root/fwsnort/tags/fwsnort-0.8.2/ChangeLog

fwsnort-0.8.2 (02/17/2007):
    - Updated to newer IPTables::Parse module that uses the array of hash
      references method of returning iptables policy data.
    - Added --Dump-ipt and --Dump-snort rules to allow iptables policy and
      Snort rules to be dumped to STDOUT.
    - Added bleeding-all.rules file from http://www.bleedingsnort.com/
    - Added patches/bm_goodshift_fix.patch patch file that fixes an
      initialization bug in the Boyer-Moore text search implementation in the
      kernel (linux-2.6.x/lib/ts_bm.c) which caused slightly repetitive
      patterns to only match at specific offsets with the string match
      extension.
    - Bugfix to ensure that a depth cannot be less that an offset (these
      translate to the --to and --from command line arguments to iptables).
    - Bugfix to escape '$' chars in iptables search strings.
    - Added cd_rpmbuilder to make it easy to automatically build RPM files of
      fwsnort.
    - Added support for the iptables OUTPUT chain.
    - Added the ChangeLog.svn file so that all of the changed files and
      corresponding svn commit messages can be viewed (this file is built from
      release to release).

fwsnort-0.8.1 (11/11/2005):
    - Updated to use the string match extension "--algo bm" argument if
      fwsnort is being run on a 2.6.14 (or greater) kernel.
    - Updated to handle the Snort "offset" and "depth" keywords via the
      --from and --to options to the string match extension in the 2.6.14
      kernel.
    - Created RPM package of fwsnort.
    - Minor man page updates.

fwsnort-0.8.0 (07/11/2005):
    - Completely re-structured fwsnort w.r.t. how it creates Netfilter
      chains.  There are no longer any per-interface chains (this
      greatly simplifies the Netfilter chains).
    - Added three new chains "FWSNORT_INPUT_ESTAB", "FWSNORT_OUTPUT_ESTAB"
      and "FWSNORT_FORWARD_ESTAB" to which tcp connections in the
      ESTABLISHED state are jumped.  This allows fwsnort to use the
      Netfilter tcp connection tracking mechanism to ignore Stick and Snot
      style attacks (similar to the flow:established Snort rule option).
    - Added true variable resolution (i.e. HTTP_SERVERS -> HOME_NET -> any)
      for the Snort rule header.  This directly emulates the behavior of
      the Snort IDS.
    - Added IP protocol support in the translation of the Snort rule
      header.  The Snort rule translation rate is now at about 53% for
      Snort-2.3.
    - Bugfix for ipopts Snort option (several arguments are not supported
      by the ipv4options extension).
    - Better tests for Netfiler TTL, TOS, and ipv4options matches.
    - Replaced IGNORE_IP and IGNORE_NET keywords with single IGNORE_ADDR
      keywork in fwsnort.conf.
    - Updated to correctly handle ICMP type and code rules (itype and
      icode Snort options) via the "--icmp-types type/code" convention.
    - Added support for emulating the dsize Snort option through the use
      of the Netfilter length match.
    - Changed --type argument to --include-types and added list support
      so it accepts things like "chat,ddos".  Also added --exclude-types
      command line argument.
    - Added support for multiple sid's (as a comma separated list) in
      --snort-sids argument.  Also added --exclude-sids argument to remove
      a list of sids from translation.
    - Added support for the replace Snort option (originally from the
      Snort_inline project).  The requires the replace string patch.
    - Added support for restricting jump rules to a list of interfaces
      via the --restrict-intf argument.
    - Added kernel patch to extend the maximum packet length that the
      string match extension will attempt to search from 1024 bytes to
      2048 bytes (requires a kernel re-compile of course).
    - Added DRP and REJ strings to logging prefix if --ipt-drop or
      --ipt-reject is specified.
    - Added snortspoof.pl, which is a simple perl script that emulates
      the Stick and Snot tools.

fwsnort-0.7.0 (06/05/2005):
    - Added support for the Snort pass action by using the ACCEPT target.
    - Added support for the Snort log action by using the ULOG target
      (which can then log the packet via the pcap writer).
    - Added support for all fwsnort alerts to be logged via the ULOG
      target instead of the LOG target.
    - Added support for the "resp" keyword to allow it to drive the
      Netfilter argument to the REJECT target.
    - Added "pcre" to the unsupported list... this knocks the fwsnort
      translation rate down to about 50% for Snort-2.3 rules (pcre is
      heavily utilized).
    - Added "priority" and "rev" to comment lines.

fwsnort-0.6.5 (03/20/2005):
    - Updated to not attempt to download Snort rules from snort.org
      because the rules are no longer available for automatic downloads
    - Changed the install.pl script and the --update-rules mode for
      fwsnort to download the latest signature set from
      http://www.bleedingsnort.com/.
      (Snort.org is now offering pay-service around their rule sets).
    - Added signature test for the "flowbits" keyword.

fwsnort-0.6.4 (12/18/2004):
    - Updated to Snort-2.3 rules.  FWSnort can convert a total of 1710
      out of 2559 total Snort-2.3 rules.
    - Updated to new Snort rules download link for --update-rules mode:
      http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
    - Updated to standard [+], [-], and [*] prefixes for info, warning
      and die logging messages.
    - Added --replace-string patches.

fwsnort-0.6.3 (04/04/2004):
    - Added ignore functionality for both IPs and networks
    - Split --ipt-block into --ipt-drop and --ipt-reject to add DROP
      or REJECT rules respectively.
    - Added --add-deleted option to allow rules in the "deleted.rules"
      file to be added.

fwsnort-0.6.2 (03/19/2004):
    - Added --internal-net and --dmz-net options so that internal and
      dmz networks can be manually specified without having to parse
      the output of ifconfig.  This is most useful for running fwsnort
      on a linux system that is acting as a bridge where no ip addresses
      are assigned to the interfaces.
    - Bugfix for missing icmp-port-unreachable rejects for UDP packets.

fwsnort-0.6.1 (02/01/2004):
    - Bugfix for not adding dmz interface rules to INPUT chain.
    - Bugfix for not getting the DMZ interface network.

fwsnort-0.6 (01/04/2004):
    - Speed increase and disk access decrease by writing iptables
      commands to the iptables script only after all lines have been
      generated.
    - Bugfix for DMZ interface.
    - Bugfix for multiple ip_proto fields.
    - Removed the ip protocol as an allowed protocol for translation.
    - Bugfix for negated port numbers.
    - Removed "<-" rule direction since not even snort supports this.
    - Fixed snort rule updates from snort.org.

fwsnort-0.5 (12/21/2003):
    - Added "-j REJECT --reject-with tcp-reset" for tcp sessions
      if the --ipt-block option is specified.
    - Added ability to download latest snort rules from snort.org.
    - Added --no-ipt-jumps.
    - Added better checking for iptables build characteristics such
      as the LOG target and wether or not the ipv4options extension
      is compiled in.
    - Added config preservation code from psad in install.pl.