2008-03-12  Todd Wease

	* src/decode.c:
	* doc/README.gre:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* doc/Makefile.am:
	Disable PPP decoding if architecture requires word alignment,
	e.g. SPARC machines.

	* src/dynamic-preprocessors/dcerpc/smb_structs.h:
	Fix endian issue when determining if SMB is using unicode strings.

	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	Fix issue where FTPTelnet sometimes determines incorrect direction
	with midstream session.

	* src/generators.h:
	* src/preprocessors/spp_frag3.c:
	* doc/README.frag3:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* etc/gen-msg.map:
	Update frag3 to remove enforcement of ttl_limit.  Add preprocessor
	alert for min_ttl anomaly.

	* doc/README.ipip:
	* doc/Makefile.am:
	Added README doc for IP in IP decoding.

	* doc/README.stream4:
	* etc/gen-msg.map:
	Fixed some typos.  Thanks to rmkml for pointing this out.

2008-03-06  Steven Sturges

	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* doc/README.ssl:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Improve handling for change cipher records and rule options.
	Indicate that trustservers option only makes sense when
	noinspect_encrypted is used.

2008-03-05  Steven Sturges

	* doc/README.variables:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Fix a few misspellings.  Thanks to Markus Lude for letting us know.

2008-03-04  Steven Sturges

	* configure.in:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* rpm/snort.spec:
	* src/win32/WIN32-Includes/config.h:
	2.8.1 RC prep.

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* doc/README.arpspoof (added):
	* doc/README.pcap_readmode (added):
	* snort.8:
	Document new multiple pcap command line options and ARP Spoof
	preprocessor configuration.

	* doc/README.dcerpc:
	* doc/README.http_inspect:
	* doc/README.stream4:
	Update to include information about alerts generated from various
	preprocessors.
	* src/decode.c:
	* src/log_text.c:
	* src/parser.c:
	* src/profiler.c:
	* src/detection-plugins/sp_cvs.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
	* src/dynamic-preprocessors/libs/sfcommon.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/sfutil/bitop_funcs.h:
	* src/sfutil/sf_iph.c:
	* src/sfutil/sfportobject.c:
	* src/target-based/sftarget_reader.c:
	* src/win32/WIN32-Includes/rpc/types.h:
	Win32 compiler warning cleanup.

	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	Reorganize packet structure to provide better compatibility with
	shared libraries.

	* src/detect.c:
	* src/detect.h:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/dynamic-plugins/sf_dynamic_common.h:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/output-plugins/spo_alert_fast.c:
	* src/snort.c:
	* src/snort.h:
	Update to logging of DCE/RPC defragmented packets when using
	console/fast output modes.

	* src/preprocids.h:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	Add ability for dynamic rules to store and retrieve data on stream
	session.

	* src/detection-plugins/sp_pcre.c:
	Fix compile warning with older versions of PCRE library.

	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	Update default configuration for FTP's STRU command.
2008-01-27  Todd Wease

	* src/decode.c:
	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/generators.h:
	* src/preprocessors/spp_frag3.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	* etc/gen-msg.map:
	Added IP in IP encapsulation support for both IPv4 and IPv6.

	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/snort.c:
	Enforce stricter versioning when loading shared objects.  Versions
	of shared libraries - engine and dynamic preprocessors - will not
	load if from an older version of Snort.

	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	Fatal error if commas are not used in SSL dynamic preprocessor
	configuration.  Thanks to Chris Rohlf for bringing this to our
	attention.

	* src/generators.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* etc/gen-msg.map:
	Update Stream5 to alert on data without TCP flags when non-linux
	policy.  Thanks to Chris Eagle, Naval Postgraduate School, for
	bringing this to our attention.

	* src/parser.c:
	Generate a parsing error if an empty IP list is used (this is
	equivalent to !any).  Thanks to Chris Rohlf for bringing this to
	our attention.

	* src/parser.c:
	* src/sfutil/sfportobject.c:
	* src/sfutil/sfportobject.h:
	Various port object changes.  Update to handle open port ranges
	(i.e., 1024:) and print error lines from config file parsing.
	Added support for handling embedded lists with negations.  Use
	more compatible strrchr() instead of rindex().  Add stricter
	configuration checks - thanks to Rmkml for bringing this to our
	attention.

	* src/target-based/sftarget_reader.c:
	Use inet_pton() instead of inet_aton().

	* src/target-based/sftarget_reader.c:
	* src/util.c:
	Set uid and gid of target-based thread if not already set.

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Update to describe new pcre match limit options.

	* src/win32/WIN32-Prj/snort.dsp:
	Remove system dependent Oracle paths from project.
	* src/fpcreate.c:
	Correctly set the max_size when a longer pattern.

	* src/profiler.c:
	Add Percent of Total column to output.

	* src/sfutil/sf_textlog.c:
	Added format string to prevent messages with certain format from
	crashing Snort.

2007-12-10  Todd Wease

	* configure.in:
	Require PCRE version 6 or better.

	* src/dynamic-preprocessors/smtp/Makefile.am:
	* src/dynamic-preprocessors/smtp/smtp_log.c:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/stream_api.h:
	Reduce command line and response line overflow false positives in
	SMTP preprocessor when Snort is missing packets.  Only alert on one
	unique SMTP event per session.

	* configure.in:
	Add check for Phil Woods' pcap so that pcap stats are computed
	correctly.  Thanks to John Hally for bringing this to our attention.

	* doc/INSTALL:
	Update for building on Mac OSX 10.5.  Thanks to Martin Fong for
	bringing this to our attention.

	* doc/README.asn1:
	* doc/README.dcerpc:
	* doc/README.dns:
	* doc/README.flow-portscan:
	* doc/README.frag3:
	* doc/README.ssh:
	* doc/README.stream5:
	Update to include information about alerts generated from various
	preprocessors.

	* doc/snort_manual.pdf:
	* doc/snort_manual.tex:
	Add info on stream_size option added with Stream5.

	* etc/gen-msg.map:
	Update to include GRE alerts.

	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	Allow specifying metadata within a shared library rule.

	* src/decode.c:
	Update for decoding IP6 header lengths.

	* src/detect.c:
	* src/parser.c:
	Correctly handle rule-type keyword.  Thanks to Tung Tran for
	bringing this to our attention.
	* src/log_text.c:
	* src/log.c:
	Fix issue with printing IPv6 addresses.

	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	Update default configuration to allow optional string to STRU
	command.

	* src/dynamic-preprocessors/libs/sfparser.c:
	* src/dynamic-preprocessors/libs/ssl.c:
	* src/dynamic-preprocessors/libs/ssl.h:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	Updates to better handle SSLv2 recognition.

	* src/preprocessors/snort_stream4_session.c:
	* src/preprocessors/stream.h:
	Fix misaligned structures for Sparc 64bit OpenBSD.  Thanks to
	Markus Lude for helping us track down the problem.

	* src/preprocessors/spp_stream4.c:
	Warn if configured with stream4 & target-based attributes.

	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_ip.h:
	* src/sfutil/sf_iph.c:
	* src/sfutil/sf_ipvar.c:
	Code cleanup for IPv6 related changes.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Handle additional cases of multiple sequences of TCP SYN packets on
	a session that has previously been reset.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Add checks for missing packets in reassembly.

	* src/sfutil/sfportobject.c:
	* src/sfutil/sfxhash.c:
	Code cleanup.

	* src/target-based/sf_attribute_table_parser.l:
	* src/target-based/sftarget_reader.c:
	Better handling for starting attribute reload thread and logging
	parsing errors.
	* src/fpcreate.c:
	* src/fpdetect.c:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_ftpbounce.c:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_ipoption_check.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	Added performance profiling stats for rule option evaluation.  Add
	limits to pcre matching that could affect performance.

2007-11-12  Todd Wease

	* src/byte_extract.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	Allow byte_jump 'string' option to support variable-length numeric
	data.

	* src/cpuclock.h:
	* configure.in:
	Add support for rule and preprocessor profiling times for Sparc v9
	processors.
	* src/decode.h:
	* src/decode.c:
	* doc/README.gre:
	* src/generators.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/snort.h:
	* src/util.c:
	* src/util.h:
	* configure.in:
	Update GRE decoder to support PPTP GRE v.1 header.  Add new GRE
	decoder alerts and README.  Integrate with IPv6 codebase.

	* src/decode.c:
	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	Update decoder to work with all 3 versions of pflog files.  Thanks
	to Ronaldo Maia for reporting this issue.

	* src/parser.c:
	* src/parser.h:
	* src/snort.c:
	* src/snort.h:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/util.c:
	* src/util.h:
	* src/decode.c:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/mempool.c:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-flow.c:
	* src/preprocessors/perf.h:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/profiler.c:
	* src/profiler.h:
	* src/sfthreshold.c:
	* src/sfthreshold.h:
	* src/sfutil/sfxhash.c:
	* src/sfutil/sfxhash.h:
	* src/tag.c:
	* src/tag.h:
	Snort can now read multiple pcaps on the command line.
	The '-r' flag can be given multiple times, as well as options for
	reading a list of pcaps on the command line, a file containing
	pcaps to read and/or a directory to recurse through gathering
	pcaps.  Multiple filters can be used and an option to reset Snort
	to a post initialization state for each pcap read can be given.

	* src/detect.c:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/parser.c:
	* src/parser.h:
	* src/sfutil/sfportobject.c:
	* src/sfutil/sfportobject.h:
	* src/sfutil/sfrim.h:
	Portlists code consolidation and general cleanup.

	* src/detect.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_respond.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/fpdetect.c:
	* src/ipv6_port.h:
	* src/output-plugins/spo_alert_sf_socket.c:
	* src/output-plugins/spo_log_ascii.c:
	* src/output-plugins/spo_unified2.c:
	* src/output-plugins/spo_unified.c:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/snort_stream4_session.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	* src/preprocessors/stream.h:
	* src/preprocessors/stream_ignore.c:
	* src/preprocessors/stream_ignore.h:
	* src/sfthreshold.c:
	* src/sfthreshold.h:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_ip.h:
	* src/sfutil/sf_ipvar.c:
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h:
	* src/tag.c:
	IPv6 data type name changes to avoid library namespace conflicts.

	* src/detection-plugins/sp_pattern_match.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/preprocessors/snort_stream4_udp.c:
	* src/rules.h:
	* src/sf_sdlist.c:
	* src/sf_types.h:
	Fix compiler warnings.

	* src/detection-plugins/sp_pcre.c:
	* src/fpdetect.c:
	Fixed issue where some rules will continue to match on a Uri, even
	after the first packet.

	* src/dynamic-plugins/Makefile.am:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/fpcreate.c:
	Enabled target-based code to properly assess dynamic rule flow.

	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dns/sf_dns.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/ssh/sf_ssh.dsp:
	Update Win32 project files to include target-based and GRE defines.

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	Allow white space prior to FTP command.

	* src/preprocids.h:
	* doc/README.ssl:
	* doc/snort_manual.tex:
	* etc/snort.conf:
	* configure.in:
	* src/win32/WIN32-Prj/snort.dsw:
	* src/dynamic-preprocessors/ssl/Makefile.am:
	* src/dynamic-preprocessors/ssl/sf_preproc_info.h:
	* src/dynamic-preprocessors/ssl/sf_ssl.dsp:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.h:
	* src/win32/WIN32-Includes/config.h:
	Added SSL preprocessor.
	* src/ipv6_port.h:
	Update IP_CLEAR to clear all fields.  Update IP_COPY_VALUE to copy
	each field individually.

	* src/log.c:
	* src/output-plugins/spo_alert_fast.c:
	* src/output-plugins/spo_alert_full.c:
	* src/log_text.h:
	* src/output-plugins/spo_csv.c:
	* src/output-plugins/spo_database.c:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/log_text.c:
	* src/log_text.h:
	* src/sfutil/sf_textlog.c:
	* src/sfutil/sf_textlog.h:
	Added rollover of logs upon reaching configured limit - applies to
	alert_full, alert_fast, log_tcpdump, alert_csv.

	* src/log.c:
	Added IP obfuscation for IPv6 addresses.

	* src/plugbase.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* doc/README.stream4:
	* doc/README.stream5:
	* doc/snort_manual.tex:
	* etc/snort.conf:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_cvs.h:
	CVS detection plugin.  Currently only looks for an invalid entry.
	Ports 514 and 2401 added to default ports for stream reassembly.

	* src/ppm.c:
	* src/ppm.h:
	* src/profiler.c:
	* doc/snort_manual.tex:
	Fix microseconds calculations.  Add ability to use ppm with
	readback mode.  Add documentation to Snort Manual.

	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
	* src/preprocessors/HttpInspect/include/hi_eo_events.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/snort_httpinspect.c:
	* doc/README.http_inspect:
	* doc/snort_manual.tex:
	* etc/gen-msg.map:
	Added overly long http header detection.

	* src/preprocessors/perf-base.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	Fixed issue where packets were being blocked when Snort, running in
	inline mode, was shutting down.

	* src/preprocessors/spp_frag3.c:
	Fixed issue where frag3 does not initialize correctly without any
	configuration arguments.
	Thanks to Jason Carr for reporting this.

	* src/preprocessors/spp_sfportscan.c:
	Fix endian issue in sfportscan when IP addresses are logged.
	Thanks to Jerry Litteer for reporting this.

	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/stream_api.h:
	Added function to stream api for returning whether or not there are
	missing segments.  Only supported in stream5.

	* src/preprocessors/str_search.c:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	Fixed issue where MPSE global counter was being reset by SMTP for
	each new pattern matcher it created.

	* src/sfutil/sf_vartable.c:
	* src/sfutil/sf_vartable.h:
	* doc/README.variables:
	* doc/snort_manual.tex:
	Fix segfault with duplicate variables in IPv6 code (enabled with
	--enable-ipv6).

	* src/target-based/Makefile.am:
	* src/target-based/sf_attribute_table_parser.l:
	* src/target-based/sftarget_reader.c:
	Target based cleanup.

	* src/util.c:
	Fixed incorrect calculation of pcap received and dropped.

	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	Added GRE and target-based to default Win32 build.

	* doc/INSTALL:
	* doc/README.ftptelnet:
	* doc/README.http_inspect:
	* doc/README.sfportscan:
	* doc/README.stream4:
	* doc/README.stream5:
	* doc/README.variables:
	* doc/snort_manual.tex:
	Documentation updates.  Thanks to Jeff Dell for pointing out
	unified/unified2 errors in Snort Manual and inconsistencies in
	sfportscan documentation.

2007-11-06  Steven Sturges

	* src/win32/WIN32-Includes/pcre.h:
	* src/win32/WIN32-Includes/pcreposix.h:
	* src/win32/WIN32-Libraries/pcre.lib:
	Update Win32 LibPCRE to version 7.4.

2007-11-05  Steven Sturges

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Fix debug to correctly call inet_ntoa.  Thanks to rmkml for
	reporting the problem.
2007-09-07  Steven Sturges

	* configure.in:
	* src/build.h:
	* src/win32/WIN32-Includes/config.h:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* rpm/snort.spec:
	* snort.8:
	2.8.0 Final release prep.  Update spec file to relocate installed
	schemas and be more consistent with location of docs.

	* src/parser.c:
	Initialize rule_count variables.  Thanks to Ken Steele for pointing
	it out.

	* src/signature.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/plugbase.c:
	Fix typos in comments.  Thanks rmkml for reviewing.

	* src/tag.c:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_iph.c:
	Cleanup printing of IPv6 Addresses.

	* src/detection-plugins/sp_pcre.c:
	Initialize the found offset so that it contains correct value when
	not found.

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	Improve checking on ftp commands from client.

	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	Disable ftptelnet when compiled with IPv6.

	* src/decode.c:
	* src/snort.c:
	After logging alert for BSD IPv6 Fragmentation vulnerability, reset
	the pseudo packet that is used for logging purposes.

	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	Memory cleanup of mime boundary regular expressions at Snort exit.

	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/spp_sfportscan.c:
	Memory cleanup of portscan hash table at Snort exit.

	* src/output-plugins/spo_alert_prelude.c:
	Correctly get IP Header length for logging.

	* src/output-plugins/spo_alert_sf_socket.c:
	Complete initialization after rules are read for specific GID/SID
	alerts to log via sf socket.

	* src/output-plugins/spo_unified2.c:
	Code cleanup.

	* src/preprocessors/spp_frag3.c:
	Handle VLAN tags in fragmented traffic and include in rebuilt
	packets if part of original traffic.

	* src/preprocessors/spp_stream5.c:
	Initialize memory for flowbits after all configuration is
	processed, as config flowbitsize option might change default.
	Handle byte alignment issue on Solaris with the flowbits data
	structure used by Stream5.
	Thanks to JJC & Shane Castle for helping us troubleshoot these
	issues and testing the patches.

	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/stream5_common.c:
	* src/preprocessors/stream_api.h:
	Handle strange sequences of multiple TCP Reset packets on the same
	session when some of those Resets also contain other flags.  Thanks
	to Siim Poder for reporting the problem.

2007-08-31  Steven Sturges

	* src/parser.c:
	Updates to prevent variable definitions of the same name as a
	portvar, var and ipvar.

	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	Fix copying of IP address from packet when determining client
	config that resulted from IPv6 port.

	* src/output-plugins/spo_alert_prelude.c:
	Updates to write GID in alert data.  Thanks to Yoann Vandoorselaere
	for the update.

	* src/output-plugins/spo_unified2.c:
	Don't write tagged packets the same as unified.  Packets that are
	part of stream reassembly refer to the original event directly from
	the packet record header.

	* src/sfutil/sfportobject.c:
	* src/sfutil/sfportobject.h:
	Code cleanup and free data correctly on parsing errors.

2007-08-30  Steven Sturges

	* doc/Makefile.am:
	Include README.ipv6 & README.variables in the distribution tarball.
	Thanks to Jeff Dell for pointing out that it was missing.

	* RELEASE.NOTES:
	Fix some spelling errors.  Thanks rmkml for pointing it out.

	* etc/snort.conf:
	Update to use new portvar syntax for HTTP_PORTS, ORACLE_PORTS, and
	SHELLCODE_PORTS.  Thanks to rmkml for mentioning this.

2007-08-22  Steven Sturges

	* configure.in:
	* src/sf_types.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	Fixes to build 2.8.0 Beta on OpenBSD.

	* doc/README.variables:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Update PortList documentation.
2007-08-20  Steven Sturges

	* configure.in:
	* src/build.h:
	* src/win32/WIN32-Includes/config.h:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* rpm/snort.spec:
	2.8.0 Beta prep.

	* src/Makefile.am:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/event.h:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/output-plugins/spo_unified.c:
	* src/output-plugins/spo_unified2.c:
	* src/pcap_pkthdr32.h (added):
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/stream.h:
	* src/preprocessors/stream_api.h:
	* src/snort_packet_header.h (removed):
	* src/win32/WIN32-Prj/snort.dsp:
	* src/snort.c:
	Renamed snort_packet_header.h to pcap_pkthdr32.h and changed
	instances of SnortPktHdr with pcap_pkthdr except in Event struct
	and unified code where pcap_pkthdr32 is used because 32 bit
	timevals are required.

	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/util.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_httpinspect.h:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/snort.c:
	Added framework for preprocessors to print stats at exit or USR1
	signal.  Preprocessors register a function that will print the
	stats and they will be printed when DropStats() is called.

	* src/detection-plugins/sp_pattern_match.c:
	Commented out 'content-list' rule option code since it is broken
	and there are no plans in the near future to fix it.
	* src/checksum.h:
	* src/decode.c:
	* src/decode.h:
	* src/detect.c:
	* src/detect.h:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-preprocessors/dynamic_preprocessors.dsp:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dns/sf_dns.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/ftptelnet/Makefile.am:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/ssh/sf_ssh.dsp:
	* src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/generators.h:
	* src/ipv6.c (removed):
	* src/ipv6.h (removed):
	* src/ipv6_port.h (added):
	* src/log.c:
	* src/Makefile.am:
	* src/output-plugins/spo_alert_arubaaction.c:
	* src/output-plugins/spo_alert_fast.c:
	* src/output-plugins/spo_alert_full.c:
	* src/output-plugins/spo_alert_prelude.c:
	* src/output-plugins/spo_alert_sf_socket.c:
	* src/output-plugins/spo_alert_syslog.c:
	* src/output-plugins/spo_alert_unixsock.c:
	* src/output-plugins/spo_csv.c:
	* src/output-plugins/spo_database.c:
	* src/output-plugins/spo_log_ascii.c:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/output-plugins/spo_unified.c:
	* src/output-plugins/spo_unified2.c:
	* src/parser/IpAddrSet.c:
	* src/parser/IpAddrSet.h:
	* src/parser.c:
	* src/parser.h:
	* src/plugbase.c:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/snort_stream4_session.c:
	* src/preprocessors/snort_stream4_udp.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	* src/preprocessors/stream.h:
	* src/preprocessors/stream_ignore.c:
	* src/preprocessors/stream_ignore.h:
	* src/rules.h:
	* src/sfthreshold.c:
	* src/sfthreshold.h:
	* src/sfutil/ipobj.c:
	* src/sfutil/Makefile.am:
	* src/sfutil/sf_ip.c (added):
	* src/sfutil/sf_ip.h (added):
	* src/sfutil/sf_iph.c (added):
	* src/sfutil/sf_iph.h (added):
	* src/sfutil/sf_ipvar.c (added):
	* src/sfutil/sf_ipvar.h (added):
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h:
	* src/sfutil/sf_vartable.c (added):
	* src/sfutil/sf_vartable.h (added):
	* src/snort.c:
	* src/snort.h:
	* src/tag.c:
	* src/util.c:
	* src/win32/WIN32-Prj/build_all.dsp:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/win32/WIN32-Prj/snort.dsw:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* doc/README.ipv6:
	Added 1st phase of support for IPv6.  Added support for ip
	variables and improved IP address list handling.  See README.ipv6
	for specifics on what portions of Snort fully support IPv6.
	Certain preprocessors are not supported -- and cannot be turned on
	with an IPv6 enabled snort.

	* src/output-plugins/spo_unified.c:
	Added configuration option to not append timestamps to unified
	log/alert files.

	* src/output-plugins/spo_unified2.c (added):
	* src/output-plugins/spo_unified2.h (added):
	* src/plugbase.c:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Added unified2 logging/output format.

	* src/cpuclock.h (added):
	* src/detect.c:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/Makefile.am:
	* src/parser.c:
	* src/ppm.c (added):
	* src/ppm.h (added):
	* src/profiler.h:
	* src/rules.h:
	* src/snort.c:
	Added support for packet performance monitoring.  Allows Snort to
	be configured to only spend a certain time period on a given packet
	and/or rule and automatically suspend performance-intensive rules.
	See README.ppm for details.
	* src/bounds.h:
	* src/byte_extract.c:
	* src/byte_extract.h:
	* src/debug.c:
	* src/debug.h:
	* src/decode.c:
	* src/decode.h:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_asn1_detect.c:
	* src/detection-plugins/sp_asn1_detect.h:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_session.c:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_engine/bmh.c:
	* src/dynamic-plugins/sf_engine/bmh.h:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_client.h:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/ssh/spp_ssh.c:
	* src/log.c:
	* src/log.h:
	* src/mstring.c:
	* src/mstring.h:
	* src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/client/hi_client_norm.c:
	* src/preprocessors/HttpInspect/include/hi_ad.h:
	* src/preprocessors/HttpInspect/include/hi_client.h:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_mi.h:
	* src/preprocessors/HttpInspect/include/hi_norm.h:
	* src/preprocessors/HttpInspect/include/hi_server.h:
	* src/preprocessors/HttpInspect/include/hi_util.h:
	* src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	* src/preprocessors/HttpInspect/server/hi_server.c:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-flow.c:
	* src/preprocessors/perf-flow.h:
	* src/preprocessors/perf.h:
	* src/preprocessors/portscan.c:
	* src/preprocessors/spp_arpspoof.c:
	* src/preprocessors/spp_bo.c:
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/preprocessors/spp_rpc_decode.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/str_search.c:
	* src/preprocessors/str_search.h:
	* src/sfutil/asn1.c:
	* src/sfutil/asn1.h:
	* src/sfutil/bitop_funcs.h:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	* src/snort.c:
	Changed packet payload pointers to use const qualifier to eliminate inadvertent writes to the packet buffer.

	* src/preprocessors/HttpInspect/include/hi_util_kmap.h:
	* src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
	* src/preprocessors/HttpInspect/util/hi_util_kmap.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
	Cleanup memory at Snort exit from session & client configurations.

	* src/debug.h:
	* src/preprocids.h:
	* src/generators.h:
	Added defines for SKYPE.

	* src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
	Fixed a few typos in comments. Thanks to rmkml for pointing them out.

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Cleaned up a few typos in various sections. Thanks to rmkml, Joel Ebrahimi for pointing out the misspellings & errors.
	* src/decode.h:
	* src/detect.c:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_frag3.h:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.c:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	* src/rules.h:
	* src/sfutil/Makefile.am:
	* src/sfutil/sfrt.c (added):
	* src/sfutil/sfrt.h (added):
	* src/sfutil/sfrt_dir.c (added):
	* src/sfutil/sfrt_dir.h (added):
	* src/sfutil/sfrt_trie.h (added):
	* src/signature.c:
	* src/signature.h:
	* src/snort.c:
	* src/snort.h:
	* src/target-based/Makefile.am (added):
	* src/target-based/sf_attribute_table_parser.l (added):
	* src/target-based/sf_attribute_table.y (added):
	* src/target-based/sftarget_hostentry.c (added):
	* src/target-based/sftarget_hostentry.h (added):
	* src/target-based/sftarget_protocol_reference.c (added):
	* src/target-based/sftarget_protocol_reference.h (added):
	* src/target-based/sftarget_reader.c (added):
	* src/target-based/sftarget_reader.h (added):
	* src/util.c:
	Added experimental support for Target-Based processing for Stream reassembly, IP Frag reassembly, and rule processing. Enable via --enable-targetbased option to configure. A thread is created to reload the attribute table upon receipt of a signal 30.
	* src/detect.c:
	* src/detect.h:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_clientserver.h:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser.c:
	* src/parser.h:
	* src/pcrm.c:
	* src/pcrm.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/rules.h:
	* src/sfutil/sfportobject.c (added):
	* src/sfutil/sfportobject.h (added):
	* src/sfutil/sfrim.c (added):
	* src/sfutil/sfrim.h (added):
	* src/signature.c:
	* src/signature.h:
	* src/snort.c:
	* src/util.c:
	Added Port Lists & Port Range functionality and added port variable handling.

	* preproc_rules/preprocessor.rules:
	* preproc_rules/decoder.rules:
	* preproc_rules/Makefile.am:
	* configure.in:
	* etc/snort.conf:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_optioncheck.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/event_queue.c:
	* src/event_wrapper.c:
	* src/event_wrapper.h:
	* src/parser.c:
	* src/plugbase.c:
	* src/plugbase.h:
	Added support to provide action control (alert, drop, pass, etc) over preprocessor and decoder generated events, as well as references and classifications via a rule. These rules do not include IP addresses as the individual preprocessor/decoder configuration dictates the traffic to which an event applies. In conjunction with this, certain post-processing rule options (tag, logto, etc) may be added to those rules, while other options that relate to data inspection (content, byte_test, etc) may not. Enable via --enable-decoder-preprocessor-rules option to configure.

	* src/dynamic-plugins/sf_dynamic_plugins.c: Search for other shared library extensions on OpenBSD. Thanks to Nikns Siankin for the request.

	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-preprocessors/dcerpc/Makefile.am:
	* src/dynamic-preprocessors/dns/Makefile.am:
	* src/dynamic-preprocessors/ftptelnet/Makefile.am:
	* src/dynamic-preprocessors/smtp/Makefile.am:
	* src/dynamic-preprocessors/ssh/Makefile.am:
	Fixes to correct shared library extension on MAC OS.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/generators.h:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Added basic TCP session hijacking detection. Detection based on MAC address used during TCP 3-way handshake and MAC address in subsequent packets.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* doc/README.stream5:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Added stream_size rule option (only supported by Stream5).

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/generators.h:
	Improved detection for encrypted ftp sessions, reducing false positives. Added detection of subnegotiation begin commands without matching subnegotiation end (evasion attempt).
	* src/dynamic-preprocessors/smtp/smtp_config.c:
	* src/dynamic-preprocessors/smtp/smtp_config.h:
	* src/dynamic-preprocessors/smtp/smtp_log.c:
	* src/dynamic-preprocessors/smtp/smtp_log.h:
	* src/dynamic-preprocessors/smtp/smtp_normalize.c:
	* src/dynamic-preprocessors/smtp/smtp_normalize.h:
	* src/dynamic-preprocessors/smtp/smtp_util.c:
	* src/dynamic-preprocessors/smtp/smtp_util.h:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.h:
	* doc/README.SMTP:
	* etc/snort.conf:
	* src/generators.h:
	Rework much of preprocessor to improve searches, additional vulnerability checks. Updates include changes to handle case insensitive searches. Alert on header name length (Exim exploit) and check for valid mime headers. Add port 587 (see RFC 2476) to default ports. Improved normalization to separate commands and data. Updates to config parsing and console startup output.

	* src/parser.c: Handle duplicate rules by using the newer revision or the earlier appearing rule (if same revision).

	* src/sf_types.h (added):
	* src/preprocessors/flow/flow_cache.c:
	* src/preprocessors/flow/flow_cache.h:
	* src/preprocessors/flow/portscan/flowps.c:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/flow/portscan/scoreboard.c:
	* src/preprocessors/flow/portscan/server_stats.c:
	* src/preprocessors/flow/portscan/unique_tracker.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-event.c:
	* src/preprocessors/perf-event.h:
	* src/profiler.c:
	* src/sfutil/util_math.c:
	* src/sfutil/util_math.h:
	* src/snort.h:
	* src/snprintf.h:
	* src/util.c:
	* src/util.h:
	* src/win32/WIN32-Includes/stdint.h:
	* src/win32/WIN32-Includes/WinPCAP/time_calls.h:
	Updated logging to print 64bit values on various platforms in a more portable manner.
	* configure.in:
	* src/decode.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	* src/util.h:
	* src/win32/WIN32-Includes/config.h:
	Fixed issue with various versions of pcap reporting received & dropped stats differently. Pcap versions 0.9 & higher accumulate stats, whereas earlier versions do not.

	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/acsmx.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/bnfa_search.c:
	* src/sfutil/bnfa_search.h:
	* src/sfutil/sfghash.c:
	* src/sfutil/sfhashfcn.c:
	* src/sfutil/sfhashfcn.h:
	* src/sfutil/sfprimetable.c (added):
	* src/sfutil/sfprimetable.h (added):
	* src/sfutil/sfksearch.c:
	* src/sfutil/sfksearch.h:
	* src/sfutil/sfxhash.c:
	* src/sfutil/sfxhash.h:
	Improve performance of pattern match engines to not evaluate a rule with a pattern that has already been seen and the rule already processed. This change takes into account if that rule fails because of an unset flowbit (which may have been set by another rule). Changed hash table hash functions to use power of two computations instead of prime numbers.

	* src/util.c: Added PCRE library version information to Snort startup banner.

2007-07-27 Steven Sturges

	* etc/snort.conf: Turn off flow since Stream5 is now enabled by default.

	* src/snort.c: Fix printing of threshold counts until after all rules are read. This issue did not affect thresholding, only display of thresholding. Thanks to Jeffrey Denton for reporting the problem.

	* src/sfutil/ipobj.c: Fix free of invalid pointer when using a negated IP list. This is used by sfportscan preprocessor configuration parsing. Thanks to Anders Ostrem for reporting the problem.

	* src/preprocessors/Stream5/snort_stream5_session.c: Fixed issue when experimental ICMP tracking is used without using the TCP or UDP session tracking. ICMP was attempting to lookup TCP or UDP sessions from uninitialized session cache. Thanks to Koji Shikata for reporting the problem.
	* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed invalid session pointer when rule tries to use flowbits after session ends. Thanks to rmkml for initially reporting the problem.

2007-07-06 Steven Sturges

	* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed potential invalid memory access when require 3whs option is used.

2007-06-28 Steven Sturges

	* src/sfutil/acsmx2.c:
	* src/sfutil/bnfa_search.c:
	Revert previous changes as they resulted in some false negatives with mixed case patterns and rules. Will address in a future release.

	* src/detection-plugins/sp_react.c: Fixed problem with segfault with flexresp. Thanks to Keith Pachulski for reporting the issue.

2007-06-20 Steven Sturges

	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/bnfa_search.c:
	Performance improvement to track the last state of a pattern that matched, so if it hits that state again immediately, don't go re-evaluate all of the same rules.

	* src/decode.c:
	* src/detect.c:
	* src/snort.h:
	* src/util.c:
	Properly handle UDP checksum if checksum value is 0 in header (do not calculate). Add stat that tracks number of failed checksums.

	* src/detection-plugins/sp_pcre.c: Add /P flag to PCRE detection to check HTTP inspect's normalized client request body.

	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-examples/Makefile.am:
	Fix header file replication.

	* src/output-plugins/spo_alert_prelude.c: Update to write data at Snort exit. Thanks Yoann Vandoorselaere for the patch.

	* src/parser.c: Update to max line length. Mark 'stateless' option to be deprecated, use flow:stateless.
2007-06-19 Steven Sturges

	* src/byte_extract.h:
	* src/event_queue.h:
	* src/event_wrapper.h:
	* src/inline.h:
	* src/ipv6.c:
	* src/ipv6.h:
	* src/packet_time.h:
	* src/plugin_enum.h:
	* src/preprocids.h:
	* src/sfthreshold.h:
	* src/snort_packet_header.h:
	* src/detection-plugins/sp_asn1.h:
	* src/detection-plugins/sp_asn1_detect.h:
	* src/detection-plugins/sp_flowbits.h:
	* src/detection-plugins/sp_ip_proto.c:
	* src/dynamic-examples/Makefile.am:
	* src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h:
	* src/dynamic-examples/dynamic-preprocessor/spp_example.c:
	* src/dynamic-examples/dynamic-rule/detection_lib_meta.h:
	* src/dynamic-examples/dynamic-rule/rules.c:
	* src/dynamic-examples/dynamic-rule/sid109.c:
	* src/dynamic-examples/dynamic-rule/sid637.c:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
	* src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
	* src/dynamic-preprocessors/smtp/sf_preproc_info.h:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/snort_httpinspect.h:
	* src/preprocessors/snort_stream4_session.h:
	* src/preprocessors/snort_stream4_udp.h:
	* src/preprocessors/spp_flow.h:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_httpinspect.h:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_sfportscan.h:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/str_search.c:
	* src/preprocessors/str_search.h:
	* src/preprocessors/stream.h:
	* src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/client/hi_client_norm.c:
	* src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
	* src/preprocessors/HttpInspect/include/hi_ad.h:
	* src/preprocessors/HttpInspect/include/hi_client.h:
	* src/preprocessors/HttpInspect/include/hi_client_norm.h:
	* src/preprocessors/HttpInspect/include/hi_eo.h:
	* src/preprocessors/HttpInspect/include/hi_eo_events.h:
	* src/preprocessors/HttpInspect/include/hi_eo_log.h:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_mi.h:
	* src/preprocessors/HttpInspect/include/hi_norm.h:
	* src/preprocessors/HttpInspect/include/hi_return_codes.h:
	* src/preprocessors/HttpInspect/include/hi_server.h:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h:
	* src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
	* src/preprocessors/HttpInspect/include/hi_util.h:
	* src/preprocessors/HttpInspect/include/hi_util_hbm.h:
	* src/preprocessors/HttpInspect/include/hi_util_kmap.h:
	* src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
	* src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	* src/preprocessors/HttpInspect/server/hi_server.c:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
	* src/preprocessors/HttpInspect/utils/hi_util_hbm.c:
	* src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
	* src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.h:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.c:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/flow/common_defs.h:
	* src/preprocessors/flow/flow.c:
	* src/preprocessors/flow/flow.h:
	* src/preprocessors/flow/flow_cache.c:
	* src/preprocessors/flow/flow_cache.h:
	* src/preprocessors/flow/flow_callback.c:
	* src/preprocessors/flow/flow_callback.h:
	* src/preprocessors/flow/flow_class.c:
	* src/preprocessors/flow/flow_class.h:
	* src/preprocessors/flow/flow_config.h:
	* src/preprocessors/flow/flow_error.h:
	* src/preprocessors/flow/flow_hash.c:
	* src/preprocessors/flow/flow_hash.h:
	* src/preprocessors/flow/flow_print.c:
	* src/preprocessors/flow/flow_print.h:
	* src/preprocessors/flow/flow_stat.c:
	* src/preprocessors/flow/flow_stat.h:
	* src/preprocessors/flow/int-snort/flow_packet.c:
	* src/preprocessors/flow/int-snort/flow_packet.h:
	* src/preprocessors/flow/portscan/flowps.c:
	* src/preprocessors/flow/portscan/flowps.h:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/flow/portscan/flowps_snort.h:
	* src/preprocessors/flow/portscan/scoreboard.c:
	* src/preprocessors/flow/portscan/scoreboard.h:
	* src/preprocessors/flow/portscan/server_stats.c:
	* src/preprocessors/flow/portscan/server_stats.h:
	* src/preprocessors/flow/portscan/unique_tracker.c:
	* src/preprocessors/flow/portscan/unique_tracker.h:
	* src/sfutil/acsmx2.h:
	* src/sfutil/asn1.c:
	* src/sfutil/asn1.h:
	* src/sfutil/ipobj.c:
	* src/sfutil/ipobj.h:
	* src/sfutil/sfeventq.c:
	* src/sfutil/sfeventq.h:
	* src/sfutil/sfghash.c:
	* src/sfutil/sfghash.h:
	* src/sfutil/sfhashfcn.c:
	* src/sfutil/sfhashfcn.h:
	* src/sfutil/sflsq.c:
	* src/sfutil/sflsq.h:
	* src/sfutil/sfmemcap.c:
	* src/sfutil/sfmemcap.h:
	* src/sfutil/sfsnprintfappend.c:
	* src/sfutil/sfsnprintfappend.h:
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h:
	* src/sfutil/sfxhash.c:
	* src/sfutil/sfxhash.h:
	* src/sfutil/util_math.c:
	* src/sfutil/util_math.h:
	* src/sfutil/util_net.c:
	* src/sfutil/util_net.h:
	* src/sfutil/util_str.c:
	* src/sfutil/util_str.h:
	* src/win32/WIN32-Code/inet_aton.c:
	* src/win32/WIN32-Code/name.h:
	Update copyright dates & info and add GPL header.
2007-06-01 Steven Sturges

	* src/util.c: Update to hourly timestats from Bill Parker.

2007-06-01 Steven Sturges

	* src/preprocessors/spp_frag3.c: Fix configuration parsing to validate parameters for memcap, max_frags, prealloc_frags. Thanks to Joel Ebrahimi for pointing out the issue.

2007-05-30 Steven Sturges

	* src/dynamic-preprocessors/smtp/smtp_util.c:
	* src/dynamic-preprocessors/smtp/smtp_util.h:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	Cleanup xlink2state processing and remove potential read beyond end of packet.

	* src/preprocessors/stream_api.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Update handling of timed out session cleanup when the 'same' (IPs/ports) session is picked up midstream.

2007-05-23 Steven Sturges

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* doc/README.stream5:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/stream5_common.h:
	Update Stream5 to use 65535 << 14 as max allowable value for the 'max_window' option.

	* src/decode.c:
	* src/detect.c:
	* src/snort.c:
	* src/snort.h:
	When checking for IPv6 BSD frag vulnerability, use a pseudo packet with false IPv4 headers for logging purposes rather than writing the IPv4 header within the original packet buffer.

	* src/preprocessors/spp_frag3.c: Update to not change original packet buffer when rebuilding fragments with IP options.

	* src/preprocessors/spp_rpc_decode.c:
	* src/preprocessors/spp_rpc_decode.h:
	Update to use the altdecode buffer for normalization.

2007-05-22 Steven Sturges

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Update for 2.7.0.

	* configure.in:
	* src/debug.c:
	* src/debug.h:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/win32/WIN32-Includes/config.h:
	Check for wchar.h and don't try to use it if not present. Fixes builds on OpenBSD 3.5 and others.

	* src/dynamic-plugins/sf_dynamic_detection.h:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-plugins/sp_preprocopt.h:
	* src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ppftp.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/smtp/smtp_util.c:
	* src/dynamic-preprocessors/smtp/smtp_util.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/event_queue.c:
	* src/event_queue.h:
	* src/ipv6.c:
	* src/ipv6.h:
	* src/mempool.c:
	* src/parser.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/sfutil/asn1.c:
	* src/sfutil/asn1.h:
	* src/sfutil/sfeventq.c:
	* src/sfutil/sfeventq.h:
	* src/sfutil/sfksearch.c:
	* src/sfutil/sfksearch.h:
	* src/sfutil/sfxhash.c:
	* src/snort.c:
	Added code to cleanup memory at Snort exit/restart.

	* src/output-plugins/spo_log_tcpdump.c: Update to timestamp writing on 64bit platforms.

	* src/dynamic-preprocessors/smtp/smtp_normalize.c: Update normalization for postfix and sendmail servers that normalize any space except '\n'.

	* src/preprocessors/str_search.c:
	* src/sfutil/bnfa_search.c:
	* src/sfutil/mpse.c:
	Use BNFA, smaller memory footprint for searches from SMTP.
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/client/hi_client_norm.c:
	* src/preprocessors/HttpInspect/include/hi_eo_log.h:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	Update way in which Body vs URI's are normalized, checked for anomalies and alerted on.

	* src/preprocessors/snort_stream4_udp.c: Fix use of ignore_any keyword when dealing with portscan and/or rules that have flow/flowbits.

	* src/preprocessors/Stream5/snort_stream5_tcp.c: Update to timestamp handling and anomaly detection with invalid timestamps on RST packets.

	* src/snort.c:
	* src/snort.h:
	Add --loop option to be used with -r for pcap readback mode.

2007-05-09 Adam Keeton

	* src/preprocessors/HttpInspect/client/hi_client_norm.c:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	Added code to prevent URI-related alerts from firing when the body is being normalized.

2007-05-08 Adam Keeton

	* src/preprocessors/HttpInspect/client/hi_client.c: Fixed pointer initialization relating to POST normalization.

2007-04-27 Steven Sturges

	* src/decode.h:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/dynamic-plugins/sf_dynamic_common.h:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Provide new rule keyword modifier for content option that allows a rule to search for a pattern in the body of an HTTP client request.
	* src/util.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/client/hi_client_norm.c:
	* src/preprocessors/HttpInspect/include/hi_client.h:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
	* src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
	Update to normalize the body of a client request to allow rules to check specifically for parameters of a POST or GET request. Also add stats that are part of the hourly stats that track various HTTP encodings and normalizations that have occurred.

	* src/preprocessors/spp_stream4.c: Fix potential memory leak.

	* doc/README.ipv6: Updates for clarity.

	* doc/faq.tex:
	* configure.in:
	Add minimal PCRE version.

	* etc/gen-msg.map:
	* src/decode.c:
	* src/generators.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Handle TCP window scale option that is > 14. Added decoder alert for this and adjust the scale per RFC 1323 in Stream5.

	* etc/snort.conf: Make Stream5 the default stream engine.

	* src/decode.c: Add alert for multiple GRE encapsulations.

	* src/ipv6.c: Additional structure name changes to avoid conflicts on Win32.

	* src/parser.c: Update the maximum number of entries in an IP List to 1024 (was 128). Added ability to configure Timestats interval, default is 3600 seconds (1 hour) when enabled via --enable-timestats.

	* src/snort.c:
	* src/snort.h:
	* src/util.h:
	Revised signal handler for Timestats.

	* src/util.c: Update Timestats to include Wifi, GRE, Frag & TCP Stream info. Thanks to Bill Parker for the update.
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	Update to parsing of icmp rule options for better grammar enforcement.

	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	Specify TCP window of 0 for RST packets that are sent.

	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-preprocessors/sf_dynamic_preproc_lib.c:
	Make Preprocess() function available to dynamic preprocessors. Thanks Vladimir Shcherbakov for the request.

	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	Code cleanup and a minor reorganization.

	* src/dynamic-preprocessors/smtp/snort_smtp.c: Fix truncated buffer when compiled in debug mode.

	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	* src/preprocessors/snort_stream4_session.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/stream_api.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Update to track additional stats for TCP session cache and session states.

	* src/preprocessors/spp_perfmonitor.c: Fix behaviour of 'accumulate' option.

	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Update for 64bit platforms.

	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* doc/README.stream5:
	Updates to config validation. Code cleanup for readability. Update TCP Window Scale use and sequence validation to be RFC 1323 compliant. Document min/max values for parameters, etc.
2007-04-13 Steven Sturges

	* src/decode.h:
	* src/decode.c:
	* src/ipv6.c:
	Changed structure declaration and usage to not conflict with OpenBSD.

2007-03-28 Steven Sturges

	* rpm/snort.spec: Remove smp_flags from spec file to not parallelize building.

	* doc/README.ipv6:
	* etc/gen-msg.map:
	* src/Makefile.am:
	* src/decode.c:
	* src/decode.h:
	* src/generators.h:
	* src/ipv6.c (added):
	* src/ipv6.h (added):
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	* src/win32/WIN32-Prj/snort.dsp:
	Added ability for Snort to track fragmented ICMPv6 to check for the remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).

	* src/win32/WIN32-Code/syslog.c:
	* src/win32/WIN32-Code/win32_service.c:
	* src/plugbase.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/stream_ignore.c:
	* src/profiler.c:
	* src/snort.c:
	Cleanup to use safe snprintf and strncpy functions, check return values of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer bounds checks.

	* src/parser.c: Fix issue with printing rule information twice.

	* src/profiler.h:
	* src/preprocessors/spp_flow.c:
	Fix miscalculation of processor time attributable to flow.

	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	Added hasXXX functions for Content, ByteTest, and PCRE.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    Code cleanup to perform bounds checking, validation of memcpy success, remove potential memory leak. Code readability improvements and update DCE endianness checks.

    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    Code cleanup for initialization of memory allocations and add early termination when at end of packet payload.

    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    Code cleanup for initialization of memory allocations and remove dead/unused code for directory and user state tracking.

    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    Code cleanup for initialization of memory allocations, fix normalization to prevent read beyond packet payload. Generate SMTP command overflow even if packet payload doesn't contain complete command (missing LF).

    * src/preprocessors/spp_frag3.c:
    Further update to handle iptables (and other datalink layers) that do not have ethernet headers to be included in rebuilt fragment.

    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Add verification that options for ICMP, TCP, UDP configurations are within reasonable limits. Reorganize reassembly flush initialization. Print list of UDP rules that are effectively ignored with ignore_any_rules option. Update session timeout handling.

    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    Allow use of limit on number of nodes in hash table instead of relying on memcap for limiting sessions.
    * src/bounds.h:
    * src/debug.c:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/sfthreshold.c:
    * src/snort.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_session.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/parser/IpAddrSet.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/flow_print.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfxhash.c:
    Cleanup to use safe snprintf and strncpy functions, check return values of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer bounds checks. Add handling for FatalError not returning for static code analysis tools.
    * src/sfutil/sfthd.c:
    Fix memory leak in global config. Thanks Boris Lytochkin for pointing this out.

2007-02-20 Steven Sturges

    * src/util.c:
    Update copyright date to include 2007.

2007-02-17 Steven Sturges

    * src/parser.c:
    Code cleanup, remove tab characters going to syslog.

    * src/detection-plugins/sp_clientserver.c:
    Handle flow keyword with Stream5 UDP sessions.

    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    Add bounds checking to ReassembleSMBWriteX; use Safememcpy for calculated length buffer copies.

2007-02-09 Steven Sturges

    * configure.in:
    Added support for libpcap that depends on libpfring. Thanks to Jason Wallace for the patch. Also updated description as to why libpcap check might fail and what files might be missing, thanks to James Affeld for that suggestion.

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    Update configuration parsing and validation checks and fix issue with static flushpoints not really being static.

    * src/output-plugins/spo_database.c:
    Code cleanup to check that a query was not truncated when using snprintf and guarantee NULL terminated string.
2007-02-07 Steven Sturges

    * src/decode.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_stream4.c:
    * src/snort.c:
    * src/tag.c:
    * src/win32/WIN32-Code/misc.c:
    Code & warning cleanup.

    * src/parser.c:
    Add file and line number to an error message. Thanks to rmkml for pointing out the omission.
2007-02-05 Steven Sturges

    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/fpdetect.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/parser/IpAddrSet.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/signature.c:
    * src/snort.c:
    * src/tag.c:
    * src/ubi_BinTree.c:
    * src/util.h:
    More code cleanup, eliminate warnings on Win32 platform.

2007-02-02 Steven Sturges

    * doc/README.stream5:
    Cleanup spelling, etc.

    * src/bounds.h:
    * src/preprocessors/spp_frag3.c:
    Fix issue when Snort is inline using iptables, without either the ipconntrack or NAT modules. This should not occur using the recommended snort inline configuration, since the OS is supposed to handle IP fragment reassembly. The Ethernet header doesn't exist in the packet received by Snort, causing snort to dereference an invalid pointer. Thanks to Panda Software and Joel Ebrahimi for reporting the issue.

    * src/parser.c:
    Fix benign warning when using -E on Win32.

    * src/plugbase.c:
    * src/preprocessors/spp_telnet_negotiation.c (removed):
    * src/preprocessors/spp_telnet_negotiation.h (removed):
    * src/preprocessors/Makefile.am:
    * src/win32/WIN32-Prj/snort.dsp:
    Removed deprecated telnet preprocessor.

    * src/profiler.c:
    * src/profiler.h:
    Added profiling code for 64 bit Intel and PPC platforms.

    * src/decode.h:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/profiler.h:
    * src/sfthreshold.c:
    * src/signature.c:
    * src/snort.c:
    * src/strlcatu.c:
    * src/strlcpyu.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/int-snort/flow_packet.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/getopt_long.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sflsq.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfxhash.c:
    * src/win32/WIN32-Code/misc.c:
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
    Code cleanup, change malloc/calloc to SnortAlloc, use safer functions SnortSnprintf, SnortStrncpy, etc. Check pointers before use.

    * src/win32/WIN32-Code/win32_service.c:
    Fix issue with service initialization and parameter validation. Thanks Hideki Saito for pointing out the problem.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    Code cleanup, update calculating for valid length to handle alternate padding. Update to use safer functions.

    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    Allow portscan to work with Stream5 UDP session tracking (because it replaces flow preprocessor). Added API function to get direction of packet (not supported in Stream4).

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.h:
    Stream5 config parsing improvements. Check option parameters for reasonable values (prevent huge memcaps, etc).

2007-01-29 Steven Sturges

    * src/debug.c:
    * configure.in:
    Handle platforms that don't support vswprintf and vwprintf. Thanks Nikns Siankin for pointing that out for OpenBSD.

    * src/profiler.h:
    * src/profiler.c:
    * src/rules.h:
    Use 64 bit values to store profiling counters.

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Added a table for content modifiers and links to their respective sections.
    Removed old preprocessor sections and moved ASN.1 from preprocessor to detection plugins section. Added section for Stream5.

    * src/win32/WIN32-Prj/snort.dsp:
    Always use DYNAMIC_PLUGIN.

    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/LibnetNT.h:
    Code cleanup.

    * src/detection-plugins/sp_flowbits.c:
    * src/preprocessors/spp_stream5.c:
    Fix issue with flowbits for UDP streams.

    * src/detection-plugins/sp_flowbits.c:
    Add check when stream4 or stream5 are not enabled to still support flowbits. Will be removed when Flow preprocessor and Stream4 are deprecated. Thanks to Nathan Ching for pointing out the issue.

    * src/snort.c:
    Fix to allow dynamic rules to load correctly.

    * doc/README.stream4:
    * doc/README.stream5:
    Cleanup.

2007-01-18 Steven Sturges

    * etc/generators:
    * src/generators.h:
    Remove generator IDs that are no longer used.

    * doc/README.tag:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Added info on snort.conf config option tagged_packet_limit and added README.tag info file for the tag option in rules.

    * doc/README.http_inspect:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Emphasized in httpinspect documentation that a flow_depth between 1 and 1460 will only inspect at most that many bytes of a server's response, stream reassembled or not, and that rules written to inspect more than flow_depth bytes will be ineffective. Thanks to Christian Seifert for pointing this out.
2007-01-17 Steven Sturges

    * configure.in:
    * snort.8:
    * RELEASE.NOTES:
    * etc/snort.conf:
    * rpm/snort.spec:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Update for 2.7.0 Beta.

    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/win32/Makefile.am:
    * src/win32/WIN32-Code/getopt.c:
    * src/win32/WIN32-Code/getopt_long.c:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/getopt.h:
    * src/win32/WIN32-Includes/getopt1.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Prj/.cvsignore:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
    Update Win32 build environment for 2.7.0.

    * doc/README.stream5:
    * doc/README.ftptelnet:
    Fix a few typos and add better descriptions for alerts.

    * etc/gen-msg.map:
    * etc/generators.h:
    Add Stream5 alert.

    * etc/snort.conf:
    * src/preprocessors/spp_frag2.c (removed):
    * src/preprocessors/spp_frag2.h (removed):
    * src/preprocessors/Makefile.am:
    * src/plugbase.c:
    * src/plugbase.h:
    Remove deprecated Frag2.

    * src/sfutil/mwm.c (removed):
    * src/sfutil/mwm.h (removed):
    Remove deprecated mwm pattern matcher.

    * src/detection-plugins/sp_ipoption_check.c:
    * src/decode.h:
    * src/decode.c:
    * src/log.c:
    Add handling of IP Option ESEC (Extended Security).

    * src/debug.h:
    * src/bounds.h:
    * src/fpcreate.h:
    * src/fpdetect.h:
    * src/tag.c:
    * src/detection-plugins/sp_respond2.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/flow/common_defs.h:
    * src/sfutil/bitop_funcs.h:
    Move definition of INLINE for inline functions to a common place.

    * src/debug.c:
    * src/debug.h:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    Add DebugWideMessageFunc for use with Wide Character sets; however, it does not write to syslog.
    * src/debug.c:
    * src/decode.c:
    * src/detect.c:
    * src/detect.h:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.h:
    * src/sf_sdlist.c:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/signature.c:
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_confic.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream_ignore.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/sfutil/util_match.c:
    * src/sfutil/util_net.c:
    Code cleanup, change malloc to calloc, use safer functions SnortAlloc, SnortStrdup. Check pointers before use.

    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
    Added caller usable state tracking to pattern matcher.

    * src/parser.c:
    * src/parser.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    To better handle rule options that are provided by dynamic preprocessors, make 2 passes through snort.conf at startup.

    * src/parser.c:
    * src/snort.c:
    Improve dynamicengine keyword and commandline option to allow for specifying directory or file.

    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/parser.c:
    * src/signature.c:
    * src/signature.h:
    Unify logging to a single code path and added ability to have rule stubs for preprocessor and decoder events.

    * src/snort.c:
    Fix code that looks for .snortrc. Thanks to Benjamin Bennett for pointing out the issue.

    * src/preprocessors/portscan.c:
    * src/preprocessors/spp_sfportscan.c:
    Fix false alert where destination IP was not in range reported by sfportscan alert.

    * src/preprocessors/spp_sfportscan.c:
    Reset threshold checking at end of portscan alerting so that other events generated for packet wouldn't use old value returned from testing portscan thresholding/suppression. Thanks to Andreas Ostling for pointing this out.

    * src/preprocessors/spp_frag3.c:
    Cleanup of GRE code for GRE nested fragments.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    Added memcap for TCP reassembly packet storage. Reduced memory consumption of session tracking data structures. Added target-based reassembly for HPUX 11, HPUX 10.2, Windows 2003, Windows Vista. Added target-based support for processing of TCP timestamps, TCP Resets, and repeated SYN packets. Improved Session cache management. Update flushpoint management. Improved handling of midstream session establishment. Code cleanup to use safe functions for memory allocation. Set tcp policy for both sides of session, rather than by first packet seen, correctly does target-based reassembly for each side. Simplify code handling sessions to ignore.

2007-01-07 Steven Sturges

    * src/decode.c:
    * src/decode.h:
    Fixed issue where GRE decoder was attempting to assign a potentially negative value to an unsigned integer. This value, which would then be positive, was then checked to see if it was less than zero, which would indicate whether the calculated length of the header was greater than the length of the rest of the packet capture. This would always return false and the assumed length of the packet would potentially be larger than the actual length, leading to a potential dereferencing of invalid memory. Thanks to Chris Rohlf for pointing this out.
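As an added illustration of the length-check flaw described in the 2007-01-07 entry above (a constructed example, not Snort's decoder code; the simplified GRE header model, the function names and the sample bytes are assumptions), the flawed pattern is shown beside a corrected check:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified GRE header model: 4 fixed bytes, plus 4 optional
 * bytes each when the checksum, key or sequence flag bit is set in byte 0.
 * This is an illustration added here, not Snort's decoder. */
#define GRE_FIXED_LEN   4u
#define GRE_FLAG_CKSUM  0x80u
#define GRE_FLAG_KEY    0x20u
#define GRE_FLAG_SEQ    0x10u

/* Header length implied by the flag bits; the caller must have verified
 * that at least the first byte is present in the capture. */
size_t gre_header_len(const uint8_t *pkt)
{
    size_t len = GRE_FIXED_LEN;
    if (pkt[0] & GRE_FLAG_CKSUM) len += 4;   /* checksum + reserved1 */
    if (pkt[0] & GRE_FLAG_KEY)   len += 4;   /* key */
    if (pkt[0] & GRE_FLAG_SEQ)   len += 4;   /* sequence number */
    return len;
}

/* The flawed pattern: the (possibly negative) difference is stored in an
 * unsigned variable, so the "< 0" test can never fire and a header that
 * claims more bytes than the capture holds is accepted.  Returns 1 when
 * the packet is accepted for further decoding. */
int gre_check_flawed(const uint8_t *pkt, uint32_t avail)
{
    uint32_t hdr_len = (uint32_t)gre_header_len(pkt);
    uint32_t remaining = avail - hdr_len;   /* wraps to a huge value if hdr_len > avail */
    if (remaining < 0)                      /* always false for an unsigned type */
        return 0;
    return 1;                               /* decoder would now read past the capture */
}

/* Corrected pattern: compare the two lengths directly, without a
 * subtraction that can wrap, and make sure the flag byte itself is
 * within the captured bytes before reading it. */
int gre_check_fixed(const uint8_t *pkt, uint32_t avail)
{
    if (avail < GRE_FIXED_LEN)
        return 0;                           /* cannot even read the fixed header */
    if ((uint32_t)gre_header_len(pkt) > avail)
        return 0;                           /* header runs past the captured bytes */
    return 1;
}

/* Constructed sample: flags claim checksum, key and sequence (16-byte
 * header) but only 8 bytes were captured. */
const uint8_t sample_gre_short[8] = { 0xB0, 0x00, 0x08, 0x00, 0x12, 0x34, 0x56, 0x78 };

/* Constructed sample: no optional fields, 4-byte header fully captured. */
const uint8_t sample_gre_plain[4] = { 0x00, 0x00, 0x08, 0x00 };

int main(void)
{
    printf("flawed check accepts truncated header: %d\n",
           gre_check_flawed(sample_gre_short, (uint32_t)sizeof sample_gre_short));
    printf("fixed check accepts truncated header:  %d\n",
           gre_check_fixed(sample_gre_short, (uint32_t)sizeof sample_gre_short));
    printf("fixed check accepts complete header:   %d\n",
           gre_check_fixed(sample_gre_plain, (uint32_t)sizeof sample_gre_plain));
    return 0;
}
```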
2006-12-04 Steven Sturges

    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    Configuration validation update.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    Additional updates for bounds checking.

    * src/detection-plugins/sp_isdataat.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Added an option to specify rawbytes for the buffer.

2006-11-30 Steven Sturges

    * src/tag.c:
    Fix logging of tagged packets when -G (event source ID) is used.

    * src/event.h:
    * src/snort_packet_header.h:
    * src/output-plugins/spo_unified.c:
    Fix unified to work correctly on 64bit platforms. Thanks Nikns Siankin for the report. Nikns provides a patch to barnyard that may be required to use this functionality on 64bit systems. Grab the patch from here: http://secure.lv/~nikns/stuff/barnyard_64bit.diff

    * src/snort.c:
    * src/snort.h:
    Reorganize code for inline fail-open to create pattern matcher rule groups in the thread.

    * src/util.c:
    Code cleanup.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    Fix segfault caused by integer overflow and add additional checks to protect against other underflow/overflow conditions.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    Add capability to have multiple application layer preprocessors store data within the stream to better handle autodetection and multi-protocol packets. Fix additional issue with high CPU and reprocessing rebuilt packets that are split across a sequence wrap.
2006-11-22 Steven Sturges

    * preprocessors/spp_stream4.c:
    Fix problem with snort using high CPU and reprocessing the same rebuilt packets at session end or ACK in middle of packet when there are gaps in the packet sequence.

2006-11-16 Andrew Mullican

    * etc/gen-msg.map:
    Add DCE/RPC preprocessor alert.

2006-11-07 Steven Sturges

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    Updates for printing of options and handling of memcap.

    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    Add print for config option.

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    Add UDP session tracking stats. Improved TCP Timestamp handling. Separate MacOS policy from BSD, as they differ slightly. Improved performance of session pruning.

    * src/snort.c:
    Updates to inline thread initialization.

2006-10-30 Steven Sturges

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    Fix debug prints.

    * src/detection-plugins/sp_isdataat.c:
    Fix problem with this option not being marked as relative when 'relative' is used. This change should've been made with changes for not rechecking non-relative options on 2006-08-16.

2006-10-27 Steven Sturges

    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    Output user-selected server profile at startup.

    * src/parser.c:
    Detect corrupt files and handle mixed windows and unix line endings.

    * doc/README.dcerpc:
    Update description of DCE/RPC auto-detect.
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    Fix various bugs relating to unicode, ntohs, bounds-checking, and SMB chained AndX commands.

    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    Print out memcap and max_frag_size on startup.

2006-10-23 Steven Sturges

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Updated stream4 documentation in the Snort manual to reflect new UDP options and inline option updates. Corrected error with event_queue parameter - changed max_events to max_queue.

    * doc/faq.tex:
    Updated FAQ to reflect disuse of ACID in favor of BASE. Added references to FLoP and Mudpit as output systems for Snort. Added references to two IDS books.

    * doc/README.decode:
    Added README file for the Snort decoder.

    * doc/README.stream4:
    Made minor changes to language.

    * etc/snort.conf:
    Added commented out decoder options with description - enable_decode_oversized_alerts and enable_decode_oversized_drops.

    * doc/README.http_inspect:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    Updated tab_uri_delimiter section in document to reflect deprecation. Removed the deprecated tab_uri_delimiter from server profiles since it's redundant with whitespace_chars.

    * src/preprocessors/snort_httpinspect.c:
    Allow user-specified ports to override internal defaults.

    * src/detection-plugins/sp_pattern_match.c:
    Fix error message with max pattern size.

    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
    Fix spelling of obsolete in macros.

    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    Fix spelling of DETECT_ANOMALIES macro.

    * src/profiler.c:
    Removed tabs from preprocessor stats output. Tabs aren't compliant with syslog RFC.
    * doc/README.ftptelnet:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Added documentation on Telnet configuration option detect_anomalies.

    * src/preprocessors/spp_stream4.c:
    Fixed potential for infinite loop when only part of a packet being used in reassembly is ACK'd.

    * src/preprocessors/perf-base.c:
    Fixed packet count stats when in readback mode.

2006-10-13 Steven Sturges

    * src/detection-plugins/sp_flowbits.c:
    Fixed an off-by-one error message that prevented the maximum number of flowbits from being used. Include number of flowbits used in summary of flowbits usage.

    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
    Fix parser to properly error if misconfigured ports.

    * src/decode.c:
    * src/decode.h:
    * src/parser.c:
    Added new config options "enable_decode_oversized_alerts" and "enable_decode_oversized_drops" to allow alerting on packets with extra bytes at the end of their payload.

2006-10-12 Steven Sturges

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * RELEASE.NOTES:
    Prepare for 2.6.1 RC.

    * configure.in:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    Start a thread if running in inline mode that passes traffic through once pcap is opened and snort is not ready to start inspection (ie, loading rules, creating pattern matcher, etc). Thread is terminated when snort is ready to process packets. Compiled in via --enable-inline-init-failopen option to configure script. Disable by --disable-inline-init-failopen commandline option or 'config disable_inline_init_failopen' in snort.conf/user.conf in the case that the interface is fail-closed. Requires libpthread.

    * src/parser.c:
    Require a sid for every rule.

    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    Verifies that the stream preprocessor is enabled. Version string bounds checking now uses the length of the version string versus the length of the entire payload.

    * src/preprocessors/snort_stream4_udp.c:
    Update UDP session stats (packet count, start/end time, bytes, etc).
    * doc/README.stream4:
    * doc/Makefile.am:
    Finally a description for Stream4. Thanks Todd!

    * src/parser.c:
    * src/signature.c:
    Allow for variable metadata in rule options. Ignore unknown metadata fields.

    * etc/gen-msg.map:
    * src/decode.c:
    * src/generators.h:
    Added additional TCP length checking and UDP length checking and new decode alerts for anomalous lengths.

2006-10-09 Steven Sturges

    * src/preprocessors/spp_stream4.c:
    Fix problem with reassembly of server side traffic. Thanks rmkml and Crusoe Researchers for notifying us of the issue.

    * src/preprocessors/spp_stream4.c:
    * src/generators.h:
    * etc/gen-msg.map:
    Fix Stream4 to handle duplicate SYN packets by purging existing packets queued for reassembly after the seq of the SYN. Also, properly handle retransmitted data that is overlapping the current packet and when trimmed overlapping the next packet.

2006-10-04 Steven Sturges

    * src/decode.c:
    Fixed issue in GRE code where data could potentially be dereferenced past the end of the packet.

    * src/parser.c:
    Fix log message.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    Add stats tracking for UDP sessions to perfmonitor and stream4's session stats (keepstats option). Update Stream4 to purge UDP session cache on a timeout basis, similar to the way TCP session cache is purged. Remove cache_clean_percent option.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    Fixes for CORE SMB fragmentation. Also, fix for perf-profiling.
2006-09-27 Steven Sturges

    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
      Fix issue with use of Stream4 cache_clean_percent option that
      resulted in a segfault when the max session limit was reached.
      Thanks to Jason Ish for reporting the problem.

    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * doc/README.http_inspect:
      Split the IIS profile in the HTTP inspect preprocessor into IIS,
      IIS4, and IIS5_0. IIS 4.0 and IIS 5.0 both support double decoding,
      but IIS 5.1 and beyond do not. Double decoding alerts are now
      disabled in the IIS profile, but remain enabled for the IIS 4.0 and
      IIS 5.0 profiles. Thanks to Pratap Ramamurthy for pointing out that
      IIS 5.1 does not support double decoding.

    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
      Fixed issue where iface_ADDRESS variable wasn't getting set before
      configuration file was read. Now all up interfaces will get a
      variable created. Note that these will NOT get set if the readmode
      flag is set. Thanks to Paul Melson for reporting the problem.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Handle reassembly of first packet for midstream pickups (first
      packet wasn't part of an established session at that point, so
      some rules might fail).

    * src/preprocessors/Stream5/snort_stream5_session.c:
      Fix handling of cache clean by percent.

    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
      Fix problem with relative options not being marked as relative (for
      distance/within keywords).

2006-09-21 Steven Sturges

    * src/generators.h:
    * src/snort.c:
    * src/sfutil/bitop_funcs.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update for GRE additions and compilation on Win32.

    * src/preprocessors/spp_stream4.c:
      Fix issue with alerts missing in DEBUG mode.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
      Fix signedness issue that caused HttpInspect to miss certain
      oversized chunk alerts.

    * src/sfutil/ipobj.c:
      Fix parsing that prevented multiple IP lists from being parsed
      correctly. This fixes a problem with sfportscan configuration when
      'watch_ip', 'ignore_scanners', and 'ignore_scanned' options are
      used together. Thanks to Rob Sharp and Husnu Demir for reporting
      the bug.

2006-09-18 Steven Sturges

    * configure.in:
    * doc/INSTALL:
    * gen-msg.map:
    * src/decode.c:
    * src/decode.h:
    * src/generators.h:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
      Added support to decode GRE encapsulated traffic. Only IP as
      transport protocol is supported and only one layer of encapsulation
      will be decoded - packets with multiple GRE headers will be
      discarded. Thanks Todd Wease (and welcome to the Snort team!) for
      this contribution.

    * configure.in:
    * doc/README.ARUBA:
    * doc/Makefile.am:
    * doc/snort_manual.tex:
    * src/plugbase.c:
    * src/output-plugins/Makefile.am:
    * src/output-plugins/spo_alert_arubaaction.c:
    * src/output-plugins/spo_alert_arubaaction.h:
      Added support for communication with an Aruba Networks wireless
      mobility authentication/access control system.

    * configure.in:
      GCC 4.x.x has strict aliasing on by default with optimization level
      2. However, Snort uses aliases in a number of places. configure now
      checks the gcc compiler version for 4 and disables strict aliasing
      with -fno-strict-aliasing. Thanks to Ronald Henderson and Keith
      Konecnik for simultaneously (and independently) discovering and
      reporting this issue.

2006-09-15 Steven Sturges

    * src/detection-plugins/sp_pattern_match.c:
      Cleanly fail with content patterns that are > 2048 bytes.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
      Fix memcap to be global. Turn off memcap alerts by default. Add
      config item to enable alerting on exceeded memcap.

    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/mpse.c:
      Code cleanup.

2006-09-13 Steven Sturges

    * src/decode.c:
    * src/decode.h:
    * src/log.c:
    * src/log.h:
    * src/generators.h:
    * etc/gen-msg.map:
      Added code to print original datagram for all ICMP error types if
      alerted on. Fix to print original datagram on alert if original
      datagram was ICMP. Thanks to John Papapanos for pointing out the
      above 2 issues. Added additional decoder alerts for ICMP error
      types. Removed fragtracking of ICMP original datagram - it never
      made sense since only an ICMP response to the first frag is ever
      returned. Fixed issue where data and size pointers were not set
      correctly for ICMP error types.

    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Remove checks for duplicate alerts within a given session, as this
      is now handled within the general alerting mechanism and session
      tracking.

    * src/parser.c:
      When a variable was redefined, a call to LogMessage() was missing a
      parameter. Thanks to Greg Baran for pointing this out.

2006-09-11 Steven Sturges

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Fix to remove uses of strlen or wcslen. Properly validate
      andXOffset. Fix bug in DCE/RPC fragment reassembly.
2006-09-07 Steven Sturges

    * src/util.c:
      Fix output for the USR1 signal when calculating statistics for pcap
      counts. Keep a tally of packets seen/dropped/etc and use deltas,
      rather than the 'most recent' value when determining percentages
      after each USR1 signal. Thanks to Colin Grady for pointing out the
      issue.

    * src/parser.c:
      Allow for a line without an end of line marker in snort.conf.

2006-09-06 Steven Sturges

    * src/decode.c:
    * src/detect.c:
    * src/log.c:
    * src/snort.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fix memory leak in ascii and cmg output modules. Remove calls to
      ClearDumpBuf() from related calls PrintIPPkt() and PrintNetData(),
      as it is no longer needed.

2006-08-31 Steven Sturges

    * rpm/snort.spec:
    * etc/snort.conf:
      Add DNS preprocessor to packaging and config.

    * doc/Makefile.am:
    * doc/README.stream5:
      Add Stream5 README.

2006-08-30 Steven Sturges

    * src/sfutil/ipobj.c:
      Additional fix for parsing of IP lists that are not space separated.

    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Treat spaces as part of a filename in 'string' parameter
      validation. Thanks Bamm Visscher for pointing out the issue.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
      Remove the ifdef'd splay tree code for packet and session storage.
      It has been replaced by a hash table and is no longer needed.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/stream5_common.h:
      Add a few functions to the Stream API to allow a protocol analyzer
      to change the reassembly characteristics (direction, flush policy)
      for an individual session.

    * configure.in:
    * doc/Makefile.am:
    * doc/README.dns:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * etc/gen-msg.map:
    * src/build.h:
    * src/debug.h:
    * src/generators.h:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dns/Makefile.am:
    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
      Add a dynamic preprocessor to decode and analyze DNS responses over
      TCP and UDP. The TCP portion is stateful and requires that stream
      is enabled.

2006-08-29 Steven Sturges

    * src/detection-plugins/sp_pattern_match.c:
      Fix unchecked free. Thanks Krzysztof Burghardt for pointing out
      the problem.

    * src/sfutil/acsmx2.c:
      Fixed off by one to sparse index calculation and off by 2 ps
      increment for SparseBands.

2006-08-24 Steven Sturges

    * src/fpcreate.c:
    * src/sfutil/mpse.c:
    * src/sfutil/Makefile.am:
      Fix issues with using lowmem. It was reporting an out of memory
      error. This was broken with the addition of the smaller memory
      Aho-Corasick pattern matcher.

2006-08-17 Steven Sturges

    * doc/README.dcerpc:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * etc/snort.conf:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
      Change config option max_memory to memcap for DCE/RPC.
2006-08-16 Steven Sturges

    * src/rules.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
      Resolve issue with rechecking rule options that follow a content or
      PCRE that are relative. Only recheck if the next option is
      relative. Thanks to Randy Smith for pointing out the issue.

    * configure.in:
      Enable dynamicplugins by default. Can override with
      --disable-dynamicplugin.

    * snort.8:
    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
    * doc/Makefile.am:
    * doc/README.ssh:
    * doc/README.dcerpc:
    * etc/snort.conf:
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Added SSH and DCE/RPC preprocessor sections and description of new
      command line options.

2006-08-15 Steven Sturges

    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
      Remove obsolete file.

    * src/preprocessors/Stream5/Makefile.am:
      Update to include header files.

    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
      Cleanup Win32 warnings.

    * src/sfutil/mpse.c:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
      Remove references to MWM and sfksearch.
2006-08-14 Steven Sturges

    * configure.in:
    * etc/gen-msg.map:
    * etc/snort.conf:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/dynamic-preprocessors/Makefile.am:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/spp_stream5.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/Makefile.am:
    * src/preprocessors/stream_api.h:
    * src/generators.h:
    * src/plugbase.h:
    * src/Makefile.am:
    * src/plugin_enum.h:
      New target-based Stream module. Moved flow & flowbits to be part of
      Stream API.
    * src/debug.h:
    * src/generators.h:
    * src/preprocids.h:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_file_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_file_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_file_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.h:
      New dynamic DCE/RPC protocol normalizer.

    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ssh/Makefile.am:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
    * src/dynamic-preprocessors/ssh/sf_preproc_info.h:
      New dynamic ssh protocol normalizer.

    * src/detection-plugins/sp_clientserver.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/snort_stream4_udp.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Stream4 UDP session tracking support. Reassembly performance
      improvements. Add ability to block TCP sessions.

    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
      Added RC4 dynamic rule option.
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/pcrm.c:
    * src/sfutil/Makefile.am:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
      Added smaller memory consumption pattern matcher.

    * src/decode.h:
    * src/fpdetect.c:
    * src/inline.c:
      Improved handling for stateless rules.

    * configure.in:
    * src/parser.c:
    * src/parser.h:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
      Remove use of ifdefs for rule state.

    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Add ability to give directory or specific library for dynamic
      engine.

    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Add alerts and normalization for telnet subnegotiation begin that
      doesn't have a matching end. Could result in an evasion over the
      FTP command channel.

    * src/snort.c:
    * src/snort.h:
    * src/util.c:
      Added counter for segments queued for reassembly.

    * src/snort.c:
    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
      Improved handling of different versions of same shared library.

    * src/detect.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/bmh.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/sfutil/acsmx.c:
      Code cleanup, 2.6.1 Beta prep.

2006-08-09 Steven Sturges

    * doc/faq.tex:
    * doc/faq.pdf:
      Add information on snort responding to kill signal.
2006-08-02 Steven Sturges

    * src/output-plugins/spo_alert_prelude.c:
      Update to provide links to Snort classification reference
      information. Thanks Yoann Vandoorselaere.

    * src/sfutil/ipobj.c:
      Fix parsing of IP lists that are not space separated.

    * src/configure.in:
      Update for HPUX 11.

    * src/snort.c:
    * src/util.c:
      Fix race condition with daemonization.

    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Update for shared library extensions on HP & MAC. Thanks J. Aaron
      Pendergrass for raising the HP issues and testing.

2006-07-25 Andrew Mullican

    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fix to HttpInspect to check for non-RFC whitespace (ie, CR) after
      URI.

    * src/preprocessors/spp_frag3.c:
      Eliminate spurious log messages.

2006-07-20 Steven Sturges

    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
      No longer require HELO (or EHLO) first in an SMTP conversation.
      Some servers (such as ArGoSoft) don't require it.

    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
      Handle normalization when Subnegotiation Begin doesn't have a
      matching Subnegotiation End command by normalizing just the begin.
      Thanks to Pratap Ramamurthy for pointing out the potential issue.

2006-07-14 Steven Sturges

    * src/decode.h:
    * src/detect.c:
    * src/fpdetect.c:
      Handle pass rule that hits a pipelined URI and an alert that
      matches a secondary pipelined URI.

    * src/preprocessors/spp_frag3.c:
      Fix issue with First policy when dealing with whole overlaps.
      Thanks Russ S for sending in the bug report.

    * src/preprocessors/spp_stream4.c:
      Performance improvement for logging tagged packets. Thanks Victor
      Julien for pointing out the area for improvement.

    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix potential access violation.

2006-07-12 Steven Sturges

    * src/output-plugins/s