Commit graph

50 commits

Author SHA1 Message Date
nils
f4a51def66 Upgraded to version 2.9.9.0.
This is a HUGE bump, so look at the changelog on the Snort website!
For example, Snort does not natively handle MySQL anymore.

As for the pkgsrc changes:
- updated deps (net/daq);
- updated config files;
- updated MASTER_SITE;
- some substitution to handle pkgsrc paths;
- updated compile options.
2017-06-15 18:27:50 +00:00
agc
203292f73e Add SHA512 digests for distfiles for net category
Problems found with existing digests:
	Package haproxy distfile haproxy-1.5.14.tar.gz
	159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
	da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]

Problems found locating distfiles:
	Package bsddip: missing distfile bsddip-1.02.tar.Z
	Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
	Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
	Package djbdns: missing distfile djbdns-cachestats.patch
	Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
	Package gated: missing distfile gated-3-5-11.tar.gz
	Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
	Package poink: missing distfile poink-1.6.tar.gz
	Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
	Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
	Package waste: missing distfile waste-source.tar.gz

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 00:34:51 +00:00
jperkin
2701daa925 Sun's ar needs at least one symbol in a library.
Fixes SunOS build.
2013-02-22 12:05:34 +00:00
gdt
b8f0ec33c9 Update to 2.8.5.1, to resolve a security issue.
Upstream NEWS is weak; release notes for 2.8.5.1 follow.

[*] Improvements
   * Fixed syslog output when running on Windows.

   * Fixed potential segfault when printing IPv6 packets using the -v option.
     Thanks to Laurent Gaffie for reporting this issue.

   * Fixed segfault when additional policies were added during a configuration
     reload.
2011-04-01 16:48:36 +00:00
adrianp
08439b6b5e Update to 2.8.3.1
* Update rule latency thresholding
* The flow and stream4 preprocessors will be deprecated in a future release.
* DCE/RPC preprocessor changes to handle abnormal TCP segmentation.
  Added option to reassemble fragmentation buffers early.  Updated
  documentation.
* Fixed handling of MPLS label in checking Stream session uniqueness
  when IPv4 packets are received and build is IPv6.
See the ChangeLog for all the details
2008-10-25 18:35:19 +00:00
adrianp
e23ee51ffc Set MAKE_JOBS_SAFE=NO
Fix non-priv'ed builds which should fix PR 39260

2008-07-24 - Snort 2.8.2.2
[*] Improvements
    * Fix issue with evaluating PCRE rule options with /U modifier that
      are followed by a relative content rule option.

    * Fix issue with dsize range check.

2008-06-12 - Snort 2.8.2.1
[*] Improvements
    * Fix support for pass rules that sometimes did not take precedence
      over alert and/or drop rules.
2008-08-03 19:30:16 +00:00
joerg
291f070901 Use stdbool.h instead of defining bool manually.
Fixes issues e.g. on NetBSD where bool is defined by system headers.
2008-06-21 21:44:21 +00:00
adrianp
1b4721f323 Update to 2.8.1
Includes fix for CVE-2008-1804

[*] New Additions
* Target-Based support to allow rules to use an attribute table
  describing services running on various hosts on the network.
  Eliminates reliance on port-based rules.
* Support for GRE encapsulation for both IPv4 & IPv6.
* Support for IP over IP tunneling for both IPv4 & IPv6.
* SSL preprocessor to allow ability to not inspect encrypted traffic.
* Ability to read multiple PCAPs from the command line.
* Support for new CVS rule detection options.

