??/??/????: 0.9.6

  - 02/05/2002: 0.9.6b20
    - fixed output of error when the email alert action fails
      (Mike Pursifull)
    - fixed ICMP type=3 decode when padding is not present in payload
      (reported: Steven Bennett <steven.bennet@gapac.com>)
    - fixed SQL bug when referencing an event whose signature
      has no classification against a MS SQL server (Charlie Hand 
      <charlieh@silicondefense.com>)
    - added != operator for signature criteria  
    - added $use_sig_list configuration variable to support signature
      combo box in the search form (Steve Halligan <agent33@geeksquad.com>)
    - fixed bug in DNS lookup cache expiration (Lucas de Carvalho Ferreira
      <lucas.ferreira@bms.com.br>)

  - 11/29/2001: 0.9.6b19
    - fixed bug in PostgreSQL and MS-SQL SQL in the IP link statistics
      page
    - fixed bug in SQL generated for searches using 'src or dst' IP
      address criteria

  - 11/13/2001: 0.9.6b18
    - fixed bug with unescaped whois information being written to the 
      database (reported: Mike Shaw <mshaw@wwisp.com>)
    - fixed bug in archiving alerts which have a null signature
      (reported: Paul Davis <Paul.Davis@firstring.com>)
    - added support for emailing alerts as an attachment 
      (Marek Stiefenhofer <m.stiefenhofer@ecofis.de>)
    - added $action_email_from, $action_email_subject, 
      $action_email_msg, $action_email_mode configuration variables
    - added support for MSSQL (Charles Hand <charlieh@silicondefense.com>) 
    - fixed the error message in acidPConnect() and acidConnect() in the 
      case the connection failed (Charles Hand <charlieh@silicondefense.com>) 
    - fixed off-by-one error in acidFieldExists() (Charles Hand 
      <charlieh@silicondefense.com>)
    - Decode of ICMP destination unreachable and time exceeded messages
      (Mike Daulie <Michel.Daulie@ufsia.ac.be>)
    - fixed bug in email alert action which caused printable characters
      to be escaped as though they were HTML
    - added ability to rebuild the event, DNS, and whois cache
    - fixed "back" button support in the single alert listing, search page,
      first alert listing from the search page, single IP stats page
    - fixed bug related to improperly remembered state when viewing the contents
      of an Alert group from the AG screen when global criteria is defined
    - fixed bug in queries built with the != operator applied to IP addresses
    - fixed bug in event caching of certain pre-processor alerts
    - fixed bug in SQL for custom searches when using an IP address and an 
      IP field
    - added IP link statistics page
    - added $main_page_detail configuration variable
    - fixed bug in alert archiving which caused signature references and 
      classification not to be copied (reported: Ryan Hill <rhill@xypoint.com>)

  - 10/24/2001: 0.9.6b17
    - last 72-hour, 24-hour, and today snapshot for IP addresses
    - reduced the exponential session memory usage by the page history
      functionality / back button
    - added toggle for back button support (adds $maintain_history
      configuration variable)
    - added $external_port_link configuration variable
    - added classification statistics page

  - 10/02/2001: 0.9.6b16
    - fixed bug in generated SQL for Alert graphing when begin/end time
      are specified (reported: Andreas Hasenack <andreas@conectiva.com.br>)
    - fixed bug in GetQueryResultsID() using strtok() with PHP 4.0.6.7rc2
      (reported: Chris Koontz <ckoontz@yahoo.com>, Robert Settle 
       <Robert.Settle@langley.af.mil>)
    - fixed bug in single alert display when previous page had a sort
      criteria causing the browsing buttons (next, previous) not to display
      the correct alerts in the sequence 
    - added links for external DNS resolution and alternate external whois
      links (adds $external_dns_link, $external_all_link configuration 
      variables) (Diane Davidowicz <Diane.Davidowicz@noaa.gov>)
    - added support for 'url' references (Robert Grabowsky
      <robertg@infotech-nj.com>)
    - fixed bug in archiving action which resulted in alerts being identified
      as duplicates (already archived) due to improper counting of which tables
      needed to be archived.

