![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / net / snort
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
snort: Fix build on SunOS.
Update to Snort 2.9.15.1
2019-12-15 - Snort 2.9.15.1
New Additions
Added support for glibc version 2.30.
Improvements/Fix
Fixed Snort core seen during SSL re-configuration.
Fixed file access issues on files from SMB share.
Snort 2.9.15.0
New Additions
Added new debugs to print detection, file_processing and Preproc time
consumption info and verdict.
Added support to detect new Korean file formats .egg and .alg in the file
preprocessor.
Added support to detect new RAR file-type in the file preprocessor.
Improvements / Fix
Fix to generate ALERT if TEID value is zero in GTP v1 and v2 packets.
Fix to whitelist FTP data sessions when no file policy exists.
Fix RTF file magic to a more generic value to prevent evasions.
Added debug logs during HTTP reload.
Added rule SID check during validation.
Fix an issue where HTTP was processing non-HTTP traffic on port 443.
Added new debugs to print detection, file processing, and Prepro time
consumption info and verdicts.
Snort 2.9.14.1
[*] New Additions
* Added support for wild card port numbers in host cache and overwriting port
service AppId.
* Added support for new STLS client patterns to help better detect POP3S over
SSL.
* Added support for detecting Mac based SMTP Microsoft Outlook client
application.
* Added a new preprocessor alert 120:27 to alert if there is no proper end of
header.
[*] Improvements / Fix
* Improved appId detection for proxied traffic.
* Fix for enabling flow profiling mode without restarting snort detection
engine.
* Fixed packet drop scenario.
Snort 2.9.13.0
New Additions
Snort now supports reload on snort rules update.
Addition of a scenario to add a packet to blacklist verdict to ensure the
new session will be allowed.
Handled a new pre-processor alert in case of the improper end of t HTTP
header.
Improvements
Modified the calculation of file hash for FTP/HTTP with offset values.
Fixed portal authentication connection stuck in half closed state.
Updated UDP global timeout for a non-standard port.
This release also patched the following two vulnerabilities:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-smb-snort
Snort 2.9.12.0
New Additions
Parsing HTTP CONNECT to extract the tunnel IP and port information.
Alerting and dechunking for chunked encoding in HTTP1.0 request and
response.
Improvements
Fixed an issue where, if we have a junk line before HTTP response header,
the header was wrongly parsed.
Fixed GZIP evasions where an HTTP response with content-encoding:gzip
contains a body that has a GZIP-related anomaly.
Fixed an issue in certain scenarios where a BitTorrent pattern is seen
only on the third packet of the session, causing us to miss our client
detection.
SMB improvements for file detection and processing.
2017-12-06 - Snort 2.9.11.1
New Additions
Added support to block portscan. In addition to tracking the scanning
packets, action(drop/sdrop/reject) will be taken for all the packets, which
means Snort will block the packet and generate logs.
Added support to re-evaluate reputation after reputation update for all
flows except those that have already been blacklisted.
Improvements
Fixed issue to detect RTP up to two SSRC switches in each traffic
direction.
Fixed issues related to HTTP POST header flushing, calling file processing
directly if it is not a multipart header and changes to avoid expensive copy
of segment data by not splitting them when flushing headers.
Fixed issue of triggering protocol sweep alert when there are multiple
destinations from single source ip protocol scan.
Added changes to fix IP portscan for protocol other than ICMP and fixed
issue of bad fragment size event not being generated for oversized packets.
Added changes to use raw data in case of PDF and SWF files during file
processing for SHA calculation and Malware Cloud Lookup.
Fixed issue of correct session matching for TCP SYN packets without window
scale option so that FTP data channels match the same rule as FTP control
channels.
Fixed issue of applying new configuration in file inspection after Snort
reload.
Snort 2.9.11
[*] New additions
Changes to eliminate Snort restart when there are changes to the memory
allocated for preprocessors, by releasing unused or least recently used memory
when needed.
Added support for storing filenames in Unicode for SMB protocol.
Added implementation of hostPortCache versioning for unknown flows in
AppID to detect and block BitTorrent.
[*] Improvements
Enhanced RTSP metadata parsing to match the user-agent field to detect
RTSP traffic over Windows Media.
Performance improvement when SYN rate limit has reached and drop is
configured as next action
Control-socket and side-channel support for FreeBSD platform.
Fixed issue in file signature lookup for retransmitted FTP packet.
Enhanced the processing of SIP/RTP future flows without ignoring them.
Changes made in PDF/SWF decompression by adding boundary to the size of
the decompressed data.
Added a null check to prevent copy unless debugHostIp is configured in
AppId.
Fixed issue where FTP file type block doesn't work for retried download.
Resolved issue where Snort is inappropriately handling traffic for which
AppId was creating future flow.
Performance improvements for SIP/RTP audio and video data flow in AppId.
