2011-03-23 Steven Sturges <ssturges@sourcefire.com>
* src/build.h:
Increment Snort build number to 134
* src/: decode.h, encode.c:
* src/dynamic-plugins/sf_engine/: sf_snort_packet.h:
* src/preprocessors/: spp_sfportscan.c, spp_frag3.c:
* src/output-plugins/: spo_alert_fast.c:
* src/preprocessors/Stream5/: stream5_common.c:
Updated portscan to set protocol correctly in raw packet for
IPv6 and changed the encoder to recognize portscan packets as pseudo
packets so that the checksum isn't calculated
* src/: sfdaq.c, util.c:
Improve handling of DAQ failure codes when Snort is shutting down.
* src/preprocessors/spp_perfmonitor.c:
Update perfmonitor to create now files prior to dropping privs
2011-03-16 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0.5
* src/build.h:
Increment Snort build number to 132
* src/snort.c:
* src/preprocessors/: normalize.c, perf-base.c, perf-base.h,
Stream5/snort_stream5_tcp.c:
TCP timestamp options are only NOPed by the Normalization preprocessor
if Stream5 has seen a full 3-way handshake, and timestamps weren't
negotiated.
The IPS mode reassembly policy has been refactored to do stream
normalization within the first policy.
Packets injected by the normalization preprocessor are now counted
in the packet statistics.
* doc/snort_manual.tex:
* src/: parser.c, parser.h:
* src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
Added a "config vlan_agnostic" setting that globally disables Stream's
use of vlan tag in session tracking.
* src/: snort.c, preprocessors/normalize.c,
preprocessors/spp_normalize.c, preprocessors/spp_normalize.h,
preprocessors/perf-base.c, preprocessors/perf-base.h:
* doc/: README.normalize, snort_manual.pdf, snort_manual.tex:
Fixed the normalization preprocessor to call its post-initialization
config functions during a policy reload.
Packets can no longer be trimmed below the minimum ethernet frame
length. Trimming is now configurable with the "normalize_ip4: trim;"
option. TOS clearing is now configurable with "normalize_ip4: tos;".
The "normalize_ip4: trim" option is automatically disabled if the
DAQ can't inject packets. If the DAQ tries and fails to inject
a given packet, the wire packet is not blocked.
Updated documentation regarding these changes.
* src/detection-plugins/sp_cvs.c:
Fixed a false positive in the CVS detection plugin. It was incorrectly
parsing CVS entries that had a '+' in between the 3rd and 4th slashes.
* src/preprocessors/HttpInspect/: client/hi_client.c,
server/hi_server.c:
Changed a pointer comparison to a size check for code readability.
Belated thanks to Dwane Atkins and Parker Crook for reporting a
related issue that was fixed in Snort 2.9.0.4 build 111.
Moved the zlib initialization such that gzipped responses are still
inspected if the zipped data starts after the first Stream-reassembled
packet is inspected.
* src/decode.c:
Fixed an issue with decoding too many IP layers in a single packet. The
Teredo proto bit was not unset after hitting the limit on IP layers.
Thanks to Dwane Atkins for reporting this issue.
IPv6 fragmented packets are no longer inspected unless they have an
offset of zero and the next layer is UDP. This behavior is consistent
with IPv4 decoding.
Thanks to Martin Schütte for reporting an issue where fragged ICMPv6
packets were being inspected.
The decoder no longer attempts to decode Teredo packets inside of
IPv4 fragments, instead waiting for the reassembled packet.
* src/encode.c:
Fixed a problem where encoded packets had their lengths calculated
incorrectly. This caused the active response feature to generate
incorrect RST packets if the original packet had a VLAN tag.
* preproc_rules/preprocessor.rules:
Updated references to rule 125:1:1
* src/preprocessors/spp_perfmonitor.c:
Perfmonitor files are now created after Snort changes uid/gid.
* src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
Fixed the size formatting of an error message argument when
compiling with --enable-rzb-saac.
Thanks to Cleber S. Brandão for reporting this issue.
* etc/snort.conf:
Updated the default snort.conf with max compress and decompress
depths to enable unlimited decompression of gzipped HTTP responses.
* snort.8:
Fixed the man page's URL regarding the location of Snort rules.
Thanks to Michael Scheidell for reporting an out-of-date man page section.
* doc/README.http_inspect, doc/snort_manual.tex,
src/preprocessors/snort_httpinspect.c:
HTTP Inspect's "unlimited_decompress" option now requires that
"compress_depth" and "decompress_depth" are set to their max values.
* src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_dynamic_engine.h,
preprocessors/Stream5/snort_stream5_tcp.c:
Fixed an error that prevented compiling with --disable-dynamicplugin.
Thanks to Jason Wallace for reporting this issue.
* src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c,
snort_ftptelnet.h, spp_ftptelnet.c:
Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside
the ftp_telnet preprocessor to avoid a naming conflict with similar
functions in HTTP Inspect.
Thanks to Bruce Corwin for reporting this issue.
* src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c,
perf-flow.h:
Fixed comparisons between signed and unsigned int, which lead to
a faulty length check.
Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this
issue.Snort 2.9.1 introduces the following new capabilities:
* Protocol aware reassembly support for HTTP and DCE/RPC
preprocessors. Updates to Stream5 allowing Snort to more
intelligently inspect HTTP and DCE/RPC requests and responses.
