forked from OISF/suricata
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
1188 lines (1062 loc) · 56.6 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
4.0.0-rc2 -- 2017-07-13
Feature #744: Teredo configuration
Feature #1748: lua: expose tx in alert lua scripts
Bug #1855: alert number output
Bug #1888: noalert in a pass rule disables the rule
Bug #1957: PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding
Bug #1958: Possible confusion or bypass within the stream engine with retransmits.
Bug #2110: isdataat: keyword memleak
Bug #2162: rust/nfs: reachable asserting rust panic
Bug #2175: rust/nfs: panic - 4.0.0-dev (rev 7c25a2d)
Bug #2176: gcc 7.1.1 'format truncation' compiler warnings
Bug #2177: asn1/der: stack overflow
4.0.0-rc1 -- 2017-06-28
Feature #2095: eve: http body in alert event
Feature #2131: nfs: implement GAP support
Feature #2156: Add app_proto or partial flow entry to alerts
Feature #2163: ntp parser
Feature #2164: rust: external parser crate support
Bug #1930: Segfault when event rule is invalid
Bug #2038: validate app-layer API use
Bug #2109: asn1: keyword memleak
Bug #2141: 4.0.0-dev (rev 8ea9a5a) segfault
Bug #2143: Bypass cause missing alert on packets only signatures
Bug #2144: rust: panic in dns/tcp
Bug #2148: rust/dns: panic on malformed rrnames
Bug #2153: starttls 'tunnel' packet issue - nfq_handle_packet error -1
Bug #2154: Dynamic stack overflow in payload printable output
Bug #2155: AddressSanitizer double-free error
Bug #2157: Compilation Issues Beta 4.0
Bug #2158: Suricata v4.0.0-beta1 dns_query; segmentation fault
Bug #2159: http: 2221028 triggers on underscore in hostname
Bug #2160: openbsd: pcap with raw datalink not supported
Bug #2161: libhtp 0.5.25
Bug #2165: rust: releases should include crate dependencies (cargo-vendor)
4.0.0-beta1 -- 2017-06-07
Feature #805: Add support for applayer change
Feature #806: Implement STARTTLS support
Feature #1636: Signal rotation of unified2 log file without restart
Feature #1953: lua: expose flow_id
Feature #1969: TLS transactions with session resumption are not logged
Feature #1978: Using date in logs name
Feature #1998: eve.tls: custom TLS logging
Feature #2006: tls: decode certificate serial number
Feature #2011: eve.alert: print outside IP addresses on alerts on traffic inside tunnels
Feature #2046: Support custom file permissions per logger
Feature #2061: lua: get timestamps from flow
Feature #2077: Additional HTTP Header Contents and Negation
Feature #2129: nfs: parser, logger and detection
Feature #2130: dns: rust parser with stateless behaviour
Feature #2132: eve: flowbit and other vars logging
Feature #2132: eve: flowbit and other vars logging
Feature #2133: unix socket: add/remove hostbits
Bug #1335: suricata option --pidfile overwrites any file
Bug #1470: make install-full can have race conditions on OSX.
Bug #1759: CentOS5 EOL tasks
Bug #2037: travis: move off legacy support
Bug #2039: suricata stops processing when http-log output via unix_stream backs up
Bug #2041: bad checksum 0xffff
Bug #2044: af-packet: faulty VLAN handling in tpacket-v3 mode
Bug #2045: geoip: compile warning on CentOS 7
Bug #2049: Empty rule files cause failure exit code without corresponding message
Bug #2051: ippair: xbit unset memory leak
Bug #2053: ippair: pair is direction sensitive
Bug #2070: file store: file log / file store mismatch with multiple files
Bug #2072: app-layer: fix memleak on bad traffic
Bug #2078: http body handling: failed assertion
Bug #2088: modbus: clang-4.0 compiler warnings
Bug #2093: Handle TCP stream gaps.
Bug #2097: "Name of device should not be null" appears in suricata.log when using pfring with configuration from suricata.yaml
Bug #2098: isdataat: fix parsing issue with leading spaces
Bug #2108: pfring: errors when compiled with asan/debug
Bug #2111: doc: links towards http_header_names
Bug #2112: doc: links towards certain http_ keywords not working
Bug #2113: Race condition starting Unix Server
Bug #2118: defrag - overlap issue in linux policy
Bug #2125: ASAN SEGV - Suricata version 4.0dev (rev 922a27e)
Optimization #521: Introduce per stream thread segment pool
Optimization #1873: Classtypes missing on decoder-events,files, and stream-events
3.2.1 -- 2017-02-15
Feature #1951: Allow building without libmagic/file
Feature #1972: SURICATA ICMPv6 unknown type 143 for MLDv2 report
Feature #2010: Suricata should confirm SSSE3 presence at runtime when built with Hyperscan support
Bug #467: compilation with unittests & debug validation
Bug #1780: VLAN tags not forwarded in afpacket inline mode
Bug #1827: Mpm AC fails to alloc memory
Bug #1843: Mpm Ac: int overflow during init
Bug #1887: pcap-log sets snaplen to -1
Bug #1946: can't get response info in some situation
Bug #1973: suricata fails to start because of unix socket
Bug #1975: hostbits/xbits memory leak
Bug #1982: tls: invalid record event triggers on valid traffic
Bug #1984: http: protocol detection issue if both sides are malformed
Bug #1985: pcap-log: minor memory leaks
Bug #1987: log-pcap: pcap files created with invalid snaplen
Bug #1988: tls_cert_subject bug
Bug #1989: SMTP protocol detection is case sensitive
Bug #1991: Suricata cannot parse ports: "![1234, 1235]"
Bug #1997: tls-store: bug that cause Suricata to crash
Bug #2001: Handling of unsolicited DNS responses.