  - 09/17/2001: 0.9.6b15
    - application "back" button
    - SQL trace log (adds $sql_trace_mode and $sql_trace_file configuration
      variables)
    - variable DB connection methods (adds $db_connect_method configuration
      variable)
    - last 72-hour snapshot added for Alert Listing, and unique alerts

  - 09/12/2001: 0.9.6b14
    - config parameter 'html_no_cache': whether an HTML no-cache directive
      should be sent to the browser
    - abstracted the functionality of displaying query results into
      OO classes: QueryResultsOutput and QueryState  
    - substantial re-organization of functions among the library files
    - Summary statistics links for query results (adds $show_summary_stat
      configuration variable)
    - additional page timing via OO class EventTiming (adds $debug_time_mode 
      configuration variable)
    - TCP and UDP port statistics
    - modified sensor stats to accept criteria (Addam Schroll <aschroll@mitre.org>)
    - fixed signature support in DDL SQL for DB v0 with event caching 
    - selectively clear criteria from query results
    - fixed bug in alert graphing when x-value overflowed the GET
      parameter string
    - CIDR notation for IP criteria
    - fixed bug with alert action with blobs (e.g. signatures, sensors) where the 
      number of alerts exceeded the number of blobs

  - 07/29/2001: 0.9.6b13
    - Alert caching: caching of data into the acid_event table
    - signature classification support
    - print timing information on page loading time ($debug_time_mode)
    - cache (DNS, whois, event cache) maintenance page
    - fixed chart begin/end time form input so it "remembers" previously 
      entered hour and day of month criteria (Sean Walberg 
      <SWalberg@exchange.hsc.mb.ca>)
    - fixed bug in archiving that prevented layer-4 data from being
      copied (Addam Schroll <aschroll@mitre.org>)
    - fixed bug in acid_stat_alerts so that sig_names (in DB schema v0)
      are properly URI encoded (Addam Schroll <aschroll@mitre.org>)
    - fix for DB schema v0 update SQL for the event cache 
      (Addam Schroll <aschroll@mitre.org>)

  - 07/09/2001: 0.9.6b12
    - acidGetDBVersion() added to class acidCon()
    - removed BCMath requirement; a modified acidip2long() and
      acidlong2ip() can provide 32-bit unsigned IP operations
      (Christopher Ostmo <tech@appideas.com>)
    - fixed bug in delete alert actions on signatures and sensors whereby the
      number of alerts for the query was improperly decremented.
      (reported: Jeffrey Dell <JDell@seisint.com>)

  - 07/04/2001: 0.9.6b11
    - fixed bug related to extraneous criteria being present in queries from
      the IP address statistics listing (acid_stat_ipaddr)
      (reported: Roeland Weve <roeland@office.netland.nl>)
    - fixed bug with Unique alert listings not transferring time-based criteria
      correctly to other pages linked from it.
      (reported: Andreas Hasenack <andreas@netbank.com.br>)
    - Removed all remaining SQL references to ip_src? or ip_dst? since these 
      fields are no longer present in DB schema v103.  Note: This breaks classful 
      IP searching (e.g. 127.0 => 127.0.*.*)
    - Browser portability: fixed rendering issues in Konqueror with '>' and '<' 
      translation (Ian Sharkey <iansharkey@hotmail.com>); fixed HTML of
      traffic profile graph to improve rendering in Opera (Andreas Steinmetz 
      <ast@domdv.de>)
    - Improved graphs generation: auto-sizing of the x-axis labels (Ian Sharkey 
      <iansharkey@hotmail.com>); sending proper MIME type and cache control
      headers (Andreas Steinmetz <ast@domdv.de>)
    - SQL optimizations to improve speed (Ryan Poppa <rpoppa@opentext.com>,
      Dave Randolph <daver@tigerbyte.com>, rdd)
    - No-cache HTTP header (Dave Randolph <daver@tigerbyte.com>)
    - Parsing of Snort spp_portscan log file (Blake Frantz <blake@mc.net>)
    - fixed bug in chart graphing (reported: Mark Menke <mmenke@SonicWALL.com>)
      and alert histogram that caused invalid days to be added to the end
      of a month (i.e. view 31st day of month, when month only has 28 days)

