Aug 17, 2006 - version 1.6.2
  Applied all 1.6.1 patches
  Added Solaris support (alpha) (may require manual path corrections to CFLAGS in Makefile to compile)
  Added -a --arprarp-decode option to decode ARP and RARP requests and replies.
    This maps interesting ARP/RARP (0x0806/0x8035) fields to the following:
      hardware type   => s_port    - type of hardware address, value 1 for Ethernet
      protocol type   => d_port    - protocol type of address being mapped, value 0x0800 for IP addresses
      operation       => proto     - operation type, for ARP: 1 = request and 2 = reply, for RARP: 3 = request and 4 = reply
      hardware length => src_bytes - length of ethernet address, value 6 for Ethernet
      protocol length => dst_bytes - length of protocol address, value 4 for IP addresses
      sender address  => s_ip      - ARP: requesting or replying IP, RARP: empty for both request and reply operations
      target address  => d_ip      - ARP: target host, RARP: reply address, empty for request operations
  Added -HH --human-readable-header option to print field names to the initial row in stat and realtime output files
  Added --use-pcap-time option, which disables using alarm() to perform erase and flush actions; optional on Linux and BSD.
    However, calls to alarm() on Solaris cause program termination, so these are disabled in favor of enforcing
    use-pcap-time at compile time on Solaris.
  Replaced references to 80211 with 8021Q (i.e. --strip-8021Q)

Nov 1, 2004 - version 1.6.1
  Fixed compile problem with BSD (struct ether_addr in net/ethernet.h), introduced in version 1.6.0 with the addition of src_mac and dst_mac
    -reported by Bamm and Rich
  Fixed bug in sample init.d/sancpd startup script
    -reported on #snort-gui
  Increased counters from 32bit to 64bit values: src_pkts, dst_pkts, src_bytes, dst_bytes, total_bytes, collected, and climit

Sep 13, 2004 - version 1.6.0
  Fixed major bug with reading from a pcap file using the -r option, affecting how packets are decoded.
    symptom: munged tcp/ip header values in stats and realtime output when reading from a pcap file
  New default output fields added: src_mac and dst_mac; see columns 49 and 50
  Updated doc/fields.LIST

Sep 02, 2004 - version 1.5.7
  Disabled additional logging of realtimes to console; use -K to re-enable this 'feature.'
  Added forking -D (daemon) mode, which suppresses -K if enabled

May 26, 2004 - version 1.5.6
  Resolved permission error when using options -u and -g to change the effective UID and GID.
    error msg: "Unable to read from interface any (socket: Operation not permitted)"

May 06, 2004 - version 1.5.5
  Increased byte and packet counters to 64bit values, rather than 32bit.
    Database tables supporting these as 32bit values should be changed to support 64bit values.
    The statistical output fields affected by this change are: src_pkts dst_pkts src_bytes dst_bytes climit collected

May 05, 2004 - version 1.5.4
  Increased byte and packet counters to 32bit values, rather than 16bit
    "This change was crappy as all hell, but was necessary." -quote
  Fixed incorrect behaviour of -R command line switch

-- some version changes are missing --

Jan 01, 2004 - version 1.4.1
  Added ability to track last connection id assigned. Stored as a 64bit value in the .cnxid file
  Added -C (--last_cnxid) option to specify the last connection id assigned; must be greater than the value stored in the .cnxid file.

Dec 15, 2003 - version 1.4.0
  Expanded rules to handle ethernet protocol numbers; but only IP is parsed beyond the ethernet header
  Concept of a 'default' rule is more clearly expressed in the configuration file itself
  New rules format - we now require ethernet protocol to be specified
  New var support for rules and known_ports definition; vars can be used for: ethernet protocol, ip address, ip protocol, tcp/udp ports
  Added three new 'default' and rule options: rule id (rid), status number, and node id
    -support for rule management and connection profile tagging: use 'rid'
    -support for a connection classification system: use 'status'
    -support for multiple instance/multiple interface support: use 'node'
  Expanded rule delimiters to include space, tab, comma, and equal signs
  BPF filter can be specified in the configuration file
  Extensive work done on configuration dump output. It now prints in a re-usable format and displays all defaults, known_ports, vars, and rules.
  Fixed memory leak issues with vars.
  Fixed open file handle issues

Nov 30, 2003 - version 1.3.1
  re-combined conf and rules (rewrote code to handle both interchangeably)
  standardized the argument and rules parsers
  fixed problem with -F and -r options (when used together)
  fixed some fileHandle class problems regarding storing filenames

Nov 26, 2003 - version 1.3.0
  Split configuration and rules into two files: sancp.conf, sancp.rules
  Redesigned rules
  Changed many command line options, removed others
  Renamed output files (stats, pcap, realtime)
  Updated the documentation
  Made many code changes to support new configuration and rule options

Nov 17, 2003
  Specify one of seven special syslog facilities LOG_LOCAL1-7; the default facility is LOG_DAEMON. i.e. --log_facility "LOCAL1"
  Specify user and group for sancp to run under (setuid and setgid called after opening pcap handles)
  GMT supported (as default); use --local_time to force sancp to record timestamps using the local/system timezone.
  Grouped most global variables into a central structure.

Oct 21, 2003
  Added os_info fields for destination to connection log output
  Added -NO2 option which disables printing this additional information (for backwards compatibility)
  Fixed bad mss value

Oct 13, 2003
  Added 'lag' option
  Changed error messages to go to syslog
  Made a few corrections to documentation
  Updated Makefile
  Made a few changes to rule parsing routine
  Added quiet_mode
  Added daemon_mode
  Cleaned up pcapFileHandle.cc
  Cleaned up fileHandle.cc
  Added a few more global variables to gVars
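As an added illustration of the -a --arprarp-decode field mapping listed under version 1.6.2 (example code written for this changelog, not sancp's own decoder), the following Python parses a constructed ARP/RARP Ethernet frame into the sancp column names given there, including the RARP cases where s_ip and d_ip stay empty. The build_frame helper and the sample MAC/IP values are assumptions used only to produce test input.

```python
import ipaddress
import struct

# Ethertypes the sancp 1.6.2 -a/--arprarp-decode option handles.
ETH_P_ARP = 0x0806
ETH_P_RARP = 0x8035

def decode_arp_frame(frame: bytes) -> dict:
    """Map an ARP/RARP Ethernet frame onto the sancp field names from the 1.6.2 entry."""
    if len(frame) < 22:
        raise ValueError("frame too short for Ethernet + fixed ARP header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_P_ARP, ETH_P_RARP):
        raise ValueError(f"not ARP/RARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    # The address block follows the fixed header; its size is set by hlen/plen.
    body = frame[22:22 + 2 * (hlen + plen)]
    if len(body) != 2 * (hlen + plen):
        raise ValueError("truncated ARP address block")
    sender_proto = body[hlen:hlen + plen]
    target_proto = body[2 * hlen + plen:]

    def fmt(addr: bytes) -> str:
        # Dotted quad for IPv4 (plen 4); hex for any other protocol address size.
        return str(ipaddress.IPv4Address(addr)) if len(addr) == 4 else addr.hex()

    if ethertype == ETH_P_ARP:
        s_ip, d_ip = fmt(sender_proto), fmt(target_proto)
    else:
        # RARP: sender address is never recorded; target only carries an address in a reply (4).
        s_ip = ""
        d_ip = fmt(target_proto) if oper == 4 else ""
    return {
        "s_port": htype,      # hardware type (1 = Ethernet)
        "d_port": ptype,      # protocol type (0x0800 = IP)
        "proto": oper,        # ARP 1/2, RARP 3/4
        "src_bytes": hlen,    # hardware address length (6)
        "dst_bytes": plen,    # protocol address length (4)
        "s_ip": s_ip,
        "d_ip": d_ip,
    }

def build_frame(ethertype: int, oper: int, smac: bytes, sip: str, tmac: bytes, tip: str) -> bytes:
    """Constructed sample frame (assumed helper): broadcast dst, Ethernet/IPv4 address sizes."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, smac, ethertype)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    addrs = smac + ipaddress.IPv4Address(sip).packed + tmac + ipaddress.IPv4Address(tip).packed
    return eth + arp + addrs
```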