Commit graph

86 commits

Author SHA1 Message Date
adrianp
20aab0d59e Update to 2.6.1.5
Snort v2.6.1.5 includes:
* A new http_post rule keyword used to search for content in normalized
  HTTP posts
* A fix for a potential memory leak when generating HTTP Inspection events

Snort v2.6.1.4 includes detection functionality for a BSD IPv6 fragmentation
overflow, and addresses a number of potential security-related issues in
Snort as reported by customers, uncovered by internal investigations, and
through third-party code audits.
2007-05-18 22:20:09 +00:00
adrianp
8464f66dc1 Fix typos in options.mk
Fix snort-flexresp{2} so that they actually can be tested and work properly
 with the new libnet{10,11} laoyout
Pointed out by wiz@ in private email
2007-03-23 10:54:52 +00:00
joerg
800393454c Kill an useless, unportable check. 2007-02-20 17:29:36 +00:00
adrianp
e62c23b0b4 Update to 2.6.1.3
* src/dynamic-preprocessors/Makefile.am:
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
* src/dynamic-preprocessors/dcerpc/dcerpc.c:
Add bounds checking to ReassembleSMBWriteX; use Safememcpy for calculated
length buffer copies.
2007-02-19 19:40:35 +00:00
adrianp
0e80ca1b00 Remove the now obsolete Makefile.common 2007-02-17 21:45:18 +00:00
adrianp
889bae3488 Add options.mk missed in the 2.6 update 2007-02-17 19:08:48 +00:00
adrianp
8588663438 Update to snort 2.6.1.2
2.6.1 provides new functionality including the following:

* New pattern matcher with a significantly reduced memory footprint
* Introduction of stream5 for experimental use
* Improvements to stream4, including UDP session tracking and optimizations for the reassembly buffer
* Handling for reassembly of SMB fragmented data in DCE/RPC
* An ssh preprocessor for experimental use
* Updated Snort decoder that can decode GRE encapsulated packets
* Output plugin to allow Snort to configure Aruba access control

Snort 2.6.0:
* Tcp stream properly reassembled after failed sequence check, which may lead to possible detection evasion.
* Added configurable stream flushpoints.
* Improved rpc processing.
* Improved portscan detection.
* Improved http request processing and handling of possible evasion cases.
* Improved performance monitoring.

The Snort 2.6 release also introduces the ability to use dynamic rules and dynamic preprocessors and contains further improvements to the Snort detection engine.

Remove snort-{pgsql,mysql,prelude}. The new snort package uses options.mk
to specify build options.
2007-02-17 19:08:05 +00:00
rillig
2829e658f2 Mechanically replaced man/* with ${PKGMANDIR}/* in the definition of
INSTALLATION_DIRS, as well as all occurrences of ${PREFIX}/man with
${PREFIX}/${PKGMANDIR}.

Fixes PR 35265, although I did not use the patch provided therein.
2007-01-07 09:13:46 +00:00
rillig
33d47824d2 Fixed a typo (SUBST_MESSAGE.cgi => SUBST_MESSAGE.paths) found by pkglint. 2006-06-18 00:25:26 +00:00
adrianp
5ecf126456 Update to 2.4.5
These releases have better performance, numerous new features and
incorporate many bug fixes. Notable bug fixes and improvements include:

* Tcp stream properly reassembled after failed sequence check,
  which may lead to possible detection evasion.
* Added configurable stream flushpoints.
* Improved rpc processing.
* Improved portscan detection.
* Improved http request processing and handling of possible
  evasion cases.
* Improved performance monitoring.
2006-06-06 18:51:52 +00:00
jlam
802ce74fcb Modify packages that set PKG_USERS and PKG_GROUPS to follow the new
syntax as specified in pkgsrc/mk/install/bsd.pkginstall.mk:1.47.
2006-04-23 00:12:35 +00:00
adrianp
55341ffa93 Add debug option
Suggested by Jason Miller in private email
2006-04-18 22:39:32 +00:00
adrianp
df223db62c Update to 2.4.4
This includes the fix for:
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0839
> +2006-02-20 Steven Sturges <ssturges@sourcefire.com>
> +    * src/preprocessors/spp_frag3.c:
> +    * configure.in:
> +      Fix ip options handling.  Thanks to Vyacheslav Burdjanadze for
> +      finding the issue.
> +
> +2006-01-09 Steven Sturges <ssturges@sourcefire.com>
> +    * src/sfutil/mwm.c:
> +      Fixed bug with multiple recurring patterns in Wu-Manbher implementation.
> +      Thanks to Evan Stawnyczy for pointing it out an Marc Norton for the
> +      fix.
> +    * src/parser/IpAddrSet.c:
> +      Fixed problem with parsing conf file and rules when DNS is not working.
> +      Thanks Martin Olsson for mentioning this and testing the fix.
> +    * src/preprocessors/spp_perfmonitor.c:
> +    * src/preprocessors/perf-base.c:
> +      Handle wrapping on 64-bit platforms
> +
> +2005-11-17 Andrew Mullican <amullican@sourcefire.com>
> +    * src/sfutil/sfxhash.c:
> +    * src/preprocessors/portscan.c:
> +      Add tracker without using bogus data, to avoid internal buffer overrun.
> +      Thanks Sandro Poppi for the find.
> +
> +2005-11-11 Steven Sturges <ssturges@sourcefire.com>
> +    * src/snort.c:
> +      Allow value of 0 to be used with -G flag
> +    * src/preprocessors/spp_bo.c:
> +      Code Cleanup
> +    * src/preprocessors/spp_frag3.c:
> +      Fix memory leak and mishandling of IP Options.  Thanks Yin
> +      Zhaohui for the find.
2006-03-09 09:37:44 +00:00
joerg
fa3a5ce6cb Fix errno. 2006-02-16 20:45:51 +00:00
adrianp
557b62da26 Include database schemas in the install
Bump snort{-mysql,-pgsql} to nb1
2006-01-03 17:34:40 +00:00
jlam
dc9594e09d Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.
2005-12-29 06:21:30 +00:00
rillig
579e977969 Ran "pkglint --autofix", which corrected some of the quoting issues in
CONFIGURE_ARGS.
2005-12-05 23:55:01 +00:00
rillig
b71a1d488b Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in

    http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
2005-12-05 20:49:47 +00:00
adrianp
267c5d32ad Update to snort 2.4.3
- Fixed potential buffer overflow in BackOrifice preprocessor and
  added an alert on attempt to overflow buffer in snort.  Thanks
  Andy Mullican for the fix.
2005-10-18 15:15:04 +00:00
adrianp
cfef221d76 Update to 2.4.2
- don't try to actually open the log file when in test mode
- Fixes to address schema being a keyword in MySQL 5.0
2005-10-11 20:53:22 +00:00
adrianp
d790f32cfe Update snort to 2.4.1
From the ChangeLog:
> 2005-09-16 - Snort 2.4.1 Released
> [*] New additions
>     * Added a -K command line option to manually select the logging mode using
>       a single switch.  The -b and -N switches will be deprecated in version
>       2.7.  Pcap logging is now the default for Snort at startup, use "-K ascii"
>       to revert to old behavior.
>
> [*] Improvements
>     * Win32 version now supports winpcap 3.1 and MySQL client 4.13.
>     * Added event on zero-length RPC fragments.
>     * Fixed TCP SACK processing for text based outputs that could result in a
>       DoS.
>     * General improvements to frag3 including Teardrop detection fix.
>     * Fixed a bug in the PPPoE decoder.
>     * Added patch for time stats from Bill Parker.  Enable with configure
>       --enable-timestats.
>     * Fixed IDS mode bailing at startup if logdir is specified in snort.conf
>       and /var/log/snort doesn't exist.
>     * Added decoder for IPEnc for OpenBSD.  Thanks Jason Ish for the patch
>       (long time ago) and Chris Kuethe for reraising the issue.
>     * Allow snort to use usernames (-u) and groupnames (-g) that include
>       numbers.  Thanks to Shaick for the patch.
>     * Fixed broken -T option.
>     * Change ip_proto to ip for portscan configuration.  Thanks David Bianco
>       for pointing this out.
>     * Fix for prelude initialization.  Thanks Yoann Vandoorselaere for the
>       update.
>     * For content matches, when subsequent rule options fail, start searching
>       again in correct location.
>     * Updated Win32 to handle pflog patch.
>     * Added support for new OpenBSD pflog format.  Older pflog format,
>       OpenBSD 3.3 and earlier is still supported.  Thanks Breno Leitao
>       and Christian Reis for the patch.
>     * Added statistics counter for ETH_LOOPBACK packets.  Thanks rmkml
>       for the patch.
2005-09-20 18:01:26 +00:00
adrianp
981f7d7d52 Add patch from snort CVS to address a security issue:
http://secunia.com/advisories/16786/
Whitespace police on MESSAGE
Bump to nb1
2005-09-14 12:46:52 +00:00
rillig
7a95adad42 The real user name in PKG_USERS does not need to be escaped with double
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
2005-08-23 11:48:47 +00:00
jlam
bd2788d930 Merge CONF_FILES/SUPPORT_FILES and CONF_FILES_PERMS/SUPPORT_FILES_PERMS
as the INSTALL and DEINSTALL scripts no longer distinguish between
the two types of files.  Drop SUPPORT_FILES{,_PERMS} and modify the
packages in pkgsrc accordingly.
2005-08-19 18:12:36 +00:00
adrianp
8ab84e9d39 Update snort to 2.4.0
If you are using this package make note of the distribution change
mentioned below.  I have update the MESSAGE to inform users of this and
there is now also a net/snort-rules package with the community rules.