[*] Improvements
* Update to HTTP Inspect to identify overly long HTTP header fields.
* Updates to IPv6 support, including changes to avoid namespace
  conflicts for certain Operating systems.
* Updates to address issues seen on various Sparc platforms.
* Stricter enforcement of shared object versions to avoid API
  conflicts.
2008-05-25 23:49:07 +00:00
adrianp
3e87a878b2 Update to 2.8.0.1
[*] Improvements
* Updates to build with new versions of libPCRE.
* Fix Stream5 debugging output to actually compile and have correct output
  for normal & IPv6 enabled builds.
* Correct perfmonitor statistic calculation for pattern matcher percentage.
2008-01-06 00:28:44 +00:00
adrianp
a2b8769b99 Update to 2.8.0
* Port lists
* IPv6 support
* Packet performance monitoring
* Experimental support for target-based stream and IP frag reassembly
* Ability to take actions on preprocessor events
* Detection for TCP session hijacking based on MAC address
* Unified2 output plugin
* Improved performance and detection capabilities
2007-10-21 00:22:53 +00:00
adrianp
87761da3f5 Update to 2.7.0.1
Fixed header files to avoid conflicts with system files on BSD for
IPv6 data structures.
Added code to prevent URI-related alerts from firing when the
body is being normalized.
Make Stream5 the default stream engine.
Add alert for multiple GRE encapsulations.
Added ability for Snort to track fragmented ICMPv6 to check for the
remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).
Code cleanup, change malloc/calloc to SnortAlloc, use safer functions
SnortSnprintf, SnortStrncpy, etc.  Check pointers before use.
Additional updates for bounds checking.

And many more . . . check the ChangeLog for all the details
2007-08-20 20:28:18 +00:00
adrianp
20aab0d59e Update to 2.6.1.5
Snort v2.6.1.5 includes:
* A new http_post rule keyword used to search for content in normalized
  HTTP posts
* A fix for a potential memory leak when generating HTTP Inspection events

Snort v2.6.1.4 includes detection functionality for a BSD IPv6 fragmentation
overflow, and addresses a number of potential security-related issues in
Snort as reported by customers, uncovered by internal investigations, and
through third-party code audits.
2007-05-18 22:20:09 +00:00
joerg
800393454c Kill a useless, unportable check. 2007-02-20 17:29:36 +00:00
adrianp
e62c23b0b4 Update to 2.6.1.3
* src/dynamic-preprocessors/Makefile.am:
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
* src/dynamic-preprocessors/dcerpc/dcerpc.c:
Add bounds checking to ReassembleSMBWriteX; use Safememcpy for calculated
length buffer copies.
2007-02-19 19:40:35 +00:00
adrianp
8588663438 Update to snort 2.6.1.2
2.6.1 provides new functionality including the following:

* New pattern matcher with a significantly reduced memory footprint
* Introduction of stream5 for experimental use
* Improvements to stream4, including UDP session tracking and optimizations for the reassembly buffer
* Handling for reassembly of SMB fragmented data in DCE/RPC
* An ssh preprocessor for experimental use
* Updated Snort decoder that can decode GRE encapsulated packets
* Output plugin to allow Snort to configure Aruba access control

Snort 2.6.0:
* Tcp stream properly reassembled after failed sequence check, which may lead to possible detection evasion.
* Added configurable stream flushpoints.
* Improved rpc processing.
* Improved portscan detection.
* Improved http request processing and handling of possible evasion cases.
* Improved performance monitoring.

The Snort 2.6 release also introduces the ability to use dynamic rules and dynamic preprocessors and contains further improvements to the Snort detection engine.

Remove snort-{pgsql,mysql,prelude}. The new snort package uses options.mk
to specify build options.
2007-02-17 19:08:05 +00:00
adrianp
5ecf126456 Update to 2.4.5
These releases have better performance, numerous new features and
incorporate many bug fixes. Notable bug fixes and improvements include:

* Tcp stream properly reassembled after failed sequence check,
  which may lead to possible detection evasion.
* Added configurable stream flushpoints.
* Improved rpc processing.
* Improved portscan detection.
* Improved http request processing and handling of possible
  evasion cases.
* Improved performance monitoring.
2006-06-06 18:51:52 +00:00
adrianp
df223db62c Update to 2.4.4
This includes the fix for:
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0839
> +2006-02-20 Steven Sturges <ssturges@sourcefire.com>
> +    * src/preprocessors/spp_frag3.c:
> +    * configure.in:
> +      Fix ip options handling.  Thanks to Vyacheslav Burdjanadze for
> +      finding the issue.
> +
> +2006-01-09 Steven Sturges <ssturges@sourcefire.com>
> +    * src/sfutil/mwm.c:
> +      Fixed bug with multiple recurring patterns in Wu-Manbher implementation.
> +      Thanks to Evan Stawnyczy for pointing it out an Marc Norton for the
> +      fix.
> +    * src/parser/IpAddrSet.c:
> +      Fixed problem with parsing conf file and rules when DNS is not working.
> +      Thanks Martin Olsson for mentioning this and testing the fix.
> +    * src/preprocessors/spp_perfmonitor.c:
> +    * src/preprocessors/perf-base.c:
> +      Handle wrapping on 64-bit platforms
> +
> +2005-11-17 Andrew Mullican <amullican@sourcefire.com>
> +    * src/sfutil/sfxhash.c:
> +    * src/preprocessors/portscan.c:
> +      Add tracker without using bogus data, to avoid internal buffer overrun.
> +      Thanks Sandro Poppi for the find.
> +
> +2005-11-11 Steven Sturges <ssturges@sourcefire.com>
> +    * src/snort.c:
> +      Allow value of 0 to be used with -G flag
> +    * src/preprocessors/spp_bo.c:
> +      Code Cleanup
> +    * src/preprocessors/spp_frag3.c:
> +      Fix memory leak and mishandling of IP Options.  Thanks Yin
> +      Zhaohui for the find.
2006-03-09 09:37:44 +00:00
joerg
fa3a5ce6cb Fix errno. 2006-02-16 20:45:51 +00:00
adrianp
267c5d32ad Update to snort 2.4.3
- Fixed potential buffer overflow in BackOrifice preprocessor and
  added an alert on attempt to overflow buffer in snort.  Thanks
  Andy Mullican for the fix.
2005-10-18 15:15:04 +00:00
adrianp
cfef221d76 Update to 2.4.2
- don't try to actually open the log file when in test mode
- Fixes to address schema being a keyword in MySQL 5.0
2005-10-11 20:53:22 +00:00
adrianp
d790f32cfe Update snort to 2.4.1
From the ChangeLog:
> 2005-09-16 - Snort 2.4.1 Released
> [*] New additions
>     * Added a -K command line option to manually select the logging mode using
>       a single switch.  The -b and -N switches will be deprecated in version
>       2.7.  Pcap logging is now the default for Snort at startup, use "-K ascii"
>       to revert to old behavior.
>
> [*] Improvements
>     * Win32 version now supports winpcap 3.1 and MySQL client 4.13.
>     * Added event on zero-length RPC fragments.
>     * Fixed TCP SACK processing for text based outputs that could result in a
>       DoS.
>     * General improvements to frag3 including Teardrop detection fix.
>     * Fixed a bug in the PPPoE decoder.
>     * Added patch for time stats from Bill Parker.  Enable with configure
>       --enable-timestats.
>     * Fixed IDS mode bailing at startup if logdir is specified in snort.conf
>       and /var/log/snort doesn't exist.
>     * Added decoder for IPEnc for OpenBSD.  Thanks Jason Ish for the patch
>       (long time ago) and Chris Kuethe for reraising the issue.
>     * Allow snort to use usernames (-u) and groupnames (-g) that include
>       numbers.  Thanks to Shaick for the patch.
>     * Fixed broken -T option.
>     * Change ip_proto to ip for portscan configuration.  Thanks David Bianco
>       for pointing this out.
>     * Fix for prelude initialization.  Thanks Yoann Vandoorselaere for the
>       update.
>     * For content matches, when subsequent rule options fail, start searching
>       again in correct location.
>     * Updated Win32 to handle pflog patch.
>     * Added support for new OpenBSD pflog format.  Older pflog format,
>       OpenBSD 3.3 and earlier is still supported.  Thanks Breno Leitao
>       and Christian Reis for the patch.
>     * Added statistics counter for ETH_LOOPBACK packets.  Thanks rmkml
>       for the patch.
2005-09-20 18:01:26 +00:00
adrianp
981f7d7d52 Add patch from snort CVS to address a security issue:
http://secunia.com/advisories/16786/
Whitespace police on MESSAGE
Bump to nb1
2005-09-14 12:46:52 +00:00
adrianp
8ab84e9d39 Update snort to 2.4.0
If you are using this package make note of the distribution change
mentioned below.  I have updated the MESSAGE to inform users of this and
there is now also a net/snort-rules package with the community rules.

