ChangeLog

2015-22-04 Joel Cornett <jocornet@cisco.com>
Snort 2.9.7.3
    * src/build.h:
      updating build number to 217

    * src/: decode.h, detection-plugins/sp_clientserver.c,
      dynamic-plugins/sf_engine/sf_snort_packet.h,
      dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
      dynamic-preprocessors/dcerpc2/dce2_session.h,
      dynamic-preprocessors/sdf/spp_sdf.c,
      preprocessors/HttpInspect/server/hi_server.c,
      preprocessors/Stream6/snort_stream_tcp.c,
      preprocessors/snort_httpinspect.c, preprocessors/spp_normalize.c:
      Added mode safety checks to normalization.
      Fixed an issue in PAF where the start of the PDU after flushing was not
      being set correctly in some case.
      Improved Stream reassembly of HTTPS sessions

    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Stability improvements for ftp_telnet preprocessor

    * doc/snort_manual.pdf, doc/snort_manual.tex,
      src/detection-plugins/sp_base64_decode.c,
      src/detection-plugins/sp_base64_decode.h,
      src/detection-plugins/sp_file_data.c:
      Improved performance for file preprocessor
      Documentation changes

    * src/dynamic-preprocessors/appid/: service_plugins/service_base.c,
      service_state.c:
      Various OpenAppId improvements

    * configure.in:
      Fixed issue with configure script handling of -Werror compiler flags

    * src/decode.c:
      Improved decoding of IPv6 extensions

    * src/detection-plugins/detection_options.c:
      Fixed an issue where the protected_content rule option was not
      backtracking correctly in some cases

    * src/snort.c:
      Fixed snort handling of PID files

    * tools/: u2openappid/u2openappid.c, u2spewfoo/u2spewfoo.c:
      Fixed usage info.

    * src/dynamic-preprocessors/sip/: Makefile.am, sf_sip.dsp, sip_dialog.c,
      sip_parser.c, spp_sip.c:
      Added PAF support for TCP traffic

    * src/: log_text.c, log_text.h, output-plugins/spo_alert_fast.c,
      output-plugins/spo_alert_full.c:
      Extended support for OpenAppId logging to cmg and console output loggers

    * src/dynamic-preprocessors/appid/service_plugins/service_ssl.c:
      Improved SSLv3 handling for OpenAppId

2014-24-12 Victor Roemer <viroemer@cisco.com>
Snort 2.9.7.2
    * src/build.h:
      updating build number to 177

    * src/preprocessors/Stream6/snort_stream_tcp.c:
	  Resolved an issue where the inline normalization preprocessor
	  incorrectly resized packets when 'preprocessor normalize_tcp: trim'
	  was enabled.

    * src/decode.c, src/encode.c:
      Added support for Cisco FabricPath decoding/encoding.
      Ensure flow_id is copied into the DAQ_PktHdr_t.

    * src/snort.h, src/sfutil/sfrt.c, src/sfutil/sfrt.h
      src/target-based/sftarget_reader.c:
      Moved ntohl conversion inside of the sfrt api for both IPv4 and IPv6.

    * src/target-based/sftarget_protocol_reference.c
      Lookup application protocol id only after the session is established.
      Assign application protocol id to the session when using host attribute table.

    * src/util.c:
      Changes for suppressing configuration logging.

    * src/file-process/file_service.c:
      Assign the file config to a file context prior to checking if HTTP continuation.

2014-10-10 Carter Waxman <cwaxman@cisco.com>
Snort 2.9.7.0
    * src/build.h: updating build number to 149
    
    * src/dynamic-preprocessors/appid/spp_appid.c:
      Fixed issue in which AppID would be disabled after a reload.
    
    * configure.in:
      Added dependency for OpenSSL when building with --enable-openappid
    
    * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex:
      Added documentation for the new Extended X-Forwarded-For
      capabilities

    * src/preprocessors/Stream6/snort_stream_tcp.c:
      Reused the TcpSessionCleanup logic to add a function to flush queued unacked segments.

2014-09-15 Joel Cornett <jocornet@cisco.com>
Snort 2.9.7.0-rc
    * src/build.h:
      updating build number to 147

    * configure.in,
      src/sfdaq.c:
      Fixed C99 compliance issue with DAQ.

    * src/preprocessors/:
      Stream6/snort_stream_tcp.c,
      spp_session.c:
      Improved stability of TCP session decoding.

    * tools/u2streamer/u2streamer.c:
      Improved stability of u2streamer tool.

    * src/snort.c:
      Fixed issue with daemonization mode. Thanks to Eugenio Perez
      for noting the issue and proposing a fix.

    * src/:
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      preprocessor/Stream6/snort_stream_tcp.c,
      encode.c, encode.h, snort.c, snort.h:
      Added support to detect heartbleed attacks.

    * build/dobuild.sh,
      rpm/README.build_rpms, rpm/generate-all-rpms, rpm/snort.spec,
      src/dynamic-preprocessors/appid/Makefile.am:
      Added OpenAppID to snort RPM.

    * doc/: README.active, README.file_ips, INSTALL, snort_manual.tex: 
      Updated documentation.

    * doc/INSTALL:
      Added common configuration mistakes and fixes to INSTALL.
      Thanks to Bill Parker for the documentation.

    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Improved FTP traffic handling.

    * src/dynamic-preprocessors/appid/detector_plugins:
      detector_http.c, detector_imap.c, detector_pop3.c:
      Improved stability of OpenAppID preprocessor parsing HTTP
      headers.

    * src/:
      parser.c, snort.c, snort.h, util.c:
      Added a new option `--suppress-config-log` to Snort command
      line arguments. This option suppresses logging of
      configuration information to output.

    * src/:
      active.c, active.h,
      preprocessors/Stream6/snort_stream_ip.c,
      preprocessors/Stream6/snort_stream_tcp.c,
      preprocessors/Stream6/snort_stream_udp.c:
      Fixed issue with blacklisting of flow traffic.

    * src/preprocessors:
      spp_session.c, spp_stream6.c:
      Improved stability of Stream6 preprocessor.

    * configure.in,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/imap/snort_imap.h,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/pop/snort_pop.h,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/smtp/snort_smtp.h,
      src/dynamic-preprocessors/ssl_common/ssl_include.h,
      src/dynamic-preprocessors/ssl_common/ssl_inspect.c,
      src/dynamic-preprocessors/ssl_common/ssl_session.h,
      src/encode.c:
      Fixed encoding issue with DAQ packet headers.

    * doc/README.ssl,
      doc/snort_manual.pdf,
      doc/snort_manual.tex,
      etc/gen-msg.map,
      preproc_rules/preprocessor.rules,
      src/dynamic-preprocessors/ssl_common/ssl.c,
      src/dynamic-preprocessors/ssl_common/ssl.h,
      src/dynamic-preprocessors/ssl_common/ssl_config.c,
      src/dynamic-preprocessors/ssl_common/ssl_config.h,
      src/dynamic-preprocessors/ssl_common/ssl_inspect.c,
      src/dynamic-preprocessors/ssl_common/ssl_inspect.h,
      src/dynamic-preprocessors/ssl_common/ssl_session.h:
      Added support to detect heartbleed attacks.

    * doc/snort_manual.tex,
      src/dynamic-examples/dynamic-rule/detection_lib_meta.h,
      src/dynamic-plugins/sf_dynamic_engine.h,
      src/dynamic-plugins/sf_dynamic_meta.h,
      src/dynamic-plugins/sf_dynamic_preprocessor.h,
      src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/preprocessors/Stream6/snort_stream_tcp.c,
      src/decode.c, src/decode.h, src/encode.c, src/parser.c,
      src/parser.h, src/snort.c, src/snort.h:
      Added a new config option `max_ip6_extensions` to change the
      maximum number of IPv6 extension headers decoded. Thanks to
      Antonio Atlasis for providing data to the ChangeLog.

    * src/dynamic-preprocessors/modbus/:
      modbus_paf.h, modbus_roptions.c, spp_modbus.c:
      Improved traffic handling by modbus preprocessor

    * src/:
      dynamic-preprocessors/dns/spp_dns.c,
      dynamic-preprocessors/imap/spp_imap.c,
      dynamic-preprocessors/pop/spp_pop.c,
      dynamic-preprocessors/smtp/spp_smtp.c,
      dynamic-preprocessors/ssh/spp_ssh.c,
      preprocessors/spp_session.c:
      Fixed issue with stream configuration state changing across
      reloads. Thanks to Eugenio Perez for noting the issue.

    * src/dynamic-preprocessors/appid/Makefile.am:
      Fixed compilation issue with OpenAppID on OpenBSD.

    * src/plugbase.c:
      Improved implementation of plugin API.

    * src:
      detection-plugins/sp_ftpbounce.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Improved stability of FTP preprocessor.

    * configure.in,
      src/dynamic-preprocessors/appid/appIdConfig.c,
      src/dynamic-preprocessors/appid/appIdConfig.h,
      src/dynamic-preprocessors/appid/flow.h,
      src/dynamic-preprocessors/appid/fw_appid.c,
      src/dynamic-preprocessors/appid/fw_appid.h,
      src/dynamic-preprocessors/appid/luaDetectorApi.h:
      Fixed compilation issues with OpenAppID on Mac OS X.

    * src/preprocessors/:
      perf-flow.c, spp_perfmonitor.c:
      Minimum flow-ip-memcap changed to 8200.

    * src/sf_sdlist.c:
      Fixed implementation of `sf_sdlist`. Thanks to Yang Zhang
      for noting the issue.

    * src/:
      preprocessors/Stream6/snort_stream_tcp.c,
      preprocessors/spp_frag3.c,
      preprocessors/spp_normalize.c:
      active.h, decode.c,
      Check checksum configuration as well as na_policy_mode
      setting before drop.

    * src/preprocessors/snort_httpinspect.c:
      Improved handling in HTTPInspect preprocessor.

    * src/sfutil/mpse.c:
      Fixed building snort with --disable-perfprofiling. Thanks to
      Yonatan Ben-David for noting the issue.

    * src:
      encode.c, encode.h:
      Fixed ICMPv6 encoding issue.

    * etc/snort.conf,
      src/detection-plugins/sp_file_type.c,
      src/dynamic-preprocessors/Makefile.am,
      src/dynamic-preprocessors/ftptelnet/Makefile.am,
      src/dynamic-preprocessors/imap/Makefile.am,
      src/dynamic-preprocessors/pop/Makefile.am,
      src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
      src/dynamic-preprocessors/smtp/Makefile.am,
      src/dynamic-preprocessors/ssl/Makefile.am,
      src/preprocessors/Session/Makefile.am,
      src/win32/WIN32-Prj/sf_engine.dsp,
      src/win32/WIN32-Prj/snort.dsp,
      src/win32/WIN32-Prj/snort.dsw,
      src/win32/WIN32-Prj/snort_installer.nsi:
      Fixed Win32 and distcheck build issues.

    * doc/OpenDetectorDeveloperGuide.docx,
      doc/OpenDetectorDeveloperGuide.pdf,
      src/dynamic-preprocessors/appid/Makefile.am,
      src/dynamic-preprocessors/appid/appInfoTable.c,
      src/dynamic-preprocessors/appid/detector_plugins/detector_http.c,
      src/dynamic-preprocessors/appid/detector_plugins/detector_http.h,
      src/dynamic-preprocessors/appid/fw_appid.c,
      src/dynamic-preprocessors/appid/httpCommon.h,
      src/dynamic-preprocessors/appid/luaDetectorApi.c,
      src/dynamic-preprocessors/appid/service_plugins/service_base.c,
      src/dynamic-preprocessors/appid/service_plugins/service_rtmp.c,
      src/dynamic-preprocessors/appid/service_plugins/service_rtmp.h:
      Added RTMP detector (w/ metadata) to OpenAppID and updated
      Lua API.

2014-06-04 Carter Waxman <cwaxman@cisco.com>
Snort 2.9.7.0.beta
    * src/build.h:
      updating build number to 109

    * src/: detection-plugins/sp_base64_decode.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
      Use correct buffer size for base64 decoding.
      Fix the bound check for base64_decode rule. Thanks Joshua providing the
      patch.

    * src/: detect.c,
      dynamic-preprocessors/reputation/spp_reputation.c,
      dynamic-preprocessors/reputation/shmem/shmem_config.h,
      dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
      preprocessors/session_api.h, preprocessors/spp_session.c:
      Improved reputation performance by only checking IPs once per
      session. Changed control socket to respond 0 when reloading empty IP
      reputation lists. Avoid registering reputation preprocessor when there are no IP lists

    * src/: active.c, fpdetect.c,
      dynamic-preprocessors/dcerpc2/dce2_smb.c,
      file-process/file_resume_block.c: 
      Fixed build issue when configuring with --disable-active-response
      --disable-react --disable-flexresp3 (Reported by Jeremy Hoel)

    * src/parser.c
      src/preprocessors/Session/stream5_ha.c,
      src/preprocessors/Stream6/snort_stream_icmp.c,
      src/preprocessors/Stream6/snort_stream_tcp.c,
      src/preprocessors/Stream6/snort_stream_udp.c,
      src/preprocessors/spp_session.c:
      Fixed configuration parsing issues.

    * src/: fpcreate.c, fpdetect.c:
      Fixed rule protocol mapping when using target-based detection.

    * src/preprocessors/perf-base.c: 
      Added field in now files for number of normalizers used.

    * src/preprocessors/Stream6/snort_stream_tcp.c:
      Fix handling of data on syn for Mac OSX reassembly.

    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Remove optional field check to improve compatiblity for DragonFlyBSD.
      Thanks Joshua Kinard providing patch.

    * src/detect.c:
      Fixed AppID not correctly handling packets without sessions (Discovered by
      James Lay)

    * src/preprocessors/snort_httpinspect.c:
      Fixed issue with HTTP session data handling. (Discovered by James Lay)

    * src/snort.c:
      Fixed parsing of custom rule types on reload.

    * src/util.c:
      Fixed timestamp arithmetic error (Reported by David Turnbull)

    * src/: sf_protocols.h, preprocessors/perf-base.c,
      preprocessors/perf-base.h, preprocessors/session_api.h,
      preprocessors/spp_session.c, preprocessors/spp_stream6.c,
      preprocessors/stream_api.h,
      preprocessors/Stream6/stream_common.c,
      preprocessors/Stream6/stream_common.h:
      Fixed IP protocol number type (Reported by Joshua Kinard)

    * src/: strlcatu.h, strlcpyu.h:
      Wrap function signatures for strlcat/strlcpy.  Thanks to James
      Golab for reporting the issue.

     * doc/: snort_manual.pdf, snort_manual.tex:
      Typos fixed (Credit to Jenah J. Sigurdson)
    
    * src/: encode.h, parser.c, dynamic-preprocessors/imap/imap_paf.c,
      dynamic-preprocessors/pop/pop_paf.c,
      dynamic-preprocessors/smtp/smtp_paf.c,
      file-process/file_mail_common.h, preprocessors/stream_api.h,
      preprocessors/Stream6/stream_paf.c:
      Fixed PAF flushing behavior when encountering gaps.
      paf_max now has a hard flush limit of ~64,000. Email protocols will
      flush within 1500 characters of paf_max.

    * src/: dynamic-preprocessors/dns/spp_dns.c,
      dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/pop/snort_pop.c,
      preprocessors/session_api.h, preprocessors/spp_rpc_decode.c,
      preprocessors/spp_session.c,
      preprocessors/Stream6/snort_stream_tcp.c:
      Changed flushing to use receiver's flush policy in all functions.
      Updated POP, IMAP, DNS, RPC, and SSL to use the correct directions.
      Added SSN_TO_SERVER(SSN_FROM_CLIENT) and SSN_TO_CLIENT(SSN_FROM_SERVER)
      to make code more readable (Discovered by John Enure).

    * src/detection_util.c:
      Fixed Http buffer name initialization.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Fixed URI parsing and normalization.

    * doc/README.file_ips, src/plugbase.c, src/rule_option_types.h,
      src/detection-plugins/Makefile.am,
      src/detection-plugins/detection_options.c,
      src/detection-plugins/sp_file_type.c,
      src/file-process/file_api.h, src/file-process/file_service.c,
      src/file-process/libs/file_config.c,
      src/file-process/libs/file_config.h,
      src/file-process/libs/file_identifier.c,
      src/file-process/libs/file_lib.c,
      src/file-process/libs/file_lib.h:
      Allow registration of the same file type callback.
      Harden file_type and file_group rule options.
      Fix file id to always use the matched file id.
      File identifier rule options 'type' and 'ver' no longer accept
      arbitrary ASCII characters as valid arguments, only
      permitting [A-Za-z0-9_.] characters.
      Snort's 'file_type' rule option now checks for trailing comma (,)
      and pipe (|) separators and other typo like mistakes.

    * configure.in,
      src/active.c,
      src/active.h,
      src/decode.c,
      src/detection-plugins/detection_options.c,
      src/detection-plugins/sp_replace.c,
      src/dynamic-plugins/sf_dynamic_plugins.c,
      src/parser.c,
      src/parser.h,
      src/preprocessors/Stream6/snort_stream_tcp.c,
      src/preprocessors/normalize.c,
      src/preprocessors/normalize.h,
      src/preprocessors/perf-base.c,
      src/preprocessors/perf-base.h,
      src/preprocessors/spp_normalize.c,
      src/preprocessors/spp_normalize.h,
      src/preprocessors/spp_session.c,
      src/snort.c,
      src/snort.h:
      Added would-normalize normalization statistics for inline_test mode.
      Normalization behavior now enabled / configured using na_policy_mode.
      Fix typos in spp_normalize.c (Thanks to Gregory S Thomas for mentioning).

    * doc/README.normalize, doc/snort_manual.pdf, doc/snort_manual.tex,
      src/preprocessors/normalize.c, src/preprocessors/perf-base.c,
      src/preprocessors/perf-base.h, src/preprocessors/spp_normalize.c,
      src/preprocessors/spp_normalize.h,
      src/preprocessors/Stream6/snort_stream_tcp.c:
      TCP normalization configurations have been split into more granular options.
      URP normalization is now ENABLED with the "urp" keyword instead of
      DISABLED. New performance monitor stats have been introduced for these
      changes.

    * src/decode.h,
      src/detect.c,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/preprocessors/Session/session_expect.c,
      src/preprocessors/Stream6/snort_stream_tcp.c,
      src/preprocessors/spp_stream6.c,
      src/preprocessors/stream_api.h:
      Changed priority of ftp-telnet reassembly to improve performance.
      Process end of file data correctly for ftp data channel.

    * etc/file_magic.conf, 
      src/sfutil/sf_email_attach_decode.c:
      File type UUENCODED is now all caps.
      Set file data pointer correctly after UU decoding ends.

    * src/: dynamic-preprocessors/imap/imap_config.c,
      dynamic-preprocessors/pop/pop_config.c,
      dynamic-preprocessors/smtp/smtp_config.c,
      file-process/file_mime_config.c, file-process/file_mime_config.h:
      +0 and -0 are no longer valid values for decoding depth.
    
    * src/dynamic-preprocessors/dnp3/spp_dnp3.c:
      Validate DNP3 packets before processing.
    
    * src/: snort.c, snort.h, sfutil/intel-soft-cpm.c,
      sfutil/intel-soft-cpm.h:
      Fixed issues during reload.

    * configure.in,
      doc/README.http_inspect,
      doc/snort_manual.pdf,
      doc/snort_manual.tex,
      etc/gen-msg.map,
      preproc_rules/preprocessor.rules,
      src/generators.h,
      src/preprocessors/HttpInspect/Makefile.am,
      src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
      src/preprocessors/HttpInspect/files/Makefile.am,
      src/preprocessors/HttpInspect/files/file_decomp.c,
      src/preprocessors/HttpInspect/files/file_decomp_PDF.c,
      src/preprocessors/HttpInspect/files/file_decomp_SWF.c,
      src/preprocessors/HttpInspect/files/include/file_decomp.h,
      src/preprocessors/HttpInspect/files/include/file_decomp_PDF.h
      src/preprocessors/HttpInspect/include/Makefile.am,
      src/preprocessors/HttpInspect/include/file_decomp.h,
      src/preprocessors/HttpInspect/include/file_decomp_PDF.h,
      src/preprocessors/HttpInspect/include/file_decomp_SWF.h,
      src/preprocessors/HttpInspect/include/hi_eo_events.h,
      src/preprocessors/HttpInspect/include/hi_include.h,
      src/preprocessors/HttpInspect/include/hi_ui_config.h,
      src/preprocessors/HttpInspect/server/hi_server.cr,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h,
      src/preprocessors/spp_httpinspect.c,
      src/util.c:
      Added ability for HttpInspect to decompress DEFLATE and LZMA encoded
      SWF content and DEFLATE encoded pdf content.

    * src/preprocessors/spp_perfmonitor.c:
      Fixed race condition in perf montitor during reload.

    * src/preprocessors/HttpInspect/client/hi_client.c,
      src/preprocessors/HttpInspect/include/hi_client.h,
      src/preprocessors/HttpInspect/include/hi_ui_config.h,
      src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
      src/preprocessors/snort_httpinspect.c:
      Added Enhanced XFF support to HttpInspect.

    * src/profiler.c:
      Fixed duplicate profiler entries when using multiple policies.

    * configure.in, src/Makefile.am, src/dump.c, src/dump.h,
      src/snort.c, src/control/sfcontrol.h, tools/control/Makefile.am,
      tools/control/README.snort_dump_packets_control,
      tools/control/sfcontrol.c, tools/control/snort_dump_packets.c:
      Added control socket command to dump packets.

    * src/: preprocessors/snort_httpinspect.c,
      preprocessors/snort_httpinspect.h,
      preprocessors/HttpInspect/client/hi_client.c,
      preprocessors/HttpInspect/include/hi_ui_config.h,
      preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h,
      preprocessors/HttpInspect/session_inspection/hi_si.c,
      preprocessors/HttpInspect/user_interface/hi_ui_config.c,
      preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c,
      sfutil/util_jsnorm.c, sfutil/util_jsnorm.h:
      Removed dead max_pipeline and inspection_type configurations.
      Improved memory efficiency of unicode->ascii map.
      Expanded possible number of preprocessor alerts for HttpInspect from 31 to 63.

    * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
      Fixed FindPiiRecursively to better handle partial matches.

    * src/dynamic-preprocessors/sip/sip_parser.c:
      Fixed handling SDP when caller and callee have identical session
      ids.

    * src/: dynamic-preprocessors/Makefile.am,
      dynamic-preprocessors/sip/sip_config.h,
      dynamic-preprocessors/sip/sip_dialog.c,
      dynamic-preprocessors/sip/spp_sip.h, preprocessors/Makefile.am,
      preprocessors/sip_common.h, preprocessors/spp_stream6.c,
      preprocessors/stream_api.h:
      Support better SIP parsing and call handling.
    
    * Makefile.am,
      configure.in,
      doc/Makefile.am,
      doc/README,
      doc/README.frag3,
      doc/USAGE,
      doc/WISHLIST,
      doc/snort_manual.tex,
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      dynamic-preprocessors/ftptelnet/ftpp_si.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/ssl_common/ssl_config.c,
      dynamic-preprocessors/ssl_common/ssl_include.h,
      dynamic-preprocessors/ssl_common/ssl_inspect.c,
      etc/Makefile.am,
      etc/gen-msg.map,
      libs/ssl_include.h,
      rpm/snort.spec,
      snort.8,
      src/Makefile.am,
      src/active.c,
      src/active.h,
      src/byte_extract.c,
      src/checksum.h,
      src/debug.c,
      src/decode.c,
      src/decode.h,
      src/detect.c,
      src/detect.h,
      src/detection-plugins/detection_options.c,
      src/detection-plugins/detection_options.h,
      src/detection-plugins/sp_asn1.c,
      src/detection-plugins/sp_asn1_detect.c,
      src/detection-plugins/sp_byte_check.c,
      src/detection-plugins/sp_byte_check.h,
      src/detection-plugins/sp_byte_jump.c,
      src/detection-plugins/sp_byte_jump.h,
      src/detection-plugins/sp_clientserver.c,
      src/detection-plugins/sp_clientserver.h,
      src/detection-plugins/sp_dsize_check.c,
      src/detection-plugins/sp_dsize_check.h,
      src/detection-plugins/sp_flowbits.c,
      src/detection-plugins/sp_flowbits.h,
      src/detection-plugins/sp_ftpbounce.c,
      src/detection-plugins/sp_ftpbounce.h,
      src/detection-plugins/sp_icmp_code_check.c,
      src/detection-plugins/sp_icmp_code_check.h,
      src/detection-plugins/sp_icmp_id_check.c,
      src/detection-plugins/sp_icmp_id_check.h,
      src/detection-plugins/sp_icmp_seq_check.c,
      src/detection-plugins/sp_icmp_seq_check.h,
      src/detection-plugins/sp_icmp_type_check.c,
      src/detection-plugins/sp_icmp_type_check.h,
      src/detection-plugins/sp_ip_fragbits.c,
      src/detection-plugins/sp_ip_fragbits.h,
      src/detection-plugins/sp_ip_id_check.c,
      src/detection-plugins/sp_ip_id_check.h,
      src/detection-plugins/sp_ip_proto.c,
      src/detection-plugins/sp_ip_proto.h,
      src/detection-plugins/sp_ip_same_check.c,
      src/detection-plugins/sp_ip_same_check.h,
      src/detection-plugins/sp_ip_tos_check.c,
      src/detection-plugins/sp_ip_tos_check.h,
      src/detection-plugins/sp_ipoption_check.c,
      src/detection-plugins/sp_ipoption_check.h,
      src/detection-plugins/sp_isdataat.c,
      src/detection-plugins/sp_isdataat.h,
      src/detection-plugins/sp_pattern_match.c,
      src/detection-plugins/sp_pattern_match.h,
      src/detection-plugins/sp_pcre.c,
      src/detection-plugins/sp_react.c,
      src/detection-plugins/sp_react.h,
      src/detection-plugins/sp_replace.c,
      src/detection-plugins/sp_replace.h,
      src/detection-plugins/sp_respond.h,
      src/detection-plugins/sp_respond3.c,
      src/detection-plugins/sp_rpc_check.c,
      src/detection-plugins/sp_rpc_check.h,
      src/detection-plugins/sp_session.c,
      src/detection-plugins/sp_session.h,
      src/detection-plugins/sp_tcp_ack_check.c,
      src/detection-plugins/sp_tcp_ack_check.h,
      src/detection-plugins/sp_tcp_flag_check.c,
      src/detection-plugins/sp_tcp_flag_check.h,
      src/detection-plugins/sp_tcp_seq_check.c,
      src/detection-plugins/sp_tcp_seq_check.h,
      src/detection-plugins/sp_tcp_win_check.c,
      src/detection-plugins/sp_tcp_win_check.h,
      src/detection-plugins/sp_ttl_check.c,
      src/detection-plugins/sp_ttl_check.h,
      src/detection_filter.c,
      src/detection_filter.h,
      src/detection_util.c,
      src/detection_util.h,
      src/dynamic-examples/Makefile.am,
      src/dynamic-plugins/sf_convert_dynamic.c,
      src/dynamic-plugins/sf_convert_dynamic.h,
      src/dynamic-plugins/sf_dynamic_plugins.c,
      src/dynamic-plugins/sf_dynamic_preprocessor.h,
      src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c,
      src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h,
      src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.c,
      src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.h,
      src/dynamic-plugins/sf_src/dynamic_plugins.c,
      src/dynamic-plugins/sf_src/dynamic_preprocessor.h,
      src/dynamic-plugins/sp_dynamic.c,
      src/dynamic-plugins/sp_dynamic.h,
      src/dynamic-plugins/sp_preprocopt.c,
      src/dynamic-plugins/sp_preprocopt.h,
      src/dynamic-preprocessors/Makefile.am,
      src/dynamic-preprocessors/ftptelnet/Makefile.am,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
      src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
      src/dynamic-preprocessors/ftptelnet/pp_telnet.c,
      src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/imap/Makefile.am,
      src/dynamic-preprocessors/imap/imap_config.c,
      src/dynamic-preprocessors/imap/imap_config.h,
      src/dynamic-preprocessors/imap/imap_log.c,
      src/dynamic-preprocessors/imap/imap_log.h,
      src/dynamic-preprocessors/imap/imap_util.c,
      src/dynamic-preprocessors/imap/imap_util.h,
      src/dynamic-preprocessors/imap/sf_imap.dsp,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/imap/snort_imap.h,
      src/dynamic-preprocessors/imap/spp_imap.c,
      src/dynamic-preprocessors/imap/spp_imap.h,
      src/dynamic-preprocessors/libs/Makefile.am,
      src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp,
      src/dynamic-preprocessors/libs/ssl.c,
      src/dynamic-preprocessors/libs/ssl.h,
      src/dynamic-preprocessors/libs/ssl_include.h,
      src/dynamic-preprocessors/pop/Makefile.am,
      src/dynamic-preprocessors/pop/pop_config.c,
      src/dynamic-preprocessors/pop/pop_config.h,
      src/dynamic-preprocessors/pop/pop_log.c,
      src/dynamic-preprocessors/pop/pop_log.h,
      src/dynamic-preprocessors/pop/pop_util.c,
      src/dynamic-preprocessors/pop/pop_util.h,
      src/dynamic-preprocessors/pop/sf_pop.dsp,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/pop/snort_pop.h,
      src/dynamic-preprocessors/pop/spp_pop.c,
      src/dynamic-preprocessors/pop/spp_pop.h,
      src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c,
      src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_config.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_config.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_lib.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
      src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
      src/dynamic-preprocessors/sip/sf_sip.dsp,
      src/dynamic-preprocessors/smtp/Makefile.am,
      src/dynamic-preprocessors/smtp/sf_smtp.dsp,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/smtp/snort_smtp.h,
      src/dynamic-preprocessors/ssl/Makefile.am,
      src/dynamic-preprocessors/ssl/sf_ssl.dsp,
      src/dynamic-preprocessors/ssl_common/ssl.c,
      src/dynamic-preprocessors/ssl_common/ssl.h,
      src/dynamic-preprocessors/ssl_common/ssl_config.c,
      src/dynamic-preprocessors/ssl_common/ssl_config.h,
      src/dynamic-preprocessors/ssl_common/ssl_ha.c,
      src/dynamic-preprocessors/ssl_common/ssl_ha.h,
      src/dynamic-preprocessors/ssl_common/ssl_include.h,
      src/dynamic-preprocessors/ssl_common/ssl_inspect.c,
      src/dynamic-preprocessors/ssl_common/ssl_inspect.h,
      src/dynamic-preprocessors/ssl_common/ssl_session.h,
      src/encode.c,
      src/encode.h,
      src/event.h,
      src/event_queue.c,
      src/event_wrapper.c,
      src/fpcreate.c,
      src/fpcreate.h,
      src/fpdetect.c,
      src/fpdetect.h,
      src/generators.h,
      src/hashstring.c,
      src/hashstring.h,
      src/idle_processing.c,
      src/log.c,
      src/log.h,
      src/log_text.c,
      src/mempool.c,
      src/mempool.h,
      src/mstring.c,
      src/mstring.h,
      src/output-plugins/spo_alert_fast.c,
      src/output-plugins/spo_alert_fast.h,
      src/output-plugins/spo_alert_full.c,
      src/output-plugins/spo_alert_full.h,
      src/output-plugins/spo_alert_sf_socket.c,
      src/output-plugins/spo_alert_syslog.c,
      src/output-plugins/spo_alert_syslog.h,
      src/output-plugins/spo_alert_test.c,
      src/output-plugins/spo_alert_test.h,
      src/output-plugins/spo_alert_unixsock.c,
      src/output-plugins/spo_alert_unixsock.h,
      src/output-plugins/spo_csv.c,
      src/output-plugins/spo_csv.h,
      src/output-plugins/spo_log_ascii.c,
      src/output-plugins/spo_log_ascii.h,
      src/output-plugins/spo_log_null.c,
      src/output-plugins/spo_log_null.h,
      src/output-plugins/spo_log_tcpdump.c,
      src/output-plugins/spo_log_tcpdump.h,
      src/output-plugins/spo_unified2.h,
      src/packet_time.c,
      src/parser.c,
      src/parser.h,
      src/parser/IpAddrSet.c,
      src/parser/IpAddrSet.h,
      src/pcrm.c,
      src/pcrm.h,
      src/plugbase.c,
      src/plugbase.h,
      src/plugin_enum.h,
      src/ppm.c,
      src/preprocessors/HttpInspect/include/hi_client.h,
      src/preprocessors/HttpInspect/include/hi_paf.h,
      src/preprocessors/HttpInspect/utils/hi_paf.c,
      src/preprocessors/Session/stream5_ha.c,
      src/preprocessors/normalize.c,
      src/preprocessors/normalize.h,
      src/preprocessors/perf-base.c,
      src/preprocessors/perf-base.h,
      src/preprocessors/perf-event.c,
      src/preprocessors/perf-event.h,
      src/preprocessors/perf-flow.c,
      src/preprocessors/perf-flow.h,
      src/preprocessors/perf.c,
      src/preprocessors/perf.h,
      src/preprocessors/session_api.h
      src/preprocessors/sfprocpidstats.c,
      src/preprocessors/sfprocpidstats.h,
      src/preprocessors/spp_arpspoof.c,
      src/preprocessors/spp_arpspoof.h,
      src/preprocessors/spp_bo.c,
      src/preprocessors/spp_bo.h,
      src/preprocessors/spp_frag3.c,
      src/preprocessors/spp_frag3.h,
      src/preprocessors/spp_normalize.c,
      src/preprocessors/spp_normalize.h,
      src/preprocessors/spp_perfmonitor.c,
      src/preprocessors/spp_perfmonitor.h,
      src/preprocessors/spp_rpc_decode.c,
      src/preprocessors/spp_rpc_decode.h,
      src/preprocessors/spp_session.c,
      src/preprocessors/spp_stream5.c,
      src/preprocessors/spp_stream5.h,
      src/preprocessors/stream_api.c,
      src/preprocessors/stream_api.h,
      src/preprocessors/stream_expect.c,
      src/preprocessors/stream_expect.h,
      src/profiler.c,
      src/profiler.h,
      src/rate_filter.c,
      src/rate_filter.h,
      src/rules.h,
      src/sf_protocols.h,
      src/sf_sdlist.c,
      src/sf_sdlist.h,
      src/sf_sdlist_types.h,
      src/sfdaq.c,
      src/sfdaq.h,
      src/sfthreshold.c,
      src/sfutil/acsmx.c,
      src/sfutil/acsmx.h,
      src/sfutil/acsmx2.c,
      src/sfutil/bitop.h,
      src/sfutil/bitop_funcs.h,
      src/sfutil/getopt.h,
      src/sfutil/mpse.c,
      src/sfutil/mpse.h,
      src/sfutil/sf_email_attach_decode.c,
      src/sfutil/sf_email_attach_decode.h,
      src/sfutil/sf_ip.c,
      src/sfutil/sf_iph.c,
      src/sfutil/sf_sechash.c,
      src/sfutil/sf_sechash.h,
      src/sfutil/sha2.h,
      src/sfutil/util_jsnorm.c,
      src/sfutil/util_jsnorm.h,
      src/sfutil/util_unfold.c,
      src/sfutil/util_unfold.h,
      src/signature.h,
      src/snort.c,
      src/snort.h,
      src/snort_debug.h,
      src/spo_plugbase.h,
      src/tag.c,
      src/tag.h,
      src/util.c,
      src/util.h,
      src/win32/WIN32-Code/getopt.c,
      src/win32/WIN32-Code/inet_aton.c,
      src/win32/WIN32-Code/misc.c,
      src/win32/WIN32-Includes/config.h,
      src/win32/WIN32-Includes/getopt.h,
      src/win32/WIN32-Prj/snort_installer.nsi,
      ssl/ssl_setup.c,
      tools/control/sfcontrol.c:
      Refactor SSL code to make a library for state processing across
      non-native protocols that use SSL via STARTTLS. Update IMAP/POP/FTP/SSL
      preprocessors to use new SSL library, and activation of PAF for those
      protocols. Add ability to share basic state for SSL.

    * configure.in,
      doc/README.session,
      doc/README.stream5,
      doc/snort_manual.pdf,
      doc/snort_manual.tex,
      dynamic-preprocessors/dns/spp_dns.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/gtp/spp_gtp.c,
      dynamic-preprocessors/imap/spp_imap.c,
      dynamic-preprocessors/modbus/spp_modbus.c,
      dynamic-preprocessors/pop/spp_pop.c,
      dynamic-preprocessors/sip/spp_sip.c,
      dynamic-preprocessors/smtp/spp_smtp.c,
      dynamic-preprocessors/ssh/spp_ssh.c,
      etc/sf_rule_options,
      preprocessors/Session/session_common.c,
      preprocessors/Session/session_common.h,
      preprocessors/Session/session_expect.c,
      preprocessors/Stream6/snort_stream_ip.c,
      preprocessors/Stream6/snort_stream_tcp.c,
      preprocessors/Stream6/snort_stream_tcp.h,
      preprocessors/Stream6/snort_stream_udp.c,
      preprocessors/Stream6/stream_common.h,
      preprocessors/session_api.h,
      preprocessors/snort_httpinspect.c,
      preprocessors/spp_rpc_decode.c,
      preprocessors/spp_session.c,
      preprocessors/spp_stream6.c,
      preprocessors/stream_api.h,
      preprocids.h,
      src/Makefile.am,
      src/active.c,
      src/active.h,
      src/build.h,
      src/detect.c,
      src/detect.h,
      src/detection-plugins/Makefile.am,
      src/detection-plugins/sp_clientserver.c,
      src/detection-plugins/sp_flowbits.c,
      src/detection-plugins/sp_pattern_match.c,
      src/detection-plugins/sp_pattern_match.h,
      src/dynamic-examples/Makefile.am,
      src/dynamic-examples/dynamic-preprocessor/spp_example.c,
      src/dynamic-output/plugins/output_lib.h,
      src/dynamic-output/plugins/output_plugin.c,
      src/dynamic-plugins/sf_convert_dynamic.c,
      src/dynamic-plugins/sf_dynamic_plugins.c,
      src/dynamic-plugins/sf_dynamic_preprocessor.h,
      src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
      src/dynamic-plugins/sp_preprocopt.c,
      src/dynamic-preprocessors/Makefile.am,
      src/dynamic-preprocessors/dcerpc2/dce2_cl.c,
      src/dynamic-preprocessors/dcerpc2/dce2_config.c,
      src/dynamic-preprocessors/dcerpc2/dce2_config.h,
      src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
      src/dynamic-preprocessors/dcerpc2/dce2_roptions.c,
      src/dynamic-preprocessors/dcerpc2/dce2_session.h,
      src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.h,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
      src/dynamic-preprocessors/dnp3/dnp3_roptions.c,
      src/dynamic-preprocessors/dnp3/spp_dnp3.c,
      src/dynamic-preprocessors/dnp3/spp_dnp3.h,
      src/dynamic-preprocessors/dns/spp_dns.c,
      src/dynamic-preprocessors/dns/spp_dns.h,
      src/dynamic-preprocessors/file/file_agent.c,
      src/dynamic-preprocessors/file/file_event_log.c,
      src/dynamic-preprocessors/file/spp_file.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
      src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
      src/dynamic-preprocessors/ftptelnet/pp_telnet.c,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
      src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      src/dynamic-preprocessors/gtp/gtp_roptions.c,
      src/dynamic-preprocessors/gtp/spp_gtp.c,
      src/dynamic-preprocessors/imap/imap_config.c,
      src/dynamic-preprocessors/imap/imap_config.h,
      src/dynamic-preprocessors/imap/sf_imap.dsp,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/imap/snort_imap.h,
      src/dynamic-preprocessors/imap/spp_imap.c,
      src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp,
      src/dynamic-preprocessors/modbus/modbus_decode.c,
      src/dynamic-preprocessors/modbus/modbus_roptions.c,
      src/dynamic-preprocessors/modbus/spp_modbus.c,
      src/dynamic-preprocessors/modbus/spp_modbus.h,
      src/dynamic-preprocessors/pop/pop_config.c,
      src/dynamic-preprocessors/pop/pop_config.h,
      src/dynamic-preprocessors/pop/pop_util.c,
      src/dynamic-preprocessors/pop/sf_pop.dsp,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/pop/snort_pop.h,
      src/dynamic-preprocessors/pop/spp_pop.c,
      src/dynamic-preprocessors/reputation/spp_reputation.c,
      src/dynamic-preprocessors/sdf/spp_sdf.c,
      src/dynamic-preprocessors/sip/sip_dialog.c,
      src/dynamic-preprocessors/sip/sip_roptions.c,
      src/dynamic-preprocessors/sip/spp_sip.c,
      src/dynamic-preprocessors/smtp/sf_smtp.dsp,
      src/dynamic-preprocessors/smtp/smtp_config.c,
      src/dynamic-preprocessors/smtp/smtp_config.h,
      src/dynamic-preprocessors/smtp/smtp_util.c,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/smtp/spp_smtp.c,
      src/dynamic-preprocessors/ssh/spp_ssh.c,
      src/encode.c,
      src/encode.h,
      src/event_queue.c,
      src/event_wrapper.c,
      src/file-process/file_api.h,
      src/file-process/file_mime_process.c,
      src/file-process/file_mime_process.h,
      src/file-process/file_service.c,
      src/file-process/file_stats.c,
      src/file-process/libs/file_config.c,
      src/file-process/libs/file_config.h,
      src/fpcreate.c,
      src/fpdetect.c,
      src/generators.h,
      src/parser.c,
      src/parser.h,
      src/plugbase.c,
      src/plugbase.h,
      src/ppm.c,
      src/preprocessors/HttpInspect/include/hi_ui_config.h,
      src/preprocessors/HttpInspect/session_inspection/hi_si.c,
      src/preprocessors/Makefile.am,
      src/preprocessors/Session/Makefile.am,
      src/preprocessors/Session/session_common.c,
      src/preprocessors/Session/session_common.h,
      src/preprocessors/Session/session_expect.c,
      src/preprocessors/Session/session_expect.h,
      src/preprocessors/Session/snort_session.c,
      src/preprocessors/Session/snort_session.h,
      src/preprocessors/Session/stream5_ha.c,
      src/preprocessors/Session/stream5_ha.h,
      src/preprocessors/Stream6/Makefile.am,
      src/preprocessors/Stream6/snort_stream_icmp.c,
      src/preprocessors/Stream6/snort_stream_icmp.h,
      src/preprocessors/Stream6/snort_stream_ip.c,
      src/preprocessors/Stream6/snort_stream_ip.h,
      src/preprocessors/Stream6/snort_stream_tcp.c,
      src/preprocessors/Stream6/snort_stream_tcp.h,
      src/preprocessors/Stream6/snort_stream_udp.c,
      src/preprocessors/Stream6/snort_stream_udp.h,
      src/preprocessors/Stream6/stream_common.c,
      src/preprocessors/Stream6/stream_common.h,
      src/preprocessors/Stream6/stream_paf.c,
      src/preprocessors/Stream6/stream_paf.h,
      src/preprocessors/perf-base.c,
      src/preprocessors/portscan.c,
      src/preprocessors/session_api.c,
      src/preprocessors/session_api.h,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h,
      src/preprocessors/spp_arpspoof.c,
      src/preprocessors/spp_bo.c,
      src/preprocessors/spp_frag3.c,
      src/preprocessors/spp_httpinspect.c,
      src/preprocessors/spp_normalize.c,
      src/preprocessors/spp_perfmonitor.c,
      src/preprocessors/spp_rpc_decode.c,
      src/preprocessors/spp_session.c, 
      src/preprocessors/spp_session.h,
      src/preprocessors/spp_sfportscan.c,
      src/preprocessors/spp_stream5.c,
      src/preprocessors/spp_stream5.h,
      src/preprocessors/spp_stream6.c,
      src/preprocessors/spp_stream6.h,
      src/preprocessors/stream_api.h,
      src/preprocessors/stream_expect.c,
      src/preprocessors/stream_expect.h,
      src/preprocids.h,
      src/sf_sdlist.c,
      src/sf_sdlist.h,
      src/sfdaq.c,
      src/sfdaq.h,
      src/sfutil/sfPolicy.c,
      src/sfutil/sfPolicy.h,
      src/sfutil/sfPolicyData.h,
      src/sfutil/sfPolicyUserData.h,
      src/sfutil/sf_email_attach_decode.h,
      src/sfutil/sfrf.c,
      src/sfutil/sfthd.c,
      src/sfutil/test/sf_ip_test.c,
      src/snort.c,
      src/snort.h,
      src/target-based/sftarget_protocol_reference.c,
      src/target-based/sftarget_reader.c,
      src/target-based/sftarget_reader.h,
      src/util.c,
      src/win32/WIN32-Prj/snort.dsp,
      tools/Makefile.a:
      Split the session tracking and reassembly functionality of Stream5
      into new Session and Stream preprocessors.

    * configure.in,
      doc/INSTALL,
      doc/Makefile.am,
      doc/README.appid,
      doc/snort_manual.tex,
      src/detect.c,
      src/detection-plugins/Makefile.am,
      src/detection-plugins/detection_options.c,
      src/detection-plugins/sp_appid.c,
      src/detection-plugins/sp_appid.h
      src/dynamic-plugins/sf_dynamic_common.h,
      src/dynamic-plugins/sf_dynamic_define.h,
      src/dynamic-plugins/sf_dynamic_meta.h,
      src/dynamic-plugins/sf_dynamic_plugins.c,
      src/dynamic-plugins/sf_dynamic_preprocessor.h,
      src/dynamic-plugins/sf_engine/Makefile.am,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/dynamic-preprocessors/Makefile.am
      src/dynamic-preprocessors/Makefile.am,
      src/dynamic-preprocessors/appid/Makefile.am,
      src/dynamic-preprocessors/appid/appId.h,
      src/dynamic-preprocessors/appid/appIdConfig.c,
      src/dynamic-preprocessors/appid/appIdConfig.h,
      src/dynamic-preprocessors/appid/appIdStats.c,
      src/dynamic-preprocessors/appid/appIdStats.h,
      src/dynamic-preprocessors/appid/appInfoTable.c,
      src/dynamic-preprocessors/appid/appInfoTable.h,
      src/dynamic-preprocessors/appid/attribute.h,
      src/dynamic-preprocessors/appid/client_plugins/Makefile.am,
      src/dynamic-preprocessors/appid/client_plugins/client_app_aim.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_aim.h,
      src/dynamic-preprocessors/appid/client_plugins/client_app_api.h,
      src/dynamic-preprocessors/appid/client_plugins/client_app_base.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_base.h,
      src/dynamic-preprocessors/appid/client_plugins/client_app_bit.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_bit_tracker.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_msn.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_msn.h,
      src/dynamic-preprocessors/appid/client_plugins/client_app_rtp.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_sip.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_sip.h,
      src/dynamic-preprocessors/appid/client_plugins/client_app_smtp.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_smtp.h,
      src/dynamic-preprocessors/appid/client_plugins/client_app_ssh.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_template.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_timbuktu.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_tns.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_vnc.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_ym.c,
      src/dynamic-preprocessors/appid/client_plugins/client_app_ym.h,
      src/dynamic-preprocessors/appid/commonAppMatcher.c,
      src/dynamic-preprocessors/appid/commonAppMatcher.h,
      src/dynamic-preprocessors/appid/detector_plugins/Makefile.am,
      src/dynamic-preprocessors/appid/detector_plugins/detector_api.h,
      src/dynamic-preprocessors/appid/detector_plugins/detector_base.c,
      src/dynamic-preprocessors/appid/detector_plugins/detector_base.h,
      src/dynamic-preprocessors/appid/detector_plugins/detector_http.c,
      src/dynamic-preprocessors/appid/detector_plugins/detector_http.h,
      src/dynamic-preprocessors/appid/detector_plugins/detector_imap.c,
      src/dynamic-preprocessors/appid/detector_plugins/detector_kerberos.c,
      src/dynamic-preprocessors/appid/detector_plugins/detector_pop3.c,
      src/dynamic-preprocessors/appid/detector_plugins/detector_sip.c,
      src/dynamic-preprocessors/appid/detector_plugins/detector_sip.h,
      src/dynamic-preprocessors/appid/detector_plugins/http_url_patterns.c,
      src/dynamic-preprocessors/appid/detector_plugins/http_url_patterns.h,
      src/dynamic-preprocessors/appid/diffScript.sh,
      src/dynamic-preprocessors/appid/doxy_api.c,
      src/dynamic-preprocessors/appid/flow.c,
      src/dynamic-preprocessors/appid/flow.h,
      src/dynamic-preprocessors/appid/flow_error.h,
      src/dynamic-preprocessors/appid/fw_appid.c,
      src/dynamic-preprocessors/appid/fw_appid.h,
      src/dynamic-preprocessors/appid/hostPortAppCache.c,
      src/dynamic-preprocessors/appid/hostPortAppCache.h,
      src/dynamic-preprocessors/appid/host_tracker.h,
      src/dynamic-preprocessors/appid/httpCommon.h,
      src/dynamic-preprocessors/appid/luaDetectorApi.c,
      src/dynamic-preprocessors/appid/luaDetectorApi.h,
      src/dynamic-preprocessors/appid/luaDetectorFlowApi.c,
      src/dynamic-preprocessors/appid/luaDetectorFlowApi.h,
      src/dynamic-preprocessors/appid/luaDetectorModule.c,
      src/dynamic-preprocessors/appid/luaDetectorModule.h,
      src/dynamic-preprocessors/appid/rna_flow.h,
      src/dynamic-preprocessors/appid/service_plugins/Makefile.am,
      src/dynamic-preprocessors/appid/service_plugins/dcerpc.c,
      src/dynamic-preprocessors/appid/service_plugins/dcerpc.h,
      src/dynamic-preprocessors/appid/service_plugins/service_MDNS.c,
      src/dynamic-preprocessors/appid/service_plugins/service_MDNS.h,
      src/dynamic-preprocessors/appid/service_plugins/service_api.h,
      src/dynamic-preprocessors/appid/service_plugins/service_base.c,
      src/dynamic-preprocessors/appid/service_plugins/service_base.h,
      src/dynamic-preprocessors/appid/service_plugins/service_battle_field.c,
      src/dynamic-preprocessors/appid/service_plugins/service_battle_field.h,
      src/dynamic-preprocessors/appid/service_plugins/service_bgp.c,
      src/dynamic-preprocessors/appid/service_plugins/service_bgp.h,
      src/dynamic-preprocessors/appid/service_plugins/service_bit.c,
      src/dynamic-preprocessors/appid/service_plugins/service_bootp.c,
      src/dynamic-preprocessors/appid/service_plugins/service_bootp.h,
      src/dynamic-preprocessors/appid/service_plugins/service_dcerpc.c,
      src/dynamic-preprocessors/appid/service_plugins/service_dcerpc.h,
      src/dynamic-preprocessors/appid/service_plugins/service_direct_connect.c,
      src/dynamic-preprocessors/appid/service_plugins/service_direct_connect.h,
      src/dynamic-preprocessors/appid/service_plugins/service_dns.c,
      src/dynamic-preprocessors/appid/service_plugins/service_dns.h,
      src/dynamic-preprocessors/appid/service_plugins/service_flap.c,
      src/dynamic-preprocessors/appid/service_plugins/service_flap.h,
      src/dynamic-preprocessors/appid/service_plugins/service_ftp.c,
      src/dynamic-preprocessors/appid/service_plugins/service_ftp.h,
      src/dynamic-preprocessors/appid/service_plugins/service_irc.c,
      src/dynamic-preprocessors/appid/service_plugins/service_irc.h,
      src/dynamic-preprocessors/appid/service_plugins/service_lpr.c,
      src/dynamic-preprocessors/appid/service_plugins/service_lpr.h,
      src/dynamic-preprocessors/appid/service_plugins/service_mysql.c,
      src/dynamic-preprocessors/appid/service_plugins/service_mysql.h,
      src/dynamic-preprocessors/appid/service_plugins/service_netbios.c,
      src/dynamic-preprocessors/appid/service_plugins/service_netbios.h,
      src/dynamic-preprocessors/appid/service_plugins/service_nntp.c,
      src/dynamic-preprocessors/appid/service_plugins/service_nntp.h,
      src/dynamic-preprocessors/appid/service_plugins/service_ntp.c,
      src/dynamic-preprocessors/appid/service_plugins/service_ntp.h,
      src/dynamic-preprocessors/appid/service_plugins/service_pattern.c,
      src/dynamic-preprocessors/appid/service_plugins/service_pattern.h,
      src/dynamic-preprocessors/appid/service_plugins/service_radius.c,
      src/dynamic-preprocessors/appid/service_plugins/service_radius.h,
      src/dynamic-preprocessors/appid/service_plugins/service_rexec.c,
      src/dynamic-preprocessors/appid/service_plugins/service_rexec.h,
      src/dynamic-preprocessors/appid/service_plugins/service_rfb.c,
      src/dynamic-preprocessors/appid/service_plugins/service_rfb.h,
      src/dynamic-preprocessors/appid/service_plugins/service_rlogin.c,
      src/dynamic-preprocessors/appid/service_plugins/service_rlogin.h,
      src/dynamic-preprocessors/appid/service_plugins/service_rpc.c,
      src/dynamic-preprocessors/appid/service_plugins/service_rpc.h,
      src/dynamic-preprocessors/appid/service_plugins/service_rshell.c,
      src/dynamic-preprocessors/appid/service_plugins/service_rshell.h,
      src/dynamic-preprocessors/appid/service_plugins/service_rsync.c,
      src/dynamic-preprocessors/appid/service_plugins/service_rsync.h,
      src/dynamic-preprocessors/appid/service_plugins/service_sip.c,
      src/dynamic-preprocessors/appid/service_plugins/service_sip.h,
      src/dynamic-preprocessors/appid/service_plugins/service_smtp.c,
      src/dynamic-preprocessors/appid/service_plugins/service_smtp.h,
      src/dynamic-preprocessors/appid/service_plugins/service_snmp.c,
      src/dynamic-preprocessors/appid/service_plugins/service_snmp.h,
      src/dynamic-preprocessors/appid/service_plugins/service_ssh.c,
      src/dynamic-preprocessors/appid/service_plugins/service_ssh.h,
      src/dynamic-preprocessors/appid/service_plugins/service_ssl.c,
      src/dynamic-preprocessors/appid/service_plugins/service_ssl.h,
      src/dynamic-preprocessors/appid/service_plugins/service_telnet.c,
      src/dynamic-preprocessors/appid/service_plugins/service_telnet.h,
      src/dynamic-preprocessors/appid/service_plugins/service_template.c,
      src/dynamic-preprocessors/appid/service_plugins/service_tftp.c,
      src/dynamic-preprocessors/appid/service_plugins/service_tftp.h,
      src/dynamic-preprocessors/appid/service_plugins/service_timbuktu.c,
      src/dynamic-preprocessors/appid/service_plugins/service_tns.c,
      src/dynamic-preprocessors/appid/service_plugins/service_util.h,
      src/dynamic-preprocessors/appid/service_state.c,
      src/dynamic-preprocessors/appid/service_state.h,
      src/dynamic-preprocessors/appid/spp_appid.c,
      src/dynamic-preprocessors/appid/spp_appid.h,
      src/dynamic-preprocessors/appid/tools/u2openappid/Makefile.am,
      src/dynamic-preprocessors/appid/tools/u2streamer/Makefile.am,
      src/dynamic-preprocessors/appid/util/Makefile.am,
      src/dynamic-preprocessors/appid/util/OutputFile.c,
      src/dynamic-preprocessors/appid/util/OutputFile.h,
      src/dynamic-preprocessors/appid/util/acsmx.c,
      src/dynamic-preprocessors/appid/util/acsmx.h,
      src/dynamic-preprocessors/appid/util/acsmx2.c,
      src/dynamic-preprocessors/appid/util/acsmx2.h,
      src/dynamic-preprocessors/appid/util/bnfa_search.c,
      src/dynamic-preprocessors/appid/util/bnfa_search.h,
      src/dynamic-preprocessors/appid/util/common_util.h,
      src/dynamic-preprocessors/appid/util/fw_avltree.c,
      src/dynamic-preprocessors/appid/util/fw_avltree.h,
      src/dynamic-preprocessors/appid/util/ip_funcs.h,
      src/dynamic-preprocessors/appid/util/mpse.c,
      src/dynamic-preprocessors/appid/util/mpse.h,
      src/dynamic-preprocessors/appid/util/sf_error.h,
      src/dynamic-preprocessors/appid/util/sf_mlmp.c,
      src/dynamic-preprocessors/appid/util/sf_mlmp.h,
      src/dynamic-preprocessors/appid/util/sf_multi_mpse.c,
      src/dynamic-preprocessors/appid/util/sf_multi_mpse.h,
      src/dynamic-preprocessors/appid/util/sfghash.c,
      src/dynamic-preprocessors/appid/util/sfghash.h,
      src/dynamic-preprocessors/appid/util/sfhashfcn.c,
      src/dynamic-preprocessors/appid/util/sfhashfcn.h,
      src/dynamic-preprocessors/appid/util/sfksearch.c,
      src/dynamic-preprocessors/appid/util/sfksearch.h,
      src/dynamic-preprocessors/appid/util/sflsq.c,
      src/dynamic-preprocessors/appid/util/sflsq.h,
      src/dynamic-preprocessors/appid/util/sfmemcap.c,
      src/dynamic-preprocessors/appid/util/sfmemcap.h,
      src/dynamic-preprocessors/appid/util/sfutil.c,
      src/dynamic-preprocessors/appid/util/sfutil.h,
      src/dynamic-preprocessors/appid/util/sfxhash.c,
      src/dynamic-preprocessors/appid/util/sfxhash.h,
      src/dynamic-preprocessors/file/file_agent.c,
      src/dynamic-preprocessors/imap/spp_imap.c,
      src/event.h,
      src/event_wrapper.c,
      src/file-process/file_service.c,
      src/file-process/file_stats.c,
      src/file-process/file_stats.h,
      src/log.c,
      src/log.h,
      src/output-plugins/spo_alert_unixsock.c,
      src/output-plugins/spo_unified2.c,
      src/plugbase.c,
      src/plugin_enum.h,
      src/ppm.c,
      src/preprocessors/HttpInspect/client/hi_client.c,
      src/preprocessors/HttpInspect/include/hi_client.h,
      src/preprocessors/HttpInspect/include/hi_ui_config.h,
      src/preprocessors/HttpInspect/include/hi_util.h,
      src/preprocessors/HttpInspect/server/hi_server.c,
      src/preprocessors/perf-base.c,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/spp_httpinspect.c,
      src/preprocessors/spp_sfportscan.c,
      src/preprocessors/spp_stream5.c,
      src/preprocessors/str_search.c,
      src/preprocessors/str_search.h,
      src/preprocessors/stream_api.h,
      src/preprocids.h,
      src/rule_option_types.h,
      src/sf_protocols.h,
      src/sfutil/Makefile.am,
      src/sfutil/Unified2_common.h,
      src/sfutil/acsmx.c,
      src/sfutil/acsmx2.c,
      src/sfutil/bnfa_search.c,
      src/sfutil/mpse.c,
      src/sfutil/mpse.h,
      src/sfutil/mpse_methods.h,
      src/sfutil/sfPolicy.h,
      src/sfutil/sf_ip.h,
      src/sfutil/sfdebug.h,
      src/sfutil/sfghash.c,
      src/sfutil/sfghash.h,
      src/sfutil/sfhashfcn.c,
      src/sfutil/sfksearch.c,
      src/sfutil/sflsq.c,
      src/sfutil/sflsq.h,
      src/sfutil/sfmemcap.c,
      src/sfutil/sfrt.h,
      src/sfutil/sfxhash.c,
      src/sfutil/sfxhash.h,
      src/signature.h,
      src/snort.c,
      src/snort.h,
      src/snort_debug.h,
      src/tag.c,
      src/target-based/sftarget_protocol_reference.c,
      src/target-based/sftarget_protocol_reference.h,
      src/util.c,
      tools/Makefile.am,
      tools/file_server/file_server.c,
      tools/u2openappid/Makefile.am,
      tools/u2openappid/u2openappid.c,
      tools/u2spewfoo/u2spewfoo.c
      tools/u2spewfoo/u2spewfoo.c,
      tools/u2streamer/Makefile.am,
      tools/u2streamer/SpoolFileIterator.c,
      tools/u2streamer/SpoolFileIterator.h,
      tools/u2streamer/TimestampedFile.c,
      tools/u2streamer/TimestampedFile.h,
      tools/u2streamer/Unified2.c,
      tools/u2streamer/Unified2.h,
      tools/u2streamer/Unified2File.c,
      tools/u2streamer/Unified2File.h,
      tools/u2streamer/UnifiedLog.c,
      tools/u2streamer/UnifiedLog.h,
      tools/u2streamer/sf_error.c,
      tools/u2streamer/sf_error.h,
      src/dynamic-preprocessors/appid/util/common_util.c,
      tools/u2streamer/u2streamer.c:
      Improved support for AppID preprocessor.
      Removed Lua dependency in favor of LuaJIT.
      Fixed appid with Lua/LuaBitOp (no LuaJIT), support FreeBSD
      Fixed OpenBSD, FreeBSD openAppId support, Removed support for Lua
      Added metadata extraction to SSL for AppID. Changed some Lua API names.
      Refactored to use common data structures.
      Fixed return value checks for fseek(), strdup, malloc(), and stat()
      and removed deprecated library calls (Thanks to Bill Parker for
      reporting the issues).

2014-02-21 Steven Sturges <ssturges@sourcefire.com>
	* configure.in, src/detect.c, src/event.h, src/event_wrapper.c,
	  src/log.c, src/log.h, src/plugbase.c, src/plugin_enum.h,
	  src/ppm.c, src/preprocids.h, src/rule_option_types.h,
	  src/sf_protocols.h, src/signature.h, src/snort.c, src/snort.h,
	  src/snort_debug.h, src/tag.c, src/detection-plugins/Makefile.am,
	  src/detection-plugins/detection_options.c,
	  src/dynamic-plugins/sf_dynamic_common.h,
	  src/dynamic-plugins/sf_dynamic_define.h,
	  src/dynamic-plugins/sf_dynamic_meta.h,
	  src/dynamic-plugins/sf_dynamic_plugins.c,
	  src/dynamic-plugins/sf_dynamic_preprocessor.h,
	  src/dynamic-plugins/sf_engine/Makefile.am,
	  src/dynamic-plugins/sf_engine/sf_snort_packet.h,
	  src/dynamic-preprocessors/Makefile.am,
	  src/output-plugins/spo_alert_unixsock.c,
	  src/output-plugins/spo_unified2.c,
	  src/preprocessors/snort_httpinspect.c,
	  src/preprocessors/spp_httpinspect.c,
	  src/preprocessors/spp_sfportscan.c,
	  src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
	  src/preprocessors/HttpInspect/client/hi_client.c,
	  src/preprocessors/HttpInspect/include/hi_client.h,
	  src/preprocessors/HttpInspect/include/hi_ui_config.h,
	  src/preprocessors/HttpInspect/include/hi_util.h,
	  src/preprocessors/HttpInspect/server/hi_server.c,
	  src/preprocessors/Stream5/stream5_common.h,
	  src/sfutil/Unified2_common.h, src/sfutil/sfPolicy.h,
	  src/sfutil/sf_ip.h, src/sfutil/sfrt.h,
	  src/target-based/sftarget_protocol_reference.c,
	  src/target-based/sftarget_protocol_reference.h,
	  tools/Makefile.am, tools/u2spewfoo/u2spewfoo.c,
	  tools/: Makefile.am, u2spewfoo/u2spewfoo.c,
	  u2openappid/Makefile.am, u2openappid/u2openappid.c,
	  u2streamer/Makefile.am, u2streamer/SpoolFileIterator.c,
	  u2streamer/SpoolFileIterator.h, u2streamer/TimestampedFile.c,
	  u2streamer/TimestampedFile.h, u2streamer/Unified2.c,
	  u2streamer/Unified2.h, u2streamer/Unified2File.c,
	  u2streamer/Unified2File.h, u2streamer/UnifiedLog.c,
	  u2streamer/UnifiedLog.h, u2streamer/sf_error.c,
	  u2streamer/sf_error.h, u2streamer/u2streamer.c,
	  src/dynamic-preprocessors/appid/: Makefile.am, appId.h,
	  appIdConfig.c, appIdConfig.h, appIdStats.c, appIdStats.h,
	  appInfoTable.c, appInfoTable.h, attribute.h, commonAppMatcher.c,
	  commonAppMatcher.h, diffScript.sh, doxy_api.c, flow.c, flow.h,
	  flow_error.h, fw_appid.c, fw_appid.h, hostPortAppCache.c,
	  hostPortAppCache.h, host_tracker.h, httpCommon.h,
	  luaDetectorApi.c, luaDetectorApi.h, luaDetectorFlowApi.c,
	  luaDetectorFlowApi.h, luaDetectorModule.c, luaDetectorModule.h,
	  rna_flow.h, service_state.c, service_state.h, spp_appid.c,
	  spp_appid.h, detector_plugins/Makefile.am,
	  detector_plugins/detector_api.h,
	  detector_plugins/detector_base.c,
	  detector_plugins/detector_base.h,
	  detector_plugins/detector_imap.c,
	  detector_plugins/detector_kerberos.c,
	  detector_plugins/detector_pop3.c,
	  detector_plugins/detector_http.c,
	  detector_plugins/detector_http.h,
	  detector_plugins/http_url_patterns.c,
	  detector_plugins/http_url_patterns.h,
	  util/Makefile.am, util/OutputFile.c, util/OutputFile.h,
	  util/acsmx.c, util/acsmx.h, util/acsmx2.c, util/acsmx2.h,
	  util/bnfa_search.c, util/bnfa_search.h, util/common_util.h,
	  util/fw_avltree.c, util/fw_avltree.h, util/ip_funcs.h,
	  util/mpse.c, util/mpse.h, util/sf_error.h, util/sf_mlmp.c,
	  util/sf_mlmp.h, util/sf_multi_mpse.c, util/sf_multi_mpse.h,
	  util/sfghash.c, util/sfghash.h, util/sfhashfcn.c,
	  util/sfhashfcn.h, util/sfksearch.c, util/sfksearch.h,
	  util/sflsq.c, util/sflsq.h, util/sfmemcap.c, util/sfmemcap.h,
	  util/sfutil.c, util/sfutil.h, util/sfxhash.c, util/sfxhash.h,
	  client_plugins/Makefile.am, client_plugins/client_app_aim.c,
	  client_plugins/client_app_aim.h, client_plugins/client_app_api.h,
	  client_plugins/client_app_base.c,
	  client_plugins/client_app_base.h,
	  client_plugins/client_app_bit.c,
	  client_plugins/client_app_bit_tracker.c,
	  client_plugins/client_app_msn.c, client_plugins/client_app_msn.h,
	  client_plugins/client_app_rtp.c, client_plugins/client_app_sip.c,
	  client_plugins/client_app_sip.h,
	  client_plugins/client_app_smtp.c,
	  client_plugins/client_app_smtp.h,
	  client_plugins/client_app_ssh.c,
	  client_plugins/client_app_template.c,
	  client_plugins/client_app_timbuktu.c,
	  client_plugins/client_app_tns.c, client_plugins/client_app_vnc.c,
	  client_plugins/client_app_ym.c, client_plugins/client_app_ym.h,
	  service_plugins/Makefile.am, service_plugins/dcerpc.c,
	  service_plugins/dcerpc.h, service_plugins/service_MDNS.c,
	  service_plugins/service_MDNS.h, service_plugins/service_api.h,
	  service_plugins/service_base.c, service_plugins/service_base.h,
	  service_plugins/service_battle_field.c,
	  service_plugins/service_battle_field.h,
	  service_plugins/service_bgp.c, service_plugins/service_bgp.h,
	  service_plugins/service_bit.c, service_plugins/service_bootp.c,
	  service_plugins/service_bootp.h,
	  service_plugins/service_dcerpc.c,
	  service_plugins/service_dcerpc.h,
	  service_plugins/service_direct_connect.c,
	  service_plugins/service_direct_connect.h,
	  service_plugins/service_dns.c, service_plugins/service_dns.h,
	  service_plugins/service_flap.c, service_plugins/service_flap.h,
	  service_plugins/service_ftp.c, service_plugins/service_ftp.h,
	  service_plugins/service_irc.c, service_plugins/service_irc.h,
	  service_plugins/service_lpr.c, service_plugins/service_lpr.h,
	  service_plugins/service_mysql.c, service_plugins/service_mysql.h,
	  service_plugins/service_netbios.c,
	  service_plugins/service_netbios.h,
	  service_plugins/service_nntp.c, service_plugins/service_nntp.h,
	  service_plugins/service_ntp.c, service_plugins/service_ntp.h,
	  service_plugins/service_pattern.c,
	  service_plugins/service_pattern.h,
	  service_plugins/service_radius.c,
	  service_plugins/service_radius.h,
	  service_plugins/service_rexec.c, service_plugins/service_rexec.h,
	  service_plugins/service_rfb.c, service_plugins/service_rfb.h,
	  service_plugins/service_rlogin.c,
	  service_plugins/service_rlogin.h, service_plugins/service_rpc.c,
	  service_plugins/service_rpc.h, service_plugins/service_rshell.c,
	  service_plugins/service_rshell.h,
	  service_plugins/service_rsync.c, service_plugins/service_rsync.h,
	  service_plugins/service_sip.c, service_plugins/service_sip.h,
	  service_plugins/service_smtp.c, service_plugins/service_smtp.h,
	  service_plugins/service_snmp.c, service_plugins/service_snmp.h,
	  service_plugins/service_ssh.c, service_plugins/service_ssh.h,
	  service_plugins/service_ssl.c, service_plugins/service_ssl.h,
	  service_plugins/service_telnet.c,
	  service_plugins/service_telnet.h,
	  service_plugins/service_template.c,
	  service_plugins/service_tftp.c, service_plugins/service_tftp.h,
	  service_plugins/service_timbuktu.c,
	  service_plugins/service_tns.c, service_plugins/service_util.h,
	  src/detection-plugins/: sp_appid.c, sp_appid.h,
	  doc/README.appid:
	  New Open App ID feature to identify application protocol, client,
	  server, and web application and be able to leverage that within
	  Snort rules.

2014-02-19 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.pdf, doc/snort_manual.tex, src/active.c,
      src/active.h, src/encode.h, src/detection-plugins/sp_react.c:
      Added Active_SendBigData to active.c for sending multi-packet react
      pages. Modified react.c to use Active_SendBigData to allow payload
      that spans a single TCP packet (1500+ bytes).

    * src/: preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/stream5_paf.c,
      preprocessors/Stream5/stream5_paf.h,
      dynamic-preprocessors/pop/Makefile.am,
      dynamic-preprocessors/pop/pop_config.c,
      dynamic-preprocessors/pop/pop_config.h,
      dynamic-preprocessors/pop/pop_log.c,
      dynamic-preprocessors/pop/pop_log.h,
      dynamic-preprocessors/pop/pop_paf.c,
      dynamic-preprocessors/pop/pop_paf.h,
      dynamic-preprocessors/pop/pop_util.c,
      dynamic-preprocessors/pop/sf_pop.dsp,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/pop/snort_pop.h,
      dynamic-preprocessors/pop/spp_pop.c,
      dynamic-preprocessors/smtp/Makefile.am,
      dynamic-preprocessors/smtp/sf_smtp.dsp,
      dynamic-preprocessors/smtp/smtp_config.c,
      dynamic-preprocessors/smtp/smtp_config.h,
      dynamic-preprocessors/smtp/smtp_log.c,
      dynamic-preprocessors/smtp/smtp_log.h,
      dynamic-preprocessors/smtp/smtp_paf.c,
      dynamic-preprocessors/smtp/smtp_paf.h,
      dynamic-preprocessors/smtp/smtp_util.c,
      dynamic-preprocessors/smtp/smtp_util.h,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/smtp/snort_smtp.h,
      dynamic-preprocessors/smtp/spp_smtp.c, file-process/Makefile.am,
      file-process/file_api.h, file-process/file_mail_common.h,
      file-process/file_mime_config.c, file-process/file_mime_config.h,
      file-process/file_mime_process.c,
      file-process/file_mime_process.h, file-process/file_service.c,
      dynamic-preprocessors/imap/Makefile.am,
      dynamic-preprocessors/imap/imap_config.c,
      dynamic-preprocessors/imap/imap_config.h,
      dynamic-preprocessors/imap/imap_log.c,
      dynamic-preprocessors/imap/imap_log.h,
      dynamic-preprocessors/imap/imap_paf.c,
      dynamic-preprocessors/imap/imap_paf.h,
      dynamic-preprocessors/imap/imap_util.c,
      dynamic-preprocessors/imap/sf_imap.dsp,
      dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/imap/snort_imap.h,
      dynamic-preprocessors/imap/spp_imap.c,
      preprocessors/snort_httpinspect.c, preprocessors/stream_api.h,
      preprocessors/HttpInspect/include/hi_ui_config.h,
      sfutil/sf_email_attach_decode.h,
      dynamic-preprocessors/Makefile.am,
      dynamic-preprocessors/file/file_agent.c: 
      add paf support to smtp/impa/pop protocols.

    * src/dynamic-preprocessors/ssh/spp_ssh.c: 
      count the max_client_bytes once the session is encrypted. Fix the
      ProcessSSHKeyExchange to parse server new keys

    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c: 
      Fix ftp-data perfstats profiling.  

    * configure.in, src/decode.h, src/sfdaq.c, src/sfdaq.h,
      src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
      src/dynamic-preprocessors/sip/sip_dialog.c,
      src/dynamic-preprocessors/ssh/spp_ssh.c,
      src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
      src/preprocessors/stream_expect.c,
      src/preprocessors/stream_expect.h: 
      Add ability to specify details about dynamic protocols/data channels
      via DAQ.

    * src/preprocessors/Stream5/snort_stream5_tcp.c: 
      Checked for existence of policy_id parameter on Stream5 TCP policy.  

    * src/preprocessors/perf-base.c: 
      Ensure pkt_stats cannot go below zero 
      
    * etc/sf_rule_options, src/Makefile.am, src/fpcreate.c,
      src/parser.c, src/parser.h, src/snort.c, src/snort.h,
      src/detection-plugins/sp_pattern_match.c,
      src/detection-plugins/sp_pattern_match.h,
      src/dynamic-plugins/sf_convert_dynamic.c,
      src/dynamic-plugins/sf_dynamic_define.h,
      src/dynamic-plugins/sf_dynamic_meta.h,
      src/dynamic-plugins/sf_engine/Makefile.am,
      src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
      src/sfutil/Makefile.am, src/hashstring.c, src/hashstring.h,
      sfutil/sf_sechash.c, sfutil/sf_sechash.h,
      src/file-process/file_capture.c,
      src/file-process/file_resume_block.c,
      src/file-process/libs/Makefile.am,
      src/file-process/libs/file_lib.c, src/sfutil/Makefile.am,
      src/sfutil/md5.c, src/sfutil/md5.h, src/sfutil/sf_sechash.c,
      src/sfutil/sf_sechash.h, src/sfutil/sha2.c, src/sfutil/sha2.h,
      src/win32/WIN32-Prj/snort.dsp, configure.in, 
      doc/snort_manual.pdf, doc/snort_manual.tex: 
      Protected Rule Content feature.  Updating the minor revision number for
      the engine API for share library rules.  Augmented the logic in configure.in
      to force the -lcrypto library to be included in the link.  Added
      implementations of SHA2 and MD5 algorithms to Snort to allow use with older
      versions of OpenSSL.

    * doc/: snort_manual.pdf, snort_manual.tex: 
      Modified descriptions of urilen, dsize, and flags rule options.  

    * doc/snort_manual.pdf, doc/snort_manual.tex,
      src/sfutil/sfPolicy.c: 
      Added check in binding mappings to prevent Snort from loading binding
      policy_ids > 4095, having it reject the configuration on load. Updated
      documentation to include config binding policy_id.  

    * src/preprocessors/spp_stream5.c: 
      New minimum max_tcp sessions is now 2.

    * src/: dynamic-preprocessors/ftptelnet/pp_ftp.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      preprocessors/spp_stream5.c, preprocessors/stream_api.h,
      preprocessors/stream_expect.c, preprocessors/stream_expect.h:
      Change preprocessor order for when FTP data is handled.
      
    * src/: dynamic-examples/dynamic-preprocessor/Makefile.am,
      dynamic-plugins/sf_engine/Makefile.am,
      dynamic-preprocessors/dcerpc2/Makefile.am,
      dynamic-preprocessors/dnp3/Makefile.am,
      dynamic-preprocessors/dns/Makefile.am,
      dynamic-preprocessors/file/Makefile.am,
      dynamic-preprocessors/ftptelnet/Makefile.am,
      dynamic-preprocessors/gtp/Makefile.am,
      dynamic-preprocessors/imap/Makefile.am,
      dynamic-preprocessors/modbus/Makefile.am,
      dynamic-preprocessors/pop/Makefile.am,
      dynamic-preprocessors/reputation/Makefile.am,
      dynamic-preprocessors/rzb_saac/Makefile.am,
      dynamic-preprocessors/sdf/Makefile.am,
      dynamic-preprocessors/sip/Makefile.am,
      dynamic-preprocessors/smtp/Makefile.am,
      dynamic-preprocessors/ssh/Makefile.am,
      dynamic-preprocessors/ssl/Makefile.am: 
      Install libraries into user defined libdir.  Thanks to cjgd7-facebook
	  for reporting the issue.

    * src/: detection-plugins/detection_options.c,
      detection-plugins/sp_pattern_match.c,
      detection-plugins/sp_pattern_match.h,
      dynamic-plugins/sf_convert_dynamic.c: 
      Update 'within' rule limits to handle extraction of a 0
      via byte_extract.

    * src/detection-plugins/: sp_byte_check.c, sp_byte_extract.h,
      sp_byte_jump.c, sp_isdataat.c, sp_pattern_match.c: 
      Modified error outputs to include the specific offending rule option.  

2013-12-30 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.6.0
	* src/build.h:
	  updating build number to 47

	* doc/README.file, doc/README.file_ips,
	  etc/file_magic.conf, etc/Makefile.am:
	  Added file_magic.conf and fixed a few typos.  Thanks to Joshua Kinard for
	  pointing them out.

	* doc/snort_manual.tex: 
      Update snort team members 

	* src/detection-plugins/sp_file_type.h,
	  src/dynamic-preprocessors/libs/sf_preproc_info.h, 
	  tools/file_server/file_server.c: 
      Clean up copyright and attribution.  
 
	* src/dynamic-preprocessors/sdf/spp_sdf.c: 
      Fix seconndary check for reassembled packets.  

	* doc/: README.GTP, README.PerfProfiling, README.dcerpc2,
	  README.file, README.frag3, README.ftptelnet, README.http_inspect,
	  README.imap, README.multipleconfigs, README.normalize,
	  README.pop, README.reload, README.reputation, README.rpc_decode,
	  README.sfportscan, README.sip, README.unified2, USAGE, WISHLIST,
	  snort_manual.pdf, snort_manual.tex, README.SMTP, README.counts, 
	  README.asn1, README.active, README, NEWS, INSTALL: 
	  Corrected typos in documentation.  Thanks to Mahendra Ladhe for
	  pointing out the mistakes and providing a patch.  

	* src/: file-process/file_capture.c,
	  file-process/file_mime_process.c,
	  dynamic-preprocessors/imap/snort_imap.c,
	  dynamic-preprocessors/smtp/snort_smtp.c,
	  dynamic-preprocessors/file/file_inspect_config.c,
	  dynamic-preprocessors/pop/snort_pop.c,
	  sfutil/sf_email_attach_decode.h: 
      Enable detetion on all file data 

	* src/sfutil/: sfxhash.c, sfxhash.h: 
	  Fix alignment of sfxhash node on sparc. Thanks to Markus Lude.

	* src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c: 
 	  Identify EOF on single segment PDU transimssions.
	  
	* src/dynamic-preprocessors/dcerpc2/dce2_memory.c: 
 	  Avoid checking memcap for DCE/RPC configuration data.

	* src/preprocessors/Stream5/snort_stream5_tcp.c: 
 	  Tweak retransmit handling to ensure full right overlap condition holds 

2013-11-22 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.6.0.rc

    * src/build.h: updating build number to 43

    * configure.in, doc/README.ha, doc/snort_manual.pdf,
      doc/snort_manual.tex, doc/Makefile.am: 
      Add Stream5 HA documentation and mark --enable-ha and
      --enable-side-channel as experimental.

    * rpm/snort.spec: 
      Install snort_control, u2boat, u2spewfoo from spec file.
      Thanks to Bradley Turnbough for mentioning it.

    * src/preprocessors/Stream5/snort_stream5_tcp.c: 
      using sequence number overlapping to trigger retransmission
	  handler.  This fixed issue on file blocking.  

    * src/dynamic-preprocessors/: pop/pop_log.c, smtp/smtp_log.c,
      imap/imap_log.c: 
 	  avoid mail decoding prepocessor alerts when they not enabled
	  in config.

