Upstream NEWS is weak; release notes for 2.8.5.1 follow.
[*] Improvements
* Fixed syslog output when running on Windows.
* Fixed potential segfault when printing IPv6 packets using the -v option.
Thanks to Laurent Gaffie for reporting this issue.
* Fixed segfault when additional policies were added during a configuration
reload.
* Port lists
* IPv6 support
* Packet performance monitoring
* Experimental support for target-based stream and IP frag reassembly
* Ability to take actions on preprocessor events
* Detection for TCP session hijacking based on MAC address
* Unified2 output plugin
* Improved performance and detection capabilities
Fixed header files to avoid conflicts with system files on BSD for
IPv6 data structures.
Added code to prevent URI-related alerts from firing when the
body is being normalized.
Make Stream5 the default stream engine.
Add alert for multiple GRE encapsulations.
Added ability for Snort to track fragmented ICMPv6 to check for the
remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).
Code cleanup, change malloc/calloc to SnortAlloc, use safer functions
SnortSnprintf, SnortStrncpy, etc. Check pointers before use.
Additional updates for bounds checking.
And many more . . . check the ChangeLog for all the details
Snort v2.6.1.5 includes:
* A new http_post rule keyword used to search for content in normalized
HTTP posts
* A fix for a potential memory leak when generating HTTP Inspection events
Snort v2.6.1.4 includes detection functionality for a BSD IPv6 fragmentation
overflow, and addresses a number of potential security-related issues in
Snort as reported by customers, uncovered by internal investigations, and
through third-party code audits.
2.6.1 provides new functionality including the following:
* New pattern matcher with a significantly reduced memory footprint
* Introduction of stream5 for experimental use
* Improvements to stream4, including UDP session tracking and optimizations for the reassembly buffer
* Handling for reassembly of SMB fragmented data in DCE/RPC
* An ssh preprocessor for experimental use
* Updated Snort decoder that can decode GRE encapsulated packets
* Output plugin to allow Snort to configure Aruba access control
Snort 2.6.0:
* Tcp stream properly reassembled after failed sequence check, which may lead to possible detection evasion.
* Added configurable stream flushpoints.
* Improved rpc processing.
* Improved portscan detection.
* Improved http request processing and handling of possible evasion cases.
* Improved performance monitoring.
The Snort 2.6 release also introduces the ability to use dynamic rules and dynamic preprocessors and contains further improvements to the Snort detection engine.
Remove snort-{pgsql,mysql,prelude}. The new snort package uses options.mk
to specify build options.
From the ChangeLog:
> 2005-09-16 - Snort 2.4.1 Released
> [*] New additions
> * Added a -K command line option to manually select the logging mode using
> a single switch. The -b and -N switches will be deprecated in version
> 2.7. Pcap logging is now the default for Snort at startup, use "-K ascii"
> to revert to old behavior.
>
> [*] Improvements
> * Win32 version now supports winpcap 3.1 and MySQL client 4.13.
> * Added event on zero-length RPC fragments.
> * Fixed TCP SACK processing for text based outputs that could result in a
> DoS.
> * General improvements to frag3 including Teardrop detection fix.
> * Fixed a bug in the PPPoE decoder.
> * Added patch for time stats from Bill Parker. Enable with configure
> --enable-timestats.
> * Fixed IDS mode bailing at startup if logdir is specified in snort.conf
> and /var/log/snort doesn't exist.
> * Added decoder for IPEnc for OpenBSD. Thanks Jason Ish for the patch
> (long time ago) and Chris Kuethe for reraising the issue.
> * Allow snort to use usernames (-u) and groupnames (-g) that include
> numbers. Thanks to Shaick for the patch.
> * Fixed broken -T option.
> * Change ip_proto to ip for portscan configuration. Thanks David Bianco
> for pointing this out.
> * Fix for prelude initialization. Thanks Yoann Vandoorselaere for the
> update.
