.Use TIMERSUB * src/detect.removed unused argument to DeleteSpd (AlertFlushStream): .add bytes_tracked variable for more memory protection * src/preprocessors/spp_stream4.removed memthresholding because of large delays * src/decode.c: src/detection-plugins/sp_byte_jump.h (_Stream): .c: .get rid of dataPtr ( it's always the same thing as &s->data ) .get the ssnptr variable from the packet structure .h> 2003-04-21 Chris Green <cmg@sourcefire. yell about config detection: search-method lowmem 2003-04-16 Chris Green <cmg@sourcefire.c: .c (AlertAction): AlertFlushStream takes one argument now * src/parser.move the common extraction code to a single place .h: import timersub macro from glibc and upcased it * src/snort.only alert on T/TCP if there is a CCECHO * * * * src/detection-plugins/sp_byte_check.c (mwmPrepHashedPatternGroups): .c (ParseConfig): disable_tcpopt_ttcp_alerts parsing -Thanks for pointing it out Jeff Dell * src/preprocessors/spp_stream4.u_int -> int for size check .c: src/byte_extract.c (ParsePattern): .watch for how many packets we accept 2003-04-14 Chris Green <cmg@sourcefire..0 Released 2003-04-09 Chris Green <> * Snort 2.h: .fix 2 byte extraction code on little endian architectures (Thanks to Jason Miller) * src/bounds.macroize sequence number type checks (StoreStreamPkt): .com> .remove #include <snort.0.(slightly) more readable string handling code * src/> * src/detection-plugins/sp_pattern_match.h (inBounds): .c (InterfaceThread): .c: src/byte_extract.

c (ByteJump/ByteCheck) .c (SnortMain): . Doe is set automatically and use_doe is only needed to be set by people wishing to make the previous pattern match> * src/decode.0.c: Change all classifications to DECODE_CLASS * src/detection-plugins/sp_byte_check.c (PrintTcpOptions): (PrintIpOptions): .c (PrintTcpOptions): (PrintIpOptions): .adjusted established check * src/preprocessors/spp_stream4.9 forward fix from Nick ) .* src/log.c (ByteJump): .c.spo_database.h .0rc3 * etc/> 2.correctly print out * src/log.spo_database.correctly print out * src/decode.c: Last bastions of ErrorMessage @ decode in non-verbose mode 2003-04-09 Chris Green <cmg@sourcefire. Build 69 * src/decode.c (ReassembleStream4): .handle more FIN conditions * src/preprocessors/spp_stream4.0 due to memory not SetUseDoe() for these> * src/detection-plugins/sp_byte_jump.c (NotForStream4): .refactoring 2003-04-04 Chris Green <cmg@sourcefire.c.conf: config detection: search-method lowmem Incorporates a lower memory pattern matcher from Marc Norton for people running into not being able to update to 2.move InitOutputPlugins down (> * src/detection-plugins/sp_byte_jump.c: .another argument parsing bug ( Thanks Judy ) 2003-04-07 Chris Green <cmg@sourcefire.make offsets work for byte_test and byte_jump (Thanks Judy and Dan) 2003-04-03 Chris Green <cmg@sourcefire. * src/snort.

com> * src/tag.h .c (ParseConfig): .0.c #ifdef should have been #ifndef * src/acsmx.c (DecodeUDP): .h instead of a locally defined one * src/output-plugins/> * src/preprocessors/spp_stream4.0.0.flush on write ssn stats (andrewb fix) * src/decode.don't act like a happy wallaby if the IP transport doesn't support ECN but the reserved flags make it through crystal clear * src/preprocessors/spp_frag2.conf Changed Win32 default host to "127.DisableDetect() instead of do_detect() .c (CreateNewSession): .h Have WIN32 use definition of "inline" from> * src/parser.c: .moved default socket location to the logdir ( patches from Nick Zitzmann <dreamless@attbi.moved unix socket format to .2003-04-01 Chris Green <cmg@sourcefire.c * etc/>) 2.fixed src/dst tagging . 2003-03-28 Chris Green <cmg@sourcefire.added static cling (ParseTag): fixed parser (AddTagNode): .c (PrintTagNode): new f() .nsi Added further installation instructions to help cut down on the number of 'newbie' questions.unified both tag cache logics .reid@codecraftconsultants.0 RC2 2003-03-31 Chris Green <cmg@sourcefire.c (_FragTracker): only do 1 fragment tracker alert for things like teardrop * src/preprocessors/spp_stream4.make disable ipopt work (Thanks Tim Slighter) * src/tag.correctly decode UDP packets (andrewb fix) 2003-03-27 Chris Reid <chris.c: .1" (thanks to Rich Adamson) * src/win32/WIN32-Prj/> Build 67 * src/output-plugins/spo_alert_unixsock.

SnortAlloc .com> * src/decode.h: * src/debug.c (ParseSyslogArgs): .com> .changed to make DEBUG do -O0 and -g with gcc (-ggdb makes gdb confused.remove snmp/ssl 2003-03-27 Chris Reid <chris.c Win32 '-s' now takes no arguments.c * src/output-plugins/spo_alert_syslog. 2003-03-27 Chris Green <> * configure.c (ParseSyslogArgs): .com> Build 63 * src/ .damn #if 0 * configure.randomize flexible response ttls .c (DecodeTCP): .* src/debug.only warn if we are parsing snort.print out everything that I can 2003-03-25 Chris Green <cmg@sourcefire. Host/port info is configured only within snort.conf ( -s ) * src/tag.c (Print(I Tc)cpOptions): . go fig.bad format args (thanks Tim!) RC1 * Incorporated Patches from Jeff Nathan .reid@codecraftconsultants.c: added DebugThis() * etc/snort.conf (output alert_syslog).c (ParseCmdLine): -s means syslog() not -s args on win32 * src/output-plugins/spo_alert_syslog.c (DecodeIPOptions): truncation alerts for IP options too! (InitDecoderFlags): added decoder flags function * src/log.h (SetTags): .conf make the config options do what they say * src/output-plugins/spo_alert_syslog.add stop descriptor leaking * src/decode.libnet configure should work again .) * src/ .allow -s to work again 2003-03-26 Chris Green <cmg@sourcefire.

added missing free() (Database): .aligned printf * src/decode.* src/signature.added isBetween inline function (UpdateState): .c (LogScanInfoToSeparateFile): .c (SLog): .moved standard bounds checking functions to this file * src/detection-plugins/sp_react.see above * src/detection-plugins/sp_clientserver.c (UpdateLastCid): .c (DecodeTRPkt): .c .changed PruneSessionCache() to only do timeout flushes if we're over 50% of the memcap (should help performance) .wireless arp printing fix (PrintTcpOptions): .fixed the dang linked list * rules/Makefile.h (_Stream): .strncpy -> memcpy (PrintEapolKey): .use fprintf for what it was designed for * src/preprocessors/ (EXTRA_DIST): added pop2.fatal error on unknown option * src/output-plugins/spo_database.comment clarification * src/bounds.c (ParseReact): .c (ParseFlowArgs): .c (PrintArpHeader): .c (ReferenceSystemAdd): .incorrect ACTION_ACK_CLIENT_DATA (StoreStreamPkt): .more truncation style alerts 2003-03-24 mfr <roesch@sourcefire.give react a half a chance of working (SendTCP): .c: .print out the ports like was intended * src/preprocessors/spp_portscan2.rules * src/decode.correctly write out the class_id junk * src/output-plugins/spo_alert_smb.added new file .c (AlertSmb): .com> * src/preprocessors/spp_stream4.h: .use fprintf for what it was designed for * src/log.removed current_seq to save memory * src/preprocessors/spp_stream4.

switch to using chars for lookup tables .com> * src/detection-plugins/sp_session.c: .use the UDP header length field instead of capture length * src/detection-plugins/sp_byte_jump.c (NormalizeTelnet): .c: .c (TagHost): .c (Stream4InitReassembler): .c: src/detection-plugins/sp_byte_check. spo_xml.don't continue when we can't parse string numbers * src/detection-plugins/sp_respond.more truncated packet alerts (DecodePPPoEPkt): . spo_SnmpTrap .removed redundant check (AddTagNode): .c (PayloadSearchRegex): .alert on truncated pppoe pkts .removed ( will be available later as a contrib ) * src/preprocessors/spp_http_decode.c (Respond): .c: .* src/ out for NULL bssid's * src/tag.check the byte.c (ByteTestParse): more input validation for byte_check/byte_jump * src/log.c (DecodeIEEE80211Pkt): .protect against negative offsets ( don't rely on negative offsets working in the long term ) . then increment * src/detection-plugins/sp_byte_check.actually die on a regex option ( might actually get it developed later ) * src/decode.fixed broken Frag Size calculation in IP header printout routine 2003-03-21 Chris Green <cmg@sourcefire.missing iph check * src/detection-plugins/sp_ip_proto.c (IpProtoDetectorFunction): .make serveronly work * src/preprocessors/spp_telnet_negotiation.c (PrintWifiHeader): .alert on truncated Vlan headers (DecodeUDP): .accumulate the tag seconds rather than the idx->seconds * src/detection-plugins/sp_pattern_match.fixed memory leak on filename creation * src/preprocessors/spp_stream4.separate decoder for encapsulated PPP (DecodeVlan): .missing iph check * sspp_asn1. fnord.c: .

reid@codecraftconsultants.added DecoderFlags structure for enabling/disabling decoder alerts * src/snort.h (_progvars): .c .c .h (_progvars): .print out warnings on bad header lengths in verbose mode (DecodeTCPOptions): .added missing CVS ID tags .rationalize Unix vs.removed extraneous sprintfing .c (DecodeTCP): . Win32 command-line options .c (FPUTS_WIN32): . Christopher Luther for helping with the syslog fixes * src/util.change to use DisableDetect() instead of do_detect = 0.corrected un-initialized memory in CreateRuleType() * src/snort.conf disable_tcpopt_experimental_alerts disable_tcpopt_obsolete_alerts disable_ttcp_alerts disable_tcpopt_alerts * src/preprocessors/ tcpopt events * src/preprocessors/spp_rpc_decode.nearly complete rewrite to identify whizbang things like bubba and skeeter options! 2003-03-14 Chris Reid <chris.c .com> * src/snort.removed old TBD feature code 2003-03-17 Chris Green < WARNINGS: -> snort_decoder: . (CreateNewSession): .c (ReassembleStream4): .added tcpopt_alert_flag * src/decode.bugfix for Win32 syslog initialization .changed to blank space rather than NULL Build 60 New Options config: config: config: config: added to snort.add optarg for Win32 syslog '-s' parameter . (disables further preprocessors) (RPC_CLASS): Use the same classification as the other decoder alerts * src/snort.thanks to Rich Adamson and L.fixed return logic with detect scans * etc/gen-msg..c (PreprocRpcDecode): .com> Build 59 (really this time) * src/detect.DisableDetect only if the emergency_status is NULL.provide Win32 fix for SetChroot() * many files .

c (uniSearchReal): .c (ByteJump): .inBounds check off by one when seeing if enough to read * src/detection-plugins/sp_pattern_match. CurrentWorkingDir.Chroot + HUP == "tough luck for now * src/snort.Move SPARC_TWIDDLE to only initialization * src/preprocessors/spp_frag2.c (uniSearchReal): .c (BuildPacket): .com> * src/detection-plugins/sp_byte_check.update server side seq numbers on Async State machine * src/preprocessors/spp_stream4.inBounds check off by one when seeing if enough to read * src/detection-plugins/> * src/util.all "work" related to distance.c (SnortMain): . depth.added missing copyrights 2003-03-13 Chris Green <cmg@sourcefire.changed check_distance to use_doe ( check_distance was not used ) * src/detection-plugins/sp_pattern_match.Use Constants for IP Lens .added return ACTION_ACK_CLIENT_DATA * src/detection-plugins/ function to unify uniSearchCI & uniSearch .com> Build 59 * src/preprocessors/spp_stream4.c (UpdateState): .new functions SetChroot.c: .c .never touch doe_ptr on a successful match .c (ByteTest): . within..untabified (RebuildFrag): .removed a printf 2003-03-05 Chris Green <cmg@sourcefire.c (UnifiedInitAlertFile): .use fully qualified pathname for logdir in chroot case * src/output-plugins/spo_unified.inBounds check off by one when seeing if enough to read 2003-03-04 Chris Green <> Build 58 * src/util.h (inBounds): end is always dsize + len so it should be p < end * src/preprocessors/spp_stream4.converted to creating fake packets the same way as stream4 2003-03-10 Chris Green <cmg@sourcefire.h (_PatternMatchData): .removed killme variable from InsertFrag . GetAbsolutePath .Chroot after parsing the rules file .c(TcpActionAsync): . SigChrootHupHandler. and offset done .

h: * src/fpcreate.c .in one place now (CheckANDPatternMatch): .alignment errors on non-x86 platforms . Problem was caught by Chris Green doing some unit testing.c (PreprocRpcDecode): .h (RPC_MULTIPLE_RECORD_STR): fixed cut and pasto * src/util.suspend re-enabling mode fixes 2003-03-03 Chris Green <cmg@sourcefire.write fraghdr back into pkt .com> * src/bitop.dsp * src/win32/WIN32-Prj/snort.c (mSearch): subsequent offsets adjusted correctly (Marty) * src/preprocessors/spp_rpc_decode.condensed this down to be a very small wrapper around uniSearch * src/detection-plugins/sp_byte_check.dep .mak * src/win32/WIN32-Prj/snort.c .c: .condensed this down to be a very small wrapper around uniSearch ( now !content will alert with offset on small packets) (CheckUriPatternMatch): .readded config.h (Thanks Chad) * src/preprocessors/spp_stream4. In this case an element in the bitop structure never got initialized.h and> * src/win32/WIN32-Prj/snort.c: .c: * src/fpdetect.c: inBounds function doe_ptr SetUseDoe TEXTLEN constant * src/generators.removed extraneous printf * src/preprocessors/spp_rpc_decode.corrected buffer overflow in fragment normalization 2003-02-28 Daniel Roelker <droelker@sourcefire.reid@codecraftconsultants.redefine MSB .h (inBounds): added new inBounds function to check a ptr position against a known start and end location * src/mstring. so it's not good to reference that.c: * src/detection-plugins/sp_byte_jump. 2003-02-27 Chris Reid <> * src/preprocessors/spp_rpc_decode.Fixed a problem when snort runs with only uricontent matches and no contents.added new space delimited options alert_fragments no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete .

com> * src/parser.c .don't bother decoding the packet if its 0 bytes .set DEBUG to DEBUG_PLUGIN instead of DEBUG_STREAM * src/preprocessors/spp_http_decode.Removed an unnecessary file from the project (name..reid@codecraftconsultants.c 0 is already aligned to a 32-bit boundary.bat .c> * src/mstring.c Fix so --enable-debug actually compiles 2003-02-14 mfr < * src/win32/WIN32-Prj/build_releases.Script to easily compile all configurations of snort.ini .don't bother decoding the packet if its 0 bytes * src/preprocessors/spp_fnord. 2003-02-16 Chris Green <cmg@sourcefire..Win32 '-s' parameter wasn't configured to accept an optarg. only decode if it is client data on an established session 2003-02-15 bmc <bmc@snort.c (PreprocUrlDecode): * remove broken checks.c .don't bother decoding the packet if its 0 bytes .c . but code expected one. 2003-02-15 bmc <bmc@snort.nsi * src/win32/WIN32-Prj/> * src/preprocessors/spp_asn1. * src/preprocessors/spp_telnet_negotiation. Thanks to Chris Green for suggesting we use NSIS! 2003-02-19 Chris Reid <chris.c (NormalizeTelnet): * remove broken checks. 2003-02-14 bmc <bmc@snort.. causing null-pointer> * src/detection-plugins/sp_byte_jump.if stream4 is enabled.c Fixed XferHeader() function to copy the not_*p_flag to the> * src/preprocessors/spp_http_decode.don't bother decoding the packet if its 0 bytes . only decode if it is client data on an established session * src/preprocessors/spp_telnet_negotiation.c . (more than 0 doesn't need aligned) 2003-02-15 bmc <bmc@snort.Scripts to build a Win32 installation program for snort. * src/detection-plugins/sp_ip_proto.c . * src/win32/WIN32-Prj/snort_installer. 
only decode if it is client data on an established session (This makes using internal_alerts useful) * src/preprocessors/spp_rpc_decode.don't bother decoding the packet if its 0 bytes .com> * src/> * src/detection-plugins/sp_byte_jump..if stream4 is enabled.c actually verify that it needs aligning before aligning.c ip_proto options can now be stacked .if stream4 is enabled.

* src/preprocessors/perf-base. * src/mpse.Added documentation.0.c src/detection-plugins/sp_pattern_match.Added an include of config.c * src/preprocessors/spp_bo.0beta' * src/win32/WIN32-Code/win32_service.h . for whenever a user forgets to put spaces between (ie.Changed VERSION to '2. now is KEY_READ).h .Added an include of config. otherwise no errors are ever presented to the user. for Windows build. .c * src/preprocessors/spp_fnord.c src/mstring.) /SERVICE/INSTALL. * src/parser/IpAddrSet. Complete reimplementation of payload position tracking.Prevent definition of UINT64 under> * src/fpdetect.Added definition for UINT64 and uint64 .Changed variable names "small" and "large" into "small_value" and "large_value" to prevent compile errors under Visual C++.Added changes to allow it to compile under Win32.c .c Fixed distance/within/byte_test/byte_jump relative (stateful) pattern matching and the like.Modified FatalError to generate a Win32 EventLog entry if this is a Win32 Service build.c .c src/detection-plugins/sp_byte_check.Updated Win32 banner for version 2. for Windows build. * src/preprocessors/spp_asn1. * src/win32/WIN32-Includes/config.0 . since these stats provide little useful information under Win32 due to API differences .h.c * src/pcrm. * src/mwm.Removed all references to SFStats compile options. Problem (and patch) was reported by Michael Miller.c . * src/win32/WIN32-Prj/snort. please test! 2003-02-04 Chris Reid <chris.h.c Added sanity checks on command-line parameters.c .c .2003-02-14 mfr <roesch@sourcefire.c src/detection-plugins/sp_byte_jump.Added ifndef/endif around non-Win32 header files.c . This only applies to /SERVICE parameter for Win32.c * src/preprocessors/> * src/snort.c . * src/util.Changed how Win32 registry is opened for reading (was KEY_ALL_ACCESS. * src/preprocessors/perf.dsp .reid@codecraftconsultants. Tested with several different attack scenarios with 100% detection rate.

* src/preprocessors/spp_stream4. Baker <> * src/preprocessors/spp_stream4. * src/> * configure. Reed.plg . Reed. we make sure that it was created before incrementing the counter. * src/win32/WIN32-Prj/> .c (CheckForReassembled): missing return in opt node check affects only flow: only_stream 2002-1-17 Daniel Roelker <droelker@sourcefire.Truncated the contents of these files.c Changed frag2 to use the new SPAlloc mechanism as a testing platform.c (AlertFlushStream): .opt src/win32/WIN32-Prj/> * src/util.c Added self preservation-aware memory allocator. * src/detection-plugins Changed the URI and AND checking modules to use the context pointer on the fp_list struct instead of the ds_list. When a new session is created. specifically the lack of a native getrusage().in Added patch from Jeff Nathan to fix libnet detection 2003-01-05 mfr <roesch@sourcefire.c: Added 'snortfile' parameter to perfmonitor so users can use the default snort directory to log performance statistics.Fixed problem where an alert on a stream would update sequence numbers incorrectly .h Added self preservation control struct for the new SPAlloc function. this allows coders to add new subsystems requiring self preservation techniques using a single allocation interface and management mechanism. If this works right I'll convert all the other stuff over to it as well. 2003-01-26 Chris Green <cmg@sourcefire. 2003-01-07 mfr <roesch@sourcefire. Merry Xmas cazz! * src/preprocessors/spp_frag2.c: Fixed performance statistic counter for total stream4 sessions. This will cause all content/uricontent checks to be checked in the sequence that they appear in a rule so that all the distance/within and relative byte_test/byte_jump stuff will work properly.ncb src/win32/WIN32-Prj/snort. 2002-12-19 Andrew R.between Win32 and Unix.moved StoreStreamPkt up to avoid crash Thanks to Lawrence Reed for pointing out problems and almost perfect solutions * src/detection-plugins/> * src/preprocessors/spp_perfmonitor. 
Suggested by L. Fixed by L.

Thanks to Del Armstrong for pointing this out.c (BeginTransaction): * removing BEGIN for oracle ( Chad Kreimendahl ) . Roelker <droelker@sourcefire. thanks to Del Armstrong for pointing this out. 2002-11-26 Andrew R.h: Problem with ICMP checksum.h: src/> * src/fpcreate. Baker <andrewb@sourcefire.c: src/> * src/parser.c: Fixed bi-directional rule functionality when unique port was the destination port in a bi-directional rule.h: src/> * src/preprocessors/spp_frag2.c: src/fpdetect.h (SSNFLAG_MIDSTREAM): added a midstream pickup flag 2002-12-12 Daniel J.c: src/fpdetect.added "state_protection" config mechanism to enable/disable the thresholding operations * src/decode.h: src/rules.mark sessions that have been picked up midstream .c: src/> * src/checksum.h: Fix custom rule types and arbitrary rule ordering that were broken with the new detection engine.* * * * * * * src/detect.h: Modifications to signal handling and CleanExit/Restart 2002-11-26 Daniel Roelker <droelker@sourcefire.c: fixed argument handling bugs for snaplen and read_bin_file config directives in snort.h: src/snort.added "state_protection" config mechanism to enable/disable the thresholding operations * src/preprocessors/spp_stream4.c: src/util. we don't do them.protect against people setting up snort behind a tap without setting asynchronous link .conf * * * * src/snort. Reported by Brian Caswell. Routine did not return the complement of the checksum. Again. even if the config is set for that.c: * src/> * src/output-plugins/spo_database.c (Frag2Defrag): .c: .c: Also. UDP checksums are only done if the checksum is 0. 2002-12-13 Chris Green <cmg@sourcefire. 2002-11-26 Chris Green <cmg@sourcefire. * src/decode.

c: .removed extra decrements for last_ack was causing a high false alarm rate for new \r\n> * src/snort.disable nmap scans from alerting when we don't use detect_scans.h (DisableDetect): added function 2002-11-16 Chris Green <cmg@sourcefire.port list that will be reassembled * src/preprocessors/> * src/preprocessors/spp_stream4.c: fixed a bug where we would shift to suspend mode if stream4_reassemble wasn't enabled 2002-11-18 Chris Green <cmg@sourcefire. Thanks to Jens Krabbenhoeft for helping on this one -.fix argument parsing for emergency modes 2002-11-19 Chris Green < the future.fix argument parsing for emergency modes * src/preprocessors/spp_frag2.h: .com> * src/preprocessors/> * src/preprocessors/spp_stream4. Thanks to Chad Kreimendahl for this one 2002-11-24 Chris Green <cmg@sourcefire.c (TcpActionAsync): (TcpAction): -.c: self_preservation_threshold: <bare new sessions/second> self_preservation_period: <duration of SP mode> suspend_threshold: <bare new sessions/second> suspend_period: <duration of suspended operations> emergency_ports: <port list> <-.c: self_preservation_threshold: <bare new sessions/second> self_preservation_period: <duration of SP mode> suspend_threshold: <bare new sessions/second> suspend_period: <duration of suspended operations> added Emergency / Suspend mode * src/> Merging in mfr/cmg mitigations for extreme bogus session loads * src/preprocessors/spp_stream4.c (ParseFrag2Args): .2002-11-25 Chris Green <cmg@sourcefire. these should not generate packet log alerts but they are required to for the current view of the world * src/detect.h: added Emergency / Suspend alerts to stream4/frag2 .

.org> * src/detection_plugins/sp_byte_test.h * src/snort.c: src/output-plugins/spo_database.c: * src/output-plugins/spo_unified. Roelker <droelker@sourcefire.c: * src/output-plugins/spo_xml.c from snort.h: * src/util.c: * src/preprocessors/spp_portscan.c: * src/snort.h: updated run mode determination and representation relocated log_dir sanity check relocated test_mode_flag check to outside InterfaceThread moved global variable declarations into snort.c: added support for & and ^ 2002-11-07 Daniel J.c: * src/snort. Baker <andrewb@sourcefire.c: fixed output file issues for ascii logging 2002-11-11 Andrew R.c: * src/snort.c: Changes to cleanup the chroot process 2002-11-12 Andrew R.c: src/preprocessors/spp_portscan.h: Cleanup command line alert and log configuration * src/decode. The configuration file is now only read in once place.c: * src/output-plugins/spo_log_tcdump.c: src/preprocessors/perf-base.c: * src/plugbase.c: src/snort.c: * src/snort.c: Fixed an infinite loop bug that occurred in my last update to .c: src/output-plugins/> * src/output-plugins/spo_log_ascii.c: src/output-plugins/spo_unified.c: src/output-plugins/> * src/> * src/log. Baker <> * src/preprocessors/spp_http_decode.c: * src/snort.c: * src/preprocessors/spp_stream4.c: * src/output-plugins/spo_log_ascii.c: src/parser. * * * * * * * * * * * src/log.c: * src/snort. Baker <andrewb@sourcefire.h: src/output-plugins/spo_alert_fast.h: * src/parser.c: replaced ReadConfFile with ConfigFileSearch.c: removed more vestiges of the multiple interface pthread support 2002-11-10 Brian Caswell <bmc@snort.c: src/snort.added a define SNORT_20 so that code will be easier to merge around 2002-11-13 Andrew R.c: * src/parser.

com> * src/parser. Fixed now.c: * src/fpdetect.c: * src/> * src/detection-plugins/sp_byte_check.c: * src/mwm. Baker <andrewb@sourcefire. 2002-11-06 Daniel J.c: Make big.http_decode that dealt with an off-by-one bug.c: * src/detection_plugins/sp_byte_jump. There was a theoretical possibility of overwriting a one byte rule group (example: "~") with another rule group of (" 00 7e "). 2002-11-06 Andrew R.h: Added byte_jump.c: fixed case where multiple rules can have partial matches on content and fuxor the detect_offset_end calculations (> * src/> * src/> * src/mwm. great for decoding RPC with Snort rules 2002-11-04 mfr <roesch@sourcefire.h: * src/decode.h: Fixed another bug in mwm search routines when dealing with identical one byte patterns in multiple rules. Baker <andrewb@sourcefire. we can now decode a length from the app layer and jump the detect_offset_end (last match pointer) up that number of bytes. Problem pointed out by Brian Caswell.c: * src/rules.little arguments actually interpret the data correctly 2002-11-04 Andrew R. This has now been fixed and should be the last of the one byte pattern problems.e. and IPX packet counting * src/preprocessors/Makefile.h: Fixed bug when comparing multiple one byte rules with the same one byte> * src/snort. add missing header (perf-event.c: * src/snort.c: .com> * src/detect. Roelker <droelker@sourcefire. reset the offset for every OTN in the system) 2002-11-04 Chris Green <> * src/mwm.h: * src/snort.h: Removed unused MTU support code 2002-11-06 Daniel J.c: * doc/README: removed -6 (show IPv6) and -x (show IPX) command line options (they never did much anyway) cleaned up ARP. Pointed out by Jens Krabbenhoeft and Nathan Labadie. Baker <andrewb@sourcefire. 2002-11-07 Andrew R. Roelker <droelker@sourcefire.h) to libspp_a_SOURCES 2002-11-05 mfr <roesch@sourcefire.c: * src/mwm.c: * src/detection_plugins/sp_byte_jump.

Also fixed %25xx encoding and %uxxxx encoding for ascii characters. either in straight binary representation or as strings 2002-11-01 Andrew R.c: Fixed potential off-by-one bugs.c header comment block 2002-11-01 mfr <roesch@sourcefire. byte boundary checks 2002-11-01 mfr <roesch@sourcefire.c: * src/detection_plugins/sp_pattern_match.c: fixed various "issues" with the distance/within code.* src/snort.c: fix logic for generating decoder alerts * * * * * src/decode. Baker <andrewb@snort. Baker <> * src/detection_plugins/sp_byte_test.h: src/plugin_enum. detection plugin that lets us perform discrete value checks on numbers that are encoded in packet payloads.c: added test rules to the sp_byte_test.c: src/parser.c: * src/> * src/preprocessors/> . Still much work to be done but most of this will be added in the next version.h: doc/README: removed broken support for the "-a" (show arp) command line switch 2002-10-31 Andrew R.c: src/> * HAVE_STRINGS_H all over the place for bzero/Solaris first reported by John Whitson 2002-11-1 Daniel Roelker <droelker@sourcefire.h: * snort.c: added "-A cmg" alerting mode 2002-11-02 Chris Green <cmg@sourcefire.c: src/plugbase.8: remove ghetto message reference option (it has not worked since May) * src/output-plugins/spo_alert_fast.c: src/detection_plguins/sp_byte_test.c: fixed range> * src/decode. should work much better now also removed redundant calls to pattern matcher for rules with multiple content checks * * * * * src/> * src/detect.h: added sp_byte_test.c: src/snort.h: src/detection_plguins/> * src/detection_plugins/sp_byte_test. inclusion of strings.c: * src/snort.

c (AlertFlushStream): make AlertFlushStream adjust the base_seq upon a flush point (Thanks so much to qru for a reproducible test> * strtol fixes ( Dave Ockwell-Jenner ) * Merged in Glenn's changes for net-snmp port declaration * src/parser.c: removed pthread support (still need to remove MAX_INTERFACES cruft) 2002-10-30 Chris Green <cmg@sourcefire.c (GenHomenet & GenObfuscationMask): fix invalid reference to optarg * configure. Baker <> * src/fpdetect.c: add multiple options checks for plugins 2002-10-23 Chris Green <> * src/detection-plugins/*.c: * src/parser/> * src/> * src/detection-plugins/sp_clientserver.c (ParseRuleOptions): threshold added back * src/preprocessors/ * src/snort.c: Bogus port 0 initialization in fpEvalHeaderTcp/Udp.* src/util. (Dirk Geschke) 2002-10-18 Chris Green <cmg@sourcefire...h: add API for IpAddrSet data structure * removed "extern char *file_name" and "extern int file_line" from scattered places in the source 2002-10-29 Andrew R.h: * src/> * src/parser/IpAddrSet.c (CheckFromClient): hide this under a DEBUG_CS * src/preprocessors/spp_stream4.c (DEFAULT_MAX_SCANNER): change defaults back down 2002-10-22 Daniel Roelker <> * (Repository): removed autogenerated files use sh autojunk. this was a PITA) . Baker <andrewb@snort.c more output clean ups from James Hoagland 2002-10-22 Chris Green < to recreate them if you are using CVS to compile 2002-10-30 Andrew R.

h: . Reassembled packets are now inspected against no content> * src/log. (Jens Krabbenhoeft) * src/preprocessors/spp_perfmonitor. src/fpcreate.2002-10-16 Chris Green <cmg@sourcefire.c.c: .log_dir instead of local variable (Cameron Humpries) * src/log..sig_name field (Dirk Geschke) 2002-10-16 Dan Roelker <droelker@sourcefire.Fixed schema detection bug on MS-SQL enabled builds 2002-10-09 Chris Green <cmg@sourcefire.Transaction abstraction functions (Begin/Commit/Rollback) .com> * src/output-plugin/database.escape the signature name before trying to write it to the signature. 2002-10-14 Roman Danyliw <roman@danyliw.Reverted no content rule checks back to the original snort behavior.0 dev cycle win32 probably doesn't work yet.Fixed transaction SQL for MS-SQL .com> * src/output-plugin/> * src/decode.c: .com> * src/> * src/fpdetect.c (targetCompareFunc): .h: p->preprocessors for enable/disable status * src/fpcreate. :-) 2002-10-09 Marc Norton <mnorton@sourcefire.c (CreatePidFile): use> * src/output-plugin/database.Fixed incorrect return value for MS-SQL Insert() (Hans Nilsson) 2002-10-13 Chris Green <cmg@sourcefire.c (PrintXrefs): newlines on Xrefs.Fixed (PostgreSQL) sensor initialization to the sensor table by setting a default last_cid value . src/> * changed FatalError/exit codes * merged Sourcefire modifications into snort-head * kick off of snort-2.c (PrintICMPHeader): Removed newline amidst a sea of complaints from James Hoagland & other users :) 2002-10-16 Roman Danyliw <> Daniel Roelker <droelker@sourcefire. src/ compare function incorrect logic (pointed out by Pat Gorman) 2002-10-12 Roman Danyliw <roman@danyliw.Adjusted newlines for console statistics prettiness.c: ..h.c: .c: . pointed out by too many people to count :) * src/preprocessors/spp_portscan2.

src/mwm.h (Norton): Added Aho-Corasick state machine.c (ParseCmdLine): . This option allows the user to configure certain aspects of the detection engine. TCP state information.c. src/mpse.h: Added new optimized inline checksumming routines. fpcreate.h (Norton): Added an interface for multi-pattern match routines. * src/preprocessors/spp_httpflow. 'detection'. 2002-10-09 Chris Green <cmg@sourcefire.dsp to not require getrusage 2002-10-01 Chris Green <cmg@sourcefire.snort project file updates . src/preprocessors/http-resp. fpdetect.* analyzes packets as they come in and decides what happens to them.c: Added functionality for multiple CPU stats on linux. network traffic flows and percentages. * src/parser.*. * src/bitop. src/pcrm.*: Added an http protocol flow preprocessor that analyzes client and server traffic.varchar sql arguments for mssql .h: Added inline functionality for bit operations. Some of those stats are Mbits/sec. src/acsmx. * src/preprocessors/> * src/snort.h (Norton): Added modified Wu-Manber style multi-pattern matcher. * src/mstring. * src/> * Fixes from Chris Reid . * src/acsmx. etc.c. Alerts/sec. * src/mwm.Added new detection engine. Useful for HTTP performance.*. * src/pcrm.syslog option on non-win32 does not take the extra argument (Andrea Barisani) * updated snort.usertime -> systemtime misses .c. For use in spp_perfmonitor.* creates the new detection engine and initializes the detection engine components.c: Added a new config option. Used in the new detection engine. etc.*: Added a performance monitor that keeps stats on snort. * src/preprocessors/sfprocpidstats. using a deterministic finite automata.c: Optimized mSearch and mSearchCI. * src/mpse.h: Added new signature detection classification.

c .com> * src/log. mysql> UPDATE schema SET> * src/output-plugin/spo_database.DB schema v106 .make sure that a packet payload larger than those supported in the SQL INSERT are properly terminated.added ignore_bpf configuration option (from Michael Boman) ignore_bpf .c: moved setting the uri_count to this preprocessor to handle false alerts on reassembled packets. 2002-09-17 Roman Danyliw <roman@danyliw.last_cid more efficient by only storing the new cid value at shutdown . 2002-09-12 Roman Danyliw <roman@danyliw.2002-09-26 Chris Green <cmg@sourcefire. psql> UPDATE schema SET vseq=106.c (PrintICMPHeader): off by one error in printing Thanks to Dave Goldsmith 2002-09-05 Roman Danyliw <roman@danyliw.made the updating of the> * src/output-plugin/spo_database.removed extraneous CR/LF from sensor name 2002-09-05 Chris Green <cmg@sourcefire. This field will ensure that a cid will never be reused. Upgrading from v105 -> v106 is as simple as: mysql> ALTER TABLE sensor ADD last_cid INT UNSIGNED NOT NULL.Added the sensor.Do we want to create a new sensor definition every time the BPF filter is changed? The options are: [no 0]: (default) Create a new sensor definition if BPF filter has been modified [yes 1]: Ignore the BPF part when looking for the server definition 2002-09-03 Roman Danyliw <> * src/preprocessors/> * src/output-plugin/spo_database.c . psql> ALTER TABLE sensor ADD last_cid> * src/output-plugin/spo_database.c .com> * configure scripts updated to handle net-snmp as well as ucd (Glenn Mansfield Keeni and Abe Katsuhisa) 2002-09-25 Chris Green <cmg@sourcefire.last_cid field to the schema so the database can store the last used cid for a given sensor.c: (DatabaseInit) .

c: fix GenHomenet and GetObsfMask functions 2002-08-19 Chris Green <cmg@sourcefire.c .c (ParseCmdLine): -R <id> Include 'id' in snort_intf<id>. docs to come 2002-08-26 Andrew> * configure.c added thresholds to snort rules language.FatalError on unknown argument (ReassembleStream4): .pid file name (Phil Wood) * src/> * src/preprocessors/spp_stream4.c (ParseStream4Args): . .Improved error messages 2002-09-02 Chris Green <> * src/preprocessors/spp_perfmonitor.c: uri_count set if not alerting.c: Port changes from Andreas Ostling ( just like all the other ones now ) * win32/perf stuff from Chris Reid Will probably break again later the perf stuff is very highly subject to change * project fixes from Chris Reid 2002-08-16 Brian Caswell <> * src/preprocessors/> * src/util.Correctly mark sessions as established with asynchronous_link enabled 2002-08-14 Chris Green <cmg@sourcefire. Baker <andrewb@sourcefire.c src/threshold.c (ProcessPacket): reset uri_count (test case pointed out by Dan Roelker/Sourcefire) * src/preprocessors/spp_http_decode.c (ParsePerfMonitorArgs): typo in fmt string 2002-08-18 Chris Green <cmg@sourcefire.c: do not check fragments 2002-08-26 mfr <roesch@sourcefire.c src/rules.allow daemon mode to dump stats to syslog 2002-08-15 Chris Green <> * src/threshold.cleaned up win32 source packaging 2002-08-27 Andrew> * src/util.h src/> * src/preprocessors/spp_rpc_decode. Baker <> * src/snort.h src/ .

12 This checks the SYN flag is set regardless of the values of the ECN bits.c (LogSessionData): sp_session.c (SetupTelNeg): .c (PayloadSearchRawbytes): new pattern match option! rawbytes -. for those of you that like to think in C * src/detection-plugins/sp_pattern_match.cleaner alt_dsize checks .c (CheckANDPatternMatch): bug with multiple decoded alternative contents 2002-08-13 Roman Danyliw <roman@danyliw.normalization of telnet stuff into a separate buffer (this means logged packets will now look like they should on the wire) 2002-08-12 Chris Green <> * src/preprocessors/spp_telnet_negotiation.2002-08-13 Chris Green <cmg@sourcefire.h (DECODE_BLEN): my favorite constant typo.c (Check{AND OR}PatternMatch): .used to inspect the raw packet data instead of the alternatively decoded application packet buffer * src/decode.c (CheckDBVersion): fixed logic to detect the DB schema version correctly when support for MS-SQL and another database are present 2002-08-13 Chris Green <cmg@sourcefire.c: new option alert_odd_protocols set allowed_ip_protocols to the numbers you like and it will alert on all bad protocols * src/detection-plugins/> * src/preprocessors/> * src/preprocessors/spp_telnet_negotiation.only allow this to be called telnet_decode .make sure that we don't decode 1 byte past the end of the buffer -(SetTelnetPorts): preprocessor telnet_decode: 21 23 25 119 (now with port lists!) * src/detection-plugins/sp_pattern_match.c: . * src/preprocessors/> * src/output-plugins/spo_database.removing redundant function calls .c (ParseTCPFlags): adding mask bits to the flag checks (limitation pointed out by Dirk Mueller) example: flags: S.c (Stream4InitReassembler): turning off server side reassembly by default ( was what the default said it was ) * src/detection-plugins/sp_tcp_flag_check.c:221: warning: suggest parentheses around && within * src/detection-plugins/sp_pattern_match. tcp_flags & (0xFF ^ tcp_mask).

com> * src/preprocessors/> * preprocessor perfmonitor --enable-perfmonitor lots of statistics from Dan/Marc/Sourcefire 2002-08-06 Chris Green <cmg@sourcefire.c (ARPspoofPreprocFunction): .make unestablished sessions and established sessions mutually exclusive .com> * src/preprocessors/spp_stream4.ttl_limit will only alert if the packet ttl is less than 10 (TcpAction*): .com> * src/preprocessors/spp_stream4.ended up being the source of a few other bugs ) 2002-07-30 Chris Green <cmg@sourcefire.c (BuildPacket): .removed stream_pkt->packet_flag sets new ( makes no sense because we overwrite the packet_flags in BuildPacket ( pointed out by arron walters -.* src/perf-event.Session fix ( a different approach from Andreas Ostling ) (UpdateState) (UpdateStateAsync) .Mark the session direction establishments correctly (thanks to Andreas Ostling for noticing ) 2002-07-29 Chris Green <cmg@sourcefire.c (BuildPacket): .set to 0 (djr@sourcefire) 2002-08-12 Roman Danyliw <roman@danyliw.include packet w/ alert (Jeff Nathan) 2002-08-07 Chris Green <cmg@sourcefire.c (UpdateState): make session initiators more lenient 2002-08-04 Chris Green <> * src/preprocessors/spp_stream4.c (ReassembleStream4): .com> * src/preprocessors/> * src/output-plugins/spo_database.h: Integrated fix from Marc Norton/Sourcefire occasional endianness bug in checksum routines inlined checksum 2002-08-05 Chris Green <cmg@sourcefire.Move == TH_ACK checks to nearly the last of the checks and make catch all odder flag combinations .com> * src/checksum.c (Database) .Fixed length bug in code that generates the SQL INSERT statement into signature table 2002-08-08 Chris Green <cmg@sourcefire.c (ProcessEventStats): .

marty added distance/width as content options distance means there must be at least N bytes between 2 matches width means that there must be a match within N bytes 2002-07-23 Andrew> * src/preprocessors/spp_frag2. Baker <andrewb@sourcefire. not 4 2002-07-23 Chris Green <> * src/> * Merged in win32 fixes from Chris Reid (thanks again!) 2002-07-05 Andrew R.c: .com> * * * * Phil Wood ASN. Baker <andrewb@sourcefire.1 fix Phil Wood Classification fix Andreas Ostling's BPF comment improvement Just for the record.c (PrunePortscanners): .c (PrunePortscanners): Portscan2 fixes from Jed Haile ( thanks :-) ) * src/decode.fixed packet_flags problem with rebuilt packets 2002-07-03 Chris Green <cmg@sourcefire.fix null pointer dereference for non-IP packets 2002-07-09 Chris Green <cmg@sourcefire.lots of *nArgs = 0 instead of NULL .c (DecodeICMP): 8 bytes of extra info in a redirect.use & 2002-07-26 Chris Green <> * src/preprocessors/> * src/output-plugins/spo_SnmpTrap.c (CheckDsizeRange): .changed dsize check to always return 0 on fake tcp pkts ( mirrors change made on all other functions . ) 2002-07-08 Chris Green <cmg@sourcefire.added prototype for ipv6_print_hashing 2002-07-02 Chris Green <cmg@sourcefire.c: .c: * src/preprocessors/spp_stream4..switched to using pseudo random flush points * src/preprocessors/spp_portscan2..c (TcpAction): .com> * src/detection-plugins/> * src/output-plugins/spo_SnmpTrap.c: .c: added decode_alert_flag one may disable decoder alerts by using config disable_decode_alerts * src/preprocessors/spp_portscan2.

c (ParseIcmpSeq): htons(ds_ptr->icmp_seq) from Andreas Ostling 2002-06-20 Andrew R.c (ConvCompareFunc): .com> * From Jeff Nathan: Moved resp* stuff to the OTN instead of RTN * spp_conversation rewrite * portscan2 * SNMP updates from Glenn Mansfield Keeni <glenn@cysols.changed to use conf_flags for session initiation 2002-06-28 Chris Green <cmg@sourcefire.c (ParseConfig): missing return for config daemon thanks to Bill McCarty <bmccarty@apu.c (FatalError): fflush(*) * src/detection-plugins/sp_dsize_check. Baker <andrewb@sourcefire.h (PKT_STREAM_INSERT): added a packet marker for inserted stream packets 2002-06-27 Chris Green <cmg@sourcefire.c: fix event reference time for unified output 2002-06-20 Chris Green <> 2002-06-24 Chris Green <> * src/detection-plugins/> 2002-06-26 Chris Green <cmg@sourcefire.c * src/decode.fixed session equalness bug ( portscan2 should actually seem reasonable now ) (ConvFunc): .com> * src/preprocessors/> * src/> * src/> .c: dsize checks always will return 0 for rebuilt stream packets (CheckDsizeRange): added min<>max range support for dsize option Thanks to Andreas Östling * src/> * src/preprocessors/spp_conversation.fixed double delete of a tree node * compilation fixes from Chris Reid for win32 (Thanks!) 2002-07-01 Chris Green <cmg@sourcefire.

c (ReassembleStream4): .com> * src/preprocessors/spp_arpspoof. Baker <andrewb@sourcefire.c (read_infile): close fd for -F 2002-06-11 Chris Green <cmg@sourcefire.c (ASN1Decode): ASN1 fix from Chris Reid 2002-06-08 Chris Green <cmg@sourcefire.reinjected packets are now marked as established as well as rebuilt (UpdateState): .c Andrew Hintz bug reports (BuildPacket): .com> * src/preprocessors/spp_stream4.c: * src/decode.c: .* src/preprocessors/> * src/output-plugins/spo_log_tcpdump.h: make obfuscation work for all output plugins 2002-06-07 Chris Green <cmg@sourcefire. mode ( assuming iph is set doesn't work ) 2002-06-12 Chris Green <cmg@sourcefire.h (STREAM4_TTL_EVASION_STR): changed so that people recognize message as ttl_limit related and not message related 2002-06-04 Chris Green <cmg@sourcefire.c: * src/detect.h (FRAG2_TTL_EVASION_STR): changed TTL Limit exceeded message to make more clear 2002-06-08 Andrew> * src/generators.FreeToks fixes from Phil Wood 2002-06-16 Chris Green <cmg@sourcefire.c .parsing fixes from Phil Wood * src/util.c (LogTcpdump): fixed broken -b -l .c: Fixes from Jeff Nathan * src/preprocessors/spp_asn1.Server initiated: APF -> AF -> A was not properly terminating session 2002-06-13 Chris Green <> .com> * src/preprocessors/spp_stream4.accidentally inverted logic for async/normal sessions .marking streams as established correctly 2002-06-05 Chris Green <> * src/output-plugins/> * src/> * src/util.

c: fix obfuscation 2002-06-02 Chris Green <cmg@sourcefire.don't expand variables inside "'s 2002-05-21 Chris Green <cmg@sourcefire.c (InsertFrag): .c src/decode.c (Frag2Init): .c (CallLogFuncs): moved the traversal of the plugins ahead of the setting the packet logged flag since both check ( should both check? ) 2002-05-28 Andrew> .com> * src/log.* src/preprocessors/spp_http_decode.c: fix NULL pointer deref problem printing priority/class info 2002-05-27 Chris Green <> * src/output-plugins/log_tcpdump. Baker < added> * src/Makefile.fixed include order ( fixes compile on FreeBSD ) * src/preprocessors/> * src/preprocessors/spp_http_decode.c (VarGet): .c (ParseFlowArgs): .com> * src/> * src/preprocessors/spp_frag2.added {no_stream.h ( pointed out by Jeff Nathan ) 2002-05-30 mfr <roesch@sourcefire.allow duplicate first fragment to be disabled 2002-06-03 Chris Green <cmg@sourcefire.fatal error if undefined variable is called (ExpandVars): .h -> sys/> * src/log.left frag2 alerts on by default by accident (disabled) 2002-05-28 Chris Green <cmg@sourcefire.c (SetPorts): .only_stream} keywords to flow: used to suppress reassembled streams from being alerted on * src/plugbase.c: .c: Fixed non-functional embedded packet decode and printout for ICMP UNREACH and REDIRECT packets 2002-05-30 Chris Green <cmg@sourcefire.fatal error on invalid port description *> * src/detection-plugins/sp_clientserver. Baker <andrewb@sourcefire.h: changed machine/param.h 2002-06-03 Andrew R.

c (StoreStreamPkt): .c: .corrected some global namespace pollution 2002-05-15 mfr <roesch@sourcefire.c: * src/preprocessors/> * *.other work surrounding signature metadata 2002-05-14 Chris Green <cmg@sourcefire.remove IDMEF instead of leaving it in a broken state 2002-05-14 Chris Green <cmg@sourcefire.c: * src/preprocessors/spp_conversation.c to clean up after mSplit()'s * other sundry stuff. Baker <andrewb@sourcefire.[ch]: .h: .missing returns 2002-05-20 Chris Green <cmg@sourcefire.sheltered fast retransmission under evasion_alerts .com> * src/output-plugins/> * templates/sp_template.c: src/output-plugins/spo_idmef. Baker <andrewb@sourcefire.c: .c: src/> * looked over and indented the hell out of spp_conversation and spp_portscan2 * put a FreeToks() function into util.fixes for new SigInfo system * * * * * src/output-plugins/spo_idmef.c: * src/output-plugins/spo_alert_smb.c: * src/detections-plugins/sp_react.c: .added newer unidecode function from rfp .h: * src/preprocessors/spp_portscan2.IDMEF: src/plugbase.proper implementation of priority and reference signature metadata .c: * src/preprocessors/spp_portscan2.updated template for plugbase and modularity * src/preprocessors/spp_stream4.h: doc/README.h: . conversation and portscan2 should be ready for testing from what I can see now 2002-05-15 Andrew> * src/util.added SYN_SENT initialization state * src/preprocessors/> * src/preprocessors/spp_http_decode. Baker <andrewb@sourcefire.h (GenObfuscationMask): make compile on OS X 2002-05-14 Andrew R.[ch]: .com> * src/output-plugins/spo_log_ascii.added "internal_alerts" keyword 2002-05-19 Andrew R.c (CreateNewSession): .* src/preprocessors/spp_stream4.

moved all plugin alert descriptions here * src/plugin_enum.commented out spurious debug code * src/preprocessors/spp_stream4.cleaned up some NULL dereferences 2002-05-09 Chris Green <cmg@sourcefire.added SSNFLAG_HTTP_1_1.c (_Stream4Data): . SSNFLAG_SEEN_PMATCH .h (ReassembleStream4): session_flags converted to & check instead of == for establishment .more debug code .com> * src/snort.c (ProcessPacket): .disable evasion alerts 2002-05-12 Chris Green <cmg@sourcefire.moved SSNFLAG defines to decode.h (_progvars): ..c (DecodeTCP): .com> * src/preprocessors/spp_http_decode.c (StoreStreamPkt): .removed CallLogPlugins redundant call * src/generators.moved all PLUGIN_ constants to a single header * src/detection-plugins/sp_pattern_match.set p->uri_count * src/> * src/preprocessors/spp_stream4.h so that we have access to the Session data outside of spp_stream4 .moved Session.h: .added asynchronous_link useful for places that only see one side of a conversation .added min_ttl as a snort-wide configuration option config min_ttl: 1 to drop all things less than 1 config min_ttl: 0 to have none (default) * src/decode.c (ParseConfig): .fixed bug where we didn't just toss invalid packet after alerting on it in decoder (DecodeEapolKey): .c (PreprocUrlDecode): .c (PreprocUrlDecode): .c: .Stream to decode.added min_ttl check in front of Preprocess Check * src/snort.(UpdateState): mark session as established on asynch links 2002-05-13 Chris Green <cmg@sourcefire.cleaned up commented define * src/preprocessors/spp_http_decode.h .h: .fixed includes for WIN32 (Chris Reid) * src/preprocessors/spp_stream4.

changed to use TRH and VLAN macros bitpacked notation expunging should be done 2002-05-07 Chris Green <cmg@sourcefire.added uri_count (_HttpUri): .added HTTP version constants 2002-05-08 Chris Green <cmg@sourcefire.Fixed notcp.changed to added parameters (_UriParam): .com> * src/decode.c: integrated spp_http_decode.strcasecmp instead of strncasecmp * src/preprocessors/spp_http_decode.h .h: .noip to only disable .removed URI .com> * src/decode.added parameter datastructure (VTH_VLAN): .c (ParseConfig): * src/snort.h (_TCPHdr): . TCP_X2 Macros * src/> * src/preprocessors/spp_stream4.h (_Packet): .fixed missing paren * src/preprocessors/spp_http_decode.noudp.removing strncasecmp (PreprocUrlDecode): .c from rfp new option set: * unicode: decode unicode * iis_alt_unicode: %u000 encoding * double_encode : detect IIS decoding * abort_invalid_hex: detect only up until the first broken encoding * drop_url_parm: don't decode the stuff following ? * iis_flip_slash: substitute / for \ ( C:\DOS\RUN ) * full_whitespace: treat \r and <tab> as <space> 2002-05-06 Chris Green <cmg@sourcefire.changed to use TCP_OFFSET.c (ParseCmdLine): .* src/decode.c: fixed retransmission checksum alerts to live under evasion * src/detection-plugins/sp_pattern_match.c: Added UriBufs * src/decode.moved to using UriBufs * src/decode.c (SetPorts): .noicmp.h: commented out PATTERN_FAST until it works .

Plugins that use ip_ver.c: .c: don't process fragments * src/preprocessors/spp_frag2.c (EvalPacket): . No more bit packed notation allowed in the source tree.c (Frag2Init): fixed argument parsing * src/preprocessors/> * src/preprocessors/> * src/preprocessors/spp_frag2.h: internal alerts from spp_http_decode 2002-05-01 Andrew R.c: * src/output-plugins/spo_unified. SET_IP_HLEN after thinking about tcpdump and what Fyodor had talked to me about months ago regarding cross platform compatibility.fixed alert ip rules (got clobbered when playing detection engine optimizations ) . SET_IP_VER.c: separated evasion alerts from retransmission/state evasion alerts default to being on now disable with disable_evasion_alerts 2002-04-24 Chris Green <cmg@sourcefire. ip_hlen should be tested.c (InsertFrag): .* src/> * src/plugbase.adding detection of attack where we would start reassembling packet fully before the full fragtracker is there * src/detect. Baker <andrewb@sourcefire.generate proper events when decode errors happen * src/plugbase. * src/preprocessors/spp_stream4.c (InsertFrag): make sure that we don't run out of memory if someone sends us the same fragment over and over again duplicate first frag is a special case 2002-04-23 Chris Green <> * Introduced IP_VER.c (InitPlugIns): SetupFragOffset() * src/detection-plugins/sp_ip_fragbits.added fragoffset: fragoffset: [!<>] <integer> . No more twiddling.c: cleaned up startup message printing 2002-04-25 Chris Green <cmg@sourcefire. IP_HLEN.

c (TraverseFunc): ..added check for retransmitting too fast w/ a different data size .h DEBUG_FRAG2 * src/preprocessors/> * More win32 Service patches from Chris Reid ( Thanks! ) 2002-04-18 Chris Green <cmg@sourcefire. Frag mem faults are of this but each time one occurs..c (Frag2Defrag): added ttl_limit detection * src/generators.added next seq check on reassembly . expire.alert on frag2 overlaps To do this requires keeping the packets around for a while longer to detect all the multiple fragments and overlaps Changed the PruneCache to prune them in addition to going to increase because there should be plenty to notice when things are completed and just by time.c (StoreStreamPkt): -.c (Frag2Defrag): Warn/Discard on fragments with IP Options set.h (FRAG2_TTL_EVASION): added * src/preprocessors/spp_stream4.next_seq added (StoreStreamPkt): ..first cut at TTL evasion detection keyword: ttl_limit <count> for TCP Sessions . it's ugly as sin right now (_Stream): . just throw it away for the moment) 2002-04-19 Chris Green <cmg@sourcefire.defined in fragbits so that I can backport it.added alerts on retransmitted sequences.c (InsertFrag): .com> * src/preprocessors/spp_frag2.added tcp checksum retransmission checking (how much do I need to worry about data with the same checksum and different payloads. * src/preprocessors/spp_frag2. 2002-04-22 Chris Green <cmg@sourcefire.. (ParseFrag2Args): min_ttl ttl_limit detect_state_problems * src/> * src/preprocessors/spp_frag2.

c: src/preprocessors/> * add profiling configuration option * src/parser.c: src/> * src/debug.c (PrintIPHeader): Modified fragment offset calculation (reported by Judy Novak) 2002-04-07 Chris Green <cmg@sourcefire.c (GetDebugLevel): accidentally returning debuglevel instead of debug_level * src/log.h: * src/parser.c: Missing includes 2002-04-06 Chris Green <> * * * * * src/preprocessors/spp_stream4.c: fix unified brokenness 2002-04-10 Andrew> * src/spp_portscan2.c: src/preprocessors/spp_frag2. Baker <andrewb@sourcefire.c: src/log.c (ParseStream4Args): added missing parsing line back in 2002-04-10 Andrew R. Baker <andrewb@sourcefire.2002-04-16 Andrew R.c: correct NULL pointer dereference 2002-04-08 Chris Green <cmg@sourcefire.h: * src/> * src/detect. Baker <andrewb@sourcefire.c: * src/parser.c (ParseTcpAck): * src/detection-plugins/sp_tcp_seq_check.c: make log file timestamps work the same as in unified 2002-04-09 Chris Green <cmg@sourcefire.c: Plugin API cleanup * src/output-plugins/spo_log_tcpdump.c (ParseTcpSeq): Phil Wood's Parsing Change 2002-04-05 Martin Roesch <> * src/preprocessors/spp_stream4.c: fix broken event reference info for unified output 2002-04-15 Chris Green <> * src/output-plugins/spo_unified. Baker <> * Fixed --enable-debug * src/preprocessors/> * src/plugbase.c: new changes from Jed/Jason 2002-04-08 Andrew> .c (EvalHeader): Corrected incorrect ignore with -z est and PKT_REBUILT_STREAM * src/detection-plugins/sp_tcp_ack_check.

.. Baker <andrewb@sourcefire. Baker <> * src/> * Modularization cleanup 2002-04-02 Chris Green <> * config.. I guess we should kowtow to the x86 crowd.c (GetDebugLevel): only initialize debug_level once ( now easier to use gdb set command ) * src/preprocessors/spp_portscan.* detection engine now walks RTN and OTN lists iteratively instead of recursively...h: DEBUG_WRAP defined DEBUG WRAP used everywhere.uri with a packet flag * src/preprocessors/spp_http_decode. 2002-03-31 Chris Green <cmg@sourcefire. * RTNs are now sorted by destination port number allowing for earlier exit from the detection engine in the average case and improving performance * destination port is now the first thing checked when an RTN is processed (for UDP/TCP traffic) 2002-04-05 Chris Green <> * src/debug. * src/preprocessors/spp_conversation.11b stuff * src/detection-plugins/sp_pattern_match. Jr.thanks for being so patient with me ) 2002-04-04 Chris Green <cmg@sourcefire.c: Integrated Mike Fisk's SetMatch stuff ( large performance increase -..c (PreprocUrlDecode): .c (SnortMain): Extra call to initoutput plugins commented out.. * src/detect.h should be included almost everywhere.'s> * src/> * src/detection-plugins/> * Merged in Nick L.c (CheckUriPatternMatch): Check for URI.c: ignore rebuilt stream 2002-04-02 Andrew R.c (CallAlertPlugins): DEBUG_WRAPPED Andrew's printfs' 2002-04-03 Chris Green <cmg@sourcefire.Moved decode ignore check up ( I don't think this is actually .c: No processing on reassembled stream packets * lots of compilation fixes * started adding spp_conversation 2002-04-01 Andrew R. Petroni.

Baker <andrewb@sourcefire.c: fix file rotation bug in spo_unified write IPs in host order like everything else is * src/parser.c (ParseRuleOptions): filename -> file_name for compilation 2003-03-26 Andrew R.fake_packet check (old stream stuff) 2002-03-27 Chris Green <cmg@sourcefire.h: ..uri to u_int_8t[URI_SIZE] .h: removed> * src/preprocessors/> * src/detect.c (DumpChain): DebugMessage stuff. 2002-03-29 Chris Green <cmg@sourcefire.used anywhere ) .Added PKT_HTTP_DECODE to show if URI was filled in 2002-03-31 Andrew R. now we only complain for unrecognized rule options. * src/parser. Baker <andrewb@sourcefire.c : Initial work towards a true unified output.Changed URI.c : More debug messages in Stream4 * doc/PROBLEMS: Added file to document bugs that we really can't work around easily and aren't necessarily> * src/output-plugins/spo_alert_unixsock.c (ReassembleStream4): * src/> * stop stream4 from clobbering itself (Pascal Bouchaeine) . 2002-03-25 Chris Green <> * start work on cleaning up the output API 2002-03-30 Chris Green <> * src/output-plugins/> * src/parser.URI_SIZE is 512 (should create an alert when that size is exceeded) .c : Add support for "special" output plugins * src/output-plugins/spo_unified.c: updates to the rule parser.h : * src/output-plugins/spo_unified. Baker <andrewb@sourcefire.Moved some functions into CheckHTTPDecode * decode. 2002-03-26 Chris Green <cmg@sourcefire.c: lots more checking for valid packets on things like portscan alerts 2002-03-29 Andrew> * src/preprocessors/spp_stream4.

c into parser. from> * src/plugbase. from server) * cleaned infinite loop in regex * fix double PID write (reported by phil wood) * updated docs * ton of new signatures * split> * Place IP checks after port checks for 1..c h * smarter pruning for segments that have only partially been streamed * ethernet headers are now filled in for rebuilt packets * added case for stream segments that hadn't been completely handled in previous flush * added another interface init call when entering daemon mode for linux boxen that lose promisc mode when the process forks * strncat in sp_reference * opts[1] fix to plugin args passing * updated changes to db stuff from Roman * removed $default_directory from mysql_directory definition to allow --with-mysql to work again and select a non-default installation * fixed calloc call for PPPoE debug #ifdef DEBUG . few new features) * updated BUGS for jackasses on Bugtraq * fixed a bunch of stream4 stuff * cleaned a ton of signatures (see signature CVS logs for info) * number of FAQ updates * removed unstable/orphaned/unmaintained/deprecated code as we get ready for> * initial add of flow: to signatures 2002-03-21 Chris Green <cmg@sourcefire. to server.c h and> * readded this file :) * re-enabled udp portscan detection * updated ICMP text printing (few bugs.allow multiple plugins to start with same prefix 2002-03-23 Brian Caswell <bmc@snort.2002-03-24 Chris Green <> * Fixed Teardrop detection in frag2 ( Forward bugfix from Marty ) * Replaced most instances of #ifdef DEBUG\nprintf(.c (RegisterPlugin): ..9 (based on patch from Christian Mock) * Fixed test header checks (greatly responsible for slowness on multiple CIDR blocks) (Christian Mock) 2002-03-19 Chris Green <cmg@sourcefire.) 
with DebugMessage 2002-03-11 bmc <bmc@snort.0 * massive directory structure reordering * frag2 options code cleanup (cmg) * fixed pattern match exit conditions (cmg) * improved stats calculation (phil wood) * tweaked decoder code * improved ICMP ASCII output * fixed no-packet bug in spo_unified * moved alert code in spp_frag2 so packet is logged for teardrop * many stream4 fixes * added sp_clientserver (to client.

etc added classifications for spp_fnord mods to icmp ASCII log code for more informational printouts added enhanced conf file parsing for frag2 (Chris Green) added pattern match fixes (Chris Green) added enhanced resolution of TCP retransmissions to stream4 changed default behavior of frag2 to favor old data over new * fixed screwed up fragbits printout * Fixed pointer arithmetic in calls to PrintNetData (thanks to Andreas Östling bugreports) * ntohs(p->iph->ip_len)> * Fixed crash in frag2 under Linux * Fixed flexresp code. PID files go in the right place now * fixed stability problems in stream4 * fixed stability problems in frag2 * tweaks to spo_unified for better integration with barnyard * added -f switch to turn off fflush() calls in binary logging mode * added new config keyword to stream4. 2001-11-02 mfr <roesch@sourcefire.should we have a p->ip_len? * don't complain about NULL ptr if p->dsize == 0 * Still has one nit in that a badly framed packet is counted twice in -v mode2 2001-11-29 bmc <bmc@snort. should reset properly now after getting a signal * fixed PID path generation code.c> added * * * * * * * cleaned up decode.h * cleaned up decode.conf file. * Added spo_log_null to give users an option to deactivate logging output from the snort.h * Added -B command line switch to translate IP addresses in pcap files from one subnet to another (see the man page).com> * SNMP alerting support added by Glenn Mansfield Keeni & K. Jayanthi * IDMEF output support compiled in by default now * regex keyword code repaired. responses should be generated more quickly * fixed rules parser code for various failure modes * several new rules files and a new classification system 2001-08-14 mfr <roesch@sourcefire. limited wildcard regex now available .* Fixed pointer math for Stream4 session ( IOU: Phil Wood. 
which causes all buffered packets in the stream reassembler for that session to be logged in the event of an event on that stream (must be used in conjunction with spo_log_tcpdump) * added packet precaching for flexresp TCP packets.c indentation. 1 Bar tab ) * Fixed suicidal tree pruning * ifdef AF_INET6 for decode. "log_flushed_streams". etc * added classifications for spp_fnord * mods to icmp ASCII log code for more informational printouts * added enhanced conf file parsing for frag2 (Chris Green) * added pattern match fixes (Chris Green) * other stuff that escapes me right now * pflog decoder support from Robert Fleck <rfleck@cigital. session sniping should work again and be faster to boot * Fixed ICMP decoder and printout routines for new ICMP header data structs in decode.h from> * fixed UTC timestamps * fixed SIGUSR1 handling.

config' file 2001-04-19 bmc <bmc@mitre. spp_stream4 * Snort can now statefully detect ECN traffic (less false alarms) * stream4 can now keep session statistics in a "> 2001-04-20 fy <fygrave@tigerteam. revision and event ID info to each alert * detection engine only alerts once per packet now. Bytes. etc) much better now * repaired frag2 IP> * a couple of fixes in> * added new IP defragmenter. spp_frag2 * added new stateful inspection/tcp stream reassembly plugin. and refs * rpc_decode plugin (Defeats attacks laid out by Robert Graham's SideStep) * telnet negotiation normalization plugin (Defeats attacks laid out by Robert Graham's SideStep) * BackOrifice plugin (Can bruteforce BO keys. classification. Snort picks up fragmentation attacks (teardrop. tcp stream code doesn't generate another alert packet if a previous one already alerted for that stream * fixed signal handling on svr4 systems * added enhanced cross reference printout to full/fast/syslog alert modes * added new high speed checksum verification (on x86) routines * added new ARP spoof detection preprocessor from Jeff Nathan <> * A couple of coredump fixes from Phil Wood * Solaris compilation fixes (and other minor tweaks I don't remember) * Incorporated WIN32 patches (and fixes) from Chris Reid * ms-sql support from Chris Reid * contrib/create_mssql 2001-07-09 mfr <roesch@sourcefire. now 100% stable and functional * tweaks made to stream4 TCP stream reassembler. now 100% stable * Win32 code integrated with main Snort source now * fix for -r mode crash when no other command line options specified * fix for logfile names using ":" under win32 * tag code repaired * spp_arpspoof repaired * stream4 alerts are now off by default * syslog alerts now support standard GEN:SID:REV data 2001-08-04 fy <fygrave@tigerteam.* new packet counters added to Snort stats output for frags and streams * http_decode preprocessor modified to normalize %u encoding * new detection modes in frag2. plus generator. 
Defeats attacks laid out by Robert Graham's SideStep) . now only alerts once per packet * added unique Snort ID's to every Snort rule.c * spelling fixes in 'classification.conf now) * priority & classification plugin by Brian Caswell * output plugin support for> * added ability to tag sessions & hosts (By Seconds. spo_unified * added new data structs/management for tag code * added -k switch to tune checksum verification behavior * added -z switch to provide stateful verification of alerts * modified behavior of http_decode. and Packets) * ip protocol rule support * added 802.1q VLAN support * extensive configuration file config options (you can put your commandline options in snort.log" file * added new high-speed unified binary output system.

really :-) .. Specify filename of the binary output log when combined with "-b" * added -G commandline option. * A bunch of fixes for MTU discovery routine * New debugging routines. Turn on "ghetto" backwards compatibility for people that need references in the MSG field * added -I commandline option.Fyodor) * optimized database schema (Support for> * tcp stream reassembly updates by Chris Cramer * path fixes for include <file> (now relative paths will be substituted by path of the main file) * DLT_LINUX_SLL support fixes * strlcat/strlcpy functions are being incorporated * Attempt to support MacOS platform..* uricontent keyword pattern match.rules') * linux_sll (interface 'any') support fixed (According to the new libpcap spec) By Fyodor * new debugging code. TCP Window Size can be looked now * added CSV output (see README.csv for more information) By Brian Caswell * added sp_same_ip_check.c for more info) Idea from Eugene Tsyrklevich * strl* family functions (mostly for future developers. (If the user can usually sniff from pcap) By Brian Caswell * Improved UNICODE detection by Koji Shikata * added sp_tcp_win_check. we'd encourage these to be used) (original code also supplied by Eugene) * new tcp stream reassembly module by Chris Cramer * include directives now are relative to snort.conf testing!! * added -L commandline option.prestige. Checks for the same SRC & DST (Usually sign of a DOS attack) by Phil Wood * added variable lookups for include directives (eg 'include $RULESPATH/myrules.) * UTC cleanup by Andrew Baker * http_ignorehosts added from Matt Wachinski 2001-03-14 fy <fygrave@tigerteam.. 2001-01-02 mfr <roesch@md. 
No more #ifdef> * tcp stream reassembly preprocessor (beta) by Chris Cramer * Defragmentation plugin is now fully functional on all architectures * SPADE (Statistical anomaly detection) preprocessor has been added by James Hoagland * Added IIS/UNICODE attack detection to HTTP decoder * Reference plugin has been added by Joe McAlerney * New active response module: sp_react * Added "any" keyword to IP options (ipopts) plugin * IP fragmentation bits detection plugin added .net> fy <fygrave@tigerteam./snort. Prints the interface that the alert was received on * added -y commandline option.conf file location (unless full path in a config file is given) * snort will look for /etc/snort. Adds YEAR to the timestamps * Fixed timestamp output problem on some ARCHs * ability for non-root users to sniff. (Now you can look at the URL instead of the entire packet) * added -T commandline option (Does entire setup process. added signature normalization. but stops after its done setting up) great for snort.conf and . .conf if no config is given on the commandline * minor null ptr fixes and patches there and here (thanks to all of you guys who helped tracking them down. (see debug.

uni-erlangen. printout dumps encapsulated headers now * Improved TCP/IP options printout code.conf file within chroot directory (and all the other relevant files as well). you have to have snort. 2000-07-22 mfr <roesch@md. now. Urgent pointer> * Database output plugin improved in many ways by Jed Pickel * Oracle support added to database output plugin * XML output plugin by Jed Pickel/Roman Danyliw/CERT * IP address list support added with lots of help from Phil Wood * <interface>_ADDRESS variable implementation. The only file which will be placed outside chroot directory is snort pid file. doesn't crash as readily * Arbitrary output types support added by Andrew Baker * Activate/dynamic rules allow rules to turn on/off other rules! * ICMP unreach. specifying an interface name in the rules file as part of this variable automatically sets the IP/mask as the IP address/netmask of the specified interface * Rule parser is more anal about rule verification now.conf. if chroot is used. * chroot behaviour has been changed.Meier@informatik. Snort will dump packet stats to console/syslog when it receives a SIGUSR1 * Memory management cleaned up/lots more free()'s to match up with malloc()'s * Added snprintf code to the distro for safety * UID = 0 code added for sniffer mode * fixed default alert filename for daemon mode * Updated USAGE file to resemble Snort's current reality * Changed snort-lib to snort. TCP/UDP header length. Jed Pickel added lots of documentation to the file as well (thanks Jed!) 
* Pid file will not be created if -D switch is not> * Fixed compilation problems on all non-BSD operating systems * Added better configuration support for locating libpcap * Fixed ICMP ping packet id/sequence printouts * Made allowances for 64-bit machines in the decoders * Updated the portscan detector to the latest version * Disabled the defragmenter by default (in the rules file) * Added a patch from Dave Dittrich to make daemon mode alerts filenames conform to the data in the documentation * Revamped the ICMP data structures to mimic those found in *BSD and provide for higher fidelity decoding/printout in the future * Repaired the output plugins so that they operate properly now * For the record. IP Reserved bit printout. ICMP Type/Code explicit value printout * -X switch dumps packet byte data for data link through application layer * -L switch to provide a filename for binary log files specified with the -b switch * Added -I switch to print interface name in Snort alerts (first i/f only) * Fixed -S command line switch so it isn't overridden by variables in the rules file * Corrected PID file misadventures * Added a bunch of new statistics to the packet stats printout * Added SIGUSR1 handler.* Added TOS detection plugin from Erich Meier <Erich. the payload dump conforms to the length of the IP datagram now and does not show pad bytes added by the minimum Ethernet frame size . doesn't flood on 0 length options * Packet checksumming implemented for all supported protocols by Chris Cramer * TCP flags now print out in proper (bitwise) order * Added new fields to the packet header dumps including IP header length.

2000-07-08 mfr <roesch@md.prestige.net>

    * Integrated a HUP patch from J Cheeseman to prevent the command line parser from screwing up the command line at HUP
    * Switched TCP flags printout routine to ensure proper RFP output
    * Fixed default log/alert function code so that these functions are never NULL
    * Made exit code delete the PID file in all run modes.
    * Modified the PID write out code to work in all run modes, and made the system detect/verify the _PATH_VARRUN variable and define it if needed
    * Added a little tweak from Fyodor for Makefile.
    * Activated the BPF compiler optimization switch

2000-07-06 mfr <roesch@md.prestige.net>

    * Fixed timeval problems on Linux boxen
    * Tru64 u_int* type declarations check for .h existence
    * CP added checks for .h into configuration script
    * CP added a default definition for _PATH_VARRUN
    * Added support for unconfigured/stealthed network interfaces

2000-03-20 mfr <roesch@md.prestige.net>

    * Version 1.6 released! (see the www. website for more information)

2000-03-18 mfr <roesch@md.prestige.net>

    * New preprocessor plugin: IP defragmentation!!
    * New output plugins cover all old logging and alerting options
    * New output plugin now logs to unixODBC databases
    * Updated portscan detection functionality
    * Added quote removal for most plugin parsers
    * -C crash bug fixed
    * PID/PATH_VARRUN file fixes
    * Converted many putc(3) calls to fputc(3) for portability
    * Transport layer decoders use ip_len field for length metric now
    * String tokenizer code modified for more reliable operation
    * Fixed flexible response code sequence prediction
    * Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all platforms
    * Set automake options so that people don't need gmake anymore to build Snort on BSD systems
    * Fixed SMB alert code large tmp file hole
    * Added sigsetmask code to fix SIGHUP weirdness
    * Added execvp option for SIGHUP restart code
    * Added ARP header printout validation
    * Added Session logging file integrity checking
    * Added -u/-g setuid/gid capability switches
    * Added -O IP address obfuscation switch
    * Added -t chroot switch
    * Fixed non-TCP/UDP/ICMP transport layer decoding & logging
    * Fixes and additions to the portscan preprocessor
    * Database logging plugin has been modified extensively.

2000-03-16 mfr <roesch@md.prestige.net>

    * Moved the "session" keyword code to a plugin

2000-03-15 mfr <roesch@md.prestige.net>

    * Added Postgres (PostgreSQL) database logging module from Jed Pickel

2000-02-26 mfr <roesch@md.prestige.net>

    * Source Port traffic rules adjusted not to pull alerts on 53<-->53 UDP
    * Added content-list rules
    * fixed a stupid crash bug on the "logto" keyword parser
    * put in a couple of command line switch validators to catch potential invalid arguments
    * fixed a potential crash bug in the ClearDumpBuf() function
    * added -C command line switch to print packet payloads as ASCII only, with no hexdump

2000-02-07 mfr <roesch@md.prestige.net>

    * Added RCS Id tags to all the files
    * fixed a problem with pass rules not being applied properly
    * fixed a #include ordering statement for Slackware 4.
    * Patrick Mullen's portscan preprocessor is added.
    * Update of Patrick's portscan preprocessor.
    * Patrick Mullen's patch to ...
    * Patrick Mullen's changes to ...
    * "zero netmask" problem: once they are committed and applied, they should take proper values. :)

2000-01-17 cp <fygrave@tigerteam.net>

    * modified minfrag preprocessor to only catch tiny frags on the home net ("home" keyword) or any traffic ("any" keyword)
    * implemented command line override of output plugins: alert and log switches on the command line will disable output plugins in favor of their configured activity
    * John Wilson's update to insensitive pattern match code added.

2000-01-12 cp <fygrave@tigerteam.net>

    * Added syslog PID patch from Ralf Hildebrant
    * Added IPv6 counter from Erich Meier
    * Added INADDR_BROADCAST patch from Steve Beaty (and appropriate fixes)
    * Fix in rules.c: routines have been fixed to handle NULL pointers.
    * Minor fix to configure.

2000-01-08 cp <fygrave@tigerteam.net>

    * Token Ring decoding is now fully functional; the Token Ring changes are from Herb Commodore.
    * Added Token Ring layer 2 printout routine
    * Patch from Herb Commodore to configure applied
    * Added "-q" support to the output plugin modules
    * Revamped the output plugin subsystem so that it conforms to the API standards laid out in the rest of Snort
    * CP set defaults for the alerting and logging facilities
    * Added Tru64/Alpha support

2000-01-03 mfr <roesch@clark.net>

    * Improvements to content-matching code and implementation of case-insensitive matching from John Wilson
    * Added SunOS patch from Denis Ducamp
    * Changed name ParseFlags --> ParseTCPFlags in sp_tcp_flag_check.c since that's what it really is.

1999-12-08 mfr <roesch@clark.net>

    * preprocessor plugins (major new functionality!)
    * detection plugins (major new functionality!)
    * variables can now be specified in the rules file
    * include files can now be specified in the rules file
    * Session recording capability
    * Rules may now contain multiple "content" match keywords
    * New IP options detection module, allows IP option inspection
    * New HTTP decoder preprocessor defeats evasive web scans (whisker, ...)
    * TCP options decoder split into decode/log modules and recoded
    * IP options decoder split into decode/log modules and recoded
    * Token Ring layer 2 decoder (still in development)
    * ISDN-Raw layer 2 decoder (I4L)
    * ISDN-IP layer 2 decode (I4L)
    * ISDN-Cisco layer 2 decode (I4L)
    * Fixed PPP layer 2 decoder
    * NULL/Loopback layer 2 decoder
    * daemon mode code cleanup
    * tcpdump readback mode code cleanup
    * experimental support for UNIX socket alerting
    * fixed C++ comments in snort.c
    * detection engine has been heavily modified to implement the new "linked-list-of-function-pointers" concept, which makes the detection engine more efficient, more flexible, and faster!
    * Added packet buffer cleanup code to all protocol decoders
    * fixed a problem with improper TCP option output
    * Added a Snort man page

1999-10-18 mfr <roesch@clark.net>

    * snort.c:
        * threw out tcpdump file readback code and implemented open_pcap_offline solution. Has the added benefit of allowing BPF filters to be used to modify file readback streams.
        * fixes snaplen issues with reading back tcpdump files.
        * binary log files now update properly (fflush added)
        * internal rules list integrity testing
        * IP fragments are no longer sent to the detection engine, just the preprocessor's. This is incentive for me (or someone) to write an IP defragmentation preprocessor!
        * post-decode function call sequence has been modified to go into the preprocessor system instead of the detection engine
        * Fixed MTU snafu.
    * decode.c:
        * Rewrote ARP decoder. ARP is now handled in a much more consistent and correct manner. The decoder is much simpler (but the log routines are far more complex).
        * Horsed around with the TCP and IP option decoders. I think they work better now.
    * log.c:
        * Added ARP printout and logging routines.
        * added session dump command line switch
        * Fixed stupid crash bug in LogPkt()

1999-10-13 mfr <roesch@clark.net>

    * log.c:
        * added session data logging functions: OpenSessionFile(), DumpSessionData().

1999-09-26 mfr <roesch@clark.net>

    * snort.c:
        * activated CyberPsychotic's daemon mode code (use the -D switch for daemon mode)
        * default logging directory changed from "." to /var/log/snort
        * sanity checks performed on the default log dir now
        * new command line options -A, -N, -p, -b
        * logging and alerting functions are now selected and assigned to function pointers for faster/more efficient logging
        * got rid of -f command line option (superseded by -b)
        * put in new cleanup code for readback mode
        * ripped read_infile from tcpdump to read BPF filter files
        * cleaned up crappy logic around the logging functions with nice clean function pointers (aaaahhhh...)
    * decode.c:
        * changed the truncated Ethernet header notification to only go off in verbose mode
        * removed cruft
        * fixed crashes on non-PC arch.
    * rules.c:
        * new option keywords: dsize, offset, depth
        * Added in greater-than and less-than modifiers for dsize option keyword. You now have another (cheap!) way to look for buffer overflows
        * Removed range checking for the ICMP icode and itype option keywords so that DoS attacks and covert activity could be more easily filtered/monitored
        * added bidirectional rules functionality (now Snort goes both ways...)
        * Rules may now contain "!" on the IP addresses to indicate anything BUT the given address
        * added support for the exception operator to work for ports
        * fixed stupid pointer initialization bug in ProcessHeadNode()
        * code cleanup in support of new functionality
    * log.c:
        * added support for the new default logging directory
        * added code to AlertMsg to make sure that there was in fact an alert message to print out

1999-08-06 mfr <roesch@clark.net>

    * snort.c:
        * broke out alerting function into separate subfunctions
        * ditto logging functions
        * fixed string termination code in the SMB alerter so that it can now alert to more than one box at a time
        * cleaned up syslog messages
        * finally fixed the SMB "alert once" problem (kudos to Gandalf Schaufelberger for that one)
    * libraries:
        * fixed the backdoor and scan libraries so they should false alarm less often

1999-08-05 mfr <roesch@clark.net>

    * rules.c:
        * Added Ron Snyder's "address negation" patch.

1999-08-04 mfr <roesch@clark.net>

    * snort.c:
        * fixed some DEBUG statements
        * enabled the daemon mode code (this is still experimental)
    * log.c:
        * fixed various and sundry DEBUG code
        * fixed the TCP option decoder so it wouldn't overflow its printout buffer and cleaned up the temp buffer
        * fixed a buffer copy problem with the daemon mode alert logging
        * fixed the SMB alerting code and the standard log output when in SMB alerting mode
        * cleaned up some of the fragment logging code
    * rules.c:
        * fixed some DEBUG code
        * fixed the logto rules option coding to work properly
        * Fixed a bug in the netmask generation code that wouldn't allow certain CIDR blocks to be ...
    * fixed a whole bunch of little problems that are screwing up big endian/non-PC machines. This version should work and compile much more cleanly on all architectures!
    * fixed some more sparc configuration problems
    * other: fixed a bad rule in the RULES.SAMPLE file and another bad one in the misc-lib file
    * other: CyberPsychotic sent a new ftp buffer overflow rule in

1999-08-01 mfr <roesch@clark.net>

    * configure.in: Made the SMB alerting a configure-time option. This is a safety measure. If you want to use the SMB alerting feature, you need to specify "--enable-smbalerts" when you run configure; read the INSTALL file for the reasons why! Thanks to Nick Rogness for the heads up on this one!

1999-06-21 mfr <roesch@clark.net>

    * rules.c: Wrote brand new detection engine. The new engine uses a 2-dimensional linked list with recursive node ... Rules are grouped by address/port commonality and then option chains are linked to common head blocks. This reduces the number of tests required to find a specific test to perform, and reduces the total number of tests performed on a given packet in all cases by 200-500% over version 1.1.
    * decode.c: Rewrote the packet decode engine. The new engine performs far fewer copies and tries to set pointers to defer expensive function calls as late as possible. The PrintIP and Net data structures have been eliminated so that there is no global data required to perform tests or log a given packet. This will make any future multithreading efforts much easier.
    * log.c: Much of the logging system was rewritten to take advantage of the new detection and decoding engines.
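As an added illustration of the detection engine described in the 1999-06-21 entry above (example code written for this page, not Snort's rules.c), the block below builds a small rule tree of the same shape: rules sharing a header hang off one head node so the address/port test runs once per group, each rule's options are a chain of function pointers walked recursively, and one option checks the TCP flags byte for the two reserved bits (the Queso signature). The rules, packets and names (RuleHead, OptNode, classify, classify_sample) are assumptions of the example.

```c
/* Added example, not Snort code: a miniature of the "rules grouped by
 * header, option chains as linked function pointers" detection engine.
 * All rules, packets and type names here are constructed for this page. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t sip, dip;
    uint16_t sport, dport;
    uint8_t  flags;            /* TCP flags byte; 0x40/0x80 are the reserved bits "1"/"2" */
    const uint8_t *payload;
    size_t   plen;
} Packet;

typedef struct OptNode OptNode;
typedef int (*OptTest)(const Packet *, const OptNode *);

/* One rule option: a test function plus the parameters it reads. */
struct OptNode {
    OptTest     test;
    const char *str;           /* content: pattern */
    size_t      slen;
    uint8_t     flags;         /* flags: exact TCP flags byte */
    size_t      lo, hi;        /* dsize: inclusive payload size range */
    const OptNode *next;       /* next option of the same rule (all must pass) */
};

typedef struct Rule {
    const char *msg;
    const OptNode *opts;
    const struct Rule *next;   /* next rule under the same head */
} Rule;

/* Head node: the header part shared by every rule hanging off it. */
typedef struct RuleHead {
    uint32_t sip, smask, dip, dmask;   /* mask 0 = any */
    uint16_t sport, dport;             /* 0 = any */
    const Rule *rules;
    const struct RuleHead *next;
} RuleHead;

static int opt_content(const Packet *p, const OptNode *o)
{
    if (o->slen == 0 || p->plen < o->slen)
        return 0;
    for (size_t i = 0; i + o->slen <= p->plen; i++)
        if (memcmp(p->payload + i, o->str, o->slen) == 0)
            return 1;
    return 0;
}

static int opt_flags(const Packet *p, const OptNode *o)
{
    return p->flags == o->flags;
}

static int opt_dsize(const Packet *p, const OptNode *o)
{
    return p->plen >= o->lo && p->plen <= o->hi;
}

/* Recursive walk of an option chain: the rule fires only if every test passes. */
static int eval_opts(const Packet *p, const OptNode *o)
{
    if (o == NULL)
        return 1;
    return o->test(p, o) && eval_opts(p, o->next);
}

static int head_matches(const Packet *p, const RuleHead *h)
{
    return (p->sip & h->smask) == (h->sip & h->smask)
        && (p->dip & h->dmask) == (h->dip & h->dmask)
        && (h->sport == 0 || h->sport == p->sport)
        && (h->dport == 0 || h->dport == p->dport);
}

/* Message of the first rule that matches, or NULL. The header test runs once
 * per head, not once per rule, which is the point of the grouping. */
const char *detect(const Packet *p, const RuleHead *heads)
{
    for (const RuleHead *h = heads; h; h = h->next) {
        if (!head_matches(p, h))
            continue;
        for (const Rule *r = h->rules; r; r = r->next)
            if (eval_opts(p, r->opts))
                return r->msg;
    }
    return NULL;
}

/* Constructed rule set: two web-CGI rules share the "any -> any:80" head;
 * a Queso rule (SYN with both reserved bits set) hangs off an "any -> any" head. */
const char *classify(const Packet *p)
{
    static const OptNode phf_size  = { opt_dsize,   NULL, 0, 0, 0, 200, NULL };
    static const OptNode phf_cont  = { opt_content, "/cgi-bin/phf", 12, 0, 0, 0, &phf_size };
    static const OptNode test_cont = { opt_content, "/cgi-bin/test-cgi", 17, 0, 0, 0, NULL };
    static const OptNode queso     = { opt_flags,   NULL, 0, 0x02 | 0x40 | 0x80, 0, 0, NULL };
    static const Rule r_test  = { "WEB-CGI test-cgi access", &test_cont, NULL };
    static const Rule r_phf   = { "WEB-CGI phf access", &phf_cont, &r_test };
    static const Rule r_queso = { "SCAN Queso fingerprint", &queso, NULL };
    static const RuleHead h_any = { 0, 0, 0, 0, 0, 0, &r_queso, NULL };
    static const RuleHead h_web = { 0, 0, 0, 0, 0, 80, &r_phf, &h_any };
    return detect(p, &h_web);
}

/* Builds a constructed packet 10.0.0.1:40000 -> 10.0.0.2:dport and classifies it. */
const char *classify_sample(const char *payload, uint16_t dport, uint8_t flags)
{
    Packet p;
    p.sip = 0x0a000001; p.dip = 0x0a000002;
    p.sport = 40000; p.dport = dport; p.flags = flags;
    p.payload = (const uint8_t *)payload;
    p.plen = strlen(payload);
    return classify(&p);
}

int main(void)
{
    const char *m;
    m = classify_sample("GET /cgi-bin/phf HTTP/1.0\r\n", 80, 0x18);
    printf("phf request -> %s\n", m ? m : "no match");
    m = classify_sample("", 22, 0xc2);
    printf("SYN+reserved bits -> %s\n", m ? m : "no match");
    m = classify_sample("GET /index.html HTTP/1.0\r\n", 80, 0x18);
    printf("plain request -> %s\n", m ? m : "no match");
    return 0;
}
```

Adding a third rule for port 80 costs no extra header test; the saving the entry quotes comes from the head-node lookup, while the per-rule cost is only the option chain, which stops at the first failing test.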

1999-05-17 mfr <roesch@clark.net>

    * snort.c:
        * Added new command line switches: -f, -M, -r.
            -f: Record fragmented packets in tcpdump format
            -M: Send alerts via WinPopup messages (requires Samba)
            -r: Read and process files generated by tcpdump
        * Added "-x" command line switch to explicitly activate IPX packet notification so people in mixed protocol environments can maintain sanity.
        * Fixed startup dumpout code to not drop people if they just want to log all packets to the system
        * Added static netmask generation; this rids Snort of the need to link to libm, which makes it more Trinux friendly.
        * Also added in the new packet counter to generate statistics on exit of the number/percentage of each type of packet that Snort sees.
    * rules.c:
        * Added new rule option types:
            logto: log packets matching this rule to the specified log file
            minfrag: set the minimum size of fragmented packets, which allows alerts to be generated for traffic coming from things like nmap or fragrouter
            tcp flags: Added the ability to include the reserved bits of the tcp flags into the rules set. These flags are specified with a "1" and "2". Inclusion of these flags allows Queso fingerprinting attempts to be detected.
            ack: The TCP ack field. Using this, nmap tcp "pings" may be detected.
            seq: The TCP sequence number. This is provided for completeness (I figured since I was putting in the ack field, I may as well include the sequence as well).
            id: The IP ID field may be specified. This is nice for picking up handcrafted packets with recognizable ID fields, like 31337 or other "elite" numbers.
        * Rewrote the content parser. It now accepts "\" as a literal character, so things like "\ " or "\~" will work properly.
        * fixed the parenthesis finder for the options code
        * adjusted the acceptable character range in the rule parsers
    * decode.c:
        * fixed IP fragment decoders and logic streams.
        * fragments are now fed thru the rules set (sorta)
    * log.c:
        * fragment logging more descriptive and correct
        * fixed IP header logging for ICMP and fragmented packets
        * improved "bad packet" printing/logging
        * fixed IP option output code
        * IP packet ID field now displayed

1999-04-28 mfr <roesch@clark.net>

    * decode.h: Removed the references to u_int16_t and u_int32_t and replaced them with u_short and ... The u_int*_t variables caused portability headaches.
    * snort.h: Fixed the LOG_AUTH/LOG_AUTHPRIV problem that Solaris users were having.
    * mstring.c: Added the notion of a meta character to mSplit() so that it was possible to not split on every single occurrence of a character in a string.
    * decode.c: Added in new layer 2 decoding for SLIP and RAW packet types.
    * decode.c: Added the new packet statistics counters throughout the code.
    * rules.c: Cleaned up the isspace(3) (et al) calls.
    * rules.c: Rewrote the rules option parser. It's now a much more consistent interface for both reading rules into the program and writing them as a user.
    * rules.c: Moved AlertPkt() and LogPkt() to log.c.
    * log.c: Most of the logging code has been dramatically rewritten as well, and two functions have been moved over from rules.c and completely rewritten as well. PrintIPPkt() has been totally rewritten. PrintFragHeader has been eliminated.
    * etc: Made lots of tweaks to the autoconf stuff to get the S/Linux and HP-UX versions to compile cleanly out of the box. Also added in the new patch from Chris S. for the WORDS_MUSTALIGN definition for S/Linux version.

1999-04-17 mfr <roesch@clark.net>

    * snort.c: Added two new command line switches: "-o" and "-s". Added code to send alert notification to syslog.
    * rules.c: Added the code to change the order the rules are applied in.
    * rules.c: Smoothed out all the logging system calls to work nicely with the new log code.
    * decode.c: Reworked the routines which called the logging functions.
    * log.c: Totally revamped the logging code to be more logical and have less duplication in the code. There are now separate logging functions for each of the layers of the packet.

1999-04-08 mfr <roesch@clark.net>

    * rules.c: Added in new rule types to alert on TTL values, and ICMP types/codes.

1999-04-06 mfr <roesch@clark.net>

    * mstring.c: fixed the match() routine. It had a tendency to miss some things some of the time (oops!). Content based matching should work all the time now.
    * rules.c: rewired the entire rules test routine and added some long needed goto's into the program. Frig it. I feel manly now. Also added in port range functionality: you can now specify a range of ports, or greater than/less than a specified port, thereby making the rest of the program nigh infinitely more useful for just about any friggin problem under the friggin sun.
    * log.c: Fixed output formatting yet again. Stopped the insanity of unnecessary carriage returns in the log files and on screen printouts.

1999-03-24 mfr <roesch@clark.net>

    * snort.c: Ripped off the timestamp printout routines from tcpdump and stuffed them into snort.c. This gives us millisecond timestamping on the packets for those of you interested in such things.
    * snort.c: fixed a bug in the timestamp code so the month prints out right
    * decode.c: added code to display/log the Fragment ID field of the IP header. Got a nice patch from Sebastian to add in TOS decoding as well.
    * log.c: added code to display some of the new stuff that's decoded. Changed OpenLogFile() to include a mode argument for packet fragment print out. Also added code to print packet fragments with truncated headers into a PACKET_FRAG file which gets dumped in the default log directory.

1999-03-21 mfr <roesch@clark.net>

    * decode.c: fixed the damned TCP and IP options decoders. These things were a friggin pain in the ass to program up properly. Recoding them stopped the huge loop that they had a bad tendency to get stuck in.
    * log.c: added code and data structures to print out IP and TCP Options plus I fixed the f'd up fragment print out logic.
    * rules.c: Also added a new rule field: TCP flags. This allows us to alert/log/pass on tcp flags. yum yum.

1999-03-08 mfr <roesch@clark.net>

    * snort.c: add a new command line switch: "-e". This will display the ethernet header data in both the log files and on the screen.
    * decode.c: added code to detect and decode IP and TCP Options.
    * log.c: Added ethernet header logging and display code.

1999-03-06 mfr <roesch@clark.net>

    * snort.c: Now displays packet collected/dropped statistics when shutting down. Code cleanup and some error checking was added. The system now accepts the interface name you give it at the command line. Fixed a problem with underallocating the interface name buffer for names specified on the command line. Surprisingly, this only came to light when tested on the Sparc architecture.
    * log.c: PrintNetData has been completely rewritten. It should now be much faster and only needs to generate the print out buffer once per packet. You still shouldn't use verbose mode with the "-d" command line switch if you're using Snort as an IDS, because it's still slow enough to drop some large packets. Packet print out has changed as well, with the different packet layers separated onto their own lines (mostly). This makes it easier to see what you're interested in without having to go digging into the log files.
    * log.c: Made the ICMP types and codes a little more compatible with being used as a filename.

1999-02-18 mfr <roesch@clark.net>

    * mstring.c: mContainsSubstring has been replaced. mContainsSubstring is a brute force pattern matcher, and is therefore very slow and not too efficient. The new routine, match(), implements a Boyer-Moore string search algorithm and is much faster in the general case and much more tolerant of "poor" pattern selection. This routine was a major source of slow down/dropped packets before.
    * decode.c: Snort now detects fragmented packets, and decodes the fragment offset, plus the DF and MF bits. Fragmented packets are now recorded in a "FRAG" file.
    * rules.c: Minor changes to reflect the new rules structure.

1999-01-28 mfr <roesch@clark.net>

    * rules.c: Rules sorting is now implemented. There are actually three separate lists (Pass, Log, Alert) now, with the rules being placed on to the lists in the order they're read from the rules file. The rule execution order was changed: now Alert rules are applied first, then Pass rules, then Log rules. Content based rules are available now; the actual application layer data can be searched for a specific pattern to activate a rule on.
    * log.c: ICMP logging now includes the ICMP code description in the filename.
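The mstring.c entry above (1999-02-18) replaces a brute-force matcher with a Boyer-Moore search and credits it for fewer dropped packets. As an added example written for this page (not Snort's mstring.c), the block below puts the two side by side: the brute-force scan and a Boyer-Moore-Horspool matcher with a bad-character shift table, plus comparison counters run over a constructed "poor pattern" input that makes the brute-force scan do its worst. The function names, the counters and demo_poor_pattern are assumptions of the example.

```c
/* Added example, not Snort's mstring.c: the brute-force substring search
 * that the 1999-02-18 entry retired, beside a Boyer-Moore-Horspool matcher of
 * the kind that replaced it. Both return the offset of the first match or -1.
 * The comparison counters and demo_poor_pattern() are constructed for this page. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

size_t bf_compares;    /* byte comparisons made by the last brute-force search */
size_t bmh_compares;   /* byte comparisons made by the last Horspool search */

int contains_bruteforce(const uint8_t *hay, size_t n, const uint8_t *pat, size_t m)
{
    bf_compares = 0;
    if (m == 0)
        return 0;
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        /* compare left to right; a "poor" pattern like AAAB on a run of A's
         * makes almost every window do m comparisons */
        while (j < m && (++bf_compares, hay[i + j] == pat[j]))
            j++;
        if (j == m)
            return (int)i;
    }
    return -1;
}

int contains_bmh(const uint8_t *hay, size_t n, const uint8_t *pat, size_t m)
{
    size_t skip[256];
    size_t i;

    bmh_compares = 0;
    if (m == 0)
        return 0;
    if (m > n)
        return -1;
    /* bad-character table: on a mismatch, shift so the window's last byte
     * lines up with its rightmost occurrence in pat[0..m-2], else by m */
    for (i = 0; i < 256; i++)
        skip[i] = m;
    for (i = 0; i + 1 < m; i++)
        skip[pat[i]] = m - 1 - i;

    i = 0;
    while (i + m <= n) {
        size_t j = m;
        /* compare right to left */
        while (j > 0 && (++bmh_compares, hay[i + j - 1] == pat[j - 1]))
            j--;
        if (j == 0)
            return (int)i;
        i += skip[hay[i + m - 1]];
    }
    return -1;
}

/* Constructed worst case for the brute-force search: 63 'A's followed by 'B',
 * searched for "AAAB". Returns 1 when both searches find offset 60 and the
 * Horspool search needed fewer comparisons. */
int demo_poor_pattern(void)
{
    uint8_t hay[64];
    const uint8_t pat[] = "AAAB";
    memset(hay, 'A', sizeof hay);
    hay[63] = 'B';
    int a = contains_bruteforce(hay, sizeof hay, pat, 4);
    int b = contains_bmh(hay, sizeof hay, pat, 4);
    printf("brute force: offset %d after %zu compares; horspool: offset %d after %zu compares\n",
           a, bf_compares, b, bmh_compares);
    return a == 60 && b == 60 && bmh_compares < bf_compares;
}

int main(void)
{
    const uint8_t req[] = "GET /cgi-bin/phf HTTP/1.0";
    printf("\"phf\" found at offset %d\n",
           contains_bmh(req, sizeof req - 1, (const uint8_t *)"phf", 3));
    return demo_poor_pattern() ? 0 : 1;
}
```

On the constructed input the brute-force scan makes about four comparisons per window while the Horspool scan makes one, which is the "tolerant of poor pattern selection" property the entry describes; a real sensor still has to bound the work per packet, since an attacker chooses the payload.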

decode. including ICMP ECHO seq and id! 1999-01-08 mfr <> * snort. big time! New source modules are log. and> * snort.h: Removed the "#define VERSION" since it's handled in config.255.c: Modularized the code.c: Made this file.0 or 255. * snort. Dumped SetFlow() for now.0. *> * snort.1999-01-19 mfr <roesch@clark.h. rules.c: Now keeps track of TCP/UDP conversations better! * decode.c: Rules based packet logging now enabled! * log. figured out autoconf .0.255. * README: Proper README file included with this distro 1998-12-21 mfr <roesch@clark.c: Enhanced decoding of packets.255.c: Made a fix to SetFlow() so that it wouldn't dump the program if it got traffic from 0.