7.0.4 -- 2024-03-19
Security #6868: eve: excessive ssh long banner logging (7.0.x backport) (CVE-2024-28870)
Security #6801: ssh: quadratic complexity in overlong banner (7.0.x backport) (CVE-2024-28870)
Security #6759: libhtp: quadratic complexity checking after request line missing protocol (7.0.x backport) (CVE-2024-28871)
Security #6798: output/filestore: timeout because of running OutputTxLog on useless packets (7.0.x backport)
Bug #6842: Error message from netmap when using Netmap pipes (with lb) (7.0.x backport)
Bug #6828: dpdk: NUMA warning on non-NUMA system (7.0.x backport)
Bug #6816: capture plugins: capture plugins unusable due to initialization order (7.0.x backport)
Bug #6812: pfring: memory leak (7.0.x backport)
Bug #6810: decode/pppoe: Suspicious pointer scaling (7.0.x backport)
Bug #6791: cppcheck 2.11 errors (7.0.x backport)
Bug #6785: detect/tls.certs: direction flag checked against wrong field (7.0.x backport)
Bug #6784: util/mime: Memory leak at util-decode-mime.c:MimeDecInitParser (7.0.x backport)
Bug #6768: multi-tenancy: dead lock during tenant loading (7.0.x backport)
Bug #6765: Hugepages Error for FreeBSD when kernel NUMA build option is not enabled (7.0.x backport)
Bug #6764: Huge increase on Suricata load time with a lot of ip-only rules and bigger HOME_NET (7.0.x backport)
Bug #6761: Hugepages Error for ARM64 and af-packet IPS mode (7.0.x backport)
Bug #6756: Netmap: deadlock if netmap_open fails (7.0.x backport)
Bug #6746: Suricata 7.0.2 parent interface object in stats contains VLAN-ID as keys (7.0.x backport)
Bug #6742: dpdk: automatic cache calculation is broken (7.0.x backport)
Bug #6738: dpdk: property configuration can lead to integer overflow (7.0.x backport)
Bug #6734: tcp: tcp flow flags changing incorrectly when ruleset contains content matching (7.0.x backport)
Bug #6622: detect/filestore: flow, to_server was broken by moving files into transactions (7.0.x backport)
Bug #6593: mqtt: frames on TCP are not set properly when parsing multiple PDUs in one go (7.0.x backport)
Bug #6580: ssh: no alert on packet with Message Code: New Keys (21) (7.0.x backport)
Bug #6538: drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP) (7.0.x backport)
Bug #6537: detect/filestore: be more explicit about the U16_MAX limit per signature group head (7.0.x backport)
Optimization #6774: app-layer/template: no limit on txs number (7.0.x backport)
Feature #6740: dpdk: warn the user if user-settings are adjusted to the device capabilities (7.0.x backport)
Task #6870: libhtp 0.5.47 (7.0.x backport)
Task #6749: doc: mention X710 RX descriptor limitation (7.0.x backport)
Documentation #6709: userguide/payload: fix explanation about bsize ranges (7.0.x backport)
7.0.3 -- 2024-02-08
Security #6717: http2: evasion by splitting header fields over frames (7.0.x backport)
Security #6657: detect: heap use after free with http.request_header keyword (7.0.x backport)
Security #6540: http1: configurable limit for maximum number of live transactions per flow (7.0.x backport)
Security #6539: mqtt pcap with anomalies takes too long to process (7.0.x backport)
Security #6536: pgsql: quadratic complexity leads to over consumption of memory (7.0.x backport)
Security #6533: http1: quadratic complexity from infinite folded headers (7.0.x backport)
Security #6532: SMTP: quadratic complexity from unbounded number of transaction per flow (7.0.x backport)
Security #6531: http2: quadratic complexity in find_or_create_tx not bounded by max-tx (7.0.x backport)
Bug #6711: rules: failed rules after a skipped rule are recorded as skipped, not failed (7.0.x backport)
Bug #6700: detect/requires: assertion failed !(ret == -4) (7.0.x backport)
Bug #6697: dpdk: Analyze hugepage allocation on startup more thoroughly (7.0.x backport)
Bug #6688: log-pcap: crash with suricata.yaml setting max-file to 1 (7.0.x backport)
Bug #6665: eve/smtp: attachment filenames not logged (7.0.x backport)
Bug #6662: content-inspect: FN on negative distance (7.0.x backport)
Bug #6636: stats: flows with a detection-only alproto not accounted in this protocol (7.0.x backport)
Bug #6635: Profiling takes much longer to run than it used to (7.0.x backport)
Bug #6620: Endace: timestamp fixes (7.0.x backport)
Bug #6616: detect/analyzer: misrepresenting negative distance value (7.0.x backport)
Bug #6596: SCTIME_ADD_SECS() macro zeros out ts.usec part (7.0.x backport)
Bug #6595: SCTIME_FROM_TIMESPEC() creates incorrect timestamps (7.0.x backport)
Bug #6558: HTTP/2 - http.response_line has leading space (7.0.x backport)
Bug #6556: Invalid registration of prefiltering in stream size (7.0.x backport)
Bug #6535: http.header, http.header.raw and http.request_header buffers not populated when malformed header value exists (7.0.x backport)
Bug #6521: pgsql: u16 overflow found by oss-fuzz w/ quadfuzz (7.0.x backport)
Bug #6508: pgsql/probe: TCP on 5432 traffic incorrectly tagged as PGSQL (7.0.x backport)
Bug #6479: HTTP/2 - when userinfo is in the :authority pseudo header it breaks http.host
Bug #6448: detect: flow:established,not_established considered as valid even if it can never match
Bug #6438: eve filetype plugins: file type plugins do not de-initialize properly
Bug #6436: host: ip rep prevents tag/threshold/hostbits cleanup
Bug #6435: packetpool: fix single packet return logic
Bug #6423: detect-filesize no longer supports units in value
Bug #6420: dns/eve: an empty format section results in no response details being logged
Bug #6294: http2/brotli: subtract with overflow found by sydr-Fuzz
Bug #6292: Flow manager stuck forever on race condition for return stack
Bug #6278: add a hint if user/group name is not set
Bug #6272: dpdk: big mempool leads to an error with suricatasc unix socket
Bug #4623: byte_jump with negative post_offset value fails at the end of the buffer
Feature #6614: transformation - strip_pseudo_headers (7.0.x backport)
Feature #6613: support case insensitive testing of HTTP header name existence (7.0.x backport)
Feature #6612: New Transformation: to_lowercase (7.0.x backport)
Feature #6524: rules: "requires" keyword representing the minimum version of suricata to support the rule (7.0.x backport)
Feature #6507: HTTP/2 - app-layer-event and normalization when userinfo is in the :authority pseudo header for the http.host header (7.0.x backport)
Feature #6425: HTTP/2 - new app-layer-event when `:authority` and `host` headers do not match
Task #6606: flash decompression: update/remove deprecation warnings (7.0.x backport)
Task #6604: pgsql: don't log password msg if password disabled (7.0.x backport)
Task #6581: pgsql: add cancel request message (7.0.x backport)
Task #6564: doc: document file.data (7.0.x backport)
Task #6534: runmodes: remove reference to auto modes (7.0.x backport)
Task #6523: libhtp 0.5.46 (7.0.x backport)
Task #6345: Convert unittests to new FAIL/PASS API - util-misc.c
Task #6339: Convert unittests to new FAIL/PASS API - detect-tcp-window.c
Task #6332: Convert unittests to new FAIL/PASS API - detect-bytetest.c
Task #6329: Convert unittests to new FAIL/PASS API - flow-bit.c
Task #6328: Convert unittests to new FAIL/PASS API - detect-bytejump.c
Documentation #6699: remove references in docs mentioning prehistoric Suricata versions (7.0.x backport)
Documentation #6631: Fix byte_test examples (7.0.x backport)
Documentation #6594: docs: fix broken bulleted list style on rtd (7.0.x backport)
Documentation #6513: userguide: update tls eve-log fields 'not_before' and 'not_after' (7.0.x backport)
Documentation #6511: userguide: document "tag" keyword (7.0.x backport)
Documentation #6504: userguide: explain what flow_id is (7.0.x backport)
Documentation #6383: misc: improve code documentation
Documentation #6371: spelling error in the docs
Documentation #5720: Install: Be consistent with use of the "sudo"
Documentation #5473: doc: upgrade guide for upgrading from 6 to 7
Documentation #4584: Rust doc: add docstring to rust module files
7.0.2 -- 2023-10-18
Security #6306: mime: quadratic complexity in MimeDecAddEntity
Bug #6402: detect: multi-level tunneling inspection fails
Bug #6397: detect: multiple legacy buffer selection leading to multi-buffer
Bug #6381: DPDK 23.11 changed function name of Bond API
Bug #6380: email: disabled fields in suricata.yaml also get logged
Bug #6303: conf: an empty child node is not checked for NULL
Bug #6300: config: includes provided as a sequence are loaded into the wrong parent configuration node
Bug #6297: configure/docs: check for a supported version of sphinx-build
Bug #6104: detect/multi-buffer: Heap-buffer-overflow in SigMatchAppendSMToList
Bug #6009: dpdk: incorrect final stats
Bug #5831: af-packet/ips: excessive mtu log messages
Bug #5211: detect/frames: crash with detect.profiling.grouping.dump-to-disk
Bug #4624: byte_jump with negative post_offset before start of buffer failure
Feature #6367: SMTP: do not delay mime chunk processing
Feature #5966: dpdk: Analyze hugepage allocation on startup
Feature #4968: QUIC v2 support
Task #6348: detect/analyzer: add more details for the ipopts keyword
Task #6235: decode: add drop reason for stream reassembly memcap
Documentation #6349: userguide: add section about tcp.flags
Documentation #6342: userguide: cover install-full and install-conf in the install page
7.0.1 -- 2023-09-13
Security #6279: Crash in SMTP parser during parsing of email
Security #6195: process exit in hyperscan error handling
Bug #6276: community-id: Fix IPv6 address sorting not respecting byte order
Bug #6256: eve: crash if output dir isn't writeable
Bug #6255: flow: possible divide by zero at start up
Bug #6247: pcre: parsing crash in multi-tenant multi-loader setup
Bug #6244: tcp: RST with data used in reassembly
Bug #6243: Parsing ip-reputation reputation config files now rejects CR and CR+LF
Bug #6240: pcap/file: negative pcap file timestamps lead to weird output
Bug #6233: dpdk: fix overall threads check for IPS mode
Bug #6232: dpdk: treat unknown socket value as a valid value
Bug #6222: Decode-events of IPv6 GRE are not triggered
Bug #6201: multi-tenancy: crash under test mode when tenant signature load fails
Bug #6191: if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc
Bug #6095: windows: lua script path truncated
Bug #6094: eve/stats: memcap_pressure and memcap_pressure_max not logged
Bug #6044: detect: multi-tenancy leaks memory if more than 1 tenant registered
Bug #5870: ips/af-packet: crash when copy-iface is the same as the interface
Bug #5619: dpdk/ips: crash at shutdown with mlx
Bug #5443: ftp-data: failed assertion
Bug #4881: alert event incorrectly log stored files
Optimization #6265: threading: set a higher default stack size for threads
Optimization #6263: mpm/ac: reduce stack usage
Optimization #5920: investigate: check and fix unhandled divisions by 0
Optimization #3637: Performance impact of Cisco Fabricpath
Feature #6267: multi-tenancy: reload-tenants command
Feature #6230: stats: add drop reason counters
Feature #4756: capture: support ips stats for all IPS capture methods
Feature #4587: dhcp: vendor class identifier support
Documentation #6231: userguide: add installation from Ubuntu PPA section
Documentation #6124: userguide: add instructions/explanation for (not) running suricata with root
7.0.0 -- 2023-07-18
Bug #6212: file.magic: rule reload can lead to crashes
Bug #6211: file: assert failed (!((txd->files_logged > txd->files_opened))), function CloseFile, file output-file.c, line 96.