Bug #2003: BUG_ON body sometimes contains side-effectual code
Bug #2004: Invalid file hash computation when force-hash is used
Bug #2005: Incoherent sizes between request, capture and http length
Bug #2007: smb: protocol detection just checks toserver
Bug #2008: Suricata 3.2, pcap-log no longer works due to timestamp_pattern PCRE
Bug #2009: Suricata is unable to get offloading settings when run under non-root
Bug #2012: dns.log does not log unanswered queries
Bug #2017: EVE Log Missing Fields
Bug #2019: IPv4 defrag evasion issue
Bug #2022: dns: out of bound memory read
3.2 -- 2016-12-01
Bug #1117: PCAP file count does not persist
Bug #1577: luajit scripts load error
Bug #1924: Windows dynamic DNS updates trigger 'DNS malformed request data' alerts
Bug #1938: suricata: log handling issues
Bug #1955: luajit script init failed
Bug #1960: Error while parsing rule with PCRE keyword with semicolon
Bug #1961: No error on missing semicolon between depth and classtype
Bug #1965: dnp3/enip/cip keywords naming convention
Bug #1966: af-packet fanout detection broken on Debian Jessie (master)
3.2RC1 -- 2016-11-01
Feature #1906: doc: install man page and ship pdf
Feature #1916: lua: add an SCPacketTimestamp function
Feature #1867: rule compatibility: flow:not_established not supported.
Bug #1525: Use pkg-config for libnetfilter_queue
Bug #1690: app-layer-proto negation issue
Bug #1909: libhtp 0.5.23
Bug #1914: file log always shows stored: no even if file is stored
Bug #1917: nfq: bypass SEGV
Bug #1919: filemd5: md5-list does not allow comments any more
Bug #1923: dns - back to back requests results in loss of response
Bug #1928: flow bypass leads to memory errors
Bug #1931: multi-tenancy fails to start
Bug #1932: make install-full does not install tls-events.rules
Bug #1935: Check redis reply in non pipeline mode
Bug #1936: Can't set fast_pattern on tls_sni content
3.2beta1 -- 2016-10-03
Feature #509: add SHA1 and SHA256 checksum support for files
Feature #1231: ssl_state negation support
Feature #1345: OOBE -3- disable NIC offloading by default
Feature #1373: Allow different reassembly depth for filestore rules
Feature #1495: EtherNet/IP and CIP support
Feature #1583: tls: validity fields (notBefore and notAfter)
Feature #1657: Per application layer stats
Feature #1896: Reimplement tls.subject and tls.isserdn
Feature #1903: tls: tls_cert_valid and tls_cert_expired keywords
Feature #1907: http_request_line and http_response_line
Optimization #1044: TLS buffers evaluated by fast_pattern matcher.
Optimization #1277: Trigger second live rule-reload while first one is in progress
Bug #312: incorrect parsing of rules with missing semi-colon for keywords
Bug #712: wildcard matches on tls.subject
Bug #1353: unix-command socket created with last character missing
Bug #1486: invalid rule: parser err msg not descriptive enough
Bug #1525: Use pkg-config for libnetfilter_queue
Bug #1893: tls: src_ip and dest_ip reversed in TLS events for IPS vs IDS mode.
Bug #1898: Inspection does not always stop when stream depth is reached
3.1.2 -- 2016-09-06
Feature #1830: support 'tag' in eve log
Feature #1870: make logged flow_id more unique
Feature #1874: support Cisco Fabric Path / DCE
Feature #1885: eve: add option to log all dropped packets
Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
Bug #1853: suricata is matching everything on dce_stub_data buffer
Bug #1854: unified2: logging of tagged packets not working
Bug #1856: PCAP mode device not found
Bug #1858: Lots of TCP 'duplicated option/DNS malformed request data' after upgrading from 3.0.1 to 3.1.1
Bug #1878: dns: crash while logging sshfp records
Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
Bug #1884: libhtp 0.5.22
3.1.1 -- 2016-07-13
Feature #1775: Lua: SMTP-support
Bug #1419: DNS transaction handling issues
Bug #1515: Problem with Threshold.config when using more than one IP
Bug #1664: Unreplied DNS queries not logged when flow is aged out
Bug #1808: Can't set thread priority after dropping privileges.
Bug #1821: Suricata 3.1 fails to start on CentOS6
Bug #1839: suricata 3.1 configure.ac says >=libhtp-0.5.5, but >=libhtp-0.5.20 required
Bug #1840: --list-keywords and --list-app-layer-protos not working
Bug #1841: libhtp 0.5.21
Bug #1844: netmap: IPS mode doesn't set 2nd iface in promisc mode
Bug #1845: Crash on disabling a app-layer protocol when it's logger is still enabled
Optimization #1846: af-packet: improve thread calculation logic
Optimization #1847: rules: don't warn on empty files
3.1 -- 2016-06-20
Bug #1589: Cannot run nfq in workers mode
Bug #1804: yaml: legacy detect-engine parsing custom values broken
3.1RC1 -- 2016-06-07
Feature #681: Implement TPACKET_V3 support in AF_PACKET
Feature #1134: tls: server name rule keyword
Feature #1343: OOBE -1- increasing the default stream.memcap and stream.reassembly.memcap values
Feature #1344: OOBE -2- decreasing the default flow-timeouts (at least for TCP)
Feature #1563: dns: log sshfp records
Feature #1760: Unit tests: Don't register return value, use 1 for success, 0 for failure.
Feature #1761: Unit tests: Provide macros for clean test failures.