> * For content matches, when subsequent rule options fail, start searching
> again in correct location.
> * Updated Win32 to handle pflog patch.
> * Added support for new OpenBSD pflog format. Older pflog format,
> OpenBSD 3.3 and earlier is still supported. Thanks Breno Leitao
> and Christian Reis for the patch.
> * Added statistics counter for ETH_LOOPBACK packets. Thanks rmkml
> for the patch.
If you are using this package make note of the distribution change
mentioned below. I have update the MESSAGE to inform users of this and
there is now also a net/snort-rules package with the community rules.
> [*] Distribution Change
> * Rules are no longer distributed as part of the Snort releases, they are
> available as a separate download from snort.org. This was done for
> three reasons:
> 1) To better manage the new rules licensing.
> 2) To reduce the size of the engine download.
> 3) To move the thousands of documentation files for the rules into
> the rules tarballs. If you've ever checked Snort out of CVS you'll
> know why this is a Good Thing.
>
> [*] New additions
> * Added new IP defragmentation preprocessor, Frag3. The frag3 preprocessor
> is a target-based IP defragmentation module, and is intended as a
> replacement for the frag2 module. Check out the README.frag3 for full
> info on this new preprocessor.
>
> * Libprelude support has been added (enable with --enable-prelude).
> Thanks Yoann Vandoorselaere!
>
> * An "ftpbounce" rule detection plugin was added for easier detection of
> FTP bounce attacks.
>
> * Added a new Snort config option, "ignore_ports," to ignore packets
> based on port number. This is similar to bpf filters, but done within
> snort.conf.
>
> [*] Improvements
> * Snort startup messages printed in syslog now contain a PID before each
> entry. Thanks Sekure for initially bringing this up.
>
> * Stream4: Performance improvements.
>
> * Stream4: Added 'max_session_limit' option which limits number of
> concurrent sessions tracked. Added favor_old/favor_new options that
> affect order in which packets are put together for reassembly.
>
> * Stream4: New configuration options to manage flushpoints for improved
> anti-evasion. The flush_behavior option selects flushpoint management
> mode. New flush_base, flush_range, and flush_seed manage randomized
> flushing. Check out the snort.conf file for full config data on the
> new flush options.
>
> * Added two more alerts for BackOrifice client and server packets. This
> allows specific alerts to be suppressed.
>
> * PerfMon preprocessor updated to include more detailed stats for rebuilt
> packets (applayer, wire, fragmented & TCP). Also added 'atexitonly'
> option that dumps stats at exit of snort, and command line -Z flag to
> specify the file to which stats are logged.
>
> * Added new Http Inspect config item, "tab_uri_delimiter," which if
> specified, lets a tab character (0x09) act as the delimiter for a URI.
>
> * Added a '-G' command line flag to snort that specifies the Snort
> instance log identifier. It takes a single argument that can be either
> hex (prefaced with 0x) or decimal. The unified log files will include
> the instance ID when the -G flag is used.
>
> * "Same SRC/DST" (sid 527) and "Loopback Traffic" (sid 528) are now
> handled in the IP decoder. Those sids are now considered obsolete.
>
> * Http_Inspect "flow_depth" option now accepts a -1 value which tells
> Snort to ignore all server-side traffic.
>
> * RPMs have been updated to be more portable, and also now include a
> "--with inline" option for those wanting to build Inline RPMs. Thanks
> Daniel Wittenberg and JP Vossen for your help!
>
> * Many, many bug fixes have also gone into this release, please see the
> ChangeLog for details.
- ok'ed snj@, wiz@
- Install database scripts which goes a part-way to addressing PR 18996
Updated database schema diagram from Chris Reid. Schema can be found in
./doc/snort_schema_v106.pdf
Added --include-pcre* configuration option to help cross compiling. Thanks
Erik de Castro Lopo.
Fixed thresholding/suppression issue with queuing multiple events per packet.
