Version 0.5.5

* Totally new plugin system
* Uses shared library for core (libfirestorm.so)
* Neaten up a lot of the APIs, remove loads of redundant stuff
* New mesg backend interface
* Don't bother registering generators
* Add new notification framework
* Re-write preprocessors to use notifiers
* Move signatures over to mpool
* [IDX] Change on-disk structures
* [IDX] New index writing API
* Fix build script
* Use notifier for elog spools, allow no logging
* Free up system notifiers
* Use RTLD_LAZY if RTLD_NOW not supported
* Change target API, remove alert arg.
* Write indexes safely
* Fix "severe insanity" warnings
* Support floating point arguments (Jamie Twycross)
* Actually free preprocessor structures
* Strip escapes from snort msgs
* Tidy up signal handling code, make more robust
* Enforce log timeout periods even if no packets arrive
* Tidy up argument parsing code, use strtoul/strtod
* Add skunkdb support to indexing library
* Fix TCP state serialization / deserialization bug
* Loads of minor bug fixes all over the map
* Fix memory-contents leakage in elog
* Allow string values to be parsed by query parser
* Allow querying of skunkdb values
* Move from binary trees to n-ary trees in detect code
* Fix depth/nocase/offset if they don't occur right after 'content'
* Remove limits on log message sizes
* Add notifiers for signals
* Automatically index elog files in gnome-firestorm-console
* Add realtime mode which calls mlockall(2) and sched_setscheduler(2)
* Dynamically expanding initial log buffer
* Add effective_user directive
* Use notifier subsystem to perform cleanups
* Make everything large-file aware
* Add http_normalize preprocessor
* Type support for IDX queries
* Make snort file reading code more robust
* Add NULL/LOOPBACK protocol for BSD virtual interfaces
* Fix endian problems with Linux SLL and NULL/LOOPBACK protocol
* Unify matchers and idx_fields
* Add fobuf/fibuf types for args parsing
* Display help for conversion programs
* Merge pcap and pcapfile plugins
* Fix bugs where wrong packet flags were being set
* Set source information on packets
* Add a sniffer utility

Version 0.5.4

* Fix IPX crash bug (spotted by Antonatos Spiros)
* Fixed fragrouter crash bug
* Add elog indexing support to firecat
* Add concatenation support to firecat
* Changed root dir to be /var/lib/firestorm not /var/firestorm
* Incorporate Matt Hall's RPM spec (matt at ecsc dot co dot uk)
* Fix TCP options parsing
* Fix backwards compatibility with TCP stream elog data
* Global TCP memory accounting
* Fix backwards compatibility with HTTP elog data
* Parse protocol version in HTTP requests
* Firecat didn't error when an input file failed to open
* Fix up some debian packaging issues
* Add query support to firecat
* Add index list mode to firecat to view indexes
* dump target now requires 'append' in order to append
* Fix crash bugs in argument parsing
* Clean up error messages
* Don't append with target plugins
* Remove an erroneous debug message from ipfrag
* Add window matcher for better snort compatibility
* Fix crash bug in elog GTK tree

Version 0.5.3

* Balance alerts between multiple alert spools.
* Added function indexes to each C file in the core.
* Tidy up firecat a little
* Fix target API, remove hup handler, return errors on close.
* Make alerts point to generators
* Documentation spelling fixes (John Leach)
* Remove stupid detect_set()
* Only use getopt_long() if available
* Check for mmap packet socket properly in new makefiles
* Setwise string matching (50% performance increase)
* Use rule ordering, not most-specific, for multiple match
* Start tinkering with creating a debian package
* Start tinkering with gnome-firestorm-console
* Use MADV_SEQUENTIAL for tcpdump
* Fix dsize bug, fix off-by-one offset bug
* Add syslog target
* Fix log ip address bug for ipfrag
* Don't double free fragments when timed out
* Convert dump and elog_write to fbuf (remove writev dependence)
* Add ethereal patch to contrib
* Fix TCP in-window SYN alert for retransmits
* Add new fvec structure and remove sys/uio.h dependence
* Much better HTTP decoder
* Add constructors and destructors for flows
* Add intelligent TCP stream reassembly
* Decode things inside HTTP CONNECT requests
* Reimplement strtouint with strtoul
* Merge IPX snort rule support
* Increase PKT_LAYERS to 16
* Fix window sizing bug in tcpstream
* Support and recognise HTTP post data
* Support HTTP chunked encoded responses
* Make token bucket filters hierarchical
* Complete debian support
* Make http_method matcher properly case sensitive

