-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathChangeLog
730 lines (407 loc) · 21.2 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
--- version 2.9.3
* added support for built-in action list variables %.chr32, ..., %.chr255
that are set to ASCII 32..255 characters.
--- version 2.9.2
* starting from this version, list of event occurrence times that correspond
to event group string tokens is passed to PerlFunc and NPerlFunc event
group patterns as an additional parameter.
--- version 2.9.1
* added support for 'egtoken*' fields in EventGroup rules.
* starting from this version, list of event group string tokens is passed
to PerlFunc and NPerlFunc event group patterns as an additional parameter.
--- version 2.9.0
* added support for 'cmdexec', 'spawnexec', 'cspawnexec', 'pipeexec'
and 'reportexec' actions.
* added support for 'shell' field in SingleWithScript rules.
* added support for 'egptype' and 'egpattern' fields in EventGroup rules.
* added support for %.sp built-in action list variable.
* added ipv6 support for 'tcpsock' and 'udpsock' actions.
* bugfixes for 'write', 'writen', 'owritecl', 'udgram', 'ustream',
'udpsock' and 'tcpsock' actions (exceptions from syswrite() and send()
are now handled, and 'ustream' action no longer blocks on Linux when
peer backlog queue is full).
* improved socket handling routines.
* improved error reporting for invalid command line arguments.
* starting from this version, a program provided with --timeout-script
command line option is executed without shell interpretation.
* starting from this version, SEC uses Perl JSON::PP module instead of
JSON module (JSON::PP is included in the standard Perl installation).
--- version 2.8.3
* added support for collecting rule performance data, and
the --ruleperf and --noruleperf command line options.
* improved dump file generation in JSON format (some numeric fields
that were reported as JSON strings are now reported as JSON numbers).
--- version 2.8.2
* added support for 'varset' action.
* fixed a bug where reference to $:{cacheentry:varname} match variable
for non-existing pattern match cache entry would create an empty entry.
--- version 2.8.1
* fixed a bug in dump file creation routine (a perl warning message was
written to standard error if --dumpfjson command line option was used
without Perl JSON module being present).
--- version 2.8.0
* added support for dynamic input files, and 'addinput' and 'dropinput'
actions for managing dynamic inputs.
* added support for signal emulation and 'sigemul' action.
* added support for 'setltime' action.
* starting from this version, the 'lcall' action supports the :> operator.
* added support for $+{_intcontext} match variable.
* improved input file rotation handling.
* improved action list parsing.
* bugfixes for 'setwpos' action.
* added support for creating dump files in JSON format, and
the --dumpfjson and --nodumpfjson command line options.
--- version 2.7.12
* fixed a bug in context expression parsing routine and improved
the logging of parsing errors.
--- version 2.7.11
* added support for the --user, --group and --umask command line options.
* starting from this version, SIGPIPE signal is ignored globally
in all parts of the code.
* improved the handling of SIGTERM signal.
* optimized IO routines, signal handling and exit status collection
for child processes.
* improved command line parsing and error reporting.
* changes in rule parsing routines (only ASCII digits are allowed in
numeric rule fields).
* starting from this version, the default value for the --blocksize
command line option is 8192.
* fixed a bug in the code which checks the status of TCP sockets.
--- version 2.7.10
* added support for built-in action list variables %.chr0, ..., %.chr31
that are set to ASCII 0..31 control characters.
--- version 2.7.9
* added support for built-in action list variables %.nl, %.cr and %.tab
that are set to special characters, and time-related built-in action
list variables %.sec, %.min, %.hour, %.hmsstr, %.mday, %.mdaystr, %.mon,
%.monstr, %.year, %.wday, %.wdaystr, %.tzname, %.tzoff and %.tzoff2.
--- version 2.7.8
* added support for the --dumpfts and --nodumpfts command line options.
* added support for the 'assignsq' action.
* starting from this version, SEC_PRE_RESTART, SEC_PRE_SOFTRESTART, and
SEC_PRE_LOGROTATE internal events are generated before processing
SIGHUP, SIGABRT, and SIGUSR2 signals.
* starting from this version, the default value for
--keepopen/--nokeepopen command line options is --keepopen.
--- version 2.7.7
* added support for the 'writen', 'closef', 'closeudgr', 'closeustr',
'closeudp' and 'closetcp' actions.
* starting from this version, the default value for the --bufsize
command line option is 0 (detect appropriate input buffer size
automatically).
* starting from this version, the default value for
--jointbuf/--nojointbuf command line options is --nojointbuf.
--- version 2.7.6
* added support for the 'cspawn' and 'cevent' actions which allow
for generating synthetic events with custom internal contexts.
* fixes for logging the execution of 'shift' and 'pop' actions.
