SHOKI

http://shoki.sourceforge.net/

shoki@meshuggeneh.net


CHANGES

0.3.0	(Real Soon Now) 2004	(The `sucks less than the last release' release)

	This is a ground-up rewrite of the shoki tools.  This means
	that there are -substantial- changes from previous releases.

	A quick summary of the functional changes:
	
	-The parser(1) widget no longer exists and has been replaced by
	 the lexer(1) widget
	-Filter rule syntax is completely different.  No more tab-delimited
	 config files.
	-Doctrine rules are handled completely differently and are not
	 (directly) backward compatible.  Instead of being a subset of
	 filter rules handled by the parser(1), doctrine rules
	 now use a different format interpreted by the ooda(8) widget.
	-Different passive fingerprinting logic (now steals from p0f instead
	 of Lance Spitzner's paper)
	-Man pages now use the mdoc macros (instead of the old an macros).
	 The mdoc macros are installed by default on all the `officially
	 supported' OSes, so this shouldn't pose many compatibility problems.
	-Now distributed under a BSD-style license

DELTAS (from the last interim 0.3.0 release)

	-Added rc(1) (basically a CLI for the hustler clustering stuff)
	-Added lsevents(1), lsalerts(1), showevent(1), and rmevent(1) (CLI
	 widgets for getting event information from the database;
	 loosely modeled on mh/nmh)
	-Added shoki_sez(8) (a daemon that sends alerts via Jabber)
	-Fixed bug in filter name handling in pgsql logging
	-Rewrote the anomaly counting code (for better performance)
	-Changed filter/alert severity semantics (now follows syslog(2))
	-Cleaned up autoconf compile flag handling
	-Valgrind-related cleanup of option handling
	-Added hustler config loading/saving
	-Added hustler resize mode
	-Tweaked hustler phase space navigation
	

Consult the CHANGES.old document in the ./doc directory of the shoki
source tree for details of previous releases.
