*** Using this file is deprecated, use svn, look at the logs. ***

2004-02-06  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c (process_data):
	* plugins/reports/xmlmod/xmlmod.c (process_additional_data):
	Use the len returned by idmef_additionaldata_data_to_string().

2004-02-05  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/packet-decode.c (ip_dump): fix typo...

2004-02-04  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/packet-decode.c (data_dump): new way
	of dumping packet. Don't generate a hexadecimal dump, use the raw
	packet data.

2004-02-03  Yoann Vandoorselaere

	* plugins/reports/xmlmod/xmlmod.c (process_additional_data):
	* plugins/reports/textmod/textmod.c (process_data): fix for latest
	idmef_additionaldata_data_to_string change. We still need to sort
	out how we are going to handle binary data though (marked as FIXME).

2004-02-01  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/packet-decode.c (data_dump): Store
	payload size as an additional data integer.

2004-01-31  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/packet-decode.c (data_dump): stop
	converting the packet payload to hexadecimal here. We now just
	attach the raw payload to the alert additional data. Further
	operation on the payload is up to the frontend.

2004-01-11  Yoann Vandoorselaere

	* prelude-manager.conf.in: remove invalid section.

2004-01-07  Yoann Vandoorselaere

	* prelude-manager-db-create.sh.in (manager_user): less confusing
	database creation message, reported and corrected by Sami Haahtinen.

2004-01-07  Nicolas Delon

	* src/idmef-message-scheduler.c (process_message): fit
	idmef_message changes

2004-01-01  Nicolas Delon

	* plugins/reports/textmod/textmod.c (process_data): fit
	idmef_additionaldata_data_to_string changes
	* plugins/reports/xmlmod/xmlmod.c (process_additional_data): fit
	idmef_additionaldata_data_to_string changes

	Happy new year to our ChangeLog readers! ;)

2003-12-28  Yoann Vandoorselaere

	* plugins/reports/db/db.c (process_message): no need to check if
	enabled is set. If we are not enabled, we won't be called.
	(set_db_state, plugin_init): add a port option.
	(plugin_init): s/dbname/name/

2003-12-28  Nicolas Delon

	* plugins/reports/db/db.c: plugin rework, the configuration process
	has changed to something more user friendly
	* prelude-manager.conf.in: updated to the new libpreludedb plugin
	configuration process; for the Xmlmod plugin, add the "format"
	keyword to the configuration example

2003-12-28  Yoann Vandoorselaere

	* src/server-generic.c (setup_client_socket):
	* manager-adduser/manager-adduser.c (handle_client_connection):
	s/socket_io/sys_io/
	* src/prelude-manager.c (main): ignore SIGPIPE.

2003-12-27  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/decode.c: cleanup. If a source /
	target already exist then use them.

2003-12-26  Nicolas Delon

	* plugins/reports/db/db.c: fit last changes in libpreludedb (add
	two includes)

2003-12-25  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/decode.c (decode_message):
	(nids_decode_run): take care about un-set idmef field. Be more
	verbose on error.
	* plugins/decodes/prelude-nids/passive-os-fingerprint.c
	(passive_os_fingerprint_dump): fix an undefined reference. Make it
	faster, by avoiding an unnecessary idmef_string_t and idmef_data_t
	allocation/copy. Fix includes.
	* src/decode-plugins.c (decode_plugins_run): remove all the
	'used_plugins_list' code... It's not needed with the new IDMEF API,
	and moreover, was causing a sigsegv because the plugin freeing
	functions were not called anymore.
	* src/idmef-message-scheduler.c (read_idmef_message): be more
	verbose on error.
	* plugins/decodes/prelude-nids/packet-decode.c (tcp_dump):
	(ip_dump, tcpopts_dump, ipopts_dump, arp_dump, ether_dump,
	udp_dump, data_dump, igmp_dump, icmp_dump, nids_packet_dump):
	cleanup, update all function declarations to fit API change
	requirements. Always add 1 to the string length. Use _nodup
	function variant where required.
	* plugins/reports/textmod/textmod.c (process_analyzer): fix a
	sigsegv on corrupted alert.

2003-12-14  Nicolas Delon

	* plugins/filters/skeleton/skeleton.c: fix a compile issue

2003-12-13  Yoann Vandoorselaere

	* manager-adduser/manager-adduser.c
	(handle_plaintext_account_creation): call getuid() instead of using
	0, which made account creation fail in case you are not running
	manager-adduser as root.
	* src/server-generic.c (handle_connection): use calloc().

2003-06-11  Stéphane Loeuillet

	* src/idmef-util.c (idmef_get_db_timestamp): Included patch from
	Laurent Pautet closing bug #84: a space was missing in inserted
	timestamp. Only worked for MySQL 3.2x to 4.0.x, not for MySQL 4.1.x
	nor PostgreSQL

2003-06-11  Yoann Vandoorselaere

	* manager-adduser/manager-adduser.c: Include a heavily modified
	patch from Krzysztof Zaraska sun_path.
	* src/pconfig.c (pconfig_init): set config.addr to NULL as the
	default.
	(set_sensor_listen_address): use strrchr() instead of strchr so
	that we can handle Ipv6 address.
	* configure.in: check whether Ipv6 is available on this system.
	Define HAVE_IPV6 if it is. Use AC_DEFINE_UNQUOTED in place of
	AC_DEFINE everywhere. We are now able to accept both Ipv6 and Ipv4
	connections.
	* src/idmef-util.c (idmef_additional_data_to_string): fix GCC
	strict-aliasing warning by using a union.
	* manager-adduser/ssl-register-client.c (recv_ack): fix GCC
	strict-aliasing warning.

2003-05-14  Yoann Vandoorselaere

	* src/idmef-message-scheduler.c: no need for stop_processing to be
	an atomic variable, as it is protected by the input_mutex.
	(wait_for_message): unlock the mutex before exiting the thread.
2003-05-11  Yoann Vandoorselaere

	* Included patch from Sylvain Gil, in order for Prelude Manager to
	compile under MacOSX:
	* acinclude.m4 (macosx): added AC_CHECK_TYPE
	* configure.in (macosx): use $LIBPRELUDE_LIBS; add -no-cpp-precomp
	to CPPFLAGS on macosx; check for socklen_t

2003-05-10  Yoann Vandoorselaere

	* manager-adduser/ssl-register-client.c (ssl_register_client):
	remove call to memset().
	(wait_install_request): remove call to prelude_io_close.

2003-05-03  Yoann Vandoorselaere

	* configure.in (pthread_cflags): update to new libprelude-config
	scheme for getting pthread cflags. Update libprelude requirements
	to 0.8.6.
	* src/idmef-message-scheduler.c (wait_for_message): stop enabling
	asynchronous cancellation when waiting for the input condition
	variable. Exit when stop_processing is set and we have no more data
	to process.
	(idmef_message_scheduler_exit): stop using pthread_cancel() because
	its result heavily depends on the architecture. Set stop_processing
	to 1, and signal the input condition.
	* plugins/decodes/prelude-nids/packet-decode.c (dump_tcp_flags):
	dump ECNECHO and CWR.
	(switch_ethertype): handle ETHERTYPE_ARP.
	(tcp_dump): dump a fingerprint even if ECNECHO or CWR flags are
	set.
	* plugins/decodes/prelude-nids/nethdr.h: TH_RES1 and TH_RES2 become
	TH_ECNECHO and TH_CWR.
	* configure.in: remove trailing '/' from plugins directory.
	* Makefile.am (install-data-local): remove trailing '/' from
	$(DESTDIR).
	* plugins/decodes/prelude-nids/packet-decode.c (ip_dump): fix a bug
	where ip_len would always be dumped as being 0.
	(tcp_dump): TH_OFF() * 4.

2003-05-01  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/nethdr.h (IP_V): (TH_OFF): fix
	macro.
	* plugins/decodes/prelude-nids/passive-os-fingerprint.h: wscale is
	now an int. Mss changed from int16_t to int, so that it can accept
	-1 and the whole tcp window range. This fixes some Ettercap
	compatibility problem, plus a possible failed assertion.
	* plugins/decodes/prelude-nids/passive-os-fingerprint.c
	(passive_os_fingerprint_dump): cleanup.
	* plugins/decodes/prelude-nids/packet-decode.c (ip_dump):
	(tcp_dump): correct the way we compute pof.len (ettercap wants the
	ip + ip option + tcp + tcp option size).

2003-04-29  Yoann Vandoorselaere

	* plugins/reports/xmlmod/Makefile.am: move xmldtddir out of the
	automake conditional.

2003-04-28  Yoann Vandoorselaere

	* configure.in:
	* NEWS: bump version number to 0.8.7
	* plugins/decodes/prelude-nids/Makefile.am (noinst_HEADERS):
	include passive-os-fingerprint.h
	* plugins/db/mysql/Makefile.am:
	* plugins/db/pgsql/Makefile.am: always install .sql file.
	* configure.in: chmod +x prelude-manager-db-create.sh.

2003-04-28  Krzysztof Zaraska

	* plugins/decodes/prelude-nids/passive-os-fingerprint.h: include
	and instead of

2003-04-27  Yoann Vandoorselaere

	* prelude-manager-db-create.sh.in: Included patch from Patrick
	Marie, fixing bug #0000072 and part of #0000073. This patch is a
	rewrite of the PostgreSQL database/user/tables creation.

2003-04-27  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/optparse.c (printopt):
	* plugins/decodes/prelude-nids/packet-decode.c (ether_dump):
	(icmp_dump): (igmp_dump): (data_dump): (udp_dump): (ip_dump):
	(tcp_dump): check snprintf() return value more carefully.
	(nids_packet_dump): continue anyway if one of the dumping functions
	fails.
	* src/server-generic.c (server_generic_new): update to fit latest
	server-logic API changes.
	* src/server-logic.c: update server-logic version. This one fixes
	numerous bugs and races, and got tested on a heavily loaded IRC
	server.

2003-04-27  Yoann Vandoorselaere

	* acconfig.h: obsoleted by the AC_DEFINE() and AC_DEFINE_UNQUOTED()
	correction. Removed.
	* configure.in: use AC_REAL_PATH_GENERIC for searching pgsql and
	mysql database. Use AC_PATH_GENERIC for searching the XML2 library.
	Correct use of AC_DEFINE and AC_DEFINE_UNQUOTED.
	* acinclude.m4: AC_PATH_GENERIC becomes AC_REAL_PATH_GENERIC. Now
	takes more arguments: the _real_ script name (allows searching for
	pg_config, mysql_config), whether the script supports the prefix
	option, and the cflags and libs argument names. AC_PATH_GENERIC now
	calls AC_REAL_PATH_GENERIC. You can now provide a prefix for pgsql,
	mysql, and xml2. This fixes bug #0000070 ("Problems with the
	--enable-pgsql configuration options").
	* prelude-manager-db-create.sh.in: Included modified patch from
	Michael Boman, fixing bug #0000073: "prelude-manager-db-create.sh
	can only use local databases". Modifications to the patch include
	correction for a variable name typo, echo-ing the dbport to put in
	the Manager configuration file, and FreeBSD /bin/sh compatibility
	modification (removed [[ ]] syntax, and multi conditional test
	within if).

2003-04-27  Yoann Vandoorselaere

	* prelude-manager-db-create.sh.in: Included patch from Patrick
	Marie, fixing bug #0000074: "prelude-manager-db-create.sh doesn't
	work with FreeBSD /bin/sh. Multi conditional "if" in test(1) are
	not supported, neither [[ ]] syntax."

2003-04-24  Yoann Vandoorselaere

	* ChangeLog:
	* plugins/db/pgsql/pgsql.c:
	* plugins/db/mysql/mysql.c: previous commit reverted, because the
	modifications were invalid, and the ChangeLog entry wrong.
	* plugins/db/pgsql/pgsql.c (set_dbport): (plugin_init):
	(db_connect):
	* plugins/db/mysql/mysql.c (db_connect): use dbport variable.
	(set_dbport): impl.
	(plugin_init): add a dbport option.
	Patch from Michael Boman: Both mysql and pgsql now have a new
	command line option to assign port number: dbport. Now works with
	MySQL v4.0+ (does not use mysql_connect which has been deprecated,
	use mysql_real_connect instead)

2003-03-18  Krzysztof Zaraska

	* plugins/decodes/prelude-nids/passive-os-fingerprint.h: include
	and instead of (FreeBSD compatibility fix).

2003-01-29  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/packet-decode.c (ip_dump): fix a bug
	pointed out by Laurent Oudot, where packet dumped wouldn't show the
	DF (Don't Fragment) flag.

	Include a modified patch (fixed coding style, and a few bugs) from
	Laurent Oudot; this patch implements passive os fingerprint, adding
	a fingerprint to the alert additional data.
	* plugins/decodes/prelude-nids/packet-decode.c (ip_dump):
	(tcp_dump):
	* plugins/decodes/prelude-nids/optparse.c (tcp_optval):
	(is_1byte_option): fill the POF structure.
	* plugins/decodes/prelude-nids/decode.c (msg_to_packet): zero the
	POF structure, and call passive_os_fingerprint_dump() once the
	packet has been read.
	* plugins/decodes/prelude-nids/Makefile.am (DEFS): add
	passive-os-fingerprint.c to the compilation.
	* plugins/decodes/prelude-nids/passive-os-fingerprint.h:
	* plugins/decodes/prelude-nids/passive-os-fingerprint.c: new files.

2003-01-24  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/packet-decode.c (arp_dump): fix some
	bugs in ARP packet dump.

2003-01-23  Krzysztof Zaraska

	* manager-adduser/ssl-register-client.c: Modified to use arbitrary
	length certificate buffer. This is done in accordance with fixing a
	buffer overrun in sensor-adduser utility. Although the problem did
	not cause security issues with manager-adduser utility, as the
	oversized certificate was rejected immediately after being
	received, a fix was necessary to maintain the required
	interoperability between sensor-adduser and manager-adduser: both
	tools now allow the use of any size certificates.

2002-11-28  Yoann Vandoorselaere

	* src/sensor-server.c (forward_message_to_all): new generic
	function, to forward message to a list of sensors/managers/admins.
	Moved a lot of the option code to libprelude.
	* src/pconfig.c (print_help): fit prelude-getopt API change.

2002-11-14  Yoann Vandoorselaere

	* src/sensor-server.c: we now have different kinds of connection
	lists: the admins connection list, the managers connection list,
	and the sensors connection list.
	(close_connection_cb): only delete the client from its list if the
	client was added to a list.
	(read_connection_cb): handle PRELUDE_MSG_OPTION_REQUEST and
	PRELUDE_MSG_OPTION_REPLY messages.
	(read_client_type): handle PRELUDE_CLIENT_TYPE_ADMIN.
	(handle_declare_admin): add the client to the admins list.
	(handle_declare_sensor): add the client to the sensors list.
	(handle_declare_child_relay): add the client to the managers list.
	(handle_declare_ident): this function is now used for any kind of
	client registration (sensors, admins, but not yet managers). Don't
	add the client to its list here.
	(reply_sensor_option): read the option reply message emitted by a
	sensor, and forward this message to the destination administrative
	client using forward_option_reply_to_admin().
	(request_sensor_option): read the option request message emitted
	by an administrative client, and forward this message to the
	destination sensors using forward_option_request_to_sensor().
	(forward_option_request_to_sensor): implemented. Forward an admin
	option request message to the sensors this message is addressed
	to.
	(forward_option_reply_to_admin): implemented. Forward a sensor
	option reply message to the admin that emitted the option request.
	(forward_to_all_managers): implemented. Forward a message to all
	connected managers.
	(search_cnx): implemented. Search a connection in the given list,
	with the given analyzerid.
	* src/server-generic.c: use log_client() macro where needed.
	* src/include/server-generic.h (SERVER_GENERIC_OBJECT): include
	client_type and client port.
	(log_client): new macro, to automate logging of activity.

2002-11-13  Yoann Vandoorselaere

	* src/Makefile.am:
	* src/admin-server.c: remove from the build.
	* src/pconfig.c (pconfig_init): remove admin server configuration
	option.
	* src/include/pconfig.h: remove admin_server_* stuff from the
	config structure. admin-server will soon be part of the
	sensor-server core.

2002-11-12  Yoann Vandoorselaere

	* COPYING.OpenSSL:
	* README: Permit linking with OpenSSL so that Debian package might
	be distributed.
2002-11-11  Yoann Vandoorselaere

	* src/relaying.c: new file providing thread safe operation on
	client-mgr...
	* src/server-logic.c (remove_connection): the client key is now
	contained within the client datatype itself to ease client removal,
	when we are not event driven.
	(server_logic_stop): lock the server mutex, so that we don't walk
	the list while a new client is potentially added.
	(server_logic_remove_client): new function, so that we can remove a
	given client, not in an event driven fashion.
	(remove_connection): Instead of using pthread_exit(), use
	pthread_cancel() on the thread datatype contained within the server
	set. This function can now be called to remove a connection without
	exiting() the calling thread, which might be different from the
	thread handling the set.
	(remove_connection): only exchange data if needed.
	* src/server-generic.c (close_connection_cb): don't try to destroy
	the client if FD is set to NULL, meaning one of the server
	subsystems took control over this file descriptor.
	(server_generic_add_client): new function, used to manually add a
	client to our server.
	(handle_connection): use calloc() instead of malloc, so that data
	are zeroed.
	* src/sensor-server.c (handle_declare_child_relay): renamed from
	handle_declare_relay(); we are the parent relay and the relay
	connected to us forwards us messages (child).
	(close_connection_cb): if we are a parent manager connected to a
	child manager, and the connection got closed, notify our subsystem
	that the connection is dead, so that we retry connecting later.
	(read_connection_cb): call read_client_type if needed.
	(read_client_type): implemented. Read the type of the client. Call
	handle_declare_(child|parent)_relay depending on what the peer
	declares.
	(handle_declare_parent_relay): implemented. A parent relay is
	connecting to us, this means *we* have to forward it the messages
	we get. First search if the same parent relay did already connect
	to ourself, and if yes, reuse the created client; this way we do
	support fallback to saving to a file as soon as we know the parent
	relay (upon first connection).
	* src/pconfig.c (set_child_manager): (set_parent_manager): use
	relay.c specific function in order to create the client-mgr for the
	given manager.
	* plugins/reports/xmlmod/Makefile.am (DEFS):
	* plugins/reports/textmod/Makefile.am (DEFS): 64 bits file offset
	support.

2002-10-29  Sylvain Gil

	* plugins/reports/xmlmod/xmlmod.c: added a \n to all idmef-message
	output to be more syslog like

2002-10-25  Sylvain Gil

	* plugins/reports/xmlmod/xmlmod.c: added -d option that will
	disable file buffering for xml output file.

2002-09-23  Yoann Vandoorselaere

	* NEWS: updated.
	* configure.in: bump version to 0.8.6.
	* manager-adduser/manager-adduser.c (generate_one_shot_password):
	simplify / remove unneeded code.
	* plugins/reports/xmlmod/xmlmod.c: only include libxml/parser.h,
	which takes care of dependency.
	(set_dtd_check): stop using the obsolete
	xmlDoValidityCheckingDefaultValue global variable.

2002-09-20  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c (process_alert): fix typo
	(information, not informations). Thanks to Igor Genibel for
	pointing this out.
	* plugins/db/mysql/mysql.sql:
	* plugins/db/pgsql/postgres.sql: add missing field for good File
	table handling.
	* src/idmef-db-output.c (insert_file_list): increase file_ident on
	each File insertion.
	(insert_file): take a file_ident argument.

2002-09-18  Yoann Vandoorselaere

	* plugins/db/mysql/mysql.sql: add the file_ident member to the
	Prelude_Inode table. Add the ident member to the Prelude_File
	table.
	* src/server-logic.c (remove_connection): Instead of maintaining a
	table of free connections, keep the free connections at the end of
	the connection array.
	(server_logic_stop): Use cancellation to kill every server logic
	thread.
	(child_reader): instead of polling the whole table, which is slow,
	and will fail on implementations not following the standard (linux
	2.2.x), we can now use the index of the connection table
	(connections are now kept in order).

2002-09-10  Yoann Vandoorselaere

	* configure.in: bump version number to 0.8.5.

2002-09-09  Yoann Vandoorselaere

	* src/idmef-db-output.c (insert_analyzer): use parent_type instead
	of the 'A' string constant. Fix a possible IDMEF heartbeat
	insertion error.

2002-09-02  Yoann Vandoorselaere

	* configure.in: bump version number to 0.8.4.
	* plugins/reports/xmlmod/Makefile.am (EXTRA_DIST): correct
	inclusion of idmef-message.dtd
	* plugins/reports/xmlmod/xmlmod.c (process_message): free the XML
	document in case of unknown message.

2002-08-29  Yoann Vandoorselaere

	* plugins/reports/xmlmod/idmef-message.dtd: new file, IDMEF dtd.
	* plugins/reports/xmlmod/xmlmod.c: Brand new IDMEF-XML output
	plugin. Supports dumping to a file, and stderr. You can specify
	whether the output should be formatted, and if a DTD check should
	be done.

2002-08-28  Yoann Vandoorselaere

	* configure.in: correct OpenSSL, PgSQL, MySQL test.

2002-08-26  Yoann Vandoorselaere

	* NEWS: updated.
	* configure.in: bump version number to 0.8.3.
	* src/db-plugins.c (generate_dynamic_query): fix a possible off by
	one in case DB_MAX_INSERT_QUERY_LENGTH is used. Add a carriage
	return at the end of the error dump.
	(db_plugin_insert): fix off by one. Carriage return at the end of
	the error dump.

2002-08-16  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c (process_inode): formatting
	fix.
	* src/idmef-message-read.c (file_get): handle MSG_INODE_TAG, call
	inode_get().
	* plugins/reports/textmod/textmod.c (process_file): formatting fix.

2002-08-15  Krzysztof Zaraska

	* plugins/db/pgsql/pgsql.c (db_insert): call PQclear() after query
	to avoid memory leaks.
2002-08-13  Krzysztof Zaraska

	* plugins/reports/debug/debug.c: print error message when message
	type is unknown
	* plugins/reports/debug/debug.c: use separate counters for alerts
	and heartbeats

2002-08-13  Krzysztof Zaraska

	* plugins/db/mysql/mysql.c (db_insert): include result of
	mysql_error() in error message

2002-08-04  Yoann Vandoorselaere

	* src/server-generic.c (unix_server_start): call
	prelude_get_socket_filename() on addr.sun_path directly (stop using
	a temporary buffer with strncpy()). This avoids a potentially
	missing \0 on really long filename. This problem was pointed out by
	Guillaume Pelat

2002-08-01  Yoann Vandoorselaere

	* configure.in: bump version number to 0.8.2.
	* plugins/db/mysql/mysql.c: include not , thanks to Yann Droneaud
	for pointing this out.
	* configure.in: bump version number to 0.8.1.
	* plugins/decodes/prelude-nids/optparse.c: include sys/types.h, fix
	from Krzysztof Zaraska so that it compiles on FreeBSD - STABLE.

2002-07-30  Yoann Vandoorselaere

	* configure.in: update version number to 0.8.0.

2002-07-29  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c: include string.h
	* plugins/decodes/prelude-nids/optparse.c: use our own extract
	functions.

2002-07-25  Yoann Vandoorselaere

	* plugins/db/pgsql/Makefile.am:
	* plugins/db/mysql/Makefile.am: correct SQL scripts installation.
	* docs/api/Makefile.am: remove check for gtk-doc on make dist... As
	we cannot force distcheck to pass the --enable-gtkdoc configure
	argument, it would fail anyway.

2002-07-23  Yoann Vandoorselaere

	* src/pconfig.c (set_pidfile): strdup pidfile.
	* plugins/filters/skeleton/skeleton.c (set_skeleton_rule): strdup
	filter_rule.
	* plugins/reports/textmod/textmod.c (set_logfile): strdup logfile.
	* prelude-manager-db-create.sh (manager_user): moved to
	prelude-manager-db-create.sh.in, to include absolute path to the
	SQL scripts.
	* plugins/db/pgsql/Makefile.am (install-data-local): install
	postgresql.sql
	* plugins/db/mysql/Makefile.am (install-data-local): install
	mysql.sql

2002-07-22  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c (process_string_list): don't
	print anything if list is empty.
	(process_process): put a whitespace before arg and env.

2002-07-17  Yoann Vandoorselaere

	* src/idmef-message-scheduler.c (process_message): check that
	relay_filter_available is 0. Fix a bug where a relay manager would
	relay the same message 2 times.
	* plugins/reports/textmod/textmod.c (print): call va_start() /
	va_end() once per do_print() call. Avoid a SIGSEGV on some
	architectures (like PPC).

2002-06-27  Yoann Vandoorselaere

	* fit prelude-getopt API change.

2002-06-18  Yoann Vandoorselaere

	* src/report-plugins.c (report_plugins_run): call filter plugins on
	reporting plugins category, and drop if a plugin filters the alert.
	Same for per plugin filter.
	* src/prelude-manager.c (main): call filter_plugins_init().
	* src/idmef-message-scheduler.c (process_message): call relaying
	filter, don't relay if message is filtered.
	* src/idmef-db-output.c (idmef_db_output): call filter of category
	database. Return if we are filtered.
	* src/filter-plugins.c: allow filter plugins to hook to a plugin.
	API cleanup. Make it possible to associate private plugin data with
	a filter entry.
	* plugins/Makefile.am (SUBDIRS): add filters.
	* configure.in: define filter_plugins stuff

2002-06-17  Yoann Vandoorselaere

	* src/include/plugin-filter.h:
	* src/filter-plugins.c: beginning of filtering plugins.
	* src/idmef-db-output.c (insert_inode): implemented.
	* src/idmef-message-read.c (file_linkage_get): (file_access_get):
	(inode_get): (file_get): implemented.
	(target_get): handle MSG_FILE_TAG.
	* src/idmef-db-output.c (insert_file_access): don't dump permission
	as our database schema is not suitable for this right now.
	* plugins/reports/textmod/textmod.c (process_string_list): new
	function, works on idmef_string_item_t object.
	(process_file_access): dump permission list.
	(process_process): dump env and arg list.
	* plugins/reports/debug/debug.c (dump_idmef_inode_func): use
	dump_member_ptr for the change_time member, which is a pointer.
	(dump_idmef_file_access_func): use dump_idmef_list() for the
	permission list.

2002-06-14  Yoann Vandoorselaere

	* Makefile.am (install-data-local): use $(DESTDIR) as the top
	prefix for installing stuff.

2002-06-13  Yoann Vandoorselaere

	* src/idmef-db-output.c (insert_process): fix another typo.

2002-06-10  Yoann Vandoorselaere

	* configure.in (gtk_doc_min_version): only install gtkdoc if
	requested.

2002-06-09  Yoann Vandoorselaere

	* src/idmef-db-output.c (insert_process): insert Process Arg and
	Process Env.

2002-06-07  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c (print): don't crash if out_fd
	is NULL.

2002-06-02  Yoann Vandoorselaere

	* plugins/db/pgsql/postgres.sql: analyzerID is INT8, and not
	VARCHAR. Also, changed some INT4 for ident to INT8.

2002-06-01  Yoann Vandoorselaere

	* src/ssl.c (handle_ssl_error): new function, handle SSL error
	better.
	* src/server-generic.c (authenticate_client): if is_ssl is set and
	handle_authentication returns 0, then return and do not accept the
	connection. This fixes a possible grave problem with SSL
	connections.
	* manager-adduser/ssl-register-client.c (ssl_register_client): use
	des_set_key instead of des_set_key_checked, so that it compiles
	with older OpenSSL versions.
	* manager-adduser/manager-adduser.c (main): call
	prelude_set_program_name, because it will be used for SSL
	certificate subject generation.

2002-05-31  Laurent Oudot

	* prelude-manager-db-create.sh: small bug fix and better "look" to
	help at understanding the installation process for an end user.

2002-05-31  Krzysztof Zaraska

	* src/idmef-util.c: fix conversions of millisecond values

2002-05-31  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c (process_heartbeat): make
	heartbeat output look better.
	* src/idmef-util.c (idmef_get_db_timestamp): new function, return a
	timestamp formatted for DB output.
	(idmef_get_timestamp): modified so that it returns time in a
	readable format.
	(idmef_get_idmef_timestamp): new function, return a timestamp
	following IDMEF specs.
	* src/idmef-db-output.c (insert_file): (insert_analyzertime):
	(insert_createtime): (insert_detecttime): use
	idmef_get_db_timestamp() instead of idmef_get_timestamp().

2002-05-30  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c (process_analyzer): print
	process and analyzer if any.
	* src/idmef-message-read.c (idmef_message_read): as of now, ident
	is always set from the Manager.
	(idmef_message_read): add a missing break statement, call
	idmef_heartbeat_get_ident().
	* src/sensor-server.c (read_connection_cb): remove FIXME message.
	This is for a later release.
	* plugins/reports/textmod/textmod.c (process_analyzer): print
	analyzerId.
	* src/idmef-util.c (idmef_additional_data_to_string):
	* src/idmef-message-read.c (additional_data_get):
	* plugins/decodes/prelude-nids/packet-decode.c: modify to fit the
	new idmef_additional_data_t structure.
	* src/idmef-util.c (idmef_additional_data_to_string): use
	extract_function() for the ntpstamp, integer, real, and all the
	string cases.

2002-05-29  Yoann Vandoorselaere

	* src/idmef-message-read.c (additional_data_get): Don't use
	extract_idmef_string() for IDMEF additionalData data member. The
	content might be binary, and then not end with \0.
	* src/idmef-util.c (idmef_additional_data_to_string): new function,
	takes care of converting the IDMEF AdditionalData data member to a
	string suitable to be output in the IDMEF database.
	* src/idmef-db-output.c (insert_data): use
	idmef_additional_data_to_string() to get the data.
	* plugins/reports/textmod/textmod.c (process_data): use
	idmef_additional_data_to_string. We should now be able to deal with
	any kind of data type.
	* docs/api/Makefile.am: work around a possible build breakage if
	gtkdoc isn't present.
2002-05-24  Yoann Vandoorselaere

	* src/server-generic.c (setup_client_socket): don't try to use TCP
	wrappers if we are listening on a UNIX socket.

2002-05-22  Yoann Vandoorselaere

	* plugins/db/mysql/mysql.sql:
	* plugins/db/pgsql/postgres.sql: portlist is varchar.

2002-05-17  Baptiste Malguy

	* src/pconfig.c (pconfig_init): replaced the default value "unix"
	by "127.0.0.1" for the config.addr field.

2002-05-16  Baptiste Malguy

	* src/*-plugins.c (*_plugins_init): don't return an error if the
	plugin directory doesn't exist. But do so in case of permission
	problem.

2002-05-16  Yoann Vandoorselaere

	* configure.in: save LIBS variable in orig_libs... Then restore it.
	We don't want everything to link with libwrap / libnsl.

2002-05-16  Baptiste Malguy

	* src/include/*.h: added some #ifndef/#define and #endif in the
	header files for dependency inclusion purposes.

2002-05-14  Vincent Glaume

	* src/server-generic.c: for a server using a unix socket, the
	filename we use is now built depending on the listening port, which
	is done using the new prelude_get_socket_filename() implementation
	in libprelude.

2002-05-13  Yoann Vandoorselaere

	* configure.in:
	* src/server-generic.c: correct TCP wrappers check.
	(authenticate_client): call accept() callback when
	handle_authentication return value is 0.
	* src/server-generic.c (handle_plaintext_authentication): don't set
	is_authenticated to 1 if sending authentication result failed. This
	could lead to a possible SIGSEGV.
	* src/sensor-server.c (accept_connection_cb): correct typo.
	* src/server-logic.c (handle_fd_event): handle POLLIN before
	POLLHUP. The two bits may be set in the revents field, and we want
	to process the available data.

2002-05-08  Yoann Vandoorselaere

	* src/sensor-server.c (handle_request_ident): removed.
	(read_ident_message): remove handling of PRELUDE_MSG_ID_REQUEST.
	The Manager is no longer responsible for analyzer ID allocation.
	(sensor_server_new): remove initialization of analyzer ident
	object.

	Fix daemon mode for Prelude Manager. Prelude-Manager should fork()
	before threads are created.
	* src/prelude-manager.c (main): don't start the daemon here.
	* src/pconfig.c (set_daemon_mode): call prelude_daemonize() here.
	(pconfig_init): option for pidfile has higher priority than daemon
	option.

2002-05-06  Yoann Vandoorselaere

	* docs/api/Makefile.am: included PATCH from Yann Droneaud so that
	make distcheck works again with newest automake.

2002-05-05  Yoann Vandoorselaere

	* src/include/Makefile.am:
	* src/Makefile.am:
	* Makefile.am:
	* src/idmef-message-scheduler.c: fix make distcheck.

2002-04-30  Yoann Vandoorselaere

	* src/pconfig.c (set_relay_manager): prelude_client_mgr_new now
	takes a type of client argument, set it to
	PRELUDE_CLIENT_TYPE_MANAGER.

2002-04-30  Laurent Oudot

	* prelude-db-create.sh: fix some bugs that occurred with old
	versions of different shells (owing to Arnaud Guignard's test).

2002-04-28  Yoann Vandoorselaere

	* src/server-generic.c (server_generic_new): memset sin_zero member
	to 0. This should avoid INET server starting problem on some
	systems.

2002-04-24  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/packet-decode.c (ip_dump): print
	protocol.
	* src/sensor-server.c (handle_request_ident): only convert ident to
	network byte order if WORDS_BIGENDIAN is not defined.

2002-04-17  Yoann Vandoorselaere

	* plugins/reports/debug/debug.c: comment unused.
	* configure.in (CFLAGS): remove -Wstrict-prototype until OpenSSL
	headers are corrected.

2002-04-12  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/packet-decode.c (icmp_dump):
	(nids_packet_dump): ICMP message can be > ICMP_MINLEN. Move the
	check into the icmp_dump() function.
	* prelude-manager.conf.in (logfile): add missing ';' (Thanks to
	Yann Droneaud for pointing this out).
	* src/plugins-util.c (prelude_string_to_hex): don't increment text
	pointer if we are at the end of the buffer. This fixes bug #0000020
	(Non ASCII character in hexadecimal dump).
2002-04-11  Krzysztof Zaraska

	* plugins/reports/debug/debug.c: added missing call to process analyzer information

2002-04-09  Krzysztof Zaraska

	* plugins/reports/debug/debug.c: added -s (--silent) option

2002-04-09  Yoann Vandoorselaere

	* configure.in: stop using profile-arcs for optimised build. GCC generates bugged code with it.
	* plugins/decodes/prelude-nids/packet-decode.c: (nids_packet_dump): use ICMP_MINLEN as the size for the ICMP header.
	* plugins/decodes/prelude-nids/packet-decode.c: snprintf returns the len not including ending \0, so idmef string len should be set to returned len + 1. (#0000015)
	* plugins/decodes/prelude-nids/decode.c (gather_protocol_infos): use idmef_string_set to set sport / dport service name. (#0000015) Additionally, getservbyport has to be called with port in

2002-04-08  Yoann Vandoorselaere

	* prelude-manager.conf.in: more comments in default configuration file.
	* Makefile.am (install-data-local): Only install default configuration file if it does not exist... If a configuration file is already present, warn the user and install in prelude-manager.conf-dist.

2002-04-07  Krzysztof Zaraska

	* src/idmef-message-read.c: changed inclusion order to fix compilation warnings on FreeBSD.

2002-04-07  Krzysztof Zaraska

	* plugins/reports/debug/debug.c: totally rewritten. The purpose of this plugin is to walk the IDMEF tree, find and report found inconsistencies in data structures. It is designed for people writing sensors / decode plugins to check if they generate the structures correctly, so Manager or some unaware report plugin will not crash. Note that this plugin may even crash (especially when run with -a option), so it should _not_ be used in a production environment (e.g. for logging alerts). Thanks to Yoann Vandoorselaere for helping with the code.
2002-04-07  Baptiste Malguy

	* src/db-plugins.c (generate_dynamic_query):
	(db_plugin_insert):
	* src/include/plugin-db.h:
	* plugins/db/mysql/mysql.c (db_insert):
	* plugins/db/pgsql/pgsql.c (db_insert): added a dynamic management of the SQL query buffer to both avoid a too short buffer truncating queries and allow big queries when necessary.

2002-04-04  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c (process_node): fix output.
	* manager-adduser/manager-adduser.c (handle_authentication_method): don't give up until an error occurs, or we get prelude_msg_finished.

2002-04-01  Laurent Oudot

	* prelude-db-create.sh: Added postgresql support for the IDMEF database

2002-03-29  Yoann Vandoorselaere

	* src/server-logic.c (server_logic_process_requests):
	(child_reader): don't accept connection before the thread installs the signal handler for SIGUSR1.

2002-03-29  Krzysztof Zaraska

	* src/idmef-message-read.c: include (fix compilation warnings on FreeBSD)

2002-03-28  Krzysztof Zaraska

	* INSTALL:
	* README: minor language corrections

2002-03-26  Yoann Vandoorselaere

	* src/server-logic.c (child_reader): remove wrong lock.

2002-03-25  Yoann Vandoorselaere

	* src/server-generic.c (handle_plaintext_authentication): use extract_string_safe().
	* src/sensor-server.c (handle_declare_ident): use extract_uint64_safe().
	* src/idmef-message-read.c (extract_idmef_string): use extract_string_safe, and implicitly return if needed.
	(idmef_message_read): use extract_uint8_safe().
	(extract_int): use the needed extract_ function.
	* plugins/decodes/prelude-nids/packet-decode.c (get_address):
	(ether_dump):
	(arp_dump):
	(ip_dump):
	(tcp_dump):
	(udp_dump): update to use the new extract_* functions.
	(nids_packet_dump): Include the header size in the table, and bound check provided len with the header size.
	* plugins/decodes/prelude-nids/decode.c (get_address):
	(packet_to_idmef):
	* manager-adduser/manager-adduser.c (handle_plaintext_account_creation):

2002-03-22  Yoann Vandoorselaere

	* src/db-plugins.c (db_plugins_available): new function, return 0 if there are active db plugins, -1 otherwise.
	* src/report-plugins.c (report_plugins_available): new function, return 0 if there are active report plugins, -1 otherwise.
	* src/idmef-message-scheduler.c (process_message): don't read the IDMEF message if there are no active plugins (we are probably only a relay manager in this case).

2002-03-21  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/decode.c (msg_to_packet): put an array delimiter for safety (an attacker that successfully authenticated could send a packet without p_end set).
	* plugins/decodes/prelude-nids/packet.h: updated to recent version.

2002-03-20  Yoann Vandoorselaere

	* db-inst.sh: cleanup, fix several bugs, simplify, also rename it to prelude-db-create.sh

2002-03-19  Yoann Vandoorselaere

	* src/ssl.c (ssl_close_session): this is done by prelude-io. Removed.
	(ssl_init_server): call setup_openssl_thread().
	(setup_openssl_thread): malloc the OpenSSL array of mutexes, and initialize them. Setup the OpenSSL callback function.
	(thread_lock_cb): OpenSSL callback for locking / unlocking a mutex.
	(thread_id_cb): OpenSSL callback to get ID of the calling thread.
	These changes aim to avoid problems by using the same SSL context from multiple threads. The OpenSSL documentation is very small (almost inexistent) on this subject though, so anyone with knowledge of how OpenSSL and threads cohabitate is welcome to review the code.

2002-03-19  Laurent Oudot

	* db-inst.sh (file added): this small script should help at installing databases used in the project (frontend, idmef, mysql, postgresql...)
2002-03-17  Krzysztof Zaraska

	* src/idmef-message-read.c (source_get): fix a bug causing an error when end of message (MSG_END_OF_TAG) is reached

2002-03-14  Yoann Vandoorselaere

	* plugins/db/pgsql/postgres.sql:
	* plugins/db/mysql/mysql.sql: added PostgreSQL and MySQL database creation script, by Oudot Laurent
	* manager-adduser/ssl-register-client.c (create_manager_key_if_needed):
	* manager-adduser/manager-adduser.c (handle_plaintext_account_creation): use 0 as the UID argument.

2002-03-11  Yoann Vandoorselaere

	* prelude-manager.conf.in (sensors-srvr): comment admin-srvr by default, this won't be enabled for 0.8

2002-03-07  Krzysztof Zaraska

	* src/sensor-server.c: fix warnings on compilation

2002-03-07  Krzysztof Zaraska

	* plugins/db/pgsql/Makefile.am: fixed linker flags

2002-03-06  Yoann Vandoorselaere

	* src/server-generic.c (server_generic_new): UNIX keyword is obsoleted. Resolve the server address in the good place.
	(inet_server_start): don't resolve server addr here, take a sockaddr_in structure as argument.

2002-02-28  Yoann Vandoorselaere

	* src/sensor-server.c (handle_request_ident): use a mutex to protect ident creation.
	* manager-adduser/Makefile.am (DEFS):
	* src/Makefile.am (DEFS):
	* plugins/decodes/prelude-nids/Makefile.am:
	* plugins/reports/textmod/Makefile.am (DEFS):
	* plugins/db/pgsql/Makefile.am (DEFS):
	* plugins/db/mysql/Makefile.am (DEFS): libprelude include dir should be *after* local include dir.

2002-02-27  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/decode.c: include netinet/in.h

2002-02-21  Yoann Vandoorselaere

	* src/idmef-message-read.c (additional_data_get): don't call ntohl directly, use extract_int.
	* plugins/decodes/prelude-nids/decode.c (get_address):
	* plugins/decodes/prelude-nids/packet-decode.c (get_address): correct typo in #ifdef.
2002-02-20  Yoann Vandoorselaere

	* acinclude.m4: remove commented out line containing AM_PATH_GTK, cause even though it is commented, a bug in aclocal makes it try to find this macro, and to fail on systems where it is not available. Thanks to Pierre-Jean Turpeau for pointing out and fixing this problem.
	* src/sensor-server.c (read_connection_cb): avoid a NULL pointer dereference on invalid messages, thanks to Pierre-Jean Turpeau for pointing out, and debugging the problem.

2002-02-18  Yoann Vandoorselaere

	* src/idmef-db-output.c (insert_snmp_service):
	(insert_file):
	(insert_web_service): Correct argument lists.

2002-02-13  Yoann Vandoorselaere

	* manager-adduser/ssl-register-client.c (create_manager_key_if_needed): fix a typo, thanks to Sebastien Tricaud for pointing this out.

2002-02-08  Yoann Vandoorselaere

	* prelude-manager.conf.in (admin-srvr): update.

2002-02-07  Yoann Vandoorselaere

	* plugins/db/mysql/mysql.c (db_insert): arguments are const.
	* manager-adduser/manager-adduser.c (handle_plaintext_account_creation):
	(is_already_existing): fit latest prelude-auth change.
	* Makefile.am: install prelude-manager.conf with mode 600 cause it can contain database password.
	* manager-adduser/manager-adduser.c (is_already_existing): do not fail if the same user and pass already exist.

2002-02-07  Krzysztof Zaraska

	* plugins/decodes/prelude-nids/packet-decode.c: fixed LIST_HEAD warning on FreeBSD

2002-02-06  Yoann Vandoorselaere

	* src/prelude-manager.c (cleanup): only close admin server if it is enabled.
	* src/ssl.c (load_certificate_if_needed): new function, stat the certificate file and reload it if it changed.
	(ssl_auth_client): call load_certificate_if_needed()
	(ssl_init_server): use TLSv1 server method as suggested by Michael Samuel.
	* manager-adduser/manager-adduser.c (handle_authentication_method): only activate SSL when compiled in.
	(main): check ssl_create_manager_key return value.

2002-02-05  Yoann Vandoorselaere

	* src/idmef-db-output.c: stop passing pointer to ident.
	Stop using const everywhere. Allocate Identity by alert, for some IDMEF object.
	* src/idmef-message-read.c (web_service_get):
	* manager-adduser/manager-adduser.c (main): call ssl_create_manager_key_if_needed() so that we create the key if it doesn't exist.
	* manager-adduser/ssl-register-client.c: (ssl_create_manager_key_if_needed): new function.

2002-02-04  Yoann Vandoorselaere

	* manager-adduser updated.
	* src/server-generic.c (handle_plaintext_authentication): correct return value.
	(server_generic_new): when 127.0.0.1 is specified, start an UNIX server.

2002-02-01  Yoann Vandoorselaere

	* src/idmef-message-scheduler.c (get_message_from_file): made the "fifo corrupted" message a little more informative.
	(init_file_output): use prelude_open_persistant_tmpfile() function to open needed files.
	(queue_message_to_fd): avoid a possible deadlock on out of disk space condition.

2002-01-28  Yoann Vandoorselaere

	* configure.in: update gtk-doc detection routine. Check if we support un-aligned access.
	* plugins/decodes/prelude-nids/optparse.c:
	* plugins/decodes/prelude-nids/packet-decode.c:
	* plugins/decodes/prelude-nids/decode.c: re-activated. You should now get packet dump in your alert.

2001-01-27  Krzysztof Zaraska

	* configure.in: if mysql_config is not present try to find libmysqlclient.so and mysql.h. This fallback should not be considered completely reliable since it will not detect extra flags that may be needed for compiling against libmysqlclient.
	* configure.in: added workaround for false negatives while checking for mysql_real_escape_string.

2002-01-26  Yoann Vandoorselaere

	* src/idmef-message-read.c (analyzer_get): read analyzer ident.
	* plugins/reports/textmod/textmod.c (process_analyzer): print ostype and osversion if available.
	* src/idmef-message-read.c (analyzer_get): read ostype and osversion.
	* src/idmef-util.c (idmef_node_category_to_string): add "hosts" category.
	* src/idmef-db-output.c (insert_userid):
	(insert_linkage):
	(insert_file_access):
	(insert_analyzer):
	(insert_file): fit latest DB change.
	(insert_target): better error checking.
	(insert_assessment):
	(insert_overflow_alert):
	(insert_tool_alert):
	(insert_correlation_alert):
	(insert_file_list): implemented.

2002-01-25  Yoann Vandoorselaere

	* src/idmef-util.c: never assert() here. Return NULL and dump a warning.
	* src/idmef-db-output.c: use provided macro to access idmef_string. Handle errors better.
	* src/idmef-message-read.c:
	* plugins/reports/textmod/textmod.c:
	* plugins/reports/debug/debug.c:
	* plugins/decodes/prelude-nids/decode.c: use provided macro to access idmef_string.

2002-01-23  Yoann Vandoorselaere

	* plugins/reports/textmod/textmod.c: new plugin, handling logfile output and stderr output.
	(process_assessment): avoid NULL pointer dereference.
	* prelude-manager.conf.in: added default configuration entry for TextMod.
	* configure.in (CFLAGS):
	* plugins/reports/Makefile.am (SUBDIRS): add TextMod plugin to the build.

2002-01-22  Yoann Vandoorselaere

	* src/idmef-util.c:
	* src/idmef-message-read.c:
	* src/idmef-db-output.c: IDMEF v6 compliance.
	* plugins/db/mysql/mysql.c (db_escape):
	* configure.in: detect if we have mysql_real_escape_string(), use mysql_escape_string() if not.

2002-01-21  Yoann Vandoorselaere

	* src/server-logic.c: the continue_processing variable is now a volatile sig_atomic_t.
	(server_logic_stop): just set the continue_processing variable to 0.
	* src/prelude-manager.c (init_manager_server): stop using a separate thread for the administration server. We are now able to multiplex events for different servers.
	* src/server-generic.c (server_generic_start): now takes an array of server_generic_t, as well as a nserver count.
	(handle_connection): new function.
	(wait_connection): poll on the server(s) socket(s). Call handle_connection() when needed. We are now able to multiplex accept for different servers.
	* src/sensor-server.c: (admin_server_new):
	(admin_server_close):
	* src/admin-server.c (admin_server_new):
	(admin_server_close): return a new server_generic_t. We don't want to keep the server identifier global. Functions that used to use the global identifier now take a server_generic_t as argument.

2002-01-20  Krzysztof Zaraska

	* configure.in: added AC_CANONICAL_SYSTEM macro to fix autoconf 2.5x problem

2002-01-19  Yoann Vandoorselaere

	* Fit libprelude header change. Resolve address when needed for server creation.

2002-01-18  Yoann Vandoorselaere

	* src/prelude-manager.c (cleanup): cleanly exit all the stuff.
	(start_admin_server): admin server is not detached.
	* src/idmef-message-scheduler.c: implement safe cancellation. So we don't lose in-memory reports on exit.
	* src/server-logic.c (child_reader): detach the thread as soon as it is created... Do not wait for it to be killed. Use SIG_SETMASK, not SIG_BLOCK.
	* src/server-generic.c (handle_plaintext_connection): use the extract_string macro to verify that the strings are ok.

2002-01-17  Yoann Vandoorselaere

	* src/pconfig.c (create_account):
	(pconfig_init): commented out until we find the correct solution to sensor-adduser.
	* configure.ac: updated.
	* src/sensor-server.c (option_list_to_xml):
	(option_list_to_xml): don't return here. Wait for end of message.
	(handle_declare_ident): if the client is a Relaying Manager, put it at the end of the client list (default route).
	(sensor_server_broadcast_admin_command): Search for the analyzerid. If the analyzer is not directly connected here, broadcast the message to every Relaying Manager connected.
	* Makefile.am (install-data-local): fix directory creation.
	* src/sensor-server.c (read_connection_cb): relay option list message if this Manager is a relay.

2002-01-16  Yoann Vandoorselaere

	* src/sensor-server.c: (option_list_to_xml): return 0 on error for protocol compatibility purpose.
	* src/server-generic.c: print cleaner information.
	* src/server-logic.c: much work...
	Correct several race conditions, redid part of the code, fix fd leak. I couldn't reproduce a race here, but if someone with an SMP machine could test it would be even better.
	(server_logic_process_requests): Add the first set connection before creating the set thread, as we don't notify the connection arrival in this case (first set connection). This avoids a race where the connection is added *after* the created thread started polling.

2002-01-14  Yoann Vandoorselaere

	* Too much change to list. Use prelude-path API everywhere.
	* src/ssl.c (ssl_auth_client):
	(do_ssl_accept):
	* src/server-generic.c (authenticate_client): hack to fully handle SSL authentication in non blocking mode.
	* plugins/reports/debug/debug.c: correct return value, Prelude coding style, remove print help, as it is handled by prelude-getopt.
	(get_address_as_text): made static.
	(get_address): ditto.

2002-01-14  Krzysztof Zaraska

	* plugins/reports/debug/debug.c:
	* plugins/reports/debug/Makefile.am: add a new debug report plugin
	* configure.ac:
	* plugins/reports/Makefile.am: builds new debug report plugin
	* src/include/report.h: include include include

2002-01-11  Yoann Vandoorselaere

	* src/idmef-util.c:
	* src/idmef-db-output.c:
	* src/idmef-message-read.c: include
	* src/server-generic.c (handle_connection): better authentication handling.
	(send_plaintext_authentication_result): new function.
	(handle_plaintext_connection): call send_plaintext_authentication_result().

2002-01-10  Yoann Vandoorselaere

	* src/server-generic.c (close_connection_cb): always free client->addr.
	* src/server-logic.c: reduce the number of duplicated pointers between the different server interfaces.
	(server_logic_process_requests): create the thread after creating the set.
	(server_logic_process_requests): send the SIGUSR1 signal to the existing set after the connection is added.
	(create_fd_set): don't create the new thread before adding the connection. This could result in a race.
	(child_reader): catch the SIGUSR1 signal.
	Use an infinite timeout. add_connection will send us the SIGUSR1 signal when a new connection is available, so that poll() is interrupted, and we take the new fd into account.
	(child_reader): avoid the pollfd copy. Use the number of currently used fds as the pollfd delimiter for poll. Do not use the maximum value.
	(handle_fd_event): test for POLLERR|POLLHUP|POLLNVAL *before* testing for POLLIN. Because the first is often associated with the second.
	* src/server-generic.c: Fit server-logic API change. Now we use prelude-message everywhere and are fully async.
	* src/sensor-server.c:
	* src/admin-server.c: fit server generic API change. thread locking.
	* src/server-logic.c (restart_poll): handler for SIGUSR1.
	(child_reader): handle SIGUSR1.
	(child_reader): no need to lock / copy the set of FDs.
	(child_reader): poll only needed descriptors.
	(server_logic_process_requests):
	* src/server-generic.c (tcpd_auth): use the log() macro.
	* src/include/report.h: fix include.

2002-01-07  Yoann Vandoorselaere

	* src/idmef-message-read.c (userid_get):
	(time_get):
	* src/idmef-db-output.c (insert_userid): the uid field is not a string anymore, but an unsigned 32 bits integer.
	(insert_createtime):
	(insert_detecttime):
	(insert_analyzertime): handle idmef_time_t object change.
	* src/idmef-func.c: removed. Most of these functions are now in libprelude - idmef-tree-func.c. Functions specific to prelude-manager got moved to idmef-util.c

2002-01-06  Krzysztof Zaraska

	* src/sensor-server.c: added #include (FreeBSD compatibility fix)

2002-01-05  Yoann Vandoorselaere

	* src/pconfig.c (set_relay_manager): correct typo.
	* src/db-plugins.c (subscribe):
	(unsubscribe): set global plugin pointer.
	(db_plugins_run): do nothing if global plugin pointer is NULL.
	* src/include/Makefile.am (includedir): correct prefix.
	* src/sensor-server.c (handle_request_ident): When getting this message, allocate an analyzer identity to the other peer.
	(handle_declare_ident): When getting this message, set the analyzerid for this connection to declared ident.
	(read_ident_message): handle ident declaration, and ident request.
	(sensor_server_broadcast_admin_command): analyzerid is not a string.
	(sensor_server_new): use the prelude_ident API to create a 64 bits integer mapped on a file.
	* src/idmef-message-read.c: moved type checking function to libprelude.

2002-01-04  Yoann Vandoorselaere

	* src/prelude-manager.c:
	* src/pconfig.c (pconfig_init): port to use prelude-getopt API
	* src/sensor-server.c (option_list_to_xml): handle all message to xml translation here.
	(read_connection_cb): always set msg to NULL so we don't destroy it twice.
	* src/pconfig.c (print_help): stop using old plugin option API. Use prelude-getopt.
	* src/prelude-manager.c (main):
	* src/decode-plugins.c:
	* src/report-plugins.c:
	* src/db-plugins.c: fit plugins API change allowing asynchronous subscription / un-subscription of plugin.
	* plugins/decodes/prelude-nids/decode.c:
	* plugins/db/pgsql/pgsql.c:
	* plugins/db/mysql/mysql.c: fit plugins API change allowing asynchronous subscription / un-subscription of plugin. Add support for prelude-getopt.

2002-01-02  Yoann Vandoorselaere

	* src/server-generic.c (unix_server_start): everyone should be able to access the UNIX socket. Set mode 777.

2002-01-02  Krzysztof Zaraska

	* plugins/db/mysql/Makefile.am: added @LIBPRELUDE_CFLAGS@ to DEFS to get -I options right
	* src/decode.c: added #include (FreeBSD compat. fix)
	* src/decode.c:
	* src/admin-server.c:
	* src/idmef-message-read.c: added #include (FreeBSD compat. fix)

2001-12-30  Yoann Vandoorselaere

	* configure.ac: add --enable-profiling
	* src/server-logic.c:
	* src/prelude-manager.c:
	* src/idmef-message-scheduler.c: include threads.h in case profiling is enabled.
	* Added missing CREDITS file, taken from prelude-nids and updated with the necessary entry.
2001-12-28  Yoann Vandoorselaere

	* src/server-generic.c (inet_server_start):
	(unix_server_start):
	* src/report-plugins.c (report_plugin_register):
	* src/decode-plugins.c (decode_plugin_register):
	* src/db-plugins.c (db_plugin_register): remove \t that put garbage in syslog log.
	* src/server-generic.c (inet_server_start): fit prelude-io API change.
	* src/sensor-server.c (read_connection_cb): handle new prelude_message return value. Also handle the case where we get an unknown message.
	* src/prelude-manager.c (cleanup): does an exit() so that buffered IO can be flushed.
	* manager-adduser/ssl-register-client.c (ssl_register_client): fit prelude_io API change.

2001-12-27  Yoann Vandoorselaere

	* src/prelude-manager.c (main): Use sensor_server_new() / admin_server_new() to setup server.
	* src/idmef-message-scheduler.c: completely re-worked. low / mid priority now work.
	* src/idmef-func.c (free_alert): handle the case where passed alert is NULL. Which can happen on bad message.
	(free_heartbeat): handle the case where passed heartbeat is NULL. Which can happen on bad message.

2001-12-26  Yoann Vandoorselaere

	* src/sensor-server.c (sensor_server_new):
	* src/admin-server.c (admin_server_new): move server initialisation here.
	* src/idmef-db-output.c (insert_snmp_service):
	(insert_web_service):
	(insert_service): implement snmp and web service. All functions take a pointer to the 64 bits id, avoid copying.
	* src/idmef-message-read.c (service_get): handle snmp and web service.
	(web_service_get):
	(snmp_service_get): new functions.
	* src/server-generic.c (setup_connection): handle case where EOF is returned. Remove a debugging message.
	* src/sensor-server.c: cleanup. Add necessary locking.
	* src/report-plugins.c (report_plugins_run): work with an IDMEF message, not an IDMEF alert.
	* src/prelude-manager.c (main): start administration server.
	* src/pconfig.c (configure_admin_server): set listening address to 0.0.0.0 if none is configured.
	* src/idmef-message-read.c (extract_uint64):
	(extract_uint32):
	(extract_uint16):
	(extract_uint8): New functions that check whether the destination variable won't overflow.
	(extract_str): Check that a string is NULL terminated.
	(extract_int):
	(extract_string): Macro for error handling automation. Handle missing IDMEF stuff.
	* src/idmef-func.c: allocate what needs to be allocated. Free allocated data when idmef_message_free() is called.
	* src/idmef-db-output.c: all idents are now 64 bits integers.
	(idmef_db_output): work with an IDMEF message, not with an IDMEF alert.
	* src/decode-plugins.c: (decode_plugins_run): used decode plugins are saved into the new used_decode_plugins list.
	(decode_plugins_free_data): Call free callback function for plugins in used_decode_plugins list and put the plugins back into the main plugins list.
	* src/db-plugins.c (db_plugins_run): take an IDMEF message as argument, not an IDMEF alert.
	* plugins/decodes/prelude-nids/nids-alert-id.h: update to fit latest prelude-nids alert format change.
	* plugins/decodes/prelude-nids/decode.c (nids_decode_free): new plugin function that frees allocated data.
	(plugin_init): setup free callback function.
	(gather_protocol_infos): strdup the return value from getservbyport() as the buffer may be rewritten.

2001-12-19  Yoann Vandoorselaere

	* src/sensor-server.c: new file.
	(sensor_server_broadcast_admin_command): public function the admin server uses to broadcast command to sensor.
	* src/admin-server.c: new file.
	(admin_server_broadcast_sensor_optlist): public function that the sensor server uses to broadcast the option list to administration server.
	* src/server-generic.c: renamed server.c into server-generic.c, modified so that the API is more complete.
	* src/server-logic.c (child_reader): ignore signal.
	* src/prelude-manager.c (main): adapt to servers API change. We do not start administration server yet.
	* src/pconfig.c (configure_admin_server):
	(configure_listen_address):
	(configure_listen_port): cleanup.
	(print_help):
	(pconfig_init): remove options that are now handled by libprelude.
	* src/alert-scheduler.c (process_alert): ignore signal.
	* configure.ac (CFLAGS): add -DREENTRANT.

2001-12-14  Yoann Vandoorselaere

	* src/idmef-db-output.c:
	* src/db-plugins.c: Reverted to one database plugin loaded at a time.
	* plugins/db/pgsql/pgsql.c (db_insert_id):
	(plugin_init):
	(do_query): remove unused.
	* plugins/db/mysql/mysql.c (db_insert_id):
	(plugin_init):
	* src/db-plugins.c (db_plugins_insert_id):
	* src/include/plugin-db.h: remove insert_id() related stuff since it is deprecated.
	* src/server.c: complete reentrancy.
	* src/server-logic.c: modified so that it passes a global server pointer (specified by the caller) when the callbacks are called.
	* src/prelude-manager.c (main): initialize the IDENT generation subsystem. Handle server.c API change.
	* src/idmef-func.c (idmef_ident_init):
	(idmef_ident_exit): new function. Init alert ident.
	(fill_alert_infos): use prelude_ident.
	* src/idmef-db-output.c (idmef_db_output): convert ident to char here.
	(insert_analyzertime):
	(insert_detecttime):
	(insert_createtime):
	(insert_data):
	(insert_classification):
	(insert_analyzer):
	(insert_target):
	(insert_source):
	(insert_service):
	(insert_process):
	(insert_user):
	(insert_userid):
	(insert_node):
	(insert_address): Passed ident is now a char *. Remove deprecated use of db_plugins_insert_id, as we now handle IDENT ourselves.

2001-12-13  Yoann Vandoorselaere

	* src/server-logic.c (remove_connection):
	(handle_fd_event): pass global server data to the callback functions.
	(server_logic_new): Take a global server data argument.
	* src/server.c (inet_server_start): take addr and port as argument.

2001-12-12  Yoann Vandoorselaere

	* src/server.c: Update to fit server-logic change. Better reentrancy.
	* src/server-logic.c: rename server_t to server_logic_t.
	* src/pconfig.c (print_help): print help for database plugins.
	* plugins/db/pgsql/pgsql.c (db_insert_id):
	(db_insert): improve error message.
	(print_help):
	(plugin_init): s/MySQL/PgSQL/
	* configure.ac: check for PostgreSQL header, show conditionally enabled plugins.

2001-12-11  Yoann Vandoorselaere

	* configure.ac: Ability to disable MySQL / PostgreSQL plugin on command line.
	* acconfig.h:
	* plugins/db/pgsql/Makefile.am: Only enable PostgreSQL / MySQL compilation if needed.
	* configure.ac (COMMON_LIBS): applied patch from Krzysztof Zaraska ("use == operator for test in configure, but valid one is =")

2001-12-10  Yoann Vandoorselaere

	* plugins/db/pgsql/pgsql.c: start of PostgreSQL plugin.
	(db_escape): escape single quote character.
	(db_insert_id): instruct PostgreSQL to update sequence.
	* src/idmef-db-output.c: generic layer responsible for outputting the IDMEF tree into the active databases.
	* src/db-plugins.c (db_plugins_insert): take a variable number of arguments, all to be escaped.
	* plugins/reports/mysql/Makefile.am:
	* plugins/reports/mysql/mysql.c: removed.
	* plugins/db/mysql/mysql.c: cleanup.
	(plugin_init): set escape function.

2001-12-08  Yoann Vandoorselaere

	* src/alert-scheduler.c (process_message): call db_plugins_run().
	* src/idmef-db-output.c: new file containing the, now generic, code contained by the old mysql plugins. This code calls db plugins in order to output to the database...
	* src/db-plugins.c (db_plugins_run): new function, only call idmef_db_output() if at least one db plugin is enabled.
	* src/idmef-db-output.c (idmef_db_output): Use db_plugins_insert_id().
	* src/include/plugin-db.h:
	* src/db-plugins.c (db_plugins_insert_id):
	* plugins/db/mysql/mysql.c (db_insert_id): plugin-db has an insert_id function permitting the Manager to pass a generated ID, or to tell the plugin to use auto increment (and gather the value).
	* src/decode-plugins.c (decode_plugins_run):
	* src/report-plugins.c (report_plugins_run): specify the member to run in the plugin_run() macro call.
	* plugins/db/mysql/mysql.c: first cut at a mysql plugin done the right way(tm).
	* src/Makefile.am (-DDB_PLUGIN_DIR):
	* src/db-plugins.c: New interface for database plugins.
	* src/report-plugins.c: Don't be afraid if there is no reporting plugin loaded. It can be normal now that there is Manager relaying and database plugin (and counter measure plugin to come).
	* src/prelude-manager.c (main): Initialize db plugins.

2001-12-07  Yoann Vandoorselaere

	* src/idmef-func.c (idmef_additional_data_free): add missing function.

2001-12-05  Yoann Vandoorselaere

	* src/pconfig.c: get rid of the config_quiet configuration variable that was needed by libprelude. Use prelude_log_use_syslog() when needed.

2001-12-03  Yoann Vandoorselaere

	* src/server.c (server_close_connection_cb): print the remote end address when closing the connection.

2001-11-22  Yoann Vandoorselaere

	* plugins/decodes/prelude-nids/Makefile.am:
	* src/Makefile.am (prelude_manager_LDADD): no need to link with XML library anymore...
	* src/idmef-message-read.c: remove lots of debugging stuff.
	* src/idmef-func.c (idmef_get_timestamp): use : separate date and hour by an empty space, not a 'T' because it is annoying for database operations.
	* plugins/reports/mysql/Makefile.am: use mysql_config output.
	* plugins/decodes/prelude-nids/decode.c (nids_decode_run): use tail recursion instead of a loop, this makes this function more readable.
	* src/idmef-message-read.c (process_get): PID is a 32 bits unsigned integer.

2001-11-16  Yoann Vandoorselaere

	* plugins/reports/mysql/mysql.c (print_target): output in Prelude_Target table. Attribute is decoy, not spoofed.
	* src/idmef-func.c (idmef_target_new):
	(idmef_source_new): set spoofed and decoy attribute to default to unknown.
	* src/Makefile.am (INCLUDES): Include local headers *before* installed headers.
	* plugins/reports/mysql/mysql.c: alert ident is auto incremented. Also fix some missing inserts.
	* plugins/decodes/prelude-nids/decode.c: Remove code that is now handled by generic IDMEF message subsystem.
	* src/idmef-message-read.c: new file. Read IDMEF message.
	* src/include/idmef-func.h: moved idmef.h here.

2001-11-14  Yoann Vandoorselaere

	* Kill warnings everywhere.
	* plugins/reports/mysql/mysql.c: quote passed argument. Now does what it is supposed to do: Insert data in a MySQL database.
	* configure.ac (CFLAGS): fix typo that resulted in no more warnings.
	* src/idmef.c (idmef_alert_new): Init address list.
	* plugins/reports/mysql/mysql.c: cleanup + lots of work toward complete MySQL support.
	* src/include/idmef.h:
	* src/idmef.c: Add enum to string conversion function. Fix analyzer class.

2001-11-14  Sylvain GIL

	* plugins/reports/mysql/mysql.c: sql output code for all funcs, no runtime test has been done yet.

2001-11-10  Yoann Vandoorselaere

	Forwarding between Managers should work now.
	* src/pconfig.c (configure_relay): get the relaying entry.
	(pconfig_init): call configure_relay().
	(manager_relay_msg_if_needed): new public function. This has nothing to do here, and the content of this file might be moved to prelude-manager.c soon.
	* src/prelude-manager.c (main): catch SIGTERM signal.
	* src/alert-scheduler.c (process_message): new function.
	(process_alert): call process_message(). Move all the processing stuff into this new function.
	(process_message): call the message relaying function (manager_relay_msg_if_needed).
	* plugins/reports/mysql/mysql.c (dprintf):
	(print_address):
	(print_node):
	(print_userid):
	(print_user):
	(print_process):
	(print_service):
	(print_source):
	(print_analyzer):
	(print_classification): Use the new dprintf macro to only print fields that are set. This still has to be replaced with correct MySQL output.
	* plugins/decodes/prelude-nids/decode.c (msg_to_packet): return -1 on error.
	(nids_decode_run): check msg_to_packet return value.
	* prelude-manager.conf.in: Add a commented example about how to use Manager relaying using the new relay-addr config entry.

2001-11-08  Yoann Vandoorselaere

	* prelude-manager.conf.in: remove SSL configuration stuff, as it is now asked in manager-adduser.
2001-11-07 Yoann Vandoorselaere * src/alert-scheduler.c (alert_scheduler_exit): made static. (alert_scheduler_init): use atexit to call alert_scheduler_exit(). 2001-11-06 Yoann Vandoorselaere * plugins/reports/mysql/mysql.c: use plugin configuration API to gather database required configuration (dbhost, dbuser, dbpass). Coding style correction. (db_escape): set NULL string pointer to point on an empty string. This fix a MySQL module crash. 2001-11-06 Sylvain GIL * plugins/reports/mysql/mysql.c: first real mysql calls 2001-11-05 Yoann Vandoorselaere * manager-adduser/manager-adduser.c: include config.h 2001-10-30 Yoann Vandoorselaere * src/server.c: deal with prelude-auth API change. Stop using deprecated socket-op function. Use prelude-io instead. * manager-adduser/manager-adduser.c: Handle the case when the openssl library is not installed. * src/server.c: socket-op interface is replaced by prelude-io interface. 2001-10-23 Yoann Vandoorselaere * src/prelude-manager.c (main): (cleanup): report plugins are back. * src/report-plugins.c (report_plugins_run): * src/decode-plugins.c (decode_plugins_run): cleanup, take a pointer to the IDMEF native binary structure as argument. * src/alert-scheduler.c (process_alert): call message decoder the reporting plugins. * src/Makefile.am (INCLUDES): remove libprelude-sensors CFLAGS from there. * plugins/reports/Makefile.am (SUBDIRS): compile mysql plugin. * plugins/decodes/prelude-nids/decode.c: Fit API change, translate the NIDS message to the native prelude-Manager IDMEF format. * plugins/Makefile.am (SUBDIRS): reports plugins directory is back. * manager-adduser/Makefile.am (INCLUDES): put $(top_srcdir) in the include path. Should fix an error with config.h not in the path. * configure.ac: Do not check for libprelude-sensors, Create mysql plugin Makefile. 2001-10-18 Yoann Vandoorselaere * src/server.c (server_read_connection_cb): Fit prelude message API change. (server_close_connection_cb): ditto. 
(wait_connection): Set client socket non blocking. * src/server-logic.c: Adapt to work with prelude_io_t object instead of directly using file descriptor. * src/alert-scheduler.c: Include pthread.h (init_file_output): correct pthread_mutex_init usage. (get_alert_from_file): prelude_msg_read() now take a prelude_io_t object as argument. (alert_schedule): fit API change. 2001-10-16 Yoann Vandoorselaere * A lot of modification. Complete API change, use OOP model in non time critical place for maintainability reason. 2001-10-05 Yoann Vandoorselaere * src/auth.c (get_account_infos): better error reporting. (auth_check): ditto. (auth_check): logging of succeed / failed authentication is the caller job. * plugins/decodes/prelude-nids/decode.c (build_port): Try to get information about the source and destination port using the getservbyport() function. Also include the protocol used by this packet. 2001-10-04 Yoann Vandoorselaere * plugins/decodes/prelude-nids/decode.c (build_port): Better service description. 2001-10-03 Yoann Vandoorselaere * src/ssl.c: (ssl_auth_client): return the SSL object. As of now, we should be able to get several SSL connection at one time. And we shouldn't be leaking SSL objects anymore. * src/server.c: Lot of cleanup. Adapt to server-logic API change. Keep connection information in a per fd structure. * src/server-logic.c: Lot of API change in order to be able more than one server. * src/prelude-manager.c: correct include path. * src/Makefile.am (INCLUDES): add libxml2 cflags, (prelude_manager_LDADD): link with libxml2. Stop linking statically to the pthread library. * plugins/decodes/prelude-nids/decode.c: correct libxml2 include path. * plugins/decodes/prelude-nids/Makefile.am (INCLUDES): add libxml2 cflags. * configure.ac: correct AC_PATH_GENERIC usage. check for libxml2 and pthread library. 2001-09-28 Yoann Vandoorselaere * src/server-logic.c (child_reader): do not try to handle events on fd if revents is 0 (nothing occured on this fd). 
Use a different method to store connection key. Should be bug free this time. * src/ssl.c (ssl_init_server): use PRELUDE_MANAGER_CONF instead of PRELUDE_REPORT_CONF. call ssl_read_config() with a NULL section name. Use SENSORS_CERTIFICATE instead of PRELUDE_CERTS and MANAGER_KEY instead of REPORT_KEY. (ssl_create_certificate): ditto. * src/ssl-register-client.c (send_own_certificate): rename REPORT_KEY to MANAGER_KEY. (wait_certificate): rename PRELUDE_CERTS to SENSORS_CERTIFICATES. (ssl_register_client): pass a NULL section name to ssl_read_config, to that the ssl configuration key don't need to be in a specific section. * src/server.c (data_available_cb): Take a void pointer to client data. Theses clientdata are in fact the read function to be used for this file descriptor (ssl_read or read). (setup_unix_connection): Return a readfunc_t pointer. (setup_inet_connection): Return a readfunc_t pointer (pointer on the read function to use) or NULL on error. (wait_connection): If the setup_unix / setup_inet _connection() call fail, close the client socket, but don't pass the FD to server_process_request(). Pass the returned read function pointer as clientdata for the server_process_request() call. (setup_connection): Fix bad ssl_read_delimited() usage. Don't pass a static buffer, as ssl_read_delimited() will alocate the buffer to store read data. * src/server-logic.c: new type : manager_cnx_t, containing information about a connection (pointer on a member of a pollfd, and pointer on connection specific data). (remove_connection): (add_connection): (handle_fd_event): (child_reader): (create_fd_set): (server_process_requests): Make the necessary change so that it is possible to associate private data per connection. * src/pconfig.c (configure_listen_address): (configure_listen_port): (configure_as_daemon): (configure_quiet): Rename configuration file section from Prelude Report to Prelude Manager. 
(pconfig_init): Store plaintext authentication information in prelude-manager.auth instead of prelude-report.auth. * Makefile.am (preludeconf_DATA): Rename generated filename from prelude-report.conf to prelude-manager.conf 2001-09-26 Yoann Vandoorselaere * src/Makefile.am (bin_PROGRAMS): Rename from prelude-report to prelude-manager. (prelude_report_LDADD): link to the posix thread library. (prelude_report_SOURCES): remove cnx.c, add server-logic.c. prelude-report.c renamed to prelude-manager.c * src/prelude-report.c (main): (cleanup): update function name (report server is now called Manager). * src/server-logic.c: New file. contain all the server logic. * src/server.c: This file now only contain the basic server setup. This update bring an optimised architecture for the Prelude Manager, as defined in http://www.geocrawler.com/lists/3/SourceForge/1578/0/6666462/ 2001-09-14 Yoann Vandoorselaere * src/server.c (wait_connection): server mode is back on. * src/cnx.c (wait_raw_report): cleanup. Stop asking for report-infos. * plugins/decodes/prelude-nids/nids-alert-id.h : Sync with Prelude NIDS ID header file. * plugins/decodes/prelude-nids/decode.c (nids_decode_run): work on NIDS alert -> IDMEF message generation. 2001-09-02 Sylvain GIL * plugins/decodes/prelude-nids/Makefile.am Install nids decode plugin in correct directory 2001-09-02 Yoann Vandoorselaere * plugins/decodes/prelude-nids/decode.c (plugin_init): set id field to ID_PRELUDE_NIDS_ALERT. * src/cnx.c (wait_raw_report): Handle the decode_plugins_run return value. (wait_raw_report): added a special case if alert id is ID_IDMEF_ALERT. Include alert-id.h. * plugins/decodes/prelude-nids/decode.c (nids_decode_run): Add code to decode alert message. (plugin_init): this is now a real plugin. 2001-08-28 Yoann Vandoorselaere * src/decode-plugins.c (decode_plugins_run): the decoding plugins take a socket as argument, not an alert. 
* src/cnx.c (flush_unknow_data): new function, called to flush private data that weren't recognized by any decode plugins on the socket. (wait_raw_report): If sensor_data_id is not ID_NO_DATA, then start the decoding_plugins. Call flush_unknow_data() if no decoding plugins matched the data. * src/ssl.c: pass a config_t as argument to ssl_read_config(). * src/ssl-register-client.c (ssl_register_client): take a config_t argument. * src/prelude-report.c (main): call the decode_plugins init function. * src/auth.c (get_account_infos): (auth_check): handle socket-op.c API change. * src/cnx.c (setup_connection): handle socket-op.c API change. (setup_connection): remove XDR support. * src/decode-plugins.c: new file, handle decode plugins. 2001-08-19 Yoann Vandoorselaere * src/prelude/rules_parsing.c (signature_parser_add_post_processing): renamed from add_post_processing. (signature_parser_post_processing): now return an int. Remove the rule_parsed variable (used to communicate with yacc/lex), This belong to the rule parser plugin. * src/prelude/Makefile.am (prelude_SOURCES): rules_grammar.y and rules_lexer.c belong to the rules parser plugin. * src/prelude/protocol-plugins.c (protocol_plugin_init_port_list): Ooops, not memcmp... memset. * src/prelude/rules-type.c (print_segment): Remove un-necessary \n. (print_flags): ditto. (print_integer): ditto. (print_ip): ditto. * src/prelude/capture.c (set_device_variable): (setup_capture_from_device): Set the device_ADDRESS variable. This fix bug #452731. * src/prelude/rules.c (signature_engine_process_packet): Convert the leaf test result to boolean then XOR it against leaf_match->inversed. * src/plugins/detects/rules/rules.c (parse_signature_file): don't set rule counter to 0 here. This fix the bug were 0 rules added / ignored when reported in case there was several rules files included. 2001-08-18 Yoann Vandoorselaere * configure.ac: bump version number to 0.4.1. 
* src/prelude/include/plugin-detect.h: * src/prelude/detect-plugins.c (detect_plugins_run): * src/plugins/detects/arpspoof/arpspoof.c: Final version is now able to look at ARP cache overwrite attack. Use a hash table to store ARP entry. The hash function is a little weak, but it will be ok for now. * prelude-report.conf.in: Update to fit latest changes. * src/plugins/reports/xmlmod/xmlmod.c: * src/plugins/reports/filemod/filemod.c: * src/plugins/reports/htmlmod/htmlmod.c: * src/plugins/reports/execmod/execmod.c: * src/plugins/protocols/telnet/telnet.c: * src/plugins/protocols/rpc/rpc-plugin.c: * src/plugins/protocols/http/http.c: * src/plugins/detects/scandetect/scandetect.c: * src/plugins/detects/rules/rules.c: * src/plugins/detects/debug/debug.c: * src/plugins/detects/arpspoof/arpspoof.c: Update to fit latest configuration API change. * src/libprelude/plugin-common.c: Several cleanup, comment the code a little. (plugin_config_get): (generate_options_string): (get_missing_options): New function to be used by plugin to get their configuration. This will remove the configuration mess in all plugins. * prelude.conf: Update the configuration file to fit the latest changes. * src/libprelude/config-engine.c (config_get): If entry is found but not followed by an '=' character return an empty string, not NULL. Also, all config line should end with a ';' except section line. * src/prelude/Makefile.am (t): Applied patch from Sylvain Gil . This should fix the problem some people where having with Prelude not compiling because of the way it include libpcap. * include/nethdr.h: added some definition for ARP header. * src/plugins/detects/arpspoof/arpspoof.c: Start of the ArpSpoof detection plugins. 2001-08-17 Yoann Vandoorselaere * prelude-report.conf.in: new file. * prelude-report.conf: deleted. * configure.ac : generate prelude-report.conf from prelude-report.conf.in * Makefile.am (install-data-local): log directory is a subdirectory of $(localstatedir). 
This was done with the help of Sylvain Gil * prelude.spec: updated. 2001-08-15 Yoann Vandoorselaere * configure.ac: Bump version to 0.4.0. Handle the case when pthread_ function are in libc_r. * src/plugins/protocols/rpc/rpc-decode.c: * src/prelude-report/ssl.c: * src/prelude/rules_default.c: * src/prelude/write-func.c: * src/libprelude/ssl_config.c: * src/prelude/ssl.c: Portability fix. 2001-08-14 Yoann Vandoorselaere * Added missing copyright notice everywhere. * src/plugins/detects/rules/rules.c (plugin_init): Change contact informations, and set author to : "The Prelude Team". * src/prelude/rqueue.c: Change support mail address. * src/prelude/packet-decode.c (handle_ip_fragment): Fix cast. (handle_ip_fragment): do not free allocated_data here, this is packet_release job. (handle_ip_fragment): Commented out the hlen > caplen test done after defragmentation. This should never happen (put an assert instead). * include/packet.h: captured_data and allocated data are unsigned char ptr. 2001-08-13 Yoann Vandoorselaere * src/prelude/pconfig.c (pconfig_set): * src/prelude/rules.c (signature_engine_process_packet): Added the -o option (report-all), the effect of this option is to report all matching signature against a packet. * Makefile.am (install-data-local): create /var/log/prelude at install time. * prelude-report.conf (logfile): log in /var/log/prelude/prelude.log * src/libprelude/auth-common.c (ask_account_infos): Added a fprintf explaining what to do. * src/prelude/rules_default.c (match_id): (match_seq): Use network to host byte order translation function. (match_ack): ditto. (match_icmp_id): ditto. (match_icmp_seq): ditto. * src/prelude/rules_default.c: Integrated patch by Laurent Oudot that implement the TCP window test (Snort 1.8 compatibility). * src/prelude/rules_default.c (parse_sameip): (match_sameip): New function, handle the sameip test. (signature_engine_init): handle the sameip test. (match_win): * include/list.h (list_entry): Use void pointer. 
2001-08-12 Yoann Vandoorselaere * src/plugins/detects/rules/rules.c (signature_matched_cb): Call the rqueue_report function (renamed). * src/prelude-report/report-infos.c (get_cleartext_alert_kind): handle the guess alert kind. * src/prelude/rules_operations.c: * src/prelude/rules_default.c: * src/prelude/rules.c: Warnings fix. * src/prelude/Makefile.am: Make dist should work now. 2001-08-11 Yoann Vandoorselaere * src/prelude/include/Makefile.am (noinst_HEADERS): (EXTRA_DIST): add missing headers files. * src/prelude/Makefile.am (DEFS): correct for new method of compilation. * src/libprelude/include/Makefile.am (noinst_HEADERS): add missing headers files. * Makefile.am (SUBDIRS): remove libpcap from SUBDIRS. (EXTRA_DIST): add libpcap.tar and libpcap.diff. 2001-08-10 Yoann Vandoorselaere * src/plugins/protocols/telnet/telnet.c: Options / config file handling. * src/plugins/protocols/rpc/rpc-plugin.c : * src/plugins/protocols/rpc/rpc-decode.c: Big cleanup, almost total rew-write. Handle fragment records the right way. 2001-08-09 Yoann Vandoorselaere * src/plugins/protocols/telnet/telnet.c: New plugin, that handle telnet nogotiation character. * src/plugins/protocols/rpc/rpc-decode.c (decode_rpc): correct handling of the msg_type enumeration. * src/plugins/protocols/rpc/rpc-plugin.c (setup_own_default): default port is 111. * src/prelude/pconfig.c (print_usage): Request protocol plugin option printing. * src/libprelude/config-engine.c (chomp): Only NULL terminate the line if it is ended with a \n. * src/plugins/protocols/rpc/: completly rew-written the RPC plugin. * src/prelude/protocol-plugins.c (protocol_plugin_is_port_ok): (protocol_plugin_add_port_to_list): (protocol_plugin_add_string_port_to_list): (protocol_plugin_init_port_list): new function. This is the port_list API used by protocol plugins to see if a packet match a set of destination port. * src/plugins/protocols/http/http.c (match_uricontent): If there is no preprocessed URI, analyze the raw data. 
(decode_http_packet): return 0 when we matched an URI, as the payload is not modified. cleaned up, fixed some bugs. 2001-08-08 Yoann Vandoorselaere * src/prelude/packet-decode.c (packet_new): (SliceAndStoreDataPkt): Set application layer depth. (SliceAndStoreTcpPkt): (SliceAndStoreUdpPkt): Set transport layer depth. (SliceAndStoreIpPkt): Set network layer depth. * src/prelude/rules_default.c: * src/prelude/rqueue.c (determine_alert_kind): * src/plugins/protocols/rpc/rpc.c (decode_rpc): * src/plugins/protocols/http/http.c (http_decode): Modified to use the new packet_t member. * include/proto.h: depth_* enum are no longer used. * include/packet.h: new members : network_layer_depth, application_layer_depth, transport_layer_depth. This is used to locate certain kind of headers in the packet. This fix the bug people using not fully understood link layer protocol were having. Converted some member to int8_t in the packet_container_t structure. 2001-08-07 Yoann Vandoorselaere * src/plugins/protocols/rpc/rpc.c: * src/plugins/protocols/http/http.c: Add command line / configuration file options handling. The HTTP protocol plugin now also handle a portlist. 2001-08-06 Yoann Vandoorselaere * src/prelude/rules_default.c (match_ip_src): (match_ip_dst): correct debuging output. * src/libprelude/plugin-common.c (plugin_register): Only increase plugins_id_max if the plugin registered succesfully. (plugin_get_highest_id): cleanup (plugin_load_single): don't increase plugins_id_max here. * src/prelude/include/timer.h: * src/prelude/include/hostdb.h: * src/prelude/tcp-stream.c (tcp_stream_new): cleanup. * src/prelude/rules_default.c (match_content): this function is static. * src/prelude/rules.c (MAX_RULES_CALLED): set to 10000 instead of 50. This is a temporary workarround for getting all leaf match tested. 
* src/prelude/rsend.c (expire): * src/prelude/ip_fragment.c (ip_defrag_init): Id that are gonna be used into the host database should always be allocated before first hostdb usage. * src/prelude/prelude.c (main): call ip_defrag_init(). 2001-08-03 Yoann Vandoorselaere * src/plugins/protocols/http/http.c: New protocol plugin that decode the http protocol. It also provide the uricontent key (Snort compatibility). * src/prelude/rules_default.c (signature_engine_match_content): renamed from match_content, and made public. This function is to be accessed by certain protocol plugins. (signature_parser_parse_content): renamed from parse_content, and made public. This function is to be accessed by certain protocol plugins. (parse_content_list): New function, to handle the content-list test. This is not working yet. (signature_engine_init): handle the content-list test, fit other changes. (parse_depth): error checking. (parse_offset): error checking. (signature_engine_match_content): comment the code. 2001-08-02 Yoann Vandoorselaere * src/prelude/rqueue.c (plugin_rqueue_report): fix a bug that was making a crash possible when the alert kind was guessed. * src/prelude/rules_default.c: remove the ignore key macro (that was creating a new function for each use of this macro) just add a dummy function for test that we want to ignore. (match_ip_src): (match_ip_dst): Added temporary debuging printf in theses function. (signature_engine_init): handle the sid, rev, react, resp, logto, key correctly (Snort 1.8 compatibility) (match_ip_proto): new function that match an IP packet protocol member. (signature_engine_init): Handle the ip_proto test (Snort 1.8 compatibility). * src/prelude/packet-decode.c (SliceAndStoreDataPkt): fix several possible bug related to protocol plugins handling. (SliceAndStoreIpPkt): Match the packet against the new IP root node. (SliceAndStoreIcmpPkt): Len should *never* be zero (use ICMP_MINLEN if the type is unknow). 
This should fix a report server crash we were seeing. * src/prelude/prelude.c: Updated copyright notice. * src/plugins/detects/rules/rules.c (get_protocol_node): handle the "ip" protocol (Snort 1.8 compatibility). * src/prelude/ip_fragment.c (ip_frag_destroy): (nfrag): minor cleanup. The frag_item_t structure don't need a prev member. 2001-07-31 Yoann Vandoorselaere * src/prelude/packet-decode.c (SliceAndStoreIcmpPkt): len should *never* be 0. If we don't know the Icmp type, handle the first 8 bytes of the icmp packet. Not the rest. 2001-07-30 Yoann Vandoorselaere * src/plugins/protocols/rpc/rpc.c: complete version of the RPC plugins. * src/prelude/rules_default.c (match_ip_src): (match_ip_dst): (match_port_src): (match_port_dst): (match_tcp_flags): (match_fragbits): (match_ttl): (match_tos): (match_id): (match_data_size): (match_seq): (match_ack): (match_itype): (match_icode): (match_icmp_id): (match_icmp_seq): (match_ipopts): (match_content): Matching function always return -1 on faillure. This is for coherency with the rest of the Prelude sources. * src/prelude/rules.c (signature_engine_process_packet): check explicitly that the match_packet function pointer return a negative value or not. Do the same for leaf function call (now test function return -1 in case of error). * src/prelude/packet-decode.c (packet_new): set the new protocol plugins members. (handle_ip_fragment): turn IP defragmentation back on. (SliceAndStoreDataPkt): if there is no more payload after a protocol plugin ran, just return. (SliceAndStoreDataPkt): comment the function. (SliceAndStoreDataPkt): analyze the part of the payload not handled by a protocol plugin. But always dump the whole payload (including protocol plugin data) at reporting time. * include/packet.h: Comment the different structures. add the protocol_plugin_id and protocol_plugin_data members to the packet_container_t structure. Theses members are used to store private protocol data by the protocol plugins. 
* src/prelude-report/report-infos.c (udp_dump): convert to host byte order before printing the len value of an UDP packet. * src/plugins/protocols/Makefile.am (SUBDIRS): this file was missing. 2001-07-26 Yoann Vandoorselaere * src/plugins/protocols/rpc/rpc.c: (match_rpc): current_data is not a pointer. (add_rpc_rules): better error checking. (parse_rpc): no parse the rpc rule cleanly. * src/prelude/rules_default.c (parse_port_type): fix bug where a rule containing the port 0, would be rejected. Port 0 is a valid port. Ditto for port 65535. (signature_engine_init): handle the classtype rule (used in Snort 1.8), this avoid us to reject rules using it. 2001-07-25 Yoann Vandoorselaere * src/plugins/Makefile.am (SUBDIRS): * src/plugins/protocols/Makefile.am (SUBDIRS): * configure.in (CFLAGS): add the protocols plugins directory / rpc protocols plugins directory to the compilation path. * src/plugins/protocols/rpc/decode.c (parse_rpc): squeleton for the rpc plugin. * src/prelude/include/plugin-protocol.h (plugin_protocol): (plugin_set_protocol): new macro. 2001-07-23 Yoann Vandoorselaere * src/prelude/include/rules.h: leaf_match_f_t now take a void pointer not a data_t. * src/prelude/rules_operations.c (add_leaf_match_by_id): new function to add a leaf match with care of it's priority. Not used for now. (add_rule_leaf_match): Now take a void argument pointing on a data type to pass when executing the leaf test callback. * src/prelude/rules_default.c: (match_ipopts): don't use a flag_t anymore. (match_content): use the new string_t structure, do not loop throught the global rule data anymore. (parse_offset): ditto (parse_depth): ditto (parse_content): ditto (set_nocase): new function (set the global string pointer to NULL for each rule parsed). (signature_engine_init): parse_ipopts is now a leaf test, add the new set_nocase() function to the post processing list. (parse_ipopts): Ipopts test are now leaf tests. 
This'll correct the memory problem we had because of theses test and the factorial tree duplication they result in. * src/prelude/rules.c (signature_engine_process_packet): Do not pass global rules data anymore, pass the data corresponding to our test. Coding style change. -1 is always to be returned in case of error. 2001-07-03 Yoann Vandoorselaere * src/prelude/include/packet-decode.h: don't include pcap.h here, as it will be a problem for people that don't have libpcap installed (as we use our own local libpcap). To avoid warning, declare an opaque pcap_pkthdr structure. 2001-07-01 Yoann Vandoorselaere * src/plugins/reports/filemod/filemod.c: flush the file descriptor. * src/prelude-report/server.c (wait_connection): (unix_server_start): (inet_server_start): Don't use tcp wrapper if we arre listening on an UNIX socket. * configure.in (LIBWRAP_PATH): tcp wrapper check wasn't working anymore. * src/prelude-report/server.c (tcpd_auth): oops, correct a double declaration. * Still working on code readability, function renaming... Also fixed several bug and simplified several function. 2001-06-22 Yoann Vandoorselaere * Too much change to list, Signature engine modified to fit the Prelude coding style, several part simplified, function renaming, try to make as much auto documenting code as possible. 2001-06-21 Yoann Vandoorselaere Applied portability patch from Jeremie Brebec * src/libprelude/rxdr.c (xdr_alert): convert the time_t argument to an unsigned long. use xdr_u_long(). * src/libprelude/plugin-common.c (RTLD_NOW): if RTLD_NOW isn't defined, define it to have the same value as RTLD_LAZY. * configure.in: check for inet_aton. 2001-06-20 Yoann Vandoorselaere * include/nethdr.h: use uintxx_t not u_intxx_t which isn't portable. Do not define the arphdr structure (this is creating conflict on several OS), instead, make the arphdr_t type. Thanks to Jeremie Brebec who pointed this out. 
2001-06-18 Yoann Vandoorselaere * src/plugins/detects/rules/rules.c: big, big cleanup. 2001-06-14 Yoann Vandoorselaere * src/libprelude/plugin-common.c (plugin_load_from_dir): fix a memory leak on error condition. 2001-06-13 Yoann Vandoorselaere * src/prelude-report/cnx.c (wait_raw_report): (wait_xdr_report): reference the new alert_t plugin member. * src/prelude/write-func.c (write_raw_report): (writev_raw_report): update to use the new alert_t plugin member. * src/prelude/rqueue.c (plugin_rqueue_report): (prelude_rqueue_report): set the alert->plugin member to a localy declared plugin (prelude_core_plugin). * src/plugins/reports/xmlmod/xmlmod.c (create_plugin_infos): * src/plugins/reports/htmlmod/html.c (output_plugin_infos): * src/plugins/reports/filemod/filemod.c (filemod_run): * src/plugins/reports/execmod/execmod.c (execmod_run): * src/libprelude/rxdr.c (xdr_alert): * src/libprelude/alert-common.c (read_alert): (alert_free): update to use the new alert_t plugin member. * include/alert-prv.h: instead of declaring plugin_generic_t member here, use a plugin_generic_t pointer. This make the code cleaner. * src/prelude-report/optparse.c (ip_optval): Corrected a 2 bytes out of bound access (thanks to Electric Fence). The code was assuming the kind and length bytes of the option were still in the buffer. * configure.in: * src/plugins/reports/xmlmod/Makefile.am: * src/plugins/reports/xmlmod/xmlmod.c: Big change : revert to not using libxml, as it involve several performance drawback for what we want to do that I don't want to deal with. 2001-06-12 Yoann Vandoorselaere * src/plugins/reports/xmlmod/xmlmod.c (xmlmod_run): (create_xml_document): use xmlNewDocRawNode. * src/plugins/reports/xmlmod/Makefile.am (xmlmoddir): New xmlmod plugin, convert a report to XML. This will serve as a future replacement to htmlmod when combined to a stylesheet. * src/plugins/reports/Makefile.am (SUBDIRS): include the xmlmod subdirectory. 
* prelude-report.conf: Add default config for the new xml reporting plugin. * configure.in: Add an entry for the new xml reporting plugin. * src/plugins/reports/filemod/filemod.c (check_opts): * src/plugins/reports/execmod/execmod.c (check_opts): * src/plugins/reports/htmlmod/htmlmod.c (check_opts): close the config file on error. Also, fix a bug in some of thoses function where the plugin would be disabled, if the enable flag was set on the command line *and* in the config file. * src/plugins/reports/htmlmod/html.c: cleanup the mess. (create_detailled_report): divided into several function. (output_hexdump): new function, also, escape "<", ">", and "&" character that were handled by the browser, even inside a
 tag. (So the report isn't screwed anymore
	when payload is html).
	
	(output_pktdump): new function.
	(output_report_infos): new function.
	(output_plugin_infos): new function.
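The output_hexdump escaping fix described above, shown as an added example that is not the project's htmlmod code: a hexdump renderer that entity-escapes "<", ">" and "&" in the ASCII column before a row is embedded in an HTML report, plus a checker that verifies no raw markup survives. Function names, the 16-byte row layout and the sample payload are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROW_BYTES 16
#define HEX_COL   (ROW_BYTES * 3)   /* "xx " per byte */
#define MAX_ESC   5                 /* longest entity emitted: "&amp;" */

/* Write the printable form of one payload byte to out, replacing the HTML
 * metacharacters with entities so that attacker-controlled payload bytes
 * cannot inject markup into the report. Returns the number of chars written. */
static size_t put_escaped(char *out, unsigned char c)
{
    const char *rep;

    switch (c) {
    case '<': rep = "&lt;";  break;
    case '>': rep = "&gt;";  break;
    case '&': rep = "&amp;"; break;
    default:
        out[0] = isprint(c) ? (char) c : '.';
        return 1;
    }
    memcpy(out, rep, strlen(rep));
    return strlen(rep);
}

/* Render a payload as hexdump rows safe to embed inside an HTML preformatted
 * block: hex column, two spaces, escaped ASCII column, newline per row.
 * Returns a malloc()ed string (caller frees) or NULL on allocation failure. */
char *html_hexdump(const unsigned char *data, size_t len)
{
    size_t rows = (len + ROW_BYTES - 1) / ROW_BYTES;
    size_t cap = rows * (HEX_COL + 2 + ROW_BYTES * MAX_ESC + 1) + 1;
    char *out = malloc(cap);
    size_t pos = 0, row, i;

    if (!out)
        return NULL;
    for (row = 0; row < len; row += ROW_BYTES) {
        for (i = 0; i < ROW_BYTES; i++) {
            if (row + i < len)
                pos += (size_t) sprintf(out + pos, "%02x ", data[row + i]);
            else
                pos += (size_t) sprintf(out + pos, "   ");  /* pad short last row */
        }
        pos += (size_t) sprintf(out + pos, "  ");
        for (i = 0; i < ROW_BYTES && row + i < len; i++)
            pos += put_escaped(out + pos, data[row + i]);
        out[pos++] = '\n';
    }
    out[pos] = '\0';
    return out;
}

/* Check a rendered dump: 1 if no raw '<' or '>' survives and every '&'
 * starts one of the entities we emit, else 0. A report writer could use
 * this as a last-line assertion before writing the row out. */
int hexdump_is_html_safe(const char *s)
{
    for (; *s; s++) {
        if (*s == '<' || *s == '>')
            return 0;
        if (*s == '&' && strncmp(s, "&lt;", 4) != 0 &&
            strncmp(s, "&gt;", 4) != 0 && strncmp(s, "&amp;", 5) != 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed payload carrying HTML, the case the ChangeLog entry describes. */
    const char payload[] = "GET /?q=<b>x</b>&a=1 HTTP/1.0\r\n";
    char *dump = html_hexdump((const unsigned char *) payload, sizeof(payload) - 1);

    if (!dump)
        return 1;
    fputs(dump, stdout);
    printf("html-safe: %s\n", hexdump_is_html_safe(dump) ? "yes" : "no");
    free(dump);
    return 0;
}
```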

	* src/prelude/rsave.c (backout_existing_report): 
	new function.

	* src/prelude/protocol-plugins.c (protocol_plugins_run): 
	return an integer (the len of the handled part of the payload),
	also, break as soon as a protocol plugin that can handle the
	payload is found.
	(protocol_plugins_run): Initialize ret, cause the list
	could be empty.

	* src/prelude/packet-decode.c (SliceAndStoreDataPkt): 
	Run the protocol plugins.

2001-06-11  Yoann Vandoorselaere  

	* src/prelude/prelude.c (main): use do_init_nofail
	macros for loading of protocol plugin, we don't want
	to exit if this subsystem fails.

	* src/libprelude/include/common.h (do_init_nofail): 
	new macros (do not exit in case of failure).

	* src/prelude-report/report-plugins.c: 
	Some cleanup.
	
	(report_plugins_init): Issue a warning and return -1
	if no plugins were loaded.


	* src/prelude/include/rqueue.h (prelude_do_report): 
	(plugin_do_report): initialize the report member to
	NULL. Good catch, by Jeremie Brebec 

	* src/prelude/rsave.c (setup_fd): Create the target
	directory if it doesn't exist (we don't want to fail
	here).

2001-06-11  Yoann Vandoorselaere  

	* src/prelude/packet-decode.c (SliceAndStoreTcpPkt): 
	* src/prelude/rqueue.c (determine_alert_kind): 
	Disable tcp stream for the moment, it's not ready.

	* src/prelude/ip_fragment.c (ip_frag_destroy): 
	(ip_frag_reasm): release packet.
	(ip_frag_create): lock packet.

	Lock the initial fragmented packet.

2001-06-07  Yoann Vandoorselaere  

	* src/prelude/include/plugin-protocol.h: 
	run function for this plugin returns an integer.
	The plugin_protocol_t structure also contains a list of detection
	plugins.

	* src/prelude/protocol-plugins.c (plugin_subscribe): initialize
	the list that contains detect plugins for this protocol plugin.
	(protocol_plugins_run): use plugin_run_with_return_value() macro.
	If a protocol plugin returns 0 (which means it could handle the payload),
	start the detection plugins associated with this protocol plugin.
	(protocol_plugins_search): New function, search for a protocol plugin
	that can handle the passed in protocol.

	* src/prelude/detect-plugins.c (register_to_plugin_provided_protocol): 
	New function, search for a protocol plugin that handles the protocol
	specified by the detect plugin. Associate the detection plugin 
	with the protocol plugin if found.
	(register_to_internal_protocol): renamed.

	* include/proto.h: added p_external to the protocol enumeration.
	This is to be used to specify a protocol plugin.

	* src/libprelude/include/plugin-common-prv.h (plugin_run_with_return_value): 
	new macro, allows getting the plugin_run function return value.

2001-06-06  Yoann Vandoorselaere  

	* src/prelude/include/detect-plugins.h: move the content
	of this header to plugin-detect.h. Removed.

	* include/packet.h: Add a refcount member,
	and two members containing data and tcp depth.

	* src/prelude/capture.c (pktalloc): 
	(setup_capture_from_device): Use malloc, stop using recycler here.

	* src/libprelude/plugin-common.c (plugin_request_new_id): 
	new function that returns a valid, not used, plugin identity.

	Many changes in this commit: we stop using recyclers because of
	the locking issues they bring and the little, almost non existent
	performance improvement they bring. We'll see for reinclusion later.
	Some cleanup.
	
2001-05-27  Yoann Vandoorselaere  

	* src/prelude/rqueue.c (plugin_rqueue_report): 
	(prelude_rqueue_report): if alert kind is guess,
	check if the packet is part of a known stream.

	* src/plugins/detects/rules/rules.c: use the guess
	alert kind.

	* include/alert.h (enum): new kind of alert : guess,
	which will use the tcp_stream provided mechanism to test
	if the stream is known.

	* src/prelude/tcp-stream.c: completely reworked the tcp
	stream reassembler... This one should now work and fix
	all leaks. It also implements its own hash table (inspired
	by the tcpdump one) instead of hostdb in order to gather
	connections in duplex (src / dst in the same entry whether
	they are reversed or not).
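
A duplex connection key of the kind the tcp-stream entry above describes (src / dst kept in one entry whichever direction the packet travels), written here as an added illustration that is not the Prelude code; flow_key_make, flow_key_hash and flow_key_equal are hypothetical names and the endpoint values used are constructed.

```c
#include <stdint.h>

/*
 * Duplex connection key: the two endpoints are ordered so that the
 * packet A:a -> B:b and its reply B:b -> A:a produce the same key and
 * land in the same hash bucket. Addresses and ports are taken in host
 * order here; a capture path would first apply ntohl()/ntohs().
 */
typedef struct {
        uint32_t lo_addr, hi_addr;
        uint16_t lo_port, hi_port;
} flow_key_t;

/* Canonicalise: the lower (addr, port) pair always goes first. */
flow_key_t flow_key_make(uint32_t saddr, uint16_t sport,
                         uint32_t daddr, uint16_t dport)
{
        flow_key_t k;
        int src_is_lower = (saddr < daddr) ||
                           (saddr == daddr && sport <= dport);

        if (src_is_lower) {
                k.lo_addr = saddr; k.lo_port = sport;
                k.hi_addr = daddr; k.hi_port = dport;
        } else {
                k.lo_addr = daddr; k.lo_port = dport;
                k.hi_addr = saddr; k.hi_port = sport;
        }
        return k;
}

/*
 * Bucket index for a table of `nbuckets`. The mix itself is a plain
 * multiplicative hash; direction independence comes from the key
 * already being canonical, not from the hash function.
 */
unsigned int flow_key_hash(const flow_key_t *k, unsigned int nbuckets)
{
        uint32_t h = k->lo_addr;

        h = h * 31u + k->hi_addr;
        h = h * 31u + k->lo_port;
        h = h * 31u + k->hi_port;
        return h % nbuckets;
}

/* 1 when both keys describe the same duplex connection, else 0. */
int flow_key_equal(const flow_key_t *a, const flow_key_t *b)
{
        return a->lo_addr == b->lo_addr && a->hi_addr == b->hi_addr &&
               a->lo_port == b->lo_port && a->hi_port == b->hi_port;
}
```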

2001-05-24  Yoann Vandoorselaere  

	* src/prelude/optparse.c (option_is_set): new function,
	checks if a given option is in the option buffer.
	Returns 0 on success, -1 on error.

	* src/prelude/hostdb.c (host_free): renamed host_del
	to host_free() as it makes more obvious what this function
	does.
	(hostdb_del): call packet_release before calling host_free().

2001-05-23  Yoann Vandoorselaere  

	* src/prelude/tcp-stream.c (tcp_stream_is_known):
	new function, tells if the current tcp packet is part
	of a tcp stream.
	(sequence_match_current_packet):
	(sequence_match_new_packet):
	New functions.

	* src/prelude/recycler.c
	(RecyclerLockChunk): Decrease the semaphore count.
	(RecyclerReleaseChunk): Increase the semaphore count.
	(RecyclerGetChunk): Wait for the semaphore count to be positive,
	but don't decrease it when sem_wait() returns.

	* src/prelude/include/recycler.h: declare recycler_get_chunk_nowait()
	here.

	* src/prelude/recycler.c (RecyclerGrow): got rid of an
	unused variable.

	* src/plugins/detects/scandetect/scandetect.c (new_cnx):
	don't lock the packet here anymore.
	(expire_cnx): ditto.
	(_cnxInfo): doesn't need to carry a pointer to the packet
	anymore.

	* src/prelude/ip_fragment.c (ip_frag_create): don't
	lock the packet anymore, as hostdb is doing it for us.
	(ipq_kill): ditto.
	(ip_frag_reasm): ditto.

	* src/prelude/hostdb.c (hostdb_new): now takes the
	packet_container_t argument and manages locking it.
	(hostdb_del): release the packet when refcount is 0.

	* src/prelude/tcp-stream.c: still working on tcp stream
	reassembly... The core should now be stable, and it's 
	cleaner.

	* src/prelude/prelude.c: include pcap.h to avoid warnings.

	* src/prelude/packet-decode.c (SliceAndStoreTcpPkt): 
	call tcp_stream_store().

	* src/prelude/tcp-stream.c: start of TCP stream reassembly code.
	We don't reassemble the whole data yet, but it will be easy.

	There are some problems with using the hostdb hash table for this stuff,
	and we end up having duplicate entries. The whole goal would be to make
	hostdb generic enough to handle this.

2001-05-21  Yoann Vandoorselaere  

	* src/prelude/ip_fragment.c (ip_frag_queue): return an int.
	(ip_frag_queue): remove the err: goto, and replace it with
	return -1. Return 0 on success.

	(ip_frag_reasm): don't kill the ip queue here in case of error.

	(ip_defrag): check the ip_frag_queue / ip_frag_reasm return value,
	kill the queued entry on any error.

	This fixes a leak on fragmentation attack detection.
	
2001-05-04  Yoann Vandoorselaere  

	* include/nethdr.h: add missing compatibility header.
	* Modify the whole sources to use the new type.
	
2001-05-03  Yoann Vandoorselaere  

	* src/plugins/reports/htmlmod/html.c (create_detailled_report):
	use the kind provided by report infos.

	* src/prelude-report/report-infos.c (get_cleartext_alert_kind):
	new function, returns a readable kind for the current report.

	* src/prelude/rqueue.c (rqueue_init): new function,
	create the Report Queue recycler.

	* src/prelude/prelude.c (main): call decode_init()
	here. (main): call rqueue_init().

	* src/prelude/packet-decode.c (decode_init): use
	MAX_PKTINUSE for recycler creation.

	* src/prelude/capture.c (capture_start): don't call
	decode_init() here.

	* src/prelude/async-write.c: remove the MAX_IO limit.
	This limit is now achieved in rqueue.c when there is no
	more free chunk in the recycler.

	* include/packet.h (MAX_PKTINUSE): define the maximum
	number of packets that can be locked simultaneously in
	Prelude. (Attack Detection / Alert reporting).

	* src/plugins/reports/execmod/execmod.c: new plugin
	that executes a given program with a report as argument.
	[untested].


2001-04-27  Yoann Vandoorselaere  

	* src/libprelude/include/rules.h: Remove the rules_t type,
	which is redundant with rule_t. Include a list member
	in rule_t.

2001-04-26  Yoann Vandoorselaere  

	* src/libprelude/rules_parsing.c: 
	* src/libprelude/include/rules-variable.h (variable_unset): 
	* src/libprelude/rules-variable.c:

	Move the variable code to its own file, because this is
	generic code and it is much cleaner.

2001-04-24  Yoann Vandoorselaere  

	* too many changes to list,
	  we do not use memcpy to copy the packet anymore,
	  we furnish a patched version of libpcap that allows Prelude
	  to use its own packet memory management.

	  This saves us a lot of recycler hacks,
	  and this represents a BIG performance gain.

2001-04-20  Yoann Vandoorselaere  

	* src/prelude/capture.c (search_datalink_handler): 
	Add DLT_LOOP, and DLT_RAW to the list.

	* src/prelude/packet-decode.c (SliceAndStoreRawPkt): 
	New function, for PPPOE handling.

	* src/prelude/capture.c (search_datalink_handler): 
	Print the datalink type as an integer.

2001-04-19  Yoann Vandoorselaere  

	* src/prelude/packet-decode.c (SliceAndStoreIcmpPkt):
	Better ICMP handling.
	When handling ICMP unreachable code, also decode the
	associated IP header / available data.

	* src/plugins/detects/rules/rules.c: subscribe to
	all protocols.
	(_r_parse_rules_file): redesign the parser to be more
	modular / readable.
	Each keyword has its own function.

2001-04-07  Yoann Vandoorselaere  

	* Merged back prelude_0_3 stable branch into HEAD.

2001-04-06  Yoann Vandoorselaere  

	* src/prelude/packet-decode.c (handle_ip_fragment): 
	(SliceAndStoreIpPkt): move the fragment handling
	part in another function.
	(SliceAndStoreIpPkt): check the option before any
	fragment operation.

	* include/packet.h (struct __tcphdr): 
	(struct __iphdr): 
	Snapend member is unused.
	
	* src/plugins/reports/htmlmod/htmlmod.c:
	complete rework, should fix almost all problems there
	were with the previous plugins.

	Also, we now use a symlink to point to the latest report,
	which avoids having to move generated files around...
	this also makes counting the number of report directories
	at init time an O(1) operation, not O(n),
	thanks to Renaud Chaillat for this idea.

	* src/plugins/reports/htmlmod/Makefile.am:
	* src/plugins/reports/htmlmod/html.c:
	* src/plugins/reports/htmlmod/html.h:
	Move all code responsible for HTML code generation
	to html.c.

	* src/prelude-report/prelude_report.c (cleanup):
	reset the signal to its default behavior before
	anything else.

2001-04-05  Yoann Vandoorselaere  

	* src/prelude-report/server.c (is_unix_socket_already_used):
	(unix_server_start): This should now handle the case where
	a UNIX socket already exists on the filesystem but isn't used.

	* src/prelude-report/ssl_register_client.c:
	(wait_connection):
	(send_own_certificate):
	(wait_certificate):
	(ssl_register_client):
	BIG cleanup, divided into several functions.

	* src/libprelude/ssl_gencrypto.c (get_full_hostname):
	new function.
	(add_DN_object): the default name for the certificate is the
	full machine name.

	* src/plugins/reports/htmlmod/htmlmod.c (html_run): 
	handle case where there is no more disk space.

	* src/prelude/rsave.c (sendfile_send): fix a typo.
	(sendfile_send): cast st.st_size to size_t.

2001-04-03  Yoann Vandoorselaere  

	* src/plugins/reports/htmlmod/htmlmod.c (write_host_infos):
	don't gather packet information ourselves, use the information
	provided in the report_infos structure.

	* src/prelude-report/report-infos.c (arp_dump): use inet_ntoa.
	(create_pktdump): fill sport / dport / saddr / daddr.

	* src/plugins/reports/htmlmod/htmlmod.c (write_host_infos):
	use the report_infos structure. Do not take a Packet_t argument,
	but a report_infos_t argument.
	(update_host_index): Adapt to write_host_infos changes.

	* src/prelude-report/include/report-infos.h: sp and dp
	are uint16_t.


2001-04-15  Yoann Vandoorselaere  

	* src/prelude/rwrite.c: removed the writing functions
	from there, use the functions now provided in write-func.c

	* src/prelude/rsave.c (backup_report): 
	use writev_raw_report().

	* src/libprelude/alert-common.c (do_read):
	use socket_read_nowait().
	(read_alert): use socket_read() for the first read call.
	(alert_read): the protocol and len members are now written in
	two steps, adapt the read call.

	* configure.in (enable_sendfile): oops,
	HAVE_SENDFILE was never defined.

	* src/libprelude/socket-op.c (do_socket_read):
	(socket_write):
	oops, fix a bug where errno was set to EINTR
	but was checked even when read() was returning 0.
	This was causing an endless loop.
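
The EINTR / end-of-file mistake described in the socket-op.c entry above, shown in an added example that is not the Prelude code: a read loop that retries only when read() itself failed with EINTR and treats a return of 0 as the peer closing, checked on a pipe with a deliberately stale errno. read_exact and demo_read_exact are hypothetical names.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Read exactly `len` bytes from fd (hypothetical helper).
 * Returns len on success, 0 if the peer closed before `len` bytes
 * arrived (EOF) and -1 on a real error.
 *
 * The bug in the entry above came from a loop of the shape
 *     do { ret = read(fd, buf, len); } while (ret <= 0 && errno == EINTR);
 * errno is only meaningful when read() returns -1; a return of 0 (EOF)
 * leaves errno untouched, so a stale EINTR kept the loop spinning.
 */
ssize_t read_exact(int fd, void *buf, size_t len)
{
        unsigned char *p = buf;            /* no arithmetic on void * */
        size_t done = 0;

        while (done < len) {
                ssize_t ret = read(fd, p + done, len - done);

                if (ret < 0) {
                        if (errno == EINTR)
                                continue;  /* interrupted: retry only here */
                        return -1;
                }
                if (ret == 0)
                        return 0;          /* EOF: errno is not consulted */

                done += (size_t) ret;
        }
        return (ssize_t) done;
}

/*
 * Self-check on a pipe: 5 bytes are written and the writer closes.
 * errno is set to EINTR beforehand to mimic the stale value from the bug;
 * a request for 5 bytes must succeed and a further request must report
 * EOF (0) instead of looping. Returns 1 when both hold, else 0.
 */
int demo_read_exact(void)
{
        int fds[2];
        char buf[8];
        ssize_t ret;

        if (pipe(fds) < 0)
                return 0;
        if (write(fds[1], "hello", 5) != 5)
                return 0;
        close(fds[1]);

        errno = EINTR;
        ret = read_exact(fds[0], buf, 5);
        if (ret != 5 || memcmp(buf, "hello", 5) != 0)
                return 0;

        errno = EINTR;
        ret = read_exact(fds[0], buf, 3);  /* nothing left: must be 0 */
        close(fds[0]);

        return ret == 0;
}
```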

2001-04-13  Yoann Vandoorselaere  

	* src/libprelude/alert-common.c (read_alert):
	* src/prelude/rwrite.c (write_raw_report): 
	* include/alert-prv.h (alert_message_len): 
	* src/prelude/rqueue.c (prelude_rqueue_report): 
	(plugin_rqueue_report): 
	Don't write more than what is needed.

	* include/packet.h (struct __iphdr):
	(struct __tcphdr): opts_len should not be unsigned.

	* src/prelude/packet-decode.c (SliceAndStoreNullPkt):
	don't call incr_depth (we don't store anything about this
	layer).
	(SliceAndStorePppPkt): ditto.
	(SliceAndStorePppBsdosPkt): ditto.
	(SliceAndStoreFddiPkt): ditto.

	* src/prelude/pconfig.c: no need to include pcap.h here.

	* src/prelude/capture.c: use poll() instead of select(),
	which spares us the fd set management...
	capture functions share more code.
	commented public functions.
	

2001-04-12  Yoann Vandoorselaere  

	* src/prelude/rwrite.c (rwrite_write): if there is an error
	writing the report, send the PIPE signal to the main thread
	anyway.

	* src/libprelude/socket-op.c (socket_write): (do_socket_read):
	cast buf to unsigned char (pointer arithmetic is not allowed
	on a pointer to void).

	* src/prelude/rqueue.c (prelude_rqueue_report): 
	move the vsnprintf call out of the report_new() func.

	* src/plugins/reports/htmlmod/htmlmod.c:
	use PATH_MAX, not NAME_MAX.
	(plugin_init): create the default HTML page if the
	symlink does not exist.

	* src/prelude-report/report-infos.c (tcp_dump): 
	(tcp_dump): use %ld in snprintf for seq/ack.

	* include/nethdr.h: include sys/types.h

	* src/prelude/packet-decode.c (SliceAndStoreIgmpPkt): 
	(SliceAndStoreIcmpPkt): use portable structure name.

	* src/prelude-report/report-infos.c: 
	* src/prelude/hostdb.c: 
	* src/prelude/ip_fragment.c:
	Correct header inclusion.
	
	* src/prelude-report/cnx.c: 
	* src/prelude/rwrite.c: 
	* src/libprelude/rxdr.c:
	include rpc/types.h

	* include/nethdr.h:
	* include/packet.h:
	all needed headers for portable network compilation
	should go in nethdr.h

	* src/prelude-report/server.c (inet_server_start): 
	call auth_init() here.

	* src/prelude-report/cnx.c (setup_connection): 
	use socket_read/write_delimited().

	* src/prelude-report/auth.c (get_account_infos):
	use socket_read_delimited().
	(separate_string): avoid an unnecessary strlen() call.
	(cmp): cleanup.
	(auth_check): use socket_write_delimited.

	* src/prelude/rsend.c (setup_connection):
	the read / write config_string functions were renamed...
	(do_connect): oops, the auth_init / auth_client call was
	not ok.

	* src/prelude/auth.c (write_auth_infos): cleanup, use
	socket_write_delimited.
	(read_auth_result): use socket_read_delimited(),
	we do not need such a large buffer.

	* src/libprelude/socket-op.c (do_socket_read): new function.
	(socket_read): use do_socket_read().
	(socket_read_nowait): new function, use do_socket_read().
	(socket_read_delimited): renamed from read_config_string.
	(socket_write_delimited): renamed from write_config_string.

	* configure.in: cleanup, check for some functions
	in libnsl and libsocket for portability.

2001-04-11  Yoann Vandoorselaere  

	* src/libprelude/auth-common.c (parse_auth_line): 
	use strtok instead of strsep, as strsep isn't ANSI.

	* configure.in: Version is 0.3b1
	* Merge stable change from head to prelude_0_3 branch.
	
2001-04-11  Yoann Vandoorselaere  

	* src/prelude-report/report-infos.c: define ARPOP_* and
	ARPHRD_* ourselves, as they are not defined on many systems.

	* src/prelude-report/optparse.c: define IPOPT_SECURITY
	and IPOPT_RA if not defined in common include file.

	* src/prelude/rsend.c (inet_connect): 
	use IPPROTO_TCP in setsockopt, not SOL_TCP (non standard).

	* src/libprelude/include/compat.h:
	* src/libprelude/compat.c: new file.
	(getopt_long): provide a wrapper to the getopt_long function
	if it is not present on this system.

	Include the compatibility header where it is needed.
	Include in the build.
	
	* src/prelude/ip_fragment.c: 
	include netinet/in_systm.h

	* src/prelude/pconfig.c:
	* src/plugins/detects/scandetect/scandetect.c:
	* src/plugins/detects/debug/debug.c:
	* src/libprelude/include/plugin-common.h:
	do not include getopt.h, this is not a standard header,
	and this has nothing to do here.

	
	* src/prelude-report/optparse.c (tcp_optval): 
	* src/libprelude/include/extract.h:
	use uint32_t instead of u_int32_t.

	* include/packet.h: 
	include sys/socket.h, net/if.h

	* configure.in: check for getopt_long.

2001-04-10  Yoann Vandoorselaere  

	* src/libprelude/socket-op.c: new file.
	(socket_read): read as many bytes as requested or die.
	(socket_write): write as many bytes as requested or die.
	(read_config_string):
	(write_config_string):

	* src/prelude/rwrite.c (write_raw_report):
	use a macro that checks the return value of
	the write() call for us. It makes the code much more readable.

	* src/prelude/rsend.c (set_options): new function.
	(setup_connection): divided into two functions.
	(setup_connection): use the new function calls
	read_config_string / write_config_string.

	* src/libprelude/alert-common.c:
	(read_alert): use a macro that checks the return value of
	the read() call for us. It makes the code much more readable.

	* src/libprelude/common.c: removed.
	* configure.in: cleanup.

2001-04-09  Yoann Vandoorselaere  

	* src/prelude/rqueue.c (report_new): return -1
	when updating.

2001-04-02  Yoann Vandoorselaere  

	* src/prelude/ip_fragment.c: Use uint8_t.

	* src/prelude/hostdb.c:
	* include/packet.h: added the missing include in_systm.h
	for BSD-like systems.

	* src/libprelude/plugin-common.c: getopt.h isn't
	a standard header... the getopt() function should be
	defined in unistd.h

	* src/libprelude/ssl_gencrypto.c: include e_os.h
	in order for this to compile with OpenSSL 0.9.5.

2001-03-30  Yoann Vandoorselaere  

	* src/libprelude/ssl_gencrypto.c (ssl_gen_crypto):
	* src/libprelude/ssl_registration_msg.c (save_cert):

	Set umask before creating the certificate / creating the key.
	This is a workaround because of our lack of knowledge about
	a BIO function that would permit setting permissions.
	We use umask instead of chmod() to avoid a potential race
	(window of time where the destination file would be readable
	by all). I also put a FIXME for this issue.
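
The umask-before-create pattern the entry above adopts, as an added example that is not the Prelude code: the mask is narrowed before the key file is created so there is never a moment when it is world-readable, then restored; the resulting mode bits are read back to confirm it. write_private_file, file_mode and demo_private_file_mode are hypothetical names and the file path and contents are constructed.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/*
 * Create `path` so that it is private from the first instant it exists
 * (hypothetical helper). The umask is narrowed to 077 before fopen()
 * creates the file and restored afterwards. Creating under the usual
 * process umask (often 022) and calling chmod() later would leave a
 * window in which the file is 0644 and readable by every local user.
 * Returns 0 on success, -1 on error.
 */
int write_private_file(const char *path, const char *data)
{
        mode_t old = umask(077);
        FILE *fp = fopen(path, "w");
        int rc = 0;

        if (fp == NULL) {
                umask(old);
                return -1;
        }
        if (fputs(data, fp) == EOF)
                rc = -1;
        if (fclose(fp) != 0)
                rc = -1;

        umask(old);                     /* restore the caller's mask */
        return rc;
}

/* Permission bits of `path`, or -1 if it cannot be stat()ed. */
int file_mode(const char *path)
{
        struct stat st;

        if (stat(path, &st) != 0)
                return -1;
        return (int) (st.st_mode & 0777);
}

/*
 * Create a demo file under /tmp (constructed name containing the pid),
 * read back its mode bits and remove it. Returns the mode, 0600 when
 * the narrowed umask took effect, or -1 on failure.
 */
int demo_private_file_mode(void)
{
        char path[64];
        int mode;

        snprintf(path, sizeof(path), "/tmp/umask_demo_%ld.key", (long) getpid());
        if (write_private_file(path, "-----CONSTRUCTED DEMO KEY-----\n") != 0)
                return -1;
        mode = file_mode(path);
        unlink(path);
        return mode;
}
```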

2001-03-29  Yoann Vandoorselaere  

	* configure.in: 
	bump version to 0.3.

	* src/plugins/reports/htmlmod/htmlmod.c (create_link_if_needed): 
	use a relative path.

	* src/prelude-report/server.c (wait_connection):
	call report_server_close() on return.
	
	(report_server_close): new function, 
	close server socket.

	* src/prelude/rsave.c (backout_report): set fd to -1
	after a backout. Return -1 if fd is not valid 
	(and do not try anything).

	* src/prelude/rsend.c (setup_connection): cleanup.

2001-03-28  Yoann Vandoorselaere  

	* src/prelude-report/cnx.c (wait_xdr_report): 
	set the packet member after the memset.

	* src/prelude/rwrite.c (rwrite_write): 
	* src/prelude/async-write.c (flush_aio_queue): 
	unlock the packet and free the alert here not
	in rwrite_write().

	* src/prelude/rsave.c (save_report): forgot
	to write some members of alert_t to the filedes.

	* src/prelude-report/cnx.c (wait_xdr_report): oops.

	* src/prelude-report/report-infos.c (report_infos_get): 
	set date_end member to NULL if there is no ending date.

	* src/plugins/reports/htmlmod/htmlmod.c (create_dir): 
	don't return an error if errno is EEXIST.

	* src/plugins/reports/sysplug/sysplug.c: use the rinfo
	pre-decoded date.

	* src/prelude/pconfig.c (pconfig_set): 
	(configure_port): 
	(configure_address): 
	* src/prelude-report/pconfig.c: 
	(configure_listen_port): 
	(configure_listen_address): 

	Fixed bug reported by Jeremie Brebec 
	related to data in the prelude config file never being
	read.
	
	* src/prelude-report/cnx.c (wait_raw_report): pass an
	alert_t to report_infos_get, not a packet.

	* src/prelude-report/report-infos.c (report_infos_get):
	* src/prelude-report/include/report-infos.h (report_infos_get):
	Now take an alert argument.
	Convert the start / end time_t into a date here because the ctime()
	function is expensive.
	
	* src/prelude-report/optparse.c: remove \n from string.

	* src/prelude/timer.c (wake_up_timer): removed a
	debugging printf.

	* src/prelude/recycler.c (RecyclerIsLocked): return
	the current refcount for this chunk.

	* src/prelude/detect-plugins-api.c (packet_release):
	(packet_lock):
	Cleanly deal with the recycler refcount.
	Document those functions.

2001-03-27  Yoann Vandoorselaere  

	* src/libprelude/rxdr.c (xdr_ip): encode/decode the ip_hl
	member.

	* src/prelude/capture.c (capture_from_single_device): 
	put back our filedes in our set on timeout.

	* src/prelude/ip_fragment.c (ip_defrag): never
	call ip_frag_destroy() directly, call ipq_kill().
	We were leaking a timer in some very special cases,
	resulting in an assert later when walking the timer
	list.

2001-03-26  Yoann Vandoorselaere  

	* src/plugins/reports/htmlmod/htmlmod.c (html_run): 
	use the .html extension.

	* src/prelude/packet-decode.c (decode_init): the maximum data size
	was determined using snaplen. This is wrong, and was resulting
	in a crash on big defragmented packets.
	The maximum defragmented packet size is 65535 bytes,
	use this size for now.

2001-03-23  Yoann Vandoorselaere  

	* src/libprelude/plugin-common.c
	(plugin_get_opts):
	some versions of getopt were crashing on this...
	always set a default argv when argc is 0.

	(plugin_set_args):
	Set help_flag to 1 if argc && argv are NULL.

	* src/prelude-report/pconfig.c: removed the -x (--use-xdr)
	flag from prelude-report, it now turns on XDR if the Prelude client
	requests it.

2001-03-23  root  

	* src/prelude-report/cnx.c (setup_connection): check errno.

2001-03-23  Yoann Vandoorselaere  

	* src/prelude/rwrite.c: 
	* src/prelude/rsend.c (setup_connection): 
	* src