Bug #6207: util/mime: fuzz failure on base64 remainder parser
Bug #6205: flow/hash: flow by flow_id getter never reaches right flow_id
Bug #6185: smtp: use every byte to compute email.body_md5
Bug #6169: exceptions: master switch not applied to midstream
Bug #6165: http2: fileinfo events log http2 object instead of http object as alerts and http2 do
Bug #6163: http: request_header keyword does not support multibuffer
Bug #6149: exceptions: 'auto' policy not considered valid value in IDS mode
Bug #6135: base64: complete support for RFC2045
Bug #6130: http2: quadratic complexity in http2_range_key_get
Bug #6116: dpdk: demote log level of some DPDK messages
Bug #6115: dpdk: NUMA warning signals to non-existent negative id NUMA
Bug #6105: byte_jump does not allow variable name to be used consistently
Bug #6081: pcap: device reopen broken
Bug #6023: smtp: Attachment not being md5 matched
Bug #5964: dpdk: Evaluate input of EAL arguments
Bug #5916: NFQ calls TmqhOutputPacketpool before release packet function is set
Bug #5912: rfb: parser returns error on unimplemented record types
Bug #5868: filestore: not saving files when filestore enabled by rule matching on file_data (instead saves 0 bytes)
Bug #5832: source-xdp: build errors/warnings with libbpf 0.8+
Bug #5757: http: response content encoding value "none" considered invalid
Bug #5464: eve: if alert and drop rules match for a packet, "alert.action" is ambiguous
Bug #5022: log-pcap: fix segfault on lz4 compressed pcaps
Bug #4797: pcre2 crash in multi-tenant
Bug #4750: pcap: memory leaks
Bug #2917: Unable to find the sm in any of the sm lists
Optimization #6194: detect: modernize filename fileext filemagic
Optimization #6151: suricatasc: Gracefully handle unsupported commands
Optimization #4145: file keywords: unify keyword registration
Optimization #4141: file.data: inspect File objects for HTTP
Feature #6162: libhtp: recognize Bearer authentication
Feature #6145: byte_math: allow variable name for nbytes
Feature #6144: byte_test: allow variable name for nbytes
Feature #6106: dpdk: fail startup on uninitialized thread affinity setting
Feature #4201: http2: full protocol support
Task #6183: flash decompression: add deprecation warning
Task #6159: libhtp: event on chunk extension
Task #6157: libhtp 0.5.45
Task #6128: af-packet: remove rollover options
Task #4163: rust: set new minimum Rust version for 7
Documentation #6032: detect: document new multi-instance logic
Documentation #5987: doc: update build instructions
Documentation #5930: doc: multi-tenant states that only vlan can be used live, should also include interface
7.0.0-rc2 -- 2023-06-14
Feature #6099: dpdk: add support for bonding interface
Feature #6085: detect: set explicit rule types
Feature #5975: Add support for 'inner' PF_RING clustering modes
Feature #5937: dpdk: Improve DPDK version checking
Feature #5876: eve: add stream tcp logging
Feature #5849: dpdk: add virtio-pmd support
Feature #5822: yaml: set suricata version in generated config
Feature #5803: github-ci: Add netmap as a Github Action
Feature #5784: detect: allow cross buffer inspection on multi-buffer matches
Feature #5746: http.connection - allow in server response
Feature #5717: rfb: add frame support
Security #6129: dcerpc: max-tx config parameter, also for UDP
Security #6118: datasets: absolute path in rules can overwrite arbitrary files
Security #5945: byte_math: Division by zero possible.
Bug #6137: SNMP: version is logged from state, instead of from transaction
Bug #6132: suricata-update: dump-sample-configs: configuration files not found
Bug #6120: streaming-buffer: exceeds limit when downloading large file with file-store enabled
Bug #6117: tcp regions streaming buffer: assert failed (!((region->stream_offset == sbb->offset && region->buf_offset > sbb->len))), function StreamingBufferSBBGetData
Bug #6109: exception/policy: reject changes flow action in IDS mode
Bug #6103: http2: cpu overconsumption in rust moving/memcpy in http2_parse_headers_blocks
Bug #6093: flow: occasional sudden spike in flow.memuse
Bug #6089: suricata --list-keywords does not work with debug validation
Bug #6087: FTP bounce detection doesn't work for big-endian platforms
Bug #6086: Decode-events of IPv6 packets are not triggered
Bug #6066: Memory Corruption in util-streaming-buffer
Bug #6064: dpdk: detect reload stuck if there are no packets
Bug #6062: flow: memory leaks at shutdown
Bug #6060: IP Datasets not supported from suricata.yaml
Bug #6057: rust/jsonbuilder: better handling of memory allocation errors
Bug #6054: ftp: long line discard logic should be separate for server and client
Bug #6053: smtp: long line discard logic should be separate for server and client
Bug #6046: runmode/unix-socket: http range memory leak
Bug #6043: detect: multi-tenancy fails to start
Bug #6041: ASSERT: !(sb->region.buf_offset != 0)
Bug #6038: TCP resets have incorrect len, nh in IPv6
Bug #6025: detect: allow bsize 0 for existing empty buffers
Bug #6021: af-packet: reload not occurring until packets are seen
Bug #6019: smtp: fuzz debug assertion trigger
Bug #6008: smb: wrong offset when parse SMB_COM_WRITE_ANDX record
Bug #6006: dpdk: query eth stats only by the first worker
Bug #5998: exception/policy: make work with simulated flow memcap
Bug #5989: smtp: any command post a long command gets skipped
Bug #5981: smtp: Long DATA line post boundary is capped at 4k Bytes
Bug #5979: rust: update sawp dependencies to avoid future compile issues
Bug #5978: stream/reassembly: memcap exception policy incorrectly applied
Bug #5971: libhtp: differential fuzzing with rust version: only trim spaces at headers names end
Bug #5969: detect: reload can stall if flow housekeeping takes too long
Bug #5968: flowworker: per packet flow housekeeping can process too many flows
Bug #5963: dpdk: handle packets split into multiple segments
Bug #5960: Postpone setting of master exception policy
Bug #5957: bpf: postpone IPS check after IPS runmode is determined from the configuration file
Bug #5952: http: multipart data is not filled up to request.body-limit
Bug #5940: exception/policy: flow action doesn't fall back to packet action when there's no flow
Bug #5936: dpdk: Release mempool only after the device closes
Bug #5931: http2: urilen not supported
Bug #5929: fast_pattern assignment of specific content in combination with urilen results in FN
Bug #5927: smtp: quadratic complexity for tx iterator with linked list
Bug #5925: dpdk: VMXNET3 fails to configure
Bug #5924: AF_XDP compile error
Bug #5923: dpdk: change in NUMA-determining API
Bug #5919: flow/manager: fix unhandled division by 0 (prealloc: 0)
Bug #5917: http: libhtp errors on multiple 100 continue response
Bug #5909: http2: quadratic complexity when reducing dynamic headers table size
Bug #5907: tcp: failed assertion ASSERT: !(ssn->state != TCP_SYN_SENT)
Bug #5905: invalid bsize and distance rule being loaded by suricata
Bug #5900: UBSAN: undefined shift in DetectByteMathDoMatch
Bug #5885: base64_decode not populating up to an invalid character
Bug #5883: mime: debug assertion on fuzz input
Bug #5881: stream: overlap with different data false positive
Bug #5877: stream: connections time out too early
Bug #5875: stream/ips: dropping spurious retransmissions times out connections
Bug #5867: false-positive drop event_types possible on passed packets
Bug #5866: detect: multi-tenancy crash
Bug #5862: netmap: packet stalls
Bug #5856: stream: SYN/ACK timestamp checking blocks valid traffic
Bug #5855: af-xdp: may fail to build on Linux systems with kernel older than 5.11
Bug #5850: frames: Assertion failed: buffer initialized
Bug #5843: tcp/stream: session reuse on tcp flows w/o sessions
Bug #5836: output: abort triggered on no permission test
Bug #5835: debug: segv on enabling debugging output
Bug #5834: tcp/regions: list corruption
Bug #5833: tcp/regions: use after free error
Bug #5825: stream.midstream: if enabled breaks exception policy
Bug #5823: smtp: config and built-in defaults mismatch
Bug #5819: SMTP does not handle LF post line limit properly
Bug #5818: time: integer comparison with different signs
Bug #5808: http2: leak with range files
Bug #5802: ips: txs still logged for dropped flow
Bug #5799: detect: sigs using DETECT_SM_LIST_PMATCH can break other signatures
Bug #5786: smb: possible evasion with trailing nbss data
Bug #5783: smb: wrong endian conversion when parsing NTLM Negotiate Flags
Bug #5780: HTTP/2 - FN when matching on multiple http2.header contents
Bug #5770: smb: no consistency check between NBSS length and length field for some SMB operations
Bug #5740: content: within and distance lengths should be bounded
Bug #5667: Enable rule profiling via socket
Bug #5627: windows: windivert build broken
Bug #5621: security.limit-noproc: disabled if not provided in the configuration file
Bug #5563: stream: issue with stream debug tracking of memuse
Bug #5541: Unexpected behavior of `endswith` in combination with negated content matches
Bug #5526: tcp: Assertion failed: (!((last_ack_abs < left_edge && StreamTcpInlineMode() == 0 && !f->ffr && ssn->state < TCP_CLOSED)))
Bug #5498: flowworker: Assertion in CheckWorkQueue
Bug #5437: 'unseen' http midstream packets with TCP FIN flag set
Bug #5320: Key collisions in HTTP JSON eve-logs
Bug #5270: Flow hash table collision and flow state corruption between different capture interfaces
Bug #5261: rust: reconsider bundling Cargo.lock
Bug #5017: counters: tcp.syn, tcp.synack, tcp.rst depend on flow
Bug #4952: scan-build: Access to field 'de_state' results in a dereference of a null pointer
Bug #4759: TCP DNS query not found when tls filter is active
Bug #4578: perf shows excessive time in IPOnlyMatchPacket
Bug #4529: Not keyword matches in Kerberos requests
Bug #3152: scan-build warning for detect sigordering
Bug #3151: scan-build warning for detect port handling
Bug #3150: scan-build warnings for detect address handling
Bug #3149: scan-build warnings in radix implementation
Bug #3148: scan-build warnings for ac implementations
Bug #3147: scan-build warning for mime decoder
Optimization #6100: mqtt: quadratic complexity in get_tx_by_pkt_id
Optimization #6036: pgsql: remove unused Kerb5 auth message
Optimization #5959: detect using uninitialized engine mode
Optimization #5718: time: compact alternative to struct timeval
Optimization #5544: tls keywords: increase code coverage and update documentation (if need be)
Optimization #4378: file.data: split mpm per app_proto
Task #5993: rust: x509-parser 0.15
Task #5992: rust: snmp-parser 0.9.0
Task #5991: rust: der-parser 8.2.0
Task #5983: libhtp 0.5.44
Task #5965: tracking: Improving DPDK capture interface and docs
Task #5939: config: deprecate multiple "include" statements at the same level
Task #5918: libhtp 0.5.43
Task #5741: rust/src/rfb/* add more unittests
Task #5628: github-ci: add windows + windivert build
Task #5474: test: review how 7 works with config from 5 and 6
Task #4067: http2: overload existing http keywords to support http/2
Task #4051: Convert unittests to new FAIL/PASS API: detect-lua.c
Documentation #5962: documentation: mention the use of http1 in rule protocol
Documentation #5884: docs: update CentOS names according to their new conventions
Documentation #5859: docs: add build instructions for DPDK capture interface
Documentation #5858: docs: add list of supported NICs in DPDK mode
Documentation #5857: docs: refactor DPDK documentation
Documentation #5596: doc/optimization: move 'suricata.git/doc/userguide/convert.py' to Python3
7.0.0-rc1 -- 2023-01-31
Feature #5761: Unknown ethertype packets are not counted
