ChangeLog
Mon May 14 10:05:32 EDT 2018 (njh)
----------------------------------
*: Renamed project as sniff2ban
Wed 8 Oct 14:29:33 BST 2014 (njh)
----------------------------------
sniff2ban.c: Fix read after free
Wed 16 Apr 21:29:35 BST 2014 (njh)
----------------------------------
sniff2ban.c: Improved handling of EEXISTS
Catch shellshocker
Thu Aug 2 09:23:39 BST 2012 (njh)
----------------------------------
Version 0.17
Wed Aug 1 21:10:29 BST 2012 (njh)
----------------------------------
README: Updated the synopsis text
Sun Jun 10 15:52:40 BST 2012 (njh)
----------------------------------
sniff2ban.c: Catch HTTP probes which use POST
Sun Apr 22 11:31:10 BST 2012 (njh)
----------------------------------
sniff2ban.c: Catch HTTP probes which use HEAD
Thu Apr 12 21:12:15 BST 2012 (njh)
----------------------------------
sniff2ban.c: Fix error message when bind fails on systems without libpcap
Thu Apr 12 20:56:08 BST 2012 (njh)
----------------------------------
sniff2ban.c: Catch FHScan Core 1.1
Thu Feb 16 09:33:15 EST 2012 (njh)
----------------------------------
sniff2ban.c, configure.ac: Added --enable-dovecot-scanning
Catch failed attempts to login to dovecot
Mon Jan 23 22:03:07 GMT 2012 (njh)
----------------------------------
sniff2ban.c: Added new HTTP attack sig
Reduce number of times a blocked SSH port is reblocked
later
Fri Jan 13 14:37:48 GMT 2012 (njh)
----------------------------------
sniff2ban.c: Added --tmpdir argument
Fri Jan 13 13:01:59 GMT 2012 (njh)
----------------------------------
sniff2ban.c: Put the tmp file in the system place, not /tmp
Fri May 13 14:28:40 EDT 2011 (njh)
----------------------------------
README: Document how to compile using tinycc
Wed Mar 2 20:29:13 GMT 2011 (njh)
----------------------------------
sniff2ban.c: Fix compilation problem when SSH scanning is enabled
but HTTP scanning isn't
Thu Feb 17 20:53:05 EST 2011 (njh)
----------------------------------
sniff2ban.c: Suggestion for how to avoid errors sending to clamd
Fri Feb 11 23:38:30 EST 2011 (njh)
----------------------------------
sniff2ban.c: Fix handling of TCP connection to clamd which could
eat sockets
Fri Feb 11 13:11:08 EST 2011 (njh)
----------------------------------
sniff2ban.c: Proof of concept, added --enable-ssh-scanning. I suggest
you do NOT enable it for now because the code
hasn't been hardened or optimised
Sun Feb 6 14:50:28 EST 2011 (njh)
----------------------------------
sniff2ban.c: Do perror, if verbose, when a send fails
Sat Feb 5 21:52:37 EST 2011 (njh)
----------------------------------
sniff2ban.c: Set MSG_NOSIGNAL on send if available
Sat Feb 5 14:23:22 EST 2011 (njh)
----------------------------------
sniff2ban.c: Ignore SIGPIPE - useful if sends to clamd fail
Wed Feb 2 21:34:33 GMT 2011 (njh)
----------------------------------
sniff2ban.c: Better error message if sniff2ban can't determine
how to talk to clamd
Tue Feb 1 22:37:21 EST 2011 (njh)
----------------------------------
Version 0.16
Tue Feb 1 19:11:49 GMT 2011 (njh)
----------------------------------
configure.ac: Now links on Darwin
Tue Feb 1 17:50:46 GMT 2011 (njh)
----------------------------------
sniff2ban.c, configure.ac: Now compiles on Darwin, but doesn't link yet
To link on Darwin, run configure then amend Makefile
adding -lresolv to the LIBS line
Wed Oct 27 14:09:57 BST 2010 (njh)
----------------------------------
sniff2ban.c: If there is no memmem but there is strncasecmp, use
that in preference to strcmp
Tue Aug 24 11:15:15 BST 2010 (njh)
----------------------------------