Performance and stability improvements in FTP preprocessor like incorrect
referencing of ftp_data_session after its pruned.
Stability improvement by resolving valgrind reported issues in AppId.
Improved flushing mechanism for HTTP POST header.
Added changes to display AppId for IPv6 unified events.
Fixed issues with printing of messages for out-of-order packets.
Fixed issue in increment of detection filter counter when rule is used in
multiple configurations.
Fixed dynamic preprocessor compilation failure in OpenBSD platform.
Added changes to improve performance of ipvar list comparison.
Enhanced SMTP client detection by allowing line folding and all
authentication methods.
Upgraded to version 2.9.9.0. This is a HUGE bump, so look at the changelog on the Snort website ! For example, Snort does not natively handle MySQL anymore. As for the pkgsrc changes : - updated deps (net/daq) ; - updated config files ; - updated MASTER_SITE ; - some substitution to handle pkgsrc paths ; - updated compile options.
Remove example rc.d scripts from PLISTs. These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or ignored otherwise.
Update to 2.8.5.1, to resolve a security issue.
Upstream NEWS is weak; release notes for 2.8.5.1 follow.
[*] Improvements
* Fixed syslog output when running on Windows.
* Fixed potential segfault when printing IPv6 packets using the -v option.
Thanks to Laurent Gaffie for reporting this issue.
* Fixed segfault when additional policies were added during a configuration
reload.
Convert @exec/@unexec to @pkgdir or drop it.
Remove @dirrm entries from PLISTs
Set MAKE_JOBS_SAFE=NO
Fix non-priv'ed builds which should fix PR 39260
2008-07-24 - Snort 2.8.2.2
[*] Improvements
* Fix issue with evaluating PCRE rule options with /U modifier that
are followed by a relative content rule option.
* Fix issue with dsize range check.
2008-06-12 - Snort 2.8.2.1
[*] Improvements
* Fix support for pass rules that sometimes did not take precedence
over alert and/or drop rules.
pullup ticket #2398 - requested by adrianp
snort: update for fixes & security vulnerability
revisions pulled up:
- pkgsrc/net/snort/Makefile 1.37
- pkgsrc/net/snort/PLIST 1.27
- pkgsrc/net/snort/distinfo 1.43
Module Name: pkgsrc
Committed By: adrianp
Date: Sun May 25 23:49:07 UTC 2008
Modified Files:
pkgsrc/net/snort: Makefile PLIST distinfo
Log Message:
Update to 2.8.1
Includes fix for CVE-2008-1804
[*] New Additions
* Target-Based support to allow rules to use an attribute table
describing services running on various hosts on the network.
Eliminates reliance on port-based rules.
* Support for GRE encapsulation for both IPv4 & IPv6.
* Support for IP over IP tunneling for both IPv4 & IPv6.
* SSL preprocessor to allow ability to not inspect encrypted traffic.
* Ability to read mulitple PCAPs from the command line.
* Support for new CVS rule detection options.
[*] Improvements
* Update to HTTP Inspect to identify overly long HTTP header fields.
* Updates to IPv6 support, including changes to avoid namespace
conflicts for certain Operating systems.
* Updates to address issues seen on various Sparc platforms.
* Stricter enforcement of shared object versions to avoid API
conflicts.
Update to 2.8.1 Includes fix for CVE-2008-1804 [*] New Additions * Target-Based support to allow rules to use an attribute table describing services running on various hosts on the network. Eliminates reliance on port-based rules. * Support for GRE encapsulation for both IPv4 & IPv6. * Support for IP over IP tunneling for both IPv4 & IPv6. * SSL preprocessor to allow ability to not inspect encrypted traffic. * Ability to read mulitple PCAPs from the command line. * Support for new CVS rule detection options. [*] Improvements * Update to HTTP Inspect to identify overly long HTTP header fields. * Updates to IPv6 support, including changes to avoid namespace conflicts for certain Operating systems. * Updates to address issues seen on various Sparc platforms. * Stricter enforcement of shared object versions to avoid API conflicts.
Update to 2.8.0.1 [*] Improvements * Updates to build with new versions of libPCRE. * Fix Stream5 debugging output to actually compile and have correct output for normal & IPv6 enabled builds. * Correct perfmonitor statistic calculation for pattern matcher percentage.
Update to 2.8.0 * Port lists * IPv6 support * Packet performance monitoring * Experimental support for target-based stream and IP frag reassembly * Ability to take actions on preprocessor events * Detection for TCP session hijacking based on MAC address * Unified2 output plugin * Improved performance and detection capabilities
Update to snort 2.6.1.2
2.6.1 provides new functionality including the following:
* New pattern matcher with a significantly reduced memory footprint
* Introduction of stream5 for experimental use
* Improvements to stream4, including UDP session tracking and optimizations for the reassembly buffer
* Handling for reassembly of SMB fragmented data in DCE/RPC
* An ssh preprocessor for experimental use
* Updated Snort decoder that can decode GRE encapsulated packets
* Output plugin to allow Snort to configure Aruba access control
Snort 2.6.0:
* Tcp stream properly reassembled after failed sequence check, which may lead to possible detection evasion.