> [*] Distribution Change
>     * Rules are no longer distributed as part of the Snort releases, they are
>       available as a separate download from snort.org.  This was done for
>       three reasons:
>         1) To better manage the new rules licensing.
>         2) To reduce the size of the engine download.
>         3) To move the thousands of documentation files for the rules into
>            the rules tarballs.  If you've ever checked Snort out of CVS you'll
>            know why this is a Good Thing.
>
> [*] New additions
>     * Added new IP defragmentation preprocessor, Frag3. The frag3 preprocessor
>       is a target-based IP defragmentation module, and is intended as a
>       replacement for the frag2 module.  Check out the README.frag3 for full
>       info on this new preprocessor.
>
>     * Libprelude support has been added (enable with --enable-prelude).
>       Thanks Yoann Vandoorselaere!
>
>     * An "ftpbounce" rule detection plugin was added for easier detection of
>       FTP bounce attacks.
>
>     * Added a new Snort config option, "ignore_ports," to ignore packets
>       based on port number.  This is similar to bpf filters, but done within
>       snort.conf.
>
> [*] Improvements
>     * Snort startup messages printed in syslog now contain a PID before each
>       entry. Thanks Sekure for initially bringing this up.
>
>     * Stream4: Performance improvements.
>
>     * Stream4: Added 'max_session_limit' option which limits number of
>       concurrent sessions tracked.  Added favor_old/favor_new options that
>       affect order in which packets are put together for reassembly.
>
>     * Stream4: New configuration options to manage flushpoints for improved
>       anti-evasion.  The flush_behavior option selects flushpoint management
>       mode.  New flush_base, flush_range, and flush_seed manage randomized
>       flushing.  Check out the snort.conf file for full config data on the
>       new flush options.
>
>     * Added two more alerts for BackOrifice client and server packets. This
>       allows specific alerts to be suppressed.
>
>     * PerfMon preprocessor updated to include more detailed stats for rebuilt
>       packets (applayer, wire, fragmented & TCP). Also added 'atexitonly'
>       option that dumps stats at exit of snort, and command line -Z flag to
>       specify the file to which stats are logged.
>
>     * Added new Http Inspect config item, "tab_uri_delimiter," which if
>       specified, lets a tab character (0x09) act as the delimiter for a URI.
>
>     * Added a '-G' command line flag to snort that specifies the Snort
>       instance log identifier. It takes a single argument that can be either
>       hex (prefaced with 0x) or decimal. The unified log files will include
>       the instance ID when the -G flag is used.
>
>     * "Same SRC/DST" (sid 527) and "Loopback Traffic" (sid 528) are now
>       handled in the IP decoder. Those sids are now considered obsolete.
>
>     * Http_Inspect "flow_depth" option now accepts a -1 value which tells
>       Snort to ignore all server-side traffic.
>
>     * RPMs have been updated to be more portable, and also now include a
>       "--with inline" option for those wanting to build Inline RPMs. Thanks
>       Daniel Wittenberg and JP Vossen for your help!
>
>     * Many, many bug fixes have also gone into this release, please see the
>       ChangeLog for details.
2005-08-13 19:56:47 +00:00
adrianp
3dee82540a - Update snort to 2.3.3
- Fix /var => ${VARBASE}
- Changes Include:
> * Issues with suppressing sfPortscan Open Ports have been fixed.
>
> * Added a new mini-preprocessor to catch the X-Link2State
>   vulnerability.  This preprocessor can be configured to drop the
>   offending connection when in Inline-mode. Please read snort.conf or
>   the snort manual for more details.  This preprocessor is enabled by
>   default in snort.conf.
2005-04-27 18:36:25 +00:00
adrianp
4d11577321 - Update snort from 2.3.0 -> 2.3.2
2005-03-10 - Snort 2.3.2 Released

* Removed end-of-line parser fix in favor of completely reworking
  this at the next parser overhaul.