See README.stream5 subsection related to Protocol Aware Flushing
(PAF).
* SIP preprocessor to identify SIP call channels and provide
rule access via new rule option keywords. Also includes new
preprocessor rules for anomalies in the SIP communications.
See the Snort Manual and README.sip for details.
* POP3 & IMAP preprocessors to decode email attachments in
Base64, Quoted Printable, and uuencode formats, and updates
to SMTP preprocessor for decoding email attachments encoded
as Quoted Printable and uuencode formats. See the Snort
Manual, README.pop, README.imap, and README.SMTP for details.
* Support for reading large pcap files.
* Logging of HTTP URL (host and filename), SMTP attachment
filenames and email recipients to unified2 when Snort generates
events on related traffic.
* IP Reputation preprocessor, allowing Snort to blacklist or
whitelist packets based on their IP addresses. This preprocessor
is still in an experimental state, so please report any issues
to the Snort team. See README.reputation for more information.
Additionally, the following updates and improvements have been made:
* Updates to give shared library rules direct access to gzip
decoding capabilities.
* Rule Option Improvements:
- Updates to content modifier http_cookie to not include
the HTTP header names themselves in the buffer. This change
may affect existing rules that leverage this keyword.
- Updates to the file_data and base64_data rule option keywords
and added a pkt_data rule option keyword that sets the buffer
to be used for subsequent content/pcre/etc rule options.
- Updates to the tcp flag rule option keyword to support 'C'
and 'E' for CWR and ECN bits.
- Updates to byte_extract rule option keyword to support
the same string formats as with byte_test and byte_jump.
* Updates to Snort's build infrastructure and autoconf script
for portability and improved checks for library dependencies.
To facilitate easier building of Snort on many of the different
platforms supported, Snort now uses pkg-config to check for
certain library locations. Obtain pkg-config from freedesktop.org.
* Many updates and improvements to the Snort documentation. Special
thanks to all of the contributors from the Snort community for
working with us and making the documentation more accurate and
usable.
* Updates to the sensitive data preprocessor for handling HTTP
traffic and reducing false positives.
* Updates to Snort's config parsing to provide more meaningful
error messages relating to snort.conf errors and configuration
display at startup.
* Updates to Snort's active response packets whether via response
keyword or part of inline normalization.
* Improvements to HTTP Inspect processing of chunked HTTP data.
Additional HTTP Inspect alerts for evasion attempts such as small
chunks and excessive whitespace in folded headers.
* Updates to the statistics Snort prints to console or syslog
at exit for different preproessors.
2.9.1.0 Changelog:
Snort 2.9.1
* src/build.h:
Updated build number to 71.
* etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
src/decode.h, src/generators.h, src/snort.c,
src/dynamic-plugins/sf_engine/sf_snort_packet.h:
Fixed an issue with decoding large numbers of IPv6 extension headers.
Added rule 116:456 to safeguard against too many IPv6 extension headers.
Thanks to Martin Schutte for reporting the issue.
* src/detection-plugins/sp_urilen_check.c,
src/detection-plugins/sp_urilen_check.h:
Fixed the urilen rule option to look at reassembled packets.
Added an extra parameter to specify whether to check raw or normalized uri buffer. Will check raw uri buffer by default.
* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dns/sf_dns.dsp,
dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
dynamic-preprocessors/imap/sf_imap.dsp,
dynamic-preprocessors/isakmp/sf_isakmp.dsp,
dynamic-preprocessors/pop/sf_pop.dsp,
dynamic-preprocessors/reputation/sf_reputation.dsp,
dynamic-preprocessors/sdf/sf_sdf.dsp,
dynamic-preprocessors/sip/sf_sip.dsp,
dynamic-preprocessors/smtp/sf_smtp.dsp,
dynamic-preprocessors/ssh/sf_ssh.dsp,
dynamic-preprocessors/ssl/sf_ssl.dsp,
win32/WIN32-Prj/sf_engine.dsp:
Fixed a bug where the sensitive_data preprocessor gave an error while loading sensitive data rules.
* doc/README.http_inspect, etc/gen-msg.map,
preproc_rules/preprocessor.rules, src/generators.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
src/preprocessors/HttpInspect/include/hi_eo_events.h,
src/preprocessors/HttpInspect/utils/hi_paf.c:
Added two HTTP Inspect preprocessor rules:
119:28 - post w/o content-length or transfer-encoding: chunked
120:8 - message with invalid content-length or chunk size
* src/preprocessors/spp_httpinspect.c:
Fixed a bug where Snort wouldn't reload, giving the error that
"Changing decompress_depth requries a restart".
* etc/gen-msg.map:
Commented out four rules from gen-msg.map, 133:44 through 133:47,
because they were not yet implemented.
* preproc_rules/preprocessor.rules:
Added a CVE reference for Rule 119:19.
Added a reference to SMTP preprocessor rule 124:4.
Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor
alert that was missing the corresponding rule.
* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
PAF tweak for single-segment full PDUs matching only-stream
* src/snort.c:
Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD.
Set default paf_max to 16K.
* doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
Added a use case in the IP Reputation preprocessor documentation.