Feature #1762: default to AF_PACKET for -i if available
Feature #1785: hyperscan spm integration
Feature #1789: hyperscan mpm: enable by default
Feature #1797: netmap: implement 'threads: auto'
Feature #1798: netmap: warn about NIC offloading on FreeBSD
Feature #1800: update bundled libhtp to 0.5.20
Feature #1801: reduce info level verbosity
Feature #1802: yaml: improve default layout
Feature #1803: reimplement rule grouping
Bug #1078: 'Not" operator (!) in Variable causes extremely slow loading of Suricata
Bug #1202: detect-engine profile medium consumes more memory than detect-engine profile high
Bug #1289: MPM b2gm matcher has questionable code
Bug #1487: Configuration parser depends on key ordering
Bug #1524: Potential Thread Name issues due to RHEL7 Interface Naming Contentions
Bug #1584: Rule keywords conflict will cause Suricata restart itself in loop
Bug #1606: [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl: 6
Bug #1665: Default maximum packet size is insufficient when VLAN tags are present (and not stripped)
Bug #1714: Kernel panic on application exit with netmap Suricata 3.0 stable
Bug #1746: deadlock with autofp and --disable-detection
Bug #1764: app-layer-modbus: AddressSanitizer error (segmentation fault)
Bug #1768: packet processing threads doubled
Bug #1771: tls store memory leak
Bug #1773: smtp: not all attachments inspected in all cases
Bug #1786: spm crash on rule reload
Bug #1792: dns-json-log produces no output
Bug #1795: Remove unused CPU affinity settings from suricata.yaml
Optimization #563: pmq optimization -- remove patter_id_array
Optimization #1037: Optimize TCP Option storage
Optimization #1418: lockless flow handling during capture (autofp)
Optimization #1784: reduce storage size of IPv4 options and IPv6 ext hdrs
3.0.1 -- 2016-04-04
Feature #1704: hyperscan mpm integration
Feature #1661: Improved support for xbits/hostbits (in particular ip_pair) when running with multiple threads
Bug #1697: byte_extract incompatibility with Snort.
Bug #1737: Stats not reset between PCAPs when Suricata runs in socket mode
3.0.1RC1 -- 2016-03-23
Feature #1535: Expose the certificate itself in TLS-lua
Feature #1696: improve logged flow_id
Feature #1700: enable "relro" and "now" in compile options for 3.0
Feature #1734: gre: support transparent ethernet bridge decoding
Feature #1740: Create counters for decode-events errors
Bug #873: suricata.yaml: .mgc is NOT actually added to value for magic file
Bug #1166: tls: CID 1197759: Resource leak (RESOURCE_LEAK)
Bug #1268: suricata and macos/darwin: [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: File 5.19 supports only version 12 magic files. `/usr/share/file/magic.mgc' is version 7
Bug #1359: memory leak
Bug #1411: Suricata generates huge load when nfq_create_queue failed
Bug #1570: stream.inline defaults to IDS mode if missing
Bug #1591: afpacket: unsupported datalink type 65534 on tun device
Bug #1619: Per-Thread Delta Stats Broken
Bug #1638: rule parsing issues: rev
Bug #1641: Suricata won't build with --disable-unix-socket when libjansson is enabled
Bug #1646: smtp: fix inspected tracker values
Bug #1660: segv when using --set on a list
Bug #1669: Suricate 3.0RC3 segfault after 10 hours
Bug #1670: Modbus compiler warnings on Fedora 23
Bug #1671: Cygwin Windows compilation with libjansson from source
Bug #1674: Cannot use 'tag:session' after base64_data keyword
Bug #1676: gentoo build error
Bug #1679: sensor-name configuration parameter specified in wrong place in default suricata.yaml
Bug #1680: Output sensor name in json
Bug #1684: eve: stream payload has wrong direction in IPS mode
Bug #1686: Conflicting "no" for "totals" and "threads" in stats output
Bug #1689: Stack overflow in case of variables misconfiguration
Bug #1693: Crash on Debian with libpcre 8.35
Bug #1695: Unix Socket missing dump-counters mode
Bug #1698: Segmentation Fault at detect-engine-content-inspection.c:438 (master)
Bug #1699: CUDA build broken
Bug #1701: memory leaks
Bug #1702: TLS SNI parsing issue
Bug #1703: extreme slow down in HTTP multipart parsing
Bug #1706: smtp memory leaks
Bug #1707: malformed json if message is too big
Bug #1708: dcerpc memory leak
Bug #1709: http memory leak
Bug #1715: nfq: broken time stamps with recent Linux kernel 4.4
Bug #1717: Memory leak on Suricata 3.0 with Netmap
Bug #1719: fileinfo output wrong in eve in http
Bug #1720: flowbit memleak
Bug #1724: alert-debuglog: non-decoder events won't trigger rotation.
Bug #1725: smtp logging memleak
Bug #1727: unix socket runmode per pcap memory leak
Bug #1728: unix manager command channel memory leaks
Bug #1729: PCRE jit is disabled/blacklisted when it should not
Bug #1731: detect-tls memory leak
Bug #1735: cppcheck: Shifting a negative value is undefined behaviour
Bug #1736: tls-sni: memory leaks on malformed traffic
Bug #1742: vlan use-for-tracking including Priority in hashing
Bug #1743: compilation with musl c library fails
Bug #1744: tls: out of bounds memory read on malformed traffic
Optimization #1642: Add --disable-python option
3.0 -- 2016-01-27
Bug #1673: smtp: crash during mime parsing
3.0RC3 -- 2015-12-21
Bug #1632: Fail to download large file with browser
Bug #1634: Fix non thread safeness of Prelude analyzer
Bug #1640: drop log crashes
Bug #1645: Race condition in unix manager
Bug #1647: FlowGetKey flow-hash.c:240 segmentation fault (master)
Bug #1650: DER parsing issue (master)
3.0RC2 -- 2015-12-08
Bug #1551: --enable-profiling-locks broken
Bug #1602: eve-log prefix field feature broken
Bug #1614: app_proto key missing from EVE file events
Bug #1615: disable modbus by default
Bug #1616: TCP reassembly bug
Bug #1617: DNS over TCP parsing issue
Bug #1618: SMTP parsing issue
Feature #1635: unified2 output: disable by default
3.0RC1 -- 2015-11-25
Bug #1150: TLS store disabled by TLS EVE logging
Bug #1210: global counters in stats.log
Bug #1423: Unix domain log file writer should automatically reconnect if receiving program is restarted.