* Added configurable stream flushpoints.
* Improved rpc processing.
* Improved portscan detection.
* Improved http request processing and handling of possible evasion cases.
* Improved performance monitoring.
The Snort 2.6 release also introduces the ability to use dynamic rules and dynamic preprocessors and contains further improvements to the Snort detection engine.
Remove snort-{pgsql,mysql,prelude}. The new snort package uses options.mk
to specify build options.
Include database schemas in the install
Bump snort{-mysql,-pgsql} to nb1
Update snort to 2.4.0 If you are using this package make note of the distribution change mentioned below. I have update the MESSAGE to inform users of this and there is now also a net/snort-rules package with the community rules. > [*] Distribution Change > * Rules are no longer distributed as part of the Snort releases, they are > available as a separate download from snort.org. This was done for > three reasons: > 1) To better manage the new rules licensing. > 2) To reduce the size of the engine download. > 3) To move the thousands of documentation files for the rules into > the rules tarballs. If you've ever checked Snort out of CVS you'll > know why this is a Good Thing. > > [*] New additions > * Added new IP defragmentation preprocessor, Frag3. The frag3 preprocessor > is a target-based IP defragmentation module, and is intended as a > replacement for the frag2 module. Check out the README.frag3 for full > info on this new preprocessor. > > * Libprelude support has been added (enable with --enable-prelude). > Thanks Yoann Vandoorselaere! > > * An "ftpbounce" rule detection plugin was added for easier detection of > FTP bounce attacks. > > * Added a new Snort config option, "ignore_ports," to ignore packets > based on port number. This is similar to bpf filters, but done within > snort.conf. > > [*] Improvements > * Snort startup messages printed in syslog now contain a PID before each > entry. Thanks Sekure for initially bringing this up. > > * Stream4: Performance improvements. > > * Stream4: Added 'max_session_limit' option which limits number of > concurrent sessions tracked. Added favor_old/favor_new options that > affect order in which packets are put together for reassembly. > > * Stream4: New configuration options to manage flushpoints for improved > anti-evasion. The flush_behavior option selects flushpoint management > mode. New flush_base, flush_range, and flush_seed manage randomized > flushing. Check out the snort.conf file for full config data on the > new flush options. > > * Added two more alerts for BackOrifice client and server packets. This > allows specific alerts to be suppressed. > > * PerfMon preprocessor updated to include more detailed stats for rebuilt > packets (applayer, wire, fragmented & TCP). Also added 'atexitonly' > option that dumps stats at exit of snort, and command line -Z flag to > specify the file to which stats are logged. > > * Added new Http Inspect config item, "tab_uri_delimiter," which if > specified, lets a tab character (0x09) act as the delimiter for a URI. > > * Added a '-G' command line flag to snort that specifies the Snort > instance log identifier. It takes a single argument that can be either > hex (prefaced with 0x) or decimal. The unified log files will include > the instance ID when the -G flag is used. > > * "Same SRC/DST" (sid 527) and "Loopback Traffic" (sid 528) are now > handled in the IP decoder. Those sids are now considered obsolete. > > * Http_Inspect "flow_depth" option now accepts a -1 value which tells > Snort to ignore all server-side traffic. > > * RPMs have been updated to be more portable, and also now include a > "--with inline" option for those wanting to build Inline RPMs. Thanks > Daniel Wittenberg and JP Vossen for your help! > > * Many, many bug fixes have also gone into this release, please see the > ChangeLog for details.
RCD_SCRIPTS_EXAMPLEDIR is no longer customizable. And always is defined as share/examples/rc.d which was the default before. This rc.d scripts are not automatically added to PLISTs now also. So add to each corresponding PLIST as required. This was discussed on tech-pkg in late January and late April. Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
- Update snort to 2.3.3
- Fix /var => ${VARBASE}
- Changes Include:
> * Issues with suppressing sfPortscan Open Ports have been fixed.
>
> * Added a new mini-preprocessor to catch the X-Link2State
> vulnerability. This preprocessor can be configured to drop the
> offending connection when in Inline-mode. Please read snort.conf or
> the snort manual for more details. This preprocessor is enabled by
> default in snort.conf.
- Update snort from 2.3.0 -> 2.3.2 2005-03-10 - Snort 2.3.2 Released * Removed end-of-line parser fix in favor of completely reworking this at the next parser overhaul. 2005-03-09 - Snort 2.3.1 Released * Fixed issue where the number of flowbits were too small. Thanks Marc Norton for the fix. * Fixed parsing of comments at end of line in config file. In snort.conf, anything that follows a # on a line is considered a comment. Thanks Steve Sturges for the fix. * Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX. Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and Jonathan Miner for working with us on this.