2005-03-09 - Snort 2.3.1 Released

* Fixed issue where the number of flowbits were too small. Thanks Marc
  Norton for the fix.

* Fixed parsing of comments at end of line in config file.  In
  snort.conf, anything that follows a # on a line is considered a
  comment. Thanks Steve Sturges for the fix.

* Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX.
  Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and
  Jonathan Miner for working with us on this.
2005-03-25 18:28:28 +00:00
agc
b12d62efb5 Add RMD160 digests. 2005-02-24 12:13:41 +00:00
taca
5f20232d33 Update distinfo for snort-2.3.0. 2005-01-29 03:27:58 +00:00
adrianp
6c9528f437 - Update snort to 2.2.0
- ok'ed snj@, wiz@
- Install database scripts, which goes part-way to addressing PR 18996

Updated database schema diagram from Chris Reid. Schema can be found in
./doc/snort_schema_v106.pdf
Added --include-pcre* configuration option to help cross compiling. Thanks
Erik de Castro Lopo.
Fixed thresholding/suppression issue with queuing multiple events per packet.
Thanks Andreas Ostling.
When a rebuilt stream causes an alert, log out the original packets instead of
the rebuilt packet. Thanks sekure@gmail.com for the report.
Turned off http_inspect alerts that were causing false positives in the preset
webserver profiles (Thanks Dan Roelker).
Turn off encoding alerts in HTTP parameter field. The parameter field is still
normalized, it just doesn't alert. This helps reduce alerts that are generated
from complex parameter queries (Thanks Dan Roelker).
Fixed memory leak in "fast" output. Thanks for your bug report
sekure@gmail.com.
Clear error code which under Windows was causing a subsequent false failure in
parsing threshold rules. (Thanks to Rich Adamson)

Further details can be found in Changelog and RELEASE.NOTES.
2004-09-21 15:50:26 +00:00
adrianp
50d878d662 - Upgrade snort to 2.1.3
- Grab maintainership of the package (with ok of previous owner)
- Use SUBST_* code

Ok'ed wiz@, snj@, salo@

From the changelog:

2004-05-06 Daniel Roelker <droelker@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c:
      Fixed rule read up error when parsing hexmode content options.
      Thanks for pointing it out Toni Maatta.  (Roelker)

    * src/preprocessors/spp_stream4.c:
       Fixed null pointer dereference when detect_scans were enabled and
       creating a new session that had funky flags.  Thanks to Chad
       Kreimendahl for reporting the bug and testing the fix.  (Roelker)

2004-04-20 Daniel Roelker <droelker@sourcefire.com>

    * src/event_queue.c:
    * src/event_queue.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
      Added multi-event queueing in Snort.  Snort now supports logging
      multiple events per packet, and prioritizing those events using
      different methods.  Thanks to H.D. Moore for illustrating event
      obfuscations when snort only logged one event per packet. (Roelker)

    * src/snort.c:
    * src/decode.c:
    * src/detect.c:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream4.c:
      Updated event generators to use new event queueing system.  (Roelker)

    * src/output-plugins/spo_alert_fast.c:
      Added newline to 'cmg' alert output, so IP decode is easier to
      read.  (Roelker)

    * src/output-plugins/spo_database.c:
      Updated how current/utc times are calculated, as well as how they are
      formatted, thanks Marcus Janoski.  (Reid)

    * src/parser.c:
      Error on unterminated IP lists.  Added 'config event_queue' parameter.
      Configuration changes to 'config checksum_mode' for specifying
      which checksums to do.  (Norton)

    * src/plugbase.h:
      Fixes from Chris Reid for timestamp routines.  (Reid)

    * src/tag.c:
      Revert to old tag functionality.  Will add proposed tagging
      configurations in the future.  (Roelker)
2004-07-01 17:10:22 +00:00
snj
afea2fbd9d Update to snort-2.1.2. From Adrian Portelli in PR pkg/25029.
While here, convert to buildlink3.