sniff2ban.c: Honour -d/-k quicker when an attacker is detected
Sun Aug 1 20:13:01 BST 2010 (njh)
----------------------------------
sniff2ban.c: Added the --version flag
Sun Aug 1 16:50:38 BST 2010
----------------------------------
Version 0.15.1
Sun Aug 1 16:20:39 BST 2010 (njh)
----------------------------------
sniff2ban.c: Properly END the clamd session
Sat Jul 31 20:57:50 BST 2010 (njh)
----------------------------------
sniff2ban.c: Use clamd IDSESSION
Sat Jul 31 20:12:52 BST 2010 (njh)
----------------------------------
configure.ac: Handle netstats that use -? instead of --help
Fri Jul 16 10:33:17 BST 2010 (njh)
----------------------------------
sniff2ban.c: Some tidying and extra signatures
Wed Jun 9 10:37:13 EDT 2010 (njh)
----------------------------------
sniff2ban.c: More efficient checking if clamd_conf isn't found
Wed Jun 9 02:50:01 BST 2010 (njh)
----------------------------------
sniff2ban.c: Syslog entry now differentiates between the different types of problem
Fri Jun 4 16:37:30 BST 2010 (njh)
----------------------------------
sniff2ban.c: Added signature for "Toata dragostea mea pentru iEdi"
Tue Jun 1 10:09:21 EDT 2010 (njh)
----------------------------------
sniff2ban.c: Added signature for "Toata dragostea mea pentru diavola"
Tue Jun 1 10:04:19 EDT 2010 (njh)
----------------------------------
sniff2ban.c: Added new Morpheus signature
Thu May 20 18:40:42 EDT 2010 (njh)
----------------------------------
sniff2ban.c: Allow '--help'
Tue May 11 22:30:05 EDT 2010 (njh)
----------------------------------
sniff2ban.c: When verbose, say that HTTP scanning is on
Fri Apr 30 16:12:23 EDT 2010 (njh)
----------------------------------
configure.ac: More informative message about why we're looking for
netstat, and why it isn't fatal if netstat
doesn't support the -W flag
Tue Apr 20 08:32:10 BST 2010 (njh)
----------------------------------
Version 0.15
Sun Apr 18 21:11:45 BST 2010 (njh)
----------------------------------
sniff2ban.c,configure.ac: Added support for OpenBSD
Thu Apr 8 11:26:38 BST 2010 (njh)
----------------------------------
sniff2ban.c: Start table driven code for HTTP probes
Tue Apr 6 11:57:42 BST 2010 (njh)
----------------------------------
sniff2ban.c: Find probes for Mambo
Mon Apr 5 19:48:23 BST 2010 (njh)
----------------------------------
sniff2ban.c: Fix some of the HTTP probe scanning
Sat Apr 3 16:56:33 BST 2010 (njh)
----------------------------------
sniff2ban.c: Scan for more HTTP probes
Mon Mar 29 17:33:29 BST 2010 (njh)
----------------------------------
sniff2ban.c: More informative message when a site is blocked
Sun Mar 28 21:30:42 BST 2010 (njh)
----------------------------------
sniff2ban.c: Remove hardcoded 80 for HTTP port
Sat Mar 27 16:49:54 GMT 2010 (njh)
----------------------------------
sniff2ban.c, configure.in: Tidied --enable-http-scanning
Sat Mar 27 15:49:35 GMT 2010 (njh)
----------------------------------
sniff2ban.c, configure.in: Added SITES_ENABLED_DIR
Sat Mar 27 13:59:48 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Report requests CONNECT to a remote port 25 via our
port 80
Fri Mar 26 22:53:00 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Report HTTP requests for sites other than us
Wed Mar 24 14:51:53 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Added simple checks for HTTP hacks
Wed Mar 24 09:10:15 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Code tidy
Tue Mar 23 21:34:06 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Added the -W flag. When this is set we don't scan
data sent from whitelisted addresses.
