09/23/2016 - Sagan 1.1.2. released.
* Added "srcport" for "threshold" and "after".
* Fixes around "dstport" for "threshold" and "after".
* Fixed display of source/destination IP addresses in tools/sagan-peek.c
* Change "artistic" style from "GNU" to "Linux". This allows better formatting of source code on smaller screens.
* New pthread mutex to address corruptions of mmap / files.
* tools/sagan-peek.c now has a command line option to specify the mmap file location. Various other improvements.
* Better error checking in src/processors/sagan-track-clients.c
* New MD5, SHA1 and SHA256 in src/parsers/parse-hash.c
* Minor Bluedot lookup fixes.
* Fixes for "after" and "threshold" when dealing with "usernames". (Username tracking).
* Added "file" option for sagan.conf to reference a file to load. For example, "var MYVAR file:/path/to/my/values.txt".
For more information, see https://github.com/beave/sagan/issues/75
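The new hash parsing (MD5, SHA1 and SHA256 in src/parsers/parse-hash.c) is easiest to understand on actual log lines. The following is an added Python example, not Sagan's code: it pulls candidate MD5/SHA1/SHA256 digests out of syslog lines by the length of the hex run and checks them against a blocklist. The log lines, the blocklist, the function names and the regular expression are all constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample syslog lines for the example (not real Sagan input).
SAMPLE_LOGS = [
    "Sep 23 10:00:01 host1 clamd[1234]: /tmp/x.exe: Malware FOUND md5=D41D8CD98F00B204E9800998ECF8427E",
    "Sep 23 10:00:02 host1 sshd[99]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2",
    "Sep 23 10:00:03 host2 edr: file sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 quarantined",
    "Sep 23 10:00:04 host2 edr: sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709 seen; token 0123456789abcdef0123456789abcdef0123456789abcdef",
]

# Constructed blocklist of digests to alert on (lower-case, as the parser normalises).
BLOCKLIST = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# A hex run of exactly 32, 40 or 64 characters, bounded by non-hex on both sides
# so that a longer run (the 48-char token above) is not cut into a shorter "hash".
# Longest alternative first so a 64-char run is not reported as a 32-char one.
_HASH_RE = re.compile(
    r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{64}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{32})(?![0-9A-Fa-f])"
)

_LENGTH_TO_TYPE = {32: "md5", 40: "sha1", 64: "sha256"}


def extract_hashes(line: str) -> Dict[str, List[str]]:
    """Return candidate digests found in one log line, grouped by type.

    Length is only a heuristic: a 32-char hex GUID or session id also matches
    as "md5", so treat the result as a candidate, not a verified digest.
    """
    found: Dict[str, List[str]] = {"md5": [], "sha1": [], "sha256": []}
    for m in _HASH_RE.finditer(line):
        digest = m.group(1).lower()
        found[_LENGTH_TO_TYPE[len(digest)]].append(digest)
    return found


def scan(lines: List[str], blocklist=BLOCKLIST) -> List[Tuple[int, str, str]]:
    """Return (line index, hash type, digest) for every blocklisted digest seen."""
    hits = []
    for idx, line in enumerate(lines):
        for hash_type, digests in extract_hashes(line).items():
            for d in digests:
                if d in blocklist:
                    hits.append((idx, hash_type, d))
    return hits


if __name__ == "__main__":
    for idx, line in enumerate(SAMPLE_LOGS):
        print(idx, extract_hashes(line))
    print("blocklist hits:", scan(SAMPLE_LOGS))
```

The boundary assertions in the expression matter more than they look: without them, a 64-character SHA256 would also be reported as a SHA1 and an MD5 taken from its prefix, and any longer hex blob (tokens, keys) would produce spurious "hashes".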
08/17/2016 - Sagan 1.1.1 released.
* Added meta_offset, meta_depth, meta_within and meta_distance - Champ Clark (cclark@quadrantsec.com)
* Major changes/restructuring to sagan-meta-content.c - Adam Hall (ahall@quadrantsec.com)
* Fix major memory issue when loading large sets of rules. Related to meta_content! (Champ Clark)
* Minor build fix when liblognorm is disabled - Champ Clark
* Minor stdbool.h issue & added PKG_PROG_PKG_CONFIG to configure.ac
* Remove old unneeded liblognorm headers. Champ Clark
* memset replacement of strlcpy, minor clean up, minor bug fixes. (Adam & Champ)
07/06/2016 - Sagan 1.1.0 released.
The Basics:
-----------
* Sagan now "remembers" where it left off between restarts/reboots/etc.
* You can now create rules that focus on certain IP addresses or IP address ranges (i.e. $EXTERNAL_NET/$HOME_NET).
* Sagan can treat "old" Bluedot IP reputation threat Intel differently than "new" threat intel.
* We added "qdee.pl", an SDEE poll routine, to the "extra" directory.
* A lot of bugs were fixed
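What it means for a rule's source/destination to honour $EXTERNAL_NET and $HOME_NET is easiest to see in code. The following is an added Python example and not Sagan's implementation: it resolves rule variables written in the Snort-style list syntax that the example assumes (a bracketed, comma-separated CIDR list, "!" for negation, "any" for everything) and tests them against an already normalized event's src_ip/dst_ip. The variable values, the events and the function names are constructed for the example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed variable definitions (assumption: Snort-style syntax of a bracketed,
# comma-separated CIDR list, "!" for negation and "any" for everything).
VARS: Dict[str, str] = {
    "HOME_NET": "[10.0.0.0/8,192.168.0.0/16]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Constructed events, in the shape a normalizer would hand back after extracting
# the addresses from the raw syslog text.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.9", "dst_ip": "10.1.2.3"},   # inbound from outside
    {"src_ip": "10.1.2.3", "dst_ip": "10.1.2.4"},      # internal to internal
    {"src_ip": "192.168.5.5"},                          # no destination extracted
]


def resolve(spec: str, variables: Dict[str, str]) -> Tuple[bool, Optional[list]]:
    """Expand $VAR references; return (negated, networks). networks is None for 'any'."""
    negated = False
    spec = spec.strip()
    while spec.startswith("!"):          # "!!x" cancels out
        negated = not negated
        spec = spec[1:].strip()
    if spec.startswith("$"):
        inner_negated, nets = resolve(variables[spec[1:]], variables)
        return negated ^ inner_negated, nets
    if spec == "any":
        return negated, None
    parts = spec.strip("[]").split(",")
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in parts if p.strip()]
    return negated, nets


def address_matches(addr: str, spec: str, variables: Dict[str, str] = VARS) -> bool:
    """True when addr satisfies a rule field such as "$HOME_NET", "!10.0.0.0/8" or "any"."""
    negated, nets = resolve(spec, variables)
    if nets is None:
        return not negated
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets) != negated


def flow_matches(event: dict, src_spec: str, dst_spec: str, variables: Dict[str, str] = VARS) -> bool:
    """Test a normalized event against a rule's source -> destination fields.

    A side the event has no address for only matches a plain "any": a rule that
    constrains that side cannot be satisfied by an unknown address.
    """
    for field, spec in (("src_ip", src_spec), ("dst_ip", dst_spec)):
        value = event.get(field)
        negated, nets = resolve(spec, variables)
        if value is None:
            if nets is None and not negated:
                continue
            return False
        if not address_matches(value, spec, variables):
            return False
    return True


def inbound_from_external(events) -> list:
    """Which of the events would a '$EXTERNAL_NET -> $HOME_NET' rule consider?"""
    return [flow_matches(e, "$EXTERNAL_NET", "$HOME_NET") for e in events]


if __name__ == "__main__":
    print(inbound_from_external(SAMPLE_EVENTS))
```

Nested negation inside a list (e.g. `[10.0.0.0/8,!10.1.0.0/16]`) is deliberately not handled here; the point is that the direction test runs on the normalized addresses, and that an event with nothing extracted for one side does not silently match a rule that constrains it.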
The Details:
------------
* Moved all "threshold", "after", "flowbits", and "client tracking" to mmap files. This means that Sagan "remembers" between restarts where it "left off"!
* Introduced "tools/sagan-peek.c" which allows you to examine Sagan mmap files. Useful in debugging or just "seeing" what Sagan is "tracking".
* $EXTERNAL_NET and $HOME_NET now function as expected. Previous versions of Sagan had no concept of $EXTERNAL_NET/$HOME_NET, so they were ignored. Adam Hall @ Quadrant made Sagan "aware" of "traffic flow". Values in a rule for source/destination are tested _after_ normalization.
* Added "mdate" (modification date) and "cdate" (creation date) to Bluedot. This allows Sagan to not trigger on "aged" Bluedot Threat Intel. For example, do _not_ alert if an IP address is seen and the Intel is over X hours/days/months/years old.
* Thresholding based on 'dstport' merged, thanks to Bruno Coudoin. See: https://github.com/beave/sagan/commit/44d6752acf27d61bcd57e35f930b0f6e11dadbc7
* Added parsing of the IPTables "SPT" and "DPT" ports, thanks to Bruno Coudoin. https://github.com/beave/sagan/commit/9de9cffd224a44f93c80eca62e6ead617a4b97a6
* Added "qdee" to the "extra" directory. This allows Sagan to parse older style Cisco IDS output. This polls using the SDEE protocol. See https://github.com/beave/sagan/commit/61c4a7dd611161697785c889630dd3c8333ec8b5
* Removed support for libjsonc (json-c) and moved to libfastjson.
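The "after"/"threshold" state that now survives restarts, together with the extra tracking keys (srcport, dstport, username) added in 1.1.2, can be illustrated with a small tracker. The following is an added Python example and not Sagan's implementation or its mmap file format: it keeps per-key counters for "after"-style suppression (pass an event only once `count` events with the same tracking key arrive within `seconds`), writes them to a JSON file on save and reloads them on construction, so a counter started before a restart continues after it. The class, the tracking fields, the events and the timestamps are constructed for the example.

```python
import json
import os
import tempfile
from typing import Dict, Iterable, List


class AfterTracker:
    """'after'-style suppression: an event passes only once `count` events that
    share the same tracking key have arrived within `seconds`."""

    def __init__(self, state_path: str, count: int, seconds: int, track_by: Iterable[str]):
        self.state_path = state_path
        self.count = count
        self.seconds = seconds
        # e.g. ("src_ip", "src_port"), ("dst_port",) or ("username",)
        self.track_by = tuple(track_by)
        self.state: Dict[str, Dict[str, float]] = {}
        if os.path.exists(state_path):        # resume where the previous run left off
            with open(state_path) as fh:
                self.state = json.load(fh)

    def track_key(self, event: dict) -> str:
        return "|".join(str(event.get(f, "")) for f in self.track_by)

    def hit(self, event: dict, now: float) -> bool:
        key = self.track_key(event)
        entry = self.state.get(key)
        if entry is None or now - entry["first"] > self.seconds:
            entry = {"first": now, "count": 0}  # start (or restart) the window
            self.state[key] = entry
        entry["count"] += 1
        return entry["count"] >= self.count

    def save(self) -> None:
        # Write to a temporary file and rename, so a crash mid-write leaves the
        # previous state intact rather than a truncated, unreadable file.
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.state, fh)
        os.replace(tmp, self.state_path)


def demo() -> List[bool]:
    """Two events before a 'restart', three after; the third event of the same
    source IP/port within 60 seconds is the first one that passes."""
    state = os.path.join(tempfile.mkdtemp(), "after.json")
    bob = {"src_ip": "10.0.0.5", "src_port": 51234, "username": "bob"}   # constructed

    first_run = AfterTracker(state, count=3, seconds=60, track_by=("src_ip", "src_port"))
    results = [first_run.hit(bob, 0), first_run.hit(bob, 10)]
    first_run.save()                        # state written before the "restart"

    second_run = AfterTracker(state, count=3, seconds=60, track_by=("src_ip", "src_port"))
    results.append(second_run.hit(bob, 20))                             # 3rd in window: passes
    results.append(second_run.hit(dict(bob, src_port=40000), 20))       # different key: suppressed
    results.append(second_run.hit(bob, 100))                            # window expired: reset
    return results


if __name__ == "__main__":
    print(demo())
```

Without the reload in the constructor the third event would be counted as the first of a new window and the alert would be lost on every restart, which is the behaviour the move to mmap files removes. The temporary-file-and-rename in `save` is the single-process equivalent of guarding the file against partial writes; Sagan's own fix for the same class of problem is the mutex noted in the 1.1.2 entry.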
The Bugs Fixed:
---------------
* Corrected an issue where Sagan could not open a file (-F/--file) due to permissions.
* Removed unused "SigArgs" array.
* Clean exit when Sagan cannot load Maxmind GeoIP2 data file.
* Change "normalize: {type}" to "normalize;". All normalization rules now come from one file. This keeps Sagan in line with liblognorm development.
* Sagan now "warns" the user if old style "normalize" is encountered. See: https://github.com/beave/sagan/commit/ba3de9e43bc8623b361e34ce06a2e7808e045f88 and https://github.com/rsyslog/liblognorm/issues/206
* Fix json_object_object_get_ex compile-time warnings. See: https://github.com/beave/sagan/commit/e9bdea5b7fa5b25c1d7e740a4c856c70a1046d1d
* Minor ARM CPU fixes.
* Various "meta_content" fixes. Using "meta_content" with large amounts of search data would sometimes cause failures.
* Major bug fixes involving "client tracking". Thanks to Adam Hall @ Quadrant Information Security!
* Sagan now attempts to create the FIFO if it is not detected. Thanks to Cabrol Perales.
* A lot of smaller bug fixes. See: https://github.com/beave/sagan/commits/master
11/19/2015 - Sagan 1.0.1 released.
* Add unified2 "extra data" field to store the original syslog source.
* Added threshold by "username".
* Minor code clean up.
10/23/2015 - Sagan 1.0.0 released.