[RELEASE]: Version 0.5.5
Posted By: Gianni Tedesco - Wed Jul 14 2004
After possibly the longest inter-release gap ever firestorm 0.5.5 finally
dropped. There are LOTS of changes. This ought to be the fastest firestorm
yet. Lots of bugs have been fixed and large file support has been added.
The GNOME firestorm console finally has rudimentary support for filtering.
There is now a packet sniffer application included in the package which is
used for testing the capture subsystem.
Mailing List Archives
Posted By: Gianni Tedesco - Sat Jan 31 2004
Thanks to John, the firestorm
mailing list is now archived (and spam free).
Also to keep you all updated, version 0.5.5 is on the way. There are a
lot of performance improvements, bugfixes, and other things to amuse and
entertain, so hopefully the long wait will be almost worth it. Sucks to
have a jay-oh-bee.
New Server + New Screenshot
Posted By: Gianni Tedesco - Thu Oct 17 2003
We are now running on a fast new server, which is nice. It's also
totally private, and not owned by any company, which allows me some
freedom - heh. I also changed the analyst console gui to use HTML
for displaying packets which
is a little more pleasant on the eye (sorry for the blurring). I
have had no time for firestorm since moving to Luxembourg last month
but as soon as I get a laptop for home, that will all change. And I
can promise you some very interesting developments in the new
version.
Changes to Hosting
Posted By: Gianni Tedesco - Thu Aug 28 2003
This site will be moving to a new server and a new IP address at
some point over the next week or so. We will have much more
bandwidth and a faster box (not that either is an issue currently).
I will also be dropping the CVS service which is now pretty much
redundant. Service interruptions should be minimal. The new version
(0.5.5) is well on its way and will have fully working and tested
binary packages (hurrah).
[RELEASE]: Version 0.5.4
Posted By: Gianni Tedesco - Tue Aug 05 2003
This has been tagged in CVS but I've been holding off for ages in order
to get binaries done but realised I won't have time. I'm going to be
leaving the country for a few months and have other things to think
about (although hacking is still happening). This should incorporate
all of the bugfixes people have been having problems with. New features
are the start of indexing and filtering support in firecat. The 0.5.5
branch (which is also using subversion instead of CVS) already has some
more work in this area and is worth taking a look at.
[RELEASE]: Version 0.5.3
Posted By: Gianni Tedesco - Sun Jun 08 2003
This new version has a lot of experimental changes so is of low
priority. Most notable of the changes is TCP stream reassembly which
will be maturing greatly over the next few releases and also a first
cut at supporting the IPX protocol, snort rules and all. There are some
rather large performance and scalability improvements in a number of
areas and also a few small bugfixes and API cleanups. The elog ethereal
patch and the new GNOME UI is also bundled with this release.
TCP stream reassembly in CVS
Posted By: Gianni Tedesco - Fri Apr 25 2003
As of today firestorm has TCP stream reassembly support. Just download the
latest snapshot/CVS and add reassemble=yes on to your tcpstream configuration
and you are ready to test it. There are still limitations, however. Right now
it only reassembles in-order segments (out-of-order segment queuing is coming
later); it also sucks up memory.
The reassembly technique is quite smart: it uses the application layer
decoders to determine whether or not to start reassembling traffic. What
this means is that there is effectively zero performance degradation
until someone tries to evade the sensor using TCP evasion techniques.
As an example, if a packet comes along with "GET /AAAAAAAAAAAAAAAAAAA HT",
reassembly will be enabled until it sees the next packet which
contains "TP/1.0\r\n\r\n". The two packets are then sewn together and
matched to the rules and reassembly is again disabled for that
connection.
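An added illustration (example code, not Firestorm's own) of the decoder-driven reassembly described above: an HTTP request-line decoder reports "partial" when a segment looks like the start of a request but the CRLF has not arrived, which switches buffering on for that connection, and buffering switches off again as soon as the joined data is complete and has been matched. The rule set, the request-line regex, the buffer cap and the split segments are constructed for the example.

```python
import re

# Constructed rule set: name -> pattern applied to the (possibly reassembled) data.
RULES = {"long-uri": re.compile(rb"GET /A{16,} HTTP/1\.[01]\r\n")}
# A complete HTTP request line, as the constructed decoder recognises it.
REQ_LINE = re.compile(rb"^[A-Z]+ [^ \r\n]+ HTTP/1\.[01]\r\n")
METHODS = (b"GET ", b"POST ", b"HEAD ")
MAX_REASM = 4096  # cap on buffered bytes per connection (the post notes memory use)


def decode_http(data: bytes) -> str:
    """Cheap application-layer decode of the start of a TCP payload.
    'complete': a whole request line is present; 'partial': looks like the
    start of one but the CRLF has not arrived yet; 'none': not HTTP."""
    if REQ_LINE.match(data):
        return "complete"
    if data and b"\r\n" not in data and any(m.startswith(data[:len(m)]) for m in METHODS):
        return "partial"
    return "none"


class Connection:
    """Per-connection state: reassembly is off until the decoder asks for it."""

    def __init__(self) -> None:
        self.reassembling = False
        self.buf = b""
        self.alerts = []

    def segment(self, payload: bytes) -> list:
        """Feed one in-order segment; return the rules matched by this call."""
        data = self.buf + payload if self.reassembling else payload
        if decode_http(data) == "partial" and len(data) <= MAX_REASM:
            # Decoder saw an incomplete request line: buffer and wait for more.
            self.reassembling, self.buf = True, data
            return []
        # Complete (or not HTTP, or over the cap): match the sewn-together data,
        # then switch reassembly back off so the fast path resumes.
        hits = [name for name, rx in RULES.items() if rx.search(data)]
        self.reassembling, self.buf = False, b""
        self.alerts.extend(hits)
        return hits


if __name__ == "__main__":
    evasive = Connection()
    # Constructed two-segment split from the post: "GET /AAA... HT" then "TP/1.0\r\n\r\n".
    print(evasive.segment(b"GET /AAAAAAAAAAAAAAAAAAA HT"), evasive.reassembling)
    print(evasive.segment(b"TP/1.0\r\n\r\n"), evasive.reassembling)
```

A segment carrying the whole request line never touches the buffer, which is the "zero degradation" path; only the split request pays for reassembly.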
Real GNOME analyst console! :)
Posted By: Gianni Tedesco - Mon Mar 17 2003
Work has finally begun on the GNOME-based firestorm analyst console,
you can get the code from CVS or download a
snapshot. At the moment you can only open elog files and browse
around them, but the future looks promising. Check out the
obligatory screenshot
[531KB]. (Yes of course I eat my own dogfood).
Ethereal Elog Updated
Posted By: Gianni Tedesco - Wed Mar 05 2003
John Leach has
updated his ethereal patch and submitted it for inclusion to
the ethereal folks. The patch allows you to read, sort and search
your IDS data in the familiar ethereal interface that we all know
and love so well.
You can get
the patch and the mandatory
screenshot at his site.
Ethereal Elog Decode
Posted By: Gianni Tedesco - Tue Jan 28 2003
Thanks to the hard work of John Leach, you can now open firestorm
extended logs in ethereal. You can get a screenshot but no code just yet. Please pester him (john at
johnleach dot co dot uk) to finish it and release it ;)
[RELEASE]: Version 0.5.2
Posted By: Gianni Tedesco - Sun Jan 19 2003
Most of the changes in this version are internal API cleanups and some
performance improvements. Lots of bugfixes though, so this will keep
you going until 0.5.3, which will be something special. Oh, and while
you're at it check out the new documentation.
Screenshots of firestorm GUI console
Posted By: Gianni Tedesco - Wed Jan 15 2003
I have the first version of a firestorm GUI console planned. You
will be able to view, filter and sort events and not much else in the
first version. Nothing to show yet, but I thought I'd upload some
screenshots of my fiddling with GNOME2. The
first shot was going to be a
signature manager and the second one
will be my starting point for the interface. Lame huh? Just you wait ;)
[RELEASE]: Version 0.5.1
Posted By: Gianni Tedesco - Tue Dec 03 2002
Sane and bugfixed version of 0.5.0; don't use 0.5.0, it sucks.
Evading Network Intrusion Detection Systems
Posted By: Gianni Tedesco - Sun Dec 01 2002
This has been there a while but firestorm users should be aware.
I have started keeping some
notes detailing how to evade network IDS software (including
firestorm). If you know of any other specific details regarding
any bit of NIDS software please let me know, I am quite interested
in this kind of thing.
[RELEASE]: Version 0.5.0
Posted By: Gianni Tedesco - Mon Nov 19 2002
It's been a while but hopefully this new version will have plenty
for you to get your teeth into. The configuration and setup has
changed quite a lot so check out the README
file for new instructions. The new system brings us closer towards
the goal of remote logging and on-the-fly sensor re-configuration.
The new version has lots of major bugfixes, including a fix for a
crash-bug discovered soon after the 0.4.6 release. There are 2 new
snort keywords, 'rate' and 'burst', allowing you to rate-limit the alerts
that certain rules can generate. There should also be some performance
improvements due to a new patent-not-pending algorithm for matching the
rules. I hope you like it.
[RELEASE]: Version 0.4.6
Posted By: Gianni Tedesco - Mon Aug 19 2002
Version 0.4.6 fixes a few small bugs. Big improvements have been
made to the TCP state tracking code which make it much more accurate
and efficient. There is a new output module which produces parsable
text logs. There is a simplistic HTTP decoder which allows uricontent
to work properly for the first time. Snort sid/rev are supported.
Snort rules are now bundled with the default distribution and a number
of packaging improvements have been made. SIGHUP is now handled fully
for log rotation. A new extended log output plugin has also been added
which provides logs in native firestorm format.
[RELEASE]: Version 0.4.5
Posted By: Gianni Tedesco - Mon Jun 24 2002
This new version is basically just bugfixes and small feature
additions. New features include support for snort IP address lists
and also support for the 'flow' keyword and regex string matching.
With this release all of the rules that ship with snort should work
straight out of the box with no modification (except for rpc.rules).
Also if you compile with the --with-prelude option you can now use
firestorm to log remotely to
prelude-manager.
Also notable is the fact that some config file options have changed
so you will need to update existing firestorm.confs out there. See
the sample config file and man page for more info.
[RELEASE]: Version 0.4.4
Posted By: Gianni Tedesco - Sun Jun 09 2002
TCP stateful inspection is here. No more stick/snot woes. Firestorm
now tracks the state of TCP connections only alerting on TCP packets
which are part of an established stream. For rules that need to be
able to match packets that aren't part of valid streams the snort
'stateless' keyword can be used. There have also been major updates
to the ipfrag module which now supports configurable reassembly
timeouts and uses an LRU list for oom eviction (which is much faster).
Snort rule parsing has been improved and there have been plenty of
bugfixes too.
[RELEASE]: Version 0.4.3
Posted By: Gianni Tedesco - Sun May 26 2002
This release packs a whole host of bugfixes. The other main
changes are in the alerting subsystem. You can now log to
tcpdump files ('dump' module) and the ascii logs can now
live outside the main firestorm logfile. You will be pleased
to hear that output modules can now be configured differently
depending on which module generated the alert. (eg: stateful
ip fragmentation attacks can be logged as ascii, while alerts
generated by the TCP signature engine can be logged to a
tcpdump file, while all other alerts log to both).
[RELEASE]: Version 0.4.2
Posted By: Gianni Tedesco - Sun May 12 2002
Version 0.4.2 is mainly a bugfix release. Lots of bugs have
been squashed so it should now be as stable as a table. There
are a few new features too, such as case insensitive string
matching, the ability to configure output plugins and the
ability to tune IP defragmentation settings. All users are
recommended to upgrade to this version. Check the NEWS file
(on the download page) for details of bugfixes and new features.
[RELEASE]: Version 0.4.1
Posted By: Gianni Tedesco - Sun May 05 2002
Version 0.4.1 has been released with a few bugfixes and a bunch
of feature enhancements. Most of the feature enhancements are just
the porting across of old plugins. ICMP now works fully, the content
matcher now supports depth and offset. There is now an IP options
matcher. The 'require' keyword in the config file works now. Binary
builds should now work properly as well.
[RELEASE]: Version 0.4.0 aka Greasy weasel!
Posted By: Gianni Tedesco - Wed Apr 23 2002
No I haven't just been wasting my time making dumb websites! Over
about the last six weeks I have been busily re-writing the firestorm
core. The new release series (0.4.x) is much nicer code, supports
preprocessors, will allow cooler features, and most importantly
it is dick-wavingly fast, especially when it comes to IP
defragmentation. It supports all of the old features with a few minor
omissions, you can't use icmp snort rules yet and the logging support
is limited. It is basically a matter of porting the old plugins so
you will see all this stuff in the next release or so. Head on over
to the download section and give it a go.
[ANNOUNCE]: New website design
Posted By: Gianni Tedesco - Mon Apr 22 2002
With great reservation, I timidly unveil the new website. It kinda
needed the changes. There was too much information to stay on one
page really. I have kept the pages standards compliant, we are still
perfect HTML 3.2 and render perfectly in links, lynx, mozilla, gtkhtml,
konqueror and friends. The pages still don't stuff my favourite fonts
down your throat but they do stuff my favourite colours in your face
though (if you use a graphical browser). If you don't like the colours,
you should be able to disable them with relative ease. Hopefully the
site should be more efficient to navigate now though.
This page is public domain. No trademarks, no patents, no copywrongs.