Feature #5516: tls: client cert detection
Feature #5384: Thread Synchronisation: wait for all threads to be in an operating state before continuing initialisation
Feature #5383: Support for IP addresses in dataset
Feature #5219: ips: add 'master switch' to enable dropping on traffic (handling) exceptions
Feature #5184: Add more dataset user interaction
Feature #4981: frames: add general <app_proto>.stream frames
Feature #4979: frames: implement dynamic logic to disable frames of a type
Feature #4751: dns/eve: add 'HTTPS' type logging
Feature #4269: Additional dataset operations
Feature #3306: Support AF_XDP capture method
Feature #3086: app_proto for Torrent traffic
Feature #2497: error messages usability improvement
Security #5712: tcp: crafted packets lead to resource starvation
Security #5703: smb: crash inside of streaming buffer Grow()
Security #5701: Suricata crashes while processing FTP
Security #5700: SCRealloc of large chunk crashes Suricata
Security #5686: decoder/tunnel: tunnel depth not limited properly
Security #5623: smtp/base64: crash / memory corruption
Bug #5817: tls: certificates with dates prior to 1970 are not logged correctly
Bug #5814: smb: duplicate interface fields logged
Bug #5813: rfb/eve: depth in pixel format logged twice
Bug #5811: smb: tx logs sometimes have duplicate `tree_id` output
Bug #5781: smb: unbounded file chunk queuing after gap
Bug #5779: dcerpc: max-tx config parameter
Bug #5769: Incomplete values for .stats."app_layer".flow.proto
Bug #5765: exceptions: midstream flows are dropped if midstream=true && stream.midstream-policy=drop-flow
Bug #5753: smb: convert transaction list to vecdeque
Bug #5747: iprep/ipv6: warning issued on valid reputation input
Bug #5725: smtp: quoted-printable encoding skips empty lines in files
Bug #5707: quic: ja3 Stack-use-after-return READ 1
Bug #5706: app-layer-htp: Condition depending on enabled IPS mode never true
Bug #5693: decode: Padded packet to minimal Ethernet length marked with invalid length event
Bug #5691: HTTP/2 decompression bug
Bug #5663: tls: buffer overhead off by one in TLSDecodeHSHelloExtensionSupportedVersions
Bug #5661: security.limit-noproc: break ASAN/LSAN when non-root user
Bug #5658: SMTP: segfault on boundary data
Bug #5654: readthedocs: not showing pdf download option for recent versions
Bug #5644: Integer overflow at dcerpc.rs:846
Bug #5637: quic: convert to vecdeque
Bug #5624: quic: rule with ja3.hash keyword fails to load
Bug #5617: dpdk: avoid per thread warnings
Bug #5580: dpdk: IDS vs IPS confusion
Bug #5579: pgsql: support out of order parameter in startup message
Bug #5574: base64: skip over all invalid characters for RFC 2045 mode
Bug #5572: pcre2: allow different include/lib paths
Bug #5567: smb: failed assertion (!((f->alproto == ALPROTO_SMB && txd->files_logged != 0))), function CloseFile, file output-file.c
Bug #5564: tls: buffer overread
Bug #5558: detect: invalid hex character in content leads to bad debug message
Bug #5557: dcerpc: rust integer underflow
Bug #5553: dpdk: Packets with invalid checksums are not counted in DPDK capture mode
Bug #5530: frames: buffer overflow in signatures parsing
Bug #5529: frame: memory leak in signature parsing
Bug #5528: tcp: assertion failed in function DoInsertSegment
Bug #5456: detect: config keyword prevents tx cleanup
Bug #5444: dns: allow dns messages with invalid opcodes
Bug #5379: detect/udp: different detection from rules when UDP/TCP header is broken
Bug #5374: pcap-log: breaking change in file names
Bug #5258: smb/ntlmssp: parser incorrectly assumes fixed field order
Bug #5235: ftp: add event when command request or response is too long
Bug #5205: FTP-data unrecognized depending on multi-threading
Bug #5198: eve/stats: ASAN error when eve output file can't be opened.
Bug #5161: smb: file not tracked on smb2 async
Bug #4580: smb: large streams can cause large memory moves (memmove)
Bug #4554: Configuration test mode succeeds when classification.config file contains invalid content
Bug #3253: tls: handling of 'Not Before' date before unix epoch
Bug #2982: invalid dsize distance rule being loaded by suricata
Optimization #5782: smb: set defaults for file chunk limits
Optimization #5373: Prevent process creation by Suricata process
Optimization #4977: frames: gap handling in inspection
Optimization #4908: ftp: use AppLayerResult instead of buffering wherever possible
Optimization #4614: Fix warning about "field reassign with default"
Optimization #4612: Fix warning about "nonminimal bool"
Optimization #4611: Fix warning about "extra unused lifetimes"
Optimization #4610: Fix warning about "explicit counter loop"
Optimization #4608: Fix warning about "redundant pattern matching"
Optimization #4606: Fix warning about "match ref pats"
Optimization #4603: Fix warning about "type complexity"
Optimization #4602: Fix warning about "new without default"
Optimization #4601: Fix warning about "while let loop"
Optimization #4600: Fix warning about "needless lifetimes"
Optimization #4598: Fix warning about "needless_range_loop"
Optimization #4596: Fix warning about "single match"
Optimization #4594: Fix warning about "this loop never actually loops"
Optimization #4592: Fix warning about "for loop over fallibles"
Optimization #4591: Fix Rust clippy lints
Optimization #3160: clean up error codes
Task #5638: SWF decompression: Do not depend on libhtp
Task #5632: Disable swf decompression by default
Task #5587: ips/tap: in layer 2 ips/tap setups, warn that mixed usage of ips and tap will be removed in 8.0
Task #5586: rust/applayertemplate: remove pub and no_mangle from extern functions that don't need it
Task #5504: exceptions: error out when invalid configuration value is passed
Task #5496: detect/parse: add tests for parsing signatures with reject and drop action
Task #4939: app-layer: template and setup script
Task #4054: Convert unittests to new FAIL/PASS API: detect-replace.c
Task #4050: Convert unittests to new FAIL/PASS API: detect-l3proto.c
Task #4049: Convert unittests to new FAIL/PASS API: detect-itype.c
Task #4043: Convert unittests to new FAIL/PASS API: detect-icmp-seq.c
Task #4042: Convert unittests to new FAIL/PASS API: detect-icmp-id.c
Task #4039: Convert unittests to new FAIL/PASS API: detect-filesize.c
Task #4030: Convert unittests to new FAIL/PASS API: detect-engine-tag.c
Task #4029: Convert unittests to new FAIL/PASS API: detect-engine-sigorder.c
Task #4020: Convert unittests to new FAIL/PASS API - detect-distance.c
Documentation #5616: Ubuntu PPA: Package software-properties-common
Documentation #5585: devguide: bring section about installation from redmine wiki into DevGuide
Documentation #5515: userguide: add a dedicated chapter/section for the Exception Policies
Documentation #5129: devguide: clarify style guide for getframe functions
Documentation #4929: devguide: bring Contributing process page into it
Documentation #4697: devguide: document app-layer frame support
7.0.0-beta1 -- 2022-10-26
Feature #5509: App-layer event for protocol change failure
Feature #5506: DHCP: signature keyword for rebinding_time
Feature #5503: ips: add "reject" action to exception policies
Feature #5479: Add landlock support
Feature #5468: ips: midstream: add "exception policy" for midstream
Feature #5442: kerberos: log ticket encryption method
Feature #5435: DHCP: signature keyword for lease_time
Feature #5416: SNMP: signature keyword for usm
Feature #5218: ips: allow dropping of flow if applayer reaches error state
Feature #5216: ips: allow dropping of flow if flow.memcap is hit
Feature #5215: ips: allow dropping of flow if stream.reassembly.memcap is hit
Feature #5214: ips: allow dropping of flow if stream.memcap is hit
Feature #5202: eve/drop: include drop "reason"
Feature #5191: new keyword for self signed certificates
Feature #5190: new tls.random keyword
Feature #5036: sip: add frames support
Feature #4984: dns: add frames support
Feature #4983: frames: support UDP
Feature #4967: QUIC v1 support
Feature #4872: nfs: add stream app-layer frame support
Feature #4556: HTTP2: support deflate decompression
Feature #4551: eve: add direct base64 to json option to json builder
Feature #4550: pthreads: set minimum stack size
Feature #4541: netmap: new API version (14) supports multi-ring software mode
Feature #4526: SIGSEGV handling -- log stack before aborting
Feature #4515: Add DNS logging of Z flag
Feature #4507: dpdk: initial support for IDS and IPS modes
Feature #4498: decoder: add VN-Tag support
Feature #4406: unix socket: Get flow information by flow_id
Feature #4386: Support for RFC2231
Feature #4332: Makes libhtp decompression time limit configurable from Suricata
Feature #4241: Protocol support: PostgreSQL (pgsql)
Feature #4144: file.data: support for request side files in HTTP
Feature #4142: file.data: support for NFS
Feature #4117: http2: byte-range support
Feature #4116: http2: body compression handling
Feature #3957: Convert protocol to Rust: Modbus
Feature #3887: yaml: Increase maximum size for address vars
Feature #3767: Add IKEv1 parser
Feature #3701: eve: add tenant_id in eve-log for other types than alert
Feature #3512: stream depth event rule
Feature #3440: Add GQUIC Protocol Analysis and CYU Fingerprinting
Feature #3292: support for network service header (NSH)
Feature #3285: rules: XOR keyword
Feature #3002: Flow and Netflow Not Logging ESP Traffic
Feature #2697: prefilter support for stream_size
Feature #2450: lua: scripts access to calling rule informations
Feature #2323: Applayer support for telnet
Feature #2096: eve: event_type for MODBUS
Feature #2054: Extracting HTTPS URLs from SMTP, currently only HTTP is supported
Feature #1576: http: byte-range support
Feature #1478: Active flow counters
Feature #1369: eve: json schema
Feature #1096: tls: client certificate handling
Feature #120: Capture full session on alert
Security #5408: filestore: Segfault with filestore enabled and forced
Security #5399: mqtt: DOS by quadratic with too many transactions in one parse
Security #5244: Infinite loop in JsonFTPLogger
Security #5243: protocol detection: exploitable type confusion due to concurrent protocol changes
Security #5237: nfs: arbitrary allocation from nfs4_res_secinfo_no_name
Security #5187: Rust regex crate security advisory CVE-2022-24713
Security #5024: ftp: GetLine function buffers data indefinitely if 0x0a was not found in the fragmented input
Security #5023: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the fragmented input
Security #4857: ftp: SEGV at flow cleanup due to protocol confusion
Security #4710: tcp: Bypass of Payload Detection on TCP RST with options of MD5header
Security #4569: tcp: crafted injected packets cause desync after 3whs
Security #4504: tcp: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets
Bug #5595: eve/alert: SEGV in files to alert logging
Bug #5584: detect/tag: timeout handling issues on windows
Bug #5581: eve: mac address logging for packet records reverses direction
Bug #5571: ips: encapsulated packet logged as dropped, but not actually dropped
Bug #5538: Compiler Warning on Fedora 36 / gcc 12.2.1
Bug #5536: detect: flow.age keyword
Bug #5527: postgresql: limit number of live transactions
Bug #5521: detect: transform strip whitespace creates a 0-sized variable-length array
Bug #5518: dcerpc: More efficient transaction handling for UDP
Bug #5508: SMB2 async responses are not matched with their requests
Bug #5507: DHCP: signature keyword for renewal_time
Bug #5458: Reject action is no longer working
Bug #5457: Counters are not initialized in all places.