Pullup ticket 267 - requested by Adrian Portelli
security fix for snort
Revisions pulled up:
- pkgsrc/net/snort/Makefile.common 1.17
- pkgsrc/net/snort/PLIST 1.18
- pkgsrc/net/snort/distinfo 1.24
- pkgsrc/net/snort-mysql/Makefile 1.12
- pkgsrc/net/snort-contrib/DESCR removed
- pkgsrc/net/snort-contrib/Makefile removed
- pkgsrc/net/snort-contrib/PLIST removed
- pkgsrc/net/snort-contrib/distinfo removed
Module Name: pkgsrc
Committed By: adrianp
Date: Fri Jan 28 23:02:41 UTC 2005
Modified Files:
pkgsrc/net/snort: Makefile Makefile.common PLIST
Log Message:
Update to snort 2.3.0
2005-01-25 - Snort 2.3.0 Final Released
* Fixed issue with sfPortscan reporting incorrect IP datagram length.
Thanks Jon Hart for the test case and finding the bug, and Marc Norton
for resolving the issue.
* Threshold/Suppression now prints properly when logging to syslog.
Thanks Sekure for pointing out the problem. Thanks Steve Sturges for
working on the fix.
* Threshold memcap argument now correctly handles non-integer input.
Thanks nnposter for the patch.
* Fixed issue reported by Allan Jensen, where on MacOS X, ppp links were
not decoded properly. Thanks Dan Roelker for the fix.
* Snort manual and FAQ are updated for 2.3. Thanks Jen Harvey for your
work on putting it all together.
2004-12-15 - Snort 2.3.0 RC2 Released
* Small performance improvement to arpspoof and also fixed a problem
where the list of configured IP/MAC entries would contain only one
entry and leaked memory (Jeff Nathan).
* Fixed a problem affecting MacOS X where linking may fail with
non-standard libraries when global symbols are encountered multiple
times (Jeff Nathan).
* Ignore RST|ACK midstream pickup case so we don't get an evasive TCP
alerts. Thanks for the report, Sekure. Thanks Dan Roelker for the fix.
* Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the
logdir config will work if the default or command-line logdir does not
exist on the system. Thanks Dan Roelker.
* Fixed bug when setting the doe_ptr on a successful pcre match.
It is now set relative to base_ptr. Thanks Steve Sturges for the
fix.
* Added from_beginning and multiplier options for byte_jump.
from_beginning skips bytes from the beginning of the content,
instead of from the location immediately following the number
of bytes to skip. multiplier takes a numeric argument, and
skips x times that number of bytes. Thanks again to Steve Sturges.
* In "fast" output, now log only actual packet contents when UDP
data length is greater than actual data length. Thanks Brian
Caswell for spotting this, and Andrew Mullican for working on the fix.
* Please check the ChangeLog for further details.
2004-11-18 - Snort 2.3.0 RC1 Released
* Added IPS functionality from Snort-Inline. A big thanks to the
Snort-Inline guys (Jed Haile, Rob McMillen, William Metcalf, and Victor
Julien). Also, Thanks Dan Roelker for doing the integrating of
Snort-Inline into the official Snort project.
* Added new portscan detector. The design and implementation was headed
up by Dan Roelker, and included Marc Norton and Jeremy Hewlett.
* Numerous changes for better 64bit Snort support from Jeremy Hewlett and
Marc Norton. Additionally, an --enable-64bit-gcc option was added to
configure. However, there are still some memory alignment issues to
work out before 64bit mode is fully functional, patches are welcomed.
Thanks Chris Baker for doing 64bit testing.
* Added not_established keyword to the flow detection option. This allows
snort to do dynamic firewall rulesets. Experimental for now.
* Added an enforce_state keyword to stream4 so we won't pick up midstream
sessions. This works well for asynchronous links and also for
just monitoring legitimate traffic.
* Relocated ./contrib files to http://www.snort.org/dl/contrib as many
are not maintained by Sourcefire and are out of date. The rpm and
schema files have been relocated in their respective 'rpm' and 'schemas'
directories under the snort parent directory.
* perfmonitor config line can now be configured with "accumulate" or
"reset." Thanks Marc Norton for the feature, and Barry Basselgia for
pointing out the issue. Thanks Scott Dexter and Andreas Ostling for
doing some initial testing.
* Fixed 64-bit bug in sfmemcap.c found and tested by Ryan Matteson
and Clay McClure. Thanks guys.
* Fixed reference times to match log time for first packet, for an event
generated by a reassembled packet. Incremented event ID to give
unique ID for each packet. Also made unified logging compatible with
Windows. Thanks Andrew Mullican for the fix.