> [*] Distribution Change
>     * Rules are no longer distributed as part of the Snort releases, they are
>       available as a separate download from snort.org.  This was done for
>       three reasons:
>         1) To better manage the new rules licensing.
>         2) To reduce the size of the engine download.
>         3) To move the thousands of documentation files for the rules into
>            the rules tarballs.  If you've ever checked Snort out of CVS you'll
>            know why this is a Good Thing.
>
> [*] New additions
>     * Added new IP defragmentation preprocessor, Frag3. The frag3 preprocessor
>       is a target-based IP defragmentation module, and is intended as a
>       replacement for the frag2 module.  Check out the README.frag3 for full
>       info on this new preprocessor.
>
>     * Libprelude support has been added (enable with --enable-prelude).
>       Thanks Yoann Vandoorselaere!
>
>     * An "ftpbounce" rule detection plugin was added for easier detection of
>       FTP bounce attacks.
>
>     * Added a new Snort config option, "ignore_ports," to ignore packets
>       based on port number.  This is similar to bpf filters, but done within
>       snort.conf.
>
> [*] Improvements
>     * Snort startup messages printed in syslog now contain a PID before each
>       entry. Thanks Sekure for initially bringing this up.
>
>     * Stream4: Performance improvements.
>
>     * Stream4: Added 'max_session_limit' option which limits number of
>       concurrent sessions tracked.  Added favor_old/favor_new options that
>       affect order in which packets are put together for reassembly.
>
>     * Stream4: New configuration options to manage flushpoints for improved
>       anti-evasion.  The flush_behavior option selects flushpoint management
>       mode.  New flush_base, flush_range, and flush_seed manage randomized
>       flushing.  Check out the snort.conf file for full config data on the
>       new flush options.
>
>     * Added two more alerts for BackOrifice client and server packets. This
>       allows specific alerts to be suppressed.
>
>     * PerfMon preprocessor updated to include more detailed stats for rebuilt
>       packets (applayer, wire, fragmented & TCP). Also added 'atexitonly'
>       option that dumps stats at exit of snort, and command line -Z flag to
>       specify the file to which stats are logged.
>
>     * Added new Http Inspect config item, "tab_uri_delimiter," which if
>       specified, lets a tab character (0x09) act as the delimiter for a URI.
>
>     * Added a '-G' command line flag to snort that specifies the Snort
>       instance log identifier. It takes a single argument that can be either
>       hex (prefaced with 0x) or decimal. The unified log files will include
>       the instance ID when the -G flag is used.
>
>     * "Same SRC/DST" (sid 527) and "Loopback Traffic" (sid 528) are now
>       handled in the IP decoder. Those sids are now considered obsolete.
>
>     * Http_Inspect "flow_depth" option now accepts a -1 value which tells
>       Snort to ignore all server-side traffic.
>
>     * RPMs have been updated to be more portable, and also now include a
>       "--with inline" option for those wanting to build Inline RPMs. Thanks
>       Daniel Wittenberg and JP Vossen for your help!
>
>     * Many, many bug fixes have also gone into this release, please see the
>       ChangeLog for details.
2005-08-13 19:56:47 +00:00
reed
ee8be9d0c1 RCD_SCRIPTS_EXAMPLEDIR is no longer customizable.
And always is defined as share/examples/rc.d
which was the default before.