Bug #1466: Rule reload - Rules won't reload if rule files are listed in an included file.
Bug #1467: Specifying an IPv6 entry before an IPv4 entry in host-os-policy causes ASAN heap-buffer-overflow.
Bug #1472: Should 'goodsigs' be 'goodtotal' when checking if signatures were loaded in detect.c?
Bug #1475: app-layer-modbus: AddressSanitizer error (heap-buffer-overflow)
Bug #1481: Leading whitespace in flowbits variable names
Bug #1482: suricata 2.1 beta4: StoreStateTxFileOnly crashes
Bug #1485: hostbits - leading and trailing spaces are treated as part of the name and direction.
Bug #1488: stream_size <= and >= modifiers function as < and > (equality is not functional)
Bug #1491: pf_ring is not able to capture packets when running under non-root account
Bug #1493: config test (-T) doesn't fail on missing files
Bug #1494: off by one on rulefile count
Bug #1500: suricata.log
Bug #1508: address var parsing issue
Bug #1517: Order dependent, ambiguous YAML in multi-detect.
Bug #1518: multitenancy - selector vlan - vlan id range
Bug #1521: multitenancy - global vlan tracking relation to selector
Bug #1523: Decoded base64 payload short by 16 characters
Bug #1530: multitenant mapping relation
Bug #1531: multitenancy - confusing tenant id and vlan id output
Bug #1556: MTU setting on NIC interface not considered by af-packet
Bug #1557: stream: retransmission not detected
Bug #1565: defrag: evasion issue
Bug #1597: dns parser issue (master)
Bug #1601: tls: server name logging
Feature #1116: ips packet stats in stats.log
Feature #1137: Support IP lists in threshold.config
Feature #1228: Suricata stats.log in JSON format
Feature #1265: Replace response on Suricata dns decoder when dns error please
Feature #1281: long snort ruleset support for "SC_ERR_NOT_SUPPORTED(225): content length greater than 255 unsupported"
Feature #1282: support for base64_decode from snort's ruleset
Feature #1342: Support Cisco erspan traffic
Feature #1374: Write pre-aggregated counters for all threads
Feature #1408: multi tenancy for detection
Feature #1440: Load rules file from a folder or with a star pattern rather then adding them manually to suricata.yaml
Feature #1454: Proposal to add Lumberjack/CEE formatting option to EVE JSON syslog output for compatibility with rsyslog parsing
Feature #1492: Add HUP coverage to output json-log
Feature #1498: color output
Feature #1499: json output for engine messages
Feature #1502: Expose tls fields to lua
Feature #1514: SSH softwareversion regex should allow colon
Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)
Feature #1568: TLS lua output support
Feature #1569: SSH lua support
Feature #1582: Redis output support
Feature #1586: Add flow memcap counter
Feature #1599: rule profiling: json output
Optimization #1269: Convert SM List from linked list to array
2.1beta4 -- 2015-05-08
Bug #1314: http-events performance issues
Bug #1340: null ptr dereference in Suricata v2.1beta2 (output-json.c:347)
Bug #1352: file list is not cleaned up
Bug #1358: Gradual memory leak using reload (kill -USR2 $pid)
Bug #1366: Crash if default_packet_size is below 32 bytes
Bug #1378: stats api doesn't call thread deinit funcs
Bug #1384: tcp midstream window issue (master)
Bug #1388: pcap-file hangs on systems w/o atomics support (master)
Bug #1392: http uri parsing issue (master)
Bug #1393: CentOS 5.11 build failures
Bug #1398: DCERPC traffic parsing issue (master)
Bug #1401: inverted matching on incomplete session
Bug #1402: When re-opening files on HUP (rotation) always use the append flag.
Bug #1417: no rules loaded - latest git - rev e250040
Bug #1425: dead lock in de_state vs flowints/flowvars
Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled
Bug #1429: stream: last_ack update issue leading to stream gaps
Bug #1435: EVE-Log alert payload option loses data
Bug #1441: Local timestamps in json events
Bug #1446: Unit ID check in Modbus packet error
Bug #1449: smtp parsing issue
Bug #1451: Fix list-keywords regressions
Bug #1463: modbus parsing issue
Feature #336: Add support for NETMAP to Suricata.
Feature #885: smtp file_data support
Feature #1394: Improve TCP reuse support
Feature #1410: add alerts to EVE's drop logs
Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
Feature #1447: Ability to reject ICMP traffic
Feature #1448: xbits
Optimization #1014: app layer reassembly fast-path
Optimization #1377: flow manager: reduce (try)locking
Optimization #1403: autofp packet pool performance problems
Optimization #1409: http pipeline support for stateful detection
2.1beta3 -- 2015-01-29
Bug #977: WARNING on empty rules file is fatal (should not be)
Bug #1184: pfring: cppcheck warnings
Bug #1321: Flow memuse bookkeeping error
Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
Bug #1332: cppcheck: ioctl
Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
Bug #1351: output-json: duplicate logging (2.1.x)
Bug #1354: coredumps on quitting on OpenBSD
Bug #1355: Bus error when reading pcap-file on OpenBSD
Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x)
Bug #1365: evasion issues (2.1.x)
Feature #1261: Request for Additional Lua Capabilities
Feature #1309: Lua support for Stats output
Feature #1310: Modbus parsing and matching
Feature #1317: Lua: Indicator for end of flow
Feature #1333: unix-socket: allow (easier) non-root usage
Optimization #1339: flow timeout optimization
Optimization #1339: flow timeout optimization
Optimization #1371: mpm optimization
2.1beta2 -- 2014-11-06
Feature #549: Extract file attachments from emails
Feature #1312: Lua output support
Feature #899: MPLS over Ethernet support
Feature #707: ip reputation files - network range inclusion availability (cidr)
Feature #383: Stream logging
Feature #1263: Lua: Access to Stream Payloads
Feature #1264: Lua: access to TCP quad / Flow Tuple
Bug #1048: PF_RING/DNA config - suricata.yaml
Bug #1230: byte_extract, within combination not working
Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml
Bug #1259: AF_PACKET IPS is broken in 2.1beta1
Bug #1260: flow logging at shutdown broken
Bug #1279: BUG: NULL pointer dereference when suricata was debug mode.