* starting from this version, warnings are produced for duplicate
keywords in rule definitions.
--- version 2.7.5
* starting from this version, continue* rule parameters accept 'EndMatch'
as a value.
--- version 2.7.4
* added support for the 'owritecl' action.
* added support for the --childterm, --nochildterm, --rwfifo and --norwfifo
command line options.
* starting from this version, SEC_LOGROTATE internal event is generated
on the reception of SIGUSR2.
* starting from this version, the --notail option implies reading from
input pipe until all writers have closed the pipe (in previous versions,
--notail closed the pipe when no data were available for reading)
--- version 2.7.3
* improvements to 'spawn', 'write', 'udgram', 'ustream', 'udpsock' and
'tcpsock' actions.
* starting from this version, process interactivity check is accomplished
with POSIX getpgrp() and tcgetpgrp() functions.
* fixed a bug in substituting ${number} match variables.
--- version 2.7.2
* fixed a bug in the parsing of the 'rewrite' action.
--- version 2.7.1
* added support for the 'udgram', 'ustream', 'udpsock' and 'tcpsock' actions.
* changed the behavior of the 'write' action -- instead of opening and closing
the file on each access, 'write' now keeps the file open across writes.
* added support for the --socket-timeout command line option.
--- version 2.7.0
* added support for the 'if', 'while', 'break', 'continue', 'prepend',
'pop', 'shift', 'exists', 'getsize', 'getaliases', 'getltime', 'getctime',
'setctime' and 'free' actions.
* added support for varset and :> operators in context expressions.
* added support for $:{cacheentry:varname} match variables which refer
to variables from previously cached matches.
* starting from this version, PerlFunc pattern can set named match variables.
* starting from this version, the 'set' action does not change the context
lifetime if '-' is specified for lifetime.
* changed the dumpfile format to highlight frequently matching rules.
--- version 2.6.2
* added support for the --jointbuf and --nojointbuf command line options.
* added support for the 'rewrite' action.
* starting from this version, 'eval', 'call' and 'lcall' actions set
the output variable to 'undef' if no value is returned from Perl code.
--- version 2.6.1
* added support for the $+{_inputsrc} match variable.
* added support for the --keepopen and --nokeepopen command line options;
also, dashes can be used instead of underscores in all option names.
* starting from this version, Calendar rules are processed immediately
after SEC startup procedures.
--- version 2.6.0
* added support for the EventGroup rule.
* starting from this version, the Calendar rule accepts a year condition
in the time specification.
* added support for the 'lcall', 'getwpos' and 'setwpos' actions.
* added support for the named match variables and variable maps.
* added Cached and NCached pattern types, and support for pattern match
caching.
* starting from this version, all unset or undefined variables are
substituted with empty strings.
--- version 2.5.3
* starting from this version, the 'set' action without the action list
parameter does not clear the action-list-on-expiration for a context.
* starting from this version, a context can be referred by the context
name _THIS in its action-list-on-expiration.
* implemented additional sanity check for context names in context
expressions (context names may not contain spaces).
--- version 2.5.2
* starting from this version, step values can be used in 'time' field
of the Calendar rule.
--- version 2.5.1
* fixed a bug in the 'eval' action - code reference return values were
not handled correctly.
--- version 2.5.0
* added support for the Jump and Options rule.
* starting from this version, the 'continue' parameter of rules accepts
'GoTo <label>' for its value.
* added support for GoTo labels in configuration files
(set with the 'label' keyword).
* SIGINT can now be used for changing the logging level.
--- version 2.4.2
* starting from this version, 'create' and 'set' actions accept variable(s)
for the context lifetime.
* added 'tevent' action.
--- version 2.4.1
* improved the daemonization code.
* changed Sys::Syslog::openlog() options from 'cons,pid' to 'pid'.
* starting from this version, 'logonly' action has an optional parameter.
--- version 2.4.0
* added support for the SEC resource file.
* added support for the 'rem' parameter for all rule types.
* added support for the 'action2' parameter for SingleWithThreshold rules.
* added support for -help and -version command line options.
* starting from this version, SIGABRT does not clear event correlation
operations for rule files that have not been modified.
* starting from this version, the context expression &&- and ||-operator
are short-circuiting.
* starting from this version, SEC does not overwrite its dumpfile.
* starting from this version, the dumpfile contains environment information.
* starting from this version, -reopen_timeout=N command line option forces
SEC to reopen only those files that have been closed for N seconds.
* starting from this version, undef values returned by 'eval' and 'call'
actions will be replaced with empty strings before assigning them to
%-variables.
--- version 2.3.3
* fixed a bug in the open_input() function - when file pattern with wildcards
was specified for the -input option and the -intcontexts option was given,
single internal context was incorrectly set for input sources corresponding
to the file pattern.