Bug #5455: ike: logging state transforms instead of transaction transforms
Bug #5419: Failed assert DeStateSearchState
Bug #5409: PCRE: use match and recursion limit for pcrexform
Bug #5402: detect: will still inspect packets of a "dropped" flow for non-TCP
Bug #5401: tcp: assertion failed in DoInsertSegment (BUG_ON)
Bug #5392: fileinfo: inconsistent file size tracking for GAPs
Bug #5391: events: PACKET_RECYCLE does not reset event_last_logged
Bug #5390: smb: have default stream-depth of 0
Bug #5386: detect/threshold: offline time handling issue
Bug #5377: modbus: probing parser recognizes modbus with unknown function code
Bug #5368: bypass: Memory leak of some flow bypass objects.
Bug #5361: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context
Bug #5353: detect/alert: fix segfault when incrementing discarded alerts if alert-queue-expand fails
Bug #5331: stacktrace-on-signal: Kills all processes in the same process group
Bug #5330: flow: vlan.use-for-tracking is not used for ICMPv4
Bug #5329: rust: inconsistency between rust structure RustParser and C structure AppLayerParser
Bug #5327: track by_rule|by_both incorrectly rejected for global thresholds
Bug #5321: dcerpc: More efficient transaction handling
Bug #5317: flow manager: end of flow counters not working
Bug #5316: smtp: PreProcessCommands does not handle all the edge cases
Bug #5315: decode/mime: base64 decoding for data with spaces is broken
Bug #5314: ftp: quadratic complexity for tx iterator with linked list
Bug #5313: python: distutils deprecation warning
Bug #5312: test failure on Ubuntu 22.04 with GCC 12
Bug #5310: detect: several potential infinite loops by comparing u16 to size_t
Bug #5309: CIDR prefix calculation fails on big endian archs
Bug #5308: file handling: avoid toctou race conditions
Bug #5306: dcerpc: unsigned integer overflow in parse_dcerpc_bindack
Bug #5298: template (rust): convert transaction list to vecdeque
Bug #5297: pgsql: convert transaction list to vecdeque
Bug #5296: http2: convert transaction list to vecdeque
Bug #5295: rdp: convert transaction list to vecdeque
Bug #5294: mqtt: convert to vecdeque
Bug #5291: cppcheck: various static analyzer "warning"s
Bug #5285: frame: assertion failed in PrefilterMpmFrame
Bug #5281: ftp: don't let first incomplete segment be over maximum length
Bug #5280: nfs: ASSERT: attempt to subtract with overflow (compound)
Bug #5278: app-layer: Allow for non slice based transaction containers in generate get iterator (rust)
Bug #5277: dns: More efficient transaction handling
Bug #5276: eve: payload field randomly missing even if the packet field is present
Bug #5271: app-layer: timeout when removing many transactions from the beginning
Bug #5268: mqtt: integer underflow with truncated
Bug #5260: rust: update regex dependency
Bug #5259: rust: update time dependency
Bug #5248: flow: double unlock in tcp reuse case
Bug #5246: smb: integer underflows and overflows
Bug #5238: frame: memory leak in signature parsing
Bug #5236: frame: buffer over read in SCACSearch
Bug #5228: pcre2: SEGV during rule loading
Bug #5226: Frames: failed assertion !((int64_t)data_len > frame->len)
Bug #5223: base64_decode does not populate base64_data buffer once hitting non-base64 chars
Bug #5208: DCERPC protocol detection when nested in SMB
Bug #5205: FTP-data unrecognized depending on multi-threading
Bug #5201: content:"22 2 22"; is parsed without error
Bug #5197: fast_pattern assignment of specific content results in FN
Bug #5188: SSL : over allocation for certificates
Bug #5183: TLS Handshake Fragments not Reassembled
Bug #5174: MIME URL extraction creates invalid url in JSON
Bug #5168: detect/iponly: non-cidr netmask settings can lead to incorrect detection
Bug #5162: inspection of smb traffic without smb/dcerpc doesn't work correctly
Bug #5147: frames: debug assertion on SMB2 traffic
Bug #5146: libhtp: does not handle 100 continue if there is a 0 Content Length
Bug #5145: nfs: Integer underflow in NFS
Bug #5144: Failed assert DeStateSearchState
Bug #5132: segfault: master - HTPFileCloseHandleRange
Bug #5094: output: timestamp missing usecs on Arm 32bit + Musl
Bug #5093: rust/proc-macro-crate: pin to old version to support our MSRV
Bug #5086: htp: server personality radix handling issue
Bug #5085: defrag: policy config can setup radix incorrectly
Bug #5084: iprep: cidr support can set up radix incorrectly
Bug #5081: detect/iponly: rule parsing does not always apply netmask correctly
Bug #5080: eve/dnp3: coverity warnings for string handling
Bug #5079: swf: coverity warning
Bug #5077: byte_math rule options need to be in order or will fail otherwise
Bug #5073: Off-by-one in flow-manager flow_hash row allocation
Bug #5070: Stacktrace logger should propagate original signal
Bug #5066: detect/iponly: mixing netblocks can lead to FN/FP
Bug #5065: frames: coverity warning
Bug #5046: Documentation copyright years are invalid
Bug #5040: stats: add app-layer error counters
Bug #5034: dns: probing/parser can return error when it should return incomplete
Bug #5019: dataset: error with space in rule language
Bug #5018: MQTT can return AppLayerResult::incomplete forever and buffer forever
Bug #5011: frames: buffer overread in SigValidate
Bug #5009: dpdk: fails to compile on ubuntu 22.04
Bug #5007: pgsql: coverity warning
Bug #4972: Null deference in ConfigApplyTx
Bug #4969: Libhtp timeout lzma reallocing dictionary
Bug #4953: stream: too aggressive pruning in lossy streams
Bug #4948: SMTP assertion triggered
Bug #4947: suricatasc loop if recv returns no data
Bug #4945: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
Bug #4941: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit
Bug #4935: DPDK: Packet counters set incorrectly
Bug #4924: dns: transaction not created when z-bit set
Bug #4920: detect/app-layer-protocol: app-layer-protocol:http broken
Bug #4882: Netmap configuration -- need a configuration option for non-standard library locations.
