----[ Version 0.6.0 ]----
FOCUS: Move towards architectural soundness

o Integrate signatures, fields, types and indexes for totally flexible packet matching.
  o Fix snort fieldhacks to use correct fields for each protocol
  o Reimplement bool type
  o Reimplement last few matchers
  o Lazily auto-allocate sig.proto generators
  o Fully manage rulesets within pipeline.c (call optimize method)
  o Implement pipeline_rules_delete_all()
o Reimplement indexing and querying in pipeline API
  o New indexing code, new DB format
    o Index -> offset table (reverse lookup fields)
    o Split idx_onode keys from results and use smallest types possible
    o Allow for differentiation of results (when 2 offsets have the same value)
  o New querying code
  o Automate index usage
o Make pipeline API usable for gnome-firestorm-console, then use it
o Finish elog-spool exporter
  o Non-buffered writeout path
  o Synchronous writeout mode
  o Double check do_dir_fsync is called where necessary
o Elog updates
  o Move to elog 0.3
  o Add backwards compatibility reading for 0.2
o Miscellaneous bug fixes
  o Fix uricontent
  o Change strtouint -> strtou32/strtou64
  o Make rate/burst in query API take timestamp_t
  o Fix ICMP decoding
  o Fix firecat usage for elog files
  o Problem with http_uri when http_normalize is off
  o Fix HTTP state serialization finally
o Sprinkle __public and __private all over libfirestorm
o Support select, kqueue (BSD), /dev/poll (Solaris), SIGIO
  o Test on FreeBSD and Solaris
o Update documentation
  o Make sure args are exported and displayed as much as possible
  o Multiple captures now allowed, discuss semantics
  o Multiple exporters now allowed, output directive format changed
  o Firecat options changed
  o Make sure elog version problems give clear error messages
  o Captures must all be initialised before exporters...
  o Update website with new docs
  o Put new profiles and graphs on website

----[ Version 0.6.1 ]----
FOCUS: Finish off core signature API changes allowing for dynamic rulebase

o Update + optimize detect API
  o Investigate replacing layer array with list
  o Change detect API so nodes return a child bitmask; this allows higher-level manipulation of the linkages and lets the optimize method swap in a new data structure, but may increase cache footprint.
  o Use IDDs for online queries of integer types
  o Remove recursion in detect.c
  o Shrink size of struct detect
  o Change detect API to not rely solely on alerts
o Allow boolean logic in queries
  o Pass parse trees from parsers
  o Integrate new query scheduler with detect.c, allowing unindexed fields
  o Investigate implementing high-level tree optimizations
o Native firestorm query language
  o Remove snort compatibility fields and use normal fields + boolean logic
  o Update snort compatibility, where possible
o Allow arbitrary pipeline creation (no GUI just yet)
o Capdev improvements
  o Allow pcap captures to be filtered with an extra option. Document.
  o Allow setting of promiscuous mode in linux capdev
  o Add a wiretap capdev
o Use fobuf for mesg
  o Local printf implementation with support for fvec strings and other firestorm types
  o Allow local printf implementation to use fobuf efficiently
  o On EINTR in fobuf/fibuf/flbuf/fdctl, call callbacks
o Miscellaneous bugfixes
  o Fix flbuf interface to not use callbacks
  o Allow deletion from mpools
    o Add mpool_cap() to realloc down the last slab
  o Make sure firestorm_die_error/firestorm_exit cannot be hit at runtime, and also ratelimit any mesg() that may be caused by a packet.
  o Add install hooks to do the steps in README unless --no-post-install is passed to configure, or something similar...
  o Allow logging of all received packets in firestorm-nids
  o IPv6 support (at least to get at IPv4 inside tunnels)
  o Merge linkerset patch
o Documentation
  o Start to flesh out the development guide
  o Add more to the user guide

----[ Version 0.6.2 ]----
FOCUS: Polish up the console

o Allow signature removal
  o activate/dynamic rules
o Remove GtkHTML dependency
o Remove dprint method of protocols, use field API
  o Support ranges and bitfields in field API and use them like ethereal does in gnome-firestorm-console
o File->Save as in GUI
o args: Add ARGTYPE_DATE/ARGTYPE_TIME (specific time/length of time)
o args: Support validator functions and extended error reporting
o args: Support constraints
o args: Support combos
o HAL support in GUI
  o Interface finding API for capdevs
o Merge pmacros.h with sys.h (add assembly-optimized byteswapping functions)
o Serious work on tcpstream
  o Implement all timeouts
  o Do segment re-ordering
  o Support SACK
  o MMX/SSE/Altivec TCP checksumming
  o Optimize reassembly

----[ Version 0.6.3 ]----
FOCUS: Move to multi-sensor architecture

o Alert throttling stuff
  o Needs to come before stormwall because spool layout may change for substreams in elog files
o Revive stormwall
  o Supervisor that runs stormwall and child nids processes. This allows getting rid of signal-based messaging and means that all processes will have a common ancestor from which to obtain handles to shared resources.
  o 2-way low-latency interactive connection between sensor and console. This carries high-priority messages from the sensor, and correlation information and reconfiguration requests from the console.
  o For untrusted links, a high-latency bulk transfer system with surveillance countermeasures will be used to send alerts, or any information whose transmission may be triggered by an attacker. Over a dedicated secured IDS link the normal system will be used instead.
  o Configurable secure transport for both types of link (dedicated/untrusted network). That means authentication + confidentiality. Probably TLS. Maybe a workalike that doesn't use ASN.1 or support insecure ciphers/hashes.

----[ Version 0.6.4 ]----
FOCUS: Alert correlation functionality