Changes:
2.1.0:
======
- A new connection tracking module, Flow (replaces conversation)
- A new portscan detector based off of Flow, Flow-Portscan (replaces
portscan2)
- A new http preprocessor, HttpInspect (replaces http_decode)
- Alert Thresholding and Suppression
- PCRE rule keyword (Perl Compat Regular Expressions)
- isdataat rule keyword (buffer length detection)
- A ton of new and updated rules.
2.0.6:
======
- 64-bit update for detection engine. (Thanks, Silio d'Angelo)
- Added better PPP decoding. (Thanks Jesper Peterson)
- Updated ip_proto optimization for high-speed detection engine.
- Fixed infinite loop problem that was introduced by the recursive pattern
matching patch. Reported by Lawrence Reed, thanks for testing out the
changes for us!
- Various changes to help respond (version 1) work a little better.
- spp_http_decode 64-bit patch from Dirk Mueller.
- Out-of-order ACK problem from Andrew Rucker. Also, updated stream4 to the
most recent version from HEAD.
- Minor fixes to tagging related to 'src' and 'dst' directives
- When counting one byte patterns in 'ningroup' added a check for
psLen==1 (wu-manber pattern matcher). Thanks Josh Sakofsky and Dennis
McGuire for helping us test this.
2.0.5:
======
- Stream4 fixes from Andrew Rucker Jones.
- Allow memcap to be configured for threshold features.
2.0.4:
======
- Fixed a core dump introduced with 2.0.3 when dealing with negated patterns
2.0.3:
======
- doe_ptr handling in byte_test/byte_jump slightly modified to work
better with the pcre patch
- content processing is now recursive to make distance/within processing
better ( thanks to Shai Rubin for patch! )
- fixed a bug in the mwm.c pattern matcher that resulted in some alerts
not firing in a particular configuration of rules
2.0.2:
======
- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
Patch from Adrian Portelli via PR pkg/22900.
Changes:
- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
Changes:
- fix host endianess problem in udp decoder
- vlan decoding fixes from Michael Pomraning
- add tcp state checking to httpflow
- ignoring bad checksums throughout snort if checksumming is turned on
- config disable_ttcp_alerts is now also config disable_tcpopt_ttcp_alerts
- better initialization handling of low memory conditions pointing to the
- low memory search engine
- byte_jump / byte_test 2 byte cases handled and unified
- correctly assign port numbers on tcpoption events
- pass rule logic changed to "win" in specific multiple event cases
- named interface support for win32 from the winpcap folks
- spp_bo now also will work with log-only output plugins
- added window detection plugin documentation to manual
- lots of new rules and tons of rule documentation
IMPORTANT: This version fixes remotely exploitable heap overflow in the stream4
preprocessor module.
Advisory: http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
Changes:
2.0.0:
======
- Enhanced high-performance detection engine
- Stateful Pattern Matching
- New detection keywords: byte_test & byte_jump
- The Snort code base has undergone an external third party professional
security audit funded by Sourcefire (http://www.sourcefire.com)
- Many new and updated rules
- snort.conf has been updated
- Enhancements to self preservation mechanisms in stream4 and frag2
- State tracking fixes in stream4
- New HTTP flow analyzer
- Enhanced protocol decoding (TCP options, 802.1q, etc)
- Enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc)
- Enhanced flexresp mode for real-time TCP session sniping
- Better chroot()'ing
- Tagging system updated
- Several million bugs addressed....
- Updated FAQ (thanks to Erek Adams and Dragos Ruiu) Snort 2.0 can be
downloaded at http://www.snort.org/dl/snort-2.0.0.tar.gz. Binary
versions of the codebase will be built over the next several days and
made available at here.