  - 06/18/2001: 0.9.6b10
    - full internal support for manipulating IP addresses as 32-bit integers
      (required the bcmath library, --enable-bcmath)
    - fixed links from event listing on single IP statistics page
    - fixed bug with the browsing between alerts on the alert display
      when the only criteria is layer-4 protocol
    - re-organized related code out of acid_common.php into separate *.inc
    - fixed bug with email export when old-style inline references are used
      in the signature name (reported: Wozz: <wozz+snort@wookie.net>)
    - DNS hostname caching
    - fixed bug in SQL generated for "Last x Unique Alerts" (reported:
      Andreas Hasenack <andreas@netbank.com.br>)
    - increased debugging information and explicit test for a correct
      version of PHP
    - Hyperlink IP address in portscan messages (Michael Bell <michael.bell@web.de>)
    - Native whois queries with caching (requires --enable-sockets)
    - configuration parameter (max_script_runtime) to set max_execution_time
      PHP variable for time consuming operations
    - fixed bug with shared state incorrectly being carried over from 
      acid_stat_ipaddr links back to query results (reported: 
      <dmuz@angrypacket.com>, Andreas Hasenack <andreas@netbank.com.br>)
    - previous timestamp of unique alert; link to the actual first/previous/last
      alert added on the unique alert page (Ryan Poppa <rpoppa@opentext.com>)
    - complete re-write of alert actions; new alert action API
    - archive alert action
    - several updates to alert data graphing: chart period, begin/end time
      (Michael Bell <michael.bell@web.de>), thresholds, label rotation

  - 05/08/2001: 0.9.6b9
    - alert data graphing via PHPlot    
    - 'resolve_IP' parameter added to define whether FQDN are displayed on the
      unique IP added page
    - fixed bug in export/emailing alert action related to signature normalization
      in schema v100 (reported: Wozz: <wozz+snort@wookie.net>)
    - added export/emailing of alerts in a summary format 
    - fixed bug in portscan traffic % graph where the schema < v100 were given
      SQL for schema v100+ 

  - 05/03/2001: 0.9.6b8
     - fixed bug with alert action from the Query Results page which used the
       "Entire Query" specifier. (reported: Frank Reid <fcreid@ourcorner.org>) 
     - fixed bug with Time profile incorrectly displaying the specific alerts,
       and Query form improperly processing IP addresses due to use of PHP
       sessions. (reported: Cornett Wood <cornett@arpa.net>, 
       Steve Hutchins <steve.hutchins@optimation.co.nz>)
     - fixed bug in scrolling through the alert display code 
       (reported: Roeland Weve <roeland@office.netland.nl>)
     - catch DB schema flaw with ./create_postgresql v100 that defined
       event.signature as TEXT (reported: Roeland Weve <roeland@office.netland.nl>) 
     - code security: explicitly import and initialize POST/GET variables 
     - added check of PHP build to confirm that the necessary DB libraries were
       built
     - complete migration of shared state into PHP sessions
     - fixed bug with criteria form converting user input to PostgreSQL SQL; using 
       acidSQL_UNIXTIME
     - fixed bug in portscan 'traffic profile' graph not reflecting schema v100
       changes (reported: Helio <helio@compuland.com.br>) 
     - optimized performance of Unique Alert listing

  - 03/26/2001: 0.9.6b7
     - snapshot: most frequent IP addresses
     - sorting capability and query optimization on Unique Address listing
     - support for DB schema v1.0.0 (100) (normalized signatures, rule references)
     - migration of shared state of 'most' pages into PHP sessions (cookie-based)

  - 03/23/2001: 0.9.6b6
     - fixed bug in UDP/ICMP 'traffic profile' graphs not displaying the correct
       background color (fix: Guillaume <guillaume@sky.fr>) 
     - fixed bug with sorting order in Unique Alert listing when number of alerts
       exceeds $show_row (fix: Luigi Gangitano <luigi@gangitano.it>)
     - fixed typo bug in "most frequent alerts" which caused the destination 
       address link to improperly display the unique IP address and Alert display
       page (fix: James Stahr <stahr@binc.net>)
     - snapshot: all alerts in 24 hrs (Steve Halligan <agent33@geeksquad.com>)
     - fixed divide-by-zero error in number of alert count with the sensor statistics 
       when no alerts exist (fix: Cornett Wood <cornett@arpa.net>)
     - support for rule references (rdd, Cornett Wood <cornett@arpa.net>;
       bugs: Steve Halligan <agent33@geeksquad.com>)
     - fixed another division-by-zero error due to portscans
       (fix: Mark Motley <mark@motleynet.com>)

  - 02/12/2001: 0.9.6b5
     - fixed bug in specifying time criteria consisting only of dates in main
       search
     - added FQDN to the unique address listing
     - wrap ascii-text logged payload at 70-columns when printing alert
       (Frank Reid <fcreid@ourcorner.org>)