This rc.d scripts are not automatically added to PLISTs now also.
So add to each corresponding PLIST as required.

This was discussed on tech-pkg in late January and late April.

Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
2005-05-02 20:33:57 +00:00
adrianp
3dee82540a - Update snort to 2.3.3
- Fix /var => ${VARBASE}
- Changes Include:
> * Issues with suppressing sfPortscan Open Ports have been fixed.
>
> * Added a new mini-preprocessor to catch the X-Link2State
>   vulnerability.  This preprocessor can be configured to drop the
>   offending connection when in Inline-mode. Please read snort.conf or
>   the snort manual for more details.  This preprocessor is enabled by
>   default in snort.conf.
2005-04-27 18:36:25 +00:00
tv
f816d81489 Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used. 2005-04-11 21:44:48 +00:00
adrianp
4d11577321 - Update snort from 2.3.0 -> 2.3.2
2005-03-10 - Snort 2.3.2 Released

* Removed end-of-line parser fix in favor of completely reworking
  this at the next parser overhaul.

2005-03-09 - Snort 2.3.1 Released

* Fixed issue where the number of flowbits were too small. Thanks Marc
  Norton for the fix.

* Fixed parsing of comments at end of line in config file.  In
  snort.conf, anything that follows a # on a line is considered a
  comment. Thanks Steve Sturges for the fix.

* Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX.
  Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and
  Jonathan Miner for working with us on this.
2005-03-25 18:28:28 +00:00
agc
b12d62efb5 Add RMD160 digests. 2005-02-24 12:13:41 +00:00
taca
5f20232d33 Update distinfo for snort-2.3.0. 2005-01-29 03:27:58 +00:00
adrianp
9bff922955 Update to snort 2.3.0
2005-01-25 - Snort 2.3.0 Final Released

* Fixed issue with sfPortscan reporting incorrect IP datagram length.
  Thanks Jon Hart for the test case and finding the bug, and Marc Norton
  for resolving the issue.

* Threshold/Suppression now prints properly when logging to syslog.
  Thanks Sekure for pointing out the problem. Thanks Steve Sturges for
  working on the fix.

* Threshold memcap argument now correctly handles non-integer input.
  Thanks nnposter for the patch.

* Fixed issue reported by Allan Jensen, where on MacOS X, ppp links were
  not decoded properly. Thanks Dan Roelker for the fix.

* Snort manual and FAQ are updated for 2.3. Thanks Jen Harvey for your
  work on putting it all together.

2004-12-15 - Snort 2.3.0 RC2 Released

* Small performance improvement to arpspoof and also fixed a problem
  where the list of configured IP/MAC entries would contain only one
  entry and leaked memory (Jeff Nathan).

* Fixed a problem affecting MacOS X where linking may fail with
  non-standard libraries when global symbols are encountered multiple
  times (Jeff Nathan).

* Ignore RST|ACK midstream pickup case so we don't get an evasive TCP
  alerts.  Thanks for the report, Sekure. Thanks Dan Roelker for the fix.

* Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the
  logdir config will work if the default or command-line logdir does not
  exist on the system. Thanks Dan Roelker.

* Fixed bug when setting the doe_ptr on a successful pcre match.
  It is now set relative to base_ptr. Thanks Steve Sturges for the
  fix.

