2008-09-15  Todd Wease

	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/detection_options.h:
	* src/fpcreate.c:
	* src/generators.h:
	* src/ppm.c:
	* src/ppm.h:
	* src/profiler.c:
	* src/rules.h:
	* etc/gen-msg.map:
	Update rule latency thresholding.

	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_stream4.c:
	* doc/README.flow:
	* doc/README.flow-portscan:
	* doc/README.stream4:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	The flow and stream4 preprocessors will be deprecated in a future release.

2008-08-12  Todd Wease

	* src/bounds.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* doc/README.dcerpc:
	* doc/snort_manual.tex:
	DCE/RPC preprocessor changes to handle abnormal TCP segmentation. Added option to reassemble fragmentation buffers early. Updated documentation.

	* src/decode.c:
	* src/decode.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	Fixed handling of MPLS label in checking Stream session uniqueness when IPv4 packets are received and build is IPv6.

	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	MPLS stats are now printed, whether compiled for MPLS or not.

	* src/detection-plugins/sp_pattern_match.c:
	Fixed checksum calculation for IPv6 case for 'replace' rule option.

	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	Added check to not register so rule if it has already been registered.
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	Added better handling of SMTP data header options to avoid false positives occurring with data header buffer overflow smtp preprocessor event. Thanks to rmkml for bringing this to our attention.

	* src/event_queue.c:
	* src/signature.c:
	Added checks to only allow one rule without an SID defined. Thanks to Christian Mock for bringing this to our attention.

	* src/parser.c:
	* doc/README.PerfProfiling:
	Updated performance profiling README to document new 'filename' option. Fixed handling of 'filename' option in the rule profiling configuration.

	* src/plugbase.c:
	Changed plugins startup output to use log function instead of printf().

	* src/preprocessors/HttpInspect/client/hi_client.c:
	Fixes to avoid false positives on http_inspect preprocessor events for bare byte encoding and oversize request-uri directory.

	* doc/CREDITS:
	Credits updates.

	* doc/README.decode:
	* doc/snort_manual.tex:
	Fixed some spelling errors and confusing syntax. Thanks to Hari Sekhon for pointing many of these out.

2008-07-18  Todd Wease

	* src/detection-plugins/sp_dsize_check.c:
	Fix issue with rule option "dsize" range check. Thanks to Bhadresh Patel for bringing this to our attention.

	* src/detection-plugins/sp_pcre.c:
	Fix issue with evaluating PCRE rule options with /U modifier that are followed by a relative content rule option. Many thanks to Bamm Visscher for doing the research, finding the offending rule and producing the test case necessary to track down and fix the issue. Also thanks to others on the snort users list - craig for starting a thread and JJ Cummings for confirming it was not a logging issue.

2008-07-11  Todd Wease

	* src/byte_extract.c:
	Added byte test for 3 bytes.
	* src/debug.c:
	* src/debug.h:
	* src/dynamic-preprocessors/libs/ssl.c:
	* src/dynamic-preprocessors/libs/ssl.h:
	* src/dynamic-preprocessors/ssl/sf_preproc_info.h:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.h:
	Updates to SSL preprocessor to make it work with stream reassembly, multiple handshake records and disabling detection.

	* src/decode.c:
	* src/preprocessors/spp_frag3.c:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	Fix MPLS fragmentation reassembly issue.

	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/detection_options.h:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_ftpbounce.c:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ipoption_check.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/sfutil/sfhashfcn.h:
	Move hash rot macros.

	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dns/sf_dns.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/ssh/sf_ssh.dsp:
	* src/dynamic-preprocessors/ssl/sf_ssl.dsp:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	Update Win32 project files to include MPLS.

	* src/util.c:
	For read mode, reset errno after gathering pcaps from a directory.

	* etc/sid-msg.map:
	Updates.

2008-06-16  Todd Wease

	* src/cpuclock.h:
	Fixed compilation issue on HPUX machines related to performance profiling and the assembly instructions used for getting cpu clock ticks. Thanks to Pavan Raj and Jaipal Reddy for pointing this out.

	* src/decode.c:
	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/generators.h:
	* src/log.c:
	* src/log.h:
	* src/output-plugins/spo_unified2.c:
	* src/parser.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	* configure.in:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* doc/README.mpls:
	Added MPLS decoding support.

	* src/decode.c:
	* src/generators.h:
	* etc/gen-msg.map:
	Fixed alert message for IP datagram being greater than captured length.
	* src/decode.h:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/detection-plugins/sp_pcre.c:
	* src/dynamic-plugins/sf_dynamic_common.h:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
	* src/fpcreate.c:
	* src/fpdetect.c:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/client/hi_client_norm.c:
	* src/preprocessors/HttpInspect/include/hi_client.h:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/server/hi_server.c:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/acsmx.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/bnfa_search.c:
	* src/sfutil/bnfa_search.h:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	* src/sfutil/sfksearch.c:
	* src/sfutil/sfksearch.h:
	* src/util.c:
	* src/util.h:
	* doc/README.http_inspect:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	New Feature for HTTP Inspect to split requests into 5 components - Method, URI, Header (non-cookie), Cookies, Body. Added HTTP server specific configurations to normalize HTTP header and/or cookie buffers. Provided content and PCRE modifiers to allow searches within one or more of those individual buffers. Added content modifier to allow rule writer to specify content to be used for fast pattern matcher. Updated dynamic rule API to allow searches within the new buffers.
	* src/detection-plugins/sp_flowbits.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	Provided command line switch to bail on rule parsing failure.

	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/preprocessors/spp_httpinspect.c:
	Fixed some configuration error checking.

	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	Fixed false negative when using 'trustservers' option.

	* src/output-plugins/spo_database.c:
	Fixed issue where when using the 'ruletype' keyword with database output, events were getting logged using both the default log method and the ruletype log method. Thanks to Agent Smith for pointing this out.

	* src/output-plugins/spo_unified2.c:
	Fixed issue in unified2 code where the timestamp of an event on a stream reassembled packet was using the last stream segment instead of the first.

	* src/parser.c:
	* src/profiler.c:
	* src/snort.h:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Provided option to rule and preprocessor profiling configurations to log to file instead of syslog.

	* src/preprocessors/perf-flow.c:
	Packet size distribution reported by snort flow stats does not count reassembled packets anymore.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Update Stream5 to flush bytes up to ACK if ACK falls in the middle of a segment instead of including entire segment in reassembled packet.

	* src/snort.c:
	Reset packet processor when reading multiple pcaps and pcap reset option is used.

	* doc/README.decode:
	Update GRE decoder alerts.

2008-06-04  Todd Wease

	* src/fpdetect.c:
	* src/detection-plugins/detection_options.c:
	Fix issue where pass rules weren't getting precedence over alert rules. Thanks to Jason Haar for pointing this out.

	* src/snort.c:
	Reset data link for new pcap when reading multiple pcaps.

	* etc/gen-msg.map:
	Add IPv6 decoder events.
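The 2008-06-16 entry above describes HTTP Inspect splitting each request into five buffers (method, URI, non-cookie headers, cookies, body) and adding content and PCRE modifiers that search only within one of them. The Python below is an added illustration of that split and of why buffer-scoped matching removes a class of false positives; it is not Snort's HTTP Inspect code. The request bytes are constructed, the percent-decoding stands in for the per-server header/cookie normalization the entry mentions (an assumption; the real preprocessor applies more transforms), and split_request(), content(), pcre(), evaluate() and the 'raw' pseudo-buffer are names chosen for this example, not Snort rule keywords. In the released 2.8.2 rule language the buffer modifiers are http_method, http_uri, http_header, http_cookie and http_client_body.

```python
"""Split an HTTP request into the five HTTP Inspect buffers (method, URI,
non-cookie headers, cookies, body) and evaluate buffer-scoped content/pcre
checks. Added illustration, not Snort's HTTP Inspect code."""
import re
from urllib.parse import unquote_to_bytes

# Constructed request: the injection-looking text is in the Cookie header and,
# percent-encoded, in the body, but nowhere in the URI. A pipelined second
# request follows the body and must not be swept into the body buffer.
SAMPLE_REQUEST = (
    b"POST /login.php?redir=%2Fhome HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: curl/7.19.7\r\n"
    b"Cookie: session=abc123; track=' OR 1=1--\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"user=admin&pass=%27+OR+1%3D1"
    b"GET /next HTTP/1.1\r\n\r\n"
)

BUFFERS = ("method", "uri", "header", "cookie", "body")


def split_request(raw, normalize=True):
    """Return a dict of byte buffers keyed by BUFFERS plus 'raw' (the whole request).
    normalize=True percent-decodes the URI, header and cookie buffers; this stands
    in for per-server header/cookie normalization (assumption: a simplification
    of what HTTP Inspect actually does)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, _version = parts
    header_lines, cookie_values, content_length = [], [], 0
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        name = name.strip().lower()
        if name == b"cookie":
            cookie_values.append(value.strip())      # cookie buffer holds only the values
        else:
            header_lines.append(line)
            if name == b"content-length":
                content_length = int(value.strip())
    body = rest[:content_length]                     # stop at the declared length
    decode = unquote_to_bytes if normalize else (lambda b: b)
    return {
        "method": method,
        "uri": decode(uri),
        "header": decode(b"\r\n".join(header_lines)),
        "cookie": decode(b"; ".join(cookie_values)),
        "body": body,
        "raw": raw,
    }


def content(buffers, pattern, where="raw", nocase=False):
    """A content match restricted to one buffer; where='raw' is the unscoped search."""
    haystack = buffers[where]
    return pattern.lower() in haystack.lower() if nocase else pattern in haystack


def pcre(buffers, regex, where="raw"):
    """A pcre match restricted to one buffer."""
    return re.search(regex, buffers[where]) is not None


def evaluate(rule, buffers):
    """rule is a list of (option, pattern, buffer) triples; every option must match."""
    options = {"content": content, "pcre": pcre}
    return all(options[opt](buffers, pattern, where) for opt, pattern, where in rule)


if __name__ == "__main__":
    b = split_request(SAMPLE_REQUEST)
    print(content(b, b"OR 1=1"))            # unscoped search: fires on the cookie value
    print(content(b, b"OR 1=1", "uri"))     # URI-scoped: no match
    print(content(b, b"OR 1=1", "cookie"))  # cookie-scoped: match
```

The unscoped search fires on a string that only ever appears in a cookie value, which is the kind of false positive the per-buffer modifiers are meant to eliminate; the Content-Length cut also keeps a pipelined follow-on request out of the body buffer.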
2008-05-07  Todd Wease

	* src/decode.c:
	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	Fix issue in ICMP6 code that made an incorrect calculation when the ICMP6 type was an echo or an echo reply.

	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/detection_options.h:
	* src/profiler.c:
	* src/profiler.h:
	Pattern Matcher Caching & Rule Processing Performance Improvements.

	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	Fix memory leak caused by missed or dropped traffic.

	* src/preprocessors/HttpInspect/include/hi_eo_events.h:
	Remove redundant macro.

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* doc/README.decoder_preproc_rules:
	Add documentation on the use of decoder and preprocessor rules.

2008-04-30  Todd Wease

	* src/decode.c:
	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/fpcreate.c:
	* src/fpdetect.c:
	* src/profiler.c:
	Process IP rules by fast pattern searching payload of outer IP, then evaluating matching rules against IP header & payload of inner & outer IP. This is to address false positives and false negatives in IP rules.

	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_cvs.h:
	* src/preprocessors/spp_frag3.c:
	Fix typos. Thanks to rmkml for pointing this out.

	* src/ipv6_port.h:
	* src/log.c:
	* src/log_text.c:
	Update log to correct datagram length macro for IPv6.

	* src/detection-plugins/sp_pcre.c:
	* src/dynamic-plugins/sf_dynamic_define.h:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
	Expose a pcre wrapper function to detection library rules via plugin api.
2008-04-14  Todd Wease

	* configure.in:
	* src/detect.c:
	* src/detect.h:
	* src/detection-plugins/Makefile.am:
	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/detection_options.h:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_asn1.h:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_check.h:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_byte_jump.h:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_clientserver.h:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_cvs.h:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_dsize_check.h:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_flowbits.h:
	* src/detection-plugins/sp_ftpbounce.c:
	* src/detection-plugins/sp_ftpbounce.h:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_code_check.h:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_id_check.h:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_seq_check.h:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_icmp_type_check.h:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_fragbits.h:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_id_check.h:
	* src/detection-plugins/sp_ipoption_check.c:
	* src/detection-plugins/sp_ipoption_check.h:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_proto.h:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_same_check.h:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_ip_tos_check.h:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_isdataat.h:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_pcre.h:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_react.h:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_respond2.h:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond.h:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_rpc_check.h:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_session.h:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_ack_check.h:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_flag_check.h:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_seq_check.h:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_tcp_win_check.h:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_ttl_check.h:
	* src/detection-plugins/sp_urilen_check.c:
	* src/detection-plugins/sp_urilen_check.h:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-plugins/sp_preprocopt.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/event_queue.c:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser.c:
	* src/pcrm.h:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/ppm.c:
	* src/ppm.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_frag3.h:
	* src/preprocessors/str_search.c:
	* src/preprocessors/str_search.h:
	* src/rules.h:
	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/acsmx.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/bnfa_search.c:
	* src/sfutil/bnfa_search.h:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	* src/sfutil/sfksearch.c:
	* src/sfutil/sfksearch.h:
	Pattern Matcher Caching & Rule Processing Performance Improvements.
	* configure.in:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/event_wrapper.c:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser/IpAddrSet.c:
	* src/parser.c:
	* src/parser.h:
	* src/pcrm.c:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/stream_ignore.c:
	* src/preprocessors/stream_ignore.h:
	* src/profiler.c:
	* src/sfthreshold.c:
	* src/sfthreshold.h:
	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/bnfa_search.c:
	* src/sfutil/bnfa_search.h:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	* src/sfutil/sfksearch.c:
	* src/sfutil/sfksearch.h:
	* src/sfutil/sfportobject.c:
	* src/sfutil/sfportobject.h:
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h:
	* src/sfutil/sf_vartable.c:
	* src/sfutil/sf_vartable.h:
	* src/signature.c:
	* src/signature.h:
	* src/snort.c:
	* src/spo_plugbase.h:
	* src/target-based/sftarget_protocol_reference.c:
	* src/target-based/sftarget_protocol_reference.h:
	* src/target-based/sftarget_reader.c:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	Added configuration option to clean up all initialization memory at shutdown.

	* src/decode.h:
	* src/preprocessors/snort_httpinspect.c:
	Add counter for HTTP pipeline requests.

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	Fixed issue where some FTP traffic was being labeled as encrypted when it was not.

	* src/output-plugins/spo_database.c:
	Free SQL statement. Thanks to Carter Browne for pointing this out.

	* snort.8:
	* doc/snort_manual.tex:
	* src/snort.c:
	* src/util.c:
	Update to indicate --pid-path specifies the directory for the PID file. Thanks to Lee Clemens for pointing out the ambiguity.

	* src/snort.c:
	For --pcap-show option, print to stdout instead of stderr.

	* doc/snort_manual.tex:
	* src/snort.h:
	Set minimum max attribute hosts to 32 instead of 8192.
	* src/target-based/sf_attribute_table_parser.l:
	Allow ! character in attribute table grammar for string values.

	* src/snort.c:
	* src/util.c:
	Print log message with BPF filter passed to Snort.

	* src/sfutil/mpse.c:
	Fix issue with default case (which isn't ever hit) of pattern matcher performance stats not being calculated correctly. Thanks to Wang Zhen for pointing this out.

	* src/parser.c:
	Fixed string comparison for "portvar" and "ipvar" to use correct string length. Thanks to Eric Duda for pointing this out.

	* doc/INSTALL:
	Update Mac OS X install notes.

	* doc/README.arpspoof:
	Update arpspoof documentation.

	* etc/snort.conf:
	Update frag3_global configuration example.

2008-04-03  Steven Sturges

	* rpm/snort.spec:
	Add ssl preprocessor. Thanks to Andrew Pendray for noticing.

2008-03-12  Todd Wease

	* src/decode.c:
	* doc/README.gre:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* doc/Makefile.am:
	Disable PPP decoding if architecture requires word alignment, e.g. SPARC machines.

	* src/dynamic-preprocessors/dcerpc/smb_structs.h:
	Fix endian issue when determining if SMB is using unicode strings.

	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	Fix issue where FTPTelnet sometimes determines incorrect direction with midstream session.

	* src/generators.h:
	* src/preprocessors/spp_frag3.c:
	* doc/README.frag3:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* etc/gen-msg.map:
	Update frag3 to remove enforcement of ttl_limit. Add preprocessor alert for min_ttl anomaly.

	* doc/README.ipip:
	* doc/Makefile.am:
	Added README doc for IP in IP decoding.

	* doc/README.stream4:
	* etc/gen-msg.map:
	Fixed some typos. Thanks to rmkml for pointing this out.

2008-03-06  Steven Sturges

	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* doc/README.ssl:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Improve handling for change cipher records and rule options. Indicate that trustservers option only makes sense when noinspect_encrypted is used.
2008-03-05  Steven Sturges

	* doc/README.variables:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Fix a few misspellings. Thanks to Markus Lude for letting us know.

2008-03-04  Steven Sturges

	* configure.in:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* rpm/snort.spec:
	* src/win32/WIN32-Includes/config.h:
	2.8.1 RC prep

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* doc/README.arpspoof (added):
	* doc/README.pcap_readmode (added):
	* snort.8:
	Document new multiple pcap command line options and ARP Spoof preprocessor configuration.

	* doc/README.dcerpc:
	* doc/README.http_inspect:
	* doc/README.stream4:
	Update to include information about alerts generated from various preprocessors.

	* src/decode.c:
	* src/log_text.c:
	* src/parser.c:
	* src/profiler.c:
	* src/detection-plugins/sp_cvs.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
	* src/dynamic-preprocessors/libs/sfcommon.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/sfutil/bitop_funcs.h:
	* src/sfutil/sf_iph.c:
	* src/sfutil/sfportobject.c:
	* src/target-based/sftarget_reader.c:
	* src/win32/WIN32-Includes/rpc/types.h:
	Win32 compiler warning cleanup.

	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	Reorganize to provide better compatibility with shared libraries.

	* src/detect.c:
	* src/detect.h:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/dynamic-plugins/sf_dynamic_common.h:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/output-plugins/spo_alert_fast.c:
	* src/snort.c:
	* src/snort.h:
	Update to logging of DCE/RPC defragmented packets when using console/fast output modes.
	* src/preprocids.h:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	Add ability for dynamic rules to store and retrieve data on stream session.

	* src/detection-plugins/sp_pcre.c:
	Fix compile warning with older versions of PCRE library.

	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	Update default configuration for FTP's STRU command.

2008-01-27  Todd Wease

	* src/decode.c:
	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/generators.h:
	* src/preprocessors/spp_frag3.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	* etc/gen-msg.map:
	Added IP in IP encapsulation support for both IPv4 and IPv6.

	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/snort.c:
	Enforce stricter versioning when loading shared objects. Versions of shared libraries - engine and dynamic preprocessors - will not load if from an older version of Snort.

	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	Fatal error if commas are not used in SSL dynamic preprocessor configuration. Thanks to Chris Rohlf for bringing this to our attention.

	* src/generators.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* etc/gen-msg.map:
	Update Stream5 to alert on data without TCP flags when non-linux policy. Thanks to Chris Eagle, Naval Postgraduate School, for bringing this to our attention.

	* src/parser.c:
	Generate a parsing error if an empty IP list is used (this is equivalent to !any). Thanks to Chris Rohlf for bringing this to our attention.

	* src/parser.c:
	* src/sfutil/sfportobject.c:
	* src/sfutil/sfportobject.h:
	Various port object changes.
	Update to handle open port ranges (i.e., 1024:) and print error lines from config file parsing. Added support for handling embedded lists with negations. Use more compatible strrchr() instead of rindex(). Add stricter configuration checks - thanks to Rmkml for bringing this to our attention.

	* src/target-based/sftarget_reader.c:
	Use inet_pton() instead of inet_aton.

	* src/target-based/sftarget_reader.c:
	* src/util.c:
	Set uid and gid of target-based thread if not already set.

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Update to describe new pcre match limit options.

	* src/win32/WIN32-Prj/snort.dsp:
	Remove system dependent Oracle paths from project.

	* src/fpcreate.c:
	Correctly set the max_size when a longer pattern.

	* src/profiler.c:
	Add Percent of Total column to output.

	* src/sfutil/sf_textlog.c:
	Added format string to prevent messages with certain format from crashing Snort.

2007-12-10  Todd Wease

	* configure.in:
	Require PCRE version 6 or better.

	* src/dynamic-preprocessors/smtp/Makefile.am:
	* src/dynamic-preprocessors/smtp/smtp_log.c:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/stream_api.h:
	Reduce command line and response line overflow false positives in SMTP preprocessor when Snort is missing packets. Only alert on one unique SMTP event per session.

	* configure.in:
	Add check for Phil Woods pcap so that pcap stats are computed correctly. Thanks to John Hally for bringing this to our attention.

	* doc/INSTALL:
	Update for building on Mac OS X 10.5. Thanks to Martin Fong for bringing this to our attention.
	* doc/README.asn1:
	* doc/README.dcerpc:
	* doc/README.dns:
	* doc/README.flow-portscan:
	* doc/README.frag3:
	* doc/README.ssh:
	* doc/README.stream5:
	Update to include information about alerts generated from various preprocessors.

	* doc/snort_manual.pdf:
	* doc/snort_manual.tex:
	Add info on stream_size option added with Stream5.

	* etc/gen-msg.map:
	Update to include GRE alerts.

	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	Allow specifying metadata within a shared library rule.

	* src/decode.c:
	Update for decoding IP6 header lengths.

	* src/detect.c:
	* src/parser.c:
	Correctly handle rule-type keyword. Thanks to Tung Tran for bringing this to our attention.

	* src/log_text.c:
	* src/log.c:
	Fix issue with printing IPv6 addresses.

	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	Update default configuration to allow optional string to STRU command.

	* src/dynamic-preprocessors/libs/sfparser.c:
	* src/dynamic-preprocessors/libs/ssl.c:
	* src/dynamic-preprocessors/libs/ssl.h:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	Updates to better handle SSLv2 recognition.

	* src/preprocessors/snort_stream4_session.c:
	* src/preprocessors/stream.h:
	Fix misaligned structures for Sparc 64bit OpenBSD. Thanks to Markus Lude for helping us track down the problem.

	* src/preprocessors/spp_stream4.c:
	Warn if configured with stream4 & target-based attributes.

	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_ip.h:
	* src/sfutil/sf_iph.c:
	* src/sfutil/sf_ipvar.c:
	Code cleanup for IPv6 related changes.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Handle additional cases of multiple sequences of TCP SYN packets on a session that has previously been reset.
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Add checks for missing packets in reassembly.

	* src/sfutil/sfportobject.c:
	* src/sfutil/sfxhash.c:
	Code cleanup.

	* src/target-based/sf_attribute_table_parser.l:
	* src/target-based/sftarget_reader.c:
	Better handling for starting attribute reload thread and logging parsing errors.

	* src/fpcreate.c:
	* src/fpdetect.c:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_ftpbounce.c:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_ipoption_check.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	Added performance profiling stats for rule option evaluation. Add limits to pcre matching that could affect performance.
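The 2008-01-27 entry's port object changes (open ranges such as 1024:, embedded lists with negations, stricter configuration checks) and, in the same entry, the rule that an empty IP list is a parsing error are illustrated by the following Python port-list parser. It is an added example, not Snort's sfportobject.c. The grammar it accepts (single ports, lo:hi, lo:, :hi, any, !item, nested [ ... ] lists, $NAME references resolved from a caller-supplied dictionary) and the rule that a list made only of negations means "any port except these" are my reading of the Snort port-list syntax; treating an empty port list as an error mirrors the IP-list check the entry describes and is an assumption for port lists. Printing the offending config line is not modeled.

```python
"""Port-list parser: single ports, ranges, open ranges (1024: and :1023),
negation, nested lists and $NAME references. Added example, not Snort's
sfportobject.c; the accepted grammar and the negation semantics are my
reading of the Snort port-list syntax."""
MAX_PORT = 65535
ALL_PORTS = frozenset(range(MAX_PORT + 1))


class PortListError(ValueError):
    """Configuration error in a port list."""


def _tokenize(text):
    """Split on the structural characters [ ] , ! and whitespace."""
    tokens, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch.isspace():
            i += 1
        elif ch in "[],!":
            tokens.append(ch)
            i += 1
        else:
            j = i
            while j < len(text) and not text[j].isspace() and text[j] not in "[],!":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse_port_list(text, variables=None):
    """Return the frozenset of ports denoted by text.
    variables maps NAME -> frozenset for $NAME references (assumed to hold
    portvar definitions already parsed by the caller)."""
    tokens = _tokenize(text)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise PortListError("unexpected end of port list")
        pos += 1
        return tok

    def atom(tok):
        if tok == "any":
            return ALL_PORTS
        if tok.startswith("$"):
            if not variables or tok[1:] not in variables:
                raise PortListError(f"undefined port variable {tok}")
            return variables[tok[1:]]
        lo, sep, hi = tok.partition(":")
        try:
            low = int(lo) if lo else 0                              # ':1023' starts at 0
            high = (int(hi) if hi else MAX_PORT) if sep else low    # '1024:' runs to 65535
        except ValueError:
            raise PortListError(f"bad port token {tok!r}") from None
        if not 0 <= low <= high <= MAX_PORT:                        # stricter check: bounds, order
            raise PortListError(f"bad port range {tok!r}")
        return frozenset(range(low, high + 1))

    def item():
        tok = take()
        if tok == "!":
            negated, ports = item()          # '!' flips the item that follows it
            return (not negated), ports
        if tok == "[":
            return False, port_list("]")     # embedded list
        return False, atom(tok)

    def port_list(closing):
        positives, negatives, count = set(), set(), 0
        while True:
            tok = peek()
            if tok == closing:
                if closing is not None:
                    take()
                break
            if tok is None or tok == "]":
                raise PortListError("unbalanced brackets in port list")
            negated, ports = item()
            count += 1
            (negatives if negated else positives).update(ports)
            if peek() == ",":
                take()
            elif peek() != closing:
                raise PortListError("expected ',' between port list items")
        if count == 0:
            raise PortListError("empty port list")   # assumption: mirror the empty-IP-list error
        base = positives if positives else ALL_PORTS  # only negations: 'any except these'
        return frozenset(base - negatives)

    return port_list(None)
```

Resolving $NAME from a dictionary of already-parsed sets keeps negation inside a variable and negation of the variable itself distinct, which is what makes constructs like [$HTTP_PORTS,!8005] unambiguous.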
2007-11-12 Todd Wease

	* src/byte_extract.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	Allow byte_jump 'string' option to support variable-length numeric data.

	* src/cpuclock.h:
	* configure.in:
	Add support for rule and preprocessor profiling times for Sparc v9
	processors.

	* src/decode.h:
	* src/decode.c:
	* doc/README.gre:
	* src/generators.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/snort.h:
	* src/util.c:
	* src/util.h:
	* configure.in:
	Update GRE decoder to support PPTP GRE v.1 header. Add new GRE decoder
	alerts and README. Integrate with IPv6 codebase.

	* src/decode.c:
	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	Update decoder to work with all 3 versions of pflog files. Thanks to
	Ronaldo Maia for reporting this issue.

	* src/parser.c:
	* src/parser.h:
	* src/snort.c:
	* src/snort.h:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/util.c:
	* src/util.h:
	* src/decode.c:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/mempool.c:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-flow.c:
	* src/preprocessors/perf.h:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/profiler.c:
	* src/profiler.h:
	* src/sfthreshold.c:
	* src/sfthreshold.h:
	* src/sfutil/sfxhash.c:
	* src/sfutil/sfxhash.h:
	* src/tag.c:
	* src/tag.h:
	Snort can now read multiple pcaps on the command line. The '-r' flag
	can be given multiple times, as well as options for reading a list of
	pcaps on the command line, a file containing pcaps to read and/or a
	directory to recurse through gathering pcaps. Multiple filters can be
	used and an option to reset Snort to a post initialization state for
	each pcap read can be given.

	* src/detect.c:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/parser.c:
	* src/parser.h:
	* src/sfutil/sfportobject.c:
	* src/sfutil/sfportobject.h:
	* src/sfutil/sfrim.h:
	Portlists code consolidation and general cleanup.

	* src/detect.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_respond.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/fpdetect.c:
	* src/ipv6_port.h:
	* src/output-plugins/spo_alert_sf_socket.c:
	* src/output-plugins/spo_log_ascii.c:
	* src/output-plugins/spo_unified2.c:
	* src/output-plugins/spo_unified.c:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/snort_stream4_session.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	* src/preprocessors/stream.h:
	* src/preprocessors/stream_ignore.c:
	* src/preprocessors/stream_ignore.h:
	* src/sfthreshold.c:
	* src/sfthreshold.h:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_ip.h:
	* src/sfutil/sf_ipvar.c:
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h:
	* src/tag.c:
	IPv6 data type name changes to avoid library namespace conflicts.

	* src/detection-plugins/sp_pattern_match.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/preprocessors/snort_stream4_udp.c:
	* src/rules.h:
	* src/sf_sdlist.c:
	* src/sf_types.h:
	Fix compiler warnings.

	* src/detection-plugins/sp_pcre.c:
	* src/fpdetect.c:
	Fixed issue where some rules will continue to match on a Uri, even
	after the first packet.

	* src/dynamic-plugins/Makefile.am:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/fpcreate.c:
	Enabled target-based code to properly assess dynamic rule flow.

	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dns/sf_dns.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/ssh/sf_ssh.dsp:
	Update Win32 project files to include target-based and GRE defines.

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	Allow white space prior to FTP command.
	* src/preprocids.h:
	* doc/README.ssl:
	* doc/snort_manual.tex:
	* etc/snort.conf:
	* configure.in:
	* src/win32/WIN32-Prj/snort.dsw:
	* src/dynamic-preprocessors/ssl/Makefile.am:
	* src/dynamic-preprocessors/ssl/sf_preproc_info.h:
	* src/dynamic-preprocessors/ssl/sf_ssl.dsp:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.h:
	* src/win32/WIN32-Includes/config.h:
	Added SSL preprocessor.

	* src/ipv6_port.h:
	Update IP_CLEAR to clear all fields. Update IP_COPY_VALUE to copy each
	field individually.

	* src/log.c:
	* src/output-plugins/spo_alert_fast.c:
	* src/output-plugins/spo_alert_full.c:
	* src/log_text.h:
	* src/output-plugins/spo_csv.c:
	* src/output-plugins/spo_database.c:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/log_text.c:
	* src/log_text.h:
	* src/sfutil/sf_textlog.c:
	* src/sfutil/sf_textlog.h:
	Added rollover of logs upon reaching configured limit - applies to
	alert_full, alert_fast, log_tcpdump, alert_csv.

	* src/log.c:
	Added IP obfuscation for IPv6 addresses.

	* src/plugbase.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* doc/README.stream4:
	* doc/README.stream5:
	* doc/snort_manual.tex:
	* etc/snort.conf:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_cvs.h:
	CVS detection plugin. Currently only looks for an invalid entry.
	Ports 514 and 2401 added to default ports for stream reassembly.

	* src/ppm.c:
	* src/ppm.h:
	* src/profiler.c:
	* doc/snort_manual.tex:
	Fix microseconds calculations. Add ability to use ppm with readback
	mode. Add documentation to Snort Manual.
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
	* src/preprocessors/HttpInspect/include/hi_eo_events.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/snort_httpinspect.c:
	* doc/README.http_inspect:
	* doc/snort_manual.tex:
	* etc/gen-msg.map:
	Added overly long http header detection.

	* src/preprocessors/perf-base.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	Fixed issue where packets were being blocked when Snort, running in
	inline mode, was shutting down.

	* src/preprocessors/spp_frag3.c:
	Fixed issue where frag3 does not initialize correctly without any
	configuration arguments. Thanks to Jason Carr for reporting this.

	* src/preprocessors/spp_sfportscan.c:
	Fix endian issue in sfportscan when IP addresses are logged. Thanks to
	Jerry Litteer for reporting this.

	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/stream_api.h:
	Added function to stream api for returning whether or not there are
	missing segments. Only supported in stream5.

	* src/preprocessors/str_search.c:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	Fixed issue where MPSE global counter was being reset by SMTP for each
	new pattern matcher it created.

	* src/sfutil/sf_vartable.c:
	* src/sfutil/sf_vartable.h:
	* doc/README.variables:
	* doc/snort_manual.tex:
	Fix segfault with duplicate variables in IPv6 code (enabled with
	--enable-ipv6).

	* src/target-based/Makefile.am:
	* src/target-based/sf_attribute_table_parser.l:
	* src/target-based/sftarget_reader.c:
	Target based cleanup.

	* src/util.c:
	Fixed incorrect calculation of pcap received and dropped.

	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	Added GRE and target-based to default Win32 build.
	* doc/INSTALL:
	* doc/README.ftptelnet:
	* doc/README.http_inspect:
	* doc/README.sfportscan:
	* doc/README.stream4:
	* doc/README.stream5:
	* doc/README.variables:
	* doc/snort_manual.tex:
	Documentation updates. Thanks to Jeff Dell for pointing out
	unified/unified2 errors in Snort Manual and inconsistencies in
	sfportscan documentation.

2007-11-06 Steven Sturges

	* src/win32/WIN32-Includes/pcre.h:
	* src/win32/WIN32-Includes/pcreposix.h:
	* src/win32/WIN32-Libraries/pcre.lib:
	Update Win32 LibPCRE to version 7.4.

2007-11-05 Steven Sturges

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Fix debug to correctly call inet_ntoa. Thanks to rmkml for reporting
	the problem.

2007-09-07 Steven Sturges

	* configure.in:
	* src/build.h:
	* src/win32/WIN32-Includes/config.h:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* rpm/snort.spec:
	* snort.8:
	2.8.0 Final release prep. Update spec file to relocate installed
	schemas and be more consistent with location of docs.

	* src/parser.c:
	Initialize rule_count variables. Thanks to Ken Steele for pointing it
	out.

	* src/signature.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/plugbase.c:
	Fix typos in comments. Thanks rmkml for reviewing.

	* src/tag.c:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_iph.c:
	Cleanup printing of IPv6 Addresses.

	* src/detection-plugins/sp_pcre.c:
	Initialize the found offset so that it contains correct value when
	not found.

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	Improve checking on ftp commands from client.

	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	Disable ftptelnet when compiled with IPv6.

	* src/decode.c:
	* src/snort.c:
	After logging alert for BSD IPv6 Fragmentation vulnerability, reset
	the pseudo packet that is used for logging purposes.

	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	Memory cleanup of mime boundary regular expressions at Snort exit.

	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/spp_sfportscan.c:
	Memory cleanup of portscan hash table at Snort exit.
	* src/output-plugins/spo_alert_prelude.c:
	Correctly get IP Header length for logging.

	* src/output-plugins/spo_alert_sf_socket.c:
	Complete initialization after rules are read for specific GID/SID
	alerts to log via sf socket.

	* src/output-plugins/spo_unified2.c:
	Code cleanup.

	* src/preprocessors/spp_frag3.c:
	Handle VLAN tags in fragmented traffic and include in rebuilt packets
	if part of original traffic.

	* src/preprocessors/spp_stream5.c:
	Initialize memory for flowbits after all configuration is processed,
	as config flowbitsize option might change default. Handle byte
	alignment issue on Solaris with the flowbits data structure used by
	Stream5. Thanks to JJC & Shane Castle for helping us troubleshoot
	these issues and testing the patches.

	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/stream5_common.c:
	* src/preprocessors/stream_api.h:
	Handle strange sequences of multiple TCP Reset packets on the same
	session when some of those Resets also contain other flags. Thanks to
	Siim Poder for reporting the problem.

2007-08-31 Steven Sturges

	* src/parser.c:
	Updates to prevent variable definitions of the same name as a
	portvar, var and ipvar.

	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	Fix copying of IP address from packet when determining client config
	that resulted from IPv6 port.

	* src/output-plugins/spo_alert_prelude.c:
	Updates to write GID in alert data. Thanks to Yoann Vandoorselaere for
	the update.

	* src/output-plugins/spo_unified2.c:
	Don't write tagged packets the same as unified. Packets that are part
	of stream reassembly refer to the original event directly from the
	packet record header.

	* src/sfutil/sfportobject.c:
	* src/sfutil/sfportobject.h:
	Code cleanup and free data correctly on parsing errors.

2007-08-30 Steven Sturges

	* doc/Makefile.am:
	Include README.ipv6 & README.variables in the distribution tarball.
	Thanks to Jeff Dell for pointing out that it was missing.

	* RELEASE.NOTES:
	Fix some spelling errors. Thanks rmkml for pointing it out.

	* etc/snort.conf:
	Update to use new portvar syntax for HTTP_PORTS, ORACLE_PORTS, and
	SHELLCODE_PORTS. Thanks to rmkml for mentioning this.

2007-08-22 Steven Sturges

	* configure.in:
	* src/sf_types.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	Fixes to build 2.8.0 Beta on OpenBSD.

	* doc/README.variables:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Update PortList documentation.

2007-08-20 Steven Sturges

	* configure.in:
	* src/build.h:
	* src/win32/WIN32-Includes/config.h:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* rpm/snort.spec:
	2.8.0 Beta prep.

	* src/Makefile.am:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/event.h:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/output-plugins/spo_unified.c:
	* src/output-plugins/spo_unified2.c:
	* src/pcap_pkthdr32.h (added):
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/stream.h:
	* src/preprocessors/stream_api.h:
	* src/snort_packet_header.h (removed):
	* src/win32/WIN32-Prj/snort.dsp:
	* src/snort.c:
	Renamed snort_packet_header.h to pcap_pkthdr32.h and changed instances
	of SnortPktHdr with pcap_pkthdr except in Event struct and unified
	code where pcap_pkthdr32 is used because 32 bit timevals are required.
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/util.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_httpinspect.h:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/snort.c:
	Added framework for preprocessors to print stats at exit or USR1
	signal. Preprocessors register a function that will print the stats
	and they will be printed when DropStats() is called.

	* src/detection-plugins/sp_pattern_match.c:
	Commented out 'content-list' rule option code since it is broken and
	there are no plans in the near future to fix it.

	* src/checksum.h:
	* src/decode.c:
	* src/decode.h:
	* src/detect.c:
	* src/detect.h:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-preprocessors/dynamic_preprocessors.dsp:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dns/sf_dns.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/ftptelnet/Makefile.am:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/ssh/sf_ssh.dsp:
	* src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/generators.h:
	* src/ipv6.c (removed):
	* src/ipv6.h (removed):
	* src/ipv6_port.h (added):
	* src/log.c:
	* src/Makefile.am:
	* src/output-plugins/spo_alert_arubaaction.c:
	* src/output-plugins/spo_alert_fast.c:
	* src/output-plugins/spo_alert_full.c:
	* src/output-plugins/spo_alert_prelude.c:
	* src/output-plugins/spo_alert_sf_socket.c:
	* src/output-plugins/spo_alert_syslog.c:
	* src/output-plugins/spo_alert_unixsock.c:
	* src/output-plugins/spo_csv.c:
	* src/output-plugins/spo_database.c:
	* src/output-plugins/spo_log_ascii.c:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/output-plugins/spo_unified.c:
	* src/output-plugins/spo_unified2.c:
	* src/parser/IpAddrSet.c:
	* src/parser/IpAddrSet.h:
	* src/parser.c:
	* src/parser.h:
	* src/plugbase.c:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/snort_stream4_session.c:
	* src/preprocessors/snort_stream4_udp.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	* src/preprocessors/stream.h:
	* src/preprocessors/stream_ignore.c:
	* src/preprocessors/stream_ignore.h:
	* src/rules.h:
	* src/sfthreshold.c:
	* src/sfthreshold.h:
	* src/sfutil/ipobj.c:
	* src/sfutil/Makefile.am:
	* src/sfutil/sf_ip.c (added):
	* src/sfutil/sf_ip.h (added):
	* src/sfutil/sf_iph.c (added):
	* src/sfutil/sf_iph.h (added):
	* src/sfutil/sf_ipvar.c (added):
	* src/sfutil/sf_ipvar.h (added):
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h:
	* src/sfutil/sf_vartable.c (added):
	* src/sfutil/sf_vartable.h (added):
	* src/snort.c:
	* src/snort.h:
	* src/tag.c:
	* src/util.c:
	* src/win32/WIN32-Prj/build_all.dsp:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/win32/WIN32-Prj/snort.dsw:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* doc/README.ipv6:
	Added 1st phase of support for IPv6. Added support for ip variables
	and improved IP address list handling. See README.ipv6 for specifics
	on what portions of Snort fully support IPv6. Certain preprocessors
	are not supported -- and cannot be turned on with an IPv6 enabled
	snort.

	* src/output-plugins/spo_unified.c:
	Added configuration option to not append timestamps to unified
	log/alert files.

	* src/output-plugins/spo_unified2.c (added):
	* src/output-plugins/spo_unified2.h (added):
	* src/plugbase.c:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Added unified2 logging/output format.

	* src/cpuclock.h (added):
	* src/detect.c:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/Makefile.am:
	* src/parser.c:
	* src/ppm.c (added):
	* src/ppm.h (added):
	* src/profiler.h:
	* src/rules.h:
	* src/snort.c:
	Added support for packet performance monitoring. Allows Snort to be
	configured to only spend a certain time period on a given packet
	and/or rule and automatically suspend performance-intensive rules.
	See README.ppm for details.

	* src/bounds.h:
	* src/byte_extract.c:
	* src/byte_extract.h:
	* src/debug.c:
	* src/debug.h:
	* src/decode.c:
	* src/decode.h:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_asn1_detect.c:
	* src/detection-plugins/sp_asn1_detect.h:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_session.c:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_engine/bmh.c:
	* src/dynamic-plugins/sf_engine/bmh.h:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_client.h:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/ssh/spp_ssh.c:
	* src/log.c:
	* src/log.h:
	* src/mstring.c:
	* src/mstring.h:
	* src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/client/hi_client_norm.c:
	* src/preprocessors/HttpInspect/include/hi_ad.h:
	* src/preprocessors/HttpInspect/include/hi_client.h:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_mi.h:
	* src/preprocessors/HttpInspect/include/hi_norm.h:
	* src/preprocessors/HttpInspect/include/hi_server.h:
	* src/preprocessors/HttpInspect/include/hi_util.h:
	* src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	* src/preprocessors/HttpInspect/server/hi_server.c:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-flow.c:
	* src/preprocessors/perf-flow.h:
	* src/preprocessors/perf.h:
	* src/preprocessors/portscan.c:
	* src/preprocessors/spp_arpspoof.c:
	* src/preprocessors/spp_bo.c:
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/preprocessors/spp_rpc_decode.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/str_search.c:
	* src/preprocessors/str_search.h:
	* src/sfutil/asn1.c:
	* src/sfutil/asn1.h:
	* src/sfutil/bitop_funcs.h:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	* src/snort.c:
	Changed packet payload pointers to use const qualifier to eliminate
	inadvertent writes to the packet buffer.

	* src/preprocessors/HttpInspect/include/hi_util_kmap.h:
	* src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
	* src/preprocessors/HttpInspect/util/hi_util_kmap.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
	Cleanup memory at Snort exit from session & client configurations.

	* src/debug.h:
	* src/preprocids.h:
	* src/generators.h:
	Added defines for SKYPE.

	* src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
	Fixed a few typos in comments. Thanks to rmkml for pointing them out.

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Cleaned up a few typos in various sections. Thanks to rmkml, Joel
	Ebrahimi for pointing out the misspellings & errors.
	* src/decode.h:
	* src/detect.c:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_frag3.h:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.c:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	* src/rules.h:
	* src/sfutil/Makefile.am:
	* src/sfutil/sfrt.c (added):
	* src/sfutil/sfrt.h (added):
	* src/sfutil/sfrt_dir.c (added):
	* src/sfutil/sfrt_dir.h (added):
	* src/sfutil/sfrt_trie.h (added):
	* src/signature.c:
	* src/signature.h:
	* src/snort.c:
	* src/snort.h:
	* src/target-based/Makefile.am (added):
	* src/target-based/sf_attribute_table_parser.l (added):
	* src/target-based/sf_attribute_table.y (added):
	* src/target-based/sftarget_hostentry.c (added):
	* src/target-based/sftarget_hostentry.h (added):
	* src/target-based/sftarget_protocol_reference.c (added):
	* src/target-based/sftarget_protocol_reference.h (added):
	* src/target-based/sftarget_reader.c (added):
	* src/target-based/sftarget_reader.h (added):
	* src/util.c:
	Added experimental support for Target-Based processing for Stream
	reassembly, IP Frag reassembly, and rule processing. Enable via
	--enable-targetbased option to configure. A thread is created to
	reload the attribute table upon receipt of a signal 30.
	* src/detect.c:
	* src/detect.h:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_clientserver.h:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser.c:
	* src/parser.h:
	* src/pcrm.c:
	* src/pcrm.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/rules.h:
	* src/sfutil/sfportobject.c (added):
	* src/sfutil/sfportobject.h (added):
	* src/sfutil/sfrim.c (added):
	* src/sfutil/sfrim.h (added):
	* src/signature.c:
	* src/signature.h:
	* src/snort.c:
	* src/util.c:
	Added Port Lists & Port Range functionality and added port variable
	handling.

	* preproc_rules/preprocessor.rules:
	* preproc_rules/decoder.rules:
	* preproc_rules/Makefile.am:
	* configure.in:
	* etc/snort.conf:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_optioncheck.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/event_queue.c:
	* src/event_wrapper.c:
	* src/event_wrapper.h:
	* src/parser.c:
	* src/plugbase.c:
	* src/plugbase.h:
	Added support to provide action control (alert, drop, pass, etc) over
	preprocessor and decoder generated events, as well as references and
	classifications via a rule. These rules do not include IP addresses
	as the individual preprocessor/decoder configuration dictates the
	traffic to which an event applies. In conjunction with this, certain
	post-processing rule options (tag, logto, etc) may be added to those
	rules, while other options that relate to data inspection (content,
	byte_test, etc) may not. Enable via
	--enable-decoder-preprocessor-rules option to configure.

	* src/dynamic-plugins/sf_dynamic_plugins.c:
	Search for other shared library extensions on OpenBSD. Thanks to
	Nikns Siankin for the request.

	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-preprocessors/dcerpc/Makefile.am:
	* src/dynamic-preprocessors/dns/Makefile.am:
	* src/dynamic-preprocessors/ftptelnet/Makefile.am:
	* src/dynamic-preprocessors/smtp/Makefile.am:
	* src/dynamic-preprocessors/ssh/Makefile.am:
	Fixes to correct shared library extension on MAC OS.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/generators.h:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Added basic TCP session hijacking detection. Detection based on MAC
	address used during TCP 3-way handshake and MAC address in subsequent
	packets.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* doc/README.stream5:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Added stream_size rule option (only supported by Stream5).

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/generators.h:
	Improved detection for encrypted ftp sessions, reducing false
	positives. Added detection of subnegotiation begin commands without
	matching subnegotiation end (evasion attempt).
	* src/dynamic-preprocessors/smtp/smtp_config.c:
	* src/dynamic-preprocessors/smtp/smtp_config.h:
	* src/dynamic-preprocessors/smtp/smtp_log.c:
	* src/dynamic-preprocessors/smtp/smtp_log.h:
	* src/dynamic-preprocessors/smtp/smtp_normalize.c:
	* src/dynamic-preprocessors/smtp/smtp_normalize.h:
	* src/dynamic-preprocessors/smtp/smtp_util.c:
	* src/dynamic-preprocessors/smtp/smtp_util.h:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.h:
	* doc/README.SMTP:
	* etc/snort.conf:
	* src/generators.h:
	Rework much of the preprocessor to improve searches, additional
	vulnerability checks. Updates include changes to handle case
	insensitive searches. Alert on header name length (Exim exploit) and
	check for valid mime headers. Add port 587 (see RFC 2476) to default
	ports. Improved normalization to separate commands and data. Updates
	to config parsing and console startup output.

	* src/parser.c:
	Handle duplicate rules by using the newer revision or the earlier
	appearing rule (if same revision).

	* src/sf_types.h (added):
	* src/preprocessors/flow/flow_cache.c:
	* src/preprocessors/flow/flow_cache.h:
	* src/preprocessors/flow/portscan/flowps.c:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/flow/portscan/scoreboard.c:
	* src/preprocessors/flow/portscan/server_stats.c:
	* src/preprocessors/flow/portscan/unique_tracker.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-event.c:
	* src/preprocessors/perf-event.h:
	* src/profiler.c:
	* src/sfutil/util_math.c:
	* src/sfutil/util_math.h:
	* src/snort.h:
	* src/snprintf.h:
	* src/util.c:
	* src/util.h:
	* src/win32/WIN32-Includes/stdint.h:
	* src/win32/WIN32-Includes/WinPCAP/time_calls.h:
	Updated logging to print 64bit values on various platforms in a more
	portable manner.
    * configure.in:
    * src/decode.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
    * src/win32/WIN32-Includes/config.h:
      Fixed issue with various versions of pcap reporting received & dropped
      stats differently. Pcap versions 0.9 & higher accumulate stats, whereas
      earlier versions do not.

    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfhashfcn.h:
    * src/sfutil/sfprimetable.c (added):
    * src/sfutil/sfprimetable.h (added):
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
      Improve performance of pattern match engines to not evaluate a rule with a
      pattern that has already been seen and the rule already processed. This
      change takes into account if that rule fails because of an unset flowbit
      (which may have been set by another rule). Changed hash table hash functions
      to use power of two computations instead of prime numbers.

    * src/util.c:
      Added PCRE library version information to Snort startup banner.

2007-07-27 Steven Sturges

    * etc/snort.conf:
      Turn off flow since Stream5 is now enabled by default.

    * src/snort.c:
      Fix printing of threshold counts until after all rules are read. This issue
      did not affect thresholding, only display of thresholding. Thanks to Jeffrey
      Denton for reporting the problem.

    * src/sfutil/ipobj.c:
      Fix free of invalid pointer when using a negated IP list. This is used by
      sfportscan preprocessor configuration parsing. Thanks to Anders Ostrem for
      reporting the problem.

    * src/preprocessors/Stream5/snort_stream5_session.c:
      Fixed issue when experimental ICMP tracking is used without using the TCP or
      UDP session tracking. ICMP was attempting to lookup TCP or UDP sessions from
      uninitialized session cache. Thanks to Koji Shikata for reporting the
      problem.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed invalid session pointer when rule tries to use flowbits after session
      ends. Thanks to rmkml for initially reporting the problem.

2007-07-06 Steven Sturges

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed potential invalid memory access when require 3whs option is used.

2007-06-28 Steven Sturges

    * src/sfutil/acsmx2.c:
    * src/sfutil/bnfa_search.c:
      Revert previous changes as they resulted in some false negatives with mixed
      case patterns and rules. Will address in a future release.

    * src/detection-plugins/sp_react.c:
      Fixed problem with segfault with flexresp. Thanks to Keith Pachulski for
      reporting the issue.

2007-06-20 Steven Sturges

    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
      Performance improvement to track the last state of a pattern that matched,
      so if it hits that state again immediately, don't go re-evaluate all of the
      same rules.

    * src/decode.c:
    * src/detect.c:
    * src/snort.h:
    * src/util.c:
      Properly handle UDP checksum if checksum value is 0 in header (do not
      calculate). Add stat that tracks number of failed checksums.

    * src/detection-plugins/sp_pcre.c:
      Add /P flag to PCRE detection to check HTTP inspect's normalized client
      request body.

    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-examples/Makefile.am:
      Fix header file replication.

    * src/output-plugins/spo_alert_prelude.c:
      Update to write data at Snort exit. Thanks Yoann Vandoorselaere for the
      patch.

    * src/parser.c:
      Update to max line length. Mark 'stateless' option to be deprecated, use
      flow:stateless.
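The UDP checksum rule noted in the 2007-06-20 entry above (a checksum field of 0 means the sender did not compute one, so it must not be verified, while genuine mismatches are counted as failed checksums), as an added C example. This is not Snort's decoder code: the datagram bytes, the `bad_udp_checksums` counter and the function names are constructed for the demonstration, and the pseudo-header follows RFC 768 for IPv4.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum udp_csum_result { UDP_CSUM_OK, UDP_CSUM_ABSENT, UDP_CSUM_BAD };

/* Stand-in for a "failed checksums" statistic (constructed; not Snort's counter). */
static unsigned long bad_udp_checksums = 0;

/* Accumulate 16-bit big-endian words; an odd trailing byte is padded with a zero low byte. */
static uint32_t ones_sum(const uint8_t *buf, size_t len, uint32_t sum)
{
    while (len > 1) { sum += ((uint32_t)buf[0] << 8) | buf[1]; buf += 2; len -= 2; }
    if (len) sum += (uint32_t)buf[0] << 8;
    return sum;
}

/* Fold carries back in until the value fits in 16 bits (ones' complement addition). */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Sum over the IPv4 pseudo-header (src, dst, zero byte + protocol 17, UDP length) and the datagram. */
static uint32_t udp_sum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t udp_len)
{
    uint32_t sum = ones_sum(src, 4, 0);
    sum = ones_sum(dst, 4, sum);
    sum += 17;                      /* zero byte and protocol number form one 16-bit word */
    sum += (uint32_t)udp_len;
    return ones_sum(udp, udp_len, sum);
}

/* Checksum for a datagram whose checksum field is currently zero. RFC 768: a computed 0 is sent as 0xffff. */
static uint16_t udp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t udp_len)
{
    uint16_t c = (uint16_t)~fold(udp_sum(src, dst, udp, udp_len));
    return c ? c : 0xffff;
}

/* Verify a received datagram. A zero checksum field is "absent", not "bad", and is not counted. */
static enum udp_csum_result verify_udp(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t udp_len)
{
    if (udp_len < 8) return UDP_CSUM_BAD;              /* truncated header: cannot verify */
    uint16_t rx = ((uint16_t)udp[6] << 8) | udp[7];
    if (rx == 0) return UDP_CSUM_ABSENT;                /* sender did not compute one: do not calculate */
    if (fold(udp_sum(src, dst, udp, udp_len)) == 0xffff) return UDP_CSUM_OK;
    bad_udp_checksums++;
    return UDP_CSUM_BAD;
}

/* Constructed sample: 10.0.0.1:53 -> 10.0.0.2:1024 carrying "ab". Returns the UDP length. */
static size_t build_sample(uint8_t *out, size_t cap, int with_checksum)
{
    static const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2};
    const uint8_t payload[] = {'a', 'b'};
    size_t udp_len = 8 + sizeof payload;
    if (cap < udp_len) return 0;
    out[0] = 0; out[1] = 53; out[2] = 4; out[3] = 0;    /* source port 53, destination port 1024 */
    out[4] = 0; out[5] = (uint8_t)udp_len;
    out[6] = 0; out[7] = 0;                              /* checksum field zeroed before computing */
    memcpy(out + 8, payload, sizeof payload);
    if (with_checksum) {
        uint16_t c = udp_checksum(src, dst, out, udp_len);
        out[6] = (uint8_t)(c >> 8); out[7] = (uint8_t)c;
    }
    return udp_len;
}

/* Runs the three cases; returns 0 when all behave as expected, else the number of the failed check. */
int udp_checksum_demo(void)
{
    static const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {10, 0, 0, 2};
    uint8_t dgram[64];
    size_t n;
    bad_udp_checksums = 0;

    n = build_sample(dgram, sizeof dgram, 0);            /* checksum 0: nothing to verify, nothing counted */
    if (verify_udp(src, dst, dgram, n) != UDP_CSUM_ABSENT) return 1;
    if (bad_udp_checksums != 0) return 2;

    n = build_sample(dgram, sizeof dgram, 1);            /* valid checksum verifies */
    if (verify_udp(src, dst, dgram, n) != UDP_CSUM_OK) return 3;

    dgram[8] ^= 0x01;                                    /* corrupt one payload byte: must fail and be counted */
    if (verify_udp(src, dst, dgram, n) != UDP_CSUM_BAD) return 4;
    if (bad_udp_checksums != 1) return 5;
    return 0;
}

int main(void)
{
    int rc = udp_checksum_demo();
    printf("udp checksum demo: %s (code %d), failed checksums counted: %lu\n",
           rc == 0 ? "all checks passed" : "FAILED", rc, bad_udp_checksums);
    return rc;
}
```

The length check at the top of `verify_udp` only guards the header read; matching the UDP length field against the IP payload length is a separate decoder check and is not modelled here.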
2007-06-19 Steven Sturges

    * src/byte_extract.h:
    * src/event_queue.h:
    * src/event_wrapper.h:
    * src/inline.h:
    * src/ipv6.c:
    * src/ipv6.h:
    * src/packet_time.h:
    * src/plugin_enum.h:
    * src/preprocids.h:
    * src/sfthreshold.h:
    * src/snort_packet_header.h:
    * src/detection-plugins/sp_asn1.h:
    * src/detection-plugins/sp_asn1_detect.h:
    * src/detection-plugins/sp_flowbits.h:
    * src/detection-plugins/sp_ip_proto.c:
    * src/dynamic-examples/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h:
    * src/dynamic-examples/dynamic-preprocessor/spp_example.c:
    * src/dynamic-examples/dynamic-rule/detection_lib_meta.h:
    * src/dynamic-examples/dynamic-rule/rules.c:
    * src/dynamic-examples/dynamic-rule/sid109.c:
    * src/dynamic-examples/dynamic-rule/sid637.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_udp.h:
    * src/preprocessors/spp_flow.h:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_httpinspect.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_sfportscan.h:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
    * src/preprocessors/stream.h:
    * src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_ad.h:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_client_norm.h:
    * src/preprocessors/HttpInspect/include/hi_eo.h:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_eo_log.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_mi.h:
    * src/preprocessors/HttpInspect/include/hi_norm.h:
    * src/preprocessors/HttpInspect/include/hi_return_codes.h:
    * src/preprocessors/HttpInspect/include/hi_server.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h:
    * src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
    * src/preprocessors/HttpInspect/include/hi_util.h:
    * src/preprocessors/HttpInspect/include/hi_util_hbm.h:
    * src/preprocessors/HttpInspect/include/hi_util_kmap.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/HttpInspect/utils/hi_util_hbm.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/flow/common_defs.h:
    * src/preprocessors/flow/flow.c:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow_callback.c:
    * src/preprocessors/flow/flow_callback.h:
    * src/preprocessors/flow/flow_class.c:
    * src/preprocessors/flow/flow_class.h:
    * src/preprocessors/flow/flow_config.h:
    * src/preprocessors/flow/flow_error.h:
    * src/preprocessors/flow/flow_hash.c:
    * src/preprocessors/flow/flow_hash.h:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/flow_print.h:
    * src/preprocessors/flow/flow_stat.c:
    * src/preprocessors/flow/flow_stat.h:
    * src/preprocessors/flow/int-snort/flow_packet.c:
    * src/preprocessors/flow/int-snort/flow_packet.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps.h:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/flowps_snort.h:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/flow/portscan/scoreboard.h:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/server_stats.h:
    * src/preprocessors/flow/portscan/unique_tracker.c:
    * src/preprocessors/flow/portscan/unique_tracker.h:
    * src/sfutil/acsmx2.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/ipobj.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfhashfcn.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfmemcap.h:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfsnprintfappend.h:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
    * src/sfutil/util_net.c:
    * src/sfutil/util_net.h:
    * src/sfutil/util_str.c:
    * src/sfutil/util_str.h:
    * src/win32/WIN32-Code/inet_aton.c:
    * src/win32/WIN32-Code/name.h:
      Update copyright dates & info and add GPL header.
2007-06-01 Steven Sturges

    * src/util.c:
      Update to hourly timestats from Bill Parker.

2007-06-01 Steven Sturges

    * src/preprocessors/spp_frag3.c:
      Fix configuration parsing to validate parameters for memcap, max_frags,
      prealloc_frags. Thanks to Joel Ebrahimi for pointing out the issue.

2007-05-30 Steven Sturges

    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Cleanup xlink2state processing and remove potential read beyond end of
      packet.

    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update handling of timed out session cleanup when the 'same' (IPs/ports)
      session is picked up midstream.

2007-05-23 Steven Sturges

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.stream5:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/stream5_common.h:
      Update Stream5 to use 65535 << 14 as max allowable value for the
      'max_window' option.

    * src/decode.c:
    * src/detect.c:
    * src/snort.c:
    * src/snort.h:
      When checking for IPv6 BSD frag vulnerability, use a pseudo packet with
      false IPv4 headers for logging purposes rather than writing the IPv4 header
      within the original packet buffer.

    * src/preprocessors/spp_frag3.c:
      Update to not change original packet buffer when rebuilding fragments with
      IP options.

    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_rpc_decode.h:
      Update to use the altdecode buffer for normalization.

2007-05-22 Steven Sturges

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update for 2.7.0.

    * configure.in:
    * src/debug.c:
    * src/debug.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/win32/WIN32-Includes/config.h:
      Check for wchar.h and don't try to use it if not present. Fixes builds on
      OpenBSD 3.5 and others.

    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ppftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/ipv6.c:
    * src/ipv6.h:
    * src/mempool.c:
    * src/parser.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sfxhash.c:
    * src/snort.c:
      Added code to cleanup memory at Snort exit/restart.

    * src/output-plugins/spo_log_tcpdump.c:
      Update to timestamp writing on 64bit platforms.

    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
      Update normalization for postfix and sendmail servers that normalize any
      space except '\n'.

    * src/preprocessors/str_search.c:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/mpse.c:
      Use BNFA, smaller memory footprint for searches from SMTP.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_eo_log.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Update way in which Body vs URI's are normalized, checked for anomalies and
      alerted on.

    * src/preprocessors/snort_stream4_udp.c:
      Fix use of ignore_any keyword when dealing with portscan and/or rules that
      have flow/flowbits.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update to timestamp handling and anomaly detection with invalid timestamps
      on RST packets.

    * src/snort.c:
    * src/snort.h:
      Add --loop option to be used with -r for pcap readback mode.

2007-05-09 Adam Keeton

    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Added code to prevent URI-related alerts from firing when the body is being
      normalized.

2007-05-08 Adam Keeton

    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fixed pointer initialization relating to POST normalization.

2007-04-27 Steven Sturges

    * src/decode.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Provide new rule keyword modifier for content option that allows a rule to
      search for a pattern in the body of an HTTP client request.
    * src/util.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
      Update to normalize the body of a client request to allow rules to check
      specifically for parameters of a POST or GET request. Also add stats that
      are part of the hourly stats that track various HTTP encodings and
      normalizations that have occurred.

    * src/preprocessors/spp_stream4.c:
      Fix potential memory leak.

    * doc/README.ipv6:
      Updates for clarity.

    * doc/faq.tex:
    * configure.in:
      Add minimal PCRE version.

    * etc/gen-msg.map:
    * src/decode.c:
    * src/generators.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Handle TCP window scale option that is > 14. Added decoder alert for this
      and adjust the scale per RFC 1323 in Stream5.

    * etc/snort.conf:
      Make Stream5 the default stream engine.

    * src/decode.c:
      Add alert for multiple GRE encapsulations.

    * src/ipv6.c:
      Additional structure name changes to avoid conflicts on Win32.

    * src/parser.c:
      Update the maximum number of entries in an IP List to 1024 (was 128). Added
      ability to configure Timestats interval, default is 3600 seconds (1 hour)
      when enabled via --enable-timestats.

    * src/snort.c:
    * src/snort.h:
    * src/util.h:
      Revised signal handler for Timestats.

    * src/util.c:
      Update Timestats to include Wifi, GRE, Frag & TCP Stream info. Thanks to
      Bill Parker for the update.
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
      Update to parsing of icmp rule options for better grammar enforcement.

    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
      Specify TCP window of 0 for RST packets that are sent.

    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/sf_dynamic_preproc_lib.c:
      Make Preprocess() function available to dynamic preprocessors. Thanks
      Vladimir Shcherbakov for the request.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Code cleanup and a minor reorganization.

    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix truncated buffer when compiled in debug mode.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update to track additional stats for TCP session cache and session states.

    * src/preprocessors/spp_perfmonitor.c:
      Fix behaviour of 'accumlate' option.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update for 64bit platforms.

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * doc/README.stream5:
      Updates to config validation. Code cleanup for readability. Update TCP
      Window Scale use and sequence validation to be RFC 1323 compliant. Document
      min/max values for parameters, etc.
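The RFC 1323 window scale handling described in the 2007-04-27 entry above (a shift count greater than 14 raises a decoder alert and is adjusted to 14), together with the 65535 << 14 ceiling that the 2007-05-23 entry gives for Stream5's 'max_window' option, as an added C example. This is not Snort's decoder or Stream5 code: the option byte strings are constructed, and `parse_window_scale`, `scaled_window` and `max_window_ok` are names chosen for the illustration. It goes slightly beyond the entry by also rejecting truncated or bogus-length options, which a decoder has to do before it can trust the shift byte.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_EOL          0
#define TCPOPT_NOP          1
#define TCPOPT_WSCALE       3
#define TCPOLEN_WSCALE      3
#define TCP_MAX_WSCALE      14   /* RFC 1323: a shift count above 14 is logged and treated as 14 */
#define STREAM5_MAX_WINDOW  ((uint32_t)65535 << TCP_MAX_WSCALE)   /* 1073725440 */

struct wscale_result {
    int present;      /* a window scale option was found */
    uint8_t raw;      /* shift count exactly as carried in the option */
    uint8_t shift;    /* shift count actually applied (clamped to 14) */
    int anomaly;      /* raw > 14: the condition the decoder alert reports */
};

/* Walk the TCP options area (the bytes after the 20-byte fixed header) looking for window scale.
   Returns 0 on success, -1 if an option is truncated or carries an impossible length. */
static int parse_window_scale(const uint8_t *opts, size_t len, struct wscale_result *r)
{
    size_t i = 0;
    r->present = 0; r->raw = 0; r->shift = 0; r->anomaly = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len) return -1;                   /* no room for the length byte */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return -1;     /* would run past the options area */
        if (kind == TCPOPT_WSCALE) {
            if (olen != TCPOLEN_WSCALE) return -1;
            r->present = 1;
            r->raw = opts[i + 2];
            if (r->raw > TCP_MAX_WSCALE) { r->anomaly = 1; r->shift = TCP_MAX_WSCALE; }
            else r->shift = r->raw;
        }
        i += olen;
    }
    return 0;
}

/* Effective receive window for a segment: the 16-bit advertised value shifted by the negotiated count. */
static uint32_t scaled_window(uint16_t advertised, uint8_t shift)
{
    return (uint32_t)advertised << shift;
}

/* Stream5-style config check: a configured max_window may not exceed 65535 << 14. */
static int max_window_ok(uint32_t configured)
{
    return configured <= STREAM5_MAX_WINDOW;
}

/* Runs constructed SYN option blocks through the parser; returns 0 when every check behaves as
   expected, else the number of the failed check. */
int window_scale_demo(void)
{
    struct wscale_result r;
    static const uint8_t sane[]  = {2, 4, 0x05, 0xb4, 1, 3, 3, 7};   /* MSS 1460, NOP, wscale 7 */
    static const uint8_t huge[]  = {3, 3, 20, 1, 1};                 /* wscale 20: exceeds the RFC 1323 limit */
    static const uint8_t trunc[] = {2, 4, 0x05, 0xb4, 3, 3};         /* wscale option cut off before its shift byte */

    if (parse_window_scale(sane, sizeof sane, &r) != 0 || !r.present || r.shift != 7 || r.anomaly) return 1;
    if (scaled_window(0x1000, r.shift) != 0x80000u) return 2;
    if (parse_window_scale(huge, sizeof huge, &r) != 0 || !r.anomaly || r.shift != 14 || r.raw != 20) return 3;
    if (parse_window_scale(trunc, sizeof trunc, &r) != -1) return 4;
    if (!max_window_ok(STREAM5_MAX_WINDOW) || max_window_ok(STREAM5_MAX_WINDOW + 1)) return 5;
    return 0;
}

int main(void)
{
    int rc = window_scale_demo();
    printf("window scale demo: %s (code %d)\n", rc == 0 ? "all checks passed" : "FAILED", rc);
    printf("largest window a scaled TCP connection can advertise: %u\n", (unsigned)STREAM5_MAX_WINDOW);
    return rc;
}
```

Clamping rather than discarding the segment matters for a sensor: if the decoder simply dropped an out-of-range option, its view of the window would diverge from the endpoint that applied the RFC's "use 14 instead" rule, and sequence validation in the stream tracker would drift from what the hosts actually accept.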
2007-04-13 Steven Sturges

    * src/decode.h:
    * src/decode.c:
    * src/ipv6.c:
      Changed structure declaration and usage to not conflict with OpenBSD.

2007-03-28 Steven Sturges

    * rpm/snort.spec:
      Remove smp_flags from spec file to not parallelize building.

    * doc/README.ipv6:
    * etc/gen-msg.map:
    * src/Makefile.am:
    * src/decode.c:
    * src/decode.h:
    * src/generators.h:
    * src/ipv6.c (added):
    * src/ipv6.h (added):
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/win32/WIN32-Prj/snort.dsp:
      Added ability for Snort to track fragmented ICMPv6 to check for the remote
      BSD exploit (Bugtraq ID 22901, CVE-2007-1365).

    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
    * src/plugbase.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/stream_ignore.c:
    * src/profiler.c:
    * src/snort.c:
      Cleanup to use safe snprintf and strncpy functions, check return values of
      SafeMemcpy, use calloc or SnortAlloc, and other static size buffer bounds
      checks.

    * src/parser.c:
      Fix issue with printing rule information twice.

    * src/profiler.h:
    * src/preprocessors/spp_flow.c:
      Fix miscalculation of processor time attributable to flow.

    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Added hasXXX functions for Content, ByteTest, and PCRE.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Code cleanup to perform bounds checking, validation of memcpy success,
      remove potential memory leak. Code readability improvements and update DCE
      endianness checks.

    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
      Code cleanup for initialization of memory allocations and add early
      termination when at end of packet payload.

    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Code cleanup for initialization of memory allocations and remove dead/unused
      code for directory and user state tracking.

    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Code cleanup for initialization of memory allocations, fix normalization to
      prevent read beyond packet payload. Generate SMTP command overflow even if
      packet payload doesn't contain complete command (missing LF).

    * src/preprocessors/spp_frag3.c:
      Further update to handle iptables (and other datalink layers) that do not
      have ethernet headers to be included in rebuilt fragment.

    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Add verification that options for ICMP, TCP, UDP configurations are within
      reasonable limits. Reorganize reassembly flush initialization. Print list of
      UDP rules that are effectively ignored with ignore_any_rules option. Update
      session timeout handling.

    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
      Allow use of limit on number of nodes in hash table instead of relying on
      memcap for limiting sessions.
    * src/bounds.h:
    * src/debug.c:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/sfthreshold.c:
    * src/snort.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_session.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/parser/IpAddrSet.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/flow_print.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfxhash.c:
      Cleanup to use safe snprintf and strncpy functions, check return values of
      SafeMemcpy, use calloc or SnortAlloc, and other static size buffer bounds
      checks. Add handling for FatalError not returning for static code analysis
      tools.
    * src/sfutil/sfthd.c:
      Fix memory leak in global config. Thanks Boris Lytochkin for pointing this
      out.

2007-02-20 Steven Sturges

    * src/util.c:
      Update copyright date to include 2007.

2007-02-17 Steven Sturges

    * src/parser.c:
      Code cleanup, remove tab characters going to syslog.

    * src/detection-plugins/sp_clientserver.c:
      Handle flow keyword with Stream5 UDP sessions.

    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
      Add bounds checking to ReassembleSMBWriteX; use Safememcpy for calculated
      length buffer copies.

2007-02-09 Steven Sturges

    * configure.in:
      Added support for libpcap that depends on libpfring. Thanks to Jason Wallace
      for the patch. Also updated description as to why libpcap check might fail
      and what files might be missing, thanks to James Affeld for that suggestion.

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update configuration parsing and validation checks and fix issue with static
      flushpoints not really being static.

    * src/output-plugins/spo_database.c:
      Code cleanup to check that a query was not truncated when using snprintf and
      guarantee NULL terminated string.
2007-02-07 Steven Sturges

    * src/decode.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_stream4.c:
    * src/snort.c:
    * src/tag.c:
    * src/win32/WIN32-Code/misc.c:
      Code & warning cleanup.

    * src/parser.c:
      Add file and line number to an error message. Thanks to rmkml for pointing
      out the omission.
2007-02-05 Steven Sturges

    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/fpdetect.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/parser/IpAddrSet.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/signature.c:
    * src/snort.c:
    * src/tag.c:
    * src/ubi_BinTree.c:
    * src/util.h:
      More code cleanup, eliminate warnings on Win32 platform.

2007-02-02 Steven Sturges

    * doc/README.stream5:
      Cleanup spelling, etc.

    * src/bounds.h:
    * src/preprocessors/spp_frag3.c:
      Fix issue when Snort is inline using iptables, without either the
      ipconntrack or NAT modules. This should not occur using the recommended
      snort inline configuration, since the OS is supposed to handle IP fragment
      reassembly. The Ethernet header doesn't exist in the packet received by
      Snort, causing snort to dereference an invalid pointer. Thanks to Panda
      Software and Joel Ebrahimi for reporting the issue.

    * src/parser.c:
      Fix benign warning when using -E on Win32.

    * src/plugbase.c:
    * src/preprocessors/spp_telnet_negotiation.c (removed):
    * src/preprocessors/spp_telnet_negotiation.h (removed):
    * src/preprocessors/Makefile.am:
    * src/win32/WIN32-Prj/snort.dsp:
      Removed deprecated telnet preprocessor.

    * src/profiler.c:
    * src/profiler.h:
      Added profiling code for 64 bit Intel and PPC platforms.

    * src/decode.h:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/profiler.h:
    * src/sfthreshold.c:
    * src/signature.c:
    * src/snort.c:
    * src/strlcatu.c:
    * src/strlcpyu.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/int-snort/flow_packet.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/getopt_long.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sflsq.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfxhash.c:
    * src/win32/WIN32-Code/misc.c:
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
      Code cleanup, change malloc/calloc to SnortAlloc, use safer functions
      SnortSnprintf, SnortStrncpy, etc. Check pointers before use.

    * src/win32/WIN32-Code/win32_service.c:
      Fix issue with service initialization and parameter validation. Thanks
      Hideki Saito for pointing out the problem.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Code cleanup, update calculation of valid length to handle alternate
      padding. Update to use safer functions.

    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
      Allow portscan to work with Stream5 UDP session tracking (because it
      replaces flow preprocessor). Added API function to get direction of packet
      (not supported in Stream4).

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.h:
      Stream5 config parsing improvements. Check option parameters for reasonable
      values (prevent huge memcaps, etc).

2007-01-29 Steven Sturges

    * src/debug.c:
    * configure.in:
      Handle platforms that don't support vswprintf and vwprintf. Thanks Nikns
      Siankin for pointing that out for OpenBSD.

    * src/profiler.h:
    * src/profiler.c:
    * src/rules.h:
      Use 64 bit values to store profiling counters.

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added a table for content modifiers and links to their respective sections.
      Removed old preprocessor sections and moved ASN.1 from preprocessor to
      detection plugins section. Added section for Stream5.

    * src/win32/WIN32-Prj/snort.dsp:
      Always use DYNAMIC_PLUGIN.

    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/LibnetNT.h:
      Code cleanup.

    * src/detection-plugins/sp_flowbits.c:
    * src/preprocessors/spp_stream5.c:
      Fix issue with flowbits for UDP streams.

    * src/detection-plugins/sp_flowbits.c:
      Add check when stream4 or stream5 are not enabled to still support
      flowbits. Will be removed when Flow preprocessor and Stream4 are
      deprecated. Thanks to Nathan Ching for pointing out the issue.

    * src/snort.c:
      Fix to allow dynamic rules to load correctly.

    * doc/README.stream4:
    * doc/README.stream5:
      Cleanup.

2007-01-18 Steven Sturges

    * etc/generators:
    * src/generators.h:
      Remove generator IDs that are no longer used.

    * doc/README.tag:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added info on snort.conf config option tagged_packet_limit and added
      README.tag info file for the tag option in rules.

    * doc/README.http_inspect:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Emphasized in httpinspect documentation that a flow_depth between 1 and
      1460 will only inspect at most that many bytes of a server's response,
      stream reassembled or not and that rules written to inspect more than
      flow_depth bytes will be ineffective. Thanks to Christian Seifert for
      pointing this out.
2007-01-17 Steven Sturges

    * configure.in:
    * snort.8:
    * RELEASE.NOTES:
    * etc/snort.conf:
    * rpm/snort.spec:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf: Update for 2.7.0 Beta.

    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/win32/Makefile.am:
    * src/win32/WIN32-Code/getopt.c:
    * src/win32/WIN32-Code/getopt_long.c:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/getopt.h:
    * src/win32/WIN32-Includes/getopt1.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Prj/.cvsignore:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw: Update Win32 build environment for 2.7.0.

    * doc/README.stream5:
    * doc/README.ftptelnet: Fix a few typos and add better descriptions for alerts.

    * etc/gen-msg.map:
    * etc/generators.h: Add Stream5 alert.

    * etc/snort.conf:
    * src/preprocessors/spp_frag2.c (removed):
    * src/preprocessors/spp_frag2.h (removed):
    * src/preprocessors/Makefile.am:
    * src/plugbase.c:
    * src/plugbase.h: Remove deprecated Frag2.

    * src/sfutil/mwm.c (removed):
    * src/sfutil/mwm.h (removed): Remove deprecated mwm pattern matcher.

    * src/detection-plugins/sp_ipoption_check.c:
    * src/decode.h:
    * src/decode.c:
    * src/log.c: Add handling of IP Option ESEC (Extended Security).

    * src/debug.h:
    * src/bounds.h:
    * src/fpcreate.h:
    * src/fpdetect.h:
    * src/tag.c:
    * src/detection-plugins/sp_respond2.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/flow/common_defs.h:
    * src/sfutil/bitop_funcs.h: Move definition of INLINE for inline functions to a common place.

    * src/debug.c:
    * src/debug.h:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h: Add DebugWideMessageFunc for use with wide character sets; however, it does not write to syslog.

    * src/debug.c:
    * src/decode.c:
    * src/detect.c:
    * src/detect.h:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.h:
    * src/sf_sdlist.c:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/signature.c:
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_confic.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream_ignore.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/sfutil/util_match.c:
    * src/sfutil/util_net.c: Code cleanup, change malloc to calloc, use safer functions SnortAlloc, SnortStrdup. Check pointers before use.

    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h: Added caller-usable state tracking to pattern matcher.

    * src/parser.c:
    * src/parser.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h: To better handle rule options that are provided by dynamic preprocessors, make 2 passes through snort.conf at startup.

    * src/parser.c:
    * src/snort.c: Improve dynamicengine keyword and commandline option to allow for specifying a directory or file.

    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/parser.c:
    * src/signature.c:
    * src/signature.h: Unify logging to a single code path and add the ability to have rule stubs for preprocessor and decoder events.

    * src/snort.c: Fix code that looks for .snortrc. Thanks to Benjamin Bennett for pointing out the issue.

    * src/preprocessors/portscan.c:
    * src/preprocessors/spp_sfportscan.c: Fix false alert where the destination IP was not in the range reported by the sfportscan alert.

    * src/preprocessors/spp_sfportscan.c: Reset threshold checking at end of portscan alerting so that other events generated for the packet wouldn't use the old value returned from testing portscan thresholding/suppression. Thanks to Andreas Ostling for pointing this out.

    * src/preprocessors/spp_frag3.c: Cleanup of GRE code for GRE nested fragments.

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h: Added memcap for TCP reassembly packet storage. Reduced memory consumption of session tracking data structures. Added target-based reassembly for HPUX 11, HPUX 10.2, Windows 2003, Windows Vista. Added target-based support for processing of TCP timestamps, TCP Resets, and repeated SYN packets. Improved session cache management. Update flushpoint management. Improved handling of midstream session establishment. Code cleanup to use safe functions for memory allocation. Set TCP policy for both sides of the session, rather than by the first packet seen, so that target-based reassembly is done correctly for each side. Simplify code handling sessions to ignore.

2007-01-07 Steven Sturges

    * src/decode.c:
    * src/decode.h: Fixed issue where the GRE decoder was attempting to assign a potentially negative value to an unsigned integer. This value, which would then be positive, was then checked to see if it was less than zero, which would indicate whether the calculated length of the header was greater than the length of the rest of the packet capture. This check would always return false, and the assumed length of the packet would potentially be larger than the actual length, leading to a potential dereferencing of invalid memory. Thanks to Chris Rohlf for pointing this out.
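The unsigned-wrap defect described in the 2007-01-07 GRE entry, shown as an added example that is not Snort's own decoder code: a hypothetical GRE header-length check in its buggy and corrected forms. The constant names, function names and sample captures are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed GRE constants for this demonstration (RFC 2784/2890 layout:
 * a 4-byte base header, then optional 4-byte checksum/reserved, key and
 * sequence fields selected by flag bits). Names are hypothetical. */
#define GRE_BASE_LEN     4u
#define GRE_FLAG_CHKSUM  0x80u
#define GRE_FLAG_KEY     0x20u
#define GRE_FLAG_SEQ     0x10u
#define GRE_ERR_TRUNC    (-1)

/* Header length implied by the first (flag) byte of the GRE header. */
static unsigned int gre_header_len(uint8_t flags)
{
    unsigned int len = GRE_BASE_LEN;
    if (flags & GRE_FLAG_CHKSUM) len += 4;
    if (flags & GRE_FLAG_KEY)    len += 4;
    if (flags & GRE_FLAG_SEQ)    len += 4;
    return len;
}

/* Pattern described in the changelog entry: the difference is stored in an
 * unsigned variable, so a header longer than the capture wraps to a huge
 * positive value. A guard written as "if (payload_len < 0)" on that
 * variable can never fire (it is dead code and omitted here), and the
 * caller receives a payload length larger than the capture itself. */
int64_t gre_payload_len_buggy(const uint8_t *pkt, unsigned int caplen)
{
    if (caplen == 0)
        return GRE_ERR_TRUNC;
    unsigned int payload_len = caplen - gre_header_len(pkt[0]); /* wraps */
    return (int64_t)payload_len;
}

/* Corrected pattern: compare the lengths before subtracting, so the
 * subtraction is only performed when it cannot go negative. */
int64_t gre_payload_len_fixed(const uint8_t *pkt, unsigned int caplen)
{
    if (caplen == 0)
        return GRE_ERR_TRUNC;
    unsigned int hdr_len = gre_header_len(pkt[0]);
    if (hdr_len > caplen)
        return GRE_ERR_TRUNC;
    return (int64_t)(caplen - hdr_len);
}

/* Constructed sample captures (not real traffic). */
/* C, K and S flags set: 16-byte header, but only 5 bytes were captured. */
const uint8_t GRE_SAMPLE_TRUNCATED[5] = { 0xB0, 0x00, 0x08, 0x00, 0x00 };
/* No optional fields: 4-byte header followed by 16 bytes of payload. */
const uint8_t GRE_SAMPLE_OK[20] = { 0x00, 0x00, 0x08, 0x00,
                                    0x45, 0x00, 0x00, 0x10, 0x00, 0x00,
                                    0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
                                    0x0a, 0x00, 0x00, 0x01 };

int main(void)
{
    printf("truncated capture: buggy=%lld fixed=%lld\n",
           (long long)gre_payload_len_buggy(GRE_SAMPLE_TRUNCATED, 5),
           (long long)gre_payload_len_fixed(GRE_SAMPLE_TRUNCATED, 5));
    printf("well-formed capture: buggy=%lld fixed=%lld\n",
           (long long)gre_payload_len_buggy(GRE_SAMPLE_OK, 20),
           (long long)gre_payload_len_fixed(GRE_SAMPLE_OK, 20));
    return 0;
}
```

On the truncated sample the buggy version reports a payload of 4294967285 bytes for a 5-byte capture, which is the oversized length the entry warns about; the fixed version rejects it.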
2006-12-04 Steven Sturges

    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Configuration validation update.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: Additional updates for bounds checking.

    * src/detection-plugins/sp_isdataat.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf: Added an option to specify rawbytes for the buffer.

2006-11-30 Steven Sturges

    * src/tag.c: Fix logging of tagged packets when -G (event source ID) is used.

    * src/event.h:
    * src/snort_packet_header.h:
    * src/output-plugins/spo_unified.c: Fix unified to work correctly on 64bit platforms. Thanks Nikns Siankin for the report. Nikns provides a patch to barnyard that may be required to use this functionality on 64bit systems. Grab the patch from here: http://secure.lv/~nikns/stuff/barnyard_64bit.diff

    * src/snort.c:
    * src/snort.h: Reorganize code for inline fail-open to create pattern matcher rule groups in the thread.

    * src/util.c: Code cleanup.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Fix segfault caused by integer overflow and add additional checks to protect against other underflow/overflow conditions.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h: Add capability to have multiple application layer preprocessors store data within the stream to better handle autodetection and multi-protocol packets. Fix additional issue with high CPU and reprocessing rebuilt packets that are split across a sequence wrap.

2006-11-22 Steven Sturges

    * preprocessors/spp_stream4.c: Fix problem with snort using high CPU and reprocessing the same rebuilt packets at session end or ACK in the middle of a packet when there are gaps in the packet sequence.

2006-11-16 Andrew Mullican

    * etc/gen-msg.map: Add DCE/RPC preprocessor alert.

2006-11-07 Steven Sturges

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: Updates for printing of options and handling of memcap.

    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Add print for config option.

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c: Add UDP session tracking stats. Improved TCP Timestamp handling. Separate MacOS policy from BSD, as they differ slightly. Improved performance of session pruning.

    * src/snort.c: Updates to inline thread initialization.

2006-10-30 Steven Sturges

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Fix debug prints.

    * src/detection-plugins/sp_isdataat.c: Fix problem with this option not being marked as relative when 'relative' is used. This change should've been made with the changes for not rechecking non-relative options on 2006-08-16.

2006-10-27 Steven Sturges

    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h: Output user-selected server profile at startup.

    * src/parser.c: Detect corrupt files and handle mixed windows and unix line endings.

    * doc/README.dcerpc: Update description of DCE/RPC auto-detect.

    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Fix various bugs relating to unicode, ntohs, bounds-checking, and SMB chained AndX commands.

    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c: Print out memcap and max_frag_size on startup.

2006-10-23 Steven Sturges

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf: Updated stream4 documentation in the Snort manual to reflect new UDP options and inline option updates. Corrected error with event_queue parameter: changed max_events to max_queue.

    * doc/faq.tex: Updated FAQ to reflect disuse of ACID in favor of BASE. Added references to FLoP and Mudpit as output systems for Snort. Added references to two IDS books.

    * doc/README.decode: Added README file for the Snort decoder.

    * doc/README.stream4: Made minor changes to language.

    * etc/snort.conf: Added commented-out decoder options with description: enable_decode_oversized_alerts and enable_decode_oversized_drops.

    * doc/README.http_inspect:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: Updated tab_uri_delimiter section in document to reflect deprecation. Removed the deprecated tab_uri_delimiter from server profiles since it's redundant with whitespace_chars.

    * src/preprocessors/snort_httpinspect.c: Allow user-specified ports to override internal defaults.

    * src/detection-plugins/sp_pattern_match.c: Fix error message with max pattern size.

    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h: Fix spelling of obsolete in macros.

    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Fix spelling of DETECT_ANOMALIES macro.

    * src/profiler.c: Removed tabs from preprocessor stats output. Tabs aren't compliant with the syslog RFC.

    * doc/README.ftptelnet:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf: Added documentation on Telnet configuration option detect_anomalies.

    * src/preprocessors/spp_stream4.c: Fixed potential for infinite loop when only part of a packet being used in reassembly is ACK'd.

    * src/preprocessors/perf-base.c: Fixed packet count stats when in readback mode.

2006-10-13 Steven Sturges

    * src/detection-plugins/sp_flowbits.c: Fixed an off-by-one error message that prevented the maximum number of flowbits from being used. Include number of flowbits used in summary of flowbits usage.

    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h: Fix parser to properly error on misconfigured ports.

    * src/decode.c:
    * src/decode.h:
    * src/parser.c: Added new config options "enable_decode_oversized_alerts" and "enable_decode_oversized_drops" to allow alerting on packets with extra bytes at the end of their payload.

2006-10-12 Steven Sturges

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * RELEASE.NOTES: Prepare for 2.6.1 RC.

    * configure.in:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h: Start a thread if running in inline mode that passes traffic through once pcap is opened and snort is not ready to start inspection (ie, loading rules, creating pattern matcher, etc). Thread is terminated when snort is ready to process packets. Compiled in via the --enable-inline-init-failopen option to the configure script. Disable by the --disable-inline-init-failopen commandline option or 'config disable_inline_init_failopen' in snort.conf/user.conf in the case that the interface is fail-closed. Requires libpthread.

    * src/parser.c: Require a sid for every rule.

    * src/dynamic-preprocessors/ssh/spp_ssh.c: Verifies that the stream preprocessor is enabled. Version string bounds checking now uses the length of the version string rather than the length of the entire payload.

    * src/preprocessors/snort_stream4_udp.c: Update UDP session stats (packet count, start/end time, bytes, etc).

    * doc/README.stream4:
    * doc/Makefile.am: Finally a description for Stream4. Thanks Todd!

    * src/parser.c:
    * src/signature.c: Allow for variable metadata in rule options. Ignore unknown metadata fields.

    * etc/gen-msg.map:
    * src/decode.c:
    * src/generators.h: Added additional TCP length checking and UDP length checking and new