    * doc/snort_manual.tex,
      src/: active.c, active.h, decode.c, detect.c, fpdetect.c,
      detection-plugins/sp_react.c,
      dynamic-plugins/sf_dynamic_plugins.c,
      file-process/file_resume_block.c, file-process/file_service.c,
      output-plugins/spo_alert_fast.c, output-plugins/spo_unified2.c,
      preprocessors/spp_bo.c, preprocessors/spp_frag3.c,
      preprocessors/Stream5/snort_stream5_ip.c,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/snort_stream5_udp.c: 
 	  alerts get wdrop when active is suspended; code for cdrop is ready
	  but disabled 

    * src/: file-process/file_api.h, file-process/file_resume_block.c,
      file-process/file_service.c, file-process/libs/file_lib.h,
      dynamic-preprocessors/file/file_agent.c: 
  	  Add file id to file API callbacks to support multiple file contexts.  

    * preproc_rules/decoder.rules, src/decode.c, src/generators.h: 
 	  Validate authentication headers. New decoder rules (116:465 and 116:466).
    
	* doc/snort_manual.pdf, doc/snort_manual.tex,
      src/detection-plugins/sp_icmp_code_check.c: 
 	  Added data validation checks to the icode rule option. The parser
	  phase will now throw fatal errors for illegal values.  
      Update manual to reflect the additional data validation.

    * src/preprocessors/Stream5/: snort_stream5_ip.c,
      snort_stream5_udp.c: 
 	  Force block for block rule in inline test mode.  

    * src/: dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      preprocessors/stream_api.h,
      preprocessors/Stream5/snort_stream5_tcp.c: 
 	  Don't put gaps in reassembled packets 

    * src/: preprocessors/Stream5/snort_stream5_session.c,
      side-channel/sidechannel.c: 
 	  The global list in the session cache is ordered from MRU (head) to
	  LRU (tail), so correctly walk backward rather than forward from the
	  LRU looking for sessions to time out.  Clean up compiler warning in
	  Side Channel.  

    * src/file-process/: libs/file_lib.c, file_api.h, file_capture.c,
      file_service.c, file_service.h: 
      Add multiple file contexts support for file API.  

    * src/: dynamic-preprocessors/ftptelnet/ftpp_si.c,
      dynamic-preprocessors/ftptelnet/ftpp_si.h,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
      preprocessors/Stream5/snort_stream5_tcp.c: 
 	  Add EndOfFile stream event callback. Remove EOF logic from
	  FTP/Preprocessor in lieu of new callback.

    * src/: file-process/file_service.c,
      file-process/file_service_config.c,
      file-process/file_service_config.h, snort.c: 
      make sure file configuration is initialized during reload.  

2013-10-18 Hui Cao <hcao@sourcefire.com>
Snort 2.9.6.0.beta
    * doc/: Makefile.am, README.file, README.file_ips: 
 	  Add readme for experimental file type ips rule keywords.

    * src/detection-plugins/sp_icmp_code_check.c:
      Allow a negative value in the ICMP icode x<>y range check.  This
      permits the rule to include a check for zero

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Disable detection when the TCP connection was already closed.

    * src/: dynamic-preprocessors/ftptelnet/ftpp_si.h,
      dynamic-preprocessors/ftptelnet/pp_ftp.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      file-process/file_api.h:
      Fix FTP-Data file processing.

    * src/snort_bounds.h:
      Avoid assertion for zero size memory copy

    * src/: dynamic-plugins/sf_dynamic_plugins.c,
      detection-plugins/sp_react.c:
      Only inject response page when session is established.

    * src/dynamic-preprocessors/smtp/smtp_log.h,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/smtp/snort_smtp.h,
      preproc_rules/preprocessor.rules, etc/gen-msg.map:
      Add a new preprocessor alert to detect Cyrus SASL authentication
      attack.

    * src/dynamic-preprocessors/ssh/spp_ssh.c:
      Set_reassembly to ABSOLUTE only if the traffic is SSH.
      Statefully process ssh version/ssh key exchange
      init/key exchange and/or encrypted data within a single
      reassembled packet. Thanks to Florian Westphal for reporting this.

    * src/file-process/file_mime_process.c:
      For IMAP, the MIME and message will be inside fetch
      body, which will be end at ")".

    * src/: dynamic-preprocessors/dns/spp_dns.c,
      dynamic-preprocessors/ssh/spp_ssh.c,
      Change preprocessor reassembly policy; Changed SSH preprocessor state
      transition based on the dir rather than both.

    * src/: preprocessors/Stream5/snort_stream5_tcp.c:
      Ignore the gap when turning on reassembly dynamically on the very
      first packet of the session.

    * src/dynamic-preprocessors/dnp3/spp_dnp3.c:
      Fix the incorrect mempool warnings. Thanks to Bram for reporting this

    * doc/snort_manual.pdf, doc/snort_manual.tex, configure.in,
      src/snort.c, src/util.c:
      Trim freed memory before and after configuration reload.

    * src/: dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      file-process/file_mime_process.c,
      sfutil/sf_email_attach_decode.c:
      Allow 7bit decoding of binary file attachments.
 
    * src/dynamic-preprocessors/sdf/: spp_sdf.c, spp_sdf.h:
      Avoid partial rule tree match during reload.

    * src/tag.c:
      Fix boundary check error so that the global tagged packet limit
      doesn't allow an extra tag.

    * src/: file-process/file_mime_process.h, file-process/file_api.h,
      file-process/file_mime_process.c, file-process/file_service.c,
      dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/imap/spp_imap.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/pop/spp_pop.c:
      Add simple PAF support for POP and IMAP.

    * src/: util.c, util.h, sfutil/sf_ip.c, sfutil/sf_ip.h: Bugs
      Add sfip_convert_ip_text_to_binary() to enforce platform agnostic
      IPv4 syntax. Make sure xatou(), xatol(), and xatoup() return values
      within specified range
 
    * doc/snort_manual.tex:
      Update the document to include the '<=' and '>=' operators to
      the byte_test command

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Make sure INTERNAL_EVENT_SESSION_ADD event only in the
      ESTABLISHED state.

    * src/sfutil/sf_email_attach_decode.c:
      Check the QP encoding string is valid to avoid decoding end of line
      incorrectly.

    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Tweak config output to correspond to config input.
      Thanks to Reinoud Koornstra for the suggestion.

    * src/preprocessors/Stream5/: snort_stream5_icmp.c,
      snort_stream5_ip.c, snort_stream5_tcp.c, snort_stream5_udp.c:
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/ssl/spp_ssl.c,
      encode.c, dynamic-preprocessors/dcerpc2/dce2_cl.c,
      dynamic-preprocessors/dcerpc2/dce2_session.h,
      dynamic-preprocessors/dcerpc2/snort_dce2.c,
      dynamic-preprocessors/dns/spp_dns.c,
      dynamic-preprocessors/imap/snort_imap.c:
      preprocessors/spp_rpc_decode.c, preprocessors/spp_stream5.c,
      preprocessors/stream_api.h, preprocessors/stream_expect.c:
      Handle out of order SSL handshake in SMTP.
      Thanks to Bram for the reporting this.

    * src/preprocessors/perf-base.c:
      Update the header printed at top of now file.

    * src/preprocessors/perf-base.c:
      Change name of stat from Blocked Packets to Block Verdicts.

    * src/preprocessors/Stream5/snort_stream5_session.c:
      Timeout a session when session timeout reaches instead of waiting for
      session nominal timeout.

    * configure.in, src/plugbase.c, src/rule_option_types.h,
      src/snort.c, src/detection-plugins/Makefile.am,
      src/detection-plugins/: sp_file_type.c, sp_file_type.h,
      src/detection-plugins/detection_options.c,
      src/dynamic-preprocessors/Makefile.am,
      src/file-process/Makefile.am, src/file-process/file_api.h,
      src/file-process/file_service.c,
      src/file-process/file_service_config.c,
      src/file-process/file_service_config.h,
      src/file-process/libs/Makefile.am,
      src/file-process/libs/file_config.c,
      src/file-process/libs/file_config.h,
      src/file-process/libs/file_lib.c,
      src/file-process/libs/file_lib.h,
      src/preprocessors/spp_stream5.c, tools/Makefile.am,
      doc/: README.file, README.file_ips, Makefile.am:
      File inspection keywords for IPS rules.

    * src/dynamic-preprocessors/sdf/: sdf_pattern_match.c,
      sdf_pattern_match.h, spp_sdf.c, spp_sdf.h:
      Add stateful pattern match of sdf patterns across packets.

    * mkinstalldirs, doc/snort_manual.tex, src/detect.c,
      src/detection_util.h, src/fpdetect.c, src/parser.c, src/tag.c,
      src/tag.h, src/target-based/sf_attribute_table.y,
      tools/u2spewfoo/u2spewfoo.c:
      Support single session capture via tag rule option.
      Log all packets to the same place as original alert. 
      Enable tagging on pass rules.

    * src/: dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/imap/snort_imap.h,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/pop/snort_pop.h,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/smtp/snort_smtp.h, file-process/file_api.h,
      file-process/file_mime_process.c, preprocessors/str_search.c,
      preprocessors/str_search.h, sfutil/bnfa_search.c:
      Add Stateful mime boundary search when split between packets.
 
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Change the uri search to start from method end instead of the start
      of payload.

    * configure.in, doc/README.file, doc/snort_manual.pdf,
      src/parser.c, src/preprocids.h, src/snort.c, src/util.c,
      src/detection-plugins/.cvsignore,
      src/dynamic-examples/Makefile.am,
      src/dynamic-plugins/sf_engine/.cvsignore,
      src/dynamic-preprocessors/Makefile.am,
      src/dynamic-preprocessors/file/Makefile.am,
      src/dynamic-preprocessors/file/file_agent.c,
      src/dynamic-preprocessors/file/file_agent.h,
      src/dynamic-preprocessors/file/file_event_log.c,
      src/dynamic-preprocessors/file/file_event_log.h,
      src/dynamic-preprocessors/file/file_inspect_config.c,
      src/dynamic-preprocessors/file/file_inspect_config.h,
      src/dynamic-preprocessors/file/file_sha.c,
      src/dynamic-preprocessors/file/file_sha.h,
      src/dynamic-preprocessors/file/sf_file.dsp,
      src/dynamic-preprocessors/file/spp_file.c,
      src/dynamic-preprocessors/file/spp_file.h,
      src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
      src/file-process/Makefile.am, src/file-process/circular_buffer.c,
      src/file-process/circular_buffer.h, src/file-process/file_api.h,
      src/file-process/file_capture.c, src/file-process/file_capture.h,
      src/file-process/file_mempool.c, src/file-process/file_mempool.h,
      src/file-process/file_resume_block.c,
      src/file-process/file_service.c, src/file-process/file_service.h,
      src/file-process/file_service_config.c,
      src/file-process/file_service_config.h,
      src/file-process/file_stats.c, src/file-process/file_stats.h,
      src/file-process/libs/file_config.c,
      src/file-process/libs/file_config.h,
      src/file-process/libs/file_identifier.c,
      src/file-process/libs/file_identifier.h,
      src/file-process/libs/file_lib.c,
      src/file-process/libs/file_lib.h,
      src/file-process/libs/file_sha256.h, tools/Makefile.am,
      tools/file_server/Makefile.am,
      tools/file_server/README.file_server,
      tools/file_server/file_server.c:
      Add file capture feature and introduce file inspect preprocessor

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Parse error if there are missing direction specifiers.
      Thanks to Bram Fabeg for the report.
 
    * src/ipv6_port.h:
      Remove duplicate macro for GET_ORIG_IPH_PROTO.

    * doc/: README.decode, README.gre, README.mpls, snort_manual.pdf,
      snort_manual.tex:
      Update manual and other docs related to tunneling.
      Thanks to Jason Poley for noting it.

    * src/parser.c:
      Not so silently skip duplicate service metadata.

    * src/: log.c, mempool.c, parser.c, snort.c, util.c,
      detection-plugins/sp_ip_tos_check.c,
      detection-plugins/sp_pattern_match.c,
      detection-plugins/sp_replace.c, detection-plugins/sp_session.c,
      detection-plugins/sp_tcp_win_check.c,
      dynamic-preprocessors/dns/spp_dns.c,
      dynamic-preprocessors/ftptelnet/pp_ftp.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/sdf/sdf_pattern_match.c,
      output-plugins/spo_log_ascii.c, output-plugins/spo_log_tcpdump.c,
      preprocessors/HttpInspect/utils/hi_paf.c,
      preprocessors/Stream5/snort_stream5_tcp.c:
      Replace obsolete bzero and index calls.  Credits to Bill Parker

    * src/dynamic-preprocessors/: smtp/snort_smtp.c, ssl/spp_ssl.c,
      libs/ssl.c, libs/ssl.h:
      Check for SSL type only when the SSL handshake is not complete.
      Don't check for type in SSL data.
      Thanks to Bram Fabeg for reporting this.

    * src/preprocessors/: HttpInspect/server/hi_server.c,
      HttpInspect/server/hi_server_norm.c, Stream5/snort_stream5_tcp.c:
      Only check charset bom once per response body;
      Only set charset once per charset=

    * src/profiler.c:
      Fix issue when reading pcaps from command line and using multiple
      policies and --pcap-reset.

    * src/detection-plugins/detection_options.c:
      Don't count RTN perf time in OTN perf time.
      Credits to Reinoud for reporting this.
 
    * doc/README.flowbits:
      Fix typo in flowbits isnotset examples

    * src/snort.c, src/snort.h, src/util.c, snort.8,
      doc/snort_manual.pdf, doc/snort_manual.tex:
      Add a command line switch --no-interface-pidfile to snort.
 
    * src/preprocessors/: spp_stream5.c, Stream5/stream5_common.h:
      Updated Stream's exit stats to use 'filtered' instead of dropped. 

    * src/: detection_util.h, dynamic-preprocessors/sip/spp_sip.c:
      Don't set sip/http buffers to null

    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
      Return mismatch if requested http buffer was not set

    * src/snort.c: Bugs Fixed:
      Capture packet data for sigabrt and sigbus

    * doc/README.dcerpc2, doc/snort_manual.pdf, doc/snort_manual.tex,
      etc/gen-msg.map, preproc_rules/preprocessor.rules, src/active.c,
      src/active.h, src/encode.c, src/encode.h, src/generators.h,
      src/dynamic-plugins/sf_dynamic_plugins.c,
      src/dynamic-plugins/sf_dynamic_preprocessor.h,
      src/dynamic-preprocessors/dcerpc2/dce2_co.c,
      src/dynamic-preprocessors/dcerpc2/dce2_config.c,
      src/dynamic-preprocessors/dcerpc2/dce2_config.h,
      src/dynamic-preprocessors/dcerpc2/dce2_event.c,
      src/dynamic-preprocessors/dcerpc2/dce2_event.h,
      src/dynamic-preprocessors/dcerpc2/dce2_memory.c,
      src/dynamic-preprocessors/dcerpc2/dce2_memory.h,
      src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
      src/dynamic-preprocessors/dcerpc2/dce2_smb.h,
      src/dynamic-preprocessors/dcerpc2/dce2_stats.h,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.h,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.h,
      src/dynamic-preprocessors/dcerpc2/includes/smb.h,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/file-process/file_api.h,
      src/file-process/file_mime_process.c,
      src/file-process/file_service.c,
      src/file-process/libs/file_identifier.c,
      src/file-process/libs/file_identifier.h,
      src/file-process/libs/file_lib.c,
      src/file-process/libs/file_lib.h,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c:
      Add SMB file support

2013-10-18 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.5.6
    * src/build.h:
      updating build number to 208

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      add NULL check for preprocessors that check for PAF before
      they check for any actual tcp session

    * src/detection-plugins/: sp_byte_check.c, sp_byte_jump.c,
      sp_isdataat.c, sp_pattern_match.c:
      Test if the byte extracted distance and/or offset is within
      bounds of the search buffer.  Thanks to Nathan Fowler for
      noting the issue.

    * src/preprocessors/HttpInspect/client/hi_client.c:
      clear cookie normalization buffer to avoid accidental null
      dereference in pipelined request.  Thanks to Michael Galapchuk
      for reporting the problem.

2013-09-02 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.5.5
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      disable all detection (not just content-base) for packets on previously
      blocked sessions

    * src/preprocessors/perf.c:
      Write perfmon entry when both packet count and time conditions are met,
      rather than waiting for a multiple of the packet count after the time is
      reached.

    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Stop inspection of the entire session when TLS data is present with
      ignore_tls_data enabled in SMTP - Check for midstream pickups and
      gaps when we miss server hello, and stop inspection as soon as we get
      client hello when ignore_tls_data is turned on

    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
      changed pcre relative match with HTTP buffers to be not allowed in .so
      rules (same as in text rules)

2013-07-03 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.5.3
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed handling of partial segment purging.  Thanks to Lode Mertens
      for reporting the issue.

    * configure.in, src/active.c, src/decode.c, src/decode.h,
      src/detect.c, src/detection_util.c, src/detection_util.h,
      src/encode.c, src/encode.h, src/fpcreate.c, src/fpdetect.c,
      src/log_text.c, src/parser.c, src/plugbase.c, src/ppm.c,
      src/ppm.h, src/profiler.c, src/snort.c, src/util.c, src/util.h,
      src/detection-plugins/detection_options.c,
      src/detection-plugins/sp_byte_check.c,
      src/detection-plugins/sp_ftpbounce.c,
      src/detection-plugins/sp_pattern_match.c,
      src/detection-plugins/sp_pattern_match.h,
      src/detection-plugins/sp_pcre.c, src/detection-plugins/sp_pcre.h,
      src/detection-plugins/sp_replace.c,
      src/detection-plugins/sp_rpc_check.c,
      src/detection-plugins/sp_urilen_check.c,
      src/dynamic-examples/dynamic-preprocessor/spp_example.c,
      src/dynamic-plugins/sf_convert_dynamic.c,
      src/dynamic-plugins/sf_dynamic_common.h,
      src/dynamic-plugins/sf_dynamic_define.h,
      src/dynamic-plugins/sf_dynamic_engine.h,
      src/dynamic-plugins/sf_dynamic_meta.h,
      src/dynamic-plugins/sf_dynamic_plugins.c,
      src/dynamic-plugins/sf_dynamic_preprocessor.h,
      src/dynamic-plugins/sp_dynamic.c,
      src/dynamic-plugins/sf_engine/Makefile.am,
      src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
      src/dynamic-plugins/sf_engine/examples/bug26266.c,
      src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
      src/dynamic-plugins/sf_engine/examples/fake_snort.c,
      src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.c,
      src/dynamic-preprocessors/dcerpc2/dce2_http.h,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
      src/dynamic-preprocessors/dnp3/spp_dnp3.c,
      src/dynamic-preprocessors/dns/spp_dns.c,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
      src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      src/dynamic-preprocessors/gtp/spp_gtp.c,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/imap/spp_imap.c,
      src/dynamic-preprocessors/isakmp/spp_isakmp.c,
      src/dynamic-preprocessors/modbus/spp_modbus.c,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/pop/spp_pop.c,
      src/dynamic-preprocessors/reputation/reputation_config.h,
      src/dynamic-preprocessors/reputation/spp_reputation.c,
      src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c,
      src/dynamic-preprocessors/sdf/spp_sdf.c,
      src/dynamic-preprocessors/sip/sip_dialog.c,
      src/dynamic-preprocessors/sip/sip_parser.c,
      src/dynamic-preprocessors/sip/spp_sip.c,
      src/dynamic-preprocessors/smtp/spp_smtp.c,
      src/dynamic-preprocessors/ssh/spp_ssh.c,
      src/dynamic-preprocessors/ssl/spp_ssl.c,
      src/file-process/file_service.c,
      src/file-process/libs/file_config.c,
      src/output-plugins/spo_unified2.c, src/preprocessors/portscan.c,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_bo.c,
      src/preprocessors/spp_frag3.c,
      src/preprocessors/spp_httpinspect.c,
      src/preprocessors/spp_perfmonitor.c,
      src/preprocessors/spp_rpc_decode.c,
      src/preprocessors/spp_sfportscan.c,
      src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
      src/preprocessors/HttpInspect/client/hi_client.c,
      src/preprocessors/HttpInspect/normalization/hi_norm.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c,
      src/preprocessors/Stream5/snort_stream5_udp.c,
      src/preprocessors/Stream5/stream5_common.h, src/sfutil/sf_iph.c,
      src/sfutil/sf_iph.h, src/sfutil/test/unit_hacks.c:
      Performance improvements and other refactorings. Notable changes
      include: improved HTTP buffer implementation and replaced run-time
      packet checks with assertions.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Ensure proper counting of sessions initializing.

    * doc/Makefile.am, doc/faq.pdf, doc/faq.tex:
      Remove Snort FAQ from source package since its now live on the web.

    * src/preprocessors/: spp_stream5.c, stream_expect.c,
      stream_expect.h:
      Add a memcap to expected session tracking.

    * src/sfutil/sfrt_flat.c:
      Check for memory allocation failure in both IPV4 and IPV6 tables.

    * src/control/sfcontrol.c:
      Do not timeout during shutdown and fix stop processing code in the
      control socket thread.  Add the thread to the list before creation
      of the thread to prevent a race condition.

2013-06-04 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.5
    * src/: snort.c, preprocessors/spp_stream5.c:
      when block rules fire during shutdown, log them as alert instead
      of drop

    * src/: active.c, active.h,
      preprocessors/Stream5/snort_stream5_session.c:
      don't allow blocks or actions from pruned sessions (unrelated to
      current packet)

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      don't generate 129:1 in syn-sent

    * src/preprocessors/Stream5/: snort_stream5_tcp.c,
      snort_stream5_udp.c, stream5_common.h:
      don't apply window or mss on midstream pickups
      remove unused flags
      eliminate read-mode check when determining window

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      don't reassemble on the tracked whitelisted flows
      fix sequence number validation on ack to zero window syn+ack
      fix timestamp tracking to use window base instead of next expected

    * src/preprocessors/spp_stream5.c:
      when stream5 disables inspection, ensure non-content rules are not run

    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
      When removing a pipe tracker, NULL out static request tracker's
      pipe tracker for pipe tracker that was dynamically allocated. 

    * src/file-process/libs/file_identifier.c:
      Update some comments and avoid adding the same file magic

    * src/preprocessors/: spp_stream5.c, stream_api.h,
      Stream5/snort_stream5_tcp.c:
      swap client/server on midstream pickup if we identify server by service
      using client port

    * src/file-process/libs/file_identifier.c:
      Remove the code that parent file type might overwrite child file type.

    * preproc_rules/preprocessor.rules, src/generators.h,
      src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
      src/preprocessors/HttpInspect/include/hi_eo_events.h,
      src/preprocessors/HttpInspect/utils/hi_paf.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c:
      HTTP PAF abort improvements

    * doc/: README.frag3, snort_manual.pdf, snort_manual.tex:
      Added config event_trace description to Snort manual.  Removed
      commas from Frag3 example configurations, thanks to Nicholas
      Horton for mentioning this.
 
    * src/: dynamic-preprocessors/reputation/reputation_config.c,
      sfutil/sfrt_flat.c, sfutil/sfrt_flat.h, sfutil/sfrt_flat_dir.c:
      Copy reputation info from another list when a duplicate address is
      inserted. 

    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix issue when SMTP BDAT command specifies 0 length.

    * src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c:
      Don't sort the manifest file.

    * src/: snort.h, util.c:
      Fix FatalError to actually exit when initializing in the failopen
      thread. 

    * src/dynamic-preprocessors/reputation/reputation_config.c:
      Update to use more accurate ip list file parsing and validation. 

    * src/: active.h, snort.c, dynamic-plugins/sf_dynamic_plugins.c,
      preprocessors/spp_stream5.c, preprocessors/stream_api.h,
      preprocessors/Stream5/snort_stream5_tcp.c:
      ensure that force blocks persist

    * src/dynamic-preprocessors/reputation/shmem/: shmem_config.c,
      shmem_config.h, shmem_datamgmt.c, shmem_datamgmt.h, shmem_mgmt.c:
      Refactor/cleanup of shared memory, data management logic. 

    * src/: dynamic-examples/dynamic-rule/detection_lib_meta.h,
      dynamic-plugins/sf_dynamic_meta.h,
      dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      preprocessors/spp_stream5.c, preprocessors/stream_api.h:
      Add a stream API function to populate a session key given a packet.
      Also, export REQ_ENGINE_LIB_MAJOR and REQ_ENGINE_LIB_MINOR from snort

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      allow stream5 to track whitelisted sessions

    * src/: snort.c, dynamic-preprocessors/dnp3/spp_dnp3.c,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/stream5_paf.c, sfutil/sfPolicy.c,
      sfutil/sfPolicy.h:
      disable config by vlan or net selection if -DPOLICY_BY_ID_ONLY

    * src/: snort.c, snort.h, dynamic-preprocessors/smtp/spp_smtp.c,
      preprocessors/Stream5/stream5_ha.c,
      preprocessors/Stream5/stream5_ha.h, win32/WIN32-Code/misc.c,
      win32/WIN32-Includes/config.h, win32/WIN32-Prj/snort.dsp:
      don't compile pcap reload for Win, add function for ffs() which
      is not defined in windows. 

    * src/preprocessors/snort_httpinspect.c:
      Support large file processing in post raw data (not in MIME format)

    * src/: decode.c, decode.h, fpcreate.c, fpdetect.c, parser.c,
      parser.h, plugbase.c, plugbase.h, rate_filter.c, rate_filter.h,
      sfthreshold.c, sfthreshold.h, snort.c, snort.h, spo_plugbase.h,
      util.c, util.h, control/sfcontrol.c, control/sfcontrol.h,
      detection-plugins/detection_options.c,
      detection-plugins/detection_options.h,
      detection-plugins/sp_asn1.c, detection-plugins/sp_base64_data.c,
      detection-plugins/sp_base64_decode.c,
      detection-plugins/sp_byte_check.c,
      detection-plugins/sp_byte_extract.c,
      detection-plugins/sp_byte_jump.c,
      detection-plugins/sp_clientserver.c, detection-plugins/sp_cvs.c,
      detection-plugins/sp_dsize_check.c,
      detection-plugins/sp_file_data.c,
      detection-plugins/sp_flowbits.c,
      detection-plugins/sp_ftpbounce.c,
      detection-plugins/sp_icmp_code_check.c,
      detection-plugins/sp_icmp_id_check.c,
      detection-plugins/sp_icmp_seq_check.c,
      detection-plugins/sp_icmp_type_check.c,
      detection-plugins/sp_ip_fragbits.c,
      detection-plugins/sp_ip_id_check.c,
      detection-plugins/sp_ip_proto.c,
      detection-plugins/sp_ip_same_check.c,
      detection-plugins/sp_ip_tos_check.c,
      detection-plugins/sp_ipoption_check.c,
      detection-plugins/sp_isdataat.c,
      detection-plugins/sp_pattern_match.c,
      detection-plugins/sp_pattern_match.h,
      detection-plugins/sp_pcre.c, detection-plugins/sp_pcre.h,
      detection-plugins/sp_pkt_data.c, detection-plugins/sp_react.c,
      detection-plugins/sp_replace.c, detection-plugins/sp_replace.h,
      detection-plugins/sp_respond3.c,
      detection-plugins/sp_rpc_check.c, detection-plugins/sp_session.c,
      detection-plugins/sp_tcp_ack_check.c,
      detection-plugins/sp_tcp_flag_check.c,
      detection-plugins/sp_tcp_seq_check.c,
      detection-plugins/sp_tcp_win_check.c,
      detection-plugins/sp_ttl_check.c,
      detection-plugins/sp_urilen_check.c,
      dynamic-examples/dynamic-preprocessor/sf_preproc_info.h,
      dynamic-examples/dynamic-preprocessor/spp_example.c,
      dynamic-examples/dynamic-rule/detection_lib_meta.h,
      dynamic-output/libs/output_lib.c,
      dynamic-output/plugins/output_api.h,
      dynamic-output/plugins/output_common.h,
      dynamic-output/plugins/output_lib.h,
      dynamic-output/plugins/output_plugin.c,
      dynamic-plugins/sf_convert_dynamic.c,
      dynamic-plugins/sf_convert_dynamic.h,
      dynamic-plugins/sf_dynamic_detection.h,
      dynamic-plugins/sf_dynamic_engine.h,
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h,
      dynamic-plugins/sp_preprocopt.c, dynamic-plugins/sp_preprocopt.h,
      dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
      dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
      dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
      dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c,
      dynamic-plugins/sf_preproc_example/sf_preproc_info.h,
      dynamic-preprocessors/dcerpc2/dce2_config.c,
      dynamic-preprocessors/dcerpc2/dce2_config.h,
      dynamic-preprocessors/dcerpc2/dce2_paf.c,
      dynamic-preprocessors/dcerpc2/dce2_paf.h,
      dynamic-preprocessors/dcerpc2/dce2_roptions.c,
      dynamic-preprocessors/dcerpc2/dce2_roptions.h,
      dynamic-preprocessors/dcerpc2/snort_dce2.c,
      dynamic-preprocessors/dcerpc2/spp_dce2.c,
      dynamic-preprocessors/dnp3/dnp3_paf.c,
      dynamic-preprocessors/dnp3/dnp3_paf.h,
      dynamic-preprocessors/dnp3/dnp3_roptions.c,
      dynamic-preprocessors/dnp3/dnp3_roptions.h,
      dynamic-preprocessors/dnp3/spp_dnp3.c,
      dynamic-preprocessors/dns/spp_dns.c,
      dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c,
      dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
      dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      dynamic-preprocessors/gtp/gtp_roptions.c,
      dynamic-preprocessors/gtp/gtp_roptions.h,
      dynamic-preprocessors/gtp/spp_gtp.c,
      dynamic-preprocessors/imap/imap_config.h,
      dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/imap/spp_imap.c,
      dynamic-preprocessors/modbus/modbus_paf.c,
      dynamic-preprocessors/modbus/modbus_paf.h,
      dynamic-preprocessors/modbus/modbus_roptions.c,
      dynamic-preprocessors/modbus/modbus_roptions.h,
      dynamic-preprocessors/modbus/spp_modbus.c,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/pop/spp_pop.c,
      dynamic-preprocessors/reputation/reputation_config.c,
      dynamic-preprocessors/reputation/reputation_config.h,
      dynamic-preprocessors/reputation/spp_reputation.c,
      dynamic-preprocessors/reputation/shmem/shmem_common.h,
      dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
      dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
      dynamic-preprocessors/sdf/sdf_detection_option.c,
      dynamic-preprocessors/sdf/sdf_detection_option.h,
      dynamic-preprocessors/sdf/spp_sdf.c,
      dynamic-preprocessors/sdf/spp_sdf.h,
      dynamic-preprocessors/sip/sip_roptions.c,
      dynamic-preprocessors/sip/sip_roptions.h,
      dynamic-preprocessors/sip/spp_sip.c,
      dynamic-preprocessors/sip/spp_sip.h,
      dynamic-preprocessors/smtp/smtp_config.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/smtp/spp_smtp.c,
      dynamic-preprocessors/ssh/spp_ssh.c,
      dynamic-preprocessors/ssl/spp_ssl.c, file-process/file_service.c,
      output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c,
      output-plugins/spo_alert_sf_socket.c,
      output-plugins/spo_alert_syslog.c,
      output-plugins/spo_alert_test.c,
      output-plugins/spo_alert_unixsock.c, output-plugins/spo_csv.c,
      output-plugins/spo_log_ascii.c, output-plugins/spo_log_null.c,
      output-plugins/spo_log_tcpdump.c, output-plugins/spo_unified2.c,
      parser/IpAddrSet.c, parser/IpAddrSet.h, preprocessors/portscan.c,
      preprocessors/portscan.h, preprocessors/spp_arpspoof.c,
      preprocessors/spp_bo.c, preprocessors/spp_frag3.c,
      preprocessors/spp_httpinspect.c, preprocessors/spp_normalize.c,
      preprocessors/spp_perfmonitor.c, preprocessors/spp_rpc_decode.c,
      preprocessors/spp_sfportscan.c, preprocessors/spp_stream5.c,
      preprocessors/stream_api.h,
      preprocessors/HttpInspect/include/hi_paf.h,
      preprocessors/HttpInspect/include/hi_ui_server_lookup.h,
      preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c,
      preprocessors/HttpInspect/utils/hi_paf.c,
      preprocessors/Stream5/snort_stream5_session.h,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/snort_stream5_tcp.h,
      preprocessors/Stream5/snort_stream5_udp.c,
      preprocessors/Stream5/snort_stream5_udp.h,
      preprocessors/Stream5/stream5_common.c,
      preprocessors/Stream5/stream5_common.h,
      preprocessors/Stream5/stream5_ha.c,
      preprocessors/Stream5/stream5_ha.h,
      preprocessors/Stream5/stream5_paf.c,
      preprocessors/Stream5/stream5_paf.h, sfutil/Makefile.am,
      sfutil/acsmx.c, sfutil/acsmx.h, sfutil/acsmx2.c, sfutil/acsmx2.h,
      sfutil/bnfa_search.c, sfutil/bnfa_search.h,
      sfutil/intel-soft-cpm.c, sfutil/intel-soft-cpm.h, sfutil/mpse.c,
      sfutil/mpse.h, sfutil/sfPolicy.c, sfutil/sfPolicy.h,
      sfutil/sfPolicyData.h, sfutil/sfPolicyUserData.c,
      sfutil/sfPolicyUserData.h, sfutil/sfksearch.c,
      sfutil/sfksearch.h, sfutil/sfrf.c, sfutil/sfrf.h, sfutil/sfrt.c,
      sfutil/sfrt.h, sfutil/sfthd.c, sfutil/sfthd.h,
      sfutil/test/sfrf_test.c, sfutil/test/sfthd_test.c,
      sfutil/test/unit_hacks.c, sfutil/test/unit_hacks.h,
      target-based/sftarget_reader.c, target-based/sftarget_reader.h:
      Add a control channel command that reloads the snort configuration.  If
      a restart is needed, the command will return an error and the new
      configuration will be freed.    Using this can replace the HUP signal,
      which does not have a means of feedback to the user.

    * preproc_rules/preprocessor.rules, src/generators.h,
      src/dynamic-preprocessors/imap/imap_log.c,
      src/dynamic-preprocessors/imap/imap_log.h,
      src/dynamic-preprocessors/pop/pop_log.c,
      src/dynamic-preprocessors/pop/pop_log.h,
      src/dynamic-preprocessors/smtp/smtp_log.c,
      src/dynamic-preprocessors/smtp/smtp_log.h,
      doc/README.imap, doc/README.pop:
      Removed the decoding failure alert for bitencoded/non-encoded
      attachments since it was invalid as we don't decoded these attachments. 

    * src/preprocessors/spp_frag3.c:
      Continue to track fragments if rebuilt packet caused a drop.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed POST_SESSION_CLEANUP() macro to not log messages when Stream5
      is configured with "prune_log_max 0".  Thanks to Gregory S Thomas
      for pointing out the issue.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Skip MAC address verification on packets being routed by a DAQ Module. 

    * src/: decode.c, parser.c:
      Disallow rule-type decode rules with a sid that exceed
      DECODE_INDEX_MAX. 

    * src/decode.c:
      Fixed MPLS header length check. Credits to Jacob Baines for the
      find.
 
    * src/fpdetect.c:
      When decoding Teredo and the inner IPv6 doesn't have any payload,
      reset do_detect_content to ensure content matches are checked when
      evaluating rules against the outer IPv4 'payload'.  Thanks to Yun
      Zheng Hu & L0rd Ch0de1m0rt for reporting the issue & crafting
      traffic to reproduce. 

    * doc/snort_manual.tex:
      Add reference 'msb' to the list of valid ones in the Snort manual. 

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      flush and free application data on receipt of TCP RST in the
      close-wait state

    * src/: snort.c, preprocessors/spp_stream5.c,
      preprocessors/stream_api.h, preprocessors/stream_expect.c,
      preprocessors/Stream5/snort_stream5_icmp.c,
      preprocessors/Stream5/snort_stream5_ip.c,
      preprocessors/Stream5/snort_stream5_session.c,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/snort_stream5_tcp.h,
      preprocessors/Stream5/snort_stream5_udp.c,
      preprocessors/Stream5/snort_stream5_udp.h,
      preprocessors/Stream5/stream5_common.c,
      preprocessors/Stream5/stream5_common.h,
      preprocessors/Stream5/stream5_ha.c,
      preprocessors/Stream5/stream5_ha.h, side-channel/Makefile.am,
      side-channel/dmq.c, side-channel/dmq.h, side-channel/rbmq.c,
      side-channel/rbmq.h, side-channel/sidechannel.c,
      side-channel/sidechannel_define.h,
      configure.in:
      Add the ability to share basic session state for Stream via a
      side channel

    * src/: fpdetect.c, parser.c, snort.c, snort.h, util.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
      dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/stream5_paf.c:
      Improve some processing performance for small packets

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      fix alerts on packets with same src/dst ports
      fix prior alert tracking to prevent redundant alerts
      fix missing u2 packets.
 
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Copy remaining data to normalization buffer if already normalizing
      and in AUTH state.
 
    * src/ppm.c:
      Apply event filter support for PPM rules. 

    * src/: preprocessors/snort_httpinspect.c,
      dynamic-preprocessors/dcerpc2/snort_dce2.c,
      dynamic-plugins/sf_engine/sf_snort_packet.h,
      detection-plugins/detection_options.c,
      detection-plugins/detection_options.h, decode.h,
      detection_util.c, encode.c, encode.h, fpdetect.c:
      update the packet number check in detection to include
      the rebuilt packet count.

    * doc/snort_manual.tex:
      Update description for rawbytes rule option

    * src/sfutil/sfrt_flat.c:
      correct return value for memory allocation failures

    * src/: file-process/file_mime_process.c,
      dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/smtp/snort_smtp.c:
      Check log_state in case of allocation failure

    * src/: file-process/file_mime_process.c,
      dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/pop/snort_pop.c:
      Processing each mime attachment after the boundary is found. 

    * doc/README.http_inspect, doc/faq.pdf, doc/snort_manual.pdf,
      etc/gen-msg.map, preproc_rules/preprocessor.rules,
      src/generators.h,
      src/dynamic-preprocessors/dcerpc2/dce2_config.c,
      src/preprocessors/spp_stream5.c,
      src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
      src/preprocessors/HttpInspect/include/hi_eo_events.h,
      src/preprocessors/HttpInspect/utils/hi_paf.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c:
      Correct handling of head responses
      Flush extra line feeds with following PDUs (skipped over by http_inspect)
      add profiling for PAF
      Make PAF debug output more readable

    * src/: detect.c, detect.h, generators.h, snort.c, snort.h, util.c,
      output-plugins/spo_log_tcpdump.c, preprocessors/perf-base.c,
      preprocessors/perf-base.h:
      Add a new column for total_alert_pkts to permonitor stats. 

    * src/preprocessors/: perf-base.c, perf.c:
      Fix insolent file handling in perfmonitor. 

    * src/sfutil/sf_vartable.c:
      Free allocation on failure. 

    * src/sfutil/sf_ipvar.c:
      Refactor sfip_node_t list freeing; Free sfip_node_t list on
      allocation failure. 

    * snort.8:
      Update snort.8

    * src/: dynamic-preprocessors/ftptelnet/hi_util_kmap.c,
      dynamic-preprocessors/ftptelnet/pp_ftp.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      preprocessors/HttpInspect/utils/hi_util_kmap.c:
      Check for NULL parameter pointer before copying into file name.
      Alloc key node after checking for zero length.  Remove
      unnecessary curr_ch NULL check. 

    * src/control/sfcontrol.c:
      Fix error checks for CS_TYPE_MAX to be greater than or equal to.

    * src/dynamic-preprocessors/dcerpc2/: dce2_smb.c, dce2_smb.h:
      Remove unneccessary NULL check of session pointer.  Fix set SMB
      fingerprint functions to just set flag and not return anything. 

    * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
      Closed file before returning on error.  NULL terminated string gotten
      from fread() before passing to strtok_r.    Checked return value of
      fseek(), ftell() and fread().  Added log messages for errors. 

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      don't do PAF on midstream pickup sessions
      do midstream pickup on SYN/ACK when packet is within require_3whs
      grace period. 

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      fix midstream pickup when server data is seen before client.  Thanks to
      John Eure for reporting the issue. 

    * src/preprocessors/perf-flow.c:
      Don't skip logging of flows with 0 packet count for flow-ip tracking. 

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      fix multi-pdu per segment flushing

    * src/preprocessors/snort_httpinspect.c:
      check http session tracker for file upload processing

    * src/: encode.c, preprocessors/snort_httpinspect.c,
      preprocessors/spp_frag3.c,
      preprocessors/Stream5/snort_stream5_tcp.c:
      Adjust stream reassembly for a few edge cases
 
    * src/preprocessors/snort_httpinspect.c:
      fix the parsing of max gzip mem

    * src/: snort.c, dynamic-output/plugins/output.h,
      dynamic-output/plugins/output_base.c:
      Print dynamic output modules with other plugins durring startup. 

    * doc/snort_manual.pdf, etc/gen-msg.map,
      preproc_rules/decoder.rules, src/decode.c, src/decode.h,
      src/encode.c, src/generators.h, src/sf_protocols.h:
      Add decoding support for ERSpan type 2 and type 3 when ERSpan
      is inside GRE. 

    * src/: snort.c, snort.h:
      Add --pcap-reload Snort flag to reload between pcap runs. 

    * doc/README.daq, doc/faq.pdf, doc/snort_manual.pdf,
      doc/snort_manual.tex, src/decode.h, src/fpdetect.c, src/snort.c,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/smtp/smtp_util.c,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/file-process/file_mime_process.c,
      src/output-plugins/spo_unified2.c,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h,
      src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
      src/preprocessors/Stream5/snort_stream5_tcp.c,
      src/preprocessors/Stream5/snort_stream5_tcp.h:
      Ensure logging of extra data captured after alert

    * src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c:
      When a writer is in read mode, ensure the size is the shared memory
      segment size.

    * src/file-process/: libs/file_lib.c, file_service.c:
      Only display the file stats for types in the current configuration

    * src/: dynamic-preprocessors/ftptelnet/ftpp_si.h,
      preprocessors/spp_stream5.c, preprocessors/stream_api.h,
      preprocessors/Stream5/snort_stream5_session.c,
      control/sfcontrol.c:
      Add a stream api function to return the session key given a session
      pointer.  Expose the SessionKey structure to dynamic preprocessors. 
      For ICMP "sessions", include ICMP type as an element in the key,
      thereby making it a different "session" if the type varies.  Echo
      replies are keyed the same as requests.

    * doc/snort_manual.pdf, doc/snort_manual.tex, src/parser.c,
      src/parser.h, src/snort.c, src/snort.h, doc/README.reload:
      Remove "config read_bin_file" documentation

    * src/: decode.c, decode.h, sfutil/sf_ip.h, sfutil/sf_iph.c,
      preprocessors/perf-base.c,
      dynamic-preprocessors/dcerpc2/snort_dce2.c,
      dynamic-plugins/sf_engine/sf_snort_packet.h,
      dynamic-preprocessors/sdf/spp_sdf.c:
      Update IP6RawHdr structure and fix version extraction for little
      endian machines.  Reduce size of sfip_t by 4 bytes. 

    * src/detection-plugins/sp_pattern_match.c:
      Error if relative rule option used after fast pattern only. 

    * preproc_rules/decoder.rules, src/decode.c, src/generators.h:
      Add decoder alert for IPv6 Routing Type 0 headers. 

    * src/encode.c:
      Replace usage of ScAdapterInlineMode() with DAQ_GetInterfaceMode(). 

    * src/: rate_filter.h, dynamic-preprocessors/sdf/sdf_us_ssn.h,
      dynamic-preprocessors/sdf/spp_sdf.h, sfutil/sfrt_flat_dir.h:
      Cleanup recursive header inclusions. 

    * src/decode.h:
      Fix macros for token ring header field extraction. 

    * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
      Move SSN advertisement check before stricter validation. 

    * doc/: README.dcerpc2, snort_manual.pdf, snort_manual.tex:
      Update dce_stub_data documentation. 

    * src/parser.c:
      Cleanup function ValidateIPList().
 
    * src/dynamic-output/plugins/output_base.c:
      Remove dead code path.

    * src/detection-plugins/sp_respond3.c:
      FatalError if Resp3_Parse() is called with bad parameters. 

    * src/: snort_bounds.h, preprocessors/perf-base.c:
      Add error recovery to the perfstats logging code.
 
    * src/output-plugins/: spo_alert_fast.c, spo_alert_full.c:
      Add printing of GID:SID:Rev even if there is no msg in a rule. 

    * src/dynamic-preprocessors/: smtp/spp_smtp.c, pop/spp_pop.c,
      imap/spp_imap.c:
      Initialize file depth to all the configurations, not just the default.

    * configure.in, src/decode.h,
      src/detection-plugins/sp_clientserver.c,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
      src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
      src/dynamic-preprocessors/dcerpc2/dce2_paf.h,
      src/dynamic-preprocessors/dcerpc2/dce2_session.h,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
      src/dynamic-preprocessors/dnp3/dnp3_paf.c,
      src/dynamic-preprocessors/dnp3/dnp3_paf.h,
      src/dynamic-preprocessors/dnp3/spp_dnp3.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
      src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      src/dynamic-preprocessors/modbus/modbus_paf.c,
      src/dynamic-preprocessors/modbus/modbus_paf.h,
      src/dynamic-preprocessors/modbus/spp_modbus.c,
      src/file-process/file_mime_process.c,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/spp_httpinspect.c,
      src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
      src/preprocessors/HttpInspect/client/hi_client.c,
      src/preprocessors/HttpInspect/include/hi_paf.h,
      src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
      src/preprocessors/HttpInspect/server/hi_server.c,
      src/preprocessors/HttpInspect/utils/hi_paf.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c,
      src/preprocessors/Stream5/snort_stream5_tcp.h,
      src/preprocessors/Stream5/stream5_paf.c,
      src/preprocessors/Stream5/stream5_paf.h:
      Add support for PAF activation by service and hardened PAF (removed
      --disable-paf from configure.in)

    * etc/gen-msg.map, src/decode.c, src/decode.h, src/generators.h,
      preproc_rules/decoder.rules:
      Support decoding of ICMPv6 Node Info Query and Node Info Response.
      Added decoder event for invalid codes therein. 

    * src/preprocessors/: HttpInspect/mode_inspection/hi_mi.c,
      HttpInspect/client/hi_client.c, HttpInspect/include/hi_client.h,
      snort_httpinspect.h:
      Log XFF data on raw packet when reassembly is turned off.

    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
      Refactor dead code path in DCE2_SmbTransactionGetName(). 

    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
      Factor out dead code path in ftpp_ui_client_lookup_add().

    * src/preprocessors/spp_bo.c:
      Remove redundant dereferences to array pointer.

    * src/sfutil/sfrf.c:
      Factor out dead code path in SFRF_ConfigAdd(). 

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Factor out dead code path in Stream5ProcessTcp().
 
    * src/fpcreate.c:
      Factor out dead code path in fpCreatePortObject2PortGroup(). 

    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c,
      src/dynamic-preprocessors/dcerpc2/dce2_config.c:
      Factor out dead code paths in DCE2 Preproc. 

    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
      Factor out dead code paths in SetCursorInternal().
 
    * src/dynamic-preprocessors/sip/: sip_roptions.c, spp_sip.c,
      spp_sip.h:
      add user defined SIP method to parsing policy instead of running policy

    * src/preprocessors/HttpInspect/include/hi_eo_events.h,
      src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
      etc/gen-msg.map, src/generators.h,
      preproc_rules/preprocessor.rules,
      src/preprocessors/HttpInspect/client/hi_client.c:
      Add preprocessor alert when snort sees unescaped space within the URI
      Log IPs followed by portnum from the XFF header

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Remove unnecessary check for NULL on array type. 

    * src/preprocessors/spp_frag3.c:
      Remove unnecessary check for NULL on array type. 

    * src/snort.c:
      Remove unnecessary check for NULL on array type. 

    * tools/u2boat/u2boat.c:
      Make sure ConvertRecord func pointer is valid before called. 

    * src/detection-plugins/sp_byte_extract.c:
      Fix value check for byte extract "multiplier" arg. 

    * src/: util.c, util.h:
      Remove dead functions from util.c

    * tools/u2spewfoo/u2spewfoo.c:
      Check for error and prevent leaks with realloc in u2spewfoo.
      Thanks to William Parker for reporting it.

    * src/: parser.c, dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-preprocessors/dcerpc2/dce2_config.c,
      dynamic-preprocessors/dns/spp_dns.c:
      Fix dead code paths

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Reset overlap count when 129:7 is triggered to avoid repeated false
      positives

    * src/dynamic-preprocessors/smtp/: snort_smtp.c, snort_smtp.h:
      Handle 535 response codes - authentication failed. 

    * doc/README.SMTP, doc/snort_manual.tex,
      src/dynamic-preprocessors/smtp/smtp_config.c,
      src/dynamic-preprocessors/smtp/smtp_config.h,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/smtp/snort_smtp.h:
      Added new configuration options "data_cmds", "binary_data_cmds" and
      "auth_cmds" to the smtp preprocessor.

    * doc/README.reload, doc/snort_manual.tex, src/snort.c,
      src/preprocessors/perf-base.c, src/preprocessors/perf-base.h,
      src/preprocessors/perf-flow.c, src/preprocessors/perf-flow.h,
      src/preprocessors/perf.c, src/preprocessors/perf.h,
      src/preprocessors/spp_perfmonitor.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c:
      Added "flow-file" configuration option and optional arguments
      to "atexitonly" for perfmonitor preprocessor.
 
    * src/: detection-plugins/sp_pattern_match.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
      Adjust detection option pointer and distance for content matches
      with negative distances that put pointer before start of buffer. 

    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
      Ensure all request and response fields are reset
 
    * src/generators.h, preproc_rules/preprocessor.rules,
      src/preprocessors/spp_frag3.c:
      Remove dead preprocessor alerts from Frag3, GIDs 123:9, 123:10
      that are covered by 116:458. 

    * src/: dynamic-preprocessors/ftptelnet/ftpp_si.c,
      dynamic-preprocessors/ftptelnet/ftpp_si.h,
      dynamic-preprocessors/ftptelnet/pp_ftp.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
      dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      preprocessors/stream_api.h,
      preprocessors/Stream5/snort_stream5_tcp.c:
      Set reassembly on ftp-data for file processing and file_data ptr
      for ftp-data channel.

    * src/: decode.c, decode.h, encode.c, sf_protocols.h, snort.c:
      Whitelist encrypted ESP tunnels if decoding ESP traffic. 

    * src/detection-plugins/sp_react.c:
      Fix issue where react action was lost when Snort reloads. 

    * src/dynamic-preprocessors/: imap/snort_imap.c, imap/spp_imap.c,
      smtp/snort_smtp.c, smtp/spp_smtp.c, pop/snort_pop.c,
      pop/spp_pop.c:
      Enforce target based config setting for file processing.

    * src/file-process/file_mime_process.c:
      Make sure signature context is created at any file position. 

    * src/dynamic-preprocessors/: pop/snort_pop.c, pop/snort_pop.h,
      smtp/snort_smtp.c, smtp/snort_smtp.h:
      Using boundary to check end of file

    * src/: decode.h, dynamic-plugins/sf_engine/sf_snort_packet.h,
      output-plugins/spo_unified2.c, preprocessors/spp_sfportscan.c:
      Update portscan unified2 events to log type of portscan in
      protocol field instead of 0xFF.
 
    * doc/: README.asn1, snort_manual.pdf, snort_manual.tex:
      Update asn1 rule option documentation to remove reference to
      byte_test updating relative pointer.  Thanks to Brandon Castel
      for bringing this to our attention. 

    * src/: file-process/file_mime_process.c,
      file-process/file_mime_process.h,
      preprocessors/HttpInspect/client/hi_client.c,
      file-process/Makefile.am, file-process/file_api.h,
      file-process/file_mime_config.c, file-process/file_mime_config.h,
      file-process/file_resume_block.c,
      file-process/file_resume_block.h, file-process/file_service.c,
      file-process/file_service.h, file-process/file_service_config.c,
      preprocessors/snort_httpinspect.c,
      preprocessors/snort_httpinspect.h,
      preprocessors/spp_httpinspect.c,
      preprocessors/HttpInspect/include/hi_client.h,
      preprocessors/HttpInspect/include/hi_ui_config.h,
      dynamic-preprocessors/imap/spp_imap.c,
      file-process/libs/file_config.c, file-process/libs/file_config.h,
      sfutil/sf_email_attach_decode.c, snort.c:
      Add support for http file upload. 

    * doc/: PROBLEMS, README.WIN32, README.daq, faq.tex,
      snort_manual.tex:
      Update READMEs and FAQ and Snort Manual to standardize the format of
      references to libpcap.  Also update location of winpcap.  Thanks to
      Joshua Kinard and Bryan Jones for pointing out the discrepancies. 

    * src/preprocessors/spp_sfportscan.c:
      Fix portscan to only prep a pseudo-packet if actually generating an alert

    * src/file-process/: file_api.h, file_service.c:
      Add packet to file api calls to determine if the session is inline. 

    * src/dynamic-preprocessors/sip/sip_config.c:
      Fatal error during SIP preprocessor configuration
      if a standard or user defined method cannot be allocated. 

    * src/: file-process/file_resume_block.c,
      file-process/file_service.c, file-process/file_service.h,
      snort.c:
      Move file resume cache clean to restart or snort exit

    * src/file-process/: file_api.h, file_resume_block.c:
      File API change to support logging file resume blocking.

    * src/: preprocessors/Stream5/snort_stream5_tcp.c,
      file-process/Makefile.am, file-process/file_api.h,
      file-process/file_mime_process.c,
      file-process/file_mime_process.h,
      file-process/file_resume_block.c,
      file-process/file_resume_block.h, file-process/file_service.c,
      file-process/file_service_config.c,
      dynamic-preprocessors/pop/pop_config.c,
      dynamic-preprocessors/pop/pop_config.h,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/pop/snort_pop.h,
      dynamic-preprocessors/pop/spp_pop.c,
      dynamic-preprocessors/smtp/smtp_config.c,
      dynamic-preprocessors/smtp/smtp_config.h,
      dynamic-preprocessors/smtp/smtp_util.c,
      dynamic-preprocessors/smtp/smtp_util.h,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/smtp/snort_smtp.h,
      dynamic-preprocessors/smtp/spp_smtp.c,
      dynamic-preprocessors/imap/imap_config.c,
      dynamic-preprocessors/imap/imap_config.h,
      dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/imap/snort_imap.h,
      dynamic-preprocessors/imap/spp_imap.c, util.c, util.h,
      file-process/libs/file_config.c, file-process/libs/file_config.h,
      file-process/libs/file_lib.h,
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h:
      File blocking, http resume blocking, file statistics, and file name
      support for pop, imap. 

    * src/output-plugins/spo_alert_unixsock.c:
      Update to use memset and memmove instead of bzero/bcopy.    Thanks to
      Bill Parker for the suggestion. 

    * doc/: README.dcerpc2, snort_manual.pdf, snort_manual.tex:
      Update dcerpc2 preprocessor documentation to remove -1 as a default
      and valid value to max_frag_len. 

    * src/preprocessors/spp_perfmonitor.c:
      Make sure perfmonitor evaluation function is added to each policy's
      preprocessor evaluation list. 

    * configure.in, doc/INSTALL, doc/README.reputation,
      doc/snort_manual.pdf, doc/snort_manual.tex, src/fpcreate.c,
      src/fpcreate.h, src/parser.c, src/parser.h,
      src/rule_option_types.h, src/snort.c, src/snort.h,
      src/detection-plugins/detection_options.c,
      src/dynamic-examples/Makefile.am, src/dynamic-output/Makefile.am,
      src/dynamic-output/libs/Makefile.am,
      src/dynamic-plugins/sf_convert_dynamic.c,
      src/dynamic-plugins/sf_dynamic_plugins.c,
      src/dynamic-plugins/sp_dynamic.c,
      src/dynamic-plugins/sp_preprocopt.c,
      src/dynamic-preprocessors/Makefile.am,
      src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
      src/dynamic-preprocessors/dnp3/sf_dnp3.dsp,
      src/dynamic-preprocessors/dns/sf_dns.dsp,
      src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/gtp/sf_gtp.dsp,
      src/dynamic-preprocessors/imap/sf_imap.dsp,
      src/dynamic-preprocessors/isakmp/sf_isakmp.dsp,
      src/dynamic-preprocessors/libs/Makefile.am,
      src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp,
      src/dynamic-preprocessors/modbus/sf_modbus.dsp,
      src/dynamic-preprocessors/pop/sf_pop.dsp,
      src/dynamic-preprocessors/reputation/sf_reputation.dsp,
      src/dynamic-preprocessors/sdf/sf_sdf.dsp,
      src/dynamic-preprocessors/sip/sf_sip.dsp,
      src/dynamic-preprocessors/smtp/sf_smtp.dsp,
      src/dynamic-preprocessors/ssh/sf_ssh.dsp,
      src/dynamic-preprocessors/ssl/sf_ssl.dsp,
      src/preprocessors/spp_httpinspect.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c,
      src/preprocessors/Stream5/stream5_common.c,
      src/win32/WIN32-Prj/sf_engine.dsp,
      src/win32/WIN32-Prj/sf_testdetect.dsp,
      src/win32/WIN32-Prj/snort.dsp:
      Removed --disable-dynamicplugin configure option and hardened
      dynamic plugin code. 

    * src/: dynamic-plugins/sf_engine/sf_snort_packet.h,
      dynamic-preprocessors/ftptelnet/ftpp_si.c,
      dynamic-preprocessors/ftptelnet/ftpp_si.h,
      dynamic-preprocessors/ftptelnet/ftpp_ui_config.h,
      dynamic-preprocessors/ftptelnet/pp_ftp.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      preprocessors/spp_stream5.c, preprocessors/stream_api.h,
      preprocessors/Stream5/snort_stream5_tcp.c:
      File processing for ftp-data channel.

    * src/dynamic-preprocessors/dcerpc2/: dce2_smb.c, dce2_smb.h:
      Remove NetBIOS session state. 

    * src/: plugbase.c, output-plugins/Makefile.am,
      output-plugins/spo_unified.c, output-plugins/spo_unified.h:
      Remove deprecated unified support.  Same functionality is
      supported with unified2. 

    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
      Correct setting FID in reassembled packets on big endian systems. 

    * doc/INSTALL, doc/snort_manual.pdf, doc/snort_manual.tex,
      src/output-plugins/spo_alert_unixsock.c:
      Update alert_unixsock output plugin and documentation for use on FreeBSD.

    * src/: decode.c, decode.h:
      Add RFC 5925 (The TCP Authentication Option) option as a valid TCP
      option and tag RFC 2385 (Protection of BGP Sessions via the TCP MD5
      Signature Option) option as obsolete. 

    * rpm/snort.spec, doc/snort_manual.tex,
      src/win32/WIN32-Prj/snort_installer.nsi,
      src/win32/WIN32-Includes/config.h:
      Set version to 2.9.5

2013-04-18 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.4.6
    * src/build.h:
      updating build number to 73

    * doc/README.counts, doc/snort_manual.pdf, doc/snort_manual.tex,
      src/decode.c, src/parser.c, src/snort.h:
      Added config tunnel_verdicts and tunnel bypass for whitelist and
      blacklist verdicts for 6in4 or 4in6 encapsulated traffic.

    * src/preprocessors/spp_frag3.c:
      Don't update IP options length and count in frag3 after allocating
      option buffer when receiving duplicate 0 offset fragments with IP
      options.

2013-03-20 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.4.5
    * src/build.h:
      updating build number to 71

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      prevent pruning when dup'ing a seglist node to avoid broken
      flushed packets

    * src/detection-plugins/detection_options.c:
      recursively search patterns within the HTTP uri
      buffers until the buffer ends.

    * src/preprocessors/HttpInspect/: client/hi_client.c,
      client/hi_client_norm.c, include/hi_client.h:
      Remove proxy information from the normalized URI buffer.  Thanks
      to L0rd Ch0de1m0rt for reporting the issue.

    * src/: control/sfcontrol.c, preprocessors/Stream5/snort_stream5_tcp.c:
      fix logging of unified2 packet data when alerting on a packet containing
      multiple HTTP PDUs

2013-02-19 Bhagyashree Bantwal <bbantwal@sourcefire.com>
Snort 2.9.4.1
    * src/build.h: updating build number to 69

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Only check for TCP Window Slam on client packets.

    * src/: control/sfcontrol.c, control/sfcontrol.h,
      preprocessors/spp_stream5.c, preprocessors/stream_api.h,
      preprocessors/Stream5/snort_stream5_session.c,
      preprocessors/Stream5/stream5_common.h
      Add a stream API function to return a session key given a session.
      Expose the session key

    * src/target-based/sftarget_reader.c:
      Change routing table layout for ip6 attribute lookups to
      be more space efficient

    * src/preprocessors/spp_frag3.c:
      Forcibly drop excessive overlaps

    * src/preprocessors/spp_frag3.c:
      Propagate address_space_id from raw packet to frag3
          rebuilt packet DAQ header

    * src/: encode.c, encode.h,
      preprocessors/Stream5/snort_stream5_tcp.c:
      Update packet encoding to propagate the address_space_id in DAQ header

    * configure.in, src/decode.c:
      Define NO_NON_ETHER_DECODER by default in Snort builds. Add
      --enable-non-ether-decoders as a configure flag.

    * src/dynamic-preprocessors/: pop/snort_pop.c, pop/snort_pop.h,
      smtp/snort_smtp.c, smtp/snort_smtp.h:
      Use MIME boundary for end of file indication even for the last file

    * src/dynamic-preprocessors/reputation/spp_reputation.c:
      only inspect ingress zone for passive interface.

    * doc/README.reputation:
    * src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c:
      When a writer is in read mode, the size should be the shared
          memory segment size.

    * src/: control/sfcontrol.c, control/sfcontrol.h,
      dynamic-preprocessors/reputation/spp_reputation.c:
      Only decode outer header in main control section. Payload is handled by the handler.

    * src/dynamic-preprocessors/reputation/: spp_reputation.c
      shmem/shmem_mgmt.c:
      update share memory for snort readers that are idle.

    * src/parser.c:
      make sure otn is different from original and and that option functions weren't
      already freed before freeing the dup list.

    * src/dynamic-preprocessors/: smtp/spp_smtp.c, imap/spp_imap.c,
      pop/spp_pop.c:
      Initialize file depth to all the policies, not just default
      policy

    * src/dynamic-preprocessors/: pop/spp_pop.c, smtp/snort_smtp.c,
      imap/spp_imap.c:
      check whether mime decoding is disabled before allocating memory.

    * doc/: snort_manual.pdf, snort_manual.tex:
      changed doc default to 10 max_attribute_services_per_host.

    * src/: parser.c, parser.h, snort.c, snort.h,
      preprocessors/spp_frag3.c,
      preprocessors/Stream5/snort_stream5_tcp.c,
      target-based/sftarget_hostentry.c,
      target-based/sftarget_reader.c, target-based/sftarget_reader.h:
      remove unused AttributeData and change attribute table to use uints instead of
      AttributeData to reduce host/service from 5208/5192 to 80/16
      bytes respectively.  Add config max_attribute_services_per_host
      to change from default of 10.  Unused AttributeData includes
      operating system, vendor, and version for host and application
      and version for service.  Note that the data is still parsed from
      hosts.xml but not actually stored in memory.    Also tweak some
      stream5 debug code that threw warnings.

    * src/: file-process/file_service.c,
      preprocessors/snort_httpinspect.c:
      avoid processing partial HTTP content.

    * src/: encode.c, encode.h,
      preprocessors/Stream5/snort_stream5_tcp.c:
      Make sure daq supports zones and interfaces in the daq header.

    * src/: encode.c, encode.h,
      preprocessors/Stream5/snort_stream5_tcp.c:
      Maintain ingress and egress interfaces and zones and daq flags
      in the tcp session to be used to populate reassembled packets correctly.

2012-10-30 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.4
    * src/build.h:
      updating build number to 37

    * doc/README.counts, doc/snort_manual.tex, doc/snort_manual.pdf,
      src/active.c, src/active.h, src/decode.c, src/parser.c,
      src/parser.h, src/snort.c, src/snort.h, src/util.c:
      added config tunnel_verdicts and tunnel bypass for whitelist and
      blacklist verdicts for gtp or teredo encapsulated traffic.

    * src/dynamic-preprocessors/smtp/: snort_smtp.c, snort_smtp.h:
      Handle MS Exchange X-EXPS and XEXCH50 commands in the SMTP
      preprocessor.

2012-10-16 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.4 RC
    * src/build.h:
      updating build number to 35

    * src/file-process/libs/: file_identifier.c, file_identifier.h
      Fixed one issue when inserting a file magic in between another
      file magic. In addition, avoid cloning nodes which are not used
      by other node.  This improves memory assuage (from 10M down to
      4M)

    * src/: detect.c, plugbase.c, plugbase.h, snort.c, snort.h,
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h
      Added 2 new dpd functions. One turns off detection, the other
      re-enables a given preprocessor. After the preprocessors are
      configured, the preprocessor list is filtered if detection is
      off.

    * src/active.c :
      allow TCP RST response to segments w/o data

    * src/dynamic-plugins/sf_engine/: sf_snort_detection_engine.c,
      sf_snort_plugin_api.c, sf_snort_plugin_api.h,
      sf_snort_plugin_byte.c, sf_snort_plugin_content.c,
      sf_snort_plugin_hdropts.c, sf_snort_plugin_pcre.c
      Changed logic of option evaluations for SO rules that use a custom
      evaluation function to match that of the SO rule builtin logic
      when the NOT_FLAG is used.

    * src/detection-plugins/: sp_flowbits.c, sp_flowbits.h
      Use appropriate interger types and comparisons.

    * src/preprocessors/HttpInspect/: client/hi_client.c,
      server/hi_server.c
      fix win32 warnings

    * src/: active.c, fpdetect.c, preprocessors/spp_stream5.c
      don't enable active response unless configured

    * src/: dynamic-plugins/sf_engine/sf_snort_packet.h,
      preprocessors/spp_stream5.c, file-process/file_service.c,
      decode.h
      avoid logging incorrect file name/file size when multiple files
      within one packet.

    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
      Fix Win32 build warnings.

2012-09-20 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.4 Beta
    * configure.in, doc/snort_manual.pdf, src/parser.c, src/parser.h,
      src/sfdaq.h, src/snort.h,
      src/dynamic-preprocessors/sip/sip_dialog.c,
      src/preprocessors/spp_frag3.c, src/preprocessors/spp_stream5.c,
      src/preprocessors/stream_api.h,
      src/preprocessors/Stream5/snort_stream5_session.c,
      src/preprocessors/Stream5/snort_stream5_session.h,
      src/preprocessors/Stream5/stream5_common.h:
      Add use of address_space_id in stream & frag hash keys when DAQ
      provides it.

    * src/: dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
      dynamic-preprocessors/smtp/snort_smtp.c,
      preprocessors/snort_httpinspect.c,
      preprocessors/Stream5/snort_stream5_tcp.c,
      sfutil/sf_email_attach_decode.h,
      win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp,
      win32/WIN32-Prj/snort.dsw:
      Fix a few Win32 warnings.

    * src/preprocessors/Stream5/snort_stream5_tcp.c
      ensure that the LWS policy matches that of the server (instead of
      the dest)