Version 0.5.2

* Use list head for LRU in tcpstream
* Manual page updates (John Leach)
* Obfuscate email addys in changelog - they are published on the web
* Fixed bug where tcp_match was being called instead of udp_match
* Fixed firestat
* Fixed bug in tcp serialization
* Fixed bugs in tcp state tracking logic
* Don't inline tcpstream_tcpseg
* Alert on suspicious TCP state violations
* Fix0r vlan and ipx decodes (John Leach)
* Add arp printing (John Leach)
* Don't put in redundant "0/0" ip address nodes (spotted by John Leach)
* Fix 802.3-novell encapsulation hack
* Always check for NULL args in matchers
* Use slab cache for tcp sessions
* Restore vim syntax file
* Overhaul plugin API, a bit better now
* Fix minor bug in detect routines (spotted by John Leach)
* Unfuck capdev/capture header dependencies
* Neaten up plugin error messages
* Lots of internal and plugin API cleanups
* Change logging semantics, choose spool dir only
* Start the firestorm user manual in docbook
* TCP SYN timeouts
* Fix timestamping on diagnostic logs
* Buffer alert I/O, massive throughput increase
* Run preprocessors in dispatch() again

Version 0.5.1

* Rewrite configuration code, back to a single config file
* Use hash table for matchers
* Split mesg() out into its own file, tidied and optimised
* Fix shutdown sequence for linux capdev
* Bring back the man pages
* Don't make an application data layer if zero len
* Infrastructure to serialize session data
* Serialize tcp and http state information
* Allow generator-wide rate-limiting
* Remove debugging cruft from string matchers
* Fix parsing of 'rate' in snort signatures
* Made log target more robust
* Made firecat more user friendly
* Go back to a dispatcher model
* Fix ominous bug in string matching, don't match TCP headers!
* Audit decode plugins for common mistakes

Version 0.5.0

* Support alert prioritisation
* Add support for 802.3, 802.3-novell, LLC and SNAP
* Make 802.1q plugin use ethernet registrations
* Fix IP address matching for big-endian machines
* Fix tcpdump plugin when using byte-swapped files
* Fix depth/offset/nocase/regex to work with multiple content matches
* Split up matchers into separate files (greg at ecsc dot co dot uk)
* New rule matching code for tcp/ip snort signatures
* Alerts on most specific rule if it matches more than one
* Beef up strtouint (hex and octal encodings)
* Implement matcher comparisons everywhere
* Use automake 1.6, set default prefix to /usr
* Fix crash bug and memory leak in ipfrag introduced in 0.4.6
* Remove strtoul() from all over the place
* Allow less-than/greater-than for ttl and ip_proto
* Fix ip address lists to work with negation
* Detect errors in hex chars in content rules
* Resolve IP protocols from names (won't work in a chroot)
* Use autoconf for plugins
* Add RPC matcher
* Support snort classtypes
* Add some new fields to log target
* Remove pluggable logging, replace with elog
* Do file-size based log rotation with upper bounds on time
* Centralise output routines to prepare for GUI apps
* Add firecat - a tool for converting elogs to other types of data
* Overhaul configuration, startup order and installation
* Remove delta2 heuristic in Boyer-Moore, use less mem, just as fast
* Fix a bunch of bugs in string matching generally
* IPX / SAP decoders
* Add stormwall daemon to monitor logfiles etc...
* Support RFC1323 window scaling
* Support RFC1323 PAWS (bugs and all)
* Fix tcpstream to support half closed connections
* Catch errors on poll() in linux capdev
* Remove preproc_dispatch(), do everything in decode
* Fix many potential bugs with decoding
* Add burstable token-bucket rate-limiting to alert subsystem

Version 0.4.6

* Substantially clean up the capture subsystem.
* Clean up use of serial numbers in capdev code
* Return void from decode functions
* Call preproc_dispatch() from inside decode functions
* Remove realm bitmasks, stop the voices!
* Move ipfrag and tcpstream into tcpip plugin
* Don't split up tcp rules if stateful inspection is off
* Fix memory leak in signature committal
* Added memprof hack
* Re-write of tcp state tracking code
* Add IGMP decode plugin
* Removed concept of realms, just use protos
* Add mtu option to linux mmap capdev
* Add IrDA decoder plugin
* Pass private data to args_parse() and to callbacks
* Fix crash bug if no captures are specified in the config
* Add new log output plugin
* Always check for libprelude
* Add extended log output plugin (firestorm native files)
* Add boolean data types to args_parse
* Add http decoder (primitive)
* Implement uricontent properly
* Add DNS matching module (dns_recursive/dns_iterative)
* Snort sid/rev support
* Make log target log http_method, http_uri, sid and rev work
* Add http_method matcher
* Fix file clobbering bug in dump (greg at ecsc dot co dot uk)
* Fix various bugs in dump output module (greg at ecsc dot co dot uk)
* Fix infinite loop bug (VERY rare) in string matching
* Add rest of GPL license to COPYING (as pointed out by the FSF)
* Add snort-rules, add Makefile to install them
* Add really cool RPM spec - configures stuff for you
* Handle HUP signal to rotate logs (greg at ecsc dot co dot uk)
* Checksum TCP segments
* Fix some minor issues in snort parsing