Bug #1280: BUG: IPv6 address vars issue
Bug #1285: Lua - http.request_line not working (2.1)
Bug #1287: Lua Output has dependency on eve-log:http
Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger
Bug #1294: Configure doesn't use --with-libpcap-libraries when testing PF_RING library
Bug #1301: suricata yaml - PF_RING load balance per hash option
Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master)
Bug #1311: EVE output Unix domain socket not working (2.1)
2.1beta1 -- 2014-08-12
Feature #1155: Log packet payloads in eve alerts
Feature #1208: JSON Output Enhancement - Include Payload(s)
Feature #1248: flow/connection logging
Feature #1258: json: include HTTP info with Alert output
Optimization #1039: Packetpool should be a stack
Optimization #1241: pcap recording: record per thread
2.0.3 -- 2014-08-08
Bug #1236: fix potential crash in http parsing
Bug #1244: ipv6 defrag issue
Bug #1238: Possible evasion in stream-tcp-reassemble.c
Bug #1221: lowercase conversion table missing last value
Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling
2.0.2 -- 2014-06-25
Bug #1098: http_raw_uri with relative pcre parsing issue
Bug #1175: unix socket: valgrind warning
Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
Bug #1195: nflog: cppcheck reports memleaks
Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
Bug #1211: defrag issue
Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
Bug #1217: Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analized via socket
Feature #781: IDS using NFLOG iptables target
Feature #1158: Parser DNS TXT data parsing and logging
Feature #1197: liblua support
Feature #1200: sighup for log rotation
2.0.1 -- 2014-05-21
No changes since 2.0.1rc1
2.0.1rc1 -- 2014-05-12
Bug #978: clean up app layer parser thread local storage
Bug #1064: Lack of Thread Deinitialization For Decoder Modules
Bug #1101: Segmentation in AppLayerParserGetTxCnt
Bug #1136: negated app-layer-protocol FP on multi-TX flows
Bug #1141: dns response parsing issue
Bug #1142: dns tcp toclient protocol detection
Bug #1143: tls protocol detection in case of tls-alert
Bug #1144: icmpv6: unknown type events for MLD_* types
Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
Bug #1146: tls: event on 'new session ticket' in handshake
Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
Bug #1161: eve: src and dst mixed up in some cases
Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
Bug #1163: HTP Segfault
Bug #1165: af_packet - one thread consistently not working
Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
Bug #1176: AF_PACKET IPS mode is broken in 2.0
Bug #1177: eve log do not show action 'dropped' just 'allowed'
Bug #1180: Possible problem in stream tracking
Feature #1157: Always create pid file if --pidfile command line option is provided.
Feature #1173: tls: OpenSSL heartbleed detection
2.0 -- 2014-03-25
Bug #1151: tls.store not working when a TLS filter keyword is used
2.0rc3 -- 2014-03-18
Bug #1127: logstash & suricata parsing issue
Bug #1128: Segmentation fault - live rule reload
Bug #1129: pfring cluster & ring initialization
Bug #1130: af-packet flow balancing problems
Bug #1131: eve-log: missing user agent reported inconsistently
Bug #1133: eve-log: http depends on regular http log
Bug #1135: 2.0rc2 release doesn't set optimization flag on GCC
Bug #1138: alert fastlog drop info missing
2.0rc2 -- 2014-03-06
Bug #611: fp: rule with ports matching on portless proto
Bug #985: default config generates rule warnings and errors
Bug #1021: 1.4.6: conf_filename not checked before use
Bug #1089: SMTP: move depends on uninitialised value
Bug #1090: FTP: Memory Leak
Bug #1091: TLS-Handshake: Uninitialized value
Bug #1092: HTTP: Memory Leak
Bug #1108: suricata.yaml config parameter - segfault
Bug #1109: PF_RING vlan handling
Bug #1110: Can have the same Pattern ID (pid) for the same pattern but different case flags
Bug #1111: capture stats at exit incorrect
Bug #1112: tls-events.rules file missing
Bug #1115: nfq: exit stats not working
Bug #1120: segv with pfring/afpacket and eve-log enabled
Bug #1121: crash in eve-log
Bug #1124: ipfw build broken
Feature #952: Add VLAN tag ID to all outputs
Feature #953: Add QinQ tag ID to all outputs
Feature #1012: Introduce SSH log
Feature #1118: app-layer protocols http memcap - info in verbose mode (-v)
Feature #1119: restore SSH protocol detection and parser
2.0rc1 -- 2014-02-13
Bug #839: http events alert multiple times
Bug #954: VLAN decoder stats with AF Packet get written to the first thread only - stats.log
Bug #980: memory leak in http buffers at shutdown
Bug #1066: logger API's for packet based logging and tx based logging
Bug #1068: format string issues with size_t + qa not catching them
Bug #1072: Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault
Bug #1073: radix tree lookups are not thread safe
Bug #1075: CUDA 5.5 doesn't compile with 2.0 beta 2
Bug #1079: Err loading rules with variables that contain negated content.