* Fixed linux perfmonitoring stats for the 2.6 kernel. Thanks to
everyone that reported this bug. Thanks Dan Roelker for the fix.
* Get thresholding/suppression to work for alerts that do not
contain an ip header (primarily decode alerts). Thanks
Brian Caswell.
* Fix conditions where snort would log double web alerts that
contained only content options (no uricontents). Thanks to kawa for
finding and reporting this bug.
* Fix suppression/thresholding bug for non-rule alerts. Thanks to
Alex Butcher for reporting it to us.
* Many other bug fixes, please check the ChangeLog for details.
---
Module Name: pkgsrc
Committed By: taca
Date: Sat Jan 29 03:27:58 UTC 2005
Modified Files:
pkgsrc/net/snort: distinfo
Log Message:
Update distinfo for snort-2.3.0.
---
Module Name: pkgsrc
Committed By: adrianp
Date: Fri Jan 28 23:03:59 UTC 2005
Modified Files:
pkgsrc/net/snort-mysql: Makefile
Log Message:
Sync and minor tidy up for snort 2.3.0 release.
---
Module Name: pkgsrc
Committed By: adrianp
Date: Fri Jan 28 22:51:27 UTC 2005
Removed Files:
pkgsrc/net/snort-contrib: DESCR Makefile PLIST distinfo
Log Message:
As of snort 2.3.0 all contrib files are now available from:
http://www.snort.org/dl/contrib/
Update to snort 2.3.0 2005-01-25 - Snort 2.3.0 Final Released * Fixed issue with sfPortscan reporting incorrect IP datagram length. Thanks Jon Hart for the test case and finding the bug, and Marc Norton for resolving the issue. * Threshold/Suppression now prints properly when logging to syslog. Thanks Sekure for pointing out the problem. Thanks Steve Sturges for working on the fix. * Threshold memcap argument now correctly handles non-integer input. Thanks nnposter for the patch. * Fixed issue reported by Allan Jensen, where on MacOS X, ppp links were not decoded properly. Thanks Dan Roelker for the fix. * Snort manual and FAQ are updated for 2.3. Thanks Jen Harvey for your work on putting it all together. 2004-12-15 - Snort 2.3.0 RC2 Released * Small performance improvement to arpspoof and also fixed a problem where the list of configured IP/MAC entries would contain only one entry and leaked memory (Jeff Nathan). * Fixed a problem affecting MacOS X where linking may fail with non-standard libraries when global symbols are encountered multiple times (Jeff Nathan). * Ignore RST|ACK midstream pickup case so we don't get an evasive TCP alerts. Thanks for the report, Sekure. Thanks Dan Roelker for the fix. * Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the logdir config will work if the default or command-line logdir does not exist on the system. Thanks Dan Roelker. * Fixed bug when setting the doe_ptr on a successful pcre match. It is now set relative to base_ptr. Thanks Steve Sturges for the fix. * Added from_beginning and multiplier options for byte_jump. from_beginning skips bytes from the beginning of the content, instead of from the location immediately following the number of bytes to skip. multiplier takes a numeric argument, and skips x times that number of bytes. Thanks again to Steve Sturges. * In "fast" output, now log only actual packet contents when UDP data length is greater than actual data length. Thanks Brian Caswell for spotting this, and Andrew Mullican for working on the fix. * Please check the ChangeLog for further details. 2004-11-18 - Snort 2.3.0 RC1 Released * Added IPS functionality from Snort-Inline. A big thanks to the Snort-Inline guys (Jed Haile, Rob McMillen, William Metcalf, and Victor Julien). Also, Thanks Dan Roelker for doing the integrating of Snort-Inline into the official Snort project. * Added new portscan detector. The design and implementation was headed up by Dan Roelker, and included Marc Norton and Jeremy Hewlett. * Numerous changes for better 64bit Snort support from Jeremy Hewlett and Marc Norton. Additionally, an --enable-64bit-gcc option was added to configure. However, there are still some memory alignment issues to work out before 64bit mode is fully functional, patches are welcomed. Thanks Chris Baker for doing 64bit testing. * Added not_established keyword to the flow detection option. This allows snort to do dynamic firewall rulesets. Experimental for now. * Added an enforce_state keyword to stream4 so we won't pick up midstream sessions. This works well for asynchronous links and also for just monitoring legitimate traffic. * Relocated ./contrib files to http://www.snort.org/dl/contrib as many are not maintained by Sourcefire and are out of date. The rpm and schema files have been relocated in their respective 'rpm' and 'schemas' directories under the snort parent directory. * perfmonitor config line can now be configured with "accumulate" or "reset." Thanks Marc Norton for the feature, and Barry Basselgia for pointing out the issue. Thanks Scott Dexter and Andreas Ostling for doing some initial testing. * Fixed 64-bit bug in sfmemcap.c found and tested by Ryan Matteson and Clay McClure. Thanks guys. * Fixed reference times to match log time for first packet, for an event generated by a reassembled packet. Incremented event ID to give unique ID for each packet. Also made unified logging compatible with Windows. Thanks Andrew Mullican for the fix. * Fixed linux perfmonitoring stats for the 2.6 kernel. Thanks to everyone that reported this bug. Thanks Dan Roelker for the fix. * Get thresholding/suppression to work for alerts that do not contain an ip header (primarily decode alerts). Thanks Brian Caswell. * Fix conditions where snort would log double web alerts that contained only content options (no uricontents). Thanks to kawa for finding and reporting this bug. * Fix suppression/thresholding bug for non-rule alerts. Thanks to Alex Butcher for reporting it to us. * Many other bug fixes, please check the ChangeLog for details.
Do a conditional remove of the share/snort directory so it does not conflict with the new snort-contib package.
- Update snort to 2.2.0 - ok'ed snj@, wiz@ - Install database scripts which goes a part-way to addressing PR 18996 Updated database schema diagram from Chris Reid. Schema can be found in ./doc/snort_schema_v106.pdf Added --include-pcre* configuration option to help cross compiling. Thanks Erik de Castro Lopo. Fixed thresholding/suppression issue with queuing multiple events per packet. Thanks Andreas Ostling. When a rebuilt stream causes an alert, log out the original packets instead of the rebuilt packet. Thanks sekure@gmail.com for the report. Turned off http_inspect alerts that were causing false positives in the preset webserver profiles (Thanks Dan Roelker). Turn off encoding alerts in HTTP parameter field. The parameter field is still normalized, it just doesn't alert. This helps reduce alerts that are generated from complex parameter queries (Thanks Dan Roelker). Fixed memory leak in "fast" output. Thanks for your bug report sekure@gmail.com. Clear error code which under Windows was causing a subsequent false failure in parsing threshold rules. (Thanks to Rich Adamson) Further details can be found in Changelog and RELEASE.NOTES.
- Upgrade snort to 2.1.3
- Grab maintainership of the package (with ok of previous owner)
- Use SUBST_* code
Ok'ed wiz@, snj@, salo@
From the changelog:
2004-05-06 Daniel Roelker <droelker@sourcefire.com>
* src/detection-plugins/sp_pattern_match.c:
Fixed rule read up error when parsing hexmode content options.
Thanks for pointing it out Toni Maatta. (Roelker)
* src/preprocessors/spp_stream4.c:
Fixed null pointer dereference when detect_scans were enabled and
creating a new session that had funky flags. Thanks to Chad
Kreimendahl for reporting the bug and testing the fix. (Roelker)
2004-04-20 Daniel Roelker <droelker@sourcefire.com>
* src/event_queue.c:
* src/event_queue.h:
* src/sfutil/sfeventq.c:
* src/sfutil/sfeventq.h:
Added multi-event queueing in Snort. Snort now supports logging
multiple events per packet, and prioritizing those events using
different methods. Thanks to H.D. Moore for illustrating event
obfuscations when snort only logged one event per packet. (Roelker)
* src/snort.c:
* src/decode.c:
* src/detect.c:
* src/fpcreate.c:
* src/fpdetect.c:
* src/preprocessors/spp_arpspoof.c:
* src/preprocessors/spp_bo.c:
* src/preprocessors/spp_frag2.c:
* src/preprocessors/snort_httpinspect.c:
* src/preprocessors/spp_rpc_decode.c:
* src/preprocessors/spp_stream4.c:
Updated event generators to use new event queueing sytem. (Roelker)
* src/output-plugins/spo_alert_fast.c:
Added newline to 'cmg' alert output, so IP decode is easier to
read. (Roelker)
* src/output-plugins/spo_database.c:
Updated how current/utc times are calculated, as well as how they are
formatted, thanks Marcus Janoski. (Reid)
* src/parser.c:
Error on unterminated IP lists. Added 'config event_queue' parameter.
Configuration changes to 'config checksum_mode' for specifying
which checksums to do. (Norton)
* src/plugbase.h:
Fixes from Chris Reid for timestamp routines. (Reid)
* src/tag.c:
Revert to old tag functionality. Will add proposed tagging
configurations in the future. (Roelker)
mk/bsd.pkg.install.mk now automatically registers
the RCD_SCRIPTS rc.d script(s) to the PLIST.
This GENERATE_PLIST idea is part of Greg A. Woods'
PR #22954.
This helps when the RC_SCRIPTS are installed to
a different ${RCD_SCRIPTS_EXAMPLEDIR}. (Later,
the default RCD_SCRIPTS_EXAMPLEDIR will be changed
to be more clear that they are the examples.)
These patches also remove the etc/rc.d/ scripts from PLISTs
(of packages that use RCD_SCRIPTS). (This also removes
now unused references from openssh* makefiles. Note that
qmail package has not been changed yet.)
I have been doing automatic PLIST registration for RC_SCRIPTS
for over a year. Not all of these packages have been tested,
but many have been tested and used.
Somethings maybe to do:
- a few packages still manually install the rc.d scripts to
hard-coded etc/rc.d. These need to be fixed.
- maybe remove from mk/${OPSYS}.pkg.dist mtree specifications too.
Update to snort-2.1.2. From Adrian Portelli in PR pkg/25029. While here, convert to buildlink3. Changes: * Various portability fixes. * Fixed conversation parsing faults so users can operate this preprocessor * Detect non-rfc standard chunk encodings. Detect abnormal HTTP requests with newlines, spaces, etc. before the request method. * Fix negative stats output on snort exit or SIGUSR1. * Removed escaping of '%' and '_' characters in MySQL * Various documentation fixes/updates. * Added Flowbits detection functionality. * Added utility to parse out perfmon stats. * Tagged Packets no longer have NULL msg name. * Fixed http_inspect double alerting on pkts and rebuilt streams. * http_inspect proxy_alert now supports normal proxy networks setups. http_inspect default server only valid if specified in config. * Close Socket when Snort receives SIGHUP. * Added GID, SID, and Rev to csv output. * config chroot readded. * Added additional error checking for custom rules. * Flow now honors -q (quiet). * Removed non_rfc_chars from default profiles. * Added suppression negation. * Better support for ODBC. Better memory management. Improved escaping of SQL strings. * Other miscellaneous bugfixes.
Update to version 2.1.0. Changes: 2.1.0: ====== - A new connection tracking module, Flow (replaces conversation) - A new portscan detector based off of Flow, Flow-Portscan (replaces portscan2) - A new http preprocessor, HttpInspect (replaces http_decode) - Alert Thresholding and Suppression - PCRE rule keyword (Perl Compat Regular Expressions) - isdataat rule keyword (buffer length detection) - A ton of new and updated rules. 2.0.6: ====== - 64-bit update for detection engine. (Thanks, Silio d'Angelo) - Added better PPP decoding. (Thanks Jesper Peterson) - Updated ip_proto optimization for high-speed detection engine. - Fixed infinite loop problem that was introduced by the recursive pattern matching patch. Reported by Lawrence Reed, thanks for testing out the changes for us! - Various changes to help respond (version 1) work a little better. - spp_http_decode 64-bit patch from Dirk Mueller. - Out-of-order ACK problem from Andrew Rucker. Also, updated stream4 to the most recent version from HEAD. - Minor fixes to tagging related to 'src' and 'dst' directives - When counting one byte patterns in 'ningroup' added a check for psLen==1 (wu-manber pattern matcher). Thanks Josh Sakofsky and Dennis McGuire for helping us test this. 2.0.5: ====== - Stream4 fixes from Andrew Rucker Jones. - Allow memcap to be configured for threshold features. 2.0.4: ====== - Fixed a core dump introduced with 2.0.3 when dealing with negated patterns 2.0.3: ====== - doe_ptr handling in byte_test/byte_jump slightly modified to work better with the pcre patch - content processing is now recursive to make distance/within processing better ( thanks to Shai Rubin for patch! ) - fixed a bug in the mwm.c pattern matcher that resulted in some alerts not firing in a particular configuration of rules 2.0.2: ====== - Added Thresholding and Suppression features (Marc Norton/Sourcefire) - Fixed TCP RST processing bug found (Shai Rubin) - Cleanup of spp_arpspoof (Jeff Nathan) - Cleanup of win32 version including proper Event Log support (Chris Reid) - Munged data fixes for stream4 (Chris Green)
Update to version 2.0.2. Patch from Adrian Portelli via PR pkg/22900. Changes: - Added Thresholding and Suppression features (Marc Norton/Sourcefire) - Fixed TCP RST processing bug found (Shai Rubin) - Cleanup of spp_arpspoof (Jeff Nathan) - Cleanup of win32 version including proper Event Log support (Chris Reid) - Munged data fixes for stream4 (Chris Green)
Updated to version 2.0.1. Changes: - fix host endianess problem in udp decoder - vlan decoding fixes from Michael Pomraning - add tcp state checking to httpflow - ignoring bad checksums throughout snort if checksumming is turned on - config disable_ttcp_alerts is now also config disable_tcpopt_ttcp_alerts - better initialization handling of low memory conditions pointing to the - low memory search engine - byte_jump / byte_test 2 byte cases handled and unified - correctly assign port numbers on tcpoption events - pass rule logic changed to "win" in specific multiple event cases - named interface support for win32 from the winpcap folks - spp_bo now also will work with log-only output plugins - added window detection plugin documentation to manual - lots of new rules and tons of rule documentation
Pull up revision 1.9 (requested by salo in ticket #1257): Updated to version 2.0.0. [security fix]
Updated to version 2.0.0.