2.0.rc4:
========
- byte_jump/byte_test don't force relative content options
- byte_jump/byte_test absolute offsets work
- Better FIN handling in Stream4
2.0.rc3:
========
- A low memory usage detection method (enabled via "config detection:
search-method lowmem")
- Moved the default unix socket location to LOGDIR
2.0.rc2:
========
- syslog should work on win32 and unix
- major tagging updates
- new UDP decoding alerts
- snort.conf updates
2.0.rc1:
========
- Higher performance (due to a new pattern matcher and rebuilt detection
engine)
- Better decoders
- Enhanced stream reassembly and defragmentation
- Tons of bug fixes
- Updated rules
- Updated snort.conf
- New detection keywords (byte_test, byte_jump, distance, within) &
stateful pattern matching
- New HTTP flow analyzer
- Enhanced anomaly detection (HTTP, RPC, TCP, IP, etc)
- Better self preservation in stateful subsystems
- Xrefs fixed
- Flexresp works faster and more effectively
- Better chroot()'ing
- Fixed 802.1q decoding
- Better async state handling
- New alerting option: -A cmg!!
This version fixes the buffer overflow issue noted in:
http://www.kb.cert.org/vuls/id/916785
Changes:
- follow PKG_SYSCONFDIR
- added rc.d script
- create own user and group
- added MESSAGE with post-install instructions
- removed DEINSTALL
- minor cleanups (this package was really half-baked..)
1.9.1:
======
- src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
- alignment errors on non-x86 platforms
- added new space delimited options
alert_fragments
no_alert_multiple_requests
no_alert_large_fragments
no_alert_incomplete
- corrected buffer overflow in fragment normalization
- src/snort.c
- Win32 '-s' parameter wasn't configured to accept an optarg,
but code expected one, causing null-pointer violation.
- Backport of 2.0 fixes for stream4 ( off by one errors on reassembly )
Changes:
The main purpose of this release is a stable target with many fragroute
and tcp connection oriented fixes. This is also the last release of the
1.8.7 line and signals the start of the beta cycle for the 1.9 branch.
<mipam@ibb.net>. From the release notes:
1.8.4 and 1.8.5 both had bugs that were found right as we were ready
to do a full release and represented good midway points but 1.8.6
should be the stable target.
Changes include:
* The ICMP decoders have been rewritten.
* (This is a summary of recent changes -- not all mine)
* Fixed stream4 offset initialization
* Double Open of snort log file
* Lots of new rules
* Fatal error on problems other than -> and <>
* Fixed stream4 several low memory conditions
* Error checking in stream4/frag2 argument parsing
* snort-db schema updates to 1.05
* --with-pcap-includes should now look at specified pcap
* packet statistics now should be more accurate with regards to lost
frags
* double PID file write
* S4 alignment problems on SPARC fixed ( rpc_decode still has SPARC
alignment errors )
* new snmptrap code
* documentation updates
* Stability fixes in frag2
* SEQ / ACK checking should be correct
* Reassembled packets with stream4 will now also be inspected when
using -z est
* ip fragments are now calculated correctly
* rule headers correctly matched
( multiple CIDR performance greatly increased )
private mail -- thanks!)
Changes are:
* Fixed stream4 offset initialization
* Double Open of snort log file
* Lots of new rules
* Fatal error on problems other than -> and <>
* Fixed stream4 several low memory conditions
* Error checking in stream4/frag2 argument parsing
* snortdb schema updates to 1.05
* --with-pcap-includes should now look at specified pcap
* packet statistics now should be more accurate with regards to
lost packets werwerwerwerwer
* double PID file write
* S4 alignment problems on Sparc fixed
* new snmptrap code
* documentation updates
* Stability fixes in frag2
Major repairs include a fix to frag2 on Linux platforms, the icmp
decoder and printout routines were updated to match the data
structures that I implemented in 1.8.1 and the flexresp code was
repaired and should now be faster, plus the usual rule updates. I
also added a new "-B" command line switch to convert IP addresses
in a pcap file to a new specified IP subnet addresses.
* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting
a signal
* fixed PID path generation code, PID files go in the right place
now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which
causes all buffered packets in the stream reassembler for that
session to be logged in the event of an event on that stream
(must be used in conjunction with spo_log_tcpdump)
* added packet precacheing for flexresp TCP packets, responses
should be generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system
* SNMP alerts
* IDMEF XML output (the Silicon Defense plugin is integrated into
the main codebase now)
* Limited regex support in the rules language
* New packet counters for stream4 and frag2
* New normalization mode for http_decode
Fixes and additions:
* Fixed compilation problems on all non-BSD operating systems
* Added better configuration support for locating libpcap
* Fixed ICMP ping packet id/sequence printouts
* Made allowances for 64-bit machines in the decoders
* Updated the portscan detector to the latest version
* Disabled the defragmenter by default (in the rules file)
* Added a patch from Dave Dittrich to make daemon mode alerts
filenames conform
* to the data in the documentation
* Revamped the ICMP data structures to mimic those found in *BSD
and provide for higher fidelity decoding/printout in the future
* Repaired the output plugins so that they operate properly now
* For the record, the payload dump conforms to the length of the IP
datagram now and does not show pad bytes added by the minimum
Ethernet frame size
* Applied Chris Cramer's byte ordering patch to the flexresp code
Other updates and changes since version 1.6:
* New preprocessor plugin: IP defragmentation!!
* New output plugins cover all old logging and alerting options
* New output plugin no logs to MySQL, PostgreSQL, unixODBC databases
* Updated portscan detection functionality
* Added quote removal for most plugin parsers
* -C crash bug fixed
* PID/PATH_VARRUN file fixes
* Converted many putc(3) calls to fputc(3) for portability
* Transport layer decoders use ip_len field for length metric now
* String tokenizer code modified for more reliable operation
* Fixed flexible response code sequence prediction
* Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all
platforms
* Set automake options so that people don't need gmake anymore to
build Snort on BSD systems
* Fixed SMB alert code large tmp file hole
* Added sigsetmask code to fix SIGHUP weirdness
* Added execvp option for SIGHUP restart code
* Added ARP header printout validation
* Added Session logging file integrity checking
* Added -u/-g setuid/gid capability switches
* Added -O IP address obfuscation switch
* Added -t chroot switch
* Fixed non-TCP/UDP/ICMP transport layer decoding & logging
* Fixes and additions to the portscan preprocessor
* Fixed Tru64 u_int* type declarations
* Added check for pcap.h into configuration script
* Fixed timeval problems on Linux boxen
* Database logging plugin has been modified extensively, see the
www.incident.org website for more information
* Switched TCP flags printout routine to ensure proper RFP output
scan output. ;)
* Fixed default log/alert function code so that these functions are
never NULL
New features:
* Token Ring and FDDI decoder support
* Snort ported to Tru64/Alpha, IRIX 6.X, and AIX
* Output plugins added (modular output system)
* John Wilson greatly improved the speed of the content pattern matcher
* Added FlexResp (active response) plugin from Christian Lademann
* Snort man page now ships with the distribution
* Snort now generates a PID file for easier integration with scripting
* Added support for "stealthed" network interfaces
New command line switches:
* -q => quiet mode (no stdout printing)
* -C => print payload ASCII content only
* -P => set explicit snaplen for packet collection
Plugins:
* Added Postgres SQL DB logging output module from Jed Pickel
* Added portscan detection plugin from Patrick Mullen
* HTTP decode preprocessor largely rewritten and much more accurate
* Minfrag rule moved to preprocessor module
* Added ICMP ECHO ID check plugin
* Added ICMP ECHO sequence check plugin
* Added RPC analysis plugin from Mark Hindess
* Added IP option analysis plugin
* Added nocase plugin (makes content rules work with case insensitivity)
* Added syslog output module with user definable syslog facility
* Added tcpdump output module
(and building without patches on Solaris).
Changes are:
* fixed a problem with pass rules not being applied properly
* fixed a #include ordering statement for Slackware 4.0 installs
* fixed banner output for the -V option
* Token Ring decoding is now fully functional
* Added packet buffer cleanup code to all protocol decoders
* fixed a problem with improper TCP option output
* Added a Snort man page
From the Readme:
Version 1.5 adds major new functionality! Detection and preprocessing plugins,
session logging, rules file variables and includes, five new network layer
decoders including ISDN and Token Ring support, new detection functionality,
and a bunch of other cool stuff.