Bug #4877: Run stream reassembly on both directions upon receiving a FIN packet
Bug #4862: MQTT : transactions are never cleaned by AppLayerParserTransactionsCleanup
Bug #4860: eve.json remove app-layer specific fields from root object
Bug #4859: dnp3: buffer over read in logging base64 empty objects
Bug #4849: protodetect: SMB vs TLS protocol detection in midstream
Bug #4848: TFTP: memory leak due to missing detect state
Bug #4842: smb: excessive memory use during file transfer
Bug #4839: Memory leak with signature using file_data and NFS
Bug #4836: profiling: Invalid performance counter when using sampling
Bug #4828: flow: flows not evicted & freed in time
Bug #4817: smtp: smtp transaction not logged if no email is present
Bug #4812: conf: quadratic complexity
Bug #4811: Range: memory leak from HTTP2
Bug #4810: pppoe decoder fails when protocol identity field is only 1 byte
Bug #4808: flow: worker-evicted flows need to be processed quicker
Bug #4807: packetpool: packets in pool may have capture method ReleasePacket callbacks set
Bug #4804: af-packet: tpacket v3 if/down logic broken
Bug #4803: af-packet: up/down logic leaks resources in autofp (tpacket v2)
Bug #4801: af-packet: tpacket v3 socket reference handling broken
Bug #4800: af-packet: flag collision between kernel and Suricata
Bug #4785: af-packet: threads sometimes get stuck in capture
Bug #4779: flow/bypass: flow worker not performing flow timeout "housekeeping"
Bug #4778: flow/bypass: app-layer/stream resources not freed when bypass activated
Bug #4771: pcrexform: does not capture substring but whole match
Bug #4769: dcerpc dce_iface just match a packet
Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords
Bug #4766: Flow leaked when flow->use_cnt access race happens
Bug #4765: loopback: different AF_INET6 values per OS
Bug #4764: range: no validity check with HTTP2 leads to over allocation
Bug #4757: Incomplete range with overlap, and expected new bytes, lead to incomplete reassembly
Bug #4754: Invalid range leads to OOM
Bug #4752: Memory leak in SNMP with DetectEngineState
Bug #4741: Quadratic complexity in modbus due to missing tx_iterator
Bug #4739: Absent app-layer protocol is always enabled by default
Bug #4737: ubsan: bytejump warning
Bug #4731: flows: spare pool not freeing flows aggressively enough
Bug #4724: pcre2: scan-build warning
Bug #4722: flows: TCP flow timeout handling stuck if there is no traffic
Bug #4720: pcre2: ASAN heap-buffer-overflow
Bug #4719: http2: byte-range test fails intermittently
Bug #4699: coverity warnings after output changes
Bug #4692: lua: file info callback returns wrong value
Bug #4685: detect: too many prefilter engines lead to FNs
Bug #4681: Wrong list_id with transforms for http_client_body and http file_data
Bug #4680: nfs: failed assert self.tx_data.files_logged > 1
Bug #4679: IPv6 : decoder event on invalid fragment length
Bug #4670: rules: mix of drop and pass rules issues
Bug #4666: http: ipv6 address is a valid host
Bug #4664: ipv6 evasions : fragmentation
Bug #4663: rules: drop rules with noalert not fully dropping
Bug #4659: Configuration test mode succeeds when reference.config file contains invalid content
Bug #4654: tcp: insert_data_normal_fail can hit without triggering memcap
Bug #4650: Stream TCP raw reassembly is leaking
Bug #4622: File deletions over SMB are not always logged
Bug #4621: rust panic: when using smb stream-depth
Bug #4620: Protocol detection : confusion with SMB in midstream
Bug #4619: HTTP2 null dereference in upgrade
Bug #4586: segmentfault when reopen redis
Bug #4582: BUG_ON triggered from TmThreadsInjectFlowById
Bug #4581: Excessive qsort/msort time when large number of rules using tls.fingerprint
Bug #4577: coverity: minor warnings
Bug #4570: eve/flow: many flows logged with reason==unknown
Bug #4563: Rules based on SSH banner-related keywords only match on acked data
Bug #4562: Memory leak in Protocol change during protocol detection
Bug #4561: Failed assertion in SMTP SMTPTransactionComplete
Bug #4560: Quadratic complexity in HTTP2 gzip decompression
Bug #4558: DNP3: intra structure overflow in DNP3DecodeObjectG70V6
Bug #4549: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Bug #4540: unused variables warnings on Windows compiles with rust
Bug #4537: alert count shows up as 0 when stats are disabled
Bug #4536: SWF decompression overread
Bug #4534: Timeout in ikev2 parsing
Bug #4533: Rust modbus parser does not handle gaps as it claims
Bug #4530: DOS Quadratic complexity when having too many transactions
Bug #4527: Fix implicit conversions in traffic facing source code modules
Bug #4525: segv with --set cmdline option if incorrect key is provided
Bug #4523: Application log cannot be re-opened when running as non-root user
Bug #4516: Integer overflows
Bug #4509: Incorrect flags in Rust
Bug #4508: SSH bypass is not working
Bug #4505: Rust panic while parsing (new rust) modbus rule
Bug #4503: Buffer overflow in "by_rule" threshold context
Bug #4502: TCP reassembly memuse approaching memcap value results in TCP detection being stopped
Bug #4495: output: threaded output coverity warning
Bug #4494: Failed assertion in HTTP2 decompression
Bug #4491: rules: rules w/o sid accepted, leading to alerts with signature_id: 0
Bug #4478: freebsd: lockups due to mutex handling issues
Bug #4477: Infinite loops when using InspectionBufferMultipleForList
Bug #4476: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti
Bug #4473: Timeout in ftp parsing rs_ftp_active_eprt
Bug #4472: YAML -- interpretation of "~" (tilde)
Bug #4448: Properly set the ICMP emergency-bypassed value
Bug #4447: ipv6 & ftp & passive mode & error
Bug #4442: build: Build failure on FreeBSD
Bug #4440: eve: log if flow had gap
Bug #4438: Null-dereference in HTTP2MimicHttp1Request in midstream
Bug #4437: dns: high resource usage on long lived dns connections
Bug #4436: Buffer overread in SMTP SMTPParseCommandBDAT
Bug #4434: Duplicate alert record in eve log when using unix-socket mode
Bug #4433: Debug assert failed in ikev1 logger
Bug #4428: Rust panic in suricata::dcerpc::detect::handle_input_data (buffer overread)
Bug #4425: threaded eve: files not closed on deinitialization
Bug #4424: ftp: Memory leak with duplicate FTP expectation
Bug #4407: threshold: slow startup on threshold.config with many addresses in suppression
Bug #4404: eve/mqtt: mqtt logging crashes when eve is multithreaded
Bug #4403: Use after free, read overflow or use of uninitialized memory in TransformStripWhitespace called by HttpServerBodyXformsGetDataCallback
Bug #4401: Quadratic complexity in libhtp chunk parsing
Bug #4400: Panic in Rust HTTP2 dynamic headers table eviction
Bug #4397: eve.drop: alerts option logs lowest priority alert
Bug #4395: Incorrect AppLayerResult::incomplete for RDP
Bug #4394: detect: "drop" on protocol detect only rule doesn't drop flow
Bug #4389: Protocol detection tls-dcerpc
Bug #4388: Protocol detection evasion enip-dns
Bug #4387: Heap-use-after-free READ 8 in JsonDNP3LoggerToClient
Bug #4379: flow manager: using too much CPU during idle
Bug #4376: TCP flow that retransmits the SYN with a newer TSval not properly tracked
Bug #4375: segv in ApplyToU8Hash
Bug #4369: Configuration test mode succeeds when threshold.config file contains invalid content
Bug #4361: detect: file.data performance regression
Bug #4348: ftp: "g_expectation_data_id" and "g_expectation_id" in AppLayerExpectationHandle function
Bug #4335: Stack-buffer-overflow READ 4 in SetupU8Hash
Bug #4331: libhtp: don't put stream in error state on compression issues
Bug #4320: Heap use after free in parsing signatures with ip_proto and prefilter
Bug #4280: Suricata is not fully reading or loading the iprep files
Bug #4277: SIGABRT: rust panic HTTP2State
Bug #4274: Suricata crashes at exit in NFQ mode
Bug #4273: protodetect: SEGV due to NULL ptr deref
Bug #4272: Timeout in libhtp with lzma in gzip to be decompressed in many responses
Bug #4271: datasets: reference counter issue in string lookup
Bug #4267: output: don't use /etc/protocols
Bug #4262: ebpf: llc detection failure
Bug #4261: Mismatch between capture and outputs in rules leads to seg fault
Bug #4258: ftp-data: support for file.name keyword is incomplete
Bug #4254: Leak in signature parsing with urilen
Bug #4253: lua: flowint/flowvar API naming consistency
Bug #4247: detect: NOOPT flag not enforced correctly
Bug #4246: Assertion failed in AdjustToAcked delta > 10000000ULL && delta > stream->window
Bug #4245: SMTP/Email Body md5: Only logs the md5 of the first part in a multi-part mime message
Bug #4239: dataset file not written when run as user
Bug #4238: tcp/fastopen: false positive on "invalid option"
Bug #4233: ssl : Integer underflow in ssl parsing SSLV3_HANDSHAKE_PROTOCOL
Bug #4232: Protocol detection evasion enip-SMB
Bug #4231: ICMPv6 failed assert p->icmpv6h == NULL with icmpv6.hdr
Bug #4228: tcp/async: incorrect flagging of ACK values as invalid
Bug #4225: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode
Bug #4224: modbus: Request flood leads to CPU exhaustion
Bug #4216: 5.0.5 in socket mode crashes when using file-store due to uninitialized stats_ctx
Bug #4211: Not all manpages are built by docs Makefile
Bug #4210: Alert not generated with 2 rules - http.request body (alone) and http.request_body/url_decode
Bug #4208: Suricata crashes with multi-threaded eve logger and HTTP/2 traffic
Bug #4206: dns: output flags not set correctly on 32 bit systems
Bug #4205: eve: Memory leak from jsonbuilder in @MetadataJson@
Bug #4202: Wrong stream side after direction change
Bug #4199: Transformation keyword can’t trigger an alert
Bug #4198: dcerpc: no alert triggered with dce opnum in 6.0
Bug #4187: rs_dcerpc_udp_get_tx takes out unusual amount of CPU
Bug #4171: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL
Bug #4152: fatal error: 'gnu/stubs-32.h' file not found
Bug #4106: Duplicate TLS subjects in tls metadata.
Bug #4096: flow manager: 200% CPU in KVM host with no activity with Suricata 6
Bug #4080: DCERPCUDPState handle fragmented data functions pegging certain CPU cores/threads
Bug #3996: SIGABRT: SMTPTransactionComplete
Bug #3995: SIGABRT stream-tcp-reassemble
Bug #3846: Infinite loop if the sniffing interface temporarily goes down
Bug #3703: fileinfo "stored: false" even if the file is kept on disk
Bug #3685: Incorrect logging level for messages
Bug #3542: FTP: expectation created in wrong direction.
Bug #3475: SMB evasion against EICAR file detection
Bug #3419: af-packet: cluster_id is not used when trying to set fanout support
Bug #3109: dcerpc engine not generating alerts
Bug #2809: Applayer Mismatch protocol both directions for kerberos AS-REQ/KDC_ERR_PREAUTH_REQUIRED exchange
Bug #2802: iprep: use_cnt can get desynchronized (SIGABRT)
Bug #2510: Suricata doesn't decompress HTTP POST body
Bug #2190: apparent 1000 character limit in threshold.conf IP lists
Optimization #5592: tunnel: spinlock for tunnel packet sync
Optimization #5577: Fix warning about "comparing with null" in debug code
Optimization #5481: tls: support incomplete API to replace internal buffering
Optimization #5454: http2: slow http2_frames_get_header_value_vec because of allocation
Optimization #5400: dpdk: allow specifying of `rss_hf` flags in config
Optimization #5232: rules: pattern id assignment is too slow
Optimization #5231: rules: mpm setup more costly than needed
Optimization #5230: rules: too much time spent in DetectUnregisterThreadCtxFuncs due to pcre2
Optimization #5229: rules: too much time spent in SigMatchListSMBelongsTo at startup
Optimization #4991: pgsql: convert parser to nom7 functions
Optimization #4907: smtp: use AppLayerResult instead of buffering wherever possible
Optimization #4805: af-packet: move vlan hdr insert logic to capture/decode
Optimization #4795: Remove PASS_IF macro from the FAIL/PASS API
Optimization #4748: app-layer/rust: explore if tx iterator can be implemented as a trait
Optimization #4711: Clang 14 and rust nightly new warnings
Optimization #4653: Flow cleaning with chunked approach is memory hungry
Optimization #4609: Fix warning about "if same then else"
Optimization #4604: Fix warning about "branches sharing code"
Optimization #4599: Fix warning about "ptr_arg"
Optimization #4597: Fix warning about "enum's name"
Optimization #4593: Fix warning about "mixed case hex literals"
Optimization #4555: HTTP2: what to do when HTTP upgrade is requested and HTTP2 is disabled?
