]>
Commit | Line | Data |
---|---|---|
a346713f PBG |
1 | 2024-03-24: 3.1.83.0 |
2 | ||
3 | * detection: use correct packet in trace logs | |
4 | * doc: add libml to optional dependencies | |
5 | * flow: add filter to dump flows | |
6 | * flow: fix UT | |
7 | * hash: exception handling for random device | |
8 | * packet_capture: fixed wrong dlt in pcap header when nfq is used | |
9 | * stream: count retransmits when we disable content rules | |
10 | * trace: replace colon delimiter for tenant with whitespace in the trace_logger output | |
11 | ||
bd6cbf1b PBG |
12 | 2024-03-12: 3.1.82.0 |
13 | ||
14 | * appid: broadcast commands with ctrlcon | |
15 | * appid: change eve pattern matching logic | |
16 | * appid: replaced warning log with logging api for CBD | |
17 | * file_api: do not clear the file capture and user file data pointers when updating the verdict from the cache | |
18 | * filters: updated dyn array with vector | |
19 | * flow: updated flow_data linklist with STL container | |
20 | * framework: validate parameter of number type in a string form | |
21 | * kaizen: rename to Snort ML | |
22 | * main: clear lua stack when registering commands in a shell | |
23 | * main: reset main-thread stats from the main thread | |
24 | * main: update limits help | |
25 | * packet_capture: add packet capturing per tenant | |
26 | * sfip: remove references to unused mode feature | |
27 | * sfip: zero out var/node pointers after operations to remedy heap-use-after-free on reload | |
28 | * smb: fix for improper session cache destruction in tterm during config reload | |
29 | * snort2lua: change deprecated use of ptr_fn to lambda | |
30 | * stats: fix timing stats | |
31 | * stats: perf improvement changes | |
32 | * stream: remove splitter from session before inspectors | |
33 | * stream_tcp: add reasons for drops due to trims | |
34 | * stream_tcp: implement support for proxy mode normalization behavior | |
35 | * stream_tcp: update documentation for stream TCP alerts to include the new 129:21 and 129:22 alerts | |
36 | * trace: add tenants logging | |
37 | ||
be0977a3 SC |
38 | 2024-02-20: 3.1.81.0 |
39 | ||
40 | * appid: check tenant_match() if required | |
41 | * appid: log error message instead of fatal error if appid stats logfile is not accessible | |
42 | * appid: Lowering max packet count before service fail | |
43 | * control: Adds counting to ctrlcon blocked to allow for nested commands | |
44 | * detection: add c'tors, use new instead of snort_calloc | |
45 | * detection: copy ip var name in dup_rtn | |
46 | * flow: added ips event suppression flags | |
47 | * host_cache: fixed update_stats to remove race_condition | |
48 | * http_inspect: recreate JSNorm if reload takes place inside transaction | |
49 | * ips_context: add lazy-allocation of alt buffer | |
50 | * kaizen: provide an option to enable Kaizen's mock | |
51 | * kaizen: remove redundant semicolon and add explicit cast | |
52 | * kaizen: rename modules | |
53 | * lua: improve spell of wizard for HTTP | |
54 | * memory: prevent data race between main and packet threads | |
55 | * service_inspectors: add check for JSNorm config actuality | |
56 | * stream_tcp: add alerts for exceeding thresholds for max queued bytes or segments | |
57 | * stream_tcp: add check to verify seglist head is not nullptr and only initialize PAF when it is not | |
58 | * utils: add macro for setting thread name | |
59 | ||
40d9b873 SC |
60 | 2024-02-01: 3.1.79.0 |
61 | ||
a3d4f30c SC |
62 | * appid: add tenants filter for appid debug |
63 | * appid: process organization unit instead of organization name | |
64 | * appid: return false in is_appid_inspecting_session for quic if not decrypting | |
65 | * appid: update peg counts to be thread safe | |
66 | * coverity: fix for stream and hash | |
67 | * filters: make rate_filter multithreaded + some cleanup | |
68 | * kaizen: add dev_notes.txt | |
69 | * kaizen: change default value of uri_depth to -1 | |
70 | * kaizen: change kaizen gid to 411 | |
71 | * kaizen: extend mock object with simple matching mechanism | |
72 | * kaizen: make kaizen configurable per policy | |
73 | * kaizen: register module only when LibML present or REG_TEST defined | |
74 | * kaizen: update copyright | |
75 | * mercury: updating alpn info without sni in 7.6 | |
76 | * network_inspectors: add kaizen ML based exploit detector | |
77 | * packet_tracer: add tenants to filters | |
78 | * profiler: improve multithread rule percentage calculation | |
79 | * ssl: heap overflow issue when processing handshake records | |
80 | * stream_tcp: correct labeling of in-sequence and out-of-sequence packets | |
81 | * stream_tcp: persist disable_reassembly in Flow | |
82 | * stream_tcp: set packet direction flag based on direction saved in reassembly state | |
40d9b873 | 83 | |
5fa858fd PBG |
84 | 2024-01-16: 3.1.78.0 |
85 | ||
86 | * appid: print odp version and odp detector count on startup | |
87 | * copyright: update year to 2024 | |
88 | * doc: update arg list for "generate_builtin.sh". Add parity to "generate_" scripts arg list, thanks to @puck(https://github.com/puck) | |
89 | * main: fix inconsistent lua variables assignment | |
90 | * parser: fix --dump-rule-meta for negated ports | |
91 | ||
878c5eb4 PBG |
92 | 2023-12-20: 3.1.77.0 |
93 | ||
94 | * appid: add http3 to the list of ssl protocols as http3 will always be inside quic and encrypted | |
95 | * appid: do not delete hsession for http3 | |
96 | * appid: fix coverity issues | |
97 | * appid: lua logging doc update | |
98 | * build: arm compilation support | |
99 | * catch: add boost software license for catch.hpp | |
100 | * detection: adjust built-in GID range to 40-999 | |
101 | * detection: collect matched buffers on IpsContext | |
102 | * flow: add tenant ID to FlowKey | |
103 | * host_cache: fix race condition on peg counts | |
104 | * http_inspect: publish HTTP/1 request bodies, track MIME boundary | |
105 | * main: fix reload_id data race | |
106 | * parser: add CWD to conf search order | |
107 | * profiler: change time tracking for "rule_time (%)" field in rule_profiler output | |
108 | * profiler: dump memory profiler stats at frequent interval | |
109 | * pub_sub: add get_client_body and is_mime methods | |
110 | * ssl: stopping inspection once client or server app packet is found | |
111 | * utils: add get_file_size | |
112 | ||
f8731435 PBG |
113 | 2023-12-03: 3.1.76.0 |
114 | ||
115 | * appid: added missed cppcheck warning | |
116 | * appid: adding support for memory profiling of third party lib | |
117 | * appid: additional check for lua logging | |
118 | * appid: fixing coverity issues | |
119 | * dns: fix parsing 'additionals' section in dns response | |
120 | * flow_cache: added new protocol base counters | |
121 | * pegs: make add_peg_count and set_peg_count protected to be available for the derived class | |
122 | * perf_mon: fix variable name issue reported by cppcheck | |
123 | ||
815c68b5 PBG |
124 | 2023-11-19: 3.1.75.0 |
125 | ||
126 | * appid: add appId for DNS over QUIC and DNS over HTTP/3 to application_ids.h | |
127 | * decompress: use list for OLE file entries to guarantee their order in file_data | |
128 | * detection: setting flag for flows with affected logging due to event filter | |
129 | ||
7acc98e2 PBG |
130 | 2023-11-07: 3.1.74.0 |
131 | ||
132 | * actions, detection, file_api, flow, stream: coverity fixes | |
133 | * appid: clean up main thread appid debug and make appid on, off, on work | |
134 | * appid: lua log function with appiddebug check | |
135 | * build: address miscellaneous cppcheck warnings | |
136 | * build: fix up 32-bit compilation | |
137 | * build: fix coverity and cppcheck issues | |
138 | * build: remove unused functions reported by cppcheck | |
139 | * codecs: fix bad checksum when auth(51) protocol header is present between IP and TCP layer. | |
140 | * dce_rpc: added SMB Redesigned Multichannel enabled code | |
141 | * http_inspect: add correct handling of configuration error | |
142 | * ips_options: fix ack option | |
143 | * ips_options: fix flow bits | |
144 | * packet_io: fix incorrect counters caused by data plane counters reset | |
145 | * search_tool: allow an override of the search method | |
146 | * search_tool: fall back to normal mpse if no snort config | |
147 | ||
485d012f PBG |
148 | 2023-10-23: 3.1.73.0 |
149 | ||
150 | * appid: added support for appid trace logs with multiple logging levels | |
151 | * appid: fixing cppcheck issue | |
152 | * control: code refactor to support all unix flavors | |
153 | * detection: fix cleaning of rule profiling stats when profiling starts | |
154 | * host_cache: added segmented cache | |
155 | * http_inspect: handle reserved gzip flags | |
156 | * http_inspect: response to 0.9 isn't necessarily 0.9 | |
157 | * profiler: extend field length to support uint64 | |
158 | * stream: skip duplicated alerts in TcpReassemblerState's list. Thanks wenhao-in-chengdu for reporting the issue and suggesting a fix. | |
159 | * stream_tcp: ignore normalization checks when in midstream state | |
160 | ||
bc00486b PBG |
161 | 2023-10-10: 3.1.72.0 |
162 | ||
163 | * active: added API for printing delayed action string | |
164 | * appid: support to get correct http session based on stream_id | |
165 | * control: allow one command at a time | |
166 | * dce_rpc: using reset_using_rpkt() inline to what is there in eval() of SMB inspector code as well | |
167 | * flow_cache: added protocol base LRU caches | |
168 | * helpers: increase buffer space for function names, allow printing truncated names | |
169 | * http_inspect: clear fake headers snapshot for 0.9 response | |
170 | * http_inspect: run detection on failed utf decoding | |
171 | * memory: change NOW type counts to SUM type, where necessary | |
172 | * packet_io: fix daq stats | |
173 | * stream_tcp: accept 1 byte of trimmed probe data after zero window | |
174 | * stream_tcp: update rcv_nxt appropriately for each segment | |
175 | * tcp: timeout for embryonic and idle session | |
176 | ||
2a2ea9b6 PBG |
177 | 2023-09-25: 3.1.71.0 |
178 | ||
179 | * appid, http_inspect, http2_inspect: create appid session if not present in decrypt event handler, add message section as part of StreamFlowIntf for httpx | |
180 | * codecs: Add IPv6 Reserved Address to GID:116 Rules | |
181 | * detection: avoid multiple fixups of duplicated trees | |
182 | * detection: fix of default ips policy switching | |
183 | * flow: allow reinspection for blocked icmp flows after reload | |
184 | * flow: generate flow setup and established events for ha flows | |
185 | * host_cache: cppcheck fix | |
186 | * http2_inspect: fix http2 frame length for logging | |
187 | * main: fix signals handling after failed started instances | |
188 | * main: reset_stats argument type improvement | |
189 | * parser: add file_id rule syntax evaluation | |
190 | * smtp: add alert for mixed LF and CRLF | |
191 | * smtp: process DATA\n (no \r) | |
192 | * stream: extend list of arguments for extra data logging | |
193 | * stream_tcp: ensure all data segments after a zero window are blocked when NAP is inline | |
194 | * stream_tcp: examine whether a segment plugs a hole before blocking due to exceeding queue_limit | |
195 | ||
196 | 2023-09-10: 3.1.70.0 | |
c52b1bfd PBG |
197 | |
198 | * appid: makes regex error more of a warning | |
199 | * detection: fix assert expression | |
200 | * helpers: improve hyperscan_search error message | |
201 | * host_cache: added segmented host cache | |
202 | * main: prevent reloading unprepared thread | |
203 | * search_engines: allow a snort config to be passed to find_all | |
204 | ||
0649974b PBG |
205 | 2023-08-27: 3.1.69.0 |
206 | ||
207 | * appid: mark ssl appid lookup successful if a service id is available | |
208 | * appid: prefer eve client over appid detected client after decryption and use appid detected client version if eve client equals appid client | |
209 | * dce_rpc: fix stats for client/server segments reassembled. Thanks to Bader-eddine Ouaich for addressing the issue. | |
210 | * dns: updates to allow DNS to be compiled dynamically. | |
211 | * framework: add virtual for inspectors that publish data when no ips policy is enabled. | |
212 | * http2_inspect: add frame when logging a packet | |
213 | * http2_inspect: handle empty header name | |
214 | * http2_inspect: update connection settings on ack | |
215 | * http2_inspect: update test tool configurations | |
216 | * http_inspect: adjust formatting | |
217 | * inspector: export get_service_inspector_by_service method | |
218 | * mime: fix boundary search | |
219 | * mime: postpone boundary-look-alike data till the next PDU arrives | |
220 | * mime: support transport padding in boundary strings | |
221 | ||
0e45905d PBG |
222 | 2023-08-14: 3.1.68.0 |
223 | ||
224 | * appid, cip: parsing cip safety segments | |
225 | * dns: parse and publish dns response with ip, fqdn/ttl data | |
226 | * doc: udpate tutorial | |
227 | * http_inspect: disable rule evaluation caching for MIME attachments | |
228 | * managers: fix get_inspector to use the passed in snort config for context and inspection inspectors | |
229 | * sfip: Add < operator so SfIp can be used in std::map and std::set. | |
230 | * src: remove ips option asn1 | |
231 | * stream: init meta ack packet action field | |
232 | * wizard: refactoring - split curses to multiple files by protocol | |
233 | ||
f9405780 PBG |
234 | 2023-07-30: 3.1.67.0 |
235 | ||
236 | * appid: do not raise SMTP response overflow IPS alert on SSL traffic | |
237 | * appid: SSL regex pattern implementation | |
238 | * build: fix cstdint related clearlinux errors | |
239 | * build: fix issues with local build | |
240 | * build: fix type resolution for OSX build environment | |
241 | * control: fix descriptor polling implementation (POSIX) | |
242 | * control: follow code style and formatting | |
243 | * detection: service_extension config | |
244 | * flow: fix ha_test use of stack variable | |
245 | * flow: make sure cpputest mock objects are initialized | |
246 | * ips_options: remove FIXIT comment from sd_pattern | |
247 | * lua: change cip binder rule from 22222 to 2222 (thanks to animator-ra on GitHub for this fix). | |
248 | * main: increase the user policy id range to 0 - 2^64-1 | |
249 | * perf_mon: continue even when pegcounts can't be resolved | |
250 | * profiler: handle reload scenarios and tsan issues | |
251 | * profiler: remove interdependency with time and memory for accumulation | |
252 | * profiler: shell commands for time profiler | |
253 | * ssl: extract common name in the SSL certificate using openssl apis | |
254 | * ssl: parse and publish server common name from server certificate | |
255 | * ssl: remove wildcard character from common name string extracted from ssl certificate | |
256 | * style: fix whitespace | |
257 | ||
323d5cb4 PBG |
258 | 2023-07-14: 3.1.66.0 |
259 | ||
260 | * appid: cache Complex HTTP Pattern glossary before detectors reload | |
261 | * appid: early detection of ssh and ignoring third-party detection | |
262 | * appid: fix for opportunistic tls detected as ssl | |
263 | * binder: in case of a service change, remove flags indicating an abort of the direction | |
264 | * flow: changes to support derived classes of parent class Flow | |
265 | * ftp: remove file_data dependency on file_id | |
266 | * helpers: added additional log in print_backtrace for debugging purpose | |
267 | * ips_options: add gadget check for vba_data | |
268 | * ips_options: add unit tests for vba_data | |
269 | * ips_options: update dev_notes about IPS options input values | |
270 | * perf_mon: fix dump_stats collision with perf mon | |
271 | * rna: add stats for rna graphs | |
272 | * stream_tcp: validate proper update of stream_tcp state when seglist head follows a hole | |
273 | ||
679b6070 PBG |
274 | 2023-06-29: 3.1.65.0 |
275 | ||
276 | * analyzer: poison memory segment after msg->data | |
277 | * appid: add support for cip multiple service packet | |
278 | * appid: check size boundaries before header validation | |
279 | * appid: do not use global pointers to service and client detectors for packet processing during reload detectors | |
280 | * appid: fix FTP parsing | |
281 | * codecs: fix ipv6_mobility parsing | |
282 | * codecs: fix tcp options parsing | |
283 | * detection: update condition since the negated stuff can be matched in such cases | |
284 | * file_api: avoid file cache lookup after creating new file cache entry. | |
285 | * icmp6: allow rules to match packet data after header | |
286 | * ips_content: add flag for non-default value of depth | |
287 | * ips_content: clean-up of function | |
288 | * ips_content: make the negated content be opposite to normal content | |
289 | * ips_content: update condition checks | |
290 | * log: fix out-of-bounds read access | |
291 | * netflow: fix raw data conversion | |
292 | * parser: base service_only on services not cursor type | |
293 | * profiler: fix date related problems in rule_profiling json output | |
294 | * protocols: remove of unnecessary old_opt check | |
295 | * regex: clear flags reused by module to construct ips option | |
296 | * rna: fix icmpv6 decoding | |
297 | * thread_config: added thread level mempolicy | |
298 | * utils: fix out-of-bound access | |
299 | ||
6a0cb303 PBG |
300 | 2023-06-15: 3.1.64.0 |
301 | ||
302 | * appid: always publish a change message after do not decrypt | |
303 | * detection: handle case when no rule tree node is found for a policy ID. | |
304 | * flow: introduced granular counters for idle_prunes | |
305 | * http_inspect: remove stream interface abstraction for http/1.1 flows | |
306 | * stream_ip: fix session counters in timeout and cleanup cases | |
307 | ||
e4e6e348 PBG |
308 | 2023-06-01: 3.1.63.0 |
309 | ||
310 | * appid: changes logic in ssl pattern matching | |
311 | * http_inspect: rebuild start line | |
312 | * loggers: reuse sensor_id u2 event field for tenant_id value | |
313 | * main: add Pig destructor to free dynamic memory | |
314 | * main: allow network IDs to use up to 32 bits. | |
315 | * main: handling the return code in case of error in creation of daq instance | |
316 | * perf_monitor: fix data bus subscription | |
317 | * stream_tcp: account for data from zero window probes | |
318 | ||
680ba65c PBG |
319 | 2023-05-21: 3.1.62.0 |
320 | ||
321 | * appid: added logic to check for encrypted appid before assigning SSL service based on port | |
322 | * decompress, detetion, file_api, framework: cppcheck fixes | |
323 | * flow: clean up flow termination | |
324 | * flow: do not recycle flow cache entries | |
325 | * http_inspect: add support for file transfer using Partial Content | |
326 | * main: disable watchdog when Snort 3 process exits gracefully | |
327 | * main, managers: set the network policy using the user id during inspector delete | |
328 | * memory: add extra jemalloc counts for tracking | |
329 | * memory: use jemalloc stats.mapped for process total | |
330 | * profiler: add json formatter | |
331 | * protocols: add check for missing Geneve layer in get_geneve_options. | |
332 | * protocols,codecs: decode Geneve variable length options. | |
333 | * sfip/test: fix a miscalculation of the number of codes entries. | |
334 | * snort2lua: remove 'reference' option during conversion | |
335 | ||
7723002a PBG |
336 | 2023-05-04: 3.1.61.0 |
337 | ||
338 | * appid: appIdPegCounters thread data handling refactored to prevent data races | |
339 | * appid: ensure that TP SSL detection is not overwrite SMTPS service and client in a starttls session | |
340 | * appid: validate data size of SSL certificate record before parsing | |
341 | * build: remove unused header. Thanks to Rui Chen for reporting the issue. | |
342 | * cmake: update sed call. Thanks to graysky for reporting the issue. | |
343 | * flow: defensive fix to prevent crash if flow->prev is nullptr. | |
344 | * flow, hash, stream: add a free list node count that is output as a peg count | |
345 | * managers: check main SnortConfig pointer in InspectorManager::get_inspector() to avoid memory bad access calls | |
346 | * memory: fix memory pruning race condition and bail on reap failure | |
347 | * memory: provide a default value for pointers if the module has not been initialized | |
348 | * profiler: add shell commands | |
349 | * profiler: move profiler module to separate files | |
350 | * snort: add show_config_generation() command | |
351 | * stream_tcp: populate TCP pseudopackets with VLAN ids in TCP reassembler to avoid issues with secondary flow creation / expected flow cache | |
352 | ||
b303d60a PBG |
353 | 2023-04-20: 3.1.60.0 |
354 | ||
355 | * appid: fixed TSAN warnings | |
356 | * appid: log max rss difference and pattern count during appid initialization and reload detectors | |
357 | * appid: make ssl app group id lookup set payload and client | |
358 | * appid: making free_servicematch_list thread local | |
359 | * src: change a few operator bool functions to named functions | |
360 | * src: fix broken unit test/tweak define related to previous operator bool fixes | |
361 | ||
fa5e6e5c PBG |
362 | 2023-04-06: 3.1.59.0 |
363 | ||
364 | * file_api: handling file cache context | |
365 | * flow_cache: prune multiple flows | |
366 | * http2_inspect: clear flow stream_intf with flow_data | |
367 | * http2_inspect: make flow data reload safe | |
368 | * memory: subtract the allocated memory from the thread pruned before comparing to the target | |
369 | * stream: store thread local flow control pointer in global | |
370 | * thread_config: add preemptive watchdog kick for flow deletion | |
371 | * thread_config: remove message use in watchdog timer | |
372 | ||
fc35a68d PBG |
373 | 2023-03-22: 3.1.58.0 |
374 | ||
375 | * actions: restore rtn check in Actions::alert and add to Actions::log | |
376 | * appid: give precedence to eve detected client over appid when eve_http_client_mapping config is set | |
377 | * detection: fix queue_limit pegcounter evaluation | |
378 | * host cache: removed some log to prevent log flooding | |
379 | * js_norm: initialize normalization context only when script is detected | |
380 | * loggers: fix pcap flushing | |
381 | * memory: add shell command to dump heap stats | |
382 | ||
1624492c PBG |
383 | 2023-03-09: 3.1.57.0 |
384 | ||
385 | * ftp_telnet: updated flushing around subnegotiation parameters | |
386 | * search_engine: allocate a single shared scratch space | |
387 | * profiler: add rule time percentage table field | |
388 | ||
29167413 PBG |
389 | 2023-02-22: 3.1.56.0 |
390 | ||
391 | * appid: add validation for rpcbind universal address | |
392 | * appid: merge cname pattern matchers with ssl pattern matchers | |
393 | * configure: fix typo in jemalloc with tcmalloc error message | |
394 | * copyright: update for year 2023 | |
395 | * doc: update sd_pattern docs after obfuscation changes | |
396 | * sd_pattern: keep obfuscation blocks per buffer | |
397 | ||
1b7a459b PBG |
398 | 2023-02-08: 3.1.55.0 |
399 | ||
400 | * appid: first packet detector creation support in appid detector builder script | |
401 | * appid: support for IPv4 and IPv6 subnets for First Packet API | |
402 | * appid: updating lua API to accomodate netbios domain extraction, substring search, and substring index. | |
403 | * appid: use packet thread's odp context instead of inspector's context for packet processing | |
404 | * build: fix configure_cmake.sh 'too many arguments' error | |
405 | * detection: add new pegcount | |
406 | * main: avoid race conditions when accessing id to tid map | |
407 | * ssl: refactor ssl client hello parser to be used by appid/ssl inspectors | |
408 | * stream_tcp: fix passive pickups with missing packets. Thanks to nagmtuc and hedayat for reporting and helping debug the issue. | |
409 | * wizard: ensure Wizard is refcounted by MagicSplitter to prevent snort crashes due to memory corruption | |
410 | ||
b81d74d7 SC |
411 | 2023-01-25: 3.1.53.0 |
412 | ||
413 | * appid: publish tls host set in eve process event handler only when appid discovery is complete | |
414 | * detection: show search algorithm configured | |
415 | * file_api: handling filedata in multithreading context | |
416 | * flow: add stream interface to get parent flow from child flow | |
417 | * memory: added memusage pegs | |
418 | * memory: fix unit test build w/o reg test | |
419 | ||
e9b2fb4d RC |
420 | 2023-01-18: 3.1.52.0 |
421 | ||
b81d74d7 SC |
422 | * dce_rpc: add errno resets during uuid parsing |
423 | * dce_rpc: handling dcerpc over smbv2 | |
424 | * flow: update flow creation to exclude non-syn packets with no payload | |
425 | * framework: change range check types to int64_t to fix ILP32 bit issues | |
426 | * main: Fix missing include file that caused build error on some platforms. | |
427 | * memory: add final epoch to capture stats | |
428 | * memory: add regression test hooks | |
429 | * memory: fix init sequence; thanks to amishmm and Xiche for reporting and debugging the problem | |
430 | * netflow: grab the proto off of the netflow record - not the wire packet | |
431 | * rna: reset host_tracker type when visibility changes | |
432 | * stream: fix iss and irs and mid-stream sent post processing | |
433 | * stream: refactor tcp state machine to handle mid-stream flow and more established cases | |
e9b2fb4d | 434 | |
a0d8c184 RC |
435 | 2023-01-11: 3.1.51.0 |
436 | ||
437 | * appid: add support for cip service, client and payload detection | |
438 | * appid: do not create snmp future flow for udp reversed session | |
439 | * appid: use packet thread's odp context for future flow creation | |
440 | * build: error out if both jemalloc and tcmalloc are configured | |
441 | * build: exclude unused memory related sources | |
442 | * js_norm: add benchmark tests for PDF parser | |
443 | * js_norm: decode UTF-16BE to UTF-8 for JS in PDF | |
444 | * js_norm: delete unused method | |
445 | * js_norm: tune PDF parser performance | |
446 | * lua: add Adobe JavaScript related identifiers to snort_defaults | |
447 | * lua: fix typo in Sensitive Data classifications name | |
448 | * main: fix const issues causing compile warnings | |
449 | * memory: delete unnecessary includes | |
450 | * memory: incorporate overloads into profiler | |
451 | * memory: refactor jemalloc code and add relevant pegs | |
452 | * memory: rename manager to overloads to better indicate purpose | |
453 | * memory: update developer notes | |
454 | * memory: update stats regardless of state; add unit tests | |
455 | * memory: use the process total instead of per thread totals to enforce cap | |
456 | * watchdog: print thread id as well for better identification of unresponsive threads | |
457 | ||
83590bf7 RC |
458 | 2022-12-19: 3.1.50.0 |
459 | ||
460 | * alert_fast: fix initialization of http_inspect cheat codes | |
461 | * config: ensure table state is reset when starting a new shell | |
462 | * config: fix talos tweaks for the daq module | |
463 | * data_bus: improve pub-sub performance | |
464 | * host_cache: fix initialization from Lua | |
465 | * pop, imap, smtp: gracefully decline buffer requests when flow data is not present | |
466 | ||
5137fb71 RC |
467 | 2022-12-15: 3.1.49.0 |
468 | ||
469 | * appid: appid_detector_builder.sh addPortPatternService call fixed | |
470 | * appid: do not reset session data when built-in discovery is not done | |
471 | * appid: fixed assert condition for odp_ctxt and odp_thread_local_ctxt | |
472 | * doc: add decompression mention to js_norm reference | |
473 | * doc: update user/js_norm.txt for PDF in email protocols | |
474 | * geneve: if daq has the capability, do not bypass geneve tunnel | |
475 | * ips_options: fix offset related bug in byte_test eval() | |
476 | * js_norm: add PDF stream processing | |
477 | * js_norm: add support for email protocols | |
478 | * js_norm: fix pdf_tokenizer_test on FreeBSD platform | |
479 | * js_norm: update PDF tokenizer to use glue input streambuf | |
480 | * stream: ignore PAWS timestamp checks when in no_ack mode | |
481 | * wizard: remove client_first option | |
482 | ||
8a5562f2 SC |
483 | 2022-12-01: 3.1.48.0 |
484 | ||
485 | * appid: added config for logging alpn service mappings | |
486 | * appid: fixed addition of duplicate entries in app_info_table | |
487 | * appid: make appid availability independent from TP state | |
488 | * cmake: add FLEX build macro | |
489 | * doc: update sensitive data documentation | |
490 | * doc: update user/js_norm.txt for PDF | |
491 | * flow: add an event for retry packets | |
492 | * flow: added an event to allow post processing of new expected flows | |
493 | * flow: fix deferred trust clear when packet is dropped | |
494 | * flow, stream: added code to track and event for one-sided TCP sessions and generate an event for established or one-sided flows | |
495 | * http_inspect: add decompression failure check before normalization | |
496 | * http_inspect: remove port from xff header | |
497 | * ips_option: keep cursor intact for a negated content mismatched | |
498 | * ips_option: keep cursor intact for a negated hash mismatched | |
499 | * js_norm: implement Enhanced JS Normalization for PDF | |
500 | * js_norm: use FLEX macro to build parser | |
501 | * process: watchdog to abort snort when multiple packet thread becomes unresponsive | |
502 | * smb: handling smb duplicate sessions | |
503 | * stream: add logic to ensure metaACKs cause flushing | |
504 | ||
913bb577 SC |
505 | 2022-11-17: 3.1.47.0 |
506 | ||
507 | * appid: add a changed bit for discovery finished | |
508 | * appid: ntp detection improvements | |
509 | * appid: service, client and payload detection by lua detectors and third-party when first packet re-inspection is enabled | |
510 | * doc: add JavaScript Normalization section to user manual | |
511 | * doc: add js_norm alerts to builtin_stubs.txt | |
512 | * http_inspect: subdivide dev_notes into topics | |
513 | * http_inspect: move Enhanced JS Normalizer from NHI to a standalone component | |
514 | * js_norm: implement standalone Enhanced JavaScript Normalizer | |
515 | * main: dump packet trace after publishing finalize event since verdict could be modified. | |
516 | * main: update to improve performance by making packet tracer checks before calling function. | |
517 | * netflow: implement deferred trust, cleanup | |
518 | * packet_io: allow ACT_TRUST to be used as a delayed action. | |
519 | * packet_io: the most strict delayed action takes precedence. | |
520 | * smtp: do not accumulate cmds across policies and reloads. Avoids memory and performance problem. | |
521 | * stream: add info about the splitter lifetime to dev_notes | |
522 | * stream: ignore flushing from meta-ack if sent after FIN | |
523 | * stream: remove splitter from session before inspectors | |
524 | * stream: set splitter only on initialized tcp sessions or if midstream sessions are allowed | |
525 | * wizard: remove inspector's ref counter increments from MagicSplitter | |
526 | ||
7070c568 SC |
527 | 2022-11-04: 3.1.46.0 |
528 | ||
529 | * appid: check for empty patterns in lua detector api input | |
530 | * appid: publish client and payload ids set in eve process event handler and ssl lookup api only after appid discovery is complete | |
531 | * detection: add config option for SSE | |
532 | * detection: skip a rule variable copy for a single-branched node | |
533 | * doc: add information about handling multiple detection in SSE | |
534 | * doc: specified which packages are sent on rejection | |
535 | * helpers: fix duplicate scratch_handler | |
536 | * http_inspect: add override to destructor | |
537 | * http_inspect: move LiteralSearch::setup for http_param to its module | |
538 | * main: add variables to lua environment | |
539 | * netflow: if LAST_SWITCHED isn't provided, use packet time | |
540 | * parser: improve port_object hash function | |
541 | * ports: align fields of PortObject and PortObject2 | |
542 | * ports: enable checks in debug build only | |
543 | ||
c9fe72d9 SC |
544 | 2022-10-25: 3.1.45.0 |
545 | ||
546 | * detection: check Pig run number in node state conditions. Fixes crash introduced in 3.1.44.0. | |
547 | ||
02c049a8 SC |
548 | 2022-10-20: 3.1.44.0 |
549 | ||
550 | * appid: return APP_ID_NONE only if hsession is not present for http3 | |
551 | * detection: add stateful signature evaluation | |
552 | * flow, reputation, protocols: remove reputation information from packet and flow | |
553 | * http_inspect: inspect multiple MIME attachments per message section | |
554 | * http_inspect: maximum_pipelined_requests | |
555 | * http_inspect: MIME partial inspections | |
556 | * http_inspect: remove rule option timing features | |
557 | * lua: add sensitive data rules | |
558 | * reputation: added profiling to the event handlers | |
559 | * reputation: fix for array indexing error when searching for reputation file entries | |
560 | * reputation: refactor event generation for matches | |
561 | * s7commplus: adding wizard support for s7commplus | |
562 | * utils: add possibility to process keywords as identifiers | |
563 | ||
2013e080 SC |
564 | 2022-10-05: 3.1.43.0 |
565 | ||
566 | * actions: fix action logging for suppressed events | |
567 | * appid: handle multistream http protocols(http2,http3) together | |
568 | * appid: return appid set by eve for http/3 if no hsession is present, but prefer hsession appid over eve | |
569 | * appid: updating devnotes for first packet API | |
570 | * detection: refactor set next packet to use the dummy active object when there is no packet | |
571 | * flow: disable inspection for an HA flow unless the state is setup or inspect | |
572 | * http2_inspect: std::list - remove indirection from stream list | |
573 | * http_inspect: allowed and disallowed methods | |
574 | * reputation, sfrt: refactor reputation to remove global variables | |
575 | ||
47645fae SC |
576 | 2022-09-22: 3.1.42.0 |
577 | ||
578 | * appid: custom lua detector api to map ip and port to appids on the first packet | |
579 | * appid: added a snort config to control client-process mapping | |
580 | * appid: dppid service detection prioritized over third party detection | |
581 | * appid: cache support for unprocessed ssl packets | |
582 | * appid: handle http event for httpx(2,3) traffic | |
583 | * content: fix retry | |
584 | * content: fix adjustment of depth/within when offset/distance are negative | |
585 | * detection: add http3 to http ips buffers | |
586 | * detection: add option to reduce rtns by port values | |
587 | * doc: added smtp rule 124:17 | |
588 | * flow: abstract class added to work on stream based connections | |
589 | * http2_inspect: updated with abstracted httpx(2,3) flags | |
590 | * http_inspect: abstract inspection of httpx(2,3) | |
591 | * http_inspect: http_max_header_line and http_max_trailer_line rule options | |
592 | * http_inspect: rework range rule options | |
593 | * ips_options: change ips.obfuscate_pii to be true by default | |
594 | * ips: trace all node evaluations | |
595 | * memory: fix typo in peg counter help text | |
596 | * netflow: evaluate all matching netflow rules, not just the first match | |
597 | * parser: add implicit http3 to http ips options otn | |
598 | * parser: remove platform dependency from parse_int function | |
599 | * payload_injector: accommodate httpx(2,3) stream id values | |
600 | * pub_sub: handle httpx(2,3) traffic | |
601 | * reputation: use the thread specific reputation data for aux ip event | |
602 | * rna: handle httpx(2,3) traffic | |
603 | * stream: export support for creating udp session | |
604 | * trace: ips variables are dumped as hex | |
605 | * utils: remove alert for an opening tag in string literals | |
606 | * wizard: deprecate client_first option | |
607 | ||
1233e400 SC |
608 | 2022-09-07: 3.1.41.0 |
609 | ||
610 | * appid: send intermediate messages for appid reload commands to the socket | |
611 | * file_api: corrected the formatting of File Statistics output | |
612 | * file_id: Update Office Documents rules | |
613 | * flow: update flow statistics before processing a flow | |
614 | * framework, rna, pub_sub: make data bus get_packet method a const | |
615 | * netflow: log even when not all info is present | |
616 | * sd_pattern: add and improve built-in patterns | |
617 | * stream: free flow data, if flow is blocked | |
618 | * stream: use a const packet to populate the flow key | |
619 | * utils: refactor JS normalizer unit tests | |
620 | ||
e0bff55d RC |
621 | 2022-08-25: 3.1.40.0 |
622 | ||
623 | * appid: activate appid debug object before printing logs from http event handler | |
624 | * appid: do not clear client version when deleting appid session data | |
625 | * ChangeLog: change to md format | |
626 | * daq: Remove duplicate entries from static module list; thanks to raging-loon for reporting the issue | |
627 | * doc: add section on commit messages to the dev guide | |
628 | * doc: specify parallelization in make in tutorial; Thanks to nitronarcosis for reporting the issue and suggesting a fix | |
629 | * ffi: add get_module_version(name, type) for conditional config | |
630 | * flow: fix deferred trust for trust followed by defer | |
631 | * gid: upper bound changed to match event_filter and rate_filter implementation limits | |
632 | * help: enclose --help-config string defaults in single quotes | |
633 | * helpers: make install_oops_handle and remove_oops_handle so_public, install process.h and sigsafe.h | |
634 | * http_inspect: add doc for http_num_cookies | |
635 | * http_inspect: add more identifiers to js_norm lists | |
636 | * http_inspect: http_num_cookies rule option | |
637 | * http_inspect: parameters for header alerts | |
638 | * hyperscan: add warning when deserialization fails that includes error code | |
639 | * ip_proto: enable match on PDUs | |
640 | * managers: only publish the reloaded flow event for existing flows with an old policy | |
641 | * parameter: add int_list | |
642 | * parameter: simplify multi validation | |
643 | * reputation: make reputation handle flow setup, reloaded, and packet without flow events | |
644 | * stream: typo in dev_notes; Thanks to RobinLanglois for the fix | |
645 | * style: change max line length to 120 including \n | |
646 | * telnet: use the same splitter as ftp_server | |
647 | * utils: allow closing tag in external scripts | |
648 | * vlan: add configurable TPIDs; Thanks to ozkankirik for reporting the issue | |
649 | ||
ff6db5e6 |
650 | 2022-08-10: 3.1.39.0 |
651 | ||
652 | * cmake: add --enable-luajit-static option to enable LuaJit linked statically | |
653 | * http_inspect: request and response shouldn't be available for pkt_data | |
654 | * ips_options: remove obfuscate_pii caching in sd_pattern option | |
655 | * main, managers: remove the reload_module command | |
656 | * netflow: pass a flag if the initiator and responder were swapped | |
657 | * parser: remove 138 from builtin GID exceptions | |
658 | * rna: Added log message for missing 'rna.conf' path | |
659 | * utils: fix compilation warning [-Wcomma] | |
660 | * utils: fix JS split to reflect tokens correction and re-normalization | |
661 | * utils: validate escaped JavaScript identifiers | |
662 | ||
663 | 2022-07-28: 3.1.38.0 | |
664 | ||
665 | * appid: restart inspection for ssl session inside http tunnel | |
666 | * appid: set persistent flag for sunrpc expected session | |
667 | * appid: send more packets to third-party for FTP user name extraction | |
668 | * detection: separate the branch/leaf result to different variables | |
669 | * http_inspect: remove dependency of JS normalization depth on HTTP depth | |
670 | * http_inspect: add more explicit js type values to otag type check | |
671 | * http_inspect: do not stop normalization in case of opening script tag | |
672 | * http2_inspect: add support for GOAWAY frames | |
673 | * http2_inspect: add support for PRIORITY frames | |
674 | * http_inspect: directly call detection | |
675 | * http2_inspect: interface to http_inspect now uses real reassembled packet | |
676 | * pub_sub: add definitions for ssl block and block with reset messages | |
677 | * snort2lua: change the conversion of sensitive data rules | |
678 | * stream: removed all instances of 'cap_weight' config parameter | |
679 | * stream: removed macro references for 'cap_weight' config parameter | |
680 | * utils: add static initialization of norm_names | |
681 | * utils: continue JS normalization after opening tag seen | |
682 | ||
683 | 2022-07-19: 3.1.37.0 | |
684 | ||
685 | * reputation: print LogMessage in reputation only when in verbose mode | |
686 | * utils: fix Unicode LS PS handling in JavaScript | |
687 | ||
688 | 2022-07-14: 3.1.36.0 | |
689 | ||
690 | * appid: fix stats cleanup | |
691 | * dce_smb: fix stats cleanup | |
692 | * file_api: fix stats cleanup | |
693 | * http_inspect: do not abort midstream pickups | |
694 | * normalizer: make normalizer and tcp_normalizer peg counts shared | |
695 | * stream: fix stats cleanup | |
696 | * utils: fix arrow functions parsing | |
697 | * utils: fix parsing of decimal number literals | |
698 | ||
699 | 2022-07-08: 3.1.35.0 | |
700 | ||
701 | * sandbox: must propagate file_id for includer logic | |
702 | ||
703 | 2022-07-07: 3.1.34.0 | |
704 | ||
705 | * build: remove unnecessary type casts | |
706 | * dce_rpc: set persistent flag for dcerpc pinhole session | |
707 | * file_id: fix rules_file path resolution | |
708 | * http2_inspect: consider continuation when checking headers length | |
709 | * log: add log_value and log_limit overloads with built-in integer types | |
710 | * utils: make shutdown timing stats more precise; | |
711 | Thanks to trevor tao <trevor.tao@arm.com> for the update | |
712 | ||
713 | 2022-06-30: 3.1.33.0 | |
714 | ||
715 | * file_api: implement file type identification over ips engine | |
716 | * filters: check if a configured gid value is supported by filter's implementation | |
717 | * framework: update base API version to 14 | |
718 | * ftp_telnet: make active ftp expected session in the correct direction | |
719 | * http2_inspect: fix unit tests depending on REG_TEST | |
720 | * http_inspect: implement uniform alerts when splitter aborts | |
721 | * hyperscan: delete databases upon error | |
722 | * lua: update sid and rev fields | |
723 | * main: move trace related code to trace folder | |
724 | * netflow: fix v5 header time value | |
725 | * parser: update do_hash() function to work correctly with port variables | |
726 | * parser: use std::string in ExpandVars | |
727 | * rna: allow rna to fire an event when a new netflow connection is detected | |
728 | * rna: use the longest user agent fingerprint among multiple matches | |
729 | * wizard: update wizard's patterns to follow the proto option | |
730 | ||
731 | 2022-06-16: 3.1.32.0 | |
732 | ||
733 | * appid: config for logging eve process to client mappings | |
734 | * dce_smb: reduce smb_max_credit range to avoid uint16_t overflow | |
735 | * detection: remove redundant FIXIT | |
736 | * ftp_telnet: correct the implementation for check_encrypted and encrypted_data config, handle form-feed as | |
737 | non-encrypted traffic | |
738 | * ftp_telnet: handle all space characters as a separator between FTP request command and arguments | |
739 | * http_inspect: add explicit check for HTML script opening tag ending | |
740 | * http_inspect: remove unneeded header inclusions and improve cleanup before trailers | |
741 | * ips_options: improve ips_hash and ips_cvs code coverage | |
742 | * log: Fixed missing include for Clear Linux build | |
743 | * logger: added reload function to create new files when snort reloads | |
744 | * main: add null check for scratch handler | |
745 | * mime: cleanup | |
746 | * modules: resolve int type mismatch in config options | |
747 | * netflow: fix build on MacOS | |
748 | * netflow: implement RNA integration for host/service discovery | |
749 | * netflow: support memcap reconfiguration upon reload | |
750 | * openssl: Openssl minimum version is set to 1.1.1 | |
751 | * profiler: fix issue with negative number cast to unsigned for max_depth | |
752 | * rna: reduce range for ttl, fix cast for df, minor and major options; | |
753 | Thanks to liangxwa01 for pointing this out | |
754 | * stream_tcp: fix splitter abort handling | |
755 | * stream_tcp: flip the server_side flag in fallback() and assert what it should be | |
756 | * utils, parser: remove redundant fixits | |
757 | * utils: remove curly brace parsing from regex literals | |
758 | * utils: remove redundant checks in regex groups | |
759 | * wizard: use const reference instead of copying | |
760 | ||
761 | 2022-06-02: 3.1.31.0 | |
762 | ||
763 | * appid: add lock_guard to prevent data race on reload | |
764 | * appid: do not delete third-party connection when third-party reload is in progress and the context swap is not complete | |
765 | * dce_rpc: convert tree tracker to shared ptr | |
766 | * doc: add class track description to user doc | |
767 | * filters: add correct handling of by_src and by_dst; | |
768 | Thanks to Albert O'Balsam for reporting the bug | |
769 | * host_tracker: rename generic files and classes | |
770 | * http2_inspect: add alert and infraction for non-Data frame too long | |
771 | * http_inspect: add Content-Type header validation for Enhanced JS Normalizer | |
772 | * http_inspect: add field for raw_body | |
773 | * http_inspect: add handling of binary, octal and big integers to JS Normalizer | |
774 | * http_inspect: change js processed data tracking | |
775 | * http_inspect: implement general approach of checking Content-Type header | |
776 | * hyperscan: reallocate hyperscan scratch space when patterns are reloaded during appid detector reload | |
777 | * netflow: enforce memcap for session record and template LRU caches | |
778 | * perf_monitor: fix timestamp for idle processing | |
779 | * utils: add keyword new support and object tracking | |
780 | * utils: allow script closing tag in single-line comments | |
781 | ||
782 | 2022-05-19: 3.1.30.0 | |
783 | ||
784 | * build: Update dependent libdaq version to 3.0.7 | |
785 | * doc: update clone link in README; | |
786 | Thanks to billchenchina | |
787 | * doc: user documentation update for obfuscate_pii and --help-module | |
788 | * framework: add method to get unquoted string from configuration value | |
789 | * http2_inspect: Templatize variable length integer decoding of integer and string | |
790 | * http_inspect: add ignoring defined object properties for Enhanced JS normalizer | |
791 | * http_inspect: avoid sending compressed data to JS normalizer | |
792 | * http_inspect: check if input available before JavaScript normalization | |
793 | * mime: set partial_header to null after deletion | |
794 | * perf_monitor: remove unused flatbuffers support | |
795 | * piglets: remove unused test harness | |
796 | * smb: handle file context cleanup | |
797 | * snort3: remove SMB detection from service_netbios.cc | |
798 | * stream: refactor flush_queued_segments | |
799 | * stream_tcp: add null check for get_current_wire_packet() in dce too | |
800 | * stream_tcp, pop: add sync_on_start method to StreamSplitter | |
801 | * stream_tcp: provide a context and a wire packet where needed, when calling into reassembly from outside regular | |
802 | processing (handle_timeouts) | |
803 | * utils: add Latin-1 decoding of JavaScript unescape-like functions | |
804 | * utils: allow regex literals after operator | |
805 | * utils: fix regex char classes parsing | |
806 | * utils: turn debug-build assertion into a product-build code | |
807 | * wizard: fix code style | |
808 | ||
809 | 2022-05-04: 3.1.29.0 | |
810 | ||
811 | * appid: add alpn matchers | |
812 | * dce_rpc: update address space id in the smb keys | |
813 | * doc: rule text updates | |
814 | * flow, network_inspectors, policy_selectors, stream: make address space id 32 bits and add a tenant id to the daq header | |
815 | * flow, side_channel, utils: fix clang issues | |
816 | * flow: add inline cppcheck suppressions | |
817 | * flow: change the padding and bits in the flow key to make it more clear | |
818 | * http_inspect: install header files, create a virtual base class for http_inspect and http_stream_splitter | |
819 | * http_inspect: move mime processing outside of file and detect depth | |
820 | * main: update analyzer command log message to copy the variable arguments before using them for the remote response | |
821 | * wizard: update glob storage due to shared memory | |
822 | ||
823 | 2022-04-25: 3.1.28.0 | |
824 | ||
825 | * appid: add bytes_in_use and items_in_use peg counts | |
826 | * appid: ssl service detection for segmented server hello done | |
827 | * binder: add binder actions to flow reassignment; | |
828 | Thanks to Meridoff for the original report of the issue | |
829 | * bufferlen: add missing relative override | |
830 | * conf: add cip and s7commplus to the default snort.lua | |
831 | * content: auto no-case non-alpha patterns | |
832 | * dce_rpc: Handling only named ioctls for smb | |
833 | * detection: add missing fast pattern buffer translations | |
834 | * detection: make CursorActionType generic | |
835 | * detection: map buffers to services | |
836 | * detection: rearrange startup rule counts | |
837 | * detection: remove now obsolete get buf support | |
838 | * doc: add clarification on default bindings in developer notes and user notes | |
839 | * events: add action logging to the event | |
840 | * flow, managers, binder: only publish flow state reloaded event from internal execute | |
841 | * flow: only select policies when deleting flow data if there is a policy selector | |
842 | * flow, snort_config: change service back to a pointer and add a method to return a non-volatile pointer for service | |
843 | * flow: use a flag instead of shared pointer use count for has service check | |
844 | * framework: make Cursor SO_PUBLIC | |
845 | * ftp: fix FTP response parsing | |
846 | * ftp: flush FTP cmds ending in just carriage return | |
847 | * host_cache: bytes_in_use and items_in_use peg counts | |
848 | * host_cache: fix unit test broken on some platforms | |
849 | * inspectors: add / update api buffer lists | |
850 | * ips: eliminate direct dependence on get_fp_buf of all ibt (by using rule options) | |
851 | * ips: eliminate PM_TYPE_* to make fast pattern buffers generic | |
852 | * ips: further limit port group rules | |
853 | * ips_options: eliminate obsolete RULE_OPTION_TYPE_BUFFER_* | |
854 | * ips_options: fix cursor action type overrides | |
855 | * main: check policy exists instead of index when setting network policy by id | |
856 | * mime: handle MIME header lines split between inspection sections and improve folded header line processing | |
857 | * mms: add check that BerElement argument isn't null before calling BerReader::read | |
858 | * mms: adding manual updates for the new service inspector for the IEC61850 MMS protocol | |
859 | * mms: adding new service inspector for the IEC61850 MMS protocol | |
860 | * mms_data: make a fast pattern buffer | |
861 | * mms: moved creation of TpktFlowData inspector ID to process init | |
862 | * module_manager: fix memory pegs display issue during packet processing, while also correctly computing the memory | |
863 | pegs in Analyzer::term | |
864 | * netflow: framework for netflow V5 and V9 events | |
865 | * packet_io: add rewrite action logging | |
866 | * parser: update dev notes | |
867 | * raw_data: only search pkt_data if no alt buffer or raw_data rules included in group | |
868 | * service inspectors: update fast pattern access | |
869 | * sfip: improve warning suppression | |
870 | * smtp: SMTPData initialization changed from memset to constructor | |
871 | * smtp: STARTTLS command injection event processing | |
872 | * stream: add can_set_no_ack() api to check if policy allows no-ack mode | |
873 | * stream: add current_flows, uni_flows and uni_ip_flows peg counts | |
874 | * utils: limit JS regex stack size | |
875 | * utils: track groups and escaped symbols in JavaScript regex literals | |
876 | ||
877 | 2022-04-07: 3.1.27.0 | |
878 | ||
879 | * ac_full: refactor api access | |
880 | * ac_full: remove cruft | |
881 | * ac_std: fix case translation buffer size | |
882 | * alerts: remove obsolete stateful parameter | |
883 | * appid: provide client appid set by encrypted visibility engine to ssl through the ssl appid lookup api | |
884 | * build: compile against libatomic if present; | |
885 | Thanks to W. Michael Petullo <mike@flyn.org> | |
886 | * control, shell: add a command to set the network policy to be used by subsequent commands | |
887 | * dce_rpc: handle cleanup path and race conditions for dce traffic | |
888 | * detection: do not check ips policy when builtin events are queued | |
889 | * detection: fixup dump of detection option tree | |
890 | * detection: minor refactoring of rule header access | |
891 | * detection: override match queue limit for offload | |
892 | * detection: remove cruft | |
893 | * detection: skip match deduplication for hyperscan | |
894 | * file_api: handle user_file_data cleanup | |
895 | * hext: change stdin designation from tty to - since the trough uses dash | |
896 | * http2_inspect: reduce holes in objects | |
897 | * http_inspect: add unescape text processing for Enhanced JS Normalizer | |
898 | * http_inspect: decode String.fromCodePoint() JavaScript function | |
899 | * http_inspect: delete alerts 119:279 and 119:280 | |
900 | * http_inspect: provide current packet to trace | |
901 | * http_inspect: support headers Restrict-Access-To-Tenants, Restrict-Access-Context | |
902 | * hyperscan: ensure adequate scratch when deserializing | |
903 | * rate_filter: move to inspection policy | |
904 | * search_engine: add fast pattern only count at startup | |
905 | * search_engine: always build ac_full since it is a hard default case | |
906 | * search_engine: fix .debug = true output | |
907 | * search_engine: fix adjustment for fast_pattern_offset | |
908 | * search_engine: fix fast pattern only eligibility check | |
909 | * search_engine: remove obsolete warning on max_pattern_len change | |
910 | * search_engine: remove search_optimize parameter (always true) | |
911 | * search_engine: truncated patterns not eligible as fast pattern only contents | |
912 | * search_engines: add and refactor unit tests | |
913 | * search_engines: ensure SearchTool with hyperscan gets multi-match mode | |
914 | * search_engines: remove the legacy ac_banded algorithm | |
915 | * search_engines: remove the legacy ac_sparse algorithm | |
916 | * search_engines: remove the legacy ac_sparse_bands algorithm | |
917 | * search_engines: remove the legacy ac_std algorithm | |
918 | * sfip: suppress compiler warning | |
919 | * utils: add string concatenation for Enhanced JS Normalizer | |
920 | * utils: allow opening/closing tags in external scripts | |
921 | * utils: fix JS Normalizer benchmark build | |
922 | * utils: fix tracking variable when the output buffer is reset | |
923 | * utils: harden script opening tag sequence | |
924 | ||
925 | 2022-03-23: 3.1.26.0 | |
926 | ||
927 | * actions: revert bf62a22d43bb2d15b7425c5ec3e3118ead470e8d | |
928 | * actions: set a delayed action on Reject IPS Action hit | |
929 | * analyzer: avoid distilling sticky verdicts | |
930 | * appid: appid api to provide the path to appid detector directory | |
931 | * appid: make appid a global inspector | |
932 | * appid: sum stats at tterm and null the thread local stats pointer after delete | |
933 | * control: make sure reload commands with an empty argument are handled correctly | |
934 | * event: add new static member update_and_get_event_id() | |
935 | * file_api: Handling user_file_data cleanup | |
936 | * flow: make service a shared pointer to handle reload properly | |
937 | * framework: update base API version to 13 | |
938 | * http_inspect: do file decompression and utf decoding on non-MIME uploads | |
939 | * http_inspect, mime: VBA macro decompression for HTTP MIME file uploads | |
940 | * inspector, main, inspector_manager: add support for thread local data in inspectors and commands updating reload_id | |
941 | * main: add the control connection to the analyzer command and a method to log a message to both console and the remote | |
942 | connection | |
943 | * main: fix and reenable the distill_verdict unit test | |
944 | * managers: add a faster get_inspectors method | |
945 | * managers: add get_inspector unit tests | |
946 | * managers: move inspection policies into the corresponding network policy | |
947 | * packet_io: fix active action so the first reset occurred takes effect | |
948 | * policy_selectors: add a method to select policies based on DAQ_FlowStats_t | |
949 | * reputation: add a command to reload reputation data | |
950 | * stream: reusable stream splitter | |
951 | ||
952 | 2022-03-09: 3.1.25.0 | |
953 | ||
954 | * appid: do not add duplicate process to client app mapping for the same process name | |
955 | * file_id: remove unused decompression and decode depth parameters | |
956 | * http_inspect: add http_header_test, http_trailer_test rule options | |
957 | * http_inspect: add override to fix warning | |
958 | * http_inspect: add unescape function tracking for Enhanced JS Normalizer | |
959 | * http_inspect: call mime in a loop for each attachment | |
960 | * http_inspect: remove feature to disable raw detection upon flow depth | |
961 | * http_inspect: use http_inspect decompression config parameters for HTTP MIME traffic instead of file_id | |
962 | * mime: fix resetting state after every attachment and check state instead of decode object | |
963 | * mime: return at the end of each attachment and set the file_data for http | |
964 | * process: add watchdog to detect packet threads deadlock or dead loop | |
965 | * ssh: NULL check for session pointer before access | |
966 | * stream_tcp: call final flush only when the seglist has no gaps | |
967 | * stream_tcp: clarify small segments help text and remove usage from lua | |
968 | * utils: check for NULL before calling fclose() | |
969 | * utils: check more likely branches at first | |
970 | * utils: combine ignore list with normalization map | |
971 | * utils: fix compilation issues in js_tokenizer | |
972 | * utils: improve Flex matching patterns | |
973 | * utils: pre-compute ID normalized names | |
974 | * utils: refactor the alias lookup | |
975 | * utils: wrap unordered set with a fast lookup table | |
976 | * watchdog: remove unused code | |
977 | ||
978 | 2022-02-23: 3.1.24.0 | |
979 | ||
980 | * detection_filter: update dev notes to show multithreaded behavior | |
981 | * doc: fix typos in text; | |
982 | Thanks to Greg Myers <myersg86> for reporting the issue | |
983 | * http_inspect: refactor HttpIpsOption | |
984 | * latency: disabling time out functionality on implicit enable | |
985 | * mime: stop setting the file_data buffer for raw non-file MIME parts | |
986 | * netflow: add dev_notes.txt | |
987 | * sfdaq: fix for underflow of outstanding counter | |
988 | * stream: Remove preemptive prunes peg count | |
989 | ||
990 | 2022-02-09: 3.1.23.0 | |
991 | ||
992 | * detection: add dir abort check in skip_raw_tcp | |
993 | * doc: add notes about CLI/Lua precedence | |
994 | * doc: fix incorrect http builtin rule sid | |
995 | * event: make apis SO_PUBLIC to access in .so | |
996 | * filters: allow detection filter to sum events across threads | |
997 | * http_inspect: HttpStreamSplitter::reassemble verifies gzip file magic and checks for FEXTRA flag | |
998 | * main: ignore Snort module's option if it duplicates CLI option | |
999 | * main: parse snort module before others | |
1000 | * main: remove default values for other-module parameters in snort module | |
1001 | * main: stop with error on include(nil) attempt | |
1002 | * packet_io: decrease daq module's parameters priority | |
1003 | * stream: defer flush_queued_segments() if flow->clouseau | |
1004 | * stream_tcp: better place for setting delayed_finish_flag | |
1005 | * stream_tcp: fix a bug in which in some cases we did not call splitter finish() in each direction, by calling | |
1006 | flush_queued_segments() in perform_fin_recv_flush() on FIN with data packets | |
1007 | * stream_tcp: introduce TcpStreamTracker::delayed_finish_flag and call splitter finish from flush_on_data_policy | |
1008 | if delayed_finish_flag is true | |
1009 | * stream_tcp: wrap flow->clouseau in searching_for_service() | |
1010 | ||
1011 | 2022-01-31: 3.1.22.0 | |
1012 | ||
1013 | * appid: give priority to custom process to app mappings over ODP mappings | |
1014 | * appid: rename efp (encrypted fingerprint) to eve (encrypted visibility engine) | |
1015 | * detection: change output format of dump-rule-state | |
1016 | * pub_sub: export assistant_gadget_event.h header file | |
1017 | * stream: set the max number of flows pruned while idle to 400 | |
1018 | ||
1019 | 2022-01-25: 3.1.21.0 | |
1020 | ||
1021 | * appid: do not delay detection of SMB service for the sake of version detection | |
1022 | * control: fix macro definitions | |
1023 | * copyright: Update year to 2022 | |
1024 | * http_inspect: correct comment regarding header splitting rules | |
1025 | * http_inspect: forward 0.9 request lines to detection | |
1026 | * http_inspect: http_version_match uses msg section version id | |
1027 | * http_inspect: webroot traversal | |
1028 | * main: move policy selector and flow tracking from snort config to policy map | |
1029 | * main: only add policies to the user policy map at the end of table processing | |
1030 | * policy: add a file_policy to the network policy and use it | |
1031 | * stream: QUIC stream dependent changes | |
1032 | * stream_tcp: ensure that we call splitter finish() only once per flow, per direction | |
1033 | * wizard: remove extra semicolon | |
1034 | ||
1035 | 2022-01-12: 3.1.20.0 | |
1036 | ||
1037 | * appid: handle SNI in efp event | |
1038 | * appid: make peg counts consistent with what is reported to external components | |
1039 | * appid: update appid api to include ssh in the list of service inspectors that need inspection | |
1040 | * dnp3, gtp, file_type: fix assert while parsing string param | |
1041 | * doc: update JavaScript normalization docs | |
1042 | * http2_inspect: don't send data frames to the http stream splitter when it's not expecting them | |
1043 | * http2_inspect: hardening | |
1044 | * http_inspect: version update, http_version_match rule option | |
1045 | * stream_tcp: limit reassembly size for AtomSplitter; | |
1046 | Thanks to barosch78 and DAKOIT for their help in the process of finding the root cause | |
1047 | * stream_tcp: Skip seglist gap in post-ack mode if data is acked beyond the gap | |
1048 | * stream_user: change packet type from PDU to USER for hext daq, user codec, and stream_user | |
1049 | * wizard: make max_search_depth applicable for curses | |
1050 | ||
1051 | 2021-12-15: 3.1.19.0 | |
1052 | ||
1053 | * appid,ssh: roll AppId's SSH detector into SSH service inspector | |
1054 | * appid: remove hard-coded SSH client patterns which are available as part of ODP | |
1055 | * build: add cppcheck suppressions for unusedFunctions | |
1056 | * build: clean up some cppcheck style issues | |
1057 | * build: move flex options to the template file | |
1058 | * cmake: fix CMP0115 Warning | |
1059 | * daq: sort --daq-list output by module name | |
1060 | * dce_smb: add new smb counters | |
1061 | * file_api: add null check for user file data | |
1062 | * file_api: handle file_data | |
1063 | * framework,appid: generate NO_SERVICE event when no inspector can be attached to a flow; wait for the event in appid | |
1064 | before declaring service as unknown for the flow | |
1065 | * http_inspect,http2_inspect: refuse midstream pickups | |
1066 | * http_inspect: add JavaScript builtin de-aliasing | |
1067 | * http_inspect: rename js normalization options | |
1068 | * http_inspect: use correct detect_length for partial inspection cleanup | |
1069 | * loggers: fix truncated alert_syslog messages | |
1070 | * lua: configure a list of JS ignored IDs in default_http_inspect table | |
1071 | * managers: continue inspectors probe when packet has disable_inspect flag | |
1072 | * mime: add support for vba macro data extraction of MS office files transferred over mime protocols | |
1073 | * parser: fix missing-prototypes warning in parse_ports.cc | |
1074 | * parser: fix parsing of portsets | |
1075 | * rpc: remove RpcSplitter altogether and use LogSplitter instead | |
1076 | * snort2lua: fix conversion of variable sets | |
1077 | * stream: add PKT_MORE_TO_FLUSH flag and use it in TcpReassembler::scan_data_post_ack() to signal AtomSplitter whether | |
1078 | to flush or not | |
1079 | * stream: fix issue with atom splitter not returning FLUSH | |
1080 | * stream_tcp: remove unnecessary special adjustment methods | |
1081 | * utils: (JSTokenizer) fix braces initialization compilation error (gcc5) | |
1082 | * utils: fix state adjustment in JS Tokenizer | |
1083 | * utils: place init/deinit routine under a single function | |
1084 | * utils: update JS normalizer unit tests | |
1085 | * vlan: implement vlan encode function | |
1086 | ||
1087 | 2021-12-01: 3.1.18.0 | |
1088 | ||
1089 | * alert_sf_socket: remove obsolete logger | |
1090 | * appid: exclude stubs from coverage | |
1091 | * build: remove config.h from headers | |
1092 | * build: remove unreachable code | |
1093 | * build: update configure options | |
1094 | * catch: update catch to v2.13.7 | |
1095 | * dev_notes.txt: fix miscellaneous typos | |
1096 | * doc: remove mention of Automake | |
1097 | * doc: update builtin_subs.txt with EVENT_JS_SCOPE_NEST_OVERFLOW alert | |
1098 | * doc: update module usage and inspector types in the dev guide | |
1099 | * doc: update user/http_inspect.txt with http_inspect.js_norm_max_scope_depth option description | |
1100 | * doc: update wizard documentation | |
1101 | * file_api: file_data changes | |
1102 | * framework: add support for multiple tenants | |
1103 | * framework: don't call a gadget's eval() or clear() after its stream splitter aborted | |
1104 | * framework: replace Value::get_long() with a platform-independent type | |
1105 | * framework: update base API version to 11 | |
1106 | * helpers: fix stream unit test on 32 bit platforms | |
1107 | * http2_inspect: discard with padding | |
1108 | * http_inspect: fix total_bytes peg count | |
1109 | * http_inspect: new rule options num_headers, num_trailers | |
1110 | * http_inspect: store ole data in msg_body | |
1111 | * http_inspect: update comments for asserts in eval and clear | |
1112 | * http_inspect: update dev_notes.txt | |
1113 | * hyperscan: disable bogus unit test leak warnings | |
1114 | * ips_options: create LiteralSearch object for vba decompression at the time of snort initialization | |
1115 | * memory: add max rss to verbose memory output | |
1116 | * memory: add original overload manager | |
1117 | * memory: add support for jemalloc | |
1118 | * memory: expand profile report field widths | |
1119 | * memory: fix accounting issues | |
1120 | * memory: free space per DAQ message, not per allocation | |
1121 | * memory: move mem_stats to MemoryCap | |
1122 | * memory: refactoring | |
1123 | * memory: refactor pruning and update unit tests | |
1124 | * memory: remove explicit allocation tracking | |
1125 | * memory: update dev notes | |
1126 | * perf_monitor: allow constraint seconds = 0 | |
1127 | * piglets: refactor support code | |
1128 | * reputation: remove unused sfrt code | |
1129 | * rna: refactor unit test stubs | |
1130 | * search_engines: remove unused test code | |
1131 | * stream_tcp: delete unused unit test cruft | |
1132 | * stream_tcp: only fall back if stream splitter aborted and don't keep processing fragments after MagicSplitter returned | |
1133 | STOP | |
1134 | * stream_tcp: remove unused unit test code | |
1135 | * stream_user: refactor, remove cruft | |
1136 | * unified2: remove cruft | |
1137 | * utils: do output adjustment in case of carryover | |
1138 | * utils: enable batch mode for Flex | |
1139 | * utils: (JSNormalizer) add program scope tracking and alias resolution | |
1140 | * utils: (JSNormalizer) rework the split over multiple chunks behavior | |
1141 | * utils: pass an address into memset instead of object | |
1142 | * utils: reduce flex generation of unused js normalizer code | |
1143 | * utils: reset Normalizer context when new script starts | |
1144 | * vba: fix buffer overflow in ole parser | |
1145 | * wizard: add patterns to match unknown HTTP and SIP methods | |
1146 | * wizard: change default value of max_search_depth from 64 to 8192 | |
1147 | * wizard: remove telnet IAC pattern | |
1148 | ||
1149 | 2021-11-17: 3.1.17.0 | |
1150 | ||
1151 | * appid: restore the log of reload detectors complete message | |
1152 | * build: remove HAVE_HYPERSCAN conditional from installed header | |
1153 | * detection: add allow_missing_so_rules | |
1154 | * detection: ensure PDUs indicate parent when available | |
1155 | * dnp3: update builtin rule description | |
1156 | * doc: arp_spoof builtins | |
1157 | * doc: back orifice builtin rules | |
1158 | * doc: spell correction | |
1159 | * doc: update builtin alerts description for dnp3 | |
1160 | * doc: update builtin alerts description for modbus, HTTP/2 | |
1161 | * doc: update builtin alerts description for portscan | |
1162 | * doc: update builtin rule documentation for http_inspect | |
1163 | * doc: update builtin rules documentation for dce_smb, dce_tcp, dce_udp, rpc_decode | |
1164 | * doc: updated builtin rules documentation for ssh | |
1165 | * http2_inspect: hardening | |
1166 | * http2_inspect: http1_header buffer always created immediately after decode_headers | |
1167 | * http2_inspect: push promise error state check | |
1168 | * http2_inspect: truncated trailers without frame data | |
1169 | * ips_option: Enabling trace for vba_data options and fixing memory leak while extracting vba_data | |
1170 | * main: use dynamic buffer on demand in trace print functions | |
1171 | * u2spewfoo: Fixed incorrect usage line | |
1172 | ||
1173 | 2021-11-03: 3.1.16.0 | |
1174 | ||
1175 | * appid: during initialization, skip loading of Lua detectors that don't have validate function | |
1176 | * appid: in packet threads, skip loading of detectors that don't have validate function on reload | |
1177 | * appid: provide API to give client_app_detection_type | |
1178 | * codec: geneve - ensure injected packets have geneve port in outer udp header | |
1179 | * detection: refactor mpse serialization | |
1180 | * detection: rename PortGroup to the more apt RuleGroup (and related) | |
1181 | * detection: replace PortGroup::alloc/free with ctor/dtor | |
1182 | * doc: add SIP built-in rule documentation | |
1183 | * doc: update built-in rule doc for SMTP, IMAP and POP inspectors | |
1184 | * doc: update built-in rules documentation for dns module | |
1185 | * doc: update built-in rules documentation for ftp-telnet | |
1186 | * doc: updated builtin rules documentation for gtp module | |
1187 | * flow: fix warning in flow_cache.cc | |
1188 | * flow: use the same pkt_type to link and unlink unidirectional flows | |
1189 | * http2_inspect: refactor decoded_headers_buffer for hpack decoding | |
1190 | * http_inspect: eliminate cumulative js data processing | |
1191 | * http_inspect: handle unordered PDUs for inline/external JavaScript normalization | |
1192 | * http_inspect: improve file decompression | |
1193 | * hyperscan: sort patterns for dump / load stability | |
1194 | * ips: correct fast pattern port group counts | |
1195 | * mpse: add md5 check to deserialization | |
1196 | * reload: add logs to track reload process | |
1197 | * reload: move out reload progress flag to reload tracker | |
1198 | * search_engine: support hyperscan serialization | |
1199 | * search_engine: support port group serialization | |
1200 | * sip: track memory for sip sessions | |
1201 | * ssl: disable inspection on alert only at fatal level | |
1202 | * stream_tcp: fix init_wscale() to take into account the DECODE_TCP_WS flag | |
1203 | * tcp: remove the obsolete __GNUC__ block from TcpOption::next() | |
1204 | * tcp: stop on the EOL option in TcpOptIteratorIter::operator++() | |
1205 | * utils: add get methods to peek in internal buffer | |
1206 | * utils: correct Normalizer's output upon the next scan | |
1207 | * wizard: update globbing and max_pattern | |
1208 | ||
1209 | 2021-10-21: 3.1.15.0 | |
1210 | ||
1211 | * appid: detect client based on longest matching user agent pattern | |
1212 | * appid: update the name of the lua API function that adds process name to client app mappings | |
1213 | * build: fix in CodeCoverage.cmake to generate *.gcda *.o files as needed by gcov | |
1214 | * dce_smb: optimize handling pruning of flows in stress environment | |
1215 | * decompress, http_inspect: add support for processing ole files and for vba_data ips option | |
1216 | * doc: add punctuation to builtin stubs, fix formatting | |
1217 | * doc: builtin rule documentation updates | |
1218 | * http2_inspect: partial header with priority flag set | |
1219 | * http_inspect: add automatic semicolon insertion | |
1220 | * http_inspect: document built-in alerts | |
1221 | * http_inspect: do not normalize JavaScript built-in identifiers | |
1222 | * http_inspect: hardening | |
1223 | * http_inspect: implement JIT (just-in-time) for JavaScript normalization | |
1224 | * http_inspect, ips_option: decouple the vba_data ips option from http_inspect and add the trace debug option to vba_data | |
1225 | * policy: update policy clone code to avoid corrupting active configuration | |
1226 | * protocols: prevent infinite loop over tcp options | |
1227 | * rna: call set_smb_fp_processor function in reload tuner | |
1228 | * rna: do not do service discovery for future flows | |
1229 | ||
1230 | 2021-10-07: 3.1.14.0 | |
1231 | ||
1232 | * appid: enhance RPC service detector to handle RPC Bind version 3 | |
1233 | * appid: fix update_allocations signature in unit test | |
1234 | * appid: log appid daq trace first followed by subscriber modules | |
1235 | * appid: provide api for Lua detectors to map process name to client app | |
1236 | * doc: add descriptions for 119:265-271 builtin alerts | |
1237 | * doc: update builtin stub rule reference strings | |
1238 | * file: add file policy id and other config data as part of packet tracer command under File phase | |
1239 | * file_api: add decompress_buffer_size | |
1240 | * flow: add total flow latency to flowstats | |
1241 | * http2_inspect: compare scanned bytes to total received during reassemble | |
1242 | * http2_inspect: protect against reassemble with more than MAX_OCTETS | |
1243 | * http_inspect: change format of normalized JS identifiers | |
1244 | * ips_options: rename script_data buffer to js_data | |
1245 | * latency: add configuration for implicit enable | |
1246 | * lua: fix Talos tweak snaplen | |
1247 | * rna: support CPE new os RNA event | |
1248 | * snort_config: adding api for enabling latency module | |
1249 | * utils: add custom i/o stream buffers to JS normalizer | |
1250 | * utils: adjust output streambuffer expanding strategy and reserved memory | |
1251 | * utils: fix compilation error of js_identifier_ctx_test for clang | |
1252 | ||
1253 | 2021-09-22: 3.1.13.0 | |
1254 | ||
1255 | * appid: prioritize appid's client detection over third-party | |
1256 | * appid: stay in success state after RPC is detected | |
1257 | * builtins: add --dump-builtin-options | |
1258 | * catch: enable benchmarking | |
1259 | * cip, iec104: update stub rule messages for consistent format | |
1260 | * control: explicitly include ctime header in control.h | |
1261 | * detection: add fast patterns only once per service group | |
1262 | * doc: add support for details on builtin rules in the reference | |
1263 | * doc: update reference for 2:1 and 129:13 | |
1264 | * doc: update the documentation of "replace" option and "rewrite" action | |
1265 | * doc: update user tutorial with '--enable-benchmark-tests' option | |
1266 | * file_api: new api added for url | |
1267 | * file_api: revert store processing flow in context | |
1268 | * flow: don't do memcap pruning if pruning is in progress | |
1269 | * host_cache: Avoid data race in cache size access | |
1270 | * host_tracker: Removing unused methods | |
1271 | * http_inspect: http_raw_trailer fast pattern | |
1272 | * http_inspect: pass file_api the uri with the filename and extract the filename from the uri path | |
1273 | * http_inspect: remove memrchr for portability | |
1274 | * netflow: use device ip and template id to ensure that the template cache keys are unique | |
1275 | * output: adopt the orphaned tag alert (2:1) | |
1276 | * rna: Avoid data races in vlan and mac address | |
1277 | * rna: Avoid infinite loop in ICMPv6 options | |
1278 | * smb: added a null check when current_flow is not present | |
1279 | * snort2lua: Fixed version output (issue #213); | |
1280 | Thanks to A-Pisani for the fix | |
1281 | * stream: change session_timeout default for tcp, ip, icmp and user | |
1282 | * stream: fix session timeout of expired flows | |
1283 | * trough: Avoid data race in file count | |
1284 | * utils: add benchmark tests for JSNormalizer | |
1285 | * utils: add reference and description for ClamAV test cases | |
1286 | * utils: avoid using pubsetbuf which is STL implementation dependent | |
1287 | * utils: fix typo in js_normalizer_test | |
1288 | ||
1289 | 2021-09-08: 3.1.12.0 | |
1290 | ||
1291 | * decoder: icmp6 - use source and destination addresses from packet to compute icmp6 checksum when NAT is in effect | |
1292 | * http_inspect: enable traces for JS Normalizer | |
1293 | * http_inspect: include cookies in http_raw_header | |
1294 | * http_inspect: reduce void space in HttpFlowData | |
1295 | * stream_tcp: add pegs for maximum observed queue size | |
1296 | * stream_tcp: normalize data when queue limits are enabled | |
1297 | * stream_tcp: only update window on right edge acks | |
1298 | * stream_tcp: set sequence number in trimmed packets up to the queue limit and increase defaults | |
1299 | ||
1300 | 2021-08-26: 3.1.11.0 | |
1301 | ||
1302 | * build: update help for --enable-tsc-clock to include arm; | |
1303 | Thanks to liangxwa01 for reporting the issue | |
1304 | * codec: geneve: fix incorrect parsing of option header length | |
1305 | * data_bus: support ordered call of handlers | |
1306 | * dns, ssh: remove obsolete stream insert checks | |
1307 | * doc: Add js_norm_max_template_nesting description | |
1308 | * flow: introduce bidirectional flag for expected session | |
1309 | * flow: set the client initiated flag before publishing the flow state setup event | |
1310 | * framework: update base API version to 8 | |
1311 | * framework: version rollback | |
1312 | * http_inspect: add builtin rule for consecutive commas in accept-encoding header | |
1313 | * http_inspect: Add JavaScript template literals normalization | |
1314 | * http_inspect: check if Normalizer has consumed input | |
1315 | * http_inspect: hard-code infraction enum numbers | |
1316 | * http_inspect: http_raw_header, http_raw_trailer field support | |
1317 | * http_inspect: refactor NormalizedHeader | |
1318 | * http_inspect: support more infractions and events | |
1319 | * http_inspect: two new built-in rules | |
1320 | * inspection: process wizard matches on defragged packets | |
1321 | * ips: add action_map table to map rule types, eg block -> alert | |
1322 | * ips: add action_override which applies to all rules | |
1323 | * lua: update comments in the default config | |
1324 | * modbus: check record length for write file record command | |
1325 | * normalize: remove tcp.trim config | |
1326 | * payload_injector: check if stream is established on flow rather than the packet flag to handle retries | |
1327 | * policy: put inspection policy accessors in public space | |
1328 | * policy: reorganize for sanity | |
1329 | * README: mention vars in default config | |
1330 | * sip: deprecate max_requestName_len in favor of max_request_name_len | |
1331 | * smb: Invoke SMB debug in destructor when packet thread available | |
1332 | * stream_tcp: update API called by payload_injector to check for unflushed queued TCP segments | |
1333 | * style: remove crufty comments | |
1334 | * style: remove C style (void) arglists | |
1335 | * style: remove or update crufty preprocessor comments | |
1336 | * utils: address compiler warning | |
1337 | * utils: support streamed processing of JS text | |
1338 | * wizard: support more HTTP and SIP methods | |
1339 | ||
1340 | 2021-08-11: 3.1.10.0 | |
1341 | ||
1342 | * appid: update netbios-ss (SMB) detector to extract SMB domain from SMBv2, and more intelligently handle payload | |
1343 | appid detection | |
1344 | * appid: use packet thread odp context while creating SIP session | |
1345 | * build: install DAQ modules and Snort plugins in separate folders | |
1346 | * dce_smb: restore file tracker size post deletion | |
1347 | * dns: add DNS splitter | |
1348 | * doc: update user manual for identifier normalization | |
1349 | * file_api: add infra and file debugs to existing debugging framework | |
1350 | * ftp: remove unused defines and crufty comments | |
1351 | * http_inspect: add JavaScript identifiers normalization | |
1352 | * http_inspect: change the default value of request_body_app_detection config parameter to true | |
1353 | * smtp: remove unused defines | |
1354 | * ssh: handle traffic with invalid version string | |
1355 | * ssh: handle version string packets that also contain key exchange data | |
1356 | * stream_tcp: skip unordered segments if last flushed position already moved past | |
1357 | * telnet: correct help for ayt_attack_thresh | |
1358 | * wizard: add wizard max_pattern option and update HTTP/SIP aware methods patterns | |
1359 | ||
1360 | 2021-07-28: 3.1.9.0 | |
1361 | ||
1362 | * actions: allow session data to stay accessible for loggers for reject rule action | |
1363 | * byte_options: address compiler warnings | |
1364 | * control: add idle expire removal to control channels | |
1365 | * dump_stats: direct output back to command channel | |
1366 | * events: use instance_id to make event_id unique across threads | |
1367 | * file_api: handle file_cache inspection for non-zero offset | |
1368 | * http2_inspect: change xor to or in assert that was failing due to uninitialized variable | |
1369 | * http2_inspect: fix HPACK dynamic table size update management | |
1370 | * http2_inspect: remove unused variables | |
1371 | * http_inspect: add peg count for script bytes processed | |
1372 | * http_inspect: add rule option http_raw_header_complete | |
1373 | * http_inspect: don't allocate 0-length partial inspection buffer | |
1374 | * ips_options: add catch tests for byte_test, byte_jump, byte_math, byte_extract | |
1375 | * ips_options: address compiler warnings | |
1376 | * ips_options: refactor byte_extract, byte_test, byte_math, byte_jump and related tests | |
1377 | * lua: update HTTP/2 default_wizard hex with S2C pattern match | |
1378 | * stats: update file and appid stats to use Log functions provided from stats.cc | |
1379 | ||
1380 | 2021-07-15: 3.1.8.0 | |
1381 | ||
1382 | * appid: support SSH client detection through lua detector | |
1383 | * dce_rpc: fix crash when expected session comes after snort reload | |
1384 | * dce_rpc: handling raw packets | |
1385 | * dce_smb: added trace messages and multiple level logging for SMB module | |
1386 | * dce_smb: fixed macro definition for SMB_DEBUG | |
1387 | * doc: fix build warnings; | |
1388 | Thanks to jiangrj (github.com/jiangrij) for reporting the issue | |
1389 | * dump_config: support modules without config options in text format | |
1390 | * file_api: handling overlap segments | |
1391 | * http2_inspect: clean data cutter internal state after exhausting flow depth | |
1392 | * http_inspect: add built-in alert for script tags in a short form | |
1393 | * packet_io: check if unreachable_candidate before sending unreachable | |
1394 | * packet_io: unreachable packets shouldn't be sent for ICMP | |
1395 | * snort2lua: set raw_data buffer for rawbytes and B flag in PCRE | |
1396 | * wizard: make SSH spell more specific | |
1397 | ||
1398 | 2021-06-30: 3.1.7.0 | |
1399 | ||
1400 | * appid: enhance netbios service detector to identify SMB versions as web app | |
1401 | * appid: update documentation | |
1402 | * appid: update the DNS detector to support the all record request | |
1403 | * control: resolve socket issues due to race conditions | |
1404 | * doc: updates for http2_inspect | |
1405 | * framework: update base API version to 3 | |
1406 | * main: implement test_features run flag to enable debug-like output | |
1407 | * mime: track memory for mime sessions | |
1408 | * payload_injector: don't inject if there are unflushed S2C TCP packets queued | |
1409 | * reputation: include list id for daq trace log | |
1410 | * sfip: fix unit tests for non-regtest builds | |
1411 | * snort2lua: fix lua conversion of unsupported http preproc options without parameters | |
1412 | * snort2lua: remove footprint size config | |
1413 | * stream: fix is_ack_valid to return true even when current ack is to the left of snd_una, per RFC793 | |
1414 | ||
1415 | 2021-06-16: 3.1.6.0 | |
1416 | ||
1417 | * appid: extract auxiliary ip when uri is provided by third-party | |
1418 | * appid: perform detection on request body for HTTP2 traffic | |
1419 | * appid: remove error message when userappid.conf is not present | |
1420 | * appid: remove unused metadata offset functionality | |
1421 | * appid: support fragmented metadata | |
1422 | * appid: use 32 bits for storing protocol field in RPC port map message | |
1423 | * codecs: geneve - add support for Geneve encapsulation | |
1424 | * codecs: geneve - add vni to alert_csv and alert_json | |
1425 | * codecs: support inner flow NAT | |
1426 | * control: allow compile with shell disabled | |
1427 | * control: clean up cppcheck issues | |
1428 | * control: expose ContrlConn API | |
1429 | * control: refactor control channel management to better handle control responses | |
1430 | * control: remove SHELL compile flag from header | |
1431 | * control: remove unused IdleProcessing functionality | |
1432 | * dce_rpc: SMB multichannel - add smb multichannel file support | |
1433 | * dce_rpc: SMB multichannel - handle negotiate command to create expected flow | |
1434 | * dce_rpc: SMB multichannel - introduce locks | |
1435 | * dce_rpc: SMB multichannel - make session cache global | |
1436 | * dce_rpc: SMB multichannel - own memory tracking in global cache | |
1437 | * dce_rpc: fix warnings | |
1438 | * dce_rpc: handle reload prune for smb session cache | |
1439 | * dce_rpc: store shared pointer of session tracker | |
1440 | * doc: update JS normalizer options | |
1441 | * file_api: increase file count only once per file | |
1442 | * file_api: store processing flow in context | |
1443 | * filters: change rate filter to use network policy id instead of ips policy id | |
1444 | * filters: support rate filter to work with PDUs | |
1445 | * flow: enable support for multiple expected sessions | |
1446 | * ftp: create additional expected session if negotiated IP is different from server IP on packet | |
1447 | * gtp: check protocol type according to gtp version | |
1448 | * host_cache: remove unused lua mock code from the tests | |
1449 | * http2_inspect: don't perform valid sequence check on rst_stream frame | |
1450 | * http2_inspect: improve request line generation and checks | |
1451 | * http2_inspect: rule options and doc clean up | |
1452 | * http2_inspect: track dynamic table memory allocation | |
1453 | * http_inspect: add JS Normalizer to dev_notes | |
1454 | * http_inspect: add JS normalization for external scripts | |
1455 | * http_inspect: additional memory tracking | |
1456 | * http_inspect: extend built-in alerts for JavaScript processing | |
1457 | * http_inspect: improve MPSE in HttpJsNorm (script start conditions) | |
1458 | * http_inspect: limit section size target for file processing | |
1459 | * http_inspect: publish event for http/2 request bodies | |
1460 | * http_inspect: support partial detect for JavaScripts | |
1461 | * http_inspect: track memory footprint of zlib inflation | |
1462 | * http_inspect: update test mock api | |
1463 | * iec104: delete trailing spaces | |
1464 | * ips_options: fix intrusion alerts generation for tcp rpc PORTMAP traffic when rpc_decode is bound to the flow | |
1465 | * main: add support for resuming particular thread | |
1466 | * main: fix config dump for list-based inspector aliases | |
1467 | * mime: store extra data in stash | |
1468 | * packet_io: enable expected session flags | |
1469 | * protocols: remove inline specifiers for functions defined within a structure declaration | |
1470 | * pub_sub: add get_uri_host() to HttpEvent | |
1471 | * pub_sub: update HttpEvent::get_host to get_authority - now always includes port if there is one | |
1472 | * reputation: daq trace log | |
1473 | * reputation: support auxiliary IP matching upon reload | |
1474 | * rna: filter DHCP events and some refactoring | |
1475 | * rna: update last seen time on deleted host rediscovery | |
1476 | * stream: enable support for multiple expected sessions | |
1477 | * stream_tcp: populate flow contents in context for non-wire packets | |
1478 | * time: make Periodic class SO_PUBLIC | |
1479 | * trace: place trace options under the DEBUG_MSGS macro | |
1480 | * utils: fix warning about empty statement | |
1481 | * utils: refactor JSTokenizer | |
1482 | * utils: rework JSNormalizer class | |
1483 | ||
1484 | 2021-05-20: 3.1.5.0 | |
1485 | ||
1486 | * appid: Publish an event when appid debug command is issued | |
1487 | * appid: do memory accounting of api stash object, dns/tls/third-party sessions | |
1488 | * appid: mark payload detection as done after either http request or response is inspected | |
1489 | * appid: set monitor flags on future flows | |
1490 | * dce_rpc: fix expected session protocol id | |
1491 | * dce_rpc: update memory tracking for smb session data | |
1492 | * dce_rpc: use find_else_insert in smb session cache to avoid deadlock | |
1493 | * file_api: fix spell source error | |
1494 | * flow: Adding stash API to save auxiliary IP | |
1495 | * flow: Enhancing APIs to stash auxiliary IP | |
1496 | * flow: memory tracking updates | |
1497 | * hash: add new insert method in lru_cache_shared | |
1498 | * http2_inspect: add assert in clear | |
1499 | * http2_inspect: concurrent streams limit is configurable | |
1500 | * http2_inspect: fix non-standard c++ | |
1501 | * http2_inspect: handle trailer after reaching flow depth | |
1502 | * http2_inspect: implement window_update frame | |
1503 | * http2_inspect: optimize processing after reaching flow depth | |
1504 | * http2_inspect: track stream memory incrementally instead of all up front | |
1505 | * http2_inspect: update discard print | |
1506 | * http2_inspect: update state and delete streams after reaching flow depth | |
1507 | * http_inspect: IP reputation support | |
1508 | * http_inspect: don't disable detection for flow if it's an HTTP/2 flow | |
1509 | * ips_options: fix relative base64_decode | |
1510 | * memory: free_space cleanup | |
1511 | * netflow: additional check before v5/v9 decode | |
1512 | * netflow: version 9 decoding and filtering | |
1513 | * packet_tracer: IPS daq trace log | |
1514 | * packet_tracer: file daq trace log | |
1515 | * parser: Remove rule merge in dump mode | |
1516 | * parser: reduce RTNs only after states applied | |
1517 | * reputation: track monitor ID via flow; minor code cleanup | |
1518 | * shell: exit gracefully when sandbox lua is misconfigured | |
1519 | * stream_tcp: Deleting session when both talker and listener are closed | |
1520 | * stream_tcp: Using window base for reset validation | |
1521 | ||
1522 | 2021-04-21: 3.1.4.0 | |
1523 | ||
1524 | * appid: (fix style) Local variable 'version' shadows outer variable | |
1525 | * appid: Delete third-party connections with context only if third-party reload is not in progress | |
1526 | * appid: clean up lua stack on C->lua function exit | |
1527 | * appid: clean-up parameters in service_bootp | |
1528 | * appid: detect payload based on dns host | |
1529 | * appid: in continue state for ftp traffic, do not change service to unknown on validation failure | |
1530 | * appid: monitor only the networks specified in rna configuration | |
1531 | * appid: refactor to set http scan flags in one place | |
1532 | * appid: remove detectors which are available in odp | |
1533 | * appid: remove duplicate rtmp code | |
1534 | * binder: update flow data inspector on a service change | |
1535 | * build: add better support for flex lexer; | |
1536 | Thanks to Özkan KIRIK and Moin for reporting the issue | |
1537 | * codecs: use held packet SYN in Tcp header creation | |
1538 | * copyright: Update year to 2021 | |
1539 | * dce_rpc: Added a cleanup condition for DCERPC in close request | |
1540 | * dce_rpc: DCERPC Support over SMBv2 | |
1541 | * dce_rpc: Fixed prototype mismatch. Smb2Tid doesn't need to be inline | |
1542 | * doc: add documentation for script_data ips option | |
1543 | * doc: revert documentation related to script_data ips option | |
1544 | * framework: Adding IT_FIRST inspector type to analyze the first packet of a flow | |
1545 | * hash: prepond object creation in LRU cache find_else_create | |
1546 | * host_tracker: fix bug in set_visibility | |
1547 | * http2_inspect: fix possible read-after-free in hpack decoder | |
1548 | * http2_inspect: free streams in completed/error state | |
1549 | * http_inspect: fix end of script match after reload | |
1550 | * http_inspect: remove detained inspection config | |
1551 | * ips: allow null detection trees with negated lists | |
1552 | * ips_options: add sticky buffer script_data ips option within normalized javascripts payload | |
1553 | * main: Adding reload id to track config/module/policy reloads | |
1554 | * main: Log holding verdict only if packet was actually held | |
1555 | * main: Update memcap for detained packets | |
1556 | * netflow: add device list configuration | |
1557 | * netflow: add filter matching for v5 decoder | |
1558 | * netflow: get correct zone info from packet | |
1559 | * packet_io: If packet has no daq_instance, use thread-local daq_instance | |
1560 | * packet_tracer: Appid daq trace log | |
1561 | * packet_tracer: fix trace condition for setting IP_PROTO | |
1562 | * payload_injector: send go away frame | |
1563 | * pcre: revert change that disabled jit | |
1564 | * reputation: Registering inspector to the IT_FIRST type | |
1565 | * rna: add the smb fingerprint processor to the get_or_create / set processor api | |
1566 | * ssl: refactoring SSLData out so it can be reused | |
1567 | * stream: Add held packet to retry queue when requested | |
1568 | * stream: Add partial_flush. Flush one side of flow immediately | |
1569 | * stream: IP frag packets won't have a flow so do not try to hold them | |
1570 | * stream: fetch held packet SYN | |
1571 | * stream: fix race condition in HPQReloadTuner | |
1572 | * stream: store held packet SYN | |
1573 | * utils: enable Flex C++ mode via its option | |
1574 | ||
1575 | 2021-03-27: 3.1.3.0 | |
1576 | ||
1577 | * actions: Dynamically construct the default eval order for all the loaded IPS actions | |
1578 | * actions: Make all IPS actions pluggable | |
1579 | * appid: Make netbios domain available through appid API | |
1580 | * appid: SMB fingerprinting support | |
1581 | * cmake: Add flex build dependency | |
1582 | * dce_rpc: Refactor SMB code | |
1583 | * detection: Update detection.alert, to be used instead of reputation.total_alerts | |
1584 | * detection: Update dump_rule_meta function to only print rules from default IPS policy | |
1585 | * detection: Update the rtn's listHead to reflect the new action set in the rule state | |
1586 | * doc: Update http_inspect feature documentation | |
1587 | * flow: Add packet tracer output to DAQ expected flow requests | |
1588 | * host_tracker: Fully populate local hostclient before logging | |
1589 | * http2_inspect: Alert on uppercase header name encoded in HPACK | |
1590 | * http_inspect: Add JavaScript whitespace normalization | |
1591 | * http_inspect: Add normalization_depth config option | |
1592 | * http_inspect: Alert on HTTP/2 upgrade attempts | |
1593 | * http_inspect: Integrate JSNormalizer (whitespace normalization) keeping the old one | |
1594 | * packet_io: Update for the removal of the RETRY DAQ verdict | |
1595 | * packet_tracer: Do not log non-IP packets when enabled from shell and a constraint is set | |
1596 | * parser: Support duped RTN if its header has been changed | |
1597 | * rate_filter: Get the available IPS actions dynamically to configure the new_action | |
1598 | * rna: Make discovery filter use client and server interfaces if they are not unknown | |
1599 | * rna: SMB fingerprinting support | |
1600 | * snort2lua: Delete conversion of disable_replace option | |
1601 | * snort2lua: Fix lua conversion of http preproc options | |
1602 | * snort: Add -h to output the help overview (same as --help) | |
1603 | * snort_config: Remove is_active_enabled and set_active_enabled functions | |
1604 | * style: Change C++ comment NULL to null | |
1605 | * style: Remove unnecessary cruft | |
1606 | * style: Remove unused cruft | |
1607 | * utils: Add JSNormalizer | |
1608 | ||
1609 | 2021-03-11: 3.1.2.0 | |
1610 | ||
1611 | * action_manager: Remove unused cached reject action | |
1612 | * appid: Always get appid inspector from default inspection policy | |
1613 | * appid: Fixes for cppcheck warnings | |
1614 | * appid: Get uri from http event even when http host is not present | |
1615 | * appid: Load lua detectors for packet threads from compiled lua bytecode during detector reload | |
1616 | * appid: Remove app forecast method | |
1617 | * appid: Remove detectors for obsolete apps - AOL instant messenger and Yahoo messenger | |
1618 | * appid: Send reloading detectors message to socket immediately | |
1619 | * appid: Update IMAP service detector pattern | |
1620 | * appid: Use opportunistic tls event to set decryption countdown for SMTP detector | |
1621 | * binder: Apply host attribute table information at the beginning of flow setup | |
1622 | * binder: Clean up std namespace usage | |
1623 | * binder: Use service inspector caching to improve get_gadget() performance | |
1624 | * binder: Use the first match for non-terminal binding usage | |
1625 | * build: Do one more pass of modernizing the C++ code | |
1626 | * dce_rpc: Handle async responses in smbv2 | |
1627 | * dce_rpc: Pass proper file id in file api from smb1 | |
1628 | * decompress: Add support for streaming ZIPs | |
1629 | * detection: Use IP and port variables from the targeted policy | |
1630 | * doc: Remove http detained inspection from user manual | |
1631 | * doc: Update documentation for ips.states | |
1632 | * file_magic: Add pattern for pcapng | |
1633 | * flow: Add new flag to indicate elephant flow | |
1634 | * ftp_telnet: Implement init_partial_flush for ftp data | |
1635 | * ftp_telnet: Respect telnet_cmds config for raising 125:1 | |
1636 | * host_attributes: Update api to reduce use of shared_pointer | |
1637 | * http2_inspect: Limit number of concurrent streams | |
1638 | * http2_inspect: Process rst_stream frame | |
1639 | * http_inspect: IPv6 authority in URI | |
1640 | * http_inspect: Javascript support cleanup | |
1641 | * http_inspect: Partial inspection for 0 length chunk | |
1642 | * http_inspect: Remove detained inspection | |
1643 | * http_inspect: Remove unused events | |
1644 | * http_inspect: Temporarily restore detained_inspection parameter | |
1645 | * iec104: Add documentation for iec104 service inspector | |
1646 | * iec104: Additional input sanitization, syntax, and style changes | |
1647 | * iec104: Integrate new iec104 protocol service inspector | |
1648 | * inspector_manager: Instantiate default binder as long as a wizard or stream are present | |
1649 | * ips_options: Update cursor position for relative pcre | |
1650 | * ipv4: Correct the calculation for illegal fragment offset checks | |
1651 | * log: Add printf format attribute to TextLog_Print() and clean up the fallout | |
1652 | * log: Base logging the Ethernet header on proto bits rather than DLT | |
1653 | * loggers: Fix excessive byte reordering when printing MPLS labels in CSV and JSON | |
1654 | * main: Fix accumulating and printing codec stats at run time | |
1655 | * managers: Enforce strict parsing for binder aliases | |
1656 | * managers: Pass the configuration to default module's end() | |
1657 | * managers: Perform sanity checks on set_alias() parameters | |
1658 | * memory: Free memory space while updating allocation | |
1659 | * module: Introduced new api to clear global active module counters | |
1660 | * module_manager: Enforce interest in global modules only in the default policy | |
1661 | * mpls: Add next layer autodetection and implement codec logging | |
1662 | * mpls: Refactor mpls.enable_mpls_overlapping_ip into packet.mpls_agnostic | |
1663 | * mpls: Remove enable_mpls_multicast option | |
1664 | * packet_capture: Add group filter for packet capture | |
1665 | * packet_tracer: Add daq buffer to hold daq logs | |
1666 | * perf_monitor: Fix finalizing JSON output files for trackers | |
1667 | * portscan: Fix decoy and distributed scan logic | |
1668 | * portscan: Fix delimiter for ports in config | |
1669 | * portscan: Fix IP scans not alerting | |
1670 | * protocols: Add initial support for multilayer compound codecs | |
1671 | * protocols: Add peg count for decodes that exceeded the max layers | |
1672 | * protocols: Consistently encapsulate exported protocol headers in the snort namespace | |
1673 | * reputation: Add peg count for total alerts | |
1674 | * reputation: Remove deprecated redundant terms | |
1675 | * rna: Discover NetBIOS name | |
1676 | * snort: Clear snort counter for modules, daq, file_id, appid | |
1677 | * snort: Update for DAQ_FlowStats_t structure and field name changes | |
1678 | * snort_config: Clean up and annotate command line config merge process | |
1679 | * snort_config: Remove unnecessary command line options | |
1680 | * stream: Always use latest splitter from tracker after paf_check | |
1681 | * stream: Do not update service from appid to host attributes if nothing is changed | |
1682 | * stream: Set block pending flag when a flow is dropped | |
1683 | * stream_tcp: Ensure flows aren't pruned while processing a PDU | |
1684 | * stream_tcp: Flush queued segments when FIN is received | |
1685 | * stream_tcp: Support data on SYN by default with or without Fast Open option | |
1686 | * trans_bridge: Lift the log() implementation from the root Ethernet codec | |
1687 | * wizard: Add support for sslv2 detection | |
1688 | ||
1689 | 2021-01-28: 3.1.1.0 | |
1690 | ||
1691 | * appid: Add support for snmpv3 report pdu | |
1692 | * appid: Always store container session api object in stash | |
1693 | * appid: Do not process sip event for an existing session after detector reload | |
1694 | * appid: Remove unused code; cleanup FIXIT comments related to reload | |
1695 | * appid: Send reload detectors and third-party messages to socket immediately if appid is not | |
1696 | enabled | |
1697 | * codecs: Update tcp naptha check to make sure it is ipv4 traffic | |
1698 | * file_api: Remove file context after file name set if processing is complete | |
1699 | * file_api: Stop processing signature when type verdict is 'FILE_VERDICT_STOP' | |
1700 | * flow: Update direction and interface info in HA flow | |
1701 | * ftp: Use Stream packet holding to handle ftp-data EoF | |
1702 | * http_inspect: Add chunked processing to dev notes | |
1703 | * http_inspect: Provide file_id to set file name and read new return value | |
1704 | * http_inspect: Validate and normalize scheme | |
1705 | * http_inspect: Validate URI scheme length | |
1706 | * inspector: Add a global reference count for uses that are not thread specific | |
1707 | * lrucache: Changes for memcap for support constant cache objects with variable size | |
1708 | * managers: Clean all inactive inspectors warning about ones that are still referenced | |
1709 | * mime: Provide file_id to set file name and read new return value | |
1710 | * payload_injector: Inject settings frame | |
1711 | * rna: Minimize synchronization overhead | |
1712 | ||
1713 | 2021-01-13: 3.1.0.0 | |
1714 | ||
1715 | * appid: Store stats in map | |
1716 | * appid: Tear down third-party when appid gets disabled | |
1717 | * build: Add support for version sublevel and build via CMake | |
1718 | * dce_rpc: Handle Flow from File inspection | |
1719 | * host_cache: Add command to output host_cache usage, pegs, and memcap | |
1720 | * http2_inspect: Add total_bytes peg to track HTTP/2 data bytes inspected | |
1721 | * http_inspect: Abort on HTTP/2 connection preface | |
1722 | * http_inspect: Add total_bytes peg to track HTTP data bytes inspected | |
1723 | * http_inspect: Alert on truncated chunked and content-length message bodies | |
1724 | * http_inspect: Support stretch for Http2 | |
1725 | * log: Reuse TextLog buffer for large data; | |
1726 | Thanks to Chris White for reporting the issue | |
1727 | * packet_io: IDS mode should not give blacklist verdict for Intrusion event | |
1728 | * rna: Fix version, vendor and user string comparison at maximum length | |
1729 | * rna: Perform appropriate filter check based on the event type | |
1730 | * rna: Revert rna performance optimizations | |
1731 | * rpc_decode: Implement adjust_to_fit for RPC splitter | |
1732 | * stream_tcp: Delete redundant calls to check if the tcp packet contains a data payload | |
1733 | * stream_tcp: Fix issues causing overrun of the pdu reassembly buffer, make splitters | |
1734 | authoritative of size of the reassembled pdu | |
1735 | * stream_tcp: On midstream pickup, when first packet is a data segment, set flag on talker tracker | |
1736 | to reinit seglist base seg on first received data packet | |
1737 | * stream_tcp: Remove obsolete flush_data_ready() function | |
1738 | ||
1739 | 2020-12-20: 3.0.3 build 6 | |
1740 | ||
1741 | * active: Fix falling back on using raw IP for active responses when no device is specified | |
1742 | * appid: Add support for apps, http host, url and tls host in HA | |
1743 | * appid: Allow checking appid availability for a given http/2 stream | |
1744 | * appid: Change terms used in code, logs and peg counts | |
1745 | * appid: Do not override http fields with empty values | |
1746 | * appid: Dump userappid configurations upon reloading third-party | |
1747 | * appid: For http2 flow, return service id as http2 when no streams are yet created | |
1748 | * appid: Mark reload third-party complete after unloading old library and creating new third-party | |
1749 | context | |
1750 | * appid: Print more descriptive error message when lua detector registers invalid pattern | |
1751 | * binder: Pass service to get_bindings on flow service change | |
1752 | * binder: Specify service inspector type when getting a gadget instance | |
1753 | * build: Clean up various cppcheck warnings | |
1754 | * catch: Avoid using INTERNAL_CATCH_UNIQUE_NAME in our headers | |
1755 | * catch: Update to Catch v2.13.3 | |
1756 | * dce_rpc: Fixed incorrect access of FileFlows while pruning the flow | |
1757 | * file_api: Fixed stats which weren't cleared when there were no stats for signature processing | |
1758 | * file_api: Handle resume block when multiple file rules are configured with store option enabled | |
1759 | * flow: Pause logging during timeout processing | |
1760 | * helpers: Handle SIGILL and SIGFPE with the oops handler | |
1761 | * high_availability: Add check for packet key equals HA key before consume | |
1762 | * host_attributes: Better error handling for reload to eliminate double free and memory leaks | |
1763 | * http2_inspect: Check for invalid flags | |
1764 | * http2_inspect: Fix bug with exceeding inspection depth | |
1765 | * http2_inspect: Fix empty queue access and some bookkeeping | |
1766 | * http2_inspect: Handle connection close during headers frames | |
1767 | * http2_inspect: Handle discard | |
1768 | * http2_inspect: HI error handling improvements | |
1769 | * http2_inspect: Improve error handling | |
1770 | * http2_inspect: Remove 0 length scan for most cases | |
1771 | * http_inspect: Explicit memory allocation for transactions and partial inspections | |
1772 | * http_inspect: Script detection for HTTP/2 | |
1773 | * inspector_manager: Remove unused inspector_exists_in_any_policy() function | |
1774 | * inspector: Remove obsolete metapacket processing functionality | |
1775 | * main: Convert Request to shared_ptr to avoid memory problems | |
1776 | * main: Fix memory leak in reload_config() caused by incorrect code merge | |
1777 | * managers: Add inspector type in the help module output | |
1778 | * managers: Don't allow a referenced inspector to stall emptying the trash | |
1779 | * managers: Track removed inspectors during reload and call tear_down and tterm to release | |
1780 | resources | |
1781 | * packet_io: Export forwarding_packet() function | |
1782 | * packet_tracer: Fix the debug session information for non-ip packets | |
1783 | * parser: Add escaping for double quotes and special chars in a rule body | |
1784 | * parser: Fix escape logic for --dump-rule-meta output | |
1785 | * reload: Reset default policies after failed reload | |
1786 | * request: Expose methods to be used in plugins | |
1787 | * rna: Do null check in the Inspector rather than the Module in the control commands | |
1788 | * rna: Generate new host event for CDP traffic | |
1789 | * rna: Make the mac cache persist over reload config | |
1790 | * rna: Reduce host cache lock usage to improve performance | |
1791 | * rna: Remove unused function | |
1792 | * rna: Replace some tabs with spaces as per style guidelines | |
1793 | * rna: Support data purge command | |
1794 | * rna: Support DHCP fingerprint matching and event generation | |
1795 | * rna: Use service ip and port provided by appid for DHCP discovery events | |
1796 | * shell: Change terms used in code, logs and peg counts | |
1797 | * shell: Support for loading configuration in lua sandbox | |
1798 | * snort: Add OopsHandlerSuspend for suspending Snort's crash handler | |
1799 | * stream: Fix stream clean up when going from enabled to disabled | |
1800 | * stream_ha: Only flush on HA deactivate if not in STANDBY, set HA state to STANDBY when new Flow | |
1801 | is created | |
1802 | * stream_tcp: Initialize the alerts array to empty when a TcpReassembler instance is initialized | |
1803 | or reset | |
1804 | * stream_tcp: Set interfaces in both directions | |
1805 | ||
1806 | 2020-11-16: 3.0.3 build 5 | |
1807 | ||
1808 | * appid: Add unit test to verify HA data for flow unmonitored by appid | |
1809 | * appid: Handle cppcheck warnings | |
1810 | * appid: Prefix http/2 decrypted urls with https:// | |
1811 | * appid: Support client login failure event | |
1812 | * flow: Do not remove the flow during pruning/reload during IPS event with block action | |
1813 | * flow: Flesh out swap_roles() to swap more client/server fields | |
1814 | * flow: Set client initiated flag based on DAQ reverse flow flag, track on syn config, and syn-ack | |
1815 | packet | |
1816 | * ftp: Handle FTP detection when ftp data segment size changes | |
1817 | * host_tracker: Ignore IP family when comparing SfIp keys in the host cache | |
1818 | * http2_inspect: Data frame redesign | |
1819 | * http2_inspect: Multi-segment reassemble discard bug fix | |
1820 | * http2_inspect: Perform hpack decoding on push_promise frames | |
1821 | * http2_inspect: Refactor data cutter | |
1822 | * http2_inspect: Refactor scan() | |
1823 | * http2_inspect: Remove const cast | |
1824 | * http2_inspect: Send push_promise frames through http_inspect | |
1825 | * ips_options: Don't move cursor in byte_math | |
1826 | * main: Set up logging flags globally to avoid dependencies on a particular SnortConfig object | |
1827 | * payload_injector: Refactoring | |
1828 | * payload_injector: Remove content length and connection for HTTP/2 | |
1829 | * rna: Add command to delete MAC hosts and protos | |
1830 | * rna: Delete payloads when clients, services are deleted; add unit tests | |
1831 | * rna: Discover banner on service version or response events | |
1832 | * rna: Don't process packet in eval if eth bit not set | |
1833 | * rna: Log src mac from packet containing CDP message when host type change event is generated | |
1834 | * rna: Support banner discovery | |
1835 | * rna: Support change service event with null version and vendor | |
1836 | * rna: Support user login failure discovery | |
1837 | * smtp: Make sure the ssl search abandoned flag is preserved for reset | |
1838 | * stream_tcp: Remove redundant/unneeded asserts that check if tcp event is for a meta-ack | |
1839 | pseudo-packet | |
1840 | * thread_config: Show thread ID when logging binding information | |
1841 | * trace: Add missing packet information to some of the messages | |
1842 | ||
1843 | 2020-10-27: 3.0.3 build 4 | |
1844 | ||
1845 | * actions: Add support to react for HTTP/2 | |
1846 | * appid: Fix -Wunused-private-field Clang warning in service_state.h | |
1847 | * build: Various build fixes for OS X | |
1848 | * file_api: Remove deletion of file_mempool | |
1849 | * framework: Fix ConnectorConfig dtor to be virtual | |
1850 | * ips: Move IPS variables to sub-tables which designate type | |
1851 | * lua: Update default_variables with 'nets', 'paths', and 'ports' tables in snort_defaults.lua | |
1852 | * module: Fix modules that accept their configuration as a list | |
1853 | * payload_injector: Support pages > 16k | |
1854 | * rna: Add unit tests for TCP fingerprint methods | |
1855 | * snort: Remove support for -S option | |
1856 | * src: Clean up zero-initialization of arrays | |
1857 | * tools: Update snort2lua to convert custom variables into ips.variables.nets/.paths/.ports tables | |
1858 | * trace: Add timestamps in trace log messages for stdout logger | |
1859 | ||
1860 | 2020-10-22: 3.0.3 build 3 | |
1861 | ||
1862 | * actions: Update react documentation | |
1863 | * actions: Use payload_injector for react | |
1864 | * appid: Add service group and asid in AppIdServiceStateKey | |
1865 | * appid: Continue appid inspection after third-party identifies an application | |
1866 | * appid: Do not reset third-party session after third-party reload | |
1867 | * build: Updates for libdaq changes that introduce significant groups in flow stats | |
1868 | * codecs: Remove PIM and Mobility from bad protocol lists | |
1869 | * dce_rpc: Add ingress/egress group and asid in SmbFlowKey and Smb2SidHashKey | |
1870 | * doc: Tweak the template regex in get_differences.rb | |
1871 | * dump_config: Don't print names for list elements | |
1872 | * file_api: Add ingress/egress group and asid in FileHashKey | |
1873 | * file_magic: Update POSIX tar archive pattern | |
1874 | * flow: Add source/dest group id in flow key | |
1875 | * flow: Stale and deleted flows due to EOF should generate would have dropped event | |
1876 | * ftp_data: Add can_start_tls() support and generate ssl search abandoned event for unencrypted | |
1877 | data channels | |
1878 | * host_cache: Add delete host, network protocol, transport protocol, client, service, tcp | |
1879 | fingerprint and user agent fingerprint commands | |
1880 | * host_tracker: Implement client and server delete commands | |
1881 | * http2_inspect: Handle stream creation for push promise frames | |
1882 | * ips_options: Fix retry calculation in IPS content when handling "within" field | |
1883 | * lua: Use default IPS variables in the default config | |
1884 | * main: Add lua variables for snort version and build | |
1885 | * managers: Delete obsolete variable parsing code | |
1886 | * managers: Skip snort_set lua function for non-table top level keys in finalize.lua | |
1887 | * meta: Do not dump elided header fields or default message | |
1888 | * meta: Dump full rule field | |
1889 | * meta: Dump missing port field | |
1890 | * packet: Add two new apis to parse ingress/egress group from packet's daq pkt_hdr | |
1891 | * packet_tracer: Add groups in logging based on significant groups flag | |
1892 | * port_scan: Add group and asid in PS_HASH_KEY | |
1893 | * rna: Change ip to client instead of server for login events | |
1894 | * rna: Change logic for payload discovery, eventing | |
1895 | * rna: Conditionalize reload tuner registration on get_inspector() | |
1896 | * rna: Log user-agent device information | |
1897 | * rna: Move registration of reload tuner to configure() | |
1898 | * snort2lua: Update comments for deleted rule_state options | |
1899 | * ssh: Fix code indentation and CI breakage | |
1900 | * ssh: SSH splitter implementation | |
1901 | * stream: Initialize flow key's flags.ubits with 0 | |
1902 | * stream_tcp: Don't attempt to drop 'meta_ack packets', there is no wire packet for these acks | |
1903 | * style: Clean up accumulated tabs and trailing whitespace | |
1904 | * trace: Refactor the test code | |
1905 | * trace: Skip trace reload if no initial config present | |
1906 | * utils: Add a generic function to get random seeds | |
1907 | ||
1908 | 2020-10-07: 3.0.3 build 2 | |
1909 | ||
1910 | * appid: Create events for client user name, id and login success | |
1911 | * appid: Inform third-party about snort's idle state during reload | |
1912 | * appid: Reload detector patterns on reload_config for the sake of hyperscan | |
1913 | * appid: Update appid to use instance based reload tuner | |
1914 | * binder: Allow binding based on address spaces | |
1915 | * binder: Allow directional binding based on interfaces | |
1916 | * binder: Enforce directionality, add intfs, rename groups, cleanup | |
1917 | * framework: Update packet constraints comparison to check only set fields | |
1918 | * host_tracker: Update host tracker to use instance based reload tuner | |
1919 | * http2_inspect: Fix frame padding handling | |
1920 | * http2_inspect: Free up HI flow data when we are finished with it | |
1921 | * http2_inspect: Stream state tracking | |
1922 | * http_inspect: Implement can_start_tls(), add support of ssl search abandoned event | |
1923 | * http_inspect: Support for custom xff type headers | |
1924 | * main: Change reload memcap framework to use object instances | |
1925 | * main: Remove deprecated rule_state module | |
1926 | * main: Update host attribute class to use instance based reload tuner | |
1927 | * normalizer: Move TTL configuration toggle to inspector configure() | |
1928 | * perf_monitor: Update perf monitor to use instance based reload tuner | |
1929 | * policy: Copy uuid, user_policy_id, and policy_mode when an inspection policy is cloned | |
1930 | * pop: Generate alert for unknown command if file policy is attached | |
1931 | * port_scan: Update port scan to use instance based reload tuner | |
1932 | * rna: Add event_time to rna logger events | |
1933 | * rna: Add payload discovery logic | |
1934 | * rna: Check user-agent processor early to skip some work | |
1935 | * rna: Port host type discovery logic | |
1936 | * rna: Set the thread local fingerprint processors during reload_config | |
1937 | * rna: Update rna to use instance based reload tuner | |
1938 | * rna: Update methods for user-agent processor | |
1939 | * rna: User discovery for successful login | |
1940 | * snort2lua: Convert rule_state into ips.states | |
1941 | * stream_tcp: Update trace messages to use trace framework | |
1942 | * stream: Update stream to use instance based reload tuner | |
1943 | * trace: Update parser unit tests | |
1944 | * wizard: Clean up parameter parsing and make it a bit stricter | |
1945 | ||
1946 | 2020-09-23: 3.0.3 build 1 | |
1947 | ||
1948 | * ac_bnfa: Disable broken fail state reduction | |
1949 | * appid: Check third party context version while deleting connections | |
1950 | * appid: Use third party payload if available for HTTP tunneled | |
1951 | * cmake: Support cmake build type configuration | |
1952 | * dce_rpc: Handle compound requests for upload | |
1953 | * dce_rpc: Modify logs to show if file context is found or not found | |
1954 | * dump_config: Sort config options before printing | |
1955 | * file_api: Update lookup and block timeout from config at file cache creation | |
1956 | * flowbits: Evaluate checkers after setters for fast pattern matches | |
1957 | * ftp: Add APPE to upload commands | |
1958 | * http2_inspect: Convert to new stream states | |
1959 | * http2_inspect: Fix how implement_reassemble uses frame_type | |
1960 | * http2_inspect: Refactor HI interactions out of frame constructors | |
1961 | * http_inspect: Extract filename from content-disposition header for HTTP uploads | |
1962 | * module_manager: Keep a list of modules supporting reload_module | |
1963 | * netflow: Cache support and more v5 decoding | |
1964 | * payload_injector: Don't inject if stream id is even | |
1965 | * profiler: Fix issue where flushed pattern matches caused rule_eval to be profiled under mpse | |
1966 | * reputation: Change terms used in code, logs, and peg counts | |
1967 | * rna: Add unit test to validate VLAN handling | |
1968 | * rna: Avoid conflicts with other fingerprint definitions | |
1969 | * rna: Service discovery with multiple vendor and version support | |
1970 | * rna: Support user agent fingerprints | |
1971 | * s7commplus: V3 header support | |
1972 | * search_engine: Fix peg type for max_queued | |
1973 | * stream_tcp: Add an assert to catch tcp state/event combination that should not occur | |
1974 | * stream_tcp: Add PegCount for tcp packets received with an invalid ack | |
1975 | * stream_tcp: Arrange TCP tracker member vars to optimize storage requirements, add helper | |
1976 | functions to access private splitter functions | |
1977 | * stream_tcp: Delete redundant calls to flush data when FIN is received | |
1978 | * stream_tcp: Delete unused packet action flags, set action flags via its setter | |
1979 | * stream_tcp: Fix issues with stream_tcp handling of the TCP MSS option | |
1980 | * stream_tcp: Handle bad tcp packets consistently when normalizing in ips mode | |
1981 | * stream_tcp: Implement helper function to return true if the TCP packet is a data segment, false | |
1982 | otherwise | |
1983 | * stream_tcp: Merge the setup methods of the TcpStreamSession and TcpSession classes into a single | |
1984 | method in TcpSession | |
1985 | * stream_tcp: Refactor tcp handling of no flags to drop packet before any processing, don't | |
1986 | generate event | |
1987 | * stream_tcp: Refactor tracker and reassembler classes to improve encapsulation and move member | |
1988 | variables to appropriate class | |
1989 | * stream_tcp: Remove FIXIT-H because by definition an Ack Sent event in TcpStateNone means the | |
1990 | SYN-ACK was not seen, so no way to do the check suggested | |
1991 | * stream_tcp: Remove FIXIT-H to add ack validation, the ack is already validated when processed on | |
1992 | the listener side | |
1993 | * target_based: Support reload of host attribute table via signal as well as control channel | |
1994 | command | |
1995 | ||
1996 | 2020-09-13: 3.0.2 build 6 | |
1997 | ||
1998 | * active: Remove per packet prevent trust action | |
1999 | * appid: Add check for nullptr before setting tls host | |
2000 | * appid: Clear services set in host attribute table upon detector reload | |
2001 | * appid: Detect SMTP after decryption | |
2002 | * appid: Dump user appid configuration on reload detectors | |
2003 | * appid: Generate events for service info changes | |
2004 | * appid: Pass snort protocol id instead of appid while creating future flow | |
2005 | * appid: Reorder third-party reload to keep only one handle open at a time | |
2006 | * appid: Send swap response for reload_odp and reload_third_party commands in control thread | |
2007 | * appid: Set payload to unknown for out-of-order flows | |
2008 | * appid: Skip detection for existing sessions after detector reload; rename reload_odp command to | |
2009 | reload_detectors | |
2010 | * appid: Support json logging in appid_listener | |
2011 | * appid: Update appid stats for decrypted flows | |
2012 | * appid: Update appid warning messages to print module name in lowercase | |
2013 | * build: Fix minor cppcheck warnings | |
2014 | * build: Updates for libdaq changes to interface group field width and naming | |
2015 | * byte_jump: Fix jump relative to extracted length w/o relative offset | |
2016 | * cmake: Restore accidentally removed caching of static DAQ modules | |
2017 | * dce_rpc: Introduce smb2 logs | |
2018 | * doc: Update the config dump in JSON format (all policies) | |
2019 | * doc: Update the config dump in JSON format (main policy) | |
2020 | * doc: Update trace.txt with info about 'trace.modules.all' option | |
2021 | * dump_config: Add --dump-config="top" to dump the main policy config only | |
2022 | * dump_config: Dump config in JSON format to stdout | |
2023 | * file_api: Increase default max_files_per_flow limit to 128 | |
2024 | * flow: Add a deferred trust class to allow plugins to defer trusting sessions | |
2025 | * flow: Disabled inspection for FlowState::RESET | |
2026 | * flow: Reset the flow before removing | |
2027 | * helpers: Add unit tests for special characters escaping | |
2028 | * helpers: Fix build on systems without sigaction | |
2029 | * helpers: Rework DiscoveryFilter to monitor IP lists based on interface rather than group | |
2030 | * helpers: Use sig_t instead of sighandler_t for better BSD compatibility | |
2031 | * host_tracker: Fix allocator unit test to work on 32-bit systems again | |
2032 | * http2_inspect: Convert circular_array to std::vector | |
2033 | * http2_inspect: Fix continuation frame check | |
2034 | * http2_inspect: Fix hpack dynamic table init | |
2035 | * http2_inspect: Prepare http2_inspect and http_inspect for HTTP/2 trailers | |
2036 | * http2_inspect: Refactor hpack decoding and send trailer to http_inspect for processing | |
2037 | * http_inspect: Declare get_type_expected const | |
2038 | * http_inspect: Don't use the URL to cache file verdicts for uploads | |
2039 | * http_inspect: Script detection | |
2040 | * http_inspect: Script detection and concurrency fixes | |
2041 | * http_inspect: Support hyperscan literal search for accelerated blocking | |
2042 | * http_method: Make available for fast pattern with first body section | |
2043 | * imap: Publish OPPORTUNISTIC_TLS_EVENT on successful completion of START_TLS, add a new state to | |
2044 | avoid publishing start_tls events multiple times | |
2045 | * ips_options: Ensure all options use base class hash and compare methods | |
2046 | * ips: Use the policies in the flow when creating pseudo packet | |
2047 | * main: Turn off signal handlers later to catch more during snort shutdown | |
2048 | * managers: Immediately stop executing inspectors when inspection is disabled | |
2049 | * mime: Fix off-by-1 error with filename and email id capture | |
2050 | * mime: Minor code cleanup | |
2051 | * netflow: Introduce netflow as a service inspector | |
2052 | * packet_io: Added reason for ActiveStatus WOULD | |
2053 | * packet_io: Do not allow trust unless the action is allow or trust | |
2054 | * payload_injector: Assume http1, if packet does not have a gadget | |
2055 | * payload_injector: Fix warning | |
2056 | * payload_injector: Support http2 injection | |
2057 | * payload_injector: Support translation of header field value with length > 127 | |
2058 | * perf_monitor: Convert the perf_monitor inspector configure warnings to errors | |
2059 | * pop: Publish start_tls events, support for ssl search abandoned | |
2060 | * reputation: Change from group-based to interface-based IP lists | |
2061 | * rna: Add protocols on logging host trackers | |
2062 | * rna: Implement update_timeout for MAC hosts | |
2063 | * rna: Remove dependency on uuid library | |
2064 | * rna: Remove redefinition of USHRT_MAX | |
2065 | * rna: Removing unused command and exporting swapper | |
2066 | * rna: Support client discovery from appid event changes | |
2067 | * rna: Support service discovery from appid event changes | |
2068 | * rna: Tcp fingerprints configuration, storage, matching and event generation | |
2069 | * snort2lua: Remove obsolete and unused code | |
2070 | * snort2lua: Remove unused unit test files | |
2071 | * snort: Address fatal shutdown stability issues | |
2072 | * stream_ip: Fix zero fragment built-in rule triggering for some reassembly policies | |
2073 | * style: Replace some tabs that snuck in with proper spaces | |
2074 | * tests: Fix the majority of memory leaks in CppUTest unit tests | |
2075 | * trace: Add support for modules.all option | |
2076 | * trace: Update loggers to support extended output with n-tuple packet info | |
2077 | * utils: Add sys/time.h to util.h for struct timeval definition | |
2078 | * wizard: Fix the error message about invalid pattern | |
2079 | ||
2020-08-12: 3.0.2 build 5

* cip: Fix the trailing parameter for the module
* dce_rpc: Set dce_rpc as a control channel inspector
* flow: Check expected flows in flow control and add direction swap flag to expected flows
* framework: Add an API to check if the module can be bound in the binder
* ftp: Add opportunistic TLS support
* ftp: Fix direction for active FTP data transfers
* helpers: Extend printed JSON syntax
* http2_inspect: Fix for flush on data frame boundary w/o end of stream
* http_inspect: Do finish() after partial inspection
* lua: Add TCP port 80 binding to the connectivity and balanced tweaks
* main: Add printing modules help in JSON format
* managers: Print the instance type of the inspector module with --help-module
* rna: Add RNA MAC-based discovery logic
* rna: Discover network and transport protocols
* stream_tcp: Add check to prevent reentry to TCP session cleanup when flushing a PDU

2020-08-06: 3.0.2 build 4

* appid: Clear service appid entries in dynamic host cache on ODP reload
* appid: Generate event notification when dns host is set
* dce_rpc: Fix for smb crash while tcp session pruning
* dce_rpc: Fix for smb session cleanup issue
* dce_rpc: Use file name hash as file id
* doc: Add documentation for dumping consolidated config in text format
* flow: Fixing free_flow_data logic
* http_inspect: Code clean up
* http_inspect: Test tool enhancement
* main: Dump consolidated config in the text format
* rna: Fix redefined macro warnings in between unit-test tools
* rna: TCP fingerprint input and retrieval
* utils: Keep deprecated attribute table pegcounts

2020-07-28: 3.0.2 build 3

* active: Move Active enabled flag into SnortConfig
* appid: For http traffic, if payload cannot be detected, set it to unknown
* appid: Move appid data needed by external components to stash
* appid: Support ODP reload for multiple packet threads and new session
* dce_rpc: Improve PAF autodetection for heavily segmented TCP traffic
* doc: Split Snort manual into separate user, reference, and upgrade docs
* doc: Update default text manuals
* doc: Update extending.txt about TraceLogger plugin
* file_api: Log event generated when lookup timed out
* ftp_telnet: Remove global config variable shared between multiple threads to prevent data race
* http2_inspect: Fix interaction with tool tcpclose
* http2_inspect: Fix stream_in_hi
* http2_inspect: General code cleanup
* http_inspect: Do partial inspections incrementally
* http_inspect: Reduce memory used by partial inspections
* main: Rename the config options to ignore flowbits and rules warnings
* parser: Add support for variables with each ips policy
* payload_injector: Add HTTP page translation
* payload_injector: Extend utility to support HTTP/2 (no injection)
* pub_sub: Added a method in HttpEvent to retrieve true client-ip address from HTTP header based
    on priority
* rna: Fingerprint reader class and lookup table for tcp fingerprints
* snort_defaults: Remove the NOTIFY, SUBSCRIBE, and UPDATE HTTP methods
* stream_tcp: Only perform paws validation on real packets, skip this on meta-ack packets
* stream_tcp: When clearing a session during meta-ack processing pass a nullptr as the Packet*
    parameter
* target_based: Add mutex lock to ensure host service accesses are thread safe
* target_based: Move host attribute peg counts from the process pegs to stats specific to host
    attribute operations
* target_based: Refactor host attribute to use the LruCacheShared data store class to support
    thread safe access
* target_based: Streamline host attribute table activate and swap logic on startup and reload
* trace: Add support for extending TraceLogger as a passive inspector plugin
* wizard: Abandon the wizard on UDP flows after the first packet
* wizard: Abort the splitter once we've hit the max PDU size
* wizard: Add peg counts for abandoned searches per protocol
* wizard: Improve wizard tracing to indicate direction and abandonment
* wizard: Properly terminate hex matching
* wizard: Report spell and hex configuration errors and warnings

2020-07-15: 3.0.2 build 2

* appid: Moving thread local ODP stuff to a new class
* binder: delete obsolete network_policy parsing code
* build: Fix static analyzer complaints about unused stored values
* daq: Fix calculation of outstanding packets stat to properly use the delta
* dce_rpc: adding support for multiple smbv2 sessions for same tcp connection
* dce_rpc: Invalid endpoint mapper message
* dce_rpc: SMB ID invalid memory access
* http_inspect: send MIME full message body for file processing
* main: add config options --ignore-warn-rules and --ignore-warn-flowbits to snort module
* mime: mime no longer overwrites file_data buffer for http packets
* smtp: generate SSL_SEARCH_ABANDONED event when no STARTTLS is detected
* smtp: support opportunistic SSL/TLS switch over
* stream_tcp: coding style improvements
* stream_tcp: eliminate direct references to the Packet* wherever possible within the TCP state
    machine context
* stream_tcp: eliminate use of STREAM_INSERT_OK as return code, it conveyed no useful information
    and was ultimately unused
* stream_tcp: implement meta-ack pseudo packet as thread local that is reused on each meta-ack TSD
* stream_tcp: implement support for processing meta-ack information when present
* stream_tcp: meta-ack from daq is in network order not host, remove conversion from host to
    network
* stream_tcp: process meta-ack info in any flush policy mode
* trace: add support for DAQ trace filtering

2020-07-06: 3.0.2 build 1

* appid: Appid coverity issues
* appid: Create lua states and lua detectors in control thread
* appid: Delete stale third-party connections when reloading third-party on midstream
* appid: Fix the format of the IPv6 strings in the Service State unit tests
* appid: include appid session api in appid event
* appid: use configured search method for multi-pattern matching
* build: Eradicate u_int usage
* build: Fix unit tests to build and work properly on a 32-bit system
* build: Fix various cppcheck warnings about constness
* build: Increment version to 3.0.2
* build: Miscellaneous 32-bit build fixes
* build: Use sanity check results (HAVE_*) for optional packages in CMake
* cmake: Properly handle SIGNAL_SNORT_* options in configure_cmake.sh
* codecs: add tunnel bypass logic based on DAQ payload_offset
* dce_tcp: parse only endpoint mapper messages
* detection: remove checksum drop fixit
* detection: remove unused code
* framework: fix global data bus cloning during reload module and policy
* helpers: Add a signal-safe formatted printing utility class
* helpers: Add support for dumping a backtrace via libunwind on fatal signals
* helpers: Dump additional information to stderr when a fatal signal is received
* helpers: Revamp signal handler installation and removal
* http2_inspect: Make print_flow_issues() regtest-only
* inspectors: add a virtual disable method for controls
* ips: add http fast pattern buffers
* ips: add ips service vs buffer checks; add missing services
* ips: enable non-service rules when service is detected
* ips: minimize port group construction for any-any and bidirectional rules
* ips: refactor fast pattern selection
* ips: update detection trees for earliest header checks
* main: configure and set main thread affinity
* main: set thread type for main thread
* managers: format lua whitelist output and ignore internal whitelist keywords
* max_detect: detained inspection disabled pending further work
* mpse: remove unused pattern trimming support
* oops_handler: Operate on DAQ message instead of Snort Packets
* payload_injector: add payload injection utility
* regex: convert to same syntax as pcre plus fast_pattern option
* rna: Adding initial support for reload_fingerprint command
* rna: remove custom_fingerprint_dir from configuration
* snort_defaults.lua: remove unused AIM_SERVERS var
* snort: fix --dump-rule-meta with ips.states
* stream_ip: Avoid modifying the original fragmented packet during rebuild
* stream_ip: use lowercase fragmentation policy names for verbose output
* stream: lock xtradata stream_impl to avoid data race on logging
* trace: add thread type and thread instance id to each log message for stdout logger
* tweaks: enable file signature for sec and max until depth issue resolved
* tweaks: updates for efficacy and performance
* wizard: Add FTP pattern to recognize FileZilla FTP Server

2020-06-18: 3.0.1 build 5

* actions: on a reload_config() free the memory allocated for react page on previous configuration
    loading
* actions: refactor to store react page response in std::string
* active: add a facility to prevent a DAQ whitelist verdict
* appid: add api to check if appid needs inspection
* appid: add braces to fix static analysis complaint
* appid: add response message to reload_third_party
* appid: check fqn before registering rrt
* appid: for http2, if metadata doesn't give a match on payload, set payload id to unknown
* appid: free memory allocated when appid is configured initially and then not configured on a
    subsequent reload
* appid: lua APIs to get IP and port tunneled through a proxy
* appid: match http2 response to request
* appid: remove unnecessary stuff from appid apis
* appid: revert snort protocol id changes and fixed warnings
* appid: set appid_tlshost_bit when we set tls_cname
* appid: set snort protocol id on the flow and remove ssl squelch code
* appid: update cert viz API to handle subject alt name and SNI mismatch
* codecs: fix issues found by static analysis
* dce_rpc: support for DCE/RPC future session
* detection: do not apply global rule state to the empty policy
* doc: update user manual for trace feature
* file_api: making sure that file malware inspection is turned off and only file-type detection is
    enabled when file_id config is defined without any parameter
* flow: make client_initiated flag depend on the DAQ reverse flow flag
* hash: replace the cache entry if found
* host_cache: add new peg to module test
* host_cache: allowing module to accept 64 bit memcap value
* http2_inspect: fix hpack infractions
* http2_inspect: partial inspect with less than 8 bytes of frame header in the same packet
* http2_inspect: track memory usage for http_inspect flows in http2_inspect
* log: fix issues found by static analysis
* managers: add inspector execution and timing traces to InspectorManager
* packet: add client and server direction methods that use the client initiator flow flag
* parser: free memory allocated for RTN when SO rule load fails
* parser: print loaded and shared rules for each ips policy
* perf_monitor: fix count and interval during disable cli execution
* port_scan: cleanup port scan memory allocations in module tterm
* rpc_decode: remove unused config object
* search_engines: fix potential memory leaks and an error in a printed value
* service_inspectors: remove some redundant initializations and lookups, move some field
    initializations into the constructor
* shell: if initial load of snort configuration fails release memory allocated for modules and
    plugins
* snort2lua: deprecate react::msg option, display of rule message in react page not currently
    supported
* snort2lua: fix issues found by static analysis
* snort_config: only perform FatalError cleanup from main thread
* stream: add final check to free allocated memory when module tterm is called
* stream: fixed ip family in the flow->key during StreamHAClient::consume
* stream_tcp: fix issues for tcp simultaneous close
* stream_tcp: unconditionally release held packets that have timed out, regardless of flushing
* trace: add control channel command
* trace: add support for passing in the packet pointer to loggers
* trace: filter traces by packet constraints
* trace: fix for trace messages in the test-mode ('-T' option)
* trace: remove redundant include

2020-05-20: 3.0.1 build 4

* appid: Do not allocate DNS session for non-DNS flows and update memory tracker for HTTP sessions
* appid: Get inspector for the current snort config during reload
* binder: print configured bindings in show() method
* build: fix cppcheck warnings and typos
* coverity: fixed issues discovered by Coverity tool
* daq: Configure DAQ instances with total instances and instance IDs
* dce_rpc: code style cleanups
* dce_rpc: generate alert when dce splitter aborts due to invalid fragment length
* flow: If a retry packet does not belong to a flow, block it
* ftp_telnet: fix FTP race condition
* http2_inspect: change partial flush handling
* log: do not truncate config option names in ConfigLogger
* loggers: when logging alert only use inspector buffers and name when the inspector's paf
    splitter is assigned for the direction of the alert
* main: Fixing some issues reported by Coverity
* managers: print alphabetically sorted verbose inspector config output within an inspection
    policy
* mpse: constify snort config args
* network_inspectors: Fixing a few minor issues reported by Coverity
* parser: print enabled rules for each ips policy
* search_tool: refactor initialization
* snort_config: constify Inspector::show and remove unnecessary logger args
* snort_config: make const for packet threads
* snort_config: minimize thread local access to snort_config
* snort_config: pseudo packet initialization
* snort_config: refactor access methods
* snort_config: use provided conf
* stream: add a configurable timeout for held packets
* stream: move held packet timeout to Stream and support changing it on reload
* stream_tcp: call splitter->finish() before reassemble() when flushing when PAF aborts due to gap
    in queued data
* stream_tcp: change the DAQ verdict from drop to blacklist for held packets that timed out
* stream_tcp: clear gadget from Flow object once fallback has happened in both directions
* stream_tcp: only clear gadget after both splitters have aborted
* stream_tcp: when paf aborts due to gap in data set splitter state to ABORT
* trace: move module trace configuration into the trace module

2020-05-06: 3.0.1 build 3

* appid: Do not process retry packets but continue processing future packets in AppId
* appid: Extract metadata for tunneled HTTP session
* appid: Make unit tests multithread safe
* appid: On API call store new values and publish an event for them immediately
* appid: remove old http2 support
* appid: store appids for http traffic in http session
* appid: support for multi-stream http2 session
* appid: Update miscellaneous appid on first decrypted packet
* build: add support for ccache
* file_api: fix file stats
* file_api: mark processing of file complete after type detection if signature not enabled
* http2_inspect: add peg count to track max concurrent http2 file transfers
* http2_inspect: fix handling leftover data with padding
* http2_inspect: protect against unexpected eval calls
* http2_inspect: support stream multiplexing
* http2_inspect: update padding check only for header and data frames
* http_inspect: add support for http2 file processing
* json: add stream formatter helper
* managers: sort the inspector list in inspection policy using the instance name
* memory: expose memory_cap.h to plugins
* parameter: reject reals assigned to ints
* rna: Update dev notes to describe usage
* snort: add classtype, priority, and references to --dump-rule-meta output
* snort: convert --dump-rule-{meta,state,deps} to json format
* so rules: allow #fragments in references in so rule stubs
* stream: Fix for stream pegs dumping zero values into perf_monitor_base.csv

2020-04-23: 3.0.1 build 2

* appid: Change sessionAPI to accommodate stream_index
* appid: detect payload for first http2 stream
* appid: Fix thread-safety issues in appid
* appid: mark third-party inspection as done for expected flows
* appid: Populate url for QUIC sessions by extracting QUIC SNI metadata from third-party
* appid: remove thirdparty processing for http2 traffic
* appid: remove unused code
* appid: remove unused config options and rename "debug" option
* appid: set up packet counters to make sure flows with one-way data don't pend forever
* appid: Support org unit in SSL lookup API and do not overwrite the API provided data
* codecs: Clean up CiscoMetaData implementation
* codecs: GRE checksum updated for injected and rewritten packets
* codecs: Update GRE flags and offset for injected packets
* control: Disable request unit-test in cmake if shell is disabled
* control: Fixing data races in request read and response
* file: apply cached verdict on already seen file
* file_magic: Update category for HWP and MSOLE2
* flowbits: eliminate extraneous FlowBitState
* flowbits: fix reload mapping
* flowbits: refactor implementation
* flowbits: relocate bitop.h to helpers
* flowbits: remove extraneous count
* flowbits: remove unused group support
* flow: track allocations for each flow, update cap_weights
* framework: Remove unused InspectorData template
* ftp_data: fix ids flushing at EOF
* ftp: whitelisting reason support
* host_tracker: Move all HostCacheAlloc template implementations to the header
* http2_inspect: discard split connection preface
* http2_inspect: flush pending data when a non-data frame is received
* http2_inspect: handle the case of leftover header only (no body)
* http2_inspect: support 0 length data frames
* http_inspect: add fragment to http_uri
* http_inspect: cut over to wizard on successful CONNECT response
* http_inspect: enhance processing of connect messages
* http_inspect: fix duplicated detained_inspection print in show()
* http_inspect: make script tag check case insensitive
* http_inspect: register extra-data callbacks in constructor
* hyperscan: simplify scratch memory initialization
* inspectors: designate service inspectors control channels for avc only
* inspectors: designate service inspectors for file carving
* inspectors: designate service inspectors for start tls
* inspectors: update verbose config output in show() method to a new format
* ips_context: add support to fallback to avc only
* ips: fix rule state mapping and policy lookup
* ips: remove plugins cruft from option tree node (rule body)
* latency: check if ip header is present before deferring it
* latency: use test_timeout config option to deterministically trigger latency events for ifdef
    REG_TEST
* loggers: Add SGT field to CSV and JSON loggers
* main: Make test_log() static in snort_debug.cc
* managers: print inspectors' config output for every inspection policy configured
* metadata-filter: apply to so rule stubs
* output: allow error messages in quiet mode
* packet_io: log daq batch size
* packet_io: log daq pool size
* perf_monitor: Enable or disable flow-ip-profiling using shell commands
* plugin_manager: make erase from plug_map safer
* plugin_manager: make sure --show-plugins option picks up SO plugins
* reload: update ReloadError response messages to use consistent wording across all messages
* session: remove unused IPS option
* sip: Support pinhole for sip early media
* snort2lua: make qos configuration values deleted from firewall
* snort: add --dump-rule-deps
* snort: add --dump-rule-state
* snort: add flowbits set and checked to --dump-rule-meta
* snort: add rule text to --dump-rule-meta
* snort: enable --dump-rule-meta to work without a conf
* snort: initial implementation of --dump-rule-meta
* snort: remove inappropriate fatal errors
* snort: remove unused --pcap-reload option
* so rules: allow stub gid:sid:rev to override so
* so rules: allow stub header to override so header
* stream_tcp: remove unused session printing cruft
* target_based: refactor host attribute table logic into a c++ class, eliminate dead code
* target_based: refactor to improve design of the host attribute classes
* target_based: refactor to load host attribute table from file
* time: make packet_gettimeofday public
* trace: refactor stdout/syslog logging of trace into logger framework

2020-03-31: 3.0.1 build 1

* analyzer: Send detained packet event when a packet is held
* appid: use http2 inspector for detection even if third-party module is present
* build: Increment version to 3.0.1
* dce_rpc: Fixed missing space in string
* doc: add FIXIT-E description
* http2_inspect: handle Cl and TE headers, and end_stream flags set on headers frames
* http2_inspect: multiple data frames support
* http_inspect: added FIXIT for thread safety
* http_inspect: eliminate empty body sections for missing message bodies
* latency: remove action config option and convert the log handler to trace_log message
* mime: fix data race in mime config
* modules: Support verbosity level for module trace options, modify trace logging macros
* service_inspectors: standardize verbose config startup output for SMTP, POP and IMAP inspectors
* snort2lua: remove conversion of deprecated options pkt-log and rule-log
* so_rule: fix reload of shared object rules that use flow data
* src: update high priority "to be fixed" comments (FIXIT-H)
* stream_tcp: Out-of-order ACK processing fix

2020-03-25: build 270

* active: Base hold_packet() decision on DAQ message pool usage
* active: Fix direction of RST packet being sent to server
* active: Move packet hold realization for Stream detainment to verdict handling
* active: Send entire buffer at once when send_data uses ioctl
* appid: Adding UT for client_app_aim_test
* appid: Fix SMB session data memory leak
* appid: Include DNS over TLS port for classification
* appid: Restart service detection on start of decryption
* appid: Support appid detection for outer protocol service
* appid: Support detection for first stream in http/2 session
* binder: Ignore the network_policy binding
* build: Bump the C++ compiler supported feature set requirement to C++14
* build: Don't try to use libuuid headers/libraries when not found;
    Thanks to James Lay <jlay@slave-tothe-box.net> for reporting the issue
* build: Refactor included headers
* codecs: Add new proto bit for udp tunneled traffic
* codecs: Add vxlan codec
* dce_rpc: Inspect midstream sessions for file inspection
* file_api: Reading the new data for the overlapped file_data
* filters: Update threshold tracking functions
* flow: Allow the ExpectCache to force prune, so that we can always make room when the cache is
    full
* flow: Change the ExpectCache prune logic to only remove a specified number of oldest entries,
    regardless of node expiration time
* flow: Do away altogether with the loop in ExpectCache::prune, just remove one, only when the
    cache is full
* http2_inspect: Refactor data cutter - preparation for multi packet processing
* http2_inspect: Support single data frame sent to http, multiple flushes
* http2_inspect: Update dev notes with memory calculations
* http_inspect: Create http2 message body type
* http_inspect: Gzip detained inspection
* http_inspect: Refactor print_section for message bodies
* loggers: Update usage to GLOBAL for all loggers
* lua: Enable a rewrite plugin in a default config
* main: Check if flow state is blocked while applying verdicts
* main: Setting higher maximum pruning when idle
* snort2lua: Convert a replace option to a rewrite plugin/action
* snort2lua: Don't print out network_policy binding
* stream: Short-circuit stream when handling retry packets in no-ack mode
* stream_tcp: Cancel hold requests on the current packet when flushing
* stream_tcp: Finalize held packets in TcpSession::clear_session()
* stream_tcp: Moved retry check to TcpSession::process

2020-03-12: build 269

* active: Add ability to inject resets and payload via IOCTLs
* appid: Add support for third-party reload on midstream session
* appid: detect apps using x-working-with http field in response header
* appid: Enhance ssl appid lookup api to store SNI and CN provided by SSL for app detection
* appid: fix thread-safety issues in mdns detector
* appid: handle CERTIFICATE STATUS handshake type in SSL detector
* appid: move client/service pattern detectors and service discovery manager to odp context
* appid: Support third-party reload when snort is running with multiple packet threads
* base64_decode: use standard detection context data buffer
* build: fix build on big-endian systems
* build: Fix LibUUID detection on OS X
* build: Fix various build issues on FreeBSD and OS X
* build: refactor trace logs
* build: tweak includes
* build: use const and auto references where possible
* byte_math: Snort2 bug fix port of integer over and under flow detection
* classifications: update implementation with unordered map
* classifications: use consistent variable names
* cmake: Fix building without lzma library
* detection: added support for trace config option to take a list of strings with verbosity level
    instead of bitmask
* detection: refactoring updates to detection, moved DetectionModule into a separate file
* flow: added initiator bytes/packets onto flow
* flow: Add missing time.h include for struct timeval
* flow: free the flow data before deleting the actual flow
* flow: turn off deferred whitelist on DONE if no whitelist was seen
* flow_cache: fix memory deallocation bug due to inverted return value from hash release node
* framework: add generic conversion of trace strings to bitmasks
* ftp: Whitelist ftp session after max sig depth reached
* ghash: fix thread race condition with GHash member variables when a GHash instance is global
* hash: add unit tests for new HashLruCache class
* hash: delete unused sfmemcap.[h|cc] and remove unnecessary includes
* http2_inspect: abort for nhi errors
* http2_inspect: send data frames to http - full frames only in a single flush
* http_inspect: change http_uri to only include path and query for absolute and absolute path uris
* http_inspect: improve precautions for stream interactions
* http_inspect: Properly mock HttpModule::peg_counts in http_transaction_test
* main: do FileService::post_init after inspectors are configured
* parser: remove legacy parsing code
* plugin_manager: add support for reload so_rule plugins
* pub_sub: add http2 info to http pub messages
* reference: update implementation with unordered map
* reload: add description of reload error to the response message of the reload_config command
* reputation: remove reputation monitor flag from packet, track verdict on flow
* rules: add constructors for references and classifications
* rules: fix warnings and startup counts for duplicates
* rules: remove cruft
* rules: simplify implementation of services, classifications, and references by using std::string
* rules: update --gen-msg-map to include all configured rules with references
* service_inspectors: added counters to track total number of data bytes processed in SMTP, POP,
    SSH and FTP
* service: update implementation to vector
* sfdaq: convert parsing related error messages in DAQ init to ParseErrors
* sfdaq: Made get_stats public for plugins
* smb: Fix malware over size 131kb not being detected in SMBv2/SMBv3
* snort_config: footprint REG_TEST, no check for stream inspector add/rm, etc
* stats: update shutdown timing stats
* stream: Addressing inconsistent stream stats and some data races
* stream_ip: added counters to track total number of data bytes processed
* stream_tcp: no_ack applies only to ips mode
* stream_udp: added counters to track total number of data bytes processed
* style: remove tabs and too long lines
* utils: add unit tests for MemCapAllocator class
2527 | * classifications: update implementation with unordered map | |
2528 | * classifications: use consistent variable names | |
2529 | * cmake: Fix building without lzma library | |
2530 | * detection: added support for trace config option to take a list of strings with verbosity level | |
2531 | instead of bitmask | |
2532 | * detection: refactoring updates to detection, moved DetectionModule into a separate file | |
2533 | * flow: added initiator bytes/packets onto flow | |
2534 | * flow: Add missing time.h include for struct timeval | |
2535 | * flow: free the flow data before deleting the actual flow | |
2536 | * flow: turn off deferred whitelist on DONE if no whitelist was seen | |
2537 | * flow_cache: fix memory deallocation bug due to inverted return value from hash release node | |
2538 | * framework: add generic conversion of trace strings to bitmaks | |
2539 | * ftp: Whitelist ftp session after max sig depth reached | |
2540 | * ghash: fix thread race condition with GHash member variables when a GHash instance is global | |
2541 | * hash: add unit tests for new HashLruCache class | |
2542 | * hash: delete unused sfmemcap.[h|cc] and remove unnecessary includes | |
2543 | * http2_inspect: abort for nhi errors | |
2544 | * http2_inspect: send data frames to http - full frames only in a single flush | |
2545 | * http_inspect: change http_uri to only include path and query for absolute and absolute path uris | |
2546 | * http_inspect: improve precautions for stream interactions | |
2547 | * http_inspect: Properly mock HttpModule::peg_counts in http_transaction_test | |
2548 | * main: do FileService::post_init after inspectors are configured | |
2549 | * parser: remove legacy parsing code | |
2550 | * plugin_manager: add support for reload so_rule plugins | |
2551 | * pub_sub: add http2 info to http pub messages | |
2552 | * reference: update implementation with unordered map | |
2553 | * reload: add description of reload error to the response message of the reload_config command | |
2554 | * reputation: remove reputation monitor flag from packet, track verdict on flow | |
2555 | * rules: add constructors for references and classifications | |
2556 | * rules: fix warnings and startup counts for duplicates | |
2557 | * rules: remove cruft | |
2558 | * rules: simplify implementation of services, classifications, and references by using std::string | |
2559 | * rules: update --gen-msg-map to include all configured rules with references | |
2560 | * service_inspectors: added counters to track total number of data bytes processed in SMTP, POP, | |
2561 | SSH and FTP | |
2562 | * service: update implementation to vector | |
2563 | * sfdaq: convert parsing related error messages in DAQ init to ParseErrors | |
2564 | * sfdaq: Made get_stats public for plugins | |
2565 | * smb: Fix malware over size 131kb not being detected in SMBv2/SMBv3 | |
2566 | * snort_config: footprint REG_TEST, no check for stream inspector add/rm, etc | |
2567 | * stats: update shutdown timing stats | |
2568 | * stream: Addressing inconsistent stream stats and some data races | |
2569 | * stream_ip: added counters to track total number of data bytes processed | |
2570 | * stream_tcp: no_ack applies only to ips mode | |
2571 | * stream_udp: added counters to track total number of data bytes processed | |
2572 | * style: remove tabs and too long lines | |
2573 | * utils: add unit tests for MemCapAllocator class | |
2574 | * utils: create memory allocation class based on sfmemcap functionality | |
2575 | * utils: handle out-of-range time | |
2576 | * xhash: refactor XHash and HashFnc to eliminate c-style callbacks and simplify ctor options | |
2577 | * xhash: rename hashfcn.[cc|h] to hash_keys.[cc|h] | |
2578 | * xhash/zhash: refactor duplicated code into a common base class, xhash/zhash will subclass this | |
2579 | new base class | |
2580 | * zhash: make zhash a subclass of xhash, eliminate duplicate code | |
2581 | * zhash: refactor to use hash_lru_cache and hash_key_operations classes | |
2582 | ||
2020-02-21: build 268

* appid: Adding support for appid detection on decrypted SSL sessions
* appid: Adding support for wildcard ports in static host port cache
* appid: clean up ENABLE_APPID_THIRD_PARTY from configure_cmake
* appid: cleanup terminology
* appid: delete odp context on exit
* appid: detect payload for http tunnel traffic
* appid: do not reload third party on reload_config
* appid: Don't mark HTTP session done if the ssl detector is still in progress
* appid: Fix array initialization on Appid
* appid: get rid of ENABLE_APPID_THIRD_PARTY flag
* appid: handle invalid uri in http tunnel traffic
* appid: load app mapping data to odp context
* appid: move dns, sip, ssl and http pattern matchers to odp context; move client discovery manager to odp context
* appid: move odp config, host-port cache and length cache to a separate class OdpContext; remove obsolete port detector code
* appid: reset tp packet counters each time we do reinspect
* appid: support third party reload when snort is running with single packet thread
* bufferlen: match on total length unless remaining is specified
* build: Clean up accumulated tabs and trailing whitespace in the code
* build: clean up non-hyperscan builds
* build: Fix more Clang 9 compiler warnings
* build: Remove some extraneous semicolons (compiler warnings)
* build: Rename parameters that shadow class members (compiler warnings)
* build: Updates across the board for stricter Clang const-casting warnings
* catch: Update to Catch v2.11.1
* cip: explicitly include sys/time.h header
* codecs: Use unions for checksum pseudoheaders
* content: add hyperscan content literal matching alternative to boyer-moore
* content: delete flawed hyper search test
* content: use hs_compile if hs_compile_lit is not available
* copyright: update year to 2020
* dce_tcp: fixup flow data handling
* detection: add config option to enable conversion of pcre expressions to use the regex engine
* detection: add hyperscan_literals option
* detection: add pcre_override to enable/disable pcre/O
* detection: signature evaluation looping based on literal contents only (exclude regex)
* doc: manual updates for HTTP/2
* doc: update documentation for lua whitelist
* doc: update reload_limitations.txt
* file_api: enable Active when there are reset rules in the file policy
* framework: introduce ScratchAllocator class to help with scratch memory management
* gtp_inspect: fix default port binding
* hash: refactor ghash implementation to convert it to an actual C++ class
* hash: refactor key compare function prototype and functions to return boolean
* hash: refactor to move common definitions into hash_defs.h
* hash: refactor xhash to be a real C++ class
* host_tracker: Check lock in a separate thread in unit-test
* host_tracker: make current_size atomic to save some locks
* host_tracker: Support host_cache reload with RRT when memcap changes
* http2_inspect: add transfer encoding chunked at end of decoded http1 header block
* http2_inspect: data frame http inspection walking skeleton first phase
* http2_inspect: fast pattern support
* http2_inspect: fix string decode error
* http2_inspect: frame data no longer in file_data
* http2_inspect: integration with NHI
* http2_inspect: support disabling detection for uninteresting HTTP/2 frames
* http2_inspect: support HPACK dynamic table size updates
* http_inspect: add http_param rule option
* http_inspect: gzip splitting beyond request_depth should use correct target size
* http_inspect: no duplicate built-in events for a flow
* http_inspect: patch H2I-related xtra data crash
* http_inspect: process multiple files simultaneously over HTTP/1.1
* http_inspect: refactoring
* http_inspect: update test tool to support the HTTP/2 macros and new insert command
* http_inspect: when detection is disabled, disable all rules not just content rules
* http_inspect/http2_inspect: H2I unified2 extra data logging
* hyperscan: convert thread locals to scan context
* inspectors: ensure correct lookup by type, name, or service
* inspectors: print label for type and alias in inspector manager. Remove printing module name in inspectors ::show() method
* ips: alert service rules check ports
* ips_pcre: compile/evaluate pcre rule option regular expressions with the hyperscan regex engine when possible
* ips_pcre: support the O & R modifiers when converting pcre to regex
* ips: refactor rule parsing
* ips: remove dead code from rule parser
* ips: use service "file" instead of "user"
* loggers: update vlan logging in csv and json loggers
* lua: Added missing file magic pattern for FLIC
* lua: Added missing file magic pattern for IntelHEX
* lua: fix typo in default smtp's alt_max_command_line_len
* lua: update default lua files to whitelist the defined tables
* main: add verbose inspector output during reload
* main: make IPS actions (reject, react, replace) configurable per-IPS policy
* main: move config_lua to Shell::configure
* memory: Treating config value memory.cap as per thread instead of global
* metadata: add --metadata-filter to load matching rules only
* mime: support simultaneous file processing of MIME-encoded files over HTTP/1.1
* module_manager: add snort_whitelist_append and snort_whitelist_add_prefix FFIs
* normalizer: disable all normalizations by default except for tcp.ips
* packet_io: provide default reset action (bidirectional reset for TCP, ICMP unreachable for the rest)
* packet_io: refactor Active and IPS Actions to start disentangling them
* parser: add service http2 to http rules
* parser: store local copy of service name
* pcre: ensure use of maximal ovector size and simplify logic
* port_scan: Supporting reload config when memcap changes
* protocols: provide direct access to the CiscoMetaData layer
* regex: convert thread locals to scan context
* reload: eliminate FatalError calls that can't happen because snort_calloc always returns valid memory
* rna: use standard uint8_t type instead of u_int8_t
* search_engine: trivial reformatting
* smtp: update defaults to better align with Snort 2
* snort2lua: conversion of path containing variables
* snort: add new warn flag warn-conf-strict that will throw out warning when table is not found
* snort: Adding some verbose logs for appid, file_id, and reputation inspectors
* stream_tcp: ensure that flows with mss and timestamps are picked up on syn
* tweaks: set reasonable stream_ip.min_fragment_length values
* tweaks: update per new normalizer defaults
* tweaks: update policy configs to better align with Snort 2

2019-12-20: build 267

* appid: Adding command for third-party reload
* appid: cleanup unused code
* binder: assistant gadget support
* build: Const-ify reference arguments as suggested by cppcheck
* catch: Add infrastructure for standalone Catch unit tests
* catch: Update to Catch v2.11.0
* codec: Added GRE::encode method
* control: Convert IdleProcessing unit tests to standalone Catch
* dce_rpc: Convert HTTP proxy and server splitter unit tests to standalone Catch
* file_api: When multiple files are processed simultaneously per flow, store the files on the flow, not in the cache. Don't cache files until the signature has been computed
* file_magic: add file magic for .jar, .rar, .alz, .egg, .hwp and .swf files
* framework: Convert parameter and range unit tests to standalone Catch
* gtp: alerts should be raised for missing TEID in gtp msg
* helpers: Convert Base64Encoder unit tests to standalone Catch
* http2_inspect: add Stream class
* http2_inspect: parse settings frames
* http_inspect: support limited response depth
* ips: do not use includer for any rules file includes
* ips: fix --show-file-codes for inclusion from -c file
* lru_cache_shared: added find_else_insert to add user managed objects to the cache
* lua: Convert LuaStack unit tests to standalone Catch
* lua: Link lua_stack_test against libdl to handle the static luajit case
* packet_capture: ignore PDUs and defragged packets, include non-IP packets
* perf_monitor: Convert CSV, FBS, and JSON formatter unit tests to standalone Catch
* perf_monitor: tuning for flow_ip_memcap on reload
* profiler: Convert MemoryContext and ProfilerStatsTable unit tests to standalone Catch
* reload: fix issue where resource tuning was not being called when in idle context
* rule_state: allow empty tables
* search_engine: fix expected count of MPSEs when offloading
* sfip: Convert SfIp unit tests to standalone Catch
* sfip: Use REG_TEST-style IP stringification for standalone Catch tests
* stream_tcp: fix TcpState post increment operator to stop increment at max value (and use correct max value)
* stream_tcp: refactor stream_tcp initialization to create reassemblers during plugin init
* stream_tcp: refactor to initialize tcp normalizers during plugin init
* stream/tcp: Remove some unused Catch includes
* time: Convert periodic and stopwatch unit tests to standalone Catch
* utils: Convert bitop unit tests to standalone Catch

2019-12-04: build 266

* appid: Add new pattern to pop3, don't concatenate ssl certs, use openssl-1.1 compliant APIs
* appid: Enabling host cache for unknown SSL flows
* appid: Fix for better classification on pinholed data session and control session for rshell/rexec
* appid: Format detected apps stats in columns akin to file stats
* appid: Handle memcap during reload_config using RRT
* appid: Minor cleanup
* cmake: Cache static DAQ module info in FindDAQ
* file_api: Fixed eventing when FILE_SIG_DEPTH failed when store files enabled
* flow: Add ability to defer whitelist verdict
* flow: Clean up unit test compiler warnings
* flow: Disabling the inspection if the Flow state is BLOCK
* http2_inspect: Generate status lines for responses and be more lenient on RFC violations
* http2_inspect: Implement hpack dynamic index lookups
* http_inspect: Implement show method for verbose config output
* http_inspect: Update user manual for detained inspection
* hyperscan: Select max scratch from among all compiler threads
* ips: Add support for parallel fast-pattern MPSE FSM compilation
* ips: Only use multiple threads for rule group compilation at startup
* ips: Support 2 rule vars same as Snort 2
* mpse: Only hyperscan currently supports parallel compilation
* port_scan: Only update scanner for ICMP if we have one
* profiler: Fix module profile for multithreaded runs
* search_engine: Ensure configured search_method is applied to search tools
* search_engine: Process intermediate fast-pattern matches in batches of 32 same as Snort 2
* search_engine: Raise an error if any MPSE compilation fails
* sfip: Replace copy setter with implicit copy constructor
* stats: Removal of mallinfo as it only supports 32bit
* stream_tcp: Move and update the libtcp source files to the tcp source directory to consolidate the stream tcp code into one component (libtcp goes away)
* stream_tcp: Updates from PR review comments

2019-11-22: build 265

* analyzer_command: support resource tuning on reload
* appid: Adding Lua-C API to handle midstream traffic
* cip: ips rule support for Common Industrial Protocol (CIP)
* ftp: handling multiple ftp server config validation
* detection: disable rule evaluation when detection is disabled for offload packets
* detection: fix post-inspection state clearing issue
* flow: check if there are offloaded packets in the flow before clearing out the alert count
* http2_inspect: add frame class and refactor stream splitter
* http2_inspect: fix unit tests to build without REGTEST defined
* main: Improve performance of control connection polling
* plugin_manager: allow loading individual plugin files in plugin-path
* reject: Setting defaults for reset and control options
* snort: update reload resource tuner to return status indicating if there is work to be done in the packet thread
* stream: register reload resource tuner unconditionally. move checks for config changes to the tuner tinit method
* stream_tcp: fix state machine instantiation
* wizard: handle NBSS startup in dce_smb_curse

2019-11-06: build 264

* appid: Handle DNS responses with compression pointers at last record
* dce_smb: deprecate config for smb_file_inspection, use smb_file_depth only
* detection: negated fast patterns are last choice
* http2_inspect: fix bugs in splitting long data frames and padding
* http_inspect: change accelerated_blocking to detained_inspection
* http_inspect: remove deprecated @fileclose command from test tool
* imap, pop, smtp: changed default decode depths to unlimited
* ips: define a builtin GID range to prevent unloaded SIDs from firing on all packets
* ips_option::enable: fix dynamic plugin build
* lua: tweak default conf and add tweaks for various scenarios
* normalizer: make tcp.ips default to true
* port_scan: increase default memcap to a more reasonable 10M
* s7commplus: Initial working version of s7commplus service inspector
* search_engine: stop searching if queue limit is reached
* stream: implement reload resource tuner for stream to adjust the number of flow objects as needed when the stream 'max_flows' configuration option changes
* telnet: fix check_encrypted help string

2019-10-31: build 263

* appid: for ssl sessions, set payload id to unknown after ssl handshake is done if the payload id was not found
* appid: check inferred services in host cache only if there were updates
* appid: Updating the path to userappid.conf
* build: Clean up snort namespace usage
* build: generate and tag build 263
* binder: Use reloaded snort config when getting inspector
* codecs: Relax requirement for DAQ packet decode data offsets when bypassing checksums
* content: rewrite boyer_moore for performance
* data_bus: add unit test cases
* detection: enhance fast pattern match queuing
* dns: made changes to make sure DNS parsing is thread safe
* doc: update default manuals
* file_api: Put FileCapture in the snort namespace
* ftp: fix for missing prototype warning
* ftp: catch invalid server command format
* http_inspect: test tool single-direction abort fix
* http_inspect: add more config initializers
* http2_inspect: generate request start line from pseudo-headers
* http2_inspect: abort on header decode error
* http2_inspect: stop sharing a variable between scan and reassemble
* http2_inspect: decode indexed header fields in the HPACK static table
* http2_inspect: Move HPACK decompression out of stream splitter into a separate class
* http2_inspect: Abort on bad connection preface
* http2_inspect: cleanup
* http2_inspect: discard connection preface
* ips: add states member, similar to rules, by convention use for rule state stubs with enable
* mime: Put MailLogConfig in the snort namespace
* packet: fix reset issues
* packet_io: do not retry packets that do not have a daq instance
* policy: Avoid unintended insertion of policy into map if it does not exist
* pub_subs: made default pub_subs policy-independent
* rule_state: deprecate, replace with ips option enable to avoid LuaJIT limitations
* stream_tcp: fix stability issues
* stream_tcp: If no-ack is on, rewrite ACK value to be the expected ACK

2019-10-09: build 262

* analyzer: move setting pkth to nullptr to after publishing finalize event
* analyzer: publish other message event for unknown DAQ messages
* appid: add support for bittorrent detection over standard ports
* appid: add support for Lua detector callback mechanism
* appid: add support for wildcard ports in host tracker
* appid: extract forward ip from http tunneled traffic and use it for dynamic host cache lookup
* appid: fix populating dns_query for DNS traffic
* binder: allow binder to support global level service inspectors
* binder: remove global check for stream inspectors and revert module_map changes
* codecs: fix checksumming a single byte of unaligned data
* codecs: use checksum validation from DAQ packet decode data when available
* detection: consistently prefer service rules over port rules
* detection: do not split service groups by ip proto to avoid extra searches
* detection: map file rules to services
* detection: non-service rules must match on rule header proto
* detection: remove cruft from match accumulator
* detection: remove more cruft from match tracker
* detection: remove the inappropriate match tracker from mpse batch setup
* detection: remove unnecessary match data from eval context
* detection: support alert file rules w/o optional services
* detection: update trace to indicate eval task
* detection: use reference for signature eval data
* doc: add Snort2Lua note on ips rule action rewrite
* flow: check if control packet has a valid daq instance before setting up daq expected flow and add pegcounts for expected flows
* flow: patch to allocate Flow objects individually on demand. Once allocated the Flow objects are reused until snort exits or reload changes the max_flows setting
* flow: when walking uni_list stop before reaching head
* helpers: discovery filter support for zone matching
* helpers: implement port exclusion in discovery filter
* http2_inspect: cut headers from frame_data buffer
* http2_inspect: parse hpack header representations and decode string literals
* http2_inspect: validate connection preface
* ips_options: minor code style changes
* libtcp: turn off no-ack mode if packet is out of order
* lua: added move constructor and move assignment operator to Lua::State to fix segv
* lua: fixed whitespace to match style guidelines
* managers: add null check in reload_module to prevent crash when trying to reload module that has not been configured
* profiler: increase width of checks and alloc fields so values don't run together
* protocols: remove reference to obsolete DAQ_PKT_FLAG_HW_TCP_CS_GOOD flag
* pub_sub: replace DaqMetaEvent and OtherMessageEvent with DaqMessageEvent
* reputation: prevent reload module crash when reputation is not configured in lua at startup
* reputation: SIDs for source and destination-triggered events added
* snort2lua: convert snort2 port bindings into snort3 service bindings for inspectors configured in wizard and add --bind-port option to enable port bindings conversion
* snort2lua: remove identity related options from firewall
* snort2lua: reset the sticky buffer name while converting unchanged sticky rule options and file_data
* stream: clean up cppcheck warnings
* stream: clean up update_direction
* stream: code cleanup and dead-code removal
* unit-tests: fix compiler warnings that snuck into CppUTest unit tests
* utils: prevent integer overflow/underflow when reading BER elements

2019-09-12: build 261

* analyzer: Process retry queue and onloads when no DAQ messages are received
* appid: Enabled API for SSL to lookup appid
* appid: Support FTP banners on multiple packets with split response code
* build: Address miscellaneous cppcheck warnings
* build: Const-ify reference arguments as suggested by cppcheck
* build: Update CMake logic for unversioned LibSafeC pkg-config name
* doc: add bullets for $var parameter names and maxXX limits
* http_inspect: accelerated blocking for chunked message bodies
* http2_inspect: send raw encoded headers to detection
* managers: Make InspectorManager::thread_stop() a no-op if thread_init() was never called
* rna: generate an RNA_EVENT_CHANGE when a host is seen after the last log event and the current time is past the update timeout
* rna: support for bidirectional flow with UDP, IP, and ICMP traffic
* rna: Support for filtering rna events by host ip
* rule_state: switch from regex parameter names to simpler parsing
* snort2lua: only emit max_flows and pruning_timeout options in converted lua file if the option is used in the snort2 conf file
* stream: fix problem with accelerated blocking partial inspection
* style: update link for google c++ style guide

2019-08-28: build 260

* appid: handle 'change cipher spec' in 'server hello' to allow some app detection for tls 1.3 traffic
* binder: updated change_service event to support service reset via wizard
* host_tracker: derive LruCacheSharedMemcap from the general LruCacheShared that tracks size in bytes, rather than number of items and instantiate host_cache from LruCacheSharedMemcap
* http2_inspect: Remove pkt_data buffer option
* reload: fix coding style issues, support multiple in progress analyzer commands, support associated AC state for execute method, move reload tune logic for ACSwap to the execute command
* rna: Support for rna unified2 logging
* stream_tcp: clear consecutive small segs count upon non-small segs only

2019-08-21: build 259

* analyzer_command: Import into snort namespace and add the ability to retrieve the DAQ instance from an Analyzer
* appid: delay port-based detection until a non-zero payload packet is seen for the session
* appid: fix discovery unit test that was failing intermittently
* appid: Fix for app name not getting evaluated for port/protocol based detectors
* appid: support for bittorrent detection when UDP tracker packet arrives after the TCP resumed session has already started
* build: Fix miscellaneous cppcheck warnings
* codec: Adapt to new DAQ message metadata source for Real IP/port info
* file_api: generate events each time file is seen, not just first time
* finalize_packet: pass verdict by reference in inspector event
* flow: add virtual destructor to stash generic object
* flow: Bypass HA write for unsupported Tunnel flows
* flow: delete stale flow on receiving NEW_FLOW flag
* flow: if no 'get_ssn' handler configured then skip processing of the flow
* flow: introduced variable for handling idle session timeouts and flag for actively pruning flows based on the expire_time
* flow: make a single flow cache for all the protocols
* flow: refactor flow config object to work with single flow cache concept
* flow: refactor uni list management into a separate class and instantiate an instance for ip flows and another for all non-ip flows
* flow: release session object allocated for a flow when the Flow object is reused and the PktType of the new flow is different from the previous use
* flow: Add packet tracer message when a new session is started
* ftp_telnet: add support for ftp file resume block by calculating path hash used as file id
* hash: add back size(), get_max_size() and remove() functions to lru_cache_shared
* hash: add unit test for explicitly testing get / set max size
* host_cache: Refactoring code to fix multithreading issues and to remove redundancy
* http2: huffman string decode
* http2_inspect: add HI test tool
* http_inspect: remove 0-byte workaround
* ips_options: add ber_data and ber_skip
* main: Implement reload memcap framework
* pcre: add peg counts for PCRE_ERROR_MATCHLIMIT and PCRE_ERROR_RECURSIONLIMIT return status from pcre_exec()
* reputation: Fixed issues with reputation monitor
* rna: Add new hosts with IP-address into host cache
* snort2lua: Combine proto specific cache options for max_session in one max_flows option
* stream_tcp: add API for switching to no_ack mode
* stream_tcp: fix 3-1-2 ordering markup
* stream: update checks for modified stream config to work with updates to stream config options
* stream: updated the protocol setup and process logic of TCP,UDP,IP,ICMP and USER sessions for setting and updating idle session timeouts
* time: Make TscClock fail to compile on non-x86/AArch64 systems
* wizard: Avoid host cache service insertion since we are using flow service
* xhash: Ported sfxhash_change_memcap() from snort2 to snort3

2019-07-17: build 258

* analyzer: 1024 contexts max is a better default until configurable
* appid: fix header order in appid_session
* codec: add support of ignore_vlan flag from daq header
* detection: allocate scratch after configuration
* detection: immediately onload after offloading when running regression tests
* detection: on PDUs change search order to set check_ports correctly
* detection: reduce hard number of contexts to work with pcap default
* detection: start offload threads before packet threads are pinned
* detection: use offload_threads = N with -z = 1
* flow: Extend stash to support uint32_t and make it SO_PUBLIC
* flow: Fixes for DAQ-backed HA implementation
* flow: remove config.h from flow_stash_keys
* high_availability: high availability support in Snort2Lua
* host_cache: Adding command and config option to dump hosts
* host_cache: Closing va_list after usage using va_end
* http2: decode HPACK uint
* http2: hpack string decode
* http_inspect: perf improvements
* http_inspect: send headers to detection separately
* ips: add missing non-fast-pattern warning
* ips: refactor fast pattern searching
* mpse: api init and print methods are optional
* no_ack: Purge segment list without waiting for ack when using no_ack feature
* pcre: cap the pcre_match_limit_recursion based on the stack size available
* profiler: convert ips options to use optional profiles
* profiler: eliminate deep profiling
* profiler: implement general exclusion
* profiler: include onload/offload efforts in mpse
* profiler: refactor
* profiler: split out paf from stream_tcp
* profiler: track DAQ message receives and finalizes
* snort: remove out-of-date Snort 2 version from -V
* stream: add convenient method for flow deletion
* stream_tcp: Add no-ack policy to handle flows that have no ACKs for data
* stream_tcp: fix non-deep detect profile exclusion
* talos.lua: various fixes for command line usage

3033 | 2019-06-19: build 257 | |
3034 | ||
3035 | * analyzer: publish finalize packet event before calling finalize_message | |
3036 | * appid: Protocol based detection for non-TCP non-UDP traffic | |
3037 | * appid: support for dynamic host cache lookup-based app detection | |
3038 | * build: Fix unused parameter warnings in unit tests | |
3039 | * check: Fix missing semicolons on CHECK calls | |
3040 | * detection: adding pegcounts for fallback, offload failures | |
3041 | * detection: add peg for onload wait conditions | |
3042 | * detection: fix check for disabled rules | |
3043 | * detection: fix creation of service map to use ips policy id | |
3044 | * detection: on PDUs search TCP/UDP portgroups even when user_mode services exist | |
3045 | * doc: Remove perpetually out-of-date copy of LibDAQ's README | |
3046 | * doc: Update documentation to reflect post-DAQng reality | |
3047 | * flow: check if flow is actually deleted before updating memstats | |
3048 | * flow: Implement storing and importing HA data via DAQ IOCTLs | |
3049 | * http_inspect: stop clearing http data snapshots from ips contexts on flow deletion | |
3050 | * http_inspect/stream: accelerated blocking | |
3051 | * http_inspect: test tool enhancement | |
3052 | * icmp4: verify checksum before the type validation | |
3053 | * ips_options: add relative parameter to so option | |
3054 | * perf_mon: removed flow_ip_handler from PerfMonitor | |
3055 | * regex: fix repeated search offset | |
3056 | * rna: Fixing doc build failure due to asciidoc format issue | |
3057 | * rna: Implementing event-driven RNA inspections | |
3058 | * rna: Introducing barebone RNA module and inspector | |
3059 | * rna: Renaming peg counts and adding a warning when config changes | |
3060 | * smtp: Fix handle_header_line and normalize_data unit tests | |
3061 | * smtp: pass packet pointer instead of nullptr to SMTP_CopyToAltBuffer | |
3062 | * stream: Do not validate timestamp until peer timestamp is set | |
3063 | * stream_ip: Checking null inspector while updating session | |
3064 | ||
3065 | 2019-05-22: build 256 | |
3066 | ||
3067 | * DAQng: Port Snort and its DAQ modules to DAQ3 | |
3068 | - Massive refactoring of the Analyzer thread | |
3069 | - Handle multiple offloaded wire packets | |
3070 | - Port hext and file DAQ modules to DAQng | |
3071 | - Reimplement the RETRY verdict internal to Snort | |
3072 | - Revamp skip-n/exit-after-n/pause-after-n handling | |
3073 | - Update lua tweaks with new DAQ configuration format | |
3074 | - Update sfdaq unit tests for DAQng | |
3075 | - Update snort2lua to convert to new DAQ configuration | |
3076 | * filters: add peg count for when the thd_runtime XHash table gets full | |
3077 | * filters: make thd_runtime and rf_hash thread local and allocate them from thread init | |
3078 | rather than from Module::end() | |
3079 | * http_inspect: fix status_code_num bug in HttpMsgHeader::update_flow() that leads to | |
3080 | assert on input.length()>0 in norm_decimal_integer | |
3081 | * main: Fix File Descriptor leaks | |
3082 | * main: Include analyzer.h in snort.c | |
3083 | * packet_io: Refactor the Trough a bit | |
3084 | * perf_mon: Fixed time stamp and memory leak issue | |
3085 | - Add real timestamp to empty perf_stats data | |
3086 | - Updated dbus default subscription code and perf_mon event subscription code | |
3087 | to resolve memory leak and invalid event subscription from reloading | |
3088 | - Moved flow_ip_tracker to thread local | |
3089 | * perf_monitor: Fixing heap-use-after-free after reload failure | |
3090 | * port_scan: Change minimum memcap value to 1024 to avoid divide by zero crash | |
3091 | * rule_state: change enable values "true" / "false" to "yes" / "no" | |
3092 | * snort2lua: Remove sticky buffer duplicates | |
3093 | * stream: disable inspection of flow on reset | |
3094 | ||
3095 | 2019-05-03: build 255 | |
3096 | ||
3097 | * ips: add includer for better relative path support | |
3098 | * module_manager: Fix potential null deref in module parameter dumping | |
3099 | ||
3100 | 2019-04-26: build 254 | |
3101 | ||
3102 | * analyzer: Print pause indicator from analyzer threads | |
3103 | * appid: remove inspector reference from detectors | |
3104 | * build: Remove perpetually stale reference to lua_plugffi.h | |
3105 | * build: remove unused cruft; clean up KMap | |
3106 | * config: replace working dir overrides with --include-path | |
3107 | * context: only clear ids_in_use in dtor | |
3108 | * file_type: remove redundant error message | |
3109 | * log_pcap, packet_capture: Don't try to use a DAQ pkthdr as a PCAP pkthdr | |
3110 | * Lua: update tweaks per latest include changes | |
3111 | * main: Use epoll (for linux systems) instead of select to get rid of limit on fd-set-size and for | |
3112 | time efficiency | |
3113 | * snort2lua: fix histogram option change comment | |
3114 | * snort2lua: Integer parameter range check | |
3115 | * stream_tcp: Try to work with a cleaner Packet when purging at shutdown | |
3116 | * test: remove cruft | |
3117 | ||
3118 | 2019-04-17: build 253 | |
3119 | ||
3120 | * build: delete unused code called out by cppcheck | |
3121 | * doc: remove mention of obsolete LUA_PATH, SNORT_LUA_PATH, and required snort_config library | |
3122 | * flow_cache: Pruning one stream when excess pruning skips even if max_sessions is reached | |
3123 | * ftp_server: fix normalization and PDU parsing issues | |
3124 | * helpers: directory: use readdir instead of readdir_r | |
3125 | * Lua: apply the necessary builtin defaults from one place | |
3126 | * Lua: internalize snort_config.lua dependency | |
3127 | * Lua: build-time stringify Lua files for use as C++ variables | |
3128 | * Lua: remove dependency on SNORT_LUA_PATH | |
3129 | * mime: fix decompression for multiple files | |
3130 | * parser: update include file handling | |
3131 | * parser: fix defaults for alerts.order and network.checksum_eval | |
3132 | ||
3133 | 2019-04-10: build 252 | |
3134 | ||
3135 | * appid: Fix NetworkSet compilation on big-endian systems | |
3136 | * appid: Reduce variable scope in service_mdns | |
3137 | * appid: Reduce variable scope in service_rpc | |
3138 | * codecs/ipv4: Use struct in_addr when calling inet_ntop() | |
3139 | * dce_rpc: Fix const cast warnings in dce_smb2 | |
3140 | * detection: Don't send zero size searches to the regex offloader | |
3141 | If a batch search request had nothing in it to be | |
3142 | searched for there is no purpose in sending it to | |
3143 | the offloader | |
3144 | * detection: Ensure offload search engine started with appropriate regex offloader | |
3145 | If the offload_search_method is not specified then by | |
3146 | default it will be the same as the normal search_method | |
3147 | If this search method is an async mpse it needs started | |
3148 | using the MpseRegexOffload offloader otherwise it needs | |
3149 | started using the ThreadRegexOffload offloader | |
3150 | * file_api: add extract filename to FileFlow from mime header | |
3151 | * file_api: Add timer to limit how long we wait for pending file lookup | |
3152 | * file_api: If configured, reset session when lookup times out | |
3153 | * file_api: Make expiration timers more granular | |
3154 | * file_api: use more generic form of timercmp and fix timersub call | |
3155 | * file_api: use timersub_ms, updates to packettracer logs | |
3156 | * flow: add the override keyword to some member function to keep cppcheck happy | |
3157 | * flow: add test to check that a handler is not getting stash events that it's not listening to | |
3158 | * flow: stash publish event | |
3159 | * flow: unit test for stash publish | |
3160 | * ftp_telnet: Fix potential NULL pointer arithmetic in check_ftp() | |
3161 | * ftp_telnet: Fix val-never-used warning in DoNextFormat() | |
3162 | * http_inspect: Fix val-never-used warning in check_oversize_dir() | |
3163 | * http_inspect: Give HttpTestInput a destructor to clean up its file handle | |
3164 | * log: Fix potential NULL pointer arithmetic warning in log_text | |
3165 | * mpse: Adding performance profiling stats to Mpse batch search | |
3166 | The Mpse batch search function does not have any | |
3167 | performance profiling so this function is now wrapped | |
3168 | to facilitate the addition of performance stats | |
3169 | * normalize: Remove redundant check during configuration | |
3170 | * offload: simplify zero byte bypass | |
3171 | * offload: Framework changes to support polling for completed | |
3172 | batch searches | |
3173 | When a batch search is issued, currently we poll to | |
3174 | determine if that batch has completed its search | |
3175 | This change facilitates polling to return any batch | |
3176 | that has completed its search | |
3177 | * packet_io: Changes to allow daq retries to work properly | |
3178 | * packet_io: add entry for retry in act_str due to re-ordering | |
3179 | * packet_io: re-order ACT_RETRY to be before ACT_DROP | |
3180 | * packet_tracer: Pass filename string parameter by reference | |
3181 | * perf_monitor: Pass ModuleConfig string parameter by reference | |
3182 | * port_scan: Reduce variable scope in configuration | |
3183 | * rule_state: do not require rules in all policies | |
3184 | * rules: remove cruft from tree nodes | |
3185 | * sfip: Reduce variable scopes in sf_ipvar | |
3186 | * sfip: Switch test debug flag to a cpp macro | |
3187 | * sfrt: Reduce variable scope in _dir_remove_less_specific() | |
3188 | * sip: Give SipSplitterUT a proper copy constructor | |
3189 | * snort2lua: Adding support for appid tp_config_path conversion | |
3190 | * snort2lua: Convert rawbytes to raw_data sticky buffer | |
3191 | * so rules: fixup shutdown sequencing | |
3192 | * so rules: make plain stubs same as protected | |
3193 | * so rules: use stub strictly as a key | |
3194 | * stream: set retransmit flag | |
3195 | * stream_ip: Fix sign comparison and val-never-used issues in defrag | |
3196 | * stream_tcp: Fix shadowed variable when profiling deeply | |
3197 | * u2spewfoo: update due to re-ordering of retry action | |
3198 | ||
3199 | 2019-03-31: build 251 | |
3200 | ||
3201 | * ActionManager: actions are tracked per packet for accurate packet suspension | |
3202 | * DetectionEngine: make onload safe for reentrance | |
3203 | * DetectionEngine: stall when out of contexts | |
3204 | * Flow: is_offloaded is now is_suspended | |
3205 | * IpsContext: removed useless SUSPENDED_OFFLOAD state | |
3206 | * Mpse: Addition and use of offload search method/engine | |
3207 | * Mpse: fixed build warning about constness of get_pattern_count | |
3208 | * MpseBatch: refactor into separate files | |
3209 | * Packet: fixed thread safety in onload flag checks | |
3210 | * RegexOffload: onload whatever is ready | |
3211 | * RegexOffload: refactor into mode-specific subclasses | |
3212 | * appid: Fix for FTP detection with multiline server response split across multiple packets | |
3213 | * appid: add unit test to make sure the AppIdServiceStateKey::operator<() is OK and modify | |
3214 | existing service cache memcap test to alternate ipv4 and ipv6 addresses | |
3215 | * appid: change the service queue to store map iterators rather than the actual keys, as | |
3216 | (a) map iterators are stable and (b) sizeof(map::iterator)=8 while sizeof(key)=28 | |
3217 | * appid: compute the size of the memory used for a service cache entry only once, as it is | |
3218 | constant, and make it global | |
3219 | * appid: fix AppIdServiceStateKey::operator<() | |
3220 | * appid: fix client discovery to only check on the first data packet | |
3221 | * appid: fix comment in client_discovery.cc | |
3222 | * appid: fix double free in service_state_queue and address reviewers comments | |
3223 | * appid: fixup profiling | |
3224 | * appid: get rid of the map::find() in MapList::add(), just try to emplace directly | |
3225 | * appid: implement service cache touch(). Must figure out where to call it from | |
3226 | * appid: implement service discovery state queue to honor memcap | |
3227 | * appid: introduce min memcap of 1024 with a default of 1Mb and refactor | |
3228 | AppIdServiceState::remove() to accept a ServiceCache_t::iterator rather than ip, proto, | |
3229 | port and decrypted | |
3230 | * appid: introduce the do_touch flag to the add/get functions and call those functions with | |
3231 | the appropriate flag | |
3232 | * appid: keep cppcheck happy | |
3233 | * appid: more cppcheck clean-up | |
3234 | * appid: pass HostPortKey by reference in HostPortKey::operator<() | |
3235 | * appid: put the service_state_cache and the service_state_queue into a class in its own | |
3236 | right and refactor the code | |
3237 | * appid: remove forgotten WhereMacro | |
3238 | * appid: rename some global variables in http_url_patterns_test.cc to suppress cppcheck messages | |
3239 | * appid: replace the custom AppIdServiceCacheKey::operator< with memcmp in both service_state.h | |
3240 | and host_port_app_cache.cc | |
3241 | * appid: return void in ClientDiscovery::exec_client_detectors() and set client_disco_state to | |
3242 | FINISHED in all cases except when the client validate returns APPID_INPROCESS | |
3243 | * appid: set a range for app_stats_period parameter | |
3244 | * appid: skip empty detectors | |
3245 | * appid: the service queue should be of type AppIdServiceStateKey | |
3246 | * appid: unit test for service cache and call the touch function | |
3247 | * appid: untabify service_state.h and test/service_state_test.cc | |
3248 | * appid: update unit test file | |
3249 | * binder: Reset flow gadget and protocol ID on failed rebinding | |
3250 | * binder: store user set ips policy id from lua | |
3251 | * build: Add better support for libiconv on systems with iconv-providing libc | |
3252 | * build: fix always true warning | |
3253 | * build: fix constness warnings | |
3254 | * build: fix cppcheck warnings for file_connector, tcp_connector, ports, snort2lua, and | |
3255 | piglet_plugins | |
3256 | * build: fix override warning | |
3257 | * catch: Update to Catch v2.7.0 | |
3258 | * cd_tcp: some light refactoring | |
3259 | * conf: remove obscure and slow automatic iface var assignments; use Lua instead | |
3260 | * config: Use basename_r() function for FreeBSD versions < 12.0.0 | |
3261 | * control: Avoid deleting objects on write failures so that they get deleted from main thread | |
3262 | during read polling | |
3263 | * copyright: update year to 2019 | |
3264 | * cppcheck: fix some basic warnings | |
3265 | * dce_rpc: Added support to handle smb header compounding | |
3266 | * dce_rpc: Limiting each signature alert to once per session using 'limit_alerts' config | |
3267 | * dce_rpc: fix cppcheck warnings | |
3268 | * dce_rpc: fix style warning non-boolean returned | |
3269 | * decompress: add zip file decompression | |
3270 | * detection, snort2lua: added global rule state options for legacy conversions | |
3271 | * detection: Add search batching infrastructure | |
3272 | * detection: allow suspension of entire chains of contexts | |
3273 | * detection: fixed incorrect log messages | |
3274 | * detection: only swap offload configs when they change | |
3275 | * detection: split fast pattern processing when using context suspension | |
3276 | * doc: add a section for reload limitations | |
3277 | * doc: update default manuals | |
3278 | * doc: update reload limitations - adding/removing stream_* | |
3279 | * file: fixed data race at shutdown | |
3280 | * file_api: Added nullptr checking to prevent segfaults when file mempool is not configured | |
3281 | * file_api: call FileContext::set_file_name() from FileFlows::set_file_name with | |
3282 | fname = nullptr, in order to generate file event | |
3283 | * file_api: fail the reload if max_files_cache is changed or if capture was initially enabled | |
3284 | and capture_memcap or capture_block_size change | |
3285 | * file_api: fix policy lookup | |
3286 | * file_capture: refactor max size handling | |
3287 | * filters: call get_ips_policy instead of get_network_policy when building the key for | |
3288 | rate filter | |
3289 | * flow: Added a support to store generic objects in a stash | |
3290 | * flow: support for flow stash - allows storage of integers and strings | |
3291 | * flow_control: remove unused session flag | |
3292 | * fp_detect: suspend instead of onload if fp_local can't occur yet | |
3293 | * hash: Added lru_cache_shared.h to HASH_INCLUDES | |
3294 | * hash: Moved list_iter assignment inside to avoid improper memory access in LruCacheShared | |
3295 | * http_inspect: disable reg test assertion until interface with stream_tcp is updated | |
3296 | * http_inspect: patch around buffer ownership confusion | |
3297 | * ips_context: minimize iterations to clear data | |
3298 | * ips_options: implement FileTypeOption::hash() and FileTypeOption::operator==(), inherited | |
3299 | from IpsOption, using the types bitset array, in order to distinguish between different | |
3300 | file type options | |
3301 | * loggers: add alert_talos, use in talos tweak | |
3302 | * loggers: alert_talos: fix copyright, author, unneeded check | |
3303 | * loggers: alert_talos: fix copyright, warnings | |
3304 | * loggers: alert_talos: fix cppcheck error | |
3305 | * loggers: alert_talos: fix include order | |
3306 | * loggers: alert_talos: fix memory leak | |
3307 | * loggers: workaround for cppcheck's false warning | |
3308 | * lua: make RTF file magic more generic | |
3309 | * main: log message when all pthreads started (REG_TEST only) | |
3310 | * main: shell commands and signals executed only after snort finish startup | |
3311 | * memory: Use only one variable to keep track of allocated and deallocated memory | |
3312 | * memory: add configurable L3/L4 specific weights for better estimation against cap | |
3313 | * memory: add size_of to various FlowData subclasses | |
3314 | * memory: apply fudge factor to tracking to better align with RSS | |
3315 | * memory: basic flow data allocation tracking | |
3316 | * memory: basic flow pruning | |
3317 | * memory: beware the perf_monitor, for she stealeth your numbers | |
3318 | * memory: do not re-enter the pruner | |
3319 | * memory: fix re-entry check | |
3320 | * memory: increase default tcp cache cap weight; fix default values | |
3321 | * memory: initial preemptive pruning based on flow data | |
3322 | * memory: refactor stats | |
3323 | * memory: remove overloading manager to make way for new implementation | |
3324 | * memory: remove useless thread local | |
3325 | * memory: require subclass implementation of FlowData::size_of() | |
3326 | * memory: track session allocations | |
3327 | * mime: add file decompression | |
3328 | * misc: fixed warnings generated from latest gcc | |
3329 | * packet tracer: initialize sf_ip structs | |
3330 | * policy: allow an empty policy to be set explicitly | |
3331 | assigned to it | |
3332 | * policy: Rename TRUE/FALSE to ENABLE/DISABLED | |
3333 | * port_scan: Fail reload if memcap changed | |
3334 | * profile: convert remaining layer 2 or greater profile scopes to the deep, dark underbelly | |
3335 | * profiler: add quick exit if not configured to minimize overhead | |
3336 | * profiler: add quick exit if not configured to minimize overhead (rule times) | |
3337 | * protocols: fix style warning non-boolean value returned | |
3338 | * react: sending reset to server only | |
3339 | * regex_offload: fix stats for thread | |
3340 | * reload: differentiate between restart required and bad config | |
3341 | * reload: fail reload if stream is in the original config and stream_* is added/removed | |
3342 | * reload: prompt reload failure and require restart when stream cache were changed | |
3343 | * reload: send reload completed message to control channel instead of logging it | |
3344 | * rule eval: ensure leaf children are properly counted | |
3345 | * rule_state: add rtn but disable if block is set on non-inline deployment | |
3346 | * rule_state: added default rule state to ips policy | |
3347 | * rule_state: added per-ips-policy rule states | |
3348 | * rules: do not preallocate actions | |
3349 | * safec: Update to work with modern versions of LibSafeC | |
3350 | * sfip: add a FIXIT for checking that the current implementation of _is_lesser(), which only | |
3351 | compares same-family ips is OK | |
3352 | * sip: update sip options to use has_tcp_data instead of is_tcp | |
3353 | * snort2lua: Create dev_notes.txt for sticky buffers | |
3354 | * snort2lua: adding when.role for specific inspectors | |
3355 | * snort2lua: change the -l short option to --dont-convert-max-sessions | |
3356 | * snort2lua: combining multiple zones in one binder rule | |
3357 | * snort2lua: comment gid 147 file rules | |
3358 | * snort2lua: convert file_capture config options | |
3359 | * snort2lua: do generate the tcp_cache instance even when we don't convert tcp_max to | |
3360 | max_sessions | |
3361 | * snort2lua: do not translate max_sessions from snort.conf to snort.lua | |
3362 | * snort2lua: fix pcre option issues | |
3363 | * snort2lua: fix sticky buffer duplication | |
3364 | * snort2lua: fixed duplication of split_any_any from config: detection | |
3365 | * snort2lua: introduce command line option -l to suppress conversion of max_tcp, max_udp, | |
3366 | max_icmp and max_ip to max_sessions | |
3367 | * snort2lua: move obfuscate_pii to the ips table from the output table | |
3368 | * snort_config: Add a setter for setting run_flags and set it to TRACK_ON_SYN for hs_timeout | |
3369 | config | |
3370 | * ssl: Count calls to disable_content for ssl sessions | |
3371 | * stream: Change StreamSplitter::scan to take a Packet instead of a Flow | |
3372 | * stream: Pass Packet in flush_pdu_* -> paf_eval -> paf_callback chain | |
3373 | * stream: fixed ignore_flow segfault bug caused by allocating generic flow data instead of | |
3374 | inspector specific flow data | |
3375 | * stream: log StreamBase::config in StreamBase::show() | |
3376 | * stream: purge remaining flows before shutdown counts | |
3377 | * stream_tcp: add track_only to disable reassembly | |
3378 | * stream_tcp: consolidate segment node and data | |
3379 | * stream_tcp: disambiguate seglist trace | |
3380 | * stream_tcp: do not purge partially acked segment | |
3381 | * stream_tcp: fix up stream order flags | |
3382 | * stream_tcp: fixup allocation tracking for overlapped segments | |
3383 | * stream_tcp: implement reserve seglist | |
3384 | * stream_tcp: initialize priv_ptr for pdus | |
3385 | * stream_tcp: patch around premature application of delayed actions that yoink the seglist | |
3386 | * stream_tcp: remove seglist node cruft | |
3387 | * stream_tcp: reset paf segment when switching splitters | |
3388 | * stream_tcp: simplify paf init | |
3389 | * stream_tcp: support unidirectional flushing similar to Snort 2 | |
3390 | * stream_tcp: tweak PAF scanning | |
3391 | * stream_tcp: tweak ips mode flushing | |
3392 | * stream_udp: ensure all flows are cleared fully | |
3393 | * time: Adding timersub_ms function to return timersub in milliseconds | |
3394 | ||
3395 | 2018-12-06: build 250 | |
3396 | ||
3397 | * actions: Fix incorrect order of IPS reject unreachable codes and adding forward option | |
3398 | * active: added peg count for injects | |
3399 | * active, detection: active state is tied to specific packet, not thread | |
3400 | * appid: Don't build unit test components without ENABLE_UNIT_TESTS | |
3401 | * appid: Fix heap overflow issue for a fuzzed pcap | |
3402 | * build: accept generator names with spaces in configure_cmake.sh | |
3403 | * build: clean up additional warnings | |
3404 | * build: fix some cppcheck warnings | |
3405 | * build: fix some int format specifiers | |
3406 | * build: fix some int type conversion warnings | |
3407 | * build: reduce variable scope to address warnings | |
3408 | * detection: enable offloading non-pdu packets | |
3409 | * detection, stream: fixed assuming packets were offloaded when previous packets on flow have | |
3410 | been offloaded | |
3411 | * file_api: choose whether to get file config from current config or staged one | |
3412 | * file: fail the reload if capture is enabled for the first time | |
3413 | * framework: Clone databus to new config during module reload | |
3414 | * loggers: Use thread safe strerror_r() instead of strerror() | |
3415 | * main: support resume(n) command | |
3416 | * managers: update action manager to support reload | |
3417 | * module_manager: Fix configuring module parameter defaults when modules have list parameters | |
3418 | * parameter: add max31, max32, and max53 for int upper bounds | |
3419 | * parameter: add maxSZ upper bound for int sizes | |
3420 | * parameter: build out validation unit tests | |
3421 | * parameter: clean up some signed/unsigned mismatches | |
3422 | * parameter: clean up upper bounds | |
3423 | * parameter: remove arbitrary one day limit on timers | |
3424 | * parameter: remove ineffective -1 from pcre_match_limit* | |
3425 | * parameter: reorganize for unit tests | |
3426 | * parameter: use bool instead of int for bools | |
3427 | * parameter: use consistent default port ranges | |
3428 | * perf_monitor: Actually allow building perf_monitor as a dynamic plugin | |
3429 | * perf_monitor: fix benign parameter errors | |
3430 | * perf_monitor: fixed fbs schema generation when not building with DEBUG | |
3431 | * protocols: add vlan_idx field to Packet struct and handle multiple vlan type ids; | |
3432 | Thanks to ymansour for reporting the issue | |
3433 | * regex worker: removed assert that didn't handle locks cleanly | |
3434 | * reputation: Fix iterations of layers for different nested_ip configs and show the | |
3435 | blacklisted IP in events | |
3436 | * sip: Added sanity check for buffer boundary while parsing a sip message | |
3437 | * snort2lua: add code to output control = forward under the reject module | |
3438 | * snort2lua: Fix compiler warning for catching exceptions by value | |
3439 | * snort2lua: Fix pcre H and P option conversions for sip | |
3440 | * snort: add --help-limits to output max* values | |
3441 | * snort: Default to a snaplen of 1518 | |
3442 | * snort: fix command line parameters to support setting in Lua; | |
3443 | Thanks to Meridoff <oagvozd@gmail.com> for reporting the issue | |
3444 | * snort: remove obsolete and inadequate -W option; | |
3445 | Thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue | |
3446 | * snort: terminate gracefully upon DAQ start failure; | |
3447 | Thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue | |
3448 | * so rules: add robust stub parsing | |
3449 | * stream: fixed stream_base flow peg count sum_stats bug | |
3450 | * stream tcp: fixed applying post-inspection operations to wrong rebuilt packet | |
3451 | * stream tcp: fixed sequence overlap handling when working with empty seglist | |
3452 | * style: clean up comment to reduce spelling exceptions | |
3453 | * thread: No more breaks for pigs (union busting) | |
3454 | * tools: Install appid-detector-builder.sh with the other tools; | |
3455 | Thanks to Jonathan McDowell <noodles-github@earth.li> for reporting the issue | |
3456 | ||
3457 | 2018-11-07: build 249 | |
3458 | ||
3459 | * appid: Fixing profiler data race and registration issues | |
3460 | * appid: make third party appid stats configurable | |
3461 | * appid: Remove detector flows from the list for faulty lua detectors | |
3462 | * build: remove dead code | |
3463 | * build: support dynamic imap, pop, and smtp | |
3464 | * comments: additional cleanup | |
3465 | * comments: delete obsolete comments | |
3466 | * comments: fixup format, spelling, priority, etc | |
3467 | * comments: remove XXX and convert to FIXIT where appropriate | |
3468 | * connectors: Fix TCP connector unit test compilation on Alpine Linux (musl) | |
3469 | * cppcheck: cleanup some warnings | |
3470 | * dcerpc: fixed build warning with struct packing | |
3471 | * dcerpc: fixed setting endianness on one packet and checking on another | |
3472 | * detection : add function to clear ips_id from unit tests | |
3473 | * detectionengine: Only clear inspector data after offloads have completed | |
3474 | * detection/http_inspect: Save a snapshot of HTTP buffers in the IPS context to support offload | |
3475 | of HTTP flows | |
3476 | * doc: Adding performance consideration for developers | |
3477 | * file_api: revert deleting gid 146 so existing 146 rulesets don't attempt empty rule eval | |
3478 | * fixits: prioritize for RC | |
3479 | * flow: fixed build warning | |
3480 | * flow: track multiple offloads | |
3481 | * fp_detect: onload before running local to ensure event ordering | |
3482 | * framework: replace the newly introduced loop to reset the reload_type flags with the | |
3483 | existing Inspector::update_policy function | |
3484 | * framework: set the reload_type flags to RELOAD_TYPE_NONE at the end of reload, in | |
3485 | anticipation of future reloads | |
3486 | * host_tracker: fixed uppercase IP param issue | |
3487 | * http2_inspect: Change http2 GID from 219 to 121 | |
3488 | * ips_flowbits: move static structures to snort config | |
3489 | * main: initialize shell_map and other maps in PolicyMap::clone() | |
3490 | * main: size analyzer notification ring appropriately | |
3491 | * manual: fix some typos | |
3492 | * mime: made the mime hdr info and current search thread local | |
3493 | * mime: move the decode buffer used by mime attachments to mime context data | |
3494 | * packet_tracer: can't emplace vector<bool> until c++14 | |
3495 | * parser: bad filename during reload is not a fatal error | |
3496 | * perfmon: fix issue to report correct stats after passing -n pkts | |
3497 | * perf_monitor: trackers keep copy of the relevant config items from the inspector | |
3498 | * reload: fixed smtp seg fault when reload failed | |
3499 | * reputation: delete old conf before allocating a new one in ReputationModule::begin() if | |
3500 | conf not null | |
3501 | * rule_state: indicate list format | |
3502 | * search_tool: include bytes searched in pattern match stats | |
3503 | * search_tool: validate ac_full and ac_bnfa wrt search and search_all | |
3504 | * snort2lua: Add support for enable/disable iprep logging using suppress mechanism | |
3505 | * snort2lua: Avoid returning reference of local variable | |
3506 | * snort2lua: comment out deleted gid 146 rules | |
3507 | * snort2lua: Enable address_anomaly_detection during snort2lua and fixed missing string | |
3508 | sanity checks | |
3509 | * snort2lua: fixed paf_max to stream_tcp.max_pdu conversion | |
3510 | * snort2lua: tweak for style consistency | |
3511 | * snort: add --rule-path to load rules from all files under given dir | |
3512 | * snort: Code refactoring - replacing push_back/insert by emplace_back/emplace, keeping | |
3513 | reputation_id in flow instead of flow_data, and appid code improvements | |
3514 | * source: fix some typos | |
3515 | * source: minor refactoring | |
3516 | * spell: fix typo | |
3517 | * stream, detection, flow: don't force onloads between pdus unless absolutely necessary | |
3518 | * stream: fixed build warning | |
3519 | * stream: only delete flows after all onloads | |
3520 | * stream tcp: don't delete flow data on rst, let session close handle it | |
3521 | * textlog: removed unused TextLog_Tell function | |
3522 | * thread_idle: call timeout flows with packet time for pcap replay | |
3523 | * utils: fixed deprecation build warning on register keyword | |
3524 | ||
3525 | 2018-09-26: build 248 | |
3526 | ||
3527 | * appid: adding detector builder and fixing stats to recognize custom appid; | |
3528 | Thanks to Wang Jun <traceflight@outlook.com> for reporting the issue | |
3529 | * appid: fixing ubuntu check tests | |
3530 | * appid: fix valgrind issues in SIP event handler | |
3531 | * appid: FreeBSD unit-test fix | |
3532 | * appid: supporting pub-sub mechanism for app changes | |
3533 | * build: add libnsl and libsocket to Snort for Solaris builds | |
3534 | * build: fall back on TI-RPC if no built-in RPC DB is found | |
3535 | * build: introduce a more robust check for GNU strerror_r | |
3536 | * daqs: include unistd.h directly for better cross-platform compatibility | |
3537 | * dce_rpc: add DCE2_CO_REM_FRAG_LEN_LT_SIZE (133:31) to the TCP rule map | |
3538 | * dce_rpc: add DCE2_SMB_NB_LT_COM (133:11) to the SMB rule map | |
3539 | * detection: added post-onload callbacks | |
3540 | * detection: allocate ips context data using hard coded max_ips_id == 32 | |
3541 | * detection: don't use s_switcher to get file data | |
3542 | * detection: run active actions at onload | |
3543 | * detection: use packet to reference context | |
3544 | * file_api: fix off-by-one bug that was hurting performance | |
3545 | * file_api: move the check on REJECT or BLOCK inside an upper if clause for performance reasons | |
3546 | * file_api: set disable flow inspection as soon as the verdict is REJECT | |
3547 | * file_api: treat a BLOCK verdict the same as a REJECT verdict, for good measure | |
3548 | * http_inspect: split and inspect immediately upon reaching depth | |
3549 | * latency: added cleanup for RegexOffload threads | |
3550 | * lua: changing default FTP EPSV string format | |
3551 | * main: pause-after-n support | |
3552 | * managers: handle tinit for inspectors added during reload | |
3553 | * managers: if a plugin doesn't have tinit, still mark it as initialized | |
3554 | * reputation: early return on parsing error causing uninitialized id | |
3555 | * reputation: fix SI doesn't block traffic if Any Zone is specified | |
3556 | ||
3557 | 2018-08-27: build 247 - Beta | |
3558 | ||
3559 | * appid: change map to unordered map | |
3560 | * appid: declare SMTPS early in STARTTLS state on success response code | |
3561 | * appid: fix data-race issues from ips_appid_option and improve app_name search | |
3562 | * detection: avoid repeating detection by always doing non-fast-pattern rules immediately | |
3563 | (applies to experimental offload only) | |
3564 | * docs: update default html, pdf, and text user manuals | |
3565 | * reputation: reevaluate current flows upon reload | |
3566 | * stream_tcp: avoid duplicating split sement data | |
3567 | * build: removing use of u_char and u_short macros (github #53) | |
3568 | ||
3569 | 2018-08-13: build 246 | |
3570 | ||
3571 | * active: Add an upper limit of 255 to min_interval | |
3572 | * appid: Avoid snort crash upon lua file errors | |
3573 | * appid: Fixes for TNS, eDonkey, and debug logs in Lua detectors | |
3574 | * appid: Single lua-state per thread | |
3575 | * appid: code clean-up | |
3576 | * appid: create developer notes document | |
3577 | * appid: make the code compatible with the latest version of snort2 | |
3578 | * appid: refactor detector initialization | |
3579 | * appid: fix multithreading issues (data races) from app_forecast | |
3580 | * appid: many other updates | |
3581 | * binder: Make two passes at binder rules - one for policy IDs and then everything else | |
3582 | * binder: Refactor binder as a passive, event-driven inspector | |
3583 | * byte_test: update operator parsing, remove dead code | |
3584 | * catch: Update to Catch v2.2.3 | |
3585 | * codecs: Handle raw IP packets in Snort proper | |
3586 | * codecs: fix dynamic build of root codecs | |
3587 | * decode: alternate checksum calculation to improve runtime performance | |
3588 | * detection: don't offload when 0 threads are configured | |
3589 | * detection: save the ropts used for dce rule options in ips context to support offload | |
3590 | * detection: various bug fixes for offload emulation | |
3591 | * doc: Update regarding the build issue with --enable-tcmalloc flag and known workarounds | |
3592 | * doc: added active response section to user manual | |
3593 | * doc: corrections to tutorial section | |
3594 | * doc: update known problems | |
3595 | * events: remove manager cruft | |
3596 | * file_id: fix uninitialized | |
3597 | * file_magic: Update file_magic.lua to cover all file types and versions | |
3598 | * framework: Enable dynamic building of ips_{pcre,regex,sd_pattern} + Hyperscan MPSE | |
3599 | * framework: Scratch handlers for SnortState | |
3600 | * framework: fixed adding probe to wrong SnortConfig | |
3601 | * http_inspect: URI normalization added to dev_notes | |
3602 | * http_inspect: add perfmon to splitter | |
3603 | * http_inspect: bug fix and cleanup | |
3604 | * http_inspect: memory reduction and misc cleanup | |
3605 | * http_inspect: renumbered events to avoid current and future conflicts with Snort 2.X | |
3606 | * inspector: Rename ::update() to ::remove_inspector_binding() to better reflect what it does | |
3607 | * ips: Remove unused IPS module stats | |
3608 | * ips_fragbits: Removed dead code | |
3609 | * packet_tracer: Report user policy IDs and add network policy | |
3610 | * parser: reset parse error count before reload to avoid confusion | |
3611 | * perf_monitor: fix for reload | |
3612 | * perf_monitor: format error in dev_notes | |
3613 | * policy: Add the ability to set network policy based on user-specified ID | |
3614 | * policy: Export querying policies by user ID and setting runtime policies | |
3615 | * profiler: Don't clobber max entry count when recursing | |
3616 | * reload: do not set policies for incremental reload case | |
3617 | * reload: set policies upon swap to avoid dangling pointers when idle | |
3618 | * reputation: make sure reputation inspector is called in default policy | |
3619 | * reputation: support reload module | |
3620 | * sfip: if ips_policy doesn't exist, allow for ipvar parsing without vartable | |
3621 | * sip: Ported sip-splitter implementation from snort2 | |
3622 | * snort.lua: add inline tweaks | |
3623 | * snort.lua: add talos defaults | |
3624 | * snort.lua: fix tweaks path; | |
3625 | Thanks to brastult@cisco.com for reporting the issue | |
3626 | * snort.lua: fix community rules filename; | |
3627 | Thanks to mike@flyn.org for reporting the issue | |
3628 | * snort2lua: Handle sidechannel config | |
3629 | * snort2lua: add conversion for shared memory | |
3630 | * snort2lua: added missing keyword to nap parsing | |
3631 | * snort2lua: don't try to index into empty lines | |
3632 | * snort2lua: fixed nap ip parsing | |
3633 | * snort2lua: merge multiple nap rules with the same id | |
3634 | * snort2lua: translate file_type rule option | |
3635 | * snort: match delete[] with new[] | |
3636 | * snort: wrap snort SO_PUBLIC symbols in the snort namespace | |
3637 | * ssh: added test code | |
3638 | * stream_ip: match delete[] with new[]; don't create zero length trackers | |
3639 | * stream_tcp: 86 r_nxt_ack as tracker state for next rx seq, use rcv_nxt instead | |
3640 | * stream_tcp: back out fin handling changes for bug not relevant to snort3 | |
3641 | * tcp_connector_test: fixed version-sensitive build problem | |
3642 | ||
3643 | 2018-05-21: build 245 | |
3644 | ||
3645 | * CodecManager: removed unused code | |
3646 | * DataBus: fixed creating DataHandler when one doesn't exist | |
3647 | * Debug messages: cleanup for service inspectors. New traces for detection, stream | |
3648 | * Debug: Final debug messages cleanup, removal of macros from snort_debug | |
3649 | * Ipv4Codec: removed random ip id pool and replaced randoms on demand | |
3650 | * PacketManager: moved encode storage to heap | |
3651 | * PerfMonitor: fixed subscribing to flow events multiple times | |
3652 | * ProtoRef: Converge on single name for SnortProtocolId. Fix threading problems | |
3653 | * Reset: Always queue reject and test packet type in RejectAction::exec | |
3654 | * SFDAQModule: moved daq stats here. fixed stats not being output from perfmon | |
3655 | * Snort2lua: Add ftp_data to multiple files when needed, once per file | |
3656 | * Snort2lua: Translate ftp_server relative to default configurations | |
3657 | * Snort: moved s_data to heap | |
3658 | * active: Enable when max_responses is enabled | |
3659 | * alert: moved alert json. unixsock out from extra to snort3 | |
3660 | * appid: Add AppID debug command | |
3661 | * appid: Enable Third-Party Code for Packet Processing | |
3662 | * appid: Fix bug where Service and Application ID's set to port number instead of service appid | |
3663 | * appid: Fixing service discovery states | |
3664 | * appid: Only import dynamic detector pegcounts once | |
3665 | * appid: Refactor debug command | |
3666 | * appid: Refactor debug command, use SfIp, and fix non-Linux compilation | |
3667 | * appid: Third party integration support | |
3668 | * appid: appid session unit test changes | |
3669 | * appid: change metadata buffers from std::string to pointers, to avoid extra copying | |
3670 | * appid: clean-up code for performance and implement is_tp_processing_done() | |
3671 | * appid: create referer object only for non-null string | |
3672 | * appid: do not inspect out-of-order flows, ignore zero-payload packets for client/service | |
3673 | discovery | |
3674 | * appid: fix memory leak in appid_http_event_test and warning in appid_http_session.cc | |
3675 | * appid: fix segfault due to dereferencing null host pointer | |
3676 | * appid: fix tabs and indentation | |
3677 | * appid: fixed http fields, referer payload and appid debug | |
3678 | * appid: make tp_attribute_data more localized, so we only allocate/deallocate it if needed | |
3679 | * appid: moved HttpFieldIds to appid_http_session | |
3680 | * appid: peg count / dynamic peg count update. Split peg counts into the ones known at | |
3681 | compile time and dynamic ones. Update stats , module manager and module to support | |
3682 | dumping dynamic stats | |
3683 | * appid: report when third party appid is done inspecting | |
3684 | * appid: sip: moved pattern thread local to class instance | |
3685 | * base64_decode: moved buffer storage to regular heap | |
3686 | * binder: Fix UBSAN invalid value type runtime error | |
3687 | * build: 244 | |
3688 | * build: Add --enable-ub-sanitizer option for undefined behavior sanitizer | |
3689 | * build: Add some header includes for FreeBSD | |
3690 | * build: Clean up CMake string APPENDing for configure options | |
3691 | * build: Clean up HAVE_* definition checks | |
3692 | * build: Define NDEBUG if debugging is not enabled | |
3693 | * build: Fix building unit tests on FreeBSD | |
3694 | * build: Modernize code with =default for special member functions | |
3695 | * build: Modernize code with virtual/override/final cleanups | |
3696 | * build: Remove bashisms from most shell scripts | |
3697 | * build: add cmake configure switches for NO_PROFILER, NO_MEM_MGR and DEEP_PROFILING | |
3698 | * build: add disable-docs to disable doc build | |
3699 | * build: fix various drops const qualifier cases | |
3700 | * build: fix various warnings: | |
3701 | * build: propogate snort3 tsc build option to the extra build system | |
3702 | * byte_extract: fix cursor update | |
3703 | * byte_jump: fix from_beginning | |
3704 | * byte_math: allow rvalue == 0 except for division | |
3705 | * catch: Update to Catch v2.2.1 | |
3706 | * clock: Allow use of ARM64 CNTVCT_EL0 register for timing (#46); | |
3707 | Thanks to j.mcdowell@titan-ic.com for the patch | |
3708 | * clock: use uint64_t with tsc clock instead of std::chrono for performance | |
3709 | * cmake: Add --enable-appid-third-party to configure_cmake.sh | |
3710 | * cmake: Add support for building with tcmalloc | |
3711 | * cmake: Rework FindPCAP logic and ignore SFBPF | |
3712 | * cmake: fixed checks for functions | |
3713 | * cmake: update for iconv | |
3714 | * codecs: add config option to detection to enable check and alert for address anomalies | |
3715 | * daq_hext: Make IpAddr() static to fix compiler warning | |
3716 | * dce_co_process_ctx_id needs to update its caller's (DCE2_CoCtxReq) frag_ptr as it is | |
3717 | called in a loop in order to parse each dce/rpc ctx item, otherwise it ends up parsing | |
3718 | the same ctx item over and over | |
3719 | * dce_rpc: fix parsing of dce/rpc ctx items | |
3720 | * dce_rpc: pass frag_ptr by reference | |
3721 | * debug: Remove debug messages from appid, arp_spoof, and perf_monitor | |
3722 | * debug: Remove debug messages from detection and ips_options | |
3723 | * debug: Remove debug messages from stream | |
3724 | * decompress/file_decomp_pdf.cc: implicit fallthrough | |
3725 | * detect: moving thread locals identified to ips context | |
3726 | * detection: fixed uninitialized MpseStash | |
3727 | * doc: add doc for module trace | |
3728 | * encoders: fixed off-by-one error in underlying buffer handling | |
3729 | * extra: Port some CMake options from Snort prime | |
3730 | * extra: splitted extra out to snort3_extra repo | |
3731 | * file_api: combine file cache for file resume and partial file processing | |
3732 | * file_connector: Fix address-of-packed-member compiler warnings | |
3733 | * file_decomp_pdf.cc: unreachable code return | |
3734 | * file_type: Require strings instead of integers for types. Handle versions | |
3735 | * flow: SO_PUBLIC FlowKey | |
3736 | * framework: align PktType and proto bits | |
3737 | * framework: remove bogus PktType for ARP and just use proto bits instead | |
3738 | * ftp_server: Added Flow::set_service and fixed FtpDataFlowData::handled_expected | |
3739 | * ftp_server: Added ability get TCP options length from TcpStreamSession | |
3740 | * ftp_server: Added accessors to Stream so TcpStreamSession can be private | |
3741 | * ftp_server: Base last_seg_size off of MSS | |
3742 | * ftp_server: Provide FLOW_SERVICE_CHANGE pub/sub event | |
3743 | * ftp_server: ftp_server requires that ftp_client and ftp_data be configured | |
3744 | * hashfcn: Fix UBSAN integer overflow runtime error | |
3745 | * hashfcn: Fix UBSAN left shift of negative value runtime error | |
3746 | * http_inspect: broken chunk performance improvement | |
3747 | * http_inspect: bugfix and new alert for gzip underrun | |
3748 | * http_inspect: embedded white space in Content-Length | |
3749 | * http_inspect: handling of run-to-connection-close bodies beyond depth | |
3750 | * http_inspect: know more Content-Encodings by name | |
3751 | * http_inspect: patch around regression failures until a permanent solution is implemented | |
3752 | * http_inspect: performance enhancements for file processing beyond detection depth | |
3753 | * ip: replaced REG_TEST with -H option for ipv4 codec fixed seed | |
3754 | * ips_byte_jump: Fix UBSAN left shift of negative value runtime error | |
3755 | * ips_byte_math: Fix UBSAN left shift of negative value runtime error | |
3756 | * ips_flags: remove dead code | |
3757 | * javascript: moved decode buffer to stack | |
3758 | * memory: disable with -DNO_MEM_MGR | |
3759 | * memory_manager.cc: dangling references | |
3760 | * packet_capture, cmake: Remove SFBPF dependencies | |
3761 | * packet_capture: adding analyzer command to initialize dump file | |
3762 | * packet_tracer: Fix compiler warning when compiling with NDEBUG | |
3763 | * packet_tracer: Modularize and add constraint-based shell enablement | |
3764 | * parameter: Fix UBSAN shift exponent is too large for 32-bit type runtime error | |
3765 | * parser: allow arbitrary rule gids | |
3766 | * pop, imap, and smtp: changes to MIME configuration parameters | |
3767 | * port_scan: include open ports with alerts instead of separate | |
3768 | * profile: disable with -DNO_PROFILER | |
3769 | * profiler: add deep profiler option | |
3770 | * reload: enabled reloading ips_actions; added parse error check for reloading | |
3771 | * repuation: remove the limit for zone id | |
3772 | * reputation: add zone support | |
3773 | * search_engine: revert default detect_raw_tcp to false | |
3774 | * service inspectors: debug cleanup | |
3775 | * sfip: A version of set() which automatically determines the family | |
3776 | * sfip: removed ntoa. use ntop(SfIpString) instead | |
3777 | * snort2lua: Add reject action when active responses is enabled | |
3778 | * snort2lua: conversion of gid 120 to 119 | |
3779 | * snort2lua: enable reject action when firewall is enabled | |
3780 | * snort: -r- will read packets from stdin | |
3781 | * spell check: fix memeory and indicies typos | |
3782 | * steam_tcp: change singleton names from linux to new_linux to avoid spurious collisions | |
3783 | with defines | |
3784 | * stream ip: refactored to use MemoryManager allocators | |
3785 | * stream: assume gid 135 so those rules are handled as standard builtins | |
3786 | * stream: be selective about flow creation for scans | |
3787 | * stream: refactor flow control for new PktTypes | |
3788 | * stream: remove usused ignore_any_rules from tcp and udp | |
3789 | * stream: respect tcp require_3whs | |
3790 | * stream: warning: potential memory leaks | |
3791 | * stream_tcp: refactor tcp normalizer and reassembler to eliminate dynamic heap allocations | |
3792 | per flow | |
3793 | * stream_tcp: switch to splitter max | |
3794 | * stream_tcp: tweak seglist cursor handling | |
3795 | * target_based: 100% coverage on snort_protocols.cc | |
3796 | * target_based: unit tests for ProtocolReference class | |
3797 | * tcp codec: count bad ip6 checksums correctly; | |
3798 | Thanks to j.mcdowell@titan-ic.com for reporting the issue | |
3799 | * tcp: allow data handlding for packet with invalid ack | |
3800 | * time: initialize Stopwatch::start_time member variable to 0 ticks when TSC clock is enabled | |
3801 | * trace: add traces for deleted debug messages | |
3802 | * wizard: Fix UBSAN out-of-bounds access runtime error | |
3803 | * zhash: cleanup cruftiness | |
3804 | ||
3805 | 2018-03-15: build 244 | |
3806 | ||
3807 | * appid: unit-tests for http detector plugins | |
3808 | * build: address compiler warnings, spell check and static analyzer issues | |
3809 | * build: extirpate autotools usage | |
3810 | * build: fix compilation issue on FreeBSD with extra | |
3811 | * byte_jump: updated byte_jump post_offset option to support variable | |
3812 | * cmake: update CMake config to use GNUInstallDirs and match automake | |
3813 | * daq: hext DAQ can generate start of flow and end of flow meta events | |
3814 | * doc: add documentation for ftp telnet | |
3815 | * doc: fix including config_changes.txt when ruby is not present | |
3816 | * doc: update ftp time format link | |
3817 | * doc: updates for HTTP/2 | |
3818 | * http_inspect: handle white space before chunk length | |
3819 | * inspectors: probes run regardless of active policy | |
3820 | * logger: update Hext Logger to subscribe and log DAQ Meta Packets | |
3821 | * main: reload hosts while reloading config | |
3822 | * memory: override C++14 delete operators as well | |
3823 | * packet tracer: added ability to direct logging to file | |
3824 | * perf_monitor: fixed flow_ip outputting erroneous values | |
3825 | * perf_monitor: query modules for stats only after they have all loaded | |
3826 | * snort: --rule-to-text [<delim>] raw string output | |
3827 | * snort: allow colon separated directories for --daq-dir | |
3828 | * snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort' | |
3829 | namespace | |
3830 | ||
3831 | 2018-02-12: build 243 | |
3832 | ||
3833 | * build: enable gdb debugging info by default | |
3834 | * build: fix cppcheck warnings | |
3835 | * build: fix static analysis issue | |
3836 | * comments: fix 6isco typos | |
3837 | * copyright: update year to 2018 | |
3838 | * detection: use detection limit (alt_dsize) | |
3839 | * detection: trace fast pattern searches with 0x20 | |
3840 | * detection: do not change search_engine.inspect_stream_inserts configuration | |
3841 | * doc: update default manuals | |
3842 | * flow: support episodic detection | |
3843 | * help: upper case proto acronyms etc | |
3844 | * http_inspect: apply request/response depth to packet data | |
3845 | * http_inspect: suppress raw packet inspection beyond request/response depth | |
3846 | * main: Export AnalyzerCommand and main_broadcast_command() | |
3847 | * rules: fix path variable expansion | |
3848 | * search_engine: rename inspect_stream_inserts to detect_raw_tcp for clarity | |
3849 | default to true for 2.X rule sets | |
3850 | * rules: update fast pattern selection to exclude redundant port groups | |
3851 | when service groups are present | |
3852 | * wizard: count user scans and hits separate from tcp | |
3853 | ||
3854 | 2018-01-29: build 242 | |
3855 | ||
3856 | * build: add STATIC to add_library call of port_scan to build it statically | |
3857 | otherwise link will fail (Makefile.am already build only the static version); | |
3858 | Thanks to Fabrice Fontaine <fontaine.fabrice@gmail.com> | |
3859 | * doc: update snort2lua for .rules files | |
3860 | * doc: fixed some typos | |
3861 | * expect: removed a single-element structure ExpectFlows | |
3862 | * file_api: give FilePolicyBase a default virtual destructor | |
3863 | * file: gracefully handle not having file policy configured in dce_smb | |
3864 | * flow: provided access to all expected flows created by a packet | |
3865 | * inspection events: added mandatory expected flow pub sub support | |
3866 | * inspector_manager: fix acquire and use of default policy | |
3867 | * profiler: fixed missing include | |
3868 | * sfdaq: export can_whitelist() and modify_flow_opaque()file_api: | |
3869 | move VerdictName array out of file_api.h | |
3870 | * snort2lua: fix file_rule_path and fw_log_size handling in firewall preprocessor | |
3871 | * snort2lua: make sure file_magic table comes before file_id table | |
3872 | * snort2lua: detect commented 'alert' rules and convert them from snort to snort3 format | |
3873 | Leave the rules commented out in the snort3 rules file | |
3874 | * snort2lua: convert *.rules files line-by-line | |
3875 | * unit tests: updated Catch | |
3876 | * unit tests: added ability to run Catch tests from dynamic modules | |
3877 | * utils, flatbuffers: added a uniform interface for 64-bit endian swaps | |
3878 | ||
3879 | 2017-12-15: build 241 | |
3880 | ||
3881 | * add back the ref count for file config | |
3882 | * alert_csv: various fixes to match alert_json | |
3883 | * alert_json: tcp_ack, tcp_seq, and tcp_win are (base 10) integers | |
3884 | * alert_json: various fixes; | |
3885 | Thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issues | |
3886 | * appid: close all Lua states when thread exits | |
3887 | * appid: gracefully handle failed Lua state instantiation; | |
3888 | Thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue | |
3889 | * appid: only update session flags and discovery state if service id actually set to http | |
3890 | * appid: patch to update the appid discovery state when an http event results in setting of the | |
3891 | service id for a flow | |
3892 | * appid: return false from is_third_party_appid_available when no third party module is available | |
3893 | * appid: tweak warnings and errors | |
3894 | * binder: activate profiler support | |
3895 | * binder: add FIXIT re creating default bindings when the wizard is not configured | |
3896 | * binder: fix ingress / egress test | |
3897 | * binder: minor perf and readability tweaks | |
3898 | * build: fixed build issues on OSX with clang with cd_pbb, alert_json | |
3899 | * build: fixed several dyanmic modules on OSX / clang | |
3900 | * build: suppress appid warnings for valid case statement fall throughs | |
3901 | * byte_test: fix string bounds check | |
3902 | * catch: Update to Catch v2.0.1 | |
3903 | * cmake: add --define to configure_cmake.sh for arbitrary defines | |
3904 | * codec: added wlan support for arp_spoof | |
3905 | * codec: updated MIPv6 and merged cd_pim.cc, cd_swpie.cc and cd_sun_ud.cc to cd_bad_proto.cc | |
3906 | * conf: remove OPTIONS from SIP and HTTP spells to avoid confusion with RTSP | |
3907 | * conf: remove client to server spells for FTP, IMAP, POP, and SMTP to avoid false pickups | |
3908 | * control: must execute from default policy only | |
3909 | * control: process flow first | |
3910 | * cppcheck: More miscellaneous fixes, mostly for new Catch | |
3911 | * daq: explicitly initialize more fields in SFDAQInstance constructor | |
3912 | * daq: handle real IP and port | |
3913 | * data_bus: also publish to default policy | |
3914 | * data_bus: refactor basic access for pub / sub | |
3915 | * dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc) | |
3916 | * detection: fix option tree looping issue | |
3917 | * detection: rename ServiceInfo to SignatureServiceInfo | |
3918 | * doc: fix type in style section | |
3919 | * doc: update default manuals | |
3920 | * file api: move file verdict enforcement out of file policy | |
3921 | * file api: support file verdict delay during signature lookup | |
3922 | * file policy and file config update to allow user define customized file policy through file api | |
3923 | * file policy: add support for file event logging | |
3924 | * file_api: Set the FileContext verdict, not a local verdict | |
3925 | * file_id: add interface to access file info from file capture | |
3926 | * file_id: support groups | |
3927 | * hash: Rename SFGHASH, SFXHASH, SFHASHFCN to something resonable | |
3928 | * http_inspect: add profiler support | |
3929 | * http_inspect: fix bugs related to stream interaction | |
3930 | * http_inspect: use configured max_pdu as base target reassembly size | |
3931 | * inspection: default policy mode depends on adaptor mode | |
3932 | * ips options: error if lookup fails due to bad case, typos, etc; | |
3933 | Thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue | |
3934 | * memory: no stats output unless configured | |
3935 | * normalizer: added test mode | |
3936 | * normalizer: fix enable checks | |
3937 | * parsing: resolve paths from the current config directory instead of process directory | |
3938 | * policy: added inspection policy config | |
3939 | * port_scan: add alert_all to make alerting on all events in window optional | |
3940 | * port_scan: fix flow checks | |
3941 | * profiler: fix focus of eventq | |
3942 | * reputation: tweak warning message | |
3943 | * rules: default msg = "no msg in rule" | |
3944 | * sfrt: remove cruft and reformat header | |
3945 | * shell: fixed crash when issuing control commands | |
3946 | * sip: use log splitter for tcp | |
3947 | * snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder | |
3948 | * snort2lua: Convert file_magic.conf to Lua format | |
3949 | * snort2lua: added inspection uuid | |
3950 | * snort2lua: added na_policy_mode. added ability amend tables if created | |
3951 | * snort2lua: added normalize_tcp: ftp | |
3952 | * snort2lua: fix stream_size: to_client, to_server conversion | |
3953 | * snort2lua: future proof --bind-wizard binding order | |
3954 | * snort2lua: no sticky buffer for relative pcre | |
3955 | * snort2lua: remove when udp from binding to support tcp too | |
3956 | * snort2lua: tweak const name for clarity (internal) | |
3957 | * snort2lua: urilen:<> --> bufferlen:<=> | |
3958 | * snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces | |
3959 | from LeakSanitizer | |
3960 | * soid: allow stub to contain any or all options | |
3961 | --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static | |
3962 | * stream: change tcp idle timeout to 3600 to match 2.X nominal timeout | |
3963 | * stream_*: separate session profiler data from flow cache profiler data | |
3964 | * stream_ip: fix non-frag counting | |
3965 | * stream_size: fix eval packet checks | |
3966 | * stream_tcp: delete superfluous memsets to zero | |
3967 | * stream_tcp: ignore flush requests on unitialized sessions (early abort condition) | |
3968 | * stream_tcp: instantiate wizard only when needed | |
3969 | * stream_tcp: remove empty default state action | |
3970 | * stream_user: clear splitter properly | |
3971 | * target_based: Install header | |
3972 | * wizard: abort if no match | |
3973 | * wizard: activate profiler support | |
3974 | * wizard: usage is inspect | |
3975 | ||
3976 | 2017-10-31: build 240 | |
3977 | ||
3978 | * active: fix packet modify vs resize handling | |
3979 | * alert_csv: rename dgm_len to pkt_len | |
3980 | * alert_csv: add b64_data, class, priority, service, vlan, and mpls options | |
3981 | * alert_json: initial json event logger | |
3982 | * alerts: add log_references to store and log rule references with alert_full | |
3983 | * appid: enable SSL certificate pattern matching | |
3984 | * appid: fix build with LuaJIT 2.1 | |
3985 | * appid: reorganize AppIdHttpSession to minimize padding | |
3986 | * appid: add count for applications detected by port only | |
3987 | * appid: create exptected flow immediately after ftp PORT command for active mode | |
3988 | * appid: handle sip events before packets | |
3989 | * appid: overhaul peg counting for discovered appids | |
3990 | * appid: use ac_full search method since it supports find_all; force enable dfa flag | |
3991 | * binder: added network policy selection | |
3992 | * binder: added zones | |
3993 | * binder: allow src and dst specifications for ports and nets | |
3994 | * binder: check interface on packet instead of flow | |
3995 | * binder: fixed nets check falling through on failure | |
3996 | * build: clean up a few ICC 2018 and GCC 7 warnings | |
3997 | * build: fix linking against external libiconv with autotools | |
3998 | * build: fix numerous analyzer errors and leaks | |
3999 | * build: fix numerous clang-tidy warnings | |
4000 | * build: fix numerous cppcheck warnings | |
4001 | * build: fix numerous valgrind errors | |
4002 | * build: fixed issues on OSX | |
4003 | * catch: update to Catch v1.10.0 | |
4004 | * cd_icmp6: fix encoded cksum calculation | |
4005 | * cd_pbb: initial version of codec for 802.1ah; | |
4006 | Thanks to jan hugo prins <jhp@jhprins.org> for | |
4007 | reporting the issue | |
4008 | * cd_pflog: fix comments; | |
4009 | Thanks to Markus Lude <markus.lude@gmx.de> for the 2X patch | |
4010 | * content: fix relative loop condition | |
4011 | * control: delete the old binder while reloading inspector | |
4012 | * control: update binder with new inspector | |
4013 | * daq: add support for DAQ_VERDICT_RETRY | |
4014 | * daq: add support for packet trace | |
4015 | * daq: add support tunnel bypass for IP 4IN4, IP 6IN6, GRE and MPLS by config and flags | |
4016 | * data_log: update to new http_inspect | |
4017 | * dce_rpc: remove connection-oriented rules from dce_smb module | |
4018 | * dce_smb: unicode filename support | |
4019 | * doc: add module usage and peg count type | |
4020 | * doc: add POP, IMAP and SMTP to user manual features | |
4021 | * doc: add port scan feature | |
4022 | * flow key: support associating router solicit/reply packets to a single session | |
4023 | * http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after | |
4024 | status line or headers | |
4025 | * http_inspect: add random increment to message body division points | |
4026 | * http_inspect: added http_raw_buffer rule option | |
4027 | * http_inspect: create message sections with body data that has been dechunked and unzipped but | |
4028 | not otherwise normalized | |
4029 | * http_inspect: handle borked reassembly gracefully; | |
4030 | Thanks to João Soares <joaopsys@gmail.com> for reporting the issue | |
4031 | * http_inspect: support for u2 extra data logging | |
4032 | * http_inspect: test tool improvements | |
4033 | * http_inspect: true IP enhancements | |
4034 | * inspectors: add control type and ensure appid is run ahead of other controls | |
4035 | * inspectors: add peg count for max concurrent sessions | |
4036 | * ips: add uuid | |
4037 | * loggers: add base64 encoder based on libb64 from devolve | |
4038 | * loggers: use standard year/mon/day format | |
4039 | * main: fix potential memory leak when queuing analyzer commands | |
4040 | * memory: align allocator metadata such that returned memory is also max_align_t-aligned | |
4041 | * memory: output basic startup heap stats | |
4042 | * messages: output startup warnings and errors to stderr instead of stdout | |
4043 | * messages: redirect stderr to syslog as well | |
4044 | * modules: add usage designating global, context, inspect, or detect policy applicability | |
4045 | * mss: add extra rule option to check mss | |
4046 | * parser: disallow invalid port range !:65535 (!any) | |
4047 | * parser: tweak performance | |
4048 | * pcre: fix relative search with ^ | |
4049 | * pop: service name is pop3 | |
4050 | * replace: fix activation sequence | |
4051 | * rules: warn only once per gid:sid of no fast pattern | |
4052 | * search_engine: port the optimized port table compilation from 2.9.12 | |
4053 | * search_engines: Fix case sensitive ac_full DFA matching | |
4054 | * shell: delete inspector from the default inspection policy | |
4055 | * shell: fix --pause to accept control commands while in paused state | |
4056 | * sip: sip_method can use data from any sip inspector of any inspection policy | |
4057 | * snort.lua: align default conf closer to 2.X | |
4058 | * snort.lua: expand default conf for completeness and clarity | |
4059 | * snort_defaults.lua: update default servers and ports | |
4060 | * snort2lua: correctly identify ftpbounce and sameip as unsupported rule options | |
4061 | * snort2lua: added XFF configuration to unsupported list | |
4062 | * snort2lua: added config protected_content to deleted list | |
4063 | * snort2lua: added config_na_policy_mode to unsupported list | |
4064 | * snort2lua: added dynamicoutput to deleted list | |
4065 | * snort2lua: added firewall to unsupported list | |
4066 | * snort2lua: added nap.rules zone translation | |
4067 | * snort2lua: added nap_selector support | |
4068 | * snort2lua: added nap_selector to unsupported list | |
4069 | * snort2lua: added sf_unified2 to unsupported list and matching log/alert to deleted | |
4070 | * snort2lua: bindings now merge and propagate to top level of corresponding policy | |
4071 | * snort2lua: config policy_id converts to when ips_policy_id | |
4072 | * snort2lua: convert dsize:a<>b to dsize:a<=>b for consistency with other rule options | |
4073 | * snort2lua: do not convert sameip; handle same as ftpbounce (no longer supported) | |
4074 | * snort2lua: enforced ordering to bindings in binder table | |
4075 | * snort2lua: fix null char in -? output | |
4076 | * snort2lua: fixed extra whitespace generation | |
4077 | * snort2lua: logto is not supported | |
4078 | * snort2lua: removed port dce proxy bindings to fix http_inspect conflicts | |
4079 | * snort2lua: search_engine.split_any_any now defaults to true | |
4080 | * snort: -T does not compile mpse; --mem-check does | |
4081 | * snort: add warnings count to -T output | |
4082 | * snort: add --dump-msg-map | |
4083 | * snort: exit with zero from usage | |
4084 | * snort: fix --dump-builtin-rules to accept optional module prefix | |
4085 | * stdlog: support snort 3> log for text alerts | |
4086 | * target: add rule option to indicate target of attack | |
4087 | * thread: add logging directory ID offset controlled by --id-offset option | |
4088 | * u2spewfoo: fix build on FreeBSD | |
4089 | * unified2: add legacy_events bool for out-of-date barnyard2 | |
4090 | * unified2: log buffers as cooked packets with legacy events | |
4091 | * wscale: add extra rule option to check tcp window scaling | |
4092 | ||
4093 | 2017-07-25: build 239 | |
4094 | ||
4095 | * rules: remove sample.rules; Talos will publish Snort 3 rules on snort.org | |
4096 | * logging: fix handling of out of range timeval; | |
4097 | Thanks to kamil@frankowicz.me for reporting the issue | |
4098 | * wizard: fix direction issue | |
4099 | * wizard: fix imap spell | |
4100 | ||
4101 | 2017-07-24: build 238 | |
4102 | ||
4103 | * check: update hyperscan and regex tests | |
4104 | * cpputests: clean up some header include issues | |
4105 | * daq_socket: update to support query of pci | |
4106 | * detection: fix debug print of fast pattern only | |
4107 | * detection: rule evaluation trace utility | |
4108 | * doc: update concepts and differences | |
4109 | * file_api: memory leak fixed | |
4110 | * file_id: fixes for file capture exit | |
4111 | * http_inspect: added 119:97 for lower case letters in version field | |
4112 | * http_inspect: alert 119:96 added for unsolicited 206 response | |
4113 | * http_inspect: specific alert added 119:95 for Content-Encoding chunked | |
4114 | * ipv6: fix flow label access method; | |
4115 | Thanks to schrx3b6 for the patch | |
4116 | * loggers: remove units options; all limits expressed in MB | |
4117 | * mpse: Remove Intel Soft CPM support | |
4118 | * mpse: make regex capability generic | |
4119 | * mpse: only use literals for fast patterns if search_method is not hyperscan | |
4120 | * output: add packet trace feature | |
4121 | * perf_monitor: fixed main table (perf_monitor) having same name as pegs for | |
4122 | perfmon field | |
4123 | * regex: fix pass through of mpse flags to hyperscan | |
4124 | * replace: do not trip over fast pattern only | |
4125 | * rpc: revert to positional params, fix tcp logic, clean up formatting | |
4126 | * rules: promote metadata:service to a separate option since it is not metadata | |
4127 | * snort2lua: Fixed incorrect file names errors | |
4128 | * snort2lua: move footprint to stream from stream_tcp | |
4129 | * spell check: fix message and comment typos | |
4130 | * stream: add ip_proto as part of flow key | |
4131 | * stream: fix user dependency on flush bucket | |
4132 | * text logs: fix default unlimited file size | |
4133 | * u2: add event3 to u2spewfoo | |
4134 | * u2: convert thread local buffers to heap | |
4135 | * u2: deprecate ip4 and ip6 specific events and add a single event for both | |
4136 | * u2: remove obsolete configurations | |
4137 | * u2: support mixed IP versions | |
4138 | ||
4139 | 2017-07-13: build 237 | |
4140 | ||
4141 | * build: add support for appending EXTRABUILD to the BUILD string | |
4142 | * build: Clean up some ICC 2017 warnings | |
4143 | * build: clean up some GCC 7 warnings | |
4144 | * build: support OpenSSL 1.1.0 API | |
4145 | * build: clean up some cppcheck warnings | |
4146 | * appid: port some missing 2.9.X FEAT_OPEN_APPID code | |
4147 | * appid: fix thread-unsafe sharing of HTTP pattern tables | |
4148 | * DAQ: fix leaking instance memory when configure fails | |
4149 | * daq_hext and daq_file: pass PCI via query method | |
4150 | * icmp6: reject non-ip6, raise 116:474 | |
4151 | * http_inspect: header normalization improvements | |
4152 | * http_inspect: port fixes for UTF decoding | |
4153 | * http_inspect: added 119:87 - 119:90 for expect / continue issues | |
4154 | * http_inspect: added 119:91 for Transfer-Encoding header not valid for HTTP 1.0 | |
4155 | * http_inspect: added 119:92 for Content-Transfer-Encoding | |
4156 | * http_inspect: added 119:93 for issues with chunked message trailers | |
4157 | * PDF decompression: fix missing reset in state machine transition | |
4158 | * ftp_server: implement splitter to improve EOF processing | |
4159 | * port_scan: merge global settings into main module and other improvements | |
4160 | * perf_monitor: add JSON formatter | |
4161 | * ssl: add splitter to improve PDU processing | |
4162 | * detection: fix segfault in DetectionEngine::idle sans thread_init | |
4163 | * rules: tolerate spaces in positional parameters; | |
4164 | Thanks to Joao Soares for reporting the issue | |
4165 | * ip and tcp options: fix max length handling and clean up logging | |
4166 | * cmg: improved alert formatting | |
4167 | * doc: updates re control channel | |
4168 | * snort2lua: added line number and file name to error output | |
4169 | * snort2lua: fix removal of ignore_ports in stream_tcp.small_segments | |
4170 | * snort2lua: fix heap-use-after-free for preprocessors and configs with no arguments | |
4171 | * snort2lua: update for port_scan | |
4172 | ||
4173 | 2017-06-15: build 236 | |
4174 | ||
4175 | * appid: clean up shutdown stats | |
4176 | * appid: fix memory leak | |
4177 | * conf: update defaults | |
4178 | * decode: updated ipv6 valid next headers | |
4179 | * detection: avoid superfluous leaf nodes in detection option trees | |
4180 | * http_inspect: improved handling of badly terminated chunks | |
4181 | * http_inspect: improved transfer-encoding header processing | |
4182 | * ips options: add validation for range check types such as dsize | |
4183 | * perf_monitor: add more tcp and udp peg counts | |
4184 | * perf_monitor: update cpu tracker output to thread_#.cpu_* | |
4185 | * port_scan: alert on all scan attempts so blocking is possible | |
4186 | * port_scan: make fully configurable | |
4187 | * sip: fix get body buffer for fast patterns | |
4188 | * ssl: use stop-and-wait splitter (protocol aware splitter is next) | |
4189 | * stream_ip: fix 123:7 | |
4190 | ||
4191 | 2017-06-01: build 235 | |
4192 | ||
4193 | * http_inspect: improve handling of improper bare \r separator | |
4194 | * appid: fix bug where TNS detector corrupted the flow data object | |
4195 | * search_engine: set range for max_queue_events parameter; | |
4196 | Thanks to Navdeep.Uniyal@neclab.eu for reporting the issue | |
4197 | * arp_spoof: reject non-ethernet packets | |
4198 | * stream_ip: remove dead code and tweak formatting | |
4199 | * ipproto: remove unreachable code | |
4200 | * control_mgmt: add support for daq module reload | |
4201 | * control_mgmt: add support for unix sockets | |
4202 | * doc: update default manuals | |
4203 | * doc: update differences section | |
4204 | * doc: update README | |
4205 | ||
4206 | 2017-05-21: build 234 | |
4207 | ||
4208 | * byte_math: port rule option from 2X and add feature documentation | |
4209 | * pgm: don't calculate checksum if header length is not divisible by 4 | |
4210 | * appid: fix sip event handling, http pattern lists, thread locals | |
4211 | * build: fix issues with OpenSolaris and FreeBSD builds | |
4212 | * cmake: fix issues with libpcap and miscellaneous | |
4213 | * offload: refactor for initial (experimental) version of regex offload to other threads | |
4214 | * cmg: revamp hex buffer dump format with 16 or 20 bytes per line | |
4215 | * rules: reject positional parameters containing spaces | |
4216 | ||
4217 | 2017-05-11: build 233 | |
4218 | ||
4219 | * packet manager: ensure ether type proto ids don't masquerade as ip proto ids; | |
4220 | Thanks to Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> for reporting the issue | |
4221 | * codec manager: fix off-by-1 mapping array size; | |
4222 | Thanks to Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> for reporting the issue | |
4223 | * codec: fix extraction of ether type from cisco metadata | |
4224 | * appid: add new unit tests to the cmake build, fix missing lib reference to sfip | |
4225 | * sfghash: clean up and add unit tests | |
4226 | * http: fix 119:38 false positive | |
4227 | * main: fix compiler warnings when SHELL is not enabled | |
4228 | * perf_monitor: fix flatbuffers handling of empty strings | |
4229 | * modbus: port fix for false positives on length field | |
4230 | * http: port simple UTF decoding w/o byte order mark | |
4231 | * build: updated code to resolve cppcheck warnings | |
4232 | * cleanup: fix typos in source code string literals and comments | |
4233 | * doc: fix typos | |
4234 | ||
4235 | 2017-04-28: build 232 | |
4236 | ||
4237 | * build: clean up Intel compiler warnings and remarks | |
4238 | * build: fix FreeBSD compilation issues | |
4239 | * cmake: fix building with and without flatbuffers present | |
4240 | * autoconf: check for lua.hpp as well as luajit.h to ensure C++ support | |
4241 | * shell: make commands non-blocking | |
4242 | * shell: allow multiple remote connections | |
4243 | * snort2lua: fix generated stream_tcp bindings | |
4244 | * snort2lua: fix basic error handling with non-conformant 2.X conf | |
4245 | * decode: fix 116:402 | |
4246 | * dnp3: fix 145:5 | |
4247 | * appid: numerous fixes and cleanup | |
4248 | * http_server: removed (use new http_inspect instead) | |
4249 | * byte_jump: add bitmask and from_end (from 2.9.9 Snort) | |
4250 | * byte_extract: add bitmask (from 2.9.9 Snort) | |
4251 | * flatbuffers: add version to banner if present | |
4252 | * loggers: build alert_sf_socket on all platforms | |
4253 | ||
4254 | 2017-04-07: build 231 | |
4255 | ||
4256 | * add decode of MPLS in IP | |
4257 | * add 116:171 and 116:173 cases (label 0 or 2 in non-bottom of stack) | |
4258 | * cleanup: remove dead code | |
4259 | ||
4260 | 2017-03-27: build 230 | |
4261 | ||
4262 | * require hyperscan >= 4.4.0, check runtime support; | |
4263 | Thanks to justin.viiret@intel.com for submitting the patch | |
4264 | * fix search tool issue with empty pattern database; | |
4265 | Thanks to justin.viiret@intel.com for reporting the issue | |
4266 | * fix sip_method to error out if sip not instantiated | |
4267 | * major appid overhaul to address lingering concerns: refactor, cleanup, | |
4268 | simplify | |
4269 | * major detection overhaul to address lingering concerns: refactor, cleanup, | |
4270 | release memory ASAP | |
4271 | * add FlatBuffers output format to perf_monitor | |
4272 | also added tool to convert FlatBuffers files to yaml | |
4273 | * add regex.fast_pattern; do not use for fast pattern unless explicitly indicated | |
4274 | * update copyrights to 2017 | |
4275 | ||
4276 | 2017-03-17: build 229 | |
4277 | ||
4278 | * fixed mpse to ensure all search methods return consistent results | |
4279 | * updated search tool to use fast pattern config's search method | |
4280 | (benefits appid, http_inspect, imap, pop, and smtp) | |
4281 | * snort2lua parsing bug fixes to recognize incomplete constructs | |
4282 | * http_inspect: added alert 119:81 for nonprinting character in header name | |
4283 | * http_inspect: added alert 119:82 for bad Content-Length value | |
4284 | * http_inspect: added alert 119:83 for header wrapping; CR and LF parsed as whitespace | |
4285 | ||
4286 | 2017-03-02: build 228 - Alpha 4 | |
4287 | ||
4288 | * update hyperscan mpse: print error message and erroneous pattern when compilation fails | |
4289 | * update rule parser: add multiple byte orders warning | |
4290 | * fix pid file: create regardless of priv drop settings | |
4291 | * fix dce_rpc: mark generated iface patterns as literal | |
4292 | * snort2lua: mark appid conf and thirdparty_appid_dir as unsupported (temporary) | |
4293 | * snort2lua: fix a couple of typos in table API output | |
4294 | * snort2lua: fix sticky buffer following uricontent | |
4295 | * doc: add DAQ configuration documentation | |
4296 | * doc: move LibDAQ README to Reference, update, and fix typos | |
4297 | * doc: update default manuals | |
4298 | ||
4299 | 2017-02-24: build 227 | |
4300 | ||
4301 | * allow arbitrary / unused gids in text rules | |
4302 | * support DAQs w/o explicit sources (nfq, ipfw) | |
4303 | * fix up peg help (remove _) | |
4304 | * fix u2 logging of PDUs | |
4305 | ||
4306 | 2017-02-16: build 226 | |
4307 | ||
4308 | * add PDF/SWF decompression to http_inspect | |
4309 | * add connectors to generated reference parts of manual | |
4310 | * add feature documentation for HA, side_channel, and connectors | |
4311 | * add feature documentation for http_inspect | |
4312 | * update default manuals | |
4313 | * fix privilege dropping and chroot behavior | |
4314 | * fix perf_monitor segfault when tterm is called before tinit | |
4315 | * fix stream_tcp counter underflow bug and handle max and instant stats | |
4316 | * fix lzma length calculation bug | |
4317 | * fix bogus 129:20 alerts | |
4318 | * fix back orifice compiler warning with -O3 | |
4319 | * fix bug that could cause hang on ctl-C | |
4320 | * fix memory leak after reload w/o changing search engine | |
4321 | * fix off by one error when reassembling after TCP FIN received | |
4322 | * fix cmake doc build to include plugins on SNORT_PLUGIN_PATH | |
4323 | * fix compiler warnings in dce_http_server and dce_http_proxy | |
4324 | * fix appid reload issue | |
4325 | * snort2lua - changes for rpc over http | |
4326 | * snort2lua - changes to convert config alertfile: <filename> | |
4327 | * snort2lua - changes to add file_id when smb file inspection is on | |
4328 | * snort2lua - add deprecated option stream5_tcp: log_asymmetric_traffic | |
4329 | ||
4330 | 2017-02-01: build 225 | |
4331 | ||
4332 | * implement RPC over HTTP by adding dce_http_server and dce_http_proxy | |
4333 | * port disable_replace option from snort 2.x and add snort2lua support | |
4334 | * port ssh tunnel over http detection | |
4335 | * fix stream splitter handling during final flush of session data | |
4336 | * fix appid to use HTTP inspection events to detect webdav methods | |
4337 | * fix unit test build to work w/o REG_TEST | |
4338 | * fix shell to add missing newline to Lua execution error responses | |
4339 | * fix support for content strings with escaped quotes ("foo\"bar"); | |
4340 | Thanks to secres@linuxmail.org for reporting the issue | |
4341 | * fix various reload issues | |
4342 | * fix various thread sanitizer issues | |
4343 | * fix session disposal to always be after logging | |
4344 | * fix appid pattern matching issues | |
4345 | * fix appid dns flow counts | |
4346 | * fix shell resume after command line --pause | |
4347 | * fix sd_pattern validation boundary conditions | |
4348 | * build: don't disable asserts when compiling with code coverage | |
4349 | * autoconf: update to latest versions of autoconf-archive macros | |
4350 | * main: add asynchronous, broadcastable analyzer commands | |
4351 | * add salt to flow hash | |
4352 | * normalize peg names to lower snake_case | |
4353 | * update default manuals | |
4354 | ||
4355 | 2017-01-17: build 224 | |
4356 | ||
4357 | * fix various stream_tcp flush issues | |
4358 | * fix various cmake issues | |
4359 | * fix appid counting of kerberos flows | |
4360 | * fix expected flow leak when expiring nodes during lookup; | |
4361 | Thanks to João Soares <joaosoares11@hotmail.com> for reporting the issue | |
4362 | * fix autoconf retrieving PCRE cppflags from pkg-config | |
4363 | * fix stream_user reassembly | |
4364 | * remove unused appid.thirdparty_appid_dir | |
4365 | * build and install plugins as modules instead of libraries | |
4366 | * obfuscate stream rebuilt payload | |
4367 | * updates for latest zlib | |
4368 | * disable smb2 processing when file service is disabled | |
4369 | * refactor includes; prune the set of installed headers | |
4370 | * don't build alert_sf_socket on OSX | |
4371 | * added CPP flags used to build Snort to snort.pc for extras and other | |
4372 | plugins to use | |
4373 | ||
4374 | 2016-21-16: build 223 | |
4375 | ||
4376 | * port 2983 smb active response updates | |
4377 | * fix reload crash with file inspector | |
4378 | * fix appid service dispatch handling issue; | |
4379 | Thanks to João Soares <joaosoares11@hotmail.com> for reporting the issue | |
4380 | * fix paf-type flushing of single segments; | |
4381 | Thanks to João Soares <joaosoares11@hotmail.com> for reporting the issue | |
4382 | * fix daemonization; | |
4383 | Thanks to João Soares <joaosoares11@hotmail.com> for reporting the issue | |
4384 | * also fixes double counting of reassembled buffers | |
4385 | * fix fallback from paf to atom splitter if flushing past gap | |
4386 | * fix thread termination segfaults after DAQ module initialization fails | |
4387 | * fix non-x86 builds - do not build tsc clock scaling | |
4388 | * added appid to user manual features | |
4389 | * update default user manuals | |
4390 | * minor refactor of flush loop for clarity | |
4391 | * improve http_inspect Field class | |
4392 | * refactor plugin loading | |
4393 | ||
4394 | 2016-12-16: build 222 | |
4395 | ||
4396 | * add JavaScript Normalization to http_inspect | |
4397 | * fix appid service check dispatch list | |
4398 | * fix modbus_data handling to not skip options; | |
4399 | Thanks to FabianMalte.Kopp@b-tu.de for reporting the issue | |
4400 | * fix sensitive data filtering documentation issues | |
4401 | * build: Illumos build fixes | |
4402 | * build: Address some cppcheck concerns | |
4403 | * miscellaneous const tweaks | |
4404 | * reformat builtin rule text for consistency | |
4405 | * reformat help text for consistency | |
4406 | * refactor user manual for clarity | |
4407 | * update default user manuals | |
4408 | ||
4409 | 2016-12-09: build 221 | |
4410 | ||
4411 | * fix appid handling of sip inspection events | |
4412 | * fix wizard to prevent use-after-free of service name | |
4413 | * fix various issues reported by cppcheck | |
4414 | * fix reload race condition | |
4415 | * fix cmake + clang builds | |
4416 | * add padding guards around hash key structs | |
4417 | * update manual for dce_* inspectors | |
4418 | * refactor IP address handling | |
4419 | ||
4420 | 2016-12-01: build 220 | |
4421 | ||
4422 | * fixed uu and qp decode issue | |
4423 | * fixed file signature calculation for ftp | |
4424 | * fixed file resume blocking | |
4425 | * fix 135:2 to be upon completion of 3-way handshake | |
4426 | * fix memory leak with libcrypto use | |
4427 | * fix multithreaded use of libcrypto | |
4428 | * fix default snort2lua output for gtp and modbus | |
4429 | * fix Lua ordering issue with net and port vars | |
4430 | * fix miscellaneous multithreading issues with appid | |
4431 | * fix comment in snort.lua re install directory use; | |
4432 | Thanks to Yang Wang for sending the pull request | |
4433 | * add alternate fast patterns for dce_udp endianness | |
4434 | * removed underscores from all peg counts | |
4435 | * document sensitive data use | |
4436 | * user manual refactoring and updates | |
4437 | ||
4438 | 2016-11-21: build 219 | |
4439 | ||
4440 | * add dce auto detect to wizard | |
4441 | * add MIME file processing to new http_inspect | |
4442 | * add chapters on perf_monitor and file processing to user manual | |
4443 | * appid refactoring and cleanup | |
4444 | * many appid fixes for leaks, sanitizer, and analyzer issues | |
4445 | * fix appid pattern matching for http | |
4446 | * fix various race conditions reported by thread sanitizer | |
4447 | * fix out-of-order FIN handling | |
4448 | * fix cmake package name used in HS and HWLOC so that REQUIRED works | |
4449 | * fix out-of-tree doc builds | |
4450 | * fix image sizes to fit page; | |
4451 | Thanks to wyatuestc for reporting the issue | |
4452 | * fix fast pattern selection when multiple designated; | |
4453 | Thanks to j.mcdowell@titanicsystems.com for reporting the issue | |
4454 | * change -L to -K in README and manual; | |
4455 | Thanks to jncornett for reporting the issue | |
4456 | * support compiling catch tests in standalone source files | |
4457 | * create pid file after dropping privileges | |
4458 | * improve detection and use of CppUTest in non-standard locations | |
4459 | ||
4460 | 2016-11-04: build 218 | |
4461 | ||
4462 | * fix shutdown stats | |
4463 | * fix misc appid issues | |
4464 | * rewrite appid loading of lua detectors | |
4465 | * add sip inspector events for appid | |
4466 | * update default manuals | |
4467 | ||
4468 | 2016-10-28: build 217 | |
4469 | ||
4470 | * update appid to 2983 | |
4471 | * add inspector events from http_inspect to appid | |
4472 | * fix appid error messages | |
4473 | * fix flow reinitialization after expiration | |
4474 | * fix release of blocked flow | |
4475 | * fix 129:16 false positive | |
4476 | ||
4477 | 2016-10-21: build 216 | |
4478 | ||
4479 | * add build configuration for thread sanitizer | |
4480 | * port dce_udp fragments | |
4481 | * build: clean up some ICC warnings | |
4482 | * fix various unit test leaks | |
4483 | * fix -Wmaybe-uninitialized issues | |
4484 | * fix related to appid name with space and SSL position | |
4485 | ||
4486 | 2016-10-13: build 215 | |
4487 | ||
4488 | * added module trace facility | |
4489 | * port block malware over ftp for clients/servers that support REST command | |
4490 | * port dce_udp packet processing | |
4491 | * change search_engine.debug_print_fast_pattern to show_fast_patterns | |
4492 | * overhaul appid for multiple threads, memory leaks, and coding style | |
4493 | * fix various appid patterns and counts | |
4494 | * fix fast pattern selection | |
4495 | * fix file hash pruning issue | |
4496 | * fix rate_filter action config and apply_to clean up | |
4497 | ||
4498 | 2016-10-07: build 214 | |
4499 | ||
4500 | * updated DAQ - you *must* use DAQ 2.2.1 | |
4501 | * add libDAQ version to snort -V output | |
4502 | * add support for http file upload processing and process decode/detection depths | |
4503 | * port sip changes to avoid using NAT ip when calculating callid | |
4504 | * port dce_udp autodetect and session creation | |
4505 | * fix static analysis issues | |
4506 | * fix analyzer/pig race condition | |
4507 | * fix explicit obfuscation disable not working | |
4508 | * fix ftp_data: Gracefully handle cleared flow data | |
4509 | * fix LuaJIT rule option memory leak of plugin name | |
4510 | * fix various appid issues - initial port is nearing completion | |
4511 | * fix http_inspect event 119:66 | |
4512 | * fix ac_full initialization performance | |
4513 | * fix stream_tcp left overlap on hpux, solaris | |
4514 | * fix/remove 129:5 ("bad segment") events | |
4515 | * file_mempool: fix initializing total pool size | |
4516 | * fix bpf includes | |
4517 | * fix builds for OpenSolaris | |
4518 | * expected: push expected flow information through the DAQ module | |
4519 | * expected: expected cache revamp and related bugfixes | |
4520 | * ftp_data: add expected data consumption to set service name and fix bugs | |
4521 | * build: remove lingering libDAQ #ifdefs | |
4522 | * defaults: update FTP default config based on Snort2's hardcoded one | |
4523 | * rename default_snort_manual.* to snort_manual.* | |
4524 | * build docs only by explicit target (make html|pdf|text) | |
4525 | * update default manuals to build 213 | |
4526 | * tolerate more spaces in ip lists | |
4527 | * add rev to rule latency logs | |
4528 | * change default latency actions to none | |
4529 | * deleted non-functional extra decoder for i4l_rawip | |
4530 | ||
4531 | 2016-09-27: build 213 | |
4532 | ||
4533 | * ported full retransmit changes from snort 2X | |
4534 | * fixed carved smb2 filenames | |
4535 | * fixed multithread hyperscan mpse | |
4536 | * fixed sd_pattern iterative validation | |
4537 | ||
4538 | 2016-09-24: build 212 | |
4539 | ||
4540 | * add dce udp snort2lua | |
4541 | * add file detection when they are transferred in segments in SMB2 | |
4542 | * fix another case of CPPUTest header order issues | |
4543 | * separate idle timeouts from session timeouts counts | |
4544 | * close tcp on rst in close wait, closing, fin wait 1, and fin wait 2 | |
4545 | * doc: update style guide for 'using' statements and underscores | |
4546 | * packet_capture: Include top-level pcap.h for backward compatibility | |
4547 | * main: remove unused -w commandline option | |
4548 | * lua: fix conflict with _L macro from ctype.h on OpenBSD | |
4549 | * cmake: clean dead variables out of config.cmake.h | |
4550 | * build: fix 32-bit compiler warnings | |
4551 | * build: fix illumos/OpenSolaris build and remove SOLARIS/SUNOS defines | |
4552 | * build: remove superfluous LINUX and MACOS definitions | |
4553 | * build: remove superfluous OPENBSD and FREEBSD definitions | |
4554 | * build: entering 'std' namespace should be after all headers are included | |
4555 | * build: clean up u_int*_t usage | |
4556 | * build: remove SPARC support | |
4557 | * build: clean up some DAQ header inclusion creep | |
4558 | ||
4559 | 2016-09-22: build 211 | |
4560 | ||
4561 | * fix hyperscan detection with nocase | |
4562 | * fix shutdown sequence | |
4563 | * fix --dirty-pig | |
4564 | * fix FreeBSD build re appid / service_rpc | |
4565 | ||
4566 | 2016-09-20: build 210 | |
4567 | ||
4568 | * started dce_udp porting | |
4569 | * added HA details to stream/* dev_notes | |
4570 | * added stream.ip_frag_only to avoid tracking unwanted flows | |
4571 | * updated default stream cache sizes to match 2.X | |
4572 | * fixed tcp_connector_test for OSX build | |
4573 | * fixed binder make files to include binder.h | |
4574 | * fixed double counting of ip and udp timeouts and prunes | |
4575 | * fixed clearing of SYN - RST flows | |
4576 | ||
4577 | 2016-09-14: build 209 | |
4578 | ||
4579 | * add dce iface fast pattern for tcp | |
4580 | * add --enable-tsc-clock to build/use TSC register (on x86) | |
4581 | * update latency to use ticks during runtime | |
4582 | * tcp stream reassembly tweaks | |
4583 | * fix inverted detection_filter logic | |
4584 | * fix stream profile stats parents | |
4585 | * fix most bogus gap counts | |
4586 | * unit test fixes for high availability, hyperscan, and regex | |
4587 | ||
4588 | 2016-09-09: build 208 | |
4589 | ||
4590 | * fixes for TCP high availability | |
4591 | * fixed install of file_decomp.h for consistency between Snort and extras | |
4592 | * added smtp client counters and unit tests | |
4593 | * ported Smbv2/3 file support | |
4594 | * ported mpls encode fixes from 2983 | |
4595 | * cleaned up compiler warnings | |
4596 | ||
4597 | 2016-09-02: build 207 | |
4598 | ||
4599 | * ported smb file processing | |
4600 | * ported the 2.9.8 ciscometadata decoder | |
4601 | * ported the 2.9.8 double and triple vlan tagging changes | |
4602 | * use sd_pattern as a fast-pattern | |
4603 | * rewrite and fix the rpc option | |
4604 | * cleanup fragbits option implementation | |
4605 | * finish up cutover to the new http_inspect by default | |
4606 | * added appid counts for rsync | |
4607 | * added http_inspect alerts for Transfer-Encoding and Content-Encoding abuse | |
4608 | * moved file capture to offload thread | |
4609 | * numerous fixes, cleanup, and refactoring for appid | |
4610 | * numerous fixes, cleanup, and refactoring for high availability | |
4611 | * fixed regex as fast pattern with hyperscan mpse | |
4612 | * fixed http_inspect and tcp valgrind errors | |
4613 | * fixed extra auto build from dist | |
4614 | ||
4615 | 2016-08-10: build 206 | |
4616 | ||
4617 | * ported appid rule option as "appids" | |
4618 | * moved http_inspect (old) to http_server (in extras) | |
4619 | * moved new_http_inspect to http_inspect | |
4620 | * added smtp.max_auth_command_line_len | |
4621 | * fixed asn1:print help | |
4622 | * fixed event queue buffer log size | |
4623 | * fixed make distcheck; | |
4624 | Thanks to jack jackson <jsakcon@gmail.com> for reporting the issue | |
4625 | ||
4626 | 2016-08-05: build 205 | |
4627 | ||
4628 | * ported smb segmentation support | |
4629 | * converted sd_pattern to use hyperscan | |
4630 | * fixed help text for rule options ack, fragoffset, seq, tos, ttl, and win | |
4631 | * fixed endianness issues with rule options seq and win | |
4632 | * fixed rule option session binary vs all | |
4633 | ||
4634 | 2016-07-29: build 204 | |
4635 | ||
4636 | * fixed issue with icmp_seq and icmp_id field matching | |
4637 | * fixed off-by-1 line number in rule parsing errors | |
4638 | * fix cmake make check issue with new_http_inspect | |
4639 | * added new_http_inspect unbounded POST alert | |
4640 | ||
4641 | 2016-07-22: build 203 | |
4642 | ||
4643 | * add oversize directory alert to new_http_inspect | |
4644 | * add appid counts for mdns, timbuktu, battlefield, bgp, and netbios services | |
4645 | * continue smb port - write and close command, deprecated dialect check, smb fingerprint | |
4646 | * fix outstanding strndup calls | |
4647 | ||
4648 | 2016-07-15: build 202 | |
4649 | ||
4650 | * fix dynamic build of new_http_inspect | |
4651 | * fix static analysis issues | |
4652 | * fix new_http_inspect handling of 100 response | |
4653 | * port appid detectors: kerberos, bittorrent, imap, pop | |
4654 | * port smb reassembly and raw commands processing | |
4655 | * snort2lua updates for new_http_inspect | |
4656 | * code refactoring and cleanup | |
4657 | ||
4658 | 2016-06-22: build 201 | |
4659 | ||
4660 | * initial appid port - in progress | |
4661 | * add configure --enable-hardened-build | |
4662 | * add configure --pie (position independent executable) | |
4663 | * add new_http_inspect alert for loss of sync | |
4664 | * add peg counts for new_http_inspect | |
4665 | * add peg counts for sd_pattern | |
4666 | * add file_log inspector to log file events | |
4667 | * add filename support to file daq | |
4668 | * add high availability support for udp and icmp | |
4669 | * add support for safe C library | |
4670 | * continue porting of dce_rpc - smb transaction processing (part 2) | |
4671 | * various snort2lua updates and fixes | |
4672 | * fix default prime tables for internal hash functions | |
4673 | * fix new_http_inspect bounds issues | |
4674 | * fix icc warnings | |
4675 | * miscellaneous cmake and auto tools build fixes | |
4676 | * openssl is now a mandatory dependency | |
4677 | ||
4678 | 2016-06-10: build 200 | |
4679 | ||
4680 | * continued porting of dce_rpc - smb transaction processing | |
4681 | * tweaked autotools build foo | |
4682 | * add / update unit tests | |
4683 | * fix additional memory leaks | |
4684 | * fix compiler warnings | |
4685 | * fix static analysis issues | |
4686 | * fix handling of bpf file failures | |
4687 | ||
4688 | 2016-06-03: build 199 | |
4689 | ||
4690 | * add new http_inspect alerts abusive content-length and transfer-encodings | |
4691 | * add \b matching to sensitive data | |
4692 | * add obfuscation for sensitive data | |
4693 | * add support for unprivileged operation | |
4694 | * fix link with dynamic DAQ | |
4695 | * convert legacy allocations to memory manager for better memory profiling | |
4696 | ||
4697 | 2016-05-27: build 198 | |
4698 | ||
4699 | * add double-decoding to new_http_inspect | |
4700 | * add obfuscation support for cmg and unified2 | |
4701 | * cleanup compiler warnings and memory leaks | |
4702 | * fixup cmake builds | |
4703 | * update file processing configuration | |
4704 | * prevent profiler double counting on recursion | |
4705 | * additional unit tests for high availability | |
4706 | * fix multi-DAQ instance configuration | |
4707 | ||
4708 | 2016-05-02: build 197 | |
4709 | ||
4710 | * fix build of extras | |
4711 | * fix unit tests | |
4712 | ||
4713 | 2016-04-29: build 196 | |
4714 | ||
4715 | * overhaul cmake foo | |
4716 | * update extras to better serve as examples | |
4717 | * cleanup use of protocol numbers and identifiers | |
4718 | * continued stream_tcp refactoring | |
4719 | * continued dce2 port | |
4720 | * more static analysis memory leak fixes | |
4721 | ||
4722 | 2016-04-22: build 195 | |
4723 | ||
4724 | * added packet_capture module | |
4725 | * initial high availability for UDP | |
4726 | * changed memory_manager to use absolute instead of relative cap | |
4727 | * cmake and pkgconfig fixes | |
4728 | * updated catch headers to v1.4.0 | |
4729 | * fix stream_tcp config leak | |
4730 | * added file capture stats | |
4731 | * static analysis updates | |
4732 | * DAQ interface refactoring | |
4733 | * perf_monitor refactoring | |
4734 | * unicode map file for new_http_inspect | |
4735 | ||
4736 | 2016-04-08: build 194 | |
4737 | ||
4738 | * added iterative pruning for out of memory condition | |
4739 | * added preemptive pruning to memory manager | |
4740 | * dce segmentation changes | |
4741 | * dce smb header checks port - non segmented packets | |
4742 | * added thread timing stats to perf_monitor | |
4743 | * fixed so rule input / output | |
4744 | * fixed protocol numbering issues | |
4745 | * fixed 129:18 | |
4746 | * update extra version to alpha 4; | |
4747 | Thanks to Henry Luciano <cuncator@mote.org> for reporting the issue | |
4748 | * remove legacy/unused obfuscation api | |
4749 | * fixed clang, gcc, and icc, build warnings | |
4750 | * fixed static analysis issues | |
4751 | * fixed memory leaks (more to go) | |
4752 | * clean up hyperscan pkg-config and cmake logic | |
4753 | ||
4754 | 2016-03-28: build 193 | |
4755 | ||
4756 | * fix session parsing abort handling | |
4757 | * fix shutdown memory leaks | |
4758 | * fix building against LuaJIT using only pkg-config | |
4759 | * fix FreeBSD build | |
4760 | * perf_monitor config and format fixes | |
4761 | * cmake - check all dependencies before fatal error | |
4762 | * new_http_inspect unicode initialization bug fix | |
4763 | * new_http_inspect %u encoding and utf 8 bare byte | |
4764 | * continued tcp stream refactoring | |
4765 | * legacy search engine cleanup | |
4766 | * dce2 port continued - add dce packet fragmentation | |
4767 | * add configure --enable-address-sanitizer | |
4768 | * add configure --enable-code-coverage | |
4769 | * memory manager updates | |
4770 | ||
4771 | 2016-03-18: build 192 | |
4772 | ||
4773 | * use hwloc for CPU affinity | |
4774 | * fix process stats output | |
4775 | * add dce rule options iface, opnum, smb, stub_data, tcp | |
4776 | * add dce option for byte_extract/jump/test | |
4777 | * initial side channel and file connector for HA | |
4778 | * continued memory manager implementation | |
4779 | * add UTF-8 normalization for new_http_inspect | |
4780 | * fix rule compilation for sticky buffers | |
4781 | * host_cache and host_tracker config and stats updates | |
4782 | * miscellaneous warning and lint cleanup | |
4783 | * snort2Lua updates for preproc sensitive_data and sd_pattern option | |
4784 | ||
4785 | 2016-03-07: build 191 | |
4786 | ||
4787 | * fix perf_monitor stats output at shutdown | |
4788 | * initial port of sensitive data as a rule option | |
4789 | * fix doc/online_manual.sh for linux | |
4790 | ||
4791 | 2016-03-04: build 190 | |
4792 | ||
4793 | * fix console close and remote control disconnect issues | |
4794 | * added per-thread memcap calculation | |
4795 | * add statistics counters to host_tracker module | |
4796 | * new_http_inspect basic URI normalization with configuration options | |
4797 | * format string cleanup for parser logging | |
4798 | * fix conf reload by signal | |
4799 | ||
4800 | 2016-02-26: build 189 | |
4801 | ||
4802 | * snort2lua for dce2 port (in progress) | |
4803 | * replace ppm with latency | |
4804 | * added rule latency | |
4805 | * fixed more address sanitizer bugs | |
4806 | * fixed use of debug vs debug-msgs | |
4807 | * add missing ips option hash and == methods | |
4808 | * perf_monitor configuration | |
4809 | * fix linux + clang build errors | |
4810 | * trough rewrite | |
4811 | ||
4812 | 2016-02-22: build 188 | |
4813 | ||
4814 | * added delete/delete[] replacements for nothrow overload; | |
4815 | Thanks to Ramya Potluri for reporting the issue | |
4816 | * fixed a detection option comparison bug which wasted time and space | |
4817 | * disable perf_monitor by default since the reporting interval should be set | |
4818 | * memory manager updates | |
4819 | * valgrind and address sanitizer fixes | |
4820 | * snort2lua updates for dce2 | |
4821 | * build issue fix - make non-GNU strerror_r() the default case | |
4822 | * packet latency updates | |
4823 | * perfmon updates | |
4824 | ||
4825 | 2016-02-12: build 187 | |
4826 | ||
4827 | * file capture added - initial version writes from packet thread | |
4828 | * added support for http 0.9 to new_http_inspect | |
4829 | * added URI normalization of headers, cookies, and post bodies to new_http_inspect | |
4830 | * configure_cmake.sh updates to better support scripting | |
4831 | * updated catch header (used for some unit tests) | |
4832 | * continued dce2 port | |
4833 | * fixed misc clang and dynamic plugin build issues | |
4834 | * fixed static analysis issues and crash in new_http_inspect | |
4835 | * fixed tcp paws issue | |
4836 | * fixed normalization stats | |
4837 | * fixed issues reported by Bill Parker | |
4838 | * refactoring updates to tcp session | |
4839 | * refactoring updates to profiler | |
4840 | ||
4841 | 2016-02-02: build 186 | |
4842 | ||
4843 | * update copyright to 2016, add missing license blocks | |
4844 | * fix xcode builds | |
4845 | * fix static analysis issues | |
4846 | * update default manuals | |
4847 | * host_module and host_tracker updates | |
4848 | * start perf_monitor rewrite - 1st of many updates | |
4849 | * start dce2 port - 1st of many updates | |
4850 | * remove --enable-ppm - always enabled | |
4851 | ||
4852 | 2016-01-25: build 185 | |
4853 | ||
4854 | * initial host_tracker for new integrated netmap | |
4855 | * new_http_inspect refactoring for time and space considerations | |
4856 | * fix profiler depth bug | |
4857 | * fatal on failed IP rep segment allocation; | |
4858 | Thanks to Bill Parker | |
4859 | * tweaked style guide wrt class declarations | |
4860 | ||
4861 | 2016-01-08: build 184 | |
4862 | ||
4863 | * added new_http_inspect rule options | |
4864 | * fixed build issue with Clang and thread_local | |
4865 | * continued tcp session refactoring | |
4866 | * fixed rule option string unescape issue | |
4867 | ||
4868 | 2015-12-11: build 183 | |
4869 | ||
4870 | * circumvent asymmetric flow handling issue | |
4871 | ||
4872 | 2015-12-11: build 182 - Alpha 3 | |
4873 | ||
4874 | * added memory profiling feature | |
4875 | * added regex fast pattern support | |
4876 | * ported reputation preprocessor from 2X | |
4877 | * synced to 297-262 | |
4878 | * removed '_q' search method flavors - all are now queued | |
4879 | * removed PPM_TEST | |
4880 | * build and memory leak fixes | |
4881 | ||
4882 | 2015-12-04: build 181 | |
4883 | ||
4884 | * perf profiling enhancements | |
4885 | * fixed build issues and memory leaks | |
4886 | * continued pattern match refactoring | |
4887 | * fix spurious sip_method matching | |
4888 | ||
4889 | 2015-11-25: build 180 | |
4890 | ||
4891 | * ported dnp3 preprocessor and rule options from 2.X | |
4892 | * fixed various valgrind issues with stats from sip, imap, pop, and smtp | |
4893 | * fixed captured length of some icmp6 types | |
4894 | * added support for hyperscan search method using rule contents | |
4895 | (regex to follow) | |
4896 | * fixed various log pcap issues | |
4897 | * squelch repeated ip6 ooo extensions and bad options per packet | |
4898 | * fixed arp inspection bug | |
4899 | ||
4900 | 2015-11-20: build 179 | |
4901 | ||
4902 | * user manual updates | |
4903 | * fix perf_monitor.max_file_size default to work on 32-bit systems; | |
4904 | Thanks to noah_dietrich@86penny.org for reporting the issue | |
4905 | * fix bogus 116:431 events | |
4906 | * decode past excess ip6 extensions and bad options | |
4907 | * add iface to alert_csv.fields | |
4908 | * add hyperscan fast pattern search engine - functional but not yet used | |
4909 | * remove --enable-perf-profiling so it is always built | |
4910 | * perf profiling changes in preparation for memory profiling | |
4911 | * remove obsolete LibDAQ preprocessor conditionals | |
4912 | * fix arp inspection | |
4913 | * search engine refactoring | |
4914 | ||
4915 | 2015-11-13: build 178 | |
4916 | ||
4917 | * document runtime link issue with hyperscan on osx | |
4918 | * fix pathname generation for event trace file | |
4919 | * new_http_inspect tweaks | |
4920 | * remove --enable-ppm-test | |
4921 | * sync up auto tools and cmake build options | |
4922 | ||
4923 | 2015-11-05: build 177 | |
4924 | ||
4925 | * idle processing cleanup | |
4926 | * fixed teredo payload detection | |
4927 | * new_http_inspect cleanup | |
4928 | * update old http_inspect to allow spaces in uri | |
4929 | * added null check suggested by Bill Parker | |
4930 | * fix cmake for hyperscan | |
4931 | * ssl and dns stats updates | |
4932 | * fix ppm config | |
4933 | * miscellaneous code cleanup | |
4934 | ||
4935 | 2015-10-30: build 176 | |
4936 | ||
4937 | * tcp reassembly refactoring | |
4938 | * profiler rewrite | |
4939 | * added gzip support to new_http_inspect | |
4940 | * added regex rule option based on hyperscan | |
4941 | ||
4942 | 2015-10-23: build 175 | |
4943 | ||
4944 | * ported gtp preprocessor and rule options from 2.X | |
4945 | * ported modbus preprocessor and rule options from 2.X | |
4946 | * fixed 116:297 | |
4947 | * added unit test build for cmake (already in autotools builds) | |
4948 | * fixed dynamic builds (187 plugins, 138 dynamic) | |
4949 | ||
4950 | 2015-10-16: build 174 | |
4951 | ||
4952 | * legacy daemonization cleanup | |
4953 | * decouple -D, -M, -q | |
4954 | * delete -E | |
4955 | * initial rewrite of profiler | |
4956 | * don't create pid file unless requested | |
4957 | * remove pid lock file | |
4958 | * new_http_inspect header processing, normalization, and decompression tweaks | |
4959 | * convert README to markdown for pretty github rendering | |
4960 | (contributed by gavares@gmail.com) | |
4961 | * perfmonitor fixes | |
4962 | * ssl stats updates | |
4963 | ||
4964 | 2015-10-09: build 173 | |
4965 | ||
4966 | * added pkt_num rule option to extras | |
4967 | * fix final -> finalize changes for extras | |
4968 | * moved alert_unixsock and log_null to extras | |
4969 | * removed duplicate pat_stats source from extras | |
4970 | * prevent tcp session restart on rebuilt packets; | |
4971 | Thanks to rmkml for reporting the issue | |
4972 | * fixed profiler configuration | |
4973 | * fixed ppm event logging | |
4974 | * added filename to reload commands | |
4975 | * fixed -B switch | |
4976 | * reverted tcp syn only logic to match 2X | |
4977 | * ensure ip6 extension decoder state is reset for ip4 too since ip4 | |
4978 | packets may have ip6 next proto | |
4979 | * update default manuals | |
4980 | ||
4981 | 2015-10-01: build 172 | |
4982 | ||
4983 | * check for bool value before setting fastpath config option in PPM | |
4984 | * update manual related to liblzma | |
4985 | * fix file processing | |
4986 | * refactor non-ethernet plugins | |
4987 | * fix file_decomp error logic | |
4988 | * enable active response without flow | |
4989 | * update bug list | |
4990 | ||
4991 | 2015-09-25: build 171 | |
4992 | ||
4993 | * fix metadata:service to work like 2x | |
4994 | * fixed issues when building with LINUX_SMP | |
4995 | * fixed frag tracker accounting | |
4996 | * fix Xcode builds | |
4997 | * implement 116:281 decoder rule | |
4998 | * updated snort2lua | |
4999 | * add cpputest for unit testing | |
5000 | * don't apply cooked verdicts to raw packets | |
5001 | ||
5002 | 2015-09-17: build 170 | |
5003 | ||
5004 | * removed unused control socket defines from cmake | |
5005 | * fixed build error with valgrind build option | |
5006 | * cleanup *FLAGS use in configure.ac | |
5007 | * change configure.ac compiler search order to prefer clang over gcc | |
5008 | * update where to get dnet | |
5009 | * update usage and bug list | |
5010 | * move extra daqs and extra hext logger to main source tree | |
5011 | * fix breakloop in file daq | |
5012 | * fix plain file processing | |
5013 | * fix detection of stream_user and stream_file data | |
5014 | * log innermost proto for type of broken packets | |
5015 | ||
5016 | 2015-09-10: build 169 | |
5017 | ||
5018 | * fix chunked manual install | |
5019 | * add event direction bug | |
5020 | * fix OpenBSD build | |
5021 | * convert check unit tests to catch | |
5022 | * code cleanup | |
5023 | * fix dev guide builds from top_srcdir | |
5024 | ||
5025 | 2015-09-04: build 168 | |
5026 | ||
5027 | * fixed build of chunked manual; | |
5028 | Thanks to Bill Parker for reporting the issue | |
5029 | * const cleanup | |
5030 | * new_http_inspect cookie processing updates | |
5031 | * fixed cmake build issue with SMP stats enabled | |
5032 | * fixed compiler warnings | |
5033 | * added unit tests | |
5034 | * updated error messages in u2spewfoo | |
5035 | * changed error format for consistency with Snort | |
5036 | * fixed u2spewfoo build issue | |
5037 | * added strdup sanity checks; | |
5038 | Thanks to Bill Parker for reporting the issue | |
5039 | * DNS bug fix for TCP | |
5040 | * added --catch-tags [footag],[bartag] for unit test selection | |
5041 | ||
5042 | 2015-08-31: build 167 | |
5043 | ||
5044 | * fix xcode warnings | |
5045 | ||
5046 | 2015-08-21: build 166 | |
5047 | ||
5048 | * fix link error with g++ 4.8.3 | |
5049 | * support multiple script-path args and single files | |
5050 | * piglet bug fixes | |
5051 | * add usage examples with live interfaces; | |
5052 | Thanks to Aman Mangal <mangalaman93@gmail.com> for reporting the problem | |
5053 | * fixed port_scan packet selection | |
5054 | * fixed rpc_decode sequence number handling and buffer setup | |
5055 | * perf_monitor fixes for file output | |
5056 | ||
5057 | 2015-08-14: build 165 | |
5058 | ||
5059 | * flow depth support for new_http_inspect | |
5060 | * TCP session refactoring and create libtcp | |
5061 | * fix ac_sparse_bands search method | |
5062 | * doc and build tweaks for piglets | |
5063 | * expanded piglet interfaces and other enhancements | |
5064 | * fix unit test return value | |
5065 | * add catch.hpp include from https://github.com/philsquared/Catch | |
5066 | * run catch unit tests after check unit tests | |
5067 | * fix documentation errors in users manual | |
5068 | ||
5069 | 2015-08-07: build 164 | |
5070 | ||
5071 | * add range and default to command line args | |
5072 | * fix unit test build on osx | |
5073 | * DAQ packet header conditional compilation for piglet | |
5074 | * add make targets for dev_guide.html and snort_online.html | |
5075 | * cleanup debug macros | |
5076 | * fix parameter range for those depending on loaded plugins; | |
5077 | Thanks to Siti Farhana Binti Lokman <sitifarhana.lokman@postgrad.manchester.ac.uk> | |
5078 | for reporting the issue | |
5079 | ||
5080 | 2015-07-30: build 163 | |
5081 | ||
5082 | * numerous piglet fixes and enhancements | |
5083 | * BitOp rewrite | |
5084 | * added more private IP address; | |
5085 | Thanks to Bill Parker for reporting the issue | |
5086 | * fixed endianness in private IP address check | |
5087 | * fix build of dynamic plugins | |
5088 | ||
5089 | 2015-07-22: build 162 | |
5090 | ||
5091 | * enable build dependency tracking | |
5092 | * cleanup automake and cmake foo | |
5093 | * updated bug list | |
5094 | * added Lua stack manager and updated code that manipulated a persistent lua_State; | |
5095 | Thanks to Sancho Panza (sancho@posteo.de) for reporting the issue | |
5096 | * piglet updates and fixes | |
5097 | * dev guide - convert snort includes into links | |
5098 | * fixup includes | |
5099 | ||
5100 | 2015-07-15: build 161 | |
5101 | ||
5102 | * added piglet plugin test harness | |
5103 | * added piglet_scripts with codec and inspector examples | |
5104 | * added doc/dev_guide.sh | |
5105 | * added dev_notes.txt in each src/ subdir | |
5106 | * scrubbed headers | |
5107 | ||
5108 | 2015-07-06: build 160 - Alpha 2 | |
5109 | ||
5110 | * fixed duplicate patterns in file_magic.lua | |
5111 | * warn about rules with no fast pattern | |
5112 | * warn if file rule has no file_data fp | |
5113 | * run fast patterns according to packet type | |
5114 | * update / expand shutdown output for detection | |
5115 | * binder sets service from inspector if not set | |
5116 | * allow abbreviated rule headers | |
5117 | * fix cmake build on linux w/o asciidoc | |
5118 | * add bugs list to manual | |
5119 | * fix memory leaks | |
5120 | * fix valgrind issues | |
5121 | * fix xcode analyzer issues | |
5122 | ||
5123 | 2015-07-02: build 159 | |
5124 | ||
5125 | * added file processing to new_http_inspect | |
5126 | * ported sip preprocessor | |
5127 | * refactoring port group init and start up output | |
5128 | * standardize / generalize fp buffers | |
5129 | * add log_hext.width | |
5130 | * tweak style guide | |
5131 | * fix hosts table parsing | |
5132 | ||
5133 | 2015-06-19: build 158 | |
5134 | ||
5135 | * nhttp splitter updates | |
5136 | * nhttp handle white space after chunk length | |
5137 | * refactor of fpcreate | |
5138 | * refactor sfportobject into ports/* | |
5139 | * delete flowbits_size, refactor bitop foo | |
5140 | * rename PortList to PortBitSet etc. to avoid confusion | |
5141 | * fix ssl assertion | |
5142 | * cleanup cache config | |
5143 | ||
5144 | 2015-06-11: build 157 | |
5145 | ||
5146 | * port ssl from snort | |
5147 | * fix stream_tcp so call splitter finish only if scan was called | |
5148 | * changed drop rules to drop the current packet only | |
5149 | * block rules are unchanged: they block all packets on the flow | |
5150 | * added reset rules, which function as reject | |
5151 | * deleted sdrop and sblock rules; use suppressions instead | |
5152 | * refactored active module | |
5153 | * updated snort2lua | |
5154 | ||
5155 | 2015-06-04: build 156 | |
5156 | ||
5157 | * new_http_inspect switch to bitset for event tracking | |
5158 | * fixed stream tcp handling of paf abort | |
5159 | * fixed stream tcp cleanup on reset | |
5160 | * fixed sequence of flush and flow data cleanup for new http inspect | |
5161 | ||
5162 | 2015-05-31: build 155 | |
5163 | ||
5164 | * update default manuals | |
5165 | * fix autotools build of manual wrt plugins | |
5166 | * file processing fixup | |
5167 | * update usage from blog | |
5168 | * add file magic lua | |
5169 | * xcode analyzer cleanup | |
5170 | ||
5171 | 2015-05-28: build 154 | |
5172 | ||
5173 | * new_http_inspect parsing and event handling updates | |
5174 | * initial port of file capture from Snort | |
5175 | * stream_tcp reassembles payload only | |
5176 | * remove obsolete REG_TEST logging | |
5177 | * refactor encode_format*() | |
5178 | * rewrite alert_csv with default suitable for reg tests and debugging | |
5179 | * dump 20 hex bytes per line instead of 16 | |
5180 | * add raw mode hext DAQ and logger; fix dns inspector typo for tcp checks | |
5181 | * document raw hext mode | |
5182 | * cleanup flush flags vs dir | |
5183 | * add alert_csv.separator, delete alert_test | |
5184 | * tweak log config; rename daq/log user to hext | |
5185 | * cleanup logging | |
5186 | * stream_tcp refactoring and cleanup | |
5187 | ||
5188 | 2015-05-22: build 153 | |
5189 | ||
5190 | * new_http_inspect parsing updates | |
5191 | * use buckets for user seglist | |
5192 | * fix u2 to output data only packets | |
5193 | * added DAQs for socket, user, and file in extras | |
5194 | * changed -K to -L (log type) | |
5195 | * added extra DAQ for user and file | |
5196 | * added stream_user for payload processing | |
5197 | * added stream_file for file processing | |
5198 | ||
5199 | 2015-05-15: build 152 | |
5200 | ||
5201 | * fixed config error for inspection of rebuilt packets | |
5202 | * ported smtp inspector from Snort | |
5203 | * static analysis fix for new_http_inspect | |
5204 | ||
5205 | 2015-05-08: build 151 | |
5206 | ||
5207 | * doc tweaks | |
5208 | * new_http_inspect message parsing updates | |
5209 | * misc bug fixes | |
5210 | ||
5211 | 2015-04-30: build 150 | |
5212 | ||
5213 | * fixed xcode static analysis issues | |
5214 | * updated default manuals | |
5215 | * added packet processing section to manual | |
5216 | * additional refactoring and cleanup | |
5217 | * fix http_inspect mpse search | |
5218 | * fixed urg rule option | |
5219 | * change daq.var to daq.vars to support multiple params | |
5220 | reported by Sancho Panza | |
5221 | * ensure unknown sources are analyzed | |
5222 | * pop and imap inspectors ported | |
5223 | ||
5224 | 2015-04-28: build 149 | |
5225 | ||
5226 | * fixed build issue with extras | |
5227 | ||
5228 | 2015-04-28: build 148 | |
5229 | ||
5230 | * fixed default validation issue reported by Sancho Panza | |
5231 | * refactored snort and snort_config modules | |
5232 | * file id refactoring and cleanup | |
5233 | * added publish-subscribe handling of data events | |
5234 | * added data_log plugin example for pub-sub | |
5235 | ||
5236 | 2015-04-23: build 147 | |
5237 | ||
5238 | * change PT_DATA to IT_PASSIVE; supports named instances, reload, and consumers | |
5239 | ||
5240 | 2015-04-16: build 146 | |
5241 | ||
5242 | * added build of snort_manual.text if w3m is installed | |
5243 | * added default_snort_manual.text w/o w3m | |
5244 | * add Flow pointer to StreamSplitter::finish() | |
5245 | ||
5246 | 2015-04-10: build 145 | |
5247 | ||
5248 | * nhttp clear() and related changes | |
5249 | * abort PAF in current direction only | |
5250 | * added StreamSplitter::finish() | |
5251 | * allow relative flush point of zero | |
5252 | * added Inspector::clear() | |
5253 | * new http refactoring and cleanup | |
5254 | * new http changes - events from splitter | |
5255 | * fix dns assertion; remove unused variables | |
5256 | ||
5257 | 2015-03-31: build 144 | |
5258 | ||
5259 | * reworked autotools generation of api_options.h | |
5260 | * updated default manuals | |
5261 | * ported dns inspector | |
5262 | ||
5263 | 2015-03-26: build 143 | |
5264 | ||
5265 | * ported ssh inspector | |
5266 | * apply service from hosts when inspector already bound to flow | |
5267 | * ensure direction and service are applied to packet regardless of flow state | |
5268 | * enable active for react / reject only if used in configuration | |
5269 | * fixed use of bound ip and tcp policy if not set in hosts | |
5270 | * eliminate dedicated nhttp chunk buffer | |
5271 | * minor nhttp cleanup in StreamSplitter | |
5272 | ||
5273 | 2015-03-18: build 142 | |
5274 | ||
5275 | * fixed host lookup issue | |
5276 | * folded classification.lua and reference.lua into snort_defaults.lua | |
5277 | * apply defaults from parameter tables instead of relying on ctors etc | |
5278 | * fix static analysis issues reported by xcode | |
5279 | * change policy names with a-b form to a_b for consistency | |
5280 | * make all warnings optional | |
5281 | * fix ip and tcp policy defines | |
5282 | * fix ip and icmp flow client/server ip init | |
5283 | * added logging examples to usage | |
5284 | ||
5285 | 2015-03-11: build 141 | |
5286 | ||
5287 | * added build foo for lzma; refactored configure.ac | |
5288 | * enhancements for checking compatibility of external plugins | |
5289 | * added doc/usage.txt | |
5290 | ||
5291 | 2015-02-27: build 140 | |
5292 | ||
5293 | * uncrustify, see crusty.cfg | |
5294 | * updated documentation on new HTTP inspector, binder, and wizard | |
5295 | ||
5296 | 2015-02-26: build 139 | |
5297 | ||
5298 | * additional http_inspect cleanup | |
5299 | * documented gotcha regarding rule variable definitions in Lua | |
5300 | * sync 297 http xff, swf, and pdf updates | |
5301 | ||
5302 | 2015-02-20: build 138 | |
5303 | ||
5304 | * sync ftp with 297; replace stream event callbacks with FlowData virtuals | |
5305 | ||
5306 | 2015-02-12: build 137 | |
5307 | ||
5308 | * updated manual from blog posts and emails | |
5309 | * normalization refactoring, renaming | |
5310 | * fixed icmp4 encoding | |
5311 | * methods in codec_events and ip_util namespaces are now protected | |
5312 | Codec methods | |
5313 | * 297 sync of active and codecs | |
5314 | ||
5315 | 2015-02-05: build 136 | |
5316 | ||
5317 | * fix up encoders | |
5318 | * sync stream with 297 | |
5319 | * fix encoder check for ip6 extensions | |
5320 | * sync normalizations with 297 | |
5321 | ||
5322 | 2015-01-29: build 135 | |
5323 | ||
5324 | * fixed freebsd build error | |
5325 | * fix default hi profile name | |
5326 | * updated default snort manuals | |
5327 | ||
5328 | 2015-01-26: build 134 | |
5329 | ||
5330 | * sync Mpse to 297, add SearchTool | |
5331 | * 297 sync for sfghash, sfxhash, tag, u2spewfoo, profiler and target based | |
5332 | * addition of mime decoding stats and updates to mime detection limits | |
5333 | * snort2lua changed to add bindings for default ports if not explicitly | |
5334 | configured | |
5335 | * added md5, sha256, and sha512 rule options based on Snort 2.X | |
5336 | protected_content | |
5337 | ||
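The md5, sha256 and sha512 rule options listed for build 134 carry only a digest of the bytes a rule is looking for, so the rule file never discloses the pattern itself: the engine hashes `length` bytes of the payload starting at `offset` and compares the result with the digest in the rule. The following is an added illustration written for this page, not Snort's own code; the option text form `sha256:"<hex>", length:N, offset:N` follows the Snort 3 manual but is treated here as an assumption, and the matcher is a stand-alone re-implementation of the idea using the standard library.

```python
"""Illustration of hash-based ("protected content") rule options.

Not Snort code. Assumed option form: algo:"<hex digest>", length:N, offset:N
"""
import hashlib
import re

ALGOS = ("md5", "sha256", "sha512")

# Grammar assumed for this illustration; offset is optional and defaults to 0.
_OPT_RE = re.compile(
    r'^(md5|sha256|sha512):"([0-9a-fA-F]+)",\s*length:(\d+)(?:,\s*offset:(\d+))?$'
)


def make_hash_option(algo: str, pattern: bytes, offset: int = 0) -> str:
    """Build the option a rule author would write to look for `pattern`.

    Only the digest and the length reach the rule text, never the plaintext,
    which is the point of a protected content match.
    """
    if algo not in ALGOS:
        raise ValueError(f"unsupported hash option: {algo}")
    if not pattern:
        raise ValueError("pattern must not be empty")
    digest = hashlib.new(algo, pattern).hexdigest()
    return f'{algo}:"{digest}", length:{len(pattern)}, offset:{offset}'


def parse_hash_option(text: str):
    """Parse the option text into (algo, lowercase hex digest, length, offset).

    Rejects a digest whose size does not fit the named algorithm, so a rule
    that could never match is caught at load time rather than silently ignored.
    """
    m = _OPT_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed hash option: {text!r}")
    algo, digest, length, offset = m.groups()
    expected_hex_len = hashlib.new(algo).digest_size * 2
    if len(digest) != expected_hex_len:
        raise ValueError(f"{algo} digest must be {expected_hex_len} hex chars")
    if int(length) == 0:
        raise ValueError("length must be positive")
    return algo, digest.lower(), int(length), int(offset or 0)


def hash_option_matches(payload: bytes, option_text: str) -> bool:
    """Evaluate one hash option against a payload buffer.

    Matching is exact-slice: the `length` bytes at `offset` are hashed as a
    unit. A payload too short to supply that slice cannot match, which is the
    bounds case a careful matcher must handle before slicing.
    """
    algo, digest, length, offset = parse_hash_option(option_text)
    end = offset + length
    if end > len(payload):
        return False
    return hashlib.new(algo, payload[offset:end]).hexdigest() == digest


if __name__ == "__main__":
    # Constructed sample payload, not taken from the page.
    payload = b"xxabcyy"
    opt = make_hash_option("md5", b"abc", offset=2)
    print(opt)                                   # rule text shows no plaintext
    print(hash_option_matches(payload, opt))     # True
    print(hash_option_matches(b"xxabdyy", opt))  # False: one byte differs
    print(hash_option_matches(b"xxab", opt))     # False: payload too short
```

Because the digest covers a fixed-length slice at a fixed offset, these options fit content that always sits at the same place in a payload; they are not a substitute for a positional `content` search, and a rule using them should still carry a normal fast pattern so it is not evaluated against every packet.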
5338 | 2015-01-20: build 133 | |
5339 | ||
5340 | * fixes for large file support on 32-bit Linux systems (reported by Y M) | |
5341 | * changed u2 base file name to unified2.log | |
5342 | * updated doc based on tips/tricks blog | |
5343 | * fixed active rule actions (react, reject, rewrite) | |
5344 | * moved http_inspect profile defaults to snort_defaults.lua | |
5345 | * add generalized infractions tracking to new_http_inspect | |
5346 | * updated snort2lua to override default tables (x = { t = v }; x.t.a = 1) | |
5347 | * additional codec refactoring | |
5348 | * added pflog codecs | |
5349 | * fixed stream_size rule option | |
5350 | ||
5351 | 2015-01-05: build 132 | |
5352 | ||
5353 | * added this change log | |
5354 | * initial partial sync with Snort 297 including bug fixes and variable | |
5355 | renaming | |
5356 | * malloc info output with -v at shutdown (if supported) | |
5357 | * updated source copyrights for 2015 and reformatted license foo for | |
5358 | consistency | |
5359 | ||
5360 | 2014-12-16: build 131 | |
5361 | ||
5362 | * fix asciidoc formatting and update default manuals | |
5363 | * updates to doc to better explain github builds | |
5364 | * fix default init for new_http_inspect | |
5365 | * fix cmake issues reported by Y M | |
5366 | * add missing g++ dependency to doc reported by Bill Parker | |
5367 | * add general fp re-search solution for fp buffers further restricted | |
5368 | during rule eval; fixes issue reported by @rmkml | |
5369 | * add missing sanity checks reported by bill parker | |
5370 | * tweak READMEs | |
5371 | ||
5372 | 2014-12-11: build 130 | |
5373 | ||
5374 | * alpha 1 release | |
5375 |