Commit graph

10 commits

Author SHA1 Message Date
salo
974cf2e158 Updated to version 1.9.1.
This version fixes the buffer overflow issue noted in:

  http://www.kb.cert.org/vuls/id/916785

Changes:

 - follow PKG_SYSCONFDIR
 - added rc.d script
 - create own user and group
 - added MESSAGE with post-install instructions
 - removed DEINSTALL
 - minor cleanups (this package was really half-baked..)

1.9.1:
======
 - src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
	- alignment errors on non-x86 platforms
	- added new space delimited options
	  alert_fragments
	  no_alert_multiple_requests
	  no_alert_large_fragments
	  no_alert_incomplete
 - corrected buffer overflow in fragment normalization
 - src/snort.c
	- Win32 '-s' parameter wasn't configured to accept an optarg,
	  but code expected one, causing null-pointer violation.
 - Backport of 2.0 fixes for stream4 ( off by one errors on reassembly )
2003-03-04 01:02:25 +00:00
agc
bbc67fac91 + move the distfile digest/checksum value from files/md5 to distinfo
+ move the patch digest/checksum values from files/patch-sum to distinfo
2001-04-17 11:53:33 +00:00
wiz
28eeb60ba5 Update to 1.7, provided by Mipam in private mail.
Changes: lots of bugfixes, many new plugins, SPADE (statistical anomaly
detector), and more.
2001-02-26 20:43:27 +00:00
rh
589043a29f Update snort to 1.6.3.2. Notable changes include:
Fixes and additions:

   * Fixed compilation problems on all non-BSD operating systems
   * Added better configuration support for locating libpcap
   * Fixed ICMP ping packet id/sequence printouts
   * Made allowances for 64-bit machines in the decoders
   * Updated the portscan detector to the latest version
   * Disabled the defragmenter by default (in the rules file)
   * Added a patch from Dave Dittrich to make daemon mode alerts
	filenames conform to the data in the documentation
   * Revamped the ICMP data structures to mimic those found in *BSD
	and provide for higher fidelity decoding/printout in the future
   * Repaired the output plugins so that they operate properly now
   * For the record, the payload dump conforms to the length of the IP
	datagram now and does not show pad bytes added by the minimum
	Ethernet frame size
   * Applied Chris Cramer's byte ordering patch to the flexresp code

Other updates and changes since version 1.6:

   * New preprocessor plugin: IP defragmentation!!
   * New output plugins cover all old logging and alerting options
   * New output plugin now logs to MySQL, PostgreSQL, unixODBC databases
   * Updated portscan detection functionality
   * Added quote removal for most plugin parsers
   * -C crash bug fixed
   * PID/PATH_VARRUN file fixes
   * Converted many putc(3) calls to fputc(3) for portability
   * Transport layer decoders use ip_len field for length metric now
   * String tokenizer code modified for more reliable operation
   * Fixed flexible response code sequence prediction
   * Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all
	platforms
   * Set automake options so that people don't need gmake anymore to
	build Snort on BSD systems
   * Fixed SMB alert code large tmp file hole
   * Added sigsetmask code to fix SIGHUP weirdness
   * Added execvp option for SIGHUP restart code
   * Added ARP header printout validation
   * Added Session logging file integrity checking
   * Added -u/-g setuid/gid capability switches
   * Added -O IP address obfuscation switch
   * Added -t chroot switch
   * Fixed non-TCP/UDP/ICMP transport layer decoding & logging
   * Fixes and additions to the portscan preprocessor
   * Fixed Tru64 u_int* type declarations
   * Added check for pcap.h into configuration script
   * Fixed timeval problems on Linux boxen
   * Database logging plugin has been modified extensively, see the
	www.incident.org website for more information
   * Switched TCP flags printout routine to ensure proper RFP output
	scan output. ;)
   * Fixed default log/alert function code so that these functions are
	never NULL
2000-12-27 10:08:35 +00:00
wiz
a4f3b12d25 Update checksum, distfile seems to have changed. Fixes pkg/9892.
2000-05-28 10:33:52 +00:00
agc
6b303b113f Upgrade snort to version 1.6. Changes since version 1.5.1 include:
New features:
* Token Ring and FDDI decoder support
* Snort ported to Tru64/Alpha, IRIX 6.X, and AIX
* Output plugins added (modular output system)
* John Wilson greatly improved the speed of the content pattern matcher
* Added FlexResp (active response) plugin from Christian Lademann
* Snort man page now ships with the distribution
* Snort now generates a PID file for easier integration with scripting
* Added support for "stealthed" network interfaces

New command line switches:
* -q => quiet mode (no stdout printing)
* -C => print payload ASCII content only
* -P => set explicit snaplen for packet collection

Plugins:
* Added Postgres SQL DB logging output module from Jed Pickel
* Added portscan detection plugin from Patrick Mullen
* HTTP decode preprocessor largely rewritten and much more accurate
* Minfrag rule moved to preprocessor module
* Added ICMP ECHO ID check plugin
* Added ICMP ECHO sequence check plugin
* Added RPC analysis plugin from Mark Hindess
* Added IP option analysis plugin
* Added nocase plugin (makes content rules work with case insensitivity)
* Added syslog output module with user definable syslog facility
* Added tcpdump output module

(and building without patches on Solaris).
2000-03-20 12:03:45 +00:00
rh
c5bbb18156 Update snort to 1.5.1
Changes are:
        * fixed a problem with pass rules not being applied properly
        * fixed a #include ordering statement for Slackware 4.0 installs
        * fixed banner output for the -V option
        * Token Ring decoding is now fully functional
        * Added packet buffer cleanup code to all protocol decoders
        * fixed a problem with improper TCP option output
        * Added a Snort man page
2000-02-04 16:18:01 +00:00
agc
353916ddfa Make this package work on Solaris.
2000-02-02 12:06:15 +00:00
wiz
553049dd6d update snort to 1.5; added distribution sites, install example configs.
From the Readme:
Version 1.5 adds major new functionality!  Detection and preprocessing plugins,
session logging, rules file variables and includes, five new network layer
decoders including ISDN and Token Ring support, new detection functionality,
and a bunch of other cool stuff.
2000-01-15 21:58:29 +00:00
rh
640cc42269 Initial import of snort-1.2.1, a libpcap-based packet sniffer/logger.
1999-09-10 15:48:02 +00:00