    * COPYING, LICENSE, contrib/snortpp.c, doc/README, src/active.h,
      src/byte_extract.c, src/byte_extract.h, src/checksum.h,
      src/cpuclock.h, src/debug.c, src/decode.h, src/detect.c,
      src/detect.h, src/detection_filter.c, src/detection_filter.h,
      src/detection_util.c, src/detection_util.h, src/encode.c,
      src/encode.h, src/event.h, src/event_queue.c, src/event_queue.h,
      src/event_wrapper.c, src/event_wrapper.h, src/fpcreate.c,
      src/fpcreate.h, src/fpdetect.c, src/fpdetect.h, src/generators.h,
      src/idle_processing.c, src/idle_processing.h,
      src/idle_processing_funcs.h, src/ipv6_port.h, src/log.c,
      src/log.h, src/log_text.c, src/log_text.h, src/mempool.c,
      src/mempool.h, src/mstring.c, src/mstring.h, src/obfuscation.c,
      src/obfuscation.h, src/packet_time.c, src/packet_time.h,
      src/parser.c, src/parser.h, src/pcap_pkthdr32.h, src/pcrm.c,
      src/pcrm.h, src/plugbase.c, src/plugbase.h, src/plugin_enum.h,
      src/ppm.c, src/ppm.h, src/preprocids.h, src/profiler.c,
      src/profiler.h, src/rate_filter.c, src/rate_filter.h,
      src/rule_option_types.h, src/rules.h, src/sf_protocols.h,
      src/sf_sdlist.c, src/sf_sdlist.h, src/sf_sdlist_types.h,
      src/sf_types.h, src/sfdaq.c, src/sfdaq.h, src/sfthreshold.c,
      src/sfthreshold.h, src/signature.c, src/signature.h, src/snort.c,
      src/snort.h, src/snort_bounds.h, src/snort_debug.h,
      src/snprintf.c, src/snprintf.h, src/spo_plugbase.h,
      src/strlcatu.h, src/strlcpyu.h, src/tag.c, src/tag.h,
      src/treenodes.h, src/util.c, src/util.h, src/control/sfcontrol.c,
      src/control/sfcontrol.h, src/control/sfcontrol_funcs.h,
      src/detection-plugins/detection_options.h,
      src/detection-plugins/sp_asn1.c, src/detection-plugins/sp_asn1.h,
      src/detection-plugins/sp_asn1_detect.c,
      src/detection-plugins/sp_asn1_detect.h,
      src/detection-plugins/sp_base64_data.c,
      src/detection-plugins/sp_base64_data.h,
      src/detection-plugins/sp_base64_decode.c,
      src/detection-plugins/sp_base64_decode.h,
      src/detection-plugins/sp_byte_check.h,
      src/detection-plugins/sp_byte_extract.h,
      src/detection-plugins/sp_byte_jump.h,
      src/detection-plugins/sp_clientserver.c,
      src/detection-plugins/sp_clientserver.h,
      src/detection-plugins/sp_cvs.c, src/detection-plugins/sp_cvs.h,
      src/detection-plugins/sp_dsize_check.c,
      src/detection-plugins/sp_dsize_check.h,
      src/detection-plugins/sp_file_data.c,
      src/detection-plugins/sp_file_data.h,
      src/detection-plugins/sp_flowbits.c,
      src/detection-plugins/sp_flowbits.h,
      src/detection-plugins/sp_ftpbounce.c,
      src/detection-plugins/sp_ftpbounce.h,
      src/detection-plugins/sp_hdr_opt_wrap.c,
      src/detection-plugins/sp_hdr_opt_wrap.h,
      src/detection-plugins/sp_icmp_code_check.c,
      src/detection-plugins/sp_icmp_code_check.h,
      src/detection-plugins/sp_icmp_id_check.c,
      src/detection-plugins/sp_icmp_id_check.h,
      src/detection-plugins/sp_icmp_seq_check.c,
      src/detection-plugins/sp_icmp_seq_check.h,
      src/detection-plugins/sp_icmp_type_check.c,
      src/detection-plugins/sp_icmp_type_check.h,
      src/detection-plugins/sp_ip_fragbits.c,
      src/detection-plugins/sp_ip_fragbits.h,
      src/detection-plugins/sp_ip_id_check.c,
      src/detection-plugins/sp_ip_id_check.h,
      src/detection-plugins/sp_ip_proto.c,
      src/detection-plugins/sp_ip_proto.h,
      src/detection-plugins/sp_ip_same_check.c,
      src/detection-plugins/sp_ip_same_check.h,
      src/detection-plugins/sp_ip_tos_check.c,
      src/detection-plugins/sp_ip_tos_check.h,
      src/detection-plugins/sp_ipoption_check.c,
      src/detection-plugins/sp_ipoption_check.h,
      src/detection-plugins/sp_isdataat.c,
      src/detection-plugins/sp_isdataat.h,
      src/detection-plugins/sp_pattern_match.c,
      src/detection-plugins/sp_pattern_match.h,
      src/detection-plugins/sp_pcre.h,
      src/detection-plugins/sp_pkt_data.c,
      src/detection-plugins/sp_pkt_data.h,
      src/detection-plugins/sp_react.c,
      src/detection-plugins/sp_react.h,
      src/detection-plugins/sp_replace.c,
      src/detection-plugins/sp_replace.h,
      src/detection-plugins/sp_respond.h,
      src/detection-plugins/sp_respond3.c,
      src/detection-plugins/sp_rpc_check.c,
      src/detection-plugins/sp_rpc_check.h,
      src/detection-plugins/sp_session.c,
      src/detection-plugins/sp_session.h,
      src/detection-plugins/sp_tcp_ack_check.c,
      src/detection-plugins/sp_tcp_ack_check.h,
      src/detection-plugins/sp_tcp_flag_check.c,
      src/detection-plugins/sp_tcp_flag_check.h,
      src/detection-plugins/sp_tcp_seq_check.c,
      src/detection-plugins/sp_tcp_seq_check.h,
      src/detection-plugins/sp_tcp_win_check.c,
      src/detection-plugins/sp_tcp_win_check.h,
      src/detection-plugins/sp_ttl_check.c,
      src/detection-plugins/sp_ttl_check.h,
      src/detection-plugins/sp_urilen_check.c,
      src/detection-plugins/sp_urilen_check.h,
      src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h,
      src/dynamic-examples/dynamic-preprocessor/spp_example.c,
      src/dynamic-examples/dynamic-rule/detection_lib_meta.h,
      src/dynamic-examples/dynamic-rule/rules.c,
      src/dynamic-examples/dynamic-rule/sid109.c,
      src/dynamic-examples/dynamic-rule/sid637.c,
      src/dynamic-output/libs/output_lib.c,
      src/dynamic-output/plugins/output.h,
      src/dynamic-output/plugins/output_api.h,
      src/dynamic-output/plugins/output_base.c,
      src/dynamic-output/plugins/output_common.h,
      src/dynamic-output/plugins/output_lib.h,
      src/dynamic-output/plugins/output_plugin.c,
      src/dynamic-plugins/sf_convert_dynamic.h,
      src/dynamic-plugins/sf_dynamic_common.h,
      src/dynamic-plugins/sf_dynamic_define.h,
      src/dynamic-plugins/sf_dynamic_detection.h,
      src/dynamic-plugins/sf_dynamic_engine.h,
      src/dynamic-plugins/sf_dynamic_meta.h,
      src/dynamic-plugins/sp_dynamic.h,
      src/dynamic-plugins/sp_preprocopt.h,
      src/dynamic-plugins/sf_engine/bmh.c,
      src/dynamic-plugins/sf_engine/bmh.h,
      src/dynamic-plugins/sf_engine/sf_decompression.c,
      src/dynamic-plugins/sf_engine/sf_decompression.h,
      src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      src/dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c,
      src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.c,
      src/dynamic-plugins/sf_engine/examples/sfsnort_dynamic_detection_lib.h,
      src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c,
      src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h,
      src/dynamic-plugins/sf_preproc_example/sf_preproc_info.h,
      src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.c,
      src/dynamic-plugins/sf_preproc_example/spp_nfs_setup.h,
      src/dynamic-preprocessors/dcerpc2/dce2_cl.c,
      src/dynamic-preprocessors/dcerpc2/dce2_cl.h,
      src/dynamic-preprocessors/dcerpc2/dce2_co.c,
      src/dynamic-preprocessors/dcerpc2/dce2_co.h,
      src/dynamic-preprocessors/dcerpc2/dce2_config.c,
      src/dynamic-preprocessors/dcerpc2/dce2_config.h,
      src/dynamic-preprocessors/dcerpc2/dce2_debug.c,
      src/dynamic-preprocessors/dcerpc2/dce2_debug.h,
      src/dynamic-preprocessors/dcerpc2/dce2_event.c,
      src/dynamic-preprocessors/dcerpc2/dce2_event.h,
      src/dynamic-preprocessors/dcerpc2/dce2_http.c,
      src/dynamic-preprocessors/dcerpc2/dce2_http.h,
      src/dynamic-preprocessors/dcerpc2/dce2_list.c,
      src/dynamic-preprocessors/dcerpc2/dce2_list.h,
      src/dynamic-preprocessors/dcerpc2/dce2_memory.c,
      src/dynamic-preprocessors/dcerpc2/dce2_memory.h,
      src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
      src/dynamic-preprocessors/dcerpc2/dce2_paf.h,
      src/dynamic-preprocessors/dcerpc2/dce2_roptions.c,
      src/dynamic-preprocessors/dcerpc2/dce2_roptions.h,
      src/dynamic-preprocessors/dcerpc2/dce2_session.h,
      src/dynamic-preprocessors/dcerpc2/dce2_smb.h,
      src/dynamic-preprocessors/dcerpc2/dce2_stats.c,
      src/dynamic-preprocessors/dcerpc2/dce2_stats.h,
      src/dynamic-preprocessors/dcerpc2/dce2_tcp.c,
      src/dynamic-preprocessors/dcerpc2/dce2_tcp.h,
      src/dynamic-preprocessors/dcerpc2/dce2_udp.c,
      src/dynamic-preprocessors/dcerpc2/dce2_udp.h,
      src/dynamic-preprocessors/dcerpc2/dce2_utils.c,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.h,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.h,
      src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h,
      src/dynamic-preprocessors/dcerpc2/includes/smb.h,
      src/dynamic-preprocessors/dnp3/dnp3_map.h,
      src/dynamic-preprocessors/dnp3/dnp3_paf.c,
      src/dynamic-preprocessors/dnp3/dnp3_paf.h,
      src/dynamic-preprocessors/dnp3/dnp3_reassembly.c,
      src/dynamic-preprocessors/dnp3/dnp3_reassembly.h,
      src/dynamic-preprocessors/dnp3/dnp3_roptions.c,
      src/dynamic-preprocessors/dnp3/dnp3_roptions.h,
      src/dynamic-preprocessors/dnp3/spp_dnp3.c,
      src/dynamic-preprocessors/dnp3/spp_dnp3.h,
      src/dynamic-preprocessors/dns/spp_dns.c,
      src/dynamic-preprocessors/dns/spp_dns.h,
      src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c,
      src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h,
      src/dynamic-preprocessors/ftptelnet/ftp_client.h,
      src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c,
      src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h,
      src/dynamic-preprocessors/ftptelnet/ftp_server.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_eo.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_include.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h,
      src/dynamic-preprocessors/ftptelnet/ftpp_util_kmap.h,
      src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c,
      src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h,
      src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c,
      src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h,
      src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
      src/dynamic-preprocessors/ftptelnet/pp_ftp.h,
      src/dynamic-preprocessors/ftptelnet/pp_telnet.c,
      src/dynamic-preprocessors/ftptelnet/pp_telnet.h,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h,
      src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h,
      src/dynamic-preprocessors/gtp/gtp_config.c,
      src/dynamic-preprocessors/gtp/gtp_config.h,
      src/dynamic-preprocessors/gtp/gtp_debug.h,
      src/dynamic-preprocessors/gtp/gtp_parser.c,
      src/dynamic-preprocessors/gtp/gtp_parser.h,
      src/dynamic-preprocessors/gtp/gtp_roptions.c,
      src/dynamic-preprocessors/gtp/gtp_roptions.h,
      src/dynamic-preprocessors/gtp/spp_gtp.c,
      src/dynamic-preprocessors/gtp/spp_gtp.h,
      src/dynamic-preprocessors/imap/imap_config.c,
      src/dynamic-preprocessors/imap/imap_config.h,
      src/dynamic-preprocessors/imap/imap_log.c,
      src/dynamic-preprocessors/imap/imap_log.h,
      src/dynamic-preprocessors/imap/imap_util.c,
      src/dynamic-preprocessors/imap/imap_util.h,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/imap/snort_imap.h,
      src/dynamic-preprocessors/imap/spp_imap.c,
      src/dynamic-preprocessors/imap/spp_imap.h,
      src/dynamic-preprocessors/isakmp/spp_isakmp.c,
      src/dynamic-preprocessors/isakmp/spp_isakmp.h,
      src/dynamic-preprocessors/libs/sf_preproc_info.h,
      src/dynamic-preprocessors/libs/sfcommon.h,
      src/dynamic-preprocessors/libs/sfparser.c,
      src/dynamic-preprocessors/libs/ssl.c,
      src/dynamic-preprocessors/libs/ssl.h,
      src/dynamic-preprocessors/modbus/modbus_decode.c,
      src/dynamic-preprocessors/modbus/modbus_decode.h,
      src/dynamic-preprocessors/modbus/modbus_paf.c,
      src/dynamic-preprocessors/modbus/modbus_paf.h,
      src/dynamic-preprocessors/modbus/modbus_roptions.c,
      src/dynamic-preprocessors/modbus/modbus_roptions.h,
      src/dynamic-preprocessors/modbus/spp_modbus.c,
      src/dynamic-preprocessors/modbus/spp_modbus.h,
      src/dynamic-preprocessors/pop/pop_config.c,
      src/dynamic-preprocessors/pop/pop_config.h,
      src/dynamic-preprocessors/pop/pop_log.c,
      src/dynamic-preprocessors/pop/pop_log.h,
      src/dynamic-preprocessors/pop/pop_util.c,
      src/dynamic-preprocessors/pop/pop_util.h,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/pop/snort_pop.h,
      src/dynamic-preprocessors/pop/spp_pop.c,
      src/dynamic-preprocessors/pop/spp_pop.h,
      src/dynamic-preprocessors/reputation/reputation_config.h,
      src/dynamic-preprocessors/reputation/reputation_debug.h,
      src/dynamic-preprocessors/reputation/reputation_utils.c,
      src/dynamic-preprocessors/reputation/reputation_utils.h,
      src/dynamic-preprocessors/reputation/spp_reputation.c,
      src/dynamic-preprocessors/reputation/spp_reputation.h,
      src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c,
      src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_config.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_config.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_lib.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
      src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c,
      src/dynamic-preprocessors/sdf/sdf_credit_card.c,
      src/dynamic-preprocessors/sdf/sdf_credit_card.h,
      src/dynamic-preprocessors/sdf/sdf_detection_option.c,
      src/dynamic-preprocessors/sdf/sdf_detection_option.h,
      src/dynamic-preprocessors/sdf/sdf_pattern_match.c,
      src/dynamic-preprocessors/sdf/sdf_pattern_match.h,
      src/dynamic-preprocessors/sdf/sdf_us_ssn.c,
      src/dynamic-preprocessors/sdf/sdf_us_ssn.h,
      src/dynamic-preprocessors/sdf/spp_sdf.h,
      src/dynamic-preprocessors/sip/sip_config.h,
      src/dynamic-preprocessors/sip/sip_debug.h,
      src/dynamic-preprocessors/sip/sip_dialog.c,
      src/dynamic-preprocessors/sip/sip_dialog.h,
      src/dynamic-preprocessors/sip/sip_parser.c,
      src/dynamic-preprocessors/sip/sip_parser.h,
      src/dynamic-preprocessors/sip/sip_roptions.h,
      src/dynamic-preprocessors/sip/sip_utils.c,
      src/dynamic-preprocessors/sip/sip_utils.h,
      src/dynamic-preprocessors/sip/spp_sip.c,
      src/dynamic-preprocessors/sip/spp_sip.h,
      src/dynamic-preprocessors/sip/test/sip_test.c,
      src/dynamic-preprocessors/smtp/smtp_config.c,
      src/dynamic-preprocessors/smtp/smtp_config.h,
      src/dynamic-preprocessors/smtp/smtp_log.c,
      src/dynamic-preprocessors/smtp/smtp_log.h,
      src/dynamic-preprocessors/smtp/smtp_normalize.c,
      src/dynamic-preprocessors/smtp/smtp_normalize.h,
      src/dynamic-preprocessors/smtp/smtp_util.c,
      src/dynamic-preprocessors/smtp/smtp_util.h,
      src/dynamic-preprocessors/smtp/smtp_xlink2state.c,
      src/dynamic-preprocessors/smtp/smtp_xlink2state.h,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/smtp/snort_smtp.h,
      src/dynamic-preprocessors/smtp/spp_smtp.h,
      src/dynamic-preprocessors/ssh/spp_ssh.c,
      src/dynamic-preprocessors/ssh/spp_ssh.h,
      src/dynamic-preprocessors/ssl/spp_ssl.c,
      src/dynamic-preprocessors/ssl/spp_ssl.h,
      src/output-plugins/spo_alert_fast.c,
      src/output-plugins/spo_alert_fast.h,
      src/output-plugins/spo_alert_full.c,
      src/output-plugins/spo_alert_full.h,
      src/output-plugins/spo_alert_sf_socket.c,
      src/output-plugins/spo_alert_sf_socket.h,
      src/output-plugins/spo_alert_syslog.c,
      src/output-plugins/spo_alert_syslog.h,
      src/output-plugins/spo_alert_test.c,
      src/output-plugins/spo_alert_test.h,
      src/output-plugins/spo_alert_unixsock.h,
      src/output-plugins/spo_csv.c, src/output-plugins/spo_csv.h,
      src/output-plugins/spo_log_ascii.c,
      src/output-plugins/spo_log_ascii.h,
      src/output-plugins/spo_log_null.c,
      src/output-plugins/spo_log_null.h,
      src/output-plugins/spo_log_tcpdump.c,
      src/output-plugins/spo_log_tcpdump.h,
      src/output-plugins/spo_unified.c,
      src/output-plugins/spo_unified.h,
      src/output-plugins/spo_unified2.c,
      src/output-plugins/spo_unified2.h, src/parser/IpAddrSet.c,
      src/parser/IpAddrSet.h, src/preprocessors/normalize.c,
      src/preprocessors/normalize.h, src/preprocessors/perf-base.c,
      src/preprocessors/perf-base.h, src/preprocessors/perf-event.c,
      src/preprocessors/perf-event.h, src/preprocessors/perf-flow.c,
      src/preprocessors/perf-flow.h, src/preprocessors/perf.c,
      src/preprocessors/perf.h, src/preprocessors/portscan.c,
      src/preprocessors/portscan.h, src/preprocessors/sfprocpidstats.c,
      src/preprocessors/sfprocpidstats.h,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h,
      src/preprocessors/spp_arpspoof.c,
      src/preprocessors/spp_arpspoof.h, src/preprocessors/spp_bo.c,
      src/preprocessors/spp_bo.h, src/preprocessors/spp_frag3.c,
      src/preprocessors/spp_frag3.h,
      src/preprocessors/spp_httpinspect.h,
      src/preprocessors/spp_normalize.c,
      src/preprocessors/spp_normalize.h,
      src/preprocessors/spp_perfmonitor.h,
      src/preprocessors/spp_rpc_decode.c,
      src/preprocessors/spp_rpc_decode.h,
      src/preprocessors/spp_sfportscan.c,
      src/preprocessors/spp_sfportscan.h,
      src/preprocessors/spp_stream5.c, src/preprocessors/spp_stream5.h,
      src/preprocessors/str_search.c, src/preprocessors/str_search.h,
      src/preprocessors/stream_api.c, src/preprocessors/stream_api.h,
      src/preprocessors/stream_expect.c,
      src/preprocessors/stream_expect.h,
      src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c,
      src/preprocessors/HttpInspect/client/hi_client_norm.c,
      src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
      src/preprocessors/HttpInspect/include/hi_ad.h,
      src/preprocessors/HttpInspect/include/hi_client.h,
      src/preprocessors/HttpInspect/include/hi_client_norm.h,
      src/preprocessors/HttpInspect/include/hi_client_stateful.h,
      src/preprocessors/HttpInspect/include/hi_cmd_lookup.h,
      src/preprocessors/HttpInspect/include/hi_eo.h,
      src/preprocessors/HttpInspect/include/hi_eo_events.h,
      src/preprocessors/HttpInspect/include/hi_eo_log.h,
      src/preprocessors/HttpInspect/include/hi_include.h,
      src/preprocessors/HttpInspect/include/hi_mi.h,
      src/preprocessors/HttpInspect/include/hi_norm.h,
      src/preprocessors/HttpInspect/include/hi_paf.h,
      src/preprocessors/HttpInspect/include/hi_reqmethod_check.h,
      src/preprocessors/HttpInspect/include/hi_return_codes.h,
      src/preprocessors/HttpInspect/include/hi_server.h,
      src/preprocessors/HttpInspect/include/hi_server_norm.h,
      src/preprocessors/HttpInspect/include/hi_si.h,
      src/preprocessors/HttpInspect/include/hi_stateful_inspect.h,
      src/preprocessors/HttpInspect/include/hi_ui_config.h,
      src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h,
      src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h,
      src/preprocessors/HttpInspect/include/hi_uri.h,
      src/preprocessors/HttpInspect/include/hi_urilen_check.h,
      src/preprocessors/HttpInspect/include/hi_util.h,
      src/preprocessors/HttpInspect/include/hi_util_hbm.h,
      src/preprocessors/HttpInspect/include/hi_util_kmap.h,
      src/preprocessors/HttpInspect/include/hi_util_xmalloc.h,
      src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
      src/preprocessors/HttpInspect/normalization/hi_norm.c,
      src/preprocessors/HttpInspect/server/hi_server_norm.c,
      src/preprocessors/HttpInspect/session_inspection/hi_si.c,
      src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
      src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c,
      src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c,
      src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c,
      src/preprocessors/HttpInspect/utils/hi_paf.c,
      src/preprocessors/HttpInspect/utils/hi_util_hbm.c,
      src/preprocessors/HttpInspect/utils/hi_util_kmap.c,
      src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c,
      src/preprocessors/Stream5/snort_stream5_icmp.c,
      src/preprocessors/Stream5/snort_stream5_icmp.h,
      src/preprocessors/Stream5/snort_stream5_ip.c,
      src/preprocessors/Stream5/snort_stream5_ip.h,
      src/preprocessors/Stream5/snort_stream5_session.c,
      src/preprocessors/Stream5/snort_stream5_session.h,
      src/preprocessors/Stream5/snort_stream5_tcp.c,
      src/preprocessors/Stream5/snort_stream5_tcp.h,
      src/preprocessors/Stream5/snort_stream5_udp.c,
      src/preprocessors/Stream5/snort_stream5_udp.h,
      src/preprocessors/Stream5/stream5_common.c,
      src/preprocessors/Stream5/stream5_common.h,
      src/preprocessors/Stream5/stream5_paf.c,
      src/preprocessors/Stream5/stream5_paf.h,
      src/sfutil/Unified2_common.h, src/sfutil/acsmx.c,
      src/sfutil/acsmx.h, src/sfutil/acsmx2.h, src/sfutil/asn1.c,
      src/sfutil/asn1.h, src/sfutil/bitop.h, src/sfutil/bitop_funcs.h,
      src/sfutil/bnfa_search.h, src/sfutil/getopt.h,
      src/sfutil/intel-soft-cpm.c, src/sfutil/intel-soft-cpm.h,
      src/sfutil/ipobj.c, src/sfutil/ipobj.h, src/sfutil/mpse.c,
      src/sfutil/segment_mem.c, src/sfutil/segment_mem.h,
      src/sfutil/sfActionQueue.c, src/sfutil/sfActionQueue.h,
      src/sfutil/sfPolicy.c, src/sfutil/sfPolicy.h,
      src/sfutil/sfPolicyUserData.c, src/sfutil/sfPolicyUserData.h,
      src/sfutil/sf_base64decode.c, src/sfutil/sf_base64decode.h,
      src/sfutil/sf_email_attach_decode.c,
      src/sfutil/sf_email_attach_decode.h, src/sfutil/sf_ip.c,
      src/sfutil/sf_ip.h, src/sfutil/sf_iph.h, src/sfutil/sf_ipvar.c,
      src/sfutil/sf_ipvar.h, src/sfutil/sf_seqnums.h,
      src/sfutil/sf_textlog.c, src/sfutil/sf_textlog.h,
      src/sfutil/sf_vartable.c, src/sfutil/sf_vartable.h,
      src/sfutil/sfeventq.c, src/sfutil/sfeventq.h,
      src/sfutil/sfghash.c, src/sfutil/sfghash.h,
      src/sfutil/sfhashfcn.c, src/sfutil/sfhashfcn.h,
      src/sfutil/sfksearch.c, src/sfutil/sfksearch.h,
      src/sfutil/sflsq.c, src/sfutil/sflsq.h, src/sfutil/sfmemcap.c,
      src/sfutil/sfmemcap.h, src/sfutil/sfportobject.c,
      src/sfutil/sfportobject.h, src/sfutil/sfprimetable.c,
      src/sfutil/sfprimetable.h, src/sfutil/sfrf.c, src/sfutil/sfrf.h,
      src/sfutil/sfrim.c, src/sfutil/sfrt.c, src/sfutil/sfrt.h,
      src/sfutil/sfrt_dir.c, src/sfutil/sfrt_dir.h,
      src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h,
      src/sfutil/sfrt_flat_dir.c, src/sfutil/sfrt_flat_dir.h,
      src/sfutil/sfrt_lctrie.c, src/sfutil/sfrt_lctrie.h,
      src/sfutil/sfrt_trie.h, src/sfutil/sfsnprintfappend.c,
      src/sfutil/sfsnprintfappend.h, src/sfutil/sfthd.c,
      src/sfutil/sfthd.h, src/sfutil/sfxhash.c, src/sfutil/sfxhash.h,
      src/sfutil/strvec.c, src/sfutil/strvec.h,
      src/sfutil/util_jsnorm.c, src/sfutil/util_jsnorm.h,
      src/sfutil/util_math.c, src/sfutil/util_math.h,
      src/sfutil/util_net.c, src/sfutil/util_net.h,
      src/sfutil/util_str.c, src/sfutil/util_str.h,
      src/sfutil/util_unfold.c, src/sfutil/util_unfold.h,
      src/sfutil/util_utf.c, src/sfutil/util_utf.h,
      src/sfutil/test/sf_ip_test.c, src/sfutil/test/sfrf_test.c,
      src/sfutil/test/sfrt_test.c, src/sfutil/test/sfthd_test.c,
      src/sfutil/test/unit_hacks.c, src/sfutil/test/unit_hacks.h,
      src/target-based/sf_attribute_table.y,
      src/target-based/sftarget_hostentry.c,
      src/target-based/sftarget_hostentry.h,
      src/target-based/sftarget_protocol_reference.c,
      src/target-based/sftarget_protocol_reference.h,
      src/target-based/sftarget_reader.c,
      src/target-based/sftarget_reader.h,
      src/win32/WIN32-Code/getopt.c, src/win32/WIN32-Code/inet_aton.c,
      src/win32/WIN32-Code/misc.c, src/win32/WIN32-Code/name.h,
      src/win32/WIN32-Code/win32_service.c,
      src/win32/WIN32-Includes/config.h,
      src/win32/WIN32-Includes/getopt.h,
      src/win32/WIN32-Includes/inttypes.h,
      src/win32/WIN32-Includes/stdint.h,
      src/win32/WIN32-Includes/WinPCAP/pthread.h,
      src/win32/WIN32-Includes/WinPCAP/sched.h,
      src/win32/WIN32-Includes/WinPCAP/semaphore.h,
      tools/control/sfcontrol.c, tools/u2boat/u2boat.c,
      tools/u2boat/u2boat.h, tools/u2spewfoo/u2spewfoo.c:
      Updated the address of the Free Software Foundation.

    * src/dynamic-preprocessors/dnp3/spp_dnp3.c:
      Check default config before dereferencing memcap.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      fix handling of gaps in PAF.

    * src/dynamic-preprocessors/smtp/: smtp_util.c, snort_smtp.c,
      snort_smtp.h:
      get individual file names for multiple file attachments within
      one smtp packet

    * src/dynamic-output/plugins/output_plugin.c:
      Don't change vlanId into network byte order in the dynamic output API.

    * src/dynamic-preprocessors/imap/: snort_imap.c, snort_imap.h:
      Add a flag to indicate end of MIME to avoid incorrect data end marker

    * src/sfutil/sf_email_attach_decode.h:
      change decode length calculation when file depth is larger than max int

    * src/: preprocessors/HttpInspect/include/hi_paf.h,
      sfutil/sf_email_attach_decode.h,
      preprocessors/HttpInspect/utils/hi_paf.c:
      auto enable http ports when file policy is enabled

    * src/sfutil/sfthd.c:
      Global thresholds can be disabled with count -1.

    * src/sfutil/sfthd.c:
      allow gen_id 0 sig_id 0 and gen_id X sig_id 0 together

    * src/: decode.h, preprocessors/snort_httpinspect.c:
      file data is only valid with PAF processing

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      don't flag missing packets when PAF flushing to allow better recovery
      from gaps

    * src/dynamic-preprocessors/: smtp/smtp_config.c,
      imap/imap_config.c, imap/spp_imap.c, pop/pop_config.c,
      pop/spp_pop.c:
      Enable file data configurations for preprocessors when file processing
      is enabled

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      fixed check for hole in seglist while PAF scanning

    * src/: snort.c, dynamic-examples/Makefile.am,
      dynamic-plugins/Makefile.am, dynamic-preprocessors/Makefile.am,
      dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
      preprocessors/spp_stream5.c, target-based/Makefile.am,
      target-based/sftarget_reader.c, target-based/sftarget_reader.h:
      Add an API call to add a service to a host in the attribute table.
      Remove the unused live attribute table code.

    * doc/README.ppm, doc/snort_manual.tex, etc/gen-msg.map,
      preproc_rules/preprocessor.rules, src/detect.c, src/generators.h,
      src/parser.c, src/ppm.c, src/ppm.h:
      added 134:3 and IPs and ports to log messages for PPM packet events

    * src/snort.c:
      force drop TCP/UDP now gets DAQ blacklist instead of DAQ block verdict

    * doc/README.stream5, etc/gen-msg.map,
      preproc_rules/preprocessor.rules, src/generators.h,
      src/preprocessors/Stream5/snort_stream5_tcp.c:
      add 129:20 for midstream traffic we don't pick up.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      fix normalize_tcp to not block duplicate SYNs

    * src/parser.c, src/snort.c, src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h, src/snort.h,
      src/dynamic-preprocessors/smtp/smtp_config.h,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/imap/imap_config.h,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/imap/spp_imap.c,
      src/dynamic-preprocessors/pop/pop_config.h,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/pop/spp_pop.c,
      src/sfutil/sf_email_attach_decode.h,
      src/preprocessors/HttpInspect/include/hi_ui_config.h,
      configure.in, src/detection-plugins/sp_file_data.c:
      file_depth integration, openssl integration, reload configuration

    * src/dynamic-preprocessors/: libs/ssl.c, libs/ssl.h,
      ssl/spp_ssl.c:
      Add SSLv3/TLS backwards compatibiltiy with SSLv2 ClientHello in the
      ssl preprocessor.

    * src/: preprocessors/snort_httpinspect.c,
      src/dynamic-preprocessors/: imap/snort_imap.c, pop/snort_pop.c,
      smtp/snort_smtp.c:
      add file type id support for HTTP post, smtp, imap, and pop

    * src/: snort_debug.h, control/sfcontrol.c,
      preprocessors/Stream5/snort_stream5_tcp.c:
      Do not delete application session data on last ACK.

    * src/output-plugins/spo_unified.c:
      Add deprecated warning for unified output plugin.

    * src/decode.h:
      Add support for decoding PPP type 0x57 (IPv6) for PPPoE

    * src/Makefile.am, src/generators.h, src/parser.c, src/parser.h,
      src/preprocids.h, src/snort.c, src/snort_debug.h, configure.in,
      src/dynamic-preprocessors/Makefile.am,
      src/preprocessors/snort_httpinspect.c,
      src/detection-plugins/sp_file_data.c,
      src/dynamic-examples/Makefile.am:
      add file type identification and file signature sha256 calculation
      for HTTP.

    * src/: util.c, dynamic-preprocessors/dcerpc2/spp_dce2.c,
      dynamic-preprocessors/dnp3/spp_dnp3.c,
      dynamic-preprocessors/dns/spp_dns.c,
      dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      dynamic-preprocessors/gtp/spp_gtp.c,
      dynamic-preprocessors/imap/spp_imap.c,
      dynamic-preprocessors/isakmp/spp_isakmp.c,
      dynamic-preprocessors/modbus/spp_modbus.c,
      dynamic-preprocessors/pop/spp_pop.c,
      dynamic-preprocessors/reputation/spp_reputation.c,
      dynamic-preprocessors/sip/spp_sip.c,
      dynamic-preprocessors/ssh/spp_ssh.c,
      dynamic-preprocessors/ssl/spp_ssl.c:
      Remove IPv6 tag from snort -V

    * configure.in, doc/README.ipv6, doc/README.unified2,
      doc/README.variables, doc/snort_manual.tex, src/decode.h,
      src/detect.c, src/detect.h, src/encode.c, src/fpdetect.c,
      src/ipv6_port.h, src/log.c, src/log_text.c, src/parser.c,
      src/sf_protocols.h, src/snort.c, src/snort.h, src/tag.c,
      src/util.c, src/util.h, src/detection-plugins/sp_ftpbounce.c,
      src/detection-plugins/sp_icmp_id_check.c,
      src/detection-plugins/sp_icmp_seq_check.c,
      src/detection-plugins/sp_ip_same_check.c,
      src/detection-plugins/sp_session.c,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/dynamic-preprocessors/dynamic_preprocessors.dsp,
      src/dynamic-preprocessors/dcerpc2/dce2_config.c,
      src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
      src/dynamic-preprocessors/dnp3/sf_dnp3.dsp,
      src/dynamic-preprocessors/dnp3/spp_dnp3.c,
      src/dynamic-preprocessors/dns/sf_dns.dsp,
      src/dynamic-preprocessors/dns/spp_dns.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_si.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c,
      src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c,
      src/dynamic-preprocessors/ftptelnet/pp_ftp.c,
      src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c,
      src/dynamic-preprocessors/gtp/sf_gtp.dsp,
      src/dynamic-preprocessors/gtp/spp_gtp.c,
      src/dynamic-preprocessors/imap/sf_imap.dsp,
      src/dynamic-preprocessors/imap/spp_imap.c,
      src/dynamic-preprocessors/isakmp/spp_isakmp.c,
      src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp,
      src/dynamic-preprocessors/modbus/sf_modbus.dsp,
      src/dynamic-preprocessors/modbus/spp_modbus.c,
      src/dynamic-preprocessors/pop/sf_pop.dsp,
      src/dynamic-preprocessors/pop/spp_pop.c,
      src/dynamic-preprocessors/reputation/sf_reputation.dsp,
      src/dynamic-preprocessors/reputation/spp_reputation.c,
      src/dynamic-preprocessors/sdf/sf_sdf.dsp,
      src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
      src/dynamic-preprocessors/sip/sf_sip.dsp,
      src/dynamic-preprocessors/sip/sip_dialog.c,
      src/dynamic-preprocessors/sip/spp_sip.c,
      src/dynamic-preprocessors/smtp/sf_smtp.dsp,
      src/dynamic-preprocessors/ssh/sf_ssh.dsp,
      src/dynamic-preprocessors/ssh/spp_ssh.c,
      src/dynamic-preprocessors/ssl/sf_ssl.dsp,
      src/dynamic-preprocessors/ssl/spp_ssl.c,
      src/output-plugins/spo_alert_sf_socket.c,
      src/output-plugins/spo_log_ascii.c,
      src/output-plugins/spo_unified2.c, src/parser/IpAddrSet.c,
      src/parser/IpAddrSet.h, src/preprocessors/normalize.c,
      src/preprocessors/perf-base.c, src/preprocessors/perf-base.h,
      src/preprocessors/perf-flow.c, src/preprocessors/portscan.c,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/spp_arpspoof.c, src/preprocessors/spp_frag3.c,
      src/preprocessors/spp_normalize.c,
      src/preprocessors/spp_normalize.h,
      src/preprocessors/spp_sfportscan.c,
      src/preprocessors/spp_stream5.c,
      src/preprocessors/stream_expect.c,
      src/preprocessors/HttpInspect/session_inspection/hi_si.c,
      src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c,
      src/preprocessors/Stream5/snort_stream5_icmp.c,
      src/preprocessors/Stream5/snort_stream5_session.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c,
      src/preprocessors/Stream5/snort_stream5_udp.c,
      src/preprocessors/Stream5/stream5_common.c,
      src/preprocessors/Stream5/stream5_common.h, src/sfutil/ipobj.c,
      src/sfutil/ipobj.h, src/sfutil/sfPolicy.c, src/sfutil/sf_ip.h,
      src/sfutil/sf_iph.h, src/sfutil/sf_ipvar.h, src/sfutil/sfrf.c,
      src/sfutil/sfrt.c, src/sfutil/sfrt.h, src/sfutil/sfrt_dir.c,
      src/sfutil/sfrt_flat.c, src/sfutil/sfrt_flat.h,
      src/sfutil/sfrt_flat_dir.c, src/sfutil/sfthd.c,
      src/sfutil/util_net.c, src/sfutil/util_net.h,
      src/sfutil/test/Makefile.am, src/sfutil/test/sfrf_test.c,
      src/sfutil/test/sfthd_test.c, src/sfutil/test/unit_hacks.c,
      src/sfutil/test/unit_hacks.h,
      src/target-based/sf_attribute_table.y,
      src/target-based/sftarget_reader.c,
      src/target-based/sftarget_reader.h,
      src/win32/WIN32-Prj/build_all.dsp,
      src/win32/WIN32-Prj/sf_engine.dsp,
      src/win32/WIN32-Prj/sf_engine_initialize.dsp,
      src/win32/WIN32-Prj/snort.dsp,
      src/win32/WIN32-Prj/snort_initialize.dsp,
      src/win32/WIN32-Prj/snort_installer.nsi:
      Remove IPv4 only code paths

2012-07-30 Hui Cao <hcao@sourcefire.com>
Snort 2.9.3.1
    * src/build.h:
      Updated build number to 40

    * src/sfutil/acsmx2.c:
      Release memory during return.

    * src/dynamic-preprocessors/sip/sip_config.c:
      Free method struct when method->methodName is NULL.

    * src/: detection-plugins/detection_options.c,
      detection-plugins/sp_byte_check.c,
      detection-plugins/sp_byte_extract.c,
      detection-plugins/sp_byte_jump.c, dynamic-plugins/sp_dynamic.c,
      dynamic-plugins/sp_preprocopt.c:
      Fix constant expression in hashing routines for 64bit platforms.

    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
      Fix Samba chained OpenAndX -> Write command handling. 

    * src/active.c:
      Check for TCP RST flag regardless of other flags to block resetting
      resets.

    * src/: active.c, decode.c, detection-plugins/sp_pcre.c,
      dynamic-plugins/sf_convert_dynamic.c,
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      dynamic-plugins/sp_dynamic.c,
      dynamic-preprocessors/dnp3/dnp3_map.c,
      dynamic-preprocessors/reputation/reputation_config.c,
      dynamic-preprocessors/sdf/spp_sdf.c,
      dynamic-preprocessors/sip/sip_config.c,
      dynamic-preprocessors/sip/sip_roptions.c,
      dynamic-preprocessors/smtp/spp_smtp.c,
      output-plugins/spo_alert_unixsock.c,
      preprocessors/spp_httpinspect.c, preprocessors/spp_perfmonitor.c,
      preprocessors/HttpInspect/client/hi_client.c,
      preprocessors/HttpInspect/server/hi_server.c,
      sfutil/bnfa_search.c, sfutil/sf_iph.c,
      target-based/sf_attribute_table_parser.l:
       Parse time memory cleanup

    * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
       Fixed issue on big endian systems where behaviour was incorrect.

2012-07-10 Todd Wease <twease@sourcefire.com>
Snort 2.9.3

    * src/build.h:
      Updated build number to 37

    * src/preprocessors/HttpInspect/server/hi_server.c:
      When paf is turned on, the flow depth on raw packets should be checking
      if max_seq was set.

    * src/preprocessors/HttpInspect/client/hi_client.c:
      Rearranged check in hi_client_extract_header() to stop processing when
      there is no more data.

    * src/dynamic-preprocessors/smtp/: smtp_util.c, snort_smtp.c:
      Clear flags for filename logging if there are no ending quotes for MIME
      attachement filename.  Thanks to Rick Chisholm for helping us track down
      the issue.

    * doc/CREDITS:
      Update rmkml's email address.

    * src/preprocessors/: snort_httpinspect.h, HttpInspect/server/hi_server.c:
      Fix application of flow_depth for transfers of files over 2GB.

2012-06-06 Russ Combs <rcombs@sourcefire.com>
Snort 2.9.3 RC

    * src/build.h: updating build number to 33

    * src/: checksum.h, decode.c, encode.c:

      Dropped dnets checksumming functionality.

    * src/: decode.h, encode.c,
      dynamic-plugins/sf_engine/sf_snort_packet.h:

      Remove unused policyEngineData.

    * src/preprocessors/: Stream5/snort_stream5_tcp.c,
      HttpInspect/utils/hi_paf.c:

      Need to check for NULL since a timeout can release proto specific
      data.

      Fix mid-stream pickup sequence tracking.

    * src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h,
      HttpInspect/server/hi_server.c:

      Apply server flow depth to session when PAF is turned on.

    * src/preprocessors/Stream5/: snort_stream5_session.c,
      stream5_common.h:

      Change SessionKey to a SessionKey pointer.

    * src/dynamic-output/plugins/: output_lib.h, output_plugin.c:

      Add dynamic output API for DAQ interface mode.

    * src/: dynamic-output/plugins/output_base.c, plugbase.c,
      spo_plugbase.h:

      Remove older output plugin when new one is available.

    * src/dynamic-plugins/: sf_dynamic_plugins.c,
      sf_engine/sf_snort_detection_engine.c:

      Force exact versioning match of running dynamic engine and dynamic
      engine used to build SO rules.

    * src/: sfdaq.c, sfdaq.h, dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h:

      Add API for checking whether DAQ can whitelist.

    * src/: parser.c, parser.h, snort.c:

      Added config disable-attribute-reload-thread to snort.conf.

      Snort now provides snort.conf(line #) on errors durring parsing.

    * src/: parser.c, detection-plugins/sp_pattern_match.c,
      detection-plugins/sp_pattern_match.h:

      Warn users when rules contain relative options off of
      fast_pattern:only content matches.

    * src/dynamic-preprocessors/sdf/spp_sdf.c:

      SDF now only looks at rebuilt packets.

    * src/control/sfcontrol.c,
      src/dynamic-preprocessors/reputation/reputation_config.c,
      src/dynamic-preprocessors/reputation/reputation_config.h,
      src/dynamic-preprocessors/reputation/spp_reputation.c,
      src/dynamic-preprocessors/reputation/spp_reputation.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
      tools/control/sfcontrol.c:

      Add ability to query reputation pp with control socket.

      User can now query reputation pp for routing table and management
      information.

      Fixed bug to prevent IP Reputation from trying to allocate too much
      memory.

    * doc/: Makefile.am, README.unified2, snort_manual.tex:

      Add README.unified2 to Makefile.am.

      Add documentation for unified2 file format.

      Add smb_fingerprint_policy documentation to snort manual.

    * src/preprocessors/Stream5/stream5_paf.c:

      Ensure PAF is configured on reload the same as it was on restart.

    * src/preprocessors/spp_stream5.c:

      Fix stream5 issue on reload were it wasn't validating or registering
      preprocessor function when new policy is added.

    * configure.in, doc/INSTALL, doc/README.decoder_preproc_rules,
      doc/snort_manual.pdf, doc/snort_manual.tex, etc/snort.conf,
      rpm/snort.spec, src/event_queue.c, src/event_queue.h,
      src/event_wrapper.c, src/fpcreate.c, src/fpcreate.h,
      src/fpdetect.c, src/fpdetect.h, src/parser.c, src/parser.h,
      src/ppm.c, src/signature.h, src/snort.h,
      src/detection-plugins/detection_options.c,
      src/detection-plugins/detection_options.h,
      src/preprocessors/spp_frag3.c, src/sfutil/sfeventq.c,
      src/sfutil/sfeventq.h, src/win32/WIN32-Prj/snort.dsp:

      Removed --enable-decoder-preprocessor-rules configure option and
      hardened preprocessor and decoder rule event code.  To enable old
      behavior such that specific preprocessor and decoder rules don't
      have to be explicity added to snort.conf, add "config
      autogenerate_preprocessor_decoder_rules" to your snort.conf.

    * src/: profiler.h, dynamic-output/plugins/output_lib.h,
      dynamic-plugins/sf_dynamic_preprocessor.h, sfutil/sfPolicy.h,
      sfutil/sf_ip.h:

      Added a function, sfip_fast_equals_raw, that does the minimum needed
      to determine if 2 IPs are equal.  Added profiler macros that allow for
      unique variable names.  Moved GetPolicyFunc definition to sfPolicy.h.

    * src/: snort.c, detection-plugins/sp_flowbits.c,
      detection-plugins/sp_flowbits.h, dynamic-plugins/sp_dynamic.c:

      Fix flowbit group toggle.

      Fix issue with SO rules that reuse a flowbits structure when all
      stubs aren't enabled.

    * src/dynamic-preprocessors/smtp/: smtp_config.c, snort_smtp.c,
      snort_smtp.h, spp_smtp.c:

      SMTP PP now only allocates its mempools 1 time.

      Fix build on legacy systems that don't support c99 declarations.

      Fix memory leak on reload.

    * src/: detect.c, ppm.c:

      Fix PPM when PPM rules are dynamically generated and there are
      multiple policies.

2012-04-26 Russ Combs <rcombs@sourcefire.com>
Snort 2.9.3 Beta

    * src/build.h:

      Updating build number to 22.

    * src/: snort.c, control/sfcontrol.c:

      Stop daq before tearing down control socket and freeing idle
      processors.

    * src/control/sfcontrol.c, src/control/sfcontrol.h,
      tools/control/sfcontrol.c:

      - Return the correct codes with responses.
      - Use macros to define the codes.
      - Update the client to receive multiple status (0x0009) messages
        followed by a success or error message.

    * doc/snort_manual.tex,
      src/preprocessors/Stream5/snort_stream5_session.c,
      src/preprocessors/Stream5/stream5_common.h,
      src/preprocessors/spp_stream5.c,
      src/detection-plugins/sp_flowbits.c,
      src/detection-plugins/sp_flowbits.h, src/parser.c, src/snort.h:

      - Flowbits can belong to multiple groups.
      - Restrict the syntax of flowbit name and group names to alphanumeric
        string including periods, dashes, and underscores.
      - Changed the maximal flowbit size to be 2048.
      - Changes the error syntax when maximum number of flowbit ID
        exceeds allowed value.
      - Thanks to Cees <celzinga@gmail.com> for providing information about
        the size bug.

    * src/: preprocessors/spp_stream5.c, preprocessors/stream_api.h,
      dynamic-preprocessors/sip/sip_dialog.c:

      Ignore sessions already started through updated stream API. 

    * src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h,
      tools/u2spewfoo/u2spewfoo.c:

      - Remove *_NG logging from Unified2.
      - Snort unified2 doesn't log to *_NG formats anymore.

    * src/tag.c:

      Fix compiler warning on FreeBSD in mis-matched format string.

    * src/preprocessors/spp_arpspoof.c:

      - Fix handling when arpspoof_detect_host was set without arpspoof.
      - Fix compiler warnings on FreeBSD by utilizing modern ip6 code.
      - Verify snort works correctly, and doesn't cause warnings on
        FreeBSD.

    * src/: detection-plugins/Makefile.am,
      dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:

      Remove unnecessary cruft.

    * src/output-plugins/spo_alert_unixsock.c:

      Don't rely on UNIX_PATH_MAX value being 108.

    * src/: active.c, encode.c, encode.h:

      Force drop/resets resulting in ICMP unreachables will have the
      code for administratively prohibited while ips ICMP unreachables
      remain port unreachable.

    * src/dynamic-output/: dynamic_output.dsp Makefile.am,
      src/dynamic-output/libs: Makefile.am output_lib.c snort_output.pc.in,
      src/dynamic-output/plugins: Makefile.am output_api.h output_base.c,
      output_common.h output.h output_lib.h output_plugin.c

      Added dynamic output plugin support.

    * configure.in, snort.8, contrib/Makefile.am, contrib/README,
      contrib/create_mssql, contrib/create_mysql,
      contrib/create_oracle.sql, contrib/create_postgresql,
      contrib/mysql.php3, contrib/pgsql.php3, contrib/snortdb-extra.gz,
      doc/INSTALL, doc/Makefile.am, doc/README.ARUBA,
      doc/README.database, doc/faq.tex, doc/snort_manual.tex,
      etc/snort.conf, m4/Makefile.am, m4/libprelude.m4, rpm/snort.spec,
      src/plugbase.c, src/snort.c, src/snort.h,
      src/output-plugins/Makefile.am,
      src/plugins/output_base.c, plugins/output_lib.h,
      src/plugins/output_plugin.c,
      src/output-plugins/spo_alert_arubaaction.c,
      src/output-plugins/spo_alert_arubaaction.h,
      src/output-plugins/spo_alert_prelude.c,
      src/output-plugins/spo_alert_prelude.h,
      src/output-plugins/spo_database.c,
      src/output-plugins/spo_database.h,
      src/win32/Makefile.am,
      src/win32/WIN32-Prj/snort_installer.nsi,
      win32/WIN32-Prj/snort.dsp, win32/WIN32-Prj/snort.dsw:
      win32/WIN32-Prj/snort_installer.nsi,
      win32/WIN32-Prj/snort_installer_options.ini:

      Remove deprecated output plugins aruba, prelude, mysql, oracle and
      mssql from Snort. 

    * src/detection-plugins/sp_flowbits.c,
      src/detection-plugins/sp_flowbits.h,
      src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
      src/snort_debug.h, src/dynamic-plugins/sf_convert_dynamic.c,
      src/dynamic-plugins/sf_dynamic_engine.h,
      src/dynamic-plugins/sp_dynamic.c,
      src/dynamic-plugins/sp_dynamic.h, doc/README.flowbits,
      doc/snort_manual.tex, doc/snort_manual.pdf:

      Flowbit OR feature.  Fixed the so_rules check issue and also the so stub
      file generated.

    * doc/README.SMTP, doc/README.imap, doc/README.pop,
      doc/snort_manual.tex, etc/gen-msg.map,
      src/dynamic-preprocessors/imap/imap_config.c,
      src/dynamic-preprocessors/imap/imap_log.h,
      src/dynamic-preprocessors/imap/imap_util.c,
      src/dynamic-preprocessors/imap/imap_util.h,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/pop/pop_config.c,
      src/dynamic-preprocessors/pop/pop_log.h,
      src/dynamic-preprocessors/pop/pop_util.c,
      src/dynamic-preprocessors/pop/pop_util.h,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/smtp/smtp_config.c,
      src/dynamic-preprocessors/smtp/smtp_log.h,
      src/dynamic-preprocessors/smtp/smtp_util.c,
      src/dynamic-preprocessors/smtp/smtp_util.h,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/smtp/spp_smtp.c:

      - SMTP/IMAP/POP will now extract non-encoded attachments when
        content-type MIME headers are present.
      - SMTP will not decode when ignore_data is present.
      - Content-Transfer-Encoding should take precendence over
        Content-Type.
      - Content-type should first check if boundary in non MIME header
        state.
      - Fix SMTP stat msg.

    * doc/README.http_inspect, doc/faq.pdf, doc/snort_manual.pdf,
      doc/snort_manual.tex, src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h,
      src/preprocessors/spp_httpinspect.c,
      src/preprocessors/HttpInspect/server/hi_server.c:

      Update http_inspect decompression to not allocate compress/decompress
      buffers per session.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c:

      - Fix the handling of % encoded ?.  HI no longer treats % encoded
        ? as start of query string.

    * src/preprocessors/HttpInspect/: include/hi_paf.h, utils/hi_paf.c:

      Provide access method for HI main to handle simple responses.

    * src/preprocessors/HttpInspect/: server/hi_server.c,
      client/hi_client.c:

      - Fix extraction of Transfer-Encoding header.
      - Handle chunk extensions when de-chunking.
      - Fix handling of packets beyond flow depth when PAF is turned on.
      - Add code to handle simple responses and not generate false
        positive.

    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:

      Frag related fixes:

      - Check ip6 extension order on frags, including inner on first frag.
      - Added 116:458 for no offset and no more.
      - Added 116:459 for frag w/o data.

    * src/: decode.c, decode.h:

      - Properly decode pflog version 4.
      - Salutations to Ryan McBride for the pflog v4 patch. 

    * src/dynamic-preprocessors/sip/sip_parser.c:

      Add compact form support of VIA header to SIP.

    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:

      Don't presume 3 bytes of junk in a telnet stream is encryption
      unless midstream pickup.

    * src/: fpdetect.c, pcrm.c, pcrm.h:

      Process any->any rules even when a service matches in the attribute
      table

    * src/preprocessors/spp_frag3.c:

      - Drop bad fragments BEFORE inserting them into tracker.
      - Ensure that all fragments are dropped in inline mode when the
        first fragment is bad.

    * src/target-based/sftarget_reader_live.c:

      - Initialize the value of ret and fix some obscure formatting.
      - Thanks to William Parker for notifying us.

    * src/: debug.c, snort.c:

      Fix placement of int error to avoid warning.

    * doc/README.dcerpc2, doc/faq.pdf, doc/snort_manual.pdf,
      doc/snort_manual.tex, etc/gen-msg.map,
      preproc_rules/preprocessor.rules, src/generators.h,
      src/dynamic-preprocessors/Makefile.am,
      src/dynamic-preprocessors/dcerpc2/dce2_cl.c,
      src/dynamic-preprocessors/dcerpc2/dce2_co.c,
      src/dynamic-preprocessors/dcerpc2/dce2_co.h,
      src/dynamic-preprocessors/dcerpc2/dce2_config.c,
      src/dynamic-preprocessors/dcerpc2/dce2_config.h,
      src/dynamic-preprocessors/dcerpc2/dce2_debug.h,
      src/dynamic-preprocessors/dcerpc2/dce2_event.c,
      src/dynamic-preprocessors/dcerpc2/dce2_event.h,
      src/dynamic-preprocessors/dcerpc2/dce2_http.c,
      src/dynamic-preprocessors/dcerpc2/dce2_list.c,
      src/dynamic-preprocessors/dcerpc2/dce2_list.h,
      src/dynamic-preprocessors/dcerpc2/dce2_memory.c,
      src/dynamic-preprocessors/dcerpc2/dce2_memory.h,
      src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
      src/dynamic-preprocessors/dcerpc2/dce2_roptions.c,
      src/dynamic-preprocessors/dcerpc2/dce2_session.h,
      src/dynamic-preprocessors/dcerpc2/dce2_smb.c,
      src/dynamic-preprocessors/dcerpc2/dce2_smb.h,
      src/dynamic-preprocessors/dcerpc2/dce2_stats.h,
      src/dynamic-preprocessors/dcerpc2/dce2_tcp.c,
      src/dynamic-preprocessors/dcerpc2/dce2_tcp.h,
      src/dynamic-preprocessors/dcerpc2/dce2_udp.c,
      src/dynamic-preprocessors/dcerpc2/dce2_utils.c,
      src/dynamic-preprocessors/dcerpc2/dce2_utils.h,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.c,
      src/dynamic-preprocessors/dcerpc2/snort_dce2.h,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.c,
      src/dynamic-preprocessors/dcerpc2/spp_dce2.h,
      src/dynamic-preprocessors/dcerpc2/includes/smb.h,
      src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
      src/sfutil/Makefile.am, src/sfutil/sf_seqnums.h,
      src/win32/WIN32-Prj/snort.dsp:

      Update SMB request/response handling to handle server to client
      evasions where SMB header values aren't echoed in response.
 
      - Add support for SMB_COM_WRITE_ANDX "raw" mode.
      - Add support for additional commands for opening, reading from and
        writing to SMB named pipes
      - Update handling of SMB_COM_WRITE_RAW.
      - Add global configuration option for determining Windows/Samba policy
        on a per session basis and new preprocessor events.
      - Add tracking of named pipe state - byte or message mode.
      - Update SMB_COM_TRANSACTION handling to better support out of order
        displacements and parameters.
      - Updates to SMB ByteCount, data offset and data length handling.
      - Update for Transaction error, where Samba throws out transaction
        on error and correct data offset passed in to function.
      - Don't set dcerpc2 rule options and stop processing dcerpc data
        when server response indicates encrypted packet privacy.
      - Fix dcerpc2 PAF when target based is enabled to not abort if
        protocol undefined.
      - Added processing of chained SMB_COM_WRITE_ANDXs for Samba policies. 

    * src/preprocessors/Stream5/snort_stream5_tcp.c:

      - Correctly log TCP segments to unified2 when there are multiple alerts on
        the same reassembled packet.
      - Purge after flush at session shutdown to avoid reprocessing it when the
        cache is freed causing strange dce2 alerts.

    * configure.in:

      If pkg-config macros do not exist then configure script would be
      invalid. If it does not exist define a macro that does nothing and
      continue.

    * configure.in, src/debug.c, src/decode.c, src/log.c, src/parser.c,
      src/snort_debug.h, src/util.c,
      src/dynamic-preprocessors/dnp3/spp_dnp3.c,
      src/dynamic-preprocessors/libs/ssl.c,
      src/dynamic-preprocessors/modbus/spp_modbus.c,
      src/sfutil/sf_ip.c,
      src/sfutil/sf_ip.h, tools/u2boat/u2boat.c,
      tools/u2spewfoo/u2spewfoo.c:

      Fix compilation warnings.

    * src/snort.c:

      Check return of DAQ_Acquire in failopen thread see description.

    * src/dynamic-preprocessors/reputation/shmem/: shmem_config.h,
      shmem_mgmt.c, shmem_mgmt.h,
      src/sfutil/sfrt_flat_dir.c:

      - Disable timeout for shared memory readers.
      - Readers and writer updates their own active flags.
      - Update the entry value along with length update.

    * src/Makefile.am, src/decode.h, src/parser.c, src/parser.h,
      src/snort.c, src/snort.h,
      src/dynamic-preprocessors/reputation/reputation_config.c,
      src/dynamic-preprocessors/reputation/reputation_config.h,
      src/dynamic-preprocessors/reputation/spp_reputation.c,
      src/dynamic-preprocessors/reputation/spp_reputation.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
      src/dynamic-output/libs/Makefile.am,
      src/dynamic-output/libs/output_lib.c, configure.in,
      src/sfutil/sfrt.h, src/sfutil/sfrt_flat.c,
      src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c,
      src/sfutil/sfrt_flat_dir.h,
      src/dynamic-plugins/sf_dynamic_plugins.c,
      src/dynamic-plugins/sf_dynamic_preprocessor.h,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      doc/: README.reputation, snort_manual.pdf, snort_manual.tex:

      - Reputation preprocessor updates to support zones and handle
        ingress/egress groups and zone zero.
      - Enforce default policy for reputation preprocessor.
      - Check for NULL when servicing the shared memory.
      - Update documents for white action configuration, manifest file
        for reputation Preprocessor.

    * rpm/snort.spec:

      Remove all of the dead cruft from snort.spec.

    * src/parser.c:

      Fix a parsing memory leak scenario by freeing the tokens on failure.

    * preproc_rules/decoder.rules:

      Update decoder rules to have more accurate names.  Same alert,
      new name.

    * src/output-plugins/spo_unified2.c:

      Set would drop when interface not inline.

    * src/: dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      sfutil/sf_email_attach_decode.c, sfutil/sf_email_attach_decode.h,
      doc/: README.SMTP, README.imap, README.pop, snort_manual.tex:

      SMTP/POP/IMAP decoding changes:
 
      - Change the memory allocation for decoding. Allocate only when we see
        attachments.  Do not allocate at the beginning of the session.
      - Apply the decoding depths to attachments instead of all attachments in
        a session.
      - Alert when decoding fails and not when decoding depths are exceeded.
      - Reset decode bytes read only after processing the entire attachment.
        Attachments can span multiple packets.

2012-3-17 Steven Sturges <ssturges@sourcefire.com>
Snort 2.9.2.2
    * src/build.h:
        Updated to build 121.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
        Fix HTTP URI normalization when URI has more than 2k slashes. 

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Fixed split fin-ack tracking and flush/free app data on reset
        when listener is in fin-wait-1, fin-wait-2, or closing state.

    * src/: encode.c, encode.h, snort.c, snort.h,
        Fix generation of response packets on fragmented IPv6 packet
        by using the frag reassembled packet to encode.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Fix logical byte count and remove unreachable code

    * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
        Update to handle IPv6 traffic for processing of IP header
        options within .so rules.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Expand slam threshold to <= 4 and fix for non-reassembled
        sessions.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Check seq within window relative to window base.

    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
        Fix flow flags for single segment PDUs from PAF. 

    * doc/: faq.pdf, faq.tex, snort_manual.pdf, snort_manual.tex:
        Remove references to deprecated servers.

    * src/dynamic-preprocessors/sip/sip_parser.c:
        Unknown method alert is generated only after verifying the
        packet is SIP. Don't generate alerts for a. multiple SIP
        messages within one UDP packet (140:17) and b. mismatched
        content length (140:18) simultaneously.

    * doc/: INSTALL, snort_manual.pdf, snort_manual.tex:
        Updates to the manual to fix formatting, clarify detection_filter,
        and remove obsolete configure options. Thanks to Larry Hughes,
        Eoin Miller, Beenph and Joshua Kinard for reading it!

    * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
      src/dynamic-preprocessors/sip/sip_config.c,
      src/dynamic-preprocessors/sip/sip_config.h,
      src/dynamic-preprocessors/sip/sip_dialog.c,
      src/dynamic-preprocessors/sip/sip_dialog.h,
      src/dynamic-preprocessors/sip/spp_sip.c,
      src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
        Limit number of dialogs within a stream session.  Thanks
        to Filip Valder for providing the information. 

    * src/active.c:
        Allow repeated responses to non-TCP/UDP traffic.

    * src/: sfdaq.c, sfdaq.h, output-plugins/spo_unified2.c:
        Correctly log blocked flag in unified2 events when an interface
        is passive. 

    * doc/: README.filters, snort_manual.pdf, snort_manual.tex:
        Update README & manual to document -1 as acceptable value for
        event_filter.

    * src/: snort.c:
        Add stats output to dirty pig shutdown.

    * src/: preprocessors/Stream5/stream5_common.c:
        Update initialization for stream_ip.

    * doc/snort_manual.pdf, src/byte_extract.c, src/util.h,
      src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
        Make byte extraction of strings only allow for positive values.
 
    * src/preprocessors/HttpInspect/client/hi_client.c:
        Check for paf_max before marking a packet as request body.

    * doc/: README.SMTP, snort_manual.pdf, snort_manual.tex,
      preproc_rules/preprocessor.rules, src/generators.h,
      src/dynamic-preprocessors/smtp/smtp_config.h,
      src/dynamic-preprocessors/smtp/smtp_util.c,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/smtp/spp_smtp.c:
        Added SMTP preproc shutdown stats.  Remove the decoding memcap
        exceeded alert and displaying this info instead. 

    * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c,
      spp_ftptelnet.c:
        Update parsing for ftptelnet config.

    * src/dynamic-preprocessors/modbus/spp_modbus.c:
        Update to free the modbus session data.

    * src/: snort_bounds.h,
      preprocessors/HttpInspect/server/hi_server_norm.c:
        Update javascript normalization to call a safeboundsmemmove
        function when the src and dst buffers overlap.

    * src/preprocessors/HttpInspect/client/hi_client.c:
        Change the code to not look for POST data (while parsing method)
        when PAF is enabled and process request packets when the
        method is undefined.

    * src/dynamic-preprocessors/pop/: snort_pop.c, snort_pop.h:
        Decode data following +OK response without the octets string.

    * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
        Made macro in dcerpc2 preprocessor used for progressing through
        data more robust. 

    * src/preprocessors/: snort_httpinspect.h,
      HttpInspect/client/hi_client.c, HttpInspect/server/hi_server.c:
        Eliminate false positives (no content-length or transfer-encoding)
        when chunk size spans across multiple packets. Thanks to Daniel
        Dallmann for reporting the issue.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Update handling of retransmitted segments overlapping the
        window on the left

    * src/preprocessors/HttpInspect/server/hi_server.c:
        Set the file_data to the raw HTTP response body (de-chunked/
        normalized) when decompression fails due to false GZIP headers.
        Set the inspect_body flag after resetting the decompress_data
        flag to allow extraction of HTTP response body across packets
        when decompression fails entirely.  Thanks to Eoin Miller for
        reporting this issue. 

    * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex,
      src/preprocessors/: snort_httpinspect.c, snort_httpinspect.h:
        Remove the Max on the gzip memcap. Thanks to Eoin Miller for
        the request.

    * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_paf.c,
      dce2_session.h, dce2_smb.c, dce2_smb.h, snort_dce2.c,
      snort_dce2.h:
        State tracking improvements to SMB processing in the dcerpc2
        preprocessor when missing packets on a session.

    * tools/u2spewfoo/u2spewfoo.c:
        Tweaks to dump u2 files in the presence of certain errors.

    * src/encode.c:
        Fix overhead calculation to ensure sufficient buffer space for
        defragging a maximum length IP datagram regardless of encapsulations.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Fix false positives on 129:16.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Fix stream5 to not purge too early when normalizing streams.

    * src/decode.c:
        Remove redundant clearing of pointer in error case.  Thanks
        to Josh Kinard for pointing out the error.

    * src/preprocessors/spp_normalize.c:
        Change normalizer priority to ensure ahead of frag3 regardless
        of conf ordering.

    * src/detection-plugins/sp_react.c, doc/README.active,
      doc/snort_manual.pdf, doc/snort_manual.tex:
        Don't allow more than one % in a user-defined HTML page used
        for react rule options.  Thanks to Cleber S. Brandão for
        reporting the issue.

    * configure.in:
        Update configure script to correctly display 'Disable' help
        verbage for the --disable-xxx options.  Thanks to Kungu Panda for
        pointing it out. 

    * src/: plugbase.c, plugbase.h, snort.c,
      output-plugins/spo_alert_arubaaction.c,
      output-plugins/spo_alert_fast.c, output-plugins/spo_alert_full.c,
      output-plugins/spo_alert_prelude.c,
      output-plugins/spo_alert_syslog.c,
      output-plugins/spo_alert_test.c,
      output-plugins/spo_alert_unixsock.c, output-plugins/spo_csv.c,
      output-plugins/spo_database.c, output-plugins/spo_log_ascii.c,
      output-plugins/spo_log_null.c, output-plugins/spo_log_tcpdump.c,
      output-plugins/spo_unified.c, output-plugins/spo_unified2.c:
        Update unified2 output to rotate the unified2 file on reload. 

    * src/dynamic-preprocessors/smtp/smtp_util.c:
        Truncate the trailing end of the email id when the
        rcpt to or mail from addresses are too long.

    * doc/snort_manual.tex, doc/README.GTP, src/:
      dynamic-plugins/sf_dynamic_plugins.c, util.c, util.h:
        Throttle the so rules memcap error message.

2012-1-17 16:16  Hui Cao <hcao@sourcefire.com>
Snort 2.9.2.1
     All files: updated copyright to 2012

    * src/build.h: pdated build number to 107

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Fixed building when -DREG_TEST not used with --enable-debug. 
        Tweaked r_win_base initialization upon midstream pickup to work with tighter
        sequence number validation.
        Updated TCP session tracking to avoid requeuing retransmitted data
        Add tweaks for paf_max flushing of chunked http data

    * src/dynamic-preprocessors/reputation/shmem/: shmem_config.c,
      shmem_config.h, shmem_mgmt.c, shmem_mgmt.h:
        Avoided writer updating reader's zero segment pointer.
        Changed shared memory update timeout to a larger value.

    * src/generators.h,
      src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
      src/preprocessors/HttpInspect/include/hi_eo_events.h,
      src/preprocessors/HttpInspect/utils/hi_paf.c,
      doc/README.http_inspect, etc/gen-msg.map,
      preproc_rules/preprocessor.rules:
        Added an alert on http/0.9 simple requests (119:32)

    * preproc_rules/: decoder.rules, preprocessor.rules:
        Bump a few rule rev's that were out of sync w/ VRT

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Changed Warning -> WARNING
        Don't attempt to flush if the grinder failed when pruning a session

    * src/: preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/stream5_common.h, sfutil/test/unit_hacks.c:
         Auto-disable stream reassembly on paf abort if auto-enabled


    * src/: detection-plugins/sp_dsize_check.c,
      dynamic-preprocessors/dnp3/spp_dnp3.c,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/stream5_paf.c:
        Fixed handling PAF flushing anomalies but purging afflicted segments

    * src/sfutil/: sfrt_dir.c, sfrt_flat_dir.c, sfrt_flat_dir.h:
        Fixed the wrong value of calculating memory allocated.
        Changed sfrt length field from char to uint8_t

    * src/: decode.c, dynamic-preprocessors/gtp/gtp_parser.c:
        Added checking invalid extension header length for GTPv1

    * src/: preprocessors/stream_expect.c, profiler.h:
        Fixed some compiler warnings

    * src/: decode.c, dynamic-preprocessors/gtp/gtp_parser.c
        Added checking invalid extension header length

    * doc/: README.GTP, snort_manual.pdf, snort_manual.tex:
        Added a simple user case to the GTP document.

    * src/dynamic-preprocessors/modbus/modbus_decode.c:
        Fixed a couple errors in modbus request/response length checking.
 
    * etc/reference.config:
        Added 'msb' to reference.conf for Microsoft Bulletin url

    * src/detection-plugins/sp_flowbits.c:
        When same flowbit is defined both in default group and user specified group,
        that flowbit will be changed to specified group. 

    * src/dynamic-preprocessors/dnp3/: dnp3_paf.c, dnp3_reassembly.c,
      spp_dnp3.c, spp_dnp3.h:
        Added #define statements for several "magic numbers" in DNP3 code

    * src/dynamic-preprocessors/dnp3/dnp3_reassembly.c:
        Fixed a bug where the DNP3 preprocessor would generate alerts for "reserved
        function" on valid DNP3 functions. 

    * src/dynamic-preprocessors/dnp3/dnp3_roptions.c:
       Added parser errors for missing dnp3_func and dnp3_ind arguments. 

    * src/: generators.h, preprocessors/HttpInspect/client/hi_client.c,
      preprocessors/HttpInspect/event_output/hi_eo_log.c,
      preprocessors/HttpInspect/include/hi_eo_events.h:
        Added a preprocessor alert to alert when a HTTP method being parsed is not a GET
        or a POST or not defined by the user.

    * src/preprocessors/HttpInspect/: client/hi_client.c,
      server/hi_server.c:
       Added checking bounds before unfolding. 

    * Makefile.am, configure.in:
        Cleanup very dated rules files. 

    * src/: snort.c, win32/WIN32-Includes/stdint.h:
        Don't add handlers signal values that aren't supported on Windows.

    * src/dynamic-preprocessors/reputation/reputation_config.c:
        Corrected the variable name called to create IP talbe. 
 
2011-12-14 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.2
    * src/build.h: updating build number to 78

    * snort.8:
        Fixed spelling errors. Thanks to Neline van Ginkel for the report.

    * src/: snort.c, preprocessors/spp_perfmonitor.c:
        Perfmonitor "now" files are created after Snort drops privileges.

    * src/output-plugins/spo_unified2.c:
        Only log IPv6 extra data when the packet is IPv6.

    * src/preprocessors/HttpInspect/: server/hi_server.c, client/hi_client.c:
        Fixed unfolding of HTTP Headers across packet boundaries.
        Thanks to Jim Hranicky for reporting this issue on the RC build.

    * src/preprocessors/spp_httpinspect.c:
        HTTP Inspect should check for hi_swap_config in HttpInspectInit()
        only when snort is compiled with --enable-reload.
        Fixed build errors on Win32.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        When pruning a session, don't attempt to flush if the grinder
        failed to decode a TCP header.
        Thanks to Jim Hranicky for reporting this issue on the RC build.

2011-11-23 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.2 RC
    * src/build.h: updating build number to 75

    * src/preprocessors/spp_httpinspect.c:
        Fixed an issue with HTTP Inspect server conf reload
        (when the HTTP Inspect is turned on from off between a reload)

    * src/preprocessors/spp_stream5.c:
        Fixed a memory leak caused by initializing the expected channel
        more than once.

    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
        Fixed a segfault during dcerpc2 startup when stream5 is not enabled.

    * src/preprocessors/spp_normalize.c:
        Added support to turn normalization off or on during a Snort reload.

    * src/dynamic-preprocessors/modbus/spp_modbus.c:
        Moved the check for truncated PDUs past the port check, to avoid
        false positives.

    * src/sfutil/bitop_funcs.h:
        Fixed an error in the allocation of flowbit groups, where bytes
        were interpreted as bits.

    * src/detection-plugins/sp_flowbits.c:
        Fixed a flowbits issue where the "isset" operation failed when
        there was only a single flowbit in a group.
        Fixed the error message logged when the same flowbit is added
        to two groups.

    * src/ipv6_port.h:
    * src/: dynamic-preprocessors/gtp/gtp_parser.c,
      dynamic-preprocessors/gtp/gtp_roptions.c,
      dynamic-preprocessors/ftptelnet/pp_ftp.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/reputation/reputation_config.c,
      sfutil/segment_mem.c, encode.c:
        Compiler warning cleanup.

    * doc/: README.reload, snort_manual.pdf, snort_manual.tex:
        Updated the reload documentation to mention the caveat that exists
        with reload and fail-open in OpenBSD when Snort is run on primary
        network interface.

    * src/dynamic-preprocessors/dnp3/: dnp3_reassembly.c,
      dnp3_reassembly.h, dnp3_roptions.c, spp_dnp3.c:
        Added support for multiple DNP3 PDUs in a single DNP3 payload.
        Fixed an issue where the DNP3 preprocessor only identified the
        minimum reserved address, instead of all reserved addresses.

    * src/dynamic-preprocessors/dnp3/spp_dnp3.h:
        Updated an incorrect minimum DNP3 memcap to match the documented
        minimum of 4144 bytes.

    * src/output-plugins/spo_unified2.c:
        Snort will fatal error when the user configures the same filename
        for options "alert_unified2" and "log_unified2".

    * src/sfutil/: sfrt.c, sfrt.h, sfrt_dir.c, sfrt_dir.h:
        Added the ability to delete entries in the sfrt table.

    * src/preprocessors/snort_httpinspect.c,
      src/preprocessors/spp_frag3.c, src/preprocessors/spp_normalize.c,
      src/preprocessors/spp_stream5.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c,
      src/preprocessors/Stream5/stream5_common.c,
      src/dynamic-preprocessors/reputation/reputation_config.c,
      etc/gen-msg.map, src/detection-plugins/sp_flowbits.c,
      src/detection-plugins/sp_replace.c,
      src/output-plugins/spo_alert_sf_socket.c, src/decode.c,
      src/detect.c, src/generators.h, src/sfdaq.c, src/snort.c,
      src/tag.c, src/util.c, src/dynamic-plugins/sf_dynamic_plugins.c,
      src/sfutil/acsmx2.c, configure.in,
      src/dynamic-preprocessors/dnp3/spp_dnp3.c,
      src/target-based/sftarget_protocol_reference.c:
    * src/dynamic-preprocessors/dnp3/dnp3_roptions.c:
        Made the format of warning messages consistent.

    * src/dynamic-preprocessors/: dnp3/spp_dnp3.c, modbus/spp_modbus.c:
        Providing an empty port list now causes a fatal error.

    * src/dynamic-preprocessors/dnp3/spp_dnp3.h:
        Fixed reserved address check on big-endian machines.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Changed identification of TCP retransmits by comparing payloads
        instead of TCP checksums.

    * src/decode.h, src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/dynamic-preprocessors/imap/snort_imap.c,
      src/dynamic-preprocessors/pop/snort_pop.c,
      src/dynamic-preprocessors/smtp/smtp_util.c,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/output-plugins/spo_unified2.c,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h,
      src/preprocessors/spp_httpinspect.c,
      src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
      src/preprocessors/HttpInspect/include/hi_ui_config.h,
      src/sfutil/Unified2_common.h, tools/u2spewfoo/u2spewfoo.c:
        Enable logging of normalized JavaScript to unified2 when built
        without --enable-sourcefire.
            - Changed extra data logging to log packet-specific data
              (gzip/normalized) after each packet.
            - Updated u2spewfoo to read the normalized JavaScript
              extra data.

    * src/dynamic-preprocessors/dnp3/dnp3_reassembly.c:
        Fixed a bug where "dnp3_data" rules would not work if the content
        was broken up by CRCs or split across multiple DNP3 segments.
        As a result, DNP3 rules that inspect the DNP3 headers now require
        "rawbytes" to work correctly, as the DNP3 reassembly buffer is
        inspected by default.

    * etc/gen-msg.map, preproc_rules/preprocessor.rules,
      src/dynamic-preprocessors/dnp3/spp_dnp3.h:
        Removed DNP3 rule 145:5, and decremented the SIDs of rules 145:6
        and 145:7. The old 145:5 was never able to be triggered.
        Updated references for rules 119:15 and 137:1.

    * rpm/snort.spec:
        Updated the RPM spec file to use wildcards for linking and installing
        preprocessors. Thanks to Tim Brigham for the suggestion.

    * src/detection_util.h:
        Increased the URI buffer size from 4096 to 8192 to normalize and
        detect longer URIs.

    * src/preprocessors/: spp_frag3.c, spp_stream5.c,
      Stream5/snort_stream5_tcp.c, Stream5/snort_stream5_udp.c:
        Change the printing function of tracker/session sizes
        (TcpSession/UdpSession/StreamLWSession/FragTarcker) from fprintf
        to LogMessage.
        Fix handling of "first" and "vista" policies in stream5 that,
        under certain circumstances with overlaps and gaps, could cause
        the stream5 segmentation list to get out of order.

    * doc/snort_manual.pdf, doc/snort_manual.tex,
      src/detection-plugins/sp_dsize_check.c:
        Enable the "dsize" rule option with rebuilt packets, if it is the
        start of a PDU. Thanks to Dave Bertouille for reporting this problem.

    * src/dynamic-preprocessors/modbus/modbus_decode.c:
        Added length checking for Modbus "Read File Record" and
        "Write File Record" requests.

    * src/output-plugins/spo_unified2.c, src/sfutil/Unified2_common.h,
      tools/u2spewfoo/u2spewfoo.c:
        Added new Unified2 event structs with extra application ID data.
        Updated u2spewfoo to read these fields.

    * src/detection-plugins/: sp_asn1_detect.c, sp_byte_check.c,
      sp_byte_jump.c, sp_isdataat.c:
        Allow rule evaluation to continue if the doe_ptr reaches the end
        of a buffer, but a negative offset brings it back in-bounds.
        Thanks again to Dave Bertouille for the suggestion.

    * src/target-based/sf_attribute_table.y:
        Allow empty attribute_value in attribute table.

    * configure.in,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
        Added Protocol-Aware Flushing support for FTP.

    * snort.8:
        Updated the man page to include more signals that have been used.
        Made some format changes, thanks to Markus Lude.

    * doc/Makefile.am:
        Fixed an error while running "make distcleancheck".

    * doc/snort_manual.pdf, doc/snort_manual.tex,
      src/win32/WIN32-Includes/config.h, configure.in, src/snort.c,
      src/snort.h, src/util.c, src/control/sfcontrol.c,
      src/target-based/sftarget_reader.c:
        Redefined default signals, and added support for signal
        customization.


2011-10-28 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.2 Beta
    * src/build.h: updating build number to 64

    * src/preprocessors/: snort_httpinspect.c,
      HttpInspect/include/hi_ui_config.h,
      HttpInspect/server/hi_server.c,
      HttpInspect/server/hi_server_norm.c,
      HttpInspect/user_interface/hi_ui_config.c:
    * src/sfutil/: util_jsnorm.c, util_jsnorm.h:
        Updated the HTTP preprocessor to normalize HTTP responses that include
        javascript escaped data in their bodies. This expands Snort's coverage
        in detecting HTTP client-side attacks.
        See the Snort Manual and README.http_inspect for configuration details.

    * doc/README.modbus:
    * src/dynamic-preprocessors/modbus/: Makefile.am, modbus_decode.c,
      modbus_decode.h, modbus_paf.c, modbus_paf.h, modbus_roptions.c,
      modbus_roptions.h, sf_modbus.dsp, spp_modbus.c, spp_modbus.h:
        Added the Modbus preprocessor, which decodes the Modbus protocol and
        provides new rule options for some protocol fields.
        See the Snort Manual and README.modbus for more details.

    * doc/README.dnp3:
    * src/dynamic-preprocessors/dnp3/: Makefile.am, dnp3_map.c, dnp3_map.h,
      dnp3_paf.c, dnp3_paf.h, dnp3_reassembly.c, dnp3_reassembly.h,
      dnp3_roptions.c, dnp3_roptions.h, sf_dnp3.dsp, spp_dnp3.c, spp_dnp3.h:
        Added the DNP3 preprocessor, which decodes the DNP3 protocol
        and provides new rule options for some protocol fields.
        The preprocessor also performs reassembly of segmented DNP3 traffic.
        See the Snort Manual and README.dnp3 for more details.

    * doc/README.gtp:
    * src/decode.c:
    * src/dynamic-preprocessors/gtp/: Makefile.am, gtp_config.c,
      gtp_config.h, gtp_debug.h, gtp_parser.c, gtp_parser.h, gtp_roptions.c,
      gtp_roptions.h, sf_gtp.dsp, spp_gtp.c, spp_gtp.h
        Added a packet decoder and preprocessor for the GTP protocol.
        These support detecting attacks over GTP (GPRS Tunneling Protocol).
        See the Snort Manual and README.gtp for more details.

    * doc/faq.pdf, doc/faq.tex, src/Makefile.am, src/debug.c,
      src/smalloc.h, src/snort_debug.h,
      src/dynamic-plugins/sf_dynamic_common.h,
      src/dynamic-preprocessors/dcerpc2/dce2_paf.c,
      src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      src/dynamic-preprocessors/gtp/gtp_debug.h,
      src/dynamic-preprocessors/sip/sip_debug.h,
      src/parser/IpAddrSet.c,
      src/preprocessors/HttpInspect/utils/hi_paf.c,
      src/preprocessors/Stream5/stream5_paf.c:
        Expanded the debug bits from 32 to 64 bits.

    * src/preprocessors/: spp_stream5.c, Stream5/snort_stream5_icmp.c,
      Stream5/snort_stream5_icmp.h, Stream5/snort_stream5_ip.c,
      Stream5/snort_stream5_ip.h, Stream5/snort_stream5_udp.c,
      Stream5/snort_stream5_udp.h:
        Cleaned up application data for non-TCP sessions after
        a block or timeout.

    * src/preprocessors/spp_sfportscan.c:
        Negative memcap numbers are no longer allowed.

    * src/preprocessors/HttpInspect/server/hi_server.c:
        HTTP responses with incorrect status messages are now inspected.

    * src/preprocessors/Stream5/stream5_paf.c:
        Fixed PAF callback registration during Snort reload.

    * src/parser.c:
        Fixed crash when setting HOME_NET to an empty variable.
        Thanks to Elof for reporting this issue.

    * src/preprocessors/spp_normalize.c:
        Don't register the packet callback if Snort is not inline.
        Fixed a crash in the normalizer during Snort reload.

    * src/: sfdaq.c, sfdaq.h, snort.c, snort.h, util.c:
        Fixed a possible segfault upon fatal error during Snort reload.

    * src/win32/WIN32-Prj/snort_installer.nsi:
        Updated Windows project files for new preprocessors.

    * doc/: snort_manual.pdf, snort_manual.tex:
        Updated the Snort manual for new features.
        Updated the names of contributors to match those found on snort.org.
        Updated the 'config cs_dir' path to be relative to pid-path.

        Described the FlowIP CSV file format. Thanks to Eoin Miller for
        pointing out the lack of documentation.

    * src/preprocessors/: perf-base.c, perf-base.h, perf.c, perf.h,
      spp_frag3.c, spp_frag3.h, Stream5/snort_stream5_tcp.c:
        Added frag3 and stream5 memory usage to perfmon output.

    * src/control/sfcontrol.c:
        Added counters to bypass the work queue mutex when nothing
        is queued.
        Cleaned up compiler warnings.

    * src/preprocessors/HttpInspect/client/hi_client.c:
        When the same IP is parsed multiple times for XFF/True-client-IP
        , the duplicate entries are freed from memory.

    * src/preprocessors/: stream_expect.c, spp_stream5.c, stream_api.h,
      stream_expect.h, Stream5/snort_stream5_session.c,
      Stream5/snort_stream5_session.h, Stream5/stream5_common.h:
        Changed instances of "char" to "uint8_t" when dealing with
        protocol numbers, preventing a potential issue when Snort
        supports protocols > 128. Thanks to Joshua Kinard for
        providing a patch for this issue.

    * src/detection-plugins/sp_react.c:
        Added a content-length header to the react responses.

    * src/: decode.h, dynamic-plugins/sf_engine/sf_snort_packet.h,
      dynamic-preprocessors/imap/snort_imap.c,
      dynamic-preprocessors/pop/snort_pop.c,
      dynamic-preprocessors/smtp/smtp_config.h,
      dynamic-preprocessors/smtp/smtp_util.c,
      dynamic-preprocessors/smtp/smtp_util.h,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/smtp/snort_smtp.h,
      dynamic-preprocessors/smtp/spp_smtp.c,
      output-plugins/spo_unified2.c, preprocessors/snort_httpinspect.c,
      preprocessors/snort_httpinspect.h,
      preprocessors/spp_httpinspect.c, preprocessors/spp_stream5.c,
      preprocessors/stream_api.h,
      preprocessors/HttpInspect/include/hi_ui_config.h,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/snort_stream5_tcp.h,
      preprocessors/Stream5/stream5_common.h:
        Reduced the memory usage per TCP session for extra data event
        logging.

    * src/dynamic-preprocessors/sip/spp_sip.c:
        Changed a description in the SIP exit stats.

    * configure.in, src/snort.c, src/util.c,
      src/target-based/sftarget_reader.c:
        Where possible, sigaction() is used instead of signal() to
        establish signal handlers.

    * src/util.c:
        Fixed an error in the calculation of dropped packets.
        Thanks to Will Metcalf for identifying the issue.

    * src/preprocessors/: perf-flow.c, perf-flow.h:
        Fixed a bug where packets longer than 4500 bytes were not logged
        in the perfmon flow stats.

    * src/: active.c, decode.c, decode.h, encode.c, parser.c,
      sf_protocols.h, snort.c:
        Fix PPPoE support and active responses to ICMP.
        Thanks to Eric Lauzon for identifying an issue with PPPoE traffic.

    * etc/gen-msg.map, preproc_rules/preprocessor.rules,
      src/generators.h,
      src/preprocessors/HttpInspect/client/hi_client.c,
      src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
      src/preprocessors/HttpInspect/include/hi_client.h,
      src/preprocessors/HttpInspect/include/hi_eo_events.h:
        Added new preprocessor alerts:
          1) Both true-client-ip and XFF headers exist in single packet
          2) Multiple client-ips with different values in the same session

    * etc/gen-msg.map:
        Fixed an error with incorrect SID numbers for some SMTP preprocessor
        rules. Thanks to Eric Olsen for identifying the issue.

    * src/: decode.h, detect.c, encode.c, encode.h, plugbase.c,
      plugbase.h, snort.c, snort.h,
      detection-plugins/detection_options.c,
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      dynamic-plugins/sf_engine/sf_snort_packet.h,
      dynamic-preprocessors/dcerpc2/snort_dce2.c,
      dynamic-preprocessors/sdf/spp_sdf.c,
      output-plugins/spo_alert_fast.c, preprocessors/spp_frag3.c,
      preprocessors/spp_rpc_decode.c, preprocessors/spp_sfportscan.c,
      preprocessors/stream_api.h,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/stream5_common.c:
        Refactored packet flags. Added new packet flags for raw in-order
        stream segment discrimination.

    * src/preprocessors/snort_httpinspect.c:
        Fixed an issue where gzip logging code misinterpreted the data
        being passed to it.

        Increased max_method_len to 256.
        Thanks to rmkml for identifying the issue.

    * src/: preprocessors/spp_rpc_decode.c,
      dynamic-preprocessors/dcerpc2/dce2_roptions.c,
      dynamic-preprocessors/dcerpc2/dce2_smb.c:
        Fixed compiler warnings.

    * src/sfutil/bnfa_search.c:
        Fixed code defined by #ifdef ALLOW_NFA_FULL to compile and run.
        Thanks to Brian Hwang for reporting the issue.

    * src/: dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      dynamic-plugins/sp_dynamic.h,
      dynamic-preprocessors/reputation/reputation_config.c,
      dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
      dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h:
        The paths to whitelist & blacklist files are now relative to
        the location of snort.conf.

    * src/preprocessors/Stream5/snort_stream5_session.c:
        Don't prune blocked sessions if pruning for memcap.

    * src/preprocessors/spp_stream5.c:
        Fixed session data lookup for meta data messages.

    * etc/: sf_rule_options, sf_rule_validation.conf:
        Updated rule validation files with new rule options.

    * configure.in, doc/INSTALL, doc/README.ARUBA, doc/README.database,
      doc/README.ipv6, doc/snort_manual.tex,
      src/output-plugins/spo_alert_arubaaction.c,
      src/output-plugins/spo_alert_prelude.c,
      src/output-plugins/spo_database.c:
        Added deprecation warnings for database, alert_aruba_action,
        and alert_prelude output plugins. These output plugins are
        considered deprecated with this release and will be removed
        in Snort 2.9.3.

    * src/: plugbase.c, plugbase.h, preprocids.h, profiler.c, sfdaq.c,
      sfdaq.h, snort.c, snort.h, dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      preprocessors/spp_stream5.c, preprocessors/stream_api.h,
      preprocessors/Stream5/snort_stream5_icmp.c,
      preprocessors/Stream5/snort_stream5_ip.c,
      preprocessors/Stream5/snort_stream5_session.c,
      preprocessors/Stream5/snort_stream5_session.h:
        Added API and DAQ functions to get flow start and end events
        directly from the DAQ when no stream data is available.

    * src/sfdaq.c:
        Prevent underflow when calculating outstanding packets.
        Thanks to Hussein Bahaidarah for reporting this issue.

        Don't unload daq modules if --disable-dlclose was a configure
        option.

    * src/: active.c, dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h:
        Snort dynamic API changes to inject response packets.

2011-10-20 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.1.2
    * configure.in,
      rpm/snort.spec,
      src/build.h,
      src/win32/WIN32-Includes/config.h,
      src/win32/WIN32-Prj/snort_installer.nsi:
        Incremented version numbers to Snort 2.9.1.2, Build 84.

    * src/preprocessors/snort_httpinspect.c,
      src/sfutil/util_utf.c:
        Fixed an issue where Snort would sometimes stop processing traffic
        in a persistent HTTP 1.1 connection with a UTF-32 encoded response
        followed by a UTF-16 encoded response.

2011-10-05 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.1.1
    * src/decode.c:
        Fixed decode.c to allow building with --enable-debug.

    * src/: dynamic-plugins/sf_engine/sf_decompression.c,
      dynamic-plugins/sf_engine/sf_decompression.h,
      preprocessors/snort_httpinspect.h,
      preprocessors/HttpInspect/server/hi_server.c:
        Fixed http_inspect decompression and decompression API to decompress
        both raw and zlib deflated data.
        Support locating utf charset when spaces are present.

    * src/: preprocessors/HttpInspect/server/hi_server_norm.c,
      sfutil/util_utf.h:
        Added "Byte Order Mark" support for unicode in http_inspect.

    * src/detection-plugins/sp_urilen_check.c:
        Fixed potential false positives when using urilen detection option.

    * src/preprocessors/Stream5/stream5_paf.c:
        Fixed flushing beyond "paf_max".
        Verify paf configuration before enabling.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Free application and protocol state when a session is blocked.
        Ensure that seglist_next is NULL after being freed.

    * src/dynamic-preprocessors/smtp/smtp_util.c:
        Fixed an issue with SMTP logging while running in inline mode.

    * src/dynamic-preprocessors/reputation/Makefile.am,
      src/dynamic-preprocessors/reputation/reputation_config.c,
      src/dynamic-preprocessors/reputation/reputation_config.h,
      src/dynamic-preprocessors/reputation/spp_reputation.c,
      src/dynamic-preprocessors/reputation/spp_reputation.h,
      src/Makefile.am, src/idle_processing.c, src/idle_processing.h,
      src/idle_processing_funcs.h, src/plugbase.c, src/plugbase.h,
      src/snort.c, src/snort.h, src/util.c, src/util.h,
      src/dynamic-examples/Makefile.am,
      src/dynamic-preprocessors/reputation/shmem/shmem_config.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_config.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_lib.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_mgmt.h,
      src/control/Makefile.am, src/control/sfcontrol.c,
      src/control/sfcontrol.h, src/control/sfcontrol_funcs.h,
      src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.c,
      src/dynamic-preprocessors/reputation/shmem/sflinux_helpers.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_common.h,
      src/dynamic-preprocessors/reputation/shmem/shmem_datamgmt.c,
      src/dynamic-preprocessors/reputation/shmem/shmem_lib.h,
      src/sfutil/Makefile.am, src/sfutil/segment_mem.c,
      src/sfutil/segment_mem.h, src/sfutil/sfrt_flat.c,
      src/sfutil/sfrt_flat.h, src/sfutil/sfrt_flat_dir.c,
      src/sfutil/sfrt_flat_dir.h,
      src/dynamic-preprocessors/Makefile.am, tools/control/Makefile.am,
      tools/control/README.snort_control, tools/control/sfcontrol.c,
      src/dynamic-plugins/sf_dynamic_plugins.c,
      src/dynamic-plugins/sf_dynamic_preprocessor.h, configure.in,
      tools/Makefile.am:
        - Added support for shared memory between Snort processes.
          This is used in the IP Reputation preprocessor to share a single copy
          of IP whitelists & blacklists.
        - Added a control channel, so that commands may be issued to
          a running Snort process by way of a Unix socket.

