2005-07-22 - Snort 2.4.0 Released

[*] Distribution Change
    * Rules are no longer distributed as part of the Snort releases, they are
      available as a separate download from snort.org.  This was done for 
      three reasons: 
        1) To better manage the new rules licensing.
        2) To reduce the size of the engine download.
        3) To move the thousands of documentation files for the rules into
           the rules tarballs.  If you've ever checked Snort out of CVS you'll
           know why this is a Good Thing.

[*] New additions
    * Added new IP defragmentation preprocessor, Frag3. The frag3 preprocessor 
      is a target-based IP defragmentation module, and is intended as a 
      replacement for the frag2 module.  Check out the README.frag3 for full
      info on this new preprocessor.

    * Libprelude support has been added (enable with --enable-prelude).
      Thanks Yoann Vandoorselaere!

    * An "ftpbounce" rule detection plugin was added for easier detection of
      FTP bounce attacks.

    * Added a new Snort config option, "ignore_ports," to ignore packets
      based on port number.  This is similar to bpf filters, but done within
      snort.conf.

[*] Improvements
    * Snort startup messages printed in syslog now contain a PID before each
      entry. Thanks Sekure for initially bringing this up.

    * Stream4: Performance improvements.
    
    * Stream4: Added 'max_session_limit' option which limits number of 
      concurrent sessions tracked.  Added favor_old/favor_new options that 
      affect order in which packets are put together for reassembly.  

    * Stream4: New configuration options to manage flushpoints for improved
      anti-evasion.  The flush_behavior option selects flushpoint management 
      mode.  New flush_base, flush_range, and flush_seed manage randomized 
      flushing.  Check out the snort.conf file for full config data on the 
      new flush options. 

    * Added two more alerts for BackOrifice client and server packets. This
      allows specific alerts to be suppressed.

    * PerfMon preprocessor updated to include more detailed stats for rebuilt
      packets (applayer, wire, fragmented & TCP). Also added 'atexitonly'
      option that dumps stats at exit of snort, and command line -Z flag to
      specify the file to which stats are logged.

    * Added new Http Inspect config item, "tab_uri_delimiter," which if
      specified, lets a tab character (0x09) act as the delimiter for a URI.

    * Added a '-G' command line flag to snort that specifies the Snort
      instance log identifier. It takes a single argument that can be either
      hex (prefaced with 0x) or decimal. The unified log files will include
      the instance ID when the -G flag is used.

    * "Same SRC/DST" (sid 527) and "Loopback Traffic" (sid 528) are now
      handled in the IP decoder. Those sids are now considered obsolete.

    * Http_Inspect "flow_depth" option now accepts a -1 value which tells
      Snort to ignore all server-side traffic.

    * RPMs have been updated to be more portable, and also now include a
      "--with inline" option for those wanting to build Inline RPMs. Thanks
      Daniel Wittenberg and JP Vossen for your help!

    * Many, many bug fixes have also gone into this release, please see the
      ChangeLog for details.