Mon Mar 15 11:36:47 GMT 2010 (njh)
----------------------------------
configure.ac: Added fixes for Solaris
Sun Mar 14 11:17:19 GMT 2010 (njh)
----------------------------------
configure.ac/sniff2ban.c: Load libresolv on Linux/x86_64
Sun Mar 14 10:51:45 GMT 2010 (njh)
----------------------------------
configure.ac/sniff2ban.c: Support systems without res_query()
Sun Mar 14 10:18:49 GMT 2010 (njh)
----------------------------------
configure.ac/sniff2ban.c: Support for FreeBSD7.0
TODO: "make install" doesn't work on this platform
Fri Mar 5 20:14:53 EST 2010 (njh)
----------------------------------
configure.ac: Added HAVE_IPHDR (still needs to be fully used)
Tue Mar 2 09:11:12 EST 2010 (njh)
----------------------------------
configure.ac: Look for lsof in /usr/pkg/sbin for NetBSD
Mon Mar 1 10:49:14 EST 2010 (njh)
----------------------------------
configure.ac: Add check for __sighandler_t
Mon Mar 1 10:15:06 EST 2010 (njh)
----------------------------------
configure.ac: Fix problems when using ksh to run configure
Sat Feb 27 09:41:19 EST 2010 (njh)
----------------------------------
sniff2ban.c, configure.ac: Look for fchown
Fri Feb 26 17:10:20 EST 2010 (njh)
----------------------------------
sniff2ban.c: More autoconf work
Wed Feb 24 15:52:27 EST 2010 (njh)
----------------------------------
sniff2ban.c: If we can't find clamd.conf then continue, but the
socketname MUST be given
Wed Feb 24 09:33:35 EST 2010 (njh)
----------------------------------
*: On systems other than Linux, pcap is required
Tue Feb 23 12:36:13 EST 2010 (njh)
----------------------------------
configure.ac: Find clamd.conf
Mon Feb 22 19:04:22 EST 2010 (njh)
----------------------------------
configure.ac/sniff2ban.c: Look for netstat -W and/or lsof
Sat Feb 20 16:30:41 EST 2010 (njh)
----------------------------------
*: Started playing with autoconf and automake
Fri Feb 19 12:24:55 EST 2010 (njh)
----------------------------------
Changelog: Renamed to ChangeLog
Fri Feb 12 17:43:14 EST 2010 (njh)
----------------------------------
Version 0.10
Fri Feb 12 10:32:42 EST 2010 (njh)
----------------------------------
sniff2ban.c: Added HAVE_NETSTAT_WIDE so that sniff2ban will now
use lsof if netstat doesn't have the -W option
Wed Feb 10 21:30:28 EST 2010 (njh)
----------------------------------
README: Note that the -k option needs a netstat that supports
-W
Wed Feb 10 19:21:20 EST 2010 (njh)
----------------------------------
sniff2ban.c: If the socket name isn't given then take a guess
what it should be
README: Document the above
Sun Jan 17 15:55:42 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Small performance improvements
Sun Jan 17 06:00:54 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Slight speed improvement to add_ip_to_whitelist()
Fri Jan 15 11:55:15 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Fixed compiler warning on Solaris
README: Removed the note to add -lresolv on Solaris, since that's always in
Thu Jan 14 22:13:21 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Handle hostnames that are too long (don't ISPs ever read specs??)
Wed Jan 13 12:13:39 GMT 2010 (njh)
----------------------------------
hashtable*: Added some ideas from OpenZap
Tue Jan 12 08:38:46 GMT 2010 (njh)
----------------------------------
sniff2ban.c: Fixed compiler warning
Sun Dec 27 05:37:56 GMT 2009 (njh)
----------------------------------
README, Makefile: Be explicit about the need to run as root
Mon Dec 21 02:04:26 GMT 2009
----------------------------------
Version 0.07
Wed Dec 16 12:12:32 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Fix -S bug that was stopping anything from being killed
Wed Dec 16 10:59:47 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Added the -S flag. Use the 'x' glibc extension to fopen.