    * src/preprocessors/HttpInspect/utils/hi_paf.c:
        Ensure HTTP 1.1 responses without length indicators (e.g. 304)
        are flushed at the end of the headers.
        Preprocessor rule 120:8 is fired at end of headers if content-length
        and transfer-encoding: chunked are not present, but not for response
        codes 1XX, 204, 304.

    * doc/README.reputation, doc/snort_manual.pdf,
      doc/snort_manual.tex:
        Updated Snort documentation, added documentation for Shared Memory
        and the Control Socket.

    * src/: dynamic-preprocessors/reputation/sf_reputation.dsp,
      dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
      win32/WIN32-Includes/stdint.h, win32/WIN32-Prj/snort.dsp,
      win32/WIN32-Prj/snort.dsw:
        Updated Win32 build files.


2011-08-23 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.1
    * src/build.h:
        Updated build number to 71.

    * etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
      src/decode.h, src/generators.h, src/snort.c,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h:
        Fixed an issue with decoding large numbers of IPv6 extension headers.
        Added rule 116:456 to safeguard against too many IPv6 extension headers.
        Thanks to Martin Sch�tte for reporting the issue.

    * src/detection-plugins/sp_urilen_check.c,
      src/detection-plugins/sp_urilen_check.h:
        Fixed the urilen rule option to look at reassembled packets.
        Added an extra parameter to specify whether to check raw or normalized
        uri buffer. Will check raw uri buffer by default.

    * src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
      dynamic-preprocessors/dns/sf_dns.dsp,
      dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
      dynamic-preprocessors/imap/sf_imap.dsp,
      dynamic-preprocessors/isakmp/sf_isakmp.dsp,
      dynamic-preprocessors/pop/sf_pop.dsp,
      dynamic-preprocessors/reputation/sf_reputation.dsp,
      dynamic-preprocessors/sdf/sf_sdf.dsp,
      dynamic-preprocessors/sip/sf_sip.dsp,
      dynamic-preprocessors/smtp/sf_smtp.dsp,
      dynamic-preprocessors/ssh/sf_ssh.dsp,
      dynamic-preprocessors/ssl/sf_ssl.dsp,
      win32/WIN32-Prj/sf_engine.dsp:
        Fixed a bug where the sensitive_data preprocessor gave an error while
        loading sensitive data rules.
 
    * doc/README.http_inspect, etc/gen-msg.map,
      preproc_rules/preprocessor.rules, src/generators.h,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
      src/preprocessors/HttpInspect/include/hi_eo_events.h,
      src/preprocessors/HttpInspect/utils/hi_paf.c:
        Added two HTTP Inspect preprocessor rules:
        119:28 - post w/o content-length or transfer-encoding: chunked
        120:8 - message with invalid content-length or chunk size
 
    * src/preprocessors/spp_httpinspect.c:
        Fixed a bug where Snort wouldn't reload, giving the error that
        "Changing decompress_depth requries a restart".

    * etc/gen-msg.map:
        Commented out four rules from gen-msg.map, 133:44 through 133:47,
        because they were not yet implemented. 

    * preproc_rules/preprocessor.rules:
        Added a CVE reference for Rule 119:19.
        Added a reference to SMTP preprocessor rule 124:4. 
        Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor
        alert that was missing the corresponding rule.

    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
        PAF tweak for single-segment full PDUs matching only-stream

    * src/snort.c:
        Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD.
        Set default paf_max to 16K.

    * doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
        Added a use case in the IP Reputation preprocessor documentation.

    * src/: dynamic-preprocessors/reputation/reputation_config.c,
      dynamic-preprocessors/reputation/sf_reputation.dsp,
      win32/WIN32-Prj/snort.dsw, win32/WIN32-Prj/snort_installer.nsi:
        Fixed the IP Reputation preprocessor so that it would build on Windows.

    * src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h,
      server/hi-server.c, utils/hi_paf.c:
        Support up to full 32-bit content-lengths

    * src/preprocessors/Stream5/stream5_paf.c:
        Fixed compilation with the options "--disable-target-based --enable-paf".

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
        Fixed an error in IDS mode when segments overlap and the sequence
        number wraps.

    * tools/u2spewfoo/Makefile.am:
        Added the u2spewfoo Windows project file to the Snort source tarball.

2011-07-19 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.1 RC
    * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
      preproc_rules/preprocessor.rules,
      src/dynamic-preprocessors/sip/sip_parser.c,
      src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
        Added three new SIP preprocessor alerts.

    * src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c,
      stream5_paf.h:
        Allow multiple preprocs to scan for PDUs on the same port.
        This fixes a problem with DCE autodetect using the same
        ports as HTTP.

    * src/build.h:
        Updated build number to 63.

    * src/: fpcreate.c, log.c, detection-plugins/sp_byte_extract.c,
      detection-plugins/sp_tcp_win_check.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
      preprocessors/spp_normalize.c:
        Fixed some compiler warnings.

    * src/: detection-plugins/detection_options.c,
      detection-plugins/sp_flowbits.h,
      dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
        Only set/clear/toggle/unset a flowbit when all of the rule
        matches, including the IPs and Ports. Thanks to Eoin Miller
        for reporting the issue.

    * src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am,
      dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am,
      pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am,
      sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am,
      ssh/Makefile.am, ssl/Makefile.am:
        Fixed dynamic preprocesor Makefiles so that they can be built
        in parallel.

    * doc/README.http_inspect, doc/snort_manual.pdf,
      doc/snort_manual.tex, etc/gen-msg.map,
      preproc_rules/preprocessor.rules, src/generators.h,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/snort_httpinspect.h,
      src/preprocessors/HttpInspect/client/hi_client.c,
      src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
      src/preprocessors/HttpInspect/include/hi_eo_events.h,
      src/preprocessors/HttpInspect/include/hi_ui_config.h,
      src/preprocessors/HttpInspect/include/hi_util.h,
      src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
      src/sfutil/util_unfold.c:
        Added a new HTTP Inspect preprocessor rule, GID 119 SID 26.
        This rule checks for 200+ whitespaces in a folded header line
        from an HTTP request. A new config option was added to configure
        the allowable amount whitespace.

        Added a new configuration option to http_inspect server configuration:
        "small_chunk_length { <chunk_size> <num_consec_chunks> }", with
        preprocessor rules for both client and server. Consecutive chunk lengths
        less than or equal to <chunk_size> will cause an event to be generated.

        See README.http_inspect for more information.

    * src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
      dynamic-preprocessors/dns/sf_dns.dsp,
      dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
      dynamic-preprocessors/imap/sf_imap.dsp,
      dynamic-preprocessors/isakmp/sf_isakmp.dsp,
      dynamic-preprocessors/sdf/sf_sdf.dsp,
      dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
      dynamic-preprocessors/sip/sf_sip.dsp,
      dynamic-preprocessors/smtp/sf_smtp.dsp,
      dynamic-preprocessors/ssh/sf_ssh.dsp,
      dynamic-preprocessors/ssl/sf_ssl.dsp,
      win32/WIN32-Prj/sf_engine.dsp,
      win32/WIN32-Prj/sf_engine_initialize.dsp,
      win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp:
        Fixed the Win32 build to (1) not use .pch, and (2) correct sed
        patterns on ipv6_port.h.

    * src/output-plugins/spo_alert_sf_socket.c:
        Fixed a problem where Snort's generic IP address structure was
        being sent by the socket output plugin.
        The output plugin now only generates events for IPv4 packets,
        and is guaranteed to use uint32_t IPv4 addresses for interoperability.

    * src/sfutil/: sfrt.c, sfrt.h:
        Optimized some memory usage.

    * configure.in:
        Add check for pkg-config and provide instructions to get it if
        pkg-config is not installed.

    * src/preprocessors/Stream5/: snort_stream5_tcp.c,
      stream5_common.h:
        Show single segment PAF packets and only short-circuit at
        correct sequence.
        When aborting PAF, flush at paf_max.
        Tweaked retransmission check to use actual sequence numbers
        instead of the adjusted sequence numbers.
        Changed the pseudo-random flush point after each flush.

    * src/snort.c:
        Fixed a compilation error when active response is disabled.

    * src/snort.h:
        Fixed a bug where Snort wouldn't daemonize on OpenBSD if the
        process was running as root. Thanks to Olaf Schreck for reporting
        this issue.

    * src/preprocessors/: perf-base.c, perf-base.h, perf-event.c,
      perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h,
      spp_perfmonitor.c:
        Split out Perfmon submodule Init and Reset, so that everything is
        initialized when the Perfmonitor preprocessor is initialized.
        Previously, some data was initialized on the first packet.

    * src/detection-plugins/sp_tcp_flag_check.c:
        Fixed a couple spots where the "1" and "2"
        flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for
        reporting the issue and supplying a patch.

    * doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
      src/dynamic-preprocessors/sip/sip_parser.c,
      src/dynamic-preprocessors/sip/spp_sip.h,
      preproc_rules/preprocessor.rules, etc/gen-msg.map:
        Added a new SIP preprocessor alert for missing content type headers.
        Fixed an issue where the SIP preprocessor checked for Stream5 even if
        the SIP preprocessor was disabled.

    * etc/unicode.map:
        Updated unicode.map to match the unicode standard on Windows 7 SP1.

    * etc/snort.conf:
        Sync'ed to VRT's latest snort.conf.

    * src/: decode.c, detect.c:
        Tweaked the preprocessing loop to bypass app preprocs if no
        app data.

    * src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sfrt_dir.c,
      src/dynamic-preprocessors/reputation/Makefile.am,
      src/dynamic-preprocessors/reputation/reputation_config.h,
      src/dynamic-preprocessors/reputation/reputation_utils.c,
      src/dynamic-preprocessors/reputation/sf_reputation.dsp,
      src/dynamic-preprocessors/reputation/spp_reputation.c,
      src/dynamic-preprocessors/reputation/spp_reputation.h,
      src/dynamic-preprocessors/reputation/reputation_config.c,
      src/dynamic-preprocessors/reputation/reputation_debug.h,
      src/dynamic-preprocessors/reputation/reputation_utils.h,
      doc/README.reputation, doc/Makefile.am, doc/snort_manual.pdf,
      doc/snort_manual.tex, preproc_rules/preprocessor.rules,
      src/dynamic-preprocessors/Makefile.am, configure.in,
      src/preprocids.h, etc/gen-msg.map:
        Added the IP Reputation preprocessor. This preprocessor provides
        the ability to whitelist and blacklist packets based on IP addresses.
        See README.reputation for more information.

    * src/: sf_types.h, dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-preprocessors/dcerpc2/Makefile.am,
      dynamic-preprocessors/dcerpc2/dce2_config.c,
      dynamic-preprocessors/dcerpc2/dce2_debug.h,
      dynamic-preprocessors/dcerpc2/dce2_paf.c,
      dynamic-preprocessors/dcerpc2/dce2_paf.h,
      dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
      dynamic-preprocessors/dcerpc2/snort_dce2.c:
        Added protocol-aware flushing support for the dcerpc2 preprocessor.

    * src/dynamic-plugins/sf_convert_dynamic.c:
        Added the ability to convert shared object rules that use the
        preprocessor rule option.

    * src/preprocessors/: snort_httpinspect.c, spp_httpinspect.c,
      HttpInspect/include/hi_paf.h, HttpInspect/utils/hi_paf.c,
      Stream5/snort_stream5_tcp.c:
        Don't enable paf unless stream ports configured
        for the given direction; add "(PAF)" to http inspect ports output
        to indicate when enabled; and only register port for given
        direction if corresponding flow depth is set.

        Support full 32-bit content-lengths and chunk sizes, and flush/abort
        when exceeded.

    * doc/README.SMTP, doc/snort_manual.tex,
      src/dynamic-preprocessors/smtp/smtp_config.h,
      src/dynamic-preprocessors/smtp/smtp_util.c,
      src/dynamic-preprocessors/smtp/snort_smtp.c,
      src/dynamic-preprocessors/smtp/snort_smtp.h,
      src/dynamic-preprocessors/smtp/spp_smtp.c:
        Fixed performance issue: allocate the buffers used
        for filename, mailfrom and rcptto logging using mempool
        ('memcap' used to allocate the mempool).
        Added a fatal error when b64_decode_depth is used with
        enable_mime_decoding.

2011-06-13 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.1 Beta
    * configure.in:
        Updates to configure.in.
        - Fix zlib checks to use correctly named variable for checking zlib
          header and library existence.
        - Enable IPv6 by default in builds.  Can use --disable-ipv6 to turn it off.
          using --enable-zlib, configure should fail.  snort -V should show
          IPv6 by default and VRT config should load without modification.
        - Added a new option, "--enable-large-pcap", which allows Snort to read
          pcap files that are larger than 2 GB.
        - Changed the default ./configure options to match the requirements
          for the bundled snort.conf
    * doc/: INSTALL, README.imap, README.pop,
      README.SMTP, README.stream5, README.sip, README.tag,
      README.http_inspect, README.counts, README.normalize,
      snort_manual.pdf, snort_manual.tex:
        Updated documentation for Snort 2.9.1:
        - Added documentation for new SIP, POP and IMAP preprocessors
        - Updated README.stream5 with documentation for
          Protocol Aware Flushing (PAF)
        - Updated README.http_inspect with memcap information,
          clarified "http_cookie" information, and documentation for
          "log_uri" and "log_hostname".
        - Fixed a typo in README.counts
        - Updated "byte_extract" section to reflect syntax changes
        - Improved the explanation of "max_queued_events"
        - Added documentation for the ESP decoder, which is now configurable
        - Improved the explanation of "rawbytes"
        - Fixed an incorrect example in README.tag.
    * etc/snort.conf:
        Synced snort.conf with VRT's latest version.

        Added configurations for new preprocessors.
    * preproc_rules/: decoder.rules, preprocessor.rules
        Added new preprocessor rules for SIP, SMTP, POP, and IMAP.

        Added decoder rules 116:453, 116:454, and 116:455. These rules
        were formerly covered by VRT rules.
    * src/build.h: Updated build number to 46
    * src/decode.c:
        TCP and UDP decoder rules that require a fully-decoded packet will
        only fire if the checksum is correct and the port number is not ignored.

        ESP decoding is now configurable, and off by default.

        The "config enable_decode_oversized_alerts" option now applies to
        packets where the UDP header claims there is more data than actually exists.
        The Teredo decoder now only processes packets in the Teredo prefix
        (2001:0000::/32) or the link-local prefix (fe80::/16).
    * src/detection-plugins/sp_cvs.c:
        Fixed a false positive in the CVS detection plugin.
    * doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c:
        Made some changes to the byte_extract syntax:
        - Writing "string" without a number type defaults to decimal.
        - The "string" and "hex/dec/oct" options are now independent of each
          other, like in byte_test and byte_jump.
          You can write "string,dec", "hex,string", "string,relative,oct", etc.
        - Specifying one of "hex", "dec", and "oct" without using "string"
          results in an error.
        - byte_extract options can no longer be delimited by spaces.
          This does not affect "align <num>" or "multiplier <num>".
    * src/: parser.c, util.c, util.h,
      detection-plugins/sp_base64_decode.c,
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      dynamic-plugins/sp_dynamic.c,
      dynamic-preprocessors/smtp/smtp_util.c,
      preprocessors/HttpInspect/client/hi_client.c,
      preprocessors/HttpInspect/server/hi_server.c,
      sfutil/sf_base64decode.c, sfutil/sf_base64decode.h:
        Changes include the following:
        - Attempt dechunkind only when transfer-encoding: chunked is present.
        - Override the content length with transfer encoding
        - SnortStrcasestr uses slen now.
        - unfolding : trim spaces when required.
    * src/: pcap_pkthdr32.h, preprocessors/spp_frag3.c,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/stream5_common.h, sfutil/sf_ipvar.c,
      sfutil/sf_ipvar.h, sfutil/sf_vartable.c:
        Update Frag3/Stream5 to print bound addresses, better descriptsions of detect
        anomalies and port lists.
        - Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds
        - Updated Frag3 to print meaningful detect anomalies configuration
        - Updated Stream5 to print that there are more ports than those printed.
    * src/dynamic-plugins/sf_engine/: Makefile.am, sf_decompression.c,
      sf_decompression.h, sf_snort_detection_engine.c,
      sf_snort_plugin_api.h:
        Added a Decompression API that wraps Zlib for use with dynamic
        plugins. See sf_decompression.h for more details.
    * src/: fpcreate.c, fpdetect.c, treenodes.h:
        Update pattern matcher and sort functions to
        correctly sort by priority as well as implement sorting by
        content_length (which was never done with 2.8.2 addition of rule
        option tree).

        Added a warning when max-pattern-len is defined twice.

        Packets will no longer be tagged or logged if they are filtered or passed.
    * src/preprocessors/Stream5:
        Ensured that reassembly doesn't require packet dropping in IPS mode.
        The message "additional ports configured but not printed" is only printed
        when that is actually the case.
    * src/snort.c:
        fix output of filename / shutdown alerts sequence when iterating over multiple
        pcaps with --pcap-show --pcap-reset and console alerts (eg -A cmg or
        -A console:test).

        Fixed an issue with reloading Snort while the default output options
        were used.

        When reading several pcap files with --pcap-dir, Snort will move on
        to the next file if one fails to load.
    * src/output-plugins/spo_alert_full.c:
        Update alert_full to print rule references, regardless of whether
        there is TCP/UDP/etc.
    * src/output-plugins/spo_log_tcpdump.c:
        convert DLT_IPV{4,6} to DLT_RAW for compatibility with libpcap 1.0.0
        fix 'mixed decls and code' compiler warning
    * src/: decode.h, detect.c, detection_util.c, detection_util.h,
      fpcreate.c, fpdetect.c, log.c, log_text.c, parser.h, plugbase.c,
      rule_option_types.h, detection-plugins/Makefile.am,
      detection-plugins/detection_options.c,
      detection-plugins/sp_base64_data.c,
      detection-plugins/sp_byte_check.c,
      detection-plugins/sp_byte_extract.c,
      detection-plugins/sp_byte_jump.c,
      detection-plugins/sp_file_data.c,
      detection-plugins/sp_ftpbounce.c,
      detection-plugins/sp_isdataat.c,
      detection-plugins/sp_pattern_match.c,
      detection-plugins/sp_pcre.c, detection-plugins/sp_pkt_data.c,
      detection-plugins/sp_pkt_data.h,
      dynamic-plugins/sf_convert_dynamic.c,
      dynamic-plugins/sf_dynamic_common.h,
      dynamic-plugins/sf_dynamic_define.h,
      dynamic-plugins/sf_dynamic_engine.h,
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h,
      dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      dynamic-plugins/sf_engine/sf_snort_packet.h,
      dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
      dynamic-preprocessors/ftptelnet/pp_ftp.c,
      dynamic-preprocessors/ftptelnet/pp_telnet.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/smtp/smtp_util.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      dynamic-preprocessors/smtp/snort_smtp.h,
      preprocessors/snort_httpinspect.c,
      preprocessors/snort_httpinspect.h,
      preprocessors/spp_rpc_decode.c,
      preprocessors/HttpInspect/server/hi_server.c,
      preprocessors/HttpInspect/server/hi_server_norm.c,
      preprocessors/Stream5/snort_stream5_tcp.c:
        The "file_data" and "base64_data" rule options now set the buffer
        for any rule options that follow them. This applies to both relative
        and non-relative rule options.

        The detection code now uses 3 separate buffers:
        - "Alt Detect": set by file_data, base64_data, etc.
        - "Alt Decode": set by preprocessor normalization, e.g. HTTP Inspect
        - Raw packet data

        The AltDetect buffer can also be set by custom .so rules.
    * src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c,
      src/sfutil/Unified2_common.h:
        IPv6 source and destination addresses are now logged in Unified2
        as extra data events. This is configured with "config log_ipv6_extra_data".
    * src/dynamic-preprocessors/sip/Makefile.am,
      src/dynamic-preprocessors/sip/sf_sip.dsp,
      src/dynamic-preprocessors/sip/sip_config.c,
      src/dynamic-preprocessors/sip/sip_config.h,
      src/dynamic-preprocessors/sip/sip_debug.h,
      src/dynamic-preprocessors/sip/sip_dialog.c,
      src/dynamic-preprocessors/sip/sip_dialog.h,
      src/dynamic-preprocessors/sip/sip_parser.c,
      src/dynamic-preprocessors/sip/sip_parser.h,
      src/dynamic-preprocessors/sip/sip_roptions.c,
      src/dynamic-preprocessors/sip/spp_sip.c,
      src/dynamic-preprocessors/sip/spp_sip.h,
      src/dynamic-preprocessors/sip/sip_roptions.h,
      src/dynamic-preprocessors/sip/sip_utils.c,
      src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip,
      etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am,
      src/dynamic-preprocessors/sip/test/sip_test.c, configure.in,
      src/dynamic-preprocessors/Makefile.am:
        Added a new preprocessor for SIP traffic.
        See README.sip and the Snort Manual for more information.
    * src/: dynamic-preprocessors/dcerpc2/dce2_utils.c,
      dynamic-preprocessors/dcerpc2/spp_dce2.c,
      preprocessors/spp_frag3.c:
        Make Frag3 OpenBSD Vuln alert only happen if the frag policy is
        'linux' (which includes OpenBSD).  The 'bsd' policy is NOT used
        for OpenBSD, which is the only OS on which the vulnerability was
        present.

        This reduces false positives to only occur when frag3 policy is
        linux and its an actual linux system, rather than the alert
        occuring regardless of frag policy.
    * src/: detection-plugins/Makefile.am,
      detection-plugins/sp_byte_extract.c,
      detection-plugins/sp_byte_extract.h,
      dynamic-plugins/sf_convert_dynamic.c,
      dynamic-plugins/sf_engine/Makefile.am,
      dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
      dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
      dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
        Added support for ByteExtract variables to the .so rule versions of
        Content, ByteTest, ByteJump, and isdataat.
    * src/: encode.c, preprocessors/spp_normalize.c,
      preprocessors/Stream5/snort_stream5_tcp.c,
      preprocessors/Stream5/stream5_common.c:
        Fixed the TTL on encoded response packets.
    * src/: fpcreate.c, fpdetect.c,
      detection-plugins/sp_pattern_match.c,
      detection-plugins/sp_pattern_match.h,
      dynamic-plugins/sf_dynamic_define.h,
      dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
        Update to not inspect HTTP method buffer with Snort's fast pattern engine.
        Rules with only HTTP method content end up as non-content rules.
        This eliminates a short cycle of searches with fast pattern on every
        initial HTTP request.
    * src/dynamic-preprocessors/pop/: all files
        Added a new preprocessor for POP traffic.
        See README.pop for more information.
    * src/dynamic-preprocessors/imap/: all files
        Added a new preprocessor for IMAP traffic.
        See README.imap for more information.
    * src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
        Base64 decoding was moved to its own section in sfutil, for use
        by the new email preprocessors.

        Added support for uuencoded email attachments.
    * src/dynamic-preprocessors/sdf/spp_sdf.c:
        The Sensitive Data preprocessor now inspects the "file_data" buffer, used
        for HTTP response bodies & decoded email attachments.
    * src/: snort.c, preprocessors/spp_stream5.c,
      preprocessors/stream_api.h:
        Update Snort to return a DAQ verdict of whitelist (meaning don't
        send Snort any more packets) for sessions that are being ignored
        in both directions or ports that are configured to ignore.  For
        DAQ modules and hardware that supports it, this should result in
        a performance gain because Snort no longer has to decode packets
        that are part of that connection.
    * src/util.c:
        Added an error message when opening a pid file fails.
    * src/preprocessors/HttpInspect/: client/hi_client.c,
      server/hi_server.c:
        The Set-Cookie: and Cookie: headers wont be included in the cookie buffers.
    * configure.in, src/active.c, src/active.h, src/decode.h,
      src/encode.c, src/encode.h, src/log_text.c, src/log_text.h,
      src/parser.c, src/parser.h, src/sf_types.h, src/sfdaq.c,
      src/sfdaq.h, src/snort.h, src/snort_debug.h,
      src/detection-plugins/sp_react.c,
      src/detection-plugins/sp_respond3.c,
      src/dynamic-plugins/sf_dynamic_define.h,
      src/dynamic-plugins/sf_engine/sf_snort_packet.h,
      src/preprocessors/snort_httpinspect.c,
      src/preprocessors/spp_httpinspect.c,
      src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
      src/preprocessors/HttpInspect/Makefile.am,
      src/preprocessors/HttpInspect/include/Makefile.am,
      src/preprocessors/HttpInspect/include/hi_paf.h,
      src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
      src/preprocessors/HttpInspect/server/hi_server.c,
      src/preprocessors/HttpInspect/utils/Makefile.am,
      src/preprocessors/HttpInspect/utils/hi_paf.c,
      src/preprocessors/Stream5/Makefile.am,
      src/preprocessors/Stream5/snort_stream5_icmp.c,
      src/preprocessors/Stream5/snort_stream5_session.c,
      src/preprocessors/Stream5/snort_stream5_tcp.c,
      src/preprocessors/Stream5/snort_stream5_tcp.h,
      src/preprocessors/Stream5/snort_stream5_udp.c,
      src/preprocessors/Stream5/stream5_common.c,
      src/preprocessors/Stream5/stream5_common.h,
      src/preprocessors/Stream5/stream5_paf.c,
      src/preprocessors/Stream5/stream5_paf.h, src/sfutil/sf_textlog.h:
        Added support in Stream5 for Protocol Aware Flushing (PAF).
        PAF allows Snort to statefully scan a stream and reassemble a complete
        PDU regardless of segmentation.

        Added PAF support to HTTP Inspect, allowing the preprocessor to determine
        when HTTP sessions are flushed by Stream5.

        See README.stream5 for more details.
    * src/preprocessors/: stream_ignore.h, stream_ignore.c,
      Stream5/snort_stream5_udp.c:
        added support for ignoring UDP channels. Light weight session
        will be created to track UDP channel, even ports are not
        monitored.
    * src/win32/: most files
        Updated Snort and its libraries to build/link against MFC.

2011-03-23 Steven Sturges <ssturges@sourcefire.com>
  * src/build.h:
      Increment Snort build number to 134
  * src/: decode.h, encode.c:
  * src/dynamic-plugins/sf_engine/: sf_snort_packet.h:
  * src/preprocessors/: spp_sfportscan.c, spp_frag3.c:
  * src/output-plugins/: spo_alert_fast.c:
  * src/preprocessors/Stream5/: stream5_common.c:
      Updated portscan to set protocol correctly in raw packet for
      IPv6 and changed the encoder to recognize portscan packets as pseudo
      packets so that the checksum isn't calculated
  * src/: sfdaq.c, util.c:
      Improve handling of DAQ failure codes when Snort is shutting down.
  * src/preprocessors/spp_perfmonitor.c:
      Update perfmonitor to create now files prior to dropping privs

2011-03-16 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0.5
  * src/build.h:
      Increment Snort build number to 132
  * src/snort.c:
  * src/preprocessors/: normalize.c, perf-base.c, perf-base.h,
    Stream5/snort_stream5_tcp.c:
      TCP timestamp options are only NOPed by the Normalization preprocessor
      if Stream5 has seen a full 3-way handshake, and timestamps weren't
      negotiated.

      The IPS mode reassembly policy has been refactored to do stream
      normalization within the first policy.

      Packets injected by the normalization preprocessor are now counted
      in the packet statistics.
  * doc/snort_manual.tex:
  * src/: parser.c, parser.h:
  * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
      Added a "config vlan_agnostic" setting that globally disables Stream's
      use of vlan tag in session tracking.
  * src/: snort.c, preprocessors/normalize.c,
    preprocessors/spp_normalize.c, preprocessors/spp_normalize.h,
    preprocessors/perf-base.c, preprocessors/perf-base.h:
  * doc/: README.normalize, snort_manual.pdf, snort_manual.tex:
      Fixed the normalization preprocessor to call its post-initialization
      config functions during a policy reload.

      Packets can no longer be trimmed below the minimum ethernet frame
      length. Trimming is now configurable with the "normalize_ip4: trim;"
      option. TOS clearing is now configurable with "normalize_ip4: tos;".

      The "normalize_ip4: trim" option is automatically disabled if the
      DAQ can't inject packets. If the DAQ tries and fails to inject
      a given packet, the wire packet is not blocked.

      Updated documentation regarding these changes.
  * src/detection-plugins/sp_cvs.c:
      Fixed a false positive in the CVS detection plugin. It was incorrectly
      parsing CVS entries that had a '+' in between the 3rd and 4th slashes.
  * src/preprocessors/HttpInspect/: client/hi_client.c,
    server/hi_server.c:
      Changed a pointer comparison to a size check for code readability.
      Belated thanks to Dwane Atkins and Parker Crook for reporting a
      related issue that was fixed in Snort 2.9.0.4 build 111.

      Moved the zlib initialization such that gzipped responses are still
      inspected if the zipped data starts after the first Stream-reassembled
      packet is inspected.
  * src/decode.c:
      Fixed an issue with decoding too many IP layers in a single packet. The
      Teredo proto bit was not unset after hitting the limit on IP layers.
      Thanks to Dwane Atkins for reporting this issue.

      IPv6 fragmented packets are no longer inspected unless they have an
      offset of zero and the next layer is UDP. This behavior is consistent
      with IPv4 decoding.
      Thanks to Martin Sch�tte for reporting an issue where fragged ICMPv6
      packets were being inspected.

      The decoder no longer attempts to decode Teredo packets inside of
      IPv4 fragments, instead waiting for the reassembled packet.
  * src/encode.c:
      Fixed a problem where encoded packets had their lengths calculated
      incorrectly. This caused the active response feature to generate
      incorrect RST packets if the original packet had a VLAN tag.
  * preproc_rules/preprocessor.rules:
      Updated references to rule 125:1:1
  * src/preprocessors/spp_perfmonitor.c:
      Perfmonitor files are now created after Snort changes uid/gid.
  * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
      Fixed the size formatting of an error message argument when
      compiling with --enable-rzb-saac.
      Thanks to Cleber S. Brand�o for reporting this issue.
  * etc/snort.conf:
      Updated the default snort.conf with max compress and decompress
      depths to enable unlimited decompression of gzipped HTTP responses.
  * snort.8:
      Fixed the man page's URL regarding the location of Snort rules.
      Thanks to Michael Scheidell for reporting an out-of-date man page section.
  * doc/README.http_inspect, doc/snort_manual.tex,
    src/preprocessors/snort_httpinspect.c:
      HTTP Inspect's "unlimited_decompress" option now requires that
      "compress_depth" and "decompress_depth" are set to their max values.
  * src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h,
    dynamic-plugins/sf_dynamic_engine.h,
    preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed an error that prevented compiling with --disable-dynamicplugin.
      Thanks to Jason Wallace for reporting this issue.
  * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c,
    snort_ftptelnet.h, spp_ftptelnet.c:
      Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside
      the ftp_telnet preprocessor to avoid a naming conflict with similar
      functions in HTTP Inspect.
      Thanks to Bruce Corwin for reporting this issue.
  * src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c,
    perf-flow.h:
      Fixed comparisons between signed and unsigned int, which lead to
      a faulty length check.
      Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this
      issue.

2011-02-28 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0.4
  * src/build.h:
      Increment Snort build number to 111.
  * src/preprocessors/HttpInspect/client/hi_client.c:
    src/preprocessors/HttpInspect/server/hi_server.c:
      Fixed a bug in the way partial HTTP headers are handled.

2011-02-10 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0.4
  * src/build.h: Increment Snort build number to 110
  * snort.8, src/snort.c:
    Updated Snort man page to match the output of "snort --help".
    Removed "-o" from the list of valid options, since it was removed
    a while ago.
    The verdict from defragged packets are no longer cleared, so that
    they can be applied to the raw packet.
    Thanks to Markus Lude for submitting a patch that fixed errors in the
    man page.
  * src/fpcreate.c:
    Deletec the call to fpDeletePortGroup() prior to calling FatalError().
  * src/parser.c:
    Fixed portvar parsing code to correctly dislpay names of undefined
    portvars.
  * src/preprocessors/Stream5/snort_stream5_tcp.c:
    Fixed a FIN sequence number handling issue, where RST after FIN caused a
    false positive on Stream5 preprocessor rule 129:15.
    Thanks to Jason Wallace for pointing out the issue.
  * doc/: INSTALL, README.frag3, README.http_inspect, README.stream5,
    snort_manual.tex, snort_manual.pdf:
    Added documentation for the option "small-segments".
    Updated team members.
    Clarified some undocumented "flow" options.
    Minor edits to punctuation on "ssl_version" examples.
    Re-worded uricontent's description.
    Added missing semicolons to rule option examples.
    Updated "enable_cookie" documentation.
    Added documentation for "iis_encode" in http_encode keywords.
    Improved the description of the "disable" keyword.
    Added "--enable-sourcefire" description.
    Thanks to Joshua Kinard for sending in several patches to the manual.
  * doc/: Makefile.am, README.rzb_saac:
    Added SaaC readme. 
  * configure.in, doc/Makefile.am, doc/README.rzb_saac, src/snort.c,
    src/util.c, src/util.h,
    src/dynamic-plugins/sf_engine/examples/Makefile.am,
    src/dynamic-preprocessors/Makefile.am,
    src/dynamic-preprocessors/dns/spp_dns.c,
    src/dynamic-preprocessors/rzb_saac/Makefile.am,
    src/dynamic-preprocessors/rzb_saac/rzb_debug.c,
    src/dynamic-preprocessors/rzb_saac/rzb_debug.h,
    src/dynamic-preprocessors/rzb_saac/rzb_http-client.c,
    src/dynamic-preprocessors/rzb_saac/rzb_http-client.h,
    src/dynamic-preprocessors/rzb_saac/rzb_http-collector.h,
    src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c,
    src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h,
    src/dynamic-preprocessors/rzb_saac/rzb_http-server.c,
    src/dynamic-preprocessors/rzb_saac/rzb_http-server.h,
    src/dynamic-preprocessors/rzb_saac/rzb_http.h,
    src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c,
    src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h,
    src/dynamic-preprocessors/rzb_saac/sf_preproc_info.h,
    src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c:
    Added Razorback SaaC to the dynamic-preprocessors.
    Use --enable-rzb-saac to build it.  Moved the initgroups call to a
    separate function and call it from the main thread.
  * src/detection-plugins/sp_clientserver.c:
    Fixed an erroneous error check so that "no_frag" and "no_stream" can be
    used in the same "flow" rule option.
  * src/detection-plugins/sp_pattern_match.c:
    Rules that use a "depth" value lower than the length of their content
    now cause an error. Depth should be >= the content length.
  * src/detection-plugins/sp_tcp_flag_check.c:
    Changed the reserved bits flags "1, 2" to "C, E". The old values can still
    be used for backwards compatability.
  * preproc_rules/preprocessor.rules:
    Added references to FTP and SMTP preprocessor rules. 
  * src/dynamic-plugins/sf_engine/examples/: detection_lib_meta.h:
    Removed extraneous ifdef
  * src/: preprocessors/spp_frag3.c, preprocessors/spp_sfportscan.c,
    dynamic-preprocessors/dcerpc2/dce2_config.c:
    Added startup log message to show that the preprocessors are
    inactive when added to snort.conf as "disabled".
    Updated frag3 startup log to indicate the memcap frmo which prealloc
    fragments were generated.
  * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
    Updated the Frag3KeyCmp and Stream5KeyCmp functions to handle 32bit
    sparc platforms where 64bit pointer comparisons can cause bus
    errors. Thanks to Stephan for reporting this issue.
  * src/: preprocessors/portscan.c, win32/WIN32-Includes/config.h:
    Portscan preprocessor's hash table is now allocated based on
    the memcap, instead of being the same size.
  * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_utils.c, dce2_smb.c:
    Fixed a bug that caused dcerpc2 to reassemble some segments incorrectly.
    If extra bytes at the end of a request corrupt the next request, they
    will be discarded.
  * src/dynamic-preprocessors/ssl/spp_ssl.c:
    Updated the SSL preproc to count the packets it processes,
    instead of counting all packets to enter the intiial function.
  * doc/: faq.tex, faq.pdf:
    Updated FAQ based on snort.org reorganization. 
  * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex:
    Updated cookie documentation.
    Cookie buffer includes "Cookie" header name for HTTP requests and
    "Set-Cookie" for HTTP responses. When enable_cookie is disabled,
    cookie buffer points to the HTTP header
  * src/preprocessors/snort_httpinspect.c:
    Fixed the error message during parsing of HTTP inspect
    server config. Make it a warning. 
  * src/: detection_util.h, preprocessors/snort_httpinspect.c,
    preprocessors/spp_httpinspect.c,
    preprocessors/HttpInspect/client/hi_client.c,
    preprocessors/HttpInspect/include/hi_client.h,
    preprocessors/HttpInspect/include/hi_norm.h,
    preprocessors/HttpInspect/include/hi_ui_config.h,
    preprocessors/HttpInspect/normalization/hi_norm.c,
    preprocessors/HttpInspect/server/hi_server.c:
      Fixed a false positive due to a large chunk length followed
      by a small packet.
      Moved the lookup table such that they are initialized only once.
      When de-chunking returns error, the data is now inspected as a
      normal body.
      Moved the Initialize function out of hi_ui_config.h.
      CRLFs are no longer placed in the status message buffer.
  * many files:
    Updated all Sourcefire copyright notices to the year 2011.

2010-12-20 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0.3
  * src/build.h:
      Increment Snort build number to 98
  * doc/: snort_manual.tex, snort_manual.pdf:
      Fixed Snort manual descriptions of some rule options.
      Changed whitespace in several areas to be more consistent.
      Max mime mem example changed from 1000 to 4000.
      Updated manual for distance / within / offset / depth combos.
      Thanks to Joshua Kinard for submitting several fixes.
  * doc/INSTALL:
      Update doc/INSTALL with instructions for building on OpenBSD.
  * src/dynamic-preprocessors/smtp/smtp_config.c:
      Print alert_unknown_commands in SMTP config of snort output.
      Print the SMTP MIME config details with snort output.
  * src/: decode.c, decode.h, snort.c:
      discriminate between ip4 and ip6 raw packets
      Thanks to Gerald Maziarski for reporting this issue.
  * src/detection-plugins/: detection_options.c, sp_byte_jump.c,
      sp_pattern_match.c:
      restore doe flags along with doe pointer.
  * preproc_rules/preprocessor.rules:
      Updated preprocessor.rules references to match VRT.
  * src/dynamic-preprocessors/smtp/spp_smtp.c:
      When the SMTP preprocessor is started in a
      "disabled" state, it no longer requires Stream5.
  * src/decode.c:
      Truncated ESP traffic is now handled correctly.
      Thanks to rmkml for bringing the issue to our attention.
  * src/: decode.c, fpdetect.c:
      Fixed a problem with handling UDP/IPv6 over Teredo where the inner UDP
      header was malformed.
  * preproc_rules/preprocessor.rules:
      Added a reference to preprocessor.rules.
  * src/dynamic-preprocessors/smtp/spp_smtp.c:
      When the SMTP preprocessor is started in a
      "disabled" state, it no longer requires Stream5.
  * src/detection-plugins/: detection_options.c, sp_pattern_match.c:
      Update content to check for HTTP_RESP_BODY in packet flag
      if option is relative and not using rawbytes.
  * etc/snort.conf:
      Update with snort.conf from VRT
  * src/dynamic-plugins/sf_engine/examples/detection_lib_meta.h:
      Bumped minor version number in  example detection lib.
  * src/preprocessors/spp_frag3.c:
      Fix memory leak when there are two zero offset
      fragments with different IP options.  Previous code was blindly
      copying new IP options over top of existing ones.
  * src/dynamic-plugins/sf_engine/: sf_snort_detection_engine.c,
      sf_snort_plugin_api.h:
      Fixed overlaps in various flags in the Shared Object rule API.
      Shared Object rules from previous 2.9.0 versions need to be recompiled.
  * src/detection-plugins/sp_pattern_match.c:
      Moved non-zero initializations in the PatternMatchData struct
      to the NewNode() function. This fixes the use of depth, offset,
      distance, and within on uricontent options.
      Reject invalid combinations of distance/within and offset/depth
      including repeated keywords.
      Thanks to Dave Bertouille and Daniel Clemens for pointing out issues here.
  * src/: snort.c, util.c, util.h:
      write correct pid to file for glibc2.2 / linux threads
  * src/preprocessors/: snort_httpinspect.c,
      HttpInspect/mode_inspection/hi_mi.c:
      Fixed an instance where HTTP session data was not checked.
DAQ 0.5
  * daq/os-daq-modules/Makefile.am:
      The IPFW DAQ now builds on OpenBSD.
      Thanks to Ross Lawrie, Randall Rioux, and many others for reporting this.

2010-11-15 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0.2
    * preproc_rules/preprocessor.rules:
          Added a reference to an 0day ProFTP bug in a FTP
          preprocessor rule.
    * src/build.h:
          Increment Snort build number to 92
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
          Count only acked segs for flushing post-ack.  Thanks to Eoin Miller
          for helping track this issue and provide test scenarios.
    * src/detection_util.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
          fix file_data:mime in So rules. content matches following
          file_data:mime should not enter fast pattern matcher. Reset file_data_ptr once
          stream flush is done and stream reassembled packet is processed.
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
          Fix return value for SSL rule options
    * src/: plugbase.h, preprocessors/snort_httpinspect.c:
          Set the dce preproc bit in HTTP only when server flow depth is -1
    * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_smb.c,
      dce2_utils.c, dce2_utils.h, includes/smb.h:
          use offset or remaining fields and overwrite
          as appropriate instead of always appending data
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
          Fixed a couple of memory leaks.
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
          Fixed an error in the handling of HTTP Session Data.
    * doc/: README.http_inspect,snort_manual.pdf, snort_manual.tex:
          Update to the snort manual. remove the stream5
          alerts. reference the gen-msg.map.
    * preprocessors/Stream5/snort_stream5_tcp.c:
          urgent pointer handling corrected for one
          byte of urgent data at the start of a segment.  The general case
          of an N-byte urgent payload prefix would be handled here by
          removing the == 1 limit in urg_offset == 1 but that restrictio
          is not safe until we flush urgent data.  As is, urgent data is
          never flushed in reassembled packets and can only be detected i
          raw packets.
          pointer handling.
    * src/: decode.h, detection_util.h, plugbase.h,
      preprocessors/snort_httpinspect.c,
      preprocessors/snort_httpinspect.h,
      preprocessors/HttpInspect/server/hi_server.c,
          Apply server flow depth on a session basis
          rather than per packet basis.  This change improves the
          performance by disabling detect on packet when the packet is
          beyond the specified flow depth. server_flow_depth now takes
          values from -1 to 65535
    * src/parser.c:
          Correct setting of dup_opt_func and cleanup existing opt_func list before
          hand to address parse-time leak.

2010-11-01 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0.1
    * doc/: snort_manual.pdf, snort_manual.tex:
           Added "flush_factor".
           Fixed incorrect line wrap (thx Shawn Thompson). 
           values for within and depth updated
    * src/build.h:
           Increment Snort build number to 82.
    * src/preprocessors/HttpInspect/: client/hi_client.c,
      server/hi_server.c:
           HTTP header buffers (raw/normalized) now include the missing \n (of \r\n\r\n). 
    * src/target-based/sf_attribute_table.y:
          Set YYMAXDEPTH to something that covers large number of services for a single host. 
    * src/parser.c, src/preprocessors/spp_stream5.c,
      doc/snort_manual.pdf, doc/snort_manual.tex:
           Fix use of config flowbits_size and update default to 1024. 
    * src/detection-plugins/sp_pcre.c:
           Correct calculation of offset to its original now that libpcre is fixed. 
    * src/: detection-plugins/sp_pcre.c, win32/WIN32-Includes/pcre.h,
      win32/WIN32-Includes/pcreposix.h, win32/WIN32-Libraries/pcre.lib:
           Update Win32 libpcre to newer version and use --enable-newline-is-cr instead of
           --enable-newline-is-any.  Also added comments to sp_pcre.c in terms of how Snort is
           interpreting the ovector from pcre_exec.
    * etc/gen-msg.map:
           Added rules 120:4 and 120:5 to gen-msg.map. 
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
           Fix issue when handling overlap limit enforcement.  Thanks to rmkml
           and Miguel Alvarez for pointing out the issue.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
           fix flush after initial when acks are withheld
           conditional on NORMALIZER
           process stream after window slam unless normalizing
           fully separate pre-ack flush from post-ack flush to ensure switching on policy for listener direction;
           allow window limit greater than 16-bit; tweak flush point tracing.
           added preprocessor rule 129:19, window slam
    * src/preprocessors/Stream5/: snort_stream5_tcp.c,
      stream5_common.h:
           add stream5_tcp: flush_factor <#>
    * doc/snort_manual.tex, src/detection-plugins/sp_ttl_check.c:
          Allow >= and <= with ttl keyword. Also fix the parsing for ttl. Update manual
    * src/util.c:
           Make parent_wait variable volatile so it doesn't get optimized out.
    * src/decode.c:
           In CheckIPv4_MinTTL(), use the ttl passed as an argument instead of the packet's IP header.
    * preproc_rules/preprocessor.rules:
           adds preprocessor rule 129:19
    * etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
      src/generators.h:
           Ported .so rule for ICMP DOS to decoder. 
    * etc/gen-msg.map, src/generators.h,
    * src/: active.c, encode.c, detection-plugins/sp_react.c:
           set ack number appropriately
    * src/preprocessors/snort_httpinspect.c:
          file data ptr should be set to the decode buffer when the http response body is normalized. 
    * src/preprocessors/HttpInspect/: client/hi_client.c,
      server/hi_server.c:
          inspect stream inserted packets to check if they have a valid HTTP response.
          When there is a single segment HTTP response inspect the body.
          Dont wait for the reassembled packet ( due to flush point issues)
    * src/: detection_util.h, fpdetect.c,
      detection-plugins/sp_byte_check.c,
      detection-plugins/sp_byte_extract.c,
      detection-plugins/sp_byte_jump.c,
      detection-plugins/sp_ftpbounce.c,
      detection-plugins/sp_isdataat.c,
      detection-plugins/sp_pattern_match.c,
      detection-plugins/sp_pcre.c, preprocessors/snort_httpinspect.c,
      preprocessors/HttpInspect/server/hi_server.c:
           When extended_response_inspection is not enabled check for "HTTP".
           If present, apply flow depth otherwise do not disable detect and dont apply flow depth. 
    * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex:
           Update Manual and README.http_inspect
    * src/signature.c:
           remove commented out printfs
    * src/preprocessors/HttpInspect/server/hi_server.c:
          inspect stream reassembled packets only when stream reassembly is turned on. 
    * tools/u2boat/Makefile.am:
          Update Makefile to include docdir
    * src/encode.c:
           don't calculate checksum for pseudo-packets
    * src/: decode.c, decode.h, detect.c, detection_util.c,
      detection_util.h, fpdetect.c, log.c, log_text.c, mstring.c,
      detection-plugins/detection_options.c,
      detection-plugins/sp_asn1.c, detection-plugins/sp_base64_data.c,
      detection-plugins/sp_base64_decode.c,
      detection-plugins/sp_byte_check.c,
      detection-plugins/sp_byte_extract.c,
      detection-plugins/sp_byte_jump.c,
      detection-plugins/sp_file_data.c,
      detection-plugins/sp_ftpbounce.c,
      detection-plugins/sp_isdataat.c,
      detection-plugins/sp_pattern_match.c,
      detection-plugins/sp_pcre.c, detection-plugins/sp_urilen_check.c,
      dynamic-plugins/sf_dynamic_common.h,
      dynamic-plugins/sf_dynamic_engine.h,
      dynamic-plugins/sf_dynamic_plugins.c,
      dynamic-plugins/sf_dynamic_preprocessor.h,
      dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
      dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
      dynamic-preprocessors/ftptelnet/pp_ftp.c,
      dynamic-preprocessors/ftptelnet/pp_telnet.c,
      dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
      dynamic-preprocessors/smtp/smtp_util.c,
      dynamic-preprocessors/smtp/snort_smtp.c,
      output-plugins/spo_unified2.c, preprocessors/snort_httpinspect.c,
      preprocessors/spp_httpinspect.c, preprocessors/spp_rpc_decode.c,
      preprocessors/HttpInspect/client/hi_client.c,
      preprocessors/HttpInspect/normalization/hi_norm.c,
      preprocessors/HttpInspect/server/hi_server.c,
      preprocessors/HttpInspect/server/hi_server_norm.c,
      preprocessors/Stream5/snort_stream5_tcp.c:
          add buffer length attribute to alt decode buffer and don't set alt decode flag for alt_dsize changes
          which are indicated by that value being non-zero. 
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
          purge listener for pre-ack
          Flip the direction to match that the configurations in stream5_tcp. 
    * src/: decode.h, preprocessors/spp_httpinspect.c,
      preprocessors/HttpInspect/normalization/hi_norm.c:
          add new keyword to http_encode to detect ascii encoding
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
           Propigate noalert back to detection option tree.
    * src/: parser.c, signature.c, signature.h:
          Allow multiple .so rules to reference a single soid metadata. 
    * doc/: README.active, README.daq, snort_manual.pdf,
      snort_manual.tex:
          clarify use of multiple --daq and config daq. 
    * src/parser.c:
          error on  multiple --daq args

2010-10-04 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0
    * doc/Makefile.am:
    * doc/README.FLEXRESP:
    * doc/README.FLEXRESP2:
    * doc/README.http_inspect:
    * doc/README.INLINE:
    * doc/README.ipv6:
    * doc/README.stream5:
    * doc/README.wireless:
    * doc/snort_manual.tex:
      Removed obsolete README files. Updated README.ipv6.
      Documented other changes made below.

    * etc/gen-msg.map:
    * preproc_rules/preprocessor.rules:
    * src/generators.h:
      Added new preprocessor rules for HTTP Inspect and Frag3.
      Removed an old preprocessor rule for the already-removed dcerpc
      preprocessor.

    * rpm/snort.spec:
    * src/build.h:
      Updated version numbers.

    * src/dynamic-plugins/sp_dynamic.c:
    * src/fpcreate.c:
      Shared Object rules which use HTTP Content as their Fast Pattern
      should now work correctly.

    * src/decode.c:
    * src/decode.h:
    * src/detection-plugins/detection_options.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
    * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
    * src/dynamic-preprocessors/sdf/spp_sdf.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/parser.c:
    * src/ppm.c:
    * src/ppm.h:
    * src/profiler.c:
    * src/target-based/sf_attribute_table_parser.l:
      Miscellaneous code cleanup.
      Other preprocessor rules had to be modified as part of the new Stream5
      rule option listed below.

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_norm.h:
    * src/preprocessors/HttpInspect/include/hi_server_norm.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/server/hi_server_norm.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/spp_httpinspect.c:
    * src/sfutil/util_utf.c:
    * src/sfutil/util_utf.h:
    * src/sfutil/Makefile.am:
    * snort_head/snort/src/win32/WIN32-Prj/snort.dsp:
      HTTP Inspect now handles "chunked" Transfer-Encoding for any Content-Encoding,
      not just for gzipped responses.
      HTTP Inspect now decompresses responses with "Content-Encoding: deflate".
      HTTP Inspect now normalizes server responses that use UTF-16 or UTF-32
      charsets.

    * src/preprocessors/portscan.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed an issue with some Stream5 sessions not being cleared until shutdown.
      Fixed a bug that caused false positives on Stream5 rule 129:4.
      Fixed a bug where Stream5 reassembled on all ports when sfportscan was in
      snort.conf, but in a "disabled" state.
      Added a preprocessor rule option, enabled by Stream5. The syntax is
      "reassembly: <on|off>,<client|server|both> [,noalert]". It enables/disables
      Stream reassembly for the session that matches the rule.

2010-09-03 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0 RC
    * Fixed clean shutdown after reload.
    * Fixed tagging to log tagged packets regardless of filtering.
    * Fixed mempool initialization of free list count bug reported by
      zhangz@risinginfo.com.
    * Snort resized packets are now dropped and injected as required by DAQs.
    * Fixed Snort I/O Totals reporting injected packets with IPFW when NO
      packets are injected externally.
    * Tweaked Snort's dynamic preprocessor example.
    * More informative dynamic preprocessor loading error messages.
    * Added preprocessor alerts added to alert when Snort sees a client hello
      after a server hello or when Snort sees a server hello without a client
      hello when trustservers is disabled.
    * Documentation Updates: Updates to HTTP inspect README and Snort Manual.
    * Added parser error to fragoffset: Error when !, < and > operators are
      used with each other.
    * Updated README for daq with updated information on firewalls with FreeBSD
      and OpenBSD
    * Added more complete error checking to "byte_extract" rule option parsing.
    * The Sensitive Data preprocessor no longer searches HTTP headers for PII, as
      this introduced unnecessary false positives. In addition, the
      "us_social_nodashes" rule is now off by default to avoid false positives.
    * Added a new decoder alert for IPv6 extension headers that don't follow the
      RFC's recommended order.
    * Fixed a bug in the validation of IPv6 option lengths.
    * Fixed a bug in the normalization of HTTP responses with both gzipped
      Content-Encoding and chunked Transfer-Encoding.
    * Teredo packets with another layer of UDP on top will now display the correct
      port numbers in console output.
    * Reduced false positives on decoder alerts when "config deep_teredo_inspection"
      is enabled.
    * Fixed a problem with evaulating UDP rules on Teredo traffic, where the result
      of rule evaluation on the outer UDP
    * Changed the default search methond in snort.conf from "ac-bnfa" to "ac-split".

2010-06-23 Steven Sturges <ssturges@sourcefire.com>
    * doc/README.active:
    * doc/README.http_inspect:
    * doc/README.ssl:
    * doc/snort_manual.tex:
      Updated descripgions of rule options.
    * etc/gen-msg.map:
      Update messages for IPv6 decoder events.
    * src/win32/Makefile.am:
    * src/win32/WIN32-Includes/libnet/Devioctl.h:
    * src/win32/WIN32-Includes/libnet/gnuc.h:
    * src/win32/WIN32-Includes/libnet/ifaddrlist.h:
    * src/win32/WIN32-Includes/libnet/IPExport.h:
    * src/win32/WIN32-Includes/libnet/IPHlpApi.h:
    * src/win32/WIN32-Includes/libnet/IPTypes.h:
    * src/win32/WIN32-Includes/libnet/libnet-asn1.h:
    * src/win32/WIN32-Includes/libnet/libnet-functions.h:
    * src/win32/WIN32-Includes/libnet/libnet.h:
    * src/win32/WIN32-Includes/libnet/libnet-headers.h:
    * src/win32/WIN32-Includes/libnet/libnet-macros.h:
    * src/win32/WIN32-Includes/libnet/LibnetNT.h:
    * src/win32/WIN32-Includes/libnet/libnet-ospf.h:
    * src/win32/WIN32-Includes/libnet/libnet-structures.h:
    * src/win32/WIN32-Includes/libnet/Ntddpack.h:
    * src/win32/WIN32-Includes/libnet/packet_types.h:
    * src/win32/WIN32-Includes/libnet/NTDDNDIS.H:
    * src/win32/WIN32-Includes/libnet/PACKET32.H:
    * src/win32/WIN32-Includes/mysql/config-netware.h:
    * src/win32/WIN32-Includes/mysql/config-os2.h:
    * src/win32/WIN32-Includes/mysql/config-win.h:
    * src/win32/WIN32-Includes/mysql/libmysqld.def:
    * src/win32/WIN32-Includes/mysql/libmysql.def:
    * src/win32/WIN32-Includes/mysql/m_ctype.h:
    * src/win32/WIN32-Includes/mysql/m_string.h:
    * src/win32/WIN32-Includes/mysql/my_dbug.h:
    * src/win32/WIN32-Includes/mysql/my_getopt.h:
    * src/win32/WIN32-Includes/mysql/my_global.h
    * src/win32/WIN32-Includes/mysql/my_pthread.h:
    * src/win32/WIN32-Includes/mysql/mysqld_error.h:
    * src/win32/WIN32-Includes/mysql/mysql_embed.h:
    * src/win32/WIN32-Includes/mysql/my_sys.h:
    * src/win32/WIN32-Includes/mysql/raid.h:
    * src/win32/WIN32-Libraries/libnet/LibnetNT.lib:
    * src/inline.c:
    * src/inline.h:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
      Remove dead files.
    * src/active.c:
    * src/preprocessors/normalize.c:
    * src/preprocessors/spp_normalize.c:
      DAQ capability updates
    * src/decode.c:
    * src/decode.h:
    * src/generators.h:
      IPv6 decoding updates
    * src/decode.c:
    * src/log.c:
    * src/log.h:
    * src/log_text.c:
    * src/log_text.h:
      Improvement of packet output when obfuscating IP addresses.
    * src/detection-plugins/sp_byte_jump.c:
      Updates to multiplier parameter handling.
    * src/detection-plugins/sp_react.c:
      Added HTTP header to response payload.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Update to handling string format detection.
    * src/dynamic-preprocessors/libs/ssl.c:
    * src/dynamic-preprocessors/libs/ssl.h:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
      Updates to handling of SSL rule options when handshake says SSLv2
      but certificate is SSLv3 and interaction with Stream reassembled
      packets.
    * src/dynamic-preprocessors/sdf/spp_sdf.c:
      Display configuration information at startup.
    * src/fpdetect.c:
      Improved handling of gzip decoded buffer for fast pattern searches.
    * src/parser.c:
      Updates to parsing of IP variables with negated IP ranges.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
      Chunk encoding processing updates.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/Makefile.am:
    * src/preprocessors/HttpInspect/include/hi_cmd_lookup.h:
    * src/preprocessors/HttpInspect/Makefile.am:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/HttpInspect/utils/Makefile.am:
    * src/preprocessors/HttpInspect/utils/hi_cmd_lookup.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/spp_httpinspect.c:
      Use lookup for HTTP method validation.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Updated state tracking for FIN_WAIT_2 and LAST_ACK
    * src/sfdaq.c:
    * src/sfdaq.h:
    * src/snort.c:
    * src/util.c:
      Handle -g/-u limited with DAQ modules that require root privs.

2010-06-16 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0 Beta
    * Snort uses the DAQ library for packet acquisition and injection.
      ./configure --enable-inline and --enable-ipfw are deleted.  Just run ./snort
      -Q to activate inline mode for DAQs that support it.  See the README.daq there
      for more.
    * A normalizer preprocessor has been added to help minimize evasion vectors.
      Use ./configure --enable-normalizer to build and config normalize_* to
      enable.  See README.normalize for more.
    * Flexresp and flexresp2 have been replaced with a new flexresp3 module that
      supports the rule keywords from each.  ./configure --enable-flexresp
      --enable-flexresp2 are deprecated.
    * The react rule option has been rewritten to correct a number of issues.  You
      can also customize the injected content with config react.  Use ./configure
      --enable-react to build.
    * config min_ttl is now policy specific.  You can also set a normalization
      value with config new_ttl.
    * Snort has a new active response capability.  Build it with ./configure
      --enable-active-response.  This mode enables automatically sending TCP resets
      and ICMP unreachables.  See README.active for more.
    * Passive mode Snort can now inject packets for drop, sdrop, and reject rules.
      In addition, block and sblock rules have been added as synonyms for drop and
      sdrop to help avoid confusion between dropped packets and blocked packets.
      Configure with config response.
    * Snort shutdown output now includes new counts so you can see if any events
      are not being reported due to event queue and pattern matching
      configurations.  Also, ./configure --enable-timestats has been eliminated but
      the shutdown output of packet rates has been made standard.
    * BPFs can be written for IPv6.
    * ./snort -T has bee expanded to validate more than just the conf.  For
      example, you can now validate BPFs.
    * Snort no longer depends on libnet and uses libdnet instead.
    * Added the "byte_extract" detection option. This saves bytes from the packet
      into variables for use by other options.
    * Added support for byte_extract variables in the following rule options
      * content (offset, depth, distance, within)
      * byte_test (offset, comparison value)
      * byte_jump (offset)
      * isdataat (offset)
    * Added decoder support for Teredo tunneling (IPv6 over UDP over IPv4).
    * Added decoder support for Encapsulated Security Payload (ESP) with NULL encryption.
    * Added 18 decoder rules for different types of malformed IPv6 headers.
    * Moved 24 content-less rules into the packet decoder.
    * The Sensitive Data preprocessor now prints its configuration on startup.
    * Fixed the Snort RPM so that it installs the Sensitive Data preprocessor.
    * Updated the description of the "-h" option in the Snort help output.
    * Added a tools directory, with "u2boat" and "u2spewfoo". These programs can be
      used to turn Unified2 files into pcaps and console output, respectively.
    * Replaced Unified with Unified2 in snort.conf.
    * Moved the rules/ directory into its own separate tarball.
    * Snort will print encapsulated layers in text output.
    * Initial iteration of DCE/RPC preprocessor removed.
    * SO rule updates.  Updated storeRuleData() and getRuleData() API
      functions.  Added dynamic allocation functions allocRuleData() and
      freeRuleData() mainly for data stored on a stream session and to
      utilize a new configuration option to put a memcap on the amount of
      data SO rules allocate.
    * Fixed possible non-runtime memory leak in SO rule preprocessor rule
      options.
    * Added negation support to SSL preprocessor rule options ssl_state and
      ssl_version
    * Added support for Intel's Soft CPM for use as a fast pattern matcher.
    * Fixed issue when specifying a --pcap-dir where Snort would fatal
      error if there was a broken symbolic link under the directory.
    * Fixed an issue where copying an SO rule stub to modify the rule
      action, IPs and/or ports didn't work as expected.
    * Set state in SSL preprocessor even if record is truncated.
    * Fixed inconsistency with flowbits behaviour if stream session timed
      out.  stream5 now resets flowbits on a timeout.
    * Snort will now fatal error if adaptive profiles is enabled in any
      policy other than the default policy.
    * Fixed false positives caused by using the fast_pattern option with
      the "only" argument on an http content in a rule.
    * Fix OpenBSD compile with --enable-prelude.
    * Fixed issue in SO rules converted to text rules that were not
      setting mutliplier correctly.
    * Fixed inconsistencies in behaviour with user defined rule types.
    * Snort will now throw validation error for ipvar definition with
      negated ip list that is more general that other ip list in
      definition.
    * Added support for IP variable substitution.
    * Created new decoder event for ICMP PATH MTU denial of service
      attempt.
    * Fixed SSL preprocessor to potentially update state before
      reassmebled packet is decoded.
    * Added a new argument "mime" to the detection option "file_data".
      This argument will set the doe_ptr to the start of the base64 decoded
      MIME attachment. New config options "enable_mime_decoding", "max_mime_depth"
      and "max_mime_mem" are added to SMTP configuration to support this feature.
    * Added the "base64_decode" and "base64_data" detection option.
      The "base64_decode" decodes the base64 encoded data. The "base64_data"
      points the doe_ptr to the start of the base64 decoded buffer.
    * Added a new mode "inline-test". This mode simulates the inline mode of snort,
      allowing evaluation of inline behavior without affecting traffic. The command
      line option --enable-inline-test and snort config option policy_mode:inline_test
      added to support this feature. The drop rules will be loaded and will be
      triggered as a Wdrop (Would Drop) alert.
    * Added the support to extract the original client IP from the X-Forwarded-For
      or True-Client-IP headers. This client IP will now be logged to the unified2
      output when HTTP Inspect is configured with enable_xff.
    * Added support to u2spewfoo to read the Orginal Client IP, Wdrop Alerts, Gzip decompressed Data.
    * Added support to print the Gzip decompressed data with cmg output.

2010-04-16 Ryan Jordan <ryan.jordan@sourcefire.com>
    * doc/README.dcerpc:
    * doc/README.dcerpc2:
    * doc/README.flowbits:
    * doc/README.frag3:
    * doc/README.http_inspect:
    * doc/README.PerfProfiling:
    * doc/README.sensitive_data:
    * doc/README.sfportscan:
    * doc/README.stream5:
    * doc/snort_manual.tex:
       Updated Snort documentation

    * etc/classification.config:
    * etc/gen-msg.map:
    * etc/snort.conf:
       Replaced snort.conf with the version we ship in the rules tarball.
       Fixed a duplicate entry in gen-msg.map.

    * src/decode.c:
    * src/decode.h:
      Added alert for IPv6/UDP packets with zero checksum.

    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_isdataat.c:
       For byte_test, byte_jump, and isdataat, only do an in bounds check of
       the doe_ptr if the rule option is relative and will be using the doe_ptr.
    * src/detection-plugins/sp_pattern_match.c:
       Fixed a valgrind error.
    * src/detection-plugins/sp_react.c:
       Removed instances of the word "porn" from Snort.

    * src/dynamic-plugins/sf_convert_dynamic.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sp_dynamic.c:
       Changed the parsing of dynamic detection plugins to register dynamic
       rules per policy.

    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_ignore.h:
    * src/target-based/sftarget_protocol_reference.c:
       The FTP preprocessor now marks data channels with the "ftp-data"
       service identifier. Adaptive profiling must be turned on for this.

    * src/dynamic-preprocessors/sdf/sdf_credit_card.c:
    * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
    * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
    * src/dynamic-preprocessors/sdf/sdf_pattern_match.h:
    * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
    * src/dynamic-preprocessors/sdf/spp_sdf.c:
    * src/dynamic-preprocessors/sdf/spp_sdf.h:
    * src/generators.h:
       Moved the sensitive data preprocessor's preproc rule to GID 139.
       Fixed the ability to reload Snort with sensitive_data turned on.
       Fixed bugs in the parsing of "sd_pattern" rules that overlapped.
       U.S. Social Security numbers are now required to have non-digits on
         either side in order to cause a match.

    * src/mempool.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_mi.h:
    * src/preprocessors/HttpInspect/include/hi_server.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_util.h:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
       Added a "max_gzip_mem" option to http_inspect. Use this to set
         the maximum amount of memory used for gzip decompression.
       The "+" sign is now normalized to a space.
       Added a "disable" option to http_inspect so that a memcap can
         be set without enabling http_inspect across all VLANs.

    * src/preprocessors/sfprocpidstats.c:
    * src/preprocessors/sfprocpidstats.h:
    * src/preprocessors/spp_perfmonitor.c:
       Fixed a memory leak.

    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
       Fixed an issue that could cause Snort to take minutes to reload.

    * src/snort.c:
       Unblocked signals that Snort does not handle itself.

    * src/win32/Makefile.am:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/mysql/config-netware.h:
    * src/win32/WIN32-Includes/mysql/config-os2.h:
    * src/win32/WIN32-Includes/mysql/config-win.h:
    * src/win32/WIN32-Includes/mysql/errmsg.h:
    * src/win32/WIN32-Includes/mysql/libmysqld.def:
    * src/win32/WIN32-Includes/mysql/libmysql.def:
    * src/win32/WIN32-Includes/mysql/m_ctype.h:
    * src/win32/WIN32-Includes/mysql/m_string.h:
    * src/win32/WIN32-Includes/mysql/my_alloc.h:
    * src/win32/WIN32-Includes/mysql/my_dbug.h:
    * src/win32/WIN32-Includes/mysql/my_getopt.h:
    * src/win32/WIN32-Includes/mysql/my_global.h:
    * src/win32/WIN32-Includes/mysql/my_list.h:
    * src/win32/WIN32-Includes/mysql/my_pthread.h:
    * src/win32/WIN32-Includes/mysql/mysql_com.h:
    * src/win32/WIN32-Includes/mysql/mysqld_error.h:
    * src/win32/WIN32-Includes/mysql/mysql_embed.h:
    * src/win32/WIN32-Includes/mysql/mysql.h:
    * src/win32/WIN32-Includes/mysql/mysql_time.h:
    * src/win32/WIN32-Includes/mysql/mysql_version.h:
    * src/win32/WIN32-Includes/mysql/my_sys.h:
    * src/win32/WIN32-Includes/mysql/raid.h:
    * src/win32/WIN32-Includes/mysql/typelib.h:
    * src/win32/WIN32-Prj/snort.dsw:
    * src/win32/WIN32-Prj/snort_installer.nsi:
       Updated the MySQL client library in the Windows build.
       Fixed a conflict between MSSQL headers and the newer Windows Platform SDK.


2010-01-27 Ryan Jordan <ryan.jordan@sourcefire.com>
    * doc/Makefile.am:
       Added README.sensitive_data
    * doc/README.dcerpc2:
       Removed "events" from default configuration.
    * doc/README.http_inspect:
       Added support for extended ascii codes in HTTP request URI using a new configurable option "extended_ascii_uri"
       Changed the pattern match to search only the HTTP response body when extended response inspection is enabled. Also copy only the decompressed data into the decode buffer.
    * doc/README.INLINE:
       Content replacement now allows replacement strings of varying sizes.
    * doc/README.multipleconfigs:
       Limit number of individual networks per line to 512.
    * doc/README.stream5:
       Removed "min_ttl" option, added the latest stream alerts.
    * doc/snort_manual.tex:
       Fixed typos, updated the Snort manual to match the README updates.
       Eliminated the kick-ass and the lotion.
       Updated with new PCRE options.
    * etc/classification.config:
       Cleaned up classification.config. Thanks to Guise McAllaster for reporting this issue.
    * etc/gen-msg.map:
       Added sig ID for http_inspect's chunk size mismatch.
    * etc/snort.conf:
       Fixed typos. Default "dynamicengine" entry is now specified by directory.
    * src/build.h:
       Updated build number.
    * src/checksum.h:
      checksum calculation for icmpv6 added . also fixed a warning in hi_client.c
    * src/configure.in:
      Updated makefile/configure script to optionally build dynamic examples.
      Thanks to Markus Lude for raising the issue.

      Fixed linker option on Solaris 10 to use nanosleep.
      Thanks to Randal T. Rioux for reporting this issue.
    * src/decode.c:
      checksum calculation for icmpv6 added . also fixed a warning in hi_client.c
    * src/decode.h:
      Change the pattern match to search only the HTTP response body when extended response inspection is enabled. Also copy only the decompressed data into the decode buffer.
    * src/detect.c:
       Formatting changes.
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_ip_proto.c:
       Replaced strol and strtoul with inline functions that reset errno first.
    * src/detection-plugins/sp_pattern_match.c:
       Check if file_data is within the packet boundaries and set the search depth accordingly.
    * src/detection-plugins/sp_pcre.c:
       Pcre new options fix. Raw options and status options werent matching as expected.
    * src/detection-plugins/sp_replace.c:
       checksum calculation for icmpv6 added . also fixed a warning in hi_client.c
    * src/dynamic-examples/Makefile.am:
    * src/Makefile.am:
       Update makefile/configure script to optionally build dynamic examples.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
       Replaced strol and strtoul with inline functions that reset errno first.
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/preprocessors/spp_frag3.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/sfutil/sfeventq.h:
    * src/snort.c:
    * src/snort.h:
       Fixed a bug where Snort would log a packet other than the one triggering the alert.
    * src/dynamic-preprocessors/dcerpc2/dce2_debug.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/libs/sfparser.c:
    * src/output-plugins/spo_unified2.c:
    * src/parser.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
       Replaced strol and strtoul with inline functions that reset errno first.
    * src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/ssh/sf_preproc_info.h:
    * src/dynamic-preprocessors/ssl/sf_preproc_info.h:
       Updated build version number.
    * src/dynamic-preprocessors/sdf/.cvsignore:
       Added .cvsignore file
    * src/dynamic-preprocessors/sdf/sdf_credit_card.c:
    * src/dynamic-preprocessors/sdf/sdf_credit_card.h:
       Added license text.
       Added check for the Issuer Number in credit card numbers.
    * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
    * src/dynamic-preprocessors/sdf/sdf_detection_option.h:
    * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
    * src/dynamic-preprocessors/sdf/sdf_pattern_match.h:
       Added license text.
       Fixed error when using the same sensitive data rule in multiple policies.
       Sensitive data rules must use the preprocessor's generator ID.
    * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
    * src/dynamic-preprocessors/sdf/sdf_us_ssn.h:
       Added license text.
    * src/dynamic-preprocessors/sdf/spp_sdf.c:
    * src/dynamic-preprocessors/sdf/spp_sdf.h:
       Fixed double-free when the preprocessor was enabled in multiple policies.
       Added the ability to search HTTP Uri buffers for sensitive data.
       Fixed the pcap header for pseudo-packets generated by the preprocessor.
    * src/fpcreate.c:
       OpenBSD update
    * src/generators.h:
       Added alert for HTTP chunk size mismatch.
    * src/obfuscation.c:
       Made a debug message optionally compilable.
    * src/output-plugins/spo_log_tcpdump.c:
       Fix use of -L option to work correctly.
       Thanks to Allan Adkins for reporting this issue.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_util.h:
    * src/preprocessors/HttpInspect/server/hi_server.c:
      Added http response stats.
      Added support for extended ascii codes in HTTP request URI
        using a new configurable option "extended_ascii_uri"
      Added an alert for incorrect chunk size fields.
    * src/preprocessors/perf.c:
       Fixed null deref when "rotate stats" signal was caught w/out perfmon enabled.
    * src/preprocessors/snort_httpinspect.c:
       Fixed a case where the HTTP Inspect preprocessor would disable the Sensitive Data preprocessor.
    * src/preprocessors/spp_httpinspect.c:
       Decompressed bytes read will now be based on the total out of zstream.
    * src/target-based/sftarget_reader.c:
       attribute table printing - converting to host order before printing the ip address
    * src/util.c:
    * src/util.h:
      adding zlib version information for snort -V
    * src/win32/Makefile.am:
       Add zlib 1.2.3 to Win32 build.
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/zlib/zconf.h:
    * src/win32/WIN32-Includes/zlib/zlib.h:
    * src/win32/WIN32-Prj/snort.dsp:
       Add zlib 1.2.3 to Win32 build.
    * src/win32/WIN32-Prj/snort_installer.nsi:
       Added Sensitive Data preproc to Windows installer script.

2009-12-21 Ryan Jordan <ryan.jordan@sourcefire.com>
    * doc/README.dcerpc:
      Added deprecation notice.
    * doc/README.dcerpc2:
      Added note about fast pattern contents.
    * doc/README.filters:
      Slight change to indicate that filters were introduced in 2.8.5,
      which is no longer the current version.
    * doc/README.flowbits:
      Added documentation for flowbit groups.
    * doc/README.http_inspect:
      Added documentation for new HTTP rule options.
    * doc/snort_manual.tex:
      Updated for HTTP rule options and other cleanup.
    * doc/TODO:
      Removed obfuscation code from the TODO.
    * etc/gen-msg.map:
      Added new Stream5 alert for the "TCP 4-way handshake"
    * etc/snort.conf:
      Fixed typos. Added examples for Unified2 output and Sensitive Data
      preprocessor config.
    * rpm/snort.spec:
      Updated version number.
    * src/bounds.h:
      Formatting change. Added "SafeMemCheck" function. Modified "SafeMemcpy"
      and "SafeMemset" to use it.
    * src/build.h:
      Updated build number.
    * src/debug.c:
      Moved definition for snort_conf.
    * src/decode.h:
      Made changes for HTTP response gzip support.
    * src/detect.c:
      Updated to use new Obfuscation API.
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
      Added support for ac "split" pattern matcher to use less memory with
      improved performance over ac-bnfa.  Thanks to Charlie Lasswell for
      the ideas!
    * src/detect.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/inline.c:
    * src/profiler.c:
    * src/rate_filter.h:
    * src/rules.h:
    * src/tag.c:
    * src/tag.h:
    * src/treenodes.h:
      OTNs and RTNs were moved to their own header file.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/sp_file_data.c:
    * src/detection-plugins/sp_file_data.h:
      New detection option "file_data" was added.
    * src/detection-plugins/detection_options.h:
    * src/rule_option_types.h:
      Moved option_type_t to its own header file.
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
      allowing flowbits group name only with set and toggle operations
      check if the content rules have http modifiers.
    * src/detection-plugins/sp_replace.c:
      need to check from the relative depth for bounds
      adjust the bounds while replacing to prevent buffer overflow.
      allow replace with different size strings. enhancement to replace.
    * src/detection-plugins/sp_isdataat.c:
      negated isdataat support.
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
      Update pattern match parsing to error on invalid rules.
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_proto.h:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_pcre.h:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
      Updated calls to RegisterRuleOption() to match new definiton.
    * src/dynamic-plugins/sf_convert_dynamic.c:
      Updated conversion of Content and PCRE rule options to match HTTP changes.
    * src/dynamic-plugins/sf_dynamic_common.h:
      Updated HTTP flags.
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
      Added definition of OTN Handler.  A detection option or preprocessor can
      register one of these to get the OTN of any rule using its rule option.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
      Added several items to DynamicPreprocessorData, to allow dynamic
      preprocessors to call more Snort functions.
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
      Check for HTTP modifiers to Content and PCRE options in shared object
      rules.
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
      Added missing Packet member to SFSnortPacket.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
      Moved DCERPC_FragType definition.
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_sfportscan.c:
      Added "disabled" option to frag3_global, stream5_global, portscan,
      dcerpc, and dcerpc2 preprocessor configurations so that memcaps can be
      specified in the default configuration w/o enabling that preprocessor.
      This allows specification of the preprocessors only in the desired
      configuration.
    * src/dynamic-preprocessors/dcerpc/Makefile.am:
    * src/dynamic-preprocessors/dcerpc2/Makefile.am:
    * src/dynamic-preprocessors/dns/Makefile.am:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/ssh/Makefile.am:
    * src/dynamic-preprocessors/ssl/Makefile.am:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ssl/sf_ssl.dsp:
      Fix make dist to include all required files.
    * src/dynamic-preprocessors/dcerpc2/dce2_event.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_list.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
    * src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h:
      Changed use of some integers to enumerated types.
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
      Added dce_iface options to the fast pattern matcher.
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Added sensitive data to the list of preprocs that get re-enabled after
      disabling detection.
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
      Removed config file/line from error message since not set at this point.
      Also removed redundant "dcerpc2 configuration" text.
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/treenodes.sed:
      Included more header files for use in dynamic preprocessors.
    * src/dynamic-preprocessors/sdf/Makefile.am:
    * src/dynamic-preprocessors/sdf/sdf_credit_card.c:
    * src/dynamic-preprocessors/sdf/sdf_credit_card.h:
    * src/dynamic-preprocessors/sdf/sdf_detection_option.c:
    * src/dynamic-preprocessors/sdf/sdf_detection_option.h:
    * src/dynamic-preprocessors/sdf/sdf_pattern_match.c:
    * src/dynamic-preprocessors/sdf/sdf_pattern_match.h:
    * src/dynamic-preprocessors/sdf/sdf_us_ssn.c:
    * src/dynamic-preprocessors/sdf/sdf_us_ssn.h:
    * src/dynamic-preprocessors/sdf/sf_preproc_info.h:
    * src/dynamic-preprocessors/sdf/sf_sdf.dsp:
    * src/dynamic-preprocessors/sdf/spp_sdf.c:
    * src/dynamic-preprocessors/sdf/spp_sdf.h:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/preprocids.h:
    * doc/README.sensitive_data:
    * doc/snort_manual.tex:
      Added Sensitive Data preprocessor. It performs detection of Personally
      Identifiable Information, such as credit card numbers and U.S. Social
      Security numbers.
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
      Formatting change.
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
      Content rules with the new HTTP modifiers can use the fast pattern
      matcher.
    * src/generators.h:
      Added SIDs for new preprocessor alerts.
    * src/Makefile.am:
      Added new files to Makefile.
    * src/obfuscation.c:
    * src/obfuscation.h:
    * src/util.c:
    * src/util.h:
      Fixed output obfuscation, and added an Obfuscation API for use in
      preprocessors & output plugins.
    * src/log.c:
    * src/log.h:
    * src/log_text.c:
    * src/log_text.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_test.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_null.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified2.c:
    * src/output-plugins/spo_unified.c:
      Modified several output plugins to print obfuscated data using the new
      Obfuscation API.
    * src/parser.c:
    * src/parser.h:
      Added support for OTN handlers.  Added support for using new http
      content options with the fast pattern matcher.
    * src/pcrm.c:
    * src/pcrm.h:
      Formatting changes.
    * src/plugbase.c:
    * src/plugbase.h:
      Added OTN handler argument to the RegisterRuleOption() function.
      Initialized the "file_data" rule option.
    * src/ppm.c:
    * src/ppm.h:
      Remove non-portlists code.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_mi.h:
    * src/preprocessors/HttpInspect/include/hi_norm.h:
    * src/preprocessors/HttpInspect/include/hi_server.h:
    * src/preprocessors/HttpInspect/include/hi_server_norm.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_util.h:
    * src/preprocessors/HttpInspect/include/Makefile.am:
    * src/preprocessors/HttpInspect/Makefile.am:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/server/hi_server_norm.c:
    * src/preprocessors/HttpInspect/server/Makefile.am:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/spp_httpinspect.c:
      New feature for HTTP Inspect to split requests into 5 components -
      Method, URI, Header (non-cookie), Cookies, Body.
      Added HTTP server specific configurations to normalize HTTP header
      and/or cookie buffers.  Provided content and PCRE modifiers to allow
      searches within one or more of those individual buffers.  Added content
      modifier to allow rule writer to specify content to be used for fast
      pattern matcher.  Updated dynamic rule API to allow searches within
      the new buffers.
    * src/preprocessors/perf.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf-flow.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
      Add Flow-IP stats to the Performance Monitor preprocessor.
      Write out a commented line to the now file the first time perfmon
      Reduce performance overhead when FlowIP stats aren't enabled.
    * src/preprocessors/sfprocpidstats.c:
      Changed GetCpuName() to catch errno when sscanf() sets it.
    * src/preprocessors/spp_rpc_decode.c:
      Fixed warnings when compiled in Win32.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
      Added detection of "4-way TCP Handshake" when require_3whs is enabled.
      Added "disabled" option so that memcaps can be configured in the default
      policy w/out enabling the preprocessor.  Added support for output
      obfuscation.
    * src/prototypes.h:
    * src/sys_include.h:
      Removed more obsolete/unused files.
    * src/sfthreshold.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/ipobj.h:
    * src/sfutil/Makefile.am:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
    * src/sfutil/sf_iph.c:
    * src/sfutil/sf_ipvar.c:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfPolicyUserData.c:
    * src/sfutil/sfPolicyUserData.h:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfrf.c:
    * src/sfutil/sfrt_trie.h:
    * src/sfutil/sf_vartable.c:
      Cleaned up warnings, especially when compiled with ICC.
    * src/sfutil/util_net.c:
    * src/sfutil/util_net.h:
      Fix ip obfuscation to not modify packet data and only obfuscate for
      text outputs.
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
    * src/snort.h:
      Remove non-portlists code.
    * src/target-based/sf_attribute_table_parser.l:
    * src/target-based/sftarget_reader.c:
      Use bison built in YYACCEPT and YYABORT so stack is cleaned up and freed.
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Win32 project files updated to reflect Makefile changes.

