"Fossies" - the Fresh Open Source Software Archive 
Member "snort-2.9.17/ChangeLog" (30 Oct 2020, 959832 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:
As a special service "Fossies" has tried to format the requested text file into HTML format (style:
standard) with prefixed line numbers.
1 2020-10-30 Divakar Y <divakyad@cisco.com>
2 snort 2.9.17
3
4 * src/preprocessors/Stream6/snort_stream_tcp.c,
5 src/preprocessors/spp_stream6.c :
6 Fixed Memory leak in reassembly networks and ports config during reload.
7
8 * src/file-process/file_resume_block.c,
9 src/file-process/file_service.c,
10 src/file-process/file_lib.c,
11 src/file-process/file_lib.h :
12 Fixed resume-block for SMBv2 partial content retry and pending verdicts.
13
14 * src/win32/WIN32-Prj/snort_installer.nsi :
15 Added user visible message to choose 4.1.1 or any higher version of winpcap, in windows 32 installer.
16
17 * src/win32/WIN32-Prj/snort_installer_x64.nsi,
18 src/win32/WIN32-Prj/snort_installer.nsi :
19 Fixed popup message that was not honoring windows silent uninstaller option.
20
21 * src/preprocessors/snort_httpinspect.c :
22 Fix to populate original client IP for drop events, when inline normalization is disabled.
23
24 * src/dynamic-preprocessors/appid/luaDetectorApi.c :
25 Fixed AppID caching proxy IP instead of tunneled IP in the dynamic cache during ultrasurf traffic.
26
27 * src/detection-plugins/sp_react.c,
28 src/dynamic-preprocessors/sdf/spp_sdf.c,
29 src/parser.c,
30 src/preprocessors/Stream6/snort_stream_tcp.c,
31 tools/u2streamer/Unified2File.c,
32 src/dynamic-preprocessors/appid/luaDetectorApi.c,
33 src/dynamic-preprocessors/appid/appInfoTable.c,
34 snort/src/dynamic-plugins/sf_dynamic_plugins.c,
35 src/memory_stats.c,
36 src/sfutil/sfportobject.c,
37 src/snort.h :
38 Fixed multiple static analysis issues.
39
40 * src/dynamic-preprocessors/appid/appInfoTable.c :
41 Fixed a potential race condition.
42
43 * configure.in,
44 src/reload.c :
45 Fix to not rely on the last-modified-time for loading the dynamic detection libs.
46
47 * src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c,
48 src/file-process/file_capture.c,
49 src/file-process/file_resume_block.c,
50 src/file-process/file_segment_process.c,
51 src/file-process/file_service.c :
52 Added debug messages in file-process packet flow.
53
54 * src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c :
55 Fix to address cases of ambiguous codes between SMTP & FTP and when SMTP server does not support EHLO.
56
57 * src/file-process/file_segment_process.c :
58 Fixed issue of generating multiple events for a single file transfer over SMB.
59
60 * src/dynamic-preprocessors/appid/appIdConfig.h,
61 src/dynamic-preprocessors/appid/appInfoTable.c,
62 src/dynamic-preprocessors/appid/appInfoTable.h,
63 src/dynamic-preprocessors/appid/flow.h,
64 src/dynamic-preprocessors/appid/fw_appid.c,
65 src/dynamic-preprocessors/appid/flow.h :
66 Fixed false positives for ultrasurf.
67
68 * src/dynamic-preprocessors/sip/spp_sip.c :
69 Fixed SIP pre-processor to detect SSL encrypted SIP traffic better.
70
71 * src/dynamic-preprocessors/appid/luaDetectorApi.c,
72 etc/gen-msg.map,
73 preproc_rules/preprocessor.rules,
74 src/file-process/file_service.c,
75 src/generators.h,
76 src/preprocessors/HttpInspect/client/hi_client.c,
77 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
78 src/preprocessors/HttpInspect/include/hi_client.h,
79 src/preprocessors/HttpInspect/include/hi_eo_events.h,
80 src/preprocessors/HttpInspect/include/hi_server.h,
81 src/preprocessors/HttpInspect/server/hi_server.c,
82 src/preprocessors/snort_httpinspect.c,
83 src/preprocessors/snort_httpinspect.h :
84 Added support for HTTP range field parsing to detect if HTTP response/request is indeed partial or full content.
85
86 * src/preprocessors/spp_session.c :
87 Fixed TCP memcap oversize.
88
89 * src/dynamic-preprocessors/dcerpc2/dce2_stats.h,
90 src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
91 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
92 src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
93 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
94 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
95 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h,
96 src/preprocessors/HttpInspect/client/hi_client.c,
97 src/preprocessors/HttpInspect/client/hi_client_norm.c,
98 src/preprocessors/HttpInspect/include/hi_include.h,
99 src/preprocessors/HttpInspect/include/hi_paf.h,
100 src/preprocessors/HttpInspect/utils/hi_paf.c,
101 src/preprocessors/Stream6/snort_stream_icmp.c,
102 src/preprocessors/Stream6/snort_stream_icmp.h,
103 src/preprocessors/Stream6/snort_stream_ip.c,
104 src/preprocessors/Stream6/snort_stream_ip.h,
105 src/preprocessors/Stream6/snort_stream_tcp.c,
106 src/preprocessors/Stream6/snort_stream_tcp.h,
107 src/preprocessors/Stream6/snort_stream_udp.c,
108 src/preprocessors/Stream6/snort_stream_udp.h,
109 src/preprocessors/Stream6/stream_common.h,
110 src/preprocessors/snort_httpinspect.c,
111 src/preprocessors/snort_httpinspect.h,
112 src/preprocessors/spp_httpinspect.c,
113 src/preprocessors/spp_httpinspect.h,
114 src/preprocessors/spp_stream6.c,
115 src/dynamic-preprocessors/appid/fw_appid.c,
116 src/dynamic-preprocessors/appid/fw_appid.h,
117 src/dynamic-preprocessors/appid/spp_appid.c :
118 Enhanced statistics dumped during snort exit and SIGUSR1.
119
120 * src/dynamic-preprocessors/imap/imap_paf.c,
121 src/dynamic-preprocessors/imap/snort_imap.h,
122 src/dynamic-preprocessors/pop/pop_paf.c,
123 src/dynamic-preprocessors/pop/snort_pop.h,
124 src/dynamic-preprocessors/sip/spp_sip.h,
125 src/dynamic-preprocessors/smtp/smtp_paf.c,
126 src/dynamic-preprocessors/smtp/snort_smtp.h,
127 src/dynamic-preprocessors/appid/flow.h,
128 src/dynamic-preprocessors/appid/service_plugins/service_ssl.c,
129 src/dynamic-preprocessors/dcerpc2/dce2_list.h,
130 src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
131 src/file-process/file_segment_process.h,
132 src/file-process/libs/file_lib.h,
133 src/preprocessors/sip_common.h,
134 src/preprocessors/snort_httpinspect.h :
135 Optimized structures in several preprocessors.
136
137 * src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
138 src/dynamic-preprocessors/dcerpc2/dce2_smb.h,
139 src/file-process/file_service.c :
140 Fixed SMBv1 file block for pending verdict retry packets.
141
142 * src/dynamic-preprocessors/dcerpc2/dce2_smb.c :
143 Fixed SMBv1 unknown file size upload block.
144
145 * src/detect.c,
146 src/detect.h,
147 src/parser.c,
148 src/parser.h,
149 src/preprocessors/Session/session_common.h,
150 src/preprocessors/Stream6/snort_stream_udp.c,
151 src/preprocessors/Stream6/snort_stream_udp.h,
152 src/preprocessors/spp_stream6.c,
153 src/preprocessors/Stream6/stream_common.c,
154 src/preprocessors/Stream6/stream_common.h,
155 src/preprocessors/spp_stream6.c,
156 src/reload.c,
157 src/snort.c,
158 src/snort.h :
159 Fixed incorrect filtering of UDP traffic when "ignore_any_rules" is configured.
160
161 * src/detection-plugins/sp_session.c,
162 src/detection-plugins/sp_session.h,
163 src/sfutil/util_jsnorm.c :
164 Fixed GCC 10.1.1 compilation issues.
165
166 * src/decode.c,
167 src/decode.h,
168 src/log_text.c,
169 src/log.c,
170 src/preprocessors/Stream6/snort_stream_tcp.c :
171 Added support to detect TCP Fast Open packets.
172
173 * src/preprocessors/Stream6/snort_stream_tcp.c :
174 Fixed TCP segment queue hole issue as per the RFC793 recommendation for OOO Ack packet handling.
175
176 * src/detection-plugins/detection_leaf_node.c,
177 src/detection-plugins/detection_options.c,
178 src/dynamic-preprocessors/appid/appInfoTable.c,
179 src/dynamic-preprocessors/appid/fw_appid.c,
180 src/dynamic-preprocessors/appid/service_plugins/service_base.c,
181 src/dynamic-preprocessors/appid/service_plugins/service_ftp.c,
182 src/dynamic-preprocessors/appid/service_plugins/service_rexec.c,
183 src/dynamic-preprocessors/appid/service_plugins/service_rpc.c,
184 src/dynamic-preprocessors/appid/service_plugins/service_rshell.c,
185 src/dynamic-preprocessors/appid/service_plugins/service_snmp.c,
186 src/dynamic-preprocessors/appid/service_plugins/service_tftp.c,
187 src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
188 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
189 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
190 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
191 src/fpcreate.c,
192 src/parser.c,
193 src/preprocessors/Session/session_common.h,
194 src/preprocessors/spp_session.c,
195 src/reload.c,
196 src/snort.c :
197 Fixed build when some configure options were disabled.
198
199 * src/detection-plugins/sp_byte_math.c :
200 Fixed byte_math operation for multiplication integer overflow.
201
202 * src/dynamic-preprocessors/appid/appId.h,
203 src/dynamic-preprocessors/appid/service_plugins/service_ssl.c :
204 Fix to include 853 port in SSL detector for DNS over TLS runs on SSL.
205
206 * src/dynamic-plugins/sf_dynamic_plugins.c,
207 src/dynamic-plugins/sf_dynamic_preprocessor.h,
208 src/dynamic-preprocessors/appid/Makefile_defs,
209 src/dynamic-preprocessors/appid/luaDetectorApi.c,
210 src/dynamic-preprocessors/appid/util/common_util.h :
211 Fix for excessive logging of lua detector invalid LUA (null).
212
213 * snort/src/detection-plugins/sp_byte_check.c,
214 src/detection-plugins/sp_byte_extract.c,
215 src/detection-plugins/sp_byte_jump.c,
216 src/detection-plugins/sp_byte_math.c,
217 src/detection-plugins/sp_byte_math.h,
218 src/detection-plugins/sp_isdataat.c,
219 src/detection-plugins/sp_pattern_match.c :
220 Added support for allowing common names across rule options.
221
222 * src/memory_stats.c :
223 Removed a redundant log.
224
225 * spp_sip.c :
226 Fixed handling encrypted traffic by SIP preprocessor.
227
228 * snort/configure.in,
229 snort/doc/README.s7commplus,
230 snort/etc/sf_rule_options,
231 snort/etc/sf_rule_validation.conf,
232 snort/src/dynamic-preprocessors/Makefile.am,
233 snort/src/dynamic-preprocessors/s7commplus/Makefile.am,
234 snort/src/dynamic-preprocessors/s7commplus/s7comm_decode.c,
235 snort/src/dynamic-preprocessors/s7commplus/s7comm_decode.h,
236 snort/src/dynamic-preprocessors/s7commplus/s7comm_paf.c,
237 snort/src/dynamic-preprocessors/s7commplus/s7comm_paf.h,
238 snort/src/dynamic-preprocessors/s7commplus/s7comm_roptions.c,
239 snort/src/dynamic-preprocessors/s7commplus/s7comm_roptions.h,
240 snort/src/dynamic-preprocessors/s7commplus/spp_s7comm.c,
241 snort/src/dynamic-preprocessors/s7commplus/spp_s7comm.h,
242 snort/src/generators.h,
243 snort/src/preprocids.h :
244 Added support for s7Commplus protocol.
245
246 * src/preprocessors/Stream6/snort_stream_tcp.c :
247 Fixed out of order FIN packet leading to segment trimming.
248
249 * src/output-plugins/spo_unified2.c,
250 src/preprocessors/Stream6/snort_stream_tcp.c :
251 Fix to populate original IP in dropped events when inline normalization is enabled.
252
253 * snort/src/sfutil/sf_ip.h :
254 Fixed compiler warnings.
255
256 * src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c :
257 Fixed DNS application detector failing to detect DNS traffic in some scenarios.
258
259 2020-07-24 Hariharan Chandrashekar <harchand@cisco.com>
260 snort 2.9.16.1
261
262 * src/dynamic-preprocessors/appid/appIdConfig.h,
263 src/dynamic-preprocessors/appid/appInfoTable.c,
264 src/dynamic-preprocessors/appid/flow.h,
265 src/dynamic-preprocessors/appid/fw_appid.c :
266 Added packet counters to make sure flows with one-way data don't pend forever.
267
268 * src/detection-plugins/sp_flowbits.c,
269 src/snort.c :
270 Fixed potential race condition between reload and exit path.
271
272 * src/detection-plugins/sp_session.c,
273 src/preprocessors/Stream6/stream_paf.h,
274 src/sfutil/util_jsnorm.c :
275 Added support for GCC version 10.1.1.
276
277 2020-03-15 Hariharan Chandrashekar <harchand@cisco.com>
278 snort 2.9.16
279
280 * src/preprocessors/Stream6/snort_stream_tcp.c :
281 Addressed an issue when out-of-order FIN is received by dropping it.
282
283 * src/output-plugins/spo_unified2.c,
284 src/preprocessors/Stream6/snort_stream_tcp.c :
285 Fixed an issue in which xtradata is not added to the alert in unified file.
286
287 * src/reload.c,
288 src/snort.c :
289 Fixed potential race condition between reload and exit path (main thread).
290
291 * etc/file_magic.conf :
292 Updated the file magic to detect ALZ file types.
293
294 * src/sfutil/sf_ip.h :
295 Added support for gcc version 9.2.1.
296
297 * src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c :
298 Fixed an issue in which APPID returns no match.
299
300 * src/dynamic-preprocessors/dcerpc2/sf_dce2.vcxproj,
301 src/dynamic-preprocessors/dnp3/sf_dnp3.vcxproj,
302 src/dynamic-preprocessors/dns/sf_dns.vcxproj,
303 src/dynamic-preprocessors/dynamic_preprocessors.vcxproj,
304 src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.vcxproj,
305 src/dynamic-preprocessors/gtp/sf_gtp.vcxproj,
306 src/dynamic-preprocessors/imap/sf_imap.vcxproj,
307 src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.vcxproj,
308 src/dynamic-preprocessors/modbus/sf_modbus.vcxproj,
309 src/dynamic-preprocessors/pop/sf_pop.vcxproj,
310 src/dynamic-preprocessors/reputation/sf_reputation.vcxproj,
311 src/dynamic-preprocessors/sdf/sf_sdf.vcxproj,
312 src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.vcxproj,
313 src/dynamic-preprocessors/sip/sf_sip.vcxproj,
314 src/dynamic-preprocessors/smtp/sf_smtp.vcxproj,
315 src/dynamic-preprocessors/ssh/sf_ssh.vcxproj,
316 src/dynamic-preprocessors/ssl/sf_ssl.vcxproj,
317 src/win32/WIN32-Prj/build_all.vcxproj,
318 src/win32/WIN32-Prj/sf_engine.vcxproj,
319 src/win32/WIN32-Prj/sf_engine_initialize.vcxproj,
320 src/win32/WIN32-Prj/snort.vcxproj,
321 src/win32/WIN32-Prj/snort_initialize.vcxproj,
322 src/win32/WIN32-Prj/snort_installer_x64.nsi,
323 src/win32/WIN32-Prj/snort_x64.dsw,
324 src/win64/WIN64-Libraries/Packet.lib,
325 src/win64/WIN64-Libraries/libdnet/dnet.lib,
326 src/win64/WIN64-Libraries/pcre.lib,
327 src/win64/WIN64-Libraries/wpcap.lib,
328 src/win64/WIN64-Libraries/zlib.lib,
329 tools/u2spewfoo/u2spewfoo.vcxproj :
330 Added 64-bit support for Windows 10 operating system.
331
332 * src/dynamic-preprocessors/pop/snort_pop.c :
333 Fixed an issue where POP preprocessor was not generating alert in some cases.
334
335 * src/dynamic-preprocessors/gtp/gtp_parser.c :
336 Fixed the alerting logic for GTP v2 with missing TEID.
337
338 * src/preprocessors/HttpInspect/utils/hi_paf.c :
339 Fixed file policy not working with character prefix in chunk size.
340
341 * configure.in,
342 src/reload.c,
343 src/side-channel/sidechannel.c,
344 src/snort.c,
345 src/target-based/sftarget_reader.c,
346 src/util.h :
347 Added support for glibc version 2.30.
348
349 * src/decode.h,
350 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
351 src/preprocessors/HttpInspect/utils/hi_paf.c,
352 src/preprocessors/Stream6/snort_stream_tcp.c,
353 src/preprocessors/Stream6/stream_paf.c,
354 src/preprocessors/snort_httpinspect.c,
355 src/preprocessors/snort_httpinspect.h,
356 src/preprocessors/stream_api.h :
357 Added support for early inspection of HTTP payload before flushing in pre-ack mode.
358
359 * src/file-process/file_api.h,
360 src/file-process/file_service.c,
361 src/preprocessors/HttpInspect/include/hi_norm.h,
362 src/preprocessors/HttpInspect/include/hi_ui_config.h,
363 src/preprocessors/HttpInspect/server/hi_server_norm.c,
364 src/preprocessors/snort_httpinspect.c :
365 Normalize randomly encoded nulls interspersed in the HTTP server response to UTF-8.
366
367 2019-12-15 Hariharan Chandrashekar <harchand@cisco.com>
368 snort 2.9.15.1
369
370 * src/file-process/file_ss.c :
371 Fixed the right order of precedence. Thanks to David Binderman for reporting this.
372
373 * src/dynamic-preprocessors/ssl_common/ssl_config.c :
374 Fixed snort core seen during ssl re-configuration.
375
376 * src/fpdetect.c,
377 src/log_text.c, src/profiler.h :
378 Fixed compiler warnings.
379
380 * src/file-process/file_segment_process.c :
381 Fixed file access issues on files from SMB share.
382
383 * configure.in,
384 src/reload.c, src/side-channel/sidechannel.c,
385 src/snort.c, src/target-based/sftarget_reader.c, src/util.h :
386 Added support for glibc version 2.30.
387
388 2019-10-02 Hariharan Chandrashekar <harchand@cisco.com>
389 snort 2.9.15
390
391 * src/snort.c,
392 src/control/sfcontrol.c,
393 src/preprocessors/Session/stream5_ha.c,
394 src/preprocessors/session_api.h,
395 src/dynamic-plugins/sp_dynamic.c :
396 Fixed a potential race condition.
397
398 * src/detect.c :
399 Fixed static analysis issues.
400
401 * src/detect.c,
402 src/detect.h,
403 src/file-process/file_service.c,
404 src/reload.c,
405 src/sfdaq.h,
406 src/snort.c,
407 src/snort.h :
408 Added new debugs to print detection, file_processing and Preproc time consumption info and verdict.
409
410 * src/dynamic-preprocessors/appid/fw_appid.c :
411 Added NULL check before dereferencing tcp_header.
412
413 * src/file-process/libs/file_lib.h,
414 src/sfdaq.h :
415 Fix to make daq_pktHdr globally visible and removed the extra Packet variable from the FILE_PKT_DEBUG macro.
416
417 * snort/etc/file_magic.conf :
418 Added support to detect new Korean file formats .egg and .alz to the file preprocessor.
419
420 * src/dynamic-preprocessors/gtp/gtp_parser.c,
421 src/dynamic-preprocessors/gtp/spp_gtp.h :
422 Fix to generate ALERT if TEID value is zero in GTP v1 and v2 packets.
423
424 * src/detect.c :
425 Added a check before printing the Packet latency trace when detection is enabled or not.
426
427 * src/file-process/file_capture.c,
428 src/file-process/file_mime_process.c,
429 src/file-process/file_resume_block.c,
430 src/file-process/file_segment_process.c,
431 src/file-process/file_service.c,
432 src/file-process/libs/file_lib.c,
433 src/file-process/libs/file_lib.h,
434 src/sfdaq.h :
435 Added debug messages in file-process packet flow.
436
437 * src/dynamic-plugins/sp_dynamic.c,
438 src/reload.c,
439 src/reload.h,
440 src/snort.c :
441 Fixed dynamic rules from getting disabled after multiple reloads.
442
443 * src/pkt_tracer.c :
444 Fix to print packet trace information in the direction of the packet on the wire.
445
446 * etc/file_magic.conf :
447 Added new file magic to detect RAR file-type.
448
449 * src/dynamic-plugins/sf_dynamic_preprocessor.h :
450 Updated preproc version.
451
452 * src/dynamic-plugins/sf_dynamic_preprocessor.h :
453 Provided an API to query non-flow related information from DAQ.
454
455 * src/dynamic-plugins/sf_dynamic_plugins.c,
456 src/dynamic-plugins/sf_dynamic_preprocessor.h,
457 src/sfdaq.c,
458 src/sfdaq.h :
459 Added a generic api DAQ_Ioctl for dynamic preprocs to use for various daq clis.
460
461 * src/dynamic-preprocessors/appid/Makefile_defs,
462 src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c,
463 src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c,
464 src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c,
465 src/dynamic-preprocessors/appid/service_plugins/service_base.h,
466 src/dynamic-preprocessors/appid/service_plugins/service_ftp.c,
467 src/dynamic-preprocessors/appid/service_plugins/service_netbios.c,
468 src/dynamic-preprocessors/appid/service_plugins/service_nntp.c :
469 Fix to whitelist ftp data sessions when no file policy exists.
470
471 * src/dynamic-preprocessors/appid/fw_appid.c :
472 Fixed -Wparentheses warning.
473
474 * src/dynamic-preprocessors/appid/fw_appid.c :
475 Fixed the algorithm that triggers port only detection.
476
477 * src/preprocessors/HttpInspect/client/hi_client.c,
478 src/preprocessors/HttpInspect/include/hi_paf.h,
479 src/preprocessors/HttpInspect/utils/hi_paf.c :
480 Fixed an issue where HTTP was wrongly processing non HTTP traffic on port 443.
481
482 * src/dynamic-preprocessors/appid/appIdConfig.h,
483 src/dynamic-preprocessors/appid/fw_appid.c,
484 src/dynamic-preprocessors/appid/service_plugins/service_base.c,
485 src/dynamic-preprocessors/appid/service_plugins/service_base.h :
486 Fixed IPS alerts generation for ICMP packets.
487
488 * src/file-process/file_resume_block.c :
489 Fixed signature lookup when the context is not present.
490
491 * src/preprocessors/HttpInspect/utils/hi_paf.c :
492 Added a new state to handle HTTP responses, having no status message followed by status code.
493
494 * src/dynamic-plugins/sf_dynamic_plugins.c,
495 src/dynamic-plugins/sf_dynamic_preprocessor.h,
496 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
497 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h :
498 Added DPD callbacks for receiving ftp transfer mode before generating file events.
499
500 * snort/etc/file_magic.conf :
501 Fixed RTF file magic to a more generic value.
502
503 * src/preprocessors/spp_httpinspect.c :
504 Added debug logs during HTTP Reload.
505
506 * src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c :
507 Fix to bypass munmap if shmemSegptr points to zeroSegptr.
508
509 * src/parser.c :
510 Added rule SID check during Snort validation.
511
512 * src/pkt_tracer.c :
513 Corrected endianness representation for some of the parameters in the debug log.
514
515 2019-07-26 Hariharan Chandrashekar <harchand@cisco.com>
516 snort 2.9.14.1
517 * src/sfdaq.c :
518 Fixed packet drop scenario.
519
520 2019-04-23 Hariharan Chandrashekar <harchand@cisco.com>
521 Snort 2.9.14.0
522 All files: updated copyright to 2019.
523
524 * src/build.h : updating build number to 15003.
525
526 * src/dynamic-preprocessors/appid/fw_appid.c :
527 Fix to block https traffic going through proxy.
528
529 * src/dynamic-preprocessors/appid/fw_appid.c :
530 Reset navl packet counters when shifting to new req/resp.
531
532 * src/file-process/file_ss.c :
533 Fixed enabling side channel during some race conditions.
534
535 * src/appIdApi.h,
536 src/dynamic-preprocessors/appid/detector_plugins/detector_http.c,
537 src/dynamic-preprocessors/appid/fw_appid.c,
538 src/dynamic-preprocessors/appid/thirdparty_appid_types.h :
539 Improving appId detection for proxied traffic.
540
541 * src/control/sfcontrol.c,
542 src/preprocessors/spp_httpinspect.c,
543 src/detection-plugins/sp_isdataat.c,
544 src/detection-plugins/sp_isdataat.h,
545 src/preprocessors/HttpInspect/include/hi_eo_log.h,
546 src/dynamic-preprocessors/appid/luaDetectorModule.c,
547 src/dynamic-preprocessors/appid/detector_plugins/detector_cip.c,
548 src/file-process/file_resume_block.c,
549 src/file-process/file_service.h,
550 src/file-process/file_service_config.c,
551 src/file-process/file_ss.c,
552 src/file-process/file_ss.h,
553 src/file-process/libs/file_config.h,
554 src/reload.c,
555 src/snort.c :
556 Fixed potential race conditions across snort code base.
557
558 * src/dynamic-preprocessors/appid/hostPortAppCache.c :
559 Added support for wild card port numbers in host cache and overwriting port service AppId.
560
561 * src/preprocessors/HttpInspect/utils/hi_paf.c :
562 Fixed the chunk extensions parsing in the HTTP responses leading to the correct construction of the PDU.
563
564 * src/preprocessors/Stream6/snort_stream_tcp.c :
565 Fixed missing inspection for out of order HTTP flows.
566
567 * src/dynamic-preprocessors/appid/appInfoTable.c :
568 Allow spaces in appid.conf and userappid.conf.
569
570 * src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c :
571 Added support for new STLS client patterns to help better detect POP3S over SSL.
572
573 * src/dynamic-preprocessors/dcerpc2/dce2_smb2.c,
574 src/file-process/file_segment_process.c :
575 Fixed decrement of segment_mem_in_use counter when no pruning is done.
576
577 * doc/README.http_inspect,
578 etc/gen-msg.map,
579 preproc_rules/preprocessor.rules,
580 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
581 src/preprocessors/HttpInspect/include/hi_eo_events.h,
582 src/preprocessors/HttpInspect/utils/hi_paf.c :
583 Fixed HTTP issue caused due to invalid versions.
584
585 * src/parser.c :
586 Fixed static analysis issues.
587
588 * src/decode.c :
589 Removed Duplicate length checks when decoding IPv6 Extensions.
590
591 * src/preprocessors/sfprocpidstats.c :
592 Changed the sfprocpidstat to calculate CPU statistics when --suppress-config-log option is not supplied.
593
594 * src/file-process/libs/file_lib.h :
595 Reset the max file id's default value.
596
597 * src/dynamic-preprocessors/appid/appId_ss.c,
598 src/dynamic-preprocessors/appid/appInfoTable.c :
599 Logging the aggressiveness setting for BitTorrent, Ultrasurf, Psiphon & fixing parentheses in 'If' condition.
600
601 * src/dynamic-preprocessors/appid/service_plugins/service_ftp.c :
602 Fixed FTP detection issues when a multi-line server response is split across multiple packets.
603
604 * src/dynamic-preprocessors/appid/appIdConfig.c,
605 src/dynamic-preprocessors/appid/appIdConfig.h,
606 src/dynamic-preprocessors/appid/commonAppMatcher.c,
607 src/dynamic-preprocessors/appid/spp_appid.c,
608 src/dynamic-preprocessors/appid/thirdparty_appid_api.h,
609 src/dynamic-preprocessors/appid/thirdparty_appid_utils.c :
610 Added a new AppId preproc config option which specifies path to NAVL related configuration.
611
612 * src/dynamic-preprocessors/appid/fw_appid.c :
613 Fix to set TOR as payloadAppId if NAVL detects it over an HTTP SSL Tunnel.
614
615 * src/dynamic-preprocessors/imap/imap_config.c,
616 src/dynamic-preprocessors/pop/pop_config.c,
617 src/dynamic-preprocessors/smtp/smtp_config.c,
618 src/file-process/file_api.h,
619 src/file-process/file_mime_config.c,
620 src/file-process/file_mime_config.h,
621 src/preprocessors/perf_indicators.h,
622 src/preprocessors/snort_httpinspect.c,
623 src/preprocessors/snort_httpinspect.h,
624 src/preprocessors/spp_httpinspect.c :
625 Fix Snort2 with a newer ICC without fixing the [bad] binary-crossing strtok assumptions.
626
627 * src/preprocessors/spp_sfportscan.c :
628 Fix for filling the ip4hdr in the port scan packet creation.
629
630 * src/checksum.h,
631 src/encode.c :
632 Updated the checksum correctly for reset and locally modified packets for GRE flow.
633
634 * src/preprocessors/Stream6/snort_stream_tcp.c :
635 Fixed issue in handling TCP timestamp options in Snort.
636
637 * src/dynamic-preprocessors/appid/fw_appid.c :
638 Fixed compilation warning.
639
640 * src/dynamic-plugins/sf_dynamic_preprocessor.h,
641 src/dynamic-preprocessors/sdf/spp_sdf.c,
642 src/dynamic-preprocessors/sdf/spp_sdf.h :
643 Fixed Sensitive Data Threshold Configuration.
644
645 * src/dynamic-preprocessors/appid/fw_appid.c,
646 src/preprocessors/Session/session_expect.c :
647 Fix for setting application_protocol_ordinal by the caller.
648
649 * src/file-process/file_resume_block.c,
650 src/file-process/file_ss.c :
651 Removed unused variables.
652
653 * src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c :
654 Added support for detecting Mac based SMTP Microsoft Outlook client application
655
656 * src/dynamic-preprocessors/sip/sip_config.c :
657 Fixed policy deployment failure due to SIP preprocessor config validation.
658
659 * src/dynamic-preprocessors/appid/luaDetectorApi.c :
660 Including more information for lua errors while loading patterns.
661
662 * src/dynamic-preprocessors/sdf/sdf_credit_card.c,
663 src/dynamic-preprocessors/sdf/sdf_pattern_match.c :
664 Fix to treat any pii without following by non-digit as full pattern match and fire alert.
665
666 * src/dynamic-preprocessors/reputation/shmem/shmem_lib.c :
667 Fixed snort process exit when processing reputation and if another snort was launched that does the same work.
668
669 * src/preprocessors/Stream6/snort_stream_tcp.c :
670 Fix to not flush the urgent data to preprocs and the segment be trimmed.
671
672 * src/dynamic-preprocessors/appid/appIdApi.c :
673 Stop marking the HTTP inspection as done if the SSL detector is in progress and no URL is extracted.
674
675 * src/dynamic-preprocessors/appid/service_plugins/service_rexec.c,
676 src/dynamic-preprocessors/appid/service_plugins/service_rshell.c :
677 Fix here is to set the AppId for rsh/rexec control sessions initially to allow the data session
678 and doing the rest of the validation later.
679
680 * src/control/sfcontrol.h,
681 src/preprocessors/spp_perfmonitor.c :
682 Fix for enabling flow profiling mode without restarting snort detection engine.
683
684 * src/preprocessors/HttpInspect/client/hi_client.c,
685 src/preprocessors/HttpInspect/include/hi_client.h :
686 Fixed x-forward-for-like headers when there are multiple proxies.
687
688 * src/file-process/file_service.c :
689 Fix to update the file_config when we update the file_context.
690
691 * src/dynamic-preprocessors/appid/service_plugins/service_base.c :
692 Fix to prevent re-allocation of memory for SMB AppId data.
693
694 * src/dynamic-preprocessors/Makefile.am :
695 Add -f option to the mv command for fixing make distcheck failure during file overwrite.
696
697 * doc/README.http_inspect,
698 etc/gen-msg.map,
699 preproc_rules/preprocessor.rules,
700 src/preprocessors/HttpInspect/utils/hi_paf.c :
701 A new preprocessor alert is added 120:27 to alert if there is no proper end of header.
702
703 * src/preprocessors/Stream6/snort_stream_tcp.c :
704 Fixed uninitialized members of StreamTracker for midstream sessions.
705
706 * src/preprocessors/session_api.h,
707 src/preprocessors/spp_session.c :
708 Removal of Blocklist timeout code.
709
710 * src/preprocessors/spp_session.c :
711 Fix for snort to check for expired sessions and stop matching new packets with expired sessions.
712
713 * src/dynamic-plugins/sf_dynamic_plugins.c,
714 src/dynamic-plugins/sf_dynamic_preprocessor.h,
715 src/snort.c :
716 Fix to get daq capabilities for snort firewall in optimized way.
717
718 * tools/appid_detector_builder.sh :
719 Fixed API name used by OpenAppId LUA detector builder.
720
721 * src/dynamic-preprocessors/appid/luaDetectorApi.c,
722 src/dynamic-preprocessors/appid/luaDetectorModule.c :
723 Locking LUA detectors during snort reload free.
724
725 * src/dynamic-preprocessors/appid/luaDetectorApi.c,
726 src/dynamic-preprocessors/appid/luaDetectorFlowApi.c,
727 src/dynamic-preprocessors/appid/service_plugins/service_ssl.c :
728 Setting AppId for RSHELL/REXEC stderr data sessions.
729
730 * src/memory_stats.c,
731 src/memory_stats.h,
732 src/snort.c,
733 src/preprocessors/HttpInspect/client/hi_client.c,
734 src/dynamic-preprocessors/appid/luaDetectorModule.c,
735 src/dynamic-preprocessors/appid/service_plugins/service_rpc.c,
736 src/dynamic-preprocessors/appid/spp_appid.c,
737 src/dynamic-preprocessors/appid/service_plugins/service_base.c :
738 Fixed issues reported by valgrind.
739
740 * src/dynamic-preprocessors/appid/appIdApi.c,
741 src/dynamic-preprocessors/appid/fw_appid.c :
742 Fix for FTP Active detection issues in case of multi-line server responses.
743
744 * src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
745 src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h,
746 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
747 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
748 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
749 src/file-process/file_api.h,
750 src/file-process/file_resume_block.c,
751 src/file-process/file_resume_block.h,
752 src/file-process/file_segment_process.c,
753 src/file-process/file_service.c,
754 src/preprocessors/Stream6/snort_stream_tcp.c :
755 Fixed File policy with the rule block with reset that was not blocking the file upload.
756
757 * src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c :
758 Fixed snort process exit while processing Security Intelligence.
759
760 2019-03-21 Bhumika Sachdeva <bsachdev@cisco.com>
761 Snort 2.9.13.0
762
763 * src/dynamic-preprocessors/sip/sip_config.c :
764 Changed number of max sessions SIP can handle.
765
766 * src/dynamic-preprocessors/appid/luaDetectorModule.c :
767 Fixed an issue in loading of a bunch of lua detectors.
768
769 * src/dynamic-preprocessors/sdf/sdf_credit_card.c,
770 src/dynamic-preprocessors/sdf/sdf_pattern_match.c :
771 Fixed an issue with processing of pattern matching.
772
773 * src/dynamic-preprocessors/appid/appIdApi.c :
774 Fixed an issue with HTTP inspection in case SSL detector is in process and no URL has been extracted.
775
776 * src/preprocessors/HttpInspect/client/hi_client.c,
777 src/preprocessors/HttpInspect/include/hi_client.h :
778 Fixing of x-forward-for-like headers in case of multiple proxies by snort.
779
780 * src/preprocessors/Stream6/snort_stream_tcp.c :
781 Blocking the flush of urgent data to preprocs and trimming of segment in case urgent flag is set and urgent pointer > 0.
782
783 * src/dynamic-preprocessors/appid/service_plugins/service_rexec.c,
784 src/dynamic-preprocessors/appid/service_plugins/service_rshell.c :
785 Set the AppId for rsh/rexec control sessions initially to allow the data session and doing the rest of the validation.
786
787 * src/file-process/file_service.c :
788 Fixed the Snort process failure while processing file policy on SMB2 traffic.
789
790 * src/dynamic-preprocessors/appid/service_plugins/service_base.c :
791 Modified the prevention of re-allocation of memory for SMB AppId data.
792
793 * src/dynamic-preprocessors/appid/luaDetectorModule.c,
794 src/dynamic-preprocessors/appid/service_plugins/service_base.c :
795 Fixed memory leak issues.
796
797 * src/control/sfcontrol.c,
798 src/detection-plugins/Makefile.am,
799 src/dynamic-examples/Makefile.am,
800 src/dynamic-plugins/Makefile.am,
801 src/dynamic-plugins/sf_decompression_define.h,
802 src/dynamic-plugins/sf_dynamic_decompression.c,
803 src/dynamic-plugins/sf_dynamic_decompression.h,
804 src/dynamic-plugins/sf_dynamic_detection.h,
805 src/dynamic-plugins/sf_dynamic_engine.h,
806 src/dynamic-plugins/sf_dynamic_meta.h,
807 src/dynamic-plugins/sf_dynamic_plugins.c,
808 src/dynamic-plugins/sf_dynamic_preprocessor.h,
809 src/dynamic-plugins/sf_dynamic_side_channel.h,
810 src/dynamic-plugins/sf_engine/bmh.c,
811 src/dynamic-plugins/sf_engine/examples/12759.c,
812 src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
813 src/dynamic-plugins/sf_engine/examples/rule_storeandforward.c,
814 src/dynamic-plugins/sf_engine/examples/rule_storeandforward2.c,
815 src/dynamic-plugins/sf_engine/sf_decompression.c,
816 src/dynamic-plugins/sf_engine/sf_decompression.h,
817 src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
818 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
819 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
820 src/dynamic-plugins/so_rule_mem_adjust.h,
821 src/dynamic-plugins/sp_dynamic.c,
822 src/dynamic-preprocessors/Makefile.am,
823 src/dynamic-preprocessors/appid/service_plugins/service_netbios.c,
824 src/dynamic-preprocessors/appid/service_plugins/service_rpc.c,
825 src/dynamic-preprocessors/appid/thirdparty_appid_utils.c,
826 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
827 src/dynamic-preprocessors/dcerpc2/includes/smb.h,
828 src/dynamic-preprocessors/sip/sip_dialog.c,
829 src/dynamic-preprocessors/sip/sip_roptions.c,
830 src/preprocessors/HttpInspect/utils/hi_util_hbm.c,
831 src/preprocessors/spp_arpspoof.c,
832 src/reload.c,
833 src/snort.c,
834 src/snort.h,
835 snort_build/Makefile.common,
836 snort_build/common-snort-opts.makefile :
837 Snort now supports reload on snort rules update.
838
839 * configure.in,
840 src/control/sfcontrol.c :
841 Addressed FreeBSD Build error.
842
843 * src/preprocessors/perf-base.c :
844 Fixed an issue with Inspection engine performance statistics showing 0 drops in case of non-zero drops.
845
846 * src/control/sfcontrol.c :
847 Fixed an issue where snort was stuck in cleanup.
848
849 * preproc_rules/preprocessor.rules,
850 src/preprocessors/HttpInspect/include/hi_eo_events.h,
851 src/preprocessors/HttpInspect/utils/hi_paf.c :
852 Handling of junk characters after chunk size in HTTP response.
853
854 * src/detection-plugins/sp_byte_math.c :
855 Handled a zero value case with division operator.
856
857 * src/preprocessors/Stream6/snort_stream_tcp.c :
858 Updated TCP policy for client and server session while flushing the client or server segment list.
859
860 * doc/README.http_inspect,
861 etc/gen-msg.map,
862 preproc_rules/preprocessor.rules,
863 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
864 src/preprocessors/HttpInspect/include/hi_eo_events.h,
865 src/preprocessors/HttpInspect/utils/hi_paf.c :
866 Handled a new pre-processor alert in case of improper end of HTTP header.
867
868 * src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
869 src/detection-plugins/sp_isdataat.c,
870 src/detection-plugins/sp_isdataat.h :
871 Fixed a potential race condition.
872
873 * src/dynamic-preprocessors/appid/appIdStats.c,
874 src/dynamic-preprocessors/appid/appInfoTable.c,
875 src/dynamic-preprocessors/appid/detector_plugins/detector_http.c,
876 src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c,
877 src/dynamic-preprocessors/appid/fw_appid.c,
878 src/dynamic-preprocessors/appid/service_plugins/service_ssh.c,
879 src/dynamic-preprocessors/appid/service_plugins/service_ssl.c,
880 src/dynamic-preprocessors/appid/thirdparty_appid_utils.c,
881 src/dynamic-preprocessors/dnp3/spp_dnp3.c,
882 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
883 src/sfutil/bnfa_search.c,
884 src/sfutil/sf_textlog.c :
885 Validation of malloc return values.
886
887 * src/preprocessors/sfprocpidstats.c :
888 Modified the sfprocpidstat to only calculate CPU statistics when --suppress-config-log option is not supplied.
889
890
891 2018-09-18 Puneeth Kumar C V <puneetku@cisco.com>
892 Snort 2.9.12.0
893
894 * doc/README.http_inspect, etc/gen-msg.map,
895 preproc_rules/preprocessor.rules,
896 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
897 src/preprocessors/HttpInspect/include/hi_eo_events.h,
898 src/preprocessors/HttpInspect/server/hi_server.c,
899 src/preprocessors/HttpInspect/utils/hi_paf.c :
900 Fixed an issue wherein, if we have a junk line before the HTTP response header, the header was wrongly parsed.
901 A new preprocessor alert with gid:120 and sid:26 is generated if any junk lines before the HTTP response header are detected.
902
903 * etc/gen-msg.map, preproc_rules/preprocessor.rules,
904 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
905 src/preprocessors/HttpInspect/include/hi_eo_events.h,
906 src/preprocessors/HttpInspect/include/hi_server.h,
907 src/preprocessors/HttpInspect/server/hi_server.c :
908 If any of the standard header fields like Transfer-Encoding, content-encoding, content-length,
909 content-type are preceded by \t, then a new alert is added with gid:120 and sid:25.
910
911 * doc/README.http_inspect, doc/snort_manual.pdf, etc/gen-msg.map,
912 preproc_rules/preprocessor.rules,
913 src/preprocessors/snort_httpinspect.h,
914 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
915 src/preprocessors/HttpInspect/include/hi_eo_events.h,
916 src/preprocessors/HttpInspect/server/hi_server.c,
917 src/preprocessors/HttpInspect/utils/hi_paf.c :
918 Fixed GZIP evasions wherein an HTTP response with content-encoding:gzip contains a body which has some gzip related anomaly.
919 A new alert with gid:120 and sid:24 has been added to detect mixed gzip encode and plain text response.
920
921 * src/preprocessors/HttpInspect/server/hi_server.c :
922 Memory leak in decompression when using zlib version 1.2.11. Thanks to Elof for reporting it and thanks to Anuj Patel for sending the patch.
923
924 * src/: dynamic-preprocessors/dcerpc2/dce2_smb2.c,
925 dynamic-preprocessors/dcerpc2/dce2_smb.h,
926 dynamic-preprocessors/dcerpc2/dce2_smb2.c,
927 dynamic-preprocessors/dcerpc2/dce2_smb2.h,
928 dynamic-preprocessors/dcerpc2/dce2_paf.c, includes/smb.h,
929 dynamic-preprocessors/dcerpc2/spp_dce2.c,
930 file-process/file_api.h, file-process/file_segment_process.c,
931 file-process/file_segment_process.h :
932 SMB improvements for file processing.
933
934 * src/dynamic-preprocessors/appid/: appInfoTable.h, fw_appid.c,
935 fw_appid.h, hostPortAppCache.c, luaDetectorApi.c,
936 luaDetectorApi.h, luaDetectorFlowApi.c,
937 client_plugins/client_app_aim.c, client_plugins/client_app_api.h,
938 client_plugins/client_app_base.c,
939 client_plugins/client_app_base.h,
940 client_plugins/client_app_bit.c,
941 client_plugins/client_app_bit_tracker.c,
942 client_plugins/client_app_msn.c, client_plugins/client_app_rtp.c,
943 client_plugins/client_app_ssh.c,
944 client_plugins/client_app_timbuktu.c,
945 client_plugins/client_app_tns.c, client_plugins/client_app_vnc.c,
946 client_plugins/client_app_ym.c, detector_plugins/detector_http.c,
947 detector_plugins/detector_imap.c,
948 detector_plugins/detector_kerberos.c,
949 detector_plugins/detector_pattern.c,
950 detector_plugins/detector_pop3.c,
951 detector_plugins/detector_sip.c,
952 detector_plugins/detector_smtp.c, service_plugins/service_api.h,
953 service_plugins/service_base.c, service_plugins/service_base.h :
954 Fixed an issue in a scenario where BitTorrent pattern is seen only on the 3rd packet of the session because of which we miss our client detection.
955
956 * src/dynamic-preprocessors/appid/fw_appid.c :
957 Re-enabling third party AppId detection for out-of-order/not-ok flows.
958
959 * src/dynamic-preprocessors/appid/: flow.h, fw_appid.c :
960 Added support for HTTP CONNECT command to handle BitTorrent connections over proxy.
961
962 * src/encode.c, src/reload.h, src/sfdaq.c,
963 src/dynamic-preprocessors/dcerpc2/dce2_co.c,
964 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
965 src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
966 src/dynamic-preprocessors/dcerpc2/dce2_smb2.c,
967 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
968 src/dynamic-preprocessors/sdf/spp_sdf.c,
969 src/preprocessors/spp_frag3.c, src/preprocessors/spp_session.c,
970 src/preprocessors/spp_sfportscan.c,
971 src/preprocessors/Stream6/snort_stream_ip.c,
972 src/preprocessors/Stream6/snort_stream_tcp.c, src/sfutil/acsmx.c,
973 src/sfutil/sfksearch.c, src/sfutil/sfportobject.c,
974 tools/u2spewfoo/u2spewfoo.c :
975 Fixed Snort warnings when compiled in OpenBSD with clang/llvm. Thanks to Markus for reporting this.
976
977 * src/dynamic-preprocessors/file/spp_file.c :
978 Fixed an issue where file inspect was not working after reload.
979
980 * src/dynamic-preprocessors/Makefile.am :
981 Fixed an issue where snort was not coming up with AppId enabled on OpenBSD.
982
983 * src/: snort.c, dynamic-plugins/sf_dynamic_preprocessor.h,
984 preprocessors/perf.c, preprocessors/Stream6/snort_stream_icmp.c,
985 preprocessors/Stream6/snort_stream_ip.c,
986 preprocessors/Stream6/snort_stream_tcp.c,
987 preprocessors/Stream6/snort_stream_udp.c :
988 Fixed compilation issue with --disable-reload.
989
990 * configure.in, doc/README.appid, doc/snort_manual.tex,
991 rpm/README.build_rpms, rpm/generate-all-rpms, rpm/snort.spec,
992 src/dynamic-preprocessors/appid/Makefile_defs :
993 Compile AppID by default.
994
995 * src/dynamic-preprocessors/appid/fw_appid.c :
996 Changes to AppId to ignore malformed packets.
997
998 * src/: dynamic-preprocessors/dcerpc2/dce2_smb2.c,
999 file-process/file_segment_process.c,
1000 file-process/file_segment_process.h :
1001 Fix an issue where memory is over allocated due to SMB traffic.
1002
1003 * src/dynamic-preprocessors/appid/: appIdApi.c, appIdConfig.h,
1004 appInfoTable.c, fw_appid.c, hostPortAppCache.c :
1005 Added support for wild card port numbers in host cache and overwriting port service AppId.
1006
1007 * src/mstring.c :
1008 Fixed an issue with msplit() not behaving properly in some scenarios.
1009
1010 * src/dynamic-preprocessors/appid/: fw_appid.c, test/appIdTests.c :
1011 Fixed an issue where a retransmitted packet was incorrectly treated as out of order.
1012
1013 * src/preprocessors/spp_frag3.c :
1014 Fixed snort crash in some scenarios.
1015
1016 * src/dynamic-preprocessors/appid/: fw_appid.c,
1017 service_plugins/service_ssl.c :
1018 Fixed an issue wherein if we have multiple ssl certificates, they were concatenated.
1019
1020 * src/dynamic-preprocessors/appid/fw_appid.c :
1021 Using Inner IP header to determine the protocol & direction for AppId.
1022
1023 * src/: reload.c, preprocessors/spp_normalize.c,
1024 preprocessors/Stream6/snort_stream_tcp.c :
1025 Fixed an issue where snort cores due to wrong/stale policy IDs in the flush path.
1026
1027 * src/detection-plugins/sp_pattern_match.c :
1028 Fixed an issue with intrusion rule that was triggering false negatives.
1029
1030 * src/sfutil/sfportobject.c, src/decode.c, src/fpcreate.c,
1031 src/plugbase.c, src/util.c,
1032 src/dynamic-preprocessors/sdf/sdf_us_ssn.c :
1033 Fixed static analysis issues.
1034
1035 * src/preprocessors/Stream6/: snort_stream_tcp.c, stream_common.c :
1036 Fixed early setting of PKT_STREAM_ORDER_BAD when out of order packet is seen.
1037
1038 * src/preprocessors/: session_api.h, spp_session.c :
1039 This change will allow us to use the session stream key to lookup the session instead
1040 of directly storing the S pointer
1041
1042 * src/: event_wrapper.c, event_wrapper.h, preprocessors/portscan.c :
1043 Fixed an issue where Port Scan doesn't block scans
1044
1045 * src/: obfuscation.c,
1046 dynamic-preprocessors/appid/detector_plugins/detector_http.c,
1047 dynamic-preprocessors/file/file_agent.c,
1048 dynamic-preprocessors/file/file_inspect_config.c,
1049 dynamic-preprocessors/sdf/sdf_us_ssn.c,
1050 file-process/file_capture.c :
1051 Fixed bugs reported by open source community. Thanks to David Binderman for reporting this.
1052
1053 * src/snort.c :
1054 Avoid possible double free and memory corruption in snortcleanup().
1055
1056 * doc/snort_manual.pdf, src/reg_test.h,
1057 src/dynamic-preprocessors/reputation/spp_reputation.c :
1058 Prevent restart when Reputation memcap changes.
1059
1060 * src/dynamic-preprocessors/appid/luaDetectorModule.c :
1061 Fixed an issue where AppId continues to try & load the remaining detectors instead of returning after
1062 finding an invalid one.
1063
1064 * src/snort.c :
1065 Reduced the number of session prunings when snort is idle.
1066
1067 * src/dynamic-preprocessors/ftptelnet/pp_ftp.c :
1068 Fixed an issue which can cause buffer overflow and memory corruption in FTP control path.
1069
1070 * src/reload.c :
1071 Synchronise reload and restart in snort.
1072
1073 * src/snort_bounds.h :
1074 Fixed possible buffer overrun.
1075
1076 * src/dynamic-preprocessors/appid/: fw_appid.c, fw_appid.h,
1077 luaDetectorApi.c, spp_appid.c, client_plugins/client_app_base.c,
1078 service_plugins/service_base.c, test/Makefile.am :
1079 Remove misleading exit log about DetectorFini.
1080
1081 * src/dynamic-preprocessors/appid/:
1082 client_plugins/client_app_rtp.c, client_plugins/client_app_rtp.h,
1083 test/Makefile.am, test/appIdTests.c, test/client_app_rtp_test.c,
1084 test/client_app_rtp_test.h :
1085 Fix for the issue where RTP doesn't get detected when there is SSRC switch.
1086
1087 * src/dynamic-preprocessors/appid/: fw_appid.c,
1088 detector_plugins/detector_smtp.c, service_plugins/service_ftp.c :
1089 Fixed an issue where SMTP is detected too late.
1090
1091 * src/: dynamic-plugins/sf_dynamic_plugins.c,
1092 dynamic-preprocessors/appid/appIdConfig.h,
1093 dynamic-preprocessors/appid/fw_appid.c :
1094 Added mutex protections into the framework API to protect against some thread contention.
1095
1096 * src/preprocessors/: session_api.h, spp_session.c,
1097 Session/session_expect.c :
1098 Changes to allow simulated packets to match an existing session.
1099
1100 * src/: snort.c, dynamic-plugins/sf_dynamic_plugins.c,
1101 dynamic-plugins/sf_dynamic_preprocessor.h,
1102 dynamic-preprocessors/reputation/spp_reputation.c,
1103 preprocessors/session_api.h, preprocessors/spp_session.c,
1104 preprocessors/Session/session_common.h, sfutil/sfPolicyData.h :
1105 Re-evaluate IP reputation on all flows except black listed flows after reputation update.
1106
1107 * doc/README.http_inspect, etc/gen-msg.map,
1108 preproc_rules/preprocessor.rules,
1109 src/preprocessors/HttpInspect/client/hi_client.c,
1110 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
1111 src/preprocessors/HttpInspect/include/hi_eo_events.h,
1112 src/preprocessors/HttpInspect/include/hi_paf.h,
1113 src/preprocessors/HttpInspect/server/hi_server.c,
1114 src/preprocessors/HttpInspect/utils/hi_paf.c :
1115 Added handling chunked encoding in HTTP1.0 request and response.
1116
1117 * src/preprocessors/: snort_httpinspect.c,
1118 HttpInspect/client/hi_client.c, HttpInspect/include/hi_client.h,
1119 Stream6/snort_stream_tcp.c, Stream6/stream_paf.c :
1120 Fixed an issue wherein HTTPS post file detection was not working.
1121
1122 * src/: parser.c, snort.h, detection-plugins/sp_pcre.c,
1123 dynamic-plugins/sf_convert_dynamic.c,
1124 dynamic-plugins/sf_dynamic_engine.h,
1125 dynamic-plugins/sf_dynamic_plugins.c,
1126 dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
1127 output-plugins/spo_log_tcpdump.c, preprocessors/spp_normalize.c,
1128 preprocessors/Stream6/snort_stream_tcp.c :
1129 Fixed an issue with Snort using incorrect snort config in reload path.
1130
1131 * src/: decode.c, preprocessors/portscan.c,
1132 preprocessors/spp_frag3.c :
1133 Fixed an issue with IP Protocol scanning not getting detected.
1134
1135 * src/decode.c :
1136 Fixed heap out of bounds read in DecodeCiscoMeta().
1137
1138 * src/decode.c :
1139 Fixed 1 byte buffer overflow in CheckIPV6HopOptions.
1140
1141 * src/dynamic-preprocessors/appid/: commonAppMatcher.c :
1142 Fix for the issue where hosts were not being discovered if the ND rule had IPv6 network and zone.
1143
1144 * src/sfutil/Unified2_common.h :
1145 Fixed an issue where Unified2IDSEventIPv6 structure's app_name field has incorrect size.
1146
1147 * src/util.c :
1148 Fixed an issue where logging packet can cause a segmentation fault in single-pcap mode when printing timestamp.
1149 Thanks to Stephan Zeisbarg for reporting this issue.
1150
1151 * src/preprocessors/portscan.c :
1152 Fix Protocol sweep alert.
1153
1154
1155 2017-12-06 Meghana R <meraghav@cisco.com>
1156 Snort 2.9.11.1
1157
1158 * sfeng/ims/sfsnort/snort/src/build.h : updating build number to 268
1159
1160 * sfeng/ims/sfsnort/snort/: src/encode.c, src/reload.h,
1161 src/sfdaq.c, src/dynamic-preprocessors/dcerpc2/dce2_co.c,
1162 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
1163 src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
1164 src/dynamic-preprocessors/dcerpc2/dce2_smb2.c,
1165 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
1166 src/dynamic-preprocessors/sdf/spp_sdf.c,
1167 src/preprocessors/spp_frag3.c, src/preprocessors/spp_session.c,
1168 src/preprocessors/spp_sfportscan.c,
1169 src/preprocessors/Stream6/snort_stream_ip.c,
1170 src/preprocessors/Stream6/snort_stream_tcp.c, src/sfutil/acsmx.c,
1171 src/sfutil/sfksearch.c, src/sfutil/sfportobject.c,
1172 tools/u2spewfoo/u2spewfoo.c :
1173 Fixed warnings when snort is compiled in OpenBSD with clang/llvm. Thanks to Markus Lude for noting the issue.
1174
1175 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/file/spp_file.c :
1176 Fixed issue of applying new configuration in file inspection after snort reload.
1177
1178 * sfeng/ims/sfsnort/snort/src/preprocessors/spp_session.c :
1179 Added null check before accessing session cache.
1180
1181 * sfeng/ims/sfsnort/snort/src/: appIdApi.h,
1182 dynamic-preprocessors/appid/appIdApi.c :
1183 Fixed issue where AppId was not setting HA flags correctly for unmonitored sessions.
1184
1185 * sfeng/ims/sfsnort/snort/src/: snort.c,
1186 dynamic-plugins/sf_dynamic_preprocessor.h, preprocessors/perf.c,
1187 preprocessors/Stream6/snort_stream_icmp.c,
1188 preprocessors/Stream6/snort_stream_ip.c,
1189 preprocessors/Stream6/snort_stream_tcp.c,
1190 preprocessors/Stream6/snort_stream_udp.c :
1191 Fixed issue in compilation of snort with --disable-reload option. Thanks to BlueSky for noting the issue.
1192
1193 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/Makefile.am :
1194 Fixed AppID compilation failure in OpenBSD platform.
1195
1196 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/fw_appid.c :
1197 Fixed issue to set correct flags when there is a need to ignore thirdparty detection for an SSL session.
1198
1199 * sfeng/ims/sfsnort/snort/src/: event_wrapper.c, event_wrapper.h,
1200 preprocessors/portscan.c :
1201 Added support to block portscan. In addition to tracking the scanning packets, action (drop/sdrop/reject) will be taken for all the packets, which means snort will block the packet and generate logs.
1202
1203 * sfeng/ims/sfsnort/snort/src/: obfuscation.c,
1204 dynamic-preprocessors/appid/detector_plugins/detector_http.c,
1205 dynamic-preprocessors/file/file_agent.c,
1206 dynamic-preprocessors/file/file_inspect_config.c,
1207 dynamic-preprocessors/sdf/sdf_us_ssn.c,
1208 file-process/file_capture.c :
1209 Fixed incorrect usage of bitwise-operator and removed dead code. Thanks to David Binderman for noting the issue and proposing the fix.
1210
1211 * sfeng/ims/sfsnort/snort/: doc/snort_manual.pdf, src/snort.c,
1212 src/dynamic-plugins/sf_dynamic_plugins.c,
1213 src/dynamic-plugins/sf_dynamic_preprocessor.h,
1214 src/dynamic-preprocessors/reputation/spp_reputation.c,
1215 src/preprocessors/session_api.h, src/preprocessors/spp_session.c,
1216 src/preprocessors/Session/session_common.h,
1217 src/sfutil/sfPolicyData.h :
1218 Added support to re-evaluate reputation after reputation update for all flows except those that have already been blacklisted.
1219
1220 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/:
1221 client_plugins/client_app_rtp.c, client_plugins/client_app_rtp.h :
1222 Fixed issue to detect RTP up to two SSRC switches in each traffic direction.
1223
1224 * sfeng/ims/sfsnort/snort/src/snort.c :
1225 Added changes to reduce the number of session pruning when snort is idle.
1226
1227 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/ftptelnet/pp_ftp.c :
1228 Fixed an issue related to setting of directory path when handling FTP sessions.
1229
1230 * sfeng/ims/sfsnort/snort/src/snort_bounds.h :
1231 Fixed an issue with the incorrect return in SafeSnprintf function.
1232
1233 * sfeng/ims/sfsnort/snort/src/preprocessors/: snort_httpinspect.c,
1234 HttpInspect/client/hi_client.c, HttpInspect/include/hi_client.h,
1235 Stream6/snort_stream_tcp.c, Stream6/stream_paf.c :
1236 Fixed issues related to HTTP POST header flushing, calling file processing directly if it is not a multipart header and changes to avoid expensive copy of segment data by not splitting them when flushing headers.
1237
1238 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c :
1239 Added changes to show missing session log message only when debugging mode is enabled.
1240
1241 * sfeng/ims/sfsnort/snort/: doc/snort_manual.pdf,
1242 src/preprocessors/portscan.c :
1243 Fixed issue of triggering protocol sweep alert when there are multiple destinations from single source ip protocol scan.
1244
1245 * sfeng/ims/sfsnort/snort/src/preprocessors/Stream6/snort_stream_tcp.c :
1246 Fixed issue of correct session matching for TCP SYN packets without window scale option so that FTP data channels match the same rule as FTP control channels.
1247
1248 * sfeng/ims/sfsnort/snort/src/: decode.c, preprocessors/portscan.c,
1249 preprocessors/spp_frag3.c :
1250 Added changes to fix IP portscan for protocol other than ICMP and fixed issue of bad fragment size event not being generated for oversized packets.
1251
1252 * sfeng/ims/sfsnort/snort/src/preprocessors/snort_httpinspect.c:
1253 Added changes to use raw data in case of PDF and SWF files during file processing for SHA calculation and Malware Cloud Lookup.
1254
1255
1256 2017-09-05 Meghana R <meraghav@cisco.com>
1257 Snort 2.9.11
1258
1259 * src/build.h : updating build number to 125.
1260
1261 * src/preprocessors/: spp_session.c, Stream6/snort_stream_tcp.c :
1262 Fixed issue with updation of global IPS id before packet processing.
1263
1264 * src/output-plugins/spo_unified2.c :
1265 Added changes to display AppId for IPv6 unified events.
1266
1267 * src/: dynamic-preprocessors/Makefile.am,
1268 reload-adjust/appdata_adjuster.c,
1269 sfutil/sfmemcap.c, sfutil/sfmemcap.h :
1270 Fixed dynamic preprocessor compilation failure in OpenBSD platform.
1271
1272 * src/: parser.c, snort.h, detection-plugins/sp_replace.c :
1273 Fixed issues while parsing rules in snort reload path.
1274
1275 * src/: appIdApi.h, dynamic-preprocessors/appid/appId.h,
1276 dynamic-preprocessors/appid/appIdApi.c,
1277 dynamic-preprocessors/appid/appIdConfig.h,
1278 dynamic-preprocessors/appid/appInfoTable.c,
1279 dynamic-preprocessors/appid/flow.h,
1280 dynamic-preprocessors/appid/fw_appid.c,
1281 dynamic-preprocessors/appid/hostPortAppCache.c,
1282 dynamic-preprocessors/appid/hostPortAppCache.h :
1283 Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent.
1284
1285 * src/preprocessors/spp_normalize.c :
1286 Fixed incorrect usage of snort configuration in snort reload path.
1287
1288 * src/dynamic-preprocessors/appid/: flow.c, flow.h, fw_appid.c :
1289 Fixed issues with printing of messages for out-of-order packets.
1290
1291 * src/: mempool.c, mempool.h, reg_test.h, reload.c,
1292 control/sfcontrol.c, control/sfcontrol.h,
1293 preprocessors/spp_session.c,
1294 preprocessors/Stream6/snort_stream_tcp.c :
1295 Added support for forced allocation of TCP protocol memory pool after maximum limit is reached.
1296
1297 * src/reload.c :
1298 Fixed synchronisation issue during snort reload.
1299
1300 * src/sfutil/: sf_ip.h, sf_ipvar.c, sf_ipvar.h :
1301 Added changes to improve performance of ipvar list comparison.
1302
1303 * src/: dynamic-output/plugins/output_lib.h,
1304 dynamic-output/plugins/output_plugin.c,
1305 dynamic-preprocessors/dcerpc2/dce2_smb.c,
1306 dynamic-preprocessors/dcerpc2/dce2_smb.h,
1307 dynamic-preprocessors/dcerpc2/dce2_smb2.c,
1308 dynamic-preprocessors/dcerpc2/spp_dce2.c,
1309 dynamic-preprocessors/file/file_event_log.c,
1310 file-process/file_api.h, file-process/file_service.c,
1311 file-process/file_stats.c, file-process/file_stats.h,
1312 sfutil/sf_textlog.c, sfutil/sf_textlog.h :
1313 Added support for storing filenames in unicode format for SMB protocol.
1314
1315 * src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c :
1316 Enhanced SMTP client detection by allowing line folding and all authentication methods.
1317
1318 * src/: fpcreate.c, sfutil/sfthd.c, sfutil/sfxhash.c :
1319 Fixed issue in detection filter counter when rule is used in multiple configurations.
1320
1321
1322 2017-06-19 Meghana R <meraghav@cisco.com>
1323 Snort 2.9.11 Beta
1324
1325 * src/build.h : updating build number to 101
1326
1327 * configure.in :
1328 Control-socket and side-channel support for FreeBSD platform.
1329
1330 * src/snort.c :
1331 Fixed an issue where snort did not exit gracefully on SIGHUP during the initialisation.
1332
1333 * src/detect.c :
1334 Added a data length check before copying into memory during application detection.
1335
1336 * doc/snort_manual.pdf,
1337 src/dynamic-preprocessors/appid/appIdConfig.h,
1338 src/dynamic-preprocessors/appid/appInfoTable.c,
1339 src/dynamic-preprocessors/appid/commonAppMatcher.c,
1340 src/dynamic-preprocessors/appid/fw_appid.c,
1341 src/dynamic-preprocessors/appid/fw_appid.h,
1342 src/dynamic-preprocessors/appid/hostPortAppCache.c,
1343 src/dynamic-preprocessors/appid/hostPortAppCache.h,
1344 src/dynamic-preprocessors/appid/luaDetectorApi.c :
1345 Added new hostPortCache which can maintain runtime AppId entries.
1346
1347 * src/preprocessors/perf-flow.c :
1348 Added null check for individual sfFlow structure members.
1349
1350 * doc/snort_manual.tex :
1351 Fixed syntax error in snort_manual.tex
1352
1353 * src/dynamic-preprocessors/appid/test/Makefile.am,
1354 dynamic-preprocessors/dcerpc2/test/Makefile.am,
1355 sfutil/test/Makefile.am :
1356 Linked librt library in appid and dcerpc2 modules.
1357
1358 * doc/snort_manual.pdf, doc/snort_manual.tex, src/decode.c,
1359 src/decode.h, src/detect.c, src/encode.c, src/reg_test.h,
1360 src/snort.c, src/snort.h, src/util.c, src/reload.c,
1361 src/detection-plugins/sp_byte_math.c,
1362 src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
1363 src/dynamic-preprocessors/appid/appIdConfig.h,
1364 src/dynamic-preprocessors/appid/appInfoTable.c,
1365 src/dynamic-preprocessors/appid/commonAppMatcher.c,
1366 src/dynamic-preprocessors/appid/fw_appid.c,
1367 src/dynamic-preprocessors/appid/fw_appid.h,
1368 src/dynamic-preprocessors/appid/hostPortAppCache.c,
1369 src/dynamic-preprocessors/appid/hostPortAppCache.h,
1370 src/dynamic-preprocessors/appid/luaDetectorApi.c,
1371 src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c,
1372 src/dynamic-preprocessors/appid/test/Makefile.am,
1373 src/dynamic-preprocessors/dcerpc2/dce2_smb2.c,
1374 src/dynamic-preprocessors/dcerpc2/dce2_smb2.h,
1375 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
1376 src/dynamic-preprocessors/dcerpc2/test/Makefile.am,
1377 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
1378 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
1379 src/dynamic-preprocessors/reputation/spp_reputation.c,
1380 src/dynamic-preprocessors/imap/spp_imap.c,
1381 src/dynamic-preprocessors/pop/spp_pop.c,
1382 src/dynamic-preprocessors/smtp/spp_smtp.c,
1383 src/file-process/file_api.h,
1384 src/file-process/file_segment_process.c,
1385 src/file-process/file_segment_process.h,
1386 src/file-process/file_service.c, src/preprocessors/perf-base.c,
1387 src/preprocessors/perf-flow.c,
1388 src/preprocessors/perf_indicators.c,
1389 src/preprocessors/snort_httpinspect.c,
1390 src/preprocessors/spp_session.c, src/preprocessors/spp_stream6.c,
1391 src/preprocessors/HttpInspect/server/hi_server.c,
1392 src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c,
1393 src/preprocessors/Session/session_expect.c,
1394 src/preprocessors/Stream6/snort_stream_tcp.c,
1395 src/reload-adjust/appdata_adjuster.c, src/sfutil/sfrf.c,
1396 src/sfutil/sfrf.h, src/sfutil/test/Makefile.am,
1397 src/sfutil/test/unit_hacks.c, src/target-based/sftarget_reader.c,
1398 src/target-based/sftarget_reader.h :
1399 Changes to eliminate Snort restart when there are changes to the memory
1400 allocated for preprocessors, by releasing unused or least recently used memory
1401 when needed.
1402
1403 * src/encode.c, dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
1404 dynamic-preprocessors/ftptelnet/pp_ftp.c,
1405 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
1406 preprocessors/perf-base.c, preprocessors/perf_indicators.c,
1407 preprocessors/snort_httpinspect.c,
1408 preprocessors/HttpInspect/utils/hi_cmd_lookup.c :
1409 Fixed multiple issues reported by Coverity.
1410
1411 * src/preprocessors/Stream6/: snort_stream_tcp.c :
1412 Added a null check before retrieving tcpssn for getting re-built packets.
1413
1414 * src/dynamic-preprocessors/reputation/spp_reputation.c :
1415 Fixed double free issue in reputation module.
1416
1417 * src/detection-plugins/sp_byte_math.c,
1418 file-process/file_service.c :
1419 Fixed Coverity Issue - added null check before usage.
1420
1421 * src/dynamic-preprocessors/appid/fw_appid.c :
1422 Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media.
1423
1424 * src/dynamic-preprocessors/appid/fw_appid.c :
1425 Added a null check to prevent copy unless debugHostIp is configured in AppId.
1426
1427 * src/decode.c, decode.h, detect.c, snort.h, util.c,
1428 preprocessors/spp_session.c,
1429 preprocessors/Stream6/snort_stream_tcp.c, sfutil/sfrf.c,
1430 sfutil/sfrf.h :
1431 Performance improvement when SYN rate limit has reached and drop
1432 is configured as next action.
1433
1434 * src/preprocessors/HttpInspect/server/hi_server.c :
1435 Fixed issue of uninitialised value before usage.
1436
1437 * src/file-process/file_service.c :
1438 Fixed issue with SHA value display in File Events.
1439
1440 * src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c :
1441 Enhanced the processing of SIP/RTP future flows without ignoring them.
1442
1443 * src/preprocessors/snort_httpinspect.c :
1444 Changes made in PDF/SWF decompression by adding boundary to the size of the decompressed data.
1445
1446 * src/preprocessors/Stream6/snort_stream_tcp.c :
1447 Fixed stream5 to flush out ACK'ed segments using PAF when session is terminating.
1448
1449 * src/preprocessors/spp_session.c :
1450 Fixed issue with associating router solicit/reply packets to a single session.
1451
1452 * src/preprocessors/HttpInspect/server/hi_server_norm.c,
1453 sfutil/util_utf.c :
1454 Fixed issues with normalisation of unicode HTML pages that do not have unicode encoding specifiers.
1455
1456 * src/appIdApi.h, dynamic-plugins/sf_dynamic_plugins.c,
1457 dynamic-preprocessors/appid/appIdApi.c,
1458 dynamic-preprocessors/appid/appIdConfig.h,
1459 dynamic-preprocessors/appid/commonAppMatcher.c,
1460 dynamic-preprocessors/appid/fw_appid.c,
1461 dynamic-preprocessors/appid/fw_appid.h,
1462 dynamic-preprocessors/appid/detector_plugins/detector_sip.c,
1463 dynamic-preprocessors/appid/service_plugins/service_base.h,
1464 dynamic-preprocessors/appid/service_plugins/service_ftp.c,
1465 dynamic-preprocessors/appid/service_plugins/service_rexec.c,
1466 dynamic-preprocessors/appid/service_plugins/service_rshell.c,
1467 dynamic-preprocessors/appid/service_plugins/service_snmp.c,
1468 dynamic-preprocessors/appid/service_plugins/service_tftp.c,
1469 dynamic-preprocessors/appid/test/appIdTests.c :
1470 Fixed the issue in FTP active traffic by copying the flags as is when expected flow is in the same direction as current flow, reversing the flags when expected flow is in opposite direction and not copying the flags when expected flow's direction is unknown.
1471
1472 * src/dynamic-plugins/sf_dynamic_plugins.c,
1473 dynamic-preprocessors/dcerpc2/spp_dce2.c
1474 Fixed issue of multiple allocation of ada cache in dcerpc2 module.
1475
1476 * src/preprocessors/spp_httpinspect.c :
1477 Made changes to take care of boundary conditions after mempool allocation.
1478
1479 * src/dynamic-preprocessors/appid/luaDetectorModule.c :
1480 Fixed Coverity Issues - Removed logically dead duplicate code that does NULL check after creating a new luaState.
1481
1482 * src/file-process/file_service.c,
1483 preprocessors/Stream6/snort_stream_tcp.c :
1484 Fixed issue in file signature lookup for retransmitted FTP packet.
1485
1486 * src/output-plugins/spo_log_buffer_dump.c :
1487 Changes to free HTTP buffers not used during processing.
1488
1489 * src/dynamic-plugins/sf_dynamic_plugins.c,
1490 dynamic-preprocessors/dcerpc2/spp_dce2.c,
1491 dynamic-preprocessors/dnp3/spp_dnp3.c,
1492 dynamic-preprocessors/sip/sip_config.c,
1493 dynamic-preprocessors/sip/spp_sip.c,
1494 reload-adjust/appdata_adjuster.c,
1495 reload-adjust/appdata_adjuster.h :
1496 Fixed issues in SIP related to reallocation of the same data structure multiple times and accessing numSessions which is asynchronously written by packet processing thread.
1497
1498 * src/dynamic-preprocessors/dcerpc2/spp_dce2.c :
1499 Added multiple null checks in dcerpc2 module.
1500
1501 * src/dynamic-preprocessors/dnp3/spp_dnp3.c,
1502 reload-adjust/appdata_adjuster.c,
1503 reload-adjust/appdata_adjuster.h :
1504 Added null pointer checks in DNP3CheckConfig.
1505
1506 * src/preprocessors/spp_session.c :
1507 Fixed Coverity issue - added null check before usage.
1508
1509 * src/build.h : updating build number to 42
1510
1511 * src/snort.c :
1512 Trigger Snort restart when `config disable-attribute-reload-thread` is
1513 turned on/off.
1514
1515 * src/preprocessors/Stream6/snort_stream_tcp.c :
1516 Fixed detection issue where wrong file signature calculation
1517 was done for secure-ftp.
1518
1519 * src/dynamic-preprocessors/ftptelnet/: ftpp_si.c, ftpp_si.h,
1520 pp_ftp.c :
1521 Fixed incorrect referencing of ftp_data_session after it's pruned.
1522
1523 * src/dynamic-preprocessors/appid/fw_appid.c :
1524 Stability improvement by resolving valgrind reported issues in AppId.
1525
1526 * src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
1527 file-process/file_api.h, file-process/file_resume_block.h,
1528 file-process/file_service.c, preprocessors/Session/session_common.h,
1529 Session/session_expect.c, Stream6/snort_stream_tcp.c,
1530 Stream6/snort_stream_tcp.h, Stream6/stream_common.h, parser.c,
1531 parser.h, snort.c, snort.h, dynamic-preprocessors/dcerpc2/dce2_smb.c,
1532 dynamic-preprocessors/ftptelnet/ftpp_si.h,
1533 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
1534 dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
1535 file-process/file_mime_process.c, file-process/libs/file_lib.c,
1536 preprocessors/snort_httpinspect.c, preprocessors/spp_normalize.c,
1537 preprocessors/spp_normalize.h, preprocessors/spp_stream6.c,
1538 preprocessors/stream_api.h, preprocessors/HttpInspect/client/hi_client.c :
1539 Fixed issue where FTP file type block doesn't work on retried download.
1540
1541 * src/appIdApi.h, dynamic-plugins/sf_dynamic_plugins.c,
1542 dynamic-preprocessors/appid/appIdApi.c,
1543 dynamic-preprocessors/appid/flow.c,
1544 dynamic-preprocessors/appid/flow.h,
1545 dynamic-preprocessors/appid/fw_appid.c,
1546 dynamic-preprocessors/appid/fw_appid.h,
1547 dynamic-preprocessors/appid/detector_plugins/detector_sip.c :
1548 Fixed issue where Snort is inappropriately handling traffic for which AppId
1549 was creating future flow.
1550
1551 * src/file-process/file_segment_process.c :
1552 Fixed issue of updating the file session information for SMB2 file transfer
1553 spanning multiple TCP sessions.
1554
1555 * src/dynamic-preprocessors/appid/: flow.h, fw_appid.c,
1556 luaDetectorApi.c, service_state.c, service_state.h,
1557 detector_plugins/detector_dns.c,
1558 detector_plugins/detector_http.c,
1559 detector_plugins/detector_imap.c,
1560 detector_plugins/detector_kerberos.c,
1561 detector_plugins/detector_pattern.c,
1562 detector_plugins/detector_pop3.c,
1563 detector_plugins/detector_sip.c,
1564 detector_plugins/detector_smtp.c, service_plugins/service_MDNS.c,
1565 service_plugins/service_api.h, service_plugins/service_base.c,
1566 service_plugins/service_base.h,
1567 service_plugins/service_battle_field.c,
1568 service_plugins/service_bgp.c, service_plugins/service_bit.c,
1569 service_plugins/service_bootp.c,
1570 service_plugins/service_dcerpc.c,
1571 service_plugins/service_direct_connect.c,
1572 service_plugins/service_flap.c, service_plugins/service_ftp.c,
1573 service_plugins/service_irc.c, service_plugins/service_lpr.c,
1574 service_plugins/service_mysql.c,
1575 service_plugins/service_netbios.c,
1576 service_plugins/service_nntp.c, service_plugins/service_ntp.c,
1577 service_plugins/service_radius.c,
1578 service_plugins/service_rexec.c, service_plugins/service_rfb.c,
1579 service_plugins/service_rlogin.c, service_plugins/service_rpc.c,
1580 service_plugins/service_rshell.c,
1581 service_plugins/service_rsync.c, service_plugins/service_rtmp.c,
1582 service_plugins/service_snmp.c, service_plugins/service_ssh.c,
1583 service_plugins/service_ssl.c, service_plugins/service_telnet.c,
1584 service_plugins/service_tftp.c,
1585 service_plugins/service_timbuktu.c,
1586 service_plugins/service_tns.c, test/appIdTests.c,
1587 test/sessionFile.c :
1588 Changes in AppId discovery to address session and services related issues.
1589
1590 * src/dynamic-preprocessors/appid/: appId.h, fw_appid.c :
1591 Performance improvements for SIP/RTP audio and video data flow in AppId.
1592
1593 * src/dynamic-preprocessors/appid/: fw_appid.c,
1594 thirdparty_appid_utils.c, test/appIdTests.c, test/externalApis.c :
1595 Fixed an issue related to incorrect processing of XFF addresses during
1596 Snort reload.
1597
1598 * src/dynamic-preprocessors/appid/luaDetectorModule.c :
1599 Improved error handling in luadetector when lua_State object is NULL.
1600
1601 * src/preprocessors/snort_httpinspect.c :
1602 Improved flushing mechanism for HTTP POST header.
1603
1604 * src/output-plugins/spo_log_buffer_dump.c :
1605 Fixed an issue where HTTP buffers were incorrectly dumped as
1606 DNS payload buffers.
1607
1608 * src/preprocessors/Stream6/snort_stream_tcp.c :
1609 Prevent application preprocessors from processing packets having end_sequence
1610 numbers less than current TCP window base.
1611
1612
1613 2016-11-07 Gagan Sachdeva <gagsachd@cisco.com>
1614 Snort 2.9.9.0
1615
1616 * src/build.h : updating build number to 56.
1617
1618 * tools/u2spewfoo/u2spewfoo.c :
1619 src/snort.c, win32/WIN32-Includes/config.h :
1620 Fixed issue related to DLL-Load in Snort on Windows platforms for CVE-2016-1417. Thanks to Secureworks for
1621 reporting this issue.
1622
1623 * src/: detection_filter.c, detection_filter.h, fpdetect.c,
1624 detection-plugins/detection_options.c,
1625 detection-plugins/detection_options.h, sfutil/sfthd.c,
1626 sfutil/sfthd.h, sfutil/test/sfthd_test.c :
1627 Incrementing detection_filter count on either raw packets or re-assembled packets but not on both.
1628
1629 * src/detection-plugins/sp_byte_jump.c :
1630 Fixed an issue where value present in the zero index of byte_extract array was incorrectly used when
1631 byte_extract rule option is not present.
1632
1633
1634 2016-09-08 Seshaiah Erugu <serugu@cisco.com>
1635 Snort 2.9.9
1636
1637 * src/build.h : Updated build number to 82.
1638
1639 * src/dynamic-preprocessors/appid/: appId.h, fw_appid.c, spp_appid.c:
1640 Improved handling of HTTP tunneling in AppId.
1641
1642 * src/detection-plugins/sp_byte_jump.c:
1643 Fixed a bug where byte_jump postoffset was incorrectly initialized leading
1644 to failure in rule matching in some scenarios.
1645
1646 * src/detection-plugins/sp_rpc_check.c:
1647 Fixed RPC decode plugin issue where rule context was missing and RPC
1648 values were not read correctly.
1649
1650 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/smtp/snort_smtp.c :
1651 Fixed an issue in mime data processing in case of stateless inspection.
1652
1653 * sfeng/ims/sfsnort/snort/src/preprocessors/: spp_session.c,
1654 Stream6/stream_paf.c :
1655 Addressed incorrect flushing of packets whose size is greater than MAXIMUM_PAF_MAX.
1656
1657 * sfeng/ims/sfsnort/snort/src/output-plugins/spo_log_buffer_dump.c :
1658 Added banner message with packet timestamp for every buffer dump.
1659
1660 * sfeng/ims/sfsnort/snort/src/: snort.h,
1661 dynamic-preprocessors/dcerpc2/dce2_paf.c,
1662 dynamic-preprocessors/dnp3/dnp3_paf.c,
1663 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
1664 dynamic-preprocessors/imap/imap_paf.c,
1665 dynamic-preprocessors/modbus/modbus_paf.c,
1666 dynamic-preprocessors/modbus/modbus_paf.h,
1667 dynamic-preprocessors/pop/pop_paf.c,
1668 dynamic-preprocessors/sip/sip_paf.c,
1669 dynamic-preprocessors/smtp/smtp_paf.c,
1670 preprocessors/snort_httpinspect.c, preprocessors/spp_stream6.c,
1671 preprocessors/stream_api.h,
1672 preprocessors/HttpInspect/client/hi_client.c,
1673 preprocessors/HttpInspect/utils/hi_paf.c,
1674 preprocessors/Stream6/snort_stream_tcp.c,
1675 preprocessors/Stream6/stream_paf.c,
1676 preprocessors/Stream6/stream_paf.h :
1677 Generating an event when content-length in a POST request is greater than Payload.
1678
1679 * sfeng/ims/sfsnort/snort/src/decode.c :
1680 Decoding support for packets that contain VLAN and SGT.
1681
1682 * sfeng/ims/sfsnort/snort/src/preprocessors/HttpInspect/client/hi_client.c :
1683 Fixed Coverity issue - added null check before usage.
1684
1685 * sfeng/ims/sfsnort/snort/src/preprocessors/snort_httpinspect.c :
1686 Fixed Coverity issue - added null check for Field_Name.
1687
1688 * sfeng/ims/sfsnort/snort/src/preprocessors/Stream6/snort_stream_tcp.c :
1689 Fixed an issue where out-of-bounds memory access (is possible) due to incorrect length argument in memcpy.
1690
1691 * sfeng/ims/sfsnort/snort/src/preprocessors/spp_stream6.c :
1692 Resolved an issue where stream_config is not set (to) correct value in some cases after reload.
1693
1694 * sfeng/ims/sfsnort/snort/src/file-process/:
1695 file_segment_process.c, file_service.c :
1696 Changes done to avoid memory allocation for each signature callback and handle
1697 segments properly when file session has not been created yet.
1698
1699 * sfeng/ims/sfsnort/snort/preproc_rules/preprocessor.rules :
1700 Added new http preprocessor alert for multiple content encoding.
1701 alert ( msg: "HI_SERVER_MULTIPLE_CONTENT_ENCODING"; sid:20; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ).
1702
1703 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/fw_appid.c :
1704 Changes done to handle empty HTTP XFF field.
1705
1706 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/service_plugins/service_base.c :
1707 Changed initiator_ip to be in sync with other ip's.
1708
1709 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/fw_appid.c :
1710 Fixed an issue where AppId was skipping inspection of some HTTP requests.
1711
1712 * sfeng/ims/sfsnort/snort/src/dynamic-plugins/sf_dynamic_plugins.c :
1713 Fixed compiler warning by changing the definition of dummyConsumeHAState() function.
1714
1715 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/:
1716 fw_appid.c, detector_plugins/detector_smtp.c :
1717 Fixed AppId compilation warnings.
1718
1719 * sfeng/ims/sfsnort/snort/src/: parser.c, parser.h, snort.c,
1720 snort.h, preprocessors/spp_normalize.c,
1721 preprocessors/spp_normalize.h, preprocessors/spp_stream6.c,
1722 preprocessors/stream_api.h,
1723 preprocessors/Session/session_common.h,
1724 preprocessors/Session/session_expect.c,
1725 preprocessors/Stream6/snort_stream_tcp.c :
1726 Fixed an issue where Malware files were not getting dropped over FTP protocol.
1727
1728 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/appInfoTable.c :
1729 Fixed issue with using dynamic app ID names (not in appMapping.data) in Snort rules.
1730
1731 * sfeng/ims/sfsnort/snort/src/preprocessors/HttpInspect/utils/hi_paf.c :
1732 Handling HTTP header line containing \r or \r\r.
1733
1734 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/: flow.h,
1735 fw_appid.c, thirdparty_appid_types.h :
1736 Performance improvement in Appid.
1737
1738 * sfeng/ims/sfsnort/snort/src/: file-process/file_service.c,
1739 preprocessors/snort_httpinspect.c,
1740 preprocessors/snort_httpinspect.h :
1741 Added support to detect partial content when it starts in second reassembled packet.
1742
1743 * sfeng/ims/sfsnort/snort/src/preprocessors/: snort_httpinspect.c,
1744 snort_httpinspect.h, HttpInspect/client/hi_client.c
1745 HTTP preprocessor enhanced to handle the split of chunk length itself across different packets.
1746
1747 * sfeng/ims/sfsnort/snort/src/decode.c :
1748 Fixed an issue where a single packet can cause a segmentation fault if a specific
1749 snort rule is in place. Thanks to Marcel da Silva for reporting this issue.
1750
1751 * sfeng/ims/sfsnort/snort/src/decode.c :
1752 Fixed an issue where incorrect byte order was being used for comparison with hard coded value.
1753 Thanks to Al Lewis who reported this issue on open source.
1754
1755 * sfeng/ims/sfsnort/snort/src/preprocessors/: spp_session.c,
1756 spp_stream6.c, Session/session_common.h,
1757 Stream6/snort_stream_tcp.c :
1758 This patch changes the logic in session to set a flag in the SCB
1759 for a flow on the first packet after a reload to indicate the
1760 stream config pointer is stale. Previously the pointer was set
1761 to NULL. Stream was changed to check this stale flag and, if true,
1762 the stream config pointer in the SCB is reinitialized.
1763 With this change the stream configuration pointer continues to
1764 point to the old configuration which will still be valid until
1765 the stream preproc runs. This ensures that the part of the SSL
1766 preproc that runs before Session/Stream have run will have a
1767 valid stream config pointer after a reload.
1768 In addition the StreamActivatePafTcp function, which is called by
1769 the SSL preproc and requires a valid stream configuration, was
1770 changed to check for the pointer being NULL and if it is it will
1771 reinitialize the pointer to valid value and log a warning
1772 message.
1773
1774 * sfeng/ims/sfsnort/snort/doc/snort_manual.tex :
1775 Snort manual updated with Buffer dump feature.
1776
1777 * sfeng/ims/sfsnort/snort/doc/snort_manual.tex :
1778 Snort manual changed with Rule Options Enhancement.
1779
1780 * sfeng/ims/sfsnort/snort/src/sfutil/sfghash.c :
1781 Added NULL check for SFGHASH.
1782
1783 * sfeng/ims/sfsnort/snort/etc/sf_rule_options :
1784 Error message is updated for byte_extract options.
1785 When creating a rule with byte_extract option an error message is sent
1786 when the rule doesn't include a variable name, which is mandatory.
1787
1788 * sfeng/ims/sfsnort/snort/src/: encode.c, preprocids.h,
1789 detection-plugins/sp_byte_math.c,
1790 dynamic-output/plugins/output_lib.h,
1791 dynamic-preprocessors/ftptelnet/pp_ftp.c,
1792 preprocessors/perf-base.c, preprocessors/snort_httpinspect.c,
1793 preprocessors/spp_stream6.c,
1794 preprocessors/HttpInspect/server/hi_server.c, sfutil/sf_ip.h,
1795 win32/WIN32-Prj/snort.dsp :
1796 Addressed issues in Snort Windows build.
1797
1798 * sfeng/ims/sfsnort/snort/src/detection-plugins/: sp_byte_check.c,
1799 sp_byte_jump.c, sp_byte_math.c :
1800 An error message is sent if string rule option is not present
1801 when bytes to grab are greater than 4 bytes in byte_math rule.
1802
1803 * sfeng/ims/sfsnort/snort/src/preprocessors/Stream6/snort_stream_tcp.c :
1804 Resolved an incorrect logging of source and destination ip when TCP stream queue is full.
1805
1806 * sfeng/ims/sfsnort/snort/src/detection-plugins/sp_byte_math.c :
1807 Error message is updated for byte_math options.
1808 When creating a rule with byte_math option an error message is sent
1809 when the rule doesn't include offset and rvalue.
1810
1811 * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/:
1812 Makefile_defs, fw_appid.c, client_plugins/client_app_base.c,
1813 client_plugins/client_app_smtp.c,
1814 client_plugins/client_app_smtp.h,
1815 detector_plugins/detector_base.c,
1816 detector_plugins/detector_smtp.c, service_plugins/service_base.c,
1817 service_plugins/service_smtp.c, service_plugins/service_smtp.h :
1818 Added SMTP detection to AppID, added detector_smtp.c file as part of this enhancement.
1819
1820 2016-05-12 Seshaiah Erugu <serugu@cisco.com>
1821 Snort 2.9.9 Beta
1822
1823 * src/build.h : Updated build number to 4065.
1824
1825 * src/dynamic-preprocessors/appid/fw_appid.c :
1826 Fix for handling bogus client AppIds for AppleCoreMedia.
1827
1828 * src/preprocessors/spp_arpspoof.c :
1829 Added 802.11/wifi header support in ARP Preprocessor.
1830
1831 * src/: detect.c, dynamic-plugins/sf_engine/sf_snort_packet.h,
1832 preprocessors/session_api.h,
1833 preprocessors/Stream6/snort_stream_tcp.c :
1834 Changed RST handling on closed tcp connection.
1835
1836 * src/dynamic-preprocessors/appid/appInfoTable.c :
1837 Fixed a compilation issue in AppId.
1838
1839 * src/: appIdApi.h, dynamic-preprocessors/appid/appIdApi.c,
1840 dynamic-preprocessors/appid/flow.h,
1841 dynamic-preprocessors/appid/fw_appid.c,
1842 dynamic-preprocessors/appid/httpCommon.h,
1843 dynamic-preprocessors/appid/luaDetectorApi.c,
1844 dynamic-preprocessors/appid/thirdparty_appid_types.h,
1845 dynamic-preprocessors/appid/detector_plugins/detector_http.c,
1846 dynamic-preprocessors/appid/detector_plugins/detector_http.h :
1847 Added support for Host, User-Agent, and Referer fields to be rewritten.
1848
1849 * src/dynamic-preprocessors/appid/: appIdApi.c, appInfoTable.h,
1850 fw_appid.c, luaDetectorApi.c, detector_plugins/detector_http.c,
1851 service_plugins/service_ftp.c, service_plugins/service_tftp.c :
1852 Fixed AppId compilation warnings.
1853
1854 * src/preprocessors/Session/stream5_ha.c :
1855 Fix updates HA sf_base counters during failover.
1856
1857 * src/dynamic-preprocessors/appid/fw_appid.c,
1858 src/dynamic-preprocessors/appid/: appId.h :
1859 Fix Reconstructed the call to port-service detection.
1860
1861 * src/dynamic-preprocessors/appid/test/appIdTests.c :
1862 Fixed an AppId compilation issue.
1863
1864 * src/dynamic-preprocessors/appid/appId.h :
1865 Revised appid.h to have APP_ID_ICMP and APP_ID_ICMPV6.
1866
1867 * src/dynamic-preprocessors/appid/: httpCommon.h, luaDetectorApi.c,
1868 detector_plugins/detector_http.c :
1869 Added DEFER_TO_SIMPLE_DETECT action to CHPAddAction.
1870
1871 * src/preprocessors/HttpInspect/: event_output/hi_eo_log.c,
1872 New HTTP preprocessor alert added for Multiple content encodings.
1873
1874 * src/preprocessors/Stream6/snort_stream_tcp.c :
1875 Fix populates DAQ_PktHdr_t of the packet generated while flushing queued
1876 segments with src and dst IP's.
1877
1878 * src/preprocessors/HttpInspect/: client/hi_client.c,
1879 event_output/hi_eo_log.c, include/hi_eo_events.h,
1880 server/hi_server.c :
1881 New HTTP preprocessor alert added for multiple content lengths.
1882
1883 * src/dynamic-preprocessors/appid/: fw_appid.c,
1884 service_plugins/service_rshell.c :
1885 Fix reduces extra service discovery to improve performance.
1886
1887 * src/preprocessors/HttpInspect/client/hi_client.c :
1888 Fix to handle chunk encoding followed by \r\r\r\n and \n\n\n\r\r\n.
1889 This issue was reported by Steffen Ullrich.
1890
1891 * src/: detection_filter.c, detection_filter.h, fpdetect.c,
1892 detection-plugins/detection_options.c,
1893 detection-plugins/detection_options.h, sfutil/sfthd.c,
1894 sfutil/sfthd.h, sfutil/test/sfthd_test.c :
1895 Fix related to detection_options.
1896 Added a new variable detection_filter_count to detection_option_eval_data_t
1897 data structure and set it when detection_filter_test is called for first time.
1898
1899 * src/dynamic-preprocessors/appid/: fw_appid.c, test/appIdTests.c :
1900 Fix picks last IP address in XFF address list.
1901 * src/decode.c :
1902 Added an additional check for divisibility of the length of the PGM header by 4.
1903 If it's not, then an error is returned instead of calculating the checksum.
1904
1905 * src/dynamic-preprocessors/appid/fw_appid.c :
1906 Changed ignore tp appid logic.
1907
1908 * src/preprocessors/HttpInspect/server/hi_server.c :
1909 File filled with delimiters now successfully gets detected.
1910
1911 * src/dynamic-preprocessors/appid/service_plugins/service_ftp.c :
1912 Fix ignores text after FTP response codes.
1913
1914 * src/preprocessors/HttpInspect/server/hi_server.c :
1915 Modified Http header parsing of multiline content-encoding header.
1916
1917 * src/: appIdApi.h, dynamic-preprocessors/appid/appIdApi.c,
1918 dynamic-preprocessors/appid/appInfoTable.h,
1919 dynamic-preprocessors/appid/flow.h,
1920 dynamic-preprocessors/appid/fw_appid.c,
1921 dynamic-preprocessors/appid/luaDetectorApi.c,
1922 dynamic-preprocessors/appid/detector_plugins/detector_http.c :
1923 Made changes in getHttpSearch() to return value based on any payloadAppId match,
1924 not just CHP patterns.
1925
1926 * src/preprocessors/: snort_httpinspect.c,
1927 HttpInspect/server/hi_server.c :
1928 Fixed Coverity issue - Unsigned compared against 0.
1929
1930 * src/preprocessors/: snort_httpinspect.c,
1931 HttpInspect/server/hi_server.c :
1932 Improved chunked gzip content handling.
1933
1934 * src/: dynamic-preprocessors/sdf/spp_sdf.c, obfuscation.c :
1935 Fix to mask sensitive data spanning multiple raw packets.
1936
1937 * src/sfutil/sfghash.c :
1938 Added NULL pointer checks to all the functions in sfghash.c.
1939
1940 * src/preprocessors/spp_httpinspect.c :
1941 Fix Sets file_depth after Snort reload.
1942
1943
1944 * src/dynamic-preprocessors/appid/: fw_appid.c, httpCommon.h,
1945 luaDetectorApi.c, detector_plugins/detector_http.c,
1946 detector_plugins/detector_http.h :
1947 Fix allows multiple key patterns per AppId instance in CHPMultiAddAction().
1948
1949 * src/preprocessors/HttpInspect/files/file_decomp_SWF.c :
1950 Fixed an issue with LZMA flash decompression.
1951
1952 * etc/sf_rule_options, src/detection-plugins/sp_byte_extract.c,
1953 src/detection-plugins/sp_byte_extract.h :
1954 Changed code to allow 1 to 10 bytes (bytes_to_extract) values in byte_extract rule.
1955
1956 * configure.in, doc/snort_manual.tex, etc/snort.conf,
1957 rpm/snort.spec, src/dynamic-plugins/sf_dynamic_meta.h,
1958 src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
1959 src/win32/WIN32-Includes/config.h,
1960 src/win32/WIN32-Prj/snort_installer.nsi :
1961 API version updated.
1962
1963 * src/dynamic-preprocessors/appid/fw_appid.c :
1964 Fix prevents bogus generic clients, and also prevents things like "MPEG"
1965 showing up as a client in case of AppleCoreMedia.
1966
1967 * src/detection-plugins/sp_byte_jump.c :
1968 Now from_end option accepts 0-10 bytes in byte_jump rule.
1969
1970 * src/dynamic-preprocessors/appid/: fw_appid.c, httpCommon.h :
1971 Added more AppId instances for CHPMultixxx Lua api.
1972
1973 * configure.in, src/appIdApi.h, src/sfdaq.c, src/sfdaq.h,
1974 src/tag.c, src/dynamic-plugins/sf_dynamic_plugins.c,
1975 src/dynamic-preprocessors/appid/appIdApi.c,
1976 src/dynamic-preprocessors/appid/flow.c,
1977 src/dynamic-preprocessors/appid/flow.h,
1978 src/dynamic-preprocessors/appid/fw_appid.c,
1979 src/dynamic-preprocessors/appid/fw_appid.h,
1980 src/dynamic-preprocessors/appid/luaDetectorApi.c,
1981 src/dynamic-preprocessors/appid/luaDetectorApi.h,
1982 src/dynamic-preprocessors/appid/luaDetectorFlowApi.c,
1983 src/dynamic-preprocessors/appid/client_plugins/client_app_aim.c,
1984 src/dynamic-preprocessors/appid/client_plugins/client_app_base.c,
1985 src/dynamic-preprocessors/appid/client_plugins/client_app_bit.c,
1986 src/dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c,
1987 src/dynamic-preprocessors/appid/client_plugins/client_app_msn.c,
1988 src/dynamic-preprocessors/appid/client_plugins/client_app_rtp.c,
1989 src/dynamic-preprocessors/appid/client_plugins/client_app_smtp.c,
1990 src/dynamic-preprocessors/appid/client_plugins/client_app_ssh.c,
1991 src/dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c,
1992 src/dynamic-preprocessors/appid/client_plugins/client_app_tns.c,
1993 src/dynamic-preprocessors/appid/client_plugins/client_app_vnc.c,
1994 src/dynamic-preprocessors/appid/client_plugins/client_app_ym.c,
1995 src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c,
1996 src/dynamic-preprocessors/appid/detector_plugins/detector_http.c,
1997 src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c,
1998 src/dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c,
1999 src/dynamic-preprocessors/appid/detector_plugins/detector_pattern.c,
2000 src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c,
2001 src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c,
2002 src/dynamic-preprocessors/appid/service_plugins/service_MDNS.c,
2003 src/dynamic-preprocessors/appid/service_plugins/service_api.h,
2004 src/dynamic-preprocessors/appid/service_plugins/service_base.c,
2005 src/dynamic-preprocessors/appid/service_plugins/service_base.h,
2006 src/dynamic-preprocessors/appid/service_plugins/service_battle_field.c,
2007 src/dynamic-preprocessors/appid/service_plugins/service_bgp.c,
2008 src/dynamic-preprocessors/appid/service_plugins/service_bit.c,
2009 src/dynamic-preprocessors/appid/service_plugins/service_bootp.c,
2010 src/dynamic-preprocessors/appid/service_plugins/service_dcerpc.c,
2011 src/dynamic-preprocessors/appid/service_plugins/service_direct_connect.c,
2012 src/dynamic-preprocessors/appid/service_plugins/service_flap.c,
2013 src/dynamic-preprocessors/appid/service_plugins/service_ftp.c,
2014 src/dynamic-preprocessors/appid/service_plugins/service_irc.c,
2015 src/dynamic-preprocessors/appid/service_plugins/service_lpr.c,
2016 src/dynamic-preprocessors/appid/service_plugins/service_mysql.c,
2017 src/dynamic-preprocessors/appid/service_plugins/service_netbios.c,
2018 src/dynamic-preprocessors/appid/service_plugins/service_nntp.c,
2019 src/dynamic-preprocessors/appid/service_plugins/service_ntp.c,
2020 src/dynamic-preprocessors/appid/service_plugins/service_radius.c,
2021 src/dynamic-preprocessors/appid/service_plugins/service_rexec.c,
2022 src/dynamic-preprocessors/appid/service_plugins/service_rfb.c,
2023 src/dynamic-preprocessors/appid/service_plugins/service_rlogin.c,
2024 src/dynamic-preprocessors/appid/service_plugins/service_rpc.c,
2025 src/dynamic-preprocessors/appid/service_plugins/service_rshell.c,
2026 src/dynamic-preprocessors/appid/service_plugins/service_rsync.c,
2027 src/dynamic-preprocessors/appid/service_plugins/service_rtmp.c,
2028 src/dynamic-preprocessors/appid/service_plugins/service_smtp.c,
2029 src/dynamic-preprocessors/appid/service_plugins/service_snmp.c,
2030 src/dynamic-preprocessors/appid/service_plugins/service_ssh.c,
2031 src/dynamic-preprocessors/appid/service_plugins/service_ssl.c,
2032 src/dynamic-preprocessors/appid/service_plugins/service_telnet.c,
2033 src/dynamic-preprocessors/appid/service_plugins/service_tftp.c,
2034 src/dynamic-preprocessors/appid/service_plugins/service_timbuktu.c,
2035 src/dynamic-preprocessors/appid/service_plugins/service_tns.c,
2036 src/dynamic-preprocessors/appid/test/appIdTests.c,
2037 src/dynamic-preprocessors/appid/util/common_util.h,
2038 src/file-process/file_resume_block.c,
2039 src/preprocessors/Session/session_expect.c,
2040 src/preprocessors/Stream6/snort_stream_tcp.c :
2041 Added the flag to prevent third-party application identification
2042 to expected connections. Changed the internal and external flags
2043 field into one 64-bit flags field. Added address space and
2044 instance to AppID debug. Cleaned up some compiler warnings.
2045 Added the debugging flags and info to the service validator function to
2046 allow internal debugging. Fixed processing of packets without any payload.
2047 Fixed tftp and rshell detection. Fixed third-party application identification
2048 proto state for sessions after http. Fixed expected session allow for AppId
2049 continuation (tftp, snmp).
2050
2051 * src/dynamic-preprocessors/appid/: appInfoTable.c, appInfoTable.h,
2052 fw_appid.h :
2053 Fixed the issue where AppId for Facebook over SPDY/HTTP 1.1 is incorrect.
2054
2055 * src/dynamic-preprocessors/appid/fw_appid.c :
2056 Fixed Coverity warning for Uninitialized variable.
2057
2058 * src/dynamic-preprocessors/appid/: httpCommon.h, luaDetectorApi.c,
2059 detector_plugins/detector_http.c :
2060 Changed code in CHPAddAction to REWRITE/INSERT side effect.
2061
2062 * src/dynamic-preprocessors/appid/appInfoTable.c :
2063 Disabled internal AppID detectors for HTTP/2 by default.
2064
2065 * src/preprocessors/HttpInspect/: include/h2_common.h,
2066 utils/h2_common.c, utils/h2_paf.c :
2067 Added support for HTTP/2.
2068
2069 * src/dynamic-preprocessors/imap/imap_buffer_dump.c,
2070 src/dynamic-preprocessors/imap/imap_buffer_dump.h,
2071 src/dynamic-preprocessors/ftptelnet/ftptelnet_buffer_dump.c,
2072 src/dynamic-preprocessors/ftptelnet/ftptelnet_buffer_dump.h,
2073 src/dynamic-preprocessors/dcerpc2/dcerpc2_buffer_dump.c,
2074 src/dynamic-preprocessors/dcerpc2/dcerpc2_buffer_dump.h,
2075 src/dynamic-preprocessors/ssl/ssl_buffer_dump.c,
2076 src/dynamic-preprocessors/ssl/ssl_buffer_dump.h,
2077 src/dynamic-preprocessors/ssh/ssh_buffer_dump.c,
2078 src/dynamic-preprocessors/ssh/ssh_buffer_dump.h,
2079 src/dynamic-preprocessors/dns/dns_buffer_dump.c,
2080 src/dynamic-preprocessors/dns/dns_buffer_dump.h,
2081 src/dynamic-preprocessors/modbus/modbus_buffer_dump.c,
2082 src/dynamic-preprocessors/modbus/modbus_buffer_dump.h,
2083 src/preprocessors/HttpInspect/utils/hi_buffer_dump.c,
2084 src/preprocessors/HttpInspect/include/hi_buffer_dump.h,
2085 src/output-plugins/spo_log_buffer_dump.h,
2086 src/output-plugins/spo_log_buffer_dump.c,
2087 src/dynamic-preprocessors/smtp/smtp_buffer_dump.c,
2088 src/dynamic-preprocessors/smtp/smtp_buffer_dump.h,
2089 src/dynamic-preprocessors/sip/sip_buffer_dump.c,
2090 src/dynamic-preprocessors/sip/sip_buffer_dump.h,
2091 src/dynamic-preprocessors/pop/pop_buffer_dump.c,
2092 src/dynamic-preprocessors/pop/pop_buffer_dump.h,
2093 src/dynamic-preprocessors/dnp3/dnp3_buffer_dump.c,
2094 src/dynamic-preprocessors/dnp3/dnp3_buffer_dump.h,
2095 src/dynamic-preprocessors/gtp/gtp_buffer_dump.c,
2096 src/dynamic-preprocessors/gtp/gtp_buffer_dump.h,
2097 src/dynamic-preprocessors/imap/imap_buffer_dump.c :
2098 Added these files as part of Buffer-dump feature.
2099
2100 * src/detection-plugins/sp_byte_math.c,
2101 src/detection-plugins/sp_byte_math.h :
2102 Added new rule option "byte_math".
2103
2104
2105
2106 2016-04-26 Rahul Burman <rahburma@cisco.com>
2107 Snort 2.9.8.3
2108
2109 * src/build.h: updating build number to 383
2110
2111 * configure.in, src/preprocessors/HttpInspect/server/hi_server.c:
2112 Modified Http header parsing of multiline content-encoding header.
2113
2114 * src/preprocessors/: snort_httpinspect.c,
2115 HttpInspect/server/hi_server.c:
2116 Fixed an issue where file position pointer was incorrectly set for HTTP response
2117 containing chunked and gzip data.
2118
2119 * src/preprocessors/Stream6/: snort_stream_tcp.c:
2120 Added sanity check to TCP trimming in out-of-order FIN case.
2121
2122 * src/parser.c:
2123 Disabled port groups that are not useful unless adaptive profiling is enabled.
2124
2125 * src/: dynamic-preprocessors/sdf/spp_sdf.c, obfuscation.c:
2126 Fixed an issue of incorrect masking of sensitive data.
2127
2128 2016-03-18 Gaurav Nagare <gnagare@cisco.com>
2129 Snort 2.9.8.2
2130
2131 * src/build.h: updating build number to 335
2132
2133 * src/dynamic-plugins/: sf_engine/examples/detection_lib_meta.h,
2134 sf_dynamic_meta.h:
2135 Updated detection API version to 2.6 to use the latest snort SO rules.
2136
2137 * src/: dynamic-preprocessors/sdf/spp_sdf.c,
2138 preprocessors/Stream6/snort_stream_tcp.c, obfuscation.c:
2139 Fixed several issues with SDF and obfuscation.
2140
2141 * src/: profiler.h, preprocessors/perf_indicators.c,
2142 preprocessors/perf_indicators.h:
2143 Resolved snort build issue with "--disable-perfprofiling" configure
2144 option.
2145
2146 * src/: decode.c, decode.h:
2147 Added Double VLAN tagging support.
2148
2149 * src/file-process/file_mime_process.c:
2150 Enhanced mime parsing by adding support for detecting files
2151 after unknown headers and no headers.
2152
2153 * src/preprocessors/HttpInspect/server/hi_server.c:
2154 Fixed memory leak.
2155
2156 * src/preprocessors/HttpInspect/utils/hi_paf.c:
2157 Fixed issue with gzip decompression. If the server response specifies
2158 Content-Encoding as GZIP, but no Content-Length field for HTTP version 1.0.
2159
2160 * doc/snort_manual.pdf, src/preprocessors/snort_httpinspect.c,
2161 src/preprocessors/spp_httpinspect.c:
2162 Fixed Snort memory leak in parsing HTTP xff options.
2163
2164 * src/preprocessors/spp_httpinspect.c:
2165 Fixed Coverity issues.
2166
2167 * src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h,
2168 HttpInspect/include/hi_paf.h, HttpInspect/server/hi_server.c,
2169 HttpInspect/utils/hi_paf.c:
2170 Improved End of Header(EOH) identification for response header spanning multiple
2171 reassembled packets.
2172
2173 * src/preprocessors/: HttpInspect/utils/hi_paf.c,
2174 Stream6/snort_stream_tcp.c, Stream6/stream_paf.c:
2175 Improved packet reassembly for HTTP, added code to purge segment correctly when
2176 PAF decides to ignore packet upon reaching paf_max.
2177
2178 * src/fpdetect.c:
2179 Fixed to use outer header callback functions when checking IP rule against outer IPs
2180 and inner header callback when checking against inner IPs.
2181
2182 * src/preprocessors/spp_httpinspect.c:
2183 Fixed an issue where http_inspect current and default config had
2184 different file depth.
2185
2186 * src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c:
2187 Handled malformed DNS host in AppId.
2188
2189 * src/file-process/: file_api.h, file_segment_process.c, file_service.c:
2190 Prevented access to file contexts which are pruned when memcap is
2191 reached.
2192
2193 * src/dynamic-preprocessors/appid/: app_forecast.c, app_forecast.h,
2194 flow.h, fw_appid.c, spp_appid.c, thirdparty_appid_types.h:
2195 Performance improvements to AppID.
2196
2197 * src/dynamic-preprocessors/appid/luaDetectorApi.c:
2198 Created a future-flow API for lua detector.
2199 Exposed DNS API to lua detector.
2200
2201 * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
2202 Fixed an issue where unexpected SSL negotiation starts for FTP
2203 with explicit SSL.
2204
2205 * src/preprocessors/HttpInspect/utils/hi_paf.c:
2206 Updated HTTP PAF to accept all tokens between method and version
2207 string in request URI.
2208
2209 * src/preprocessors/HttpInspect/files/file_decomp_SWF.c:
2210 Fixed Flash LZMA decompression issue.
2211
2212 * src/preprocessors/spp_httpinspect.c:
2213 Fixed file_depth initialization issue during Snort reload.
2214
2215
2216 2015-11-18 Carter Waxman <cwaxman@cisco.com>
2217 Snort 2.9.8.0
2218
2219 * src/build.h: updating build number to 229
2220
2221 * src/preprocessors/: session_api.h, spp_session.c,
2222 Session/session_expect.c, Session/session_expect.h:
2223 Added support for multiple expected sessions created for
2224 a single packet.
2225
2226 * doc/: snort_manual.pdf, snort_manual.tex:
2227 Changed gtp ports in snort manual
2228
2229 * src/: dynamic-preprocessors/ftptelnet/ftpp_si.c,
2230 dynamic-preprocessors/ftptelnet/ftpp_si.h,
2231 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
2232 preprocessors/spp_session.c:
2233 Change setAppProcolId to update SFAT for non-TCP traffic
2234
2235 * src/dynamic-preprocessors/appid/spp_appid.c:
2236 Fixed reload issues
2237
2238 * src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c:
2239 Future flows are now created for both directions on SIP
2240
2241 * src/dynamic-preprocessors/smtp/smtp_paf.c:
2242 Improved reliability of SMTP PAF
2243
2244 * src/dynamic-preprocessors/appid/fw_appid.c: Bugs Fixed:
2245 Improved AppId detection on SSL/TLS protocols for decrypted
2246
2247 * src/: dynamic-plugins/sf_engine/sf_snort_packet.h,
2248 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
2249 preprocessors/Stream6/snort_stream_tcp.c:
2250 Fixed FTP file detection where server SYNs data channel before
2251 responding to PORT on command channel.
2252
2253 * src/dynamic-preprocessors/appid/: commonAppMatcher.c, fw_appid.c,
2254 fw_appid.h, service_plugins/service_ftp.c:
2255 Improved detection of data on FTPS data channel
2256
2257 * src/: encode.c, util.h,
2258 dynamic-preprocessors/appid/test/sessionFile.h,
2259 preprocessors/spp_session.c, preprocessors/spp_stream6.c,
2260 preprocessors/Session/session_common.h:
2261 Added support for MPLS active responses
2262
2263 * src/dynamic-preprocessors/appid/:
2264 detector_plugins/detector_pop3.c, service_plugins/service_ftp.c:
2265 Improved detection of POP3S
2266
2267 * src/detection-plugins/sp_appid.c:
2268 Fixed reliability issue with client AppID IPS rules
2269
2270 * preproc_rules/preprocessor.rules,
2271 src/dynamic-preprocessors/smtp/smtp_config.c,
2272 src/dynamic-preprocessors/smtp/smtp_config.h,
2273 src/dynamic-preprocessors/smtp/smtp_log.h,
2274 src/dynamic-preprocessors/smtp/smtp_paf.c:
2275 Added preproc alert for excessive data following "AUTH NTLM\r\n"
2276 "AUTH CRAM-MD5\r\n"
2277
2278 * src/dynamic-preprocessors/reputation/: reputation_config.c,
2279 shmem/shmem_mgmt.c:
2280 Improved reliability of reputation shared memory on single-cpu
2281 systems
2282
2283 * doc/: snort_manual.pdf, snort_manual.tex:
2284 Fix first/last typo in manual. Thanks Mohsen Abbaspour for reporting it.
2285
2286 * src/dynamic-preprocessors/appid/spp_appid.c:
2287 Update AppID to use only global snort config and only process IP packets
2288
2289 * src/dynamic-preprocessors/appid/service_plugins/service_tftp.c:
2290 Fixed reversal of TFTP detection had the source and destination
2291 address data
2292
2293 * src/: detection-plugins/sp_byte_jump.c,
2294 dynamic-plugins/sf_convert_dynamic.c,
2295 dynamic-preprocessors/appid/appIdConfig.c,
2296 dynamic-preprocessors/appid/commonAppMatcher.c,
2297 dynamic-preprocessors/appid/fw_appid.c,
2298 dynamic-preprocessors/appid/luaDetectorApi.c,
2299 dynamic-preprocessors/appid/client_plugins/client_app_smtp.c,
2300 dynamic-preprocessors/appid/detector_plugins/detector_http.c,
2301 dynamic-preprocessors/appid/service_plugins/service_MDNS.c,
2302 dynamic-preprocessors/ftptelnet/hi_util_kmap.c,
2303 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
2304 dynamic-preprocessors/reputation/reputation_config.c,
2305 dynamic-preprocessors/sdf/sdf_detection_option.c,
2306 dynamic-preprocessors/ssl_common/ssl_config.c,
2307 dynamic-preprocessors/ssl_common/ssl_ha.c,
2308 output-plugins/spo_csv.c, preprocessors/spp_arpspoof.c,
2309 preprocessors/spp_session.c,
2310 preprocessors/HttpInspect/utils/hi_util_kmap.c, sfutil/ipobj.c,
2311 sfutil/sfghash.c:
2312 Added error checks to improve reliability
2313
2314 * src/dynamic-preprocessors/appid/: flow.h, fw_appid.c,
2315 service_plugins/service_ssl.c, service_plugins/service_ssl.h:
2316 Fixed issue where appid info was not populated for ssl
2317 sessions on non-standard ports
2318
2319 2015-08-28 Rahul Burman <rahburma@cisco.com>
2320 Snort 2.9.8_rc
2321 * src/build.h:
2322 updating build number to 195
2323
2324 * src/preprocessors/HttpInspect/: client/hi_client.c,
2325 server/hi_server.c:
2326 NULL check added for call to strndup function.
2327
2328 * src/output-plugins/spo_alert_unixsock.c:
2329 Resolved issue where output data is corrupted while writing to unix socket [reported by Alexander Bubnov].
2330
2331 * src/: dynamic-plugins/sf_dynamic_plugins.c,
2332 dynamic-plugins/sf_dynamic_preprocessor.h,
2333 dynamic-preprocessors/ftptelnet/ftpp_si.h,
2334 dynamic-preprocessors/ftptelnet/ftpp_ui_config.h,
2335 dynamic-preprocessors/ftptelnet/pp_ftp.c,
2336 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
2337 Improvements to FTP preprocessor to block malware when downloaded with a client that supports FTP REST.
2338
2339 * src/dynamic-preprocessors/appid/fw_appid.c:
2340 Resolved issue where squid detector is not showing expected alerts.
2341 Reset app ID when SSL is identified on an FTP data channel.
2342
2343 * src/preprocessors/spp_perfmonitor.c:
2344 Resolved snort output error issue in perfmonitor preprocessor
2345
2346 * src/preprocessors/Stream6/snort_stream_tcp.c:
2347 Resolved issue where snort marks retransmitted packet as bad segment.
2348 Fixed issue where XFF/ExtraData is not always logged when 'drop' rules trigger [reported by Mike Cox].
2349
2350 * src/dynamic-preprocessors/reputation/reputation_config.c:
2351 Fixed unexpected behaviour in reputation config where blacklist is displayed
2352 in priority field even though whitelist option is set [reported by Mike Cox].
2353
2354 * src/: decode.h, snort.c,
2355 dynamic-plugins/sf_engine/sf_snort_packet.h,
2356 preprocessors/Stream6/snort_stream_tcp.c:
2357 Improvements done to avoid RETRY verdict for re-transmitted packet.
2358
2359 * etc/gen-msg.map:
2360 Fixed a typo where ssp_ssl is renamed to spp_ssl
2361
2362 * src/preprocessors/spp_session.c:
2363 Changes done to avoid memory allocation for default no. of sessions when session tracking is disabled.
2364
2365 * doc/snort_manual.tex:
2366 Corrected errors in snort_manual.tex [reported by Gabriel Corre].
2367
2368 * src/dynamic-preprocessors/appid/: appId.h, appIdStats.c,
2369 service_plugins/service_ftp.c:
2370 Changes done to differentiate between active and passive FTP connections.
2371
2372 * src/dynamic-preprocessors/appid/: appIdApi.c, appIdConfig.h,
2373 appInfoTable.c, flow.h, fw_appid.c, thirdparty_appid_api.h,
2374 thirdparty_appid_utils.c, detector_plugins/detector_http.c,
2375 detector_plugins/detector_sip.c:
2376 Fixed issues reported by valgrind in AppID.
2377
2378 2015-08-05 Victor Roemer <viroemer@cisco.com>
2379 Snort 2.9.8 Beta
2380 * src/build.h:
2381 Update build number to 176
2382
2383 * src/dynamic-preprocessors/appid/service_plugins/service_ftp.c:
2384 Snort to support EPRT command for active FTP on IPv4 and IPv6
2385
2386 * src/dynamic-preprocessors/ftptelnet/: ftpp_si.c, ftpp_si.h, pp_ftp.c:
2387 Some PDF files were not blocked by snort.
2388
2389 * src/preprocessors/HttpInspect/client/hi_client.c:
2390 Check if packet has start of PDU before generating alert.
2391
2392 * src/dynamic-preprocessors/smtp/smtp_util.c:
2393 SMTP preprocessor email log buffer length update before copying to
2394 avoid assert failure.
2395
2396 * src/: active.c,
2397 decode.h,
2398 preprocids.h,
2399 detection-plugins/sp_react.c,
2400 dynamic-plugins/sf_engine/sf_snort_packet.h,
2401 dynamic-preprocessors/appid/spp_appid.c,
2402 dynamic-preprocessors/reputation/spp_reputation.c,
2403 preprocessors/spp_session.c:
2404 Sessions that are blocked and trusted. Fix sp_react when sending
2405 data.
2406
2407 * src/dynamic-preprocessors/appid/: flow.h, fw_appid.c,
2408 detector_plugins/detector_http.c:
2409 Skip simple detection only for those CHP actions that could override
2410 client ID, payload ID, etc.
2411
2412 * doc/snort_manual.tex:
2413 Correct Unified2 Packet content.
2414
2415 * etc/snort.conf,
2416 src/preprocessors/snort_httpinspect.c,
2417 src/preprocessors/snort_httpinspect.h,
2418 src/preprocessors/HttpInspect/client/hi_client.c,
2419 src/preprocessors/HttpInspect/server/hi_server.c,
2420 src/preprocessors/Stream6/stream_paf.c:
2421 Clear True-IP and XFF between HTTP transactions. Prevents Snort
2422 from logging extra data on transactions incorrectly.
2423
2424 * src/sfutil/sf_ip.h:
2425 Treat 0.0.0.0/0 as "any" ipv4 address, fixing rule matches on ip header
2426 leaf node.
2427
2428 * src/preprocessors/perf-base.c:
2429 Fixed macro usage to work with ICC and C89.
2430
2431 * src/preprocessors/perf-base.c:
2432 Fixed erroneous performance values being generated when Snort is idle.
2433
2434 * src/dynamic-preprocessors/appid/: service_plugins/service_api.h,
2435 util/NetworkSet.h:
2436 Fixed appid compilation issues for FreeBSD and OpenBSD.
2437
2438 * tools/appid_detector_builder.sh:
2439 Fix script shortcomings for HTTP URL, Copyright, DetectorClean() stub.
2440
2441 * src/decode.c:
2442 Snort min_ttl decoder rules drop regardless of alert/drop type.
2443
2444 * src/dynamic-preprocessors/appid/luaDetectorApi.c:
2445 Set active flag for sandboxing for SSL Lua detectors.
2446
2447 * src/: active.h, sfdaq.c, sfdaq.h, snort.c,
2448 dynamic-plugins/sf_dynamic_plugins.c,
2449 dynamic-plugins/sf_dynamic_preprocessor.h,
2450 file-process/file_service.c:
2451 Add support for DAQ Retry detection of the current packet.
2452
2453 This change adds active response api function to request a packet
2454 retry (method added to dpd struct as well) and to query if the
2455 packet disposition is ACTIVE_RETRY.
2456
2457 * src/preprocessors/: spp_session.c,
2458 Session/stream5_ha.c,
2459 Session/stream5_ha.h:
2460 preprocessors/Stream6/snort_stream_tcp.c:
2461 preprocessors/spp_session.c:
2462 If session lookup fails for a packet being processed
2463 by the Session preprocessor while DAQ HA is enabled and DAQ HA
2464 state is available for the packet, retrieve and process the HA
2465 state from the DAQ and retry the lookup. Do not store DAQ HA
2466 state when unsupported tunnel types are decoded that might make
2467 the underlying hardware's concept of flows not match Snort's.
2468
2469 * src/dynamic-preprocessors/file/: file_agent.c, file_agent.h,
2470 spp_file.c:
2471 Support daemon option with file_inspect preprocessor.
2472
2473 * src/preprocessors/Stream6/snort_stream_tcp.c:
2474 When processing asymmetric traffic, TCP segments are no longer
2475 queued indefinitely, reducing session cache thrashing caused by
2476 excessive pruning.
2477
2478 * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
2479 Fix false positive on HI_ANOM_SERVER_ALERT.
2480
2481 * src/dynamic-preprocessors/appid/: detector_plugins/detector_pattern.c,
2482 service_plugins/service_api.h, service_plugins/service_base.c:
2483 C detectors were not enabled when testing with a pcap.
2484
2485 * src/: event.h, sfutil/Unified2_common.h:
2486 Increase max size for app ID names so they don't get truncated in alerts.
2487
2488 * src/dynamic-preprocessors/appid/commonAppMatcher.c:
2489 Fix an issue with old/new config and AppID reload swap.
2490
2491 * src/dynamic-preprocessors/appid/service_plugins/service_bootp.c:
2492 Fix in AppId bootp service plugin for packets without layer 2 header.
2493
2494 * snort.8:
2495 Updated -q and -M switch description in snort manpage.
2496
2497 * src/dynamic-preprocessors/appid/: flow.h, fw_appid.c,
2498 detector_plugins/detector_pattern.h, util/NetworkSet.h,
2499 util/OutputFile.c, util/sfutil.c:
2500 Fix Snort compilation issues on OSX when AppID is enabled.
2501
2502 * src/: dynamic-plugins/sf_dynamic_define.h,
2503 dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
2504 dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h,
2505 dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h,
2506 dynamic-preprocessors/appid/appId.h, dynamic-preprocessors/appid/flow.h,
2507 dynamic-preprocessors/appid/host_tracker.h,
2508 dynamic-preprocessors/appid/rna_flow.h,
2509 dynamic-preprocessors/appid/service_state.h,
2510 dynamic-preprocessors/appid/spp_appid.c,
2511 dynamic-preprocessors/appid/thirdparty_appid_api.h,
2512 dynamic-preprocessors/appid/client_plugins/client_app_api.h,
2513 dynamic-preprocessors/appid/client_plugins/client_app_bit.c,
2514 dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c,
2515 dynamic-preprocessors/appid/client_plugins/client_app_rtp.c,
2516 dynamic-preprocessors/appid/client_plugins/client_app_ssh.c,
2517 dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c,
2518 dynamic-preprocessors/appid/client_plugins/client_app_tns.c,
2519 dynamic-preprocessors/appid/client_plugins/client_app_vnc.c,
2520 dynamic-preprocessors/appid/detector_plugins/detector_dns.c,
2521 dynamic-preprocessors/appid/detector_plugins/detector_imap.c,
2522 dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c,
2523 dynamic-preprocessors/appid/detector_plugins/detector_pop3.c,
2524 dynamic-preprocessors/appid/detector_plugins/detector_sip.c,
2525 dynamic-preprocessors/appid/service_plugins/service_base.c,
2526 dynamic-preprocessors/appid/service_plugins/service_bit.c,
2527 dynamic-preprocessors/appid/service_plugins/service_timbuktu.c,
2528 dynamic-preprocessors/appid/service_plugins/service_tns.c,
2529 side-channel/dynamic-plugins/sf_dynamic_side_channel_lib.h:
2530 Rename SO_PUBLIC to SF_SO_PUBLIC.
2531 Removed unused appid/rna code.
2532
2533 * doc/README.appid, rpm/snort.spec, tools/Makefile.am,
2534 tools/appid_detector_builder.sh:
2535 Added shell script to build simple LUA detectors for Snort.
2536
2537 * src/dynamic-preprocessors/appid/: luaDetectorApi.c,
2538 client_plugins/client_app_base.c, client_plugins/client_app_base.h:
2539 Add sanity checks for lua client mod calls.
2540 Add function for service detectors to add clients.
2541 Open client-side API to allow clients to be added outside of client api.
2542
2543 * configure.in, src/dynamic-output/plugins/output_lib.h:
2544 Don't export visibility hidden or invalid daq include path.
2545
2546 * src/dynamic-preprocessors/appid/service_plugins/service_tftp.c:
2547 Switch source and destination when adding the expected flow.
2548
2549 * doc/README.stream5, doc/snort_manual.tex, etc/snort.conf,
2550 src/preprocessors/Stream6/snort_stream_tcp.c:
2551 Added a new configure option "log_asymmetric_traffic" to turn
2552 on/off logging the message for asymmetric traffic. By default, it
2553 will be turned off.
2554
2555 * src/detect.c:
2556 Call correct function to get app names for alerts.
2557
2558 * configure.in, src/dynamic-preprocessors/appid/dns_defs.h,
2559 src/dynamic-preprocessors/appid/client_plugins/client_app_rtp.c,
2560 src/dynamic-preprocessors/appid/service_plugins/service_api.h,
2561 src/dynamic-preprocessors/appid/service_plugins/service_netbios.c:
2562 Replace use of __BYTE_ORDER with use of WORDS_BIGENDIAN or SF_BIGENDIAN.
2563
2564 * src/dynamic-preprocessors/appid/fw_appid.c:
2565 Free http_session->new_uri and new_cookie before reassigning.
2566
2567 * src/: preprocessors/spp_normalize.c, snort.h:
2568 When normalization is removed from snort conf, a reload would not
2569 disable it in Stream.
2570
2571 * src/preprocessors/perf_indicators.h:
2572 Added a NULL check for a pointer argument in a perf_indicator utility
2573 inline function.
2574
2575 * src/: parser.c, preprocessors/Stream6/snort_stream_tcp.c,
2576 sfutil/sfPolicyUserData.h:
2577 Fixed an issue where stream fails during multiple-policy
2578 configuration if stream_tcp configs are present in the default, but
2579 not child policies.
2580
2581 * src/dynamic-preprocessors/appid/appInfoTable.c:
2582 App name(s) in Snort rules are now case insensitive.
2583
2584 * doc/snort_manual.tex,
2585 src/preprocessors/snort_httpinspect.c,
2586 src/preprocessors/snort_httpinspect.h,
2587 src/preprocessors/spp_httpinspect.c,
2588 src/preprocessors/stream_api.h,
2589 src/preprocessors/HttpInspect/include/hi_si.h,
2590 src/preprocessors/HttpInspect/include/hi_ui_config.h,
2591 src/preprocessors/HttpInspect/server/hi_server.c,
2592 src/preprocessors/HttpInspect/session_inspection/hi_si.c,
2593 src/preprocessors/HttpInspect/utils/hi_paf.c,
2594 src/preprocessors/Session/session_common.h,
2595 src/preprocessors/Stream6/snort_stream_tcp.c,
2596 src/preprocessors/Stream6/stream_paf.c,
2597 src/preprocessors/Stream6/stream_paf.h:
2598 Stop reassembly if HTTP flow depth has been reached.
2599
2600 * src/dynamic-preprocessors/appid/: fw_appid.c:
2601 Fix for core while processing SIP traffic from ignore sessions.
2602
2603 * src/dynamic-preprocessors/appid/service_plugins/service_ssl.c:
2604 Fix for parsing SSL client hello packet (do not assume that this
2605 packet always contains extensions field).
2606
2607 * src/: dynamic-preprocessors/dcerpc2/dce2_paf.c,
2608 dynamic-preprocessors/dnp3/dnp3_paf.c,
2609 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
2610 dynamic-preprocessors/imap/imap_paf.c,
2611 dynamic-preprocessors/pop/pop_paf.c,
2612 dynamic-preprocessors/sip/sip_paf.c,
2613 dynamic-preprocessors/smtp/smtp_paf.c,
2614 preprocessors/spp_stream6.c,
2615 preprocessors/stream_api.h,
2616 preprocessors/HttpInspect/utils/hi_paf.c,
2617 preprocessors/Session/session_common.h,
2618 preprocessors/Stream6/snort_stream_tcp.c,
2619 preprocessors/Stream6/snort_stream_tcp.h,
2620 preprocessors/Stream6/stream_paf.c,
2621 preprocessors/Stream6/stream_paf.h:
2622 Allow 2 PAF clients to be active at a time.
2623
2624 * src/detection-plugins/detection_options.c:
2625 Detection_filter events incorrect both raw and reassembled packets
2626 used. Added a check that, if session is being reassembled, consider
2627 reassembled packet. Else, consider raw packet for count.
2628
2629 When "no_stream" is present in the rule, need to consider raw packets
2630 only, even though session reassembly is happening. Took care of this
2631 case by adding OtnFlowIgnoreReassembled(otn) check.
2632
2633 * src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
2634 Filename parsed from Mime body for UUencoded file.
2635
2636 * src/: detect.c, detect.h, event_queue.c, event_queue.h,
2637 event_wrapper.c, event_wrapper.h, fpdetect.c, fpdetect.h,
2638 ppm.c, tag.c, tag.h, file-process/file_service.c,
2639 preprocessors/Stream6/snort_stream_tcp.c, sfutil/sfPolicyData.h,
2640 sfutil/sfrf.c:
2641 Internal (gid:135) rate filtering events now use runtime NAP instead
2642 of runtime IPS for rule tree lookups.
2643
2644 * src/dynamic-preprocessors/Makefile.am:
2645 Fix for Snort compilation issue on OSX.
2646
2647 * src/: appIdApi.h, decode.h, detect.c, snort.c, snort.h,
2648 dynamic-plugins/sf_dynamic_plugins.c,
2649 dynamic-plugins/sf_engine/sf_snort_packet.h,
2650 dynamic-preprocessors/appid/appIdApi.c,
2651 dynamic-preprocessors/appid/flow.c,
2652 dynamic-preprocessors/appid/flow.h,
2653 dynamic-preprocessors/appid/luaDetectorApi.c,
2654 dynamic-preprocessors/appid/luaDetectorApi.h,
2655 dynamic-preprocessors/appid/client_plugins/client_app_aim.c,
2656 dynamic-preprocessors/appid/client_plugins/client_app_api.h,
2657 dynamic-preprocessors/appid/client_plugins/client_app_base.c,
2658 dynamic-preprocessors/appid/client_plugins/client_app_base.h,
2659 dynamic-preprocessors/appid/client_plugins/client_app_bit.c,
2660 dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c,
2661 dynamic-preprocessors/appid/client_plugins/client_app_msn.c,
2662 dynamic-preprocessors/appid/client_plugins/client_app_rtp.c,
2663 dynamic-preprocessors/appid/client_plugins/client_app_smtp.c,
2664 dynamic-preprocessors/appid/client_plugins/client_app_ssh.c,
2665 dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c,
2666 dynamic-preprocessors/appid/client_plugins/client_app_tns.c,
2667 dynamic-preprocessors/appid/client_plugins/client_app_vnc.c,
2668 dynamic-preprocessors/appid/client_plugins/client_app_ym.c,
2669 dynamic-preprocessors/appid/detector_plugins/detector_dns.c,
2670 dynamic-preprocessors/appid/detector_plugins/detector_imap.c,
2671 dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c,
2672 dynamic-preprocessors/appid/detector_plugins/detector_pattern.c,
2673 dynamic-preprocessors/appid/detector_plugins/detector_pop3.c,
2674 dynamic-preprocessors/appid/detector_plugins/detector_sip.c,
2675 dynamic-preprocessors/appid/service_plugins/service_api.h,
2676 dynamic-preprocessors/appid/service_plugins/service_base.c,
2677 dynamic-preprocessors/appid/service_plugins/service_base.h,
2678 dynamic-preprocessors/appid/service_plugins/service_rpc.c,
2679 dynamic-preprocessors/ftptelnet/pp_ftp.c,
2680 dynamic-preprocessors/sip/sip_dialog.c,
2681 preprocessors/session_api.h,
2682 preprocessors/sip_common.h,
2683 preprocessors/spp_session.c,
2684 preprocessors/spp_session.h,
2685 preprocessors/spp_stream6.c,
2686 preprocessors/stream_api.h,
2687 preprocessors/Session/session_expect.c,
2688 preprocessors/Session/session_expect.h:
2689 Allow all preprocessors to create expected session calls.
2690
2691 * src/dynamic-plugins/: sf_dynamic_plugins.c, sf_dynamic_preprocessor.h:
2692 Corrected function prototype definition for DP API method called to
2693 register an Active Response callback.
2694
2695 * src/snort.c:
2696 Clean up the inline failopen thread before calling DAQ_Stop in
2697 SnortCleanup(). Prevent running in daemon mode from killing these
2698 threads.
2699
2700 * src/preprocessors/: perf-base.h, perf.c:
2701 Don't clear procpidstats structure, so snort doesn't core.
2702
2703 * src/dynamic-preprocessors/appid/: service_state.h,
2704 service_plugins/service_base.c:
2705 Restart service search state machine if previous session was only
2706 partial.
2707
2708 * configure.in, src/sfdaq.c, src/sfdaq.h,
2709 src/dynamic-plugins/sf_dynamic_plugins.c,
2710 src/dynamic-plugins/sf_dynamic_preprocessor.h:
2711 Added accessor methods for DAQ query flow method.
2712
2713 * src/preprocessors/snort_httpinspect.c:
2714 Added checks to prevent raw packets from being used for file process
2715 in HTTP.
2716
2717 * src/dynamic-preprocessors/appid/: flow.h, fw_appid.c:
2718 Fix for processing HTTPS data to extract client app id.
2719
2720 * src/preprocessors/: perf-base.c, Stream6/snort_stream_tcp.c:
2721 Prunes due to timeouts are now counted by perfmonitor as prunes.
2722
2723 * doc/snort_manual.tex, src/parser.c, src/parser.h, src/snort.h,
2724 src/detection-plugins/detection_options.c:
2725 Introduced config option "disable_replace".
2726
2727 * preproc_rules/preprocessor.rules,
2728 src/preprocessors/session_api.h,
2729 src/preprocessors/snort_httpinspect.c,
2730 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
2731 src/preprocessors/HttpInspect/include/hi_eo_events.h,
2732 src/preprocessors/Stream6/snort_stream_tcp.c,
2733 etc/gen-msg.map:
2734 HI_EO_SERVER_PROTOCOL_OTHER alert is added to detect SSH tunneling over HTTP.
2735
2736 * configure.in:
2737 Remove unused declaration of ADD_WERROR.
2738
2739 * src/: active.c, detection-plugins/sp_react.c:
2740 Changed code to add FIN on last data packet and bump the seq for the
2741 FIN flag.
2742
2743 * src/active.c:
2744 Added a FIN packet after the last data packet and before the reset.
2745
2746 * src/dynamic-preprocessors/appid/fw_appid.c:
2747 Fixed HTTP header field offset calculation for fragmented HTTP headers.
2748
2749 * doc/: snort_manual.pdf, snort_manual.tex:
2750 Added note about fast pattern matcher being case insensitive.
2751
2752 * src/: dynamic-plugins/sf_dynamic_plugins.c,
2753 dynamic-plugins/sf_dynamic_preprocessor.h,
2754 dynamic-preprocessors/appid/spp_appid.c:
2755 Allow for multiple isAppIdRequired functions.
2756
2757 * doc/snort_manual.tex:
2758 When not set by preprocessor, set file_data pointer to beg. of
2759 payload. Also fixed an issue when doe_ptr is moved to http
2760 buffers, the length for those buffers is incorrect.
2761
2762 * src/: snort.c, preprocessors/perf.c, preprocessors/perf.h,
2763 preprocessors/spp_perfmonitor.c:
2764 Change the way perfmon dumps stats to ensure that multiple
2765 instances will dump stats at offsets from absolute time. This gives
2766 Snort the ability to dump stats asynchronously (when idle).
2767
2768 * src/snort.c:
2769 Change the order of permissions drop and chroot so that we set
2770 the uid and gid before creating the pid file.
2771
2772 * src/preprocessors/Stream6/snort_stream_tcp.c:
2773 Change PAF to handle full PDU in single tcp segment correctly.
2774
2775 * src/decode.c:
2776 Prevent duplicate alerting of decoder rule 116:296.
2777
2778 * src/dynamic-preprocessors/appid/fw_appid.c:
2779 Use memcpy instead of strdup.
2780
2781 * src/dynamic-preprocessors/appid/detector_plugins/detector_http.c:
2782 Fixed the calculation of 'end' index in http_header_pattern_match
2783 when HTTP header does not have a properly terminated 'Server'
2784 field.
2785
2786 * src/: log_text.c, log_text.h, output-plugins/spo_alert_fast.c,
2787 output-plugins/spo_alert_full.c:
2788 Add AppID to console alert logs.
2789
2790 * src/dynamic-preprocessors/appid/: service_state.c,
2791 service_plugins/service_base.c:
2792 Don't fail adding a service if the id_state is already in the host cache.
2793
2794 * src/dynamic-preprocessors/appid/fw_appid.c:
2795 Addressed pinhole issue not allowing FTP-Data sessions.
2796
2797 * src/: decode.c, parser.c, sfdaq.c, sfdaq.h, snort.c, snort.h:
2798 Update snort to handle the DAQ flags to determine which tunnels it
2799 can render flow verdicts to hardware.
2800
2801 * src/active.c:
2802 Included function for sending UDP response(s).
2803
2804 * src/: sfutil/sfrt_flat.c,
2805 dynamic-preprocessors/reputation/reputation_config.c:
2806 Limit number of IP entries based on memcap. Avoiding issue of sfrt table
2807 not being created in the first place.
2808
2809 * src/: tag.c, detection-plugins/detection_leaf_node.c,
2810 file-process/file_capture.c, file-process/file_mempool.c,
2811 file-process/file_resume_block.c,
2812 file-process/file_segment_process.c,
2813 file-process/file_segment_process.h, preprocessors/perf-flow.c,
2814 preprocessors/portscan.c, preprocessors/Session/session_expect.c,
2815 sfutil/sf_ip.h, sfutil/sfrf.c, sfutil/sfthd.c, sfutil/sfthd.h:
2816 Replaced all sfaddr_t occurrences in hash keys with struct in6_addr.
2817
2818 * src/sfutil/sfdebug.h, tools/control/sfcontrol.c:
2819 Fixed ascii output of file data.
2820
2821 * src/: profiler.h, snort.c, dynamic-plugins/sf_dynamic_plugins.c,
2822 dynamic-plugins/sf_dynamic_preprocessor.h,
2823 dynamic-preprocessors/Makefile.am, preprocessors/Makefile.am,
2824 preprocessors/perf_indicators.c,
2825 preprocessors/perf_indicators.h:
2826 New dynamic-preprocessor API hooks for fetching a set of snort
2827 performance indicators and the pcap readback mode bit.
2828
2829 * src/sfutil/sfdebug.h, tools/control/sfcontrol.c:
2830 Fixed string termination to only dump values that have been initialized.
2831
2832 * src/sfutil/: sfrt_flat.c, sfrt_flat.h, sfrt_flat_dir.c,
2833 sfrt_flat_dir.h:
2834 Memory optimizations for reputation preprocessor
2835
2836 * src/: decode.h, detect.c, detection_util.c, plugbase.c, plugbase.h,
2837 preprocids.h, snort.h, dynamic-plugins/sf_engine/Makefile.am,
2838 dynamic-plugins/sf_engine/sf_snort_packet.h,
2839 preprocessors/spp_frag3.c, preprocessors/spp_session.c,
2840 sfutil/sf_ip.c, sfutil/sf_ip.h:
2841 Changed the preprocessor mask from 32-bit to 64-bit.
2842 Changed all declarations to use PreprocEnableMask as the type.
2843
2844 * src/: file-process/file_resume_block.c, sfutil/sfxhash.c,
2845 sfutil/sfxhash.h:
2846 Added a memcap to sfxhash usage in file_resume_block.
2847
2848 * src/dynamic-preprocessors/dcerpc2/: dce2_smb2.c, dce2_smb2.h,
2849 dce2_stats.h, spp_dce2.c:
2850 Currently, we use file size to avoid processing pipe and print
2851 share data because file size is 0 in that case. However,
2852 smbclient sets file size to zero, in which case snort fails to
2853 identify those files correctly.
2854
2855 * src/: dynamic-preprocessors/appid/commonAppMatcher.c,
2856 dynamic-preprocessors/appid/hostPortAppCache.c,
2857 dynamic-preprocessors/appid/lengthAppCache.c,
2858 dynamic-preprocessors/appid/service_state.c,
2859 dynamic-preprocessors/appid/util/NetworkSet.c,
2860 preprocessors/Session/session_expect.c, sfutil/sfxhash.c,
2861 sfutil/sfxhash.h:
2862 Create SFXHASH with non-negative sizes only.
2863
2864 * doc/snort_manual.tex:
2865 Documentation for new Port Override feature.
2866
2867 * src/dynamic-preprocessors/appid/: luaDetectorApi.c,
2868 luaDetectorApi.h, client_plugins/client_app_base.c,
2869 detector_plugins/detector_pattern.c,
2870 service_plugins/service_base.c:
2871 Fix memory leaks in detector_pattern.
2872
2873 * src/dynamic-preprocessors/appid/service_plugins/service_dns.c,
2874 src/dynamic-preprocessors/appid/service_plugins/service_base.c,
2875 src/dynamic-preprocessors/appid/service_plugins/service_api.h,
2876 src/dynamic-preprocessors/appid/fw_appid.h,
2877 src/dynamic-preprocessors/appid/fw_appid.c,
2878 src/dynamic-preprocessors/appid/appIdApi.c,
2879 src/dynamic-plugins/sf_dynamic_plugins.c,
2880 src/appIdApi.h:
2881 Included 2 new Appid Api calls for DNS_QUERY and DNS_QUERY_LEN.
2882
2883 * src/preprocessors/HttpInspect/client/hi_client.c:
2884 Enable publishing of host name from raw packets for Appid.
2885
2886 * src/: post_detection.c, post_detection.h:
2887 Inline modifier removed from post detection initialization function.
2888
2889 * src/post_detection.h:
2890 Remove static modifier from inline function definition.
2891
2892 * src/decode.c:
2893 FabricPath decoding modified the packet data pointer and length fields
2894 used to calculate ethernet header offsets incorrectly.
2895
2896 * src/: Makefile.am, decode.h, detect.c, post_detection.c,
2897 post_detection.h, snort.c, dynamic-examples/Makefile.am,
2898 dynamic-plugins/sf_dynamic_plugins.c,
2899 dynamic-plugins/sf_dynamic_preprocessor.h,
2900 dynamic-plugins/sf_engine/sf_snort_packet.h,
2901 dynamic-preprocessors/Makefile.am:
2902 Provide an API method available to all preprocessors to register a
2903 callback function that is called post-detection processing of the
2904 packet on which the callback was registered.
2905
2906 * src/dynamic-preprocessors/appid/: commonAppMatcher.c,
2907 thirdparty_appid_api.h, thirdparty_appid_utils.c:
2908 Use Snort's logging facility for 3rd party AppID impls.
2909
2910 * src/: decode.c, decode.h, encode.c, generators.h, sf_protocols.h,
2911 dynamic-plugins/sf_engine/sf_snort_packet.h:
2912 Added a decoding for Cisco Metadata headers.
2913
2914 * src/dynamic-preprocessors/appid/: commonAppMatcher.c, fw_appid.c,
2915 fw_appid.h, client_plugins/client_app_api.h,
2916 client_plugins/client_app_base.c, detector_plugins/detector_pattern.c,
2917 detector_plugins/detector_sip.c, service_plugins/service_api.h,
2918 service_plugins/service_base.c, service_plugins/service_base.h,
2919 util/sf_mlmp.c, util/sf_mlmp.h:
2920 Fixes for sandboxing sip and http.
2921
2922 * src/dynamic-preprocessors/appid/: appIdConfig.c,
2923 luaDetectorApi.c,
2924 detector_plugins/detector_imap.c,
2925 detector_plugins/detector_kerberos.c,
2926 detector_plugins/detector_pop3.c,
2927 detector_plugins/detector_sip.c,
2928 service_plugins/service_MDNS.c,
2929 service_plugins/service_battle_field.c,
2930 service_plugins/service_bgp.c,
2931 service_plugins/service_bit.c,
2932 service_plugins/service_bootp.c,
2933 service_plugins/service_dcerpc.c,
2934 service_plugins/service_direct_connect.c,
2935 service_plugins/service_dns.c,
2936 service_plugins/service_flap.c,
2937 service_plugins/service_ftp.c,
2938 service_plugins/service_irc.c,
2939 service_plugins/service_lpr.c,
2940 service_plugins/service_mysql.c,
2941 service_plugins/service_netbios.c,
2942 service_plugins/service_nntp.c,
2943 service_plugins/service_ntp.c,
2944 service_plugins/service_radius.c,
2945 service_plugins/service_rexec.c,
2946 service_plugins/service_rfb.c,
2947 service_plugins/service_rlogin.c,
2948 service_plugins/service_rpc.c,
2949 service_plugins/service_rshell.c,
2950 service_plugins/service_rsync.c,
2951 service_plugins/service_rtmp.c,
2952 service_plugins/service_smtp.c,
2953 service_plugins/service_snmp.c,
2954 service_plugins/service_ssh.c,
2955 service_plugins/service_ssl.c,
2956 service_plugins/service_telnet.c,
2957 service_plugins/service_tftp.c,
2958 service_plugins/service_timbuktu.c,
2959 service_plugins/service_tns.c:
2960 Initialize current_ref_count for all service plugins.
2961
2962 * src/: detection-plugins/sp_appid.c, dynamic-preprocessors/appid/fw_appid.c:
2963 Fixed AppID in snort rules, trim appNames.
2964
2965 * src/dynamic-preprocessors/appid/: flow.h, fw_appid.c, host_tracker.h,
2966 service_state.h, client_plugins/client_app_base.c,
2967 service_plugins/service_base.c:
2968 Allow multiple service and client detectors to be evaluated on the same flow.
2969
2970 * src/dynamic-preprocessors/appid/: Makefile.am,
2971 appIdConfig.h,
2972 commonAppMatcher.c,
2973 luaDetectorApi.c,
2974 luaDetectorApi.h,
2975 luaDetectorModule.c,
2976 client_plugins/client_app_base.c,
2977 client_plugins/client_app_base.h,
2978 detector_plugins/detector_base.c,
2979 detector_plugins/detector_pattern.c,
2980 detector_plugins/detector_pattern.h,
2981 service_plugins/service_api.h,
2982 service_plugins/service_base.c,
2983 service_plugins/service_base.h,
2984 service_plugins/service_pattern.c,
2985 service_plugins/service_pattern.h:
2986 Implemented new Lua API to inject pattern/port for client and server.
2987
2988 * src/dynamic-preprocessors/: appid/fw_appid.h,
2989 appid/luaDetectorApi.c,
2990 appid/luaDetectorApi.h,
2991 appid/luaDetectorModule.c,
2992 appid/spp_appid.c,
2993 appid/service_plugins/service_MDNS.c,
2994 dcerpc2/spp_dce2.c,
2995 dnp3/spp_dnp3.c,
2996 dns/spp_dns.c,
2997 ftptelnet/spp_ftptelnet.c,
2998 gtp/spp_gtp.c,
2999 imap/spp_imap.c,
3000 isakmp/spp_isakmp.c,
3001 modbus/spp_modbus.c,
3002 pop/spp_pop.c,
3003 reputation/spp_reputation.c,
3004 sdf/spp_sdf.c,
3005 sip/spp_sip.c,
3006 smtp/spp_smtp.c,
3007 ssh/spp_ssh.c,
3008 ssl_common/ssl_config.c,
3009 ssl_common/ssl_ha.c:
3010 Implemented lua detector performance profiling.
3011
3012 * src/generators.h, src/dynamic-preprocessors/dcerpc2/dce2_event.c,
3013 src/dynamic-preprocessors/dcerpc2/dce2_event.h,
3014 src/dynamic-preprocessors/dcerpc2/dce2_smb2.c,
3015 doc/README.dcerpc2, doc/snort_manual.tex,
3016 preproc_rules/preprocessor.rules, etc/gen-msg.map:
3017 SMBv2 and SMBv3 preprocessor alerts update.
3018
3019 * src/encode.c:
3020 Use ip6h struct to reference the src/dst address bytes.
3021
3022 * configure.in,
3023 src/file-process/file_segment_process.c,
3024 src/file-process/file_segment_process.h,
3025 src/file-process/file_service.c,
3026 src/file-process/file_stats.c,
3027 src/file-process/libs/file_lib.c,
3028 src/file-process/Makefile.am,
3029 src/file-process/file_api.h,
3030 src/dynamic-preprocessors/sip/sip_utils.h,
3031 src/dynamic-preprocessors/dcerpc2/Makefile.am,
3032 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
3033 src/dynamic-preprocessors/dcerpc2/dce2_config.h,
3034 src/dynamic-preprocessors/dcerpc2/dce2_session.h,
3035 src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
3036 src/dynamic-preprocessors/dcerpc2/dce2_smb.h,
3037 src/dynamic-preprocessors/dcerpc2/dce2_smb2.c,
3038 src/dynamic-preprocessors/dcerpc2/dce2_smb2.h,
3039 src/dynamic-preprocessors/dcerpc2/dce2_stats.h,
3040 src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
3041 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
3042 doc/README.dcerpc2,
3043 doc/snort_manual.tex:
3044 SMBv2 and SMBv3 file inspection support.
3045
3046 * src/: Makefile.am,
3047 appIdApi.h,
3048 detect.c,
3049 event.h,
3050 sf_sdlist.c,
3051 snort_debug.h,
3052 detection-plugins/sp_appid.c,
3053 detection-plugins/sp_appid.h,
3054 dynamic-plugins/sf_dynamic_plugins.c,
3055 dynamic-plugins/sf_dynamic_preprocessor.h,
3056 dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
3057 dynamic-preprocessors/Makefile.am,
3058 dynamic-preprocessors/appid/Makefile.am,
3059 dynamic-preprocessors/appid/appId.c,
3060 dynamic-preprocessors/appid/appId.h,
3061 dynamic-preprocessors/appid/appIdApi.c,
3062 dynamic-preprocessors/appid/appIdConfig.c,
3063 dynamic-preprocessors/appid/appIdConfig.h,
3064 dynamic-preprocessors/appid/appIdStats.c,
3065 dynamic-preprocessors/appid/appInfoTable.c,
3066 dynamic-preprocessors/appid/appInfoTable.h,
3067 dynamic-preprocessors/appid/app_forecast.c,
3068 dynamic-preprocessors/appid/app_forecast.h,
3069 dynamic-preprocessors/appid/commonAppMatcher.c,
3070 dynamic-preprocessors/appid/commonAppMatcher.h,
3071 dynamic-preprocessors/appid/flow.c,
3072 dynamic-preprocessors/appid/flow.h,
3073 dynamic-preprocessors/appid/flow_error.h,
3074 dynamic-preprocessors/appid/fw_appid.c,
3075 dynamic-preprocessors/appid/fw_appid.h,
3076 dynamic-preprocessors/appid/hostPortAppCache.c,
3077 dynamic-preprocessors/appid/hostPortAppCache.h,
3078 dynamic-preprocessors/appid/host_tracker.h,
3079 dynamic-preprocessors/appid/httpCommon.h,
3080 dynamic-preprocessors/appid/lengthAppCache.c,
3081 dynamic-preprocessors/appid/lengthAppCache.h,
3082 dynamic-preprocessors/appid/luaDetectorApi.c,
3083 dynamic-preprocessors/appid/luaDetectorApi.h,
3084 dynamic-preprocessors/appid/luaDetectorFlowApi.c,
3085 dynamic-preprocessors/appid/luaDetectorFlowApi.h,
3086 dynamic-preprocessors/appid/luaDetectorModule.c,
3087 dynamic-preprocessors/appid/luaDetectorModule.h,
3088 dynamic-preprocessors/appid/rna_flow.h,
3089 dynamic-preprocessors/appid/service_state.c,
3090 dynamic-preprocessors/appid/service_state.h,
3091 dynamic-preprocessors/appid/spp_appid.c,
3092 dynamic-preprocessors/appid/thirdparty_appid_api.h,
3093 dynamic-preprocessors/appid/thirdparty_appid_types.h,
3094 dynamic-preprocessors/appid/thirdparty_appid_utils.c,
3095 dynamic-preprocessors/appid/thirdparty_appid_utils.h,
3096 dynamic-preprocessors/appid/client_plugins/clientAppConfig.h,
3097 dynamic-preprocessors/appid/client_plugins/client_app_aim.c,
3098 dynamic-preprocessors/appid/client_plugins/client_app_aim.h,
3099 dynamic-preprocessors/appid/client_plugins/client_app_api.h,
3100 dynamic-preprocessors/appid/client_plugins/client_app_base.c,
3101 dynamic-preprocessors/appid/client_plugins/client_app_base.h,
3102 dynamic-preprocessors/appid/client_plugins/client_app_bit.c,
3103 dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c,
3104 dynamic-preprocessors/appid/client_plugins/client_app_msn.c,
3105 dynamic-preprocessors/appid/client_plugins/client_app_msn.h,
3106 dynamic-preprocessors/appid/client_plugins/client_app_rtp.c,
3107 dynamic-preprocessors/appid/client_plugins/client_app_smtp.c,
3108 dynamic-preprocessors/appid/client_plugins/client_app_smtp.h,
3109 dynamic-preprocessors/appid/client_plugins/client_app_ssh.c,
3110 dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c,
3111 dynamic-preprocessors/appid/client_plugins/client_app_tns.c,
3112 dynamic-preprocessors/appid/client_plugins/client_app_vnc.c,
3113 dynamic-preprocessors/appid/client_plugins/client_app_ym.c,
3114 dynamic-preprocessors/appid/client_plugins/client_app_ym.h,
3115 dynamic-preprocessors/appid/detector_plugins/detector_api.h,
3116 dynamic-preprocessors/appid/detector_plugins/detector_base.c,
3117 dynamic-preprocessors/appid/detector_plugins/detector_http.c,
3118 dynamic-preprocessors/appid/detector_plugins/detector_http.h,
3119 dynamic-preprocessors/appid/detector_plugins/detector_imap.c,
3120 dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c,
3121 dynamic-preprocessors/appid/detector_plugins/detector_pop3.c,
3122 dynamic-preprocessors/appid/detector_plugins/detector_sip.c,
3123 dynamic-preprocessors/appid/detector_plugins/detector_sip.h,
3124 dynamic-preprocessors/appid/detector_plugins/http_url_patterns.c,
3125 dynamic-preprocessors/appid/detector_plugins/http_url_patterns.h,
3126 dynamic-preprocessors/appid/service_plugins/serviceConfig.h,
3127 dynamic-preprocessors/appid/service_plugins/service_MDNS.c,
3128 dynamic-preprocessors/appid/service_plugins/service_MDNS.h,
3129 dynamic-preprocessors/appid/service_plugins/service_api.h,
3130 dynamic-preprocessors/appid/service_plugins/service_base.c,
3131 dynamic-preprocessors/appid/service_plugins/service_base.h,
3132 dynamic-preprocessors/appid/service_plugins/service_battle_field.c,
3133 dynamic-preprocessors/appid/service_plugins/service_battle_field.h,
3134 dynamic-preprocessors/appid/service_plugins/service_bgp.c,
3135 dynamic-preprocessors/appid/service_plugins/service_bgp.h,
3136 dynamic-preprocessors/appid/service_plugins/service_bit.c,
3137 dynamic-preprocessors/appid/service_plugins/service_bootp.c,
3138 dynamic-preprocessors/appid/service_plugins/service_bootp.h,
3139 dynamic-preprocessors/appid/service_plugins/service_dcerpc.c,
3140 dynamic-preprocessors/appid/service_plugins/service_dcerpc.h,
3141 dynamic-preprocessors/appid/service_plugins/service_direct_connect.c,
3142 dynamic-preprocessors/appid/service_plugins/service_direct_connect.h,
3143 dynamic-preprocessors/appid/service_plugins/service_dns.c,
3144 dynamic-preprocessors/appid/service_plugins/service_dns.h,
3145 dynamic-preprocessors/appid/service_plugins/service_flap.c,
3146 dynamic-preprocessors/appid/service_plugins/service_flap.h,
3147 dynamic-preprocessors/appid/service_plugins/service_ftp.c,
3148 dynamic-preprocessors/appid/service_plugins/service_ftp.h,
3149 dynamic-preprocessors/appid/service_plugins/service_irc.c,
3150 dynamic-preprocessors/appid/service_plugins/service_irc.h,
3151 dynamic-preprocessors/appid/service_plugins/service_lpr.c,
3152 dynamic-preprocessors/appid/service_plugins/service_lpr.h,
3153 dynamic-preprocessors/appid/service_plugins/service_mysql.c,
3154 dynamic-preprocessors/appid/service_plugins/service_mysql.h,
3155 dynamic-preprocessors/appid/service_plugins/service_netbios.c,
3156 dynamic-preprocessors/appid/service_plugins/service_netbios.h,
3157 dynamic-preprocessors/appid/service_plugins/service_nntp.c,
3158 dynamic-preprocessors/appid/service_plugins/service_nntp.h,
3159 dynamic-preprocessors/appid/service_plugins/service_ntp.c,
3160 dynamic-preprocessors/appid/service_plugins/service_ntp.h,
3161 dynamic-preprocessors/appid/service_plugins/service_pattern.c,
3162 dynamic-preprocessors/appid/service_plugins/service_pattern.h,
3163 dynamic-preprocessors/appid/service_plugins/service_radius.c,
3164 dynamic-preprocessors/appid/service_plugins/service_radius.h,
3165 dynamic-preprocessors/appid/service_plugins/service_rexec.c,
3166 dynamic-preprocessors/appid/service_plugins/service_rexec.h,
3167 dynamic-preprocessors/appid/service_plugins/service_rfb.c,
3168 dynamic-preprocessors/appid/service_plugins/service_rfb.h,
3169 dynamic-preprocessors/appid/service_plugins/service_rlogin.c,
3170 dynamic-preprocessors/appid/service_plugins/service_rlogin.h,
3171 dynamic-preprocessors/appid/service_plugins/service_rpc.c,
3172 dynamic-preprocessors/appid/service_plugins/service_rpc.h,
3173 dynamic-preprocessors/appid/service_plugins/service_rshell.c,
3174 dynamic-preprocessors/appid/service_plugins/service_rshell.h,
3175 dynamic-preprocessors/appid/service_plugins/service_rsync.c,
3176 dynamic-preprocessors/appid/service_plugins/service_rsync.h,
3177 dynamic-preprocessors/appid/service_plugins/service_rtmp.c,
3178 dynamic-preprocessors/appid/service_plugins/service_rtmp.h,
3179 dynamic-preprocessors/appid/service_plugins/service_smtp.c,
3180 dynamic-preprocessors/appid/service_plugins/service_smtp.h,
3181 dynamic-preprocessors/appid/service_plugins/service_snmp.c,
3182 dynamic-preprocessors/appid/service_plugins/service_snmp.h,
3183 dynamic-preprocessors/appid/service_plugins/service_ssh.c,
3184 dynamic-preprocessors/appid/service_plugins/service_ssh.h,
3185 dynamic-preprocessors/appid/service_plugins/service_ssl.c,
3186 dynamic-preprocessors/appid/service_plugins/service_ssl.h,
3187 dynamic-preprocessors/appid/service_plugins/service_telnet.c,
3188 dynamic-preprocessors/appid/service_plugins/service_telnet.h,
3189 dynamic-preprocessors/appid/service_plugins/service_tftp.c,
3190 dynamic-preprocessors/appid/service_plugins/service_tftp.h,
3191 dynamic-preprocessors/appid/service_plugins/service_timbuktu.c,
3192 dynamic-preprocessors/appid/service_plugins/service_tns.c,
3193 dynamic-preprocessors/appid/util/NetworkSet.c,
3194 dynamic-preprocessors/appid/util/NetworkSet.h,
3195 dynamic-preprocessors/appid/util/common_util.h,
3196 dynamic-preprocessors/appid/util/fw_avltree.c,
3197 dynamic-preprocessors/appid/util/ip_funcs.c,
3198 dynamic-preprocessors/appid/util/ip_funcs.h,
3199 dynamic-preprocessors/appid/util/sf_mlmp.c,
3200 dynamic-preprocessors/appid/util/sfutil.c,
3201 dynamic-preprocessors/appid/util/sfutil.h,
3202 preprocessors/session_api.h,
3203 preprocessors/spp_session.c,
3204 sfutil/Unified2_common.h:
3205 Snort side changes to openAppid to support openAVC
3206
3207 * src/dynamic-plugins/sf_dynamic_preprocessor.h,
3208 src/sfutil/sf_ip.h:
3209 Bump dpd version.
3210
3211 * configure.in, src/parser.c, src/fpcreate.c, src/fpdetect.c,
3212 src/fpdetect, src/parser.c, src/pcrm.c, src/pcrm.h, src/signature.c,
3213 src/signature.h, src/detection-plugins/Makefile.am,
3214 src/detection-plugins/detection_leaf_node.c,
3215 src/detection-plugins/detection_options.c,
3216 src/sfutil/sfportobject.h:
3217 NEW FEATURE Port Override. Adds new metadata keywords "else-ports",
3218 "or-ports" and "and-ports".
3219
3220 * src/sfdaq.c,
3221 src/sfdaq.h,
3222 src/dynamic-plugins/sf_dynamic_plugins.c,
3223 src/dynamic-plugins/sf_dynamic_preprocessor.h,
3224 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
3225 src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c,
3226 src/sfutil/sfPolicy.c,
3227 src/target-based/sftarget_reader.c:
3228 Add a generic DAQ modify flow function to dpd.
3229
3230 * configure.in,
3231 src/debug.c,
3232 src/decode.c,
3233 src/decode.h,
3234 src/detect.c,
3235 src/detection_filter.c,
3236 src/detection_filter.h,
3237 src/encode.c,
3238 src/fpcreate.c,
3239 src/fpdetect.c,
3240 src/ipv6_port.h,
3241 src/log.c,
3242 src/log_text.c,
3243 src/parser.c,
3244 src/ppm.c,
3245 src/rate_filter.c,
3246 src/sfdaq.c,
3247 src/sfdaq.h,
3248 src/sfthreshold.c,
3249 src/sfthreshold.h,
3250 src/snort.c,
3251 src/snort.h,
3252 src/snort_debug.h,
3253 src/tag.c,
3254 src/util.c,
3255 src/util.h,
3256 src/detection-plugins/sp_ftpbounce.c,
3257 src/detection-plugins/sp_session.c,
3258 src/dynamic-plugins/sf_dynamic_plugins.c,
3259 src/dynamic-plugins/sf_dynamic_preprocessor.h,
3260 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
3261 src/dynamic-preprocessors/appid/flow.c,
3262 src/dynamic-preprocessors/appid/flow.h,
3263 src/dynamic-preprocessors/appid/fw_appid.c,
3264 src/dynamic-preprocessors/appid/fw_appid.h,
3265 src/dynamic-preprocessors/appid/hostPortAppCache.c,
3266 src/dynamic-preprocessors/appid/hostPortAppCache.h,
3267 src/dynamic-preprocessors/appid/luaDetectorApi.c,
3268 src/dynamic-preprocessors/appid/luaDetectorFlowApi.c,
3269 src/dynamic-preprocessors/appid/rna_flow.h,
3270 src/dynamic-preprocessors/appid/service_state.c,
3271 src/dynamic-preprocessors/appid/service_state.h,
3272 src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c,
3273 src/dynamic-preprocessors/appid/service_plugins/service_api.h,
3274 src/dynamic-preprocessors/appid/service_plugins/service_base.c,
3275 src/dynamic-preprocessors/appid/service_plugins/service_ftp.c,
3276 src/dynamic-preprocessors/appid/service_plugins/service_rexec.c,
3277 src/dynamic-preprocessors/appid/service_plugins/service_rpc.c,
3278 src/dynamic-preprocessors/appid/service_plugins/service_rshell.c,
3279 src/dynamic-preprocessors/appid/service_plugins/service_snmp.c,
3280 src/dynamic-preprocessors/appid/service_plugins/service_ssl.c,
3281 src/dynamic-preprocessors/appid/service_plugins/service_tftp.c,
3282 src/dynamic-preprocessors/appid/util/ip_funcs.h,
3283 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
3284 src/dynamic-preprocessors/dcerpc2/dce2_config.h,
3285 src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c,
3286 src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h,
3287 src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
3288 src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
3289 src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c,
3290 src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h,
3291 src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c,
3292 src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h,
3293 src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c,
3294 src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h,
3295 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
3296 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
3297 src/dynamic-preprocessors/imap/spp_imap.c,
3298 src/dynamic-preprocessors/reputation/reputation_config.c,
3299 src/dynamic-preprocessors/reputation/spp_reputation.c,
3300 src/dynamic-preprocessors/sip/sip_parser.c,
3301 src/dynamic-preprocessors/ssl_common/ssl_ha.c,
3302 src/dynamic-preprocessors/ssl_common/ssl_inspect.c,
3303 src/file-process/file_resume_block.c,
3304 src/output-plugins/spo_alert_sf_socket.c,
3305 src/output-plugins/spo_log_ascii.c,
3306 src/output-plugins/spo_unified2.c,
3307 src/preprocessors/perf-flow.c,
3308 src/preprocessors/perf-flow.h,
3309 src/preprocessors/portscan.c,
3310 src/preprocessors/portscan.h,
3311 src/preprocessors/session_api.h,
3312 src/preprocessors/sip_common.h,
3313 src/preprocessors/snort_httpinspect.c,
3314 src/preprocessors/snort_httpinspect.h,
3315 src/preprocessors/spp_arpspoof.c,
3316 src/preprocessors/spp_frag3.c,
3317 src/preprocessors/spp_session.c,
3318 src/preprocessors/spp_sfportscan.c,
3319 src/preprocessors/spp_stream6.c,
3320 src/preprocessors/stream_api.h,
3321 src/preprocessors/HttpInspect/client/hi_client.c,
3322 src/preprocessors/HttpInspect/files/file_decomp.c,
3323 src/preprocessors/HttpInspect/include/file_decomp.h,
3324 src/preprocessors/HttpInspect/include/hi_si.h,
3325 src/preprocessors/HttpInspect/include/hi_ui_config.h,
3326 src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h,
3327 src/preprocessors/HttpInspect/session_inspection/hi_si.c,
3328 src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
3329 src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c,
3330 src/preprocessors/Session/session_common.h,
3331 src/preprocessors/Session/session_expect.c,
3332 src/preprocessors/Session/session_expect.h,
3333 src/preprocessors/Session/stream5_ha.c,
3334 src/preprocessors/Session/stream5_ha.h,
3335 src/preprocessors/Stream6/snort_stream_icmp.c,
3336 src/preprocessors/Stream6/snort_stream_icmp.h,
3337 src/preprocessors/Stream6/snort_stream_tcp.c,
3338 src/preprocessors/Stream6/snort_stream_tcp.h,
3339 src/preprocessors/Stream6/snort_stream_udp.c,
3340 src/preprocessors/Stream6/snort_stream_udp.h,
3341 src/preprocessors/Stream6/stream_paf.c,
3342 src/sfutil/ipobj.c,
3343 src/sfutil/ipobj.h,
3344 src/sfutil/sfPolicy.c,
3345 src/sfutil/sfPolicy.h,
3346 src/sfutil/sf_ip.c,
3347 src/sfutil/sf_ip.h,
3348 src/sfutil/sf_iph.c,
3349 src/sfutil/sf_iph.h,
3350 src/sfutil/sf_ipvar.c,
3351 src/sfutil/sf_ipvar.h,
3352 src/sfutil/sf_vartable.c,
3353 src/sfutil/sfrf.c,
3354 src/sfutil/sfrf.h,
3355 src/sfutil/sfrt.c,
3356 src/sfutil/sfrt.h,
3357 src/sfutil/sfrt_dir.c,
3358 src/sfutil/sfrt_dir.h,
3359 src/sfutil/sfrt_flat.c,
3360 src/sfutil/sfrt_flat.h,
3361 src/sfutil/sfrt_flat_dir.c,
3362 src/sfutil/sfrt_flat_dir.h,
3363 src/sfutil/sfthd.c,
3364 src/sfutil/sfthd.h,
3365 src/sfutil/util_net.c,
3366 src/sfutil/util_net.h,
3367 src/sfutil/test/sf_ip_test.c,
3368 src/sfutil/test/sfrf_test.c,
3369 src/sfutil/test/sfrt_test.c,
3370 src/sfutil/test/sfthd_test.c,
3371 src/side-channel/sidechannel.c,
3372 src/target-based/sftarget_reader.c,
3373 src/target-based/sftarget_reader.h:
3374 Refactor sfip_t/sfaddr_t code to be compatible with struct in6_addr.
3375
3376 2015-08-13 Rahul Burman <rahburma@cisco.com>
3377 Snort 2.9.7.6
3378 * src/build.h:
3379 updating build number to 285
3380
3381 * src/dynamic-preprocessors/reputation/reputation_config.c:
3382 Fixed unexpected behaviour in reputation config where blacklist is displayed
3383 in priority field even though whitelist option is set [reported by Mike Cox].
3384
3385 * src/preprocessors/Stream6/snort_stream_tcp.c:
3386 Fixed issue where XFF/ExtraData is not always logged when 'drop' rules trigger [reported by Mike Cox].
3387 Fixed issue in TCP session deletion when being called from Stream5 HA.
3388
3389 * src/: active.h, file-process/file_service.c:
3390 ACTIVE_DROP is changed to ACTIVE_FORCE_DROP when file_verdict is pending.
3391
3392 * src/dynamic-preprocessors/appid/fw_appid.c:
3393 Fixed issue where openappid does not provide the Content-Type field for use with CHPAddAction.
3394
3395 * doc/snort_manual.tex:
3396 Corrected errors in snort_manual.tex [reported by Gabriel Corre].
3397
3398 * preproc_rules/preprocessor.rules,
3399 src/preprocessors/: session_api.h, snort_httpinspect.c,
3400 HttpInspect/event_output/hi_eo_log.c, HttpInspect/include/hi_eo_events.h,
3401 Stream6/snort_stream_tcp.c:
3402 Enhancement done to detect 'SSH tunneling over HTTP'.
3403
3404 * src/sfutil/sfportobject.c:
3405 Fixed Memory leaks [reported by Bill Parker].
3406
3407 * doc/snort_manual.tex:
3408 Corrected the information about unified2 record structure [reported by Avery Rozar].
3409
3410 * etc/snort.conf, src/preprocessors/snort_httpinspect.c,
3411 src/preprocessors/snort_httpinspect.h,
3412 src/preprocessors/HttpInspect/client/hi_client.c,
3413 src/preprocessors/HttpInspect/server/hi_server.c,
3414 src/preprocessors/Stream6/stream_paf.c:
3415 Fixed issue where original client IP in intrusion event is incorrectly
3416 populated with XFF of the last GET request.
3417
3418 * src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h,
3419 HttpInspect/server/hi_server.c,
3420 snort_httpinspect.c, snort_httpinspect.h,
3421 HttpInspect/server/hi_server.c:
3422 Http unlimited decompression will now decompress the entire stream.
3423
3424 * src/decode.c:
3425 Added a check so that min_ttl decoder does not drop packets in alert mode.
3426
3427 * etc/snort.conf, src/preprocessors/snort_httpinspect.c,
3428 src/preprocessors/snort_httpinspect.h,
3429 src/preprocessors/HttpInspect/client/hi_client.c,
3430 src/preprocessors/HttpInspect/server/hi_server.c:
3431 Fixed issue where original client IP in intrusion event is incorrectly populated with XFF of the last GET request.
3432
3433 2015-07-01 Carter Waxman <cwaxman@cisco.com>
3434 Snort 2.9.7.5
3435 * src/build.h:
3436 updating build number to 262
3437
3438 * src/preprocessors/Stream6/snort_stream_tcp.c:
3439 Improved handling of asymmetric traffic
3440
3441 * src/active.c:
3442 Active responses no longer set the FIN flag on the last segment
3443 transmitted
3444
3445 * src/dynamic-preprocessors/appid/luaDetectorApi.c:
3446 Added sanity checks to client api
3447
3448 * doc/snort_manual.pdf,
3449 src/: dynamic-preprocessors/dcerpc2/dce2_paf.c,
3450 dynamic-preprocessors/dnp3/dnp3_paf.c,
3451 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
3452 dynamic-preprocessors/imap/imap_paf.c,
3453 dynamic-preprocessors/pop/pop_paf.c,
3454 dynamic-preprocessors/sip/sip_paf.c,
3455 dynamic-preprocessors/smtp/smtp_paf.c,
3456 preprocessors/session_api.h, preprocessors/spp_stream6.c,
3457 preprocessors/stream_api.h,
3458 preprocessors/HttpInspect/utils/hi_paf.c,
3459 preprocessors/Session/session_common.h,
3460 preprocessors/Stream6/snort_stream_tcp.c,
3461 preprocessors/Stream6/snort_stream_tcp.h,
3462 preprocessors/Stream6/stream_paf.c,
3463 preprocessors/Stream6/stream_paf.h:
3464 Multiple PAF clients can Read/Write to the same user data
3465
3466 * src/: file-process/file_api.h, file-process/file_mail_common.h,
3467 file-process/file_mime_process.c,
3468 sfutil/sf_email_attach_decode.c, sfutil/sf_email_attach_decode.h:
3469 Fixed filename parsing from Mime body for UUencoded MIME
3470
3471 * src/preprocessors/perf-base.c,
3472 src/preprocessors/Stream6/snort_stream_tcp.c:
3473 Prunes triggered by timeouts are now accounted by perfmonitor.
3474
3475 * src/preprocessors/spp_session.c:
3476 Log warning instead of Fatal Error
3477 if a stream5_global config is in a non-default policy
3478
3479 * src/detection-plugins/sp_base64_decode.c:
3480 Removed unused checks
3481
3482 * src/snort.c:
3483 Improved reliability of configuration reloads
3484
3485 * src/preprocessors/snort_httpinspect.c:
3486 Fixed issue in http
3487 file processing where SHAs may not always be correct.
3488
3489 * doc/snort_manual.pdf,
3490 src/sfutil/sf_email_attach_decode.c:
3491 Fixed handling new line chars in QP encoding
3492
3493
3494 * src/preprocessors/snort_httpinspect.c:
3495 Fixed inconsistent behavior when configuring "max_gzip_mem -1"
3496
3497 2015-22-04 Joel Cornett <jocornet@cisco.com>
3498 Snort 2.9.7.3
3499 * src/build.h:
3500 updating build number to 217
3501
3502 * src/: decode.h, detection-plugins/sp_clientserver.c,
3503 dynamic-plugins/sf_engine/sf_snort_packet.h,
3504 dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
3505 dynamic-preprocessors/dcerpc2/dce2_session.h,
3506 dynamic-preprocessors/sdf/spp_sdf.c,
3507 preprocessors/HttpInspect/server/hi_server.c,
3508 preprocessors/Stream6/snort_stream_tcp.c,
3509 preprocessors/snort_httpinspect.c, preprocessors/spp_normalize.c:
3510 Added mode safety checks to normalization.
3511 Fixed an issue in PAF where the start of the PDU after flushing was not
3512 being set correctly in some cases.
3513 Improved Stream reassembly of HTTPS sessions
3514
3515 * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
3516 Stability improvements for ftp_telnet preprocessor
3517
3518 * doc/snort_manual.pdf, doc/snort_manual.tex,
3519 src/detection-plugins/sp_base64_decode.c,
3520 src/detection-plugins/sp_base64_decode.h,
3521 src/detection-plugins/sp_file_data.c:
3522 Improved performance for file preprocessor
3523 Documentation changes
3524
3525 * src/dynamic-preprocessors/appid/: service_plugins/service_base.c,
3526 service_state.c:
3527 Various OpenAppId improvements
3528
3529 * configure.in:
3530 Fixed issue with configure script handling of -Werror compiler flags
3531
3532 * src/decode.c:
3533 Improved decoding of IPv6 extensions
3534
3535 * src/detection-plugins/detection_options.c:
3536 Fixed an issue where the protected_content rule option was not
3537 backtracking correctly in some cases
3538
3539 * src/snort.c:
3540 Fixed snort handling of PID files
3541
3542 * tools/: u2openappid/u2openappid.c, u2spewfoo/u2spewfoo.c:
3543 Fixed usage info.
3544
3545 * src/dynamic-preprocessors/sip/: Makefile.am, sf_sip.dsp, sip_dialog.c,
3546 sip_parser.c, spp_sip.c:
3547 Added PAF support for TCP traffic
3548
3549 * src/: log_text.c, log_text.h, output-plugins/spo_alert_fast.c,
3550 output-plugins/spo_alert_full.c:
3551 Extended support for OpenAppId logging to cmg and console output loggers
3552
3553 * src/dynamic-preprocessors/appid/service_plugins/service_ssl.c:
3554 Improved SSLv3 handling for OpenAppId
3555
3556 2014-24-12 Victor Roemer <viroemer@cisco.com>
3557 Snort 2.9.7.2
3558 * src/build.h:
3559 updating build number to 177
3560
3561 * src/preprocessors/Stream6/snort_stream_tcp.c:
3562 Resolved an issue where the inline normalization preprocessor
3563 incorrectly resized packets when 'preprocessor normalize_tcp: trim'
3564 was enabled.
3565
3566 * src/decode.c, src/encode.c:
3567 Added support for Cisco FabricPath decoding/encoding.
3568 Ensure flow_id is copied into the DAQ_PktHdr_t.
3569
3570 * src/snort.h, src/sfutil/sfrt.c, src/sfutil/sfrt.h
3571 src/target-based/sftarget_reader.c:
3572 Moved ntohl conversion inside of the sfrt api for both IPv4 and IPv6.
3573
3574 * src/target-based/sftarget_protocol_reference.c
3575 Lookup application protocol id only after the session is established.
3576 Assign application protocol id to the session when using host attribute table.
3577
3578 * src/util.c:
3579 Changes for suppressing configuration logging.
3580
3581 * src/file-process/file_service.c:
3582 Assign the file config to a file context prior to checking if HTTP continuation.
3583
3584 2014-10-10 Carter Waxman <cwaxman@cisco.com>
3585 Snort 2.9.7.0
3586 * src/build.h: updating build number to 149
3587
3588 * src/dynamic-preprocessors/appid/spp_appid.c:
3589 Fixed issue in which AppID would be disabled after a reload.
3590
3591 * configure.in:
3592 Added dependency for OpenSSL when building with --enable-openappid
3593
3594 * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex:
3595 Added documentation for the new Extended X-Forwarded-For
3596 capabilities
3597
3598 * src/preprocessors/Stream6/snort_stream_tcp.c:
3599 Reused the TcpSessionCleanup logic to add a function to flush queued unacked segments.
3600
3601 2014-09-15 Joel Cornett <jocornet@cisco.com>
3602 Snort 2.9.7.0-rc
3603 * src/build.h:
3604 updating build number to 147
3605
3606 * configure.in,
3607 src/sfdaq.c:
3608 Fixed C99 compliance issue with DAQ.
3609
3610 * src/preprocessors/:
3611 Stream6/snort_stream_tcp.c,
3612 spp_session.c:
3613 Improved stability of TCP session decoding.
3614
3615 * tools/u2streamer/u2streamer.c:
3616 Improved stability of u2streamer tool.
3617
3618 * src/snort.c:
3619 Fixed issue with daemonization mode. Thanks to Eugenio Perez
3620 for noting the issue and proposing a fix.
3621
3622 * src/:
3623 dynamic-plugins/sf_dynamic_plugins.c,
3624 dynamic-plugins/sf_dynamic_preprocessor.h,
3625 preprocessor/Stream6/snort_stream_tcp.c,
3626 encode.c, encode.h, snort.c, snort.h:
3627 Added support to detect heartbleed attacks.
3628
3629 * build/dobuild.sh,
3630 rpm/README.build_rpms, rpm/generate-all-rpms, rpm/snort.spec,
3631 src/dynamic-preprocessors/appid/Makefile.am:
3632 Added OpenAppID to snort RPM.
3633
3634 * doc/: README.active, README.file_ips, INSTALL, snort_manual.tex:
3635 Updated documentation.
3636
3637 * doc/INSTALL:
3638 Added common configuration mistakes and fixes to INSTALL.
3639 Thanks to Bill Parker for the documentation.
3640
3641 * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
3642 Improved FTP traffic handling.
3643
3644 * src/dynamic-preprocessors/appid/detector_plugins:
3645 detector_http.c, detector_imap.c, detector_pop3.c:
3646 Improved stability of OpenAppID preprocessor parsing HTTP
3647 headers.
3648
3649 * src/:
3650 parser.c, snort.c, snort.h, util.c:
3651 Added a new option `--suppress-config-log` to Snort command
3652 line arguments. This option suppresses logging of
3653 configuration information to output.
3654
3655 * src/:
3656 active.c, active.h,
3657 preprocessors/Stream6/snort_stream_ip.c,
3658 preprocessors/Stream6/snort_stream_tcp.c,
3659 preprocessors/Stream6/snort_stream_udp.c:
3660 Fixed issue with blacklisting of flow traffic.
3661
3662 * src/preprocessors:
3663 spp_session.c, spp_stream6.c:
3664 Improved stability of Stream6 preprocessor.
3665
3666 * configure.in,
3667 src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
3668 src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
3669 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
3670 src/dynamic-preprocessors/imap/snort_imap.c,
3671 src/dynamic-preprocessors/imap/snort_imap.h,
3672 src/dynamic-preprocessors/pop/snort_pop.c,
3673 src/dynamic-preprocessors/pop/snort_pop.h,
3674 src/dynamic-preprocessors/smtp/snort_smtp.c,
3675 src/dynamic-preprocessors/smtp/snort_smtp.h,
3676 src/dynamic-preprocessors/ssl_common/ssl_include.h,
3677 src/dynamic-preprocessors/ssl_common/ssl_inspect.c,
3678 src/dynamic-preprocessors/ssl_common/ssl_session.h,
3679 src/encode.c:
3680 Fixed encoding issue with DAQ packet headers.
3681
3682 * doc/README.ssl,
3683 doc/snort_manual.pdf,
3684 doc/snort_manual.tex,
3685 etc/gen-msg.map,
3686 preproc_rules/preprocessor.rules,
3687 src/dynamic-preprocessors/ssl_common/ssl.c,
3688 src/dynamic-preprocessors/ssl_common/ssl.h,
3689 src/dynamic-preprocessors/ssl_common/ssl_config.c,
3690 src/dynamic-preprocessors/ssl_common/ssl_config.h,
3691 src/dynamic-preprocessors/ssl_common/ssl_inspect.c,
3692 src/dynamic-preprocessors/ssl_common/ssl_inspect.h,
3693 src/dynamic-preprocessors/ssl_common/ssl_session.h:
3694 Added support to detect heartbleed attacks.
3695
3696 * doc/snort_manual.tex,
3697 src/dynamic-examples/dynamic-rule/detection_lib_meta.h,
3698 src/dynamic-plugins/sf_dynamic_engine.h,
3699 src/dynamic-plugins/sf_dynamic_meta.h,
3700 src/dynamic-plugins/sf_dynamic_preprocessor.h,
3701 src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
3702 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
3703 src/preprocessors/Stream6/snort_stream_tcp.c,
3704 src/decode.c, src/decode.h, src/encode.c, src/parser.c,
3705 src/parser.h, src/snort.c, src/snort.h:
3706 Added a new config option `max_ip6_extensions` to change the
3707 maximum number of IPv6 extension headers decoded. Thanks to
3708 Antonio Atlasis for providing data to the ChangeLog.
3709
3710 * src/dynamic-preprocessors/modbus/:
3711 modbus_paf.h, modbus_roptions.c, spp_modbus.c:
3712 Improved traffic handling by modbus preprocessor
3713
3714 * src/:
3715 dynamic-preprocessors/dns/spp_dns.c,
3716 dynamic-preprocessors/imap/spp_imap.c,
3717 dynamic-preprocessors/pop/spp_pop.c,
3718 dynamic-preprocessors/smtp/spp_smtp.c,
3719 dynamic-preprocessors/ssh/spp_ssh.c,
3720 preprocessors/spp_session.c:
3721 Fixed issue with stream configuration state changing across
3722 reloads. Thanks to Eugenio Perez for noting the issue.
3723
3724 * src/dynamic-preprocessors/appid/Makefile.am:
3725 Fixed compilation issue with OpenAppID on OpenBSD.
3726
3727 * src/plugbase.c:
3728 Improved implementation of plugin API.
3729
3730 * src:
3731 detection-plugins/sp_ftpbounce.c,
3732 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
3733 Improved stability of FTP preprocessor.
3734
3735 * configure.in,
3736 src/dynamic-preprocessors/appid/appIdConfig.c,
3737 src/dynamic-preprocessors/appid/appIdConfig.h,
3738 src/dynamic-preprocessors/appid/flow.h,
3739 src/dynamic-preprocessors/appid/fw_appid.c,
3740 src/dynamic-preprocessors/appid/fw_appid.h,
3741 src/dynamic-preprocessors/appid/luaDetectorApi.h:
3742 Fixed compilation issues with OpenAppID on Mac OS X.
3743
3744 * src/preprocessors/:
3745 perf-flow.c, spp_perfmonitor.c:
3746 Minimum flow-ip-memcap changed to 8200.
3747
3748 * src/sf_sdlist.c:
3749 Fixed implementation of `sf_sdlist`. Thanks to Yang Zhang
3750 for noting the issue.
3751
3752 * src/:
3753 preprocessors/Stream6/snort_stream_tcp.c,
3754 preprocessors/spp_frag3.c,
3755 preprocessors/spp_normalize.c:
3756 active.h, decode.c,
3757 Check checksum configuration as well as na_policy_mode
3758 setting before drop.
3759
3760 * src/preprocessors/snort_httpinspect.c:
3761 Improved handling in HTTPInspect preprocessor.
3762
3763 * src/sfutil/mpse.c:
3764 Fixed building snort with --disable-perfprofiling. Thanks to
3765 Yonatan Ben-David for noting the issue.
3766
3767 * src:
3768 encode.c, encode.h:
3769 Fixed ICMPv6 encoding issue.
3770
3771 * etc/snort.conf,
3772 src/detection-plugins/sp_file_type.c,
3773 src/dynamic-preprocessors/Makefile.am,
3774 src/dynamic-preprocessors/ftptelnet/Makefile.am,
3775 src/dynamic-preprocessors/imap/Makefile.am,
3776 src/dynamic-preprocessors/pop/Makefile.am,
3777 src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
3778 src/dynamic-preprocessors/smtp/Makefile.am,
3779 src/dynamic-preprocessors/ssl/Makefile.am,
3780 src/preprocessors/Session/Makefile.am,
3781 src/win32/WIN32-Prj/sf_engine.dsp,
3782 src/win32/WIN32-Prj/snort.dsp,
3783 src/win32/WIN32-Prj/snort.dsw,
3784 src/win32/WIN32-Prj/snort_installer.nsi:
3785 Fixed Win32 and distcheck build issues.
3786
3787 * doc/OpenDetectorDeveloperGuide.docx,
3788 doc/OpenDetectorDeveloperGuide.pdf,
3789 src/dynamic-preprocessors/appid/Makefile.am,
3790 src/dynamic-preprocessors/appid/appInfoTable.c,
3791 src/dynamic-preprocessors/appid/detector_plugins/detector_http.c,
3792 src/dynamic-preprocessors/appid/detector_plugins/detector_http.h,
3793 src/dynamic-preprocessors/appid/fw_appid.c,
3794 src/dynamic-preprocessors/appid/httpCommon.h,
3795 src/dynamic-preprocessors/appid/luaDetectorApi.c,
3796 src/dynamic-preprocessors/appid/service_plugins/service_base.c,
3797 src/dynamic-preprocessors/appid/service_plugins/service_rtmp.c,
3798 src/dynamic-preprocessors/appid/service_plugins/service_rtmp.h:
3799 Added RTMP detector (w/ metadata) to OpenAppID and updated
3800 Lua API.
3801
3802 2014-06-04 Carter Waxman <cwaxman@cisco.com>
3803 Snort 2.9.7.0.beta
3804 * src/build.h:
3805 updating build number to 109
3806
3807 * src/: detection-plugins/sp_base64_decode.c,
3808 dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
3809 Use correct buffer size for base64 decoding.
3810 Fix the bound check for base64_decode rule. Thanks to Joshua for providing the
3811 patch.
3812
3813 * src/: detect.c,
3814 dynamic-preprocessors/reputation/spp_reputation.c,
3815 dynamic-preprocessors/reputation/shmem/shmem_config.h,
3816 dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
3817 preprocessors/session_api.h, preprocessors/spp_session.c:
3818 Improved reputation performance by only checking IPs once per
3819 session. Changed control socket to respond 0 when reloading empty IP
3820 reputation lists. Avoid registering reputation preprocessor when there are no IP lists
3821
3822 * src/: active.c, fpdetect.c,
3823 dynamic-preprocessors/dcerpc2/dce2_smb.c,
3824 file-process/file_resume_block.c:
3825 Fixed build issue when configuring with --disable-active-response
3826 --disable-react --disable-flexresp3 (Reported by Jeremy Hoel)
3827
3828 * src/parser.c
3829 src/preprocessors/Session/stream5_ha.c,
3830 src/preprocessors/Stream6/snort_stream_icmp.c,
3831 src/preprocessors/Stream6/snort_stream_tcp.c,
3832 src/preprocessors/Stream6/snort_stream_udp.c,
3833 src/preprocessors/spp_session.c:
3834 Fixed configuration parsing issues.
3835
3836 * src/: fpcreate.c, fpdetect.c:
3837 Fixed rule protocol mapping when using target-based detection.
3838
3839 * src/preprocessors/perf-base.c:
3840 Added field in now files for number of normalizers used.
3841
3842 * src/preprocessors/Stream6/snort_stream_tcp.c:
3843 Fix handling of data on syn for Mac OSX reassembly.
3844
3845 * src/dynamic-plugins/sf_dynamic_plugins.c:
3846 Remove optional field check to improve compatibility for DragonFlyBSD.
3847 Thanks to Joshua Kinard for providing the patch.
3848
3849 * src/detect.c:
3850 Fixed AppID not correctly handling packets without sessions (Discovered by
3851 James Lay)
3852
3853 * src/preprocessors/snort_httpinspect.c:
3854 Fixed issue with HTTP session data handling. (Discovered by James Lay)
3855
3856 * src/snort.c:
3857 Fixed parsing of custom rule types on reload.
3858
3859 * src/util.c:
3860 Fixed timestamp arithmetic error (Reported by David Turnbull)
3861
3862 * src/: sf_protocols.h, preprocessors/perf-base.c,
3863 preprocessors/perf-base.h, preprocessors/session_api.h,
3864 preprocessors/spp_session.c, preprocessors/spp_stream6.c,
3865 preprocessors/stream_api.h,
3866 preprocessors/Stream6/stream_common.c,
3867 preprocessors/Stream6/stream_common.h:
3868 Fixed IP protocol number type (Reported by Joshua Kinard)
3869
3870 * src/: strlcatu.h, strlcpyu.h:
3871 Wrap function signatures for strlcat/strlcpy. Thanks to James
3872 Golab for reporting the issue.
3873
3874 * doc/: snort_manual.pdf, snort_manual.tex:
3875 Typos fixed (Credit to Jenah J. Sigurdson)
3876
3877 * src/: encode.h, parser.c, dynamic-preprocessors/imap/imap_paf.c,
3878 dynamic-preprocessors/pop/pop_paf.c,
3879 dynamic-preprocessors/smtp/smtp_paf.c,
3880 file-process/file_mail_common.h, preprocessors/stream_api.h,
3881 preprocessors/Stream6/stream_paf.c:
3882 Fixed PAF flushing behavior when encountering gaps.
3883 paf_max now has a hard flush limit of ~64,000. Email protocols will
3884 flush within 1500 characters of paf_max.
3885
3886 * src/: dynamic-preprocessors/dns/spp_dns.c,
3887 dynamic-preprocessors/imap/snort_imap.c,
3888 dynamic-preprocessors/pop/snort_pop.c,
3889 preprocessors/session_api.h, preprocessors/spp_rpc_decode.c,
3890 preprocessors/spp_session.c,
3891 preprocessors/Stream6/snort_stream_tcp.c:
3892 Changed flushing to use receiver's flush policy in all functions.
3893 Updated POP, IMAP, DNS, RPC, and SSL to use the correct directions.
3894 Added SSN_TO_SERVER(SSN_FROM_CLIENT) and SSN_TO_CLIENT(SSN_FROM_SERVER)
3895 to make code more readable (Discovered by John Enure).
3896
3897 * src/detection_util.c:
3898 Fixed Http buffer name initialization.
3899
3900 * src/preprocessors/HttpInspect/normalization/hi_norm.c:
3901 Fixed URI parsing and normalization.
3902
3903 * doc/README.file_ips, src/plugbase.c, src/rule_option_types.h,
3904 src/detection-plugins/Makefile.am,
3905 src/detection-plugins/detection_options.c,
3906 src/detection-plugins/sp_file_type.c,
3907 src/file-process/file_api.h, src/file-process/file_service.c,
3908 src/file-process/libs/file_config.c,
3909 src/file-process/libs/file_config.h,
3910 src/file-process/libs/file_identifier.c,
3911 src/file-process/libs/file_lib.c,
3912 src/file-process/libs/file_lib.h:
3913 Allow registration of the same file type callback.
3914 Harden file_type and file_group rule options.
3915 Fix file id to always use the matched file id.
3916 File identifier rule options 'type' and 'ver' no longer accept
3917 arbitrary ASCII characters as valid arguments, only
3918 permitting [A-Za-z0-9_.] characters.
3919 Snort's 'file_type' rule option now checks for trailing comma (,)
3920 and pipe (|) separators and other typo-like mistakes.
3921
3922 * configure.in,
3923 src/active.c,
3924 src/active.h,
3925 src/decode.c,
3926 src/detection-plugins/detection_options.c,
3927 src/detection-plugins/sp_replace.c,
3928 src/dynamic-plugins/sf_dynamic_plugins.c,
3929 src/parser.c,
3930 src/parser.h,
3931 src/preprocessors/Stream6/snort_stream_tcp.c,
3932 src/preprocessors/normalize.c,
3933 src/preprocessors/normalize.h,
3934 src/preprocessors/perf-base.c,
3935 src/preprocessors/perf-base.h,
3936 src/preprocessors/spp_normalize.c,
3937 src/preprocessors/spp_normalize.h,
3938 src/preprocessors/spp_session.c,
3939 src/snort.c,
3940 src/snort.h:
3941 Added would-normalize normalization statistics for inline_test mode.
3942 Normalization behavior now enabled / configured using na_policy_mode.
3943 Fix typos in spp_normalize.c (Thanks to Gregory S Thomas for mentioning).
3944
3945 * doc/README.normalize, doc/snort_manual.pdf, doc/snort_manual.tex,
3946 src/preprocessors/normalize.c, src/preprocessors/perf-base.c,
3947 src/preprocessors/perf-base.h, src/preprocessors/spp_normalize.c,
3948 src/preprocessors/spp_normalize.h,
3949 src/preprocessors/Stream6/snort_stream_tcp.c:
3950 TCP normalization configurations have been split into more granular options.
3951 URP normalization is now ENABLED with the "urp" keyword instead of
3952 DISABLED. New performance monitor stats have been introduced for these
3953 changes.
3954
3955 * src/decode.h,
3956 src/detect.c,
3957 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
3958 src/preprocessors/Session/session_expect.c,
3959 src/preprocessors/Stream6/snort_stream_tcp.c,
3960 src/preprocessors/spp_stream6.c,
3961 src/preprocessors/stream_api.h:
3962 Changed priority of ftp-telnet reassembly to improve performance.
3963 Process end of file data correctly for ftp data channel.
3964
3965 * etc/file_magic.conf,
3966 src/sfutil/sf_email_attach_decode.c:
3967 File type UUENCODED is now all caps.
3968 Set file data pointer correctly after UU decoding ends.
3969
3970 * src/: dynamic-preprocessors/imap/imap_config.c,
3971 dynamic-preprocessors/pop/pop_config.c,
3972 dynamic-preprocessors/smtp/smtp_config.c,
3973 file-process/file_mime_config.c, file-process/file_mime_config.h:
3974 +0 and -0 are no longer valid values for decoding depth.
3975
3976 * src/dynamic-preprocessors/dnp3/spp_dnp3.c:
3977 Validate DNP3 packets before processing.
3978
3979 * src/: snort.c, snort.h, sfutil/intel-soft-cpm.c,
3980 sfutil/intel-soft-cpm.h:
3981 Fixed issues during reload.
3982
3983 * configure.in,
3984 doc/README.http_inspect,
3985 doc/snort_manual.pdf,
3986 doc/snort_manual.tex,
3987 etc/gen-msg.map,
3988 preproc_rules/preprocessor.rules,
3989 src/generators.h,
3990 src/preprocessors/HttpInspect/Makefile.am,
3991 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
3992 src/preprocessors/HttpInspect/files/Makefile.am,
3993 src/preprocessors/HttpInspect/files/file_decomp.c,
3994 src/preprocessors/HttpInspect/files/file_decomp_PDF.c,
3995 src/preprocessors/HttpInspect/files/file_decomp_SWF.c,
3996 src/preprocessors/HttpInspect/files/include/file_decomp.h,
3997 src/preprocessors/HttpInspect/files/include/file_decomp_PDF.h
3998 src/preprocessors/HttpInspect/include/Makefile.am,
3999 src/preprocessors/HttpInspect/include/file_decomp.h,
4000 src/preprocessors/HttpInspect/include/file_decomp_PDF.h,
4001 src/preprocessors/HttpInspect/include/file_decomp_SWF.h,
4002 src/preprocessors/HttpInspect/include/hi_eo_events.h,
4003 src/preprocessors/HttpInspect/include/hi_include.h,
4004 src/preprocessors/HttpInspect/include/hi_ui_config.h,
4005 src/preprocessors/HttpInspect/server/hi_server.cr,
4006 src/preprocessors/snort_httpinspect.c,
4007 src/preprocessors/snort_httpinspect.h,
4008 src/preprocessors/spp_httpinspect.c,
4009 src/util.c:
4010 Added ability for HttpInspect to decompress DEFLATE and LZMA encoded
4011 SWF content and DEFLATE encoded pdf content.
4012
4013 * src/preprocessors/spp_perfmonitor.c:
4014 Fixed race condition in perf monitor during reload.
4015
4016 * src/preprocessors/HttpInspect/client/hi_client.c,
4017 src/preprocessors/HttpInspect/include/hi_client.h,
4018 src/preprocessors/HttpInspect/include/hi_ui_config.h,
4019 src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
4020 src/preprocessors/snort_httpinspect.c:
4021 Added Enhanced XFF support to HttpInspect.
4022
4023 * src/profiler.c:
4024 Fixed duplicate profiler entries when using multiple policies.
4025
4026 * configure.in, src/Makefile.am, src/dump.c, src/dump.h,
4027 src/snort.c, src/control/sfcontrol.h, tools/control/Makefile.am,
4028 tools/control/README.snort_dump_packets_control,
4029 tools/control/sfcontrol.c, tools/control/snort_dump_packets.c:
4030 Added control socket command to dump packets.
4031
4032 * src/: preprocessors/snort_httpinspect.c,
4033 preprocessors/snort_httpinspect.h,
4034 preprocessors/HttpInspect/client/hi_client.c,
4035 preprocessors/HttpInspect/include/hi_ui_config.h,
4036 preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h,
4037 preprocessors/HttpInspect/session_inspection/hi_si.c,
4038 preprocessors/HttpInspect/user_interface/hi_ui_config.c,
4039 preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c,
4040 sfutil/util_jsnorm.c, sfutil/util_jsnorm.h:
4041 Removed dead max_pipeline and inspection_type configurations.
4042 Improved memory efficiency of unicode->ascii map.
4043 Expanded possible number of preprocessor alerts for HttpInspect from 31 to 63.
4044
4045 * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
4046 Fixed FindPiiRecursively to better handle partial matches.
4047
4048 * src/dynamic-preprocessors/sip/sip_parser.c:
4049 Fixed handling SDP when caller and callee have identical session
4050 ids.
4051
4052 * src/: dynamic-preprocessors/Makefile.am,
4053 dynamic-preprocessors/sip/sip_config.h,
4054 dynamic-preprocessors/sip/sip_dialog.c,
4055 dynamic-preprocessors/sip/spp_sip.h, preprocessors/Makefile.am,
4056 preprocessors/sip_common.h, preprocessors/spp_stream6.c,
4057 preprocessors/stream_api.h:
4058 Support better SIP parsing and call handling.
4059
4060 * Makefile.am,
4061 configure.in,
4062 doc/Makefile.am,
4063 doc/README,
4064 doc/README.frag3,
4065 doc/USAGE,
4066 doc/WISHLIST,
4067 doc/snort_manual.tex,
4068 dynamic-plugins/sf_dynamic_plugins.c,
4069 dynamic-plugins/sf_dynamic_preprocessor.h,
4070 dynamic-preprocessors/ftptelnet/ftpp_si.c,
4071 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
4072 dynamic-preprocessors/imap/snort_imap.c,
4073 dynamic-preprocessors/pop/snort_pop.c,
4074 dynamic-preprocessors/smtp/snort_smtp.c,
4075 dynamic-preprocessors/ssl_common/ssl_config.c,
4076 dynamic-preprocessors/ssl_common/ssl_include.h,
4077 dynamic-preprocessors/ssl_common/ssl_inspect.c,
4078 etc/Makefile.am,
4079 etc/gen-msg.map,
4080 libs/ssl_include.h,
4081 rpm/snort.spec,
4082 snort.8,
4083 src/Makefile.am,
4084 src/active.c,
4085 src/active.h,
4086 src/byte_extract.c,
4087 src/checksum.h,
4088 src/debug.c,
4089 src/decode.c,
4090 src/decode.h,
4091 src/detect.c,
4092 src/detect.h,
4093 src/detection-plugins/detection_options.c,
4094 src/detection-plugins/detection_options.h,
4095 src/detection-plugins/sp_asn1.c,
4096 src/detection-plugins/sp_asn1_detect.c,
4097 src/detection-plugins/sp_byte_check.c,
4098 src/detection-plugins/sp_byte_check.h,
4099 src/detection-plugins/sp_byte_jump.c,
4100 src/detection-plugins/sp_byte_jump.h,
4101 src/detection-plugins/sp_clientserver.c,
4102 src/detection-plugins/sp_clientserver.h,
4103 src/detection-plugins/sp_dsize_check.c,
4104 src/detection-plugins/sp_dsize_check.h,
4105 src/detection-plugins/sp_flowbits.c,
4106 src/detection-plugins/sp_flowbits.h,
4107 src/detection-plugins/sp_ftpbounce.c,
4108 src/detection-plugins/sp_ftpbounce.h,
4109 src/detection-plugins/sp_icmp_code_check.c,
4110 src/detection-plugins/sp_icmp_code_check.h,
4111 src/detection-plugins/sp_icmp_id_check.c,
4112 src/detection-plugins/sp_icmp_id_check.h,
4113 src/detection-plugins/sp_icmp_seq_check.c,
4114 src/detection-plugins/sp_icmp_seq_check.h,
4115 src/detection-plugins/sp_icmp_type_check.c,
4116 src/detection-plugins/sp_icmp_type_check.h,
4117 src/detection-plugins/sp_ip_fragbits.c,
4118 src/detection-plugins/sp_ip_fragbits.h,
4119 src/detection-plugins/sp_ip_id_check.c,
4120 src/detection-plugins/sp_ip_id_check.h,
4121 src/detection-plugins/sp_ip_proto.c,
4122 src/detection-plugins/sp_ip_proto.h,
4123 src/detection-plugins/sp_ip_same_check.c,
4124 src/detection-plugins/sp_ip_same_check.h,
4125 src/detection-plugins/sp_ip_tos_check.c,
4126 src/detection-plugins/sp_ip_tos_check.h,
4127 src/detection-plugins/sp_ipoption_check.c,
4128 src/detection-plugins/sp_ipoption_check.h,
4129 src/detection-plugins/sp_isdataat.c,
4130 src/detection-plugins/sp_isdataat.h,
4131 src/detection-plugins/sp_pattern_match.c,
4132 src/detection-plugins/sp_pattern_match.h,
4133 src/detection-plugins/sp_pcre.c,
4134 src/detection-plugins/sp_react.c,
4135 src/detection-plugins/sp_react.h,
4136 src/detection-plugins/sp_replace.c,
4137 src/detection-plugins/sp_replace.h,
4138 src/detection-plugins/sp_respond.h,
4139 src/detection-plugins/sp_respond3.c,
4140 src/detection-plugins/sp_rpc_check.c,
4141 src/detection-plugins/sp_rpc_check.h,
4142 src/detection-plugins/sp_session.c,
4143 src/detection-plugins/sp_session.h,
4144 src/detection-plugins/sp_tcp_ack_check.c,
4145 src/detection-plugins/sp_tcp_ack_check.h,
4146 src/detection-plugins/sp_tcp_flag_check.c,
4147 src/detection-plugins/sp_tcp_flag_check.h,
4148 src/detection-plugins/sp_tcp_seq_check.c,
4149 src/detection-plugins/sp_tcp_seq_check.h,
4150 src/detection-plugins/sp_tcp_win_check.c,
4151 src/detection-plugins/sp_tcp_win_check.h,
4152 src/detection-plugins/sp_ttl_check.c,
4153 src/detection-plugins/sp_ttl_check.h,
4154 src/detection_filter.c,
4155 src/detection_filter.h,
4156 src/detection_util.c,
4157 src/detection_util.h,
4158 src/dynamic-examples/Makefile.am,
4159 src/dynamic-plugins/sf_convert_dynamic.c,
4160 src/dynamic-plugins/sf_convert_dynamic.h,
4161 src/dynamic-plugins/sf_dynamic_plugins.c,
4162 src/dynamic-plugins/sf_dynamic_preprocessor.h,
4163 src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c,
4164 src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h,
4165 src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.c,
4166 src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.h,
4167 src/dynamic-plugins/sf_src/dynamic_plugins.c,
4168 src/dynamic-plugins/sf_src/dynamic_preprocessor.h,
4169 src/dynamic-plugins/sp_dynamic.c,
4170 src/dynamic-plugins/sp_dynamic.h,
4171 src/dynamic-plugins/sp_preprocopt.c,
4172 src/dynamic-plugins/sp_preprocopt.h,
4173 src/dynamic-preprocessors/Makefile.am,
4174 src/dynamic-preprocessors/ftptelnet/Makefile.am,
4175 src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
4176 src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
4177 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
4178 src/dynamic-preprocessors/ftptelnet/pp_telnet.c,
4179 src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
4180 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
4181 src/dynamic-preprocessors/imap/Makefile.am,
4182 src/dynamic-preprocessors/imap/imap_config.c,
4183 src/dynamic-preprocessors/imap/imap_config.h,
4184 src/dynamic-preprocessors/imap/imap_log.c,
4185 src/dynamic-preprocessors/imap/imap_log.h,
4186 src/dynamic-preprocessors/imap/imap_util.c,
4187 src/dynamic-preprocessors/imap/imap_util.h,
4188 src/dynamic-preprocessors/imap/sf_imap.dsp,
4189 src/dynamic-preprocessors/imap/snort_imap.c,
4190 src/dynamic-preprocessors/imap/snort_imap.h,
4191 src/dynamic-preprocessors/imap/spp_imap.c,
4192 src/dynamic-preprocessors/imap/spp_imap.h,
4193 src/dynamic-preprocessors/libs/Makefile.am,
4194 src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp,
4195 src/dynamic-preprocessors/libs/ssl.c,
4196 src/dynamic-preprocessors/libs/ssl.h,
4197 src/dynamic-preprocessors/libs/ssl_include.h,
4198 src/dynamic-preprocessors/pop/Makefile.am,
4199 src/dynamic-preprocessors/pop/pop_config.c,
4200 src/dynamic-preprocessors/pop/pop_config.h,
4201 src/dynamic-preprocessors/pop/pop_log.c,
4202 src/dynamic-preprocessors/pop/pop_log.h,
4203 src/dynamic-preprocessors/pop/pop_util.c,
4204 src/dynamic-preprocessors/pop/pop_util.h,
4205 src/dynamic-preprocessors/pop/sf_pop.dsp,
4206 src/dynamic-preprocessors/pop/snort_pop.c,
4207 src/dynamic-preprocessors/pop/snort_pop.h,
4208 src/dynamic-preprocessors/pop/spp_pop.c,
4209 src/dynamic-preprocessors/pop/spp_pop.h,
4210 src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c,
4211 src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h,
4212 src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
4213 src/dynamic-preprocessors/reputation/shmem/shmem_config.c,
4214 src/dynamic-preprocessors/reputation/shmem/shmem_config.h,
4215 src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
4216 src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
4217 src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
4218 src/dynamic-preprocessors/reputation/shmem/shmem_lib.h,
4219 src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
4220 src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
4221 src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
4222 src/dynamic-preprocessors/sip/sf_sip.dsp,
4223 src/dynamic-preprocessors/smtp/Makefile.am,
4224 src/dynamic-preprocessors/smtp/sf_smtp.dsp,
4225 src/dynamic-preprocessors/smtp/snort_smtp.c,
4226 src/dynamic-preprocessors/smtp/snort_smtp.h,
4227 src/dynamic-preprocessors/ssl/Makefile.am,
4228 src/dynamic-preprocessors/ssl/sf_ssl.dsp,
4229 src/dynamic-preprocessors/ssl_common/ssl.c,
4230 src/dynamic-preprocessors/ssl_common/ssl.h,
4231 src/dynamic-preprocessors/ssl_common/ssl_config.c,
4232 src/dynamic-preprocessors/ssl_common/ssl_config.h,
4233 src/dynamic-preprocessors/ssl_common/ssl_ha.c,
4234 src/dynamic-preprocessors/ssl_common/ssl_ha.h,
4235 src/dynamic-preprocessors/ssl_common/ssl_include.h,
4236 src/dynamic-preprocessors/ssl_common/ssl_inspect.c,
4237 src/dynamic-preprocessors/ssl_common/ssl_inspect.h,
4238 src/dynamic-preprocessors/ssl_common/ssl_session.h,
4239 src/encode.c,
4240 src/encode.h,
4241 src/event.h,
4242 src/event_queue.c,
4243 src/event_wrapper.c,
4244 src/fpcreate.c,
4245 src/fpcreate.h,
4246 src/fpdetect.c,
4247 src/fpdetect.h,
4248 src/generators.h,
4249 src/hashstring.c,
4250 src/hashstring.h,
4251 src/idle_processing.c,
4252 src/log.c,
4253 src/log.h,
4254 src/log_text.c,
4255 src/mempool.c,
4256 src/mempool.h,
4257 src/mstring.c,
4258 src/mstring.h,
4259 src/output-plugins/spo_alert_fast.c,
4260 src/output-plugins/spo_alert_fast.h,
4261 src/output-plugins/spo_alert_full.c,
4262 src/output-plugins/spo_alert_full.h,
4263 src/output-plugins/spo_alert_sf_socket.c,
4264 src/output-plugins/spo_alert_syslog.c,
4265 src/output-plugins/spo_alert_syslog.h,
4266 src/output-plugins/spo_alert_test.c,
4267 src/output-plugins/spo_alert_test.h,
4268 src/output-plugins/spo_alert_unixsock.c,
4269 src/output-plugins/spo_alert_unixsock.h,
4270 src/output-plugins/spo_csv.c,
4271 src/output-plugins/spo_csv.h,
4272 src/output-plugins/spo_log_ascii.c,
4273 src/output-plugins/spo_log_ascii.h,
4274 src/output-plugins/spo_log_null.c,
4275 src/output-plugins/spo_log_null.h,
4276 src/output-plugins/spo_log_tcpdump.c,
4277 src/output-plugins/spo_log_tcpdump.h,
4278 src/output-plugins/spo_unified2.h,
4279 src/packet_time.c,
4280 src/parser.c,
4281 src/parser.h,
4282 src/parser/IpAddrSet.c,
4283 src/parser/IpAddrSet.h,
4284 src/pcrm.c,
4285 src/pcrm.h,
4286 src/plugbase.c,
4287 src/plugbase.h,
4288 src/plugin_enum.h,
4289 src/ppm.c,
4290 src/preprocessors/HttpInspect/include/hi_client.h,
4291 src/preprocessors/HttpInspect/include/hi_paf.h,
4292 src/preprocessors/HttpInspect/utils/hi_paf.c,
4293 src/preprocessors/Session/stream5_ha.c,
4294 src/preprocessors/normalize.c,
4295 src/preprocessors/normalize.h,
4296 src/preprocessors/perf-base.c,
4297 src/preprocessors/perf-base.h,
4298 src/preprocessors/perf-event.c,
4299 src/preprocessors/perf-event.h,
4300 src/preprocessors/perf-flow.c,
4301 src/preprocessors/perf-flow.h,
4302 src/preprocessors/perf.c,
4303 src/preprocessors/perf.h,
4304 src/preprocessors/session_api.h
4305 src/preprocessors/sfprocpidstats.c,
4306 src/preprocessors/sfprocpidstats.h,
4307 src/preprocessors/spp_arpspoof.c,
4308 src/preprocessors/spp_arpspoof.h,
4309 src/preprocessors/spp_bo.c,
4310 src/preprocessors/spp_bo.h,
4311 src/preprocessors/spp_frag3.c,
4312 src/preprocessors/spp_frag3.h,
4313 src/preprocessors/spp_normalize.c,
4314 src/preprocessors/spp_normalize.h,
4315 src/preprocessors/spp_perfmonitor.c,
4316 src/preprocessors/spp_perfmonitor.h,
4317 src/preprocessors/spp_rpc_decode.c,
4318 src/preprocessors/spp_rpc_decode.h,
4319 src/preprocessors/spp_session.c,
4320 src/preprocessors/spp_stream5.c,
4321 src/preprocessors/spp_stream5.h,
4322 src/preprocessors/stream_api.c,
4323 src/preprocessors/stream_api.h,
4324 src/preprocessors/stream_expect.c,
4325 src/preprocessors/stream_expect.h,
4326 src/profiler.c,
4327 src/profiler.h,
4328 src/rate_filter.c,
4329 src/rate_filter.h,
4330 src/rules.h,
4331 src/sf_protocols.h,
4332 src/sf_sdlist.c,
4333 src/sf_sdlist.h,
4334 src/sf_sdlist_types.h,
4335 src/sfdaq.c,
4336 src/sfdaq.h,
4337 src/sfthreshold.c,
4338 src/sfutil/acsmx.c,
4339 src/sfutil/acsmx.h,
4340 src/sfutil/acsmx2.c,
4341 src/sfutil/bitop.h,
4342 src/sfutil/bitop_funcs.h,
4343 src/sfutil/getopt.h,
4344 src/sfutil/mpse.c,
4345 src/sfutil/mpse.h,
4346 src/sfutil/sf_email_attach_decode.c,
4347 src/sfutil/sf_email_attach_decode.h,
4348 src/sfutil/sf_ip.c,
4349 src/sfutil/sf_iph.c,
4350 src/sfutil/sf_sechash.c,
4351 src/sfutil/sf_sechash.h,
4352 src/sfutil/sha2.h,
4353 src/sfutil/util_jsnorm.c,
4354 src/sfutil/util_jsnorm.h,
4355 src/sfutil/util_unfold.c,
4356 src/sfutil/util_unfold.h,
4357 src/signature.h,
4358 src/snort.c,
4359 src/snort.h,
4360 src/snort_debug.h,
4361 src/spo_plugbase.h,
4362 src/tag.c,
4363 src/tag.h,
4364 src/util.c,
4365 src/util.h,
4366 src/win32/WIN32-Code/getopt.c,
4367 src/win32/WIN32-Code/inet_aton.c,
4368 src/win32/WIN32-Code/misc.c,
4369 src/win32/WIN32-Includes/config.h,
4370 src/win32/WIN32-Includes/getopt.h,
4371 src/win32/WIN32-Prj/snort_installer.nsi,
4372 ssl/ssl_setup.c,
4373 tools/control/sfcontrol.c:
4374 Refactor SSL code to make a library for state processing across
4375 non-native protocols that use SSL via STARTTLS. Update IMAP/POP/FTP/SSL
4376 preprocessors to use new SSL library, and activation of PAF for those
4377 protocols. Add ability to share basic state for SSL.
4378
4379 * configure.in,
4380 doc/README.session,
4381 doc/README.stream5,
4382 doc/snort_manual.pdf,
4383 doc/snort_manual.tex,
4384 dynamic-preprocessors/dns/spp_dns.c,
4385 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
4386 dynamic-preprocessors/gtp/spp_gtp.c,
4387 dynamic-preprocessors/imap/spp_imap.c,
4388 dynamic-preprocessors/modbus/spp_modbus.c,
4389 dynamic-preprocessors/pop/spp_pop.c,
4390 dynamic-preprocessors/sip/spp_sip.c,
4391 dynamic-preprocessors/smtp/spp_smtp.c,
4392 dynamic-preprocessors/ssh/spp_ssh.c,
4393 etc/sf_rule_options,
4394 preprocessors/Session/session_common.c,
4395 preprocessors/Session/session_common.h,
4396 preprocessors/Session/session_expect.c,
4397 preprocessors/Stream6/snort_stream_ip.c,
4398 preprocessors/Stream6/snort_stream_tcp.c,
4399 preprocessors/Stream6/snort_stream_tcp.h,
4400 preprocessors/Stream6/snort_stream_udp.c,
4401 preprocessors/Stream6/stream_common.h,
4402 preprocessors/session_api.h,
4403 preprocessors/snort_httpinspect.c,
4404 preprocessors/spp_rpc_decode.c,
4405 preprocessors/spp_session.c,
4406 preprocessors/spp_stream6.c,
4407 preprocessors/stream_api.h,
4408 preprocids.h,
4409 src/Makefile.am,
4410 src/active.c,
4411 src/active.h,
4412 src/build.h,
4413 src/detect.c,
4414 src/detect.h,
4415 src/detection-plugins/Makefile.am,
4416 src/detection-plugins/sp_clientserver.c,
4417 src/detection-plugins/sp_flowbits.c,
4418 src/detection-plugins/sp_pattern_match.c,
4419 src/detection-plugins/sp_pattern_match.h,
4420 src/dynamic-examples/Makefile.am,
4421 src/dynamic-examples/dynamic-preprocessor/spp_example.c,
4422 src/dynamic-output/plugins/output_lib.h,
4423 src/dynamic-output/plugins/output_plugin.c,
4424 src/dynamic-plugins/sf_convert_dynamic.c,
4425 src/dynamic-plugins/sf_dynamic_plugins.c,
4426 src/dynamic-plugins/sf_dynamic_preprocessor.h,
4427 src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
4428 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
4429 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
4430 src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
4431 src/dynamic-plugins/sp_preprocopt.c,
4432 src/dynamic-preprocessors/Makefile.am,
4433 src/dynamic-preprocessors/dcerpc2/dce2_cl.c,
4434 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
4435 src/dynamic-preprocessors/dcerpc2/dce2_config.h,
4436 src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
4437 src/dynamic-preprocessors/dcerpc2/dce2_roptions.c,
4438 src/dynamic-preprocessors/dcerpc2/dce2_session.h,
4439 src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
4440 src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
4441 src/dynamic-preprocessors/dcerpc2/snort_dce2.h,
4442 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
4443 src/dynamic-preprocessors/dnp3/dnp3_roptions.c,
4444 src/dynamic-preprocessors/dnp3/spp_dnp3.c,
4445 src/dynamic-preprocessors/dnp3/spp_dnp3.h,
4446 src/dynamic-preprocessors/dns/spp_dns.c,
4447 src/dynamic-preprocessors/dns/spp_dns.h,
4448 src/dynamic-preprocessors/file/file_agent.c,
4449 src/dynamic-preprocessors/file/file_event_log.c,
4450 src/dynamic-preprocessors/file/spp_file.c,
4451 src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
4452 src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
4453 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
4454 src/dynamic-preprocessors/ftptelnet/pp_telnet.c,
4455 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
4456 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
4457 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
4458 src/dynamic-preprocessors/gtp/gtp_roptions.c,
4459 src/dynamic-preprocessors/gtp/spp_gtp.c,
4460 src/dynamic-preprocessors/imap/imap_config.c,
4461 src/dynamic-preprocessors/imap/imap_config.h,
4462 src/dynamic-preprocessors/imap/sf_imap.dsp,
4463 src/dynamic-preprocessors/imap/snort_imap.c,
4464 src/dynamic-preprocessors/imap/snort_imap.h,
4465 src/dynamic-preprocessors/imap/spp_imap.c,
4466 src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp,
4467 src/dynamic-preprocessors/modbus/modbus_decode.c,
4468 src/dynamic-preprocessors/modbus/modbus_roptions.c,
4469 src/dynamic-preprocessors/modbus/spp_modbus.c,
4470 src/dynamic-preprocessors/modbus/spp_modbus.h,
4471 src/dynamic-preprocessors/pop/pop_config.c,
4472 src/dynamic-preprocessors/pop/pop_config.h,
4473 src/dynamic-preprocessors/pop/pop_util.c,
4474 src/dynamic-preprocessors/pop/sf_pop.dsp,
4475 src/dynamic-preprocessors/pop/snort_pop.c,
4476 src/dynamic-preprocessors/pop/snort_pop.h,
4477 src/dynamic-preprocessors/pop/spp_pop.c,
4478 src/dynamic-preprocessors/reputation/spp_reputation.c,
4479 src/dynamic-preprocessors/sdf/spp_sdf.c,
4480 src/dynamic-preprocessors/sip/sip_dialog.c,
4481 src/dynamic-preprocessors/sip/sip_roptions.c,
4482 src/dynamic-preprocessors/sip/spp_sip.c,
4483 src/dynamic-preprocessors/smtp/sf_smtp.dsp,
4484 src/dynamic-preprocessors/smtp/smtp_config.c,
4485 src/dynamic-preprocessors/smtp/smtp_config.h,
4486 src/dynamic-preprocessors/smtp/smtp_util.c,
4487 src/dynamic-preprocessors/smtp/snort_smtp.c,
4488 src/dynamic-preprocessors/smtp/spp_smtp.c,
4489 src/dynamic-preprocessors/ssh/spp_ssh.c,
4490 src/encode.c,
4491 src/encode.h,
4492 src/event_queue.c,
4493 src/event_wrapper.c,
4494 src/file-process/file_api.h,
4495 src/file-process/file_mime_process.c,
4496 src/file-process/file_mime_process.h,
4497 src/file-process/file_service.c,
4498 src/file-process/file_stats.c,
4499 src/file-process/libs/file_config.c,
4500 src/file-process/libs/file_config.h,
4501 src/fpcreate.c,
4502 src/fpdetect.c,
4503 src/generators.h,
4504 src/parser.c,
4505 src/parser.h,
4506 src/plugbase.c,
4507 src/plugbase.h,
4508 src/ppm.c,
4509 src/preprocessors/HttpInspect/include/hi_ui_config.h,
4510 src/preprocessors/HttpInspect/session_inspection/hi_si.c,
4511 src/preprocessors/Makefile.am,
4512 src/preprocessors/Session/Makefile.am,
4513 src/preprocessors/Session/session_common.c,
4514 src/preprocessors/Session/session_common.h,
4515 src/preprocessors/Session/session_expect.c,
4516 src/preprocessors/Session/session_expect.h,
4517 src/preprocessors/Session/snort_session.c,
4518 src/preprocessors/Session/snort_session.h,
4519 src/preprocessors/Session/stream5_ha.c,
4520 src/preprocessors/Session/stream5_ha.h,
4521 src/preprocessors/Stream6/Makefile.am,
4522 src/preprocessors/Stream6/snort_stream_icmp.c,
4523 src/preprocessors/Stream6/snort_stream_icmp.h,
4524 src/preprocessors/Stream6/snort_stream_ip.c,
4525 src/preprocessors/Stream6/snort_stream_ip.h,
4526 src/preprocessors/Stream6/snort_stream_tcp.c,
4527 src/preprocessors/Stream6/snort_stream_tcp.h,
4528 src/preprocessors/Stream6/snort_stream_udp.c,
4529 src/preprocessors/Stream6/snort_stream_udp.h,
4530 src/preprocessors/Stream6/stream_common.c,
4531 src/preprocessors/Stream6/stream_common.h,
4532 src/preprocessors/Stream6/stream_paf.c,
4533 src/preprocessors/Stream6/stream_paf.h,
4534 src/preprocessors/perf-base.c,
4535 src/preprocessors/portscan.c,
4536 src/preprocessors/session_api.c,
4537 src/preprocessors/session_api.h,
4538 src/preprocessors/snort_httpinspect.c,
4539 src/preprocessors/snort_httpinspect.h,
4540 src/preprocessors/spp_arpspoof.c,
4541 src/preprocessors/spp_bo.c,
4542 src/preprocessors/spp_frag3.c,
4543 src/preprocessors/spp_httpinspect.c,
4544 src/preprocessors/spp_normalize.c,
4545 src/preprocessors/spp_perfmonitor.c,
4546 src/preprocessors/spp_rpc_decode.c,
4547 src/preprocessors/spp_session.c,
4548 src/preprocessors/spp_session.h,
4549 src/preprocessors/spp_sfportscan.c,
4550 src/preprocessors/spp_stream5.c,
4551 src/preprocessors/spp_stream5.h,
4552 src/preprocessors/spp_stream6.c,
4553 src/preprocessors/spp_stream6.h,
4554 src/preprocessors/stream_api.h,
4555 src/preprocessors/stream_expect.c,
4556 src/preprocessors/stream_expect.h,
4557 src/preprocids.h,
4558 src/sf_sdlist.c,
4559 src/sf_sdlist.h,
4560 src/sfdaq.c,
4561 src/sfdaq.h,
4562 src/sfutil/sfPolicy.c,
4563 src/sfutil/sfPolicy.h,
4564 src/sfutil/sfPolicyData.h,
4565 src/sfutil/sfPolicyUserData.h,
4566 src/sfutil/sf_email_attach_decode.h,
4567 src/sfutil/sfrf.c,
4568 src/sfutil/sfthd.c,
4569 src/sfutil/test/sf_ip_test.c,
4570 src/snort.c,
4571 src/snort.h,
4572 src/target-based/sftarget_protocol_reference.c,
4573 src/target-based/sftarget_reader.c,
4574 src/target-based/sftarget_reader.h,
4575 src/util.c,
4576 src/win32/WIN32-Prj/snort.dsp,
4577 tools/Makefile.a:
4578 Split the session tracking and reassembly functionality of Stream5
4579 into new Session and Stream preprocessors.
4580
4581 * configure.in,
4582 doc/INSTALL,
4583 doc/Makefile.am,
4584 doc/README.appid,
4585 doc/snort_manual.tex,
4586 src/detect.c,
4587 src/detection-plugins/Makefile.am,
4588 src/detection-plugins/detection_options.c,
4589 src/detection-plugins/sp_appid.c,
4590 src/detection-plugins/sp_appid.h,
4591 src/dynamic-plugins/sf_dynamic_common.h,
4592 src/dynamic-plugins/sf_dynamic_define.h,
4593 src/dynamic-plugins/sf_dynamic_meta.h,
4594 src/dynamic-plugins/sf_dynamic_plugins.c,
4595 src/dynamic-plugins/sf_dynamic_preprocessor.h,
4596 src/dynamic-plugins/sf_engine/Makefile.am,
4597 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
4598 src/dynamic-preprocessors/Makefile.am,
4599 src/dynamic-preprocessors/Makefile.am,
4600 src/dynamic-preprocessors/appid/Makefile.am,
4601 src/dynamic-preprocessors/appid/appId.h,
4602 src/dynamic-preprocessors/appid/appIdConfig.c,
4603 src/dynamic-preprocessors/appid/appIdConfig.h,
4604 src/dynamic-preprocessors/appid/appIdStats.c,
4605 src/dynamic-preprocessors/appid/appIdStats.h,
4606 src/dynamic-preprocessors/appid/appInfoTable.c,
4607 src/dynamic-preprocessors/appid/appInfoTable.h,
4608 src/dynamic-preprocessors/appid/attribute.h,
4609 src/dynamic-preprocessors/appid/client_plugins/Makefile.am,
4610 src/dynamic-preprocessors/appid/client_plugins/client_app_aim.c,
4611 src/dynamic-preprocessors/appid/client_plugins/client_app_aim.h,
4612 src/dynamic-preprocessors/appid/client_plugins/client_app_api.h,
4613 src/dynamic-preprocessors/appid/client_plugins/client_app_base.c,
4614 src/dynamic-preprocessors/appid/client_plugins/client_app_base.h,
4615 src/dynamic-preprocessors/appid/client_plugins/client_app_bit.c,
4616 src/dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c,
4617 src/dynamic-preprocessors/appid/client_plugins/client_app_msn.c,
4618 src/dynamic-preprocessors/appid/client_plugins/client_app_msn.h,
4619 src/dynamic-preprocessors/appid/client_plugins/client_app_rtp.c,
4620 src/dynamic-preprocessors/appid/client_plugins/client_app_sip.c,
4621 src/dynamic-preprocessors/appid/client_plugins/client_app_sip.h,
4622 src/dynamic-preprocessors/appid/client_plugins/client_app_smtp.c,
4623 src/dynamic-preprocessors/appid/client_plugins/client_app_smtp.h,
4624 src/dynamic-preprocessors/appid/client_plugins/client_app_ssh.c,
4625 src/dynamic-preprocessors/appid/client_plugins/client_app_template.c,
4626 src/dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c,
4627 src/dynamic-preprocessors/appid/client_plugins/client_app_tns.c,
4628 src/dynamic-preprocessors/appid/client_plugins/client_app_vnc.c,
4629 src/dynamic-preprocessors/appid/client_plugins/client_app_ym.c,
4630 src/dynamic-preprocessors/appid/client_plugins/client_app_ym.h,
4631 src/dynamic-preprocessors/appid/commonAppMatcher.c,
4632 src/dynamic-preprocessors/appid/commonAppMatcher.h,
4633 src/dynamic-preprocessors/appid/detector_plugins/Makefile.am,
4634 src/dynamic-preprocessors/appid/detector_plugins/detector_api.h,
4635 src/dynamic-preprocessors/appid/detector_plugins/detector_base.c,
4636 src/dynamic-preprocessors/appid/detector_plugins/detector_base.h,
4637 src/dynamic-preprocessors/appid/detector_plugins/detector_http.c,
4638 src/dynamic-preprocessors/appid/detector_plugins/detector_http.h,
4639 src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c,
4640 src/dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c,
4641 src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c,
4642 src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c,
4643 src/dynamic-preprocessors/appid/detector_plugins/detector_sip.h,
4644 src/dynamic-preprocessors/appid/detector_plugins/http_url_patterns.c,
4645 src/dynamic-preprocessors/appid/detector_plugins/http_url_patterns.h,
4646 src/dynamic-preprocessors/appid/diffScript.sh,
4647 src/dynamic-preprocessors/appid/doxy_api.c,
4648 src/dynamic-preprocessors/appid/flow.c,
4649 src/dynamic-preprocessors/appid/flow.h,
4650 src/dynamic-preprocessors/appid/flow_error.h,
4651 src/dynamic-preprocessors/appid/fw_appid.c,
4652 src/dynamic-preprocessors/appid/fw_appid.h,
4653 src/dynamic-preprocessors/appid/hostPortAppCache.c,
4654 src/dynamic-preprocessors/appid/hostPortAppCache.h,
4655 src/dynamic-preprocessors/appid/host_tracker.h,
4656 src/dynamic-preprocessors/appid/httpCommon.h,
4657 src/dynamic-preprocessors/appid/luaDetectorApi.c,
4658 src/dynamic-preprocessors/appid/luaDetectorApi.h,
4659 src/dynamic-preprocessors/appid/luaDetectorFlowApi.c,
4660 src/dynamic-preprocessors/appid/luaDetectorFlowApi.h,
4661 src/dynamic-preprocessors/appid/luaDetectorModule.c,
4662 src/dynamic-preprocessors/appid/luaDetectorModule.h,
4663 src/dynamic-preprocessors/appid/rna_flow.h,
4664 src/dynamic-preprocessors/appid/service_plugins/Makefile.am,
4665 src/dynamic-preprocessors/appid/service_plugins/dcerpc.c,
4666 src/dynamic-preprocessors/appid/service_plugins/dcerpc.h,
4667 src/dynamic-preprocessors/appid/service_plugins/service_MDNS.c,
4668 src/dynamic-preprocessors/appid/service_plugins/service_MDNS.h,
4669 src/dynamic-preprocessors/appid/service_plugins/service_api.h,
4670 src/dynamic-preprocessors/appid/service_plugins/service_base.c,
4671 src/dynamic-preprocessors/appid/service_plugins/service_base.h,
4672 src/dynamic-preprocessors/appid/service_plugins/service_battle_field.c,
4673 src/dynamic-preprocessors/appid/service_plugins/service_battle_field.h,
4674 src/dynamic-preprocessors/appid/service_plugins/service_bgp.c,
4675 src/dynamic-preprocessors/appid/service_plugins/service_bgp.h,
4676 src/dynamic-preprocessors/appid/service_plugins/service_bit.c,
4677 src/dynamic-preprocessors/appid/service_plugins/service_bootp.c,
4678 src/dynamic-preprocessors/appid/service_plugins/service_bootp.h,
4679 src/dynamic-preprocessors/appid/service_plugins/service_dcerpc.c,
4680 src/dynamic-preprocessors/appid/service_plugins/service_dcerpc.h,
4681 src/dynamic-preprocessors/appid/service_plugins/service_direct_connect.c,
4682 src/dynamic-preprocessors/appid/service_plugins/service_direct_connect.h,
4683 src/dynamic-preprocessors/appid/service_plugins/service_dns.c,
4684 src/dynamic-preprocessors/appid/service_plugins/service_dns.h,
4685 src/dynamic-preprocessors/appid/service_plugins/service_flap.c,
4686 src/dynamic-preprocessors/appid/service_plugins/service_flap.h,
4687 src/dynamic-preprocessors/appid/service_plugins/service_ftp.c,
4688 src/dynamic-preprocessors/appid/service_plugins/service_ftp.h,
4689 src/dynamic-preprocessors/appid/service_plugins/service_irc.c,
4690 src/dynamic-preprocessors/appid/service_plugins/service_irc.h,
4691 src/dynamic-preprocessors/appid/service_plugins/service_lpr.c,
4692 src/dynamic-preprocessors/appid/service_plugins/service_lpr.h,
4693 src/dynamic-preprocessors/appid/service_plugins/service_mysql.c,
4694 src/dynamic-preprocessors/appid/service_plugins/service_mysql.h,
4695 src/dynamic-preprocessors/appid/service_plugins/service_netbios.c,
4696 src/dynamic-preprocessors/appid/service_plugins/service_netbios.h,
4697 src/dynamic-preprocessors/appid/service_plugins/service_nntp.c,
4698 src/dynamic-preprocessors/appid/service_plugins/service_nntp.h,
4699 src/dynamic-preprocessors/appid/service_plugins/service_ntp.c,
4700 src/dynamic-preprocessors/appid/service_plugins/service_ntp.h,
4701 src/dynamic-preprocessors/appid/service_plugins/service_pattern.c,
4702 src/dynamic-preprocessors/appid/service_plugins/service_pattern.h,
4703 src/dynamic-preprocessors/appid/service_plugins/service_radius.c,
4704 src/dynamic-preprocessors/appid/service_plugins/service_radius.h,
4705 src/dynamic-preprocessors/appid/service_plugins/service_rexec.c,
4706 src/dynamic-preprocessors/appid/service_plugins/service_rexec.h,
4707 src/dynamic-preprocessors/appid/service_plugins/service_rfb.c,
4708 src/dynamic-preprocessors/appid/service_plugins/service_rfb.h,
4709 src/dynamic-preprocessors/appid/service_plugins/service_rlogin.c,
4710 src/dynamic-preprocessors/appid/service_plugins/service_rlogin.h,
4711 src/dynamic-preprocessors/appid/service_plugins/service_rpc.c,
4712 src/dynamic-preprocessors/appid/service_plugins/service_rpc.h,
4713 src/dynamic-preprocessors/appid/service_plugins/service_rshell.c,
4714 src/dynamic-preprocessors/appid/service_plugins/service_rshell.h,
4715 src/dynamic-preprocessors/appid/service_plugins/service_rsync.c,
4716 src/dynamic-preprocessors/appid/service_plugins/service_rsync.h,
4717 src/dynamic-preprocessors/appid/service_plugins/service_sip.c,
4718 src/dynamic-preprocessors/appid/service_plugins/service_sip.h,
4719 src/dynamic-preprocessors/appid/service_plugins/service_smtp.c,
4720 src/dynamic-preprocessors/appid/service_plugins/service_smtp.h,
4721 src/dynamic-preprocessors/appid/service_plugins/service_snmp.c,
4722 src/dynamic-preprocessors/appid/service_plugins/service_snmp.h,
4723 src/dynamic-preprocessors/appid/service_plugins/service_ssh.c,
4724 src/dynamic-preprocessors/appid/service_plugins/service_ssh.h,
4725 src/dynamic-preprocessors/appid/service_plugins/service_ssl.c,
4726 src/dynamic-preprocessors/appid/service_plugins/service_ssl.h,
4727 src/dynamic-preprocessors/appid/service_plugins/service_telnet.c,
4728 src/dynamic-preprocessors/appid/service_plugins/service_telnet.h,
4729 src/dynamic-preprocessors/appid/service_plugins/service_template.c,
4730 src/dynamic-preprocessors/appid/service_plugins/service_tftp.c,
4731 src/dynamic-preprocessors/appid/service_plugins/service_tftp.h,
4732 src/dynamic-preprocessors/appid/service_plugins/service_timbuktu.c,
4733 src/dynamic-preprocessors/appid/service_plugins/service_tns.c,
4734 src/dynamic-preprocessors/appid/service_plugins/service_util.h,
4735 src/dynamic-preprocessors/appid/service_state.c,
4736 src/dynamic-preprocessors/appid/service_state.h,
4737 src/dynamic-preprocessors/appid/spp_appid.c,
4738 src/dynamic-preprocessors/appid/spp_appid.h,
4739 src/dynamic-preprocessors/appid/tools/u2openappid/Makefile.am,
4740 src/dynamic-preprocessors/appid/tools/u2streamer/Makefile.am,
4741 src/dynamic-preprocessors/appid/util/Makefile.am,
4742 src/dynamic-preprocessors/appid/util/OutputFile.c,
4743 src/dynamic-preprocessors/appid/util/OutputFile.h,
4744 src/dynamic-preprocessors/appid/util/acsmx.c,
4745 src/dynamic-preprocessors/appid/util/acsmx.h,
4746 src/dynamic-preprocessors/appid/util/acsmx2.c,
4747 src/dynamic-preprocessors/appid/util/acsmx2.h,
4748 src/dynamic-preprocessors/appid/util/bnfa_search.c,
4749 src/dynamic-preprocessors/appid/util/bnfa_search.h,
4750 src/dynamic-preprocessors/appid/util/common_util.h,
4751 src/dynamic-preprocessors/appid/util/fw_avltree.c,
4752 src/dynamic-preprocessors/appid/util/fw_avltree.h,
4753 src/dynamic-preprocessors/appid/util/ip_funcs.h,
4754 src/dynamic-preprocessors/appid/util/mpse.c,
4755 src/dynamic-preprocessors/appid/util/mpse.h,
4756 src/dynamic-preprocessors/appid/util/sf_error.h,
4757 src/dynamic-preprocessors/appid/util/sf_mlmp.c,
4758 src/dynamic-preprocessors/appid/util/sf_mlmp.h,
4759 src/dynamic-preprocessors/appid/util/sf_multi_mpse.c,
4760 src/dynamic-preprocessors/appid/util/sf_multi_mpse.h,
4761 src/dynamic-preprocessors/appid/util/sfghash.c,
4762 src/dynamic-preprocessors/appid/util/sfghash.h,
4763 src/dynamic-preprocessors/appid/util/sfhashfcn.c,
4764 src/dynamic-preprocessors/appid/util/sfhashfcn.h,
4765 src/dynamic-preprocessors/appid/util/sfksearch.c,
4766 src/dynamic-preprocessors/appid/util/sfksearch.h,
4767 src/dynamic-preprocessors/appid/util/sflsq.c,
4768 src/dynamic-preprocessors/appid/util/sflsq.h,
4769 src/dynamic-preprocessors/appid/util/sfmemcap.c,
4770 src/dynamic-preprocessors/appid/util/sfmemcap.h,
4771 src/dynamic-preprocessors/appid/util/sfutil.c,
4772 src/dynamic-preprocessors/appid/util/sfutil.h,
4773 src/dynamic-preprocessors/appid/util/sfxhash.c,
4774 src/dynamic-preprocessors/appid/util/sfxhash.h,
4775 src/dynamic-preprocessors/file/file_agent.c,
4776 src/dynamic-preprocessors/imap/spp_imap.c,
4777 src/event.h,
4778 src/event_wrapper.c,
4779 src/file-process/file_service.c,
4780 src/file-process/file_stats.c,
4781 src/file-process/file_stats.h,
4782 src/log.c,
4783 src/log.h,
4784 src/output-plugins/spo_alert_unixsock.c,
4785 src/output-plugins/spo_unified2.c,
4786 src/plugbase.c,
4787 src/plugin_enum.h,
4788 src/ppm.c,
4789 src/preprocessors/HttpInspect/client/hi_client.c,
4790 src/preprocessors/HttpInspect/include/hi_client.h,
4791 src/preprocessors/HttpInspect/include/hi_ui_config.h,
4792 src/preprocessors/HttpInspect/include/hi_util.h,
4793 src/preprocessors/HttpInspect/server/hi_server.c,
4794 src/preprocessors/perf-base.c,
4795 src/preprocessors/snort_httpinspect.c,
4796 src/preprocessors/spp_httpinspect.c,
4797 src/preprocessors/spp_sfportscan.c,
4798 src/preprocessors/spp_stream5.c,
4799 src/preprocessors/str_search.c,
4800 src/preprocessors/str_search.h,
4801 src/preprocessors/stream_api.h,
4802 src/preprocids.h,
4803 src/rule_option_types.h,
4804 src/sf_protocols.h,
4805 src/sfutil/Makefile.am,
4806 src/sfutil/Unified2_common.h,
4807 src/sfutil/acsmx.c,
4808 src/sfutil/acsmx2.c,
4809 src/sfutil/bnfa_search.c,
4810 src/sfutil/mpse.c,
4811 src/sfutil/mpse.h,
4812 src/sfutil/mpse_methods.h,
4813 src/sfutil/sfPolicy.h,
4814 src/sfutil/sf_ip.h,
4815 src/sfutil/sfdebug.h,
4816 src/sfutil/sfghash.c,
4817 src/sfutil/sfghash.h,
4818 src/sfutil/sfhashfcn.c,
4819 src/sfutil/sfksearch.c,
4820 src/sfutil/sflsq.c,
4821 src/sfutil/sflsq.h,
4822 src/sfutil/sfmemcap.c,
4823 src/sfutil/sfrt.h,
4824 src/sfutil/sfxhash.c,
4825 src/sfutil/sfxhash.h,
4826 src/signature.h,
4827 src/snort.c,
4828 src/snort.h,
4829 src/snort_debug.h,
4830 src/tag.c,
4831 src/target-based/sftarget_protocol_reference.c,
4832 src/target-based/sftarget_protocol_reference.h,
4833 src/util.c,
4834 tools/Makefile.am,
4835 tools/file_server/file_server.c,
4836 tools/u2openappid/Makefile.am,
4837 tools/u2openappid/u2openappid.c,
4838 tools/u2spewfoo/u2spewfoo.c,
4839 tools/u2spewfoo/u2spewfoo.c,
4840 tools/u2streamer/Makefile.am,
4841 tools/u2streamer/SpoolFileIterator.c,
4842 tools/u2streamer/SpoolFileIterator.h,
4843 tools/u2streamer/TimestampedFile.c,
4844 tools/u2streamer/TimestampedFile.h,
4845 tools/u2streamer/Unified2.c,
4846 tools/u2streamer/Unified2.h,
4847 tools/u2streamer/Unified2File.c,
4848 tools/u2streamer/Unified2File.h,
4849 tools/u2streamer/UnifiedLog.c,
4850 tools/u2streamer/UnifiedLog.h,
4851 tools/u2streamer/sf_error.c,
4852 tools/u2streamer/sf_error.h,
4853 src/dynamic-preprocessors/appid/util/common_util.c,
4854 tools/u2streamer/u2streamer.c:
4855 Improved support for AppID preprocessor.
4856 Removed Lua dependency in favor of LuaJIT.
4857 Fixed appid with Lua/LuaBitOp (no LuaJIT), support FreeBSD.
4858 Fixed OpenBSD, FreeBSD openAppId support. Removed support for Lua.
4859 Added metadata extraction to SSL for AppID. Changed some Lua API names.
4860 Refactored to use common data structures.
4861 Fixed return value checks for fseek(), strdup, malloc(), and stat()
4862 and removed deprecated library calls (Thanks to Bill Parker for
4863 reporting the issues).
4864
4865 2014-02-21 Steven Sturges <ssturges@sourcefire.com>
4866 * configure.in, src/detect.c, src/event.h, src/event_wrapper.c,
4867 src/log.c, src/log.h, src/plugbase.c, src/plugin_enum.h,
4868 src/ppm.c, src/preprocids.h, src/rule_option_types.h,
4869 src/sf_protocols.h, src/signature.h, src/snort.c, src/snort.h,
4870 src/snort_debug.h, src/tag.c, src/detection-plugins/Makefile.am,
4871 src/detection-plugins/detection_options.c,
4872 src/dynamic-plugins/sf_dynamic_common.h,
4873 src/dynamic-plugins/sf_dynamic_define.h,
4874 src/dynamic-plugins/sf_dynamic_meta.h,
4875 src/dynamic-plugins/sf_dynamic_plugins.c,
4876 src/dynamic-plugins/sf_dynamic_preprocessor.h,
4877 src/dynamic-plugins/sf_engine/Makefile.am,
4878 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
4879 src/dynamic-preprocessors/Makefile.am,
4880 src/output-plugins/spo_alert_unixsock.c,
4881 src/output-plugins/spo_unified2.c,
4882 src/preprocessors/snort_httpinspect.c,
4883 src/preprocessors/spp_httpinspect.c,
4884 src/preprocessors/spp_sfportscan.c,
4885 src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
4886 src/preprocessors/HttpInspect/client/hi_client.c,
4887 src/preprocessors/HttpInspect/include/hi_client.h,
4888 src/preprocessors/HttpInspect/include/hi_ui_config.h,
4889 src/preprocessors/HttpInspect/include/hi_util.h,
4890 src/preprocessors/HttpInspect/server/hi_server.c,
4891 src/preprocessors/Stream5/stream5_common.h,
4892 src/sfutil/Unified2_common.h, src/sfutil/sfPolicy.h,
4893 src/sfutil/sf_ip.h, src/sfutil/sfrt.h,
4894 src/target-based/sftarget_protocol_reference.c,
4895 src/target-based/sftarget_protocol_reference.h,
4896 tools/Makefile.am, tools/u2spewfoo/u2spewfoo.c,
4897 tools/: Makefile.am, u2spewfoo/u2spewfoo.c,
4898 u2openappid/Makefile.am, u2openappid/u2openappid.c,
4899 u2streamer/Makefile.am, u2streamer/SpoolFileIterator.c,
4900 u2streamer/SpoolFileIterator.h, u2streamer/TimestampedFile.c,
4901 u2streamer/TimestampedFile.h, u2streamer/Unified2.c,
4902 u2streamer/Unified2.h, u2streamer/Unified2File.c,
4903 u2streamer/Unified2File.h, u2streamer/UnifiedLog.c,
4904 u2streamer/UnifiedLog.h, u2streamer/sf_error.c,
4905 u2streamer/sf_error.h, u2streamer/u2streamer.c,
4906 src/dynamic-preprocessors/appid/: Makefile.am, appId.h,
4907 appIdConfig.c, appIdConfig.h, appIdStats.c, appIdStats.h,
4908 appInfoTable.c, appInfoTable.h, attribute.h, commonAppMatcher.c,
4909 commonAppMatcher.h, diffScript.sh, doxy_api.c, flow.c, flow.h,
4910 flow_error.h, fw_appid.c, fw_appid.h, hostPortAppCache.c,
4911 hostPortAppCache.h, host_tracker.h, httpCommon.h,
4912 luaDetectorApi.c, luaDetectorApi.h, luaDetectorFlowApi.c,
4913 luaDetectorFlowApi.h, luaDetectorModule.c, luaDetectorModule.h,
4914 rna_flow.h, service_state.c, service_state.h, spp_appid.c,
4915 spp_appid.h, detector_plugins/Makefile.am,
4916 detector_plugins/detector_api.h,
4917 detector_plugins/detector_base.c,
4918 detector_plugins/detector_base.h,
4919 detector_plugins/detector_imap.c,
4920 detector_plugins/detector_kerberos.c,
4921 detector_plugins/detector_pop3.c,
4922 detector_plugins/detector_http.c,
4923 detector_plugins/detector_http.h,
4924 detector_plugins/http_url_patterns.c,
4925 detector_plugins/http_url_patterns.h,
4926 util/Makefile.am, util/OutputFile.c, util/OutputFile.h,
4927 util/acsmx.c, util/acsmx.h, util/acsmx2.c, util/acsmx2.h,
4928 util/bnfa_search.c, util/bnfa_search.h, util/common_util.h,
4929 util/fw_avltree.c, util/fw_avltree.h, util/ip_funcs.h,
4930 util/mpse.c, util/mpse.h, util/sf_error.h, util/sf_mlmp.c,
4931 util/sf_mlmp.h, util/sf_multi_mpse.c, util/sf_multi_mpse.h,
4932 util/sfghash.c, util/sfghash.h, util/sfhashfcn.c,
4933 util/sfhashfcn.h, util/sfksearch.c, util/sfksearch.h,
4934 util/sflsq.c, util/sflsq.h, util/sfmemcap.c, util/sfmemcap.h,
4935 util/sfutil.c, util/sfutil.h, util/sfxhash.c, util/sfxhash.h,
4936 client_plugins/Makefile.am, client_plugins/client_app_aim.c,
4937 client_plugins/client_app_aim.h, client_plugins/client_app_api.h,
4938 client_plugins/client_app_base.c,
4939 client_plugins/client_app_base.h,
4940 client_plugins/client_app_bit.c,
4941 client_plugins/client_app_bit_tracker.c,
4942 client_plugins/client_app_msn.c, client_plugins/client_app_msn.h,
4943 client_plugins/client_app_rtp.c, client_plugins/client_app_sip.c,
4944 client_plugins/client_app_sip.h,
4945 client_plugins/client_app_smtp.c,
4946 client_plugins/client_app_smtp.h,
4947 client_plugins/client_app_ssh.c,
4948 client_plugins/client_app_template.c,
4949 client_plugins/client_app_timbuktu.c,
4950 client_plugins/client_app_tns.c, client_plugins/client_app_vnc.c,
4951 client_plugins/client_app_ym.c, client_plugins/client_app_ym.h,
4952 service_plugins/Makefile.am, service_plugins/dcerpc.c,
4953 service_plugins/dcerpc.h, service_plugins/service_MDNS.c,
4954 service_plugins/service_MDNS.h, service_plugins/service_api.h,
4955 service_plugins/service_base.c, service_plugins/service_base.h,
4956 service_plugins/service_battle_field.c,
4957 service_plugins/service_battle_field.h,
4958 service_plugins/service_bgp.c, service_plugins/service_bgp.h,
4959 service_plugins/service_bit.c, service_plugins/service_bootp.c,
4960 service_plugins/service_bootp.h,
4961 service_plugins/service_dcerpc.c,
4962 service_plugins/service_dcerpc.h,
4963 service_plugins/service_direct_connect.c,
4964 service_plugins/service_direct_connect.h,
4965 service_plugins/service_dns.c, service_plugins/service_dns.h,
4966 service_plugins/service_flap.c, service_plugins/service_flap.h,
4967 service_plugins/service_ftp.c, service_plugins/service_ftp.h,
4968 service_plugins/service_irc.c, service_plugins/service_irc.h,
4969 service_plugins/service_lpr.c, service_plugins/service_lpr.h,
4970 service_plugins/service_mysql.c, service_plugins/service_mysql.h,
4971 service_plugins/service_netbios.c,
4972 service_plugins/service_netbios.h,
4973 service_plugins/service_nntp.c, service_plugins/service_nntp.h,
4974 service_plugins/service_ntp.c, service_plugins/service_ntp.h,
4975 service_plugins/service_pattern.c,
4976 service_plugins/service_pattern.h,
4977 service_plugins/service_radius.c,
4978 service_plugins/service_radius.h,
4979 service_plugins/service_rexec.c, service_plugins/service_rexec.h,
4980 service_plugins/service_rfb.c, service_plugins/service_rfb.h,
4981 service_plugins/service_rlogin.c,
4982 service_plugins/service_rlogin.h, service_plugins/service_rpc.c,
4983 service_plugins/service_rpc.h, service_plugins/service_rshell.c,
4984 service_plugins/service_rshell.h,
4985 service_plugins/service_rsync.c, service_plugins/service_rsync.h,
4986 service_plugins/service_sip.c, service_plugins/service_sip.h,
4987 service_plugins/service_smtp.c, service_plugins/service_smtp.h,
4988 service_plugins/service_snmp.c, service_plugins/service_snmp.h,
4989 service_plugins/service_ssh.c, service_plugins/service_ssh.h,
4990 service_plugins/service_ssl.c, service_plugins/service_ssl.h,
4991 service_plugins/service_telnet.c,
4992 service_plugins/service_telnet.h,
4993 service_plugins/service_template.c,
4994 service_plugins/service_tftp.c, service_plugins/service_tftp.h,
4995 service_plugins/service_timbuktu.c,
4996 service_plugins/service_tns.c, service_plugins/service_util.h,
4997 src/detection-plugins/: sp_appid.c, sp_appid.h,
4998 doc/README.appid:
4999 New Open App ID feature to identify application protocol, client,
5000 server, and web application and be able to leverage that within
5001 Snort rules.
5002
5003 2014-02-19 Steven Sturges <ssturges@sourcefire.com>
5004 * doc/snort_manual.pdf, doc/snort_manual.tex, src/active.c,
5005 src/active.h, src/encode.h, src/detection-plugins/sp_react.c:
5006 Added Active_SendBigData to active.c for sending multi-packet react
5007 pages. Modified react.c to use Active_SendBigData to allow payload
5008 that spans a single TCP packet (1500+ bytes).
5009
5010 * src/: preprocessors/Stream5/snort_stream5_tcp.c,
5011 preprocessors/Stream5/stream5_paf.c,
5012 preprocessors/Stream5/stream5_paf.h,
5013 dynamic-preprocessors/pop/Makefile.am,
5014 dynamic-preprocessors/pop/pop_config.c,
5015 dynamic-preprocessors/pop/pop_config.h,
5016 dynamic-preprocessors/pop/pop_log.c,
5017 dynamic-preprocessors/pop/pop_log.h,
5018 dynamic-preprocessors/pop/pop_paf.c,
5019 dynamic-preprocessors/pop/pop_paf.h,
5020 dynamic-preprocessors/pop/pop_util.c,
5021 dynamic-preprocessors/pop/sf_pop.dsp,
5022 dynamic-preprocessors/pop/snort_pop.c,
5023 dynamic-preprocessors/pop/snort_pop.h,
5024 dynamic-preprocessors/pop/spp_pop.c,
5025 dynamic-preprocessors/smtp/Makefile.am,
5026 dynamic-preprocessors/smtp/sf_smtp.dsp,
5027 dynamic-preprocessors/smtp/smtp_config.c,
5028 dynamic-preprocessors/smtp/smtp_config.h,
5029 dynamic-preprocessors/smtp/smtp_log.c,
5030 dynamic-preprocessors/smtp/smtp_log.h,
5031 dynamic-preprocessors/smtp/smtp_paf.c,
5032 dynamic-preprocessors/smtp/smtp_paf.h,
5033 dynamic-preprocessors/smtp/smtp_util.c,
5034 dynamic-preprocessors/smtp/smtp_util.h,
5035 dynamic-preprocessors/smtp/snort_smtp.c,
5036 dynamic-preprocessors/smtp/snort_smtp.h,
5037 dynamic-preprocessors/smtp/spp_smtp.c, file-process/Makefile.am,
5038 file-process/file_api.h, file-process/file_mail_common.h,
5039 file-process/file_mime_config.c, file-process/file_mime_config.h,
5040 file-process/file_mime_process.c,
5041 file-process/file_mime_process.h, file-process/file_service.c,
5042 dynamic-preprocessors/imap/Makefile.am,
5043 dynamic-preprocessors/imap/imap_config.c,
5044 dynamic-preprocessors/imap/imap_config.h,
5045 dynamic-preprocessors/imap/imap_log.c,
5046 dynamic-preprocessors/imap/imap_log.h,
5047 dynamic-preprocessors/imap/imap_paf.c,
5048 dynamic-preprocessors/imap/imap_paf.h,
5049 dynamic-preprocessors/imap/imap_util.c,
5050 dynamic-preprocessors/imap/sf_imap.dsp,
5051 dynamic-preprocessors/imap/snort_imap.c,
5052 dynamic-preprocessors/imap/snort_imap.h,
5053 dynamic-preprocessors/imap/spp_imap.c,
5054 preprocessors/snort_httpinspect.c, preprocessors/stream_api.h,
5055 preprocessors/HttpInspect/include/hi_ui_config.h,
5056 sfutil/sf_email_attach_decode.h,
5057 dynamic-preprocessors/Makefile.am,
5058 dynamic-preprocessors/file/file_agent.c:
5059 add paf support to smtp/imap/pop protocols.
5060
5061 * src/dynamic-preprocessors/ssh/spp_ssh.c:
5062 count the max_client_bytes once the session is encrypted. Fix the
5063 ProcessSSHKeyExchange to parse server new keys
5064
5065 * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
5066 Fix ftp-data perfstats profiling.
5067
5068 * configure.in, src/decode.h, src/sfdaq.c, src/sfdaq.h,
5069 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
5070 src/dynamic-preprocessors/sip/sip_dialog.c,
5071 src/dynamic-preprocessors/ssh/spp_ssh.c,
5072 src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
5073 src/preprocessors/stream_expect.c,
5074 src/preprocessors/stream_expect.h:
5075 Add ability to specify details about dynamic protocols/data channels
5076 via DAQ.
5077
5078 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5079 Checked for existence of policy_id parameter on Stream5 TCP policy.
5080
5081 * src/preprocessors/perf-base.c:
5082 Ensure pkt_stats cannot go below zero
5083
5084 * etc/sf_rule_options, src/Makefile.am, src/fpcreate.c,
5085 src/parser.c, src/parser.h, src/snort.c, src/snort.h,
5086 src/detection-plugins/sp_pattern_match.c,
5087 src/detection-plugins/sp_pattern_match.h,
5088 src/dynamic-plugins/sf_convert_dynamic.c,
5089 src/dynamic-plugins/sf_dynamic_define.h,
5090 src/dynamic-plugins/sf_dynamic_meta.h,
5091 src/dynamic-plugins/sf_engine/Makefile.am,
5092 src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
5093 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
5094 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
5095 src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
5096 src/sfutil/Makefile.am, src/hashstring.c, src/hashstring.h,
5097 sfutil/sf_sechash.c, sfutil/sf_sechash.h,
5098 src/file-process/file_capture.c,
5099 src/file-process/file_resume_block.c,
5100 src/file-process/libs/Makefile.am,
5101 src/file-process/libs/file_lib.c, src/sfutil/Makefile.am,
5102 src/sfutil/md5.c, src/sfutil/md5.h, src/sfutil/sf_sechash.c,
5103 src/sfutil/sf_sechash.h, src/sfutil/sha2.c, src/sfutil/sha2.h,
5104 src/win32/WIN32-Prj/snort.dsp, configure.in,
5105 doc/snort_manual.pdf, doc/snort_manual.tex:
5106 Protected Rule Content feature. Updating the minor revision number for
5107 the engine API for shared library rules. Augmented the logic in configure.in
5108 to force the -lcrypto library to be included in the link. Added
5109 implementations of SHA2 and MD5 algorithms to Snort to allow use with older
5110 versions of OpenSSL.
5111
5112 * doc/: snort_manual.pdf, snort_manual.tex:
5113 Modified descriptions of urilen, dsize, and flags rule options.
5114
5115 * doc/snort_manual.pdf, doc/snort_manual.tex,
5116 src/sfutil/sfPolicy.c:
5117 Added check in binding mappings to prevent Snort from loading binding
5118 policy_ids > 4095, having it reject the configuration on load. Updated
5119 documentation to include config binding policy_id.
5120
5121 * src/preprocessors/spp_stream5.c:
5122 New minimum max_tcp sessions is now 2.
5123
5124 * src/: dynamic-preprocessors/ftptelnet/pp_ftp.c,
5125 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
5126 dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
5127 preprocessors/spp_stream5.c, preprocessors/stream_api.h,
5128 preprocessors/stream_expect.c, preprocessors/stream_expect.h:
5129 Change preprocessor order for when FTP data is handled.
5130
5131 * src/: dynamic-examples/dynamic-preprocessor/Makefile.am,
5132 dynamic-plugins/sf_engine/Makefile.am,
5133 dynamic-preprocessors/dcerpc2/Makefile.am,
5134 dynamic-preprocessors/dnp3/Makefile.am,
5135 dynamic-preprocessors/dns/Makefile.am,
5136 dynamic-preprocessors/file/Makefile.am,
5137 dynamic-preprocessors/ftptelnet/Makefile.am,
5138 dynamic-preprocessors/gtp/Makefile.am,
5139 dynamic-preprocessors/imap/Makefile.am,
5140 dynamic-preprocessors/modbus/Makefile.am,
5141 dynamic-preprocessors/pop/Makefile.am,
5142 dynamic-preprocessors/reputation/Makefile.am,
5143 dynamic-preprocessors/rzb_saac/Makefile.am,
5144 dynamic-preprocessors/sdf/Makefile.am,
5145 dynamic-preprocessors/sip/Makefile.am,
5146 dynamic-preprocessors/smtp/Makefile.am,
5147 dynamic-preprocessors/ssh/Makefile.am,
5148 dynamic-preprocessors/ssl/Makefile.am:
5149 Install libraries into user defined libdir. Thanks to cjgd7-facebook
5150 for reporting the issue.
5151
5152 * src/: detection-plugins/detection_options.c,
5153 detection-plugins/sp_pattern_match.c,
5154 detection-plugins/sp_pattern_match.h,
5155 dynamic-plugins/sf_convert_dynamic.c:
5156 Update 'within' rule limits to handle extraction of a 0
5157 via byte_extract.
5158
5159 * src/detection-plugins/: sp_byte_check.c, sp_byte_extract.h,
5160 sp_byte_jump.c, sp_isdataat.c, sp_pattern_match.c:
5161 Modified error outputs to include the specific offending rule option.
5162
5163 2013-12-30 Steven Sturges <ssturges@sourcefire.com>
5164 Snort 2.9.6.0
5165 * src/build.h:
5166 updating build number to 47
5167
5168 * doc/README.file, doc/README.file_ips,
5169 etc/file_magic.conf, etc/Makefile.am:
5170 Added file_magic.conf and fixed a few typos. Thanks to Joshua Kinard for
5171 pointing them out.
5172
5173 * doc/snort_manual.tex:
5174 Update snort team members
5175
5176 * src/detection-plugins/sp_file_type.h,
5177 src/dynamic-preprocessors/libs/sf_preproc_info.h,
5178 tools/file_server/file_server.c:
5179 Clean up copyright and attribution.
5180
5181 * src/dynamic-preprocessors/sdf/spp_sdf.c:
5182 Fix secondary check for reassembled packets.
5183
5184 * doc/: README.GTP, README.PerfProfiling, README.dcerpc2,
5185 README.file, README.frag3, README.ftptelnet, README.http_inspect,
5186 README.imap, README.multipleconfigs, README.normalize,
5187 README.pop, README.reload, README.reputation, README.rpc_decode,
5188 README.sfportscan, README.sip, README.unified2, USAGE, WISHLIST,
5189 snort_manual.pdf, snort_manual.tex, README.SMTP, README.counts,
5190 README.asn1, README.active, README, NEWS, INSTALL:
5191 Corrected typos in documentation. Thanks to Mahendra Ladhe for
5192 pointing out the mistakes and providing a patch.
5193
5194 * src/: file-process/file_capture.c,
5195 file-process/file_mime_process.c,
5196 dynamic-preprocessors/imap/snort_imap.c,
5197 dynamic-preprocessors/smtp/snort_smtp.c,
5198 dynamic-preprocessors/file/file_inspect_config.c,
5199 dynamic-preprocessors/pop/snort_pop.c,
5200 sfutil/sf_email_attach_decode.h:
5201 Enable detection on all file data
5202
5203 * src/sfutil/: sfxhash.c, sfxhash.h:
5204 Fix alignment of sfxhash node on sparc. Thanks to Markus Lude.
5205
5206 * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
5207 Identify EOF on single segment PDU transmissions.
5208
5209 * src/dynamic-preprocessors/dcerpc2/dce2_memory.c:
5210 Avoid checking memcap for DCE/RPC configuration data.
5211
5212 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5213 Tweak retransmit handling to ensure full right overlap condition holds
5214
5215 2013-11-22 Steven Sturges <ssturges@sourcefire.com>
5216 Snort 2.9.6.0.rc
5217
5218 * src/build.h: updating build number to 43
5219
5220 * configure.in, doc/README.ha, doc/snort_manual.pdf,
5221 doc/snort_manual.tex, doc/Makefile.am:
5222 Add Stream5 HA documentation and mark --enable-ha and
5223 --enable-side-channel as experimental.
5224
5225 * rpm/snort.spec:
5226 Install snort_control, u2boat, u2spewfoo from spec file.
5227 Thanks to Bradley Turnbough for mentioning it.
5228
5229 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5230 using sequence number overlapping to trigger retransmission
5231 handler. This fixed issue on file blocking.
5232
5233 * src/dynamic-preprocessors/: pop/pop_log.c, smtp/smtp_log.c,
5234 imap/imap_log.c:
5235 avoid mail decoding preprocessor alerts when they are not enabled
5236 in config.
5237
5238 * doc/snort_manual.tex,
5239 src/: active.c, active.h, decode.c, detect.c, fpdetect.c,
5240 detection-plugins/sp_react.c,
5241 dynamic-plugins/sf_dynamic_plugins.c,
5242 file-process/file_resume_block.c, file-process/file_service.c,
5243 output-plugins/spo_alert_fast.c, output-plugins/spo_unified2.c,
5244 preprocessors/spp_bo.c, preprocessors/spp_frag3.c,
5245 preprocessors/Stream5/snort_stream5_ip.c,
5246 preprocessors/Stream5/snort_stream5_tcp.c,
5247 preprocessors/Stream5/snort_stream5_udp.c:
5248 alerts get wdrop when active is suspended; code for cdrop is ready
5249 but disabled
5250
5251 * src/: file-process/file_api.h, file-process/file_resume_block.c,
5252 file-process/file_service.c, file-process/libs/file_lib.h,
5253 dynamic-preprocessors/file/file_agent.c:
5254 Add file id to file API callbacks to support multiple file contexts.
5255
5256 * preproc_rules/decoder.rules, src/decode.c, src/generators.h:
5257 Validate authentication headers. New decoder rules (116:465 and 116:466).
5258
5259 * doc/snort_manual.pdf, doc/snort_manual.tex,
5260 src/detection-plugins/sp_icmp_code_check.c:
5261 Added data validation checks to the icode rule option. The parser
5262 phase will now throw fatal errors for illegal values.
5263 Update manual to reflect the additional data validation.
5264
5265 * src/preprocessors/Stream5/: snort_stream5_ip.c,
5266 snort_stream5_udp.c:
5267 Force block for block rule in inline test mode.
5268
5269 * src/: dynamic-preprocessors/imap/snort_imap.c,
5270 dynamic-preprocessors/pop/snort_pop.c,
5271 dynamic-preprocessors/smtp/snort_smtp.c,
5272 preprocessors/stream_api.h,
5273 preprocessors/Stream5/snort_stream5_tcp.c:
5274 Don't put gaps in reassembled packets
5275
5276 * src/: preprocessors/Stream5/snort_stream5_session.c,
5277 side-channel/sidechannel.c:
5278 The global list in the session cache is ordered from MRU (head) to
5279 LRU (tail), so correctly walk backward rather than forward from the
5280 LRU looking for sessions to time out. Clean up compiler warning in
5281 Side Channel.
5282
5283 * src/file-process/: libs/file_lib.c, file_api.h, file_capture.c,
5284 file_service.c, file_service.h:
5285 Add multiple file contexts support for file API.
5286
5287 * src/: dynamic-preprocessors/ftptelnet/ftpp_si.c,
5288 dynamic-preprocessors/ftptelnet/ftpp_si.h,
5289 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
5290 dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
5291 preprocessors/Stream5/snort_stream5_tcp.c:
5292 Add EndOfFile stream event callback. Remove EOF logic from
5293 FTP/Preprocessor in lieu of new callback.
5294
5295 * src/: file-process/file_service.c,
5296 file-process/file_service_config.c,
5297 file-process/file_service_config.h, snort.c:
5298 make sure file configuration is initialized during reload.
5299
5300 2013-10-18 Hui Cao <hcao@sourcefire.com>
5301 Snort 2.9.6.0.beta
5302 * doc/: Makefile.am, README.file, README.file_ips:
5303 Add readme for experimental file type ips rule keywords.
5304
5305 * src/detection-plugins/sp_icmp_code_check.c:
5306 Allow a negative value in the ICMP icode x<>y range check. This
5307 permits the rule to include a check for zero
5308
5309 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5310 Disable detection when the TCP connection was already closed.
5311
5312 * src/: dynamic-preprocessors/ftptelnet/ftpp_si.h,
5313 dynamic-preprocessors/ftptelnet/pp_ftp.c,
5314 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
5315 file-process/file_api.h:
5316 Fix FTP-Data file processing.
5317
5318 * src/snort_bounds.h:
5319 Avoid assertion for zero size memory copy
5320
5321 * src/: dynamic-plugins/sf_dynamic_plugins.c,
5322 detection-plugins/sp_react.c:
5323 Only inject response page when session is established.
5324
5325 * src/dynamic-preprocessors/smtp/smtp_log.h,
5326 src/dynamic-preprocessors/smtp/snort_smtp.c,
5327 src/dynamic-preprocessors/smtp/snort_smtp.h,
5328 preproc_rules/preprocessor.rules, etc/gen-msg.map:
5329 Add a new preprocessor alert to detect Cyrus SASL authentication
5330 attack.
5331
5332 * src/dynamic-preprocessors/ssh/spp_ssh.c:
5333 Set_reassembly to ABSOLUTE only if the traffic is SSH.
5334 Statefully process ssh version/ssh key exchange
5335 init/key exchange and/or encrypted data within a single
5336 reassembled packet. Thanks to Florian Westphal for reporting this.
5337
5338 * src/file-process/file_mime_process.c:
5339 For IMAP, the MIME and message will be inside fetch
5340 body, which will end at ")".
5341
5342 * src/: dynamic-preprocessors/dns/spp_dns.c,
5343 dynamic-preprocessors/ssh/spp_ssh.c,
5344 Change preprocessor reassembly policy; Changed SSH preprocessor state
5345 transition based on the dir rather than both.
5346
5347 * src/: preprocessors/Stream5/snort_stream5_tcp.c:
5348 Ignore the gap when turning on reassembly dynamically on the very
5349 first packet of the session.
5350
5351 * src/dynamic-preprocessors/dnp3/spp_dnp3.c:
5352 Fix the incorrect mempool warnings. Thanks to Bram for reporting this
5353
5354 * doc/snort_manual.pdf, doc/snort_manual.tex, configure.in,
5355 src/snort.c, src/util.c:
5356 Trim freed memory before and after configuration reload.
5357
5358 * src/: dynamic-preprocessors/imap/snort_imap.c,
5359 dynamic-preprocessors/pop/snort_pop.c,
5360 dynamic-preprocessors/smtp/snort_smtp.c,
5361 file-process/file_mime_process.c,
5362 sfutil/sf_email_attach_decode.c:
5363 Allow 7bit decoding of binary file attachments.
5364
5365 * src/dynamic-preprocessors/sdf/: spp_sdf.c, spp_sdf.h:
5366 Avoid partial rule tree match during reload.
5367
5368 * src/tag.c:
5369 Fix boundary check error so that the global tagged packet limit
5370 doesn't allow an extra tag.
5371
5372 * src/: file-process/file_mime_process.h, file-process/file_api.h,
5373 file-process/file_mime_process.c, file-process/file_service.c,
5374 dynamic-preprocessors/imap/snort_imap.c,
5375 dynamic-preprocessors/imap/spp_imap.c,
5376 dynamic-preprocessors/smtp/snort_smtp.c,
5377 dynamic-preprocessors/pop/snort_pop.c,
5378 dynamic-preprocessors/pop/spp_pop.c:
5379 Add simple PAF support for POP and IMAP.
5380
5381 * src/: util.c, util.h, sfutil/sf_ip.c, sfutil/sf_ip.h: Bugs
5382 Add sfip_convert_ip_text_to_binary() to enforce platform agnostic
5383 IPv4 syntax. Make sure xatou(), xatol(), and xatoup() return values
5384 within specified range
5385
5386 * doc/snort_manual.tex:
5387 Update the document to include the '<=' and '>=' operators to
5388 the byte_test command
5389
5390 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5391 Make sure INTERNAL_EVENT_SESSION_ADD event only in the
5392 ESTABLISHED state.
5393
5394 * src/sfutil/sf_email_attach_decode.c:
5395 Check the QP encoding string is valid to avoid decoding end of line
5396 incorrectly.
5397
5398 * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
5399 Tweak config output to correspond to config input.
5400 Thanks to Reinoud Koornstra for the suggestion.
5401
5402 * src/preprocessors/Stream5/: snort_stream5_icmp.c,
5403 snort_stream5_ip.c, snort_stream5_tcp.c, snort_stream5_udp.c:
5404 dynamic-preprocessors/pop/snort_pop.c,
5405 dynamic-preprocessors/smtp/snort_smtp.c,
5406 dynamic-preprocessors/ssl/spp_ssl.c,
5407 encode.c, dynamic-preprocessors/dcerpc2/dce2_cl.c,
5408 dynamic-preprocessors/dcerpc2/dce2_session.h,
5409 dynamic-preprocessors/dcerpc2/snort_dce2.c,
5410 dynamic-preprocessors/dns/spp_dns.c,
5411 dynamic-preprocessors/imap/snort_imap.c:
5412 preprocessors/spp_rpc_decode.c, preprocessors/spp_stream5.c,
5413 preprocessors/stream_api.h, preprocessors/stream_expect.c:
5414 Handle out of order SSL handshake in SMTP.
5415 Thanks to Bram for reporting this.
5416
5417 * src/preprocessors/perf-base.c:
5418 Update the header printed at top of now file.
5419
5420 * src/preprocessors/perf-base.c:
5421 Change name of stat from Blocked Packets to Block Verdicts.
5422
5423 * src/preprocessors/Stream5/snort_stream5_session.c:
5424 Time out a session when the session timeout is reached instead of waiting for
5425 session nominal timeout.
5426
5427 * configure.in, src/plugbase.c, src/rule_option_types.h,
5428 src/snort.c, src/detection-plugins/Makefile.am,
5429 src/detection-plugins/: sp_file_type.c, sp_file_type.h,
5430 src/detection-plugins/detection_options.c,
5431 src/dynamic-preprocessors/Makefile.am,
5432 src/file-process/Makefile.am, src/file-process/file_api.h,
5433 src/file-process/file_service.c,
5434 src/file-process/file_service_config.c,
5435 src/file-process/file_service_config.h,
5436 src/file-process/libs/Makefile.am,
5437 src/file-process/libs/file_config.c,
5438 src/file-process/libs/file_config.h,
5439 src/file-process/libs/file_lib.c,
5440 src/file-process/libs/file_lib.h,
5441 src/preprocessors/spp_stream5.c, tools/Makefile.am,
5442 doc/: README.file, README.file_ips, Makefile.am:
5443 File inspection keywords for IPS rules.
5444
5445 * src/dynamic-preprocessors/sdf/: sdf_pattern_match.c,
5446 sdf_pattern_match.h, spp_sdf.c, spp_sdf.h:
5447 Add stateful pattern match of sdf patterns across packets.
5448
5449 * mkinstalldirs, doc/snort_manual.tex, src/detect.c,
5450 src/detection_util.h, src/fpdetect.c, src/parser.c, src/tag.c,
5451 src/tag.h, src/target-based/sf_attribute_table.y,
5452 tools/u2spewfoo/u2spewfoo.c:
5453 Support single session capture via tag rule option.
5454 Log all packets to the same place as original alert.
5455 Enable tagging on pass rules.
5456
5457 * src/: dynamic-preprocessors/imap/snort_imap.c,
5458 dynamic-preprocessors/imap/snort_imap.h,
5459 dynamic-preprocessors/pop/snort_pop.c,
5460 dynamic-preprocessors/pop/snort_pop.h,
5461 dynamic-preprocessors/smtp/snort_smtp.c,
5462 dynamic-preprocessors/smtp/snort_smtp.h, file-process/file_api.h,
5463 file-process/file_mime_process.c, preprocessors/str_search.c,
5464 preprocessors/str_search.h, sfutil/bnfa_search.c:
5465 Add Stateful mime boundary search when split between packets.
5466
5467 * src/preprocessors/HttpInspect/client/hi_client.c:
5468 Change the uri search to start from method end instead of the start
5469 of payload.
5470
5471 * configure.in, doc/README.file, doc/snort_manual.pdf,
5472 src/parser.c, src/preprocids.h, src/snort.c, src/util.c,
5473 src/detection-plugins/.cvsignore,
5474 src/dynamic-examples/Makefile.am,
5475 src/dynamic-plugins/sf_engine/.cvsignore,
5476 src/dynamic-preprocessors/Makefile.am,
5477 src/dynamic-preprocessors/file/Makefile.am,
5478 src/dynamic-preprocessors/file/file_agent.c,
5479 src/dynamic-preprocessors/file/file_agent.h,
5480 src/dynamic-preprocessors/file/file_event_log.c,
5481 src/dynamic-preprocessors/file/file_event_log.h,
5482 src/dynamic-preprocessors/file/file_inspect_config.c,
5483 src/dynamic-preprocessors/file/file_inspect_config.h,
5484 src/dynamic-preprocessors/file/file_sha.c,
5485 src/dynamic-preprocessors/file/file_sha.h,
5486 src/dynamic-preprocessors/file/sf_file.dsp,
5487 src/dynamic-preprocessors/file/spp_file.c,
5488 src/dynamic-preprocessors/file/spp_file.h,
5489 src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
5490 src/file-process/Makefile.am, src/file-process/circular_buffer.c,
5491 src/file-process/circular_buffer.h, src/file-process/file_api.h,
5492 src/file-process/file_capture.c, src/file-process/file_capture.h,
5493 src/file-process/file_mempool.c, src/file-process/file_mempool.h,
5494 src/file-process/file_resume_block.c,
5495 src/file-process/file_service.c, src/file-process/file_service.h,
5496 src/file-process/file_service_config.c,
5497 src/file-process/file_service_config.h,
5498 src/file-process/file_stats.c, src/file-process/file_stats.h,
5499 src/file-process/libs/file_config.c,
5500 src/file-process/libs/file_config.h,
5501 src/file-process/libs/file_identifier.c,
5502 src/file-process/libs/file_identifier.h,
5503 src/file-process/libs/file_lib.c,
5504 src/file-process/libs/file_lib.h,
5505 src/file-process/libs/file_sha256.h, tools/Makefile.am,
5506 tools/file_server/Makefile.am,
5507 tools/file_server/README.file_server,
5508 tools/file_server/file_server.c:
5509 Add file capture feature and introduce file inspect preprocessor
5510
5511 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5512 Parse error if there are missing direction specifiers.
5513 Thanks to Bram Fabeg for the report.
5514
5515 * src/ipv6_port.h:
5516 Remove duplicate macro for GET_ORIG_IPH_PROTO.
5517
5518 * doc/: README.decode, README.gre, README.mpls, snort_manual.pdf,
5519 snort_manual.tex:
5520 Update manual and other docs related to tunneling.
5521 Thanks to Jason Poley for noting it.
5522
5523 * src/parser.c:
5524 Not so silently skip duplicate service metadata.
5525
5526 * src/: log.c, mempool.c, parser.c, snort.c, util.c,
5527 detection-plugins/sp_ip_tos_check.c,
5528 detection-plugins/sp_pattern_match.c,
5529 detection-plugins/sp_replace.c, detection-plugins/sp_session.c,
5530 detection-plugins/sp_tcp_win_check.c,
5531 dynamic-preprocessors/dns/spp_dns.c,
5532 dynamic-preprocessors/ftptelnet/pp_ftp.c,
5533 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
5534 dynamic-preprocessors/sdf/sdf_pattern_match.c,
5535 output-plugins/spo_log_ascii.c, output-plugins/spo_log_tcpdump.c,
5536 preprocessors/HttpInspect/utils/hi_paf.c,
5537 preprocessors/Stream5/snort_stream5_tcp.c:
5538 Replace obsolete bzero and index calls. Credits to Bill Parker
5539
5540 * src/dynamic-preprocessors/: smtp/snort_smtp.c, ssl/spp_ssl.c,
5541 libs/ssl.c, libs/ssl.h:
5542 Check for SSL type only when the SSL handshake is not complete.
5543 Don't check for type in SSL data.
5544 Thanks to Bram Fabeg for reporting this.
5545
5546 * src/preprocessors/: HttpInspect/server/hi_server.c,
5547 HttpInspect/server/hi_server_norm.c, Stream5/snort_stream5_tcp.c:
5548 Only check charset bom once per response body;
5549 Only set charset once per charset=
5550
5551 * src/profiler.c:
5552 Fix issue when reading pcaps from command line and using multiple
5553 policies and --pcap-reset.
5554
5555 * src/detection-plugins/detection_options.c:
5556 Don't count RTN perf time in OTN perf time.
5557 Credits to Reinoud for reporting this.
5558
5559 * doc/README.flowbits:
5560 Fix typo in flowbits isnotset examples
5561
5562 * src/snort.c, src/snort.h, src/util.c, snort.8,
5563 doc/snort_manual.pdf, doc/snort_manual.tex:
5564 Add a command line switch --no-interface-pidfile to snort.
5565
5566 * src/preprocessors/: spp_stream5.c, Stream5/stream5_common.h:
5567 Updated Stream's exit stats to use 'filtered' instead of dropped.
5568
5569 * src/: detection_util.h, dynamic-preprocessors/sip/spp_sip.c:
5570 Don't set sip/http buffers to null
5571
5572 * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
5573 Return mismatch if requested http buffer was not set
5574
5575 * src/snort.c: Bugs Fixed:
5576 Capture packet data for sigabrt and sigbus
5577
5578 * doc/README.dcerpc2, doc/snort_manual.pdf, doc/snort_manual.tex,
5579 etc/gen-msg.map, preproc_rules/preprocessor.rules, src/active.c,
5580 src/active.h, src/encode.c, src/encode.h, src/generators.h,
5581 src/dynamic-plugins/sf_dynamic_plugins.c,
5582 src/dynamic-plugins/sf_dynamic_preprocessor.h,
5583 src/dynamic-preprocessors/dcerpc2/dce2_co.c,
5584 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
5585 src/dynamic-preprocessors/dcerpc2/dce2_config.h,
5586 src/dynamic-preprocessors/dcerpc2/dce2_event.c,
5587 src/dynamic-preprocessors/dcerpc2/dce2_event.h,
5588 src/dynamic-preprocessors/dcerpc2/dce2_memory.c,
5589 src/dynamic-preprocessors/dcerpc2/dce2_memory.h,
5590 src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
5591 src/dynamic-preprocessors/dcerpc2/dce2_smb.h,
5592 src/dynamic-preprocessors/dcerpc2/dce2_stats.h,
5593 src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
5594 src/dynamic-preprocessors/dcerpc2/snort_dce2.h,
5595 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
5596 src/dynamic-preprocessors/dcerpc2/spp_dce2.h,
5597 src/dynamic-preprocessors/dcerpc2/includes/smb.h,
5598 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
5599 src/dynamic-preprocessors/imap/snort_imap.c,
5600 src/dynamic-preprocessors/pop/snort_pop.c,
5601 src/dynamic-preprocessors/smtp/snort_smtp.c,
5602 src/file-process/file_api.h,
5603 src/file-process/file_mime_process.c,
5604 src/file-process/file_service.c,
5605 src/file-process/libs/file_identifier.c,
5606 src/file-process/libs/file_identifier.h,
5607 src/file-process/libs/file_lib.c,
5608 src/file-process/libs/file_lib.h,
5609 src/preprocessors/snort_httpinspect.c,
5610 src/preprocessors/Stream5/snort_stream5_tcp.c:
5611 Add SMB file support
5612
5613 2013-10-18 Steven Sturges <ssturges@sourcefire.com>
5614 Snort 2.9.5.6
5615 * src/build.h:
5616 updating build number to 208
5617
5618 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5619 add NULL check for preprocessors that check for PAF before
5620 they check for any actual tcp session
5621
5622 * src/detection-plugins/: sp_byte_check.c, sp_byte_jump.c,
5623 sp_isdataat.c, sp_pattern_match.c:
5624 Test if the byte extracted distance and/or offset is within
5625 bounds of the search buffer. Thanks to Nathan Fowler for
5626 noting the issue.
5627
5628 * src/preprocessors/HttpInspect/client/hi_client.c:
5629 clear cookie normalization buffer to avoid accidental null
5630 dereference in pipelined request. Thanks to Michael Galapchuk
5631 for reporting the problem.
5632
5633 2013-09-02 Steven Sturges <ssturges@sourcefire.com>
5634 Snort 2.9.5.5
5635 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5636 disable all detection (not just content-base) for packets on previously
5637 blocked sessions
5638
5639 * src/preprocessors/perf.c:
5640 Write perfmon entry when both packet count and time conditions are met,
5641 rather than waiting for a multiple of the packet count after the time is
5642 reached.
5643
5644 * src/dynamic-preprocessors/smtp/snort_smtp.c:
5645 Stop inspection of the entire session when TLS data is present with
5646 ignore_tls_data enabled in SMTP - Check for midstream pickups and
5647 gaps when we miss server hello, and stop inspection as soon as we get
5648 client hello when ignore_tls_data is turned on
5649
5650 * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
5651 changed pcre relative match with HTTP buffers to be not allowed in .so
5652 rules (same as in text rules)
5653
5654 2013-07-03 Steven Sturges <ssturges@sourcefire.com>
5655 Snort 2.9.5.3
5656 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5657 Fixed handling of partial segment purging. Thanks to Lode Mertens
5658 for reporting the issue.
5659
5660 * configure.in, src/active.c, src/decode.c, src/decode.h,
5661 src/detect.c, src/detection_util.c, src/detection_util.h,
5662 src/encode.c, src/encode.h, src/fpcreate.c, src/fpdetect.c,
5663 src/log_text.c, src/parser.c, src/plugbase.c, src/ppm.c,
5664 src/ppm.h, src/profiler.c, src/snort.c, src/util.c, src/util.h,
5665 src/detection-plugins/detection_options.c,
5666 src/detection-plugins/sp_byte_check.c,
5667 src/detection-plugins/sp_ftpbounce.c,
5668 src/detection-plugins/sp_pattern_match.c,
5669 src/detection-plugins/sp_pattern_match.h,
5670 src/detection-plugins/sp_pcre.c, src/detection-plugins/sp_pcre.h,
5671 src/detection-plugins/sp_replace.c,
5672 src/detection-plugins/sp_rpc_check.c,
5673 src/detection-plugins/sp_urilen_check.c,
5674 src/dynamic-examples/dynamic-preprocessor/spp_example.c,
5675 src/dynamic-plugins/sf_convert_dynamic.c,
5676 src/dynamic-plugins/sf_dynamic_common.h,
5677 src/dynamic-plugins/sf_dynamic_define.h,
5678 src/dynamic-plugins/sf_dynamic_engine.h,
5679 src/dynamic-plugins/sf_dynamic_meta.h,
5680 src/dynamic-plugins/sf_dynamic_plugins.c,
5681 src/dynamic-plugins/sf_dynamic_preprocessor.h,
5682 src/dynamic-plugins/sp_dynamic.c,
5683 src/dynamic-plugins/sf_engine/Makefile.am,
5684 src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
5685 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
5686 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
5687 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
5688 src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
5689 src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
5690 src/dynamic-plugins/sf_engine/examples/bug26266.c,
5691 src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
5692 src/dynamic-plugins/sf_engine/examples/fake_snort.c,
5693 src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.c,
5694 src/dynamic-preprocessors/dcerpc2/dce2_http.h,
5695 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
5696 src/dynamic-preprocessors/dnp3/spp_dnp3.c,
5697 src/dynamic-preprocessors/dns/spp_dns.c,
5698 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
5699 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
5700 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
5701 src/dynamic-preprocessors/gtp/spp_gtp.c,
5702 src/dynamic-preprocessors/imap/snort_imap.c,
5703 src/dynamic-preprocessors/imap/spp_imap.c,
5704 src/dynamic-preprocessors/isakmp/spp_isakmp.c,
5705 src/dynamic-preprocessors/modbus/spp_modbus.c,
5706 src/dynamic-preprocessors/pop/snort_pop.c,
5707 src/dynamic-preprocessors/pop/spp_pop.c,
5708 src/dynamic-preprocessors/reputation/reputation_config.h,
5709 src/dynamic-preprocessors/reputation/spp_reputation.c,
5710 src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c,
5711 src/dynamic-preprocessors/sdf/spp_sdf.c,
5712 src/dynamic-preprocessors/sip/sip_dialog.c,
5713 src/dynamic-preprocessors/sip/sip_parser.c,
5714 src/dynamic-preprocessors/sip/spp_sip.c,
5715 src/dynamic-preprocessors/smtp/spp_smtp.c,
5716 src/dynamic-preprocessors/ssh/spp_ssh.c,
5717 src/dynamic-preprocessors/ssl/spp_ssl.c,
5718 src/file-process/file_service.c,
5719 src/file-process/libs/file_config.c,
5720 src/output-plugins/spo_unified2.c, src/preprocessors/portscan.c,
5721 src/preprocessors/snort_httpinspect.c,
5722 src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_bo.c,
5723 src/preprocessors/spp_frag3.c,
5724 src/preprocessors/spp_httpinspect.c,
5725 src/preprocessors/spp_perfmonitor.c,
5726 src/preprocessors/spp_rpc_decode.c,
5727 src/preprocessors/spp_sfportscan.c,
5728 src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
5729 src/preprocessors/HttpInspect/client/hi_client.c,
5730 src/preprocessors/HttpInspect/normalization/hi_norm.c,
5731 src/preprocessors/Stream5/snort_stream5_tcp.c,
5732 src/preprocessors/Stream5/snort_stream5_udp.c,
5733 src/preprocessors/Stream5/stream5_common.h, src/sfutil/sf_iph.c,
5734 src/sfutil/sf_iph.h, src/sfutil/test/unit_hacks.c:
5735 Performance improvements and other refactorings. Notable changes
5736 include: improved HTTP buffer implementation and replaced run-time
5737 packet checks with assertions.
5738
5739 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5740 Ensure proper counting of sessions initializing.
5741
5742 * doc/Makefile.am, doc/faq.pdf, doc/faq.tex:
5743 Remove Snort FAQ from source package since it's now live on the web.
5744
5745 * src/preprocessors/: spp_stream5.c, stream_expect.c,
5746 stream_expect.h:
5747 Add a memcap to expected session tracking.
5748
5749 * src/sfutil/sfrt_flat.c:
5750 Check for memory allocation failure in both IPV4 and IPV6 tables.
5751
5752 * src/control/sfcontrol.c:
5753 Do not timeout during shutdown and fix stop processing code in the
5754 control socket thread. Add the thread to the list before creation
5755 of the thread to prevent a race condition.
5756
5757 2013-06-04 Steven Sturges <ssturges@sourcefire.com>
5758 Snort 2.9.5
5759 * src/: snort.c, preprocessors/spp_stream5.c:
5760 when block rules fire during shutdown, log them as alert instead
5761 of drop
5762
5763 * src/: active.c, active.h,
5764 preprocessors/Stream5/snort_stream5_session.c:
5765 don't allow blocks or actions from pruned sessions (unrelated to
5766 current packet)
5767
5768 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5769 don't generate 129:1 in syn-sent
5770
5771 * src/preprocessors/Stream5/: snort_stream5_tcp.c,
5772 snort_stream5_udp.c, stream5_common.h:
5773 don't apply window or mss on midstream pickups
5774 remove unused flags
5775 eliminate read-mode check when determining window
5776
5777 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5778 don't reassemble on the tracked whitelisted flows
5779 fix sequence number validation on ack to zero window syn+ack
5780 fix timestamp tracking to use window base instead of next expected
5781
5782 * src/preprocessors/spp_stream5.c:
5783 when stream5 disables inspection, ensure non-content rules are not run
5784
5785 * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
5786 When removing a pipe tracker, NULL out static request tracker's
5787 pipe tracker for pipe tracker that was dynamically allocated.
5788
5789 * src/file-process/libs/file_identifier.c:
5790 Update some comments and avoid adding the same file magic
5791
5792 * src/preprocessors/: spp_stream5.c, stream_api.h,
5793 Stream5/snort_stream5_tcp.c:
5794 swap client/server on midstream pickup if we identify server by service
5795 using client port
5796
5797 * src/file-process/libs/file_identifier.c:
5798 Remove the code that parent file type might overwrite child file type.
5799
5800 * preproc_rules/preprocessor.rules, src/generators.h,
5801 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
5802 src/preprocessors/HttpInspect/include/hi_eo_events.h,
5803 src/preprocessors/HttpInspect/utils/hi_paf.c,
5804 src/preprocessors/Stream5/snort_stream5_tcp.c:
5805 HTTP PAF abort improvements
5806
5807 * doc/: README.frag3, snort_manual.pdf, snort_manual.tex:
5808 Added config event_trace description to Snort manual. Removed
5809 commas from Frag3 example configurations, thanks to Nicholas
5810 Horton for mentioning this.
5811
5812 * src/: dynamic-preprocessors/reputation/reputation_config.c,
5813 sfutil/sfrt_flat.c, sfutil/sfrt_flat.h, sfutil/sfrt_flat_dir.c:
5814 Copy reputation info from another list when a duplicate address is
5815 inserted.
5816
5817 * src/dynamic-preprocessors/smtp/snort_smtp.c:
5818 Fix issue when SMTP BDAT command specifies 0 length.
5819
5820 * src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c:
5821 Don't sort the manifest file.
5822
5823 * src/: snort.h, util.c:
5824 Fix FatalError to actually exit when initializing in the failopen
5825 thread.
5826
5827 * src/dynamic-preprocessors/reputation/reputation_config.c:
5828 Update to use more accurate ip list file parsing and validation.
5829
5830 * src/: active.h, snort.c, dynamic-plugins/sf_dynamic_plugins.c,
5831 preprocessors/spp_stream5.c, preprocessors/stream_api.h,
5832 preprocessors/Stream5/snort_stream5_tcp.c:
5833 ensure that force blocks persist
5834
5835 * src/dynamic-preprocessors/reputation/shmem/: shmem_config.c,
5836 shmem_config.h, shmem_datamgmt.c, shmem_datamgmt.h, shmem_mgmt.c:
5837 Refactor/cleanup of shared memory, data management logic.
5838
5839 * src/: dynamic-examples/dynamic-rule/detection_lib_meta.h,
5840 dynamic-plugins/sf_dynamic_meta.h,
5841 dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
5842 preprocessors/spp_stream5.c, preprocessors/stream_api.h:
5843 Add a stream API function to populate a session key given a packet.
5844 Also, export REQ_ENGINE_LIB_MAJOR and REQ_ENGINE_LIB_MINOR from snort
5845
5846 * src/preprocessors/Stream5/snort_stream5_tcp.c:
5847 allow stream5 to track whitelisted sessions
5848
5849 * src/: snort.c, dynamic-preprocessors/dnp3/spp_dnp3.c,
5850 preprocessors/Stream5/snort_stream5_tcp.c,
5851 preprocessors/Stream5/stream5_paf.c, sfutil/sfPolicy.c,
5852 sfutil/sfPolicy.h:
5853 disable config by vlan or net selection if -DPOLICY_BY_ID_ONLY
5854
5855 * src/: snort.c, snort.h, dynamic-preprocessors/smtp/spp_smtp.c,
5856 preprocessors/Stream5/stream5_ha.c,
5857 preprocessors/Stream5/stream5_ha.h, win32/WIN32-Code/misc.c,
5858 win32/WIN32-Includes/config.h, win32/WIN32-Prj/snort.dsp:
5859 don't compile pcap reload for Win, add function for ffs() which
5860 is not defined in windows.
5861
5862 * src/preprocessors/snort_httpinspect.c:
5863 Support large file processing in post raw data (not in MIME format)
5864
5865 * src/: decode.c, decode.h, fpcreate.c, fpdetect.c, parser.c,
5866 parser.h, plugbase.c, plugbase.h, rate_filter.c, rate_filter.h,
5867 sfthreshold.c, sfthreshold.h, snort.c, snort.h, spo_plugbase.h,
5868 util.c, util.h, control/sfcontrol.c, control/sfcontrol.h,
5869 detection-plugins/detection_options.c,
5870 detection-plugins/detection_options.h,
5871 detection-plugins/sp_asn1.c, detection-plugins/sp_base64_data.c,
5872 detection-plugins/sp_base64_decode.c,
5873 detection-plugins/sp_byte_check.c,
5874 detection-plugins/sp_byte_extract.c,
5875 detection-plugins/sp_byte_jump.c,
5876 detection-plugins/sp_clientserver.c, detection-plugins/sp_cvs.c,
5877 detection-plugins/sp_dsize_check.c,
5878 detection-plugins/sp_file_data.c,
5879 detection-plugins/sp_flowbits.c,
5880 detection-plugins/sp_ftpbounce.c,
5881 detection-plugins/sp_icmp_code_check.c,
5882 detection-plugins/sp_icmp_id_check.c,
5883 detection-plugins/sp_icmp_seq_check.c,
5884 detection-plugins/sp_icmp_type_check.c,
5885 detection-plugins/sp_ip_fragbits.c,
5886 detection-plugins/sp_ip_id_check.c,
5887 detection-plugins/sp_ip_proto.c,
5888 detection-plugins/sp_ip_same_check.c,
5889 detection-plugins/sp_ip_tos_check.c,
5890 detection-plugins/sp_ipoption_check.c,
5891 detection-plugins/sp_isdataat.c,
5892 detection-plugins/sp_pattern_match.c,
5893 detection-plugins/sp_pattern_match.h,
5894 detection-plugins/sp_pcre.c, detection-plugins/sp_pcre.h,
5895 detection-plugins/sp_pkt_data.c, detection-plugins/sp_react.c,
5896 detection-plugins/sp_replace.c, detection-plugins/sp_replace.h,
5897 detection-plugins/sp_respond3.c,
5898 detection-plugins/sp_rpc_check.c, detection-plugins/sp_session.c,
5899 detection-plugins/sp_tcp_ack_check.c,
5900 detection-plugins/sp_tcp_flag_check.c,
5901 detection-plugins/sp_tcp_seq_check.c,
5902 detection-plugins/sp_tcp_win_check.c,
5903 detection-plugins/sp_ttl_check.c,
5904 detection-plugins/sp_urilen_check.c,
5905 dynamic-examples/dynamic-preprocessor/sf_preproc_info.h,
5906 dynamic-examples/dynamic-preprocessor/spp_example.c,
5907 dynamic-examples/dynamic-rule/detection_lib_meta.h,
5908 dynamic-output/libs/output_lib.c,
5909 dynamic-output/plugins/output_api.h,
5910 dynamic-output/plugins/output_common.h,
5911 dynamic-output/plugins/output_lib.h,
5912 dynamic-output/plugins/output_plugin.c,
5913 dynamic-plugins/sf_convert_dynamic.c,
5914 dynamic-plugins/sf_convert_dynamic.h,
5915 dynamic-plugins/sf_dynamic_detection.h,
5916 dynamic-plugins/sf_dynamic_engine.h,
5917 dynamic-plugins/sf_dynamic_plugins.c,
5918 dynamic-plugins/sf_dynamic_preprocessor.h,
5919 dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h,
5920 dynamic-plugins/sp_preprocopt.c, dynamic-plugins/sp_preprocopt.h,
5921 dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
5922 dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
5923 dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
5924 dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
5925 dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
5926 dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c,
5927 dynamic-plugins/sf_preproc_example/sf_preproc_info.h,
5928 dynamic-preprocessors/dcerpc2/dce2_config.c,
5929 dynamic-preprocessors/dcerpc2/dce2_config.h,
5930 dynamic-preprocessors/dcerpc2/dce2_paf.c,
5931 dynamic-preprocessors/dcerpc2/dce2_paf.h,
5932 dynamic-preprocessors/dcerpc2/dce2_roptions.c,
5933 dynamic-preprocessors/dcerpc2/dce2_roptions.h,
5934 dynamic-preprocessors/dcerpc2/snort_dce2.c,
5935 dynamic-preprocessors/dcerpc2/spp_dce2.c,
5936 dynamic-preprocessors/dnp3/dnp3_paf.c,
5937 dynamic-preprocessors/dnp3/dnp3_paf.h,
5938 dynamic-preprocessors/dnp3/dnp3_roptions.c,
5939 dynamic-preprocessors/dnp3/dnp3_roptions.h,
5940 dynamic-preprocessors/dnp3/spp_dnp3.c,
5941 dynamic-preprocessors/dns/spp_dns.c,
5942 dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c,
5943 dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h,
5944 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
5945 dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
5946 dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
5947 dynamic-preprocessors/gtp/gtp_roptions.c,
5948 dynamic-preprocessors/gtp/gtp_roptions.h,
5949 dynamic-preprocessors/gtp/spp_gtp.c,
5950 dynamic-preprocessors/imap/imap_config.h,
5951 dynamic-preprocessors/imap/snort_imap.c,
5952 dynamic-preprocessors/imap/spp_imap.c,
5953 dynamic-preprocessors/modbus/modbus_paf.c,
5954 dynamic-preprocessors/modbus/modbus_paf.h,
5955 dynamic-preprocessors/modbus/modbus_roptions.c,
5956 dynamic-preprocessors/modbus/modbus_roptions.h,
5957 dynamic-preprocessors/modbus/spp_modbus.c,
5958 dynamic-preprocessors/pop/snort_pop.c,
5959 dynamic-preprocessors/pop/spp_pop.c,
5960 dynamic-preprocessors/reputation/reputation_config.c,
5961 dynamic-preprocessors/reputation/reputation_config.h,
5962 dynamic-preprocessors/reputation/spp_reputation.c,
5963 dynamic-preprocessors/reputation/shmem/shmem_common.h,
5964 dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
5965 dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
5966 dynamic-preprocessors/sdf/sdf_detection_option.c,
5967 dynamic-preprocessors/sdf/sdf_detection_option.h,
5968 dynamic-preprocessors/sdf/spp_sdf.c,
5969 dynamic-preprocessors/sdf/spp_sdf.h,
5970 dynamic-preprocessors/sip/sip_roptions.c,
5971 dynamic-preprocessors/sip/sip_roptions.h,
5972 dynamic-preprocessors/sip/spp_sip.c,
5973 dynamic-preprocessors/sip/spp_sip.h,
5974 dynamic-preprocessors/smtp/smtp_config.c,
5975 dynamic-preprocessors/smtp/snort_smtp.c,
5976 dynamic-preprocessors/smtp/spp_smtp.c,
5977 dynamic-preprocessors/ssh/spp_ssh.c,
5978 dynamic-preprocessors/ssl/spp_ssl.c, file-process/file_service.c,
5979 output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c,
5980 output-plugins/spo_alert_sf_socket.c,
5981 output-plugins/spo_alert_syslog.c,
5982 output-plugins/spo_alert_test.c,
5983 output-plugins/spo_alert_unixsock.c, output-plugins/spo_csv.c,
5984 output-plugins/spo_log_ascii.c, output-plugins/spo_log_null.c,
5985 output-plugins/spo_log_tcpdump.c, output-plugins/spo_unified2.c,
5986 parser/IpAddrSet.c, parser/IpAddrSet.h, preprocessors/portscan.c,
5987 preprocessors/portscan.h, preprocessors/spp_arpspoof.c,
5988 preprocessors/spp_bo.c, preprocessors/spp_frag3.c,
5989 preprocessors/spp_httpinspect.c, preprocessors/spp_normalize.c,
5990 preprocessors/spp_perfmonitor.c, preprocessors/spp_rpc_decode.c,
5991 preprocessors/spp_sfportscan.c, preprocessors/spp_stream5.c,
5992 preprocessors/stream_api.h,
5993 preprocessors/HttpInspect/include/hi_paf.h,
5994 preprocessors/HttpInspect/include/hi_ui_server_lookup.h,
5995 preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c,
5996 preprocessors/HttpInspect/utils/hi_paf.c,
5997 preprocessors/Stream5/snort_stream5_session.h,
5998 preprocessors/Stream5/snort_stream5_tcp.c,
5999 preprocessors/Stream5/snort_stream5_tcp.h,
6000 preprocessors/Stream5/snort_stream5_udp.c,
6001 preprocessors/Stream5/snort_stream5_udp.h,
6002 preprocessors/Stream5/stream5_common.c,
6003 preprocessors/Stream5/stream5_common.h,
6004 preprocessors/Stream5/stream5_ha.c,
6005 preprocessors/Stream5/stream5_ha.h,
6006 preprocessors/Stream5/stream5_paf.c,
6007 preprocessors/Stream5/stream5_paf.h, sfutil/Makefile.am,
6008 sfutil/acsmx.c, sfutil/acsmx.h, sfutil/acsmx2.c, sfutil/acsmx2.h,
6009 sfutil/bnfa_search.c, sfutil/bnfa_search.h,
6010 sfutil/intel-soft-cpm.c, sfutil/intel-soft-cpm.h, sfutil/mpse.c,
6011 sfutil/mpse.h, sfutil/sfPolicy.c, sfutil/sfPolicy.h,
6012 sfutil/sfPolicyData.h, sfutil/sfPolicyUserData.c,
6013 sfutil/sfPolicyUserData.h, sfutil/sfksearch.c,
6014 sfutil/sfksearch.h, sfutil/sfrf.c, sfutil/sfrf.h, sfutil/sfrt.c,
6015 sfutil/sfrt.h, sfutil/sfthd.c, sfutil/sfthd.h,
6016 sfutil/test/sfrf_test.c, sfutil/test/sfthd_test.c,
6017 sfutil/test/unit_hacks.c, sfutil/test/unit_hacks.h,
6018 target-based/sftarget_reader.c, target-based/sftarget_reader.h:
6019 Add a control channel command that reloads the snort configuration. If
6020 a restart is needed, the command will return an error and the new
6021 configuration will be freed. Using this can replace the HUP signal,
6022 which does not have a means of feedback to the user.
6023
6024 * preproc_rules/preprocessor.rules, src/generators.h,
6025 src/dynamic-preprocessors/imap/imap_log.c,
6026 src/dynamic-preprocessors/imap/imap_log.h,
6027 src/dynamic-preprocessors/pop/pop_log.c,
6028 src/dynamic-preprocessors/pop/pop_log.h,
6029 src/dynamic-preprocessors/smtp/smtp_log.c,
6030 src/dynamic-preprocessors/smtp/smtp_log.h,
6031 doc/README.imap, doc/README.pop:
6032 Removed the decoding failure alert for bitencoded/non-encoded
6033 attachments since it was invalid as we don't decode these attachments.
6034
6035 * src/preprocessors/spp_frag3.c:
6036 Continue to track fragments if rebuilt packet caused a drop.
6037
6038 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6039 Fixed POST_SESSION_CLEANUP() macro to not log messages when Stream5
6040 is configured with "prune_log_max 0". Thanks to Gregory S Thomas
6041 for pointing out the issue.
6042
6043 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6044 Skip MAC address verification on packets being routed by a DAQ Module.
6045
6046 * src/: decode.c, parser.c:
6047 Disallow rule-type decode rules with a sid that exceeds
6048 DECODE_INDEX_MAX.
6049
6050 * src/decode.c:
6051 Fixed MPLS header length check. Credits to Jacob Baines for the
6052 find.
6053
6054 * src/fpdetect.c:
6055 When decoding Teredo and the inner IPv6 doesn't have any payload,
6056 reset do_detect_content to ensure content matches are checked when
6057 evaluating rules against the outer IPv4 'payload'. Thanks to Yun
6058 Zheng Hu & L0rd Ch0de1m0rt for reporting the issue & crafting
6059 traffic to reproduce.
6060
6061 * doc/snort_manual.tex:
6062 Add reference 'msb' to the list of valid ones in the Snort manual.
6063
6064 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6065 flush and free application data on receipt of TCP RST in the
6066 close-wait state
6067
6068 * src/: snort.c, preprocessors/spp_stream5.c,
6069 preprocessors/stream_api.h, preprocessors/stream_expect.c,
6070 preprocessors/Stream5/snort_stream5_icmp.c,
6071 preprocessors/Stream5/snort_stream5_ip.c,
6072 preprocessors/Stream5/snort_stream5_session.c,
6073 preprocessors/Stream5/snort_stream5_tcp.c,
6074 preprocessors/Stream5/snort_stream5_tcp.h,
6075 preprocessors/Stream5/snort_stream5_udp.c,
6076 preprocessors/Stream5/snort_stream5_udp.h,
6077 preprocessors/Stream5/stream5_common.c,
6078 preprocessors/Stream5/stream5_common.h,
6079 preprocessors/Stream5/stream5_ha.c,
6080 preprocessors/Stream5/stream5_ha.h, side-channel/Makefile.am,
6081 side-channel/dmq.c, side-channel/dmq.h, side-channel/rbmq.c,
6082 side-channel/rbmq.h, side-channel/sidechannel.c,
6083 side-channel/sidechannel_define.h,
6084 configure.in:
6085 Add the ability to share basic session state for Stream via a
6086 side channel
6087
6088 * src/: fpdetect.c, parser.c, snort.c, snort.h, util.c,
6089 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
6090 dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
6091 dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
6092 preprocessors/Stream5/snort_stream5_tcp.c,
6093 preprocessors/Stream5/stream5_paf.c:
6094 Improve some processing performance for small packets
6095
6096 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6097 fix alerts on packets with same src/dst ports
6098 fix prior alert tracking to prevent redundant alerts
6099 fix missing u2 packets.
6100
6101 * src/dynamic-preprocessors/smtp/snort_smtp.c:
6102 Copy remaining data to normalization buffer if already normalizing
6103 and in AUTH state.
6104
6105 * src/ppm.c:
6106 Apply event filter support for PPM rules.
6107
6108 * src/: preprocessors/snort_httpinspect.c,
6109 dynamic-preprocessors/dcerpc2/snort_dce2.c,
6110 dynamic-plugins/sf_engine/sf_snort_packet.h,
6111 detection-plugins/detection_options.c,
6112 detection-plugins/detection_options.h, decode.h,
6113 detection_util.c, encode.c, encode.h, fpdetect.c:
6114 update the packet number check in detection to include
6115 the rebuilt packet count.
6116
6117 * doc/snort_manual.tex:
6118 Update description for rawbytes rule option
6119
6120 * src/sfutil/sfrt_flat.c:
6121 correct return value for memory allocation failures
6122
6123 * src/: file-process/file_mime_process.c,
6124 dynamic-preprocessors/imap/snort_imap.c,
6125 dynamic-preprocessors/pop/snort_pop.c,
6126 dynamic-preprocessors/smtp/snort_smtp.c:
6127 Check log_state in case of allocation failure
6128
6129 * src/: file-process/file_mime_process.c,
6130 dynamic-preprocessors/imap/snort_imap.c,
6131 dynamic-preprocessors/smtp/snort_smtp.c,
6132 dynamic-preprocessors/pop/snort_pop.c:
6133 Processing each mime attachment after the boundary is found.
6134
6135 * doc/README.http_inspect, doc/faq.pdf, doc/snort_manual.pdf,
6136 etc/gen-msg.map, preproc_rules/preprocessor.rules,
6137 src/generators.h,
6138 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
6139 src/preprocessors/spp_stream5.c,
6140 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
6141 src/preprocessors/HttpInspect/include/hi_eo_events.h,
6142 src/preprocessors/HttpInspect/utils/hi_paf.c,
6143 src/preprocessors/Stream5/snort_stream5_tcp.c:
6144 Correct handling of head responses
6145 Flush extra line feeds with following PDUs (skipped over by http_inspect)
6146 add profiling for PAF
6147 Make PAF debug output more readable
6148
6149 * src/: detect.c, detect.h, generators.h, snort.c, snort.h, util.c,
6150 output-plugins/spo_log_tcpdump.c, preprocessors/perf-base.c,
6151 preprocessors/perf-base.h:
6152 Add a new column for total_alert_pkts to perfmonitor stats.
6153
6154 * src/preprocessors/: perf-base.c, perf.c:
6155 Fix insolent file handling in perfmonitor.
6156
6157 * src/sfutil/sf_vartable.c:
6158 Free allocation on failure.
6159
6160 * src/sfutil/sf_ipvar.c:
6161 Refactor sfip_node_t list freeing; Free sfip_node_t list on
6162 allocation failure.
6163
6164 * snort.8:
6165 Update snort.8
6166
6167 * src/: dynamic-preprocessors/ftptelnet/hi_util_kmap.c,
6168 dynamic-preprocessors/ftptelnet/pp_ftp.c,
6169 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
6170 preprocessors/HttpInspect/utils/hi_util_kmap.c:
6171 Check for NULL parameter pointer before copying into file name.
6172 Alloc key node after checking for zero length. Remove
6173 unnecessary curr_ch NULL check.
6174
6175 * src/control/sfcontrol.c:
6176 Fix error checks for CS_TYPE_MAX to be greater than or equal to.
6177
6178 * src/dynamic-preprocessors/dcerpc2/: dce2_smb.c, dce2_smb.h:
6179 Remove unnecessary NULL check of session pointer. Fix set SMB
6180 fingerprint functions to just set flag and not return anything.
6181
6182 * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
6183 Closed file before returning on error. NULL terminated string gotten
6184 from fread() before passing to strtok_r. Checked return value of
6185 fseek(), ftell() and fread(). Added log messages for errors.
6186
6187 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6188 don't do PAF on midstream pickup sessions
6189 do midstream pickup on SYN/ACK when packet is within require_3whs
6190 grace period.
6191
6192 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6193 fix midstream pickup when server data is seen before client. Thanks to
6194 John Eure for reporting the issue.
6195
6196 * src/preprocessors/perf-flow.c:
6197 Don't skip logging of flows with 0 packet count for flow-ip tracking.
6198
6199 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6200 fix multi-pdu per segment flushing
6201
6202 * src/preprocessors/snort_httpinspect.c:
6203 check http session tracker for file upload processing
6204
6205 * src/: encode.c, preprocessors/snort_httpinspect.c,
6206 preprocessors/spp_frag3.c,
6207 preprocessors/Stream5/snort_stream5_tcp.c:
6208 Adjust stream reassembly for a few edge cases
6209
6210 * src/preprocessors/snort_httpinspect.c:
6211 fix the parsing of max gzip mem
6212
6213 * src/: snort.c, dynamic-output/plugins/output.h,
6214 dynamic-output/plugins/output_base.c:
6215 Print dynamic output modules with other plugins during startup.
6216
6217 * doc/snort_manual.pdf, etc/gen-msg.map,
6218 preproc_rules/decoder.rules, src/decode.c, src/decode.h,
6219 src/encode.c, src/generators.h, src/sf_protocols.h:
6220 Add decoding support for ERSpan type 2 and type 3 when ERSpan
6221 is inside GRE.
6222
6223 * src/: snort.c, snort.h:
6224 Add --pcap-reload Snort flag to reload between pcap runs.
6225
6226 * doc/README.daq, doc/faq.pdf, doc/snort_manual.pdf,
6227 doc/snort_manual.tex, src/decode.h, src/fpdetect.c, src/snort.c,
6228 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
6229 src/dynamic-preprocessors/imap/snort_imap.c,
6230 src/dynamic-preprocessors/pop/snort_pop.c,
6231 src/dynamic-preprocessors/smtp/smtp_util.c,
6232 src/dynamic-preprocessors/smtp/snort_smtp.c,
6233 src/file-process/file_mime_process.c,
6234 src/output-plugins/spo_unified2.c,
6235 src/preprocessors/snort_httpinspect.c,
6236 src/preprocessors/snort_httpinspect.h,
6237 src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
6238 src/preprocessors/Stream5/snort_stream5_tcp.c,
6239 src/preprocessors/Stream5/snort_stream5_tcp.h:
6240 Ensure logging of extra data captured after alert
6241
6242 * src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c:
6243 When a writer is in read mode, ensure the size is the shared memory
6244 segment size.
6245
6246 * src/file-process/: libs/file_lib.c, file_service.c:
6247 Only display the file stats for types in the current configuration
6248
6249 * src/: dynamic-preprocessors/ftptelnet/ftpp_si.h,
6250 preprocessors/spp_stream5.c, preprocessors/stream_api.h,
6251 preprocessors/Stream5/snort_stream5_session.c,
6252 control/sfcontrol.c:
6253 Add a stream api function to return the session key given a session
6254 pointer. Expose the SessionKey structure to dynamic preprocessors.
6255 For ICMP "sessions", include ICMP type as an element in the key,
6256 thereby making it a different "session" if the type varies. Echo
6257 replies are keyed the same as requests.
6258
6259 * doc/snort_manual.pdf, doc/snort_manual.tex, src/parser.c,
6260 src/parser.h, src/snort.c, src/snort.h, doc/README.reload:
6261 Remove "config read_bin_file" documentation
6262
6263 * src/: decode.c, decode.h, sfutil/sf_ip.h, sfutil/sf_iph.c,
6264 preprocessors/perf-base.c,
6265 dynamic-preprocessors/dcerpc2/snort_dce2.c,
6266 dynamic-plugins/sf_engine/sf_snort_packet.h,
6267 dynamic-preprocessors/sdf/spp_sdf.c:
6268 Update IP6RawHdr structure and fix version extraction for little
6269 endian machines. Reduce size of sfip_t by 4 bytes.
6270
6271 * src/detection-plugins/sp_pattern_match.c:
6272 Error if relative rule option used after fast pattern only.
6273
6274 * preproc_rules/decoder.rules, src/decode.c, src/generators.h:
6275 Add decoder alert for IPv6 Routing Type 0 headers.
6276
6277 * src/encode.c:
6278 Replace usage of ScAdapterInlineMode() with DAQ_GetInterfaceMode().
6279
6280 * src/: rate_filter.h, dynamic-preprocessors/sdf/sdf_us_ssn.h,
6281 dynamic-preprocessors/sdf/spp_sdf.h, sfutil/sfrt_flat_dir.h:
6282 Cleanup recursive header inclusions.
6283
6284 * src/decode.h:
6285 Fix macros for token ring header field extraction.
6286
6287 * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
6288 Move SSN advertisement check before stricter validation.
6289
6290 * doc/: README.dcerpc2, snort_manual.pdf, snort_manual.tex:
6291 Update dce_stub_data documentation.
6292
6293 * src/parser.c:
6294 Cleanup function ValidateIPList().
6295
6296 * src/dynamic-output/plugins/output_base.c:
6297 Remove dead code path.
6298
6299 * src/detection-plugins/sp_respond3.c:
6300 FatalError if Resp3_Parse() is called with bad parameters.
6301
6302 * src/: snort_bounds.h, preprocessors/perf-base.c:
6303 Add error recovery to the perfstats logging code.
6304
6305 * src/output-plugins/: spo_alert_fast.c, spo_alert_full.c:
6306 Add printing of GID:SID:Rev even if there is no msg in a rule.
6307
6308 * src/dynamic-preprocessors/: smtp/spp_smtp.c, pop/spp_pop.c,
6309 imap/spp_imap.c:
6310 Initialize file depth to all the configurations, not just the default.
6311
6312 * configure.in, src/decode.h,
6313 src/detection-plugins/sp_clientserver.c,
6314 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
6315 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
6316 src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
6317 src/dynamic-preprocessors/dcerpc2/dce2_paf.h,
6318 src/dynamic-preprocessors/dcerpc2/dce2_session.h,
6319 src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
6320 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
6321 src/dynamic-preprocessors/dnp3/dnp3_paf.c,
6322 src/dynamic-preprocessors/dnp3/dnp3_paf.h,
6323 src/dynamic-preprocessors/dnp3/spp_dnp3.c,
6324 src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
6325 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
6326 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
6327 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
6328 src/dynamic-preprocessors/modbus/modbus_paf.c,
6329 src/dynamic-preprocessors/modbus/modbus_paf.h,
6330 src/dynamic-preprocessors/modbus/spp_modbus.c,
6331 src/file-process/file_mime_process.c,
6332 src/preprocessors/snort_httpinspect.c,
6333 src/preprocessors/spp_httpinspect.c,
6334 src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
6335 src/preprocessors/HttpInspect/client/hi_client.c,
6336 src/preprocessors/HttpInspect/include/hi_paf.h,
6337 src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
6338 src/preprocessors/HttpInspect/server/hi_server.c,
6339 src/preprocessors/HttpInspect/utils/hi_paf.c,
6340 src/preprocessors/Stream5/snort_stream5_tcp.c,
6341 src/preprocessors/Stream5/snort_stream5_tcp.h,
6342 src/preprocessors/Stream5/stream5_paf.c,
6343 src/preprocessors/Stream5/stream5_paf.h:
6344 Add support for PAF activation by service and hardened PAF (removed
6345 --disable-paf from configure.in)
6346
6347 * etc/gen-msg.map, src/decode.c, src/decode.h, src/generators.h,
6348 preproc_rules/decoder.rules:
6349 Support decoding of ICMPv6 Node Info Query and Node Info Response.
6350 Added decoder event for invalid codes therein.
6351
6352 * src/preprocessors/: HttpInspect/mode_inspection/hi_mi.c,
6353 HttpInspect/client/hi_client.c, HttpInspect/include/hi_client.h,
6354 snort_httpinspect.h:
6355 Log XFF data on raw packet when reassembly is turned off.
6356
6357 * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
6358 Refactor dead code path in DCE2_SmbTransactionGetName().
6359
6360 * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
6361 Factor out dead code path in ftpp_ui_client_lookup_add().
6362
6363 * src/preprocessors/spp_bo.c:
6364 Remove redundant dereferences to array pointer.
6365
6366 * src/sfutil/sfrf.c:
6367 Factor out dead code path in SFRF_ConfigAdd().
6368
6369 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6370 Factor out dead code path in Stream5ProcessTcp().
6371
6372 * src/fpcreate.c:
6373 Factor out dead code path in fpCreatePortObject2PortGroup().
6374
6375 * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c,
6376 src/dynamic-preprocessors/dcerpc2/dce2_config.c:
6377 Factor out dead code paths in DCE2 Preproc.
6378
6379 * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
6380 Factor out dead code paths in SetCursorInternal().
6381
6382 * src/dynamic-preprocessors/sip/: sip_roptions.c, spp_sip.c,
6383 spp_sip.h:
6384 add user defined SIP method to parsing policy instead of running policy
6385
6386 * src/preprocessors/HttpInspect/include/hi_eo_events.h,
6387 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
6388 etc/gen-msg.map, src/generators.h,
6389 preproc_rules/preprocessor.rules,
6390 src/preprocessors/HttpInspect/client/hi_client.c:
6391 Add preprocessor alert when snort sees unescaped space within the URI
6392 Log IPs followed by portnum from the XFF header
6393
6394 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6395 Remove unnecessary check for NULL on array type.
6396
6397 * src/preprocessors/spp_frag3.c:
6398 Remove unnecessary check for NULL on array type.
6399
6400 * src/snort.c:
6401 Remove unnecessary check for NULL on array type.
6402
6403 * tools/u2boat/u2boat.c:
6404 Make sure ConvertRecord func pointer is valid before called.
6405
6406 * src/detection-plugins/sp_byte_extract.c:
6407 Fix value check for byte extract "multiplier" arg.
6408
6409 * src/: util.c, util.h:
6410 Remove dead functions from util.c
6411
6412 * tools/u2spewfoo/u2spewfoo.c:
6413 Check for error and prevent leaks with realloc in u2spewfoo.
6414 Thanks to William Parker for reporting it.
6415
6416 * src/: parser.c, dynamic-plugins/sf_dynamic_plugins.c,
6417 dynamic-preprocessors/dcerpc2/dce2_config.c,
6418 dynamic-preprocessors/dns/spp_dns.c:
6419 Fix dead code paths
6420
6421 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6422 Reset overlap count when 129:7 is triggered to avoid repeated false
6423 positives
6424
6425 * src/dynamic-preprocessors/smtp/: snort_smtp.c, snort_smtp.h:
6426 Handle 535 response codes - authentication failed.
6427
6428 * doc/README.SMTP, doc/snort_manual.tex,
6429 src/dynamic-preprocessors/smtp/smtp_config.c,
6430 src/dynamic-preprocessors/smtp/smtp_config.h,
6431 src/dynamic-preprocessors/smtp/snort_smtp.c,
6432 src/dynamic-preprocessors/smtp/snort_smtp.h:
6433 Added new configuration options "data_cmds", "binary_data_cmds" and
6434 "auth_cmds" to the smtp preprocessor.
6435
6436 * doc/README.reload, doc/snort_manual.tex, src/snort.c,
6437 src/preprocessors/perf-base.c, src/preprocessors/perf-base.h,
6438 src/preprocessors/perf-flow.c, src/preprocessors/perf-flow.h,
6439 src/preprocessors/perf.c, src/preprocessors/perf.h,
6440 src/preprocessors/spp_perfmonitor.c,
6441 src/preprocessors/Stream5/snort_stream5_tcp.c:
6442 Added "flow-file" configuration option and optional arguments
6443 to "atexitonly" for perfmonitor preprocessor.
6444
6445 * src/: detection-plugins/sp_pattern_match.c,
6446 dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
6447 Adjust detection option pointer and distance for content matches
6448 with negative distances that put pointer before start of buffer.
6449
6450 * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
6451 Ensure all request and response fields are reset
6452
6453 * src/generators.h, preproc_rules/preprocessor.rules,
6454 src/preprocessors/spp_frag3.c:
6455 Remove dead preprocessor alerts from Frag3, GIDs 123:9, 123:10
6456 that are covered by 116:458.
6457
6458 * src/: dynamic-preprocessors/ftptelnet/ftpp_si.c,
6459 dynamic-preprocessors/ftptelnet/ftpp_si.h,
6460 dynamic-preprocessors/ftptelnet/pp_ftp.c,
6461 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
6462 dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
6463 dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
6464 preprocessors/stream_api.h,
6465 preprocessors/Stream5/snort_stream5_tcp.c:
6466 Set reassembly on ftp-data for file processing and file_data ptr
6467 for ftp-data channel.
6468
6469 * src/: decode.c, decode.h, encode.c, sf_protocols.h, snort.c:
6470 Whitelist encrypted ESP tunnels if decoding ESP traffic.
6471
6472 * src/detection-plugins/sp_react.c:
6473 Fix issue where react action was lost when Snort reloads.
6474
6475 * src/dynamic-preprocessors/: imap/snort_imap.c, imap/spp_imap.c,
6476 smtp/snort_smtp.c, smtp/spp_smtp.c, pop/snort_pop.c,
6477 pop/spp_pop.c:
6478 Enforce target based config setting for file processing.
6479
6480 * src/file-process/file_mime_process.c:
6481 Make sure signature context is created at any file position.
6482
6483 * src/dynamic-preprocessors/: pop/snort_pop.c, pop/snort_pop.h,
6484 smtp/snort_smtp.c, smtp/snort_smtp.h:
6485 Using boundary to check end of file
6486
6487 * src/: decode.h, dynamic-plugins/sf_engine/sf_snort_packet.h,
6488 output-plugins/spo_unified2.c, preprocessors/spp_sfportscan.c:
6489 Update portscan unified2 events to log type of portscan in
6490 protocol field instead of 0xFF.
6491
6492 * doc/: README.asn1, snort_manual.pdf, snort_manual.tex:
6493 Update asn1 rule option documentation to remove reference to
6494 byte_test updating relative pointer. Thanks to Brandon Castel
6495 for bringing this to our attention.
6496
6497 * src/: file-process/file_mime_process.c,
6498 file-process/file_mime_process.h,
6499 preprocessors/HttpInspect/client/hi_client.c,
6500 file-process/Makefile.am, file-process/file_api.h,
6501 file-process/file_mime_config.c, file-process/file_mime_config.h,
6502 file-process/file_resume_block.c,
6503 file-process/file_resume_block.h, file-process/file_service.c,
6504 file-process/file_service.h, file-process/file_service_config.c,
6505 preprocessors/snort_httpinspect.c,
6506 preprocessors/snort_httpinspect.h,
6507 preprocessors/spp_httpinspect.c,
6508 preprocessors/HttpInspect/include/hi_client.h,
6509 preprocessors/HttpInspect/include/hi_ui_config.h,
6510 dynamic-preprocessors/imap/spp_imap.c,
6511 file-process/libs/file_config.c, file-process/libs/file_config.h,
6512 sfutil/sf_email_attach_decode.c, snort.c:
6513 Add support for http file upload.
6514
6515 * doc/: PROBLEMS, README.WIN32, README.daq, faq.tex,
6516 snort_manual.tex:
6517 Update READMEs and FAQ and Snort Manual to standardize the format of
6518 references to libpcap. Also update location of winpcap. Thanks to
6519 Joshua Kinard and Bryan Jones for pointing out the discrepancies.
6520
6521 * src/preprocessors/spp_sfportscan.c:
6522 Fix portscan to only prep a pseudo-packet if actually generating an alert
6523
6524 * src/file-process/: file_api.h, file_service.c:
6525 Add packet to file api calls to determine if the session is inline.
6526
6527 * src/dynamic-preprocessors/sip/sip_config.c:
6528 Fatal error during SIP preprocessor configuration
6529 if a standard or user defined method cannot be allocated.
6530
6531 * src/: file-process/file_resume_block.c,
6532 file-process/file_service.c, file-process/file_service.h,
6533 snort.c:
6534 Move file resume cache clean to restart or snort exit
6535
6536 * src/file-process/: file_api.h, file_resume_block.c:
6537 File API change to support logging file resume blocking.
6538
6539 * src/: preprocessors/Stream5/snort_stream5_tcp.c,
6540 file-process/Makefile.am, file-process/file_api.h,
6541 file-process/file_mime_process.c,
6542 file-process/file_mime_process.h,
6543 file-process/file_resume_block.c,
6544 file-process/file_resume_block.h, file-process/file_service.c,
6545 file-process/file_service_config.c,
6546 dynamic-preprocessors/pop/pop_config.c,
6547 dynamic-preprocessors/pop/pop_config.h,
6548 dynamic-preprocessors/pop/snort_pop.c,
6549 dynamic-preprocessors/pop/snort_pop.h,
6550 dynamic-preprocessors/pop/spp_pop.c,
6551 dynamic-preprocessors/smtp/smtp_config.c,
6552 dynamic-preprocessors/smtp/smtp_config.h,
6553 dynamic-preprocessors/smtp/smtp_util.c,
6554 dynamic-preprocessors/smtp/smtp_util.h,
6555 dynamic-preprocessors/smtp/snort_smtp.c,
6556 dynamic-preprocessors/smtp/snort_smtp.h,
6557 dynamic-preprocessors/smtp/spp_smtp.c,
6558 dynamic-preprocessors/imap/imap_config.c,
6559 dynamic-preprocessors/imap/imap_config.h,
6560 dynamic-preprocessors/imap/snort_imap.c,
6561 dynamic-preprocessors/imap/snort_imap.h,
6562 dynamic-preprocessors/imap/spp_imap.c, util.c, util.h,
6563 file-process/libs/file_config.c, file-process/libs/file_config.h,
6564 file-process/libs/file_lib.h,
6565 dynamic-plugins/sf_dynamic_plugins.c,
6566 dynamic-plugins/sf_dynamic_preprocessor.h:
6567 File blocking, http resume blocking, file statistics, and file name
6568 support for pop, imap.
6569
6570 * src/output-plugins/spo_alert_unixsock.c:
6571 Update to use memset and memmove instead of bzero/bcopy. Thanks to
6572 Bill Parker for the suggestion.
6573
6574 * doc/: README.dcerpc2, snort_manual.pdf, snort_manual.tex:
6575 Update dcerpc2 preprocessor documentation to remove -1 as a default
6576 and valid value to max_frag_len.
6577
6578 * src/preprocessors/spp_perfmonitor.c:
6579 Make sure perfmonitor evaluation function is added to each policy's
6580 preprocessor evaluation list.
6581
6582 * configure.in, doc/INSTALL, doc/README.reputation,
6583 doc/snort_manual.pdf, doc/snort_manual.tex, src/fpcreate.c,
6584 src/fpcreate.h, src/parser.c, src/parser.h,
6585 src/rule_option_types.h, src/snort.c, src/snort.h,
6586 src/detection-plugins/detection_options.c,
6587 src/dynamic-examples/Makefile.am, src/dynamic-output/Makefile.am,
6588 src/dynamic-output/libs/Makefile.am,
6589 src/dynamic-plugins/sf_convert_dynamic.c,
6590 src/dynamic-plugins/sf_dynamic_plugins.c,
6591 src/dynamic-plugins/sp_dynamic.c,
6592 src/dynamic-plugins/sp_preprocopt.c,
6593 src/dynamic-preprocessors/Makefile.am,
6594 src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
6595 src/dynamic-preprocessors/dnp3/sf_dnp3.dsp,
6596 src/dynamic-preprocessors/dns/sf_dns.dsp,
6597 src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
6598 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
6599 src/dynamic-preprocessors/gtp/sf_gtp.dsp,
6600 src/dynamic-preprocessors/imap/sf_imap.dsp,
6601 src/dynamic-preprocessors/isakmp/sf_isakmp.dsp,
6602 src/dynamic-preprocessors/libs/Makefile.am,
6603 src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp,
6604 src/dynamic-preprocessors/modbus/sf_modbus.dsp,
6605 src/dynamic-preprocessors/pop/sf_pop.dsp,
6606 src/dynamic-preprocessors/reputation/sf_reputation.dsp,
6607 src/dynamic-preprocessors/sdf/sf_sdf.dsp,
6608 src/dynamic-preprocessors/sip/sf_sip.dsp,
6609 src/dynamic-preprocessors/smtp/sf_smtp.dsp,
6610 src/dynamic-preprocessors/ssh/sf_ssh.dsp,
6611 src/dynamic-preprocessors/ssl/sf_ssl.dsp,
6612 src/preprocessors/spp_httpinspect.c,
6613 src/preprocessors/Stream5/snort_stream5_tcp.c,
6614 src/preprocessors/Stream5/stream5_common.c,
6615 src/win32/WIN32-Prj/sf_engine.dsp,
6616 src/win32/WIN32-Prj/sf_testdetect.dsp,
6617 src/win32/WIN32-Prj/snort.dsp:
6618 Removed --disable-dynamicplugin configure option and hardened
6619 dynamic plugin code.
6620
6621 * src/: dynamic-plugins/sf_engine/sf_snort_packet.h,
6622 dynamic-preprocessors/ftptelnet/ftpp_si.c,
6623 dynamic-preprocessors/ftptelnet/ftpp_si.h,
6624 dynamic-preprocessors/ftptelnet/ftpp_ui_config.h,
6625 dynamic-preprocessors/ftptelnet/pp_ftp.c,
6626 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
6627 preprocessors/spp_stream5.c, preprocessors/stream_api.h,
6628 preprocessors/Stream5/snort_stream5_tcp.c:
6629 File processing for ftp-data channel.
6630
6631 * src/dynamic-preprocessors/dcerpc2/: dce2_smb.c, dce2_smb.h:
6632 Remove NetBIOS session state.
6633
6634 * src/: plugbase.c, output-plugins/Makefile.am,
6635 output-plugins/spo_unified.c, output-plugins/spo_unified.h:
6636 Remove deprecated unified support. Same functionality is
6637 supported with unified2.
6638
6639 * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
6640 Correct setting FID in reassembled packets on big endian systems.
6641
6642 * doc/INSTALL, doc/snort_manual.pdf, doc/snort_manual.tex,
6643 src/output-plugins/spo_alert_unixsock.c:
6644 Update alert_unixsock output plugin and documentation for use on FreeBSD.
6645
6646 * src/: decode.c, decode.h:
6647 Add RFC 5925 (The TCP Authentication Option) option as a valid TCP
6648 option and tag RFC 2385 (Protection of BGP Sessions via the TCP MD5
6649 Signature Option) option as obsolete.
6650
6651 * rpm/snort.spec, doc/snort_manual.tex,
6652 src/win32/WIN32-Prj/snort_installer.nsi,
6653 src/win32/WIN32-Includes/config.h:
6654 Set version to 2.9.5
6655
6656 2013-04-18 Steven Sturges <ssturges@sourcefire.com>
6657 Snort 2.9.4.6
6658 * src/build.h:
6659 updating build number to 73
6660
6661 * doc/README.counts, doc/snort_manual.pdf, doc/snort_manual.tex,
6662 src/decode.c, src/parser.c, src/snort.h:
6663 Added config tunnel_verdicts and tunnel bypass for whitelist and
6664 blacklist verdicts for 6in4 or 4in6 encapsulated traffic.
6665
6666 * src/preprocessors/spp_frag3.c:
6667 Don't update IP options length and count in frag3 after allocating
6668 option buffer when receiving duplicate 0 offset fragments with IP
6669 options.
6670
6671 2013-03-20 Steven Sturges <ssturges@sourcefire.com>
6672 Snort 2.9.4.5
6673 * src/build.h:
6674 updating build number to 71
6675
6676 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6677 prevent pruning when dup'ing a seglist node to avoid broken
6678 flushed packets
6679
6680 * src/detection-plugins/detection_options.c:
6681 recursively search patterns within the HTTP uri
6682 buffers until the buffer ends.
6683
6684 * src/preprocessors/HttpInspect/: client/hi_client.c,
6685 client/hi_client_norm.c, include/hi_client.h:
6686 Remove proxy information from the normalized URI buffer. Thanks
6687 to L0rd Ch0de1m0rt for reporting the issue.
6688
6689 * src/: control/sfcontrol.c, preprocessors/Stream5/snort_stream5_tcp.c:
6690 fix logging of unified2 packet data when alerting on a packet containing
6691 multiple HTTP PDUs
6692
6693 2013-02-19 Bhagyashree Bantwal <bbantwal@sourcefire.com>
6694 Snort 2.9.4.1
6695 * src/build.h: updating build number to 69
6696
6697 * src/preprocessors/Stream5/snort_stream5_tcp.c:
6698 Only check for TCP Window Slam on client packets.
6699
6700 * src/: control/sfcontrol.c, control/sfcontrol.h,
6701 preprocessors/spp_stream5.c, preprocessors/stream_api.h,
6702 preprocessors/Stream5/snort_stream5_session.c,
6703 preprocessors/Stream5/stream5_common.h
6704 Add a stream API function to return a session key given a session.
6705 Expose the session key
6706
6707 * src/target-based/sftarget_reader.c:
6708 Change routing table layout for ip6 attribute lookups to
6709 be more space efficient
6710
6711 * src/preprocessors/spp_frag3.c:
6712 Forcibly drop excessive overlaps
6713
6714 * src/preprocessors/spp_frag3.c:
6715 Propagate address_space_id from raw packet to frag3
6716 rebuilt packet DAQ header
6717
6718 * src/: encode.c, encode.h,
6719 preprocessors/Stream5/snort_stream5_tcp.c:
6720 Update packet encoding to propagate the address_space_id in DAQ header
6721
6722 * configure.in, src/decode.c:
6723 Define NO_NON_ETHER_DECODER by default in Snort builds. Add
6724 --enable-non-ether-decoders as a configure flag.
6725
6726 * src/dynamic-preprocessors/: pop/snort_pop.c, pop/snort_pop.h,
6727 smtp/snort_smtp.c, smtp/snort_smtp.h:
6728 Use MIME boundary for end of file indication even for the last file
6729
6730 * src/dynamic-preprocessors/reputation/spp_reputation.c:
6731 only inspect ingress zone for passive interface.
6732
6733 * doc/README.reputation:
6734 * src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c:
6735 When a writer is in read mode, the size should be the shared
6736 memory segment size.
6737
6738 * src/: control/sfcontrol.c, control/sfcontrol.h,
6739 dynamic-preprocessors/reputation/spp_reputation.c:
6740 Only decode outer header in main control section. Payload is handled by the handler.
6741
6742 * src/dynamic-preprocessors/reputation/: spp_reputation.c
6743 shmem/shmem_mgmt.c:
6744 update shared memory for snort readers that are idle.
6745
6746 * src/parser.c:
6747 make sure otn is different from original and that option functions weren't
6748 already freed before freeing the dup list.
6749
6750 * src/dynamic-preprocessors/: smtp/spp_smtp.c, imap/spp_imap.c,
6751 pop/spp_pop.c:
6752 Initialize file depth to all the policies, not just default
6753 policy
6754
6755 * src/dynamic-preprocessors/: pop/spp_pop.c, smtp/snort_smtp.c,
6756 imap/spp_imap.c:
6757 check whether mime decoding is disabled before allocating memory.
6758
6759 * doc/: snort_manual.pdf, snort_manual.tex:
6760 changed doc default to 10 max_attribute_services_per_host.
6761
6762 * src/: parser.c, parser.h, snort.c, snort.h,
6763 preprocessors/spp_frag3.c,
6764 preprocessors/Stream5/snort_stream5_tcp.c,
6765 target-based/sftarget_hostentry.c,
6766 target-based/sftarget_reader.c, target-based/sftarget_reader.h:
6767 remove unused AttributeData and change attribute table to use uints instead of
6768 AttributeData to reduce host/service from 5208/5192 to 80/16
6769 bytes respectively. Add config max_attribute_services_per_host
6770 to change from default of 10. Unused AttributeData includes
6771 operating system, vendor, and version for host and application
6772 and version for service. Note that the data is still parsed from
6773 hosts.xml but not actually stored in memory. Also tweak some
6774 stream5 debug code that threw warnings.
6775
6776 * src/: file-process/file_service.c,
6777 preprocessors/snort_httpinspect.c:
6778 avoid processing partial HTTP content.
6779
6780 * src/: encode.c, encode.h,
6781 preprocessors/Stream5/snort_stream5_tcp.c:
6782 Make sure daq supports zones and interfaces in the daq header.
6783
6784 * src/: encode.c, encode.h,
6785 preprocessors/Stream5/snort_stream5_tcp.c:
6786 Maintain ingress and egress interfaces and zones and daq flags
6787 in the tcp session to be used to populate reassembled packets correctly.
6788
6789 2012-10-30 Steven Sturges <ssturges@sourcefire.com>
6790 Snort 2.9.4
6791 * src/build.h:
6792 updating build number to 37
6793
6794 * doc/README.counts, doc/snort_manual.tex, doc/snort_manual.pdf,
6795 src/active.c, src/active.h, src/decode.c, src/parser.c,
6796 src/parser.h, src/snort.c, src/snort.h, src/util.c:
6797 added config tunnel_verdicts and tunnel bypass for whitelist and
6798 blacklist verdicts for gtp or teredo encapsulated traffic.
6799
6800 * src/dynamic-preprocessors/smtp/: snort_smtp.c, snort_smtp.h:
6801 Handle MS Exchange X-EXPS and XEXCH50 commands in the SMTP
6802 preprocessor.
6803
6804 2012-10-16 Steven Sturges <ssturges@sourcefire.com>
6805 Snort 2.9.4 RC
6806 * src/build.h:
6807 updating build number to 35
6808
6809 * src/file-process/libs/: file_identifier.c, file_identifier.h
6810 Fixed one issue when inserting a file magic in between another
6811 file magic. In addition, avoid cloning nodes which are not used
6812 by other nodes. This improves memory usage (from 10M down to
6813 4M)
6814
6815 * src/: detect.c, plugbase.c, plugbase.h, snort.c, snort.h,
6816 dynamic-plugins/sf_dynamic_plugins.c,
6817 dynamic-plugins/sf_dynamic_preprocessor.h
6818 Added 2 new dpd functions. One turns off detection, the other
6819 re-enables a given preprocessor. After the preprocessors are
6820 configured, the preprocessor list is filtered if detection is
6821 off.
6822
6823 * src/active.c :
6824 allow TCP RST response to segments w/o data
6825
6826 * src/dynamic-plugins/sf_engine/: sf_snort_detection_engine.c,
6827 sf_snort_plugin_api.c, sf_snort_plugin_api.h,
6828 sf_snort_plugin_byte.c, sf_snort_plugin_content.c,
6829 sf_snort_plugin_hdropts.c, sf_snort_plugin_pcre.c
6830 Changed logic of option evaluations for SO rules that use a custom
6831 evaluation function to match that of the SO rule builtin logic
6832 when the NOT_FLAG is used.
6833
6834 * src/detection-plugins/: sp_flowbits.c, sp_flowbits.h
6835 Use appropriate integer types and comparisons.
6836
6837 * src/preprocessors/HttpInspect/: client/hi_client.c,
6838 server/hi_server.c
6839 fix win32 warnings
6840
6841 * src/: active.c, fpdetect.c, preprocessors/spp_stream5.c
6842 don't enable active response unless configured
6843
6844 * src/: dynamic-plugins/sf_engine/sf_snort_packet.h,
6845 preprocessors/spp_stream5.c, file-process/file_service.c,
6846 decode.h
6847 avoid logging incorrect file name/file size when multiple files
6848 are within one packet.
6849
6850 * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
6851 Fix Win32 build warnings.
6852
6853 2012-09-20 Steven Sturges <ssturges@sourcefire.com>
6854 Snort 2.9.4 Beta
6855 * configure.in, doc/snort_manual.pdf, src/parser.c, src/parser.h,
6856 src/sfdaq.h, src/snort.h,
6857 src/dynamic-preprocessors/sip/sip_dialog.c,
6858 src/preprocessors/spp_frag3.c, src/preprocessors/spp_stream5.c,
6859 src/preprocessors/stream_api.h,
6860 src/preprocessors/Stream5/snort_stream5_session.c,
6861 src/preprocessors/Stream5/snort_stream5_session.h,
6862 src/preprocessors/Stream5/stream5_common.h:
6863 Add use of address_space_id in stream & frag hash keys when DAQ
6864 provides it.
6865
6866 * src/: dynamic-preprocessors/imap/snort_imap.c,
6867 dynamic-preprocessors/pop/snort_pop.c,
6868 dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
6869 dynamic-preprocessors/smtp/snort_smtp.c,
6870 preprocessors/snort_httpinspect.c,
6871 preprocessors/Stream5/snort_stream5_tcp.c,
6872 sfutil/sf_email_attach_decode.h,
6873 win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp,
6874 win32/WIN32-Prj/snort.dsw:
6875 Fix a few Win32 warnings.
6876
6877 * src/preprocessors/Stream5/snort_stream5_tcp.c
6878 ensure that the LWS policy matches that of the server (instead of
6879 the dest)
6880
6881 * COPYING, LICENSE, contrib/snortpp.c, doc/README, src/active.h,
6882 src/byte_extract.c, src/byte_extract.h, src/checksum.h,
6883 src/cpuclock.h, src/debug.c, src/decode.h, src/detect.c,
6884 src/detect.h, src/detection_filter.c, src/detection_filter.h,
6885 src/detection_util.c, src/detection_util.h, src/encode.c,
6886 src/encode.h, src/event.h, src/event_queue.c, src/event_queue.h,
6887 src/event_wrapper.c, src/event_wrapper.h, src/fpcreate.c,
6888 src/fpcreate.h, src/fpdetect.c, src/fpdetect.h, src/generators.h,
6889 src/idle_processing.c, src/idle_processing.h,
6890 src/idle_processing_funcs.h, src/ipv6_port.h, src/log.c,
6891 src/log.h, src/log_text.c, src/log_text.h, src/mempool.c,
6892 src/mempool.h, src/mstring.c, src/mstring.h, src/obfuscation.c,
6893 src/obfuscation.h, src/packet_time.c, src/packet_time.h,
6894 src/parser.c, src/parser.h, src/pcap_pkthdr32.h, src/pcrm.c,
6895 src/pcrm.h, src/plugbase.c, src/plugbase.h, src/plugin_enum.h,
6896 src/ppm.c, src/ppm.h, src/preprocids.h, src/profiler.c,
6897 src/profiler.h, src/rate_filter.c, src/rate_filter.h,
6898 src/rule_option_types.h, src/rules.h, src/sf_protocols.h,
6899 src/sf_sdlist.c, src/sf_sdlist.h, src/sf_sdlist_types.h,
6900 src/sf_types.h, src/sfdaq.c, src/sfdaq.h, src/sfthreshold.c,
6901 src/sfthreshold.h, src/signature.c, src/signature.h, src/snort.c,
6902 src/snort.h, src/snort_bounds.h, src/snort_debug.h,
6903 src/snprintf.c, src/snprintf.h, src/spo_plugbase.h,
6904 src/strlcatu.h, src/strlcpyu.h, src/tag.c, src/tag.h,
6905 src/treenodes.h, src/util.c, src/util.h, src/control/sfcontrol.c,
6906 src/control/sfcontrol.h, src/control/sfcontrol_funcs.h,
6907 src/detection-plugins/detection_options.h,
6908 src/detection-plugins/sp_asn1.c, src/detection-plugins/sp_asn1.h,
6909 src/detection-plugins/sp_asn1_detect.c,
6910 src/detection-plugins/sp_asn1_detect.h,
6911 src/detection-plugins/sp_base64_data.c,
6912 src/detection-plugins/sp_base64_data.h,
6913 src/detection-plugins/sp_base64_decode.c,
6914 src/detection-plugins/sp_base64_decode.h,
6915 src/detection-plugins/sp_byte_check.h,
6916 src/detection-plugins/sp_byte_extract.h,
6917 src/detection-plugins/sp_byte_jump.h,
6918 src/detection-plugins/sp_clientserver.c,
6919 src/detection-plugins/sp_clientserver.h,
6920 src/detection-plugins/sp_cvs.c, src/detection-plugins/sp_cvs.h,
6921 src/detection-plugins/sp_dsize_check.c,
6922 src/detection-plugins/sp_dsize_check.h,
6923 src/detection-plugins/sp_file_data.c,
6924 src/detection-plugins/sp_file_data.h,
6925 src/detection-plugins/sp_flowbits.c,
6926 src/detection-plugins/sp_flowbits.h,
6927 src/detection-plugins/sp_ftpbounce.c,
6928 src/detection-plugins/sp_ftpbounce.h,
6929 src/detection-plugins/sp_hdr_opt_wrap.c,
6930 src/detection-plugins/sp_hdr_opt_wrap.h,
6931 src/detection-plugins/sp_icmp_code_check.c,
6932 src/detection-plugins/sp_icmp_code_check.h,
6933 src/detection-plugins/sp_icmp_id_check.c,
6934 src/detection-plugins/sp_icmp_id_check.h,
6935 src/detection-plugins/sp_icmp_seq_check.c,
6936 src/detection-plugins/sp_icmp_seq_check.h,
6937 src/detection-plugins/sp_icmp_type_check.c,
6938 src/detection-plugins/sp_icmp_type_check.h,
6939 src/detection-plugins/sp_ip_fragbits.c,
6940 src/detection-plugins/sp_ip_fragbits.h,
6941 src/detection-plugins/sp_ip_id_check.c,
6942 src/detection-plugins/sp_ip_id_check.h,
6943 src/detection-plugins/sp_ip_proto.c,
6944 src/detection-plugins/sp_ip_proto.h,
6945 src/detection-plugins/sp_ip_same_check.c,
6946 src/detection-plugins/sp_ip_same_check.h,
6947 src/detection-plugins/sp_ip_tos_check.c,
6948 src/detection-plugins/sp_ip_tos_check.h,
6949 src/detection-plugins/sp_ipoption_check.c,
6950 src/detection-plugins/sp_ipoption_check.h,
6951 src/detection-plugins/sp_isdataat.c,
6952 src/detection-plugins/sp_isdataat.h,
6953 src/detection-plugins/sp_pattern_match.c,
6954 src/detection-plugins/sp_pattern_match.h,
6955 src/detection-plugins/sp_pcre.h,
6956 src/detection-plugins/sp_pkt_data.c,
6957 src/detection-plugins/sp_pkt_data.h,
6958 src/detection-plugins/sp_react.c,
6959 src/detection-plugins/sp_react.h,
6960 src/detection-plugins/sp_replace.c,
6961 src/detection-plugins/sp_replace.h,
6962 src/detection-plugins/sp_respond.h,
6963 src/detection-plugins/sp_respond3.c,
6964 src/detection-plugins/sp_rpc_check.c,
6965 src/detection-plugins/sp_rpc_check.h,
6966 src/detection-plugins/sp_session.c,
6967 src/detection-plugins/sp_session.h,
6968 src/detection-plugins/sp_tcp_ack_check.c,
6969 src/detection-plugins/sp_tcp_ack_check.h,
6970 src/detection-plugins/sp_tcp_flag_check.c,
6971 src/detection-plugins/sp_tcp_flag_check.h,
6972 src/detection-plugins/sp_tcp_seq_check.c,
6973 src/detection-plugins/sp_tcp_seq_check.h,
6974 src/detection-plugins/sp_tcp_win_check.c,
6975 src/detection-plugins/sp_tcp_win_check.h,
6976 src/detection-plugins/sp_ttl_check.c,
6977 src/detection-plugins/sp_ttl_check.h,
6978 src/detection-plugins/sp_urilen_check.c,
6979 src/detection-plugins/sp_urilen_check.h,
6980 src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h,
6981 src/dynamic-examples/dynamic-preprocessor/spp_example.c,
6982 src/dynamic-examples/dynamic-rule/detection_lib_meta.h,
6983 src/dynamic-examples/dynamic-rule/rules.c,
6984 src/dynamic-examples/dynamic-rule/sid109.c,
6985 src/dynamic-examples/dynamic-rule/sid637.c,
6986 src/dynamic-output/libs/output_lib.c,
6987 src/dynamic-output/plugins/output.h,
6988 src/dynamic-output/plugins/output_api.h,
6989 src/dynamic-output/plugins/output_base.c,
6990 src/dynamic-output/plugins/output_common.h,
6991 src/dynamic-output/plugins/output_lib.h,
6992 src/dynamic-output/plugins/output_plugin.c,
6993 src/dynamic-plugins/sf_convert_dynamic.h,
6994 src/dynamic-plugins/sf_dynamic_common.h,
6995 src/dynamic-plugins/sf_dynamic_define.h,
6996 src/dynamic-plugins/sf_dynamic_detection.h,
6997 src/dynamic-plugins/sf_dynamic_engine.h,
6998 src/dynamic-plugins/sf_dynamic_meta.h,
6999 src/dynamic-plugins/sp_dynamic.h,
7000 src/dynamic-plugins/sp_preprocopt.h,
7001 src/dynamic-plugins/sf_engine/bmh.c,
7002 src/dynamic-plugins/sf_engine/bmh.h,
7003 src/dynamic-plugins/sf_engine/sf_decompression.c,
7004 src/dynamic-plugins/sf_engine/sf_decompression.h,
7005 src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
7006 src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
7007 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
7008 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
7009 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
7010 src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
7011 src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
7012 src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
7013 src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
7014 src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
7015 src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c,
7016 src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c,
7017 src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h,
7018 src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c,
7019 src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h,
7020 src/dynamic-plugins/sf_preproc_example/sf_preproc_info.h,
7021 src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.c,
7022 src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.h,
7023 src/dynamic-preprocessors/dcerpc2/dce2_cl.c,
7024 src/dynamic-preprocessors/dcerpc2/dce2_cl.h,
7025 src/dynamic-preprocessors/dcerpc2/dce2_co.c,
7026 src/dynamic-preprocessors/dcerpc2/dce2_co.h,
7027 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
7028 src/dynamic-preprocessors/dcerpc2/dce2_config.h,
7029 src/dynamic-preprocessors/dcerpc2/dce2_debug.c,
7030 src/dynamic-preprocessors/dcerpc2/dce2_debug.h,
7031 src/dynamic-preprocessors/dcerpc2/dce2_event.c,
7032 src/dynamic-preprocessors/dcerpc2/dce2_event.h,
7033 src/dynamic-preprocessors/dcerpc2/dce2_http.c,
7034 src/dynamic-preprocessors/dcerpc2/dce2_http.h,
7035 src/dynamic-preprocessors/dcerpc2/dce2_list.c,
7036 src/dynamic-preprocessors/dcerpc2/dce2_list.h,
7037 src/dynamic-preprocessors/dcerpc2/dce2_memory.c,
7038 src/dynamic-preprocessors/dcerpc2/dce2_memory.h,
7039 src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
7040 src/dynamic-preprocessors/dcerpc2/dce2_paf.h,
7041 src/dynamic-preprocessors/dcerpc2/dce2_roptions.c,
7042 src/dynamic-preprocessors/dcerpc2/dce2_roptions.h,
7043 src/dynamic-preprocessors/dcerpc2/dce2_session.h,
7044 src/dynamic-preprocessors/dcerpc2/dce2_smb.h,
7045 src/dynamic-preprocessors/dcerpc2/dce2_stats.c,
7046 src/dynamic-preprocessors/dcerpc2/dce2_stats.h,
7047 src/dynamic-preprocessors/dcerpc2/dce2_tcp.c,
7048 src/dynamic-preprocessors/dcerpc2/dce2_tcp.h,
7049 src/dynamic-preprocessors/dcerpc2/dce2_udp.c,
7050 src/dynamic-preprocessors/dcerpc2/dce2_udp.h,
7051 src/dynamic-preprocessors/dcerpc2/dce2_utils.c,
7052 src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
7053 src/dynamic-preprocessors/dcerpc2/snort_dce2.h,
7054 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
7055 src/dynamic-preprocessors/dcerpc2/spp_dce2.h,
7056 src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h,
7057 src/dynamic-preprocessors/dcerpc2/includes/smb.h,
7058 src/dynamic-preprocessors/dnp3/dnp3_map.h,
7059 src/dynamic-preprocessors/dnp3/dnp3_paf.c,
7060 src/dynamic-preprocessors/dnp3/dnp3_paf.h,
7061 src/dynamic-preprocessors/dnp3/dnp3_reassembly.c,
7062 src/dynamic-preprocessors/dnp3/dnp3_reassembly.h,
7063 src/dynamic-preprocessors/dnp3/dnp3_roptions.c,
7064 src/dynamic-preprocessors/dnp3/dnp3_roptions.h,
7065 src/dynamic-preprocessors/dnp3/spp_dnp3.c,
7066 src/dynamic-preprocessors/dnp3/spp_dnp3.h,
7067 src/dynamic-preprocessors/dns/spp_dns.c,
7068 src/dynamic-preprocessors/dns/spp_dns.h,
7069 src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c,
7070 src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h,
7071 src/dynamic-preprocessors/ftptelnet/ftp_client.h,
7072 src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c,
7073 src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h,
7074 src/dynamic-preprocessors/ftptelnet/ftp_server.h,
7075 src/dynamic-preprocessors/ftptelnet/ftpp_eo.h,
7076 src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h,
7077 src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c,
7078 src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h,
7079 src/dynamic-preprocessors/ftptelnet/ftpp_include.h,
7080 src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h,
7081 src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
7082 src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
7083 src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c,
7084 src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h,
7085 src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c,
7086 src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h,
7087 src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c,
7088 src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h,
7089 src/dynamic-preprocessors/ftptelnet/ftpp_util_kmap.h,
7090 src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c,
7091 src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h,
7092 src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c,
7093 src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h,
7094 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
7095 src/dynamic-preprocessors/ftptelnet/pp_ftp.h,
7096 src/dynamic-preprocessors/ftptelnet/pp_telnet.c,
7097 src/dynamic-preprocessors/ftptelnet/pp_telnet.h,
7098 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
7099 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
7100 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
7101 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h,
7102 src/dynamic-preprocessors/gtp/gtp_config.c,
7103 src/dynamic-preprocessors/gtp/gtp_config.h,
7104 src/dynamic-preprocessors/gtp/gtp_debug.h,
7105 src/dynamic-preprocessors/gtp/gtp_parser.c,
7106 src/dynamic-preprocessors/gtp/gtp_parser.h,
7107 src/dynamic-preprocessors/gtp/gtp_roptions.c,
7108 src/dynamic-preprocessors/gtp/gtp_roptions.h,
7109 src/dynamic-preprocessors/gtp/spp_gtp.c,
7110 src/dynamic-preprocessors/gtp/spp_gtp.h,
7111 src/dynamic-preprocessors/imap/imap_config.c,
7112 src/dynamic-preprocessors/imap/imap_config.h,
7113 src/dynamic-preprocessors/imap/imap_log.c,
7114 src/dynamic-preprocessors/imap/imap_log.h,
7115 src/dynamic-preprocessors/imap/imap_util.c,
7116 src/dynamic-preprocessors/imap/imap_util.h,
7117 src/dynamic-preprocessors/imap/snort_imap.c,
7118 src/dynamic-preprocessors/imap/snort_imap.h,
7119 src/dynamic-preprocessors/imap/spp_imap.c,
7120 src/dynamic-preprocessors/imap/spp_imap.h,
7121 src/dynamic-preprocessors/isakmp/spp_isakmp.c,
7122 src/dynamic-preprocessors/isakmp/spp_isakmp.h,
7123 src/dynamic-preprocessors/libs/sf_preproc_info.h,
7124 src/dynamic-preprocessors/libs/sfcommon.h,
7125 src/dynamic-preprocessors/libs/sfparser.c,
7126 src/dynamic-preprocessors/libs/ssl.c,
7127 src/dynamic-preprocessors/libs/ssl.h,
7128 src/dynamic-preprocessors/modbus/modbus_decode.c,
7129 src/dynamic-preprocessors/modbus/modbus_decode.h,
7130 src/dynamic-preprocessors/modbus/modbus_paf.c,
7131 src/dynamic-preprocessors/modbus/modbus_paf.h,
7132 src/dynamic-preprocessors/modbus/modbus_roptions.c,
7133 src/dynamic-preprocessors/modbus/modbus_roptions.h,
7134 src/dynamic-preprocessors/modbus/spp_modbus.c,
7135 src/dynamic-preprocessors/modbus/spp_modbus.h,
7136 src/dynamic-preprocessors/pop/pop_config.c,
7137 src/dynamic-preprocessors/pop/pop_config.h,
7138 src/dynamic-preprocessors/pop/pop_log.c,
7139 src/dynamic-preprocessors/pop/pop_log.h,
7140 src/dynamic-preprocessors/pop/pop_util.c,
7141 src/dynamic-preprocessors/pop/pop_util.h,
7142 src/dynamic-preprocessors/pop/snort_pop.c,
7143 src/dynamic-preprocessors/pop/snort_pop.h,
7144 src/dynamic-preprocessors/pop/spp_pop.c,
7145 src/dynamic-preprocessors/pop/spp_pop.h,
7146 src/dynamic-preprocessors/reputation/reputation_config.h,
7147 src/dynamic-preprocessors/reputation/reputation_debug.h,
7148 src/dynamic-preprocessors/reputation/reputation_utils.c,
7149 src/dynamic-preprocessors/reputation/reputation_utils.h,
7150 src/dynamic-preprocessors/reputation/spp_reputation.c,
7151 src/dynamic-preprocessors/reputation/spp_reputation.h,
7152 src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c,
7153 src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h,
7154 src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
7155 src/dynamic-preprocessors/reputation/shmem/shmem_config.c,
7156 src/dynamic-preprocessors/reputation/shmem/shmem_config.h,
7157 src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
7158 src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
7159 src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
7160 src/dynamic-preprocessors/reputation/shmem/shmem_lib.h,
7161 src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
7162 src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
7163 src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c,
7164 src/dynamic-preprocessors/sdf/sdf_credit_card.c,
7165 src/dynamic-preprocessors/sdf/sdf_credit_card.h,
7166 src/dynamic-preprocessors/sdf/sdf_detection_option.c,
7167 src/dynamic-preprocessors/sdf/sdf_detection_option.h,
7168 src/dynamic-preprocessors/sdf/sdf_pattern_match.c,
7169 src/dynamic-preprocessors/sdf/sdf_pattern_match.h,
7170 src/dynamic-preprocessors/sdf/sdf_us_ssn.c,
7171 src/dynamic-preprocessors/sdf/sdf_us_ssn.h,
7172 src/dynamic-preprocessors/sdf/spp_sdf.h,
7173 src/dynamic-preprocessors/sip/sip_config.h,
7174 src/dynamic-preprocessors/sip/sip_debug.h,
7175 src/dynamic-preprocessors/sip/sip_dialog.c,
7176 src/dynamic-preprocessors/sip/sip_dialog.h,
7177 src/dynamic-preprocessors/sip/sip_parser.c,
7178 src/dynamic-preprocessors/sip/sip_parser.h,
7179 src/dynamic-preprocessors/sip/sip_roptions.h,
7180 src/dynamic-preprocessors/sip/sip_utils.c,
7181 src/dynamic-preprocessors/sip/sip_utils.h,
7182 src/dynamic-preprocessors/sip/spp_sip.c,
7183 src/dynamic-preprocessors/sip/spp_sip.h,
7184 src/dynamic-preprocessors/sip/test/sip_test.c,
7185 src/dynamic-preprocessors/smtp/smtp_config.c,
7186 src/dynamic-preprocessors/smtp/smtp_config.h,
7187 src/dynamic-preprocessors/smtp/smtp_log.c,
7188 src/dynamic-preprocessors/smtp/smtp_log.h,
7189 src/dynamic-preprocessors/smtp/smtp_normalize.c,
7190 src/dynamic-preprocessors/smtp/smtp_normalize.h,
7191 src/dynamic-preprocessors/smtp/smtp_util.c,
7192 src/dynamic-preprocessors/smtp/smtp_util.h,
7193 src/dynamic-preprocessors/smtp/smtp_xlink2state.c,
7194 src/dynamic-preprocessors/smtp/smtp_xlink2state.h,
7195 src/dynamic-preprocessors/smtp/snort_smtp.c,
7196 src/dynamic-preprocessors/smtp/snort_smtp.h,
7197 src/dynamic-preprocessors/smtp/spp_smtp.h,
7198 src/dynamic-preprocessors/ssh/spp_ssh.c,
7199 src/dynamic-preprocessors/ssh/spp_ssh.h,
7200 src/dynamic-preprocessors/ssl/spp_ssl.c,
7201 src/dynamic-preprocessors/ssl/spp_ssl.h,
7202 src/output-plugins/spo_alert_fast.c,
7203 src/output-plugins/spo_alert_fast.h,
7204 src/output-plugins/spo_alert_full.c,
7205 src/output-plugins/spo_alert_full.h,
7206 src/output-plugins/spo_alert_sf_socket.c,
7207 src/output-plugins/spo_alert_sf_socket.h,
7208 src/output-plugins/spo_alert_syslog.c,
7209 src/output-plugins/spo_alert_syslog.h,
7210 src/output-plugins/spo_alert_test.c,
7211 src/output-plugins/spo_alert_test.h,
7212 src/output-plugins/spo_alert_unixsock.h,
7213 src/output-plugins/spo_csv.c, src/output-plugins/spo_csv.h,
7214 src/output-plugins/spo_log_ascii.c,
7215 src/output-plugins/spo_log_ascii.h,
7216 src/output-plugins/spo_log_null.c,
7217 src/output-plugins/spo_log_null.h,
7218 src/output-plugins/spo_log_tcpdump.c,
7219 src/output-plugins/spo_log_tcpdump.h,
7220 src/output-plugins/spo_unified.c,
7221 src/output-plugins/spo_unified.h,
7222 src/output-plugins/spo_unified2.c,
7223 src/output-plugins/spo_unified2.h, src/parser/IpAddrSet.c,
7224 src/parser/IpAddrSet.h, src/preprocessors/normalize.c,
7225 src/preprocessors/normalize.h, src/preprocessors/perf-base.c,
7226 src/preprocessors/perf-base.h, src/preprocessors/perf-event.c,
7227 src/preprocessors/perf-event.h, src/preprocessors/perf-flow.c,
7228 src/preprocessors/perf-flow.h, src/preprocessors/perf.c,
7229 src/preprocessors/perf.h, src/preprocessors/portscan.c,
7230 src/preprocessors/portscan.h, src/preprocessors/sfprocpidstats.c,
7231 src/preprocessors/sfprocpidstats.h,
7232 src/preprocessors/snort_httpinspect.c,
7233 src/preprocessors/snort_httpinspect.h,
7234 src/preprocessors/spp_arpspoof.c,
7235 src/preprocessors/spp_arpspoof.h, src/preprocessors/spp_bo.c,
7236 src/preprocessors/spp_bo.h, src/preprocessors/spp_frag3.c,
7237 src/preprocessors/spp_frag3.h,
7238 src/preprocessors/spp_httpinspect.h,
7239 src/preprocessors/spp_normalize.c,
7240 src/preprocessors/spp_normalize.h,
7241 src/preprocessors/spp_perfmonitor.h,
7242 src/preprocessors/spp_rpc_decode.c,
7243 src/preprocessors/spp_rpc_decode.h,
7244 src/preprocessors/spp_sfportscan.c,
7245 src/preprocessors/spp_sfportscan.h,
7246 src/preprocessors/spp_stream5.c, src/preprocessors/spp_stream5.h,
7247 src/preprocessors/str_search.c, src/preprocessors/str_search.h,
7248 src/preprocessors/stream_api.c, src/preprocessors/stream_api.h,
7249 src/preprocessors/stream_expect.c,
7250 src/preprocessors/stream_expect.h,
7251 src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c,
7252 src/preprocessors/HttpInspect/client/hi_client_norm.c,
7253 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
7254 src/preprocessors/HttpInspect/include/hi_ad.h,
7255 src/preprocessors/HttpInspect/include/hi_client.h,
7256 src/preprocessors/HttpInspect/include/hi_client_norm.h,
7257 src/preprocessors/HttpInspect/include/hi_client_stateful.h,
7258 src/preprocessors/HttpInspect/include/hi_cmd_lookup.h,
7259 src/preprocessors/HttpInspect/include/hi_eo.h,
7260 src/preprocessors/HttpInspect/include/hi_eo_events.h,
7261 src/preprocessors/HttpInspect/include/hi_eo_log.h,
7262 src/preprocessors/HttpInspect/include/hi_include.h,
7263 src/preprocessors/HttpInspect/include/hi_mi.h,
7264 src/preprocessors/HttpInspect/include/hi_norm.h,
7265 src/preprocessors/HttpInspect/include/hi_paf.h,
7266 src/preprocessors/HttpInspect/include/hi_reqmethod_check.h,
7267 src/preprocessors/HttpInspect/include/hi_return_codes.h,
7268 src/preprocessors/HttpInspect/include/hi_server.h,
7269 src/preprocessors/HttpInspect/include/hi_server_norm.h,
7270 src/preprocessors/HttpInspect/include/hi_si.h,
7271 src/preprocessors/HttpInspect/include/hi_stateful_inspect.h,
7272 src/preprocessors/HttpInspect/include/hi_ui_config.h,
7273 src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h,
7274 src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h,
7275 src/preprocessors/HttpInspect/include/hi_uri.h,
7276 src/preprocessors/HttpInspect/include/hi_urilen_check.h,
7277 src/preprocessors/HttpInspect/include/hi_util.h,
7278 src/preprocessors/HttpInspect/include/hi_util_hbm.h,
7279 src/preprocessors/HttpInspect/include/hi_util_kmap.h,
7280 src/preprocessors/HttpInspect/include/hi_util_xmalloc.h,
7281 src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
7282 src/preprocessors/HttpInspect/normalization/hi_norm.c,
7283 src/preprocessors/HttpInspect/server/hi_server_norm.c,
7284 src/preprocessors/HttpInspect/session_inspection/hi_si.c,
7285 src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
7286 src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c,
7287 src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c,
7288 src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c,
7289 src/preprocessors/HttpInspect/utils/hi_paf.c,
7290 src/preprocessors/HttpInspect/utils/hi_util_hbm.c,
7291 src/preprocessors/HttpInspect/utils/hi_util_kmap.c,
7292 src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c,
7293 src/preprocessors/Stream5/snort_stream5_icmp.c,
7294 src/preprocessors/Stream5/snort_stream5_icmp.h,
7295 src/preprocessors/Stream5/snort_stream5_ip.c,
7296 src/preprocessors/Stream5/snort_stream5_ip.h,
7297 src/preprocessors/Stream5/snort_stream5_session.c,
7298 src/preprocessors/Stream5/snort_stream5_session.h,
7299 src/preprocessors/Stream5/snort_stream5_tcp.c,
7300 src/preprocessors/Stream5/snort_stream5_tcp.h,
7301 src/preprocessors/Stream5/snort_stream5_udp.c,
7302 src/preprocessors/Stream5/snort_stream5_udp.h,
7303 src/preprocessors/Stream5/stream5_common.c,
7304 src/preprocessors/Stream5/stream5_common.h,
7305 src/preprocessors/Stream5/stream5_paf.c,
7306 src/preprocessors/Stream5/stream5_paf.h,
7307 src/sfutil/Unified2_common.h, src/sfutil/acsmx.c,
7308 src/sfutil/acsmx.h, src/sfutil/acsmx2.h, src/sfutil/asn1.c,
7309 src/sfutil/asn1.h, src/sfutil/bitop.h, src/sfutil/bitop_funcs.h,
7310 src/sfutil/bnfa_search.h, src/sfutil/getopt.h,
7311 src/sfutil/intel-soft-cpm.c, src/sfutil/intel-soft-cpm.h,
7312 src/sfutil/ipobj.c, src/sfutil/ipobj.h, src/sfutil/mpse.c,
7313 src/sfutil/segment_mem.c, src/sfutil/segment_mem.h,
7314 src/sfutil/sfActionQueue.c, src/sfutil/sfActionQueue.h,
7315 src/sfutil/sfPolicy.c, src/sfutil/sfPolicy.h,
7316 src/sfutil/sfPolicyUserData.c, src/sfutil/sfPolicyUserData.h,
7317 src/sfutil/sf_base64decode.c, src/sfutil/sf_base64decode.h,
7318 src/sfutil/sf_email_attach_decode.c,
7319 src/sfutil/sf_email_attach_decode.h, src/sfutil/sf_ip.c,
7320 src/sfutil/sf_ip.h, src/sfutil/sf_iph.h, src/sfutil/sf_ipvar.c,
7321 src/sfutil/sf_ipvar.h, src/sfutil/sf_seqnums.h,
7322 src/sfutil/sf_textlog.c, src/sfutil/sf_textlog.h,
7323 src/sfutil/sf_vartable.c, src/sfutil/sf_vartable.h,
7324 src/sfutil/sfeventq.c, src/sfutil/sfeventq.h,
7325 src/sfutil/sfghash.c, src/sfutil/sfghash.h,
7326 src/sfutil/sfhashfcn.c, src/sfutil/sfhashfcn.h,
7327 src/sfutil/sfksearch.c, src/sfutil/sfksearch.h,
7328 src/sfutil/sflsq.c, src/sfutil/sflsq.h, src/sfutil/sfmemcap.c,
7329 src/sfutil/sfmemcap.h, src/sfutil/sfportobject.c,
7330 src/sfutil/sfportobject.h, src/sfutil/sfprimetable.c,
7331 src/sfutil/sfprimetable.h, src/sfutil/sfrf.c, src/sfutil/sfrf.h,
7332 src/sfutil/sfrim.c, src/sfutil/sfrt.c, src/sfutil/sfrt.h,
7333 src/sfutil/sfrt_dir.c, src/sfutil/sfrt_dir.h,
7334 src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h,
7335 src/sfutil/sfrt_flat_dir.c, src/sfutil/sfrt_flat_dir.h,
7336 src/sfutil/sfrt_lctrie.c, src/sfutil/sfrt_lctrie.h,
7337 src/sfutil/sfrt_trie.h, src/sfutil/sfsnprintfappend.c,
7338 src/sfutil/sfsnprintfappend.h, src/sfutil/sfthd.c,
7339 src/sfutil/sfthd.h, src/sfutil/sfxhash.c, src/sfutil/sfxhash.h,
7340 src/sfutil/strvec.c, src/sfutil/strvec.h,
7341 src/sfutil/util_jsnorm.c, src/sfutil/util_jsnorm.h,
7342 src/sfutil/util_math.c, src/sfutil/util_math.h,
7343 src/sfutil/util_net.c, src/sfutil/util_net.h,
7344 src/sfutil/util_str.c, src/sfutil/util_str.h,
7345 src/sfutil/util_unfold.c, src/sfutil/util_unfold.h,
7346 src/sfutil/util_utf.c, src/sfutil/util_utf.h,
7347 src/sfutil/test/sf_ip_test.c, src/sfutil/test/sfrf_test.c,
7348 src/sfutil/test/sfrt_test.c, src/sfutil/test/sfthd_test.c,
7349 src/sfutil/test/unit_hacks.c, src/sfutil/test/unit_hacks.h,
7350 src/target-based/sf_attribute_table.y,
7351 src/target-based/sftarget_hostentry.c,
7352 src/target-based/sftarget_hostentry.h,
7353 src/target-based/sftarget_protocol_reference.c,
7354 src/target-based/sftarget_protocol_reference.h,
7355 src/target-based/sftarget_reader.c,
7356 src/target-based/sftarget_reader.h,
7357 src/win32/WIN32-Code/getopt.c, src/win32/WIN32-Code/inet_aton.c,
7358 src/win32/WIN32-Code/misc.c, src/win32/WIN32-Code/name.h,
7359 src/win32/WIN32-Code/win32_service.c,
7360 src/win32/WIN32-Includes/config.h,
7361 src/win32/WIN32-Includes/getopt.h,
7362 src/win32/WIN32-Includes/inttypes.h,
7363 src/win32/WIN32-Includes/stdint.h,
7364 src/win32/WIN32-Includes/WinPCAP/pthread.h,
7365 src/win32/WIN32-Includes/WinPCAP/sched.h,
7366 src/win32/WIN32-Includes/WinPCAP/semaphore.h,
7367 tools/control/sfcontrol.c, tools/u2boat/u2boat.c,
7368 tools/u2boat/u2boat.h, tools/u2spewfoo/u2spewfoo.c:
7369 Updated the address of the Free Software Foundation.
7370
7371 * src/dynamic-preprocessors/dnp3/spp_dnp3.c:
7372 Check default config before dereferencing memcap.
7373
7374 * src/preprocessors/Stream5/snort_stream5_tcp.c:
7375 fix handling of gaps in PAF.
7376
7377 * src/dynamic-preprocessors/smtp/: smtp_util.c, snort_smtp.c,
7378 snort_smtp.h:
7379 get individual file names for multiple file attachments within
7380 one smtp packet
7381
7382 * src/dynamic-output/plugins/output_plugin.c:
7383 Don't change vlanId into network byte order in the dynamic output API.
7384
7385 * src/dynamic-preprocessors/imap/: snort_imap.c, snort_imap.h:
7386 Add a flag to indicate end of MIME to avoid incorrect data end marker
7387
7388 * src/sfutil/sf_email_attach_decode.h:
7389 change decode length calculation when file depth is larger than max int
7390
7391 * src/: preprocessors/HttpInspect/include/hi_paf.h,
7392 sfutil/sf_email_attach_decode.h,
7393 preprocessors/HttpInspect/utils/hi_paf.c:
7394 auto enable http ports when file policy is enabled
7395
7396 * src/sfutil/sfthd.c:
7397 Global thresholds can be disabled with count -1.
7398
7399 * src/sfutil/sfthd.c:
7400 allow gen_id 0 sig_id 0 and gen_id X sig_id 0 together
7401
7402 * src/: decode.h, preprocessors/snort_httpinspect.c:
7403 file data is only valid with PAF processing
7404
7405 * src/preprocessors/Stream5/snort_stream5_tcp.c:
7406 don't flag missing packets when PAF flushing to allow better recovery
7407 from gaps
7408
7409 * src/dynamic-preprocessors/: smtp/smtp_config.c,
7410 imap/imap_config.c, imap/spp_imap.c, pop/pop_config.c,
7411 pop/spp_pop.c:
7412 Enable file data configurations for preprocessors when file processing
7413 is enabled
7414
7415 * src/preprocessors/Stream5/snort_stream5_tcp.c:
7416 fixed check for hole in seglist while PAF scanning
7417
7418 * src/: snort.c, dynamic-examples/Makefile.am,
7419 dynamic-plugins/Makefile.am, dynamic-preprocessors/Makefile.am,
7420 dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
7421 preprocessors/spp_stream5.c, target-based/Makefile.am,
7422 target-based/sftarget_reader.c, target-based/sftarget_reader.h:
7423 Add an API call to add a service to a host in the attribute table.
7424 Remove the unused live attribute table code.
7425
7426 * doc/README.ppm, doc/snort_manual.tex, etc/gen-msg.map,
7427 preproc_rules/preprocessor.rules, src/detect.c, src/generators.h,
7428 src/parser.c, src/ppm.c, src/ppm.h:
7429 added 134:3 and IPs and ports to log messages for PPM packet events
7430
7431 * src/snort.c:
7432 force drop TCP/UDP now gets DAQ blacklist instead of DAQ block verdict
7433
7434 * doc/README.stream5, etc/gen-msg.map,
7435 preproc_rules/preprocessor.rules, src/generators.h,
7436 src/preprocessors/Stream5/snort_stream5_tcp.c:
7437 add 129:20 for midstream traffic we don't pick up.
7438
7439 * src/preprocessors/Stream5/snort_stream5_tcp.c:
7440 fix normalize_tcp to not block duplicate SYNs
7441
7442 * src/parser.c, src/snort.c, src/preprocessors/snort_httpinspect.c,
7443 src/preprocessors/snort_httpinspect.h, src/snort.h,
7444 src/dynamic-preprocessors/smtp/smtp_config.h,
7445 src/dynamic-preprocessors/smtp/snort_smtp.c,
7446 src/dynamic-preprocessors/imap/imap_config.h,
7447 src/dynamic-preprocessors/imap/snort_imap.c,
7448 src/dynamic-preprocessors/imap/spp_imap.c,
7449 src/dynamic-preprocessors/pop/pop_config.h,
7450 src/dynamic-preprocessors/pop/snort_pop.c,
7451 src/dynamic-preprocessors/pop/spp_pop.c,
7452 src/sfutil/sf_email_attach_decode.h,
7453 src/preprocessors/HttpInspect/include/hi_ui_config.h,
7454 configure.in, src/detection-plugins/sp_file_data.c:
7455 file_depth integration, openssl integration, reload configuration
7456
7457 * src/dynamic-preprocessors/: libs/ssl.c, libs/ssl.h,
7458 ssl/spp_ssl.c:
7459 Add SSLv3/TLS backwards compatibility with SSLv2 ClientHello in the
7460 ssl preprocessor.
7461
7462 * src/: preprocessors/snort_httpinspect.c,
7463 src/dynamic-preprocessors/: imap/snort_imap.c, pop/snort_pop.c,
7464 smtp/snort_smtp.c:
7465 add file type id support for HTTP post, smtp, imap, and pop
7466
7467 * src/: snort_debug.h, control/sfcontrol.c,
7468 preprocessors/Stream5/snort_stream5_tcp.c:
7469 Do not delete application session data on last ACK.
7470
7471 * src/output-plugins/spo_unified.c:
7472 Add deprecated warning for unified output plugin.
7473
7474 * src/decode.h:
7475 Add support for decoding PPP type 0x57 (IPv6) for PPPoE
7476
7477 * src/Makefile.am, src/generators.h, src/parser.c, src/parser.h,
7478 src/preprocids.h, src/snort.c, src/snort_debug.h, configure.in,
7479 src/dynamic-preprocessors/Makefile.am,
7480 src/preprocessors/snort_httpinspect.c,
7481 src/detection-plugins/sp_file_data.c,
7482 src/dynamic-examples/Makefile.am:
7483 add file type identification and file signature sha256 calculation
7484 for HTTP.
7485
7486 * src/: util.c, dynamic-preprocessors/dcerpc2/spp_dce2.c,
7487 dynamic-preprocessors/dnp3/spp_dnp3.c,
7488 dynamic-preprocessors/dns/spp_dns.c,
7489 dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
7490 dynamic-preprocessors/gtp/spp_gtp.c,
7491 dynamic-preprocessors/imap/spp_imap.c,
7492 dynamic-preprocessors/isakmp/spp_isakmp.c,
7493 dynamic-preprocessors/modbus/spp_modbus.c,
7494 dynamic-preprocessors/pop/spp_pop.c,
7495 dynamic-preprocessors/reputation/spp_reputation.c,
7496 dynamic-preprocessors/sip/spp_sip.c,
7497 dynamic-preprocessors/ssh/spp_ssh.c,
7498 dynamic-preprocessors/ssl/spp_ssl.c:
7499 Remove IPv6 tag from snort -V
7500
7501 * configure.in, doc/README.ipv6, doc/README.unified2,
7502 doc/README.variables, doc/snort_manual.tex, src/decode.h,
7503 src/detect.c, src/detect.h, src/encode.c, src/fpdetect.c,
7504 src/ipv6_port.h, src/log.c, src/log_text.c, src/parser.c,
7505 src/sf_protocols.h, src/snort.c, src/snort.h, src/tag.c,
7506 src/util.c, src/util.h, src/detection-plugins/sp_ftpbounce.c,
7507 src/detection-plugins/sp_icmp_id_check.c,
7508 src/detection-plugins/sp_icmp_seq_check.c,
7509 src/detection-plugins/sp_ip_same_check.c,
7510 src/detection-plugins/sp_session.c,
7511 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
7512 src/dynamic-preprocessors/dynamic_preprocessors.dsp,
7513 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
7514 src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
7515 src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
7516 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
7517 src/dynamic-preprocessors/dnp3/sf_dnp3.dsp,
7518 src/dynamic-preprocessors/dnp3/spp_dnp3.c,
7519 src/dynamic-preprocessors/dns/sf_dns.dsp,
7520 src/dynamic-preprocessors/dns/spp_dns.c,
7521 src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
7522 src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c,
7523 src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c,
7524 src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
7525 src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
7526 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
7527 src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
7528 src/dynamic-preprocessors/gtp/sf_gtp.dsp,
7529 src/dynamic-preprocessors/gtp/spp_gtp.c,
7530 src/dynamic-preprocessors/imap/sf_imap.dsp,
7531 src/dynamic-preprocessors/imap/spp_imap.c,
7532 src/dynamic-preprocessors/isakmp/spp_isakmp.c,
7533 src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp,
7534 src/dynamic-preprocessors/modbus/sf_modbus.dsp,
7535 src/dynamic-preprocessors/modbus/spp_modbus.c,
7536 src/dynamic-preprocessors/pop/sf_pop.dsp,
7537 src/dynamic-preprocessors/pop/spp_pop.c,
7538 src/dynamic-preprocessors/reputation/sf_reputation.dsp,
7539 src/dynamic-preprocessors/reputation/spp_reputation.c,
7540 src/dynamic-preprocessors/sdf/sf_sdf.dsp,
7541 src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
7542 src/dynamic-preprocessors/sip/sf_sip.dsp,
7543 src/dynamic-preprocessors/sip/sip_dialog.c,
7544 src/dynamic-preprocessors/sip/spp_sip.c,
7545 src/dynamic-preprocessors/smtp/sf_smtp.dsp,
7546 src/dynamic-preprocessors/ssh/sf_ssh.dsp,
7547 src/dynamic-preprocessors/ssh/spp_ssh.c,
7548 src/dynamic-preprocessors/ssl/sf_ssl.dsp,
7549 src/dynamic-preprocessors/ssl/spp_ssl.c,
7550 src/output-plugins/spo_alert_sf_socket.c,
7551 src/output-plugins/spo_log_ascii.c,
7552 src/output-plugins/spo_unified2.c, src/parser/IpAddrSet.c,
7553 src/parser/IpAddrSet.h, src/preprocessors/normalize.c,
7554 src/preprocessors/perf-base.c, src/preprocessors/perf-base.h,
7555 src/preprocessors/perf-flow.c, src/preprocessors/portscan.c,
7556 src/preprocessors/snort_httpinspect.c,
7557 src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_frag3.c,
7558 src/preprocessors/spp_normalize.c,
7559 src/preprocessors/spp_normalize.h,
7560 src/preprocessors/spp_sfportscan.c,
7561 src/preprocessors/spp_stream5.c,
7562 src/preprocessors/stream_expect.c,
7563 src/preprocessors/HttpInspect/session_inspection/hi_si.c,
7564 src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c,
7565 src/preprocessors/Stream5/snort_stream5_icmp.c,
7566 src/preprocessors/Stream5/snort_stream5_session.c,
7567 src/preprocessors/Stream5/snort_stream5_tcp.c,
7568 src/preprocessors/Stream5/snort_stream5_udp.c,
7569 src/preprocessors/Stream5/stream5_common.c,
7570 src/preprocessors/Stream5/stream5_common.h, src/sfutil/ipobj.c,
7571 src/sfutil/ipobj.h, src/sfutil/sfPolicy.c, src/sfutil/sf_ip.h,
7572 src/sfutil/sf_iph.h, src/sfutil/sf_ipvar.h, src/sfutil/sfrf.c,
7573 src/sfutil/sfrt.c, src/sfutil/sfrt.h, src/sfutil/sfrt_dir.c,
7574 src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h,
7575 src/sfutil/sfrt_flat_dir.c, src/sfutil/sfthd.c,
7576 src/sfutil/util_net.c, src/sfutil/util_net.h,
7577 src/sfutil/test/Makefile.am, src/sfutil/test/sfrf_test.c,
7578 src/sfutil/test/sfthd_test.c, src/sfutil/test/unit_hacks.c,
7579 src/sfutil/test/unit_hacks.h,
7580 src/target-based/sf_attribute_table.y,
7581 src/target-based/sftarget_reader.c,
7582 src/target-based/sftarget_reader.h,
7583 src/win32/WIN32-Prj/build_all.dsp,
7584 src/win32/WIN32-Prj/sf_engine.dsp,
7585 src/win32/WIN32-Prj/sf_engine_initialize.dsp,
7586 src/win32/WIN32-Prj/snort.dsp,
7587 src/win32/WIN32-Prj/snort_initialize.dsp,
7588 src/win32/WIN32-Prj/snort_installer.nsi:
7589 Remove IPv4 only code paths
7590
7591 2012-07-30 Hui Cao <hcao@sourcefire.com>
7592 Snort 2.9.3.1
7593 * src/build.h:
7594 Updated build number to 40
7595
7596 * src/sfutil/acsmx2.c:
7597 Release memory during return.
7598
7599 * src/dynamic-preprocessors/sip/sip_config.c:
7600 Free method struct when method->methodName is NULL.
7601
7602 * src/: detection-plugins/detection_options.c,
7603 detection-plugins/sp_byte_check.c,
7604 detection-plugins/sp_byte_extract.c,
7605 detection-plugins/sp_byte_jump.c, dynamic-plugins/sp_dynamic.c,
7606 dynamic-plugins/sp_preprocopt.c:
7607 Fix constant expression in hashing routines for 64bit platforms.
7608
7609 * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
7610 Fix Samba chained OpenAndX -> Write command handling.
7611
7612 * src/active.c:
7613 Check for TCP RST flag regardless of other flags to block resetting
7614 resets.
7615
7616 * src/: active.c, decode.c, detection-plugins/sp_pcre.c,
7617 dynamic-plugins/sf_convert_dynamic.c,
7618 dynamic-plugins/sf_dynamic_plugins.c,
7619 dynamic-plugins/sf_dynamic_preprocessor.h,
7620 dynamic-plugins/sp_dynamic.c,
7621 dynamic-preprocessors/dnp3/dnp3_map.c,
7622 dynamic-preprocessors/reputation/reputation_config.c,
7623 dynamic-preprocessors/sdf/spp_sdf.c,
7624 dynamic-preprocessors/sip/sip_config.c,
7625 dynamic-preprocessors/sip/sip_roptions.c,
7626 dynamic-preprocessors/smtp/spp_smtp.c,
7627 output-plugins/spo_alert_unixsock.c,
7628 preprocessors/spp_httpinspect.c, preprocessors/spp_perfmonitor.c,
7629 preprocessors/HttpInspect/client/hi_client.c,
7630 preprocessors/HttpInspect/server/hi_server.c,
7631 sfutil/bnfa_search.c, sfutil/sf_iph.c,
7632 target-based/sf_attribute_table_parser.l:
7633 Parse time memory cleanup
7634
7635 * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
7636 Fixed issue on big endian systems where behaviour was incorrect.
7637
7638 2012-07-10 Todd Wease <twease@sourcefire.com>
7639 Snort 2.9.3
7640
7641 * src/build.h:
7642 Updated build number to 37
7643
7644 * src/preprocessors/HttpInspect/server/hi_server.c:
7645 When paf is turned on, the flow depth on raw packets should be checking
7646 if max_seq was set.
7647
7648 * src/preprocessors/HttpInspect/client/hi_client.c:
7649 Rearranged check in hi_client_extract_header() to stop processing when
7650 there is no more data.
7651
7652 * src/dynamic-preprocessors/smtp/: smtp_util.c, snort_smtp.c:
7653 Clear flags for filename logging if there are no ending quotes for MIME
7654 attachment filename. Thanks to Rick Chisholm for helping us track down
7655 the issue.
7656
7657 * doc/CREDITS:
7658 Update rmkml's email address.
7659
7660 * src/preprocessors/: snort_httpinspect.h, HttpInspect/server/hi_server.c:
7661 Fix application of flow_depth for transfers of files over 2GB.
7662
7663 2012-06-06 Russ Combs <rcombs@sourcefire.com>
7664 Snort 2.9.3 RC
7665
7666 * src/build.h: updating build number to 33
7667
7668 * src/: checksum.h, decode.c, encode.c:
7669
7670 Dropped dnets checksumming functionality.
7671
7672 * src/: decode.h, encode.c,
7673 dynamic-plugins/sf_engine/sf_snort_packet.h:
7674
7675 Remove unused policyEngineData.
7676
7677 * src/preprocessors/: Stream5/snort_stream5_tcp.c,
7678 HttpInspect/utils/hi_paf.c:
7679
7680 Need to check for NULL since a timeout can release proto specific
7681 data.
7682
7683 Fix mid-stream pickup sequence tracking.
7684
7685 * src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h,
7686 HttpInspect/server/hi_server.c:
7687
7688 Apply server flow depth to session when PAF is turned on.
7689
7690 * src/preprocessors/Stream5/: snort_stream5_session.c,
7691 stream5_common.h:
7692
7693 Change SessionKey to a SessionKey pointer.
7694
7695 * src/dynamic-output/plugins/: output_lib.h, output_plugin.c:
7696
7697 Add dynamic output API for DAQ interface mode.
7698
7699 * src/: dynamic-output/plugins/output_base.c, plugbase.c,
7700 spo_plugbase.h:
7701
7702 Remove older output plugin when new one is available.
7703
7704 * src/dynamic-plugins/: sf_dynamic_plugins.c,
7705 sf_engine/sf_snort_detection_engine.c:
7706
7707 Force exact versioning match of running dynamic engine and dynamic
7708 engine used to build SO rules.
7709
7710 * src/: sfdaq.c, sfdaq.h, dynamic-plugins/sf_dynamic_plugins.c,
7711 dynamic-plugins/sf_dynamic_preprocessor.h:
7712
7713 Add API for checking whether DAQ can whitelist.
7714
7715 * src/: parser.c, parser.h, snort.c:
7716
7717 Added config disable-attribute-reload-thread to snort.conf.
7718
7719 Snort now provides snort.conf(line #) on errors during parsing.
7720
7721 * src/: parser.c, detection-plugins/sp_pattern_match.c,
7722 detection-plugins/sp_pattern_match.h:
7723
7724 Warn users when rules contain relative options off of
7725 fast_pattern:only content matches.
7726
7727 * src/dynamic-preprocessors/sdf/spp_sdf.c:
7728
7729 SDF now only looks at rebuilt packets.
7730
7731 * src/control/sfcontrol.c,
7732 src/dynamic-preprocessors/reputation/reputation_config.c,
7733 src/dynamic-preprocessors/reputation/reputation_config.h,
7734 src/dynamic-preprocessors/reputation/spp_reputation.c,
7735 src/dynamic-preprocessors/reputation/spp_reputation.h,
7736 src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
7737 src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
7738 tools/control/sfcontrol.c:
7739
7740 Add ability to query reputation pp with control socket.
7741
7742 User can now query reputation pp for routing table and management
7743 information.
7744
7745 Fixed bug to prevent IP Reputation from trying to allocate too much
7746 memory.
7747
7748 * doc/: Makefile.am, README.unified2, snort_manual.tex:
7749
7750 Add README.unified2 to Makefile.am.
7751
7752 Add documentation for unified2 file format.
7753
7754 Add smb_fingerprint_policy documentation to snort manual.
7755
7756 * src/preprocessors/Stream5/stream5_paf.c:
7757
7758 Ensure PAF is configured on reload the same as it was on restart.
7759
7760 * src/preprocessors/spp_stream5.c:
7761
7762 Fix stream5 issue on reload where it wasn't validating or registering
7763 preprocessor function when new policy is added.
7764
7765 * configure.in, doc/INSTALL, doc/README.decoder_preproc_rules,
7766 doc/snort_manual.pdf, doc/snort_manual.tex, etc/snort.conf,
7767 rpm/snort.spec, src/event_queue.c, src/event_queue.h,
7768 src/event_wrapper.c, src/fpcreate.c, src/fpcreate.h,
7769 src/fpdetect.c, src/fpdetect.h, src/parser.c, src/parser.h,
7770 src/ppm.c, src/signature.h, src/snort.h,
7771 src/detection-plugins/detection_options.c,
7772 src/detection-plugins/detection_options.h,
7773 src/preprocessors/spp_frag3.c, src/sfutil/sfeventq.c,
7774 src/sfutil/sfeventq.h, src/win32/WIN32-Prj/snort.dsp:
7775
7776 Removed --enable-decoder-preprocessor-rules configure option and
7777 hardened preprocessor and decoder rule event code. To enable old
7778 behavior such that specific preprocessor and decoder rules don't
7779 have to be explicitly added to snort.conf, add "config
7780 autogenerate_preprocessor_decoder_rules" to your snort.conf.
7781
7782 * src/: profiler.h, dynamic-output/plugins/output_lib.h,
7783 dynamic-plugins/sf_dynamic_preprocessor.h, sfutil/sfPolicy.h,
7784 sfutil/sf_ip.h:
7785
7786 Added a function, sfip_fast_equals_raw, that does the minimum needed
7787 to determine if 2 IPs are equal. Added profiler macros that allow for
7788 unique variable names. Moved GetPolicyFunc definition to sfPolicy.h.
7789
7790 * src/: snort.c, detection-plugins/sp_flowbits.c,
7791 detection-plugins/sp_flowbits.h, dynamic-plugins/sp_dynamic.c:
7792
7793 Fix flowbit group toggle.
7794
7795 Fix issue with SO rules that reuse a flowbits structure when all
7796 stubs aren't enabled.
7797
7798 * src/dynamic-preprocessors/smtp/: smtp_config.c, snort_smtp.c,
7799 snort_smtp.h, spp_smtp.c:
7800
7801 SMTP PP now only allocates its mempools 1 time.
7802
7803 Fix build on legacy systems that don't support c99 declarations.
7804
7805 Fix memory leak on reload.
7806
7807 * src/: detect.c, ppm.c:
7808
7809 Fix PPM when PPM rules are dynamically generated and there are
7810 multiple policies.
7811
7812 2012-04-26 Russ Combs <rcombs@sourcefire.com>
7813 Snort 2.9.3 Beta
7814
7815 * src/build.h:
7816
7817 Updating build number to 22.
7818
7819 * src/: snort.c, control/sfcontrol.c:
7820
7821 Stop daq before tearing down control socket and freeing idle
7822 processors.
7823
7824 * src/control/sfcontrol.c, src/control/sfcontrol.h,
7825 tools/control/sfcontrol.c:
7826
7827 - Return the correct codes with responses.
7828 - Use macros to define the codes.
7829 - Update the client to receive multiple status (0x0009) messages
7830 followed by a success or error message.
7831
7832 * doc/snort_manual.tex,
7833 src/preprocessors/Stream5/snort_stream5_session.c,
7834 src/preprocessors/Stream5/stream5_common.h,
7835 src/preprocessors/spp_stream5.c,
7836 src/detection-plugins/sp_flowbits.c,
7837 src/detection-plugins/sp_flowbits.h, src/parser.c, src/snort.h:
7838
7839 - Flowbits can belong to multiple groups.
7840 - Restrict the syntax of flowbit name and group names to alphanumeric
7841 string including periods, dashes, and underscores.
7842 - Changed the maximal flowbit size to be 2048.
7843 - Changes the error syntax when maximum number of flowbit ID
7844 exceeds allowed value.
7845 - Thanks to Cees <celzinga@gmail.com> for providing information about
7846 the size bug.
7847
7848 * src/: preprocessors/spp_stream5.c, preprocessors/stream_api.h,
7849 dynamic-preprocessors/sip/sip_dialog.c:
7850
7851 Ignore sessions already started through updated stream API.
7852
7853 * src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h,
7854 src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h,
7855 tools/u2spewfoo/u2spewfoo.c:
7856
7857 - Remove *_NG logging from Unified2.
7858 - Snort unified2 doesn't log to *_NG formats anymore.
7859
7860 * src/tag.c:
7861
7862 Fix compiler warning on FreeBSD in mis-matched format string.
7863
7864 * src/preprocessors/spp_arpspoof.c:
7865
7866 - Fix handling when arpspoof_detect_host was set without arpspoof.
7867 - Fix compiler warnings on FreeBSD by utilizing modern ip6 code.
7868 - Verify snort works correctly, and doesn't cause warnings on
7869 FreeBSD.
7870
7871 * src/: detection-plugins/Makefile.am,
7872 dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
7873
7874 Remove unnecessary cruft.
7875
7876 * src/output-plugins/spo_alert_unixsock.c:
7877
7878 Don't rely on UNIX_PATH_MAX value being 108.
7879
7880 * src/: active.c, encode.c, encode.h:
7881
7882 Force drop/resets resulting in ICMP unreachables will have the
7883 code for administratively prohibited while ips ICMP unreachables
7884 remain port unreachable.
7885
7886 * src/dynamic-output/: dynamic_output.dsp Makefile.am,
7887 src/dynamic-output/libs: Makefile.am output_lib.c snort_output.pc.in,
7888 src/dynamic-output/plugins: Makefile.am output_api.h output_base.c,
7889 output_common.h output.h output_lib.h output_plugin.c
7890
7891 Added dynamic output plugin support.
7892
7893 * configure.in, snort.8, contrib/Makefile.am, contrib/README,
7894 contrib/create_mssql, contrib/create_mysql,
7895 contrib/create_oracle.sql, contrib/create_postgresql,
7896 contrib/mysql.php3, contrib/pgsql.php3, contrib/snortdb-extra.gz,
7897 doc/INSTALL, doc/Makefile.am, doc/README.ARUBA,
7898 doc/README.database, doc/faq.tex, doc/snort_manual.tex,
7899 etc/snort.conf, m4/Makefile.am, m4/libprelude.m4, rpm/snort.spec,
7900 src/plugbase.c, src/snort.c, src/snort.h,
7901 src/output-plugins/Makefile.am,
7902 src/plugins/output_base.c, plugins/output_lib.h,
7903 src/plugins/output_plugin.c,
7904 src/output-plugins/spo_alert_arubaaction.c,
7905 src/output-plugins/spo_alert_arubaaction.h,
7906 src/output-plugins/spo_alert_prelude.c,
7907 src/output-plugins/spo_alert_prelude.h,
7908 src/output-plugins/spo_database.c,
7909 src/output-plugins/spo_database.h,
7910 src/win32/Makefile.am,
7911 src/win32/WIN32-Prj/snort_installer.nsi,
7912 win32/WIN32-Prj/snort.dsp, win32/WIN32-Prj/snort.dsw:
7913 win32/WIN32-Prj/snort_installer.nsi,
7914 win32/WIN32-Prj/snort_installer_options.ini:
7915
7916 Remove deprecated output plugins aruba, prelude, mysql, oracle and
7917 mssql from Snort.
7918
7919 * src/detection-plugins/sp_flowbits.c,
7920 src/detection-plugins/sp_flowbits.h,
7921 src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
7922 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
7923 src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
7924 src/snort_debug.h, src/dynamic-plugins/sf_convert_dynamic.c,
7925 src/dynamic-plugins/sf_dynamic_engine.h,
7926 src/dynamic-plugins/sp_dynamic.c,
7927 src/dynamic-plugins/sp_dynamic.h, doc/README.flowbits,
7928 doc/snort_manual.tex, doc/snort_manual.pdf:
7929
7930 Flowbit OR feature. Fixed the so_rules check issue and also the so stub
7931 file generated.
7932
7933 * doc/README.SMTP, doc/README.imap, doc/README.pop,
7934 doc/snort_manual.tex, etc/gen-msg.map,
7935 src/dynamic-preprocessors/imap/imap_config.c,
7936 src/dynamic-preprocessors/imap/imap_log.h,
7937 src/dynamic-preprocessors/imap/imap_util.c,
7938 src/dynamic-preprocessors/imap/imap_util.h,
7939 src/dynamic-preprocessors/imap/snort_imap.c,
7940 src/dynamic-preprocessors/pop/pop_config.c,
7941 src/dynamic-preprocessors/pop/pop_log.h,
7942 src/dynamic-preprocessors/pop/pop_util.c,
7943 src/dynamic-preprocessors/pop/pop_util.h,
7944 src/dynamic-preprocessors/pop/snort_pop.c,
7945 src/dynamic-preprocessors/smtp/smtp_config.c,
7946 src/dynamic-preprocessors/smtp/smtp_log.h,
7947 src/dynamic-preprocessors/smtp/smtp_util.c,
7948 src/dynamic-preprocessors/smtp/smtp_util.h,
7949 src/dynamic-preprocessors/smtp/snort_smtp.c,
7950 src/dynamic-preprocessors/smtp/spp_smtp.c:
7951
7952 - SMTP/IMAP/POP will now extract non-encoded attachments when
7953 content-type MIME headers are present.
7954 - SMTP will not decode when ignore_data is present.
7955 - Content-Transfer-Encoding should take precedence over
7956 Content-Type.
7957 - Content-type should first check if boundary in non MIME header
7958 state.
7959 - Fix SMTP stat msg.
7960
7961 * doc/README.http_inspect, doc/faq.pdf, doc/snort_manual.pdf,
7962 doc/snort_manual.tex, src/preprocessors/snort_httpinspect.c,
7963 src/preprocessors/snort_httpinspect.h,
7964 src/preprocessors/spp_httpinspect.c,
7965 src/preprocessors/HttpInspect/server/hi_server.c:
7966
7967 Update http_inspect decompression to not allocate compress/decompress
7968 buffers per session.
7969
7970 * src/preprocessors/HttpInspect/normalization/hi_norm.c:
7971
7972 - Fix the handling of % encoded ?. HI no longer treats % encoded
7973 ? as start of query string.
7974
7975 * src/preprocessors/HttpInspect/: include/hi_paf.h, utils/hi_paf.c:
7976
7977 Provide access method for HI main to handle simple responses.
7978
7979 * src/preprocessors/HttpInspect/: server/hi_server.c,
7980 client/hi_client.c:
7981
7982 - Fix extraction of Transfer-Encoding header.
7983 - Handle chunk extensions when de-chunking.
7984 - Fix handling of packets beyond flow depth when PAF is turned on.
7985 - Add code to handle simple responses and not generate false
7986 positive.
7987
7988 * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
7989
7990 Frag related fixes:
7991
7992 - Check ip6 extension order on frags, including inner on first frag.
7993 - Added 116:458 for no offset and no more.
7994 - Added 116:459 for frag w/o data.
7995
7996 * src/: decode.c, decode.h:
7997
7998 - Properly decode pflog version 4.
7999 - Salutations to Ryan McBride for the pflog v4 patch.
8000
8001 * src/dynamic-preprocessors/sip/sip_parser.c:
8002
8003 Add compact form support of VIA header to SIP.
8004
8005 * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
8006
8007 Don't presume 3 bytes of junk in a telnet stream is encryption
8008 unless midstream pickup.
8009
8010 * src/: fpdetect.c, pcrm.c, pcrm.h:
8011
8012 Process any->any rules even when a service matches in the attribute
8013 table
8014
8015 * src/preprocessors/spp_frag3.c:
8016
8017 - Drop bad fragments BEFORE inserting them into tracker.
8018 - Ensure that all fragments are dropped in inline mode when the
8019 first fragment is bad.
8020
8021 * src/target-based/sftarget_reader_live.c:
8022
8023 - Initialize the value of ret and fix some obscure formatting.
8024 - Thanks to William Parker for notifying us.
8025
8026 * src/: debug.c, snort.c:
8027
8028 Fix placement of int error to avoid warning.
8029
8030 * doc/README.dcerpc2, doc/faq.pdf, doc/snort_manual.pdf,
8031 doc/snort_manual.tex, etc/gen-msg.map,
8032 preproc_rules/preprocessor.rules, src/generators.h,
8033 src/dynamic-preprocessors/Makefile.am,
8034 src/dynamic-preprocessors/dcerpc2/dce2_cl.c,
8035 src/dynamic-preprocessors/dcerpc2/dce2_co.c,
8036 src/dynamic-preprocessors/dcerpc2/dce2_co.h,
8037 src/dynamic-preprocessors/dcerpc2/dce2_config.c,
8038 src/dynamic-preprocessors/dcerpc2/dce2_config.h,
8039 src/dynamic-preprocessors/dcerpc2/dce2_debug.h,
8040 src/dynamic-preprocessors/dcerpc2/dce2_event.c,
8041 src/dynamic-preprocessors/dcerpc2/dce2_event.h,
8042 src/dynamic-preprocessors/dcerpc2/dce2_http.c,
8043 src/dynamic-preprocessors/dcerpc2/dce2_list.c,
8044 src/dynamic-preprocessors/dcerpc2/dce2_list.h,
8045 src/dynamic-preprocessors/dcerpc2/dce2_memory.c,
8046 src/dynamic-preprocessors/dcerpc2/dce2_memory.h,
8047 src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
8048 src/dynamic-preprocessors/dcerpc2/dce2_roptions.c,
8049 src/dynamic-preprocessors/dcerpc2/dce2_session.h,
8050 src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
8051 src/dynamic-preprocessors/dcerpc2/dce2_smb.h,
8052 src/dynamic-preprocessors/dcerpc2/dce2_stats.h,
8053 src/dynamic-preprocessors/dcerpc2/dce2_tcp.c,
8054 src/dynamic-preprocessors/dcerpc2/dce2_tcp.h,
8055 src/dynamic-preprocessors/dcerpc2/dce2_udp.c,
8056 src/dynamic-preprocessors/dcerpc2/dce2_utils.c,
8057 src/dynamic-preprocessors/dcerpc2/dce2_utils.h,
8058 src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
8059 src/dynamic-preprocessors/dcerpc2/snort_dce2.h,
8060 src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
8061 src/dynamic-preprocessors/dcerpc2/spp_dce2.h,
8062 src/dynamic-preprocessors/dcerpc2/includes/smb.h,
8063 src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
8064 src/sfutil/Makefile.am, src/sfutil/sf_seqnums.h,
8065 src/win32/WIN32-Prj/snort.dsp:
8066
8067 Update SMB request/response handling to handle server to client
8068 evasions where SMB header values aren't echoed in response.
8069
8070 - Add support for SMB_COM_WRITE_ANDX "raw" mode.
8071 - Add support for additional commands for opening, reading from and
8072 writing to SMB named pipes
8073 - Update handling of SMB_COM_WRITE_RAW.
8074 - Add global configuration option for determining Windows/Samba policy
8075 on a per session basis and new preprocessor events.
8076 - Add tracking of named pipe state - byte or message mode.
8077 - Update SMB_COM_TRANSACTION handling to better support out of order
8078 displacements and parameters.
8079 - Updates to SMB ByteCount, data offset and data length handling.
8080 - Update for Transaction error, where Samba throws out transaction
8081 on error and correct data offset passed in to function.
8082 - Don't set dcerpc2 rule options and stop processing dcerpc data
8083 when server response indicates encrypted packet privacy.
8084 - Fix dcerpc2 PAF when target based is enabled to not abort if
8085 protocol undefined.
8086 - Added processing of chained SMB_COM_WRITE_ANDXs for Samba policies.
8087
8088 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8089
8090 - Correctly log TCP segments to unified2 when there are multiple alerts on
8091 the same reassembled packet.
8092 - Purge after flush at session shutdown to avoid reprocessing it when the
8093 cache is freed causing strange dce2 alerts.
8094
8095 * configure.in:
8096
8097 If pkg-config macros do not exist then configure script would be
8098 invalid. If it does not exist define a macro that does nothing and
8099 continue.
8100
8101 * configure.in, src/debug.c, src/decode.c, src/log.c, src/parser.c,
8102 src/snort_debug.h, src/util.c,
8103 src/dynamic-preprocessors/dnp3/spp_dnp3.c,
8104 src/dynamic-preprocessors/libs/ssl.c,
8105 src/dynamic-preprocessors/modbus/spp_modbus.c,
8106 src/sfutil/sf_ip.c,
8107 src/sfutil/sf_ip.h, tools/u2boat/u2boat.c,
8108 tools/u2spewfoo/u2spewfoo.c:
8109
8110 Fix compilation warnings.
8111
8112 * src/snort.c:
8113
8114 Check return of DAQ_Acquire in failopen thread see description.
8115
8116 * src/dynamic-preprocessors/reputation/shmem/: shmem_config.h,
8117 shmem_mgmt.c, shmem_mgmt.h,
8118 src/sfutil/sfrt_flat_dir.c:
8119
8120 - Disable timeout for shared memory readers.
8121 - Readers and writer update their own active flags.
8122 - Update the entry value along with length update.
8123
8124 * src/Makefile.am, src/decode.h, src/parser.c, src/parser.h,
8125 src/snort.c, src/snort.h,
8126 src/dynamic-preprocessors/reputation/reputation_config.c,
8127 src/dynamic-preprocessors/reputation/reputation_config.h,
8128 src/dynamic-preprocessors/reputation/spp_reputation.c,
8129 src/dynamic-preprocessors/reputation/spp_reputation.h,
8130 src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
8131 src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
8132 src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
8133 src/dynamic-output/libs/Makefile.am,
8134 src/dynamic-output/libs/output_lib.c, configure.in,
8135 src/sfutil/sfrt.h, src/sfutil/sfrt_flat.c,
8136 src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c,
8137 src/sfutil/sfrt_flat_dir.h,
8138 src/dynamic-plugins/sf_dynamic_plugins.c,
8139 src/dynamic-plugins/sf_dynamic_preprocessor.h,
8140 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
8141 doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
8142
8143 - Reputation preprocessor updates to support zones and handle
8144 ingress/egress groups and zone zero.
8145 - Enforce default policy for reputation preprocessor.
8146 - Check for NULL when servicing the shared memory.
8147 - Update documents for white action configuration, manifest file
8148 for reputation Preprocessor.
8149
8150 * rpm/snort.spec:
8151
8152 Remove all of the dead cruft from snort.spec.
8153
8154 * src/parser.c:
8155
8156 Fix a parsing memory leak scenario by freeing the tokens on failure.
8157
8158 * preproc_rules/decoder.rules:
8159
8160 Update decoder rules to have more accurate names. Same alert,
8161 new name.
8162
8163 * src/output-plugins/spo_unified2.c:
8164
8165 Set would drop when interface not inline.
8166
8167 * src/: dynamic-preprocessors/imap/snort_imap.c,
8168 dynamic-preprocessors/pop/snort_pop.c,
8169 dynamic-preprocessors/smtp/snort_smtp.c,
8170 sfutil/sf_email_attach_decode.c, sfutil/sf_email_attach_decode.h,
8171 doc/: README.SMTP, README.imap, README.pop, snort_manual.tex:
8172
8173 SMTP/POP/IMAP decoding changes:
8174
8175 - Change the memory allocation for decoding. Allocate only when we see
8176 attachments. Do not allocate at the beginning of the session.
8177 - Apply the decoding depths to attachments instead of all attachments in
8178 a session.
8179 - Alert when decoding fails and not when decoding depths are exceeded.
8180 - Reset decode bytes read only after processing the entire attachment.
8181 Attachments can span multiple packets.
8182
8183 2012-3-17 Steven Sturges <ssturges@sourcefire.com>
8184 Snort 2.9.2.2
8185 * src/build.h:
8186 Updated to build 121.
8187
8188 * src/preprocessors/HttpInspect/normalization/hi_norm.c:
8189 Fix HTTP URI normalization when URI has more than 2k slashes.
8190
8191 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8192 Fixed split fin-ack tracking and flush/free app data on reset
8193 when listener is in fin-wait-1, fin-wait-2, or closing state.
8194
8195 * src/: encode.c, encode.h, snort.c, snort.h,
8196 Fix generation of response packets on fragmented IPv6 packet
8197 by using the frag reassembled packet to encode.
8198
8199 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8200 Fix logical byte count and remove unreachable code
8201
8202 * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
8203 Update to handle IPv6 traffic for processing of IP header
8204 options within .so rules.
8205
8206 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8207 Expand slam threshold to <= 4 and fix for non-reassembled
8208 sessions.
8209
8210 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8211 Check seq within window relative to window base.
8212
8213 * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
8214 Fix flow flags for single segment PDUs from PAF.
8215
8216 * doc/: faq.pdf, faq.tex, snort_manual.pdf, snort_manual.tex:
8217 Remove references to deprecated servers.
8218
8219 * src/dynamic-preprocessors/sip/sip_parser.c:
8220 Unknown method alert is generated only after verifying the
8221 packet is SIP. Don't generate alerts for a. multiple SIP
8222 messages within one UDP packet (140:17) and b. mismatched
8223 content length (140:18) simultaneously.
8224
8225 * doc/: INSTALL, snort_manual.pdf, snort_manual.tex:
8226 Updates to the manual to fix formatting, clarify detection_filter,
8227 and remove obsolete configure options. Thanks to Larry Hughes,
8228 Eoin Miller, Beenph and Joshua Kinard for reading it!
8229
8230 * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
8231 src/dynamic-preprocessors/sip/sip_config.c,
8232 src/dynamic-preprocessors/sip/sip_config.h,
8233 src/dynamic-preprocessors/sip/sip_dialog.c,
8234 src/dynamic-preprocessors/sip/sip_dialog.h,
8235 src/dynamic-preprocessors/sip/spp_sip.c,
8236 src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
8237 Limit number of dialogs within a stream session. Thanks
8238 to Filip Valder for providing the information.
8239
8240 * src/active.c:
8241 Allow repeated responses to non-TCP/UDP traffic.
8242
8243 * src/: sfdaq.c, sfdaq.h, output-plugins/spo_unified2.c:
8244 Correctly log blocked flag in unified2 events when an interface
8245 is passive.
8246
8247 * doc/: README.filters, snort_manual.pdf, snort_manual.tex:
8248 Update README & manual to document -1 as acceptable value for
8249 event_filter.
8250
8251 * src/: snort.c:
8252 Add stats output to dirty pig shutdown.
8253
8254 * src/: preprocessors/Stream5/stream5_common.c:
8255 Update initialization for stream_ip.
8256
8257 * doc/snort_manual.pdf, src/byte_extract.c, src/util.h,
8258 src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
8259 Make byte extraction of strings only allow for positive values.
8260
8261 * src/preprocessors/HttpInspect/client/hi_client.c:
8262 Check for paf_max before marking a packet as request body.
8263
8264 * doc/: README.SMTP, snort_manual.pdf, snort_manual.tex,
8265 preproc_rules/preprocessor.rules, src/generators.h,
8266 src/dynamic-preprocessors/smtp/smtp_config.h,
8267 src/dynamic-preprocessors/smtp/smtp_util.c,
8268 src/dynamic-preprocessors/smtp/snort_smtp.c,
8269 src/dynamic-preprocessors/smtp/spp_smtp.c:
8270 Added SMTP preproc shutdown stats. Remove the decoding memcap
8271 exceeded alert and displaying this info instead.
8272
8273 * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c,
8274 spp_ftptelnet.c:
8275 Update parsing for ftptelnet config.
8276
8277 * src/dynamic-preprocessors/modbus/spp_modbus.c:
8278 Update to free the modbus session data.
8279
8280 * src/: snort_bounds.h,
8281 preprocessors/HttpInspect/server/hi_server_norm.c:
8282 Update javascript normalization to call a safeboundsmemmove
8283 function when the src and dst buffers overlap.
8284
8285 * src/preprocessors/HttpInspect/client/hi_client.c:
8286 Change the code to not look for POST data (while parsing method)
8287 when PAF is enabled and process request packets when the
8288 method is undefined.
8289
8290 * src/dynamic-preprocessors/pop/: snort_pop.c, snort_pop.h:
8291 Decode data following +OK response without the octets string.
8292
8293 * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
8294 Made macro in dcerpc2 preprocessor used for progressing through
8295 data more robust.
8296
8297 * src/preprocessors/: snort_httpinspect.h,
8298 HttpInspect/client/hi_client.c, HttpInspect/server/hi_server.c:
8299 Eliminate false positives (no content-length or transfer-encoding)
8300 when chunk size spans across multiple packets. Thanks to Daniel
8301 Dallmann for reporting the issue.
8302
8303 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8304 Update handling of retransmitted segments overlapping the
8305 window on the left
8306
8307 * src/preprocessors/HttpInspect/server/hi_server.c:
8308 Set the file_data to the raw HTTP response body (de-chunked/
8309 normalized) when decompression fails due to false GZIP headers.
8310 Set the inspect_body flag after resetting the decompress_data
8311 flag to allow extraction of HTTP response body across packets
8312 when decompression fails entirely. Thanks to Eoin Miller for
8313 reporting this issue.
8314
8315 * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex,
8316 src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h:
8317 Remove the Max on the gzip memcap. Thanks to Eoin Miller for
8318 the request.
8319
8320 * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_paf.c,
8321 dce2_session.h, dce2_smb.c, dce2_smb.h, snort_dce2.c,
8322 snort_dce2.h:
8323 State tracking improvements to SMB processing in the dcerpc2
8324 preprocessor when missing packets on a session.
8325
8326 * tools/u2spewfoo/u2spewfoo.c:
8327 Tweaks to dump u2 files in the presence of certain errors.
8328
8329 * src/encode.c:
8330 Fix overhead calculation to ensure sufficient buffer space for
8331 defragging a maximum length IP datagram regardless of encapsulations.
8332
8333 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8334 Fix false positives on 129:16.
8335
8336 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8337 Fix stream5 to not purge too early when normalizing streams.
8338
8339 * src/decode.c:
8340 Remove redundant clearing of pointer in error case. Thanks
8341 to Josh Kinard for pointing out the error.
8342
8343 * src/preprocessors/spp_normalize.c:
8344 Change normalizer priority to ensure ahead of frag3 regardless
8345 of conf ordering.
8346
8347 * src/detection-plugins/sp_react.c, doc/README.active,
8348 doc/snort_manual.pdf, doc/snort_manual.tex:
8349 Don't allow more than one % in a user-defined HTML page used
8350 for react rule options. Thanks to Cleber S. Brandão for
8351 reporting the issue.
8352
8353 * configure.in:
8354 Update configure script to correctly display 'Disable' help
8355 verbiage for the --disable-xxx options. Thanks to Kungu Panda for
8356 pointing it out.
8357
8358 * src/: plugbase.c, plugbase.h, snort.c,
8359 output-plugins/spo_alert_arubaaction.c,
8360 output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c,
8361 output-plugins/spo_alert_prelude.c,
8362 output-plugins/spo_alert_syslog.c,
8363 output-plugins/spo_alert_test.c,
8364 output-plugins/spo_alert_unixsock.c, output-plugins/spo_csv.c,
8365 output-plugins/spo_database.c, output-plugins/spo_log_ascii.c,
8366 output-plugins/spo_log_null.c, output-plugins/spo_log_tcpdump.c,
8367 output-plugins/spo_unified.c, output-plugins/spo_unified2.c:
8368 Update unified2 output to rotate the unified2 file on reload.
8369
8370 * src/dynamic-preprocessors/smtp/smtp_util.c:
8371 Truncate the trailing end of the email id when the
8372 rcpt to or mail from addresses are too long.
8373
8374 * doc/snort_manual.tex, doc/README.GTP, src/:
8375 dynamic-plugins/sf_dynamic_plugins.c, util.c, util.h:
8376 Throttle the so rules memcap error message.
8377
8378 2012-1-17 16:16 Hui Cao <hcao@sourcefire.com>
8379 Snort 2.9.2.1
8380 All files: updated copyright to 2012
8381
8382 * src/build.h: updated build number to 107
8383
8384 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8385 Fixed building when -DREG_TEST not used with --enable-debug.
8386 Tweaked r_win_base initialization upon midstream pickup to work with tighter
8387 sequence number validation.
8388 Updated TCP session tracking to avoid requeuing retransmitted data
8389 Add tweaks for paf_max flushing of chunked http data
8390
8391 * src/dynamic-preprocessors/reputation/shmem/: shmem_config.c,
8392 shmem_config.h, shmem_mgmt.c, shmem_mgmt.h:
8393 Avoided writer updating reader's zero segment pointer.
8394 Changed shared memory update timeout to a larger value.
8395
8396 * src/generators.h,
8397 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
8398 src/preprocessors/HttpInspect/include/hi_eo_events.h,
8399 src/preprocessors/HttpInspect/utils/hi_paf.c,
8400 doc/README.http_inspect, etc/gen-msg.map,
8401 preproc_rules/preprocessor.rules:
8402 Added an alert on http/0.9 simple requests (119:32)
8403
8404 * preproc_rules/: decoder.rules, preprocessor.rules:
8405 Bump a few rule rev's that were out of sync w/ VRT
8406
8407 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8408 Changed Warning -> WARNING
8409 Don't attempt to flush if the grinder failed when pruning a session
8410
8411 * src/: preprocessors/Stream5/snort_stream5_tcp.c,
8412 preprocessors/Stream5/stream5_common.h, sfutil/test/unit_hacks.c:
8413 Auto-disable stream reassembly on paf abort if auto-enabled
8414
8415
8416 * src/: detection-plugins/sp_dsize_check.c,
8417 dynamic-preprocessors/dnp3/spp_dnp3.c,
8418 preprocessors/Stream5/snort_stream5_tcp.c,
8419 preprocessors/Stream5/stream5_paf.c:
8420 Fixed handling PAF flushing anomalies but purging afflicted segments
8421
8422 * src/sfutil/: sfrt_dir.c, sfrt_flat_dir.c, sfrt_flat_dir.h:
8423 Fixed the wrong value of calculating memory allocated.
8424 Changed sfrt length field from char to uint8_t
8425
8426 * src/: decode.c, dynamic-preprocessors/gtp/gtp_parser.c:
8427 Added checking invalid extension header length for GTPv1
8428
8429 * src/: preprocessors/stream_expect.c, profiler.h:
8430 Fixed some compiler warnings
8431
8432 * src/: decode.c, dynamic-preprocessors/gtp/gtp_parser.c
8433 Added checking invalid extension header length
8434
8435 * doc/: README.GTP, snort_manual.pdf, snort_manual.tex:
8436 Added a simple user case to the GTP document.
8437
8438 * src/dynamic-preprocessors/modbus/modbus_decode.c:
8439 Fixed a couple errors in modbus request/response length checking.
8440
8441 * etc/reference.config:
8442 Added 'msb' to reference.conf for Microsoft Bulletin url
8443
8444 * src/detection-plugins/sp_flowbits.c:
8445 When same flowbit is defined both in default group and user specified group,
8446 that flowbit will be changed to specified group.
8447
8448 * src/dynamic-preprocessors/dnp3/: dnp3_paf.c, dnp3_reassembly.c,
8449 spp_dnp3.c, spp_dnp3.h:
8450 Added #define statements for several "magic numbers" in DNP3 code
8451
8452 * src/dynamic-preprocessors/dnp3/dnp3_reassembly.c:
8453 Fixed a bug where the DNP3 preprocessor would generate alerts for "reserved
8454 function" on valid DNP3 functions.
8455
8456 * src/dynamic-preprocessors/dnp3/dnp3_roptions.c:
8457 Added parser errors for missing dnp3_func and dnp3_ind arguments.
8458
8459 * src/: generators.h, preprocessors/HttpInspect/client/hi_client.c,
8460 preprocessors/HttpInspect/event_output/hi_eo_log.c,
8461 preprocessors/HttpInspect/include/hi_eo_events.h:
8462 Added a preprocessor alert to alert when a HTTP method being parsed is not a GET
8463 or a POST or not defined by the user.
8464
8465 * src/preprocessors/HttpInspect/: client/hi_client.c,
8466 server/hi_server.c:
8467 Added checking bounds before unfolding.
8468
8469 * Makefile.am, configure.in:
8470 Cleanup very dated rules files.
8471
8472 * src/: snort.c, win32/WIN32-Includes/stdint.h:
8473 Don't add handlers signal values that aren't supported on Windows.
8474
8475 * src/dynamic-preprocessors/reputation/reputation_config.c:
8476 Corrected the variable name called to create IP table.
8477
8478 2011-12-14 Ryan Jordan <ryan.jordan@sourcefire.com>
8479 Snort 2.9.2
8480 * src/build.h: updating build number to 78
8481
8482 * snort.8:
8483 Fixed spelling errors. Thanks to Neline van Ginkel for the report.
8484
8485 * src/: snort.c, preprocessors/spp_perfmonitor.c:
8486 Perfmonitor "now" files are created after Snort drops privileges.
8487
8488 * src/output-plugins/spo_unified2.c:
8489 Only log IPv6 extra data when the packet is IPv6.
8490
8491 * src/preprocessors/HttpInspect/: server/hi_server.c, client/hi_client.c:
8492 Fixed unfolding of HTTP Headers across packet boundaries.
8493 Thanks to Jim Hranicky for reporting this issue on the RC build.
8494
8495 * src/preprocessors/spp_httpinspect.c:
8496 HTTP Inspect should check for hi_swap_config in HttpInspectInit()
8497 only when snort is compiled with --enable-reload.
8498 Fixed build errors on Win32.
8499
8500 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8501 When pruning a session, don't attempt to flush if the grinder
8502 failed to decode a TCP header.
8503 Thanks to Jim Hranicky for reporting this issue on the RC build.
8504
8505 2011-11-23 Ryan Jordan <ryan.jordan@sourcefire.com>
8506 Snort 2.9.2 RC
8507 * src/build.h: updating build number to 75
8508
8509 * src/preprocessors/spp_httpinspect.c:
8510 Fixed an issue with HTTP Inspect server conf reload
8511 (when the HTTP Inspect is turned on from off between a reload)
8512
8513 * src/preprocessors/spp_stream5.c:
8514 Fixed a memory leak caused by initializing the expected channel
8515 more than once.
8516
8517 * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
8518 Fixed a segfault during dcerpc2 startup when stream5 is not enabled.
8519
8520 * src/preprocessors/spp_normalize.c:
8521 Added support to turn normalization off or on during a Snort reload.
8522
8523 * src/dynamic-preprocessors/modbus/spp_modbus.c:
8524 Moved the check for truncated PDUs past the port check, to avoid
8525 false positives.
8526
8527 * src/sfutil/bitop_funcs.h:
8528 Fixed an error in the allocation of flowbit groups, where bytes
8529 were interpreted as bits.
8530
8531 * src/detection-plugins/sp_flowbits.c:
8532 Fixed a flowbits issue where the "isset" operation failed when
8533 there was only a single flowbit in a group.
8534 Fixed the error message logged when the same flowbit is added
8535 to two groups.
8536
8537 * src/ipv6_port.h:
8538 * src/: dynamic-preprocessors/gtp/gtp_parser.c,
8539 dynamic-preprocessors/gtp/gtp_roptions.c,
8540 dynamic-preprocessors/ftptelnet/pp_ftp.c,
8541 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
8542 dynamic-preprocessors/reputation/reputation_config.c,
8543 sfutil/segment_mem.c, encode.c:
8544 Compiler warning cleanup.
8545
8546 * doc/: README.reload, snort_manual.pdf, snort_manual.tex:
8547 Updated the reload documentation to mention the caveat that exists
8548 with reload and fail-open in OpenBSD when Snort is run on primary
8549 network interface.
8550
8551 * src/dynamic-preprocessors/dnp3/: dnp3_reassembly.c,
8552 dnp3_reassembly.h, dnp3_roptions.c, spp_dnp3.c:
8553 Added support for multiple DNP3 PDUs in a single DNP3 payload.
8554 Fixed an issue where the DNP3 preprocessor only identified the
8555 minimum reserved address, instead of all reserved addresses.
8556
8557 * src/dynamic-preprocessors/dnp3/spp_dnp3.h:
8558 Updated an incorrect minimum DNP3 memcap to match the documented
8559 minimum of 4144 bytes.
8560
8561 * src/output-plugins/spo_unified2.c:
8562 Snort will fatal error when the user configures the same filename
8563 for options "alert_unified2" and "log_unified2".
8564
8565 * src/sfutil/: sfrt.c, sfrt.h, sfrt_dir.c, sfrt_dir.h:
8566 Added the ability to delete entries in the sfrt table.
8567
8568 * src/preprocessors/snort_httpinspect.c,
8569 src/preprocessors/spp_frag3.c, src/preprocessors/spp_normalize.c,
8570 src/preprocessors/spp_stream5.c,
8571 src/preprocessors/Stream5/snort_stream5_tcp.c,
8572 src/preprocessors/Stream5/stream5_common.c,
8573 src/dynamic-preprocessors/reputation/reputation_config.c,
8574 etc/gen-msg.map, src/detection-plugins/sp_flowbits.c,
8575 src/detection-plugins/sp_replace.c,
8576 src/output-plugins/spo_alert_sf_socket.c, src/decode.c,
8577 src/detect.c, src/generators.h, src/sfdaq.c, src/snort.c,
8578 src/tag.c, src/util.c, src/dynamic-plugins/sf_dynamic_plugins.c,
8579 src/sfutil/acsmx2.c, configure.in,
8580 src/dynamic-preprocessors/dnp3/spp_dnp3.c,
8581 src/target-based/sftarget_protocol_reference.c:
8582 * src/dynamic-preprocessors/dnp3/dnp3_roptions.c:
8583 Made the format of warning messages consistent.
8584
8585 * src/dynamic-preprocessors/: dnp3/spp_dnp3.c, modbus/spp_modbus.c:
8586 Providing an empty port list now causes a fatal error.
8587
8588 * src/dynamic-preprocessors/dnp3/spp_dnp3.h:
8589 Fixed reserved address check on big-endian machines.
8590
8591 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8592 Changed identification of TCP retransmits by comparing payloads
8593 instead of TCP checksums.
8594
8595 * src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h,
8596 src/dynamic-preprocessors/imap/snort_imap.c,
8597 src/dynamic-preprocessors/pop/snort_pop.c,
8598 src/dynamic-preprocessors/smtp/smtp_util.c,
8599 src/dynamic-preprocessors/smtp/snort_smtp.c,
8600 src/output-plugins/spo_unified2.c,
8601 src/preprocessors/snort_httpinspect.c,
8602 src/preprocessors/snort_httpinspect.h,
8603 src/preprocessors/spp_httpinspect.c,
8604 src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
8605 src/preprocessors/HttpInspect/include/hi_ui_config.h,
8606 src/sfutil/Unified2_common.h, tools/u2spewfoo/u2spewfoo.c:
8607 Enable logging of normalized JavaScript to unified2 when built
8608 without --enable-sourcefire.
8609 - Changed extra data logging to log packet-specific data
8610 (gzip/normalized) after each packet.
8611 - Updated u2spewfoo to read the normalized JavaScript
8612 extra data.
8613
8614 * src/dynamic-preprocessors/dnp3/dnp3_reassembly.c:
8615 Fixed a bug where "dnp3_data" rules would not work if the content
8616 was broken up by CRCs or split across multiple DNP3 segments.
8617 As a result, DNP3 rules that inspect the DNP3 headers now require
8618 "rawbytes" to work correctly, as the DNP3 reassembly buffer is
8619 inspected by default.
8620
8621 * etc/gen-msg.map, preproc_rules/preprocessor.rules,
8622 src/dynamic-preprocessors/dnp3/spp_dnp3.h:
8623 Removed DNP3 rule 145:5, and decremented the SIDs of rules 145:6
8624 and 145:7. The old 145:5 was never able to be triggered.
8625 Updated references for rules 119:15 and 137:1.
8626
8627 * rpm/snort.spec:
8628 Updated the RPM spec file to use wildcards for linking and installing
8629 preprocessors. Thanks to Tim Brigham for the suggestion.
8630
8631 * src/detection_util.h:
8632 Increased the URI buffer size from 4096 to 8192 to normalize and
8633 detect longer URIs.
8634
8635 * src/preprocessors/: spp_frag3.c, spp_stream5.c,
8636 Stream5/snort_stream5_tcp.c, Stream5/snort_stream5_udp.c:
8637 Change the printing function of tracker/session sizes
8638 (TcpSession/UdpSession/StreamLWSession/FragTracker) from fprintf
8639 to LogMessage.
8640 Fix handling of "first" and "vista" policies in stream5 that,
8641 under certain circumstances with overlaps and gaps, could cause
8642 the stream5 segmentation list to get out of order.
8643
8644 * doc/snort_manual.pdf, doc/snort_manual.tex,
8645 src/detection-plugins/sp_dsize_check.c:
8646 Enable the "dsize" rule option with rebuilt packets, if it is the
8647 start of a PDU. Thanks to Dave Bertouille for reporting this problem.
8648
8649 * src/dynamic-preprocessors/modbus/modbus_decode.c:
8650 Added length checking for Modbus "Read File Record" and
8651 "Write File Record" requests.
8652
8653 * src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h,
8654 tools/u2spewfoo/u2spewfoo.c:
8655 Added new Unified2 event structs with extra application ID data.
8656 Updated u2spewfoo to read these fields.
8657
8658 * src/detection-plugins/: sp_asn1_detect.c, sp_byte_check.c,
8659 sp_byte_jump.c, sp_isdataat.c:
8660 Allow rule evaluation to continue if the doe_ptr reaches the end
8661 of a buffer, but a negative offset brings it back in-bounds.
8662 Thanks again to Dave Bertouille for the suggestion.
8663
8664 * src/target-based/sf_attribute_table.y:
8665 Allow empty attribute_value in attribute table.
8666
8667 * configure.in,
8668 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
8669 Added Protocol-Aware Flushing support for FTP.
8670
8671 * snort.8:
8672 Updated the man page to include more signals that have been used.
8673 Made some format changes, thanks to Markus Lude.
8674
8675 * doc/Makefile.am:
8676 Fixed an error while running "make distcleancheck".
8677
8678 * doc/snort_manual.pdf, doc/snort_manual.tex,
8679 src/win32/WIN32-Includes/config.h, configure.in, src/snort.c,
8680 src/snort.h, src/util.c, src/control/sfcontrol.c,
8681 src/target-based/sftarget_reader.c:
8682 Redefined default signals, and added support for signal
8683 customization.
8684
8685
8686 2011-10-28 Ryan Jordan <ryan.jordan@sourcefire.com>
8687 Snort 2.9.2 Beta
8688 * src/build.h: updating build number to 64
8689
8690 * src/preprocessors/: snort_httpinspect.c,
8691 HttpInspect/include/hi_ui_config.h,
8692 HttpInspect/server/hi_server.c,
8693 HttpInspect/server/hi_server_norm.c,
8694 HttpInspect/user_interface/hi_ui_config.c:
8695 * src/sfutil/: util_jsnorm.c, util_jsnorm.h:
8696 Updated the HTTP preprocessor to normalize HTTP responses that include
8697 javascript escaped data in their bodies. This expands Snort's coverage
8698 in detecting HTTP client-side attacks.
8699 See the Snort Manual and README.http_inspect for configuration details.
8700
8701 * doc/README.modbus:
8702 * src/dynamic-preprocessors/modbus/: Makefile.am, modbus_decode.c,
8703 modbus_decode.h, modbus_paf.c, modbus_paf.h, modbus_roptions.c,
8704 modbus_roptions.h, sf_modbus.dsp, spp_modbus.c, spp_modbus.h:
8705 Added the Modbus preprocessor, which decodes the Modbus protocol and
8706 provides new rule options for some protocol fields.
8707 See the Snort Manual and README.modbus for more details.
8708
8709 * doc/README.dnp3:
8710 * src/dynamic-preprocessors/dnp3/: Makefile.am, dnp3_map.c, dnp3_map.h,
8711 dnp3_paf.c, dnp3_paf.h, dnp3_reassembly.c, dnp3_reassembly.h,
8712 dnp3_roptions.c, dnp3_roptions.h, sf_dnp3.dsp, spp_dnp3.c, spp_dnp3.h:
8713 Added the DNP3 preprocessor, which decodes the DNP3 protocol
8714 and provides new rule options for some protocol fields.
8715 The preprocessor also performs reassembly of segmented DNP3 traffic.
8716 See the Snort Manual and README.dnp3 for more details.
8717
8718 * doc/README.gtp:
8719 * src/decode.c:
8720 * src/dynamic-preprocessors/gtp/: Makefile.am, gtp_config.c,
8721 gtp_config.h, gtp_debug.h, gtp_parser.c, gtp_parser.h, gtp_roptions.c,
8722 gtp_roptions.h, sf_gtp.dsp, spp_gtp.c, spp_gtp.h:
8723 Added a packet decoder and preprocessor for the GTP protocol.
8724 These support detecting attacks over GTP (GPRS Tunneling Protocol).
8725 See the Snort Manual and README.gtp for more details.
8726
8727 * doc/faq.pdf, doc/faq.tex, src/Makefile.am, src/debug.c,
8728 src/smalloc.h, src/snort_debug.h,
8729 src/dynamic-plugins/sf_dynamic_common.h,
8730 src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
8731 src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
8732 src/dynamic-preprocessors/gtp/gtp_debug.h,
8733 src/dynamic-preprocessors/sip/sip_debug.h,
8734 src/parser/IpAddrSet.c,
8735 src/preprocessors/HttpInspect/utils/hi_paf.c,
8736 src/preprocessors/Stream5/stream5_paf.c:
8737 Expanded the debug bits from 32 to 64 bits.
8738
8739 * src/preprocessors/: spp_stream5.c, Stream5/snort_stream5_icmp.c,
8740 Stream5/snort_stream5_icmp.h, Stream5/snort_stream5_ip.c,
8741 Stream5/snort_stream5_ip.h, Stream5/snort_stream5_udp.c,
8742 Stream5/snort_stream5_udp.h:
8743 Cleaned up application data for non-TCP sessions after
8744 a block or timeout.
8745
8746 * src/preprocessors/spp_sfportscan.c:
8747 Negative memcap numbers are no longer allowed.
8748
8749 * src/preprocessors/HttpInspect/server/hi_server.c:
8750 HTTP responses with incorrect status messages are now inspected.
8751
8752 * src/preprocessors/Stream5/stream5_paf.c:
8753 Fixed PAF callback registration during Snort reload.
8754
8755 * src/parser.c:
8756 Fixed crash when setting HOME_NET to an empty variable.
8757 Thanks to Elof for reporting this issue.
8758
8759 * src/preprocessors/spp_normalize.c:
8760 Don't register the packet callback if Snort is not inline.
8761 Fixed a crash in the normalizer during Snort reload.
8762
8763 * src/: sfdaq.c, sfdaq.h, snort.c, snort.h, util.c:
8764 Fixed a possible segfault upon fatal error during Snort reload.
8765
8766 * src/win32/WIN32-Prj/snort_installer.nsi:
8767 Updated Windows project files for new preprocessors.
8768
8769 * doc/: snort_manual.pdf, snort_manual.tex:
8770 Updated the Snort manual for new features.
8771 Updated the names of contributors to match those found on snort.org.
8772 Updated the 'config cs_dir' path to be relative to pid-path.
8773
8774 Described the FlowIP CSV file format. Thanks to Eoin Miller for
8775 pointing out the lack of documentation.
8776
8777 * src/preprocessors/: perf-base.c, perf-base.h, perf.c, perf.h,
8778 spp_frag3.c, spp_frag3.h, Stream5/snort_stream5_tcp.c:
8779 Added frag3 and stream5 memory usage to perfmon output.
8780
8781 * src/control/sfcontrol.c:
8782 Added counters to bypass the work queue mutex when nothing
8783 is queued.
8784 Cleaned up compiler warnings.
8785
8786 * src/preprocessors/HttpInspect/client/hi_client.c:
8787 When the same IP is parsed multiple times for XFF/True-client-IP,
8788 the duplicate entries are freed from memory.
8789
8790 * src/preprocessors/: stream_expect.c, spp_stream5.c, stream_api.h,
8791 stream_expect.h, Stream5/snort_stream5_session.c,
8792 Stream5/snort_stream5_session.h, Stream5/stream5_common.h:
8793 Changed instances of "char" to "uint8_t" when dealing with
8794 protocol numbers, preventing a potential issue when Snort
8795 supports protocols > 128. Thanks to Joshua Kinard for
8796 providing a patch for this issue.
8797
8798 * src/detection-plugins/sp_react.c:
8799 Added a content-length header to the react responses.
8800
8801 * src/: decode.h, dynamic-plugins/sf_engine/sf_snort_packet.h,
8802 dynamic-preprocessors/imap/snort_imap.c,
8803 dynamic-preprocessors/pop/snort_pop.c,
8804 dynamic-preprocessors/smtp/smtp_config.h,
8805 dynamic-preprocessors/smtp/smtp_util.c,
8806 dynamic-preprocessors/smtp/smtp_util.h,
8807 dynamic-preprocessors/smtp/snort_smtp.c,
8808 dynamic-preprocessors/smtp/snort_smtp.h,
8809 dynamic-preprocessors/smtp/spp_smtp.c,
8810 output-plugins/spo_unified2.c, preprocessors/snort_httpinspect.c,
8811 preprocessors/snort_httpinspect.h,
8812 preprocessors/spp_httpinspect.c, preprocessors/spp_stream5.c,
8813 preprocessors/stream_api.h,
8814 preprocessors/HttpInspect/include/hi_ui_config.h,
8815 preprocessors/Stream5/snort_stream5_tcp.c,
8816 preprocessors/Stream5/snort_stream5_tcp.h,
8817 preprocessors/Stream5/stream5_common.h:
8818 Reduced the memory usage per TCP session for extra data event
8819 logging.
8820
8821 * src/dynamic-preprocessors/sip/spp_sip.c:
8822 Changed a description in the SIP exit stats.
8823
8824 * configure.in, src/snort.c, src/util.c,
8825 src/target-based/sftarget_reader.c:
8826 Where possible, sigaction() is used instead of signal() to
8827 establish signal handlers.
8828
8829 * src/util.c:
8830 Fixed an error in the calculation of dropped packets.
8831 Thanks to Will Metcalf for identifying the issue.
8832
8833 * src/preprocessors/: perf-flow.c, perf-flow.h:
8834 Fixed a bug where packets longer than 4500 bytes were not logged
8835 in the perfmon flow stats.
8836
8837 * src/: active.c, decode.c, decode.h, encode.c, parser.c,
8838 sf_protocols.h, snort.c:
8839 Fix PPPoE support and active responses to ICMP.
8840 Thanks to Eric Lauzon for identifying an issue with PPPoE traffic.
8841
8842 * etc/gen-msg.map, preproc_rules/preprocessor.rules,
8843 src/generators.h,
8844 src/preprocessors/HttpInspect/client/hi_client.c,
8845 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
8846 src/preprocessors/HttpInspect/include/hi_client.h,
8847 src/preprocessors/HttpInspect/include/hi_eo_events.h:
8848 Added new preprocessor alerts:
8849 1) Both true-client-ip and XFF headers exist in single packet
8850 2) Multiple client-ips with different values in the same session
8851
8852 * etc/gen-msg.map:
8853 Fixed an error with incorrect SID numbers for some SMTP preprocessor
8854 rules. Thanks to Eric Olsen for identifying the issue.
8855
8856 * src/: decode.h, detect.c, encode.c, encode.h, plugbase.c,
8857 plugbase.h, snort.c, snort.h,
8858 detection-plugins/detection_options.c,
8859 dynamic-plugins/sf_dynamic_plugins.c,
8860 dynamic-plugins/sf_dynamic_preprocessor.h,
8861 dynamic-plugins/sf_engine/sf_snort_packet.h,
8862 dynamic-preprocessors/dcerpc2/snort_dce2.c,
8863 dynamic-preprocessors/sdf/spp_sdf.c,
8864 output-plugins/spo_alert_fast.c, preprocessors/spp_frag3.c,
8865 preprocessors/spp_rpc_decode.c, preprocessors/spp_sfportscan.c,
8866 preprocessors/stream_api.h,
8867 preprocessors/Stream5/snort_stream5_tcp.c,
8868 preprocessors/Stream5/stream5_common.c:
8869 Refactored packet flags. Added new packet flags for raw in-order
8870 stream segment discrimination.
8871
8872 * src/preprocessors/snort_httpinspect.c:
8873 Fixed an issue where gzip logging code misinterpreted the data
8874 being passed to it.
8875
8876 Increased max_method_len to 256.
8877 Thanks to rmkml for identifying the issue.
8878
8879 * src/: preprocessors/spp_rpc_decode.c,
8880 dynamic-preprocessors/dcerpc2/dce2_roptions.c,
8881 dynamic-preprocessors/dcerpc2/dce2_smb.c:
8882 Fixed compiler warnings.
8883
8884 * src/sfutil/bnfa_search.c:
8885 Fixed code defined by #ifdef ALLOW_NFA_FULL to compile and run.
8886 Thanks to Brian Hwang for reporting the issue.
8887
8888 * src/: dynamic-plugins/sf_dynamic_plugins.c,
8889 dynamic-plugins/sf_dynamic_preprocessor.h,
8890 dynamic-plugins/sp_dynamic.h,
8891 dynamic-preprocessors/reputation/reputation_config.c,
8892 dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
8893 dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h:
8894 The paths to whitelist & blacklist files are now relative to
8895 the location of snort.conf.
8896
8897 * src/preprocessors/Stream5/snort_stream5_session.c:
8898 Don't prune blocked sessions if pruning for memcap.
8899
8900 * src/preprocessors/spp_stream5.c:
8901 Fixed session data lookup for meta data messages.
8902
8903 * etc/: sf_rule_options, sf_rule_validation.conf:
8904 Updated rule validation files with new rule options.
8905
8906 * configure.in, doc/INSTALL, doc/README.ARUBA, doc/README.database,
8907 doc/README.ipv6, doc/snort_manual.tex,
8908 src/output-plugins/spo_alert_arubaaction.c,
8909 src/output-plugins/spo_alert_prelude.c,
8910 src/output-plugins/spo_database.c:
8911 Added deprecation warnings for database, alert_aruba_action,
8912 and alert_prelude output plugins. These output plugins are
8913 considered deprecated with this release and will be removed
8914 in Snort 2.9.3.
8915
8916 * src/: plugbase.c, plugbase.h, preprocids.h, profiler.c, sfdaq.c,
8917 sfdaq.h, snort.c, snort.h, dynamic-plugins/sf_dynamic_plugins.c,
8918 dynamic-plugins/sf_dynamic_preprocessor.h,
8919 preprocessors/spp_stream5.c, preprocessors/stream_api.h,
8920 preprocessors/Stream5/snort_stream5_icmp.c,
8921 preprocessors/Stream5/snort_stream5_ip.c,
8922 preprocessors/Stream5/snort_stream5_session.c,
8923 preprocessors/Stream5/snort_stream5_session.h:
8924 Added API and DAQ functions to get flow start and end events
8925 directly from the DAQ when no stream data is available.
8926
8927 * src/sfdaq.c:
8928 Prevent underflow when calculating outstanding packets.
8929 Thanks to Hussein Bahaidarah for reporting this issue.
8930
8931 Don't unload daq modules if --disable-dlclose was a configure
8932 option.
8933
8934 * src/: active.c, dynamic-plugins/sf_dynamic_plugins.c,
8935 dynamic-plugins/sf_dynamic_preprocessor.h:
8936 Snort dynamic API changes to inject response packets.
8937
8938 2011-10-20 Ryan Jordan <ryan.jordan@sourcefire.com>
8939 Snort 2.9.1.2
8940 * configure.in,
8941 rpm/snort.spec,
8942 src/build.h,
8943 src/win32/WIN32-Includes/config.h,
8944 src/win32/WIN32-Prj/snort_installer.nsi:
8945 Incremented version numbers to Snort 2.9.1.2, Build 84.
8946
8947 * src/preprocessors/snort_httpinspect.c,
8948 src/sfutil/util_utf.c:
8949 Fixed an issue where Snort would sometimes stop processing traffic
8950 in a persistent HTTP 1.1 connection with a UTF-32 encoded response
8951 followed by a UTF-16 encoded response.
8952
8953 2011-10-05 Ryan Jordan <ryan.jordan@sourcefire.com>
8954 Snort 2.9.1.1
8955 * src/decode.c:
8956 Fixed decode.c to allow building with --enable-debug.
8957
8958 * src/: dynamic-plugins/sf_engine/sf_decompression.c,
8959 dynamic-plugins/sf_engine/sf_decompression.h,
8960 preprocessors/snort_httpinspect.h,
8961 preprocessors/HttpInspect/server/hi_server.c:
8962 Fixed http_inspect decompression and decompression API to decompress
8963 both raw and zlib deflated data.
8964 Support locating utf charset when spaces are present.
8965
8966 * src/: preprocessors/HttpInspect/server/hi_server_norm.c,
8967 sfutil/util_utf.h:
8968 Added "Byte Order Mark" support for unicode in http_inspect.
8969
8970 * src/detection-plugins/sp_urilen_check.c:
8971 Fixed potential false positives when using urilen detection option.
8972
8973 * src/preprocessors/Stream5/stream5_paf.c:
8974 Fixed flushing beyond "paf_max".
8975 Verify paf configuration before enabling.
8976
8977 * src/preprocessors/Stream5/snort_stream5_tcp.c:
8978 Free application and protocol state when a session is blocked.
8979 Ensure that seglist_next is NULL after being freed.
8980
8981 * src/dynamic-preprocessors/smtp/smtp_util.c:
8982 Fixed an issue with SMTP logging while running in inline mode.
8983
8984 * src/dynamic-preprocessors/reputation/Makefile.am,
8985 src/dynamic-preprocessors/reputation/reputation_config.c,
8986 src/dynamic-preprocessors/reputation/reputation_config.h,
8987 src/dynamic-preprocessors/reputation/spp_reputation.c,
8988 src/dynamic-preprocessors/reputation/spp_reputation.h,
8989 src/Makefile.am, src/idle_processing.c, src/idle_processing.h,
8990 src/idle_processing_funcs.h, src/plugbase.c, src/plugbase.h,
8991 src/snort.c, src/snort.h, src/util.c, src/util.h,
8992 src/dynamic-examples/Makefile.am,
8993 src/dynamic-preprocessors/reputation/shmem/shmem_config.c,
8994 src/dynamic-preprocessors/reputation/shmem/shmem_config.h,
8995 src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
8996 src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
8997 src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
8998 src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
8999 src/control/Makefile.am, src/control/sfcontrol.c,
9000 src/control/sfcontrol.h, src/control/sfcontrol_funcs.h,
9001 src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c,
9002 src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h,
9003 src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
9004 src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
9005 src/dynamic-preprocessors/reputation/shmem/shmem_lib.h,
9006 src/sfutil/Makefile.am, src/sfutil/segment_mem.c,
9007 src/sfutil/segment_mem.h, src/sfutil/sfrt_flat.c,
9008 src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c,
9009 src/sfutil/sfrt_flat_dir.h,
9010 src/dynamic-preprocessors/Makefile.am, tools/control/Makefile.am,
9011 tools/control/README.snort_control, tools/control/sfcontrol.c,
9012 src/dynamic-plugins/sf_dynamic_plugins.c,
9013 src/dynamic-plugins/sf_dynamic_preprocessor.h, configure.in,
9014 tools/Makefile.am:
9015 - Added support for shared memory between Snort processes.
9016 This is used in the IP Reputation preprocessor to share a single copy
9017 of IP whitelists & blacklists.
9018 - Added a control channel, so that commands may be issued to
9019 a running Snort process by way of a Unix socket.
9020
9021 * src/preprocessors/HttpInspect/utils/hi_paf.c:
9022 Ensure HTTP 1.1 responses without length indicators (e.g. 304)
9023 are flushed at the end of the headers.
9024 Preprocessor rule 120:8 is fired at end of headers if content-length
9025 and transfer-encoding: chunked are not present, but not for response
9026 codes 1XX, 204, 304.
9027
9028 * doc/README.reputation, doc/snort_manual.pdf,
9029 doc/snort_manual.tex:
9030 Updated Snort documentation, added documentation for Shared Memory
9031 and the Control Socket.
9032
9033 * src/: dynamic-preprocessors/reputation/sf_reputation.dsp,
9034 dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
9035 win32/WIN32-Includes/stdint.h, win32/WIN32-Prj/snort.dsp,
9036 win32/WIN32-Prj/snort.dsw:
9037 Updated Win32 build files.
9038
9039
9040 2011-08-23 Ryan Jordan <ryan.jordan@sourcefire.com>
9041 Snort 2.9.1
9042 * src/build.h:
9043 Updated build number to 71.
9044
9045 * etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
9046 src/decode.h, src/generators.h, src/snort.c,
9047 src/dynamic-plugins/sf_engine/sf_snort_packet.h:
9048 Fixed an issue with decoding large numbers of IPv6 extension headers.
9049 Added rule 116:456 to safeguard against too many IPv6 extension headers.
9050 Thanks to Martin Schütte for reporting the issue.
9051
9052 * src/detection-plugins/sp_urilen_check.c,
9053 src/detection-plugins/sp_urilen_check.h:
9054 Fixed the urilen rule option to look at reassembled packets.
9055 Added an extra parameter to specify whether to check raw or normalized
9056 uri buffer. Will check raw uri buffer by default.
9057
9058 * src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
9059 dynamic-preprocessors/dns/sf_dns.dsp,
9060 dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
9061 dynamic-preprocessors/imap/sf_imap.dsp,
9062 dynamic-preprocessors/isakmp/sf_isakmp.dsp,
9063 dynamic-preprocessors/pop/sf_pop.dsp,
9064 dynamic-preprocessors/reputation/sf_reputation.dsp,
9065 dynamic-preprocessors/sdf/sf_sdf.dsp,
9066 dynamic-preprocessors/sip/sf_sip.dsp,
9067 dynamic-preprocessors/smtp/sf_smtp.dsp,
9068 dynamic-preprocessors/ssh/sf_ssh.dsp,
9069 dynamic-preprocessors/ssl/sf_ssl.dsp,
9070 win32/WIN32-Prj/sf_engine.dsp:
9071 Fixed a bug where the sensitive_data preprocessor gave an error while
9072 loading sensitive data rules.
9073
9074 * doc/README.http_inspect, etc/gen-msg.map,
9075 preproc_rules/preprocessor.rules, src/generators.h,
9076 src/preprocessors/snort_httpinspect.c,
9077 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
9078 src/preprocessors/HttpInspect/include/hi_eo_events.h,
9079 src/preprocessors/HttpInspect/utils/hi_paf.c:
9080 Added two HTTP Inspect preprocessor rules:
9081 119:28 - post w/o content-length or transfer-encoding: chunked
9082 120:8 - message with invalid content-length or chunk size
9083
9084 * src/preprocessors/spp_httpinspect.c:
9085 Fixed a bug where Snort wouldn't reload, giving the error that
9086 "Changing decompress_depth requries a restart".
9087
9088 * etc/gen-msg.map:
9089 Commented out four rules from gen-msg.map, 133:44 through 133:47,
9090 because they were not yet implemented.
9091
9092 * preproc_rules/preprocessor.rules:
9093 Added a CVE reference for Rule 119:19.
9094 Added a reference to SMTP preprocessor rule 124:4.
9095 Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor
9096 alert that was missing the corresponding rule.
9097
9098 * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
9099 PAF tweak for single-segment full PDUs matching only-stream
9100
9101 * src/snort.c:
9102 Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD.
9103 Set default paf_max to 16K.
9104
9105 * doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
9106 Added a use case in the IP Reputation preprocessor documentation.
9107
9108 * src/: dynamic-preprocessors/reputation/reputation_config.c,
9109 dynamic-preprocessors/reputation/sf_reputation.dsp,
9110 win32/WIN32-Prj/snort.dsw, win32/WIN32-Prj/snort_installer.nsi:
9111 Fixed the IP Reputation preprocessor so that it would build on Windows.
9112
9113 * src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h,
9114 server/hi-server.c, utils/hi_paf.c:
9115 Support up to full 32-bit content-lengths
9116
9117 * src/preprocessors/Stream5/stream5_paf.c:
9118 Fixed compilation with the options "--disable-target-based --enable-paf".
9119
9120 * src/preprocessors/Stream5/snort_stream5_tcp.c:
9121 Fixed an error in IDS mode when segments overlap and the sequence
9122 number wraps.
9123
9124 * tools/u2spewfoo/Makefile.am:
9125 Added the u2spewfoo Windows project file to the Snort source tarball.
9126
9127 2011-07-19 Ryan Jordan <ryan.jordan@sourcefire.com>
9128 Snort 2.9.1 RC
9129 * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
9130 preproc_rules/preprocessor.rules,
9131 src/dynamic-preprocessors/sip/sip_parser.c,
9132 src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
9133 Added three new SIP preprocessor alerts.
9134
9135 * src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c,
9136 stream5_paf.h:
9137 Allow multiple preprocs to scan for PDUs on the same port.
9138 This fixes a problem with DCE autodetect using the same
9139 ports as HTTP.
9140
9141 * src/build.h:
9142 Updated build number to 63.
9143
9144 * src/: fpcreate.c, log.c, detection-plugins/sp_byte_extract.c,
9145 detection-plugins/sp_tcp_win_check.c,
9146 dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
9147 dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
9148 preprocessors/spp_normalize.c:
9149 Fixed some compiler warnings.
9150
9151 * src/: detection-plugins/detection_options.c,
9152 detection-plugins/sp_flowbits.h,
9153 dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
9154 Only set/clear/toggle/unset a flowbit when all of the rule
9155 matches, including the IPs and Ports. Thanks to Eoin Miller
9156 for reporting the issue.
9157
9158 * src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am,
9159 dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am,
9160 pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am,
9161 sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am,
9162 ssh/Makefile.am, ssl/Makefile.am:
9163 Fixed dynamic preprocessor Makefiles so that they can be built
9164 in parallel.
9165
9166 * doc/README.http_inspect, doc/snort_manual.pdf,
9167 doc/snort_manual.tex, etc/gen-msg.map,
9168 preproc_rules/preprocessor.rules, src/generators.h,
9169 src/preprocessors/snort_httpinspect.c,
9170 src/preprocessors/snort_httpinspect.h,
9171 src/preprocessors/HttpInspect/client/hi_client.c,
9172 src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
9173 src/preprocessors/HttpInspect/include/hi_eo_events.h,
9174 src/preprocessors/HttpInspect/include/hi_ui_config.h,
9175 src/preprocessors/HttpInspect/include/hi_util.h,
9176 src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
9177 src/sfutil/util_unfold.c:
9178 Added a new HTTP Inspect preprocessor rule, GID 119 SID 26.
9179 This rule checks for 200+ whitespaces in a folded header line
9180 from an HTTP request. A new config option was added to configure
9181 the allowable amount of whitespace.
9182
9183 Added a new configuration option to http_inspect server configuration:
9184 "small_chunk_length { <chunk_size> <num_consec_chunks> }", with
9185 preprocessor rules for both client and server. Consecutive chunk lengths
9186 less than or equal to <chunk_size> will cause an event to be generated.
9187
9188 See README.http_inspect for more information.
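An added example (not Snort's own code) of the counting that "small_chunk_length { <chunk_size> <num_consec_chunks> }" describes, run over constructed chunked bodies. It assumes the event is raised once <num_consec_chunks> consecutive chunks of size <= <chunk_size> have been seen and that the terminating zero-length chunk is not counted; the type, function and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The two values of "small_chunk_length { <chunk_size> <num_consec_chunks> }". */
typedef struct {
    uint32_t chunk_size;        /* chunks of this size or less count as small */
    unsigned num_consec_chunks; /* assumed: run length that raises the event  */
} small_chunk_cfg;

typedef enum { SC_MALFORMED = -1, SC_CLEAN = 0, SC_EVENT = 1 } sc_result;

/* Constructed sample bodies (not captured traffic). */
static const char SAMPLE_SMALL[] =      /* "hello" sent as five 1-byte chunks */
    "1\r\nh\r\n1\r\ne\r\n1\r\nl\r\n1\r\nl\r\n1\r\no\r\n0\r\n\r\n";
static const char SAMPLE_NORMAL[] =     /* one 26-byte chunk, one 5-byte chunk */
    "1a\r\nabcdefghijklmnopqrstuvwxyz\r\n5\r\nhello\r\n0\r\n\r\n";
static const char SAMPLE_BROKEN_RUN[] = /* small, small, 11 bytes, small, small */
    "1\r\nx\r\n1\r\ny\r\nb\r\n0123456789A\r\n1\r\nz\r\n1\r\nw\r\n0\r\n\r\n";
static const char SAMPLE_OVERSIZE[] =   /* chunk size needs 33 bits */
    "100000000\r\nx\r\n";

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Walk a complete chunked body. Returns SC_EVENT if a run of small chunks
 * reaches the configured count, SC_MALFORMED on a framing error or a chunk
 * size above 32 bits, SC_CLEAN otherwise. *longest_run gets the longest run. */
sc_result scan_chunked_body(const char *body, size_t len,
                            const small_chunk_cfg *cfg, unsigned *longest_run)
{
    size_t pos = 0;
    unsigned run = 0;
    sc_result result = SC_CLEAN;

    *longest_run = 0;
    while (pos < len) {
        uint64_t size = 0;
        size_t digits = 0;

        /* chunk-size: one or more hex digits, capped at 32 bits */
        while (pos < len && hex_val(body[pos]) >= 0) {
            size = (size << 4) | (uint64_t)hex_val(body[pos]);
            if (size > UINT32_MAX)
                return SC_MALFORMED;
            pos++;
            digits++;
        }
        if (digits == 0)
            return SC_MALFORMED;

        /* skip any chunk extension, then require CRLF */
        while (pos < len && body[pos] != '\r')
            pos++;
        if (pos + 1 >= len || body[pos + 1] != '\n')
            return SC_MALFORMED;
        pos += 2;

        if (size == 0)          /* last-chunk: stop, it is not counted */
            break;

        /* chunk data must be present and followed by CRLF */
        if (size > len - pos || len - pos - size < 2)
            return SC_MALFORMED;
        if (body[pos + size] != '\r' || body[pos + size + 1] != '\n')
            return SC_MALFORMED;
        pos += (size_t)size + 2;

        if (size <= cfg->chunk_size) {
            run++;
            if (run > *longest_run)
                *longest_run = run;
            if (cfg->num_consec_chunks > 0 && run >= cfg->num_consec_chunks)
                result = SC_EVENT;
        } else {
            run = 0;            /* a larger chunk breaks the run */
        }
    }
    return result;
}

int main(void)
{
    const small_chunk_cfg cfg = { 10, 5 };  /* small_chunk_length { 10 5 } */
    const char *samples[] = { SAMPLE_SMALL, SAMPLE_NORMAL,
                              SAMPLE_BROKEN_RUN, SAMPLE_OVERSIZE };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned run = 0;
        sc_result r = scan_chunked_body(samples[i], strlen(samples[i]), &cfg, &run);
        printf("sample %zu: result=%d longest_run=%u\n", i, (int)r, run);
    }
    return 0;
}
```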
9189
9190 * src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
9191 dynamic-preprocessors/dns/sf_dns.dsp,
9192 dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
9193 dynamic-preprocessors/imap/sf_imap.dsp,
9194 dynamic-preprocessors/isakmp/sf_isakmp.dsp,
9195 dynamic-preprocessors/sdf/sf_sdf.dsp,
9196 dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
9197 dynamic-preprocessors/sip/sf_sip.dsp,
9198 dynamic-preprocessors/smtp/sf_smtp.dsp,
9199 dynamic-preprocessors/ssh/sf_ssh.dsp,
9200 dynamic-preprocessors/ssl/sf_ssl.dsp,
9201 win32/WIN32-Prj/sf_engine.dsp,
9202 win32/WIN32-Prj/sf_engine_initialize.dsp,
9203 win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp:
9204 Fixed the Win32 build to (1) not use .pch, and (2) correct sed
9205 patterns on ipv6_port.h.
9206
9207 * src/output-plugins/spo_alert_sf_socket.c:
9208 Fixed a problem where Snort's generic IP address structure was
9209 being sent by the socket output plugin.
9210 The output plugin now only generates events for IPv4 packets,
9211 and is guaranteed to use uint32_t IPv4 addresses for interoperability.
9212
9213 * src/sfutil/: sfrt.c, sfrt.h:
9214 Optimized some memory usage.
9215
9216 * configure.in:
9217 Add check for pkg-config and provide instructions to get it if
9218 pkg-config is not installed.
9219
9220 * src/preprocessors/Stream5/: snort_stream5_tcp.c,
9221 stream5_common.h:
9222 Show single segment PAF packets and only short-circuit at
9223 correct sequence.
9224 When aborting PAF, flush at paf_max.
9225 Tweaked retransmission check to use actual sequence numbers
9226 instead of the adjusted sequence numbers.
9227 Changed the pseudo-random flush point after each flush.
9228
9229 * src/snort.c:
9230 Fixed a compilation error when active response is disabled.
9231
9232 * src/snort.h:
9233 Fixed a bug where Snort wouldn't daemonize on OpenBSD if the
9234 process was running as root. Thanks to Olaf Schreck for reporting
9235 this issue.
9236
9237 * src/preprocessors/: perf-base.c, perf-base.h, perf-event.c,
9238 perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h,
9239 spp_perfmonitor.c:
9240 Split out Perfmon submodule Init and Reset, so that everything is
9241 initialized when the Perfmonitor preprocessor is initialized.
9242 Previously, some data was initialized on the first packet.
9243
9244 * src/detection-plugins/sp_tcp_flag_check.c:
9245 Fixed a couple spots where the "1" and "2"
9246 flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for
9247 reporting the issue and supplying a patch.
9248
9249 * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
9250 src/dynamic-preprocessors/sip/sip_parser.c,
9251 src/dynamic-preprocessors/sip/spp_sip.h,
9252 preproc_rules/preprocessor.rules, etc/gen-msg.map:
9253 Added a new SIP preprocessor alert for missing content type headers.
9254 Fixed an issue where the SIP preprocessor checked for Stream5 even if
9255 the SIP preprocessor was disabled.
9256
9257 * etc/unicode.map:
9258 Updated unicode.map to match the unicode standard on Windows 7 SP1.
9259
9260 * etc/snort.conf:
9261 Sync'ed to VRT's latest snort.conf.
9262
9263 * src/: decode.c, detect.c:
9264 Tweaked the preprocessing loop to bypass app preprocs if no
9265 app data.
9266
9267 * src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sfrt_dir.c,
9268 src/dynamic-preprocessors/reputation/Makefile.am,
9269 src/dynamic-preprocessors/reputation/reputation_config.h,
9270 src/dynamic-preprocessors/reputation/reputation_utils.c,
9271 src/dynamic-preprocessors/reputation/sf_reputation.dsp,
9272 src/dynamic-preprocessors/reputation/spp_reputation.c,
9273 src/dynamic-preprocessors/reputation/spp_reputation.h,
9274 src/dynamic-preprocessors/reputation/reputation_config.c,
9275 src/dynamic-preprocessors/reputation/reputation_debug.h,
9276 src/dynamic-preprocessors/reputation/reputation_utils.h,
9277 doc/README.reputation, doc/Makefile.am, doc/snort_manual.pdf,
9278 doc/snort_manual.tex, preproc_rules/preprocessor.rules,
9279 src/dynamic-preprocessors/Makefile.am, configure.in,
9280 src/preprocids.h, etc/gen-msg.map:
9281 Added the IP Reputation preprocessor. This preprocessor provides
9282 the ability to whitelist and blacklist packets based on IP addresses.
9283 See README.reputation for more information.
9284
9285 * src/: sf_types.h, dynamic-plugins/sf_dynamic_plugins.c,
9286 dynamic-preprocessors/dcerpc2/Makefile.am,
9287 dynamic-preprocessors/dcerpc2/dce2_config.c,
9288 dynamic-preprocessors/dcerpc2/dce2_debug.h,
9289 dynamic-preprocessors/dcerpc2/dce2_paf.c,
9290 dynamic-preprocessors/dcerpc2/dce2_paf.h,
9291 dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
9292 dynamic-preprocessors/dcerpc2/snort_dce2.c:
9293 Added protocol-aware flushing support for the dcerpc2 preprocessor.
9294
9295 * src/dynamic-plugins/sf_convert_dynamic.c:
9296 Added the ability to convert shared object rules that use the
9297 preprocessor rule option.
9298
9299 * src/preprocessors/: snort_httpinspect.c, spp_httpinspect.c,
9300 HttpInspect/include/hi_paf.h, HttpInspect/utils/hi_paf.c,
9301 Stream5/snort_stream5_tcp.c:
9302 Don't enable paf unless stream ports configured
9303 for the given direction; add "(PAF)" to http inspect ports output
9304 to indicate when enabled; and only register port for given
9305 direction if corresponding flow depth is set.
9306
9307 Support full 32-bit content-lengths and chunk sizes, and flush/abort
9308 when exceeded.
9309
9310 * doc/README.SMTP, doc/snort_manual.tex,
9311 src/dynamic-preprocessors/smtp/smtp_config.h,
9312 src/dynamic-preprocessors/smtp/smtp_util.c,
9313 src/dynamic-preprocessors/smtp/snort_smtp.c,
9314 src/dynamic-preprocessors/smtp/snort_smtp.h,
9315 src/dynamic-preprocessors/smtp/spp_smtp.c:
9316 Fixed performance issue: allocate the buffers used
9317 for filename, mailfrom and rcptto logging using mempool
9318 ('memcap' used to allocate the mempool).
9319 Added a fatal error when b64_decode_depth is used with
9320 enable_mime_decoding.
9321
9322 2011-06-13 Ryan Jordan <ryan.jordan@sourcefire.com>
9323 Snort 2.9.1 Beta
9324 * configure.in:
9325 Updates to configure.in.
9326 - Fix zlib checks to use correctly named variable for checking zlib
9327 header and library existence.
9328 - Enable IPv6 by default in builds. Can use --disable-ipv6 to turn it off.
9329 using --enable-zlib, configure should fail. snort -V should show
9330 IPv6 by default and VRT config should load without modification.
9331 - Added a new option, "--enable-large-pcap", which allows Snort to read
9332 pcap files that are larger than 2 GB.
9333 - Changed the default ./configure options to match the requirements
9334 for the bundled snort.conf
9335 * doc/: INSTALL, README.imap, README.pop,
9336 README.SMTP, README.stream5, README.sip, README.tag,
9337 README.http_inspect, README.counts, README.normalize,
9338 snort_manual.pdf, snort_manual.tex:
9339 Updated documentation for Snort 2.9.1:
9340 - Added documentation for new SIP, POP and IMAP preprocessors
9341 - Updated README.stream5 with documentation for
9342 Protocol Aware Flushing (PAF)
9343 - Updated README.http_inspect with memcap information,
9344 clarified "http_cookie" information, and documentation for
9345 "log_uri" and "log_hostname".
9346 - Fixed a typo in README.counts
9347 - Updated "byte_extract" section to reflect syntax changes
9348 - Improved the explanation of "max_queued_events"
9349 - Added documentation for the ESP decoder, which is now configurable
9350 - Improved the explanation of "rawbytes"
9351 - Fixed an incorrect example in README.tag.
9352 * etc/snort.conf:
9353 Synced snort.conf with VRT's latest version.
9354
9355 Added configurations for new preprocessors.
9356 * preproc_rules/: decoder.rules, preprocessor.rules
9357 Added new preprocessor rules for SIP, SMTP, POP, and IMAP.
9358
9359 Added decoder rules 116:453, 116:454, and 116:455. These rules
9360 were formerly covered by VRT rules.
9361 * src/build.h: Updated build number to 46
9362 * src/decode.c:
9363 TCP and UDP decoder rules that require a fully-decoded packet will
9364 only fire if the checksum is correct and the port number is not ignored.
9365
9366 ESP decoding is now configurable, and off by default.
9367
9368 The "config enable_decode_oversized_alerts" option now applies to
9369 packets where the UDP header claims there is more data than actually exists.
9370 The Teredo decoder now only processes packets in the Teredo prefix
9371 (2001:0000::/32) or the link-local prefix (fe80::/16).
9372 * src/detection-plugins/sp_cvs.c:
9373 Fixed a false positive in the CVS detection plugin.
9374 * doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c:
9375 Made some changes to the byte_extract syntax:
9376 - Writing "string" without a number type defaults to decimal.
9377 - The "string" and "hex/dec/oct" options are now independent of each
9378 other, like in byte_test and byte_jump.
9379 You can write "string,dec", "hex,string", "string,relative,oct", etc.
9380 - Specifying one of "hex", "dec", and "oct" without using "string"
9381 results in an error.
9382 - byte_extract options can no longer be delimited by spaces.
9383 This does not affect "align <num>" or "multiplier <num>".
9384 * src/: parser.c, util.c, util.h,
9385 detection-plugins/sp_base64_decode.c,
9386 dynamic-plugins/sf_dynamic_plugins.c,
9387 dynamic-plugins/sf_dynamic_preprocessor.h,
9388 dynamic-plugins/sp_dynamic.c,
9389 dynamic-preprocessors/smtp/smtp_util.c,
9390 preprocessors/HttpInspect/client/hi_client.c,
9391 preprocessors/HttpInspect/server/hi_server.c,
9392 sfutil/sf_base64decode.c, sfutil/sf_base64decode.h:
9393 Changes include the following:
9394 - Attempt dechunking only when transfer-encoding: chunked is present.
9395 - Override the content length with transfer encoding
9396 - SnortStrcasestr uses slen now.
9397 - unfolding : trim spaces when required.
9398 * src/: pcap_pkthdr32.h, preprocessors/spp_frag3.c,
9399 preprocessors/Stream5/snort_stream5_tcp.c,
9400 preprocessors/Stream5/stream5_common.h, sfutil/sf_ipvar.c,
9401 sfutil/sf_ipvar.h, sfutil/sf_vartable.c:
9402 Update Frag3/Stream5 to print bound addresses, better descriptions of detect
9403 anomalies and port lists.
9404 - Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds
9405 - Updated Frag3 to print meaningful detect anomalies configuration
9406 - Updated Stream5 to print that there are more ports than those printed.
9407 * src/dynamic-plugins/sf_engine/: Makefile.am, sf_decompression.c,
9408 sf_decompression.h, sf_snort_detection_engine.c,
9409 sf_snort_plugin_api.h:
9410 Added a Decompression API that wraps Zlib for use with dynamic
9411 plugins. See sf_decompression.h for more details.
9412 * src/: fpcreate.c, fpdetect.c, treenodes.h:
9413 Update pattern matcher and sort functions to
9414 correctly sort by priority as well as implement sorting by
9415 content_length (which was never done with 2.8.2 addition of rule
9416 option tree).
9417
9418 Added a warning when max-pattern-len is defined twice.
9419
9420 Packets will no longer be tagged or logged if they are filtered or passed.
9421 * src/preprocessors/Stream5:
9422 Ensured that reassembly doesn't require packet dropping in IPS mode.
9423 The message "additional ports configured but not printed" is only printed
9424 when that is actually the case.
9425 * src/snort.c:
9426 fix output of filename / shutdown alerts sequence when iterating over multiple
9427 pcaps with --pcap-show --pcap-reset and console alerts (eg -A cmg or
9428 -A console:test).
9429
9430 Fixed an issue with reloading Snort while the default output options
9431 were used.
9432
9433 When reading several pcap files with --pcap-dir, Snort will move on
9434 to the next file if one fails to load.
9435 * src/output-plugins/spo_alert_full.c:
9436 Update alert_full to print rule references, regardless of whether
9437 there is TCP/UDP/etc.
9438 * src/output-plugins/spo_log_tcpdump.c:
9439 convert DLT_IPV{4,6} to DLT_RAW for compatibility with libpcap 1.0.0
9440 fix 'mixed decls and code' compiler warning
9441 * src/: decode.h, detect.c, detection_util.c, detection_util.h,
9442 fpcreate.c, fpdetect.c, log.c, log_text.c, parser.h, plugbase.c,
9443 rule_option_types.h, detection-plugins/Makefile.am,
9444 detection-plugins/detection_options.c,
9445 detection-plugins/sp_base64_data.c,
9446 detection-plugins/sp_byte_check.c,
9447 detection-plugins/sp_byte_extract.c,
9448 detection-plugins/sp_byte_jump.c,
9449 detection-plugins/sp_file_data.c,
9450 detection-plugins/sp_ftpbounce.c,
9451 detection-plugins/sp_isdataat.c,
9452 detection-plugins/sp_pattern_match.c,
9453 detection-plugins/sp_pcre.c, detection-plugins/sp_pkt_data.c,
9454 detection-plugins/sp_pkt_data.h,
9455 dynamic-plugins/sf_convert_dynamic.c,
9456 dynamic-plugins/sf_dynamic_common.h,
9457 dynamic-plugins/sf_dynamic_define.h,
9458 dynamic-plugins/sf_dynamic_engine.h,
9459 dynamic-plugins/sf_dynamic_plugins.c,
9460 dynamic-plugins/sf_dynamic_preprocessor.h,
9461 dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h,
9462 dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
9463 dynamic-plugins/sf_engine/sf_snort_packet.h,
9464 dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
9465 dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
9466 dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
9467 dynamic-preprocessors/ftptelnet/pp_ftp.c,
9468 dynamic-preprocessors/ftptelnet/pp_telnet.c,
9469 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
9470 dynamic-preprocessors/smtp/smtp_util.c,
9471 dynamic-preprocessors/smtp/snort_smtp.c,
9472 dynamic-preprocessors/smtp/snort_smtp.h,
9473 preprocessors/snort_httpinspect.c,
9474 preprocessors/snort_httpinspect.h,
9475 preprocessors/spp_rpc_decode.c,
9476 preprocessors/HttpInspect/server/hi_server.c,
9477 preprocessors/HttpInspect/server/hi_server_norm.c,
9478 preprocessors/Stream5/snort_stream5_tcp.c:
9479 The "file_data" and "base64_data" rule options now set the buffer
9480 for any rule options that follow them. This applies to both relative
9481 and non-relative rule options.
9482
9483 The detection code now uses 3 separate buffers:
9484 - "Alt Detect": set by file_data, base64_data, etc.
9485 - "Alt Decode": set by preprocessor normalization, e.g. HTTP Inspect
9486 - Raw packet data
9487
9488 The AltDetect buffer can also be set by custom .so rules.
9489 * src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c,
9490 src/sfutil/Unified2_common.h:
9491 IPv6 source and destination addresses are now logged in Unified2
9492 as extra data events. This is configured with "config log_ipv6_extra_data".
9493 * src/dynamic-preprocessors/sip/Makefile.am,
9494 src/dynamic-preprocessors/sip/sf_sip.dsp,
9495 src/dynamic-preprocessors/sip/sip_config.c,
9496 src/dynamic-preprocessors/sip/sip_config.h,
9497 src/dynamic-preprocessors/sip/sip_debug.h,
9498 src/dynamic-preprocessors/sip/sip_dialog.c,
9499 src/dynamic-preprocessors/sip/sip_dialog.h,
9500 src/dynamic-preprocessors/sip/sip_parser.c,
9501 src/dynamic-preprocessors/sip/sip_parser.h,
9502 src/dynamic-preprocessors/sip/sip_roptions.c,
9503 src/dynamic-preprocessors/sip/spp_sip.c,
9504 src/dynamic-preprocessors/sip/spp_sip.h,
9505 src/dynamic-preprocessors/sip/sip_roptions.h,
9506 src/dynamic-preprocessors/sip/sip_utils.c,
9507 src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip,
9508 etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am,
9509 src/dynamic-preprocessors/sip/test/sip_test.c, configure.in,
9510 src/dynamic-preprocessors/Makefile.am:
9511 Added a new preprocessor for SIP traffic.
9512 See README.sip and the Snort Manual for more information.
9513 * src/: dynamic-preprocessors/dcerpc2/dce2_utils.c,
9514 dynamic-preprocessors/dcerpc2/spp_dce2.c,
9515 preprocessors/spp_frag3.c:
9516 Make Frag3 OpenBSD Vuln alert only happen if the frag policy is
9517 'linux' (which includes OpenBSD). The 'bsd' policy is NOT used
9518 for OpenBSD, which is the only OS on which the vulnerability was
9519 present.
9520
9521 This reduces false positives to only occur when frag3 policy is
9522 linux and it's an actual linux system, rather than the alert
9523 occurring regardless of frag policy.
9524 * src/: detection-plugins/Makefile.am,
9525 detection-plugins/sp_byte_extract.c,
9526 detection-plugins/sp_byte_extract.h,
9527 dynamic-plugins/sf_convert_dynamic.c,
9528 dynamic-plugins/sf_engine/Makefile.am,
9529 dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
9530 dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
9531 dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
9532 dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
9533 dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
9534 dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
9535 dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
9536 dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
9537 dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
9538 Added support for ByteExtract variables to the .so rule versions of
9539 Content, ByteTest, ByteJump, and isdataat.
9540 * src/: encode.c, preprocessors/spp_normalize.c,
9541 preprocessors/Stream5/snort_stream5_tcp.c,
9542 preprocessors/Stream5/stream5_common.c:
9543 Fixed the TTL on encoded response packets.
9544 * src/: fpcreate.c, fpdetect.c,
9545 detection-plugins/sp_pattern_match.c,
9546 detection-plugins/sp_pattern_match.h,
9547 dynamic-plugins/sf_dynamic_define.h,
9548 dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
9549 dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
9550 Update to not inspect HTTP method buffer with Snort's fast pattern engine.
9551 Rules with only HTTP method content end up as non-content rules.
9552 This eliminates a short cycle of searches with fast pattern on every
9553 initial HTTP request.
9554 * src/dynamic-preprocessors/pop/: all files
9555 Added a new preprocessor for POP traffic.
9556 See README.pop for more information.
9557 * src/dynamic-preprocessors/imap/: all files
9558 Added a new preprocessor for IMAP traffic.
9559 See README.imap for more information.
9560 * src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
9561 Base64 decoding was moved to its own section in sfutil, for use
9562 by the new email preprocessors.
9563
9564 Added support for uuencoded email attachments.
9565 * src/dynamic-preprocessors/sdf/spp_sdf.c:
9566 The Sensitive Data preprocessor now inspects the "file_data" buffer, used
9567 for HTTP response bodies & decoded email attachments.
9568 * src/: snort.c, preprocessors/spp_stream5.c,
9569 preprocessors/stream_api.h:
9570 Update Snort to return a DAQ verdict of whitelist (meaning don't
9571 send Snort any more packets) for sessions that are being ignored
9572 in both directions or ports that are configured to ignore. For
9573 DAQ modules and hardware that supports it, this should result in
9574 a performance gain because Snort no longer has to decode packets
9575 that are part of that connection.
9576 * src/util.c:
9577 Added an error message when opening a pid file fails.
9578 * src/preprocessors/HttpInspect/: client/hi_client.c,
9579 server/hi_server.c:
9580 The Set-Cookie: and Cookie: headers won't be included in the cookie buffers.
9581 * configure.in, src/active.c, src/active.h, src/decode.h,
9582 src/encode.c, src/encode.h, src/log_text.c, src/log_text.h,
9583 src/parser.c, src/parser.h, src/sf_types.h, src/sfdaq.c,
9584 src/sfdaq.h, src/snort.h, src/snort_debug.h,
9585 src/detection-plugins/sp_react.c,
9586 src/detection-plugins/sp_respond3.c,
9587 src/dynamic-plugins/sf_dynamic_define.h,
9588 src/dynamic-plugins/sf_engine/sf_snort_packet.h,
9589 src/preprocessors/snort_httpinspect.c,
9590 src/preprocessors/spp_httpinspect.c,
9591 src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
9592 src/preprocessors/HttpInspect/Makefile.am,
9593 src/preprocessors/HttpInspect/include/Makefile.am,
9594 src/preprocessors/HttpInspect/include/hi_paf.h,
9595 src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
9596 src/preprocessors/HttpInspect/server/hi_server.c,
9597 src/preprocessors/HttpInspect/utils/Makefile.am,
9598 src/preprocessors/HttpInspect/utils/hi_paf.c,
9599 src/preprocessors/Stream5/Makefile.am,
9600 src/preprocessors/Stream5/snort_stream5_icmp.c,
9601 src/preprocessors/Stream5/snort_stream5_session.c,
9602 src/preprocessors/Stream5/snort_stream5_tcp.c,
9603 src/preprocessors/Stream5/snort_stream5_tcp.h,
9604 src/preprocessors/Stream5/snort_stream5_udp.c,
9605 src/preprocessors/Stream5/stream5_common.c,
9606 src/preprocessors/Stream5/stream5_common.h,
9607 src/preprocessors/Stream5/stream5_paf.c,
9608 src/preprocessors/Stream5/stream5_paf.h, src/sfutil/sf_textlog.h:
9609 Added support in Stream5 for Protocol Aware Flushing (PAF).
9610 PAF allows Snort to statefully scan a stream and reassemble a complete
9611 PDU regardless of segmentation.
9612
9613 Added PAF support to HTTP Inspect, allowing the preprocessor to determine
9614 when HTTP sessions are flushed by Stream5.
9615
9616 See README.stream5 for more details.
9617 * src/preprocessors/: stream_ignore.h, stream_ignore.c,
9618 Stream5/snort_stream5_udp.c:
9619 added support for ignoring UDP channels. Light weight session
9620 will be created to track UDP channel, even ports are not
9621 monitored.
9622 * src/win32/: most files
9623 Updated Snort and its libraries to build/link against MFC.
9624
9625 2011-03-23 Steven Sturges <ssturges@sourcefire.com>
9626 * src/build.h:
9627 Increment Snort build number to 134
9628 * src/: decode.h, encode.c:
9629 * src/dynamic-plugins/sf_engine/: sf_snort_packet.h:
9630 * src/preprocessors/: spp_sfportscan.c, spp_frag3.c:
9631 * src/output-plugins/: spo_alert_fast.c:
9632 * src/preprocessors/Stream5/: stream5_common.c:
9633 Updated portscan to set protocol correctly in raw packet for
9634 IPv6 and changed the encoder to recognize portscan packets as pseudo
9635 packets so that the checksum isn't calculated
9636 * src/: sfdaq.c, util.c:
9637 Improve handling of DAQ failure codes when Snort is shutting down.
9638 * src/preprocessors/spp_perfmonitor.c:
9639 Update perfmonitor to create now files prior to dropping privs
9640
9641 2011-03-16 Ryan Jordan <ryan.jordan@sourcefire.com>
9642 Snort 2.9.0.5
9643 * src/build.h:
9644 Increment Snort build number to 132
9645 * src/snort.c:
9646 * src/preprocessors/: normalize.c, perf-base.c, perf-base.h,
9647 Stream5/snort_stream5_tcp.c:
9648 TCP timestamp options are only NOPed by the Normalization preprocessor
9649 if Stream5 has seen a full 3-way handshake, and timestamps weren't
9650 negotiated.
9651
9652 The IPS mode reassembly policy has been refactored to do stream
9653 normalization within the first policy.
9654
9655 Packets injected by the normalization preprocessor are now counted
9656 in the packet statistics.
9657 * doc/snort_manual.tex:
9658 * src/: parser.c, parser.h:
9659 * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
9660 Added a "config vlan_agnostic" setting that globally disables Stream's
9661 use of vlan tag in session tracking.
9662 * src/: snort.c, preprocessors/normalize.c,
9663 preprocessors/spp_normalize.c, preprocessors/spp_normalize.h,
9664 preprocessors/perf-base.c, preprocessors/perf-base.h:
9665 * doc/: README.normalize, snort_manual.pdf, snort_manual.tex:
9666 Fixed the normalization preprocessor to call its post-initialization
9667 config functions during a policy reload.
9668
9669 Packets can no longer be trimmed below the minimum ethernet frame
9670 length. Trimming is now configurable with the "normalize_ip4: trim;"
9671 option. TOS clearing is now configurable with "normalize_ip4: tos;".
9672
9673 The "normalize_ip4: trim" option is automatically disabled if the
9674 DAQ can't inject packets. If the DAQ tries and fails to inject
9675 a given packet, the wire packet is not blocked.
9676
9677 Updated documentation regarding these changes.
9678 * src/detection-plugins/sp_cvs.c:
9679 Fixed a false positive in the CVS detection plugin. It was incorrectly
9680 parsing CVS entries that had a '+' in between the 3rd and 4th slashes.
9681 * src/preprocessors/HttpInspect/: client/hi_client.c,
9682 server/hi_server.c:
9683 Changed a pointer comparison to a size check for code readability.
9684 Belated thanks to Dwane Atkins and Parker Crook for reporting a
9685 related issue that was fixed in Snort 2.9.0.4 build 111.
9686
9687 Moved the zlib initialization such that gzipped responses are still
9688 inspected if the zipped data starts after the first Stream-reassembled
9689 packet is inspected.
9690 * src/decode.c:
9691 Fixed an issue with decoding too many IP layers in a single packet. The
9692 Teredo proto bit was not unset after hitting the limit on IP layers.
9693 Thanks to Dwane Atkins for reporting this issue.
9694
9695 IPv6 fragmented packets are no longer inspected unless they have an
9696 offset of zero and the next layer is UDP. This behavior is consistent
9697 with IPv4 decoding.
9698 Thanks to Martin Schütte for reporting an issue where fragged ICMPv6
9699 packets were being inspected.
9700
9701 The decoder no longer attempts to decode Teredo packets inside of
9702 IPv4 fragments, instead waiting for the reassembled packet.
9703 * src/encode.c:
9704 Fixed a problem where encoded packets had their lengths calculated
9705 incorrectly. This caused the active response feature to generate
9706 incorrect RST packets if the original packet had a VLAN tag.
9707 * preproc_rules/preprocessor.rules:
9708 Updated references to rule 125:1:1
9709 * src/preprocessors/spp_perfmonitor.c:
9710 Perfmonitor files are now created after Snort changes uid/gid.
9711 * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
9712 Fixed the size formatting of an error message argument when
9713 compiling with --enable-rzb-saac.
9714 Thanks to Cleber S. Brandão for reporting this issue.
9715 * etc/snort.conf:
9716 Updated the default snort.conf with max compress and decompress
9717 depths to enable unlimited decompression of gzipped HTTP responses.
9718 * snort.8:
9719 Fixed the man page's URL regarding the location of Snort rules.
9720 Thanks to Michael Scheidell for reporting an out-of-date man page section.
9721 * doc/README.http_inspect, doc/snort_manual.tex,
9722 src/preprocessors/snort_httpinspect.c:
9723 HTTP Inspect's "unlimited_decompress" option now requires that
9724 "compress_depth" and "decompress_depth" are set to their max values.
9725 * src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h,
9726 dynamic-plugins/sf_dynamic_engine.h,
9727 preprocessors/Stream5/snort_stream5_tcp.c:
9728 Fixed an error that prevented compiling with --disable-dynamicplugin.
9729 Thanks to Jason Wallace for reporting this issue.
9730 * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c,
9731 snort_ftptelnet.h, spp_ftptelnet.c:
9732 Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside
9733 the ftp_telnet preprocessor to avoid a naming conflict with similar
9734 functions in HTTP Inspect.
9735 Thanks to Bruce Corwin for reporting this issue.
9736 * src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c,
9737 perf-flow.h:
9738 Fixed comparisons between signed and unsigned int, which led to
9739 a faulty length check.
9740 Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this
9741 issue.
9742
9743 2011-02-28 Ryan Jordan <ryan.jordan@sourcefire.com>
9744 Snort 2.9.0.4
9745 * src/build.h:
9746 Increment Snort build number to 111.
9747 * src/preprocessors/HttpInspect/client/hi_client.c:
9748 src/preprocessors/HttpInspect/server/hi_server.c:
9749 Fixed a bug in the way partial HTTP headers are handled.
9750
9751 2011-02-10 Ryan Jordan <ryan.jordan@sourcefire.com>
9752 Snort 2.9.0.4
9753 * src/build.h: Increment Snort build number to 110
9754 * snort.8, src/snort.c:
9755 Updated Snort man page to match the output of "snort --help".
9756 Removed "-o" from the list of valid options, since it was removed
9757 a while ago.
9758 The verdict from defragged packets are no longer cleared, so that
9759 they can be applied to the raw packet.
9760 Thanks to Markus Lude for submitting a patch that fixed errors in the
9761 man page.
9762 * src/fpcreate.c:
9763 Deleted the call to fpDeletePortGroup() prior to calling FatalError().
9764 * src/parser.c:
9765 Fixed portvar parsing code to correctly display names of undefined
9766 portvars.
9767 * src/preprocessors/Stream5/snort_stream5_tcp.c:
9768 Fixed a FIN sequence number handling issue, where RST after FIN caused a
9769 false positive on Stream5 preprocessor rule 129:15.
9770 Thanks to Jason Wallace for pointing out the issue.
9771 * doc/: INSTALL, README.frag3, README.http_inspect, README.stream5,
9772 snort_manual.tex, snort_manual.pdf:
9773 Added documentation for the option "small-segments".
9774 Updated team members.
9775 Clarified some undocumented "flow" options.
9776 Minor edits to punctuation on "ssl_version" examples.
9777 Re-worded uricontent's description.
9778 Added missing semicolons to rule option examples.
9779 Updated "enable_cookie" documentation.
9780 Added documentation for "iis_encode" in http_encode keywords.
9781 Improved the description of the "disable" keyword.
9782 Added "--enable-sourcefire" description.
9783 Thanks to Joshua Kinard for sending in several patches to the manual.
9784 * doc/: Makefile.am, README.rzb_saac:
9785 Added SaaC readme.
9786 * configure.in, doc/Makefile.am, doc/README.rzb_saac, src/snort.c,
9787 src/util.c, src/util.h,
9788 src/dynamic-plugins/sf_engine/examples/Makefile.am,
9789 src/dynamic-preprocessors/Makefile.am,
9790 src/dynamic-preprocessors/dns/spp_dns.c,
9791 src/dynamic-preprocessors/rzb_saac/Makefile.am,
9792 src/dynamic-preprocessors/rzb_saac/rzb_debug.c,
9793 src/dynamic-preprocessors/rzb_saac/rzb_debug.h,
9794 src/dynamic-preprocessors/rzb_saac/rzb_http-client.c,
9795 src/dynamic-preprocessors/rzb_saac/rzb_http-client.h,
9796 src/dynamic-preprocessors/rzb_saac/rzb_http-collector.h,
9797 src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c,
9798 src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h,
9799 src/dynamic-preprocessors/rzb_saac/rzb_http-server.c,
9800 src/dynamic-preprocessors/rzb_saac/rzb_http-server.h,
9801 src/dynamic-preprocessors/rzb_saac/rzb_http.h,
9802 src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c,
9803 src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h,
9804 src/dynamic-preprocessors/rzb_saac/sf_preproc_info.h,
9805 src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c:
9806 Added Razorback SaaC to the dynamic-preprocessors.
9807 Use --enable-rzb-saac to build it. Moved the initgroups call to a
9808 separate function and call it from the main thread.
9809 * src/detection-plugins/sp_clientserver.c:
9810 Fixed an erroneous error check so that "no_frag" and "no_stream" can be
9811 used in the same "flow" rule option.
9812 * src/detection-plugins/sp_pattern_match.c:
9813 Rules that use a "depth" value lower than the length of their content
9814 now cause an error. Depth should be >= the content length.
9815 * src/detection-plugins/sp_tcp_flag_check.c:
9816 Changed the reserved bits flags "1, 2" to "C, E". The old values can still
9817 be used for backwards compatibility.
9818 * preproc_rules/preprocessor.rules:
9819 Added references to FTP and SMTP preprocessor rules.
9820 * src/dynamic-plugins/sf_engine/examples/: detection_lib_meta.h:
9821 Removed extraneous ifdef
9822 * src/: preprocessors/spp_frag3.c, preprocessors/spp_sfportscan.c,
9823 dynamic-preprocessors/dcerpc2/dce2_config.c:
9824 Added startup log message to show that the preprocessors are
9825 inactive when added to snort.conf as "disabled".
9826 Updated frag3 startup log to indicate the memcap from which prealloc
9827 fragments were generated.
9828 * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
9829 Updated the Frag3KeyCmp and Stream5KeyCmp functions to handle 32bit
9830 sparc platforms where 64bit pointer comparisons can cause bus
9831 errors. Thanks to Stephan for reporting this issue.
9832 * src/: preprocessors/portscan.c, win32/WIN32-Includes/config.h:
9833 Portscan preprocessor's hash table is now allocated based on
9834 the memcap, instead of being the same size.
9835 * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_utils.c, dce2_smb.c:
9836 Fixed a bug that caused dcerpc2 to reassemble some segments incorrectly.
9837 If extra bytes at the end of a request corrupt the next request, they
9838 will be discarded.
9839 * src/dynamic-preprocessors/ssl/spp_ssl.c:
9840 Updated the SSL preproc to count the packets it processes,
9841 instead of counting all packets to enter the initial function.
9842 * doc/: faq.tex, faq.pdf:
9843 Updated FAQ based on snort.org reorganization.
9844 * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex:
9845 Updated cookie documentation.
9846 Cookie buffer includes "Cookie" header name for HTTP requests and
9847 "Set-Cookie" for HTTP responses. When enable_cookie is disabled,
9848 cookie buffer points to the HTTP header
9849 * src/preprocessors/snort_httpinspect.c:
9850 Fixed the error message during parsing of HTTP inspect
9851 server config. Make it a warning.
9852 * src/: detection_util.h, preprocessors/snort_httpinspect.c,
9853 preprocessors/spp_httpinspect.c,
9854 preprocessors/HttpInspect/client/hi_client.c,
9855 preprocessors/HttpInspect/include/hi_client.h,
9856 preprocessors/HttpInspect/include/hi_norm.h,
9857 preprocessors/HttpInspect/include/hi_ui_config.h,
9858 preprocessors/HttpInspect/normalization/hi_norm.c,
9859 preprocessors/HttpInspect/server/hi_server.c:
9860 Fixed a false positive due to a large chunk length followed
9861 by a small packet.
9862 Moved the lookup table such that they are initialized only once.
9863 When de-chunking returns error, the data is now inspected as a
9864 normal body.
9865 Moved the Initialize function out of hi_ui_config.h.
9866 CRLFs are no longer placed in the status message buffer.
9867 * many files:
9868 Updated all Sourcefire copyright notices to the year 2011.
9869
9870 2010-12-20 Ryan Jordan <ryan.jordan@sourcefire.com>
9871 Snort 2.9.0.3
9872 * src/build.h:
9873 Increment Snort build number to 98
9874 * doc/: snort_manual.tex, snort_manual.pdf:
9875 Fixed Snort manual descriptions of some rule options.
9876 Changed whitespace in several areas to be more consistent.
9877 Max mime mem example changed from 1000 to 4000.
9878 Updated manual for distance / within / offset / depth combos.
9879 Thanks to Joshua Kinard for submitting several fixes.
9880 * doc/INSTALL:
9881 Update doc/INSTALL with instructions for building on OpenBSD.
9882 * src/dynamic-preprocessors/smtp/smtp_config.c:
9883 Print alert_unknown_commands in SMTP config of snort output.
9884 Print the SMTP MIME config details with snort output.
9885 * src/: decode.c, decode.h, snort.c:
9886 discriminate between ip4 and ip6 raw packets
9887 Thanks to Gerald Maziarski for reporting this issue.
9888 * src/detection-plugins/: detection_options.c, sp_byte_jump.c,
9889 sp_pattern_match.c:
9890 restore doe flags along with doe pointer.
9891 * preproc_rules/preprocessor.rules:
9892 Updated preprocessor.rules references to match VRT.
9893 * src/dynamic-preprocessors/smtp/spp_smtp.c:
9894 When the SMTP preprocessor is started in a
9895 "disabled" state, it no longer requires Stream5.
9896 * src/decode.c:
9897 Truncated ESP traffic is now handled correctly.
9898 Thanks to rmkml for bringing the issue to our attention.
9899 * src/: decode.c, fpdetect.c:
9900 Fixed a problem with handling UDP/IPv6 over Teredo where the inner UDP
9901 header was malformed.
9902 * preproc_rules/preprocessor.rules:
9903 Added a reference to preprocessor.rules.
9904 * src/dynamic-preprocessors/smtp/spp_smtp.c:
9905 When the SMTP preprocessor is started in a
9906 "disabled" state, it no longer requires Stream5.
9907 * src/detection-plugins/: detection_options.c, sp_pattern_match.c:
9908 Update content to check for HTTP_RESP_BODY in packet flag
9909 if option is relative and not using rawbytes.
9910 * etc/snort.conf:
9911 Update with snort.conf from VRT
9912 * src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h:
9913 Bumped minor version number in example detection lib.
9914 * src/preprocessors/spp_frag3.c:
9915 Fix memory leak when there are two zero offset
9916 fragments with different IP options. Previous code was blindly
9917 copying new IP options over top of existing ones.
9918 * src/dynamic-plugins/sf_engine/: sf_snort_detection_engine.c,
9919 sf_snort_plugin_api.h:
9920 Fixed overlaps in various flags in the Shared Object rule API.
9921 Shared Object rules from previous 2.9.0 versions need to be recompiled.
9922 * src/detection-plugins/sp_pattern_match.c:
9923 Moved non-zero initializations in the PatternMatchData struct
9924 to the NewNode() function. This fixes the use of depth, offset,
9925 distance, and within on uricontent options.
9926 Reject invalid combinations of distance/within and offset/depth
9927 including repeated keywords.
9928 Thanks to Dave Bertouille and Daniel Clemens for pointing out issues here.
9929 * src/: snort.c, util.c, util.h:
9930 write correct pid to file for glibc2.2 / linux threads
9931 * src/preprocessors/: snort_httpinspect.c,
9932 HttpInspect/mode_inspection/hi_mi.c:
9933 Fixed an instance where HTTP session data was not checked.
9934 DAQ 0.5
9935 * daq/os-daq-modules/Makefile.am:
9936 The IPFW DAQ now builds on OpenBSD.
9937 Thanks to Ross Lawrie, Randall Rioux, and many others for reporting this.
9938
9939 2010-11-15 Ryan Jordan <ryan.jordan@sourcefire.com>
9940 Snort 2.9.0.2
9941 * preproc_rules/preprocessor.rules:
9942 Added a reference to an 0day ProFTP bug in a FTP
9943 preprocessor rule.
9944 * src/build.h:
9945 Increment Snort build number to 92
9946 * src/preprocessors/Stream5/snort_stream5_tcp.c:
9947 Count only acked segs for flushing post-ack. Thanks to Eoin Miller
9948 for helping track this issue and provide test scenarios.
9949 * src/detection_util.h:
9950 * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
9951 * src/preprocessors/Stream5/snort_stream5_tcp.c:
9952 fix file_data:mime in So rules. content matches following
9953 file_data:mime should not enter fast pattern matcher. Reset file_data_ptr once
9954 stream flush is done and stream reassembled packet is processed.
9955 * src/dynamic-preprocessors/ssl/spp_ssl.c:
9956 Fix return value for SSL rule options
9957 * src/: plugbase.h, preprocessors/snort_httpinspect.c:
9958 Set the dce preproc bit in HTTP only when server flow depth is -1
9959 * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_smb.c,
9960 dce2_utils.c, dce2_utils.h, includes/smb.h:
9961 use offset or remaining fields and overwrite
9962 as appropriate instead of always appending data
9963 * src/preprocessors/HttpInspect/server/hi_server.c:
9964 * src/preprocessors/HttpInspect/client/hi_client.c:
9965 Fixed a couple of memory leaks.
9966 * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
9967 Fixed an error in the handling of HTTP Session Data.
9968 * doc/: README.http_inspect,snort_manual.pdf, snort_manual.tex:
9969 Update to the snort manual. remove the stream5
9970 alerts. reference the gen-msg.map.
9971 * preprocessors/Stream5/snort_stream5_tcp.c:
9972 urgent pointer handling corrected for one
9973 byte of urgent data at the start of a segment. The general case
9974 of an N-byte urgent payload prefix would be handled here by
9975 removing the == 1 limit in urg_offset == 1 but that restriction
9976 is not safe until we flush urgent data. As is, urgent data is
9977 never flushed in reassembled packets and can only be detected in
9978 raw packets.
9979 pointer handling.
9980 * src/: decode.h, detection_util.h, plugbase.h,
9981 preprocessors/snort_httpinspect.c,
9982 preprocessors/snort_httpinspect.h,
9983 preprocessors/HttpInspect/server/hi_server.c,
9984 Apply server flow depth on a session basis
9985 rather than per packet basis. This change improves the
9986 performance by disabling detect on packet when the packet is
9987 beyond the specified flow depth. server_flow_depth now takes
9988 values from -1 to 65535
9989 * src/parser.c:
9990 Correct setting of dup_opt_func and cleanup existing opt_func list before
9991 hand to address parse-time leak.
9992
9993 2010-11-01 Ryan Jordan <ryan.jordan@sourcefire.com>
9994 Snort 2.9.0.1
9995 * doc/: snort_manual.pdf, snort_manual.tex:
9996 Added "flush_factor".
9997 Fixed incorrect line wrap (thx Shawn Thompson).
9998 values for within and depth updated
9999 * src/build.h:
10000 Increment Snort build number to 82.
10001 * src/preprocessors/HttpInspect/: client/hi_client.c,
10002 server/hi_server.c:
10003 HTTP header buffers (raw/normalized) now include the missing \n (of \r\n\r\n).
10004 * src/target-based/sf_attribute_table.y:
10005 Set YYMAXDEPTH to something that covers large number of services for a single host.
10006 * src/parser.c, src/preprocessors/spp_stream5.c,
10007 doc/snort_manual.pdf, doc/snort_manual.tex:
10008 Fix use of config flowbits_size and update default to 1024.
10009 * src/detection-plugins/sp_pcre.c:
10010 Correct calculation of offset to its original now that libpcre is fixed.
10011 * src/: detection-plugins/sp_pcre.c, win32/WIN32-Includes/pcre.h,
10012 win32/WIN32-Includes/pcreposix.h, win32/WIN32-Libraries/pcre.lib:
10013 Update Win32 libpcre to newer version and use --enable-newline-is-cr instead of
10014 --enable-newline-is-any. Also added comments to sp_pcre.c in terms of how Snort is
10015 interpreting the ovector from pcre_exec.
10016 * etc/gen-msg.map:
10017 Added rules 120:4 and 120:5 to gen-msg.map.
10018 * src/preprocessors/Stream5/snort_stream5_tcp.c:
10019 Fix issue when handling overlap limit enforcement. Thanks to rmkml
10020 and Miguel Alvarez for pointing out the issue.
10021 * src/preprocessors/Stream5/snort_stream5_tcp.c:
10022 fix flush after initial when acks are withheld
10023 conditional on NORMALIZER
10024 process stream after window slam unless normalizing
10025 fully separate pre-ack flush from post-ack flush to ensure switching on policy for listener direction;
10026 allow window limit greater than 16-bit; tweak flush point tracing.
10027 added preprocessor rule 129:19, window slam
10028 * src/preprocessors/Stream5/: snort_stream5_tcp.c,
10029 stream5_common.h:
10030 add stream5_tcp: flush_factor <#>
10031 * doc/snort_manual.tex, src/detection-plugins/sp_ttl_check.c:
10032 Allow >= and <= with ttl keyword. Also fix the parsing for ttl. Update manual
10033 * src/util.c:
10034 Make parent_wait variable volatile so it doesn't get optimized out.
10035 * src/decode.c:
10036 In CheckIPv4_MinTTL(), use the ttl passed as an argument instead of the packet's IP header.
10037 * preproc_rules/preprocessor.rules:
10038 adds preprocessor rule 129:19
10039 * etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
10040 src/generators.h:
10041 Ported .so rule for ICMP DOS to decoder.
10042 * etc/gen-msg.map, src/generators.h,
10043 * src/: active.c, encode.c, detection-plugins/sp_react.c:
10044 set ack number appropriately
10045 * src/preprocessors/snort_httpinspect.c:
10046 file data ptr should be set to the decode buffer when the http response body is normalized.
10047 * src/preprocessors/HttpInspect/: client/hi_client.c,
10048 server/hi_server.c:
10049 inspect stream inserted packets to check if they have a valid HTTP response.
10050 When there is a single segment HTTP response inspect the body.
10051 Don't wait for the reassembled packet (due to flush point issues)
10052 * src/: detection_util.h, fpdetect.c,
10053 detection-plugins/sp_byte_check.c,
10054 detection-plugins/sp_byte_extract.c,
10055 detection-plugins/sp_byte_jump.c,
10056 detection-plugins/sp_ftpbounce.c,
10057 detection-plugins/sp_isdataat.c,
10058 detection-plugins/sp_pattern_match.c,
10059 detection-plugins/sp_pcre.c, preprocessors/snort_httpinspect.c,
10060 preprocessors/HttpInspect/server/hi_server.c:
10061 When extended_response_inspection is not enabled check for "HTTP".
10062 If present, apply flow depth otherwise do not disable detect and don't apply flow depth.
10063 * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex:
10064 Update Manual and README.http_inspect
10065 * src/signature.c:
10066 remove commented out printfs
10067 * src/preprocessors/HttpInspect/server/hi_server.c:
10068 inspect stream reassembled packets only when stream reassembly is turned on.
10069 * tools/u2boat/Makefile.am:
10070 Update Makefile to include docdir
10071 * src/encode.c:
10072 don't calculate checksum for pseudo-packets
10073 * src/: decode.c, decode.h, detect.c, detection_util.c,
10074 detection_util.h, fpdetect.c, log.c, log_text.c, mstring.c,
10075 detection-plugins/detection_options.c,
10076 detection-plugins/sp_asn1.c, detection-plugins/sp_base64_data.c,
10077 detection-plugins/sp_base64_decode.c,
10078 detection-plugins/sp_byte_check.c,
10079 detection-plugins/sp_byte_extract.c,
10080 detection-plugins/sp_byte_jump.c,
10081 detection-plugins/sp_file_data.c,
10082 detection-plugins/sp_ftpbounce.c,
10083 detection-plugins/sp_isdataat.c,
10084 detection-plugins/sp_pattern_match.c,
10085 detection-plugins/sp_pcre.c, detection-plugins/sp_urilen_check.c,
10086 dynamic-plugins/sf_dynamic_common.h,
10087 dynamic-plugins/sf_dynamic_engine.h,
10088 dynamic-plugins/sf_dynamic_plugins.c,
10089 dynamic-plugins/sf_dynamic_preprocessor.h,
10090 dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
10091 dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
10092 dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
10093 dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
10094 dynamic-preprocessors/ftptelnet/pp_ftp.c,
10095 dynamic-preprocessors/ftptelnet/pp_telnet.c,
10096 dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
10097 dynamic-preprocessors/smtp/smtp_util.c,
10098 dynamic-preprocessors/smtp/snort_smtp.c,
10099 output-plugins/spo_unified2.c, preprocessors/snort_httpinspect.c,
10100 preprocessors/spp_httpinspect.c, preprocessors/spp_rpc_decode.c,
10101 preprocessors/HttpInspect/client/hi_client.c,
10102 preprocessors/HttpInspect/normalization/hi_norm.c,
10103 preprocessors/HttpInspect/server/hi_server.c,
10104 preprocessors/HttpInspect/server/hi_server_norm.c,
10105 preprocessors/Stream5/snort_stream5_tcp.c:
10106 add buffer length attribute to alt decode buffer and don't set alt decode flag for alt_dsize changes
10107 which are indicated by that value being non-zero.
10108 * src/preprocessors/Stream5/snort_stream5_tcp.c:
10109 purge listener for pre-ack
10110 Flip the direction to match that the configurations in stream5_tcp.
10111 * src/: decode.h, preprocessors/spp_httpinspect.c,
10112 preprocessors/HttpInspect/normalization/hi_norm.c:
10113 add new keyword to http_encode to detect ascii encoding
10114 * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
10115 Propagate noalert back to detection option tree.
10116 * src/: parser.c, signature.c, signature.h:
10117 Allow multiple .so rules to reference a single soid metadata.
10118 * doc/: README.active, README.daq, snort_manual.pdf,
10119 snort_manual.tex:
10120 clarify use of multiple --daq and config daq.
10121 * src/parser.c:
10122 error on multiple --daq args
10123
10124 2010-10-04 Ryan Jordan <ryan.jordan@sourcefire.com>
10125 Snort 2.9.0
10126 * doc/Makefile.am:
10127 * doc/README.FLEXRESP:
10128 * doc/README.FLEXRESP2:
10129 * doc/README.http_inspect:
10130 * doc/README.INLINE:
10131 * doc/README.ipv6:
10132 * doc/README.stream5:
10133 * doc/README.wireless:
10134 * doc/snort_manual.tex:
10135 Removed obsolete README files. Updated README.ipv6.
10136 Documented other changes made below.
10137
10138 * etc/gen-msg.map:
10139 * preproc_rules/preprocessor.rules:
10140 * src/generators.h:
10141 Added new preprocessor rules for HTTP Inspect and Frag3.
10142 Removed an old preprocessor rule for the already-removed dcerpc
10143 preprocessor.
10144
10145 * rpm/snort.spec:
10146 * src/build.h:
10147 Updated version numbers.
10148
10149 * src/dynamic-plugins/sp_dynamic.c:
10150 * src/fpcreate.c:
10151 Shared Object rules which use HTTP Content as their Fast Pattern
10152 should now work correctly.
10153
10154 * src/decode.c:
10155 * src/decode.h:
10156 * src/detection-plugins/detection_options.c:
10157 * src/dynamic-plugins/sf_dynamic_engine.h:
10158 * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
10159 * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
10160 * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
10161 * src/dynamic-plugins/sp_preprocopt.c:
10162 * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
10163 * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
10164 * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
10165 * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
10166 * src/dynamic-preprocessors/sdf/spp_sdf.c:
10167 * src/dynamic-preprocessors/ssl/spp_ssl.c:
10168 * src/parser.c:
10169 * src/ppm.c:
10170 * src/ppm.h:
10171 * src/profiler.c:
10172 * src/target-based/sf_attribute_table_parser.l:
10173 Miscellaneous code cleanup.
10174 Other preprocessor rules had to be modified as part of the new Stream5
10175 rule option listed below.
10176
10177 * src/preprocessors/HttpInspect/client/hi_client.c:
10178 * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
10179 * src/preprocessors/HttpInspect/include/hi_eo_events.h:
10180 * src/preprocessors/HttpInspect/include/hi_norm.h:
10181 * src/preprocessors/HttpInspect/include/hi_server_norm.h:
10182 * src/preprocessors/HttpInspect/include/hi_ui_config.h:
10183 * src/preprocessors/HttpInspect/normalization/hi_norm.c:
10184 * src/preprocessors/HttpInspect/server/hi_server.c:
10185 * src/preprocessors/HttpInspect/server/hi_server_norm.c:
10186 * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
10187 * src/preprocessors/snort_httpinspect.c:
10188 * src/preprocessors/snort_httpinspect.h:
10189 * src/preprocessors/spp_httpinspect.c:
10190 * src/sfutil/util_utf.c:
10191 * src/sfutil/util_utf.h:
10192 * src/sfutil/Makefile.am:
10193 * snort_head/snort/src/win32/WIN32-Prj/snort.dsp:
10194 HTTP Inspect now handles "chunked" Transfer-Encoding for any Content-Encoding,
10195 not just for gzipped responses.
10196 HTTP Inspect now decompresses responses with "Content-Encoding: deflate".
10197 HTTP Inspect now normalizes server responses that use UTF-16 or UTF-32
10198 charsets.
10199
10200 * src/preprocessors/portscan.c:
10201 * src/preprocessors/spp_sfportscan.c:
10202 * src/preprocessors/Stream5/snort_stream5_tcp.c:
10203 Fixed an issue with some Stream5 sessions not being cleared until shutdown.
10204 Fixed a bug that caused false positives on Stream5 rule 129:4.
10205 Fixed a bug where Stream5 reassembled on all ports when sfportscan was in
10206 snort.conf, but in a "disabled" state.
10207 Added a preprocessor rule option, enabled by Stream5. The syntax is
10208 "reassembly: <on|off>,<client|server|both> [,noalert]". It enables/disables
10209 Stream reassembly for the session that matches the rule.
10210
10211 2010-09-03 Ryan Jordan <ryan.jordan@sourcefire.com>
10212 Snort 2.9.0 RC
10213 * Fixed clean shutdown after reload.
10214 * Fixed tagging to log tagged packets regardless of filtering.
10215 * Fixed mempool initialization of free list count bug reported by
10216 zhangz@risinginfo.com.
10217 * Snort resized packets are now dropped and injected as required by DAQs.
10218 * Fixed Snort I/O Totals reporting injected packets with IPFW when NO
10219 packets are injected externally.
10220 * Tweaked Snort's dynamic preprocessor example.
10221 * More informative dynamic preprocessor loading error messages.
10222 * Added preprocessor alerts to alert when Snort sees a client hello
10223 after a server hello or when Snort sees a server hello without a client
10224 hello when trustservers is disabled.
10225 * Documentation Updates: Updates to HTTP inspect README and Snort Manual.
10226 * Added parser error to fragoffset: Error when !, < and > operators are
10227 used with each other.
10228 * Updated README for daq with updated information on firewalls with FreeBSD
10229 and OpenBSD
10230 * Added more complete error checking to "byte_extract" rule option parsing.
10231 * The Sensitive Data preprocessor no longer searches HTTP headers for PII, as
10232 this introduced unnecessary false positives. In addition, the
10233 "us_social_nodashes" rule is now off by default to avoid false positives.
10234 * Added a new decoder alert for IPv6 extension headers that don't follow the
10235 RFC's recommended order.
10236 * Fixed a bug in the validation of IPv6 option lengths.
10237 * Fixed a bug in the normalization of HTTP responses with both gzipped
10238 Content-Encoding and chunked Transfer-Encoding.
10239 * Teredo packets with another layer of UDP on top will now display the correct
10240 port numbers in console output.
10241 * Reduced false positives on decoder alerts when "config deep_teredo_inspection"
10242 is enabled.
10243 * Fixed a problem with evaluating UDP rules on Teredo traffic, where the result
10244 of rule evaluation on the outer UDP
10245 * Changed the default search method in snort.conf from "ac-bnfa" to "ac-split".
10246
10247 2010-06-23 Steven Sturges <ssturges@sourcefire.com>
10248 * doc/README.active:
10249 * doc/README.http_inspect:
10250 * doc/README.ssl:
10251 * doc/snort_manual.tex:
10252 Updated descriptions of rule options.
10253 * etc/gen-msg.map:
10254 Update messages for IPv6 decoder events.
10255 * src/win32/Makefile.am:
10256 * src/win32/WIN32-Includes/libnet/Devioctl.h:
10257 * src/win32/WIN32-Includes/libnet/gnuc.h:
10258 * src/win32/WIN32-Includes/libnet/ifaddrlist.h:
10259 * src/win32/WIN32-Includes/libnet/IPExport.h:
10260 * src/win32/WIN32-Includes/libnet/IPHlpApi.h:
10261 * src/win32/WIN32-Includes/libnet/IPTypes.h:
10262 * src/win32/WIN32-Includes/libnet/libnet-asn1.h:
10263 * src/win32/WIN32-Includes/libnet/libnet-functions.h:
10264 * src/win32/WIN32-Includes/libnet/libnet.h:
10265 * src/win32/WIN32-Includes/libnet/libnet-headers.h:
10266 * src/win32/WIN32-Includes/libnet/libnet-macros.h:
10267 * src/win32/WIN32-Includes/libnet/LibnetNT.h:
10268 * src/win32/WIN32-Includes/libnet/libnet-ospf.h:
10269 * src/win32/WIN32-Includes/libnet/libnet-structures.h:
10270 * src/win32/WIN32-Includes/libnet/Ntddpack.h:
10271 * src/win32/WIN32-Includes/libnet/packet_types.h:
10272 * src/win32/WIN32-Includes/libnet/NTDDNDIS.H:
10273 * src/win32/WIN32-Includes/libnet/PACKET32.H:
10274 * src/win32/WIN32-Includes/mysql/config-netware.h:
10275 * src/win32/WIN32-Includes/mysql/config-os2.h:
10276 * src/win32/WIN32-Includes/mysql/config-win.h:
10277 * src/win32/WIN32-Includes/mysql/libmysqld.def:
10278 * src/win32/WIN32-Includes/mysql/libmysql.def:
10279 * src/win32/WIN32-Includes/mysql/m_ctype.h:
10280 * src/win32/WIN32-Includes/mysql/m_string.h:
10281 * src/win32/WIN32-Includes/mysql/my_dbug.h:
10282 * src/win32/WIN32-Includes/mysql/my_getopt.h:
10283 * src/win32/WIN32-Includes/mysql/my_global.h:
10284 * src/win32/WIN32-Includes/mysql/my_pthread.h:
10285 * src/win32/WIN32-Includes/mysql/mysqld_error.h:
10286 * src/win32/WIN32-Includes/mysql/mysql_embed.h:
10287 * src/win32/WIN32-Includes/mysql/my_sys.h:
10288 * src/win32/WIN32-Includes/mysql/raid.h:
10289 * src/win32/WIN32-Libraries/libnet/LibnetNT.lib:
10290 * src/inline.c:
10291 * src/inline.h:
10292 * src/detection-plugins/sp_respond.c:
10293 * src/detection-plugins/sp_respond2.c:
10294 Remove dead files.
10295 * src/active.c:
10296 * src/preprocessors/normalize.c:
10297 * src/preprocessors/spp_normalize.c:
10298 DAQ capability updates
10299 * src/decode.c:
10300 * src/decode.h:
10301 * src/generators.h:
10302 IPv6 decoding updates
10303 * src/decode.c:
10304 * src/log.c:
10305 * src/log.h:
10306 * src/log_text.c:
10307 * src/log_text.h:
10308 Improvement of packet output when obfuscating IP addresses.
10309 * src/detection-plugins/sp_byte_jump.c:
10310 Updates to multiplier parameter handling.
10311 * src/detection-plugins/sp_react.c:
10312 Added HTTP header to response payload.
10313 * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
10314 Update to handling string format detection.
10315 * src/dynamic-preprocessors/libs/ssl.c:
10316 * src/dynamic-preprocessors/libs/ssl.h:
10317 * src/dynamic-preprocessors/ssl/spp_ssl.c:
10318 Updates to handling of SSL rule options when handshake says SSLv2
10319 but certificate is SSLv3 and interaction with Stream reassembled
10320 packets.
10321 * src/dynamic-preprocessors/sdf/spp_sdf.c:
10322 Display configuration information at startup.
10323 * src/fpdetect.c:
10324 Improved handling of gzip decoded buffer for fast pattern searches.
10325 * src/parser.c:
10326 Updates to parsing of IP variables with negated IP ranges.
10327 * src/preprocessors/HttpInspect/client/hi_client.c:
10328 * src/preprocessors/HttpInspect/server/hi_server.c:
10329 Chunk encoding processing updates.
10330 * src/preprocessors/HttpInspect/client/hi_client.c:
10331 * src/preprocessors/HttpInspect/include/hi_ui_config.h:
10332 * src/preprocessors/HttpInspect/include/Makefile.am:
10333 * src/preprocessors/HttpInspect/include/hi_cmd_lookup.h:
10334 * src/preprocessors/HttpInspect/Makefile.am:
10335 * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
10336 * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
10337 * src/preprocessors/HttpInspect/utils/Makefile.am:
10338 * src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c:
10339 * src/preprocessors/snort_httpinspect.c:
10340 * src/preprocessors/snort_httpinspect.h:
10341 * src/preprocessors/spp_httpinspect.c:
10342 Use lookup for HTTP method validation.
10343 * src/preprocessors/Stream5/snort_stream5_tcp.c:
10344 Updated state tracking for FIN_WAIT_2 and LAST_ACK
10345 * src/sfdaq.c:
10346 * src/sfdaq.h:
10347 * src/snort.c:
10348 * src/util.c:
10349 Handle -g/-u limited with DAQ modules that require root privs.
10350
10351 2010-06-16 Ryan Jordan <ryan.jordan@sourcefire.com>
10352 Snort 2.9.0 Beta
10353 * Snort uses the DAQ library for packet acquisition and injection.
10354 ./configure --enable-inline and --enable-ipfw are deleted. Just run ./snort
10355 -Q to activate inline mode for DAQs that support it. See the README.daq there
10356 for more.
10357 * A normalizer preprocessor has been added to help minimize evasion vectors.
10358 Use ./configure --enable-normalizer to build and config normalize_* to
10359 enable. See README.normalize for more.
10360 * Flexresp and flexresp2 have been replaced with a new flexresp3 module that
10361 supports the rule keywords from each. ./configure --enable-flexresp
10362 --enable-flexresp2 are deprecated.
10363 * The react rule option has been rewritten to correct a number of issues. You
10364 can also customize the injected content with config react. Use ./configure
10365 --enable-react to build.
10366 * config min_ttl is now policy specific. You can also set a normalization
10367 value with config new_ttl.
10368 * Snort has a new active response capability. Build it with ./configure
10369 --enable-active-response. This mode enables automatically sending TCP resets
10370 and ICMP unreachables. See README.active for more.
10371 * Passive mode Snort can now inject packets for drop, sdrop, and reject rules.
10372 In addition, block and sblock rules have been added as synonyms for drop and
10373 sdrop to help avoid confusion between dropped packets and blocked packets.
10374 Configure with config response.
10375 * Snort shutdown output now includes new counts so you can see if any events
10376 are not being reported due to event queue and pattern matching
10377 configurations. Also, ./configure --enable-timestats has been eliminated but
10378 the shutdown output of packet rates has been made standard.
10379 * BPFs can be written for IPv6.
10380 * ./snort -T has been expanded to validate more than just the conf. For
10381 example, you can now validate BPFs.
10382 * Snort no longer depends on libnet and uses libdnet instead.
10383 * Added the "byte_extract" detection option. This saves bytes from the packet
10384 into variables for use by other options.
10385 * Added support for byte_extract variables in the following rule options
10386 * content (offset, depth, distance, within)
10387 * byte_test (offset, comparison value)
10388 * byte_jump (offset)
10389 * isdataat (offset)
10390 * Added decoder support for Teredo tunneling (IPv6 over UDP over IPv4).
10391 * Added decoder support for Encapsulated Security Payload (ESP) with NULL encryption.
10392 * Added 18 decoder rules for different types of malformed IPv6 headers.
10393 * Moved 24 content-less rules into the packet decoder.
10394 * The Sensitive Data preprocessor now prints its configuration on startup.
10395 * Fixed the Snort RPM so that it installs the Sensitive Data preprocessor.
10396 * Updated the description of the "-h" option in the Snort help output.
10397 * Added a tools directory, with "u2boat" and "u2spewfoo". These programs can be
10398 used to turn Unified2 files into pcaps and console output, respectively.
10399 * Replaced Unified with Unified2 in snort.conf.
10400 * Moved the rules/ directory into its own separate tarball.
10401 * Snort will print encapsulated layers in text output.
10402 * Initial iteration of DCE/RPC preprocessor removed.
10403 * SO rule updates. Updated storeRuleData() and getRuleData() API
10404 functions. Added dynamic allocation functions allocRuleData() and
10405 freeRuleData() mainly for data stored on a stream session and to
10406 utilize a new configuration option to put a memcap on the amount of
10407 data SO rules allocate.
10408 * Fixed possible non-runtime memory leak in SO rule preprocessor rule
10409 options.
10410 * Added negation support to SSL preprocessor rule options ssl_state and
10411 ssl_version
10412 * Added support for Intel's Soft CPM for use as a fast pattern matcher.
10413 * Fixed issue when specifying a --pcap-dir where Snort would fatal
10414 error if there was a broken symbolic link under the directory.
10415 * Fixed an issue where copying an SO rule stub to modify the rule
10416 action, IPs and/or ports didn't work as expected.
10417 * Set state in SSL preprocessor even if record is truncated.
10418 * Fixed inconsistency with flowbits behaviour if stream session timed
10419 out. stream5 now resets flowbits on a timeout.
10420 * Snort will now fatal error if adaptive profiles is enabled in any
10421 policy other than the default policy.
10422 * Fixed false positives caused by using the fast_pattern option with
10423 the "only" argument on an http content in a rule.
10424 * Fix OpenBSD compile with --enable-prelude.
10425 * Fixed issue in SO rules converted to text rules that were not
10426 setting multiplier correctly.
10427 * Fixed inconsistencies in behaviour with user defined rule types.
10428 * Snort will now throw validation error for ipvar definition with
10429 negated ip list that is more general than other ip list in
10430 definition.
10431 * Added support for IP variable substitution.
10432 * Created new decoder event for ICMP PATH MTU denial of service
10433 attempt.
10434 * Fixed SSL preprocessor to potentially update state before
10435 reassembled packet is decoded.
10436 * Added a new argument "mime" to the detection option "file_data".
10437 This argument will set the doe_ptr to the start of the base64 decoded
10438 MIME attachment. New config options "enable_mime_decoding", "max_mime_depth"
10439 and "max_mime_mem" are added to SMTP configuration to support this feature.
10440 * Added the "base64_decode" and "base64_data" detection option.
10441 The "base64_decode" decodes the base64 encoded data. The "base64_data"
10442 points the doe_ptr to the start of the base64 decoded buffer.
10443 * Added a new mode "inline-test". This mode simulates the inline mode of snort,
10444 allowing evaluation of inline behavior without affecting traffic. The command
10445 line option --enable-inline-test and snort config option policy_mode:inline_test
10446 added to support this feature. The drop rules will be loaded and will be
10447 triggered as a Wdrop (Would Drop) alert.
10448 * Added the support to extract the original client IP from the X-Forwarded-For
10449 or True-Client-IP headers. This client IP will now be logged to the unified2
10450 output when HTTP Inspect is configured with enable_xff.
10451 * Added support to u2spewfoo to read the Original Client IP, Wdrop Alerts, Gzip decompressed Data.
10452 * Added support to print the Gzip decompressed data with cmg output.
10453
10454 2010-04-16 Ryan Jordan <ryan.jordan@sourcefire.com>
10455 * doc/README.dcerpc:
10456 * doc/README.dcerpc2:
10457 * doc/README.flowbits:
10458 * doc/README.frag3:
10459 * doc/README.http_inspect:
10460 * doc/README.PerfProfiling:
10461 * doc/README.sensitive_data:
10462 * doc/README.sfportscan:
10463 * doc/README.stream5:
10464 * doc/snort_manual.tex:
10465 Updated Snort documentation
10466
10467 * etc/classification.config:
10468 * etc/gen-msg.map:
10469 * etc/snort.conf:
10470 Replaced snort.conf with the version we ship in the rules tarball.
10471 Fixed a duplicate entry in gen-msg.map.
10472
10473 * src/decode.c:
10474 * src/decode.h:
10475 Added alert for IPv6/UDP packets with zero checksum.
10476
10477 * src/detection-plugins/detection_options.c:
10478 * src/detection-plugins/sp_byte_check.c:
10479 * src/detection-plugins/sp_byte_jump.c:
10480 * src/detection-plugins/sp_isdataat.c:
10481 For byte_test, byte_jump, and isdataat, only do an in bounds check of
10482 the doe_ptr if the rule option is relative and will be using the doe_ptr.
10483 * src/detection-plugins/sp_pattern_match.c:
10484 Fixed a valgrind error.
10485 * src/detection-plugins/sp_react.c:
10486 Removed instances of the word "porn" from Snort.
10487
10488 * src/dynamic-plugins/sf_convert_dynamic.c:
10489 * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
10490 * src/dynamic-plugins/sp_dynamic.c:
10491 Changed the parsing of dynamic detection plugins to register dynamic
10492 rules per policy.
10493
10494 * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
10495 * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
10496 * src/preprocessors/spp_stream5.c:
10497 * src/preprocessors/stream_api.h:
10498 * src/preprocessors/stream_ignore.h:
10499 * src/target-based/sftarget_protocol_reference.c:
10500 The FTP preprocessor now marks data channels with the "ftp-data"
10501 service identifier. Adaptive profiling must be turned on for this.
10502
10503 * src/dynamic-preprocessors/sdf/sdf_credit_card.c:
10504 * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
10505 * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
10506 * src/dynamic-preprocessors/sdf/sdf_pattern_match.h:
10507 * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
10508 * src/dynamic-preprocessors/sdf/spp_sdf.c:
10509 * src/dynamic-preprocessors/sdf/spp_sdf.h:
10510 * src/generators.h:
10511 Moved the sensitive data preprocessor's preproc rule to GID 139.
10512 Fixed the ability to reload Snort with sensitive_data turned on.
10513 Fixed bugs in the parsing of "sd_pattern" rules that overlapped.
10514 U.S. Social Security numbers are now required to have non-digits on
10515 either side in order to cause a match.
10516
10517 * src/mempool.c:
10518 * src/preprocessors/HttpInspect/client/hi_client.c:
10519 * src/preprocessors/HttpInspect/include/hi_include.h:
10520 * src/preprocessors/HttpInspect/include/hi_mi.h:
10521 * src/preprocessors/HttpInspect/include/hi_server.h:
10522 * src/preprocessors/HttpInspect/include/hi_ui_config.h:
10523 * src/preprocessors/HttpInspect/include/hi_util.h:
10524 * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
10525 * src/preprocessors/HttpInspect/normalization/hi_norm.c:
10526 * src/preprocessors/HttpInspect/server/hi_server.c:
10527 * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
10528 * src/preprocessors/snort_httpinspect.c:
10529 * src/preprocessors/snort_httpinspect.h:
10530 Added a "max_gzip_mem" option to http_inspect. Use this to set
10531 the maximum amount of memory used for gzip decompression.
10532 The "+" sign is now normalized to a space.
10533 Added a "disable" option to http_inspect so that a memcap can
10534 be set without enabling http_inspect across all VLANs.
10535
10536 * src/preprocessors/sfprocpidstats.c:
10537 * src/preprocessors/sfprocpidstats.h:
10538 * src/preprocessors/spp_perfmonitor.c:
10539 Fixed a memory leak.
10540
10541 * src/preprocessors/Stream5/snort_stream5_session.c:
10542 * src/preprocessors/Stream5/snort_stream5_tcp.c:
10543 * src/preprocessors/Stream5/snort_stream5_udp.c:
10544 Fixed an issue that could cause Snort to take minutes to reload.
10545
10546 * src/snort.c:
10547 Unblocked signals that Snort does not handle itself.
10548
10549 * src/win32/Makefile.am:
10550 * src/win32/WIN32-Includes/config.h:
10551 * src/win32/WIN32-Includes/mysql/config-netware.h:
10552 * src/win32/WIN32-Includes/mysql/config-os2.h:
10553 * src/win32/WIN32-Includes/mysql/config-win.h:
10554 * src/win32/WIN32-Includes/mysql/errmsg.h:
10555 * src/win32/WIN32-Includes/mysql/libmysqld.def:
10556 * src/win32/WIN32-Includes/mysql/libmysql.def:
10557 * src/win32/WIN32-Includes/mysql/m_ctype.h:
10558 * src/win32/WIN32-Includes/mysql/m_string.h:
10559 * src/win32/WIN32-Includes/mysql/my_alloc.h:
10560 * src/win32/WIN32-Includes/mysql/my_dbug.h:
10561 * src/win32/WIN32-Includes/mysql/my_getopt.h:
10562 * src/win32/WIN32-Includes/mysql/my_global.h:
10563 * src/win32/WIN32-Includes/mysql/my_list.h:
10564 * src/win32/WIN32-Includes/mysql/my_pthread.h:
10565 * src/win32/WIN32-Includes/mysql/mysql_com.h:
10566 * src/win32/WIN32-Includes/mysql/mysqld_error.h:
10567 * src/win32/WIN32-Includes/mysql/mysql_embed.h:
10568 * src/win32/WIN32-Includes/mysql/mysql.h:
10569 * src/win32/WIN32-Includes/mysql/mysql_time.h:
10570 * src/win32/WIN32-Includes/mysql/mysql_version.h:
10571 * src/win32/WIN32-Includes/mysql/my_sys.h:
10572 * src/win32/WIN32-Includes/mysql/raid.h:
10573 * src/win32/WIN32-Includes/mysql/typelib.h:
10574 * src/win32/WIN32-Prj/snort.dsw:
10575 * src/win32/WIN32-Prj/snort_installer.nsi:
10576 Updated the MySQL client library in the Windows build.
10577 Fixed a conflict between MSSQL headers and the newer Windows Platform SDK.
10578
10579
10580 2010-01-27 Ryan Jordan <ryan.jordan@sourcefire.com>
10581 * doc/Makefile.am:
10582 Added README.sensitive_data
10583 * doc/README.dcerpc2:
10584 Removed "events" from default configuration.
10585 * doc/README.http_inspect:
10586 Added support for extended ascii codes in HTTP request URI using a new configurable option "extended_ascii_uri"
10587 Changed the pattern match to search only the HTTP response body when extended response inspection is enabled. Also copy only the decompressed data into the decode buffer.
10588 * doc/README.INLINE:
10589 Content replacement now allows replacement strings of varying sizes.
10590 * doc/README.multipleconfigs:
10591 Limit number of individual networks per line to 512.
10592 * doc/README.stream5:
10593 Removed "min_ttl" option, added the latest stream alerts.
10594 * doc/snort_manual.tex:
10595 Fixed typos, updated the Snort manual to match the README updates.
10596 Eliminated the kick-ass and the lotion.
10597 Updated with new PCRE options.
10598 * etc/classification.config:
10599 Cleaned up classification.config. Thanks to Guise McAllaster for reporting this issue.
10600 * etc/gen-msg.map:
10601 Added sig ID for http_inspect's chunk size mismatch.
10602 * etc/snort.conf:
10603 Fixed typos. Default "dynamicengine" entry is now specified by directory.
10604 * src/build.h:
10605 Updated build number.
10606 * src/checksum.h:
10607 Checksum calculation for icmpv6 added. Also fixed a warning in hi_client.c
10608 * src/configure.in:
10609 Updated makefile/configure script to optionally build dynamic examples.
10610 Thanks to Markus Lude for raising the issue.
10611
10612 Fixed linker option on Solaris 10 to use nanosleep.
10613 Thanks to Randal T. Rioux for reporting this issue.
10614 * src/decode.c:
10615 Checksum calculation for icmpv6 added. Also fixed a warning in hi_client.c
10616 * src/decode.h:
10617 Change the pattern match to search only the HTTP response body when extended response inspection is enabled. Also copy only the decompressed data into the decode buffer.
10618 * src/detect.c:
10619 Formatting changes.
10620 * src/detection-plugins/sp_asn1.c:
10621 * src/detection-plugins/sp_byte_check.c:
10622 * src/detection-plugins/sp_ip_proto.c:
10623 Replaced strtol and strtoul with inline functions that reset errno first.
10624 * src/detection-plugins/sp_pattern_match.c:
10625 Check if file_data is within the packet boundaries and set the search depth accordingly.
10626 * src/detection-plugins/sp_pcre.c:
10627 Pcre new options fix. Raw options and status options weren't matching as expected.
10628 * src/detection-plugins/sp_replace.c:
10629 Checksum calculation for icmpv6 added. Also fixed a warning in hi_client.c
10630 * src/dynamic-examples/Makefile.am:
10631 * src/Makefile.am:
10632 Update makefile/configure script to optionally build dynamic examples.
10633 * src/dynamic-plugins/sf_dynamic_plugins.c:
10634 Replaced strtol and strtoul with inline functions that reset errno first.
10635 * src/dynamic-plugins/sf_dynamic_preprocessor.h:
10636 * src/event_queue.c:
10637 * src/event_queue.h:
10638 * src/preprocessors/spp_frag3.c:
10639 * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
10640 * src/sfutil/sfeventq.h:
10641 * src/snort.c:
10642 * src/snort.h:
10643 Fixed a bug where Snort would log a packet other than the one triggering the alert.
10644 * src/dynamic-preprocessors/dcerpc2/dce2_debug.c:
10645 * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
10646 * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
10647 * src/dynamic-preprocessors/libs/sfparser.c:
10648 * src/output-plugins/spo_unified2.c:
10649 * src/parser.c:
10650 * src/preprocessors/spp_perfmonitor.c:
10651 * src/preprocessors/Stream5/snort_stream5_tcp.c:
10652 Replaced strtol and strtoul with inline functions that reset errno first.
10653 * src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h:
10654 * src/dynamic-preprocessors/dns/sf_preproc_info.h:
10655 * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
10656 * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
10657 * src/dynamic-preprocessors/ssh/sf_preproc_info.h:
10658 * src/dynamic-preprocessors/ssl/sf_preproc_info.h:
10659 Updated build version number.
10660 * src/dynamic-preprocessors/sdf/.cvsignore:
10661 Added .cvsignore file
10662 * src/dynamic-preprocessors/sdf/sdf_credit_card.c:
10663 * src/dynamic-preprocessors/sdf/sdf_credit_card.h:
10664 Added license text.
10665 Added check for the Issuer Number in credit card numbers.
10666 * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
10667 * src/dynamic-preprocessors/sdf/sdf_detection_option.h:
10668 * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
10669 * src/dynamic-preprocessors/sdf/sdf_pattern_match.h:
10670 Added license text.
10671 Fixed error when using the same sensitive data rule in multiple policies.
10672 Sensitive data rules must use the preprocessor's generator ID.
10673 * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
10674 * src/dynamic-preprocessors/sdf/sdf_us_ssn.h:
10675 Added license text.
10676 * src/dynamic-preprocessors/sdf/spp_sdf.c:
10677 * src/dynamic-preprocessors/sdf/spp_sdf.h:
10678 Fixed double-free when the preprocessor was enabled in multiple policies.
10679 Added the ability to search HTTP Uri buffers for sensitive data.
10680 Fixed the pcap header for pseudo-packets generated by the preprocessor.
10681 * src/fpcreate.c:
10682 OpenBSD update
10683 * src/generators.h:
10684 Added alert for HTTP chunk size mismatch.
10685 * src/obfuscation.c:
10686 Made a debug message optionally compilable.
10687 * src/output-plugins/spo_log_tcpdump.c:
10688 Fix use of -L option to work correctly.
10689 Thanks to Allan Adkins for reporting this issue.
10690 * src/preprocessors/HttpInspect/client/hi_client.c:
10691 * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
10692 * src/preprocessors/HttpInspect/include/hi_eo_events.h:
10693 * src/preprocessors/HttpInspect/include/hi_ui_config.h:
10694 * src/preprocessors/HttpInspect/include/hi_include.h:
10695 * src/preprocessors/HttpInspect/include/hi_util.h:
10696 * src/preprocessors/HttpInspect/server/hi_server.c:
10697 Added http response stats.
10698 Added support for extended ascii codes in HTTP request URI
10699 using a new configurable option "extended_ascii_uri"
10700 Added an alert for incorrect chunk size fields.
10701 * src/preprocessors/perf.c:
10702 Fixed null deref when "rotate stats" signal was caught w/out perfmon enabled.
10703 * src/preprocessors/snort_httpinspect.c:
10704 Fixed a case where the HTTP Inspect preprocessor would disable the Sensitive Data preprocessor.
10705 * src/preprocessors/spp_httpinspect.c:
10706 Decompressed bytes read will now be based on the total out of zstream.
10707 * src/target-based/sftarget_reader.c:
10708 attribute table printing - converting to host order before printing the ip address
10709 * src/util.c:
10710 * src/util.h:
10711 adding zlib version information for snort -V
10712 * src/win32/Makefile.am:
10713 Add zlib 1.2.3 to Win32 build.
10714 * src/win32/WIN32-Includes/config.h:
10715 * src/win32/WIN32-Includes/zlib/zconf.h:
10716 * src/win32/WIN32-Includes/zlib/zlib.h:
10717 * src/win32/WIN32-Prj/snort.dsp:
10718 Add zlib 1.2.3 to Win32 build.
10719 * src/win32/WIN32-Prj/snort_installer.nsi:
10720 Added Sensitive Data preproc to Windows installer script.
10721
10722 2009-12-21 Ryan Jordan <ryan.jordan@sourcefire.com>
10723 * doc/README.dcerpc:
10724 Added deprecation notice.
10725 * doc/README.dcerpc2:
10726 Added note about fast pattern contents.
10727 * doc/README.filters:
10728 Slight change to indicate that filters were introduced in 2.8.5,
10729 which is no longer the current version.
10730 * doc/README.flowbits:
10731 Added documentation for flowbit groups.
10732 * doc/README.http_inspect:
10733 Added documentation for new HTTP rule options.
10734 * doc/snort_manual.tex:
10735 Updated for HTTP rule options and other cleanup.
10736 * doc/TODO:
10737 Removed obfuscation code from the TODO.
10738 * etc/gen-msg.map:
10739 Added new Stream5 alert for the "TCP 4-way handshake"
10740 * etc/snort.conf:
10741 Fixed typos. Added examples for Unified2 output and Sensitive Data
10742 preprocessor config.
10743 * rpm/snort.spec:
10744 Updated version number.
10745 * src/bounds.h:
10746 Formatting change. Added "SafeMemCheck" function. Modified "SafeMemcpy"
10747 and "SafeMemset" to use it.
10748 * src/build.h:
10749 Updated build number.
10750 * src/debug.c:
10751 Moved definition for snort_conf.
10752 * src/decode.h:
10753 Made changes for HTTP response gzip support.
10754 * src/detect.c:
10755 Updated to use new Obfuscation API.
10756 * src/sfutil/mpse.c:
10757 * src/sfutil/mpse.h:
10758 * src/fpcreate.c:
10759 * src/fpcreate.h:
10760 * src/sfutil/acsmx2.c:
10761 * src/sfutil/acsmx2.h:
10762 Added support for ac "split" pattern matcher to use less memory with
10763 improved performance over ac-bnfa. Thanks to Charlie Lasswell for
10764 the ideas!
10765 * src/detect.h:
10766 * src/event_wrapper.c:
10767 * src/event_wrapper.h:
10768 * src/inline.c:
10769 * src/profiler.c:
10770 * src/rate_filter.h:
10771 * src/rules.h:
10772 * src/tag.c:
10773 * src/tag.h:
10774 * src/treenodes.h:
10775 OTNs and RTNs were moved to their own header file.
10776 * src/detection-plugins/detection_options.c:
10777 * src/detection-plugins/Makefile.am:
10778 * src/detection-plugins/sp_file_data.c:
10779 * src/detection-plugins/sp_file_data.h:
10780 New detection option "file_data" was added.
10781 * src/detection-plugins/detection_options.h:
10782 * src/rule_option_types.h:
10783 Moved option_type_t to its own header file.
10784 * src/detection-plugins/sp_flowbits.c:
10785 * src/detection-plugins/sp_flowbits.h:
10786 allowing flowbits group name only with set and toggle operations
10787 check if the content rules have http modifiers.
10788 * src/detection-plugins/sp_replace.c:
10789 need to check from the relative depth for bounds
10790 adjust the bounds while replacing to prevent buffer overflow.
10791 allow replace with different size strings. enhancement to replace.
10792 * src/detection-plugins/sp_isdataat.c:
10793 negated isdataat support.
10794 * src/detection-plugins/sp_pattern_match.c:
10795 * src/detection-plugins/sp_pattern_match.h:
10796 Update pattern match parsing to error on invalid rules.
10797 * src/detection-plugins/sp_asn1.c:
10798 * src/detection-plugins/sp_byte_check.c:
10799 * src/detection-plugins/sp_byte_jump.c:
10800 * src/detection-plugins/sp_clientserver.c:
10801 * src/detection-plugins/sp_cvs.c:
10802 * src/detection-plugins/sp_dsize_check.c:
10803 * src/detection-plugins/sp_ftpbounce.c:
10804 * src/detection-plugins/sp_icmp_code_check.c:
10805 * src/detection-plugins/sp_icmp_id_check.c:
10806 * src/detection-plugins/sp_icmp_seq_check.c:
10807 * src/detection-plugins/sp_icmp_type_check.c:
10808 * src/detection-plugins/sp_ip_fragbits.c:
10809 * src/detection-plugins/sp_ip_id_check.c:
10810 * src/detection-plugins/sp_ipoption_check.c:
10811 * src/detection-plugins/sp_ip_proto.c:
10812 * src/detection-plugins/sp_ip_proto.h:
10813 * src/detection-plugins/sp_ip_same_check.c:
10814 * src/detection-plugins/sp_ip_tos_check.c:
10815 * src/detection-plugins/sp_pcre.c:
10816 * src/detection-plugins/sp_pcre.h:
10817 * src/detection-plugins/sp_react.c:
10818 * src/detection-plugins/sp_respond2.c:
10819 * src/detection-plugins/sp_respond.c:
10820 * src/detection-plugins/sp_rpc_check.c:
10821 * src/detection-plugins/sp_session.c:
10822 * src/detection-plugins/sp_tcp_ack_check.c:
10823 * src/detection-plugins/sp_tcp_flag_check.c:
10824 * src/detection-plugins/sp_tcp_seq_check.c:
10825 * src/detection-plugins/sp_tcp_win_check.c:
10826 * src/detection-plugins/sp_ttl_check.c:
10827 * src/detection-plugins/sp_urilen_check.c:
10828 * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
10829 * src/dynamic-preprocessors/ssl/spp_ssl.c:
10830 Updated calls to RegisterRuleOption() to match new definition.
10831 * src/dynamic-plugins/sf_convert_dynamic.c:
10832 Updated conversion of Content and PCRE rule options to match HTTP changes.
10833 * src/dynamic-plugins/sf_dynamic_common.h:
10834 Updated HTTP flags.
10835 * src/dynamic-plugins/sf_dynamic_engine.h:
10836 * src/dynamic-plugins/sp_preprocopt.c:
10837 * src/dynamic-plugins/sp_preprocopt.h:
10838 Added definition of OTN Handler. A detection option or preprocessor can
10839 register one of these to get the OTN of any rule using its rule option.
10840 * src/dynamic-plugins/sf_dynamic_plugins.c:
10841 * src/dynamic-plugins/sf_dynamic_preprocessor.h:
10842 * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
10843 Added several items to DynamicPreprocessorData, to allow dynamic
10844 preprocessors to call more Snort functions.
10845 * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
10846 * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
10847 * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
10848 * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
10849 * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
10850 * src/dynamic-plugins/sp_dynamic.c:
10851 * src/dynamic-plugins/sp_dynamic.h:
10852 Check for HTTP modifiers to Content and PCRE options in shared object
10853 rules.
10854 * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
10855 Added missing Packet member to SFSnortPacket.
10856 * src/dynamic-preprocessors/dcerpc/dcerpc.c:
10857 * src/dynamic-preprocessors/dcerpc/dcerpc.h:
10858 Moved DCERPC_FragType definition.
10859 * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
10860 * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
10861 * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
10862 * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
10863 * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
10864 * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
10865 * src/preprocessors/portscan.h:
10866 * src/preprocessors/spp_frag3.c:
10867 * src/preprocessors/spp_sfportscan.c:
10868 Added "disabled" option to frag3_global, stream5_global, portscan,
10869 dcerpc, and dcerpc2 preprocessor configurations so that memcaps can be
10870 specified in the default configuration w/o enabling that preprocessor.
10871 This allows specification of the preprocessors only in the desired
10872 configuration.
10873 * src/dynamic-preprocessors/dcerpc/Makefile.am:
10874 * src/dynamic-preprocessors/dcerpc2/Makefile.am:
10875 * src/dynamic-preprocessors/dns/Makefile.am:
10876 * src/dynamic-preprocessors/dns/sf_dns.dsp:
10877 * src/dynamic-preprocessors/ftptelnet/Makefile.am:
10878 * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
10879 * src/dynamic-preprocessors/smtp/Makefile.am:
10880 * src/dynamic-preprocessors/ssh/Makefile.am:
10881 * src/dynamic-preprocessors/ssl/Makefile.am:
10882 * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
10883 * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
10884 * src/dynamic-preprocessors/ssl/sf_ssl.dsp:
10885 Fix make dist to include all required files.
10886 * src/dynamic-preprocessors/dcerpc2/dce2_event.c:
10887 * src/dynamic-preprocessors/dcerpc2/dce2_list.h:
10888 * src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
10889 * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
10890 * src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h:
10891 Changed use of some integers to enumerated types.
10892 * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
10893 Added dce_iface options to the fast pattern matcher.
10894 * src/dynamic-preprocessors/dcerpc2/snort_dce2.h:
10895 * src/dynamic-preprocessors/dcerpc2/dce2_config.h:
10896 * src/dynamic-preprocessors/smtp/snort_smtp.c:
10897 Added sensitive data to the list of preprocs that get re-enabled after
10898 disabling detection.
10899 * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
10900 Removed config file/line from error message since not set at this point.
10901 Also removed redundant "dcerpc2 configuration" text.
10902 * src/dynamic-preprocessors/Makefile.am:
10903 * src/dynamic-preprocessors/treenodes.sed:
10904 Included more header files for use in dynamic preprocessors.
10905 * src/dynamic-preprocessors/sdf/Makefile.am:
10906 * src/dynamic-preprocessors/sdf/sdf_credit_card.c:
10907 * src/dynamic-preprocessors/sdf/sdf_credit_card.h:
10908 * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
10909 * src/dynamic-preprocessors/sdf/sdf_detection_option.h:
10910 * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
10911 * src/dynamic-preprocessors/sdf/sdf_pattern_match.h:
10912 * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
10913 * src/dynamic-preprocessors/sdf/sdf_us_ssn.h:
10914 * src/dynamic-preprocessors/sdf/sf_preproc_info.h:
10915 * src/dynamic-preprocessors/sdf/sf_sdf.dsp:
10916 * src/dynamic-preprocessors/sdf/spp_sdf.c:
10917 * src/dynamic-preprocessors/sdf/spp_sdf.h:
10918 * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
10919 * src/preprocids.h:
10920 * doc/README.sensitive_data:
10921 * doc/snort_manual.tex:
10922 Added Sensitive Data preprocessor. It performs detection of Personally
10923 Identifiable Information, such as credit card numbers and U.S. Social
10924 Security numbers.
10925 * src/dynamic-preprocessors/ssh/spp_ssh.c:
10926 Formatting change.
10927 * src/fpcreate.c:
10928 * src/fpcreate.h:
10929 * src/fpdetect.c:
10930 Content rules with the new HTTP modifiers can use the fast pattern
10931 matcher.
10932 * src/generators.h:
10933 Added SIDs for new preprocessor alerts.
10934 * src/Makefile.am:
10935 Added new files to Makefile.
10936 * src/obfuscation.c:
10937 * src/obfuscation.h:
10938 * src/util.c:
10939 * src/util.h:
10940 Fixed output obfuscation, and added an Obfuscation API for use in
10941 preprocessors & output plugins.
10942 * src/log.c:
10943 * src/log.h:
10944 * src/log_text.c:
10945 * src/log_text.h:
10946 * src/output-plugins/spo_alert_fast.c:
10947 * src/output-plugins/spo_alert_full.c:
10948 * src/output-plugins/spo_alert_prelude.c:
10949 * src/output-plugins/spo_alert_sf_socket.c:
10950 * src/output-plugins/spo_alert_syslog.c:
10951 * src/output-plugins/spo_alert_test.c:
10952 * src/output-plugins/spo_alert_unixsock.c:
10953 * src/output-plugins/spo_csv.c:
10954 * src/output-plugins/spo_database.c:
10955 * src/output-plugins/spo_log_ascii.c:
10956 * src/output-plugins/spo_log_null.c:
10957 * src/output-plugins/spo_log_tcpdump.c:
10958 * src/output-plugins/spo_unified2.c:
10959 * src/output-plugins/spo_unified.c:
10960 Modified several output plugins to print obfuscated data using the new
10961 Obfuscation API.
10962 * src/parser.c:
10963 * src/parser.h:
10964 Added support for OTN handlers. Added support for using new http
10965 content options with the fast pattern matcher.
10966 * src/pcrm.c:
10967 * src/pcrm.h:
10968 Formatting changes.
10969 * src/plugbase.c:
10970 * src/plugbase.h:
10971 Added OTN handler argument to the RegisterRuleOption() function.
10972 Initialized the "file_data" rule option.
10973 * src/ppm.c:
10974 * src/ppm.h:
10975 Remove non-portlists code.
10976 * src/preprocessors/HttpInspect/client/hi_client.c:
10977 * src/preprocessors/HttpInspect/client/hi_client_norm.c:
10978 * src/preprocessors/HttpInspect/include/hi_client.h:
10979 * src/preprocessors/HttpInspect/include/hi_eo_events.h:
10980 * src/preprocessors/HttpInspect/include/hi_mi.h:
10981 * src/preprocessors/HttpInspect/include/hi_norm.h:
10982 * src/preprocessors/HttpInspect/include/hi_server.h:
10983 * src/preprocessors/HttpInspect/include/hi_server_norm.h:
10984 * src/preprocessors/HttpInspect/include/hi_ui_config.h:
10985 * src/preprocessors/HttpInspect/include/hi_util.h:
10986 * src/preprocessors/HttpInspect/include/Makefile.am:
10987 * src/preprocessors/HttpInspect/Makefile.am:
10988 * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
10989 * src/preprocessors/HttpInspect/normalization/hi_norm.c:
10990 * src/preprocessors/HttpInspect/server/hi_server.c:
10991 * src/preprocessors/HttpInspect/server/hi_server_norm.c:
10992 * src/preprocessors/HttpInspect/server/Makefile.am:
10993 * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
10994 * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
10995 * src/preprocessors/snort_httpinspect.c:
10996 * src/preprocessors/snort_httpinspect.h:
10997 * src/preprocessors/spp_httpinspect.c:
10998 New feature for HTTP Inspect to split requests into 5 components -
10999 Method, URI, Header (non-cookie), Cookies, Body.
11000 Added HTTP server specific configurations to normalize HTTP header
11001 and/or cookie buffers. Provided content and PCRE modifiers to allow
11002 searches within one or more of those individual buffers. Added content
11003 modifier to allow rule writer to specify content to be used for fast
11004 pattern matcher. Updated dynamic rule API to allow searches within
11005 the new buffers.
11006 * src/preprocessors/perf.c:
11007 * src/preprocessors/spp_perfmonitor.c:
11008 * src/preprocessors/perf-flow.c:
11009 * src/preprocessors/perf-flow.h:
11010 * src/preprocessors/perf.h:
11011 * src/preprocessors/Stream5/snort_stream5_udp.c:
11012 Add Flow-IP stats to the Performance Monitor preprocessor.
11013 Write out a commented line to the now file the first time perfmon
11014 Reduce performance overhead when FlowIP stats aren't enabled.
11015 * src/preprocessors/sfprocpidstats.c:
11016 Changed GetCpuName() to catch errno when sscanf() sets it.
11017 * src/preprocessors/spp_rpc_decode.c:
11018 Fixed warnings when compiled in Win32.
11019 * src/preprocessors/spp_stream5.c:
11020 * src/preprocessors/Stream5/snort_stream5_session.h:
11021 * src/preprocessors/Stream5/snort_stream5_tcp.c:
11022 * src/preprocessors/Stream5/snort_stream5_tcp.h:
11023 * src/preprocessors/Stream5/stream5_common.c:
11024 * src/preprocessors/Stream5/stream5_common.h:
11025 * src/preprocessors/stream_api.h:
11026 Added detection of "4-way TCP Handshake" when require_3whs is enabled.
11027 Added "disabled" option so that memcaps can be configured in the default
11028 policy w/out enabling the preprocessor. Added support for output
11029 obfuscation.
11030 * src/prototypes.h:
11031 * src/sys_include.h:
11032 Removed more obsolete/unused files.
11033 * src/sfthreshold.c:
11034 * src/sfutil/acsmx2.c:
11035 * src/sfutil/acsmx2.h:
11036 * src/sfutil/bnfa_search.c:
11037 * src/sfutil/ipobj.c:
11038 * src/sfutil/ipobj.h:
11039 * src/sfutil/Makefile.am:
11040 * src/sfutil/mpse.c:
11041 * src/sfutil/mpse.h:
11042 * src/sfutil/sf_ip.c:
11043 * src/sfutil/sf_ip.h:
11044 * src/sfutil/sf_iph.c:
11045 * src/sfutil/sf_ipvar.c:
11046 * src/sfutil/sfksearch.c:
11047 * src/sfutil/sfPolicyUserData.c:
11048 * src/sfutil/sfPolicyUserData.h:
11049 * src/sfutil/sfportobject.c:
11050 * src/sfutil/sfxhash.c:
11051 * src/sfutil/sfrf.c:
11052 * src/sfutil/sfrt_trie.h:
11053 * src/sfutil/sf_vartable.c:
11054 Cleaned up warnings, especially when compiled with ICC.
11055 * src/sfutil/util_net.c:
11056 * src/sfutil/util_net.h:
11057 Fix ip obfuscation to not modify packet data and only obfuscate for
11058 text outputs.
11059 * src/signature.c:
11060 * src/signature.h:
11061 * src/snort.c:
11062 * src/snort.h:
11063 Remove non-portlists code.
11064 * src/target-based/sf_attribute_table_parser.l:
11065 * src/target-based/sftarget_reader.c:
11066 Use bison built in YYACCEPT and YYABORT so stack is cleaned up and freed.
11067 * src/win32/WIN32-Code/syslog.c:
11068 * src/win32/WIN32-Code/win32_service.c:
11069 * src/win32/WIN32-Includes/config.h:
11070 * src/win32/WIN32-Prj/snort.dsp:
11071 * src/win32/WIN32-Prj/snort.dsw:
11072 * src/win32/WIN32-Prj/snort_installer.nsi:
11073 Win32 project files updated to reflect Makefile changes.
11074
11075 2009-12-15 Ryan Jordan <ryan.jordan@sourcefire.com>
11076 * doc/snort_manual.tex:
11077 Clarified the documentation for output plugins alert_fast, alert_full,
11078 log_tcpdump, and alert_csv. Added documentation for log limits.
11079 * etc/gen-msg.map:
11080 * src/generators.h:
11081 * src/preprocessors/HttpInspect/client/hi_client.c:
11082 * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
11083 * src/preprocessors/HttpInspect/include/hi_client.h:
11084 * src/preprocessors/HttpInspect/include/hi_eo_events.h:
11085 Changes to improve handling of pipelined requests and chunked
11086 encodings based on content length header field.
11087 * src/preprocessors/snort_httpinspect.c:
11088 Fix error message for validation of client_flow_depth.
11089 * src/build.h:
11090 Updated build number
11091 * src/codes.c:
11092 * src/codes.h:
11093 * src/detection-plugins/sp_respond2.h:
11094 Removed unused code.
11095 * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
11096 * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
11097 Set IPv6 UDP DCE/RPC reassembly headers.
11098 * src/dynamic-preprocessors/Makefile.am:
11099 Exported more files to allow re-building of some .so files on NetBSD.
11100 * src/dynamic-preprocessors/ssh/spp_ssh.c:
11101 * src/dynamic-preprocessors/ssh/spp_ssh.h:
11102 Fixed an issue where the SSH preprocessor would erroneously alert on
11103 "protocol mismatch" when autodetect was turned on.
11104 * src/log.h:
11105 * src/parser.c:
11106 Fixed reloading of auto-iface variables after privileges had been dropped.
11107 Thanks to Pablo Catalina for reporting this issue.
11108 * src/output-plugins/spo_alert_prelude.c:
11109 Fixed compiling on AIX 6, or with --enable-prelude and --enable-ipv6.
11110 Thanks to Randal Rioux for reporting the AIX issues.
11111 Thanks to Markus Lude for reporting the prelude & IPv6 issues.
11112 * src/preprocessors/spp_rpc_decode.c:
11113 * src/preprocessors/spp_stream5.c:
11114 * src/preprocessors/Stream5/snort_stream5_tcp.c:
11115 * src/preprocessors/Stream5/snort_stream5_tcp.h:
11116 * src/preprocessors/stream_api.h:
11117 Set smaller flush point appropriate for RPC header.
11118 * src/sfutil/Makefile.am:
11119 * src/sfutil/sf_ipvar.c:
11120 Fixed an error where negative IP lists were not always being checked.
11121 * src/sfutil/sfPolicy.c:
11122 * src/sfutil/sfPolicy.h:
11123 Fix to return correct vlan/ip id.
11124 * src/sfutil/sfrt.h:
11125 * src/sfutil/sfrt_trie.h:
11126 More compile fixes on AIX 6.
11127 * src/snort.c:
11128 * src/target-based/sftarget_reader.c:
11129 Fix issues at startup and perfstats rotation with old versions of
11130 libc (2.2, 2.3) & linux threads.
11131 * src/util.h:
11132 Added a function prototype for InitTimeStats.
11133 * src/win32/WIN32-Includes/config.h:
11134 Formatting changes.
11135
11136 2009-10-21 Ryan Jordan <ryan.jordan@sourcefire.com>
11137 * doc/README.filters:
11138 added missing _.
11139 * doc/snort_manual.tex:
11140 Update to add PCRE modifiers that were left out of table 3.8.
11141 Fixed typos.
11142 * src/build.h:
11143 Updated build number.
11144 * src/codes.c:
11145 * src/codes.h:
11146 Removed unused code.
11147 * src/decode.c:
11148 When label > NUM_RESERVED_LABELS, iRet should be set based on the payload
11149 type
11150 * src/configure.in:
11151 * src/Makefile.am:
11152 * src/dynamic-examples/Makefile.am:
11153 * src/dynamic-examples/dynamic-preprocessor/Makefile.am:
11154 * src/dynamic-examples/dynamic-preprocessor/spp_example.c:
11155 Added the dynamic-examples back to the Makefile, and updated the example
11156 preprocessor to support multiple policies & config reloading.
11157 * src/detection-plugins/sp_pcre.c:
11158 fixed warning: ISO C90 forbids mixed declarations and code
11159 * src/detection-plugins/sp_respond2.h:
11160 separate flexresp interface from implementation
11161 Made react, resp, and resp2 independent except that libnet is only
11162 initialized/closed once regardless of build combinations.
11163 * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
11164 Fixed a bug where dynamic rules were not initialized correctly after a
11165 snort.conf reload.
11166 * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
11167 * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
11168 * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
11169 * src/dynamic-preprocessors/dns/spp_dns.c:
11170 * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
11171 * src/dynamic-preprocessors/smtp/spp_smtp.c:
11172 * src/dynamic-preprocessors/ssl/spp_ssl.c:
11173 * src/parser.c:
11174 * src/preprocessors/spp_httpinspect.c:
11175 * src/preprocessors/spp_rpc_decode.c:
11176 * src/preprocessors/spp_stream5.c:
11177 * src/preprocessors/Stream5/snort_stream5_session.c:
11178 * src/preprocessors/Stream5/snort_stream5_session.h:
11179 * src/preprocessors/Stream5/snort_stream5_tcp.c:
11180 * src/preprocessors/Stream5/snort_stream5_tcp.h:
11181 * src/preprocessors/Stream5/snort_stream5_udp.c:
11182 * src/preprocessors/Stream5/snort_stream5_udp.h:
11183 * src/preprocessors/Stream5/stream5_common.h:
11184 * src/preprocessors/stream_api.h:
11185 Fixed segfault when adding policies on reload
11186 Fixed potentially freed stream5 configuration being read on clean exit
11187 Fixed potentially wrong stream5 configuration being used during reload
11188 * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
11189 Make log message a debug message
11190 * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
11191 changing the return value
11192 * src/dynamic-preprocessors/ssh/spp_ssh.c:
11193 Fixed SSH preprocessor to use "FLPOLICY_IGNORE" when turning off Stream
11194 reassembly, as opposed to "FLPOLICY_NONE"
11195 * src/fpcreate.c:
11196 * src/profiler.c:
11197 Updated uses of IPPROTO_IP to ETHERNET_TYPE_IP
11198 * src/output-plugins/spo_alert_sf_socket.c:
11199 fixed otn lookup; due to not calling "first" function the configured
11200 gid/sids would not be found and so no no alerts would go out the socket
11201 and no errors reported.
11202 * src/log.c:
11203 use orig api and family for embedded icmp packet printing.
11204 Fixed out-of-bounds access when printing IPv6 packets using -v.
11205 * src/output-plugins/spo_database.c:
11206 Included missing "last_cid" column when inserting a new sensor into the
11207 table while "ignore_bpf" was turned on.
11208 * src/preprocessors/perf-base.c:
11209 Fixed inaccurate wire speed stats.
11210 * src/preprocessors/HttpInspect/client/hi_client.c:
11211 Updated previous bugfix to check for more possible return values.
11212 * src/preprocessors/spp_perfmonitor.c:
11213 Check if packet is stream rebuilt. Don't include in stats.
11214 * src/sfutil/sf_ip.h:
11215 processing of 0.0.0.0/x enabled. Only 0.0.0.0/32 is considered as "any".
11216 * src/sfutil/sfPolicy.c:
11217 fixed segfault when more than 10 policies were applied.
11218 * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
11219 * src/output-plugins/spo_alert_syslog.c:
11220 * src/win32/WIN32-Code/syslog.c:
11221 * src/win32/WIN32-Prj/sf_engine_initialize.dsp:
11222 * src/win32/WIN32-Prj/snort_initialize.dsp:
11223 Fix syslog output under Windows.
11224 * src/snort.c:
11225 enable -Q output with --help for !IPFW && !WIN32 builds; change text to
11226 be more accurate.
11227 * src/snort.h:
11228 Handled MPLS BOS.
11229 * src/target-based/sf_attribute_table_parser.l:
11230 * src/target-based/sf_attribute_table.y:
11231 * src/target-based/sftarget_reader.c:
11232 Use bison built in YYACCEPT and YYABORT so stack is cleaned up and freed
11233 Free host entries that are not inserted into routing table due to
11234 max_attribute_hosts limit
11235
11236 2009-09-15 Ryan Jordan <ryan.jordan@sourcefire.com>
11237 * doc/README.frag3:
11238 Removed ttl_limit option, as it has been deprecated.
11239 * doc/README.ftptelnet:
11240 Added the ignore_telnet_erase_cmds option.
11241 * doc/README.ssh:
11242 Fixed the documentation to reflect changes in SSH for 2.8.5.
11243 * doc/snort_manual.tex:
11244 Duplicated the above doc changes for the manual. Clarified order
11245 of rule actions.
11246 * etc/gen-msg.map:
11247 Punctuation changes.
11248 * etc/snort.conf:
11249 Fix the example SSH configuration, and turn it on by default. This
11250 should increase performance in situations where a lot of SSH traffic
11251 was inspected.
11252 * rpm/snort.spec:
11253 Updated version number.
11254 * src/build.h:
11255 Updated build number.
11256 * configure.in:
11257 Added configure switch to disable core files.
11258 * src/codes.c:
11259 * src/codes.h:
11260 Removed old/unused code.
11261 * src/debug.c:
11262 * src/sfutil/sfportobject.c:
11263 * src/snort.c:
11264 * src/snort.h:
11265 * src/util.c:
11266 redirect stdin/stdout/stderr to /dev/null
11267 for debug write to file and change ownership of file to dropped privs
11268 * src/decode.c:
11269 Allow support for label values of 0 or 2 at locations other than bottom
11270 of stack.
11271 * src/decode.h:
11272 * src/win32/WIN32-Prj/snort_installer.nsi:
11273 Moved a couple rules into the decoder.
11274 * src/detection-plugins/detection_options.c:
11275 * src/detection-plugins/detection_options.h:
11276 * src/detection-plugins/Makefile.am:
11277 * src/detection-plugins/sp_pattern_match.c:
11278 * src/detection-plugins/sp_pattern_match.h:
11279 * src/detection-plugins/sp_react.c:
11280 * src/detection-plugins/sp_react.h:
11281 * src/detection-plugins/sp_respond2.c:
11282 * src/detection-plugins/sp_respond2.h:
11283 * src/detection-plugins/sp_respond.c:
11284 * src/detection-plugins/sp_respond.h:
11285 * src/detection-plugins/sp_session.c:
11286 * src/win32/WIN32-Prj/snort.dsp:
11287 Made react, resp, and resp2 independent except that libnet is only
11288 initialized/closed once regardless of build combinations.
11289 * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
11290 Added a new check to handle loading of older libraries.
11291 * src/dynamic-plugins/sf_dynamic_preprocessor.h:
11292 * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
11293 * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
11294 * src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h:
11295 * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
11296 * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
11297 * src/dynamic-preprocessors/dns/sf_preproc_info.h:
11298 * src/dynamic-preprocessors/dns/spp_dns.c:
11299 * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
11300 * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
11301 * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
11302 * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
11303 * src/dynamic-preprocessors/ssh/sf_preproc_info.h:
11304 * src/dynamic-preprocessors/ssh/spp_ssh.h:
11305 * src/dynamic-preprocessors/ssl/sf_preproc_info.h:
11306 Changed the build numbers of preprocessors.
11307 * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
11308 * src/preprocessors/spp_arpspoof.c:
11309 * src/preprocessors/spp_stream5.c:
11310 * src/sfutil/acsmx2.c:
11311 * src/sfutil/acsmx2.h:
11312 Fixed compile warnings.
11313 * src/preprocessors/spp_sfportscan.c:
11314 Don't include vlan header in portscan event/log packet.
11315 * src/preprocessors/Stream5/snort_stream5_tcp.c:
11316 Fix core by adjusting IPv6 buffer size
11317 * src/profiler.c:
11318 Clean up preprocessor profiler formatting.
11319 * src/dynamic-preprocessors/ssh/spp_ssh.c:
11320 Changed limit on max_server_version_len to 255.
11321 * src/dynamic-preprocessors/smtp/smtp_log.h:
11322 * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
11323 * src/dynamic-preprocessors/smtp/spp_smtp.c:
11324 * src/generators.h:
11325 Gave xlink2state smtp preprocessor alert a unique sid.
11326 * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
11327 Fixed memory leaks.
11328 * src/fpcreate.c:
11329 Fixed potential segfault with multiple policies.
11330 * src/fpdetect.c:
11331 * src/fpdetect.h:
11332 * src/preprocessors/perf-base.c:
11333 * src/preprocessors/perf.c:
11334 * src/preprocessors/perf-event.c:
11335 * src/preprocessors/perf-event.h:
11336 * src/preprocessors/perf-flow.c:
11337 * src/preprocessors/perf-flow.h:
11338 * src/preprocessors/spp_frag3.c:
11339 * src/preprocessors/spp_perfmonitor.c:
11340 * src/sfutil/sfActionQueue.c:
11341 IPv6-related changes.
11342 * src/mempool.c:
11343 Check return values from mempool_init and fatal if bad when freeing
11344 pools, set to NULL.
11345 * src/preprocessors/Stream5/snort_stream5_icmp.c:
11346 * src/preprocessors/Stream5/snort_stream5_tcp.c:
11347 * src/preprocessors/Stream5/snort_stream5_udp.c:
11348 * src/sfutil/sfPolicy.c:
11349 Added additional error-checking.
11350 * src/output-plugins/spo_unified.c:
11351 * src/parser.c:
11352 * src/parser.h:
11353 * src/signature.c:
11354 * src/signature.h:
11355 Fixed a couple invalid reads & writes.
11356 * src/plugbase.c:
11357 Check configuration for all policies.
11358 * snort_head/snort/snort.8:
11359 Updated man page to reflect doc changes.
11360
11361 2009-07-13 Ryan Jordan <ryan.jordan@sourcefire.com>
11362 * src/win32/WIN32-Prj/sf_testdetect.dsp:
11363 * src/win32/WIN32-Prj/snort.dsp:
11364 * src/win32/WIN32-Prj/snort.dsw:
11365 Win32 updates.
11366 * configure.in:
11367 Update for module pack confliction.
11368 * snort.8:
11369 Removed obsolete option -o
11370 * doc/CREDITS:
11371 Updated credits to reflect Snort 2.8.5 work
11372 * doc/INSTALL:
11373 Indentation changes, update for Mac
11374 * doc/Makefile.am:
11375 Added README.filters
11376 * doc/README.filters:
11377 New README, describes the new filtering features in Snort 2.8.5
11378 * doc/README.frag3:
11379 Added the overlap_limit and min_fragment_length options
11380 * doc/README.ftptelnet:
11381 Indentation changes
11382 * doc/README.http_inspect:
11383 Added post_depth option.
11384 * doc/README.INLINE:
11385 Changed "snort_inline" to "Snort Inline"
11386 * doc/README.PerfProfiling:
11387 Updated stats output to reflect "Rev" column
11388 * doc/README.reload:
11389 New README, describes how to reload a Snort configuration in 2.8.5
11390 * doc/README.ssh:
11391 Updated the README to reflect changes in the SSH preprocessor for 2.8.5
11392 * doc/README.thresholding:
11393 Updated to indicate that "threshold" is deprecated in favor of "event_filter".
11394 * doc/snort_manual.tex:
11395 Updated to include 2.8.5 features, formatting updates.
11396 Removed old references to Stream4.
11397 * etc/gen-msg.map:
11398 Moved XMAS attack handling to decoder.
11399 Gave xlink2state smtp preprocessor alert unique sid.
11400 * etc/threshold.conf:
11401 Updated with formatting changes, deprecation notice for "threshold"
11402 * src/build.h:
11403 New build number.
11404 * src/codes.c:
11405 * src/codes.h:
11406 Removed unused files.
11407 * src/decode.c:
11408 * src/decode.h:
11409 Made some options policy-specific. Removed a couple poorly-performing
11410 rules and made them into decoder checks instead.
11411 * src/detect.c:
11412 * src/ppm.h:
11413 Don't reset packet time
11414 * src/detection-plugins/sp_asn1.c:
11415 * src/detection-plugins/sp_asn1_detect.c:
11416 Removed redundant check.
11417 * src/detection-plugins/sp_isdataat.c:
11418 * src/detection-plugins/sp_isdataat.h:
11419 Moved flags & struct to header file.
11420 * src/detection-plugins/sp_pattern_match.c:
11421 * src/detection-plugins/sp_replace.c:
11422 * src/detection-plugins/sp_replace.h:
11423 Check for combination of "replace" and "http_*" options, which are
11424 incompatible.
11425 * src/detection-plugins/sp_respond2.c:
11426 * src/detection-plugins/sp_respond.c:
11427 Renamed respond'