Version 0.4.5

* Support IP address lists in snort rules
* Fix permissions of ascii logfile (john at johnleach dot co dot uk)
* Make 'depth' modifier actually work - oops!
* Test for mmap packet socket in configure
* Check for sigaction() in configure, else use signal()
* TCP matching now keeps separate rule chains for state/direction
* Implemented the 'flow' keyword
* gcc3 warning fixes
* Added libprelude output plugin
* Added acinclude.m4 to be able to check for libprelude
* Better error reporting in snort parsing (john at johnleach dot co dot uk)
* Added new argument parsing library for consistent plugin options
* Moved ipfrag over to args_parse()
* Linux capdev can now configure number of blocks to use
* Add contrib/hier.sh to make hacking setup easier
* Some build fixes (amr-aysha at medracen dot net)
* Added regex match (snort style regex, not PCRE or anything)
* Count number of criteria as we go in signature_criteria()
* Allow specification of dump format in dump output plugin
* Check for uio/writev, dump just does 2 write()s if not present
* Specify --with-prelude to check for prelude libs etc..
* Use array instead of linked list in tcpip signature engine
* Parse options for ascii output plugin, add nohex and len options
* Remove unused matcher compare functions
* Change captures over to arguments

Version 0.4.4

* Fix pcapfile bug
* Added fragoffset matcher
* Allow variables for ports in snort rules
* TCP connection tracking / stateful inspection
* Added 'stateless' keyword support
* IP headers inside ICMP are decoded fully
* Figure out pkttype from linux SLL if possible
* Added cleanup handlers to preprocessors
* Use LRU for ipfrag eviction, much faster
* Timeout ip fragments, configurable timeout
* Allow variable negation
* Hack icmp matching to alert like snort
* Only match the first ip-fragment!
* Fix linux SLL decode bug
* Support escaped characters in string match
* Change args_parse api, return -1 on error, 0 on user error

Version 0.4.3

* Check ihl<=tot_len in ip decode
* Check packet length in ipopts decode
* Check we have the whole packet in ipfrag
* Fix bug where reassembled fragments could get matched twice
* Fix interactions between linux capture and ipfrag
* Lots of fixes for ipfrag
* Actually account memory for fragment payloads
* Add 802.1q (vlan) decoder
* Allow 'ascii' logging to file
* Timestamp ascii alerts
* Linux capdev allows interface specification
* dump output, to log to tcpdump files
* Finally get timestamp code correct!
* Marked firestorm.conf as config in RPM
* Implement minttl option for ipfrag
* Extend 'output' config to make it per-generator

Version 0.4.2

* Fix two decoding bugs for reassembled ip fragments
* Fix timestamp for reassembled ipfrag fragments
* Quote author email address in plugin error messages
* Allow require for plugins
* Fix hi/lo watermark default values for ipfrag
* Parse hi/lo watermark values for ipfrag
* Restructure alerting subsystem
* Catch SIGHUP to rotate logs (not firestorm.log)
* Implement 'output' keyword in config file
* icmp_id/icmp_seq only checks echo/echoreply packets
* Get rid of atoi() everywhere. Use strtouint() instead.
* Add --with-libpcap-libraries and --with-libpcap-includes
* Implement nocase string matcher
* IP fragmentation attacks detected by preprocessor
* tcpdump exploits detected by ip decoder
* Some optimisations in the signature engine
* Fix crash bug in IP decoder
* Make sure content and dsize matchers match data not headers
* Put serial numbers on packets
* Don't track ip fragments inside fragments, wait for a reassemble
* Linux SLL protocol now implemented
* Check TCP packet lengths better
* Do IP checksums. Still match packets but don't use them in ipfrag
* Calculate checksums on reassembled IP fragments (dunno why)

Version 0.4.1

* Get rid of madvise() in capdev.tcpdump
* Fix ipaddr/port negation bug in tcp/ip/udp matching
* Negation of ipaddr/port works on bidirectional snort rules
* Centralised alerting subsystem
* Finished ICMP matching code
* Implement icmp_id and icmp_seq (can be ranges)
* Fix TCP,UDP,ICMP decode bug
* Micro-optimisations in TCP and ICMP matching code
* Implement 'require' keyword in config file
* Split string matching into separate plugin
* Oops, actually implement IP ID matcher!
* IP Options matcher
* Depth and Offset supported in content matcher
* Fix RPM and tarball binary builds