  - 02/08/2001: 0.9.6b4
     - fixed bug in alert display page when printing the packet payload
       (reported: Jason Haar <jason.haar@trimble.co.nz>) 
     - fixed bug in Today's Unique Alert listing so that when drilling
       into specific alert instances, only today's are actually shown
       (reported: Jason Haar <jason.haar@trimble.co.nz>) 

  - 02/08/2001: 0.9.6b3
     - fixed bug which occurred when clicking on '# of occurrences' from unique address
       listing from a unique alerts listing (reported: Erek Adams 
       <erek@theadamsfamily.net>)
     - display src/dest port when applicable with the IP address on query results
     - added "# of alerts in AG" column in "list_all" view of the AG
     - more complete sort capability in general query results, AGs, and unique alerts
     - AG and delete actions supported from the sensor or unique alert page 
     - percentage graph of portscan traffic on main page
     - improved export of alerts in the email messages
     - fixed divide-by-zero bug in sensor statistics (reported: Cornett Wood
       <cornett@arpa.net>)

  - 01/29/2001: 0.9.6b2
     - Database abstraction implemented
     - Support for MySQL and PostgreSQL

  - 01/22/2001: 0.9.6b1
     - fixed bug which prevented the ability to scroll through "Unique Events"
       (reported: Jason Boyer <jason@bmh.com>)
     - updated Alert Decode to also support ascii sensor logging
     - fixed bug with emailing results from "Unique Event statistics" 
       (fix: Steve Halligan <agent33@geeksquad.com>
        reported: Jeff Oxenreider <jox@safelite.com>)

01/18/2001 : 0.9.5   
  - added alert groups (AG)
  - aggregate stats based on sensor (Stuart Stock <stuart@broadword.com>)
  - added alert purging
  - added stats for single IP address (# of alerts, sensors) and whois 
    lookups (Jeff Seeley <jeff_seely@broadword.com>, Bill Marquette
    <wlmarque@hewitt.com>)
  - added unique IP addresses list (testing: Nathan Spande
    <nspande@fool.com>)
  - added ability to email query results (Steve Halligan, agent33@geeksquad.com) 
  - fixed bug in alert arrival time graph when # of alerts was less than 1%
  - generalized the IP proto decode 
  - fixed bug in criteria description when printing 'Last X' alerts
  - updated DB check version code to be aware of new AG tables
  - main and last-X alerts page refresh 
  - added sensor name as a search criteria
  - added AG name as a search criteria
  - signatures hyperlink to CVE, bugtraq, McAfee, or whitehats (Paul Harrington 
    <paul@pizza.org>) which spawn a new browser window (Jason Haar
    <jason.haar@timble.co.nz>)
  - added snapshot: today's alerts
  - automated ACID's table and index creation
  - added sort criteria for the search results (timestamp, signature)
  - fixed bug in flags search criteria where PSH and RST were transposed
    (reported: Jed Pickel <jed@pickel.net>)
  - fixed bug associated with using '_'-character in style sheet classes
    which caused them not to be valid under certain configurations.
    (solution reported by: Jed Pickel <jed@pickel.net>)
  - improved human-readable criteria description for queries (added
    descriptive text when TCP flags are criteria, removed extraneous blank lines)
  - fixed bug in hex-encoded packet payload printing of ASCII equivalent
  - added warning messages when erroneous search criteria is entered 
  - today's unique alerts 
  - JavaScript to automatically select-all in the query results (Bill Marquette
    <wlmarque@hewitt.com>)
  - Added ability to enter IP address criteria as either an octet or
    a single string (testing: Frank Reid, <fcreid@outcorner.org>)
  - Added source/destination as a type of IP address criteria
  - Most recent unique alerts
  - Most frequent alerts

09/14/2000 : 0.9.4   
  - fixed bug in mysql_connect() calls where the $alert_port variable was 
    being ignored

09/13/2000 : 0.9.3   
  - fixed bug in protocol graphs on main page
  - fixed bug in the title display when acid_pkt_main is called
  - added ability to drill into packets from the arrival time graph
  - added FQDN and sensor information on packet lookup
  - added check for Snort DB version to catch old Snort DB or whether the 
    SQL creation was not run 

09/11/2000 : 0.9.2
  - initial public release
  - added alert arrival time graphing

09/09/2000 : 0.9.1   
  - fixed bug in how JOINS are made in query
  - added last x-number of alerts by protocol feature

09/08/2000 : 0.9.0   
  - limited release