2009-12-15 Ryan Jordan <ryan.jordan@sourcefire.com>
    * doc/snort_manual.tex:
      Clarified the documentation for output plugins alert_fast, alert_full,
      log_tcpdump, and alert_csv. Added documentation for log limits.
    * etc/gen-msg.map:
    * src/generators.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
      Changes to improve handling of pipelined requests and chunked
      encodings based on content length header field.
    * src/preprocessors/snort_httpinspect.c:
      Fix error message for validation of client_flow_depth.
    * src/build.h:
      Updated build number
    * src/codes.c:
    * src/codes.h:
    * src/detection-plugins/sp_respond2.h:
      Removed unused code.
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
      Set IPv6 UDP DCE/RPC reassembly headers.
    * src/dynamic-preprocessors/Makefile.am:
      Exported more files to allow re-building of some .so files on NetBSD.
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
      Fixed an issue where the SSH preprocessor would erroneously alert on
      "protocol mismatch" when autodetect was turned on.
    * src/log.h:
    * src/parser.c:
      Fixed reloading of auto-iface variables after privileges had been dropped.
      Thanks to Pablo Catalina for reporting this issue.
    * src/output-plugins/spo_alert_prelude.c:
      Fixed compiling on AIX 6, or with --enable-prelude and --enable-ipv6.
      Thanks to Rnadall Rioux for reporting the AIX issues.
      Thanks to Markus Lude for reporting the prelude & IPv6 issues.
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/stream_api.h:
      Set smaller flush point appropriate for RPC header.
    * src/sfutil/Makefile.am:
    * src/sfutil/sf_ipvar.c:
      Fixed an error where negative IP lists were not always being checked.
    * src/sfutil/sfPolicy.c:
    * src/sfutil/sfPolicy.h:
      Fix to return correct vlan/ip id.
    * src/sfutil/sfrt.h:
    * src/sfutil/sfrt_trie.h:
      More compile fixes on AIX 6.
    * src/snort.c:
    * src/target-based/sftarget_reader.c:
      Fix issues at startup and perfstats rotation with old versions of
      libc (2.2, 2.3) & linux threads.
    * src/util.h:
      Added a function prototype for InitTimeStats.
    * src/win32/WIN32-Includes/config.h:
      Formatting changes.

2009-10-21 Ryan Jordan <ryan.jordan@sourcefire.com>
    * doc/README.filters:
      added missing _.
    * doc/snort_manual.tex:
      Update to add PCRE modifiers that were left out of table 3.8.
      Fixed typos.
    * src/build.h:
      Updated build number.
    * src/codes.c:
    * src/codes.h:
      Removed unused code.
    * src/decode.c:
      When label > NUM_RESERVED_LABELS, iRet should be set based on the payload
      type
    * src/configure.in:
    * src/Makefile.am:
    * src/dynamic-examples/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/spp_example.c:
      Added the dynamic-examples back to the Makefile, and updated the example
      preprocessor to support multiple policies & config reloading.
    * src/detection-plugins/sp_pcre.c:
      fixed warning: ISO C90 forbids mixed declarations and code
    * src/detection-plugins/sp_respond2.h:
      separate flexresp interface from implementation
      Made react, resp, and resp2 independent except that libnet is only
      initialized/closed once regardless of build combinations.
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Fixed a bug where dynamic rules were not initialized correctly after a
      snort.conf reload.
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/parser.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
      Fixed segfault when adding policies on reload
      Fixed potentially freed stream5 configuration being read on clean exit
      Fixed potentially wrong stream5 configuration being used during reload
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
      Make log message a debug message
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      changing the return value
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
      Fixed SSH preprocessor to use "FLPOLICY_IGNORE" when turning off Stream
      reassembly, as opposed to "FLPOLICY_NONE"
    * src/fpcreate.c:
    * src/profiler.c:
      Updated uses of IPPROTO_IP to ETHERNET_TYPE_IP
    * src/output-plugins/spo_alert_sf_socket.c:
      fixed otn lookup; due to not calling "first" function the configured
      gid/sids would not be found and so no no alerts would go out the socket
      and no errors reported.
    * src/log.c:
      use orig api and family for embedded icmp packet printing.
      Fixed out-of-bounds access when printing IPv6 packets using -v.
    * src/output-plugins/spo_database.c:
      Included missing "last_cid" column when inserting a new sensor into the
      table while "ignore_bpf" was turned on.
    * src/preprocessors/perf-base.c:
      Fixed inaccurate wire speed stats.
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Updated previous bugfix to check for more possible return values.
    * src/preprocessors/spp_perfmonitor.c:
      Check if packet is stream rebuilt.  Don't include in stats.
    * src/sfutil/sf_ip.h:
      processing of 0.0.0.0/x enabled. Only 0.0.0.0/32 is considered as "any".
    * src/sfutil/sfPolicy.c:
      fixed segfault when more than 10 policies were applied.
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/output-plugins/spo_alert_syslog.c:
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Prj/sf_engine_initialize.dsp:
    * src/win32/WIN32-Prj/snort_initialize.dsp:
      Fix syslog output under Windows.
    * src/snort.c:
      enable -Q output with --help for !IPFW && !WIN32 builds; change text to
      be more accurrate.
    * src/snort.h:
      Handled MPLS BOS.
    * src/target-based/sf_attribute_table_parser.l:
    * src/target-based/sf_attribute_table.y:
    * src/target-based/sftarget_reader.c:
      Use bison built in YYACCEPT and YYABORT so stack is cleaned up and freed
      Free host entries that are not inserted into routing table due to
      max_attribute_hosts limit

2009-09-15 Ryan Jordan <ryan.jordan@sourcefire.com>
    * doc/README.frag3:
      Removed ttl_limit option, as it has been deprecated.
    * doc/README.ftptelnet:
      Added the ignore_telnet_erase_cmds option.
    * doc/README.ssh:
      Fixed the documentation to reflect changes in SSH for 2.8.5.
    * doc/snort_manual.tex:
      Duplicated the above doc changes for the manual. Clarified order
      of rule actions.
    * etc/gen-msg.map:
      Punctuation changes.
    * etc/snort.conf:
      Fix the example SSH configuration, and turn it on by default. This
      should increase performance in situations where a lot of SSH traffic
      was inspected.
    * rpm/snort.spec:
      Updated version number.
    * src/build.h:
      Updated build number.
    * configure.in:
      Added configure switch to disable core files.
    * src/codes.c:
    * src/codes.h:
      Removed old/unused code.
    * src/debug.c:
    * src/sfutil/sfportobject.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
      redirect stdin/stdout/stderr to /dev/null
      for debug write to file and change ownership of file to dropped privs
    * src/decode.c:
      Allow support for label values of 0 or 2 at locations other than bottom
      of stack.
    * src/decode.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Moved a couple rules into the decoder.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_react.h:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond2.h:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond.h:
    * src/detection-plugins/sp_session.c:
    * src/win32/WIN32-Prj/snort.dsp:
      Made react, resp, and resp2 independent except that libnet is only
      initialized/closed once regardless of build combinations.
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Added a new check to handle loading of older libraries.
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/ssh/sf_preproc_info.h:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
    * src/dynamic-preprocessors/ssl/sf_preproc_info.h:
      Changed the build numbers of preprocessors.
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_stream5.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
      Fixed compile warnings.
    * src/preprocessors/spp_sfportscan.c:
      Don't include vlan header in portscan event/log packet.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fix core by adjusting IPv6 buffer size
    * src/profiler.c:
      Clean up preprocessor profiler formatting.
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
      Changed limit on max_server_version_len to 255.
    * src/dynamic-preprocessors/smtp/smtp_log.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/generators.h:
      Gave xlink2state smtp preprocessor alert a unique sid.
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Fixed memory leaks.
    * src/fpcreate.c:
      Fixed potential segfault with multiplie policies.
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf-event.c:
    * src/preprocessors/perf-event.h:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf-flow.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/sfutil/sfActionQueue.c:
      IPv6-related changes.
    * src/mempool.c:
      Check return values from mempool_init and fatal if bad when freeing
      pools, set to NULL.
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/sfutil/sfPolicy.c:
      Added additional error-checking.
    * src/output-plugins/spo_unified.c:
    * src/parser.c:
    * src/parser.h:
    * src/signature.c:
    * src/signature.h:
      Fixed a couple invalid reads & writes.
    * src/plugbase.c:
      Check configuration for all policies.
    * snort_head/snort/snort.8:
      Updated man page to reflect doc changes.

2009-07-13 Ryan Jordan <ryan.jordan@sourcefire.com>
    * src/win32/WIN32-Prj/sf_testdetect.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
       Win32 updates.
    * configure.in:
       Update for module pack confliction.
    * snort.8:
       Removed obsolete option -o
    * doc/CREDITS:
       Updated credits to reflect Snort 2.8.5 work
    * doc/INSTALL:
       Indentation changes, update for Mac
    * doc/Makefile.am:
       Added README.filters
    * doc/README.filters:
       New README, describes the new filtering features in Snort 2.8.5
    * doc/README.frag3:
       Added the overlap_limit and min_fragment_length options
    * doc/README.ftptelnet:
       Indentation changes
    * doc/README.http_inspect:
       Added post_depth option.
    * doc/README.INLINE:
       Changed "snort_inline" to "Snort Inline"
    * doc/README.PerfProfiling:
       Updated stats output to reflect "Rev" column
    * doc/README.reload:
       New README, describes how to reload a Snort configuration in 2.8.5
    * doc/README.ssh:
       Updated the README to reflect changes in the SSH preprocessor for 2.8.5
    * doc/README.thresholding:
       Updated to indicate that "threshold" is deprecated in favor of "event_filter".
    * doc/snort_manual.tex:
       Updated to include 2.8.5 features, formatting updates.
       Removed old references to Stream4.
    * etc/gen-msg.map:
       Moved XMAS attack handling to decoder.
       Gave xlink2state smtp preprocessor alert unique sid.
    * etc/threshold.conf:
       Updated with formatting changes, deprecation notice for "threshold"
    * src/build.h:
       New build number.
    * src/codes.c:
    * src/codes.h:
       Removed unused files.
    * src/decode.c:
    * src/decode.h:
       Made some options policy-specific. Removed a couple poorly-performing
       rules and made them into decoder checks instead.
    * src/detect.c:
    * src/ppm.h:
       Don't reset packet time
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1_detect.c:
       Removed redundant check.
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_isdataat.h:
       Moved flags & struct to header file.
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_replace.c:
    * src/detection-plugins/sp_replace.h:
       Check for combination of "replace" and "http_*" options, which are
       incompatible.
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond.c:
       Renamed respond's config so it didn't conflict with gloabl Snort config.
    * src/dynamic-plugins/sf_convert_dynamic.c:
    * src/dynamic-plugins/sf_convert_dynamic.h:
       Added a missing handler for "isdataat" options in .so rules.
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/ipv6_port.h:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
       Changed variables from "uintX_t" to "u_intX_t".
    * src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_event.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_stats.h:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
       Added detection for DCE/RPC server->client attacks.
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
       Fixed memory leak.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
       Fixed some FTP false positives.
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
       Fixed multiple policy support in these preprocessors.
    * src/fpdetect.c:
    * src/rules.h:
       One rule can have different actions in different policies.
    * src/generators.h:
       Changed SSL preprocessor's ID to avoid conflict with DCE/RPC 2
    * src/inline.c:
       Win32 updates
    * src/log.c:
       Fixed issue with verbose output while in IDS mode.
    * src/mempool.c:
    * src/mempool.h:
    * src/preprocessors/portscan.c:
    * src/sfutil/Makefile.am:
    * src/sfutil/sfActionQueue.c:
    * src/sfutil/sfActionQueue.h:
       Made several config options specific to bound policies.
    * src/output-plugins/spo_unified2.h:
       Used 104 and 105 for the VLAN+MPLS event records.
    * src/parser/IpAddrSet.c:
    * src/parser/IpAddrSet.h:
       Clean up IpAddrSet in rate filter and suppress
    * src/parser.c:
    * src/parser.h:
       Fixed warnings
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_httpinspect.c:
       HTTP Inspect now allows 1024 server profiles. The storage size was
       reduced.
    * src/preprocessors/spp_frag3.c:
       Fixed problem where Snort wouldn't reload if prealloc_memcap was specified.
    * src/preprocessors/spp_perfmonitor.c:
       Fixed problem where "now" file stopped updating after a reload.
    * src/preprocessors/spp_sfportscan.c:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfrf.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
       Fixed memory leaks.
    * src/preprocessors/spp_stream5.c:
    * src/sfutil/sfPolicyUserData.c:
    * src/sfutil/sfPolicyUserData.h:
    * src/target-based/sftarget_reader.c:
    * src/target-based/sftarget_reader.h:
       Update for linuxthreads.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
       Added -H command-line option. Uses 192 for all TCP flushpoints.
       Only useful for repeatability while testing Snort.
    * src/profiler.c:
       Added rule revision to profiling output.
    * src/rate_filter.c:
    * src/rate_filter.h:
       Automatically enable "session delete" events with "session add" events.
    * src/sf_sdlist.c:
    * src/sfutil/sf_ipvar.c:
       Formatting changes
    * src/sf_types.h:
       Win32 updates
    * src/snort.c:
    * src/snort.h:
       Several fixes involving policy reload
    * src/util.c:
       Formatting changes, updated references to snort.org.
    * src/util.h:
       Don't allow 0 for threshold count or seconds.

2009-05-06 Ryan Jordan <ryan.jordan@sourcefire.com>
    * etc/gen-msg.map:
      Added new messages for MPLS and Frag3.
    * etc/snort.conf:
      Modified an example port number, and added overlap_limit to the default
      frag3_engine config.
    * src/detect.c:
    * src/detect.h:
    * src/detection_filter.c:
    * src/detection_filter.h:
    * src/rate_filter.c:
    * src/rate_filter.h:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
      Added support for detection_filter, rate_filter, and event_filter.
      See doc/README.filters for more info.
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/sp_hdr_opt_wrap.c:
    * src/detection-plugins/sp_hdr_opt_wrap.h:
    * src/dynamic-plugins/Makefile.am:
    * src/dynamic-plugins/sf_convert_dynamic.c:
    * src/dynamic-plugins/sf_convert_dynamic.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Changed the way .so rules are handled, to take advantage of the Rule
      Option Tree.
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_check.h:
      Added support for ">=" and "<=" test options.
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/dynamic-plugins/sp_dynamic.c:
      Flowbits are now part of the rule stub that gets generated when
      dumping dynamic rules.
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/detection-plugins/sp_replace.c:
    * src/detection-plugins/sp_replace.h:
      Content replacement code moved out to sp_replace.{c,h}
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_pcre.h:
      PCRE matches are no lnoger repeated if anchored.
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
      Packet structure re-arranged, and other code cleanup.
    * src/dynamic-preprocessors/ssh/Makefile.am:
    * src/dynamic-preprocessors/ssh/sf_preproc_info.h:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
      Updated SSH preprocessor. Config options have been modified, see
      README.ssh for details.
    * src/parser.c:
      Fixed handling of IP lists with mis-matched brackets.
    * src/output-plugins/spo_unified2.c:
    * src/output-plugins/spo_unified2.h:
      MPLS and VLAN records have been consolidated into Unified2Event_v2.
    * src/win32/Makefile.am:
    * src/win32/WIN32-Code/inet_aton.c:
    * src/win32/WIN32-Code/misc.c:
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Prj/build_all.dsp:
    * src/win32/WIN32-Prj/sf_engine_initialize.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
    * src/win32/WIN32-Prj/snort_initialize.dsp:
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Updated Win32 installer to include new Snort files.
    * rpm/snort.spec:
      Updated RPM to include new Snort files.
    * doc/CREDITS:
    * doc/README.filters:
    * doc/README.frag3:
    * doc/README.http_inspect:
    * doc/README.ssh:
    * doc/README.thresholding:
    * doc/snort_manual.tex:
      Documentation updates.

    In addition, the following files were modified to enable:
      - Reloading snort.conf without restarting Snort
      - Applying multiple snort.confs on a per-vlan or per-CIDR block basis
      - Compiler warning clean-up
    * src/bounds.h:
    * src/byte_extract.c:
    * src/byte_extract.h:
    * src/checksum.h:
    * src/cpuclock.h:
    * src/debug.c:
    * src/decode.c:
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1_detect.c:
    * src/detection-plugins/sp_asn1_detect.h:
    * src/detection-plugins/sp_asn1.h:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_byte_jump.h:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_clientserver.h:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_cvs.h:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_dsize_check.h:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_ftpbounce.h:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_code_check.h:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_id_check.h:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_seq_check.h:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_icmp_type_check.h:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_fragbits.h:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_id_check.h:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_ipoption_check.h:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_same_check.h:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_ip_tos_check.h:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_isdataat.h:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_react.h:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond2.h:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond.h:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_rpc_check.h:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_session.h:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_ack_check.h:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_flag_check.h:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_seq_check.h:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_tcp_win_check.h:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_ttl_check.h:
    * src/detection-plugins/sp_urilen_check.c:
    * src/detection-plugins/sp_urilen_check.h:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_dynamic_define.h:
    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_file_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_file_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_file_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_debug.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_debug.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_event.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_event.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_http.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_list.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_session.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_stats.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_tcp.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
    * src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc2/includes/smb.h:
    * src/dynamic-preprocessors/dcerpc2/Makefile.am:
    * src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.h:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
    * src/dynamic-preprocessors/dns/Makefile.am:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
    * src/dynamic-preprocessors/dynamic_preprocessors.dsp:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.h:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h:
    * src/dynamic-preprocessors/libs/sfcommon.h:
    * src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp:
    * src/dynamic-preprocessors/libs/sfparser.c:
    * src/dynamic-preprocessors/libs/ssl.c:
    * src/dynamic-preprocessors/libs/ssl.h:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_config.h:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/ssl/Makefile.am:
    * src/dynamic-preprocessors/ssl/sf_preproc_info.h:
    * src/dynamic-preprocessors/ssl/sf_ssl.dsp:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.h:
    * src/event.h:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/generators.h:
    * src/inline.c:
    * src/inline.h:
    * src/ipv6_port.h:
    * src/log.c:
    * src/log.h:
    * src/log_text.c:
    * src/log_text.h:
    * src/Makefile.am:
    * src/mempool.c:
    * src/mstring.c:
    * src/mstring.h:
    * src/output-plugins/spo_alert_arubaaction.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_test.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_alert_unixsock.h:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_database.h:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_ascii.h:
    * src/output-plugins/spo_log_null.c:
    * src/output-plugins/spo_log_null.h:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/output-plugins/spo_unified.h:
    * src/parser/IpAddrSet.c:
    * src/parser/IpAddrSet.h:
    * src/parser.h:
    * src/pcap_pkthdr32.h:
    * src/pcrm.c:
    * src/pcrm.h:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/ppm.c:
    * src/ppm.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_client_stateful.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_reqmethod_check.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_stateful_inspect.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_uri.h:
    * src/preprocessors/HttpInspect/include/hi_urilen_check.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf-event.c:
    * src/preprocessors/perf-event.h:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf-flow.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/sfprocpidstats.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_bo.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_httpinspect.h:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_perfmonitor.h:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_sfportscan.h:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/spp_stream5.h:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/stream_ignore.h:
    * src/preprocessors/str_search.h:
    * src/preprocids.h:
    * src/profiler.c:
    * src/profiler.h:
    * src/rules.h:
    * src/sf_types.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/Makefile.am:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
    * src/sfutil/sf_iph.c:
    * src/sfutil/sf_ipvar.c:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfPolicy.c:
    * src/sfutil/sfPolicy.h:
    * src/sfutil/sfPolicyUserData.c:
    * src/sfutil/sfPolicyUserData.h:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfportobject.h:
    * src/sfutil/sfrf.c:
    * src/sfutil/sfrf.h:
    * src/sfutil/sfrt.c:
    * src/sfutil/sfrt_dir.c:
    * src/sfutil/sfrt_dir.h:
    * src/sfutil/sfrt.h:
    * src/sfutil/sfrt_lctrie.c:
    * src/sfutil/sfrt_lctrie.h:
    * src/sfutil/sfrt_trie.h:
    * src/sfutil/sf_textlog.h:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/sfutil/sf_vartable.c:
    * src/sfutil/sf_vartable.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
    * src/sfutil/util_net.c:
    * src/sfutil/util_net.h:
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
    * src/snort.h:
    * src/snprintf.c:
    * src/spo_plugbase.h:
    * src/tag.c:
    * src/tag.h:
    * src/target-based/sf_attribute_table_parser.l:
    * src/target-based/sf_attribute_table.y:
    * src/target-based/sftarget_hostentry.c:
    * src/target-based/sftarget_hostentry.h:
    * src/target-based/sftarget_protocol_reference.c:
    * src/target-based/sftarget_protocol_reference.h:
    * src/target-based/sftarget_reader.c:
    * src/target-based/sftarget_reader.h:
    * src/util.c:
    * src/util.h:

2009-04-20 Ryan Jordan <ryan.jordan@sourcefire.com>
    * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
      Changed DCE2 configuration such that events are disabled by default.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Fixed false positive when an additional /r/n followed the QUIT command.
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
      Fixed infinite loop when parsing SSH configuration.
    * src/output-plugins/spo_database.c:
      Fixed an issue that prevented Snort from inserting records into the
      sensor table of a MySQL database. Thanks to David Cecchino for pointing
      out this issue.
    * src/parser.c:
    * src/sfutil/ipobj.c:
      Fixed handling of IP lists that begin with variables, when IPv6 was
      enabled.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Handle case where require_3whs is configured, no session has been
      created and an ACK is received with a RST flag. Thanks to Jeff Johnson
      for reporting the problem.
    * src/sfthreshold.c:
    * src/sfutil/sf_ipvar.c:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sf_vartable.c:
    * src/util.c:
      Fixed issues with use of IPv6 address variables.
    * rpm/snort.spec:
      Added DCE2 preprocessor to RPM spec file. Thanks to Scott Fabbri, c0uch,
      and Andrew Pendray for reporting this.
    * doc/snort_manual.tex:
      Updated to add Bhagyasree Bantwal, newest member of Snort Team.

2009-03-11 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Fix for IPv6 on Win32 to define interface variables.
    * src/win32/WIN32-Prj/snort_installer_options.ini:
      Update for IPv6 intalls.

2009-03-10 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Correctly pass operation to allow flowbits checked-but-not-set and
      set-but-not-checked validation to work between text and shared rules.
    * src/dynamic-plugins/sf_dynamic_define.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
      Handle relative PCREs the same as text rules.  Fix misnamed macro.
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_event.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
      Address False positives seen in testing.
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
      Add missing attribute check when FTP traffic is picked up mid-TCP stream.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Fix handling of EPRT command for IPv6.
    * src/output-plugins/spo_unified2.c:
      unlink output file in test mode.
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/parser.c:
      Fix logging to syslog for rule counts at startup.
    * src/generators.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * etc/gen-msg.map:
      Add stream5 option to restrict the number of consecutive
      small TCP segments inserted for reassembly without seeing an ACK.
      Generate alert (gid:129,sid:12) when that limit is exceeded.
      Allow overriding of this configuration on a port basis via an
      ignore_ports option.
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
      Fixed issues w/ IPv6 comparisons and /32 used with IPv6.  Added
      and updated unit test code.  Thanks to mamcmil on snort.org
      forums for pointing out the problem.
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * src/win32/WIN32-Prj/snort_installer_options.ini:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ssl/sf_ssl.dsp:
    * configure.in:
    * rpm/snort.spec:
    * src/win32/WIN32-Includes/config.h:
      2.8.4 Final build changes.  Allow IPv6 to be installed via windows
      installer.

2009-02-06 Todd Wease <twease@sourcefire.com>
    * snort.8:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Added command line option "--require-rule-sid" to require every rule have
      an sid.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
      Fix compilation issue with --disable-dynamicplugin.  Thanks to
      Jason Wallace for bringing this to our attention.
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Push dynamic engine minor version to 10 and build version to 16.
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
      Fix preprocessor rule option processing for dynamic detection rules.
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Add checks for header and method buffers when fast pattern is not
      specified in dynamic detection rules.
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/bnfa_search.c:
      Update uses of isprint() to check for isascii() as well where only
      printable ascii characters are relevant.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Update smtp preprocessor to use stream5 direction data when determining
      if preprocessor is configured to process traffic.
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Add range checking in stream5 preprocessor for prune_log_max and update
      error messages to indicate 0 is a valid value for prune_log_max,
      max_queued_segs and max_queued_bytes.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update to stream5 preprocessor to handle ECN and CWR bits in the SYN
      packet.  Thanks to Lothar Braun for bringing this to our attention.
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
      Fix configuration parsing of IPv6 addresses to allow /32 cidr.
    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/detect.h:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_proto.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.h:
    * src/parser.c:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/rules.h:
    * src/snort.c:
      Added rule and preprocessor filtering by protocol so that traffic will
      not be evaluated for which there are no rules or preprocessors interested
      in that traffic.
    * src/decode.c:
      Fixed IPv6 decoder for Sparc memory alignment in IPv6 enabled binary.
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/log_text.c:
    * src/sfutil/sf_iph.c:
      Fixed issue in IPv6 enabled binary, where ICMP (not ICMP6) over IPv6
      would cause a segfault.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/profiler.c:
    * src/profiler.h:
      Fixed inconsistent results in rule profiling.  Thanks to Geoff
      Whittington for bringing this to our attention.
    * src/detection-plugins/sp_byte_jump.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added new "post_offset" argument to byte jump rule option to move some
      designated amount after the byte jump.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/plugbase.c:
    * src/target-based/sftarget_reader.c:
    * src/target-based/sftarget_reader.h:
      Added functionality to the dynamic-plugin API to check whether adaptive
      profiles is configured and to check whether or not a preprocessor is
      configured.
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
      Fatal error if both dcerpc and dcerpc2 preprocessors are configured.
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_rpc_decode.c:
      Updates to stream5 filtering so that stream5 does not track sessions for
      which there are no rules that could fire on that traffic or preprocessors
      that are interested in that traffic.
    * doc/README.dcerpc2:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * etc/gen-msg.map:
    * etc/snort.conf:
      Added dcerpc2 preprocessor documentation.
    * src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
      Added performance profiling statistics to the dcerpc2 preprocessor.
    * src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
    * src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc2/includes/smb.h:
      Fix for architectures requiring strict memory alignment such as Sparc in
      the dcerpc2 preprocessor.
    * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.h:
      Updated configuration error reporting in the dcerpc2 preprocessor.
    * src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_tcp.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_udp.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_session.h:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.h:
      Updated dcerpc2 preprocessor autodetection and handling of missed
      packets to limit false positives.
    * src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_debug.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_list.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_memory.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_stats.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
      Updated dcerpc2 preprocessor logging.
    * preproc_rules/preprocessor.rules:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_event.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_event.h:
    * src/generators.h:
      Added new preprocessor event to the dcerpc2 preprocessor to alert on
      Bind or Alter Context PDUs that don't have any context items.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Updated ftp_telnet preprocessor to consider the AUTH command as the
      beginning of a possibly encrypted session.
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
      Pushed the ftp_telnet preprocessor minor version to 2 and build
      version to 11.
    * src/decode.c:
    * src/snort.h:
    * src/util.c:
      Added additional ethertypes to Vlan decoder.
    * configure.in
    * src/output-plugins/spo_database.c:
      Added reconnect capability to MySQL database output plugin.  Thanks to
      Ian Mitchell and other users on the lists for bringing this to our
      attention.
    * src/output-plugins/spo_unified2.c:
    * src/output-plugins/spo_unified2.h:
      Added code to better handle logging to an NFS mounted share.
    * src/parser.c:
      Command line BPF filter now overrides configuration in snort.conf.
    * src/parser.c:
      Command line log directory now overrides configuration in snort.conf.
    * src/parser.c:
    * src/snort.c:
      Fixed read back mode to reallow reading from stdin.  Thanks to John
      Gerber for bringing this to our attention.
    * src/plugbase.c:
    * src/util.c:
      Fixed compilation on HPUX 11.11.  Thanks to Lars Ebeling for bringing
      this to our attention.
    * src/preprocessors/spp_rpc_decode.c:
      Continue defragmentation even when alerting on fragmentation in the
      rpc_decode preprocessor.
    * src/preprocessors/spp_stream5.c:
      Stream5 will now fatal error if there isn't at least one of track tcp,
      track udp or track icmp.
    * src/sfthreshold.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
      Allow a count of -1 to threshold configuration option to disable all
      thresholding for that object.
    * src/snort.c:
      Fixed issue with SIGHUP and handling of daemonize flag.
    * preproc_rules/decoder.rules:
    * preproc_rules/preprocessor.rules:
      Added decoder/preprocessor rules for MPLS and DCE/RPC.
    * snort.8:
      Update manpage for "-x", "--conf-error-out" and "--exit-check" command
      line options.

2008-12-30 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_database.c:
      Update to check for a missing host name when connecting to a
      MySQL database and fail gracefully.  Thanks to Chris Benedict
      for the report.
    * doc/README.stream5:
    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/stream5_common.h:
      Update Stream5 to better handle out-of-sequence server responses
      when not doing server-side reassembly.  Add limits on number of
      bytes and segments queued to prevent one session from consuming
      all memory.
    * src/target-based/sf_attribute_table.y:
      Force bison to use malloc/free instead of alloca for older versions
      of bison.
    * src/target-based/sf_attribute_table_parser.l:
    * src/target-based/sftarget_reader.c:
      Don't fatal error when reloading an attribute table beyond the
      configured limit.  Only display warning to syslog/console.

2008-10-03 Todd Wease <twease@sourcefire.com>
    * configure.in:
    * src/decode.c:
    * src/decode.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/fpdetect.c:
    * src/generators.h:
    * src/ipv6_port.h:
    * src/log.c:
    * src/log_text.c:
    * src/output-plugins/spo_alert_test.c:
    * src/output-plugins/spo_csv.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/stream_ignore.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/ipobj.h:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
    * src/sfutil/sf_iph.c:
    * src/sfutil/sf_ipvar.c:
    * src/sfutil/sfrt.c:
    * src/sfutil/sfrt.h:
    * src/sfutil/sfrt_dir.c:
    * src/sfutil/sfrt_dir.h:
    * src/snort.c:
    * src/target-based/sf_attribute_table.y:
    * src/target-based/sftarget_reader.c:
    * src/target-based/sftarget_reader.h:
    * src/win32/WIN32-Prj/sf_engine.dsp:
      IPv6 updates and support for sfportscan, ftp_telnet, frag3 and dns
      preprocessors and adaptive IPS.
    * etc/gen-msg.map:
    * src/decode.h:
    * src/detect.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_cl.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_cl.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_co.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_config.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_debug.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_debug.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_event.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_event.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_http.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_http.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_list.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_list.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_memory.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_memory.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_roptions.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_session.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_smb.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_stats.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_stats.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_tcp.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_tcp.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_udp.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_udp.h:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.c:
    * src/dynamic-preprocessors/dcerpc2/dce2_utils.h:
    * src/dynamic-preprocessors/dcerpc2/includes/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc2/includes/smb.h:
    * src/dynamic-preprocessors/dcerpc2/Makefile.am:
    * src/dynamic-preprocessors/dcerpc2/sf_dce2.dsp:
    * src/dynamic-preprocessors/dcerpc2/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.c:
    * src/dynamic-preprocessors/dcerpc2/snort_dce2.h:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.c:
    * src/dynamic-preprocessors/dcerpc2/spp_dce2.h:
    * src/dynamic-preprocessors/Makefile.am:
    * src/generators.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/sf_types.h:
    * src/sfutil/sfrt.c:
    * src/sfutil/sfrt.h:
    * src/util.c:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
      Addition of dcerpc2 preprocessor.  Addition of new rule options
      supported by preprocessor.
    * src/detect.c:
    * src/detect.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/fpdetect.c:
    * src/parser.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/target-based/sftarget_protocol_reference.c:
    * src/target-based/sftarget_protocol_reference.h:
      Add adaptive support for http_inspect, rpc, smtp, dcerpc, dcerpc2, dns,
      ftp_telnet, ssh and ssl preprocessors.
    * configure.in:
    * src/detect.c:
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1.h:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_check.h:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_byte_jump.h:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_clientserver.h:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_cvs.h:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_dsize_check.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_ftpbounce.h:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_code_check.h:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_id_check.h:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_seq_check.h:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_icmp_type_check.h:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_fragbits.h:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_id_check.h:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_ipoption_check.h:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_proto.h:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_same_check.h:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_ip_tos_check.h:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_isdataat.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_pcre.h:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_react.h:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond2.h:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond.h:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_rpc_check.h:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_session.h:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_ack_check.h:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_flag_check.h:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_seq_check.h:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_tcp_win_check.h:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_ttl_check.h:
    * src/detection-plugins/sp_urilen_check.c:
    * src/detection-plugins/sp_urilen_check.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ssl/sf_ssl.dsp:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser.c:
    * src/pcrm.c:
    * src/pcrm.h:
    * src/plugbase.c:
    * src/ppm.c:
    * src/ppm.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * src/preprocessors/str_search.c:
    * src/profiler.c:
    * src/profiler.h:
    * src/rules.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/snort.c:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
      Harden rule option tree code.
    * configure.in:
    * doc/Makefile.am:
    * doc/snort_manual.tex:
    * doc/README.sfportscan:
    * src/detect.c:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/fatal.h:
    * src/generators.h:
    * src/Makefile.am:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/flow/common_defs.h (removed):
    * src/preprocessors/flow/flow.c (removed):
    * src/preprocessors/flow/flow_cache.c (removed):
    * src/preprocessors/flow/flow_cache.h (removed):
    * src/preprocessors/flow/flow_callback.c (removed):
    * src/preprocessors/flow/flow_callback.h (removed):
    * src/preprocessors/flow/flow_class.c (removed):
    * src/preprocessors/flow/flow_class.h (removed):
    * src/preprocessors/flow/flow_config.h (removed):
    * src/preprocessors/flow/flow_error.h (removed):
    * src/preprocessors/flow/flow.h (removed):
    * src/preprocessors/flow/flow_hash.c (removed):
    * src/preprocessors/flow/flow_hash.h (removed):
    * src/preprocessors/flow/flow_print.c (removed):
    * src/preprocessors/flow/flow_print.h (removed):
    * src/preprocessors/flow/flow_stat.c (removed):
    * src/preprocessors/flow/flow_stat.h (removed):
    * src/preprocessors/flow/int-snort (removed):
    * src/preprocessors/flow/Makefile.am (removed):
    * src/preprocessors/flow/portscan (removed):
    * src/preprocessors/Makefile.am:
    * src/preprocessors/portscan.c (removed):
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_session.c (removed):
    * src/preprocessors/snort_stream4_session.h (removed):
    * src/preprocessors/snort_stream4_udp.c (removed):
    * src/preprocessors/snort_stream4_udp.h (removed):
    * src/preprocessors/spp_flow.c (removed):
    * src/preprocessors/spp_flow.h (removed):
    * src/preprocessors/spp_stream4.c (removed):
    * src/preprocessors/spp_stream4.h (removed):
    * src/preprocessors/stream.h (removed):
    * src/preprocids.h:
    * src/snort.c:
    * src/win32/WIN32-Prj/snort.dsp:
      Removal of stream4 and flow preprocessors from code base.
    * src/tag.c:
    * src/tag.h:
    * src/ubi_BinTree.c (removed):
    * src/ubi_BinTree.h (removed):
    * src/ubi_SplayTree.c (removed):
    * src/ubi_SplayTree.h (removed):
      Tagging now uses a hash table instead of a splay tree for data
      storage.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/plugbase.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
      Support rules with content rule options that are only not contents.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Add override keyword support.  Argument to a rule option can be
      overriden and processed elsewhere.  Added for support of new byte_test
      and byte_jump rule option argument "dce".
    * src/detection-plugins/detection_options.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
      Add hash and compare functions for preprocessors to rule option tree.
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_httpinspect.h:
      Make sure Stream5 is enabled when parsing most arguments to flow rule
      option.  Make sure http_inspect is enabled when parsing uricontent or http
      content modifiers.
    * src/detection-plugins/sp_clientserver.c:
      Added no_frag and only_frag arguments to flow rule option.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
      Added dynamic callbacks for logging and resetting event queue.
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
      Port and service based filtering to improve performance.  Stream5 will
      ignore traffic (if it is configured to do so) for which there are no
      rules or preprocessors configured to look at this traffic.
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      ftp_telnet_protocol server configurations now support multiple IP
      addresses and netmasks.
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_httpinspect.c:
      http_inspect preprocessor server configurations now support multiple IP
      addresses and netmasks.
    * doc/README.http_inspect:
    * doc/snort_manual.tex:
    * src/generators.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
      Add a "max_headers" and "max_header_length" options to http_inspect
      server configuration.
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fix to correctly identify end of http client body request.
    * src/profiler.c:
    * src/profiler.h:
    * src/ppm.c:
    * src/ppm.h:
      Update to handle rule latency threhsolding with rule option tree.
    * doc/README.ftptelnet:
    * doc/snort_manual.tex:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Added "ignore_data_chan" option to ftp_telnet preprocessor to deprecate
      confusing "data_chan" option.
    * src/preprocessors/spp_stream5.c:
      Fix to alert on dropped packet in midstream session.
    * doc/CREDITS:
    * doc/snort_manual.tex:
      Update for new members of Snort team - Dilbagh Chahal and Ryan Jordan.
    * etc/snort.conf:
      Add "trustservers" do default ssl preprocessor configuration.
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-stdinc.h:
      Updates to compile in Visual Studio 2008.

2008-09-15 Todd Wease <twease@sourcefire.com>
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/fpcreate.c:
    * src/generators.h:
    * src/ppm.c:
    * src/ppm.h:
    * src/profiler.c:
    * src/rules.h:
    * etc/gen-msg.map:
      Update rule latency thresholding.
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_stream4.c:
    * doc/README.flow:
    * doc/README.flow-portscan:
    * doc/README.stream4:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      The flow and stream4 preprocessors will be deprecated in a
      future release.

2008-08-12 Todd Wease <twease@sourcefire.com>
    * src/bounds.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * doc/README.dcerpc:
    * doc/snort_manual.tex:
      DCE/RPC preprocessor changes to handle abnormal TCP segmentation.
      Added option to reassemble fragmentation buffers early.  Updated
      documentation.
    * src/decode.c:
    * src/decode.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
      Fixed handling of MPLS label in checking Stream session uniqueness
      when IPv4 packets are received and build is IPv6.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
      MPLS stats are now printed, whether compiled for MPLS or not.
    * src/detection-plugins/sp_pattern_match.c:
      Fixed checksum calculation for IPv6 case for 'replace' rule option.
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Added check to not register so rule if it has already been registered.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
      Added better handling of SMTP data header options to avoid false
      positives occuring with data header buffer overlflow smtp preprocessor
      event.  Thanks to rmkml for bringing this to our attention.
    * src/event_queue.c:
    * src/signature.c:
      Added checks to only allow one rule without an SID defined.  Thanks to
      Christian Mock for bringing this to our attention.
    * src/parser.c:
    * doc/README.PerfProfiling:
      Updated performance profiling README to document new 'filename' option.
      Fixed handling of 'filename' option in the rule profiling configuration.
    * src/plugbase.c:
      Changed plugins startup output to use log function instead of printf().
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fixes to avoid false positives on http_inspect preprocessor events for
      bare byte encoding and oversize request-uri directory.
    * doc/CREDITS:
      Credits updates.
    * doc/README.decode:
    * doc/snort_manual.tex:
      Fixed some spelling errors and confusing syntax.  Thanks to Hari Sekhon
      for pointing many of these out.

2008-07-18 Todd Wease <twease@sourcefire.com>
    * src/detection-plugins/sp_dsize_check.c:
      Fix issue with rule option "dsize" range check.
      Thanks to Bhadresh Patel for bringing this to our attention.
    * src/detection-plugins/sp_pcre.c:
      Fix issue with evaluating PCRE rule options with /U modifier that
      are followed by a relative content rule option.
      Many thanks to Bamm Visscher for doing the research, finding the
      offending rule and producing the test case necessary to track
      down and fix the issue.  Also thanks to others on the snort users
      list - craig for starting a thread and JJ Cummings for confirming
      it was not a logging issue.

2008-07-11 Todd Wease <twease@sourcefire.com>
    * src/byte_extract.c:
      Added byte test for 3 bytes.
    * src/debug.c:
    * src/debug.h:
    * src/dynamic-preprocessors/libs/ssl.c:
    * src/dynamic-preprocessors/libs/ssl.h:
    * src/dynamic-preprocessors/ssl/sf_preproc_info.h:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.h:
      Updates to SSL preprocessor to make it work with stream
      reassembly, multiple handshake records and disabling detection.
    * src/decode.c:
    * src/preprocessors/spp_frag3.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Fix MPLS fragmentation reassembly issue.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/sfutil/sfhashfcn.h:
      Move hash rot macros.
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/libs/sfdynamic_preproc_libs.dsp:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ssl/sf_ssl.dsp:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
      Update Win32 project files to include MPLS.
    * src/util.c:
      For read mode, reset errno after gathering pcaps from
      a directory.
    * etc/sid-msg.map:
      Updates.

2008-06-16 Todd Wease <twease@sourcefire.com>
    * src/cpuclock.h:
      Fixed compilation issue on HPUX machines related to performance
      profiling and the assembly instructions used for getting cpu
      clock ticks.  Thanks to Pavan Raj and Jaipal Reddy for pointing
      this out.
    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/generators.h:
    * src/log.c:
    * src/log.h:
    * src/output-plugins/spo_unified2.c:
    * src/parser.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * configure.in:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.mpls:
      Added MPLS decoding support.
    * src/decode.c:
    * src/generators.h:
    * etc/gen-msg.map:
      Fixed alert message for IP datagram being greater than captured
      length.
    * src/decode.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/detection-plugins/sp_pcre.c:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/util.c:
    * src/util.h:
    * doc/README.http_inspect:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      New Feature for HTTP Inspect to split requests into 5 components -
      Method, URI, Header (non-cookie), Cookies, Body.  Added HTTP server
      specific configurations to normalize HTTP header and/or cookie buffers.
      Provided content and PCRE modifiers to allow searches within one or
      more of those individual buffers.  Added content modifier to allow rule
      writer to specify content to be used for fast pattern matcher.
      Updated dynamic rule API to allow searches within the new buffers.
    * src/detection-plugins/sp_flowbits.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Provided command line switch to bail on rule parsing failure.
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/preprocessors/spp_httpinspect.c:
      Fixed some configuration error checking.
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
      Fixed false negative when using 'trustservers' option.
    * src/output-plugins/spo_database.c:
      Fixed issue where when using the 'ruletype' keyword with database
      output, events were getting logged using both the default log method
      and the ruletype log method.  Thanks to Agent Smith for pointing this
      out.
    * src/output-plugins/spo_unified2.c:
      Fixed issue in unified2 code where the timestamp of an event on
      a stream reassembled packet was using the last stream segment
      instead of the first.
    * src/parser.c:
    * src/profiler.c:
    * src/snort.h:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Provided option to rule and preprocessor profiling configurations to
      log to file instead of syslog.
    * src/preprocessors/perf-flow.c:
      Packet size distribution reported by snort flow stats do not count
      reassmbled packets anymore.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update Stream5 to flush bytes up to ACK if ACK falls in the middle
      of a segment instead of including entire segment in reassembled
      packet.
    * src/snort.c:
      Reset packet processor when reading multiple pcaps and pcap reset
      option is used.
    * doc/README.decode:
      Update GRE decoder alerts.

2008-06-04 Todd Wease <twease@sourcefire.com>
    * src/fpdetect.c:
    * src/detection-plugins/detection_options.c:
      Fix issue where pass rules weren't getting precedence
      over alert rules.  Thanks to Jason Haar for pointing
      this out.
    * src/snort.c:
      Reset data link for new pcap when reading multiple pcaps.
    * etc/gen-msg.map:
      Add IPv6 decoder events.

2008-05-07 Todd Wease <twease@sourcefire.com>
    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
      Fix issue in ICMP6 code that made an incorrect calculation
      when the ICMP6 type was an echo or an echo reply.
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/profiler.c:
    * src/profiler.h:
      Pattern Matcher Caching & Rule Processing Performance Improvements.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix memory leak caused by missed or dropped traffic.
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
      Remove redundant macro.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.decoder_preproc_rules:
      Add documentation on the use of decoder and preprocessor rules.

2008-04-30 Todd Wease <twease@sourcefire.com>
    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/profiler.c:
      Process IP rules by fast pattern searching payload of outer IP,
      then evaluating matching rules against IP header & payload of
      inner & outer IP.  This is to address false positives and
      false negatives in IP rules.
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_cvs.h:
    * src/preprocessors/spp_frag3.c:
      Fix typos.  Thanks to rmkml for pointing this out.
    * src/ipv6_port.h:
    * src/log.c:
    * src/log_text.c:
      Update log to correct datagram length macro for IPv6.
    * src/detection-plugins/sp_pcre.c:
    * src/dynamic-plugins/sf_dynamic_define.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
      Expose a pcre wrapper function to detection library rules via plugin api.

2008-04-14 Todd Wease <twease@sourcefire.com>
    * configure.in:
    * src/detect.c:
    * src/detect.h:
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/detection_options.c:
    * src/detection-plugins/detection_options.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1.h:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_check.h:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_byte_jump.h:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_clientserver.h:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_cvs.h:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_dsize_check.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_ftpbounce.h:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_code_check.h:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_id_check.h:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_seq_check.h:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_icmp_type_check.h:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_fragbits.h:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_id_check.h:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_ipoption_check.h:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_proto.h:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_same_check.h:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_ip_tos_check.h:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_isdataat.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_pcre.h:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_react.h:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond2.h:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond.h:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_rpc_check.h:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_session.h:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_ack_check.h:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_flag_check.h:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_seq_check.h:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_tcp_win_check.h:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_ttl_check.h:
    * src/detection-plugins/sp_urilen_check.c:
    * src/detection-plugins/sp_urilen_check.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/event_queue.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser.c:
    * src/pcrm.h:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/ppm.c:
    * src/ppm.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
    * src/rules.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
      Pattern Matcher Caching & Rule Processing Performance Improvements.
    * configure.in:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/event_wrapper.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser/IpAddrSet.c:
    * src/parser.c:
    * src/parser.h:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/stream_ignore.h:
    * src/profiler.c:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfportobject.h:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/sfutil/sf_vartable.c:
    * src/sfutil/sf_vartable.h:
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
    * src/spo_plugbase.h:
    * src/target-based/sftarget_protocol_reference.c:
    * src/target-based/sftarget_protocol_reference.h:
    * src/target-based/sftarget_reader.c:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
      Added configuration option to clean up all initialization
      memory at shutdown.
    * src/decode.h:
    * src/preprocessors/snort_httpinspect.c:
      Add counter for HTTP pipeline requests.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Fixed issue where some FTP traffic was being labeled as
      encrypted when it was not.
    * src/output-plugins/spo_database.c:
      Free SQL statement.  Thanks to Carter Browne for pointing this out.
    * snort.8:
    * doc/snort_manual.tex:
    * src/snort.c:
    * src/util.c:
      Update to indicate --pid-path specifies the directory for the
      PID file.  Thanks to Lee Clemens for pointing out the ambiguity.
    * src/snort.c:
      For --pcap-show option, print to stdout instead of stderr.
    * doc/snort_manual.tex:
    * src/snort.h:
      Set minimum max attribute hosts to 32 instead of 8192.
    * src/target-based/sf_attribute_table_parser.l:
      Allow ! character in attribute table grammar for string values.
    * src/snort.c:
    * src/util.c:
      Print log message with BPF filter passed to Snort.
    * src/sfutil/mpse.c:
      Fix issue with default case (which isn't ever hit) of pattern
      matcher performance stats not being calculated correctly.
      Thanks to Wang Zhen for pointing this out.
    * src/parser.c:
      Fixed string comparison for "portvar" and "ipvar" to use
      correct string length.  Thanks to Eric Duda for pointing
      this out.
    * doc/INSTALL:
      Update MAC OSX install notes.
    * doc/README.arpspoof:
      Update arpspoof documentation.
    * etc/snort.conf:
      Update frag3_global configuration example.

2008-04-03 Steven Sturges <ssturges@sourcefire.com>
    * rpm/snort.spec:
      Add ssl preprocessor.  Thanks fo Andrew Pendray for noticing.

2008-03-12 Todd Wease <twease@sourcefire.com>
    * src/decode.c:
    * doc/README.gre:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/Makefile.am:
      Disable PPP decoding if architecture requires word alignment,
      e.g. SPARC machines.
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
      Fix endian issue when determining if SMB is using unicode strings.
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
      Fix issue where FTPTelnet sometimes determines incorrect direction
      with midstream session.
    * src/generators.h:
    * src/preprocessors/spp_frag3.c:
    * doc/README.frag3:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * etc/gen-msg.map:
      Update frag3 to remove enforcement of ttl_limit. Add preprocessor
      alert for min_ttl anomaly.
    * doc/README.ipip:
    * doc/Makefile.am:
      Added README doc for IP in IP decoding.
    * doc/README.stream4:
    * etc/gen-msg.map:
      Fixed some typos.  Thanks to rmkml for pointing this out.

2008-03-06 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * doc/README.ssl:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Improve handling for change cipher records and rule options.
      Indicate that trustservers option only makes sense when
      noinspect_encrypted is used.

2008-03-05 Steven Sturges <ssturges@sourcefire.com>
    * doc/README.variables:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Fix a few misspellings.  Thanks to Markus Lude for letting us know.

2008-03-04 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * rpm/snort.spec:
    * src/win32/WIN32-Includes/config.h:
      2.8.1 RC prep
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.arpspoof (added):
    * doc/README.pcap_readmode (added):
    * snort.8:
      Document new multiple pcap command line options and ARP Spoof
      preprocessor configuration.
    * doc/README.dcerpc:
    * doc/README.http_inspect:
    * doc/README.stream4:
      Update to include information about alerts generated from various
      preprocessors.
    * src/decode.c:
    * src/log_text.c:
    * src/parser.c:
    * src/profiler.c:
    * src/detection-plugins/sp_cvs.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/dynamic-preprocessors/libs/sfcommon.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/sf_iph.c:
    * src/sfutil/sfportobject.c:
    * src/target-based/sftarget_reader.c:
    * src/win32/WIN32-Includes/rpc/types.h:
      Win32 compiler warning cleanup.
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/win32/WIN32-Prj/sf_engine.dsp:
      Reorganize to provide better compatibility with shared libraries.
    * src/detect.c:
    * src/detect.h:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/snort.c:
    * src/snort.h:
      Update to logging of DCE/RPC defragmented packets when using
      console/fast output modes.
    * src/preprocids.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
      Add ability for dynamic rules to store and retrieve data on stream
      session.
    * src/detection-plugins/sp_pcre.c:
      Fix compile warning with older versions of PCRE library.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Update default configuration for FTP's STRU command.

2008-01-27 Todd Wease <twease@sourcefire.com>
    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/generators.h:
    * src/preprocessors/spp_frag3.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * etc/gen-msg.map:
      Added IP in IP encapsulation support for both IPv4 and IPv6.
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/snort.c:
      Enforce stricter versioning when loading shared objects.  Vesions
      of shared libraries - engine and dynamic preprocessors - will not
      load if from an older version of Snort.
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
      Fatal error if commas are not used in SSL dynamic preprocessor
      configuration.  Thanks to Chris Rohlf for bringing this to our
      attention.
    * src/generators.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * etc/gen-msg.map:
      Update Stream5 to alert on data without TCP flags when non-linux
      policy.  Thanks to Chris Eagle, Naval Postgraduate School, for
      bringing this to our attention.
    * src/parser.c:
      Generate a parsing error if an empty IP list is used (this is
      equivalent to !any).  Thanks to Chris Rohlf for bring this to
      our attention.
    * src/parser.c:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfportobject.h:
      Various port object changes.
      Update to handle open port ranges (ie, 1024:) and print error
      lines from config file parsing.
      Added support for handling embedded lists with negations.
      Use more compatible strrchr() instead of rindex().
      Add stricter configuration checks - thanks to Rmkml for bringing
      this to our attention.
    * src/target-based/sftarget_reader.c:
      Use inet_pton() instead of inet_aton.
    * src/target-based/sftarget_reader.c:
    * src/util.c:
      Set uid and gid of target-based thread if not already set.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update to describe new pcre match limit options.
    * src/win32/WIN32-Prj/snort.dsp:
      Remove system dependent Oracle paths from project.
    * src/fpcreate.c:
      Correctly set the max_size when a longer pattern.
    * src/profiler.c:
      Add Percent of Total column to output.
    * src/sfutil/sf_textlog.c:
      Added format string to prevent messages with certain format
      from crashing Snort.

2007-12-10 Todd Wease <twease@sourcefire.com>
    * configure.in:
      Require PCRE version 6 or better
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/stream_api.h:
      Reduce command line and response line overflow false positives
      in SMTP preprocessor when Snort is missing packets.  Only alert
      on one unique SMTP event per session.
    * configure.in:
      Add check for Phil Woods pcap so that pcap stats are computed
      correctly.  Thanks to John Hally for bringing this to our
      attention.
    * doc/INSTALL:
      Update for building on Mac OSX 10.5.  Thanks to Martin Fong
      for bringing this to our attention.
    * doc/README.asn1:
    * doc/README.dcerpc:
    * doc/README.dns:
    * doc/README.flow-portscan:
    * doc/README.frag3:
    * doc/README.ssh:
    * doc/README.stream5:
      Update to include information about alerts generated from various
      preprocessors.
    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
      Add info on stream_size option added with Stream5.
    * etc/gen-msg.map:
      Update to include GRE alerts
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
      Allow specifying metadata within a shared library rule.
    * src/decode.c:
      Update for decoding IP6 header lengths.
    * src/detect.c: 
    * src/parser.c: 
      Correctly handle rule-type keyword.  Thanks to Tung Tran for bringing
      this to our attention.
    * src/log_text.c:
    * src/log.c:
      Fix issue with printing IPv6 addresses.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Update default configuration to allow optional string to STRU command.
    * src/dynamic-preprocessors/libs/sfparser.c:
    * src/dynamic-preprocessors/libs/ssl.c:
    * src/dynamic-preprocessors/libs/ssl.h:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
      Updates to better handle SSLv2 recognition.
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/stream.h:
      Fix misaligned structures for Sparc 64bit OpenBSD.  Thanks to Markus Lude
      for helping us track down the problem.
    * src/preprocessors/spp_stream4.c:
      Warn if configured with stream4 & target-based attributes.
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
    * src/sfutil/sf_iph.c:
    * src/sfutil/sf_ipvar.c:
      Code cleanup for IPv6 related changes.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Handle additional cases of multiple sequences of TCP SYN packets
      on a session that has previously been reset.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Add checks for missing packets in reassembly.
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfxhash.c:
      Code cleanup.
    * src/target-based/sf_attribute_table_parser.l:
    * src/target-based/sftarget_reader.c:
      Better handling for starting attribute reload thread
      and logging parsing errors.
    * src/fpcreate.c: 
    * src/fpdetect.c: 
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_ipoption_check.c:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Added performance profiling stats for rule option evaluation.  Add
      limits to pcre matching that could affect performance.


2007-11-12 Todd Wease <twease@sourcefire.com>
    * src/byte_extract.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
      Allow byte_jump 'string' option to support variable-length
      numeric data.
    * src/cpuclock.h:
    * configure.in:
      Add support for rule and preprocessor profiling times for
      Sparc v9 processors.
    * src/decode.h:
    * src/decode.c:
    * doc/README.gre:
    * src/generators.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
    * configure.in:
      Update GRE decoder to support PPTP GRE v.1 header.  Add new
      GRE decoder alerts and README.  Integrate with IPv6 codebase.
    * src/decode.c:
    * src/decode.h:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
      Update decoder to work will all 3 versions of pflog files.
      Thanks to Ronaldo Maia for reporting this issue.
    * src/parser.c:
    * src/parser.h:
    * src/snort.c:
    * src/snort.h:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/util.c:
    * src/util.h:
    * src/decode.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/mempool.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/profiler.c:
    * src/profiler.h:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/tag.c:
    * src/tag.h:
      Snort can now read multiple pcaps on the command line.  The
      '-r' flag can be given multiple times, as well as options for
      reading a list of pcaps on the command line, a file containing
      pcaps to read and/or a directory to recurse through gathering
      pcaps.  Multiple filters can be used and an option to reset Snort
      to a post initialization state for each pcap read can be given.
    * src/detect.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/parser.c:
    * src/parser.h:
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfportobject.h:
    * src/sfutil/sfrim.h:
      Portlists code consolidation and general cleanup.
    * src/detect.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_respond.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/fpdetect.c:
    * src/ipv6_port.h:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_unified2.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/stream_ignore.h:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_ip.h:
    * src/sfutil/sf_ipvar.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/tag.c:
      IPv6 data type name changes to avoid library namespace conflicts.
    * src/detection-plugins/sp_pattern_match.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/rules.h:
    * src/sf_sdlist.c:
    * src/sf_types.h:
      Fix compiler warnings.
    * src/detection-plugins/sp_pcre.c:
    * src/fpdetect.c:
      Fixed issue where some rules will continue to match on a Uri, even
      after the first packet.
    * src/dynamic-plugins/Makefile.am:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/fpcreate.c:
      Enabled target-based code to properly assess dynamic rule flow.
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
      Update Win32 project files to include target-based and GRE defines.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Allow white space prior to FTP command.
    * src/preprocids.h:
    * doc/README.ssl:
    * doc/snort_manual.tex:
    * etc/snort.conf:
    * configure.in:
    * src/win32/WIN32-Prj/snort.dsw:
    * src/dynamic-preprocessors/ssl/Makefile.am:
    * src/dynamic-preprocessors/ssl/sf_preproc_info.h:
    * src/dynamic-preprocessors/ssl/sf_ssl.dsp:
    * src/dynamic-preprocessors/ssl/spp_ssl.c:
    * src/dynamic-preprocessors/ssl/spp_ssl.h:
    * src/win32/WIN32-Includes/config.h:
      Added SSL preprocessor.
    * src/ipv6_port.h:
      Update IP_CLEAR to clear all fields.  Update IP_COPY_VALUE to copy each
      field individually.
    * src/log.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/log_text.h:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/log_text.c:
    * src/log_text.h:
    * src/sfutil/sf_textlog.c:
    * src/sfutil/sf_textlog.h:
      Added rollover of logs upon reaching configured limit - applies to
      alert_full, alert_fast, log_tcpdump, alert_csv.
    * src/log.c:
      Added IP obfuscation for IPv6 addresses.
    * src/plugbase.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * doc/README.stream4:
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * etc/snort.conf:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/detection-plugins/sp_cvs.c:
    * src/detection-plugins/sp_cvs.h:
      CVS detection plugin.  Currently only looks for an invalid entry.  Ports
      514 and 2401 added to default ports for stream reassembly.
    * src/ppm.c:
    * src/ppm.h:
    * src/profiler.c:
    * doc/snort_manual.tex:
      Fix microseconds calculations. Add ability to use ppm with readback mode.
      Add documentation to Snort Manual.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * doc/README.http_inspect:
    * doc/snort_manual.tex:
    * etc/gen-msg.map:
      Added overly long http header detection.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
      Fixed issue where packets were being blocked when Snort, running in inline
      mode, was shutting down.
    * src/preprocessors/spp_frag3.c:
      Fixed issue where frag3 does not initialize correctly without any
      configuration arguments.  Thanks to Jason Carr for reporting this.
    * src/preprocessors/spp_sfportscan.c:
      Fix endian issue in sfportscan when IP addresses are logged.
      Thanks to Jerry Litteer for reporting this.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/stream_api.h:
      Added function to stream api for returning whether or not there are
      missing segments.  Only supported in stream5.
    * src/preprocessors/str_search.c:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
      Fixed issue where MPSE global counter was being reset by SMTP for each new
      pattern matcher it created.
    * src/sfutil/sf_vartable.c:
    * src/sfutil/sf_vartable.h:
    * doc/README.variables:
    * doc/snort_manual.tex:
      Fix segfault with duplicate variables in IPv6 code (enabled with
      --enable-ipv6).
    * src/target-based/Makefile.am:
    * src/target-based/sf_attribute_table_parser.l:
    * src/target-based/sftarget_reader.c:
      Target based cleanup.
    * src/util.c:
      Fixed incorrect calculation of pcap recevied and dropped.
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
      Added GRE and target-based to default Win32 build.
    * doc/INSTALL:
    * doc/README.ftptelnet:
    * doc/README.http_inspect:
    * doc/README.sfportscan:
    * doc/README.stream4:
    * doc/README.stream5:
    * doc/README.variables:
    * doc/snort_manual.tex:
      Documentation updates. Thanks to Jeff Dell for pointing out
      unified/unified2 errors in Snort Manual and inconsistencies in
      sfportscan documentation.

2007-11-06 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Includes/pcre.h:
    * src/win32/WIN32-Includes/pcreposix.h:
    * src/win32/WIN32-Libraries/pcre.lib:
      Update Win32 LibPCRE to version 7.4.

2007-11-05 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fix debug to correctly call inet_ntoa.  Thanks to rmkml for reporting
      the problem.

2007-09-07 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * src/build.h:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * rpm/snort.spec:
    * snort.8:
      2.8.0 Final release prep.  Update spec file to relocate installed
      schemas and be more consistent with location of docs.
    * src/parser.c:
      Initialize rule_count variables.  Thanks to Ken Steele for pointing
      it out.
    * src/signature.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/plugbase.c:
      Fix typos in comments.  Thanks rmkml for reviewing.
    * src/tag.c:
    * src/sfutil/sf_ip.c:
    * src/sfutil/sf_iph.c:
      Cleanup printing of IPv6 Addresses.
    * src/detection-plugins/sp_pcre.c:
      Initialize the found offset so that it contains correct value
      when not found.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Improve checking on ftp commands from client.
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
      Disable ftptelnet when compiled with IPv6.
    * src/decode.c:
    * src/snort.c:
      After logging alert for BSD IPv6 Fragmentation vulnerability,
      reset the pseudo packet that is used for logging purposes.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Memory cleanup of mime boundary regular expressions at Snort exit.
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_sfportscan.c:
      Memory cleanup of portscan hash table at Snort exit.
    * src/output-plugins/spo_alert_prelude.c:
      Correctly get IP Header length for logging.
    * src/output-plugins/spo_alert_sf_socket.c:
      Complete initialization after rules are read for specific GID/SID
      alerts to log via sf socket.
    * src/output-plugins/spo_unified2.c:
      Code cleanup.
    * src/preprocessors/spp_frag3.c:
      Handle VLAN tags in fragmented traffic and include in rebuilt packets
      if part of original traffic.
    * src/preprocessors/spp_stream5.c:
      Initialize memory for flowbits after all configuration is processed,
      as config flowbitsize option might change default.  Handle byte
      alignment issue on Solaris with the flowbits data structure used
      by Stream5.  Thanks to JJC & Shane Castle for helping us troubleshoot
      these issues and testing the patches.
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/stream_api.h:
      Handle strange sequences of multiple TCP Reset packets on the same
      session when some of those Resets also contain other flags.  Thanks
      to Siim Poder for reporting the problem.

2007-08-31 Steven Sturges <ssturges@sourcefire.com>
    * src/parser.c:
      Updates to prevent variable defintions of the same name as a portvar,
      var and ipvar.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Fix copying of IP address from packet when determining client config
      that resulted from IPv6 port.
    * src/output-plugins/spo_alert_prelude.c:
      Updates to write GID in alert data.  Thanks to Yoann Vandoorselaere
      for the update.
    * src/output-plugins/spo_unified2.c:
      Don't write tagged packets the same as unified.  Packets that are
      part of stream reassembly refer to the original event directly from
      the packet record header.
    * src/sfutil/sfportobject.c:
    * src/sfutil/sfportobject.h:
      Code cleanup and free data correctly on parsing errors.

2007-08-30 Steven Sturges <ssturges@sourcefire.com>
    * doc/Makefile.am:
      Include README.ipv6 & README.variables in the distribution tarball.
      Thanks to Jeff Dell for pointing out that it was missing.
    * RELEASE.NOTES:
      Fix some spelling errors.  Thanks rmkml for pointing it out.
    * etc/snort.conf:
      Update to use new portvar syntax for HTTP_PORTS, ORACLE_PORTS,
      and SHELLCODE_PORTS.  Thanks to rmkml for mentioning this.

2007-08-22 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * src/sf_types.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fixes to build 2.8.0 Beta on OpenBSD.
    * doc/README.variables:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update PortList documentation.

2007-08-20 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * src/build.h:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * rpm/snort.spec:
      2.8.0 Beta prep.
    * src/Makefile.am:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/event.h:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/output-plugins/spo_unified2.c:
    * src/pcap_pkthdr32.h (added):
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
    * src/snort_packet_header.h (removed):
    * src/win32/WIN32-Prj/snort.dsp:
    * src/snort.c:
      Renamed snort_packet_header.h to pcap_pkthdr32.h and changed instances of
      SnortPktHdr with pcap_pkthdr except in Event struct and unified code where
      pcap_pkthdr32 is used because 32 bit timevals are required.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/util.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_httpinspect.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/snort.c:
      Added framework for preprocessors to print stats at exit or USR1 signal.
      Preprocessors register a function that will print the stats and they will
      be printed when DropStats() is called.
    * src/detection-plugins/sp_pattern_match.c:
      Commented out 'content-list' rule option code since it is
      broken and there are no plans in the near future to fix it.
    * src/checksum.h:
    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/detect.h:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-preprocessors/dynamic_preprocessors.dsp:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dns/sf_dns.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/generators.h:
    * src/ipv6.c (removed):
    * src/ipv6.h (removed):
    * src/ipv6_port.h (added):
    * src/log.c:
    * src/Makefile.am:
    * src/output-plugins/spo_alert_arubaaction.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/output-plugins/spo_unified2.c:
    * src/parser/IpAddrSet.c:
    * src/parser/IpAddrSet.h:
    * src/parser.c:
    * src/parser.h:
    * src/plugbase.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/stream_ignore.h:
    * src/rules.h:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/Makefile.am:
    * src/sfutil/sf_ip.c (added):
    * src/sfutil/sf_ip.h (added):
    * src/sfutil/sf_iph.c (added):
    * src/sfutil/sf_iph.h (added):
    * src/sfutil/sf_ipvar.c (added):
    * src/sfutil/sf_ipvar.h (added):
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/sfutil/sf_vartable.c (added):
    * src/sfutil/sf_vartable.h (added):
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/util.c:
    * src/win32/WIN32-Prj/build_all.dsp:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * doc/README.ipv6:
      Added 1st phase of support for IPv6.  Added support for ip variables
      and improved IP address list handling.  See README.ipv6 for specifics
      on what portions of Snort fully support IPv6.  Certain preprocessors
      are not supported -- and cannot be turned on with an IPv6 enabled
      snort.
    * src/output-plugins/spo_unified.c:
      Added configuration option to not append timestamps to unified log/alert
      files.
    * src/output-plugins/spo_unified2.c (added):
    * src/output-plugins/spo_unified2.h (added):
    * src/plugbase.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added unified2 logging/output format.
    * src/cpuclock.h (added):
    * src/detect.c:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/Makefile.am:
    * src/parser.c:
    * src/ppm.c (added):
    * src/ppm.h (added):
    * src/profiler.h:
    * src/rules.h:
    * src/snort.c:
      Added support for packet performance monitoring.  Allows Snort to be
      configured to only spend a certain time period on a given packet
      and/or rule and automatically suspend performance-intensive rules.
      See README.ppm for details.
    * src/bounds.h:
    * src/byte_extract.c:
    * src/byte_extract.h:
    * src/debug.c:
    * src/debug.h:
    * src/decode.c:
    * src/decode.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1_detect.c:
    * src/detection-plugins/sp_asn1_detect.h:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_session.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/bmh.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_client.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/log.c:
    * src/log.h:
    * src/mstring.c:
    * src/mstring.h:
    * src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_ad.h:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_mi.h:
    * src/preprocessors/HttpInspect/include/hi_norm.h:
    * src/preprocessors/HttpInspect/include/hi_server.h:
    * src/preprocessors/HttpInspect/include/hi_util.h:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf-flow.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/snort.c:
      Changed packet payload pointers to use const qualifier to
      eliminate inadvertant writes to the packet buffer.
    * src/preprocessors/HttpInspect/include/hi_util_kmap.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/util/hi_util_kmap.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
      Cleanup memory at Snort exit from session & client configurations.
    * src/debug.h:
    * src/preprocids.h:
    * src/generators.h:
      Added defines for SKYPE.
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
      Fixed a few typos in comments. Thanks to rmkml for pointing them out.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Cleaned up a few typos in various sections.  Thanks to rmkml, Joel
      Ebrahimi for pointing out the misspellings & errors.
    * src/decode.h:
    * src/detect.c:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/stream_api.h:
    * src/rules.h:
    * src/sfutil/Makefile.am:
    * src/sfutil/sfrt.c (added):
    * src/sfutil/sfrt.h (added):
    * src/sfutil/sfrt_dir.c (added):
    * src/sfutil/sfrt_dir.h (added):
    * src/sfutil/sfrt_trie.h (added):
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
    * src/snort.h:
    * src/target-based/Makefile.am (added):
    * src/target-based/sf_attribute_table_parser.l (added):
    * src/target-based/sf_attribute_table.y (added):
    * src/target-based/sftarget_hostentry.c (added):
    * src/target-based/sftarget_hostentry.h (added):
    * src/target-based/sftarget_protocol_reference.c (added):
    * src/target-based/sftarget_protocol_reference.h (added):
    * src/target-based/sftarget_reader.c (added):
    * src/target-based/sftarget_reader.h (added):
    * src/util.c:
      Added experimental support for Target-Based processing for Stream
      reassembly, IP Frag reassembly, and rule processing.  Enable via
      --enable-targetbased option to configure.  A thread is created to
      reload the attribute table upon receipt of a signal 30.
    * src/detect.c:
    * src/detect.h:
    * src/detection-plugins/sp_clientserver.c:
    * src/detection-plugins/sp_clientserver.h:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser.c:
    * src/parser.h:
    * src/pcrm.c:
    * src/pcrm.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/rules.h:
    * src/sfutil/sfportobject.c (added):
    * src/sfutil/sfportobject.h (added):
    * src/sfutil/sfrim.c (added):
    * src/sfutil/sfrim.h (added):
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
    * src/util.c:
      Added Port Lists & Port Range functionality and added port variable
      handling. 
    * preproc_rules/preprocessor.rules:
    * preproc_rules/decoder.rules:
    * preproc_rules/Makefile.am:
    * configure.in:
    * etc/snort.conf:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_dsize_check.c:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_id_check.c:
    * src/detection-plugins/sp_icmp_seq_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_ip_id_check.c:
    * src/detection-plugins/sp_ip_optioncheck.c:
    * src/detection-plugins/sp_ip_proto.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_ip_tos_check.c:
    * src/detection-plugins/sp_isdataat.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/detection-plugins/sp_session.c:
    * src/detection-plugins/sp_tcp_ack_check.c:
    * src/detection-plugins/sp_tcp_flag_check.c:
    * src/detection-plugins/sp_tcp_seq_check.c:
    * src/detection-plugins/sp_tcp_win_check.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/detection-plugins/sp_urilen_check.c:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/event_queue.c:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/parser.c:
    * src/plugbase.c:
    * src/plugbase.h:
      Added support to provide action control (alert, drop, pass, etc)
      over preprocessor and decoder generated events, as well as references
      and classifications via a rule.  These rules do not include IP
      addresses as the individual preprocessor/decoder configuration
      dictates the traffic to which an event applies.  In conjunction
      with this, certain post-processing rule options (tag, logto, etc)
      may be added to those rules, while other options that relate to data
      inspection (content, byte_test, etc) may not.  Enable via
      --enable-decoder-preprocessor-rules option to configure.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Search for other shared library extensions on OpenBSD.  Thanks to
      Nikns Siankin for the request.
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/Makefile.am:
    * src/dynamic-preprocessors/dns/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/ssh/Makefile.am:
      Fixes to correct shared library extension on MAC OS.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/generators.h:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added basic TCP session hijacking detection.  Detection based on MAC
      address used during TCP 3-way handshake and MAC address in subsequent
      packets.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added stream_size rule option (only supported by Stream5).
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/generators.h:
      Improved detection for encrypted ftp sessions, reducing false positives.
      Added detection of subnegotiation begin commands without matching
      subnegotiation end (evasion attempt).
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_config.h:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_log.h:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.h:
    * doc/README.SMTP:
    * etc/snort.conf:
    * src/generators.h:
      Rework much of preprocessor to improve searches, additional
      vulnerability checks.  Updates include changes to handle case
      insensitive searches.  Alert on header name length (Exim exploit) and
      check for valid mime headers.  Add port 587 (see RFC 2476) to
      default ports.  Improved normalization to separate commands and data.
      Updates to config parsing and console startup output.
    * src/parser.c:
      Handle duplicate rules by using the newer revision or the earlier
      appearing rule (if same revision).
    * src/sf_types.h (added):
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/unique_tracker.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf-event.c:
    * src/preprocessors/perf-event.h:
    * src/profiler.c:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
    * src/snort.h:
    * src/snprintf.h:
    * src/util.c:
    * src/util.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Includes/WinPCAP/time_calls.h:
      Updated logging to print 64bit values on various platforms in a more
      portable manner.
    * configure.in:
    * src/decode.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
    * src/win32/WIN32-Includes/config.h:
      Fixed issue with various versions of pcap reporting received &
      dropped stats differently.  Pcap versions 0.9 & higher accumulate
      stats, whereas earlier versions do not.
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfhashfcn.h:
    * src/sfutil/sfprimetable.c (added):
    * src/sfutil/sfprimetable.h (added):
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
      Improve performance of pattern match engines to not evaluate a rule
      with a pattern that has already been seen and the rule already
      processed.  This changes takes into account if that rule fails because of
      an unset flowbit (which may have been set by another rule).  Changed hash
      table hash functions to use power of two computations instead of prime
      numbers.
    * src/util.c:
      Added PCRE library version information to Snort startup banner.

2007-07-27 Steven Sturges <ssturges@sourcefire.com>
    * etc/snort.conf:
      Turn off flow since Stream5 is now enabled by default.
    * src/snort.c:
      Fix printing of threshold counts until after all rules are read.
      This issue did not affect thresholding, only display of thresholding.
      Thanks to Jeffrey Denton for reporting the problem.
    * src/sfutil/ipobj.c:
      Fix free of invalid pointer when using a negated IP list.
      This is used by sfportscan preprocessor configuration parsing.
      Thanks to Anders Ostrem for reporting the problem.
    * src/preprocessors/Stream5/snort_stream5_session.c:
      Fixed issue when experimental ICMP tracking is used without using
      the TCP or UDP session tracking.  ICMP was attempting to lookup
      TCP or UDP sessions from uninitialized session cache.  Thanks to
      Koji Shikata for reporting the problem.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed invalid session pointer when rule tries to use flowbits after
      session ends.  Thanks to rmkml for initially reporting the problem.

2007-07-06 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed potential invalid memory access when require 3whs option is used.

2007-06-28 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/acsmx2.c:
    * src/sfutil/bnfa_search.c:
      Revert previous changes as they resulted in some false negatives
      with mixed case patterns and rules.  Will address in a future release.
    * src/detection-plugins/sp_react.c:
      Fixed problem with segfault with flexresp.  Thanks to Keith Pachulski
      for reporting the issue.

2007-06-20 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/bnfa_search.c:
      Performance improvement to track the last state of a pattern that
      match, so if it hits that state again immediately, don't go
      re-evaluate all of the same rules.
    * src/decode.c:
    * src/detect.c:
    * src/snort.h:
    * src/util.c:
      Properly handle UDP checksum if checksum value is 0 in header (do not
      calculate).  Add stat that tracks number of failed checksums.
    * src/detection-plugins/sp_pcre.c:
      Add /P flag to PCRE detection to check HTTP inspect's normalized
      client request body.
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-examples/Makefile.am:
      Fix header file replication.
    * src/output-plugins/spo_alert_prelude.c:
      Update to write data at Snort exit.  Thanks Yoann Vandoorselaere for
      the patch.
    * src/parser.c:
      Update to max line length.  Mark 'stateless' option to be deprecated,
      use flow:stateless.

2007-06-19 Steven Sturges <ssturges@sourcefire.com>
    * src/byte_extract.h:
    * src/event_queue.h:
    * src/event_wrapper.h:
    * src/inline.h:
    * src/ipv6.c:
    * src/ipv6.h:
    * src/packet_time.h:
    * src/plugin_enum.h:
    * src/preprocids.h:
    * src/sfthreshold.h:
    * src/snort_packet_header.h:
    * src/detection-plugins/sp_asn1.h:
    * src/detection-plugins/sp_asn1_detect.h:
    * src/detection-plugins/sp_flowbits.h:
    * src/detection-plugins/sp_ip_proto.c:
    * src/dynamic-examples/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h:
    * src/dynamic-examples/dynamic-preprocessor/spp_example.c:
    * src/dynamic-examples/dynamic-rule/detection_lib_meta.h:
    * src/dynamic-examples/dynamic-rule/rules.c:
    * src/dynamic-examples/dynamic-rule/sid109.c:
    * src/dynamic-examples/dynamic-rule/sid637.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_udp.h:
    * src/preprocessors/spp_flow.h:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_httpinspect.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_sfportscan.h:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
    * src/preprocessors/stream.h:
    * src/preprocessors/HttpInspect/anomaly_detection/hi_ad.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_ad.h:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_client_norm.h:
    * src/preprocessors/HttpInspect/include/hi_eo.h:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_eo_log.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_mi.h:
    * src/preprocessors/HttpInspect/include/hi_norm.h:
    * src/preprocessors/HttpInspect/include/hi_return_codes.h:
    * src/preprocessors/HttpInspect/include/hi_server.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_ui_iis_unicode_map.h:
    * src/preprocessors/HttpInspect/include/hi_ui_server_lookup.h:
    * src/preprocessors/HttpInspect/include/hi_util.h:
    * src/preprocessors/HttpInspect/include/hi_util_hbm.h:
    * src/preprocessors/HttpInspect/include/hi_util_kmap.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/HttpInspect/utils/hi_util_hbm.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/HttpInspect/utils/hi_util_xmalloc.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * src/preprocessors/flow/common_defs.h:
    * src/preprocessors/flow/flow.c:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow_callback.c:
    * src/preprocessors/flow/flow_callback.h:
    * src/preprocessors/flow/flow_class.c:
    * src/preprocessors/flow/flow_class.h:
    * src/preprocessors/flow/flow_config.h:
    * src/preprocessors/flow/flow_error.h:
    * src/preprocessors/flow/flow_hash.c:
    * src/preprocessors/flow/flow_hash.h:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/flow_print.h:
    * src/preprocessors/flow/flow_stat.c:
    * src/preprocessors/flow/flow_stat.h:
    * src/preprocessors/flow/int-snort/flow_packet.c:
    * src/preprocessors/flow/int-snort/flow_packet.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps.h:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/flowps_snort.h:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/flow/portscan/scoreboard.h:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/server_stats.h:
    * src/preprocessors/flow/portscan/unique_tracker.c:
    * src/preprocessors/flow/portscan/unique_tracker.h:
    * src/sfutil/acsmx2.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/ipobj.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfhashfcn.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfmemcap.h:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfsnprintfappend.h:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
    * src/sfutil/util_net.c:
    * src/sfutil/util_net.h:
    * src/sfutil/util_str.c:
    * src/sfutil/util_str.h:
    * src/win32/WIN32-Code/inet_aton.c:
    * src/win32/WIN32-Code/name.h:
      Update copyright dates & info and add GPL header.