Bug #1080: segfault - 2.0dev (rev 6e389a1)
Bug #1081: 100% CPU utilization with suricata 2.0 beta2+
Bug #1082: af-packet vlan handling is broken
Bug #1103: stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets
Bug #1104: vlan tagged fragmentation
Bug #1106: Git compile fails on Ubuntu Lucid
Bug #1107: flow timeout causes decoders to run on pseudo packets
Feature #424: App layer registration cleanup - Support specifying same alproto names in rules for different ip protocols
Feature #542: TLS JSON output
Feature #597: case insensitive fileext match
Feature #772: JSON output for alerts
Feature #814: QinQ tag flow support
Feature #894: clean up output
Feature #921: Override conf parameters
Feature #1007: united output
Feature #1040: Suricata should compile with -Werror
Feature #1067: memcap for http inside suricata
Feature #1086: dns memcap
Feature #1093: stream: configurable segment pools
Feature #1102: Add a decoder.QinQ stats in stats.log
Feature #1105: Detect icmpv6 on ipv4
2.0beta2 -- 2013-12-18
Bug #463: Suricata not fire on http reply detect if request are not http
Bug #640: app-layer-event:http.host_header_ambiguous set when it shouldn't
Bug #714: some logs not created in daemon mode
Bug #810: Alerts on http traffic storing the wrong packet as the IDS event payload
Bug #815: address parsing with negation
Bug #820: several issues found by clang 3.2
Bug #837: Af-packet statistics inconsistent under very high traffic
Bug #882: MpmACCudaRegister shouldn't call PatternMatchDefaultMatcher
Bug #887: http.log printing unknown hostname most of the time
Bug #890: af-packet segv
Bug #892: detect-engine.profile - custom - does not err out in incorrect toclient/srv values - suricata.yaml
Bug #895: response: rst packet bug
Bug #896: pfring dna mode issue
Bug #897: make install-full fails if wget is missing
Bug #903: libhtp valgrind warning
Bug #907: icmp_seq and icmp_id keyword with icmpv6 traffic (master)
Bug #910: make check fails w/o sudo/root privs
Bug #911: HUP signal
Bug #912: 1.4.3: Unit test in util-debug.c: line too long.
Bug #914: Having a high number of pickup queues (216+) makes suricata crash
Bug #915: 1.4.3: log-pcap.c: crash on printing a null filename
Bug #917: 1.4.5: decode-ipv6.c: void function cannot return value
Bug #920: Suricata failed to parse address
Bug #922: trackers value in suricata.yaml
Bug #925: prealloc-sessions value bigger than allowed in suricata.yaml
Bug #926: prealloc host value in suricata.yaml
Bug #927: detect-thread-ratio given a non numeric value in suricata.yaml
Bug #928: Max number of threads
Bug #932: wrong IP version - on stacked layers
Bug #939: thread name buffers are sized inconsistently
Bug #943: pfring: see if we can report that the module is not loaded
Bug #948: apple ppc64 build broken: thread-local storage not supported for this target
Bug #958: SSL parsing issue (master)
Bug #963: XFF compile failure on OSX
Bug #964: Modify negated content handling
Bug #967: threshold rule clobbers suppress rules
Bug #968: unified2 not logging tagged packets
Bug #970: AC memory read error
Bug #973: Use different ids for content patterns which are the same, but one of them has a fast_pattern chop set on it.
Bug #976: ip_rep supplying different no of alerts for 2 different but semantically similar rules
Bug #979: clean up app layer protocol detection memory
Bug #982: http events missing
Bug #987: default config generates error(s)
Bug #988: suricata don't exit in live mode
Bug #989: Segfault in HTPStateGetTxCnt after a few minutes
Bug #991: threshold mem leak
Bug #994: valgrind warnings in unittests
Bug #995: tag keyword: tagging sessions per time is broken
Bug #998: rule reload triggers app-layer-event FP's
Bug #999: delayed detect inits thresholds before de_ctx
Bug #1003: Segmentation fault
Bug #1023: block rule reloads during delayed detect init
Bug #1026: pfring: update configure to link with -lrt
Bug #1031: Fix IPv6 stream pseudo packets
Bug #1035: http uri/query normalization normalizes 'plus' sign to space
Bug #1042: Can't match "emailAddress" field in tls.subject and tls.issuerdn
Bug #1061: Multiple flowbit set in one rule
Feature #234: add option disable/enable individual app layer protocol inspection modules
Feature #417: ip fragmentation time out feature in yaml
Feature #478: XFF (X-Forwarded-For)
Feature #602: availability for http.log output - identical to apache log format
Feature #622: Specify number of pf_ring/af_packet receive threads on the command line
Feature #727: Explore the support for negated alprotos in sigs.
Feature #746: Decoding API modification
Feature #751: Add invalid packet counter
Feature #752: Improve checksum detection algorithm
Feature #789: Clean-up start and stop code
Feature #813: VLAN flow support
Feature #878: add storage api
Feature #901: VLAN defrag support
Feature #904: store tx id when generating an alert
Feature #940: randomize http body chunks sizes
Feature #944: detect nic offloading
Feature #956: Implement IPv6 reject
Feature #957: reject: iface setup
Feature #959: Move post config initialisation code to PostConfLoadedSetup
Feature #981: Update all switch case fall throughs with comments on false throughs
Feature #983: Provide rule support for specifying icmpv4 and icmpv6.