Wed Dec 16 09:12:05 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Print out the name of the process being killed with the
-k option
Mon Dec 7 15:04:39 GMT 2009 (njh)
----------------------------------
sniff2ban.c: The output from netstat is now printed if verbose >= 3
Mon Dec 7 14:28:44 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Faster parsing of netstat's output
Sun Dec 6 18:53:23 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Stopped killing self with -k if netstat's output can't be parsed
Sun Dec 6 13:29:43 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Added the -k option
Thu Oct 15 13:55:53 EDT 2009 (njh)
----------------------------------
Makefile: Added make install
sniff2ban.c: Corrected the fputs added on 5/9/09
Wed Sep 9 20:26:14 BST 2009 (njh)
----------------------------------
sniff2ban.c: Handle long hostnames better
Sat Sep 5 21:52:42 BST 2009 (njh)
----------------------------------
sniff2ban.c: Print a message on stderr if clamd has gone away
Tue Jul 28 11:17:52 BST 2009 (njh)
----------------------------------
sniff2ban.c: Better handling of some (broken) pcap_lookupnets
which mask deviceaddr with devicemask before
they return
Mon Jul 13 09:42:22 BST 2009 (njh)
----------------------------------
sniff2ban.c: Allow hostnames to be whitelisted as well as IPv4
addresses and ranges
Tue May 12 09:02:15 EDT 2009 (njh)
----------------------------------
Version 0.06
Sat Apr 25 19:29:44 BST 2009 (njh)
----------------------------------
sniff2ban.c: Rejig what we are doing when we wait for the iptables
command to finish
Tue Apr 21 21:00:19 BST 2009 (njh)
----------------------------------
sniff2ban.c: Use waitpid() instead of wait()
Tue Apr 21 20:10:23 BST 2009 (njh)
----------------------------------
sniff2ban.c: Fix a core dump
Tue Apr 21 13:36:37 BST 2009 (njh)
----------------------------------
sniff2ban.c: Call iptables via fork()/exec(), not system()
Mon Apr 20 10:20:00 BST 2009 (njh)
----------------------------------
sniff2ban.c: Allow /netmask to be added to whitelist addresses
Sun Apr 19 15:42:01 BST 2009 (njh)
----------------------------------
sniff2ban.c: Add levels of verbosity
Fri Apr 17 14:51:26 BST 2009 (njh)
----------------------------------
sniff2ban.c: When a FIN packet is received scan and recover
system resources
When a SYN packet is received scan and remove
previous data from that IP:Host
Thu Apr 16 14:48:32 BST 2009 (njh)
----------------------------------
Version 0.05
Wed Apr 15 12:19:51 BST 2009 (njh)
----------------------------------
sniff2ban.c: Added support for Solaris10 (using libpcap)
Wed Apr 15 11:21:59 BST 2009 (njh)
----------------------------------
sniff2ban.c: Added support for FreeBSD7.0 (using libpcap)
Tue Apr 14 08:49:09 BST 2009 (njh)
----------------------------------
sniff2ban.c: Fixed NetBSD related warnings when compiling on Linux
Mon Apr 13 17:42:15 BST 2009 (njh)
----------------------------------
sniff2ban.c: Added support for NetBSD4.0 (using libpcap)
Added -v option (verbose)
Sun Apr 12 19:20:21 BST 2009 (njh)
----------------------------------
sniff2ban.c: Use libpcap to filter non TCP packets
Sat Apr 11 18:31:13 BST 2009 (njh)
----------------------------------
sniff2ban.c: Improved handling of --dont-drop-self option, when
using libpcap
Sat Apr 11 16:23:05 BST 2009 (njh)
----------------------------------
sniff2ban.c: Ignore pcap_next failures
Fri Apr 10 18:58:33 BST 2009 (njh)
----------------------------------
sniff2ban.c: Started to remove the dependences on Linux (untested)
Fri Apr 10 18:43:11 BST 2009 (njh)
----------------------------------
sniff2ban.c: Added support for libpcap to capture the data
(define LIBPCAP in the source to enable)
Wed Apr 8 14:59:12 BST 2009 (njh)
----------------------------------
Version 0.04
Mon Apr 6 10:44:48 BST 2009 (njh)
----------------------------------
sniff2ban.c: Communication method to clamd is now specified
at the command line
Fri Apr 3 15:47:16 BST 2009 (njh)
----------------------------------
sniff2ban.c: Make a note about how to configure to talk to clamd
Mon Mar 30 15:49:12 BST 2009 (njh)
----------------------------------
Version 0.03
Sat Mar 28 16:22:51 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Fix problem detected by valgrind
Thu Mar 26 09:18:36 GMT 2009 (njh)
----------------------------------
Version 0.02
Tue Mar 24 15:47:18 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Take the interface out of promiscuous mode when quitting
Tue Mar 24 13:54:48 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Not all temporary files were being deleted on exit
Tue Mar 24 13:10:13 GMT 2009 (njh)
----------------------------------
sniff2ban.c: Add -s option to not drop the given interface