* Added from_beginning and multiplier options for byte_jump.
  from_beginning skips bytes from the beginning of the content,
  instead of from the location immediately following the number
  of bytes to skip.  multiplier takes a numeric argument, and
  skips x times that number of bytes. Thanks again to Steve Sturges.

* In "fast" output, now log only actual packet contents when UDP
  data length is greater than actual data length. Thanks Brian
  Caswell for spotting this, and Andrew Mullican for working on the fix.

* Please check the ChangeLog for further details.

2004-11-18 - Snort 2.3.0 RC1 Released

* Added IPS functionality from Snort-Inline.  A big thanks to the
  Snort-Inline guys (Jed Haile, Rob McMillen, William Metcalf, and Victor
  Julien).  Also, Thanks Dan Roelker for doing the integrating of
  Snort-Inline into the official Snort project.

* Added new portscan detector.  The design and implementation was headed
  up by Dan Roelker, and included Marc Norton and Jeremy Hewlett.

* Numerous changes for better 64bit Snort support from Jeremy Hewlett and
  Marc Norton.  Additionally, an --enable-64bit-gcc option was added to
  configure.  However, there are still some memory alignment issues to
  work out before 64bit mode is fully functional, patches are welcomed.
  Thanks Chris Baker for doing 64bit testing.

* Added not_established keyword to the flow detection option.  This allows
  snort to do dynamic firewall rulesets.  Experimental for now.

* Added an enforce_state keyword to stream4 so we won't pick up midstream
  sessions.  This works well for asynchronous links and also for
  just monitoring legitimate traffic.

* Relocated ./contrib files to http://www.snort.org/dl/contrib as many
  are not maintained by Sourcefire and are out of date. The rpm and
  schema files have been relocated in their respective 'rpm' and 'schemas'
  directories under the snort parent directory.

* perfmonitor config line can now be configured with "accumulate" or
  "reset."  Thanks Marc Norton for the feature, and Barry Basselgia for
  pointing out the issue.  Thanks Scott Dexter and Andreas Ostling for
  doing some initial testing.

* Fixed 64-bit bug in sfmemcap.c found and tested by Ryan Matteson
  and Clay McClure.  Thanks guys.

* Fixed reference times to match log time for first packet, for an event
  generated by a reassembled packet.  Incremented event ID to give
  unique ID for each packet.  Also made unified logging compatible with
  Windows.  Thanks Andrew Mullican for the fix.

* Fixed linux perfmonitoring stats for the 2.6 kernel.  Thanks to
  everyone that reported this bug.  Thanks Dan Roelker for the fix.

* Get thresholding/suppression to work for alerts that do not
  contain an ip header (primarily decode alerts).  Thanks
  Brian Caswell.

* Fix conditions where snort would log double web alerts that
  contained only content options (no uricontents).  Thanks to kawa for
  finding and reporting this bug.

* Fix suppression/thresholding bug for non-rule alerts.  Thanks to
  Alex Butcher for reporting it to us.

* Many other bug fixes, please check the ChangeLog for details.
2005-01-28 23:02:41 +00:00
reed
32d8f290c2 The default location of the pkgsrc-installed rc.d scripts is now
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.

This is from ideas from Greg Woods and others.

Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
2004-12-28 02:47:40 +00:00
reed
62071c8b2f RCD_SCRIPTS_EXAMPLEDIR was just changed to be a relative directory
under ${PREFIX} instead of being an absolute path.

So fix the references using RCD_SCRIPTS_EXAMPLEDIR to be
${PREFIX}/${RCD_SCRIPTS_EXAMPLEDIR}.

This should have no changes to use before.