Optimization #4497: rust: clean up constructors of state, transaction structs
Optimization #4496: decode: remove NULL checks after header casts
Optimization #4475: Rust: Make default_port in parser registration an Option
Optimization #4427: storage api: use dedicated 'id' type
Optimization #4366: decoder: limit number of decoding layers
Optimization #4319: dcerpc: improve protocol detection
Optimization #4207: Use configurable or more dynamic PACKET_ALERT_MAX
Optimization #4154: Rust Parsers: Abstract AppLayer events to a derive macro
Optimization #4126: Threaded eve logging for output types other than regular file (socket, plugins, redis etc)
Optimization #4112: Use generic rust DetectU32Data in every keyword needing this
Optimization #3832: rust: Make core::* as enum to improve readability
Optimization #3825: Defining only one basic rust Files structure
Optimization #3658: Use WARN_UNUSED for ByteExtract* functions
Optimization #3315: app-layer: unify registration logic
Task #5569: transversal: update references to suricata webpage version 2
Task #5497: github-ci: update runners using ubuntu-18.04 image
Task #5475: doc: add exception policy documentation
Task #5319: add `alert-queue-expand-fails` command-line option
Task #5179: stats/alert: log out to stats alerts that have been discarded from packet queue
Task #5175: nfs4: Improve compound record parsers
Task #5166: quic: Support older versions like Q039 and Q043
Task #5143: QUIC: support JA3
Task #5002: applayertemplate: convert parser to nom7 functions
Task #5001: x509: convert parser to nom7 functions
Task #5000: rfb: convert parser to nom7 functions
Task #4999: ntp: convert parser to nom7 functions
Task #4998: krb: convert parser to nom7 functions
Task #4997: mime: convert parser to nom7 functions
Task #4996: rdp: convert parser to nom7 functions
Task #4995: snmp: convert parser to nom7 functions
Task #4994: ike: convert parser to nom7 functions
Task #4993: asn1: convert parser to nom7 functions
Task #4992: dcerpc: convert parser to nom7 functions
Task #4970: libhtp 0.5.40
Task #4915: transversal: update references to suricata webpage
Task #4912: Update default rule path to /var/lib/suricata/rules.
Task #4909: devguide: move into userguide as last chapter
Task #4796: af-packet: remove non-mmap tpacket-v1 support
Task #4784: config: add suricata version as a comment to the top of the configuration file
Task #4721: http2: enable by default
Task #4668: Remove Prelude output
Task #4667: libhtp 0.5.39
Task #4446: pcre2: document changes vs pcre1 for rule writers
Task #4444: files: store files in transactions instead of per flow state
Task #4221: Build Suricata into a static and shared library
Task #4182: lua: Use lua_pushinteger for pushing integer types as integers instead of floats
Task #4157: deprecation: remove dns eve v1 logging (May 2022)
Task #4058: Convert unittests to new FAIL/PASS API: detect-sid.c
Task #4056: Convert unittests to new FAIL/PASS API: detect-rpc.c
Task #4053: Convert unittests to new FAIL/PASS API: detect-msg.c
Task #4038: Convert unittests to new FAIL/PASS API: detect-filesha256.c
Task #4036: Convert unittests to new FAIL/PASS API: detect-filename.c
Task #4035: Convert unittests to new FAIL/PASS API: detect-filemd5.c
Task #4034: Convert unittests to new FAIL/PASS API: detect-filemagic.c
Task #4033: Convert unittests to new FAIL/PASS API: detect-fileext.c
Task #4032: Convert unittests to new FAIL/PASS API: detect-file-data.c
Task #3905: GitHub CI: use sccache for commits build
Task #3194: pcre2 support
Documentation #5511: userguide: add subsection about setting up Suri in IPS mode with DPDK
Documentation #5441: userguide: rules meta page updates
Documentation #5385: userguide: update rule's format document
Documentation #5364: userguide: reorganize `Application Layers Parsers` and `Application layers` subsections in the suricata.yaml page
Documentation #5130: doc: add flowbits ORing doc
Documentation #4949: userguide: add explanation on max-streams in the suricata.yaml page
Documentation #4671: Document changes to HTTP events with respect to http/http2 normalization
Documentation #4396: Devguide: Transactions and State overview
Documentation #3029: No documentation for "dcerpc" keywords
Documentation #3017: No documentation for "rawbytes" keyword
6.0.1 -- 2020-12-04
Feature #2689: http: Normalized HTTP client body buffer
Feature #4121: http2: support file inspection API
Bug #1275: ET Rule 2003927 not matching in suricata
Bug #3467: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode
Bug #3616: strip_whitespace causes FN
Bug #3726: Segmentation fault on rule reload when using libmagic
Bug #3856: dcerpc: last response packet not logged
Bug #3924: asan leak htp_connp_create
Bug #3925: dcerpc: crash in eve logging
Bug #3930: Out of memory from THashInitConfig called by DetectDatasetSetup
Bug #3994: SIGABRT TCPProtoDetectCheckBailConditions
Bug #4018: Napatech: Double release of packet possible in certain error cases.
Bug #4069: dcerpc: fix UDP transaction handling, free_tx, etc
Bug #4071: Null dereference in ipv4hdr GetData
Bug #4072: ssl: Integer underflow in SSL parser
Bug #4073: Protocol detection evasion by packet splitting on enip/SMB
Bug #4074: Timeout while loading many rules with keyword ssl_version
Bug #4076: http2: Memory leak when parsing signature with filestore
Bug #4085: Assertion from AdjustToAcked
Bug #4086: dns: memory leak in v1 dns eve logging
Bug #4090: icmpv4: header handling issue(s)
Bug #4091: byte_math: Offset is a signed value
Bug #4094: AddressSanitizer: dynamic-stack-buffer-overflow (util-crypt)
Bug #4100: ftp: Quadratic complexity in FTPGetOldestTx may lead to DOS
Bug #4109: mac address logging crash
Bug #4110: http: LibHTP wrong protocol with content duplication
Bug #4111: dnp3: DOS in long loop of zero sized objects
Bug #4120: http2: null ptr deref in http2 alert metadata
Bug #4124: dcerpc: UDP request response pair match is incorrect
Bug #4155: dnp3: memory leak when parsing objects with bytearrays
Bug #4156: dnp3: signed integer overflow
Bug #4158: PacketCopyData sets packet length even on failure
Bug #4173: dnp3: SV tests fail on big endian
Bug #4177: Rustc nightly warning getting the inner pointer of a temporary `CString`
Optimization #4114: Optimize Rust logging macros: SCLogInfo, SCLogDebug and friends
Task #4137: deprecate: eve.dns v1 record support
Task #4180: libhtp 0.5.36
6.0.0 -- 2020-10-08
Bug #3099: Weird handling of IKEv2 flows when alerts happen
Bug #3691: strip_whitespace doesn't strip_whitespace
Bug #3772: DNP3 probing parser does not detect the proper direction in midstream
Bug #3774: Assert failed in TLS due to integer underflow
Bug #3775: Memory leak in libhtp in error case
Bug #3853: Multi-byte Heap buffer over-read in ssl parser
Bug #3857: Protocol detection evasion by packet splitting on enip/dnp3
Bug #3877: Transaction list grows without bound on parsers that use unidirectional transactions
Bug #3896: app-layer-parser.c:1264: AppLayerParserParse: Assertion `!(res.needed + res.consumed < input_len)' failed.
Bug #3904: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true
Bug #3926: dcerpc: Rust panic in handle_common_stub
Bug #3927: Alert "fileinfo" array conflicts with "fileinfo" event type
Bug #3928: eve: metadata section mixup with anomaly
Bug #3929: Unexpected exit from THashInitConfig called by DetectDatasetSetup
Bug #3930: Out of memory from THashInitConfig called by DetectDatasetSetup
Bug #3931: Memory leak from signature with file.name
Bug #3956: HTTP2 support variable integer lengths for headers
Bug #3972: HTTP2: stream_id_reuse
Bug #3977: SNMP: Better handling of unidirectional transactions
Bug #3978: DHCP: Add unidirectional transaction handling
Bug #3979: IKEv2: Add unidirectional transaction handling
Bug #3980: MQTT: Add unidirectional transaction handling
Bug #3981: SIP: Add unidirectional transaction handling
Bug #3982: RDP: Add unidirectional transaction handling
Bug #3983: KRB5: Add unidirectional transaction handling
Bug #3984: NTP: Add unidirectional transaction handling
Bug #3987: Hang while processing HTTP traffic
Bug #3989: HTTP2: invalid_frame_data anomaly
Bug #3991: Libhtp timeout in data_probe_chunk_length
Bug #3992: RDP incorrect AppLayerResult::incomplete
Bug #3993: Use of uninitialized value in DetectDatarepParse
Bug #3998: HTTP2: invalid header anomaly
Bug #4009: ENIP: Unidirectional transaction handling
Feature #3955: Protocol detection : run probing parser for protocol found in other direction
Task #3922: libhtp 0.5.35
Task #4017: suricata-update: bundle 1.2.0
Documentation #2211: doc: document issues with --set and lists in the command line parameters section of the manual
6.0.0-rc1 -- 2020-09-11
Feature #2970: DNS: Parse and extract SOA app layer data from DNS packets
Feature #3063: protocol decoder: geneve
Task #3178: json: remove individual loggers
Task #3559: http: support GAP recovery
Task #3759: datasets: finalize to move out of 'experimental'
Task #3824: libhtp 0.5.34
Task #3868: GitHub CI: Add Fedora 32 runner with ASAN and Suricata-Verify
Task #3903: remove BUG_ON from app-layer AppLayerResult eval
Documentation #3497: Document the removal of unified2 and migration options
Documentation #3799: Deprecated configuration keyword in "Hardware bypass with Netronome"
Bug #2433: memleak with suppression rules defined in threshold.conf
Bug #3776: Timeout in libhtp due to multiple responses with double lzma encoding
Bug #3816: Coverity scan issue -- null pointer deref in reject dev handling
Bug #3842: eve: logging silently continues if disk is full
Bug #3850: Invalid state for JsonBuilder with metadata signature keyword
Bug #3858: pcap recursive: coverity issues
Bug #3861: flow: check flow bypass handling
Bug #3863: reject: compile warning
Bug #3864: plugin: coverity issues
Bug #3865: flow: coverity issues
Bug #3866: http2: http1 to http2 upgrade support
Bug #3871: Include acsite.m4 in distribution
Bug #3872: Fail CROSS_COMPILE check for PCRE JIT EXEC
Bug #3874: configure: fails to check for netfilter_queue headers on older header packages
Bug #3879: datasets related memleak
Bug #3880: http parsing/alerting - continue
Bug #3882: Plugin support typo
Bug #3883: Runmode Single Memory Leak
Bug #3885: 6.0.0-beta1 stream-tcp-reassemble.c:1066: AdjustToAcked: Assertion `!(adjusted > check)' failed
Bug #3888: 6.0.0-dev - heap-buffer-overflow /opt/suricata/src/flow-manager.c:472:34 in FlowTimeoutHash with AFPv3
Bug #3890: AddressSanitizer: SEGV on unknown address - failed to setup/expand stream segment pool.
