Commit graph

46 commits

Author SHA1 Message Date
snj
2898463d1b s/capabilty/capability/; s/seperate/separate/ 2004-01-31 23:57:54 +00:00
kristerw
6f13a6d41f Make this package build on NetBSD 1.6. 2004-01-31 20:43:41 +00:00
salo
495195d60a Update to version 2.1.0.
Changes:

2.1.0:
======
- A new connection tracking module, Flow (replaces conversation)
- A new portscan detector based off of Flow, Flow-Portscan (replaces
  portscan2)
- A new http preprocessor, HttpInspect (replaces http_decode)
- Alert Thresholding and Suppression
- PCRE rule keyword (Perl Compat Regular Expressions)
- isdataat rule keyword (buffer length detection)
- A ton of new and updated rules.

2.0.6:
======
- 64-bit update for detection engine. (Thanks, Silio d'Angelo)
- Added better PPP decoding. (Thanks Jesper Peterson)
- Updated ip_proto optimization for high-speed detection engine.
- Fixed infinite loop problem that was introduced by the recursive pattern
  matching patch. Reported by Lawrence Reed, thanks for testing out the
  changes for us!
- Various changes to help respond (version 1) work a little better.
- spp_http_decode 64-bit patch from Dirk Mueller.
- Out-of-order ACK problem from Andrew Rucker. Also, updated stream4 to the
  most recent version from HEAD.
- Minor fixes to tagging related to 'src' and 'dst' directives
- When counting one byte patterns in 'ningroup' added a check for
  psLen==1 (wu-manber pattern matcher). Thanks Josh Sakofsky and Dennis
  McGuire for helping us test this.

2.0.5:
======
- Stream4 fixes from Andrew Rucker Jones.
- Allow memcap to be configured for threshold features.

2.0.4:
======
- Fixed a core dump introduced with 2.0.3 when dealing with negated patterns

2.0.3:
======
- doe_ptr handling in byte_test/byte_jump slightly modified to work
  better with the pcre patch
- content processing is now recursive to make distance/within processing
  better ( thanks to Shai Rubin for patch! )
- fixed a bug in the mwm.c pattern matcher that resulted in some alerts
  not firing in a particular configuration of rules

2.0.2:
======
- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
2003-12-31 14:11:42 +00:00
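The release notes above list new rule keywords (pcre, isdataat, byte_test/byte_jump), thresholding/suppression and the lowmem search method without showing how they are written. The following snort.conf fragment is an added example, not part of this commit log, the pkgsrc package or the Snort distribution. $EXTERNAL_NET and $HOME_NET are the stock snort.conf variables; the port 7777 protocol with a CA FE magic, the sids, the threshold values and the suppressed address 192.0.2.10 are assumptions for illustration only.

```snort
# Added example; not from the pkgsrc package or the Snort distribution.
# The port 7777 "CA FE" protocol, sids 1000001-1000003, the threshold
# values and the suppressed IP are assumptions for illustration.

# 2.0.rc3: trade matching speed for a smaller working set
config detection: search-method lowmem

# 2.0.5: cap (in bytes) the memory the threshold/suppress tables may use
config threshold: memcap 3000000

# 2.1.0: pcre and isdataat. isdataat fails fast when fewer than 512 bytes
# follow the matched "GET ", so the regex only runs on candidate packets.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"EXAMPLE oversized HTTP GET request line"; \
    flow:to_server,established; \
    content:"GET "; depth:4; \
    isdataat:512,relative; \
    pcre:"/^GET [^\r\n]{512,}/"; \
    classtype:attempted-recon; sid:1000001; rev:1; \
)

# 2.0.0 byte_test: alert when the 2-byte big-endian length field at
# bytes 4-5 (relative offset 2 after the 2-byte magic) exceeds 1024.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( \
    msg:"EXAMPLE hypothetical protocol: length field over 1024"; \
    flow:to_server,established; \
    content:"|CA FE|"; depth:2; \
    byte_test:2,>,1024,2,relative; \
    classtype:protocol-command-decode; sid:1000002; rev:1; \
)

# 2.0.0 byte_jump: read the 2-byte name length at relative offset 2, skip
# that many bytes of name, then alert if the byte right after the name is
# the reserved type code 0xFF. distance/within keep the second content
# match relative to where byte_jump left the detect pointer (the doe_ptr
# handling touched in 2.0.3).
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 ( \
    msg:"EXAMPLE hypothetical protocol: reserved type code after name"; \
    flow:to_server,established; \
    content:"|CA FE|"; depth:2; \
    byte_jump:2,2,relative; \
    content:"|FF|"; distance:0; within:1; \
    classtype:protocol-command-decode; sid:1000003; rev:1; \
)

# 2.0.2 thresholding and suppression, keyed on generator/signature id
# (gen_id 1 is the rules engine). Limit sid 1000001 to one alert per
# source address per minute; never alert on sid 1000002 from 192.0.2.10.
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 1000002, track by_src, ip 192.0.2.10
```

The standalone threshold and suppress lines refer to rules by gen_id/sig_id, so they must come after the rule (or include) that defines the sid; the same limit can instead be written inside a rule as a threshold: option when it should ship with the signature itself.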
salo
c8f8e606df Update to version 2.0.2.
Patch from Adrian Portelli via PR pkg/22900.

Changes:

- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
2003-09-23 15:43:50 +00:00
salo
6ecd356afd Updated to version 2.0.1.
Changes:

- fix host endianness problem in udp decoder
- vlan decoding fixes from Michael Pomraning
- add tcp state checking to httpflow
- ignoring bad checksums throughout snort if checksumming is turned on
- config disable_ttcp_alerts is now also config disable_tcpopt_ttcp_alerts
- better initialization handling of low memory conditions pointing to the
  low memory search engine
- byte_jump / byte_test 2 byte cases handled and unified
- correctly assign port numbers on tcpoption events
- pass rule logic changed to "win" in specific multiple event cases
- named interface support for win32 from the winpcap folks
- spp_bo now also will work with log-only output plugins
- added window detection plugin documentation to manual
- lots of new rules and tons of rule documentation
2003-07-26 11:13:16 +00:00
grant
ca3be631f2 s/netbsd.org/NetBSD.org/ 2003-07-17 22:50:55 +00:00
salo
f926ba83a1 Bump PKGREVISION: honour PKG_SYSCONFDIR for real. (I thought I fixed this
before but apparently I did not :/)
2003-04-16 15:51:22 +00:00
salo
8dd2d2ad1d Updated to version 2.0.0.
IMPORTANT: This version fixes a remotely exploitable heap overflow in the stream4
           preprocessor module.

Advisory:  http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

Changes:

2.0.0:
======
- Enhanced high-performance detection engine
- Stateful Pattern Matching
- New detection keywords: byte_test & byte_jump
- The Snort code base has undergone an external third party professional
  security audit funded by Sourcefire (http://www.sourcefire.com)
- Many new and updated rules
- snort.conf has been updated
- Enhancements to self preservation mechanisms in stream4 and frag2
- State tracking fixes in stream4
- New HTTP flow analyzer
- Enhanced protocol decoding (TCP options, 802.1q, etc)
- Enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc)
- Enhanced flexresp mode for real-time TCP session sniping
- Better chroot()'ing
- Tagging system updated
- Several million bugs addressed....
- Updated FAQ (thanks to Erek Adams and Dragos Ruiu)

Snort 2.0 can be downloaded at http://www.snort.org/dl/snort-2.0.0.tar.gz.
Binary versions of the codebase will be built over the next several days and
made available here.

2.0.rc4:
========
- byte_jump/byte_test don't force relative content options
- byte_jump/byte_test absolute offsets work
- Better FIN handling in Stream4

2.0.rc3:
========
- A low memory usage detection method (enabled via "config detection:
  search-method lowmem")
- Moved the default unix socket location to LOGDIR

2.0.rc2:
========
- syslog should work on win32 and unix
- major tagging updates
- new UDP decoding alerts
- snort.conf updates

2.0.rc1:
========
- Higher performance (due to a new pattern matcher and rebuilt detection
  engine)
- Better decoders
- Enhanced stream reassembly and defragmentation
- Tons of bug fixes
- Updated rules
- Updated snort.conf
- New detection keywords (byte_test, byte_jump, distance, within) &
  stateful pattern matching
- New HTTP flow analyzer
- Enhanced anomaly detection (HTTP, RPC, TCP, IP, etc)
- Better self preservation in stateful subsystems
- Xrefs fixed
- Flexresp works faster and more effectively
- Better chroot()'ing
- Fixed 802.1q decoding
- Better async state handling
- New alerting option: -A cmg!!
2003-04-16 06:37:19 +00:00
salo
974cf2e158 Updated to version 1.9.1.
This version fixes the buffer overflow issue noted in:

  http://www.kb.cert.org/vuls/id/916785

Changes:

 - follow PKG_SYSCONFDIR
 - added rc.d script
 - create own user and group
 - added MESSAGE with post-install instructions
 - removed DEINSTALL
 - minor cleanups (this package was really half-baked..)

1.9.1:
======
 - src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
	- alignment errors on non-x86 platforms
	- added new space delimited options
	  alert_fragments
	  no_alert_multiple_requests
	  no_alert_large_fragments
	  no_alert_incomplete
 - corrected buffer overflow in fragment normalization
 - src/snort.c
	- Win32 '-s' parameter wasn't configured to accept an optarg,
	  but code expected one, causing null-pointer violation.
 - Backport of 2.0 fixes for stream4 ( off by one errors on reassembly )
2003-03-04 01:02:25 +00:00
tron
39a943ad92 Replace "true" by "${TRUE}". 2002-12-09 16:01:10 +00:00
wiz
b8de028caa COMMENT should be set in Makefile, not any common Makefile parts. 2002-11-09 13:43:48 +00:00
hubertf
9a9c836482 Update snort to 1.9.0. Changes:
Lots of new rules, extended analyzing of packages etc.

Fixes PR 18637 by Adrian Portelli <adrianp@stindustries.net>
2002-10-13 04:42:12 +00:00
wiz
eb1999c37d Use BUILDLINK_PREFIX.libpcap. 2002-10-10 12:28:24 +00:00
wiz
cb16668c4c buildlink1 -> buildlink2. 2002-10-10 12:23:05 +00:00
wiz
ddabe6af97 Remove libpcap buildlink.mk inclusion -- it's included in all the files that
include this file.
2002-10-10 12:20:23 +00:00
wiz
c7932517a1 Update to 1.8.7, prompted by Mipam.
Changes:
The main purpose of this release is a stable target with many fragroute
and tcp connection oriented fixes.  This is also the last release of the
1.8.7 line and signals the start of the beta cycle for the 1.9 branch.
2002-07-15 14:41:26 +00:00
rh
9935573961 Remove SNORT_USE_PGSQL option. This will be split out into a separate
package.  For that purpose, move most of Makefile into a new
Makefile.common.
2002-04-15 08:31:14 +00:00
rh
2842fc1305 Add a SNORT_USE_PGSQL option to compile in PostgreSQL support (and add
the appropriate dependency).  Patch provided by ww@GROOVY.NET
2002-04-14 09:49:46 +00:00
rh
843bf5a7ba Update snort to 1.8.6. Patch provided in private mail by Mipam
<mipam@ibb.net>.  From the release notes:

    1.8.4 and 1.8.5 both had bugs that were found right as we were ready
    to do a full release and represented good midway points but 1.8.6
    should be the stable target.

Changes include:
  * The ICMP decoders have been rewritten.
  * (This is a summary of recent changes -- not all mine)
  * Fixed stream4 offset initialization
  * Double Open of snort log file
  * Lots of new rules
  * Fatal error on problems other than -> and <>
  * Fixed stream4 several low memory conditions
  * Error checking in stream4/frag2 argument parsing
  * snort-db schema updates to 1.05
  * --with-pcap-includes should now look at specified pcap
  * packet statistics now should be more accurate with regards to lost
    frags
  * double PID file write
  * S4 alignment problems on SPARC fixed ( rpc_decode still has SPARC
    alignment errors )
  * new snmptrap code
  * documentation updates
  * Stability fixes in frag2
  * SEQ / ACK checking should be correct
  * Reassembled packets with stream4 will now also be inspected when
    using -z est
  * ip fragments are now calculated correctly
  * rule headers correctly matched
    ( multiple CIDR performance greatly increased )
2002-04-10 22:01:10 +00:00
rh
49eb8b5659 Update snort to 1.8.4 (update was provided by Mipam <mipam@ibb.net> in a
private mail -- thanks!)

Changes are:
	* Fixed stream4 offset initialization
	* Double Open of snort log file
	* Lots of new rules
	* Fatal error on problems other than -> and <>
	* Fixed stream4 several low memory conditions
	* Error checking in stream4/frag2 argument parsing
	* snortdb schema updates to 1.05
	* --with-pcap-includes should now look at specified pcap
	* packet statistics now should be more accurate with regards to
	  lost packets
	* double PID file write
	* S4 alignment problems on Sparc fixed
	* new snmptrap code
	* documentation updates
	* Stability fixes in frag2
2002-04-02 21:34:08 +00:00
hubertf
9046bc90b7 add leftovers 2002-03-29 01:05:46 +00:00
jmc
f9cf2febd0 Add powerpc/macppc support 2002-03-13 08:20:18 +00:00
skrll
08bdd44549 mkdir -> ${MKDIR}
rmdir -> ${RMDIR}
rm -> ${RM} (${RM} added to PLIST_SUBST)
chmod -> ${CHMOD}
chown -> ${CHOWN}
2002-02-15 10:12:28 +00:00
agc
a3c645a3eb Normalise all the uses of "wheel", and "root" for ${ROOT_GROUP}, now that
the definition is available in all the defs.${OPSYS}.mk files.
2001-12-05 16:03:56 +00:00
kleink
86465690a4 Update snort to 1.8.3; changes since 1.8.2 include:
Major repairs include a fix to frag2 on Linux platforms, the icmp
decoder and printout routines were updated to match the data
structures that I implemented in 1.8.1 and the flexresp code was
repaired and should now be faster, plus the usual rule updates.  I
also added a new "-B" command line switch to convert IP addresses
in a pcap file to a new specified IP subnet addresses.
2001-12-02 14:43:49 +00:00
kleink
ad1ab47c7b Update snort to 1.8.2; changes since 1.8.1 include:
* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting
  a signal
* fixed PID path generation code, PID files go in the right place
  now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which
  causes all buffered packets in the stream reassembler for that
  session to be logged in the event of an event on that stream
  (must be used in conjunction with spo_log_tcpdump)
* added packet precaching for flexresp TCP packets, responses
  should be generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system
2001-11-28 13:44:51 +00:00
hubertf
121139a0b5 Only use DLT_PPP_{SERIAL,ETHER} on systems that actually have it
(i.e. on 1.5 and up). (I *love* digging such stuff out of CVS
logs...)

Requested by wiz in private mail.
2001-11-07 03:03:05 +00:00
zuntum
d038a73ebd Move pkg/ files into package's toplevel directory 2001-10-31 22:52:58 +00:00
wiz
d6524cf3f5 Use libpcap buildlink.mk instead of OS test. By Stoned Elipot from pkg/13928. 2001-09-11 16:12:56 +00:00
abs
8d04d4c878 At least depend on the right version of pcal for SunOS or Linux. 2001-08-24 11:43:47 +00:00
hubertf
3678eadbb6 Upgrade snort to 1.8.1. Changes:
* SNMP alerts
* IDMEF XML output (the Silicon Defense plugin is integrated into
  the main codebase now)
* Limited regex support in the rules language
* New packet counters for stream4 and frag2
* New normalization mode for http_decode
2001-08-22 18:07:50 +00:00
wiz
70a8917220 regen 2001-08-22 10:31:07 +00:00
hubertf
4629a9f636 Teach snort about our DLT_PPP_* 2001-08-22 01:20:26 +00:00
itojun
e1d55fb7ab upgrade to 1.8p1.
for list of changes, see http://www.snort.org/snort-files.htm
default rule files are now named *.rules, not *-lib.
2001-08-03 06:35:11 +00:00
wiz
433b62957e Move to sha1 checksum, and/or add distfile sizes. 2001-04-21 11:23:08 +00:00
agc
bbc67fac91 + move the distfile digest/checksum value from files/md5 to distinfo
+ move the patch digest/checksum values from files/patch-sum to distinfo
2001-04-17 11:53:33 +00:00
wiz
28eeb60ba5 Update to 1.7, provided by Mipam in private mail.
Changes: lots of bugfixes, many new plugins, SPADE (statistical anomaly
detector), and more.
2001-02-26 20:43:27 +00:00
wiz
a13ea108bb Update to new COMMENT style: COMMENT var in Makefile instead of pkg/COMMENT. 2001-02-17 17:52:59 +00:00
rh
589043a29f Update snort to 1.6.3.2. Notable changes include:
Fixes and additions:

   * Fixed compilation problems on all non-BSD operating systems
   * Added better configuration support for locating libpcap
   * Fixed ICMP ping packet id/sequence printouts
   * Made allowances for 64-bit machines in the decoders
   * Updated the portscan detector to the latest version
   * Disabled the defragmenter by default (in the rules file)
   * Added a patch from Dave Dittrich to make daemon mode alerts
	filenames conform to the data in the documentation
   * Revamped the ICMP data structures to mimic those found in *BSD
	and provide for higher fidelity decoding/printout in the future
   * Repaired the output plugins so that they operate properly now
   * For the record, the payload dump conforms to the length of the IP
	datagram now and does not show pad bytes added by the minimum
	Ethernet frame size
   * Applied Chris Cramer's byte ordering patch to the flexresp code

Other updates and changes since version 1.6:

   * New preprocessor plugin: IP defragmentation!!
   * New output plugins cover all old logging and alerting options
   * New output plugin now logs to MySQL, PostgreSQL, unixODBC databases
   * Updated portscan detection functionality
   * Added quote removal for most plugin parsers
   * -C crash bug fixed
   * PID/PATH_VARRUN file fixes
   * Converted many putc(3) calls to fputc(3) for portability
   * Transport layer decoders use ip_len field for length metric now
   * String tokenizer code modified for more reliable operation
   * Fixed flexible response code sequence prediction
   * Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all
	platforms
   * Set automake options so that people don't need gmake anymore to
	build Snort on BSD systems
   * Fixed SMB alert code large tmp file hole
   * Added sigsetmask code to fix SIGHUP weirdness
   * Added execvp option for SIGHUP restart code
   * Added ARP header printout validation
   * Added Session logging file integrity checking
   * Added -u/-g setuid/gid capability switches
   * Added -O IP address obfuscation switch
   * Added -t chroot switch
   * Fixed non-TCP/UDP/ICMP transport layer decoding & logging
   * Fixes and additions to the portscan preprocessor
   * Fixed Tru64 u_int* type declarations
   * Added check for pcap.h into configuration script
   * Fixed timeval problems on Linux boxen
   * Database logging plugin has been modified extensively, see the
	www.incident.org website for more information
   * Switched TCP flags printout routine to ensure proper RFP output
	scan output. ;)
   * Fixed default log/alert function code so that these functions are
	never NULL
2000-12-27 10:08:35 +00:00
wiz
a4f3b12d25 Update checksum, distfile seems to have changed. Fixes pkg/9892. 2000-05-28 10:33:52 +00:00
agc
6b303b113f Upgrade snort to version 1.6. Changes since version 1.5.1 include:
New features:
* Token Ring and FDDI decoder support
* Snort ported to Tru64/Alpha, IRIX 6.X, and AIX
* Output plugins added (modular output system)
* John Wilson greatly improved the speed of the content pattern matcher
* Added FlexResp (active response) plugin from Christian Lademann
* Snort man page now ships with the distribution
* Snort now generates a PID file for easier integration with scripting
* Added support for "stealthed" network interfaces

New command line switches:
* -q => quiet mode (no stdout printing)
* -C => print payload ASCII content only
* -P => set explicit snaplen for packet collection

Plugins:
* Added Postgres SQL DB logging output module from Jed Pickel
* Added portscan detection plugin from Patrick Mullen
* HTTP decode preprocessor largely rewritten and much more accurate
* Minfrag rule moved to preprocessor module
* Added ICMP ECHO ID check plugin
* Added ICMP ECHO sequence check plugin
* Added RPC analysis plugin from Mark Hindess
* Added IP option analysis plugin
* Added nocase plugin (makes content rules work with case insensitivity)
* Added syslog output module with user definable syslog facility
* Added tcpdump output module

(and building without patches on Solaris).
2000-03-20 12:03:45 +00:00
rh
c5bbb18156 Update snort to 1.5.1
Changes are:
        * fixed a problem with pass rules not being applied properly
        * fixed a #include ordering statement for Slackware 4.0 installs
        * fixed banner output for the -V option
        * Token Ring decoding is now fully functional
        * Added packet buffer cleanup code to all protocol decoders
        * fixed a problem with improper TCP option output
        * Added a Snort man page
2000-02-04 16:18:01 +00:00
agc
353916ddfa Make this package work on Solaris. 2000-02-02 12:06:15 +00:00
wiz
553049dd6d update snort to 1.5; added distribution sites, install example configs.
From the Readme:
Version 1.5 adds major new functionality!  Detection and preprocessing plugins,
session logging, rules file variables and includes, five new network layer
decoders including ISDN and Token Ring support, new detection functionality,
and a bunch of other cool stuff.
2000-01-15 21:58:29 +00:00
abs
df05aef71f Strip trailing '.', and/or leading '(a|an) ' 2000-01-05 15:37:50 +00:00
rh
640cc42269 Initial import of snort-1.2.1, a libpcap-based packet sniffer/logger. 1999-09-10 15:48:02 +00:00