Please note that the MESSAGE files in most cases are wrong in the
first place. We have automated mechanisms and could have an automated
message for explaining rc.d script usage. (This is something to do!)
2004-10-11 22:14:51 +00:00
adrianp
96e4430cac Do a conditional remove of the share/snort directory so it does not conflict
with the new snort-contib package.
2004-09-23 20:01:34 +00:00
adrianp
6c9528f437 - Update snort to 2.2.0
- ok'ed snj@, wiz@
- Install database scripts which goes a part-way to addressing PR 18996

Updated database schema diagram from Chris Reid. Schema can be found in
./doc/snort_schema_v106.pdf
Added --include-pcre* configuration option to help cross compiling. Thanks
Erik de Castro Lopo.
Fixed thresholding/suppression issue with queuing multiple events per packet.
Thanks Andreas Ostling.
When a rebuilt stream causes an alert, log out the original packets instead of
the rebuilt packet. Thanks sekure@gmail.com for the report.
Turned off http_inspect alerts that were causing false positives in the preset
webserver profiles (Thanks Dan Roelker).
Turn off encoding alerts in HTTP parameter field. The parameter field is still
normalized, it just doesn't alert. This helps reduce alerts that are generated
from complex parameter queries (Thanks Dan Roelker).
Fixed memory leak in "fast" output. Thanks for your bug report
sekure@gmail.com.
Clear error code which under Windows was causing a subsequent false failure in
parsing threshold rules. (Thanks to Rich Adamson)

Further details can be found in Changelog and RELEASE.NOTES.
2004-09-21 15:50:26 +00:00
adrianp
50d878d662 - Upgrade snort to 2.1.3
- Grab maintainership of the package (with ok of previous owner)
- Use SUBST_* code

Ok'ed wiz@, snj@, salo@

From the changelog:

2004-05-06 Daniel Roelker <droelker@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c:
      Fixed rule read up error when parsing hexmode content options.
      Thanks for pointing it out Toni Maatta.  (Roelker)

    * src/preprocessors/spp_stream4.c:
       Fixed null pointer dereference when detect_scans were enabled and
       creating a new session that had funky flags.  Thanks to Chad
       Kreimendahl for reporting the bug and testing the fix.  (Roelker)

2004-04-20 Daniel Roelker <droelker@sourcefire.com>

    * src/event_queue.c:
    * src/event_queue.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
      Added multi-event queueing in Snort.  Snort now supports logging
      multiple events per packet, and prioritizing those events using
      different methods.  Thanks to H.D. Moore for illustrating event
      obfuscations when snort only logged one event per packet. (Roelker)

    * src/snort.c:
    * src/decode.c:
    * src/detect.c:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream4.c:
      Updated event generators to use new event queueing sytem.  (Roelker)

    * src/output-plugins/spo_alert_fast.c:
      Added newline to 'cmg' alert output, so IP decode is easier to
      read.  (Roelker)

    * src/output-plugins/spo_database.c:
      Updated how current/utc times are calculated, as well as how they are
      formatted, thanks Marcus Janoski.  (Reid)

    * src/parser.c:
      Error on unterminated IP lists.  Added 'config event_queue' parameter.
      Configuration changes to 'config checksum_mode' for specifying
      which checksums to do.  (Norton)

    * src/plugbase.h:
      Fixes from Chris Reid for timestamp routines.  (Reid)

    * src/tag.c:
      Revert to old tag functionality.  Will add proposed tagging
      configurations in the future.  (Roelker)
2004-07-01 17:10:22 +00:00
reed
2d4122dd45 Fix references to rc.d scripts. This package uses RCD_SCRIPTS
which installs to ${RCD_SCRIPTS_EXAMPLEDIR}. But the MESSAGE
referred to wrong hard-coded location if the RCD_SCRIPTS_EXAMPLEDIR
was not the default. So use RCD_SCRIPTS_EXAMPLEDIR instead.

PKGREVISION not bumped because if someone had changed
RCD_SCRIPTS_EXAMPLEDIR before recent change of autoregistration
of rc.d script in PLIST, then it could not have been packaged
in first place.

Note that this commit does not imply that the MESSAGE is correct.
In some cases, the MESSAGE is clearly wrong such as suggesting
running the rc.d script from the example directory (which will work
although).
2004-04-23 22:43:20 +00:00
reed
9c790735db mk/bsd.pkg.install.mk now automatically registers
the RCD_SCRIPTS rc.d script(s) to the PLIST.

This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.

This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)

These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)

I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.

Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
  hard-coded etc/rc.d. These need to be fixed.
- maybe  remove from mk/${OPSYS}.pkg.dist mtree specifications too.
2004-04-23 22:07:52 +00:00
snj
afea2fbd9d Update to snort-2.1.2. From Adrian Portelli in PR pkg/25029.
While here, convert to buildlink3.

Changes:
* Various portability fixes.
* Fixed conversation parsing faults so users can operate this
  preprocessor
* Detect non-rfc standard chunk encodings.  Detect abnormal HTTP
  requests with newlines, spaces, etc. before the request method.
* Fix negative stats output on snort exit or SIGUSR1.
* Removed escaping of '%' and '_' characters in MySQL
* Various documentation fixes/updates.
* Added Flowbits detection functionality.
* Added utility to parse out perfmon stats.
* Tagged Packets no longer have NULL msg name.
* Fixed http_inspect double alerting on pkts and rebuilt streams.
* http_inspect proxy_alert now supports normal proxy networks setups.
  http_inspect default server only valid if specified in config.
* Close Socket when Snort receives SIGHUP.
* Added GID, SID, and Rev to csv output.
* config chroot readded.
* Added additional error checking for custom rules.
* Flow now honors -q (quiet).
* Removed non_rfc_chars from default profiles.
* Added suppression negation.
* Better support for ODBC.  Better memory management. Improved escaping
  of SQL strings.
* Other miscellaneous bugfixes.
2004-04-10 03:09:45 +00:00
snj
2898463d1b s/capabilty/capability/; s/seperate/separate/ 2004-01-31 23:57:54 +00:00
kristerw
6f13a6d41f Make this package build on NetBSD 1.6. 2004-01-31 20:43:41 +00:00
salo
495195d60a Update to version 2.1.0.
Changes:

2.1.0:
======
- A new connection tracking module, Flow (replaces conversation)
- A new portscan detector based off of Flow, Flow-Portscan (replaces
  portscan2)
- A new http preprocessor, HttpInspect (replaces http_decode)
- Alert Thresholding and Suppression
- PCRE rule keyword (Perl Compat Regular Expressions)
- isdataat rule keyword (buffer length detection)
- A ton of new and updated rules.

2.0.6:
======
- 64-bit update for detection engine. (Thanks, Silio d'Angelo)
- Added better PPP decoding. (Thanks Jesper Peterson)
- Updated ip_proto optimization for high-speed detection engine.
- Fixed infinite loop problem that was introduced by the recursive pattern
  matching patch. Reported by Lawrence Reed, thanks for testing out the
  changes for us!
- Various changes to help respond (version 1) work a little better.
- spp_http_decode 64-bit patch from Dirk Mueller.
- Out-of-order ACK problem from Andrew Rucker. Also, updated stream4 to the
  most recent version from HEAD.
- Minor fixes to tagging related to 'src' and 'dst' directives
- When counting one byte patterns in 'ningroup' added a check for
  psLen==1 (wu-manber pattern matcher). Thanks Josh Sakofsky and Dennis
  McGuire for helping us test this.

2.0.5:
======
- Stream4 fixes from Andrew Rucker Jones.
- Allow memcap to be configured for threshold features.

2.0.4:
======
- Fixed a core dump introduced with 2.0.3 when dealing with negated patterns

2.0.3:
======
- doe_ptr handling in byte_test/byte_jump slightly modified to work
  better with the pcre patch
- content processing is now recursive to make distance/within processing
  better ( thanks to Shai Rubin for patch! )
- fixed a bug in the mwm.c pattern matcher that resulted in some alerts
  not firing in a particular configuration of rules

2.0.2:
======
- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
2003-12-31 14:11:42 +00:00
salo
c8f8e606df Update to version 2.0.2.
Patch from Adrian Portelli via PR pkg/22900.

