2022-05-13 Jaganmohanrao valluri snort 2.9.20

* src/dynamic-preprocessors/appid/service_plugins/service_ssl.c : Fixed a scenario where SSL traffic was not detected correctly.
* src/dynamic-preprocessors/smtp/snort_smtp.c : Fixed a possible memory corruption.
* src/dynamic-preprocessors/imap/imap_util.c, src/dynamic-preprocessors/pop/pop_util.c, src/dynamic-preprocessors/smtp/smtp_util.c, src/preprocessors/spp_httpinspect.c : Fixed malformed packet debug engine output.
* src/preprocessors/Stream6/snort_stream_tcp.c : Fixed security zones info in intrusion events.
* src/dynamic-preprocessors/appid/fw_appid.c : Fixed URL lookup failure.
* src/preprocessors/HttpInspect/server/hi_server.c : Fixed a possible memory leak.
* src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/fw_appid.h, src/dynamic-preprocessors/appid/detector_plugins/service_plugins/service_api.h : Added support for DNS root queries and underflow.
* src/dynamic-preprocessors/smtp/snort_smtp.c, src/Makefile.am, src/dynamic-examples/Makefile.am, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/smtp/snort_smtp.h, src/dynamic-preprocessors/smtp/spp_smtp.c, src/smtp_api.h : Added support to get extra data from SMTP and HTTP into the IPS event.
* src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c, src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c : Added support for login success and failure eventing for IMAP and POP3.
* src/dynamic-preprocessors/appid/hi_server.c : Added support to handle empty string for SNI/CN/SAN/ORG.

2021-12-01 Jaganmohanrao valluri snort 2.9.19

* src/snort.c : Fixed an issue where the verdict would be applied to the next session when a timeout occurs in some scenarios.
* rc/file-process/file_service.c : Removed an excessively flooding log.
* src/dynamic-preprocessors/modbus/modbus_decode.c : Fixed possible integer overflow.
* src/fpcreate.c : Added fix to GCC compiled snort to use the AC-BNFA-Q search-method when Intel-cpm is enabled.
* src/generators.h, src/preprocessors/Stream6/snort_stream_tcp.c : Added fix so that the TCP normalizer does not drop packets when the window size is 0, and added a new alert with GID 129 and SID 21 when such packets are seen.
* src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c, src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c : Added support for Appid to detect login success and failure for IMAP and POP3 protocols.
* src/dynamic-preprocessors/reputation/reputation_config.c, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/reputation/spp_reputation.h, src/pkt_tracer.c, src/snort.c, src/util.c : Fixed terminology to be bias-free in log/error messages.
* src/snort.c : Fixed a potential race condition.

2021-08-17 Jaganmohanrao valluri snort 2.9.18.1

* snort/src/dynamic-preprocessors/dcerpc2/dce2_smb.c : Fixed possible memory corruption in SMB preprocessor.

2021-05-26 Ramachandrareddy Dhanireddy snort 2.9.18

* src/file-process/file_service.c, src/generators.h, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h : Added range field support in HTTP preprocessor.
* src/preprocessors/HttpInspect/client/hi_client.c : Added alert for HTTP chunk size mismatch.
* src/detection-plugins/detection_leaf_node.c : Fixed a condition in which an alert would not be generated.
* src/dynamic-preprocessors/appid/service_plugins/service_snmp.c : Added support to detect SNMP 'report pdu'.
* src/dynamic-preprocessors/dcerpc2/dce2_paf.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.h : Fixed possible memory corruption in SMB preprocessor.
* src/preprocessors/Stream6/snort_stream_icmp.c, src/preprocessors/Stream6/stream_common.h, src/preprocessors/spp_stream6.c : Fixed handling of ICMP error code -4.
* src/dynamic-preprocessors/dcerpc2/dce2_memory.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/memory_stats.c : Added additional stats for SMB preprocessor.
* src/dynamic-preprocessors/appid/appInfoTable.c : Fixed an error when the debugmsgs option is enabled in compilation.

2021-03-19 Divakar Y snort 2.9.17.1

* src/preprocessors/Stream6/snort_stream_tcp.c : Fixed wrong reference to configuration during reload.
* src/dynamic-preprocessors/appid/fw_appid.c : Fixed possible memleak in appid.
* src/detect.c, src/preprocessors/snort_httpinspect.c : Fixed a race condition in HTTP preproc and IPS.
* configure.in : Fixed compilation issues when intel-soft-cpm is enabled.
* src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/Stream6/stream_common.h, src/preprocessors/spp_stream6.c : Fixed a race condition in stream preproc.

2020-10-30 Divakar Y snort 2.9.17

* src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/spp_stream6.c : Fixed memory leak in reassembly networks and ports config during reload.
* src/file-process/file_resume_block.c, src/file-process/file_service.c, src/file-process/file_lib.c, src/file-process/file_lib.h : Fixed resume-block for SMBv2 partial content retry and pending verdicts.
* src/win32/WIN32-Prj/snort_installer.nsi : Added user visible message to choose 4.1.1 or any higher version of winpcap, in the Windows 32 installer.
* src/win32/WIN32-Prj/snort_installer_x64.nsi, src/win32/WIN32-Prj/snort_installer.nsi : Fixed popup message that was not honoring the Windows silent uninstaller option.
* src/preprocessors/snort_httpinspect.c : Fix to populate original client IP for drop events when inline normalization is disabled.
* src/dynamic-preprocessors/appid/luaDetectorApi.c : Fixed AppID caching proxy IP instead of tunneled IP in the dynamic cache during ultrasurf traffic.
* src/detection-plugins/sp_react.c, src/dynamic-preprocessors/sdf/spp_sdf.c, src/parser.c, src/preprocessors/Stream6/snort_stream_tcp.c, tools/u2streamer/Unified2File.c, src/dynamic-preprocessors/appid/luaDetectorApi.c, src/dynamic-preprocessors/appid/appInfoTable.c, snort/src/dynamic-plugins/sf_dynamic_plugins.c, src/memory_stats.c, src/sfutil/sfportobject.c, src/snort.h : Fixed multiple static analysis issues.
* src/dynamic-preprocessors/appid/appInfoTable.c : Fixed a potential race condition.
* configure.in, src/reload.c : Fix to not rely on the last-modified-time for loading the dynamic detection libs.
* src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c, src/file-process/file_capture.c, src/file-process/file_resume_block.c, src/file-process/file_segment_process.c, src/file-process/file_service.c : Added debug messages in file-process packet flow.
* src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c : Fix to address cases of ambiguous codes between SMTP & FTP and when SMTP server does not support EHLO.
* src/file-process/file_segment_process.c : Fixed issue of generating multiple events for a single file transfer over SMB.
* src/dynamic-preprocessors/appid/appIdConfig.h, src/dynamic-preprocessors/appid/appInfoTable.c, src/dynamic-preprocessors/appid/appInfoTable.h, src/dynamic-preprocessors/appid/flow.h, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/flow.h : Fixed false positives for ultrasurf.
* src/dynamic-preprocessors/sip/spp_sip.c : Fixed SIP pre-processor to detect SSL encrypted SIP traffic better.
* src/dynamic-preprocessors/appid/luaDetectorApi.c, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/file-process/file_service.c, src/generators.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_client.h, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/include/hi_server.h, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h : Added support for HTTP range field parsing to detect if an HTTP response/request is indeed partial or full content.
* src/preprocessors/spp_session.c : Fixed TCP memcap oversize.
* src/dynamic-preprocessors/dcerpc2/dce2_stats.h, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/ftptelnet/ftpp_si.c, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/client/hi_client_norm.c, src/preprocessors/HttpInspect/include/hi_include.h, src/preprocessors/HttpInspect/include/hi_paf.h, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/Stream6/snort_stream_icmp.c, src/preprocessors/Stream6/snort_stream_icmp.h, src/preprocessors/Stream6/snort_stream_ip.c, src/preprocessors/Stream6/snort_stream_ip.h, src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/Stream6/snort_stream_tcp.h, src/preprocessors/Stream6/snort_stream_udp.c, src/preprocessors/Stream6/snort_stream_udp.h, src/preprocessors/Stream6/stream_common.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_httpinspect.h, src/preprocessors/spp_stream6.c, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/fw_appid.h, src/dynamic-preprocessors/appid/spp_appid.c : Enhanced statistics dumped during snort exit and SIGUSR1.
* src/dynamic-preprocessors/imap/imap_paf.c, src/dynamic-preprocessors/imap/snort_imap.h, src/dynamic-preprocessors/pop/pop_paf.c, src/dynamic-preprocessors/pop/snort_pop.h, src/dynamic-preprocessors/sip/spp_sip.h, src/dynamic-preprocessors/smtp/smtp_paf.c, src/dynamic-preprocessors/smtp/snort_smtp.h, src/dynamic-preprocessors/appid/flow.h, src/dynamic-preprocessors/appid/service_plugins/service_ssl.c, src/dynamic-preprocessors/dcerpc2/dce2_list.h, src/dynamic-preprocessors/ftptelnet/ftpp_si.h, src/file-process/file_segment_process.h, src/file-process/libs/file_lib.h, src/preprocessors/sip_common.h, src/preprocessors/snort_httpinspect.h : Optimized structures in several preprocessors.
* src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.h, src/file-process/file_service.c : Fixed SMBv1 file block for pending verdict retry packets.
* src/dynamic-preprocessors/dcerpc2/dce2_smb.c : Fixed SMBv1 unknown file size upload block.
* src/detect.c, src/detect.h, src/parser.c, src/parser.h, src/preprocessors/Session/session_common.h, src/preprocessors/Stream6/snort_stream_udp.c, src/preprocessors/Stream6/snort_stream_udp.h, src/preprocessors/spp_stream6.c, src/preprocessors/Stream6/stream_common.c, src/preprocessors/Stream6/stream_common.h, src/preprocessors/spp_stream6.c, src/reload.c, src/snort.c, src/snort.h : Fixed incorrect filtering of UDP traffic when "ignore_any_rules" is configured.
* src/detection-plugins/sp_session.c, src/detection-plugins/sp_session.h, src/sfutil/util_jsnorm.c : Fixed GCC 10.1.1 compilation issues.
* src/decode.c, src/decode.h, src/log_text.c, src/log.c, src/preprocessors/Stream6/snort_stream_tcp.c : Added support to detect TCP Fast Open packets.
* src/preprocessors/Stream6/snort_stream_tcp.c : Fixed TCP segment queue hole issue as per the RFC 793 recommendation for out-of-order ACK packet handling.
* src/detection-plugins/detection_leaf_node.c, src/detection-plugins/detection_options.c, src/dynamic-preprocessors/appid/appInfoTable.c, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/service_plugins/service_base.c, src/dynamic-preprocessors/appid/service_plugins/service_ftp.c, src/dynamic-preprocessors/appid/service_plugins/service_rexec.c, src/dynamic-preprocessors/appid/service_plugins/service_rpc.c, src/dynamic-preprocessors/appid/service_plugins/service_rshell.c, src/dynamic-preprocessors/appid/service_plugins/service_snmp.c, src/dynamic-preprocessors/appid/service_plugins/service_tftp.c, src/dynamic-preprocessors/ftptelnet/ftpp_si.c, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, src/fpcreate.c, src/parser.c, src/preprocessors/Session/session_common.h, src/preprocessors/spp_session.c, src/reload.c, src/snort.c : Fixed build when some configure options were disabled.
* src/detection-plugins/sp_byte_math.c : Fixed byte_math multiplication integer overflow.
* src/dynamic-preprocessors/appid/appId.h, src/dynamic-preprocessors/appid/service_plugins/service_ssl.c : Fix to include port 853 in the SSL detector, since DNS over TLS runs on SSL.
* src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/appid/Makefile_defs, src/dynamic-preprocessors/appid/luaDetectorApi.c, src/dynamic-preprocessors/appid/util/common_util.h : Fix for excessive logging of lua detector invalid LUA (null).
* snort/src/detection-plugins/sp_byte_check.c, src/detection-plugins/sp_byte_extract.c, src/detection-plugins/sp_byte_jump.c, src/detection-plugins/sp_byte_math.c, src/detection-plugins/sp_byte_math.h, src/detection-plugins/sp_isdataat.c, src/detection-plugins/sp_pattern_match.c : Added support for allowing common names across rule options.
* src/memory_stats.c : Removed a redundant log.
* spp_sip.c : Fixed handling of encrypted traffic by the SIP preprocessor.
* snort/configure.in, snort/doc/README.s7commplus, snort/etc/sf_rule_options, snort/etc/sf_rule_validation.conf, snort/src/dynamic-preprocessors/Makefile.am, snort/src/dynamic-preprocessors/s7commplus/Makefile.am, snort/src/dynamic-preprocessors/s7commplus/s7comm_decode.c, snort/src/dynamic-preprocessors/s7commplus/s7comm_decode.h, snort/src/dynamic-preprocessors/s7commplus/s7comm_paf.c, snort/src/dynamic-preprocessors/s7commplus/s7comm_paf.h, snort/src/dynamic-preprocessors/s7commplus/s7comm_roptions.c, snort/src/dynamic-preprocessors/s7commplus/s7comm_roptions.h, snort/src/dynamic-preprocessors/s7commplus/spp_s7comm.c, snort/src/dynamic-preprocessors/s7commplus/spp_s7comm.h, snort/src/generators.h, snort/src/preprocids.h : Added support for the s7Commplus protocol.
* src/preprocessors/Stream6/snort_stream_tcp.c : Fixed out-of-order FIN packet leading to segment trimming.
* src/output-plugins/spo_unified2.c, src/preprocessors/Stream6/snort_stream_tcp.c : Fix to populate original IP in dropped events when inline normalization is enabled.
* snort/src/sfutil/sf_ip.h : Fixed compiler warnings.
* src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c : Fixed DNS application detector failing to detect DNS traffic in some scenarios.

2020-07-24 Hariharan Chandrashekar snort 2.9.16.1

* src/dynamic-preprocessors/appid/appIdConfig.h, src/dynamic-preprocessors/appid/appInfoTable.c, src/dynamic-preprocessors/appid/flow.h, src/dynamic-preprocessors/appid/fw_appid.c : Added packet counters to make sure flows with one-way data don't pend forever.
* src/detection-plugins/sp_flowbits.c, src/snort.c : Fixed potential race condition between reload and exit path.
* src/detection-plugins/sp_session.c, src/preprocessors/Stream6/stream_paf.h, src/sfutil/util_jsnorm.c : Added support for GCC version 10.1.1.
2020-03-15 Hariharan Chandrashekar snort 2.9.16

* src/preprocessors/Stream6/snort_stream_tcp.c : Addressed an issue when an out-of-order FIN is received by dropping it.
* src/output-plugins/spo_unified2.c, src/preprocessors/Stream6/snort_stream_tcp.c : Fixed an issue in which xtradata is not added to the alert in the unified file.
* src/reload.c, src/snort.c : Fixed potential race condition between reload and exit path (main thread).
* etc/file_magic.conf : Updated the file magic to detect ALZ file types.
* src/sfutil/sf_ip.h : Added support for gcc version 9.2.1.
* src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c : Fixed an issue in which APPID returns no match.
* src/dynamic-preprocessors/dcerpc2/sf_dce2.vcxproj, src/dynamic-preprocessors/dnp3/sf_dnp3.vcxproj, src/dynamic-preprocessors/dns/sf_dns.vcxproj, src/dynamic-preprocessors/dynamic_preprocessors.vcxproj, src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.vcxproj, src/dynamic-preprocessors/gtp/sf_gtp.vcxproj, src/dynamic-preprocessors/imap/sf_imap.vcxproj, src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.vcxproj, src/dynamic-preprocessors/modbus/sf_modbus.vcxproj, src/dynamic-preprocessors/pop/sf_pop.vcxproj, src/dynamic-preprocessors/reputation/sf_reputation.vcxproj, src/dynamic-preprocessors/sdf/sf_sdf.vcxproj, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.vcxproj, src/dynamic-preprocessors/sip/sf_sip.vcxproj, src/dynamic-preprocessors/smtp/sf_smtp.vcxproj, src/dynamic-preprocessors/ssh/sf_ssh.vcxproj, src/dynamic-preprocessors/ssl/sf_ssl.vcxproj, src/win32/WIN32-Prj/build_all.vcxproj, src/win32/WIN32-Prj/sf_engine.vcxproj, src/win32/WIN32-Prj/sf_engine_initialize.vcxproj, src/win32/WIN32-Prj/snort.vcxproj, src/win32/WIN32-Prj/snort_initialize.vcxproj, src/win32/WIN32-Prj/snort_installer_x64.nsi, src/win32/WIN32-Prj/snort_x64.dsw, src/win64/WIN64-Libraries/Packet.lib, src/win64/WIN64-Libraries/libdnet/dnet.lib, src/win64/WIN64-Libraries/pcre.lib, src/win64/WIN64-Libraries/wpcap.lib, src/win64/WIN64-Libraries/zlib.lib, tools/u2spewfoo/u2spewfoo.vcxproj : Added 64-bit support for Windows 10 operating system.
* src/dynamic-preprocessors/pop/snort_pop.c : Fixed an issue where POP preprocessor was not generating alert in some cases.
* src/dynamic-preprocessors/gtp/gtp_parser.c : Fixed the alerting logic for GTP v2 with missing TEID.
* src/preprocessors/HttpInspect/utils/hi_paf.c : Fixed file policy not working with character prefix in chunk size.
* configure.in, src/reload.c, src/side-channel/sidechannel.c, src/snort.c, src/target-based/sftarget_reader.c, src/util.h : Added support for glibc version 2.30.
* src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/Stream6/stream_paf.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/stream_api.h : Added support for early inspection of HTTP payload before flushing in pre-ack mode.
* src/file-process/file_api.h, src/file-process/file_service.c, src/preprocessors/HttpInspect/include/hi_norm.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/server/hi_server_norm.c, src/preprocessors/snort_httpinspect.c : Normalize randomly encoded nulls interspersed in the HTTP server response to UTF-8.

2019-12-15 Hariharan Chandrashekar snort 2.9.15.1

* src/file-process/file_ss.c : Fixed the right order of precedence. Thanks to David Binderman for reporting this.
* src/dynamic-preprocessors/ssl_common/ssl_config.c : Fixed snort core seen during ssl re-configuration.
* src/fpdetect.c, src/log_text.c, src/profiler.h : Fixed compiler warnings.
* src/file-process/file_segment_process.c : Fixed file access issues on files from SMB share.
* configure.in, src/reload.c, src/side-channel/sidechannel.c, src/snort.c, src/target-based/sftarget_reader.c, src/util.h : Added support for glibc version 2.30.

2019-10-02 Hariharan Chandrashekar snort 2.9.15

* src/snort.c, src/control/sfcontrol.c, src/preprocessors/Session/stream5_ha.c, src/preprocessors/session_api.h, src/dynamic-plugins/sp_dynamic.c : Fixed a potential race condition.
* src/detect.c : Fixed static analysis issues.
* src/detect.c, src/detect.h, src/file-process/file_service.c, src/reload.c, src/sfdaq.h, src/snort.c, src/snort.h : Added new debugs to print detection, file_processing and preproc time consumption info and verdict.
* src/dynamic-preprocessors/appid/fw_appid.c : Added NULL check before dereferencing tcp_header.
* src/file-process/libs/file_lib.h, src/sfdaq.h : Fix to make daq_pktHdr globally visible and removed the extra Packet variable from the FILE_PKT_DEBUG macro.
* snort/etc/file_magic.conf : Added support to detect new Korean file formats .egg and .alz to the file preprocessor.
* src/dynamic-preprocessors/gtp/gtp_parser.c, src/dynamic-preprocessors/gtp/spp_gtp.h : Fix to generate an ALERT if the TEID value is zero in GTP v1 and v2 packets.
* src/detect.c : Added a check for whether detection is enabled before printing the packet latency trace.
* src/file-process/file_capture.c, src/file-process/file_mime_process.c, src/file-process/file_resume_block.c, src/file-process/file_segment_process.c, src/file-process/file_service.c, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/sfdaq.h : Added debug messages in file-process packet flow.
* src/dynamic-plugins/sp_dynamic.c, src/reload.c, src/reload.h, src/snort.c : Fixed dynamic rules from getting disabled after multiple reloads.
* src/pkt_tracer.c : Fix to print packet trace information in the direction of the packet on the wire.
* etc/file_magic.conf : Added new file magic to detect RAR file-type.
* src/dynamic-plugins/sf_dynamic_preprocessor.h : Updated preproc version.
* src/dynamic-plugins/sf_dynamic_preprocessor.h : Provided an API to query non-flow related information from DAQ.
* src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/sfdaq.c, src/sfdaq.h : Added a generic API, DAQ_Ioctl, for dynamic preprocs to use for various DAQ CLIs.
* src/dynamic-preprocessors/appid/Makefile_defs, src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c, src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c, src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c, src/dynamic-preprocessors/appid/service_plugins/service_base.h, src/dynamic-preprocessors/appid/service_plugins/service_ftp.c, src/dynamic-preprocessors/appid/service_plugins/service_netbios.c, src/dynamic-preprocessors/appid/service_plugins/service_nntp.c : Fix to whitelist FTP data sessions when no file policy exists.
* src/dynamic-preprocessors/appid/fw_appid.c : Fixed -Wparentheses warning.
* src/dynamic-preprocessors/appid/fw_appid.c : Fixed the algorithm that triggers port-only detection.
* src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/include/hi_paf.h, src/preprocessors/HttpInspect/utils/hi_paf.c : Fixed an issue where HTTP was wrongly processing non-HTTP traffic on port 443.
* src/dynamic-preprocessors/appid/appIdConfig.h, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/service_plugins/service_base.c, src/dynamic-preprocessors/appid/service_plugins/service_base.h : Fixed IPS alert generation for ICMP packets.
* src/file-process/file_resume_block.c : Fixed signature lookup when the context is not present.
* src/preprocessors/HttpInspect/utils/hi_paf.c : Added a new state to handle HTTP responses that have no status message following the status code.
* src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h : Added DPD callbacks for receiving the FTP transfer mode before generating file events.
* snort/etc/file_magic.conf : Fixed RTF file magic to a more generic value.
* src/preprocessors/spp_httpinspect.c : Added debug logs during HTTP reload.
* src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c : Fix to bypass munmap if shmemSegptr points to zeroSegptr.
* src/parser.c : Added rule SID check during Snort validation.
* src/pkt_tracer.c : Corrected endianness representation for some of the parameters in the debug log.

2019-07-26 Hariharan Chandrashekar snort 2.9.14.1

* src/sfdaq.c : Fixed packet drop scenario.

2019-04-23 Hariharan Chandrashekar Snort 2.9.14.0

All files: updated copyright to 2019.
* src/build.h : Updated build number to 15003.
* src/dynamic-preprocessors/appid/fw_appid.c : Fix to block HTTPS traffic going through a proxy.
* src/dynamic-preprocessors/appid/fw_appid.c : Reset NAVL packet counters when shifting to a new req/resp.
* src/file-process/file_ss.c : Fixed enabling side channel during some race conditions.
* src/appIdApi.h, src/dynamic-preprocessors/appid/detector_plugins/detector_http.c, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/thirdparty_appid_types.h : Improved AppId detection for proxied traffic.
* src/control/sfcontrol.c, src/preprocessors/spp_httpinspect.c, src/detection-plugins/sp_isdataat.c, src/detection-plugins/sp_isdataat.h, src/preprocessors/HttpInspect/include/hi_eo_log.h, src/dynamic-preprocessors/appid/luaDetectorModule.c, src/dynamic-preprocessors/appid/detector_plugins/detector_cip.c, src/file-process/file_resume_block.c, src/file-process/file_service.h, src/file-process/file_service_config.c, src/file-process/file_ss.c, src/file-process/file_ss.h, src/file-process/libs/file_config.h, src/reload.c, src/snort.c : Fixed potential race conditions across the snort code base.
* src/dynamic-preprocessors/appid/hostPortAppCache.c : Added support for wild card port numbers in host cache and overwriting port service AppId.
* src/preprocessors/HttpInspect/utils/hi_paf.c : Fixed the chunk extensions parsing in HTTP responses, leading to the correct construction of the PDU.
* src/preprocessors/Stream6/snort_stream_tcp.c : Fixed missing inspection for out-of-order HTTP flows.
* src/dynamic-preprocessors/appid/appInfoTable.c : Allow spaces in appid.conf and userappid.conf.
* src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c : Added support for new STLS client patterns to help better detect POP3S over SSL.
* src/dynamic-preprocessors/dcerpc2/dce2_smb2.c, src/file-process/file_segment_process.c : Fixed decrement of the segment_mem_in_use counter when no pruning is done.
* doc/README.http_inspect, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/utils/hi_paf.c : Fixed HTTP issue caused by invalid versions.
* src/parser.c : Fixed static analysis issues.
* src/decode.c : Removed duplicate length checks when decoding IPv6 extensions.
* src/preprocessors/sfprocpidstats.c : Changed sfprocpidstat to calculate CPU statistics when the --suppress-config-log option is not supplied.
* src/file-process/libs/file_lib.h : Reset the max file id's default value.
* src/dynamic-preprocessors/appid/appId_ss.c, src/dynamic-preprocessors/appid/appInfoTable.c : Log the aggressiveness setting for BitTorrent, Ultrasurf, Psiphon, and fix parentheses in an 'if' condition.
* src/dynamic-preprocessors/appid/service_plugins/service_ftp.c : Fixed FTP detection issues when a multi-line server response is split across multiple packets.
* src/dynamic-preprocessors/appid/appIdConfig.c, src/dynamic-preprocessors/appid/appIdConfig.h, src/dynamic-preprocessors/appid/commonAppMatcher.c, src/dynamic-preprocessors/appid/spp_appid.c, src/dynamic-preprocessors/appid/thirdparty_appid_api.h, src/dynamic-preprocessors/appid/thirdparty_appid_utils.c : Added a new AppId preproc config option which specifies the path to NAVL related configuration.
* src/dynamic-preprocessors/appid/fw_appid.c : Fix to set TOR as payloadAppId if NAVL detects it over an HTTP SSL tunnel.
* src/dynamic-preprocessors/imap/imap_config.c, src/dynamic-preprocessors/pop/pop_config.c, src/dynamic-preprocessors/smtp/smtp_config.c, src/file-process/file_api.h, src/file-process/file_mime_config.c, src/file-process/file_mime_config.h, src/preprocessors/perf_indicators.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_httpinspect.c : Fix Snort2 with a newer ICC without fixing the [bad] binary-crossing strtok assumptions.
* src/preprocessors/spp_sfportscan.c : Fix for filling the ip4hdr in the port scan packet creation.
* src/checksum.h, src/encode.c : Updated the checksum correctly for reset and locally modified packets for GRE flow.
* src/preprocessors/Stream6/snort_stream_tcp.c : Fixed issue in handling TCP timestamp options in Snort.
* src/dynamic-preprocessors/appid/fw_appid.c : Fixed compilation warning.
* src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/sdf/spp_sdf.c, src/dynamic-preprocessors/sdf/spp_sdf.h : Fixed Sensitive Data threshold configuration.
* src/dynamic-preprocessors/appid/fw_appid.c, src/preprocessors/Session/session_expect.c : Fix for setting application_protocol_ordinal by the caller.
* src/file-process/file_resume_block.c, src/file-process/file_ss.c : Removed unused variables.
* src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c : Added support for detecting the Mac based Microsoft Outlook SMTP client application.
* src/dynamic-preprocessors/sip/sip_config.c : Fixed policy deployment failure due to SIP preprocessor config validation.
* src/dynamic-preprocessors/appid/luaDetectorApi.c : Included more information in lua errors while loading patterns.
* src/dynamic-preprocessors/sdf/sdf_credit_card.c, src/dynamic-preprocessors/sdf/sdf_pattern_match.c : Fix to treat any PII not followed by a non-digit as a full pattern match and fire an alert.
* src/dynamic-preprocessors/reputation/shmem/shmem_lib.c : Fixed snort process exit when processing reputation if another snort was launched that does the same work.
* src/preprocessors/Stream6/snort_stream_tcp.c : Fix to not flush the urgent data to preprocs and to trim the segment.
* src/dynamic-preprocessors/appid/appIdApi.c : Stop marking the HTTP inspection as done if the SSL detector is in progress and no URL is extracted.
* src/dynamic-preprocessors/appid/service_plugins/service_rexec.c, src/dynamic-preprocessors/appid/service_plugins/service_rshell.c : Set the AppId for rsh/rexec control sessions initially to allow the data session, and do the rest of the validation later.
* src/control/sfcontrol.h, src/preprocessors/spp_perfmonitor.c : Fix for enabling flow profiling mode without restarting the snort detection engine.
* src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/include/hi_client.h : Fixed x-forward-for-like headers when there are multiple proxies.
* src/file-process/file_service.c : Fix to update the file_config when we update the file_context.
* src/dynamic-preprocessors/appid/service_plugins/service_base.c : Fix to prevent re-allocation of memory for SMB AppId data.
* src/dynamic-preprocessors/Makefile.am : Add -f option to the mv command to fix make distcheck failure during file overwrite.
* doc/README.http_inspect, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/preprocessors/HttpInspect/utils/hi_paf.c : Added a new preprocessor alert, 120:27, raised when there is no proper end of header.
* src/preprocessors/Stream6/snort_stream_tcp.c : Fixed uninitialized members of StreamTracker for midstream sessions.
* src/preprocessors/session_api.h, src/preprocessors/spp_session.c : Removed blocklist timeout code.
* src/preprocessors/spp_session.c : Fix for snort to check for expired sessions and stop matching new packets with expired sessions.
* src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/snort.c : Fix to get DAQ capabilities for snort firewall in an optimized way.
* tools/appid_detector_builder.sh : Fixed API name used by the OpenAppId LUA detector builder.
* src/dynamic-preprocessors/appid/luaDetectorApi.c, src/dynamic-preprocessors/appid/luaDetectorModule.c : Lock LUA detectors during snort reload free.
* src/dynamic-preprocessors/appid/luaDetectorApi.c, src/dynamic-preprocessors/appid/luaDetectorFlowApi.c, src/dynamic-preprocessors/appid/service_plugins/service_ssl.c : Set AppId for RSHELL/REXEC stderr data sessions.
* src/memory_stats.c, src/memory_stats.h, src/snort.c, src/preprocessors/HttpInspect/client/hi_client.c, src/dynamic-preprocessors/appid/luaDetectorModule.c, src/dynamic-preprocessors/appid/service_plugins/service_rpc.c, src/dynamic-preprocessors/appid/spp_appid.c, src/dynamic-preprocessors/appid/service_plugins/service_base.c : Fixed issues reported by valgrind.
* src/dynamic-preprocessors/appid/appIdApi.c, src/dynamic-preprocessors/appid/fw_appid.c : Fix for FTP active detection issues in case of multi-line server responses.
* src/dynamic-preprocessors/ftptelnet/ftpp_si.h, src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, src/file-process/file_api.h, src/file-process/file_resume_block.c, src/file-process/file_resume_block.h, src/file-process/file_segment_process.c, src/file-process/file_service.c, src/preprocessors/Stream6/snort_stream_tcp.c : Fixed file policy with the rule "block with reset" that was not blocking the file upload.
* src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c : Fixed snort process exit while processing Security Intelligence.

2019-03-21 Bhumika Sachdeva Snort 2.9.13.0

* src/dynamic-preprocessors/sip/sip_config.c : Changed the number of max sessions SIP can handle.
* src/dynamic-preprocessors/appid/luaDetectorModule.c : Fixed an issue in loading a bunch of lua detectors.
* src/dynamic-preprocessors/sdf/sdf_credit_card.c, src/dynamic-preprocessors/sdf/sdf_pattern_match.c : Fixed an issue with processing of pattern matching.
* src/dynamic-preprocessors/appid/appIdApi.c : Fixed an issue with HTTP inspection in case the SSL detector is in process and no URL has been extracted.
* src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/include/hi_client.h : Fixed x-forward-for-like headers in case of multiple proxies.
* src/preprocessors/Stream6/snort_stream_tcp.c : Blocking the flush of urgent data to preprocs and trimming of segment in case urgent flag is set and urgent pointer > 0. * src/dynamic-preprocessors/appid/service_plugins/service_rexec.c, src/dynamic-preprocessors/appid/service_plugins/service_rshell.c : Set the AppId for rsh/rexec control sessions initially to allow the data session and doing the rest of the validation. * src/file-process/file_service.c : Fixed the Snort process failure while processing file policy on SMB2 traffic. * src/dynamic-preprocessors/appid/service_plugins/service_base.c : Modified the prevention of re-allocation of memory for SMB AppId data. * src/dynamic-preprocessors/appid/luaDetectorModule.c, src/dynamic-preprocessors/appid/service_plugins/service_base.c : Fixed memory leak issues. * src/control/sfcontrol.c, src/detection-plugins/Makefile.am, src/dynamic-examples/Makefile.am, src/dynamic-plugins/Makefile.am, src/dynamic-plugins/sf_decompression_define.h, src/dynamic-plugins/sf_dynamic_decompression.c, src/dynamic-plugins/sf_dynamic_decompression.h, src/dynamic-plugins/sf_dynamic_detection.h, src/dynamic-plugins/sf_dynamic_engine.h, src/dynamic-plugins/sf_dynamic_meta.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-plugins/sf_dynamic_side_channel.h, src/dynamic-plugins/sf_engine/bmh.c, src/dynamic-plugins/sf_engine/examples/12759.c, src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h, src/dynamic-plugins/sf_engine/examples/rule_storeandforward.c, src/dynamic-plugins/sf_engine/examples/rule_storeandforward2.c, src/dynamic-plugins/sf_engine/sf_decompression.c, src/dynamic-plugins/sf_engine/sf_decompression.h, src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h, src/dynamic-plugins/so_rule_mem_adjust.h, src/dynamic-plugins/sp_dynamic.c, 
src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/appid/service_plugins/service_netbios.c, src/dynamic-preprocessors/appid/service_plugins/service_rpc.c, src/dynamic-preprocessors/appid/thirdparty_appid_utils.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/includes/smb.h, src/dynamic-preprocessors/sip/sip_dialog.c, src/dynamic-preprocessors/sip/sip_roptions.c, src/preprocessors/HttpInspect/utils/hi_util_hbm.c, src/preprocessors/spp_arpspoof.c, src/reload.c, src/snort.c, src/snort.h, snort_build/Makefile.common, snort_build/common-snort-opts.makefile : Snort now supports reload on snort rules update. * configure.in, src/control/sfcontrol.c : Addressed FreeBSD Build error. * src/preprocessors/perf-base.c : Fixed an issue with Inspection engine performance statistics showing 0 drops in case of non-zero drops. * src/control/sfcontrol.c : Fixed an issue where snort was stuck in cleanup. * preproc_rules/preprocessor.rules, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/utils/hi_paf.c : Handling of junk characters after chunk size in HTTP response. * src/detection-plugins/sp_byte_math.c : Handled a zero value case with division operator. * src/preprocessors/Stream6/snort_stream_tcp.c : Updated TCP policy for client and server session while flushing the client or server segment list. * doc/README.http_inspect, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/utils/hi_paf.c : Handled a new pre-processor alert in case of improper end of HTTP header. * src/dynamic-preprocessors/reputation/shmem/shmem_lib.c, src/detection-plugins/sp_isdataat.c, src/detection-plugins/sp_isdataat.h : Fixed a potential race condition. 
* src/dynamic-preprocessors/appid/appIdStats.c, src/dynamic-preprocessors/appid/appInfoTable.c, src/dynamic-preprocessors/appid/detector_plugins/detector_http.c, src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/service_plugins/service_ssh.c, src/dynamic-preprocessors/appid/service_plugins/service_ssl.c, src/dynamic-preprocessors/appid/thirdparty_appid_utils.c, src/dynamic-preprocessors/dnp3/spp_dnp3.c, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/sfutil/bnfa_search.c, src/sfutil/sf_textlog.c : Validation of malloc return values. * src/preprocessors/sfprocpidstats.c : Modified the sfprocpidstat to only calculate CPU statistics when --suppress-config-log option is not supplied. 2018-09-18 Puneeth Kumar C V Snort 2.9.12.0 * doc/README.http_inspect, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/HttpInspect/utils/hi_paf.c : Fixed an issue where in if we have a junk line before HTTP response header, the header was wrongly parsed. A new preprocessor alert with gid:120 and sid:26 is alerted if any junk lines before HTTP response header is detected. * etc/gen-msg.map, preproc_rules/preprocessor.rules, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/include/hi_server.h, src/preprocessors/HttpInspect/server/hi_server.c : If any of the standard header fields like Transfer-Encoding, content-encoding, content-length, content-type are preceded by \t, then a new alert is added with gid:120 and sid:25. 
* doc/README.http_inspect, doc/snort_manual.pdf, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/preprocessors/snort_httpinspect.h, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/HttpInspect/utils/hi_paf.c : Fixed GZIP evasions wherein an HTTP response with content-encoding:gzip contains a body which has some gzip related anomaly. A new alert with gid:120 and sid:24 has been added to detect mixed gzip encode and plain text response. * src/preprocessors/HttpInspect/server/hi_server.c : Memory leak in decompression when using zlib version 1.2.11. Thanks Elof for reporting it and Thanks Anuj Patel for sending the patch. * src/: dynamic-preprocessors/dcerpc2/dce2_smb2.c, dynamic-preprocessors/dcerpc2/dce2_smb.h, dynamic-preprocessors/dcerpc2/dce2_smb2.c, dynamic-preprocessors/dcerpc2/dce2_smb2.h, dynamic-preprocessors/dcerpc2/dce2_paf.c, includes/smb.h, dynamic-preprocessors/dcerpc2/spp_dce2.c, file-process/file_api.h, file-process/file_segment_process.c, file-process/file_segment_process.h : SMB improvements for file processing. 
* src/dynamic-preprocessors/appid/: appInfoTable.h, fw_appid.c, fw_appid.h, hostPortAppCache.c, luaDetectorApi.c, luaDetectorApi.h, luaDetectorFlowApi.c, client_plugins/client_app_aim.c, client_plugins/client_app_api.h, client_plugins/client_app_base.c, client_plugins/client_app_base.h, client_plugins/client_app_bit.c, client_plugins/client_app_bit_tracker.c, client_plugins/client_app_msn.c, client_plugins/client_app_rtp.c, client_plugins/client_app_ssh.c, client_plugins/client_app_timbuktu.c, client_plugins/client_app_tns.c, client_plugins/client_app_vnc.c, client_plugins/client_app_ym.c, detector_plugins/detector_http.c, detector_plugins/detector_imap.c, detector_plugins/detector_kerberos.c, detector_plugins/detector_pattern.c, detector_plugins/detector_pop3.c, detector_plugins/detector_sip.c, detector_plugins/detector_smtp.c, service_plugins/service_api.h, service_plugins/service_base.c, service_plugins/service_base.h : Fixed an issue in a scenario where BitTorrent pattern is seen only on the 3rd packet of the session because of which we miss our client detection. * src/dynamic-preprocessors/appid/fw_appid.c : Re-enabling third party AppId detection for out-of-order/not-ok flows. * src/dynamic-preprocessors/appid/: flow.h, fw_appid.c : Added support for HTTP CONNECT command to handle BitTorrent connections over proxy. 
* src/encode.c, src/reload.h, src/sfdaq.c, src/dynamic-preprocessors/dcerpc2/dce2_co.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/sdf/spp_sdf.c, src/preprocessors/spp_frag3.c, src/preprocessors/spp_session.c, src/preprocessors/spp_sfportscan.c, src/preprocessors/Stream6/snort_stream_ip.c, src/preprocessors/Stream6/snort_stream_tcp.c, src/sfutil/acsmx.c, src/sfutil/sfksearch.c, src/sfutil/sfportobject.c, tools/u2spewfoo/u2spewfoo.c : Fixed Snort warnings when compiled in OpenBSD with clang/llvm. Thanks to Markus for reporting this. * src/dynamic-preprocessors/file/spp_file.c : Fixed an issue where file inspect not working after reload. * src/dynamic-preprocessors/Makefile.am : Fixed an issue where snort was not coming up with AppId enabled on OpenBSD. * src/: snort.c, dynamic-plugins/sf_dynamic_preprocessor.h, preprocessors/perf.c, preprocessors/Stream6/snort_stream_icmp.c, preprocessors/Stream6/snort_stream_ip.c, preprocessors/Stream6/snort_stream_tcp.c, preprocessors/Stream6/snort_stream_udp.c : Fixed compilation issue with --disable-reload. * configure.in, doc/README.appid, doc/snort_manual.tex, rpm/README.build_rpms, rpm/generate-all-rpms, rpm/snort.spec, src/dynamic-preprocessors/appid/Makefile_defs : Compile AppID by default. * src/dynamic-preprocessors/appid/fw_appid.c : Changes to AppId to ignore malformed packets. * src/: dynamic-preprocessors/dcerpc2/dce2_smb2.c, file-process/file_segment_process.c, file-process/file_segment_process.h : Fix an issue where memory is over allocated due to SMB traffic. * src/dynamic-preprocessors/appid/: appIdApi.c, appIdConfig.h, appInfoTable.c, fw_appid.c, hostPortAppCache.c : Added support for wild card port numbers in host cache and overwriting port service AppId. * src/mstring.c : Fixed an issue with msplit() not behaving properly in some scenarios. 
* src/dynamic-preprocessors/appid/: fw_appid.c, test/appIdTests.c : Fixed an issue where retransmitted packet incorrectly treated as out of order. * src/preprocessors/spp_frag3.c : Fixed snort crash in some scenarios. * src/dynamic-preprocessors/appid/: fw_appid.c, service_plugins/service_ssl.c : Fixed an issue wherein if we have multiple ssl certificates, they were concatenated. * src/dynamic-preprocessors/appid/fw_appid.c : Using Inner IP header to determine the protocol & direction for AppId. * src/: reload.c, preprocessors/spp_normalize.c, preprocessors/Stream6/snort_stream_tcp.c : Fixed an issue where snort cores due to wrong/stale policy IDs in the flush path. * src/detection-plugins/sp_pattern_match.c : Fixed an issue with intrusion rule that was triggering false negatives. * src/sfutil/sfportobject.c, src/decode.c, src/fpcreate.c, src/plugbase.c, src/util.c, src/dynamic-preprocessors/sdf/sdf_us_ssn.c : Fixed static analysis issues. * src/preprocessors/Stream6/: snort_stream_tcp.c, stream_common.c : Fixed early setting of PKT_STREAM_ORDER_BAD when out of order packet is seen. * src/preprocessors/: session_api.h, spp_session.c : This change will allow us to use the session stream key to lookup the session instead of directly storing the S pointer. * src/: event_wrapper.c, event_wrapper.h, preprocessors/portscan.c : Fixed an issue where Port Scan doesn't block scans. * src/: obfuscation.c, dynamic-preprocessors/appid/detector_plugins/detector_http.c, dynamic-preprocessors/file/file_agent.c, dynamic-preprocessors/file/file_inspect_config.c, dynamic-preprocessors/sdf/sdf_us_ssn.c, file-process/file_capture.c : Fixed bugs reported by open source community. Thanks to David Binderman for reporting this. * src/snort.c : Avoid possible double free and memory corruption in snortcleanup(). * doc/snort_manual.pdf, src/reg_test.h, src/dynamic-preprocessors/reputation/spp_reputation.c : Prevent restart when Reputation memcap changes. 
* src/dynamic-preprocessors/appid/luaDetectorModule.c : Fixed an issue where AppId continues to try & load the remaining detectors instead of returning after finding an invalid one. * src/snort.c : Reduced the number of session prunings when snort is idle. * src/dynamic-preprocessors/ftptelnet/pp_ftp.c : Fixed an issue which can cause buffer overflow and memory corruption in FTP control path. * src/reload.c : Synchronise reload and restart in snort. * src/snort_bounds.h : Fixed possible buffer overrun. * src/dynamic-preprocessors/appid/: fw_appid.c, fw_appid.h, luaDetectorApi.c, spp_appid.c, client_plugins/client_app_base.c, service_plugins/service_base.c, test/Makefile.am : Remove misleading exit log about DetectorFini. * src/dynamic-preprocessors/appid/: client_plugins/client_app_rtp.c, client_plugins/client_app_rtp.h, test/Makefile.am, test/appIdTests.c, test/client_app_rtp_test.c, test/client_app_rtp_test.h : Fix for the issue where RTP doesn't get detected when there is SSRC switch. * src/dynamic-preprocessors/appid/: fw_appid.c, detector_plugins/detector_smtp.c, service_plugins/service_ftp.c : Fixed an issue where SMTP is detected too late. * src/dynamic-plugins/sf_dynamic_plugins.c, dynamic-preprocessors/appid/appIdConfig.h, dynamic-preprocessors/appid/fw_appid.c : Added mutex protections into the framework API to protect against some thread contention. * src/preprocessors/: session_api.h, spp_session.c, Session/session_expect.c : Changes to allow simulated packets to match an existing session. * src/: snort.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-preprocessors/reputation/spp_reputation.c, preprocessors/session_api.h, preprocessors/spp_session.c, preprocessors/Session/session_common.h, sfutil/sfPolicyData.h : Re-evaluate IP reputation on all flows except black listed flows after reputation update. 
* doc/README.http_inspect, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/include/hi_paf.h, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/HttpInspect/utils/hi_paf.c : Added handling chunked encoding in HTTP1.0 request and response. * src/preprocessors/: snort_httpinspect.c, HttpInspect/client/hi_client.c, HttpInspect/include/hi_client.h, Stream6/snort_stream_tcp.c, Stream6/stream_paf.c : Fixed an issue wherein HTTPS POST file detection was not working. * src/: parser.c, snort.h, detection-plugins/sp_pcre.c, dynamic-plugins/sf_convert_dynamic.c, dynamic-plugins/sf_dynamic_engine.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, output-plugins/spo_log_tcpdump.c, preprocessors/spp_normalize.c, preprocessors/Stream6/snort_stream_tcp.c : Fixed an issue with Snort using incorrect snort config in reload path. * src/: decode.c, preprocessors/portscan.c, preprocessors/spp_frag3.c : Fixed an issue with IP Protocol scanning not getting detected. * src/decode.c : Fixed heap out of bounds read in DecodeCiscoMeta(). * src/decode.c : Fixed 1 byte buffer overflow in CheckIPV6HopOptions. * src/dynamic-preprocessors/appid/: commonAppMatcher.c : Fix for the issue where hosts were not being discovered if the ND rule had IPv6 network and zone. * src/sfutil/Unified2_common.h : Fixed an issue where the Unified2IDSEventIPv6 structure's app_name field had an incorrect size. * src/util.c : Fixed an issue where logging packet can cause a segmentation fault in single-pcap mode when printing timestamp. Thanks to Stephan Zeisbarg for reporting this issue. * src/preprocessors/portscan.c : Fix Protocol sweep alert. 
2017-12-06 Meghana R Snort 2.9.11.1 * sfeng/ims/sfsnort/snort/src/build.h : updating build number to 268 * sfeng/ims/sfsnort/snort/: src/encode.c, src/reload.h, src/sfdaq.c, src/dynamic-preprocessors/dcerpc2/dce2_co.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/sdf/spp_sdf.c, src/preprocessors/spp_frag3.c, src/preprocessors/spp_session.c, src/preprocessors/spp_sfportscan.c, src/preprocessors/Stream6/snort_stream_ip.c, src/preprocessors/Stream6/snort_stream_tcp.c, src/sfutil/acsmx.c, src/sfutil/sfksearch.c, src/sfutil/sfportobject.c, tools/u2spewfoo/u2spewfoo.c : Fixed warnings when snort is compiled in OpenBSD with clang/llvm. Thanks to Markus Lude for noting the issue. * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/file/spp_file.c : Fixed issue of applying new configuration in file inspection after snort reload. * sfeng/ims/sfsnort/snort/src/preprocessors/spp_session.c : Added null check before accessing session cache. * sfeng/ims/sfsnort/snort/src/: appIdApi.h, dynamic-preprocessors/appid/appIdApi.c : Fixed issue where AppId was not setting HA flags correctly for unmonitored sessions. * sfeng/ims/sfsnort/snort/src/: snort.c, dynamic-plugins/sf_dynamic_preprocessor.h, preprocessors/perf.c, preprocessors/Stream6/snort_stream_icmp.c, preprocessors/Stream6/snort_stream_ip.c, preprocessors/Stream6/snort_stream_tcp.c, preprocessors/Stream6/snort_stream_udp.c : Fixed issue in compilation of snort with --disable-reload option. Thanks to BlueSky for noting the issue. * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/Makefile.am : Fixed AppID compilation failure in OpenBSD platform. * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/fw_appid.c : Fixed issue to set correct flags when there is a need to ignore thirdparty detection for an SSL session. 
* sfeng/ims/sfsnort/snort/src/: event_wrapper.c, event_wrapper.h, preprocessors/portscan.c : Added support to block portscan. In addition to tracking the scanning packets, action(drop/sdrop/reject) will be taken for all the packets, which means snort will block the packet and generate logs. * sfeng/ims/sfsnort/snort/src/: obfuscation.c, dynamic-preprocessors/appid/detector_plugins/detector_http.c, dynamic-preprocessors/file/file_agent.c, dynamic-preprocessors/file/file_inspect_config.c, dynamic-preprocessors/sdf/sdf_us_ssn.c, file-process/file_capture.c : Fixed incorrect usage of bitwise-operator and removed dead code. Thanks to David Binderman for noting the issue and proposing the fix. * sfeng/ims/sfsnort/snort/: doc/snort_manual.pdf, src/snort.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/reputation/spp_reputation.c, src/preprocessors/session_api.h, src/preprocessors/spp_session.c, src/preprocessors/Session/session_common.h, src/sfutil/sfPolicyData.h : Added support to re-evaluate reputation after reputation update for all flows except those that have already been blacklisted. * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/: client_plugins/client_app_rtp.c, client_plugins/client_app_rtp.h : Fixed issue to detect RTP up to two SSRC switches in each traffic direction. * sfeng/ims/sfsnort/snort/src/snort.c : Added changes to reduce the number of session pruning when snort is idle. * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/ftptelnet/pp_ftp.c : Fixed an issue related to setting of directory path when handling FTP sessions. * sfeng/ims/sfsnort/snort/src/snort_bounds.h : Fixed an issue with the incorrect return in SafeSnprintf function. 
* sfeng/ims/sfsnort/snort/src/preprocessors/: snort_httpinspect.c, HttpInspect/client/hi_client.c, HttpInspect/include/hi_client.h, Stream6/snort_stream_tcp.c, Stream6/stream_paf.c : Fixed issues related to HTTP POST header flushing, calling file processing directly if it is not a multipart header and changes to avoid expensive copy of segment data by not splitting them when flushing headers. * sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c : Added changes to show missing session log message only when debugging mode is enabled. * sfeng/ims/sfsnort/snort/: doc/snort_manual.pdf, src/preprocessors/portscan.c : Fixed issue of triggering protocol sweep alert when there are multiple destinations from single source ip protocol scan. * sfeng/ims/sfsnort/snort/src/preprocessors/Stream6/snort_stream_tcp.c : Fixed issue of correct session matching for TCP SYN packets without window scale option so that FTP data channels match the same rule as FTP control channels. * sfeng/ims/sfsnort/snort/src/: decode.c, preprocessors/portscan.c, preprocessors/spp_frag3.c : Added changes to fix IP portscan for protocol other than ICMP and fixed issue of bad fragment size event not being generated for oversized packets. * sfeng/ims/sfsnort/snort/src/preprocessors/snort_httpinspect.c: Added changes to use raw data in case of PDF and SWF files during file processing for SHA calculation and Malware Cloud Lookup. 2017-09-05 Meghana R Snort 2.9.11 * src/build.h : updating build number to 125. * src/preprocessors/: spp_session.c, Stream6/snort_stream_tcp.c : Fixed issue with updating of the global IPS id before packet processing. * src/output-plugins/spo_unified2.c : Added changes to display AppId for IPv6 unified events. * src/: dynamic-preprocessors/Makefile.am, reload-adjust/appdata_adjuster.c, sfutil/sfmemcap.c, sfutil/sfmemcap.h : Fixed dynamic preprocessor compilation failure in OpenBSD platform. 
* src/: parser.c, snort.h, detection-plugins/sp_replace.c : Fixed issues while parsing rules in snort reload path. * src/: appIdApi.h, dynamic-preprocessors/appid/appId.h, dynamic-preprocessors/appid/appIdApi.c, dynamic-preprocessors/appid/appIdConfig.h, dynamic-preprocessors/appid/appInfoTable.c, dynamic-preprocessors/appid/flow.h, dynamic-preprocessors/appid/fw_appid.c, dynamic-preprocessors/appid/hostPortAppCache.c, dynamic-preprocessors/appid/hostPortAppCache.h : Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent. * src/preprocessors/spp_normalize.c : Fixed incorrect usage of snort configuration in snort reload path. * src/dynamic-preprocessors/appid/: flow.c, flow.h, fw_appid.c : Fixed issues with printing of messages for out-of-order packets. * src/: mempool.c, mempool.h, reg_test.h, reload.c, control/sfcontrol.c, control/sfcontrol.h, preprocessors/spp_session.c, preprocessors/Stream6/snort_stream_tcp.c : Added support for forced allocation of TCP protocol memory pool after maximum limit is reached. * src/reload.c : Fixed synchronisation issue during snort reload. * src/sfutil/: sf_ip.h, sf_ipvar.c, sf_ipvar.h : Added changes to improve performance of ipvar list comparison. * src/: dynamic-output/plugins/output_lib.h, dynamic-output/plugins/output_plugin.c, dynamic-preprocessors/dcerpc2/dce2_smb.c, dynamic-preprocessors/dcerpc2/dce2_smb.h, dynamic-preprocessors/dcerpc2/dce2_smb2.c, dynamic-preprocessors/dcerpc2/spp_dce2.c, dynamic-preprocessors/file/file_event_log.c, file-process/file_api.h, file-process/file_service.c, file-process/file_stats.c, file-process/file_stats.h, sfutil/sf_textlog.c, sfutil/sf_textlog.h : Added support for storing filenames in unicode format for SMB protocol. * src/dynamic-preprocessors/appid/detector_plugins/detector_smtp.c : Enhanced SMTP client detection by allowing line folding and all authentication methods. 
* src/: fpcreate.c, sfutil/sfthd.c, sfutil/sfxhash.c : Fixed issue in detection filter counter when rule is used in multiple configurations. 2017-06-19 Meghana R Snort 2.9.11 Beta * src/build.h : updating build number to 101 * configure.in : Control-socket and side-channel support for FreeBSD platform. * src/snort.c : Fixed an issue where snort did not exit gracefully on SIGHUP during the initialisation. * src/detect.c : Added a data length check before copying into memory during application detection. * doc/snort_manual.pdf, src/dynamic-preprocessors/appid/appIdConfig.h, src/dynamic-preprocessors/appid/appInfoTable.c, src/dynamic-preprocessors/appid/commonAppMatcher.c, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/fw_appid.h, src/dynamic-preprocessors/appid/hostPortAppCache.c, src/dynamic-preprocessors/appid/hostPortAppCache.h, src/dynamic-preprocessors/appid/luaDetectorApi.c : Added new hostPortCache which can maintain runtime AppId entries. * src/preprocessors/perf-flow.c : Added null check for individual sfFlow structure members. * doc/snort_manual.tex : Fixed syntax error in snort_manual.tex * src/dynamic-preprocessors/appid/test/Makefile.am, dynamic-preprocessors/dcerpc2/test/Makefile.am, sfutil/test/Makefile.am : Linked librt library in appid and dcerpc2 modules. 
* doc/snort_manual.pdf, doc/snort_manual.tex, src/decode.c, src/decode.h, src/detect.c, src/encode.c, src/reg_test.h, src/snort.c, src/snort.h, src/util.c, src/reload.c src/detection-plugins/sp_byte_math.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c, src/dynamic-preprocessors/appid/appIdConfig.h, src/dynamic-preprocessors/appid/appInfoTable.c, src/dynamic-preprocessors/appid/commonAppMatcher.c, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/fw_appid.h, src/dynamic-preprocessors/appid/hostPortAppCache.c, src/dynamic-preprocessors/appid/hostPortAppCache.h, src/dynamic-preprocessors/appid/luaDetectorApi.c, src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c, src/dynamic-preprocessors/appid/test/Makefile.am, src/dynamic-preprocessors/dcerpc2/dce2_smb2.c, src/dynamic-preprocessors/dcerpc2/dce2_smb2.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dcerpc2/test/Makefile.am, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/imap/spp_imap.c, src/dynamic-preprocessors/pop/spp_pop.c, src/dynamic-preprocessors/smtp/spp_smtp.c, src/file-process/file_api.h, src/file-process/file_segment_process.c, src/file-process/file_segment_process.h, src/file-process/file_service.c, src/preprocessors/perf-base.c, src/preprocessors/perf-flow.c, src/preprocessors/perf_indicators.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_session.c, src/preprocessors/spp_stream6.c, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c, src/preprocessors/Session/session_expect.c, src/preprocessors/Stream6/snort_stream_tcp.c, src/reload-adjust/appdata_adjuster.c, src/sfutil/sfrf.c, src/sfutil/sfrf.h, src/sfutil/test/Makefile.am, src/sfutil/test/unit_hacks.c, src/target-based/sftarget_reader.c, src/target-based/sftarget_reader.h : Changes to 
eliminate Snort restart when there are changes to the memory allocated for preprocessors, by releasing unused or least recently used memory when needed. * src/encode.c, dynamic-plugins/sf_engine/sf_snort_plugin_byte.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, preprocessors/perf-base.c, preprocessors/perf_indicators.c, preprocessors/snort_httpinspect.c, preprocessors/HttpInspect/utils/hi_cmd_lookup.c : Fixed multiple issues reported by Coverity. * src/preprocessors/Stream6/: snort_stream_tcp.c : Added a null check before retrieving tcpssn for getting re-built packets. * src/dynamic-preprocessors/reputation/spp_reputation.c : Fixed double free issue in reputation module. * src/detection-plugins/sp_byte_math.c, file-process/file_service.c : Fixed Coverity Issue - added null check before usage. * src/dynamic-preprocessors/appid/fw_appid.c : Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media. * src/dynamic-preprocessors/appid/fw_appid.c : Added a null check to prevent copy unless debugHostIp is configured in AppId. * src/decode.c, decode.h, detect.c, snort.h, util.c, preprocessors/spp_session.c, preprocessors/Stream6/snort_stream_tcp.c, sfutil/sfrf.c, sfutil/sfrf.h : Performance improvement when SYN rate limit has reached and drop is configured as next action. * src/preprocessors/HttpInspect/server/hi_server.c : Fixed issue of uninitialised value before usage. * src/file-process/file_service.c : Fixed issue with SHA value display in File Events. * src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c : Enhanced the processing of SIP/RTP future flows without ignoring them. * src/preprocessors/snort_httpinspect.c : Changes made in PDF/SWF decompression by adding boundary to the size of the decompressed data. * src/preprocessors/Stream6/snort_stream_tcp.c : Fixed stream5 to flush out ACK'ed segments using PAF when session is terminating. 
* src/preprocessors/spp_session.c : Fixed issue with associating router solicit/reply packets to a single session. * src/preprocessors/HttpInspect/server/hi_server_norm.c, sfutil/util_utf.c : Fixed issues with normalisation of unicode HTML pages that do not have unicode encoding specifiers. * src/appIdApi.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-preprocessors/appid/appIdApi.c, dynamic-preprocessors/appid/appIdConfig.h, dynamic-preprocessors/appid/commonAppMatcher.c, dynamic-preprocessors/appid/fw_appid.c, dynamic-preprocessors/appid/fw_appid.h, dynamic-preprocessors/appid/detector_plugins/detector_sip.c, dynamic-preprocessors/appid/service_plugins/service_base.h, dynamic-preprocessors/appid/service_plugins/service_ftp.c, dynamic-preprocessors/appid/service_plugins/service_rexec.c, dynamic-preprocessors/appid/service_plugins/service_rshell.c, dynamic-preprocessors/appid/service_plugins/service_snmp.c, dynamic-preprocessors/appid/service_plugins/service_tftp.c, dynamic-preprocessors/appid/test/appIdTests.c : Fixed the issue in FTP active traffic by copying the flags as is when expected flow is in the same direction as current flow, reversing the flags when expected flow is in opposite direction and not copying the flags when expected flow's direction is unknown. * src/dynamic-plugins/sf_dynamic_plugins.c, dynamic-preprocessors/dcerpc2/spp_dce2.c Fixed issue of multiple allocation of ada cache in dcerpc2 module. * src/preprocessors/spp_httpinspect.c : Made changes to take care of boundary conditions after mempool allocation. * src/dynamic-preprocessors/appid/luaDetectorModule.c : Fixed Coverity Issues - Removed logically dead duplicate code that does NULL check after creating a new luaState. * src/file-process/file_service.c, preprocessors/Stream6/snort_stream_tcp.c : Fixed issue in file signature lookup for retransmitted FTP packet. * src/output-plugins/spo_log_buffer_dump.c : Changes to free HTTP buffers not used during processing. 
* src/dynamic-plugins/sf_dynamic_plugins.c, dynamic-preprocessors/dcerpc2/spp_dce2.c, dynamic-preprocessors/dnp3/spp_dnp3.c, dynamic-preprocessors/sip/sip_config.c, dynamic-preprocessors/sip/spp_sip.c, reload-adjust/appdata_adjuster.c, reload-adjust/appdata_adjuster.h : Fixed issues in SIP related to reallocation of the same data structure multiple times and accessing numSessions which is asynchronously written by packet processing thread. * src/dynamic-preprocessors/dcerpc2/spp_dce2.c : Added multiple null checks in dcerpc2 module. * src/dynamic-preprocessors/dnp3/spp_dnp3.c, reload-adjust/appdata_adjuster.c, reload-adjust/appdata_adjuster.h : Added null pointer checks in DNP3CheckConfig. * src/preprocessors/spp_session.c : Fixed Coverity issue - added null check before usage. * src/build.h : updating build number to 42 * src/snort.c : Trigger Snort restart when `config disable-attribute-reload-thread` is turned on/off. * src/preprocessors/Stream6/snort_stream_tcp.c : Fixed detection issue where wrong file signature calculation was done for secure-ftp. * src/dynamic-preprocessors/ftptelnet/: ftpp_si.c, ftpp_si.h, pp_ftp.c : Fixed incorrect referencing of ftp_data_session after it's pruned. * src/dynamic-preprocessors/appid/fw_appid.c : Stability improvement by resolving valgrind reported issues in AppId. 
* src/dynamic-preprocessors/ftptelnet/pp_ftp.c, file-process/file_api.h, file-process/file_resume_block.h, file-process/file_service.c, preprocessors/Session/session_common.h, Session/session_expect.c, Stream6/snort_stream_tcp.c, Stream6/snort_stream_tcp.h, Stream6/stream_common.h, parser.c, parser.h, snort.c, snort.h, dynamic-preprocessors/dcerpc2/dce2_smb.c, dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.h, file-process/file_mime_process.c, file-process/libs/file_lib.c, preprocessors/snort_httpinspect.c, preprocessors/spp_normalize.c, preprocessors/spp_normalize.h, preprocessors/spp_stream6.c, preprocessors/stream_api.h, preprocessors/HttpInspect/client/hi_client.c : Fixed issue where FTP file type block doesn't work on retried download.
* src/appIdApi.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-preprocessors/appid/appIdApi.c, dynamic-preprocessors/appid/flow.c, dynamic-preprocessors/appid/flow.h, dynamic-preprocessors/appid/fw_appid.c, dynamic-preprocessors/appid/fw_appid.h, dynamic-preprocessors/appid/detector_plugins/detector_sip.c : Fixed issue where Snort was inappropriately handling traffic for which AppId was creating a future flow.
* src/file-process/file_segment_process.c : Fixed issue of updating the file session information for SMB2 file transfer spanning multiple TCP sessions.
* src/dynamic-preprocessors/appid/: flow.h, fw_appid.c, luaDetectorApi.c, service_state.c, service_state.h, detector_plugins/detector_dns.c, detector_plugins/detector_http.c, detector_plugins/detector_imap.c, detector_plugins/detector_kerberos.c, detector_plugins/detector_pattern.c, detector_plugins/detector_pop3.c, detector_plugins/detector_sip.c, detector_plugins/detector_smtp.c, service_plugins/service_MDNS.c, service_plugins/service_api.h, service_plugins/service_base.c, service_plugins/service_base.h, service_plugins/service_battle_field.c, service_plugins/service_bgp.c, service_plugins/service_bit.c, service_plugins/service_bootp.c, service_plugins/service_dcerpc.c, service_plugins/service_direct_connect.c, service_plugins/service_flap.c, service_plugins/service_ftp.c, service_plugins/service_irc.c, service_plugins/service_lpr.c, service_plugins/service_mysql.c, service_plugins/service_netbios.c, service_plugins/service_nntp.c, service_plugins/service_ntp.c, service_plugins/service_radius.c, service_plugins/service_rexec.c, service_plugins/service_rfb.c, service_plugins/service_rlogin.c, service_plugins/service_rpc.c, service_plugins/service_rshell.c, service_plugins/service_rsync.c, service_plugins/service_rtmp.c, service_plugins/service_snmp.c, service_plugins/service_ssh.c, service_plugins/service_ssl.c, service_plugins/service_telnet.c, service_plugins/service_tftp.c, service_plugins/service_timbuktu.c, service_plugins/service_tns.c, test/appIdTests.c, test/sessionFile.c : Changes in AppId discovery to address session and services related issues.
* src/dynamic-preprocessors/appid/: appId.h, fw_appid.c : Performance improvements for SIP/RTP audio and video data flow in AppId.
* src/dynamic-preprocessors/appid/: fw_appid.c, thirdparty_appid_utils.c, test/appIdTests.c, test/externalApis.c : Fixed an issue related to incorrect processing of XFF addresses during Snort reload.
* src/dynamic-preprocessors/appid/luaDetectorModule.c : Improved error handling in luadetector when the lua_State object is NULL.
* src/preprocessors/snort_httpinspect.c : Improved flushing mechanism for HTTP POST header.
* src/output-plugins/spo_log_buffer_dump.c : Fixed an issue where HTTP buffers were incorrectly dumped as DNS payload buffers.
* src/preprocessors/Stream6/snort_stream_tcp.c : Prevent application preprocessors from processing packets having end_sequence numbers less than the current TCP window base.

2016-11-07 Gagan Sachdeva
Snort 2.9.9.0

* src/build.h : Updated build number to 56.
* tools/u2spewfoo/u2spewfoo.c, src/snort.c, win32/WIN32-Includes/config.h : Fixed an issue related to DLL loading in Snort on Windows platforms (CVE-2016-1417); thanks to Secureworks for reporting this issue.
* src/: detection_filter.c, detection_filter.h, fpdetect.c, detection-plugins/detection_options.c, detection-plugins/detection_options.h, sfutil/sfthd.c, sfutil/sfthd.h, sfutil/test/sfthd_test.c : Incrementing detection_filter count on either raw packets or re-assembled packets, but not on both.
* src/detection-plugins/sp_byte_jump.c : Fixed an issue where the value present at the zero index of the byte_extract array was incorrectly used when the byte_extract rule option is not present.

2016-09-08 Seshaiah Erugu
Snort 2.9.9

* src/build.h : Updated build number to 82.
* src/dynamic-preprocessors/appid/: appId.h, fw_appid.c, spp_appid.c : Improved handling of HTTP tunneling in AppId.
* src/detection-plugins/sp_byte_jump.c : Fixed a bug where byte_jump postoffset was incorrectly initialized, leading to failure in rule matching in some scenarios.
* src/detection-plugins/sp_rpc_check.c : Fixed RPC decode plugin issue where rule context was missing and RPC values were not read correctly.
* sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/smtp/snort_smtp.c : Fixed an issue in MIME data processing in case of stateless inspection.
* sfeng/ims/sfsnort/snort/src/preprocessors/: spp_session.c, Stream6/stream_paf.c : Addressed incorrect flushing of packets whose size is greater than MAXIMUM_PAF_MAX.
* sfeng/ims/sfsnort/snort/src/output-plugins/spo_log_buffer_dump.c : Added banner message with packet timestamp for every buffer dump.
* sfeng/ims/sfsnort/snort/src/: snort.h, dynamic-preprocessors/dcerpc2/dce2_paf.c, dynamic-preprocessors/dnp3/dnp3_paf.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/imap/imap_paf.c, dynamic-preprocessors/modbus/modbus_paf.c, dynamic-preprocessors/modbus/modbus_paf.h, dynamic-preprocessors/pop/pop_paf.c, dynamic-preprocessors/sip/sip_paf.c, dynamic-preprocessors/smtp/smtp_paf.c, preprocessors/snort_httpinspect.c, preprocessors/spp_stream6.c, preprocessors/stream_api.h, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/utils/hi_paf.c, preprocessors/Stream6/snort_stream_tcp.c, preprocessors/Stream6/stream_paf.c, preprocessors/Stream6/stream_paf.h : Generating an event when the Content-Length in a POST request is greater than the payload.
* sfeng/ims/sfsnort/snort/src/decode.c : Decoding support for packets that contain VLAN and SGT.
* sfeng/ims/sfsnort/snort/src/preprocessors/HttpInspect/client/hi_client.c : Fixed Coverity issue - added null check before usage.
* sfeng/ims/sfsnort/snort/src/preprocessors/snort_httpinspect.c : Fixed Coverity issue - added null check for Field_Name.
* sfeng/ims/sfsnort/snort/src/preprocessors/Stream6/snort_stream_tcp.c : Fixed an issue where out-of-bounds memory access is possible due to an incorrect length argument in memcpy.
* sfeng/ims/sfsnort/snort/src/preprocessors/spp_stream6.c : Resolved an issue where stream_config is not set to the correct value in some cases after reload.
* sfeng/ims/sfsnort/snort/src/file-process/: file_segment_process.c, file_service.c : Changes done to avoid memory allocation for each signature callback and to handle segments properly when the file session has not been created yet.
* sfeng/ims/sfsnort/snort/preproc_rules/preprocessor.rules : Added new HTTP preprocessor alert for multiple content encodings: alert ( msg: "HI_SERVER_MULTIPLE_CONTENT_ENCODING"; sid:20; gid: 120; rev: 1; metadata: rule-type preproc ; classtype:unknown; ).
* sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/fw_appid.c : Changes done to handle empty HTTP XFF field.
* sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/service_plugins/service_base.c : Changed initiator_ip to be in sync with the other IPs.
* sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/fw_appid.c : Fixed an issue where AppId was skipping inspection of some HTTP requests.
* sfeng/ims/sfsnort/snort/src/dynamic-plugins/sf_dynamic_plugins.c : Fixed compiler warning by changing the definition of the dummyConsumeHAState() function.
* sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/: fw_appid.c, detector_plugins/detector_smtp.c : Fixed AppId compilation warnings.
* sfeng/ims/sfsnort/snort/src/: parser.c, parser.h, snort.c, snort.h, preprocessors/spp_normalize.c, preprocessors/spp_normalize.h, preprocessors/spp_stream6.c, preprocessors/stream_api.h, preprocessors/Session/session_common.h, preprocessors/Session/session_expect.c, preprocessors/Stream6/snort_stream_tcp.c : Fixed an issue where malware files were not being dropped over the FTP protocol.
* sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/appInfoTable.c : Fixed issue with using dynamic app ID names (not in appMapping.data) in Snort rules.
* sfeng/ims/sfsnort/snort/src/preprocessors/HttpInspect/utils/hi_paf.c : Handling HTTP header line containing \r or \r\r.
* sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/: flow.h, fw_appid.c, thirdparty_appid_types.h : Performance improvement in AppId.
* sfeng/ims/sfsnort/snort/src/: file-process/file_service.c, preprocessors/snort_httpinspect.c, preprocessors/snort_httpinspect.h : Added support to detect partial content when it starts in the second reassembled packet.
* sfeng/ims/sfsnort/snort/src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h, HttpInspect/client/hi_client.c : HTTP preprocessor enhanced to handle the chunk length itself being split across different packets.
* sfeng/ims/sfsnort/snort/src/decode.c : Fixed an issue where a single packet can cause a segmentation fault when a specific Snort rule is in place. Thanks to Marcel da Silva for reporting this issue.
* sfeng/ims/sfsnort/snort/src/decode.c : Fixed an issue where the incorrect byte order was being used for comparison with a hard-coded value. Thanks to Al Lewis, who reported this issue on open source.
* sfeng/ims/sfsnort/snort/src/preprocessors/: spp_session.c, spp_stream6.c, Session/session_common.h, Stream6/snort_stream_tcp.c : This patch changes the logic in Session to set a flag in the SCB for a flow on the first packet after a reload to indicate that the stream config pointer is stale. Previously the pointer was set to NULL. Stream was changed to check this stale flag and, if true, the stream config pointer in the SCB is reinitialized. With this change the stream configuration pointer continues to point to the old configuration, which will still be valid until the Stream preproc runs. This ensures that the part of the SSL preproc that runs before Session/Stream have run will have a valid stream config pointer after a reload. In addition the StreamActivatePafTcp function, which is called by the SSL preproc and requires a valid stream configuration, was changed to check for the pointer being NULL; if it is, it reinitializes the pointer to a valid value and logs a warning message.
* sfeng/ims/sfsnort/snort/doc/snort_manual.tex : Snort manual updated with Buffer dump feature.
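The stale-pointer handling described in the Session/Stream entry above, as an added illustration in C; this is not Snort's own code, and the SCB, config and function names (scb_t, stream_cfg_t, activate_paf and so on) are hypothetical stand-ins. It shows why flagging the pointer stale is safer than clearing it: a consumer that runs before Stream still reads a valid configuration across the reload, and the NULL check remains as a last line of defence.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for Snort's stream configuration and the
 * per-flow session control block (SCB). */
typedef struct {
    uint32_t generation;   /* which reload produced this config (constructed) */
} stream_cfg_t;

typedef struct {
    const stream_cfg_t *stream_cfg;  /* config the flow was last bound to */
    bool stream_cfg_stale;           /* set on first packet after a reload */
    uint32_t seen_generation;        /* reload generation last seen by Session */
} scb_t;

/* Constructed global state: two configs and the reload counter. */
static const stream_cfg_t g_cfg_old = { 1 };
static const stream_cfg_t g_cfg_new = { 2 };
static const stream_cfg_t *g_current_cfg = &g_cfg_old;
static uint32_t g_reload_generation = 1;
static unsigned g_null_cfg_warnings = 0;

static void reload(const stream_cfg_t *cfg)
{
    g_current_cfg = cfg;
    g_reload_generation++;
}

/* Session layer: on the first packet after a reload, flag the pointer as
 * stale instead of clearing it, so earlier consumers keep a valid config. */
void session_on_packet(scb_t *scb)
{
    if (scb->seen_generation != g_reload_generation) {
        scb->stream_cfg_stale = true;
        scb->seen_generation = g_reload_generation;
    }
}

/* Stream layer: honour the stale flag and rebind to the current config. */
const stream_cfg_t *stream_on_packet(scb_t *scb)
{
    if (scb->stream_cfg_stale || scb->stream_cfg == NULL) {
        scb->stream_cfg = g_current_cfg;
        scb->stream_cfg_stale = false;
    }
    return scb->stream_cfg;
}

/* A consumer that may run before Session/Stream (the role the entry gives
 * to the SSL preproc calling StreamActivatePafTcp): it must still cope with
 * a NULL pointer by reinitialising it and logging a warning. */
const stream_cfg_t *activate_paf(scb_t *scb)
{
    if (scb->stream_cfg == NULL) {
        scb->stream_cfg = g_current_cfg;
        g_null_cfg_warnings++;
        fprintf(stderr, "warning: stream config was NULL, reinitialised\n");
    }
    return scb->stream_cfg;
}

typedef struct {
    uint32_t cfg_seen_before_stream;  /* generation the early consumer got */
    uint32_t cfg_seen_after_stream;   /* generation Stream rebound to */
    unsigned warnings;                /* NULL-pointer warnings logged */
} walk_result_t;

/* Drive one flow through a reload: the old config must remain usable for
 * the early consumer, Stream must then rebind, and no warning is needed. */
walk_result_t walk_flow_across_reload(void)
{
    scb_t scb = { 0 };
    walk_result_t r = { 0 };
    g_current_cfg = &g_cfg_old;
    g_reload_generation = 1;
    g_null_cfg_warnings = 0;

    session_on_packet(&scb);          /* packet 1: flow bound to old config */
    stream_on_packet(&scb);
    reload(&g_cfg_new);               /* configuration reload happens here */
    r.cfg_seen_before_stream = activate_paf(&scb)->generation;  /* packet 2 */
    session_on_packet(&scb);          /* Session marks the pointer stale */
    r.cfg_seen_after_stream = stream_on_packet(&scb)->generation;
    r.warnings = g_null_cfg_warnings;
    return r;
}

/* A brand-new SCB reaching the early consumer before Stream ever ran:
 * the NULL check must rebind and log exactly one warning. */
unsigned early_consumer_on_fresh_scb(void)
{
    scb_t scb = { 0 };
    g_null_cfg_warnings = 0;
    activate_paf(&scb);
    return g_null_cfg_warnings;
}

int main(void)
{
    walk_result_t r = walk_flow_across_reload();
    printf("before Stream: cfg %u, after Stream: cfg %u, warnings %u\n",
           (unsigned)r.cfg_seen_before_stream,
           (unsigned)r.cfg_seen_after_stream, r.warnings);
    printf("fresh SCB warnings: %u\n", early_consumer_on_fresh_scb());
    return 0;
}
```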
* sfeng/ims/sfsnort/snort/doc/snort_manual.tex : Snort manual changed with Rule Options Enhancement.
* sfeng/ims/sfsnort/snort/src/sfutil/sfghash.c : Added NULL check for SFGHASH.
* sfeng/ims/sfsnort/snort/etc/sf_rule_options : Error message is updated for byte_extract options. When creating a rule with the byte_extract option, an error message is sent when the rule doesn't include a variable name, which is mandatory.
* sfeng/ims/sfsnort/snort/src/: encode.c, preprocids.h, detection-plugins/sp_byte_math.c, dynamic-output/plugins/output_lib.h, dynamic-preprocessors/ftptelnet/pp_ftp.c, preprocessors/perf-base.c, preprocessors/snort_httpinspect.c, preprocessors/spp_stream6.c, preprocessors/HttpInspect/server/hi_server.c, sfutil/sf_ip.h, win32/WIN32-Prj/snort.dsp : Addressed issues in Snort Windows build.
* sfeng/ims/sfsnort/snort/src/detection-plugins/: sp_byte_check.c, sp_byte_jump.c, sp_byte_math.c : An error message is sent if the string rule option is not present when bytes to grab are greater than 4 bytes in a byte_math rule.
* sfeng/ims/sfsnort/snort/src/preprocessors/Stream6/snort_stream_tcp.c : Resolved incorrect logging of source and destination IP when the TCP stream queue is full.
* sfeng/ims/sfsnort/snort/src/detection-plugins/sp_byte_math.c : Error message is updated for byte_math options. When creating a rule with the byte_math option, an error message is sent when the rule doesn't include offset and rvalue.
* sfeng/ims/sfsnort/snort/src/dynamic-preprocessors/appid/: Makefile_defs, fw_appid.c, client_plugins/client_app_base.c, client_plugins/client_app_smtp.c, client_plugins/client_app_smtp.h, detector_plugins/detector_base.c, detector_plugins/detector_smtp.c, service_plugins/service_base.c, service_plugins/service_smtp.c, service_plugins/service_smtp.h : Added SMTP detection to AppID; added the detector_smtp.c file as part of this enhancement.

2016-05-12 Seshaiah Erugu
Snort 2.9.9 Beta

* src/build.h : Updated build number to 4065.
* src/dynamic-preprocessors/appid/fw_appid.c : Fix for handling bogus client AppIds for AppleCoreMedia.
* src/preprocessors/spp_arpspoof.c : Added 802.11/wifi header support in ARP preprocessor.
* src/: detect.c, dynamic-plugins/sf_engine/sf_snort_packet.h, preprocessors/session_api.h, preprocessors/Stream6/snort_stream_tcp.c : Changed RST handling on closed TCP connection.
* src/dynamic-preprocessors/appid/appInfoTable.c : Fixed a compilation issue in AppId.
* src/: appIdApi.h, dynamic-preprocessors/appid/appIdApi.c, dynamic-preprocessors/appid/flow.h, dynamic-preprocessors/appid/fw_appid.c, dynamic-preprocessors/appid/httpCommon.h, dynamic-preprocessors/appid/luaDetectorApi.c, dynamic-preprocessors/appid/thirdparty_appid_types.h, dynamic-preprocessors/appid/detector_plugins/detector_http.c, dynamic-preprocessors/appid/detector_plugins/detector_http.h : Added support for Host, User-Agent, and Referer fields to be rewritten.
* src/dynamic-preprocessors/appid/: appIdApi.c, appInfoTable.h, fw_appid.c, luaDetectorApi.c, detector_plugins/detector_http.c, service_plugins/service_ftp.c, service_plugins/service_tftp.c : Fixed AppId compilation warnings.
* src/preprocessors/Session/stream5_ha.c : Fix updates HA sf_base counters during failover.
* src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/: appId.h : Fix: reconstructed the call to port-service detection.
* src/dynamic-preprocessors/appid/test/appIdTests.c : Fixed an AppId compilation issue.
* src/dynamic-preprocessors/appid/appId.h : Revised appid.h to have APP_ID_ICMP and APP_ID_ICMPV6.
* src/dynamic-preprocessors/appid/: httpCommon.h, luaDetectorApi.c, detector_plugins/detector_http.c : Added DEFER_TO_SIMPLE_DETECT action to CHPAddAction.
* src/preprocessors/HttpInspect/: event_output/hi_eo_log.c : New HTTP preprocessor alert added for multiple content encodings.
* src/preprocessors/Stream6/snort_stream_tcp.c : Fix populates DAQ_PktHdr_t of the packet generated while flushing queued segments with src and dst IPs.
* src/preprocessors/HttpInspect/: client/hi_client.c, event_output/hi_eo_log.c, include/hi_eo_events.h, server/hi_server.c : New HTTP preprocessor alert added for multiple content lengths.
* src/dynamic-preprocessors/appid/: fw_appid.c, service_plugins/service_rshell.c : Fix reduces extra service discovery to improve performance.
* src/preprocessors/HttpInspect/client/hi_client.c : Fix to handle chunk encoding followed by \r\r\r\n and \n\n\n\r\r\n. This issue was reported by Steffen Ullrich.
* src/: detection_filter.c, detection_filter.h, fpdetect.c, detection-plugins/detection_options.c, detection-plugins/detection_options.h, sfutil/sfthd.c, sfutil/sfthd.h, sfutil/test/sfthd_test.c : Fix related to detection_options. Added a new variable detection_filter_count to the detection_option_eval_data_t data structure and set it when detection_filter_test is called for the first time.
* src/dynamic-preprocessors/appid/: fw_appid.c, test/appIdTests.c : Fix picks the last IP address in the XFF address list.
* src/decode.c : Added an additional check for divisibility of the length of the PGM header by 4. If it is not divisible, an error is returned instead of calculating the checksum.
* src/dynamic-preprocessors/appid/fw_appid.c : Changed ignore tp appid logic.
* src/preprocessors/HttpInspect/server/hi_server.c : File filled with delimiters now successfully gets detected.
* src/dynamic-preprocessors/appid/service_plugins/service_ftp.c : Fix ignores text after FTP response codes.
* src/preprocessors/HttpInspect/server/hi_server.c : Modified HTTP header parsing of multiline content-encoding header.
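The decode.c entry above describes a length sanity check placed before a checksum walk. The following is an added illustration in C, not Snort's decode.c: a PGM header (RFC 3208 fixed layout, options padded to 4 bytes) is rejected when its length is short or not a multiple of 4, and only a well-formed length reaches the one's-complement checksum. The function names and the sample header are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PGM_HDR_LEN 16  /* fixed part of the PGM header (RFC 3208) */

enum {
    PGM_OK = 0,
    PGM_ERR_LEN_ALIGN = -1,   /* length not a multiple of 4 */
    PGM_ERR_TOO_SHORT = -2,   /* cannot hold the fixed header */
    PGM_ERR_CHECKSUM = -3     /* checksum mismatch */
};

/* Internet one's-complement sum over big-endian 16-bit words. */
static uint16_t ones_complement_sum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)sum;
}

/* Validate a PGM header (fixed part plus 4-byte-padded options).
 * Length checks come first so a malformed length never drives the
 * checksum loop; returns PGM_OK or one of the PGM_ERR_* codes. */
int pgm_verify(const uint8_t *hdr, size_t len)
{
    if (len < PGM_HDR_LEN)
        return PGM_ERR_TOO_SHORT;
    if (len % 4 != 0)
        return PGM_ERR_LEN_ALIGN;   /* the check the entry above adds */
    /* With a correct checksum field the whole-packet sum is 0xffff. */
    return ones_complement_sum(hdr, len) == 0xffffu ? PGM_OK : PGM_ERR_CHECKSUM;
}

/* Build a constructed sample header of `len` bytes whose checksum field
 * (bytes 6-7) is valid. Returns 0, or -1 if `len` is below the fixed size. */
int pgm_build_sample(uint8_t *buf, size_t len)
{
    if (len < PGM_HDR_LEN)
        return -1;
    memset(buf, 0, len);
    buf[0] = 0x1f; buf[1] = 0x41;     /* source port (constructed) */
    buf[2] = 0x1f; buf[3] = 0x41;     /* destination port (constructed) */
    buf[4] = 0x08;                    /* type field (constructed) */
    buf[5] = 0x01;                    /* options flag (constructed) */
    memcpy(buf + 8, "GSRCID", 6);     /* global source id (constructed) */
    /* bytes 16.. stay zero and stand in for padded option data */
    uint16_t csum = (uint16_t)~ones_complement_sum(buf, len);
    buf[6] = (uint8_t)(csum >> 8);
    buf[7] = (uint8_t)(csum & 0xff);
    return 0;
}

int main(void)
{
    uint8_t buf[32];
    pgm_build_sample(buf, 20);
    printf("20 bytes: %d, 18 bytes: %d, 8 bytes: %d\n",
           pgm_verify(buf, 20), pgm_verify(buf, 18), pgm_verify(buf, 8));
    return 0;
}
```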
* src/: appIdApi.h, dynamic-preprocessors/appid/appIdApi.c, dynamic-preprocessors/appid/appInfoTable.h, dynamic-preprocessors/appid/flow.h, dynamic-preprocessors/appid/fw_appid.c, dynamic-preprocessors/appid/luaDetectorApi.c, dynamic-preprocessors/appid/detector_plugins/detector_http.c : Made changes in getHttpSearch() to return a value based on any payloadAppId match, not just CHP patterns.
* src/preprocessors/: snort_httpinspect.c, HttpInspect/server/hi_server.c : Fixed Coverity issue - unsigned compared against 0.
* src/preprocessors/: snort_httpinspect.c, HttpInspect/server/hi_server.c : Improved chunked gzip content handling.
* src/: dynamic-preprocessors/sdf/spp_sdf.c, obfuscation.c : Fix to mask sensitive data spanning multiple raw packets.
* src/sfutil/sfghash.c : Added NULL pointer checks to all the functions in sfghash.c.
* src/preprocessors/spp_httpinspect.c : Fix sets file_depth after Snort reload.
* src/dynamic-preprocessors/appid/: fw_appid.c, httpCommon.h, luaDetectorApi.c, detector_plugins/detector_http.c, detector_plugins/detector_http.h : Fix allows multiple key patterns per AppId instance in CHPMultiAddAction().
* src/preprocessors/HttpInspect/files/file_decomp_SWF.c : Fixed an issue with LZMA flash decompression.
* etc/sf_rule_options, src/detection-plugins/sp_byte_extract.c, src/detection-plugins/sp_byte_extract.h : Changed code to allow 1 to 10 bytes (bytes_to_extract) values in byte_extract rule.
* configure.in, doc/snort_manual.tex, etc/snort.conf, rpm/snort.spec, src/dynamic-plugins/sf_dynamic_meta.h, src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h, src/win32/WIN32-Includes/config.h, src/win32/WIN32-Prj/snort_installer.nsi : API version updated.
* src/dynamic-preprocessors/appid/fw_appid.c : Fix prevents bogus generic clients, and also prevents things like "MPEG" showing up as a client in the case of AppleCoreMedia.
* src/detection-plugins/sp_byte_jump.c : The from_end option now accepts 0-10 bytes in a byte_jump rule.
* src/dynamic-preprocessors/appid/: fw_appid.c, httpCommon.h : Added more AppId instances for CHPMultixxx Lua API.
* configure.in, src/appIdApi.h, src/sfdaq.c, src/sfdaq.h, src/tag.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-preprocessors/appid/appIdApi.c, src/dynamic-preprocessors/appid/flow.c, src/dynamic-preprocessors/appid/flow.h, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/fw_appid.h, src/dynamic-preprocessors/appid/luaDetectorApi.c, src/dynamic-preprocessors/appid/luaDetectorApi.h, src/dynamic-preprocessors/appid/luaDetectorFlowApi.c, src/dynamic-preprocessors/appid/client_plugins/client_app_aim.c, src/dynamic-preprocessors/appid/client_plugins/client_app_base.c, src/dynamic-preprocessors/appid/client_plugins/client_app_bit.c, src/dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c, src/dynamic-preprocessors/appid/client_plugins/client_app_msn.c, src/dynamic-preprocessors/appid/client_plugins/client_app_rtp.c, src/dynamic-preprocessors/appid/client_plugins/client_app_smtp.c, src/dynamic-preprocessors/appid/client_plugins/client_app_ssh.c, src/dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c, src/dynamic-preprocessors/appid/client_plugins/client_app_tns.c, src/dynamic-preprocessors/appid/client_plugins/client_app_vnc.c, src/dynamic-preprocessors/appid/client_plugins/client_app_ym.c, src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c, src/dynamic-preprocessors/appid/detector_plugins/detector_http.c, src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c, src/dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c, src/dynamic-preprocessors/appid/detector_plugins/detector_pattern.c, src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c, src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c, src/dynamic-preprocessors/appid/service_plugins/service_MDNS.c, src/dynamic-preprocessors/appid/service_plugins/service_api.h, src/dynamic-preprocessors/appid/service_plugins/service_base.c, src/dynamic-preprocessors/appid/service_plugins/service_base.h, src/dynamic-preprocessors/appid/service_plugins/service_battle_field.c, src/dynamic-preprocessors/appid/service_plugins/service_bgp.c, src/dynamic-preprocessors/appid/service_plugins/service_bit.c, src/dynamic-preprocessors/appid/service_plugins/service_bootp.c, src/dynamic-preprocessors/appid/service_plugins/service_dcerpc.c, src/dynamic-preprocessors/appid/service_plugins/service_direct_connect.c, src/dynamic-preprocessors/appid/service_plugins/service_flap.c, src/dynamic-preprocessors/appid/service_plugins/service_ftp.c, src/dynamic-preprocessors/appid/service_plugins/service_irc.c, src/dynamic-preprocessors/appid/service_plugins/service_lpr.c, src/dynamic-preprocessors/appid/service_plugins/service_mysql.c, src/dynamic-preprocessors/appid/service_plugins/service_netbios.c, src/dynamic-preprocessors/appid/service_plugins/service_nntp.c, src/dynamic-preprocessors/appid/service_plugins/service_ntp.c, src/dynamic-preprocessors/appid/service_plugins/service_radius.c, src/dynamic-preprocessors/appid/service_plugins/service_rexec.c, src/dynamic-preprocessors/appid/service_plugins/service_rfb.c, src/dynamic-preprocessors/appid/service_plugins/service_rlogin.c, src/dynamic-preprocessors/appid/service_plugins/service_rpc.c, src/dynamic-preprocessors/appid/service_plugins/service_rshell.c, src/dynamic-preprocessors/appid/service_plugins/service_rsync.c, src/dynamic-preprocessors/appid/service_plugins/service_rtmp.c, src/dynamic-preprocessors/appid/service_plugins/service_smtp.c, src/dynamic-preprocessors/appid/service_plugins/service_snmp.c, src/dynamic-preprocessors/appid/service_plugins/service_ssh.c, src/dynamic-preprocessors/appid/service_plugins/service_ssl.c, src/dynamic-preprocessors/appid/service_plugins/service_telnet.c, src/dynamic-preprocessors/appid/service_plugins/service_tftp.c, src/dynamic-preprocessors/appid/service_plugins/service_timbuktu.c, src/dynamic-preprocessors/appid/service_plugins/service_tns.c, src/dynamic-preprocessors/appid/test/appIdTests.c, src/dynamic-preprocessors/appid/util/common_util.h, src/file-process/file_resume_block.c, src/preprocessors/Session/session_expect.c, src/preprocessors/Stream6/snort_stream_tcp.c : Added the flag to prevent third-party application identification on expected connections. Changed the internal and external flags fields into one 64-bit flags field. Added address space and instance to AppID debug. Cleaned up some compiler warnings. Added the debugging flags and info to the service validator function to allow internal debugging. Fixed processing of packets without any payload. Fixed tftp and rshell detection. Fixed third-party application identification proto state for sessions after HTTP. Fixed expected session allow for AppId continuation (tftp, snmp).
* src/dynamic-preprocessors/appid/: appInfoTable.c, appInfoTable.h, fw_appid.h : Fixed the issue where the AppId for Facebook over SPDY/HTTP 1.1 is incorrect.
* src/dynamic-preprocessors/appid/fw_appid.c : Fixed Coverity warning for uninitialized variable.
* src/dynamic-preprocessors/appid/: httpCommon.h, luaDetectorApi.c, detector_plugins/detector_http.c : Changed code in CHPAddAction to REWRITE/INSERT side effect.
* src/dynamic-preprocessors/appid/appInfoTable.c : Disabled internal AppID detectors for HTTP/2 by default.
* src/preprocessors/HttpInspect/: include/h2_common.h, utils/h2_common.c, utils/h2_paf.c : Added support for HTTP/2.
* src/dynamic-preprocessors/imap/imap_buffer_dump.c, src/dynamic-preprocessors/imap/imap_buffer_dump.h, src/dynamic-preprocessors/ftptelnet/ftptelnet_buffer_dump.c, src/dynamic-preprocessors/ftptelnet/ftptelnet_buffer_dump.h, src/dynamic-preprocessors/dcerpc2/dcerpc2_buffer_dump.c, src/dynamic-preprocessors/dcerpc2/dcerpc2_buffer_dump.h, src/dynamic-preprocessors/ssl/ssl_buffer_dump.c, src/dynamic-preprocessors/ssl/ssl_buffer_dump.h, src/dynamic-preprocessors/ssh/ssh_buffer_dump.c, src/dynamic-preprocessors/ssh/ssh_buffer_dump.h, src/dynamic-preprocessors/dns/dns_buffer_dump.c, src/dynamic-preprocessors/dns/dns_buffer_dump.h, src/dynamic-preprocessors/modbus/modbus_buffer_dump.c, src/dynamic-preprocessors/modbus/modbus_buffer_dump.h, src/preprocessors/HttpInspect/utils/hi_buffer_dump.c, src/preprocessors/HttpInspect/include/hi_buffer_dump.h, src/output-plugins/spo_log_buffer_dump.h, src/output-plugins/spo_log_buffer_dump.c, src/dynamic-preprocessors/smtp/smtp_buffer_dump.c, src/dynamic-preprocessors/smtp/smtp_buffer_dump.h, src/dynamic-preprocessors/sip/sip_buffer_dump.c, src/dynamic-preprocessors/sip/sip_buffer_dump.h, src/dynamic-preprocessors/pop/pop_buffer_dump.c, src/dynamic-preprocessors/pop/pop_buffer_dump.h, src/dynamic-preprocessors/dnp3/dnp3_buffer_dump.c, src/dynamic-preprocessors/dnp3/dnp3_buffer_dump.h, src/dynamic-preprocessors/gtp/gtp_buffer_dump.c, src/dynamic-preprocessors/gtp/gtp_buffer_dump.h, src/dynamic-preprocessors/imap/imap_buffer_dump.c : Added these files as part of the Buffer-dump feature.
* src/detection-plugins/sp_byte_math.c, src/detection-plugins/sp_byte_math.h : Added new rule option "byte_math".

2016-04-26 Rahul Burman
Snort 2.9.8.3

* src/build.h : Updated build number to 383.
* configure.in, src/preprocessors/HttpInspect/server/hi_server.c : Modified HTTP header parsing of multiline content-encoding header.
* src/preprocessors/: snort_httpinspect.c, HttpInspect/server/hi_server.c : Fixed an issue where the file position pointer was incorrectly set for an HTTP response containing chunked and gzip data.
* src/preprocessors/Stream6/: snort_stream_tcp.c : Added sanity check to TCP trimming in the out-of-order FIN case.
* src/parser.c : Disabled port groups that are not useful unless adaptive profiling is enabled.
* src/: dynamic-preprocessors/sdf/spp_sdf.c, obfuscation.c : Fixed an issue of incorrect masking of sensitive data.

2016-03-18 Gaurav Nagare
Snort 2.9.8.2

* src/build.h : Updated build number to 335.
* src/dynamic-plugins/: sf_engine/examples/detection_lib_meta.h, sf_dynamic_meta.h : Updated detection API version to 2.6 to use the latest Snort SO rules.
* src/: dynamic-preprocessors/sdf/spp_sdf.c, preprocessors/Stream6/snort_stream_tcp.c, obfuscation.c : Fixed several issues with SDF and obfuscation.
* src/: profiler.h, preprocessors/perf_indicators.c, preprocessors/perf_indicators.h : Resolved Snort build issue with the "--disable-perfprofiling" configure option.
* src/: decode.c, decode.h : Added double VLAN tagging support.
* src/file-process/file_mime_process.c : Enhanced MIME parsing by adding support for detecting files after unknown headers and no headers.
* src/preprocessors/HttpInspect/server/hi_server.c : Fixed memory leak.
* src/preprocessors/HttpInspect/utils/hi_paf.c : Fixed issue with gzip decompression when the server response specifies Content-Encoding as GZIP but no Content-Length field for HTTP version 1.0.
* doc/snort_manual.pdf, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_httpinspect.c : Fixed Snort memory leak in parsing HTTP xff options.
* src/preprocessors/spp_httpinspect.c : Fixed Coverity issues.
* src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h, HttpInspect/include/hi_paf.h, HttpInspect/server/hi_server.c, HttpInspect/utils/hi_paf.c : Improved End of Header (EOH) identification for a response header spanning multiple reassembled packets.
* src/preprocessors/: HttpInspect/utils/hi_paf.c, Stream6/snort_stream_tcp.c, Stream6/stream_paf.c : Improved packet reassembly for HTTP; added code to purge the segment correctly when PAF decides to ignore a packet upon reaching paf_max.
* src/fpdetect.c : Fixed to use outer header callback functions when checking an IP rule against outer IPs and inner header callbacks when checking against inner IPs.
* src/preprocessors/spp_httpinspect.c : Fixed an issue where http_inspect current and default config had different file depth.
* src/dynamic-preprocessors/appid/detector_plugins/detector_dns.c : Handled malformed DNS host in AppId.
* src/file-process/: file_api.h, file_segment_process.c, file_service.c : Prevented access to file contexts which are pruned when memcap is reached.
* src/dynamic-preprocessors/appid/: app_forecast.c, app_forecast.h, flow.h, fw_appid.c, spp_appid.c, thirdparty_appid_types.h : Performance improvements to AppID.
* src/dynamic-preprocessors/appid/luaDetectorApi.c : Created a future-flow API for lua detector. Exposed DNS API to lua detector.
* src/dynamic-preprocessors/ftptelnet/pp_ftp.c : Fixed an issue where unexpected SSL negotiation starts for FTP with explicit SSL.
* src/preprocessors/HttpInspect/utils/hi_paf.c : Updated HTTP PAF to accept all tokens between method and version string in request URI.
* src/preprocessors/HttpInspect/files/file_decomp_SWF.c : Fixed Flash LZMA decompression issue.
* src/preprocessors/spp_httpinspect.c : Fixed file_depth initialization issue during Snort reload.

2015-11-18 Carter Waxman
Snort 2.9.8.0

* src/build.h : Updated build number to 229.
* src/preprocessors/: session_api.h, spp_session.c, Session/session_expect.c, Session/session_expect.h : Added support for multiple expected sessions created for a single packet.
* doc/: snort_manual.pdf, snort_manual.tex : Changed gtp ports in snort manual.
* src/: dynamic-preprocessors/ftptelnet/ftpp_si.c, dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, preprocessors/spp_session.c : Change setAppProcolId to update SFAT for non-TCP traffic.
* src/dynamic-preprocessors/appid/spp_appid.c : Fixed reload issues.
* src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c : Future flows are now created for both directions on SIP.
* src/dynamic-preprocessors/smtp/smtp_paf.c : Improved reliability of SMTP PAF.
* src/dynamic-preprocessors/appid/fw_appid.c : Bugs Fixed: Improved AppId detection on SSL/TLS protocols for decrypted
* src/: dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, preprocessors/Stream6/snort_stream_tcp.c : Fixed FTP file detection where the server SYNs the data channel before responding to PORT on the command channel.
* src/dynamic-preprocessors/appid/: commonAppMatcher.c, fw_appid.c, fw_appid.h, service_plugins/service_ftp.c : Improved detection of data on FTPS data channel.
* src/: encode.c, util.h, dynamic-preprocessors/appid/test/sessionFile.h, preprocessors/spp_session.c, preprocessors/spp_stream6.c, preprocessors/Session/session_common.h : Added support for MPLS active responses.
* src/dynamic-preprocessors/appid/: detector_plugins/detector_pop3.c, service_plugins/service_ftp.c : Improved detection of POP3S.
* src/detection-plugins/sp_appid.c : Fixed reliability issue with client AppID IPS rules.
* preproc_rules/preprocessor.rules, src/dynamic-preprocessors/smtp/smtp_config.c, src/dynamic-preprocessors/smtp/smtp_config.h, src/dynamic-preprocessors/smtp/smtp_log.h, src/dynamic-preprocessors/smtp/smtp_paf.c : Added preproc alert for excessive data following "AUTH NTLM\r\n" and "AUTH CRAM-MD5\r\n".
* src/dynamic-preprocessors/reputation/: reputation_config.c, shmem/shmem_mgmt.c : Improved reliability of reputation shared memory on single-CPU systems.
* doc/: snort_manual.pdf, snort_manual.tex : Fix first/last typo in manual. Thanks Mohsen Abbaspour for reporting it.
* src/dynamic-preprocessors/appid/spp_appid.c : Update AppID to use only the global Snort config and only process IP packets.
* src/dynamic-preprocessors/appid/service_plugins/service_tftp.c : Fixed TFTP detection, which had the source and destination address data reversed.
* src/: detection-plugins/sp_byte_jump.c, dynamic-plugins/sf_convert_dynamic.c, dynamic-preprocessors/appid/appIdConfig.c, dynamic-preprocessors/appid/commonAppMatcher.c, dynamic-preprocessors/appid/fw_appid.c, dynamic-preprocessors/appid/luaDetectorApi.c, dynamic-preprocessors/appid/client_plugins/client_app_smtp.c, dynamic-preprocessors/appid/detector_plugins/detector_http.c, dynamic-preprocessors/appid/service_plugins/service_MDNS.c, dynamic-preprocessors/ftptelnet/hi_util_kmap.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/reputation/reputation_config.c, dynamic-preprocessors/sdf/sdf_detection_option.c, dynamic-preprocessors/ssl_common/ssl_config.c, dynamic-preprocessors/ssl_common/ssl_ha.c, output-plugins/spo_csv.c, preprocessors/spp_arpspoof.c, preprocessors/spp_session.c, preprocessors/HttpInspect/utils/hi_util_kmap.c, sfutil/ipobj.c, sfutil/sfghash.c : Added error checks to improve reliability.
* src/dynamic-preprocessors/appid/: flow.h, fw_appid.c, service_plugins/service_ssl.c, service_plugins/service_ssl.h : Fixed issue where appid info was not populated for SSL sessions on non-standard ports.

2015-08-28 Rahul Burman
Snort 2.9.8_rc

* src/build.h : Updated build number to 195.
* src/preprocessors/HttpInspect/: client/hi_client.c, server/hi_server.c : NULL check added for call to strndup function.
* src/output-plugins/spo_alert_unixsock.c : Resolved issue where output data is corrupted while writing to unix socket [reported by Alexander Bubnov].
	* src/: dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/ftpp_ui_config.h, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Improvements to FTP preprocessor to block malware when downloaded with a client that supports FTP REST.
	* src/dynamic-preprocessors/appid/fw_appid.c: Resolved issue where squid detector is not showing expected alerts. Reset app ID when SSL is identified on an FTP data channel.
	* src/preprocessors/spp_perfmonitor.c: Resolved snort output error issue in perfmonitor preprocessor
	* src/preprocessors/Stream6/snort_stream_tcp.c: Resolved issue where snort marks retransmitted packet as bad segment. Fixed issue where XFF/ExtraData is not always logged when 'drop' rules trigger [reported by Mike Cox].
	* src/dynamic-preprocessors/reputation/reputation_config.c: Fixed unexpected behaviour in reputation config where blacklist is displayed in priority field even though whitelist option is set [reported by Mike Cox].
	* src/: decode.h, snort.c, dynamic-plugins/sf_engine/sf_snort_packet.h, preprocessors/Stream6/snort_stream_tcp.c: Improvements done to avoid RETRY verdict for re-transmitted packet.
	* etc/gen-msg.map: Fixed a typo where ssp_ssl is renamed to spp_ssl
	* src/preprocessors/spp_session.c: Changes done to avoid memory allocation for the default number of sessions when session tracking is disabled.
	* doc/snort_manual.tex: Corrected errors in snort_manual.tex [reported by Gabriel Corre].
	* src/dynamic-preprocessors/appid/: appId.h, appIdStats.c, service_plugins/service_ftp.c: Changes done to differentiate between active and passive FTP connections.
	* src/dynamic-preprocessors/appid/: appIdApi.c, appIdConfig.h, appInfoTable.c, flow.h, fw_appid.c, thirdparty_appid_api.h, thirdparty_appid_utils.c, detector_plugins/detector_http.c, detector_plugins/detector_sip.c: Fixed issues reported by valgrind in AppID.
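The SMTP preprocessor alert for excessive data following a bare "AUTH NTLM" or "AUTH CRAM-MD5" command (listed in the entries above) keys on the length of the client's next line, which in both mechanisms is its base64 response to the server challenge. What follows is an added Python illustration of that check written for this page; it is not Snort's smtp_paf.c code. The byte threshold, the function names and the sample client stream are assumptions of the example, and the limit Snort applies comes from its own configuration.

```python
import base64

# After these bare commands the client's NEXT line is its base64 response to
# the server challenge. "AUTH NTLM <initial-response>" on one line is a
# different case and is deliberately not matched (the alert text quotes the
# bare "AUTH NTLM\r\n" / "AUTH CRAM-MD5\r\n" forms only).
AUTH_EXCHANGE_CMDS = (b"AUTH NTLM", b"AUTH CRAM-MD5")


def smtp_auth_data_alerts(client_stream, max_auth_data=1024):
    """Scan the client half of an SMTP session.

    Returns one record per AUTH NTLM / AUTH CRAM-MD5 exchange whose response
    line is longer than max_auth_data bytes. The threshold is an assumed
    parameter of this example, not Snort's configured value.
    """
    alerts = []
    lines = client_stream.split(b"\r\n")
    # Iterate over every complete line; lines[i + 1] always exists here and may
    # be a partial (not yet CRLF-terminated) line, which is still measured,
    # since a PAF-style scanner sees the oversized data before the line ends.
    for i, line in enumerate(lines[:-1]):
        if line.upper() not in AUTH_EXCHANGE_CMDS:
            continue
        data = lines[i + 1]
        if len(data) > max_auth_data:
            alerts.append({
                "command": line,
                "length": len(data),
                "line": i + 2,          # 1-based line number of the response
            })
    return alerts


def sample_client_stream():
    """Constructed client-side SMTP stream for the example (not captured traffic)."""
    oversized = base64.b64encode(b"\x00" * 1500)   # 2000 bytes of base64
    lines = [
        b"EHLO mail.example.test",
        b"AUTH NTLM TlRMTVNTUAABAAAA",             # initial response inline: not this case
        b"AUTH NTLM",
        oversized,                                 # challenge response: far too long
        b"AUTH CRAM-MD5",
        b"dXNlciBhYmMxMjM=",                       # ordinary-sized response
        b"MAIL FROM:<a@example.test>",
    ]
    return b"\r\n".join(lines) + b"\r\n"


if __name__ == "__main__":
    for a in smtp_auth_data_alerts(sample_client_stream()):
        print("excessive auth data after %r: %d bytes at line %d"
              % (a["command"], a["length"], a["line"]))
```

The check is per exchange, so a session that authenticates twice is measured twice, and the command comparison is case-insensitive because SMTP verbs are.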
2015-08-05 Victor Roemer Snort 2.9.8 Beta

	* src/build.h: Update build number to 176
	* src/dynamic-preprocessors/appid/service_plugins/service_ftp.c: Snort to support EPRT command for active FTP on IPv4 and IPv6
	* src/dynamic-preprocessors/ftptelnet/: ftpp_si.c, ftpp_si.h, pp_ftp.c: Some PDF files were not blocked by snort.
	* src/preprocessors/HttpInspect/client/hi_client.c: Check if packet has start of PDU before generating alert.
	* src/dynamic-preprocessors/smtp/smtp_util.c: SMTP preprocessor email log buffer length update before copying to avoid assert failure.
	* src/: active.c, decode.h, preprocids.h, detection-plugins/sp_react.c, dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-preprocessors/appid/spp_appid.c, dynamic-preprocessors/reputation/spp_reputation.c, preprocessors/spp_session.c: Sessions that are blocked and trusted. Fix sp_react when sending data.
	* src/dynamic-preprocessors/appid/: flow.h, fw_appid.c, detector_plugins/detector_http.c: Skip simple detection only for those CHP actions that could override client ID, payload ID, etc.
	* doc/snort_manual.tex: Correct Unified2 Packet content.
	* etc/snort.conf, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/Stream6/stream_paf.c: Clear True-IP and XFF between HTTP transactions. Prevents Snort from logging extra data on transactions incorrectly.
	* src/sfutil/sf_ip.h: Treat 0.0.0.0/0 as "any" ipv4 address, fixing rule matches on ip header leaf node.
	* src/preprocessors/perf-base.c: Fixed macro usage to work with ICC and C89.
	* src/preprocessors/perf-base.c: Fixed erroneous performance values being generated when Snort is idle.
	* src/dynamic-preprocessors/appid/: service_plugins/service_api.h, util/NetworkSet.h: Fixed appid compilation issues for FreeBSD and OpenBSD.
	* tools/appid_detector_builder.sh: Fix script shortcomings for HTTP URL, Copyright, DetectorClean() stub.
	* src/decode.c: Snort min_ttl decoder rules drop regardless of alert/drop type.
	* src/dynamic-preprocessors/appid/luaDetectorApi.c: Set active flag for sandboxing for SSL Lua detectors.
	* src/: active.h, sfdaq.c, sfdaq.h, snort.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, file-process/file_service.c: Add support for DAQ Retry detection of the current packet. This change adds active response api function to request a packet retry (method added to dpd struct as well) and to query if the packet disposition is ACTIVE_RETRY.
	* src/preprocessors/: spp_session.c, Session/stream5_ha.c, Session/stream5_ha.h: preprocessors/Stream6/snort_stream_tcp.c: preprocessors/spp_session.c: If session lookup fails for a packet being processed by the Session preprocessor while DAQ HA is enabled and DAQ HA state is available for the packet, retrieve and process the HA state from the DAQ and retry the lookup. Do not store DAQ HA state when unsupported tunnel types are decoded that might make the underlying hardware's concept of flows not match Snort's.
	* src/dynamic-preprocessors/file/: file_agent.c, file_agent.h, spp_file.c: Support daemon option with file_inspect preprocessor.
	* src/preprocessors/Stream6/snort_stream_tcp.c: When processing asymmetric traffic, TCP segments are no longer queued indefinitely, reducing session cache thrashing caused by excessive pruning.
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c: Fix false positive on HI_ANOM_SERVER_ALERT.
	* src/dynamic-preprocessors/appid/: detector_plugins/detector_pattern.c, service_plugins/service_api.h, service_plugins/service_base.c: C detectors were not enabled when testing with a pcap.
	* src/: event.h, sfutil/Unified2_common.h: Increase max size for app ID names so they don't get truncated in alerts.
	* src/dynamic-preprocessors/appid/commonAppMatcher.c: Fix an issue with old/new config and AppID reload swap.
	* src/dynamic-preprocessors/appid/service_plugins/service_bootp.c: Fix in AppId bootp service plugin for packets without layer 2 header.
	* snort.8: Updated -q and -M switch description in snort manpage.
	* src/dynamic-preprocessors/appid/: flow.h, fw_appid.c, detector_plugins/detector_pattern.h, util/NetworkSet.h, util/OutputFile.c, util/sfutil.c: Fix Snort compilation issues on OSX when AppID is enabled.
	* src/: dynamic-plugins/sf_dynamic_define.h, dynamic-plugins/sf_engine/sf_snort_plugin_api.h, dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h, dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h, dynamic-preprocessors/appid/appId.h, dynamic-preprocessors/appid/flow.h, dynamic-preprocessors/appid/host_tracker.h, dynamic-preprocessors/appid/rna_flow.h, dynamic-preprocessors/appid/service_state.h, dynamic-preprocessors/appid/spp_appid.c, dynamic-preprocessors/appid/thirdparty_appid_api.h, dynamic-preprocessors/appid/client_plugins/client_app_api.h, dynamic-preprocessors/appid/client_plugins/client_app_bit.c, dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c, dynamic-preprocessors/appid/client_plugins/client_app_rtp.c, dynamic-preprocessors/appid/client_plugins/client_app_ssh.c, dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c, dynamic-preprocessors/appid/client_plugins/client_app_tns.c, dynamic-preprocessors/appid/client_plugins/client_app_vnc.c, dynamic-preprocessors/appid/detector_plugins/detector_dns.c, dynamic-preprocessors/appid/detector_plugins/detector_imap.c, dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c, dynamic-preprocessors/appid/detector_plugins/detector_pop3.c, dynamic-preprocessors/appid/detector_plugins/detector_sip.c, dynamic-preprocessors/appid/service_plugins/service_base.c, dynamic-preprocessors/appid/service_plugins/service_bit.c, dynamic-preprocessors/appid/service_plugins/service_timbuktu.c, dynamic-preprocessors/appid/service_plugins/service_tns.c, side-channel/dynamic-plugins/sf_dynamic_side_channel_lib.h: Rename SO_PUBLIC to SF_SO_PUBLIC. Removed unused appid/rna code.
	* doc/README.appid, rpm/snort.spec, tools/Makefile.am, tools/appid_detector_builder.sh: Added shell script to build simple LUA detectors for Snort.
	* src/dynamic-preprocessors/appid/: luaDetectorApi.c, client_plugins/client_app_base.c, client_plugins/client_app_base.h: Add sanity checks for lua client mod calls. Add function for service detectors to add clients. Open client-side API to allow clients to be added outside of client api.
	* configure.in, src/dynamic-output/plugins/output_lib.h: Don't export visibility hidden or invalid daq include path.
	* src/dynamic-preprocessors/appid/service_plugins/service_tftp.c: Switch source and destination when adding the expected flow.
	* doc/README.stream5, doc/snort_manual.tex, etc/snort.conf, src/preprocessors/Stream6/snort_stream_tcp.c: Added a new configure option "log_asymmetric_traffic" to turn on/off logging the message for asymmetric traffic. By default, it will be turned off.
	* src/detect.c: Call correct function to get app names for alerts.
	* configure.in, src/dynamic-preprocessors/appid/dns_defs.h, src/dynamic-preprocessors/appid/client_plugins/client_app_rtp.c, src/dynamic-preprocessors/appid/service_plugins/service_api.h, src/dynamic-preprocessors/appid/service_plugins/service_netbios.c: Replace use of __BYTE_ORDER with use of WORDS_BIGENDIAN or SF_BIGENDIAN.
	* src/dynamic-preprocessors/appid/fw_appid.c: Free http_session->new_uri and new_cookie before reassigning.
	* src/: preprocessors/spp_normalize.c, snort.h: When normalization is removed from snort conf, a reload would not disable it in Stream.
	* src/preprocessors/perf_indicators.h: Added a NULL check for a pointer argument in a perf_indicator utility inline function.
	* src/: parser.c, preprocessors/Stream6/snort_stream_tcp.c, sfutil/sfPolicyUserData.h: Fixed an issue where stream fails during multiple-policy configuration if stream_tcp configs are present in the default, but not child policies.
	* src/dynamic-preprocessors/appid/appInfoTable.c: App name(s) in Snort rules are now case insensitive.
	* doc/snort_manual.tex, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_httpinspect.c, src/preprocessors/stream_api.h, src/preprocessors/HttpInspect/include/hi_si.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/HttpInspect/session_inspection/hi_si.c, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/Session/session_common.h, src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/Stream6/stream_paf.c, src/preprocessors/Stream6/stream_paf.h: Stop reassembly if HTTP flow depth has been reached.
	* src/dynamic-preprocessors/appid/: fw_appid.c: Fix for core while processing SIP traffic from ignore sessions.
	* src/dynamic-preprocessors/appid/service_plugins/service_ssl.c: Fix for parsing SSL client hello packet (do not assume that this packet always contains extensions field).
	* src/: dynamic-preprocessors/dcerpc2/dce2_paf.c, dynamic-preprocessors/dnp3/dnp3_paf.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/imap/imap_paf.c, dynamic-preprocessors/pop/pop_paf.c, dynamic-preprocessors/sip/sip_paf.c, dynamic-preprocessors/smtp/smtp_paf.c, preprocessors/spp_stream6.c, preprocessors/stream_api.h, preprocessors/HttpInspect/utils/hi_paf.c, preprocessors/Session/session_common.h, preprocessors/Stream6/snort_stream_tcp.c, preprocessors/Stream6/snort_stream_tcp.h, preprocessors/Stream6/stream_paf.c, preprocessors/Stream6/stream_paf.h: Allow 2 PAF clients to be active at a time.
	* src/detection-plugins/detection_options.c: Detection_filter events were incorrect because both raw and reassembled packets were used. Added a check that, if session is being reassembled, consider reassembled packet. Else, consider raw packet for count. When "no_stream" is present in the rule, need to consider raw packets only, even though session reassembly is happening. Took care of this case by adding OtnFlowIgnoreReassembled(otn) check.
	* src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h: Filename parsed from Mime body for UUencoded file.
	* src/: detect.c, detect.h, event_queue.c, event_queue.h, event_wrapper.c, event_wrapper.h, fpdetect.c, fpdetect.h, ppm.c, tag.c, tag.h, file-process/file_service.c, preprocessors/Stream6/snort_stream_tcp.c, sfutil/sfPolicyData.h, sfutil/sfrf.c: Internal (gid:135) rate filtering events now use runtime NAP instead of runtime IPS for rule tree lookups.
	* src/dynamic-preprocessors/Makefile.am: Fix for Snort compilation issue on OSX.
	* src/: appIdApi.h, decode.h, detect.c, snort.c, snort.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-preprocessors/appid/appIdApi.c, dynamic-preprocessors/appid/flow.c, dynamic-preprocessors/appid/flow.h, dynamic-preprocessors/appid/luaDetectorApi.c, dynamic-preprocessors/appid/luaDetectorApi.h, dynamic-preprocessors/appid/client_plugins/client_app_aim.c, dynamic-preprocessors/appid/client_plugins/client_app_api.h, dynamic-preprocessors/appid/client_plugins/client_app_base.c, dynamic-preprocessors/appid/client_plugins/client_app_base.h, dynamic-preprocessors/appid/client_plugins/client_app_bit.c, dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c, dynamic-preprocessors/appid/client_plugins/client_app_msn.c, dynamic-preprocessors/appid/client_plugins/client_app_rtp.c, dynamic-preprocessors/appid/client_plugins/client_app_smtp.c, dynamic-preprocessors/appid/client_plugins/client_app_ssh.c, dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c, dynamic-preprocessors/appid/client_plugins/client_app_tns.c, dynamic-preprocessors/appid/client_plugins/client_app_vnc.c, dynamic-preprocessors/appid/client_plugins/client_app_ym.c, dynamic-preprocessors/appid/detector_plugins/detector_dns.c, dynamic-preprocessors/appid/detector_plugins/detector_imap.c, dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c, dynamic-preprocessors/appid/detector_plugins/detector_pattern.c, dynamic-preprocessors/appid/detector_plugins/detector_pop3.c, dynamic-preprocessors/appid/detector_plugins/detector_sip.c, dynamic-preprocessors/appid/service_plugins/service_api.h, dynamic-preprocessors/appid/service_plugins/service_base.c, dynamic-preprocessors/appid/service_plugins/service_base.h, dynamic-preprocessors/appid/service_plugins/service_rpc.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/sip/sip_dialog.c, preprocessors/session_api.h, preprocessors/sip_common.h, preprocessors/spp_session.c, preprocessors/spp_session.h, preprocessors/spp_stream6.c, preprocessors/stream_api.h, preprocessors/Session/session_expect.c, preprocessors/Session/session_expect.h: Allow all preprocessors to create expected session calls.
	* src/dynamic-plugins/: sf_dynamic_plugins.c, sf_dynamic_preprocessor.h: Corrected function prototype definition for DP API method called to register an Active Response callback.
	* src/snort.c: Clean up the inline failopen thread before calling DAQ_Stop in SnortCleanup(). Prevent running in daemon mode from killing these threads.
	* src/preprocessors/: perf-base.h, perf.c: Don't clear procpidstats structure, so snort doesn't core.
	* src/dynamic-preprocessors/appid/: service_state.h, service_plugins/service_base.c: Restart service search state machine if previous session was only partial.
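The detection_filter fix above (detection_options.c) picks exactly one copy of the data to count: raw packets for rules carrying no_stream, the reassembled pseudo-packet when Stream is reassembling the session, and raw packets when it is not. The Python below is an added model of that choice written for this page, not Snort's code; the packet layout, the one-second-per-packet clock, the simplified detection_filter semantics and the constructed HTTP flow are assumptions of the example. It shows why the fix matters: counting both the raw segment and its reassembled copy makes a detection_filter threshold fire after fewer real requests than the rule configured.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    request: int    # which client request this packet carries (illustration only)
    payload: bytes
    rebuilt: bool   # True for a Stream-reassembled pseudo-packet, False for the wire packet


def counts_toward_filter(no_stream, session_reassembling, rebuilt):
    """Mirror of the selection rule described in the changelog entry."""
    if no_stream:                 # 'no_stream' rules are evaluated on raw packets only
        return not rebuilt
    if session_reassembling:      # otherwise count the reassembled copy, not the raw one
        return rebuilt
    return not rebuilt            # no reassembly at all: raw packets are all there is


def first_fire_request(pattern, packets, *, count, seconds,
                       session_reassembling, no_stream=False, naive=False):
    """Return the request number on which a detection_filter (count within
    seconds) would first let the rule fire, or None if it never does.

    Packet index doubles as a timestamp, one second apart (assumption).
    naive=True reproduces the pre-fix behaviour: every matching packet counts.
    """
    hits = []
    for t, pkt in enumerate(packets):
        if pattern not in pkt.payload:
            continue
        if not naive and not counts_toward_filter(no_stream, session_reassembling,
                                                  pkt.rebuilt):
            continue
        hits = [h for h in hits if t - h < seconds] + [t]   # sliding window
        if len(hits) >= count:
            return pkt.request
    return None


def sample_flow():
    """Constructed flow: three client requests, each seen once on the wire and
    once again as Stream's reassembled copy of the same bytes."""
    pkts = []
    for n in (1, 2, 3):
        req = b"GET /login?try=%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % n
        pkts.append(Packet(n, req, rebuilt=False))
        pkts.append(Packet(n, req, rebuilt=True))
    return pkts


if __name__ == "__main__":
    flow = sample_flow()
    for label, kw in (("pre-fix (raw + rebuilt)", dict(naive=True)),
                      ("fixed, reassembling", {}),
                      ("fixed, no_stream rule", dict(no_stream=True))):
        fired = first_fire_request(b"GET /login", flow, count=3, seconds=60,
                                   session_reassembling=True, **kw)
        print("%-25s fires on request %s" % (label, fired))
```

With `count 3, seconds 60` the pre-fix model fires on the second request, because raw request 1, its rebuilt copy and raw request 2 make three hits; both corrected paths fire on the third request, which is what the rule asked for. The window check also shows that a threshold tuned for the doubled count would silently under-detect once the double counting is removed.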
	* configure.in, src/sfdaq.c, src/sfdaq.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h: Added accessor methods for DAQ query flow method.
	* src/preprocessors/snort_httpinspect.c: Added checks to prevent raw packets from being used for file process in HTTP.
	* src/dynamic-preprocessors/appid/: flow.h, fw_appid.c: Fix for processing HTTPS data to extract client app id.
	* src/preprocessors/: perf-base.c, Stream6/snort_stream_tcp.c: Prunes due to timeouts are now counted by perfmonitor as prunes.
	* doc/snort_manual.tex, src/parser.c, src/parser.h, src/snort.h, src/detection-plugins/detection_options.c: Introduced config option `disable_replace`.
	* preproc_rules/preprocessor.rules, src/preprocessors/session_api.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/Stream6/snort_stream_tcp.c, etc/gen-msg.map: HI_EO_SERVER_PROTOCOL_OTHER alert is added to detect SSH tunneling over HTTP.
	* configure.in: Remove unused declaration of ADD_WERROR.
	* src/: active.c, detection-plugins/sp_react.c: Changed code to add FIN on last data packet and bump the seq for the FIN flag.
	* src/active.c: Added a FIN packet after the last data packet and before the reset.
	* src/dynamic-preprocessors/appid/fw_appid.c: Fixed HTTP header field offset calculation for fragmented HTTP headers.
	* doc/: snort_manual.pdf, snort_manual.tex: Added note about fast pattern matcher being case insensitive.
	* src/: dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-preprocessors/appid/spp_appid.c: Allow for multiple isAppIdRequired functions.
	* doc/snort_manual.tex: When not set by preprocessor, set file_data pointer to beginning of payload. Also fixed an issue when doe_ptr is moved to http buffers, the length for those buffers is incorrect.
	* src/: snort.c, preprocessors/perf.c, preprocessors/perf.h, preprocessors/spp_perfmonitor.c: Change the way perfmon dumps stats to ensure that multiple instances will dump stats at offsets from absolute time. This gives Snort the ability to dump stats asynchronously (when idle).
	* src/snort.c: Change the order of permissions drop and chroot so that we set the uid and gid before creating the pid file.
	* src/preprocessors/Stream6/snort_stream_tcp.c: Change PAF to handle full PDU in single tcp segment correctly.
	* src/decode.c: Prevent duplicate alerting of decoder rule 116:296.
	* src/dynamic-preprocessors/appid/fw_appid.c: Use memcpy instead of strdup.
	* src/dynamic-preprocessors/appid/detector_plugins/detector_http.c: Fixed the calculation of 'end' index in http_header_pattern_match when HTTP header does not have a properly terminated 'Server' field.
	* src/: log_text.c, log_text.h, output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c: Add AppID to console alert logs.
	* src/dynamic-preprocessors/appid/: service_state.c, service_plugins/service_base.c: Don't fail adding a service if the id_state is already in the host cache.
	* src/dynamic-preprocessors/appid/fw_appid.c: Addressed pinhole issue not allowing FTP-Data sessions.
	* src/: decode.c, parser.c, sfdaq.c, sfdaq.h, snort.c, snort.h: Update snort to handle the DAQ flags to determine which tunnels it can render flow verdicts to hardware.
	* src/active.c: Included function for sending UDP response(s).
	* src/: sfutil/sfrt_flat.c, dynamic-preprocessors/reputation/reputation_config.c: Limit number of IP entries based on memcap. Avoiding issue of sfrt table not being created in the first place.
	* src/: tag.c, detection-plugins/detection_leaf_node.c, file-process/file_capture.c, file-process/file_mempool.c, file-process/file_resume_block.c, file-process/file_segment_process.c, file-process/file_segment_process.h, preprocessors/perf-flow.c, preprocessors/portscan.c, preprocessors/Session/session_expect.c, sfutil/sf_ip.h, sfutil/sfrf.c, sfutil/sfthd.c, sfutil/sfthd.h: Replaced all sfaddr_t occurrences in hash keys with struct in6_addr.
	* src/sfutil/sfdebug.h, tools/control/sfcontrol.c: Fixed ascii output of file data.
	* src/: profiler.h, snort.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-preprocessors/Makefile.am, preprocessors/Makefile.am, preprocessors/perf_indicators.c, preprocessors/perf_indicators.h: New dynamic-preprocessor API hooks for fetching a set of snort performance indicators and the pcap readback mode bit.
	* src/sfutil/sfdebug.h, tools/control/sfcontrol.c: Fixed string termination to only dump values that have been initialized.
	* src/sfutil/: sfrt_flat.c, sfrt_flat.h, sfrt_flat_dir.c, sfrt_flat_dir.h: Memory optimizations for reputation preprocessor
	* src/: decode.h, detect.c, detection_util.c, plugbase.c, plugbase.h, preprocids.h, snort.h, dynamic-plugins/sf_engine/Makefile.am, dynamic-plugins/sf_engine/sf_snort_packet.h, preprocessors/spp_frag3.c, preprocessors/spp_session.c, sfutil/sf_ip.c, sfutil/sf_ip.h: Changed the preprocessor mask from 32-bit to 64-bit. Changed all declarations to use PreprocEnableMask as the type.
	* src/: file-process/file_resume_block.c, sfutil/sfxhash.c, sfutil/sfxhash.h: Added a memcap to sfxhash usage in file_resume_block.
	* src/dynamic-preprocessors/dcerpc2/: dce2_smb2.c, dce2_smb2.h, dce2_stats.h, spp_dce2.c: Currently, we use file size to avoid processing pipe and print share data because file size is 0 in that case. However, smbclient sets file size to zero as well, which made snort fail to identify those files correctly.
	* src/: dynamic-preprocessors/appid/commonAppMatcher.c, dynamic-preprocessors/appid/hostPortAppCache.c, dynamic-preprocessors/appid/lengthAppCache.c, dynamic-preprocessors/appid/service_state.c, dynamic-preprocessors/appid/util/NetworkSet.c, preprocessors/Session/session_expect.c, sfutil/sfxhash.c, sfutil/sfxhash.h: Create SFXHASH with non-negative sizes only.
	* doc/snort_manual.tex: Documentation for new Port Override feature.
	* src/dynamic-preprocessors/appid/: luaDetectorApi.c, luaDetectorApi.h, client_plugins/client_app_base.c, detector_plugins/detector_pattern.c, service_plugins/service_base.c: Fix memory leaks in detector_pattern.
	* src/dynamic-preprocessors/appid/service_plugins/service_dns.c, src/dynamic-preprocessors/appid/service_plugins/service_base.c, src/dynamic-preprocessors/appid/service_plugins/service_api.h, src/dynamic-preprocessors/appid/fw_appid.h, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/appIdApi.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/appIdApi.h: Included 2 new Appid Api calls for DNS_QUERY and DNS_QUERY_LEN.
	* src/preprocessors/HttpInspect/client/hi_client.c: Enable publishing of host name from raw packets for Appid.
	* src/: post_detection.c, post_detection.h: Inline modifier removed from post detection initialization function.
	* src/post_detection.h: Remove static modifier from inline function definition.
	* src/decode.c: FabricPath decoding modified the packet data pointer and length fields used to calculate ethernet header offsets incorrectly.
	* src/: Makefile.am, decode.h, detect.c, post_detection.c, post_detection.h, snort.c, dynamic-examples/Makefile.am, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-preprocessors/Makefile.am: Provide an API method available to all preprocessors to register a callback function that is called post-detection processing of the packet on which the callback was registered.
	* src/dynamic-preprocessors/appid/: commonAppMatcher.c, thirdparty_appid_api.h, thirdparty_appid_utils.c: Use Snort's logging facility for 3rd party AppID impls.
	* src/: decode.c, decode.h, encode.c, generators.h, sf_protocols.h, dynamic-plugins/sf_engine/sf_snort_packet.h: Added a decoding for Cisco Metadata headers.
	* src/dynamic-preprocessors/appid/: commonAppMatcher.c, fw_appid.c, fw_appid.h, client_plugins/client_app_api.h, client_plugins/client_app_base.c, detector_plugins/detector_pattern.c, detector_plugins/detector_sip.c, service_plugins/service_api.h, service_plugins/service_base.c, service_plugins/service_base.h, util/sf_mlmp.c, util/sf_mlmp.h: Fixes for sandboxing sip and http.
	* src/dynamic-preprocessors/appid/: appIdConfig.c, luaDetectorApi.c, detector_plugins/detector_imap.c, detector_plugins/detector_kerberos.c, detector_plugins/detector_pop3.c, detector_plugins/detector_sip.c, service_plugins/service_MDNS.c, service_plugins/service_battle_field.c, service_plugins/service_bgp.c, service_plugins/service_bit.c, service_plugins/service_bootp.c, service_plugins/service_dcerpc.c, service_plugins/service_direct_connect.c, service_plugins/service_dns.c, service_plugins/service_flap.c, service_plugins/service_ftp.c, service_plugins/service_irc.c, service_plugins/service_lpr.c, service_plugins/service_mysql.c, service_plugins/service_netbios.c, service_plugins/service_nntp.c, service_plugins/service_ntp.c, service_plugins/service_radius.c, service_plugins/service_rexec.c, service_plugins/service_rfb.c, service_plugins/service_rlogin.c, service_plugins/service_rpc.c, service_plugins/service_rshell.c, service_plugins/service_rsync.c, service_plugins/service_rtmp.c, service_plugins/service_smtp.c, service_plugins/service_snmp.c, service_plugins/service_ssh.c, service_plugins/service_ssl.c, service_plugins/service_telnet.c, service_plugins/service_tftp.c, service_plugins/service_timbuktu.c, service_plugins/service_tns.c: Initialize current_ref_count for all service plugins.
	* src/: detection-plugins/sp_appid.c, dynamic-preprocessors/appid/fw_appid.c: Fixed AppID in snort rules, trim appNames.
	* src/dynamic-preprocessors/appid/: flow.h, fw_appid.c, host_tracker.h, service_state.h, client_plugins/client_app_base.c, service_plugins/service_base.c: Allow multiple service and client detectors to be evaluated on that same flow.
	* src/dynamic-preprocessors/appid/: Makefile.am, appIdConfig.h, commonAppMatcher.c, luaDetectorApi.c, luaDetectorApi.h, luaDetectorModule.c, client_plugins/client_app_base.c, client_plugins/client_app_base.h, detector_plugins/detector_base.c, detector_plugins/detector_pattern.c, detector_plugins/detector_pattern.h, service_plugins/service_api.h, service_plugins/service_base.c, service_plugins/service_base.h, service_plugins/service_pattern.c, service_plugins/service_pattern.h: Implemented new Lua API to inject pattern/port for client and server.
	* src/dynamic-preprocessors/: appid/fw_appid.h, appid/luaDetectorApi.c, appid/luaDetectorApi.h, appid/luaDetectorModule.c, appid/spp_appid.c, appid/service_plugins/service_MDNS.c, dcerpc2/spp_dce2.c, dnp3/spp_dnp3.c, dns/spp_dns.c, ftptelnet/spp_ftptelnet.c, gtp/spp_gtp.c, imap/spp_imap.c, isakmp/spp_isakmp.c, modbus/spp_modbus.c, pop/spp_pop.c, reputation/spp_reputation.c, sdf/spp_sdf.c, sip/spp_sip.c, smtp/spp_smtp.c, ssh/spp_ssh.c, ssl_common/ssl_config.c, ssl_common/ssl_ha.c: Implemented lua detector performance profiling.
	* src/generators.h, src/dynamic-preprocessors/dcerpc2/dce2_event.c, src/dynamic-preprocessors/dcerpc2/dce2_event.h, src/dynamic-preprocessors/dcerpc2/dce2_smb2.c, doc/README.dcerpc2, doc/snort_manual.tex, preproc_rules/preprocessor.rules, etc/gen-msg.map: SMBv2 and SMBv3 preprocessor alerts update.
	* src/encode.c: Use ip6h struct to reference the src/dst address bytes.
* configure.in, src/file-process/file_segment_process.c, src/file-process/file_segment_process.h, src/file-process/file_service.c, src/file-process/file_stats.c, src/file-process/libs/file_lib.c, src/file-process/Makefile.am, src/file-process/file_api.h, src/dynamic-preprocessors/sip/sip_utils.h, src/dynamic-preprocessors/dcerpc2/Makefile.am, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/dcerpc2/dce2_session.h, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.h, src/dynamic-preprocessors/dcerpc2/dce2_smb2.c, src/dynamic-preprocessors/dcerpc2/dce2_smb2.h, src/dynamic-preprocessors/dcerpc2/dce2_stats.h, src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp, src/dynamic-preprocessors/dcerpc2/spp_dce2.c: doc/README.dcerpc2, doc/snort_manual.tex: SMBv2 and SMBv3 file inspection support. * src/: Makefile.am, appIdApi.h, detect.c, event.h, sf_sdlist.c, snort_debug.h, detection-plugins/sp_appid.c, detection-plugins/sp_appid.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sf_engine/sf_snort_plugin_api.c, dynamic-preprocessors/Makefile.am, dynamic-preprocessors/appid/Makefile.am, dynamic-preprocessors/appid/appId.c, dynamic-preprocessors/appid/appId.h, dynamic-preprocessors/appid/appIdApi.c, dynamic-preprocessors/appid/appIdConfig.c, dynamic-preprocessors/appid/appIdConfig.h, dynamic-preprocessors/appid/appIdStats.c, dynamic-preprocessors/appid/appInfoTable.c, dynamic-preprocessors/appid/appInfoTable.h, dynamic-preprocessors/appid/app_forecast.c, dynamic-preprocessors/appid/app_forecast.h, dynamic-preprocessors/appid/commonAppMatcher.c, dynamic-preprocessors/appid/commonAppMatcher.h, dynamic-preprocessors/appid/flow.c, dynamic-preprocessors/appid/flow.h, dynamic-preprocessors/appid/flow_error.h, dynamic-preprocessors/appid/fw_appid.c, dynamic-preprocessors/appid/fw_appid.h, 
dynamic-preprocessors/appid/hostPortAppCache.c, dynamic-preprocessors/appid/hostPortAppCache.h, dynamic-preprocessors/appid/host_tracker.h, dynamic-preprocessors/appid/httpCommon.h, dynamic-preprocessors/appid/lengthAppCache.c, dynamic-preprocessors/appid/lengthAppCache.h, dynamic-preprocessors/appid/luaDetectorApi.c, dynamic-preprocessors/appid/luaDetectorApi.h, dynamic-preprocessors/appid/luaDetectorFlowApi.c, dynamic-preprocessors/appid/luaDetectorFlowApi.h, dynamic-preprocessors/appid/luaDetectorModule.c, dynamic-preprocessors/appid/luaDetectorModule.h, dynamic-preprocessors/appid/rna_flow.h, dynamic-preprocessors/appid/service_state.c, dynamic-preprocessors/appid/service_state.h, dynamic-preprocessors/appid/spp_appid.c, dynamic-preprocessors/appid/thirdparty_appid_api.h, dynamic-preprocessors/appid/thirdparty_appid_types.h, dynamic-preprocessors/appid/thirdparty_appid_utils.c, dynamic-preprocessors/appid/thirdparty_appid_utils.h, dynamic-preprocessors/appid/client_plugins/clientAppConfig.h, dynamic-preprocessors/appid/client_plugins/client_app_aim.c, dynamic-preprocessors/appid/client_plugins/client_app_aim.h, dynamic-preprocessors/appid/client_plugins/client_app_api.h, dynamic-preprocessors/appid/client_plugins/client_app_base.c, dynamic-preprocessors/appid/client_plugins/client_app_base.h, dynamic-preprocessors/appid/client_plugins/client_app_bit.c, dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c, dynamic-preprocessors/appid/client_plugins/client_app_msn.c, dynamic-preprocessors/appid/client_plugins/client_app_msn.h, dynamic-preprocessors/appid/client_plugins/client_app_rtp.c, dynamic-preprocessors/appid/client_plugins/client_app_smtp.c, dynamic-preprocessors/appid/client_plugins/client_app_smtp.h, dynamic-preprocessors/appid/client_plugins/client_app_ssh.c, dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c, dynamic-preprocessors/appid/client_plugins/client_app_tns.c, 
dynamic-preprocessors/appid/client_plugins/client_app_vnc.c, dynamic-preprocessors/appid/client_plugins/client_app_ym.c, dynamic-preprocessors/appid/client_plugins/client_app_ym.h, dynamic-preprocessors/appid/detector_plugins/detector_api.h, dynamic-preprocessors/appid/detector_plugins/detector_base.c, dynamic-preprocessors/appid/detector_plugins/detector_http.c, dynamic-preprocessors/appid/detector_plugins/detector_http.h, dynamic-preprocessors/appid/detector_plugins/detector_imap.c, dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c, dynamic-preprocessors/appid/detector_plugins/detector_pop3.c, dynamic-preprocessors/appid/detector_plugins/detector_sip.c, dynamic-preprocessors/appid/detector_plugins/detector_sip.h, dynamic-preprocessors/appid/detector_plugins/http_url_patterns.c, dynamic-preprocessors/appid/detector_plugins/http_url_patterns.h, dynamic-preprocessors/appid/service_plugins/serviceConfig.h, dynamic-preprocessors/appid/service_plugins/service_MDNS.c, dynamic-preprocessors/appid/service_plugins/service_MDNS.h, dynamic-preprocessors/appid/service_plugins/service_api.h, dynamic-preprocessors/appid/service_plugins/service_base.c, dynamic-preprocessors/appid/service_plugins/service_base.h, dynamic-preprocessors/appid/service_plugins/service_battle_field.c, dynamic-preprocessors/appid/service_plugins/service_battle_field.h, dynamic-preprocessors/appid/service_plugins/service_bgp.c, dynamic-preprocessors/appid/service_plugins/service_bgp.h, dynamic-preprocessors/appid/service_plugins/service_bit.c, dynamic-preprocessors/appid/service_plugins/service_bootp.c, dynamic-preprocessors/appid/service_plugins/service_bootp.h, dynamic-preprocessors/appid/service_plugins/service_dcerpc.c, dynamic-preprocessors/appid/service_plugins/service_dcerpc.h, dynamic-preprocessors/appid/service_plugins/service_direct_connect.c, dynamic-preprocessors/appid/service_plugins/service_direct_connect.h, dynamic-preprocessors/appid/service_plugins/service_dns.c, 
dynamic-preprocessors/appid/service_plugins/service_dns.h, dynamic-preprocessors/appid/service_plugins/service_flap.c, dynamic-preprocessors/appid/service_plugins/service_flap.h, dynamic-preprocessors/appid/service_plugins/service_ftp.c, dynamic-preprocessors/appid/service_plugins/service_ftp.h, dynamic-preprocessors/appid/service_plugins/service_irc.c, dynamic-preprocessors/appid/service_plugins/service_irc.h, dynamic-preprocessors/appid/service_plugins/service_lpr.c, dynamic-preprocessors/appid/service_plugins/service_lpr.h, dynamic-preprocessors/appid/service_plugins/service_mysql.c, dynamic-preprocessors/appid/service_plugins/service_mysql.h, dynamic-preprocessors/appid/service_plugins/service_netbios.c, dynamic-preprocessors/appid/service_plugins/service_netbios.h, dynamic-preprocessors/appid/service_plugins/service_nntp.c, dynamic-preprocessors/appid/service_plugins/service_nntp.h, dynamic-preprocessors/appid/service_plugins/service_ntp.c, dynamic-preprocessors/appid/service_plugins/service_ntp.h, dynamic-preprocessors/appid/service_plugins/service_pattern.c, dynamic-preprocessors/appid/service_plugins/service_pattern.h, dynamic-preprocessors/appid/service_plugins/service_radius.c, dynamic-preprocessors/appid/service_plugins/service_radius.h, dynamic-preprocessors/appid/service_plugins/service_rexec.c, dynamic-preprocessors/appid/service_plugins/service_rexec.h, dynamic-preprocessors/appid/service_plugins/service_rfb.c, dynamic-preprocessors/appid/service_plugins/service_rfb.h, dynamic-preprocessors/appid/service_plugins/service_rlogin.c, dynamic-preprocessors/appid/service_plugins/service_rlogin.h, dynamic-preprocessors/appid/service_plugins/service_rpc.c, dynamic-preprocessors/appid/service_plugins/service_rpc.h, dynamic-preprocessors/appid/service_plugins/service_rshell.c, dynamic-preprocessors/appid/service_plugins/service_rshell.h, dynamic-preprocessors/appid/service_plugins/service_rsync.c, dynamic-preprocessors/appid/service_plugins/service_rsync.h, 
dynamic-preprocessors/appid/service_plugins/service_rtmp.c, dynamic-preprocessors/appid/service_plugins/service_rtmp.h, dynamic-preprocessors/appid/service_plugins/service_smtp.c, dynamic-preprocessors/appid/service_plugins/service_smtp.h, dynamic-preprocessors/appid/service_plugins/service_snmp.c, dynamic-preprocessors/appid/service_plugins/service_snmp.h, dynamic-preprocessors/appid/service_plugins/service_ssh.c, dynamic-preprocessors/appid/service_plugins/service_ssh.h, dynamic-preprocessors/appid/service_plugins/service_ssl.c, dynamic-preprocessors/appid/service_plugins/service_ssl.h, dynamic-preprocessors/appid/service_plugins/service_telnet.c, dynamic-preprocessors/appid/service_plugins/service_telnet.h, dynamic-preprocessors/appid/service_plugins/service_tftp.c, dynamic-preprocessors/appid/service_plugins/service_tftp.h, dynamic-preprocessors/appid/service_plugins/service_timbuktu.c, dynamic-preprocessors/appid/service_plugins/service_tns.c, dynamic-preprocessors/appid/util/NetworkSet.c, dynamic-preprocessors/appid/util/NetworkSet.h, dynamic-preprocessors/appid/util/common_util.h, dynamic-preprocessors/appid/util/fw_avltree.c, dynamic-preprocessors/appid/util/ip_funcs.c, dynamic-preprocessors/appid/util/ip_funcs.h, dynamic-preprocessors/appid/util/sf_mlmp.c, dynamic-preprocessors/appid/util/sfutil.c, dynamic-preprocessors/appid/util/sfutil.h, preprocessors/session_api.h, preprocessors/spp_session.c, sfutil/Unified2_common.h: Snort side changes to openAppid to support openAVC.

* src/dynamic-plugins/sf_dynamic_preprocessor.h, src/sfutil/sf_ip.h: Bump dpd version.

* configure.in, src/parser.c, src/fpcreate.c, src/fpdetect.c, src/fpdetect, src/parser.c, src/pcrm.c, src/pcrm.h, src/signature.c, src/signature.h, src/detection-plugins/Makefile.am, src/detection-plugins/detection_leaf_node.c, src/detection-plugins/detection_options.c, src/sfutil/sfportobject.h: NEW FEATURE Port Override. Adds new metadata keywords "else-ports", "or-ports" and "and-ports".
* src/sfdaq.c, src/sfdaq.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c, src/sfutil/sfPolicy.c, src/target-based/sftarget_reader.c: Add a generic DAQ modify flow function to dpd.

* configure.in, src/debug.c, src/decode.c, src/decode.h, src/detect.c, src/detection_filter.c, src/detection_filter.h, src/encode.c, src/fpcreate.c, src/fpdetect.c, src/ipv6_port.h, src/log.c, src/log_text.c, src/parser.c, src/ppm.c, src/rate_filter.c, src/sfdaq.c, src/sfdaq.h, src/sfthreshold.c, src/sfthreshold.h, src/snort.c, src/snort.h, src/snort_debug.h, src/tag.c, src/util.c, src/util.h, src/detection-plugins/sp_ftpbounce.c, src/detection-plugins/sp_session.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-preprocessors/appid/flow.c, src/dynamic-preprocessors/appid/flow.h, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/fw_appid.h, src/dynamic-preprocessors/appid/hostPortAppCache.c, src/dynamic-preprocessors/appid/hostPortAppCache.h, src/dynamic-preprocessors/appid/luaDetectorApi.c, src/dynamic-preprocessors/appid/luaDetectorFlowApi.c, src/dynamic-preprocessors/appid/rna_flow.h, src/dynamic-preprocessors/appid/service_state.c, src/dynamic-preprocessors/appid/service_state.h, src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c, src/dynamic-preprocessors/appid/service_plugins/service_api.h, src/dynamic-preprocessors/appid/service_plugins/service_base.c, src/dynamic-preprocessors/appid/service_plugins/service_ftp.c, src/dynamic-preprocessors/appid/service_plugins/service_rexec.c, src/dynamic-preprocessors/appid/service_plugins/service_rpc.c, src/dynamic-preprocessors/appid/service_plugins/service_rshell.c, src/dynamic-preprocessors/appid/service_plugins/service_snmp.c, 
src/dynamic-preprocessors/appid/service_plugins/service_ssl.c, src/dynamic-preprocessors/appid/service_plugins/service_tftp.c, src/dynamic-preprocessors/appid/util/ip_funcs.h, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c, src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h, src/dynamic-preprocessors/ftptelnet/ftpp_si.c, src/dynamic-preprocessors/ftptelnet/ftpp_si.h, src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c, src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h, src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c, src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h, src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c, src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/imap/spp_imap.c, src/dynamic-preprocessors/reputation/reputation_config.c, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/sip/sip_parser.c, src/dynamic-preprocessors/ssl_common/ssl_ha.c, src/dynamic-preprocessors/ssl_common/ssl_inspect.c, src/file-process/file_resume_block.c, src/output-plugins/spo_alert_sf_socket.c, src/output-plugins/spo_log_ascii.c, src/output-plugins/spo_unified2.c, src/preprocessors/perf-flow.c, src/preprocessors/perf-flow.h, src/preprocessors/portscan.c, src/preprocessors/portscan.h, src/preprocessors/session_api.h, src/preprocessors/sip_common.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_frag3.c, src/preprocessors/spp_session.c, src/preprocessors/spp_sfportscan.c, src/preprocessors/spp_stream6.c, src/preprocessors/stream_api.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/files/file_decomp.c, 
src/preprocessors/HttpInspect/include/file_decomp.h, src/preprocessors/HttpInspect/include/hi_si.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h, src/preprocessors/HttpInspect/session_inspection/hi_si.c, src/preprocessors/HttpInspect/user_interface/hi_ui_config.c, src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c, src/preprocessors/Session/session_common.h, src/preprocessors/Session/session_expect.c, src/preprocessors/Session/session_expect.h, src/preprocessors/Session/stream5_ha.c, src/preprocessors/Session/stream5_ha.h, src/preprocessors/Stream6/snort_stream_icmp.c, src/preprocessors/Stream6/snort_stream_icmp.h, src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/Stream6/snort_stream_tcp.h, src/preprocessors/Stream6/snort_stream_udp.c, src/preprocessors/Stream6/snort_stream_udp.h, src/preprocessors/Stream6/stream_paf.c, src/sfutil/ipobj.c, src/sfutil/ipobj.h, src/sfutil/sfPolicy.c, src/sfutil/sfPolicy.h, src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sf_iph.c, src/sfutil/sf_iph.h, src/sfutil/sf_ipvar.c, src/sfutil/sf_ipvar.h, src/sfutil/sf_vartable.c, src/sfutil/sfrf.c, src/sfutil/sfrf.h, src/sfutil/sfrt.c, src/sfutil/sfrt.h, src/sfutil/sfrt_dir.c, src/sfutil/sfrt_dir.h, src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c, src/sfutil/sfrt_flat_dir.h, src/sfutil/sfthd.c, src/sfutil/sfthd.h, src/sfutil/util_net.c, src/sfutil/util_net.h, src/sfutil/test/sf_ip_test.c, src/sfutil/test/sfrf_test.c, src/sfutil/test/sfrt_test.c, src/sfutil/test/sfthd_test.c, src/side-channel/sidechannel.c, src/target-based/sftarget_reader.c, src/target-based/sftarget_reader.h: Refactor sfip_t/sfaddr_t code to be compatible with struct in6_addr. 
2015-08-13 Rahul Burman Snort 2.9.7.6

* src/build.h: updating build number to 285

* src/dynamic-preprocessors/reputation/reputation_config.c: Fixed unexpected behaviour in reputation config where blacklist is displayed in priority field even though whitelist option is set [reported by Mike Cox].

* src/preprocessors/Stream6/snort_stream_tcp.c: Fixed issue where XFF/ExtraData is not always logged when 'drop' rules trigger [reported by Mike Cox]. Fixed issue in TCP session deletion when being called from Stream5 HA.

* src/: active.h, file-process/file_service.c: ACTIVE_DROP is changed to ACTIVE_FORCE_DROP when file_verdict is pending.

* src/dynamic-preprocessors/appid/fw_appid.c: Fixed issue where openappid does not provide the Content-Type field for use with CHPAddAction.

* doc/snort_manual.tex: Corrected errors in snort_manual.tex [reported by Gabriel Corre].

* preproc_rules/preprocessor.rules, src/preprocessors/: session_api.h, snort_httpinspect.c, HttpInspect/event_output/hi_eo_log.c, HttpInspect/include/hi_eo_events.h, Stream6/snort_stream_tcp.c: Enhancement done to detect 'SSH tunneling over HTTP'.

* src/sfutil/sfportobject.c: Fixed memory leaks [reported by Bill Parker].

* doc/snort_manual.tex: Corrected the information about unified2 record structure [reported by Avery Rozar].

* etc/snort.conf, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/Stream6/stream_paf.c: Fixed issue where original client IP in intrusion event is incorrectly populated with XFF of the last GET request.

* src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h, HttpInspect/server/hi_server.c: Http unlimited decompression will now decompress the entire stream.

* src/decode.c: Added a check so that the min_ttl decoder does not drop packets in alert mode.

* etc/snort.conf, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/server/hi_server.c: Fixed issue where original client IP in intrusion event is incorrectly populated with XFF of the last GET request.

2015-07-01 Carter Waxman Snort 2.9.7.5

* src/build.h: updating build number to 262

* src/preprocessors/Stream6/snort_stream_tcp.c: Improved handling of asymmetric traffic.

* src/active.c: Active responses no longer set the FIN flag on the last segment transmitted.

* src/dynamic-preprocessors/appid/luaDetectorApi.c: Added sanity checks to client API.

* doc/snort_manual.pdf, src/: dynamic-preprocessors/dcerpc2/dce2_paf.c, dynamic-preprocessors/dnp3/dnp3_paf.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/imap/imap_paf.c, dynamic-preprocessors/pop/pop_paf.c, dynamic-preprocessors/sip/sip_paf.c, dynamic-preprocessors/smtp/smtp_paf.c, preprocessors/session_api.h, preprocessors/spp_stream6.c, preprocessors/stream_api.h, preprocessors/HttpInspect/utils/hi_paf.c, preprocessors/Session/session_common.h, preprocessors/Stream6/snort_stream_tcp.c, preprocessors/Stream6/snort_stream_tcp.h, preprocessors/Stream6/stream_paf.c, preprocessors/Stream6/stream_paf.h: Multiple PAF clients can read/write to the same user data.

* src/: file-process/file_api.h, file-process/file_mail_common.h, file-process/file_mime_process.c, sfutil/sf_email_attach_decode.c, sfutil/sf_email_attach_decode.h: Fixed filename parsing from MIME body for UUencoded MIME.

* src/preprocessors/perf-base.c, src/preprocessors/Stream6/snort_stream_tcp.c: Prunes triggered by timeouts are now accounted for by perfmonitor.
* src/preprocessors/spp_session.c: Log a warning instead of a Fatal Error if a stream5_global config is in a non-default policy.

* src/detection-plugins/sp_base64_decode.c: Removed unused checks.

* src/snort.c: Improved reliability of configuration reloads.

* src/preprocessors/snort_httpinspect.c: Fixed issue in HTTP file processing where SHAs may not always be correct.

* doc/snort_manual.pdf, src/sfutil/sf_email_attach_decode.c: Fixed handling of new line chars in QP encoding.

* src/preprocessors/snort_httpinspect.c: Fixed inconsistent behavior when configuring "max_gzip_mem -1".

2015-22-04 Joel Cornett Snort 2.9.7.3

* src/build.h: updating build number to 217

* src/: decode.h, detection-plugins/sp_clientserver.c, dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-plugins/sf_engine/sf_snort_plugin_api.c, dynamic-preprocessors/dcerpc2/dce2_session.h, dynamic-preprocessors/sdf/spp_sdf.c, preprocessors/HttpInspect/server/hi_server.c, preprocessors/Stream6/snort_stream_tcp.c, preprocessors/snort_httpinspect.c, preprocessors/spp_normalize.c: Added mode safety checks to normalization. Fixed an issue in PAF where the start of the PDU after flushing was not being set correctly in some cases. Improved Stream reassembly of HTTPS sessions.

* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Stability improvements for ftp_telnet preprocessor.

* doc/snort_manual.pdf, doc/snort_manual.tex, src/detection-plugins/sp_base64_decode.c, src/detection-plugins/sp_base64_decode.h, src/detection-plugins/sp_file_data.c: Improved performance for file preprocessor. Documentation changes.

* src/dynamic-preprocessors/appid/: service_plugins/service_base.c, service_state.c: Various OpenAppId improvements.

* configure.in: Fixed issue with configure script handling of -Werror compiler flags.

* src/decode.c: Improved decoding of IPv6 extensions.

* src/detection-plugins/detection_options.c: Fixed an issue where the protected_content rule option was not backtracking correctly in some cases.

* src/snort.c: Fixed snort handling of PID files.

* tools/: u2openappid/u2openappid.c, u2spewfoo/u2spewfoo.c: Fixed usage info.

* src/dynamic-preprocessors/sip/: Makefile.am, sf_sip.dsp, sip_dialog.c, sip_parser.c, spp_sip.c: Added PAF support for TCP traffic.

* src/: log_text.c, log_text.h, output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c: Extended support for OpenAppId logging to cmg and console output loggers.

* src/dynamic-preprocessors/appid/service_plugins/service_ssl.c: Improved SSLv3 handling for OpenAppId.

2014-24-12 Victor Roemer Snort 2.9.7.2

* src/build.h: updating build number to 177

* src/preprocessors/Stream6/snort_stream_tcp.c: Resolved an issue where the inline normalization preprocessor incorrectly resized packets when 'preprocessor normalize_tcp: trim' was enabled.

* src/decode.c, src/encode.c: Added support for Cisco FabricPath decoding/encoding. Ensure flow_id is copied into the DAQ_PktHdr_t.

* src/snort.h, src/sfutil/sfrt.c, src/sfutil/sfrt.h, src/target-based/sftarget_reader.c: Moved ntohl conversion inside of the sfrt api for both IPv4 and IPv6.
* src/target-based/sftarget_protocol_reference.c: Lookup application protocol id only after the session is established. Assign application protocol id to the session when using host attribute table.

* src/util.c: Changes for suppressing configuration logging.

* src/file-process/file_service.c: Assign the file config to a file context prior to checking if HTTP continuation.

2014-10-10 Carter Waxman Snort 2.9.7.0

* src/build.h: updating build number to 149

* src/dynamic-preprocessors/appid/spp_appid.c: Fixed issue in which AppID would be disabled after a reload.

* configure.in: Added dependency for OpenSSL when building with --enable-openappid.

* doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex: Added documentation for the new Extended X-Forwarded-For capabilities.

* src/preprocessors/Stream6/snort_stream_tcp.c: Reused the TcpSessionCleanup logic to add a function to flush queued unacked segments.

2014-09-15 Joel Cornett Snort 2.9.7.0-rc

* src/build.h: updating build number to 147

* configure.in, src/sfdaq.c: Fixed C99 compliance issue with DAQ.

* src/preprocessors/: Stream6/snort_stream_tcp.c, spp_session.c: Improved stability of TCP session decoding.

* tools/u2streamer/u2streamer.c: Improved stability of u2streamer tool.

* src/snort.c: Fixed issue with daemonization mode. Thanks to Eugenio Perez for noting the issue and proposing a fix.

* src/: dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, preprocessor/Stream6/snort_stream_tcp.c, encode.c, encode.h, snort.c, snort.h: Added support to detect heartbleed attacks.

* build/dobuild.sh, rpm/README.build_rpms, rpm/generate-all-rpms, rpm/snort.spec, src/dynamic-preprocessors/appid/Makefile.am: Added OpenAppID to snort RPM.

* doc/: README.active, README.file_ips, INSTALL, snort_manual.tex: Updated documentation.

* doc/INSTALL: Added common configuration mistakes and fixes to INSTALL. Thanks to Bill Parker for the documentation.

* src/dynamic-preprocessors/ftptelnet/pp_ftp.c: Improved FTP traffic handling.

* src/dynamic-preprocessors/appid/detector_plugins: detector_http.c, detector_imap.c, detector_pop3.c: Improved stability of OpenAppID preprocessor parsing HTTP headers.

* src/: parser.c, snort.c, snort.h, util.c: Added a new option `--suppress-config-log` to Snort command line arguments. This option suppresses logging of configuration information to output.

* src/: active.c, active.h, preprocessors/Stream6/snort_stream_ip.c, preprocessors/Stream6/snort_stream_tcp.c, preprocessors/Stream6/snort_stream_udp.c: Fixed issue with blocklisting of flow traffic.

* src/preprocessors: spp_session.c, spp_stream6.c: Improved stability of Stream6 preprocessor.

* configure.in, src/dynamic-preprocessors/ftptelnet/ftpp_si.c, src/dynamic-preprocessors/ftptelnet/ftpp_si.h, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/imap/snort_imap.h, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/pop/snort_pop.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, src/dynamic-preprocessors/ssl_common/ssl_include.h, src/dynamic-preprocessors/ssl_common/ssl_inspect.c, src/dynamic-preprocessors/ssl_common/ssl_session.h, src/encode.c: Fixed encoding issue with DAQ packet headers.

* doc/README.ssl, doc/snort_manual.pdf, doc/snort_manual.tex, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/dynamic-preprocessors/ssl_common/ssl.c, src/dynamic-preprocessors/ssl_common/ssl.h, src/dynamic-preprocessors/ssl_common/ssl_config.c, src/dynamic-preprocessors/ssl_common/ssl_config.h, src/dynamic-preprocessors/ssl_common/ssl_inspect.c, src/dynamic-preprocessors/ssl_common/ssl_inspect.h, src/dynamic-preprocessors/ssl_common/ssl_session.h: Added support to detect heartbleed attacks.
* doc/snort_manual.tex, src/dynamic-examples/dynamic-rule/detection_lib_meta.h, src/dynamic-plugins/sf_dynamic_engine.h, src/dynamic-plugins/sf_dynamic_meta.h, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/preprocessors/Stream6/snort_stream_tcp.c, src/decode.c, src/decode.h, src/encode.c, src/parser.c, src/parser.h, src/snort.c, src/snort.h: Added a new config option `max_ip6_extensions` to change the maximum number of IPv6 extension headers decoded. Thanks to Antonio Atlasis for providing data to the ChangeLog.

* src/dynamic-preprocessors/modbus/: modbus_paf.h, modbus_roptions.c, spp_modbus.c: Improved traffic handling by modbus preprocessor.

* src/: dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/imap/spp_imap.c, dynamic-preprocessors/pop/spp_pop.c, dynamic-preprocessors/smtp/spp_smtp.c, dynamic-preprocessors/ssh/spp_ssh.c, preprocessors/spp_session.c: Fixed issue with stream configuration state changing across reloads. Thanks to Eugenio Perez for noting the issue.

* src/dynamic-preprocessors/appid/Makefile.am: Fixed compilation issue with OpenAppID on OpenBSD.

* src/plugbase.c: Improved implementation of plugin API.

* src: detection-plugins/sp_ftpbounce.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Improved stability of FTP preprocessor.

* configure.in, src/dynamic-preprocessors/appid/appIdConfig.c, src/dynamic-preprocessors/appid/appIdConfig.h, src/dynamic-preprocessors/appid/flow.h, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/fw_appid.h, src/dynamic-preprocessors/appid/luaDetectorApi.h: Fixed compilation issues with OpenAppID on Mac OS X.

* src/preprocessors/: perf-flow.c, spp_perfmonitor.c: Minimum flow-ip-memcap changed to 8200.

* src/sf_sdlist.c: Fixed implementation of `sf_sdlist`. Thanks to Yang Zhang for noting the issue.

* src/: preprocessors/Stream6/snort_stream_tcp.c, preprocessors/spp_frag3.c, preprocessors/spp_normalize.c, active.h, decode.c: Check checksum configuration as well as the na_policy_mode setting before dropping.

* src/preprocessors/snort_httpinspect.c: Improved handling in HTTPInspect preprocessor.

* src/sfutil/mpse.c: Fixed building snort with --disable-perfprofiling. Thanks to Yonatan Ben-David for noting the issue.

* src: encode.c, encode.h: Fixed ICMPv6 encoding issue.

* etc/snort.conf, src/detection-plugins/sp_file_type.c, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/ftptelnet/Makefile.am, src/dynamic-preprocessors/imap/Makefile.am, src/dynamic-preprocessors/pop/Makefile.am, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, src/dynamic-preprocessors/smtp/Makefile.am, src/dynamic-preprocessors/ssl/Makefile.am, src/preprocessors/Session/Makefile.am, src/win32/WIN32-Prj/sf_engine.dsp, src/win32/WIN32-Prj/snort.dsp, src/win32/WIN32-Prj/snort.dsw, src/win32/WIN32-Prj/snort_installer.nsi: Fixed Win32 and distcheck build issues.

* doc/OpenDetectorDeveloperGuide.docx, doc/OpenDetectorDeveloperGuide.pdf, src/dynamic-preprocessors/appid/Makefile.am, src/dynamic-preprocessors/appid/appInfoTable.c, src/dynamic-preprocessors/appid/detector_plugins/detector_http.c, src/dynamic-preprocessors/appid/detector_plugins/detector_http.h, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/httpCommon.h, src/dynamic-preprocessors/appid/luaDetectorApi.c, src/dynamic-preprocessors/appid/service_plugins/service_base.c, src/dynamic-preprocessors/appid/service_plugins/service_rtmp.c, src/dynamic-preprocessors/appid/service_plugins/service_rtmp.h: Added RTMP detector (w/ metadata) to OpenAppID and updated Lua API.
2014-06-04 Carter Waxman Snort 2.9.7.0.beta

* src/build.h: updating build number to 109

* src/: detection-plugins/sp_base64_decode.c, dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Use correct buffer size for base64 decoding. Fix the bounds check for the base64_decode rule. Thanks to Joshua for providing the patch.

* src/: detect.c, dynamic-preprocessors/reputation/spp_reputation.c, dynamic-preprocessors/reputation/shmem/shmem_config.h, dynamic-preprocessors/reputation/shmem/shmem_mgmt.c, preprocessors/session_api.h, preprocessors/spp_session.c: Improved reputation performance by only checking IPs once per session. Changed control socket to respond 0 when reloading empty IP reputation lists. Avoid registering reputation preprocessor when there are no IP lists.

* src/: active.c, fpdetect.c, dynamic-preprocessors/dcerpc2/dce2_smb.c, file-process/file_resume_block.c: Fixed build issue when configuring with --disable-active-response --disable-react --disable-flexresp3 (Reported by Jeremy Hoel).

* src/parser.c, src/preprocessors/Session/stream5_ha.c, src/preprocessors/Stream6/snort_stream_icmp.c, src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/Stream6/snort_stream_udp.c, src/preprocessors/spp_session.c: Fixed configuration parsing issues.

* src/: fpcreate.c, fpdetect.c: Fixed rule protocol mapping when using target-based detection.

* src/preprocessors/perf-base.c: Added field in now files for number of normalizers used.

* src/preprocessors/Stream6/snort_stream_tcp.c: Fix handling of data on SYN for Mac OSX reassembly.

* src/dynamic-plugins/sf_dynamic_plugins.c: Remove optional field check to improve compatibility for DragonFlyBSD. Thanks to Joshua Kinard for providing the patch.

* src/detect.c: Fixed AppID not correctly handling packets without sessions (Discovered by James Lay).

* src/preprocessors/snort_httpinspect.c: Fixed issue with HTTP session data handling (Discovered by James Lay).

* src/snort.c: Fixed parsing of custom rule types on reload.

* src/util.c: Fixed timestamp arithmetic error (Reported by David Turnbull).

* src/: sf_protocols.h, preprocessors/perf-base.c, preprocessors/perf-base.h, preprocessors/session_api.h, preprocessors/spp_session.c, preprocessors/spp_stream6.c, preprocessors/stream_api.h, preprocessors/Stream6/stream_common.c, preprocessors/Stream6/stream_common.h: Fixed IP protocol number type (Reported by Joshua Kinard).

* src/: strlcatu.h, strlcpyu.h: Wrap function signatures for strlcat/strlcpy. Thanks to James Golab for reporting the issue.

* doc/: snort_manual.pdf, snort_manual.tex: Typos fixed (Credit to Jenah J. Sigurdson).

* src/: encode.h, parser.c, dynamic-preprocessors/imap/imap_paf.c, dynamic-preprocessors/pop/pop_paf.c, dynamic-preprocessors/smtp/smtp_paf.c, file-process/file_mail_common.h, preprocessors/stream_api.h, preprocessors/Stream6/stream_paf.c: Fixed PAF flushing behavior when encountering gaps. paf_max now has a hard flush limit of ~64,000. Email protocols will flush within 1500 characters of paf_max.

* src/: dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, preprocessors/session_api.h, preprocessors/spp_rpc_decode.c, preprocessors/spp_session.c, preprocessors/Stream6/snort_stream_tcp.c: Changed flushing to use receiver's flush policy in all functions. Updated POP, IMAP, DNS, RPC, and SSL to use the correct directions. Added SSN_TO_SERVER(SSN_FROM_CLIENT) and SSN_TO_CLIENT(SSN_FROM_SERVER) to make code more readable (Discovered by John Enure).

* src/detection_util.c: Fixed Http buffer name initialization.

* src/preprocessors/HttpInspect/normalization/hi_norm.c: Fixed URI parsing and normalization.
* doc/README.file_ips, src/plugbase.c, src/rule_option_types.h, src/detection-plugins/Makefile.am, src/detection-plugins/detection_options.c, src/detection-plugins/sp_file_type.c, src/file-process/file_api.h, src/file-process/file_service.c, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_identifier.c, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h: Allow registration of the same file type callback. Harden file_type and file_group rule options. Fix file id to always use the matched file id. File identifier rule options 'type' and 'ver' no longer accept arbitrary ASCII characters as valid arguments, only permitting [A-Za-z0-9_.] characters. Snort's 'file_type' rule option now checks for trailing comma (,) and pipe (|) separators and other typo-like mistakes.

* configure.in, src/active.c, src/active.h, src/decode.c, src/detection-plugins/detection_options.c, src/detection-plugins/sp_replace.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/parser.c, src/parser.h, src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/normalize.c, src/preprocessors/normalize.h, src/preprocessors/perf-base.c, src/preprocessors/perf-base.h, src/preprocessors/spp_normalize.c, src/preprocessors/spp_normalize.h, src/preprocessors/spp_session.c, src/snort.c, src/snort.h: Added would-normalize normalization statistics for inline_test mode. Normalization behavior now enabled / configured using na_policy_mode. Fix typos in spp_normalize.c (Thanks to Gregory S Thomas for mentioning).

* doc/README.normalize, doc/snort_manual.pdf, doc/snort_manual.tex, src/preprocessors/normalize.c, src/preprocessors/perf-base.c, src/preprocessors/perf-base.h, src/preprocessors/spp_normalize.c, src/preprocessors/spp_normalize.h, src/preprocessors/Stream6/snort_stream_tcp.c: TCP normalization configurations have been split into more granular options. URP normalization is now ENABLED with the "urp" keyword instead of DISABLED. New performance monitor stats have been introduced for these changes.

* src/decode.h, src/detect.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/preprocessors/Session/session_expect.c, src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/spp_stream6.c, src/preprocessors/stream_api.h: Changed priority of ftp-telnet reassembly to improve performance. Process end of file data correctly for ftp data channel.

* etc/file_magic.conf, src/sfutil/sf_email_attach_decode.c: File type UUENCODED is now all caps. Set file data pointer correctly after UU decoding ends.

* src/: dynamic-preprocessors/imap/imap_config.c, dynamic-preprocessors/pop/pop_config.c, dynamic-preprocessors/smtp/smtp_config.c, file-process/file_mime_config.c, file-process/file_mime_config.h: +0 and -0 are no longer valid values for decoding depth.

* src/dynamic-preprocessors/dnp3/spp_dnp3.c: Validate DNP3 packets before processing.

* src/: snort.c, snort.h, sfutil/intel-soft-cpm.c, sfutil/intel-soft-cpm.h: Fixed issues during reload.
* configure.in, doc/README.http_inspect, doc/snort_manual.pdf, doc/snort_manual.tex, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/generators.h, src/preprocessors/HttpInspect/Makefile.am, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/files/Makefile.am, src/preprocessors/HttpInspect/files/file_decomp.c, src/preprocessors/HttpInspect/files/file_decomp_PDF.c, src/preprocessors/HttpInspect/files/file_decomp_SWF.c, src/preprocessors/HttpInspect/files/include/file_decomp.h, src/preprocessors/HttpInspect/files/include/file_decomp_PDF.h src/preprocessors/HttpInspect/include/Makefile.am, src/preprocessors/HttpInspect/include/file_decomp.h, src/preprocessors/HttpInspect/include/file_decomp_PDF.h, src/preprocessors/HttpInspect/include/file_decomp_SWF.h, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/include/hi_include.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/server/hi_server.cr, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_httpinspect.c, src/util.c: Added ability for HttpInspect to decompress DEFLATE and LZMA encoded SWF content and DEFLATE encoded pdf content. * src/preprocessors/spp_perfmonitor.c: Fixed race condition in perf montitor during reload. * src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/include/hi_client.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/user_interface/hi_ui_config.c, src/preprocessors/snort_httpinspect.c: Added Enhanced XFF support to HttpInspect. * src/profiler.c: Fixed duplicate profiler entries when using multiple policies. 
* configure.in, src/Makefile.am, src/dump.c, src/dump.h, src/snort.c, src/control/sfcontrol.h, tools/control/Makefile.am, tools/control/README.snort_dump_packets_control, tools/control/sfcontrol.c, tools/control/snort_dump_packets.c: Added control socket command to dump packets.
* src/: preprocessors/snort_httpinspect.c, preprocessors/snort_httpinspect.h, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/include/hi_ui_config.h, preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h, preprocessors/HttpInspect/session_inspection/hi_si.c, preprocessors/HttpInspect/user_interface/hi_ui_config.c, preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c, sfutil/util_jsnorm.c, sfutil/util_jsnorm.h: Removed dead max_pipeline and inspection_type configurations. Improved memory efficiency of unicode->ascii map. Expanded possible number of preprocessor alerts for HttpInspect from 31 to 63.
* src/dynamic-preprocessors/sdf/sdf_pattern_match.c: Fixed FindPiiRecursively to better handle partial matches.
* src/dynamic-preprocessors/sip/sip_parser.c: Fixed handling SDP when caller and callee have identical session ids.
* src/: dynamic-preprocessors/Makefile.am, dynamic-preprocessors/sip/sip_config.h, dynamic-preprocessors/sip/sip_dialog.c, dynamic-preprocessors/sip/spp_sip.h, preprocessors/Makefile.am, preprocessors/sip_common.h, preprocessors/spp_stream6.c, preprocessors/stream_api.h: Support better SIP parsing and call handling.
* Makefile.am, configure.in, doc/Makefile.am, doc/README, doc/README.frag3, doc/USAGE, doc/WISHLIST, doc/snort_manual.tex, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-preprocessors/ftptelnet/ftpp_si.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/ssl_common/ssl_config.c, dynamic-preprocessors/ssl_common/ssl_include.h, dynamic-preprocessors/ssl_common/ssl_inspect.c, etc/Makefile.am, etc/gen-msg.map, libs/ssl_include.h, rpm/snort.spec, snort.8, src/Makefile.am, src/active.c, src/active.h, src/byte_extract.c, src/checksum.h, src/debug.c, src/decode.c, src/decode.h, src/detect.c, src/detect.h, src/detection-plugins/detection_options.c, src/detection-plugins/detection_options.h, src/detection-plugins/sp_asn1.c, src/detection-plugins/sp_asn1_detect.c, src/detection-plugins/sp_byte_check.c, src/detection-plugins/sp_byte_check.h, src/detection-plugins/sp_byte_jump.c, src/detection-plugins/sp_byte_jump.h, src/detection-plugins/sp_clientserver.c, src/detection-plugins/sp_clientserver.h, src/detection-plugins/sp_dsize_check.c, src/detection-plugins/sp_dsize_check.h, src/detection-plugins/sp_flowbits.c, src/detection-plugins/sp_flowbits.h, src/detection-plugins/sp_ftpbounce.c, src/detection-plugins/sp_ftpbounce.h, src/detection-plugins/sp_icmp_code_check.c, src/detection-plugins/sp_icmp_code_check.h, src/detection-plugins/sp_icmp_id_check.c, src/detection-plugins/sp_icmp_id_check.h, src/detection-plugins/sp_icmp_seq_check.c, src/detection-plugins/sp_icmp_seq_check.h, src/detection-plugins/sp_icmp_type_check.c, src/detection-plugins/sp_icmp_type_check.h, src/detection-plugins/sp_ip_fragbits.c, src/detection-plugins/sp_ip_fragbits.h, src/detection-plugins/sp_ip_id_check.c, src/detection-plugins/sp_ip_id_check.h, src/detection-plugins/sp_ip_proto.c, src/detection-plugins/sp_ip_proto.h, 
src/detection-plugins/sp_ip_same_check.c, src/detection-plugins/sp_ip_same_check.h, src/detection-plugins/sp_ip_tos_check.c, src/detection-plugins/sp_ip_tos_check.h, src/detection-plugins/sp_ipoption_check.c, src/detection-plugins/sp_ipoption_check.h, src/detection-plugins/sp_isdataat.c, src/detection-plugins/sp_isdataat.h, src/detection-plugins/sp_pattern_match.c, src/detection-plugins/sp_pattern_match.h, src/detection-plugins/sp_pcre.c, src/detection-plugins/sp_react.c, src/detection-plugins/sp_react.h, src/detection-plugins/sp_replace.c, src/detection-plugins/sp_replace.h, src/detection-plugins/sp_respond.h, src/detection-plugins/sp_respond3.c, src/detection-plugins/sp_rpc_check.c, src/detection-plugins/sp_rpc_check.h, src/detection-plugins/sp_session.c, src/detection-plugins/sp_session.h, src/detection-plugins/sp_tcp_ack_check.c, src/detection-plugins/sp_tcp_ack_check.h, src/detection-plugins/sp_tcp_flag_check.c, src/detection-plugins/sp_tcp_flag_check.h, src/detection-plugins/sp_tcp_seq_check.c, src/detection-plugins/sp_tcp_seq_check.h, src/detection-plugins/sp_tcp_win_check.c, src/detection-plugins/sp_tcp_win_check.h, src/detection-plugins/sp_ttl_check.c, src/detection-plugins/sp_ttl_check.h, src/detection_filter.c, src/detection_filter.h, src/detection_util.c, src/detection_util.h, src/dynamic-examples/Makefile.am, src/dynamic-plugins/sf_convert_dynamic.c, src/dynamic-plugins/sf_convert_dynamic.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c, src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h, src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.c, src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.h, src/dynamic-plugins/sf_src/dynamic_plugins.c, src/dynamic-plugins/sf_src/dynamic_preprocessor.h, src/dynamic-plugins/sp_dynamic.c, src/dynamic-plugins/sp_dynamic.h, src/dynamic-plugins/sp_preprocopt.c, src/dynamic-plugins/sp_preprocopt.h, 
src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/ftptelnet/Makefile.am, src/dynamic-preprocessors/ftptelnet/ftpp_si.c, src/dynamic-preprocessors/ftptelnet/ftpp_si.h, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/ftptelnet/pp_telnet.c, src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/imap/Makefile.am, src/dynamic-preprocessors/imap/imap_config.c, src/dynamic-preprocessors/imap/imap_config.h, src/dynamic-preprocessors/imap/imap_log.c, src/dynamic-preprocessors/imap/imap_log.h, src/dynamic-preprocessors/imap/imap_util.c, src/dynamic-preprocessors/imap/imap_util.h, src/dynamic-preprocessors/imap/sf_imap.dsp, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/imap/snort_imap.h, src/dynamic-preprocessors/imap/spp_imap.c, src/dynamic-preprocessors/imap/spp_imap.h, src/dynamic-preprocessors/libs/Makefile.am, src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp, src/dynamic-preprocessors/libs/ssl.c, src/dynamic-preprocessors/libs/ssl.h, src/dynamic-preprocessors/libs/ssl_include.h, src/dynamic-preprocessors/pop/Makefile.am, src/dynamic-preprocessors/pop/pop_config.c, src/dynamic-preprocessors/pop/pop_config.h, src/dynamic-preprocessors/pop/pop_log.c, src/dynamic-preprocessors/pop/pop_log.h, src/dynamic-preprocessors/pop/pop_util.c, src/dynamic-preprocessors/pop/pop_util.h, src/dynamic-preprocessors/pop/sf_pop.dsp, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/pop/snort_pop.h, src/dynamic-preprocessors/pop/spp_pop.c, src/dynamic-preprocessors/pop/spp_pop.h, src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c, src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h, src/dynamic-preprocessors/reputation/shmem/shmem_common.h, src/dynamic-preprocessors/reputation/shmem/shmem_config.c, src/dynamic-preprocessors/reputation/shmem/shmem_config.h, 
src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h, src/dynamic-preprocessors/reputation/shmem/shmem_lib.c, src/dynamic-preprocessors/reputation/shmem/shmem_lib.h, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, src/dynamic-preprocessors/sip/sf_sip.dsp, src/dynamic-preprocessors/smtp/Makefile.am, src/dynamic-preprocessors/smtp/sf_smtp.dsp, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, src/dynamic-preprocessors/ssl/Makefile.am, src/dynamic-preprocessors/ssl/sf_ssl.dsp, src/dynamic-preprocessors/ssl_common/ssl.c, src/dynamic-preprocessors/ssl_common/ssl.h, src/dynamic-preprocessors/ssl_common/ssl_config.c, src/dynamic-preprocessors/ssl_common/ssl_config.h, src/dynamic-preprocessors/ssl_common/ssl_ha.c, src/dynamic-preprocessors/ssl_common/ssl_ha.h, src/dynamic-preprocessors/ssl_common/ssl_include.h, src/dynamic-preprocessors/ssl_common/ssl_inspect.c, src/dynamic-preprocessors/ssl_common/ssl_inspect.h, src/dynamic-preprocessors/ssl_common/ssl_session.h, src/encode.c, src/encode.h, src/event.h, src/event_queue.c, src/event_wrapper.c, src/fpcreate.c, src/fpcreate.h, src/fpdetect.c, src/fpdetect.h, src/generators.h, src/hashstring.c, src/hashstring.h, src/idle_processing.c, src/log.c, src/log.h, src/log_text.c, src/mempool.c, src/mempool.h, src/mstring.c, src/mstring.h, src/output-plugins/spo_alert_fast.c, src/output-plugins/spo_alert_fast.h, src/output-plugins/spo_alert_full.c, src/output-plugins/spo_alert_full.h, src/output-plugins/spo_alert_sf_socket.c, src/output-plugins/spo_alert_syslog.c, src/output-plugins/spo_alert_syslog.h, src/output-plugins/spo_alert_test.c, src/output-plugins/spo_alert_test.h, src/output-plugins/spo_alert_unixsock.c, src/output-plugins/spo_alert_unixsock.h, src/output-plugins/spo_csv.c, 
src/output-plugins/spo_csv.h, src/output-plugins/spo_log_ascii.c, src/output-plugins/spo_log_ascii.h, src/output-plugins/spo_log_null.c, src/output-plugins/spo_log_null.h, src/output-plugins/spo_log_tcpdump.c, src/output-plugins/spo_log_tcpdump.h, src/output-plugins/spo_unified2.h, src/packet_time.c, src/parser.c, src/parser.h, src/parser/IpAddrSet.c, src/parser/IpAddrSet.h, src/pcrm.c, src/pcrm.h, src/plugbase.c, src/plugbase.h, src/plugin_enum.h, src/ppm.c, src/preprocessors/HttpInspect/include/hi_client.h, src/preprocessors/HttpInspect/include/hi_paf.h, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/Session/stream5_ha.c, src/preprocessors/normalize.c, src/preprocessors/normalize.h, src/preprocessors/perf-base.c, src/preprocessors/perf-base.h, src/preprocessors/perf-event.c, src/preprocessors/perf-event.h, src/preprocessors/perf-flow.c, src/preprocessors/perf-flow.h, src/preprocessors/perf.c, src/preprocessors/perf.h, src/preprocessors/session_api.h src/preprocessors/sfprocpidstats.c, src/preprocessors/sfprocpidstats.h, src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_arpspoof.h, src/preprocessors/spp_bo.c, src/preprocessors/spp_bo.h, src/preprocessors/spp_frag3.c, src/preprocessors/spp_frag3.h, src/preprocessors/spp_normalize.c, src/preprocessors/spp_normalize.h, src/preprocessors/spp_perfmonitor.c, src/preprocessors/spp_perfmonitor.h, src/preprocessors/spp_rpc_decode.c, src/preprocessors/spp_rpc_decode.h, src/preprocessors/spp_session.c, src/preprocessors/spp_stream5.c, src/preprocessors/spp_stream5.h, src/preprocessors/stream_api.c, src/preprocessors/stream_api.h, src/preprocessors/stream_expect.c, src/preprocessors/stream_expect.h, src/profiler.c, src/profiler.h, src/rate_filter.c, src/rate_filter.h, src/rules.h, src/sf_protocols.h, src/sf_sdlist.c, src/sf_sdlist.h, src/sf_sdlist_types.h, src/sfdaq.c, src/sfdaq.h, src/sfthreshold.c, src/sfutil/acsmx.c, src/sfutil/acsmx.h, src/sfutil/acsmx2.c, src/sfutil/bitop.h, 
src/sfutil/bitop_funcs.h, src/sfutil/getopt.h, src/sfutil/mpse.c, src/sfutil/mpse.h, src/sfutil/sf_email_attach_decode.c, src/sfutil/sf_email_attach_decode.h, src/sfutil/sf_ip.c, src/sfutil/sf_iph.c, src/sfutil/sf_sechash.c, src/sfutil/sf_sechash.h, src/sfutil/sha2.h, src/sfutil/util_jsnorm.c, src/sfutil/util_jsnorm.h, src/sfutil/util_unfold.c, src/sfutil/util_unfold.h, src/signature.h, src/snort.c, src/snort.h, src/snort_debug.h, src/spo_plugbase.h, src/tag.c, src/tag.h, src/util.c, src/util.h, src/win32/WIN32-Code/getopt.c, src/win32/WIN32-Code/inet_aton.c, src/win32/WIN32-Code/misc.c, src/win32/WIN32-Includes/config.h, src/win32/WIN32-Includes/getopt.h, src/win32/WIN32-Prj/snort_installer.nsi, ssl/ssl_setup.c, tools/control/sfcontrol.c: Refactor SSL code to make a library for state processing across non-native protocols that use SSL via STARTTLS. Update IMAP/POP/FTP/SSL preprocessors to use new SSL library, and activation of PAF for those protocols. Add ability to share basic state for SSL. 
* configure.in, doc/README.session, doc/README.stream5, doc/snort_manual.pdf, doc/snort_manual.tex, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/gtp/spp_gtp.c, dynamic-preprocessors/imap/spp_imap.c, dynamic-preprocessors/modbus/spp_modbus.c, dynamic-preprocessors/pop/spp_pop.c, dynamic-preprocessors/sip/spp_sip.c, dynamic-preprocessors/smtp/spp_smtp.c, dynamic-preprocessors/ssh/spp_ssh.c, etc/sf_rule_options, preprocessors/Session/session_common.c, preprocessors/Session/session_common.h, preprocessors/Session/session_expect.c, preprocessors/Stream6/snort_stream_ip.c, preprocessors/Stream6/snort_stream_tcp.c, preprocessors/Stream6/snort_stream_tcp.h, preprocessors/Stream6/snort_stream_udp.c, preprocessors/Stream6/stream_common.h, preprocessors/session_api.h, preprocessors/snort_httpinspect.c, preprocessors/spp_rpc_decode.c, preprocessors/spp_session.c, preprocessors/spp_stream6.c, preprocessors/stream_api.h, preprocids.h, src/Makefile.am, src/active.c, src/active.h, src/build.h, src/detect.c, src/detect.h, src/detection-plugins/Makefile.am, src/detection-plugins/sp_clientserver.c, src/detection-plugins/sp_flowbits.c, src/detection-plugins/sp_pattern_match.c, src/detection-plugins/sp_pattern_match.h, src/dynamic-examples/Makefile.am, src/dynamic-examples/dynamic-preprocessor/spp_example.c, src/dynamic-output/plugins/output_lib.h, src/dynamic-output/plugins/output_plugin.c, src/dynamic-plugins/sf_convert_dynamic.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h, src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c, src/dynamic-plugins/sp_preprocopt.c, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/dcerpc2/dce2_cl.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c, 
src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/dcerpc2/dce2_paf.c, src/dynamic-preprocessors/dcerpc2/dce2_roptions.c, src/dynamic-preprocessors/dcerpc2/dce2_session.h, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dnp3/dnp3_roptions.c, src/dynamic-preprocessors/dnp3/spp_dnp3.c, src/dynamic-preprocessors/dnp3/spp_dnp3.h, src/dynamic-preprocessors/dns/spp_dns.c, src/dynamic-preprocessors/dns/spp_dns.h, src/dynamic-preprocessors/file/file_agent.c, src/dynamic-preprocessors/file/file_event_log.c, src/dynamic-preprocessors/file/spp_file.c, src/dynamic-preprocessors/ftptelnet/ftpp_si.c, src/dynamic-preprocessors/ftptelnet/ftpp_si.h, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/ftptelnet/pp_telnet.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, src/dynamic-preprocessors/gtp/gtp_roptions.c, src/dynamic-preprocessors/gtp/spp_gtp.c, src/dynamic-preprocessors/imap/imap_config.c, src/dynamic-preprocessors/imap/imap_config.h, src/dynamic-preprocessors/imap/sf_imap.dsp, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/imap/snort_imap.h, src/dynamic-preprocessors/imap/spp_imap.c, src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp, src/dynamic-preprocessors/modbus/modbus_decode.c, src/dynamic-preprocessors/modbus/modbus_roptions.c, src/dynamic-preprocessors/modbus/spp_modbus.c, src/dynamic-preprocessors/modbus/spp_modbus.h, src/dynamic-preprocessors/pop/pop_config.c, src/dynamic-preprocessors/pop/pop_config.h, src/dynamic-preprocessors/pop/pop_util.c, src/dynamic-preprocessors/pop/sf_pop.dsp, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/pop/snort_pop.h, src/dynamic-preprocessors/pop/spp_pop.c, 
src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/sdf/spp_sdf.c, src/dynamic-preprocessors/sip/sip_dialog.c, src/dynamic-preprocessors/sip/sip_roptions.c, src/dynamic-preprocessors/sip/spp_sip.c, src/dynamic-preprocessors/smtp/sf_smtp.dsp, src/dynamic-preprocessors/smtp/smtp_config.c, src/dynamic-preprocessors/smtp/smtp_config.h, src/dynamic-preprocessors/smtp/smtp_util.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/spp_smtp.c, src/dynamic-preprocessors/ssh/spp_ssh.c, src/encode.c, src/encode.h, src/event_queue.c, src/event_wrapper.c, src/file-process/file_api.h, src/file-process/file_mime_process.c, src/file-process/file_mime_process.h, src/file-process/file_service.c, src/file-process/file_stats.c, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/fpcreate.c, src/fpdetect.c, src/generators.h, src/parser.c, src/parser.h, src/plugbase.c, src/plugbase.h, src/ppm.c, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/session_inspection/hi_si.c, src/preprocessors/Makefile.am, src/preprocessors/Session/Makefile.am, src/preprocessors/Session/session_common.c, src/preprocessors/Session/session_common.h, src/preprocessors/Session/session_expect.c, src/preprocessors/Session/session_expect.h, src/preprocessors/Session/snort_session.c, src/preprocessors/Session/snort_session.h, src/preprocessors/Session/stream5_ha.c, src/preprocessors/Session/stream5_ha.h, src/preprocessors/Stream6/Makefile.am, src/preprocessors/Stream6/snort_stream_icmp.c, src/preprocessors/Stream6/snort_stream_icmp.h, src/preprocessors/Stream6/snort_stream_ip.c, src/preprocessors/Stream6/snort_stream_ip.h, src/preprocessors/Stream6/snort_stream_tcp.c, src/preprocessors/Stream6/snort_stream_tcp.h, src/preprocessors/Stream6/snort_stream_udp.c, src/preprocessors/Stream6/snort_stream_udp.h, src/preprocessors/Stream6/stream_common.c, src/preprocessors/Stream6/stream_common.h, 
src/preprocessors/Stream6/stream_paf.c, src/preprocessors/Stream6/stream_paf.h, src/preprocessors/perf-base.c, src/preprocessors/portscan.c, src/preprocessors/session_api.c, src/preprocessors/session_api.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_bo.c, src/preprocessors/spp_frag3.c, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_normalize.c, src/preprocessors/spp_perfmonitor.c, src/preprocessors/spp_rpc_decode.c, src/preprocessors/spp_session.c, src/preprocessors/spp_session.h, src/preprocessors/spp_sfportscan.c, src/preprocessors/spp_stream5.c, src/preprocessors/spp_stream5.h, src/preprocessors/spp_stream6.c, src/preprocessors/spp_stream6.h, src/preprocessors/stream_api.h, src/preprocessors/stream_expect.c, src/preprocessors/stream_expect.h, src/preprocids.h, src/sf_sdlist.c, src/sf_sdlist.h, src/sfdaq.c, src/sfdaq.h, src/sfutil/sfPolicy.c, src/sfutil/sfPolicy.h, src/sfutil/sfPolicyData.h, src/sfutil/sfPolicyUserData.h, src/sfutil/sf_email_attach_decode.h, src/sfutil/sfrf.c, src/sfutil/sfthd.c, src/sfutil/test/sf_ip_test.c, src/snort.c, src/snort.h, src/target-based/sftarget_protocol_reference.c, src/target-based/sftarget_reader.c, src/target-based/sftarget_reader.h, src/util.c, src/win32/WIN32-Prj/snort.dsp, tools/Makefile.a: Split the session tracking and reassembly functionality of Stream5 into new Session and Stream preprocessors. 
* configure.in, doc/INSTALL, doc/Makefile.am, doc/README.appid, doc/snort_manual.tex, src/detect.c, src/detection-plugins/Makefile.am, src/detection-plugins/detection_options.c, src/detection-plugins/sp_appid.c, src/detection-plugins/sp_appid.h src/dynamic-plugins/sf_dynamic_common.h, src/dynamic-plugins/sf_dynamic_define.h, src/dynamic-plugins/sf_dynamic_meta.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-plugins/sf_engine/Makefile.am, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-preprocessors/Makefile.am src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/appid/Makefile.am, src/dynamic-preprocessors/appid/appId.h, src/dynamic-preprocessors/appid/appIdConfig.c, src/dynamic-preprocessors/appid/appIdConfig.h, src/dynamic-preprocessors/appid/appIdStats.c, src/dynamic-preprocessors/appid/appIdStats.h, src/dynamic-preprocessors/appid/appInfoTable.c, src/dynamic-preprocessors/appid/appInfoTable.h, src/dynamic-preprocessors/appid/attribute.h, src/dynamic-preprocessors/appid/client_plugins/Makefile.am, src/dynamic-preprocessors/appid/client_plugins/client_app_aim.c, src/dynamic-preprocessors/appid/client_plugins/client_app_aim.h, src/dynamic-preprocessors/appid/client_plugins/client_app_api.h, src/dynamic-preprocessors/appid/client_plugins/client_app_base.c, src/dynamic-preprocessors/appid/client_plugins/client_app_base.h, src/dynamic-preprocessors/appid/client_plugins/client_app_bit.c, src/dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c, src/dynamic-preprocessors/appid/client_plugins/client_app_msn.c, src/dynamic-preprocessors/appid/client_plugins/client_app_msn.h, src/dynamic-preprocessors/appid/client_plugins/client_app_rtp.c, src/dynamic-preprocessors/appid/client_plugins/client_app_sip.c, src/dynamic-preprocessors/appid/client_plugins/client_app_sip.h, src/dynamic-preprocessors/appid/client_plugins/client_app_smtp.c, 
src/dynamic-preprocessors/appid/client_plugins/client_app_smtp.h, src/dynamic-preprocessors/appid/client_plugins/client_app_ssh.c, src/dynamic-preprocessors/appid/client_plugins/client_app_template.c, src/dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c, src/dynamic-preprocessors/appid/client_plugins/client_app_tns.c, src/dynamic-preprocessors/appid/client_plugins/client_app_vnc.c, src/dynamic-preprocessors/appid/client_plugins/client_app_ym.c, src/dynamic-preprocessors/appid/client_plugins/client_app_ym.h, src/dynamic-preprocessors/appid/commonAppMatcher.c, src/dynamic-preprocessors/appid/commonAppMatcher.h, src/dynamic-preprocessors/appid/detector_plugins/Makefile.am, src/dynamic-preprocessors/appid/detector_plugins/detector_api.h, src/dynamic-preprocessors/appid/detector_plugins/detector_base.c, src/dynamic-preprocessors/appid/detector_plugins/detector_base.h, src/dynamic-preprocessors/appid/detector_plugins/detector_http.c, src/dynamic-preprocessors/appid/detector_plugins/detector_http.h, src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c, src/dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c, src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c, src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c, src/dynamic-preprocessors/appid/detector_plugins/detector_sip.h, src/dynamic-preprocessors/appid/detector_plugins/http_url_patterns.c, src/dynamic-preprocessors/appid/detector_plugins/http_url_patterns.h, src/dynamic-preprocessors/appid/diffScript.sh, src/dynamic-preprocessors/appid/doxy_api.c, src/dynamic-preprocessors/appid/flow.c, src/dynamic-preprocessors/appid/flow.h, src/dynamic-preprocessors/appid/flow_error.h, src/dynamic-preprocessors/appid/fw_appid.c, src/dynamic-preprocessors/appid/fw_appid.h, src/dynamic-preprocessors/appid/hostPortAppCache.c, src/dynamic-preprocessors/appid/hostPortAppCache.h, src/dynamic-preprocessors/appid/host_tracker.h, src/dynamic-preprocessors/appid/httpCommon.h, 
src/dynamic-preprocessors/appid/luaDetectorApi.c, src/dynamic-preprocessors/appid/luaDetectorApi.h, src/dynamic-preprocessors/appid/luaDetectorFlowApi.c, src/dynamic-preprocessors/appid/luaDetectorFlowApi.h, src/dynamic-preprocessors/appid/luaDetectorModule.c, src/dynamic-preprocessors/appid/luaDetectorModule.h, src/dynamic-preprocessors/appid/rna_flow.h, src/dynamic-preprocessors/appid/service_plugins/Makefile.am, src/dynamic-preprocessors/appid/service_plugins/dcerpc.c, src/dynamic-preprocessors/appid/service_plugins/dcerpc.h, src/dynamic-preprocessors/appid/service_plugins/service_MDNS.c, src/dynamic-preprocessors/appid/service_plugins/service_MDNS.h, src/dynamic-preprocessors/appid/service_plugins/service_api.h, src/dynamic-preprocessors/appid/service_plugins/service_base.c, src/dynamic-preprocessors/appid/service_plugins/service_base.h, src/dynamic-preprocessors/appid/service_plugins/service_battle_field.c, src/dynamic-preprocessors/appid/service_plugins/service_battle_field.h, src/dynamic-preprocessors/appid/service_plugins/service_bgp.c, src/dynamic-preprocessors/appid/service_plugins/service_bgp.h, src/dynamic-preprocessors/appid/service_plugins/service_bit.c, src/dynamic-preprocessors/appid/service_plugins/service_bootp.c, src/dynamic-preprocessors/appid/service_plugins/service_bootp.h, src/dynamic-preprocessors/appid/service_plugins/service_dcerpc.c, src/dynamic-preprocessors/appid/service_plugins/service_dcerpc.h, src/dynamic-preprocessors/appid/service_plugins/service_direct_connect.c, src/dynamic-preprocessors/appid/service_plugins/service_direct_connect.h, src/dynamic-preprocessors/appid/service_plugins/service_dns.c, src/dynamic-preprocessors/appid/service_plugins/service_dns.h, src/dynamic-preprocessors/appid/service_plugins/service_flap.c, src/dynamic-preprocessors/appid/service_plugins/service_flap.h, src/dynamic-preprocessors/appid/service_plugins/service_ftp.c, src/dynamic-preprocessors/appid/service_plugins/service_ftp.h, 
src/dynamic-preprocessors/appid/service_plugins/service_irc.c, src/dynamic-preprocessors/appid/service_plugins/service_irc.h, src/dynamic-preprocessors/appid/service_plugins/service_lpr.c, src/dynamic-preprocessors/appid/service_plugins/service_lpr.h, src/dynamic-preprocessors/appid/service_plugins/service_mysql.c, src/dynamic-preprocessors/appid/service_plugins/service_mysql.h, src/dynamic-preprocessors/appid/service_plugins/service_netbios.c, src/dynamic-preprocessors/appid/service_plugins/service_netbios.h, src/dynamic-preprocessors/appid/service_plugins/service_nntp.c, src/dynamic-preprocessors/appid/service_plugins/service_nntp.h, src/dynamic-preprocessors/appid/service_plugins/service_ntp.c, src/dynamic-preprocessors/appid/service_plugins/service_ntp.h, src/dynamic-preprocessors/appid/service_plugins/service_pattern.c, src/dynamic-preprocessors/appid/service_plugins/service_pattern.h, src/dynamic-preprocessors/appid/service_plugins/service_radius.c, src/dynamic-preprocessors/appid/service_plugins/service_radius.h, src/dynamic-preprocessors/appid/service_plugins/service_rexec.c, src/dynamic-preprocessors/appid/service_plugins/service_rexec.h, src/dynamic-preprocessors/appid/service_plugins/service_rfb.c, src/dynamic-preprocessors/appid/service_plugins/service_rfb.h, src/dynamic-preprocessors/appid/service_plugins/service_rlogin.c, src/dynamic-preprocessors/appid/service_plugins/service_rlogin.h, src/dynamic-preprocessors/appid/service_plugins/service_rpc.c, src/dynamic-preprocessors/appid/service_plugins/service_rpc.h, src/dynamic-preprocessors/appid/service_plugins/service_rshell.c, src/dynamic-preprocessors/appid/service_plugins/service_rshell.h, src/dynamic-preprocessors/appid/service_plugins/service_rsync.c, src/dynamic-preprocessors/appid/service_plugins/service_rsync.h, src/dynamic-preprocessors/appid/service_plugins/service_sip.c, src/dynamic-preprocessors/appid/service_plugins/service_sip.h, 
src/dynamic-preprocessors/appid/service_plugins/service_smtp.c, src/dynamic-preprocessors/appid/service_plugins/service_smtp.h, src/dynamic-preprocessors/appid/service_plugins/service_snmp.c, src/dynamic-preprocessors/appid/service_plugins/service_snmp.h, src/dynamic-preprocessors/appid/service_plugins/service_ssh.c, src/dynamic-preprocessors/appid/service_plugins/service_ssh.h, src/dynamic-preprocessors/appid/service_plugins/service_ssl.c, src/dynamic-preprocessors/appid/service_plugins/service_ssl.h, src/dynamic-preprocessors/appid/service_plugins/service_telnet.c, src/dynamic-preprocessors/appid/service_plugins/service_telnet.h, src/dynamic-preprocessors/appid/service_plugins/service_template.c, src/dynamic-preprocessors/appid/service_plugins/service_tftp.c, src/dynamic-preprocessors/appid/service_plugins/service_tftp.h, src/dynamic-preprocessors/appid/service_plugins/service_timbuktu.c, src/dynamic-preprocessors/appid/service_plugins/service_tns.c, src/dynamic-preprocessors/appid/service_plugins/service_util.h, src/dynamic-preprocessors/appid/service_state.c, src/dynamic-preprocessors/appid/service_state.h, src/dynamic-preprocessors/appid/spp_appid.c, src/dynamic-preprocessors/appid/spp_appid.h, src/dynamic-preprocessors/appid/tools/u2openappid/Makefile.am, src/dynamic-preprocessors/appid/tools/u2streamer/Makefile.am, src/dynamic-preprocessors/appid/util/Makefile.am, src/dynamic-preprocessors/appid/util/OutputFile.c, src/dynamic-preprocessors/appid/util/OutputFile.h, src/dynamic-preprocessors/appid/util/acsmx.c, src/dynamic-preprocessors/appid/util/acsmx.h, src/dynamic-preprocessors/appid/util/acsmx2.c, src/dynamic-preprocessors/appid/util/acsmx2.h, src/dynamic-preprocessors/appid/util/bnfa_search.c, src/dynamic-preprocessors/appid/util/bnfa_search.h, src/dynamic-preprocessors/appid/util/common_util.h, src/dynamic-preprocessors/appid/util/fw_avltree.c, src/dynamic-preprocessors/appid/util/fw_avltree.h, src/dynamic-preprocessors/appid/util/ip_funcs.h, 
src/dynamic-preprocessors/appid/util/mpse.c, src/dynamic-preprocessors/appid/util/mpse.h, src/dynamic-preprocessors/appid/util/sf_error.h, src/dynamic-preprocessors/appid/util/sf_mlmp.c, src/dynamic-preprocessors/appid/util/sf_mlmp.h, src/dynamic-preprocessors/appid/util/sf_multi_mpse.c, src/dynamic-preprocessors/appid/util/sf_multi_mpse.h, src/dynamic-preprocessors/appid/util/sfghash.c, src/dynamic-preprocessors/appid/util/sfghash.h, src/dynamic-preprocessors/appid/util/sfhashfcn.c, src/dynamic-preprocessors/appid/util/sfhashfcn.h, src/dynamic-preprocessors/appid/util/sfksearch.c, src/dynamic-preprocessors/appid/util/sfksearch.h, src/dynamic-preprocessors/appid/util/sflsq.c, src/dynamic-preprocessors/appid/util/sflsq.h, src/dynamic-preprocessors/appid/util/sfmemcap.c, src/dynamic-preprocessors/appid/util/sfmemcap.h, src/dynamic-preprocessors/appid/util/sfutil.c, src/dynamic-preprocessors/appid/util/sfutil.h, src/dynamic-preprocessors/appid/util/sfxhash.c, src/dynamic-preprocessors/appid/util/sfxhash.h, src/dynamic-preprocessors/file/file_agent.c, src/dynamic-preprocessors/imap/spp_imap.c, src/event.h, src/event_wrapper.c, src/file-process/file_service.c, src/file-process/file_stats.c, src/file-process/file_stats.h, src/log.c, src/log.h, src/output-plugins/spo_alert_unixsock.c, src/output-plugins/spo_unified2.c, src/plugbase.c, src/plugin_enum.h, src/ppm.c, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/include/hi_client.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/include/hi_util.h, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/perf-base.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_sfportscan.c, src/preprocessors/spp_stream5.c, src/preprocessors/str_search.c, src/preprocessors/str_search.h, src/preprocessors/stream_api.h, src/preprocids.h, src/rule_option_types.h, src/sf_protocols.h, src/sfutil/Makefile.am, 
src/sfutil/Unified2_common.h, src/sfutil/acsmx.c, src/sfutil/acsmx2.c, src/sfutil/bnfa_search.c, src/sfutil/mpse.c, src/sfutil/mpse.h, src/sfutil/mpse_methods.h, src/sfutil/sfPolicy.h, src/sfutil/sf_ip.h, src/sfutil/sfdebug.h, src/sfutil/sfghash.c, src/sfutil/sfghash.h, src/sfutil/sfhashfcn.c, src/sfutil/sfksearch.c, src/sfutil/sflsq.c, src/sfutil/sflsq.h, src/sfutil/sfmemcap.c, src/sfutil/sfrt.h, src/sfutil/sfxhash.c, src/sfutil/sfxhash.h, src/signature.h, src/snort.c, src/snort.h, src/snort_debug.h, src/tag.c, src/target-based/sftarget_protocol_reference.c, src/target-based/sftarget_protocol_reference.h, src/util.c, tools/Makefile.am, tools/file_server/file_server.c, tools/u2openappid/Makefile.am, tools/u2openappid/u2openappid.c, tools/u2spewfoo/u2spewfoo.c, tools/u2streamer/Makefile.am, tools/u2streamer/SpoolFileIterator.c, tools/u2streamer/SpoolFileIterator.h, tools/u2streamer/TimestampedFile.c, tools/u2streamer/TimestampedFile.h, tools/u2streamer/Unified2.c, tools/u2streamer/Unified2.h, tools/u2streamer/Unified2File.c, tools/u2streamer/Unified2File.h, tools/u2streamer/UnifiedLog.c, tools/u2streamer/UnifiedLog.h, tools/u2streamer/sf_error.c, tools/u2streamer/sf_error.h, src/dynamic-preprocessors/appid/util/common_util.c, tools/u2streamer/u2streamer.c: Improved support for AppID preprocessor. Removed Lua dependency in favor of LuaJIT. Fixed appid with Lua/LuaBitOp (no LuaJIT) and added FreeBSD support. Fixed OpenBSD and FreeBSD openAppId support. Removed support for Lua. Added metadata extraction to SSL for AppID. Changed some Lua API names. Refactored to use common data structures. Fixed return value checks for fseek(), strdup(), malloc(), and stat() and removed deprecated library calls (Thanks to Bill Parker for reporting the issues).
2014-02-21 Steven Sturges
* configure.in, src/detect.c, src/event.h, src/event_wrapper.c, src/log.c, src/log.h, src/plugbase.c, src/plugin_enum.h, src/ppm.c, src/preprocids.h, src/rule_option_types.h, src/sf_protocols.h, src/signature.h, src/snort.c, src/snort.h, src/snort_debug.h, src/tag.c, src/detection-plugins/Makefile.am, src/detection-plugins/detection_options.c, src/dynamic-plugins/sf_dynamic_common.h, src/dynamic-plugins/sf_dynamic_define.h, src/dynamic-plugins/sf_dynamic_meta.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-plugins/sf_engine/Makefile.am, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-preprocessors/Makefile.am, src/output-plugins/spo_alert_unixsock.c, src/output-plugins/spo_unified2.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_sfportscan.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/include/hi_client.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/include/hi_util.h, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/Stream5/stream5_common.h, src/sfutil/Unified2_common.h, src/sfutil/sfPolicy.h, src/sfutil/sf_ip.h, src/sfutil/sfrt.h, src/target-based/sftarget_protocol_reference.c, src/target-based/sftarget_protocol_reference.h, tools/Makefile.am, tools/u2spewfoo/u2spewfoo.c, tools/: Makefile.am, u2spewfoo/u2spewfoo.c, u2openappid/Makefile.am, u2openappid/u2openappid.c, u2streamer/Makefile.am, u2streamer/SpoolFileIterator.c, u2streamer/SpoolFileIterator.h, u2streamer/TimestampedFile.c, u2streamer/TimestampedFile.h, u2streamer/Unified2.c, u2streamer/Unified2.h, u2streamer/Unified2File.c, u2streamer/Unified2File.h, u2streamer/UnifiedLog.c, u2streamer/UnifiedLog.h, u2streamer/sf_error.c, u2streamer/sf_error.h, u2streamer/u2streamer.c, src/dynamic-preprocessors/appid/:
Makefile.am, appId.h, appIdConfig.c, appIdConfig.h, appIdStats.c, appIdStats.h, appInfoTable.c, appInfoTable.h, attribute.h, commonAppMatcher.c, commonAppMatcher.h, diffScript.sh, doxy_api.c, flow.c, flow.h, flow_error.h, fw_appid.c, fw_appid.h, hostPortAppCache.c, hostPortAppCache.h, host_tracker.h, httpCommon.h, luaDetectorApi.c, luaDetectorApi.h, luaDetectorFlowApi.c, luaDetectorFlowApi.h, luaDetectorModule.c, luaDetectorModule.h, rna_flow.h, service_state.c, service_state.h, spp_appid.c, spp_appid.h, detector_plugins/Makefile.am, detector_plugins/detector_api.h, detector_plugins/detector_base.c, detector_plugins/detector_base.h, detector_plugins/detector_imap.c, detector_plugins/detector_kerberos.c, detector_plugins/detector_pop3.c, detector_plugins/detector_http.c, detector_plugins/detector_http.h, detector_plugins/http_url_patterns.c, detector_plugins/http_url_patterns.h, util/Makefile.am, util/OutputFile.c, util/OutputFile.h, util/acsmx.c, util/acsmx.h, util/acsmx2.c, util/acsmx2.h, util/bnfa_search.c, util/bnfa_search.h, util/common_util.h, util/fw_avltree.c, util/fw_avltree.h, util/ip_funcs.h, util/mpse.c, util/mpse.h, util/sf_error.h, util/sf_mlmp.c, util/sf_mlmp.h, util/sf_multi_mpse.c, util/sf_multi_mpse.h, util/sfghash.c, util/sfghash.h, util/sfhashfcn.c, util/sfhashfcn.h, util/sfksearch.c, util/sfksearch.h, util/sflsq.c, util/sflsq.h, util/sfmemcap.c, util/sfmemcap.h, util/sfutil.c, util/sfutil.h, util/sfxhash.c, util/sfxhash.h, client_plugins/Makefile.am, client_plugins/client_app_aim.c, client_plugins/client_app_aim.h, client_plugins/client_app_api.h, client_plugins/client_app_base.c, client_plugins/client_app_base.h, client_plugins/client_app_bit.c, client_plugins/client_app_bit_tracker.c, client_plugins/client_app_msn.c, client_plugins/client_app_msn.h, client_plugins/client_app_rtp.c, client_plugins/client_app_sip.c, client_plugins/client_app_sip.h, client_plugins/client_app_smtp.c, client_plugins/client_app_smtp.h, 
client_plugins/client_app_ssh.c, client_plugins/client_app_template.c, client_plugins/client_app_timbuktu.c, client_plugins/client_app_tns.c, client_plugins/client_app_vnc.c, client_plugins/client_app_ym.c, client_plugins/client_app_ym.h, service_plugins/Makefile.am, service_plugins/dcerpc.c, service_plugins/dcerpc.h, service_plugins/service_MDNS.c, service_plugins/service_MDNS.h, service_plugins/service_api.h, service_plugins/service_base.c, service_plugins/service_base.h, service_plugins/service_battle_field.c, service_plugins/service_battle_field.h, service_plugins/service_bgp.c, service_plugins/service_bgp.h, service_plugins/service_bit.c, service_plugins/service_bootp.c, service_plugins/service_bootp.h, service_plugins/service_dcerpc.c, service_plugins/service_dcerpc.h, service_plugins/service_direct_connect.c, service_plugins/service_direct_connect.h, service_plugins/service_dns.c, service_plugins/service_dns.h, service_plugins/service_flap.c, service_plugins/service_flap.h, service_plugins/service_ftp.c, service_plugins/service_ftp.h, service_plugins/service_irc.c, service_plugins/service_irc.h, service_plugins/service_lpr.c, service_plugins/service_lpr.h, service_plugins/service_mysql.c, service_plugins/service_mysql.h, service_plugins/service_netbios.c, service_plugins/service_netbios.h, service_plugins/service_nntp.c, service_plugins/service_nntp.h, service_plugins/service_ntp.c, service_plugins/service_ntp.h, service_plugins/service_pattern.c, service_plugins/service_pattern.h, service_plugins/service_radius.c, service_plugins/service_radius.h, service_plugins/service_rexec.c, service_plugins/service_rexec.h, service_plugins/service_rfb.c, service_plugins/service_rfb.h, service_plugins/service_rlogin.c, service_plugins/service_rlogin.h, service_plugins/service_rpc.c, service_plugins/service_rpc.h, service_plugins/service_rshell.c, service_plugins/service_rshell.h, service_plugins/service_rsync.c, service_plugins/service_rsync.h, 
service_plugins/service_sip.c, service_plugins/service_sip.h, service_plugins/service_smtp.c, service_plugins/service_smtp.h, service_plugins/service_snmp.c, service_plugins/service_snmp.h, service_plugins/service_ssh.c, service_plugins/service_ssh.h, service_plugins/service_ssl.c, service_plugins/service_ssl.h, service_plugins/service_telnet.c, service_plugins/service_telnet.h, service_plugins/service_template.c, service_plugins/service_tftp.c, service_plugins/service_tftp.h, service_plugins/service_timbuktu.c, service_plugins/service_tns.c, service_plugins/service_util.h, src/detection-plugins/: sp_appid.c, sp_appid.h, doc/README.appid: New Open App ID feature to identify application protocol, client, server, and web application and be able to leverage that within Snort rules.
2014-02-19 Steven Sturges
* doc/snort_manual.pdf, doc/snort_manual.tex, src/active.c, src/active.h, src/encode.h, src/detection-plugins/sp_react.c: Added Active_SendBigData to active.c for sending multi-packet react pages. Modified react.c to use Active_SendBigData to allow payload that spans a single TCP packet (1500+ bytes).
* src/: preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_paf.c, preprocessors/Stream5/stream5_paf.h, dynamic-preprocessors/pop/Makefile.am, dynamic-preprocessors/pop/pop_config.c, dynamic-preprocessors/pop/pop_config.h, dynamic-preprocessors/pop/pop_log.c, dynamic-preprocessors/pop/pop_log.h, dynamic-preprocessors/pop/pop_paf.c, dynamic-preprocessors/pop/pop_paf.h, dynamic-preprocessors/pop/pop_util.c, dynamic-preprocessors/pop/sf_pop.dsp, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/snort_pop.h, dynamic-preprocessors/pop/spp_pop.c, dynamic-preprocessors/smtp/Makefile.am, dynamic-preprocessors/smtp/sf_smtp.dsp, dynamic-preprocessors/smtp/smtp_config.c, dynamic-preprocessors/smtp/smtp_config.h, dynamic-preprocessors/smtp/smtp_log.c, dynamic-preprocessors/smtp/smtp_log.h, dynamic-preprocessors/smtp/smtp_paf.c, dynamic-preprocessors/smtp/smtp_paf.h, dynamic-preprocessors/smtp/smtp_util.c, dynamic-preprocessors/smtp/smtp_util.h, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/snort_smtp.h, dynamic-preprocessors/smtp/spp_smtp.c, file-process/Makefile.am, file-process/file_api.h, file-process/file_mail_common.h, file-process/file_mime_config.c, file-process/file_mime_config.h, file-process/file_mime_process.c, file-process/file_mime_process.h, file-process/file_service.c, dynamic-preprocessors/imap/Makefile.am, dynamic-preprocessors/imap/imap_config.c, dynamic-preprocessors/imap/imap_config.h, dynamic-preprocessors/imap/imap_log.c, dynamic-preprocessors/imap/imap_log.h, dynamic-preprocessors/imap/imap_paf.c, dynamic-preprocessors/imap/imap_paf.h, dynamic-preprocessors/imap/imap_util.c, dynamic-preprocessors/imap/sf_imap.dsp, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/snort_imap.h, dynamic-preprocessors/imap/spp_imap.c, preprocessors/snort_httpinspect.c, preprocessors/stream_api.h, preprocessors/HttpInspect/include/hi_ui_config.h, sfutil/sf_email_attach_decode.h, 
dynamic-preprocessors/Makefile.am, dynamic-preprocessors/file/file_agent.c: Add PAF support to SMTP/IMAP/POP protocols.
* src/dynamic-preprocessors/ssh/spp_ssh.c: Count the max_client_bytes once the session is encrypted. Fix the ProcessSSHKeyExchange to parse server new keys.
* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: Fix ftp-data perfstats profiling.
* configure.in, src/decode.h, src/sfdaq.c, src/sfdaq.h, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/sip/sip_dialog.c, src/dynamic-preprocessors/ssh/spp_ssh.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/stream_expect.c, src/preprocessors/stream_expect.h: Add ability to specify details about dynamic protocols/data channels via DAQ.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Checked for existence of policy_id parameter on Stream5 TCP policy.
* src/preprocessors/perf-base.c: Ensure pkt_stats cannot go below zero.
* etc/sf_rule_options, src/Makefile.am, src/fpcreate.c, src/parser.c, src/parser.h, src/snort.c, src/snort.h, src/detection-plugins/sp_pattern_match.c, src/detection-plugins/sp_pattern_match.h, src/dynamic-plugins/sf_convert_dynamic.c, src/dynamic-plugins/sf_dynamic_define.h, src/dynamic-plugins/sf_dynamic_meta.h, src/dynamic-plugins/sf_engine/Makefile.am, src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h, src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c, src/sfutil/Makefile.am, src/hashstring.c, src/hashstring.h, sfutil/sf_sechash.c, sfutil/sf_sechash.h, src/file-process/file_capture.c, src/file-process/file_resume_block.c, src/file-process/libs/Makefile.am, src/file-process/libs/file_lib.c, src/sfutil/Makefile.am, src/sfutil/md5.c, src/sfutil/md5.h, src/sfutil/sf_sechash.c, src/sfutil/sf_sechash.h, src/sfutil/sha2.c, src/sfutil/sha2.h, src/win32/WIN32-Prj/snort.dsp, configure.in, doc/snort_manual.pdf,
doc/snort_manual.tex: Protected Rule Content feature. Updating the minor revision number for the engine API for shared library rules. Augmented the logic in configure.in to force the -lcrypto library to be included in the link. Added implementations of SHA2 and MD5 algorithms to Snort to allow use with older versions of OpenSSL.
* doc/: snort_manual.pdf, snort_manual.tex: Modified descriptions of urilen, dsize, and flags rule options.
* doc/snort_manual.pdf, doc/snort_manual.tex, src/sfutil/sfPolicy.c: Added check in binding mappings to prevent Snort from loading binding policy_ids > 4095, having it reject the configuration on load. Updated documentation to include config binding policy_id.
* src/preprocessors/spp_stream5.c: New minimum max_tcp sessions is now 2.
* src/: dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/stream_expect.c, preprocessors/stream_expect.h: Change preprocessor order for when FTP data is handled.
* src/: dynamic-examples/dynamic-preprocessor/Makefile.am, dynamic-plugins/sf_engine/Makefile.am, dynamic-preprocessors/dcerpc2/Makefile.am, dynamic-preprocessors/dnp3/Makefile.am, dynamic-preprocessors/dns/Makefile.am, dynamic-preprocessors/file/Makefile.am, dynamic-preprocessors/ftptelnet/Makefile.am, dynamic-preprocessors/gtp/Makefile.am, dynamic-preprocessors/imap/Makefile.am, dynamic-preprocessors/modbus/Makefile.am, dynamic-preprocessors/pop/Makefile.am, dynamic-preprocessors/reputation/Makefile.am, dynamic-preprocessors/rzb_saac/Makefile.am, dynamic-preprocessors/sdf/Makefile.am, dynamic-preprocessors/sip/Makefile.am, dynamic-preprocessors/smtp/Makefile.am, dynamic-preprocessors/ssh/Makefile.am, dynamic-preprocessors/ssl/Makefile.am: Install libraries into user defined libdir. Thanks to cjgd7-facebook for reporting the issue.
* src/: detection-plugins/detection_options.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_pattern_match.h, dynamic-plugins/sf_convert_dynamic.c: Update 'within' rule limits to handle extraction of a 0 via byte_extract.
* src/detection-plugins/: sp_byte_check.c, sp_byte_extract.h, sp_byte_jump.c, sp_isdataat.c, sp_pattern_match.c: Modified error outputs to include the specific offending rule option.
2013-12-30 Steven Sturges Snort 2.9.6.0
* src/build.h: updating build number to 47
* doc/README.file, doc/README.file_ips, etc/file_magic.conf, etc/Makefile.am: Added file_magic.conf and fixed a few typos. Thanks to Joshua Kinard for pointing them out.
* doc/snort_manual.tex: Update snort team members
* src/detection-plugins/sp_file_type.h, src/dynamic-preprocessors/libs/sf_preproc_info.h, tools/file_server/file_server.c: Clean up copyright and attribution.
* src/dynamic-preprocessors/sdf/spp_sdf.c: Fix secondary check for reassembled packets.
* doc/: README.GTP, README.PerfProfiling, README.dcerpc2, README.file, README.frag3, README.ftptelnet, README.http_inspect, README.imap, README.multipleconfigs, README.normalize, README.pop, README.reload, README.reputation, README.rpc_decode, README.sfportscan, README.sip, README.unified2, USAGE, WISHLIST, snort_manual.pdf, snort_manual.tex, README.SMTP, README.counts, README.asn1, README.active, README, NEWS, INSTALL: Corrected typos in documentation. Thanks to Mahendra Ladhe for pointing out the mistakes and providing a patch.
* src/: file-process/file_capture.c, file-process/file_mime_process.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/file/file_inspect_config.c, dynamic-preprocessors/pop/snort_pop.c, sfutil/sf_email_attach_decode.h: Enable detection on all file data
* src/sfutil/: sfxhash.c, sfxhash.h: Fix alignment of sfxhash node on sparc. Thanks to Markus Lude.
* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Identify EOF on single segment PDU transmissions.
* src/dynamic-preprocessors/dcerpc2/dce2_memory.c: Avoid checking memcap for DCE/RPC configuration data.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Tweak retransmit handling to ensure full right overlap condition holds
2013-11-22 Steven Sturges Snort 2.9.6.0.rc
* src/build.h: updating build number to 43
* configure.in, doc/README.ha, doc/snort_manual.pdf, doc/snort_manual.tex, doc/Makefile.am: Add Stream5 HA documentation and mark --enable-ha and --enable-side-channel as experimental.
* rpm/snort.spec: Install snort_control, u2boat, u2spewfoo from spec file. Thanks to Bradley Turnbough for mentioning it.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Using sequence number overlapping to trigger retransmission handler. This fixed issue on file blocking.
* src/dynamic-preprocessors/: pop/pop_log.c, smtp/smtp_log.c, imap/imap_log.c: Avoid mail decoding preprocessor alerts when they are not enabled in config.
* doc/snort_manual.tex, src/: active.c, active.h, decode.c, detect.c, fpdetect.c, detection-plugins/sp_react.c, dynamic-plugins/sf_dynamic_plugins.c, file-process/file_resume_block.c, file-process/file_service.c, output-plugins/spo_alert_fast.c, output-plugins/spo_unified2.c, preprocessors/spp_bo.c, preprocessors/spp_frag3.c, preprocessors/Stream5/snort_stream5_ip.c, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/snort_stream5_udp.c: Alerts get wdrop when active is suspended; code for cdrop is ready but disabled
* src/: file-process/file_api.h, file-process/file_resume_block.c, file-process/file_service.c, file-process/libs/file_lib.h, dynamic-preprocessors/file/file_agent.c: Add file id to file API callbacks to support multiple file contexts.
* preproc_rules/decoder.rules, src/decode.c, src/generators.h: Validate authentication headers. New decoder rules (116:465 and 116:466).
* doc/snort_manual.pdf, doc/snort_manual.tex, src/detection-plugins/sp_icmp_code_check.c: Added data validation checks to the icode rule option. The parser phase will now throw fatal errors for illegal values. Update manual to reflect the additional data validation.
* src/preprocessors/Stream5/: snort_stream5_ip.c, snort_stream5_udp.c: Force block for block rule in inline test mode.
* src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, preprocessors/stream_api.h, preprocessors/Stream5/snort_stream5_tcp.c: Don't put gaps in reassembled packets
* src/: preprocessors/Stream5/snort_stream5_session.c, side-channel/sidechannel.c: The global list in the session cache is ordered from MRU (head) to LRU (tail), so correctly walk backward rather than forward from the LRU looking for sessions to time out. Clean up compiler warning in Side Channel.
* src/file-process/: libs/file_lib.c, file_api.h, file_capture.c, file_service.c, file_service.h: Add multiple file contexts support for file API.
* src/: dynamic-preprocessors/ftptelnet/ftpp_si.c, dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.h, preprocessors/Stream5/snort_stream5_tcp.c: Add EndOfFile stream event callback. Remove EOF logic from FTP/Preprocessor in lieu of new callback.
* src/: file-process/file_service.c, file-process/file_service_config.c, file-process/file_service_config.h, snort.c: Make sure file configuration is initialized during reload.
2013-10-18 Hui Cao Snort 2.9.6.0.beta
* doc/: Makefile.am, README.file, README.file_ips: Add readme for experimental file type ips rule keywords.
* src/detection-plugins/sp_icmp_code_check.c: Allow a negative value in the ICMP icode x<>y range check. This permits the rule to include a check for zero
* src/preprocessors/Stream5/snort_stream5_tcp.c: Disable detection when the TCP connection was already closed.
* src/: dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, file-process/file_api.h: Fix FTP-Data file processing.
* src/snort_bounds.h: Avoid assertion for zero size memory copy
* src/: dynamic-plugins/sf_dynamic_plugins.c, detection-plugins/sp_react.c: Only inject response page when session is established.
* src/dynamic-preprocessors/smtp/smtp_log.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, preproc_rules/preprocessor.rules, etc/gen-msg.map: Add a new preprocessor alert to detect Cyrus SASL authentication attack.
* src/dynamic-preprocessors/ssh/spp_ssh.c: Set_reassembly to ABSOLUTE only if the traffic is SSH. Statefully process ssh version/ssh key exchange init/key exchange and/or encrypted data within a single reassembled packet. Thanks to Florian Westphal for reporting this.
* src/file-process/file_mime_process.c: For IMAP, the MIME and message will be inside fetch body, which will end at ")".
* src/: dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ssh/spp_ssh.c: Change preprocessor reassembly policy; Changed SSH preprocessor state transition based on the dir rather than both.
* src/: preprocessors/Stream5/snort_stream5_tcp.c: Ignore the gap when turning on reassembly dynamically on the very first packet of the session.
* src/dynamic-preprocessors/dnp3/spp_dnp3.c: Fix the incorrect mempool warnings. Thanks to Bram for reporting this
* doc/snort_manual.pdf, doc/snort_manual.tex, configure.in, src/snort.c, src/util.c: Trim freed memory before and after configuration reload.
* src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, file-process/file_mime_process.c, sfutil/sf_email_attach_decode.c: Allow 7bit decoding of binary file attachments.
* src/dynamic-preprocessors/sdf/: spp_sdf.c, spp_sdf.h: Avoid partial rule tree match during reload.
* src/tag.c: Fix boundary check error so that the global tagged packet limit doesn't allow an extra tag.
* src/: file-process/file_mime_process.h, file-process/file_api.h, file-process/file_mime_process.c, file-process/file_service.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/spp_imap.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/spp_pop.c: Add simple PAF support for POP and IMAP.
* src/: util.c, util.h, sfutil/sf_ip.c, sfutil/sf_ip.h: Bugs: Add sfip_convert_ip_text_to_binary() to enforce platform agnostic IPv4 syntax. Make sure xatou(), xatol(), and xatoup() return values within specified range
* doc/snort_manual.tex: Update the document to include the '<=' and '>=' operators to the byte_test command
* src/preprocessors/Stream5/snort_stream5_tcp.c: Make sure INTERNAL_EVENT_SESSION_ADD event only in the ESTABLISHED state.
* src/sfutil/sf_email_attach_decode.c: Check the QP encoding string is valid to avoid decoding end of line incorrectly.
* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Tweak config output to correspond to config input. Thanks to Reinoud Koornstra for the suggestion.
* src/preprocessors/Stream5/: snort_stream5_icmp.c, snort_stream5_ip.c, snort_stream5_tcp.c, snort_stream5_udp.c: dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/ssl/spp_ssl.c, encode.c, dynamic-preprocessors/dcerpc2/dce2_cl.c, dynamic-preprocessors/dcerpc2/dce2_session.h, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/imap/snort_imap.c: preprocessors/spp_rpc_decode.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/stream_expect.c: Handle out of order SSL handshake in SMTP. Thanks to Bram for reporting this.
* src/preprocessors/perf-base.c: Update the header printed at top of now file.
* src/preprocessors/perf-base.c: Change name of stat from Blocked Packets to Block Verdicts.
* src/preprocessors/Stream5/snort_stream5_session.c: Timeout a session when session timeout reaches instead of waiting for session nominal timeout.
* configure.in, src/plugbase.c, src/rule_option_types.h, src/snort.c, src/detection-plugins/Makefile.am, src/detection-plugins/: sp_file_type.c, sp_file_type.h, src/detection-plugins/detection_options.c, src/dynamic-preprocessors/Makefile.am, src/file-process/Makefile.am, src/file-process/file_api.h, src/file-process/file_service.c, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/libs/Makefile.am, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/spp_stream5.c, tools/Makefile.am, doc/: README.file, README.file_ips, Makefile.am: File inspection keywords for IPS rules.
* src/dynamic-preprocessors/sdf/: sdf_pattern_match.c, sdf_pattern_match.h, spp_sdf.c, spp_sdf.h: Add stateful pattern match of sdf patterns across packets.
* mkinstalldirs, doc/snort_manual.tex, src/detect.c, src/detection_util.h, src/fpdetect.c, src/parser.c, src/tag.c, src/tag.h, src/target-based/sf_attribute_table.y, tools/u2spewfoo/u2spewfoo.c: Support single session capture via tag rule option. Log all packets to the same place as original alert. Enable tagging on pass rules.
* src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/snort_imap.h, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/snort_pop.h, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/snort_smtp.h, file-process/file_api.h, file-process/file_mime_process.c, preprocessors/str_search.c, preprocessors/str_search.h, sfutil/bnfa_search.c: Add Stateful mime boundary search when split between packets.
* src/preprocessors/HttpInspect/client/hi_client.c: Change the uri search to start from method end instead of the start of payload.
* configure.in, doc/README.file, doc/snort_manual.pdf, src/parser.c, src/preprocids.h, src/snort.c, src/util.c, src/detection-plugins/.cvsignore, src/dynamic-examples/Makefile.am, src/dynamic-plugins/sf_engine/.cvsignore, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/file/Makefile.am, src/dynamic-preprocessors/file/file_agent.c, src/dynamic-preprocessors/file/file_agent.h, src/dynamic-preprocessors/file/file_event_log.c, src/dynamic-preprocessors/file/file_event_log.h, src/dynamic-preprocessors/file/file_inspect_config.c, src/dynamic-preprocessors/file/file_inspect_config.h, src/dynamic-preprocessors/file/file_sha.c, src/dynamic-preprocessors/file/file_sha.h, src/dynamic-preprocessors/file/sf_file.dsp, src/dynamic-preprocessors/file/spp_file.c, src/dynamic-preprocessors/file/spp_file.h, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, src/file-process/Makefile.am, src/file-process/circular_buffer.c, src/file-process/circular_buffer.h, src/file-process/file_api.h, src/file-process/file_capture.c, src/file-process/file_capture.h, src/file-process/file_mempool.c, src/file-process/file_mempool.h, src/file-process/file_resume_block.c, src/file-process/file_service.c, src/file-process/file_service.h, src/file-process/file_service_config.c, src/file-process/file_service_config.h, src/file-process/file_stats.c, src/file-process/file_stats.h, src/file-process/libs/file_config.c, src/file-process/libs/file_config.h, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/file-process/libs/file_sha256.h, tools/Makefile.am, tools/file_server/Makefile.am, tools/file_server/README.file_server, tools/file_server/file_server.c: Add file capture feature and introduce file inspect preprocessor
* src/preprocessors/Stream5/snort_stream5_tcp.c: Parse error if there are missing direction specifiers. Thanks to Bram Fabeg for the report.
* src/ipv6_port.h: Remove duplicate macro for GET_ORIG_IPH_PROTO.
* doc/: README.decode, README.gre, README.mpls, snort_manual.pdf, snort_manual.tex: Update manual and other docs related to tunneling. Thanks to Jason Poley for noting it.
* src/parser.c: Not so silently skip duplicate service metadata.
* src/: log.c, mempool.c, parser.c, snort.c, util.c, detection-plugins/sp_ip_tos_check.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_replace.c, detection-plugins/sp_session.c, detection-plugins/sp_tcp_win_check.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/sdf/sdf_pattern_match.c, output-plugins/spo_log_ascii.c, output-plugins/spo_log_tcpdump.c, preprocessors/HttpInspect/utils/hi_paf.c, preprocessors/Stream5/snort_stream5_tcp.c: Replace obsolete bzero and index calls. Credits to Bill Parker
* src/dynamic-preprocessors/: smtp/snort_smtp.c, ssl/spp_ssl.c, libs/ssl.c, libs/ssl.h: Check for SSL type only when the SSL handshake is not complete. Don't check for type in SSL data. Thanks to Bram Fabeg for reporting this.
* src/preprocessors/: HttpInspect/server/hi_server.c, HttpInspect/server/hi_server_norm.c, Stream5/snort_stream5_tcp.c: Only check charset bom once per response body; Only set charset once per charset=
* src/profiler.c: Fix issue when reading pcaps from command line and using multiple policies and --pcap-reset.
* src/detection-plugins/detection_options.c: Don't count RTN perf time in OTN perf time. Credits to Reinoud for reporting this.
* doc/README.flowbits: Fix typo in flowbits isnotset examples
* src/snort.c, src/snort.h, src/util.c, snort.8, doc/snort_manual.pdf, doc/snort_manual.tex: Add a command line switch --no-interface-pidfile to snort.
* src/preprocessors/: spp_stream5.c, Stream5/stream5_common.h: Updated Stream's exit stats to use 'filtered' instead of dropped.
* src/: detection_util.h, dynamic-preprocessors/sip/spp_sip.c: Don't set sip/http buffers to null
* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Return mismatch if requested http buffer was not set
* src/snort.c: Bugs Fixed: Capture packet data for sigabrt and sigbus
* doc/README.dcerpc2, doc/snort_manual.pdf, doc/snort_manual.tex, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/active.c, src/active.h, src/encode.c, src/encode.h, src/generators.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-preprocessors/dcerpc2/dce2_co.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/dcerpc2/dce2_event.c, src/dynamic-preprocessors/dcerpc2/dce2_event.h, src/dynamic-preprocessors/dcerpc2/dce2_memory.c, src/dynamic-preprocessors/dcerpc2/dce2_memory.h, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.h, src/dynamic-preprocessors/dcerpc2/dce2_stats.h, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.h, src/dynamic-preprocessors/dcerpc2/includes/smb.h, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/file-process/file_api.h, src/file-process/file_mime_process.c, src/file-process/file_service.c, src/file-process/libs/file_identifier.c, src/file-process/libs/file_identifier.h, src/file-process/libs/file_lib.c, src/file-process/libs/file_lib.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/Stream5/snort_stream5_tcp.c: Add SMB file support
2013-10-18 Steven Sturges Snort 2.9.5.6
* src/build.h: updating build number to 208
* src/preprocessors/Stream5/snort_stream5_tcp.c: Add NULL check for preprocessors that check for PAF before they check for any actual tcp session
* src/detection-plugins/: sp_byte_check.c, sp_byte_jump.c, sp_isdataat.c, sp_pattern_match.c: Test if the byte extracted distance and/or offset is within bounds of the search buffer. Thanks to Nathan Fowler for noting the issue.
* src/preprocessors/HttpInspect/client/hi_client.c: Clear cookie normalization buffer to avoid accidental null dereference in pipelined request. Thanks to Michael Galapchuk for reporting the problem.
2013-09-02 Steven Sturges Snort 2.9.5.5
* src/preprocessors/Stream5/snort_stream5_tcp.c: Disable all detection (not just content-based) for packets on previously blocked sessions
* src/preprocessors/perf.c: Write perfmon entry when both packet count and time conditions are met, rather than waiting for a multiple of the packet count after the time is reached.
* src/dynamic-preprocessors/smtp/snort_smtp.c: Stop inspection of the entire session when TLS data is present with ignore_tls_data enabled in SMTP - Check for midstream pickups and gaps when we miss server hello, and stop inspection as soon as we get client hello when ignore_tls_data is turned on
* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c: Changed pcre relative match with HTTP buffers to be not allowed in .so rules (same as in text rules)
2013-07-03 Steven Sturges Snort 2.9.5.3
* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed handling of partial segment purging. Thanks to Lode Mertens for reporting the issue.
* configure.in, src/active.c, src/decode.c, src/decode.h, src/detect.c, src/detection_util.c, src/detection_util.h, src/encode.c, src/encode.h, src/fpcreate.c, src/fpdetect.c, src/log_text.c, src/parser.c, src/plugbase.c, src/ppm.c, src/ppm.h, src/profiler.c, src/snort.c, src/util.c, src/util.h, src/detection-plugins/detection_options.c, src/detection-plugins/sp_byte_check.c, src/detection-plugins/sp_ftpbounce.c, src/detection-plugins/sp_pattern_match.c, src/detection-plugins/sp_pattern_match.h, src/detection-plugins/sp_pcre.c, src/detection-plugins/sp_pcre.h, src/detection-plugins/sp_replace.c, src/detection-plugins/sp_rpc_check.c, src/detection-plugins/sp_urilen_check.c, src/dynamic-examples/dynamic-preprocessor/spp_example.c, src/dynamic-plugins/sf_convert_dynamic.c, src/dynamic-plugins/sf_dynamic_common.h, src/dynamic-plugins/sf_dynamic_define.h, src/dynamic-plugins/sf_dynamic_engine.h, src/dynamic-plugins/sf_dynamic_meta.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-plugins/sp_dynamic.c, src/dynamic-plugins/sf_engine/Makefile.am, src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h, src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, src/dynamic-plugins/sf_engine/examples/bug26266.c, src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h, src/dynamic-plugins/sf_engine/examples/fake_snort.c, src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.c, src/dynamic-preprocessors/dcerpc2/dce2_http.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dnp3/spp_dnp3.c, src/dynamic-preprocessors/dns/spp_dns.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, src/dynamic-preprocessors/gtp/spp_gtp.c, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/imap/spp_imap.c, src/dynamic-preprocessors/isakmp/spp_isakmp.c, src/dynamic-preprocessors/modbus/spp_modbus.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/pop/spp_pop.c, src/dynamic-preprocessors/reputation/reputation_config.h, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c, src/dynamic-preprocessors/sdf/spp_sdf.c, src/dynamic-preprocessors/sip/sip_dialog.c, src/dynamic-preprocessors/sip/sip_parser.c, src/dynamic-preprocessors/sip/spp_sip.c, src/dynamic-preprocessors/smtp/spp_smtp.c, src/dynamic-preprocessors/ssh/spp_ssh.c, src/dynamic-preprocessors/ssl/spp_ssl.c, src/file-process/file_service.c, src/file-process/libs/file_config.c, src/output-plugins/spo_unified2.c, src/preprocessors/portscan.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_bo.c, src/preprocessors/spp_frag3.c, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_perfmonitor.c, src/preprocessors/spp_rpc_decode.c, src/preprocessors/spp_sfportscan.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/normalization/hi_norm.c, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/snort_stream5_udp.c, src/preprocessors/Stream5/stream5_common.h, src/sfutil/sf_iph.c, src/sfutil/sf_iph.h, src/sfutil/test/unit_hacks.c: Performance improvements and other refactorings. Notable changes include: improved HTTP buffer implementation and replaced run-time packet checks with assertions.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Ensure proper counting of sessions initializing.
* doc/Makefile.am, doc/faq.pdf, doc/faq.tex: Remove Snort FAQ from source package since it's now live on the web.
* src/preprocessors/: spp_stream5.c, stream_expect.c, stream_expect.h: Add a memcap to expected session tracking.
* src/sfutil/sfrt_flat.c: Check for memory allocation failure in both IPV4 and IPV6 tables.
* src/control/sfcontrol.c: Do not timeout during shutdown and fix stop processing code in the control socket thread. Add the thread to the list before creation of the thread to prevent a race condition.

2013-06-04 Steven Sturges Snort 2.9.5

* src/: snort.c, preprocessors/spp_stream5.c: when block rules fire during shutdown, log them as alert instead of drop
* src/: active.c, active.h, preprocessors/Stream5/snort_stream5_session.c: don't allow blocks or actions from pruned sessions (unrelated to current packet)
* src/preprocessors/Stream5/snort_stream5_tcp.c: don't generate 129:1 in syn-sent
* src/preprocessors/Stream5/: snort_stream5_tcp.c, snort_stream5_udp.c, stream5_common.h:
  - don't apply window or mss on midstream pickups
  - remove unused flags
  - eliminate read-mode check when determining window
* src/preprocessors/Stream5/snort_stream5_tcp.c:
  - don't reassemble on the tracked allowlisted flows
  - fix sequence number validation on ack to zero window syn+ack
  - fix timestamp tracking to use window base instead of next expected
* src/preprocessors/spp_stream5.c: when stream5 disables inspection, ensure non-content rules are not run
* src/dynamic-preprocessors/dcerpc2/dce2_smb.c: When removing a pipe tracker, NULL out static request tracker's pipe tracker for pipe tracker that was dynamically allocated.
* src/file-process/libs/file_identifier.c: Update some comments and avoid adding the same file magic
* src/preprocessors/: spp_stream5.c, stream_api.h, Stream5/snort_stream5_tcp.c: swap client/server on midstream pickup if we identify server by service using client port
* src/file-process/libs/file_identifier.c: Remove the code that parent file type might overwrite child file type.
* preproc_rules/preprocessor.rules, src/generators.h, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/Stream5/snort_stream5_tcp.c: HTTP PAF abort improvements
* doc/: README.frag3, snort_manual.pdf, snort_manual.tex: Added config event_trace description to Snort manual. Removed commas from Frag3 example configurations, thanks to Nicholas Horton for mentioning this.
* src/: dynamic-preprocessors/reputation/reputation_config.c, sfutil/sfrt_flat.c, sfutil/sfrt_flat.h, sfutil/sfrt_flat_dir.c: Copy reputation info from another list when a duplicate address is inserted.
* src/dynamic-preprocessors/smtp/snort_smtp.c: Fix issue when SMTP BDAT command specifies 0 length.
* src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c: Don't sort the manifest file.
* src/: snort.h, util.c: Fix FatalError to actually exit when initializing in the failopen thread.
* src/dynamic-preprocessors/reputation/reputation_config.c: Update to use more accurate ip list file parsing and validation.
* src/: active.h, snort.c, dynamic-plugins/sf_dynamic_plugins.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/Stream5/snort_stream5_tcp.c: ensure that force blocks persist
* src/dynamic-preprocessors/reputation/shmem/: shmem_config.c, shmem_config.h, shmem_datamgmt.c, shmem_datamgmt.h, shmem_mgmt.c: Refactor/cleanup of shared memory, data management logic.
* src/: dynamic-examples/dynamic-rule/detection_lib_meta.h, dynamic-plugins/sf_dynamic_meta.h, dynamic-plugins/sf_engine/sf_snort_detection_engine.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h: Add a stream API function to populate a session key given a packet. Also, export REQ_ENGINE_LIB_MAJOR and REQ_ENGINE_LIB_MINOR from snort
* src/preprocessors/Stream5/snort_stream5_tcp.c: allow stream5 to track allowlisted sessions
* src/: snort.c, dynamic-preprocessors/dnp3/spp_dnp3.c, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_paf.c, sfutil/sfPolicy.c, sfutil/sfPolicy.h: disable config by vlan or net selection if -DPOLICY_BY_ID_ONLY
* src/: snort.c, snort.h, dynamic-preprocessors/smtp/spp_smtp.c, preprocessors/Stream5/stream5_ha.c, preprocessors/Stream5/stream5_ha.h, win32/WIN32-Code/misc.c, win32/WIN32-Includes/config.h, win32/WIN32-Prj/snort.dsp: don't compile pcap reload for Win, add function for ffs() which is not defined in windows.
* src/preprocessors/snort_httpinspect.c: Support large file processing in post raw data (not in MIME format)
* src/: decode.c, decode.h, fpcreate.c, fpdetect.c, parser.c, parser.h, plugbase.c, plugbase.h, rate_filter.c, rate_filter.h, sfthreshold.c, sfthreshold.h, snort.c, snort.h, spo_plugbase.h, util.c, util.h, control/sfcontrol.c, control/sfcontrol.h, detection-plugins/detection_options.c, detection-plugins/detection_options.h, detection-plugins/sp_asn1.c, detection-plugins/sp_base64_data.c, detection-plugins/sp_base64_decode.c, detection-plugins/sp_byte_check.c, detection-plugins/sp_byte_extract.c, detection-plugins/sp_byte_jump.c, detection-plugins/sp_clientserver.c, detection-plugins/sp_cvs.c, detection-plugins/sp_dsize_check.c, detection-plugins/sp_file_data.c, detection-plugins/sp_flowbits.c, detection-plugins/sp_ftpbounce.c, detection-plugins/sp_icmp_code_check.c, detection-plugins/sp_icmp_id_check.c, detection-plugins/sp_icmp_seq_check.c, detection-plugins/sp_icmp_type_check.c, detection-plugins/sp_ip_fragbits.c, detection-plugins/sp_ip_id_check.c, detection-plugins/sp_ip_proto.c, detection-plugins/sp_ip_same_check.c, detection-plugins/sp_ip_tos_check.c, detection-plugins/sp_ipoption_check.c, detection-plugins/sp_isdataat.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_pattern_match.h, detection-plugins/sp_pcre.c, detection-plugins/sp_pcre.h, detection-plugins/sp_pkt_data.c, detection-plugins/sp_react.c, detection-plugins/sp_replace.c, detection-plugins/sp_replace.h, detection-plugins/sp_respond3.c, detection-plugins/sp_rpc_check.c, detection-plugins/sp_session.c, detection-plugins/sp_tcp_ack_check.c, detection-plugins/sp_tcp_flag_check.c, detection-plugins/sp_tcp_seq_check.c, detection-plugins/sp_tcp_win_check.c, detection-plugins/sp_ttl_check.c, detection-plugins/sp_urilen_check.c, dynamic-examples/dynamic-preprocessor/sf_preproc_info.h, dynamic-examples/dynamic-preprocessor/spp_example.c, dynamic-examples/dynamic-rule/detection_lib_meta.h, dynamic-output/libs/output_lib.c, dynamic-output/plugins/output_api.h, dynamic-output/plugins/output_common.h, dynamic-output/plugins/output_lib.h, dynamic-output/plugins/output_plugin.c, dynamic-plugins/sf_convert_dynamic.c, dynamic-plugins/sf_convert_dynamic.h, dynamic-plugins/sf_dynamic_detection.h, dynamic-plugins/sf_dynamic_engine.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h, dynamic-plugins/sp_preprocopt.c, dynamic-plugins/sp_preprocopt.h, dynamic-plugins/sf_engine/sf_snort_detection_engine.c, dynamic-plugins/sf_engine/sf_snort_detection_engine.h, dynamic-plugins/sf_engine/sf_snort_plugin_api.h, dynamic-plugins/sf_engine/sf_snort_plugin_loop.c, dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c, dynamic-plugins/sf_preproc_example/sf_preproc_info.h, dynamic-preprocessors/dcerpc2/dce2_config.c, dynamic-preprocessors/dcerpc2/dce2_config.h, dynamic-preprocessors/dcerpc2/dce2_paf.c, dynamic-preprocessors/dcerpc2/dce2_paf.h, dynamic-preprocessors/dcerpc2/dce2_roptions.c, dynamic-preprocessors/dcerpc2/dce2_roptions.h, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-preprocessors/dcerpc2/spp_dce2.c, dynamic-preprocessors/dnp3/dnp3_paf.c, dynamic-preprocessors/dnp3/dnp3_paf.h, dynamic-preprocessors/dnp3/dnp3_roptions.c, dynamic-preprocessors/dnp3/dnp3_roptions.h, dynamic-preprocessors/dnp3/spp_dnp3.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c, dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.h, dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, dynamic-preprocessors/gtp/gtp_roptions.c, dynamic-preprocessors/gtp/gtp_roptions.h, dynamic-preprocessors/gtp/spp_gtp.c, dynamic-preprocessors/imap/imap_config.h, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/spp_imap.c, dynamic-preprocessors/modbus/modbus_paf.c, dynamic-preprocessors/modbus/modbus_paf.h, dynamic-preprocessors/modbus/modbus_roptions.c, dynamic-preprocessors/modbus/modbus_roptions.h, dynamic-preprocessors/modbus/spp_modbus.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/spp_pop.c, dynamic-preprocessors/reputation/reputation_config.c, dynamic-preprocessors/reputation/reputation_config.h, dynamic-preprocessors/reputation/spp_reputation.c, dynamic-preprocessors/reputation/shmem/shmem_common.h, dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h, dynamic-preprocessors/sdf/sdf_detection_option.c, dynamic-preprocessors/sdf/sdf_detection_option.h, dynamic-preprocessors/sdf/spp_sdf.c, dynamic-preprocessors/sdf/spp_sdf.h, dynamic-preprocessors/sip/sip_roptions.c, dynamic-preprocessors/sip/sip_roptions.h, dynamic-preprocessors/sip/spp_sip.c, dynamic-preprocessors/sip/spp_sip.h, dynamic-preprocessors/smtp/smtp_config.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/spp_smtp.c, dynamic-preprocessors/ssh/spp_ssh.c, dynamic-preprocessors/ssl/spp_ssl.c, file-process/file_service.c, output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c, output-plugins/spo_alert_sf_socket.c, output-plugins/spo_alert_syslog.c, output-plugins/spo_alert_test.c, output-plugins/spo_alert_unixsock.c, output-plugins/spo_csv.c, output-plugins/spo_log_ascii.c, output-plugins/spo_log_null.c, output-plugins/spo_log_tcpdump.c, output-plugins/spo_unified2.c, parser/IpAddrSet.c, parser/IpAddrSet.h, preprocessors/portscan.c, preprocessors/portscan.h, preprocessors/spp_arpspoof.c, preprocessors/spp_bo.c, preprocessors/spp_frag3.c, preprocessors/spp_httpinspect.c, preprocessors/spp_normalize.c, preprocessors/spp_perfmonitor.c, preprocessors/spp_rpc_decode.c, preprocessors/spp_sfportscan.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/HttpInspect/include/hi_paf.h, preprocessors/HttpInspect/include/hi_ui_server_lookup.h, preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c, preprocessors/HttpInspect/utils/hi_paf.c, preprocessors/Stream5/snort_stream5_session.h, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/snort_stream5_tcp.h, preprocessors/Stream5/snort_stream5_udp.c, preprocessors/Stream5/snort_stream5_udp.h, preprocessors/Stream5/stream5_common.c, preprocessors/Stream5/stream5_common.h, preprocessors/Stream5/stream5_ha.c, preprocessors/Stream5/stream5_ha.h, preprocessors/Stream5/stream5_paf.c, preprocessors/Stream5/stream5_paf.h, sfutil/Makefile.am, sfutil/acsmx.c, sfutil/acsmx.h, sfutil/acsmx2.c, sfutil/acsmx2.h, sfutil/bnfa_search.c, sfutil/bnfa_search.h, sfutil/intel-soft-cpm.c, sfutil/intel-soft-cpm.h, sfutil/mpse.c, sfutil/mpse.h, sfutil/sfPolicy.c, sfutil/sfPolicy.h, sfutil/sfPolicyData.h, sfutil/sfPolicyUserData.c, sfutil/sfPolicyUserData.h, sfutil/sfksearch.c, sfutil/sfksearch.h, sfutil/sfrf.c, sfutil/sfrf.h, sfutil/sfrt.c, sfutil/sfrt.h, sfutil/sfthd.c, sfutil/sfthd.h, sfutil/test/sfrf_test.c, sfutil/test/sfthd_test.c, sfutil/test/unit_hacks.c, sfutil/test/unit_hacks.h, target-based/sftarget_reader.c, target-based/sftarget_reader.h: Add a control channel command that reloads the snort configuration. If a restart is needed, the command will return an error and the new configuration will be freed. Using this can replace the HUP signal, which does not have a means of feedback to the user.
* preproc_rules/preprocessor.rules, src/generators.h, src/dynamic-preprocessors/imap/imap_log.c, src/dynamic-preprocessors/imap/imap_log.h, src/dynamic-preprocessors/pop/pop_log.c, src/dynamic-preprocessors/pop/pop_log.h, src/dynamic-preprocessors/smtp/smtp_log.c, src/dynamic-preprocessors/smtp/smtp_log.h, doc/README.imap, doc/README.pop: Removed the decoding failure alert for bitencoded/non-encoded attachments since it was invalid as we don't decode these attachments.
* src/preprocessors/spp_frag3.c: Continue to track fragments if rebuilt packet caused a drop.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed POST_SESSION_CLEANUP() macro to not log messages when Stream5 is configured with "prune_log_max 0". Thanks to Gregory S Thomas for pointing out the issue.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Skip MAC address verification on packets being routed by a DAQ Module.
* src/: decode.c, parser.c: Disallow rule-type decode rules with a sid that exceeds DECODE_INDEX_MAX.
* src/decode.c: Fixed MPLS header length check. Credits to Jacob Baines for the find.
* src/fpdetect.c: When decoding Teredo and the inner IPv6 doesn't have any payload, reset do_detect_content to ensure content matches are checked when evaluating rules against the outer IPv4 'payload'. Thanks to Yun Zheng Hu & L0rd Ch0de1m0rt for reporting the issue & crafting traffic to reproduce.
* doc/snort_manual.tex: Add reference 'msb' to the list of valid ones in the Snort manual.
* src/preprocessors/Stream5/snort_stream5_tcp.c: flush and free application data on receipt of TCP RST in the close-wait state
* src/: snort.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/stream_expect.c, preprocessors/Stream5/snort_stream5_icmp.c, preprocessors/Stream5/snort_stream5_ip.c, preprocessors/Stream5/snort_stream5_session.c, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/snort_stream5_tcp.h, preprocessors/Stream5/snort_stream5_udp.c, preprocessors/Stream5/snort_stream5_udp.h, preprocessors/Stream5/stream5_common.c, preprocessors/Stream5/stream5_common.h, preprocessors/Stream5/stream5_ha.c, preprocessors/Stream5/stream5_ha.h, side-channel/Makefile.am, side-channel/dmq.c, side-channel/dmq.h, side-channel/rbmq.c, side-channel/rbmq.h, side-channel/sidechannel.c, side-channel/sidechannel_define.h, configure.in: Add the ability to share basic session state for Stream via a side channel
* src/: fpdetect.c, parser.c, snort.c, snort.h, util.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.h, dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_paf.c: Improve some processing performance for small packets
* src/preprocessors/Stream5/snort_stream5_tcp.c:
  - fix alerts on packets with same src/dst ports
  - fix prior alert tracking to prevent redundant alerts
  - fix missing u2 packets.
* src/dynamic-preprocessors/smtp/snort_smtp.c: Copy remaining data to normalization buffer if already normalizing and in AUTH state.
* src/ppm.c: Apply event filter support for PPM rules.
* src/: preprocessors/snort_httpinspect.c, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-plugins/sf_engine/sf_snort_packet.h, detection-plugins/detection_options.c, detection-plugins/detection_options.h, decode.h, detection_util.c, encode.c, encode.h, fpdetect.c: update the packet number check in detection to include the rebuilt packet count.
* doc/snort_manual.tex: Update description for rawbytes rule option
* src/sfutil/sfrt_flat.c: correct return value for memory allocation failures
* src/: file-process/file_mime_process.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c: Check log_state in case of allocation failure
* src/: file-process/file_mime_process.c, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/pop/snort_pop.c: Process each mime attachment after the boundary is found.
* doc/README.http_inspect, doc/faq.pdf, doc/snort_manual.pdf, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/generators.h, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/preprocessors/spp_stream5.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/Stream5/snort_stream5_tcp.c:
  - Correct handling of head responses
  - Flush extra line feeds with following PDUs (skipped over by http_inspect)
  - add profiling for PAF
  - Make PAF debug output more readable
* src/: detect.c, detect.h, generators.h, snort.c, snort.h, util.c, output-plugins/spo_log_tcpdump.c, preprocessors/perf-base.c, preprocessors/perf-base.h: Add a new column for total_alert_pkts to perfmonitor stats.
* src/preprocessors/: perf-base.c, perf.c: Fix insolent file handling in perfmonitor.
* src/sfutil/sf_vartable.c: Free allocation on failure.
* src/sfutil/sf_ipvar.c: Refactor sfip_node_t list freeing; Free sfip_node_t list on allocation failure.
* snort.8: Update snort.8
* src/: dynamic-preprocessors/ftptelnet/hi_util_kmap.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, preprocessors/HttpInspect/utils/hi_util_kmap.c: Check for NULL parameter pointer before copying into file name. Alloc key node after checking for zero length. Remove unnecessary curr_ch NULL check.
* src/control/sfcontrol.c: Fix error checks for CS_TYPE_MAX to be greater than or equal to.
* src/dynamic-preprocessors/dcerpc2/: dce2_smb.c, dce2_smb.h: Remove unnecessary NULL check of session pointer. Fix set SMB fingerprint functions to just set flag and not return anything.
* src/dynamic-preprocessors/sdf/sdf_us_ssn.c: Closed file before returning on error. NULL terminated string gotten from fread() before passing to strtok_r. Checked return value of fseek(), ftell() and fread(). Added log messages for errors.
* src/preprocessors/Stream5/snort_stream5_tcp.c:
  - don't do PAF on midstream pickup sessions
  - do midstream pickup on SYN/ACK when packet is within require_3whs grace period.
* src/preprocessors/Stream5/snort_stream5_tcp.c: fix midstream pickup when server data is seen before client. Thanks to John Eure for reporting the issue.
* src/preprocessors/perf-flow.c: Don't skip logging of flows with 0 packet count for flow-ip tracking.
* src/preprocessors/Stream5/snort_stream5_tcp.c: fix multi-pdu per segment flushing
* src/preprocessors/snort_httpinspect.c: check http session tracker for file upload processing
* src/: encode.c, preprocessors/snort_httpinspect.c, preprocessors/spp_frag3.c, preprocessors/Stream5/snort_stream5_tcp.c: Adjust stream reassembly for a few edge cases
* src/preprocessors/snort_httpinspect.c: fix the parsing of max gzip mem
* src/: snort.c, dynamic-output/plugins/output.h, dynamic-output/plugins/output_base.c: Print dynamic output modules with other plugins during startup.
* doc/snort_manual.pdf, etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c, src/decode.h, src/encode.c, src/generators.h, src/sf_protocols.h: Add decoding support for ERSpan type 2 and type 3 when ERSpan is inside GRE.
* src/: snort.c, snort.h: Add --pcap-reload Snort flag to reload between pcap runs.
* doc/README.daq, doc/faq.pdf, doc/snort_manual.pdf, doc/snort_manual.tex, src/decode.h, src/fpdetect.c, src/snort.c, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/smtp_util.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/file-process/file_mime_process.c, src/output-plugins/spo_unified2.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/snort_stream5_tcp.h: Ensure logging of extra data captured after alert
* src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c: When a writer is in read mode, ensure the size is the shared memory segment size.
* src/file-process/: libs/file_lib.c, file_service.c: Only display the file stats for types in the current configuration
* src/: dynamic-preprocessors/ftptelnet/ftpp_si.h, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/Stream5/snort_stream5_session.c, control/sfcontrol.c: Add a stream api function to return the session key given a session pointer. Expose the SessionKey structure to dynamic preprocessors. For ICMP "sessions", include ICMP type as an element in the key, thereby making it a different "session" if the type varies. Echo replies are keyed the same as requests.
* doc/snort_manual.pdf, doc/snort_manual.tex, src/parser.c, src/parser.h, src/snort.c, src/snort.h, doc/README.reload: Remove "config read_bin_file" documentation
* src/: decode.c, decode.h, sfutil/sf_ip.h, sfutil/sf_iph.c, preprocessors/perf-base.c, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-preprocessors/sdf/spp_sdf.c: Update IP6RawHdr structure and fix version extraction for little endian machines. Reduce size of sfip_t by 4 bytes.
* src/detection-plugins/sp_pattern_match.c: Error if relative rule option used after fast pattern only.
* preproc_rules/decoder.rules, src/decode.c, src/generators.h: Add decoder alert for IPv6 Routing Type 0 headers.
* src/encode.c: Replace usage of ScAdapterInlineMode() with DAQ_GetInterfaceMode().
* src/: rate_filter.h, dynamic-preprocessors/sdf/sdf_us_ssn.h, dynamic-preprocessors/sdf/spp_sdf.h, sfutil/sfrt_flat_dir.h: Cleanup recursive header inclusions.
* src/decode.h: Fix macros for token ring header field extraction.
* src/dynamic-preprocessors/sdf/sdf_us_ssn.c: Move SSN advertisement check before stricter validation.
* doc/: README.dcerpc2, snort_manual.pdf, snort_manual.tex: Update dce_stub_data documentation.
* src/parser.c: Cleanup function ValidateIPList().
* src/dynamic-output/plugins/output_base.c: Remove dead code path.
* src/detection-plugins/sp_respond3.c: FatalError if Resp3_Parse() is called with bad parameters.
* src/: snort_bounds.h, preprocessors/perf-base.c: Add error recovery to the perfstats logging code.
* src/output-plugins/: spo_alert_fast.c, spo_alert_full.c: Add printing of GID:SID:Rev even if there is no msg in a rule.
* src/dynamic-preprocessors/: smtp/spp_smtp.c, pop/spp_pop.c, imap/spp_imap.c: Initialize file depth to all the configurations, not just the default.
* configure.in, src/decode.h, src/detection-plugins/sp_clientserver.c, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c, src/dynamic-preprocessors/dcerpc2/dce2_paf.c, src/dynamic-preprocessors/dcerpc2/dce2_paf.h, src/dynamic-preprocessors/dcerpc2/dce2_session.h, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dnp3/dnp3_paf.c, src/dynamic-preprocessors/dnp3/dnp3_paf.h, src/dynamic-preprocessors/dnp3/spp_dnp3.c, src/dynamic-preprocessors/ftptelnet/ftpp_si.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, src/dynamic-preprocessors/modbus/modbus_paf.c, src/dynamic-preprocessors/modbus/modbus_paf.h, src/dynamic-preprocessors/modbus/spp_modbus.c, src/file-process/file_mime_process.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/include/hi_paf.h, src/preprocessors/HttpInspect/mode_inspection/hi_mi.c, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/snort_stream5_tcp.h, src/preprocessors/Stream5/stream5_paf.c, src/preprocessors/Stream5/stream5_paf.h: Add support for PAF activation by service and hardened PAF (removed --disable-paf from configure.in)
* etc/gen-msg.map, src/decode.c, src/decode.h, src/generators.h, preproc_rules/decoder.rules: Support decoding of ICMPv6 Node Info Query and Node Info Response. Added decoder event for invalid codes therein.
* src/preprocessors/: HttpInspect/mode_inspection/hi_mi.c, HttpInspect/client/hi_client.c, HttpInspect/include/hi_client.h, snort_httpinspect.h: Log XFF data on raw packet when reassembly is turned off.
* src/dynamic-preprocessors/dcerpc2/dce2_smb.c: Refactor dead code path in DCE2_SmbTransactionGetName().
* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c: Factor out dead code path in ftpp_ui_client_lookup_add().
* src/preprocessors/spp_bo.c: Remove redundant dereferences to array pointer.
* src/sfutil/sfrf.c: Factor out dead code path in SFRF_ConfigAdd().
* src/preprocessors/Stream5/snort_stream5_tcp.c: Factor out dead code path in Stream5ProcessTcp().
* src/fpcreate.c: Factor out dead code path in fpCreatePortObject2PortGroup().
* src/dynamic-preprocessors/dcerpc2/dce2_roptions.c, src/dynamic-preprocessors/dcerpc2/dce2_config.c: Factor out dead code paths in DCE2 Preproc.
* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Factor out dead code paths in SetCursorInternal().
* src/dynamic-preprocessors/sip/: sip_roptions.c, spp_sip.c, spp_sip.h: add user defined SIP method to parsing policy instead of running policy
* src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, etc/gen-msg.map, src/generators.h, preproc_rules/preprocessor.rules, src/preprocessors/HttpInspect/client/hi_client.c:
  - Add preprocessor alert when snort sees unescaped space within the URI
  - Log IPs followed by portnum from the XFF header
* src/preprocessors/Stream5/snort_stream5_tcp.c: Remove unnecessary check for NULL on array type.
* src/preprocessors/spp_frag3.c: Remove unnecessary check for NULL on array type.
* src/snort.c: Remove unnecessary check for NULL on array type.
* tools/u2boat/u2boat.c: Make sure ConvertRecord func pointer is valid before it is called.
* src/detection-plugins/sp_byte_extract.c: Fix value check for byte extract "multiplier" arg.
* src/: util.c, util.h: Remove dead functions from util.c
* tools/u2spewfoo/u2spewfoo.c: Check for error and prevent leaks with realloc in u2spewfoo. Thanks to William Parker for reporting it.
* src/: parser.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-preprocessors/dcerpc2/dce2_config.c, dynamic-preprocessors/dns/spp_dns.c: Fix dead code paths
* src/preprocessors/Stream5/snort_stream5_tcp.c: Reset overlap count when 129:7 is triggered to avoid repeated false positives
* src/dynamic-preprocessors/smtp/: snort_smtp.c, snort_smtp.h: Handle 535 response codes - authentication failed.
* doc/README.SMTP, doc/snort_manual.tex, src/dynamic-preprocessors/smtp/smtp_config.c, src/dynamic-preprocessors/smtp/smtp_config.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h: Added new configuration options "data_cmds", "binary_data_cmds" and "auth_cmds" to the smtp preprocessor.
* doc/README.reload, doc/snort_manual.tex, src/snort.c, src/preprocessors/perf-base.c, src/preprocessors/perf-base.h, src/preprocessors/perf-flow.c, src/preprocessors/perf-flow.h, src/preprocessors/perf.c, src/preprocessors/perf.h, src/preprocessors/spp_perfmonitor.c, src/preprocessors/Stream5/snort_stream5_tcp.c: Added "flow-file" configuration option and optional arguments to "atexitonly" for perfmonitor preprocessor.
* src/: detection-plugins/sp_pattern_match.c, dynamic-plugins/sf_engine/sf_snort_plugin_content.c: Adjust detection option pointer and distance for content matches with negative distances that put pointer before start of buffer.
* src/preprocessors/HttpInspect/session_inspection/hi_si.c: Ensure all request and response fields are reset
* src/generators.h, preproc_rules/preprocessor.rules, src/preprocessors/spp_frag3.c: Remove dead preprocessor alerts from Frag3, GIDs 123:9, 123:10 that are covered by 116:458.
* src/: dynamic-preprocessors/ftptelnet/ftpp_si.c, dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.h, dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, preprocessors/stream_api.h, preprocessors/Stream5/snort_stream5_tcp.c: Set reassembly on ftp-data for file processing and file_data ptr for ftp-data channel.
* src/: decode.c, decode.h, encode.c, sf_protocols.h, snort.c: Allowlist encrypted ESP tunnels if decoding ESP traffic.
* src/detection-plugins/sp_react.c: Fix issue where react action was lost when Snort reloads.
* src/dynamic-preprocessors/: imap/snort_imap.c, imap/spp_imap.c, smtp/snort_smtp.c, smtp/spp_smtp.c, pop/snort_pop.c, pop/spp_pop.c: Enforce target based config setting for file processing.
* src/file-process/file_mime_process.c: Make sure signature context is created at any file position.
* src/dynamic-preprocessors/: pop/snort_pop.c, pop/snort_pop.h, smtp/snort_smtp.c, smtp/snort_smtp.h: Use boundary to check end of file
* src/: decode.h, dynamic-plugins/sf_engine/sf_snort_packet.h, output-plugins/spo_unified2.c, preprocessors/spp_sfportscan.c: Update portscan unified2 events to log type of portscan in protocol field instead of 0xFF.
* doc/: README.asn1, snort_manual.pdf, snort_manual.tex: Update asn1 rule option documentation to remove reference to byte_test updating relative pointer. Thanks to Brandon Castel for bringing this to our attention.
* src/: file-process/file_mime_process.c, file-process/file_mime_process.h, preprocessors/HttpInspect/client/hi_client.c, file-process/Makefile.am, file-process/file_api.h, file-process/file_mime_config.c, file-process/file_mime_config.h, file-process/file_resume_block.c, file-process/file_resume_block.h, file-process/file_service.c, file-process/file_service.h, file-process/file_service_config.c, preprocessors/snort_httpinspect.c, preprocessors/snort_httpinspect.h, preprocessors/spp_httpinspect.c, preprocessors/HttpInspect/include/hi_client.h, preprocessors/HttpInspect/include/hi_ui_config.h, dynamic-preprocessors/imap/spp_imap.c, file-process/libs/file_config.c, file-process/libs/file_config.h, sfutil/sf_email_attach_decode.c, snort.c: Add support for http file upload.

* doc/: PROBLEMS, README.WIN32, README.daq, faq.tex, snort_manual.tex: Update READMEs and FAQ and Snort Manual to standardize the format of references to libpcap. Also update location of winpcap. Thanks to Joshua Kinard and Bryan Jones for pointing out the discrepancies.

* src/preprocessors/spp_sfportscan.c: Fix portscan to only prep a pseudo-packet if actually generating an alert

* src/file-process/: file_api.h, file_service.c: Add packet to file api calls to determine if the session is inline.

* src/dynamic-preprocessors/sip/sip_config.c: Fatal error during SIP preprocessor configuration if a standard or user defined method cannot be allocated.

* src/: file-process/file_resume_block.c, file-process/file_service.c, file-process/file_service.h, snort.c: Move file resume cache clean to restart or snort exit

* src/file-process/: file_api.h, file_resume_block.c: File API change to support logging file resume blocking.
* src/: preprocessors/Stream5/snort_stream5_tcp.c, file-process/Makefile.am, file-process/file_api.h, file-process/file_mime_process.c, file-process/file_mime_process.h, file-process/file_resume_block.c, file-process/file_resume_block.h, file-process/file_service.c, file-process/file_service_config.c, dynamic-preprocessors/pop/pop_config.c, dynamic-preprocessors/pop/pop_config.h, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/pop/snort_pop.h, dynamic-preprocessors/pop/spp_pop.c, dynamic-preprocessors/smtp/smtp_config.c, dynamic-preprocessors/smtp/smtp_config.h, dynamic-preprocessors/smtp/smtp_util.c, dynamic-preprocessors/smtp/smtp_util.h, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/snort_smtp.h, dynamic-preprocessors/smtp/spp_smtp.c, dynamic-preprocessors/imap/imap_config.c, dynamic-preprocessors/imap/imap_config.h, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/imap/snort_imap.h, dynamic-preprocessors/imap/spp_imap.c, util.c, util.h, file-process/libs/file_config.c, file-process/libs/file_config.h, file-process/libs/file_lib.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h: File blocking, http resume blocking, file statistics, and file name support for pop, imap.

* src/output-plugins/spo_alert_unixsock.c: Update to use memset and memmove instead of bzero/bcopy. Thanks to Bill Parker for the suggestion.

* doc/: README.dcerpc2, snort_manual.pdf, snort_manual.tex: Update dcerpc2 preprocessor documentation to remove -1 as a default and valid value to max_frag_len.

* src/preprocessors/spp_perfmonitor.c: Make sure perfmonitor evaluation function is added to each policy's preprocessor evaluation list.
* configure.in, doc/INSTALL, doc/README.reputation, doc/snort_manual.pdf, doc/snort_manual.tex, src/fpcreate.c, src/fpcreate.h, src/parser.c, src/parser.h, src/rule_option_types.h, src/snort.c, src/snort.h, src/detection-plugins/detection_options.c, src/dynamic-examples/Makefile.am, src/dynamic-output/Makefile.am, src/dynamic-output/libs/Makefile.am, src/dynamic-plugins/sf_convert_dynamic.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sp_dynamic.c, src/dynamic-plugins/sp_preprocopt.c, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp, src/dynamic-preprocessors/dnp3/sf_dnp3.dsp, src/dynamic-preprocessors/dns/sf_dns.dsp, src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/gtp/sf_gtp.dsp, src/dynamic-preprocessors/imap/sf_imap.dsp, src/dynamic-preprocessors/isakmp/sf_isakmp.dsp, src/dynamic-preprocessors/libs/Makefile.am, src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp, src/dynamic-preprocessors/modbus/sf_modbus.dsp, src/dynamic-preprocessors/pop/sf_pop.dsp, src/dynamic-preprocessors/reputation/sf_reputation.dsp, src/dynamic-preprocessors/sdf/sf_sdf.dsp, src/dynamic-preprocessors/sip/sf_sip.dsp, src/dynamic-preprocessors/smtp/sf_smtp.dsp, src/dynamic-preprocessors/ssh/sf_ssh.dsp, src/dynamic-preprocessors/ssl/sf_ssl.dsp, src/preprocessors/spp_httpinspect.c, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/stream5_common.c, src/win32/WIN32-Prj/sf_engine.dsp, src/win32/WIN32-Prj/sf_testdetect.dsp, src/win32/WIN32-Prj/snort.dsp: Removed --disable-dynamicplugin configure option and hardened dynamic plugin code. 
* src/: dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-preprocessors/ftptelnet/ftpp_si.c, dynamic-preprocessors/ftptelnet/ftpp_si.h, dynamic-preprocessors/ftptelnet/ftpp_ui_config.h, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/Stream5/snort_stream5_tcp.c: File processing for ftp-data channel.

* src/dynamic-preprocessors/dcerpc2/: dce2_smb.c, dce2_smb.h: Remove NetBIOS session state.

* src/: plugbase.c, output-plugins/Makefile.am, output-plugins/spo_unified.c, output-plugins/spo_unified.h: Remove deprecated unified support. Same functionality is supported with unified2.

* src/dynamic-preprocessors/dcerpc2/dce2_smb.c: Correct setting FID in reassembled packets on big endian systems.

* doc/INSTALL, doc/snort_manual.pdf, doc/snort_manual.tex, src/output-plugins/spo_alert_unixsock.c: Update alert_unixsock output plugin and documentation for use on FreeBSD.

* src/: decode.c, decode.h: Add RFC 5925 (The TCP Authentication Option) option as a valid TCP option and tag RFC 2385 (Protection of BGP Sessions via the TCP MD5 Signature Option) option as obsolete.

* rpm/snort.spec, doc/snort_manual.tex, src/win32/WIN32-Prj/snort_installer.nsi, src/win32/WIN32-Includes/config.h: Set version to 2.9.5

2013-04-18 Steven Sturges Snort 2.9.4.6

* src/build.h: updating build number to 73

* doc/README.counts, doc/snort_manual.pdf, doc/snort_manual.tex, src/decode.c, src/parser.c, src/snort.h: Added config tunnel_verdicts and tunnel bypass for allowlist and blocklist verdicts for 6in4 or 4in6 encapsulated traffic.

* src/preprocessors/spp_frag3.c: Don't update IP options length and count in frag3 after allocating option buffer when receiving duplicate 0 offset fragments with IP options.
2013-03-20 Steven Sturges Snort 2.9.4.5

* src/build.h: updating build number to 71

* src/preprocessors/Stream5/snort_stream5_tcp.c: prevent pruning when dup'ing a seglist node to avoid broken flushed packets

* src/detection-plugins/detection_options.c: recursively search patterns within the HTTP uri buffers until the buffer ends.

* src/preprocessors/HttpInspect/: client/hi_client.c, client/hi_client_norm.c, include/hi_client.h: Remove proxy information from the normalized URI buffer. Thanks to L0rd Ch0de1m0rt for reporting the issue.

* src/: control/sfcontrol.c, preprocessors/Stream5/snort_stream5_tcp.c: fix logging of unified2 packet data when alerting on a packet containing multiple HTTP PDUs

2013-02-19 Bhagyashree Bantwal Snort 2.9.4.1

* src/build.h: updating build number to 69

* src/preprocessors/Stream5/snort_stream5_tcp.c: Only check for TCP Window Slam on client packets.

* src/: control/sfcontrol.c, control/sfcontrol.h, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/Stream5/snort_stream5_session.c, preprocessors/Stream5/stream5_common.h: Add a stream API function to return a session key given a session. Expose the session key

* src/target-based/sftarget_reader.c: Change routing table layout for ip6 attribute lookups to be more space efficient

* src/preprocessors/spp_frag3.c: Forcibly drop excessive overlaps

* src/preprocessors/spp_frag3.c: Propagate address_space_id from raw packet to frag3 rebuilt packet DAQ header

* src/: encode.c, encode.h, preprocessors/Stream5/snort_stream5_tcp.c: Update packet encoding to propagate the address_space_id in DAQ header

* configure.in, src/decode.c: Define NO_NON_ETHER_DECODER by default in Snort builds. Add --enable-non-ether-decoders as a configure flag.
* src/dynamic-preprocessors/: pop/snort_pop.c, pop/snort_pop.h, smtp/snort_smtp.c, smtp/snort_smtp.h: Use MIME boundary for end of file indication even for the last file

* src/dynamic-preprocessors/reputation/spp_reputation.c: only inspect ingress zone for passive interface.

* doc/README.reputation:

* src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c: When a writer is in read mode, the size should be the shared memory segment size.

* src/: control/sfcontrol.c, control/sfcontrol.h, dynamic-preprocessors/reputation/spp_reputation.c: Only decode outer header in main control section. Payload is handled by the handler.

* src/dynamic-preprocessors/reputation/: spp_reputation.c, shmem/shmem_mgmt.c: update shared memory for snort readers that are idle.

* src/parser.c: make sure otn is different from original and that option functions weren't already freed before freeing the dup list.

* src/dynamic-preprocessors/: smtp/spp_smtp.c, imap/spp_imap.c, pop/spp_pop.c: Initialize file depth to all the policies, not just default policy

* src/dynamic-preprocessors/: pop/spp_pop.c, smtp/snort_smtp.c, imap/spp_imap.c: check whether mime decoding is disabled before allocating memory.

* doc/: snort_manual.pdf, snort_manual.tex: changed doc default to 10 max_attribute_services_per_host.

* src/: parser.c, parser.h, snort.c, snort.h, preprocessors/spp_frag3.c, preprocessors/Stream5/snort_stream5_tcp.c, target-based/sftarget_hostentry.c, target-based/sftarget_reader.c, target-based/sftarget_reader.h: remove unused AttributeData and change attribute table to use uints instead of AttributeData to reduce host/service from 5208/5192 to 80/16 bytes respectively. Add config max_attribute_services_per_host to change from default of 10. Unused AttributeData includes operating system, vendor, and version for host and application and version for service. Note that the data is still parsed from hosts.xml but not actually stored in memory. Also tweak some stream5 debug code that threw warnings.
* src/: file-process/file_service.c, preprocessors/snort_httpinspect.c: avoid processing partial HTTP content.

* src/: encode.c, encode.h, preprocessors/Stream5/snort_stream5_tcp.c: Make sure daq supports zones and interfaces in the daq header.

* src/: encode.c, encode.h, preprocessors/Stream5/snort_stream5_tcp.c: Maintain ingress and egress interfaces and zones and daq flags in the tcp session to be used to populate reassembled packets correctly.

2012-10-30 Steven Sturges Snort 2.9.4

* src/build.h: updating build number to 37

* doc/README.counts, doc/snort_manual.tex, doc/snort_manual.pdf, src/active.c, src/active.h, src/decode.c, src/parser.c, src/parser.h, src/snort.c, src/snort.h, src/util.c: added config tunnel_verdicts and tunnel bypass for allowlist and blocklist verdicts for gtp or teredo encapsulated traffic.

* src/dynamic-preprocessors/smtp/: snort_smtp.c, snort_smtp.h: Handle MS Exchange X-EXPS and XEXCH50 commands in the SMTP preprocessor.

2012-10-16 Steven Sturges Snort 2.9.4 RC

* src/build.h: updating build number to 35

* src/file-process/libs/: file_identifier.c, file_identifier.h: Fixed one issue when inserting a file magic in between another file magic. In addition, avoid cloning nodes which are not used by other nodes. This improves memory usage (from 10M down to 4M)

* src/: detect.c, plugbase.c, plugbase.h, snort.c, snort.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h: Added 2 new dpd functions. One turns off detection, the other re-enables a given preprocessor. After the preprocessors are configured, the preprocessor list is filtered if detection is off.
* src/active.c: allow TCP RST response to segments w/o data

* src/dynamic-plugins/sf_engine/: sf_snort_detection_engine.c, sf_snort_plugin_api.c, sf_snort_plugin_api.h, sf_snort_plugin_byte.c, sf_snort_plugin_content.c, sf_snort_plugin_hdropts.c, sf_snort_plugin_pcre.c: Changed logic of option evaluations for SO rules that use a custom evaluation function to match that of the SO rule builtin logic when the NOT_FLAG is used.

* src/detection-plugins/: sp_flowbits.c, sp_flowbits.h: Use appropriate integer types and comparisons.

* src/preprocessors/HttpInspect/: client/hi_client.c, server/hi_server.c: fix win32 warnings

* src/: active.c, fpdetect.c, preprocessors/spp_stream5.c: don't enable active response unless configured

* src/: dynamic-plugins/sf_engine/sf_snort_packet.h, preprocessors/spp_stream5.c, file-process/file_service.c, decode.h: avoid logging incorrect file name/file size when multiple files within one packet.

* src/dynamic-preprocessors/dcerpc2/dce2_smb.c: Fix Win32 build warnings.

2012-09-20 Steven Sturges Snort 2.9.4 Beta

* configure.in, doc/snort_manual.pdf, src/parser.c, src/parser.h, src/sfdaq.h, src/snort.h, src/dynamic-preprocessors/sip/sip_dialog.c, src/preprocessors/spp_frag3.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/Stream5/snort_stream5_session.c, src/preprocessors/Stream5/snort_stream5_session.h, src/preprocessors/Stream5/stream5_common.h: Add use of address_space_id in stream & frag hash keys when DAQ provides it.

* src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, dynamic-preprocessors/smtp/snort_smtp.c, preprocessors/snort_httpinspect.c, preprocessors/Stream5/snort_stream5_tcp.c, sfutil/sf_email_attach_decode.h, win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp, win32/WIN32-Prj/snort.dsw: Fix a few Win32 warnings.
* src/preprocessors/Stream5/snort_stream5_tcp.c: ensure that the LWS policy matches that of the server (instead of the dest)

* COPYING, LICENSE, contrib/snortpp.c, doc/README, src/active.h, src/byte_extract.c, src/byte_extract.h, src/checksum.h, src/cpuclock.h, src/debug.c, src/decode.h, src/detect.c, src/detect.h, src/detection_filter.c, src/detection_filter.h, src/detection_util.c, src/detection_util.h, src/encode.c, src/encode.h, src/event.h, src/event_queue.c, src/event_queue.h, src/event_wrapper.c, src/event_wrapper.h, src/fpcreate.c, src/fpcreate.h, src/fpdetect.c, src/fpdetect.h, src/generators.h, src/idle_processing.c, src/idle_processing.h, src/idle_processing_funcs.h, src/ipv6_port.h, src/log.c, src/log.h, src/log_text.c, src/log_text.h, src/mempool.c, src/mempool.h, src/mstring.c, src/mstring.h, src/obfuscation.c, src/obfuscation.h, src/packet_time.c, src/packet_time.h, src/parser.c, src/parser.h, src/pcap_pkthdr32.h, src/pcrm.c, src/pcrm.h, src/plugbase.c, src/plugbase.h, src/plugin_enum.h, src/ppm.c, src/ppm.h, src/preprocids.h, src/profiler.c, src/profiler.h, src/rate_filter.c, src/rate_filter.h, src/rule_option_types.h, src/rules.h, src/sf_protocols.h, src/sf_sdlist.c, src/sf_sdlist.h, src/sf_sdlist_types.h, src/sf_types.h, src/sfdaq.c, src/sfdaq.h, src/sfthreshold.c, src/sfthreshold.h, src/signature.c, src/signature.h, src/snort.c, src/snort.h, src/snort_bounds.h, src/snort_debug.h, src/snprintf.c, src/snprintf.h, src/spo_plugbase.h, src/strlcatu.h, src/strlcpyu.h, src/tag.c, src/tag.h, src/treenodes.h, src/util.c, src/util.h, src/control/sfcontrol.c, src/control/sfcontrol.h, src/control/sfcontrol_funcs.h, src/detection-plugins/detection_options.h, src/detection-plugins/sp_asn1.c, src/detection-plugins/sp_asn1.h, src/detection-plugins/sp_asn1_detect.c, src/detection-plugins/sp_asn1_detect.h, src/detection-plugins/sp_base64_data.c, src/detection-plugins/sp_base64_data.h, src/detection-plugins/sp_base64_decode.c, 
src/detection-plugins/sp_base64_decode.h, src/detection-plugins/sp_byte_check.h, src/detection-plugins/sp_byte_extract.h, src/detection-plugins/sp_byte_jump.h, src/detection-plugins/sp_clientserver.c, src/detection-plugins/sp_clientserver.h, src/detection-plugins/sp_cvs.c, src/detection-plugins/sp_cvs.h, src/detection-plugins/sp_dsize_check.c, src/detection-plugins/sp_dsize_check.h, src/detection-plugins/sp_file_data.c, src/detection-plugins/sp_file_data.h, src/detection-plugins/sp_flowbits.c, src/detection-plugins/sp_flowbits.h, src/detection-plugins/sp_ftpbounce.c, src/detection-plugins/sp_ftpbounce.h, src/detection-plugins/sp_hdr_opt_wrap.c, src/detection-plugins/sp_hdr_opt_wrap.h, src/detection-plugins/sp_icmp_code_check.c, src/detection-plugins/sp_icmp_code_check.h, src/detection-plugins/sp_icmp_id_check.c, src/detection-plugins/sp_icmp_id_check.h, src/detection-plugins/sp_icmp_seq_check.c, src/detection-plugins/sp_icmp_seq_check.h, src/detection-plugins/sp_icmp_type_check.c, src/detection-plugins/sp_icmp_type_check.h, src/detection-plugins/sp_ip_fragbits.c, src/detection-plugins/sp_ip_fragbits.h, src/detection-plugins/sp_ip_id_check.c, src/detection-plugins/sp_ip_id_check.h, src/detection-plugins/sp_ip_proto.c, src/detection-plugins/sp_ip_proto.h, src/detection-plugins/sp_ip_same_check.c, src/detection-plugins/sp_ip_same_check.h, src/detection-plugins/sp_ip_tos_check.c, src/detection-plugins/sp_ip_tos_check.h, src/detection-plugins/sp_ipoption_check.c, src/detection-plugins/sp_ipoption_check.h, src/detection-plugins/sp_isdataat.c, src/detection-plugins/sp_isdataat.h, src/detection-plugins/sp_pattern_match.c, src/detection-plugins/sp_pattern_match.h, src/detection-plugins/sp_pcre.h, src/detection-plugins/sp_pkt_data.c, src/detection-plugins/sp_pkt_data.h, src/detection-plugins/sp_react.c, src/detection-plugins/sp_react.h, src/detection-plugins/sp_replace.c, src/detection-plugins/sp_replace.h, src/detection-plugins/sp_respond.h, 
src/detection-plugins/sp_respond3.c, src/detection-plugins/sp_rpc_check.c, src/detection-plugins/sp_rpc_check.h, src/detection-plugins/sp_session.c, src/detection-plugins/sp_session.h, src/detection-plugins/sp_tcp_ack_check.c, src/detection-plugins/sp_tcp_ack_check.h, src/detection-plugins/sp_tcp_flag_check.c, src/detection-plugins/sp_tcp_flag_check.h, src/detection-plugins/sp_tcp_seq_check.c, src/detection-plugins/sp_tcp_seq_check.h, src/detection-plugins/sp_tcp_win_check.c, src/detection-plugins/sp_tcp_win_check.h, src/detection-plugins/sp_ttl_check.c, src/detection-plugins/sp_ttl_check.h, src/detection-plugins/sp_urilen_check.c, src/detection-plugins/sp_urilen_check.h, src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h, src/dynamic-examples/dynamic-preprocessor/spp_example.c, src/dynamic-examples/dynamic-rule/detection_lib_meta.h, src/dynamic-examples/dynamic-rule/rules.c, src/dynamic-examples/dynamic-rule/sid109.c, src/dynamic-examples/dynamic-rule/sid637.c, src/dynamic-output/libs/output_lib.c, src/dynamic-output/plugins/output.h, src/dynamic-output/plugins/output_api.h, src/dynamic-output/plugins/output_base.c, src/dynamic-output/plugins/output_common.h, src/dynamic-output/plugins/output_lib.h, src/dynamic-output/plugins/output_plugin.c, src/dynamic-plugins/sf_convert_dynamic.h, src/dynamic-plugins/sf_dynamic_common.h, src/dynamic-plugins/sf_dynamic_define.h, src/dynamic-plugins/sf_dynamic_detection.h, src/dynamic-plugins/sf_dynamic_engine.h, src/dynamic-plugins/sf_dynamic_meta.h, src/dynamic-plugins/sp_dynamic.h, src/dynamic-plugins/sp_preprocopt.h, src/dynamic-plugins/sf_engine/bmh.c, src/dynamic-plugins/sf_engine/bmh.h, src/dynamic-plugins/sf_engine/sf_decompression.c, src/dynamic-plugins/sf_engine/sf_decompression.h, src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c, src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c, 
src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h, src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c, src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c, src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h, src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c, src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h, src/dynamic-plugins/sf_preproc_example/sf_preproc_info.h, src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.c, src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.h, src/dynamic-preprocessors/dcerpc2/dce2_cl.c, src/dynamic-preprocessors/dcerpc2/dce2_cl.h, src/dynamic-preprocessors/dcerpc2/dce2_co.c, src/dynamic-preprocessors/dcerpc2/dce2_co.h, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/dcerpc2/dce2_debug.c, src/dynamic-preprocessors/dcerpc2/dce2_debug.h, src/dynamic-preprocessors/dcerpc2/dce2_event.c, src/dynamic-preprocessors/dcerpc2/dce2_event.h, src/dynamic-preprocessors/dcerpc2/dce2_http.c, src/dynamic-preprocessors/dcerpc2/dce2_http.h, src/dynamic-preprocessors/dcerpc2/dce2_list.c, src/dynamic-preprocessors/dcerpc2/dce2_list.h, src/dynamic-preprocessors/dcerpc2/dce2_memory.c, src/dynamic-preprocessors/dcerpc2/dce2_memory.h, src/dynamic-preprocessors/dcerpc2/dce2_paf.c, src/dynamic-preprocessors/dcerpc2/dce2_paf.h, src/dynamic-preprocessors/dcerpc2/dce2_roptions.c, src/dynamic-preprocessors/dcerpc2/dce2_roptions.h, src/dynamic-preprocessors/dcerpc2/dce2_session.h, src/dynamic-preprocessors/dcerpc2/dce2_smb.h, src/dynamic-preprocessors/dcerpc2/dce2_stats.c, src/dynamic-preprocessors/dcerpc2/dce2_stats.h, 
src/dynamic-preprocessors/dcerpc2/dce2_tcp.c, src/dynamic-preprocessors/dcerpc2/dce2_tcp.h, src/dynamic-preprocessors/dcerpc2/dce2_udp.c, src/dynamic-preprocessors/dcerpc2/dce2_udp.h, src/dynamic-preprocessors/dcerpc2/dce2_utils.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.h, src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h, src/dynamic-preprocessors/dcerpc2/includes/smb.h, src/dynamic-preprocessors/dnp3/dnp3_map.h, src/dynamic-preprocessors/dnp3/dnp3_paf.c, src/dynamic-preprocessors/dnp3/dnp3_paf.h, src/dynamic-preprocessors/dnp3/dnp3_reassembly.c, src/dynamic-preprocessors/dnp3/dnp3_reassembly.h, src/dynamic-preprocessors/dnp3/dnp3_roptions.c, src/dynamic-preprocessors/dnp3/dnp3_roptions.h, src/dynamic-preprocessors/dnp3/spp_dnp3.c, src/dynamic-preprocessors/dnp3/spp_dnp3.h, src/dynamic-preprocessors/dns/spp_dns.c, src/dynamic-preprocessors/dns/spp_dns.h, src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c, src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h, src/dynamic-preprocessors/ftptelnet/ftp_client.h, src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c, src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h, src/dynamic-preprocessors/ftptelnet/ftp_server.h, src/dynamic-preprocessors/ftptelnet/ftpp_eo.h, src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h, src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c, src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h, src/dynamic-preprocessors/ftptelnet/ftpp_include.h, src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h, src/dynamic-preprocessors/ftptelnet/ftpp_si.c, src/dynamic-preprocessors/ftptelnet/ftpp_si.h, src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c, src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h, src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c, src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h, 
src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c, src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h, src/dynamic-preprocessors/ftptelnet/ftpp_util_kmap.h, src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c, src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h, src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c, src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/ftptelnet/pp_ftp.h, src/dynamic-preprocessors/ftptelnet/pp_telnet.c, src/dynamic-preprocessors/ftptelnet/pp_telnet.h, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h, src/dynamic-preprocessors/gtp/gtp_config.c, src/dynamic-preprocessors/gtp/gtp_config.h, src/dynamic-preprocessors/gtp/gtp_debug.h, src/dynamic-preprocessors/gtp/gtp_parser.c, src/dynamic-preprocessors/gtp/gtp_parser.h, src/dynamic-preprocessors/gtp/gtp_roptions.c, src/dynamic-preprocessors/gtp/gtp_roptions.h, src/dynamic-preprocessors/gtp/spp_gtp.c, src/dynamic-preprocessors/gtp/spp_gtp.h, src/dynamic-preprocessors/imap/imap_config.c, src/dynamic-preprocessors/imap/imap_config.h, src/dynamic-preprocessors/imap/imap_log.c, src/dynamic-preprocessors/imap/imap_log.h, src/dynamic-preprocessors/imap/imap_util.c, src/dynamic-preprocessors/imap/imap_util.h, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/imap/snort_imap.h, src/dynamic-preprocessors/imap/spp_imap.c, src/dynamic-preprocessors/imap/spp_imap.h, src/dynamic-preprocessors/isakmp/spp_isakmp.c, src/dynamic-preprocessors/isakmp/spp_isakmp.h, src/dynamic-preprocessors/libs/sf_preproc_info.h, src/dynamic-preprocessors/libs/sfcommon.h, src/dynamic-preprocessors/libs/sfparser.c, src/dynamic-preprocessors/libs/ssl.c, src/dynamic-preprocessors/libs/ssl.h, src/dynamic-preprocessors/modbus/modbus_decode.c, 
src/dynamic-preprocessors/modbus/modbus_decode.h, src/dynamic-preprocessors/modbus/modbus_paf.c, src/dynamic-preprocessors/modbus/modbus_paf.h, src/dynamic-preprocessors/modbus/modbus_roptions.c, src/dynamic-preprocessors/modbus/modbus_roptions.h, src/dynamic-preprocessors/modbus/spp_modbus.c, src/dynamic-preprocessors/modbus/spp_modbus.h, src/dynamic-preprocessors/pop/pop_config.c, src/dynamic-preprocessors/pop/pop_config.h, src/dynamic-preprocessors/pop/pop_log.c, src/dynamic-preprocessors/pop/pop_log.h, src/dynamic-preprocessors/pop/pop_util.c, src/dynamic-preprocessors/pop/pop_util.h, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/pop/snort_pop.h, src/dynamic-preprocessors/pop/spp_pop.c, src/dynamic-preprocessors/pop/spp_pop.h, src/dynamic-preprocessors/reputation/reputation_config.h, src/dynamic-preprocessors/reputation/reputation_debug.h, src/dynamic-preprocessors/reputation/reputation_utils.c, src/dynamic-preprocessors/reputation/reputation_utils.h, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/reputation/spp_reputation.h, src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c, src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h, src/dynamic-preprocessors/reputation/shmem/shmem_common.h, src/dynamic-preprocessors/reputation/shmem/shmem_config.c, src/dynamic-preprocessors/reputation/shmem/shmem_config.h, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h, src/dynamic-preprocessors/reputation/shmem/shmem_lib.c, src/dynamic-preprocessors/reputation/shmem/shmem_lib.h, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h, src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c, src/dynamic-preprocessors/sdf/sdf_credit_card.c, src/dynamic-preprocessors/sdf/sdf_credit_card.h, src/dynamic-preprocessors/sdf/sdf_detection_option.c, 
src/dynamic-preprocessors/sdf/sdf_detection_option.h, src/dynamic-preprocessors/sdf/sdf_pattern_match.c, src/dynamic-preprocessors/sdf/sdf_pattern_match.h, src/dynamic-preprocessors/sdf/sdf_us_ssn.c, src/dynamic-preprocessors/sdf/sdf_us_ssn.h, src/dynamic-preprocessors/sdf/spp_sdf.h, src/dynamic-preprocessors/sip/sip_config.h, src/dynamic-preprocessors/sip/sip_debug.h, src/dynamic-preprocessors/sip/sip_dialog.c, src/dynamic-preprocessors/sip/sip_dialog.h, src/dynamic-preprocessors/sip/sip_parser.c, src/dynamic-preprocessors/sip/sip_parser.h, src/dynamic-preprocessors/sip/sip_roptions.h, src/dynamic-preprocessors/sip/sip_utils.c, src/dynamic-preprocessors/sip/sip_utils.h, src/dynamic-preprocessors/sip/spp_sip.c, src/dynamic-preprocessors/sip/spp_sip.h, src/dynamic-preprocessors/sip/test/sip_test.c, src/dynamic-preprocessors/smtp/smtp_config.c, src/dynamic-preprocessors/smtp/smtp_config.h, src/dynamic-preprocessors/smtp/smtp_log.c, src/dynamic-preprocessors/smtp/smtp_log.h, src/dynamic-preprocessors/smtp/smtp_normalize.c, src/dynamic-preprocessors/smtp/smtp_normalize.h, src/dynamic-preprocessors/smtp/smtp_util.c, src/dynamic-preprocessors/smtp/smtp_util.h, src/dynamic-preprocessors/smtp/smtp_xlink2state.c, src/dynamic-preprocessors/smtp/smtp_xlink2state.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, src/dynamic-preprocessors/smtp/spp_smtp.h, src/dynamic-preprocessors/ssh/spp_ssh.c, src/dynamic-preprocessors/ssh/spp_ssh.h, src/dynamic-preprocessors/ssl/spp_ssl.c, src/dynamic-preprocessors/ssl/spp_ssl.h, src/output-plugins/spo_alert_fast.c, src/output-plugins/spo_alert_fast.h, src/output-plugins/spo_alert_full.c, src/output-plugins/spo_alert_full.h, src/output-plugins/spo_alert_sf_socket.c, src/output-plugins/spo_alert_sf_socket.h, src/output-plugins/spo_alert_syslog.c, src/output-plugins/spo_alert_syslog.h, src/output-plugins/spo_alert_test.c, src/output-plugins/spo_alert_test.h, src/output-plugins/spo_alert_unixsock.h, 
src/output-plugins/spo_csv.c, src/output-plugins/spo_csv.h, src/output-plugins/spo_log_ascii.c, src/output-plugins/spo_log_ascii.h, src/output-plugins/spo_log_null.c, src/output-plugins/spo_log_null.h, src/output-plugins/spo_log_tcpdump.c, src/output-plugins/spo_log_tcpdump.h, src/output-plugins/spo_unified.c, src/output-plugins/spo_unified.h, src/output-plugins/spo_unified2.c, src/output-plugins/spo_unified2.h, src/parser/IpAddrSet.c, src/parser/IpAddrSet.h, src/preprocessors/normalize.c, src/preprocessors/normalize.h, src/preprocessors/perf-base.c, src/preprocessors/perf-base.h, src/preprocessors/perf-event.c, src/preprocessors/perf-event.h, src/preprocessors/perf-flow.c, src/preprocessors/perf-flow.h, src/preprocessors/perf.c, src/preprocessors/perf.h, src/preprocessors/portscan.c, src/preprocessors/portscan.h, src/preprocessors/sfprocpidstats.c, src/preprocessors/sfprocpidstats.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_arpspoof.h, src/preprocessors/spp_bo.c, src/preprocessors/spp_bo.h, src/preprocessors/spp_frag3.c, src/preprocessors/spp_frag3.h, src/preprocessors/spp_httpinspect.h, src/preprocessors/spp_normalize.c, src/preprocessors/spp_normalize.h, src/preprocessors/spp_perfmonitor.h, src/preprocessors/spp_rpc_decode.c, src/preprocessors/spp_rpc_decode.h, src/preprocessors/spp_sfportscan.c, src/preprocessors/spp_sfportscan.h, src/preprocessors/spp_stream5.c, src/preprocessors/spp_stream5.h, src/preprocessors/str_search.c, src/preprocessors/str_search.h, src/preprocessors/stream_api.c, src/preprocessors/stream_api.h, src/preprocessors/stream_expect.c, src/preprocessors/stream_expect.h, src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c, src/preprocessors/HttpInspect/client/hi_client_norm.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_ad.h, src/preprocessors/HttpInspect/include/hi_client.h, 
src/preprocessors/HttpInspect/include/hi_client_norm.h, src/preprocessors/HttpInspect/include/hi_client_stateful.h, src/preprocessors/HttpInspect/include/hi_cmd_lookup.h, src/preprocessors/HttpInspect/include/hi_eo.h, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/include/hi_eo_log.h, src/preprocessors/HttpInspect/include/hi_include.h, src/preprocessors/HttpInspect/include/hi_mi.h, src/preprocessors/HttpInspect/include/hi_norm.h, src/preprocessors/HttpInspect/include/hi_paf.h, src/preprocessors/HttpInspect/include/hi_reqmethod_check.h, src/preprocessors/HttpInspect/include/hi_return_codes.h, src/preprocessors/HttpInspect/include/hi_server.h, src/preprocessors/HttpInspect/include/hi_server_norm.h, src/preprocessors/HttpInspect/include/hi_si.h, src/preprocessors/HttpInspect/include/hi_stateful_inspect.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h, src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h, src/preprocessors/HttpInspect/include/hi_uri.h, src/preprocessors/HttpInspect/include/hi_urilen_check.h, src/preprocessors/HttpInspect/include/hi_util.h, src/preprocessors/HttpInspect/include/hi_util_hbm.h, src/preprocessors/HttpInspect/include/hi_util_kmap.h, src/preprocessors/HttpInspect/include/hi_util_xmalloc.h, src/preprocessors/HttpInspect/mode_inspection/hi_mi.c, src/preprocessors/HttpInspect/normalization/hi_norm.c, src/preprocessors/HttpInspect/server/hi_server_norm.c, src/preprocessors/HttpInspect/session_inspection/hi_si.c, src/preprocessors/HttpInspect/user_interface/hi_ui_config.c, src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c, src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c, src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/HttpInspect/utils/hi_util_hbm.c, src/preprocessors/HttpInspect/utils/hi_util_kmap.c, 
src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c, src/preprocessors/Stream5/snort_stream5_icmp.c, src/preprocessors/Stream5/snort_stream5_icmp.h, src/preprocessors/Stream5/snort_stream5_ip.c, src/preprocessors/Stream5/snort_stream5_ip.h, src/preprocessors/Stream5/snort_stream5_session.c, src/preprocessors/Stream5/snort_stream5_session.h, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/snort_stream5_tcp.h, src/preprocessors/Stream5/snort_stream5_udp.c, src/preprocessors/Stream5/snort_stream5_udp.h, src/preprocessors/Stream5/stream5_common.c, src/preprocessors/Stream5/stream5_common.h, src/preprocessors/Stream5/stream5_paf.c, src/preprocessors/Stream5/stream5_paf.h, src/sfutil/Unified2_common.h, src/sfutil/acsmx.c, src/sfutil/acsmx.h, src/sfutil/acsmx2.h, src/sfutil/asn1.c, src/sfutil/asn1.h, src/sfutil/bitop.h, src/sfutil/bitop_funcs.h, src/sfutil/bnfa_search.h, src/sfutil/getopt.h, src/sfutil/intel-soft-cpm.c, src/sfutil/intel-soft-cpm.h, src/sfutil/ipobj.c, src/sfutil/ipobj.h, src/sfutil/mpse.c, src/sfutil/segment_mem.c, src/sfutil/segment_mem.h, src/sfutil/sfActionQueue.c, src/sfutil/sfActionQueue.h, src/sfutil/sfPolicy.c, src/sfutil/sfPolicy.h, src/sfutil/sfPolicyUserData.c, src/sfutil/sfPolicyUserData.h, src/sfutil/sf_base64decode.c, src/sfutil/sf_base64decode.h, src/sfutil/sf_email_attach_decode.c, src/sfutil/sf_email_attach_decode.h, src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sf_iph.h, src/sfutil/sf_ipvar.c, src/sfutil/sf_ipvar.h, src/sfutil/sf_seqnums.h, src/sfutil/sf_textlog.c, src/sfutil/sf_textlog.h, src/sfutil/sf_vartable.c, src/sfutil/sf_vartable.h, src/sfutil/sfeventq.c, src/sfutil/sfeventq.h, src/sfutil/sfghash.c, src/sfutil/sfghash.h, src/sfutil/sfhashfcn.c, src/sfutil/sfhashfcn.h, src/sfutil/sfksearch.c, src/sfutil/sfksearch.h, src/sfutil/sflsq.c, src/sfutil/sflsq.h, src/sfutil/sfmemcap.c, src/sfutil/sfmemcap.h, src/sfutil/sfportobject.c, src/sfutil/sfportobject.h, src/sfutil/sfprimetable.c, 
src/sfutil/sfprimetable.h, src/sfutil/sfrf.c, src/sfutil/sfrf.h, src/sfutil/sfrim.c, src/sfutil/sfrt.c, src/sfutil/sfrt.h, src/sfutil/sfrt_dir.c, src/sfutil/sfrt_dir.h, src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c, src/sfutil/sfrt_flat_dir.h, src/sfutil/sfrt_lctrie.c, src/sfutil/sfrt_lctrie.h, src/sfutil/sfrt_trie.h, src/sfutil/sfsnprintfappend.c, src/sfutil/sfsnprintfappend.h, src/sfutil/sfthd.c, src/sfutil/sfthd.h, src/sfutil/sfxhash.c, src/sfutil/sfxhash.h, src/sfutil/strvec.c, src/sfutil/strvec.h, src/sfutil/util_jsnorm.c, src/sfutil/util_jsnorm.h, src/sfutil/util_math.c, src/sfutil/util_math.h, src/sfutil/util_net.c, src/sfutil/util_net.h, src/sfutil/util_str.c, src/sfutil/util_str.h, src/sfutil/util_unfold.c, src/sfutil/util_unfold.h, src/sfutil/util_utf.c, src/sfutil/util_utf.h, src/sfutil/test/sf_ip_test.c, src/sfutil/test/sfrf_test.c, src/sfutil/test/sfrt_test.c, src/sfutil/test/sfthd_test.c, src/sfutil/test/unit_hacks.c, src/sfutil/test/unit_hacks.h, src/target-based/sf_attribute_table.y, src/target-based/sftarget_hostentry.c, src/target-based/sftarget_hostentry.h, src/target-based/sftarget_protocol_reference.c, src/target-based/sftarget_protocol_reference.h, src/target-based/sftarget_reader.c, src/target-based/sftarget_reader.h, src/win32/WIN32-Code/getopt.c, src/win32/WIN32-Code/inet_aton.c, src/win32/WIN32-Code/misc.c, src/win32/WIN32-Code/name.h, src/win32/WIN32-Code/win32_service.c, src/win32/WIN32-Includes/config.h, src/win32/WIN32-Includes/getopt.h, src/win32/WIN32-Includes/inttypes.h, src/win32/WIN32-Includes/stdint.h, src/win32/WIN32-Includes/WinPCAP/pthread.h, src/win32/WIN32-Includes/WinPCAP/sched.h, src/win32/WIN32-Includes/WinPCAP/semaphore.h, tools/control/sfcontrol.c, tools/u2boat/u2boat.c, tools/u2boat/u2boat.h, tools/u2spewfoo/u2spewfoo.c: Updated the address of the Free Software Foundation. * src/dynamic-preprocessors/dnp3/spp_dnp3.c: Check default config before dereferencing memcap. 
* src/preprocessors/Stream5/snort_stream5_tcp.c: fix handling of gaps in PAF. * src/dynamic-preprocessors/smtp/: smtp_util.c, snort_smtp.c, snort_smtp.h: get individual file names for multiple file attachments within one smtp packet * src/dynamic-output/plugins/output_plugin.c: Don't change vlanId into network byte order in the dynamic output API. * src/dynamic-preprocessors/imap/: snort_imap.c, snort_imap.h: Add a flag to indicate end of MIME to avoid incorrect data end marker * src/sfutil/sf_email_attach_decode.h: change decode length calculation when file depth is larger than max int * src/: preprocessors/HttpInspect/include/hi_paf.h, sfutil/sf_email_attach_decode.h, preprocessors/HttpInspect/utils/hi_paf.c: auto enable http ports when file policy is enabled * src/sfutil/sfthd.c: Global thresholds can be disabled with count -1. * src/sfutil/sfthd.c: allow gen_id 0 sig_id 0 and gen_id X sig_id 0 together * src/: decode.h, preprocessors/snort_httpinspect.c: file data is only valid with PAF processing * src/preprocessors/Stream5/snort_stream5_tcp.c: don't flag missing packets when PAF flushing to allow better recovery from gaps * src/dynamic-preprocessors/: smtp/smtp_config.c, imap/imap_config.c, imap/spp_imap.c, pop/pop_config.c, pop/spp_pop.c: Enable file data configurations for preprocessors when file processing is enabled * src/preprocessors/Stream5/snort_stream5_tcp.c: fixed check for hole in seglist while PAF scanning * src/: snort.c, dynamic-examples/Makefile.am, dynamic-plugins/Makefile.am, dynamic-preprocessors/Makefile.am, dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, preprocessors/spp_stream5.c, target-based/Makefile.am, target-based/sftarget_reader.c, target-based/sftarget_reader.h: Add an API call to add a service to a host in the attribute table. Remove the unused live attribute table code. 
* doc/README.ppm, doc/snort_manual.tex, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/detect.c, src/generators.h, src/parser.c, src/ppm.c, src/ppm.h: added 134:3 and IPs and ports to log messages for PPM packet events
* src/snort.c: force drop TCP/UDP now gets DAQ blocklist instead of DAQ block verdict
* doc/README.stream5, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/generators.h, src/preprocessors/Stream5/snort_stream5_tcp.c: add 129:20 for midstream traffic we don't pick up.
* src/preprocessors/Stream5/snort_stream5_tcp.c: fix normalize_tcp to not block duplicate SYNs
* src/parser.c, src/snort.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/snort.h, src/dynamic-preprocessors/smtp/smtp_config.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/imap/imap_config.h, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/imap/spp_imap.c, src/dynamic-preprocessors/pop/pop_config.h, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/pop/spp_pop.c, src/sfutil/sf_email_attach_decode.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, configure.in, src/detection-plugins/sp_file_data.c: file_depth integration, openssl integration, reload configuration
* src/dynamic-preprocessors/: libs/ssl.c, libs/ssl.h, ssl/spp_ssl.c: Add SSLv3/TLS backwards compatibility with SSLv2 ClientHello in the ssl preprocessor.
* src/: preprocessors/snort_httpinspect.c, src/dynamic-preprocessors/: imap/snort_imap.c, pop/snort_pop.c, smtp/snort_smtp.c: add file type id support for HTTP post, smtp, imap, and pop
* src/: snort_debug.h, control/sfcontrol.c, preprocessors/Stream5/snort_stream5_tcp.c: Do not delete application session data on last ACK.
* src/output-plugins/spo_unified.c: Add deprecated warning for unified output plugin.
* src/decode.h: Add support for decoding PPP type 0x57 (IPv6) for PPPoE * src/Makefile.am, src/generators.h, src/parser.c, src/parser.h, src/preprocids.h, src/snort.c, src/snort_debug.h, configure.in, src/dynamic-preprocessors/Makefile.am, src/preprocessors/snort_httpinspect.c, src/detection-plugins/sp_file_data.c, src/dynamic-examples/Makefile.am: add file type identification and file signature sha256 calculation for HTTP. * src/: util.c, dynamic-preprocessors/dcerpc2/spp_dce2.c, dynamic-preprocessors/dnp3/spp_dnp3.c, dynamic-preprocessors/dns/spp_dns.c, dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, dynamic-preprocessors/gtp/spp_gtp.c, dynamic-preprocessors/imap/spp_imap.c, dynamic-preprocessors/isakmp/spp_isakmp.c, dynamic-preprocessors/modbus/spp_modbus.c, dynamic-preprocessors/pop/spp_pop.c, dynamic-preprocessors/reputation/spp_reputation.c, dynamic-preprocessors/sip/spp_sip.c, dynamic-preprocessors/ssh/spp_ssh.c, dynamic-preprocessors/ssl/spp_ssl.c: Remove IPv6 tag from snort -V * configure.in, doc/README.ipv6, doc/README.unified2, doc/README.variables, doc/snort_manual.tex, src/decode.h, src/detect.c, src/detect.h, src/encode.c, src/fpdetect.c, src/ipv6_port.h, src/log.c, src/log_text.c, src/parser.c, src/sf_protocols.h, src/snort.c, src/snort.h, src/tag.c, src/util.c, src/util.h, src/detection-plugins/sp_ftpbounce.c, src/detection-plugins/sp_icmp_id_check.c, src/detection-plugins/sp_icmp_seq_check.c, src/detection-plugins/sp_ip_same_check.c, src/detection-plugins/sp_session.c, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-preprocessors/dynamic_preprocessors.dsp, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dnp3/sf_dnp3.dsp, src/dynamic-preprocessors/dnp3/spp_dnp3.c, src/dynamic-preprocessors/dns/sf_dns.dsp, src/dynamic-preprocessors/dns/spp_dns.c, 
src/dynamic-preprocessors/ftptelnet/ftpp_si.c, src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c, src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c, src/dynamic-preprocessors/ftptelnet/pp_ftp.c, src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c, src/dynamic-preprocessors/gtp/sf_gtp.dsp, src/dynamic-preprocessors/gtp/spp_gtp.c, src/dynamic-preprocessors/imap/sf_imap.dsp, src/dynamic-preprocessors/imap/spp_imap.c, src/dynamic-preprocessors/isakmp/spp_isakmp.c, src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp, src/dynamic-preprocessors/modbus/sf_modbus.dsp, src/dynamic-preprocessors/modbus/spp_modbus.c, src/dynamic-preprocessors/pop/sf_pop.dsp, src/dynamic-preprocessors/pop/spp_pop.c, src/dynamic-preprocessors/reputation/sf_reputation.dsp, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/sdf/sf_sdf.dsp, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, src/dynamic-preprocessors/sip/sf_sip.dsp, src/dynamic-preprocessors/sip/sip_dialog.c, src/dynamic-preprocessors/sip/spp_sip.c, src/dynamic-preprocessors/smtp/sf_smtp.dsp, src/dynamic-preprocessors/ssh/sf_ssh.dsp, src/dynamic-preprocessors/ssh/spp_ssh.c, src/dynamic-preprocessors/ssl/sf_ssl.dsp, src/dynamic-preprocessors/ssl/spp_ssl.c, src/output-plugins/spo_alert_sf_socket.c, src/output-plugins/spo_log_ascii.c, src/output-plugins/spo_unified2.c, src/parser/IpAddrSet.c, src/parser/IpAddrSet.h, src/preprocessors/normalize.c, src/preprocessors/perf-base.c, src/preprocessors/perf-base.h, src/preprocessors/perf-flow.c, src/preprocessors/portscan.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_frag3.c, src/preprocessors/spp_normalize.c, src/preprocessors/spp_normalize.h, src/preprocessors/spp_sfportscan.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_expect.c, 
src/preprocessors/HttpInspect/session_inspection/hi_si.c, src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c, src/preprocessors/Stream5/snort_stream5_icmp.c, src/preprocessors/Stream5/snort_stream5_session.c, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/snort_stream5_udp.c, src/preprocessors/Stream5/stream5_common.c, src/preprocessors/Stream5/stream5_common.h, src/sfutil/ipobj.c, src/sfutil/ipobj.h, src/sfutil/sfPolicy.c, src/sfutil/sf_ip.h, src/sfutil/sf_iph.h, src/sfutil/sf_ipvar.h, src/sfutil/sfrf.c, src/sfutil/sfrt.c, src/sfutil/sfrt.h, src/sfutil/sfrt_dir.c, src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c, src/sfutil/sfthd.c, src/sfutil/util_net.c, src/sfutil/util_net.h, src/sfutil/test/Makefile.am, src/sfutil/test/sfrf_test.c, src/sfutil/test/sfthd_test.c, src/sfutil/test/unit_hacks.c, src/sfutil/test/unit_hacks.h, src/target-based/sf_attribute_table.y, src/target-based/sftarget_reader.c, src/target-based/sftarget_reader.h, src/win32/WIN32-Prj/build_all.dsp, src/win32/WIN32-Prj/sf_engine.dsp, src/win32/WIN32-Prj/sf_engine_initialize.dsp, src/win32/WIN32-Prj/snort.dsp, src/win32/WIN32-Prj/snort_initialize.dsp, src/win32/WIN32-Prj/snort_installer.nsi: Remove IPv4 only code paths

2012-07-30 Hui Cao Snort 2.9.3.1

* src/build.h: Updated build number to 40
* src/sfutil/acsmx2.c: Release memory during return.
* src/dynamic-preprocessors/sip/sip_config.c: Free method struct when method->methodName is NULL.
* src/: detection-plugins/detection_options.c, detection-plugins/sp_byte_check.c, detection-plugins/sp_byte_extract.c, detection-plugins/sp_byte_jump.c, dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_preprocopt.c: Fix constant expression in hashing routines for 64bit platforms.
* src/dynamic-preprocessors/dcerpc2/dce2_smb.c: Fix Samba chained OpenAndX -> Write command handling.
* src/active.c: Check for TCP RST flag regardless of other flags to block resetting resets.
* src/: active.c, decode.c, detection-plugins/sp_pcre.c, dynamic-plugins/sf_convert_dynamic.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sp_dynamic.c, dynamic-preprocessors/dnp3/dnp3_map.c, dynamic-preprocessors/reputation/reputation_config.c, dynamic-preprocessors/sdf/spp_sdf.c, dynamic-preprocessors/sip/sip_config.c, dynamic-preprocessors/sip/sip_roptions.c, dynamic-preprocessors/smtp/spp_smtp.c, output-plugins/spo_alert_unixsock.c, preprocessors/spp_httpinspect.c, preprocessors/spp_perfmonitor.c, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/server/hi_server.c, sfutil/bnfa_search.c, sfutil/sf_iph.c, target-based/sf_attribute_table_parser.l: Parse time memory cleanup
* src/dynamic-preprocessors/dcerpc2/dce2_utils.h: Fixed issue on big endian systems where behaviour was incorrect.

2012-07-10 Todd Wease Snort 2.9.3

* src/build.h: Updated build number to 37
* src/preprocessors/HttpInspect/server/hi_server.c: When paf is turned on, the flow depth on raw packets should be checking if max_seq was set.
* src/preprocessors/HttpInspect/client/hi_client.c: Rearranged check in hi_client_extract_header() to stop processing when there is no more data.
* src/dynamic-preprocessors/smtp/: smtp_util.c, snort_smtp.c: Clear flags for filename logging if there are no ending quotes for MIME attachment filename. Thanks to Rick Chisholm for helping us track down the issue.
* doc/CREDITS: Update rmkml's email address.
* src/preprocessors/: snort_httpinspect.h, HttpInspect/server/hi_server.c: Fix application of flow_depth for transfers of files over 2GB.

2012-06-06 Russ Combs Snort 2.9.3 RC

* src/build.h: updating build number to 33
* src/: checksum.h, decode.c, encode.c: Dropped dnets checksumming functionality.
* src/: decode.h, encode.c, dynamic-plugins/sf_engine/sf_snort_packet.h: Remove unused policyEngineData.
* src/preprocessors/: Stream5/snort_stream5_tcp.c, HttpInspect/utils/hi_paf.c: Need to check for NULL since a timeout can release proto specific data. Fix mid-stream pickup sequence tracking.
* src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h, HttpInspect/server/hi_server.c: Apply server flow depth to session when PAF is turned on.
* src/preprocessors/Stream5/: snort_stream5_session.c, stream5_common.h: Change SessionKey to a SessionKey pointer.
* src/dynamic-output/plugins/: output_lib.h, output_plugin.c: Add dynamic output API for DAQ interface mode.
* src/: dynamic-output/plugins/output_base.c, plugbase.c, spo_plugbase.h: Remove older output plugin when new one is available.
* src/dynamic-plugins/: sf_dynamic_plugins.c, sf_engine/sf_snort_detection_engine.c: Force exact versioning match of running dynamic engine and dynamic engine used to build SO rules.
* src/: sfdaq.c, sfdaq.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h: Add API for checking whether DAQ can allowlist.
* src/: parser.c, parser.h, snort.c: Added config disable-attribute-reload-thread to snort.conf. Snort now provides snort.conf(line #) on errors during parsing.
* src/: parser.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_pattern_match.h: Warn users when rules contain relative options off of fast_pattern:only content matches.
* src/dynamic-preprocessors/sdf/spp_sdf.c: SDF now only looks at rebuilt packets.
* src/control/sfcontrol.c, src/dynamic-preprocessors/reputation/reputation_config.c, src/dynamic-preprocessors/reputation/reputation_config.h, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/reputation/spp_reputation.h, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h, tools/control/sfcontrol.c: Add ability to query reputation pp with control socket. User can now query reputation pp for routing table and management information.
Fixed bug to prevent IP Reputation from trying to allocate too much memory.
* doc/: Makefile.am, README.unified2, snort_manual.tex: Add README.unified2 to Makefile.am. Add documentation for unified2 file format. Add smb_fingerprint_policy documentation to snort manual.
* src/preprocessors/Stream5/stream5_paf.c: Ensure PAF is configured on reload the same as it was on restart.
* src/preprocessors/spp_stream5.c: Fix stream5 issue on reload where it wasn't validating or registering preprocessor function when new policy is added.
* configure.in, doc/INSTALL, doc/README.decoder_preproc_rules, doc/snort_manual.pdf, doc/snort_manual.tex, etc/snort.conf, rpm/snort.spec, src/event_queue.c, src/event_queue.h, src/event_wrapper.c, src/fpcreate.c, src/fpcreate.h, src/fpdetect.c, src/fpdetect.h, src/parser.c, src/parser.h, src/ppm.c, src/signature.h, src/snort.h, src/detection-plugins/detection_options.c, src/detection-plugins/detection_options.h, src/preprocessors/spp_frag3.c, src/sfutil/sfeventq.c, src/sfutil/sfeventq.h, src/win32/WIN32-Prj/snort.dsp: Removed --enable-decoder-preprocessor-rules configure option and hardened preprocessor and decoder rule event code. To enable old behavior such that specific preprocessor and decoder rules don't have to be explicitly added to snort.conf, add "config autogenerate_preprocessor_decoder_rules" to your snort.conf.
* src/: profiler.h, dynamic-output/plugins/output_lib.h, dynamic-plugins/sf_dynamic_preprocessor.h, sfutil/sfPolicy.h, sfutil/sf_ip.h: Added a function, sfip_fast_equals_raw, that does the minimum needed to determine if 2 IPs are equal. Added profiler macros that allow for unique variable names. Moved GetPolicyFunc definition to sfPolicy.h.
* src/: snort.c, detection-plugins/sp_flowbits.c, detection-plugins/sp_flowbits.h, dynamic-plugins/sp_dynamic.c: Fix flowbit group toggle. Fix issue with SO rules that reuse a flowbits structure when all stubs aren't enabled.
* src/dynamic-preprocessors/smtp/: smtp_config.c, snort_smtp.c, snort_smtp.h, spp_smtp.c: SMTP PP now only allocates its mempools 1 time. Fix build on legacy systems that don't support c99 declarations. Fix memory leak on reload.
* src/: detect.c, ppm.c: Fix PPM when PPM rules are dynamically generated and there are multiple policies.

2012-04-26 Russ Combs Snort 2.9.3 Beta

* src/build.h: Updating build number to 22.
* src/: snort.c, control/sfcontrol.c: Stop daq before tearing down control socket and freeing idle processors.
* src/control/sfcontrol.c, src/control/sfcontrol.h, tools/control/sfcontrol.c:
  - Return the correct codes with responses.
  - Use macros to define the codes.
  - Update the client to receive multiple status (0x0009) messages followed by a success or error message.
* doc/snort_manual.tex, src/preprocessors/Stream5/snort_stream5_session.c, src/preprocessors/Stream5/stream5_common.h, src/preprocessors/spp_stream5.c, src/detection-plugins/sp_flowbits.c, src/detection-plugins/sp_flowbits.h, src/parser.c, src/snort.h:
  - Flowbits can belong to multiple groups.
  - Restrict the syntax of flowbit name and group names to alphanumeric string including periods, dashes, and underscores.
  - Changed the maximal flowbit size to be 2048.
  - Changes the error syntax when maximum number of flowbit ID exceeds allowed value.
  - Thanks to Cees for providing information about the size bug.
* src/: preprocessors/spp_stream5.c, preprocessors/stream_api.h, dynamic-preprocessors/sip/sip_dialog.c: Ignore sessions already started through updated stream API.
* src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h, tools/u2spewfoo/u2spewfoo.c:
  - Remove *_NG logging from Unified2.
  - Snort unified2 doesn't log to *_NG formats anymore.
* src/tag.c: Fix compiler warning on FreeBSD in mis-matched format string.
* src/preprocessors/spp_arpspoof.c:
  - Fix handling when arpspoof_detect_host was set without arpspoof.
- Fix compiler warnings on FreeBSD by utilizing modern ip6 code. - Verify snort works correctly, and doesn't cause warnings on FreeBSD. * src/: detection-plugins/Makefile.am, dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c: Remove unnecessary cruft. * src/output-plugins/spo_alert_unixsock.c: Don't rely on UNIX_PATH_MAX value being 108. * src/: active.c, encode.c, encode.h: Force drop/resets resulting in ICMP unreachables will have the code for administratively prohibited while ips ICMP unreachables remain port unreachable. * src/dynamic-output/: dynamic_output.dsp Makefile.am, src/dynamic-output/libs: Makefile.am output_lib.c snort_output.pc.in, src/dynamic-output/plugins: Makefile.am output_api.h output_base.c, output_common.h output.h output_lib.h output_plugin.c Added dynamic output plugin support. * configure.in, snort.8, contrib/Makefile.am, contrib/README, contrib/create_mssql, contrib/create_mysql, contrib/create_oracle.sql, contrib/create_postgresql, contrib/mysql.php3, contrib/pgsql.php3, contrib/snortdb-extra.gz, doc/INSTALL, doc/Makefile.am, doc/README.ARUBA, doc/README.database, doc/faq.tex, doc/snort_manual.tex, etc/snort.conf, m4/Makefile.am, m4/libprelude.m4, rpm/snort.spec, src/plugbase.c, src/snort.c, src/snort.h, src/output-plugins/Makefile.am, src/plugins/output_base.c, plugins/output_lib.h, src/plugins/output_plugin.c, src/output-plugins/spo_alert_arubaaction.c, src/output-plugins/spo_alert_arubaaction.h, src/output-plugins/spo_alert_prelude.c, src/output-plugins/spo_alert_prelude.h, src/output-plugins/spo_database.c, src/output-plugins/spo_database.h, src/win32/Makefile.am, src/win32/WIN32-Prj/snort_installer.nsi, win32/WIN32-Prj/snort.dsp, win32/WIN32-Prj/snort.dsw: win32/WIN32-Prj/snort_installer.nsi, win32/WIN32-Prj/snort_installer_options.ini: Remove deprecated output plugins aruba, prelude, mysql, oracle and mssql from Snort. 
* src/detection-plugins/sp_flowbits.c, src/detection-plugins/sp_flowbits.h, src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c, src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h, src/snort_debug.h, src/dynamic-plugins/sf_convert_dynamic.c, src/dynamic-plugins/sf_dynamic_engine.h, src/dynamic-plugins/sp_dynamic.c, src/dynamic-plugins/sp_dynamic.h, doc/README.flowbits, doc/snort_manual.tex, doc/snort_manual.pdf: Flowbit OR feature. Fixed the so_rules check issue and also the so stub file generated.
* doc/README.SMTP, doc/README.imap, doc/README.pop, doc/snort_manual.tex, etc/gen-msg.map, src/dynamic-preprocessors/imap/imap_config.c, src/dynamic-preprocessors/imap/imap_log.h, src/dynamic-preprocessors/imap/imap_util.c, src/dynamic-preprocessors/imap/imap_util.h, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/pop_config.c, src/dynamic-preprocessors/pop/pop_log.h, src/dynamic-preprocessors/pop/pop_util.c, src/dynamic-preprocessors/pop/pop_util.h, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/smtp_config.c, src/dynamic-preprocessors/smtp/smtp_log.h, src/dynamic-preprocessors/smtp/smtp_util.c, src/dynamic-preprocessors/smtp/smtp_util.h, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/spp_smtp.c:
  - SMTP/IMAP/POP will now extract non-encoded attachments when content-type MIME headers are present.
  - SMTP will not decode when ignore_data is present.
  - Content-Transfer-Encoding should take precedence over Content-Type.
  - Content-type should first check if boundary in non MIME header state.
  - Fix SMTP stat msg.
* doc/README.http_inspect, doc/faq.pdf, doc/snort_manual.pdf, doc/snort_manual.tex, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_httpinspect.c, src/preprocessors/HttpInspect/server/hi_server.c: Update http_inspect decompression to not allocate compress/decompress buffers per session. * src/preprocessors/HttpInspect/normalization/hi_norm.c: - Fix the handling of % encoded ?. HI no longer treats % encoded ? as start of query string. * src/preprocessors/HttpInspect/: include/hi_paf.h, utils/hi_paf.c: Provide access method for HI main to handle simple responses. * src/preprocessors/HttpInspect/: server/hi_server.c, client/hi_client.c: - Fix extraction of Transfer-Encoding header. - Handle chunk extensions when de-chunking. - Fix handling of packets beyond flow depth when PAF is turned on. - Add code to handle simple responses and not generate false positive. * src/dynamic-plugins/sf_engine/sf_snort_packet.h: Frag related fixes: - Check ip6 extension order on frags, including inner on first frag. - Added 116:458 for no offset and no more. - Added 116:459 for frag w/o data. * src/: decode.c, decode.h: - Properly decode pflog version 4. - Salutations to Ryan McBride for the pflog v4 patch. * src/dynamic-preprocessors/sip/sip_parser.c: Add compact form support of VIA header to SIP. * src/dynamic-preprocessors/ftptelnet/pp_telnet.c: Don't presume 3 bytes of junk in a telnet stream is encryption unless midstream pickup. * src/: fpdetect.c, pcrm.c, pcrm.h: Process any->any rules even when a service matches in the attribute table * src/preprocessors/spp_frag3.c: - Drop bad fragments BEFORE inserting them into tracker. - Ensure that all fragments are dropped in inline mode when the first fragment is bad. * src/target-based/sftarget_reader_live.c: - Initialize the value of ret and fix some obscure formatting. - Thanks to William Parker for notifying us. * src/: debug.c, snort.c: Fix placement of int error to avoid warning. 
* doc/README.dcerpc2, doc/faq.pdf, doc/snort_manual.pdf, doc/snort_manual.tex, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/generators.h, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/dcerpc2/dce2_cl.c, src/dynamic-preprocessors/dcerpc2/dce2_co.c, src/dynamic-preprocessors/dcerpc2/dce2_co.h, src/dynamic-preprocessors/dcerpc2/dce2_config.c, src/dynamic-preprocessors/dcerpc2/dce2_config.h, src/dynamic-preprocessors/dcerpc2/dce2_debug.h, src/dynamic-preprocessors/dcerpc2/dce2_event.c, src/dynamic-preprocessors/dcerpc2/dce2_event.h, src/dynamic-preprocessors/dcerpc2/dce2_http.c, src/dynamic-preprocessors/dcerpc2/dce2_list.c, src/dynamic-preprocessors/dcerpc2/dce2_list.h, src/dynamic-preprocessors/dcerpc2/dce2_memory.c, src/dynamic-preprocessors/dcerpc2/dce2_memory.h, src/dynamic-preprocessors/dcerpc2/dce2_paf.c, src/dynamic-preprocessors/dcerpc2/dce2_roptions.c, src/dynamic-preprocessors/dcerpc2/dce2_session.h, src/dynamic-preprocessors/dcerpc2/dce2_smb.c, src/dynamic-preprocessors/dcerpc2/dce2_smb.h, src/dynamic-preprocessors/dcerpc2/dce2_stats.h, src/dynamic-preprocessors/dcerpc2/dce2_tcp.c, src/dynamic-preprocessors/dcerpc2/dce2_tcp.h, src/dynamic-preprocessors/dcerpc2/dce2_udp.c, src/dynamic-preprocessors/dcerpc2/dce2_utils.c, src/dynamic-preprocessors/dcerpc2/dce2_utils.h, src/dynamic-preprocessors/dcerpc2/snort_dce2.c, src/dynamic-preprocessors/dcerpc2/snort_dce2.h, src/dynamic-preprocessors/dcerpc2/spp_dce2.c, src/dynamic-preprocessors/dcerpc2/spp_dce2.h, src/dynamic-preprocessors/dcerpc2/includes/smb.h, src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, src/sfutil/Makefile.am, src/sfutil/sf_seqnums.h, src/win32/WIN32-Prj/snort.dsp: Update SMB request/response handling to handle server to client evasions where SMB header values aren't echoed in response. - Add support for SMB_COM_WRITE_ANDX "raw" mode. 
- Add support for additional commands for opening, reading from and writing to SMB named pipes - Update handling of SMB_COM_WRITE_RAW. - Add global configuration option for determining Windows/Samba policy on a per session basis and new preprocessor events. - Add tracking of named pipe state - byte or message mode. - Update SMB_COM_TRANSACTION handling to better support out of order displacements and parameters. - Updates to SMB ByteCount, data offset and data length handling. - Update for Transaction error, where Samba throws out transaction on error and correct data offset passed in to function. - Don't set dcerpc2 rule options and stop processing dcerpc data when server response indicates encrypted packet privacy. - Fix dcerpc2 PAF when target based is enabled to not abort if protocol undefined. - Added processing of chained SMB_COM_WRITE_ANDXs for Samba policies. * src/preprocessors/Stream5/snort_stream5_tcp.c: - Correctly log TCP segments to unified2 when there are multiple alerts on the same reassembled packet. - Purge after flush at session shutdown to avoid reprocessing it when the cache is freed causing strange dce2 alerts. * configure.in: If pkg-config macros do not exist then configure script would be invalid. If it does not exist define a macro that does nothing and continue. * configure.in, src/debug.c, src/decode.c, src/log.c, src/parser.c, src/snort_debug.h, src/util.c, src/dynamic-preprocessors/dnp3/spp_dnp3.c, src/dynamic-preprocessors/libs/ssl.c, src/dynamic-preprocessors/modbus/spp_modbus.c, src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, tools/u2boat/u2boat.c, tools/u2spewfoo/u2spewfoo.c: Fix compilation warnings. * src/snort.c: Check return of DAQ_Acquire in failopen thread see description. * src/dynamic-preprocessors/reputation/shmem/: shmem_config.h, shmem_mgmt.c, shmem_mgmt.h, src/sfutil/sfrt_flat_dir.c: - Disable timeout for shared memory readers. - Readers and writer updates their own active flags. 
  - Update the entry value along with length update.

* src/Makefile.am, src/decode.h, src/parser.c, src/parser.h, src/snort.c, src/snort.h, src/dynamic-preprocessors/reputation/reputation_config.c, src/dynamic-preprocessors/reputation/reputation_config.h, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/reputation/spp_reputation.h, src/dynamic-preprocessors/reputation/shmem/shmem_common.h, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h, src/dynamic-output/libs/Makefile.am, src/dynamic-output/libs/output_lib.c, configure.in, src/sfutil/sfrt.h, src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c, src/sfutil/sfrt_flat_dir.h, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
  - Reputation preprocessor updates to support zones and handle ingress/egress groups and zone zero.
  - Enforce default policy for reputation preprocessor.
  - Check for NULL when servicing the shared memory.
  - Update documents for white action configuration, manifest file for reputation preprocessor.

* rpm/snort.spec: Remove all of the dead cruft from snort.spec.

* src/parser.c: Fix a parsing memory leak scenario by freeing the tokens on failure.

* preproc_rules/decoder.rules: Update decoder rules to have more accurate names. Same alert, new name.

* src/output-plugins/spo_unified2.c: Set would drop when interface not inline.

* src/: dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/snort_smtp.c, sfutil/sf_email_attach_decode.c, sfutil/sf_email_attach_decode.h, doc/: README.SMTP, README.imap, README.pop, snort_manual.tex: SMTP/POP/IMAP decoding changes:
  - Change the memory allocation for decoding. Allocate only when we see attachments.
    Do not allocate at the beginning of the session.
  - Apply the decoding depths to attachments instead of all attachments in a session.
  - Alert when decoding fails and not when decoding depths are exceeded.
  - Reset decode bytes read only after processing the entire attachment. Attachments can span multiple packets.

2012-3-17 Steven Sturges Snort 2.9.2.2

* src/build.h: Updated to build 121.

* src/preprocessors/HttpInspect/normalization/hi_norm.c: Fix HTTP URI normalization when URI has more than 2k slashes.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed split fin-ack tracking and flush/free app data on reset when listener is in fin-wait-1, fin-wait-2, or closing state.

* src/: encode.c, encode.h, snort.c, snort.h: Fix generation of response packets on fragmented IPv6 packet by using the frag reassembled packet to encode.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Fix logical byte count and remove unreachable code.

* src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c: Update to handle IPv6 traffic for processing of IP header options within .so rules.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Expand slam threshold to <= 4 and fix for non-reassembled sessions.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Check seq within window relative to window base.

* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Fix flow flags for single segment PDUs from PAF.

* doc/: faq.pdf, faq.tex, snort_manual.pdf, snort_manual.tex: Remove references to deprecated servers.

* src/dynamic-preprocessors/sip/sip_parser.c: Unknown method alert is generated only after verifying the packet is SIP. Don't generate alerts for a. multiple SIP messages within one UDP packet (140:17) and b. mismatched content length (140:18) simultaneously.

* doc/: INSTALL, snort_manual.pdf, snort_manual.tex: Updates to the manual to fix formatting, clarify detection_filter, and remove obsolete configure options. Thanks to Larry Hughes, Eoin Miller, Beenph and Joshua Kinard for reading it!
* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex, src/dynamic-preprocessors/sip/sip_config.c, src/dynamic-preprocessors/sip/sip_config.h, src/dynamic-preprocessors/sip/sip_dialog.c, src/dynamic-preprocessors/sip/sip_dialog.h, src/dynamic-preprocessors/sip/spp_sip.c, src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map: Limit number of dialogs within a stream session. Thanks to Filip Valder for providing the information.

* src/active.c: Allow repeated responses to non-TCP/UDP traffic.

* src/: sfdaq.c, sfdaq.h, output-plugins/spo_unified2.c: Correctly log blocked flag in unified2 events when an interface is passive.

* doc/: README.filters, snort_manual.pdf, snort_manual.tex: Update README & manual to document -1 as acceptable value for event_filter.

* src/: snort.c: Add stats output to dirty pig shutdown.

* src/: preprocessors/Stream5/stream5_common.c: Update initialization for stream_ip.

* doc/snort_manual.pdf, src/byte_extract.c, src/util.h, src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c: Make byte extraction of strings only allow for positive values.

* src/preprocessors/HttpInspect/client/hi_client.c: Check for paf_max before marking a packet as request body.

* doc/: README.SMTP, snort_manual.pdf, snort_manual.tex, preproc_rules/preprocessor.rules, src/generators.h, src/dynamic-preprocessors/smtp/smtp_config.h, src/dynamic-preprocessors/smtp/smtp_util.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/spp_smtp.c: Added SMTP preproc shutdown stats. Remove the decoding memcap exceeded alert and display this info instead.

* src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c, spp_ftptelnet.c: Update parsing for ftptelnet config.

* src/dynamic-preprocessors/modbus/spp_modbus.c: Update to free the modbus session data.

* src/: snort_bounds.h, preprocessors/HttpInspect/server/hi_server_norm.c: Update javascript normalization to call a safeboundsmemmove function when the src and dst buffers overlap.
* src/preprocessors/HttpInspect/client/hi_client.c: Change the code to not look for POST data (while parsing method) when PAF is enabled and process request packets when the method is undefined.

* src/dynamic-preprocessors/pop/: snort_pop.c, snort_pop.h: Decode data following +OK response without the octets string.

* src/dynamic-preprocessors/dcerpc2/dce2_utils.h: Made macro in dcerpc2 preprocessor used for progressing through data more robust.

* src/preprocessors/: snort_httpinspect.h, HttpInspect/client/hi_client.c, HttpInspect/server/hi_server.c: Eliminate false positives (no content-length or transfer-encoding) when chunk size spans across multiple packets. Thanks to Daniel Dallmann for reporting the issue.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Update handling of retransmitted segments overlapping the window on the left.

* src/preprocessors/HttpInspect/server/hi_server.c: Set the file_data to the raw HTTP response body (de-chunked/normalized) when decompression fails due to false GZIP headers. Set the inspect_body flag after resetting the decompress_data flag to allow extraction of HTTP response body across packets when decompression fails entirely. Thanks to Eoin Miller for reporting this issue.

* doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex, src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h: Remove the Max on the gzip memcap. Thanks to Eoin Miller for the request.

* src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_paf.c, dce2_session.h, dce2_smb.c, dce2_smb.h, snort_dce2.c, snort_dce2.h: State tracking improvements to SMB processing in the dcerpc2 preprocessor when missing packets on a session.

* tools/u2spewfoo/u2spewfoo.c: Tweaks to dump u2 files in the presence of certain errors.

* src/encode.c: Fix overhead calculation to ensure sufficient buffer space for defragging a maximum length IP datagram regardless of encapsulations.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Fix false positives on 129:16.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Fix stream5 to not purge too early when normalizing streams.

* src/decode.c: Remove redundant clearing of pointer in error case. Thanks to Josh Kinard for pointing out the error.

* src/preprocessors/spp_normalize.c: Change normalizer priority to ensure ahead of frag3 regardless of conf ordering.

* src/detection-plugins/sp_react.c, doc/README.active, doc/snort_manual.pdf, doc/snort_manual.tex: Don't allow more than one % in a user-defined HTML page used for react rule options. Thanks to Cleber S. Brandão for reporting the issue.

* configure.in: Update configure script to correctly display 'Disable' help verbiage for the --disable-xxx options. Thanks to Kungu Panda for pointing it out.

* src/: plugbase.c, plugbase.h, snort.c, output-plugins/spo_alert_arubaaction.c, output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c, output-plugins/spo_alert_prelude.c, output-plugins/spo_alert_syslog.c, output-plugins/spo_alert_test.c, output-plugins/spo_alert_unixsock.c, output-plugins/spo_csv.c, output-plugins/spo_database.c, output-plugins/spo_log_ascii.c, output-plugins/spo_log_null.c, output-plugins/spo_log_tcpdump.c, output-plugins/spo_unified.c, output-plugins/spo_unified2.c: Update unified2 output to rotate the unified2 file on reload.

* src/dynamic-preprocessors/smtp/smtp_util.c: Truncate the trailing end of the email id when the rcpt to or mail from addresses are too long.

* doc/snort_manual.tex, doc/README.GTP, src/: dynamic-plugins/sf_dynamic_plugins.c, util.c, util.h: Throttle the so rules memcap error message.

2012-1-17 16:16 Hui Cao Snort 2.9.2.1

* All files: updated copyright to 2012.

* src/build.h: Updated build number to 107.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed building when -DREG_TEST not used with --enable-debug. Tweaked r_win_base initialization upon midstream pickup to work with tighter sequence number validation.
  Updated TCP session tracking to avoid requeuing retransmitted data. Add tweaks for paf_max flushing of chunked http data.

* src/dynamic-preprocessors/reputation/shmem/: shmem_config.c, shmem_config.h, shmem_mgmt.c, shmem_mgmt.h: Avoided writer updating reader's zero segment pointer. Changed shared memory update timeout to a larger value.

* src/generators.h, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/utils/hi_paf.c, doc/README.http_inspect, etc/gen-msg.map, preproc_rules/preprocessor.rules: Added an alert on http/0.9 simple requests (119:32).

* preproc_rules/: decoder.rules, preprocessor.rules: Bump a few rule revs that were out of sync w/ VRT.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Changed Warning -> WARNING. Don't attempt to flush if the grinder failed when pruning a session.

* src/: preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_common.h, sfutil/test/unit_hacks.c: Auto-disable stream reassembly on paf abort if auto-enabled.

* src/: detection-plugins/sp_dsize_check.c, dynamic-preprocessors/dnp3/spp_dnp3.c, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_paf.c: Fixed handling PAF flushing anomalies by purging afflicted segments.

* src/sfutil/: sfrt_dir.c, sfrt_flat_dir.c, sfrt_flat_dir.h: Fixed the wrong value when calculating memory allocated. Changed sfrt length field from char to uint8_t.

* src/: decode.c, dynamic-preprocessors/gtp/gtp_parser.c: Added checking invalid extension header length for GTPv1.

* src/: preprocessors/stream_expect.c, profiler.h: Fixed some compiler warnings.

* src/: decode.c, dynamic-preprocessors/gtp/gtp_parser.c: Added checking invalid extension header length.

* doc/: README.GTP, snort_manual.pdf, snort_manual.tex: Added a simple use case to the GTP document.

* src/dynamic-preprocessors/modbus/modbus_decode.c: Fixed a couple errors in modbus request/response length checking.
* etc/reference.config: Added 'msb' to reference.conf for Microsoft Bulletin url.

* src/detection-plugins/sp_flowbits.c: When same flowbit is defined both in default group and user specified group, that flowbit will be changed to specified group.

* src/dynamic-preprocessors/dnp3/: dnp3_paf.c, dnp3_reassembly.c, spp_dnp3.c, spp_dnp3.h: Added #define statements for several "magic numbers" in DNP3 code.

* src/dynamic-preprocessors/dnp3/dnp3_reassembly.c: Fixed a bug where the DNP3 preprocessor would generate alerts for "reserved function" on valid DNP3 functions.

* src/dynamic-preprocessors/dnp3/dnp3_roptions.c: Added parser errors for missing dnp3_func and dnp3_ind arguments.

* src/: generators.h, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/event_output/hi_eo_log.c, preprocessors/HttpInspect/include/hi_eo_events.h: Added a preprocessor alert to alert when a HTTP method being parsed is not a GET or a POST or not defined by the user.

* src/preprocessors/HttpInspect/: client/hi_client.c, server/hi_server.c: Added checking bounds before unfolding.

* Makefile.am, configure.in: Clean up very dated rules files.

* src/: snort.c, win32/WIN32-Includes/stdint.h: Don't add handlers for signal values that aren't supported on Windows.

* src/dynamic-preprocessors/reputation/reputation_config.c: Corrected the variable name called to create IP table.

2011-12-14 Ryan Jordan Snort 2.9.2

* src/build.h: updating build number to 78.

* snort.8: Fixed spelling errors. Thanks to Neline van Ginkel for the report.

* src/: snort.c, preprocessors/spp_perfmonitor.c: Perfmonitor "now" files are created after Snort drops privileges.

* src/output-plugins/spo_unified2.c: Only log IPv6 extra data when the packet is IPv6.

* src/preprocessors/HttpInspect/: server/hi_server.c, client/hi_client.c: Fixed unfolding of HTTP Headers across packet boundaries. Thanks to Jim Hranicky for reporting this issue on the RC build.
* src/preprocessors/spp_httpinspect.c: HTTP Inspect should check for hi_swap_config in HttpInspectInit() only when snort is compiled with --enable-reload. Fixed build errors on Win32.

* src/preprocessors/Stream5/snort_stream5_tcp.c: When pruning a session, don't attempt to flush if the grinder failed to decode a TCP header. Thanks to Jim Hranicky for reporting this issue on the RC build.

2011-11-23 Ryan Jordan Snort 2.9.2 RC

* src/build.h: updating build number to 75.

* src/preprocessors/spp_httpinspect.c: Fixed an issue with HTTP Inspect server conf reload (when the HTTP Inspect is turned on from off between a reload).

* src/preprocessors/spp_stream5.c: Fixed a memory leak caused by initializing the expected channel more than once.

* src/dynamic-preprocessors/dcerpc2/spp_dce2.c: Fixed a segfault during dcerpc2 startup when stream5 is not enabled.

* src/preprocessors/spp_normalize.c: Added support to turn normalization off or on during a Snort reload.

* src/dynamic-preprocessors/modbus/spp_modbus.c: Moved the check for truncated PDUs past the port check, to avoid false positives.

* src/sfutil/bitop_funcs.h: Fixed an error in the allocation of flowbit groups, where bytes were interpreted as bits.

* src/detection-plugins/sp_flowbits.c: Fixed a flowbits issue where the "isset" operation failed when there was only a single flowbit in a group. Fixed the error message logged when the same flowbit is added to two groups.

* src/ipv6_port.h:
* src/: dynamic-preprocessors/gtp/gtp_parser.c, dynamic-preprocessors/gtp/gtp_roptions.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/reputation/reputation_config.c, sfutil/segment_mem.c, encode.c: Compiler warning cleanup.

* doc/: README.reload, snort_manual.pdf, snort_manual.tex: Updated the reload documentation to mention the caveat that exists with reload and fail-open in OpenBSD when Snort is run on primary network interface.
* src/dynamic-preprocessors/dnp3/: dnp3_reassembly.c, dnp3_reassembly.h, dnp3_roptions.c, spp_dnp3.c: Added support for multiple DNP3 PDUs in a single DNP3 payload. Fixed an issue where the DNP3 preprocessor only identified the minimum reserved address, instead of all reserved addresses.

* src/dynamic-preprocessors/dnp3/spp_dnp3.h: Updated an incorrect minimum DNP3 memcap to match the documented minimum of 4144 bytes.

* src/output-plugins/spo_unified2.c: Snort will fatal error when the user configures the same filename for options "alert_unified2" and "log_unified2".

* src/sfutil/: sfrt.c, sfrt.h, sfrt_dir.c, sfrt_dir.h: Added the ability to delete entries in the sfrt table.

* src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_frag3.c, src/preprocessors/spp_normalize.c, src/preprocessors/spp_stream5.c, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/stream5_common.c, src/dynamic-preprocessors/reputation/reputation_config.c, etc/gen-msg.map, src/detection-plugins/sp_flowbits.c, src/detection-plugins/sp_replace.c, src/output-plugins/spo_alert_sf_socket.c, src/decode.c, src/detect.c, src/generators.h, src/sfdaq.c, src/snort.c, src/tag.c, src/util.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/sfutil/acsmx2.c, configure.in, src/dynamic-preprocessors/dnp3/spp_dnp3.c, src/target-based/sftarget_protocol_reference.c:
* src/dynamic-preprocessors/dnp3/dnp3_roptions.c: Made the format of warning messages consistent.

* src/dynamic-preprocessors/: dnp3/spp_dnp3.c, modbus/spp_modbus.c: Providing an empty port list now causes a fatal error.

* src/dynamic-preprocessors/dnp3/spp_dnp3.h: Fixed reserved address check on big-endian machines.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Changed identification of TCP retransmits by comparing payloads instead of TCP checksums.
* src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/dynamic-preprocessors/imap/snort_imap.c, src/dynamic-preprocessors/pop/snort_pop.c, src/dynamic-preprocessors/smtp/smtp_util.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/output-plugins/spo_unified2.c, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/sfutil/Unified2_common.h, tools/u2spewfoo/u2spewfoo.c: Enable logging of normalized JavaScript to unified2 when built without --enable-sourcefire.
  - Changed extra data logging to log packet-specific data (gzip/normalized) after each packet.
  - Updated u2spewfoo to read the normalized JavaScript extra data.

* src/dynamic-preprocessors/dnp3/dnp3_reassembly.c: Fixed a bug where "dnp3_data" rules would not work if the content was broken up by CRCs or split across multiple DNP3 segments. As a result, DNP3 rules that inspect the DNP3 headers now require "rawbytes" to work correctly, as the DNP3 reassembly buffer is inspected by default.

* etc/gen-msg.map, preproc_rules/preprocessor.rules, src/dynamic-preprocessors/dnp3/spp_dnp3.h: Removed DNP3 rule 145:5, and decremented the SIDs of rules 145:6 and 145:7. The old 145:5 was never able to be triggered. Updated references for rules 119:15 and 137:1.

* rpm/snort.spec: Updated the RPM spec file to use wildcards for linking and installing preprocessors. Thanks to Tim Brigham for the suggestion.

* src/detection_util.h: Increased the URI buffer size from 4096 to 8192 to normalize and detect longer URIs.

* src/preprocessors/: spp_frag3.c, spp_stream5.c, Stream5/snort_stream5_tcp.c, Stream5/snort_stream5_udp.c: Change the printing function of tracker/session sizes (TcpSession/UdpSession/StreamLWSession/FragTracker) from fprintf to LogMessage.
  Fix handling of "first" and "vista" policies in stream5 that, under certain circumstances with overlaps and gaps, could cause the stream5 segmentation list to get out of order.

* doc/snort_manual.pdf, doc/snort_manual.tex, src/detection-plugins/sp_dsize_check.c: Enable the "dsize" rule option with rebuilt packets, if it is the start of a PDU. Thanks to Dave Bertouille for reporting this problem.

* src/dynamic-preprocessors/modbus/modbus_decode.c: Added length checking for Modbus "Read File Record" and "Write File Record" requests.

* src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h, tools/u2spewfoo/u2spewfoo.c: Added new Unified2 event structs with extra application ID data. Updated u2spewfoo to read these fields.

* src/detection-plugins/: sp_asn1_detect.c, sp_byte_check.c, sp_byte_jump.c, sp_isdataat.c: Allow rule evaluation to continue if the doe_ptr reaches the end of a buffer, but a negative offset brings it back in-bounds. Thanks again to Dave Bertouille for the suggestion.

* src/target-based/sf_attribute_table.y: Allow empty attribute_value in attribute table.

* configure.in, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Added Protocol-Aware Flushing support for FTP.

* snort.8: Updated the man page to include more signals that have been used. Made some format changes, thanks to Markus Lude.

* doc/Makefile.am: Fixed an error while running "make distcleancheck".

* doc/snort_manual.pdf, doc/snort_manual.tex, src/win32/WIN32-Includes/config.h, configure.in, src/snort.c, src/snort.h, src/util.c, src/control/sfcontrol.c, src/target-based/sftarget_reader.c: Redefined default signals, and added support for signal customization.
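The doe_ptr bounds rule in the sp_byte_check / sp_byte_jump / sp_isdataat entry of this release (keep evaluating when the cursor sits exactly at the end of the buffer, as long as a negative offset brings the read back in-bounds) is worth seeing as arithmetic. The block below is an added example written for this page, not Snort's detection-plugin code: it resolves a relative read of `len` bytes at `cursor + offset` using indices instead of pointers, so an out-of-range target is never materialised as a pointer. `cursor_target_strict` approximates the pre-fix behaviour only as far as the entry's wording describes it (a cursor at the end fails outright) and is an assumption; the 8-byte sample buffer is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Resolve a relative read of `len` bytes at cursor+offset inside a buffer of
 * buf_len bytes. The cursor may sit exactly at buf_len ("end of buffer"); the
 * read is accepted only if the resolved range lies inside [0, buf_len).
 * On success, writes the resolved start index to *target and returns 1. */
int cursor_target(size_t buf_len, size_t cursor, long offset, size_t len,
                  size_t *target)
{
    size_t t;

    if (cursor > buf_len)
        return 0;                      /* cursor already past the buffer */

    if (offset < 0) {
        /* -(offset + 1) + 1 equals -offset without overflowing on LONG_MIN */
        size_t back = (size_t)(-(offset + 1)) + 1;
        if (back > cursor)
            return 0;                  /* would move before the buffer start */
        t = cursor - back;
    } else {
        if ((size_t)offset > buf_len - cursor)
            return 0;                  /* would move past the buffer end */
        t = cursor + (size_t)offset;
    }

    if (len > buf_len - t)
        return 0;                      /* read would run off the end */

    *target = t;
    return 1;
}

/* Assumed pre-fix behaviour, for comparison only: a cursor at the end of the
 * buffer fails even when a negative offset would land the read back inside. */
int cursor_target_strict(size_t buf_len, size_t cursor, long offset, size_t len,
                         size_t *target)
{
    if (cursor >= buf_len)
        return 0;
    return cursor_target(buf_len, cursor, offset, len, target);
}

/* byte_test-style read: big-endian value of 1..4 bytes at cursor+offset.
 * Returns -1 when the read is out of bounds. */
long read_be_relative(const uint8_t *buf, size_t buf_len, size_t cursor,
                      long offset, size_t len)
{
    size_t t;
    uint32_t v = 0;

    if (len == 0 || len > 4 || !cursor_target(buf_len, cursor, offset, len, &t))
        return -1;
    for (size_t i = 0; i < len; i++)
        v = (v << 8) | buf[t + i];
    return (long)v;
}

/* Constructed sample record: a 6-byte header followed by a 2-byte trailer
 * field, the kind of value a rule reads with a negative offset after the
 * cursor has been advanced to the end of the record. */
static const uint8_t sample[8] = { 0x00, 0x10, 0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x02 };

long sample_read(size_t cursor, long offset, size_t len)
{
    return read_be_relative(sample, sizeof sample, cursor, offset, len);
}

int sample_strict_ok(size_t cursor, long offset, size_t len)
{
    size_t t;
    return cursor_target_strict(sizeof sample, cursor, offset, len, &t);
}

int main(void)
{
    /* cursor at the end of the buffer, trailer read two bytes back */
    printf("trailer via relaxed check: %ld\n", sample_read(8, -2, 2));
    printf("strict check accepts the same read: %d\n", sample_strict_ok(8, -2, 2));
    printf("forward read from the end: %ld\n", sample_read(8, 0, 1));
    return 0;
}
```

The relaxed check still refuses every read that would actually touch memory outside the buffer (forward from the end, further back than the start, or longer than what remains); the only thing it no longer rejects is the cursor position itself.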
2011-10-28 Ryan Jordan Snort 2.9.2 Beta

* src/build.h: updating build number to 64.

* src/preprocessors/: snort_httpinspect.c, HttpInspect/include/hi_ui_config.h, HttpInspect/server/hi_server.c, HttpInspect/server/hi_server_norm.c, HttpInspect/user_interface/hi_ui_config.c:
* src/sfutil/: util_jsnorm.c, util_jsnorm.h: Updated the HTTP preprocessor to normalize HTTP responses that include javascript escaped data in their bodies. This expands Snort's coverage in detecting HTTP client-side attacks. See the Snort Manual and README.http_inspect for configuration details.

* doc/README.modbus:
* src/dynamic-preprocessors/modbus/: Makefile.am, modbus_decode.c, modbus_decode.h, modbus_paf.c, modbus_paf.h, modbus_roptions.c, modbus_roptions.h, sf_modbus.dsp, spp_modbus.c, spp_modbus.h: Added the Modbus preprocessor, which decodes the Modbus protocol and provides new rule options for some protocol fields. See the Snort Manual and README.modbus for more details.

* doc/README.dnp3:
* src/dynamic-preprocessors/dnp3/: Makefile.am, dnp3_map.c, dnp3_map.h, dnp3_paf.c, dnp3_paf.h, dnp3_reassembly.c, dnp3_reassembly.h, dnp3_roptions.c, dnp3_roptions.h, sf_dnp3.dsp, spp_dnp3.c, spp_dnp3.h: Added the DNP3 preprocessor, which decodes the DNP3 protocol and provides new rule options for some protocol fields. The preprocessor also performs reassembly of segmented DNP3 traffic. See the Snort Manual and README.dnp3 for more details.

* doc/README.gtp:
* src/decode.c:
* src/dynamic-preprocessors/gtp/: Makefile.am, gtp_config.c, gtp_config.h, gtp_debug.h, gtp_parser.c, gtp_parser.h, gtp_roptions.c, gtp_roptions.h, sf_gtp.dsp, spp_gtp.c, spp_gtp.h: Added a packet decoder and preprocessor for the GTP protocol. These support detecting attacks over GTP (GPRS Tunneling Protocol). See the Snort Manual and README.gtp for more details.
* doc/faq.pdf, doc/faq.tex, src/Makefile.am, src/debug.c, src/smalloc.h, src/snort_debug.h, src/dynamic-plugins/sf_dynamic_common.h, src/dynamic-preprocessors/dcerpc2/dce2_paf.c, src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, src/dynamic-preprocessors/gtp/gtp_debug.h, src/dynamic-preprocessors/sip/sip_debug.h, src/parser/IpAddrSet.c, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/Stream5/stream5_paf.c: Expanded the debug bits from 32 to 64 bits.

* src/preprocessors/: spp_stream5.c, Stream5/snort_stream5_icmp.c, Stream5/snort_stream5_icmp.h, Stream5/snort_stream5_ip.c, Stream5/snort_stream5_ip.h, Stream5/snort_stream5_udp.c, Stream5/snort_stream5_udp.h: Cleaned up application data for non-TCP sessions after a block or timeout.

* src/preprocessors/spp_sfportscan.c: Negative memcap numbers are no longer allowed.

* src/preprocessors/HttpInspect/server/hi_server.c: HTTP responses with incorrect status messages are now inspected.

* src/preprocessors/Stream5/stream5_paf.c: Fixed PAF callback registration during Snort reload.

* src/parser.c: Fixed crash when setting HOME_NET to an empty variable. Thanks to Elof for reporting this issue.

* src/preprocessors/spp_normalize.c: Don't register the packet callback if Snort is not inline. Fixed a crash in the normalizer during Snort reload.

* src/: sfdaq.c, sfdaq.h, snort.c, snort.h, util.c: Fixed a possible segfault upon fatal error during Snort reload.

* src/win32/WIN32-Prj/snort_installer.nsi: Updated Windows project files for new preprocessors.

* doc/: snort_manual.pdf, snort_manual.tex: Updated the Snort manual for new features. Updated the names of contributors to match those found on snort.org. Updated the 'config cs_dir' path to be relative to pid-path. Described the FlowIP CSV file format. Thanks to Eoin Miller for pointing out the lack of documentation.
* src/preprocessors/: perf-base.c, perf-base.h, perf.c, perf.h, spp_frag3.c, spp_frag3.h, Stream5/snort_stream5_tcp.c: Added frag3 and stream5 memory usage to perfmon output.

* src/control/sfcontrol.c: Added counters to bypass the work queue mutex when nothing is queued. Cleaned up compiler warnings.

* src/preprocessors/HttpInspect/client/hi_client.c: When the same IP is parsed multiple times for XFF/True-client-IP, the duplicate entries are freed from memory.

* src/preprocessors/: stream_expect.c, spp_stream5.c, stream_api.h, stream_expect.h, Stream5/snort_stream5_session.c, Stream5/snort_stream5_session.h, Stream5/stream5_common.h: Changed instances of "char" to "uint8_t" when dealing with protocol numbers, preventing a potential issue when Snort supports protocols > 128. Thanks to Joshua Kinard for providing a patch for this issue.

* src/detection-plugins/sp_react.c: Added a content-length header to the react responses.

* src/: decode.h, dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-preprocessors/imap/snort_imap.c, dynamic-preprocessors/pop/snort_pop.c, dynamic-preprocessors/smtp/smtp_config.h, dynamic-preprocessors/smtp/smtp_util.c, dynamic-preprocessors/smtp/smtp_util.h, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/snort_smtp.h, dynamic-preprocessors/smtp/spp_smtp.c, output-plugins/spo_unified2.c, preprocessors/snort_httpinspect.c, preprocessors/snort_httpinspect.h, preprocessors/spp_httpinspect.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/HttpInspect/include/hi_ui_config.h, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/snort_stream5_tcp.h, preprocessors/Stream5/stream5_common.h: Reduced the memory usage per TCP session for extra data event logging.

* src/dynamic-preprocessors/sip/spp_sip.c: Changed a description in the SIP exit stats.
* configure.in, src/snort.c, src/util.c, src/target-based/sftarget_reader.c: Where possible, sigaction() is used instead of signal() to establish signal handlers.

* src/util.c: Fixed an error in the calculation of dropped packets. Thanks to Will Metcalf for identifying the issue.

* src/preprocessors/: perf-flow.c, perf-flow.h: Fixed a bug where packets longer than 4500 bytes were not logged in the perfmon flow stats.

* src/: active.c, decode.c, decode.h, encode.c, parser.c, sf_protocols.h, snort.c: Fix PPPoE support and active responses to ICMP. Thanks to Eric Lauzon for identifying an issue with PPPoE traffic.

* etc/gen-msg.map, preproc_rules/preprocessor.rules, src/generators.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_client.h, src/preprocessors/HttpInspect/include/hi_eo_events.h: Added new preprocessor alerts:
  1) Both true-client-ip and XFF headers exist in single packet
  2) Multiple client-ips with different values in the same session

* etc/gen-msg.map: Fixed an error with incorrect SID numbers for some SMTP preprocessor rules. Thanks to Eric Olsen for identifying the issue.

* src/: decode.h, detect.c, encode.c, encode.h, plugbase.c, plugbase.h, snort.c, snort.h, detection-plugins/detection_options.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sf_engine/sf_snort_packet.h, dynamic-preprocessors/dcerpc2/snort_dce2.c, dynamic-preprocessors/sdf/spp_sdf.c, output-plugins/spo_alert_fast.c, preprocessors/spp_frag3.c, preprocessors/spp_rpc_decode.c, preprocessors/spp_sfportscan.c, preprocessors/stream_api.h, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_common.c: Refactored packet flags. Added new packet flags for raw in-order stream segment discrimination.

* src/preprocessors/snort_httpinspect.c: Fixed an issue where gzip logging code misinterpreted the data being passed to it.
  Increased max_method_len to 256. Thanks to rmkml for identifying the issue.

* src/: preprocessors/spp_rpc_decode.c, dynamic-preprocessors/dcerpc2/dce2_roptions.c, dynamic-preprocessors/dcerpc2/dce2_smb.c: Fixed compiler warnings.

* src/sfutil/bnfa_search.c: Fixed code defined by #ifdef ALLOW_NFA_FULL to compile and run. Thanks to Brian Hwang for reporting the issue.

* src/: dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sp_dynamic.h, dynamic-preprocessors/reputation/reputation_config.c, dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h: The paths to allowlist & blocklist files are now relative to the location of snort.conf.

* src/preprocessors/Stream5/snort_stream5_session.c: Don't prune blocked sessions if pruning for memcap.

* src/preprocessors/spp_stream5.c: Fixed session data lookup for meta data messages.

* etc/: sf_rule_options, sf_rule_validation.conf: Updated rule validation files with new rule options.

* configure.in, doc/INSTALL, doc/README.ARUBA, doc/README.database, doc/README.ipv6, doc/snort_manual.tex, src/output-plugins/spo_alert_arubaaction.c, src/output-plugins/spo_alert_prelude.c, src/output-plugins/spo_database.c: Added deprecation warnings for database, alert_aruba_action, and alert_prelude output plugins. These output plugins are considered deprecated with this release and will be removed in Snort 2.9.3.

* src/: plugbase.c, plugbase.h, preprocids.h, profiler.c, sfdaq.c, sfdaq.h, snort.c, snort.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, preprocessors/spp_stream5.c, preprocessors/stream_api.h, preprocessors/Stream5/snort_stream5_icmp.c, preprocessors/Stream5/snort_stream5_ip.c, preprocessors/Stream5/snort_stream5_session.c, preprocessors/Stream5/snort_stream5_session.h: Added API and DAQ functions to get flow start and end events directly from the DAQ when no stream data is available.
* src/sfdaq.c: Prevent underflow when calculating outstanding packets. Thanks to Hussein Bahaidarah for reporting this issue. Don't unload daq modules if --disable-dlclose was a configure option.

* src/: active.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h: Snort dynamic API changes to inject response packets.

2011-10-20 Ryan Jordan Snort 2.9.1.2

* configure.in, rpm/snort.spec, src/build.h, src/win32/WIN32-Includes/config.h, src/win32/WIN32-Prj/snort_installer.nsi: Incremented version numbers to Snort 2.9.1.2, Build 84.

* src/preprocessors/snort_httpinspect.c, src/sfutil/util_utf.c: Fixed an issue where Snort would sometimes stop processing traffic in a persistent HTTP 1.1 connection with a UTF-32 encoded response followed by a UTF-16 encoded response.

2011-10-05 Ryan Jordan Snort 2.9.1.1

* src/decode.c: Fixed decode.c to allow building with --enable-debug.

* src/: dynamic-plugins/sf_engine/sf_decompression.c, dynamic-plugins/sf_engine/sf_decompression.h, preprocessors/snort_httpinspect.h, preprocessors/HttpInspect/server/hi_server.c: Fixed http_inspect decompression and decompression API to decompress both raw and zlib deflated data. Support locating utf charset when spaces are present.

* src/: preprocessors/HttpInspect/server/hi_server_norm.c, sfutil/util_utf.h: Added "Byte Order Mark" support for unicode in http_inspect.

* src/detection-plugins/sp_urilen_check.c: Fixed potential false positives when using urilen detection option.

* src/preprocessors/Stream5/stream5_paf.c: Fixed flushing beyond "paf_max". Verify paf configuration before enabling.

* src/preprocessors/Stream5/snort_stream5_tcp.c: Free application and protocol state when a session is blocked. Ensure that seglist_next is NULL after being freed.

* src/dynamic-preprocessors/smtp/smtp_util.c: Fixed an issue with SMTP logging while running in inline mode.
* src/dynamic-preprocessors/reputation/Makefile.am, src/dynamic-preprocessors/reputation/reputation_config.c, src/dynamic-preprocessors/reputation/reputation_config.h, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/reputation/spp_reputation.h, src/Makefile.am, src/idle_processing.c, src/idle_processing.h, src/idle_processing_funcs.h, src/plugbase.c, src/plugbase.h, src/snort.c, src/snort.h, src/util.c, src/util.h, src/dynamic-examples/Makefile.am, src/dynamic-preprocessors/reputation/shmem/shmem_config.c, src/dynamic-preprocessors/reputation/shmem/shmem_config.h, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h, src/dynamic-preprocessors/reputation/shmem/shmem_lib.c, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h, src/control/Makefile.am, src/control/sfcontrol.c, src/control/sfcontrol.h, src/control/sfcontrol_funcs.h, src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c, src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h, src/dynamic-preprocessors/reputation/shmem/shmem_common.h, src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c, src/dynamic-preprocessors/reputation/shmem/shmem_lib.h, src/sfutil/Makefile.am, src/sfutil/segment_mem.c, src/sfutil/segment_mem.h, src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c, src/sfutil/sfrt_flat_dir.h, src/dynamic-preprocessors/Makefile.am, tools/control/Makefile.am, tools/control/README.snort_control, tools/control/sfcontrol.c, src/dynamic-plugins/sf_dynamic_plugins.c, src/dynamic-plugins/sf_dynamic_preprocessor.h, configure.in, tools/Makefile.am:
  - Added support for shared memory between Snort processes. This is used in the IP Reputation preprocessor to share a single copy of IP allowlists & blocklists.
  - Added a control channel, so that commands may be issued to a running Snort process by way of a Unix socket.
* src/preprocessors/HttpInspect/utils/hi_paf.c:
  Ensure HTTP 1.1 responses without length indicators (e.g. 304) are flushed at the end of the headers. Preprocessor rule 120:8 is fired at the end of headers if content-length and transfer-encoding: chunked are not present, but not for response codes 1XX, 204, 304.

* doc/README.reputation, doc/snort_manual.pdf, doc/snort_manual.tex:
  Updated Snort documentation; added documentation for Shared Memory and the Control Socket.

* src/: dynamic-preprocessors/reputation/sf_reputation.dsp, dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, win32/WIN32-Includes/stdint.h, win32/WIN32-Prj/snort.dsp, win32/WIN32-Prj/snort.dsw:
  Updated Win32 build files.

2011-08-23  Ryan Jordan  Snort 2.9.1

* src/build.h:
  Updated build number to 71.

* etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c, src/decode.h, src/generators.h, src/snort.c, src/dynamic-plugins/sf_engine/sf_snort_packet.h:
  Fixed an issue with decoding large numbers of IPv6 extension headers. Added rule 116:456 to safeguard against too many IPv6 extension headers. Thanks to Martin Schütte for reporting the issue.

* src/detection-plugins/sp_urilen_check.c, src/detection-plugins/sp_urilen_check.h:
  Fixed the urilen rule option to look at reassembled packets. Added an extra parameter to specify whether to check the raw or normalized URI buffer. The raw URI buffer is checked by default.
* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp, dynamic-preprocessors/dns/sf_dns.dsp, dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp, dynamic-preprocessors/imap/sf_imap.dsp, dynamic-preprocessors/isakmp/sf_isakmp.dsp, dynamic-preprocessors/pop/sf_pop.dsp, dynamic-preprocessors/reputation/sf_reputation.dsp, dynamic-preprocessors/sdf/sf_sdf.dsp, dynamic-preprocessors/sip/sf_sip.dsp, dynamic-preprocessors/smtp/sf_smtp.dsp, dynamic-preprocessors/ssh/sf_ssh.dsp, dynamic-preprocessors/ssl/sf_ssl.dsp, win32/WIN32-Prj/sf_engine.dsp:
  Fixed a bug where the sensitive_data preprocessor gave an error while loading sensitive data rules.

* doc/README.http_inspect, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/generators.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/utils/hi_paf.c:
  Added two HTTP Inspect preprocessor rules:
  - 119:28 - post w/o content-length or transfer-encoding: chunked
  - 120:8 - message with invalid content-length or chunk size

* src/preprocessors/spp_httpinspect.c:
  Fixed a bug where Snort wouldn't reload, giving the error that "Changing decompress_depth requries a restart".

* etc/gen-msg.map:
  Commented out four rules from gen-msg.map, 133:44 through 133:47, because they were not yet implemented.

* preproc_rules/preprocessor.rules:
  Added a CVE reference for Rule 119:19. Added a reference to SMTP preprocessor rule 124:4. Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor alert that was missing the corresponding rule.

* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
  PAF tweak for single-segment full PDUs matching only-stream.

* src/snort.c:
  Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD. Set default paf_max to 16K.

* doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
  Added a use case in the IP Reputation preprocessor documentation.
* src/: dynamic-preprocessors/reputation/reputation_config.c, dynamic-preprocessors/reputation/sf_reputation.dsp, win32/WIN32-Prj/snort.dsw, win32/WIN32-Prj/snort_installer.nsi:
  Fixed the IP Reputation preprocessor so that it would build on Windows.

* src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h, server/hi-server.c, utils/hi_paf.c:
  Support up to full 32-bit content-lengths.

* src/preprocessors/Stream5/stream5_paf.c:
  Fixed compilation with the options "--disable-target-based --enable-paf".

* src/preprocessors/Stream5/snort_stream5_tcp.c:
  Fixed an error in IDS mode when segments overlap and the sequence number wraps.

* tools/u2spewfoo/Makefile.am:
  Added the u2spewfoo Windows project file to the Snort source tarball.

2011-07-19  Ryan Jordan  Snort 2.9.1 RC

* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex, preproc_rules/preprocessor.rules, src/dynamic-preprocessors/sip/sip_parser.c, src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
  Added three new SIP preprocessor alerts.

* src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c, stream5_paf.h:
  Allow multiple preprocs to scan for PDUs on the same port. This fixes a problem with DCE autodetect using the same ports as HTTP.

* src/build.h:
  Updated build number to 63.

* src/: fpcreate.c, log.c, detection-plugins/sp_byte_extract.c, detection-plugins/sp_tcp_win_check.c, dynamic-plugins/sf_engine/sf_snort_plugin_content.c, dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, preprocessors/spp_normalize.c:
  Fixed some compiler warnings.

* src/: detection-plugins/detection_options.c, detection-plugins/sp_flowbits.h, dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
  Only set/clear/toggle/unset a flowbit when all of the rule matches, including the IPs and Ports. Thanks to Eoin Miller for reporting the issue.
* src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am, dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am, pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am, sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am, ssh/Makefile.am, ssl/Makefile.am:
  Fixed dynamic preprocessor Makefiles so that they can be built in parallel.

* doc/README.http_inspect, doc/snort_manual.pdf, doc/snort_manual.tex, etc/gen-msg.map, preproc_rules/preprocessor.rules, src/generators.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/snort_httpinspect.h, src/preprocessors/HttpInspect/client/hi_client.c, src/preprocessors/HttpInspect/event_output/hi_eo_log.c, src/preprocessors/HttpInspect/include/hi_eo_events.h, src/preprocessors/HttpInspect/include/hi_ui_config.h, src/preprocessors/HttpInspect/include/hi_util.h, src/preprocessors/HttpInspect/user_interface/hi_ui_config.c, src/sfutil/util_unfold.c:
  Added a new HTTP Inspect preprocessor rule, GID 119 SID 26. This rule checks for 200+ whitespaces in a folded header line from an HTTP request. A new config option was added to configure the allowable amount of whitespace.
  Added a new configuration option to the http_inspect server configuration: "small_chunk_length { }", with preprocessor rules for both client and server. Consecutive chunk lengths less than or equal to will cause an event to be generated. See README.http_inspect for more information.
* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp, dynamic-preprocessors/dns/sf_dns.dsp, dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp, dynamic-preprocessors/imap/sf_imap.dsp, dynamic-preprocessors/isakmp/sf_isakmp.dsp, dynamic-preprocessors/sdf/sf_sdf.dsp, dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp, dynamic-preprocessors/sip/sf_sip.dsp, dynamic-preprocessors/smtp/sf_smtp.dsp, dynamic-preprocessors/ssh/sf_ssh.dsp, dynamic-preprocessors/ssl/sf_ssl.dsp, win32/WIN32-Prj/sf_engine.dsp, win32/WIN32-Prj/sf_engine_initialize.dsp, win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp:
  Fixed the Win32 build to (1) not use .pch, and (2) correct sed patterns on ipv6_port.h.

* src/output-plugins/spo_alert_sf_socket.c:
  Fixed a problem where Snort's generic IP address structure was being sent by the socket output plugin. The output plugin now only generates events for IPv4 packets, and is guaranteed to use uint32_t IPv4 addresses for interoperability.

* src/sfutil/: sfrt.c, sfrt.h:
  Optimized some memory usage.

* configure.in:
  Add check for pkg-config and provide instructions to get it if pkg-config is not installed.

* src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_common.h:
  Show single segment PAF packets and only short-circuit at correct sequence. When aborting PAF, flush at paf_max. Tweaked retransmission check to use actual sequence numbers instead of the adjusted sequence numbers. Changed the pseudo-random flush point after each flush.

* src/snort.c:
  Fixed a compilation error when active response is disabled.

* src/snort.h:
  Fixed a bug where Snort wouldn't daemonize on OpenBSD if the process was running as root. Thanks to Olaf Schreck for reporting this issue.

* src/preprocessors/: perf-base.c, perf-base.h, perf-event.c, perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h, spp_perfmonitor.c:
  Split out Perfmon submodule Init and Reset, so that everything is initialized when the Perfmonitor preprocessor is initialized.
  Previously, some data was initialized on the first packet.

* src/detection-plugins/sp_tcp_flag_check.c:
  Fixed a couple of spots where the "1" and "2" flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for reporting the issue and supplying a patch.

* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex, src/dynamic-preprocessors/sip/sip_parser.c, src/dynamic-preprocessors/sip/spp_sip.h, preproc_rules/preprocessor.rules, etc/gen-msg.map:
  Added a new SIP preprocessor alert for missing content type headers. Fixed an issue where the SIP preprocessor checked for Stream5 even if the SIP preprocessor was disabled.

* etc/unicode.map:
  Updated unicode.map to match the Unicode standard on Windows 7 SP1.

* etc/snort.conf:
  Sync'ed to VRT's latest snort.conf.

* src/: decode.c, detect.c:
  Tweaked the preprocessing loop to bypass app preprocs if there is no app data.

* src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sfrt_dir.c, src/dynamic-preprocessors/reputation/Makefile.am, src/dynamic-preprocessors/reputation/reputation_config.h, src/dynamic-preprocessors/reputation/reputation_utils.c, src/dynamic-preprocessors/reputation/sf_reputation.dsp, src/dynamic-preprocessors/reputation/spp_reputation.c, src/dynamic-preprocessors/reputation/spp_reputation.h, src/dynamic-preprocessors/reputation/reputation_config.c, src/dynamic-preprocessors/reputation/reputation_debug.h, src/dynamic-preprocessors/reputation/reputation_utils.h, doc/README.reputation, doc/Makefile.am, doc/snort_manual.pdf, doc/snort_manual.tex, preproc_rules/preprocessor.rules, src/dynamic-preprocessors/Makefile.am, configure.in, src/preprocids.h, etc/gen-msg.map:
  Added the IP Reputation preprocessor. This preprocessor provides the ability to allowlist and blocklist packets based on IP addresses. See README.reputation for more information.
* src/: sf_types.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-preprocessors/dcerpc2/Makefile.am, dynamic-preprocessors/dcerpc2/dce2_config.c, dynamic-preprocessors/dcerpc2/dce2_debug.h, dynamic-preprocessors/dcerpc2/dce2_paf.c, dynamic-preprocessors/dcerpc2/dce2_paf.h, dynamic-preprocessors/dcerpc2/sf_dce2.dsp, dynamic-preprocessors/dcerpc2/snort_dce2.c:
  Added protocol-aware flushing support for the dcerpc2 preprocessor.

* src/dynamic-plugins/sf_convert_dynamic.c:
  Added the ability to convert shared object rules that use the preprocessor rule option.

* src/preprocessors/: snort_httpinspect.c, spp_httpinspect.c, HttpInspect/include/hi_paf.h, HttpInspect/utils/hi_paf.c, Stream5/snort_stream5_tcp.c:
  Don't enable paf unless stream ports are configured for the given direction; add "(PAF)" to http inspect ports output to indicate when enabled; and only register port for given direction if corresponding flow depth is set. Support full 32-bit content-lengths and chunk sizes, and flush/abort when exceeded.

* doc/README.SMTP, doc/snort_manual.tex, src/dynamic-preprocessors/smtp/smtp_config.h, src/dynamic-preprocessors/smtp/smtp_util.c, src/dynamic-preprocessors/smtp/snort_smtp.c, src/dynamic-preprocessors/smtp/snort_smtp.h, src/dynamic-preprocessors/smtp/spp_smtp.c:
  Fixed performance issue: allocate the buffers used for filename, mailfrom and rcptto logging using mempool ('memcap' used to allocate the mempool). Added a fatal error when b64_decode_depth is used with enable_mime_decoding.

2011-06-13  Ryan Jordan  Snort 2.9.1 Beta

* configure.in:
  Updates to configure.in.
  - Fix zlib checks to use correctly named variable for checking zlib header and library existence.
  - Enable IPv6 by default in builds. Can use --disable-ipv6 to turn it off. using --enable-zlib, configure should fail. snort -V should show IPv6 by default and VRT config should load without modification.
  - Added a new option, "--enable-large-pcap", which allows Snort to read pcap files that are larger than 2 GB.
  - Changed the default ./configure options to match the requirements for the bundled snort.conf

* doc/: INSTALL, README.imap, README.pop, README.SMTP, README.stream5, README.sip, README.tag, README.http_inspect, README.counts, README.normalize, snort_manual.pdf, snort_manual.tex:
  Updated documentation for Snort 2.9.1:
  - Added documentation for new SIP, POP and IMAP preprocessors
  - Updated README.stream5 with documentation for Protocol Aware Flushing (PAF)
  - Updated README.http_inspect with memcap information, clarified "http_cookie" information, and documentation for "log_uri" and "log_hostname".
  - Fixed a typo in README.counts
  - Updated "byte_extract" section to reflect syntax changes
  - Improved the explanation of "max_queued_events"
  - Added documentation for the ESP decoder, which is now configurable
  - Improved the explanation of "rawbytes"
  - Fixed an incorrect example in README.tag.

* etc/snort.conf:
  Synced snort.conf with VRT's latest version. Added configurations for new preprocessors.

* preproc_rules/: decoder.rules, preprocessor.rules:
  Added new preprocessor rules for SIP, SMTP, POP, and IMAP. Added decoder rules 116:453, 116:454, and 116:455. These rules were formerly covered by VRT rules.

* src/build.h:
  Updated build number to 46

* src/decode.c:
  TCP and UDP decoder rules that require a fully-decoded packet will only fire if the checksum is correct and the port number is not ignored. ESP decoding is now configurable, and off by default. The "config enable_decode_oversized_alerts" option now applies to packets where the UDP header claims there is more data than actually exists. The Teredo decoder now only processes packets in the Teredo prefix (2001:0000::/32) or the link-local prefix (fe80::/16).

* src/detection-plugins/sp_cvs.c:
  Fixed a false positive in the CVS detection plugin.

* doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c:
  Made some changes to the byte_extract syntax:
  - Writing "string" without a number type defaults to decimal.
  - The "string" and "hex/dec/oct" options are now independent of each other, like in byte_test and byte_jump. You can write "string,dec", "hex,string", "string,relative,oct", etc.
  - Specifying one of "hex", "dec", and "oct" without using "string" results in an error.
  - byte_extract options can no longer be delimited by spaces. This does not affect "align " or "multiplier ".

* src/: parser.c, util.c, util.h, detection-plugins/sp_base64_decode.c, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sp_dynamic.c, dynamic-preprocessors/smtp/smtp_util.c, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/server/hi_server.c, sfutil/sf_base64decode.c, sfutil/sf_base64decode.h:
  Changes include the following:
  - Attempt dechunking only when transfer-encoding: chunked is present.
  - Override the content length with transfer encoding.
  - SnortStrcasestr uses slen now.
  - Unfolding: trim spaces when required.

* src/: pcap_pkthdr32.h, preprocessors/spp_frag3.c, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_common.h, sfutil/sf_ipvar.c, sfutil/sf_ipvar.h, sfutil/sf_vartable.c:
  Update Frag3/Stream5 to print bound addresses, better descriptions of detect anomalies and port lists.
  - Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds
  - Updated Frag3 to print meaningful detect anomalies configuration
  - Updated Stream5 to print that there are more ports than those printed.

* src/dynamic-plugins/sf_engine/: Makefile.am, sf_decompression.c, sf_decompression.h, sf_snort_detection_engine.c, sf_snort_plugin_api.h:
  Added a Decompression API that wraps Zlib for use with dynamic plugins. See sf_decompression.h for more details.

* src/: fpcreate.c, fpdetect.c, treenodes.h:
  Update pattern matcher and sort functions to correctly sort by priority as well as implement sorting by content_length (which was never done with the 2.8.2 addition of the rule option tree).
  Added a warning when max-pattern-len is defined twice. Packets will no longer be tagged or logged if they are filtered or passed.

* src/preprocessors/Stream5:
  Ensured that reassembly doesn't require packet dropping in IPS mode. The message "additional ports configured but not printed" is only printed when that is actually the case.

* src/snort.c:
  Fix output of filename / shutdown alerts sequence when iterating over multiple pcaps with --pcap-show --pcap-reset and console alerts (e.g. -A cmg or -A console:test). Fixed an issue with reloading Snort while the default output options were used. When reading several pcap files with --pcap-dir, Snort will move on to the next file if one fails to load.

* src/output-plugins/spo_alert_full.c:
  Update alert_full to print rule references, regardless of whether there is TCP/UDP/etc.

* src/output-plugins/spo_log_tcpdump.c:
  Convert DLT_IPV{4,6} to DLT_RAW for compatibility with libpcap 1.0.0. Fix 'mixed decls and code' compiler warning.

* src/: decode.h, detect.c, detection_util.c, detection_util.h, fpcreate.c, fpdetect.c, log.c, log_text.c, parser.h, plugbase.c, rule_option_types.h, detection-plugins/Makefile.am, detection-plugins/detection_options.c, detection-plugins/sp_base64_data.c, detection-plugins/sp_byte_check.c, detection-plugins/sp_byte_extract.c, detection-plugins/sp_byte_jump.c, detection-plugins/sp_file_data.c, detection-plugins/sp_ftpbounce.c, detection-plugins/sp_isdataat.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_pcre.c, detection-plugins/sp_pkt_data.c, detection-plugins/sp_pkt_data.h, dynamic-plugins/sf_convert_dynamic.c, dynamic-plugins/sf_dynamic_common.h, dynamic-plugins/sf_dynamic_define.h, dynamic-plugins/sf_dynamic_engine.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h, dynamic-plugins/sf_engine/sf_snort_detection_engine.c, dynamic-plugins/sf_engine/sf_snort_packet.h,
  dynamic-plugins/sf_engine/sf_snort_plugin_api.c, dynamic-plugins/sf_engine/sf_snort_plugin_content.c, dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/pp_telnet.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/smtp/smtp_util.c, dynamic-preprocessors/smtp/snort_smtp.c, dynamic-preprocessors/smtp/snort_smtp.h, preprocessors/snort_httpinspect.c, preprocessors/snort_httpinspect.h, preprocessors/spp_rpc_decode.c, preprocessors/HttpInspect/server/hi_server.c, preprocessors/HttpInspect/server/hi_server_norm.c, preprocessors/Stream5/snort_stream5_tcp.c:
  The "file_data" and "base64_data" rule options now set the buffer for any rule options that follow them. This applies to both relative and non-relative rule options. The detection code now uses 3 separate buffers:
  - "Alt Detect": set by file_data, base64_data, etc.
  - "Alt Decode": set by preprocessor normalization, e.g. HTTP Inspect
  - Raw packet data
  The AltDetect buffer can also be set by custom .so rules.

* src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h:
  IPv6 source and destination addresses are now logged in Unified2 as extra data events. This is configured with "config log_ipv6_extra_data".
* src/dynamic-preprocessors/sip/Makefile.am, src/dynamic-preprocessors/sip/sf_sip.dsp, src/dynamic-preprocessors/sip/sip_config.c, src/dynamic-preprocessors/sip/sip_config.h, src/dynamic-preprocessors/sip/sip_debug.h, src/dynamic-preprocessors/sip/sip_dialog.c, src/dynamic-preprocessors/sip/sip_dialog.h, src/dynamic-preprocessors/sip/sip_parser.c, src/dynamic-preprocessors/sip/sip_parser.h, src/dynamic-preprocessors/sip/sip_roptions.c, src/dynamic-preprocessors/sip/spp_sip.c, src/dynamic-preprocessors/sip/spp_sip.h, src/dynamic-preprocessors/sip/sip_roptions.h, src/dynamic-preprocessors/sip/sip_utils.c, src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip, etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am, src/dynamic-preprocessors/sip/test/sip_test.c, configure.in, src/dynamic-preprocessors/Makefile.am:
  Added a new preprocessor for SIP traffic. See README.sip and the Snort Manual for more information.

* src/: dynamic-preprocessors/dcerpc2/dce2_utils.c, dynamic-preprocessors/dcerpc2/spp_dce2.c, preprocessors/spp_frag3.c:
  Make the Frag3 OpenBSD Vuln alert only happen if the frag policy is 'linux' (which includes OpenBSD). The 'bsd' policy is NOT used for OpenBSD, which is the only OS on which the vulnerability was present. This reduces false positives: the alert now only occurs when the frag3 policy is linux and it's an actual Linux system, rather than the alert occurring regardless of frag policy.
* src/: detection-plugins/Makefile.am, detection-plugins/sp_byte_extract.c, detection-plugins/sp_byte_extract.h, dynamic-plugins/sf_convert_dynamic.c, dynamic-plugins/sf_engine/Makefile.am, dynamic-plugins/sf_engine/sf_snort_detection_engine.c, dynamic-plugins/sf_engine/sf_snort_detection_engine.h, dynamic-plugins/sf_engine/sf_snort_plugin_api.c, dynamic-plugins/sf_engine/sf_snort_plugin_api.h, dynamic-plugins/sf_engine/sf_snort_plugin_byte.c, dynamic-plugins/sf_engine/sf_snort_plugin_content.c, dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c, dynamic-plugins/sf_engine/sf_snort_plugin_loop.c, dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
  Added support for ByteExtract variables to the .so rule versions of Content, ByteTest, ByteJump, and isdataat.

* src/: encode.c, preprocessors/spp_normalize.c, preprocessors/Stream5/snort_stream5_tcp.c, preprocessors/Stream5/stream5_common.c:
  Fixed the TTL on encoded response packets.

* src/: fpcreate.c, fpdetect.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_pattern_match.h, dynamic-plugins/sf_dynamic_define.h, dynamic-plugins/sf_engine/sf_snort_detection_engine.c, dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
  Update to not inspect the HTTP method buffer with Snort's fast pattern engine. Rules with only HTTP method content end up as non-content rules. This eliminates a short cycle of searches with fast pattern on every initial HTTP request.

* src/dynamic-preprocessors/pop/: all files
  Added a new preprocessor for POP traffic. See README.pop for more information.

* src/dynamic-preprocessors/imap/: all files
  Added a new preprocessor for IMAP traffic. See README.imap for more information.

* src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
  Base64 decoding was moved to its own section in sfutil, for use by the new email preprocessors. Added support for uuencoded email attachments.
* src/dynamic-preprocessors/sdf/spp_sdf.c:
  The Sensitive Data preprocessor now inspects the "file_data" buffer, used for HTTP response bodies & decoded email attachments.

* src/: snort.c, preprocessors/spp_stream5.c, preprocessors/stream_api.h:
  Update Snort to return a DAQ verdict of allowlist (meaning don't send Snort any more packets) for sessions that are being ignored in both directions or ports that are configured to ignore. For DAQ modules and hardware that support it, this should result in a performance gain because Snort no longer has to decode packets that are part of that connection.

* src/util.c:
  Added an error message when opening a pid file fails.

* src/preprocessors/HttpInspect/: client/hi_client.c, server/hi_server.c:
  The Set-Cookie: and Cookie: headers won't be included in the cookie buffers.

* configure.in, src/active.c, src/active.h, src/decode.h, src/encode.c, src/encode.h, src/log_text.c, src/log_text.h, src/parser.c, src/parser.h, src/sf_types.h, src/sfdaq.c, src/sfdaq.h, src/snort.h, src/snort_debug.h, src/detection-plugins/sp_react.c, src/detection-plugins/sp_respond3.c, src/dynamic-plugins/sf_dynamic_define.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h, src/preprocessors/snort_httpinspect.c, src/preprocessors/spp_httpinspect.c, src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h, src/preprocessors/HttpInspect/Makefile.am, src/preprocessors/HttpInspect/include/Makefile.am, src/preprocessors/HttpInspect/include/hi_paf.h, src/preprocessors/HttpInspect/mode_inspection/hi_mi.c, src/preprocessors/HttpInspect/server/hi_server.c, src/preprocessors/HttpInspect/utils/Makefile.am, src/preprocessors/HttpInspect/utils/hi_paf.c, src/preprocessors/Stream5/Makefile.am, src/preprocessors/Stream5/snort_stream5_icmp.c, src/preprocessors/Stream5/snort_stream5_session.c, src/preprocessors/Stream5/snort_stream5_tcp.c, src/preprocessors/Stream5/snort_stream5_tcp.h, src/preprocessors/Stream5/snort_stream5_udp.c,
  src/preprocessors/Stream5/stream5_common.c, src/preprocessors/Stream5/stream5_common.h, src/preprocessors/Stream5/stream5_paf.c, src/preprocessors/Stream5/stream5_paf.h, src/sfutil/sf_textlog.h:
  Added support in Stream5 for Protocol Aware Flushing (PAF). PAF allows Snort to statefully scan a stream and reassemble a complete PDU regardless of segmentation. Added PAF support to HTTP Inspect, allowing the preprocessor to determine when HTTP sessions are flushed by Stream5. See README.stream5 for more details.

* src/preprocessors/: stream_ignore.h, stream_ignore.c, Stream5/snort_stream5_udp.c:
  Added support for ignoring UDP channels. A lightweight session will be created to track the UDP channel, even if the ports are not monitored.

* src/win32/: most files
  Updated Snort and its libraries to build/link against MFC.

2011-03-23  Steven Sturges

* src/build.h:
  Increment Snort build number to 134

* src/: decode.h, encode.c:
* src/dynamic-plugins/sf_engine/: sf_snort_packet.h:
* src/preprocessors/: spp_sfportscan.c, spp_frag3.c:
* src/output-plugins/: spo_alert_fast.c:
* src/preprocessors/Stream5/: stream5_common.c:
  Updated portscan to set the protocol correctly in the raw packet for IPv6 and changed the encoder to recognize portscan packets as pseudo packets so that the checksum isn't calculated.

* src/: sfdaq.c, util.c:
  Improve handling of DAQ failure codes when Snort is shutting down.

* src/preprocessors/spp_perfmonitor.c:
  Update perfmonitor to create new files prior to dropping privs.

2011-03-16  Ryan Jordan  Snort 2.9.0.5

* src/build.h:
  Increment Snort build number to 132

* src/snort.c:
* src/preprocessors/: normalize.c, perf-base.c, perf-base.h, Stream5/snort_stream5_tcp.c:
  TCP timestamp options are only NOPed by the Normalization preprocessor if Stream5 has seen a full 3-way handshake, and timestamps weren't negotiated. The IPS mode reassembly policy has been refactored to do stream normalization within the first policy.
  Packets injected by the normalization preprocessor are now counted in the packet statistics.

* doc/snort_manual.tex:
* src/: parser.c, parser.h:
* src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
  Added a "config vlan_agnostic" setting that globally disables Stream's use of the vlan tag in session tracking.

* src/: snort.c, preprocessors/normalize.c, preprocessors/spp_normalize.c, preprocessors/spp_normalize.h, preprocessors/perf-base.c, preprocessors/perf-base.h:
* doc/: README.normalize, snort_manual.pdf, snort_manual.tex:
  Fixed the normalization preprocessor to call its post-initialization config functions during a policy reload. Packets can no longer be trimmed below the minimum ethernet frame length. Trimming is now configurable with the "normalize_ip4: trim;" option. TOS clearing is now configurable with "normalize_ip4: tos;". The "normalize_ip4: trim" option is automatically disabled if the DAQ can't inject packets. If the DAQ tries and fails to inject a given packet, the wire packet is not blocked. Updated documentation regarding these changes.

* src/detection-plugins/sp_cvs.c:
  Fixed a false positive in the CVS detection plugin. It was incorrectly parsing CVS entries that had a '+' in between the 3rd and 4th slashes.

* src/preprocessors/HttpInspect/: client/hi_client.c, server/hi_server.c:
  Changed a pointer comparison to a size check for code readability. Belated thanks to Dwane Atkins and Parker Crook for reporting a related issue that was fixed in Snort 2.9.0.4 build 111. Moved the zlib initialization such that gzipped responses are still inspected if the zipped data starts after the first Stream-reassembled packet is inspected.

* src/decode.c:
  Fixed an issue with decoding too many IP layers in a single packet. The Teredo proto bit was not unset after hitting the limit on IP layers. Thanks to Dwane Atkins for reporting this issue. IPv6 fragmented packets are no longer inspected unless they have an offset of zero and the next layer is UDP.
  This behavior is consistent with IPv4 decoding. Thanks to Martin Schütte for reporting an issue where fragged ICMPv6 packets were being inspected. The decoder no longer attempts to decode Teredo packets inside of IPv4 fragments, instead waiting for the reassembled packet.

* src/encode.c:
  Fixed a problem where encoded packets had their lengths calculated incorrectly. This caused the active response feature to generate incorrect RST packets if the original packet had a VLAN tag.

* preproc_rules/preprocessor.rules:
  Updated references to rule 125:1:1

* src/preprocessors/spp_perfmonitor.c:
  Perfmonitor files are now created after Snort changes uid/gid.

* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
  Fixed the size formatting of an error message argument when compiling with --enable-rzb-saac. Thanks to Cleber S. Brandão for reporting this issue.

* etc/snort.conf:
  Updated the default snort.conf with max compress and decompress depths to enable unlimited decompression of gzipped HTTP responses.

* snort.8:
  Fixed the man page's URL regarding the location of Snort rules. Thanks to Michael Scheidell for reporting an out-of-date man page section.

* doc/README.http_inspect, doc/snort_manual.tex, src/preprocessors/snort_httpinspect.c:
  HTTP Inspect's "unlimited_decompress" option now requires that "compress_depth" and "decompress_depth" are set to their max values.

* src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h, dynamic-plugins/sf_dynamic_engine.h, preprocessors/Stream5/snort_stream5_tcp.c:
  Fixed an error that prevented compiling with --disable-dynamicplugin. Thanks to Jason Wallace for reporting this issue.

* src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c, snort_ftptelnet.h, spp_ftptelnet.c:
  Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside the ftp_telnet preprocessor to avoid a naming conflict with similar functions in HTTP Inspect. Thanks to Bruce Corwin for reporting this issue.
* src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c, perf-flow.h: Fixed comparisons between signed and unsigned int, which led to a faulty length check. Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this issue.

2011-02-28 Ryan Jordan Snort 2.9.0.4

* src/build.h: Increment Snort build number to 111.
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/HttpInspect/server/hi_server.c: Fixed a bug in the way partial HTTP headers are handled.

2011-02-10 Ryan Jordan Snort 2.9.0.4

* src/build.h: Increment Snort build number to 110
* snort.8, src/snort.c: Updated Snort man page to match the output of "snort --help". Removed "-o" from the list of valid options, since it was removed a while ago. The verdict from defragged packets is no longer cleared, so that it can be applied to the raw packet. Thanks to Markus Lude for submitting a patch that fixed errors in the man page.
* src/fpcreate.c: Deleted the call to fpDeletePortGroup() prior to calling FatalError().
* src/parser.c: Fixed portvar parsing code to correctly display names of undefined portvars.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed a FIN sequence number handling issue, where RST after FIN caused a false positive on Stream5 preprocessor rule 129:15. Thanks to Jason Wallace for pointing out the issue.
* doc/: INSTALL, README.frag3, README.http_inspect, README.stream5, snort_manual.tex, snort_manual.pdf: Added documentation for the option "small-segments". Updated team members. Clarified some undocumented "flow" options. Minor edits to punctuation on "ssl_version" examples. Re-worded uricontent's description. Added missing semicolons to rule option examples. Updated "enable_cookie" documentation. Added documentation for "iis_encode" in http_encode keywords. Improved the description of the "disable" keyword. Added "--enable-sourcefire" description. Thanks to Joshua Kinard for sending in several patches to the manual.
* doc/: Makefile.am, README.rzb_saac: Added SaaC readme.
* configure.in, doc/Makefile.am, doc/README.rzb_saac, src/snort.c, src/util.c, src/util.h, src/dynamic-plugins/sf_engine/examples/Makefile.am, src/dynamic-preprocessors/Makefile.am, src/dynamic-preprocessors/dns/spp_dns.c, src/dynamic-preprocessors/rzb_saac/Makefile.am, src/dynamic-preprocessors/rzb_saac/rzb_debug.c, src/dynamic-preprocessors/rzb_saac/rzb_debug.h, src/dynamic-preprocessors/rzb_saac/rzb_http-client.c, src/dynamic-preprocessors/rzb_saac/rzb_http-client.h, src/dynamic-preprocessors/rzb_saac/rzb_http-collector.h, src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c, src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h, src/dynamic-preprocessors/rzb_saac/rzb_http-server.c, src/dynamic-preprocessors/rzb_saac/rzb_http-server.h, src/dynamic-preprocessors/rzb_saac/rzb_http.h, src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c, src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h, src/dynamic-preprocessors/rzb_saac/sf_preproc_info.h, src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c: Added Razorback SaaC to the dynamic-preprocessors. Use --enable-rzb-saac to build it. Moved the initgroups call to a separate function and call it from the main thread.
* src/detection-plugins/sp_clientserver.c: Fixed an erroneous error check so that "no_frag" and "no_stream" can be used in the same "flow" rule option.
* src/detection-plugins/sp_pattern_match.c: Rules that use a "depth" value lower than the length of their content now cause an error. Depth should be >= the content length.
* src/detection-plugins/sp_tcp_flag_check.c: Changed the reserved bits flags "1, 2" to "C, E". The old values can still be used for backwards compatibility.
* preproc_rules/preprocessor.rules: Added references to FTP and SMTP preprocessor rules.
* src/dynamic-plugins/sf_engine/examples/: detection_lib_meta.h: Removed extraneous ifdef
* src/: preprocessors/spp_frag3.c, preprocessors/spp_sfportscan.c, dynamic-preprocessors/dcerpc2/dce2_config.c: Added a startup log message to show that the preprocessors are inactive when added to snort.conf as "disabled". Updated the frag3 startup log to indicate the memcap from which prealloc fragments were generated.
* src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c: Updated the Frag3KeyCmp and Stream5KeyCmp functions to handle 32bit sparc platforms where 64bit pointer comparisons can cause bus errors. Thanks to Stephan for reporting this issue.
* src/: preprocessors/portscan.c, win32/WIN32-Includes/config.h: Portscan preprocessor's hash table is now allocated based on the memcap, instead of always being the same size.
* src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_utils.c, dce2_smb.c: Fixed a bug that caused dcerpc2 to reassemble some segments incorrectly. If extra bytes at the end of a request corrupt the next request, they will be discarded.
* src/dynamic-preprocessors/ssl/spp_ssl.c: Updated the SSL preproc to count the packets it processes, instead of counting all packets that enter the initial function.
* doc/: faq.tex, faq.pdf: Updated FAQ based on snort.org reorganization.
* doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex: Updated cookie documentation. The cookie buffer includes the "Cookie" header name for HTTP requests and "Set-Cookie" for HTTP responses. When enable_cookie is disabled, the cookie buffer points to the HTTP header.
* src/preprocessors/snort_httpinspect.c: Fixed the error message during parsing of the HTTP inspect server config. Made it a warning.
* src/: detection_util.h, preprocessors/snort_httpinspect.c, preprocessors/spp_httpinspect.c, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/include/hi_client.h, preprocessors/HttpInspect/include/hi_norm.h, preprocessors/HttpInspect/include/hi_ui_config.h, preprocessors/HttpInspect/normalization/hi_norm.c, preprocessors/HttpInspect/server/hi_server.c: Fixed a false positive due to a large chunk length followed by a small packet. Moved the lookup tables such that they are initialized only once. When de-chunking returns an error, the data is now inspected as a normal body. Moved the Initialize function out of hi_ui_config.h. CRLFs are no longer placed in the status message buffer.
* many files: Updated all Sourcefire copyright notices to the year 2011.

2010-12-20 Ryan Jordan Snort 2.9.0.3

* src/build.h: Increment Snort build number to 98
* doc/: snort_manual.tex, snort_manual.pdf: Fixed Snort manual descriptions of some rule options. Changed whitespace in several areas to be more consistent. Max mime mem example changed from 1000 to 4000. Updated manual for distance / within / offset / depth combos. Thanks to Joshua Kinard for submitting several fixes.
* doc/INSTALL: Update doc/INSTALL with instructions for building on OpenBSD.
* src/dynamic-preprocessors/smtp/smtp_config.c: Print alert_unknown_commands in the SMTP config of snort output. Print the SMTP MIME config details with snort output.
* src/: decode.c, decode.h, snort.c: Discriminate between ip4 and ip6 raw packets. Thanks to Gerald Maziarski for reporting this issue.
* src/detection-plugins/: detection_options.c, sp_byte_jump.c, sp_pattern_match.c: Restore doe flags along with the doe pointer.
* preproc_rules/preprocessor.rules: Updated preprocessor.rules references to match VRT.
* src/dynamic-preprocessors/smtp/spp_smtp.c: When the SMTP preprocessor is started in a "disabled" state, it no longer requires Stream5.
* src/decode.c: Truncated ESP traffic is now handled correctly.
Thanks to rmkml for bringing the issue to our attention.
* src/: decode.c, fpdetect.c: Fixed a problem with handling UDP/IPv6 over Teredo where the inner UDP header was malformed.
* preproc_rules/preprocessor.rules: Added a reference to preprocessor.rules.
* src/detection-plugins/: detection_options.c, sp_pattern_match.c: Update content to check for HTTP_RESP_BODY in the packet flag if the option is relative and not using rawbytes.
* etc/snort.conf: Update with snort.conf from VRT
* src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h: Bumped minor version number in example detection lib.
* src/preprocessors/spp_frag3.c: Fix memory leak when there are two zero offset fragments with different IP options. Previous code was blindly copying new IP options over top of existing ones.
* src/dynamic-plugins/sf_engine/: sf_snort_detection_engine.c, sf_snort_plugin_api.h: Fixed overlaps in various flags in the Shared Object rule API. Shared Object rules from previous 2.9.0 versions need to be recompiled.
* src/detection-plugins/sp_pattern_match.c: Moved non-zero initializations in the PatternMatchData struct to the NewNode() function. This fixes the use of depth, offset, distance, and within on uricontent options. Reject invalid combinations of distance/within and offset/depth, including repeated keywords. Thanks to Dave Bertouille and Daniel Clemens for pointing out issues here.
* src/: snort.c, util.c, util.h: Write the correct pid to file for glibc2.2 / linux threads.
* src/preprocessors/: snort_httpinspect.c, HttpInspect/mode_inspection/hi_mi.c: Fixed an instance where HTTP session data was not checked.

DAQ 0.5

* daq/os-daq-modules/Makefile.am: The IPFW DAQ now builds on OpenBSD. Thanks to Ross Lawrie, Randall Rioux, and many others for reporting this.
2010-11-15 Ryan Jordan Snort 2.9.0.2

* preproc_rules/preprocessor.rules: Added a reference to an 0day ProFTP bug in an FTP preprocessor rule.
* src/build.h: Increment Snort build number to 92
* src/preprocessors/Stream5/snort_stream5_tcp.c: Count only acked segs for flushing post-ack. Thanks to Eoin Miller for helping track this issue and provide test scenarios.
* src/detection_util.h:
* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
* src/preprocessors/Stream5/snort_stream5_tcp.c: Fix file_data:mime in SO rules. Content matches following file_data:mime should not enter the fast pattern matcher. Reset file_data_ptr once the stream flush is done and the stream reassembled packet is processed.
* src/dynamic-preprocessors/ssl/spp_ssl.c: Fix return value for SSL rule options
* src/: plugbase.h, preprocessors/snort_httpinspect.c: Set the dce preproc bit in HTTP only when server flow depth is -1
* src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_smb.c, dce2_utils.c, dce2_utils.h, includes/smb.h: Use offset or remaining fields and overwrite as appropriate instead of always appending data
* src/preprocessors/HttpInspect/server/hi_server.c:
* src/preprocessors/HttpInspect/client/hi_client.c: Fixed a couple of memory leaks.
* src/preprocessors/HttpInspect/mode_inspection/hi_mi.c: Fixed an error in the handling of HTTP Session Data.
* doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex: Update to the snort manual. Remove the stream5 alerts. Reference the gen-msg.map.
* preprocessors/Stream5/snort_stream5_tcp.c: Urgent pointer handling corrected for one byte of urgent data at the start of a segment. The general case of an N-byte urgent payload prefix would be handled here by removing the == 1 limit in urg_offset == 1, but that restriction is not safe until we flush urgent data. As is, urgent data is never flushed in reassembled packets and can only be detected in raw packets.
* src/: decode.h, detection_util.h, plugbase.h, preprocessors/snort_httpinspect.c, preprocessors/snort_httpinspect.h, preprocessors/HttpInspect/server/hi_server.c: Apply server flow depth on a session basis rather than a per-packet basis. This change improves performance by disabling detection on a packet when the packet is beyond the specified flow depth. server_flow_depth now takes values from -1 to 65535.
* src/parser.c: Correct the setting of dup_opt_func and clean up the existing opt_func list beforehand to address a parse-time leak.

2010-11-01 Ryan Jordan Snort 2.9.0.1

* doc/: snort_manual.pdf, snort_manual.tex: Added "flush_factor". Fixed incorrect line wrap (thx Shawn Thompson). Values for within and depth updated.
* src/build.h: Increment Snort build number to 82.
* src/preprocessors/HttpInspect/: client/hi_client.c, server/hi_server.c: HTTP header buffers (raw/normalized) now include the missing \n (of \r\n\r\n).
* src/target-based/sf_attribute_table.y: Set YYMAXDEPTH to something that covers a large number of services for a single host.
* src/parser.c, src/preprocessors/spp_stream5.c, doc/snort_manual.pdf, doc/snort_manual.tex: Fix use of config flowbits_size and update the default to 1024.
* src/detection-plugins/sp_pcre.c: Correct calculation of offset to its original now that libpcre is fixed.
* src/: detection-plugins/sp_pcre.c, win32/WIN32-Includes/pcre.h, win32/WIN32-Includes/pcreposix.h, win32/WIN32-Libraries/pcre.lib: Update Win32 libpcre to a newer version and use --enable-newline-is-cr instead of --enable-newline-is-any. Also added comments to sp_pcre.c in terms of how Snort is interpreting the ovector from pcre_exec.
* etc/gen-msg.map: Added rules 120:4 and 120:5 to gen-msg.map.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Fix issue when handling overlap limit enforcement. Thanks to rmkml and Miguel Alvarez for pointing out the issue.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Fix flush after initial when acks are withheld, conditional on NORMALIZER; process stream after window slam unless normalizing; fully separate pre-ack flush from post-ack flush to ensure switching on policy for listener direction; allow window limit greater than 16-bit; tweak flush point tracing. Added preprocessor rule 129:19, window slam.
* src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_common.h: Add stream5_tcp: flush_factor <#>
* doc/snort_manual.tex, src/detection-plugins/sp_ttl_check.c: Allow >= and <= with the ttl keyword. Also fix the parsing for ttl. Update manual.
* src/util.c: Make the parent_wait variable volatile so it doesn't get optimized out.
* src/decode.c: In CheckIPv4_MinTTL(), use the ttl passed as an argument instead of the packet's IP header.
* preproc_rules/preprocessor.rules: Adds preprocessor rule 129:19
* etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c, src/generators.h: Ported .so rule for ICMP DOS to decoder.
* etc/gen-msg.map, src/generators.h,
* src/: active.c, encode.c, detection-plugins/sp_react.c: Set ack number appropriately
* src/preprocessors/snort_httpinspect.c: The file data ptr should be set to the decode buffer when the http response body is normalized.
* src/preprocessors/HttpInspect/: client/hi_client.c, server/hi_server.c: Inspect stream inserted packets to check if they have a valid HTTP response. When there is a single segment HTTP response, inspect the body. Don't wait for the reassembled packet (due to flush point issues).
* src/: detection_util.h, fpdetect.c, detection-plugins/sp_byte_check.c, detection-plugins/sp_byte_extract.c, detection-plugins/sp_byte_jump.c, detection-plugins/sp_ftpbounce.c, detection-plugins/sp_isdataat.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_pcre.c, preprocessors/snort_httpinspect.c, preprocessors/HttpInspect/server/hi_server.c: When extended_response_inspection is not enabled, check for "HTTP".
If present, apply flow depth; otherwise do not disable detection and don't apply flow depth.
* doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex: Update Manual and README.http_inspect
* src/signature.c: Remove commented out printfs
* src/preprocessors/HttpInspect/server/hi_server.c: Inspect stream reassembled packets only when stream reassembly is turned on.
* tools/u2boat/Makefile.am: Update Makefile to include docdir
* src/encode.c: Don't calculate checksum for pseudo-packets
* src/: decode.c, decode.h, detect.c, detection_util.c, detection_util.h, fpdetect.c, log.c, log_text.c, mstring.c, detection-plugins/detection_options.c, detection-plugins/sp_asn1.c, detection-plugins/sp_base64_data.c, detection-plugins/sp_base64_decode.c, detection-plugins/sp_byte_check.c, detection-plugins/sp_byte_extract.c, detection-plugins/sp_byte_jump.c, detection-plugins/sp_file_data.c, detection-plugins/sp_ftpbounce.c, detection-plugins/sp_isdataat.c, detection-plugins/sp_pattern_match.c, detection-plugins/sp_pcre.c, detection-plugins/sp_urilen_check.c, dynamic-plugins/sf_dynamic_common.h, dynamic-plugins/sf_dynamic_engine.h, dynamic-plugins/sf_dynamic_plugins.c, dynamic-plugins/sf_dynamic_preprocessor.h, dynamic-plugins/sf_engine/sf_snort_detection_engine.c, dynamic-plugins/sf_engine/sf_snort_plugin_api.c, dynamic-plugins/sf_engine/sf_snort_plugin_content.c, dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c, dynamic-preprocessors/ftptelnet/pp_ftp.c, dynamic-preprocessors/ftptelnet/pp_telnet.c, dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, dynamic-preprocessors/smtp/smtp_util.c, dynamic-preprocessors/smtp/snort_smtp.c, output-plugins/spo_unified2.c, preprocessors/snort_httpinspect.c, preprocessors/spp_httpinspect.c, preprocessors/spp_rpc_decode.c, preprocessors/HttpInspect/client/hi_client.c, preprocessors/HttpInspect/normalization/hi_norm.c, preprocessors/HttpInspect/server/hi_server.c, preprocessors/HttpInspect/server/hi_server_norm.c,
preprocessors/Stream5/snort_stream5_tcp.c: Add a buffer length attribute to the alt decode buffer and don't set the alt decode flag for alt_dsize changes, which are indicated by that value being non-zero.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Purge listener for pre-ack. Flip the direction to match the configurations in stream5_tcp.
* src/: decode.h, preprocessors/spp_httpinspect.c, preprocessors/HttpInspect/normalization/hi_norm.c: Add new keyword to http_encode to detect ascii encoding
* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: Propagate noalert back to the detection option tree.
* src/: parser.c, signature.c, signature.h: Allow multiple .so rules to reference a single soid metadata.
* doc/: README.active, README.daq, snort_manual.pdf, snort_manual.tex: Clarify use of multiple --daq and config daq.
* src/parser.c: Error on multiple --daq args

2010-10-04 Ryan Jordan Snort 2.9.0

* doc/Makefile.am:
* doc/README.FLEXRESP:
* doc/README.FLEXRESP2:
* doc/README.http_inspect:
* doc/README.INLINE:
* doc/README.ipv6:
* doc/README.stream5:
* doc/README.wireless:
* doc/snort_manual.tex: Removed obsolete README files. Updated README.ipv6. Documented other changes made below.
* etc/gen-msg.map:
* preproc_rules/preprocessor.rules:
* src/generators.h: Added new preprocessor rules for HTTP Inspect and Frag3. Removed an old preprocessor rule for the already-removed dcerpc preprocessor.
* rpm/snort.spec:
* src/build.h: Updated version numbers.
* src/dynamic-plugins/sp_dynamic.c:
* src/fpcreate.c: Shared Object rules which use HTTP Content as their Fast Pattern should now work correctly.
* src/decode.c:
* src/decode.h:
* src/detection-plugins/detection_options.c:
* src/dynamic-plugins/sf_dynamic_engine.h:
* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
* src/dynamic-plugins/sp_preprocopt.c:
* src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
* src/dynamic-preprocessors/sdf/sdf_detection_option.c:
* src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
* src/dynamic-preprocessors/sdf/spp_sdf.c:
* src/dynamic-preprocessors/ssl/spp_ssl.c:
* src/parser.c:
* src/ppm.c:
* src/ppm.h:
* src/profiler.c:
* src/target-based/sf_attribute_table_parser.l: Miscellaneous code cleanup. Other preprocessor rules had to be modified as part of the new Stream5 rule option listed below.
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
* src/preprocessors/HttpInspect/include/hi_eo_events.h:
* src/preprocessors/HttpInspect/include/hi_norm.h:
* src/preprocessors/HttpInspect/include/hi_server_norm.h:
* src/preprocessors/HttpInspect/include/hi_ui_config.h:
* src/preprocessors/HttpInspect/normalization/hi_norm.c:
* src/preprocessors/HttpInspect/server/hi_server.c:
* src/preprocessors/HttpInspect/server/hi_server_norm.c:
* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
* src/preprocessors/snort_httpinspect.c:
* src/preprocessors/snort_httpinspect.h:
* src/preprocessors/spp_httpinspect.c:
* src/sfutil/util_utf.c:
* src/sfutil/util_utf.h:
* src/sfutil/Makefile.am:
* snort_head/snort/src/win32/WIN32-Prj/snort.dsp: HTTP Inspect now handles "chunked" Transfer-Encoding for any Content-Encoding, not just for gzipped responses. HTTP Inspect now decompresses responses with "Content-Encoding: deflate". HTTP Inspect now normalizes server responses that use UTF-16 or UTF-32 charsets.
* src/preprocessors/portscan.c:
* src/preprocessors/spp_sfportscan.c:
* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed an issue with some Stream5 sessions not being cleared until shutdown. Fixed a bug that caused false positives on Stream5 rule 129:4. Fixed a bug where Stream5 reassembled on all ports when sfportscan was in snort.conf, but in a "disabled" state. Added a preprocessor rule option, enabled by Stream5. The syntax is "reassembly: , [,noalert]". It enables/disables Stream reassembly for the session that matches the rule.

2010-09-03 Ryan Jordan Snort 2.9.0 RC

* Fixed clean shutdown after reload.
* Fixed tagging to log tagged packets regardless of filtering.
* Fixed mempool initialization of free list count bug reported by zhangz@risinginfo.com.
* Snort resized packets are now dropped and injected as required by DAQs.
* Fixed Snort I/O Totals reporting injected packets with IPFW when NO packets are injected externally.
* Tweaked Snort's dynamic preprocessor example.
* More informative dynamic preprocessor loading error messages.
* Added preprocessor alerts to alert when Snort sees a client hello after a server hello, or when Snort sees a server hello without a client hello when trustservers is disabled.
* Documentation Updates: Updates to HTTP inspect README and Snort Manual.
* Added parser error to fragoffset: Error when !, < and > operators are used with each other.
* Updated README for daq with updated information on firewalls with FreeBSD and OpenBSD
* Added more complete error checking to "byte_extract" rule option parsing.
* The Sensitive Data preprocessor no longer searches HTTP headers for PII, as this introduced unnecessary false positives. In addition, the "us_social_nodashes" rule is now off by default to avoid false positives.
* Added a new decoder alert for IPv6 extension headers that don't follow the RFC's recommended order.
* Fixed a bug in the validation of IPv6 option lengths.
* Fixed a bug in the normalization of HTTP responses with both gzipped Content-Encoding and chunked Transfer-Encoding.
* Teredo packets with another layer of UDP on top will now display the correct port numbers in console output.
* Reduced false positives on decoder alerts when "config deep_teredo_inspection" is enabled.
* Fixed a problem with evaluating UDP rules on Teredo traffic, where the result of rule evaluation on the outer UDP
* Changed the default search method in snort.conf from "ac-bnfa" to "ac-split".

2010-06-23 Steven Sturges

* doc/README.active:
* doc/README.http_inspect:
* doc/README.ssl:
* doc/snort_manual.tex: Updated descriptions of rule options.
* etc/gen-msg.map: Update messages for IPv6 decoder events.
* src/win32/Makefile.am:
* src/win32/WIN32-Includes/libnet/Devioctl.h:
* src/win32/WIN32-Includes/libnet/gnuc.h:
* src/win32/WIN32-Includes/libnet/ifaddrlist.h:
* src/win32/WIN32-Includes/libnet/IPExport.h:
* src/win32/WIN32-Includes/libnet/IPHlpApi.h:
* src/win32/WIN32-Includes/libnet/IPTypes.h:
* src/win32/WIN32-Includes/libnet/libnet-asn1.h:
* src/win32/WIN32-Includes/libnet/libnet-functions.h:
* src/win32/WIN32-Includes/libnet/libnet.h:
* src/win32/WIN32-Includes/libnet/libnet-headers.h:
* src/win32/WIN32-Includes/libnet/libnet-macros.h:
* src/win32/WIN32-Includes/libnet/LibnetNT.h:
* src/win32/WIN32-Includes/libnet/libnet-ospf.h:
* src/win32/WIN32-Includes/libnet/libnet-structures.h:
* src/win32/WIN32-Includes/libnet/Ntddpack.h:
* src/win32/WIN32-Includes/libnet/packet_types.h:
* src/win32/WIN32-Includes/libnet/NTDDNDIS.H:
* src/win32/WIN32-Includes/libnet/PACKET32.H:
* src/win32/WIN32-Includes/mysql/config-netware.h:
* src/win32/WIN32-Includes/mysql/config-os2.h:
* src/win32/WIN32-Includes/mysql/config-win.h:
* src/win32/WIN32-Includes/mysql/libmysqld.def:
* src/win32/WIN32-Includes/mysql/libmysql.def:
* src/win32/WIN32-Includes/mysql/m_ctype.h:
* src/win32/WIN32-Includes/mysql/m_string.h:
* src/win32/WIN32-Includes/mysql/my_dbug.h:
* src/win32/WIN32-Includes/mysql/my_getopt.h:
* src/win32/WIN32-Includes/mysql/my_global.h:
* src/win32/WIN32-Includes/mysql/my_pthread.h:
* src/win32/WIN32-Includes/mysql/mysqld_error.h:
* src/win32/WIN32-Includes/mysql/mysql_embed.h:
* src/win32/WIN32-Includes/mysql/my_sys.h:
* src/win32/WIN32-Includes/mysql/raid.h:
* src/win32/WIN32-Libraries/libnet/LibnetNT.lib:
* src/inline.c:
* src/inline.h:
* src/detection-plugins/sp_respond.c:
* src/detection-plugins/sp_respond2.c: Remove dead files.
* src/active.c:
* src/preprocessors/normalize.c:
* src/preprocessors/spp_normalize.c: DAQ capability updates
* src/decode.c:
* src/decode.h:
* src/generators.h: IPv6 decoding updates
* src/decode.c:
* src/log.c:
* src/log.h:
* src/log_text.c:
* src/log_text.h: Improvement of packet output when obfuscating IP addresses.
* src/detection-plugins/sp_byte_jump.c: Updates to multiplier parameter handling.
* src/detection-plugins/sp_react.c: Added HTTP header to response payload.
* src/dynamic-preprocessors/ftptelnet/pp_ftp.c: Update to handling of string format detection.
* src/dynamic-preprocessors/libs/ssl.c:
* src/dynamic-preprocessors/libs/ssl.h:
* src/dynamic-preprocessors/ssl/spp_ssl.c: Updates to handling of SSL rule options when the handshake says SSLv2 but the certificate is SSLv3, and interaction with Stream reassembled packets.
* src/dynamic-preprocessors/sdf/spp_sdf.c: Display configuration information at startup.
* src/fpdetect.c: Improved handling of gzip decoded buffer for fast pattern searches.
* src/parser.c: Updates to parsing of IP variables with negated IP ranges.
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/HttpInspect/server/hi_server.c: Chunk encoding processing updates.
* src/preprocessors/HttpInspect/client/hi_client.c:
* src/preprocessors/HttpInspect/include/hi_ui_config.h:
* src/preprocessors/HttpInspect/include/Makefile.am:
* src/preprocessors/HttpInspect/include/hi_cmd_lookup.h:
* src/preprocessors/HttpInspect/Makefile.am:
* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
* src/preprocessors/HttpInspect/utils/Makefile.am:
* src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c:
* src/preprocessors/snort_httpinspect.c:
* src/preprocessors/snort_httpinspect.h:
* src/preprocessors/spp_httpinspect.c: Use lookup for HTTP method validation.
* src/preprocessors/Stream5/snort_stream5_tcp.c: Updated state tracking for FIN_WAIT_2 and LAST_ACK
* src/sfdaq.c:
* src/sfdaq.h:
* src/snort.c:
* src/util.c: Handle -g/-u limited with DAQ modules that require root privs.

2010-06-16 Ryan Jordan Snort 2.9.0 Beta

* Snort uses the DAQ library for packet acquisition and injection. ./configure --enable-inline and --enable-ipfw are deleted. Just run ./snort -Q to activate inline mode for DAQs that support it. See the README.daq there for more.
* A normalizer preprocessor has been added to help minimize evasion vectors. Use ./configure --enable-normalizer to build and config normalize_* to enable. See README.normalize for more.
* Flexresp and flexresp2 have been replaced with a new flexresp3 module that supports the rule keywords from each. ./configure --enable-flexresp --enable-flexresp2 are deprecated.
* The react rule option has been rewritten to correct a number of issues. You can also customize the injected content with config react. Use ./configure --enable-react to build.
* config min_ttl is now policy specific. You can also set a normalization value with config new_ttl.
* Snort has a new active response capability. Build it with ./configure --enable-active-response. This mode enables automatically sending TCP resets and ICMP unreachables.
See README.active for more.
* Passive mode Snort can now inject packets for drop, sdrop, and reject rules. In addition, block and sblock rules have been added as synonyms for drop and sdrop to help avoid confusion between dropped packets and blocked packets. Configure with config response.
* Snort shutdown output now includes new counts so you can see if any events are not being reported due to event queue and pattern matching configurations. Also, ./configure --enable-timestats has been eliminated but the shutdown output of packet rates has been made standard.
* BPFs can be written for IPv6.
* ./snort -T has been expanded to validate more than just the conf. For example, you can now validate BPFs.
* Snort no longer depends on libnet and uses libdnet instead.
* Added the "byte_extract" detection option. This saves bytes from the packet into variables for use by other options.
* Added support for byte_extract variables in the following rule options:
  * content (offset, depth, distance, within)
  * byte_test (offset, comparison value)
  * byte_jump (offset)
  * isdataat (offset)
* Added decoder support for Teredo tunneling (IPv6 over UDP over IPv4).
* Added decoder support for Encapsulated Security Payload (ESP) with NULL encryption.
* Added 18 decoder rules for different types of malformed IPv6 headers.
* Moved 24 content-less rules into the packet decoder.
* The Sensitive Data preprocessor now prints its configuration on startup.
* Fixed the Snort RPM so that it installs the Sensitive Data preprocessor.
* Updated the description of the "-h" option in the Snort help output.
* Added a tools directory, with "u2boat" and "u2spewfoo". These programs can be used to turn Unified2 files into pcaps and console output, respectively.
* Replaced Unified with Unified2 in snort.conf.
* Moved the rules/ directory into its own separate tarball.
* Snort will print encapsulated layers in text output.
* Initial iteration of DCE/RPC preprocessor removed.
* SO rule updates.
Updated storeRuleData() and getRuleData() API functions. Added dynamic allocation functions allocRuleData() and freeRuleData(), mainly for data stored on a stream session and to utilize a new configuration option to put a memcap on the amount of data SO rules allocate.
* Fixed possible non-runtime memory leak in SO rule preprocessor rule options.
* Added negation support to SSL preprocessor rule options ssl_state and ssl_version
* Added support for Intel's Soft CPM for use as a fast pattern matcher.
* Fixed issue when specifying a --pcap-dir where Snort would fatal error if there was a broken symbolic link under the directory.
* Fixed an issue where copying an SO rule stub to modify the rule action, IPs and/or ports didn't work as expected.
* Set state in SSL preprocessor even if the record is truncated.
* Fixed inconsistency with flowbits behaviour if the stream session timed out. stream5 now resets flowbits on a timeout.
* Snort will now fatal error if adaptive profiles is enabled in any policy other than the default policy.
* Fixed false positives caused by using the fast_pattern option with the "only" argument on an http content in a rule.
* Fix OpenBSD compile with --enable-prelude.
* Fixed issue in SO rules converted to text rules that were not setting multiplier correctly.
* Fixed inconsistencies in behaviour with user defined rule types.
* Snort will now throw a validation error for an ipvar definition with a negated ip list that is more general than another ip list in the definition.
* Added support for IP variable substitution.
* Created new decoder event for ICMP PATH MTU denial of service attempt.
* Fixed SSL preprocessor to potentially update state before the reassembled packet is decoded.
* Added a new argument "mime" to the detection option "file_data". This argument will set the doe_ptr to the start of the base64 decoded MIME attachment. New config options "enable_mime_decoding", "max_mime_depth" and "max_mime_mem" are added to the SMTP configuration to support this feature.
* Added the "base64_decode" and "base64_data" detection options. The "base64_decode" option decodes the base64 encoded data. The "base64_data" option points the doe_ptr to the start of the base64 decoded buffer. * Added a new mode "inline-test". This mode simulates the inline mode of snort, allowing evaluation of inline behavior without affecting traffic. The command line option --enable-inline-test and snort config option policy_mode:inline_test added to support this feature. The drop rules will be loaded and will be triggered as a Wdrop (Would Drop) alert. * Added the support to extract the original client IP from the X-Forwarded-For or True-Client-IP headers. This client IP will now be logged to the unified2 output when HTTP Inspect is configured with enable_xff. * Added support to u2spewfoo to read the Original Client IP, Wdrop Alerts, Gzip decompressed Data. * Added support to print the Gzip decompressed data with cmg output. 2010-04-16 Ryan Jordan * doc/README.dcerpc: * doc/README.dcerpc2: * doc/README.flowbits: * doc/README.frag3: * doc/README.http_inspect: * doc/README.PerfProfiling: * doc/README.sensitive_data: * doc/README.sfportscan: * doc/README.stream5: * doc/snort_manual.tex: Updated Snort documentation * etc/classification.config: * etc/gen-msg.map: * etc/snort.conf: Replaced snort.conf with the version we ship in the rules tarball. Fixed a duplicate entry in gen-msg.map. * src/decode.c: * src/decode.h: Added alert for IPv6/UDP packets with zero checksum. * src/detection-plugins/detection_options.c: * src/detection-plugins/sp_byte_check.c: * src/detection-plugins/sp_byte_jump.c: * src/detection-plugins/sp_isdataat.c: For byte_test, byte_jump, and isdataat, only do an in bounds check of the doe_ptr if the rule option is relative and will be using the doe_ptr. * src/detection-plugins/sp_pattern_match.c: Fixed a valgrind error. * src/detection-plugins/sp_react.c: Removed instances of the word "porn" from Snort. 
* src/dynamic-plugins/sf_convert_dynamic.c: * src/dynamic-plugins/sf_engine/sf_snort_packet.h: * src/dynamic-plugins/sp_dynamic.c: Changed the parsing of dynamic detection plugins to register dynamic rules per policy. * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: * src/preprocessors/spp_stream5.c: * src/preprocessors/stream_api.h: * src/preprocessors/stream_ignore.h: * src/target-based/sftarget_protocol_reference.c: The FTP preprocessor now marks data channels with the "ftp-data" service identifier. Adaptive profiling must be turned on for this. * src/dynamic-preprocessors/sdf/sdf_credit_card.c: * src/dynamic-preprocessors/sdf/sdf_detection_option.c: * src/dynamic-preprocessors/sdf/sdf_pattern_match.c: * src/dynamic-preprocessors/sdf/sdf_pattern_match.h: * src/dynamic-preprocessors/sdf/sdf_us_ssn.c: * src/dynamic-preprocessors/sdf/spp_sdf.c: * src/dynamic-preprocessors/sdf/spp_sdf.h: * src/generators.h: Moved the sensitive data preprocessor's preproc rule to GID 139. Fixed the ability to reload Snort with sensitive_data turned on. Fixed bugs in the parsing of "sd_pattern" rules that overlapped. U.S. Social Security numbers are now required to have non-digits on either side in order to cause a match. * src/mempool.c: * src/preprocessors/HttpInspect/client/hi_client.c: * src/preprocessors/HttpInspect/include/hi_include.h: * src/preprocessors/HttpInspect/include/hi_mi.h: * src/preprocessors/HttpInspect/include/hi_server.h: * src/preprocessors/HttpInspect/include/hi_ui_config.h: * src/preprocessors/HttpInspect/include/hi_util.h: * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c: * src/preprocessors/HttpInspect/normalization/hi_norm.c: * src/preprocessors/HttpInspect/server/hi_server.c: * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: * src/preprocessors/snort_httpinspect.c: * src/preprocessors/snort_httpinspect.h: Added a "max_gzip_mem" option to http_inspect. 
Use this to set the maximum amount of memory used for gzip decompression. The "+" sign is now normalized to a space. Added a "disable" option to http_inspect so that a memcap can be set without enabling http_inspect across all VLANs. * src/preprocessors/sfprocpidstats.c: * src/preprocessors/sfprocpidstats.h: * src/preprocessors/spp_perfmonitor.c: Fixed a memory leak. * src/preprocessors/Stream5/snort_stream5_session.c: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/preprocessors/Stream5/snort_stream5_udp.c: Fixed an issue that could cause Snort to take minutes to reload. * src/snort.c: Unblocked signals that Snort does not handle itself. * src/win32/Makefile.am: * src/win32/WIN32-Includes/config.h: * src/win32/WIN32-Includes/mysql/config-netware.h: * src/win32/WIN32-Includes/mysql/config-os2.h: * src/win32/WIN32-Includes/mysql/config-win.h: * src/win32/WIN32-Includes/mysql/errmsg.h: * src/win32/WIN32-Includes/mysql/libmysqld.def: * src/win32/WIN32-Includes/mysql/libmysql.def: * src/win32/WIN32-Includes/mysql/m_ctype.h: * src/win32/WIN32-Includes/mysql/m_string.h: * src/win32/WIN32-Includes/mysql/my_alloc.h: * src/win32/WIN32-Includes/mysql/my_dbug.h: * src/win32/WIN32-Includes/mysql/my_getopt.h: * src/win32/WIN32-Includes/mysql/my_global.h: * src/win32/WIN32-Includes/mysql/my_list.h: * src/win32/WIN32-Includes/mysql/my_pthread.h: * src/win32/WIN32-Includes/mysql/mysql_com.h: * src/win32/WIN32-Includes/mysql/mysqld_error.h: * src/win32/WIN32-Includes/mysql/mysql_embed.h: * src/win32/WIN32-Includes/mysql/mysql.h: * src/win32/WIN32-Includes/mysql/mysql_time.h: * src/win32/WIN32-Includes/mysql/mysql_version.h: * src/win32/WIN32-Includes/mysql/my_sys.h: * src/win32/WIN32-Includes/mysql/raid.h: * src/win32/WIN32-Includes/mysql/typelib.h: * src/win32/WIN32-Prj/snort.dsw: * src/win32/WIN32-Prj/snort_installer.nsi: Updated the MySQL client library in the Windows build. Fixed a conflict between MSSQL headers and the newer Windows Platform SDK. 
2010-01-27 Ryan Jordan * doc/Makefile.am: Added README.sensitive_data * doc/README.dcerpc2: Removed "events" from default configuration. * doc/README.http_inspect: Added support for extended ascii codes in HTTP request URI using a new configurable option "extended_ascii_uri". Changed the pattern match to search only the HTTP response body when extended response inspection is enabled. Also copy only the decompressed data into the decode buffer. * doc/README.INLINE: Content replacement now allows replacement strings of varying sizes. * doc/README.multipleconfigs: Limit number of individual networks per line to 512. * doc/README.stream5: Removed "min_ttl" option, added the latest stream alerts. * doc/snort_manual.tex: Fixed typos, updated the Snort manual to match the README updates. Eliminated the kick-ass and the lotion. Updated with new PCRE options. * etc/classification.config: Cleaned up classification.config. Thanks to Guise McAllaster for reporting this issue. * etc/gen-msg.map: Added sig ID for http_inspect's chunk size mismatch. * etc/snort.conf: Fixed typos. Default "dynamicengine" entry is now specified by directory. * src/build.h: Updated build number. * src/checksum.h: Added checksum calculation for ICMPv6. Also fixed a warning in hi_client.c. * src/configure.in: Updated makefile/configure script to optionally build dynamic examples. Thanks to Markus Lude for raising the issue. Fixed linker option on Solaris 10 to use nanosleep. Thanks to Randal T. Rioux for reporting this issue. * src/decode.c: Added checksum calculation for ICMPv6. Also fixed a warning in hi_client.c. * src/decode.h: Change the pattern match to search only the HTTP response body when extended response inspection is enabled. Also copy only the decompressed data into the decode buffer. * src/detect.c: Formatting changes. 
* src/detection-plugins/sp_asn1.c: * src/detection-plugins/sp_byte_check.c: * src/detection-plugins/sp_ip_proto.c: Replaced strtol and strtoul with inline functions that reset errno first. * src/detection-plugins/sp_pattern_match.c: Check if file_data is within the packet boundaries and set the search depth accordingly. * src/detection-plugins/sp_pcre.c: Fix for the new PCRE options. Raw options and status options weren't matching as expected. * src/detection-plugins/sp_replace.c: Added checksum calculation for ICMPv6. Also fixed a warning in hi_client.c. * src/dynamic-examples/Makefile.am: * src/Makefile.am: Update makefile/configure script to optionally build dynamic examples. * src/dynamic-plugins/sf_dynamic_plugins.c: Replaced strtol and strtoul with inline functions that reset errno first. * src/dynamic-plugins/sf_dynamic_preprocessor.h: * src/event_queue.c: * src/event_queue.h: * src/preprocessors/spp_frag3.c: * src/dynamic-preprocessors/dcerpc2/snort_dce2.c: * src/sfutil/sfeventq.h: * src/snort.c: * src/snort.h: Fixed a bug where Snort would log a packet other than the one triggering the alert. * src/dynamic-preprocessors/dcerpc2/dce2_debug.c: * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: * src/dynamic-preprocessors/libs/sfparser.c: * src/output-plugins/spo_unified2.c: * src/parser.c: * src/preprocessors/spp_perfmonitor.c: * src/preprocessors/Stream5/snort_stream5_tcp.c: Replaced strtol and strtoul with inline functions that reset errno first. * src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h: * src/dynamic-preprocessors/dns/sf_preproc_info.h: * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h: * src/dynamic-preprocessors/smtp/sf_preproc_info.h: * src/dynamic-preprocessors/ssh/sf_preproc_info.h: * src/dynamic-preprocessors/ssl/sf_preproc_info.h: Updated build version number. 
* src/dynamic-preprocessors/sdf/.cvsignore: Added .cvsignore file * src/dynamic-preprocessors/sdf/sdf_credit_card.c: * src/dynamic-preprocessors/sdf/sdf_credit_card.h: Added license text. Added check for the Issuer Number in credit card numbers. * src/dynamic-preprocessors/sdf/sdf_detection_option.c: * src/dynamic-preprocessors/sdf/sdf_detection_option.h: * src/dynamic-preprocessors/sdf/sdf_pattern_match.c: * src/dynamic-preprocessors/sdf/sdf_pattern_match.h: Added license text. Fixed error when using the same sensitive data rule in multiple policies. Sensitive data rules must use the preprocessor's generator ID. * src/dynamic-preprocessors/sdf/sdf_us_ssn.c: * src/dynamic-preprocessors/sdf/sdf_us_ssn.h: Added license text. * src/dynamic-preprocessors/sdf/spp_sdf.c: * src/dynamic-preprocessors/sdf/spp_sdf.h: Fixed double-free when the preprocessor was enabled in multiple policies. Added the ability to search HTTP Uri buffers for sensitive data. Fixed the pcap header for pseudo-packets generated by the preprocessor. * src/fpcreate.c: OpenBSD update * src/generators.h: Added alert for HTTP chunk size mismatch. * src/obfuscation.c: Made a debug message optionally compilable. * src/output-plugins/spo_log_tcpdump.c: Fix use of -L option to work correctly. Thanks to Allan Adkins for reporting this issue. * src/preprocessors/HttpInspect/client/hi_client.c: * src/preprocessors/HttpInspect/event_output/hi_eo_log.c: * src/preprocessors/HttpInspect/include/hi_eo_events.h: * src/preprocessors/HttpInspect/include/hi_ui_config.h: * src/preprocessors/HttpInspect/include/hi_include.h: * src/preprocessors/HttpInspect/include/hi_util.h: * src/preprocessors/HttpInspect/server/hi_server.c: Added http response stats. Added support for extended ascii codes in HTTP request URI using a new configurable option "extended_ascii_uri" Added an alert for incorrect chunk size fields. * src/preprocessors/perf.c: Fixed null deref when "rotate stats" signal was caught w/out perfmon enabled. 
* src/preprocessors/snort_httpinspect.c: Fixed a case where the HTTP Inspect preprocessor would disable the Sensitive Data preprocessor. * src/preprocessors/spp_httpinspect.c: Decompressed bytes read will now be based on the total out of zstream. * src/target-based/sftarget_reader.c: attribute table printing - converting to host order before printing the ip address * src/util.c: * src/util.h: adding zlib version information for snort -V * src/win32/Makefile.am: Add zlib 1.2.3 to Win32 build. * src/win32/WIN32-Includes/config.h: * src/win32/WIN32-Includes/zlib/zconf.h: * src/win32/WIN32-Includes/zlib/zlib.h: * src/win32/WIN32-Prj/snort.dsp: Add zlib 1.2.3 to Win32 build. * src/win32/WIN32-Prj/snort_installer.nsi: Added Sensitive Data preproc to Windows installer script. 2009-12-21 Ryan Jordan * doc/README.dcerpc: Added deprecation notice. * doc/README.dcerpc2: Added note about fast pattern contents. * doc/README.filters: Slight change to indicate that filters were introduced in 2.8.5, which is no longer the current version. * doc/README.flowbits: Added documentation for flowbit groups. * doc/README.http_inspect: Added documentation for new HTTP rule options. * doc/snort_manual.tex: Updated for HTTP rule options and other cleanup. * doc/TODO: Removed obfuscation code from the TODO. * etc/gen-msg.map: Added new Stream5 alert for the "TCP 4-way handshake" * etc/snort.conf: Fixed typos. Added examples for Unified2 output and Sensitive Data preprocessor config. * rpm/snort.spec: Updated version number. * src/bounds.h: Formatting change. Added "SafeMemCheck" function. Modified "SafeMemcpy" and "SafeMemset" to use it. * src/build.h: Updated build number. * src/debug.c: Moved definition for snort_conf. * src/decode.h: Made changes for HTTP response gzip support. * src/detect.c: Updated to use new Obfuscation API. 
* src/sfutil/mpse.c: * src/sfutil/mpse.h: * src/fpcreate.c: * src/fpcreate.h: * src/sfutil/acsmx2.c: * src/sfutil/acsmx2.h: Added support for ac "split" pattern matcher to use less memory with improved performance over ac-bnfa. Thanks to Charlie Lasswell for the ideas! * src/detect.h: * src/event_wrapper.c: * src/event_wrapper.h: * src/inline.c: * src/profiler.c: * src/rate_filter.h: * src/rules.h: * src/tag.c: * src/tag.h: * src/treenodes.h: OTNs and RTNs were moved to their own header file. * src/detection-plugins/detection_options.c: * src/detection-plugins/Makefile.am: * src/detection-plugins/sp_file_data.c: * src/detection-plugins/sp_file_data.h: New detection option "file_data" was added. * src/detection-plugins/detection_options.h: * src/rule_option_types.h: Moved option_type_t to its own header file. * src/detection-plugins/sp_flowbits.c: * src/detection-plugins/sp_flowbits.h: Allow a flowbits group name only with the set and toggle operations. Check if the content rules have HTTP modifiers. * src/detection-plugins/sp_replace.c: Check bounds from the relative depth and adjust the bounds while replacing to prevent a buffer overflow. Allow replace with strings of a different size. Enhancement to replace. * src/detection-plugins/sp_isdataat.c: Added negated isdataat support. * src/detection-plugins/sp_pattern_match.c: * src/detection-plugins/sp_pattern_match.h: Update pattern match parsing to error on invalid rules. 
* src/detection-plugins/sp_asn1.c: * src/detection-plugins/sp_byte_check.c: * src/detection-plugins/sp_byte_jump.c: * src/detection-plugins/sp_clientserver.c: * src/detection-plugins/sp_cvs.c: * src/detection-plugins/sp_dsize_check.c: * src/detection-plugins/sp_ftpbounce.c: * src/detection-plugins/sp_icmp_code_check.c: * src/detection-plugins/sp_icmp_id_check.c: * src/detection-plugins/sp_icmp_seq_check.c: * src/detection-plugins/sp_icmp_type_check.c: * src/detection-plugins/sp_ip_fragbits.c: * src/detection-plugins/sp_ip_id_check.c: * src/detection-plugins/sp_ipoption_check.c: * src/detection-plugins/sp_ip_proto.c: * src/detection-plugins/sp_ip_proto.h: * src/detection-plugins/sp_ip_same_check.c: * src/detection-plugins/sp_ip_tos_check.c: * src/detection-plugins/sp_pcre.c: * src/detection-plugins/sp_pcre.h: * src/detection-plugins/sp_react.c: * src/detection-plugins/sp_respond2.c: * src/detection-plugins/sp_respond.c: * src/detection-plugins/sp_rpc_check.c: * src/detection-plugins/sp_session.c: * src/detection-plugins/sp_tcp_ack_check.c: * src/detection-plugins/sp_tcp_flag_check.c: * src/detection-plugins/sp_tcp_seq_check.c: * src/detection-plugins/sp_tcp_win_check.c: * src/detection-plugins/sp_ttl_check.c: * src/detection-plugins/sp_urilen_check.c: * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: * src/dynamic-preprocessors/ssl/spp_ssl.c: Updated calls to RegisterRuleOption() to match new definition. * src/dynamic-plugins/sf_convert_dynamic.c: Updated conversion of Content and PCRE rule options to match HTTP changes. * src/dynamic-plugins/sf_dynamic_common.h: Updated HTTP flags. * src/dynamic-plugins/sf_dynamic_engine.h: * src/dynamic-plugins/sp_preprocopt.c: * src/dynamic-plugins/sp_preprocopt.h: Added definition of OTN Handler. A detection option or preprocessor can register one of these to get the OTN of any rule using its rule option. 
* src/dynamic-plugins/sf_dynamic_plugins.c: * src/dynamic-plugins/sf_dynamic_preprocessor.h: * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c: Added several items to DynamicPreprocessorData, to allow dynamic preprocessors to call more Snort functions. * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c: * src/dynamic-plugins/sp_dynamic.c: * src/dynamic-plugins/sp_dynamic.h: Check for HTTP modifiers to Content and PCRE options in shared object rules. * src/dynamic-plugins/sf_engine/sf_snort_packet.h: Added missing Packet member to SFSnortPacket. * src/dynamic-preprocessors/dcerpc/dcerpc.c: * src/dynamic-preprocessors/dcerpc/dcerpc.h: Moved DCERPC_FragType definition. * src/dynamic-preprocessors/dcerpc/dcerpc_config.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h: * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: * src/dynamic-preprocessors/dcerpc2/dce2_co.c: * src/dynamic-preprocessors/dcerpc2/dce2_config.c: * src/dynamic-preprocessors/dcerpc2/snort_dce2.c: * src/preprocessors/portscan.h: * src/preprocessors/spp_frag3.c: * src/preprocessors/spp_sfportscan.c: Added "disabled" option to frag3_global, stream5_global, portscan, dcerpc, and dcerpc2 preprocessor configurations so that memcaps can be specified in the default configuration w/o enabling that preprocessor. This allows specification of the preprocessors only in the desired configuration. 
* src/dynamic-preprocessors/dcerpc/Makefile.am: * src/dynamic-preprocessors/dcerpc2/Makefile.am: * src/dynamic-preprocessors/dns/Makefile.am: * src/dynamic-preprocessors/dns/sf_dns.dsp: * src/dynamic-preprocessors/ftptelnet/Makefile.am: * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp: * src/dynamic-preprocessors/smtp/Makefile.am: * src/dynamic-preprocessors/ssh/Makefile.am: * src/dynamic-preprocessors/ssl/Makefile.am: * src/dynamic-preprocessors/smtp/sf_smtp.dsp: * src/dynamic-preprocessors/ssh/sf_ssh.dsp: * src/dynamic-preprocessors/ssl/sf_ssl.dsp: Fix make dist to include all required files. * src/dynamic-preprocessors/dcerpc2/dce2_event.c: * src/dynamic-preprocessors/dcerpc2/dce2_list.h: * src/dynamic-preprocessors/dcerpc2/dce2_utils.c: * src/dynamic-preprocessors/dcerpc2/dce2_utils.h: * src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h: Changed use of some integers to enumerated types. * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c: Added dce_iface options to the fast pattern matcher. * src/dynamic-preprocessors/dcerpc2/snort_dce2.h: * src/dynamic-preprocessors/dcerpc2/dce2_config.h: * src/dynamic-preprocessors/smtp/snort_smtp.c: Added sensitive data to the list of preprocs that get re-enabled after disabling detection. * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: Removed config file/line from error message since not set at this point. Also removed redundant "dcerpc2 configuration" text. * src/dynamic-preprocessors/Makefile.am: * src/dynamic-preprocessors/treenodes.sed: Included more header files for use in dynamic preprocessors. 
* src/dynamic-preprocessors/sdf/Makefile.am: * src/dynamic-preprocessors/sdf/sdf_credit_card.c: * src/dynamic-preprocessors/sdf/sdf_credit_card.h: * src/dynamic-preprocessors/sdf/sdf_detection_option.c: * src/dynamic-preprocessors/sdf/sdf_detection_option.h: * src/dynamic-preprocessors/sdf/sdf_pattern_match.c: * src/dynamic-preprocessors/sdf/sdf_pattern_match.h: * src/dynamic-preprocessors/sdf/sdf_us_ssn.c: * src/dynamic-preprocessors/sdf/sdf_us_ssn.h: * src/dynamic-preprocessors/sdf/sf_preproc_info.h: * src/dynamic-preprocessors/sdf/sf_sdf.dsp: * src/dynamic-preprocessors/sdf/spp_sdf.c: * src/dynamic-preprocessors/sdf/spp_sdf.h: * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp: * src/preprocids.h: * doc/README.sensitive_data: * doc/snort_manual.tex: Added Sensitive Data preprocessor. It performs detection of Personally Identifiable Information, such as credit card numbers and U.S. Social Security numbers. * src/dynamic-preprocessors/ssh/spp_ssh.c: Formatting change. * src/fpcreate.c: * src/fpcreate.h: * src/fpdetect.c: Content rules with the new HTTP modifiers can use the fast pattern matcher. * src/generators.h: Added SIDs for new preprocessor alerts. * src/Makefile.am: Added new files to Makefile. * src/obfuscation.c: * src/obfuscation.h: * src/util.c: * src/util.h: Fixed output obfuscation, and added an Obfuscation API for use in preprocessors & output plugins. 
* src/log.c: * src/log.h: * src/log_text.c: * src/log_text.h: * src/output-plugins/spo_alert_fast.c: * src/output-plugins/spo_alert_full.c: * src/output-plugins/spo_alert_prelude.c: * src/output-plugins/spo_alert_sf_socket.c: * src/output-plugins/spo_alert_syslog.c: * src/output-plugins/spo_alert_test.c: * src/output-plugins/spo_alert_unixsock.c: * src/output-plugins/spo_csv.c: * src/output-plugins/spo_database.c: * src/output-plugins/spo_log_ascii.c: * src/output-plugins/spo_log_null.c: * src/output-plugins/spo_log_tcpdump.c: * src/output-plugins/spo_unified2.c: * src/output-plugins/spo_unified.c: Modified several output plugins to print obfuscated data using the new Obfuscation API. * src/parser.c: * src/parser.h: Added support for OTN handlers. Added support for using new http content options with the fast pattern matcher. * src/pcrm.c: * src/pcrm.h: Formatting changes. * src/plugbase.c: * src/plugbase.h: Added OTN handler argument to the RegisterRuleOption() function. Initialized the "file_data" rule option. * src/ppm.c: * src/ppm.h: Remove non-portlists code. 
* src/preprocessors/HttpInspect/client/hi_client.c: * src/preprocessors/HttpInspect/client/hi_client_norm.c: * src/preprocessors/HttpInspect/include/hi_client.h: * src/preprocessors/HttpInspect/include/hi_eo_events.h: * src/preprocessors/HttpInspect/include/hi_mi.h: * src/preprocessors/HttpInspect/include/hi_norm.h: * src/preprocessors/HttpInspect/include/hi_server.h: * src/preprocessors/HttpInspect/include/hi_server_norm.h: * src/preprocessors/HttpInspect/include/hi_ui_config.h: * src/preprocessors/HttpInspect/include/hi_util.h: * src/preprocessors/HttpInspect/include/Makefile.am: * src/preprocessors/HttpInspect/Makefile.am: * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c: * src/preprocessors/HttpInspect/normalization/hi_norm.c: * src/preprocessors/HttpInspect/server/hi_server.c: * src/preprocessors/HttpInspect/server/hi_server_norm.c: * src/preprocessors/HttpInspect/server/Makefile.am: * src/preprocessors/HttpInspect/session_inspection/hi_si.c: * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: * src/preprocessors/snort_httpinspect.c: * src/preprocessors/snort_httpinspect.h: * src/preprocessors/spp_httpinspect.c: New feature for HTTP Inspect to split requests into 5 components - Method, URI, Header (non-cookie), Cookies, Body. Added HTTP server specific configurations to normalize HTTP header and/or cookie buffers. Provided content and PCRE modifiers to allow searches within one or more of those individual buffers. Added content modifier to allow rule writer to specify content to be used for fast pattern matcher. Updated dynamic rule API to allow searches within the new buffers. * src/preprocessors/perf.c: * src/preprocessors/spp_perfmonitor.c: * src/preprocessors/perf-flow.c: * src/preprocessors/perf-flow.h: * src/preprocessors/perf.h: * src/preprocessors/Stream5/snort_stream5_udp.c: Add Flow-IP stats to the Performance Monitor preprocessor. 
Write out a commented line to the now file the first time perfmon. Reduce performance overhead when FlowIP stats aren't enabled. * src/preprocessors/sfprocpidstats.c: Changed GetCpuName() to catch errno when sscanf() sets it. * src/preprocessors/spp_rpc_decode.c: Fixed warnings when compiled in Win32. * src/preprocessors/spp_stream5.c: * src/preprocessors/Stream5/snort_stream5_session.h: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/preprocessors/Stream5/snort_stream5_tcp.h: * src/preprocessors/Stream5/stream5_common.c: * src/preprocessors/Stream5/stream5_common.h: * src/preprocessors/stream_api.h: Added detection of "4-way TCP Handshake" when require_3whs is enabled. Added "disabled" option so that memcaps can be configured in the default policy w/out enabling the preprocessor. Added support for output obfuscation. * src/prototypes.h: * src/sys_include.h: Removed more obsolete/unused files. * src/sfthreshold.c: * src/sfutil/acsmx2.c: * src/sfutil/acsmx2.h: * src/sfutil/bnfa_search.c: * src/sfutil/ipobj.c: * src/sfutil/ipobj.h: * src/sfutil/Makefile.am: * src/sfutil/mpse.c: * src/sfutil/mpse.h: * src/sfutil/sf_ip.c: * src/sfutil/sf_ip.h: * src/sfutil/sf_iph.c: * src/sfutil/sf_ipvar.c: * src/sfutil/sfksearch.c: * src/sfutil/sfPolicyUserData.c: * src/sfutil/sfPolicyUserData.h: * src/sfutil/sfportobject.c: * src/sfutil/sfxhash.c: * src/sfutil/sfrf.c: * src/sfutil/sfrt_trie.h: * src/sfutil/sf_vartable.c: Cleaned up warnings, especially when compiled with ICC. * src/sfutil/util_net.c: * src/sfutil/util_net.h: Fix IP obfuscation to not modify packet data and only obfuscate for text outputs. * src/signature.c: * src/signature.h: * src/snort.c: * src/snort.h: Remove non-portlists code. * src/target-based/sf_attribute_table_parser.l: * src/target-based/sftarget_reader.c: Use bison built-in YYACCEPT and YYABORT so the stack is cleaned up and freed. 
* src/win32/WIN32-Code/syslog.c: * src/win32/WIN32-Code/win32_service.c: * src/win32/WIN32-Includes/config.h: * src/win32/WIN32-Prj/snort.dsp: * src/win32/WIN32-Prj/snort.dsw: * src/win32/WIN32-Prj/snort_installer.nsi: Win32 project files updated to reflect Makefile changes. 2009-12-15 Ryan Jordan * doc/snort_manual.tex: Clarified the documentation for output plugins alert_fast, alert_full, log_tcpdump, and alert_csv. Added documentation for log limits. * etc/gen-msg.map: * src/generators.h: * src/preprocessors/HttpInspect/client/hi_client.c: * src/preprocessors/HttpInspect/event_output/hi_eo_log.c: * src/preprocessors/HttpInspect/include/hi_client.h: * src/preprocessors/HttpInspect/include/hi_eo_events.h: Changes to improve handling of pipelined requests and chunked encodings based on the Content-Length header field. * src/preprocessors/snort_httpinspect.c: Fix error message for validation of client_flow_depth. * src/build.h: Updated build number. * src/codes.c: * src/codes.h: * src/detection-plugins/sp_respond2.h: Removed unused code. * src/dynamic-preprocessors/dcerpc2/dce2_smb.c: * src/dynamic-preprocessors/dcerpc2/snort_dce2.c: Set IPv6 UDP DCE/RPC reassembly headers. * src/dynamic-preprocessors/Makefile.am: Exported more files to allow re-building of some .so files on NetBSD. * src/dynamic-preprocessors/ssh/spp_ssh.c: * src/dynamic-preprocessors/ssh/spp_ssh.h: Fixed an issue where the SSH preprocessor would erroneously alert on "protocol mismatch" when autodetect was turned on. * src/log.h: * src/parser.c: Fixed reloading of auto-iface variables after privileges had been dropped. Thanks to Pablo Catalina for reporting this issue. * src/output-plugins/spo_alert_prelude.c: Fixed compiling on AIX 6, or with --enable-prelude and --enable-ipv6. Thanks to Randal Rioux for reporting the AIX issues. Thanks to Markus Lude for reporting the prelude & IPv6 issues. 
* src/preprocessors/spp_rpc_decode.c: * src/preprocessors/spp_stream5.c: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/preprocessors/Stream5/snort_stream5_tcp.h: * src/preprocessors/stream_api.h: Set smaller flush point appropriate for RPC header. * src/sfutil/Makefile.am: * src/sfutil/sf_ipvar.c: Fixed an error where negative IP lists were not always being checked. * src/sfutil/sfPolicy.c: * src/sfutil/sfPolicy.h: Fix to return correct vlan/ip id. * src/sfutil/sfrt.h: * src/sfutil/sfrt_trie.h: More compile fixes on AIX 6. * src/snort.c: * src/target-based/sftarget_reader.c: Fix issues at startup and perfstats rotation with old versions of libc (2.2, 2.3) & linux threads. * src/util.h: Added a function prototype for InitTimeStats. * src/win32/WIN32-Includes/config.h: Formatting changes. 2009-10-21 Ryan Jordan * doc/README.filters: added missing _. * doc/snort_manual.tex: Update to add PCRE modifiers that were left out of table 3.8. Fixed typos. * src/build.h: Updated build number. * src/codes.c: * src/codes.h: Removed unused code. * src/decode.c: When label > NUM_RESERVED_LABELS, iRet should be set based on the payload type * src/configure.in: * src/Makefile.am: * src/dynamic-examples/Makefile.am: * src/dynamic-examples/dynamic-preprocessor/Makefile.am: * src/dynamic-examples/dynamic-preprocessor/spp_example.c: Added the dynamic-examples back to the Makefile, and updated the example preprocessor to support multiple policies & config reloading. * src/detection-plugins/sp_pcre.c: fixed warning: ISO C90 forbids mixed declarations and code * src/detection-plugins/sp_respond2.h: separate flexresp interface from implementation Made react, resp, and resp2 independent except that libnet is only initialized/closed once regardless of build combinations. * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: Fixed a bug where dynamic rules were not initialized correctly after a snort.conf reload. 
* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: * src/dynamic-preprocessors/dcerpc2/dce2_config.c: * src/dynamic-preprocessors/dcerpc2/spp_dce2.c: * src/dynamic-preprocessors/dns/spp_dns.c: * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: * src/dynamic-preprocessors/smtp/spp_smtp.c: * src/dynamic-preprocessors/ssl/spp_ssl.c: * src/parser.c: * src/preprocessors/spp_httpinspect.c: * src/preprocessors/spp_rpc_decode.c: * src/preprocessors/spp_stream5.c: * src/preprocessors/Stream5/snort_stream5_session.c: * src/preprocessors/Stream5/snort_stream5_session.h: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/preprocessors/Stream5/snort_stream5_tcp.h: * src/preprocessors/Stream5/snort_stream5_udp.c: * src/preprocessors/Stream5/snort_stream5_udp.h: * src/preprocessors/Stream5/stream5_common.h: * src/preprocessors/stream_api.h: Fixed segfault when adding policies on reload. Fixed potentially freed stream5 configuration being read on clean exit. Fixed potentially wrong stream5 configuration being used during reload. * src/dynamic-preprocessors/dcerpc2/dce2_co.c: Make log message a debug message. * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Changed the return value. * src/dynamic-preprocessors/ssh/spp_ssh.c: Fixed SSH preprocessor to use "FLPOLICY_IGNORE" when turning off Stream reassembly, as opposed to "FLPOLICY_NONE". * src/fpcreate.c: * src/profiler.c: Updated uses of IPPROTO_IP to ETHERNET_TYPE_IP. * src/output-plugins/spo_alert_sf_socket.c: Fixed OTN lookup: because the "first" function was not called, the configured GID/SIDs would not be found, so no alerts went out the socket and no errors were reported. * src/log.c: Use the original API and address family for embedded ICMP packet printing. Fixed out-of-bounds access when printing IPv6 packets using -v. * src/output-plugins/spo_database.c: Included missing "last_cid" column when inserting a new sensor into the table while "ignore_bpf" was turned on. * src/preprocessors/perf-base.c: Fixed inaccurate wire speed stats. 
	* src/preprocessors/HttpInspect/client/hi_client.c: Updated previous bugfix to check for more possible return values.
	* src/preprocessors/spp_perfmonitor.c: Check if packet is stream rebuilt. Don't include in stats.
	* src/sfutil/sf_ip.h: processing of 0.0.0.0/x enabled. Only 0.0.0.0/32 is considered as "any".
	* src/sfutil/sfPolicy.c: fixed segfault when more than 10 policies were applied.
	* src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
	* src/output-plugins/spo_alert_syslog.c:
	* src/win32/WIN32-Code/syslog.c:
	* src/win32/WIN32-Prj/sf_engine_initialize.dsp:
	* src/win32/WIN32-Prj/snort_initialize.dsp: Fix syslog output under Windows.
	* src/snort.c: enable -Q output with --help for !IPFW && !WIN32 builds; change text to be more accurate.
	* src/snort.h: Handled MPLS BOS.
	* src/target-based/sf_attribute_table_parser.l:
	* src/target-based/sf_attribute_table.y:
	* src/target-based/sftarget_reader.c: Use bison built in YYACCEPT and YYABORT so stack is cleaned up and freed. Free host entries that are not inserted into routing table due to max_attribute_hosts limit.

2009-09-15  Ryan Jordan

	* doc/README.frag3: Removed ttl_limit option, as it has been deprecated.
	* doc/README.ftptelnet: Added the ignore_telnet_erase_cmds option.
	* doc/README.ssh: Fixed the documentation to reflect changes in SSH for 2.8.5.
	* doc/snort_manual.tex: Duplicated the above doc changes for the manual. Clarified order of rule actions.
	* etc/gen-msg.map: Punctuation changes.
	* etc/snort.conf: Fix the example SSH configuration, and turn it on by default. This should increase performance in situations where a lot of SSH traffic was inspected.
	* rpm/snort.spec: Updated version number.
	* src/build.h: Updated build number.
	* configure.in: Added configure switch to disable core files.
	* src/codes.c:
	* src/codes.h: Removed old/unused code.
	* src/debug.c:
	* src/sfutil/sfportobject.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c: redirect stdin/stdout/stderr to /dev/null for debug write to file and change ownership of file to dropped privs
	* src/decode.c: Allow support for label values of 0 or 2 at locations other than bottom of stack.
	* src/decode.h:
	* src/win32/WIN32-Prj/snort_installer.nsi: Moved a couple rules into the decoder.
	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/detection_options.h:
	* src/detection-plugins/Makefile.am:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_react.h:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_respond2.h:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond.h:
	* src/detection-plugins/sp_session.c:
	* src/win32/WIN32-Prj/snort.dsp: Made react, resp, and resp2 independent except that libnet is only initialized/closed once regardless of build combinations.
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: Added a new check to handle loading of older libraries.
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
	* src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
	* src/dynamic-preprocessors/dns/sf_preproc_info.h:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/smtp/sf_preproc_info.h:
	* src/dynamic-preprocessors/ssh/sf_preproc_info.h:
	* src/dynamic-preprocessors/ssh/spp_ssh.h:
	* src/dynamic-preprocessors/ssl/sf_preproc_info.h: Changed the build numbers of preprocessors.
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/preprocessors/spp_arpspoof.c:
	* src/preprocessors/spp_stream5.c:
	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h: Fixed compile warnings.
	* src/preprocessors/spp_sfportscan.c: Don't include vlan header in portscan event/log packet.
	* src/preprocessors/Stream5/snort_stream5_tcp.c: Fix core by adjusting IPv6 buffer size
	* src/profiler.c: Clean up preprocessor profiler formatting.
	* src/dynamic-preprocessors/ssh/spp_ssh.c: Changed limit on max_server_version_len to 255.
	* src/dynamic-preprocessors/smtp/smtp_log.h:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/generators.h: Gave xlink2state smtp preprocessor alert a unique sid.
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: Fixed memory leaks.
	* src/fpcreate.c: Fixed potential segfault with multiple policies.
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-event.c:
	* src/preprocessors/perf-event.h:
	* src/preprocessors/perf-flow.c:
	* src/preprocessors/perf-flow.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/sfutil/sfActionQueue.c: IPv6-related changes.
	* src/mempool.c: Check return values from mempool_init and fatal if bad; when freeing pools, set to NULL.
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/sfutil/sfPolicy.c: Added additional error-checking.
	* src/output-plugins/spo_unified.c:
	* src/parser.c:
	* src/parser.h:
	* src/signature.c:
	* src/signature.h: Fixed a couple invalid reads & writes.
	* src/plugbase.c: Check configuration for all policies.
	* snort_head/snort/snort.8: Updated man page to reflect doc changes.

2009-07-13  Ryan Jordan

	* src/win32/WIN32-Prj/sf_testdetect.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/win32/WIN32-Prj/snort.dsw: Win32 updates.
	* configure.in: Update for module pack conflict.
	* snort.8: Removed obsolete option -o
	* doc/CREDITS: Updated credits to reflect Snort 2.8.5 work
	* doc/INSTALL: Indentation changes, update for Mac
	* doc/Makefile.am: Added README.filters
	* doc/README.filters: New README, describes the new filtering features in Snort 2.8.5
	* doc/README.frag3: Added the overlap_limit and min_fragment_length options
	* doc/README.ftptelnet: Indentation changes
	* doc/README.http_inspect: Added post_depth option.
	* doc/README.INLINE: Changed "snort_inline" to "Snort Inline"
	* doc/README.PerfProfiling: Updated stats output to reflect "Rev" column
	* doc/README.reload: New README, describes how to reload a Snort configuration in 2.8.5
	* doc/README.ssh: Updated the README to reflect changes in the SSH preprocessor for 2.8.5
	* doc/README.thresholding: Updated to indicate that "threshold" is deprecated in favor of "event_filter".
	* doc/snort_manual.tex: Updated to include 2.8.5 features, formatting updates. Removed old references to Stream4.
	* etc/gen-msg.map: Moved XMAS attack handling to decoder. Gave xlink2state smtp preprocessor alert unique sid.
	* etc/threshold.conf: Updated with formatting changes, deprecation notice for "threshold"
	* src/build.h: New build number.
	* src/codes.c:
	* src/codes.h: Removed unused files.
	* src/decode.c:
	* src/decode.h: Made some options policy-specific. Removed a couple poorly-performing rules and made them into decoder checks instead.
	* src/detect.c:
	* src/ppm.h: Don't reset packet time
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_asn1_detect.c: Removed redundant check.
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_isdataat.h: Moved flags & struct to header file.
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_replace.c:
	* src/detection-plugins/sp_replace.h: Check for combination of "replace" and "http_*" options, which are incompatible.
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_respond.c: Renamed respond's config so it didn't conflict with global Snort config.
	* src/dynamic-plugins/sf_convert_dynamic.c:
	* src/dynamic-plugins/sf_convert_dynamic.h: Added a missing handler for "isdataat" options in .so rules.
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-plugins/sp_preprocopt.h:
	* src/ipv6_port.h:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_ip.h: Changed variables from "uintX_t" to "u_intX_t".
	* src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_event.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_stats.h:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
	* src/dynamic-preprocessors/dcerpc2/spp_dce2.c: Added detection for DCE/RPC server->client attacks.
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c: Fixed memory leak.
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: Fixed some FTP false positives.
	* src/dynamic-preprocessors/smtp/smtp_config.c:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/ssh/spp_ssh.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.c: Fixed multiple policy support in these preprocessors.
	* src/fpdetect.c:
	* src/rules.h: One rule can have different actions in different policies.
	* src/generators.h: Changed SSL preprocessor's ID to avoid conflict with DCE/RPC 2
	* src/inline.c: Win32 updates
	* src/log.c: Fixed issue with verbose output while in IDS mode.
	* src/mempool.c:
	* src/mempool.h:
	* src/preprocessors/portscan.c:
	* src/sfutil/Makefile.am:
	* src/sfutil/sfActionQueue.c:
	* src/sfutil/sfActionQueue.h: Made several config options specific to bound policies.
	* src/output-plugins/spo_unified2.h: Used 104 and 105 for the VLAN+MPLS event records.
	* src/parser/IpAddrSet.c:
	* src/parser/IpAddrSet.h: Clean up IpAddrSet in rate filter and suppress
	* src/parser.c:
	* src/parser.h: Fixed warnings
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_httpinspect.c: HTTP Inspect now allows 1024 server profiles. The storage size was reduced.
	* src/preprocessors/spp_frag3.c: Fixed problem where Snort wouldn't reload if prealloc_memcap was specified.
	* src/preprocessors/spp_perfmonitor.c: Fixed problem where "now" file stopped updating after a reload.
	* src/preprocessors/spp_sfportscan.c:
	* src/sfutil/sfportobject.c:
	* src/sfutil/sfrf.c:
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h: Fixed memory leaks.
	* src/preprocessors/spp_stream5.c:
	* src/sfutil/sfPolicyUserData.c:
	* src/sfutil/sfPolicyUserData.h:
	* src/target-based/sftarget_reader.c:
	* src/target-based/sftarget_reader.h: Update for linuxthreads.
	* src/preprocessors/Stream5/snort_stream5_tcp.c: Added -H command-line option. Uses 192 for all TCP flushpoints. Only useful for repeatability while testing Snort.
	* src/profiler.c: Added rule revision to profiling output.
	* src/rate_filter.c:
	* src/rate_filter.h: Automatically enable "session delete" events with "session add" events.
	* src/sf_sdlist.c:
	* src/sfutil/sf_ipvar.c: Formatting changes
	* src/sf_types.h: Win32 updates
	* src/snort.c:
	* src/snort.h: Several fixes involving policy reload
	* src/util.c: Formatting changes, updated references to snort.org.
	* src/util.h: Don't allow 0 for threshold count or seconds.

2009-05-06  Ryan Jordan

	* etc/gen-msg.map: Added new messages for MPLS and Frag3.
	* etc/snort.conf: Modified an example port number, and added overlap_limit to the default frag3_engine config.
	* src/detect.c:
	* src/detect.h:
	* src/detection_filter.c:
	* src/detection_filter.h:
	* src/rate_filter.c:
	* src/rate_filter.h:
	* src/sfthreshold.c:
	* src/sfthreshold.h: Added support for detection_filter, rate_filter, and event_filter. See doc/README.filters for more info.
	* src/detection-plugins/Makefile.am:
	* src/detection-plugins/sp_hdr_opt_wrap.c:
	* src/detection-plugins/sp_hdr_opt_wrap.h:
	* src/dynamic-plugins/Makefile.am:
	* src/dynamic-plugins/sf_convert_dynamic.c:
	* src/dynamic-plugins/sf_convert_dynamic.h:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: Changed the way .so rules are handled, to take advantage of the Rule Option Tree.
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_check.h: Added support for ">=" and "<=" test options.
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_flowbits.h:
	* src/dynamic-plugins/sp_dynamic.c: Flowbits are now part of the rule stub that gets generated when dumping dynamic rules.
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/detection-plugins/sp_replace.c:
	* src/detection-plugins/sp_replace.h: Content replacement code moved out to sp_replace.{c,h}
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_pcre.h: PCRE matches are no longer repeated if anchored.
	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h: Packet structure re-arranged, and other code cleanup.
	* src/dynamic-preprocessors/ssh/Makefile.am:
	* src/dynamic-preprocessors/ssh/sf_preproc_info.h:
	* src/dynamic-preprocessors/ssh/sf_ssh.dsp:
	* src/dynamic-preprocessors/ssh/spp_ssh.c:
	* src/dynamic-preprocessors/ssh/spp_ssh.h: Updated SSH preprocessor. Config options have been modified, see README.ssh for details.
	* src/parser.c: Fixed handling of IP lists with mis-matched brackets.
	* src/output-plugins/spo_unified2.c:
	* src/output-plugins/spo_unified2.h: MPLS and VLAN records have been consolidated into Unified2Event_v2.
	* src/win32/Makefile.am:
	* src/win32/WIN32-Code/inet_aton.c:
	* src/win32/WIN32-Code/misc.c:
	* src/win32/WIN32-Code/syslog.c:
	* src/win32/WIN32-Code/win32_service.c:
	* src/win32/WIN32-Includes/config.h:
	* src/win32/WIN32-Includes/stdint.h:
	* src/win32/WIN32-Prj/build_all.dsp:
	* src/win32/WIN32-Prj/sf_engine_initialize.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/win32/WIN32-Prj/snort.dsw:
	* src/win32/WIN32-Prj/snort_initialize.dsp:
	* src/win32/WIN32-Prj/snort_installer.nsi: Updated Win32 installer to include new Snort files.
	* rpm/snort.spec: Updated RPM to include new Snort files.
	* doc/CREDITS:
	* doc/README.filters:
	* doc/README.frag3:
	* doc/README.http_inspect:
	* doc/README.ssh:
	* doc/README.thresholding:
	* doc/snort_manual.tex: Documentation updates.
	In addition, the following files were modified to enable:
	- Reloading snort.conf without restarting Snort
	- Applying multiple snort.confs on a per-vlan or per-CIDR block basis
	- Compiler warning clean-up

	* src/bounds.h:
	* src/byte_extract.c:
	* src/byte_extract.h:
	* src/checksum.h:
	* src/cpuclock.h:
	* src/debug.c:
	* src/decode.c:
	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/detection_options.h:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_asn1_detect.c:
	* src/detection-plugins/sp_asn1_detect.h:
	* src/detection-plugins/sp_asn1.h:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_byte_jump.h:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_clientserver.h:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_cvs.h:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_dsize_check.h:
	* src/detection-plugins/sp_ftpbounce.c:
	* src/detection-plugins/sp_ftpbounce.h:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_code_check.h:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_id_check.h:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_seq_check.h:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_icmp_type_check.h:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_fragbits.h:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_id_check.h:
	* src/detection-plugins/sp_ipoption_check.c:
	* src/detection-plugins/sp_ipoption_check.h:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_same_check.h:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_ip_tos_check.h:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_isdataat.h:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_react.h:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_respond2.h:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond.h:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_rpc_check.h:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_session.h:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_ack_check.h:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_flag_check.h:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_seq_check.h:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_tcp_win_check.h:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_ttl_check.h:
	* src/detection-plugins/sp_urilen_check.c:
	* src/detection-plugins/sp_urilen_check.h:
	* src/dynamic-plugins/sf_dynamic_common.h:
	* src/dynamic-plugins/sf_dynamic_define.h:
	* src/dynamic-plugins/sf_dynamic_detection.h:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-plugins/sp_preprocopt.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
	* src/dynamic-preprocessors/dcerpc/Makefile.am:
	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
	* src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
	* src/dynamic-preprocessors/dcerpc/smb_file_decode.c:
	* src/dynamic-preprocessors/dcerpc/smb_file_decode.h:
	* src/dynamic-preprocessors/dcerpc/smb_file_structs.h:
	* src/dynamic-preprocessors/dcerpc/smb_structs.h:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_config.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_config.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_debug.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_debug.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_event.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_event.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_http.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_list.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_session.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_stats.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_tcp.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
	* src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc2/includes/smb.h:
	* src/dynamic-preprocessors/dcerpc2/Makefile.am:
	* src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.h:
	* src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
	* src/dynamic-preprocessors/dns/Makefile.am:
	* src/dynamic-preprocessors/dns/sf_dns.dsp:
	* src/dynamic-preprocessors/dns/sf_preproc_info.h:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/dns/spp_dns.h:
	* src/dynamic-preprocessors/dynamic_preprocessors.dsp:
	* src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
	* src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
	* src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
	* src/dynamic-preprocessors/ftptelnet/Makefile.am:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.h:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h:
	* src/dynamic-preprocessors/libs/sfcommon.h:
	* src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp:
	* src/dynamic-preprocessors/libs/sfparser.c:
	* src/dynamic-preprocessors/libs/ssl.c:
	* src/dynamic-preprocessors/libs/ssl.h:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
	* src/dynamic-preprocessors/smtp/Makefile.am:
	* src/dynamic-preprocessors/smtp/sf_preproc_info.h:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/smtp/smtp_config.c:
	* src/dynamic-preprocessors/smtp/smtp_config.h:
	* src/dynamic-preprocessors/smtp/smtp_log.c:
	* src/dynamic-preprocessors/smtp/smtp_normalize.c:
	* src/dynamic-preprocessors/smtp/smtp_normalize.h:
	* src/dynamic-preprocessors/smtp/smtp_util.c:
	* src/dynamic-preprocessors/smtp/smtp_util.h:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/ssl/Makefile.am:
	* src/dynamic-preprocessors/ssl/sf_preproc_info.h:
	* src/dynamic-preprocessors/ssl/sf_ssl.dsp:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.h:
	* src/event.h:
	* src/event_queue.c:
	* src/event_queue.h:
	* src/event_wrapper.c:
	* src/event_wrapper.h:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/generators.h:
	* src/inline.c:
	* src/inline.h:
	* src/ipv6_port.h:
	* src/log.c:
	* src/log.h:
	* src/log_text.c:
	* src/log_text.h:
	* src/Makefile.am:
	* src/mempool.c:
	* src/mstring.c:
	* src/mstring.h:
	* src/output-plugins/spo_alert_arubaaction.c:
	* src/output-plugins/spo_alert_fast.c:
	* src/output-plugins/spo_alert_full.c:
	* src/output-plugins/spo_alert_prelude.c:
	* src/output-plugins/spo_alert_sf_socket.c:
	* src/output-plugins/spo_alert_syslog.c:
	* src/output-plugins/spo_alert_test.c:
	* src/output-plugins/spo_alert_unixsock.c:
	* src/output-plugins/spo_alert_unixsock.h:
	* src/output-plugins/spo_csv.c:
	* src/output-plugins/spo_database.c:
	* src/output-plugins/spo_database.h:
	* src/output-plugins/spo_log_ascii.c:
	* src/output-plugins/spo_log_ascii.h:
	* src/output-plugins/spo_log_null.c:
	* src/output-plugins/spo_log_null.h:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/output-plugins/spo_unified.c:
	* src/output-plugins/spo_unified.h:
	* src/parser/IpAddrSet.c:
	* src/parser/IpAddrSet.h:
	* src/parser.h:
	* src/pcap_pkthdr32.h:
	* src/pcrm.c:
	* src/pcrm.h:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/ppm.c:
	* src/ppm.h:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/include/hi_client_stateful.h:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_reqmethod_check.h:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/include/hi_stateful_inspect.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/include/hi_uri.h:
	* src/preprocessors/HttpInspect/include/hi_urilen_check.h:
	* src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
	* src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-event.c:
	* src/preprocessors/perf-event.h:
	* src/preprocessors/perf-flow.c:
	* src/preprocessors/perf-flow.h:
	* src/preprocessors/perf.h:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/sfprocpidstats.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/snort_httpinspect.h:
	* src/preprocessors/spp_arpspoof.c:
	* src/preprocessors/spp_bo.c:
	* src/preprocessors/spp_bo.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_frag3.h:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_httpinspect.h:
	* src/preprocessors/spp_perfmonitor.c:
	* src/preprocessors/spp_perfmonitor.h:
	* src/preprocessors/spp_rpc_decode.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_sfportscan.h:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/spp_stream5.h:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.c:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	* src/preprocessors/stream_ignore.c:
	* src/preprocessors/stream_ignore.h:
	* src/preprocessors/str_search.h:
	* src/preprocids.h:
	* src/profiler.c:
	* src/profiler.h:
	* src/rules.h:
	* src/sf_types.h:
	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/acsmx.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/asn1.c:
	* src/sfutil/asn1.h:
	* src/sfutil/bnfa_search.c:
	* src/sfutil/ipobj.c:
	* src/sfutil/Makefile.am:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	* src/sfutil/sfeventq.c:
	* src/sfutil/sfeventq.h:
	* src/sfutil/sfghash.c:
	* src/sfutil/sfghash.h:
	* src/sfutil/sfhashfcn.c:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_ip.h:
	* src/sfutil/sf_iph.c:
	* src/sfutil/sf_ipvar.c:
	* src/sfutil/sfksearch.c:
	* src/sfutil/sfksearch.h:
	* src/sfutil/sflsq.c:
	* src/sfutil/sflsq.h:
	* src/sfutil/sfPolicy.c:
	* src/sfutil/sfPolicy.h:
	* src/sfutil/sfPolicyUserData.c:
	* src/sfutil/sfPolicyUserData.h:
	* src/sfutil/sfportobject.c:
	* src/sfutil/sfportobject.h:
	* src/sfutil/sfrf.c:
	* src/sfutil/sfrf.h:
	* src/sfutil/sfrt.c:
	* src/sfutil/sfrt_dir.c:
	* src/sfutil/sfrt_dir.h:
	* src/sfutil/sfrt.h:
	* src/sfutil/sfrt_lctrie.c:
	* src/sfutil/sfrt_lctrie.h:
	* src/sfutil/sfrt_trie.h:
	* src/sfutil/sf_textlog.h:
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h:
	* src/sfutil/sf_vartable.c:
	* src/sfutil/sf_vartable.h:
	* src/sfutil/sfxhash.c:
	* src/sfutil/util_math.c:
	* src/sfutil/util_math.h:
	* src/sfutil/util_net.c:
	* src/sfutil/util_net.h:
	* src/signature.c:
	* src/signature.h:
	* src/snort.c:
	* src/snort.h:
	* src/snprintf.c:
	* src/spo_plugbase.h:
	* src/tag.c:
	* src/tag.h:
	* src/target-based/sf_attribute_table_parser.l:
	* src/target-based/sf_attribute_table.y:
	* src/target-based/sftarget_hostentry.c:
	* src/target-based/sftarget_hostentry.h:
	* src/target-based/sftarget_protocol_reference.c:
	* src/target-based/sftarget_protocol_reference.h:
	* src/target-based/sftarget_reader.c:
	* src/target-based/sftarget_reader.h:
	* src/util.c:
	* src/util.h:

2009-04-20  Ryan Jordan

	* src/dynamic-preprocessors/dcerpc2/dce2_config.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c: Changed DCE2 configuration such that events are disabled by default.
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c: Fixed false positive when an additional /r/n followed the QUIT command.
	* src/dynamic-preprocessors/ssh/spp_ssh.c: Fixed infinite loop when parsing SSH configuration.
	* src/output-plugins/spo_database.c: Fixed an issue that prevented Snort from inserting records into the sensor table of a MySQL database. Thanks to David Cecchino for pointing out this issue.
	* src/parser.c:
	* src/sfutil/ipobj.c: Fixed handling of IP lists that begin with variables, when IPv6 was enabled.
	* src/preprocessors/Stream5/snort_stream5_tcp.c: Handle case where require_3whs is configured, no session has been created and an ACK is received with a RST flag. Thanks to Jeff Johnson for reporting the problem.
	* src/sfthreshold.c:
	* src/sfutil/sf_ipvar.c:
	* src/sfutil/sfportobject.c:
	* src/sfutil/sfthd.c:
	* src/sfutil/sf_vartable.c:
	* src/util.c: Fixed issues with use of IPv6 address variables.
	* rpm/snort.spec: Added DCE2 preprocessor to RPM spec file. Thanks to Scott Fabbri, c0uch, and Andrew Pendray for reporting this.
	* doc/snort_manual.tex: Updated to add Bhagyasree Bantwal, newest member of Snort Team.

2009-03-11  Steven Sturges

	* src/util.c: Fix for IPv6 on Win32 to define interface variables.
	* src/win32/WIN32-Prj/snort_installer_options.ini: Update for IPv6 installs.

2009-03-10  Steven Sturges

	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: Correctly pass operation to allow flowbits checked-but-not-set and set-but-not-checked validation to work between text and shared rules.
	* src/dynamic-plugins/sf_dynamic_define.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c: Handle relative PCREs the same as text rules. Fix misnamed macro.
	* src/dynamic-preprocessors/dcerpc2/dce2_co.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_event.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c: Address false positives seen in testing.
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c: Add missing attribute check when FTP traffic is picked up mid-TCP stream.
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c: Fix handling of EPRT command for IPv6.
	* src/output-plugins/spo_unified2.c: unlink output file in test mode.
	* src/fpcreate.c:
	* src/fpdetect.c:
	* src/parser.c: Fix logging to syslog for rule counts at startup.
	* src/generators.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/stream5_common.h:
	* etc/gen-msg.map: Add stream5 option to restrict the number of consecutive small TCP segments inserted for reassembly without seeing an ACK. Generate alert (gid:129,sid:12) when that limit is exceeded. Allow overriding of this configuration on a port basis via an ignore_ports option.
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_ip.h: Fixed issues w/ IPv6 comparisons and /32 used with IPv6. Added and updated unit test code. Thanks to mamcmil on snort.org forums for pointing out the problem.
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* src/win32/WIN32-Prj/snort_installer_options.ini:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp:
	* src/dynamic-preprocessors/dns/sf_dns.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/ssh/sf_ssh.dsp:
	* src/dynamic-preprocessors/ssl/sf_ssl.dsp:
	* configure.in:
	* rpm/snort.spec:
	* src/win32/WIN32-Includes/config.h:
	2.8.4 Final build changes. Allow IPv6 to be installed via Windows installer.

2009-02-06  Todd Wease

	* snort.8:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	Added command line option "--require-rule-sid" to require every rule to have an sid.

	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/detection_options.h:
	Fix compilation issue with --disable-dynamicplugin. Thanks to Jason Wallace for bringing this to our attention.

	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	Push dynamic engine minor version to 10 and build version to 16.

	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	Fix preprocessor rule option processing for dynamic detection rules.

	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	Add checks for header and method buffers when fast pattern is not specified in dynamic detection rules.

	* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/smtp/smtp_util.c:
	* src/preprocessors/HttpInspect/client/hi_client_norm.c:
	* src/sfutil/acsmx2.c:
	* src/sfutil/bnfa_search.c:
	Update uses of isprint() to check for isascii() as well where only printable ASCII characters are relevant.
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	Update smtp preprocessor to use stream5 direction data when determining if preprocessor is configured to process traffic.

	* doc/README.stream5:
	* doc/snort_manual.tex:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Add range checking in stream5 preprocessor for prune_log_max and update error messages to indicate 0 is a valid value for prune_log_max, max_queued_segs and max_queued_bytes.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Update to stream5 preprocessor to handle ECN and CWR bits in the SYN packet. Thanks to Lothar Braun for bringing this to our attention.

	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_ip.h:
	Fix configuration parsing of IPv6 addresses to allow /32 cidr.

	* src/decode.c:
	* src/decode.h:
	* src/detect.c:
	* src/detect.h:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_proto.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/ssh/spp_ssh.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.h:
	* src/parser.c:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/preprocessors/spp_arpspoof.c:
	* src/preprocessors/spp_bo.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/preprocessors/spp_rpc_decode.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/rules.h:
	* src/snort.c:
	Added rule and preprocessor filtering by protocol so that traffic will not be evaluated for which there are no rules or preprocessors interested in that traffic.
	* src/decode.c:
	Fixed IPv6 decoder for Sparc memory alignment in IPv6 enabled binary.

	* src/decode.h:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/log_text.c:
	* src/sfutil/sf_iph.c:
	Fixed issue in IPv6 enabled binary, where ICMP (not ICMP6) over IPv6 would cause a segfault.

	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/detection_options.h:
	* src/profiler.c:
	* src/profiler.h:
	Fixed inconsistent results in rule profiling. Thanks to Geoff Whittington for bringing this to our attention.

	* src/detection-plugins/sp_byte_jump.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	Added new "post_offset" argument to byte jump rule option to move some designated amount after the byte jump.

	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/plugbase.c:
	* src/target-based/sftarget_reader.c:
	* src/target-based/sftarget_reader.h:
	Added functionality to the dynamic-plugin API to check whether adaptive profiles is configured and to check whether or not a preprocessor is configured.

	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
	Fatal error if both dcerpc and dcerpc2 preprocessors are configured.
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_config.c:
	* src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_rpc_decode.c:
	Updates to stream5 filtering so that stream5 does not track sessions for which there are no rules that could fire on that traffic or preprocessors that are interested in that traffic.

	* doc/README.dcerpc2:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	* etc/gen-msg.map:
	* etc/snort.conf:
	Added dcerpc2 preprocessor documentation.

	* src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
	* src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
	Added performance profiling statistics to the dcerpc2 preprocessor.

	* src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
	* src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc2/includes/smb.h:
	Fix for architectures requiring strict memory alignment such as Sparc in the dcerpc2 preprocessor.

	* src/dynamic-preprocessors/dcerpc2/dce2_config.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_config.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_roptions.h:
	Updated configuration error reporting in the dcerpc2 preprocessor.
	* src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_tcp.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_udp.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_session.h:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.h:
	Updated dcerpc2 preprocessor autodetection and handling of missed packets to limit false positives.

	* src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_config.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_debug.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_list.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_memory.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_stats.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
	* src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
	Updated dcerpc2 preprocessor logging.

	* preproc_rules/preprocessor.rules:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_event.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_event.h:
	* src/generators.h:
	Added new preprocessor event to the dcerpc2 preprocessor to alert on Bind or Alter Context PDUs that don't have any context items.

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	Updated ftp_telnet preprocessor to consider the AUTH command as the beginning of a possibly encrypted session.

	* src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
	Pushed the ftp_telnet preprocessor minor version to 2 and build version to 11.
	* src/decode.c:
	* src/snort.h:
	* src/util.c:
	Added additional ethertypes to Vlan decoder.

	* configure.in:
	* src/output-plugins/spo_database.c:
	Added reconnect capability to MySQL database output plugin. Thanks to Ian Mitchell and other users on the lists for bringing this to our attention.

	* src/output-plugins/spo_unified2.c:
	* src/output-plugins/spo_unified2.h:
	Added code to better handle logging to an NFS mounted share.

	* src/parser.c:
	Command line BPF filter now overrides configuration in snort.conf.

	* src/parser.c:
	Command line log directory now overrides configuration in snort.conf.

	* src/parser.c:
	* src/snort.c:
	Fixed read back mode to reallow reading from stdin. Thanks to John Gerber for bringing this to our attention.

	* src/plugbase.c:
	* src/util.c:
	Fixed compilation on HPUX 11.11. Thanks to Lars Ebeling for bringing this to our attention.

	* src/preprocessors/spp_rpc_decode.c:
	Continue defragmentation even when alerting on fragmentation in the rpc_decode preprocessor.

	* src/preprocessors/spp_stream5.c:
	Stream5 will now fatal error if there isn't at least one of track tcp, track udp or track icmp.

	* src/sfthreshold.c:
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h:
	Allow a count of -1 to threshold configuration option to disable all thresholding for that object.

	* src/snort.c:
	Fixed issue with SIGHUP and handling of daemonize flag.

	* preproc_rules/decoder.rules:
	* preproc_rules/preprocessor.rules:
	Added decoder/preprocessor rules for MPLS and DCE/RPC.

	* snort.8:
	Update manpage for "-x", "--conf-error-out" and "--exit-check" command line options.

2008-12-30  Steven Sturges

	* src/output-plugins/spo_database.c:
	Update to check for a missing host name when connecting to a MySQL database and fail gracefully. Thanks to Chris Benedict for the report.
	* doc/README.stream5:
	* doc/snort_manual.pdf:
	* doc/snort_manual.tex:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/stream_api.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/stream5_common.h:
	Update Stream5 to better handle out-of-sequence server responses when not doing server-side reassembly. Add limits on number of bytes and segments queued to prevent one session from consuming all memory.

	* src/target-based/sf_attribute_table.y:
	Force bison to use malloc/free instead of alloca for older versions of bison.

	* src/target-based/sf_attribute_table_parser.l:
	* src/target-based/sftarget_reader.c:
	Don't fatal error when reloading an attribute table beyond the configured limit. Only display warning to syslog/console.

2008-10-03  Todd Wease

	* configure.in:
	* src/decode.c:
	* src/decode.h:
	* src/detection-plugins/sp_pattern_match.c:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp:
	* src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
	* src/fpdetect.c:
	* src/generators.h:
	* src/ipv6_port.h:
	* src/log.c:
	* src/log_text.c:
	* src/output-plugins/spo_alert_test.c:
	* src/output-plugins/spo_csv.c:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/stream_ignore.c:
	* src/sfutil/ipobj.c:
	* src/sfutil/ipobj.h:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_ip.h:
	* src/sfutil/sf_iph.c:
	* src/sfutil/sf_ipvar.c:
	* src/sfutil/sfrt.c:
	* src/sfutil/sfrt.h:
	* src/sfutil/sfrt_dir.c:
	* src/sfutil/sfrt_dir.h:
	* src/snort.c:
	* src/target-based/sf_attribute_table.y:
	* src/target-based/sftarget_reader.c:
	* src/target-based/sftarget_reader.h:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	IPv6 updates and support for sfportscan, ftp_telnet, frag3 and dns preprocessors and adaptive IPS.
	* etc/gen-msg.map:
	* src/decode.h:
	* src/detect.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_cl.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_co.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_config.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_config.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_debug.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_debug.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_event.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_event.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_http.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_http.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_list.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_list.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_memory.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_memory.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_roptions.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_session.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_smb.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_stats.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_stats.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_tcp.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_tcp.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_udp.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_udp.h:
	* src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
	* src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
	* src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc2/includes/smb.h:
	* src/dynamic-preprocessors/dcerpc2/Makefile.am:
	* src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp:
	* src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
	* src/dynamic-preprocessors/dcerpc2/snort_dce2.h:
	* src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
	* src/dynamic-preprocessors/dcerpc2/spp_dce2.h:
	* src/dynamic-preprocessors/Makefile.am:
	* src/generators.h:
	* src/output-plugins/spo_alert_fast.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/sf_types.h:
	* src/sfutil/sfrt.c:
	* src/sfutil/sfrt.h:
	* src/util.c:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/win32/WIN32-Prj/snort.dsw:
	Addition of dcerpc2 preprocessor. Addition of new rule options supported by preprocessor.

	* src/detect.c:
	* src/detect.h:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/ssh/spp_ssh.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* src/fpdetect.c:
	* src/parser.c:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_rpc_decode.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/target-based/sftarget_protocol_reference.c:
	* src/target-based/sftarget_protocol_reference.h:
	Add adaptive support for http_inspect, rpc, smtp, dcerpc, dcerpc2, dns, ftp_telnet, ssh and ssl preprocessors.
	* configure.in:
	* src/detect.c:
	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_asn1.h:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_check.h:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_byte_jump.h:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_clientserver.h:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_cvs.h:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_dsize_check.h:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_flowbits.h:
	* src/detection-plugins/sp_ftpbounce.c:
	* src/detection-plugins/sp_ftpbounce.h:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_code_check.h:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_id_check.h:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_seq_check.h:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_icmp_type_check.h:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_fragbits.h:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_id_check.h:
	* src/detection-plugins/sp_ipoption_check.c:
	* src/detection-plugins/sp_ipoption_check.h:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_proto.h:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_same_check.h:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_ip_tos_check.h:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_isdataat.h:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_pcre.h:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_react.h:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_respond2.h:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond.h:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_rpc_check.h:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_session.h:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_ack_check.h:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_flag_check.h:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_seq_check.h:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_tcp_win_check.h:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_ttl_check.h:
	* src/detection-plugins/sp_urilen_check.c:
	* src/detection-plugins/sp_urilen_check.h:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-plugins/sp_preprocopt.h:
	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dns/sf_dns.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/ssh/sf_ssh.dsp:
	* src/dynamic-preprocessors/ssl/sf_ssl.dsp:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser.c:
	* src/pcrm.c:
	* src/pcrm.h:
	* src/plugbase.c:
	* src/ppm.c:
	* src/ppm.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_frag3.h:
	* src/preprocessors/str_search.c:
	* src/profiler.c:
	* src/profiler.h:
	* src/rules.h:
	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/acsmx.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/bnfa_search.c:
	* src/sfutil/bnfa_search.h:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	* src/sfutil/sfksearch.c:
	* src/sfutil/sfksearch.h:
	* src/snort.c:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	Harden rule option tree code.
	* configure.in:
	* doc/Makefile.am:
	* doc/snort_manual.tex:
	* doc/README.sfportscan:
	* src/detect.c:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/fatal.h:
	* src/generators.h:
	* src/Makefile.am:
	* src/parser.c:
	* src/plugbase.c:
	* src/preprocessors/flow/common_defs.h (removed):
	* src/preprocessors/flow/flow.c (removed):
	* src/preprocessors/flow/flow_cache.c (removed):
	* src/preprocessors/flow/flow_cache.h (removed):
	* src/preprocessors/flow/flow_callback.c (removed):
	* src/preprocessors/flow/flow_callback.h (removed):
	* src/preprocessors/flow/flow_class.c (removed):
	* src/preprocessors/flow/flow_class.h (removed):
	* src/preprocessors/flow/flow_config.h (removed):
	* src/preprocessors/flow/flow_error.h (removed):
	* src/preprocessors/flow/flow.h (removed):
	* src/preprocessors/flow/flow_hash.c (removed):
	* src/preprocessors/flow/flow_hash.h (removed):
	* src/preprocessors/flow/flow_print.c (removed):
	* src/preprocessors/flow/flow_print.h (removed):
	* src/preprocessors/flow/flow_stat.c (removed):
	* src/preprocessors/flow/flow_stat.h (removed):
	* src/preprocessors/flow/int-snort (removed):
	* src/preprocessors/flow/Makefile.am (removed):
	* src/preprocessors/flow/portscan (removed):
	* src/preprocessors/Makefile.am:
	* src/preprocessors/portscan.c (removed):
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/snort_stream4_session.c (removed):
	* src/preprocessors/snort_stream4_session.h (removed):
	* src/preprocessors/snort_stream4_udp.c (removed):
	* src/preprocessors/snort_stream4_udp.h (removed):
	* src/preprocessors/spp_flow.c (removed):
	* src/preprocessors/spp_flow.h (removed):
	* src/preprocessors/spp_stream4.c (removed):
	* src/preprocessors/spp_stream4.h (removed):
	* src/preprocessors/stream.h (removed):
	* src/preprocids.h:
	* src/snort.c:
	* src/win32/WIN32-Prj/snort.dsp:
	Removal of stream4 and flow preprocessors from code base.
	* src/tag.c:
	* src/tag.h:
	* src/ubi_BinTree.c (removed):
	* src/ubi_BinTree.h (removed):
	* src/ubi_SplayTree.c (removed):
	* src/ubi_SplayTree.h (removed):
	Tagging now uses a hash table instead of a splay tree for data storage.

	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/plugbase.c:
	* src/preprocessors/str_search.c:
	* src/preprocessors/str_search.h:
	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/acsmx.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/bnfa_search.c:
	* src/sfutil/bnfa_search.h:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	* src/sfutil/sfksearch.c:
	* src/sfutil/sfksearch.h:
	Support rules with content rule options that are only not contents.

	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_ftpbounce.c:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ipoption_check.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-plugins/sp_preprocopt.h:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	Add override keyword support. Argument to a rule option can be overridden and processed elsewhere. Added for support of new byte_test and byte_jump rule option argument "dce".

	* src/detection-plugins/detection_options.c:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_dynamic_common.h:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-plugins/sp_preprocopt.h:
	Add hash and compare functions for preprocessors to rule option tree.

	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_httpinspect.h:
	Make sure Stream5 is enabled when parsing most arguments to flow rule option. Make sure http_inspect is enabled when parsing uricontent or http content modifiers.

	* src/detection-plugins/sp_clientserver.c:
	Added no_frag and only_frag arguments to flow rule option.

	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	Added dynamic callbacks for logging and resetting event queue.
	* doc/README.stream5:
	* doc/snort_manual.tex:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/ssh/spp_ssh.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/snort_httpinspect.h:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_rpc_decode.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.c:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	Port and service based filtering to improve performance. Stream5 will ignore traffic (if it is configured to do so) for which there are no rules or preprocessors configured to look at this traffic.

	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
	* src/dynamic-preprocessors/ftptelnet/Makefile.am:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	ftp_telnet_protocol server configurations now support multiple IP addresses and netmasks.
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_httpinspect.c:
	http_inspect preprocessor server configurations now support multiple IP addresses and netmasks.

	* doc/README.http_inspect:
	* doc/snort_manual.tex:
	* src/generators.h:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
	* src/preprocessors/HttpInspect/include/hi_eo_events.h:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/snort_httpinspect.c:
	Add "max_headers" and "max_header_length" options to http_inspect server configuration.

	* src/preprocessors/HttpInspect/client/hi_client.c:
	Fix to correctly identify end of http client body request.

	* src/profiler.c:
	* src/profiler.h:
	* src/ppm.c:
	* src/ppm.h:
	Update to handle rule latency thresholding with rule option tree.

	* doc/README.ftptelnet:
	* doc/snort_manual.tex:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	Added "ignore_data_chan" option to ftp_telnet preprocessor to deprecate confusing "data_chan" option.

	* src/preprocessors/spp_stream5.c:
	Fix to alert on dropped packet in midstream session.

	* doc/CREDITS:
	* doc/snort_manual.tex:
	Update for new members of Snort team - Dilbagh Chahal and Ryan Jordan.

	* etc/snort.conf:
	Add "trustservers" to default ssl preprocessor configuration.

	* src/win32/WIN32-Includes/config.h:
	* src/win32/WIN32-Includes/WinPCAP/pcap-stdinc.h:
	Updates to compile in Visual Studio 2008.

2008-09-15  Todd Wease

	* src/detection-plugins/detection_options.c:
	* src/detection-plugins/detection_options.h:
	* src/fpcreate.c:
	* src/generators.h:
	* src/ppm.c:
	* src/ppm.h:
	* src/profiler.c:
	* src/rules.h:
	* etc/gen-msg.map:
	Update rule latency thresholding.
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_stream4.c:
	* doc/README.flow:
	* doc/README.flow-portscan:
	* doc/README.stream4:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf:
	The flow and stream4 preprocessors will be deprecated in a future release.

2008-08-12  Todd Wease

	* src/bounds.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* doc/README.dcerpc:
	* doc/snort_manual.tex:
	DCE/RPC preprocessor changes to handle abnormal TCP segmentation. Added option to reassemble fragmentation buffers early. Updated documentation.

	* src/decode.c:
	* src/decode.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	Fixed handling of MPLS label in checking Stream session uniqueness when IPv4 packets are received and build is IPv6.

	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	MPLS stats are now printed, whether compiled for MPLS or not.

	* src/detection-plugins/sp_pattern_match.c:
	Fixed checksum calculation for IPv6 case for 'replace' rule option.

	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	Added check to not register so rule if it has already been registered.

	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	Added better handling of SMTP data header options to avoid false positives occurring with data header buffer overflow smtp preprocessor event. Thanks to rmkml for bringing this to our attention.
    * src/event_queue.c:
    * src/signature.c:
      Added checks to only allow one rule without an SID defined. Thanks to Christian Mock for bringing this to our attention.
    * src/parser.c:
    * doc/README.PerfProfiling:
      Updated performance profiling README to document new 'filename' option. Fixed handling of 'filename' option in the rule profiling configuration.
    * src/plugbase.c:
      Changed plugins startup output to use log function instead of printf().
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fixes to avoid false positives on http_inspect preprocessor events for bare byte encoding and oversize request-uri directory.
    * doc/CREDITS:
      Credits updates.
    * doc/README.decode:
    * doc/snort_manual.tex:
      Fixed some spelling errors and confusing syntax. Thanks to Hari Sekhon for pointing many of these out.

2008-07-18  Todd Wease

    * src/detection-plugins/sp_dsize_check.c:
      Fix issue with rule option "dsize" range check. Thanks to Bhadresh Patel for bringing this to our attention.
    * src/detection-plugins/sp_pcre.c:
      Fix issue with evaluating PCRE rule options with /U modifier that are followed by a relative content rule option. Many thanks to Bamm Visscher for doing the research, finding the offending rule and producing the test case necessary to track down and fix the issue. Also thanks to others on the snort users list - craig for starting a thread and JJ Cummings for confirming it was not a logging issue.

2008-07-11  Todd Wease

    * src/byte_extract.c:
      Added byte test for 3 bytes.
    * src/debug.c:
    * src/debug.h:
    * src/dynamic-preprocessors/libs/ssl.c:
    * src/dynamic-preprocessors/libs/ssl.h:
    * src/dynamic-preprocessors/ssl/sf_preproc_info.h:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.h:
      Updates to SSL preprocessor to make it work with stream reassembly, multiple handshake records and disabling detection.
    * src/decode.c:
    * src/preprocessors/spp_frag3.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Fix MPLS fragmentation reassembly issue.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/sfutil/sfhashfcn.h:
      Move hash rot macros.
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ssl/sf_ssl.dsp:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
      Update Win32 project files to include MPLS.
    * src/util.c:
      For read mode, reset errno after gathering pcaps from a directory.
    * etc/sid-msg.map:
      Updates.

2008-06-16  Todd Wease

    * src/cpuclock.h:
      Fixed compilation issue on HPUX machines related to performance profiling and the assembly instructions used for getting cpu clock ticks. Thanks to Pavan Raj and Jaipal Reddy for pointing this out.
    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/generators.h:
    * src/log.c:
    * src/log.h:
    * src/output-plugins/spo_unified2.c:
    * src/parser.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * configure.in:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.mpls:
      Added MPLS decoding support.
    * src/decode.c:
    * src/generators.h:
    * etc/gen-msg.map:
      Fixed alert message for IP datagram being greater than captured length.
    * src/decode.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/detection-plugins/sp_pcre.c:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/util.c:
    * src/util.h:
    * doc/README.http_inspect:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      New Feature for HTTP Inspect to split requests into 5 components - Method, URI, Header (non-cookie), Cookies, Body. Added HTTP server specific configurations to normalize HTTP header and/or cookie buffers. Provided content and PCRE modifiers to allow searches within one or more of those individual buffers. Added content modifier to allow rule writer to specify content to be used for fast pattern matcher. Updated dynamic rule API to allow searches within the new buffers.
    * src/detection-plugins/sp_flowbits.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Provided command line switch to bail on rule parsing failure.
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/preprocessors/spp_httpinspect.c:
      Fixed some configuration error checking.
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
      Fixed false negative when using 'trustservers' option.
    * src/output-plugins/spo_database.c:
      Fixed issue where when using the 'ruletype' keyword with database output, events were getting logged using both the default log method and the ruletype log method. Thanks to Agent Smith for pointing this out.
    * src/output-plugins/spo_unified2.c:
      Fixed issue in unified2 code where the timestamp of an event on a stream reassembled packet was using the last stream segment instead of the first.
    * src/parser.c:
    * src/profiler.c:
    * src/snort.h:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Provided option to rule and preprocessor profiling configurations to log to file instead of syslog.
    * src/preprocessors/perf-flow.c:
      Packet size distribution reported by snort flow stats no longer counts reassembled packets.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update Stream5 to flush bytes up to ACK if ACK falls in the middle of a segment instead of including entire segment in reassembled packet.
    * src/snort.c:
      Reset packet processor when reading multiple pcaps and pcap reset option is used.
    * doc/README.decode:
      Update GRE decoder alerts.

2008-06-04  Todd Wease

    * src/fpdetect.c:
    * src/detection-plugins/detection_options.c:
      Fix issue where pass rules weren't getting precedence over alert rules. Thanks to Jason Haar for pointing this out.
    * src/snort.c:
      Reset data link for new pcap when reading multiple pcaps.
    * etc/gen-msg.map:
      Add IPv6 decoder events.
2008-05-07  Todd Wease

    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
      Fix issue in ICMP6 code that made an incorrect calculation when the ICMP6 type was an echo or an echo reply.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/profiler.c:
    * src/profiler.h:
      Pattern Matcher Caching & Rule Processing Performance Improvements.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix memory leak caused by missed or dropped traffic.
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
      Remove redundant macro.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.decoder_preproc_rules:
      Add documentation on the use of decoder and preprocessor rules.

2008-04-30  Todd Wease

    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/profiler.c:
      Process IP rules by fast pattern searching payload of outer IP, then evaluating matching rules against IP header & payload of inner & outer IP. This is to address false positives and false negatives in IP rules.
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_cvs.h:
    * src/preprocessors/spp_frag3.c:
      Fix typos. Thanks to rmkml for pointing this out.
    * src/ipv6_port.h:
    * src/log.c:
    * src/log_text.c:
      Update log to correct datagram length macro for IPv6.
    * src/detection-plugins/sp_pcre.c:
    * src/dynamic-plugins/sf_dynamic_define.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
      Expose a pcre wrapper function to detection library rules via plugin api.
2008-04-14  Todd Wease

    * configure.in:
    * src/detect.c:
    * src/detect.h:
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1.h:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_check.h:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_byte_jump.h:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_clientserver.h:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_cvs.h:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_dsize_check.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_ftpbounce.h:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_code_check.h:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_id_check.h:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_seq_check.h:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_icmp_type_check.h:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_fragbits.h:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_id_check.h:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_ipoption_check.h:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_proto.h:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_same_check.h:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_ip_tos_check.h:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_isdataat.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_pcre.h:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_react.h:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond2.h:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond.h:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_rpc_check.h:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_session.h:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_ack_check.h:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_flag_check.h:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_seq_check.h:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_tcp_win_check.h:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_ttl_check.h:
    * src/detection-plugins/sp_urilen_check.c:
    * src/detection-plugins/sp_urilen_check.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/event_queue.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser.c:
    * src/pcrm.h:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/ppm.c:
    * src/ppm.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
    * src/rules.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
      Pattern Matcher Caching & Rule Processing Performance Improvements.
    * configure.in:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/event_wrapper.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser/IpAddrSet.c:
    * src/parser.c:
    * src/parser.h:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/stream_ignore.h:
    * src/profiler.c:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfportobject.h:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/sfutil/sf_vartable.c:
    * src/sfutil/sf_vartable.h:
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
    * src/spo_plugbase.h:
    * src/target-based/sftarget_protocol_reference.c:
    * src/target-based/sftarget_protocol_reference.h:
    * src/target-based/sftarget_reader.c:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
      Added configuration option to clean up all initialization memory at shutdown.
    * src/decode.h:
    * src/preprocessors/snort_httpinspect.c:
      Add counter for HTTP pipeline requests.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Fixed issue where some FTP traffic was being labeled as encrypted when it was not.
    * src/output-plugins/spo_database.c:
      Free SQL statement. Thanks to Carter Browne for pointing this out.
    * snort.8:
    * doc/snort_manual.tex:
    * src/snort.c:
    * src/util.c:
      Update to indicate --pid-path specifies the directory for the PID file. Thanks to Lee Clemens for pointing out the ambiguity.
    * src/snort.c:
      For --pcap-show option, print to stdout instead of stderr.
    * doc/snort_manual.tex:
    * src/snort.h:
      Set minimum max attribute hosts to 32 instead of 8192.
    * src/target-based/sf_attribute_table_parser.l:
      Allow ! character in attribute table grammar for string values.
    * src/snort.c:
    * src/util.c:
      Print log message with BPF filter passed to Snort.
    * src/sfutil/mpse.c:
      Fix issue with default case (which isn't ever hit) of pattern matcher performance stats not being calculated correctly. Thanks to Wang Zhen for pointing this out.
    * src/parser.c:
      Fixed string comparison for "portvar" and "ipvar" to use correct string length. Thanks to Eric Duda for pointing this out.
    * doc/INSTALL:
      Update MAC OSX install notes.
    * doc/README.arpspoof:
      Update arpspoof documentation.
    * etc/snort.conf:
      Update frag3_global configuration example.

2008-04-03  Steven Sturges

    * rpm/snort.spec:
      Add ssl preprocessor. Thanks to Andrew Pendray for noticing.

2008-03-12  Todd Wease

    * src/decode.c:
    * doc/README.gre:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/Makefile.am:
      Disable PPP decoding if architecture requires word alignment, e.g. SPARC machines.
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
      Fix endian issue when determining if SMB is using unicode strings.
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
      Fix issue where FTPTelnet sometimes determines incorrect direction with midstream session.
    * src/generators.h:
    * src/preprocessors/spp_frag3.c:
    * doc/README.frag3:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * etc/gen-msg.map:
      Update frag3 to remove enforcement of ttl_limit. Add preprocessor alert for min_ttl anomaly.
    * doc/README.ipip:
    * doc/Makefile.am:
      Added README doc for IP in IP decoding.
    * doc/README.stream4:
    * etc/gen-msg.map:
      Fixed some typos. Thanks to rmkml for pointing this out.

2008-03-06  Steven Sturges

    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * doc/README.ssl:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Improve handling for change cipher records and rule options. Indicate that trustservers option only makes sense when noinspect_encrypted is used.
2008-03-05  Steven Sturges

    * doc/README.variables:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Fix a few misspellings. Thanks to Markus Lude for letting us know.

2008-03-04  Steven Sturges

    * configure.in:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * rpm/snort.spec:
    * src/win32/WIN32-Includes/config.h:
      2.8.1 RC prep
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.arpspoof (added):
    * doc/README.pcap_readmode (added):
    * snort.8:
      Document new multiple pcap command line options and ARP Spoof preprocessor configuration.
    * doc/README.dcerpc:
    * doc/README.http_inspect:
    * doc/README.stream4:
      Update to include information about alerts generated from various preprocessors.
    * src/decode.c:
    * src/log_text.c:
    * src/parser.c:
    * src/profiler.c:
    * src/detection-plugins/sp_cvs.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/dynamic-preprocessors/libs/sfcommon.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/sf_iph.c:
    * src/sfutil/sfportobject.c:
    * src/target-based/sftarget_reader.c:
    * src/win32/WIN32-Includes/rpc/types.h:
      Win32 compiler warning cleanup.
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/win32/WIN32-Prj/sf_engine.dsp:
      Reorganize to provide better compatibility with shared libraries.
    * src/detect.c:
    * src/detect.h:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/snort.c:
    * src/snort.h:
      Update to logging of DCE/RPC defragmented packets when using console/fast output modes.
    * src/preprocids.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
      Add ability for dynamic rules to store and retrieve data on stream session.
    * src/detection-plugins/sp_pcre.c:
      Fix compile warning with older versions of PCRE library.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Update default configuration for FTP's STRU command.

2008-01-27  Todd Wease

    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/generators.h:
    * src/preprocessors/spp_frag3.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * etc/gen-msg.map:
      Added IP in IP encapsulation support for both IPv4 and IPv6.
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/snort.c:
      Enforce stricter versioning when loading shared objects. Versions of shared libraries - engine and dynamic preprocessors - will not load if from an older version of Snort.
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
      Fatal error if commas are not used in SSL dynamic preprocessor configuration. Thanks to Chris Rohlf for bringing this to our attention.
    * src/generators.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * etc/gen-msg.map:
      Update Stream5 to alert on data without TCP flags when non-linux policy. Thanks to Chris Eagle, Naval Postgraduate School, for bringing this to our attention.
    * src/parser.c:
      Generate a parsing error if an empty IP list is used (this is equivalent to !any). Thanks to Chris Rohlf for bringing this to our attention.
    * src/parser.c:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfportobject.h:
      Various port object changes.
      Update to handle open port ranges (i.e., 1024:) and print error lines from config file parsing. Added support for handling embedded lists with negations. Use more compatible strrchr() instead of rindex(). Add stricter configuration checks - thanks to Rmkml for bringing this to our attention.
    * src/target-based/sftarget_reader.c:
      Use inet_pton() instead of inet_aton.
    * src/target-based/sftarget_reader.c:
    * src/util.c:
      Set uid and gid of target-based thread if not already set.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update to describe new pcre match limit options.
    * src/win32/WIN32-Prj/snort.dsp:
      Remove system dependent Oracle paths from project.
    * src/fpcreate.c:
      Correctly set the max_size when a longer pattern.
    * src/profiler.c:
      Add Percent of Total column to output.
    * src/sfutil/sf_textlog.c:
      Added format string to prevent messages with certain format from crashing Snort.

2007-12-10  Todd Wease

    * configure.in:
      Require PCRE version 6 or better.
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/stream_api.h:
      Reduce command line and response line overflow false positives in SMTP preprocessor when Snort is missing packets. Only alert on one unique SMTP event per session.
    * configure.in:
      Add check for Phil Woods pcap so that pcap stats are computed correctly. Thanks to John Hally for bringing this to our attention.
    * doc/INSTALL:
      Update for building on Mac OSX 10.5. Thanks to Martin Fong for bringing this to our attention.
    * doc/README.asn1:
    * doc/README.dcerpc:
    * doc/README.dns:
    * doc/README.flow-portscan:
    * doc/README.frag3:
    * doc/README.ssh:
    * doc/README.stream5:
      Update to include information about alerts generated from various preprocessors.
    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
      Add info on stream_size option added with Stream5.
    * etc/gen-msg.map:
      Update to include GRE alerts.
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
      Allow specifying metadata within a shared library rule.
    * src/decode.c:
      Update for decoding IP6 header lengths.
    * src/detect.c:
    * src/parser.c:
      Correctly handle rule-type keyword. Thanks to Tung Tran for bringing this to our attention.
    * src/log_text.c:
    * src/log.c:
      Fix issue with printing IPv6 addresses.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Update default configuration to allow optional string to STRU command.
    * src/dynamic-preprocessors/libs/sfparser.c:
    * src/dynamic-preprocessors/libs/ssl.c:
    * src/dynamic-preprocessors/libs/ssl.h:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
      Updates to better handle SSLv2 recognition.
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/stream.h:
      Fix misaligned structures for Sparc 64bit OpenBSD. Thanks to Markus Lude for helping us track down the problem.
    * src/preprocessors/spp_stream4.c:
      Warn if configured with stream4 & target-based attributes.
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
    * src/sfutil/sf_iph.c:
    * src/sfutil/sf_ipvar.c:
      Code cleanup for IPv6 related changes.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Handle additional cases of multiple sequences of TCP SYN packets on a session that has previously been reset.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Add checks for missing packets in reassembly.
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfxhash.c:
      Code cleanup.
    * src/target-based/sf_attribute_table_parser.l:
    * src/target-based/sftarget_reader.c:
      Better handling for starting attribute reload thread and logging parsing errors.
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Added performance profiling stats for rule option evaluation. Add limits to pcre matching that could affect performance.
2007-11-12  Todd Wease

    * src/byte_extract.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
      Allow byte_jump 'string' option to support variable-length numeric data.
    * src/cpuclock.h:
    * configure.in:
      Add support for rule and preprocessor profiling times for Sparc v9 processors.
    * src/decode.h:
    * src/decode.c:
    * doc/README.gre:
    * src/generators.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
    * configure.in:
      Update GRE decoder to support PPTP GRE v.1 header. Add new GRE decoder alerts and README. Integrate with IPv6 codebase.
    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
      Update decoder to work with all 3 versions of pflog files. Thanks to Ronaldo Maia for reporting this issue.
    * src/parser.c:
    * src/parser.h:
    * src/snort.c:
    * src/snort.h:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/util.c:
    * src/util.h:
    * src/decode.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/mempool.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/profiler.c:
    * src/profiler.h:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/tag.c:
    * src/tag.h:
      Snort can now read multiple pcaps on the command line. The '-r' flag can be given multiple times, as well as options for reading a list of pcaps on the command line, a file containing pcaps to read and/or a directory to recurse through gathering pcaps. Multiple filters can be used and an option to reset Snort to a post initialization state for each pcap read can be given.
    * src/detect.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/parser.c:
    * src/parser.h:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfportobject.h:
    * src/sfutil/sfrim.h:
      Portlists code consolidation and general cleanup.
    * src/detect.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/fpdetect.c:
    * src/ipv6_port.h:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_unified2.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/stream_ignore.h:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
    * src/sfutil/sf_ipvar.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/tag.c:
      IPv6 data type name changes to avoid library namespace conflicts.
    * src/detection-plugins/sp_pattern_match.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/rules.h:
    * src/sf_sdlist.c:
    * src/sf_types.h:
      Fix compiler warnings.
    * src/detection-plugins/sp_pcre.c:
    * src/fpdetect.c:
      Fixed issue where some rules will continue to match on a Uri, even after the first packet.
    * src/dynamic-plugins/Makefile.am:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/fpcreate.c:
      Enabled target-based code to properly assess dynamic rule flow.
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
      Update Win32 project files to include target-based and GRE defines.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Allow white space prior to FTP command.
	* src/preprocids.h:
	* doc/README.ssl:
	* doc/snort_manual.tex:
	* etc/snort.conf:
	* configure.in:
	* src/win32/WIN32-Prj/snort.dsw:
	* src/dynamic-preprocessors/ssl/Makefile.am:
	* src/dynamic-preprocessors/ssl/sf_preproc_info.h:
	* src/dynamic-preprocessors/ssl/sf_ssl.dsp:
	* src/dynamic-preprocessors/ssl/spp_ssl.c:
	* src/dynamic-preprocessors/ssl/spp_ssl.h:
	* src/win32/WIN32-Includes/config.h: Added SSL preprocessor.

	* src/ipv6_port.h: Update IP_CLEAR to clear all fields. Update IP_COPY_VALUE to copy each field individually.

	* src/log.c:
	* src/output-plugins/spo_alert_fast.c:
	* src/output-plugins/spo_alert_full.c:
	* src/log_text.h:
	* src/output-plugins/spo_csv.c:
	* src/output-plugins/spo_database.c:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/log_text.c:
	* src/log_text.h:
	* src/sfutil/sf_textlog.c:
	* src/sfutil/sf_textlog.h: Added rollover of logs upon reaching configured limit - applies to alert_full, alert_fast, log_tcpdump, alert_csv.

	* src/log.c: Added IP obfuscation for IPv6 addresses.

	* src/plugbase.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* doc/README.stream4:
	* doc/README.stream5:
	* doc/snort_manual.tex:
	* etc/snort.conf:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/detection-plugins/sp_cvs.c:
	* src/detection-plugins/sp_cvs.h: CVS detection plugin. Currently only looks for an invalid entry. Ports 514 and 2401 added to default ports for stream reassembly.

	* src/ppm.c:
	* src/ppm.h:
	* src/profiler.c:
	* doc/snort_manual.tex: Fix microseconds calculations. Add ability to use ppm with readback mode. Add documentation to Snort Manual.
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
	* src/preprocessors/HttpInspect/include/hi_eo_events.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/snort_httpinspect.c:
	* doc/README.http_inspect:
	* doc/snort_manual.tex:
	* etc/gen-msg.map: Added overly long http header detection.

	* src/preprocessors/perf-base.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c: Fixed issue where packets were being blocked when Snort, running in inline mode, was shutting down.

	* src/preprocessors/spp_frag3.c: Fixed issue where frag3 does not initialize correctly without any configuration arguments. Thanks to Jason Carr for reporting this.

	* src/preprocessors/spp_sfportscan.c: Fix endian issue in sfportscan when IP addresses are logged. Thanks to Jerry Litteer for reporting this.

	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/stream_api.h: Added function to stream api for returning whether or not there are missing segments. Only supported in stream5.

	* src/preprocessors/str_search.c:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h: Fixed issue where MPSE global counter was being reset by SMTP for each new pattern matcher it created.

	* src/sfutil/sf_vartable.c:
	* src/sfutil/sf_vartable.h:
	* doc/README.variables:
	* doc/snort_manual.tex: Fix segfault with duplicate variables in IPv6 code (enabled with --enable-ipv6).

	* src/target-based/Makefile.am:
	* src/target-based/sf_attribute_table_parser.l:
	* src/target-based/sftarget_reader.c: Target based cleanup.

	* src/util.c: Fixed incorrect calculation of pcap received and dropped.

	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/win32/WIN32-Prj/snort.dsp: Added GRE and target-based to default Win32 build.
	* doc/INSTALL:
	* doc/README.ftptelnet:
	* doc/README.http_inspect:
	* doc/README.sfportscan:
	* doc/README.stream4:
	* doc/README.stream5:
	* doc/README.variables:
	* doc/snort_manual.tex: Documentation updates. Thanks to Jeff Dell for pointing out unified/unified2 errors in Snort Manual and inconsistencies in sfportscan documentation.

2007-11-06 Steven Sturges

	* src/win32/WIN32-Includes/pcre.h:
	* src/win32/WIN32-Includes/pcreposix.h:
	* src/win32/WIN32-Libraries/pcre.lib: Update Win32 LibPCRE to version 7.4.

2007-11-05 Steven Sturges

	* src/preprocessors/Stream5/snort_stream5_tcp.c: Fix debug to correctly call inet_ntoa. Thanks to rmkml for reporting the problem.

2007-09-07 Steven Sturges

	* configure.in:
	* src/build.h:
	* src/win32/WIN32-Includes/config.h:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* rpm/snort.spec:
	* snort.8: 2.8.0 Final release prep. Update spec file to relocate installed schemas and be more consistent with location of docs.

	* src/parser.c: Initialize rule_count variables. Thanks to Ken Steele for pointing it out.

	* src/signature.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/plugbase.c: Fix typos in comments. Thanks rmkml for reviewing.

	* src/tag.c:
	* src/sfutil/sf_ip.c:
	* src/sfutil/sf_iph.c: Cleanup printing of IPv6 Addresses.

	* src/detection-plugins/sp_pcre.c: Initialize the found offset so that it contains correct value when not found.

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c: Improve checking on ftp commands from client.

	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: Disable ftptelnet when compiled with IPv6.

	* src/decode.c:
	* src/snort.c: After logging alert for BSD IPv6 Fragmentation vulnerability, reset the pseudo packet that is used for logging purposes.

	* src/dynamic-preprocessors/smtp/snort_smtp.c: Memory cleanup of mime boundary regular expressions at Snort exit.

	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/spp_sfportscan.c: Memory cleanup of portscan hash table at Snort exit.
	* src/output-plugins/spo_alert_prelude.c: Correctly get IP Header length for logging.

	* src/output-plugins/spo_alert_sf_socket.c: Complete initialization after rules are read for specific GID/SID alerts to log via sf socket.

	* src/output-plugins/spo_unified2.c: Code cleanup.

	* src/preprocessors/spp_frag3.c: Handle VLAN tags in fragmented traffic and include in rebuilt packets if part of original traffic.

	* src/preprocessors/spp_stream5.c: Initialize memory for flowbits after all configuration is processed, as config flowbitsize option might change default. Handle byte alignment issue on Solaris with the flowbits data structure used by Stream5. Thanks to JJC & Shane Castle for helping us troubleshoot these issues and testing the patches.

	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/stream5_common.c:
	* src/preprocessors/stream_api.h: Handle strange sequences of multiple TCP Reset packets on the same session when some of those Resets also contain other flags. Thanks to Siim Poder for reporting the problem.

2007-08-31 Steven Sturges

	* src/parser.c: Updates to prevent variable definitions of the same name as a portvar, var and ipvar.

	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Fix copying of IP address from packet when determining client config that resulted from IPv6 port.

	* src/output-plugins/spo_alert_prelude.c: Updates to write GID in alert data. Thanks to Yoann Vandoorselaere for the update.

	* src/output-plugins/spo_unified2.c: Don't write tagged packets the same as unified. Packets that are part of stream reassembly refer to the original event directly from the packet record header.

	* src/sfutil/sfportobject.c:
	* src/sfutil/sfportobject.h: Code cleanup and free data correctly on parsing errors.

2007-08-30 Steven Sturges

	* doc/Makefile.am: Include README.ipv6 & README.variables in the distribution tarball. Thanks to Jeff Dell for pointing out that it was missing.

	* RELEASE.NOTES: Fix some spelling errors. Thanks rmkml for pointing it out.

	* etc/snort.conf: Update to use new portvar syntax for HTTP_PORTS, ORACLE_PORTS, and SHELLCODE_PORTS. Thanks to rmkml for mentioning this.

2007-08-22 Steven Sturges

	* configure.in:
	* src/sf_types.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c: Fixes to build 2.8.0 Beta on OpenBSD.

	* doc/README.variables:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf: Update PortList documentation.

2007-08-20 Steven Sturges

	* configure.in:
	* src/build.h:
	* src/win32/WIN32-Includes/config.h:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* rpm/snort.spec: 2.8.0 Beta prep.

	* src/Makefile.am:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/event.h:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/output-plugins/spo_unified.c:
	* src/output-plugins/spo_unified2.c:
	* src/pcap_pkthdr32.h (added):
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/stream.h:
	* src/preprocessors/stream_api.h:
	* src/snort_packet_header.h (removed):
	* src/win32/WIN32-Prj/snort.dsp:
	* src/snort.c: Renamed snort_packet_header.h to pcap_pkthdr32.h and changed instances of SnortPktHdr with pcap_pkthdr except in Event struct and unified code where pcap_pkthdr32 is used because 32 bit timevals are required.
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/plugbase.c:
	* src/plugbase.h:
	* src/util.c:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_httpinspect.h:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/snort.c: Added framework for preprocessors to print stats at exit or USR1 signal. Preprocessors register a function that will print the stats and they will be printed when DropStats() is called.

	* src/detection-plugins/sp_pattern_match.c: Commented out 'content-list' rule option code since it is broken and there are no plans in the near future to fix it.

	* src/checksum.h:
	* src/decode.c:
	* src/decode.h:
	* src/detect.c:
	* src/detect.h:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/dynamic-plugins/sf_dynamic_plugins.c:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-preprocessors/dynamic_preprocessors.dsp:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
	* src/dynamic-preprocessors/dns/sf_dns.dsp:
	* src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
	* src/dynamic-preprocessors/ftptelnet/Makefile.am:
	* src/dynamic-preprocessors/smtp/sf_smtp.dsp:
	* src/dynamic-preprocessors/ssh/sf_ssh.dsp:
	* src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/generators.h:
	* src/ipv6.c (removed):
	* src/ipv6.h (removed):
	* src/ipv6_port.h (added):
	* src/log.c:
	* src/Makefile.am:
	* src/output-plugins/spo_alert_arubaaction.c:
	* src/output-plugins/spo_alert_fast.c:
	* src/output-plugins/spo_alert_full.c:
	* src/output-plugins/spo_alert_prelude.c:
	* src/output-plugins/spo_alert_sf_socket.c:
	* src/output-plugins/spo_alert_syslog.c:
	* src/output-plugins/spo_alert_unixsock.c:
	* src/output-plugins/spo_csv.c:
	* src/output-plugins/spo_database.c:
	* src/output-plugins/spo_log_ascii.c:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/output-plugins/spo_unified.c:
	* src/output-plugins/spo_unified2.c:
	* src/parser/IpAddrSet.c:
	* src/parser/IpAddrSet.h:
	* src/parser.c:
	* src/parser.h:
	* src/plugbase.c:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_si.h:
	* src/preprocessors/HttpInspect/include/hi_ui_config.h:
	* src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
	* src/preprocessors/HttpInspect/session_inspection/hi_si.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
	* src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
	* src/preprocessors/portscan.c:
	* src/preprocessors/portscan.h:
	* src/preprocessors/snort_httpinspect.c:
	* src/preprocessors/snort_stream4_session.c:
	* src/preprocessors/snort_stream4_udp.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.h:
	* src/preprocessors/Stream5/snort_stream5_session.c:
	* src/preprocessors/Stream5/snort_stream5_session.h:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	* src/preprocessors/stream.h:
	* src/preprocessors/stream_ignore.c:
	* src/preprocessors/stream_ignore.h:
	* src/rules.h:
	* src/sfthreshold.c:
	* src/sfthreshold.h:
	* src/sfutil/ipobj.c:
	* src/sfutil/Makefile.am:
	* src/sfutil/sf_ip.c (added):
	* src/sfutil/sf_ip.h (added):
	* src/sfutil/sf_iph.c (added):
	* src/sfutil/sf_iph.h (added):
	* src/sfutil/sf_ipvar.c (added):
	* src/sfutil/sf_ipvar.h (added):
	* src/sfutil/sfthd.c:
	* src/sfutil/sfthd.h:
	* src/sfutil/sf_vartable.c (added):
	* src/sfutil/sf_vartable.h (added):
	* src/snort.c:
	* src/snort.h:
	* src/tag.c:
	* src/util.c:
	* src/win32/WIN32-Prj/build_all.dsp:
	* src/win32/WIN32-Prj/sf_engine.dsp:
	* src/win32/WIN32-Prj/snort.dsp:
	* src/win32/WIN32-Prj/snort.dsw:
	* src/win32/WIN32-Prj/snort_installer.nsi:
	* doc/README.ipv6: Added 1st phase of support for IPv6. Added support for ip variables and improved IP address list handling. See README.ipv6 for specifics on what portions of Snort fully support IPv6. Certain preprocessors are not supported -- and cannot be turned on with an IPv6 enabled snort.

	* src/output-plugins/spo_unified.c: Added configuration option to not append timestamps to unified log/alert files.

	* src/output-plugins/spo_unified2.c (added):
	* src/output-plugins/spo_unified2.h (added):
	* src/plugbase.c:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf: Added unified2 logging/output format.

	* src/cpuclock.h (added):
	* src/detect.c:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/Makefile.am:
	* src/parser.c:
	* src/ppm.c (added):
	* src/ppm.h (added):
	* src/profiler.h:
	* src/rules.h:
	* src/snort.c: Added support for packet performance monitoring. Allows Snort to be configured to only spend a certain time period on a given packet and/or rule and automatically suspend performance-intensive rules. See README.ppm for details.

	* src/bounds.h:
	* src/byte_extract.c:
	* src/byte_extract.h:
	* src/debug.c:
	* src/debug.h:
	* src/decode.c:
	* src/decode.h:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_asn1_detect.c:
	* src/detection-plugins/sp_asn1_detect.h:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pattern_match.h:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_session.c:
	* src/dynamic-plugins/sf_dynamic_engine.h:
	* src/dynamic-plugins/sf_dynamic_preprocessor.h:
	* src/dynamic-plugins/sf_engine/bmh.c:
	* src/dynamic-plugins/sf_engine/bmh.h:
	* src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
	* src/dynamic-plugins/sf_engine/sf_snort_packet.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
	* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/dynamic-plugins/sp_dynamic.h:
	* src/dynamic-plugins/sp_preprocopt.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc.h:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
	* src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
	* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
	* src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
	* src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
	* src/dynamic-preprocessors/dns/spp_dns.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_client.h:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
	* src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
	* src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
	* src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
	* src/dynamic-preprocessors/ssh/spp_ssh.c:
	* src/log.c:
	* src/log.h:
	* src/mstring.c:
	* src/mstring.h:
	* src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
	* src/preprocessors/HttpInspect/client/hi_client.c:
	* src/preprocessors/HttpInspect/client/hi_client_norm.c:
	* src/preprocessors/HttpInspect/include/hi_ad.h:
	* src/preprocessors/HttpInspect/include/hi_client.h:
	* src/preprocessors/HttpInspect/include/hi_include.h:
	* src/preprocessors/HttpInspect/include/hi_mi.h:
	* src/preprocessors/HttpInspect/include/hi_norm.h:
	* src/preprocessors/HttpInspect/include/hi_server.h:
	* src/preprocessors/HttpInspect/include/hi_util.h:
	* src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
	* src/preprocessors/HttpInspect/normalization/hi_norm.c:
	* src/preprocessors/HttpInspect/server/hi_server.c:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-flow.c:
	* src/preprocessors/perf-flow.h:
	* src/preprocessors/perf.h:
	* src/preprocessors/portscan.c:
	* src/preprocessors/spp_arpspoof.c:
	* src/preprocessors/spp_bo.c:
	* src/preprocessors/spp_flow.c:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/preprocessors/spp_rpc_decode.c:
	* src/preprocessors/spp_sfportscan.c:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_icmp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/str_search.c:
	* src/preprocessors/str_search.h:
	* src/sfutil/asn1.c:
	* src/sfutil/asn1.h:
	* src/sfutil/bitop_funcs.h:
	* src/sfutil/mpse.c:
	* src/sfutil/mpse.h:
	* src/snort.c: Changed packet payload pointers to use const qualifier to eliminate inadvertent writes to the packet buffer.

	* src/preprocessors/HttpInspect/include/hi_util_kmap.h:
	* src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
	* src/preprocessors/HttpInspect/util/hi_util_kmap.c:
	* src/preprocessors/spp_httpinspect.c:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
	* src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c: Cleanup memory at Snort exit from session & client configurations.

	* src/debug.h:
	* src/preprocids.h:
	* src/generators.h: Added defines for SKYPE.

	* src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
	* src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c: Fixed a few typos in comments. Thanks to rmkml for pointing them out.

	* doc/snort_manual.tex:
	* doc/snort_manual.pdf: Cleaned up a few typos in various sections. Thanks to rmkml, Joel Ebrahimi for pointing out the misspellings & errors.
	* src/decode.h:
	* src/detect.c:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf-base.h:
	* src/preprocessors/spp_frag3.c:
	* src/preprocessors/spp_frag3.h:
	* src/preprocessors/spp_stream4.c:
	* src/preprocessors/spp_stream5.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/preprocessors/Stream5/snort_stream5_udp.h:
	* src/preprocessors/Stream5/stream5_common.c:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/preprocessors/stream_api.h:
	* src/rules.h:
	* src/sfutil/Makefile.am:
	* src/sfutil/sfrt.c (added):
	* src/sfutil/sfrt.h (added):
	* src/sfutil/sfrt_dir.c (added):
	* src/sfutil/sfrt_dir.h (added):
	* src/sfutil/sfrt_trie.h (added):
	* src/signature.c:
	* src/signature.h:
	* src/snort.c:
	* src/snort.h:
	* src/target-based/Makefile.am (added):
	* src/target-based/sf_attribute_table_parser.l (added):
	* src/target-based/sf_attribute_table.y (added):
	* src/target-based/sftarget_hostentry.c (added):
	* src/target-based/sftarget_hostentry.h (added):
	* src/target-based/sftarget_protocol_reference.c (added):
	* src/target-based/sftarget_protocol_reference.h (added):
	* src/target-based/sftarget_reader.c (added):
	* src/target-based/sftarget_reader.h (added):
	* src/util.c: Added experimental support for Target-Based processing for Stream reassembly, IP Frag reassembly, and rule processing. Enable via --enable-targetbased option to configure. A thread is created to reload the attribute table upon receipt of a signal 30.
	* src/detect.c:
	* src/detect.h:
	* src/detection-plugins/sp_clientserver.c:
	* src/detection-plugins/sp_clientserver.h:
	* src/fpcreate.c:
	* src/fpcreate.h:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser.c:
	* src/parser.h:
	* src/pcrm.c:
	* src/pcrm.h:
	* src/preprocessors/Stream5/snort_stream5_udp.c:
	* src/rules.h:
	* src/sfutil/sfportobject.c (added):
	* src/sfutil/sfportobject.h (added):
	* src/sfutil/sfrim.c (added):
	* src/sfutil/sfrim.h (added):
	* src/signature.c:
	* src/signature.h:
	* src/snort.c:
	* src/util.c: Added Port Lists & Port Range functionality and added port variable handling.

	* preproc_rules/preprocessor.rules:
	* preproc_rules/decoder.rules:
	* preproc_rules/Makefile.am:
	* configure.in:
	* etc/snort.conf:
	* src/detection-plugins/sp_asn1.c:
	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_dsize_check.c:
	* src/detection-plugins/sp_flowbits.c:
	* src/detection-plugins/sp_icmp_code_check.c:
	* src/detection-plugins/sp_icmp_id_check.c:
	* src/detection-plugins/sp_icmp_seq_check.c:
	* src/detection-plugins/sp_icmp_type_check.c:
	* src/detection-plugins/sp_ip_fragbits.c:
	* src/detection-plugins/sp_ip_id_check.c:
	* src/detection-plugins/sp_ip_optioncheck.c:
	* src/detection-plugins/sp_ip_proto.c:
	* src/detection-plugins/sp_ip_same_check.c:
	* src/detection-plugins/sp_ip_tos_check.c:
	* src/detection-plugins/sp_isdataat.c:
	* src/detection-plugins/sp_pattern_match.c:
	* src/detection-plugins/sp_pcre.c:
	* src/detection-plugins/sp_react.c:
	* src/detection-plugins/sp_respond.c:
	* src/detection-plugins/sp_respond2.c:
	* src/detection-plugins/sp_rpc_check.c:
	* src/detection-plugins/sp_session.c:
	* src/detection-plugins/sp_tcp_ack_check.c:
	* src/detection-plugins/sp_tcp_flag_check.c:
	* src/detection-plugins/sp_tcp_seq_check.c:
	* src/detection-plugins/sp_tcp_win_check.c:
	* src/detection-plugins/sp_ttl_check.c:
	* src/detection-plugins/sp_urilen_check.c:
	* src/dynamic-plugins/sp_dynamic.c:
	* src/event_queue.c:
	* src/event_wrapper.c:
	* src/event_wrapper.h:
	* src/parser.c:
	* src/plugbase.c:
	* src/plugbase.h: Added support to provide action control (alert, drop, pass, etc) over preprocessor and decoder generated events, as well as references and classifications via a rule. These rules do not include IP addresses as the individual preprocessor/decoder configuration dictates the traffic to which an event applies. In conjunction with this, certain post-processing rule options (tag, logto, etc) may be added to those rules, while other options that relate to data inspection (content, byte_test, etc) may not. Enable via --enable-decoder-preprocessor-rules option to configure.

	* src/dynamic-plugins/sf_dynamic_plugins.c: Search for other shared library extensions on OpenBSD. Thanks to Nikns Siankin for the request.

	* src/dynamic-plugins/sf_engine/Makefile.am:
	* src/dynamic-preprocessors/dcerpc/Makefile.am:
	* src/dynamic-preprocessors/dns/Makefile.am:
	* src/dynamic-preprocessors/ftptelnet/Makefile.am:
	* src/dynamic-preprocessors/smtp/Makefile.am:
	* src/dynamic-preprocessors/ssh/Makefile.am: Fixes to correct shared library extension on MAC OS.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* src/preprocessors/Stream5/snort_stream5_tcp.h:
	* src/preprocessors/Stream5/stream5_common.h:
	* src/generators.h:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf: Added basic TCP session hijacking detection. Detection based on MAC address used during TCP 3-way handshake and MAC address in subsequent packets.

	* src/preprocessors/Stream5/snort_stream5_tcp.c:
	* doc/README.stream5:
	* doc/snort_manual.tex:
	* doc/snort_manual.pdf: Added stream_size rule option (only supported by Stream5).

	* src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
	* src/generators.h: Improved detection for encrypted ftp sessions, reducing false positives. Added detection of subnegotiation begin commands without matching subnegotiation end (evasion attempt).
	* src/dynamic-preprocessors/smtp/smtp_config.c:
	* src/dynamic-preprocessors/smtp/smtp_config.h:
	* src/dynamic-preprocessors/smtp/smtp_log.c:
	* src/dynamic-preprocessors/smtp/smtp_log.h:
	* src/dynamic-preprocessors/smtp/smtp_normalize.c:
	* src/dynamic-preprocessors/smtp/smtp_normalize.h:
	* src/dynamic-preprocessors/smtp/smtp_util.c:
	* src/dynamic-preprocessors/smtp/smtp_util.h:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
	* src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
	* src/dynamic-preprocessors/smtp/snort_smtp.c:
	* src/dynamic-preprocessors/smtp/snort_smtp.h:
	* src/dynamic-preprocessors/smtp/spp_smtp.c:
	* src/dynamic-preprocessors/smtp/spp_smtp.h:
	* doc/README.SMTP:
	* etc/snort.conf:
	* src/generators.h: Rework much of preprocessor to improve searches, additional vulnerability checks. Updates include changes to handle case insensitive searches. Alert on header name length (Exim exploit) and check for valid mime headers. Add port 587 (see RFC 2476) to default ports. Improved normalization to separate commands and data. Updates to config parsing and console startup output.

	* src/parser.c: Handle duplicate rules by using the newer revision or the earlier appearing rule (if same revision).

	* src/sf_types.h (added):
	* src/preprocessors/flow/flow_cache.c:
	* src/preprocessors/flow/flow_cache.h:
	* src/preprocessors/flow/portscan/flowps.c:
	* src/preprocessors/flow/portscan/flowps_snort.c:
	* src/preprocessors/flow/portscan/scoreboard.c:
	* src/preprocessors/flow/portscan/server_stats.c:
	* src/preprocessors/flow/portscan/unique_tracker.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/perf.c:
	* src/preprocessors/perf-event.c:
	* src/preprocessors/perf-event.h:
	* src/profiler.c:
	* src/sfutil/util_math.c:
	* src/sfutil/util_math.h:
	* src/snort.h:
	* src/snprintf.h:
	* src/util.c:
	* src/util.h:
	* src/win32/WIN32-Includes/stdint.h:
	* src/win32/WIN32-Includes/WinPCAP/time_calls.h: Updated logging to print 64bit values on various platforms in a more portable manner.
	* configure.in:
	* src/decode.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/spp_perfmonitor.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	* src/util.h:
	* src/win32/WIN32-Includes/config.h: Fixed issue with various versions of pcap reporting received & dropped stats differently. Pcap versions 0.9 & higher accumulate stats, whereas earlier versions do not.

	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx2.h:
	* src/sfutil/acsmx.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/bnfa_search.c:
	* src/sfutil/bnfa_search.h:
	* src/sfutil/sfghash.c:
	* src/sfutil/sfhashfcn.c:
	* src/sfutil/sfhashfcn.h:
	* src/sfutil/sfprimetable.c (added):
	* src/sfutil/sfprimetable.h (added):
	* src/sfutil/sfksearch.c:
	* src/sfutil/sfksearch.h:
	* src/sfutil/sfxhash.c:
	* src/sfutil/sfxhash.h: Improve performance of pattern match engines to not evaluate a rule with a pattern that has already been seen and the rule already processed. This change takes into account if that rule fails because of an unset flowbit (which may have been set by another rule). Changed hash table hash functions to use power of two computations instead of prime numbers.

	* src/util.c: Added PCRE library version information to Snort startup banner.

2007-07-27 Steven Sturges

	* etc/snort.conf: Turn off flow since Stream5 is now enabled by default.

	* src/snort.c: Fix printing of threshold counts until after all rules are read. This issue did not affect thresholding, only display of thresholding. Thanks to Jeffrey Denton for reporting the problem.

	* src/sfutil/ipobj.c: Fix free of invalid pointer when using a negated IP list. This is used by sfportscan preprocessor configuration parsing. Thanks to Anders Ostrem for reporting the problem.

	* src/preprocessors/Stream5/snort_stream5_session.c: Fixed issue when experimental ICMP tracking is used without using the TCP or UDP session tracking. ICMP was attempting to lookup TCP or UDP sessions from uninitialized session cache. Thanks to Koji Shikata for reporting the problem.
	* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed invalid session pointer when rule tries to use flowbits after session ends. Thanks to rmkml for initially reporting the problem.

2007-07-06 Steven Sturges

	* src/preprocessors/Stream5/snort_stream5_tcp.c: Fixed potential invalid memory access when require 3whs option is used.

2007-06-28 Steven Sturges

	* src/sfutil/acsmx2.c:
	* src/sfutil/bnfa_search.c: Revert previous changes as they resulted in some false negatives with mixed case patterns and rules. Will address in a future release.

	* src/detection-plugins/sp_react.c: Fixed problem with segfault with flexresp. Thanks to Keith Pachulski for reporting the issue.

2007-06-20 Steven Sturges

	* src/sfutil/acsmx2.c:
	* src/sfutil/acsmx.h:
	* src/sfutil/bnfa_search.c: Performance improvement to track the last state of a pattern that matched, so if it hits that state again immediately, don't go re-evaluate all of the same rules.

	* src/decode.c:
	* src/detect.c:
	* src/snort.h:
	* src/util.c: Properly handle UDP checksum if checksum value is 0 in header (do not calculate). Add stat that tracks number of failed checksums.

	* src/detection-plugins/sp_pcre.c: Add /P flag to PCRE detection to check HTTP inspect's normalized client request body.

	* src/dynamic-preprocessors/Makefile.am:
	* src/dynamic-examples/Makefile.am: Fix header file replication.

	* src/output-plugins/spo_alert_prelude.c: Update to write data at Snort exit. Thanks Yoann Vandoorselaere for the patch.

	* src/parser.c: Update to max line length. Mark 'stateless' option to be deprecated, use flow:stateless.
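The UDP checksum handling noted in the 2007-06-20 entry above, as an added C example that is not Snort's code: a zero checksum field in UDP over IPv4 means the sender computed none (RFC 768), so a verifier must record it as absent rather than failed, and only genuine mismatches should feed a failed-checksum counter. It assumes UDP over IPv4, uses a constructed datagram, and its function and counter names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of a check. In UDP over IPv4 a zero checksum field means the sender
 * computed none (RFC 768), so it is neither a pass nor a failure. */
enum udp_csum_result { UDP_CSUM_OK = 0, UDP_CSUM_BAD = 1, UDP_CSUM_NONE = 2 };

/* Hypothetical counters, in the spirit of the "failed checksums" stat above. */
struct udp_csum_stats { unsigned verified, failed, absent; };

/* RFC 1071 one's-complement accumulator over big-endian 16-bit words. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += (uint32_t)((p[0] << 8) | p[1]);
    if (len)                                  /* odd trailing byte, zero padded */
        acc += (uint32_t)(p[0] << 8);
    return acc;
}

static uint16_t ones_fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Checksum over the IPv4 pseudo-header (src, dst, zero, proto 17, UDP length),
 * the UDP header with its checksum field taken as zero, and the payload.
 * udp points at the 8-byte UDP header; udp_len is header plus payload. */
uint16_t udp_checksum_ipv4(const uint8_t src[4], const uint8_t dst[4],
                           const uint8_t *udp, size_t udp_len)
{
    uint8_t pseudo[12] = { 0 };
    uint32_t acc;
    uint16_t csum;

    if (udp_len < 8)
        return 0;                             /* runt: no complete UDP header */
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[9]  = 17;                          /* IPPROTO_UDP; pseudo[8] stays 0 */
    pseudo[10] = (uint8_t)(udp_len >> 8);
    pseudo[11] = (uint8_t)(udp_len & 0xff);
    acc  = ones_sum(pseudo, sizeof pseudo, 0);
    acc  = ones_sum(udp, 6, acc);             /* ports and length */
    acc  = ones_sum(udp + 8, udp_len - 8, acc); /* payload; bytes 6-7 skipped */
    csum = ones_fold(acc);
    return csum == 0 ? 0xffffu : csum;        /* RFC 768: a zero result is sent as all ones */
}

/* Verify one datagram. A zero field is counted as absent, never as failed. */
enum udp_csum_result udp_verify_ipv4(const uint8_t src[4], const uint8_t dst[4],
                                     const uint8_t *udp, size_t udp_len,
                                     struct udp_csum_stats *st)
{
    uint16_t in_hdr;

    if (udp_len < 8)
        return UDP_CSUM_BAD;                  /* too short to carry a checksum */
    in_hdr = (uint16_t)((udp[6] << 8) | udp[7]);
    if (in_hdr == 0) {
        st->absent++;
        return UDP_CSUM_NONE;
    }
    st->verified++;
    if (udp_checksum_ipv4(src, dst, udp, udp_len) != in_hdr) {
        st->failed++;
        return UDP_CSUM_BAD;
    }
    return UDP_CSUM_OK;
}

/* Constructed sample: 192.0.2.1:53 -> 192.0.2.2:1234, payload "ping".
 * Its correct checksum, worked by hand over the words above, is 0x97fa. */
static const uint8_t SAMPLE_SRC[4] = { 192, 0, 2, 1 };
static const uint8_t SAMPLE_DST[4] = { 192, 0, 2, 2 };
static const uint8_t SAMPLE_UDP[12] = {
    0x00, 0x35, 0x04, 0xd2, 0x00, 0x0c, 0x00, 0x00, 'p', 'i', 'n', 'g' };
struct udp_csum_stats sample_stats = { 0, 0, 0 };

/* Verify the sample with a given checksum field, optionally flipping a payload bit. */
enum udp_csum_result sample_result(uint16_t csum_field, int corrupt_payload)
{
    uint8_t d[sizeof SAMPLE_UDP];
    memcpy(d, SAMPLE_UDP, sizeof d);
    d[6] = (uint8_t)(csum_field >> 8);
    d[7] = (uint8_t)(csum_field & 0xff);
    if (corrupt_payload)
        d[sizeof d - 1] ^= 0x01;              /* "ping" -> "pinf" */
    return udp_verify_ipv4(SAMPLE_SRC, SAMPLE_DST, d, sizeof d, &sample_stats);
}

int main(void)
{
    printf("zero=%d correct=%d corrupted=%d (0 ok, 1 bad, 2 none)\n",
           sample_result(0, 0), sample_result(0x97fa, 0), sample_result(0x97fa, 1));
    printf("verified=%u failed=%u absent=%u\n", sample_stats.verified,
           sample_stats.failed, sample_stats.absent);
    return 0;
}
```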
2007-06-19 Steven Sturges

    * src/byte_extract.h:
    * src/event_queue.h:
    * src/event_wrapper.h:
    * src/inline.h:
    * src/ipv6.c:
    * src/ipv6.h:
    * src/packet_time.h:
    * src/plugin_enum.h:
    * src/preprocids.h:
    * src/sfthreshold.h:
    * src/snort_packet_header.h:
    * src/detection-plugins/sp_asn1.h:
    * src/detection-plugins/sp_asn1_detect.h:
    * src/detection-plugins/sp_flowbits.h:
    * src/detection-plugins/sp_ip_proto.c:
    * src/dynamic-examples/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h:
    * src/dynamic-examples/dynamic-preprocessor/spp_example.c:
    * src/dynamic-examples/dynamic-rule/detection_lib_meta.h:
    * src/dynamic-examples/dynamic-rule/rules.c:
    * src/dynamic-examples/dynamic-rule/sid109.c:
    * src/dynamic-examples/dynamic-rule/sid637.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_udp.h:
    * src/preprocessors/spp_flow.h:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_httpinspect.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_sfportscan.h:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
    * src/preprocessors/stream.h:
    * src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_ad.h:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_client_norm.h:
    * src/preprocessors/HttpInspect/include/hi_eo.h:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_eo_log.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_mi.h:
    * src/preprocessors/HttpInspect/include/hi_norm.h:
    * src/preprocessors/HttpInspect/include/hi_return_codes.h:
    * src/preprocessors/HttpInspect/include/hi_server.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h:
    * src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
    * src/preprocessors/HttpInspect/include/hi_util.h:
    * src/preprocessors/HttpInspect/include/hi_util_hbm.h:
    * src/preprocessors/HttpInspect/include/hi_util_kmap.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/HttpInspect/utils/hi_util_hbm.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/flow/common_defs.h:
    * src/preprocessors/flow/flow.c:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow_callback.c:
    * src/preprocessors/flow/flow_callback.h:
    * src/preprocessors/flow/flow_class.c:
    * src/preprocessors/flow/flow_class.h:
    * src/preprocessors/flow/flow_config.h:
    * src/preprocessors/flow/flow_error.h:
    * src/preprocessors/flow/flow_hash.c:
    * src/preprocessors/flow/flow_hash.h:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/flow_print.h:
    * src/preprocessors/flow/flow_stat.c:
    * src/preprocessors/flow/flow_stat.h:
    * src/preprocessors/flow/int-snort/flow_packet.c:
    * src/preprocessors/flow/int-snort/flow_packet.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps.h:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/flowps_snort.h:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/flow/portscan/scoreboard.h:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/server_stats.h:
    * src/preprocessors/flow/portscan/unique_tracker.c:
    * src/preprocessors/flow/portscan/unique_tracker.h:
    * src/sfutil/acsmx2.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/ipobj.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfhashfcn.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfmemcap.h:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfsnprintfappend.h:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
    * src/sfutil/util_net.c:
    * src/sfutil/util_net.h:
    * src/sfutil/util_str.c:
    * src/sfutil/util_str.h:
    * src/win32/WIN32-Code/inet_aton.c:
    * src/win32/WIN32-Code/name.h:
    Update copyright dates & info and add GPL header.
2007-06-01 Steven Sturges

    * src/util.c:
    Update to hourly timestats from Bill Parker.

2007-06-01 Steven Sturges

    * src/preprocessors/spp_frag3.c:
    Fix configuration parsing to validate parameters for memcap, max_frags, prealloc_frags. Thanks to Joel Ebrahimi for pointing out the issue.

2007-05-30 Steven Sturges

    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    Cleanup xlink2state processing and remove potential read beyond end of packet.

    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    Update handling of timed out session cleanup when the 'same' (IPs/ports) session is picked up midstream.

2007-05-23 Steven Sturges

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.stream5:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/stream5_common.h:
    Update Stream5 to use 65535 << 14 as max allowable value for the 'max_window' option.

    * src/decode.c:
    * src/detect.c:
    * src/snort.c:
    * src/snort.h:
    When checking for IPv6 BSD frag vulnerability, use a pseudo packet with false IPv4 headers for logging purposes rather than writing the IPv4 header within the original packet buffer.

    * src/preprocessors/spp_frag3.c:
    Update to not change original packet buffer when rebuilding fragments with IP options.

    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_rpc_decode.h:
    Update to use the altdecode buffer for normalization.

2007-05-22 Steven Sturges

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Update for 2.7.0.

    * configure.in:
    * src/debug.c:
    * src/debug.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/win32/WIN32-Includes/config.h:
    Check for wchar.h and don't try to use it if not present. Fixes builds on OpenBSD 3.5 and others.

    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/ipv6.c:
    * src/ipv6.h:
    * src/mempool.c:
    * src/parser.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sfxhash.c:
    * src/snort.c:
    Added code to cleanup memory at Snort exit/restart.

    * src/output-plugins/spo_log_tcpdump.c:
    Update to timestamp writing on 64bit platforms.

    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    Update normalization for postfix and sendmail servers that normalize any space except '\n'.

    * src/preprocessors/str_search.c:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/mpse.c:
    Use BNFA, smaller memory footprint for searches from SMTP.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_eo_log.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    Update way in which Body vs URIs are normalized, checked for anomalies and alerted on.

    * src/preprocessors/snort_stream4_udp.c:
    Fix use of ignore_any keyword when dealing with portscan and/or rules that have flow/flowbits.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    Update to timestamp handling and anomaly detection with invalid timestamps on RST packets.

    * src/snort.c:
    * src/snort.h:
    Add --loop option to be used with -r for pcap readback mode.

2007-05-09 Adam Keeton

    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    Added code to prevent URI-related alerts from firing when the body is being normalized.

2007-05-08 Adam Keeton

    * src/preprocessors/HttpInspect/client/hi_client.c:
    Fixed pointer initialization relating to POST normalization.

2007-04-27 Steven Sturges

    * src/decode.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Provide new rule keyword modifier for content option that allows a rule to search for a pattern in the body of an HTTP client request.

    * src/util.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    Update to normalize the body of a client request to allow rules to check specifically for parameters of a POST or GET request. Also add stats that are part of the hourly stats that track various HTTP encodings and normalizations that have occurred.

    * src/preprocessors/spp_stream4.c:
    Fix potential memory leak.

    * doc/README.ipv6:
    Updates for clarity.

    * doc/faq.tex:
    * configure.in:
    Add minimal PCRE version.

    * etc/gen-msg.map:
    * src/decode.c:
    * src/generators.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    Handle TCP window scale option that is > 14. Added decoder alert for this and adjust the scale per RFC 1323 in Stream5.

    * etc/snort.conf:
    Make Stream5 the default stream engine.

    * src/decode.c:
    Add alert for multiple GRE encapsulations.

    * src/ipv6.c:
    Additional structure name changes to avoid conflicts on Win32.

    * src/parser.c:
    Update the maximum number of entries in an IP List to 1024 (was 128). Added ability to configure Timestats interval, default is 3600 seconds (1 hour) when enabled via --enable-timestats.

    * src/snort.c:
    * src/snort.h:
    * src/util.h:
    Revised signal handler for Timestats.

    * src/util.c:
    Update Timestats to include Wifi, GRE, Frag & TCP Stream info. Thanks to Bill Parker for the update.

    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    Update to parsing of icmp rule options for better grammar enforcement.

    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    Specify TCP window of 0 for RST packets that are sent.

    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/sf_dynamic_preproc_lib.c:
    Make Preprocess() function available to dynamic preprocessors. Thanks Vladimir Shcherbakov for the request.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    Code cleanup and a minor reorganization.

    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    Fix truncated buffer when compiled in debug mode.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    Update to track additional stats for TCP session cache and session states.

    * src/preprocessors/spp_perfmonitor.c:
    Fix behaviour of 'accumulate' option.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    Update for 64bit platforms.

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * doc/README.stream5:
    Updates to config validation. Code cleanup for readability. Update TCP Window Scale use and sequence validation to be RFC 1323 compliant. Document min/max values for parameters, etc.
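The window-scale items in the 2007-04-27 entry above (a decoder alert for a shift count greater than 14 and the RFC 1323 adjustment in Stream5) and the 65535 << 14 cap on max_window in the 2007-05-23 entry rest on one rule: RFC 1323 limits the shift to 14 and says a receiver must log a larger value and use 14 instead, which bounds the scaled window at 65535 << 14 = 1073725440. A sensor that honoured a larger shift would compute a different window than the endpoint and could be desynchronised by a crafted SYN. The following C program is an added illustration and is not taken from the Snort sources. It walks the TCP options area, flags an oversized or malformed window-scale option, clamps the shift, and computes the scaled window against that cap. The option byte strings and names are constructed for the example, and no GID/SID for Snort's actual decoder alert is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TCPOPT_EOL        0
#define TCPOPT_NOP        1
#define TCPOPT_WSCALE     3
#define TCP_MAX_WSCALE    14                                  /* RFC 1323 */
#define MAX_SCALED_WINDOW ((uint32_t)65535 << TCP_MAX_WSCALE)  /* 1073725440 */

struct wscale_result {
    int present;     /* a window scale option was found */
    int oversized;   /* shift > 14 seen: the decoder-alert condition */
    int malformed;   /* bad length byte, or option runs past the end */
    uint8_t shift;   /* shift to apply; clamped to 14 when oversized */
};

/* Walks the option bytes that follow the 20-byte fixed TCP header.
 * EOL ends the list, NOP is a single byte, every other option carries a
 * length byte that covers kind, length and data. */
struct wscale_result parse_wscale(const uint8_t *opts, size_t len)
{
    struct wscale_result r = { 0, 0, 0, 0 };
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len) {                 /* kind with no length byte */
            r.malformed = 1;
            break;
        }
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) {   /* cannot advance safely */
            r.malformed = 1;
            break;
        }
        if (kind == TCPOPT_WSCALE) {
            if (olen != 3) {
                r.malformed = 1;
                break;
            }
            uint8_t shift = opts[i + 2];
            r.present = 1;
            if (shift > TCP_MAX_WSCALE) {
                r.oversized = 1;            /* alert, then use 14 */
                shift = TCP_MAX_WSCALE;
            }
            r.shift = shift;
        }
        i += olen;
    }
    return r;
}

/* Window advertised in a segment after applying the negotiated shift.
 * With shift <= 14 the result never exceeds MAX_SCALED_WINDOW. */
uint32_t scaled_window(uint16_t window_field, uint8_t shift)
{
    return (uint32_t)window_field << shift;
}

/* Constructed SYN option strings (not captured traffic): MSS 1460, NOP, then
 * a window scale option with shift 7, with shift 255, or cut short. */
const uint8_t OPTS_NORMAL[]    = { 2, 4, 0x05, 0xB4, 1, 3, 3, 7 };
const uint8_t OPTS_OVERSIZED[] = { 2, 4, 0x05, 0xB4, 1, 3, 3, 0xFF };
const uint8_t OPTS_TRUNCATED[] = { 2, 4, 0x05, 0xB4, 1, 3, 3 };

int main(void)
{
    struct wscale_result n = parse_wscale(OPTS_NORMAL, sizeof OPTS_NORMAL);
    struct wscale_result o = parse_wscale(OPTS_OVERSIZED, sizeof OPTS_OVERSIZED);
    struct wscale_result t = parse_wscale(OPTS_TRUNCATED, sizeof OPTS_TRUNCATED);
    printf("normal:    shift %u, window 65535 -> %lu\n",
           (unsigned)n.shift, (unsigned long)scaled_window(65535, n.shift));
    printf("oversized: alert=%d, clamped shift %u, window 65535 -> %lu (cap %lu)\n",
           o.oversized, (unsigned)o.shift,
           (unsigned long)scaled_window(65535, o.shift), (unsigned long)MAX_SCALED_WINDOW);
    printf("truncated: malformed=%d\n", t.malformed);
    return 0;
}
```

The malformed branch matters as much as the clamp: an option whose length byte runs past the end of the header is the classic way to make a naive option walker read out of bounds, so the parser stops rather than trusting the length.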
2007-04-13 Steven Sturges

    * src/decode.h:
    * src/decode.c:
    * src/ipv6.c:
    Changed structure declaration and usage to not conflict with OpenBSD.

2007-03-28 Steven Sturges

    * rpm/snort.spec:
    Remove smp_flags from spec file to not parallelize building.

    * doc/README.ipv6:
    * etc/gen-msg.map:
    * src/Makefile.am:
    * src/decode.c:
    * src/decode.h:
    * src/generators.h:
    * src/ipv6.c (added):
    * src/ipv6.h (added):
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/win32/WIN32-Prj/snort.dsp:
    Added ability for Snort to track fragmented ICMPv6 to check for the remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).

    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
    * src/plugbase.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/stream_ignore.c:
    * src/profiler.c:
    * src/snort.c:
    Cleanup to use safe snprintf and strncpy functions, check return values of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer bounds checks.

    * src/parser.c:
    Fix issue with printing rule information twice.

    * src/profiler.h:
    * src/preprocessors/spp_flow.c:
    Fix miscalculation of processor time attributable to flow.

    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    Added hasXXX functions for Content, ByteTest, and PCRE.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    Code cleanup to perform bounds checking, validation of memcpy success, remove potential memory leak. Code readability improvements and update DCE endianness checks.

    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    Code cleanup for initialization of memory allocations and add early termination when at end of packet payload.

    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    Code cleanup for initialization of memory allocations and remove dead/unused code for directory and user state tracking.

    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    Code cleanup for initialization of memory allocations, fix normalization to prevent read beyond packet payload. Generate SMTP command overflow even if packet payload doesn't contain complete command (missing LF).

    * src/preprocessors/spp_frag3.c:
    Further update to handle iptables (and other datalink layers) that do not have ethernet headers to be included in rebuilt fragment.

    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Add verification that options for ICMP, TCP, UDP configurations are within reasonable limits. Reorganize reassembly flush initialization. Print list of UDP rules that are effectively ignored with ignore_any_rules option. Update session timeout handling.

    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    Allow use of limit on number of nodes in hash table instead of relying on memcap for limiting sessions.

    * src/bounds.h:
    * src/debug.c:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/sfthreshold.c:
    * src/snort.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_session.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/parser/IpAddrSet.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/flow_print.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfxhash.c:
    Cleanup to use safe snprintf and strncpy functions, check return values of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer bounds checks. Add handling for FatalError not returning for static code analysis tools.

    * src/sfutil/sfthd.c:
    Fix memory leak in global config. Thanks Boris Lytochkin for pointing this out.

2007-02-20 Steven Sturges

    * src/util.c:
    Update copyright date to include 2007.

2007-02-17 Steven Sturges

    * src/parser.c:
    Code cleanup, remove tab characters going to syslog.

    * src/detection-plugins/sp_clientserver.c:
    Handle flow keyword with Stream5 UDP sessions.

    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    Add bounds checking to ReassembleSMBWriteX; use SafeMemcpy for calculated length buffer copies.

2007-02-09 Steven Sturges

    * configure.in:
    Added support for libpcap that depends on libpfring. Thanks to Jason Wallace for the patch. Also updated description as to why libpcap check might fail and what files might be missing, thanks to James Affeld for that suggestion.

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    Update configuration parsing and validation checks and fix issue with static flushpoints not really being static.

    * src/output-plugins/spo_database.c:
    Code cleanup to check that a query was not truncated when using snprintf and guarantee NULL terminated string.
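The SMTP item in the 2007-03-28 entry above (command overflow raised even when the payload lacks the terminating LF) closes an evasion: an attacker can send an oversized command and withhold the line terminator, or split the command across segments, so a checker that only measures complete lines never fires. The C program below is an added illustration, not code from Snort's SMTP preprocessor. It measures the current command line from its start to the LF or, when no LF has arrived, to the end of the data received so far, and compares that against a per-command limit. The command limits, verdict names and sample traffic are constructed for the example and are not Snort's defaults.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum smtp_cmd_verdict {
    SMTP_CMD_OK = 0,        /* complete line within its limit */
    SMTP_CMD_PARTIAL = 1,   /* no LF yet, still within limit: keep buffering */
    SMTP_CMD_OVERFLOW = 2   /* limit exceeded, LF present or not */
};

struct smtp_cmd_limit { const char *verb; size_t max_len; };

/* Illustrative per-command limits with a default for everything else;
 * the numbers are constructed for this example, not Snort's. */
static const struct smtp_cmd_limit CMD_LIMITS[] = {
    { "HELO", 500 }, { "EHLO", 500 }, { "MAIL", 260 }, { "RCPT", 300 }, { "AUTH", 1024 },
};
#define DEFAULT_CMD_MAX 512

/* Uppercases the leading alphabetic verb (at most 4 chars) and looks it up. */
static size_t limit_for(const uint8_t *line, size_t len)
{
    char verb[5] = { 0 };
    size_t i;
    for (i = 0; i < 4 && i < len && isalpha(line[i]); i++)
        verb[i] = (char)toupper(line[i]);
    for (size_t k = 0; k < sizeof CMD_LIMITS / sizeof CMD_LIMITS[0]; k++)
        if (strcmp(verb, CMD_LIMITS[k].verb) == 0)
            return CMD_LIMITS[k].max_len;
    return DEFAULT_CMD_MAX;
}

/* Checks the first command line in buf. Bytes are counted from the line
 * start to the LF; when no LF has arrived, everything received so far
 * counts, so an oversized command with the terminator withheld still
 * trips the check instead of waiting forever for a complete line. */
enum smtp_cmd_verdict smtp_check_command(const uint8_t *buf, size_t len,
                                         size_t *line_len_out)
{
    const uint8_t *lf = memchr(buf, '\n', len);
    size_t line_len = lf ? (size_t)(lf - buf) : len;
    if (lf && line_len > 0 && buf[line_len - 1] == '\r')
        line_len--;                        /* CRLF: do not count the CR */
    if (line_len_out)
        *line_len_out = line_len;
    if (line_len > limit_for(buf, line_len))
        return SMTP_CMD_OVERFLOW;
    return lf ? SMTP_CMD_OK : SMTP_CMD_PARTIAL;
}

/* Constructed RCPT commands, not captured traffic. scenario 0: short, CRLF;
 * 1: 600-byte local part, CRLF; 2: the same oversized command with the CRLF
 * withheld; 3: short command with the CRLF withheld. */
enum smtp_cmd_verdict demo_smtp(int scenario)
{
    uint8_t buf[1024];
    const char *prefix = "RCPT TO:<", *suffix = "@example.test>";
    size_t fill = (scenario == 0 || scenario == 3) ? 20 : 600;
    size_t n = strlen(prefix);
    memcpy(buf, prefix, n);
    memset(buf + n, 'A', fill);
    n += fill;
    memcpy(buf + n, suffix, strlen(suffix));
    n += strlen(suffix);
    if (scenario == 0 || scenario == 1) {
        memcpy(buf + n, "\r\n", 2);
        n += 2;
    }
    return smtp_check_command(buf, n, NULL);
}

int main(void)
{
    static const char *names[] = { "ok", "partial", "overflow" };
    for (int s = 0; s < 4; s++)
        printf("scenario %d: %s\n", s, names[demo_smtp(s)]);
    return 0;
}
```

Scenario 2 is the case the entry describes: the same 623-byte RCPT line is flagged whether or not its LF has been seen, so withholding the terminator buys the attacker nothing.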
2007-02-07 Steven Sturges

    * src/decode.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_stream4.c:
    * src/snort.c:
    * src/tag.c:
    * src/win32/WIN32-Code/misc.c:
    Code & warning cleanup.

    * src/parser.c:
    Add file and line number to an error message. Thanks to rmkml for pointing out the omission.

2007-02-05 Steven Sturges

    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/fpdetect.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/parser/IpAddrSet.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/signature.c:
    * src/snort.c:
    * src/tag.c:
    * src/ubi_BinTree.c:
    * src/util.h:
    More code cleanup, eliminate warnings on Win32 platform.

2007-02-02 Steven Sturges

    * doc/README.stream5:
    Cleanup spelling, etc.

    * src/bounds.h:
    * src/preprocessors/spp_frag3.c:
    Fix issue when Snort is inline using iptables, without either the ipconntrack or NAT modules. This should not occur using the recommended snort inline configuration, since the OS is supposed to handle IP fragment reassembly. The Ethernet header doesn't exist in the packet received by Snort, causing snort to dereference an invalid pointer. Thanks to Panda Software and Joel Ebrahimi for reporting the issue.

    * src/parser.c:
    Fix benign warning when using -E on Win32.

    * src/plugbase.c:
    * src/preprocessors/spp_telnet_negotiation.c (removed):
    * src/preprocessors/spp_telnet_negotiation.h (removed):
    * src/preprocessors/Makefile.am:
    * src/win32/WIN32-Prj/snort.dsp:
    Removed deprecated telnet preprocessor.

    * src/profiler.c:
    * src/profiler.h:
    Added profiling code for 64 bit Intel and PPC platforms.

    * src/decode.h:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/profiler.h:
    * src/sfthreshold.c:
    * src/signature.c:
    * src/snort.c:
    * src/strlcatu.c:
    * src/strlcpyu.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/int-snort/flow_packet.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/getopt_long.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sflsq.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfxhash.c:
    * src/win32/WIN32-Code/misc.c:
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
    Code cleanup, change malloc/calloc to SnortAlloc, use safer functions SnortSnprintf, SnortStrncpy, etc. Check pointers before use.

    * src/win32/WIN32-Code/win32_service.c:
    Fix issue with service initialization and parameter validation. Thanks Hideki Saito for pointing out the problem.

    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    Code cleanup, update calculation of valid length to handle alternate padding. Update to use safer functions.

    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    Allow portscan to work with Stream5 UDP session tracking (because it replaces flow preprocessor). Added API function to get direction of packet (not supported in Stream4).

    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.h:
    Stream5 config parsing improvements. Check option parameters for reasonable values (prevent huge memcaps, etc).

2007-01-29 Steven Sturges

    * src/debug.c:
    * configure.in:
    Handle platforms that don't support vswprintf and vwprintf. Thanks Nikns Siankin for pointing that out for OpenBSD.

    * src/profiler.h:
    * src/profiler.c:
    * src/rules.h:
    Use 64 bit values to store profiling counters.

    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Added a table for content modifiers and links to their respective sections. Removed old preprocessor sections and moved ASN.1 from preprocessor to detection plugins section. Added section for Stream5.

    * src/win32/WIN32-Prj/snort.dsp:
    Always use DYNAMIC_PLUGIN.

    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/LibnetNT.h:
    Code cleanup.

    * src/detection-plugins/sp_flowbits.c:
    * src/preprocessors/spp_stream5.c:
    Fix issue with flowbits for UDP streams.

    * src/detection-plugins/sp_flowbits.c:
    Add check when stream4 or stream5 are not enabled to still support flowbits. Will be removed when Flow preprocessor and Stream4 are deprecated. Thanks to Nathan Ching for pointing out the issue.

    * src/snort.c:
    Fix to allow dynamic rules to load correctly.

    * doc/README.stream4:
    * doc/README.stream5:
    Cleanup.

2007-01-18 Steven Sturges

    * etc/generators:
    * src/generators.h:
    Remove generator IDs that are no longer used.

    * doc/README.tag:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Added info on snort.conf config option tagged_packet_limit and added README.tag info file for the tag option in rules.

    * doc/README.http_inspect:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Emphasized in httpinspect documentation that a flow_depth between 1 and 1460 will only inspect at most that many bytes of a server's response, stream reassembled or not, and that rules written to inspect more than flow_depth bytes will be ineffective. Thanks to Christian Seifert for pointing this out.
2007-01-17 Steven Sturges

    * configure.in:
    * snort.8:
    * RELEASE.NOTES:
    * etc/snort.conf:
    * rpm/snort.spec:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    Update for 2.7.0 Beta.

    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/win32/Makefile.am:
    * src/win32/WIN32-Code/getopt.c:
    * src/win32/WIN32-Code/getopt_long.c:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/getopt.h:
    * src/win32/WIN32-Includes/getopt1.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Prj/.cvsignore:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
    Update Win32 build environment for 2.7.0.

    * doc/README.stream5:
    * doc/README.ftptelnet:
    Fix a few typos and add better descriptions for alerts.

    * etc/gen-msg.map:
    * etc/generators.h:
    Add Stream5 alert.

    * etc/snort.conf:
    * src/preprocessors/spp_frag2.c (removed):
    * src/preprocessors/spp_frag2.h (removed):
    * src/preprocessors/Makefile.am:
    * src/plugbase.c:
    * src/plugbase.h:
    Remove deprecated Frag2.

    * src/sfutil/mwm.c (removed):
    * src/sfutil/mwm.h (removed):
    Remove deprecated mwm pattern matcher.

    * src/detection-plugins/sp_ipoption_check.c:
    * src/decode.h:
    * src/decode.c:
    * src/log.c:
    Add handling of IP Option ESEC (Extended Security).

    * src/debug.h:
    * src/bounds.h:
    * src/fpcreate.h:
    * src/fpdetect.h:
    * src/tag.c:
    * src/detection-plugins/sp_respond2.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/flow/common_defs.h:
    * src/sfutil/bitop_funcs.h:
    Move definition of INLINE for inline functions to a common place.

    * src/debug.c:
    * src/debug.h:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    Add DebugWideMessageFunc for use with Wide Character sets, however it does not write to syslog.

    * src/debug.c:
    * src/decode.c:
    * src/detect.c:
    * src/detect.h:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.h:
    * src/sf_sdlist.c:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/signature.c:
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream_ignore.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/sfutil/util_match.c:
    * src/sfutil/util_net.c:
    Code cleanup, change malloc to calloc, use safer functions SnortAlloc, SnortStrdup. Check pointers before use.

    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
    Added caller usable state tracking to pattern matcher.

    * src/parser.c:
    * src/parser.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    To better handle rule options that are provided by dynamic preprocessors, make 2 passes through snort.conf at startup.

    * src/parser.c:
    * src/snort.c:
    Improve dynamicengine keyword and commandline option to allow for specifying directory or file.

    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/parser.c:
    * src/signature.c:
    * src/signature.h:
    Unify logging to a single code path and add ability to have rule stubs for preprocessor and decoder events.

    * src/snort.c:
    Fix code that looks for .snortrc. Thanks to Benjamin Bennett for pointing out the issue.

    * src/preprocessors/portscan.c:
    * src/preprocessors/spp_sfportscan.c:
    Fix false alert where destination IP was not in range reported by sfportscan alert.

    * src/preprocessors/spp_sfportscan.c:
    Reset threshold checking at end of portscan alerting so that other events generated for packet wouldn't use old value returned from testing portscan thresholding/suppression. Thanks to Andreas Ostling for pointing this out.

    * src/preprocessors/spp_frag3.c:
    Cleanup of GRE code for GRE nested fragments.
* src/preprocessors/spp_stream5.c: * src/preprocessors/Stream5/snort_stream5_icmp.c: * src/preprocessors/Stream5/snort_stream5_icmp.h: * src/preprocessors/Stream5/snort_stream5_session.c: * src/preprocessors/Stream5/snort_stream5_session.h: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/preprocessors/Stream5/snort_stream5_tcp.h: * src/preprocessors/Stream5/snort_stream5_udp.c: * src/preprocessors/Stream5/snort_stream5_udp.h: * src/preprocessors/Stream5/stream5_common.c: * src/preprocessors/Stream5/stream5_common.h: Added memcap for TCP reassembly packet storage. Reduced memory consumption of session tracking data structures. Added target-based reassembly for HPUX 11, HPUX 10.2, Windows 2003, Windows Vista. Added target-based support for processing of TCP timestamps, TCP Resets, and repeated SYN packets. Improved Session cache management. Update flushpoint management. Improved handling of midstream session establishment. Code cleanup to use safe functions for memory allocation. Set tcp policy for both sides of session, rather than by first packet seen, so that target-based reassembly is done correctly for each side. Simplify code handling sessions to ignore. 2007-01-07 Steven Sturges * src/decode.c: * src/decode.h: Fixed issue where GRE decoder was attempting to assign a potentially negative value to an unsigned integer. This value, which would then be positive, was then checked to see if it was less than zero, which would indicate whether the calculated length of the header was greater than the length of the rest of the packet capture. This would always return false and the assumed length of the packet would potentially be larger than the actual length, leading to a potential dereferencing of invalid memory. Thanks to Chris Rohlf for pointing this out. 
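The 2007-01-07 entry above describes a classic signed/unsigned length-check bug. The following is an added illustration written for this page, not Snort's decode.c: the GRE header layout (flags byte with C/K/S bits, 4-byte optional words) follows RFC 2784/2890, but the function names, the `short_gre`/`plain_gre` captures and the return conventions are constructed for the example. The buggy variant stores `caplen - hlen` in an unsigned variable and then tests it for `< 0`, which can never be true; the fixed variant compares before subtracting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRE_HDR_MIN     4u      /* flags/version word (2) + protocol type (2) */
#define GRE_CHKSUM_FLAG 0x80u   /* C bit: checksum + reserved word present */
#define GRE_KEY_FLAG    0x20u   /* K bit: key word present */
#define GRE_SEQ_FLAG    0x10u   /* S bit: sequence number word present */

/* Header length implied by the flags byte (RFC 2784/2890 layout). */
uint32_t gre_hdr_len(uint8_t flags)
{
    uint32_t len = GRE_HDR_MIN;
    if (flags & GRE_CHKSUM_FLAG) len += 4;
    if (flags & GRE_KEY_FLAG)    len += 4;
    if (flags & GRE_SEQ_FLAG)    len += 4;
    return len;
}

/* BUGGY pattern (constructed to mirror the changelog description, not Snort's
 * code): the subtraction wraps in unsigned arithmetic when hlen > caplen, so
 * the "< 0" test is dead code and a huge payload length is returned. Any
 * later read of that many bytes runs past the end of the capture. */
long long gre_payload_len_buggy(const uint8_t *pkt, size_t caplen)
{
    if (caplen < GRE_HDR_MIN)
        return -1;
    uint32_t hlen = gre_hdr_len(pkt[0]);
    uint32_t remaining = (uint32_t)caplen - hlen;   /* wraps when hlen > caplen */
    if (remaining < 0)                              /* always false: unsigned */
        return -1;
    return (long long)remaining;                    /* bogus when it should fail */
}

/* FIXED: compare the computed header length against the captured length
 * before subtracting, so a truncated header is rejected instead of wrapping. */
long long gre_payload_len_fixed(const uint8_t *pkt, size_t caplen)
{
    if (caplen < GRE_HDR_MIN)
        return -1;
    uint32_t hlen = gre_hdr_len(pkt[0]);
    if (hlen > caplen)                              /* header longer than capture */
        return -1;
    return (long long)(caplen - hlen);
}

/* Constructed captures: flags byte, version 0, protocol type 0x0800 (IPv4).
 * short_gre claims C, K and S words but only 4 bytes were captured;
 * plain_gre has no optional words and 16 bytes of payload. */
static const uint8_t short_gre[4]  = { 0xB0, 0x00, 0x08, 0x00 };
static const uint8_t plain_gre[20] = { 0x00, 0x00, 0x08, 0x00 };

int main(void)
{
    printf("short capture: buggy=%lld fixed=%lld\n",
           gre_payload_len_buggy(short_gre, sizeof short_gre),
           gre_payload_len_fixed(short_gre, sizeof short_gre));
    printf("plain capture: buggy=%lld fixed=%lld\n",
           gre_payload_len_buggy(plain_gre, sizeof plain_gre),
           gre_payload_len_fixed(plain_gre, sizeof plain_gre));
    return 0;
}
```

On the 4-byte capture the buggy version returns 4294967284 (2^32 - 12) where the fixed version returns -1; on a well-formed capture both agree. The general lesson is the same for any length arithmetic on packet data: check `need > have` on unsigned values rather than testing a difference for negativity.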
2006-12-04 Steven Sturges * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Configuration validation update. * src/dynamic-preprocessors/dcerpc/dcerpc.c: * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: Additional updates for bounds checking. * src/detection-plugins/sp_isdataat.c: * doc/snort_manual.tex: * doc/snort_manual.pdf: Added an option to specify rawbytes for the buffer. 2006-11-30 Steven Sturges * src/tag.c: Fix logging of tagged packets when -G (event source ID) is used. * src/event.h: * src/snort_packet_header.h: * src/output-plugins/spo_unified.c: Fix unified to work correctly on 64bit platforms. Thanks Nikns Siankin for the report. Nikns provides a patch to barnyard that may be required to use this functionality on 64bit systems. Grab the patch from here: http://secure.lv/~nikns/stuff/barnyard_64bit.diff * src/snort.c: * src/snort.h: Reorganize code for inline fail-open to create pattern matcher rule groups in the thread. * src/util.c: Code cleanup. * src/dynamic-preprocessors/dcerpc/dcerpc.c: * src/dynamic-preprocessors/dcerpc/dcerpc_util.c: * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Fix segfault caused by integer overflow and add additional checks to protect against other underflow/overflow conditions. * src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: Add capability to have multiple application layer preprocessors store data within the stream to better handle autodetection and multi-protocol packets. Fix additional issue with high CPU and reprocessing rebuilt packets that are split across a sequence wrap. 
2006-11-22 Steven Sturges * preprocessors/spp_stream4.c: Fix problem with snort using high CPU and reprocessing the same rebuilt packets at session end or ACK in middle of packet when there are gaps in the packet sequence. 2006-11-16 Andrew Mullican * etc/gen-msg.map: Add DCE/RPC preprocessor alert. 2006-11-07 Steven Sturges * src/dynamic-preprocessors/dcerpc/dcerpc.c: * src/dynamic-preprocessors/dcerpc/dcerpc_config.c: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h: * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: Updates for printing of options and handling of memcap. * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Add print for config option. * src/preprocessors/spp_stream5.c: * src/preprocessors/Stream5/snort_stream5_session.c: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/preprocessors/Stream5/snort_stream5_udp.c: Add UDP session tracking stats. Improved TCP Timestamp handling. Separate MacOS policy from BSD, as they differ slightly. Improved performance of session pruning. * src/snort.c: Updates to inline thread initialization. 2006-10-30 Steven Sturges * src/dynamic-preprocessors/dcerpc/dcerpc.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Fix debug prints. * src/detection-plugins/sp_isdataat.c: Fix problem with this option not being marked as relative when 'relative' is used. This change should've been made with changes for not rechecking non-relative options on 2006-08-16. 2006-10-27 Steven Sturges * src/preprocessors/snort_httpinspect.c: * src/preprocessors/HttpInspect/include/hi_ui_config.h: Output user-selected server profile at startup. * src/parser.c: Detect corrupt files and handle mixed windows and unix line endings. * doc/README.dcerpc: Update description of DCE/RPC auto-detect. 
* src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h: * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h: * src/dynamic-preprocessors/dcerpc/smb_structs.h: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Fix various bugs relating to unicode, ntohs, bounds-checking, and SMB chained AndX commands. * src/dynamic-preprocessors/dcerpc/dcerpc_config.c: Print out memcap and max_frag_size on startup. 2006-10-23 Steven Sturges * doc/snort_manual.tex: * doc/snort_manual.pdf: Updated stream4 documentation in the Snort manual to reflect new UDP options and inline option updates. Corrected error with event_queue parameter - changed max_events to max_queue. * doc/faq.tex: Updated FAQ to reflect disuse of ACID in favor of BASE. Added references to FLoP and Mudpit as output systems for Snort. Added references to two IDS books. * doc/README.decode: Added README file for the Snort decoder. * doc/README.stream4: Made minor changes to language. * etc/snort.conf: Added commented out decoder options with description - enable_decode_oversized_alerts and enable_decode_oversized_drops. * doc/README.http_inspect: * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: Updated tab_uri_delimiter section in document to reflect deprecation. Removed the deprecated tab_uri_delimiter from server profiles since it's redundant with whitespace_chars. * src/preprocessors/snort_httpinspect.c: Allow user-specified ports to override internal defaults. * src/detection-plugins/sp_pattern_match.c: Fix error message with max pattern size. * src/dynamic-preprocessors/dns/spp_dns.c: * src/dynamic-preprocessors/dns/spp_dns.h: Fix spelling of obsolete in macros. * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Fix spelling of DETECT_ANOMALIES macro. * src/profiler.c: Removed tabs from preprocessor stats output. Tabs aren't compliant with syslog RFC. 
* doc/README.ftptelnet: * doc/snort_manual.tex: * doc/snort_manual.pdf: Added documentation on Telnet configuration option detect_anomalies. * src/preprocessors/spp_stream4.c: Fixed potential for infinite loop when only part of a packet being used in reassembly is ACK'd. * src/preprocessors/perf-base.c: Fixed packet count stats when in readback mode. 2006-10-13 Steven Sturges * src/detection-plugins/sp_flowbits.c: Fixed an off-by-one error message that prevented the maximum number of flowbits from being used. Include number of flowbits used in summary of flowbits usage. * src/dynamic-preprocessors/dns/spp_dns.c: * src/dynamic-preprocessors/dns/spp_dns.h: Fix parser to properly error if misconfigured ports. * src/decode.c: * src/decode.h: * src/parser.c: Added new config options "enable_decode_oversized_alerts" and "enable_decode_oversized_drops" to allow alerting on packets with extra bytes at the end of their payload. 2006-10-12 Steven Sturges * doc/snort_manual.tex: * doc/snort_manual.pdf: * RELEASE.NOTES: Prepare for 2.6.1 RC. * configure.in: * src/parser.c: * src/snort.c: * src/snort.h: Start a thread if running in inline mode that passes traffic through once pcap is opened and snort is not ready to start inspection (ie, loading rules, creating pattern matcher, etc). Thread is terminated when snort is ready to process packets. Compiled in via --enable-inline-init-failopen option to configure script. Disable by --disable-inline-init-failopen commandline option or 'config disable_inline_init_failopen' in snort.conf/user.conf in the case that the interface is fail-closed. Requires libpthread. * src/parser.c: Require a sid for every rule. * src/dynamic-preprocessors/ssh/spp_ssh.c: Verifies that the stream preprocessor is enabled. Version string bounds checking now uses the length of the version string versus the length of the entire payload. * src/preprocessors/snort_stream4_udp.c: Update UDP session stats (packet count, start/end time, bytes, etc). 
* doc/README.stream4: * doc/Makefile.am: Finally a description for Stream4. Thanks Todd! * src/parser.c: * src/signature.c: Allow for variable metadata in rule options. Ignore unknown metadata fields. * etc/gen-msg.map: * src/decode.c: * src/generators.h: Added additional TCP length checking and UDP length checking and new decode alerts for anomalous lengths. 2006-10-09 Steven Sturges * src/preprocessors/spp_stream4.c: Fix problem with reassembly of server side traffic. Thanks rmkml and Crusoe Researchers for notifying us of the issue. * src/preprocessors/spp_stream4.c: * src/generators.h: * etc/gen-msg.map: Fix Stream4 to handle duplicate SYN packets by purging existing packets queued for reassembly after the seq of the SYN. Also, properly handle retransmitted data that is overlapping the current packet and when trimmed overlapping the next packet. 2006-10-04 Steven Sturges * src/decode.c: Fixed issue in GRE code where data could potentially be dereferenced past the end of the packet. * src/parser.c: Fix log message. * src/preprocessors/perf-base.c: * src/preprocessors/perf-base.h: * src/preprocessors/snort_stream4_session.c: * src/preprocessors/snort_stream4_session.h: * src/preprocessors/snort_stream4_udp.c: * src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: Add stats tracking for UDP sessions to perfmonitor and stream4's session stats (keepstats option). Update Stream4 to purge UDP session cache on a timeout basis, similar to the way TCP session cache is purged. Remove cache_clean_percent option. * src/dynamic-preprocessors/dcerpc/dcerpc.c: * src/dynamic-preprocessors/dcerpc/dcerpc.h: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h: * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: Fixes for CORE SMB fragmentation. Also, fix for perf-profiling. 
2006-09-27 Steven Sturges * src/preprocessors/snort_stream4_session.c: * src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: * src/sfutil/sfxhash.c: * src/sfutil/sfxhash.h: Fix issue with use of Stream4 cache_clean_percent option that resulted in a segfault when the max session limit was reached. Thanks to Jason Ish for reporting the problem. * src/preprocessors/snort_httpinspect.c: * src/preprocessors/HttpInspect/include/hi_ui_config.h: * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: * doc/README.http_inspect: Split the IIS profile in the HTTP inspect preprocessor into IIS, IIS4, and IIS5_0. IIS 4.0 and IIS 5.0 both support double decoding, but IIS 5.1 and beyond do not. Double decoding alerts are now disabled in the IIS profile, but remain enabled for the IIS 4.0 and IIS 5.0 profiles. Thanks to Pratap Ramamurthy for pointing out that IIS 5.1 does not support double decoding. * src/snort.c: * src/snort.h: * src/util.c: * src/util.h: Fixed issue where iface_ADDRESS variable wasn't getting set before configuration file was read. Now all up interfaces will get a variable created. Note that these will NOT get set if the readmode flag is set. Thanks to Paul Melson for reporting the problem. * src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: Handle reassembly of first packet for midstream pickups (first packet wasn't part of an established session at that point, so some rules might fail). * src/preprocessors/Stream5/snort_stream5_session.c: Fix handling of cache clean by percent. * src/detection-plugins/sp_pattern_match.c: * src/detection-plugins/sp_pattern_match.h: Fix problem with relative options not being marked as relative (for distance/within keywords). 2006-09-21 Steven Sturges * src/generators.h: * src/snort.c: * src/sfutil/bitop_funcs.h: * src/preprocessors/Stream5/snort_stream5_tcp.c: Update for GRE additions and compilation on Win32. * src/preprocessors/spp_stream4.c: Fix issue with alerts missing in DEBUG mode. 
* src/preprocessors/HttpInspect/client/hi_client.c: * src/preprocessors/HttpInspect/include/hi_ui_config.h: Fix signedness issue that caused HttpInspect to miss certain oversized chunk alerts. * src/sfutil/ipobj.c: Fix parsing that prevented multiple IP lists from being parsed correctly. This fixes a problem with sfportscan configuration when 'watch_ip', 'ignore_scanners', and 'ignore_scanned' options are used together. Thanks to Rob Sharp and Husnu Demir for reporting the bug. 2006-09-18 Steven Sturges * configure.in: * doc/INSTALL: * gen-msg.map: * src/decode.c: * src/decode.h: * src/generators.h: * src/snort.c: * src/snort.h: * src/util.c: * src/dynamic-plugins/sf_engine/sf_snort_packet.h: * src/preprocessors/spp_frag3.c: * src/preprocessors/spp_stream4.c: Added support to decode GRE encapsulated traffic. Only IP as transport protocol is supported and only one layer of encapsulation will be decoded - packets with multiple GRE headers will be discarded. Thanks Todd Wease (and welcome to the Snort team!) for this contribution. * configure.in: * doc/README.ARUBA: * doc/Makefile.am: * doc/snort_manual.tex: * src/plugbase.c: * src/output-plugins/Makefile.am: * src/output-plugins/spo_alert_arubaaction.c: * src/output-plugins/spo_alert_arubaaction.h: Added support for communication with an Aruba Networks wireless mobility authentication/access control system. * configure.in: GCC 4.x.x has strict aliasing on by default with optimization level 2. However, Snort uses aliases in a number of places. configure now checks the gcc compiler version for 4 and disables strict aliasing with -fno-strict-aliasing. Thanks to Ronald Henderson and Keith Konecnik for simultaneously (and independently) discovering and reporting this issue. 2006-09-15 Steven Sturges * src/detection-plugins/sp_pattern_match.c: Cleanly fail with content patterns that are > 2048 bytes. 
* src/dynamic-preprocessors/dcerpc/dcerpc.c: * src/dynamic-preprocessors/dcerpc/dcerpc_config.c: * src/dynamic-preprocessors/dcerpc/dcerpc_util.c: * src/dynamic-preprocessors/dcerpc/dcerpc_util.h: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h: Fix memcap to be global. Turn off memcap alerts by default. Add config item to enable alerting on exceeded memcap. * src/sfutil/acsmx2.c: * src/sfutil/acsmx2.h: * src/sfutil/acsmx.c: * src/sfutil/mpse.c: Code cleanup 2006-09-13 Steven Sturges * src/decode.c: * src/decode.h: * src/log.c: * src/log.h: * src/generators.h: * etc/gen-msg.map: Added code to print original datagram for all ICMP error types if alerted on. Fix to print original datagram on alert if original datagram was ICMP. Thanks to John Papapanos for pointing out the above 2 issues. Added additional decoder alerts for ICMP error types. Removed fragtracking of ICMP original datagram - it never made sense since only an ICMP response to the first frag is ever returned. Fixed issue where data and size pointers were not set correctly for ICMP error types. * src/dynamic-preprocessors/ftptelnet/ftpp_si.c: * src/dynamic-preprocessors/ftptelnet/ftpp_si.h: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Remove checks for duplicate alerts within a given session, as this is now handled within the general alerting mechanism and session tracking. * src/parser.c: When a variable was redefined, a call to LogMessage() was missing a parameter. Thanks to Greg Baran for pointing this out. 2006-09-11 Steven Sturges * src/dynamic-preprocessors/dcerpc/dcerpc.c: * src/dynamic-preprocessors/dcerpc/dcerpc.h: * src/dynamic-preprocessors/dcerpc/dcerpc_util.c: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: Fix to remove uses of strlen or wcslen. Properly validate andXOffset. Fix bug in DCE/RPC fragment reassembly. 
2006-09-07 Steven Sturges * src/util.c: Fix output for the USR1 signal when calculating statistics for pcap counts. Keep a tally of packets seen/dropped/etc and use deltas, rather than the 'most recent' value when determining percentages after each USR1 signal. Thanks to Colin Grady for pointing out the issue. * src/parser.c: Allow for a line without an end of line marker in snort.conf. 2006-09-06 Steven Sturges * src/decode.c: * src/detect.c: * src/log.c: * src/snort.c: * src/detection-plugins/sp_respond.c: * src/detection-plugins/sp_respond2.c: * src/preprocessors/spp_frag2.c: * src/preprocessors/spp_frag3.c: * src/preprocessors/spp_stream4.c: * src/preprocessors/Stream5/snort_stream5_tcp.c: Fix memory leak in ascii and cmg output modules. Remove calls to ClearDumpBuf() from related calls PrintIPPkt() and PrintNetData(), as it is no longer needed. 2006-08-31 Steven Sturges * rpm/snort.spec: * etc/snort.conf: Add DNS preprocessor to packaging and config. * doc/Makefile.am: * doc/README.stream5: Add Stream5 README. 2006-08-30 Steven Sturges * src/sfutil/ipobj.c: Additional fix for parsing of IP lists that are not space separated. * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: Treat spaces as part of a filename in 'string' parameter validation. Thanks Bamm Visscher for pointing out the issue. * src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: * src/preprocessors/snort_stream4_session.c: * src/preprocessors/snort_stream4_session.h: Remove the ifdef'd splay tree code for packet and session storage. It has been replaced by a hash table and is no longer needed. 
* src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: * src/preprocessors/stream_api.h: * src/preprocessors/spp_stream5.c: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/preprocessors/Stream5/snort_stream5_tcp.h: * src/preprocessors/Stream5/stream5_common.h: Add a few functions to the Stream API to allow a protocol analyzer to change the reassembly characteristics (direction, flush policy) for an individual session. * configure.in: * doc/Makefile.am: * doc/README.dns: * doc/snort_manual.tex: * doc/snort_manual.pdf: * etc/gen-msg.map: * src/build.h: * src/debug.h: * src/generators.h: * src/dynamic-preprocessors/Makefile.am: * src/dynamic-preprocessors/dns/Makefile.am: * src/dynamic-preprocessors/dns/sf_preproc_info.h: * src/dynamic-preprocessors/dns/spp_dns.c: * src/dynamic-preprocessors/dns/spp_dns.h: Add a dynamic preprocessor to decode and analyze DNS responses over TCP and UDP. The TCP portion is stateful and requires that stream is enabled. 2006-08-29 Steven Sturges * src/detection-plugins/sp_pattern_match.c: Fix unchecked free. Thanks Krzysztof Burghardt for pointing out the problem. * src/sfutil/acsmx2.c: Fixed off by one to sparse index calculation and off by 2 ps increment for SparseBands. 2006-08-24 Steven Sturges * src/fpcreate.c: * src/sfutil/mpse.c: * src/sfutil/Makefile.am: Fix issues with using lowmem. It was reporting an out of memory error. This was broken with the addition of the smaller memory Aho-Corasick pattern matcher. 2006-08-17 Steven Sturges * doc/README.dcerpc: * doc/snort_manual.tex: * doc/snort_manual.pdf: * etc/snort.conf: * src/dynamic-preprocessors/dcerpc/dcerpc_config.c: * src/dynamic-preprocessors/dcerpc/dcerpc_util.h: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h: Change config option max_memory to memcap for DCE/RPC. 
2006-08-16 Steven Sturges * src/rules.h: * src/detection-plugins/sp_asn1.c: * src/detection-plugins/sp_byte_check.c: * src/detection-plugins/sp_byte_jump.c: * src/detection-plugins/sp_pattern_match.c: * src/detection-plugins/sp_pcre.c: Resolve issue with rechecking rule options that follow a content or PCRE that are relative. Only recheck if the next option is relative. Thanks to Randy Smith for pointing out the issue. * configure.in: Enable dynamicplugins by default. Can override with --disable-dynamicplugin. * snort.8: * doc/snort_manual.pdf: * doc/snort_manual.tex: * doc/Makefile.am: * doc/README.ssh: * doc/README.dcerpc: * etc/snort.conf: * src/win32/WIN32-Prj/snort_installer.nsi: Added SSH and DCE/RPC preprocessor sections and description of new command line options. 2006-08-15 Steven Sturges * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp: Remove obsolete file. * src/preprocessors/Stream5/Makefile.am: Update to include header files. * src/preprocessors/Stream5/stream5_common.c: * src/preprocessors/flow/flow_cache.c: * src/sfutil/util_math.c: * src/sfutil/util_math.h: Cleanup Win32 warnings. * src/sfutil/mpse.c: * src/win32/WIN32-Prj/snort.dsp: * src/win32/WIN32-Prj/snort.dsw: Remove references to MWM and sfksearch. 
2006-08-14 Steven Sturges * configure.in: * etc/gen-msg.map: * etc/snort.conf: * src/detection-plugins/sp_flowbits.c: * src/detection-plugins/sp_flowbits.h: * src/dynamic-plugins/sf_dynamic_engine.h: * src/dynamic-plugins/sp_dynamic.c: * src/dynamic-plugins/sp_dynamic.h: * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp: * src/dynamic-preprocessors/Makefile.am: * src/preprocessors/Makefile.am: * src/preprocessors/spp_stream5.c: * src/preprocessors/spp_stream5.h: * src/preprocessors/Stream5/snort_stream5_tcp.c: * src/preprocessors/Stream5/snort_stream5_tcp.h: * src/preprocessors/Stream5/snort_stream5_udp.c: * src/preprocessors/Stream5/snort_stream5_udp.h: * src/preprocessors/Stream5/snort_stream5_icmp.c: * src/preprocessors/Stream5/snort_stream5_icmp.h: * src/preprocessors/Stream5/Makefile.am: * src/preprocessors/stream_api.h: * src/generators.h: * src/plugbase.h: * src/Makefile.am: * src/plugin_enum.h: New target-based Stream module. Moved flow & flowbits to be part of Stream API. 
* src/debug.h: * src/generators.h: * src/preprocids.h: * src/dynamic-preprocessors/Makefile.am: * src/dynamic-preprocessors/dcerpc/Makefile.am: * src/dynamic-preprocessors/dcerpc/dcerpc.c: * src/dynamic-preprocessors/dcerpc/dcerpc.h: * src/dynamic-preprocessors/dcerpc/dcerpc_util.c: * src/dynamic-preprocessors/dcerpc/dcerpc_util.h: * src/dynamic-preprocessors/dcerpc/dcerpc_config.c: * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp: * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c: * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h: * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h: * src/dynamic-preprocessors/dcerpc/smb_file_decode.c: * src/dynamic-preprocessors/dcerpc/smb_file_decode.h: * src/dynamic-preprocessors/dcerpc/smb_file_structs.h: * src/dynamic-preprocessors/dcerpc/smb_structs.h: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c: * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h: * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c: * src/dynamic-preprocessors/dcerpc/spp_dcerpc.h: New dynamic DCE/RPC protocol normalizer. * src/dynamic-preprocessors/Makefile.am: * src/dynamic-preprocessors/ssh/sf_ssh.dsp: * src/dynamic-preprocessors/ssh/Makefile.am: * src/dynamic-preprocessors/ssh/spp_ssh.c: * src/dynamic-preprocessors/ssh/spp_ssh.h: * src/dynamic-preprocessors/ssh/sf_preproc_info.h: New dynamic ssh protocol normalizer. * src/detection-plugins/sp_clientserver.c: * src/preprocessors/Makefile.am: * src/preprocessors/snort_stream4_session.c: * src/preprocessors/snort_stream4_udp.c: * src/preprocessors/snort_stream4_udp.h: * src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: Stream4 UDP session tracking support. Reassembly performance improvements. Add ability to block TCP sessions. * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c: Added RC4 dynamic rule option. 
* src/fpcreate.c: * src/fpcreate.h: * src/fpdetect.c: * src/pcrm.c: * src/sfutil/Makefile.am: * src/sfutil/bnfa_search.c: * src/sfutil/bnfa_search.h: * src/sfutil/mpse.c: * src/sfutil/mpse.h: Added smaller memory consumption pattern matcher. * src/decode.h: * src/fpdetect.c: * src/inline.c: Improved handling for stateless rules. * configure.in: * src/parser.c: * src/parser.h: * src/rules.h: * src/snort.c: * src/snort.h: Remove use of ifdefs for rule state. * src/parser.c: * src/snort.c: * src/snort.h: Add ability to give directory or specific library for dynamic engine. * src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h: * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h: * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: * src/dynamic-preprocessors/ftptelnet/pp_telnet.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Add alerts and normalization for telnet subnegotiation begin that doesn't have a matching end. Could result in an evasion over the FTP command channel. * src/snort.c: * src/snort.h: * src/util.c: Added counter for segments queued for reassembly. * src/snort.c: * src/dynamic-plugins/sf_dynamic_detection.h: * src/dynamic-plugins/sf_dynamic_engine.h: * src/dynamic-plugins/sf_dynamic_plugins.c: * src/dynamic-plugins/sf_dynamic_preprocessor.h: Improved handling of different versions of same shared library. * src/detect.c: * src/dynamic-plugins/sf_engine/bmh.c: * src/dynamic-plugins/sf_engine/bmh.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: * src/dynamic-preprocessors/smtp/smtp_xlink2state.c: * src/dynamic-preprocessors/smtp/snort_smtp.h: * src/output-plugins/spo_alert_fast.c: * src/preprocessors/spp_frag3.c: * src/preprocessors/spp_perfmonitor.c: * src/sfutil/acsmx.c: Code cleanup, 2.6.1 Beta prep. 2006-08-09 Steven Sturges * doc/faq.tex: * doc/faq.pdf: Add information on snort responding to kill signal. 
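The ftptelnet item in the 2006-08-14 entry above (telnet subnegotiation begin with no matching end, usable as an evasion over the FTP command channel) is easiest to see with a small normalizer. The following is an added example for this page and is not Snort's pp_telnet.c: the IAC/SB/SE/WILL..DONT byte values are the standard telnet ones (RFC 854/855), but the function names, the `strict` switch and the sample command stream are constructed here. With `strict == 0` an unterminated IAC SB hides everything that follows it from inspection; with `strict == 1` only the two-byte begin is stripped, the rest of the stream is still normalised, and an alert flag is raised.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Telnet command bytes from RFC 854/855. */
enum { TN_SE = 240, TN_SB = 250, TN_WILL = 251, TN_DONT = 254, TN_IAC = 255 };

/* Strip telnet negotiation from 'in' (n bytes) into 'out' (at least n bytes)
 * and return the normalised length.
 *   strict == 0: an IAC SB with no matching IAC SE swallows the rest of the
 *                buffer, so any FTP command after it is never inspected.
 *   strict == 1: strip only the two-byte IAC SB, keep normalising, and set
 *                *alert so the caller can raise an event for the anomaly. */
size_t telnet_normalize(const uint8_t *in, size_t n, uint8_t *out, int strict, int *alert)
{
    size_t i = 0, o = 0;
    *alert = 0;
    while (i < n) {
        if (in[i] != TN_IAC) { out[o++] = in[i++]; continue; }
        if (i + 1 >= n) { i = n; break; }                 /* dangling IAC: drop it */
        uint8_t cmd = in[i + 1];
        if (cmd == TN_IAC) { out[o++] = TN_IAC; i += 2; continue; }   /* escaped 0xFF byte */
        if (cmd >= TN_WILL && cmd <= TN_DONT) { i += 3; continue; }   /* IAC WILL/WONT/DO/DONT <opt> */
        if (cmd == TN_SB) {
            size_t j = i + 2;                              /* look for the closing IAC SE */
            while (j + 1 < n && !(in[j] == TN_IAC && in[j + 1] == TN_SE))
                j++;
            if (j + 1 < n) { i = j + 2; continue; }        /* well-formed: skip whole block */
            *alert = 1;                                    /* subnegotiation never ends */
            i = strict ? i + 2 : n;                        /* strict: strip just IAC SB */
            continue;
        }
        i += 2;                                            /* any other two-byte IAC command */
    }
    return o;
}

/* Constructed FTP command-channel sample: a normal negotiation, then an
 * IAC SB with no IAC SE in front of the command an IDS should still see. */
static const uint8_t sample[] = {
    'U', 'S', 'E', 'R', ' ', 'a', '\r', '\n',
    TN_IAC, TN_WILL, 24,                      /* IAC WILL TERMINAL-TYPE */
    TN_IAC, TN_SB,                            /* unterminated subnegotiation begin */
    'S', 'I', 'T', 'E', ' ', 'E', 'X', 'E', 'C', ' ', 'x', '\r', '\n'
};

/* Normalise the sample in the given mode and compare with 'expected'. */
int sample_normalizes_to(int strict, const char *expected)
{
    uint8_t out[sizeof sample];
    int alert;
    size_t n = telnet_normalize(sample, sizeof sample, out, strict, &alert);
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

/* 1 if the given mode flags the unterminated subnegotiation. */
int sample_raises_alert(int strict)
{
    uint8_t out[sizeof sample];
    int alert;
    telnet_normalize(sample, sizeof sample, out, strict, &alert);
    return alert;
}

int main(void)
{
    uint8_t out[sizeof sample];
    int alert;
    for (int strict = 0; strict <= 1; strict++) {
        size_t n = telnet_normalize(sample, sizeof sample, out, strict, &alert);
        printf("strict=%d alert=%d normalised=%.*s", strict, alert, (int)n, out);
    }
    return 0;
}
```

In the lax mode the normalised stream stops at "USER a", so a content rule on SITE EXEC never fires even though the FTP server, which simply ignores the stray negotiation bytes, executes the command. The strict mode yields both lines and an alert, which is the behaviour the entry describes.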
2006-08-02 Steven Sturges * src/output-plugins/spo_alert_prelude.c: Update to provide links to Snort classification reference information. Thanks Yoann Vandoorselaere. * src/sfutil/ipobj.c: Fix parsing of IP lists that are not space separated. * src/configure.in: Update for HPUX 11. * src/snort.c: * src/util.c: Fix race condition with daemonization. * src/dynamic-plugins/sf_dynamic_plugins.c: Update for shared library extensions on HP & MAC. Thanks J. Aaron Pendergrass for raising the HP issues and testing. 2006-07-25 Andrew Mullican * src/preprocessors/HttpInspect/client/hi_client.c: Fix to HttpInspect to check for non-RFC whitespace (ie, CR) after URI. * src/preprocessors/spp_frag3.c: Eliminate spurious log messages. 2006-07-20 Steven Sturges * src/dynamic-preprocessors/smtp/snort_smtp.c: * src/dynamic-preprocessors/smtp/snort_smtp.h: No longer require HELO (or EHLO) first in an SMTP conversation. Some servers (such as ArGoSoft) don't require it. * src/dynamic-preprocessors/ftptelnet/pp_telnet.c: Handle normalization when Subnegotiation Begin doesn't have a matching Subnegotiation End command by normalizing just the begin. Thanks to Pratap Ramamurthy for pointing out the potential issue. 2006-07-14 Steven Sturges * src/decode.h: * src/detect.c: * src/fpdetect.c: Handle pass rule that hits a pipelined URI and an alert that matches a secondary pipelined URI. * src/preprocessors/spp_frag3.c: Fix issue with First policy when dealing with whole overlaps. Thanks Russ S for sending in the bug report. * src/preprocessors/spp_stream4.c: Performance improvement for logging tagged packets. Thanks Victor Julien for pointing out the area for improvement. * src/dynamic-preprocessors/smtp/snort_smtp.c: Fix potential access violation. 2006-07-12 Steven Sturges * src/output-plugins/spo_database.c: Update to gracefully disconnect from Oracle DB. Thanks to Nikns Siankin for the patch. * src/output-plugins/spo_csv.c: Fix issue with parsing config other than default. 
* src/decode.c: * src/parser.c: * src/snort.h: * doc/snort_manual.tex: * doc/snort_manual.pdf: Change default inline behaviour to not drop packets with decoder errors, invalid IP & TCP options and invalid checksums. Drop behaviour can be enabled by using new options, noted in the Snort Manual. 2006-06-30 Steven Sturges * schemas/Makefile.am: Add create_db2 script to be included in distro. * src/mstring.c: Address potential read overflow. * src/sfthreshold.c: * src/tag.c: * src/win32/WIN32-Includes/stdint.h: * src/win32/WIN32-Includes/NETINET/IN_SYSTM.h: Code cleanup. * src/snort.c: * src/util.c: Fix issue with daemonization on MAC OSX and parent not exiting cleanly. * src/snort.c: * src/snort.h: * src/util.c: * src/util.h: * snort.8: * doc/snort_manual.tex: * doc/snort_manual.pdf: Provide support for locking the PID file so that no additional snort process is able to start using the same PID file. Can be overridden with --nolock-pidfile. * src/detection-plugins/sp_pattern_match.c: Fix issue with replace option and replaced data always being placed at the beginning of the packet. * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Fix issue with parsing default server configuration on Win32 platform. * src/dynamic-preprocessors/smtp/smtp_config.c: * src/dynamic-preprocessors/smtp/smtp_util.c: * src/dynamic-preprocessors/smtp/smtp_util.h: * src/dynamic-preprocessors/smtp/snort_smtp.c: * src/dynamic-preprocessors/smtp/snort_smtp.h: * src/preprocessors/str_search.c: * src/preprocessors/str_search.h: Fix potential read beyond end of buffer and update configuration to use less memory. * src/preprocessors/spp_stream4.c: Fix reassembly issue. 
* src/preprocessors/snort_httpinspect.c: * src/preprocessors/HttpInspect/client/hi_client.c: * src/preprocessors/HttpInspect/include/hi_ui_config.h: * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c: Handle additional whitespace characters on a per server configured basis. Defaults are to treat Htab (\t, 9), VTab (\v, 11), Form Feed (\f, 12), and CR (\r, 13) as whitespace. * src/sfutil/ipobj.c: Revise IP list parsing code. 2006-05-31 Steven Sturges * src/inline.c: Update to handle signals received when no traffic is flowing when snort is compiled with inline ipq. Thanks Victor Julien for the patch. * configure.in: Fix issue with using postgresql and dynamic plugins. Thanks Nikns Siankin for pointing out the issue. * src/sfutil/ipobj.c: Fix problem when parsing multiple hosts in an IP list. 2006-05-24 Steven Sturges * etc/gen-msg.map: * src/generators.h: * src/preprocessors/spp_stream4.c: Fix potential evasion in Stream4. Thanks Brandon Franklin for the find. * src/snort.c: * src/parser.c: * src/dynamic-plugins/sf_engine/bmh.c: * src/preprocessors/HttpInspect/utils/hi_util_hbm.c: * src/preprocessors/flow/flow_cache.c: * src/preprocessors/flow/portscan/flowps_snort.c: * src/sfutil/acsmx2.c: * src/sfthreshold.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: * src/output-plugins/spo_log_tcpdump.c: * src/preprocessors/spp_perfmonitor.c: * src/preprocessors/spp_sfportscan.c: * src/preprocessors/spp_stream4.c: * src/preprocessors/flow/portscan/server_stats.c: * src/preprocessors/flow/portscan/server_stats.h: Further code review cleanup. Cleanup possible null pointer dereferences, memory leaks, etc. * src/preprocessors/HttpInspect/client/hi_client.c: Fix to HttpInspect to check for non-RFC whitespace (ie, CR) after URI. Thanks to Blake Hartstein for mentioning the problem. 
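The telnet subnegotiation entries above (the 2.6.1 beta prep item that adds alerts and normalization for an IAC SB with no matching IAC SE, and the 2006-07-20 item that normalizes just the begin) describe an evasion on the FTP command channel: a normalizer that treats everything after an unterminated subnegotiation as negotiation data hides the FTP command that follows it from the rules. The C below is an added example written for this page, not Snort's pp_telnet.c; the byte layout follows RFC 854 and the sample buffers are constructed, not captured traffic. It contrasts the swallowing behaviour with one that drops only the two IAC SB bytes, keeps inspecting, and reports the condition so the caller can alert.

```c
/* Added example (not Snort code): telnet negotiation stripping on an FTP
 * command channel, with and without the unterminated-IAC-SB evasion. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { TN_SE = 240, TN_SB = 250, TN_WILL = 251, TN_DONT = 254, TN_IAC = 255 };

/*
 * Copy application bytes from in[0..len) to out, removing telnet commands.
 * IAC IAC is an escaped 0xFF data byte; IAC WILL/WONT/DO/DONT <opt> is 3
 * bytes; any other IAC <cmd> is 2 bytes; IAC SB ... IAC SE is skipped as a
 * unit (honouring IAC IAC inside it). If an IAC SB has no matching IAC SE:
 *   swallow_unterminated != 0: the rest of the buffer is treated as
 *                              negotiation (hides whatever follows);
 *   swallow_unterminated == 0: only the IAC SB bytes are dropped, scanning
 *                              continues, and *unterminated_sb is set so the
 *                              caller can raise an alert.
 * Returns bytes written; out is NUL-terminated when cap allows.
 */
size_t telnet_normalize(const uint8_t *in, size_t len, uint8_t *out, size_t cap,
                        int swallow_unterminated, int *unterminated_sb)
{
    size_t i = 0, o = 0;
    *unterminated_sb = 0;
    while (i < len) {
        if (in[i] != TN_IAC) {                  /* ordinary data byte */
            if (o < cap) out[o++] = in[i];
            i++;
            continue;
        }
        if (i + 1 >= len) {                     /* dangling IAC at end: drop it */
            i = len;
            break;
        }
        uint8_t cmd = in[i + 1];
        if (cmd == TN_IAC) {                    /* escaped 0xFF */
            if (o < cap) out[o++] = TN_IAC;
            i += 2;
        } else if (cmd >= TN_WILL && cmd <= TN_DONT) {
            i = (i + 2 < len) ? i + 3 : len;    /* IAC <WILL..DONT> <option> */
        } else if (cmd == TN_SB) {
            size_t j = i + 2;
            int found = 0;
            while (j < len) {                   /* look for IAC SE */
                if (in[j] != TN_IAC) { j++; continue; }
                if (j + 1 < len && in[j + 1] == TN_SE) { found = 1; break; }
                j += 2;                         /* IAC IAC or stray IAC <cmd> */
            }
            if (found) {
                i = j + 2;
            } else if (swallow_unterminated) {
                i = len;                        /* everything after SB vanishes */
            } else {
                *unterminated_sb = 1;           /* alert; normalize just the begin */
                i += 2;
            }
        } else {
            i += 2;                             /* other two-byte command */
        }
    }
    if (o < cap) out[o] = 0;
    return o;
}

/* Constructed sample: FTP "USER anonymous" preceded by an IAC SB TERMINAL-TYPE
 * (option 24) that is never closed with IAC SE. */
static const uint8_t sample_unterminated_sb[] = {
    255, 250, 24, 'U','S','E','R',' ','a','n','o','n','y','m','o','u','s','\r','\n'
};
/* Constructed sample: a closed subnegotiation containing an escaped 0xFF,
 * then a 3-byte IAC WILL ECHO, then "PASS x". */
static const uint8_t sample_well_formed[] = {
    255, 250, 24, 0, 255, 255, 'V', 255, 240, 255, 251, 1,
    'P','A','S','S',' ','x','\r','\n'
};
/* Constructed sample: an escaped 0xFF in plain data. */
static const uint8_t sample_escaped_iac[] = { 'A', 255, 255, 'B' };

/* 1 if normalizing in[] with the given policy yields exactly `expected`
 * and the unterminated flag equals expect_flag, else 0. */
int normalizes_to(const uint8_t *in, size_t len, int swallow,
                  const char *expected, int expect_flag)
{
    uint8_t out[256];
    int flag;
    size_t n = telnet_normalize(in, len, out, sizeof out, swallow, &flag);
    return n == strlen(expected) && memcmp(out, expected, n) == 0 && flag == expect_flag;
}
```

With swallow_unterminated set, the first sample normalizes to an empty buffer and "USER anonymous" is never seen by the rules; with it clear, the command survives (preceded by the stray option byte) and the flag tells the caller to alert.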
2006-05-17 Steven Sturges * src/detection-plugins/sp_rpc_check.c: * src/dynamic-plugins/sf_engine/bmh.c: * src/dynamic-plugins/sf_engine/bmh.h: * src/preprocessors/spp_sfportscan.c: * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c: * src/preprocessors/HttpInspect/utils/hi_util_hbm.c: * src/sfutil/acsmx.c: * src/sfutil/event_wrapper.c: * src/sfutil/mwm.c: * src/sfutil/sfthd.c: Further code review cleanup. Cleanup possible null pointer dereferences, memory leaks, etc. * src/decode.h: * src/preprocessors/spp_frag2.c: * src/preprocessors/spp_frag3.c: * src/preprocessors/spp_sfportscan.c: * src/preprocessors/spp_stream4.c: Move SPARC_TWIDDLE to common place. 2006-05-12 Steven Sturges * doc/snort_manual.tex: * doc/snort_manual.pdf: * doc/README.sfportscan: Proofreading updates. * src/preprocessors/spp_perfmonitor.c: * src/preprocessors/perf.c: * src/preprocessors/perf.h: Correctly close performance stats file on HUP and exit. * src/snort.c: * src/snort.h: * configure.in: Signal handler updates for SEGV and HUP. Define CATCHSEGV in snort.c to trap segv signals. Can also define NOCOREFILE to prevent snort from leaving a core file on receipt of a segv. * src/parser.c: Fix variable definition parsing code to handle user supplied value if variable isn't defined. Thanks to Jeremey Hewlett for pointing out the problem. * src/snort.c: * src/detection-plugins/sp_session.c: * src/dynamic-preprocessors/ftptelnet/ftpp_si.c: * src/output-plugins/spo_csv.c: * src/output-plugins/spo_unified.c: * src/preprocessors/perf.c: * src/preprocessors/perf.h: * src/preprocessors/spp_frag3.c: * src/preprocessors/spp_perfmonitor.c: * src/preprocessors/spp_stream4.c: * src/preprocessors/HttpInspect/utils/hi_util_kmap.c: * src/sfutil/mwm.c: Further code review cleanup. Cleanup possible null pointer dereferences, memory leaks, etc. 2006-05-01 Steven Sturges * rpm/snort.spec: * etc/snort.conf: Include a default path for the dynamicpreprocessors and engine. 
* src/detect.c: * src/parser.c: * src/pcrm.c: * src/sfthreshold.c: * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c: * src/output-plugins/spo_csv.c: * src/output-plugins/spo_database.c: * src/output-plugins/spo_log_tcpdump.c: * src/output-plugins/spo_unified.c: * src/preprocessors/spp_perfmonitor.c: * src/preprocessors/spp_stream4.c: * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c: * src/preprocessors/HttpInspect/utils/hi_util_kmap.c: * src/preprocessors/flow/flow_cache.c: * src/preprocessors/flow/portscan/server_stats.c: * src/sfutil/ipobj.c: * src/sfutil/mpse.c: * src/sfutil/sfghash.c: * src/sfutil/sfksearch.c: * src/sfutil/sfxhash.c: Code review cleanup. Cleanup possible null pointer dereferences, memory leaks, etc. Thanks to Adam Keeton (and welcome to the project)! 2006-04-27 Steven Sturges * RELEASE.NOTES: Add information about memory consumption with pattern matching engines. * doc/snort_manual.tex: * doc/snort_manual.pdf: Update to list all options for pattern matching and note that Wu-Manber is going to be deprecated. * src/util.c: Update output info to account for packets buffered by pcap but not yet received by snort. Corrected protocol breakdown. * src/output-plugins/spo_database.c: Update to correctly strip timestamp precision for MySQL. Thanks Axton Grams for the patch and Nikns Siankin and Vlatko Kosturjak for testing. Update to handle when interface isn't specified in config or commandline (final initialization done post PCAP initialization). Thanks Jonathan Miner for pointing out the problem. * schemas/create_db2: Updated to include gid in schema and version 107 to match the other schemas. Thanks Vlatko Kosturjak for the update. * src/preprocessors/str_search.c: * src/preprocessors/str_search.h: Fix compilation problems with Sun CC and others that support C99 standard. Thanks Chris Kern for noticing the problem. * src/preprocessors/spp_stream4.c: * src/sfutil/acsmx2.h: Fix compilation problems with Sun CC compiler. 
2006-04-11 Steven Sturges * src/fpdetect.c: * src/profiler.h: * src/rules.h: * src/detection-plugins/sp_flowbits.c: Update rule performance profiling to handle flowbits:noalert option correctly (it is a match even though there wasn't an alert). * src/output-plugins/spo_database.c: Updates to be ANSI SQL compliant. Thanks Vlatko Kosturjak for the updates. * src/preprocessors/spp_stream4.c: Fix incorrectly ignored Reset packets with overlapped/retransmitted data. * src/inline.c: * src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: * src/preprocessors/stream_api.h: Allow retransmitted packets through in inline mode if they have not been ACK'd by other side. 2006-03-29 Steven Sturges * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: Do not check beyond 4 characters for an FTP command. * src/dynamic-preprocessors/smtp/snort_smtp.c: Free SMTP session memory. * src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: Updates to previous checks for duplicate alerts. Better performance. Fix cleanup when stream is flushed. 2006-03-24 Steven Sturges * src/snort.c: Update to fix signal handling issue with libprelude and to disable segv signal handler when compiled for Debug mode. * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Display warnings with configurations that are required for other detection capabilities (ie, normalization is required for ayt threshold and encryption detection). * src/dynamic-preprocessors/smtp/smtp_config.c: Clear default ports if ports are specified. Correctly handle specifying valid commands as invalid. * src/dynamic-preprocessors/smtp/snort_smtp.c: Fix alerts possibly giving incorrect information. Move debug code inside DEBUG ifdef; fix possible SEGV in debug code. Disable detection for to-be-rebuilt packets. * src/preprocessors/spp_frag3.c: Correctly calculate the number of preallocated frags when preallocating based on a memory limit. * configure.in: * src/snort.c: Remove pcap_setnonblock() call. 
Was causing performance problems on certain OSs. Reverts change made with previous checkins. * src/preprocessors/spp_stream4.c: * src/preprocessors/stream.h: * src/preprocessors/stream_api.h: * src/fpdetect.c: Fix potential issue for duplicate alerts on the same data in the original packet and the Stream reassembled packet. * doc/snort_manual.tex: * doc/snort_manual.pdf: Proofreading... 2006-03-15 Steven Sturges * schemas/create_mssql: * schemas/create_mysql: * schemas/create_oracle.sql: * schemas/create_postgresql: Updated to include gid in schemas. Schema version 107. Thanks Nikns Siankin for the updates and all the testing. * src/profiler.h: Add support for AMD processor. Thanks Alex Kirk for trying this out. * configure.in: * src/snort.c: Use pcap_setnonblock() if available to help with snort exiting on SIGTERM (and others) when no traffic is flowing. * src/decode.c: Fix pflog decoding for OpenBSD platforms. * src/dynamic-plugins/sf_engine/Makefile.am: * doc/INSTALL: Updates for FreeBSD 6.x compilation. Thanks Richard Bejtlich for testing. * doc/snort_manual.tex: * doc/snort_manual.pdf: Fixed a few typos and added a warning about the to be deprecated telnet decode preprocessor. 2006-03-07 Steven Sturges * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Fixed potential segfault condition in stateless mode. * src/preprocessors/spp_frag3.c: Added Fatal error messages for unknown config options. * src/snort.c: * src/preprocessors/spp_perfmonitor.c: Code cleanup 2006-03-02 Steven Sturges * configure.in: * src/output-plugins/spo_alert_prelude.c: Additional fixes from Yoann Vandoorselaere. Require libprelude version 0.9.6. * src/preprocessors/spp_perfmonitor.c: Initialize the pcap counters the first time we get a packet. * src/fpdetect.c: Fix leaking of classification info between rules and preprocessor/decoder alerts. 
2006-02-28 Steven Sturges * src/dynamic-preprocessors/Makefile.am: Install required header files when --enable-dynamicplugin used with configure. * src/preprocessors/spp_stream4.c: If ignoring a packet because it is a duplicate (retransmitted), drop it if in inline mode. Original packet was either dropped or passed through. 2006-02-27 Steven Sturges * src/detection-plugins/sp_flowbits.c: Update parsing to handle spaces and correct keyword checking. 2006-02-23 Steven Sturges * src/snort.c: * src/snort.h: * src/fpdetect.c: * src/parser.c: * src/event_queue.h: * doc/README: * doc/snort_manual.tex: * doc/snort_manual.pdf: * snort.8: Changed command line options --flush-all-events to --process-all-events and --alert-on-drop to --treat-drop-as-alert. Updated docs/manpage. * src/output-plugins/spo_unified.c: Fix unified log file rollover to correctly write magic numbers. * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c: Update some comments relative to endianness. * src/dynamic-preprocessors/smtp/snort_smtp.c: * src/dynamic-preprocessors/smtp/spp_smtp.c: Fix issues with SMTP preprocessor causing rules to not fire. Thanks Andy Mullican for the fix. 2006-02-22 Steven Sturges * src/preprocessors/spp_frag3.c: * doc/README.frag3: Added option to preallocate frags based on a memcap (combination of memcap and prealloc_frags options). Perform preallocation post-pcap open because of memory issues with certain versions of pcap. 2006-02-21 Steven Sturges * src/output-plugins/spo_alert_prelude.c: packet_to_data() Standardize AdditionalData field names. Support more packet fields, remove unused one. Send rule revision and TCP/IP options code/value as AdditionalData. Thanks Yoann Vandoorselaere for the updates. event_to_reference() Double check that system->url is not NULL. Support ICMP headers, patch from Andrea Barisani. 
* src/snort.c: * src/snort.h: * src/util.c: Updates to signal handlers to better deal with reentrant issues in syslog and libc. * src/dynamic-plugins/sf_dynamic_plugins.c: Print warning if dynamic library directory doesn't exist or is empty. Thanks Andy Mullican for the fix. 2006-02-20 Steven Sturges * src/sfutil/sfeventq.c: Fix issue when more than max events are added to event queue. * src/parser.c: * src/plugbase.c: * src/plugbase.h: * src/snort.c: * src/output-plugins/spo_unified.c: * src/output-plugins/spo_log_tcpdump.c: Fix issue with output plugins that depend on datalink and snaplen (which are set in OpenPcap). Caused by reordering of initialization on 2006-01-26. Thanks Matt Bedynek and Jeremy Hewlett for the find. 2006-02-17 Steven Sturges * doc/INSTALL: Updated to include current options and added a section for compilation on MAC OSX. * src/signature.c: Strip whitespace from reference system and id. This fixes a reference lookup problem resulting in an invalid URL in case the reference begins with a space character (example: reference: x,y; would fail). Thanks Yoann Vandoorselaere for the patch. 2006-02-16 Steven Sturges * src/preprocessors/spp_frag3.c: Fix IP options handling. Thanks to Vyacheslav Burdjanadze for finding the issue. * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: Fix processing of configuration without options. * src/snort.c: Fix OpenPcap merge issue. 2006-02-15 Steven Sturges * doc/snort_manual.tex: * doc/snort_manual.pdf: Update perfmonitor section. Thanks to Passreality for pointing out the omissions. * src/preprocessors/spp_stream4.c: Only increment memory counter once per allocation. 2006-02-14 Steven Sturges * doc/snort_manual.tex: * doc/snort_manual.pdf: Updates to manual for 2.6.0. * src/win32/WIN32-Prj/snort.dsp: Added missing files. 2006-02-13 Steven Sturges * src/parser.c: Handle longer lines for config. * src/sfutil/acsmx2.c: Change visual name of Aho-Corasick sparse bands. 
* src/preprocessors/spp_frag3.c: When a timeout occurs on a fragmented session, purge the existing fragments and treat it as a new session. Allows for proper defragmentation, per OS target configuration. 2006-02-09 Steven Sturges * src/util.c: Fix -M flag to log Fatal and regular Error messages to syslog as well. Thanks Andy Mullican. * snort.8: * doc/README: * src/snort.c: Add info on additional commandline switches. * src/preprocessors/spp_stream4.c: Fix compilation issue on some platforms. 2006-02-08 Steven Sturges * src/parser.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: Allow default configuration without options. 2006-02-06 Steven Sturges * etc/snort.conf: * src/dynamic-examples/dynamic-preprocessor/Makefile.am: * src/dynamic-examples/dynamic-rule/Makefile.am: * src/dynamic-plugins/sf_engine/Makefile.am: * src/dynamic-preprocessors/ftptelnet/Makefile.am: * src/dynamic-preprocessors/smtp/Makefile.am: Add info to snort.conf on how to load dynamic libraries and update Makefiles to use path similar to that of snort.conf. * src/parser.c: Fixed error message when dynamic token is used. 2006-02-03 Steven Sturges * src/dynamic-examples/dynamic-preprocessor/Makefile.am: * src/dynamic-examples/dynamic-rule/Makefile.am: * src/dynamic-plugins/sf_engine/Makefile.am: * src/dynamic-preprocessors/ftptelnet/Makefile.am: * src/dynamic-preprocessors/smtp/Makefile.am: * src/dynamic-plugins/sf_dynamic_plugins.c: Fix installation directories. * src/preprocessors/Makefile.am: * src/preprocessors/stream_api.h: * src/preprocessors/stream_api.c: Fixes for MacOS X compilation. 2006-02-02 Steven Sturges * src/detect.c: * src/event_queue.c: * src/event_queue.h: * src/fpdetect.c: * src/parser.c: * src/snort.c: * src/snort.h: * src/sfutil/sfeventq.c: Changed rule ordering to better handle drop and pass rules when other alerts trigger on the same packet. Thanks Marc Norton for the changes. 
* src/profiler.c: * src/profiler.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h: Win32 fixes. * src/snort.c: Fix SigHup processing. * src/util.c: Code Cleanup. * src/detection-plugins/sp_pattern_match.c: Return non-zero when search goes out-of-bounds. * src/preprocessors/snort_httpinspect.c: Fix from Chris Sherwin for pipelined requests. * src/preprocessors/spp_frag3.c: Change noisy LogMessage to Debug. 2006-01-30 Steven Sturges * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: * src/dynamic-plugins/sf_engine/sf_snort_packet.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h: Include config.h if required. * configure.in: * src/Makefile.am: * src/dynamic-examples/.cvsignore: * src/dynamic-examples/Makefile.am: * src/dynamic-examples/dynamic-preprocessor/.cvsignore: * src/dynamic-examples/dynamic-preprocessor/Makefile.am: * src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h: * src/dynamic-examples/dynamic-preprocessor/spp_example.c: * src/dynamic-examples/dynamic-rule/.cvsignore: * src/dynamic-examples/dynamic-rule/Makefile.am: * src/dynamic-examples/dynamic-rule/detection_lib_meta.h: * src/dynamic-examples/dynamic-rule/rules.c: * src/dynamic-examples/dynamic-rule/sid109.c: * src/dynamic-examples/dynamic-rule/sid637.c: Added examples for manual of dynamic preprocessor and dynamic rule library. * src/dynamic-preprocessors/ftptelnet/Makefile.am: * src/dynamic-preprocessors/smtp/Makefile.am: More fixes to cleanup. 2006-01-26 Steven Sturges * src/preprocessors/spp_stream4.c: Fixed a few retransmission alerts that are not toggled off by disable_evasion_alerts config. * src/parser.c: * src/snort.c: * src/snort.h: * src/util.c: * src/util.h: Addressed some startup issues when running daemon mode. Configuration is validated prior to daemonizing, therefore if config errors exist, snort will exit, returning error to initialization script/process. 
Parent process doesn't exit until config file is read and a child is forked and has created its pid file. Thanks to Marc Norton and Chris Sherwin for their work on this. Fixed issue with opening pcap prior to reading it from a config file. Thanks Martin Olsson for noting this. * src/dynamic-preprocessors/Makefile.am: * src/dynamic-preprocessors/smtp/Makefile.am: * src/dynamic-preprocessors/ftptelnet/Makefile.am: Fixed builds on FreeBSD. 2006-01-24 Steven Sturges * src/win32/Makefile.am: Win32 Updates. * doc/Makefile.am: Added files. * src/win32/WIN32-Prj/snort.dsp: Removed deprecated src files. * src/win32/WIN32-Prj/snort_installer.nsi: Added dynamic modules, updated version number. 2006-01-23 Steven Sturges * src/preprocessors/spp_flow.c: Fixed error message when parsing flow configuration. * src/snort.c: * src/snort.h: Fixed issue with creating PID files. * src/util.c: Fixed issue with DropStats and unopened pcap. * src/Makefile.am: * src/dynamic-plugins/Makefile.am: * src/dynamic-plugins/sf_engine/Makefile.am: * src/dynamic-preprocessors/Makefile.am: * src/dynamic-preprocessors/smtp/Makefile.am: * src/dynamic-preprocessors/ftptelnet/Makefile.am: * src/sfutil/Makefile.am: Updates to handle make dist and make distcheck. Win32 Updates. 2006-01-20 Steven Sturges * schemas/create_mysql: * src/output-plugins/spo_database.c: Updated to write GID when logging events. Thanks to Graham Keeling for the patch and Kevin Johnson for helping test. * src/snort.c: * doc/README: * snort.8: Added info on new command line options. * src/snort.c: Updated CreatePidFile to use interface name if available when in inline mode (and using a bridging interface). 2006-01-19 Steven Sturges * src/util.c: Updated Timestats to print packet stats per hour and breakdown per protocol. Thanks Bill Parker for the update. To use this feature, use --enable-timestats. * src/sfutil/sfthd.c: Fix parameter ordering in test routine. Thanks Yin Zhaohui for the find. 
* src/detect.c: Fixed DEBUG_WRAP statement. Thanks Yin Zhaohui for pointing this out. 2006-01-19 Steven Sturges * autojunk.sh: * configure.in: Added use of libtool to build dynamically loadable modules, --enable-dynamicplugin. Added performance profiling, --enable-perfprofiling. Added separation of rules being enabled from them appearing in snort.conf, --enable-rulestate. Added pthread linkage, --enable-pthread. * src/win32/WIN32-Prj/snort.dsp: * src/win32/WIN32-Prj/snort.dsw: * src/win32/WIN32-Prj/build_all.dsp: Added dynamically loadable modules and updated workspace for other project files (new preprocessors, DLLs, and utility project to build everything). * RELEASE.NOTES: * doc/Makefile.am: * doc/README: Updated for new files and 2.6.0 release preparation. * doc/README.PerfProfiling: * src/profiler.c: * src/profiler.h: Added performance profiling metrics. Can measure both rules and preprocessor performance. Enable via --enable-perfprofiling. See profiler.h for MACROs to use and various preprocessors for examples. 
* doc/README.SMTP: * src/dynamic-preprocessors/smtp/.cvsignore: * src/dynamic-preprocessors/smtp/Makefile.am: * src/dynamic-preprocessors/smtp/sf_preproc_info.h: * src/dynamic-preprocessors/smtp/sf_smtp.dsp: * src/dynamic-preprocessors/smtp/smtp_config.c: * src/dynamic-preprocessors/smtp/smtp_config.h: * src/dynamic-preprocessors/smtp/smtp_log.c: * src/dynamic-preprocessors/smtp/smtp_log.h: * src/dynamic-preprocessors/smtp/smtp_normalize.c: * src/dynamic-preprocessors/smtp/smtp_normalize.h: * src/dynamic-preprocessors/smtp/smtp_util.c: * src/dynamic-preprocessors/smtp/smtp_util.h: * src/dynamic-preprocessors/smtp/smtp_xlink2state.c: * src/dynamic-preprocessors/smtp/smtp_xlink2state.h: * src/dynamic-preprocessors/smtp/snort_smtp.c: * src/dynamic-preprocessors/smtp/snort_smtp.h: * src/dynamic-preprocessors/smtp/spp_smtp.c: * src/dynamic-preprocessors/smtp/spp_smtp.h: * src/preprocessors/spp_xlink2state.c (removed): * src/preprocessors/spp_xlink2state.h (removed): * src/preprocessors/xlink2state.c (removed): * src/preprocessors/xlink2state.h (removed): Added dynamically loadable SMTP preprocessor. Thanks Andy Mullican for the work and research. Renders xlink2state mini preprocessor defunct. 
* doc/README.ftptelnet: * src/dynamic-preprocessors/ftptelnet/.cvsignore: * src/dynamic-preprocessors/ftptelnet/Makefile.am: * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c: * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h: * src/dynamic-preprocessors/ftptelnet/ftp_client.h: * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c: * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h: * src/dynamic-preprocessors/ftptelnet/ftp_server.h: * src/dynamic-preprocessors/ftptelnet/ftpp_eo.h: * src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h: * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c: * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h: * src/dynamic-preprocessors/ftptelnet/ftpp_include.h: * src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h: * src/dynamic-preprocessors/ftptelnet/ftpp_si.c: * src/dynamic-preprocessors/ftptelnet/ftpp_si.h: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c: * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h: * src/dynamic-preprocessors/ftptelnet/ftpp_util_kmap.h: * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c: * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h: * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c: * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h: * src/dynamic-preprocessors/ftptelnet/pp_ftp.c: * src/dynamic-preprocessors/ftptelnet/pp_ftp.h: * src/dynamic-preprocessors/ftptelnet/pp_telnet.c: * src/dynamic-preprocessors/ftptelnet/pp_telnet.h: * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp: * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h: * 
src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h: * src/preprocessors/spp_telnet_negotiation.c: Added dynamically loadable FTP/Telnet preprocessor. Thanks Steven Sturges for the work and research. Replaces telnet decoder. * doc/README.sfportscan: * src/preprocessors/spp_sfportscan.c: Updated for preprocessor protocol ordering. Added performance measurements. Added ACK scan detection and false positive prevention with sessions picked up midstream and dropped packets. * etc/gen-msg.map: * etc/generators: * src/generators.h: Added generator IDs for new preprocessors. * etc/snort.conf: Added examples for new preprocessors. * src/Makefile.am: Added performance metric modules, new subdirs. * src/build.h: Separated build version from snort.h. * src/debug.h: Added new preprocessors. * src/decode.c: * src/detect.c: Performance measurements of packet decoder, detection, rule evaluation and preprocessors. * src/decode.h: * src/detect.h: Change to use dynamically sized preprocessor array since more than 32 preprocessors may be loaded. * src/inline.c: * src/inline.h: Updated to always set drop flag for packets that are dropped for logging purposes. * src/plugbase.c: * src/plugbase.h: * src/plugin_enum.h: * src/preprocids.h: Support for new preprocessors, added checks to verify preprocessor configuration. Removed deprecated preprocessors. Added cleanup and shutdown functionality for preprocessors. Move preprocessor bitmasks from plugbase.h into preprocids.h. Added protocol stack based ordering of preprocessors, so that IP-layer preprocessors are run before TCP/UDP layer ones. * src/snort.c: * src/snort.h: Added longname option support. Added dynamic module commandline options, see README for details. Updated signal handling and exit/restart code. Switched to using pcap_dispatch from pcap_loop for better control of packet processing. Added performance measurements. Fixed -T flag and commandline help functionality. 
Added -M flag to write messages/warnings to syslog (doesn't write alert data there) when not in daemon mode. * src/tag.c: Put limit on tagging to alleviate overloaded databases that result in every packet being tagged on high bandwidth sensors. Prevents database DoS with tagging rules. * src/util.c: * src/util.h: Fixed issue with reentrant signal handlers. At exit because of signal, snort now logs to snort_exit file instead of syslog. Updated pid file creation when in Inline mode. * src/detection-plugins/Makefile.am: * src/detection-plugins/sp_asn1.c * src/detection-plugins/sp_asn1_detect.c: * src/detection-plugins/sp_asn1_detect.h: * src/detection-plugins/sp_urilen_check.c: * src/detection-plugins/sp_urilen_check.h: Modularized ASN1 detection code. Added URI Length check rule keyword. Thanks to Chris Sherwin for the new functionality. * src/dynamic-plugins/.cvsignore: * src/dynamic-plugins/Makefile.am: * src/dynamic-plugins/sf_dynamic_common.h: * src/dynamic-plugins/sf_dynamic_detection.h: * src/dynamic-plugins/sf_dynamic_engine.h: * src/dynamic-plugins/sf_dynamic_meta.h: * src/dynamic-plugins/sf_dynamic_plugins.c: * src/dynamic-plugins/sf_dynamic_preprocessor.h: * src/dynamic-plugins/sp_dynamic.c: * src/dynamic-plugins/sp_dynamic.h: * src/dynamic-plugins/sp_preprocopt.c: * src/dynamic-plugins/sp_preprocopt.h: * src/dynamic-plugins/sf_engine/.cvsignore: * src/dynamic-plugins/sf_engine/Makefile.am: * src/dynamic-plugins/sf_engine/bmh.c: * src/dynamic-plugins/sf_engine/bmh.h: * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c: * src/dynamic-plugins/sf_engine/sf_snort_packet.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h: * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c: * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c: * 
src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c: * src/win32/WIN32-Prj/sf_engine.dsp: * src/rules.h: Added dynamically loadable rule detection capability. Can write compiled rules that are "blackboxed", yet still loaded at runtime. Thanks Andy Mullican, Steven Sturges and Marc Norton. * src/fpcreate.c: * src/fpcreate.h: * src/fpdetect.c: Performance measurements, added support for dynamic rule detection, and fix issue with non-content rules not being evaluated. * src/parser.c: * src/parser.h: Added dynamic rule and preprocessor parsing, rule state parsing, performance profiling parsing. * src/signature.c: * src/signature.h: Added 'gid' and 'metadata' fields to rules. * src/detection-plugins/sp_pcre.c: Provide ability to turn off PCRE checks via config nopcre. * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c: * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h: * src/dynamic-preprocessors/.cvsignore: * src/dynamic-preprocessors/Makefile.am: * src/dynamic-preprocessors/dynamic_preprocessors.dsp: * src/dynamic-preprocessors/initialize_headers.sh: * src/dynamic-preprocessors/sf_dynamic_initialize/.cvsignore: * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp: Added dynamically loadable preprocessor support. Simplifies development of preprocessors for quicker release of new preprocessor code. Thanks Andy Mullican, Steven Sturges and Marc Norton. * src/preprocessors/perf-base.c: * src/preprocessors/perf-base.h: * src/preprocessors/perf.c: Added metric for inline blocked packets. * src/preprocessors/perf-flow.c: * src/preprocessors/perf-flow.h: Added better performance tracking for flow data for ports under 1024 and those above. * src/preprocessors/portscan.c: Added code to ignore certain ports. Added performance measurements. * src/preprocessors/snort_httpinspect.c: Updated for stream API. Added performance measurements. * src/preprocessors/spp_frag2.c: Updated for preprocessor protocol ordering. 
To be deprecated in next release. Added performance measurements. * src/preprocessors/spp_arpspoof.c: * src/preprocessors/spp_bo.c: * src/preprocessors/spp_flow.c: * src/preprocessors/spp_frag3.c: * src/preprocessors/spp_httpinspect.c: * src/preprocessors/spp_perfmonitor.c: * src/preprocessors/spp_rpc_decode.c: * src/preprocessors/spp_sfportscan.c: Updated for preprocessor protocol ordering. Added performance measurements. * src/preprocessors/Makefile.am: * src/preprocessors/spp_portscan.c (removed): * src/preprocessors/spp_portscan.h (removed): * src/preprocessors/spp_portscan2.c (removed): * src/preprocessors/spp_portscan2.h (removed): * src/preprocessors/spp_conversation.c (removed): * src/preprocessors/spp_conversation.h (removed): Deprecated old portscan preprocessors. * src/preprocessors/str_search.c: * src/preprocessors/str_search.h: Modularized this code for use by the dynamic SMTP preprocessor. * src/detection-plugins/sp_flowbits.c: * src/detection-plugins/sp_flowbits.h: * src/event_wrapper.c: * src/output-plugins/spo_alert_sf_socket.c: * src/output-plugins/spo_log_tcpdump.c: * src/output-plugins/spo_unified.c: * src/preprocessors/stream.h: * src/preprocessors/stream_api.h: * src/preprocessors/stream_ignore.c: * src/preprocessors/stream_ignore.h: * src/preprocessors/snort_stream4_session.c: * src/preprocessors/spp_stream4.c: * src/preprocessors/spp_stream4.h: Added api for Stream4 to help with development of next generation Stream processing. Flowbits are now stored as part of the Stream. Updated output plugins to use Stream api for logging reassembled packets. Added performance measurements. * src/sfutil/Makefile.am: * src/sfutil/getopt.h: * src/sfutil/getopt1.h: * src/sfutil/getopt_long.c: Added longname commandline option support. * src/sfutil/ipobj.c: * src/sfutil/ipobj.h: Updated IP Set to include port sets. * src/sfutil/mpse.c: Added performance measurements. 
    * src/snort_packet_header.h:
    * src/win32/WIN32-Includes/libnet/gnuc.h:
    * src/debug.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/sfutil/bitop.h:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/mwm.h:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/.cvsignore: Misc code cleanup.

2006-01-09 Steven Sturges

    * src/sfutil/mwm.c: Fixed bug with multiple recurring patterns in Wu-Manber implementation. Thanks to Evan Stawnyczy for pointing it out and Marc Norton for the fix.
    * src/parser/IpAddrSet.c: Fixed problem with parsing conf file and rules when DNS is not working. Thanks Martin Olsson for mentioning this and testing the fix.
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf-base.c: Handle wrapping on 64-bit platforms.

2005-11-17 Andrew Mullican

    * src/sfutil/sfxhash.c:
    * src/preprocessors/portscan.c: Add tracker without using bogus data, to avoid internal buffer overrun. Thanks Sandro Poppi for the find.

2005-11-11 Steven Sturges

    * src/snort.c: Allow value of 0 to be used with -G flag.
    * src/preprocessors/spp_bo.c: Code cleanup.
    * src/preprocessors/spp_frag3.c: Fix memory leak and mishandling of IP Options. Thanks Yin Zhaohui for the find.

2005-10-16 Steven Sturges

    * etc/gen-msg.map:
    * etc/snort.conf:
    * src/generators.h:
    * src/preprocessors/spp_bo.c: Fixed potential buffer overflow in BackOrifice preprocessor and added an alert on attempt to overflow buffer in snort. Thanks Andy Mullican for the fix.

2005-10-11 Steven Sturges

    * src/win32/WIN32-Prj/snort_installer.nsi: Updated to mention WinPCAP 3.1 with correct website. Thanks Gianluca Varenni for mentioning the discrepancy.
2005-10-04 Steven Sturges

    * src/win32/WIN32-Libraries/libnet/LibnetNT.lib:
    * src/win32/WIN32-Prj/LibnetNT.dll: Rebuilt and updated LibnetNT linked with WinPCAP 3.1.

2005-09-23 Steven Sturges

    * src/output-plugins/spo_log_database.c:
    * schemas/create_mysql: Fixes to address schema being a keyword in MySQL 5.0. Thanks Wes Young, Adolfo Gomez, and Aleem Mawji for the updates.

2005-09-19 mfr

    * src/output-plugins/spo_log_tcpdump.c: Don't try to actually open the log file when in test mode.

2005-09-19 Steven Sturges

    * src/win32/WIN32-Includes/NETINET/IP.H:
    * src/win32/WIN32-Includes/NETINET/IP_VAR.H:
    * src/win32/WIN32-Includes/libnet/LibnetNT.h: Always use winsock2.h.

2005-09-16 mfr

    * src/snort.c: New command line switch, -K, to explicitly set logging mode. Available arguments are "none", "pcap" and "ascii". Pcap mode is now the default logging mode of Snort. CheckLogDir() is no longer called in IDS mode until after reading in the snort.conf file to prevent unnecessary exiting due to logdir being specified in snort.conf and inadvertently checking for the existence of /var/log/snort.
    * src/util.c: Included CheckLogDir() call in CreatePidFile() on the off chance we have to fall back to using pv.log_dir, which can happen due to the IDS mode logdir check being removed in src/snort.c.
    * src/decode.c: Added check for bad length of TCP SACK option.
    * snort.8: Updated for -K command line switch.
    * doc/README: Updated for new command line options and default logging mode.

2005-09-16 Steven Sturges

    * src/preprocessors/spp_frag3.c: Additional fixes to better handle various targets and extensions to the Shankar/Paxson model. Thanks Judy Novak for all of the OS testing & pcap work.

2005-09-14 Andrew Mullican

    * etc/gen-msg.map:
    * src/generators.h:
    * src/preprocessors/spp_rpc_decode.c: Added new alert on zero-length RPC fragment.
2005-09-14 Steven Sturges

    * src/win32/WIN32-Includes/pcap-namedb.h (removed):
    * src/win32/WIN32-Includes/pcap.h (removed):
    * src/win32/WIN32-Includes/WinPCAP/Devioctl.h:
    * src/win32/WIN32-Includes/WinPCAP/Gnuc.h:
    * src/win32/WIN32-Includes/WinPCAP/Ntddndis.h:
    * src/win32/WIN32-Includes/WinPCAP/Ntddpack.h:
    * src/win32/WIN32-Includes/WinPCAP/Packet32.h:
    * src/win32/WIN32-Includes/WinPCAP/Win32-Extensions.h:
    * src/win32/WIN32-Includes/WinPCAP/bittypes.h:
    * src/win32/WIN32-Includes/WinPCAP/bucket_lookup.h:
    * src/win32/WIN32-Includes/WinPCAP/count_packets.h:
    * src/win32/WIN32-Includes/WinPCAP/ip6_misc.h:
    * src/win32/WIN32-Includes/WinPCAP/memory_t.h:
    * src/win32/WIN32-Includes/WinPCAP/normal_lookup.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-bpf.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-int.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-stdinc.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap.h:
    * src/win32/WIN32-Includes/WinPCAP/pthread.h:
    * src/win32/WIN32-Includes/WinPCAP/remote-ext.h:
    * src/win32/WIN32-Includes/WinPCAP/sched.h:
    * src/win32/WIN32-Includes/WinPCAP/semaphore.h:
    * src/win32/WIN32-Includes/WinPCAP/tcp_session.h:
    * src/win32/WIN32-Includes/WinPCAP/time_calls.h:
    * src/win32/WIN32-Includes/WinPCAP/tme.h:
    * src/win32/WIN32-Includes/mysql/Libmysql.def (removed):
    * src/win32/WIN32-Includes/mysql/config-netware.h:
    * src/win32/WIN32-Includes/mysql/config-os2.h:
    * src/win32/WIN32-Includes/mysql/config-win.h:
    * src/win32/WIN32-Includes/mysql/dbug.h (removed):
    * src/win32/WIN32-Includes/mysql/errmsg.h:
    * src/win32/WIN32-Includes/mysql/libmysql.def:
    * src/win32/WIN32-Includes/mysql/libmysqld.def:
    * src/win32/WIN32-Includes/mysql/m_ctype.h:
    * src/win32/WIN32-Includes/mysql/m_string.h:
    * src/win32/WIN32-Includes/mysql/my_alloc.h:
    * src/win32/WIN32-Includes/mysql/my_dbug.h:
    * src/win32/WIN32-Includes/mysql/my_getopt.h:
    * src/win32/WIN32-Includes/mysql/my_global.h:
    * src/win32/WIN32-Includes/mysql/my_list.h:
    * src/win32/WIN32-Includes/mysql/my_pthread.h:
    * src/win32/WIN32-Includes/mysql/my_sys.h:
    * src/win32/WIN32-Includes/mysql/mysql.h:
    * src/win32/WIN32-Includes/mysql/mysql_com.h:
    * src/win32/WIN32-Includes/mysql/mysql_embed.h:
    * src/win32/WIN32-Includes/mysql/mysql_time.h:
    * src/win32/WIN32-Includes/mysql/mysql_version.h:
    * src/win32/WIN32-Includes/mysql/mysqld_error.h:
    * src/win32/WIN32-Includes/mysql/raid.h:
    * src/win32/WIN32-Includes/mysql/typelib.h:
    * src/win32/WIN32-Libraries/Packet.lib:
    * src/win32/WIN32-Libraries/wpcap.lib:
    * src/win32/WIN32-Libraries/mysql/mysqlclient.lib:
    * src/win32/WIN32-Prj/snort.dsp: Updated to use WinPCAP 3.1 and MySql client 4.13. Preparation for Snort 2.4.1 release on Win32.

2005-09-14 Steven Sturges

    * src/snort.c: Mark -z option as to be deprecated.
    * src/preprocessors/spp_frag3.c: Fix issue with Teardrop alerts introduced with last update.

2005-09-01 Steven Sturges

    * src/decode.c:
    * src/decode.h: Fix snort decoder to correctly handle PPP over Ethernet decoding. Thanks Aristeu Gil Alves Jr for the pcap.
    * src/snort.c:
    * src/util.c:
    * configure.in: Added patch for time stats from Bill Parker. Enable with configure --enable-timestats.
    * src/snort.c: Do not allow -T (test mode) & -D (daemonize) together.
    * src/preprocessors/spp_frag3.c: Fix issue with Teardrop alerts.
    * src/preprocessors/spp_portscan.c:
    * src/preprocessors/spp_portscan2.c: Add deprecation warning. These will be deprecated in the next snort build.

2005-08-31 Steven Sturges

    * src/snort.c:
    * src/decode.c:
    * src/decode.h: Added decoder for IPEnc for Open BSD. Thanks Jason Ish for the patch (long time ago) and Chris Kuethe for reraising the issue.
    * src/snort.c: Allow snort to use usernames (-u) and groupnames (-g) that include numbers. Thanks to Shaick for the patch.

2005-08-29 Steven Sturges

    * src/preprocessors/spp_sfportscan.c:
    * etc/snort.conf:
    * doc/README.sfportscan: Change ip_proto to ip for portscan configuration. Thanks David Bianco for pointing this out and Andy Mullican for the updates.
    * src/snort.c: Fix broken -T option. Thanks Andy Mullican for the fix.
    * src/output-plugins/spo_alert_prelude.c: Fix for prelude initialization. Thanks Yoann Vandoorselaere for the update.
    * src/preprocessors/spp_frag3.c:
    * doc/README.frag3: Update to address Solaris reassembly issues. Update README to include info about new target-based policy.

2005-08-23 Steven Sturges

    * src/preprocessors/spp_frag3.c: Resolve some issues with handling of overlap conditions, multiple fragments with MoreFrags bit not set, and added target based policies for windows and solaris (since they are actually different in certain cases).
    * src/preprocessors/stream.h: Added data structure padding to fix issues with 64bit Solaris.
    * src/log.c: Fix problem in sniffer mode when incomplete TCP option data is received. Thanks A Hernandez for the find.
    * src/decode.c: Set the source & dest ports used for logging before doing checksum verification. If invalid checksum, ports will be logged (even though they may be invalid). Wrapped alerts for same src/dst and loopback in mode==IDS & decoder alert checks.
    * src/plugbase.h: Use hex values for preprocessor bitmask constants instead of the decimal equivalent.
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_byte_check.c: Allow for signed offset values to handle negative offset in rules. Fixes potential issue on 64-bit architectures.
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h: For content matches, when subsequent rule options fail, start searching again in correct location instead of again at end of the currently found pattern.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_xlink2state.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/xlink2state.c:
    * src/sfutil/asn1.c:
    * src/sfutil/mpse.h:
    * src/plugbase.c:
    * src/snort.c: Code/compiler warning cleanup.

2005-08-15 Steven Sturges

    * src/decode.c:
    * src/win32/WIN32-Includes/NETINET/IN_SYSTM.H: Updated Win32 to handle pflog patch.

2005-08-15 Steven Sturges

    * src/output-plugins/spo_alert_prelude.c:
    * etc/snort.conf: Fix GCC4 warning, make the arguments parser more robust and less fault tolerant. Correct parsing of IDMEF severity mapping. Don't try to initialize Prelude support when 'output alert_prelude' is not specified. Removed deprecated documentation from the conf file. Thanks Yoann Vandoorselaere for the updates.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/stream.h: Fixed problem on Solaris when reassembling at exit. Thanks Andrew Rucker Jones for identifying the issue.
    * src/decode.c:
    * src/decode.h:
    * src/snort.c: Added support for new OpenBSD pflog format. Older pflog format, OpenBSD 3.3 and earlier, is still supported. Thanks Breno Leitao and Christian Reis for the patch.
    * src/decode.c:
    * src/decode.h:
    * src/util.c: Added statistics counter for ETH_LOOPBACK packets. Thanks rmkml for the patch.

2005-07-29 mfr

    * rpm/snort.spec: Fix epoch inclusion for RPM generation.

2005-07-29 Steven Sturges

    * src/preprocessors/spp_stream4.c: Fixed debug prints for new flush behavior changes.
    * src/detection-plugins/sp_pattern_match.c: Added checks to ensure some syntax correctness for content rules. Thanks Erik de Castro Lopo for the patch.
2005-07-27 mfr

    * etc/snort.conf: Changed snort.conf to reflect flush_behavior changes.

2005-07-24 mfr

    * src/preprocessors/spp_stream4.c: Fix parsing problem in the flush_behavior config directive.
    * etc/snort.conf: Turn perfmonitor off by default.

2005-07-22 Steven Sturges

    * src/preprocessors/spp_stream4.c: Changed flush_behavior to use names instead of numeric value. New behavior names are 'default', 'large_window', and 'random'.

2005-07-22 Steven Sturges

    * src/win32/WIN32-Includes/config.h: Changed Snort version number.
    * src/detection-plugins/sp_pattern_match.c: Fixed error message for replace.

2005-07-22 mfr

    * src/preprocessors/HttpInspect/client/Makefile.am:
    * src/preprocessors/HttpInspect/event_output/Makefile.am: More cleanup.

2005-07-22 mfr

    * src/preprocessors/HttpInspect/anomaly_detection/Makefile.am:
    * src/preprocessors/HttpInspect/mode_inspection/Makefile.am:
    * src/preprocessors/HttpInspect/normalization/Makefile.am:
    * src/preprocessors/HttpInspect/server/Makefile.am:
    * src/preprocessors/HttpInspect/session_inspection/Makefile.am:
    * src/preprocessors/HttpInspect/user_interface/Makefile.am:
    * src/preprocessors/HttpInspect/utils/Makefile.am: Remove references to files in other directories.

2005-07-22 mfr

    * rpm/snort.spec: Fix up the spec file to reflect new method of rules distribution.

2005-07-22 mfr

    * configure.in: Fix PostgreSQL support.

2005-07-21 mfr

    * src/snort.h: Bump build number.

2005-07-21 mfr

    * rpm/snort.spec:
    * rpm/generate-all-rpms: Setup for 2.4.0 release, removed inline build option from RPM generation for the time being.
    * configure.in:
    * Makefile.am:
    * doc/Makefile.am: Updated for 2.4.0 release to remove references to sig docs and rules, which are now external to the distro.
    * etc/snort.conf: Updated snort.conf for 2.4 release.

2005-07-20 mfr

    * autojunk.sh: Added --copy switch to automake call, patch from Jeff Nathan.
    * configure.in: Added maintainer mode call to prevent endless configure reruns.
      From Jeff Nathan.

2005-07-20 Steven Sturges

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c: Improved file handling of perfmon stats file rollover.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h: Provided ability to use 2 sets of static flushpoints as well as random flushpoints for reassembly. Thanks Jason Brvenik for the patch.
    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/snort.c:
    * src/snort.h: Added code to process unflushed Streams at snort exit and when stream is purged from cache because of memory issues.
    * src/preprocessors/spp_telnet_negotiation.c: Small fix for normalization of subnegotiation options.

2005-07-19 mfr

    * doc/BUGS: Updated BUGS file for 2.4 release.
    * configure.in: Added PostgreSQL fixes and exit code patch from Javier Fernandez-Sanguino Pena.

2005-07-18 mfr

    * doc/README: Updated the README file to reflect the current version of Snort and command line switches that are available (and the ones that no longer are available as well...).

2005-07-11 Steven Sturges

    * src/detection-plugins/sp_byte_jump.c: Fixed log message.
    * src/log.c: Convert ICMP Router Advertisement time to host byte order before printing.
    * src/snort.c:
    * src/snort.h:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
    * src/preprocessors/spp_perfmonitor.c: Use signal to roll over perf stats file without having to restart snort. Thanks Andrew Mullican for the patch.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/spp_frag3.c: Performance update for Frag3. Also added stats fields to Perfmon for Frag3.
    * src/sfutil/mwm.c: Fix to handle multiple instances (different case) of the same pattern when the matching one occurs later than the others.
    * src/snort.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_prelude.h: Fix to handle heartbeat and pthread issues with Prelude.
      Thanks Yoann Vandoorselaere for the patch.
    * src/sfutil/mwm.c:
    * src/preprocessor/spp_sfportscan.c:
    * src/preprocessor/HttpInspect/normalization/hi_norm.c: Data initialization fixes. Thanks Yoann Vandoorselaere for the patch.
    * src/output-plugins/spo_database.c: Update for Oracle output. Thanks Joel Esler for the fix.
    * src/output-plugins/spo_unified.c: Provide additional reliability for NT_SPECIAL_OUTPUT. Thanks Eric Lauzon for the fix.

2005-06-10 Jeremy Hewlett

    * src/output-plugins/spo_alert_prelude.c: Handle case when Packet pointer is NULL for Portscan alerts.
    * src/preprocessors/spp_frag3.c:
    * src/decode.c: Fixed processing of fragmented UDP traffic.

2005-05-20 Jeremy Hewlett

    * src/preprocessors/spp_perfmonitor.c: Fixed misprinted filename (mnorton).
    * src/snort.c: Allow -T flag when MUST_SPECIFY_DEVICE is enabled (mnorton).

2005-05-19 Jeremy Hewlett

    * src/parser/IpAddrSet.c: Fixed problem with parsing IP addresses of 255.255.255.255 for rules (ssturges).

2005-05-18 Jeremy Hewlett

    * src/decode.h:
    * src/decode.c:
    * src/generators.h:
    * src/preprocessors/spp_frag3.c: Added processing of IP Options in fragmented packets (ssturges). Thanks Brice Cotte for getting us discussing this topic.
    * src/preprocessors/snort_stream4_session.c: Fixed potential memory corruption (ssturges).

2005-05-09 Jeremy Hewlett

    * src/parser.c: Increase limit on number of rule options to 256 (was 64). Report error if limit is reached; previously, extra options were ignored. Also increased max line length to 4096 chars, from 1024.

2005-05-09 Andrew Mullican

    * src/preprocessors/xlink2state.c: Bugfix for PowerPC architecture.

2005-05-05 Jeremy Hewlett

    * src/preprocessors/perf-base.c: Updated to better match true on the wire and user data values (Marc Norton).

2005-04-28 Jeremy Hewlett

    * src/snort.c: Added check for MUST_SPECIFY_DEVICE #ifdef, which if used, requires either a -i or -r commandline switch to start snort. If not used, current behavior remains (Marc Norton).
    * autojunk.sh:
    * configure.in:
    * Makefile.am:
    * etc/snort.conf:
    * m4/libprelude.m4:
    * m4/Makefile.am:
    * src/plugbase.c:
    * src/output-plugins/Makefile.am:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_prelude.h: Added support for prelude, enable with --enable-prelude. Thanks Yoann Vandoorselaere!

2005-04-26 Jeremy Hewlett

    * src/parser/IpAddrSet.c: Fixed Snort not resolving hostnames that start with a numeric and also parsing of invalid CIDR blocks (Daniel Cid).
    * src/plugbase.c:
    * src/plugbase.h: Remove unused functions str2s, hex2s, and int2s (Andy Mullican). Thanks Jeff Nathan for pointing this out.
    * src/preprocessors/spp_rpc_decode.c: Ignore multiple rpc requests if in a rebuilt packet (Thanks Andy Mullican).
    * src/inline.c: File descriptor clean up from Will Metcalf.

2005-04-22 Andrew Mullican

    * etc/gen-msg.map:
    * src/generators.h:
    * src/plugbase.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream4.h:
    * src/preprocessors/spp_xlink2state.c:
    * src/preprocessors/spp_xlink2state.h:
    * src/preprocessors/xlink2state.c:
    * src/preprocessors/xlink2state.h:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h: Added xlink2state mini-preprocessor to catch MS Exchange buffer X-Link2State data overflow.

2005-04-11 Jeremy Hewlett

    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c: Fixed error messages in byte_jump & byte_test rule options (Marc Norton).
    * detection_plugins/sp_byte_jump.c: Fixed issue with 'multiplier' option. It is now being done before the 'align' option. This helps with rules that look at SMB traffic (Steve Sturges).
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream4.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * etc/snort.conf: Performance improvements to Flow & Stream4 session management. Also added limit to number of active sessions for Stream4, default of 8192. Old memcap value now only applies to packets stored for reassembly. Configure using preprocessor stream4: max_sessions 16384 in snort.conf (Steve Sturges).
    * src/preprocessor/spp_perfmonitor.c:
    * src/preprocessor/spp_perfmonitor.h:
    * src/snort.c: Added -Z flag to set full path name to PerfMonitor stats file. This will override the file or snortfile configuration option (Marc Norton).

2005-04-05 Jeremy Hewlett

    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/output-plugins/spo_unified.c: Added a -G flag that specifies an instance identifier for the event logs. Can be used when running multiple instances of snort, either on different CPUs or on same CPU but different interface. Each snort instance will use the value specified to generate unique event ids. Can specify either a decimal value (-G 1) or hex value preceded by 0x (-G 0x11). Thanks Steve Sturges.
    * src/decode.h:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c: Fix to remove unnecessary ICMP echo extension, and update output plugins to use ICMP header info. Thanks Kevin Douglas for finding this and Andrew Mullican for the fix.
    * src/decode.h:
    * src/detect.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * etc/snort.conf: Add option to Stream4 to limit server-side inspection for improved performance. Similar to HttpInspect's flow-depth, this option limits rule-inspection of server traffic to the set number of bytes (in 1 or more packets) until another client request is seen.
      Thanks Steve Sturges & Marc Norton.
    * src/plugbase.c: Fix issue generating ascii strings. Thanks Sandro Poppi for the fix.

2005-04-01 Jeremy Hewlett

    * src/preprocessors/spp_sfportscan.c: Additional fixes for suppression issue with sfPortscan and Open Ports. Fix for packets logged with bogus ip lengths (related to Open Port alerts). Thanks Andy Mullican.

2005-03-25 Jeremy Hewlett

    * src/output-plugins/spo_alert_syslog.c:
    * src/snort.c: Add snort's PID to syslog. Thanks Steve Sturges.
    * src/preprocessors/spp_stream4.c: Added to default ports in Stream4 and cleaned up Stream4 configuration processing. Thanks Steve Sturges.
    * src/preprocessors/spp_frag3.c: Added packet dump (debug only) to Frag3. Patch from Steve Sturges.
    * src/sfthreshold.c: Added detail to config error messages for thresholding. Patch from Steve Sturges.
    * src/fpdetect.c:
    * src/plugbase.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/preprocessors/spp_sfportscan.c: Code cleanup (general), thanks Steve Sturges.
    * rpm/snort.org.spec:
    * rpm/snort.logrotate: Added schemas to distro, and 'sharedscripts' to logrotate. General clean up of spec file. Thanks Josh Kelley for pointing this out.

2005-03-25 Jeremy Hewlett

    * src/preprocessors/spp_sfportscan.c: Fixed suppression issue with sfPortscan and Open Ports. Patch from Andy Mullican.

2005-03-15 Jeremy Hewlett

    * src/decode.c:
    * src/parser/IpAddrSet.c:
    * src/parser/IpAddrSet.h:
    * src/preprocessors/spp_frag3.c:
    * etc/generators: Updates/Fixes to Frag3 IP reassembler (thanks ssturges):
      1) Push first fragmented UDP packet through, but do not inspect other fragmented packets (until rebuilt).
      2) Printing of Configuration Info.
      3) Code readability.
    * src/parser.c: Removal of comment parsing code added for 2.3.1.
    * src/decode.c:
    * src/generators.h: Added support for detection of Loopback & Same src/dest attacks in the packet decoder. This obsoletes sids 527, 528. Thanks Marc Norton for the feature.
    * src/detection-plugins/Makefile.am:
    * src/plugbase.c:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_ftpbounce.h: Added FTP Bounce detection Plugin. Thanks Steve Sturges.
    * src/detection-plugins/sp_flowbits.c: Increased Flowbits hash table size. Thanks Marc Norton.
    * src/fpcreate.c: Performance improvement in pattern matcher from Marc Norton.
    * src/decode.c:
    * src/decode.h:
    * src/fpdetect.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/snort.c:
    * src/snort.h: Eliminate duplicate alerts on Rebuilt Streams/IP reassembled packets. Patch from Andy Mullican and Steve Sturges.
    * src/preprocessors/portscan.c:
    * src/preprocessors/sfportscan.c:
    * doc/README.sfportscan:
    * etc/generators:
    * etc/gen-msg.map: Added handling of midstream sessions in portscan preprocessors. Thanks Andy Mullican.
    * src/generators.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/ubi_BinTree.c:
    * src/ubi_BinTree.h:
    * src/ubi_SplayTree.c:
    * src/ubi_SplayTree.h:
    * etc/gen-msg.map:
    * etc/snort.conf: Stream4 fixes - Handle PAWS, NULL TCP Flags in established session, limit overlaps in established session, update ACK when server sends RST. Performance changes for cleaning up session cache. Thanks Steve Sturges and Andy Mullican for the patches.
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * doc/README.http_inspect: Added uri_tab_delimiter option to HttpInspect. Patch from Andy Mullican.
    * src/preprocessors/perf-base.c: Updates to PerfMon to handle multiple CPUs properly. Thanks Steve Sturges.
    * src/preprocessors/spp_telnet_negotiation.c: Fixed telnet decoder bug when ignoring Sub-negotiation end command. Thanks Steve Sturges.
2005-03-08 Jeremy Hewlett

    * src/preprocessors/spp_flow.c:
    * src/detection-plugins/sp_flowbits.c: Increased number of flowbits (mnorton).

2005-03-08 Steven Sturges

    * src/parser.c: Fixed parsing of comments at end of line in config file. In snort.conf, anything that follows a # on a line is considered a comment.

2005-03-04 Jeremy Hewlett

    * src/preprocessors/spp_sfportscan.c: Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX. Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and Jonathan Miner for working with us on this.

2005-01-28 Jeremy Hewlett

    * src/decode.c:
    * src/decode.h:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/sfthreshold.c: Fixed compiler warnings and code formatting (tabs to spaces).

2005-01-20 Andrew Mullican

    * src/generators.h:
    * src/preprocessors/spp_bo.c: Added 2 BackOrifice alerts (1 client, 1 server) so that some alerts can be suppressed.

2005-01-18 Steven Sturges

    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/snort.c: Change to verify that preprocessors have sufficient configuration data to correctly operate.
    * src/preprocessors/spp_frag3.c: Fixes to Frag3 to only have one instance of preprocessor. Uses policy context internally based on destination address of packet. Previously, each Frag3 Policy would result in a separate preprocessor instance. Also fixed use of ttl_limit option.

2005-01-18 Andrew Mullican

    * src/decode.c:
    * src/decode.h:
    * src/parser.c: Added ability to ignore packets based on port. Syntax in snort.conf is config ignore_ports: where list of ports can also include port ranges (ports separated by :).
2005-01-17 Steven Sturges

    * src/inline.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/sfprocpidstats.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c: Performance fixes to get correct 'on-the-wire' statistics. Added 'atexitonly' option for perfmonitor that results in performance stats only being dumped when snort exits, rather than periodically throughout snort's lifetime.

2005-01-13 Steven Sturges

    * src/preprocessors/spp_frag3.c: Fixed parsing of frag3 options to use space delimited options to handle IP address lists correctly.
    * etc/snort.conf: Updated example options for frag3.

2005-01-13 Marc Norton

    * src/preprocessors/spp_sfportscan.c: Fixed arithmetic to correctly set the ip packet length in the ip header prior to writing the portscan info to the packet. Thanks Jon Hart for the test case and finding the bug.

2004-12-23 Steven Sturges

    * src/detect.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfthreshold.c:
    * src/snort.c:
    * src/util.c:
    * src/util.h:
    * src/sfutil/Makefile.am:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfsnprintfappend.h: Fixed problem with logging that appeared in Snort 2.3.0 RC2, where single lines were broken up when sent to syslog. Thanks Sekure for pointing out the problem with thresholding.
    * src/sfthreshold.c: Fixed xatou function to check for non-digit parameter. Thanks nnposter for submitting a patch!

2004-12-20 Jeremy Hewlett

    * src/decode.h:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Includes/syslog.h: Reduces the number of warnings on MingW/gcc.
      Thanks Gisle Vanem for the patch!

2004-12-17 Jeremy Hewlett

    * src/decode.c: Fixed issue with snort not properly decoding ppp links on MacOS X. Thanks Allan Jensen for reporting this and working with us on the fix (Roelker).

2004-12-14 Jeremy Hewlett

    * doc/README.http_inspect: Updated documentation on flow_depth and HTTP headers per conversations with Joe Patterson. Thanks Joe!

2004-12-09 Jeremy Hewlett

    * src/preprocessors/spp_arpspoof.c: Added variable names to function prototypes and made cosmetic changes to debug messages. In ARPspoofHostInit() fixed a problem where the list of configured IP/MAC entries would contain only one entry and leaked memory. In DetectARPattacks() made a small performance improvement by eliminating a copy of the ARP source protocol (IP) address (Jeff Nathan).
    * src/snort.h:
    * src/snort.c:
    * src/parser.c: Fixed a problem affecting MacOS X where linking may fail with non-standard libraries when global symbols are encountered multiple times. Removed duplicate globals and externed globals in headers. Defined globals in source. Made sure frag2 is only linked once (Jeff Nathan).

2004-12-08 Daniel Roelker

    * src/detect.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/fpdetect.c:
    * src/inline.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h: If the 'Q' option (inline) is set, set a global variable that can be used externally.
    * src/preprocessors/snort_httpinspect.c: Update error message when IIS Unicode map file is not found.
    * src/preprocessors/spp_stream4.c: Ignore RST|ACK midstream pickup case so we don't get an evasive TCP alert. Thanks for the report, Sekure.
    * src/util.c:
    * src/util.h:
    * src/snort.c: Change SanityChecks() to CheckLogDir() so the function name now makes sense. Move CheckLogDir() to after parsing snort.conf (for IDS mode), so the logdir config will work if the default or command-line logdir does not exist on the system.
2004-11-19 Steven Sturges

    * src/preprocessors/spp_telnet_negotiation.c: Fixed issues with how telnet options are handled.

2004-11-18 Steve Sturges

    * src/detection-plugins/sp_pcre.c: Fixed bug when setting the doe_ptr on a successful pcre match. It is now set relative to base_ptr.
    * src/detection-plugins/sp_byte_jump.c: Added from_beginning and multiplier options for byte_jump. from_beginning skips bytes from the beginning of the content, instead of from the location immediately following the number of bytes to skip. multiplier takes a numeric argument, and skips x times that number of bytes.

2004-11-04 Andrew Mullican

    * src/detect.c:
    * src/detect.h:
    * src/log.c: In "fast" output, now log only actual packet contents when UDP data length is greater than actual data length. Thanks Brian Caswell for spotting this.

2004-11-04 Jeremy Hewlett

    * configure.in: Added --enable-64bit-gcc to set up the build environment for 64bit (tested only on Solaris9). There are still some memory alignment issues to work out before 64bit mode is fully functional; patches are welcome. Thanks Chris Baker for doing 64bit testing.
    * src/sfutil/sfmemcap.c: Better support for 64bit Snort (mnorton).

2004-11-04 Andrew Mullican

    * src/output-plugins/spo_unified.c: Fixed reference times to match log time for first packet, for an event generated by a reassembled packet. Incremented event ID to give unique ID for each packet. Also made unified logging compatible with Windows.

2004-11-02 Jeremy Hewlett

    * configure.in: Changed linking order of libmysqlclient.
    * src/detection-plugins/sp_rpc_check.c:
    * src/preprocessors/spp_frag2.c:
    * src/sfutil/acsmx2.c: Fixes for compilation on 64-bit Solaris. Snort 2_3 branch compiles cleanly (jhewlett, mnorton). Should be a few more changes coming shortly.
    * src/plugbase.c: Compilation fix for AIX. Thanks Markus Waldeck.
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
    perfmonitor config line can now be configured with accumulate or reset (mnorton). Thanks Barry Basselgia for pointing out the issue. Thanks Scott Dexter and Andreas Ostling for doing some initial testing.

2004-10-21 Daniel Roelker

    * src/preprocessors/HttpInspect/client/hi_client.c:
    Don't include the version string length as part of the directory length. Caused some false positives if the oversize directory length was set to small numbers. Thanks Jeremy Hewlett for catching this one.

    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/snort_httpinspect.c:
    Fix false positives that were occurring on some events. Thanks to Vjay Larosa for the report.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/sfprocpidstats.c:
    Fix linux perfmonitoring stats for the 2.6 kernel. Thanks to everyone that reported this bug.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    Add an enforce_state keyword to stream4 so we won't pick up midstream sessions. This works well for asynchronous links and also for just monitoring legitimate traffic.

2004-10-13 Daniel Roelker

    * src/detect.c:
    Fix suppression/thresholding bug for non-rule alerts. Thanks to Alex Butcher for reporting it to us.

2004-10-11 mfr

    * src/util.c:
    Fix divide by zero bug in TimeStats().

2004-10-05 Daniel Roelker

    * src/parser.c:
    Fix bug in preprocessor error statement that referenced freed memory. Thanks to Dennis George for submitting fix.

    * src/detection-plugins/sp_pattern_match.c:
    Fix content option modifiers so that they check the option specified and not offset. Thanks to Petr Kurtin for pointing out this bug.

2004-10-04 Daniel Roelker

    * src/decode.c:
    Fix TCP/IP options print bug that was found by Marcin Zgorecki.

    * src/plugbase.c:
    Move portscan initialization into preprocessors, not plugins.
    * preprocessors/portscan.c:
    Inspect invalid TCP initiators that stream4 doesn't track for portscans. Log open ports on TCP portsweeps when we can. Thanks to #snort and SGUIL guys for their comments and feedback. Also, thanks to David Lowless for his portscan testing in the UK.

2004-10-04 mfr

    * src/preprocessor/spp_frag3.c:
    * src/preprocessor/spp_frag3.h:
    * src/generators.h:
    * src/plugbase.c:
    * src/plugbase.h:
    New target-based IP defragmenter for Snort.

    * src/parser/IpAddrSet.h:
    * src/parser/IpAddrSet.c:
    Added functions for improved set parsing, generation, finding.

    * src/preprocessors/flow/flow_cache.c:
    Reformatted output printing for flowcache_stats() function.

    * src/preprocessor/spp_arpspoof.c:
    * src/preprocessor/spp_bo.c:
    * src/preprocessor/spp_conversation.c:
    * src/preprocessor/spp_flow.c:
    * src/preprocessor/spp_frag2.c:
    * src/preprocessor/spp_httpinspect.c:
    * src/preprocessor/spp_perfmonitor.c:
    * src/preprocessor/spp_portscan.c:
    * src/preprocessor/spp_rpc_decode.c:
    * src/preprocessor/spp_stream4.c:
    * src/preprocessor/spp_telnet_negotiation.c:
    Added context pointer handling to PreprocessorFunctionNode calls.

    * src/sfutil/sflsq.h:
    * src/sfutil/sflsq.c:
    Added a couple of list node delete and add functions for the current ptr.

    * src/sfutil/sfxhash.h:
    * src/sfutil/sfxhash.c:
    Exposed sfxhash_free_node() function as a public function.

    * src/util.c:
    * src/snort.c:
    Added a modified version of Bill Parker's run timing patch.

2004-09-20 Daniel Roelker

    * src/util.c:
    Fix ts_print to work correctly for localtime logging.

    * src/fpdetect.c:
    Thresholded drop/sdrop rules should still drop the packet, but we just won't alert on them. Thanks to Brian Starrfield for finding this bug.

2004-09-17 Daniel Roelker

    * src/detect.c:
    Fix tagging issue that would tag rebuilt TCP streams, which for most output plugins means we just relog the packets that we've already logged. Thanks Jeremy Hewlett and Daniel Cid for finding this bug.
    * src/event_queue.c:
    * src/event_queue.h:
    Only flush a TCP stream on rule alerts and not on preprocessor alerts. Thanks Jeremy Hewlett and Daniel Cid for finding this bug.

2004-09-13 Jeremy Hewlett

    * src/detection_plugins/sp_react.c:
    * src/detection_plugins/sp_react.h:
    Wrap sp_react in #ifdef tests so it can be enabled concurrently with sp_respond2 (Jeff Nathan).

    * src/detection_plugins/sp_respond.c:
    * src/detection_plugins/sp_respond.h:
    Wrap sp_respond in #ifdef tests so it is mutually exclusive of sp_respond2 (Jeff Nathan).

    * configure.in:
    * doc/Makefile.am:
    * doc/README.FLEXRESP2:
    * src/parser.c:
    * src/snort.h:
    * src/detection_plugins/Makefile.am:
    * src/detection_plugins/sp_respond2.c:
    * src/detection_plugins/sp_respond2.h:
    Import version 2 of the flexible response system written by Jeff Nathan.

2004-09-08 Daniel Roelker

    * src/decode.c:
    Drop bad checksums if we're in inline mode and we're doing checksums. Thanks to William Metcalf and Victor Julien for this patch.

    * doc/CREDITS:
    Updated CREDITS with some major SourceFire contributors that were not mentioned.

2004-09-07 Daniel Roelker

    * src/inline.c:
    * src/inline.h:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    Make reject rule type work with linux bridging. Added config option 'layer2resets', which by default uses the interface specified by the ipq packet. In addition, you can also specify a src mac address so the sensor interface information is not apparent. Thanks to William Metcalf and Victor Julien for this feature.

2004-09-02 Daniel Roelker

    * src/detect.c:
    * src/fpdetect.c:
    * src/preprocessors/spp_stream4.c:
    Add inline state configuration for stream4, so we will drop packets that are not part of an existing TCP session and are not valid TCP initiators. Thanks Will Metcalf and Victor Julien for the initial implementation. Add functionality for drop/sdrop rules that will still drop a packet if the rule specifies "flow: established". We silently drop the packet, so as not to be DOS'd by stick/snot attacks.
    If the user wants the alerts, then add in the stream4 configuration of 'midstream_drop_alerts'.

    * src/rules.h:
    * src/detection_plugins/sp_clientserver.c:
    Add not_established keyword to the flow detection option. This allows snort to do dynamic firewall rulesets. Experimental for now, so if anyone wants to try it, let me know.

    * src/preprocessors/snort_httpinspect.c:
    Fix conditions where snort would log double web alerts that contained only content options (no uricontents). Thanks to kawa for finding and reporting this bug.

2004-08-31 Daniel Roelker

    * src/fpdetect.c:
    If InlineMode() is set, then the flow: established check will also look to see if the TCP stream was picked up in midstream. If it was, then we assume it's established. This also blocks packets that are generated by stick/snot type attacks, whereas before these packets were just being passed through because flow: established was not valid.

2004-08-27 Daniel Roelker

    * src/sfutil/sfmemcap.c:
    Fix 64-bit bug found and tested by Ryan Matteson (matty91@bellsouth.net) and Clay McClure (clay@daemons.net). Thanks guys.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/snort_httpinspect.c:
    When we pick up TCP sessions in midstream, don't use stream4 direction to tell us how to inspect client and server traffic. Performance enhancement for some sites.

    * src/preprocessors/portscan.c:
    Add more comments and make portscan detail printouts more readable.

2004-08-20 Daniel Roelker

    * src/util.c:
    Make ts_print work correctly with timezones. Thanks to Dagobert Kellner for the fix.

2004-08-19 Daniel Roelker

    * src/util.c:
    Log an error when the user tries to setuid/gid and snort is being run in inline mode. Thanks Matt Brannigan for finding this bug.

2004-08-13 Daniel Roelker

    * src/detection-plugins/sp_pattern_match.c:
    Ignore replace rule options when snort isn't in GIDS mode. (Roelker)

    * src/decode.h:
    * src/detect.h:
    Set a packet_flag for drop alerts. This lets the output plugins know that we just dropped the packet that we logged. (Roelker)

2004-08-11 Daniel Roelker

    * src/inline.c:
    * src/spo_unified.c:
    Make inline alerts work with unified output. Thanks for the help in unified format, Andrew Baker.

    * src/util.c:
    Added ASCII pig (thanks Dug Song) and snort team to snort initialization printout.

    * src/output-plugins/spo_log_tcpdump.c:
    Check to make sure we have a pointer before we reference a structure element.

2004-08-05 Daniel Roelker

    * src/log.c:
    * src/detect.c:
    Make tagging work for more than 1 second. (Daniel Roelker)

    * src/detect.c:
    * src/fpdetect.c:
    Get thresholding/suppression to work for alerts that do not contain an iph header (primarily decode alerts). Thanks Brian Caswell.

2004-08-04 Daniel Roelker

    * src/snort.c:
    Fix inline printf's during initialize. Also fix return code on invalid input for startup. This helps scripts so it returns an error if the command line arguments in the script are wrong. Thank you Matt Brannigan for this fix.

2004-07-28 Daniel Roelker

    * configure.in:
    Added --include-pcre* configuration option to help cross compiling. Thanks Erik de Castro Lopo.

    * src/event_queue.c:
    Fix bug in multi-event logging when thresholding/suppression was enabled for events in the queue. Thanks once again to Andreas Ostling.

    * src/output-plugins/spo_log_tcpdump.c:
    When a rebuilt stream causes an alert, log out the original packets instead of the rebuilt packet. Thanks Marty Roesch.

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    Turn off some alerts in the profile that were causing false positives.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    Turn off encoding alerts in HTTP parameter field. The parameter field is still normalized, it just doesn't alert. This helps reduce alerts that are generated from complex parameter queries.
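The 2004-11-18 sp_byte_jump.c entry above describes the from_beginning and multiplier modifiers, but not what byte_jump has to guard against in either mode: the length value it extracts is attacker-controlled, so the computed jump must be bounds-checked against the payload before the detection cursor moves. The C below is an added illustration written for this page, not Snort's sp_byte_jump.c; the struct, function and option names are assumptions chosen to mirror the ChangeLog's wording, and the sample TLV payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example modelling byte_jump's from_beginning and multiplier
 * modifiers. Names are this example's own, not Snort's sp_byte_jump.c. */
struct byte_jump_opts {
    size_t   nbytes;          /* width of the length field: 1..4 bytes        */
    long     offset;          /* position of the field relative to the cursor */
    int      little_endian;   /* 0 = network (big-endian) byte order          */
    unsigned multiplier;      /* skip value * multiplier bytes (1 = as is)    */
    int      from_beginning;  /* 1 = jump from payload start, 0 = from the
                               * end of the length field                      */
};

/* Evaluates one byte_jump against `payload`. On success returns 0 and stores
 * the new detection cursor in *out. Returns -1 whenever the length field or
 * the jump destination would lie outside the payload, which is where an
 * attacker-chosen length value would otherwise send the cursor. */
int byte_jump(const uint8_t *payload, size_t len, size_t cursor,
              const struct byte_jump_opts *o, size_t *out)
{
    if (o->nbytes < 1 || o->nbytes > 4 || o->multiplier == 0 || cursor > len)
        return -1;

    /* Locate the length field and make sure all of it is inside the payload. */
    long start = (long)cursor + o->offset;
    if (start < 0 || (size_t)start > len || o->nbytes > len - (size_t)start)
        return -1;

    /* Extract the value in the requested byte order. */
    uint32_t value = 0;
    for (size_t i = 0; i < o->nbytes; i++) {
        size_t idx = o->little_endian ? (size_t)start + o->nbytes - 1 - i
                                      : (size_t)start + i;
        value = (value << 8) | payload[idx];
    }

    /* 64-bit arithmetic keeps value * multiplier from wrapping to a small,
     * in-bounds number. */
    uint64_t skip = (uint64_t)value * o->multiplier;
    uint64_t base = o->from_beginning ? 0 : (uint64_t)start + o->nbytes;
    uint64_t dest = base + skip;
    if (dest > len)              /* dest == len leaves the cursor at the end */
        return -1;
    *out = (size_t)dest;
    return 0;
}

/* Constructed sample: a 2-byte big-endian length (4) followed by 4 bytes of
 * data and 2 trailing bytes. */
static const uint8_t PKT[] = { 0x00, 0x04, 'A', 'B', 'C', 'D', 0xAA, 0xBB };

int main(void)
{
    struct byte_jump_opts o = { 2, 0, 0, 1, 0 };
    size_t out;
    /* default: skip past the 2-byte field, then 4 more bytes -> cursor 6 */
    if (byte_jump(PKT, sizeof PKT, 0, &o, &out) == 0)
        printf("byte_jump 2,0              -> cursor %lu\n", (unsigned long)out);
    o.from_beginning = 1;            /* from_beginning: 4 bytes from offset 0 */
    if (byte_jump(PKT, sizeof PKT, 0, &o, &out) == 0)
        printf("byte_jump 2,0,from_beg     -> cursor %lu\n", (unsigned long)out);
    o.from_beginning = 0; o.multiplier = 2;   /* 2 + 4*2 = 10 > 8: rejected */
    printf("byte_jump 2,0,multiplier 2 -> %s\n",
           byte_jump(PKT, sizeof PKT, 0, &o, &out) ? "out of bounds" : "ok");
    return 0;
}
```

Reading the same two bytes as little-endian yields 0x0400, which the bounds check also rejects; the endianness modifier therefore changes not just the value but whether the rule can match at all on a given payload.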
2004-07-08 Daniel Roelker

    * etc/gen-msg.map:
    * src/generators.h:
    * src/plugbase.c:
    * src/decode.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_sfportscan.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/flow/flow.h:
    Added new portscan detector. We now detect tcp, udp, icmp, and ip protocol scans. Along with the following scan types (using nmap terminology): portscan, decoy portscan, portsweep, and distributed portscan. The initial version will have three sensitivity levels, so if you want to change values manually go to portscan.c and change the values there. I don't want to confuse people out of the gate with lots of value configurations, so try these preset levels and give us feedback. (Daniel Roelker)

2004-07-06 Daniel Roelker

    * configure.in:
    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/detect.h:
    * src/fpdetect.c:
    * src/inline.c:
    * src/inline.h:
    * src/mstring.c:
    * src/parser.c:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/output-plugins/spo_database.c:
    * src/preprocessors/spp_stream4.c:
    Added IPS functionality from snort_inline. Thanks everyone that was involved in that project. For more info, go check out http://snort-inline.sourceforge.net.

    * src/log.c:
    Fixed memory leak in "fast" output. Thanks for your bug report, sekure@gmail.com.

2004-06-22 Chris Reid

    * src/snort.c:
    Clear error code which under Windows was causing a subsequent false failure in parsing threshold rules. (thanks to Rich Adamson)

2004-06-16 Daniel Roelker

    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1.h:
    * src/debug.h:
    * src/snort.c:
    Added ASN.1 parsing and detection functionality to snort. Please refer to README.asn1 for more information on rule usage. (Roelker)

    * src/parser.c:
    Added parsing check from Andreas Ostling so that users don't assume that destination port lists are allowed because no error is given.

    * src/preprocessors/spp_stream4.c:
    Fixed rebuilt TCP packet munging reported by Steve Halligan. Thanks a lot for getting this problem down to pcap so we could analyze the problem.

    * src/detect.c:
    * src/event_queue.c:
    * src/log.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfutil/sfeventq.c:
    Improve TCP reassembly flushing for TCP streams that have already generated an alert. This was illustrated by Brian Bailey in his SANS GIAC practical examination. Thanks for working with us on this one.

2004-05-06 Daniel Roelker

    * src/detection-plugins/sp_pattern_match.c:
    Fixed rule read up error when parsing hexmode content options. Thanks for pointing it out Marty. (Roelker)

    * src/preprocessors/spp_stream4.c:
    Fixed null pointer dereference when detect_scans were enabled and creating a new session that had funky flags. Thanks to Chad Kreimendahl for reporting the bug and testing the fix. (Roelker)

    * src/snort.h:
    at build 28

2004-04-22 Daniel Roelker

    * src/decode.c:
    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/parser.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
    Added new event queueing algorithm, so Snort logs multiple events per packet/stream. The algorithm uses two ordering methods: priority and content length. (Roelker)

    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    New Aho-Corasick pattern matchers (Norton). Added content length tracking on otnx structures.

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/snort_httpinspect.c:
    Added webroot alert. This alert is generated when a URL directory traversal traverses past the webroot. Added new URI discovery technique pointed out by Kanatoko.

    * src/tag.c:
    Revert to old tagging behavior. Will add new functionality in a future version.

    * src/util.c:
    Changed Snort post-processing stats to unsigned so users won't get negative stats. Thanks to various people from the community for reporting this.

2004-03-22 Chris Reid

    * src/plugbase.c:
    * src/plugbase.h:
    * src/output-plugins/spo_database.c:
    Updated how current/utc times are calculated, as well as how they are formatted (thanks Marcus Janoski).

2004-03-18 mfr

    * src/sfutil/acsmx2.c:
    Fixed _toupper/_tolower calls on non-Win32 machines (again).

    * src/preprocessors/spp_stream4.c:
    Uncommented ssnptr set in BuildPacket() for Dan.

2004-03-17 mfr

    * src/parser.c:
    Added FatalError() in ProcessIP if closing IP-list '[' isn't found.

    * src/util.c:
    Revamped DropStats() function to use screen real estate more efficiently.

    * src/event_wrapper.c:
    QueueEvent checks to see if we're in MODE_IDS before queuing events and ClearEventQueue() checks to make sure that the event_list has been initialized.

    * src/sfutil/acsmx2.c:
    Fixed _toupper/_tolower calls on non-Win32 machines.

    * src/sfutil/acsmx2.c:
    Fixed acsmx.h call to acsmx2.h.

    * doc/Makefile.am:
    Mark snort_manual.pdf for cleanup too.

2004-03-16 Jeremy Hewlett

    * src/snort.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/Makefile.am:
    New Aho-Corasick pattern matcher from Marc Norton - memory usage reduced by 75%.

    * src/snort.h:
    Build 26

2004-03-15 Jeremy Hewlett

    * src/parser.c:
    "config checksum_mode" now supports multiple arguments on one line instead of multiple lines.

2004-03-15 Daniel Roelker

    * src/util.c:
    Calculate dropped packets and received packets correctly. Thanks Yoann Vandoorselaere for pointing this out.

2004-03-08 Daniel Roelker

    * configure.in:
    Thanks to Erik de Castro Lopo for removing warnings.

    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/snort.c:
    New event queuing and logging for decoder and stream4 events (Marty).

    * src/fpdetect.c:
    Return value for fpEvalPacket and reset BITOP array on HTTP pipelines (Marty/Roelker).

    * src/generators.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    Added non-rfc chunk length encoding support, thanks for pointing it out H.D. Moore, and added webroot alert which alerts on webroot directory traversals (Roelker).

    * src/debug.h:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream4.h:
    * src/preprocessors/stream.h:
    Added new TCP state engine (Marty).

    * src/output-plugins/spo_unified.c:
    Added stream packet logging for unified output, when alerting on rebuilt streams (Marty).

    * src/preprocessors/spp_conversation.c:
    Fixed conversation parsing faults so users can operate this preprocessor (Roelker).

    * src/snort_packet_header.h:
    Added for future support (Marty).

    * src/snort.h:
    Now on build 25.

2004-02-25 Jeremy Hewlett

    * src/output-plugins/spo_csv.c:
    Additional fixes from Alan Milligan with CSV output, thanks!

    * src/sfutil/bitop.h:
    Cleaning up unsigned/signed warnings.

    * src/snort.h:
    Moving to build 24.

2004-02-25 Chris Reid

    * src/output-plugins/spo_database.c:
    Removed escaping of '%' and '_' characters in MySQL (thanks Kristofer Karas).

2004-02-23 Jeremy Hewlett

    * snort.8:
    Updated -T info to include where snort looks for "snort.conf." Thanks Drew Smith for pointing that out.

    * doc/snort_manual.tex:
    Doc updates for thresholding - rule thresholds must contain a sid.

    * src/detect.c:
    * src/plugbase.c:
    Changed some startup messages from printf to LogMessage to be more consistent. Thanks for the patch, nnposter(at)users.sourceforge.net.

    * src/snort.h:
    Touched source code - bumping to 23.

2004-02-17 Jeremy Hewlett

    * src/output-plugins/spo_csv.c:
    Fixed minor problems with CSV output not printing out src, srcport, dst, dstport properly. Thanks for the patch, Bill Guyton. Good spot!

    * src/snort.h:
    Now at build 22.

2004-02-13 mfr

    * templates/sp_template.h:
    * templates/sp_template.c:
    * templates/spp_template.h:
    * templates/spp_template.c:
    Updated to match the current reality of Snort.

2004-02-10 Jeremy Hewlett

    * src/bounds.h:
    * src/event.h:
    * src/signature.h:
    Added fix for compiling on Tru64 - bitypes.h now wrapped in an ifdef. Thanks Hari Gopal and Darryl Cook for pointing out the problem and testing.

    * etc/snort.conf:
    * doc/snort_manual.tex:
    Various fixes pointed out by JP Vossen and Felipe Franciosi.

2004-02-09 Jeremy Hewlett

    * src/Makefile.am:
    Removed unnecessary libintsnort.a, which was causing problems for some trying to compile on Solaris without the default system tools (ie: the "ar" problem).

2004-02-05 Jeremy Hewlett

    * Makefile.am:
    Fixed tab vs space problem on Solaris. Thanks for the report, Chad Kreimendahl!

2004-02-05 Daniel Roelker

    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    Fixed alert_once bug that was discovered by Kevin Amorin. Thanks for pointing out the particulars of the problem, so we could do a quick fix.
2004-01-30 Daniel Roelker

    * src/decode.h:
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_flow.h:
    * src/sfutil/bitop.h:
    * src/snort.c:
    Added Flowbits detection functionality. Thanks Brian Caswell for initial code prototype.

    * src/sys_include.h:
    * src/ubi_BinTree.c:
    * src/ubi_BinTree.h:
    * src/ubi_SplayTree.c:
    * src/ubi_SplayTree.h:
    No more Log variables. Die, die, die . . .

2004-01-21 Jeremy Hewlett

    * contrib/perfstats.c:
    Added utility to parse out perfmon stats.

    * RELEASE.NOTES:
    Added file to keep track of release notes. ChangeLog will migrate to more detailed, code-oriented comments.

2004-01-20 Jeremy Hewlett

    * src/detect.c:
    Tagged Packets no longer have NULL msg name.

    * src/output-plugins/spo_csv.c:
    Minor CSV fixes from Elias Levy (Thanks Elias!)

    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
    Minor LaTeX fixes from Jen Harvey (Thanks Jen!)

2004-01-16 Jeremy Hewlett

    * src/decode.h:
    * src/preprocessors/spp_stream4.c:
    Fixed http_inspect double alerting on pkts and rebuilt streams. (Thanks Andreas Ostling)

    * src/detect.c:
    Fixed double incrementing of pc.log_pkts on non-rule events.

    * src/detect.h:
    Removed duplicated SnortEvent() function.

    * src/event_wrapper.c:
    Added additional checks to GenerateSnortEvent().

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/snort_httpinspect.c:
    http_inspect proxy_alert now supports normal proxy network setups. http_inspect default server only valid if specified in config. (Thanks Brent Erickson)

    * src/snort.c:
    Error on multiple interfaces on command line. Corrected pcap_compile error. (Thanks Andreas Ostling)
    * src/output-plugins/spo_csv.c:
    Added string escaping for the msg.

2004-01-13 Chris Reid

    * Added Oracle support into Win32 version. Much appreciation to Adam Peterson and SPL Worldgroup Inc. for sponsoring this development! This option will now be available within the Win32 installer thanks to their contribution.

2004-01-13 Jeremy Hewlett

    * src/detection-plugins/sp_session.c:
    Fixed vague error message with directory creation problems (Thanks Kenneth Ingham).

    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/preprocessors/flow/flow.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow_callback.h:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/flow_stat.c:
    * src/preprocessors/flow/flow_stat.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps.h:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/flow/portscan/scoreboard.h:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/server_stats.h:
    * src/preprocessors/flow/portscan/unique_tracker.c:
    * src/sfutil/util_net.c:
    * src/sfutil/util_net.h:
    Fixed compilation problems on Solaris and some versions of BSD. Thanks to the Snort community for your support. These fixes change the variable type to u_int32 to remove the need for stdint.h.

    * src/output-plugins/spo_alert_unixsock.c:
    Close socket when Snort receives SIGHUP (based on patch submitted by Neetu Nangia).

    * src/output-plugins/spo_csv.c:
    Added GID, SID, and Rev to csv output (Thanks Brennen Reynolds).

    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/spp_stream4.c:
    Fixed build warnings on FreeBSD 5.0.

    * src/parser.c:
    config chroot re-added.

    * src/parser.c:
    * src/parser.h:
    Added additional error checking for custom rules (Thanks Andreas Ostling).

    * src/preprocessors/flow/flow_print.c:
    Flow now honors -q (quiet).

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    Fixed issue with no_alert not quieting some alerts.

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    Removed non_rfc_chars from default profiles.

    * src/sfthreshold.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    Added suppression negation (Thanks Andreas Ostling).

    * src/sfthreshold.c:
    Fixed backwards display of IP addresses on Solaris.

    * doc/FAQ:
    * doc/README.csv:
    * doc/README.http_inspect:
    * doc/README.thresholding:
    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
    Minor clarifications and additions.

2004-01-05 Daniel Roelker

    * src/fpdetect.c:
    Fixes the signature error that users were getting after changes to the AddMatch and SelectEvent routines. Thanks Andreas Ostling, Ron Shuck, Jon Hart, and Chris Keladis.

2003-12-22 Daniel Roelker

    * src/parser.c:
    Andreas Ostling parser fixes and updated error messages.

2003-12-20 Chris Reid

    * Win32 version wouldn't run as a service. Thanks to Michael Steele for pointing this out.

2003-12-17 Chris Reid

    * Updated Win32 to 2.1.

    * src/output-plugins/spo_database.c:
    Better support for ODBC. Better memory management (thanks Jeff Nathan). Improved escaping of SQL strings.
2003-12-17 Daniel Roelker

    * Snort 2.1 Release

    * src/decode.h:
    Options struct element len, changed to octet. Thanks Andrew Rucker.

    * src/detection-plugins/sp_pattern_match.c:
    Infinite looping patch during specific recursion processing. Thanks Lawrence Reed.

    * src/detection-plugins/sp_pcre.c:
    Fixed pcre URI matching. Thanks Jeremy Hewlett.

    * sp_respond.c:
    Fixes to help respond actions to correlate more closely to RFCs and now doesn't allow users to shoot themselves in the foot.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    Only log DOUBLE DECODE alerts if it's in the URL and not the parameter section.

    * src/preprocessors/spp_stream4.c:
    Sync stream4 up with the various versions of it. Fix problem of out-of-order ACKs that was recognized by Andrew Rucker. Also fixed off-by-one bug on reassembled streams that was introduced by previous stream4 patch.

    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
    Fixed memory access bug in mwm content matching that multiple users were able to reproduce.

    * src/tag.c:
    Pkt tagging configuration now works correctly. Thanks Jeremy Hewlett for pointing this out.

2003-12-08 Chris Reid

    * Updated Snort 2.1 Win32 installer.

    * Updated spo_database.c to escape sensor name strings. This had been causing a problem under Windows with MySQL because of WinPcap sensor names having embedded backslashes.

2003-12-03 Chris Reid

    * Updated Snort 2.1 beta to support Win32.

2003-11-18 Daniel Roelker

    * src/detection-plugins/sp_ip_proto.c:
    Re-added ip_proto structure to ds_list so that the high-speed detection engine once again optimizes on ip_proto rules.

2003-11-14 Chris Green

    * src/preprocessors/flow/portscan/flowps_snort.c:
    When using pktkludge output format, make destination address the last one seen.

2003-11-07 Daniel Roelker

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    Added some additional config options to server profiles all and iis.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    Return invalid URI for configs that don't allow a tab as a URI delimiter instead of processing. This helps reduce false positives for servers that won't accept tabs as valid.

    * autojunk.sh:
    Added --add-missing to automake so the flow dependencies get installed.

    * src/detection-plugins/sp_dsize_check.c:
    Validate dsize argument so that it is a decimal number and a positive integer.

2003-11-07 Martin Roesch

    * src/sfthreshold.c (print_thresholding):
    Cleaned up linewrapped separators, cosmetic cleanup for 80-col terminals.

2003-11-06 Chris Green

    * src/detection-plugins/sp_pattern_match.c (CheckANDPatternMatch):
    Fixed a bug in sp_pattern_match that was introduced with the recursive processing in 2.0.3 that resulted in a core dump due to an OOB read.

2003-11-04 Chris Green

    * src/log.c (PrintIPHeader):
    Print frag size as the size of the datagram - header.

2003-11-04 Marc Norton

    * src/snort.c (SnortMain):
    Display thresholding information at start up.

2003-10-30 Chris Green

    * src/log.c (PrintIPHeader):
    Make fragsize print out the size of the payload rather than the size of the header.

2003-10-28 Marc Norton

    * src/sfutil/mwm.c:
    Fixed bug with search-method mwm resulting in retesting removing an active rule on occasion (Thanks to Raul Siles & David Perez for a reproducible test case!)
2003-10-28 Chris Green

    * src/util.c (read_infile):
    Make snort FatalError on bpf filter problems (reported by Fran Loehmann).

2003-10-27 Chris Green

    * src/preprocessors/spp_flow.c (DEFAULT_MEMCAP):
    Make default memcaps much smaller.
    (FlowInit): Display correct memcap.

2003-10-20 Chris Green

    * configure.in:
    - removed smb alerting since it should be moved to barnyard

    Major 2.1 Features
    - Suppression/Thresholding by
    - HttpInspect replaces http_decode by Dan
    - Flow (replaces spp_conversation)
    - Flow-Portscan
    - PCRE (www.pcre.org) is now required to build
    - pcre keyword for regular expressions incorporated
    - isdataat keyword to help with rule writing

    See the doc/ subdirectory for more details.

2003-10-02 Chris Green

    * src/parser.c (RuleType):
    func == NULL bug fix for Bart Haagdorens

    * Incorporated Steve Grubb's HUP fix for -u users that aren't doing Chroot.

2003-09-22 Chris Green

    * back from honeymoon

    * src/preprocessors/spp_stream4.c (BuildPacket):
    fixed DEBUG compilation/zero_flushed_buffers option

2003-09-10 Chris Green

    * Snort 2.0.2

    * added flush_data_diff_size and zero_flushed_buffers for stream4_reassemble

    * added thresholding (see doc/README.thresholding) from Sourcefire/Marc Norton

2003-09-02 Chris Reid

    * Updated Win32 code to properly support logging to the Windows Event Log without including the Microsoft-generated warning, as was previously observed.

2003-08-06 Chris Green

    * src/decode.c (DecodeTCP):
    fixed TCP_LARGE_OFFSET with patch from Bob Perkins

2003-07-28 Chris Reid

    * Updated sp_pattern_match.c and win32_service.c to play nice with Visual Studio .NET (thanks for feedback from Louis Jagoe).
2003-07-25 Chris Green

    * Makefile.am (dist-hook):
    - add signatures kludges to fix up official tarballs
    - fixed verstuff.pl to interpolate variables

    * spp_arpspoof patches from Jeff Nathan
    - Replaced unchecked malloc() calls with SnortAlloc
    - Changed the parameter name ipmel to ip_mac_entry_list in functions operating on this list for clarity
    - Re-ordered sanity tests in the preprocessor function to prevent a null pointer dereference and to identify early exit conditions
    - Minor optimization to the overwrite detection code: if the overwrite list hasn't been initialized return when entering the overwrite condition tests
    - Use FreeToks instead of for() and free() for mSplit tokens.
    - Implemented a CleanExit function suitable for CleanExit and Restart.
    - Added CallLogFuncs calls to accompany all CallAlertFuncs calls (previously CallLogFuncs was not used at all).

    * src/decode.c (DecodeVlan):
    - compile with --enable-debug

2003-07-22 Chris Green

    * Shortly after release:
    - added verstuff.pl
    - added dist-hook to run verstuff.pl to make the published tarballs up to date on snort version

    * Snort 2.0.1 Released

2003-07-18 Chris Green

    * src/decode.c (DecodeUDP):
    - fixed UDP checksums to not incorrectly calculate with a header in host byte order. Thanks to Marc Norton & Jeremy Hewlett for helping.

    * src/detect.c (Preprocess):
    - completely ignore invalid IP checksums throughout snort if we are checking them.

2003-07-09 Chris Green

    * src/decode.c (DecodeIEEE80211Pkt):
    - fixed vlan decoding on lots of advice + patch from Michael J. Pomraning over at SecurePipe. Thanks!
2003-07-03 Chris Green

    * src/decode.c (DecodeIP):
    - removed redundant flag setting operation

2003-07-01 Chris Green

    * src/preprocessors/http-resp.c (IsHttpServerData):
    - ensure TCP state on discarded traffic

    * src/preprocessors/spp_stream4.c (GetDirection):
    - switch to using IP addresses

    * src/preprocessors/spp_frag2.c (Frag2Defrag):
    - ignore packets with bad checksums

2003-06-09 Marc Norton

    * src/fpdetect.c:
    fixed pass not always superseding Alert when rule order was Pass-Alert-Log

    * src/fpcreate.c:
    This fixes an initialization problem with the iBirDirection flag.

2003-06-04 Chris Green

    * src/preprocessors/spp_bo.c:
    log packet data

2003-05-30 Chris Green

    * src/snort.c:
    removed obsolete global flow variable

2003-05-28 Chris Reid

    * Win32 patches from Fulvio Risso (of WinPcap) so -i parameter can support both "-i 1" format, and also support named interfaces like "-i \Device\Packet_{12345678-90AB-CDEF-1234567890AB}". Fulvio also provided a more streamlined Win32 print_interface().

2003-05-27 Chris Green

    * src/output-plugins/spo_alert_sf_socket.c:
    - made compile w/ debug

    * src/detection-plugins/sp_session.c (OpenSessionFile):
    refactored to do fatal error inside the lower level function where filename is defined. Bug reported by Jon Werrett.

2003-05-27 Andrew R. Baker

    * Changed evalIndex to give precedence to help work around problems with rule ordering when not using -o

2003-05-14 Andrew R. Baker

    * src/Makefile.in:
    * src/plugbase.h:
    * src/spo_plugbase.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_smb.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_null.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    Relocated Output Plugin API definitions to spo_plugbase.h

    * src/detect.c:
    * src/rules.h:
    added support for per OptTreeNode output functions

    * src/plugbase.c:
    * src/output-plugins/Makefile.in:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_sf_socket.h:
    Sourcefire UNIX datagram socket output plugin

2003-05-16 Chris Green

    * patches from jeff nathan
    - config.h before HAVE's in strc*
    - add OSX kludged support for /sw/include to libnet defaults

    * added doc/signatures to Makefile.am

2003-05-13 Chris Reid

    * Added sanity check in CleanExit() to prevent double-freeing of memory during recursive call to CleanExit(). (Mark Scott)

2003-05-13 Chris Green

    * patches from Jeff Nathan
    - calloc checks in detection-plugins
    - old version of autoheader doesn't like arguments to

    * add timersub.h to Makefile.am

    * src/detection-plugins/sp_byte_check.c (ByteTest):
    - FatalError if hex/oct are used w/o specifying the string parameter

    * src/detection-plugins/sp_byte_jump.c (ByteTest):
    - FatalError if hex/oct are used w/o specifying the string parameter

    * src/preprocessors/spp_frag2.c (RebuildFrag):
    fix integer wrap around on large packets resulting in invalid IP dgrm lengths with large packets for frag2. Thanks to Jason Royes for pointing it out. Will truncate large packets so that the total resulting frame is less than 65535 unless you define DONT_TRUNCATE in config.h. This is unfortunately required for compatibility with other pcap applications.
* src/decode.c (DecodeTCP): move port number assignment above option decoding so people don't complain about decoder events on port 0. 2003-05-02 Chris Reid * updated Win32 LibnetNT.dll (tested by Rich Adamson) 2003-04-28 Chris Green * updated create_postgresql (Frank Knobbe) * solaris forte C compiler patches from Taso Devetzis) 2003-04-25 Chris Green * src/detection-plugins/sp_tcp_win_check.c (SetupTcpWinCheck): - removed initialization message in debug 2003-04-24 Chris Green * src/decode.c (DecodeTCPOptions): - only alert on T/TCP if there is a CCECHO * src/detection-plugins/sp_byte_check.c: * src/detection-plugins/sp_byte_jump.c: * src/byte_extract.c: * src/byte_extract.h: - move the common extraction code to a single place - fix 2 byte extraction code on little endian architectures (Thanks to Jason Miller) * src/bounds.h (inBounds): - remove #include 2003-04-21 Chris Green * src/mwm.c (mwmPrepHashedPatternGroups): - upon a fatal error, yell about config detection: search-method lowmem 2003-04-16 Chris Green * src/detection-plugins/sp_pattern_match.c (ParsePattern): - u_int -> int for size check - (slightly) more readable string handling code * src/timersub.h: import timersub macro from glibc and upcased it * src/snort.c (InterfaceThread): - Use TIMERSUB * src/detect.c (AlertAction): AlertFlushStream takes one argument now * src/parser.c (ParseConfig): disable_tcpopt_ttcp_alerts parsing -- Thanks for pointing it out Jeff Dell * src/preprocessors/spp_stream4.c: - removed unused argument to DeleteSpd (AlertFlushStream): - get the ssnptr variable from the packet structure - unified logic for server and client side - removed memthresholding because of large delays * src/decode.h (_Stream): - get rid of dataPtr ( it's always the same thing as &s->data ) - add bytes_tracked variable for more memory protection * src/preprocessors/spp_stream4.c: - macroize sequence number type checks (StoreStreamPkt): - watch for how many packets we accept 2003-04-14 Chris Green * 
Snort 2.0.0 Released 2003-04-09 Chris Green * src/log.c,spo_database.c (PrintTcpOptions): (PrintIpOptions): - correctly print out * src/log.c,spo_database.c (PrintTcpOptions): (PrintIpOptions): - correctly print out * src/decode.c: Last bastions of ErrorMessage @ decode in non-verbose mode 2003-04-09 Chris Green * src/detection-plugins/sp_byte_jump.c: - another argument parsing bug ( Thanks Judy ) 2003-04-07 Chris Green * src/decode.c: Change all classifications to DECODE_CLASS * src/detection-plugins/sp_byte_check.c (ByteJump/ByteCheck) - do not SetUseDoe() for these functions. Doe is set automatically and use_doe is only needed to be set by people wishing to make the previous pattern match relative. Build 69 * src/decode.h - handle more FIN conditions * src/preprocessors/spp_stream4.c (ReassembleStream4): - adjusted established check * src/preprocessors/spp_stream4.c (NotForStream4): - refactoring 2003-04-04 Chris Green * src/detection-plugins/sp_byte_jump.c (ByteJump): - make offsets work for byte_test and byte_jump (Thanks Judy and Dan) 2003-04-03 Chris Green 2.0.0rc3 * etc/snort.conf: config detection: search-method lowmem Incorporates a lower memory pattern matcher from Marc Norton for people running into not being able to update to 2.0 due to memory issues. 
	* src/snort.c (SnortMain):
	- move InitOutputPlugins down ( 1.9 forward fix from Nick )

2003-04-01  Chris Green

	Build 67

	* src/output-plugins/spo_alert_unixsock.c:
	- moved unix socket format to .h
	- moved default socket location to the logdir ( patches from Nick
	  Zitzmann )

	2.0.0 RC2

2003-03-31  Chris Green

	* src/preprocessors/spp_stream4.c (CreateNewSession):
	- don't act like a happy wallaby if the IP transport doesn't support
	  ECN but the reserved flags make it through crystal clear

	* src/preprocessors/spp_frag2.c (_FragTracker): only do 1 fragment
	  tracker alert for things like teardrop

	* src/preprocessors/spp_stream4.c:
	- DisableDetect() instead of do_detect()
	- flush on write ssn stats (andrewb fix)

	* src/decode.c (DecodeUDP):
	- correctly decode UDP packets (andrewb fix)

2003-03-27  Chris Reid

	* src/tag.c
	  #ifdef should have been #ifndef

	* src/acsmx.h
	  Have WIN32 use definition of "inline" from config.h instead of a
	  locally defined one

	* src/output-plugins/spo_alert_syslog.c
	* etc/snort.conf
	  Changed Win32 default host to "127.0.0.1" (thanks to Rich Adamson)

	* src/win32/WIN32-Prj/snort_installer.nsi
	  Added further installation instructions to help cut down on the
	  number of 'newbie' questions.

2003-03-28  Chris Green

	* src/parser.c (ParseConfig):
	- make disable ipopt work (Thanks Tim Slighter)

	* src/tag.c (PrintTagNode): new f()
	- added static cling
	(ParseTag): fixed parser
	(AddTagNode):
	- fixed src/dst tagging
	- unified both tag cache logics

	* src/debug.h:
	* src/debug.c: added DebugThis()

	* etc/snort.conf
	  make the config options do what they say

	* src/output-plugins/spo_alert_syslog.c (ParseSyslogArgs):
	- only warn if we are parsing snort.conf ( -s )

	* src/tag.h (SetTags):
	- damn #if 0

	* configure.in:
	- remove snmp/ssl

2003-03-27  Chris Reid

	Build 63

	* src/snort.c
	* src/output-plugins/spo_alert_syslog.c
	  Win32 '-s' now takes no arguments.  Host/port info is configured
	  only within snort.conf (output alert_syslog).

2003-03-27  Chris Green

	* configure.in:
	- changed to make DEBUG do -O0 and -g with gcc (-ggdb makes gdb
	  confused.  go fig.)

	* src/snort.c (ParseCmdLine): -s means syslog(), not -s args on win32

	* src/output-plugins/spo_alert_syslog.c (ParseSyslogArgs):
	- SnortAlloc
	- allow -s to work again

2003-03-26  Chris Green

	* src/decode.c (DecodeTCP):
	- bad format args (thanks Tim!)

	RC1

	* Incorporated Patches from Jeff Nathan
	- libnet configure should work again
	- randomize flexible response ttls
	- stop descriptor leaking

	* src/decode.c (DecodeIPOptions): truncation alerts for IP options
	  too!
	(InitDecoderFlags): added decoder flags function

	* src/log.c (PrintIpOptions, PrintTcpOptions):
	- print out everything that I can

2003-03-25  Chris Green

	* src/signature.c (ReferenceSystemAdd):
	- fixed the dang linked list

	* rules/Makefile.in (EXTRA_DIST): added pop2.rules

	* src/decode.h (_Stream):
	- removed current_seq to save memory

	* src/preprocessors/spp_stream4.c
	- added isBetween inline function
	(UpdateState):
	- incorrect ACTION_ACK_CLIENT_DATA
	(StoreStreamPkt):
	- comment clarification

	* src/bounds.h:
	- added new file
	- moved standard bounds checking functions to this file

	* src/detection-plugins/sp_react.c (ParseReact):
	- give react a half a chance of working
	(SendTCP):
	- see above

	* src/detection-plugins/sp_clientserver.c (ParseFlowArgs):
	- fatal error on unknown option

	* src/output-plugins/spo_database.c (UpdateLastCid):
	- added missing free()
	(Database):
	- correctly write out the class_id junk

	* src/output-plugins/spo_alert_smb.c (AlertSmb):
	- print out the ports like was intended

	* src/preprocessors/spp_portscan2.c (SLog):
	- use fprintf for what it was designed for

	* src/preprocessors/spp_portscan.c (LogScanInfoToSeparateFile):
	- use fprintf for what it was designed for

	* src/log.c (PrintArpHeader):
	- wireless arp printing fix
	(PrintTcpOptions):
	- strncpy -> memcpy
	(PrintEapolKey):
	- aligned printf

	* src/decode.c (DecodeTRPkt):
	- more truncation style alerts

2003-03-24  mfr

	* src/preprocessors/spp_stream4.c:
	- changed PruneSessionCache() to only do timeout flushes if we're
	  over 50% of the memcap (should help performance)

	* src/log.c:
	- fixed broken Frag Size calculation in IP header printout routine

2003-03-21  Chris Green

	* src/detection-plugins/sp_session.c:
	- fixed memory leak on filename creation

	* src/preprocessors/spp_stream4.c (Stream4InitReassembler):
	- make serveronly work

	* src/preprocessors/spp_telnet_negotiation.c (NormalizeTelnet):
	- check the byte, then increment

	* src/detection-plugins/sp_byte_check.c (ByteTestParse): more input
	  validation for byte_check/byte_jump

	* src/log.c (PrintWifiHeader):
	- watch out for NULL bssid's

	* src/tag.c (TagHost):
	- removed redundant check
	(AddTagNode):
	- accumulate the tag seconds rather than the idx->seconds

	* src/detection-plugins/sp_pattern_match.c (PayloadSearchRegex):
	- actually die on a regex option ( might actually get it developed
	  later )

	* src/decode.c (DecodeIEEE80211Pkt):
	- more truncated packet alerts
	(DecodePPPoEPkt):
	- alert on truncated pppoe pkts
	- separate decoder for encapsulated PPP
	(DecodeVlan):
	- alert on truncated Vlan headers
	(DecodeUDP):
	- use the UDP header length field instead of capture length

	* src/detection-plugins/sp_byte_jump.c:
	* src/detection-plugins/sp_byte_check.c:
	- protect against negative offsets ( don't rely on negative offsets
	  working in the long term )
	- don't continue when we can't parse string numbers

	* src/detection-plugins/sp_respond.c (Respond):
	- missing iph check

	* src/detection-plugins/sp_ip_proto.c (IpProtoDetectorFunction):
	- missing iph check

	* spp_asn1, fnord, spo_xml, spo_SnmpTrap
	- removed ( will be available later as a contrib )

	* src/preprocessors/spp_http_decode.c:
	- switch to using chars for lookup tables
	- removed extraneous sprintfing
	- removed old TBD feature code

2003-03-17  Chris Green

	* src/snort.c (FPUTS_WIN32):
	- changed to blank space rather than NULL

	Build 60

	New options added to snort.conf:
	  config: disable_tcpopt_experimental_alerts
	  config: disable_tcpopt_obsolete_alerts
	  config: disable_ttcp_alerts
	  config: disable_tcpopt_alerts

	* src/preprocessors/spp_stream4.c (ReassembleStream4):
	- DisableDetect only if the emergency_status is NULL.
	(CreateNewSession):
	- fixed return logic with detect scans

	* etc/gen-msg.map:
	  WARNINGS: -> snort_decoder:
	- new tcpopt events

	* src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
	- change to use DisableDetect() instead of do_detect = 0; (disables
	  further preprocessors)
	(RPC_CLASS): Use the same classification as the other decoder alerts

	* src/snort.h (_progvars):
	- added DecoderFlags structure for enabling/disabling decoder alerts

	* src/snort.h (_progvars):
	- added tcpopt_alert_flag

	* src/decode.c (DecodeTCP):
	- print out warnings on bad header lengths in verbose mode
	(DecodeTCPOptions):
	- nearly complete rewrite to identify whizbang things like bubba and
	  skeeter options!

2003-03-14  Chris Reid

	Build 59 (really this time)

	* src/detect.c
	- corrected un-initialized memory in CreateRuleType()

	* src/snort.c
	- rationalize Unix vs. Win32 command-line options
	- add optarg for Win32 syslog '-s' parameter
	- bugfix for Win32 syslog initialization
	- thanks to Rich Adamson and L. Christopher Luther for helping with
	  the syslog fixes

	* src/util.c
	- provide Win32 fix for SetChroot()

	* many files
	- added missing CVS ID tags
	- added missing copyrights

2003-03-13  Chris Green

	Build 59

	* src/preprocessors/spp_stream4.c (TcpActionAsync):
	- update server side seq numbers on Async State machine

	* src/preprocessors/spp_stream4.c (BuildPacket):
	- Use Constants for IP Lens
	- Move SPARC_TWIDDLE to only initialization

	* src/preprocessors/spp_frag2.c
	- removed killme variable from InsertFrag
	- untabified
	(RebuildFrag):
	- converted to creating fake packets the same way as stream4

2003-03-10  Chris Green

	Build 58

	* src/util.c:
	- new functions SetChroot, CurrentWorkingDir, SigChrootHupHandler,
	  GetAbsolutePath
	- Chroot + HUP == "tough luck for now"

	* src/snort.c (SnortMain):
	- Chroot after parsing the rules file
	- use fully qualified pathname for logdir in chroot case

	* src/output-plugins/spo_unified.c (UnifiedInitAlertFile):
	- removed a printf

2003-03-05  Chris Green

	* src/detection-plugins/sp_byte_check.c (ByteTest):
	- never touch doe_ptr on a successful match
	- inBounds check off by one when seeing if enough to read

	* src/detection-plugins/sp_byte_jump.c (ByteJump):
	- inBounds check off by one when seeing if enough to read

	* src/detection-plugins/sp_pattern_match.c (uniSearchReal):
	- inBounds check off by one when seeing if enough to read

2003-03-04  Chris Green

	* src/util.h (inBounds): end is always dsize + len so it should be
	  p < end

	* src/preprocessors/spp_stream4.c (UpdateState):
	- added return ACTION_ACK_CLIENT_DATA

	* src/detection-plugins/sp_pattern_match.h (_PatternMatchData):
	- changed check_distance to use_doe ( check_distance was not used )

	* src/detection-plugins/sp_pattern_match.c (uniSearchReal):
	- new function to unify uniSearchCI & uniSearch
	- all "work" related to distance, within, depth, and offset done in
	  one place now
	(CheckANDPatternMatch):
	- condensed this down to be a very small wrapper around uniSearch
	  ( now !content will alert with offset on small packets)
	(CheckUriPatternMatch):
	- condensed this down to be a very small wrapper around uniSearch

	* src/detection-plugins/sp_byte_check.c:
	* src/detection-plugins/sp_byte_jump.c:
	- inBounds function
	- doe_ptr
	- SetUseDoe
	- TEXTLEN constant

	* src/generators.h (RPC_MULTIPLE_RECORD_STR): fixed cut and pasto

	* src/util.h (inBounds): added new inBounds function to check a ptr
	  position against a known start and end location

	* src/mstring.c (mSearch): subsequent offsets adjusted correctly
	  (Marty)

	* src/preprocessors/spp_rpc_decode.c
	- redefine MSB
	- write fraghdr back into pkt
	- removed extraneous printf

	* src/preprocessors/spp_rpc_decode.c:
	- re-added config.h and strings.h (Thanks Chad)

	* src/preprocessors/spp_stream4.c
	- suspend re-enabling mode fixes

2003-03-03  Chris Green

	* src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
	- alignment errors on non-x86 platforms
	- added new space delimited options
	    alert_fragments
	    no_alert_multiple_requests
	    no_alert_large_fragments
	    no_al
	    ert_incomplete
	- corrected buffer overflow in fragment normalization

2003-02-28  Daniel Roelker

	* src/bitop.h:
	* src/fpcreate.c:
	* src/fpdetect.c:
	- Fixed a problem when snort runs with only uricontent matches and no
	  contents.  In this case an element in the bitop structure never got
	  initialized, so it's not good to reference that.  Problem was
	  caught by Chris Green doing some unit testing.

2003-02-27  Chris Reid

	* src/win32/WIN32-Prj/snort.dsp
	* src/win32/WIN32-Prj/snort.mak
	* src/win32/WIN32-Prj/snort.dep
	- Removed an unnecessary file from the project (name.mc)

	* src/win32/WIN32-Prj/build_releases.bat
	- Script to easily compile all configurations of snort.

	* src/win32/WIN32-Prj/snort_installer.nsi
	* src/win32/WIN32-Prj/snort_installer_options.ini
	- Scripts to build a Win32 installation program for snort.  Thanks to
	  Chris Green for suggesting we use NSIS!
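The inBounds and byte_check/byte_jump entries above (2003-03-04, 2003-03-05, 2003-03-21, 2003-04-24) keep circling one class of bug: reading N payload bytes at an offset without first proving that all N bytes lie inside the packet, getting the end test off by one, and extracting multi-byte values with the wrong byte order. The following is an added example written for this edition, not code from Snort, of what such a bounds-checked extraction looks like in C. It uses the convention that end is one past the last payload byte, so a read of len bytes at p is legal only when p + len <= end (p + len == end is the last legal read, and testing p + len < end is the off-by-one the entries describe). It also evaluates the byte_test operators named further down the log (& and ^ from the 2002-11-10 entry, big/little from the 2002-11-04 sp_byte_check entry) and the "string" mode, returning a non-match instead of continuing when the number cannot be parsed. Every name here (in_bounds, extract_uint, extract_string_uint, byte_test_cmp, TEXTLEN, sample_pkt) and the reading of ! as "not equal" are this example's own assumptions, as is the constructed sample payload.

```c
/* Added example for this edition; not Snort's code.  Bounds-checked payload
 * integer extraction of the kind byte_test/byte_jump perform.  Convention:
 * start points at the first payload byte and end = start + dsize is one past
 * the last byte, so p is inside the payload iff start <= p < end, and a read
 * of len bytes at p is safe iff p + len <= end.  All names are this
 * example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TEXTLEN 11   /* longest base-8 rendering of a 32-bit value: 11 digits */

/* 1 if [p, p + len) lies within [start, end), else 0. */
int in_bounds(const uint8_t *start, const uint8_t *end, const uint8_t *p, size_t len)
{
    if (p < start || p >= end)
        return 0;                       /* p itself must be inside the buffer */
    return len <= (size_t)(end - p);    /* and the read must not run past end */
}

/* Read a 1/2/4-byte unsigned integer at offset off, big-endian unless
 * little_endian is set.  Returns 0 and sets *out, or -1 if the read would
 * leave the payload or len is unsupported. */
int extract_uint(const uint8_t *start, size_t dsize, size_t off, size_t len,
                 int little_endian, uint32_t *out)
{
    const uint8_t *p;
    uint32_t v = 0;
    size_t i;

    if (len != 1 && len != 2 && len != 4)
        return -1;
    if (off >= dsize)                   /* check before forming the pointer */
        return -1;
    p = start + off;
    if (!in_bounds(start, start + dsize, p, len))
        return -1;

    for (i = 0; i < len; i++) {
        /* big-endian: first byte is most significant; little-endian: last is */
        size_t idx = little_endian ? (len - 1 - i) : i;
        v = (v << 8) | p[idx];
    }
    *out = v;
    return 0;
}

/* "string" mode: parse up to len ASCII digits at off in the given base
 * (10, 16 or 8).  Refuses to continue when no digit could be parsed. */
int extract_string_uint(const uint8_t *start, size_t dsize, size_t off,
                        size_t len, int base, uint32_t *out)
{
    char buf[TEXTLEN + 1];
    char *endp;
    unsigned long v;

    if (len == 0 || len > TEXTLEN || off >= dsize)
        return -1;
    if (!in_bounds(start, start + dsize, start + off, len))
        return -1;
    memcpy(buf, start + off, len);
    buf[len] = '\0';                    /* strtoul needs a terminated copy */
    v = strtoul(buf, &endp, base);
    if (endp == buf || v > 0xffffffffUL)
        return -1;                      /* nothing parsed, or does not fit */
    *out = (uint32_t)v;
    return 0;
}

/* byte_test-style comparison of the extracted value against cmp.  op is one
 * of < > = ! & ^; here ! means "not equal", & and ^ match when the bitwise
 * result is non-zero.  An out-of-bounds read is a non-match, never a read. */
int byte_test_cmp(const uint8_t *start, size_t dsize, size_t off, size_t len,
                  int little_endian, char op, uint32_t cmp)
{
    uint32_t v;
    if (extract_uint(start, dsize, off, len, little_endian, &v) != 0)
        return 0;
    switch (op) {
    case '<': return v < cmp;
    case '>': return v > cmp;
    case '=': return v == cmp;
    case '!': return v != cmp;
    case '&': return (v & cmp) != 0;
    case '^': return (v ^ cmp) != 0;
    default:  return 0;
    }
}

/* Constructed sample payload: be16 0x0010, be16 0x1234, ASCII "255", 0xff. */
const uint8_t sample_pkt[] = { 0x00, 0x10, 0x12, 0x34, '2', '5', '5', 0xff };
const size_t sample_len = sizeof sample_pkt;

int main(void)
{
    uint32_t v;
    if (extract_uint(sample_pkt, sample_len, 2, 2, 0, &v) == 0)
        printf("be16 at 2: 0x%04x\n", v);
    if (extract_uint(sample_pkt, sample_len, 2, 2, 1, &v) == 0)
        printf("le16 at 2: 0x%04x\n", v);
    printf("byte_test 2,2,&,0x1000: %d\n",
           byte_test_cmp(sample_pkt, sample_len, 2, 2, 0, '&', 0x1000));
    printf("4 bytes at 6 (would run past end): %d\n",
           extract_uint(sample_pkt, sample_len, 6, 4, 0, &v));
    return 0;
}
```

A byte_jump would call extract_uint the same way and then re-check the landing pointer with in_bounds before it becomes the next relative anchor (the doe_ptr the entries above talk about); the point of doing the offset check before forming the pointer is that start + off itself is undefined once it leaves the buffer.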
2003-02-19  Chris Reid

	* src/snort.c
	- Win32 '-s' parameter wasn't configured to accept an optarg, but code
	  expected one, causing null-pointer violation.

2003-02-16  Chris Green

	* src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
	- remove broken checks.

	* src/preprocessors/spp_telnet_negotiation.c (NormalizeTelnet):
	- remove broken checks.

2003-02-15  bmc

	* src/preprocessors/spp_asn1.c
	- don't bother decoding the packet if it's 0 bytes

	* src/preprocessors/spp_fnord.c
	- don't bother decoding the packet if it's 0 bytes
	- set DEBUG to DEBUG_PLUGIN instead of DEBUG_STREAM

	* src/preprocessors/spp_http_decode.c
	- don't bother decoding the packet if it's 0 bytes
	- if stream4 is enabled, only decode if it is client data on an
	  established session (This makes using internal_alerts useful)

	* src/preprocessors/spp_rpc_decode.c
	- don't bother decoding the packet if it's 0 bytes
	- if stream4 is enabled, only decode if it is client data on an
	  established session

	* src/preprocessors/spp_telnet_negotiation.c
	- don't bother decoding the packet if it's 0 bytes
	- if stream4 is enabled, only decode if it is client data on an
	  established session

2003-02-15  bmc

	* src/detection-plugins/sp_byte_jump.c
	  actually verify that it needs aligning before aligning.  (more than
	  0 doesn't need aligned)

2003-02-15  bmc

	* src/detection-plugins/sp_byte_jump.c
	  0 is already aligned to a 32-bit boundary...

2003-02-14  bmc

	* src/mstring.c
	  Fix so --enable-debug actually compiles

2003-02-14  mfr

	* src/parser.c
	  Fixed XferHeader() function to copy the not_*p_flag to the RTNs...

	* src/detection-plugins/sp_ip_proto.c
	  ip_proto options can now be stacked

2003-02-14  mfr

	* src/fpdetect.c
	* src/mstring.c
	* src/detection-plugins/sp_byte_check.c
	* src/detection-plugins/sp_byte_jump.c
	* src/detection-plugins/sp_pattern_match.c
	  Fixed distance/within/byte_test/byte_jump relative (stateful)
	  pattern matching and the like.  Complete reimplementation of
	  payload position tracking.  Tested with several different attack
	  scenarios with 100% detection rate, please test!

2003-02-04  Chris Reid

	* src/snort.c
	  Added sanity checks on command-line parameters, for whenever a user
	  forgets to put spaces between (i.e.) /SERVICE/INSTALL.  This only
	  applies to the /SERVICE parameter for Win32.

	* src/util.c
	- Updated Win32 banner for version 2.0
	- Modified FatalError to generate a Win32 EventLog entry if this is a
	  Win32 Service build, otherwise no errors are ever presented to the
	  user.

	* src/mwm.c
	- Added an include of config.h, for Windows build.
	- Changed variable names "small" and "large" into "small_value" and
	  "large_value" to prevent compile errors under Visual C++.

	* src/mpse.c
	* src/pcrm.c
	- Added an include of config.h, for Windows build.

	* src/parser/IpAddrSet.c
	* src/preprocessors/perf-flow.c
	- Added ifndef/endif around non-Win32 header files.

	* src/preprocessors/perf-base.c
	- Added changes to allow it to compile under Win32.

	* src/preprocessors/perf.h
	- Prevent definition of UINT64 under Win32.

	* src/preprocessors/spp_asn1.c
	* src/preprocessors/spp_bo.c
	* src/preprocessors/spp_fnord.c
	- Added documentation.

	* src/win32/WIN32-Includes/config.h
	- Added definition for UINT64 and uint64
	- Changed VERSION to '2.0.0beta'

	* src/win32/WIN32-Code/win32_service.c
	- Changed how Win32 registry is opened for reading (was
	  KEY_ALL_ACCESS, now is KEY_READ).  Problem (and patch) was reported
	  by Michael Miller.

	* src/win32/WIN32-Prj/snort.dsp
	- Removed all references to SFStats compile options, since these
	  stats provide little useful information under Win32 due to API
	  differences between Win32 and Unix, specifically the lack of a
	  native getrusage().

	* src/win32/WIN32-Prj/snort.ncb
	* src/win32/WIN32-Prj/snort.opt
	* src/win32/WIN32-Prj/snort.plg
	- Truncated the contents of these files.
2003-01-26  Chris Green

	* src/preprocessors/spp_stream4.c (AlertFlushStream):
	- Fixed problem where an alert on a stream would update sequence
	  numbers incorrectly
	- moved StoreStreamPkt up to avoid crash
	  Thanks to Lawrence Reed for pointing out problems and almost
	  perfect solutions

	* src/detection-plugins/sp_clientserver.c (CheckForReassembled):
	  missing return in opt node check; affects only flow: only_stream

2002-1-17  Daniel Roelker

	* src/preprocessors/spp_perfmonitor.c: Added 'snortfile' parameter to
	  perfmonitor so users can use the default snort directory to log
	  performance statistics.  Suggested by L. Reed.

	* src/preprocessors/spp_stream4.c: Fixed performance statistic
	  counter for total stream4 sessions.  When a new session is created,
	  we make sure that it was created before incrementing the counter.
	  Fixed by L. Reed.

2003-01-07  mfr

	* configure.in
	  Added patch from Jeff Nathan to fix libnet detection

2003-01-05  mfr

	* src/util.h
	  Added self preservation control struct for the new SPAlloc function.

	* src/util.c
	  Added self preservation-aware memory allocator; this allows coders
	  to add new subsystems requiring self preservation techniques using
	  a single allocation interface and management mechanism.

	* src/detection-plugins
	  Changed the URI and AND checking modules to use the context pointer
	  on the fp_list struct instead of the ds_list.  This will cause all
	  content/uricontent checks to be checked in the sequence that they
	  appear in a rule so that all the distance/within and relative
	  byte_test/byte_jump stuff will work properly.  Merry Xmas cazz!

	* src/preprocessors/spp_frag2.c
	  Changed frag2 to use the new SPAlloc mechanism as a testing
	  platform.  If this works right I'll convert all the other stuff
	  over to it as well.

2002-12-19  Andrew R. Baker

	* src/detect.c:
	* src/fpdetect.c:
	* src/fpdetect.h:
	* src/parser.h:
	* src/rules.h:
	* src/snort.c:
	* src/snort.h:
	  Fix custom rule types and arbitrary rule ordering that were broken
	  with the new detection engine.
2002-12-13  Chris Green

	* src/preprocessors/spp_frag2.c (Frag2Defrag):
	- added "state_protection" config mechanism to enable/disable the
	  thresholding operations

	* src/preprocessors/spp_stream4.c:
	- mark sessions that have been picked up midstream
	- protect against people setting up snort behind a tap without
	  setting asynchronous link
	- added "state_protection" config mechanism to enable/disable the
	  thresholding operations

	* src/decode.h (SSNFLAG_MIDSTREAM): added a midstream pickup flag

2002-12-12  Daniel J. Roelker

	* src/fpcreate.c:
	* src/fpdetect.c:
	  Fixed bi-directional rule functionality when unique port was the
	  destination port in a bi-directional rule.  Reported by Brian
	  Caswell.

2002-11-26  Andrew R. Baker

	* src/parser.c: fixed argument handling bugs for snaplen and
	  read_bin_file config directives in snort.conf

	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	* src/util.h:
	  Modifications to signal handling and CleanExit/Restart

2002-11-26  Daniel Roelker

	* src/checksum.h: Problem with ICMP checksum.  Routine did not return
	  the complement of the checksum.  Thanks to Del Armstrong for
	  pointing this out.

	* src/decode.c: Also, UDP checksums are only done if the checksum is
	  0.  Otherwise, we don't do them, even if the config is set for
	  that.  Again, thanks to Del Armstrong for pointing this out.

2002-11-26  Chris Green

	* src/output-plugins/spo_database.c (BeginTransaction):
	- removing BEGIN for oracle ( Chad Kreimendahl )

2002-11-25  Chris Green

	* src/preprocessors/spp_stream4.c (TcpActionAsync):
	(TcpAction):
	- removed extra decrements for last_ack; this was causing a high
	  false alarm rate for new \r\n rules.  Thanks to Jens Krabbenhoeft
	  for helping on this one
	- disable nmap scans from alerting when we don't use detect_scans.
	  Thanks to Chad Kreimendahl for this one

2002-11-24  Chris Green

	* src/preprocessors/spp_stream4.c:
	- fix argument parsing for emergency modes

	* src/preprocessors/spp_frag2.c (ParseFrag2Args):
	- fix argument parsing for emergency modes

2002-11-19  Chris Green

	* src/preprocessors/spp_stream4.c: fixed a bug where we would shift
	  to suspend mode if stream4_reassemble wasn't enabled

2002-11-18  Chris Green

	Merging in mfr/cmg mitigations for extreme bogus session loads

	* src/preprocessors/spp_stream4.c:
	    self_preservation_threshold:
	    self_preservation_period:
	    suspend_threshold:
	    suspend_period:
	    emergency_ports:   <-- port list that will be reassembled

	* src/preprocessors/spp_frag2.c:
	    self_preservation_threshold:
	    self_preservation_period:
	    suspend_threshold:
	    suspend_period:
	  added Emergency / Suspend mode

	* src/generators.h: added Emergency / Suspend alerts to stream4/frag2
	- in the future, these should not generate packet log alerts but they
	  are required to for the current view of the world

	* src/detect.h (DisableDetect): added function

2002-11-16  Chris Green

	* src/snort.h:
	- added a define SNORT_20 so that code will be easier to merge around

2002-11-13  Andrew R. Baker

	* src/log.c:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	* src/util.c:
	* src/output-plugins/spo_log_ascii.c:
	* src/output-plugins/spo_log_tcpdump.c:
	* src/output-plugins/spo_unified.c:
	* src/output-plugins/spo_xml.c:
	* src/preprocessors/spp_portscan.c:
	* src/preprocessors/spp_stream4.c:
	  Changes to clean up the chroot process

2002-11-12  Andrew R. Baker

	* src/output-plugins/spo_log_ascii.c: fixed output file issues for
	  ascii logging

2002-11-11  Andrew R. Baker

	* src/log.h:
	* src/parser.c:
	* src/plugbase.c:
	* src/snort.c:
	* src/snort.h:
	  Cleanup command line alert and log configuration

	* src/decode.c:
	* src/snort.c:
	* src/snort.h:
	  updated run mode determination and representation
	  relocated log_dir sanity check
	  relocated test_mode_flag check to outside InterfaceThread
	  moved global variable declarations into snort.c from snort.h

	* src/snort.c: replaced ReadConfFile with ConfigFileSearch.  The
	  configuration file is now only read in one place.

	* src/log.c:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	* src/output-plugins/spo_alert_fast.c:
	* src/output-plugins/spo_alert_full.c:
	* src/output-plugins/spo_alert_syslog.c:
	* src/output-plugins/spo_database.c:
	* src/output-plugins/spo_unified.c:
	* src/preprocessors/perf-base.c:
	* src/preprocessors/spp_portscan.c:
	  removed more vestiges of the multiple interface pthread support

2002-11-10  Brian Caswell

	* src/detection_plugins/sp_byte_test.c: added support for & and ^

2002-11-07  Daniel J. Roelker

	* src/preprocessors/spp_http_decode.c: Fixed an infinite loop bug
	  that occurred in my last update to http_decode that dealt with an
	  off-by-one bug.  Fixed now.  Pointed out by Jens Krabbenhoeft and
	  Nathan Labadie.

2002-11-07  Andrew R. Baker

	* src/snort.c:
	* src/snort.h:
	  Removed unused MTU support code

2002-11-06  Daniel J. Roelker

	* src/mwm.c:
	* src/mwm.h:
	  Fixed another bug in mwm search routines when dealing with
	  identical one byte patterns in multiple rules.  There was a
	  theoretical possibility of overwriting a one byte rule group
	  (example: "~") with another rule group of ("|00 7e|").  This has
	  now been fixed and should be the last of the one byte pattern
	  problems.

2002-11-06  Daniel J. Roelker

	* src/mwm.c:
	* src/mwm.h:
	  Fixed bug when comparing multiple one byte rules with the same one
	  byte pattern.  Problem pointed out by Brian Caswell.

2002-11-06  Andrew R. Baker

	* src/snort.c:
	* src/snort.h:
	* src/decode.c:
	* doc/README:
	  removed -6 (show IPv6) and -x (show IPX) command line options (they
	  never did much anyway)
	  cleaned up ARP, IPv6, and IPX packet counting

	* src/preprocessors/Makefile.am: add missing header (perf-event.h) to
	  libspp_a_SOURCES

2002-11-05  mfr

	* src/plugbase.c:
	* src/detection_plugins/sp_byte_jump.c:
	* src/detection_plugins/sp_byte_jump.h:
	  Added byte_jump; we can now decode a length from the app layer and
	  jump the detect_offset_end (last match pointer) up that number of
	  bytes, great for decoding RPC with Snort rules

2002-11-04  mfr

	* src/detect.c:
	* src/fpdetect.c:
	  fixed case where multiple rules can have partial matches on content
	  and fuxor the detect_offset_end calculations (i.e. reset the offset
	  for every OTN in the system)

2002-11-04  Chris Green

	* src/detection-plugins/sp_byte_check.c: Make big,little arguments
	  actually interpret the data correctly

2002-11-04  Andrew R. Baker

	* src/parser.c:
	* src/rules.h:
	* src/snort.c:
	* src/snort.h:
	* snort.8:
	  remove ghetto message reference option (it has not worked since
	  May)

	* src/output-plugins/spo_alert_fast.c:
	* src/snort.c:
	  added "-A cmg" alerting mode

2002-11-02  Chris Green

	* HAVE_STRINGS_H all over the place for bzero/Solaris; first reported
	  by John Whitson

2002-11-01  Daniel Roelker

	* src/preprocessors/spp_http_decode.c: Fixed potential off-by-one
	  bugs.  Also fixed %25xx encoding and %uxxxx encoding for ascii
	  characters.  Still much work to be done but most of this will be
	  added in the next version.
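The checksum entries in this stretch of the log (the ICMP routine not returning the complement and the UDP checksum field of zero meaning no checksum, both 2002-11-26; the UDP checksum computed from a header in host byte order, 2003-07-18 near the top of this section) all come down to the same small routine. The following is an added example for this edition, not code from Snort: an RFC 1071 checksum written over wire-order bytes so that host endianness cannot creep in, the uncomplemented variant kept beside it to show what the ICMP bug looked like to a caller testing for zero, and a UDP-over-IPv4 verifier that treats a zero checksum field as "none sent" and refuses to read past the captured bytes. The function names and the two sample packets (with checksums 0xfef2 and 0x969b computed by hand for this example) are this example's own assumptions.

```c
/* Added example for this edition; not Snort's code.  RFC 1071 one's-complement
 * checksum with the two pitfalls the 2002-11-26 (ICMP) and 2003-07-18 (UDP)
 * entries describe: the routine must return the complement of the folded sum,
 * and the pseudo-header must be summed from the addresses and lengths as they
 * sit on the wire, not from host-byte-order copies.  Summing byte pairs as
 * big-endian words makes the result independent of host endianness.  A UDP
 * checksum field of 0 means the sender computed none, so there is nothing to
 * verify.  All names here are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Add the 16-bit big-endian words of buf to a running sum; a trailing odd
 * byte is padded with a zero low byte, as the RFC requires. */
static uint32_t sum_words(uint32_t sum, const uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    return sum;
}

/* Fold the carries back in until the sum fits in 16 bits. */
static uint16_t fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Internet checksum: the one's complement of the folded sum.  Over a block
 * whose checksum field already holds the right value the result is 0. */
uint16_t in_cksum(const uint8_t *buf, size_t len)
{
    return (uint16_t)~fold(sum_words(0, buf, len));
}

/* The bug from the ICMP entry: folded but never complemented.  A valid block
 * then yields 0xffff, so a caller testing for 0 rejects good packets. */
uint16_t in_cksum_no_complement(const uint8_t *buf, size_t len)
{
    return fold(sum_words(0, buf, len));
}

/* 1 if the ICMP message (header + body, len bytes) checksums correctly. */
int icmp_cksum_ok(const uint8_t *icmp, size_t len)
{
    return len >= 4 && in_cksum(icmp, len) == 0;
}

/* Verify a UDP-over-IPv4 checksum.  saddr/daddr are the 4 raw address bytes
 * from the IP header; udp points at the UDP header; udplen is the UDP length
 * field (header + payload); avail is how many bytes were actually captured.
 * Returns 1 = good, 0 = bad or truncated, -1 = no checksum sent (field 0). */
int udp_cksum_ok(const uint8_t saddr[4], const uint8_t daddr[4],
                 const uint8_t *udp, size_t udplen, size_t avail)
{
    uint8_t ph[12];
    uint32_t sum;

    if (udplen < 8 || udplen > avail || udplen > 0xffff)
        return 0;                        /* never read past the capture */
    if (udp[6] == 0 && udp[7] == 0)
        return -1;                       /* sender did not checksum */

    /* Pseudo-header: src, dst, zero, protocol 17, UDP length, wire order. */
    memcpy(ph, saddr, 4);
    memcpy(ph + 4, daddr, 4);
    ph[8] = 0;
    ph[9] = 17;
    ph[10] = (uint8_t)(udplen >> 8);
    ph[11] = (uint8_t)udplen;

    sum = sum_words(0, ph, sizeof ph);
    sum = sum_words(sum, udp, udplen);
    return (uint16_t)~fold(sum) == 0;
}

/* Constructed samples.  UDP 10.0.0.1:1234 -> 10.0.0.2:53, payload "test";
 * its checksum 0xfef2 was computed by hand for this example. */
const uint8_t sample_src[4] = { 10, 0, 0, 1 };
const uint8_t sample_dst[4] = { 10, 0, 0, 2 };
const uint8_t sample_udp[12] = { 0x04, 0xd2, 0x00, 0x35, 0x00, 0x0c, 0xfe, 0xf2,
                                 't', 'e', 's', 't' };
/* ICMP echo request, id 1, seq 1, body "ab"; checksum 0x969b. */
const uint8_t sample_icmp[10] = { 0x08, 0x00, 0x96, 0x9b, 0x00, 0x01, 0x00, 0x01,
                                  'a', 'b' };

int main(void)
{
    printf("udp ok:  %d\n", udp_cksum_ok(sample_src, sample_dst, sample_udp, 12, 12));
    printf("icmp ok: %d\n", icmp_cksum_ok(sample_icmp, sizeof sample_icmp));
    printf("uncomplemented sum over valid icmp: 0x%04x (not 0)\n",
           in_cksum_no_complement(sample_icmp, sizeof sample_icmp));
    return 0;
}
```

The avail argument is what the 2003-03-21 DecodeUDP change ("use the UDP header length field instead of capture length") needs on the other side: the length field decides how many bytes the checksum covers, but a length field larger than what was captured has to be rejected rather than read.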
2002-11-01  mfr

	* src/detection_plugins/sp_byte_test.c: fixed range checks, inclusion
	  of strings.h, byte boundary checks

2002-11-01  mfr

	* src/detection_plugins/sp_byte_test.c: added test rules to the
	  sp_byte_test.c header comment block

2002-11-01  mfr

	* src/detect.c:
	* src/mstring.c:
	* src/detection_plugins/sp_pattern_match.c:
	  fixed various "issues" with the distance/within code, should work
	  much better now; also removed redundant calls to pattern matcher
	  for rules with multiple content checks

	* src/plugbase.c:
	* src/plugbase.h:
	* src/plugin_enum.h:
	* src/detection_plugins/sp_byte_test.c:
	* src/detection_plugins/sp_byte_test.h:
	  added sp_byte_test, detection plugin that lets us perform discrete
	  value checks on numbers that are encoded in packet payloads, either
	  in straight binary representation or as strings

2002-11-01  Andrew R. Baker

	* src/decode.c: fix logic for generating decoder alerts

	* src/decode.c:
	* src/parser.c:
	* src/snort.c:
	* src/snort.h:
	* doc/README:
	  removed broken support for the "-a" (show arp) command line switch

2002-10-31  Andrew R. Baker

	* src/util.c (GenHomenet & GenObfuscationMask): fix invalid reference
	  to optarg

	* configure.in:
	* src/snort.h:
	* src/snort.c:
	  removed pthread support (still need to remove MAX_INTERFACES cruft)

2002-10-30  Chris Green

	* (Repository): removed autogenerated files; use sh autojunk.sh to
	  recreate them if you are using CVS to compile

2002-10-30  Andrew R. Baker

	* src/parser/IpAddrSet.c:
	* src/parser/IpAddrSet.h:
	  add API for IpAddrSet data structure

	* removed "extern char *file_name" and "extern int file_line" from
	  scattered places in the source

2002-10-29  Andrew R. Baker

	* src/detection-plugins/*.c: add multiple options checks for plugins

2002-10-23  Chris Green

	* src/log.c
	  more output clean ups from James Hoagland

2002-10-22  Chris Green

	* strtol fixes ( Dave Ockwell-Jenner )

	* Merged in Glenn's changes for net-snmp port declaration

	* src/parser.c (ParseRuleOptions): threshold added back

	* src/preprocessors/spp_portscan2.c (DEFAULT_MAX_SCANNER): change
	  defaults back down

2002-10-22  Daniel Roelker

	* src/fpdetect.c: Bogus port 0 initialization in fpEvalHeaderTcp/Udp.
	  (Dirk Geschke)

2002-10-18  Chris Green

	* src/detection-plugins/sp_clientserver.c (CheckFromClient): hide
	  this under a DEBUG_CS

	* src/preprocessors/spp_stream4.c (AlertFlushStream): make
	  AlertFlushStream adjust the base_seq upon a flush point (Thanks so
	  much to qru for a reproducible test case... this was a PITA)

2002-10-16  Chris Green

	* src/util.c (CreatePidFile): use pv.log_dir instead of local
	  variable (Cameron Humpries)

	* src/log.c (PrintICMPHeader): Removed newline amidst a sea of
	  complaints from James Hoagland & other users :)

2002-10-16  Roman Danyliw

	* src/output-plugin/database.c:
	- escape the signature name before trying to write it to the
	  signature.sig_name field (Dirk Geschke)

2002-10-16  Dan Roelker

	* src/fpdetect.c:
	- Reverted no content rule checks back to the original snort
	  behavior.  Reassembled packets are now inspected against no content
	  rules.  (Jens Krabbenhoeft)

	* src/preprocessors/spp_perfmonitor.c:
	- Adjusted newlines for console statistics prettiness.

2002-10-14  Roman Danyliw

	* src/output-plugin/database.c:
	- Transaction abstraction functions (Begin/Commit/Rollback)
	- Fixed transaction SQL for MS-SQL
	- Fixed incorrect return value for MS-SQL Insert() (Hans Nilsson)

2002-10-13  Chris Green

	* src/log.c (PrintXrefs): newlines on Xrefs... pointed out by too
	  many people to count :)

	* src/preprocessors/spp_portscan2.c (targetCompareFunc):
	- target compare function incorrect logic (pointed out by Pat Gorman)

2002-10-12  Roman Danyliw

	* src/output-plugin/database.c:
	- Fixed (PostgreSQL) sensor initialization to the sensor table by
	  setting a default last_cid value
	- Fixed schema detection bug on MS-SQL enabled builds

2002-10-09  Chris Green

	* changed FatalError/exit codes
	* merged Sourcefire modifications into snort-head
	* kick off of snort-2.0 dev cycle; win32 probably doesn't work yet.
	  :-)

2002-10-09  Marc Norton
            Daniel Roelker

	* src/decode.h: p->preprocessors for enable/disable status

	* src/fpcreate.c, src/fpcreate.h, src/fpdetect.c, src/fpdetect.h:
	  Added new detection engine.  fpcreate.* creates the new detection
	  engine and initializes the detection engine components.  fpdetect.*
	  analyzes packets as they come in and decides what happens to them.

	* src/pcrm.c, src/pcrm.h: Added new signature detection
	  classification.

	* src/mpse.c, src/mpse.h (Norton): Added an interface for
	  multi-pattern match routines.

	* src/mwm.c, src/mwm.h (Norton): Added modified Wu-Manber style
	  multi-pattern matcher.

	* src/acsmx.c, src/acsmx.h (Norton): Added Aho-Corasick state
	  machine, using a deterministic finite automaton.

	* src/bitop.h: Added inline functionality for bit operations.  Used
	  in the new detection engine.

	* src/preprocessors/spp_httpflow.*, src/preprocessors/http-resp.*:
	  Added an http protocol flow preprocessor that analyzes client and
	  server traffic.  Useful for HTTP performance.

	* src/preprocessors/spp_perfmonitor.*, src/preprocessors/perf*.*:
	  Added a performance monitor that keeps stats on snort.  Some of
	  those stats are Mbits/sec, Alerts/sec, TCP state information,
	  network traffic flows and percentages, etc.

	* src/preprocessors/sfprocpidstats.c: Added functionality for
	  multiple CPU stats on linux.  For use in spp_perfmonitor, etc.

	* src/parser.c: Added a new config option, 'detection'.  This option
	  allows the user to configure certain aspects of the detection
	  engine.

	* src/checksum.h: Added new optimized inline checksumming routines.

	* src/mstring.c: Optimized mSearch and mSearchCI.

2002-10-09  Chris Green

	* src/snort.c (ParseCmdLine):
	- syslog option on non-win32 does not take the extra argument (Andrea
	  Barisani)

	* updated snort.dsp to not require getrusage

2002-10-01  Chris Green

	* Fixes from Chris Reid
	- varchar sql arguments for mssql
	- usertime -> systemtime misses
	- snort project file updates

2002-09-26  Chris Green

	* configure scripts updated to handle net-snmp as well as ucd (Glenn
	  Mansfield Keeni and Abe Katsuhisa)

2002-09-25  Chris Green

	* src/preprocessors/spp_http_decode.c: moved setting the uri_count to
	  this preprocessor to handle false alerts on reassembled packets.

2002-09-17  Roman Danyliw

	* src/output-plugin/spo_database.c
	- make sure that a packet payload larger than those supported in the
	  SQL INSERT is properly terminated.

2002-09-12  Roman Danyliw

	* src/output-plugin/spo_database.c
	- made the updating of the sensor.last_cid more efficient by only
	  storing the new cid value at shutdown
	- removed extraneous CR/LF from sensor name

2002-09-05  Chris Green

	* src/log.c (PrintICMPHeader): off by one error in printing
	  Thanks to Dave Goldsmith

2002-09-05  Roman Danyliw

	* src/output-plugin/spo_database.c: (DatabaseInit)
	- added ignore_bpf configuration option (from Michael Boman)

	  ignore_bpf - Do we want to create a new sensor definition every time
	  the BPF filter is changed?  The options are:
	    [no|0]:  (default) Create a new sensor definition if BPF filter
	             has been modified
	    [yes|1]: Ignore the BPF part when looking for the server
	             definition

2002-09-03  Roman Danyliw

	* src/output-plugin/spo_database.c
	- DB schema v106
	- Added the sensor.last_cid field to the schema so the database can
	  store the last used cid for a given sensor.  This field will ensure
	  that a cid will never be reused.
Upgrading from v105 -> v106 is as simple as: mysql> ALTER TABLE sensor ADD last_cid INT UNSIGNED NOT NULL; mysql> UPDATE schema SET vseq=106; psql> ALTER TABLE sensor ADD last_cid INT8; psql> UPDATE schema SET vseq=106; - Improved error messages 2002-09-02 Chris Green * configure.in: - cleaned up win32 source packaging 2002-08-27 Andrew R. Baker * src/preprocessors/spp_asn1.c: do not check fragments 2002-08-26 mfr * src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c added thresholds to snort rules language, docs to come 2002-08-26 Andrew R. Baker * src/util.c: fix GenHomenet and GetObsfMask functions 2002-08-19 Chris Green * src/preprocessors/spp_perfmonitor.c (ParsePerfMonitorArgs): typo in fmt string 2002-08-18 Chris Green * src/preprocessors/spp_rpc_decode.c: Port changes from Andreas Ostling ( just like all the other ones now ) * win32/perf stuff from Chris Reid Will probably break again later the perf stuff is very highly subject to change * project fixes from Chris Reid 2002-08-16 Brian Caswell * src/util.c - allow daemon mode to dump stats to syslog 2002-08-15 Chris Green * src/preprocessors/spp_stream4.c (ParseStream4Args): - FatalError on unknown argument (ReassembleStream4): - Correctly mark sessigons as established with asynchronous_link enabled 2002-08-14 Chris Green * src/snort.c (ParseCmdLine): -R Include 'id' in snort_intf.pid file name (Phil Wood) * src/snort.c (ProcessPacket): reset uri_count (test case pointed out by Dan Roelker/Sourcefire) * src/preprocessors/spp_http_decode.c: uri_count set if not alerting. 
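A worked byte_test-style check in the spirit of the sp_byte_test plugin added in the 2002-11-01 mfr entries above: a discrete value check on a number carried in a payload, read either as raw binary or as a decimal string. This is an added C example, not Snort's own code. The struct, operator names and demo functions are this example's own, the bounds handling illustrates the kind of range check the first 2002-11-01 entry fixes, and the payload is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Comparison operators: numeric compares plus bitwise AND / XOR tests. */
enum bt_op { BT_LT, BT_GT, BT_EQ, BT_AND, BT_XOR };

struct byte_test {
    size_t     bytes;       /* payload bytes to convert: 1..4 binary, 1..10 as decimal text */
    enum bt_op op;
    uint32_t   value;       /* operand the extracted number is compared against */
    size_t     offset;      /* payload offset where the number starts */
    bool       big_endian;  /* binary mode only: byte order on the wire */
    bool       as_string;   /* decimal ASCII digits instead of raw binary */
    bool       negate;      /* invert the verdict, like a leading "!" */
};

/* Convert `bytes` payload bytes at `offset` into a number. The bounds check
 * runs before any byte is read, so a short or malformed packet yields
 * "no match" instead of an over-read past dsize. */
static bool bt_extract(const struct byte_test *bt, const uint8_t *payload,
                       size_t dsize, uint32_t *out)
{
    if (bt->bytes == 0 || bt->offset > dsize || bt->bytes > dsize - bt->offset)
        return false;
    const uint8_t *p = payload + bt->offset;
    uint64_t v = 0;

    if (bt->as_string) {
        if (bt->bytes > 10)                 /* ten digits cover any 32-bit value */
            return false;
        for (size_t i = 0; i < bt->bytes; i++) {
            if (p[i] < '0' || p[i] > '9')   /* every byte must be a decimal digit */
                return false;
            v = v * 10 + (p[i] - '0');
        }
        if (v > UINT32_MAX)
            return false;
    } else {
        if (bt->bytes > 4)
            return false;
        for (size_t i = 0; i < bt->bytes; i++) {
            size_t idx = bt->big_endian ? i : bt->bytes - 1 - i;
            v = (v << 8) | p[idx];
        }
    }
    *out = (uint32_t)v;
    return true;
}

/* Evaluate one byte_test against a payload; true means the option matched. */
bool byte_test_match(const struct byte_test *bt, const uint8_t *payload, size_t dsize)
{
    uint32_t v;
    if (!bt_extract(bt, payload, dsize, &v))
        return false;                       /* an unreadable field never matches, negated or not */
    bool r;
    switch (bt->op) {
    case BT_LT:  r = v <  bt->value;        break;
    case BT_GT:  r = v >  bt->value;        break;
    case BT_EQ:  r = v == bt->value;        break;
    case BT_AND: r = (v & bt->value) != 0;  break;
    default:     r = (v ^ bt->value) != 0;  break;   /* BT_XOR */
    }
    return bt->negate ? !r : r;
}

/* Constructed sample payload (not captured traffic): a 2-byte big-endian
 * count of 5, then the decimal text "127", then a terminator byte. */
static const uint8_t demo_payload[] = { 0x00, 0x05, '1', '2', '7', 0x00 };

/* bytes:2, >, 4, offset 0, big-endian: the field is 5, and 5 > 4 */
int demo_binary_gt(void)
{
    struct byte_test bt = { .bytes = 2, .op = BT_GT, .value = 4, .offset = 0, .big_endian = true };
    return byte_test_match(&bt, demo_payload, sizeof demo_payload);
}
/* bytes:3, =, 127, offset 2, string: "127" parses as 127 */
int demo_string_eq(void)
{
    struct byte_test bt = { .bytes = 3, .op = BT_EQ, .value = 127, .offset = 2, .as_string = true };
    return byte_test_match(&bt, demo_payload, sizeof demo_payload);
}
/* bytes:4 at offset 4 would run past the 6-byte payload: rejected without reading */
int demo_out_of_range(void)
{
    struct byte_test bt = { .bytes = 4, .op = BT_EQ, .value = 0, .offset = 4, .big_endian = true };
    return byte_test_match(&bt, demo_payload, sizeof demo_payload);
}

int main(void)
{
    printf("binary > 4: %d\nstring == 127: %d\nout of range: %d\n",
           demo_binary_gt(), demo_string_eq(), demo_out_of_range());
    return 0;
}
```

The range check has to run before the first byte is touched, and it is written as `bytes > dsize - offset` after confirming `offset <= dsize` so that the subtraction cannot wrap. An unreadable field returns "no match" even when the operator is negated; otherwise a truncated packet would satisfy every "!" rule.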
2002-08-13 Chris Green
    * src/preprocessors/spp_conversation.c: new option alert_odd_protocols; set allowed_ip_protocols to the numbers you like and it will alert on all bad protocols
    * src/detection-plugins/sp_session.c (LogSessionData): sp_session.c:221: warning: suggest parentheses around && within ||
    * src/detection-plugins/sp_pattern_match.c (CheckANDPatternMatch): bug with multiple decoded alternative contents

2002-08-13 Roman Danyliw
    * src/output-plugins/spo_database.c (CheckDBVersion): fixed logic to detect the DB schema version correctly when support for MS-SQL and another database are present

2002-08-13 Chris Green
    * src/preprocessors/spp_telnet_negotiation.c:
      - cleaner alt_dsize checks
      - make sure that we don't decode 1 byte past the end of the buffer
      - (SetTelnetPorts): preprocessor telnet_decode: 21 23 25 119 (now with port lists!)
    * src/detection-plugins/sp_pattern_match.c (PayloadSearchRawbytes): new pattern match option! rawbytes -- used to inspect the raw packet data instead of the alternatively decoded application packet buffer
    * src/decode.h (DECODE_BLEN): my favorite constant typo.
    * src/preprocessors/spp_stream4.c (Stream4InitReassembler): turning off server side reassembly by default (was what the default said it was)
    * src/detection-plugins/sp_tcp_flag_check.c (ParseTCPFlags): adding mask bits to the flag checks (limitation pointed out by Dirk Mueller)
      example: flags: S,12
      This checks the SYN flag is set regardless of the values of the ECN bits.
      tcp_flags & (0xFF ^ tcp_mask); for those of you that like to think in C
    * src/detection-plugins/sp_pattern_match.c (Check{AND|OR}PatternMatch):
      - normalization of telnet stuff into a separate buffer (this means logged packets will now look like they should on the wire)

2002-08-12 Chris Green
    * src/preprocessors/spp_telnet_negotiation.c (SetupTelNeg):
      - only allow this to be called telnet_decode
      - removing redundant function calls
    * src/perf-event.c (ProcessEventStats):
      - set to 0 (djr@sourcefire)

2002-08-12 Roman Danyliw
    * src/output-plugins/spo_database.c (Database)
      - Fixed length bug in code that generates the SQL INSERT statement into signature table

2002-08-08 Chris Green
    * src/preprocessors/spp_arpspoof.c (ARPspoofPreprocFunction):
      - include packet w/ alert (Jeff Nathan)

2002-08-07 Chris Green
    * preprocessor perfmonitor --enable-perfmonitor; lots of statistics from Dan/Marc/Sourcefire

2002-08-06 Chris Green
    * src/checksum.h: Integrated fix from Marc Norton/Sourcefire; occasional endianness bug in checksum routines; inlined checksum

2002-08-05 Chris Green
    * src/preprocessors/spp_stream4.c (UpdateState): make session initiators more lenient

2002-08-04 Chris Green
    * src/preprocessors/spp_stream4.c (BuildPacket):
      - Session fix (a different approach from Andreas Ostling)
      (UpdateState) (UpdateStateAsync)
      - Move == TH_ACK checks to nearly the last of the checks and make catch all odder flag combinations
      - ttl_limit will only alert if the packet ttl is less than 10
      (TcpAction*):
      - removed stream_pkt->packet_flag sets new (makes no sense because we overwrite the packet_flags in BuildPacket; pointed out by arron walters -- ended up being the source of a few other bugs)

2002-07-30 Chris Green
    * src/preprocessors/spp_stream4.c (BuildPacket):
      - Mark the session direction establishments correctly (thanks to Andreas Ostling for noticing)

2002-07-29 Chris Green
    * src/preprocessors/spp_stream4.c (ReassembleStream4):
      - make unestablished sessions and established sessions mutually exclusive - use &

2002-07-26 Chris Green
    * src/decode.c: added decode_alert_flag; one may disable decoder alerts by using config disable_decode_alerts
    * src/preprocessors/spp_portscan2.c (PrunePortscanners): Portscan2 fixes from Jed Haile (thanks :-) )
    * src/decode.c (DecodeICMP): 8 bytes of extra info in a redirect, not 4

2002-07-23 Chris Green
    * Phil Wood ASN.1 fix
    * Phil Wood Classification fix
    * Andreas Ostling's BPF comment improvement
    * Just for the record, marty added distance/width as content options: distance means there must be at least N bytes between 2 matches; width means that there must be a match within N bytes

2002-07-23 Andrew R. Baker
    * src/output-plugins/spo_SnmpTrap.c:
      - fix null pointer dereference for non-IP packets

2002-07-09 Chris Green
    * src/detection-plugins/sp_dsize_check.c (CheckDsizeRange):
      - changed dsize check to always return 0 on fake tcp pkts (mirrors change made on all other functions ..)

2002-07-08 Chris Green
    * Merged in win32 fixes from Chris Reid (thanks again!)

2002-07-05 Andrew R. Baker
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_stream4.c:
      - fixed packet_flags problem with rebuilt packets

2002-07-03 Chris Green
    * src/output-plugins/spo_SnmpTrap.c:
      - lots of *nArgs = 0 instead of NULL
      - added prototype for ipv6_print_hashing

2002-07-02 Chris Green
    * src/preprocessors/spp_stream4.c (TcpAction):
      - switched to using pseudo random flush points
    * src/preprocessors/spp_portscan2.c (PrunePortscanners):
      - fixed double delete of a tree node
    * compilation fixes from Chris Reid for win32 (Thanks!)
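The two rule-option semantics spelled out in the entries above, the `flags:` mask added on 2002-08-13 and the content `distance`/`within` modifiers noted on 2002-07-23, carried through as one added C example. This is not Snort's code: the struct and function names are this example's own, the payload is constructed, and it assumes the windowed reading of `within` (the search window opens `distance` bytes after the previous match and runs for `within` bytes, and the pattern has to fit inside it).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as laid out on the wire (RFC 793, plus the ECN bits of RFC 3168). */
enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PUSH = 0x08,
       TH_ACK = 0x10, TH_URG = 0x20, TH_ECE = 0x40, TH_CWR = 0x80 };

/* flags:<want>,<mask>: bits named in `mask` are cleared from the packet's flags
 * before the exact comparison, i.e. (tcp_flags & (0xFF ^ mask)) == want.
 * flags:S,12 is { .want = TH_SYN, .mask = TH_ECE | TH_CWR }. */
struct flags_check { uint8_t want; uint8_t mask; };

bool flags_match(const struct flags_check *fc, uint8_t tcp_flags)
{
    return (uint8_t)(tcp_flags & (0xFF ^ fc->mask)) == fc->want;
}

/* content:"..."; distance:N; within:M, relative to `prev_end`, the offset just
 * past the previous content match. The search window opens `distance` bytes
 * after prev_end and is `within` bytes long (0 = to the end of the payload);
 * the pattern must fit entirely inside it. Returns the offset just past the
 * match, or -1 when nothing matches or the window would leave the payload. */
long content_relative(const uint8_t *payload, size_t dsize, size_t prev_end,
                      const uint8_t *pat, size_t plen, size_t distance, size_t within)
{
    if (plen == 0 || prev_end > dsize || distance > dsize - prev_end)
        return -1;
    size_t start = prev_end + distance;
    size_t win = dsize - start;
    if (within != 0 && within < win)
        win = within;
    if (plen > win)
        return -1;
    for (size_t i = start; i + plen <= start + win; i++)
        if (memcmp(payload + i, pat, plen) == 0)
            return (long)(i + plen);
    return -1;
}

/* Constructed payload, not captured traffic: "USER" at 0..3, six filler bytes, "PASS" at 10..13. */
static const uint8_t demo_payload[] = "USER xxxxxPASS yyyy";
#define DEMO_LEN (sizeof demo_payload - 1)

/* flags:S,12 against SYN with both ECN bits set: ECE/CWR are masked, so it matches. */
int demo_syn_with_ecn_masked(void)
{
    struct flags_check fc = { .want = TH_SYN, .mask = TH_ECE | TH_CWR };
    return flags_match(&fc, TH_SYN | TH_ECE | TH_CWR);
}

/* flags:S with no mask against the same packet: the ECN bits break the exact match. */
int demo_syn_exact_with_ecn(void)
{
    struct flags_check fc = { .want = TH_SYN, .mask = 0 };
    return flags_match(&fc, TH_SYN | TH_ECE | TH_CWR);
}

/* flags:S,12 against SYN|ACK: ACK is not in the mask, so a SYN/ACK does not match. */
int demo_syn_ack_masked(void)
{
    struct flags_check fc = { .want = TH_SYN, .mask = TH_ECE | TH_CWR };
    return flags_match(&fc, TH_SYN | TH_ACK);
}

/* content:"USER"; content:"PASS"; distance:<distance>; within:<within>
 * Chains the second search off the end of the first match. */
long demo_pass_after_user(size_t distance, size_t within)
{
    long e = content_relative(demo_payload, DEMO_LEN, 0, (const uint8_t *)"USER", 4, 0, 0);
    if (e < 0)
        return e;
    return content_relative(demo_payload, DEMO_LEN, (size_t)e, (const uint8_t *)"PASS", 4, distance, within);
}

int main(void)
{
    printf("S,12 vs SYN+ECE+CWR: %d\nS vs SYN+ECE+CWR: %d\nS,12 vs SYN+ACK: %d\n",
           demo_syn_with_ecn_masked(), demo_syn_exact_with_ecn(), demo_syn_ack_masked());
    printf("PASS distance:6 within:4 -> %ld\n", demo_pass_after_user(6, 4));
    printf("PASS distance:6 within:3 -> %ld (window too small)\n", demo_pass_after_user(6, 3));
    printf("PASS distance:7 within:4 -> %ld (too far)\n", demo_pass_after_user(7, 4));
    return 0;
}
```

The mask is why `flags:S,12` still fires on a SYN carrying ECE and CWR while plain `flags:S` does not; nothing else is relaxed, so a SYN/ACK is still rejected. In the relative content search the window is clamped to the payload before any comparison, so a large `distance` or `within` in a rule cannot push the search past `dsize`.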
2002-07-01 Chris Green
    * src/preprocessors/spp_conversation.c (ConvCompareFunc):
      - fixed session equality bug (portscan2 should actually seem reasonable now)
      (ConvFunc):
      - changed to use conf_flags for session initiation

2002-06-28 Chris Green
    * src/preprocessors/spp_stream4.c
    * src/decode.h (PKT_STREAM_INSERT): added a packet marker for inserted stream packets

2002-06-27 Chris Green
    * src/util.c (FatalError): fflush(*)
    * src/detection-plugins/sp_dsize_check.c: dsize checks always will return 0 for rebuilt stream packets
      (CheckDsizeRange): added min<>max range support for dsize option. Thanks to Andreas Östling
    * src/parser.c (ParseConfig): missing return for config daemon; thanks to Bill McCarty

2002-06-26 Chris Green
    * From Jeff Nathan: Moved resp* stuff to the OTN instead of RTN
    * spp_conversation rewrite
    * portscan2
    * SNMP updates from Glenn Mansfield Keeni

2002-06-24 Chris Green
    * src/detection-plugins/sp_icmp_seq_check.c (ParseIcmpSeq): htons(ds_ptr->icmp_seq) from Andreas Ostling

2002-06-20 Andrew R. Baker
    * src/detect.c: fix event reference time for unified output

2002-06-20 Chris Green
    * src/preprocessors/spp_portscan2.c
      - parsing fixes from Phil Wood
    * src/util.c:
      - FreeToks fixes from Phil Wood

2002-06-16 Chris Green
    * src/preprocessors/spp_stream4.c: Andrew Hintz bug reports
      (BuildPacket):
      - reinjected packets are now marked as established as well as rebuilt
      (UpdateState):
      - Server initiated: APF -> AF -> A was not properly terminating session

2002-06-13 Chris Green
    * src/output-plugins/spo_log_tcpdump.c (LogTcpdump): fixed broken -b -l . mode (assuming iph is set doesn't work)

2002-06-12 Chris Green
    * src/util.c (read_infile): close fd for -F

2002-06-11 Chris Green
    * src/preprocessors/spp_arpspoof.c: Fixes from Jeff Nathan
    * src/preprocessors/spp_asn1.c (ASN1Decode): ASN1 fix from Chris Reid

2002-06-08 Chris Green
    * src/generators.h (FRAG2_TTL_EVASION_STR): changed TTL Limit exceeded message to make more clear

2002-06-08 Andrew R. Baker
    * src/output-plugins/spo_log_tcpdump.c:
    * src/detect.c:
    * src/decode.h: make obfuscation work for all output plugins

2002-06-07 Chris Green
    * src/preprocessors/spp_stream4.c (ReassembleStream4):
      - accidentally inverted logic for async/normal sessions
      - marking streams as established correctly

2002-06-05 Chris Green
    * src/generators.h (STREAM4_TTL_EVASION_STR): changed so that people recognize message as ttl_limit related and not message related

2002-06-04 Chris Green
    * src/preprocessors/spp_http_decode.c:
      - fixed include order (fixes compile on FreeBSD)
    * src/preprocessors/spp_frag2.c (InsertFrag):
      - allow duplicate first fragment to be disabled

2002-06-03 Chris Green
    * src/detection-plugins/sp_clientserver.c (ParseFlowArgs):
      - added {no_stream,only_stream} keywords to flow: used to suppress reassembled streams from being alerted on
    * src/plugbase.h: changed machine/param.h -> sys/param.h

2002-06-03 Andrew R. Baker
    * src/output-plugins/log_tcpdump.c: fix obfuscation

2002-06-02 Chris Green
    * src/Makefile.am: added plug_base.h (pointed out by Jeff Nathan)

2002-05-30 mfr
    * src/log.c src/decode.c: Fixed non-functional embedded packet decode and printout for ICMP UNREACH and REDIRECT packets

2002-05-30 Chris Green
    * src/preprocessors/spp_frag2.c (Frag2Init):
      - left frag2 alerts on by default by accident (disabled)

2002-05-28 Chris Green
    * src/detect.c (CallLogFuncs): moved the traversal of the plugins ahead of setting the packet logged flag since both check (should both check?)

2002-05-28 Andrew R. Baker
    * src/log.c: fix NULL pointer deref problem printing priority/class info

2002-05-27 Chris Green
    * src/preprocessors/spp_http_decode.c (SetPorts):
      - fatal error on invalid port description
    * rules.c (VarGet):
      - fatal error if undefined variable is called
      (ExpandVars):
      - don't expand variables inside "'s

2002-05-21 Chris Green
    * src/preprocessors/spp_stream4.c (StoreStreamPkt):
      - sheltered fast retransmission under evasion_alerts
      - missing returns

2002-05-20 Chris Green
    * src/preprocessors/spp_http_decode.c:
      - added newer unidecode function from rfp
      - added "internal_alerts" keyword

2002-05-19 Andrew R. Baker
    * src/output-plugins/spo_log_ascii.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_conversation.h:
    * src/preprocessors/spp_portscan2.c:
    * src/preprocessors/spp_portscan2.h:
      - corrected some global namespace pollution

2002-05-15 mfr
    * looked over and indented the hell out of spp_conversation and spp_portscan2
    * put a FreeToks() function into util.c to clean up after mSplit()'s
    * other sundry stuff; conversation and portscan2 should be ready for testing from what I can see now

2002-05-15 Andrew R. Baker
    * src/output-plugins/spo_SnmpTrap.c:
    * src/output-plugins/spo_alert_smb.c:
    * src/detections-plugins/sp_react.c:
      - fixes for new SigInfo system
    * src/output-plugins/spo_idmef.c:
    * src/output-plugins/spo_idmef.h:
    * doc/README.IDMEF:
    * src/plugbase.c:
    * src/plugin_enum.h:
      - remove IDMEF instead of leaving it in a broken state

2002-05-14 Chris Green
    * src/util.h (GenObfuscationMask): make compile on OS X

2002-05-14 Andrew R. Baker
    * *.[ch]:
      - proper implementation of priority and reference signature metadata
      - other work surrounding signature metadata

2002-05-14 Chris Green
    * templates/sp_template.[ch]:
      - updated template for plugbase and modularity
    * src/preprocessors/spp_stream4.c (CreateNewSession):
      - added SYN_SENT initialization state
    * src/preprocessors/spp_http_decode.c:
      - fixed includes for WIN32 (Chris Reid)
    * src/preprocessors/spp_stream4.c (_Stream4Data):
      - added asynchronous_link; useful for places that only see one side of a conversation
      - (UpdateState): mark session as established on asynch links

2002-05-13 Chris Green
    * src/snort.c (ProcessPacket):
      - added min_ttl check in front of Preprocess Check
    * src/snort.h (_progvars):
      - added min_ttl as a snort-wide configuration option
        config min_ttl: 1 to drop all things less than 1
        config min_ttl: 0 to have none (default)
    * src/decode.c (DecodeTCP):
      - fixed bug where we didn't just toss invalid packet after alerting on it in decoder
      (DecodeEapolKey):
      - removed CallLogPlugins redundant call
    * src/generators.h
      - moved all plugin alert descriptions here
    * src/plugin_enum.h:
      - moved all PLUGIN_ constants to a single header
    * src/detection-plugins/sp_pattern_match.h:
      - cleaned up commented define
    * src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
      - commented out spurious debug code
    * src/preprocessors/spp_stream4.c (StoreStreamPkt):
      - disable evasion alerts

2002-05-12 Chris Green
    * src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
      - more debug code
      - set p->uri_count
    * src/parser.c (ParseConfig):
      - cleaned up some NULL dereferences

2002-05-09 Chris Green
    * src/preprocessors/spp_stream4.c:
      - moved SSNFLAG defines to decode.h so that we have access to the Session data outside of spp_stream4
      - added SSNFLAG_HTTP_1_1, SSNFLAG_SEEN_PMATCH
      - moved Session, Stream to decode.h
      (ReassembleStream4): session_flags converted to & check instead of == for establishment
    * src/decode.h
      - added HTTP version constants

2002-05-08 Chris Green
    * src/decode.h (_Packet):
      - removed URI
      - added uri_count
      (_HttpUri):
      - changed to added parameters
      (_UriParam):
      - added parameter datastructure
      (VTH_VLAN):
      - fixed missing paren
    * src/preprocessors/spp_http_decode.c (SetPorts):
      - removing strncasecmp
      (PreprocUrlDecode):
      - moved to using UriBufs
    * src/decode.c: Added UriBufs
    * src/decode.h:
      - changed to use TRH and VLAN macros; bitpacked notation expunging should be done

2002-05-07 Chris Green
    * src/decode.h (_TCPHdr):
      - changed to use TCP_OFFSET, TCP_X2 Macros
    * src/parser.c (ParseConfig):
    * src/snort.c (ParseCmdLine):
      - Fixed notcp,noicmp,noudp,noip to only disable
      - strcasecmp instead of strncasecmp
    * src/preprocessors/spp_http_decode.c: integrated spp_http_decode.c from rfp
      new option set:
        * unicode: decode unicode
        * iis_alt_unicode: %u000 encoding
        * double_encode: detect IIS decoding
        * abort_invalid_hex: detect only up until the first broken encoding
        * drop_url_parm: don't decode the stuff following ?
        * iis_flip_slash: substitute / for \ ( C:\DOS\RUN )
        * full_whitespace: treat \r and as

2002-05-06 Chris Green
    * src/preprocessors/spp_stream4.c: fixed retransmission checksum alerts to live under evasion
    * src/detection-plugins/sp_pattern_match.h: commented out PATTERN_FAST until it works
    * src/generators.h: internal alerts from spp_http_decode

2002-05-01 Andrew R. Baker
    * src/plugbase.c:
    * src/output-plugins/spo_unified.c: cleaned up startup message printing

2002-04-25 Chris Green
    * Introduced IP_VER, IP_HLEN, SET_IP_VER, SET_IP_HLEN after thinking about tcpdump and what Fyodor had talked to me about months ago regarding cross platform compatibility. No more twiddling. Plugins that use ip_ver, ip_hlen should be tested. No more bit packed notation allowed in the source tree.
    * src/preprocessors/spp_stream4.c: separated evasion alerts from retransmission/state; evasion alerts default to being on now; disable with disable_evasion_alerts

2002-04-24 Chris Green
    * src/preprocessors/spp_frag2.c (Frag2Init): fixed argument parsing
    * src/preprocessors/spp_http_decode.c: don't process fragments
    * src/preprocessors/spp_frag2.c (InsertFrag): make sure that we don't run out of memory if someone sends us the same fragment over and over again; duplicate first frag is a special case

2002-04-23 Chris Green
    * src/preprocessors/spp_frag2.c (InsertFrag):
      - adding detection of attack where we would start reassembling packet fully before the full fragtracker is there
    * src/detect.c (EvalPacket):
      - fixed alert ip rules (got clobbered when playing detection engine optimizations)
      - generate proper events when decode errors happen
    * src/plugbase.c (InitPlugIns): SetupFragOffset()
    * src/detection-plugins/sp_ip_fragbits.c:
      - added fragoffset: fragoffset: [!<>] defined in fragbits so that I can backport it.
    * src/preprocessors/spp_frag2.c (InsertFrag):
      - alert on frag2 overlaps. To do this requires keeping the packets around for a while longer to detect all the multiple fragments and overlaps. Changed the PruneCache to notice when things are completed and prune them in addition to just by time. Frag mem faults are going to increase because of this but each time one occurs, there should be plenty to expire.

2002-04-22 Chris Green
    * src/preprocessors/spp_frag2.c (Frag2Defrag): Warn/Discard on fragments with IP Options set.
      (ParseFrag2Args): min_ttl ttl_limit detect_state_problems
    * src/debug.h DEBUG_FRAG2
    * src/preprocessors/spp_stream4.c (TraverseFunc):
      - added next seq check on reassembly
      - added alerts on retransmitted sequences... it's ugly as sin right now
      (_Stream):
      - next_seq added
      (StoreStreamPkt):
      - added check for retransmitting too fast w/ a different data size
      - added tcp checksum retransmission checking (how much do I need to worry about data with the same checksum and different payloads... just throw it away for the moment)

2002-04-19 Chris Green
    * More win32 Service patches from Chris Reid (Thanks!)

2002-04-18 Chris Green
    * src/preprocessors/spp_frag2.c (Frag2Defrag): added ttl_limit detection
    * src/generators.h (FRAG2_TTL_EVASION): added
    * src/preprocessors/spp_stream4.c (StoreStreamPkt):
      -- first cut at TTL evasion detection; keyword: ttl_limit for TCP Sessions

2002-04-16 Andrew R. Baker
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_asn1.c:
    * src/log.c:
    * src/detect.c: fix broken event reference info for unified output

2002-04-15 Chris Green
    * src/preprocessors/spp_stream4.c (ParseStream4Args): added missing parsing line back in

2002-04-10 Andrew R. Baker
    * src/output-plugins/spo_unified.c: fix unified brokenness

2002-04-10 Andrew R. Baker
    * src/plugbase.h:
    * src/plugbase.c:
    * src/parser.h:
    * src/parser.c: Plugin API cleanup
    * src/output-plugins/spo_log_tcpdump.c: make log file timestamps work the same as in unified

2002-04-09 Chris Green
    * src/spp_portscan2.c: new changes from Jed/Jason

2002-04-08 Andrew R. Baker
    * add profiling configuration option
    * src/parser.c: correct NULL pointer dereference

2002-04-08 Chris Green
    * src/debug.c (GetDebugLevel): accidentally returning debuglevel instead of debug_level
    * src/log.c (PrintIPHeader): Modified fragment offset calculation (reported by Judy Novak)

2002-04-07 Chris Green
    * Fixed --enable-debug
    * src/preprocessors/spp_asn1.c: Missing includes

2002-04-06 Chris Green
    * src/detect.c (EvalHeader): Corrected incorrect ignore with -z est and PKT_REBUILT_STREAM
    * src/detection-plugins/sp_tcp_ack_check.c (ParseTcpAck):
    * src/detection-plugins/sp_tcp_seq_check.c (ParseTcpSeq): Phil Wood's Parsing Change

2002-04-05 Martin Roesch
    * detection engine now walks RTN and OTN lists iteratively instead of recursively, I guess we should kowtow to the x86 crowd...
    * RTNs are now sorted by destination port number allowing for earlier exit from the detection engine in the average case and improving performance
    * destination port is now the first thing checked when an RTN is processed (for UDP/TCP traffic)

2002-04-05 Chris Green
    * Merged in Nick L. Petroni, Jr.'s 802.11b stuff
    * src/detection-plugins/sp_pattern_match.c: Integrated Mike Fisk's SetMatch stuff (large performance increase -- thanks for being so patient with me)

2002-04-04 Chris Green
    * src/snort.c (SnortMain): Extra call to initoutput plugins commented out..
    * src/detect.c (CallAlertPlugins): DEBUG_WRAPPED Andrew's printfs

2002-04-03 Chris Green
    * src/debug.h: DEBUG_WRAP defined; DEBUG_WRAP used everywhere...
    * src/preprocessors/spp_conversation.c: ignore rebuilt stream

2002-04-02 Andrew R. Baker
    * Modularization cleanup

2002-04-02 Chris Green
    * src/debug.c (GetDebugLevel): only initialize debug_level once (now easier to use gdb set command)
    * src/preprocessors/spp_portscan.c: No processing on reassembled stream packets
    * lots of compilation fixes
    * started adding spp_conversation

2002-04-01 Andrew R. Baker
    * config.h should be included almost everywhere....

2002-03-31 Chris Green
    * src/detection-plugins/sp_pattern_match.c (CheckUriPatternMatch): Check for URI.uri with a packet flag
    * src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
      - Moved decode ignore check up (I don't think this is actually used anywhere)
      - Moved some functions into CheckHTTPDecode
    * decode.h:
      - Changed URI.uri to u_int_8t[URI_SIZE]
      - URI_SIZE is 512 (should create an alert when that size is exceeded)
      - Added PKT_HTTP_DECODE to show if URI was filled in

2002-03-31 Andrew R. Baker
    * start work on cleaning up the output API

2002-03-30 Chris Green
    * src/output-plugins/spo_alert_unixsock.c: lots more checking for valid packets on things like portscan alerts

2002-03-29 Andrew R. Baker
    * src/parser.c : Add support for "special" output plugins
    * src/output-plugins/spo_unified.h :
    * src/output-plugins/spo_unified.c : Initial work towards a true unified output.

2002-03-29 Chris Green
    * src/preprocessors/spp_stream4.c (ReassembleStream4):
    * src/snort.h: removed pv.fake_packet check (old stream stuff)

2002-03-27 Chris Green
    * src/preprocessors/spp_stream4.c : More debug messages in Stream4
    * doc/PROBLEMS: Added file to document bugs that we really can't work around easily and aren't necessarily ours.
    * src/parser.c (ParseRuleOptions): filename -> file_name for compilation

2003-03-26 Andrew R. Baker
    * src/output-plugins/spo_unified.c: fix file rotation bug in spo_unified; write IPs in host order like everything else is
    * src/parser.c: updates to the rule parser. now we only complain for unrecognized rule options.

2002-03-26 Chris Green
    * src/detect.c (DumpChain): DebugMessage stuff..

2002-03-25 Chris Green
    * stop stream4 from clobbering itself (Pascal Bouchaeine)

2002-03-24 Chris Green
    * src/plugbase.c (RegisterPlugin):
      - allow multiple plugins to start with same prefix

2002-03-23 Brian Caswell
    * initial add of flow: to signatures

2002-03-21 Chris Green
    * Place IP checks after port checks for 1.9 (based on patch from Christian Mock)
    * Fixed test header checks (greatly responsible for slowness on multiple CIDR blocks) (Christian Mock)

2002-03-19 Chris Green
    * Fixed Teardrop detection in frag2 (Forward bugfix from Marty)
    * Replaced most instances of #ifdef DEBUG\nprintf(...) with DebugMessage

2002-03-11 bmc
    * readded this file :)
    * re-enabled udp portscan detection
    * updated ICMP text printing (few bugs, few new features)
    * updated BUGS for jackasses on Bugtraq
    * fixed a bunch of stream4 stuff
    * cleaned a ton of signatures (see signature CVS logs for info)
    * number of FAQ updates
    * removed unstable/orphaned/unmaintained/deprecated code as we get ready for 2.0
    * massive directory structure reordering
    * frag2 options code cleanup (cmg)
    * fixed pattern match exit conditions (cmg)
    * improved stats calculation (phil wood)
    * tweaked decoder code
    * improved ICMP ASCII output
    * fixed no-packet bug in spo_unified
    * moved alert code in spp_frag2 so packet is logged for teardrop
    * many stream4 fixes
    * added sp_clientserver (to client, to server, from client, from server)
    * cleaned infinite loop in regex
    * fix double PID write (reported by phil wood)
    * updated docs
    * ton of new signatures
    * split rules.c into parser.c|h and detect.c|h
    * smarter pruning for segments that have only partially been streamed
    * ethernet headers are now filled in for rebuilt packets
    * added case for stream segments that hadn't been completely handled in previous flush
    * added another interface init call when entering daemon mode for linux boxen that lose promisc mode when the process forks
    * strncat in sp_reference
    * opts[1] fix to plugin args passing
    * updated changes to db stuff from Roman
    * removed $default_directory from mysql_directory definition to allow --with-mysql to work again and select a non-default installation
    * fixed calloc call for PPPoE debug #ifdef DEBUG
    * Fixed pointer math for Stream4 session (IOU: Phil Wood; 1 Bar tab)
    * Fixed suicidal tree pruning
    * ifdef AF_INET6 for decode.c and removal of spp_asn1.h from plugbase.h
    * cleaned up decode.c indentation, etc
    * added classifications for spp_fnord
    * mods to icmp ASCII log code for more informational printouts
    * added enhanced conf file parsing for frag2 (Chris Green)
    * added pattern match fixes (Chris Green)
    * other stuff that escapes me right now
    * pflog decoder support from Robert Fleck added
    * cleaned up decode.c indentation, etc
    * added classifications for spp_fnord
    * mods to icmp ASCII log code for more informational printouts
    * added enhanced conf file parsing for frag2 (Chris Green)
    * added pattern match fixes (Chris Green)
    * added enhanced resolution of TCP retransmissions to stream4
    * changed default behavior of frag2 to favor old data over new
    * fixed screwed up fragbits printout
    * Fixed pointer arithmetic in calls to PrintNetData (thanks to Andreas Östling bugreports)
    * ntohs(p->iph->ip_len) -- should we have a p->ip_len?
    * don't complain about NULL ptr if p->dsize == 0
    * Still has one nit in that a badly framed packet is counted twice in -v mode2

2001-11-29 bmc
    * Fixed crash in frag2 under Linux
    * Fixed flexresp code, session sniping should work again and be faster to boot
    * Fixed ICMP decoder and printout routines for new ICMP header data structs in decode.h
    * Added -B command line switch to translate IP addresses in pcap files from one subnet to another (see the man page).
    * Added spo_log_null to give users an option to deactivate logging output from the snort.conf file.

2001-11-02 mfr
    * fixed UTC timestamps
    * fixed SIGUSR1 handling, should reset properly now after getting a signal
    * fixed PID path generation code, PID files go in the right place now
    * fixed stability problems in stream4
    * fixed stability problems in frag2
    * tweaks to spo_unified for better integration with barnyard
    * added -f switch to turn off fflush() calls in binary logging mode
    * added new config keyword to stream4, "log_flushed_streams", which causes all buffered packets in the stream reassembler for that session to be logged in the event of an event on that stream (must be used in conjunction with spo_log_tcpdump)
    * added packet precaching for flexresp TCP packets, responses should be generated more quickly
    * fixed rules parser code for various failure modes
    * several new rules files and a new classification system

2001-08-14 mfr
    * SNMP alerting support added by Glenn Mansfield Keeni & K. Jayanthi
    * IDMEF output support compiled in by default now
    * regex keyword code repaired, limited wildcard regex now available
    * new packet counters added to Snort stats output for frags and streams
    * http_decode preprocessor modified to normalize %u encoding
    * new detection modes in frag2, Snort picks up fragmentation attacks (teardrop, etc) much better now
    * repaired frag2 IP defragmenter, now 100% stable and functional
    * tweaks made to stream4 TCP stream reassembler, now 100% stable
    * Win32 code integrated with main Snort source now
    * fix for -r mode crash when no other command line options specified
    * fix for logfile names using ":" under win32
    * tag code repaired
    * spp_arpspoof repaired
    * stream4 alerts are now off by default
    * syslog alerts now support standard GEN:SID:REV data

2001-08-04 fy
    * A couple of coredump fixes from Phil Wood
    * Solaris compilation fixes (and other minor tweaks I don't remember)
    * Incorporated WIN32 patches (and fixes) from Chris Reid
    * ms-sql support from Chris Reid
    * contrib/create_mssql

2001-07-09 mfr
    * added new IP defragmenter, spp_frag2
    * added new stateful inspection/tcp stream reassembly plugin, spp_stream4
    * Snort can now statefully detect ECN traffic (less false alarms)
    * stream4 can now keep session statistics in a "session.log" file
    * added new high-speed unified binary output system, spo_unified
    * added new data structs/management for tag code
    * added -k switch to tune checksum verification behavior
    * added -z switch to provide stateful verification of alerts
    * modified behavior of http_decode, now only alerts once per packet
    * added unique Snort ID's to every Snort rule, plus generator, revision and event ID info to each alert
    * detection engine only alerts once per packet now, tcp stream code doesn't generate another alert packet if a previous one already alerted for that stream
    * fixed signal handling on svr4 systems
    * added enhanced cross reference printout to full/fast/syslog alert modes
    * added new high speed checksum verification (on x86) routines
    * added new ARP spoof detection preprocessor from Jeff Nathan

2001-04-20 fy
    * a couple of fixes in spp_defrag.c
    * spelling fixes in 'classification.config' file

2001-04-19 bmc
    * added ability to tag sessions & hosts (By Seconds, Bytes, and Packets)
    * ip protocol rule support
    * added 802.1q VLAN support
    * extensive configuration file config options (you can put your commandline options in snort.conf now)
    * priority & classification plugin by Brian Caswell
    * output plugin support for priority, classification, and refs
    * rpc_decode plugin (Defeats attacks laid out by Robert Graham's SideStep)
    * telnet negotiation normalization plugin (Defeats attacks laid out by Robert Graham's SideStep)
    * BackOrifice plugin (Can bruteforce BO keys. Defeats attacks laid out by Robert Graham's SideStep)
    * uricontent keyword pattern match. (Now you can look at the URL instead of the entire packet)
    * added -T commandline option (Does entire setup process, but stops after it's done setting up) great for snort.conf testing!!
    * added -L commandline option. Specify filename of the binary output log when combined with "-b"
    * added -G commandline option. Turn on "ghetto" backwards compatibility for people that need references in the MSG field
    * added -I commandline option. Prints the interface that the alert was received on
    * added -y commandline option. Adds YEAR to the timestamps
    * Fixed timestamp output problem on some ARCHs
    * ability for non-root users to sniff. (If the user can usually sniff from pcap) By Brian Caswell
    * Improved UNICODE detection by Koji Shikata
    * added sp_tcp_win_check. TCP Window Size can be looked at now
    * added CSV output (see README.csv for more information) By Brian Caswell
    * added sp_same_ip_check. Checks for the same SRC & DST (Usually sign of a DOS attack) by Phil Wood
    * added variable lookups for include directives (eg 'include $RULESPATH/myrules.rules')
    * linux_sll (interface 'any') support fixed (According to the new libpcap spec) By Fyodor
    * new debugging code. No more #ifdef DEBUG. (see debug.c for more info) Idea from Eugene Tsyrklevich
    * strl* family functions (mostly for future developers, we'd encourage these to be used) (original code also supplied by Eugene)
    * new tcp stream reassembly module by Chris Cramer
    * include directives now are relative to snort.conf file location (unless full path in a config file is given)
    * snort will look for /etc/snort.conf and ./snort.conf if no config is given on the commandline
    * minor null ptr fixes and patches here and there (thanks to all of you guys who helped tracking them down, really :-) - Fyodor)
    * optimized database schema (Support for references, added signature normalization, ....)
    * UTC cleanup by Andrew Baker
    * http_ignorehosts added from Matt Wachinski

2001-03-14 fy
    * tcp stream reassembly updates by Chris Cramer
    * path fixes for include (now relative paths will be substituted by path of the main file)
    * DLT_LINUX_SLL support fixes
    * strlcat/strlcpy functions are being incorporated
    * Attempt to support MacOS platform.
    * A bunch of fixes for MTU discovery routine
    * New debugging routines. (see BUGS file for more info).

2001-01-02 mfr fy
    * tcp stream reassembly preprocessor (beta) by Chris Cramer
    * Defragmentation plugin is now fully functional on all architectures
    * SPADE (Statistical anomaly detection) preprocessor has been added by James Hoagland
    * Added IIS/UNICODE attack detection to HTTP decoder
    * Reference plugin has been added by Joe McAlerney
    * New active response module: sp_react
    * Added "any" keyword to IP options (ipopts) plugin
    * IP fragmentation bits detection plugin added
    * Added TOS detection plugin from Erich Meier
    * Database output plugin improved in many ways by Jed Pickel
    * Oracle support added to database output plugin
    * XML output plugin by Jed Pickel/Roman Danyliw/CERT
    * IP address list support added with lots of help from Phil Wood
    * _ADDRESS variable implementation, specifying an interface name in the rules file as part of this variable automatically sets the IP/mask as the IP address/netmask of the specified interface
    * Rule parser is more anal about rule verification now, doesn't crash as readily
    * Arbitrary output types support added by Andrew Baker
    * Activate/dynamic rules allow rules to turn on/off other rules!
    * ICMP unreach.
printout dumps encapsulated headers now * Improved TCP/IP options printout code, doesn't flood on 0 length options * Packet checksumming implemented for all supported protocols by Chris Cramer * TCP flags now print out in proper (bitwise) order * Added new fields to the packet header dumps including IP header length, TCP/UDP header length, Urgent pointer printout, IP Reserved bit printout, ICMP Type/Code explicit value printout * -X switch dumps packet byte data for data link through application layer * -L switch to privde a filename for binary log files specified with the -b switch * Added -I switch to print interface name in Snort alerts (first i/f only) * Fixed -S command line switch so it isn't overridden by variables in the rules file * Corrected PID file misadventures * Added a bunch of new statistics to the packet stats printout * Added SIGUSR1 handler, Snort will dump packet stats to console/syslog when it receives a SIGUSR1 * Memory management cleaned up/lots more free()'s to match up with malloc()'s * Added snprintf code to the distro for safety * UID = 0 code added for sniffer mode * fixed default alert filename for daemon mode * Updated USAGE file to resemble Snort's current reality * Changed snort-lib to snort.conf, Jed Pickel added lots of documentation to the file as well (thanks Jed!) * Pid file will not be created if -D switch is not used. * chroot behaviour has been changed, now, if chroot is used, you have to have snort.conf file within chroot directory (and all the other relevant files as well). The only file which will be placed outside chroot directory is snort pid file. 
2000-07-22 mfr * Fixed compilation problems on all non-BSD operating systems * Added better configuration support for locating libpcap * Fixed ICMP ping packet id/sequence printouts * Made allowances for 64-bit machines in the decoders * Updated the portscan detector to the latest version * Disabled the defragmenter by default (in the rules file) * Added a patch from Dave Dittrich to make daemon mode alerts filenames conform to the data in the documentation * Revamped the ICMP data structures to mimic those found in *BSD and provide for higher fidelity decoding/printout in the future * Repaired the output plugins so that they operate properly now * For the record, the payload dump conforms to the length of the IP datagram now and does not show pad bytes added by the minimum Ethernet frame size 2000-07-08 mfr * Fixed Tru64 u_int* type declarations * Added check for pcap.h into configuration script * Fixed timeval problems on Linux boxen 2000-07-06 mfr * New preprocessor plugin: IP defragmentation!! 
* New output plugins cover all old logging and alerting options * New output plugin now logs to MySQL, PostgreSQL, unixODBC databases * Updated portscan detection functionality * Added quote removal for most plugin parsers * -C crash bug fixed * PID/PATH_VARRUN file fixes * Converted many putc(3) calls to fputc(3) for portability * Transport layer decoders use ip_len field for length metric now * String tokenizer code modified for more reliable operation * Fixed flexible response code sequence prediction * Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all platforms * Set automake options so that people don't need gmake anymore to build Snort on BSD systems * Fixed SMB alert code large tmp file hole * Added sigsetmask code to fix SIGHUP weirdness * Added execvp option for SIGHUP restart code * Added ARP header printout validation * Added Session logging file integrity checking * Added -u/-g setuid/gid capability switches * Added -O IP address obfuscation switch * Added -t chroot switch * Fixed non-TCP/UDP/ICMP transport layer decoding & logging * Fixes and additions to the portscan preprocessor * Database logging plugin has been modified extensively, see the www.incident.org website for more information * Switched TCP flags printout routine to ensure proper RFP output scan output. ;) * Fixed default log/alert function code so that these functions are never NULL 2000-03-20 mfr * Version 1.6 released! 2000-03-18 mfr * Modified the PID write out code to work in all run modes, and made the system detect/verify the _PATH_VARRUN variable and define it if necessary. * Integrated a HUP patch from J Cheeseman to prevent the command line parser from screwing up the command line at HUP time. * Added a little tweak from Fyodor for Makefile.in * Made exit code delete the PID file in all run modes. 
2000-03-16 mfr * Activated the BPF compiler optimization switch in snort.c * Added support for unconfigured/stealthed network interfaces * CP added a default definition for _PATH_VARRUN * CP added checks for paths.h existence 2000-03-15 mfr * Moved the "session" keyword code to a plugin * Added Postgres database logging module from Jed Pickel * Added Token Ring layer 2 printout routine * Added "-q" support to the output plugin modules * Revamped the output plugin subsystem so that it conforms to the API standards laid out in the rest of Snort * CP set defaults for the alerting and logging facilities * Added Tru64/Alpha support 2000-02-26 mfr * modified minfrag proprocessor to only catch tiny frags on the home net ("home" keyword) or any traffic ("any" keyword) * implemented command line override of output plugins, alert and log switches on the command line will disable output plugins in favor of their configured activity * added -C command line switch to print packet payloads as ASCII only, with no hexdump * fixed a stupid crash bug on the "logto" keyword parser * put in a couple of command line switch validators to catch potential invalid arguments * fixed a potential crash bug in the ClearDumpBuf() function 2000-02-07 mfr * Added INADDR_BROADCAST patch from Steve Beaty * Added syslog PID patch from Ralf Hildebrant * Added IPv6 counter from Erich Meier * Added SunOS patch from Denis Ducamp * Added content-list rules from 2000-01-17 cp * Update of Patrick's portscan preprocessor. (and apropriate fixes) * Minor fix to configure.in from Herb Commodore. 2000-01-12 cp * John Wilson's update to insensitive pattern match code added. * Patrick Mullen's patch to log.c applied. * Patrick Mullen's changes to rules.c added. * Source Port traffic rules ajusted not to pull alerts on 53<-->53 UDP traffic. * Changed name ParseFlags to --> ParseTCPFlags in sp_tcp_flag_check.* since that's what it really is. * Added RCS Id tags to all the files and libs. 
Once they are commited at md.prestige.net, they should take proper values. :) 2000-01-08 cp * Patch from Herb Commodore to configure applied * Imrovements to content-matching code and implementation of case-insensitive matching from John Wilson * fixed a problem with pass rules not being applied properly * fixed a #include ordering statement for Slackware 4.0 installs * fixed banner output for the -V option * Token Ring decoding is now fully functional * Added packet buffer cleanup code to all protocol decoders * fixed a problem with improper TCP option output * Added a Snort man page 1999-12-08 mfr * preprocessor plugins (major new functionality!) * detection plugins (major new functionality!) * variables can now be specified in the rules file * include files can now be specified in the rules file * Session recording capability * Rules may now contain multiple "content" match keywords * New IP options detection module, allows IP option inspection * New HTTP decoder preprocessor defeats evasive web scans (whisker.pl) * detection engine has been heavily modified to implement the new "linked-list-of-function-pointers" concept, which makes the detection engine more efficient, more flexible, and faster! * TCP options decoder split into decode/log modules and recoded * IP options decoder split into decode/log modules and recoded * Token Ring layer 2 decoder (still in development) * ISDN-Raw layer 2 decoder (I4L) * ISDN-IP layer 2 decode (I4L) * ISDN-Cisco layer 2 decode (I4L) * Fixed PPP layer 2 decoder * NULL/Loopback layer 2 decoder * daemon mode code cleanup * tcpdump readback mode code cleanup * experimental support for UNIX socket alerting * fixed C++ comments in snort.c * binary log files now update properly (fflush added) * internal rules list integrity testing * IP fragments are no longer sent to the detection engine, just the preprocessor's. This is incentive for me (or someone) to write an IP defragmentation preprocessor! 
* post-decode call function call sequence has been modified to go into the preprocessor system instead of the detection engine 1999-10-18 mfr * snort.c: * added session dump command line switch * log.c: * added sesion data logging functionsi: OpenSessionFile(), DumpSessionData(). * decode.c: * fixes snaplen issues with reading back tcpdump files. 1999-10-13 mfr * snort.c: * threw out tcpdump file readback code and implemented open_pcap_offline solution. Has addded benefit of allowing BPF filters to be used to modify file readback streams. * Fixed MTU snafu. * decode.c: * Rewrote ARP decoder. The decoder is much simpler (but the log routines are far more complex) * Horsed around with the TCP and IP option decoders. I think they work better now... * log.c: * Added ARP printout and logging routines. ARP is now handled in a much more consistent and correct manner. * Fixed stupid crash bug in LogPkt() * rules.c: * Added in greater-than and less-than modifiers for dsize option keyword. You now have another (cheap!) way to look for buffer overflows * Removed range checking for the ICMP icode and itype option keywords so that DoS attacks and covert activity could be more easily filtered/monitored 1999-09-26 mfr * snort.c: * new command line options -A, -F, -N, -p, -b * logging and alerting functions are now selected and assigned to function pointers for faster/more efficient logging * got rid of -f command line option (superceded by -b) * put in new cleanup code for readback mode * ripped read_infile from tcpdump to read BPF filter files * decode.c: * code cleanup in support of new functionality * rules.c: * added support for the exception operator to work for ports * fixed stupid pointer initialization bug in ProcessHeadNode() file, fixed crashes on non-PC arch. * new option keywords: dsize, offset, depth * cleaned up crappy logic around the logging functions with nice clean function pointers (aaaahhhh....) 
* added bidirectional rules functionality (now Snort goes both ways....) * log.c: * broke out alerting function into separate subfunctions * ditto logging functions * fixed string termination code in the SMB alerter so that it can now alert to more than one box at a time * cleaned up syslog messages * finally fixed the SMB "alert once" problem (kudos to Gandalf Schaufelberger for that one) 1999-08-06 mfr * log.c: * added code to AlertMsg to make sure that there was in fact an alert message to print out * libraries: * fixed the backdoor and scan libraries so they should flase alarm less often 1999-08-05 mfr * snort.c: * activated CyberPsychotic's daemon mode code (use the -D switch for daemon mode * default logging directory changed from "." to /var/log/snort * sanity checks performed on the default log dir now * decode.c: * changed the truncated Ethernet header notification to only go off in verbose mode * removed cruft * rules.c: * Added Ron Snyder's "address negation" patch. Rules may now contain "!" on the IP addresses to indicate anything BUT the given address * log.c: * added support for the new default logging directory * configure.in: * fixed some more sparc configuration problems * other: * CyberPsychotic sent a new ftp buffer overflow rule in 1999-08-04 mfr * snort.c: * fixed some DEBUG statements * enabled the daemon mode code (this is still experimental) * decode.c: * fixed various and sundry DEBUG code * fixed the TCP option decoder so it wouldn't overflow its prinout buffer and cleaned up the temp buffer * rules.c: * fixed some DEBUG code * log.c: * fixed a buffer copy problem with the daemon mode alert logging * fixed the SMB alerting code and the standard log output when in SMB alerting mode * cleaned up some of the fragment logging code * fixed the logto rules option coding to work properly * configure.in: * fixed a whole bunch of little problems that are screwing up big endian/non-PC machines. 
This version should work and compile much more cleanly on all architectures! * other: fixed a bad rule in the RULES.SAMPLE file and another bad one in the misc-lib file 1999-08-01 mfr * rules.c: Wrote brand new detection engine. The new engine uses a 2-dimensional linked list with recursive node walking. Rules are grouped by address/port commonality and then option chains are linked to common head blocks. This reduces the number of tests required to find a specific test to perform, and reduces the total number of tests performed on a given packet in all cases by 200-500% over version 1.1. * decode.c: Rewrote the packet decode engine. The new engine performs far fewer copies and tries to set pointers to defer expensive function calls as late as possible. The PrintIP and Net data structures have been eliminated so that there is no global data required to perform tests or log a given packet. This will make any future multi- threading efforts much easier. * log.c: * Much of the logging system was rewritten to take advantage of the new detection and decoding engines. * Made the SMB alerting a configure-time option. If you want to use the SMB alerting feature, you need to specify a "--enable-smbalerts" when you run configure. This is a safety measure, read the INSTALL file for the reasons why! * snort.c: Fixed a bug in the netmask generation code that wouldn't allow certain CIDR blocks to be represented. Thanks to Nick Rogness for the heads up on this one! 1999-06-21 mfr * snort.c: * Added new command line switches: -f, -M, -r. -f: Record fragmented packets in tcpdump format -M: Send alerts via WinPopup messages (requires Samba) -r: Read and process files generated by tcpdump * Fixed startup dumpout code to not drop people if they just want to log all packets to the system * Added static netmask generation, this rids Snort of the need to link to libm, which makes it more Trinux friendly. 
* rules.c: * Added new rule option types: logto: log packets matching this rule to the specified log file minfrag: set the minimum size of fragmented packets, which allows alerts to be generated for traffic coming from things like nmap or fragrouter tcp flags: Added the ability to include the reserved bits of the tcp flags into the rules set. These flags are specified with a "1" and "2. Inclusion of these flags allows Queso fingerprinting attempts to be detected. id: The IP ID field may be specified. This is nice for picking up handcrafted packets with recognizable ID fields, like 31337 or other "elite" numbers. ack: The TCP ack field. Using this, nmap tcp "pings" may be detected. seq: The TCP sequence number. This is provided for completeness (I figured since I was putting in the ack field, I may as well include the sequence as well) * Rewrote the content parser. It now accepts "\" as a literal character, so things like "\|" or "\~" will work properly. * fixed the parenthesis finder for the options code * adjusted the acceptable character range in the rule parsers * log.c: * fragment logging more descriptive and correct * fixed IP header logging for ICMP and fragmented packets * improved "bad packet" printing/logging * fixed IP option output code * IP packet ID field now displayed * decode.c: * fixed IP fragment decoders and logic streams. * fragments are now fed thru the rules set (sorta) 1999-05-17 mfr * snort.c: Added "-x" command line switch to explicitly activate IPX packet notification so people in mixed protocol environments can maintain sanity. Also added in the new packet counter to generate statistics on exit of the number/percentage of each type of packet that Snort sees. * decode.h: Removed the references to u_int16_t and u_int32_t and replaced them with u_short and u_long. The u_int*_t variables caused portability headaches. Also added in the new patch from Chris S. for the WORDS_MUSTALIGN definition for S/Linux version. 
* log.h: Fixed the LOG_AUTH/LOG_AUTHPRIV problem that Solaris users were having. * decode.c: Added the new packet statistics counters throughout the code. Cleaned up the IPX code a bit. * rules.c: Cleaned up the isspace(3) (et al) calls. * etc: Made lots of tweaks to the autoconf stuff to get the S/Linux and HP-UX versions to compile cleanly out of the box. 1999-04-28 mfr * rules.c: Added the code to change the order the rules are applied in. * snort.c: Added two new command line switches: "-o" and "-s". * decode.c: Added in new layer 2 decoding for SLIP and RAW packet types. * log.c: Added code to send alert notification to syslog. 1999-04-17 mfr * rules.c: Rewrote the rules option parser. It's now a much more consistant interface for both reading rules into the program and writing them as a user. Added in new rule types to alert on TTL values, and ICMP types/codes. * log.c: Most of the logging code has been dramatically rewritten as well, and it now works much better. * mstring.c: Added the notion of a meta character to mSplit() so that it was possible to not split on every single occurence of a character in a string. * decode.c: Smoothed out all the logging system calls to work nicely with the new log code. 1999-04-08 mfr * rules.c: Moved AlertPkt() and LogPkt() to log.c * log.c: Totally revamped the logging code to be more logical and have less duplication in the code. There are now separate logging functions for each of the layers of the packet. PrintIPPkt() has been totally rewritten, PrintFragHeader has been eliminated, and two functions have been moved over from rules.c and completely rewritten as well. * decode.c: Reworked the routines which called the logging functions. 1999-04-06 mfr * decode.c: added code to display/log the Fragment ID field of the IP header. Got a nice patch from Sebastian to add in TOS decoding as well. Added ethernet header logging and display code. * mstring.c: fixed the match() routine. 
It had a tendency to miss some things some of the time. (oops!) Content based matching should work all the time now. * log.c: added code to display some of the new stuff that's decoded. * snort.c: add a new command line switch: "-e". This will display the ethernet header data in both the log files and on the screen. 1999-03-24 mfr * decode.c: fixed the damned TCP and IP options decoders. These things were a friggin pain in the ass to program up properly. Recoding them stopped the huge loop that they had a bad tendancy to get stuck in, thereby making the rest of the program nigh infinitely more useful for just about any friggin problem under the friggin sun. Frig it. * log.c: Stopped the insanity of unnessary carriage returns in the log files and on screen printouts. Another PITA. * rules.c: Fixed output formatting yet again. 1999-03-21 mfr * snort.c: fixed a bug in the timestamp code so the month prints out right * decode.c: added code to detect and decode IP and TCP Options. Also added code to print packet fragments with truncated headers into a PACKET_FRAG file which gets dumped in the default log directory. * log.c: added code and data structures to print out IP and TCP Options plus I fixed the f'd up fragment print out logic. Changed OpenLogFile() to include a mode argument for packet fragment print out. * rules.c: rewired the entire rules test routine and added some long needed goto's into the program. I feel manly now. Also added a new rule field: TCP flags. This allows us to alert/log/pass on tcp flags. Also added in port range functionality, you can now specify a range of ports, or greater than/less than a specified port. 1999-03-08 mfr * snort.c: Ripped off the timestamp printout routines from tcpdump and stuffed them into snort.c, yum yum. This gives us millisecond timestamping on the packets for those of you interested in such things. 1999-03-06 mfr * mstring.c: mContainsSubstring has been replaced. 
mContainsSubstring is a brute force pattern matcher, and is therefore very slow and not too efficient. The new routine, match(), implements a Boyer-Moore string search algorithm and is much faster in the general case and much more tolerent of "poor" pattern selection. * log.c: PrintNetData has been completely rewritten. It should now be much faster and only needs to generate the print out buffer once per packet. This routine was a major source of slow down/dropped packets before. You still shouldn't use verbose mode with the "-d" command line switch if you're using Snort as an IDS, because it's still slow enough to drop some large packets. Packet print out has changed as well, with the different packet layers separated by onto their own lines (well, mostly). Fragmented packets are now recorded in a "FRAG" file. * decode.c: Snort now detects fragmented packets, plus the DF and MF bits, and decodes the fragment offset. * snort.c: Now displays packet collected/dropped statistics when shutting down. 1999-02-18 mfr * snort.c: Code cleanup and some error checking was added. The system now accepts the interface name you give it at the command line. Fixed a problem with underallocating the interface name buffer for names specified on the command line. Suprisingly, this only came to light when tested on the Sparc architecture. * log.c: ICMP logging now includes the ICMP code description in the filename. This makes it easier to see what you're interested in without having to go digging into the log files. * decode.c: Made the ICMP types and codes a little more compatible with being used as a filename. 1999-01-28 mfr * rules.c: Rules sorting is now implemented. There are actually three separate lists (Pass, Log, Alert) now, with the rules being placed on to the lists in the order they're read from the rules file. The rule execution order was changed, now Alert rules are applied first, then Pass Rules, the Log rules. 
Content based rules are available now, the actual application layer data can be searched, both binary and text, for a specific pattern to activate a rule on. * decode.c: Minor changes to reflect the new rules structure. 1999-01-19 mfr * snort.c: Modularized the code, big time! New source modules are log, rules, decode, and mstring. Dumped SetFlow() for now. * rules.c: Rules based packet logging now enabled! * log.c: Now keeps track of TCP/UDP conversations better! * decode.c: Enhanced decoding of packets, including ICMP ECHO seq and id! 1999-01-08 mfr * snort.c: Made a fix to SetFlow() so that it wouldn't dump the program if it got traffic from 0.0.0.0 or 255.255.255.255. * snort.h: Removed the "#define VERSION" since it's handled in config.h. * README: Proper README file included with this distro 1998-12-21 mfr * snort.c: Made this file, figured out autoconf
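The 2-dimensional rule list of the 1999-08-01 entry, the "dsize" greater-than modifier of 1999-10-13 and the Boyer-Moore "content" search of 1999-03-06 and 1999-01-28, rebuilt together as an added C example that is not Snort's source: head nodes grouped by protocol/port each carry a chain of option chains walked recursively, and the content test uses a Boyer-Moore-Horspool search instead of brute force. The type names, the sample rules and the phf/shell payloads are constructed for illustration.

```c
#include <string.h>

#define PROTO_TCP 6
#define ANY_PORT  -1

/* "content" test: Boyer-Moore-Horspool.  The bad-character skip table lets
 * the search jump over most of the payload instead of testing every offset
 * as a brute-force matcher does.  Returns the match offset or -1. */
int bmh_find(const unsigned char *hay, size_t hlen,
             const unsigned char *pat, size_t plen)
{
    size_t skip[256], i = 0;
    if (plen == 0) return 0;
    if (plen > hlen) return -1;
    for (size_t c = 0; c < 256; c++) skip[c] = plen;
    for (size_t j = 0; j + 1 < plen; j++) skip[pat[j]] = plen - 1 - j;
    while (i + plen <= hlen) {
        size_t k = plen;                  /* compare right to left */
        while (k > 0 && hay[i + k - 1] == pat[k - 1]) k--;
        if (k == 0) return (int)i;
        i += skip[hay[i + plen - 1]];     /* shift on the last aligned byte */
    }
    return -1;
}

/* One test in a rule's option chain; the tests along a chain are ANDed. */
typedef struct OptNode {
    enum { OPT_DSIZE_GT, OPT_CONTENT } type;
    size_t dsize;                          /* threshold for "dsize: >N" */
    const unsigned char *pat; size_t plen; /* pattern for "content:" */
    const struct OptNode *next;
} OptNode;

/* A rule is a message plus its option chain; rules with the same header
 * hang off one head node, so the header is tested once for the group. */
typedef struct OptTreeNode {
    const char *msg; const OptNode *opts; const struct OptTreeNode *next;
} OptTreeNode;
typedef struct RuleTreeNode {
    int proto, dport;                      /* ANY_PORT matches every port */
    const OptTreeNode *rules; const struct RuleTreeNode *next;
} RuleTreeNode;
typedef struct { int proto, dport; const unsigned char *data; size_t dsize; } Packet;

/* Recursive walk of one option chain: every node must pass. */
static int opts_match(const OptNode *o, const Packet *p)
{
    if (o == NULL) return 1;
    if (o->type == OPT_DSIZE_GT && p->dsize <= o->dsize) return 0;
    if (o->type == OPT_CONTENT &&
        bmh_find(p->data, p->dsize, o->pat, o->plen) < 0) return 0;
    return opts_match(o->next, p);
}

/* Walk the head nodes; descend into a group's option chains only when its
 * header matches.  Returns the first matching rule's message, or NULL. */
const char *detect(const RuleTreeNode *heads, const Packet *p)
{
    for (const RuleTreeNode *h = heads; h; h = h->next) {
        if (h->proto != p->proto) continue;
        if (h->dport != ANY_PORT && h->dport != p->dport) continue;
        for (const OptTreeNode *r = h->rules; r; r = r->next)
            if (opts_match(r->opts, p)) return r->msg;
    }
    return NULL;
}

/* Constructed sample rules (not Snort's): two share the tcp/80 head node,
 * a dsize-only rule hangs under tcp/any. */
static const OptNode o_phf  = { OPT_CONTENT, 0, (const unsigned char *)"cgi-bin/phf", 11, NULL };
static const OptNode o_sh   = { OPT_CONTENT, 0, (const unsigned char *)"/bin/sh", 7, NULL };
static const OptNode o_big  = { OPT_DSIZE_GT, 20, NULL, 0, &o_sh };
static const OptNode o_huge = { OPT_DSIZE_GT, 1000, NULL, 0, NULL };
static const OptTreeNode r_shell = { "WEB-MISC shell in payload", &o_big, NULL };
static const OptTreeNode r_phf   = { "WEB-CGI phf access", &o_phf, &r_shell };
static const OptTreeNode r_huge  = { "MISC oversized payload", &o_huge, NULL };
static const RuleTreeNode h_any  = { PROTO_TCP, ANY_PORT, &r_huge, NULL };
static const RuleTreeNode h_web  = { PROTO_TCP, 80, &r_phf, &h_any };

/* Run a text payload sent to a TCP port through the rule set. */
const char *check_tcp(int dport, const char *payload)
{
    Packet p = { PROTO_TCP, dport, (const unsigned char *)payload, strlen(payload) };
    return detect(&h_web, &p);
}

/* Constructed 1200-byte (zero-filled) payload to exercise "dsize: >1000". */
const char *check_oversized(int dport)
{
    static unsigned char filler[1200];
    Packet p = { PROTO_TCP, dport, filler, sizeof filler };
    return detect(&h_web, &p);
}
```

A payload to port 25 never reaches the tcp/80 option chains at all, which is the saving the 1999-08-01 entry describes.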