news
04-06-03

Wow, over a year since the last update. Well, this is "2.0" but not quite the 2.0 we were expecting. It's vastly more capable than the 1.8.x and 1.9.x releases, more stable, audited, well tested in a commercial test environment (thanks to Sourcefire) and generally just "better" than what has come before, but it's not the revolutionary leap that I had envisioned. Will that leap happen someday? Probably, but the timeline will shift and things will look different than we have been talking about for the last 18 months. Snort is pretty high profile now; we've got new open source IDSes nipping at our heels (amazing how they all claim to be "better" than Snort, yet usually only encompass a small subset of its features). I continue to be amazed by the robustness of the architecture that was developed over three years ago and the latest and greatest improvements that have been added. The new detection engine from Norton & Roelker has racked up impressive performance numbers, and Chris Green's shepherding of the stream4 and frag2 preprocessors while I've been out doing "business things" has been great as well. Speaking of business, if you like Snort but are interested in a commercially supported version with enterprise scalability, take a look at Sourcefire (http://www.sourcefire.com). There are other companies that put "Snort on a box" out there (google for them), but Sourcefire is taking Snort in new directions (and I started it). Snort is still free (and always will be), but if you find yourself saying "I need to deploy and manage [5|10|20|100] Snort sensors, is there anyone who can help me?", give us a shout.
As for features, we've got quite a few new ones for 2.0:

* Higher performance (due to a new pattern matcher and rebuilt detection engine)
* Better decoders
* Enhanced stream reassembly and defragmentation
* Tons of bug fixes
* Updated rules
* Updated snort.conf
* New detection keywords (byte_test, byte_jump, distance, within) & stateful pattern matching
* New HTTP flow analyzer
* Enhanced anomaly detection (HTTP, RPC, TCP, IP, etc)
* Better self preservation in stateful subsystems
* Xrefs fixed
* Flexresp works faster and more effectively
* Better chroot()'ing
* Fixed 802.1q decoding
* Better async state handling
* New alerting option: -A cmg!!
* Major tagging updates

03-14-02

OK, we're going to start being better about doing this more regularly. This release has many, many fixes over 1.8.3. Lots of bugs in stream4 have been ironed out thanks to Phil Wood. The ICMP decoders have been rewritten. The major "gotcha" with this release will be that rules with <- used as the direction operator are no longer accepted. This is a bug fix in that it was assumed to be -> before (unless you compiled with a specific define set).

(This is a summary of recent changes -- not all mine)

* Fixed stream4 offset initialization
* Double open of snort log file
* Lots of new rules
* Fatal error on problems other than -> and <>
* Fixed several low memory conditions in stream4
* Error checking in stream4/frag2 argument parsing
* snortdb schema updates to 1.05
* --with-pcap-includes should now look at specified pcap
* packet statistics now should be more accurate with regards to lost packets
* double PID file write
* S4 alignment problems on Sparc fixed
* new snmptrap code
* documentation updates
* Stability fixes in frag2

11-29-01

And the hits keep on coming. There were some other things broken in 1.8.2 that needed to get fixed (flexresp was totally inoperative, crashbug in frag2, etc).
Anyway, this one has had some pretty decent testing done on the core functionality and everything seems to be running nicely now. Major repairs include a fix to frag2 on Linux platforms; the ICMP decoder and printout routines were updated to match the data structures that I implemented in 1.8.1, and the flexresp code was repaired and should now be faster, plus the usual rule updates. I also added a new "-B" command line switch to convert IP addresses in a pcap file to a newly specified IP subnet address. On to 2.0...

11-02-01

OK, I lied. There was enough little stuff to fix in 1.8.1 that I decided to do a 1.8.2 release. This is just about fully a bugfix release, but Snort is now more stable and more usable than it's been in quite a while, and should do a good job of tiding people over while we transition to 2.0 and the codebase gets a little more "fluid". Here's the list of fixes:

* fixed UTC timestamps
* fixed SIGUSR1 handling, should reset properly now after getting a signal
* fixed PID path generation code, PID files go in the right place now
* fixed stability problems in stream4
* fixed stability problems in frag2
* tweaks to spo_unified for better integration with barnyard
* added -f switch to turn off fflush() calls in binary logging mode
* added new config keyword to stream4, "log_flushed_streams", which causes all buffered packets in the stream reassembler for that session to be logged in the event of an event on that stream (must be used in conjunction with spo_log_tcpdump)
* added packet precaching for flexresp TCP packets, responses should be generated more quickly
* fixed rules parser code for various failure modes
* several new rules files and a new classification system

After this release we're going to reorganize the whole source tree and do a quick 1.9 release with the new code layout. Once that's done, we're going to begin coding 2.0 in earnest in December, hopefully doing our initial release sometime in the February time frame.
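The relative-matching keywords listed for 2.0 above (distance, within, byte_test, byte_jump) all operate on one idea: a match cursor that advances as each keyword succeeds, so later keywords are evaluated relative to the end of the previous match. The following Python is an added illustration of that idea and is not Snort's own code; it models the keywords as functions over a cursor and applies them to a constructed record format (a "REC" tag, a 2-byte big-endian length, a body and an "END" trailer, all invented here) to flag an oversized length field and a length field that disagrees with the actual framing. Snort's alignment and multiplier modifiers and its exact out-of-bounds handling are simplified; the names and the protocol are assumptions, not anything the file describes.

```python
"""Simplified model of Snort 2.0's relative content-matching keywords.

Added illustration, not Snort's code.  One integer `cursor` plays the role
of the detection engine's "end of last match" pointer: content() moves it,
byte_test() reads relative to it, byte_jump() advances it by a length field.
"""
import struct

# Comparison operators accepted by the model byte_test (a subset of Snort's).
_OPS = {
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
    "&": lambda a, b: (a & b) != 0,
}


def content(payload, pattern, cursor, distance=0, within=None):
    """Search for `pattern` starting `distance` bytes after the cursor.
    With `within`, the whole pattern must lie inside the next `within`
    bytes.  Returns the new cursor (one past the match) or None."""
    start = cursor + distance
    end = len(payload) if within is None else start + within
    idx = payload.find(pattern, start, end)
    if idx == -1:
        return None
    return idx + len(pattern)


def _read_int(payload, num_bytes, pos, big_endian=True):
    """Read an unsigned integer; None if it would run past the packet."""
    chunk = payload[pos:pos + num_bytes]
    if pos < 0 or len(chunk) != num_bytes:
        return None  # fail closed rather than read garbage
    return int.from_bytes(chunk, "big" if big_endian else "little")


def byte_test(payload, num_bytes, op, value, offset, cursor,
              relative=True, big_endian=True):
    """Convert `num_bytes` at `offset` (relative to the cursor by default)
    into an integer and compare it with `value`.  Returns True or False."""
    base = cursor if relative else 0
    field = _read_int(payload, num_bytes, base + offset, big_endian)
    return field is not None and _OPS[op](field, value)


def byte_jump(payload, num_bytes, offset, cursor, relative=True, big_endian=True):
    """Read a length field and move the cursor past the data it describes
    (modelled as base + offset + num_bytes + value).  None if unreadable."""
    base = cursor if relative else 0
    field = _read_int(payload, num_bytes, base + offset, big_endian)
    if field is None:
        return None
    return base + offset + num_bytes + field


MAX_RECORD = 64  # constructed policy limit for the hypothetical protocol


def check_record(payload):
    """Evaluate two model rules and return the names of those that fired.

    oversized-record: content:"REC"; byte_test:2,>,64,0,relative;
    length-mismatch:  content:"REC"; byte_jump:2,0,relative;
                      content:"END"; within:3;  (negated: trailer missing)
    """
    fired = []
    cursor = content(payload, b"REC", 0)
    if cursor is None:
        return fired  # not our protocol, nothing to check
    if byte_test(payload, 2, ">", MAX_RECORD, 0, cursor):
        fired.append("oversized-record")
    after_body = byte_jump(payload, 2, 0, cursor)
    if after_body is None or content(payload, b"END", after_body, within=3) is None:
        fired.append("length-mismatch")
    return fired


def build_record(body):
    """Constructed sample frame: tag, 2-byte big-endian length, body, trailer."""
    return b"REC" + struct.pack(">H", len(body)) + body + b"END"


if __name__ == "__main__":
    samples = {
        "well-formed": build_record(b"hello"),
        "oversized": build_record(b"A" * 100),
        "lying length": b"REC" + struct.pack(">H", 2) + b"hello" + b"END",
        "truncated": b"REC\x00",
    }
    for name, frame in samples.items():
        print(f"{name:13s} -> {check_record(frame)}")
```

The "truncated" sample is the edge case worth noticing: a length field that is cut off makes byte_jump fail rather than advance the cursor into nonexistent bytes, and the rule still reports a mismatch instead of silently passing.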
08-14-01

I was planning on getting this release out sooner than this (since it's largely a bugfix release) but my wife and I went and had a baby 2 weeks ago, which affected the schedule a little. ;) Anyway, barring any major problems the Snort 1.x code will now be going into maintenance mode as we begin development on 2.0. This version adds the following:

* SNMP alerts
* IDMEF XML output (the Silicon Defense plugin is integrated into the main codebase now)
* Limited regex support in the rules language
* New packet counters for stream4 and frag2
* New normalization mode for http_decode

And a slew of bug fixes. We should get to work on 2.0 shortly, so hopefully the next release of this NEWS file will be talking about that! (knock on wood...)

07-09-01

Well, this one was a long time coming, but I think it was worth the wait. Snort can now perform stateful inspection, has improved defragmentation capabilities, uses less memory, leaks less of the memory that it does use, is faster, and has a bunch of other good stuff. Truly, this is probably the ultimate development of the 1.X series of Snort. After this version we will begin development on Snort 2.0, which will have a great many new features, be faster and more flexible, and generally be about the finest network intrusion detection system that an open source community can build. See the Changelog (read all the way back to January of this year) for changes and additions; there are far too many to list here.
Some of the highlights include:

* stateful inspection
* new tcp stream reassembly code
* new ip defragmenter
* new protocol available for the rules language: ip
* more extensive printouts of cross reference and info in alerts
* new normalizer preprocessors for telnet, rpc
* 2 new output plugins (unified, csv)
* 5 new preprocessors (stream4, frag2, bo, telnet_decode, rpc_decode)
* 10 new rule options
* unique rule IDs
* A whole slew of command line options (7 at last count)
* Mega bug-fixes from 1.7

Snort can now leap tall buildings in a single bound. The future holds 2.0, which will revisit most of the code in Snort. It probably won't be released for another 6 months or so, but for the time being I'm happy with what we've produced here and I think most people will be happy with it too. Please read the USAGE, FAQ, README, man page and any other docs you can before asking your questions; there's a good chance that the answer you're looking for is in there.

Commercial plug: If you decide that you need or want to take your Snort installation to the next level, Sourcefire Inc. (http://www.sourcefire.com) is now producing commercial network intrusion detection appliances based on Snort with data analysis, management, and rules GUIs built-in. See the web site for more information; if you want to have a commercially supported, professional Snort deployment, Sourcefire is the company to call.

01-02-01

Welcome to version 1.7. This version features clean compiles on the following architectures and platforms:

* Linux 2.0.X, Linux 2.1.X, Linux 2.2.X (i386)
* FreeBSD 3.x, 4.x (i386)
* SunOS/gcc 5.5, 5.5.1, 5.6, 5.7, 5.8 (sparc)
* OpenBSD 2.7, 2.8
* Tru64/gcc
* HPUX 11.0/gcc

Other platforms/architectures should be supported as well; we just don't have them available for testing at the moment. There are a ton of bug fixes and new features in this version, have a look at the ChangeLog to see many of them.
I think that this will be the last full point release of the 1.X codebase; we're starting design work on the 2.0 series and I hope that we'll be putting it out there in the not too distant future (less than six months!). It's been a long road to 1.7; the amount of code in the program compared to the initial release over two years ago is incredible. We're just getting rolling though, and 2.0 is going to bring a great number of changes including more plugin interfaces (packet acquisition and decode), faster/cleaner code (I hope ;) and a better design for performing more types of analysis. Big changes in this version: snort-lib renamed to snort.conf, IP defragmentation plugin now 100% on all architectures, tcp stream reassembly, statistical anomaly detection, three new command line switches (-L, -I, -X), IP address lists, a cool "automatic variable" in the rules file that automatically picks up the IP address and netmask of a named interface, more packet header printouts, detection plugins for TOS and the IP fragment bits, as well as a plugin that allows reference data to be attached to rules and a completely rewritten active response module, etc. I hope everyone likes this release; we've put a ton of work into it to make sure that it's functional and stable while still being easy to use for everyone.

07-22-00

Welcome to version 1.6.3. This version features clean compiles on all architectures and OSes that I have access to, some elusive bug fixes in the decoders, a little bit better packet printing, full-time ARP packet decoding (instead of only when the -a option is spec'd), and an upgraded portscan detector. The moral of the story with the 1.6.1->1.6.2.2 release cycle was "don't release when you're working on the road". This will be the last version release until the Hiverworld IDS ships as I need to dedicate myself fully to that cause.
Please watch http://www.snort.org for information on the availability of an upgraded defragmentation preprocessor; the one shipping with this version should be treated as *beta* code!

07-08-00

It wouldn't be a release without a disaster, and in that vein we lost the ability to compile cleanly on Linux boxes with version 1.6.1. Typical. Lessons learned: I need to reinstall a RedHat box at Snort Labs so that I can do compile tests before release. C'est la vie.

07-06-00

Version 1.6.1 is finally ready to see the light of day. This release is mostly a bug fix with a few minor feature additions for runtime security. Version 1.7 is a few months behind in development due to my busy schedule at Hiverworld where I'm putting together a completely new (not Snort-based) IDS.