* src/: dynamic-preprocessors/reputation/reputation_config.c,
dynamic-preprocessors/reputation/sf_reputation.dsp,
win32/WIN32-Prj/snort.dsw, win32/WIN32-Prj/snort_installer.nsi:
Fixed the IP Reputation preprocessor so that it would build on Windows.
* src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h,
server/hi-server.c, utils/hi_paf.c:
Support up to full 32-bit content-lengths
* src/preprocessors/Stream5/stream5_paf.c:
Fixed compilation with the options "--disable-target-based --enable-paf".
* src/preprocessors/Stream5/snort_stream5_tcp.c:
Fixed an error in IDS mode when segments overlap and the sequence
number wraps.
* tools/u2spewfoo/Makefile.am:
Added the u2spewfoo Windows project file to the Snort source tarball.
Snort 2.9.1 RC
* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
preproc_rules/preprocessor.rules,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
Added three new SIP preprocessor alerts.
* src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c,
stream5_paf.h:
Allow multiple preprocs to scan for PDUs on the same port.
This fixes a problem with DCE autodetect using the same
ports as HTTP.
* src/build.h:
Updated build number to 63.
* src/: fpcreate.c, log.c, detection-plugins/sp_byte_extract.c,
detection-plugins/sp_tcp_win_check.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
preprocessors/spp_normalize.c:
Fixed some compiler warnings.
* src/: detection-plugins/detection_options.c,
detection-plugins/sp_flowbits.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/examples/Makefile.am,
dynamic-plugins/sf_engine/examples/flowbits_test.c,
dynamic-plugins/sf_engine/examples/rules.c,
dynamic-plugins/sf_engine/examples/web-client_test.c:
Only set/clear/toggle/unset a flowbit when all of the rule
matches, including the IPs and Ports. Thanks to Eoin Miller
for reporting the issue.
* src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am,
dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am,
pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am,
sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am,
ssh/Makefile.am, ssl/Makefile.am:
Fixed dynamic preprocesor Makefiles so that they can be built
in parallel.
* doc/README.http_inspect, doc/snort_manual.pdf,
doc/snort_manual.tex, etc/gen-msg.map,
preproc_rules/preprocessor.rules, src/generators.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/snort_httpinspect.h,
src/preprocessors/HttpInspect/client/hi_client.c,
src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
src/preprocessors/HttpInspect/include/hi_eo_events.h,
src/preprocessors/HttpInspect/include/hi_ui_config.h,
src/preprocessors/HttpInspect/include/hi_util.h,
src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
src/sfutil/util_unfold.c:
Added a new HTTP Inspect preprocessor rule, GID 119 SID 26. This rule checks for 200+ whitespaces in a folded header line from an HTTP request. A new config option was added to configure the allowable amount whitespace.
Added a new configuration option to http_inspect server configuration:
"small_chunk_length { <chunk_size> <num_consec_chunks> }", with preprocessor rules for both client and server. Consecutive chunk lengths less than or equal to <chunk_size> will cause an event to be generated.
See README.http_inspect for more information.
* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dns/sf_dns.dsp,
dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
dynamic-preprocessors/imap/sf_imap.dsp,
dynamic-preprocessors/isakmp/sf_isakmp.dsp,
dynamic-preprocessors/sdf/sf_sdf.dsp,
dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
dynamic-preprocessors/sip/sf_sip.dsp,
dynamic-preprocessors/smtp/sf_smtp.dsp,
dynamic-preprocessors/ssh/sf_ssh.dsp,
dynamic-preprocessors/ssl/sf_ssl.dsp,
win32/WIN32-Prj/sf_engine.dsp,
win32/WIN32-Prj/sf_engine_initialize.dsp,
win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp:
Fixed the Win32 build to (1) not use .pch, and (2) correct sed
patterns on ipv6_port.h.
* src/output-plugins/spo_alert_sf_socket.c:
Fixed a problem where Snort's generic IP address structure was being sent by the socket output plugin.
The output plugin now only generates events for IPv4 packets, and is guaranteed to use uint32_t IPv4 addresses for interoperability.
* src/sfutil/: sfrt.c, sfrt.h:
Optimized some memory usage.
* configure.in:
Add check for pkg-config and provide instructions to get it if pkg-config is not installed.
* src/preprocessors/Stream5/: snort_stream5_tcp.c,
stream5_common.h:
Show single segment PAF packets and only short-circuit at
correct sequence.
When aborting PAF, flush at paf_max.
Tweaked retransmission check to use actual sequence numbers
instead of the adjusted sequence numbers.
Changed the pseudo-random flush point after each flush.
* src/snort.c:
Fixed a compilation error when active response is disabled.
* src/snort.h:
Fixed a bug where Snort wouldn't daemonize on OpenBSD if the process was running as root. Thanks to Olaf Schreck for reporting this issue.
* src/preprocessors/: perf-base.c, perf-base.h, perf-event.c,
perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h,
spp_perfmonitor.c:
Split out Perfmon submodule Init and Reset, so that everything is
initialized when the Perfmonitor preprocessor is initialized.
Previously, some data was initialized on the first packet.
* src/detection-plugins/sp_tcp_flag_check.c:
Fixed a couple spots where the "1" and "2" flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for reporting the issue and supplying a patch.
* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/spp_sip.h,
preproc_rules/preprocessor.rules, etc/gen-msg.map:
Added a new SIP preprocessor alert for missing content type headers.