Thanks Andreas Ostling.
When a rebuilt stream causes an alert, log out the original packets instead of
the rebuilt packet. Thanks sekure@gmail.com for the report.
Turned off http_inspect alerts that were causing false positives in the preset
webserver profiles (Thanks Dan Roelker).
Turn off encoding alerts in HTTP parameter field. The parameter field is still
normalized, it just doesn't alert. This helps reduce alerts that are generated
from complex parameter queries (Thanks Dan Roelker).
Fixed memory leak in "fast" output. Thanks for your bug report
sekure@gmail.com.
Clear error code which under Windows was causing a subsequent false failure in
parsing threshold rules. (Thanks to Rich Adamson)
Further details can be found in Changelog and RELEASE.NOTES.
Changes:
2.1.0:
======
- A new connection tracking module, Flow (replaces conversation)
- A new portscan detector based off of Flow, Flow-Portscan (replaces
portscan2)
- A new http preprocessor, HttpInspect (replaces http_decode)
- Alert Thresholding and Suppression
- PCRE rule keyword (Perl Compat Regular Expressions)
- isdataat rule keyword (buffer length detection)
- A ton of new and updated rules.
2.0.6:
======
- 64-bit update for detection engine. (Thanks, Silio d'Angelo)
- Added better PPP decoding. (Thanks Jesper Peterson)
- Updated ip_proto optimization for high-speed detection engine.
- Fixed infinite loop problem that was introduced by the recursive pattern
matching patch. Reported by Lawrence Reed, thanks for testing out the
changes for us!
- Various changes to help respond (version 1) work a little better.
- spp_http_decode 64-bit patch from Dirk Mueller.
- Out-of-order ACK problem from Andrew Rucker. Also, updated stream4 to the
most recent version from HEAD.
- Minor fixes to tagging related to 'src' and 'dst' directives
- When counting one byte patterns in 'ningroup' added a check for
psLen==1 (wu-manber pattern matcher). Thanks Josh Sakofsky and Dennis
McGuire for helping us test this.
2.0.5:
======
- Stream4 fixes from Andrew Rucker Jones.
- Allow memcap to be configured for threshold features.
2.0.4:
======
- Fixed a core dump introduced with 2.0.3 when dealing with negated patterns
2.0.3:
======
- doe_ptr handling in byte_test/byte_jump slightly modified to work
better with the pcre patch
- content processing is now recursive to make distance/within processing
better ( thanks to Shai Rubin for patch! )
- fixed a bug in the mwm.c pattern matcher that resulted in some alerts
not firing in a particular configuration of rules
2.0.2:
======
- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
IMPORTANT: This version fixes remotely exploitable heap overflow in the stream4
preprocessor module.
Advisory: http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
Changes:
2.0.0:
======
- Enhanced high-performance detection engine
- Stateful Pattern Matching
- New detection keywords: byte_test & byte_jump
- The Snort code base has undergone an external third party professional
security audit funded by Sourcefire (http://www.sourcefire.com)
- Many new and updated rules
- snort.conf has been updated
- Enhancements to self preservation mechanisms in stream4 and frag2
- State tracking fixes in stream4
- New HTTP flow analyzer
- Enhanced protocol decoding (TCP options, 802.1q, etc)
- Enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc)
- Enhanced flexresp mode for real-time TCP session sniping
- Better chroot()'ing
- Tagging system updated
- Several million bugs addressed....
- Updated FAQ (thanks to Erek Adams and Dragos Ruiu) Snort 2.0 can be
downloaded at http://www.snort.org/dl/snort-2.0.0.tar.gz. Binary
versions of the codebase will be built over the next several days and
made available at here.