--- version 2.3.2
* calls to Sys::Syslog functions are now enclosed in eval { }, in order
to trap die() calls from those functions.
* modified pattern matching functions.
* input source names are now also passed as parameters to PerlFunc and
NPerlFunc pattern functions.
--- version 2.3.1
* fixed a bug in the closelog() function call which caused SEC to terminate
on the reception of SIGHUP, SIGABRT, and SIGUSR2 signals when SEC was started
with the -syslog option.
--- version 2.3.0
* added PerlFunc and NPerlFunc pattern types.
* added 'call' action.
* added support for Perl function operands in context expressions.
* added support for user-defined variables of custom length.
* changed the apostrophe masking algorithm for the -quoting option.
* changed the context lifetime checking algorithm.
* more efficient runtime handling of action lists and context expressions.
* more efficient handling of Calendar rules (the context expression will
be checked after the time pattern).
* the dump file now contains the time of the last configuration load.
* if the -syslog option has not been specified, SEC can now work without
the Sys::Syslog module.
--- version 2.2.5
* added TValue pattern type.
* added 'obsolete' action.
* added -check_timeout flag.
* added performance improvements.
* %-signs in syslog messages are now converted to %% before calling
syslog(), in order to avoid warnings printed from Sys::Syslog module.
--- version 2.2.4
* fixed a bug in calling syslog openlog() that caused SEC to terminate
with older versions of Perl.
--- version 2.2.3
* added support for the syslog-style logging and the -syslog option
(with the help of the Sys::Syslog module).
* added support for the \0-construct in substring patterns.
* fixed a bug that caused SEC to skip empty lines (lines made up of
just the newline character).
--- version 2.2.2
* revised some regular expressions that are used for analyzing action
definitions in configuration file(s).
* SEC now generates SEC_SOFTRESTART internal event when it receives SIGABRT.
--- version 2.2.1
* fixed a bug that caused SEC to reset explicit internal context names
to implicit default names, e.g., due to the bug the explicit name LOG
that was given with -input=logfile=LOG became _FILE_EVENT_logfile after
SIGHUP or SIGABRT.
--- version 2.2.0
* added support for multiple input files
* added support for internal contexts (activated with -intcontexts or
-input=<pattern>=<context> option)
* added support for context aliasing (with 'alias' and 'unalias' actions)
* added support for negative pattern matching (with NRegExp and NSubStr
pattern types)
* added support for the []-operator in context expressions
* included a workaround for the Perl regexp bug that prevented SEC for
reading its configuration files (this bug appeared when the LANG environment
variable was set to utf8, causing SEC to log error messages about lines not
conforming to keyword=value format).
--- version 2.1.11
* added 'fill', 'copy', and 'empty' actions.
--- version 2.1.10
* 'pipe' and 'report' actions are now able to write to standard output.
* SEC internal event is now also generated when SEC reaches the end of
file, and it was started with -notail and -intevents options.
* 'write' action now checks whether write(2) to a pipe transferred all bytes.
--- version 2.1.9
* $- and %-variables can now be used in Perl miniprograms (in context
expressions and 'eval' actions).
* 'write' action now supports standard output as its output file.
* improved the $- and %-variable masking algorithm - in addition to the
masking facilities (e.g., %%t) one can use $$ or %% to get the $ or %
sign before the variable values (e.g., $$$1 now evaluates to
$<1st backref value>, while with the previous version it yielded $$1).
* Parentheses in context and action definitions can now be masked with
backslashes.
--- version 2.1.8
* SEC now reports incorrect values for 'continue' and 'continue2'
keywords in rule definitions.
* Most action parameters (those that are free-form strings by their nature)
can now be enclosed in parantheses, in order to mask possible ; symbols,
and prevent SEC from splitting the action list in wrong places.
* Prior to this version, it was possible to use only special variables
$0,...,$9 and %0,...,%9 in SEC rule definitions (e.g., $10 was considered
to be $1 followed by the '0' symbol); this has been fixed.
* Special variables $0, $1, ..., and %0, %1, ... can now be masked by
adding the $- or %-prefix to them, e.g., $$1 becomes $1 when $-variables
are evaluated.
* User-defined %<letter> variables can now be masked by adding the %-prefix
to the variable, e.g., %%t does not evaluate to the %-sign followed by
the current timestamp, but rather becomes %t.
* The SEC dumpfile now contains the current date, time, and version number.
* Added -evstoresize, -testonly, and -notestonly flags.
--- version 2.1.7
* Added 'assign' and 'eval' actions, and added support for user-defined
variables.
* SEC context expressions can now contain Perl miniprograms as operands
that will be evaluated with Perl eval() function.