Fixed an issue where the SIP preprocessor checked for Stream5 even if the SIP preprocessor was disabled.
* etc/unicode.map:
Updated unicode.map to match the unicode standard on Windows 7 SP1.
* etc/snort.conf:
Sync'ed to VRT's latest snort.conf.
* src/: decode.c, detect.c:
Tweaked the preprocessing loop to bypass app preprocs if no app data.
* src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sfrt_dir.c,
src/dynamic-preprocessors/reputation/Makefile.am,
src/dynamic-preprocessors/reputation/reputation_config.h,
src/dynamic-preprocessors/reputation/reputation_utils.c,
src/dynamic-preprocessors/reputation/sf_reputation.dsp,
src/dynamic-preprocessors/reputation/spp_reputation.c,
src/dynamic-preprocessors/reputation/spp_reputation.h,
src/dynamic-preprocessors/reputation/reputation_config.c,
src/dynamic-preprocessors/reputation/reputation_debug.h,
src/dynamic-preprocessors/reputation/reputation_utils.h,
doc/README.reputation, doc/Makefile.am, doc/snort_manual.pdf,
doc/snort_manual.tex, preproc_rules/preprocessor.rules,
src/dynamic-preprocessors/Makefile.am, configure.in,
src/preprocids.h, etc/gen-msg.map:
Added the IP Reputation preprocessor. This preprocessor provides the ability to whitelist and blacklist packets based on IP addresses.
See README.reputation for more information.
* src/: sf_types.h, dynamic-plugins/sf_dynamic_plugins.c,
dynamic-preprocessors/dcerpc2/Makefile.am,
dynamic-preprocessors/dcerpc2/dce2_config.c,
dynamic-preprocessors/dcerpc2/dce2_debug.h,
dynamic-preprocessors/dcerpc2/dce2_paf.c,
dynamic-preprocessors/dcerpc2/dce2_paf.h,
dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dcerpc2/snort_dce2.c:
Added protocol-aware flushing support for the dcerpc2 preprocessor.
* src/dynamic-plugins/sf_convert_dynamic.c:
Added the ability to convert shared object rules that use the preprocessor rule option.
* src/preprocessors/: snort_httpinspect.c, spp_httpinspect.c,
HttpInspect/include/hi_paf.h, HttpInspect/utils/hi_paf.c,
Stream5/snort_stream5_tcp.c:
Don't enable paf unless stream ports configured for the given direction; add "(PAF)" to http inspect ports output to indicate when enabled; and only register port for given direction if corresponding flow depth is set.
Support full 32-bit content-lengths and chunk sizes, and flush/abort when exceeded.
* doc/README.SMTP, doc/snort_manual.tex,
src/dynamic-preprocessors/smtp/smtp_config.h,
src/dynamic-preprocessors/smtp/smtp_util.c,
src/dynamic-preprocessors/smtp/snort_smtp.c,
src/dynamic-preprocessors/smtp/snort_smtp.h,
src/dynamic-preprocessors/smtp/spp_smtp.c:
Fixed performance issue: allocate the buffers used for filename, mailfrom and rcptto logging using mempool ('memcap' used to allocate the mempool).
Added a fatal error when b64_decode_depth is used with enable_mime_decoding.
* src/dynamic-plugins/sf_engine/examples: all rule files:
Fixed compiler warnings.
* configure.in:
Updates to configure.in.
Fix zlib checks to use correctly named variable for checking zlib header and library existence.
Enable IPv6 by default in builds. Can use --disable-ipv6 to turn it off.
Using --enable-zlib, configure should fail. snort -V should show IPv6 by default and VRT config should load without modification.
Added a new option, "--enable-large-pcap", which allows Snort to read pcap files that are larger than 2 GB.
Changed the default ./configure options to match the requirements for the bundled snort.conf
* doc/: INSTALL, README.imap, README.pop,
README.SMTP, README.stream5, README.sip, README.tag,
README.http_inspect, README.counts, README.normalize,
snort_manual.pdf, snort_manual.tex:
Updated documentation for Snort 2.9.1:
Added documentation for new SIP, POP and IMAP preprocessors
Updated README.stream5 with documentation for Protocol Aware Flushing (PAF)
Updated README.http_inspect with memcap information, clarified "http_cookie" information, and documentation for "log_uri" and "log_hostname".
Fixed a typo in README.counts
Updated "byte_extract" section to reflect syntax changes
Improved the explanation of "max_queued_events"
Added documentation for the ESP decoder, which is now configurable
Improved the explanation of "rawbytes"
Fixed an incorrect example in README.tag.
* etc/snort.conf:
Synced snort.conf with VRT's latest version.
Added configurations for new preprocessors.
* preproc_rules/: decoder.rules, preprocessor.rules
Added new preprocessor rules for SIP, SMTP, POP, and IMAP.
Added decoder rules 116:453, 116:454, and 116:455. These rules
were formerly covered by VRT rules.
* src/build.h: Updated build number to 46
* src/decode.c:
TCP and UDP decoder rules that require a fully-decoded packet will only fire if the checksum is correct and the port number is not ignored.
ESP decoding is now configurable, and off by default.
The "config enable_decode_oversized_alerts" option now applies to packets where the UDP header claims there is more data than actually exists.
The Teredo decoder now only processes packets in the Teredo prefix
(2001:0000::/32) or the link-local prefix (fe80::/16).
* src/detection-plugins/sp_cvs.c:
Fixed a false positive in the CVS detection plugin.
* doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c:
Made some changes to the byte_extract syntax:
Writing "string" without a number type defaults to decimal.
The "string" and "hex/dec/oct" options are now independent of each other, like in byte_test and byte_jump. You can write "string,dec", "hex,string", "string,relative,oct", etc.
Specifying one of "hex", "dec", and "oct" without using "string"
results in an error.
byte_extract options can no longer be delimited by spaces. This does not affect "align <num>" or "multiplier <num>".
* src/: parser.c, util.c, util.h,
detection-plugins/sp_base64_decode.c,
dynamic-plugins/sf_dynamic_plugins.c,
dynamic-plugins/sf_dynamic_preprocessor.h,
dynamic-plugins/sp_dynamic.c,
dynamic-preprocessors/smtp/smtp_util.c,
preprocessors/HttpInspect/client/hi_client.c,
preprocessors/HttpInspect/server/hi_server.c,
sfutil/sf_base64decode.c, sfutil/sf_base64decode.h:
Changes include the following:
- Attempt dechunkind only when transfer-encoding: chunked is present.
- Override the content length with transfer encoding
- SnortStrcasestr uses slen now.
- unfolding : trim spaces when required.
* src/: pcap_pkthdr32.h, preprocessors/spp_frag3.c,
preprocessors/Stream5/snort_stream5_tcp.c,
preprocessors/Stream5/stream5_common.h, sfutil/sf_ipvar.c,
sfutil/sf_ipvar.h, sfutil/sf_vartable.c:
Update Frag3/Stream5 to print bound addresses, better descriptsions of detect anomalies and port lists.
- Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds
- Updated Frag3 to print meaningful detect anomalies configuration
- Updated Stream5 to print that there are more ports than those printed.
* src/dynamic-plugins/sf_engine/: Makefile.am, sf_decompression.c,
sf_decompression.h, sf_snort_detection_engine.c,
sf_snort_plugin_api.h:
Added a Decompression API that wraps Zlib for use with dynamic
plugins. See sf_decompression.h for more details.
* src/: fpcreate.c, fpdetect.c, treenodes.h:
Update pattern matcher and sort functions to correctly sort by priority as well as implement sorting by content_length (which was never done with 2.8.2 addition of rule option tree).
Added a warning when max-pattern-len is defined twice.
Packets will no longer be tagged or logged if they are filtered or passed.
* src/preprocessors/Stream5:
Ensured that reassembly doesn't require packet dropping in IPS mode.
The message "additional ports configured but not printed" is only printed when that is actually the case.
* src/snort.c:
fix output of filename / shutdown alerts sequence when iterating over multiple pcaps with --pcap-show --pcap-reset and console alerts (eg -A cmg or
-A console:test).
Fixed an issue with reloading Snort while the default output options were used.
When reading several pcap files with --pcap-dir, Snort will move on
to the next file if one fails to load.
* src/output-plugins/spo_alert_full.c:
Update alert_full to print rule references, regardless of whether
there is TCP/UDP/etc.
* src/output-plugins/spo_log_tcpdump.c:
convert DLT_IPV{4,6} to DLT_RAW for compatibility with libpcap 1.0.0
fix 'mixed decls and code' compiler warning
* src/: decode.h, detect.c, detection_util.c, detection_util.h,
fpcreate.c, fpdetect.c, log.c, log_text.c, parser.h, plugbase.c,
rule_option_types.h, detection-plugins/Makefile.am,
detection-plugins/detection_options.c,
detection-plugins/sp_base64_data.c,
detection-plugins/sp_byte_check.c,
detection-plugins/sp_byte_extract.c,
detection-plugins/sp_byte_jump.c,
detection-plugins/sp_file_data.c,
detection-plugins/sp_ftpbounce.c,
detection-plugins/sp_isdataat.c,
detection-plugins/sp_pattern_match.c,
detection-plugins/sp_pcre.c, detection-plugins/sp_pkt_data.c,
detection-plugins/sp_pkt_data.h,
dynamic-plugins/sf_convert_dynamic.c,
dynamic-plugins/sf_dynamic_common.h,
dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_dynamic_engine.h,
dynamic-plugins/sf_dynamic_plugins.c,
dynamic-plugins/sf_dynamic_preprocessor.h,
dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_packet.h,
dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
dynamic-preprocessors/ftptelnet/pp_ftp.c,
dynamic-preprocessors/ftptelnet/pp_telnet.c,
dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
dynamic-preprocessors/smtp/smtp_util.c,
dynamic-preprocessors/smtp/snort_smtp.c,
dynamic-preprocessors/smtp/snort_smtp.h,
preprocessors/snort_httpinspect.c,
preprocessors/snort_httpinspect.h,
preprocessors/spp_rpc_decode.c,
preprocessors/HttpInspect/server/hi_server.c,
preprocessors/HttpInspect/server/hi_server_norm.c,
preprocessors/Stream5/snort_stream5_tcp.c:
The "file_data" and "base64_data" rule options now set the buffer
for any rule options that follow them. This applies to both relative and non-relative rule options.
The detection code now uses 3 separate buffers:
- "Alt Detect": set by file_data, base64_data, etc.
- "Alt Decode": set by preprocessor normalization, e.g. HTTP Inspect
- Raw packet data
The AltDetect buffer can also be set by custom .so rules.
* src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c,
src/sfutil/Unified2_common.h:
IPv6 source and destination addresses are now logged in Unified2 as extra data events. This is configured with "config log_ipv6_extra_data".
* src/dynamic-preprocessors/sip/Makefile.am,
src/dynamic-preprocessors/sip/sf_sip.dsp,
src/dynamic-preprocessors/sip/sip_config.c,
src/dynamic-preprocessors/sip/sip_config.h,
src/dynamic-preprocessors/sip/sip_debug.h,
src/dynamic-preprocessors/sip/sip_dialog.c,
src/dynamic-preprocessors/sip/sip_dialog.h,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/sip_parser.h,
src/dynamic-preprocessors/sip/sip_roptions.c,
src/dynamic-preprocessors/sip/spp_sip.c,
src/dynamic-preprocessors/sip/spp_sip.h,
src/dynamic-preprocessors/sip/sip_roptions.h,
src/dynamic-preprocessors/sip/sip_utils.c,
src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip,
etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am,
src/dynamic-preprocessors/sip/test/sip_test.c, configure.in,
src/dynamic-preprocessors/Makefile.am:
Added a new preprocessor for SIP traffic.
See README.sip and the Snort Manual for more information.
* src/: dynamic-preprocessors/dcerpc2/dce2_utils.c,
dynamic-preprocessors/dcerpc2/spp_dce2.c,
preprocessors/spp_frag3.c:
Make Frag3 OpenBSD Vuln alert only happen if the frag policy is 'linux' (which includes OpenBSD). The 'bsd' policy is NOT used for OpenBSD, which is the only OS on which the vulnerability was present.
This reduces false positives to only occur when frag3 policy is linux and its an actual linux system, rather than the alert occurring regardless of frag policy.
* src/: detection-plugins/Makefile.am,
detection-plugins/sp_byte_extract.c,
detection-plugins/sp_byte_extract.h,
dynamic-plugins/sf_convert_dynamic.c,
dynamic-plugins/sf_engine/Makefile.am,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
Added support for ByteExtract variables to the .so rule versions of
Content, ByteTest, ByteJump, and isdataat.
* src/: encode.c, preprocessors/spp_normalize.c,
preprocessors/Stream5/snort_stream5_tcp.c,
preprocessors/Stream5/stream5_common.c:
Fixed the TTL on encoded response packets.
* src/: fpcreate.c, fpdetect.c,
detection-plugins/sp_pattern_match.c,
detection-plugins/sp_pattern_match.h,
dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
Update to not inspect HTTP method buffer with Snort's fast pattern engine.
Rules with only HTTP method content end up as non-content rules.
This eliminates a short cycle of searches with fast pattern on every initial HTTP request.
* src/dynamic-preprocessors/pop/: all files
Added a new preprocessor for POP traffic.
See README.pop for more information.
* src/dynamic-preprocessors/imap/: all files
Added a new preprocessor for IMAP traffic.
See README.imap for more information.
* src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
Base64 decoding was moved to its own section in sfutil, for use by the new email preprocessors.
Added support for uuencoded email attachments.
* src/dynamic-preprocessors/sdf/spp_sdf.c:
The Sensitive Data preprocessor now inspects the "file_data" buffer, used for HTTP response bodies & decoded email attachments.
* src/: snort.c, preprocessors/spp_stream5.c,
preprocessors/stream_api.h:
Update Snort to return a DAQ verdict of whitelist (meaning don't send Snort any more packets) for sessions that are being ignored in both directions or ports that are configured to ignore. For DAQ modules and hardware that supports it, this should result in a performance gain because Snort no longer has to decode packets that are part of that connection.
* src/util.c:
Added an error message when opening a pid file fails.
* src/preprocessors/HttpInspect/: client/hi_client.c,
server/hi_server.c:
The Set-Cookie: and Cookie: headers wont be included in the cookie buffers.
* configure.in, src/active.c, src/active.h, src/decode.h,
src/encode.c, src/encode.h, src/log_text.c, src/log_text.h,
src/parser.c, src/parser.h, src/sf_types.h, src/sfdaq.c,
src/sfdaq.h, src/snort.h, src/snort_debug.h,
src/detection-plugins/sp_react.c,
src/detection-plugins/sp_respond3.c,
src/dynamic-plugins/sf_dynamic_define.h,
src/dynamic-plugins/sf_engine/sf_snort_packet.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/spp_httpinspect.c,
src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
src/preprocessors/HttpInspect/Makefile.am,
src/preprocessors/HttpInspect/include/Makefile.am,
src/preprocessors/HttpInspect/include/hi_paf.h,
src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
src/preprocessors/HttpInspect/server/hi_server.c,
src/preprocessors/HttpInspect/utils/Makefile.am,
src/preprocessors/HttpInspect/utils/hi_paf.c,
src/preprocessors/Stream5/Makefile.am,
src/preprocessors/Stream5/snort_stream5_icmp.c,
src/preprocessors/Stream5/snort_stream5_session.c,
src/preprocessors/Stream5/snort_stream5_tcp.c,
src/preprocessors/Stream5/snort_stream5_tcp.h,
src/preprocessors/Stream5/snort_stream5_udp.c,
src/preprocessors/Stream5/stream5_common.c,
src/preprocessors/Stream5/stream5_common.h,
src/preprocessors/Stream5/stream5_paf.c,
src/preprocessors/Stream5/stream5_paf.h, src/sfutil/sf_textlog.h:
Added support in Stream5 for Protocol Aware Flushing (PAF). PAF allows Snort to statefully scan a stream and reassemble a complete PDU regardless of segmentation.
