--------------------------------------

New Features for DEMARC 1.05-RC2 (partial list)

Home: http://demarc.org/
Email: info@demarc.org

--------------------------------------

+ signature caching for the search page so that it doesn't have to dynamically 
  generate a signature list every time you go to the search form.

+ CIDR IP range searches have been implemented.  This means that you can search
  for a specific range of IPs from the search page instead of just a specific IP.
  e.g. 192.168.10.0/24 would include 192.168.10.0 - 192.168.10.255

+ changed snort start from open handle to fork.  This fixes the RC1 problem 
  of snort appearing defunct if it dies.

+ added "Manual Sensor Config" in the config section for adding/deleting sensors.
  This is especially useful for installing "Snortless sensors" for only 
  monitoring local files/processes.


+ Added ability to exclude rules/rulesets from being updated with RC1's new autoupdate
  feature that updates rules periodically from either sourcefire.com or whitehats.com.
  This is done by placing rules of the following format in the snort.conf file THROUGH 
  the web interface:

##########

EXCLUDE_AUTOUPDATE_RULESET "ruleset_name"
EXCLUDE_AUTOUPDATE_SIGNATURE "signature_name"

##########

+ snort.conf file created by demarcd now automatically changes to "snort<if>.conf" 
  to make it easier for multiple NIC installations.

+ added -s <sid>, -m no|yes, and -g switches for demarcd.  Please type "demarcd -h" 
  in your shell to get a complete listing of switches and their meanings.

+ "Validate Rules" feature added which allows you to check the validity of the snort
  config/rulesets from the demarc web interface.  This requires snort to be installed
  on the demarc web box and the addition of a tmp/ sub dir under "/usr/local/demarc" 
  (explained in installation/upgrade instructions), which needs to be chowned to the 
  owner of the webserver process and chmod 700.

+ Added RESET_DB.pl script in /usr/local/demarc/bin/ which allows you to wipe out
  all snort data manually.  This can be useful if your DB accidentally grew to 
  200,000 records and you can't easily access it through the web console anymore.

+ Rules are now automatically checked by demarcd for validity before it updates its 
  running ruleset.  If the updated config/rulesets are found to be invalid, it will
  continue to run with its current working config/ruleset version and throw an error
  that will appear on the demarc web interface as a "General Alert" in the "Quick Stats"
  section.

+ Modified demarcd so it does not just die when it can't contact the mysql server if it has successfully
  connected during that session (i.e. network connectivity problems arise between the sensor and the DB). 
  Instead it keeps trying every 10 seconds for 1/2 hour, then finally gives up.

+ Fixed bug that formatted the date WRONG and caused NIDS alerts over a day old to be displayed incorrectly.

+ Fixed error where main_monitor_sid was not being pulled out of the config file correctly.

+ Fixed priorities bug that caused the "Change all priorities..." functions not to work.
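
The CIDR range search listed above, sketched as an added example (not DEMARC's own code): the search term is reduced to an inclusive pair of 32-bit integers and bound as query parameters. The table and column names follow the stock Snort database schema (iphdr.ip_src stored as an unsigned integer); whether DEMARC queries it this way is an assumption, and all function names are hypothetical.

```python
import re

# Dotted-quad IPv4 address with an optional /prefix; ASCII digits only.
_CIDR = re.compile(
    r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(?:/([0-9]{1,2}))?")

def cidr_to_range(text):
    """Return (low, high) as unsigned 32-bit integers, both ends inclusive."""
    m = _CIDR.fullmatch(text.strip())
    if m is None:
        # Anything that is not exactly an address or CIDR block is rejected,
        # so free-form search input never reaches the query.
        raise ValueError("not an IPv4 address or CIDR block: %r" % text)
    octets = [int(g) for g in m.groups()[:4]]
    prefix = 32 if m.group(5) is None else int(m.group(5))
    if max(octets) > 255 or prefix > 32:
        raise ValueError("octet or prefix out of range: %r" % text)
    addr = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    low = addr & mask                  # clear host bits: .77/24 becomes .0
    high = low | (mask ^ 0xFFFFFFFF)   # set host bits: last address in block
    return low, high

def int_to_ip(value):
    """Render a 32-bit integer back as a dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def source_ip_filter(text):
    """Parameterized query plus bound values for a source-IP search."""
    low, high = cidr_to_range(text)
    # Assumed schema: stock Snort "iphdr" table with integer ip_src.
    return "SELECT sid, cid FROM iphdr WHERE ip_src BETWEEN %s AND %s", (low, high)

if __name__ == "__main__":
    # Constructed sample search terms.
    for sample in ("192.168.10.0/24", "192.168.10.77/24", "10.1.2.3"):
        low, high = cidr_to_range(sample)
        print(sample, "->", int_to_ip(low), "-", int_to_ip(high))
```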

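The validate-before-update behaviour listed above (keep the running config when the updated one is invalid, and raise an alert), sketched as an added example that is not demarcd's own code. It assumes validation is done with Snort's self-test mode ("snort -T -c <file>"); the function names and the alert text are hypothetical.

```python
import os
import subprocess
import tempfile

def snort_validates(conf_path, snort_bin="snort"):
    """True if Snort's self-test mode accepts the config (exit status 0)."""
    try:
        result = subprocess.run([snort_bin, "-T", "-c", conf_path],
                                capture_output=True, timeout=120)
    except (OSError, subprocess.TimeoutExpired):
        return False   # snort missing or hung: treat as "not validated"
    return result.returncode == 0

def apply_update(live_conf, candidate_text, validate=snort_validates, alerts=None):
    """Install candidate_text at live_conf only if it validates.

    Returns True when the live config was replaced. On failure the live file
    is left untouched and a message is appended to `alerts`.
    """
    alerts = alerts if alerts is not None else []
    directory = os.path.dirname(os.path.abspath(live_conf))
    # Stage next to the live file so relative "include" lines still resolve
    # and the final rename stays on one filesystem. mkstemp creates the file
    # with mode 0600, so other local users cannot read or alter it.
    fd, staged = tempfile.mkstemp(prefix=".staged-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(candidate_text)
        if not validate(staged):
            # Hypothetical alert text; the sensor keeps its working ruleset.
            alerts.append("updated config/rules failed validation; "
                          "still running previous version")
            return False
        os.replace(staged, live_conf)   # atomic swap: never a half-written file
        staged = None
        return True
    finally:
        if staged is not None and os.path.exists(staged):
            os.unlink(staged)           # discard the rejected candidate
```

Passing a different `validate` callable lets the swap logic be exercised on a machine without Snort installed.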

################################################################################################################

################################################################################################################

New Features for DEMARC 1.05-RC1 (partial list)

--------------------------------------


[Frontend Console]
----------------------

+Optimized queries to significantly reduce page loadtime and allow 
 the DB to grow significantly larger without any increase in page loadtime.

+Graphing is now available for any search queries, or directly from the main
 page for the top signatures of the day.

+ARIN lookups have been fixed to not only work happily on BSD and Linux, but
 also to include a list of registries on which to try the query.

+Miniview can now be hidden when not needed or undocked, thereby further
 reducing page loadtime.

+Implemented caching on the unique events table, and removed caching from the 
 latest alerts from the 3 major categories on the Miniview. This has a net 
 effect of increasing speed of the main page, while keeping the most important
 stats in the Miniview as realtime updates.

+Added ability to delegate administrative responsibilities; Users can now have
 user level access, full administrative access, or a number of shades in between.

----------------------


[Client]
----------------------

+Runs as a true daemon.

+Supports multiple snort processes on the same machine.

+Optionally can set a timer to automatically download and
 implement the latest snort rules from either
 http://snort.sourcefire.com/ or http://www.whitehats.com/
 on a regular basis.

+Ability to bring up a new sensor by supplying a -I (install) flag to
 the client.

----------------------


[Integrity Checking]
----------------------

+Added the ability to check websites as well as files for changes.

+Added "IGNORE" class of rules which allow you to exclude files from
 being checked even if they're in a directory that's been set to be
 checked.

----------------------


[NIDS]
----------------------

+Added ability to search for which rulesets contain specific signatures
 straight from the event detail screen for that signature.

+Fixed ability to copy rulesets between SIDs.

-----------------------


[Host/Service Monitoring]
-----------------------

+Added built-in ability to check for DNS hijacking on any monitored
 remote service and notify via standard channels.

+Added process checking + optional automatic process regeneration.

+Added fully customizable log file monitor.

-----------------------