Feature #986: set htp request and response size limits
Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
Feature #1009: Yaml file inclusion support
Feature #1032: profiling: per keyword stats
Optimization #583: improve Packet_ structure layout
Optimization #1018: clean up counters api
Optimization #1041: remove mkinstalldirs from git
2.0beta1 -- 2013-07-18
- Luajit flow vars and flow ints support (#593)
- DNS parser, logger and keyword support (#792), funded by Emerging Threats
- deflate support for HTTP response bodies (#470, #775)
- update to libhtp 0.5 (#775)
- improved gzip support for HTTP response bodies (#470, #775)
- redesigned transaction handling, improving both accuracy and performance (#753)
- redesigned CUDA support (#729)
- Be sure to always apply verdict to NFQ packet (#769)
- stream engine: SACK allocs should adhere to memcap (#794)
- stream: deal with multiple different SYN/ACK's better (#796)
- stream: Randomize stream chunk size for raw stream inspection (#804)
- Introduce per stream thread ssn pool (#519)
- "pass" IP-only rules should bypass detection engine after matching (#718)
- Generate error if bpf is used in IPS mode (#777)
- Add support for batch verdicts in NFQ, thanks to Florian Westphal
- Update Doxygen config, thanks to Phil Schroeder
- Improve libnss detection, thanks to Christian Kreibich
- Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml
- OS X unix socket build fixed (#830)
- bytetest, bytejump and byteextract negative offset failure (#827)
- Fix fast.log formatting issues (#771), thanks to Rmkml
- Invalidate negative depth (#774), thanks to Rmkml
- Fixed accuracy issues with relative pcre matching (#791)
- Fix deadlock in flowvar capture code (#802)
- Improved accuracy of file_data keyword (#817)
- Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy
- stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau
1.4.4 -- 2013-07-18
- Bug #834: Unix socket - showing as compiled when it is not desired to do so
- Bug #835: Unix Socket not working as expected
- Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present
- Bug #846: FP on IP frag and sig use udp port 0, thanks to Rmkml
- Bug #864: backport packet action macro's
- Bug #876: htp tunnel fix
- Bug #877: Flowbit check with content doesn't match consistently, thanks to Francis Trudeau
1.4.3 -- 2013-06-20
- Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828)
- Fix IPS mode being unable to drop tunneled packets (#826)
- Fix OS X Unix Socket build (#829)
1.4.2 -- 2013-05-29
- No longer force nocase to be used on http_host
- Invalidate rule if uppercase content is used for http_host w/o nocase
- Warn user if bpf is used in af-packet IPS mode
- Better test for available libjansson version
- Fixed accuracy issues with relative pcre matching (#784)
- Improved accuracy of file_data keyword (#788)
- Invalidate negative depth (#770)
- Fix http host parsing for IPv6 addresses (#761)
- Fix fast.log formatting issues (#773)
- Fixed deadlock in flowvar set code for http buffers (#801)
- Various signature ordering improvements
- Minor stream engine fix
1.4.1 -- 2013-03-08
- GeoIP keyword, allowing matching on Maxmind's database, contributed by Ignacio Sanchez (#559)
- Introduce http_host and http_raw_host keywords (#733, #743)
- Add python module for interacting with unix socket (#767)
- Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)
- Big Napatech support update by Matt Keeler
- Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
- FreeBSD IPFW fixes by Nikolay Denev
- Add "default" interface setting to capture configuration in yaml (#679)
- Make sure "snaplen" can be set by the user (#680)
- Improve HTTP URI query string normalization (#739)
- Improved error reporting in MD5 loading (#693)
- Improve reference.config parser error reporting (#737)
- Improve build info output to include all configure options (#738)
- Segfault in TLS parsing reported by Charles Smutz (#725)
- Fix crash in teredo decoding, reported by Rmkml (#736)
- fixed UDPv4 packets without checksum being detected as invalid (#760)
- fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
- FN: IP-only rule ip_proto not matching for some protocols (#689)
- Fix build failure with other libhtp installs (#688)
- Fix malformed yaml loading leading to a crash (#694)
- Various Mac OS X fixes (#700, #701, #703)
- Fix for autotools on Mac OS X by Jason Ish (#704)
- Fix AF_PACKET under high load not updating stats (#706)
1.3.6 -- 2013-03-07
- fix decoder event rules not checked in all cases (#671)
- checksum detection for icmpv6 was fixed (#673)
- crash in HTTP server body inspection code fixed (#675)
- fixed a icmpv6 payload bug (#676)
- IP-only rule ip_proto not matching for some protocols was addressed (#690)
- fixed malformed yaml crashing suricata (#702)
- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
- crash in tls parser was fixed (#759)
- fixed UDPv4 packets without checksum being detected as invalid (#762)
- fixed DCE/SMB parsers getting confused in some fragmented cases (#763)
1.4 2012-12-13
- Decoder event matching fixed (#672)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
- Add more events to IPv6 extension header anomolies (#678)
- Fix ICMPv6 payload and checksum calculation (#677, #674)
- Clean up flow timeout handling (#656)
- Fix a shutdown bug when using AF_PACKET under high load (#653)
- Fix TCP sessions being cleaned up to early (#652)
1.3.5 2012-12-06
- Flow engine memory leak fixed by Ludovico Cavedon (#651)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664)
- Flow manager mutex used unintialized, fixed by Ludovico Cavedon (#654)
- Windows building in CYGWIN fixed (#630)
1.4rc1 2012-11-29
- Interactive unix socket mode (#571, #552)
- IP Reputation: loading and matching (#647)
- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
- Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
- User-Agent added to file log and filestore meta files (#629)
- Endace DAG supports live stats and at exit drop stats (#638)
- Add support for libhtp event "request port doesn't match tcp port" (#650)
- Rules with negated addresses will not be considered IP-only (#599)
- Rule reloads complete much faster in low traffic conditions (#526)
- Suricata -h now displays all available options (#419)
- Luajit configure time detection was improved (#636)
- Flow manager mutex used w/o initialization (#628)
- Cygwin work around for windows shell mangling interface string (#372)
- Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
- CLANG compiler build fixes (#649)
- Several fixes found by code analyzers
1.4beta3 2012-11-14
- support for Napatech cards was greatly improved by Matt Keeler from Npulse (#430, #619)
- support for pkt_data keyword was added
- user and group to run as can now be set in the config file
- make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
- add contrib directory to the dist (#567)
- performance improvements to signatures with dsize option
- improved rule analyzer: print fast_pattern along with the rule (#558)
- fixes to stream engine reducing the number of events generated (#604)
- add stream event to match on overlaps with different data in stream reassembly (#603)
- stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
- HTTP handling in OOM condition was greatly improved (#557)
- filemagic keyword performance was improved (#585)
- fixes and improvements to daemon mode (#624)
- fix drop rules not working correctly when thresholded (#613)
- fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581)
- fix a false possitive condition in http_header (#607)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627)
- fixes to rule profiling (#576)
- cleanups and misc fixes (#379, #395)
- updated bundled libhtp to 0.2.11
- build system improvements and cleanups
- fix to SSL record parsing
1.3.4 -- 2012-11-14
- fix crash in flow and host engines in cases of low memory or low memcap settings (#617)
- improve http handling in low memory conditions (#620)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626)
- fix building on OpenBSD 5.2
- update default config's defrag settings to reflect all available options
- fixes to make check
- fix to SSL record parsing
1.3.3 -- 2012-11-01
- fix drop rules not working correctly when thresholded (#615)
- fix a false possitive condition in http_header (#606)
- fix extracted file corruption (#601)
- fix a false possitive condition with the pcre keyword and relative matching (#588)
- fix PF_RING set cluster problem on dma interfaces (#598)
- improve http handling in low memory conditions (#586, #587)
- fix FreeBSD inline mode crash (#612)
- suppress pcre jit warning (#579)
1.4beta2 -- 2012-10-04
- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346)
- Added ability to control per server HTTP parser settings in much more detail (#503)
- Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
- Big performance improvement in inspecting decoder, stream and app layer events (#555)
- Pool performance improvements (#541)
- Improved performance of signatures with simple pattern setups (#577)
- Bundled docs are installed upon make install (#527)
- Support for a number of global vs rule thresholds [3] was added (#425)
- Improved rule profiling performance
- If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.
- Fix compilation on architectures other than x86 and x86_64 (#572)
- Fix FP with anchored pcre combined with relative matching (#529)
- Fix engine hanging instead of exitting if the pcap device doesn't exist (#533)
- Work around for potential FP, will get properly fixed in next release (#574)
- Improve ERF handling. Thanks to Jason Ish
- Always set cluster_id in PF_RING
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue, IPS fix and cleanup
- Fix stream engine sometimes resending the same data to app layer
- Fix multiple issues in HTTP multipart parsing
- Fixed a lockup at shutdown with NFQ (#537)
1.3.2 -- 2012-10-03
- Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562)
- Fixed a FN condition with the flow:no_stream option (#575)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Fix multiple issues in HTTP multipart parsing
- Fix stream engine sometimes resending the same data to app layer
- Always set cluster_id in PF_RING
- Defrag: silence some potentially noisy errors/warnings
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue
1.4beta1 -- 2012-09-06
- Custom HTTP logging contributed by Ignacio Sanchez (#530)
- TLS certificate logging and fingerprint computation and keyword (#443)
- TLS certificate store to disk feature (#444)
- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
- AF_PACKET IPS support (#516)
- Rules can be set to inspect only IPv4 or IPv6 (#494)
- filesize keyword for matching on sizes of files in HTTP (#489)
- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
- NFQ fail open support (#507)
- Highly experimental lua scripting support for detection
- Live reloads now supports HTTP rule updates better (#522)
- AF_PACKET performance improvements (#197, #415)
- Make defrag more configurable (#517, #528)
- Improve pool performance (#518)
- Improve file inspection keywords by adding a separate API (#531)
- Example threshold.config file provided (#302)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Various spelling corrections by Simon Moon (#533)
1.3.1 -- 2012-08-21
- AF_PACKET performance improvements
- Defrag engine performance improvements
- HTTP: add per server options to enable/disable double decoding of URI (#464, #504)
- Stream engine packet handling for packets with non-standard flag combinations (#508)
- Improved stream engine handling of packet loss (#523)
- Stream engine checksum alerting fixed
- Various rule analyzer fixes (#495, #496, #497)
- (Rule) profiling fixed and improved (#460, #466)
- Enforce limit on max-pending-packets (#510)
- fast_pattern on negated content improved
- TLS rule keyword parsing issues
- Windows build fixes (#502)
- Host OS parsing issues fixed (#499)
- Reject signatures where content length is bigger than "depth" setting (#505)
- Removed unused "prune-flows" option
- Set main thread and live reload thread names (#498)
1.3 -- 2012-07-06
- make live rule reloads optional and disabled by default
- fix a shutdown bug
- fix several memory leaks (#492)
- warn user if global and rule thresholding conflict (#455)
- set thread names on FreeBSD (Nikolay Denev)
- Fix PF_RING building on Ubuntu 12.04
- rule analyzer updates
- file inspection improvements when dealing with limits (#493)
1.3rc1 -- 2012-06-29
- experimental live rule reload by sending a USR2 signal (#279)
- AF_PACKET BPF support (#449)
- AF_PACKET live packet loss counters (#441)
- Rule analyzer (#349)
- add pcap workers runmode for use with libpcap wrappers that support load balancing, such as Napatech's or Myricom's
- negated filemd5 matching, allowing for md5 whitelisting
- signatures with depth and/or offset are now checked against packets in addition to the stream (#404)
- http_cookie keyword now also inspects "Set-Cookie" header (#479)
- filemd5 keyword no longer depends on log-file output module (#447)
- http_raw_header keyword inspects original header line terminators (#475)
- deal with double encoded URI (#464)
- improved SMB/SMB2/DCERPC robustness
- ICMPv6 parsing fixes
- improve HTTP body inspection
- stream.inline accuracy issues fixed (#339)
- general stability fixes (#482, #486)
- missing unittests added (#471)
- "threshold.conf not found" error made more clear (#446)
- IPS mode segment logging for Unified2 improved
1.3beta2 -- 2012-06-08
- experimental support for matching on large lists of known file MD5 checksums
- Improved performance for file_data, http_server_body and http_client_body keywords
- Improvements to HTTP handling: multipart parsing, gzip decompression
- Byte_extract can support negative offsets now (#445)
- Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459)
- HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454)
- Improved error reporting when using too long address strings (#451)
- MD5 calculation improvements for daemon mode and other cases (#449)
- File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste.
- Rule parser is made more strict.
- Unified2 output overhaul, logging individual segments in more cases.
- detection_filter keyword accuracy problem was fixed (#453)
- Don't inspect cookie header with http header (#461)
- Crash with a rule with two byte_extract keywords (#456)