Added PAF support to HTTP Inspect, allowing the preprocessor to determine when HTTP sessions are flushed by Stream5.
See README.stream5 for more details.
* src/preprocessors/: stream_ignore.h, stream_ignore.c,
Stream5/snort_stream5_udp.c:
Added support for ignoring UDP channels. Light weight session will be created to track UDP channel, even ports are not monitored.
* src/win32/: most files
Updated Snort and its libraries to build/link against MFC.Snort 2.9.1.1
* src/decode.c:
Fixed decode.c to allow building with --enable-debug.
* src/: dynamic-plugins/sf_engine/sf_decompression.c,
dynamic-plugins/sf_engine/sf_decompression.h,
preprocessors/snort_httpinspect.h,
preprocessors/HttpInspect/server/hi_server.c:
Fixed http_inspect decompression and decompression API to decompress
both raw and zlib deflated data.
Support locating utf charset when spaces are present.
* src/: preprocessors/HttpInspect/server/hi_server_norm.c,
sfutil/util_utf.h:
Added "Byte Order Mark" support for unicode in http_inspect.
* src/detection-plugins/sp_urilen_check.c:
Fixed potential false positives when using urilen detection option.
* src/preprocessors/Stream5/stream5_paf.c:
Fixed flushing beyond "paf_max".
Verify paf configuration before enabling.
* src/preprocessors/Stream5/snort_stream5_tcp.c:
Free application and protocol state when a session is blocked.
Ensure that seglist_next is NULL after being freed.
* src/dynamic-preprocessors/smtp/smtp_util.c:
Fixed an issue with SMTP logging while running in inline mode.
* src/dynamic-preprocessors/reputation/Makefile.am,
src/dynamic-preprocessors/reputation/reputation_config.c,
src/dynamic-preprocessors/reputation/reputation_config.h,
src/dynamic-preprocessors/reputation/spp_reputation.c,
src/dynamic-preprocessors/reputation/spp_reputation.h,
src/Makefile.am, src/idle_processing.c, src/idle_processing.h,
src/idle_processing_funcs.h, src/plugbase.c, src/plugbase.h,
src/snort.c, src/snort.h, src/util.c, src/util.h,
src/dynamic-examples/Makefile.am,
src/dynamic-preprocessors/reputation/shmem/shmem_config.c,
src/dynamic-preprocessors/reputation/shmem/shmem_config.h,
src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
src/control/Makefile.am, src/control/sfcontrol.c,
src/control/sfcontrol.h, src/control/sfcontrol_funcs.h,
src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c,
src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h,
src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
src/dynamic-preprocessors/reputation/shmem/shmem_lib.h,
src/sfutil/Makefile.am, src/sfutil/segment_mem.c,
src/sfutil/segment_mem.h, src/sfutil/sfrt_flat.c,
src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c,
src/sfutil/sfrt_flat_dir.h,
src/dynamic-preprocessors/Makefile.am, tools/control/Makefile.am,
tools/control/README.snort_control, tools/control/sfcontrol.c,
src/dynamic-plugins/sf_dynamic_plugins.c,
src/dynamic-plugins/sf_dynamic_preprocessor.h, configure.in,
tools/Makefile.am:
- Added support for shared memory between Snort processes.
This is used in the IP Reputation preprocessor to share a single copy
of IP whitelists & blacklists.
- Added a control channel, so that commands may be issued to
a running Snort process by way of a Unix socket.
* src/preprocessors/HttpInspect/utils/hi_paf.c:
Ensure HTTP 1.1 responses without length indicators (e.g. 304)
are flushed at the end of the headers.
Preprocessor rule 120:8 is fired at end of headers if content-length
and transfer-encoding: chunked are not present, but not for response
codes 1XX, 204, 304.
* doc/README.reputation, doc/snort_manual.pdf,
doc/snort_manual.tex:
Updated Snort documentation, added documentation for Shared Memory
and the Control Socket.
* src/: dynamic-preprocessors/reputation/sf_reputation.dsp,
dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
win32/WIN32-Includes/stdint.h, win32/WIN32-Prj/snort.dsp,
win32/WIN32-Prj/snort.dsw:
Updated Win32 build files.[*] New Additions
* SCADA (DNP3 and Modbus) preprocessors. Added two new preprocessors
to support writing rules for detecting attacks for control systems.
New rule keywords are supported, and DNP3 leverages Stream5 PAF
support for TCP reassembly. See the Snort Manual, README.dnp3 and
README.modbus for details of the configurations and new rule
options.
* GTP decoding and preprocessor. Updated the Snort packet decoders
and added a preprocessor to support detecting attacks over GTP (GPRS
Tunneling Protocol). Snort's GTP support handles multiple versions
of GTP and has a rich configuration set. See the Snort Manual and
README.GTP for details.