Changes:
* Various portability fixes.
* Fixed conversation parsing faults so users can operate this
  preprocessor
* Detect non-rfc standard chunk encodings.  Detect abnormal HTTP
  requests with newlines, spaces, etc. before the request method.
* Fix negative stats output on snort exit or SIGUSR1.
* Removed escaping of '%' and '_' characters in MySQL
* Various documentation fixes/updates.
* Added Flowbits detection functionality.
* Added utility to parse out perfmon stats.
* Tagged Packets no longer have NULL msg name.
* Fixed http_inspect double alerting on pkts and rebuilt streams.
* http_inspect proxy_alert now supports normal proxy networks setups.
  http_inspect default server only valid if specified in config.
* Close Socket when Snort receives SIGHUP.
* Added GID, SID, and Rev to csv output.
* config chroot readded.
* Added additional error checking for custom rules.
* Flow now honors -q (quiet).
* Removed non_rfc_chars from default profiles.
* Added suppression negation.
* Better support for ODBC.  Better memory management. Improved escaping
  of SQL strings.
* Other miscellaneous bugfixes.
2004-04-10 03:09:45 +00:00
kristerw
6f13a6d41f Make this package build on NetBSD 1.6. 2004-01-31 20:43:41 +00:00
salo
495195d60a Update to version 2.1.0.
Changes:

2.1.0:
======
- A new connection tracking module, Flow (replaces conversation)
- A new portscan detector based off of Flow, Flow-Portscan (replaces
  portscan2)
- A new http preprocessor, HttpInspect (replaces http_decode)
- Alert Thresholding and Suppression
- PCRE rule keyword (Perl Compat Regular Expressions)
- isdataat rule keyword (buffer length detection)
- A ton of new and updated rules.

2.0.6:
======
- 64-bit update for detection engine. (Thanks, Silio d'Angelo)
- Added better PPP decoding. (Thanks Jesper Peterson)
- Updated ip_proto optimization for high-speed detection engine.
- Fixed infinite loop problem that was introduced by the recursive pattern
  matching patch. Reported by Lawrence Reed, thanks for testing out the
  changes for us!
- Various changes to help respond (version 1) work a little better.
- spp_http_decode 64-bit patch from Dirk Mueller.
- Out-of-order ACK problem from Andrew Rucker. Also, updated stream4 to the
  most recent version from HEAD.
- Minor fixes to tagging related to 'src' and 'dst' directives
- When counting one byte patterns in 'ningroup' added a check for
  psLen==1 (wu-manber pattern matcher). Thanks Josh Sakofsky and Dennis
  McGuire for helping us test this.

2.0.5:
======
- Stream4 fixes from Andrew Rucker Jones.
- Allow memcap to be configured for threshold features.

2.0.4:
======
- Fixed a core dump introduced with 2.0.3 when dealing with negated patterns

2.0.3:
======
- doe_ptr handling in byte_test/byte_jump slightly modified to work
  better with the pcre patch
- content processing is now recursive to make distance/within processing
  better ( thanks to Shai Rubin for patch! )
- fixed a bug in the mwm.c pattern matcher that resulted in some alerts
  not firing in a particular configuration of rules

2.0.2:
======
- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
2003-12-31 14:11:42 +00:00
salo
c8f8e606df Update to version 2.0.2.
Patch from Adrian Portelli via PR pkg/22900.

Changes:

- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
2003-09-23 15:43:50 +00:00
salo
6ecd356afd Updated to version 2.0.1.
Changes:

- fix host endianness problem in udp decoder
- vlan decoding fixes from Michael Pomraning
- add tcp state checking to httpflow
- ignoring bad checksums throughout snort if checksumming is turned on
- config disable_ttcp_alerts is now also config disable_tcpopt_ttcp_alerts
- better initialization handling of low memory conditions pointing to the
  low memory search engine
- byte_jump / byte_test 2 byte cases handled and unified
- correctly assign port numbers on tcpoption events
- pass rule logic changed to "win" in specific multiple event cases
- named interface support for win32 from the winpcap folks
- spp_bo now also will work with log-only output plugins
- added window detection plugin documentation to manual
- lots of new rules and tons of rule documentation
2003-07-26 11:13:16 +00:00
salo
f926ba83a1 Bump PKGREVISION: honour PKG_SYSCONFDIR for real. (i thought i fixed this
before but apparently i did not :/)
2003-04-16 15:51:22 +00:00
salo
8dd2d2ad1d Updated to version 2.0.0.
IMPORTANT: This version fixes remotely exploitable heap overflow in the stream4
           preprocessor module.