2007-06-01 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Update to hourly timestats from Bill Parker.

2007-06-01 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
      Fix configuration parsing to validate parameters for memcap,
      max_frags, prealloc_frags.  Thanks to Joel Ebrahimi for pointing
      out the issue.

2007-05-30 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Cleanup xlink2state processing and remove potential read beyond
      end of packet.
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update handling of timed out session cleanup when the 'same' (IPs/ports)
      session is picked up midstream.

2007-05-23 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.stream5:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/stream5_common.h:
      Update Stream5 to use 65535 << 14 as max allowable value for
      the 'max_window' option.
    * src/decode.c:
    * src/detect.c:
    * src/snort.c:
    * src/snort.h:
      When checking for IPv6 BSD frag vulnerability, use a pseudo packet
      with false IPv4 headers for logging purposes rather than writing
      the IPv4 header within the original packet buffer.
    * src/preprocessors/spp_frag3.c:
      Update to not change original packet buffer when rebuilding fragments
      with IP options.
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_rpc_decode.h:
      Update to use the altdecode buffer for normalization.

2007-05-22 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update for 2.7.0.
    * configure.in:
    * src/debug.c:
    * src/debug.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/win32/WIN32-Includes/config.h:
      Check for wchar.h and don't try to use it if not present.
      Fixes builds on OpenBSD 3.5 and others.
    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ppftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/ipv6.c:
    * src/ipv6.h:
    * src/mempool.c:
    * src/parser.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sfxhash.c:
    * src/snort.c:
      Added code to cleanup memory at Snort exit/restart.
    * src/output-plugins/spo_log_tcpdump.c:
      Update to timestamp writing on 64bit platforms.
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
      Update normalization for postfix and sendmail servers that
      normalize any space except '\n'.
    * src/preprocessors/str_search.c:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/mpse.c:
      Use BNFA, smaller memory footprint for searches from SMTP.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_eo_log.h:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Update way in which Body vs URI's are normalized, checked for
      anomalies and alerted on.
    * src/preprocessors/snort_stream4_udp.c:
      Fix use of ignore_any keyword when dealing with portscan
      and/or rules that have flow/flowbits.
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update to timestamp handling and anomaly detection with invalid
      timestamps on RST packets.
    * src/snort.c:
    * src/snort.h:
      Add --loop option to be used with -r for pcap readback mode.

2007-05-09 Adam Keeton <akeeton@sourcefire.com>
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Added code to prevent URI-related alerts from firing when the
      body is being normalized.

2007-05-08 Adam Keeton <akeeton@sourcefire.com>
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fixed pointer initialization relating to POST normalization.

2007-04-27 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Provide new rule keyword modifier for content option that allows a
      rule to search for a pattern in the body of an HTTP client request.
    * src/util.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/include/hi_client.h:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/include/hi_util_xmalloc.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
      Update to normalize the body of a client request to allow rules to
      check specifically for parameters of a POST or GET request.  Also
      add stats that are part of the hourly stats that track various
      HTTP encodings and normalizations that have occured.
    * src/preprocessors/spp_stream4.c:
      Fix potential memory leak.
    * doc/README.ipv6:
      Updates for clarity.
    * doc/faq.tex:
    * configure.in:
      Add minimal PCRE version.
    * etc/gen-msg.map:
    * src/decode.c:
    * src/generators.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Handle TCP window scale option that is > 14.  Added decoder alert for
      this and adjust the scale per RFC 1323 in Stream5.
    * etc/snort.conf:
      Make Stream5 the default stream engine.
    * src/decode.c:
      Add alert for multiple GRE encapsulations.
    * src/ipv6.c:
      Additional structure name changes to avoid conflicts on Win32.
    * src/parser.c:
      Update the maximum number of entries in an IP List to 1024 (was 128).
      Added ability to configure Timestats interval, default is 3600 seconds
      (1 hour) when enabled via --enable-timestats.
    * src/snort.c:
    * src/snort.h:
    * src/util.h:
      Revised signal handler for Timestats.
    * src/util.c:
      Update Timestats to include Wifi, GRE, Frag & TCP Stream info.  Thanks
      to Bill Parker for the update.
    * src/detection-plugins/sp_icmp_code_check.c:
    * src/detection-plugins/sp_icmp_type_check.c:
      Update to parsing of icmp rule options for better grammar enforcement.
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
      Specify TCP window of 0 for RST packets that are sent.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/sf_dynamic_preproc_lib.c:
      Make Preprocess() function available to dynamic preprocessors.  Thanks
      Vladimir Shcherbakov for the request.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Code cleanup and a minor reorganization.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix truncated buffer in when compiled in debug mode.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update to track additional stats for TCP session cache and session states.
    * src/preprocessors/spp_perfmonitor.c:
      Fix behaviour of 'accumlate' option.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update for 64bit platforms.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * doc/README.stream5:
      Updates to config validation.  Code cleanup for readability.  Update
      TCP Window Scale use and sequence validation to be RFC 1323 compliant.
      Document min/max values for parameters, etc.

2007-04-13 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.h:
    * src/decode.c:
    * src/ipv6.c:
      Changed structure declaration and usage to not conflict with OpenBSD.

2007-03-28 Steven Sturges <ssturges@sourcefire.com>
    * rpm/snort.spec:
      Remove smp_flags from spec file to not parallelize building.
    * doc/README.ipv6
    * etc/gen-msg.map:
    * src/Makefile.am:
    * src/decode.c:
    * src/decode.h:
    * src/generators.h:
    * src/ipv6.c (added):
    * src/ipv6.h (added):
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/win32/WIN32-Prj/snort.dsp:
      Added ability for Snort to track fragmented ICMPv6 to check for the
      remote BSD exploit (Bugtraq ID 22901, CVE-2007-1365).
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
    * src/plugbase.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/stream_ignore.c:
    * src/profiler.c:
    * src/snort.c:
      Cleanup to use safe snprintf and strncpy functions, check return values
      of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer
      bounds checks.
    * src/parser.c:
      Fix issue with printing rule information twice.
    * src/profiler.h:
    * src/preprocessors/spp_flow.c:
      Fix miscalculation of processor time attributable to flow.
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
      Added hasXXX functions for Content, ByteTest, and PCRE.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Code cleanup to perform bounds checking, validation of memcpy
      success, remove potential memory leak.  Code readability improvements
      and update DCE endianness checks.
    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
      Code cleanup for initialization of memory allocations and add
      early termination when at end of packet payload.
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Code cleanup for initialization of memory allocations and remove
      dead/unused code for directory and user state tracking.
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Code cleanup for initialization of memory allocations, fix normalization
      to prevent read beyond packet payload.  Generate SMTP command overflow
      even if packet payload doesn't contain complete command (missing LF).
    * src/preprocessors/spp_frag3.c:
      Further update to handle iptables (and other datalink layers) that
      do not have ethernet headers to be included in rebuilt fragment.
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
    * doc/README.stream5:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Add verification of options for ICMP, TCP, UDP configurations are
      within reasonable limits.  Reorganize reassembly flush initialization.
      Print list of UDP rules that are effectively ignored with ignore_any_rules
      option.  Update session timeout handling.
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
      Allow use of limit on number of nodes in hash table instead of
      relying on memcap for limiting sessions.
    * src/bounds.h:
    * src/debug.c:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/sfthreshold.c:
    * src/snort.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_session.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/parser/IpAddrSet.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/flow_print.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfxhash.c:
      Cleanup to use safe snprintf and strncpy functions, check return values
      of SafeMemcpy, use calloc or SnortAlloc, and other static size buffer
      bounds checks.  Add handling for FatalError not returning for static
      code analysis tools.
    * src/sfutil/sfthd.c:
      Fix memory leak in global config.  Thanks Boris Lytochkin for pointing
      this out.

2007-02-20 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Update copyright date to include 2007.

2007-02-17 Steven Sturges <ssturges@sourcefire.com>
    * src/parser.c:
      Code cleanup, remove tab characters going to syslog.
    * src/detection-plugins/sp_clientserver.c:
      Handle flow keyword with Stream5 UDP sessions.
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
      Add bounds checking to ReassembleSMBWriteX; use Safememcpy for calculated
      length buffer copies.

2007-02-09 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
      Added support for libpcap that depends on libpfring.  Thanks to
      Jason Wallace for the patch.  Also updated description as to why
      libpcap check might fail and what files might be missing, thanks
      to James Affeld for that suggestion.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update configuration parsing and validation checks and fix issue
      with static flushpoints not really being static.
    * src/output-plugins/spo_database.c:
      Code cleanup to check that a query was not truncated when using
      snprintf and guarantee NULL terminated string.

2007-02-07 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/detection-plugins/sp_ip_same_check.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_react.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/flow/flow_print.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_stream4.c:
    * src/snort.c:
    * src/tag.c:
    * src/win32/WIN32-Code/misc.c:
      Code & warning cleanup.
    * src/parser.c:
      Add file and line number to an error message.  Thanks to
      rmkml for pointing out the omission.

2007-02-05 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/fpdetect.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/parser/IpAddrSet.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/mode_inspection/hi_mi.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/server/hi_server.c:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_server_lookup.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/ipobj.c:
    * src/signature.c:
    * src/snort.c:
    * src/tag.c:
    * src/ubi_BinTree.c:
    * src/util.h:
      More code cleanup, eliminate warnings on Win32 platform.

2007-02-02 Steven Sturges <ssturges@sourcefire.com>
    * doc/README.stream5:
      Cleanup spelling, etc.
    * src/bounds.h:
    * src/preprocessors/spp_frag3.c:
      Fix issue when Snort is inline using iptables, without either the
      ipconntrack or NAT modules.  This should not occur using the recommended
      snort inline configuration, since the OS is supposed to handle IP
      fragment reassembly.  The Ethernet header doesn't exist in the packet
      received by Snort, causing snort to dereference an invalid pointer.
      Thanks to Panda Software and Joel Ebrahimi for reporting the issue."
    * src/parser.c:
      Fix benign warning when using -E on Win32.
    * src/plugbase.c:
    * src/preprocessors/spp_telnet_negotiation.c (removed):
    * src/preprocessors/spp_telnet_negotiation.h (removed):
    * src/preprocessors/Makefile.am:
    * src/win32/WIN32-Prj/snort.dsp:
      Removed deprecated telnet preprocessor.
    * src/profiler.c:
    * src/profiler.h:
      Added profiling code for 64 bit Intel and PPC platforms.
    * src/decode.h:
    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/profiler.c:
    * src/profiler.h:
    * src/sfthreshold.c:
    * src/signature.c:
    * src/snort.c:
    * src/strlcatu.c:
    * src/strlcpyu.c:
    * src/ubi_BinTree.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_react.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_ttl_check.c:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/int-snort/flow_packet.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/getopt_long.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sflsq.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfxhash.c:
    * src/win32/WIN32-Code/misc.c:
    * src/win32/WIN32-Code/syslog.c:
    * src/win32/WIN32-Code/win32_service.c:
      Code cleanup, change malloc/calloc to SnortAlloc, use safer functions
      SnortSnprintf, SnortStrncpy, etc.  Check pointers before use.
    * src/win32/WIN32-Code/win32_service.c:
      Fix issue with service initialization and parameter validation.
      Thanks Hideki Saito for pointing out the problem.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Code cleanup, update calculating for valid length to handle
      alternate padding.  Update to use safer functions.
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
      Allow portscan to work with Stream5 UDP session tracking (because
      it replaces flow preprocessor).  Added API function to get direction
      of packet (not supported in Stream4).
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/stream5_common.h:
      Stream5 config parsing improvements.  Check option parameters for
      reasonable values (prevent huge memcaps, etc).

2007-01-29 Steven Sturges <ssturges@sourcefire.com>
    * src/debug.c:
    * configure.in:
      Handle platforms that don't support vswprintf and vwprintf.  Thanks
      Nikns Siankin for pointing that out for OpenBSD.
    * src/profiler.h:
    * src/profiler.c:
    * src/rules.h:
      Use 64 bit values to store profiling counters.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added a table for content modifiers and links to their respective
      sections.  Removed old preprocessor sections and moved ASN.1 from
      preprocessor to detection plugins section.  Added section for Stream5.
    * src/win32/WIN32-Prj/snort.dsp:
      Always use DYNAMIC_PLUGIN.
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/LibnetNT.h:
      Code cleanup.
    * src/detection-plugins/sp_flowbits.c:
    * src/preprocessors/spp_stream5.c:
      Fix issue with flowbits for UDP streams.
    * src/detection-plugins/sp_flowbits.c:
      Add check when stream4 or stream5 are not enabled to still support
      flowbits.  Will be removed when Flow preprocessor and Stream4 are
      deprecated.  Thanks to Nathan Ching for pointing out the issue.
    * src/snort.c:
      Fix to allow dynamic rules to load correctly.
    * doc/README.stream4:
    * doc/README.stream5:
      Cleanup.

2007-01-18 Steven Sturges <ssturges@sourcefire.com>
    * etc/generators:
    * src/generators.h:
      Remove generator IDs that are no longer used.
    * doc/README.tag
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added info on snort.conf config option tagged_packet_limit and added
      README.tag info file for the tag option in rules.
    * doc/README.http_inspect:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Emphasized in httpinspect documentation that a flow_depth between
      1 and 1460 will only inspect at most that many bytes of a server's
      response, stream reassembled or not and that rules written to inspect
      more than flow_depth bytes will be ineffective.  Thanks to Christian
      Seifert for pointing this out.

2007-01-17 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * snort.8:
    * RELEASE.NOTES:
    * etc/snort.conf:
    * rpm/snort.spec:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Prj/snort_installer.nsi:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update for 2.7.0 Beta
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/win32/Makefile.am:
    * src/win32/WIN32-Code/getopt.c:
    * src/win32/WIN32-Code/getopt_long.c:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/getopt.h:
    * src/win32/WIN32-Includes/getopt1.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Prj/.cvsignore:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
      Update Win32 build enviornment for 2.7.0.
    * doc/README.stream5:
    * doc/README.ftptelnet:
      Fix a few typos and add better descriptions for alerts.
    * etc/gen-msg.map:
    * etc/generators.h:
      Add Stream5 alert.
    * etc/snort.conf:
    * src/preprocessors/spp_frag2.c (removed):
    * src/preprocessors/spp_frag2.h (removed):
    * src/preprocessors/Makefile.am:
    * src/plugbase.c:
    * src/plugbase.h:
      Remove deprecated Frag2.
    * src/sfutil/mwm.c (removed):
    * src/sfutil/mwm.h (removed):
      Remove deprecated mwm pattern matcher.
    * src/detection-plugins/sp_ipoption_check.c:
    * src/decode.h:
    * src/decode.c:
    * src/log.c:
      Add handling of IP Option ESEC (Extended Security).
    * src/debug.h:
    * src/bounds.h:
    * src/fpcreate.h:
    * src/fpdetect.h:
    * src/tag.c:
    * src/detection-plugins/sp_respond2.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
    * src/preprocessors/portscan.h:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/HttpInspect/include/hi_include.h:
    * src/preprocessors/flow/common_defs.h:
    * src/sfutil/bitop_funcs.h:
      Move definition of INLINE for inline functions to a common place.
    * src/debug.c:
    * src/debug.h:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
      Add DebugWideMessageFunc for use with Wide Character sets, however
      it does not write to syslog.
    * src/debug.c:
    * src/decode.c:
    * src/detect.c:
    * src/detect.h:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/mstring.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/plugbase.c:
    * src/profiler.h:
    * src/sf_sdlist.c:
    * src/sfthreshold.c:
    * src/sfthreshold.h:
    * src/signature.c:
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/util.c:
    * src/util.h:
    * src/detection-plugins/sp_ip_fragbits.c:
    * src/detection-plugins/sp_pcre.c:
    * src/detection-plugins/sp_rpc_check.c:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/smtp/smtp_confic.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/stream_ignore.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/ipobj.c:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfhashfcn.c:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/sfutil/sflsq.c:
    * src/sfutil/sflsq.h:
    * src/sfutil/sfmemcap.c:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * src/sfutil/util_match.c:
    * src/sfutil/util_net.c:
      Code cleanup, change malloc to calloc, use safer functions
      SnortAlloc, SnortStrdup.  Check pointers before use.
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
      Added caller usable state tracking to pattern matcher.
    * src/parser.c:
    * src/parser.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
      To better handle rule options that are provided by dynamic
      preprocessors, make 2 passes through snort.conf at startup.
    * src/parser.c:
    * src/snort.c:
      Improve dynamicengine keyword and commandline option to allow for
      specifying directory or file.
    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/parser.c:
    * src/signature.c:
    * src/signature.h:
      Unify logging to a single code path and added ability to have
      rule stubs for preprocessor and decoder events.
    * src/snort.c:
      Fix code that looks for .snortrc.  Thanks to Benjamin Bennett
      for pointing out the issue.
    * src/preprocessors/portscan.c:
    * src/preprocessors/spp_sfportscan.c:
      Fix false alert where destination IP was not in range reported by
      sfportscan alert.
    * src/preprocessors/spp_sfportscan.c:
      Reset threshold checking at end of portscan alerting so that other
      events generated for packet wouldn't use old value returned from
      testing portscan thresholding/suppression.  Thanks to Andreas
      Ostling for pointing this out.
    * src/preprocessors/spp_frag3.c:
      Cleanup of GRE code for GRE nested fragments.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_session.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/Stream5/stream5_common.h:
      Added memcap for TCP reassembly packet storage.  Reduced memory
      consumption of session tracking data structures.  Added target-based
      reassembly for HPUX 11, HPUX 10.2, Windows 2003, Windows Vista.
      Added target-based support for processing of TCP timestamps, TCP
      Resets, and repeated SYN packets.  Improved Session cache management.
      Update flushpoint management.  Improved handling of midstream
      session establishment.  Code cleanup to use safe functions for
      memory allocation.  Set tcp policy for both sides of session,
      rather that by first packet seen, correctly does target-based
      reassembly for each side.  Simplify code handling sessions to ignore.

2007-01-07 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/decode.h:
      Fixed issue where GRE decoder was attempting to assign a potentially
      negative value to an unsigned integer.  This value, which would then
      be positive, was then checked to see if it was less than zero, which
      would indicate whether the calculated length of the header was greater
      than the length of the rest of the packet capture.  This would always
      return false and the assumed length of the packet would potentially
      be larger than the actual length, leading to a potential dereferning
      of invalid memory.  Thanks to Chris Rohlf for pointing this out.

2006-12-04 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Configuration validation update.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
      Additional updates for bounds checking.
    * src/detection-plugins/sp_isdataat.c:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added an option to specify rawbytes for the buffer.

2006-11-30 Steven Sturges <ssturges@sourcefire.com>
    * src/tag.c:
      Fix logging of tagged packets when -G (event source ID) is used.
    * src/event.h:
    * src/snort_packet_header.h:
    * src/output-plugins/spo_unified.c:
      Fix unified to work correctly on 64bit platforms.  Thanks Nikns Siankin
      for the report.  Nikns provides a patch to barnyard that may be
      required to use this functionality on a 64bit systems.  Grab the
      patch from here: http://secure.lv/~nikns/stuff/barnyard_64bit.diff
    * src/snort.c:
    * src/snort.h:
      Reorganize code for inline fail-open to create pattern matcher rule
      groups in the thread.
    * src/util.c:
      Code cleanup
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Fix segfault caused by integer overflow and add additional checks
      to protect against other underflow/overflow conditions.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Add capability to have multiple application layer preprocessors store
      data within the stream to better handle autodetection and multi-protocol
      packets.  Fix additional issue with high CPU and reprocessing rebuilt
      packets that are split across a sequence wrap. 

2006-11-22 Steven Sturges <ssturges@sourcefire.com>
    * preprocessors/spp_stream4.c:
      Fix problem with snort using high CPU and reprocessing the same
      rebuilt packets at session end or ACK in middle of packet when
      there are gaps in the packet sequence.

2006-11-16 Andrew Mullican <amullican@sourcefire.com>
    * etc/gen-msg.map:
      Add DCE/RPC preprocessor alert.

2006-11-07 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Updates for printing of options and handling of memcap.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Add print for config option.
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_session.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
      Add UDP session tracking stats.  Improved TCP Timestamp handling.
      Seperate MacOS policy from BSD, as they differ slightly.  Improved
      performance of session pruning.
    * src/snort.c:
      Updates to inline thread initialization. 

2006-10-30 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Fix debug prints.
    * src/detection-plugins/sp_isdataat.c:
      Fix problem with this option not being marked as relative when
      'relative' is used.  This change should've been made with changes
      for not rechecking non-relative options on 2006-08-16.

2006-10-27 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
      Output user-selected server profile at startup.
    * src/parser.c:
      Detect corrupt files and handle mixed windows and unix line endings.
    * doc/README.dcerpc:
      Update description of DCE/RPC auto-detect.
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Fix various bugs relating to unicode, ntohs, bounds-checking,
      and SMB chained AndX commands.
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
      Print out mempcap and max_frag_size on startup.

2006-10-23 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Updated stream4 documentation in the Snort manual to reflect
      new UDP options and inline option updates.  Corrected error with
      event_queue parameter - changed max_events to max_queue.
    * doc/faq.tex:
      Updated FAQ to reflect disuse of ACID in favor of BASE.
      Added references to FLoP and Mudpit as output systems for Snort.
      Added references to two IDS books.
    * doc/README.decode:
      Added README file for the Snort decoder
    * doc/README.stream4:
      Made minor changes to language
    * etc/snort.conf:
      Added commented out decoder options with description -
      enable_decode_oversized_alerts and enable_decode_oversized_drops
    * doc/README.http_inspect:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Updated tab_uri_delimiter section in document to reflect deprecation. 
      Removed the deprecated tab_uri_delimiter from server profiles since
      it's redundant with whitespace_chars.
    * src/preprocessors/snort_httpinspect.c:
      Allow user-specified ports to override internal defaults.
    * src/detection-plugins/sp_pattern_match.c:
      Fix error message with max pattern size.
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
      Fix spelling of obsolete in macros.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Fix spelling of DETECT_ANOMALIES macro.
    * src/profiler.c:
      Removed tabs from preprocessor stats output.  Tabs aren't compliant
      with syslog RFC.
    * doc/README.ftptelnet:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Added documentation on Telnet configuration option detect_anomalies
    * src/preprocessors/spp_stream4.c:
      Fixed potential for infinite loop when only part of a packet being
      used in reassembly is ACK'd.
    * src/preprocessors/perf-base.c:
      Fixed packet count stats when in readback mode.

2006-10-13 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugins/sp_flowbits.c:
      Fixed an off-by-one error message that prevented the maximum number
      of flowbits from being used.  Include number of flowbits used in
      summary of flowbits usage.
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
      Fix parser to properly error if misconfigured ports.
    * src/decode.c:
    * src/decode.h:
    * src/parser.c:
      Added new config option "enable_decode_oversized_alerts" and
      "enable_decode_oversized_drops" to allow alerting on packets with
      extra bytes at the end of their payload

2006-10-12 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * RELEASE.NOTES:
      Prepare for 2.6.1 RC.
    * configure.in:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Start a thread if running in inline mode that passes traffic through
      once pcap is opened and snort is not ready to start inspection (ie,
      loading rules, creating pattern matcher, etc).  Thread is terminated
      when snort is ready to process packets.
      Compiled in via --enable-inline-init-failopen option to configure
      script.  Disable by --disable-inline-init-failopen commandline option or
      'config disable_inline_init_failopen' in snort.conf/user.conf in the
      case that the interface is fail-closed.  Requires libpthread.
    * src/parser.c:
      Require a sid for every rule.
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
      Verifies that the stream preprocessor is enabled.
      Version string bounds checking now uses the length of the version
      string versus the length of the entire payload.
    * src/preprocessors/snort_stream4_udp.c:
      Update UDP session stats (packet count, start/end time, bytes, etc).
    * doc/README.stream4:
    * doc/Makefile.am:
      Finally a description for Stream4.  Thanks Todd!
    * src/parser.c:
    * src/signature.c:
      Allow for variable metadata in rule options.  Ignore unknown metadata
      fields.
    * etc/gen-msg.map:
    * src/decode.c:
    * src/generators.h:
      Added additional TCP length checking and UDP length checking and new
      decode alerts for anomalous lengths.

2006-10-09 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Fix problem with reassembly of server side traffic.  Thanks
      rmkml and Crusoe Researchers for notifying us of the issue.
    * src/preprocessors/spp_stream4.c:
    * src/generators.h:
    * etc/gen-msg.map:
      Fix Stream4 to handle duplicate SYN packets by purging existing
      packets queued for reassembly after the seq of the SYN.  Also,
      properly handle retransmitted data that is overlapping the current
      packet and when trimmed overlapping the next packet.

2006-10-04 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
      Fixed issue in GRE code where data could
      potentially be dereferenced past the end
      of the packet.
    * src/parser.c:
      Fix log message.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Add stats tracking for UDP sessions to perfmonitor and stream4's
      session stats (keepstats option).  Update Stream4 to purge
      UDP session cache on a timeout basis, similar to the way TCP
      session cache is purged.  Remove cache_clean_percent option.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
      Fixes for CORE SMB fragmentation.  Also, fix for perf-profiling.

2006-09-27 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
      Fix issue with use of Stream4 cache_clean_percent option
      that resulted in a segfault when the max session limit was
      reached.  Thanks to Jason Ish for reporting the problem.
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * doc/README.http_inspect:
      Split the IIS profile in the HTTP inspect preprocessor into
      IIS, ISS4, and ISS5_0.  ISS 4.0 and ISS 5.0  both support double
      decoding, but ISS 5.1 and beyond do not.  Double decoding alerts
      are now disabled in the ISS profile, but remain enabled for the
      IIS 4.0 and IIS 5.0 profiles.  Thanks to Pratap Ramamurthy for
      pointing out that IIS 5.1 does not support double decoding
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
      Fixed issue where iface_ADDRESS variable wasn't getting set before
      configuration file was read. Now all up interfaces will get a
      variable created.  Note that these will NOT get set if the
      readmode flag is set.  Thanks to Paul Melson for reporting the
      problem.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Handle reassembly of first packet for midstream pickups (first packet
      wasn't part of an established session at that point, so some rules
      might fail).
    * src/preprocessors/Stream5/snort_stream5_session.c:
      Fix handling of cache clean by percent.
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
      Fix problem with relative options not being marked as relative (for
      distance/within keywords).

2006-09-21 Steven Sturges <ssturges@sourcefire.com>
    * src/generators.h:
    * src/snort.c:
    * src/sfutil/bitop_funcs.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Update for GRE additions and compilation on Win32.
    * src/preprocessors/spp_stream4.c:
      Fix issue with alerts missing in DEBUG mode.
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
      Fix signedness issue that caused HttpInspect to miss certain
      oversized chunk alerts.
    * src/sfutil/ipobj.c:
      Fix parsing that prevented multiple IP lists from being parsed
      correctly.  This fixes a problem with sfportscan configuration when
      'watch_ip', 'ignore_scanners', and 'ignore_scanned' options are
      used together.  Thanks to Rob Sharp and Husnu Demir for reporting
      the bug.

2006-09-18 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * doc/INSTALL:
    * gen-msg.map:
    * src/decode.c:
    * src/decode.h:
    * src/generators.h:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
      Added support to decode GRE encapsulated traffic.  Only IP as transport
      protocol is supported and only one layer of encapsulation will be
      decoded - packets with multiple GRE headers will be discarded.  Thanks
      Todd Wease (and welcome to the Snort team!) for this contribution.
    * configure.in:
    * doc/README.ARUBA:
    * doc/Makefile.am:
    * doc/snort_manual.tex:
    * src/plugbase.c:
    * src/output-plugins/Makefile.am:
    * src/output-plugins/spo_alert_arubaaction.c:
    * src/output-plugins/spo_alert_arubaaction.h:
      Added support for communcation with an Aruba Networks wireless
      mobility authentication/access control system.
    * configure.in:
      GCC 4.x.x has strict aliasing on by default with optimization level 2.
      However, Snort uses aliases in a number of places.  configure now checks
      the gcc compiler version for 4 and disables strict aliasing with
      -fno-strict-aliasing.  Thanks to Ronald Henderson and Keith Konecnik
      for simultaneously (and independently) discovering and reporting this
      issue.

2006-09-15 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugins/sp_pattern_match.c:
      Cleanly fail with content patterns that are > 2048 bytes.
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
      Fix memcap to be global.  Turn off memcap alerts by default.
      Add config item to enable alerting on exceeded memcap.
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/mpse.c:
      Code cleanup

2006-09-13 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/decode.h:
    * src/log.c:
    * src/log.h:
    * src/generators.h:
    * etc/gen-msg.map:
      Added code to print original datagram for all ICMP error types if
      alerted on.
      Fix to print original datagram on alert if original datagram was ICMP.
      Thanks to John Papapanos for pointing out the above 2 issues.
      Added additional decoder alerts for ICMP error types.
      Removed fragtracking of ICMP original datagram - it never made sense
      since only an ICMP response to the first frag is ever returned.
      Fixed issue where data and size pointers were not set correctly for
      ICMP error types.
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Remove checks for duplicate alerts within a given session, as
      this is now handled within the general alerting mechanism
      and session tracking.
    * src/parser.c:
      When a variable was redefined, a call to LogMessage() was missing a
      parameter.  Thanks to Greg Baran for pointing this out.

2006-09-11 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
      Fix to remove uses of strlen or wcslen.  Properly validate andXOffset.
      Fix bug in DCE/RPC fragment reassembly.

2006-09-07 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Fix output for the USR1 signal when calculating statistics for
      pcap counts.  Keep a tally of packets seen/dropped/etc and
      use deltas, rather than the 'most recent' value when determining
      percentages after each USR1 signal.  Thanks to Colin Grady for
      pointing out the issue.
    * src/parser.c:
      Allow for a line without an end of line marker in snort.conf.

2006-09-06 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/detect.c:
    * src/log.c:
    * src/snort.c:
    * src/detection-plugins/sp_respond.c:
    * src/detection-plugins/sp_respond2.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fix memory leak in ascii and cmg output modules.
      Remove calls to ClearDumpBuf() from related calls
      PrintIPPkt() and PrintNetData(), as it is no longer
      needed.

2006-08-31 Steven Sturges <ssturges@sourcefire.com>
    * rpm/snort.spec:
    * etc/snort.conf:
      Add DNS preprocessor to packaging and config.
    * doc/Makefile.am:
    * doc/README.stream5:
      Add Stream5 README.

2006-08-30 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/ipobj.c:
      Additional fix for parsing of IP lists that are not space seperated.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Treat spaces as part of a filename in 'string' parameter validation.
      Thanks Bamm Visscher for pointing out the issue.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
      Remove the ifdef'd splay tree code for packet and session storage.
      It has been replaced by a hash table and is no longer needed.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/stream5_common.h:
      Add a few functions to the Stream API to allow a protocol
      analyzer to change the reassembly characteristics (direction,
      flush policy) for an individual session.
    * configure.in:
    * doc/Makefile.am:
    * doc/README.dns:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * etc/gen-msg.map:
    * src/build.h:
    * src/debug.h:
    * src/generators.h:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dns/Makefile.am:
    * src/dynamic-preprocessors/dns/sf_preproc_info.h:
    * src/dynamic-preprocessors/dns/spp_dns.c:
    * src/dynamic-preprocessors/dns/spp_dns.h:
      Add a dynamic preprocessor to decode and analyze DNS responses
      over TCP and UDP.  The TCP portion is stateful and requires
      stream is enabled.

2006-08-29 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugins/sp_pattern_match.c:
      Fix unchecked free.  Thanks Krzysztof Burghardt for
      pointing out the problem.
    * src/sfutil/acsmx2.c:
      Fixed off by one to sparse index calculation and off by 2 ps
      increment for SparseBands.

200-08-24 Steven Sturges <ssturges@sourcefire.com>
    * src/fpcreate.c:
    * src/sfutil/mpse.c:
    * src/sfutil/Makefile.am:
      Fix issues with using lowmem.  It was reporting an out of
      memory error.  This was broken with the addition of the
      smaller memory Aho-Corasick pattern matcher.

2006-08-17 Steven Sturges <ssturges@sourcefire.com>
    * doc/README.dcerpc:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * etc/snort.conf:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
      Change config option max_memory to memcap for DCE/RPC.

2006-08-16 Steven Sturges <ssturges@sourcefire.com>
    * src/rules.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pcre.c:
      Resolve issue with rechecking rule options that follow a content or
      PCRE that are relative.  Only recheck if the next option is relative.
      Thanks to Randy Smith for pointing out the issue.
    * configure.in:
      Enable dynamicplugins by default.  Can override
      with --disable-dynamicplugin.
    * snort.8:
    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
    * doc/Makefile.am:
    * doc/README.ssh:
    * doc/README.dcerpc:
    * etc/snort.conf:
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Added SSH and DCE/RPC preprocessor sections and description of
      new command line options.

2006-08-15 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
      Remove obsolete file.
    * src/preprocessors/Stream5/Makefile.am:
      Update to include header files.
    * src/preprocessors/Stream5/stream5_common.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/sfutil/util_math.c:
    * src/sfutil/util_math.h:
      Cleanup Win32 warnings.
    * src/sfutil/mpse.c:
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
      Remove references to MWM and sfksearch.

2006-08-14 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * etc/gen-msg.map:
    * etc/snort.conf:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
    * src/dynamic-preprocessors/Makefile.am:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream5.c:
    * src/preprocessors/spp_stream5.h:
    * src/preprocessors/Stream5/snort_stream5_tcp.c:
    * src/preprocessors/Stream5/snort_stream5_tcp.h:
    * src/preprocessors/Stream5/snort_stream5_udp.c:
    * src/preprocessors/Stream5/snort_stream5_udp.h:
    * src/preprocessors/Stream5/snort_stream5_icmp.c:
    * src/preprocessors/Stream5/snort_stream5_icmp.h:
    * src/preprocessors/Stream5/Makefile.am:
    * src/preprocessors/stream_api.h:
    * src/generators.h:
    * src/plugbase.h:
    * src/Makefile.am:
    * src/plugin_enum.h:
      New target-based Stream module.  Moved flow & flowbits to
      be part of Stream API.
    * src/debug.h:
    * src/generators.h:
    * src/preprocids.h:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/Makefile.am:
    * src/dynamic-preprocessors/dcerpc/dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.c:
    * src/dynamic-preprocessors/dcerpc/dcerpc_util.h:
    * src/dynamic-preprocessors/dcerpc/dcerpc_config.c:
    * src/dynamic-preprocessors/dcerpc/sf_dcerpc.dsp:
    * src/dynamic-preprocessors/dcerpc/sf_preproc_info.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_andx_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_andx_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_file_decode.c:
    * src/dynamic-preprocessors/dcerpc/smb_file_decode.h:
    * src/dynamic-preprocessors/dcerpc/smb_file_structs.h:
    * src/dynamic-preprocessors/dcerpc/smb_structs.h:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/snort_dcerpc.h:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.c:
    * src/dynamic-preprocessors/dcerpc/spp_dcerpc.h:
      New dynamic DCE/RPC protocol normalizer.
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/ssh/sf_ssh.dsp:
    * src/dynamic-preprocessors/ssh/Makefile.am:
    * src/dynamic-preprocessors/ssh/spp_ssh.c:
    * src/dynamic-preprocessors/ssh/spp_ssh.h:
    * src/dynamic-preprocessors/ssh/sf_preproc_info.h:
      New dynamic ssh protocol normalizer.
    * src/detection-plugins/sp_clientserver.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_udp.c:
    * src/preprocessors/snort_stream4_udp.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Stream4 UDP session tracking support.  Reassembly performance
      improvements.  Add ability to block TCP sessions.
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_rc4.c:
      Added RC4 dynamic rule option.
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
    * src/pcrm.c:
    * src/sfutil/Makefile.am:
    * src/sfutil/bnfa_search.c:
    * src/sfutil/bnfa_search.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
      Added smaller memory consumption pattern matcher.
    * src/decode.h:
    * src/fpdetect.c:
    * src/inline.c:
      Improved handling for stateless rules.
    * configure.in:
    * src/parser.c:
    * src/parser.h:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
      Remove use of ifdefs for rule state.
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Add ability to give directory or specific library for dynamic
      engine.
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Add alerts and normalization for telnet subnegotiation begin
      that doesn't have a matching end.  Could result in an evasion
      over the FTP command channel.
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
      Added counter for segments queued for reassembly.
    * src/snort.c:
    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
      Improved handling of different versions of same shared library.
    * src/detect.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/bmh.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/sfutil/acsmx.c:
      Code cleanup, 2.6.1 Beta prep.

2006-08-09 Steven Sturges <ssturges@sourcefire.com>
    * doc/faq.tex:
    * doc/faq.pdf:
      Add information on snort responding to kill signal.

2006-08-02 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_alert_prelude.c:
      Update to provide links to Snort classification reference information.
      Thanks Yoann Vandoorselaere.
    * src/sfutil/ipobj.c:
      Fix parsing of IP lists that are not space seperated.
    * src/configure.in:
      Update for HPUX 11.
    * src/snort.c:
    * src/util.c:
      Fix race condition with daemonization.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Update for shared library extensions on HP & MAC.  Thanks J. Aaron
      Pendergrass for raising the HP issues and testing.

2006-07-25 Andrew Mullican
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fix to HttpInspect to check for non-RFC whitespace (ie, CR) after URI.
    * src/preprocessors/spp_frag3.c:
      Eliminate spurious log messages.

2006-07-20 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
      No longer require HELO (or EHLO) first in an SMTP conversation.
      Some servers (such as ArGoSoft) don't require it.
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
      Handle normalization when Subnegotiation Begin doesn't have a
      matching Subnegotiation End command by normalizing just the
      begin.  Thanks to Pratap Ramamurthy for pointing out the
      potential issue.

2006-07-14 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.h:
    * src/detect.c:
    * src/fpdetect.c:
      Handle pass rule that hits a pipelined URI and an alert
      that matches a secondary pipelined URI.
    * src/preprocessors/spp_frag3.c:
      Fix issue with First policy when dealing with whole overlaps.
      Thanks Russ S for sending in the bug report.
    * src/preprocessors/spp_stream4.c:
      Performance improvement for logging tagged packets.  Thanks Victor
      Julien for pointing out the area for improvement.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix potential access violation.

2006-07-12 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_database.c:
      Update to gracefully disconnect from Oracle DB.  Thanks to
      Nikns Siankin for the patch.
    * src/output-plugins/spo_csv.c:
      Fix issue with parsing config other than default.
    * src/decode.c:
    * src/parser.c:
    * src/snort.h:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Change default inline behaviour to not drop packets with decoder
      errors, invalid IP & TCP options and invalid checksums.  Drop
      behaviour can be enabled by using new options, noted in the
      Snort Manual.

2006-06-30 Steven Sturges <ssturges@sourcefire.com>
    * schemas/Makefile.am:
      Add create_db2 srcipt to be included in distro.
    * src/mstring.c:
      Address potential read overflow.
    * src/sfthreshold.c:
    * src/tag.c:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Includes/NETINET/IN_SYSTM.h:
      Code cleanup.
    * src/snort.c:
    * src/util.c:
      Fix issue with daemonization on MAC OSX and parent not exiting
      cleanly.
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
    * snort.8:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Provide support for locking the PID file so that no additional snort
      process is able to start using the same PID file.  Can be overridden
      with --nolock-pidfile.
    * src/detection-plugins/sp_pattern_match.c:
      Fix issue with replace option and replaced data always being placed
      at the beginning of the packet.
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Fix issue with parsing default server configuration on Win32 platform.
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
      Fix potential read beyond end of buffer and update configuration to
      use less memory.
    * src/preprocessors/spp_stream4.c:
      Fix reassembly issue.
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Handle additional whitespace characters on a per server configured
      basis.  Defaults are to treat Htab (\t, 9), VTab (\v, 11),
      Form Feed (\f, 12), and CR (\r, 13) as whitespace.
    * src/sfutil/ipobj.c:
      Revise IP list parsing code.

2006-05-31 Steven Sturges <ssturges@sourcefire.com>
    * src/inline.c:
      Update to handle signals received when no traffic is flowing
      when snort is compiled with inline ipq.  Thanks Victor Julien
      for the patch.
    * configure.in:
      Fix issue with using postgresql and dynamic plugins.
      Thanks Nikns Siankin for pointing out the issue.
    * src/sfutil/ipobj.c:
      Fix problem when parsing multiple hosts in an IP list.

2006-05-24 Steven Sturges <ssturges@sourcefire.com>
    * etc/gen-msg.map:
    * src/generators.h:
    * src/preprocessors/spp_stream4.c:
      Fix potential evasion in Stream4.  Thanks Brandon Franklin for the
      find.
    * src/snort.c:
    * src/parser.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/preprocessors/HttpInspect/utils/hi_util_hbm.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/sfutil/acsmx2.c:
    * src/sfthreshold.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/server_stats.h:
      Further code review cleanup.  Cleanup possible null pointer
      dereferences, memory leaks, etc.
    * src/preprocessors/HttpInspect/client/hi_client.c:
      Fix to HttpInspect to check for non-RFC whitespace (ie, CR) after URI.
      Thanks to Blake Hartstein for mentioning the problem.

2006-05-17 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugins/sp_rpc_check.c:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/bmh.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/utils/hi_util_hbm.c:
    * src/sfutil/acsmx.c:
    * src/sfutil/event_wrapper.c:
    * src/sfutil/mwm.c:
    * src/sfutil/sfthd.c:
      Further code review cleanup.  Cleanup possible null pointer
      dereferences, memory leaks, etc.
    * src/decode.h:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
      Move SPARC_TWIDDLE to common place.

2006-05-12 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * doc/README.sfportscan:
      Proofreading updates.
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
      Correctly close performance stats file on HUP and exit.
    * src/snort.c:
    * src/snort.h:
    * configure.in:
      Signal handler updates for SEGV and HUP.  Define CATCHSEGV in
      snort.c to trap segv signals.  Can also define NOCOREFILE to
      prevent snort from leaving a core file on receipt of a segv.
    * src/parser.c:
      Fix variable definition parsing code to handle user supplied
      value if variable isn't defined.  Thanks to Jeremey Hewlett for
      pointing out the problem.
    * src/snort.c:
    * src/detection-plugins/sp_session.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/sfutil/mwm.c:
      Further code review cleanup.  Cleanup possible null pointer
      dereferences, memory leaks, etc.

2006-05-01 Steven Sturges <ssturges@sourcefire.com>
    * rpm/snort.spec:
    * etc/snort.conf:
      Include a default path for the dynamicpreprocessors and engine.
    * src/detect.c:
    * src/parser.c:
    * src/pcrm.c:
    * src/sfthreshold.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_iis_unicode_map.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/sfutil/ipobj.c:
    * src/sfutil/mpse.c:
    * src/sfutil/sfghash.c:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfxhash.c:
      Code review cleanup.  Cleanup possible null pointer dereferences,
      memory leaks, etc.  Thanks to Adam Keeton (and welcome to the project)!

2006-04-27 Steven Sturges <ssturges@sourcefire.com>
    * RELEASE.NOTES:
      Add information about memory consumption with pattern matching
      engines.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update to list all options for pattern matching and note that
      Wu-Manber is going to be deprecated.
    * src/util.c:
      Update output info to account for packets buffered by pcap but
      not yet received by snort.  Corrected protocol breakdown.
    * src/output-plugins/spo_database.c:
      Update to correctly strip timestamp precision for MySQL.
      Thanks Axton Grams for the patch and Nikns Siankin and
      Vlatko Kosturjak for testing.
      Update to handle when interface isn't specified in config or
      commandline (finial initialization done post PCAP initialization).
      Thanks Jonathan Miner for pointing out the problem.
    * schemas/create_db2:
      Updated to include gid in schema and version 107 to
      match the other schemas.  Thanks Vlatko Kosturjak for the
      update.
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
      Fix compilation problems with Sun CC and others that support C99
      standard.  Thanks Chris Kern for noticing the problem.
    * src/preprocessors/spp_stream4.c:
    * src/sfutil/acsmx2.h:
      Fix compilation problems with Sun CC compiler.

2006-04-11 Steven Sturges <ssturges@sourcefire.com>
    * src/fpdetect.c:
    * src/profiler.h:
    * src/rules.h:
    * src/detection-plugins/sp_flowbits.c:
      Update rule performance profiling to handle flowbits:noalert
      option correctly (it is a match even though there wasn't an
      alert).
    * src/output-plugins/spo_database.c:
      Updates to be ANSI SQL compiliant.  Thanks Vlatko Kosturjak
      for the updates.
    * src/preprocessors/spp_stream4.c:
      Fix incorrectly ignored Reset packets with overlapped/retransmitted
      data.
    * src/inline.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
      Allow retransmitted packets through in inline mode if they have not
      been ACK'd by other side.

2006-03-29 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
      Do not check beyond 4 characters for an FTP command.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Free SMTP session memory.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Updates to previous checks for duplicate alerts.  Better
      performance.  Fix cleanup when stream is flushed.

2006-03-24 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
      Update to fix signal handling issue with libprelude and to
      disable segv signal handler when compiled for Debug mode.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Display warnings with configurations that are required
      for other detection capabilities (ie, normalization is
      required for ayt threshold and encryption detection).
    * src/dynamic-preprocessors/smtp/smtp_config.c:
      Clear default ports if ports are specified.
      Correctly handle specifying valid commands as invalid.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
      Fix alerts possibly giving incorrect information.
      Move debug code inside DEBUG ifdef; fix possible SEGV in
      debug code. Disable detection for to-be-rebuilt packets.
    * src/preprocessors/spp_frag3.c:
      Correctly calculate the number of preallocated frags when
      preallocating based on a memory limit.
    * configure.in:
    * src/snort.c:
      Remove pcap_setnonblock() call.  Was causing performance
      problems on certain OSs.  Reverts change made with previous
      checkins.
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
    * src/fpdetect.c:
      Fix potential issue for duplicate alerts on the same data in
      the original packet and the Stream reassembled packet.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Proofreading...

2006-03-15 Steven Sturges <ssturges@sourcefire.com>
    * schemas/create_mssql:
    * schemas/create_mysql:
    * schemas/create_oracle.sql:
    * schemas/create_postgresql:
      Updated to include gid in schemas.  Schema version 107. 
      Thanks Nikns Siankin for the updates and all the testing.
    * src/profiler.h:
      Add support for AMD processor.  Thanks Alex Kirk for trying this out.
    * configure.in:
    * src/snort.c:
      Use pcap_setnonblock() if available to help with snort exiting
      on SIGTERM (and others) when no traffic is flowing.
    * src/decode.c:
      Fix pflog decoding for OpenBSD platforms.
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * doc/INSTALL:
      Updates for FreeBSD 6.x compilation.  Thanks Richard Bejtlich for
      testing.
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Fixed a few typos and added a warning about the to be deprecated
      telnet decode preprocessor.

2006-03-07 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
      Fixed potential segfault condition in stateless mode.
    * src/preprocessors/spp_frag3.c:
      Added Fatal error messages for unknown config options.
    * src/snort.c:
    * src/preprocessors/spp_perfmonitor.c:
      Code cleanup

2006-03-02 Steven Sturges <ssturges@sourcefire.com>
    * configure.in:
    * src/output-plugins/spo_alert_prelude.c:
      Additional fixes from Yoann Vandoorselaere.  Require libprelude
      version 0.9.6.
    * src/preprocessors/spp_perfmonitor.c:
      Initialize the pcap counters the first time we get a packet.
    * src/fpdetect.c:
      Fix leaking of classification info between rules and
      preprocessor/decoder alerts.

2006-02-28 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-preprocessors/Makefile.am:
      Install required header files when --enable-dynamicplugin used
      with configure.
    * src/preprocessors/spp_stream4.c:
      If ignoring a packet because it is a duplicate (retransmitted),
      drop it if in inline mode.  Original packet was either dropped
      or passed through.

2006-02-27 Steven Sturges <ssturges@sourcefire.com>
    * src/detection-plugion/sp_flowbits.c:
      Update parsing to handle spaces and correct keyword checking.

2006-02-23 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
    * src/snort.h:
    * src/fpdetect.c:
    * src/parser.c:
    * src/event_queue.h:
    * doc/README:
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
    * snort.8:
      Changed command line options --flush-all-events to --process-all-events
      and --alert-on-drop to --treat-drop-as-alert.  Updated docs/manpage.
    * src/output-plugins/spo_unified.c:
      Fix unified log file rollover to correctly write magic numbers.
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
      Update some comments relative to endianness.
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
      Fix issues with SMTP preprocessor causing rules to not fire.
      Thanks Andy Mullican for the fix.

2006-02-22 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
    * doc/README.frag3:
      Added option to preallocate frags based on a memcap (combination
      of memcap and prealloc_frags options).  Perform preallocation
      post-pcap open because of memory issues with certain versions
      of pcap.

2006-02-21 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_alert_prelude.c:
      packet_to_data()
      Standardize AdditionalData fields name. Support more packet fields,
      remove unused one. Send rule revision and TCP/IP options code/value
      as AdditionalData.  Thanks Yoann Vandoorselaere for the updates.
      event_to_reference()
      Double check that system->url is not NULL.
      Support ICMP headers, patch from Andrea Barisani.
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
      Updates to signal handlers to better deal with reentrant
      issues in syslog and libc.
    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Print warning if dynamic library directory doesnt exist or is empty.
      Thanks Andy Mullican for the fix.

2006-02-20 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/sfeventq.c:
      Fix issue when more than max events are added to event queue.
    * src/parser.c:
    * src/plugbase.c:
    * src/plugbase.h:
    * src/snort.c:
    * src/output-plugins/spo_unified.c:
    * src/output-plugins/spo_log_tcpdump.c:
      Fix issue with output plugins that depend on datalink and
      snaplen (which are set in OpenPcap).  Caused by reordering
      of initialization on 2006-01-26.  Thanks Matt Bedynek and
      Jeremy Hewlett for the find.

2006-02-17 Steven Sturges <ssturges@sourcefire.com>
    * doc/INSTALL:
      Updated to include current options and added a
      section for compilation on MAC OSX.
    * src/signature.c:
      Strip whitespaces from reference system and id. This fixes a
      reference lookup problem resulting in an invalid URL in case
      the reference begins with a space character (example:
      reference: x,y; would fail).  Thanks Yoann Vandoorselaere
      for the patch.

2006-02-16 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
      Fix ip options handling.  Thanks to Vyacheslav Burdjanadze for
      finding the issue.
    * src/dynamicpreprocessors/ftptelnet/snort_ftptelnet.c:
      Fix processing of configuration without options.
    * src/snort.c:
      Fix OpenPcap merge issue.

2006-02-15 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Update perfmonitor section.  Thanks to Passreality for
      pointing out the omissions.
    * src/preprocessors/spp_stream4.c:
      Only increment memory counter once per allocation.

2006-02-14 Steven Sturges <ssturges@sourcefire.com>
    * doc/snort_manual.tex:
    * doc/snort_manual.pdf:
      Updates to manual for 2.6.0
    * src/win32/WIN32-Prj/snort.dsp:
      Added missing files.

2006-02-13 Steven Sturges <ssturges@sourcefire.com>
    * src/parser.c:
      Handle longer lines for config
    * src/sfutil/acsmx2.c:
      Change visual name of Aho-Corasick sparse bands.
    * src/preprocessors/spp_frag3.c:
      When a timeout occurs on a Fragmented session, purge the existing
      fragments and treat it as a new session.  Allows for proper
      defragmentation, per OS target configuration.

2006-02-09 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Fix -M flag to log Fatal and regular Error messages to syslog as
      well.  Thanks Andy Mullican.
    * snort.8:
    * doc/README:
    * src/snort.c:
      Add info on additional commandline switches.
    * src/preprocessors/spp_stream4.c:
      Fix compilation issue on some platforms.

2006-02-08 Steven Sturges <ssturges@sourcefire.com>
    * src/parser.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
      Allow default configuration without options

2006-02-06 Steven Sturges <ssturges@sourcefire.com>
    * etc/snort.conf:
    * src/dynamic-examples/dynamic-preprocessor/Makefile.am:
    * src/dynamic-examples/dynamic-rule/Makefile.am:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
      Add info to snort.conf on how to load dynamic libraries
      and update Makefiles to use path similar t othat of
      snort.conf.
    * src/parser.c:
      Fixed error message when dynamic<xxx> token is used.

2006-02-03 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-examples/dynamic-preprocessor/Makefile.am:
    * src/dynamic-examples/dynamic-rule/Makefile.am:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
      Fix installation directories
    * src/preprocessors/Makefile.am:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_api.c:
      Fixes for MacOS X compilation.

2006-02-02 Steven Sturges <ssturges@sourcefire.com>
    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/fpdetect.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/sfutil/sfeventq.c:
      Changed rule ordering to better handle drop and pass rules
      when other alerts trigger on the same packet.  Thanks Marc
      Norton for the changes.
    * src/profiler.c:
    * src/profiler.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
      Win32 fixes.
    * src/snort.c:
      Fix SigHup processing.
    * src/util.c:
      Code Cleanup.
    * src/detection-plugins/sp_pattern_match.c:
      Return non-zero when search goes out-of-bounds.
    * src/preprocessors/snort_httpinspect.c:
      Fix from Chris Sherwin for pipelined requests.
    * src/preprocessors/spp_frag3.c:
      Change noisy LogMessage to Debug.

2006-01-30 Steven Sturges <ssturges@sourcefire.com>
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
      Include config.h if required.
    * configure.in:
    * src/Makefile.am:
    * src/dynamic-examples/.cvsignore:
    * src/dynamic-examples/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/.cvsignore:
    * src/dynamic-examples/dynamic-preprocessor/Makefile.am:
    * src/dynamic-examples/dynamic-preprocessor/sf_preproc_info.h:
    * src/dynamic-examples/dynamic-preprocessor/spp_example.c:
    * src/dynamic-examples/dynamic-rule/.cvsignore:
    * src/dynamic-examples/dynamic-rule/Makefile.am:
    * src/dynamic-examples/dynamic-rule/detection_lib_meta.h:
    * src/dynamic-examples/dynamic-rule/rules.c:
    * src/dynamic-examples/dynamic-rule/sid109.c:
    * src/dynamic-examples/dynamic-rule/sid637.c:
      Added examples for manual of dynamic preprocessor and dynamic rule
      library.
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
      More fixes to cleanup.

2006-01-26 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Fixed a few retranmission alerts that are not toggled
      off by diasble_evasion_alerts config.
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
      Addressed some startup issues when running daemon mode.
      Configuration is validated prior to daemonizing, therefore
      if config errors exist, snort will exit, returning error to
      initialization script/process.  Parent process doesn't exit
      until config file is read and a child is forked and has
      created its pid file.  Thanks to Marc Norton and Chris Sherwin
      for their work on this.
      Fixed issue with opening pcap prior to reading it from a
      config file.  Thanks Martin Olsson for noting this.
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
      Fixed builds on FreeBSD.

2006-01-24 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/Makefile.am:
      Win32 Updates.
    * doc/Makefile.am:
      Added files.
    * src/win32/WIN32-Prj/snort.dsp:
      Removed deprecated src files.
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Added dynamic modules, updated version number.

2006-01-23 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_flow.c:
      Fixed error message when parsing flow configuration.
    * src/snort.c:
    * src/snort.h:
      Fixed issue with creating PID files.
    * src/util.c:
      Fixed issue with DropStats and unopened pcap.
    * src/Makefile.am:
    * src/dynamic-plugins/Makefile.am:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/sfutil/Makefile.am:
      Updates to handle make dist and make distcheck.
      Win32 Updates.

2006-01-20 Steven Sturges <ssturges@sourcefire.com>
    * schemas/create_mysql:
    * src/output-plugins/spo_database.c:
      Updated to write GID when logging events.  Thanks to Graham Keeling
      for the patch and Kevin Johnson for helping test.
    * src/snort.c:
    * doc/README:
    * snort.8:
      Added info on new command line options.
    * src/snort.c:
      Updated CreatePidFile to use interface name if available when in
      inline mode (and using a bridging interface).

2006-01-19 Steven Sturges <ssturges@sourcefire.com>
    * src/util.c:
      Updated Timestats to print packet stats per hour and breakdown
      per protocol.  Thanks Bill Parker for the update.  To use this
      feature, use --enable-timestats.
    * src/sfutil/sfthd.c:
      Fix parameter ordering in test routine.  Thanks Yin Zhaohui for the find.
    * src/detect.c:
      Fixed DEBUG_WRAP statement.  Thanks Yin Zhaohui for pointing this out.

2006-01-19 Steven Sturges <ssturges@sourcefire.com>
    * autojunk.sh:
    * configure.in:
      Added use of libtool to build dynamically loadable modules,
      --enable-dynamicplugin. 
      Added performance profiling, --enable-perfprofiling.
      Added separation of rules being enabled from them appearing in
      snort.conf, --enable-rulestate. 
      Added pthread linkage, --enable-pthread.
    * src/win32/WIN32-Prj/snort.dsp:
    * src/win32/WIN32-Prj/snort.dsw:
    * src/win32/WIN32-Prj/build_all.dsp:
      Added dynamically loadable modules and updated workspace for
      other project files (new preprocessors, DLLs, and utility project
      to build everything).
    * RELEASE.NOTES:
    * doc/Makefile.am:
    * doc/README:
      Updated for new files and 2.6.0 release preparation.
    * doc/README.PerfProfiling:
    * src/profiler.c:
    * src/profiler.h:
      Added performance profiling metrics.  Can measure both rules
      and preprocessor performance.  Enable via --enable-perfprofiling.
      See profiler.h for MACROs to use and various preprocessors for
      examples.
    * doc/README.SMTP:
    * src/dynamic-preprocessors/smtp/.cvsignore:
    * src/dynamic-preprocessors/smtp/Makefile.am:
    * src/dynamic-preprocessors/smtp/sf_preproc_info.h:
    * src/dynamic-preprocessors/smtp/sf_smtp.dsp:
    * src/dynamic-preprocessors/smtp/smtp_config.c:
    * src/dynamic-preprocessors/smtp/smtp_config.h:
    * src/dynamic-preprocessors/smtp/smtp_log.c:
    * src/dynamic-preprocessors/smtp/smtp_log.h:
    * src/dynamic-preprocessors/smtp/smtp_normalize.c:
    * src/dynamic-preprocessors/smtp/smtp_normalize.h:
    * src/dynamic-preprocessors/smtp/smtp_util.c:
    * src/dynamic-preprocessors/smtp/smtp_util.h:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.c:
    * src/dynamic-preprocessors/smtp/smtp_xlink2state.h:
    * src/dynamic-preprocessors/smtp/snort_smtp.c:
    * src/dynamic-preprocessors/smtp/snort_smtp.h:
    * src/dynamic-preprocessors/smtp/spp_smtp.c:
    * src/dynamic-preprocessors/smtp/spp_smtp.h:
    * src/preprocessors/spp_xlink2state.c (removed):
    * src/preprocessors/spp_xlink2state.h (removed):
    * src/preprocessors/xlink2state.c (removed):
    * src/preprocessors/xlink2state.h (removed):
      Added dynamically loadable SMTP preprocessor.  Thanks Andy Mullican
      for the work and research.  Renders xlink2state mini preprocessor
      defunct.
    * doc/README.ftptelnet:
    * src/dynamic-preprocessors/ftptelnet/.cvsignore:
    * src/dynamic-preprocessors/ftptelnet/Makefile.am:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_bounce_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_client.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftp_cmd_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftp_server.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_events.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_eo_log.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_include.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_return_codes.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_si.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_client_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_config.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.c:
    * src/dynamic-preprocessors/ftptelnet/ftpp_ui_server_lookup.h:
    * src/dynamic-preprocessors/ftptelnet/ftpp_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_kmap.h:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.c:
    * src/dynamic-preprocessors/ftptelnet/hi_util_xmalloc.h:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.c:
    * src/dynamic-preprocessors/ftptelnet/pp_ftp.h:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.c:
    * src/dynamic-preprocessors/ftptelnet/pp_telnet.h:
    * src/dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp:
    * src/dynamic-preprocessors/ftptelnet/sf_preproc_info.h:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.h:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.c:
    * src/dynamic-preprocessors/ftptelnet/spp_ftptelnet.h:
    * src/preprocessors/spp_telnet_negotiation.c:
      Added dynamically loadable FTP/Telnet preprocessor.  Thanks
      Steven Sturges for the work and research.  Replaces telnet
      decoder.
    * doc/README.sfportscan:
    * src/preprocessors/spp_sfportscan.c:
      Updated for preprocessor protocol ordering.
      Added performance measurements.
      Added ACK scan detection and false positive prevention with
      sessions picked up midstream and dropped packets.
    * etc/gen-msg.map:
    * etc/generators:
    * src/generators.h:
      Added generator IDs for new preprocessors.
    * etc/snort.conf:
      Added examples for new preprocessors
    * src/Makefile.am:
      Added performance metric modules, new subdirs.
    * src/build.h:
      Seperated build version from snort.h.
    * src/debug.h:
      Added new preprocessors.
    * src/decode.c:
    * src/detect.c:
      Performance measurments of packet decoder, detection, rule evaluation
      and preprocessors.
    * src/decode.h:
    * src/detect.h
      Change to use dynamicly sized preprocessor array since more than 32
      preprocessors may be loaded.
    * src/inline.c:
    * src/inline.h:
      Updated to always set drop flag for packets that are dropped
      for logging purposes.
    * src/plugbase.c:
    * src/plugbase.h:
    * src/plugin_enum.h:
    * src/preprocids.h:
      Support for new preprocessors, added checks to verify preprocessor
      configuration.  Removed deprecated preprocessors.  Added cleanup
      and shutdown functionality for preprocessors.  Move preprocessor
      bitmasks from plugbase.h into preprocids.h.  Added protocol stack
      based ordering of preprocessors, so that IP-layer preprocessors are
      run before TCP/UDP layer ones.
    * src/snort.c:
    * src/snort.h:
      Added longname option support.  Added dynamic module commandline
      options, see README for details.  Updated signal handling and
      exit/restart code.  Switched to using pcap_dispatch from pcap_loop
      for better control of packet processing.  Added performance measurements.
      Fixed -T flag and commandline help functionality.  Added -M flag
      to write messages/warnings to syslog (doesn't write alert data there)
      when not in daemon mode.
    * src/tag.c:
      Put limit on tagging to alleviate overloaded databases that result
      in every packet being tagged on high bandwidth sensors.  Prevents
      database DoS with tagging rules.
    * src/util.c:
    * src/util.h:
      Fixed issue with reentrant signal handlers.  At exit because of signal,
      snort now logs to snort_exit file instead of syslog.  Updated pid
      file creation when in Inline mode.
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/sp_asn1.c
    * src/detection-plugins/sp_asn1_detect.c:
    * src/detection-plugins/sp_asn1_detect.h:
    * src/detection-plugins/sp_urilen_check.c:
    * src/detection-plugins/sp_urilen_check.h:
      Modularized ASN1 detection code.
      Added URI Length check rule keyword.  Thanks to Chris Sherwin
      for the new functionality.
    * src/dynamic-plugins/.cvsignore:
    * src/dynamic-plugins/Makefile.am:
    * src/dynamic-plugins/sf_dynamic_common.h:
    * src/dynamic-plugins/sf_dynamic_detection.h:
    * src/dynamic-plugins/sf_dynamic_engine.h:
    * src/dynamic-plugins/sf_dynamic_meta.h:
    * src/dynamic-plugins/sf_dynamic_plugins.c:
    * src/dynamic-plugins/sf_dynamic_preprocessor.h:
    * src/dynamic-plugins/sp_dynamic.c:
    * src/dynamic-plugins/sp_dynamic.h:
    * src/dynamic-plugins/sp_preprocopt.c:
    * src/dynamic-plugins/sp_preprocopt.h:
    * src/dynamic-plugins/sf_engine/.cvsignore:
    * src/dynamic-plugins/sf_engine/Makefile.am:
    * src/dynamic-plugins/sf_engine/bmh.c:
    * src/dynamic-plugins/sf_engine/bmh.h:
    * src/dynamic-plugins/sf_engine/sf_snort_detection_engine.c:
    * src/dynamic-plugins/sf_engine/sf_snort_packet.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_byte.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_content.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_loop.c:
    * src/dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
    * src/win32/WIN32-Prj/sf_engine.dsp:
    * src/rules.h:
      Added dynamically loadable rule detection capability. 
      Can write compiled rules that are "blackboxed", yet still loaded
      at runtime.  Thanks Andy Mullican, Steven Sturges and Marc Norton.
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/fpdetect.c:
      Performance measurments, added support for dynamic rule detection,
      and fix issue with non-content rules not being evaluated.
    * src/parser.c:
    * src/parser.h:
      Added dynamic rule and preprocessor parsing, rule state parsing,
      performance profiling parsing.
    * src/signature.c:
    * src/signature.h:
      Added 'gid' and 'metadata' fields to rules.
    * src/detection-plugins/sp_pcre.c:
      Provide ability to turn off PCRE checks via config nopcre.
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
    * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.h:
    * src/dynamic-preprocessors/.cvsignore:
    * src/dynamic-preprocessors/Makefile.am:
    * src/dynamic-preprocessors/dynamic_preprocessors.dsp:
    * src/dynamic-preprocessors/initialize_headers.sh:
    * src/dynamic-preprocessors/sf_dynamic_initialize/.cvsignore:
    * src/dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp:
      Added dynamically loadable preprocessor support.  Simplifies
      development of preprocessors for quicker release of new preprocessor
      code.  Thanks Andy Mullican, Steven Sturges and Marc Norton.
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.c:
      Added metric for inline blocked packets.
    * src/preprocessors/perf-flow.c:
    * src/preprocessors/perf-flow.h:
      Added better performance tracking for flow data for ports under 1024
      and those above.
    * src/preprocessors/portscan.c:
      Added code to ignore certain ports.  Added performance measurements.
    * src/preprocessors/snort_httpinspect.c:
      Updated for stream API.  Added performance measurements.
    * src/preprocessors/spp_frag2.c:
      Updated for preprocessor protocol ordering.
      To be deprecated in next release.  Added performance measurements.
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_sfportscan.c:
      Updated for preprocessor protocol ordering.
      Added performance measurements.
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_portscan.c (removed):
    * src/preprocessors/spp_portscan.h (removed):
    * src/preprocessors/spp_portscan2.c (removed):
    * src/preprocessors/spp_portscan2.h (removed):
    * src/preprocessors/spp_conversation.c (removed):
    * src/preprocessors/spp_conversation.h (removed):
      Deprecated old portscan preprocessors.
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
      Modularized this code for use by the dynamic SMTP preprocessor.
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/event_wrapper.c:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/stream.h:
    * src/preprocessors/stream_api.h:
    * src/preprocessors/stream_ignore.c:
    * src/preprocessors/stream_ignore.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream4.h:
      Added api for Stream4 to help with development of next generation
      Stream processing.  Flowbits are now stored as part of the Stream.
      Updated output plugins to use Stream api for logging reassembled
      packets.  Added performance measurements.
    * src/sfutil/Makefile.am:
    * src/sfutil/getopt.h:
    * src/sfutil/getopt1.h:
    * src/sfutil/getopt_long.c:
      Added longname commandline option support.
    * src/sfutil/ipobj.c:
    * src/sfutil/ipobj.h:
      Updated IP Set to include port sets.
    * src/sfutil/mpse.c:
      Added performance measurements.
    * src/snort_packet_header.h:
    * src/win32/WIN32-Includes/libnet/gnuc.h:
    * src/debug.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/sfutil/bitop.h:
    * src/sfutil/bitop_funcs.h:
    * src/sfutil/mwm.h:
    * src/sfutil/sfghash.h:
    * src/sfutil/sfksearch.c:
    * src/sfutil/sfksearch.h:
    * src/.cvsignore:
      Misc code cleanup.

2006-01-09 Steven Sturges <ssturges@sourcefire.com>
    * src/sfutil/mwm.c:
      Fixed bug with multiple recurring patterns in Wu-Manbher implementation.
      Thanks to Evan Stawnyczy for pointing it out and Marc Norton for the
      fix.
    * src/parser/IpAddrSet.c:
      Fixed problem with parsing conf file and rules when DNS is not working.
      Thanks Martin Olsson for mentioning this and testing the fix.
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf-base.c:
      Handle wrapping on 64-bit platforms

2005-11-17 Andrew Mullican <amullican@sourcefire.com>
    * src/sfutil/sfxhash.c:
    * src/preprocessors/portscan.c:
      Add tracker without using bogus data, to avoid internal buffer overrun.
      Thanks Sandro Poppi for the find.

2005-11-11 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
      Allow value of 0 to be used with -G flag
    * src/preprocessors/spp_bo.c:
      Code Cleanup
    * src/preprocessors/spp_frag3.c:
      Fix memory leak and mishandling of IP Options.  Thanks Yin
      Zhaohui for the find.

2005-10-16 Steven Sturges <ssturges@sourcefire.com>
    * etc/gen-msg.map:
    * etc/snort.conf:
    * src/generators.h:
    * src/preprocessors/spp_bo.c:
      Fixed potential buffer overflow in BackOrifice preprocessor and
      added an alert on attempt to overflow buffer in snort.  Thanks
      Andy Mullican for the fix.

2005-10-11 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Prj/snort_installer.nsi:
      Updated to mention WinPCAP 3.1 with correct website.  Thanks
      Gianluca Varenni for mentioning the discrepancy.

2005-10-04 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Libraries/libnet/LibnetNT.lib:
    * src/win32/WIN32-Prj/LibnetNT.dll:
      Rebuilt and updated LibnetNT linked with WinPCAP 3.1.

2005-09-23 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_log_database.c:
    * schemas/create_mysql:
      Fixes to address schema being a keyword in MySQL 5.0.  Thanks Wes Young,
      Adolfo Gomez, and Aleem Mawji for the updates.

2005-09-19 mfr <roesch@sourcefire.com>
    * src/output-plugins/spo_log_tcpdump.c:
      don't try to actually open the log file when in test mode

2005-09-19 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Includes/NETINET/IP.H:
    * src/win32/WIN32-Includes/NETINET/IP_VAR.H:
    * src/win32/WIN32-Includes/libnet/LibnetNT.h:
      Always use winsock2.h

2005-09-16 mfr <roesch@sourcefire.com>
    * src/snort.c:
      New command line switch, -K, to explicitly set logging mode.  Available
      arguments are "none", "pcap" and "ascii".
      Pcap mode is now the default logging mode of Snort.
      CheckLogDir() is no longer called in IDS mode until after reading in
      the snort.conf file to prevent unncessary exiting due to logdir being
      specified in snort.conf and inadvertantly checking for the existence
      of /var/log/snort.
    * src/util.c:
      Included CheckLogDir() call in CreatePidFile() on the off chance
      we have to fall back to using pv.log_dir which can happen due to
      the IDS mode logdir check being removed in src/snort.c
    * src/decode.c:
      Added check for bad length of TCP SACK option.
    * snort.8:
      Updated for -K command line switch
    * doc/README:
      Updated for new command line options and default logging mode.

2005-09-16 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
      Additional fixes to better handle various targets and extensions to
      the Shankar/Paxson model.  Thanks Judy Novak for all of the OS
      testing & pcap work.

2005-09-14 Andrew Mullican <amullican@sourcefire.com>
    * etc/gen-msg.map
    * src/generators.h
    * src/preprocessors/spp_rpc_decode.c:
      Added new alert on zero-length RPC fragment.

2005-09-14 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Includes/pcap-namedb.h (removed):
    * src/win32/WIN32-Includes/pcap.h (removed):
    * src/win32/WIN32-Includes/WinPCAP/Devioctl.h:
    * src/win32/WIN32-Includes/WinPCAP/Gnuc.h:
    * src/win32/WIN32-Includes/WinPCAP/Ntddndis.h:
    * src/win32/WIN32-Includes/WinPCAP/Ntddpack.h:
    * src/win32/WIN32-Includes/WinPCAP/Packet32.h:
    * src/win32/WIN32-Includes/WinPCAP/Win32-Extensions.h:
    * src/win32/WIN32-Includes/WinPCAP/bittypes.h:
    * src/win32/WIN32-Includes/WinPCAP/bucket_lookup.h:
    * src/win32/WIN32-Includes/WinPCAP/count_packets.h:
    * src/win32/WIN32-Includes/WinPCAP/ip6_misc.h:
    * src/win32/WIN32-Includes/WinPCAP/memory_t.h:
    * src/win32/WIN32-Includes/WinPCAP/normal_lookup.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-bpf.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-int.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap-stdinc.h:
    * src/win32/WIN32-Includes/WinPCAP/pcap.h:
    * src/win32/WIN32-Includes/WinPCAP/pthread.h:
    * src/win32/WIN32-Includes/WinPCAP/remote-ext.h:
    * src/win32/WIN32-Includes/WinPCAP/sched.h:
    * src/win32/WIN32-Includes/WinPCAP/semaphore.h:
    * src/win32/WIN32-Includes/WinPCAP/tcp_session.h:
    * src/win32/WIN32-Includes/WinPCAP/time_calls.h:
    * src/win32/WIN32-Includes/WinPCAP/tme.h:
    * src/win32/WIN32-Includes/mysql/Libmysql.def (removed):
    * src/win32/WIN32-Includes/mysql/config-netware.h:
    * src/win32/WIN32-Includes/mysql/config-os2.h:
    * src/win32/WIN32-Includes/mysql/config-win.h:
    * src/win32/WIN32-Includes/mysql/dbug.h (removed):
    * src/win32/WIN32-Includes/mysql/errmsg.h:
    * src/win32/WIN32-Includes/mysql/libmysql.def:
    * src/win32/WIN32-Includes/mysql/libmysqld.def:
    * src/win32/WIN32-Includes/mysql/m_ctype.h:
    * src/win32/WIN32-Includes/mysql/m_string.h:
    * src/win32/WIN32-Includes/mysql/my_alloc.h:
    * src/win32/WIN32-Includes/mysql/my_dbug.h:
    * src/win32/WIN32-Includes/mysql/my_getopt.h:
    * src/win32/WIN32-Includes/mysql/my_global.h:
    * src/win32/WIN32-Includes/mysql/my_list.h:
    * src/win32/WIN32-Includes/mysql/my_pthread.h:
    * src/win32/WIN32-Includes/mysql/my_sys.h:
    * src/win32/WIN32-Includes/mysql/mysql.h:
    * src/win32/WIN32-Includes/mysql/mysql_com.h:
    * src/win32/WIN32-Includes/mysql/mysql_embed.h:
    * src/win32/WIN32-Includes/mysql/mysql_time.h:
    * src/win32/WIN32-Includes/mysql/mysql_version.h:
    * src/win32/WIN32-Includes/mysql/mysqld_error.h:
    * src/win32/WIN32-Includes/mysql/raid.h:
    * src/win32/WIN32-Includes/mysql/typelib.h:
    * src/win32/WIN32-Libraries/Packet.lib:
    * src/win32/WIN32-Libraries/wpcap.lib:
    * src/win32/WIN32-Libraries/mysql/mysqlclient.lib:
    * src/win32/WIN32-Prj/snort.dsp:
      Updated to use WinPCAP 3.1 and MySql client 4.13.  Preparation for
      Snort 2.4.1 release on Win32.

2005-09-14 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
      Mark -z option as to be deprecated.

    * src/preprocessors/spp_frag3.c:
      Fix issue with Teardrop alerts introduced with last update.

2005-09-01 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/decode.h:
      Fix snort decoder to correctly handle PPP over Ethernet decoding.
      Thanks Aristeu Gil Alves Jr for the pcap.

    * src/snort.c:
    * src/util.c:
    * configure.in:
      Added patch for time stats from Bill Parker.  Enable with
      configure --enable-timestats.

    * src/snort.c:
      Do not allow -T (test mode) & -D (daemonize) together.

    * src/preprocessors/spp_frag3.c:
      Fix issue with Teardrop alerts.

    * src/preprocessors/spp_portscan.c:
    * src/preprocessors/spp_portscan2.c:
      Add deprecation warning.  These will be deprecated in the next
      snort build.

2005-08-31 Steven Sturges <ssturges@sourcefire.com>
    * src/snort.c:
    * src/decode.c:
    * src/decode.h:
      Added decoder for IPEnc for Open BSD.  Thanks Jason Ish for the
      patch (long time ago) and Chris Kuethe for reraising the issue.

    * src/snort.c:
      Allow snort to use usernames (-u) and groupnames (-g) that include
      numbers.  Thanks to Shaick for the patch.

2005-08-29 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_sfportscan.c:
    * etc/snort.conf:
    * doc/README.sfportscan:
      Change ip_proto to ip for portscan configuration.  Thanks David Bianco
      for pointing this out and Andy Mullican for the updates.

    * src/snort.c:
      Fix broken -T option.  Thanks Andy Mullican for the fix.

    * src/output-plugins/spo_alert_prelude.c:
      Fix for prelude initialization.  Thanks Yoann Vandoorselaere for the
      update.

    * src/preprocessors/spp_frag3.c:
    * doc/README.frag3:
      Update to address Solaris reassembly issues.  Update README to
      include info about new target-based policy.

2005-08-23 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_frag3.c:
      Resolve some issues with handling of overlap conditions, multiple
      fragments with MoreFrags bit not set and added target based policies
      for windows and solaris (since they are actually different in
      certain cases).

    * src/preprocessors/stream.h:
      Added data structure padding to fix issues with 64bit Solaris.

    * src/log.c:
      Fix problem in sniffer mode when incomplete TCP option data is received.
      Thanks A Hernandez for the find.

    * src/decode.c:
      Set the source & dest ports used for logging before doing checksum
      verification.  If invalid checksum, ports will be logged (even though
      they may be invalid).
      Wrapped alerts for same src/dst and loopback in mode==IDS & decoder
      alert checks.

    * src/plugbase.h:
      Use hex values for preprocessor bitmask constants instead of the
      decimal equivalent.

    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_byte_check.c:
      Allow for signed offset values to handle negative offset in
      rules.  Fixes potential issue on 64-bit architectures.

    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
      For content matches, when subsequent rule options fail, start searching
      again in correct location instead of again at end of the currently
      found pattern.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/spp_xlink2state.c:
    * src/preprocessors/str_search.c:
    * src/preprocessors/xlink2state.c:
    * src/sfutil/asn1.c:
    * src/sfutil/mpse.h:
    * src/plugbase.c:
    * src/snort.c:
      Code/compiler warning cleanup.


2005-08-15 Steven Sturges <ssturges@sourcefire.com>
    * src/decode.c:
    * src/win32/WIN32-Includes/NETINET/IN_SYSTM.H:
      Updated Win32 to handle pflog patch.

2005-08-15 Steven Sturges <ssturges@sourcefire.com>
    * src/output-plugins/spo_alert_prelude.c:
    * etc/snort.conf:
      Fix GCC4 warning, make the arguments parser more robust and
      less fault tolerant. Correct parsing of IDMEF severity mapping.
      Don't try to initialize Prelude support when 'output alert_prelude'
      is not specified.  Removed deprecated documentation from the conf
      file.  Thanks Yoann Vandoorselaere for the updates.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/stream.h:
      Fixed problem on Solaris when reassembling at exit.
      Thanks Andrew Rucker Jones for identifying the issue.

    * src/decode.c:
    * src/decode.h:
    * src/snort.c:
      Added support for new OpenBSD pflog format.  Older pflog format,
      OpenBSD 3.3 and earlier, is still supported.  Thanks Breno Leitao
      and Christian Reis for the patch.

    * src/decode.c:
    * src/decode.h:
    * src/util.c:
      Added statistics counter for ETH_LOOPBACK packets.  Thanks rmkml
      for the patch.

2005-07-29 mfr <roesch@sourcefire.com>
    * rpm/snort.spec:
      Fix epoch inclusion for RPM generation

2005-07-29 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Fixed debug prints for new flush behavior changes.

