NEWS
* 2020-09-09, prelude-lml-5.2.0:
No new changes.
* 2020-08-04, prelude-lml-5.2.0rc2:
Author: Antoine Luong
- Change company name
- Fix max-rotation-size-offset parsing
* 2020-07-23, prelude-lml-5.2.0rc1:
Author: Antoine Luong
- Document the log-max-length option
* 2020-06-30, prelude-lml-5.2.0beta2:
* 2020-06-19, prelude-lml-5.2.0beta1:
No new changes.
* 2019-09-13, prelude-lml-5.1.0:
No new changes.
* 2019-09-04, prelude-lml-5.1.0rc1:
Author: Song Tran
- Update SELinux policies
* 2019-07-17, prelude-lml-5.1.0beta1:
Author: Yoann Vandoorselaere
- Prevent partial AdditionalData in case of empty match
* 2019-03-15, prelude-lml-5.1.0alpha1:
Author: Antoine Luong
- Correctly handle one-digit syslog priorities
* 2018-09-07, prelude-lml-5.0.0:
Author: Antoine Luong
- Update GnuLib code
* 2018-08-17, prelude-lml-5.0.0rc1:
* 2018-05-04, prelude-lml-5.0.0beta2:
No new changes.
* 2018-04-13, prelude-lml-5.0.0beta1:
Author: Antoine Luong
- Update GnuLib code
* 2018-02-09, prelude-lml-4.2.0rc1:
No new changes.
* 2017-07-21, prelude-lml-4.1.0:
Author: Thomas Andrejak
- Fix missing end condition
* 2017-07-13, prelude-lml-4.1.0rc2:
Author: Thomas Andrejak
- Add info about milliseconds in Apache time-format
- Fix lines with only include directives
Author: Yoann Vandoorselaere
- Update GnuLib code
* 2017-06-30, prelude-lml-4.1.0rc1:
* 2017-06-23, prelude-lml-4.1.0beta2:
No new changes.
* 2017-06-16, prelude-lml-4.1.0beta1:
Author: Yoann Vandoorselaere
- Fix LML exit status
* 2017-02-16, prelude-lml-4.0.0:
* 2017-02-12, prelude-lml-4.0.0rc3:
* 2017-02-03, prelude-lml-4.0.0rc2:
* 2017-01-27, prelude-lml-4.0.0rc1:
No new changes.
* 2017-01-12, prelude-lml-4.0.0beta2:
Author: Yoann Vandoorselaere
- Update GnuLib/libev code
- Get rid of libgcrypt
* 2016-12-23, prelude-lml-4.0.0beta1:
Author: Song Tran
- Add SELinux policy for using unreserved ports on rhel7
* 2016-09-14, prelude-lml-3.1.0:
* 2016-09-01, prelude-lml-3.1.0rc3:
No new changes.
* 2016-08-19, prelude-lml-3.1.0rc2:
Author: Thomas Andrejak
- Allow the libev on system to be used
* 2016-08-05, prelude-lml-3.1.0rc1:
Author: Thomas Andrejak
- Rename configure.in to configure.ac
Author: Yoann Vandoorselaere
- Update libev and GnuLib code
* 2016-04-22, prelude-lml-3.0.0:
* 2016-04-15, prelude-lml-3.0.0rc4:
* 2016-04-08, prelude-lml-1.3.0rc3:
* 2016-04-01, prelude-lml-1.3.0rc2:
* 2016-03-25, prelude-lml-1.3.0rc1:
No new changes.
* 2016-03-18, prelude-lml-1.3.0beta2:
Author: Song Tran
- Add SELinux policies for using TCP and UDP syslog server
* 2016-03-01, prelude-lml-1.3.0beta1:
Author: Thomas Andrejak
- Change 'Equipe Prelude' to 'Prelude Team'
* 2016-01-11, prelude-lml-1.3.0alpha1:
Author: Tran Song
- Add SELinux policy
Author: Antoine Luong
- [#641] Fix crash when no authmode is defined in TLS configuration
Author: Thomas Andrejak
- Update from prelude-ids.org to prelude-siem.org
Change mailing lists to forums.
* 2015-07-27, prelude-lml-1.2.6:
No changes.
* 2014-10-15, prelude-lml-1.2.6rc3:
Author: Yoann Vandoorselaere
- Update Gnulib code, remove obsolete
* 2014-09-23, prelude-lml-1.2.6rc2:
Author: Yoann Vandoorselaere
- Update libev code
- Update GnuLib code
* 2014-09-16, prelude-lml-1.2.6rc1:
Author: Yoann Vandoorselaere
- Fix crash with recent libprelude version
* 2014-07-07, prelude-lml-1.2.5:
- Improve debugging output
- Initial TCP/TCP-TLS support
* TCP server support has been added and can be activated using the
tcp-server option, the default port is 514.
* TCP-TLS server support has been added and can be activated using the
"tcp-tls-server" option, the default port is 6514. The system supports
anonymous authentication using the (anon-(EC)DH) key exchange protocol as
well as X.509 authentication, which may be used with or without client
certificate verification ("tls-verify" option). Certificate verification
may include fingerprint (MD5 or SHA1) and/or name verification with the
use of the "tls-trusted-fingerprint" and "tls-trusted-name" options.
Multiple TCP(/TLS) servers may be configured, listening on different ports
with different options.
- Removed rhel6 packaging
- Fix compilation warning
- Update libev
Update to latest libev version, some compatibility fixes
- Autoconf / Automake fixes, GnuLib code update.
Update configure.in to fit the latest autoconf and automake changes.
Remove obsolete autoconf macros, and update to newer ones.
Configure script generation and the distcheck target are now working again.
* 2013-09-18, prelude-lml-1.0.2:
- Removed rulesets. Rulesets are now shipped with the prelude-lml-rules module.
- Fixed recursive inclusion of headers
- Fixed #520: start problem with UDP and SELinux
- Added /var/log/secure in the default monitored log files
* 2012-06-06, prelude-lml-1.0.1:
- Changed copyrights
- Added packaging for rhel6
- Contributed rules by <[email protected]>
Added rules for Cisco IPS 4200, Juniper SSLVPN, Symantec SEP 12.1 AV, FreeRADIUS
Updated rules for Cisco ASA
* 2010-03-16, prelude-lml-1.0.0:
- Minor changes since rc2.
* 2010-02-08, prelude-lml-1.0.0rc2:
- File notification improvement: some cases where file notification was
not working appropriately were fixed. Improved handling of file
deletion (optionally followed by a file creation event).
- There were various cases where the previous code would mishandle the
metadata write/verification. All known issues are now fixed.
- There was no monitoring for standard input: everything was read once
upon start and further input was ignored.
- Fix possible truncation of dispatched log, when the string contained
multiple NUL terminators. Fixes a regression of LML 1.0.0rc1.
- Statistics were missing for UDP server input.
- Minor events reporting improvement, and bug fixes.
- Improve large file handling.
* 2010-01-29, prelude-lml-1.0.0rc1:
- Support for character encoding and conversion to UTF-8. The user
can specify a different character encoding for each file.
- Automatic character set detection: if none is specified by the user,
the implementation will attempt to detect the character set used for a
given file. In case the detection fails, the system default will be
used.
- Log entries are now converted to UTF-8 before processing. This fixes a
problem where users could see incorrect characters in reported alerts,
since they carried data that could involve different character
sets.
- Include Snare ruleset, courtesy of Nicholas Nachefski
- [ModSecurity]: Events generated were missing some AdditionalData
information.
- [Netfilter]: ruleset compatibility with Ulogd, various improvements.
- Various bug fixes.
* 2009-07-16, prelude-lml-0.9.15:
- Make the Prelude-LML UDP server IPv6 compatible.
- Implement 'idmef-alter' and 'idmef-alter-force' options, allowing
static values to be included in IDMEF events generated using a given
format.
- New PPP/PPTPD/L2TP ruleset, by Alexander Afonyashin <[email protected]>,
with slight modification from Pierre Chifflier <[email protected]>.
Close #340.
- Fix CISCO VPN ruleset so that the 'Authentication rejected' rule will
trigger even if the 'server' field does not contain a word (fix #328).
- Remove dos-style end-of-lines (Closes #338)
- Fix a possible off-by-one when parsing variable reference numbers, and
remove an unneeded check that would always evaluate to TRUE. Thanks to
Steve Grubb <[email protected]> for reporting this problem (and
running flexelint on the Prelude sources)!
- Update for libtool 2.x compatibility.
- This simplifies the whole regular expression handling a lot, making the
code much easier to read, and fixing a potential problem with ovector
assignment. This code should also improve performance by a small
factor.
- Change CISCO reference URLs to their new location, add a CISCO ASA rule
to handle discarded TCP or UDP packets.
- Various fixes and updates.
* 2008-10-17, prelude-lml-0.9.14:
- Fix a log file permission error that could happen even though the user
Prelude-LML was running as could access the file (#291).
- ModSecurity ruleset update, by Dan Kopecek <[email protected]>:
provides a much more descriptive classification.text, adds regexps for
[file ..], [line ...], [tag ...] fields and fine-tunes targets/types
(#321).
- Deprecate Gamin/FAM support in favor of libev: the previous implementation
had problems on SELinux-enabled systems due to the Gamin server startup being
triggered by another program, and thus using an improper role for Prelude-LML
(#326).
- Improved polling architecture by using Operating System specific backends
when possible.
- We now monitor files that are not immediately available for reading on
startup: once the file can be monitored, libev provides us with a notification.
* 2008-08-21, prelude-lml-0.9.13:
- ModSecurity ruleset rewrite, by Peter Vrabec <[email protected]> and
Dan Kopecek <[email protected]>. This ruleset handles ModSecurity 2.0
output. (Fix #216).
- New rulesets for FreeBSD su attempts, by Alexander Afonyashin <[email protected]>
(Fix #304).
- Add additional format to the default configuration to deal with the Apache
error_log file format, by Alexander Afonyashin <[email protected]> (Fix #307).
- Normalize some classification: introduce Remote Login, and
Credentials Change. Cleanup SSH ruleset, and remove duplicated rules.
- Automated regression tests on make check.
* 2008-04-24, prelude-lml-0.9.12.2:
- Fix wrong ruleset/config installation path.
* 2008-04-23, prelude-lml-0.9.12.1:
- Fix undefined reference with non-FAM build.
* 2008-04-23, prelude-lml-0.9.12:
- [rulesets]: Remove successful/failure keyword from classification
(use IDMEF completion). Analyzer class sanitization.
- [nagios] Handle Nagios V2 log entry (fix #283).
- [spamassassin] Fix incorrect AdditionalData assignment.
- New Suhosin ruleset, by Sebastien Tricaud <[email protected]>
- Fix invalid logfile inconsistency alert that could be triggered
in a rare case, after a renaming detection. Alert improvement.
- On logfile inconsistency alert, do not re-analyze the whole file.
- Remove the 1024 bytes per PCRE reference limit.
- Minor bug fixes, build system cleanup.
* 2007-12-17, prelude-lml-0.9.11:
- Asterisk log format and new ruleset for SIP REGISTER method, by
Sébastien Tricaud <[email protected]>.
- Honeytrap ruleset, by Bjoern Weiland (Fix #244).
- Kojoney honeypot ruleset, by Bjoern Weiland (fix #245).
- Fix performance regression due to the introduction of OpenHostAPD
ruleset. This double Prelude-LML performance.
- New rule to ignore cron jobs, by Pierre Chifflier
<[email protected]> (fix #266).
- [ntsyslog]: Fix regex 1403, so it matches the provided log sample,
by Pierre Chifflier <[email protected]>.
- [bonding]: Fix a few typos, and use the same type of end of line
(do not use mixed mode for CR and CR/LF) (fix #219), by
Pierre Chifflier <[email protected]>.
- Replace 'ignore-metadata' option with a new 'metadata' option.
Available arguments are: 'head' (start log analysis from the head of
the file), 'tail' (start log analysis from the tail of the file),
'last' (start log analysis from the last known position of the file),
'nowrite' (don't write any metadata while analyzing log files).
Example: --metadata=tail,nowrite
- Improve LML logging messages, make them less confusing.
* 2007-08-08, prelude-lml-0.9.10.1:
- Make SSH rules IPv6 compliant, allowing old IPv6-only rules to be
merged with IPv4 rules. Some additional minor
bug fixes (fix #232).
- Fix incorrect target user assignment, as well as incorrect
PCRE reference in assessment.impact.description
(Paul Robert Marino <[email protected]>) (fix #232).
- Cisco router ACLs can now use names instead of numbers. This made
rule id=500 in cisco-router.rules fail to alert on packet denies on newer
Cisco devices (Paul Robert Marino <[email protected]>).
- Fix Apache formatting when the Apache logname or user is set
(Robin Gruyters <[email protected]> and <[email protected]>)
(fix #229).
- Invalid user.user_id(0).name assignment in SSH rule 1913
(Scott Olihovik <[email protected]>) (fix #243).
- Various bug fixes and minor improvements.
* 2007-05-19, prelude-lml-0.9.10:
- Ability to use regular expressions in plugins.rules to define
monitored sources; this can be very useful when combined with file globbing.
- [SPEEDUP] When the "*" keyword is used, the data is passed to the upper
layer without trying to match anything.
- Fix NULL pointer dereference when a rule references an existing,
but empty context (fix #226).
- Remove deprecated use of prelude_client_print_setup_error(),
directly handled via prelude_perror().
- Make the log parser more robust.
* 2007-05-02, prelude-lml-0.9.9:
- Patterns can now be used to specify files to be monitored.
- Fix an issue in the detection of buggy writev() FAM notification.
- Add bonding.rules, by Paul Robert Marino <[email protected]>.
- ModSecurity ruleset update: remove unnecessary fields + ModSecurity 2.0 compatibility.
- New Cisco IOS common ruleset, by Alexandre Racine.
- Avoid duplicating information in node name and node address.
- Add rule ID and revision to the generated alert for each matched rule. Fix #206.
- Various bug fixes.
* 2006-12-20, prelude-lml-0.9.8.1:
- Compile / run under OS X.
- Various portability fixes.
* 2006-12-15, prelude-lml-0.9.8:
- Introduce Cisco ASA IPS module support.
- Introduce yum support.
- Introduce Cacti thold plugin support.
- Introduce Microsoft Cluster Service support.
- Honeyd rules update and improvement.
- Updated NAVCE rules; modified ClamAV rules for consistency.
- Improve NTSyslog ruleset.
- Added rule to ignore LML's "could not match prefix" log entries.
- Fix format problem with Apache logs from the western hemisphere (- versus + TZ).
- Fix Squid process exited rule (#185).
* 2006-09-11, prelude-lml-0.9.7:
- Fix reading from standard input.
- Fix OpenBSD getaddrinfo() problem.
- Add Cisco-CSS support.
- Add Cisco-Router IDS module support.
- Checkpoint ruleset is supported again.
- Support 'fork failure' grsecurity warning, fix 'terminal being sniffed' match.
- NTsyslog ruleset audit.
- Fix WAP11 ruleset.
* 2006-06-10, prelude-lml-0.9.6:
- Fix a bug where some rules marked silent would trigger an alert.
- Load Sonicwall and Spamassassin ruleset by default.
- Fix rule syntax problem in Sonicwall ruleset.
- Fix rule indexing problem in Squid ruleset.
- Postfix rule consistency fix.
* 2006-05-17, prelude-lml-0.9.5:
- Experimental context support (à la SEC): we now handle
multiline log matching.
- Update PAX rules so that they use the new context feature.
- Don't exit on statistics signal, improve statistics precision,
make them easier to read.
- Fix some problems with user & group options.
- text-output argument is optional.
- New experimental rulesets: Sonicwall and Spamassassin. These
need to be manually hooked to pcre.rules if you plan to use
them.
- Fix FAM activation switches.
* 2006-03-06, prelude-lml-0.9.4:
- Remove trailing space from regex we get from plugins.rules (this fixes
a match problem on log entries that didn't contain any space).
- Add --user / --group options to drop privileges. However, make sure it is
not allowed to open files that the target user cannot read, because it
would lead to a failure when trying to re-open the logfile after a rotation.
- Signal handling improvement.
- Fix priority for --quiet option.
- Use newer libprelude IDMEF_LIST_APPEND/IDMEF_LIST_PREPEND addition.
- Add unhandled arguments warning.
* 2006-02-21, prelude-lml-0.9.3:
- Fix a byte ordering issue, resulting in a non-working LML on some
architectures.
- Fix a bug introduced in 0.9.2, that could result in some rules not
being matched.
- Rename udp-srvr option to udp-server, as defined in the
configuration file.
- Marked SELinux rules as experimental.
- Extended modsecurity with additional_data fields, added one rule.
- Add missing "chained" keyword to some Netfilter rules.
- Fixed a simple layout oddity in single.
* 2006-01-31, prelude-lml-0.9.2:
- Get rid of the 1024 characters per line limitation (defined as per
the syslog RFC), since LML is not limited to parsing input from syslog
anymore.
- Handle events in Clamav logging format as well as syslog.
- Abstracted Squid chain regex to allow parsing of data directly
from Squid log files.
- Introduced support for openhostapd.
- Began expanding rulesets with additional_data and vendor-specific
classification data.
- Various ruleset updates and bug fixes.
* 2005-11-24, prelude-lml-0.9.1:
- Fixed bad mssql chain regex.
- Added analyzer name and manufacturer to linksys-wap11 rules.
- Added rules ID 1914 and 1915 for Suse specific PAM log format (#73).
- Updated p3scan rule (id 405) for newer version log format.
- Rework Netfilter ruleset, resulting in a simpler and faster ruleset
matching a wider range of Netfilter log entries. The new implementation
removes part of the Netfilter rules that had to be manually enabled depending
on your Netfilter configuration. This is now handled automatically.
- Implement the ability to have multiple logfile formats per source (#107).
- Implement the ability to start multiple UDP servers and to filter on any server instance.
- Fix issue with Target.node remaining empty on configurations using no-resolve (#108).
- Fix static compilation (#109).
- Fix a possible bug where LML file descriptors were not monitored in daemon mode.
- Fix crash if we could not retrieve the machine canonical name (#100).
- Fix debug plugin crash.
- Various bugfixes.
* 2005-09-20, prelude-lml-0.9.0:
- 0.9.0 final.
- Standardized usage of service.iana_protocol_name /
service.iana_protocol_number over service.protocol.
* 2005-09-12, prelude-lml-0.9.0-rc6:
- Netscreen support.
- Nagios rules update.
- grsecurity rules update.
- File path logging according to IDMEF v14.
- Update for gentoo system. Log tty on authentication failure.
- Fix file descriptor leak. Set close-on-exec.
- Log messages for services being turned off are now all 'medium'
severity, while services being turned on are now all 'info' severity.
- Re-establish signal handler for older *nix. Print statistics on SIGQUIT.
* 2005-07-14, prelude-lml-0.9.0-rc5:
- New ruleset for Arbor Networks Peakflow system, by Herve Debar.
- Added preliminary support for PIX conduits.
- Implement the "warning-limit" option. Can be used in order to suppress
reporting of prefix parser errors (warning-limit 0), or to define a limit
on warnings (stop reporting once the threshold is reached). -1 for no limit.
- Improve error reporting.
- Various bugfixes, minor rules update.
* 2005-05-16, prelude-lml-0.9.0-rc4:
- Added systrace, identd, arpwatch, pure-ftpd support.
- Fix a crash upon activation of the debug plugin.
- Fix a Solaris specific issue resulting in invalid alert detect-time.
- Fix possible crash with rule referencing invalid IDMEF path.
Better error reporting on invalid path/invalid value. Always include the rule ID.
- Fix a problem with generated alert possibly containing content gathered from other rules.
- Fix option namespace conflict. Correct --version option.
- Ruleset improvement and fixes.
- Decrease startup verbosity level.
- Add --enable-unsupported-ruleset configure option enabling installation
of currently unsupported rulesets. These rulesets need love, see
http://prelude-ids.org/pipermail/prelude-user/2005-May/000861.html,
and contact Gene R Gomez <[email protected]> if interested.
- New '--dump-unmatched' option, useful for regression testing. Prints out the logs
that were not matched by the current set of rules.
* 2005-04-17, prelude-lml-0.9.0-rc3:
- Introduced SELinux, httpd, Dlink ruleset support.
- More rule classification work.
- Ipv6 support in sshd.rules, support more events.
- Ntsyslog ruleset consistency work.
- Make it easier to use chained rules. Apply chained on all top
inclusion. Result is ~850% performance improvement. Check:
http://prelude-ids.org/pipermail/prelude-user/2005-April/000781.html
* 2005-04-09, prelude-lml 0.9.0-rc2:
- Ruleset update to provide better Analyzer class definition.
- Analyzer class changed from Prelude-LML to Log Analyzer.
- Correct FAM checks.
- Fix IRIX & OpenBSD compilation.
- Set minimum PCRE version requirement to 4.1.
* 2005-03-29, prelude-lml 0.9.0-rc1:
Note: due to several years of work and the habit of working with the new
version, it is hard to recall all the enhancements made in this release.
Please bear with us and try it for yourself :-)
- Handle the whole IDMEF set of objects.
- Support any kind of log format.
- Support for multiple/optional regular expressions.
- Support jump/optional jump between different rules.
- New rules for: Dell OM, Shadow Utils, Modsecurity, P3Scan, Tripwire,
ClamAV, Sendmail, Tripwire, APC Environmental Monitoring Unit, CISCO PIX,
Cisco VPN Concentrator, Microsoft SQL Server, PAM, pcAnywhere, Oracle, Webmin, Wu-Ftpd.
- Per-log-file rulesets are now possible.
- Optimization work.
- Support plugin dl-preopening on platforms without dlopen() or dlsym().
* 2003-10-22, prelude-lml 0.8.6:
- Yoann Vandoorselaere <[email protected]>:
Automatically translate a value from base 8 and 16 to base 10.
- Yoann Vandoorselaere <[email protected]>:
Add a workaround for logs using hexadecimal values without a 0x prefix.
This permits handling, for example, the way ZyXel modems output the
packet port.
- Stéphane Loeuillet <[email protected]>:
Add a new portsentry rule concerning dropped packets.
- Stéphane Loeuillet <[email protected]>:
New ZyXel rules for PPP logs, as well as ruleset improvements
and bugfixes.
- Krzysztof Zaraska <[email protected]>:
Fixed handling of the return value of prelude_inet_getaddrinfo. Fixes
a BSD crash.
- Krzysztof Zaraska <[email protected]>:
Fixed Ipfw ICMP rules. Thanks to [email protected] for the report.
* 2003-10-06, prelude-lml 0.8.5:
- Nicolas Delon <[email protected]>:
Handle the case where a file is rotated by being
compressed and renamed, not only deleted.
- Nicolas Delon <[email protected]>:
Make it work on OpenBSD.
* 2003-09-21, prelude-lml 0.8.4:
- Krzysztof Zaraska <[email protected]>:
Removed bogus pcre.h test in configure.
Handle situation where $fam_include_dir is undefined correctly.
- Yoann Vandoorselaere <[email protected]>:
Make sure we always have a target hostname to use in alert.
- Yoann Vandoorselaere <[email protected]>:
Avoid duplicate rotation alert. In case there was a rotation or
a checksum error, we have to analyze the file from the beginning.
- Yoann Vandoorselaere <[email protected]>:
Use new libprelude IPv6-aware functions in order to populate
Node and Address members.
- Yoann Vandoorselaere <[email protected]>:
Fix a possible crash within metadata handling. I wonder
how it worked before.
- Yoann Vandoorselaere <[email protected]>:
New --group (-g) option that takes a groupname argument:
LML will setgid to the specified group if requested. This
fixes bug #0000081.
- Stephane Loeuillet <[email protected]>:
Add a new variable type for [source/target].service.port
(VARIABLE_TYPE_PORT). Now, ports can contain either a
port number or a service name (www would resolve to 80,
depending on your /etc/services).
- Simon Castro <[email protected]>:
New IPChains ruleset.
- John Green <[email protected]>:
Add Vigor xDSl router built-in firewall support.
- Yoann Vandoorselaere <[email protected]>:
Stop using getc_unlocked(). This function is not available
on some platforms, and we don't need it anymore as we dropped
the threaded architecture.
- Yoann Vandoorselaere <[email protected]>:
Be verbose when we fail opening a logfile.
* 2003-04-24, prelude-lml 0.8.3:
- Yoann Vandoorselaere <[email protected]>:
Implement logfile metadata:
If there is metadata available and the current logfile size is
less than the specified metadata offset, assume the log got
rotated, and start analyzing the file at offset 0.
If there is metadata available and the current logfile size is
greater than or equal to the specified metadata offset, start analyzing
the logfile from the specified offset, unless the checksum doesn't
match, in which case we'll issue an alert and restart from 0.
- Yoann Vandoorselaere <[email protected]>:
Should now be able to read logfiles of up to 2 ^ (64-1) bytes.
- Yoann Vandoorselaere <[email protected]>:
Implemented runtime detection and workaround of the FAM (Dnotify)
writev() bug. We go back to simple file polling if the bug is
present.
- Yoann Vandoorselaere <[email protected]>:
Restart LML on SIGHUP, so that log rotation programs might
restart it.
- Yoann Vandoorselaere <[email protected]>:
Implemented handling of the source and destination address,
by the Simple (signature) plugin.
- Vincent Glaume <[email protected]>:
Implemented handling of the "last" keyword, telling LML to stop
matching regex against a line of log once one of them has been
matched.
- Yoann Vandoorselaere <[email protected]>:
LML alerts now carry the LML version.
- Yoann Vandoorselaere <[email protected]>:
Modified the Debug plugin so that it uses the shared LML API
for sending alerts. Also, Debug alerts are now low priority.
- Laurent Oudot <[email protected]>:
Exim ruleset.
- Stéphane Loeuillet <[email protected]>:
ProFTPD, vpopmail, qpopper rulesets.
- Vincent Glaume <[email protected]>:
Squid, NtSyslog, Ipso and Checkpoint rulesets.
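The logfile metadata logic described in the 0.8.3 entry above (resume at the last offset, treat a shrunken file as rotated, treat a changed head as an inconsistency worth alerting on), combined with the 'head' / 'tail' / 'last' start modes of the --metadata option from the 0.9.11 entry, as an added Python illustration that is not prelude-lml's own code. The constant CHECKSUM_LEN, the choice of SHA-256, the rule that the checksum covers at most the bytes before the recorded offset, the "no metadata means start at the head" default and the alert wording are all assumptions made for this example; the sample log file is constructed in a temporary directory.

```python
# Added example (not prelude-lml code): logfile metadata handling as described
# in the NEWS entries for 0.8.3 (offset + checksum, rotation detection) and
# 0.9.11 (--metadata=head|tail|last). Constants and messages are assumptions.
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: the checksum covers at most this many leading bytes of the file,
# and never more bytes than the recorded offset, so plain appends keep it valid.
CHECKSUM_LEN = 64


@dataclass
class Metadata:
    offset: int      # byte offset where the previous run stopped reading
    checksum: str    # hex digest of the file head at the time offset was recorded


@dataclass
class Decision:
    start_offset: int        # where analysis should (re)start
    alert: Optional[str]     # None, or an inconsistency message to report


def checksum_head(path: str, length: int) -> str:
    """SHA-256 of the first `length` bytes of the file (assumed hash choice)."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read(length)).hexdigest()


def make_metadata(path: str, offset: int) -> Metadata:
    """Record the position we stopped at, plus a checksum of the head before it."""
    return Metadata(offset, checksum_head(path, min(offset, CHECKSUM_LEN)))


def resolve_start(path: str, meta: Optional[Metadata], mode: str = "last") -> Decision:
    """Decide where to start analysing `path`.

    mode is one of the --metadata keywords: 'head' (offset 0), 'tail' (end of
    file) or 'last' (last known position, validated against the metadata).
    """
    size = os.path.getsize(path)
    if mode == "head":
        return Decision(0, None)
    if mode == "tail":
        return Decision(size, None)
    if mode != "last":
        raise ValueError("unknown metadata mode: %r" % mode)
    if meta is None:
        return Decision(0, None)          # assumed: no metadata yet, read from the head
    if size < meta.offset:
        # File is smaller than where we stopped: it was rotated (or truncated).
        return Decision(0, "logfile shrank below the recorded offset: assuming rotation")
    if checksum_head(path, min(meta.offset, CHECKSUM_LEN)) != meta.checksum:
        # Same-or-larger file, but the head we already analysed changed underneath us.
        return Decision(0, "checksum mismatch on logfile head: inconsistency, restarting from 0")
    return Decision(meta.offset, None)


def read_from(path: str, start: int) -> Tuple[List[bytes], int]:
    """Return the lines after `start` and the offset reached (for new metadata)."""
    with open(path, "rb") as fh:
        fh.seek(start)
        data = fh.read()
    return data.splitlines(), start + len(data)


def demo() -> dict:
    """Constructed walk-through of the three metadata cases on a temp file."""
    path = os.path.join(tempfile.mkdtemp(), "auth.log")
    with open(path, "wb") as fh:
        fh.write(b"line1\nline2\n")            # 12 bytes analysed in a "previous run"
    meta = make_metadata(path, 12)

    # Case 1: the log simply grew; head unchanged, resume at the recorded offset.
    with open(path, "ab") as fh:
        fh.write(b"line3\n")
    grown = resolve_start(path, meta)
    new_lines, end = read_from(path, grown.start_offset)

    # Case 2: rotation replaced the file with a smaller one.
    with open(path, "wb") as fh:
        fh.write(b"new1\n")
    rotated = resolve_start(path, meta)

    # Case 3: file is at least as large as before, but its head differs.
    with open(path, "wb") as fh:
        fh.write(b"tampered-line\n" * 2)
    mismatch = resolve_start(path, meta)

    return {"grown": grown, "new_lines": new_lines, "end": end,
            "rotated": rotated, "mismatch": mismatch,
            "tail": resolve_start(path, meta, "tail")}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of checksumming the head rather than only trusting the size is the third case: a file that is as large as before but whose already-analysed bytes differ cannot be resumed safely, so the checker alerts and re-reads from 0 instead of silently skipping content. In 'nowrite' mode the caller would simply not persist the Metadata that make_metadata returns after a run.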
* 2002-12-06, prelude-lml-0.8.2:
- Yoann Vandoorselaere <[email protected]>:
LML doesn't use pthread anymore, but uses a more favorable technique
where several file descriptors are monitored from a single thread.
- Yoann Vandoorselaere <[email protected]>: