??/??/????: 0.9.6

  - 07/04/2001: 0.9.6b11
    - fixed bug related to extranous criteria being present in queries from
      the IP address statistics listing (acid_stat_ipaddr)
      (reported: Roeland Weve <roeland@office.netland.nl>)
    - fixed bug with Unique alert listings not transfering time-based criteria
      correctly to other pages linked from it.
      (reported: Andreas Hasenack <andreas@netbank.com.br>)
    - Removed all remaining SQL references to ip_src? or ip_dst? since these 
      fields are no longer present in DB schema v103.  Note: This breaks classful 
      IP searching (e.g. 127.0 => 127.0.*.*)
    - Browser portability: fixed rendering issues in Konqueror with '>' and '<' 
      translation (Ian Sharkey <iansharkey@hotmail.com>); fixed HTML of
      traffic profile graph to improve rendering in Opera (Andreas Steinmetz 
      <ast@domdv.de>)
    - Improved graphs generation: autosizing of the x-axis labels (Ian Sharkey 
      <iansharkey@hotmail.com>); sending proper MIME type and cache control
      headers (Andreas Steinmetz <ast@domdv.de>)
    - SQL optimizations to improve speed (Ryan Poppa <rpoppa@opentext.com>,
      Dave Randolph <daver@tigerbyte.com>, rdd)
    - No-cache HTTP header (Dave Randolph <daver@tigerbyte.com>)
    - Parsing of Snort spp_portscan log file (Blake Frantz <blake@mc.net>)
    - fixed bug in chart graphing (reported: Mark Menke <mmenke@SonicWALL.com>)
      and alert histogram that caused invalid days to be added to the end
      of a month (i.e. view 31th day of month, when month only has 28 days)

  - 06/18/2001: 0.9.6b10
    - full internal support for manipulating IP addresses as 32-bit integers
      (required the bcmath library, --enable-bcmath)
    - fixed links from event listing on single IP statistics page
    - fixed bug with the browsing between alerts on the alert display
      when the only criteria is layer-4 protocol
    - re-organized related code out of acid_common.php into seperate *.inc
    - fixed bug with email export when old-style inline references are used
      in the signature name (reported: Wozz: <wozz+snort@wookie.net>)
    - DNS hostname caching
    - fixed bug in SQL generated for "Last x Unique Alerts" (reported:
      Andreas Hasenack <andreas@netbank.com.br>)
    - increased debugging information and explicit test for a correct
      version of PHP
    - Hyperlink IP address in portscan messages (Michael Bell <michael.bell@web.de>)
    - Native whois queries with caching (requires --enable-sockets)
    - configuration parameter (max_script_runtime) to set max_execution_time
      PHP variable for time consuming operations
    - fixed bug with shared state incorrectly being carried over from 
      acid_stat_ipaddr links back to query results (reported: 
      <dmuz@angrypacket.com>, Andreas Hasenack <andreas@netbank.com.br>)
    - previous timestamp of unique alert; link to the actual first/previous/last
      alert added on the unique alert page (Ryan Poppa <rpoppa@opentext.com>)
    - complete re-write of alert actions; new alert action API
    - archive alert action
    - several updates to alert data graphing: chart period, begin/end time
      (Michael Bell <michael.bell@web.de>), thresholds, label rotation

  - 05/08/2001: 0.9.6b9
    - alert data graphing via PHPlot    
    - 'resolve_IP' parameter added to define whether FQDN are displayed on the
      unique IP added page
    - fixed bug in export/emailing alert action related to signature normalization
      in schema v100 (reported: Wozz: <wozz+snort@wookie.net>)
    - added export/emailing of alerts in a summary format 
    - fixed bug in portscan traffic % graph where the schema < v100 were given
      SQL for schema v100+ 

  - 05/03/2001: 0.9.6b8
     - fixed bug with alert action from the Query Results page which used the
       "Entire Query" specifier. (reported: Frank Reid <fcreid@ourcorner.org>) 
     - fixed bug with Time profile incorrectly displaying the specific alerts,
       and Query form improperly processing IP addresses due to use of PHP
       sessions. (reported: Cornett Wood <cornett@arpa.net>, 
       Steve Hutchins <steve.hutchins@optimation.co.nz>)
     - fixed bug in scrolling through the alert display code 
       (reported: Roeland Weve <roeland@office.netland.nl>)
     - catch DB schema flaw with ./create_postgresql v100 that defined
       event.signature as TEXT (reported: Roeland Weve <roeland@office.netland.nl>) 
     - code security: explicitly import and initialize POST/GET variables 
     - added check of PHP build to confirm that the necessary DB libraries were
       built
     - complete migration of shared state into PHP sessions
     - fixed bug with criteria form converting user input to PostgreSQL SQL; using 
       acidSQL_UNIXTIME
     - fixed bug in portscan 'traffic profile' graph not reflecting schema v100
       changes (reported: Helio <helio@compuland.com.br>) 
     - optimized performance of Unique Alert listing

  - 03/26/2001: 0.9.6b7
     - snapshot: most frequent IP addresses
     - sorting capability and query optimization on Unique Address listing
     - support for DB schema v1.0.0 (100) (normalized signatures, rule references)
     - migration shared state of 'most' pages into PHP sessions (cookie-based) 