    * src/detection-plugins/sp_pattern_match.c:
      Added checks to ensure some syntax correctness for content
      rules.  Thanks Erik de Castro Lopo for the patch.

2005-07-27 mfr <roesch@sourcefire.com>
    * etc/snort.conf:
      Changed snort.conf to reflect flush_behavior changes

2005-07-24 mfr <roesch@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Fix parsing problem in the flush_behavior config directive

    * etc/snort.conf:
      Turn perfmonitor off by default

2005-07-22 Steven Sturges <ssturges@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
      Changed flush_behavior to use names instead of numeric value.
      New behaviors names are 'default', 'large_window', and 'random'

2005-07-22 Steven Sturges <ssturges@sourcefire.com>
    * src/win32/WIN32-Includes/config.h:
      Changed Snort version number

    * src/detection-plugins/sp_pattern_match.c:
      Fixed error message for replace

2005-07-22 mfr <roesch@sourcefire.com>
    * src/preprocessors/HttpInspect/client/Makefile.am:
    * src/preprocessors/HttpInspect/event_output/Makefile.am:
      More cleanup

2005-07-22 mfr <roesch@sourcefire.com>
    * src/preprocessors/HttpInspect/anomaly_detection/Makefile.am:
    * src/preprocessors/HttpInspect/mode_inspection/Makefile.am:
    * src/preprocessors/HttpInspect/normalization/Makefile.am:
    * src/preprocessors/HttpInspect/server/Makefile.am:
    * src/preprocessors/HttpInspect/session_inspection/Makefile.am:
    * src/preprocessors/HttpInspect/user_interface/Makefile.am:
    * src/preprocessors/HttpInspect/utils/Makefile.am:
      Remove references to files in other directories

2005-07-22 mfr <roesch@sourcefire.com>
    * rpm/snort.spec:
      Fixup the spec file to reflect new method of rules distribution

2005-07-22 mfr <roesch@sourcefire.com>
    * configure.in:
      Fix PostgreSQL support

2005-07-21 mfr <roesch@sourcefire.com>
    * src/snort.h:
      Bump build number

2005-07-21 mfr <roesch@sourcefire.com>
    * rpm/snort.spec:
    * rpm/generate-all-rpms:
      Setup for 2.4.0 release, removed inline build option from RPM generation
      for the time being

    * configure.in:
    * Makefile.am:
    * doc/Makefile.am:
      Updated for 2.4.0 release to remove references to sig docs and rules,
      which are now external to the distro

    * etc/snort.conf:
      Updated snort.conf for 2.4 release

2005-07-20 mfr <roesch@sourcefire.com>
    * autojunk.sh:
      Added --copy switch to automake call, patch from
      Jeff Nathan <jeff@snort.org>

    * congfigure.in:
      Added maintainer mode call to prevent endless configure reruns.  From
      Jeff Nathan <jeff@snort.org>

2005-07-20 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf.c:
      Improved file handling of perfmon stats file rollover.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Provided ability to use 2 sets of static flushpoints as well as
      random flushpoints for reassembly.  Thanks Jason Brvenik for the
      patch.

    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/spp_stream4.c:
    * src/snort.c:
    * src/snort.h:
      Added code to process unflushed Streams at snort exit
      and when stream is purged from cache because of memory
      issues.

    * src/preprocessors/spp_telnet_negotiation.c:
      Small fix for normalization of subnegotiation options.

2005-07-19 mfr <roesch@sourcefire.com>
    * doc/BUGS:
      Updated BUGS file for 2.4 release.

    * configure.in:
      Added PostgreSQL fixes and exit code patch from Javier
      Fernandez-Sanguino Pena <jfs@computer.org>

2005-07-18 mfr <roesch@sourcefire.com>
    * doc/README:
      Updated the README file to reflect the current version of Snort and
      command line switches that are available (and the ones that no longer
      are available as well...)

2005-07-11 Steven Sturges <ssturges@sourcefire.com>

    * src/detection-plugins/sp_byte_jump.c:
      Fixed log message.

    * src/log.c:
      Convert ICMP Router Advertisement time to host byte order before
      printing.

    * src/snort.c:
    * src/snort.h:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
    * src/preprocessors/spp_perfmonitor.c:
      Use singal to rollover perf stats file without having to restart
      snort.  Thanks Andrew Mullican for the patch.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/spp_frag3.c:
      Performance update for Frag3.  Also added stats fields to Perfmon
      for Frag3.

    * src/sfutil/mwm.c:
      Fix to handle multiple instances (different case) of the same pattern
      when the matching one occurs later than the others.

    * src/snort.c:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_prelude.h:
      Fix to handle heartbeat and pthread issues with Prelude.  Thanks Yoann
      Vandoorselaere for the patch.

    * src/sfutil/mwm.c:
    * src/preprocessor/spp_sfportscan.c:
    * src/preprocessor/HttpInspect/normalization/hi_norm.c:
      Data initialization fixes.  Thanks Yoann Vandoorselaere
      for the patch.

    * src/output-plugins/spo_database.c:
      Update for Oracle output.  Thanks Joel Esler for the fix.
 
    * src/output-plugins/spo_unified.c:
      Provide additional reliabilty for NT_SPECIAL_OUTPUT.  Thanks
      Eric Lauzon for the fix.

2005-06-10 Jeremy Hewlett <jh@snort.org>

    * src/output-plugins/spo_alert_prelude.c:
      Handle case when Packet pointer is NULL for Portscan alerts.

    * src/preprocessors/spp_frag3.c:
    * src/decode.c:
      Fixed processing of fragmented UDP traffic.

2005-05-20 Jeremy Hewlett <jh@snort.org>

    * src/preprocessors/spp_perfmonitor.c:
      Fixed misprinted filename (mnorton).

    * src/snort.c:
      Allow -T flag when MUST_SPECIFY_DEVICE is enabled (mnorton).

2005-05-19 Jeremy Hewlett <jh@snort.org>

    * src/parser/IpAddrSet.c:
      Fixed problem with parsing IP addresses of 255.255.255.255 for
      rules (ssturges).

2005-05-18 Jeremy Hewlett <jh@snort.org>

    * src/decode.h:
    * src/decode.c:
    * src/generators.h:
    * src/preprocessors/spp_frag3.c:
      Added processing of IP Options in fragmented packets (ssturges).
      Thanks Brice Cotte for getting us discussing this topic.

    * src/preprocessors/snort_stream4_session.c:
      Fixed potential memory corruption (ssturges).

2005-05-09 Jeremy Hewlett <jh@snort.org>

    * src/parser.c:
      Increase  limit  on  number  of rule options to 256 (was 64).
      Report error if limit is reached -- previously,  extra  options
      were ignored.  Also increased max line length to 4096 chars, from
      1024.

2005-05-09 Andrew Mullican <amullican@sourcefire.com>

    * src/preprocessors/xlink2state.c:
      Bugfix for PowerPC architecture.

2005-05-05 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/perf-base.c:
      Updated  to  better  match  true  on  the  wire and user data
      values (Marc Norton).

2005-04-28 Jeremy Hewlett <jh@sourcefire.com>

    * src/snort.c:
      Added check for MUST_SPECIFY_DEVICE #ifdef, which if used,
      requires either a -i or -r commandline switch to start snort.  If
      not used, current behavior remains (Marc Norton).

    * autojunk.sh:
    * configure.in:
    * Makefile.am:
    * etc/snort.conf:
    * m4/libprelude.m4:
    * m4/Makefile.am:
    * src/plugbase.c:
    * src/output-plugins/Makefile.am:
    * src/output-plugins/spo_alert_prelude.c:
    * src/output-plugins/spo_alert_prelude.h:
      Added support for prelude, enable with --enable-prelude. Thanks
      Yoann Vandoorselaere!

2005-04-26 Jeremy Hewlett <jh@sourcefire.com>

    * src/parser/IpAddrSet.c:
      Fixed Snort not resolving hostnames that start with a numeric and
      also parsing of invalid CIDR blocks (Daniel Cid).

    * src/plugbase.c:
    * src/plugbase.h:
      Remove unused functions str2s, hex2s, and int2s (Andy Mullican).
      Thanks Jeff Nathan for pointing this out.

    * src/preprocessors/spp_rpc_decode.c:
      Ignore multiple rpc requests if in a rebuilt packet (Thanks Andy
      Mullican).

    * src/inline.c:
      File descriptor clean up from Will Metcalf.

2005-04-22 Andrew Mullican <amullican@sourcefire.com>

    * etc/gen-msg.map:
    * src/generators.h:
    * src/plugbase.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream4.h:
    * src/preprocessors/spp_xlink2state.c:
    * src/preprocessors/spp_xlink2state.h:
    * src/preprocessors/xlink2state.c:
    * src/preprocessors/xlink2state.h:
    * src/preprocessors/str_search.c:
    * src/preprocessors/str_search.h:
      Added xlink2state mini-preprocessor to catch MS Exchange buffer
      X-Link2State data overflow.

2005-04-11 Jeremy Hewlett <jh@sourcefire.com>

    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
      Fixed error messages in byte_jump & byte_test rule options (Marc
      Norton).

    * detection_plugins/sp_byte_jump.c:
      Fixed issue with 'multiplier' option.  It is now being done before
      the 'align' option.  This helps with rules that look at SMB
      traffic (Steve Sturges).

    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/snort_stream4_session.c:
    * src/preprocessors/snort_stream4_session.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream4.h:
    * src/sfutil/sfxhash.c:
    * src/sfutil/sfxhash.h:
    * etc/snort.conf:
      Performance Improvements to Flow & Stream4 session management.
      Also added limit to number of active sessions for Stream4, default
      of 8192.  Old memcap value now only applies to packets stored for
      reassembly.  Configure using preprocessor stream4: max_sessions
      16384 in snort.conf (Steve Sturges).

    * src/preprocessor/spp_perfmonitor.c:
    * src/preprocessor/spp_perfmonitor.h:
    * src/snort.c:
      Added -Z flag to set full path name to PerfMonitor stats file.
      This will override the file or snortfile configuration option
      (Marc Norton).

2005-04-05 Jeremy Hewlett <jh@sourcefire.com>

    * src/detect.c:
    * src/fpdetect.c:
    * src/log.c:
    * src/snort.c:
    * src/snort.h:
    * src/tag.c:
    * src/output-plugins/spo_unified.c:
      Added a -G flag that specifies an instance identifier for the event
      logs.  Can be used when running multiple instances of snort, either
      on different CPUs or on same CPU but different interface.  Each
      snort instance will use the value specified to generate unique
      event ids.  Can specify either a decimal value (-G 1) or hex value
      preceeded by 0x (-G 0x11). Thanks Steve Sturges.

    * src/decode.h:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
      Fix to remove unnecessary ICMP echo extension, and update output
      plugins to use ICMP header info. Thanks Kevin Douglas for finding
      this and Andrew Mullican for the fix.

    * src/decode.h:
    * src/detect.c:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * etc/snort.conf:
      Add option to Stream4 to limit server-side inspection for improved
      performance.  Similar to HttpInspect's flow-depth, this option
      limits rule-inspection of server traffic to the set number of bytes
      (in 1 or more packets) until another client request is seen.  Thanks
      Steve Sturges & Marc Norton

    * src/plugbase.c:
      Fix issue generating ascii strings.  Thanks Sandro Poppi for the fix.

2005-04-01 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Additional fixes for suppression issue with sfPortscan and Open
      Ports.  Fix for packets logged with bogus ip lengths (related to
      Open Port alerts). Thanks Andy Mullican.

2005-03-25 Jeremy Hewlett <jh@sourcefire.com>

    * src/output-plugins/spo_alert_syslog.c:
    * src/snort.c:
      Add snort's PID to syslog. Thanks Steve Sturges.

    * src/preprocessors/spp_stream4.c:
      Added to default ports in Stream4 and cleaned up Stream4
      configuration processing. Thanks Steve Sturges.

    * src/preprocessors/spp_frag3.c:
      Added packet dump (debug only) to Frag3. Patch from Steve Sturges.

    * src/sfthreshold.c:
      Added detail to config error messages for thresholding. Patch from
      Steve Sturges.

    * src/fpdetect.c:
    * src/plugbase.h:
    * src/detection-plugins/sp_flowbits.c:
    * src/preprocessors/spp_sfportscan.c:
      Code Cleanup (general), thanks Steve Sturges.

    * rpm/snort.org.spec:
    * rpm/snort.logrotate:
      Added schemas to distro, and 'sharedscripts' to logrotate. General
      clean up of spec file. Thanks Josh Kelley for pointing this out.

2005-03-25 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Fixed suppression issue with sfPortscan and Open Ports. Patch from
      Andy Mullican.

2005-03-15 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.c:
    * src/parser/IpAddrSet.c:
    * src/parser/IpAddrSet.h:
    * src/preprocessors/spp_frag3.c:
    * etc/generators:
      Updates/Fixes to Frag3 IP reassembler (thanks ssturges):
      1) Push first fragmented UDP packet through, but do not inspect
      other fragmented packets (until rebuilt). 
      2) Printing of Configuration Info
      3) Code readability

    * src/parser.c:
      Removal of comment parsing code added for 2.3.1.

    * src/decode.c:
    * src/generators.h:
      Added support for detection of Lookback & Same src/dest attacks in
      the packet decoder. This obsoletes sids 527, 528. Thanks Marc
      Norton for the feature.

    * src/detection-plugins/Makefile.am:
    * src/plugbase.c:
    * src/detection-plugins/sp_ftpbounce.c:
    * src/detection-plugins/sp_ftpbounce.h:
      Added FTP Bounce detection Plugin. Thanks Steve Sturges.

    * src/detection-plugins/sp_flowbits.c:
      Increased Flowbits hash table size. Thanks Marc Norton.

    * src/fpcreate.c:
      Performance improvement in pattern matcher from Marc Norton.

    * src/decode.c:
    * src/decode.h:
    * src/fpdetect.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_frag3.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/snort.c:
    * src/snort.h:
      Eliminate duplicate alerts on Rebuilt Streams/IP reassembled packets.
      Patch from Andy Mullican and Steve Sturges.

    * src/preprocessors/portscan.c:
    * src/preprocessors/sfportscan.c:
    * doc/README.sfportscan:
    * etc/generators:
    * etc/gen-msg.map:
      Added handling of midstream sessions in portscan preprocessors.
      Thanks Andy Mullican.

    * src/generators.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
    * src/ubi_BinTree.c:
    * src/ubi_BinTree.h:
    * src/ubi_SplayTree.c:
    * src/ubi_SplayTree.h:
    * etc/gen-msg.map:
    * etc/snort.conf:
      Stream4 fixes - Handle PAWS, NULL TCP Flags in established session,
      limit overlaps in established session, update ACK when server sends
      RST. Performance changes for cleaning up session cache. Thanks
      Steve Sturges and Andy Mullican for the patches.

    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
    * src/preprocessors/snort_httpinspect.c:
    * doc/README.http_inspect:
      Added uri_tab_delimiter option to HttpInspect. Patch from Andy
      Mullican.

    * src/preprocessors/perf-base.c:
      Updates to PerfMon to handle multiple CPUs properly. Thanks Steve Sturges.

    * src/preprocessors/spp_telnet_negotiation.c:
      Fixed telnet decoder bug when ignoring Sub-negotiation end command.
      Thanks Steve Sturges.

2005-03-08 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_flow.c:
    * src/detection-plugins/sp_flowbits.c:
      Increased number of flowbits (mnorton)

2005-03-08 Steven Sturges <ssturges@sourcefire.com>

    * src/parser.c:
      Fixed parsing of comments at end of line in config file.   In
      snort.conf, anything that follows a # on a line is considered a
      comment.

2005-03-04 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX.
      Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and
      Jonathan Miner for working with us on this.

2005-01-28 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.c:
    * src/decode.h:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/HttpInspect/utils/hi_util_kmap.c:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/sfthreshold.c:
      Fixed compiler warnings and code formatting (tabs to spaces).

2005-01-20 Andrew Mullican <amullican@sourcefire.com>

    * src/generators.h:
    * src/preprocessors/spp_bo.c:
      Added 2 BackOrifice alerts (1 client, 1 server) so that some alerts
      can be suppressed.

2005-01-18 Steven Sturges <ssturges@sourcefire.com>

    * src/plugbase.c:
    * src/plugbase.h:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/snort_httpinspect.h:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_httpinspect.c:
    * src/snort.c:
      Change to verify that preprocessors have sufficient configuration
      data to correctly operate.

    * src/preprocessors/spp_frag3.c:
      Fixes to Frag3 to only have one instance of preprocessor.  Uses
      policy context internally based on destination address of packet.
      Previously, each Frag3 Policy would result in a separate
      preprocessor instance.  Also fixed use of ttl_limit option.

2005-01-18 Andrew Mullican <amullican@sourcefire.com>

    * src/decode.c:
    * src/decode.h:
    * src/parser.c:
      Added ability to ignore packets based on port.  Syntax in
      snort.conf is
        config ignore_ports: <tcp|udp> <list of ports separated by whitespace>
      where list of ports can also include port ranges (ports separated by :).

2005-01-17 Steven Sturges <ssturges@sourcefire.com>

    * src/inline.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.h:
    * src/preprocessors/sfprocpidstats.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_frag3.c:
    * src/preprocessors/spp_perfmonitor.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
      Performance fixes to get correct 'on-the-wire' statistics.  Added
      'atexitonly' option for perfmonitor that results in performance
      stats only being dumped when snort exits, rather than periodically
      throughout snort's lifetime.
 
2005-01-13 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_frag3.c:
      Fixed parsing of frag3 options to use space delimited options to
      handle IP address lists correctly.

    * etc/snort.conf:
      Updated example options for frag3

2005-01-13 Marc Norton <mnorton@sourcefire.com>

    * src/preprocessors/spp_sfportscan.c:
      Fixed arithmetic to correctly set the ip packet length in the ip
      header prior to writing the portscan info to the packet. Thanks Jon
      Hart for the test case and finding the bug.

2004-12-23 Steven Sturges <ssturges@sourcefire.com>

    * src/detect.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfthreshold.c:
    * src/snort.c:
    * src/util.c:
    * src/util.h:
    * src/sfutil/Makefile.am:
    * src/sfutil/sfsnprintfappend.c:
    * src/sfutil/sfsnprintfappend.h:
      Fixed problem with logging that appeared in Snort 2.3.0 RC2, where
      single lines were broken up when sent to syslog. Thanks Sekure for
      pointing out the problem with thresholding.

    * src/sfthreshold.c:
      Fixed xatou function to check for non-digit parameter. Thanks nnposter for submitting
      a patch!

2004-12-20 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.h:
    * src/win32/WIN32-Includes/config.h:
    * src/win32/WIN32-Includes/stdint.h:
    * src/win32/WIN32-Includes/syslog.h:
      Reduces the number of warning on MingW/gcc. Thanks Gisle Vanem for
      the patch!

2004-12-17 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.c:
      Fixed issue with snort not properly decoding ppp links on MacOS X.
      Thanks Allan Jensen for reporting this and working with us on the
      fix (Roelker).

2004-12-14 Jeremy Hewlett <jh@sourcefire.com>

    * doc/README.http_inspect:
      Updated documentation on flow_depth and HTTP headers per
      conversations with Joe Patterson. Thanks Joe!

2004-12-09 Jeremy Hewlett <jh@sourcefire.com>

    * src/preprocessors/spp_arpspoof.c:
      Added variable names to function prototypes and made cosmetic
      changes to debug messages.  In ARPspoofHostInit() fixed a problem
      where the list of configured IP/MAC entries would contain only one
      entry and leaked memory.  In DetectARPattacks() made a small
      performance improvement by eliminating a copy of the ARP source
      protocol (IP) address (Jeff Nathan).

    * src/snort.h:
    * src/snort.c:
    * src/parser.c:
      Fixed a problem affecting MacOS X where linking may fail with
      non-standard libraries when global symbols are encountered multiple
      times. Removed duplicate globals and externed globals in headers.
      Defined globals in source. Made sure frag2 is only linked once
      (Jeff Nathan).

2004-12-08 Daniel Roelker <djr@sourcefire.com>

    * src/detect.c:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/fpdetect.c:
    * src/inline.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      If the 'Q' option (inline) is set, set a global variable that can
      be used externally.

    * src/preprocessors/snort_httpinspect.c:
      Update error message when IIS Unicode map file is not found.

    * src/preprocessors/spp_stream4.c:
      Ignore RST|ACK midstream pickup case so we don't get an evasive TCP
      alert.  Thanks for the report, Sekure.

    * src/util.c:
    * src/util.h:
    * src/snort.c:
      Change SanityChecks() to CheckLogDir() so the function name now
      makes sense.  Move CheckLogDir() to after parsing snort.conf (for
      IDS mode), so the logdir config will work if the default or
      command-line logdir does not exist on the system.

2004-11-19 Steven Sturges <ssturges@sourcefire.com>

    * src/preprocessors/spp_telnet_negotiation.c:
      Fixed issues with how telnet options are handled.

2004-11-18 Steve Sturges <ssturges@sourcefire.com>

    * src/detection-plugins/sp_pcre.c:
      Fixed bug when setting the doe_ptr on a successful pcre match.
      It is now set relative to base_ptr.

    * src/detection-plugins/sp_byte_jump.c:
      Added from_beginning and multiplier options for byte_jump.
      from_beginning skips bytes from the beginning of the content,
      instead of from the location immediately following the number
      of bytes to skip.  multiplier takes a numeric argument, and
      skips x times that number of bytes.

2004-11-04 Andrew Mullican <amullican@sourcefire.com>

    * src/detect.c:
    * src/detect.h:
    * src/log.c:
      In "fast" output, now log only actual packet contents when UDP
      data length is greater than actual data length. Thanks Brian
      Caswell for spotting this.

2004-11-04 Jeremy Hewlett <jh@sourcefire.com>

    * configure.in:
      Added --enable-64bit-gcc to set up the build environment for 64bit
      (tested only on Solaris9). Still are some memory alignment issues
      to work out before 64bit mode is fully functional, Patches are
      welcomed. Thanks Chris Baker for doing 64bit testing.

    * src/sfutil/sfmemcap.c:
      Better support for 64bit Snort (mnorton).

2004-11-04 Andrew Mullican <amullican@sourcefire.com>

    * src/output-plugins/spo_unified.c:
      Fixed reference times to match log time for first packet, for an event
      generated by a reassembled packet.  Incremented event ID to give
      unique ID for each packet.  Also made unified logging compatible with
      Windows.

2004-11-02 Jeremy Hewlett <jh@sourcefire.com>

    * configure.in:
      Changed linking order of libmysqlclient.

    * src/detection-plugins/sp_rpc_check.c:
    * src/preprocessors/spp_frag2.c:
    * src/sfutil/acsmx2.c:
      Fixes for compilation on 64-bit Solaris.  Snort 2_3 branch compiles
      cleanly (jhewlett, mnorton). Should be a few more changes coming
      shortly.

    * src/plugbase.c:
      Compilation fix for AIX. Thanks Markus Waldeck.

    * src/preprocessors/spp_perfmonitor.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/perf-base.h:
    * src/preprocessors/perf.c:
    * src/preprocessors/perf.h:
      perfmonitor config line can now be configured with accumulate or
      reset. (mnorton). Thanks Barry Basselgia for pointing out the issue.
      Thanks Scott Dexter and Andreas Ostling for doing some initial
      testing.

2004-10-21 Daniel Roelker <droelker@sourcefire.com>

    * src/preprocessors/HttpInspect/client/hi_client.c:
      Don't include the version string length as part of the
      directory length.  Caused some false positives if the oversize
      directory length was set to small numbers.  Thanks Jeremy
      Hewlett for catching this one.

    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/snort_httpinspect.c:
      Fix false positives that were occurring on some events.  Thanks
      to Vjay Larosa for the report.

    * src/preprocessors/perf-base.c:
    * src/preprocessors/sfprocpidstats.c:
      Fix linux perfmonitoring stats for the 2.6 kernel.  Thanks to
      everyone that reported this bug.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/stream.h:
      Add an enforce_state keyword to stream4 so we won't pick up midstream
      sessions.  This works well for asynchronous links and also for
      just monitoring legitimate traffic. 

2004-10-13 Daniel Roelker <droelker@sourcefire.com>

    * src/detect.c:
      Fix suppression/thresholding bug for non-rule alerts.  Thanks to
      Alex Butcher for reporting it to us.

2004-10-11 mfr <roesch@sourcefire.com>

    * src/util.c:
      Fix divide by zero bug in TimeStats()

2004-10-05 Daniel Roelker <droelker@sourcefire.com>

    * src/parser.c:
      Fix bug in preprocessor error statement that referenced freed
      memory.  Thanks to Dennis George for submitting fix.

    * src/detection-plugins/sp_pattern_match.c:
      Fix content option modifiers so that they check the option specified
      and not offset.  Thanks to Petr Kurtin for pointing out this bug.

2004-10-04 Daniel Roelker <droelker@sourcefire.com>

    * src/decode.c:
      Fix TCP/IP options print bug that was found by Marcin Zgorecki.

    * src/plugbase.c:
      Move portscan initialization into preprocessors, not plugins.

    * preprocessors/portscan.c:
      Inspect invalid TCP initiators that stream4 doesn't track for portscans.
      Log open ports on TCP portsweeps when we can.  Thanks to #snort and
      SGUIL guys for their comments and feedback.  Also, thanks to David
      Lowless for his portscan testing in the UK.

2004-10-04 mfr <roesch@sourcefire.com>
    * src/preprocessor/spp_frag3.c:
    * src/preprocessor/spp_frag3.h:
    * src/generators.h:
    * src/plugbase.c:
    * src/plugbase.h:
      New target-based IP defragmenter for Snort.

    * src/parser/IpAddrSet.h:
    * src/parser/IpAddrSet.c:
      Added functions for improved set parsing, generation, finding

    * src/preprocessors/flow/flow_cache.c:
      Reformatted output printing for flowcache_stats() function

    * src/preprocessor/spp_arpspoof.c:
    * src/preprocessor/spp_bo.c:
    * src/preprocessor/spp_conversation.c:
    * src/preprocessor/spp_flow.c:
    * src/preprocessor/spp_frag2.c:
    * src/preprocessor/spp_httpinspect.c:
    * src/preprocessor/spp_perfmonitor.c:
    * src/preprocessor/spp_portscan.c:
    * src/preprocessor/spp_rpc_decode.c:
    * src/preprocessor/spp_stream4.c:
    * src/preprocessor/spp_telnet_negotiation.c:
    * src/preprocessor/spp_stream4.c:
      Added context pointer handling to PreprocessorFunctionNode calls
 
    * src/sfutil/sflsq.h: 
    * src/sfutil/sflsq.c: 
      Added a couple a list node delete and add function for the current ptr

    * src/sfutil/sfxhash.h: 
    * src/sfutil/sfxhash.c: 
      Exposed sfxhash_free_node() function as a public function

    * src/util.c:
    * src/snort.c:
      Added a modified version of Bill Parker's <dogbert@netnevada.net> run
      timing patch
 
2004-09-20 Daniel Roelker <droelker@sourcefire.com>

    * src/util.c:
      Fix ts_print to work correctly for localtime logging.

    * src/fpdetect.c:
      Thresholded drop/sdrop rules should still drop the packet, but we
      just won't alert on them.  Thanks to Brian Starrfield for finding
      this bug.

2004-09-17 Daniel Roelker <droelker@sourcefire.com>

    * src/detect.c:
      Fix tagging issue that would tag rebuilt TCP streams, which for most
      output plugins this means we just relog the packets that we've
      already logged.  Thanks Jeremy Hewlett and Daniel Cid for finding
      this bug.

    * src/event_queue.c:
    * src/event_queue.h:
      Only flush a TCP stream on rule alerts and not on preprocessor alerts.
      Thanks Jeremy Hewlett and Daniel Cid for finding this bug.

2004-09-13 Jeremy Hewlett <jh@sourcefire.com>

    * src/detection_plugins/sp_react.c:
    * src/detection_plugins/sp_react.h:
      Wrap sp_react in #ifdef tests so it can be enabled concurrently
      with sp_respond2 (Jeff Nathan).

    * src/detection_plugins/sp_respond.c:
    * src/detection_plugins/sp_respond.h:
      Wrap sp_respond in #ifdef tests so it is mutually exclusive of
      sp_respond2 (Jeff Nathan).

    * configure.in:
    * doc/Makefile.am:
    * doc/README.FLEXRESP2:
    * src/parser.c:
    * src/snort.h:
    * src/detection_plugins/Makefile.am:
    * src/detection_plugins/sp_respond2.c:
    * src/detection_plugins/sp_respond2.h:
      Import version 2 of the flexible response system written by
      Jeff Nathan

2004-09-08 Daniel Roelker <droelker@sourcefire.com>

    * src/decode.c:
      Drop bad checksums if we're in inline mode and we're doing checksums.
      Thanks to William Metcalf and Victor Julien for this patch.

    * doc/CREDITS:
      Updated CREDITS with some major SourceFire contributors that were
      not mentioned.

2004-09-07 Daniel Roelker <droelker@sourcefire.com>

    * src/inline.c:
    * src/inline.h:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
      Make reject rule type work with linux bridging.  Added config option
      'layer2resets', which by default uses the interface specified by
      the ipq packet.  In addition, you can also specify a src mac address
      so the sensor interface information is not apparent.  Thanks to
      William Metcalf and Victor Julien for this feature.

2004-09-02 Daniel Roelker <droelker@sourcefire.com>

    * src/detect.c:
    * src/fpdetect.c:
    * src/preprocessors/spp_stream4.c:
      Add inline state configuration for stream4, so we will drop packets that
      are not part of an existing TCP session and are not valid TCP
      initiators.  Thanks Will Metcalf and Victor Julien for the initial
      implementation.  Add functionality for drop/sdrop rules that will still
      drop a packet if the rule specifies "flow: established".  We silently
      drop the packet, so as not to be DOS'd by stick/snot attacks.  If the
      user wants the alerts, then add in the stream4 configuration of
      'midstream_drop_alerts'.

    * src/rules.h:
    * src/detection_plugins/sp_clientserver.c:
      Add not_established keyword to the flow detection option.  This allows
      snort to do dynamic firewall rulesets.  Experimental for now, so if
      any wants to try let me know.

    * src/preprocessors/snort_httpinspect.c:
      Fix conditions where snort would log double web alerts that contained
      only content options (no uricontents).  Thanks to kawa for finding and
      reporting this bug.

2004-08-31 Daniel Roelker <droelker@sourcefire.com>

    * src/fpdetect.c:
      If InlineMode() is set, than the flow: established check will also
      look to see if the TCP stream was picked up in midstream.  If it was,
      then we assume it's established.  This also blocks packets that are
      generated by stick/snot type attacks, whereas before these packets
      were just being passed through because flow: established was not valid.

2004-08-27 Daniel Roelker <droelker@sourcefire.com>

    * src/sfutil/sfmemcap.c:
      Fix 64-bit bug found and tested by Ryan Matteson (matty91@bellsouth.net)
      and Clay McClure (clay@daemons.net).  Thanks guys.

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/snort_httpinspect.c:
      When we pick up TCP sessions in midstream, don't use stream4 direction
      to tell us how to inspect client and server traffic.  Performance
      enhancement for some sites.

    * src/preprocessors/portscan.c:
      Add more comments and make portscan detail printouts more readable.

2004-08-20 Daniel Roelker <droelker@sourcefire.com>

    * src/util.c:
      Make ts_print work correctly with timezones.  Thanks to Dagobert
      Kellner for the fix.

2004-08-19 Daniel Roelker <droelker@sourcefire.com>

    * src/util.c:
      Log an error when the user tries to setuid/gid and snort is being
      run in inline.  Thanks Matt Brannigan for finding this bug.

2004-08-13 Daniel Roelker <droelker@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c:
      Ignore replace rule options when snort isn't in GIDS mode. (Roelker)

    * src/decode.h:
    * src/detect.h:
      Set a packet_flag for drop alerts.  This lets the output plugins
      know that we just dropped the packet that we logged.  (Roelker)

2004-08-11 Daniel Roelker <droelker@sourcefire.com>

    * src/inline.c:
    * src/spo_unified.c:
      Make inline alerts work with unified output.  Thanks for the help
      in unified format Andrew Baker.

    * src/util.c:
      Added ASCII pig (thanks Dug Song) and snort team to snort initialization
      printout.

    * src/output-plugins/spo_log_tcpdump.c:
      Check to make sure we have a pointer before we reference a structure
      element.

2004-08-05 Daniel Roelker <droelker@sourcefire.com>

    * src/log.c:
    * src/detect.c:
      Make tagging work for more than 1 second.  (Daniel Roelker)

    * src/detect.c:
    * src/fpdetect.c:
      Get thresholding/suppression to work for alerts that do not
      contain an iph header (primarily decode alerts).  Thanks
      Brian Caswell.

2004-08-04 Daniel Roelker <droelker@sourcefire.com>

    * src/snort.c:
      Fix inline printf's during initialize.  Also fix return code on
      invalid input for startup.  This helps scripts so it returns
      an error if the command line arguments in the script are wrong.
      Thank you Matt Brannigan for this fix.

2004-07-28 Daniel Roelker <droelker@sourcefire.com>

    * configure.in:
      Added --include-pcre* configuration option to help cross compiling.
      Thanks Erik de Castro Lopo.

    * src/event_queue.c:
      Fix bug in multi-event logging when thresholding/suppression was enabled
      for events in the queue.  Thanks once again to Andreas Ostling.

    * src/output-plugins/spo_log_tcpdump.c:
      When a rebuilt stream causes an alert, log out the original packets
      instead of the rebuilt packet.  Thanks Marty Roesch.

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Turn off some alerts in the profile that were causing false positives.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Turn off encoding alerts in HTTP parameter field.  The parameter field
      is still normalized, it just doesn't alert.  This helps reduce alerts
      that are generated from complex parameter queries.

2004-07-08 Daniel Roelker <droelker@sourcefire.com>

    * etc/gen-msg.map:
    * src/generators.h:
    * src/plugbase.c:
    * src/decode.h:
    * src/preprocessors/portscan.c:
    * src/preprocessors/portscan.h:
    * src/preprocessors/spp_sfportscan.c:
    * src/preprocessors/spp_sfportscan.h:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/flow/flow.h:
      Added new portscan detector.  We now detect tcp, udp, icmp, and
      ip protocol scans.  Along with the following scan types (using
      nmap terminology): portscan, decoy portscan, portsweep, and
      distributed portscan.  The initial version will have three sensitivity
      levels, so if you want to change values manually go to portscan.c and
      change the values there.  I don't want to confuse people out of the
      gate with lots of value configurations, so try these preset levels
      and give us feedback.  (Daniel Roelker)

2004-07-06 Daniel Roelker <droelker@sourcefire.com>

    * configure.in:
    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/detect.h:
    * src/fpdetect.c:
    * src/inline.c:
    * src/inline.h:
    * src/mstring.c:
    * src/parser.c:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
    * src/detection-plugins/sp_pattern_match.c:
    * src/detection-plugins/sp_pattern_match.h:
    * src/output-plugins/spo_database.c:
    * src/preprocessors/spp_stream4.c:
      Added IPS functionality from snort_inline.  Thanks everyone that was
      involved in that project.  For more info, go check out
      http://snort-inline.sourceforge.net.

    * src/log.c:
      Fixed memory leak in "fast" output.  Thanks for your bug report
      sekure@gmail.com.

2004-06-22 Chris Reid <chris.reid@codecraftconsultants.com>

    * src/snort.c:
      Clear error code which under Windows was causing a
      subsequent false failure in parsing threshold rules.
      (thanks to Rich Adamson)

2004-06-16 Daniel Roelker <droelker@sourcefire.com>

    * src/sfutil/asn1.c:
    * src/sfutil/asn1.h:
    * src/detection-plugins/sp_asn1.c:
    * src/detection-plugins/sp_asn1.h:
    * src/debug.h:
    * src/snort.c:
      Added ASN.1 parsing and detection functionality to snort.
      Please refer to README.asn1 for more information on rule
      usage. (Roelker)

    * src/parser.c:
      Added parsing check from Andreas Ostling so that users don't
      assume that destination port lists are allowed because no
      error is given.

    * src/preprocessors/spp_stream4.c:
      Fixed rebuilt TCP packet munging reported by Steve Halligan.
      Thanks a lot for getting this problem down to pcap so we could
      analyze the problem.

    * src/detect.c:
    * src/event_queue.c:
    * src/log.c:
    * src/preprocessors/spp_stream4.c:
    * src/sfutil/sfeventq.c:
      Improve TCP reassembly flushing for TCP streams that have already
      generated an alert.  This was illustrated by Brian Bailey in his
      SANS GIAC practical examination.  Thanks for working with us on
      this one.

2004-05-06 Daniel Roelker <droelker@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c:
      Fixed rule read up error when parsing hexmode content options.
      Thanks for pointing it out Marty.  (Roelker)

    * src/preprocessors/spp_stream4.c:
      Fixed null pointer dereference when detect_scans were enabled and
      creating a new session that had funky flags.  Thanks to Chad
      Kreimendahl for reporting the bug and testing the fix.  (Roelker)

    * src/snort.h:
      at build 28

2004-04-22 Daniel Roelker <droelker@sourcefire.com>

    * src/decode.c:
    * src/detect.c:
    * src/event_queue.c:
    * src/event_queue.h:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/parser.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream4.c
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
    * src/signature.c:
    * src/signature.h:
    * src/snort.c:
      Added new event queueing algorithm, so Snort logs multiple events
      per packet/stream.  The algorithm uses two ordering methods:  priority
      and content length.  (Roelker)

    * src/fpcreate.c:
    * src/fpcreate.h:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/acsmx.c:
    * src/sfutil/acsmx.h:
    * src/sfutil/mpse.c:
    * src/sfutil/mpse.h:
      New Aho-Corasick pattern matchers (Norton).  Added content length
      tracking on otnx structures.

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/snort_httpinspect.c:
      Added webroot alert.  This alert is generated when a URL directory
      traversal traverses past the webroot.  Added new URI discovery
      technique pointed out by Kanatoko.

    * src/tag.c:
      Revert to old tagging behavior.  Will add new functionality in a future
      version.

    * src/util.c:
      Changed Snort post-processing stats to unsigned so users won't get
      negative stats.  Thanks to various people from the community for
      reporting this.

2004-03-22 Chris Reid <chris.reid@codecraftconsultants.com>

    * src/plugbase.c:
    * src/plugbase.h:
    * src/output-plugins/spo_database.c:
      Updated how current/utc times are calculated, as well
      as how they are formatted (thanks Marcus Janoski)

2004-03-18 mfr <roesch@sourcefire.com>

    * src/sfutil/acsmx2.c:
      Fixed _toupper/_tolower calls on non-Win32 machines (again).

    * src/preprocessors/spp_stream4.c:
      Uncommented ssnptr set in BuildPacket() for Dan

2004-03-17 mfr <roesch@sourcefire.com>

    * src/parser.c:
      Added FatalError() in ProcessIP if closing IP-list '[' isn't found

    * src/util.c:
      Revamped DropStats() function to use screen real estate more efficiently

    * src/event_wrapper.c:
      QueueEvent checks to see if we're in MODE_IDS before queuing events and
      ClearEventQueue() checks to make sure that the event_list has been
      initialized.

    * src/sfutil/acsmx2.c:
      Fixed _toupper/_tolower calls on non-Win32 machines.

    * src/sfutil/acsmx2.c:
      Fixed acsmx.h call to acsmx2.h.

    * doc/Makefile.am:
      Mark snort_manual.pdf for cleanup too.


2004-03-16 Jeremy Hewlett <jh@sourcefire.com>

    * src/snort.c:
    * src/sfutil/acsmx2.c:
    * src/sfutil/acsmx2.h:
    * src/sfutil/Makefile.am:
      New Aho-Corasick pattern matcher from Marc Norton - memory usage reduced by 75%.

    * src/snort.h:
      Build 26

2004-03-15 Jeremy Hewlett <jh@sourcefire.com>

    * src/parser.c:
      "config checksum_mode" now supports multiple arguments on one line
      instead of multiple lines.

2004-03-15 Daniel Roelker <droelker@sourcefire.com>

    * src/util.c:
      Calculate dropped packets and received packets correctly.  Thanks
      Yoann Vandoorselaere for pointing this out.

2004-03-08 Daniel Roelker <droelker@sourcefire.com>

    * configure.in:
      Thanks to Erik de Castro Lopo for removing warnings.

    * src/decode.c:
    * src/decode.h:
    * src/detect.c:
    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/snort.c:
      New event queuing and logging for decoder and stream4 events (Marty).

    * src/fpdetect.c:
      Return value for fpEvalPacket and reset BITOP array on HTTP
      pipelines (Marty/Roelker).

    * src/generators.h:
    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/client/hi_client_norm.c:
    * src/preprocessors/HttpInspect/event_output/hi_eo_log.c:
    * src/preprocessors/HttpInspect/include/hi_eo_events.h:
    * src/preprocessors/HttpInspect/include/hi_ui_config.h:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Added non-rfc chunk length encoding support, thanks for pointing it out
      H.D. Moore, and added webroot alert which alerts on webroot directory
      traversals (Roelker).

    * src/debug.h:
    * src/preprocessors/Makefile.am:
    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_stream4.h:
    * src/preprocessors/stream.h:
      Added new TCP state engine (Marty).

    * src/output-plugins/spo_unified.c:
      Added stream packet logging for unified output, when alerting on
      rebuilt streams (Marty).

    * src/preprocessors/spp_conversation.c:
      Fixed conversation parsing faults so users can operate this
      preprocessor (Roelker).

    * src/snort_packet_header.h:
      Added for future support (Marty).

    * src/snort.h:
      Now on build 25.
 
2004-02-25 Jeremy Hewlett <jh@sourcefire.com>

    * src/output-plugins/spo_csv.c:
      Additional fixes from Alan Milligan with CSV output, thanks!

    * src/sfutil/bitop.h:
      Cleaning up unsigned/signed warnings

    * src/snort.h:
      Moving to build 24

2004-02-25 Chris Reid <chris.reid@codecraftconsultants.com>

    * src/output-plugins/spo_database.c:
      Removed escaping of '%' and '_' characters in MySQL (thanks
      Kristofer Karas).

2004-02-23 Jeremy Hewlett <jh@sourcefire.com>

    * snort.8:
      Updated -T info to include where snort looks for "snort.conf." Thanks
      Drew Smith for pointing that out.

    * doc/snort_manual.tex:
      Doc updates for thresholding - rule thresholds must contain a sid.

    * src/detect.c:
    * src/plugbase.c:
      Changed some startup messages from printf to LogMessage to be more
      consistent. Thanks for the patch, nnposter(at)users.sourceforge.net.

    * src/snort.h:
      Touched source code - bumping to 23

2004-02-17 Jeremy Hewlett <jh@sourcefire.com>

    * src/output-plugins/spo_csv.c:
      Fixed minor problems with CSV output not printing out src,srcport,
      dst,dstport properly.  Thanks for the patch, Bill Guyton. Good spot!

    * src/snort.h:
      Now at build 22

2004-02-13 mfr <roesch@sourcefire.com>
    * templates/sp_template.h:
    * templates/sp_template.c:
    * templates/spp_template.h:
    * templates/spp_template.c:
      Updated to match the current reality of Snort.

2004-02-10 Jeremy Hewlett <jh@sourcefire.com>

    * src/bounds.h:
    * src/event.h:
    * src/signature.h:
      Added fix for compiling on Tru64 - bitypes.h now wrapped in an ifdef.
      Thanks Hari Gopal and Darryl Cook for pointing out the problem and
      testing.

    * etc/snort.conf:
    * doc/snort_manual.tex:
      Various fixes pointed out by JP Vossen and Felipe Franciosi.

2004-02-09 Jeremy Hewlett <jh@sourcefire.com>

    * src/Makefile.am:
      Removed unnecessary libintsnort.a, which was causing problems for some
      trying to compile on Solaris without the default system tools (ie: the
      "ar" problem).

2004-02-05 Jeremy Hewlett <jh@sourcefire.com>

    * Makefile.am:
      Fixed tab vs space problem on Solaris. Thanks for the report, Chad
      Kreimendahl!

2004-02-05 Daniel Roelker <droelker@sourcefire.com>

    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps_snort.c:
      Fixed alert_once bug that was discovered by Kevin Amorin.  Thanks for
      pointing out the particulars of the problem, so we could do a quick
      fix.

2004-01-30 Daniel Roelker <droelker@sourcefire.com>

    * src/decode.h:
    * src/detection-plugins/Makefile.am:
    * src/detection-plugins/sp_flowbits.c:
    * src/detection-plugins/sp_flowbits.h:
    * src/parser.c:
    * src/plugbase.c:
    * src/preprocessors/flow/flow_cache.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/spp_flow.c:
    * src/preprocessors/spp_flow.h:
    * src/sfutil/bitop.h:
    * src/snort.c:
      Added Flowbits detection functionality.  Thanks Brian Caswell for
      initial code prototype.

    * src/sys_include.h:
    * src/ubi_BinTree.c:
    * src/ubi_BinTree.h:
    * src/ubi_SplayTree.c:
    * src/ubi_SplayTree.h:
      No more Log variables.  Die, die, die . . .

2004-01-21 Jeremy Hewlett <jh@sourcefire.com>

    * contrib/perfstats.c:
      Added utility to parse out perfmon stats

    * RELEASE.NOTES:
      Added file to keep track of release notes. ChangeLog will migrate to
      more detailed, code-oriented comments.

2004-01-20 Jeremy Hewlett <jh@sourcefire.com>

    * src/detect.c:
      Tagged Packets no longer have NULL msg name.

    * src/output-plugins/spo_csv.c:
      Minor CSV fixes from Elias Levy (Thanks Elias!)

    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
      Minor LaTeX fixes from Jen Harvey (Thanks Jen!)

2004-01-16 Jeremy Hewlett <jh@sourcefire.com>

    * src/decode.h:
    * src/preprocessors/spp_stream4.c:
      Fixed http_inspect double alerting on pkts and rebuilt streams.  (Thanks
      Andreas Ostling)

    * src/detect.c:
      Fixed double incrementing of pc.log_pkts on non-rule events.

    * src/detect.h:
       Removed duplicated SnortEvent() function.

    * src/event_wrapper.c:
      Added additional checks to GenerateSnortEvent().

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/include/hi_si.h:
    * src/preprocessors/HttpInspect/session_inspection/hi_si.c:
    * src/preprocessors/snort_httpinspect.c:
      http_inspect proxy_alert now supports normal proxy networks setups.
      http_inspect default server only valid if specified in config. (Thanks
      Brent Erickson)

    * src/snort.c:
      Error on multiple interfaces on command line.
      Corrected pcap_compile error.  (Thanks Andreas Ostling).

    * src/output-plugins/spo_csv.c:
      Added string escaping for the msg.

2004-01-13  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Added Oracle support into Win32 version.  Much appreciation
      to Adam Peterson and SPL Worldgroup Inc. for sponsoring this
      development!  This option will now be available within the
      Win32 installer thanks to their contribution.

2004-1-13 Jeremy Hewlett <jh@sourcefire.com>

    * src/detection-plugins/sp_session.c:
      Fixed vague error message with directory creation problems (Thanks
      Kenneth Ingham)

    * src/event_wrapper.c:
    * src/event_wrapper.h:
    * src/preprocessors/flow/flow.c:
    * src/preprocessors/flow/flow_cache.h:
    * src/preprocessors/flow/flow_callback.h:
    * src/preprocessors/flow/flow.h:
    * src/preprocessors/flow/flow_stat.c:
    * src/preprocessors/flow/flow_stat.h:
    * src/preprocessors/flow/portscan/flowps.c:
    * src/preprocessors/flow/portscan/flowps.h:
    * src/preprocessors/flow/portscan/flowps_snort.c:
    * src/preprocessors/flow/portscan/scoreboard.c:
    * src/preprocessors/flow/portscan/scoreboard.h:
    * src/preprocessors/flow/portscan/server_stats.c:
    * src/preprocessors/flow/portscan/server_stats.h:
    * src/preprocessors/flow/portscan/unique_tracker.c:
    * src/sfutil/util_net.c:
    * src/sfutil/util_net.h:
      Fixed compilation problems on Solaris and some versions of BSD.
      Thanks to the Snort community for your support. These fixes change the
      variable type to u_int32 to remove the need for stdint.h

    * src/output-plugins/spo_alert_unixsock.c:
      Close Socket when Snort receives SIGHUP (Based on patch submitted by
      Neetu Nangia)

    * src/output-plugins/spo_csv.c:
      Added GID, SID, and Rev to csv output (Thanks Brennen Reynolds)

    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/spp_stream4.c:
      Fixed build warnings on FreeBSD 5.0

    * src/parser.c:
      config chroot readded

    * src/parser.c:
    * src/parser.h:
      Added additional error checking for custom rules (Thanks Andreas
      Ostling)

    * src/preprocessors/flow/flow_print.c:
      Flow now honors -q (quiet)

    * src/preprocessors/HttpInspect/client/hi_client.c:
    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Fixed issue with no_alert not quieting some alerts

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Removed non_rfc_chars from default profiles

    * src/sfthreshold.c:
    * src/sfutil/sfthd.c:
    * src/sfutil/sfthd.h:
      Added suppression negation (Thanks Andreas Ostling)

    * src/sfthreshold.c:
      Fixed backwards display of IP addresses on Solaris

    * doc/FAQ:
    * doc/README.csv:
    * doc/README.http_inspect:
    * doc/README.thresholding:
    * doc/snort_manual.pdf:
    * doc/snort_manual.tex:
      Minor clarifications and additions.

2004-1-5  Daniel Roelker <droelker@sourcefire.com>

    * src/fpdetect.c:
      Fixes the signature error that user's were getting after changes
      to the AddMatch and SelectEvent routines.  Thanks Andreas Ostling,
      Ron Shuck, Jon Hart, and Chris Keladis.

2003-12-22  Daniel Roelker <droelker@sourcefire.com>

    * src/parser.c:
      Andreas Ostling parser fixes and updated error messages.

2003-12-20  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Win32 version wouldn't run as a service.  Thanks to
      Michael Steele for pointing this out.

2003-12-17  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Updated Win32 to 2.1.
    * src/output-plugins/spo_database.c:
      Better support for ODBC.  Better memory management (thanks
      Jeff Nathan).  Improved escaping of SQL strings.

2003-12-17  Daniel Roelker <droelker@sourcefire.com>

    * Snort 2.1 Release

    * src/decode.h:
      Options struct element len, changed to octet.  Thanks
      Andrew Rucker.

    * src/detection-plugins/sp_pattern_match.c:
      Infinite looping patch during specific recursion processing.
      Thanks Lawrence Reed.

    * src/detection-plugins/sp_pcre.c:
      Fixed pcre URI matching.  Thanks Jeremy Hewlett.

    * sp_respond.c:
      Fixes to help respond actions to correlate more closely to
      RFCs and now doesn't allow users to shoot themselves in
      the foot.

    * src/preprocessors/HttpInspect/normalization/hi_norm.c:
      Only log DOUBLE DECODE alerts if it's in the URL and not
      the parameter section.

    * src/preprocessors/spp_stream4.c:
      Sync stream4 up with the various versions of it.  Fix
      problem of out-of-order ACKS that was recognized by
      Andrew Rucker.  Also fixed off-by-one bug on reassembled
      streams that was introduced by previous stream4 patch.

    * src/sfutil/mwm.c:
    * src/sfutil/mwm.h:
      Fixed memory access bug in mwm content matching that multiple
      users were able to reproduce.

    * src/tag.c:
      Pkt tagging configuration now works correctly.  Thanks Jeremy
      Hewlett for pointing this out.

2003-12-08  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Updated Snort 2.1 Win32 installer
    * Updated spo_database.c to escape sensor name strings.
      This had been causing a problem under Windows with MySQL
      because of WinPcap sensor names having embedded backslashes.

2003-12-03  Chris Reid  <chris.reid@codecraftconsultants.com>

    * Updated Snort 2.1 beta to support Win32

2003-11-18  Daniel Roelker <droelker@sourcefire.com>

    * src/detection-plugins/sp_ip_proto.c:
      Re-added ip_proto structure to ds_list so that the high-speed
      detection engine once again optimizes on ip_proto rules.

2003-11-14  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/flow/portscan/flowps_snort.c:

      * when using pktkludge output format, make destination address
           the last one seen.

2003-11-07  Daniel Roelker <droelker@sourcefire.com>

    * src/preprocessors/HttpInspect/user_interface/hi_ui_config.c:
      Added some additional config options to server profiles all and iis.

    * src/preprocessors/HttpInspect/client/hi_client.c:
      Return invalid URI for configs that don't allow a tab as a URI
      delimiter instead of processing.  This helps reduce false positives
      for servers that won't accept tabs as valid.

    * autojunk.sh:
      Added --add-missing to automake so the flow dependencies get installed.

    * src/detection-plugins/sp_dsize_check.c:
      Validate dsize argument so that it is a decimal number and a
      positive integer.

2003-11-07  Martin Roesch <roesch@sourcefire.com>

    * src/sfthreshold.c (print_thresholding):
      Cleaned up linewrapped separators, cosmetic cleanup for 80-col
      terminals

2003-11-06  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c (CheckANDPatternMatch):
       Fixed a bug in sp_pattern_match that was introduced with the
      recursive processing in 2.0.3 that resulted in a core dump due
      to an OOB read

2003-11-04  Chris Green  <cmg@sourcefire.com>

    * src/log.c (PrintIPHeader): print frag size as the size of the
    datagram - header

2003-11-04  Marc Norton <mnorton@sourcefire.com>

    * src/snort.c (SnortMain): display thresholding information at
    start up

2003-10-30  Chris Green  <cmg@sourcefire.com>

    * src/log.c (PrintIPHeader):
    make fragsize print out the size of the payload rather than the
    size of the header

2003-10-28  Marc Norton <mnorton@sourcefire.com>
    * src/sfutil/mwm.c:
      fixed bug with search-method mwm resulting in retesting removing
      an active rule on occasion (Thanks to Raul Siles &  David Perez
          for a reproducible test case!)

2003-10-28  Chris Green  <cmg@sourcefire.com>

    * src/util.c (read_infile): make snort FatalErrror on bpf filter
              problems (reported by Fran Loehmann)

2003-10-27  Chris Green  <cmg@sourcefire.com>


    * src/preprocessors/spp_flow.c
    (DEFAULT_MEMCAP):
      make default memcaps much smaller
    (FlowInit):
      display correct memcap

2003-10-20  Chris Green  <cmg@sourcefire.com>

    * configure.in:
      - removed smb alerting since it should be moved to barnyard

    Major 2.1 Features
     - Suppression/Thresholding by
     - HttpInspect replaces http_decode by Dan
     - Flow ( replaces spp_conversation )
     - Flow-Portscan
     - PCRE (www.pcre.org) is now required to build
     - pcre keyword for regular expressions incorporated
         - isdataat keyword to help with rule writing

     See the doc/ subdirectory for more details

2003-10-02  Chris Green  <cmg@sourcefire.com>

    * src/parser.c (RuleType): func == NULL bug fix for Bart Haagdorens

    * Incorporated Steve Grubb's HUP fix for -u users that aren't
          doing Chroot.

2003-09-22  Chris Green  <cmg@sourcefire.com>

    * back from honeymoon

    * src/preprocessors/spp_stream4.c (BuildPacket):
      fixed DEBUG compilation/zero_flushed_buffers option

2003-09-10  Chris Green  <cmg@sourcefire.com>

    * Snort 2.0.2

    * added flush_data_diff_size and zero_flushed_buffers for
        stream4_reassemble

    * added threhsolding (see doc/README.thresholding) from
         Sourcefire/Marc Norton

2003-09-02  Chris Reid  <chris.reid@codecraftconsultants.com>

        * Updated Win32 code to properly support logging to
          the Windows Event Log without including the Microsoft-
          generated warning, as was previously observed.

2003-08-06  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeTCP):
      fixed TCP_LARGE_OFFSET with patch from Bob Perkins

2003-07-28  Chris Reid  <chris.reid@codecraftconsultants.com>

        * Updated sp_pattern_match.c and win32_service.c to play nice with
          Visual Studio .NET (thanks for feedback from Louis Jagoe).

2003-07-25  Chris Green  <cmg@sourcefire.com>

    * Makefile.am (dist-hook):
      - add signatures kludges to fix up official tarballs
      - fixed verstuff.pl to interpolate variables

    * spp_arpspoof patches from Jeff Nathan

      - Replaced unchecked malloc() calls with SnortAlloc
          - Changed the parameter name ipmel to ip_mac_entry_list in functions
            operating on this list for clarity
          - Re-ordered sanity tests in the preprocessor function to prevent a null
            pointer dereference and to identify early exit conditions
          - Minor optimization to the overwrite detection code: if the overwrite list
            hasn't been initialized return when entering the overwrite condition tests
      - Use FreeToks instead of for() and free() for mSplit tokens.
          - Implemented a CleanExit function suitable for CleanExit and Restart.
          - Added CallLogFuncs calls to accompany all CallAlertFuncs calls (previously
            CallLogFuncs was not used at all).

    * src/decode.c (DecodeVlan):
       - compile with --enable-debug

2003-07-22  Chris Green  <cmg@sourcefire.com>

    * Shortly after release:
     - added verstuff.pl
     - added dist-hook to run verstuff.pl to make the published
          tarballs up to date on snort version

    * Snort 2.0.1 Released

2003-07-18  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeUDP):
    - fixed UDP checksums to not incorrectly calculate with a header
    in host byte order
     Thanks to Marc Norton & Jeremy Hewlett for helping

    * src/detect.c (Preprocess):
     - completely ignore invalid IP checksums throughout snort if we
           are checking them.

2003-07-09  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeIEEE80211Pkt):
         - fixed vlan decoding on lots of advice + patch from Michael
     J. Pomraning over at SecurePipe.  Thanks!

2003-07-03  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeIP):
      - removed redundant flag setting operation

2003-07-01  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/http-resp.c (IsHttpServerData):
     - ensure TCP state on discarded traffic

    * src/preprocessors/spp_stream4.c (GetDirection):
     - switch to using IP addresses

    * src/preprocessors/spp_frag2.c (Frag2Defrag):
     - ignore packets with bad checksums

2003-06-09  Marc Norton  <marc.norton@sourcefire.com>

    * src/fpdetect.c:
      fixed pass not always superceding Alert when rule order was
      Pass-Alert-Log

    * src/fpcreate.c:
      This fixes an initialization problem with the iBirDirection flag.

2003-06-04  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_bo.c:
      log packet data

2003-05-30  Chris Green  <cmg@sourcefire.com>

    * src/snort.c: removed obsolete global flow variable

2003-05-28  Chris Reid  <chris.reid@codecraftconsultants.com>

        * Win32 patches from Fulvio Risso (of WinPcap) so -i parameter
          can support both "-i 1" format, and also support named interfaces
          like "-i \Device\Packet_{12345678-90AB-CDEF-1234567890AB}".
          Fulvio also provided a more streamlined Win32 print_interface().

2003-05-27  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_alert_sf_socket.c:
      - made compile w/ debug

    * src/detection-plugins/sp_session.c (OpenSessionFile):
      refactored to do fatal error inside the lower level function
      where filename is defined.  Bug Reported by Jon Werrett.

2003-05-27  Andrew R. Baker <andrewb@sourcefire.com>

    * Changed evalIndex to give precendence to help work around
        problems with rule ordering when not using -o

2003-05-14  Andrew R. Baker <andrewb@sourcefire.com>

* src/Makefile.in:
    * src/plugbase.h:
    * src/spo_plugbase.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_smb.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_alert_unixsock.c:
    * src/output-plugins/spo_csv.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_null.c:
    * src/output-plugins/spo_log_tcpdump.c:
    * src/output-plugins/spo_unified.c:
          Relocated Output Plugin API definitions to spo_plugbase.h

    * src/detect.c:
    * src/rules.h:
          added support for per OptTreeNode output functions

    * src/plugbase.c:
    * src/output-plugins/Makefile.in:
    * src/output-plugins/spo_alert_sf_socket.c:
    * src/output-plugins/spo_alert_sf_socket.h:
          Sourcefire UNIX datagram socket output plugin


2003-05-16  Chris Green  <cmg@sourcefire.com>

    * patches from jeff nathan
     - config.h before HAVE's in strc*
     - add OSX kludged support for /sw/include to libnet defaults
    * added doc/signatures to Makefile.am

2003-05-13  Chris Reid  <chris.reid@codecraftconsultants.com>

        * Added sanity check in CleanExit() to prevent double-freeing
          of memory during recursive call to CleanExit(). (Mark Scott)

2003-05-13  Chris Green  <cmg@sourcefire.com>

    * patches from Jeff Nathan
      - calloc checks in detection-plugins
      - old version of autoheader doesn't like arguments to

    * add timersub.h to Makefile.am

    * src/detection-plugins/sp_byte_check.c (ByteTest):
      - FatalError if hex/oct are used w/o specifying the string parameter

    * src/detection-plugins/sp_byte_jump.c (ByteTest):
      - FatalError if hex/oct are used w/o specifying the string parameter

    * src/preprocessors/spp_frag2.c (RebuildFrag):
     fix integer wrap around on large packets resulting in invalid IP
     dgrm lengths with large packets for frag2. Thanks to Jason Royes for
     pointing it out.

      will truncate large packets so that the total resulting frame is
     less than 65535 unless you define DONT_TRUNCATE in config.h

     This is unfortunately required for compatiblity for other pcap
     applications.

    * src/decode.c (DecodeTCP):
         move port number assignment above option decoding so people don't
     complain about decoder events on port 0.

2003-05-02  Chris Reid  <chris.reid@codecraftconsultants.com>

        * updated Win32 LibnetNT.dll (tested by Rich Adamson)

2003-04-28  Chris Green  <cmg@sourcefire.com>

    * updated create_postgresql (Frank Knobbe)
    * solaris forte C compiler patches from Taso Devetzis)

2003-04-25  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_tcp_win_check.c (SetupTcpWinCheck):
     - removed initialization message in debug

2003-04-24  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeTCPOptions):
     - only alert on T/TCP if there is a CCECHO

    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:
    * src/byte_extract.c:
    * src/byte_extract.h:
      - move the common extraction code to a single place
      - fix 2 byte extraction code on little endian architectures
        (Thanks to Jason Miller)

    * src/bounds.h (inBounds):
      - remove #include <snort.h>

2003-04-21  Chris Green  <cmg@sourcefire.com>

    * src/mwm.c (mwmPrepHashedPatternGroups):
     - upon a fatal error, yell about
       config detection: search-method lowmem

2003-04-16  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c (ParsePattern):
    - u_int -> int for size check
    - (slightly) more readable string handling code

    * src/timersub.h:
      import timersub macro from glibc and upcased it

    * src/snort.c (InterfaceThread):
      - Use TIMERSUB

    * src/detect.c (AlertAction):
      AlertFlushStream takes one argument now

    * src/parser.c (ParseConfig):
     disable_tcpopt_ttcp_alerts parsing --
    Thanks for pointing it out Jeff Dell

    * src/preprocessors/spp_stream4.c:
     - removed unused argument to DeleteSpd
    (AlertFlushStream):
    - get the ssnptr variable from the packet structure
    - unified logic for server and client side
    - removed memthresholding because of large delays

    * src/decode.h
    (_Stream):
        - get rid of dataPtr ( it's always the same thing as &s->data )
    - add bytes_tracked variable for more memory protection

     * src/preprocessors/spp_stream4.c:
    - macroize sequence number type checks
         (StoreStreamPkt):
    - watch for how many packets we accept

2003-04-14  Chris Green  <cmg@sourcefire.com>

    * Snort 2.0.0 Released

2003-04-09  Chris Green  <cmg@sourcefire.com>

    * src/log.c,spo_database.c
    (PrintTcpOptions):
    (PrintIpOptions):
     - correctly print out

    * src/log.c,spo_database.c
    (PrintTcpOptions):
    (PrintIpOptions):
     - correctly print out

    * src/decode.c:
     Last bastions of ErrorMessage @ decode in non-verbose mode

2003-04-09  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_byte_jump.c:
     - another argument parsing bug ( Thanks Judy )

2003-04-07  Chris Green  <cmg@sourcefire.com>

    * src/decode.c:
     Change all classifications to DECODE_CLASS


    * src/detection-plugins/sp_byte_check.c (ByteJump/ByteCheck) - do
    not SetUseDoe() for these functions. Doe is set automatically and
    use_doe is only needed to be set by people wishing to make the
    previous pattern match relative.

    Build 69

    * src/decode.h
      - handle more FIN conditions

    * src/preprocessors/spp_stream4.c (ReassembleStream4):
      - adjusted established check

    * src/preprocessors/spp_stream4.c (NotForStream4):
      - refactoring

2003-04-04  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_byte_jump.c (ByteJump):
    - make offsets work for byte_test and byte_jump
     (Thanks Judy and Dan)

2003-04-03  Chris Green  <cmg@sourcefire.com>
        2.0.0rc3

    * etc/snort.conf:
      config detection: search-method lowmem

      Incorporates a lower memory pattern matcher from Marc Norton for
      people running into not being able to update to 2.0 due to
      memory issues.

    * src/snort.c (SnortMain):
     - move InitOutputPlugins down ( 1.9 forward fix from Nick )

2003-04-01  Chris Green  <cmg@sourcefire.com>

    Build 67

    * src/output-plugins/spo_alert_unixsock.c:
     - moved unix socket format to .h
     - moved default socket location to the logdir
       ( patches from Nick Zitzmann <dreamless@attbi.com>)


    2.0.0 RC2

2003-03-31  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (CreateNewSession):
     - don't act like a happy wallaby if the IP transport doesn't support
       ECN but the reserved flags make it through crystal clear

    * src/preprocessors/spp_frag2.c (_FragTracker):
      only do 1 fragment tracker alert for things like teardrop

    * src/preprocessors/spp_stream4.c:
     - DisableDetect() instead of do_detect()
     - flush on write ssn stats (andrewb fix)

    * src/decode.c (DecodeUDP):
     - correctly decode UDP packets (andrewb fix)


2003-03-27  Chris Reid  <chris.reid@codecraftconsultants.com>
    * src/tag.c
      #ifdef should have been #ifndef

    * src/acsmx.h
      Have WIN32 use definition of "inline" from config.h
      instead of a locally defined one

    * src/output-plugins/spo_alert_syslog.c
    * etc/snort.conf
      Changed Win32 default host to "127.0.0.1"
      (thanks to Rich Adamson)

    * src/win32/WIN32-Prj/snort_installer.nsi
      Added further installation instructions to help cut
      down on the number of 'newbie' questions.

2003-03-28  Chris Green  <cmg@sourcefire.com>

    * src/parser.c (ParseConfig):
     - make disable ipopt work (Thanks Tim Slighter)

    * src/tag.c
    (PrintTagNode):
    new f()
          - added static cling
    (ParseTag): fixed parser
    (AddTagNode):
     - fixed src/dst tagging
     - unified both tag cache logics

    * src/debug.h:
    * src/debug.c:
      added DebugThis()

    * etc/snort.conf
      make the config options do what they say

    * src/output-plugins/spo_alert_syslog.c (ParseSyslogArgs):
     - only warn if we are parsing snort.conf ( -s )

    * src/tag.h (SetTags):
     - damn #if 0

    * configure.in:
      - remove snmp/ssl

2003-03-27  Chris Reid  <chris.reid@codecraftconsultants.com>

    Build 63

    * src/snort.c
    * src/output-plugins/spo_alert_syslog.c
      Win32 '-s' now takes no arguments.  Host/port info is
      configured only within snort.conf (output alert_syslog).

2003-03-27  Chris Green  <cmg@sourcefire.com>

    * configure.in:
      - changed to make DEBUG do -O0 and -g with gcc
        (-ggdb makes gdb confused. go fig.)

    * src/snort.c (ParseCmdLine):
      -s means syslog() not -s args on win32

    * src/output-plugins/spo_alert_syslog.c (ParseSyslogArgs):
      - SnortAlloc
      - allow -s to work again 

2003-03-26  Chris Green  <cmg@sourcefire.com>

    * src/decode.c (DecodeTCP):
      - bad format args (thanks Tim!)

    RC1

    * Incorporated Patches from Jeff Nathan
      - libnet configure should work again
      - randomize flexible response ttls
      - add stop descriptor leaking

    * src/decode.c (DecodeIPOptions):
      truncation alerts for IP options too!
      (InitDecoderFlags):
       added decoder flags function

    * src/log.c (Print(I|Tc)cpOptions):
     - print out everything that I can

2003-03-25  Chris Green  <cmg@sourcefire.com>

    * src/signature.c (ReferenceSystemAdd):
     - fixed the dang linked list

    * rules/Makefile.in (EXTRA_DIST):
      added pop2.rules

    * src/decode.h (_Stream):
     - removed current_seq to save memory

    * src/preprocessors/spp_stream4.c
     - added isBetween inline function 
    (UpdateState):
     - incorrect ACTION_ACK_CLIENT_DATA
     (StoreStreamPkt):
     - comment clarification

    * src/bounds.h:
      - added new file
      - moved standard bounds checking functions to this file 

    * src/detection-plugins/sp_react.c (ParseReact):
     - give react a half a chance of working
     (SendTCP):
     - see above

    * src/detection-plugins/sp_clientserver.c (ParseFlowArgs):
     - fatal error on unknown option

    * src/output-plugins/spo_database.c
     (UpdateLastCid):
      - added missing free()
     (Database):
      - correctly write out the class_id junk

    * src/output-plugins/spo_alert_smb.c 
    (AlertSmb):
     - print out the ports like was intended

    * src/preprocessors/spp_portscan2.c (SLog):
      - use fprintf for what it was designed for

    * src/preprocessors/spp_portscan.c (LogScanInfoToSeparateFile):
      - use fprintf for what it was designed for

    * src/log.c
    (PrintArpHeader):
     - wireless arp printing fix
    (PrintTcpOptions):
     - strncpy -> memcpy
    (PrintEapolKey):
     - aligned printf

    * src/decode.c (DecodeTRPkt):
     - more truncation style alerts

2003-03-24  mfr <roesch@sourcefire.com>
    * src/preprocessors/spp_stream4.c:
         - changed PruneSessionCache() to only do timeout flushes if
           we're over 50% of the memcap (should help performance)

        * src/log.c:
         - fixed broken Frag Size calculation in IP header printout routine

2003-03-21  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_session.c:
     - fixed memory leak on filename creation

    * src/preprocessors/spp_stream4.c (Stream4InitReassembler):
     - make serveronly work

    * src/preprocessors/spp_telnet_negotiation.c (NormalizeTelnet):
     - check the byte, then increment

    * src/detection-plugins/sp_byte_check.c (ByteTestParse):
      more input validation for byte_check/byte_jump

    * src/log.c (PrintWifiHeader):
      - watch out for NULL bssid's

    * src/tag.c
      (TagHost):
      - removed redundant check
      (AddTagNode):
      - accumulate the tag seconds rather than the idx->seconds

    * src/detection-plugins/sp_pattern_match.c (PayloadSearchRegex):
         - actually die on a regex option
       ( might actually get it developed later )

    * src/decode.c
     (DecodeIEEE80211Pkt):
      - more truncated packet alerts
     (DecodePPPoEPkt):
      - alert on truncated pppoe pkts
      - separate decoder for encapsulated PPP
     (DecodeVlan):
      - alert on truncated Vlan headers
         (DecodeUDP):
      - use the UDP header length field
        instead of capture length

    * src/detection-plugins/sp_byte_jump.c:
        src/detection-plugins/sp_byte_check.c:
      - protect against negative offsets
        ( don't rely on negative offsets working in the long term )
      - don't continue when we can't parse string numbers

    * src/detection-plugins/sp_respond.c (Respond):
       - missing iph check

    * src/detection-plugins/sp_ip_proto.c (IpProtoDetectorFunction):
      - missing iph check

    * sspp_asn1, fnord, spo_xml, spo_SnmpTrap
      - removed ( will be available later as a contrib )

    * src/preprocessors/spp_http_decode.c:
         - switch to using chars for lookup tables
         - removed extraneous sprintfing
     - removed old TBD feature code

2003-03-17  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (FPUTS_WIN32):
      - changed to blank space rather than NULL

    Build 60

     New Options added to snort.conf
         config: disable_tcpopt_experimental_alerts
         config: disable_tcpopt_obsolete_alerts
         config: disable_ttcp_alerts
         config: disable_tcpopt_alerts

    * src/preprocessors/spp_stream4.c
    (ReassembleStream4):
      - DisableDetect only if the emergency_status is NULL.
    (CreateNewSession):
      - fixed return logic with detect scans

    * etc/gen-msg.map: WARNINGS: -> snort_decoder:
      - new tcpopt events

    * src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
      - change to use DisableDetect() instead of do_detect = 0;
        (disables futher preprocessors)
        (RPC_CLASS): Use the same classification as the other decoder alerts

    * src/snort.h (_progvars):
     - added DecoderFlags structure for enabling/disabling decoder alerts

    * src/snort.h (_progvars):
          - added tcpopt_alert_flag

    * src/decode.c (DecodeTCP):
      - print out warnings on bad header lengths in verbose mode
      (DecodeTCPOptions):
      - nearly complete rewrite to identify whizbang things like
        bubba and skeeter options!

2003-03-14  Chris Reid  <chris.reid@codecraftconsultants.com>
        Build 59 (really this time)

        * src/detect.c
          - corrected un-initialized memory in CreateRuleType()

        * src/snort.c
          - rationalize Unix vs. Win32 command-line options
          - add optarg for Win32 syslog '-s' parameter
          - bugfix for Win32 syslog initialization
          - thanks to Rich Adamson and L. Christopher Luther for helping
            with the syslog fixes

        * src/util.c
          - provide Win32 fix for SetChroot()

        * many files
          - added missing CVS ID tags
          - added missing copyrights

2003-03-13  Chris Green  <cmg@sourcefire.com>
    Build 59

    * src/preprocessors/spp_stream4.c(TcpActionAsync):
     - update server side seq numbers on Async State machine

    * src/preprocessors/spp_stream4.c
    (BuildPacket):
     - Use Constants for IP Lens
     - Move SPARC_TWIDDLE to only initialization

    * src/preprocessors/spp_frag2.c
      - removed killme variable from InsertFrag
        - untabified
     (RebuildFrag):
       - converted to creating fake packets the same way as stream4

2003-03-10  Chris Green  <cmg@sourcefire.com>

    Build 58

    * src/util.c:
      - new functions SetChroot, CurrentWorkingDir,
             SigChrootHupHandler, GetAbsolutePath
      - Chroot + HUP == "tough luck for now

    * src/snort.c (SnortMain):
      - Chroot after parsing the rules file
      - use fully qualified pathname for logdir in chroot case

    * src/output-plugins/spo_unified.c (UnifiedInitAlertFile):
      - removed a printf

2003-03-05  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_byte_check.c (ByteTest):
       - never touch doe_ptr on a successful match
       - inBounds check off by one when seeing if enough to read
    * src/detection-plugins/sp_byte_jump.c (ByteJump):
       - inBounds check off by one when seeing if enough to read
    * src/detection-plugins/sp_pattern_match.c (uniSearchReal):
       - inBounds check off by one when seeing if enough to read

2003-03-04  Chris Green  <cmg@sourcefire.com>

    * src/util.h (inBounds):
      end is always dsize + len so it should be p < end

    * src/preprocessors/spp_stream4.c (UpdateState):
      - added return ACTION_ACK_CLIENT_DATA

    * src/detection-plugins/sp_pattern_match.h (_PatternMatchData):
      - changed check_distance to use_doe ( check_distance was not used )

    * src/detection-plugins/sp_pattern_match.c
    (uniSearchReal):
          - new function to unify uniSearchCI & uniSearch
         - all "work" related to distance, within, depth, and offset done
           in one place now

    (CheckANDPatternMatch):
      - condensed this down to be a very small wrapper around uniSearch
       ( now !content will alert with offset on small packets)
    (CheckUriPatternMatch):
      - condensed this down to be a very small wrapper around uniSearch

    * src/detection-plugins/sp_byte_check.c:
    * src/detection-plugins/sp_byte_jump.c:

     - inBounds function
     - doe_ptr
     - SetUseDoe
     - TEXTLEN constant

    * src/generators.h (RPC_MULTIPLE_RECORD_STR):
          fixed cut and pasto

    * src/util.h (inBounds):
      added new inBounds function to check a ptr position against a
      known start and end location

    * src/mstring.c (mSearch):
      subsequent offsets adjusted correctly (Marty)

    * src/preprocessors/spp_rpc_decode.c
      - redefine MSB
      - write fraghdr back into pkt
      - removed extraneous printf

    * src/preprocessors/spp_rpc_decode.c:
       - readded config.h and strings.h (Thanks Chad)

    * src/preprocessors/spp_stream4.c
      - suspend renabling mode fixes

2003-03-03  Chris Green  <cmg@sourcefire.com>
    * src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
       - alignment errors on non-x86 platforms
       - added new space delimited options
             alert_fragments
             no_alert_multiple_requests
             no_alert_large_fragments
             no_alert_incomplete
       - corrected buffer overflow in fragment normalization

2003-02-28  Daniel Roelker <droelker@sourcefire.com>
    * src/bitop.h:
    * src/fpcreate.c:
    * src/fpdetect.c:
        - Fixed a problem when snort runs with only uricontent matches
          and no contents.  In this case an element in the bitop structure
          never got initialized, so it's not good to reference that.
          Problem was caught by Chris Green doing some unit testing.

2003-02-27  Chris Reid  <chris.reid@codecraftconsultants.com>
    * src/win32/WIN32-Prj/snort.dsp
    * src/win32/WIN32-Prj/snort.mak
    * src/win32/WIN32-Prj/snort.dep
       - Removed an unnecessary file from the project (name.mc)
    * src/win32/WIN32-Prj/build_releases.bat
       - Script to easily compile all configurations of snort.
    * src/win32/WIN32-Prj/snort_installer.nsi
    * src/win32/WIN32-Prj/snort_installer_options.ini
       - Scripts to build a Win32 installation program for snort.
         Thanks to Chris Green for suggesting we use NSIS!

2003-02-19  Chris Reid  <chris.reid@codecraftconsultants.com>
    * src/snort.c
       - Win32 '-s' parameter wasn't configured to accept an optarg,
         but code expected one, causing null-pointer violation.

2003-02-16  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
       * remove broken checks.

    * src/preprocessors/spp_telnet_negotiation.c (NormalizeTelnet):
       * remove broken checks.

2003-02-15  bmc <bmc@snort.org>
    * src/preprocessors/spp_asn1.c
       - don't bother decodeing the packet if its 0 bytes
    * src/preprocessors/spp_fnord.c
       - don't bother decodeing the packet if its 0 bytes
       - set DEBUG to DEBUG_PLUGIN instead of DEBUG_STREAM
    * src/preprocessors/spp_http_decode.c
       - don't bother decodeing the packet if its 0 bytes
       - if stream4 is enabled, only decode if if is client data
         on an established session
         (This makes using internal_alerts useful)
    * src/preprocessors/spp_rpc_decode.c
       - don't bother decodeing the packet if its 0 bytes
       - if stream4 is enabled, only decode if if is client data
         on an established session
    * src/preprocessors/spp_telnet_negotiation.c
       - don't bother decodeing the packet if its 0 bytes
       - if stream4 is enabled, only decode if if is client data
         on an established session

2003-02-15  bmc <bmc@snort.org>
    * src/detection-plugins/sp_byte_jump.c
       actually verify that it needs aligning before aligning. 
       (more than 0 doesn't need aligned)

2003-02-15  bmc <bmc@snort.org>
    * src/detection-plugins/sp_byte_jump.c
       0 is already aligned to a 32-bit boundry...

2003-02-14  bmc <bmc@snort.org>
    * src/mstring.c
       Fix so --enable-debug actually compiles

2003-02-14  mfr <roesch@sourcefire.com>
    * src/parser.c
        Fixed XferHeader() function to copy the not_*p_flag to the RTNs...

    * src/detection-plugins/sp_ip_proto.c 
        ip_proto options can now be stacked

2003-02-14  mfr <roesch@sourcefire.com>
    * src/fpdetect.c
      src/mstring.c
      src/detection-plugins/sp_byte_check.c
      src/detection-plugins/sp_byte_jump.c
      src/detection-plugins/sp_pattern_match.c
        Fixed distance/within/byte_test/byte_jump relative (stateful)
        pattern matching and the like.  Complete reimplementation of
        payload position tracking.  Tested with several different attack
        scenarios with 100% detection rate, please test!

2003-02-04  Chris Reid  <chris.reid@codecraftconsultants.com>

    * src/snort.c
        Added sanity checks on command-line parameters, for whenever a user
        forgets to put spaces between (ie.) /SERVICE/INSTALL.  This only
        applies to /SERVICE parameter for Win32.

    * src/util.c
      - Updated Win32 banner for version 2.0
      - Modified FatalError to generate a Win32 EventLog entry
        if this is a Win32 Service build, otherwise no errors
        are ever presented to the user.