Advisory:  http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

Changes:

2.0.0:
======
- Enhanced high-performance detection engine
- Stateful Pattern Matching
- New detection keywords: byte_test & byte_jump
- The Snort code base has undergone an external third party professional
  security audit funded by Sourcefire (http://www.sourcefire.com)
- Many new and updated rules
- snort.conf has been updated
- Enhancements to self preservation mechanisms in stream4 and frag2
- State tracking fixes in stream4
- New HTTP flow analyzer
- Enhanced protocol decoding (TCP options, 802.1q, etc)
- Enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc)
- Enhanced flexresp mode for real-time TCP session sniping
- Better chroot()'ing
- Tagging system updated
- Several million bugs addressed....
- Updated FAQ (thanks to Erek Adams and Dragos Ruiu) Snort 2.0 can be
  downloaded at http://www.snort.org/dl/snort-2.0.0.tar.gz. Binary
  versions of the codebase will be built over the next several days and
  made available at here.

2.0.rc4:
========
- byte_jump/byte_test don't force relative content options
- byte_jump/byte_test absolute offsets work
- Better FIN handling in Stream4

2.0.rc3:
========
- A low memory usage detection method (enabled via "config detection:
  search-method lowmem")
- Moved the default unix socket location to LOGDIR

2.0.rc2:
========
- syslog should work on win32 and unix
- major tagging updates
- new UDP decoding alerts
- snort.conf updates

2.0.rc1:
========
- Higher performance (due to a new pattern matcher and rebuilt detection
  engine)
- Better decoders
- Enhanced stream reassembly and defragmentation
- Tons of bug fixes
- Updated rules
- Updated snort.conf
- New detection keywords (byte_test, byte_jump, distance, within) &
  stateful pattern matching
- New HTTP flow analyzer
- Enhanced anomaly detection (HTTP, RPC, TCP, IP, etc)
- Better self preservation in stateful subsystems
- Xrefs fixed
- Flexresp works faster and more effectively
- Better chroot()'ing
- Fixed 802.1q decoding
- Better async state handling
- New alerting option: -A cmg!!
2003-04-16 06:37:19 +00:00
salo
974cf2e158 Updated to version 1.9.1.
This version fixes the buffer overflow issue noted in:

  http://www.kb.cert.org/vuls/id/916785

Changes:

 - follow PKG_SYSCONFDIR
 - added rc.d script
 - create own user and group
 - added MESSAGE with post-install instructions
 - removed DEINSTALL
 - minor cleanups (this package was really half-baked..)

1.9.1:
======
 - src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
	- alignment errors on non-x86 platforms
	- added new space delimited options
	  alert_fragments
	  no_alert_multiple_requests
	  no_alert_large_fragments
	  no_alert_incomplete
 - corrected buffer overflow in fragment normalization
 - src/snort.c
	- Win32 '-s' parameter wasn't configured to accept an optarg,
	  but code expected one, causing null-pointer violation.
 - Backport of 2.0 fixes for stream4 ( off by one errors on reassembly )
2003-03-04 01:02:25 +00:00
hubertf
9a9c836482 Update snort to 1.9.0. Changes:
Lots of new rules, extended analyzing of packages etc.

Fixes PR 18637 by Adrian Portelli <adrianp@stindustries.net>
2002-10-13 04:42:12 +00:00
wiz
c7932517a1 Update to 1.8.7, prompted by Mipam.
Changes:
The main purpose of this release is a stable target with many fragroute
and tcp connection oriented fixes.  This is also the last release of the
1.8.7 line and signals the start of the beta cycle for the 1.9 branch.
2002-07-15 14:41:26 +00:00
rh
843bf5a7ba Update snort to 1.8.6. Patch provided in private mail by Mipam
<mipam@ibb.net>.  From the release notes:

    1.8.4 and 1.8.5 both had bugs that were found right as we were ready
    to do a full release and represented good midway points but 1.8.6
    should be the stable target.