Changes:

- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
2003-09-23 15:43:50 +00:00
salo
6ecd356afd Updated to version 2.0.1.
Changes:

- fix host endianess problem in udp decoder
- vlan decoding fixes from Michael Pomraning
- add tcp state checking to httpflow
- ignoring bad checksums throughout snort if checksumming is turned on
- config disable_ttcp_alerts is now also config disable_tcpopt_ttcp_alerts
- better initialization handling of low memory conditions pointing to the
- low memory search engine
- byte_jump / byte_test 2 byte cases handled and unified
- correctly assign port numbers on tcpoption events
- pass rule logic changed to "win" in specific multiple event cases
- named interface support for win32 from the winpcap folks
- spp_bo now also will work with log-only output plugins
- added window detection plugin documentation to manual
- lots of new rules and tons of rule documentation
2003-07-26 11:13:16 +00:00
grant
ca3be631f2 s/netbsd.org/NetBSD.org/ 2003-07-17 22:50:55 +00:00
salo
f926ba83a1 Bump PKGREVISION: honour PKG_SYSCONFDIR for real. (i thought i fixed this
before but apparently i did not :/)
2003-04-16 15:51:22 +00:00
salo
8dd2d2ad1d Updated to version 2.0.0.
IMPORTANT: This version fixes remotely exploitable heap overflow in the stream4
           preprocessor module.

Advisory:  http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10

Changes:

2.0.0:
======
- Enhanced high-performance detection engine
- Stateful Pattern Matching
- New detection keywords: byte_test & byte_jump
- The Snort code base has undergone an external third party professional
  security audit funded by Sourcefire (http://www.sourcefire.com)
- Many new and updated rules
- snort.conf has been updated
- Enhancements to self preservation mechanisms in stream4 and frag2
- State tracking fixes in stream4
- New HTTP flow analyzer
- Enhanced protocol decoding (TCP options, 802.1q, etc)
- Enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc)
- Enhanced flexresp mode for real-time TCP session sniping
- Better chroot()'ing
- Tagging system updated
- Several million bugs addressed....
- Updated FAQ (thanks to Erek Adams and Dragos Ruiu) Snort 2.0 can be
  downloaded at http://www.snort.org/dl/snort-2.0.0.tar.gz. Binary
  versions of the codebase will be built over the next several days and
  made available at here.

2.0.rc4:
========
- byte_jump/byte_test don't force relative content options
- byte_jump/byte_test absolute offsets work
- Better FIN handling in Stream4

2.0.rc3:
========
- A low memory usage detection method (enabled via "config detection:
  search-method lowmem")
- Moved the default unix socket location to LOGDIR

2.0.rc2:
========
- syslog should work on win32 and unix
- major tagging updates
- new UDP decoding alerts
- snort.conf updates

2.0.rc1:
========
- Higher performance (due to a new pattern matcher and rebuilt detection
  engine)
- Better decoders
- Enhanced stream reassembly and defragmentation
- Tons of bug fixes
- Updated rules
- Updated snort.conf
- New detection keywords (byte_test, byte_jump, distance, within) &
  stateful pattern matching
- New HTTP flow analyzer
- Enhanced anomaly detection (HTTP, RPC, TCP, IP, etc)
- Better self preservation in stateful subsystems
- Xrefs fixed
- Flexresp works faster and more effectively
- Better chroot()'ing
- Fixed 802.1q decoding
- Better async state handling
- New alerting option: -A cmg!!
2003-04-16 06:37:19 +00:00
salo
974cf2e158 Updated to version 1.9.1.
This version fixes the buffer overflow issue noted in:

  http://www.kb.cert.org/vuls/id/916785

Changes:

 - follow PKG_SYSCONFDIR
 - added rc.d script
 - create own user and group
 - added MESSAGE with post-install instructions
 - removed DEINSTALL
 - minor cleanups (this package was really half-baked..)

1.9.1:
======
 - src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
	- alignment errors on non-x86 platforms
	- added new space delimited options
	  alert_fragments
	  no_alert_multiple_requests
	  no_alert_large_fragments
	  no_alert_incomplete
 - corrected buffer overflow in fragment normalization
 - src/snort.c
	- Win32 '-s' parameter wasn't configured to accept an optarg,
	  but code expected one, causing null-pointer violation.
 - Backport of 2.0 fixes for stream4 ( off by one errors on reassembly )
2003-03-04 01:02:25 +00:00
tron
39a943ad92 Replace "true" by "${TRUE}". 2002-12-09 16:01:10 +00:00