Bug #3895: Assert failed in DNS incomplete parsing
Bug #3897: Integer overflow in SCSigOrderByPriorityCompare
Bug #3898: Leak from bad signature with DCERPC keyword, then another protocol keyword
Bug #3902: flow/bypass: SEGV src/flow.c:1158:9 in FlowUpdateState
Bug #3906: mqtt 'assertion failed: `(left == right)` src/mqtt/parser.rs:500:13
Bug #3907: http2 rust - 'index out of bounds: the len is 2 but the index is 63'
Bug #3908: Port prscript to Python 3
Bug #3911: datasets: path handling issues with default-rule-path vs -S <file>
Bug #3913: Memory leak from signature with pcrexform
Bug #3914: Protocol detection is not retried on protocol change if there is not enough data
Bug #3915: Eve output in threaded mode does not rotate logs on request (eg: SIGHUP)
Bug #3916: Dataset filename not always found on load
Bug #3917: HTTP2 incorrect incomplete after banner
6.0.0-beta1 -- 2020-08-07
Feature #641: Flowbits group for ORing
Feature #1807: Cisco HDLC Decoder
Feature #1947: HTTP2 decoder
Feature #2015: eve: add fileinfo in alert
Feature #2196: Add flow_id to the file extracted .meta file
Feature #2311: math on extracted values
Feature #2312: http: parsing for async streams
Feature #2385: deprecate: unified2
Feature #2524: Allow user to choose the reject iface
Feature #2553: support 'by_both' in threshold rule keyword
Feature #2694: thresholding: feature parity between global and per-rule options
Feature #2698: hassh and hasshServer for ssh fingerprinting
Feature #2859: Oss-fuzz integration
Feature #3199: transformation should be able to take options
Feature #3200: pcre: allow operation as transform
Feature #3293: eve: per thread output files
Feature #3332: Dynamic Loadable Module/Plugin Support
Feature #3422: GRE ERSPAN Type 1 Support
Feature #3444: app-layer: signal stream engine about expected data size
Feature #3445: Convert SSH parser to Rust
Feature #3501: Add RFB parser
Feature #3546: Teredo port configuration
Feature #3549: Add MQTT parser
Feature #3626: implement from_end byte_jump keyword
Feature #3635: datasets: add 'dataset-remove' unix command
Feature #3661: validate strip_whitespace content before loading a rule
Feature #3693: DCERPC multi tx support
Feature #3694: DCERPC logging support
Feature #3760: datasets: distinguish between 'static' and 'dynamic' sets
Feature #3823: conditional logging: tx log filtering
Optimization #749: pcre 8.32 introduces JIT pcre_jit_exec(...)
Optimization #947: dynamic allocation of thread queues
Optimization #1038: Flow Queue should be a stack
Optimization #2779: Convert DCE_RPC from C to Rust
Optimization #2845: Counters for kernel_packets decrease at times without restart
Optimization #2977: replace asn1 parser with rust based implementation
Optimization #3234: dns app-layer c vs rust cleanup
Optimization #3308: rust: use cbindgen to generate bindings
Optimization #3538: dns: use app-layer incomplete support
Optimization #3539: rdp: use app-layer incomplete support
Optimization #3541: applayertemplate: use app-layer incomplete support
Optimization #3655: default to c11 standard
Optimization #3708: Convert SSH logging to JsonBuilder
Optimization #3709: Convert DNP3 logging to JsonBuilder
Optimization #3710: Convert SMTP logging to JsonBuilder
Optimization #3711: Convert NFS logging to JsonBuilder
Optimization #3712: Convert SMB logging to JsonBuilder
Optimization #3713: Convert RFB logging to JsonBuilder
Optimization #3714: Convert FTP logging to JsonBuilder
Optimization #3715: Convert RDP logging to JsonBuilder
Optimization #3716: Use uuid crate wherever possible in smb rust parser
Optimization #3754: Convert KRB to JsonBuilder
Optimization #3755: Convert IKEv2 to JsonBuilder
Optimization #3756: Convert SNMP to JsonBuilder
Optimization #3757: Convert Netflow to JsonBuilder
Optimization #3764: Convert TFTP to JsonBuilder
Optimization #3765: Convert Templates to JsonBuilder
Optimization #3773: DNP3 CRC disabled when fuzzing
Optimization #3838: Convert 'vars' (metadata logging) to JsonBuilder
Task #2381: deprecate: 'drop' log output
Task #2959: deprecate: filestore v1
Task #3128: nom 5
Task #3167: convert all _Bool use to bool
Task #3255: rdp: enable by default
Task #3256: sip: enable by default
Task #3331: Rust: Move to 2018 Edition
Task #3344: devguide: setup sphinx
Task #3408: FTP should place constraints on filename lengths
Task #3409: SMTP should place restraints on variable length items (e.g., filenames)
Task #3460: autotools: check autoscan output
Task #3515: GRE ERSPAN Type 1 Support configuration
Task #3564: dcerpc: support GAP recovery
Documentation #3335: doc: add ipv4.hdr and ipv6.hdr
Bug #2506: filestore v1: with stream-depth not null, files are never truncated
Bug #2525: Add VLAN support to reject feature
Bug #2639: Alert for tcp rules with established without 3whs
Bug #2726: writing large number of json events on high speed traffic results in packet drops
Bug #2737: Invalid memory read on malformed rule with Lua script
Bug #3053: Replace atoi with StringParse* for better error handling
Bug #3078: flow-timeout: check that 'emergency' settings are < normal settings
Bug #3096: random failures on sip and http-evader suricata-verify tests
Bug #3108: Calculation of threads in autofp mode is wrong
Bug #3188: Use FatalError wherever possible
Bug #3265: Dropping privileges does not work with NFLOG
Bug #3282: --list-app-layer-protos only uses default suricata.yaml location.
Bug #3283: bitmask option of payload-keyword byte_test not working
Bug #3339: Missing community ID in smb, rdp, tftp, dhcp
Bug #3378: ftp: asan detects leaks of expectations
Bug #3435: afl: Compile/make fails on openSUSE Leap-15.1
Bug #3441: alerts: missing rdp and snmp metadata
Bug #3451: gcc10: compilation failure unless -fcommon is supplied
Bug #3463: Faulty signature with two threshold keywords does not generate an error and never match
Bug #3465: build-info and configure wrongly display libnss status
Bug #3468: BUG_ON(strcasecmp(str, "any") in DetectAddressParseString
Bug #3476: datasets: Dataset not working in unix socket mode
Bug #3483: SIP: Input not parsed when header values contain trailing spaces
Bug #3486: Make Rust probing parsers optional
Bug #3489: rule parsing: memory leaks
Bug #3490: Segfault when facing malformed SNMP rules
Bug #3496: defrag: asan issue
Bug #3504: http.header.raw prematurely truncates in some conditions
Bug #3509: Behavior for tcp fastopen
Bug #3517: Convert DER parser to Rust
Bug #3519: FTP: Incorrect ftp_memuse calculation.
Bug #3522: TCP Fast Open - Bypass of stateless alerts
Bug #3523: Suricata does not log alert metadata info when running in unix-socket mode
Bug #3525: Kerberos vulnerable to TCP splitting evasion
Bug #3529: rust: smb compile warnings
Bug #3532: Skip over ERF_TYPE_META records
Bug #3547: file logging: complete files sometimes marked 'TRUNCATED'
Bug #3565: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
Bug #3566: rules: minor memory leak involving pcre_get_substring
Bug #3567: rules/bsize: memory issue during parsing
Bug #3568: rules: bad rule leads to memory exhaustion
Bug #3569: fuzz: memory leak in bidir rules
Bug #3570: rfb: invalid AppLayerResult use
Bug #3583: rules: missing 'consumption' of transforms before pkt_data would lead to crash
Bug #3584: rules: crash on 'internal'-only keywords
Bug #3586: rules: bad address block leads to stack exhaustion
Bug #3593: Stack overflow when parsing ERF file
Bug #3594: rules: memory leaks in pktvar keyword
Bug #3595: sslv3: asan detects leaks
Bug #3615: Protocol detection evasion by packet splitting
Bug #3628: Incorrect ASN.1 long form length parsing
Bug #3630: Recursion stack-overflow in parsing YAML configuration
Bug #3631: FTP response buffering against TCP stream
Bug #3632: rules: memory leaks on failed rules
Bug #3638: TOS IP Keyword not triggering an alert
Bug #3640: coverity: leak in fast.log setup error path
Bug #3641: coverity: data directory handling issues
Bug #3642: RFB parser wrongly handles incomplete data
Bug #3643: Libhtp request: extra whitespace interpreted as dummy new request
Bug #3654: Rules reload with Napatech can hang Suricata UNIX manager process
Bug #3657: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
Bug #3662: Signature with an IP range creates one IPOnlyCIDRItem by IP address
Bug #3677: Segfault on SMTP TLS
Bug #3680: Dataset reputation invalid value logging
Bug #3683: rules: memory leak on bad rule
Bug #3687: Null dereference in DetectEngineSignatureIsDuplicate
Bug #3689: Protocol detection evasion by packet splitting on enip/nfs
Bug #3690: eve.json windows timestamp field has "Eastern Daylight Time" appended to timestamp
Bug #3699: smb: post-GAP file handling
Bug #3700: nfs: post-GAP file handling
Bug #3720: Incorrect handling of ASN1 relative_offset keyword
Bug #3732: filemagic logging resulting in performance hit
Bug #3749: redis: Reconnect is invalid in batch mode
Bug #3750: redis: no or delayed data in low speed network
Bug #3772: DNP3 probing parser does not detect the proper direction in midstream
Bug #3779: Exit on signature with invalid transform pcrexform
Bug #3783: Stack overflow in DetectFlowbitsAnalyze
Bug #3802: Rule filename mutation when reading file hash files from a directory other than the default-rule-directory
Bug #3808: pfring: compile warnings
Bug #3814: Coverity scan issue -- null pointer deref in ftp logger
Bug #3815: Coverity scan issue -- control flow issue ftp logger
Bug #3817: Coverity scan issue -- resource leak in filestore output logger
Bug #3818: Coverity scan issue -- null pointer deref in detect engine
Bug #3820: ssh: invalid use of `AppLayerResult::incomplete`
Bug #3821: Memory leak in signature parsing with keyword rfb.secresult
Bug #3822: Rust panic at DCERPC signature parsing
Bug #3840: Integer overflow in DetectContentPropagateLimits leading to unintended signature behavior
Bug #3841: Heap-buffer-overflow READ 8 · DetectGetLastSMByListId
Bug #3851: Invalid DNS incomplete result
Bug #3855: mqtt: coverity static analysis issues
5.0.1 -- 2019-12-13
Bug #1871: intermittent abort()s at shutdown and in unix-socket
Bug #2810: enabling add request/response http headers in master
Bug #3047: byte_extract does not work in some situations
Bug #3073: AC_CHECK_FILE on cross compile
Bug #3103: --engine-analysis warning for flow on an icmp request rule
Bug #3120: nfq_handle_packet error -1 Resource temporarily unavailable warnings
Bug #3237: http_accept not treated as sticky buffer by --engine-analysis
Bug #3254: tcp: empty SACK option leads to decoder event
Bug #3263: nfq: invalid number of bytes reported
Bug #3264: EVE DNS Warning about defaulting to v2 as version is not set.
