Performing substitutions during post-patch breaks tools such as mkpatches,
making it very difficult to regenerate correct patches after making changes,
and often leading to substituted string replacements being committed.
This is a HUGE bump, so look at the changelog on the Snort website !
For example, Snort does not natively handle MySQL anymore.
As for the pkgsrc changes :
- updated deps (net/daq) ;
- updated config files ;
- updated MASTER_SITE ;
- some substitution to handle pkgsrc paths ;
- updated compile options.
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
Upstream NEWS is weak; release notes for 2.8.5.1 follow.
[*] Improvements
* Fixed syslog output when running on Windows.
* Fixed potential segfault when printing IPv6 packets using the -v option.
Thanks to Laurent Gaffie for reporting this issue.
* Fixed segfault when additional policies were added during a configuration
reload.
* Update rule latency thresholding
* The flow and stream4 preprocessors will be deprecated in a future release.
* DCE/RPC preprocessor changes to handle abnormal TCP segmentation.
Added option to reassemble fragmentation buffers early. Updated
documentation.
* Fixed handling of MPLS label in checking Stream session uniqueness
when IPv4 packets are received and build is IPv6.
See the ChangeLog for all the details
Fix non-priv'ed builds which should fix PR 39260
2008-07-24 - Snort 2.8.2.2
[*] Improvements
* Fix issue with evaluating PCRE rule options with /U modifier that
are followed by a relative content rule option.
* Fix issue with dsize range check.
2008-06-12 - Snort 2.8.2.1
[*] Improvements
* Fix support for pass rules that sometimes did not take precedence
over alert and/or drop rules.
Includes fix for CVE-2008-1804
[*] New Additions
* Target-Based support to allow rules to use an attribute table
describing services running on various hosts on the network.
Eliminates reliance on port-based rules.
* Support for GRE encapsulation for both IPv4 & IPv6.
* Support for IP over IP tunneling for both IPv4 & IPv6.
* SSL preprocessor to allow ability to not inspect encrypted traffic.
* Ability to read mulitple PCAPs from the command line.
* Support for new CVS rule detection options.
[*] Improvements
* Update to HTTP Inspect to identify overly long HTTP header fields.
* Updates to IPv6 support, including changes to avoid namespace
conflicts for certain Operating systems.
* Updates to address issues seen on various Sparc platforms.
* Stricter enforcement of shared object versions to avoid API
conflicts.
[*] Improvements
* Updates to build with new versions of libPCRE.
* Fix Stream5 debugging output to actually compile and have correct output
for normal & IPv6 enabled builds.
* Correct perfmonitor statistic calculation for pattern matcher percentage.
* Port lists
* IPv6 support
* Packet performance monitoring
* Experimental support for target-based stream and IP frag reassembly
* Ability to take actions on preprocessor events
* Detection for TCP session hijacking based on MAC address
* Unified2 output plugin
* Improved performance and detection capabilities
Fixed header files to avoid conflicts with system files on BSD for
IPv6 data structures.
Added code to prevent URI-related alerts from firing when the
body is being normalized.
Make Stream5 the default stream engine.
Add alert for multiple GRE encapsulations.
Added ability for Snort to track fragmented ICMPv6 to check for the
remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).
Code cleanup, change malloc/calloc to SnortAlloc, use safer functions
SnortSnprintf, SnortStrncpy, etc. Check pointers before use.
Additional updates for bounds checking.
And many more . . . check the ChangeLog for all the details
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
Snort v2.6.1.5 includes:
* A new http_post rule keyword used to search for content in normalized
HTTP posts
* A fix for a potential memory leak when generating HTTP Inspection events
Snort v2.6.1.4 includes detection functionality for a BSD IPv6 fragmentation
overflow, and addresses a number of potential security-related issues in
Snort as reported by customers, uncovered by internal investigations, and
through third-party code audits.
2.6.1 provides new functionality including the following:
* New pattern matcher with a significantly reduced memory footprint
* Introduction of stream5 for experimental use
* Improvements to stream4, including UDP session tracking and optimizations for the reassembly buffer
* Handling for reassembly of SMB fragmented data in DCE/RPC
* An ssh preprocessor for experimental use
* Updated Snort decoder that can decode GRE encapsulated packets
* Output plugin to allow Snort to configure Aruba access control
Snort 2.6.0:
* Tcp stream properly reassembled after failed sequence check, which may lead to possible detection evasion.
* Added configurable stream flushpoints.
* Improved rpc processing.
* Improved portscan detection.
* Improved http request processing and handling of possible evasion cases.
* Improved performance monitoring.
The Snort 2.6 release also introduces the ability to use dynamic rules and dynamic preprocessors and contains further improvements to the Snort detection engine.