IMPORTANT: This version fixes remotely exploitable heap overflow in the stream4
preprocessor module.
Advisory: http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
Changes:
2.0.0:
======
- Enhanced high-performance detection engine
- Stateful Pattern Matching
- New detection keywords: byte_test & byte_jump
- The Snort code base has undergone an external third party professional
security audit funded by Sourcefire (http://www.sourcefire.com)
- Many new and updated rules
- snort.conf has been updated
- Enhancements to self preservation mechanisms in stream4 and frag2
- State tracking fixes in stream4
- New HTTP flow analyzer
- Enhanced protocol decoding (TCP options, 802.1q, etc)
- Enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc)
- Enhanced flexresp mode for real-time TCP session sniping
- Better chroot()'ing
- Tagging system updated
- Several million bugs addressed....
- Updated FAQ (thanks to Erek Adams and Dragos Ruiu) Snort 2.0 can be
downloaded at http://www.snort.org/dl/snort-2.0.0.tar.gz. Binary
versions of the codebase will be built over the next several days and
made available at here.
2.0.rc4:
========
- byte_jump/byte_test don't force relative content options
- byte_jump/byte_test absolute offsets work
- Better FIN handling in Stream4
2.0.rc3:
========
- A low memory usage detection method (enabled via "config detection:
search-method lowmem")
- Moved the default unix socket location to LOGDIR
2.0.rc2:
========
- syslog should work on win32 and unix
- major tagging updates
- new UDP decoding alerts
- snort.conf updates
2.0.rc1:
========
- Higher performance (due to a new pattern matcher and rebuilt detection
engine)
- Better decoders
- Enhanced stream reassembly and defragmentation
- Tons of bug fixes
- Updated rules
- Updated snort.conf
- New detection keywords (byte_test, byte_jump, distance, within) &
stateful pattern matching
- New HTTP flow analyzer
- Enhanced anomaly detection (HTTP, RPC, TCP, IP, etc)
- Better self preservation in stateful subsystems
- Xrefs fixed
- Flexresp works faster and more effectively
- Better chroot()'ing
- Fixed 802.1q decoding
- Better async state handling
- New alerting option: -A cmg!!
Pullup rev 1.8 (from ticket 1192 requested by salo) Snort RPC preprocessing buffer overflow when decoding fragmented RPC records (http://www.kb.cert.org/vuls/id/916785). Versions affected <1.9.1.
Updated to version 1.9.1. This version fixes the buffer overflow issue noted in: http://www.kb.cert.org/vuls/id/916785 Changes: - follow PKG_SYSCONFDIR - added rc.d script - create own user and group - added MESSAGE with post-install instructions - removed DEINSTALL - minor cleanups (this package was really half-baked..) 1.9.1: ====== - src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode): - alignment errors on non-x86 platforms - added new space delimited options alert_fragments no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete - corrected buffer overflow in fragment normalization - src/snort.c - Win32 '-s' parameter wasn't configured to accept an optarg, but code expected one, causing null-pointer violation. - Backport of 2.0 fixes for stream4 ( off by one errors on reassembly )
Replace "true" by "${TRUE}".
Update snort to 1.9.0. Changes: Lots of new rules, extended analyzing of packages etc. Fixes PR 18637 by Adrian Portelli <adrianp@stindustries.net>
Update snort to 1.8.4 (update was provided by Mipam <mipam@ibb.net> in a private mail -- thanks!) Changes are: * Fixed stream4 offset initialization * Double Open of snort log file * Lots of new rules * Fatal error on problems other than -> and <> * Fixed stream4 several low memory conditions * Error checking in stream4/frag2 argument parsing * snortdb schema updates to 1.05 * --with-pcap-includes should now look at specified pcap * packet statistics now should be more accurate with regards to lost packets werwerwerwerwer * double PID file write * S4 alignment problems on Sparc fixed * new snmptrap code * documentation updates * Stability fixes in frag2
add leftovers
mkdir -> ${MKDIR}
rmdir -> ${RMDIR}
rm -> ${RM} (${RM} added to PLIST_SUBST)
chmod -> ${CHMOD}
chown -> ${CHOWN}
Update snort to 1.8.2; changes since 1.8.1 include:
* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting
a signal
* fixed PID path generation code, PID files go in the right place
now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which
causes all buffered packets in the stream reassembler for that
session to be logged in the event of an event on that stream
(must be used in conjunction with spo_log_tcpdump)
* added packet precacheing for flexresp TCP packets, responses
should be generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system
Move pkg/ files into package's toplevel directory