2.0.rc4:
========
- byte_jump/byte_test don't force relative content options
- byte_jump/byte_test absolute offsets work
- Better FIN handling in Stream4
2.0.rc3:
========
- A low memory usage detection method (enabled via "config detection:
search-method lowmem")
- Moved the default unix socket location to LOGDIR
2.0.rc2:
========
- syslog should work on win32 and unix
- major tagging updates
- new UDP decoding alerts
- snort.conf updates
2.0.rc1:
========
- Higher performance (due to a new pattern matcher and rebuilt detection
engine)
- Better decoders
- Enhanced stream reassembly and defragmentation
- Tons of bug fixes
- Updated rules
- Updated snort.conf
- New detection keywords (byte_test, byte_jump, distance, within) &
stateful pattern matching
- New HTTP flow analyzer
- Enhanced anomaly detection (HTTP, RPC, TCP, IP, etc)
- Better self preservation in stateful subsystems
- Xrefs fixed
- Flexresp works faster and more effectively
- Better chroot()'ing
- Fixed 802.1q decoding
- Better async state handling
- New alerting option: -A cmg!!
This version fixes the buffer overflow issue noted in:
http://www.kb.cert.org/vuls/id/916785
Changes:
- follow PKG_SYSCONFDIR
- added rc.d script
- create own user and group
- added MESSAGE with post-install instructions
- removed DEINSTALL
- minor cleanups (this package was really half-baked..)
1.9.1:
======
- src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
- alignment errors on non-x86 platforms
- added new space delimited options
alert_fragments
no_alert_multiple_requests
no_alert_large_fragments
no_alert_incomplete
- corrected buffer overflow in fragment normalization
- src/snort.c
- Win32 '-s' parameter wasn't configured to accept an optarg,
but code expected one, causing null-pointer violation.
- Backport of 2.0 fixes for stream4 ( off by one errors on reassembly )
Changes:
The main purpose of this release is a stable target with many fragroute
and tcp connection oriented fixes. This is also the last release of the
1.8.7 line and signals the start of the beta cycle for the 1.9 branch.
private mail -- thanks!)
Changes are:
* Fixed stream4 offset initialization
* Double Open of snort log file
* Lots of new rules
* Fatal error on problems other than -> and <>
* Fixed stream4 several low memory conditions
* Error checking in stream4/frag2 argument parsing
* snortdb schema updates to 1.05
* --with-pcap-includes should now look at specified pcap
* packet statistics now should be more accurate with regards to
lost packets werwerwerwerwer
* double PID file write
* S4 alignment problems on Sparc fixed
* new snmptrap code
* documentation updates
* Stability fixes in frag2
* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting
a signal
* fixed PID path generation code, PID files go in the right place
now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which
causes all buffered packets in the stream reassembler for that
session to be logged in the event of an event on that stream
(must be used in conjunction with spo_log_tcpdump)
* added packet precacheing for flexresp TCP packets, responses
should be generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system
New features:
* Token Ring and FDDI decoder support
* Snort ported to Tru64/Alpha, IRIX 6.X, and AIX
* Output plugins added (modular output system)
* John Wilson greatly improved the speed of the content pattern matcher
* Added FlexResp (active response) plugin from Christian Lademann
* Snort man page now ships with the distribution
* Snort now generates a PID file for easier integration with scripting
* Added support for "stealthed" network interfaces
New command line switches:
* -q => quiet mode (no stdout printing)
* -C => print payload ASCII content only
* -P => set explicit snaplen for packet collection
Plugins:
* Added Postgres SQL DB logging output module from Jed Pickel
* Added portscan detection plugin from Patrick Mullen
* HTTP decode preprocessor largely rewritten and much more accurate
* Minfrag rule moved to preprocessor module
* Added ICMP ECHO ID check plugin
* Added ICMP ECHO sequence check plugin
* Added RPC analysis plugin from Mark Hindess
* Added IP option analysis plugin
* Added nocase plugin (makes content rules work with case insensitivity)
* Added syslog output module with user definable syslog facility
* Added tcpdump output module
(and building without patches on Solaris).
