2011-02-10 Ryan Jordan
Snort 2.9.0.4
    * src/build.h:
      Increment Snort build number to 110

    * snort.8, src/snort.c:
      Updated Snort man page to match the output of "snort --help".
      Removed "-o" from the list of valid options, since it was removed
      a while ago. The verdicts from defragged packets are no longer
      cleared, so that they can be applied to the raw packet.
      Thanks to Markus Lude for submitting a patch that fixed errors in
      the man page.

    * src/fpcreate.c:
      Deleted the call to fpDeletePortGroup() prior to calling
      FatalError().

    * src/parser.c:
      Fixed portvar parsing code to correctly display names of undefined
      portvars.

    * src/preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed a FIN sequence number handling issue, where RST after FIN
      caused a false positive on Stream5 preprocessor rule 129:15.
      Thanks to Jason Wallace for pointing out the issue.

    * doc/: INSTALL, README.frag3, README.http_inspect, README.stream5,
      snort_manual.tex, snort_manual.pdf:
      Added documentation for the option "small-segments".
      Updated team members.
      Clarified some undocumented "flow" options.
      Minor edits to punctuation on "ssl_version" examples.
      Re-worded uricontent's description.
      Added missing semicolons to rule option examples.
      Updated "enable_cookie" documentation.
      Added documentation for "iis_encode" in http_encode keywords.
      Improved the description of the "disable" keyword.
      Added "--enable-sourcefire" description.
      Thanks to Joshua Kinard for sending in several patches to the
      manual.

    * doc/: Makefile.am, README.rzb_saac:
      Added SaaC readme.

    * configure.in, doc/Makefile.am, doc/README.rzb_saac, src/snort.c,
      src/util.c, src/util.h,
      src/dynamic-plugins/sf_engine/examples/Makefile.am,
      src/dynamic-preprocessors/Makefile.am,
      src/dynamic-preprocessors/dns/spp_dns.c,
      src/dynamic-preprocessors/rzb_saac/Makefile.am,
      src/dynamic-preprocessors/rzb_saac/rzb_debug.c,
      src/dynamic-preprocessors/rzb_saac/rzb_debug.h,
      src/dynamic-preprocessors/rzb_saac/rzb_http-client.c,
      src/dynamic-preprocessors/rzb_saac/rzb_http-client.h,
      src/dynamic-preprocessors/rzb_saac/rzb_http-collector.h,
      src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.c,
      src/dynamic-preprocessors/rzb_saac/rzb_http-fileinfo.h,
      src/dynamic-preprocessors/rzb_saac/rzb_http-server.c,
      src/dynamic-preprocessors/rzb_saac/rzb_http-server.h,
      src/dynamic-preprocessors/rzb_saac/rzb_http.h,
      src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.c,
      src/dynamic-preprocessors/rzb_saac/rzb_smtp-collector.h,
      src/dynamic-preprocessors/rzb_saac/sf_preproc_info.h,
      src/dynamic-preprocessors/rzb_saac/spp_rzb-saac.c:
      Added Razorback SaaC to the dynamic-preprocessors. Use
      --enable-rzb-saac to build it.
      Moved the initgroups call to a separate function and call it from
      the main thread.

    * src/detection-plugins/sp_clientserver.c:
      Fixed an erroneous error check so that "no_frag" and "no_stream"
      can be used in the same "flow" rule option.

    * src/detection-plugins/sp_pattern_match.c:
      Rules that use a "depth" value lower than the length of their
      content now cause an error. Depth should be >= the content length.

    * src/detection-plugins/sp_tcp_flag_check.c:
      Changed the reserved bits flags "1, 2" to "C, E". The old values
      can still be used for backwards compatibility.

    * preproc_rules/preprocessor.rules:
      Added references to FTP and SMTP preprocessor rules.

    * src/dynamic-plugins/sf_engine/examples/: detection_lib_meta.h:
      Removed extraneous ifdef

    * src/: preprocessors/spp_frag3.c, preprocessors/spp_sfportscan.c,
      dynamic-preprocessors/dcerpc2/dce2_config.c:
      Added startup log message to show that the preprocessors are
      inactive when added to snort.conf as "disabled".
      Updated frag3 startup log to indicate the memcap from which
      prealloc fragments were generated.

    * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
      Updated the Frag3KeyCmp and Stream5KeyCmp functions to handle
      32bit sparc platforms where 64bit pointer comparisons can cause
      bus errors. Thanks to Stephan for reporting this issue.

    * src/: preprocessors/portscan.c, win32/WIN32-Includes/config.h:
      Portscan preprocessor's hash table is now allocated based on the
      memcap, instead of being the same size.

    * src/dynamic-preprocessors/dcerpc2/: dce2_co.c, dce2_utils.c,
      dce2_smb.c:
      Fixed a bug that caused dcerpc2 to reassemble some segments
      incorrectly. If extra bytes at the end of a request corrupt the
      next request, they will be discarded.

    * src/dynamic-preprocessors/ssl/spp_ssl.c:
      Updated the SSL preproc to count the packets it processes, instead
      of counting all packets to enter the initial function.

    * doc/: faq.tex, faq.pdf:
      Updated FAQ based on snort.org reorganization.

    * doc/: README.http_inspect, snort_manual.pdf, snort_manual.tex:
      Updated cookie documentation. Cookie buffer includes "Cookie"
      header name for HTTP requests and "Set-Cookie" for HTTP responses.
      When enable_cookie is disabled, cookie buffer points to the HTTP
      header.

    * src/preprocessors/snort_httpinspect.c:
      Fixed the error message during parsing of HTTP inspect server
      config. Make it a warning.

    * src/: detection_util.h, preprocessors/snort_httpinspect.c,
      preprocessors/spp_httpinspect.c,
      preprocessors/HttpInspect/client/hi_client.c,
      preprocessors/HttpInspect/include/hi_client.h,
      preprocessors/HttpInspect/include/hi_norm.h,
      preprocessors/HttpInspect/include/hi_ui_config.h,
      preprocessors/HttpInspect/normalization/hi_norm.c,
      preprocessors/HttpInspect/server/hi_server.c:
      Fixed a false positive due to a large chunk length followed by a
      small packet.
      Moved the lookup table such that they are initialized only once.
      When de-chunking returns error, the data is now inspected as a
      normal body.
      Moved the Initialize function out of hi_ui_config.h.
      CRLFs are no longer placed in the status message buffer.

    * many files:
      Updated all Sourcefire copyright notices to the year 2011.