[RELEASE]: Version 0.5.5
Posted By: Gianni Tedesco - Wed Jul 14 2004
After possibly the longest inter-release gap ever, firestorm 0.5.5 has finally dropped. There are LOTS of changes. This ought to be the fastest firestorm yet. Lots of bugs have been fixed and large file support has been added. The GNOME firestorm console finally has rudimentary support for filtering. There is now a packet sniffer application included in the package which is used for testing the capture subsystem.
Mailing List Archives
Posted By: Gianni Tedesco - Sat Jan 31 2004
Thanks to John, the firestorm mailing list is now archived (and spam free). Also to keep you all updated, version 0.5.5 is on the way. There are a lot of performance improvements, bugfixes, and other things to amuse and entertain, so hopefully the long wait will be almost worth it. Sucks to have a jay-oh-bee.
New Server + New Screenshot
Posted By: Gianni Tedesco - Thu Oct 17 2003
We are now running on a fast new server, which is nice. It's also totally private, and not owned by any company, which allows me some freedom - heh. I also changed the analyst console gui to use HTML for displaying packets which is a little more pleasant on the eye (sorry for the blurring). I have had no time for firestorm since moving to Luxembourg last month, but as soon as I get a laptop for home, that will all change. And I can promise you some very interesting developments in the new version.
Changes to Hosting
Posted By: Gianni Tedesco - Thu Aug 28 2003
This site will be moving to a new server and a new IP address at some point over the next week or so. We will have much more bandwidth and a faster box (not that either is an issue currently). I will also be dropping the CVS service which is now pretty much redundant. Service interruptions should be minimal. The new version (0.5.5) is well on its way and will have fully working and tested binary packages (hurrah).
[RELEASE]: Version 0.5.4
Posted By: Gianni Tedesco - Tue Aug 05 2003
This has been tagged in CVS, but I've been holding off for ages in order to get binaries done and have realised I won't have time. I'm going to be leaving the country for a few months and have other things to think about (although hacking is still happening). This should incorporate all of the bugfixes people have been having problems with. New features are the start of indexing and filtering support in firecat. The 0.5.5 branch (which is also using subversion instead of CVS) already has some more work in this area and is worth taking a look at.
[RELEASE]: Version 0.5.3
Posted By: Gianni Tedesco - Sun Jun 08 2003
This new version has a lot of experimental changes so is of low priority. Most notable of the changes is TCP stream reassembly which will be maturing greatly over the next few releases and also a first cut at supporting the IPX protocol, snort rules and all. There are some rather large performance and scalability improvements in a number of areas and also a few small bugfixes and API cleanups. The elog ethereal patch and the new GNOME UI are also bundled with this release.
TCP stream reassembly in CVS
Posted By: Gianni Tedesco - Fri Apr 25 2003
As of today firestorm has TCP stream reassembly support. Just download the latest snapshot/CVS and add reassemble=yes to your tcpstream configuration and you are ready to test it. There are still limitations, however. Right now it only reassembles in-order segments (out-of-order segment queuing is coming later); it also sucks up memory.
The reassembly technique is quite smart: it uses the application layer decoders to determine whether or not to start reassembling traffic. What this means is that there is effectively zero performance degradation until someone tries to evade the sensor using TCP evasion techniques. As an example, if a packet comes along with "GET /AAAAAAAAAAAAAAAAAAA HT", reassembly will be enabled until it sees the next packet which contains "TP/1.0\r\n\r\n". The two packets are then sewn together and matched to the rules and reassembly is again disabled for that connection.
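To make the on-demand scheme above concrete, here is an added illustration in C. It is not firestorm code: the connection struct, the three-method HTTP decoder, the single content rule on "HTTP/1.0" and the 1024-byte buffer cap are all assumptions made for this example. It stitches only in-order segments, matching the limitation the post describes, and it stops buffering as soon as the decoder reports a complete request, so a connection that never splits a request never pays for a copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REASM_MAX 1024   /* assumed per-connection cap: bounds the memory cost */

/* Per-connection state. Reassembly stays off until the HTTP decoder asks for it. */
struct conn {
    int reassembling;
    uint32_t next_seq;   /* sequence number the next in-order segment must carry */
    size_t len;
    char buf[REASM_MAX];
};

/* Naive substring search so the example does not depend on GNU memmem(). */
static const char *find_bytes(const char *hay, size_t hlen, const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen)
        return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* Minimal HTTP request decoder (assumed for the example). Returns:
 *   1  complete request: method seen and headers terminated by CRLF CRLF
 *   0  looks like HTTP but is cut short -> ask for reassembly
 *  -1  not HTTP at all -> match per packet, never buffer */
static int http_decode(const char *data, size_t len)
{
    static const char *methods[] = { "GET ", "POST ", "HEAD " };
    for (size_t m = 0; m < sizeof methods / sizeof methods[0]; m++) {
        size_t n = strlen(methods[m]);
        if (len < n) {
            if (memcmp(data, methods[m], len) == 0)
                return 0;    /* e.g. "GE": may still become a request */
            continue;
        }
        if (memcmp(data, methods[m], n) == 0)
            return find_bytes(data, len, "\r\n\r\n", 4) ? 1 : 0;
    }
    return -1;
}

/* Stand-in for the signature engine: one assumed content rule on "HTTP/1.0". */
static int rule_match(const char *data, size_t len)
{
    return find_bytes(data, len, "HTTP/1.0", 8) != NULL;
}

static void reasm_reset(struct conn *c)
{
    c->reassembling = 0;
    c->len = 0;
}

/* Feed one TCP segment's payload. Returns 1 if the rule fired, 0 otherwise. */
int process_segment(struct conn *c, uint32_t seq, const char *data, size_t len)
{
    if (!c->reassembling) {
        int st = http_decode(data, len);
        if (st != 0 || len > REASM_MAX)
            return rule_match(data, len);   /* fast path: no copying at all */
        /* Partial request: start buffering this connection only. */
        memcpy(c->buf, data, len);
        c->len = len;
        c->next_seq = seq + (uint32_t)len;
        c->reassembling = 1;
        return 0;
    }
    /* Only in-order segments are stitched; anything else resets the buffer
       (out-of-order queuing is the limitation the post mentions). */
    if (seq != c->next_seq || c->len + len > REASM_MAX) {
        reasm_reset(c);
        return 0;
    }
    memcpy(c->buf + c->len, data, len);
    c->len += len;
    c->next_seq += (uint32_t)len;
    if (http_decode(c->buf, c->len) != 1)
        return 0;            /* still incomplete, keep buffering */
    int hit = rule_match(c->buf, c->len);
    reasm_reset(c);          /* request complete: stop paying for reassembly */
    return hit;
}

int main(void)
{
    struct conn c = { 0 };
    const char *s1 = "GET /AAAAAAAAAAAAAAAAAAA HT";   /* the split from the post */
    const char *s2 = "TP/1.0\r\n\r\n";
    int a = process_segment(&c, 1000, s1, strlen(s1));
    int b = process_segment(&c, 1000 + (uint32_t)strlen(s1), s2, strlen(s2));
    printf("segment 1 alone: %d, after stitching segment 2: %d\n", a, b);
    return 0;
}
```

The first segment alone never matches, which is exactly what the evasion relies on; the stitched buffer does. Note that a segment arriving out of order while buffering is simply dropped from the buffer here, so the same split sent in reverse order still evades this toy, just as the post says it would.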
Real GNOME analyst console! :)
Posted By: Gianni Tedesco - Mon Mar 17 2003
Work has finally begun on the GNOME-based firestorm analyst console, you can get the code from CVS or download a snapshot. At the moment you can only open elog files and browse around them, but the future looks promising. Check out the obligatory screenshot [531KB]. (Yes of course I eat my own dogfood).
Ethereal Elog Updated
Posted By: Gianni Tedesco - Wed Mar 05 2003
John Leach has updated his ethereal patch and submitted it for inclusion to the ethereal folks. The patch allows you to read, sort and search your IDS data in the familiar ethereal interface that we all know and love so well. You can get the patch and the mandatory screenshot at his site.
Ethereal Elog Decode
Posted By: Gianni Tedesco - Tue Jan 28 2003
Thanks to the hard work of John Leach, you can now open firestorm extended logs in ethereal. You can get a screenshot but no code just yet. Please pester him (john at johnleach dot co dot uk) to finish it and release it ;)
[RELEASE]: Version 0.5.2
Posted By: Gianni Tedesco - Sun Jan 19 2003
Most of the changes in this version are internal API cleanups and some performance improvements. Lots of bugfixes though, so this will keep you going until 0.5.3, which will be something special. Oh, and while you're at it check out the new documentation.
Screenshots of firestorm GUI console
Posted By: Gianni Tedesco - Wed Jan 15 2003
I have the first version of a firestorm GUI console planned. You will be able to view, filter and sort events and not much else in the first version. Nothing to show yet, but I thought I'd upload some screenshots of my fiddling with GNOME2. The first shot was going to be a signature manager and the second one will be my starting point for the interface. Lame huh? Just you wait ;)
[RELEASE]: Version 0.5.1
Posted By: Gianni Tedesco - Tue Dec 03 2002
Sane and bugfixed version of 0.5.0; don't use 0.5.0, it sucks.
Evading Network Intrusion Detection Systems
Posted By: Gianni Tedesco - Sun Dec 01 2002
This has been there a while but firestorm users should be aware. I have started keeping some notes detailing how to evade network IDS software (including firestorm). If you know of any other specific details regarding any bit of NIDS software please let me know, I am quite interested in this kind of thing.
[RELEASE]: Version 0.5.0
Posted By: Gianni Tedesco - Mon Nov 19 2002
It's been a while but hopefully this new version will have plenty for you to get your teeth into. The configuration and setup has changed quite a lot so check out the README file for new instructions. The new system brings us closer towards the goal of remote logging and on-the-fly sensor re-configuration. The new version has lots of major bugfixes, including a fix for a crash-bug discovered soon after the 0.4.6 release. There are 2 new snort keywords 'rate' and 'burst' allowing you to ratelimit the alerts that certain rules can generate. There should also be some performance improvements due to a new patent-not-pending algorithm for matching the rules. I hope you like it.
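As an added example of what per-rule alert rate limiting can look like in code, and not firestorm's own implementation (the post shows neither the keyword syntax nor its exact semantics), this C token bucket treats 'burst' as the number of alerts a rule may emit back to back and 'rate' as how many per second are replenished afterwards. Both readings, the double-valued timestamps and the count_allowed helper are assumptions of the example.

```c
#include <stdio.h>

/* Token bucket for one rule's alerts. Assumed semantics: 'burst' alerts may
   fire back to back, then 'rate' more per second. Time is seconds as a double. */
struct ratelimit {
    double rate;     /* tokens added per second */
    double burst;    /* bucket capacity, i.e. maximum back-to-back alerts */
    double tokens;   /* alerts currently permitted */
    double last;     /* timestamp of the last refill */
};

void ratelimit_init(struct ratelimit *r, double rate, double burst, double now)
{
    r->rate = rate;
    r->burst = burst;
    r->tokens = burst;   /* start full so the first burst is not delayed */
    r->last = now;
}

/* Returns 1 if an alert may be emitted at time 'now', 0 if it is suppressed.
   Refill is computed lazily from the elapsed time, so there is no timer. */
int ratelimit_allow(struct ratelimit *r, double now)
{
    if (now > r->last) {
        r->tokens += (now - r->last) * r->rate;
        if (r->tokens > r->burst)
            r->tokens = r->burst;   /* a long quiet period never buys more than one burst */
        r->last = now;
    }
    if (r->tokens >= 1.0) {
        r->tokens -= 1.0;
        return 1;
    }
    return 0;
}

/* How many of n alerts raised at the same instant get through (the rest are dropped). */
int count_allowed(struct ratelimit *r, int n, double now)
{
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += ratelimit_allow(r, now);
    return ok;
}

int main(void)
{
    struct ratelimit r;
    ratelimit_init(&r, 1.0, 5.0, 0.0);   /* assumed: rate 1/s, burst 5 */
    printf("flood at t=0: %d of 100 alerts pass\n", count_allowed(&r, 100, 0.0));
    printf("flood at t=2: %d of 100 alerts pass\n", count_allowed(&r, 100, 2.0));
    return 0;
}
```

The point of putting this per rule rather than per sensor is that a noisy rule under a flood (stick/snot-style traffic, say) stops filling the log while every other rule keeps alerting normally.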
[RELEASE]: Version 0.4.6
Posted By: Gianni Tedesco - Mon Aug 19 2002
Version 0.4.6 fixes a few small bugs. Big improvements have been made to the TCP state tracking code which make it much more accurate and efficient. There is a new output module which produces parsable text logs. There is a simplistic HTTP decoder which allows uricontent to work properly for the first time. Snort sid/rev are supported. Snort rules are now bundled with the default distribution and a number of packaging improvements have been made. SIGHUP is now handled fully for log rotation. A new extended log output plugin has also been added which provides logs in native firestorm format.
[RELEASE]: Version 0.4.5
Posted By: Gianni Tedesco - Mon Jun 24 2002
This new version is basically just bugfixes and small feature additions. New features include support for snort IP address lists and also support for the 'flow' keyword and regex string matching. With this release all of the rules that ship with snort should work straight out of the box with no modification (except for rpc.rules). Also if you compile with the --with-prelude option you can now use firestorm to log remotely to prelude-manager. Also notable is the fact that some config file options have changed so you will need to update existing firestorm.confs out there. See the sample config file and man page for more info.
[RELEASE]: Version 0.4.4
Posted By: Gianni Tedesco - Sun Jun 09 2002
TCP stateful inspection is here. No more stick/snot woes. Firestorm now tracks the state of TCP connections, only alerting on TCP packets which are part of an established stream. For rules that need to be able to match packets that aren't part of valid streams the snort 'stateless' keyword can be used. There have also been major updates to the ipfrag module which now supports configurable reassembly timeouts and uses an LRU list for OOM eviction (which is much faster). Snort rule parsing has been improved and there have been plenty of bugfixes too.
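An added illustration of the gating the post describes, written for this page rather than taken from firestorm: a minimal TCP state machine that lets a rule run against a segment only if the flow's three-way handshake has been observed, unless the rule is marked stateless. The state names, the direction argument and the two demo functions are assumptions of the example; a real tracker also needs sequence-window checks, timeouts and half-open handling, all left out here.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as laid out in the header's flags byte. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10

enum tcp_state { TS_NONE, TS_SYN_SENT, TS_SYN_RECV, TS_ESTABLISHED };

struct flow {
    enum tcp_state state;
};

/* Advance the flow for one segment. to_server is 1 for the client->server
   direction and 0 for the reply direction. Returns the new state. */
enum tcp_state tcp_track(struct flow *f, int to_server, uint8_t flags)
{
    uint8_t sa = flags & (TH_SYN | TH_ACK);
    if (flags & TH_RST) {            /* a reset tears the flow down from any state */
        f->state = TS_NONE;
        return f->state;
    }
    switch (f->state) {
    case TS_NONE:
        if (to_server && sa == TH_SYN)
            f->state = TS_SYN_SENT;
        break;
    case TS_SYN_SENT:
        if (!to_server && sa == (TH_SYN | TH_ACK))
            f->state = TS_SYN_RECV;
        break;
    case TS_SYN_RECV:
        if (to_server && sa == TH_ACK)
            f->state = TS_ESTABLISHED;
        break;
    case TS_ESTABLISHED:
        if (flags & TH_FIN)          /* simplified: one FIN ends inspection */
            f->state = TS_NONE;
        break;
    }
    return f->state;
}

/* The gate: a rule runs against this segment only when the flow is
   established, unless the rule carries the snort 'stateless' keyword. */
int rule_may_fire(const struct flow *f, int rule_stateless)
{
    return rule_stateless || f->state == TS_ESTABLISHED;
}

/* Stick/snot-style flood: n spoofed ACK|PSH segments with no handshake behind
   them. Returns how many of them a stateful rule is allowed to see. */
int demo_spoofed_flood(int n)
{
    struct flow f = { TS_NONE };
    int seen = 0;
    for (int i = 0; i < n; i++) {
        tcp_track(&f, 1, TH_ACK | TH_PSH);
        seen += rule_may_fire(&f, 0);
    }
    return seen;
}

/* A legitimate handshake followed by one data segment, then a RST.
   Returns 1 if the stateful rule may fire on the data segment. */
int demo_handshake(void)
{
    struct flow f = { TS_NONE };
    tcp_track(&f, 1, TH_SYN);
    tcp_track(&f, 0, TH_SYN | TH_ACK);
    tcp_track(&f, 1, TH_ACK);
    tcp_track(&f, 1, TH_ACK | TH_PSH);
    return rule_may_fire(&f, 0);
}

int main(void)
{
    printf("spoofed flood: %d of 1000 segments reach a stateful rule\n",
           demo_spoofed_flood(1000));
    printf("real handshake: rule may fire = %d\n", demo_handshake());
    return 0;
}
```

The trade-off is the one the 'stateless' keyword exists for: a rule that must catch a bare SYN scan or a forged RST has to opt out of the gate, and then it is once again exposed to spoofed noise.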
[RELEASE]: Version 0.4.3
Posted By: Gianni Tedesco - Sun May 26 2002
This release packs a whole host of bugfixes. The other main changes are in the alerting subsystem. You can now log to tcpdump files ('dump' module) and the ascii logs can now live outside the main firestorm logfile. You will be pleased to hear that output modules can now be configured differently depending on which module generated the alert. (eg: stateful ip fragmentation attacks can be logged as ascii, while alerts generated by the TCP signature engine can be logged to a tcpdump file, while all other alerts log to both).
[RELEASE]: Version 0.4.2
Posted By: Gianni Tedesco - Sun May 12 2002
Version 0.4.2 is mainly a bugfix release. Lots of bugs have been squashed so it should now be as stable as a table. There are a few new features too, such as case insensitive string matching, the ability to configure output plugins and the ability to tune IP defragmentation settings. All users are recommended to upgrade to this version. Check the NEWS file (on the download page) for details of bugfixes and new features.
[RELEASE]: Version 0.4.1
Posted By: Gianni Tedesco - Sun May 05 2002
Version 0.4.1 has been released with a few bugfixes and a bunch of feature enhancements. Most of the feature enhancements are just the porting across of old plugins. ICMP now works fully, the content matcher now supports depth and offset. There is now an IP options matcher. The 'require' keyword in the config file works now. Binary builds should now work properly as well.
[RELEASE]: Version 0.4.0 aka Greasy weasel!
Posted By: Gianni Tedesco - Wed Apr 23 2002
No I haven't just been wasting my time making dumb websites! Over about the last six weeks I have been busily re-writing the firestorm core. The new release series (0.4.x) is much nicer code, supports preprocessors, will allow cooler features, and most importantly it is dick-wavingly fast, especially when it comes to IP defragmentation. It supports all of the old features with a few minor omissions, you can't use icmp snort rules yet and the logging support is limited. It is basically a matter of porting the old plugins so you will see all this stuff in the next release or so. Head on over to the download section and give it a go.
[ANNOUNCE]: New website design
Posted By: Gianni Tedesco - Mon Apr 22 2002
With great reservation, I timidly unveil the new website. It kinda needed the changes. There was too much information to stay on one page really. I have kept the pages standards compliant, we are still perfect HTML 3.2 and render perfectly in links, lynx, mozilla, gtkhtml, konqueror and friends. The pages still don't stuff my favourite fonts down your throat but they do stuff my favourite colours in your face though (if you use a graphical browser). If you don't like the colours, you should be able to disable them with relative ease. Hopefully the site should be more efficient to navigate now though.
This page is public domain. No trademarks, no patents, no copywrongs.