Remove snort-{pgsql,mysql,prelude}. The new snort package uses options.mk
to specify build options.
2005-01-25 - Snort 2.3.0 Final Released
* Fixed issue with sfPortscan reporting incorrect IP datagram length.
Thanks Jon Hart for the test case and finding the bug, and Marc Norton
for resolving the issue.
* Threshold/Suppression now prints properly when logging to syslog.
Thanks Sekure for pointing out the problem. Thanks Steve Sturges for
working on the fix.
* Threshold memcap argument now correctly handles non-integer input.
Thanks nnposter for the patch.
* Fixed issue reported by Allan Jensen, where on MacOS X, ppp links were
not decoded properly. Thanks Dan Roelker for the fix.
* Snort manual and FAQ are updated for 2.3. Thanks Jen Harvey for your
work on putting it all together.
2004-12-15 - Snort 2.3.0 RC2 Released
* Small performance improvement to arpspoof and also fixed a problem
where the list of configured IP/MAC entries would contain only one
entry and leaked memory (Jeff Nathan).
* Fixed a problem affecting MacOS X where linking may fail with
non-standard libraries when global symbols are encountered multiple
times (Jeff Nathan).
* Ignore RST|ACK midstream pickup case so we don't get an evasive TCP
alerts. Thanks for the report, Sekure. Thanks Dan Roelker for the fix.
* Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the
logdir config will work if the default or command-line logdir does not
exist on the system. Thanks Dan Roelker.
* Fixed bug when setting the doe_ptr on a successful pcre match.
It is now set relative to base_ptr. Thanks Steve Sturges for the
fix.
* Added from_beginning and multiplier options for byte_jump.
from_beginning skips bytes from the beginning of the content,
instead of from the location immediately following the number
of bytes to skip. multiplier takes a numeric argument, and
skips x times that number of bytes. Thanks again to Steve Sturges.
* In "fast" output, now log only actual packet contents when UDP
data length is greater than actual data length. Thanks Brian
Caswell for spotting this, and Andrew Mullican for working on the fix.
* Please check the ChangeLog for further details.
2004-11-18 - Snort 2.3.0 RC1 Released
* Added IPS functionality from Snort-Inline. A big thanks to the
Snort-Inline guys (Jed Haile, Rob McMillen, William Metcalf, and Victor
Julien). Also, Thanks Dan Roelker for doing the integrating of
Snort-Inline into the official Snort project.
* Added new portscan detector. The design and implementation was headed
up by Dan Roelker, and included Marc Norton and Jeremy Hewlett.
* Numerous changes for better 64bit Snort support from Jeremy Hewlett and
Marc Norton. Additionally, an --enable-64bit-gcc option was added to
configure. However, there are still some memory alignment issues to
work out before 64bit mode is fully functional, patches are welcomed.
Thanks Chris Baker for doing 64bit testing.
* Added not_established keyword to the flow detection option. This allows
snort to do dynamic firewall rulesets. Experimental for now.
* Added an enforce_state keyword to stream4 so we won't pick up midstream
sessions. This works well for asynchronous links and also for
just monitoring legitimate traffic.
* Relocated ./contrib files to http://www.snort.org/dl/contrib as many
are not maintained by Sourcefire and are out of date. The rpm and
schema files have been relocated in their respective 'rpm' and 'schemas'
directories under the snort parent directory.
* perfmonitor config line can now be configured with "accumulate" or
"reset." Thanks Marc Norton for the feature, and Barry Basselgia for
pointing out the issue. Thanks Scott Dexter and Andreas Ostling for
doing some initial testing.
* Fixed 64-bit bug in sfmemcap.c found and tested by Ryan Matteson
and Clay McClure. Thanks guys.
* Fixed reference times to match log time for first packet, for an event
generated by a reassembled packet. Incremented event ID to give
unique ID for each packet. Also made unified logging compatible with
Windows. Thanks Andrew Mullican for the fix.
* Fixed linux perfmonitoring stats for the 2.6 kernel. Thanks to
everyone that reported this bug. Thanks Dan Roelker for the fix.
* Get thresholding/suppression to work for alerts that do not
contain an ip header (primarily decode alerts). Thanks
Brian Caswell.
* Fix conditions where snort would log double web alerts that
contained only content options (no uricontents). Thanks to kawa for
finding and reporting this bug.
* Fix suppression/thresholding bug for non-rule alerts. Thanks to
Alex Butcher for reporting it to us.
* Many other bug fixes, please check the ChangeLog for details.
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.
This is from ideas from Greg Woods and others.
Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
Changes:
2.1.0:
======
- A new connection tracking module, Flow (replaces conversation)
- A new portscan detector based off of Flow, Flow-Portscan (replaces
portscan2)
- A new http preprocessor, HttpInspect (replaces http_decode)
- Alert Thresholding and Suppression
- PCRE rule keyword (Perl Compat Regular Expressions)
- isdataat rule keyword (buffer length detection)
- A ton of new and updated rules.
2.0.6:
======
- 64-bit update for detection engine. (Thanks, Silio d'Angelo)
- Added better PPP decoding. (Thanks Jesper Peterson)
- Updated ip_proto optimization for high-speed detection engine.
- Fixed infinite loop problem that was introduced by the recursive pattern
matching patch. Reported by Lawrence Reed, thanks for testing out the
changes for us!
- Various changes to help respond (version 1) work a little better.
- spp_http_decode 64-bit patch from Dirk Mueller.
- Out-of-order ACK problem from Andrew Rucker. Also, updated stream4 to the
most recent version from HEAD.
- Minor fixes to tagging related to 'src' and 'dst' directives
- When counting one byte patterns in 'ningroup' added a check for
psLen==1 (wu-manber pattern matcher). Thanks Josh Sakofsky and Dennis
McGuire for helping us test this.
2.0.5:
======
- Stream4 fixes from Andrew Rucker Jones.
- Allow memcap to be configured for threshold features.
2.0.4:
======
- Fixed a core dump introduced with 2.0.3 when dealing with negated patterns
2.0.3:
======
- doe_ptr handling in byte_test/byte_jump slightly modified to work
better with the pcre patch
- content processing is now recursive to make distance/within processing
better ( thanks to Shai Rubin for patch! )
- fixed a bug in the mwm.c pattern matcher that resulted in some alerts
not firing in a particular configuration of rules
2.0.2:
======
- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
Changes:
- fix host endianess problem in udp decoder
- vlan decoding fixes from Michael Pomraning
- add tcp state checking to httpflow
- ignoring bad checksums throughout snort if checksumming is turned on
- config disable_ttcp_alerts is now also config disable_tcpopt_ttcp_alerts
- better initialization handling of low memory conditions pointing to the
- low memory search engine
- byte_jump / byte_test 2 byte cases handled and unified
- correctly assign port numbers on tcpoption events
- pass rule logic changed to "win" in specific multiple event cases
- named interface support for win32 from the winpcap folks
- spp_bo now also will work with log-only output plugins
- added window detection plugin documentation to manual
- lots of new rules and tons of rule documentation
<mipam@ibb.net>. From the release notes:
1.8.4 and 1.8.5 both had bugs that were found right as we were ready
to do a full release and represented good midway points but 1.8.6
should be the stable target.
Changes include:
* The ICMP decoders have been rewritten.
* (This is a summary of recent changes -- not all mine)
* Fixed stream4 offset initialization
* Double Open of snort log file
* Lots of new rules
* Fatal error on problems other than -> and <>
* Fixed stream4 several low memory conditions
* Error checking in stream4/frag2 argument parsing
* snort-db schema updates to 1.05
* --with-pcap-includes should now look at specified pcap
* packet statistics now should be more accurate with regards to lost
frags
* double PID file write
* S4 alignment problems on SPARC fixed ( rpc_decode still has SPARC
alignment errors )
* new snmptrap code
* documentation updates
* Stability fixes in frag2
* SEQ / ACK checking should be correct
* Reassembled packets with stream4 will now also be inspected when
using -z est
* ip fragments are now calculated correctly
* rule headers correctly matched
( multiple CIDR performance greatly increased )
private mail -- thanks!)
Changes are:
* Fixed stream4 offset initialization
* Double Open of snort log file
* Lots of new rules
* Fatal error on problems other than -> and <>
* Fixed stream4 several low memory conditions
* Error checking in stream4/frag2 argument parsing
* snortdb schema updates to 1.05
* --with-pcap-includes should now look at specified pcap
* packet statistics now should be more accurate with regards to
lost packets werwerwerwerwer
* double PID file write
* S4 alignment problems on Sparc fixed
* new snmptrap code
* documentation updates
* Stability fixes in frag2
Major repairs include a fix to frag2 on Linux platforms, the icmp
decoder and printout routines were updated to match the data
structures that I implemented in 1.8.1 and the flexresp code was
repaired and should now be faster, plus the usual rule updates. I
also added a new "-B" command line switch to convert IP addresses
in a pcap file to a new specified IP subnet addresses.
* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting
a signal
* fixed PID path generation code, PID files go in the right place
now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which
causes all buffered packets in the stream reassembler for that
session to be logged in the event of an event on that stream
(must be used in conjunction with spo_log_tcpdump)
* added packet precacheing for flexresp TCP packets, responses
should be generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system