  - 03/23/2001: 0.9.6b6
     - fixed bug in UDP/ICMP 'traffic profile' graphs not displaying the correct
       background color (fix: Guillaume <guillaume@sky.fr>) 
     - fixed bug with sorting order in Unique Alert listing when number of alerts
       exceeds $show_row (fix: Luigi Gangitano <luigi@gangitano.it>)
     - fixed typo bug in "most frequent alerts" which caused the destination 
       address link to improperly display the unique IP address and Alert display
       page (fix: James Stahr <stahr@binc.net>)
     - snapshot: all alerts in 24 hrs (Steve Halligan <agent33@geeksquad.com>)
     - fixed divide-by-zero error in number of alert count with the sensor statistics 
       when no alerts exist (fix: Cornett Wood <cornett@arpa.net>)
     - support for rule references (rdd, Cornett Wood <cornett@arpa.net>;
       bugs: Steve Halligan <agent33@geeksquad.com>)
     - fixed another division-by-zero dealing due to portscans 
       (fix: Mark Motley <mark@motleynet.com>)

  - 02/12/2001: 0.9.6b5
     - fixed bug in specifying time criteria consisting only of dates in main
       search
     - added FQDN to the unique address listing
     - wrap ascii-text logged payload at 70-columns when printing alert
       (Frank Reid <fcreid@ourcorner.org>)

  - 02/08/2001: 0.9.6b4
     - fixed bug in alert display page when printing the packet payload
       (reported: Jason Haar <jason.haar@trimble.co.nz>) 
     - fixed bug in Today's Unique Alert listing so that when drilling
       into specific alert instances, only today's are actually shown
       (reported: Jason Haar <jason.haar@trimble.co.nz>) 

  - 02/08/2001: 0.9.6b3
     - fixed bug which caused when clicking on '# of occurrences' from unique address 
       listing from a unique alerts listing (reported: Erek Adams 
       <erek@theadamsfamily.net>)
     - display src/dest port when applicable with the IP address on query results
     - added "# of alerts in AG" column in "list_all" view of the AG
     - more complete sort capability in general query results, AGs, and unique alerts
     - AG and delete actions supported from the sensor or unique alert page 
     - percentage graph of portscan traffic on main page
     - improved export of alerts in the email messages
     - fixed divide-by-zero bug in sensor statistics (reported: Cornett Wood
       <cornett@arpa.net>)

  - 01/29/2001: 0.9.6b2
     - Database abstraction implemented
     - Support for MySQL and PostgresSQL

  - 01/22/2001: 0.9.6b1
     - fixed bug which prevented the ability to scroll through "Unique Events"
       (reported: Jason Boyer <jason@bmh.com>)
     - updated Alert Decode to also support ascii sensor logging
     - fixed bug with emailing results from "Unique Event statistics" 
       (fix: Steve Halligan <agent33@geeksquad.com>
        reported: Jeff Oxenreider <jox@safelite.com>)

01/18/2001 : 0.9.5   
  - added alert groups (AG)
  - aggregate stats based on sensor (Stuart Stock <stuart@broadword.com>)
  - added alert purging
  - added stats for single IP address (# of alerts, sensors) and whois 
    lookups (Jeff Seeley <jeff_seely@broadword.com>, Bill Marquette
    <wlmarque@hewitt.com>)
  - added unique IP addresses list (testing: Nathan Spande
    <nspande@fool.com>
  - added ability to email query results (Steve Halligan, agent33@geeksquad.com) 
  - fixed bug in alert arrival time graph when # of alerts was less than 1%
  - generalized the IP proto decode 
  - fixed bug in criteria description when printing 'Last X' alerts
  - updated DB check version code to be aware of new AG tables
  - main and last-X alerts page refresh 
  - added sensor name as a search criteria
  - added AG name as a search criteria
  - signatures hyperlink to CVE, bugtraq, McAfee, or whitehats (Paul Harrington 
    <paul@pizza.org>) which spawn a new browser window (Jason Harr
    jason.haar@timble.co.nz)
  - added snapshot: today's alerts
  - automated ACID's table and index creation
  - added sort criteria for the search results (timestamp, signature)
  - fixed bug in flags search criteria where PSH and RST were transposed
    (reported: Jed Pickel <jed@pickel.net>)
  - fixed bug associated with using '_'-character in style sheet classes
    which caused them not be valid under certain configurations.
    (solution reported by: Jed Pickel <jed@pickel.net>)
  - improved human-readable criteria description for queries (added
    descriptive text when TCP flags are criteria, removed extraneous blank lines)
  - fixed bug in hex-encoded packet payload printing of ASCII equivalent
  - added warning messages when erroneous search criteria is entered 
  - today's unique alerts 
  - Java-script to automatically select-all in the query results (Bill Marquette
    <wlmarque@hewitt.com>)
  - Added ability to enter IP address criteria as either an octet or
    a single string (testing: Frank Reid, <fcreid@outcorner.org>)
  - Added source/destination as a type of IP address criteria
  - Most recent unique alerts
  - Most frequent alerts

09/14/2000 : 0.9.4   
  - fixed bug in mysql_connect() calls where the $alert_port variable was 
    being ignored

09/13/2000 : 0.9.3   
  - fixed bug in protocol graphs on main page
  - fixed bug in the title display when acid_pkt_main is called
  - added ability to drill into packets from the arrival time graph
  - added FQDN and sensor information on packet lookup
  - added check for Snort DB version to catch old Snort DB or whether the 
    SQL creation was not run 

09/11/2000 : 0.9.2
  - initial public release
  - added alert arrival time graphing

09/09/2000 : 0.9.1   
  - fixed bug in how JOINS are made in query
  - added last x-number of alerts by protocol feature

09/08/2000 : 0.9.0   
  - limited release