    * src/mwm.c
      - Added an include of config.h, for Windows build.
      - Changed variable names "small" and "large" into "small_value"
        and "large_value" to prevent compile errors under Visual C++.

    * src/mpse.c
    * src/pcrm.c
      - Added an include of config.h, for Windows build.

    * src/parser/IpAddrSet.c
    * src/preprocessors/perf-flow.c
      - Added ifndef/endif around non-Win32 header files.

    * src/preprocessors/perf-base.c
      - Added changes to allow it to compile under Win32.

    * src/preprocessors/perf.h
      - Prevent definition of UINT64 under Win32.

    * src/preprocessors/spp_asn1.c
    * src/preprocessors/spp_bo.c
    * src/preprocessors/spp_fnord.c
      - Added documentation.

    * src/win32/WIN32-Includes/config.h
      - Added definition for UINT64 and uint64
      - Changed VERSION to '2.0.0beta'

    * src/win32/WIN32-Code/win32_service.c
      - Changed how Win32 registry is opened for reading (was KEY_ALL_ACCESS,
        now is KEY_READ).  Problem (and patch) was reported by Michael Miller.

    * src/win32/WIN32-Prj/snort.dsp
      - Removed all references to SFStats compile options, since these stats
        provide little useful information under Win32 due to API differences
        between Win32 and Unix, specifically the lack of a native getrusage().

    * src/win32/WIN32-Prj/snort.ncb
      src/win32/WIN32-Prj/snort.opt
      src/win32/WIN32-Prj/snort.plg
      - Truncated the contents of these files.

2003-01-26  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
     (AlertFlushStream):
         - Fixed problem where an alert on a stream
        would update sequence numbers incorrenctly
      - moved StoreStreamPkt up to avoid crash

       Thanks to Lawrence Reed for pointing out problems and almost
       perfect solutions

    * src/detection-plugins/sp_clientserver.c (CheckForReassembled):
       missing return in opt node check
       affects only flow: only_stream

2002-1-17  Daniel Roelker <droelker@sourcefire.com>
    * src/preprocessors/spp_perfmonitor.c:
        Added 'snortfile' parameter to perfmonitor so users can use the
        default snort directory to log performance statistics.  Suggested
        by L. Reed.

    * src/preprocessors/spp_stream4.c:
        Fixed performance statistic counter for total stream4 sessions.  When
        a new session is created, we make sure that it was created before
        incrementing the counter.  Fixed by L. Reed.

2003-01-07  mfr <roesch@sourcefire.com>
    * configure.in
        Added patch from Jeff Nathan to fix libnet detection

2003-01-05  mfr <roesch@sourcefire.com>
    * src/util.h
        Added self preservation control struct for the new SPAlloc function.

    * src/util.c
        Added self preservation-aware memory allocator, this allows coders
        to add new subsystems requiring self preservation techniques using
        a single allocation interface and management mechanism.

    * src/detection-plugins
        Changed the URI and AND checking modules to use the context pointer
        on the fp_list struct instead of the ds_list.  This will cause
        all content/uricontent checks to be checked in the sequence that
        they appear in a rule so that all the distance/within and
        relative byte_test/byte_jump stuff will work properly.  Merry Xmas
        cazz!

    * src/preprocessors/spp_frag2.c
        Changed frag2 to use the new SPAlloc mechanism as a testing
        platform.  If this works right I'll convert all the other stuff
        over to it as well.

2002-12-19  Andrew R. Baker <andrewb@sourcefire.com>

    * src/detect.c:
    * src/fpdetect.c:
    * src/fpdetect.h:
    * src/parser.h:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
        Fix custom rule types and arbitrary rule ordering that were broken
        with the new detection engine.

2002-12-13  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c (Frag2Defrag):
       - added "state_protection" config mechanism to enable/disable
         the thresholding operations

    * src/preprocessors/spp_stream4.c:
       - mark sessions that have been picked up midstream
           - protect against people setting up snort behind a tap without
         setting asynchronous link
       - added "state_protection" config mechanism to enable/disable
         the thresholding operations

    * src/decode.h (SSNFLAG_MIDSTREAM): added a midstream pickup flag

2002-12-12  Daniel J. Roelker <droelker@sourcefire.com>

    * src/fpcreate.c:
    * src/fpdetect.c:
        Fixed bi-directional rule functionality when unique port was the
        destination port in a bi-directional rule.  Reported by Brian
        Caswell.

2002-11-26  Andrew R. Baker <andrewb@sourcefire.com>
    * src/parser.c:
        fixed argument handling bugs for snaplen and read_bin_file config
        directives in snort.conf

    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/util.h:
        Modifications to signal handling and CleanExit/Restart

2002-11-26  Daniel Roelker <droelker@sourcefire.com>

    * src/checksum.h: 
        Problem with ICMP checksum.  Routine did not return the compliment
        of the checksum.  Thanks to Del Armstrong for point this out.

    * src/decode.c:
        Also, UDP checksums are only done if the checksum is 0.  Otherwise,
        we don't do them, even if the config is set for that.  Again,
        thanks to Del Armstrong for pointing this out.

2002-11-26  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_database.c (BeginTransaction):
     * removing BEGIN for oracle ( Chad Kreimendahl )

2002-11-25  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
    (TcpActionAsync):
    (TcpAction):
       -- removed extra decrements for last_ack
       was causing a high false alarm rate for new \r\n rules.

            Thanks to Jens Krabbenhoeft for helping on this one

           -- disable nmap scans from alerting when we don't use detect_scans.

        Thanks to Chad Kreimendahl for this one


2002-11-24  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
       - fix argument parsing for emergency modes

    * src/preprocessors/spp_frag2.c (ParseFrag2Args):
            - fix argument parsing for emergency modes

2002-11-19  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
      fixed a bug where we would shift to suspend mode if
      stream4_reassemble wasn't enabled

2002-11-18  Chris Green  <cmg@sourcefire.com>

        Merging in mfr/cmg mitigations for extreme bogus session loads

    * src/preprocessors/spp_stream4.c:
        self_preservation_threshold: <bare new sessions/second>
            self_preservation_period: <duration of SP mode>
            suspend_threshold: <bare new sessions/second>
            suspend_period: <duration of suspended operations>
            emergency_ports: <port list>  <-- port list that will be reassembled
    * src/preprocessors/spp_frag2.c:
        self_preservation_threshold: <bare new sessions/second>
            self_preservation_period: <duration of SP mode>
            suspend_threshold: <bare new sessions/second>
            suspend_period: <duration of suspended operations>

               added Emergency / Suspend mode

    * src/generators.h: added Emergency / Suspend alerts to

       stream4/frag2 - in the future, these should not generate packet
       log alerts but they are required to for the current view of the
       world

    * src/detect.h (DisableDetect): added function


2002-11-16  Chris Green  <cmg@sourcefire.com>

    * src/snort.h:
      - added a define SNORT_20 so that code will be easier to merge around

2002-11-13  Andrew R. Baker <andrewb@sourcefire.com>
    * src/log.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/util.c:
    * src/output-plugins/spo_log_ascii.c:
    * src/output-plugins/spo_log_tcdump.c:
    * src/output-plugins/spo_unified.c:
    * src/output-plugins/spo_xml.c:
    * src/preprocessors/spp_portscan.c:
    * src/preprocessors/spp_stream4.c:
        Changes to cleanup the chroot process

2002-11-12  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_log_ascii.c:
        fixed output file issues for ascii logging

2002-11-11  Andrew R. Baker <andrewb@sourcefire.com>
    * src/log.h:
    * src/parser.c:
    * src/plugbase.c:
    * src/snort.c:
    * src/snort.h:
        Cleanup command line alert and log configuration

    * src/decode.c:
    * src/snort.c:
    * src/snort.h:
        updated run mode determination and representation
        relocated log_dir sanity check
        relocated test_mode_flag check to outside InterfaceThread
        moved global variable declarations into snort.c from snort.h

    * src/snort.c:
        replaced ReadConfFile with ConfigFileSearch.  The configuration file
        is now only read in once place.

    * src/log.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * src/output-plugins/spo_alert_fast.c:
    * src/output-plugins/spo_alert_full.c:
    * src/output-plugins/spo_alert_syslog.c:
    * src/output-plugins/spo_database.c:
    * src/output-plugins/spo_unified.c:
    * src/preprocessors/perf-base.c:
    * src/preprocessors/spp_portscan.c:
        removed more vestiges of the multiple interface pthread support

2002-11-10 Brian Caswell <bmc@snort.org>
    * src/detection_plugins/sp_byte_test.c:
        added support for & and ^

2002-11-07  Daniel J. Roelker <droelker@sourcefire.com>
    * src/preprocessors/spp_http_decode.c:
        Fixed an infinite loop bug that occurred in my last update to
        http_decode that dealt with an off-by-one bug.  Fixed now.  Pointed
        out by Jens Krabbenhoeft and Nathan Labadie.

2002-11-07  Andrew R. Baker <andrewb@sourcefire.com>
    * src/snort.c:
    * src/snort.h:
        Removed unused MTU support code

2002-11-06  Daniel J. Roelker <droelker@sourcefire.com>
    * src/mwm.c:
    * src/mwm.h:
        Fixed another bug in mwm search routines when dealing with identical
        one byte patterns in multiple rules.  There was a theoretical
        possibility of overwriting a one byte rule group (example: "~") with
        another rule group of ("|00 7e|").  This has now been fixed and
        should be the last of the one byte pattern problems.

2002-11-06  Daniel J. Roelker <droelker@sourcefire.com>
    * src/mwm.c:
    * src/mwm.h:
        Fixed bug when comparing multiple one byte rules with the same one
        byte pattern.  Problem pointed out by Brian Caswell.

2002-11-06  Andrew R. Baker <andrewb@sourcefire.com>
    * src/snort.c:
    * src/snort.h:
    * src/decode.c:
    * doc/README:
        removed -6 (show IPv6) and -x (show IPX) command line options (they
            never did much anyway)
        cleaned up ARP, IPv6, and IPX packet counting

    * src/preprocessors/Makefile.am:
        add missing header (perf-event.h) to libspp_a_SOURCES

2002-11-05  mfr <roesch@sourcefire.com>
    * src/plugbase.c:
    * src/detection_plugins/sp_byte_jump.c:
    * src/detection_plugins/sp_byte_jump.h:
      Added byte_jump, we can now decode a length from the app layer and jump
      the detect_offset_end (last match pointer) up that number of bytes,
      great for decoding RPC with Snort rules

2002-11-04  mfr <roesch@sourcefire.com>
    * src/detect.c:
    * src/fpdetect.c:
      fixed case where multiple rules can have partial matches on content and
      fuxor the detect_offset_end calculations (i.e. reset the offset for
      every OTN in the system)

2002-11-04  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_byte_check.c:
      Make big,little arguments actually interpret the data correctly

2002-11-04  Andrew R. Baker <andrewb@sourcefire.com>

    * src/parser.c:
    * src/rules.h:
    * src/snort.c:
    * src/snort.h:
    * snort.8:
        remove ghetto message reference option (it has not worked since May)

    * src/output-plugins/spo_alert_fast.c:
    * src/snort.c:
        added "-A cmg" alerting mode

2002-11-02  Chris Green  <cmg@sourcefire.com>

    * HAVE_STRINGS_H all over the place for bzero/Solaris
      first reported by John Whitson

2002-11-1  Daniel Roelker <droelker@sourcefire.com>

    * src/preprocessors/spp_http_decode.c:
        Fixed potential off-by-one bugs.  Also fixed %25xx encoding and
        %uxxxx encoding for ascii characters.  Still much work to be done
        but most of this will be added in the next version.

2002-11-01  mfr <roesch@sourcefire.com>
    * src/detection_plugins/sp_byte_test.c:
        fixed range checks, inclusion of strings.h, byte boundry checks

2002-11-01  mfr <roesch@sourcefire.com>
    * src/detection_plugins/sp_byte_test.c:
        added test rules to the sp_byte_test.c header comment block

2002-11-01  mfr <roesch@sourcefire.com>
    * src/detect.c:
    * src/mstring.c:
    * src/detection_plugins/sp_pattern_match.c:
        fixed various "issues" with the distance/within code, should work
        much better now
        also removed redundent calls to pattern matcher for rules with mlutiple
        content checks

    * src/plugbase.c:
    * src/plugbase.h:
    * src/plugin_enum.h:
    * src/detection_plguins/sp_byte_test.c:
    * src/detection_plguins/sp_byte_test.h:
        added sp_byte_test, detection plugin that let's us perform discrete
        value checks on numbers that are encoded in packet payloads, either
        in straight binary representation or as strings

2002-11-01  Andrew R. Baker <andrewb@snort.org>

    * src/decode.c:
        fix logic for generating decoder alerts

    * src/decode.c:
    * src/parser.c:
    * src/snort.c:
    * src/snort.h:
    * doc/README:
        removed broken support for the "-a" (show arp) command line switch

2002-10-31  Andrew R. Baker <andrewb@snort.org>

    * src/util.c (GenHomenet & GenObfuscationMask):
        fix invalid reference to optarg

    * configure.in:
    * src/snort.h:
    * src/snort.c:
        removed pthread support (still need to remove MAX_INTERFACES cruft)

2002-10-30  Chris Green  <cmg@sourcefire.com>

    * (Repository): removed autogenerated files
          use sh autojunk.sh to recreate them if you are using
       CVS to compile

2002-10-30  Andrew R. Baker <andrewb@snort.org>

    * src/parser/IpAddrSet.c:
    * src/parser/IpAddrSet.h:
        add API for IpAddrSet data structure

    * removed "extern char *file_name" and "extern int file_line" from
        scattered places in the source

2002-10-29  Andrew R. Baker <andrewb@snort.org>

    * src/detection-plugins/*.c:
        add multiple options checks for plugins

2002-10-23  Chris Green  <cmg@snort.org>

    * src/log.c more output clean ups from James Hoagland

2002-10-22  Chris Green  <cmg@snort.org>

    * strtol fixes ( Dave Ockwell-Jenner )

    * Merged in Glenns changes for net-snmp port declartion

    * src/parser.c (ParseRuleOptions):
      threshold added back

    * src/preprocessors/spp_portscan2.c (DEFAULT_MAX_SCANNER):
      change defaults back down
   

2002-10-22  Daniel Roelker <droelker@sourcefire.com>

    * src/fpdetect.c:
      Bogus port 0 initialization in fpEvalHeaderTcp/Udp. (Dirk Geschke)

2002-10-18  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_clientserver.c (CheckFromClient):
      hide this under a DEBUG_CS

    * src/preprocessors/spp_stream4.c (AlertFlushStream):
      make AlertFlushStream adjust the base_seq upon a flush point
      (Thanks so much to qru for a reproducable test case... this was
      a PITA)

2002-10-16  Chris Green  <cmg@sourcefire.com>

    * src/util.c (CreatePidFile):
          use pv.log_dir instead of local variable (Cameron Humpries)
   
    * src/log.c (PrintICMPHeader):
      Removed newline amidst a sea of complains from James Hoagland & other
      users :)

2002-10-16  Roman Danyliw <roman@danylw.com>
        * src/output-plugin/database.c:
          - escape the signature name before trying to write it to the
            signature.sig_name field (Dirk Geschke)

2002-10-16  Dan Roelker <droelker@sourcefire.com>
    * src/fpdetect.c:
        - Reverted no content rule checks back to the original
          snort behavior.  Reassembled packets are now inspected
          against no content rules.
          (Jens Krabbenhoeft)

    * src/preprocessors/spp_perfmonitor.c:
        - Adjusted newlines for console statistics prettiness.

2002-10-14  Roman Danyliw <roman@danyliw.com>
        * src/output-plugin/database.c:
          - Transaction abstraction functions (Begin/Commit/Rollback)
          - Fixed transaction SQL for MS-SQL
          - Fixed incorrect return value for MS-SQL Insert()
            (Hans Nilsson)

2002-10-13  Chris Green  <cmg@sourcefire.com>

    * src/log.c (PrintXrefs):
      newlines on Xrefs... pointed out by too many people to count :)

    * src/preprocessors/spp_portscan2.c (targetCompareFunc):
      - target compare function incorrect logic
        (pointed out by Pat Gorman)

2002-10-12  Roman Danyliw <roman@danyliw.com>
        * src/output-plugin/database.c:
          - Fixed (PostgreSQL) sensor initialization to the sensor table
            by setting a default last_cid value
          - Fixed schema detection bug on MS-SQL enabled builds

2002-10-09  Chris Green  <cmg@sourcefire.com>

    * changed FatalError/exit codes
    * merged Sourcefire modifications into snort-head
    * kick off of snort-2.0 dev cycle
      win32 probably doesn't work yet. :-)

2002-10-09  Marc Norton    <mnorton@sourcefire.com>
            Daniel Roelker <droelker@sourcefire.com>

    * src/decode.h:
       p->preprocessors for enable/disable status
   
    * src/fpcreate.c, src/fpcreate.h, src/fpdetect.c, src/fpdetect.h:
      Added new detection engine.  fpcreate.* creates the new detection
      engine and intializes the detection engine components.  fpdetect.*
      analyzes packets as they come in and decides what happens to them.
   
    * src/pcrm.c, src/pcrm.h:
      Added new signature detection classification.
   
    * src/mpse.c, src/mpse.h (Norton):
      Added an interface for multi-pattern match routines.

    * src/mwm.c, src/mwm.h (Norton):
      Added modified Wu-Manber style multi-pattern matcher.

    * src/acsmx.c, src/acsmx.h (Norton):
      Added Aho-Corasick state machine, using a deterministic finite
      automata.
   
    * src/bitop.h:
      Added inline functionality for bit operations.  Used in the new
      detection engine.
   
    * src/preprocessors/spp_httpflow.*, src/preprocessors/http-resp.*:
       Added an http protocol flow preprocessor that analyzes client
       and server traffic.  Useful for HTTP performance.

    * src/preprocessors/spp_perfmonitor.*, src/preprocessors/perf*.*:
      Added a performance monitor that keeps stats on snort.  Some of
      those stats are Mbits/sec, Alerts/sec, TCP state information,
      network traffic flows and percentages, etc.
   
    * src/preprocessors/sfprocpidstats.c:
      Added functionality for multiple CPU stats on linux.  For use in
      spp_perfmonitor, etc.

    * src/parser.c:
      Added a new config option, 'detection'.  This option allows the
      user to configure certain aspects of the detection engine.

    * src/checksum.h:
      Added new optimized inline checksumming routines.
   
    * src/mstring.c:
      Optimized mSearch and mSearchCI.
   
   
2002-10-09  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (ParseCmdLine):
       - syslog option on non-win32 does not take the extra argument
         (Andrea Barisani)
    * updated snort.dsp to not require getrusage
   
2002-10-01  Chris Green  <cmg@sourcefire.com>

    * Fixes from Chris Reid

      - varchar sql arguments for mssql
      - usertime -> systemtime misses
      - snort project file updates

2002-09-26  Chris Green  <cmg@sourcefire.com>

    * configure scripts updated to handle net-snmp as well as ucd
      (Glenn Mansfield Keeni and Abe Katsuhisa)

2002-09-25  Chris Green  <cmg@sourcefire.com>
          
    * src/preprocessors/spp_http_decode.c:
           moved setting the uri_count to this preprocessor to handle false
           alerts on reassembled packets.


2002-09-17  Roman Danyliw <roman@danyliw.com>
    * src/output-plugin/spo_database.c
         - make sure that a packet payload larger than those supported
           in the SQL INSERT are properly terminated.

2002-09-12  Roman Danyliw <roman@danyliw.com>

    * src/output-plugin/spo_database.c
         - made the updating of the sensor.last_cid more efficient by
           only storing the new cid value at shutdown
         - removed extranous CR/LF from sensor name

2002-09-05  Chris Green  <cmg@sourcefire.com>

    * src/log.c (PrintICMPHeader): off by one error in printing
          Thanks to Dave Goldsmith

2002-09-05  Roman Danyliw <roman@danyliw.com>

       * src/output-plugin/spo_database.c: (DatabaseInit)
         - added ignore_bpf configuration option (from Michael Boman)

         ignore_bpf - Do we want to create a new sensor definition everytime
                the BPF filter is changed? The options are:

                [no|0]: (default) Create a new sensor definition if BPF
                        filter has been modified

                [yes|1]: Ignore the BPF part when looking for the server
                         definition

2002-09-03  Roman Danyliw <roman@danyliw.com>

       * src/output-plugin/spo_database.c

         - DB schema v106
         - Added the sensor.last_cid field to the schema so the
           database can store the last used cid for a given sensor.
           This field will ensure that a cid will never be reused.

           Upgrading from v105 -> v106 is as simple as:

           mysql> ALTER TABLE sensor ADD last_cid INT UNSIGNED NOT NULL;
           mysql> UPDATE schema SET vseq=106;

            psql> ALTER TABLE sensor ADD last_cid INT8;
            psql> UPDATE schema SET vseq=106;
     
         - Improved error messages

2002-09-02  Chris Green  <cmg@sourcefire.com>

    * configure.in:
      - cleaned up win32 source packaging

2002-08-27  Andrew R. Baker <andrewb@sourcefire.com>
    * src/preprocessors/spp_asn1.c:
        do not check fragments

2002-08-26  mfr    <roesch@sourcefire.com>
    * src/threshold.c src/threshold.h src/detect.c src/rules.h src/parser.c
    added thresholds to snort rules language, docs to come

2002-08-26  Andrew R. Baker <andrewb@sourcefire.com>
    * src/util.c:
        fix GenHomenet and GetObsfMask functions

2002-08-19  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_perfmonitor.c (ParsePerfMonitorArgs): typo in fmt string

2002-08-18  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_rpc_decode.c:
      Port changes from Andreas Ostling ( just like all the other ones now )
    * win32/perf stuff from Chris Reid
      Will probably break again later
      the perf stuff is very highly subject to change
    * project fixes from Chris Reid

2002-08-16  Brian Caswell <bmc@snort.org>
        * src/util.c
          - allow daemon mode to dump stats to syslog

2002-08-15  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
    (ParseStream4Args):
     - FatalError on unknown argument
    (ReassembleStream4):
     - Correctly mark sessigons as established with
       asynchronous_link enabled   

2002-08-14  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (ParseCmdLine):
         -R <id>    Include 'id' in snort_intf<id>.pid file name
     (Phil Wood)
   
    * src/snort.c (ProcessPacket):
      reset uri_count (test case pointed out by Dan Roelker/Sourcefire)
      
    * src/preprocessors/spp_http_decode.c:
      uri_count set if not alerting.
 
   

2002-08-13  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_conversation.c:
      new option alert_odd_protocols
      set allowed_ip_protocols to the numbers you like and it will alert on all bad protocols

    * src/detection-plugins/sp_session.c (LogSessionData):
           sp_session.c:221: warning: suggest parentheses around && within ||

    * src/detection-plugins/sp_pattern_match.c (CheckANDPatternMatch):
       bug with mutliple decoded alternative contents

2002-08-13  Roman Danyliw <roman@danyliw.com>
        * src/output-plugins/spo_database.c (CheckDBVersion):
          fixed logic to detect the DB schema version correctly when support for
          MS-SQL and another database are present

2002-08-13  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_telnet_negotiation.c:
      - cleaner alt_dsize checks
      - make sure that we don't decode 1 byte
        past the end of the buffer
      -(SetTelnetPorts):
        preprocessor telnet_decode: 21 23 25 119
        (now with port lists!)

    * src/detection-plugins/sp_pattern_match.c (PayloadSearchRawbytes):
      new pattern match option!

      rawbytes -- used to inspect the raw packet data instead of the
      alternatively decode application packet buffer   

    * src/decode.h (DECODE_BLEN): my favorite constant typo.

    * src/preprocessors/spp_stream4.c (Stream4InitReassembler):
      turning off server side reassembly by default ( was what the
      default said it was )

    * src/detection-plugins/sp_tcp_flag_check.c (ParseTCPFlags):
      adding mask bits to the flag checks
          (limitation pointed out by Dirk Mueller)

      example: flags: S,12

      This checks the SYN flag is set regardless of the values of the
      ECN bits.  tcp_flags & (0xFF ^ tcp_mask); for those of you that
      like to think in C

    * src/detection-plugins/sp_pattern_match.c (Check{AND|OR}PatternMatch):
      - normalization of telnet stuff into a separate buffer
        (this means logged packets will now look like they should on the wire)

2002-08-12  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_telnet_negotiation.c (SetupTelNeg):
      - only allow this to be called telnet_decode
      - removing redundant function calls

    * src/perf-event.c (ProcessEventStats):
       - set to 0 (djr@sourcefire)
   
2002-08-12  Roman Danyliw <roman@danyliw.com>
        * src/output-plugins/spo_database.c (Database)
          - Fixed length bug in code that generates the SQL INSERT statement
            into signature table

2002-08-08  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_arpspoof.c (ARPspoofPreprocFunction):
      - include packet w/ alert (Jeff Nathan)

2002-08-07  Chris Green  <cmg@sourcefire.com>

    * preprocessor perfmonitor
       --enable-perfmonitor
      lots of statistics from Dan/Marc/Sourcefire

2002-08-06  Chris Green  <cmg@sourcefire.com>

    * src/checksum.h:
       Integrated fix from Marc Norton/Sourcefire
       occasional endianess bug in checksum routines
       inlined checksum

2002-08-05  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (UpdateState):
       make session initiators more lenient

2002-08-04  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (BuildPacket):
      - Session fix ( a different approach from Andreas Ostling )
    (UpdateState)
    (UpdateStateAsync)
      - Move == TH_ACK checks to nearly the last of the checks and make catch all
        odder flag combinations   
      - ttl_limit will only alert if the packet ttl is less than 10

    (TcpAction*):
        - removed stream_pkt->packet_flag sets new ( makes
        no sense because we overwrite the packet_flags in BuildPacket
        ( pointed out by arron walters -- ended up
          being the source of a few other bugs )


2002-07-30  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (BuildPacket):
     - Mark the session direction establishments correctly
       (thanks to Andreas Ostling for noticing )

2002-07-29  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (ReassembleStream4):
      - make unestablished sessions and established sessions mutually
       exclusive
      - use &
   

2002-07-26  Chris Green  <cmg@sourcefire.com>

    * src/decode.c:
      added decode_alert_flag

      one may disable decoder alerts by using

      config disable_decode_alerts

    * src/preprocessors/spp_portscan2.c (PrunePortscanners):
      Portscan2 fixes from Jed Haile ( thanks :-) )

    * src/decode.c (DecodeICMP):
      8 bytes of extra info in a redirect, not 4
   

2002-07-23  Chris Green  <cmg@sourcefire.com>

    * Phil Wood ASN.1 fix
    * Phil Wood Classification fix
    * Andreas Ostling's BPF comment improvement
    * Just for the record, marty added distance/width as content options
       distance means there must be atleast N bytes between 2 matches
       width means that there must be a match within N bytes
   

2002-07-23  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_SnmpTrap.c:
        - fix null pointer dereference for non-IP packets

2002-07-09  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_dsize_check.c (CheckDsizeRange):
       - changed dsize check to always return 0 on fake tcp pkts
         ( mirrors change made on all other functions .. )

2002-07-08  Chris Green  <cmg@sourcefire.com>

    *  Merged in win32 fixes from Chris Reid (thanks again!)

2002-07-05  Andrew R. Baker <andrewb@sourcefire.com>
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_stream4.c:
        - fixed packet_flags problem with rebuilt packets

2002-07-03  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_SnmpTrap.c:
      - lots of *nArgs = 0 instead of NULL
      - added prototype for ipv6_print_hashing

2002-07-02  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (TcpAction):
       - switched to using psuedo random flush points

    * src/preprocessors/spp_portscan2.c (PrunePortscanners):
       - fixed double delete of a tree node

    * compilation fixes from Chris Reid for win32 (Thanks!)

2002-07-01  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_conversation.c
      (ConvCompareFunc):

              - fixed session equalness bug ( portscan2
          should actually seem reasonable now )
      (ConvFunc):
       - changed to use conf_flags for session initiation

 

2002-06-28  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
    * src/decode.h (PKT_STREAM_INSERT):
      added a packet marker for inserted stream packets

2002-06-27  Chris Green  <cmg@sourcefire.com>

    * src/util.c (FatalError): fflush(*)

    * src/detection-plugins/sp_dsize_check.c:
      dsize checks always will return 0 for
      rebuilt stream packets 

    (CheckDsizeRange):
      added min<>max range support for dsize option
      Thanks to Andreas �stling

    * src/parser.c (ParseConfig): missing return
       for config daemon
   
       thanks to Bill McCarty <bmccarty@apu.edu>

2002-06-26  Chris Green  <cmg@sourcefire.com>

    *  From Jeff Nathan:
       Moved resp* stuff to the OTN instead of RTN

    *  spp_conversation rewrite
    *  portscan2

    *  SNMP updates from Glenn Mansfield Keeni <glenn@cysols.com>
   
2002-06-24  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_icmp_seq_check.c (ParseIcmpSeq):
       htons(ds_ptr->icmp_seq) from Andereas Ostling

2002-06-20  Andrew R. Baker     <andrewb@sourcefire.com>   
    * src/detect.c:
        fix event reference time for unified output

2002-06-20  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_portscan2.c
      - parsing fixes from Phil Wood
    * src/util.c:
      - FreeToks fixes from Phil Wood

2002-06-16  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c
       Andrew Hintz bug reports
   
       (BuildPacket):
       - reinjected packets are now marked as established as well as rebuilt
       (UpdateState):
       - Server initiated: APF -> AF -> A was not
         properly terminating session

2002-06-13  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_log_tcpdump.c (LogTcpdump):
       fixed broken -b -l . mode
          ( assuming iph is set doesn't work )

2002-06-12  Chris Green  <cmg@sourcefire.com>

    * src/util.c (read_infile):
       close fd for -F

2002-06-11  Chris Green  <cmg@sourcefire.com>
    * src/preprocessors/spp_arpspoof.c:
       Fixes from Jeff Nathan

    * src/preprocessors/spp_asn1.c (ASN1Decode):
       ASN1 fix from Chris Reid

2002-06-08  Chris Green  <cmg@sourcefire.com>

    * src/generators.h (FRAG2_TTL_EVASION_STR):
       changed TTL Limit exceeded message to make more clear

2002-06-08  Andrew R. Baker <andrewb@sourcefire.com>

    * src/output-plugins/spo_log_tcpdump.c:
    * src/detect.c:
    * src/decode.h:
        make obfuscation work for all output plugins


2002-06-07  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (ReassembleStream4):
       - accidentally inverted logic for async/normal sessions
       - marking streams as established correctly   

2002-06-05  Chris Green  <cmg@sourcefire.com>

    * src/generators.h (STREAM4_TTL_EVASION_STR):
      changed so that people recognize message as ttl_limit related
      and not message related

2002-06-04  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c:
     - fixed include order ( fixes compile on FreeBSD )

    * src/preprocessors/spp_frag2.c (InsertFrag):
     - allow duplicate first fragment to be disabled

2002-06-03  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_clientserver.c (ParseFlowArgs):
      - added {no_stream,only_stream} keywords to flow:
        used to suppress reassembled streams from being alerted on

    * src/plugbase.h: changed machine/param.h -> sys/param.h

2002-06-03  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/log_tcpdump.c:
        fix obfuscation

2002-06-02  Chris Green  <cmg@sourcefire.com>

    * src/Makefile.am:
      added plug_base.h  ( pointed out by Jeff Nathan )

2002-05-30  mfr <roesch@sourcefire.com>
    * src/log.c
      src/decode.c:
        Fixed non-functional embedded packet decode and printout for ICMP
        UNREACH and REDIRECT packets

2002-05-30  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c (Frag2Init):
      - left frag2 alerts on by default by accident
        (diabled)

2002-05-28  Chris Green  <cmg@sourcefire.com>

    * src/detect.c (CallLogFuncs):
       moved the traversal of the plugins ahead of the setting the
       packet logged flag since both check ( should both check? )
   
2002-05-28  Andrew R. Baker <andrewb@sourcefire.com>
    * src/log.c:
        fix NULL pointer deref problem printing priority/class info

2002-05-27  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c
      (SetPorts):
        - fatal error on invalid port description

    * rules.c
     (VarGet):
      - fatal error if undefined variable is called
     (ExpandVars):
      - don't expand variables inside "'s

2002-05-21  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (StoreStreamPkt):
      - sheltered fast restransmission under evasion_alerts
      - missing returns

2002-05-20  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c:
      - added newer unidecode function from rfp
      - added "internal_alerts" keyword
          
   
2002-05-19  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_log_ascii.c:
    * src/preprocessors/spp_conversation.c:
    * src/preprocessors/spp_conversation.h:
    * src/preprocessors/spp_portscan2.c:
    * src/preprocessors/spp_portscan2.h:
        - corrected some global namespace pollution


2002-05-15  mfr <roesch@sourcefire.com>
    * looked over and indented the hell out of spp_conversation and
      spp_portscan2
    * put a FreeToks() function into util.c to clean up after mSplit()'s
    * other sundry stuff, conversation and portscan2 should be ready for
      testing from what I can see now

2002-05-15  Andrew R. Baker <andrewb@sourcefire.com>

    * src/output-plugins/spo_SnmpTrap.c:
    * src/output-plugins/spo_alert_smb.c:
    * src/detections-plugins/sp_react.c:
        - fixes for new SigInfo system

    * src/output-plugins/spo_idmef.c:
    * src/output-plugins/spo_idmef.h:
    * doc/README.IDMEF:
    * src/plugbase.c:
    * src/plugin_enum.h:
        - remove IDMEF instead of leaving it in a broken state
   
2002-05-14  Chris Green  <cmg@sourcefire.com>

    * src/util.h (GenObfuscationMask):
      make compile on OS X

2002-05-14  Andrew R. Baker <andrewb@sourcefire.com>
    * *.[ch]:
       - proper implementation of priority and reference signature metadata
       - other work surrouding signature metadata

2002-05-14  Chris Green  <cmg@sourcefire.com>

    * templates/sp_template.[ch]:
      - updated template for plugbase and modularity

    * src/preprocessors/spp_stream4.c (CreateNewSession):
       - added SYN_SENT initialization state

    * src/preprocessors/spp_http_decode.c:
      - fixed includes for WIN32 (Chris Reid)
   
    * src/preprocessors/spp_stream4.c (_Stream4Data):
      - added asynchronous_link
        useful for places that only see one side of a conversation
   
      - (UpdateState):
         mark session as established on asynch links

2002-05-13  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (ProcessPacket):
         - added min_ttl check in front of Preprocess Check
    * src/snort.h (_progvars):
      - added min_ttl as a snort-wide configuration option
        config min_ttl: 1 to drop all things less than 1
        config min_ttl: 0 to have none (default)

    * src/decode.c
      (DecodeTCP):
       - fixed bug where we didn't just toss invalid packet after
       alerting on it in decoder
      (DecodeEapolKey):
       - removed CallLogPlugins redundant call

    * src/generators.h
       - moved all plugin alert descriptions here

    * src/plugin_enum.h:
       - moved all PLUGIN_ constants to a single header

    * src/detection-plugins/sp_pattern_match.h:
       - cleaned up commented define

    * src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
       - commented out spurious debug code
   
    * src/preprocessors/spp_stream4.c  (StoreStreamPkt):
       - disable evasion alerts
  
2002-05-12  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_http_decode.c
         (PreprocUrlDecode):
      - more debug code
      - set p->uri_count

    * src/parser.c (ParseConfig):
       - cleaned up some NULL dereferences

2002-05-09  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
      - moved SSNFLAG defines to decode.h so that we have access to the
              Session data outside of spp_stream4
          - added SSNFLAG_HTTP_1_1, SSNFLAG_SEEN_PMATCH
      - moved Session,Stream to decode.h
   
       (ReassembleStream4):
         session_flags converted to & check instead of == for establishment

    * src/decode.h
      - added HTTP version constants

2002-05-08  Chris Green  <cmg@sourcefire.com>

    * src/decode.h
    (_Packet):
       - removed URI
       - added uri_count
        (_HttpUri):
       - changed to added parameters
        (_UriParam):
       - added parameter datastructure
        (VTH_VLAN):
       - fixed missing paren

    * src/preprocessors/spp_http_decode.c
    (SetPorts):
          - removing strncasecmp
    (PreprocUrlDecode):
      - moved to using UriBufs

    * src/decode.c:
      Added UriBufs

    * src/decode.h:
      - changed to use TRH and VLAN macros
        bitpacked notation expunging should be done

2002-05-07  Chris Green  <cmg@sourcefire.com>

    * src/decode.h (_TCPHdr):
       - changed to use TCP_OFFSET, TCP_X2 Macros

    * src/parser.c (ParseConfig):
    * src/snort.c (ParseCmdLine):
   
      -  Fixed notcp,noicmp,noudp,noip to only disable
    - strcasecmp instead of strncasecmp

    * src/preprocessors/spp_http_decode.c:
      integrated spp_http_decode.c from rfp
      new option set:
        * unicode:  decode unicode
        * iis_alt_unicode: %u000 encoding
        * double_encode  : detect IIS decoding
        * abort_invalid_hex: detect only up
                             until the first broken encoding
        * drop_url_parm: don't decode the stuff following ?
        * iis_flip_slash: substitute / for \ ( C:\DOS\RUN )
        * full_whitespace:  treat \r and <tab> as <space>   

2002-05-06  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
      fixed retranmission checksum alerts to live under evasion

    * src/detection-plugins/sp_pattern_match.h:
       commented out PATTERN_FAST until it works

    * src/generators.h:
       internal alerts from spp_http_decode

2002-05-01  Andrew R. Baker <andrewb@sourcefire.com>
    * src/plugbase.c:
    * src/output-plugins/spo_unified.c:
        cleaned up startup message printing

2002-04-25  Chris Green  <cmg@sourcefire.com>

    * Introduced IP_VER, IP_HLEN, SET_IP_VER, SET_IP_HLEN after
    thinking about tcpdump and what Fyodor had talked to me about
    months ago regarding cross platform compatiblity.  No more
    twiddling.

    Plugins that use ip_ver, ip_hlen should be tested.  No more bit
    packed notation allowed in the source tree.

    * src/preprocessors/spp_stream4.c:
       separated evasion alerts from retransmission/state

       evasion alerts default to being on now

       disable with disable_evasion_alerts

2002-04-24  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c (Frag2Init):
      fixex argument parsing

    * src/preprocessors/spp_http_decode.c:
      don't process fragments

    * src/preprocessors/spp_frag2.c
    (InsertFrag):
      make sure that we don't run out of memory if someone sends us the
            same fragment over and over again

      duplicate first frag is a special case

2002-04-23  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c
      (InsertFrag):
    - adding detection of attack where we would start
      reassembling packet fully before the full fragtracker is there

    * src/detect.c (EvalPacket):
      - fixed alert ip rules
         (got clobbered when playing detection engine optimizations )

      - generate proper events when decode errors happen

    * src/plugbase.c (InitPlugIns): SetupFragOffset()

    * src/detection-plugins/sp_ip_fragbits.c:
      - added fragoffset:

        fragoffset: [!<>] <integer>

        defined in fragbits so that I can backport it.

    * src/preprocessors/spp_frag2.c (InsertFrag):
    -  alert on frag2 overlaps

        To do this requires keeping the packets around for a while
        longer to detect all the multiple fragments and overlaps

        Changed the PruneCache to notice when things are completed and
        prune them in addition to just by time. Frag mem faults are
        going to increase because of this but each time one occurs,
        there should be plenty to expire.
   

2002-04-22  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c
      (Frag2Defrag):
        Warn/Discard on fragments with IP Options set.
      (ParseFrag2Args):
        min_ttl
        ttl_limit
        detect_state_problems
   
    * src/debug.h
       DEBUG_FRAG2

    * src/preprocessors/spp_stream4.c
     (TraverseFunc):
       - added next seq check on reassembly
       - added alerts on retransmitted sequences...
                   its ugly as sin right now
        (_Stream):
       - next_seq added

     (StoreStreamPkt):
       - added check for restranmitting too fast w/ a different data size
       - added tcp checksum retransmission checking
         (how much do I need to worry about
          data with the same checksum and different payloads...
          just throw it away for the moment)
   

2002-04-19  Chris Green  <cmg@sourcefire.com>

    * More win32 Service patches from Chris Reid ( Thanks! )

2002-04-18  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_frag2.c (Frag2Defrag):
                      added ttl_limit detection

    * src/generators.h (FRAG2_TTL_EVASION): added
   

    * src/preprocessors/spp_stream4.c (StoreStreamPkt):
       -- first cut at TTL evasion detection
          keyword: ttl_limit <count> for TCP Sessions


2002-04-16  Andrew R. Baker <andrewb@sourcefire.com>

    * src/preprocessors/spp_stream4.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/spp_asn1.c:
    * src/log.c:
    * src/detect.c:
        fix broken event reference info for unified output

2002-04-15  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (ParseStream4Args):
      added missing parsing line back in

2002-04-10  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_unified.c:
        fix unified brokeness

2002-04-10  Andrew R. Baker <andrewb@sourcefire.com>
    * src/plugbase.h:
    * src/plugbase.c:
    * src/parser.h:
    * src/parser.c:
        Plugin API cleanup
   
    * src/output-plugins/spo_log_tcpdump.c:
        make log file timestamps work the same as in unified

2002-04-09  Chris Green  <cmg@sourcefire.com>

    *  src/spp_portscan2.c:  new changes from Jed/Jason

2002-04-08  Andrew R. Baker <andrewb@sourcefire.com>
    * add profiling configuration option
    * src/parser.c:
        correct NULL pointer dereference

2002-04-08  Chris Green  <cmg@sourcefire.com>

    * src/debug.c (GetDebugLevel):
       accidenatlly returning debuglevel instead of debug_level

    * src/log.c (PrintIPHeader):
       Modified fragment offset calculation (reported by Judy Novak)

2002-04-07  Chris Green  <cmg@sourcefire.com>
    * Fixed --enable-debug
    * src/preprocessors/spp_asn1.c:
       Missing includes

2002-04-06  Chris Green  <cmg@sourcefire.com>
    * src/detect.c (EvalHeader):
       Corrected incorrect ignore with -z est and PKT_REBUILT_STREAM

    * src/detection-plugins/sp_tcp_ack_check.c (ParseTcpAck):
    * src/detection-plugins/sp_tcp_seq_check.c (ParseTcpSeq):
       Phil Wood's Parsing Change

2002-04-05  Martin Roesch <roesch@sourcefire.com>
    * detection engine now walks RTN and OTN lists iteratively instead of
                    recursively, I guess we should cowtow to the x86 crowd...

    * RTNs are now sorted by destination port number allowing for earlier exit
    from the detection engine in the average case and improving performance

    * destination port is now the first thing checked when an RTN is processed
    (for UDP/TCP traffic)

2002-04-05  Chris Green  <cmg@sourcefire.com>

    * Merged in Nick L. Petroni, Jr.'s 802.11b stuff

    * src/detection-plugins/sp_pattern_match.c:
            Integrated Mike Fisk's SetMatch stuff ( large performance
        increase -- thanks for being so patient with me )
   

2002-04-04  Chris Green  <cmg@sourcefire.com>

    * src/snort.c (SnortMain):
        Extra call to initoutput plugins commented out..

    * src/detect.c (CallAlertPlugins):
        DEBUG_WRAPPED Andrew's printfs'

2002-04-03  Chris Green  <cmg@sourcefire.com>

    * src/debug.h:
       DEBUG_WRAP defined
    DEBUG WRAP used everywhere...

    * src/preprocessors/spp_conversation.c:
      ignore rebuilt stream

2002-04-02  Andrew R. Baker <andrewb@sourcefire.com>

    * Modularization cleanup

2002-04-02  Chris Green  <cmg@sourcefire.com>

    * src/debug.c (GetDebugLevel):
      only initialize debug_level once ( now easier to use gdb set command )

    * src/preprocessors/spp_portscan.c:
       No processing on reassembled stream packets
    * lots of compilation fixes
    * started added spp_conversation

2002-04-01  Andrew R. Baker <andrewb@sourcefire.com>

    * config.h should be included almost everywhere....


2002-03-31  Chris Green  <cmg@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c (CheckUriPatternMatch):
       Check for URI.uri with a packet flag
    * src/preprocessors/spp_http_decode.c (PreprocUrlDecode):
     - Moved decode ignore check up ( I don't think this is actually
        used anywhere )
     - Moved  somefunctions into CheckHTTPDecode
    * decode.h:
     - Changed URI.uri to u_int_8t[URI_SIZE]
     - URI_SIZE is 512 (should create an alert when that size is exceeded)
         - Added PKT_HTTP_DECODE to show if URI was filled in
   
2002-03-31  Andrew R. Baker <andrewb@sourcefire.com>

    * start work on cleaning up the output API

2002-03-30  Chris Green  <cmg@sourcefire.com>

    * src/output-plugins/spo_alert_unixsock.c:
        lots more checking for valid packets on
        things like portscan alerts

2002-03-29  Andrew R. Baker <andrewb@sourcefire.com>

    * src/parser.c :
        Add support for "special" output plugins

    * src/output-plugins/spo_unified.h :
    * src/output-plugins/spo_unified.c :
        Initial work towards a true unified output.

2002-03-29  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c (ReassembleStream4):
    * src/snort.h:
        removed pv.fake_packet check (old stream stuff)

2002-03-27  Chris Green  <cmg@sourcefire.com>

    * src/preprocessors/spp_stream4.c :
        More debug messages in Stream4 

    * doc/PROBLEMS:
           Added file to document bugs that we really can't work
           around easily and aren't necessarily ours.

    * src/parser.c (ParseRuleOptions): filename -> file_name for compilation

2003-03-26  Andrew R. Baker <andrewb@sourcefire.com>
    * src/output-plugins/spo_unified.c:
        fix file rotation bug in spo_unified
        write IPs in host order like everything else is
    * src/parser.c:
        updates to the rule parser.  now we only complain for unrecognized
            rule options.
   
2002-03-26  Chris Green  <cmg@sourcefire.com>

    * src/detect.c (DumpChain):
        DebugMessage stuff..

2002-03-25  Chris Green  <cmg@sourcefire.com>

    * stop stream4 from clobbering itself (Pascal Bouchaeine)


2002-03-24  Chris Green  <cmg@sourcefire.com>

    * src/plugbase.c (RegisterPlugin):
        - allow multiple plugins to start with same prefix

2002-03-23 Brian Caswell <bmc@snort.org>
   * initial add of flow: to signatures

2002-03-21  Chris Green  <cmg@sourcefire.com>

   * Place IP checks after port checks for 1.9
     (based on patch from Christian Mock)
   * Fixed test header checks (greatly responsible for
     slowness on multiple CIDR blocks) (Christian Mock)
   
   
2002-03-19  Chris Green  <cmg@sourcefire.com>

    * Fixed Teardrop detection in frag2 ( Forward bugfix from Marty )
    * Replaced most instances of #ifdef DEBUG\nprintf(...) with
      DebugMessage

2002-03-11 bmc <bmc@snort.org>
    * readded this file :)
    * renabled udp portscan detection
    * updated ICMP text printing (few bugs, few new features)
    * updated BUGS for jackasses on Bugtraq
    * fixed a bunch of stream4 stuff
    * cleaned a ton of signatures (see signature CVS logs for info)
    * number of FAQ updates
    * removed unstable/orphaned/unmaintained/deprecated code as we
      get ready for 2.0
    * massive directory structure reordering
    * frag2 options code cleanup (cmg)
    * fixed pattern match exit conditions (cmg)
    * improved stats calculation (phil wood)
    * tweaked decoder code
    * improved ICMP ASCII output
    * fixed no-packet bug in spo_unified
    * moved alert code in spp_frag2 so packet is logged for teardrop
    * many stream4 fixes
    * added sp_clientserver (to client, to server, from client, from server)
    * cleaned infinate loop in regex
    * fix double PID write (reported by phil wood)
    * updated docs
    * ton of new signatures
    * split rules.c into parser.c|h and detect.c|h
    * smarter pruning for segments that have only partially been streamed
    * ethernet headers are now filled in for rebuilt packets
    * added case for stream segments that hadn't been completely handled in
      previous flush
    * added another interface init call when entering daemon mode for linux
      boxen that lose promisc mode when the process forks
    * strncat in sp_reference
    * opts[1] fix to plugin args passing
    * updated changes to db stuff from Roman
    * removed $default_directory from mysql_directory definition to allow
      --with-mysql to work again and select a non-default installation
    * fixed calloc call for PPPoE debug #ifdef DEBUG
    * Fixed pointer math for Stream4 sesesion
      ( IOU: Phil Wood; 1 Bar tab )
    * Fixed suicidal tree pruning
    * ifdef AF_INET6 for decode.c and removal of spp_asn1.h from plugbase.h
    * cleaned up decode.c indentation, etc
    * added classifications for spp_fnord
    * mods to icmp ASCII log code for more informational printouts
    * added enhanced conf file parsing for frag2 (Chris Green)
    * added pattern match fixes (Chris Green)
    * other stuff that escapes me right now
    * pflog decoder support from Robert Fleck <rfleck@cigital.com> added

    * cleaned up decode.c indentation, etc
    * added classifications for spp_fnord
    * mods to icmp ASCII log code for more informational printouts
    * added enhanced conf file parsing for frag2 (Chris Green)
    * added pattern match fixes (Chris Green)
    * added enhanced resolution of TCP retransmissions to stream4
    * changed default behavior of frag2 to favor old data over new
   
    * fixed screwed up fragbits printout
    * Fixed pointer arithmetic in calls to PrintNetData (thanks to Andreas
     �stling bugreports)
    * ntohs(p->iph->ip_len) -- should we have a p->ip_len?
    * don't complain about NULL ptr if p->dsize == 0
    * Still has one nit in that a badly framed packet is counted twice in -v
      mode2

2001-11-29 bmc <bmc@snort.org>
    * Fixed crash in frag2 under Linux
    * Fixed flexresp code, session sniping should work again and be faster
      to boot
    * Fixed ICMP decoder and printout routines for new ICMP header data
      structs in decode.h
    * Added -B command line switch to translate IP addresses in pcap files
      from one subnet to another (see the man page).
    * Added spo_log_null to give users an option to deactivate logging
      output from the snort.conf file.

2001-11-02 mfr <roesch@sourcefire.com>
    * fixed UTC timestamps
    * fixed SIGUSR1 handling, should reset properly now after getting a signal
    * fixed PID path generation code, PID files go in the right place now
    * fixed stability problems in stream4
    * fixed stability problems in frag2
    * tweaks to spo_unified for better integration with barnyard
    * added -f switch to turn off fflush() calls in binary logging mode
    * added new config keyword to stream4, "log_flushed_streams", which causes
      all buffered packets in the stream reassembler for that session to be
      logged in the event of an event on that stream (must be used in
      conjunction with spo_log_tcpdump)
    * added packet precacheing for flexresp TCP packets, responses should be
      generated more quickly
    * fixed rules parser code for various failure modes
    * several new rules files and a new classification system

2001-08-14 mfr <roesch@sourcefire.com>
    * SNMP alerting support added by Glenn Mansfield Keeni & K. Jayanthi
    * IDMEF output support compiled in by default now
    * regex keyword code repaired, limited wildcard regex now available
    * new packet counters added to Snort stats output for frags and streams
    * http_decode preprocessor modified to normalize %u encoding
    * new detection modes in frag2, Snort picks up fragmentation
      attacks (teardrop, etc) much better now
    * repaired frag2 IP defragmenter, now 100% stable and functional
    * tweaks made to stream4 TCP stream reassembler, now 100% stable
    * Win32 code integrated with main Snort source now
    * fix for -r mode crash when no other command line options specified
    * fix for logfile names using ":" under win32
    * tag code repaired
    * spp_arpspoof repaired
    * stream4 alerts are now off by default
    * syslog alerts now support standard GEN:SID:REV data

2001-08-04 fy <fygrave@tigerteam.net>
    * A couple of coredump fixes from Phil Wood
    * Solaris compilation fixes (and other minor tweaks I don't
      remember)
    * Incorporated WIN32 patches (and fixes) from Chris Reid
    * ms-sql support from Chris Reid
    * contrib/create_mssql

2001-07-09 mfr <roesch@sourcefire.com>
    * added new IP defragmenter, spp_frag2
    * added new stateful inspection/tcp stream reassembly plugin, spp_stream4
    * Snort can now statefully detect ECN traffic (less false alarms)
    * stream4 can now keep session statistics in a "session.log" file
    * added new high-speed unified binary output system, spo_unified
    * added new data structs/management for tag code
    * added -k switch to tune checksum verification behavior
    * added -z switch to provide stateful verification of alerts
    * modified bahavior of http_decode, now only alerts once per packet
    * added unique Snort ID's to every Snort rule, plus generator, revision
      and event ID info to each alert
    * detection engine only alerts once per packet now, tcp stream code doesn't
      generate another alert packet if a previous one already alerted for that
      stream
    * fixed signal handling on svr4 systems
    * added enhanced cross reference printout to full/fast/syslog alert modes
    * added new high speed checksum verification (on x86) routines
    * added new ARP spoof detection preprocessor from Jeff
      Nathan <jeff@wwti.com>

2001-04-20 fy <fygrave@tigerteam.net>
    * a couple of fixes in spp_defrag.c
    * spelling fixes in 'classification.config' file

2001-04-19 bmc <bmc@mitre.org>
    * added ability to tag sessions & hosts (By Seconds, Bytes, and Packets)
    * ip protocol rule support
    * added 802.1q VLAN support 
    * extensive configuration file config options (you can put your
      commandline options in snort.conf now)
    * priority & classification plugin by Brian Caswell
    * output plugin support for priority, classification, and refs 
    * rpc_decode plugin (Defeats attacks laid out by Robert Graham's SideStep)
    * telnet negotiation normalization plugin (Defeats attacks laid out
      by Robert Graham's SideStep)
    * BackOrifice plugin (Can bruteforce BO keys.  Defeats attacks laid out
      by Robert Graham's SideStep)
    * uricontent keyword pattern match.  (Now you can look at the URL instead
      of the entire packet)
    * added -T commandline option  (Does entire setup process, but stops
      after its done setting up) great for snort.conf testing!!
    * added -L commandline option.  Specify filename of the binary output
      log when combined with "-b"
    * added -G commandline option.  Turn on "ghetto" backwards
      compatability for people that need
      references in the MSG field
    * added -I commandline option.  Prints the interface that the
      alert was received on
    * added -y commandline option.  Adds YEAR to the timestamps
    * Fixed timestamp output problem on some ARCHs
    * ability for non-root users to sniff.  (If the user can usually
      sniff from pcap) By Brian Caswell
    * Improved UNICODE detection by Koji Shikata
    * added sp_tcp_win_check.  TCP Window Size can be looked now
    * added CSV output (see README.csv for more information) By Brian Caswell
    * added sp_same_ip_check.  Checks for the same SRC & DST (Usually sign
      of a DOS attack) by Phil Wood
    * added variable lookups for include directives (eg 'include
      $RULESPATH/myrules.rules')
    * linux_sll (interface 'any') support fixed (According to the new
      libpcap spec) By Fyodor
    * new debugging code.  No more #ifdef DEBUG.  (see debug.c for more
      info) Idea from Eugene Tsyrklevich
    * strl* family functions (mostly for future developers, we'd encourage
      these to be used) (original code also supplied by Eugene)
    * new tcp stream reassembly module by Chris Cramer
    * include directives now are relative to snort.conf file location
      (unless full path in a config file is given)
    * snort will look for /etc/snort.conf and ./snort.conf if no config
      is given on the commandline
    * minor null ptr fixes and patches there and here (thanks to all of
      you guys who helped tracking them down, really :-) - Fyodor)
    * optiomized database schema (Support for references, added
      signature normalization, ....)
    * UTC cleanup by Andrew Baker
    * http_ignorehosts added from Matt Wachinski

2001-03-14 fy <fygrave@tigerteam.net>
    * tcp stream reassembly updates by Chris Cramer
    * path fixes for include <file> (now relative path'es will be substituted
      by path of the main file)
    * DLT_LINUX_SLL support fixes
    * strlcat/stlcpy functions are being incorporated
    * Attempt to support MacOS platform.
    * A bunch of fixes for MTU dicovery routine
    * New debugging routines. (see BUGS file for more info).

2001-01-02  mfr <roesch@md.prestige.net> fy <fygrave@tigerteam.net>
    * tcp stream reassembly preprocessor (beta) by Chris Cramer
    * Defragmentation plugin is now fully functional on all architectures
    * SPADE (Statistical anomaly detection) preprocessor has been added by
      James Hoagland
    * Added IIS/UNICODE attack detection to HTTP decoder
    * Reference plugin has been added by Joe McAlerney
    * New active response module: sp_react
    * Added "any" keyword to IP options (ipopts) plugin
    * IP fragmentation bits detection plugin added
    * Added TOS detection plugin from Erich Meier
      <Erich.Meier@informatik.uni-erlangen.de>
    * Database output plugin improved in many ways by Jed Pickel
    * Oracle support added to database output plugin
    * XML output plugin by Jed Pickel/Roman Danyliw/CERT
    * IP address list support added with lots of help from Phil Wood
    * <interface>_ADDRESS variable implementation, specifying an interface name
      in the rules file as part of this variable automatically sets the IP/mask
      as the IP address/netmask of the specified interface
    * Rule parser is more anal about rule verification now, doesn't crash as
      readily
    * Arbitrary output types support added by Andrew Baker
    * Activate/dynamic rules allow rules to turn on/off other rules!
    * ICMP unreach. printout dumps encapsulated headers now
    * Improved TCP/IP options printout code, doesn't flood on 0 length options
    * Packet checksumming implemented for all supported protocols by Chris
      Cramer
    * TCP flags now print out in proper (bitwise) order
    * Added new fields to the packet header dumps including IP header length,
      TCP/UDP header length, Urgent pointer printout, IP Reserved bit printout,
      ICMP Type/Code explicit value printout
    * -X switch dumps packet byte data for data link through application layer
    * -L switch to privde a filename for binary log files specified with the -b
      switch
    * Added -I switch to print interface name in Snort alerts (first i/f only)
    * Fixed -S command line switch so it isn't overridden by variables in the
      rules file
    * Corrected PID file misadventures
    * Added a bunch of new statistics to the packet stats printout
    * Added SIGUSR1 handler, Snort will dump packet stats to console/syslog
      when it receives a SIGUSR1
    * Memory management cleaned up/lots more free()'s to match up with
      malloc()'s
    * Added snprintf code to the distro for safety
    * UID = 0 code added for sniffer mode
    * fixed default alert filename for daemon mode
    * Updated USAGE file to resemble Snort's current reality
    * Changed snort-lib to snort.conf, Jed Pickel added lots of documentation
      to the file as well (thanks Jed!)
    * Pid file will not be created if -D switch is not used.
    * chroot behaviour has been changed, now, if chroot is used, you have
      to have snort.conf file within chroot directory (and all the other
      relevant files as well). The only file which will be placed outside
      chroot directory is snort pid file.

2000-07-22  mfr <roesch@md.prestige.net>
    * Fixed compilation problems on all non-BSD operating systems
    * Added better configuration support for locating libpcap
    * Fixed    ICMP ping packet id/sequence printouts
    * Made allowances for 64-bit machines in the decoders
    * Updated the portscan detector to the latest version
    * Disabled the defragmenter by default (in the rules file)
    * Added a patch from Dave Dittrich to make daemon mode alerts
      filenames conform to the data in the documentation
    * Revamped the ICMP data structures to mimic those found in *BSD
      and provide for higher fidelity decoding/printout in the future
    * Repaired the output plugins so that they operate properly now
    * For the record, the payload dump conforms to the length of the
      IP datagram now and does not show pad bytes added by the minimum
      Ethernet frame size

2000-07-08  mfr <roesch@md.prestige.net>
    * Fixed Tru64 u_int* type declarations
    * Added check for pcap.h into configuration script
    * Fixed timeval problems on Linux boxen

2000-07-06  mfr <roesch@md.prestige.net>
    * New preprocessor plugin: IP defragmentation!!
    * New output plugins cover all old logging and alerting options
        * New output plugin now logs to MySQL, PostgreSQL, unixODBC databases
    * Updated portscan detection functionality
        * Added quote removal for most plugin parsers
        * -C crash bug fixed
        * PID/PATH_VARRUN file fixes
        * Converted many putc(3) calls to fputc(3) for portability
        * Transport layer decoders use ip_len field for length metric now
        * String tokenizer code modified for more reliable operation
        * Fixed flexible response code sequence prediction
        * Fixed DEBUG ifdef's so DEBUG mode code will compile correctly on all
          platforms
        * Set automake options so that people don't need gmake anymore to build
          Snort on BSD systems
        * Fixed SMB alert code large tmp file hole
        * Added sigsetmask code to fix SIGHUP weirdness
        * Added execvp option for SIGHUP restart code
        * Added ARP header printout validation
        * Added Session logging file integrity checking
        * Added -u/-g setuid/gid capability switches
        * Added -O IP address obfuscation switch
        * Added -t chroot switch
        * Fixed non-TCP/UDP/ICMP transport layer decoding & logging
        * Fixes and additions to the portscan preprocessor
        * Database logging plugin has been modified extensively, see the
          www.incident.org website for more information
        * Switched TCP flags printout routine to ensure proper RFP output
          scan output. ;)
        * Fixed default log/alert function code so that these functions are
          never NULL

2000-03-20  mfr <roesch@md.prestige.net>
    * Version 1.6 released!

2000-03-18  mfr <roesch@md.prestige.net>
    * Modified the PID write out code to work in all run modes, and made
      the system detect/verify the _PATH_VARRUN variable and define it
      if necessary.
    * Integrated a HUP patch from J Cheeseman to prevent the command line
      parser from screwing up the command line at HUP time.
    * Added a little tweak from Fyodor for Makefile.in
    * Made exit code delete the PID file in all run modes.

2000-03-16  mfr <roesch@md.prestige.net>
    * Activated the BPF compiler optimization switch in snort.c
    * Added support for unconfigured/stealthed network interfaces
    * CP added a default definition for _PATH_VARRUN
    * CP added checks for paths.h existence

2000-03-15  mfr <roesch@md.prestige.net>
    * Moved the "session" keyword code to a plugin
    * Added Postgres database logging module from Jed Pickel
    * Added Token Ring layer 2 printout routine
    * Added "-q" support to the output plugin modules
    * Revamped the output plugin subsystem so that it conforms to the
      API standards laid out in the rest of Snort
    * CP set defaults for the alerting and logging facilities
    * Added Tru64/Alpha support

2000-02-26  mfr <roesch@md.prestige.net>
    * modified minfrag proprocessor to only catch tiny frags on the home
      net ("home" keyword) or any traffic ("any" keyword)
    * implemented command line override of output plugins, alert and log
      switches on the command line will disable output plugins in favor of
      their configured activity
    * added -C command line switch to print packet payloads as ASCII only,
      with no hexdump
    * fixed a stupid crash bug on the "logto" keyword parser
    * put in a couple of command line switch validators to catch potential
      invalid arguments
    * fixed a potential crash bug in the ClearDumpBuf() function

2000-02-07  mfr <roesch@md.prestige.net>
    * Added INADDR_BROADCAST patch from Steve Beaty <beaty@emess.mscd.edu>
    * Added syslog PID patch from Ralf Hildebrant
    * Added IPv6 counter from Erich Meier
      <Erich.Meier@informatik.uni-erlangen.de>
    * Added SunOS patch from Denis Ducamp <Denis.Ducamp@hsc.fr>
    * Added content-list rules from

2000-01-17 cp <fygrave@tigerteam.net>
    * Update of Patrick's portscan preprocessor. (and apropriate fixes)
    * Minor fix to configure.in from Herb Commodore.

2000-01-12 cp <fygrave@tigerteam.net>
    * John Wilson's update to insensitive pattern match code added.
    * Patrick Mullen's patch to log.c applied.
    * Patrick Mullen's changes to rules.c added.
    * Source Port traffic rules ajusted not to pull alerts on 53<-->53 UDP
      traffic.
    * Changed name ParseFlags to --> ParseTCPFlags in sp_tcp_flag_check.*
      since that's what it really is.
    * Added RCS Id tags to all the files and libs. Once they are commited
      at md.prestige.net, they should take proper values. :)

2000-01-08 cp <fygrave@tigerteam.net>
    * Patch from Herb Commodore <herb@nc.rr.com> to configure applied
    * Imrovements to content-matching code and implementation of
      case-insensitive matching from John Wilson <tug@wilson.co.uk)
      are added.
    * "zero netmask" problem fixed.
    * Patrick Mullen's portscan preprocessor is added. log.c routines
      have been fixed to handle NULL pointers.
    * binary logging routines have been changed to use libpcap procedures
      which should fix certain problems with binary logging.
    * Fix in rules.c to complain about bogus preprocessor names.

2000-01-03  mfr  <roesch@clark.net>
        * fixed a problem with pass rules not being applied properly
        * fixed a #include ordering statement for Slackware 4.0 installs
        * fixed banner output for the -V option
        * Token Ring decoding is now fully functional
        * Added packet buffer cleanup code to all protocol decoders
        * fixed a problem with improper TCP option output
        * Added a Snort man page
   
1999-12-08  mfr  <roesch@clark.net>
    * preprocessor plugins (major new functionality!)
    * detection plugins (major new functionality!)
    * variables can now be specified in the rules file
    * include files can now be specified in the rules file
    * Session recording capability
    * Rules may now contain multiple "content" match keywords
    * New IP options detection module, allows IP option inspection
    * New HTTP decoder preprocessor defeats evasive web scans (whisker.pl)
    * detection engine has been heavily modified to implement the new
      "linked-list-of-function-pointers" concept, which makes the detection
      engine more efficient, more flexible, and faster!
    * TCP options decoder split into decode/log modules and recoded
    * IP options decoder split into decode/log modules and recoded
    * Token Ring layer 2 decoder (still in development)
    * ISDN-Raw layer 2 decoder (I4L)
    * ISDN-IP layer 2 decode (I4L)
    * ISDN-Cisco layer 2 decode (I4L)
    * Fixed PPP layer 2 decoder
    * NULL/Loopback layer 2 decoder
    * daemon mode code cleanup
    * tcpdump readback mode code cleanup
    * experimental support for UNIX socket alerting
    * fixed C++ comments in snort.c
    * binary log files now update properly (fflush added)
    * internal rules list integrity testing
    * IP fragments are no longer sent to the detection engine, just
      the preprocessor's.  This is incentive for me (or someone) to write
      an IP defragmentation preprocessor!
    * post-decode call function call sequence has been modified to go into
      the preprocessor system instead of the detection engine

1999-10-18  mfr  <roesch@clark.net>
    * snort.c: * added session dump command line switch

    * log.c: * added sesion data logging functionsi: OpenSessionFile(),
           DumpSessionData().
   
    * decode.c: * fixes snaplen issues with reading back tcpdump files.


1999-10-13  mfr  <roesch@clark.net>
    * snort.c: * threw out tcpdump file readback code and implemented
             open_pcap_offline solution.  Has addded benefit of
             allowing BPF filters to be used to modify file readback
             streams. 
           * Fixed MTU snafu.

    * decode.c: * Rewrote ARP decoder.  The decoder is much simpler (but
              the log routines are far more complex)
            * Horsed around with the TCP and IP option decoders.  I
              think they work better now...

    * log.c: * Added ARP printout and logging routines.  ARP is now
           handled in a much more consistent and correct manner.
         * Fixed stupid crash bug in LogPkt()

    * rules.c: * Added in greater-than and less-than modifiers for dsize
             option keyword.  You now have another (cheap!) way to look
             for buffer overflows

           * Removed range checking for the ICMP icode and itype
             option keywords so that DoS attacks and covert activity
             could be more easily filtered/monitored

1999-09-26  mfr  <roesch@clark.net>
    * snort.c: * new command line options -A, -F, -N, -p, -b
           * logging and alerting functions are now selected and
             assigned to function pointers for faster/more efficient
             logging
           * got rid of -f command line option (superceded by -b)
           * put in new cleanup code for readback mode
           * ripped read_infile from tcpdump to read BPF filter files
   
    * decode.c: * code cleanup in support of new functionality

    * rules.c: * added support for the exception operator to work for ports
           * fixed stupid pointer initialization bug in
             ProcessHeadNode() file, fixed crashes on non-PC arch.
           * new option keywords: dsize, offset, depth
           * cleaned up crappy logic around the logging functions with
             nice clean function pointers (aaaahhhh....)
           * added bidirectional rules functionality (now Snort goes
             both ways....)

    * log.c: * broke out alerting function into seperate subfunctions
         * ditto logging functions
         * fixed string termination code in the SMB alerter so that it
           can now alert to more than one box at a time
         * cleaned up syslog messages
         * finally fixed the SMB "alert once" problem (kudos to Gandalf
           Schaufelberger for that one)

1999-08-06  mfr  <roesch@clark.net>
    * log.c: * added code to AlertMsg to make sure that there was in fact
           an alert message to print out

    * libraries: * fixed the backdoor and scan libraries so they should
               flase alarm less often

1999-08-05  mfr  <roesch@clark.net>
    * snort.c: * activated CyberPsychotic's daemon mode code (use the
             -D switch for daemon mode
           * default logging directory changed from "." to
             /var/log/snort
                   * sanity checks performed on the default log dir now

    * decode.c: * changed the truncated Ethernet header notification to
              only go off in verbose mode
            * removed cruft

    * rules.c: * Added Ron Snyder's "address negation" patch.  Rules may
             now contain "!" on the IP addresses to indicate anything
             BUT the given address

    * log.c: * added support for the new default logging directory

    * configure.in: * fixed some more sparc configuration problems

    * other: * CyberPsychotic sent a new ftp buffer overflow rule in

1999-08-04  mfr  <roesch@clark.net>
    * snort.c: * fixed some DEBUG statements
           * enabled the daemon mode code (this is still
             experimental)
    * decode.c: * fixed various and sundry DEBUG code
            * fixed the TCP option decoder so it wouldn't overflow
              its prinout buffer and cleaned up the temp buffer
    * rules.c: * fixed some DEBUG code
      
    * log.c: * fixed a buffer copy problem with the daemon mode alert
           logging
         * fixed the SMB alerting code and the standard log output
           when in SMB alerting mode
         * cleaned up some of the fragment logging code
         * fixed the logto rules option coding to work properly
    * configure.in: * fixed a whole bunch of little problems that are
              screwing up big endian/non-PC machines.  This
              version should work and compile much more cleanly
               on all architectures!

    * other: fixed a bad rule in the RULES.SAMPLE file and another bad
         one in the misc-lib file

1999-08-01  mfr  <roesch@clark.net>
    * rules.c: Wrote brand new detection engine.  The new engine uses
               a 2-dimensional linked list with recursive node walking.
               Rules are grouped by address/port commonality and then
               option chains are linked to common head blocks.  This
               reduces the number of tests required to find a specific
               test to perform, and reduces the total number of tests
               performed on a given packet in all cases by 200-500%
               over version 1.1.

    * decode.c: Rewrote the packet decode engine.  The new engine
            performs far fewer copies and tries to set pointers
            to defer expensive function calls as late as possible.
            The PrintIP and Net data structures have been eliminated
            so that there is no global data required to perform tests
            or log a given packet.  This will make any future multi-
            threading efforts much easier.

    * log.c: * Much of the logging system was rewritten to take advantage
               of the new detection and decoding engines.
   
         * Made the SMB alerting a configure-time option.  If you
           want to use the SMB alerting feature, you need to specify
           a "--enable-smbalerts" when you run configure.  This is a
           safety measure, read the INSTALL file for the reasons why!

    * snort.c: Fixed a bug in the netmask generation code that wouldn't
           allow certain CIDR blocks to be represented.  Thanks to
           Nick Rogness <nick@trinux.rapidnet.com> for the heads
           up on this one!

1999-06-21  mfr  <roesch@clark.net>
   
    * snort.c: * Added new command line switches: -f, -M, -r. 
               -f: Record fragmented packets in tcpdump format
               -M: Send alerts via WinPopup messages (requires Samba)
               -r: Read and process files generated by tcpdump

           * Fixed startup dumpout code to not drop people if they just
             want to log all packets to the system

           * Added static netmask generation, this rids Snort of the
             need to link to libm, which makes it more Trinux friendly.

    * rules.c: * Added new rule option types:
              logto: log packets matching this rule to the specified
                             log file
              minfrag: set the minimum size of fragmented packets, which
                   allows alerts to be generated for traffic coming
                   from things like nmap or fragrouter
              tcp flags: Added the ability to include the reserved bits
                     of the tcp flags into the rules set.  These
                     flags are specified with a "1" and "2. 
                     Inclusion of these flags allows Queso
                                 fingerprinting attempts to be detected.
              id: The IP ID field may be specified.  This is nice for
              picking up handcrafted packets with recognizable ID
              fields, like 31337 or other "elite" numbers.
              ack: The TCP ack field.  Using this, nmap tcp "pings" may
               be detected.
              seq: The TCP sequence number.  This is provided for
               completeness (I figured since I was putting in the
               ack field, I may as well include the sequence as
               well)
           * Rewrote the content parser.  It now accepts "\" as a
             literal character, so things like "\|" or "\~" will work
             properly.

           * fixed the parenthesis finder for the options code

           * adjusted the acceptable character range in the rule
             parsers

    * log.c: * fragment logging more descriptive and correct

         * fixed IP header logging for ICMP and fragmented packets

         * improved "bad packet" printing/logging

         * fixed IP option output code

         * IP packet ID field now displayed

    * decode.c: * fixed IP fragment decoders and logic streams.

            * fragments are now fed thru the rules set (sorta)

1999-05-17  mfr  <roesch@clark.net>

    * snort.c: Added "-x" command line switch to explicitly activate IPX
           packet notification so people in mixed protocol environments
                   can maintain sanity.  Also added in the new packet counter to
           generate statistics on exit of the number/percentage of
           each type of packet that Snort sees.

    * decode.h: Removed the references to u_int16_t and u_int32_t and
            replaced them with u_short and u_long.  The u_int*_t
            variables caused portability headaches.  Also added in the
            new patch from Chris S. for the  WORDS_MUSTALIGN definition
            for S/Linux version.

    * log.h: Fixed the LOG_AUTH/LOG_AUTHPRIV problem that Solaris users
         were having.

    * decode.c: Added the new packet statistics counters throughout the
            code.  Cleaned up the IPX code a bit. 

    * rules.c: Cleaned up the isspace(3) (et al) calls.

    * etc: Made lots of tweaks to the autoconf stuff to get the S/Linux
           and HP-UX versions to compile cleanly out of the box.

1999-04-28  mfr  <roesch@clark.net>

    * rules.c: Added the code to change the order the rules are applied in.

    * snort.c: Added two new command line switches: "-o" and "-s".

    * decode.c: Added in new layer 2 decoding for SLIP and RAW packet
                types.

        * log.c: Added code to send alert notification to syslog.

1999-04-17  mfr  <roesch@clark.net>

    * rules.c: Rewrote the rules option parser.  It's now a much more
                   consistant interface for both reading rules into the program
                   and writing them as a user.  Added in new rule types to
                   alert on TTL values, and ICMP types/codes.

    * log.c: Most of the logging code has been dramatically rewritten as
                 well, and it now works much better.

    * mstring.c: Added the notion of a meta character to mSplit() so that
                     it was possible to not split on every single occurence of
                     a character in a string.

    * decode.c: Smoothed out all the logging system calls to work nicely
                    with the new log code.

1999-04-08  mfr  <roesch@clark.net>

    * rules.c: Moved AlertPkt() and LogPkt() to log.c

    * log.c: Totally revamped the logging code to be more logical and
                 have less duplication in the code.  There are now seperate
                 logging functions for each of the layers of the packet. 
                 PrintIPPkt() has been totally rewritten, PrintFragHeader has
                 been eliminated, and two functions have been moved over from
                 rules.c and completely rewritten as well.

    * decode.c: Reworked the routines which called the logging functions.

1999-04-06  mfr  <roesch@clark.net>

    * decode.c: added code to display/log the Fragment ID field of the IP
                    header.  Got a nice patch from Sebastian to add in TOS
                    decoding as well.  Added ethernet header logging and
                    display code.

    * mstring.c: fixed the match() routine.  It had a tendency to miss some
                     things some of the time.  (oops!)  Content based matching
                     should work all the time now.

    * log.c: added code to display some of the new stuff that's decoded.

    * snort.c: add a new command line switch: "-e".  This will display the
                   ethernet header data in both the log files and on the screen.

1999-03-24  mfr  <roesch@clark.net>
   
        * decode.c: fixed the damned TCP and IP options decoders.  These things
                    were a friggin pain in the ass to program up properly.
                    Recoding them stopped the huge loop that they had a bad
                    tendancy to get stuck in, thereby making the rest of the
                    program nigh infinitely more useful for just about any
                    friggin problem under the friggin sun.  Frig it.

    * log.c: Stopped the insanity of unnessary carriage returns in the log
                 files and on screen printouts.  Another PITA.

        * rules.c: Fixed output formatting yet again.


1999-03-21  mfr  <roesch@clark.net>

    * snort.c: fixed a bug in the timestamp code so the month prints out
                   right

    * decode.c: added code to detect and decode IP and TCP Options.  Also
                 added code to print packet fragments with truncated headers
                 into a PACKET_FRAG file which gets dumped in the default log
                 directory.

    * log.c: added code and data structures to print out IP and TCP Options
                 plus I fixed the f'd up fragment print out logic.  Changed
                 OpenLogFile() to include a mode argument for packet fragment
                 print out.

    * rules.c: rewired the entire rules test routine and added some long
                   needed goto's into the program.  I feel manly now.  Also
                   added a new rule field: TCP flags.  This allows us to
                   alert/log/pass on tcp flags.  Also added in port range
                   functionality, you can now specify a range of ports, or
                   greater than/less than a specified port.


1999-03-08  mfr  <roesch@clark.net>

    * snort.c: Ripped off the timestamp printout routines from tcpdump
           and stuffed them into snort.c, yum yum.  This gives us
           millisecond timestamping on the packets for those of you
           interested in such things.


1999-03-06  mfr  <roesch@clark.net>

    * mstring.c: mContainsSubstring has been replaced.  mContainsSubstring
             is a brute force pattern matcher, and is therefore very
             slow and not too efficient.  The new routine, match(),
             implements a Boyer-Moore string search algorithm and is
             much faster in the general case and much more tolerent of
             "poor" pattern selection.

    * log.c: PrintNetData has been completely rewritten.  It should now be
                 much faster and only needs to generate the print out buffer
                 once per packet.  This routine was a major source of slow
                 down/dropped packets before.  You still shouldn't use verbose
                 mode with the "-d" command line switch if you're using Snort
                 as an IDS, because it's still slow enough to drop some large
                 packets.  Packet print out has changed as well, with the
                 different packet layers seperated by onto their own lines
                 (well, mostly).  Fragmented packets are now recorded in a
                 "FRAG" file.

    * decode.c: Snort now detects fragmented packets, plus the DF and MF
                    bits, and decodes the fragment offset. 

    * snort.c: Now displays packet collected/dropped statistics when
                   shutting down.


1999-02-18  mfr  <roesch@clark.net>

    * snort.c: Code cleanup and some error checking was added.  The system
           now accepts the interface name you give it at the command
           line.  Fixed a problem with underallocating the interface
           name buffer for names specified on the command line. 
           Suprisingly, this only came to light when tested on the
             Sparc architecture.

    * log.c: ICMP logging now includes the ICMP code description in the
         filename.  This makes it easier to see what you're interested
         in without having to go digging into the log files.

    * decode.c: Made the ICMP types and codes a little more compatible with
            being used as a filename.


1999-01-28  mfr  <roesch@clark.net>

        * rules.c: Rules sorting is now implemented.  There are actually three
                   seperate lists (Pass, Log, Alert) now, with the rules being
                   placed on to the lists in the order they're read from the
                   rules file.  The rule execution order was changed, now
                   Alert rules are applied first, then Pass Rules, the Log
                   rules.  Content based rules are available now, the actual
                   application layer data can be searched, both binary and
                   text, for a specific pattern to activate a rule on.

        * decode.c: Minor changes to reflect the new rules structure.


1999-01-19  mfr  <roesch@clark.net>

        * snort.c: Modularized the code, big time!  New source modules are log,
                   rules, decode, and mstring.  Dumped SetFlow() for now.

        * rules.c: Rules based packet logging now enabled!

        * log.c: Now keeps track of TCP/UDP conversations better!

        * decode.c: Enhanced decoding of packets, including ICMP ECHO seq and
                    id!


1999-01-08  mfr  <roesch@clark.net>

        * snort.c: Made a fix to SetFlow() so that it wouldn't dump the
                   program if it got traffic from 0.0.0.0 or 255.255.255.255.

        * snort.h: Removed the "#define VERSION" since it's handled in config.h.

        * README: Proper README file included with this distro


1998-12-21  mfr  <roesch@clark.net>
    * snort.c: Made this file, figured out autoconf