applications/internet

snort-openappid - An open source Network Intrusion Detection System (NIDS) with open AppId support

Website: http://www.snort.org/
License: GPL
Vendor: Snort.org
Description:
Snort is an open source network intrusion detection system, capable of
performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be
used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
and much more.

Snort has three primary uses. It can be used as a straight packet sniffer
like tcpdump(1), as a packet logger (useful for network traffic debugging,
etc.), or as a full-blown network intrusion detection system.

You MUST edit /etc/snort/snort.conf to configure snort before it will work!

Please see the documentation in /usr/share/doc/snort-2.9.8.0 for more
information on snort features and configuration.

Packages

snort-openappid-2.9.8.0-1.fc18.x86_64 [6.5 MiB] Changelog by Lawrence R. Rogers (2015-11-17):
- Release 2.9.8.0-1
    [*] New additions
     *  SMBv2/SMBv3 support for file inspection.
     *  Port override for metadata service in IPS rules.
     *  AppID Lua detector performance profiling.
     *  Perfmon dumps stats at fixed intervals from absolute time.
     *  New preprocessor alert (120:18) to detect SSH tunneling over HTTP.
     *  New config option |disable_replace| to disable replace rule option.
     *  New Stream configuration |log_asymmetric_traffic| to control logging to syslog.
     *  New shell script in tools to create simple Lua detectors for AppID.
    [*] Improvements
     *  sfip_t refactored to use struct in6_addr for all IP addresses.
     *  Post-detection callback for preprocessors.
     *  AppID support for multiple server/client detectors evaluating on same flow.
     *  AppID API for DNS packets.
     *  Memory optimizations throughout.
     *  Support sending UDP active responses.
     *  Fix perfmon tracking of pruned packets.
     *  Stability improvements for AppID.
     *  Stability improvements for Stream6 preprocessor.
     *  Added improved support to block malware in FTP preprocessor.
     *  Added support to differentiate between active and passive FTP connections.
     *  Improvements done in Stream6 preprocessor to avoid having duplicate packets
        in the DAQ retry queue.
     *  Resolved an issue where reputation config incorrectly displayed 'blacklist' in
        priority field even though 'whitelist' option was configured.
     *  Added support for multiple expected sessions created per packet.
     *  Active response now supports MPLS.
snort-openappid-2.9.7.6-1.fc18.x86_64 [5.8 MiB] Changelog by Lawrence R. Rogers (2015-08-13):
- Release 2.9.7.6-1
    * src/build.h:
      updating build number to 285

    * src/dynamic-preprocessors/reputation/reputation_config.c:
      Fixed unexpected behaviour in reputation config where blacklist is displayed
      in priority field even though whitelist option is set [reported by Mike Cox].

    * src/preprocessors/Stream6/snort_stream_tcp.c:
      Fixed issue where XFF/ExtraData is not always logged when 'drop' rules trigger [reported by Mike Cox].
      Fixed issue in TCP session deletion when being called from Stream5 HA.

    * src/: active.h, file-process/file_service.c:
      ACTIVE_DROP is changed to ACTIVE_FORCE_DROP when file_verdict is pending.

    * src/dynamic-preprocessors/appid/fw_appid.c:
      Fixed issue where openappid does not provide the Content-Type field for use with CHPAddAction.

    * doc/snort_manual.tex:
      Corrected errors in snort_manual.tex [reported by Gabriel Corre].

    * preproc_rules/preprocessor.rules,
      src/preprocessors/: session_api.h, snort_httpinspect.c,
      HttpInspect/event_output/hi_eo_log.c, HttpInspect/include/hi_eo_events.h,
      Stream6/snort_stream_tcp.c:
      Enhancement done to detect 'SSH tunneling over HTTP'.

    * src/sfutil/sfportobject.c:
      Fixed memory leaks [reported by Bill Parker].

    * doc/snort_manual.tex:
      Corrected the information about unified2 record structure [reported by Avery Rozar].

    * etc/snort.conf, src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h,
      src/preprocessors/HttpInspect/client/hi_client.c,
      src/preprocessors/HttpInspect/server/hi_server.c,
      src/preprocessors/Stream6/stream_paf.c:
      Fixed issue where original client IP in intrusion event is incorrectly
      populated with XFF of the last GET request.

    * src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h,
      HttpInspect/server/hi_server.c,
      snort_httpinspect.c, snort_httpinspect.h,
      HttpInspect/server/hi_server.c:
      HTTP unlimited decompression will now decompress the entire stream.

    * src/decode.c:
      Added a check so that the min_ttl decoder does not drop packets in alert mode.

    * etc/snort.conf, src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h,
      src/preprocessors/HttpInspect/client/hi_client.c,
      src/preprocessors/HttpInspect/server/hi_server.c:
      Fixed issue where original client IP in intrusion event is incorrectly populated with XFF of the last GET request.
snort-openappid-2.9.7.5-1.fc18.x86_64 [5.8 MiB] Changelog by Lawrence R. Rogers (2015-07-01):
- Release 2.9.7.5-1
    * src/build.h:
      updating build number to 262

    * src/preprocessors/Stream6/snort_stream_tcp.c:
      Improved handling of asymmetric traffic.

    * src/active.c:
      Active responses no longer set the FIN flag on the last segment
      transmitted.

    * src/dynamic-preprocessors/appid/luaDetectorApi.c:
      Added sanity checks to client API.

    * doc/snort_manual.pdf,
      src/: dynamic-preprocessors/dcerpc2/dce2_paf.c,
      dynamic-preprocessors/dnp3/dnp3_paf.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/imap/imap_paf.c,
      dynamic-preprocessors/pop/pop_paf.c,
      dynamic-preprocessors/sip/sip_paf.c,
      dynamic-preprocessors/smtp/smtp_paf.c,
      preprocessors/session_api.h, preprocessors/spp_stream6.c,
      preprocessors/stream_api.h,
      preprocessors/HttpInspect/utils/hi_paf.c,
      preprocessors/Session/session_common.h,
      preprocessors/Stream6/snort_stream_tcp.c,
      preprocessors/Stream6/snort_stream_tcp.h,
      preprocessors/Stream6/stream_paf.c,
      preprocessors/Stream6/stream_paf.h:
      Multiple PAF clients can read/write to the same user data.

    * src/: file-process/file_api.h, file-process/file_mail_common.h,
      file-process/file_mime_process.c,
      sfutil/sf_email_attach_decode.c, sfutil/sf_email_attach_decode.h:
      Fixed filename parsing from MIME body for UUencoded MIME.

    * src/preprocessors/perf-base.c,
      src/preprocessors/Stream6/snort_stream_tcp.c:
      Prunes triggered by timeouts are now accounted for by perfmonitor.

    * src/preprocessors/spp_session.c:
      Log a warning instead of a fatal error
      if a stream5_global config is in a non-default policy.

    * src/detection-plugins/sp_base64_decode.c:
      Removed unused checks.

    * src/snort.c:
      Improved reliability of configuration reloads.

    * src/preprocessors/snort_httpinspect.c:
      Fixed issue in HTTP file processing where SHAs may not always be correct.

    * doc/snort_manual.pdf,
      src/sfutil/sf_email_attach_decode.c:
      Fixed handling of newline chars in QP encoding.

    * src/preprocessors/snort_httpinspect.c:
      Fixed inconsistent behavior when configuring "max_gzip_mem -1".

Listing created by Repoview-0.6.6-4.el7