??/??/????: 0.9.6

??/??/2003: 0.9.6b24

- [03/09/2003] rdd
  - acid_stat_common.php (PortscanPktCnt): detect spp_portscan2 events correctly
  - acid_stat_common.php (PrintGeneralStats): honor the $show_stats setting correctly with regard to unique signature classifications
  - acid_state_common.inc (UniqueLinkCnt), acid_stat_iplink.php: fixed scrolling through the IP links page
- [03/06/2003] rdd
  - create_acid_tbls_[ pgsql | mysql].sql: added index for acid_event.[cid | sid]
  - acid_net.inc (acidGetHostByAddr): fixed bug in the calculation of expired DNS cache entries
  - acid_conf.php:
    * fixed signature references for the nessus and url reference systems
    * set $show_previous_alert = 0 by default
  - acid_stat_common.inc, acid_cache.inc, acid_stat_alerts.php: SQL optimizations
  - acid_db.inc (acidExecute): log LIMIT statements into the trace log
  - print more intelligent titles about the unit of data being displayed
- [03/05/2003] rdd
  - acid_cache.inc: rewrote all the sensor caching SQL to catch a couple of odd conditions, and be a bit more efficient (maybe)
- [02/10/2003] rdd
  - conform to RFC822 when sending email (i.e., don't send a bare \n; use \r\n) (reported: Chris Muth)

01/08/2003: 0.9.6b23

- [01/08/2003] rdd
  - 2003-2004 added to combo-boxes as time criteria
- [12/12/2002] rdd
  - acid_net.inc: detect invalid IP address cache entries and update them appropriately
- [11/12/2002] Christian Berg
  - check if PHP safe_mode is used before trying to set_time_limit()
- [10/15/2002] rdd
  - acid_qry_sqlcalls.php: fixed SQL generated when sorting by IP protocol on the Alert Listing page
  - acid_graph_form.php: fixed typo of ')
  - tweaked SQL to always quote constants for better index use with the PostgreSQL query optimizer (reported: Mike Gahagan)
  - fix to ICMP decode
  - added timezone to date in email export
  - updated McAfee and Snort signature reference URLs
  - complete re-write of state handling code (support without using PHP's register_globals)
  - input validation checks for criteria variables
  - added $external_sig_link configuration variable to eliminate hardcoded URLs in the signature references
  - added ICAT signature reference support
  - use JPGraph library for alert graphing
  - added pie chart support
  - added classification vs. number of alerts chart
  - added sensor vs. number of alerts chart

03/03/2002: 0.9.6b21

- CSV-formatted email alert action
- fixed bug in SQL generated when classification criteria is not set for a signature
- import current criteria in time profile of alerts histograms
- added support for custom PHP session handlers: $use_user_session, $user_session_path, and $user_session_function configuration variables (reported: Marty Linder)
- fixed SQL in acidSQL_UNIXTIMESTAMP to support PostgreSQL 7.2 (reported: Michael von Riegen)

02/05/2002: 0.9.6b20

- fixed output of error when the email alert action fails (Mike Pursifull)
- fixed ICMP type=3 decode when padding is not present in payload (reported: Steven Bennett)
- fixed SQL bug when referencing an event whose signature has no classification against a MS SQL server (Charlie Hand)
- added != operator for signature criteria
- added $use_sig_list configuration variable to support signature combo box in the search form (Steve Halligan)
- fixed bug in DNS lookup cache expiration (Lucas de Carvalho Ferreira)

11/29/2001: 0.9.6b19

- fixed bug in PostgreSQL and MS-SQL SQL in the IP link statistics page
- fixed bug in SQL generated for searches using 'src or dst' IP address criteria

11/13/2001: 0.9.6b18

- fixed bug with unescaped whois information being written to the database (reported: Mike Shaw)
- fixed bug in archiving alerts which have a null signature (reported: Paul Davis)
- added support for emailing alerts as an attachment (Marek Stiefenhofer)
- added $action_email_from, $action_email_subject, $action_email_msg, $action_email_mode configuration variables
- added support for MSSQL (Charles Hand)
- fixed the error message in acidPConnect() and acidConnect() in the case the connection failed (Charles Hand)
- fixed off-by-one error in acidFieldExists() (Charles Hand)
- decode of ICMP destination unreachable and time exceeded messages (Mike Daulie)
- fixed bug in email alert action which caused printable characters to be escaped as though they were HTML
- added ability to rebuild the event, DNS, and whois cache
- fixed "back" button support in the single alert listing, search page, first alert listing from the search page, single IP stats page
- fixed bug related to improperly remembered state when viewing the contents of an Alert group from the AG screen when global criteria is defined
- fixed bug in queries built with the != operator applied to IP addresses
- fixed bug in event caching of certain pre-processor alerts
- fixed bug in SQL for custom searches when using an IP address and an IP field
- added IP link statistics page
- added $main_page_detail configuration variable
- fixed bug in alert archiving which caused signature references and classification not to be copied (reported: Ryan Hill)

10/24/2001: 0.9.6b17

- last 72-hour, 24-hour, and today snapshot for IP addresses
- reduced the exponential session memory usage of the page history functionality (back button)
- added toggle for back button support (adds $maintain_history configuration variable)
- added $external_port_link configuration variable
- added classification statistics page

10/02/2001: 0.9.6b16

- fixed bug in generated SQL for Alert graphing when begin/end time are specified (reported: Andreas Hasenack)
- fixed bug in GetQueryResultsID() using strtok() with PHP 4.0.6.7rc2 (reported: Chris Koontz, Robert Settle)
- fixed bug in single alert display when the previous page had a sort criteria, causing the browsing buttons (next, previous) not to display the correct alerts in the sequence
- added links for external DNS resolution and alternate external whois links (adds $external_dns_link, $external_all_link configuration variables) (Diane Davidowicz)
- added support for 'url' references (Robert Grabowsky)
- fixed bug in archiving action which resulted in alerts being identified as duplicates (already archived) due to an improper count of which tables needed to be archived

09/17/2001: 0.9.6b15

- application "back" button
- SQL trace log (adds $sql_trace_mode and $sql_trace_file configuration variables)
- variable DB connection methods (adds $db_connect_method configuration variable)
- last 72-hour snapshot added for Alert Listing, and unique alerts

09/12/2001: 0.9.6b14

- config parameter 'html_no_cache': whether an HTML no-cache directive should be sent to the browser
- abstracted the functionality of displaying query results into OO classes: QueryResultsOutput and QueryState
- substantial re-organization of functions among the library files
- Summary statistics links for query results (adds $show_summary_stat configuration variable)
- additional page timing via OO class EventTiming (adds $debug_time_mode configuration variable)
- TCP and UDP port statistics
- modified sensor stats to accept criteria (Addam Schroll)
- fixed signature support in DDL SQL for DB v0 with event caching
- selectively clear criteria from query results
- fixed bug in alert graphing when x-value overflowed the GET parameter string
- CIDR notation for IP criteria
- fixed bug with alert action with blobs (e.g. signatures, sensors) where the number of alerts exceeded the number of blobs

07/29/2001: 0.9.6b13

- Alert caching: caching of data into the acid_event table
- signature classification support
- print page load timing information ($debug_time_mode)
- cache (DNS, whois, event cache) maintenance page
- fixed chart begin/end time form input so it "remembers" previously entered hour and day of month criteria (Sean Walberg)
- fixed bug in archiving that prevented layer-4 data from being copied (Addam Schroll)
- fixed bug in acid_stat_alerts so that sig_names (in DB schema v0) are properly URI encoded (Addam Schroll)
- fix for DB schema v0 update SQL for the event cache (Addam Schroll)

07/09/2001: 0.9.6b12

- acidGetDBVersion() added to class acidCon()
- removed BCMath requirement; a modified acidip2long() and acidlong2ip() can provide 32-bit unsigned IP operations (Christopher Ostmo)
- fixed bug in delete alert actions on signatures and sensors whereby the number of alerts for the query was improperly decremented (reported: Jeffrey Dell)

07/04/2001: 0.9.6b11

- fixed bug related to extraneous criteria being present in queries from the IP address statistics listing (acid_stat_ipaddr) (reported: Roeland Weve)
- fixed bug with Unique alert listings not transferring time-based criteria correctly to other pages linked from it (reported: Andreas Hasenack)
- Removed all remaining SQL references to ip_src? or ip_dst? since these fields are no longer present in DB schema v103. Note: this breaks classful IP searching (e.g. 127.0 => 127.0.*.*)
- Browser portability: fixed rendering issues in Konqueror with '>' and '<' translation (Ian Sharkey); fixed HTML of traffic profile graph to improve rendering in Opera (Andreas Steinmetz)
- Improved graph generation: auto-sizing of the x-axis labels (Ian Sharkey); sending proper MIME type and cache control headers (Andreas Steinmetz)
- SQL optimizations to improve speed (Ryan Poppa, Dave Randolph, rdd)
- No-cache HTTP header (Dave Randolph)
- Parsing of Snort spp_portscan log file (Blake Frantz)
- fixed bug in chart graphing (reported: Mark Menke) and alert histogram that caused invalid days to be added to the end of a month (e.g. viewing the 31st day of a month that only has 28 days)

06/18/2001: 0.9.6b10

- full internal support for manipulating IP addresses as 32-bit integers (required the bcmath library, --enable-bcmath)
- fixed links from event listing on single IP statistics page
- fixed bug with the browsing between alerts on the alert display when the only criteria is layer-4 protocol
- re-organized related code out of acid_common.php into separate *.inc
- fixed bug with email export when old-style inline references are used in the signature name (reported: Wozz)
- DNS hostname caching
- fixed bug in SQL generated for "Last x Unique Alerts" (reported: Andreas Hasenack)
- increased debugging information and explicit test for a correct version of PHP
- Hyperlink IP address in portscan messages (Michael Bell)
- Native whois queries with caching (requires --enable-sockets)
- configuration parameter (max_script_runtime) to set the max_execution_time PHP variable for time-consuming operations
- fixed bug with shared state incorrectly being carried over from acid_stat_ipaddr links back to query results (reported: Andreas Hasenack)
- previous timestamp of unique alert; link to the actual first/previous/last alert added on the unique alert page (Ryan Poppa)
- complete re-write of alert actions; new alert action API
- archive alert action
- several updates to alert data graphing: chart period, begin/end time (Michael Bell), thresholds, label rotation

05/08/2001: 0.9.6b9

- alert data graphing via PHPlot
- 'resolve_IP' parameter added to define whether FQDN are displayed on the unique IP address page
- fixed bug in export/emailing alert action related to signature normalization in schema v100 (reported: Wozz)
- added export/emailing of alerts in a summary format
- fixed bug in portscan traffic % graph where schema < v100 were given SQL for schema v100+

05/03/2001: 0.9.6b8

- fixed bug with alert action from the Query Results page which used the "Entire Query" specifier (reported: Frank Reid)
- fixed bug with Time profile incorrectly displaying the specific alerts, and Query form improperly processing IP addresses due to use of PHP sessions (reported: Cornett Wood, Steve Hutchins)
- fixed bug in scrolling through the alert display code (reported: Roeland Weve)
- catch DB schema flaw with ./create_postgresql v100 that defined event.signature as TEXT (reported: Roeland Weve)
- code security: explicitly import and initialize POST/GET variables
- added check of PHP build to confirm that the necessary DB libraries were built
- complete migration of shared state into PHP sessions
- fixed bug with criteria form converting user input to PostgreSQL SQL; using acidSQL_UNIXTIME
- fixed bug in portscan 'traffic profile' graph not reflecting schema v100 changes (reported: Helio)
- optimized performance of Unique Alert listing

03/26/2001: 0.9.6b7

- snapshot: most frequent IP addresses
- sorting capability and query optimization on Unique Address listing
- support for DB schema v1.0.0 (100) (normalized signatures, rule references)
- migration of shared state of 'most' pages into PHP sessions (cookie-based)

03/23/2001: 0.9.6b6

- fixed bug in UDP/ICMP 'traffic profile' graphs not displaying the correct background color (fix: Guillaume)
- fixed bug with sorting order in Unique Alert listing when number of alerts exceeds $show_row (fix: Luigi Gangitano)
- fixed typo bug in "most frequent alerts" which caused the destination address link to improperly display the unique IP address and Alert display page (fix: James Stahr)
- snapshot: all alerts in 24 hrs (Steve Halligan)
- fixed divide-by-zero error in number of alert count with the sensor statistics when no alerts exist (fix: Cornett Wood)
- support for rule references (rdd, Cornett Wood; bugs: Steve Halligan)
- fixed another division-by-zero error related to portscans (fix: Mark Motley)

02/12/2001: 0.9.6b5

- fixed bug in specifying time criteria consisting only of dates in main search
- added FQDN to the unique address listing
- wrap ASCII-text logged payload at 70 columns when printing alert (Frank Reid)

02/08/2001: 0.9.6b4

- fixed bug in alert display page when printing the packet payload (reported: Jason Haar)
- fixed bug in Today's Unique Alert listing so that when drilling into specific alert instances, only today's are actually shown (reported: Jason Haar)

02/08/2001: 0.9.6b3

- fixed bug which occurred when clicking on '# of occurrences' in the unique address listing reached from a unique alerts listing (reported: Erek Adams)
- display src/dest port when applicable with the IP address on query results
- added "# of alerts in AG" column in "list_all" view of the AG
- more complete sort capability in general query results, AGs, and unique alerts
- AG and delete actions supported from the sensor or unique alert page
- percentage graph of portscan traffic on main page
- improved export of alerts in the email messages
- fixed divide-by-zero bug in sensor statistics (reported: Cornett Wood)

01/29/2001: 0.9.6b2

- Database abstraction implemented
- Support for MySQL and PostgreSQL

01/22/2001: 0.9.6b1

- fixed bug which prevented the ability to scroll through "Unique Events" (reported: Jason Boyer)
- updated Alert Decode to also support ASCII sensor logging
- fixed bug with emailing results from "Unique Event statistics" (fix: Steve Halligan; reported: Jeff Oxenreider)

01/18/2001: 0.9.5

- added alert groups (AG)
- aggregate stats based on sensor (Stuart Stock)
- added alert purging
- added stats for single IP address (# of alerts, sensors) and whois lookups (Jeff Seeley, Bill Marquette)
- added unique IP addresses list (testing: Nathan Spande)
- added ability to email query results (Steve Halligan, agent33@geeksquad.com)
- fixed bug in alert arrival time graph when # of alerts was less than 1%
- generalized the IP proto decode
- fixed bug in criteria description when printing 'Last X' alerts
- updated DB check version code to be aware of new AG tables
- main and last-X alerts page refresh
- added sensor name as a search criteria
- added AG name as a search criteria
- signatures hyperlink to CVE, bugtraq, McAfee, or whitehats (Paul Harrington) which spawn a new browser window (Jason Harr jason.haar@timble.co.nz)
- added snapshot: today's alerts
- automated ACID's table and index creation
- added sort criteria for the search results (timestamp, signature)
- fixed bug in flags search criteria where PSH and RST were transposed (reported: Jed Pickel)
- fixed bug associated with using the '_' character in style sheet classes which caused them not to be valid under certain configurations (solution reported by: Jed Pickel)
- improved human-readable criteria description for queries (added descriptive text when TCP flags are criteria, removed extraneous blank lines)
- fixed bug in hex-encoded packet payload printing of ASCII equivalent
- added warning messages when erroneous search criteria is entered
- today's unique alerts
- JavaScript to automatically select all in the query results (Bill Marquette)
- Added ability to enter IP address criteria as either an octet or a single string (testing: Frank Reid)
- Added source/destination as a type of IP address criteria
- Most recent unique alerts
- Most frequent alerts

09/14/2000: 0.9.4

- fixed bug in mysql_connect() calls where the $alert_port variable was being ignored

09/13/2000: 0.9.3

- fixed bug in protocol graphs on main page
- fixed bug in the title display when acid_pkt_main is called
- added ability to drill into packets from the arrival time graph
- added FQDN and sensor information on packet lookup
- added check for Snort DB version to catch an old Snort DB or whether the SQL creation was not run

09/11/2000: 0.9.2

- initial public release
- added alert arrival time graphing

09/09/2000: 0.9.1

- fixed bug in how JOINs are made in queries
- added last x-number of alerts by protocol feature

09/08/2000: 0.9.0

- limited release
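Two of the entries above touch the same underlying problem: 0.9.6b10 first manipulated IP addresses as 32-bit integers (requiring bcmath), 0.9.6b12 dropped that requirement with modified acidip2long()/acidlong2ip(), and 0.9.6b14 added CIDR notation for IP criteria. The difficulty is that PHP's native ip2long() returns a negative int for anything above 127.255.255.255 on 32-bit builds, and bitwise masking on a float-widened value is unreliable there. The following is an added example, not ACID's own code: the function names, the pure-arithmetic approach, and the assumption that the address column holds an unsigned 32-bit integer are all this example's own. It converts dotted quads to unsigned 32-bit values without bcmath or bitwise operators, rejects malformed input (so it can double as the input validation a criteria variable needs), and reduces a CIDR criterion to a numeric range that a SQL predicate can use directly.

```php
<?php
// Added example (not ACID's own code). Function names are chosen here;
// they are not ACID's acidip2long()/acidlong2ip().

/**
 * Dotted-quad IPv4 string -> unsigned 32-bit value using only arithmetic.
 * On 32-bit PHP the result silently widens to a float above PHP_INT_MAX,
 * which still compares and sorts correctly; on 64-bit PHP it stays an int.
 * Returns null for malformed input so callers can reject it as criteria.
 */
function ipv4_to_u32(string $ip)
{
    if (!preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/', $ip, $m)) {
        return null;
    }
    $octets = array_map('intval', array_slice($m, 1));
    foreach ($octets as $o) {
        if ($o > 255) {
            return null;
        }
    }
    return (($octets[0] * 256 + $octets[1]) * 256 + $octets[2]) * 256 + $octets[3];
}

/**
 * Unsigned 32-bit value (int or float) -> dotted-quad string.
 * fmod()/floor() are used instead of & and >> so the float path is safe.
 */
function u32_to_ipv4($n): string
{
    $parts = [];
    for ($i = 0; $i < 4; $i++) {
        $parts[] = (int) fmod($n, 256);
        $n = floor($n / 256);
    }
    return implode('.', array_reverse($parts));
}

/**
 * "a.b.c.d/prefix" -> [first, last] unsigned values of the block, or null.
 * The block size is 2^(32-prefix); rounding the base down to a multiple
 * of the block size gives the network address without a bitmask.
 */
function cidr_to_range(string $cidr)
{
    if (!preg_match('#^([\d.]+)/(\d{1,2})$#', $cidr, $m)) {
        return null;
    }
    $prefix = (int) $m[2];
    $base   = ipv4_to_u32($m[1]);
    if ($prefix > 32 || $base === null) {
        return null;
    }
    $size = pow(2, 32 - $prefix);           // addresses in the block
    $net  = floor($base / $size) * $size;   // round down to block boundary
    return [$net, $net + $size - 1];
}

function ipv4_in_cidr(string $ip, string $cidr): bool
{
    $n = ipv4_to_u32($ip);
    $r = cidr_to_range($cidr);
    if ($n === null || $r === null) {
        return false;
    }
    return $n >= $r[0] && $n <= $r[1];
}

/**
 * SQL predicate for a CIDR criterion. Assumes $column stores the address as
 * an unsigned 32-bit integer (an assumption of this example). The column
 * name is caller-supplied and must not come from user input; the range
 * bounds are emitted with %.0f so a float-widened value never prints in
 * scientific notation.
 */
function cidr_sql_predicate(string $column, string $cidr)
{
    $r = cidr_to_range($cidr);
    if ($r === null) {
        return null;
    }
    return sprintf('%s >= %.0f AND %s <= %.0f', $column, $r[0], $column, $r[1]);
}

// Usage with constructed inputs: a multicast address above 2^31 round-trips,
// a /16 criterion becomes a range, and malformed criteria are rejected.
var_dump(u32_to_ipv4(ipv4_to_u32('224.0.0.1')));
var_dump(ipv4_in_cidr('192.168.1.77', '192.168.0.0/16'));
var_dump(ipv4_in_cidr('10.0.0.1', '192.168.0.0/16'));
var_dump(cidr_sql_predicate('ip_src', '192.168.0.0/16'));
var_dump(ipv4_to_u32('300.1.1.1'));
var_dump(cidr_to_range('10.0.0.0/40'));
```

The range form is also what makes the criterion index-friendly: a `>=`/`<=` pair on an integer column can use a B-tree index, whereas applying a mask function to the column in the WHERE clause generally cannot.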