--------------------------------------

Changelog for DEMARC 1.05-stable

Home: http://demarc.org/
Email: info@demarc.org

--------------------------------------

+ Only minor adjustments were made to the 1.05-RC3 code to get it ready for this stable release.


##############################################################################################

##############################################################################################

--------------------------------------

New Features for DEMARC 1.05-RC3 

Home: http://demarc.org/
Email: info@demarc.org

--------------------------------------

There has only been one feature added to the codebase since 1.05-RC2, because the goal of this 
release is simply to stabilize the codebase for the 1.05-STABLE release.

+ auto_age_events feature added which allows the main demarcd client to automatically
  expire snort events older than the specified number of days.  This way if you only 
  want to keep 30 days of IDS events, demarcd will take care of that for you 
  automatically. 
  Simply uncomment the "auto_age_data = 30" line in demarcd.conf and change "30" to
  the desired number of days.
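The aging described above, as an added example (Python rather than DEMARC's own Perl; this is not demarcd's code). It assumes a Snort-style database where every per-event row is keyed by the (sid, cid) pair: the list of tables, the in-memory SQLite stand-in and the four sample events are constructed for the example. The point it makes is that expiring "events older than N days" means deleting from every dependent table in one transaction, not just from "event", or the aged-out events leave orphaned header and payload rows behind.

```python
import sqlite3
from datetime import datetime, timedelta

# Per-event tables keyed by (sid, cid), child tables first and "event" last.
# Assumption for this example: a real Snort schema has more of them (tcphdr,
# udphdr, icmphdr, opt, ...), and every one must be listed here or the
# aged-out events leave orphaned rows behind.
EVENT_TABLES = ("data", "iphdr", "event")

# Constructed reference time so the example is deterministic.
SAMPLE_NOW = datetime(2001, 11, 6, 12, 0, 0)


def build_sample_db(now=SAMPLE_NOW):
    """Constructed in-memory stand-in for the Snort database: four events,
    two of them older than 30 days."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                            timestamp TEXT, PRIMARY KEY (sid, cid));
        CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER,
                            ip_dst INTEGER, PRIMARY KEY (sid, cid));
        CREATE TABLE data  (sid INTEGER, cid INTEGER, data_payload TEXT,
                            PRIMARY KEY (sid, cid));
    """)
    sample = [
        (1, 1, 100, now - timedelta(days=45)),
        (1, 2, 100, now - timedelta(days=31)),
        (1, 3, 200, now - timedelta(days=29)),
        (2, 1, 300, now - timedelta(hours=2)),
    ]
    for sid, cid, sig, ts in sample:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)",
                     (sid, cid, sig, ts.strftime("%Y-%m-%d %H:%M:%S")))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)",
                     (sid, cid, 3232238081, 3232238090))
        conn.execute("INSERT INTO data VALUES (?, ?, ?)", (sid, cid, "payload"))
    conn.commit()
    return conn


def age_events(conn, days, now=None):
    """Delete every event older than `days` days, together with its dependent
    rows, in one transaction. Returns {table: rows deleted}."""
    if days <= 0:
        raise ValueError("auto-age threshold must be a positive number of days")
    now = now or datetime.now()
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    deleted = {}
    with conn:  # commit on success, roll back if any statement fails
        for table in EVENT_TABLES:
            if table == "event":
                cur = conn.execute("DELETE FROM event WHERE timestamp < ?", (cutoff,))
            else:
                # EXISTS on the (sid, cid) pair ties each child delete to the
                # event rows about to go, so nothing with a live event is touched.
                cur = conn.execute(
                    f"DELETE FROM {table} WHERE EXISTS ("
                    f"  SELECT 1 FROM event e WHERE e.sid = {table}.sid"
                    f"  AND e.cid = {table}.cid AND e.timestamp < ?)", (cutoff,))
            deleted[table] = cur.rowcount
    return deleted


def count_rows(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print(age_events(db, 30, SAMPLE_NOW))   # {'data': 2, 'iphdr': 2, 'event': 2}
    print(count_rows(db, "event"))          # 2
```

The timestamp comparison works because the sample stores ISO-formatted text; against a real DATETIME column the same `< ?` comparison applies with a native value instead of the string.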

+ The installation documents have been rewritten almost completely from scratch.  The old 
  documents served their purpose, however the new documents strive to be simpler and easier
  to follow with the categorized sections distributed throughout different files.

+ First generation User Guide is being finalized and should be made public on the website by 
  November 6th (2001). Yes, we understand that until now most of the functionality has been
  a "challenge" to track down - kudos to those of you who have already managed to figure out 
  all the features DEMARC has to offer!  

+ When demarcd detects an invalid ruleset, it still continues on with the last known good
  config/rulesets and reports the error as a "General Alert"; however, it will now also leave
  a copy of the bad config/rulesets in the "conf" directory as "snort<interface>.conf.tst"
  to allow you to manually check why it failed on that sensor.

+ The "Validate Rules" feature on the web interface now shows you which lines were detected
  as invalid, instead of just reporting the line number.

Bugs fixed since 1.05-RC2:

+ "anonymous_user_is_admin" flag now works properly for temporarily escalating the anonymous 
  user's privileges if the admin password has been lost.

+ Workaround implemented for validating flex response rules from the web interface's 
  "Validate Rulesets" feature.

+ New method for starting snort from demarcd eliminates the snort <defunct> problem.

+ General Alerts section now includes a "Check/Uncheck All" feature.

+ dm_load_db.pl script now allows you to only add the DEMARC tables in case you have a
  database that already has the Snort schema.


################################################################################################################

################################################################################################################

--------------------------------------

New Features for DEMARC 1.05-RC2 (partial list)

Home: http://demarc.org/
Email: info@demarc.org

--------------------------------------

+ signature caching for the search page so that it doesn't have to dynamically 
  generate a signature list every time you go to the search form.

+ CIDR IP range searches have been implemented.  This means that you can search
  for a specific range of IPs from the search page instead of just a specific IP,
  e.g. 192.168.10.0/24 would include 192.168.10.0 - 192.168.10.255.
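The CIDR search described above, as an added example (Python; not DEMARC's own search code). It assumes addresses are stored the way Snort's database output plugin stores them, as unsigned 32-bit integers, so a CIDR block becomes a BETWEEN on two integers; the sample event rows are constructed. It also shows the input handling a search form needs: a bare address is a /32, a block with host bits set or an IPv6 prefix is rejected rather than silently widened, and the user's string never reaches the SQL text, only the two derived integers are bound as parameters.

```python
import ipaddress


def cidr_to_range(spec):
    """Turn an IPv4 address or CIDR block into the inclusive (first, last)
    pair of unsigned 32-bit integers it covers. A bare address is a /32.
    strict=True rejects '192.168.10.5/24' (host bits set) instead of quietly
    widening the search to a block the user did not type."""
    net = ipaddress.ip_network(spec, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 searches are supported")
    return int(net.network_address), int(net.broadcast_address)


def ip_range_clause(column, spec):
    """Parameterised WHERE fragment for the search query (MySQL %s paramstyle).
    Only the two integers derived from the search string are bound."""
    first, last = cidr_to_range(spec)
    if first == last:
        return f"{column} = %s", [first]
    return f"{column} BETWEEN %s AND %s", [first, last]


# Constructed sample rows: (cid, ip_src as an unsigned 32-bit int), the way
# Snort's database schema stores addresses (assumption for the example).
SAMPLE_EVENTS = [
    (1, int(ipaddress.IPv4Address("192.168.10.7"))),
    (2, int(ipaddress.IPv4Address("192.168.11.7"))),
    (3, int(ipaddress.IPv4Address("192.168.10.255"))),
    (4, int(ipaddress.IPv4Address("10.0.0.1"))),
]


def search_events(events, spec):
    """In-memory version of the BETWEEN filter; returns matching cids in order."""
    first, last = cidr_to_range(spec)
    return [cid for cid, ip in events if first <= ip <= last]


if __name__ == "__main__":
    print(cidr_to_range("192.168.10.0/24"))                # (3232238080, 3232238335)
    print(ip_range_clause("ip_src", "192.168.10.0/24"))    # ('ip_src BETWEEN %s AND %s', [...])
    print(search_events(SAMPLE_EVENTS, "192.168.10.0/24"))  # [1, 3]
```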

+ Changed snort start from open handle to fork.  This fixes the RC1 problem 
  of snort appearing defunct if it dies.

+ Added "Manual Sensor Config" in the config section for adding/deleting sensors.
  This is especially useful for installing "Snortless sensors" for only 
  monitoring local files/processes.


+ Added ability to exclude rules/rulesets from being updated with RC1's new autoupdate
  feature that updates rules periodically from either sourcefire.com or whitehats.com.
  This is done by placing lines of the following format in the snort.conf file THROUGH 
  the web interface:

##########

EXCLUDE_AUTOUPDATE_RULESET "ruleset_name"
EXCLUDE_AUTOUPDATE_SIGNATURE "signature_name"

##########
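How an autoupdate could honour those two directives, as an added example (Python; not demarcd's own autoupdate code). Two things are assumptions, since the changelog does not define them: "ruleset_name" is taken to be the rules file name (e.g. web-misc.rules) and "signature_name" to be the rule's msg string. Under that reading, an excluded ruleset keeps its local lines untouched and an excluded signature keeps its local rule while the downloaded version is discarded. The snort.conf fragment and the rules are constructed; a commented-out directive is deliberately included to show it is ignored.

```python
import re

# One directive per line, name in double quotes, exactly as documented above.
DIRECTIVE_RE = re.compile(r'^\s*EXCLUDE_AUTOUPDATE_(RULESET|SIGNATURE)\s+"([^"]+)"\s*$')
# The msg option of a Snort rule, used here as the "signature_name" (assumption).
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')


def parse_excludes(conf_text):
    """Collect excluded ruleset and signature names from snort.conf text.
    Lines commented out with '#' do not match the anchored regex and are skipped."""
    rulesets, signatures = set(), set()
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            (rulesets if m.group(1) == "RULESET" else signatures).add(m.group(2))
    return rulesets, signatures


def rule_msg(line):
    m = MSG_RE.search(line)
    return m.group(1) if m else None


def merge_update(current, update, excluded_rulesets, excluded_signatures):
    """Combine downloaded rulesets with the local ones.

    current/update map rules file name -> list of lines. An excluded ruleset
    keeps its local lines. An excluded signature keeps its local rule (if any)
    and the downloaded version is dropped, even if the download no longer
    carries that signature at all."""
    merged = {}
    for name in sorted(set(current) | set(update)):
        if name in excluded_rulesets or name not in update:
            merged[name] = list(current.get(name, []))
            continue
        local_by_msg = {}
        for line in current.get(name, []):
            msg = rule_msg(line)
            if msg:
                local_by_msg[msg] = line
        out, seen = [], set()
        for line in update[name]:
            msg = rule_msg(line)
            if msg is not None and msg in excluded_signatures:
                seen.add(msg)
                if msg in local_by_msg:
                    out.append(local_by_msg[msg])
                continue
            out.append(line)
        for msg in sorted(excluded_signatures - seen):
            if msg in local_by_msg:
                out.append(local_by_msg[msg])
        merged[name] = out
    return merged


# --- constructed sample input -------------------------------------------------
SAMPLE_CONF = """\
var HOME_NET 192.168.10.0/24
# EXCLUDE_AUTOUPDATE_RULESET "scan.rules"
EXCLUDE_AUTOUPDATE_RULESET "local.rules"
EXCLUDE_AUTOUPDATE_SIGNATURE "WEB-MISC test rule"
include local.rules
include web-misc.rules
"""

CURRENT_RULES = {
    "local.rules": ['alert tcp any any -> $HOME_NET 22 (msg:"LOCAL ssh to dmz"; sid:1000001; rev:1;)'],
    "web-misc.rules": [
        'alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC test rule"; content:"/old"; sid:1000002; rev:1;)',
        'alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC cgi probe"; content:"/cgi"; sid:1000003; rev:1;)',
    ],
}

UPDATE_RULES = {
    "local.rules": ["# upstream ships an empty local.rules"],
    "web-misc.rules": [
        'alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC test rule"; content:"/new"; sid:1000002; rev:2;)',
        'alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC cgi probe"; content:"/cgi-bin"; sid:1000003; rev:2;)',
        'alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC new sig"; content:"/x"; sid:1000004; rev:1;)',
    ],
    "scan.rules": ['alert tcp any any -> $HOME_NET any (msg:"SCAN nmap"; flags:S; sid:1000005; rev:1;)'],
}

if __name__ == "__main__":
    rulesets, signatures = parse_excludes(SAMPLE_CONF)
    for name, lines in merge_update(CURRENT_RULES, UPDATE_RULES, rulesets, signatures).items():
        print(name, len(lines))
```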

+ snort.conf file created by demarcd now automatically changes to "snort<if>.conf" 
  to make it easier for multiple NIC installations.

+ added -s <sid>, -m no|yes, and -g switches for demarcd.  please type "demarcd -?" 
  in your shell to get a complete listing of switches and their meanings.

+ "Validate Rules" feature added which allows you to check the validity of the snort
  config/rulesets from the demarc web interface.  This requires snort to be installed
  on the demarc web box and the addition of a tmp/ sub dir under "/usr/local/demarc" 
  (explained in installation/upgrade instaructions) and needs to be chowned to the owner 
  of the webserver process and chmod 700.

+ Added RESET_DB.pl script in /usr/local/demarc/bin/ which allows you to wipe out
  all snort data manually.  This can be useful if your DB accidentally grew to 
  200,000 records and you can't easily access it through the web console anymore.

+ Rules are now automatically checked by demarcd for validity before it updates its 
  running ruleset.  If the updated config/rulesets are found to be invalid, it will
  continue to run with its current working config/ruleset version and throw an error
  that will appear on the demarc web interface as a "General Alert" in the "Quick Stats"
  section.

+ Modified demarcd so it does not just die when it can't contact the mysql server if it has
  successfully connected during that session (i.e. network connectivity problems arise between
  the sensor and the DB); instead it keeps trying every 10 seconds for half an hour, then
  finally gives up.
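The reconnect policy described in that entry, as an added example (Python; not demarcd's code). It keeps the two behaviours apart: a failure on first contact still dies immediately, a lost session is retried every 10 seconds until half an hour has passed, and the window bounds the whole outage rather than the number of sleeps (no final attempt after the deadline). The clock, the sleep and the flaky connect function are injected fakes so the policy runs offline; the real daemon would pass its MySQL connect routine and the real `time` functions.

```python
import time

RETRY_INTERVAL = 10          # seconds between reconnect attempts (from the changelog)
RETRY_WINDOW = 30 * 60       # keep trying for half an hour, then give up


class DatabaseGone(Exception):
    """Raised once the reconnect window has been used up."""


def reconnect(connect, had_session, now=time.monotonic, sleep=time.sleep,
              interval=RETRY_INTERVAL, window=RETRY_WINDOW):
    """Call connect() until it succeeds or the window runs out.

    had_session: whether this daemon run has reached the DB before. A failure
    on first contact is treated as a configuration problem and raised at once;
    only a lost session is retried. now/sleep are injectable for testing."""
    if not had_session:
        return connect()
    deadline = now() + window
    attempts = 0
    while True:
        attempts += 1
        try:
            return connect()
        except ConnectionError as exc:
            # Never sleep past the deadline and then try "one more time":
            # the window bounds the whole outage, not just the naps.
            if now() + interval > deadline:
                raise DatabaseGone(f"gave up after {attempts} attempts") from exc
            sleep(interval)


# --- constructed stand-ins so the policy runs offline -------------------------
class FakeClock:
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def flaky_connect(failures_before_success):
    """Returns (connect, calls): connect() raises ConnectionError the first
    `failures_before_success` times, then returns a handle string."""
    calls = {"n": 0}

    def connect():
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise ConnectionError("mysql server unreachable")
        return "db-handle"
    return connect, calls


def run_scenario(failures_before_success, had_session=True):
    """Drive reconnect() against the fakes; returns (result, attempts, seconds)."""
    clock = FakeClock()
    connect, calls = flaky_connect(failures_before_success)
    try:
        result = reconnect(connect, had_session, now=clock.now, sleep=clock.sleep)
    except (DatabaseGone, ConnectionError) as exc:
        result = type(exc).__name__
    return result, calls["n"], clock.t


if __name__ == "__main__":
    print(run_scenario(5))                      # ('db-handle', 6, 50.0)
    print(run_scenario(10**6))                  # ('DatabaseGone', 181, 1800.0)
    print(run_scenario(1, had_session=False))   # ('ConnectionError', 1, 0.0)
```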

+ Fixed a date-formatting bug that caused NIDS alerts over a day old to be displayed incorrectly.

+ Fixed error where main_monitor_sid was not being pulled out of the config file correctly.

+ Fixed priorities bug that caused the "Change all priorities..." functions not to work.


################################################################################################################

################################################################################################################

--------------------------------------

New Features for DEMARC 1.05-RC1 (partial list)

Home: http://demarc.org/
Email: info@demarc.org

--------------------------------------


[Frontend Console]
----------------------

+Optimized queries to significantly reduce page loadtime and allow 
 the DB to grow significantly larger without any increase in page loadtime.

+Graphing is now available for any search queries, or directly from the main
 page for the top signatures of the day.

+ARIN lookups have been fixed to not only work happily on BSD and Linux, but
 also include a list of registries on which to try the query.

+Miniview can now be hidden when not needed or undocked, thereby further
 reducing page loadtime.

+Implemented caching on the unique events table, and removed caching from the 
 latest alerts from the 3 major categories on the Miniview. This has a net 
 effect of increasing speed of the main page, while keeping the most important
 stats in the Miniview as realtime updates.

+Added ability to delegate administrative responsibilities; Users can now have
 user level access, full administrative access, or a number of shades in between.

----------------------


[Client]
----------------------

+Runs as a true daemon.

+Supports multiple snort processes on the same machine.

+Optionally can set a timer to automatically download and
 implement the latest snort rules from either
 http://snort.sourcefire.com/ or http://www.whitehats.com/
 on a regular basis.

+Ability to bring up a new sensor by supplying a -I (install) flag to
 the client.

----------------------


[Integrity Checking]
----------------------

+Added the ability to check websites as well as files for changes.

+Added "IGNORE" class of rules which allow you to exclude files from
 being checked even if they're in a directory that's been set to be
 checked.

----------------------


[NIDS]
----------------------

+Added ability to search for which rulesets contain specific signatures
 straight from the event detail screen for that signature.

+Fixed ability to copy rulesets between SIDs.

-----------------------


[Host/Service Monitoring]
-----------------------

+Added built-in ability to check for DNS hijacking on any monitored
 remote service and notify via standard channels.

+Added process checking + optional automatic process regeneration.

+Added fully customizable log file monitor.

-----------------------


