2003-12-09  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* NEWS: updated.
	* configure.in: bump version number.

2003-12-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (capture_get_device_address): 
	* src/pconfig.c (set_capture_from_device): 
	don't issue a warning if we can't retrieve the device's address.
	This might happen in case the interface is not bound to any
	addr (stealth). The warning here used to confuse the user.

2003-12-05  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/capture.c (setup_capture_from_device): 
	change the error message, that was sometimes misinterpreted by the user,
	to a message notifying the user the interface is configured in stealth
	mode.

2003-11-09  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* Makefile.am (EXTRA_DIST): add COPYING.OpenSSL.

2003-10-28  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/rules-default.c (signature_match_content): 
	fix detect_offset_end calculation. This could have an impact
	on some rules that use a different, absolute offset.

2003-10-22  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* NEWS: updated.
	* configure.in: bump version number to 0.8.5.
	
2003-10-21  Stephane Loeuillet  <stephane.loeuillet@tiscali.fr>

	* plugins/detects/snortrules/ruleset/prelude.rules:
	file deleted. this is a generated file and should have never been
	there in the first place.

2003-10-21  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/tcp-stream.c (split_segment_if_needed): 
	(is_segment_splited):  (store_last_packet): 
	(free_unsplited_chunk): implemented.

	(tcp_stream_reasm): fix long time happening assertion
	failure due to partly acked packet. Code cleanup.

2003-10-05  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* NEWS: 
	* configure.in: release 0.8.4.

	* libpcap.tar: libpcap.diff: Included patch from
	Laurent Cheylus <foxy@free.fr>, that fixes capture on
	DLT_RAW and DLT_LOOP devices. The problem was that
	OpenBSD doesn't use the same id for these devices.
	
	* libpcap.tar: libpcap.diff: Merge libpcap-0.7.2 in. And
	include pcap-dlpi.c modification for real.
	
2003-09-30  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* capture.c (capture_start):
	Fix for OpenBSD broken thread handling.

	* plugins/detects/snortrules/ruleset/Makefile.am (EXTRA_DIST): 
	add missing classification and reference.config.

	* src/tcp-stream.c (tcp_stream_get_state): 
	don't lock the timer mutex here. As we might be called
	from the reassembly stack itself, that might already own
	the lock.

2003-09-28  Nicolas Delon  <delon.nicolas@wanadoo.fr>
	
	* src/Makefile.am:
	make prelude-nids compile with BSD make

2003-09-24  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* NEWS: updated.
	* configure.in: bump version number to 0.8.3.
	
	* plugins/detects/snortrules/ruleset/Makefile.am (preluderuleset_DATA): 
	added missing Snort 2.0.x ruleset files.

2003-09-21  Yoann Vandoorselaere  <yoann@prelude-ids.org>
	
	* configure.in: bump version number to 0.8.2.
	remove profiling option. Require libprelude 0.8.6.

	* NEWS: updated.

2003-09-21  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/detects/snortrules/rules-scanner.l:
	handle backslash-escaped characters in values correctly. 

	* src/rules-default.c (signature_content_rule):
	fixed a possible buffer overflow. 

2003-09-21  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/include/Makefile.am (noinst_HEADERS): 
	* src/Makefile.am (prelude_nids_SOURCES): 
	string-matching.[ch] are now part of prelude-nids.

	Fix my mail address everywhere.

	* plugins/detects/snortrules/snort-rules.c (resolve_variable): 
	fix a bug where replace_str() frees the original string and
	allocates a new one, but we were still holding a reference to
	the old one.
	
	* plugins/detects/snortrules/ruleset/prelude.rules.in:
	autogenerated.
	
	* plugins/detects/snortrules/ruleset: update to latest 
	snort ruleset.
	
	* src/rules-default.c (signature_get_content_rule): 
	when ending the hexa part of a content word, set 
	back to the "normal" state, not the "literal" state.
	
2003-08-09  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* src/capture.c:
	(freebsd_poll_workaround): implemented correctly

2003-07-17  Sylvain GIL <prelude-code@toootella.org>
 
	* configure.in: removed CFLAGS resetting (fixed #91)

2003-06-12  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* plugins/detects/snortrules/snort-keys.c: 
	arrange test priority so that we use almost
	two times less memory when tcp-reassembly tests
	are activated.

	* src/nids-alert.c (NIDS_CLASS): fix IDS class.

2003-06-09  Stephane Loeuillet  <stephane.loeuillet@tiscali.fr>

	* /plugins/detects/snortrules/snort-rules.c :
	fix small typo

2003-06-09  Yoann Vandoorselaere  <yoann@prelude-ids.org>
	
	* plugins/detects/snortrules/snort-keys.c (match_tcp_flow): 
	sanity check on the packet before calling tcp_stream_get_state().
	This might prevent bad things from happening.

	(init_key_parser): hook byte_test and byte_jump test to the parser.

	(parse_byte_test): 
	(parse_byte_jump): make them a leaf test. So that it's run in 
	the specified rules order (after content, eventually).

2003-06-06  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/rules-default.c (signature_match_content): 
	ooops ! detect_offset_end is always absolute.

	* src/tcp-stream.c: suppressed reassembly_min_length. 
	We do not want this to be static...

	(tcp_stream_init_config): Randomly initialize flush_point_index.

	(tcp_stream_init_config): set high priority on the --tcp-reasm
	option:	we want it to be loaded before the signature engine, so
	that the signature engine knows whether to enable the flow testing key.

	(status_got_ack): use get_random_flush_point() instead of
	reassembly_min_length.

	(get_random_flush_point): use the Snort stream4 table in
	order to allocate a random flush point. 

	These changes should make it harder for an attacker to know
	where to cut its payload in order to not be detected. Also,
	this makes tcp-stream use much less memory.
	
2003-06-05  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/rules-default.c (signature_match_content): 
	reset detect_offset_end to 0 if a pattern fails.

	Always take care of detect_offset_end (even if distance
	and within are not used), so that we match a little faster.

	(signature_engine_get_last_matched_offset): new function,
	used for byte_test / byte_jump test.
	
	* plugins/detects/snortrules/snort-keys.c (parse_reference): 
	Fix it so that it now assumes the list is in correct order.

	(parse_tcp_flags): set the right variable when we set a TCP 
	flags mask.

	(rule_intersection_byte_test): 
	(rule_match_byte_test): 
	(rule_equal_byte_test): 
	(rule_delete_byte_test): 
	(rule_copy_byte_test): 
	(get_byte_operator): 
	(get_byte_key): 
	(parse_byte_test): 
	(byte_compare): 
	(match_byte_generic): 
	(match_byte_test): 
	(match_byte_jump): 
	(init_key_parser):

	Implemented. This adds "byte_test" and "byte_jump" test capability to
	the snortrules plugin. The parser for these tests isn't activated yet
	because the cause is not yet finished even though "byte_test" itself
	is functional.

	* plugins/detects/snortrules/rules-grammar.y: 
	Invert rules_and() argument. This was causing some leaf tests
	(namely content tests) to be inverted, which can now make a
	rule fail as we keep advancing the payload, and don't start at 0
	again.

	Also, invert signature_parser_link_parameters() arguments, so that
	the parameters linked list is in the right order, and we don't have
	to mess when argument order matters.
	
	* plugins/detects/snortrules/snort-keys.c (init_key_parser): 
	forgot to enable within and distance parsing in my last commit.

2003-06-03  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/rules.c (signature_engine_process_packet): 
	call signature_engine_start_new_match().
	
	(signature_engine_process_packet): fit renamed
	report_only_one member.

	* src/rules-default.c (signature_match_content): 
	handle distance and within signature attribute 
	(requires an updated libprelude for BoyerMoore function
	API change).
	
	(signature_engine_start_new_match): set detect_offset_end
	to 0.

	(signature_get_content_rule): use calloc() instead of
	malloc, so that we don't have to initialize each field
	one by one.

	(signature_parse_distance):
	(signature_parse_within): implemented.
	
	These changes allow us to handle the "distance" and "within" signature
	attributes, for snort 2.0.x compatibility.
	
	* src/pconfig.c (get_report_all): impl. 
	Return current state for report-all option.

	(get_statefull_only): impl.

	(set_report_all): set to 1 if 0, and to 0 if 1. 
	
	(pconfig_set): hook get_report_all() and get_statefull_only. 
	
2003-06-02  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/tcp-stream.c (tcp_stream_get_state): 
	renamed from tcp_stream_is_known(). Take a packet_container_t
	as argument, instead of ip and tcp headers.

	(tcp_stream_get_state): return STREAM_STATELESS instead
	of -1 if stream is unknown.

	* src/include/tcp-stream.h (STREAM_PACKET_REASSEMBLED): 
	add STREAM_PACKET_REASSEMBLED, STREAM_PACKET_NOT_REASSEMBLED
	and STREAM_STATELESS state.

	* plugins/detects/snortrules/snort-keys.c (PRIORITY_TCP_FLOW): 
	TCP flow is priority 10.

	(match_tcp_flow): 
	(init_key_parser): 
	(parse_tcp_flow): Use a flags_t datatype instead of an integer 
	to describe a flow (allows setting multiple flows).

	(get_flow_num): use strcasecmp() instead of strcmp(). Some Snort
	rulesets provide broken rules with flow information in uppercase.
	Handle stateless, only_stream and no_stream flow information.

	(get_flow_num): implement "stateless" flow: just do not try to 
	match the stream state.

	(get_flow_num): implement "only_stream" flow: only match reassembled
	packet.

	(get_flow_num): implement "no_stream" flow: only match packet not
	reassembled.
	
2003-05-21  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/tcp-stream.c (update_stream_data): 
	removed a redundant test. Also, don't handle possible
	overlap here, and let insert_stream_chunk do it instead
	(this should fix a possible duplicate in the reassembly
	list).

	(update_stream_data): if this sequence was already ACKED, 
	don't ignore the packet. It might contain a valid acknowledgment.

	(tcp_stream_reasm): correct assertion.

2003-05-21  Stephane Loeuillet  <stephane.loeuillet@tiscali.fr>

	* plugins/detects/snortrules/snort-rules.c :

	(parse_signature): avoid NULL pointer dereference when an
	incomplete rule is parsed

	 (try "alert tcp any any <> any any" without this change)

	This should fix bug 0080 reported by John Green

	* plugins/detects/snortrules/Makefile.am :

	replace YFLAGS and LFLAGS by AM_YFLAGS and AM_LFLAGS to avoid
	 ./autogen.sh (automake) writing a warning.

2003-05-19  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/capture.c (setup_capture_from_device): 
	set to_ms to PCAP_READ_TIMEOUT.
	
	(do_capture_from_single_devices): cnt is -1.

	(pcap_dump_stat_from_device): no need to set ps_recv
	to 0. If pcap_stats() return an error (device is a file),
	then print our own packet counter result, and return.
	
	* plugins/detects/snortrules/snort-keys.c:
	include ctype.h.
	 
	(init_key_parser): fragbits and flags key now
	accept multiple arguments (mask).

	(create_any_flags_rules):
	(create_not_flags_rules):
	(create_all_flags_rules):
	(create_exact_flags_rules):
	(parse_flags_mode): implemented.

	(do_parse_tcp_flags):
	(parse_ip_flags): only do parsing.
        
	(parse_tcp_flags):
	(parse_fragbits): cleanup. Separate in separate
	functions. Share the flags handling code. Use all
	the implemented functions above.

2003-05-19  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/tcp-stream.c (free_chunk): 
	only free the chunk here.
	
	(search_previous_stream_chunk): use list_for_each_safe().

	(tcp_stream_reasm): fix only known TCP stream reassembly
	crash, when we didn't get the awaited offset. Simplify this
	function a lot. 

	Directly increment the buf pointer, instead of using a separate
	index to address it.

	Remove dead code.

2003-05-11  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/capture.c: remove erroneous commit,
	including stropts.h.

	* plugins/detects/arpspoof/arpspoof.c 
	(get_watch): impl.
	(set_watch): free the old watch_list if any.

	* src/capture.c (setup_capture_from_device):
	pcap_read() will always return on BSD when setting
	to_ms to 0 or -1. Setting it to 500 ms. This should
	be good for performance as well.

2003-05-06  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/capture.c (pcap_dump_stat_from_device): 
	show the percentage of drop. Include the buggy percentage
	computed by Snort for comparison.

	* src/optparse.c: reentrancy fix.

	* src/tcp-stream.c (host_del): 
	renamed from host_free(). Unlink the stream, but do not
	free it here.
	
	(update_stream_status): 
	(tcp_stream_is_known): call timer_lock_critical_region() /
	timer_unlock_critical_region() to avoid a race with timer
	code execution context.

	(tcp_stream_expire_cb): remove invalid call to timer_reset(),
	resulting in an invalid pointer dereference.

	(tcp_stream_kill_one_side): free the stream().

	(tcp_stream_expire): call timer_destroy() after host_del().
	host_del() moved at the top of the function, to avoid timer
	lock contention. free() the stream. Remove an invalid pointer
	dereference by the way.

	* src/ip-fragment.c (ipq_kill): move timer_destroy()
	call after hostdb_del call, so that the timer mutex
	also protects the host table.

	(ip_defrag): call timer_lock_critical_region() / 
	timer_unlock_critical_region().

	* configure.in: remove un-needed check for aligned
	access, as this test is already done by libprelude, and
	exported in libprelude-config CFLAGS.

	Correct the use of AC_DEFINE_UNQUOTED().

	* plugins/detects/scandetect/scandetect.c (generic_packet): 
	use timer_lock_critical_region / timer_unlock_critical_region.
	
	(expire_cnx): move host_del and timer_destroy call at the top
	of the function, so that we get less thread contention.

2003-04-29  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* libpcap.tar: updated tarball, with the newer 
	libpcap.diff patch.

	* libpcap.diff: updated PCAP patch. Include zero copy
	patch for pcap-dlpi.c, so that prelude-nids works on
	Solaris 8.

	* src/rules.c (signature_engine_process_packet): 
	add a return at the end of the function to avoid GCC
	warning for an unused goto statement, which is in fact
	used in case -DDEBUG is enabled.

	* src/capture.c (freebsd_poll_workaround): 
	new function. Called from setup_capture_from_device().
	Avoid a warning.

	* src/capture.c: include stropts.h, fix a compilation
	error under Solaris 8.

2002-11-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* COPYING.OpenSSL: 
	* README: Permit linking with OpenSSL so that Debian 
	package might be distributed.

2002-10-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* libpcap.tar: directly include a patched version of
	libpcap tarball, so that we don't rely on the patch
	program.
	
	* src/Makefile.am: included patch from 
	Yann Droneaud <meuh@tuxfamily.org>, improving the 
	libpcap handling.

2002-09-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (setup_capture_from_device): 
	only turn BIOCIMMEDIATE on if we are running on FreeBSD.
	This fixes a Solaris compilation problem.

2002-08-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: bump version number to 0.8.1.

	* src/capture.c (setup_capture_from_device): 
	* src/pconfig.c (set_capture_from_device): 
	don't abort if capture_get_device_address returns an error,
	it is possible that this device has no address.

	* plugins/detects/snortrules/snort-keys.c (parse_ip_type): 
	(parse_ip_src): 
	(parse_ip_dst): 
	(parse_portsrc): 
	(parse_portdst): don't take a set of parameters as argument,
	so that negation on a set works again. Else the lower layer
	of the parser won't see it's a set.

	* plugins/detects/snortrules/rules-grammar.y: 
	fix from Guillaume Pelat <endymion@linux-secure.com>,
	making set ([x,y]) work again when it is at the end of
	the list.

2002-07-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: update version number to 0.8.0. 

2002-07-27  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* docs/man/prelude-nids.8: corrected short option name for --report-all

2002-07-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/pconfig.c (set_capture_from_file): dup inputfile
	(set_capture_to_file): dup outputfile.
	(set_bpf_rule): dup bpf.
	(set_pidfile): dup pidfile

	* plugins/protocols/http/unicode-to-ascii.c (unicode_set_table_file): 
	strdup cp_file.
	(unicode_load_table): free cp_file.

2002-07-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (pcap_dump_stat_from_device): 
	return dev->packet_counter for calculation of the
	global packet number. ps_recv doesn't work for all kinds
	of devices, and contains ps_drop.

2002-07-18  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* src/nids-alert.c: include <pthread.h>. Needed for FreeBSD. 

2002-07-17  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-keys.c 
	(init_key_parser): handle fragoffset.
	
	(parse_fragoffset): parse fragoffset.

	* src/rules-default.c (signature_match_fragoffset): 
	new function, match frag offset.

2002-07-07  Yoann Vandoorselaere  <yoann@prelude-ids.org>

	* src/nids-alert.c (nids_alert): 
	protect access to the msgbuf using a mutex, this fixes
	a possible crash when an alert was emitted asynchronously
	from a timer.

2002-07-04  Yoann Vandoorselaere  <yoann@mandrakesoft.com>
	
	* src/rules.c (ri_add_run_fun): 
	check if leaf_match is equal to the added leaf match 
	before sharing a leaf. This fixes a bug where OR'ed content
	would be matched together (as AND'ed). IE: this makes
	content-list work.

2002-07-04  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/rules-operations.c (copy_leaf): new function,
	return a copy of the leaf tests.

	(copy_rule): call copy_leaf(), this avoids problems
	when using rules_and() on 2 rules with different leafs.

	The cause of this bug, and the way to fix it were found by 
	Philippe Biondi <biondi@cartel-securite.fr>.

2002-07-03  Philippe Biondi  <biondi@cartel-securite.fr>

	* plugins/detects/snortrules/rules-grammar.y:
	fixed the "<-" rule decoding

2002-07-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/rules.c (signature_engine_process_packet): 
	move the "packet processed" debugging printf() after run
	functions are called, to ease debugging.

	* plugins/detects/snortrules/snort-keys.c (parse_portsrc): 
	(parse_portdst): handle port list.
	(parse_ip_type): handle ip address list.
	(parse_content_list): handle content-list.
	(init_key_parser): ipsrc, ipdst, portsrc, portdst can now
	take several arguments.

2002-07-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (capture_stats): 
	if capend is not set, do it. Fix a bug when not
	capturing from a file, with the time being reported
	incorrectly.
	
	(dump_system_stats): compute the resource usage,
	removing resource usage before capture. This avoids
	accounting for the signature engine compilation.

	(capture_start): get rusage before capture.
	(capture_start): set capend to 0.

2002-06-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/rules-default.c (signature_match_content): 
	compute offset to calculate depth.

2002-06-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* fit latest prelude-getopt API change.

	* src/rules-default.c (signature_get_content_rule): 
	simplify parsing code, also always escape \ character.

2002-06-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (tcp_stream_is_known): 
	return a bits vector containing information about the
	source of the packet (client or server) + if the stream
	is established or not.

	* plugins/detects/snortrules/snort-keys.c (parse_tcp_flow): 
	flow test can take several arguments.
	(get_flow_num): get the specified flow.
	(match_tcp_flow): match the tcp flow, always return 0 if 
	tcp_stream is disabled.

	* plugins/detects/snortrules/snort-rules.c (parse_signature_file): 
	use prelude_read_multiline().

	* plugins/protocols/telnet/telnet.c (decode_packet): 
	don't assert() in case skip is bigger than data len. This
	can happen if the payload is cut into several segments, and
	the current segment stops before the end of an option.

	(decode_telnet): handle case where IAC character is escaped.

2002-06-14  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (handle_overlap): 
	move some of the log() to dprint().

	* Makefile.am (install-data-local): 
	use $(DESTDIR) as the top prefix for installing stuff.

2002-06-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (twh_got_client_syn): 
	set OPTION_CLIENT_SACK_PERMITTED if packet->tcp_sack is TRUE.

	(twh_got_server_syn_ack): 
	set OPTION_SERVER_SACK_PERMITTED if packet->tcp_sack is TRUE.

	(get_last_data_offset): 
	new function, return the highest offset + len of the stream queue.

	(status_got_ack): if this is a ACK retransmission, and that SACK
	was enabled for the connection, and that the packet doesn't contain
	the SACK option, drop the packet.
	
	* src/optparse.c (remember_needed_option): 
	set tcp_sack field to TRUE in case the SACK or the
	SACK permitted option are present.

	* src/tcp-stream.c (status_got_ack): 
	don't emit warning in case of ACK retransmission.

2002-06-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in (CFLAGS): 
	only enable gtkdoc if requested.

2002-06-07  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-rules.c (plugin_init): 
	--snortrules is hooked to config.

2002-06-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/nids-alert.c (nids_alert_init_subsystem): 
	use prelude_analyzer_fill_infos().

2002-06-04  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (is_old_retransmission): 
	improve checking. use dprint.
	
	(update_state_generic): put TCP window check here.

	(status_got_rst): 
	(status_got_fin): 
	(update_stream_data): remove TCP window check.
	
	(update_stream_data): fix assertion.

2002-06-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/protocols/http/http.c (iss_sequence_to_unicode): 
	when we successfully decode an ISS sequence, don't forget
	to replace the encoded sequence by the decoded character.

2002-05-31  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/nids-alert.c (send_heartbeat): 
	new function, send a heartbeat.
	
	(nids_alert_init_subsystem): support for sending heartbeat.

	* src/prelude.c (main): 
	init nids_alert after initializing libprelude (as nids-alert
	now uses libprelude related functions at initialization, we
	have to init libprelude first).

	* plugins/protocols/http/http.c (decode_http_packet): 
	avoid FALSE positive when lots of non contiguous spaces are
	in the packet. Now count spaces before, and after method.

	(decode_http_packet): disable empty URI detection, cause we
	might be getting a portion of the data sent to port 80 (which 
	might be after the URL, like client settings).

	This tends to generate a lot of false positives. The known fix
	is to enable tcp stream reassembly, but still, it doesn't mean
	you won't get the alert.

2002-05-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/nids-alert.c (nids_alert): 
	remove debugging printf().
	
	(nids_alert_init_subsystem): initialize the
	analyzer structure here, and use idmef_analyzer_send() later.

	(nids_alert_new): send detect time too.

	(nids_alert_new): no need to htonl() the
	time...

	* plugins/protocols/http/http.c: 
	stop looking at CGI null and directory traversal,
	this has to be done through signatures.

	(plugin_init): lots of new options, setup the is_whitespace table.

	(decode_http_packet): alert on empty URL.

	(decode_http_packet): 
	if end_on_url_param is set, stop processing the URI
	as soon as we find a parameter.

	(decode_http_packet): 
	if the number of whitespace characters before the URL begins is
	too large, emit an alert.
	
	(decode_http_packet): 
	don't set first_space_found until we found some
	data (method).

	(decode_http_packet): change '\' to '/' if 
	iis_flip_backslash is set.

	(decode_http_packet): use the is_whitespace table
	to know if current character is a space.

	(process_escaped_data): only warn on escaped '%'
	if check_double_encode is set. Only call 
	read_http_encapsulated_utf8_sequence() if 
	is_utf8_sequence returns 0.

	(is_utf8_sequence): new function, check that
	the sequence byte is >= 0xc0 and <= 0xfd. 

	(read_http_encapsulated_utf8_sequence): remove
	old check... check_cgi_null and directory_traversal
	are now done with signature. Also, there is no
	need to warn for a UTF-8 sequence that hides an ASCII
	character (covered by the overlong alert).

	(http_sequence_to_unicode): emit an alert in case
	the UTF-8 sequence is overlong.

	(utf8_data_remove_header): 
	Take a pointer to an int as argument, that is used
	to tell whether the UTF-8 sequence is overlong or not.

	Also, check that the first byte are >= 0x80, and 
	<= 0xbf, as specified by the UTF-8 specs (this
	is better than our previous check).

	(log_invalid_utf8): 
	(log_unknown): change impact severity to low.

	* src/Makefile.am (libpcap/pcap.h libpcap/libpcap.a): 
	Patch from Yann Droneaud <ydroneaud@meuh.eu.org> to 
	have better libpcap dependencies.

	* src/tcp-stream.c (update_stream_data): 
	check if there is data in the packet before trying
	to access these data. Fix a possible invalid pointer
	dereference.

	* plugins/detects/snortrules/snort-keys.c (parse_sid): 
	(parse_revision): 
	
	integer additional data are uint32... Also use htonl()
	to move the data to network byte order. Use the new
	idmef_additional_data_set_data function().
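
The overlong and continuation-byte checks described in the 2002-05-30 http.c entry above, shown as an added example: this code is not part of the original ChangeLog or of prelude-nids, and every function and type name in it is constructed for illustration. It uses the legacy 6-byte UTF-8 layout because the entry accepts lead bytes up to 0xfd, and the sample URIs are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names below are constructed for this example; none come from prelude-nids. */
enum utf8_status {
	UTF8_OK = 0,         /* well-formed, shortest-form sequence */
	UTF8_OVERLONG = 1,   /* decodes, but uses more bytes than the value needs */
	UTF8_INVALID = -1,   /* bad lead byte, or continuation byte outside 0x80..0xbf */
	UTF8_TRUNCATED = -2  /* input ends before the sequence is complete */
};

struct utf8_findings {
	int overlong;           /* overlong sequences seen */
	int invalid;            /* malformed or truncated sequences seen */
	uint32_t first_hidden;  /* code point carried by the first overlong sequence */
};

/* Smallest code point that legitimately needs an n-byte sequence (index = n). */
static const uint32_t utf8_min_cp[7] = { 0, 0, 0x80, 0x800, 0x10000, 0x200000, 0x4000000 };

/* Value of one hex digit; the caller has already checked it with isxdigit(). */
static int hexval(unsigned char c)
{
	return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Undo %XX escapes; a '%' not followed by two hex digits is copied as-is. */
size_t percent_decode(const char *in, unsigned char *out, size_t outsz)
{
	const unsigned char *p = (const unsigned char *) in;
	size_t n = 0;
	while (*p && n < outsz) {
		if (p[0] == '%' && isxdigit(p[1]) && isxdigit(p[2])) {
			out[n++] = (unsigned char) ((hexval(p[1]) << 4) | hexval(p[2]));
			p += 3;
		} else
			out[n++] = *p++;
	}
	return n;
}

/* Decode one multi-byte sequence at buf and classify it. */
enum utf8_status utf8_decode_checked(const unsigned char *buf, size_t len,
                                     uint32_t *cp, size_t *used)
{
	size_t n, i;
	uint32_t value;
	if (len == 0)
		return UTF8_TRUNCATED;
	if (buf[0] < 0xc0 || buf[0] > 0xfd)  /* lead byte range quoted in the entry */
		return UTF8_INVALID;
	n = buf[0] < 0xe0 ? 2 : buf[0] < 0xf0 ? 3 : buf[0] < 0xf8 ? 4 : buf[0] < 0xfc ? 5 : 6;
	if (len < n)
		return UTF8_TRUNCATED;
	value = buf[0] & (0xffu >> (n + 1));  /* strip the length prefix bits */
	for (i = 1; i < n; i++) {
		if (buf[i] < 0x80 || buf[i] > 0xbf)  /* continuation bytes are 10xxxxxx */
			return UTF8_INVALID;
		value = (value << 6) | (buf[i] & 0x3f);
	}
	*cp = value;
	*used = n;
	return value < utf8_min_cp[n] ? UTF8_OVERLONG : UTF8_OK;
}

/* Percent-decode a URI, then walk it and count overlong and malformed sequences. */
struct utf8_findings scan_uri(const char *uri)
{
	unsigned char buf[1024];
	struct utf8_findings f = { 0, 0, 0 };
	size_t len = percent_decode(uri, buf, sizeof(buf)), i = 0;
	while (i < len) {
		enum utf8_status st = UTF8_OK;
		size_t used = 1;  /* ASCII and malformed bytes advance by one */
		uint32_t cp = 0;
		if (buf[i] >= 0x80)
			st = utf8_decode_checked(buf + i, len - i, &cp, &used);
		if (st == UTF8_OVERLONG && f.overlong++ == 0)
			f.first_hidden = cp;
		if (st < 0)
			f.invalid++;
		i += used;
	}
	return f;
}

int main(void)
{
	/* Constructed sample URIs: overlong '/', a legitimate e-acute, a bad continuation. */
	const char *samples[] = { "/a%c0%afb", "/caf%c3%a9", "/x%c3%28" };
	for (size_t i = 0; i < 3; i++) {
		struct utf8_findings f = scan_uri(samples[i]);
		printf("%-12s overlong=%d invalid=%d hidden=U+%04X\n", samples[i],
		       f.overlong, f.invalid, (unsigned) f.first_hidden);
	}
	return 0;
}
```

Comparing the decoded value against the minimum for its length is what separates an overlong encoding of an ASCII byte from a legitimate multi-byte character, so a signature written against the plain byte still has something to alert on.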

2002-05-29  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/nids-alert.c (nids_alert): 
	use idmef_send_additional_data_list() to send the list of data
	the caller may have provided.

	(nids_alert_init): init the list of the alert.

	* plugins/detects/snortrules/snort-rules.c (signature_matched_cb): 
	if there is a rule revision / sid, associate it with the alert.

	* plugins/detects/snortrules/snort-keys.c (parse_sid): 
	(parse_revision): new function. Create an additional data
	structure for each ID / rev.

2002-05-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (update_stream_status): 
	ooops fix grave bug I introduced in my last checkin.
	Compare against direction, not ret.

2002-05-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c:
	Now handle overlapping TCP segments and TCP PAWS.
	
	(status_got_ack): backup offset_acked before modifying it,
	so we won't get false evasive FIN detection.
	
	(update_state_generic): use is_old_retransmission(),
	update PAWS.

	(update_stream_data): adjust data offset if needed.

	(is_old_retransmission): 
	check if a retransmission is too old, and we should not process it.
	
	(handle_overlap): handle segment overlap.

	(search_previous_stream_chunk): use handle_overlap().

	(is_retransmission_time_okay): new function, test if
	retransmission time is suspicious. Commented out for now.

	
2002-05-24  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/include/hostdb.h: 
	remove unused member.

	* src/hostdb.c: 
	made it faster for big endian architecture, by avoiding
	using extract_ipv4_address(). Also, no need to associate
	a packet with an hostdb entry anymore. Cleanup.

	* src/prelude.c: include timer.h

	(main): call timer_flush() on normal exit, this allows
	getting alerts depending on timers, when reading packets
	from a capture file.

2002-05-22  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/ruleset/convert_ruleset: 
	minor update... It won't work though.

	* plugins/detects/snortrules/ruleset/reference.config: 
	new file.

	* plugins/detects/snortrules/ruleset/prelude.rules: 
	* plugins/detects/snortrules/ruleset/Makefile.am (preluderuleset_DATA): 
	include reference.config

	* plugins/detects/snortrules/snort-rules.c (parse_reference): 
	new function, gather the reference argument, and call add_reference(),
	to store the newly parsed reference.

	(parse_config): handle reference parameter.

	* plugins/detects/snortrules/snort-keys.c: 
	new structure holding reference parsed from config file.

	(add_reference): new function, add a reference to the
	reference list. If reference name is bugtraq, cve, or
	vendor-specific, then associate it with the wanted
	idmef_classification_origin_t field.

	(parse_reference): search for the wanted reference in
	our list of reference. Preprocess URL.

2002-05-20  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/pconfig.c (pconfig_set): 
	new option, to disable promiscuous mode globally,
	or per interface.
	
	(set_promiscuous_mode_off): impl.
	
	* src/capture.c (capture_from_device): 
	(setup_capture_from_device): 
	take a promisc argument.

2002-05-19  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (get_stream_direction): 
	Use the IP address as well as the source port, 
	to guess stream direction. This fix problem when two
	hosts are talking together using the same port.

	(set_reasm_expire_time): 
	(tcp_stream_init_config): new option, permit to tell how much 
	time an inactive session is kept (default is 120 seconds)

	(status_got_rst): if state is SYN-SENT, check if ACK acknowledges
	initial sequence. Else, only try to verify if the window is respected
	if we got an ACK (we might not if we are only seeing one end of the
	connection).

	(search): 
	(host_key): 
	(tcp_stream_new): 

	Don't use extract_ipv4_addr(), which uses memmove() (which is slow).
	Use align_uint32 which'll provide a big speedup on big endian
	architecture.
	
2002-05-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (pcap_dump_stat_from_device): 
	if pcap_stats() fails, use our own packet_counter to dump
	statistics.
	
	(capture_stats): dump the time it took to process all the packets.
	(capture_start): record time when starting/stopping packet capture.

	* plugins/detects/scandetect/scandetect.c (do_report_if_needed): 
	instead of using gettimeofday() to compute the time a scan took,
	use the pcap timestamp. Avoid calculating wrong time when reading
	packets from a savefile.

	(modify_cnx): always keep track of the last packet received,
	so that we can use the pcap timestamp to deduce the scanning time.

	* libpcap.diff: 
	fix a bug when reading from a savefile... Allocate a new
	buffer for each packet, instead of reusing the old one, 
	this could lead to wrong information being reported in alerts
	that kept trace of an old packet.

	* src/rules-default.c (signature_match_datasize): 
	fix a bug when matching dsize... If there is no data
	in the packet (application_layer_depth is -1), compare
	the segment against len of 0.

2002-05-17  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/shellcode/shellcode.c 
	(plugin_init): 
	(set_port_list): 
	(shellcode_run): add a port list option...

	* src/tcp-stream.c:

	(update_stream_status): 
	explain why we return -1 on valid SYN...
	(return -1 so that the caller knows it has to
	 analyze the packet (SYN won't be part of the reassembled packet)).
	
	(update_state_generic): 
	preserve the status_got_* return value.

	(update_server_state): 
	(update_client_state): 
	(status_got_ack): 
	(status_got_rst): 
	(status_got_fin): 
	(twh_got_server_syn_ack): 
	(update_stream_data): 
	return tcp_stream_unknown on faked packet.

	(set_reasm_port_list): create the port list.
	(tcp_stream_init_config): add a port list option.

	(tcp_stream_store): 
	If we have a list of ports to reassemble,
	check that the packet is going to this port.
	
	* src/tcp-stream.c (tcp_stream_init_config): 
	--tcp-stream is a parent option.

	(update_stream_data): don't queue the data if 
	tcp_stream_reasm_from variable doesn't match direction.

	New --client-only option, tell to reasm data from client only.
	New --server-only option, tell to reasm data from server only.
	New --both option, tell to reasm in both direction.
	New --min-length option, set the minimum length before reasm.

	set the default for reassembly_min_length to 8192.
	set the default for reassembly direction to client-only.
	
	* src/pconfig.c (pconfig_set): 
	remove TCP reasm option from here, they are now registered from
	tcp_stream_init_config().

	* prelude-nids.conf.in: added commented configuration
	for TCP stream reassembly.

2002-05-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (update_stream_status): 
	return tcp_stream_start if we created a new session.
	return tcp_stream_unknown if the packet isn't associated
	with any existing / created session.

	* src/packet-decode.c (capture_tcp): 
	if tcp_stream_store says that the packet is not part of a 
	stream and that the user specified the -z option, ignore
	the packet.

	* src/pconfig.c (pconfig_set): new -z option,
	telling prelude-nids to ignore TCP packet not associated with
	a stream.

2002-05-16  Baptiste Malguy <baptiste@malguy.net>

	* src/*-plugins.c (*_plugins_init):
	don't return an error if the plugin directory doesn't exist.
	But do so in case of permission problem.
	
2002-05-15 Vincent Glaume <glaume@enseirb.fr>

	* src/tcp-stream.c (status_got_ack):
	drop old acknowledgments.

2002-05-15  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-rules.c (resolve_variable): 
	use isalnum... This fixes a problem when using variables that contain
	decimal characters. Thanks to Baptiste Malguy <baptiste@malguy.net>
	for pointing this out.
	
	* plugins/detects/arpspoof/arpspoof.c (check_cache_overwrite): 
	fix an alignment problem, use align_uint32() to align arp_spa.

	(plugin_init): --arpwatch requires an argument.

2002-05-06  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* src/capture.c: reverse previous commit regarding BIOCIMMEDIATE,
	it was causing problems on FreeBSD. The workaround is back to
	its original shape. 

2002-05-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/protocols/http/Makefile.am: 
	* src/Makefile.am: 
	* configure.in: 
	patch from Yann Droneaud <meuh@sherkan.tuxfamily.net>,
	make distcheck work again - and cleanly.

	It happens that polling() on the device FD costs a lot
	of CPU time. Something around 40% - 50% CPU. We don't know
	of any possible fix for now, except to avoid using poll() 
	when looking at only one device.

	* src/capture.c:
	(setup_capture_from_device): 
	(setup_fd_set): 
	only set BIOCIMMEDIATE when setting up the pollfd array
	for capturing on multiple devices.

	(setup_global_bpf_cb): 
	(capture_start): avoid creating an invalid BPF if
	there is no active client at the moment.

	(do_capture_from_single_devices): new function,
	use pcap_loop.

	(capture_start): use do_capture_from_single_devices()
	in case there is only one interface active.

2002-05-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/nids-alert.c (NIDS_MODEL): change analyzer 
	model from Prelude to Prelude NIDS.

2002-05-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c 
	(twh_got_client_syn): 
	(twh_got_server_syn_ack):
	ISN is set to SEQ + 1.

	(insert_stream_chunk): check for overlap before
	allocating a new chunk.

	(update_client_state): don't store data unless
	we got an initial SYN.

	(status_got_rst): fix evasive RST detection.

	(inject_packet): don't use inject_packet_slow_path()
	for now, it might leak memory.

	(update_client_state): 
	(update_server_state): correct check for SYN in
	middle of connection.

2002-05-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (update_stream_status): 
	remove un-needed code. Don't reset the timer here.

	(update_client_state): call update_state_generic().
	(update_server_state): call update_state_generic().

	(update_state_generic): new function, share more code.
	Only reset the TCP stream timer after we know the packet
	is valid.
	
	(tcp_stream_kill_one_side): make sure we don't leak memory
	by calling free_simplex_stream(dst); again.

2002-04-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* libpcap.diff: fix a memory leak on FreeBSD. 
	Also use a context diff to avoid warning.

2002-04-29  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* libpcap.tar: 
	* libpcap.diff:
	update for PCAP 0.7.1.

	* src/packet-decode.c (capture_sll): new function,
	capture from linux cooked devices.
	
	(capture_null): remove un-needed stuff.

	(capture_ip): check ip version before calling 
	packet_add_header().

	* src/tcp-stream.c (status_got_ack): 
	don't reset ISN and offset_acked if tcp_stream_reasm()
	returned 0. (fix possible leak).

2002-04-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (insert_stream_chunk): fix a leak 
	on overlapping fragments.

2002-04-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-rules.c (parse_include): 
	don't append rulesetdir to the filename if the filename
	is absolute.
	(set_ruleset): avoid un-needed strdup().

2002-04-25  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (capture_setup_generic): 
	don't forget the BPF. This was causing argument given BPF
	to never be used, because setup_global_bpf() was overwriting
	them.
	
	(setup_bpf): 
	set dev->fcode to NULL, so that we don't try to free it again
	on next call (triggered by setup_global_bpf). Fix a double free
	on platform that doesn't support BPF, or on invalid BPF. 

	Also commented why we return 0 on pcap_compile() error.
	
	* src/packet-decode.c (capture_ip): 
	don't try to compute checksum for reassembled datagram.
	
	(capture_tcp_options): 
	(capture_ip_options): 
	(capture_tcp): 
	(capture_ip): only try to reassemble IP fragment / TCP segment
	if the option buffer is not corrupted. Else analyze the data,
	but don't try to reassemble.

2002-04-24  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/protocols/http/http.c (http_sequence_to_unicode): 

	* src/packet-decode.c (packet_new): 
	set paws_tsval and paws_tsecr to 0.

	* src/tcp-stream.c (update_stream_data): 
	handle case where sequence is < than ISN (retransmission).

	* src/optparse.c (remember_needed_option): 
	(get_tcp_timestamp): 
	(walk_options): call remember_needed_option() here.

	* src/include/packet.h:
	Store PAWS in the packet_container_t structure for
	handling in tcp-stream.c

	* src/protocol-plugins.c: 
	* src/detect-plugins.c: 
	remove un-needed dlfcn.h dependency.

	* src/capture.c (do_capture_from_multiple_devices): 
	Be more strict in handling of possible error while capturing.
	(do_poll): made inline.

2002-04-22  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (status_got_ack): 
	remove un-needed check. This is already done in update_stream_data.

2002-04-19  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/packet-decode.c (capture_tcp): 
	run the engine before adding data to the packet in case reassembly is enabled.
	We want to match data only one time (when reassembly is triggered).

2002-04-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/ip-fragment.c (ip_frag_reasm): 
	avoid possible unaligned access.

	* src/tcp-stream.c: 
	Handle sequence wrap around. We only work using relative
	offsets, and use a wrap-around safe method to compute them.

	This work was done by Vincent Glaume <glaume@enseirb.fr>
	and myself.
	
2002-04-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (tcp_stream_reasm): 
	fix memory corruption bug: stop passing pointer to 
	the ip and tcp header from the currently processed packet.
	Only pass last_packet (which is the last packet that can be 
	used for reassembly purpose).

	(update_stream_data): 
	use is_window_respected().	

	(inject_packet): get ip and tcp header from last_packet.

	* src/packet-decode.c (packet_new): 
	set tcp_allocated_data to NULL.

	(packet_release): if the tcp_allocated_data pointer is
	set, free it.

	* src/include/packet.h: new tcp_allocated_data pointer,
	reference data allocated by the TCP stream reassembly stack.

	

2002-04-17  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c: 
	(tcp_stream_reasm): fix a possible leak.
	(is_window_respected): verify that an ACK was received.
	(tcp_stream_reasm): offset adjust should be uint32_t to 
	avoid wrap around.

	(update_client_state): 
	(update_server_state): take care of the return value of 
	the status_got_* function. Also run status_got_ack last
	cause it might free the stream.

	* plugins/detects/snortrules/snort-rules.c: 
	* src/packet-decode.c: 
	fix warnings.

	* src/tcp-stream.c (inject_packet): 
	comment out the slow path for packet re-injection
	cause it might result in subtle bug. We need to 
	have a decent solution for sharing pcap_pkthdr.

	* plugins/protocols/http/http.c (match_uricontent): 
	assert against data len, not capture len. This was 
	triggering the assertion wrongly on reassembled packets.

	* src/tcp-stream.c (inject_packet):
	restore IP and TCP header.
	
	* src/tcp-stream.c (status_got_fin): 
	remove unused variable.

	Make the reassembly structs lighter.

	(inject_packet): remove obsolete assertion.

	(free_chunk): new function, kill duplicated code.

	(tcp_stream_reasm): handle possible case where last_packet
	is NULL, if no segment in the queue were ACKed.

2002-04-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c: 
	use dprint for debugging stuff. Conditionally compile if
	DEBUG is defined.

2002-04-16  Vincent Glaume  <glaume@enseirb.fr>

	* src/packet-decode.c:
	TCP/IP checksum control is now performed.

	(basic_checksum):
	sums the 16 bit words of a block of bytes; if there's an odd number of 
	bytes, the last one is padded with 0 as specified in the TCP and IP RFCs.

	(cksum_complement):
	returns the 16 bit one's complement of its argument which is a 32 bit 
	integer.
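
The checksum steps described in the entry above (sum the 16-bit words, pad an odd trailing byte with zero, take the 16-bit one's complement of the 32-bit sum), as an added example that is not the prelude-nids source. All function names and the sample header and segment are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical; this is not the prelude-nids code. */

/* Add the buffer to acc as big-endian 16-bit words. An odd trailing byte
 * becomes the high byte of a final word whose low byte is zero padding.
 * A 32-bit accumulator cannot overflow for inputs up to 64 KiB. */
static uint32_t sum16(const uint8_t *buf, size_t len, uint32_t acc)
{
    while (len > 1) {
        acc += ((uint32_t)buf[0] << 8) | buf[1];
        buf += 2;
        len -= 2;
    }
    if (len == 1)
        acc += (uint32_t)buf[0] << 8;
    return acc;
}

/* Fold the carries back into the low 16 bits, then complement. */
static uint16_t fold_complement(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Returns 1 if the captured bytes hold an IPv4 header whose checksum
 * verifies. Summing a valid header, checksum field included, gives
 * 0xffff, so the complement is 0. Bounds are checked before summing. */
static int ipv4_header_ok(const uint8_t *hdr, size_t caplen)
{
    size_t ihl;

    if (caplen < 20 || (hdr[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(hdr[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > caplen)
        return 0;
    return fold_complement(sum16(hdr, ihl, 0)) == 0;
}

/* Checksum over the TCP pseudo-header (addresses, protocol 6, length)
 * and the segment as captured. Returns 0 when the segment carries a
 * correct checksum. */
static uint16_t tcp_checksum(const uint8_t src[4], const uint8_t dst[4],
                             const uint8_t *seg, uint16_t seglen)
{
    uint8_t pseudo[12];

    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[8] = 0;
    pseudo[9] = 6;                       /* IPPROTO_TCP */
    pseudo[10] = (uint8_t)(seglen >> 8);
    pseudo[11] = (uint8_t)(seglen & 0xff);
    return fold_complement(sum16(seg, seglen, sum16(pseudo, 12, 0)));
}

/* Constructed sample data. */
static const uint8_t SAMPLE_IP[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61,                          /* header checksum */
    0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7
};
static const uint8_t SAMPLE_SRC[4] = { 192, 168, 0, 1 };
static const uint8_t SAMPLE_DST[4] = { 192, 168, 0, 199 };
/* 20-byte TCP header plus a 3-byte payload, so the odd-byte padding
 * path is exercised. */
static const uint8_t SAMPLE_TCP[23] = {
    0x04, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x50, 0x18, 0x20, 0x00,
    0x44, 0xfd,                          /* TCP checksum */
    0x00, 0x00, 'a', 'b', 'c'
};

int main(void)
{
    printf("ip header ok: %d\n", ipv4_header_ok(SAMPLE_IP, sizeof SAMPLE_IP));
    printf("tcp residual: 0x%04x\n",
           (unsigned)tcp_checksum(SAMPLE_SRC, SAMPLE_DST, SAMPLE_TCP,
                                  (uint16_t)sizeof SAMPLE_TCP));
    return 0;
}
```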
	
2002-04-16  Baptiste Malguy <baptiste@malguy.net>

	* plugins/detects/snortrules/rules-scanner.l: 
	very slightly reversed the previous modification as it tended to escape
	too many things.

2002-04-16  Baptiste Malguy <baptiste@malguy.net>

	* plugins/detects/snortrules/rules-scanner.l: 
	added character escape (notably with the new function remove_bslash())

2002-04-15  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (restore_packet_injection): 
	move the memcpy() after the buffer reallocation.

	* src/protocol-plugins.c (protocol_plugin_port_list_free): 
	free port list correctly, without leaking memory.

2002-04-15  Vincent Glaume  <glaume@enseirb.fr>

	* src/tcp-stream.c

	(tcp_stream_reasm):
	detects when some data is missing in a TCP stream, while performing 
	the reassembly. this is done by computing the next expected sequence
	number each time some data is stored; when a hole is detected, the data
	previously stored is injected via restore_packet_injection()
	
	(restore_packet_injection):
	this new function calls inject_packet() to inject the data preceding a 
	hole (that is, a missing packet), and updates some offset variables used 
	to know the position in the stream.
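
The two reassembly ideas recorded in the 2002-04-18 and 2002-04-15 entries above (work only with offsets relative to the ISN, computed in a wrap-around safe way, and track the next expected sequence number to detect a hole), as an added example that is not the prelude-nids source. The type, the function names and the sample trace are hypothetical; the sketch assumes segments fall within 2^31 bytes of the expected position and a two's complement target.

```c
#include <stdint.h>
#include <stdio.h>

/* All names below are hypothetical; this is not the prelude-nids code. */

typedef struct {
    uint32_t isn;       /* sequence number of the first data byte (SYN seq + 1) */
    uint32_t next_off;  /* relative offset of the next expected byte */
} half_stream_t;

enum seg_verdict { SEG_IN_ORDER, SEG_RETRANSMIT, SEG_OVERLAP, SEG_HOLE };

static void stream_init(half_stream_t *s, uint32_t syn_seq)
{
    s->isn = syn_seq + 1;   /* unsigned arithmetic wraps modulo 2^32 */
    s->next_off = 0;
}

/* Signed distance a - b in sequence space. Comparing the raw values with
 * '<' gives the wrong answer once the sequence number wraps past 2^32. */
static int32_t seq_delta(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b);
}

/* Classify one segment and advance the expected offset.
 * *new_bytes receives how many bytes of the segment were not seen before;
 * *gap receives the number of missing bytes when a hole is found. */
static enum seg_verdict classify_segment(half_stream_t *s, uint32_t seq,
                                         uint32_t len, uint32_t *new_bytes,
                                         uint32_t *gap)
{
    uint32_t off = seq - s->isn;        /* relative offset, wrap safe */
    uint32_t end = off + len;
    int32_t delta = seq_delta(off, s->next_off);

    *new_bytes = 0;
    *gap = 0;

    if (delta > 0) {
        /* Data is missing before this segment. A reassembler would flush
         * what it has stored so far, then continue after the hole. */
        *gap = (uint32_t)delta;
        *new_bytes = len;
        s->next_off = end;
        return SEG_HOLE;
    }
    if (delta == 0) {
        *new_bytes = len;
        s->next_off = end;
        return SEG_IN_ORDER;
    }
    /* Segment starts before the expected offset (this includes a sequence
     * number lower than the ISN). */
    if (seq_delta(end, s->next_off) <= 0)
        return SEG_RETRANSMIT;          /* nothing new */
    *new_bytes = end - s->next_off;     /* only the tail is new */
    s->next_off = end;
    return SEG_OVERLAP;
}

int main(void)
{
    /* Constructed trace: the SYN sits just below the 32-bit wrap. */
    static const struct { uint32_t seq, len; } trace[] = {
        { 0xfffffff1u, 10 },  /* first data */
        { 0xfffffffbu, 10 },  /* crosses the wrap */
        { 0x00000005u,  5 },  /* after the wrap, still in order */
        { 0xfffffffbu, 10 },  /* retransmission */
        { 0x00000008u,  6 },  /* partial overlap */
        { 0x00000020u,  4 },  /* 18 bytes missing before it */
    };
    half_stream_t s;
    uint32_t fresh, gap;
    size_t i;

    stream_init(&s, 0xfffffff0u);
    for (i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        enum seg_verdict v =
            classify_segment(&s, trace[i].seq, trace[i].len, &fresh, &gap);
        printf("seq=0x%08x verdict=%d new=%u gap=%u\n",
               (unsigned)trace[i].seq, (int)v, (unsigned)fresh, (unsigned)gap);
    }
    return 0;
}
```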

	
2002-04-15  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c: 
	
	(status_got_ack): 
	check if a FIN is acked, report evasive FIN here.

	(status_got_fin): 
	don't call tcp_stream_kill_one_side() here, rather set the CLOSE_WAIT
	flags, and wait for status_got_ack to confirm the FIN is acknowledged.
	Also, check for evasion correctly.
	
	(status_got_rst): 
	check for RST evasion correctly (as specified by the TCP RFC).
	
2002-04-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-rules.c 
	(resolve_variable): new function, resolve variable in a buffer.
	(replace_str): new function, replace a given string in the 
	provided buffer.

	(parse_signature_file): 
	always duplicate the line for consistency (if variable have to be
	resolved, we may need to free the old line and rewrite it, which
	is inconsistent with a static buffer).

	(parse_line): 
	only try to resolve variable if the file is not included from 
	another file. (ruleset variable are still valid, but handled directly by
	the flex/bison parser).
	
	* plugins/detects/snortrules/ruleset/classification.config: 
	add policy-violation classification.

	* plugins/protocols/http/http.c (decode_http_packet): 
	fix possible problem while computing URI len. Fix URI
	real start.

2002-04-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Makefile.am (install-data-local): 
	set permission for prelude-nids.conf-dist 
	(Thanks to Yann Droneaud <meuh@tuxfamily.org> for pointing this out).

	* plugins/protocols/http/http.c (decode_http_packet): 
	revert wrong fix in http decode, put an assertion to be sure.

	* src/capture.c (capture_from_file): 
	Call pcap_set_alloc_func from there too. Reading packet
	from a file doesn't mean we don't want to keep track from
	them !

	This fixes a problem with TCP stream reassembly when reading 
	packets from a file.

2002-04-11  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/protocols/http/http.c (match_uricontent): 
	don't try to analyse data that isn't httpmod processed.

	(decode_http_packet): 
	correct the way we get the request size.
	
2002-04-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	Included a modified patch from Yann Droneaud <ydroneaud@meuh.eu.org>,
	this patch fixes compilation on systems where pcap is not installed:

	* plugins/protocols/telnet/Makefile.am (DEFS): 
	* plugins/protocols/rpc/Makefile.am (DEFS): 
	* plugins/protocols/http/Makefile.am (INCLUDES): 
	* plugins/detects/snortrules/Makefile.am (DEFS): 
	* plugins/detects/scandetect/Makefile.am (DEFS): 
	* plugins/detects/debug/Makefile.am (DEFS): 
	* plugins/detects/arpspoof/Makefile.am (DEFS): 

	added path to libpcap, duplicate include path for build and src 
	directories. Add pcap.h include path.

	* plugins/detects/snortrules/ruleset/Makefile.am: cosmetic change
	define preluderulesetdir before preluderuleset_DATA

2002-04-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	
	* src/packet-decode.c (capture_ip): 
	after the ip_len check, change caplen to ip_len so that we
	don't see ethernet garbage at the end of our packet.

	* src/rules-default.c (signature_match_fragbits): 
	handle unaligned access. 

	* plugins/protocols/http/unicode-to-ascii.c (unicode_to_ascii): 
	remove debugging printf.

	* src/rules-default.c (signature_match_portsrc): 
	(signature_match_portdst): 
	(signature_match_id): 
	(signature_match_win): 
	(signature_match_seq): 
	(signature_match_icmpid): 
	(signature_match_icmpseq): 

	remove un-needed cast.
	
2002-04-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: stop using profile-arcs for optimised build.
	GCC generates bugged code with it.

	* src/rules.c (debug_print_node): 
	(signature_engine_process_packet): 
	added debugging code that dumps the tree while we are walking it.
	conditionally enabled if DEBUG is defined.

	* src/Makefile.am (prelude_nids_SOURCES): 
	(BUILT_SOURCES): use some autoconf magic to fix the
	dependencies problem caused by the way we distribute pcap.

	Hope it'll work everywhere.

2002-04-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/protocol-plugins.c: 
	use a hash table to store port numbers. Tests show that
	it improves performance by 30% in protocol_plugin_is_port_ok().

	* Makefile.am (install-data-local): 
	Only install default configuration file if it does not
	exist... If a configuration file is already present, warn
	the user and install in prelude-nids.conf-dist.


2002-04-07  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-rules.c: 
	added declaration for generated parsing function.

	* configure.in: 
	removed old bison / yacc check. Not needed anymore.

	* src/tcp-stream.c (tcp_stream_new): 
	fix a warning.

2002-04-05  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* src/capture.c: do not abort when ioctl() returns error
	when setting BIOCIMMEDIATE on pcap device, issue warning
	only. This is a fix for bug#00001. 

2002-04-05  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/protocols/http/unitable-generator:
	new directory, containing a tool for generating custom Unicode
	conversion tables (unitable.txt) for WIN32 machines. Since it's 
	WIN32 code none of the files in this directory are compiled or installed 
	when prelude-nids is built. Please see README file in unitable-generator
	directory for more information. This program has its own ChangeLog
	in its directory and its changes should be documented there. 

2002-03-28  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* README: minor language corrections

2002-03-28  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* configure.in: remove bison+flex check (no longer needed)

2002-03-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/Makefile.am: 
	real fix for the assertion problem on some system.
	Fix symbol clash between SnortRules and libpcap,
	leading to abnormal termination upon startup on FreeBSD 4.x.

	This fix has been made possible with the insight from
	Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>

2002-03-25  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-keys.c (match_tcp_flow): 
	(parse_tcp_flow): implement Snort 1.9 flow key... Missing
	is the match function that we need to integrate with
	the TCP reassembly stuff.

	* src/packet-decode.c: 
	conform more to current prelude coding style. Stop
	using global variable. Many cleanup and more low 
	level HW layer handling.
	
	(bytes_are_in_frame): 
	(bytes_are_in_frame_nopkt): new helper macro.

	* src/nids-alert.c (nids_alert_new): 
	use the pcap_pkthdr timestamp, so that we report the
	good time for alert coming from capture file.

	* src/ip-fragment.c: 
	full reentrancy.

	* src/capture.c (search_datalink_handler): 
	handle PPP and ATM better, fit packet-decode rewrite.
	(setup_capture_from_file): set bpf and fcode members 
	to NULL.

	
	* src/ip-fragment.c (ip_frag_queue): 	
	* src/hostdb.c (host_key): (search): 
	* plugins/protocols/telnet/telnet.c (decode_packet): 
	* plugins/protocols/rpc/rpc-decode.c (match_rpc_rule): 
	(decode_rpc_request): 
	(reasm_rpc_fragments): 
	(decode_rpc):
	* plugins/protocols/http/http.c (http_decode): 
	* plugins/detects/scandetect/scandetect.c (tcp_packet): 
	(scandetect_run): 
	* plugins/detects/arpspoof/arpspoof.c (arpcheck_run): 

	Update to use the new extract_* functions.

	* plugins/protocols/http/unicode-to-ascii.c (unicode_load_table): 
	memset the codes table to 0, so that we know about unknown mapping.

	* plugins/protocols/http/http.c (log_unknown): 
	take the unicode value that generated the error as argument.

	(log_invalid_utf8): fix a typo.
	(iss_sequence_to_unicode): Handle ISS %uXXXX encoding.
	(http_sequence_to_unicode): do not bound check here.
	(read_http_encapsulated_utf8_sequence): do it here.
	(process_escaped_data): renamed from process_data.
	(decode_http_packet): call process_escaped_data() only if data
	contain a '%' character.
	
2002-03-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/protocols/http/http.c:
	* plugins/protocols/http/unicode-to-ascii.h:
	* plugins/protocols/http/unicode-to-ascii.c: 
	Cleanup. Coding style fixes. 

2002-03-23  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* prelude-nids.conf.in: Added Unicode-related options for httpmod. 

	* plugins/protocols/http/http.c: Modified to use functions from
	unicode-to-ascii.c
	
	* plugins/protocols/http/unicode-to-ascii.h:
	* plugins/protocols/http/unicode-to-ascii.c: New file.
	Handle Unicode to ASCII conversion table loaded from file.

	* plugins/protocols/http/unitable.txt: New file.
	Default Unicode to ASCII conversion table. 
	
2002-03-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/protocols/http/http.c: added Unicode support. 

2002-03-23  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* configure.in: fix a bug in Bison/Flex detection

2002-03-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/protocols/http/http.c: 
	UTF-8 decoding implemented, complete code rewrite,
	Snort compatibility.

	Depends on Krzysztof Zaraska's Unicode parser, and table
	generator (which should be committed shortly).

	
	* configure.in: 
	* plugins/detects/snortrules/Makefile.am (SUBDIRS): 
	Add Bison/Flex detection. If these are not present,
	use included, already processed files.
	
	* plugins/detects/snortrules/rules-grammar.y: 
	fix minor bug.

2002-03-14  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (update_stream_status): 
	handle ECN nicely.

	* src/prelude.c (cleanup): 
	no need to unlink() pidfile here.

	* src/pconfig.c (set_prelude_user_id): fix typo.

2002-03-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c: 
	* libpcap.diff: include constness fix... 

	* plugins/detects/snortrules/snort-rules.c (plugin_init): 
	use option_run_last definition.

	* src/pconfig.c (set_capture_from_device): 
	strdup() variable / value before passing them to
	variable_set().

	(set_daemon_mode): call prelude_daemonize() here,
	so that fork() occur before pthread creation.

2002-03-11  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/pconfig.c (set_capture_from_device): 
	get device address and create the associated variable.
	Thus while parsing option (which'll avoid, looking up 
	the ruleset before devices variables are set).

	(pconfig_set): it's the sensor's responsibility to call
	prelude_async_init().

	(pconfig_set): add the --user (-u), option, which permit to
	run Prelude NIDS as the specified user.

	(set_prelude_user_id): new function, handle case where the
	user want Prelude NIDS to run as a non root user.

	* src/capture.c (capture_get_device_address): 
	new function, used in order to get address of a device.

	(set_device_variable):  removed.

	* src/packet-decode.c (packet_new): proto member default to p_end
	(fix a crash if an alert is reported and packet_add_header was never
	called).

	* plugins/detects/snortrules/snort-rules.c (plugin_init): 
	call prelude_option_set_priority so that callback for this option
	is called last, and we can resolve the $interface_ADDRESS variable.

2002-03-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c:
	Made state being a bits vector, instead of just storing one
	state at a time.
	
	* src/tcp-stream.c (update_stream_data): 
	don't insert already acked segment.

	(search_previous_stream_chunk): store chunk in reverse order,
	so number of hop is almost always 1.

2002-03-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (inject_packet_slow_path): 
	new function, packet re-injection needing memcpy.
	(update_server_state): 
	(update_client_state): avoid being desynchronised if an attacker
	sends us a SYN for an already existing, with TWH completed, connection.

	(status_got_ack): now that we can re-inject packet in a flexible way,
	we do not need to wait for a packet with the good source to come.

	(inject_packet): use fast path when possible (packet not used somewhere else), 
	else use inject_packet_slow_path().

	(status_got_ack): only set state to ACK_RCVD the first time we get an ACK.
	This'll avoid clearing the CLOSED_WAIT state.

	Many other bug fixes, fix a packet leak.

	* src/packet-decode.c (packet_new): 
	made public, can be used by other subsystem for packet injection.
	(packet_decode_add_header): made inline, instead of a macro.


2002-03-07  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c: 
	re-introduce closed-wait state. More alignment care. Packet
	re-injection. Check window size.
	(tcp_stream_reasm): check that we have more than 0 byte to
	reasm (we may have already done it).
	
	(tcp_stream_kill_one_side): handle CLOSE_WAIT state.
	
	(inject_packet): new function.

	(tcp_stream_reasm): If there is not ACKED buffer in the list,
	convert their offset to a relative value with what we already reassembled.

	* src/packet-decode.c (SliceAndStoreDataPkt): 
	made public so that it can be called for packet re-injection.
	(SliceAndStoreTcpPkt): don't call SliceAndStoreDataPkt ourself
	if tcp_stream is enabled.

	* src/tcp-stream.c (search): 
	more alignment care. Check matching sport and dport.


2002-03-07  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* src/tcp-stream.c: fixed FreeBSD warning about LIST_HEAD


2002-03-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/tcp-stream.c (print_ascii): 
	print on stdout not stderr, so that we are not annoyed
	by buffering.

	* src/packet-decode.c (SliceAndStoreTcpPkt): 
	set packet->allocated_data so that TCP reassembled 
	data are taken into account.

	* src/tcp-stream.c: care about alignment.
	(tcp_stream_new): timeout is 2 minutes.

	* src/pconfig.c (pconfig_set): 
	enable TCP stream reassembly on request.

	* src/tcp-stream.c: TCP stream reassembly.

	* src/packet-decode.c (SliceAndStoreDataPkt): 
	take a length argument, do not use caplen anymore...
	
	(SliceAndStoreTcpPkt): call the tcp stream reassembly engine,
	if something is reassembled, call SliceAndStoreDataPkt again.

2002-03-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* libpcap.diff: when buffers are handled by the application,
	don't free them on exit. It's up to the application to free used
	buffers.

2002-03-02  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* plugins/protocols/rpc/rpc-decode.c: fix includes

2002-02-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/protocols/telnet/Makefile.am (DEFS): 
	* plugins/protocols/http/Makefile.am (DEFS): 
	* plugins/detects/snortrules/Makefile.am (DEFS): 
	* plugins/detects/shellcode/Makefile.am (DEFS): 
	* plugins/detects/scandetect/Makefile.am: 
	* plugins/detects/arpspoof/Makefile.am: 
	* plugins/detects/debug/Makefile.am (DEFS): 

	locale include directory *before* libprelude include directory.

2002-02-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/Makefile.am (DEFS): -I$(top_srcdir) -Ilibpcap before
	other include directory.

	* src/capture.c: workaround for NetBSD not defining ENOTSUP.

	* plugins/protocols/rpc/rpc-decode.c: include netinet/in.h and
	inttypes.h.

	* plugins/detects/scandetect/scandetect.c (guess_tcp_scan_kind): 
	ignore TH_CWR and TH_ECNECHO instead of old removed TH_RES1 /
	TH_RES2.
	
	* src/include/nethdr.h (TH_ECNECHO): 
	added definition for TH_CW and TH_ECNECHO.

2002-02-22  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/packet-decode.c: 
	* src/capture.c (search_datalink_handler): 
	made pcap data not const to avoid tons of warnings.
	
	* src/protocol-plugins.c: made port_list API cleaner.

	* plugins/detects/scandetect/scandetect.c: 
	* plugins/detects/arpspoof/arpspoof.c (arpcheck_run): 
	alignment fix.
	
	* plugins/protocols/rpc/rpc-decode.c (reasm_rpc_fragments): 
	alignment fix, better bound checking, use memcpy().

	(decode_rpc_request): compare rpc protocol version instead of 
	program version to RPC_MSG_VERSION.

2002-02-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/ip-fragment.c (ip_frag_queue): 
	* src/packet-decode.c (SliceAndStoreEtherPkt): 
	(SliceAndStoreIpPkt): 
	* src/hostdb.c (host_key): handle alignment.

	* libpcap.diff: fix memory corruption bug on some
	architectures due to an overlap between struct pcap_pkthdr
	and struct pcap_ref_pkthdr. 

	Use a simple timeval struct instead of a pcap_timeval struct.
	The fix was discovered by Pierre-Jean Turpeau <Pierre-Jean.Turpeau@enseirb.fr>

2002-02-20  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/packet-decode.c (SliceAndStoreDataPkt): 
	include payload in the packet before calling protocol_plugins_run()
	so that we can see the payload on protocol plugins alert.

	* src/optparse.c (setup_opt_alert): 
	include impact description.

	* src/capture.c (add_device): 
	use prelude_realloc() for portability.
	
	* src/capture.c (setup_bpf): 
	call pcap_freecode to avoid leaking pcap bpf.
		
	* src/capture.c (setup_bpf): 
	use capdev_t bpf_program struct.
	
	* acinclude.m4: 
	remove commented out line containing AM_PATH_GTK,
	cause even though it is commented, a bug in aclocal makes
	it try to find this macro, and fail on systems where it is not
	available.

	Thanks to Pierre-Jean Turpeau <Pierre-Jean.Turpeau@enseirb.fr>
	for pointing and fixing this problem.

2002-02-14  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-keys.c (parse_reference): 
	handle arachnids and macafee reference again. Class them as 
	unknown reference as they are not specified by IDMEFv6.

2002-02-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/rules-default.c (signature_match_packet_content): 
	use application_layer_depth instead of current depth.

	* plugins/detects/shellcode/shellcode.h: 
	add copyright information, fit Prelude Coding style.

2002-02-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* docs/man/prelude-nids.8: 
	added prelude-nids manpage, by Sebastien Tricaud <toady@cell-security.com>.
	Re-worked it a little, so that it fit current prelude-nids behavior.

	* src/pconfig.c (set_bpf_rule): 
	possibility to have a global BPF rule.

2002-02-07  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* prelude-nids.conf: update comment. 
	Use the sensors-default.conf configured Manager address by
	default. Add an entry for the shellcode detection plugin.

	* plugins/detects/shellcode/shellcode.c: 
	make maximum number of NOP before raising an alert configurable.

	* plugins/detects/shellcode/Makefile.am (noinst_HEADERS): 
	shellcode.h
	
	* src/prelude.c: include nids-alert.h to avoid warning.

2002-02-07  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>

	* src/capture.c: added a workaround for a FreeBSD 4.x bug
	in poll() regarding handling of POLLIN flag (see source 
	file for more information). This fixes a problem with capturing
	on multiple interfaces on FreeBSD 4.x. FreeBSD 5.0 does not have
	this bug. 

2002-02-01  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/shellcode/shellcode.c: 
	implementation of polymorphic shellcode detection. This
	is inspired from the NIDSfindshellcode program by 
	Next Generation Security Technologies.

	* src/packet-decode.c (SliceAndStoreIpPkt): 
	don't try to decode IPv6 packet. for now.

	* plugins/detects/debug/debug.c (debug_run): debug plugin
	create a real alert.

	* src/nids-alert.c: remove the old hack that was used
	to gather the size of the message to be sent for creating 
	the message.

	We now use the prelude-msgbuf API.

2002-01-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-keys.c (add_classtype): 
	break when we found the corresponding keys. Use calloc() to 
	set memory content to 0.

2002-01-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/nids-alert.c: include analyzer ostype and osversion.

	* plugins/protocols/http/http.c (check_for_attack): 
	made alert member static.

2002-01-25  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/nids-alert.c: modified the API used to send alert
	a little. We now include IDMEF v6 alert information. 

	* src/ip-fragment.c: 
	Include more attack information. Alert on IP frag overlap
	attack.

	* plugins/detects/snortrules/snort-keys.c: 
	(add_classtype): Extend classtype so we can provide IDMEF
	compliant information.
	
	* src/packet-decode.c: 
	* src/optparse.c: 	
	* plugins/protocols/http/http.c (check_for_attack): 
	* plugins/detects/snortrules/snort-rules.c (signature_matched_cb): 
	* plugins/detects/scandetect/scandetect.c: 
	* plugins/detects/arpspoof/arpspoof.c: 

	Include IDMEF v6 compliant attack information. 
	Fit nids-alert API change.
	
2002-01-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/nids-alert.c (nids_alert): 
	* plugins/detects/snortrules/snort-rules.c (signature_matched_cb): 

	use prelude_sensor_send_msg_async().
	
2002-01-22  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/snortrules/snort-rules.c (signature_matched_cb): 
	IDMEF v6 compliance.

2002-01-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* libpcap.diff: updated the pcap patch.

	* src/capture.c (capture_from_device): 
	only set the pcap allocation function in case we're not
	capturing to a file.
	(handle_device_event): back to use pcap_dispatch.
	(handle_device_event): return pcap dispatch return value
	in case we're reading from a file. Always return 1 if we're
	reading from a device, unless an error occurs.

	(do_capture_from_multiple_devices):
	correct the way we get the pcap FD in case we're capturing
	from a file.

2002-01-20  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>
	* configure.in: added AC_CANONICAL_SYSTEM macro to fix autoconf 2.5x
	problem

2002-01-19  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (setup_capture_from_device): convert 
	to Prelude coding style.

	(capture_start): now that we have a real workaround for
	the FreeBSD BPF bug, use do_capture_from_multiple_devices() 
	anyway.

2001-01-19  Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
	* src/capture.c: fixed FreeBSD packet capture problem causing
	prelude-nids to wait until pcap buffer fills and then process all 
	captured packets in one burst. Credit and much thanks go to Dug Song 
	<dugsong@monkey.org> for the fix. 

2002-01-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Moved back to using configure.in... Autoconf 2.5x causes
	too many problems. Cleaned up the whole stuff.

	* src/ip-fragment.c (ip_expire): uncommented expire
	attack detection. Should work with the timer_reset() call.
	(ip_defrag): reset the IP queue timer if we know this entry.

	* configure.ac: updated.

2002-01-17  Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
	* plugins/detects/snortrules/snort-rules.c:
	fixed LIST_HEAD warning on FreeBSD.
	* plugins/detects/debug/debug.c: removed obsolete comment

2002-01-17  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c: use notification provided by libprelude
	in order to setup BPF for not analyzing sensor -> manager
	communication.

	* configure.ac: updated.

2002-01-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/ip-fragment.c (ip_frag_create): Initialize timer
	*after* setting it up.

2002-01-12  Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
	* plugins/detects/snortrules/snort-rules.c:
	* src/nids-alert.c:
	* src/rules-default.c:
	* src/rules.c: fixed includes to allow compiling on FreeBSD

2002-01-11  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/packet-decode.c (SliceAndStoreNullPkt): 
	(SliceAndStorePppPkt): 
	(SliceAndStorePppBsdosPkt): 
	(SliceAndStoreFddiPkt): 
	(SliceAndStoreAtmPkt): 
	(SliceAndStoreRawPkt): call debug plugin registered
	to all protocols.

	* plugins/detects/debug/debug.c (debug_run): correct
	output message.

	* src/rules.c (_r_insert_node): revert wrong fix.

2002-01-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/rules.c (_r_insert_node): 
	fix a long standing leak.
	fix several warning.

2002-01-06  Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>

	* src/prelude.c: includes cleanup

2002-01-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/include/Makefile.am (includedir): correct prefix.

	* src/pconfig.c (pconfig_set): pass sensor name
	to prelude_sensor_init();

	remove some old code.

	* prelude-nids.conf.in: 
	* configure.ac: 
	preprocess the configuration file.

2002-01-04  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/rules-parsing.c (signature_parser_parse_key): 
	delete rule on error.

	* src/pconfig.c (pconfig_set): 
	now use the prelude-getopt API.

	* src/nids-alert.c: 
	(send_analyzer_data): new function. Send analyzer related information.

	
	* src/prelude.c (main): 
	* src/protocol-plugins.c: 
	* src/detect-plugins.c: fit latest API change allowing
	asynchronous plugins subscription / un-subscription.

	* plugins/protocols/telnet/telnet.c: 
	* plugins/protocols/rpc/rpc-plugin.c: 
	* plugins/protocols/http/http.c: 
	* plugins/detects/snortrules/snort-rules.c:
	* plugins/detects/scandetect/scandetect.c: 
	* plugins/detects/debug/debug.c:
	* plugins/detects/arpspoof/arpspoof.c: 
	use prelude-getopt API. Fit latest plugin API change.

	* plugins/detects/snortrules/snort-rules.c:
	(signature_matched_cb): handle Snort classtype.
	
2002-01-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/rules-operations.c (signature_engine_get_new_data_id): 
	data rule ID are allocated dynamically.

	* src/packet-decode.c (SliceAndStoreIcmpPkt): make
	the ICMP open addressed hash table static.

	* src/capture.c: more cleanup.

	* src/rules-default.c: move a lot of parsing functions
	to snort-key.c, in the SnortRule plugin. These functions
	are directly related to Snort parsing.


2001-12-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.ac: Remove obsolete XDR option.
	
	*  updated CREDITS file with the necessary entry.
	
2001-12-30  Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
	* src/*.c: multiple changes of inclusion order in source files.
	Now <libprelude/list.h> included after "packet.h" in all files. 
	This fixes the LIST_HEAD bug on FreeBSD.
	
	* src/include/packet.h: added comment describing the above
	problem and recommended inclusion order

	* plugins/detects/debug.c: if built with -DDEBUG_PLUGIN_ENABLE
	the plugin is always enabled, regardless of -e plugin option
	on prelude-nids startup. If built with -DDEBUG_PLUGIN_VERBOSE
	a message is sent to stderr every time an alert is received. 
	By default none of these options is enabled. 

2001-12-29  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (read_packet): new function wrapper
	for the real pcap link handler. We use this wrapper
	in order to count the number of packet on a device, cause
	pcap don't do it for file and this could confuse the user.

	(capture_from_device): Take an outfile argument, so that each device
	can be captured to a different file. Also, outfile will get an extension 
	(the device name), in order to not confuse libpcap 
	(which associates a capture file with the type of link for the device) if
	the user specifies the same file for two different devices.

	(pcap_dump_stat_from_device): also log prelude own device statistic.

	(do_capture_from_single_device): new function: 
	We use this function instead of directly using 
	do_capture_from_multiple_devices() in order to work around a FreeBSD bug :
	When linked against libc_r, polling on a BPF device won't return until the
	buffer for the device is full.

	The result is that we get burst of packet instead of one packet at a time
	(which will probably fuck up some of the detection timer).

	Here we fix the case where we only capture from a single device, cause
	we don't need polling(). Unfortunately there is no workaround for the case
	where we are trying to listen on several devices (until the FreeBSD team
	fixes the problem).

	(do_capture_from_multiple_devices): pass a cnt of 1, so pcap_loop
	will return immediately and we can continue polling.

	(handle_device_event): use pcap_loop whose behavior is more
	predictable than pcap_dispatch. Also take a cnt argument.

	* src/pconfig.c (pconfig_set): handle the return value
	from capture devices setup well.

2001-12-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (capture_from_device): take a snaplen
	argument.

	* src/pconfig.c (pconfig_set): 
	(setup_capture_device): add the device only after reading
	an eventual snaplen.

	* src/capture.c: lot of change for latest pcap modification.
	Zero copy should work properly now.

	* src/detect-plugins.c (plugin_subscribe): set
	first buffer byte to zero, so plugin that  don't register
	to a protocol do not output garbage.

	* src/capture.c: add a per interface packet counter.
	remove some un-needed variable. 

	* src/include/packet.h: now have a struct pcap_pkthdr
	member (needed to achieve zero copy cleanly).

	* src/packet-decode.c: no need for a global pcap_pkthdr.
	(packet_new): log an error in case of memory allocation problem.
	(SliceAndStoreEtherPkt): 
	(SliceAndStoreNullPkt): 
	(SliceAndStorePppPkt): 
	(SliceAndStoreFddiPkt): 
	(SliceAndStoreRawPkt):
	Set packet->pcap_hdr member to the current pcap_hdr.
	
	(packet_release): 
	call pcap_buffer_free()

	* src/prelude.c (main): make good use of prelude_log_set_prefix().

	* src/protocol-plugins.c (plugin_subscribe): 
	* plugins/detects/snortrules/snort-rules.c (load_signature_file): 
	* src/detect-plugins.c (plugin_subscribe): 
	instead of calling log() several time for a single line 
	queue write to a buffer. This avoid having too many line in syslog.

2001-12-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/include/nids-alert-id.h: remove un-necessary definition.

	* src/nids-alert.c: cleanup. Move some information from
	NIDS message protocol to raw IDMEF.

2001-12-13  Krzysztof Zaraska  <kzaraska@student.uci.agh.edu.pl>
	* plugins/detects/scandetect/scandetect.c (set_ignore_host): 
	fixed function parameter handling

2001-12-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/detect-plugins.c (detect_plugins_run): 
	* src/protocol-plugins.c (protocol_plugins_run): Adapt to new
	plugin_run / plugin_run_with_return_value prototype.

2001-12-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (do_capture_from_single_device): removed.
	This duplicate too much code with do_capture_from_multiple_device
	and it's not worth the CPU gain.

	(capture_start): use do_capture_from_multiple_devices, even if 
	there is only one interface.

	(do_capture_from_multiple_devices): handle POLLERR event (instead
	of going crazy in a 100% CPU loop).

	* src/pconfig.c: get rid of the config_quiet configuration
	variable which was needed by libprelude. Use prelude_log_use_syslog instead.

2001-11-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (do_capture_from_multiple_devices): 
	don't increment packet counter if capture was interrupted by a signal.

	* plugins/detects/scandetect/scandetect.c (new_cnx): 
	set connection counter to 0. This fixes a problem when freed 
	memory was re-used (counter not being reset), and will fix
	problems on systems where the data segment is not zeroed.

2001-11-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/include/detect.h: include sensor.h

	* src/capture.c (do_capture_from_file): fix warning.

	* src/nids-alert.c (nids_alert_new): 
	* plugins/detects/snortrules/snort-rules.c (signature_matched_cb): 
	Use standard IDMEF message.

	
	* src/rules-default.c (parse_reference): 
	* src/include/rules-default.h: use an idmef_classification_origin_t
	type to store the classification origin.

2001-11-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/Makefile.am (t): use $(MAKE) variable instead of 
	directly calling make, this fix BSD compile issue. Thanks to
	Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl> for reporting
	and fixing the problem.

2001-11-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (do_capture_from_file): timer wake up
	is now handled entirely in libprelude.

2001-11-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/capture.c (do_capture_from_multiple_devices): 
	(do_capture_from_single_device): timers are now woken up in
	the asynchronous thread. These 2 functions should probably be
	merged, they are almost identical now.

2001-10-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* A lot of modification. Complete API change, use
	OOP model in non time critical place for maintainability
	reason.
	
2001-10-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/pconfig.c (print_usage): libprelude_sensor_print_help()
	doesn't exist anymore.

	* src/prelude.c (main): libprelude_sensor_init() have
	to be called before anything else.

2001-10-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.ac:
	correct AC_PATH_GENERIC usage.

2001-09-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Makefile.am (preludeconf_DATA): 
	* configure.ac (prelude_conf): 
	Rename the configuration file to prelude-nids.conf.

	* prelude.conf: rename Prelude section to Prelude NIDS.
	rename "report addr" entry to "manager addr" and "report port"
	entry to "manager port".

	Rename to prelude-nids.conf
		
	* src/Makefile.am : Rename binary to prelude-nids. 

2001-09-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/detects/scandetect/scandetect.c (plugin_init): 
	(set_low_port_count): (set_high_port_count): (print_help): 
	add the high-port-count and low-port-count configuration key.

	(set_cnx_port): new function, set the bit corresponding to
	the destination port passed as argument. Return 0 on success,
	-1 if port was already set.

	(new_cnx): Use set_cnx_port(). 
	Don't call gettimeofday to set the connection timestamp,
	use the packet provided timestamp.

	(modify_cnx): Use set_cnx_port().

	(guess_tcp_scan_kind): Handle more scan type.


	Lot of cleanup.
	We now use a timeout of 60 seconds before expiring entry.
	Each connection for a given shost <-> dhost pair reset the
	timeout.

	We separately count connections on low ( < 1024 ) and high (>1024)
	ports.

	Threshold for triggering an alert is 5 connections on a privileged
	port in less than 60 seconds, or 50 connections on an unprivileged
	port in less than 60 seconds.
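
The bookkeeping described in the 2001-09-21 entry, as an added example (not the code in scandetect.c). The names set_cnx_port and new_cnx come from the entry; their bodies, scan_cnx_t, scan_observe and replay_sweep are hypothetical. Assumptions: only the first connection to each port is counted, port 1024 is counted as high, and the alert fires once when a counter reaches its threshold.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCAN_TIMEOUT     60  /* idle seconds before an entry expires */
#define LOW_PORT_COUNT    5  /* alert threshold, ports < 1024 */
#define HIGH_PORT_COUNT  50  /* alert threshold, remaining ports */

enum { SCAN_NONE = 0, SCAN_LOW_PORTS, SCAN_HIGH_PORTS };

/* Hypothetical state kept for one source host <-> destination host pair. */
typedef struct {
    uint8_t  ports[65536 / 8];  /* one bit per destination port already seen */
    unsigned low_count;
    unsigned high_count;
    long     last_seen;         /* packet timestamp, not gettimeofday() */
    int      active;
} scan_cnx_t;

/* Set the bit for `port`. Returns 0 on success, -1 if it was already set. */
static int set_cnx_port(scan_cnx_t *cnx, uint16_t port)
{
    uint8_t mask = (uint8_t)(1u << (port & 7));

    if (cnx->ports[port >> 3] & mask)
        return -1;
    cnx->ports[port >> 3] |= mask;
    return 0;
}

/* Start a fresh entry: counters and port bitmap are explicitly zeroed. */
static void new_cnx(scan_cnx_t *cnx, long ts)
{
    memset(cnx, 0, sizeof(*cnx));
    cnx->active = 1;
    cnx->last_seen = ts;
}

/* Account for one connection to `dport` seen at packet time `ts` (seconds).
 * Returns SCAN_LOW_PORTS or SCAN_HIGH_PORTS when a threshold is reached. */
int scan_observe(scan_cnx_t *cnx, uint16_t dport, long ts)
{
    if (!cnx->active || ts - cnx->last_seen >= SCAN_TIMEOUT)
        new_cnx(cnx, ts);       /* entry expired: counters restart */
    cnx->last_seen = ts;        /* every connection resets the timeout */

    if (set_cnx_port(cnx, dport) < 0)
        return SCAN_NONE;       /* repeat traffic to a known port */

    if (dport < 1024) {
        if (++cnx->low_count == LOW_PORT_COUNT)
            return SCAN_LOW_PORTS;
    } else if (++cnx->high_count == HIGH_PORT_COUNT) {
        return SCAN_HIGH_PORTS;
    }
    return SCAN_NONE;
}

typedef struct { int index; int kind; } sweep_result_t;

/* Constructed input: n connections to ports first, first+stride, ... spaced
 * `gap` seconds apart. Reports the 1-based packet that raised the alert
 * (index 0 if none did) and the alert kind. */
sweep_result_t replay_sweep(uint16_t first, unsigned stride, unsigned n, long gap)
{
    static scan_cnx_t cnx;
    sweep_result_t res = { 0, SCAN_NONE };
    unsigned i;

    memset(&cnx, 0, sizeof(cnx));
    for (i = 0; i < n; i++) {
        int r = scan_observe(&cnx, (uint16_t)(first + i * stride),
                             1000 + (long)i * gap);
        if (r != SCAN_NONE) {
            res.index = (int)i + 1;
            res.kind = r;
            break;
        }
    }
    return res;
}

int main(void)
{
    sweep_result_t r = replay_sweep(20, 1, 10, 1);
    printf("ports 20-29, 1 s apart:  kind %d at packet %d\n", r.kind, r.index);
    r = replay_sweep(20, 1, 10, 60);
    printf("ports 20-29, 60 s apart: kind %d at packet %d\n", r.kind, r.index);
    r = replay_sweep(80, 0, 100, 1);
    printf("port 80, 100 times:      kind %d at packet %d\n", r.kind, r.index);
    return 0;
}
```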

2001-09-14  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/rules-default.c (parse_msg): count \0 in message len.
	(parse_reference): ditto. Use the new data_reference_t type to
	store reference corresponding to a rule.

	* src/packet-decode.c (packet_release): 
	Verify that refcount is always bigger than zero. Assert if
	not, cause that could lead to complicated memory corruption 
	problem.

	* src/nids-alert.c :
	Many cleanup,
	(nids_alert_new): new function, setup the alert basic.
	Determine correctly the length of the alert buffer.

	* plugins/detects/snortrules/snort-rules.c (signature_matched_cb): 
	use nids_alert_new to setup the alert basic. Emit more information
	about the matched signature.

2001-09-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/include/nethdr.h (TH_RES1): 
	Add definition for reserved bits (ECN).

	* src/include/detect.h: include nids-alert-id.h and alert-id.h
	commented include.

	* plugins/detects/snortrules/snort-rules.c (signature_matched_cb): 
	use the ID_PRELUDE_NIDS_ALERT definition.

	* src/nids-alert.c: include alert-id.h
	(nids_alert): use the ID_PRELUDE_NIDS_ALERT definition.

	* src/include/packet.h (packet_add_header): 
	set len to 0.

	* src/nids-alert.c (write_standard_infos): 
	Use an array to store the string, else sizeof will
	return a pointer size.

	* plugins/detects/snortrules/snort-rules.c: 
	Emit packet. Use alert id defined in nids-alert-id.h.
	

2001-08-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/nids-alert.c: new file, 
	provide callback to be called by libprelude-sensors,
	in order to lock / release / send the private data (the packet
	for prelude-nids).

	* src/include/packet.h: packet_t len is 16 bits,
	proto is 8bits.

	* src/prelude.c (main): pass the callback function for
	private data handling to libprelude-sensors.

	* plugins/detects/snortrules/snort-rules.c (signature_matched_cb): 
	the packet shouldn't be locked here.

2001-08-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

        * src/plugins/detects/scandetect/scandetect.c: 
        do not register to the IP protocol, we can gather the IP
        header when called for a TCP || UDP packet.
        (plugin_init): Handle the ignore-host config key.

        Lot of cleanup, fixed a off by one error with the port array.

2001-08-25  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

        * src/prelude/rules-type.c (parse_ip): 
        Let gcc deduce the size of the array by itself.
        This can avoid obvious errors.

        * src/prelude/prelude.c (main): 
        call hostdb_init().

        * src/prelude/include/hostdb.h: 
        * src/prelude/hostdb.c (hostdb_init): new function :
        set the hostdb hash table to 0. This should fix crash on 
        operating system that do not set the data segment to 0.

2001-08-24  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* More tree changes. Protocols plugins should compile again.

2001-08-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* plugins/arpspoof/arpspoof.c: Sync with arpspoof plugins from the
	stable branch.

	* src/pconfig.c (pconfig_set): remove some of the option now handled
	directly by libprelude-sensors.

	* Move several stuff into libprelude-sensors.

2001-08-19  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rules_parsing.c (signature_parser_add_post_processing): 
	renamed from add_post_processing.
	(signature_parser_post_processing): now return an int.

	Remove the rule_parsed variable (used to communicate with yacc/lex),
	This belong to the rule parser plugin.

	* src/prelude/Makefile.am (prelude_SOURCES):
	rules_grammar.y and rules_lexer.c belong to the rules parser plugin.

	* src/prelude/protocol-plugins.c (protocol_plugin_init_port_list): 
	Ooops, not memcmp... memset.

	* src/prelude/rules-type.c 
	(print_segment): Remove un-necessary \n. 
	(print_flags): ditto.
	(print_integer): ditto.
	(print_ip): ditto.

	* src/prelude/capture.c (set_device_variable): 
	(setup_capture_from_device): Set the device_ADDRESS variable.
	This fix bug #452731.

	* src/prelude/rules.c (signature_engine_process_packet): 
	Convert the leaf test result to boolean then XOR it against
	leaf_match->inversed.

	* src/plugins/detects/rules/rules.c (parse_signature_file): don't
	set rule counter to 0 here. This fixes the bug where 0 rules added 
	/ ignored were reported in case there were several rules files 
	included.

2001-08-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.ac: bump version number to 0.4.1.

	* src/prelude/include/plugin-detect.h: 
	* src/prelude/detect-plugins.c (detect_plugins_run): 

	* src/plugins/detects/arpspoof/arpspoof.c: 
	Final version is now able to look at ARP cache overwrite
	attack. Use a hash table to store ARP entry. The hash 
	function is a little weak, but it will be ok for now.

	* prelude-report.conf.in:
	Update to fit latest changes.

	* src/plugins/reports/xmlmod/xmlmod.c: 
	* src/plugins/reports/filemod/filemod.c: 
	* src/plugins/reports/htmlmod/htmlmod.c: 
	* src/plugins/reports/execmod/execmod.c: 
	* src/plugins/protocols/telnet/telnet.c: 
	* src/plugins/protocols/rpc/rpc-plugin.c: 
	* src/plugins/protocols/http/http.c: 
	* src/plugins/detects/scandetect/scandetect.c: 
	* src/plugins/detects/rules/rules.c: 
	* src/plugins/detects/debug/debug.c: 
	* src/plugins/detects/arpspoof/arpspoof.c: 

	Update to fit latest configuration API change.
	
	* src/libprelude/plugin-common.c: Several cleanup,
	comment the code a little.
	(plugin_config_get): 
	(generate_options_string): 
	(get_missing_options):  New function to be used by
	plugin to get their configuration. This will remove
	the configuration mess in all plugins. 

	* prelude.conf: Update the configuration file to fit
	the latest changes.

	* src/libprelude/config-engine.c (config_get): 
	If entry is found but not followed by an '=' character
	return an empty string, not NULL. Also, all config line 
	should end with a ';' except section line.

	* src/prelude/Makefile.am (t): Applied patch from 
	Sylvain Gil <tootella@tootella.org>. This should fix the 
	problem some people were having with Prelude not compiling 
	because of the way it include libpcap.

	* include/nethdr.h: added some definition for ARP header.

	* src/plugins/detects/arpspoof/arpspoof.c: 
	Start of the ArpSpoof detection plugins.

2001-08-17  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* prelude-report.conf.in: new file.
	* prelude-report.conf: deleted.
	* configure.ac : generate prelude-report.conf from 
	prelude-report.conf.in
	* Makefile.am (install-data-local): log directory is
	a subdirectory of $(localstatedir).

	This was done with the help of Sylvain Gil <tootella@tootella.org>
	
	* prelude.spec: updated.


2001-08-15  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.ac: 
	Bump version to 0.4.0.
	
	Handle the case when pthread_ function are in libc_r.

	* src/plugins/protocols/rpc/rpc-decode.c: 
	* src/prelude-report/ssl.c: 
	* src/prelude/rules_default.c: 
	* src/prelude/write-func.c: 
	* src/libprelude/ssl_config.c: 
	* src/prelude/ssl.c:

	Portability fix.

2001-08-14  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Added missing copyright notice everywhere.

	* src/plugins/detects/rules/rules.c (plugin_init): 
	Change contact information, and set author to : "The Prelude Team".
	
	* src/prelude/rqueue.c: Change support mail address.

	* src/prelude/packet-decode.c (handle_ip_fragment): 
	Fix cast.
	(handle_ip_fragment): do not free allocated_data here,
	this is packet_release job.
	
	(handle_ip_fragment): Commented out the hlen > caplen test
	done after defragmentation. This should never happen (put an
	assert instead).

	* include/packet.h: captured_data and allocated data are 
	unsigned char ptr.

2001-08-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/pconfig.c (pconfig_set): 
	* src/prelude/rules.c (signature_engine_process_packet): 
	Added the -o option (report-all), the effect of this option
	is to report all matching signature against a packet.
	
	* Makefile.am (install-data-local): 
	create /var/log/prelude at install time.

	* prelude-report.conf (logfile): 
	log in /var/log/prelude/prelude.log

	* src/libprelude/auth-common.c (ask_account_infos): 
	Added a fprintf explaining what to do.

	* src/prelude/rules_default.c (match_id):
	(match_seq): Use network to host byte order translation function.
	(match_ack): ditto.
	(match_icmp_id): ditto.
	(match_icmp_seq): ditto.

	* src/prelude/rules_default.c: 
	Integrated patch by Laurent Oudot <oudot.laurent@wanadoo.fr> that 
	implement the TCP window test (Snort 1.8 compatibility).


	* src/prelude/rules_default.c (parse_sameip): 
	(match_sameip): New function, handle the sameip test.
	(signature_engine_init): handle the sameip test.
	(match_win): 

	* include/list.h (list_entry): Use void pointer.

2001-08-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/detects/rules/rules.c (signature_matched_cb): 
	Call the rqueue_report function (renamed).

	* src/prelude-report/report-infos.c (get_cleartext_alert_kind): 
	handle the guess alert kind.

	* src/prelude/rules_operations.c: 
	* src/prelude/rules_default.c: 
	* src/prelude/rules.c:  Warnings fix.
	
	* src/prelude/Makefile.am: Make dist should work now.

2001-08-11  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/include/Makefile.am (noinst_HEADERS):
	(EXTRA_DIST): add missing headers files.

	* src/prelude/Makefile.am (DEFS): correct for new method
	of compilation.

	* src/libprelude/include/Makefile.am (noinst_HEADERS): 
	add missing headers files.

	* Makefile.am (SUBDIRS): remove libpcap from SUBDIRS.
	(EXTRA_DIST): add libpcap.tar and libpcap.diff.

2001-08-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/protocols/telnet/telnet.c: 
	Options / config file handling.

	* src/plugins/protocols/rpc/rpc-plugin.c : 
	* src/plugins/protocols/rpc/rpc-decode.c: 
	Big cleanup, almost total rewrite. 
	Handle fragment records the right way.

2001-08-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/protocols/telnet/telnet.c: 
	New plugin, that handles telnet negotiation characters.

	* src/plugins/protocols/rpc/rpc-decode.c (decode_rpc): 
	correct handling of the msg_type enumeration.

	* src/plugins/protocols/rpc/rpc-plugin.c (setup_own_default): 
	default port is 111.

	* src/prelude/pconfig.c (print_usage): 
	Request protocol plugin option printing.

	* src/libprelude/config-engine.c (chomp): 
	Only NULL terminate the line if it is ended with a \n.

	* src/plugins/protocols/rpc/:
	completely rewritten the RPC plugin. 

	* src/prelude/protocol-plugins.c (protocol_plugin_is_port_ok): 
	(protocol_plugin_add_port_to_list): 
	(protocol_plugin_add_string_port_to_list): 
	(protocol_plugin_init_port_list): new function. This is the port_list
	API used by protocol plugins to see if a packet match a set of destination
	port.

	* src/plugins/protocols/http/http.c (match_uricontent): 
	If there is no preprocessed URI, analyze the raw data.
	(decode_http_packet): return 0 when we matched an URI,
	as the payload is not modified.

	cleaned up, fixed some bugs.

2001-08-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet-decode.c (packet_new): 
	(SliceAndStoreDataPkt): 

	Set application layer depth.
	
	(SliceAndStoreTcpPkt): 
	(SliceAndStoreUdpPkt):

	Set transport layer depth.
	
	(SliceAndStoreIpPkt): 

	Set network layer depth.
	

	* src/prelude/rules_default.c: 
	* src/prelude/rqueue.c (determine_alert_kind): 
	* src/plugins/protocols/rpc/rpc.c (decode_rpc): 
	* src/plugins/protocols/http/http.c (http_decode): 

	Modified to use the new packet_t member.
	
	* include/proto.h: depth_* enum are no longer used.

	* include/packet.h: new members : network_layer_depth,
	application_layer_depth, transport_layer_depth. This is used
	to locate certain kind of headers in the packet. 

	This fix the bug people using not fully understood link layer
	protocol were having.

	Converted some member to int8_t in the packet_container_t structure.

	

2001-08-07  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/protocols/rpc/rpc.c: 
	* src/plugins/protocols/http/http.c:

	Add command line / configuration file options handling.
	The HTTP protocol plugin now also handle a portlist.

2001-08-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rules_default.c (match_ip_src): 
	(match_ip_dst): correct debugging output.

	* src/libprelude/plugin-common.c (plugin_register): 
	Only increase plugins_id_max if the plugin registered
	successfully.
	(plugin_get_highest_id): cleanup
	(plugin_load_single): don't increase plugins_id_max here.

	* src/prelude/include/timer.h: 
	* src/prelude/include/hostdb.h: 
	* src/prelude/tcp-stream.c (tcp_stream_new): 

	cleanup.

	* src/prelude/rules_default.c (match_content): 
	this function is static.

	* src/prelude/rules.c (MAX_RULES_CALLED): 
	set to 10000 instead of 50. This is a temporary workaround
	for getting all leaf match tested.

	* src/prelude/rsend.c (expire): 

	* src/prelude/ip_fragment.c (ip_defrag_init): 
	Id that are gonna be used into the host database should
	always be allocated before first hostdb usage.

	* src/prelude/prelude.c (main): 
	call ip_defrag_init().
	

2001-08-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/protocols/http/http.c: 
	New protocol plugin that decode the http protocol.
	It also provide the uricontent key (Snort compatibility).

	* src/prelude/rules_default.c (signature_engine_match_content): 
	renamed from match_content, and made public. This function is to
	be accessed by certain protocol plugins.
	
	(signature_parser_parse_content): 
	renamed from parse_content, and made public. This function is to
	be accessed by certain protocol plugins.
	
	(parse_content_list): New function, to handle the content-list
	test. This is not working yet.
	
	(signature_engine_init): handle the content-list test, fit other
	changes.

	(parse_depth): error checking.
	(parse_offset):	error checking.

	(signature_engine_match_content): comment the code.

2001-08-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rqueue.c (plugin_rqueue_report): 
	fix a bug that was making a crash possible when the alert kind
	was guessed. 

	* src/prelude/rules_default.c: remove the ignore key
	macro (that was creating a new function for each use of this
	macro) just add a dummy function for test that we want to 
	ignore.
	
	(match_ip_src): 
	(match_ip_dst): Added temporary debugging printf in these
	functions.

	(signature_engine_init): handle the sid, rev, react, resp,
	logto, key correctly (Snort 1.8 compatibility)

	(match_ip_proto): 
	new function that match an IP packet protocol member.
	(signature_engine_init): 
	Handle the ip_proto test (Snort 1.8 compatibility).
	

	* src/prelude/packet-decode.c (SliceAndStoreDataPkt): 
	fix several possible bug related to protocol plugins handling.

	(SliceAndStoreIpPkt): Match the packet against the new IP root
	node.

	(SliceAndStoreIcmpPkt): Len should *never* be zero (use 
	ICMP_MINLEN if the type is unknown).
	This should fix a report server crash we were seeing.
	

	* src/prelude/prelude.c: 
	Updated copyright notice.

	* src/plugins/detects/rules/rules.c (get_protocol_node): 
	handle the "ip" protocol (Snort 1.8 compatibility).

	* src/prelude/ip_fragment.c (ip_frag_destroy): 
	(nfrag): minor cleanup. 
	The frag_item_t structure don't need a prev member.

2001-07-31  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet-decode.c (SliceAndStoreIcmpPkt): 
	len should *never* be 0. If we don't know the Icmp type,
	handle the first 8 bytes of the icmp packet. Not the rest.

2001-07-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/protocols/rpc/rpc.c: complete version
	of the RPC plugins.

	* src/prelude/rules_default.c (match_ip_src): 
	(match_ip_dst): 
	(match_port_src): 
	(match_port_dst): 
	(match_tcp_flags): 
	(match_fragbits): 
	(match_ttl): 
	(match_tos): 
	(match_id): 
	(match_data_size): 
	(match_seq): 
	(match_ack): 
	(match_itype): 
	(match_icode): 
	(match_icmp_id): 
	(match_icmp_seq): 
	(match_ipopts): 
	(match_content): 

	Matching functions always return -1 on failure.
	This is for coherency with the rest of the Prelude sources.

	* src/prelude/rules.c (signature_engine_process_packet): 
	check explicitly that the match_packet function pointer
	return a negative value or not. Do the same for leaf 
	function call (now test function return -1 in case of error).

	* src/prelude/packet-decode.c (packet_new): 
	set the new protocol plugins members.

	(handle_ip_fragment): turn IP defragmentation back on.

	(SliceAndStoreDataPkt): if there is no more payload after
	a protocol plugin ran, just return.

	(SliceAndStoreDataPkt): comment the function.
	
	(SliceAndStoreDataPkt): analyze the part of the payload not
	handled by a protocol plugin. But always dump the whole payload
	(including protocol plugin data) at reporting time.

	* include/packet.h: Comment the different structures.
	add the protocol_plugin_id and protocol_plugin_data members to
	the packet_container_t structure. These members are used to
	store private protocol data by the protocol plugins.

	* src/prelude-report/report-infos.c (udp_dump): 
	convert to host byte order before printing the len value
	of an UDP packet.

	* src/plugins/protocols/Makefile.am (SUBDIRS): 
	this file was missing.

2001-07-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/protocols/rpc/rpc.c: 
	(match_rpc): current_data is not a pointer.
	(add_rpc_rules): better error checking.
	(parse_rpc): now parse the rpc rule cleanly.

	* src/prelude/rules_default.c (parse_port_type): 
	fix bug where a rule containing the port 0, would be rejected.
	Port 0 is a valid port. Ditto for port 65535.

	(signature_engine_init): handle the classtype rule 
	(used in Snort 1.8), this avoid us to reject rules using it.

2001-07-25  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/Makefile.am (SUBDIRS): 
	* src/plugins/protocols/Makefile.am (SUBDIRS): 
	* configure.in (CFLAGS): add the protocols plugins
	directory / rpc protocols plugins directory to the
	compilation path.

	* src/plugins/protocols/rpc/decode.c (parse_rpc): 
	skeleton for the rpc plugin.

	* src/prelude/include/plugin-protocol.h (plugin_protocol): 
	(plugin_set_protocol): new macro.

2001-07-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/include/rules.h: leaf_match_f_t now take a void pointer
	not a data_t.

	* src/prelude/rules_operations.c (add_leaf_match_by_id): 
	new function to add a leaf match with care of its priority.
	Not used for now.
	
	(add_rule_leaf_match): Now take a void argument pointing 
	on a data type to pass when executing the leaf test callback.

	* src/prelude/rules_default.c: 
	(match_ipopts): don't use a flag_t anymore. 
	(match_content): use the new string_t structure, 
	do not loop through the global rule data anymore.
	(parse_offset): ditto
	(parse_depth): ditto
	(parse_content): ditto
	(set_nocase): new function (set the global string pointer to NULL for each rule parsed).
	(signature_engine_init): parse_ipopts is now a leaf test, 
	add the new set_nocase() function to the post processing list.

	(parse_ipopts): Ipopts tests are now leaf tests. This'll correct the memory
	problem we had because of these tests and the factorial tree duplication they
	result in.

	* src/prelude/rules.c (signature_engine_process_packet): 
	Do not pass global rules data anymore, pass the data corresponding
	to our test.

	Coding style change. -1 is always to be returned in case of error.
	

2001-07-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/include/packet-decode.h: 
	don't include pcap.h here, as it will be a problem for people
	that don't have libpcap installed (as we use our own local 
	libpcap). To avoid warning, declare an opaque pcap_pkthdr 
	structure.

2001-07-01  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/reports/filemod/filemod.c: flush
	the file descriptor.

	* src/prelude-report/server.c (wait_connection): 
	(unix_server_start): 
	(inet_server_start): Don't use tcp wrapper if we are
	listening on an UNIX socket.

	* configure.in (LIBWRAP_PATH): tcp wrapper check wasn't
	working anymore.

	* src/prelude-report/server.c (tcpd_auth): oops, correct
	a double declaration.

	* Still working on code readability, function renaming...
	  Also fixed several bug and simplified several function.

2001-06-22  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Too much change to list,
	  Signature engine modified to fit the Prelude coding style,
	  several part simplified, function renaming, try to make as
	  much auto documenting code as possible.

2001-06-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	Applied portability patch from Jeremie Brebec <brebec@enseirb.fr>

	* src/libprelude/rxdr.c (xdr_alert): convert
	the time_t argument to an unsigned long. 
	use xdr_u_long().

	* src/libprelude/plugin-common.c (RTLD_NOW): 
	if RTLD_NOW isn't defined, define it to have 
	the same value as RTLD_LAZY.

	* configure.in: check for inet_aton.

2001-06-20  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* include/nethdr.h: use uintxx_t not u_intxx_t which
	isn't portable. Do not define the arphdr structure
	(this is creating conflict on several OS), instead, 
	make the arphdr_t type.

	Thanks to Jeremie Brebec <brebec@enseirb.fr> who pointed 
	this out.

2001-06-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/detects/rules/rules.c: big, big cleanup.

2001-06-14  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/plugin-common.c (plugin_load_from_dir): 
	fix a memory leak on error condition.

2001-06-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/cnx.c (wait_raw_report):
	(wait_xdr_report): 
	reference the new alert_t plugin member.
	

	* src/prelude/write-func.c (write_raw_report): 
	(writev_raw_report): update to use the new alert_t plugin member.

	* src/prelude/rqueue.c (plugin_rqueue_report): 
	(prelude_rqueue_report): set the alert->plugin member to
	a locally declared plugin (prelude_core_plugin).

	* src/plugins/reports/xmlmod/xmlmod.c (create_plugin_infos): 
	* src/plugins/reports/htmlmod/html.c (output_plugin_infos): 
	* src/plugins/reports/filemod/filemod.c (filemod_run): 
	* src/plugins/reports/execmod/execmod.c (execmod_run): 
	* src/libprelude/rxdr.c (xdr_alert): 
	* src/libprelude/alert-common.c (read_alert): 
	(alert_free): update to use the new alert_t plugin member.
	

	* include/alert-prv.h: instead of declaring plugin_generic_t
	member here, use a plugin_generic_t pointer. This make the
	code cleaner.

	* src/prelude-report/optparse.c (ip_optval): 
	Corrected a 2 bytes out of bound access (thanks
	to Electric Fence). The code was assuming the kind
	and length bytes of the option were still in the buffer.

	* configure.in: 
	* src/plugins/reports/xmlmod/Makefile.am: 
	* src/plugins/reports/xmlmod/xmlmod.c: 

	Big change : revert to not using libxml, as it involve
	several performance drawback for what we want to do that
	I don't want to deal with.
	
2001-06-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/reports/xmlmod/xmlmod.c (xmlmod_run): 
	(create_xml_document): use xmlNewDocRawNode.

	* src/plugins/reports/xmlmod/Makefile.am (xmlmoddir):
	New xmlmod plugin, convert a report to XML.
	This will serve as a future replacement to htmlmod
	when combined to a stylesheet.

	* src/plugins/reports/Makefile.am (SUBDIRS): 
	include the xmlmod subdirectory.

	* prelude-report.conf: 
	Add default config for the new xml reporting plugin.
	
	* configure.in: 
	Add an entry for the new xml reporting plugin.

	* src/plugins/reports/filemod/filemod.c (check_opts): 
	* src/plugins/reports/execmod/execmod.c (check_opts): 
	* src/plugins/reports/htmlmod/htmlmod.c (check_opts): close
	the config file on error.
	Also, fix a bug in some of those functions where the plugin
	would be disabled, if the enable flag was set on the command
	line *and* in the config file.
	
	* src/plugins/reports/htmlmod/html.c: 
	cleanup the mess.
	(create_detailled_report): divided into several function.

	(output_hexdump): new function, also, escape "<", ">", 
	and "&" character that were handled by the browser, even
	inside a <pre> tag. (So the report isn't screwed anymore
	when payload is html).
	
	(output_pktdump): new function.
	(output_report_infos): new function.
	(output_plugin_infos): new function.

	* src/prelude/rsave.c (backout_existing_report): 
	new function.

	* src/prelude/protocol-plugins.c (protocol_plugins_run): 
	return an integer (the len of the handled part of the payload),
	also, break as soon as a protocol plugin that can handle the
	payload is found.
	(protocol_plugins_run): Initialize ret, cause the list
	could be empty.

	* src/prelude/packet-decode.c (SliceAndStoreDataPkt): 
	Run the protocol plugins.

2001-06-11  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/prelude.c (main): use do_init_nofail
	macros for loading of protocol plugin, we don't want
	to exit if this subsystem fail.

	* src/libprelude/include/common.h (do_init_nofail): 
	new macros (do not exit in case of failure).

	* src/prelude-report/report-plugins.c: 
	Some cleanup.
	
	(report_plugins_init): Issue a warning and return -1
	if no plugin were loaded.


	* src/prelude/include/rqueue.h (prelude_do_report): 
	(plugin_do_report): initialize the report member to
	NULL. Good catch, by Jeremie Brebec <brebec@enseirb.fr>

	* src/prelude/rsave.c (setup_fd): Create the target
	directory if it doesn't exist (we don't want to fail
	here).

2001-06-11  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet-decode.c (SliceAndStoreTcpPkt): 
	* src/prelude/rqueue.c (determine_alert_kind): 
	Disable tcp stream for the moment, it's not ready.

	* src/prelude/ip_fragment.c (ip_frag_destroy): 
	(ip_frag_reasm): release packet.
	(ip_frag_create): lock packet.

	Lock the initial fragmented packet.

2001-06-07  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/include/plugin-protocol.h: 
	run function for this plugin return an integer.
	The plugin_protocol_t structure also contain a list of detection
	plugin.

	* src/prelude/protocol-plugins.c (plugin_subscribe): initialize
	the list that contain detect plugin for this protocol plugin.
	(protocol_plugins_run): use plugin_run_with_return_value() macro.
	If a protocol plugin return 0 (which mean it could handle the payload),
	start the detection plugin associated with this protocol plugin.
	(protocol_plugins_search): New function, search for a protocol plugin
	that can handle passed in protocol.

	* src/prelude/detect-plugins.c (register_to_plugin_provided_protocol): 
	New function, search a protocol plugin that handle the protocol
	specified by the detect plugin. Associate the detection plugin 
	to the protocol plugin if found.
	(register_to_internal_protocol): renamed.

	* include/proto.h: added p_external to the protocol enumeration.
	This is to be used to specify a protocol plugin.

	* src/libprelude/include/plugin-common-prv.h (plugin_run_with_return_value): 
	new macro, permit to get the plugin_run function return value.

2001-06-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/include/detect-plugins.h: move the content
	of this header to plugin-detect.h. Removed.

	* include/packet.h: Add a refcount member,
	and two member containing data and tcp depth.

	* src/prelude/capture.c (pktalloc): 
	(setup_capture_from_device): Use malloc, stop using recycler here.

	* src/libprelude/plugin-common.c (plugin_request_new_id): 
	new function that return a valid, not used, plugin identity.

	Many change in this commit, we stop using recycler because of
	the locking issue they bring and the little, almost non-existent
	performance improvement they bring. We'll see for reinclusion later.
	Some cleanup.
	
2001-05-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rqueue.c (plugin_rqueue_report): 
	(prelude_rqueue_report): if alert kind is guess,
	check if the packet is part of a known stream.

	* src/plugins/detects/rules/rules.c: use the guess
	alert kind.

	* include/alert.h (enum): new kind of alert : guess,
	which will use the tcp_stream provided mechanism to test
	if the stream is known.

	* src/prelude/tcp-stream.c: completely reworked the tcp
	stream reassembler... This one should now work and fix 
	all leak. It also implement its own hash table (inspired
	from tcpdump one) instead of hostdb in order to gather
	connection in duplex ( src / dst in the same entry whether
	they are reversed or not).

2001-05-24  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/optparse.c (option_is_set): new function
	check if a given option is in the option buffer.
	Return 0 on success, -1 on error.

	* src/prelude/hostdb.c (host_free): renamed host_del
	to host_free() as it make more obvious what this function
	does.
	(hostdb_del): call packet_release before calling host_free().

2001-05-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/tcp-stream.c (tcp_stream_is_known): 
	new function, tell if the current tcp packet is part 
	of a tcp stream.
	(sequence_match_current_packet): 
	(sequence_match_new_packet): 
	New function.

	* src/prelude/recycler.c 
	(RecyclerLockChunk): Decrease the semaphore count. 
	(RecyclerReleaseChunk): Increase the semaphore count.
	(RecyclerGetChunk): Wait for the semaphore count to be positive,
	but don't decrease it when sem_wait() return.

	* src/prelude/include/recycler.h: declare recycler_get_chunk_nowait()
	here.

	* src/prelude/recycler.c (RecyclerGrow): got rid of an
	unused variable.

	* src/plugins/detects/scandetect/scandetect.c (new_cnx): 
	don't lock the packet here anymore.
	(expire_cnx): ditto.
	(_cnxInfo ): don't need to carry a pointer to the packet
	anymore.

	* src/prelude/ip_fragment.c (ip_frag_create): don't
	lock the packet anymore, as hostdb is doing it for us.
	(ipq_kill): ditto.
	(ip_frag_reasm): ditto.

	* src/prelude/hostdb.c (hostdb_new): now take the
	packet_container_t argument and manage locking it.
	(hostdb_del): release the packet when refcount is 0.

	* src/prelude/tcp-stream.c: still working on tcp stream
	reassembly... The core should now be stable, and it's 
	cleaner.

	* src/prelude/prelude.c: include pcap.h to avoid warnings.

	* src/prelude/packet-decode.c (SliceAndStoreTcpPkt): 
	call tcp_stream_store().

	* src/prelude/tcp-stream.c: start of TCP stream reassembly code.
	We don't reassemble the whole data yet, but it will be easy.

	There is some problem with using the hostdb hash table for this stuff,
	and we end up having duplicate entry. Whole goal would be to make hostdb
	generic enough to be able to handle this.

2001-05-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/ip_fragment.c (ip_frag_queue): return an int.
	(ip_frag_queue): remove the err: goto, and replace it with
	return -1. return 0 on success.

	(ip_frag_reasm): don't kill ip queue here in case of error.
	
	(ip_defrag): check the ip_frag_queue /ip_frag_reasm return value, 
	kill queued entry on any error.

	This fix a leak on fragmentation attack detection.
	
2001-05-04  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* include/nethdr.h: add missing compatibility header.
	* Modify the whole sources to use the new type.
	
2001-05-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/reports/htmlmod/html.c (create_detailled_report): 
	use report infos provided kind.

	* src/prelude-report/report-infos.c (get_cleartext_alert_kind): 
	new function, return a readable kind for the current report.

	* src/prelude/rqueue.c (rqueue_init): new function,
	create the Report Queue recycler.

	* src/prelude/prelude.c (main): call decode_init()
	here. (main): call rqueue_init().

	* src/prelude/packet-decode.c (decode_init): use
	MAX_PKTINUSE for recycler creation.

	* src/prelude/capture.c (capture_start): don't call
	decode_init() here.

	* src/prelude/async-write.c: remove the MAX_IO limit.
	This limit is now achieved in rqueue.c when there is no
	more free chunk in the recycler.

	* include/packet.h (MAX_PKTINUSE): define the maximum 
	number of packet that can be locked simultaneously in 
	Prelude. (Attack Detection / Alert reporting).

	* src/plugins/reports/execmod/execmod.c: new plugin
	that execute a given program with a report as argument.
	[untested].


2001-04-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/include/rules.h: Remove rules_t type
	which is redundant with rule_t. Include a list member
	to rule_t.

2001-04-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/rules_parsing.c: 
	* src/libprelude/include/rules-variable.h (variable_unset): 
	* src/libprelude/rules-variable.c:

	Move the variable code to its own file, cause this is 
	generic code and is much cleaner.

2001-04-24  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* too many changes to list,
	  we do not use memcpy to copy the packet anymore,
	  we furnish a patched version of libpcap that allow Prelude
	  to use its own packet memory management.

	  This avoid us a lot of recycler hack,
	  and this represent a BIG performance gain.

2001-04-20  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/capture.c (search_datalink_handler): 
	Add DLT_LOOP, and DLT_RAW to the list.

	* src/prelude/packet-decode.c (SliceAndStoreRawPkt): 
	New function, for PPPOE handling.

	* src/prelude/capture.c (search_datalink_handler): 
	Print the datalink type as an integer.

2001-04-19  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet-decode.c (SliceAndStoreIcmpPkt): 
	Better ICMP handling.
	When handling ICMP unreachable code, also decode
	associated IP header/available data.

	* src/plugins/detects/rules/rules.c: subscribe to
	all protocol.
	(_r_parse_rules_file): redesign parser to be more
	modular / readable.
	Each keyword has its own function.

2001-04-07  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Merged back prelude_0_3 stable branch into HEAD.

2001-04-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet-decode.c (handle_ip_fragment): 
	(SliceAndStoreIpPkt): move the fragment handling
	part in another function.
	(SliceAndStoreIpPkt): check the option before any
	fragment operation.

	* include/packet.h (struct __tcphdr): 
	(struct __iphdr): 
	Snapend member is unused.
	
	* src/plugins/reports/htmlmod/htmlmod.c: 
	complete re-work, should fix almost all problem there
	was with the previous plugins.
	
	Also, we now use a symlink to point to the latest report
	which avoid us to move generated file around...
	this also make counting the number of report directory 
	at init time a O(1) operation, not O(n), 
	thanks to Renaud Chaillat <rino@mandrakesoft.com> for this idea.
	
	* src/plugins/reports/htmlmod/Makefile.am : 
	* src/plugins/reports/htmlmod/html.c: 
	* src/plugins/reports/htmlmod/html.h: 
	Move all code responsible for HTML code generation
	to html.c.

	* src/prelude-report/prelude_report.c (cleanup): 
	reset the signal to its default behavior before
	anything else.

2001-04-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/server.c (is_unix_socket_already_used): 
	(unix_server_start): This should now handle the case where
	a UNIX socket already exist on filesystem but isn't used.

	* src/prelude-report/ssl_register_client.c: 
	(wait_connection): 
	(send_own_certificate): 
	(wait_certificate): 
	(ssl_register_client): 
	BIG cleanup, divided into several function.

	* src/libprelude/ssl_gencrypto.c (get_full_hostname): 
	new function.
	(add_DN_object): default name for certificate is the
	full machine name.

	* src/plugins/reports/htmlmod/htmlmod.c (html_run): 
	handle case where there is no more disk space.

	* src/prelude/rsave.c (sendfile_send): fix a typo.
	(sendfile_send): cast st.st_size to size_t.

2001-04-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/reports/htmlmod/htmlmod.c (write_host_infos): 
	don't gather packet information ourself, use the information
	provided in the report_infos structure.

	* src/prelude-report/report-infos.c (arp_dump): use inet_ntoa.
	(create_pktdump): fill sport / dport / saddr / daddr.

	* src/plugins/reports/htmlmod/htmlmod.c (write_host_infos): 
	use report_infos structure. Do not take a Packet_t argument,
	but a report_infos_t argument.
	(update_host_index): Suit write_host_infos changes.

	* src/prelude-report/include/report-infos.h: sp and dp
	are uint16_t.


2001-04-15  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rwrite.c: removed writing function
	from there, use function now provided in write-func.c

	* src/prelude/rsave.c (backup_report): 
	use writev_raw_report().

	* src/libprelude/alert-common.c (do_read): 
	use socket_read_nowait().
	(read_alert): use socket_read() for the first read call.
	(alert_read): protocol and len member are now written in
	two time, adapt read call.

	* configure.in (enable_sendfile): oops, 
	HAVE_SENDFILE was never defined.

	* src/libprelude/socket-op.c (do_socket_read): 
	(socket_write): 
	oops fix a bug where errno was set to EINTR
	but was checked even when read was returning 0.
	This was causing an endless loop.

2001-04-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/alert-common.c (read_alert):
	* src/prelude/rwrite.c (write_raw_report): 
	* include/alert-prv.h (alert_message_len): 
	* src/prelude/rqueue.c (prelude_rqueue_report): 
	(plugin_rqueue_report): 
	Don't write more than what is needed.

	* include/packet.h (struct __iphdr): 
	(struct __tcphdr ): opts_len should not be unsigned.

	* src/prelude/packet-decode.c (SliceAndStoreNullPkt): 
	don't call incr_depth (we don't stock anything about this
	layer).
	(SliceAndStorePppPkt): ditto.
	(SliceAndStorePppBsdosPkt): ditto. 
	(SliceAndStoreFddiPkt): ditto.

	* src/prelude/pconfig.c: no need to include pcap.h here.

	* src/prelude/capture.c: use poll() instead of select(),
	that avoid us set management...
	capture function share more code.
	commented public function.
	

2001-04-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rwrite.c (rwrite_write): if there is an error
	writing the report, send the PIPE signal to the main thread
	anyway.

	* src/libprelude/socket-op.c (socket_write):(do_socket_read): 
	cast buf to unsigned char (pointer arithmetic not allowed
	on pointer to void).

	* src/prelude/rqueue.c (prelude_rqueue_report): 
	move the vsnprintf call out of the report_new() func.

	* src/plugins/reports/htmlmod/htmlmod.c :
	use PATH_MAX, not NAME_MAX.
	(plugin_init): create the default HTML page if
	symlink does not exist.

	* src/prelude-report/report-infos.c (tcp_dump): 
	(tcp_dump): use %ld in snprintf for seq/ack.

	* include/nethdr.h: include sys/types.h

	* src/prelude/packet-decode.c (SliceAndStoreIgmpPkt): 
	(SliceAndStoreIcmpPkt): use portable structure name.

	* src/prelude-report/report-infos.c: 
	* src/prelude/hostdb.c: 
	* src/prelude/ip_fragment.c:
	Correct header inclusion.
	
	* src/prelude-report/cnx.c: 
	* src/prelude/rwrite.c: 
	* src/libprelude/rxdr.c:
	include rpc/types.h

	* include/nethdr.h: 
	* include/packet.h: 
	all needed header for portable network compilation
	should go in nethdr.h

	* src/prelude-report/server.c (inet_server_start): 
	call auth_init() here.

	* src/prelude-report/cnx.c (setup_connection): 
	use socket_read/write_delimited().

	* src/prelude-report/auth.c (get_account_infos): 
	use socket_read_delimited().
	(separate_string): avoid un-necessary strlen() call.
	(cmp): cleanup.
	(auth_check): use socket_write_delimited.

	* src/prelude/rsend.c (setup_connection): 
	read / write config_string function were renamed...
	(do_connect): oops, auth_init / auth_client call was
	not ok.

	* src/prelude/auth.c (write_auth_infos): cleanup, use
	socket_write_delimited.
	(read_auth_result): use socket_read_delimited(),
	we do not need a so large buffer.

	* src/libprelude/socket-op.c (do_socket_read): new function.
	(socket_read): use do_socket_read().
	(socket_read_nowait): new function, use do_socket_read().
	(socket_read_delimited): renamed from read_config_string.
	(socket_write_delimited): renamed from write_config_string.

	* configure.in: cleanup, check for some function
	in libnsl and libsocket for portability.

2001-04-11  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/auth-common.c (parse_auth_line): 
	use strtok instead of strsep, as strsep isn't ANSI.

	* configure.in: Version is 0.3b1
	* Merge stable change from head to prelude_0_3 branch.
	
2001-04-11  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/report-infos.c: define ARPOP_* and
	ARPHRD_* ourself, as it is not defined in many system.

	* src/prelude-report/optparse.c: define IPOPT_SECURITY
	and IPOPT_RA if not defined in common include file.

	* src/prelude/rsend.c (inet_connect): 
	use IPPROTO_TCP in setsockopt, not SOL_TCP (non standard).

	* src/libprelude/include/compat.h: 
	* src/libprelude/compat.c : new file.
	(getopt_long): provide a wrapper to getopt_long function
	if it is not present on this system.

	Include compatibility header where it's needed.
	Include in the build.
	
	* src/prelude/ip_fragment.c: 
	include netinet/in_systm.h

	* src/prelude/pconfig.c: 
	* src/plugins/detects/scandetect/scandetect.c: 
	* src/plugins/detects/debug/debug.c: 
	* src/libprelude/include/plugin-common.h: 
	do not include getopt.h, this is not a standard header,
	and this have nothing to do here.

	
	* src/prelude-report/optparse.c (tcp_optval): 
	* src/libprelude/include/extract.h:
	use uint32_t instead of u_int32_t.

	* include/packet.h: 
	include sys/socket.h, net/if.h

	* configure.in: check for getopt_long.

2001-04-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/socket-op.c: new file.
	(socket_read): read as many byte as requested or die.
	(socket_write): write as many byte as requested or die.
	(read_config_string):
	(write_config_string): 

	* src/prelude/rwrite.c (write_raw_report): 
	use a macro that check the return value of
	the write() call for us. It make the code much more readable.

	* src/prelude/rsend.c (set_options): new function.
	(setup_connection): divide in two function.
	(setup_connection): use the new function call
	read_config_string / write_config_string.

	* src/libprelude/alert-common.c: 
	(read_alert): use a macro that check the return value of
	the read() call for us. It make the code much more readable.

	* src/libprelude/common.c: removed.
	* configure.in: cleanup.

2001-04-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rqueue.c (report_new): return -1
	when updating.

2001-04-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/ip_fragment.c: Use uint8_t.

	* src/prelude/hostdb.c: 
	* include/packet.h: added missing include in_systm.h 
	for BSD kind system.

	* src/libprelude/plugin-common.c: getopt.h isn't
	a standard header... getopt() function should be
	defined in unistd.h

	* src/libprelude/ssl_gencrypto.c: include e_os.h
	in order for this to compile with OpenSSL 0.9.5.

2001-03-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/ssl_gencrypto.c (ssl_gen_crypto): 
	* src/libprelude/ssl_registration_msg.c (save_cert):

	Set umask before creating the certificate / creating the key.
	This is a workaround because of our lack of knowledge about
	a BIO function that would permit to set permission.
	We use umask instead of chmod() to avoid a potential race
	(window of time where the destination file would be readable
	by all). I also put a FIXME for this issue.

2001-03-29  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: 
	bump version to 0.3.

	* src/plugins/reports/htmlmod/htmlmod.c (create_link_if_needed): 
	use a relative path.

	* src/prelude-report/server.c (wait_connection):
	call report_server_close() on return.
	
	(report_server_close): new function, 
	close server socket.

	* src/prelude/rsave.c (backout_report): set fd to -1
	after a backout. Return -1 if fd is not valid 
	(and do not try anything).

	* src/prelude/rsend.c (setup_connection): cleanup.

2001-03-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/cnx.c (wait_xdr_report): 
	set the packet member after the memset.

	* src/prelude/rwrite.c (rwrite_write): 
	* src/prelude/async-write.c (flush_aio_queue): 
	unlock the packet and free the alert here not
	in rwrite_write().

	* src/prelude/rsave.c (save_report): forgot
	to write some member of alert_t to filedes.

	* src/prelude-report/cnx.c (wait_xdr_report): oops.

	* src/prelude-report/report-infos.c (report_infos_get): 
	set date_end member to NULL if there is no ending date.

	* src/plugins/reports/htmlmod/htmlmod.c (create_dir): 
	don't return an error if errno is EEXIST.

	* src/plugins/reports/sysplug/sysplug.c: use rinfo
	pre - decoded date.

	* src/prelude/pconfig.c (pconfig_set): 
	(configure_port): 
	(configure_address): 
	* src/prelude-report/pconfig.c: 
	(configure_listen_port): 
	(configure_listen_address): 

	Fixed bug reported by Jeremie Brebec <brebec@enseirb.fr>
	related to data in the prelude config file never being
	read.
	
	* src/prelude-report/cnx.c (wait_raw_report): pass an
	alert_t to report_infos_get, not a packet.

	* src/prelude-report/report-infos.c (report_infos_get): 
	* src/prelude-report/include/report-infos.h (report_infos_get): 
	Now take an alert argument.
	Convert the start / end time_t into date here cause the ctime()
	function is expensive.
	
	* src/prelude-report/optparse.c: remove \n from string.

	* src/prelude/timer.c (wake_up_timer): removed a
	debugging printf.

	* src/prelude/recycler.c (RecyclerIsLocked): return
	the current refcount for this chunk.

	* src/prelude/detect-plugins-api.c (packet_release):
	(packet_lock): 
	Cleanly deal with the recycler refcount.
	Document those functions.

2001-03-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/rxdr.c (xdr_ip): en/de code ip_hl
	member.

	* src/prelude/capture.c (capture_from_single_device): 
	put back our filedes in our set on timeout.

	* src/prelude/ip_fragment.c (ip_defrag): never
	call ip_frag_destroy() directly, call ipq_kill().
	We were leaking a timer on some very special case,
	resulting in an assert later when walking the timer
	list.

2001-03-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/reports/htmlmod/htmlmod.c (html_run): 
	use the .html extension.

	* src/prelude/packet-decode.c (decode_init): maximum data size
	was determined using snaplen. This is wrong, and was resulting
	in a crash on big defragmented packet.
	Maximum defragmented packet size is 65535 bytes, 
	use this size for now.

2001-03-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/plugin-common.c 
	(plugin_get_opts): 
	some version of getopt were crashing on this...
	always set a default argv when argc is 0.

	(plugin_set_args): 
	Set help_flag to 1 if argc && argv are NULL.
	
	* src/prelude-report/pconfig.c: removed -x (--use-xdr) 
	flag from prelude-report, it now turns on XDR if Prelude client
	requests it.

2001-03-23  root  <yoann@mandrakesoft.com>

	* src/prelude-report/cnx.c (setup_connection): check errno.

2001-03-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rwrite.c: 
	* src/prelude/rsend.c (setup_connection): 
	* src/prelude-report/cnx.c (setup_connection):
	start to implement XDR negotiation, should now be able
	to compile without XDR.
	

2001-03-22  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rsend.c: move the writing part of the
	interface to rwrite.c.

	(setup_connection): 
	* src/prelude-report/cnx.c (setup_connection): 
	implemented SSL negotiation between
	client and server. (XDR negotiation to come soon).

	* src/prelude/rsave.c: completely rewritten (but not
	finished). Also, use sendfile under linux when doing
	the backout (this permits us to benefit from zero copy).

	* src/prelude/pconfig.c (pconfig_set):
	* src/prelude-report/pconfig.c (pconfig_init): 
	* src/prelude/pconfig.c (print_usage): 
	added the -n (--not-crypt) option usable with -c in
	order to not crypt the private key.

	* src/prelude/rwrite.c (rwrite_write): 
	use the kill function to send a SIGPIPE to our parent
	when write returns EPIPE.

	* src/prelude/async-write.c (aio_thread): 
	block the SIGPIPE signal.

	* src/libprelude/include/ssl_gencrypto.h (ssl_gen_crypto): 
	* src/libprelude/ssl_gencrypto.c (ssl_gen_crypto): 
	add a crypt argument that specifies if the private key
	should be crypted or not.

	* configure.in: check for XDR.

2001-03-20  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/reports/sysplug/sysplug.c (check_opts): 
	added options checking.

	* src/prelude-report/include/report.h: include
	config-engine.h

	* src/prelude-report/cnx.c (wait_raw_report): set the
	packet member.
	(wait_xdr_report): ditto.

	* src/plugins/reports/htmlmod/htmlmod.c (create_index): 
	set offset at 0 when we create index.
	Also corrected some of the table usage, thanks to the
	help of Odile Darmet <o.darmet@netdev.net>
	Renamed some function name.

	* prelude.conf (htmldir): add a default entry
	for HtmlMod.

	* src/prelude-report/ssl_register_client.c (ssl_register_client): 
	get listening port from prelude report own config.

	* src/prelude/ssl_register.c (ssl_add_certificate): 
	output a little more user friendly.
	(ssl_add_certificate): use Prelude config provided
	address and port.

	* src/prelude-report/pconfig.c: 
	* src/prelude/pconfig.c (pconfig_set): 
	Error message when trying to create / wait certificate
	and report address is not set or is UNIX.
	Use port 5554 as a default. Set report addr to "unix"
	as default.
	
	* src/libprelude/ssl_config.c:
	(ssl_read_config): Prelude and Prelude report should
	use their own config structure for getting report server
	address / port.

	* src/libprelude/ssl_gencrypto.c (add_DN_object): use
	sizeof.
	(add_DN_object): cleanup.
	(prompt_info): ditto.

	* src/libprelude/ssl_config.c (ssl_get_cert_filename): 
	remove debugging message.

	* src/prelude-report/cnx.c (handle_inet_connection):
	free (from) on authentication failure. Also be verbose
	about authentication.

	* src/libprelude/rxdr.c (rxdr_encode): removed
	a debugging printf.

	* src/prelude-report/pconfig.c: missing break.

	* src/prelude-report/cnx.c (wait_raw_report): 
	(wait_xdr_report): divide wait_cnx into 2 different functions.

	* src/prelude-report/include/plugin-report.h :
	new macro to access plugin_report_t member.

	* src/prelude-report/report-plugins.c (report_plugins_close): 
	new function, close all report plugins.

	* src/prelude-report/prelude_report.c (cleanup): call
	report_plugins_close().
	(main): ditto.
	(main): don't use the do_init macro to check the return
	value of report_server_start... this fixes the bug where
	prelude_report exited before unlinking the UNIX socket.

	* src/prelude-report/pconfig.c (print_help): new
	function, also call plugins_print_opts().
	call plugin_set_args() on -h option and -m option.
	call config close...

	* src/prelude-report/cnx.c (read_alert): read all
	new alert members.
	(free_alert): free new member.

	* src/prelude/include/plugin-detect.h: new macro
	to access the plugin_detect_t structure.

	* src/prelude/include/detect.h: commented,
	also include config-engine.h.

	* src/prelude/rsend.c (write_raw_report): write new
	information members.

	* src/prelude/rqueue.c (prelude_rqueue_report): fill
	all the alert information members.
	(plugin_rqueue_report): ditto.

	* src/plugins/* : modified all plugins to have consistent
	configuration options.

	* src/libprelude/include/plugin-common.h: new macro
	to access the plugin_generic_t structure that also fill
	the size of the set member...
	(PLUGIN_GENERIC): now contain a size member of each 
	char * member...

	* src/libprelude/plugin-common.c (plugin_register): if
	the register callback is not set, just return 0.
	(Normal case for plugin to print help).
	(plugins_print_opts): now take a dirname argument,
	load all plugin from this directory...
	plugin then call the new plugin_get_opts() function
	to get their argument and react accordingly (in this
	case argument list must contain the --help arg).
	(get_plugin_opts): new function, parse the argument list
	in order to gather the argument of one plugin identified
	by pname.
	(plugin_get_opts): new function, that give access to
	the plugin to its argument list.
	(plugin_set_args): called by the program configuration
	stuff if the help option is found or if the start of plugin
	option is found....

	* src/libprelude/config-engine.c (config_set): add
	missing variable.

	* include/alert-prv.h: add all possible information
	about plugins, also add a size member for each of these.
	define macro to access the alert structure and to access the
	len of a given member...

2001-03-19  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/config-engine.c (config_close): check
	if content is not NULL before calling free_file_content...
	This avoids a NULL pointer dereference on close if the file :
	- was created on open.
	- nothing was written to it.
	(config_set): only set the need_sync flag if the file operations
	were successful.

2001-03-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/reports/htmlmod/htmlmod.c:
	Thanks to Odile Darmet <o.darmet@netdev.net> for her help
	in correcting HTML output, and making it nicer.
	bugfix and cleanup.

	* src/prelude-report/include/plugin-report.h: 
	
	* src/prelude-report/server.c: 
	(wait_connection): cleanup.
	(wait_connection): use the handle_connection() function 
	pointer (that prevent us to check if we're on UNIX / INET
	socket everytime).

	* src/prelude-report/report-plugins.c (report_plugins_run): 
	pass the report infos structure.

	* src/prelude-report/prelude_report.c (main): 
	remove the UNIX socket if the report_server_start
	function return...
	

	* src/prelude-report/cnx.c (read_raw_report): 
	handle error better.
	(decode_alert): if 0'ed out some memset that shouldn't
	be needed anymore.
	(wait_report): use the new report_infos_* interface,
	pass the rinfo structure to plugins.
	(wait_report): don't call xdr_destroy here...
	(handle_inet_connection): do it here...
	(get_sock_addr): new function to get connecting address.
	(handle_inet_connection): 
	(handle_unix_connection): log connection opening / closure.

	* src/prelude/pconfig.c (print_usage): better explanation
	of how to set the -s (snaplen) option.

	* src/prelude/packet-decode.c (_get_chunk):
	lock chunk if packet is already locked.
	(SliceAndStoreDataPkt): only verify snapend if
	frag_ptr is NULL. (snapend is not valid
	anymore when processing a packet we reassembled).
	(SliceAndStoreDataPkt): packet data len now equal
	sizeof(PktData_t) + caplen... (which is always < than snaplen).
	(SliceAndStoreIpPkt): if we are processing a fragment, don't
	try to analyze header beyond IP.
	(decode_init): Size of a data recycler element is now
	sizeof(PktData_t) + snaplen.

	(SliceAndStoreIcmpPkt): BSD icmp structure is 28 bytes long,
	when setting size of the structure, tell it is 8 bytes.

	* src/prelude/ip_fragment.c: several cleanup.
	corrected some wrong alert... added one.
	(ip_frag_reasm): directly set structure member instead
	of casting data...

	* include/packet.h (struct): data isn't statically set
	to 2500 anymore... allocate it depending on snaplen.

2001-03-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/reports/htmlmod/htmlmod.c: finished...
	now makes eye candy reports, and should be safe on
	Prelude Report restart...

2001-03-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Added the fsmod and htmlmod reporting module,
	- fsmod is for generating report using directly your 
	filesystem hierarchy, it could easily be used by external
	program (like cgi) that would generate dynamically any kind
	of user readable report.

	- htmlmod, which create html report.
	
	* src/plugins/detects/scandetect/scandetect.c (expire_cnx): 
	Don't release the packet here, 
	as it will be re-locked because of async IO.

	* src/prelude/rsend.c (_write_raw_report): send the
	description too.

	* src/prelude-report/cnx.c (read_raw_report):
	read description size, alloc the description member,
	read the description data.
	(free_alert): free description if present.

	* src/plugins/reports/sysplug/sysplug.c: 
	removed unneeded code.
	(_log): removed.
	(sysplug_run): use fprintf.

	* src/prelude/detect-plugins-api.c (packet_release): 
	don't release the packet if it isn't locked...
	(packet_lock): don't lock the packet if it is already
	locked.

2001-03-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rqueue.c (rqueue_generic): don't lock the
	packet here... the plugin has to do it by itself.

	* src/plugins/detects/scandetect/scandetect.c (expire_cnx): 
	don't release the packet here... it will be done after it is
	written.

2001-03-12  Jeremie Brebec / Toussaint Mathieu

	* Added secure communication plugin system into prelude.
	These plugins have to secure the communication between 
	prelude and the prelude-report.
	* a ssl plugin using it, based on OpenSSL library. 
	
2001-03-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/recycler.c: comment the sources.
	Removed un-necessary check.
	* src/prelude/include/recycler.h:
	Made some function be macro.

2001-03-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* configure.in: bumped version to 0.2

	* src/prelude-report/server.c (get_sock_addr): cast
	our sockaddr_in structure to sockaddr, this fix the
	wrong reported address problem.
	(wait_cnx): put back the code to serve > 1 Prelude
	client.

	* src/prelude/pconfig.c (pconfig_set): added 'a' to
	the getopt_long optstring.

	* src/prelude/packet-decode.c (_get_chunk): 
	(verify_depth): fix a warning.

	* src/prelude/timer.c: 
	* src/prelude/hostdb.c: 
	added gtkdoc format style comment.
	
	* src/prelude/include/async-write.h:
	* src/prelude/async-write.c (_add_aio_item): made
	this function void.
	(async_write): ditto.
	added gtkdoc format style comment.

	* configure.in: check for gtkdoc, 
	also check for an user provided html output dir,
	create Makefile in the docs and docs/api subdir.

	* Makefile.am (SUBDIRS): added the docs subdir.
	

2001-03-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/auth-common.c (_auth_create_account): 
	Ooops, do not close fd if it is NULL.

	* src/prelude-report/cnx.c (is_endian_convertion_needed): 
	* src/prelude-report/pconfig.c: 
	* src/prelude-report/include/pconfig.h (__config_init): 
	* src/prelude/rsend.c (is_endian_convertion_needed): 
	(rsend_init): 
	(expire): 
	* src/prelude/include/pconfig.h:

	Add the -x (--use-xdr) option to Prelude and Prelude Report
	to set the report sending / receiving mode...
	this will be automated in the future...

	* src/prelude/pconfig.c (print_usage): 
	(pconfig_set): Added a --version (-v) option to dump
	the version number.

	* src/prelude/rsend.c (_write_func): free the alert and
	release the packet.

	* src/prelude/include/rqueue.h: the rqueue_t structure
	doesn't contain anymore the alert_t structure but a pointer
	to it.

	* src/prelude/rsend.c: (_write_report):
	removed this function as we don't need to duplicate
	the alert anymore.
	(rsend_emmit): directly call async_write().

	* src/prelude/rqueue.c (plugin_rqueue_report): 
	(prelude_rqueue_report): allocate an alert_t structure using malloc
	instead of using a statically allocated one used for each, same
	report. (We need this because the alert_t structure shouldn't be
	modified after we write it (and as we're using asynchronous write
	the write is delayed)).

	* src/prelude/async-write.c: the wqueue_t structure
	no longer exists. Renamed some functions to suit this change.
	(_add_aio_item): removed allocation of the wqueue_t item
	as we now have a list member in the alert structure itself.
	(_flush_aio_queue): Directly deal with the alert_t structure.

	* include/alert-prv.h: add a list member.

	Now we don't need to copy the alert anymore before
	adding it to the async IO queue.

2001-03-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Many changes, inclusion of Asynchronous Write of
	report (see async_write.c) integration with XDR reporting,
	Raw report reporting and backup solution.

	* Added the possibility to bypass XDR reporting by
	directly sending binary report. Code to detect the
	remote (Prelude-Report) machine type should come soon.

	* Cleaned up the whole autoconf mess, ensure that make
	dist and make distcheck work.

	* src/prelude/ip_fragment.c : Lock the whole packet
	else we will get wrong reporting.

2001-03-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rqueue.c: commented the module a little.

	* src/plugins/detects/scandetect/scandetect.c (do_report_if_needed):
	set report kind to normal.

2001-02-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rsend.c (inet_connect): turn the tcp Nagle
	algorithm off...

2001-02-11  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/ip_fragment.c (ip_frag_create): avoid
	a memcpy here, just lock the chunk using the recycler.
	(ip_frag_reasm): 
	the IPQ structure ip member is now a pointer.
	(ip_frag_reasm): when fixing the header of the new 
	IP defragmented packet, operate directly on the copied data.
	(ipq_kill): release the ip associated chunk.
	(frag_alloc_queue): kill this function.

2001-02-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/prelude.c (main): done some reordering
	in the module initialization.

2001-02-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/auth.c (get_account_infos): 
	unless the two first provided command are the username
	and the password, close the connection.

	* src/prelude/timer.c (wake_up_timer): commented
	debug stuff.

	* src/plugins/reports/sysplug/sysplug.c: 
	* src/libprelude/rxdr.c (xdr_alert): 
	* src/prelude/rqueue.c (rqueue_update): 
	(plugin_rqueue_report): 
	(prelude_rqueue_report): 
	* include/alert-prv.h: 

	Now dump the time between the start / end of
	a given attack...

	* src/* :
	more conversion to the new log macro.
	
	* src/prelude-report/cnx.c (do_read): 
	* src/prelude/rsend.c (_write): commented out debugging
	printf.

	* src/prelude-report/cnx.c (decode_alert): removed
	redundant message / check.

	* src/plugins/reports/sysplug/sysplug.c: 
	* include/alert-prv.h: 
	* src/prelude/rqueue.c:
	* src/prelude/rxdr.c :

	do not decode the date inside prelude, just
	store a time_t returned by time() inside the report 
	structure. Do the ctime() in sysplug.c.
	> 50 % performance improvement when making a report.
	(ctime() + strdup() were really taking too much time here).

	Next step is to suppress XDR conversion when making a report
	to an UNIX socket... this takes far too much time and isn't needed
	in this case.

	* src/libprelude/rxdr.c : put \n at the end of 
	log() macro call.

2001-02-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* TODO: updated.

	* src/libprelude/plugin-common.c :
	many changes, added the ability for a plugin to
	register itself which means a plugin (the .so) can
	now contain > 1 plugin. This is a needed change
	for plugin like auth/crypt.

	* src/prelude/rsend.c (rsend_emmit): oops, fixed
	a change I shouldn't have committed yet (ability
	to not translate report to XDR if we're using an
	UNIX socket).
	This fix should make Prelude work again.

	* include/print.h: removed.
	* src/libprelude/include/common.h: added the log macro.
	* src/* : Use the new log() macro everywhere.

	This fixes the issue where prelude was sending message
	to stdout / stderr, even in daemon mode.

2001-02-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* TODO: updated.

	* remove two unused file.
	* src/prelude/detect-plugins-api.c: remove obsolete prelude_GetDepth().
	* src/prelude/capture.c (capture_from_multiple_devices): cleanup.

2001-01-31  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/hostdb.c (search): slight optimisations.

	* src/prelude-report/pconfig.c (configure_listen_address): 
	* src/prelude/pconfig.c (configure_address): copy the
	returned value.

	* src/prelude/rsave.c (backout_report): 
	* src/prelude/rsend.c (_write_xdr): first arg should
	be (char *), not (void *)...

	* src/libprelude/config-engine.c (config_get): strip
	trailing white space at the end of the string.

	* src/prelude/daemonize.c :
	* src/prelude/include/daemonize.h :
	moved to libprelude.
	
	* src/prelude-report/prelude_report.c (main): if daemonize
	is set, start prelude_report as a daemon.

	* src/prelude/rsend.c (generic_connect): correct the error
	message.

	Also, fixed a lot of warnings.

2000-11-24  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet-decode.c (SliceAndStoreIpPkt): made
	it tail recursive.

	* include/alert-prv.h: set message to be maximum 1024
	character long.

	* src/prelude/rqueue.c: got rid of rqueue_init().

2000-11-22  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rsave.c (backout_report): modification
	to the report save module to fit report send interface
	modifications.

2000-11-20  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/rxdr.c : revert change from 4 days ago.
	
	* src/prelude/prelude.c (main): rqueue init function
	must be called before plugins one.

	* src/plugins/detects/debug/debug.c (_debug_run): remove
	unused variable i.

	* src/prelude/packet-decode.c (SliceAndStoreIpPkt): 
	plugins we run depend if we are in the main IP header,
	or in an encap IP header.

	* src/prelude/detect-plugins.c: add an ipencap plugins
	list.

2000-11-19  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/plugin-common.c (plugin_run): removed,
	now that each kind of plugin can have different arguments
	passed to their run function, each plugin specify their
	own run function prototype, and each kind-of-plugin module
	use the plugin_run macros, which is generic for all plugins.

	* src/libprelude/include/plugin-common-prv.h (plugin_run): 
	Added the plugin_run macro.

	* src/prelude/rqueue.c (rqueue_report): do not update
	queued report if kind is normal (report of normal kind
	aren't queued).
	(rqueue_report): set count to 1 before sending a report
	with a normal 'kind'.

	* src/libprelude/plugin-common.c (plugin_load_single): pass
	the current plugin_generic_t to add_plugin_entry().
	(add_plugin_entry): take a plugin_generic_t arg.
	(add_plugin_entry): set the plugin member.

	* src/libprelude/config-engine.c (config_open): set content
	member to NULL.

2000-11-17  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/report-plugins-api.c (switch_ethertype): 
	print the well known ethertype.

	* src/libprelude/rxdr.c: many changes, use xdr_opaque
	everywhere it is possible... encoding / decoding should
	now be much faster.

	* src/libprelude/plugin-common.c : many changes,
	now plugin_container_t contain 2 lists : 
	one to be registered internally (by the plugin-common module)
	the other to be registered externally (by other modules).
	also, it now contain a pointer on the entry of the 
	plugin (the parent of the container).

2000-11-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* include/packet.h: not arphdr, ether_arp.

	* src/plugins/detects/debug/debug.c: added the debug plugin.

	* src/prelude-report/report-plugins-api.c (igmp_dump): created,
	dump igmp header...

	* src/libprelude/plugin-common.c (plugin_load_single): change
	from RTLD_LAZY to RTLD_NOW to lookup all symbol at init time.

2000-11-15  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* TODO: updated.

	* src/libprelude/config-engine.c: more code cleanup.

2000-11-14  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/prelude.c (sighandler): ooops,
	missing include + typo fix.

	* src/libprelude/config-engine.c (config_get): don't
	return space, if present, at the beginning of the value.

	* src/prelude/rsend.c (inet_connect): correct a typo
	(inet_connect): return an error if connect fail.

	* src/plugins/detects/scandetect/scandetect.c (_check_opts): removed
	debugging printf.

	* src/prelude-report/pconfig.c : 
	* src/prelude/pconfig.c: update to use new configuration
	engine.

	* src/libprelude/include/config-engine.h: updated header.

	* src/libprelude/config-engine.c (config_open): ok,
	finished the new configuration stuff. Work but need
	cleanup.

	* src/prelude/pconfig.c (pconfig_set): 
	* src/libprelude/plugin-common.c (_plugin_set_opts): 
	* src/plugins/detects/scandetect/scandetect.c (_check_opts): 

	Do the bad work for the plugin, cleanup argc/argv before
	passing to it, that avoid the plugin to have to check if
	it is already parsing its own options.
	
2000-11-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/include/plugin-common.h (NEXT_PLUGIN_OPT): new define.

	* src/plugins/detects/scandetect/scandetect.c (_check_opts): updated.

	* src/libprelude/plugin-common.c (add_plugin_entry): created,
	add a new plugin_entry to the list all_plugin list.
	(plugin_load_single): call add_plugin_entry().
	(plugin_set_opts): created, set option for plugin designed by
	name.
	(plugins_print_opts): created
	(plugins_print_stats): created

	Now plugins are able to provide options.
	
	* TODO: updated.

	* src/prelude/prelude.c (sighandler): reset to default
	signal (was under #if 0).

	* src/prelude-report/auth.c (get_account_infos): oops,
	read auth infos on socket while we don't have an username
	and a password... 

2000-11-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/libprelude/plugin-common.c (plugin_print_stats_for_each):
	created, walk through a plugin container list, and dump stat
	for each plugin.

2000-11-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* Too many changes to list:
	basically cleaned up all the include mess,
	changed some function location to better place,
	make all components of prelude use the new plugin
	architecture.

	* src/libprelude/plugin-common.c (plugin_destroy): new function.
	created the plugin_entry_t private type, which contain handle for
	all plugins.
	(plugin_register): use list_add_tail.

2000-11-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/include/plugin-detect.h: 
	Define the new plugin_detect_t type, 
	to be used with new Plugin shared api.

	* src/libprelude/include/plugin-common.h: 
	* src/libprelude/include/plugin-common-prv.h: 
	* src/libprelude/plugin-common.c: 
	(is_a_plugin): 
	(generate_filename): 
	(plugin_load_single): 
	(create_container): 
	(copy_container): 
	(plugin_load_from_dir): 
	(plugin_register): 
	(plugin_run): 
	(plugin_dump_stats): 

	First attempt at sharing the plugins code between 
	Prelude and Prelude Report. Dedicated plugins structure
	member are hidden from the shared plugins function that
	use an abstract of the structure.

2000-11-04  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rsave.c (create_fd_if_needed): new function,
	create the backup file descriptor if it do not exist.
	(rewind_stream): new function, rewind a file stream by
	a specified amount of byte.
	(save_report): make the int argument const,
	also, if the second write fails, call rewind_stream()
	in order to not have a truncated report.
	(read_report): 
	(backout_report): cleanup.

	Lot of cleanup, better error handling, written some comment.

	* src/prelude/rsend.c: 
	(sigpipe_handler): handler for the sigpipe signal.
	(do_connect): new function, 
	connect to the report server of the right manner.

	(expire): call do_connect, don't reinit the rsend module.
	using a do { } while () loop make the code cleaner here.

	(rsend_init): set a signal handler for SIGPIPE,
	use do_connect()

	Lot of cleanup, written some comment.

	* src/prelude/include/rsave.h (backup_report): 
	* src/prelude/rsend.c (generic_connect): correct a typo.
	* src/prelude/rsave.c (read_report): some cleanup.

2000-10-31  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/server.c (generic_server): attach
	an handler to the SIGCHLD signal.
	(child_exit): function called when SIGCHLD is received.
	Call wait(NULL) in order to inform the parent that a child
	just exited.

2000-10-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/pconfig.c : 
	* src/libprelude/include/config-engine.h :
	* src/libprelude/config-engine.c: 
	* src/libprelude/Makefile.am (libprelude_la_SOURCES):

	completely rewritten the configuration engine, made
	that Prelude & Prelude Report use it.

2000-10-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	Too much change to list, basically,
	added authentication from prelude to prelude-report,
	prelude-report have better event logging,
	we use SOCK_STREAM for unix socket.
	Many cleanup...

2000-10-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* TODO: updated (pcap problem)

	* src/prelude/capture.c (setup_capture_from_device): 
	timeout for pcap set to 1000 ms.
	(capture_from_single_device): back to pcap_read.

2000-09-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/detects/scandetect/scandetect.c: 
	removed assert.
	(_cnxInfo ): kind is not const.
	(_cnxInfo ): no need for ip member anymore.
	(expire_cnx): free cnx->kind
	(new_cnx): take a kind argument
	(update_cnx): new_cnx take a kind argument.
	(create_cnx): ditto, do not set tmp->kind here,
	but in new_cnx, so when other function call new_cnx,
	the created structure have a kind member.
	Note: This plugin should be cleaned up.
	(plug_run): use an assert to check depth is OK.

	clean the mess a little.

	* src/prelude/detect_plugins.c (pluginInit): don't increase
	global plugins id counter in case of initialization failure.

2000-09-15  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/hostdb.c (hostdb_set_plugin_data): oops,
	increment refcount.

	* src/plugins/detects/scandetect/scandetect.c :
	adapt to hostdb interface change.

	* src/prelude/include/hostdb.h: 
	* src/prelude/hostdb.c: completely reworked, larger set of
	function which avoid making unneeded operation...
	all public function have prefix hostdb_.

2000-09-14  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/detects/scandetect/scandetect.c (kind_cnxInfo): 
	beautification.

2000-09-12  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rsend.c (__rsend_emmit): increment saved_report
	there too.

	* src/prelude/rqueue.c (rqueue_expire): update to reflect
	rsend.c change.

	* src/prelude/rsend.c (__rsend_emmit): made the function
	void.

	* src/prelude/rsave.c: set fd to NULL at init time.

	* src/prelude/rsend.c: tweaked a lot, made it cleaner.

	* src/prelude/rsave.c (backup_destroy): new function.
	(save_report): return number of character written for this 
	report (not including additional information).
	(read_report): cleanup, better error handling.

	* src/prelude/rsend.c (expire): update for rsave.c change. 

	* src/prelude/rsave.c (save_report): return the number
	of character written.

	* src/prelude/rqueue.c (__rqueue_report): commented
	(__rqueue_report): removed unneeded return.

	* src/prelude-report/Makefile.am (INCLUDES): 
	-I$(top_srcdir) for config.h

	* src/prelude-report/server.c :
	include config.h
	
	* src/prelude-report/server.c (HandleInetConnection): 
	don't try to use tcp wrapper if tcpd.h isn't there.
	use the tcpd_auth function.
	(tcpd_auth): new function, handle tcp wrapper authentication.
	return 0 on success, -1 if auth was denied.
	Only compiled if tcpd.h is present.

	* configure.in (LIBWRAP_PATH): add a check for tcpd.h

	* src/prelude/rqueue.c (__rqueue_report): If this
	is a normal attack, don't queue it.
	(__rqueue_report):
	(rqueue_update): 
	(rqueue_first): function don't need an alert_t argument,
	access the alert_t structure via item.
	(__rqueue_report): basic kind handling.

2000-09-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* CREDITS: added.

	* README: heavily modified.

	* src/plugins/reports/sysplug/sysplug.c: added another tab

	* src/libprelude/include/log.h: 
	* src/libprelude/log.c: 
	* src/prelude/include/rid.h: 
	* src/prelude/include/do_report.h: 
	* src/prelude/do_report.c: 
	* include/priority.h: deleted.

	* src/prelude-report/include/report_plugins.h:
	new macros to access the ReportPlugin_t structure.

	* src/prelude/include/detect_plugins.h:
	new macros, prelude_Pkt* aren't existing anymore,
	include inline version of PktLock & PktRelease here.

	* src/prelude/include/detect.h: 
	only used by detect plugins, define REPORTING_FUNC.
	include alert.h, do not include do_report.h & priority.h anymore.

	* src/prelude/include/daemonize.h (__daemonize): 

	* src/prelude/tcpip_options.c:
	* src/prelude/include/rqueue.h (__rqueue_report):
	* src/prelude/rqueue.c (alert_set_date): new function.
	do not use the priority anymore, use kind.

	* src/prelude/packet_handler.c: 
	* src/prelude/ip_fragment.c: 
	use kind instead of priority for reporting.

	* src/prelude/detect_plugins_api.c: 
	removed __PktLock & __PktRelease from here.

	* src/prelude/detect_plugins.c (plugin_destroy): 
	(plugin_add): 
	(plugin_cpy): new private functions, cleaned up.

	* src/prelude/prelude.c (main):	
	* src/prelude/include/daemonize.h (__daemonize): 
	* src/prelude/daemonize.c (__daemonize): renamed function.

	* src/prelude/Makefile.am (prelude_SOURCES): 
	do_report.c not included anymore, s/packet_capture.c/capture.c/

	* src/prelude/packet_capture.c: renamed to capture.c

	* src/plugins/reports/sysplug/sysplug.c : do logging ourself,
	use new macros to access plugin structure.

	* src/plugins/detects/scandetect/scandetect.c (expire_cnx): 
	(plug_init): 
	* src/plugins/detects/nopsearch/nopsearch.c: Use
	new macros to access plugin structure.
	(do_report): do not set a priority, set a kind of report.

	* src/libprelude/rxdr.c (__rxdr_encode): 
	do not xdr encode / decode priority members.
	Just use kind members.
	Trying to get rid of 'depth', not encoded/decoded
	anymore.

	* src/libprelude/log.c: removed

	* src/libprelude/Makefile.am (libprelude_la_SOURCES): 
	do not compile log.c anymore.

	* include/alert.h (RID_PPPBSDOS_TRUNC): rid.h merged with
	alert.h. actually, we do not use priority_t, remove it.
	Include reporting function, they are small, so they better
	be inlined.
	Only compile reporting function if REPORTING_FUNC is defined.

	plugin_do_report and prelude_do_report merged to one function :
	__do_report(), new macros : plugin_do_report & prelude_do_report
	point on it.
	
	* src/libprelude/log.c (prelude_Log): removed debugging
	printf

	* src/prelude/Makefile.am (prelude_SOURCES): 
	renamed packet_capture.c to capture.c
	
	* src/prelude/prelude.c (main): 
	* src/prelude/daemonize.c (__daemonize): 
	* src/prelude/include/daemonize.h (__daemonize): 
	renamed function to __daemonize
	
2000-09-07  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/detect_plugins.c (__plugins_init): remove
	unnecessary test.

2000-08-31  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/report_plugins_api.c (tcpopt_dump): fix a typo.
	(tcpopt_dump): 
	(ipopt_dump): when an unknown option is found, print its value.

	* src/prelude-report/tcp_options.c (prelude_GetNextTcpOption): 
	* src/prelude-report/ip_options.c (prelude_GetNextIpOption): 

	On option parsing error, set opts_len to -1, so we don't try
	to parse next option anymore on next function call.
	Always return the current valid options value, not -1.

2000-08-30  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet_handler.c (SliceAndStoreAtmPkt): 
	(SliceAndStoreFddiPkt): 
	(SliceAndStorePppBsdosPkt): 
	(SliceAndStorePppPkt): 
	(SliceAndStoreNullPkt):
	All of these weren't adapted to use Recycler; that
	is now done.

	* configure.in: 
	* src/prelude/include/detect_plugins.h: removed all
	occurrences of prelude filter.

	* TODO: updated, removed the report save item :
	it is done, it works great.

	* src/prelude/rsend.c (InetConnect): 
	(UnixConnect): set sock to -1 when closing socket
	if connecting fails.

	* src/prelude/include/rsave.h:
	* src/prelude/rsave.c: 
	Provide two public functions :
	__rbackup_report(char *mem, int mlen)
	which saves a report (located in mem, of size mlen)
	in /var/spool/prelude/report.

	__rbackout_report(char *mem, int *mlen)
	which reads a report and its size and stores them
	respectively in the mem and mlen pointers.

	* src/prelude/include/timer.h: added some macros
	to access timer structure members. This is done for
	compatibility in case the structure changes.
	Make the actual timer_set_* defines use these macros.

	* src/prelude/rsend.c: removed some unused include file.
	report saving functions aren't there anymore, see rsave.c.
	(__rsend_emmit): use a prelude timer.
	(expire): new function, for timer expiration.
	Use the new __rbackup_report / __rbackout_report functions,
	provided by rsave.c

	* src/plugins/detects/match/match.c (plug_run): 
	Packet_t shouldn't be const anymore.

	* src/prelude-report/report_plugins_api.c (prelude_HexDump): 
	remove an unused variable.

2000-08-28  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/include/recycler.h: 
	* src/prelude/recycler.c (RecyclerIsLocked): new function.

2000-08-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/timer.c (__prelude_WakeUpTimer): print
	the execution time.

2000-08-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/do_report.c (prelude_do_report): 
	(plugin_do_report): don't copy the report here, now done in
	rqueue.c

	* src/prelude/rqueue.c (__rqueue_report): message is copied here.

	* src/prelude/detect_plugins.c (__plugins_run): no need to set
	p_end here anymore.

	* src/prelude/ip_fragment.c (ip_frag_reasm): oops,
	corrected a dumb bug which prevented correct IP defragmentation :
	advance our pointer while we copy data on the memory block pointed to.

2000-08-17  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/detect_plugins_api.c (prelude_PktAlloc): 
	(prelude_PktCpy): 
	(prelude_PktFree): use the err macros.

	* src/prelude/tcpip_options.c (VerifyOptions): do not set p_end here.

	* src/prelude/ip_fragment.c (ip_frag_create): set len to 0.

	* src/prelude/packet_handler.c (SliceAndStoreIpPkt): put the
	truncated IP check before the defragmentation.
	( IP len of a defragmented packet will always be > than caplen ).

	* src/prelude/ip_fragment.c (IPQ_HASHSZ): 1024 buckets.

2000-08-16  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/xdr_encode.c (xdr_packet): merge p_ip & p_ipencap
	case.

	* src/prelude/detect_plugins_api.c (prelude_PktCpy): set proto
	to p_ipencap not to p_ip when copying a pkt (with ip encapsulation).
	

2000-08-09  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* added missing copyright notice.

2000-08-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/include/timer.c:
	* src/prelude/include/timer.h: (timer_elapsed): renamed
	timer_get() to timer_elapsed, use a timeval struct passed
	as argument to store the elapsed time.

	in timer_t, 
	start_time renamed to start and is now a timeval structure.

2000-08-07  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/detect_plugins_api.c (prelude_PktCpy): added
	copy for ip encap.

	* src/prelude/hostdb.c (prelude_AddCnx): hash of 1024 positions.

	* Much work done on the report queue,
	  too much to list.

	* src/prelude/xdr_encode.c (xdr_packet): use one loop
	instead of two...

2000-08-04  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* include/detect.h: 
	* src/prelude/include/do_report.h (prelude_do_report): 
	* src/prelude/include/detect_plugins_api.h: 
	* src/prelude/Makefile.am (prelude_SOURCES): 
	* src/prelude/do_report.c: 
	* src/prelude/detect_plugins_api.c: moved prelude_do_report()
	and plugin_do_report() to do_report.[ch]

2000-08-03  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/report_communication.c (generic_connect): reuse 
	O_NONBLOCK.
	(SendReport): even when an error occurs, call rewind_xdr_stream().

	* src/prelude/ip_fragment.c (ip_frag_create): set timer expire to 1.

	* src/prelude/packet_capture.c (capture_from_single_device): 
	finished. 

2000-08-02  Yoann Vandoorselaere  <yoann@mandrakesoft.com>
	
	* include/proto.h: give minimum depth for depth_data & depth_ipencap.

	* src/prelude/detect_plugins_api.c: removed prelude_GetDepth from
	here, it is now inlined, in detect_plugins_api.h

	* src/prelude/packet_handler.c (SliceAndStoreIpPkt): do not
	inline this function, cause it can be called recursively if
	there is ip encapsulation.
	Take a proto_t argument which defines whether the current ip packet
	decapsulated is an ip header, or an ip header encapsulated in
	another one.
	(switch_ethertype): inline this one.

	* src/plugins/detects/match/match.c (plug_run): no getdepth
	needed here.

	* src/prelude/packet_capture.c (packet_capture_start): no
	need to FD_ZERO here.

	* src/prelude/timer.c (timer_init): removed the timeritem
	stuff which is not so useful.

	* src/prelude/include/timer.h: documented.

2000-08-01  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet_capture.c (listen_multiple):
	Try to do self documenting code...

2000-07-31  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* include/packet.h: 
	* src/prelude/ip_fragment.c (ip_defrag): 
	removed some warning...
	
	* src/prelude/packet_capture.c (PreludeCapture): restore the
	fds using its backup, instead of recalling FD_SET macros.

	* src/prelude/include/pconfig.h (struct ): use a linked
	list for devices listing.

2000-07-26  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/plugins/detects/nopsearch/nopsearch.c: use bytestring
	in order to optimize the comparison with packet data...
	This isn't finished, and the plugins do not work anymore.

2000-07-27  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/detect_plugins.c (__DetectPlugins_run): added
	plugins / pfr statistic gathering.

	* src/plugins/detects/nopsearch/nopsearch.c: finished.

2000-07-25  Yoann Vandoorselaere  <yoann@mandrakesoft.com>
	
	* src/prelude/detect_plugins.c (__prelude_InitDetectPlugins): set
	plugin id before copying the plugin in random category.

	* src/prelude/rsched.c (rsched_new): avoid memcpy here.

2000-07-24  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet_handler.c: add printing of the function
	to the verify_depth macros.

	* src/prelude-report/handle_connection.c (free_report): 
	(print_info): 
	* include/detect-report.h (struct): removed detect_proto
	related stuff : it is not used anymore.

	* src/prelude-report/xdr_decode.c (xdr_detectreport): 
	* src/prelude/xdr_encode.c (xdr_detectreport): 
	detect_proto was removed from DetectReport structure.

	* include/detect.h: removed hostdb macros, function
	can now be directly used, removed the prelude_do_report_async
	macros.

	* src/plugins/detects/match/match.c (read_conf): 
	* src/plugins/detects/scandetect/scandetect.c: 
	* src/plugins/detects/nopsearch/nopsearch.c: 
	* src/plugins/detects/ipfrag/ipfrag.c (plug_init): 
	* src/prelude/rsched.c (__rsched_auth): 
	* src/prelude/include/rsched.h (__rsched_auth): 
	sed s/DetectPublic_t/DetectPlugin_t/

	* include/detect.h: include priority.h

	* src/prelude/detect_plugins.c: do not include detect-prv.h,
	which does not exist anymore.
	(init_detect_plugin): 
	* src/prelude/include/detect-prv.h: no more public /
	private branch : that is idiot.

	* src/prelude/detect_plugins.c (__DetectPlugins_run): 
	Made reentrant, the dirty stuff are out now.

	* src/plugins/detects/scandetect/scandetect.c: inlined
	some function.
	(expire_cnx): use plugin_do_report(), not 
	prelude_do_report_async() anymore.
	
	* src/plugins/detects/match/match.c: 
	* src/plugins/detects/nopsearch/nopsearch.c: 
	* src/plugins/detects/opts/opts.c: 
	add packet to the plugin_do_report() args.
	add a DetectPlugin_t to the plug_run() args.

	* src/prelude/include/detect_plugins_api.h : commented
	the source.

2000-07-23  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/rsched.c : made some function inline.

2000-07-22  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/handle_connection.c: include common.h

	* src/prelude/packet_capture.c: include print.h.

	* src/prelude/timer.c: 
	* src/prelude/include/timer.h : 
	made some function inline.
	
	* src/prelude/packet_capture.c (prelude_capture_from_device): 
	use p_print in some place.
	
	* src/prelude/include/pconfig.h: 
	* src/prelude/pconfig.c (PreludeConfig): 
	* src/prelude-report/config.c (PreludeReportConfig): 
	* src/prelude-report/include/report_config.h (struct report_config): 
	ditto.
	
	* src/prelude-report/report_plugins.c: 
	* src/prelude-report/handle_connection.c: 
	* src/prelude-report/prelude_report.c: 
	* src/prelude/prelude.c: 
	* src/prelude/report_communication.c: 
	* src/prelude/pconfig.c: 
	* src/prelude/packet_handler.c: 
	* src/libprelude/tcp_options.c: 
	* src/libprelude/include/common.h: 
	* src/prelude/detect_plugins.c:

	* include/print.h (p_print): created, contains inline
	p_print function.

	* src/prelude/packet_capture.c: 
	(prelude_capture_from_device): 
	* src/prelude/packet_handler.c (SliceAndStoreDataPkt): 
	Alloc directly __pkt_data.data in packet_capture, do not use
	an extern pointer to reference __pkt_data.data all the time...
	This fixes a sigsegv when the first packet received when running
	prelude was not a packet containing data.
	
	* src/plugins/detects/match/match.c (plug_run): match uses
	p-medium to do report, not p_high... ideally, we should be
	able to specify a priority for each rule. It will be implemented.

	* src/prelude/include/init_funcs.h: added declaration for
	__prelude_InitRsched().

	* src/prelude/rsched.c (schedule_pmedium): new function,
	call schedule_plow at the moment.
	(schedule_plow): 
	(rsched_schedule): split into two functions.

	* src/prelude/packet_capture.c (prelude_print_stats): 
	print number of : page faults, page reclaims, swap, voluntary
	context switch.

	* src/prelude/rsched.c (__rsched_auth): only reset timer if
	we issue a report.

	* src/prelude/detect_plugins.c (__prelude_InitDetectPlugins): 
	set the plugin id.

	* src/plugins/detects/nopsearch/nopsearch.c: use medium
	report priority cause it is only speculation.

	* src/prelude/timer.c (prelude_GetTimer): new function,
	permits getting the time when the timer was last set...

	* src/prelude/rsched.c (__prelude_InitRsched): use calloc.

2000-07-21  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/detect_plugins.c (__DetectPlugins_run): removed
	a debugging printf.

	* src/prelude/plugin_filters.c (DetectPluginFilter_init): removed
	one #if 0 and an unneeded p_print.

	* src/prelude/filter_funcs.c: removed p_print on compile_*,
	because this just blows up the screen at init time.

	
	* src/prelude/include/rsched.h : created.

	* src/prelude/include/hostdb.h : 
	* src/prelude/hostdb.c (__prelude_InitHostdb): by convention,
	all init functions should return 0 on success.

	* src/prelude/report_communication.c : corrected the use of the
	err macros...

	* src/prelude/prelude.c (DO_INIT): provide the DO_INIT macros,
	  thanks to (Francis Galiegue), use it to init random part of
	  prelude.

	* src/prelude/include/detect_plugins.h: readded the "id" member.

	* src/prelude/rsched.c: added the report scheduler.

	* src/prelude/Makefile.am (prelude_SOURCES): added the report
	scheduler.

2000-07-18  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude-report/report_plugins_api.c (ip_dump): use
	off & 0x3fff to know if the packet is fragmented.

	* aclocal.m4: 
	* configure.in: Check if unaligned access is OK, stolen 
	from tcpdump...

	* src/prelude/ip_fragment.c: include ip_fragment.h,
	constified a little.

	* src/prelude/packet_handler.c (SliceAndStoreFddiPkt): 
	depth = -1, as we don't store any fddi header at the moment.
	(SliceAndStoreAtmPkt): same.

	* src/prelude/packet_capture.c (prelude_capture_from_device): 
	Capture in promiscuous mode... duh...

2000-07-17  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/packet_handler.c (SliceAndStoreNullPkt): 
	Handle the loopback interface.
	(SliceAndStoreFddiPkt): Handle FDDI interface.
	(SliceAndStorePppPkt): handle PPP interface.
	(SliceAndStorePppBsdosPkt): Handle PPP ( bsd specific ) interface.
	(SliceAndStoreAtmPkt): Handle ATM.

	* src/prelude/packet_capture.c: added handling call for null,
	ppp, ppp bsdos, fddi, atm interface...

	* src/prelude/ip_fragment.c : added (from ip_fragment-2.4.0test3.c), 
	cleanup.
	(ip_frag_reasm): removed some debugging printf.

	* src/prelude/ip_fragment.c (ip_frag_queue): Added a report
	about Ip Defragmentation attack, and a report about last 
	fragment received but data missing.
	(ip_frag_queue): Do not free 'frag', but 'free_it'...
	This fixes the memory corruption bug.

	* src/prelude/filter_funcs.c: extern declaration of Packet_t.
	(verify_proto): use prelude_GetDepth().

2000-07-13  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/ip_fragment-2.4.0test3.c: 
	adapted the new 2.4.0test4 IP defragmentation stack to prelude.
	There is probably some bug sitting... 
	Not compiled by default at the moment.

2000-07-10  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/filter_funcs.c: removed unused structure.

	* src/plugins/detects/scandetect/scandetect.c : indentation
	fix, corrected some comments, plugins definitions correction.	

	* src/prelude/report_communication.c (rewind_xdr_stream): indent
	fixes.

	* src/prelude/report_communication.c (UnixConnect): corrected
	a typo.

	* src/prelude/Makefile.am (prelude_SOURCES): added
	sched.c

	* src/prelude/sched.c: start of a new report scheduler.

2000-07-08  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/report_communication.c 
	(UnixConnect): use the err macros.

	* src/plugins/detects/match/match.c: include common.h,
	to avoid undefined err macros.

	* src/plugins/reports/Makefile.am :
	* configure.in : don't compile reportsrv, because it
	does not work at the moment and makes prelude crash.

	* src/prelude-report/xdr_decode.c (xdr_tcphdr): fix
	a compile warning.

	* src/prelude/xdr_encode.c (xdr_packet): more detailed
	error message.

	* src/prelude/filter_funcs.c (verify_tcpflag): fix a
	compile warning.

	* src/prelude/ip_fragment.c (ip_create): reindent
	some things.
	(ip_frag_create): ditto.

	* src/prelude/hostdb.c (__prelude_SearchCnx): split
	in two functions.
	(search_data): new function;
	reindent.

2000-07-06  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/ip_fragment.c: removed some commented
	out include.
	(ip_find): code cleanup.

	* src/libprelude/pluginlib.c: included common.h.

	* src/prelude-report/report_sched.c: included common.h.

	* src/libprelude/config_engine.c: included common.h
	to avoid compile warning; removed some not needed
	extern function declaration.

2000-07-05  Yoann Vandoorselaere  <yoann@mandrakesoft.com>

	* src/prelude/ip_fragment.c (ip_glue): More complete
	attack detection report, in case of an Oversized packet
	caught.
	(ipfrag): ditto.

* Tue Jun 27 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- detect.h : added FIXME for broken prelude_report_async.
- hostdb.c : little cleanup ( new function __cnx_del() ),
	     should not sigsegv anymore, but i'm not sure the bug
	     is definitively fixed.
- scandetect.c : removed an unused variable, don't fill unused plugin
	         structure field.
- match.c : use err() macros.
- config_engine.c : ditto.
- match.c : ditto. 
- report_communication.c, xdr_encode.c : added debugging printf.
- xdr_decode.c : include common.h
- detect_plugins_api.c : prelude_do_report() set depth.

* Mon Jun 26 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- detect-report.h : depth back in the DetectReport struct, data_depth removed.
- scandetect.c : fix a typo, remove debugging printf.
- sysplug.c : check if prelude_PktDump() returned NULL,
  to avoid a pointer dereference.
- detect_plugins.c : set DetectReport depth member to depth.
- ip_fragment.c : cleanup, do its own report instead of printf,
- moved the overlap check part out of ipfrag() in check_overlap(),
  fixed a possible overlap bug by the way.
- packet_handler.c : do its own report instead of outputting on stdout.
- xdr_encode.c : use the err macros instead of perror.
- handle_connection.c : removed not used global variable depth.
  added a check for report wo packet, use err macros.
- report_plugins.c : use the err macros.
- report_plugins_api.c : remove unused global extern variable depth,
  added a check for NULL packet in packet analyzing function.
- server.c : use err macros.
- xdr_decode.c : ditto.
- ip_fragment.c : oops, fix argument passing for check_overlap().
- packet.h : remove unused #if 0'd code.
- aclocal.m4 : removed from cvs.
	
* Thu Jun 22 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- scandetect.c : completely rewritten, detect the type of scan,
	cleaned up, detect udp scan.
- daemonize.c : use the err macros instead of fprintf.
- detect_plugins.c : use the err macros instead of perror.
- detect_plugins_api.c : ditto, removed err macros from here,
	and put it in libprelude/include/common.h, when copying a
	packet, if an udp header is found, copy it as p_udp, not p_tcp,
	this fix a segfault.
- hostdb.c : use the err macros instead of perror, don't use ip_id
	to generate the hashing key.
- ip_fragment.c : use the err macros, cleanup.
- packet_capture.c : use the err macros.
- report_communication.c : ditto.
- timer.c : ditto.
- xdr_encode.c : use xdr_u_short for th_urp.
- xdr_decode.c : ditto.
- report_plugin_api.c : correct a typo.
- filter_funcs.c : use the err macros instead of perror.

* Mon Jun 19 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- Removed the opts plugins ( now these checks are done by prelude itself ).
- Added the reportsrv report plugins ( which will serve reports to whatever
  client in realtime. ).
- Don't even treat invalid options.
- Added some copyright headers.
- Remove __MAX_TCPOPT_LEN / __MAX_IPOPT_LEN and use __MAX_OPTS_LEN everywhere.
- scandetect.c : fixed a bug which could lead to sigsegv if the dst port was
  set to 0 / > 65535. cleanup.
- detect_plugins.c : when subscribing a plugin in more than one category, 
  duplicate it, this will avoid list pointers pointing to the same category.
- detect_plugins_api.c : added the err() macros, giving way more debug
  informations ( should be used instead of perror ).
  include errno.h and string.h; added prelude_do_report() function, which allow
  prelude to do report itself.
- detect_plugins_api.h : added declaration for prelude_do_report().
- packet_handler.c : VerifyOptions() now takes a Packet_t argument in order to
  do its own report.
- report_communications : all reports saved in *1* file.
- tcpip_options.c :  do its own report when it sees invalid options.
- xdr_encode.c : use xdr_int, not xdr_u_int for opts_len.
- xdr_decode.c : ditto.
- handle_connection.c : set ip_opts & tcp_opts to NULL at init time;
  when something goes wrong decoding a report, do not return, just continue and
  wait for another report.

* Fri Jun 09 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- libprelude/log.c : include log.h, changed function name from
  Prelude* to prelude_*, commented out fflush call.
- libprelude/pluginlib.c : Test realloc return value, remove
  pktalloc_called and pktcpy_called now not needed in this place.
- libprelude/log.h : modify function name, according to log.c modifications.
- match.c : remove the no more used print_data function.
- nopsearch.c : remove \n at the end of the constant passed to
  plugin_do_report.
- sysplug.c : log too many thing for syslog, just log into
  /var/log/prelude.log, use the log.[ch] API, use the new prelude_HexDump()
  function to log an hexadecimal data dump.
- detect_plugins_api.c : added pktalloc_called & pktcpy_called variable,
  prelude_GetDepth doesn't cache data anymore, this could lead to bug, and
  we're not sure how many time gain we do with it.
- prelude.c : remove the open / close log call at the start / end of prelude.
- prelude_report.c : ditto.
- report_communication.c : remove a debugging printf.
- xdr_types.h : Packet_t is const here.
- handle_connection.c : free ip / tcp opts and data, set them to NULL 
  (could lead to  bug if not ).
- report_plugins_api.c : added the prelude_HexDump() function, to make 
  hexadecimal dump from data, removed old print_data(), all 'proto'_dump()
  function now return dynamically allocated value (ie : do not use static
  buffer anymore, because it can lead to problem for encapsulated protocol ).
- report_plugins_api.h: added prelude_HexDump declaration.
- xdr_decodes.c : remove the tcp / ip opts and packet data allocation, 
  this was a wrong fix to the prelude-report sigsegv problem because xdr_bytes
  return already allocated data.
- libprelude/lookup.[ch] : added.
- report_plugins_api.c : corrected some problems in prelude_HexDump().
- packet_handler.c : after the top level protocol is handled, set the first 
  byte of data to 0, this will prevent plugins to issue warning on following 
  packet with no data.
- log.c : put fflush back in.

* Wed Jun 06 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- include/proto.h : Added the 'p_all' protocol, 
  which mean a plugins can be run against all protocol
- match.c : subscribe to p_all.
- libprelude/tcp_options.c / ip_options.c : make it reentrant.
- libprelude/ip_options.c : added prelude_SearchIpOption 
  ( like in tcp_option.c )
- libprelude/tcp_options.c : removed some debugging printf.
- libprelude/pluginlib.h : match the new ip/tcp options parsing API.
- libprelude/lookup.c : all the prelude lookup table goes here, 
  to avoid code duplication.
- filter_funcs.c : added the verify / compile tcp/ip options functions.
  verify_content() / verify_regcontent : check if data size is 0, if so, return -1.
  Functions now use the table parsing function provided by lookup.c.
  Modularized a little.
- packet_handler.c : add a call for running plugins from "all" category.
- plugins_filter.c : added ip_opt and tcp_opt rules.
- prelude-report/handle_connection.c : alloc dynamically the options buffer
  sometime the way xdr work is really weird.
- report_plugins_api.c : frag[0] = '\0', to avoid outputing garbage, use
  lookup.c and adapt to the new tcp/ip options parsing api.
- match.c : don't read line starting with #.
  if no rules registered, unregister the plugins. ( init return -1 )

* Mar Jun 06 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- Big cleanup, many file renamed, many include file added.
- split / merge of some files.
- change functions name.
- Do not put only used by one program function in libprelude.
- Corrected a bug in prelude_PktDump() which made the tcp opt dump
  return NULL (which also prevented data printing).
- Added the opts plugins, which must issue warning on DOS tentative
  via invalid tcp / ip opts... 
- Modification of the prelude core in progress in order to have
  a good plugins implementation for such verification ( opts )
- prelude-report : Correct some wrong include entry.

* Mon Jun 05 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- configure.in : removed -fno-inline from the CFLAGS, should be defined
  by the developer using the CFLAGS variable if he wants to. Add -pg,
  in order to make function execution statistics using gprof.
- detect.h : added declaration for connection database function.
- hostdb2.c : Completely reworked, use a different hash, implemented
  much more cleanly. Also, the Add / Del / Search functions now take
  an ip header as argument instead of the two in_addr structures...
  prelude_AddCnx returns a pointer to a persistent struct ip.
  Put hostdb2 where it belongs, it is only used by Detect plugins, so
  it should go in prelude main code.
- plugins/scandetect.c : Modified to work with the new hostdb stuff.
- detect_plugin_filter.c : DetectPluginFilter_run() is Improved in speed 
  by about 10 %, do not use recursive function call anymore, but use goto.
- prelude.c : sighandler() : Temporarily use exit(2), 
  for gmon.out ( gprof ) generation.
	
* Wed May 31 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- Added filtering rule "regcontent", which is to specify regex.
- Done some experimentation about the string / byte string search
  into data buffer, strstr is the best for string against all 
  implementation of Boyer Moore algorithm i have found ( they
  seem to implement this algorithm, and seem to be asm optimized ).
- For the bytestring search, i'm currently using regex ( which are
  compiled at init time ), this is fast, but i think regex
  is overkill for this task, so it will probably change.
- Corrected a problem in packet_handler.c : always add a \0
  at the end of the data, this is very useful because we are
  not cleaning the memory before slicing each packet ( this would
  take too long ), so the buffer was never ending and contained 
  part of a previously received packet, which is not good and led 
  to some duplicated plugin warnings.
- filter.c : Corrected 2 off by one error.
- filter.c : tcp_flag rule can now take > 1 flag as argument ( separated by
  commas ) 
- detect_plugin_filter.c : there was problem parsing quoted rules.
- plugins/detect/match.c : avoid a NULL pointer dereference.
- plugins/detect/match.conf : added a winnuke detection rule.
- plugins/detect/winnuke : removed, now handled by the match plugin.
- plugins/detect/Makefile.am : remove the winnuke subdir.
- plugins/detect/match.c : added the plugin description.
- configure.in : remove the winnuke plugin Makefile generation.
- libprelude/pkt_dump.c : do not use asprintf / vasprintf anymore,
  use snprintf in statically allocated buffer.

* Tue May 30 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>

- Cleanup the code in some place.
- Renaming of public internal functions to begin with __
- Removed some temporary file.
- Create includes files with function declaration instead
  of declaring by hand.
- Removed sync.c
- Made it possible to declare filter from plugins.
- Added the content and hexcontent PF rules.
- Added copyright notice to new file.
- Updated TODO
- Makefile.am : install prelude.conf
- make match plugins read rules from the match.conf config file.
- install match.conf
- cleanup configure script, installation path.
- plug_init should return an int for / OK / failed.
- match.c / match.conf Add a custom msg= argument to a rule for the warning
  if the rule is matched.
- remove strdetect plugin, match does its work.

* Mon May 29 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- added match plugins.

* Fry May 28 2000 Yoann Vandoorselaere <yoann@mandrakesoft.com>
- src/prelude-report/xdr_decode.c: alloc data buf, this will prevent
	prelude-report from sigsegv every time.
- Removed all optimisations for debugging purposes.
- solved a bug in hostdb2.c, the data ptr was wrong.
- src/prelude/ip_fragment.c : When we find a list entry for this fragment,
	just reset the timer, do not delete it... This fixes a fragmentation bug
	which was resulting in a sigsegv.

* Mon Mar 06 2000 Francis Galiegue
- src/libprelude/newstack.c: Oops, bug - FIXED
- src/libprelude/newstack.c: new stack implementation with defragmentation and
  alignment, compiles but needs testing.
- src/libprelude/newstack.c: a few changes

* Sun Mar 05 2000 Vandoorselaere Yoann
- Added documentation on fast algorithms for ip routing tables,
  this is similar to what we do in hostdb, and we'll probably need
  to implement one of these algorithms.

* Sat Mar 04 2000 Vandoorselaere Yoann
- work on the new connection database.

* Thu Mar 02 2000 Francis Galiegue
- src/libprelude/hostdb.c: complete rewrite

* Wed Mar 01 2000 Vandoorselaere Yoann
- stack.c bug is fixed...
- Better error handling.
- Cleanup a little, commented the code
- More work on the alignment problem
- Made hostdb.c faster.

* Thu Feb 29 2000 Vandoorselaere Yoann
- Added alloc error check, in this part of the code we must absolutely
	handle an alloc error cleanly.
- Moved packet copy related functions to pktcpy.c
- Made it really clean, use a function for each header copy.
- use p_free to free data->data structure member.

* Mon Feb 28 2000 Vandoorselaere Yoann
- Much work on the stack, this is becoming better and better,
	however there is a bug somewhere in the packet cpy stuff....
	and it dereferences a pointer which gives us a sigsegv... 

* Mon Feb 28 2000 Francis Galiegue
- src/libprelude/newstack.c: new file, try at a total new stack implementation
- src/libprelude/newstack.c: lots of changes
- src/libprelude/newstack.c: grr, added missing semicolon...
- src/libprelude/newstack.c: rename p_* to pn_* to compare with other stacks
- src/libprelude/Makefile.am: added newstack.c to targets
- src/libprelude/newstack.c: now deleted, a bug in it which I don't get
- src/libprelude/Makefile.am: fixed

* Mon Feb 28 2000 Vandoorselaere Yoann
- rewritten the libprelude stack from scratch...
  it is far from being finished, but will be easier to
  extend... currently my bench shows a 40% CPU gain with the
  cache... But this is not a real world test...
  Real test scheduled for tomorrow.

* Fri Feb 25 2000 Francis Galiegue
- src/libprelude/hostdb.c: added malloc() failure checks
- src/libprelude/hostdb.c: tons of other checks 
- src/libprelude/hostdb.c: macro for debugging, added more checks

* Fri Feb 25 2000 Vandoorselaere Yoann
- Clean up stack.c, fix a bug, attempt using it
	in prelude_PktCpy to see if we gain in performance.

* Fri Feb 25 2000 Francis Galiegue
- src/libprelude/hostdb.c: undid last change in hash_value()

* Fri Feb 25 2000 Vandoorselaere Yoann
- Cleanup of stack.c, use the new list scheme, include at compile time.

* Fri Feb 25 2000 Francis Galiegue
- src/libprelude/hostdb.c: remove ntohl() calls into hash_value()
- src/libprelude/hostdb.c: completely redefined hash_value()
- src/libprelude/hostdb.c: simplified hash_value(), again

* Fri Feb 25 2000 Vandoorselaere Yoann
- Use the snaplen config entry ( if provided ) to
	setup the data buffer.

- config.c -s ( for report server addr ) changed to -a,
	 -s is now used to setup snaplen.

- packet_capture.c / packet_handler.c : 
	dynamically alloc the data buffer at startup time following
	the snaplen arg ( which currently doesn't exist ).
	never free / realloc it after...

- hostdb : removed some warnings.

- packet_capture : print hash statistics;
	Francis : please tell me when you change variable names :)

* Thu Feb 24 2000 Francis Galiegue
- src/libprelude/hostdb.c (yes, again!): #if 0'ed table dump, added extern
  variables on host/cnx/pdata usage. FIXME: malloc()s need to be checked, this
  is scheduled for tomorrow - it will require an API change!

* Thu Feb 24 2000 Vandoorselaere Yoann
- Made prelude_GetCleanData faster.
- today it was an ip stress test day,
	we discovered some bugs ( in fact places where timeouts
	were too high ) and the memory was growing far too much.
	We corrected them.
	
* Thu Feb 24 2000 Francis Galiegue
- src/libprelude/hostdb.c: only dump table usage every 256 entries

* Thu Feb 24 2000 Vandoorselaere Yoann
- Use the new cnx related API,
	only do scan detection, the rest of the detection stuff
	syn / stream will now be in other plugins.

* Thu Feb 24 2000 Francis Galiegue
- src/libprelude/hostdb.c: oops, bug - bad list_add usage
- src/libprelude/hostdb.c: Grrr... Have to check for whether hash tables are
  initialized in every public function. UGLY. FIXME.
- src/libprelude/hostdb.c: (yes, again) Fixed hogs in debugging functions

* Thu Feb 24 2000 Vandoorselaere Yoann
- hostdb: renamed public function.
-         made it k&r compliant :-P :)
- scandetect: new version on the way,
	there is some problem with hostdb at the moment
	
* Thu Feb 24 2000 Francis Galiegue
- src/libprelude/Makefile.am: added hostdb.c into targets
- src/libprelude/hostdb.c: finished, now it needs testing
- autogen.sh: added -c flag to automake

* Wed Feb 23 2000 Vandoorselaere Yoann
- removed the id things completely ( not used ).
- detect_plugins.c, detect.h, detect-prv.h : Moved the plugins 
	id from the private plugin structure to the public one.

* Wed Feb 23 2000 Francis Galiegue
- src/prelude/detect_plugins.c: fixed not unlikely case where the detection
  plugins directory did not end with a "/" - a double slash doesn't hurt

* Wed Feb 23 2000 Vandoorselaere Yoann
- hostdb.c: clean up... Do not use memcmp
	in order to compare two address as it is not
	the best way.
- Fix some typos.

* Wed Feb 23 2000 Francis Galiegue
- src/prelude/detect_plugins.c: cleanup

- src/libprelude/hostdb.c: fully done, but for plugins interaction - we need to
  know which plugin calls us!

* Wed Feb 23 2000 Vandoorselaere Yoann
- libprelude/plugins.c use the new list interface.

* Tue Feb 22 2000 Vandoorselaere Yoann
- Use the list.h provided by the linux kernel for linked list handling.
- plugins_run : use the new list interface.
- detect_plugins.c : use the new list interface.
- detect_plugins.c : removed unused 'all_plugins' structure.
- timer.c : use the new list interface.
- starting work on hostdb.c for caching connection ( needed for some plugins, )
  this will prevent a lot of duplicated code.
  Francis is working on hash table for hostdb.
- handle_connection, report_plugins : use the new list interface.

* Sun Feb 20 2000 Vandoorselaere Yoann
- Parsing of prelude filters work again.
- modified some plugins to check that getdepth doesn't return -1.
  this was causing random crash when plugin tried to access packet[depth]
  if the value returned for depth was -1
- Renamed prelude_do_report_self() to __prelude_do_report_async()
- created the prelude_do_report_async macro which call __prelude_do_report_async
	and automatically fill the plugin argument.
- Fix a bug in timer.c where the callback could be called and Del the current timer
	by itself, the result was that item->next was dereferenced && crash.
- Fix a bug in prelude_PktCpy().
- Fix a bug with plugin which aren't of the good category executed.

* Fri Feb 18 2000 Vandoorselaere Yoann
- Worked on the depth bug... work better. :)
- Revert to Wednesday version, not good to touch code after
	too many beer.

* Wed Feb 16 2000 Vandoorselaere Yoann
- ip_fragment.c : little cleanup
- ip_expire : delete timer
- Try to fix scandetect.c again
- Fix a little bug occurring when resetting timer.
- Scan detect work again, it should also detect syn attack.
- First try at implementing prelude timer in scandetect. 
- More fix to scandetect.
- Fixed a bug in the timer implementation.
- Added libprelude/sync.c which call the necessary function
        for libprelude to sync with prelude.
- Worked a little on scandetect plugins, is broken, will be
        rewritten in a few time.
- plugins_run : call prelude_SyncLibrary instead of prelude_FreeCachedData.

* Tue Feb 15 2000 Vandoorselaere Yoann
- redone timer_t structure,
- start to implement timer in ip_fragment.c
- added timer in libprelude,
	ip_frag should use them.
	the timer are awakened at each packet cycle.
- ipfrag.c : s/ip_frag/ipfrag/ 
- detect_plugins_filters.c : bug fixes.
- detect_plugins_filters.c : big clean up.

* Mon Feb 14 2000 Francis Galiegue
- src/plugins/detects/scandetect/scandetect.c: fixed the port mapping stuff
- src/plugins/detects/scandetect/scandetect.c: oops... Fixed stupid bug
 
* Mon Feb 14 2000 Vandoorselaere Yoann
- removed configure ... nothing to do in the repository.
- corrected a double free in ip_fragment.c in case of a defrag error.
- corrected packet_handler.c where we were passing the total len of our
	ip packet instead of just data len.

* Mon Feb 14 2000 Francis Galiegue
- src/plugins/detects/scandetect/scandetect.c: resync'ed

* Mon Feb 14 2000 Francis Galiegue
- src/plugins/detects/scandetect/scandetect.c: macro'ized list add as well

* Mon Feb 14 2000 Vandoorselaere Yoann
- added new ipfrag plugins ( which does actually nothing ).

* Mon Feb 14 2000 Francis Galiegue
- src/plugins/detects/scandetect/scandetect.c: macro'ized list removal - old
  code is "#if 0"'ed for now

* Sat Feb 12 2000 Vandoorselaere Yoann
- nopsearch : removed unused function ( comp_nop ).
- nopsearch : oops, fix a typo.
- nopsearch : integrated some optimization by Francis.
- nopsearch : added sparc & ppc nop check.

* Thu Feb 10 2000 Vandoorselaere Yoann
- depth tweak, no need to use depth anymore in
	the plugins called function.
- nopsearch : fixed a few thing, now work,
	also need to test with alpha stack overflow.

* Thu Feb 10 2000 Francis Galiegue
- Finished with the doc - for now

* Thu Feb 10 2000 Vandoorselaere Yoann
- little cleanup to packet.h
- More cleanup in nopsearch.c
- modified nopsearch.c : to detect stack overflow
	on many architecture,
	made code modulable so adding a new architecture is easy
	and doesn't add too much overhead.
	At the moment nopsearch search for x86 & alpha nop.

* Wed Feb 09 2000 Francis Galiegue
- Still more documentation cleanup

* Wed Feb 09 2000 Francis Galiegue
- More documentation cleanup

* Wed Feb 09 2000 Francis Galiegue
- doc rewrite and cleanup - partly done

* Tue Feb 08 2000 Vandoorselaere Yoann
- commented includes.
- renamed config file related function.
- prelude/config.c : use the new config functions name.

* Mon Feb 07 2000 Francis Galiegue
- small rewrite of src/prelude/report_communication.c:SendSavedReport

* Mon Feb 07 2000 Vandoorselaere Yoann
- Doc update.
- libprelude/tcp_options.c : little optimisation,
	handle unknown options.
- libprelude/pkt_dump.c : rewrite the ipopt / tcpopt things 
	in a more cleaner way, and commented it.
- prelude/tcpip_options.c : indent fix.
	
* Sun Feb 06 2000 Vandoorselaere Yoann
- Removed src_host , dst_host, src_port, dst_port of
	the DetectReport_t structure, since they are no longer needed.
- Added debugging printf to help catch a *fucking* hidden bug in the packet
	handling scheme.
- Oops forget to count one bit in tcp/ip options validity check.

- prelude/config.c: Use getopt_long.
- Fixed a bug in tcp / ip options decoding,
	xdr alloc the opts pointer itself.
 
* Sat Feb 05 2000 Vandoorselaere Yoann
- src/prelude/packet_handler.c : added many sanity check
	for header, now header handling should be really attack safe
- src/prelude/tcpip_options.c : 
	prevent a possible crash again.

- src/plugins/detect/nopsearch/nopsearch.c : 
	- optimizations,
	- bugfix, now work.
- src/prelude/tcpip_options.c :
	corrected a grave tcp/ip options parsing bug
	which could result in crash if bad opts len were received.
- src/prelude/packet_handler.c : consistency check ( prevent crash ).

* Fri Feb 04 2000 Vandoorselaere Yoann
- src/plugins/detects/nopsearch/nopsearch.c: moved nop_count
  to the right place, use size_t in the good places 
	
* Fri Feb 04 2000 Francis Galiegue
- Rewrote src/plugins/detects/nopsearch/nopsearch.c to optimize for the common
  case.

* Wed Feb 02 2000 Vandoorselaere Yoann
- Options aren't allocated dynamically,
	use an array of 40 unsigned char ( maximum opt len ).

* Sun Jan 30 2000 Vandoorselaere Yoann
- prelude/tcp_options.c && prelude/ip_options.c :
	code merged into prelude/tcpip_options.c

* Sat Jan 29 2000 Vandoorselaere Yoann
- Oops, fix broken include.

- Ok, now prelude itself just parse tcp/ip options
  if at a certain point options aren't valid, we
  assume, that the option len is faked, ( else this could
  allow an attacker to hide data behind fake option ).
  and we recalculate our own option len.

- libprelude have now several function to parse Ip/Tcp options.
- Bugfix in plugins.c
- Many other change, too long to list :)
 

* Fri Jan 28 2000 Vandoorselaere Yoann
- reverted previous change about tcp options,
	keep in prelude, where they are parsed, and where
	we can't avoid certain kind of attack.
- ip_options : ditto
- More documentation work.
	
* Thu Jan 27 2000 Vandoorselaere Yoann
- Moved IP option in libprelude, made API consistent.
- pkt_dump.c : Adapt to new IP options parsing scheme.
- packet_handler.c : ditto.
- Plugins.c : ditto.
- xdr_encode.c : ditto.
- xdr_decode.c : ditto.
- More autoconf work,
	seem to work fine.

* Wed Jan 26 2000 Vandoorselaere Yoann
- plugins.c : fix some warning.
- include cleanup
- More autoconf work...
- Updated TODO
- Ok all seem to work fine now,
	except that all library / module are linked
	with all autoconf checked library...
- include file "NEWS"
- oops forgot to call aclocal in autogen.sh
- Ok, i think autoconf support will be ok
	this night...
	Don't try to run prelude at the moment,
	it will compile but won't run ( cause of some plugin change )
- TODO update
- prelude/report_communication.c: unix server listen on /dev/prelude_socket.
- prelude-report/server.c : use tcp wrapper,
	unix server listen on /dev/prelude_socket
- prelude/config.c : don't use a define for the time to retry
	contacting report server, use the config variable.
- prelude/config.c : added -t option, to specify a retry 
	time for contacting report server if it is unreachable.
- tcp_options.c : added prelude_SearchTcpOption() function.
- report_communication: added rewind_xdr_stream() function 
	to deal with xdr_setpos error.
- Commented the code.
- Cleaned the code.

* Tue Jan 25 2000 Vandoorselaere Yoann
- Fix a little memory leak in config.c
- Added "user=" config file entry,
  permit prelude to setuid to this user when it do not need root access.
- Corrected a bunch of warning, added tcp_fragment.c kernel
  license header cause the fragment ip stack i use is largely based on it.
- Ok tcp_option parsing does work...
- xdr_encode / xdr_decode now work with new opts parsing.
- pkt_dump use new parsing API.
- all appear to work fine ( basically :) )
- Falling asleep on my keyboard, gotta sleep.
  
* Mon Jan 24 2000 Vandoorselaere Yoann
- Reworked the way plugins access to the tcp / ip options...
  There is currently some *big change in the prelude source tree...
  So it will probably don't work / crash...
- libprelude/plugins.c : use switch instead of if.
- Corrected a few warn.
- Removed XDR stuff from libprelude,
  i'm now forced to have xdr_encode / xdr_decode in two
  different file , even if they are very similar...
- Many update, plugins use shared library func...
- Prelude is currently broken.

* Sat Jan 22 2000 Vandoorselaere Yoann
- added function prelude_GetDepth() to the library. 
- xdr_type.c : use xdr_wrapstring instead of xdr_string.
- Plugins use library extensively :)
- Library is now shared...
- Report plugins use prelude_GetPktdump(); ( from libprelude ).

* Fri Jan 21 2000 Vandoorselaere Yoann
- use libtool
- pkt_dump.c : fix a bunch of warning, indentation fix.
- detect_plugins_filter.c : added parenthesis understanding for priority
  comprehension.
- s/PreludeStartDetectPlugins/DetectPlugins_run/
- renamed plugins.c into plugins_run.c
- delete_plugins_filter.c : removed a bug.
- renamed some file
- filters : && alias AND and || alias OR.
- Don't exit if can't resolve.
- Cleaned up...

* Thu Jan 20 2000 Vandoorselaere Yoann
- Makefile : include filter.c & plugins_filter.c in compile.
- detect.h : plugins structure include filter structure.
- detect_plugins.c : call the detect filter init function.
- plugins.c : modified to use filter at plugins start time.
- filter.c : contains function for filter.
- plugins_filter.c : contains filtering rule parsing/init code.

* Wed Jan 19 2000 Vandoorselaere Yoann
- ip_frag.c : all appear to work fine, need to implement timer.
- ip_frag.c : cleaned up a little.
- ip_frag.c : backport of the kernel hash table
- ip_frag.c : more work...
- packet_handler.c : adapted for new fragmentation code.
- yesterday item 3 is fixed, for item 1 : it is more clean :) but dirty :)...

* Tue Jan 18 2000 Vandoorselaere Yoann
- ip_frag.c : fixed some bug.
- ip_frag.c : cleaned up a little.
- Ok, fragmentation stack seem to work *but* :
	1 - Is dirty, need to be cleaned.
	2 - Need to be *heavily* tested.
	3 - Doesn't verify if it have all fragment before trying reassembly.
	4 - Need to implement timer to free old packet fragment,
		which were never defragmented.

- ip_frag.c : starting work on the fragment stack.
- pkt_dump.c : oops, forgot to remove one debug printf. 
- pkt_dump.c : print tcp & ip flags,
	reordered informations.
- updated TODO.

* Mon Jan 17 2000 Vandoorselaere Yoann
- pkt_dump.c is now clean :-)
- Ok probably corrected the problem... 
- There is a bug left somewhere in pkt_dump.c
	It will sigsegv at free time when dumping the header informations.
- Cleaned up pkt_dump.c
- no more tcp options parsing problem,
	I was giving the end of the option buffer to the parsing function
	instead of the beginning...

* Sun Jan 16 2000 Vandoorselaere Yoann
- More work on the documentation.
- Cleaned up server.c & divided it in two part 
	( see handle_connection.c )
- Come back to the old way of initializing plugins.

* Sat Jan 15 2000 Vandoorselaere Yoann
- strdetect: remove unused code.

* Fri Jan 14 2000 Vandoorselaere Yoann
- More work on the memory stack.
- Started writing documentation. ( see index.htmli, prelude.fig
  prelude-report.fig )

* Thu Jan 13 2000 Vandoorselaere Yoann
- Work on the memory stack.
- packet_handler.c : fix a const warning.
- report_sched.c : reworked a little. ( already broken ),
	don't rely on the src / dst addr, cause the used protocol is unknown.
	just rely on the emitting plugin ID and basically prevent report flooding.
- report_communication.c : socket O_NONBLOCK.
- packet_handler.h : typo.
- Updated README.

* Wed Jan 12 2000 Vandoorselaere Yoann
- Added a README
- Ok, make it compile again...
- Don't try it , it will not compile...
- Big change to the source tree, rewriting include in a more logic way...
- divided prelude_config.h into 2 headers : prelude_config.h & config_devices.h
- updated TODO.
- I'm on the way of doing a major cleanup,
  however, i've not got many time to work on prelude ( actually ).

* Wed Dec 22 1999 Vandoorselaere Yoann
- prelude / prelude-report: path is defined at compile time
- added libprelude/plugins.c: for plugins related function.

* Tue Dec 14 1999 Vandoorselaere Yoann
- config_engine.c: be quiet don't report section xxx doesn't exist.
				   ditto for xxx in section xxx doesn't exist

* Mon Dec 13 1999 Vandoorselaere Yoann
- Fix the second alert report server crash bug.
- prelude_report/config.c: Handle the quiet & daemonize options
  in config file.
- Updated TODO file
- missing include
- ip_options.c: pass an fd to p_print.
- packet_handler.c: Verify that packet depth doesn't exceed 
  maximum statically allocated packet depth.
- tcp_options.c: Verify our options data doesn't point outside our option
  buffer space.

* Fri Dec 10 1999 Vandoorselaere Yoann
- Big source tree cleanup.
- Renamed function name / file.
- packet_handler.c: fix a possible crash.
- xdr_types.[ch] now in libprelude.
- Finished tcp options handling, just need to push & test it...
- Finished the tcp options table pass through XDR.
- created prelude-fw directory, for dynamic firewalling.

* Wed Dec 08 1999 Vandoorselaere Yoann
- Updated TODO.
- tcp_options.c : Added the 2 or 3 missing options...

* Tue Dec 07 1999 Vandoorselaere Yoann
- tcp_options.c : Tcp options handling is now OK.
  I will add the last 2 or 3 missing options this night or tomorrow.
  I need to write a little stack to remember easily all the used options.

* Mon Dec 06 1999 Vandoorselaere Yoann
- Starting working on protocol options handling.
  it is now done for tcp... Not for Ip...
  Added extract.h from tcpdump, used to watch used options...
  Also, it only print the informations on screen at the moment...
  Introduced a new bug in the report server, it will sigsegv 
  on the second report, i will check that this week.

* Sat Dec 04 1999 Vandoorselaere Yoann
- Unix server work too.
- Fixed the way prelude report what it does.
- Ok inet server is now clean :-)
  working on the unix socket server.
- sysplug report plugins : corrected a typo.

* 02 Dec 1999 Vandoorselaere Yoann
- Start implementing unix socket,
  will finish this night / week end.
- No longer write 65535 bytes of data on the socket,
  ( it writes what the xdr data take ),
  this fix the bug where there was two report ( in prelude-report ) :
  one good, the second was just blank ( in fact we just needed 1 report ).
- Little memory leak fixed in prelude,
  now that the packet data is allocated dynamically.
- (Big ) Memory leak fix in prelude-report,
  destroy the XDR stream, and all var allocated by
  xdr function. 
- Little cleanup, put log stuff into
  the prelude library.

* 01 Dec 1999 Vandoorselaere Yoann
- Tested a lot more, optimized, bug fix.
- Ok, after 2 days where prelude wasn't working,
  it is now ok, XDR problem have been fixed,
  however it need test...
  Will test this night. 

* 29 Nov 1999 Vandoorselaere Yoann
Ouah, after 3 night of work :
- Prelude don't report itself anymore, it use Prelude report.
- Coded many of the XDR encoding / decoding function,
  it is located in src/common & is used by both prelude & prelude-report.
- Fixed prelude-report, it now use plugins properly.
- TODO update.
	
* 25 Nov 1999 Vandoorselaere Yoann
- Cleaned up the source.
- removed icmp_hack ( to be rewritten ).
- several typo fix.
- Commented plugins API source.
- Use the new file engine.
- Rewritten prelude.conf with the new file format.

* 08 Oct 1999 Vandoorselaere Yoann
- prelude_packet_handler.c,
  Inlined some function.
- libprelude/file_engine.c
  New parse engine added...

* 14 Sep 1999 Vandoorselaere Yoann
- More Work on the syn/scan detection plugin.
  
* 13 Sep 1999 Vandoorselaere Yoann
 - little change to syn/scan detection plugin.
   It will report less wrong alert.

* 02 Sep 1999 Vandoorselaere Yoann
- init_report_plugins.c Made the report plugins are
  treated like detect plugins... ( same loading system ).
  by the way corrected a grave memory bug ( which was present )
  in the report plugins init code, and which made more than
  4 detect plugins == SIGSEGV. ( plugin->run pointing on 0x0 ).
- plugin-prv.h report is treated like detect plugins.

* 15 Aug 1999 Vandoorselaere Yoann
- prelude_plugins.c : include time.h
- prelude-report/*.c : Reordered source tree,
  renamed function.

* 14 Aug 1999 Vandoorselaere Yoann
- Minor fix in syndetect plugins,
  if tcp packet isn't a SYN packet,
  doesn't break from the main switch loop, just return.
  ( note that it will be handled by prelude when bpf inside
  plugins will be supported. ).

* 13 Aug 1999 Vandoorselaere Yoann
- Corrected a critical bug in src/libprelude/config.c
  The memory space was corrupted this one was very hard to trace, cause prelude
  didn't sigsegv at freed time, but at random time.
  I like memory corruption bug :-).

- Improved the way packet on multiple interface are captured,
  commented the code.
  Added a copy of the pcap fd used by pcap to capture the packet
  on one interface in the config interface structure...

* 12 Aug 1999 Vandoorselaere Yoann
- Started working on a separated server to make report,
  prelude access it via connection oriented socket, and give it the necessary thing
  to made a report, this server just launch the ReportPlugin.
  This is the first step in making prelude a distributed applications.
  ( Note that since this change prelude is completely broken...
    currently hacking on a way to pass data structure over the network 
    and yes I know corba is slow, I won't use it, this is for a
    ***performance critical*** section. )
  
* 10 Aug 1999 Vandoorselaere Yoann
- Documented plugin-prv.h.
- Cleaned all #include in the source tree.

* 09 Aug 1999 Vandoorselaere Yoann
- Documented plugin.h sources.
- Split plugin.h in two parts : plugin.h / plugin-prv.h 
  ( prelude plugin private header )

* 30 Jul 1999 Vandoorselaere Yoann
- Corrected many bug in prelude_check_opt,
  parsing of options and of the bpf rules after a -i. 
  It work like a charm :-) .
  note that the format for -i is now :
  -i eth0 'eventual BPF rule'

* 28 Jul 1999 Vandoorselaere Yoann
- Added features to the sysplug plugin.
- Finished the scan detection plugin ( Should verify 1 or 2 things again ).

* 27 Jul 1999 Vandoorselaere Yoann
- Corrected a bug that made the wrong detect plugin infos
  was passed to report plugins.
- Started working on a scan detection module ( tcp / udp ).

* 26 Jul 1999 Vandoorselaere Yoann
- Multiple interface / same time now work,
  just run prelude with prelude -i eth0 [eventual bpf] -i eth1 [eventual bpf]
- Corrected a small bug in the packet_counter.
- added bpf support for each device configured.
- added bpf support for file reading.

* 23 Jul 1999 Vandoorselaere Yoann
- Starting adapting prelude to use many interface at the same time.
- Added daemon mode.
- Added reading packet from file.
- Added writing packet to file.
- Modularized a bit prelude_packet_capture.c
- Starting to code a scan detection plugins,
  will need a good hash function in order to be fast.

* 22 Jul 1999 Vandoorselaere Yoann
- Rewritten prelude from the scratch,
  better handling of packet, more plugins possibility.
  ( A plugins subscribe for udp packet, prelude caught an udp packet,
  call all modules subscribed for udp, with as argument an Structure
  representing the current packet, with in this one, an union
  of supported protocol, and a int, which is the current Depth of the packet 
  ( udp in our case ), the plugins can walk in the packet array if it want, to see other protocol.

- Plugins subscription now work.

- Starting new ChangeLog.