* If the parameter for 'event' action contains newlines, the parameter
will be split into lines (i.e., split into parts by using newline as a
delimiter), and 'event' action will be executed for each line separately.
* Prior to this version, if the last line in the SEC input file was not
terminated with a newline, SEC still processed it immediately.
This caused problems with lines that were appended to the input file with
more than one write. SEC will now consider the line complete and ready
for processing only after the terminating newline has been written.
* Prior to this version, if the backreference values inserted to SEC actions
contained strings %s, %t and %u, they were erroneously considered to be
special variables and replaced with their values. This has now been fixed
by temporarily masking all %-characters in backreference values, in order
to avoid clashes with %s, %t, %u, and user-defined %<letter> variables.
* %-variables can now be used in <filename> parameter of the 'write' action.
--- version 2.1.6
* Added -intevents and -nointevents flags. The -intevents flag will force
SEC to generate internal events when SEC is started and when SEC receives
certain signals.
* Prior to this version, SEC used the following scheme for starting external
commands: a separate intermediate process was created that handled the
communication with the running command (e.g., data piping to the standard
input of the command). Since shellcmd and spawn actions do not require
this sort of synchronous communication, SEC does not create intermediate
processes for these actions anymore.
--- version 2.1.5
* SEC now uses perl strict module
--- version 2.1.4
* fixed the perl close() bug in pipe_cmd() function by using
IO::Handle->flush(). This bug caused the SingleWithScript rule to
produce incorrect results with some perl versions and OS platforms.
* moved a code fragment from shell_cmd() function to execute_actionlist()
--- version 2.1.3
* fixed a minor bug in analyze_action() function for 'delete' action (it
is now verified that the parameter for 'delete' contains no whitespaces)
* improved the code for daemonization
--- version 2.1.2
* added 'write' action
* introduced -debug flag to customize SEC logging
* introduced %t and %u variables that can be used in the
action field of the rule definition (like %s variable).
* -pid and -log flags are now optional
--- version 2.1.1
* fixed a bug in shell_cmd(): if 'shellcmd' action wrote something to its
stdout in version 2.1, the action terminated with 'broken pipe' condition
(exit code 141) because no-one was reading the written data.
--- version 2.1
* added 'spawn' action
* IO and IPC handling functions have been completely rewritten - input
data are read by blocks, interrupted system calls are handled in a better
way, child processes are sent SIGTERM when SEC terminates, etc.
* SIGTERM can now be used to terminate SEC gracefully
* changed default value for -cleantime flag to 1 second
* added -poll_timeout and -blocksize flags
* changed PairWithWindow rule handling in process_rules2
--- version 2.0.2-1, 2.0.2-2
* minor fix of timed_tasks()
* minor fix of analyze_action()
--- version 2.0.1, 2.0.2
* Windows fixes
* Added -fromstart and -nofromstart flags
* Improved SingleWithScript rule: added optional action2 parameter;
an external program given with 'script' parameter is now supplied
with the names of all existing contexts (through stdin of the program)
* added check whether dumpfile is a symbolic link
* changed input_shuffled(): fixed file decrease check; SEC will now
exit when some major errors occur (failed stat() and failed sysseek()
on the input filehandle)
--- version 2.0
* configuration file format changed from old field&separator-style format
to new keyword&value-style format
* added support for multiple configuration files
* added support for parantheses in context definitions
* SIGABRT can now be used for invoking "soft" configuration reloads
* changed the parameters for 'create' action
* added 'pipe', set', 'add' and 'report' actions.
* added support for 'context2' parameter in Pair* rules
* added support for $0 and %0 special variables in regexp matches
--- version 1.1.2
* Improved error logging
--- version 1.1.1
* SEC now follows input files by the name and not by i-node (i.e., if
input file is recreated or truncated, SEC transparently reopens the file
and starts to process it from the beginning).
* SIGUSR2 is now used for logfile rotation only.
--- version 1.1
* improved logging (log messages will also be written to STDERR, if STDERR
is connected to terminal - this facilitates interactive debugging)
* changed input handling from buffered to non-buffered
(sysopen, sysread and sysseek are now used instead of open, <> and seek)
* removed behaviour-after-match field from Suppress rule definition
* added Calendar and SingleWithScript rules
* added support for && and || operators in context definitions
* added support for action lists
* improved create, delete, event and reset actions
* added %1, %2, ... special variables to Pair and PairWithWindow rules
* replaced itosvstream.c with more advanced itostream.c
--- version 1.02
* fixed read_line(), open_input() and match_regexp() subroutines
--- version 1.01
* improved the handling of SIGHUP and SIGUSR2: on the reception of those
signals input file will also be reopened (in addition to other procedures)
* read_line(): changed input error handling (program does not try to
reopen the input stream, but calls exit(1) instead)