* Updates to the HTTP preprocessor to normalize HTTP responses that
include javascript escaped data in the HTTP response body. This
expands Snort's coverage in detecting HTTP client-side attacks.
See the Snort Manual and README.http_inspect for configuration
details.
* Added Protocol-Aware Flushing (PAF) support for FTP.
[*] Improvements
* Updates to Stream preprocessor to be able to track and store
"stream" data for non TCP/UDP flows. Also improvements to handle
when memory associated with a blocked stream is released and usable
for other connections.
* Updates to dce_stub_data to make it act the same as file_data
and pkt_data rule option keywords in how it interacts with
subsequent content/pcre/etc rule options.
* Updates to how Snort handles and processes signals received
from the OS.
* Enabled logging of normalized JavaScript to unified2 without the
use of the --enable-sourcefire configuration option.
* Improved handling of gaps and overlaps for "first" and "vista"
policies in Stream5.
* Added support for signal handler customization. At compile-time,
Snort can be customized to use different signal numbers.
This allows problems with overlapping signals to be fixed on a
per-platform basis, which is especially helpful for the BSDs.
See the Snort Manual for more details.Snort 2.9.3
* src/build.h:
Updated build number to 37
* src/preprocessors/HttpInspect/server/hi_server.c:
When paf is turned on, the flow depth on raw packets should be checking
if max_seq was set.
* src/preprocessors/HttpInspect/client/hi_client.c:
Rearranged check in hi_client_extract_header() to stop processing when
there is no more data.
* src/dynamic-preprocessors/smtp/: smtp_util.c, snort_smtp.c:
Clear flags for filename logging if there are no ending quotes for MIME
attachement filename. Thanks to Rick Chisholm for helping us track down
the issue.
* doc/CREDITS:
Update rmkml's email address.
* src/preprocessors/: snort_httpinspect.h, HttpInspect/server/hi_server.c:
Fix application of flow_depth for transfers of files over 2GB.[*] New additions
* Added tracking of FTP data channel for file transfers as file_data
for Snort rules.
* Add support for doing PAF based on services loaded thru the
attribute table and hardened PAF code/removed --disable-paf
* Added decoding support for Cisco ERSPAN
* Added tracking of HTTP uploads as file_data for Snort rules.
* Added ability to use event filters with PPM rules
* Added a control channel command to reload the Snort configuration to
give feedback on new configuration. This improves on the older sigHUP
which would just result in Snort exiting and restarting if the new
configuration required a restart.
* Added a configuration option to perfmon to write flow-ip data to a
file
* New decoding alert for IPv6 Routing type 0 header.
* Added the ability to sync basic session state from one Snort to
another via a side channel communication between the two Snort
instances. NOTE: This is currently experimental.
[*] Improvements
* Improved Stream's midstream pickup handling for TCP state processing,
sequence validation, and reassembly. Thanks to John Eure.
* Added a parse error for a rule if there is a relative content used
after a content that is 'fast_pattern only'.
* Improved HTTP PAF reassembly capabilities to be better aligned on PDU
boundaries, terminate if not actually HTTP, and to include all
appropriate line feeds.
* Hardened the code related to dynamic modules. Removed --disable-
dynamicplugin configuration option since rule and preprocessor shared
libraries are here to stay.
* Improved parsing of IP lists for reputation
* Update to Teredo processing and Snort rule evaluation when the inner
IPv6 packet doesn't have payload. Thanks to Yun Zheng Hu &
L0rd Ch0de1m0rt for reporting the issue & crafting traffic to reproduce.
* Improved logging of packets associated with alerts when a Stream
reassembled packet triggers multiple Snort rules.
* Improvements to the Snort manual including documentation of specific
rule options and configuration items. Thanks to Nicholas Horton and many others.
* Removed a bunch of dead code paths, updated to use more current memory
functions for easier code maintenance and portability. Thanks to William Parker.
[*] Deletions
* Remove deprecated unified support, use unified2 for all of your
logging needs. [*] New additions
* Add support to do file specific processing within DCERPC preprocessor for
files being transferred over SMB.
* File capture and storage -- saves files as they traverse the network via a
new preprocessor that ties in support within HTTP, FTP, SMTP, POP, IMAP,
and SMB. See README.file and README.file_server (under tools/file_server)
for details.
* Add <= and >= operators to byte_test rule option.
* Update SMTP to detect Cyrus SASL authentication attack.
* Add capability to capture a single session from start to end.
* EXPERIMENTAL: Add support to leverage file type identification in snort
rules. See README.file_ips for details.
[*] Improvements
* Only inject active responses when a TCP session is established.
* Update the POP and IMAP protocols to support simple PAF for improved
identification and capture of files.
* Update SMTP, POP, IMAP to improve inspection when mime boundaries are
split across packets.
* Address issue to address end of line incorrectly for Quoted Printable
email attachments.
* Handle out of order SSL handshake in SMTP when STARTTLS is used and
fix checks for SSL type only within the SSL hand shake.
* Update sensitive data preprocessor to handle a stateful search of
patterns across multiple packets.
* Address a few issues in the Snort manual and other READMEs for flowbits
and tunneling.
* Save off packet data for quicker debugging in case of a SIGABRT or SIGBUS.
* Fix alignment of sfxhash node for SPARC platforms.