Release Notes: Several checks were added, the alert data from Snort got a tag, and a restart of Snort is now checked. getpacket now has base64 support. The statistics are now generated via the control thread, so some signals are no longer necessary. The exit handler was rewritten and a cache for signatures was added. This cache can accelerate the insert rate by up to a factor of two and is implemented as a red-black tree. During runtime, the only SELECT statement is the one for the signature ID; all other database operations are INSERT statements. The idea is to cache all signatures that have caused an alert.
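As an added illustration of the signature cache described above (this is example code, not FLoP's own, and it does not reproduce the FLoP schema or its red-black tree), the block below puts a lookup cache in front of an alert-insert path. The table names `signature` and `event`, the in-memory sqlite3 database and the sample alerts are all constructed for the demo; a Python dict stands in for the tree. Once a signature has been seen, inserting further alerts for it needs no SELECT at all, which is the effect the release note describes.

```python
"""Signature-ID cache in front of alert inserts (added example, not FLoP code).

Assumptions: a minimal constructed schema with a `signature` table and an
`event` table; an in-memory sqlite3 database; a dict as the cache.
"""
import sqlite3

# Constructed schema for the demo (not the FLoP/ACID schema).
SCHEMA = """
CREATE TABLE signature (
    sig_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_name TEXT UNIQUE NOT NULL
);
CREATE TABLE event (
    cid    INTEGER PRIMARY KEY AUTOINCREMENT,
    sig_id INTEGER NOT NULL,
    ts     TEXT
);
"""


class AlertWriter:
    """Writes alerts, consulting the signature table at most once per signature."""

    def __init__(self, conn):
        self.conn = conn
        self.sig_cache = {}   # sig_name -> sig_id (stand-in for the red-black tree)
        self.selects = 0      # counters so the effect of the cache is measurable
        self.inserts = 0

    def signature_id(self, sig_name):
        """Return the sig_id for a signature, hitting the database only on a cache miss."""
        sid = self.sig_cache.get(sig_name)
        if sid is not None:
            return sid
        # Cache miss: this is the only SELECT on the insert path.
        self.selects += 1
        row = self.conn.execute(
            "SELECT sig_id FROM signature WHERE sig_name = ?", (sig_name,)
        ).fetchone()
        if row is None:
            # Unknown signature: insert it (rules.pl-style preloading would avoid this).
            self.inserts += 1
            cur = self.conn.execute(
                "INSERT INTO signature (sig_name) VALUES (?)", (sig_name,)
            )
            sid = cur.lastrowid
        else:
            sid = row[0]
        self.sig_cache[sig_name] = sid
        return sid

    def insert_alert(self, sig_name, ts):
        """Insert one alert row; everything after the signature lookup is an INSERT."""
        sid = self.signature_id(sig_name)
        self.inserts += 1
        cur = self.conn.execute(
            "INSERT INTO event (sig_id, ts) VALUES (?, ?)", (sid, ts)
        )
        return cur.lastrowid


def run_demo(alerts):
    """Insert the given (sig_name, ts) alerts; return (selects, inserts, event_count)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    writer = AlertWriter(conn)
    for sig_name, ts in alerts:
        writer.insert_alert(sig_name, ts)
    count = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    conn.close()
    return writer.selects, writer.inserts, count


# Constructed sample alerts: six alerts from two distinct signatures.
SAMPLE_ALERTS = [
    ("ICMP PING", "2004-01-01 10:00:00"),
    ("SCAN nmap TCP", "2004-01-01 10:00:01"),
    ("ICMP PING", "2004-01-01 10:00:02"),
    ("ICMP PING", "2004-01-01 10:00:03"),
    ("SCAN nmap TCP", "2004-01-01 10:00:04"),
    ("ICMP PING", "2004-01-01 10:00:05"),
]

if __name__ == "__main__":
    # Two SELECTs (one per distinct signature), eight INSERTs, six events.
    print(run_demo(SAMPLE_ALERTS))
```

With the sample input, the two distinct signatures cost one SELECT each; the remaining work is two signature inserts plus six event inserts. Preloading the signature table (as the rules.pl script mentioned in a later note does) would remove the two signature inserts as well.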
Release Notes: The interface name can be included. The database can now be accessed via TCP. The drop and alert feature can be deactivated. Alerts can be dropped without writing the information to the drop socket. A command line option was added to getpacket to avoid following tagged packets. The consistency checks for alert packets were enhanced, and several checks were added. Some bugs were removed, especially one regarding the sensor name, in which parts of the previously connected sensor's name were appended with a newline.
Release Notes: A control thread was added so that some parameters can be changed during runtime. The restriction of one snort process per sensor was removed. This way it is also possible to encrypt the communication via stunnel or an SSH tunnel. If the server process gets terminated (SIGINT or SIGTERM), then all cached alerts are saved in swap files. The new (unofficial) scheme 107 is supported, and the configure script was enhanced. Recreation of pcap files is now possible on 64-bit systems. Some bugs were fixed.
Release Notes: Event_references is now unique across restarts of snort, so that getpacket is able to rebuild only packets of the same tagged session. Additional packet information like MAC addresses and vendor information can be printed out. This release has a -Z option to disable the use of UTC time within the database (the local timezone is used instead). Some minor bugs are fixed and configure makes some additional checks.
Release Notes: With a slight extension of the database, it is possible to rebuild a stream of tagged packets with the program getpacket. rules.pl is now able to work with rules without given priority/classification (this happens mostly with some bleeding snort rules). A lot of minor bugs were fixed. Some are essential for sensors with a small amount of RAM and rebuilding large TCP packets within stream4. Log and error messages are improved.
Release Notes: With recent snort versions (2.1.3 or 2.2.0RC1), it is now possible to additionally write log packets to the database. The -Q command line option was added to snort to avoid writing anything to /var/log/snort. sockserv and servsock now verify the result of (m|c)alloc and invoke drop to free some memory if it fails. A bug in the threaded signal handler on Linux was removed, which resulted in a remaining thread during a SIGTERM or SIGINT on a heavily loaded system. Finally, a bug in fpg was removed, which could have resulted in a SIGSEGV on special rules.
Release Notes: Debug functions are now used, and the debug code is now inserted by default and can be activated on startup. A rules.pl script that is able to insert the signatures with references in the database was added. This speeds up later inserts of alerts since no rule has to be inserted. A negative UnixSocketPriority reverses the order for the alert socket, and a value of -2 alerts only on priorities of 1 or 2. Servsock now prints the sensor name together with the PID in the statistics output.
Release Notes: A rare bug condition was removed. If a network packet without any higher-layer payload generated an alert, then the database routine failed to insert the payload and the alert was lost. This usually happens with alerts generated by a preprocessor; here it was an invalid TCP option in the TCP header. Normal snort rules match on contents, and hence you have a payload. Further, the external errno variable in the snort patch is replaced with an include of errno.h to be compatible with newer versions of strerror.
Release Notes: If the database has gone away during inserts, all alerts are written to a swap file and reloaded once the database is back and the remote sensor reconnects. Therefore, a handshake initialization between sensors and the central server was added. An extension of the database scheme was added to store additional network packet information. With this information, a pcap file can be rebuilt to be analyzed with tcpdump or ethereal.
Release Notes: A strange bug in the combination of printing to syslog and using the daemon mode has been fixed. The daemon mode closes all opened file descriptors. The syslog() call will then print on the first opened file descriptor, which is the network connection to the remote processes. Some minor (cosmetic) bugs are removed.
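The syslog/daemon bug above is an instance of a general descriptor-reuse problem: a library remembers a descriptor number, the daemonizing code closes that descriptor behind the library's back, the next socket the process opens gets the same number, and the library's log output goes to a network peer. The block below is an added example (not FLoP's code and not a reproduction of its fix) that shows the mechanism with a pipe standing in for the syslog connection and a local `socketpair()` standing in for the remote sensor connection; all names in it are constructed for the demo. With glibc's syslog the equivalent remedy is to call `closelog()` before closing descriptors, or `openlog()` only after daemonizing.

```python
"""Descriptor reuse after daemonizing: log output leaking to a network peer.

Added example, not FLoP code. A pipe stands in for the syslog socket, a
socketpair for the connection to a remote sensor. Relies on the POSIX rule
that new descriptors get the lowest free number.
"""
import os
import socket

LOG_MESSAGE = b"sensor01: alert dropped, database unavailable"  # constructed


def daemon_log_leak(reopen_log):
    """Return (leaked_to_peer, reached_log).

    reopen_log=False reproduces the bug: the log descriptor is closed by the
    daemon code but its number is still used by the logger.
    reopen_log=True applies the fix: the log is reopened after daemonizing,
    so the remembered number points at a real log descriptor again.
    """
    # 1. The logging library opens its connection before daemonizing.
    log_r, log_w = os.pipe()
    remembered = log_w          # the number the library keeps in a static variable

    # 2. daemonize(): close every descriptor, including the library's.
    os.close(log_r)
    os.close(log_w)
    log_r = None

    # 3. The fix: re-establish the log connection after daemonizing.
    if reopen_log:
        log_r, log_w = os.pipe()
        remembered = log_w

    # 4. Accept the "network connection to the remote process". Its descriptors
    #    are the lowest free numbers, i.e. exactly the ones just closed.
    local, remote = socket.socketpair()
    peer = None
    if local.fileno() == remembered:
        peer = remote
    elif remote.fileno() == remembered:
        peer = local

    leaked = False
    reached_log = False

    # 5. The library writes its next message to the remembered number.
    os.write(remembered, LOG_MESSAGE)

    if peer is not None:
        # The remembered number is one end of the socket: the peer receives the log line.
        peer.settimeout(1.0)
        leaked = peer.recv(len(LOG_MESSAGE)) == LOG_MESSAGE
    elif log_r is not None:
        # The remembered number is the reopened log pipe: the message lands where it should.
        reached_log = os.read(log_r, len(LOG_MESSAGE)) == LOG_MESSAGE

    # Cleanup.
    local.close()
    remote.close()
    if log_r is not None:
        os.close(log_r)
        os.close(log_w)
    return leaked, reached_log


if __name__ == "__main__":
    print("buggy:", daemon_log_leak(reopen_log=False))   # (True, False)
    print("fixed:", daemon_log_leak(reopen_log=True))    # (False, True)
```

In the buggy run the message is read back from the socket peer, which is what a remote sensor would have seen from the FLoP server; in the fixed run it arrives on the reopened log pipe and nothing reaches the socket. The same check (compare the logger's descriptor number with the numbers handed out after daemonizing) is a cheap assertion to keep in any daemon that opens its log before forking.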