Changes include:
  * The ICMP decoders have been rewritten.
  * (This is a summary of recent changes -- not all mine)
  * Fixed stream4 offset initialization
  * Double Open of snort log file
  * Lots of new rules
  * Fatal error on problems other than -> and <>
  * Fixed stream4 several low memory conditions
  * Error checking in stream4/frag2 argument parsing
  * snort-db schema updates to 1.05
  * --with-pcap-includes should now look at specified pcap
  * packet statistics now should be more accurate with regards to lost
    frags
  * double PID file write
  * S4 alignment problems on SPARC fixed ( rpc_decode still has SPARC
  alignment errors )
  * new snmptrap code
  * documentation updates
  * Stability fixes in frag2
  * SEQ / ACK checking should be correct
  * Reassembled packets with stream4 will now also be inspected when
    using -z est
  * ip fragments are now calculated correctly
  * rule headers correctly matched
    ( multiple CIDR performance greatly increased )
2002-04-10 22:01:10 +00:00
rh
49eb8b5659 Update snort to 1.8.4 (update was provided by Mipam <mipam@ibb.net> in a
private mail -- thanks!)

Changes are:
	* Fixed stream4 offset initialization
	* Double Open of snort log file
	* Lots of new rules
	* Fatal error on problems other than -> and <>
	* Fixed stream4 several low memory conditions
	* Error checking in stream4/frag2 argument parsing
	* snortdb schema updates to 1.05
	* --with-pcap-includes should now look at specified pcap
	* packet statistics now should be more accurate with regards to
	  lost packets werwerwerwerwer
	* double PID file write
	* S4 alignment problems on Sparc fixed
	* new snmptrap code
	* documentation updates
	* Stability fixes in frag2
2002-04-02 21:34:08 +00:00
jmc
f9cf2febd0 Add powerpc/macppc support 2002-03-13 08:20:18 +00:00
kleink
86465690a4 Update snort to 1.8.3; changes since 1.8.2 include:
Major repairs include a fix to frag2 on Linux platforms, the icmp
decoder and printout routines were updated to match the data
structures that I implemented in 1.8.1 and the flexresp code was
repaired and should now be faster, plus the usual rule updates.  I
also added a new "-B" command line switch to convert IP addresses
in a pcap file to a new specified IP subnet addresses.
2001-12-02 14:43:49 +00:00
kleink
ad1ab47c7b Update snort to 1.8.2; changes since 1.8.1 include:
* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting
  a signal
* fixed PID path generation code, PID files go in the right place
  now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which
  causes all buffered packets in the stream reassembler for that
  session to be logged in the event of an event on that stream
  (must be used in conjunction with spo_log_tcpdump)
* added packet precaching for flexresp TCP packets, responses
  should be generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system
2001-11-28 13:44:51 +00:00
hubertf
121139a0b5 Only use DLT_PPP_{SERIAL,ETHER} on systems that actually have it
(i.e. on 1.5 and up). (I *love* digging such stuff out of CVS
logs...)

Requested by wiz in private mail.
2001-11-07 03:03:05 +00:00
hubertf
3678eadbb6 Upgrade snort to 1.8.1. Changes:
* SNMP alerts
* IDMEF XML output (the Silicon Defense plugin is integrated into
  the main codebase now)
* Limited regex support in the rules language
* New packet counters for stream4 and frag2
* New normalization mode for http_decode
2001-08-22 18:07:50 +00:00
wiz
70a8917220 regen 2001-08-22 10:31:07 +00:00
itojun
e1d55fb7ab upgrade to 1.8p1.
for list of changes, see http://www.snort.org/snort-files.htm
default rule files are now named *.rules, not *-lib.
2001-08-03 06:35:11 +00:00
wiz
433b62957e Move to sha1 checksum, and/or add distfile sizes. 2001-04-21 11:23:08 +00:00
agc
bbc67fac91 + move the distfile digest/checksum value from files/md5 to distinfo
+ move the patch digest/checksum values from files/patch-sum to distinfo
2001-04-17 11:53:33 +00:00
Renamed from net/snort/files/md5