Bug #3266: fast-log: icmp type prints wrong value
Bug #3267: Support for tcp.hdr Behavior
Bug #3275: address parsing: memory leak in error path
Bug #3277: segfault when test a nfs pcap file
Bug #3281: Impossible to cross-compile due to AC_CHECK_FILE
Bug #3284: hash function for string in dataset is not correct
Bug #3286: TCP evasion technique by faking a closed TCP session
Bug #3324: TCP evasion technique by overlapping a TCP segment with a fake packet
Bug #3328: bad ip option evasion
Bug #3340: DNS: DNS over TCP transactions logged with wrong direction.
Bug #3341: tcp.hdr content matches don't work as expected
Bug #3345: App-Layer: Not all parsers register TX detect flags that should
Bug #3346: BPF filter on command line not honored for pcap file
Bug #3362: cross compiling not affecting rust component of suricata
Bug #3376: http: pipelining tx id handling broken
Bug #3386: Suricata is unable to get MTU from NIC after 4.1.0
Bug #3389: EXTERNAL_NET no longer working in 5.0 as expected
Bug #3390: Eve log does not generate pcap_filename when Interacting via unix socket in pcap processing mode
Bug #3397: smtp: file tracking issues when more than one attachment in a tx
Bug #3398: smtp: 'raw-message' option file tracking issues with multi-tx
Bug #3399: smb: post-GAP some transactions never close
Bug #3401: smb1: 'event only' transactions for bad requests never close
Bug #3411: detect/asn1: crashes on packets smaller than offset setting
Task #3364: configure: Rust 1.37+ has cargo-vendor support bundled into cargo.
Documentation #2885: update documentation to indicate -i can be used multiple times
5.0.0 -- 2019-10-15
Feature #1851: add verbosity level description to the help command
Feature #1940: Debian Jessie - better message when trying to run 2 suricata with afpacket
Feature #3204: ja3(s): automatically enable when rules require it
Bug #1443: deprecated library calls
Bug #1778: af_packet: IPS and defrag
Bug #2386: check if default log dir is writable at start up
Bug #2465: Eve Stats will not be reported unless stats.log is enabled
Bug #2490: Filehash rule does not fire without filestore keyword
Bug #2668: make install-full fails if CARGO_TARGET_DIR has spaces in the directory path
Bug #2669: make install-full fails due to being unable to find libhtp.so.2
Bug #2955: lua issues on arm (fedora:29)
Bug #3113: python-yaml dependency is actually python3-yaml dependency
Bug #3139: enip: compile warnings on gcc-8
Bug #3143: datasets: don't use list in global config
Bug #3190: file_data inspection inhibited by additional (non-file_data) content match rule
Bug #3196: Distributed archive do not include eBPF files
Bug #3209: Copy engine provided classification.config to $datadir/suricata.
Bug #3210: Individual output log levels capped by the default log level
Bug #3216: MSN protocol detection/parser is not working
Bug #3223: --disable-geoip does not work
Bug #3226: ftp: ASAN error
Bug #3232: Static build with pcap fails
Optimization #3039: configure: don't generate warnings on missing features
Documentation #2640: http-body and http-body-printable in eve-log require metadata to be enabled, yet there is no indication of this anywhere
Documentation #2839: Update perf and tuning user guides
Documentation #2876: doc: add nftables with nfqueue section
Documentation #3207: Update the http app-layer doc and config
Documentation #3230: EVE DNS logger defaults to version 2 instead of version when version not specified.
5.0.0-rc1 -- 2019-09-24
Feature #524: detect double encoding in URI
Feature #713: tls.fingerprint - file usage
Feature #997: Add libhtp event for every htp_log() that needs an event.
Feature #1203: TCP Fast Open support
Feature #1249: http/dns ip-reputation alike technique
Feature #1757: URL Reputation
Feature #2200: Dynamically add md5 to blacklist without full restart
Feature #2283: turn content modifiers into 'sticky buffers'
Feature #2314: protocol parser: rdp
Feature #2315: eve: ftp logging
Feature #2318: matching on large amounts of data with dynamic updates
Feature #2529: doc: include quick start guide
Feature #2539: protocol parser: vxlan
Feature #2670: tls_cert sticky buffer
Feature #2684: Add JA3S
Feature #2738: SNMP parser, logging and detection
Feature #2754: JA3 and JA3S - sets / reputation
Feature #2758: intel / reputation matching on arbitrary data
Feature #2789: Use clang for building eBPF programs even if Suricata is built using GCC
Feature #2916: FTP decoder should have Rust port parsers
Feature #2940: document anomaly log
Feature #2941: anomaly log: add protocol detection events
Feature #2952: modernize http_header_names
Feature #3011: Add new 'cluster_peer' runmode to allow for load balancing by IP header (src<->dst) only
Feature #3058: Hardware offload for XDP bypass
Feature #3059: Use pinned maps in XDP bypass
Feature #3060: Add way to detect TCP MSS values
Feature #3061: Add way to inspect TCP header
Feature #3062: Add way to inspect UDP header
Feature #3074: DNS full domain matching within the dns_query buffer
Feature #3080: Provide a IP pair XDP load balancing
Feature #3081: Decapsulation of GRE in XDP filter
Feature #3084: SIP parser, logging and detection
Feature #3165: New rule keyword: dns.opcode; For matching on the opcode in the DNS header.
Bug #941: Support multiple stacked compression, compression that specifies the wrong compression type
Bug #1271: Creating core dump with dropped privileges
Bug #1656: several silent bypasses at the HTTP application level (chunking, compression, HTTP 0.9...)
Bug #1776: Multiple Content-Length headers causes HTP_STREAM_ERROR
Bug #2080: Rules with bad port group var do not error
Bug #2146: DNS answer not logged with eve-log
Bug #2210: logging: SC_LOG_OP_FILTER still displays some lines not matching filter
Bug #2264: file-store.stream-depth not working as expected when configured to a specific value
Bug #2395: File_data inspection depth while inspecting base64 decoded data
Bug #2619: Malformed HTTP causes FN using http_header_names;
Bug #2626: doc/err: More descriptive message on err for escaping backslash
Bug #2654: Off-by-one iteration of EBPF flow_table_vX in EBPFForEachFlowVXTable (util-ebpf.c)
Bug #2655: GET/POST HTTP-request with no Content-Length, http_client_body miss
Bug #2662: unix socket - memcap read/set showing unlimited where there are limited values configured by default
Bug #2686: Fancy Quotes in Documentation
Bug #2765: GeoIP keyword depends on now discontinued legacy GeoIP database
Bug #2769: False positive alerts firing after upgrade suricata 3.0 -> 4.1.0
Bug #2786: make install-full does not install some source events rules
Bug #2840: xdp modes - Invalid argument (-22) on certain NICs
Bug #2847: Confusing warning “Rule is inspecting both directions” when inspecting engine analysis output
Bug #2853: filestore (v1 and v2): dropping of "unwanted" files
Bug #2926: engine-analysis with content modifiers does not always issue the correct warning
Bug #2942: anomaly log: app layer events
Bug #2951: valgrind warnings in ftp
Bug #2953: bypass keyword: Suricata 4.1.x Segmentation Faults
Bug #2961: filestore: memory leaks
Bug #2965: Version 5 Beta1 - Multiple NFQUEUE failed
Bug #2986: stream bypass not making callback as expected
Bug #2992: Build failure on m68k with uclibc
Bug #2999: AddressSanitizer: heap-buffer-overflow in HTPParseContentRange
Bug #3000: tftp: missing logs because of broken tx handling
Bug #3004: SC_ERR_PCAP_DISPATCH with message "error code -2" upon rule reload completion
Bug #3006: improve rule keyword alproto registration
Bug #3007: rust: updated libc crate causes deprecation warnings
Bug #3009: Fixes warning about size of integers in string formats
Bug #3051: mingw/msys: compile errors
Bug #3054: Build failure with --enable-rust-debug
Bug #3070: coverity warnings in protocol detection
Bug #3072: Rust nightly warning
Bug #3076: Suricata sometimes doesn't store the vlan id when vlan.use-for-tracking is false
Bug #3089: Fedora rawhide af-packet compilation err
Bug #3098: rule-reloads Option?
Bug #3111: ftp warnings during compile
Bug #3112: engine-analysis warning on http_content_type
Bug #3133: http_accept_enc warning with engine-analysis
Bug #3136: rust: Remove the unneeded macros
Bug #3138: Don't install Suricata provided rules to /etc/suricata/rules as part of make install-rules.
Bug #3140: ftp: compile warnings on gcc-8
Bug #3158: 'wrong thread' tracking inaccurate for bridging IPS modes
Bug #3162: TLS Lua output does not work without TLS log
Bug #3169: tls: out of bounds read (5.x)
Bug #3171: defrag: out of bounds read (5.x)
Bug #3176: ipv4: ts field decoding oob read (5.x)
Bug #3177: suricata is logging tls log repeatedly if custom mode is enabled
Bug #3185: decode/der: crafted input can lead to resource starvation (5.x)
Bug #3189: NSS Shutdown triggers crashes in test mode (5.x)
Optimization #879: update configure.ac with autoupdate
Optimization #1218: BoyerMooreNocase could avoid tolower() call
Optimization #1220: Boyer Moore SPM pass in ctx instead of individual bmBc and bmBg
Optimization #2602: add keywords to --list-keywords output
Optimization #2843: suricatact/filestore/prune: check that directory is a filestore directory before removing files
Optimization #2848: Rule reload when run with -s or -S arguments
Optimization #2991: app-layer-event keyword tx handling
Optimization #3005: make sure DetectBufferSetActiveList return codes are always checked
Optimization #3077: FTP parser command lookup
Optimization #3085: Suggest more appropriate location to store eBPF binaries
Optimization #3137: Make description of all keywords consistent and pretty
Task #2629: tracking: Rust 2018 edition
Task #2974: detect: check all keyword urls
Task #3014: Missing documentation for "flags" option
Task #3092: Date of revision should also be a part of info from suricata -v
Task #3135: counters: new default for decoder events
Task #3141: libhtp 0.5.31
5.0.0-beta1 -- 2019-04-30
Feature #884: add man pages
Feature #984: libhtp HTP_AUTH_UNRECOGNIZED
Feature #1970: json: make libjansson mandatory
Feature #2081: document byte_test
Feature #2082: document byte_jump
Feature #2083: document byte_extract
Feature #2282: event log aka weird.log
Feature #2332: Support for common http response headers - Location and Server
Feature #2421: add system mode and user mode
Feature #2459: Support of FTP active mode
Feature #2484: no stream events after known pkt loss in flow
Feature #2485: http: log byte range with file extraction
Feature #2507: Make Rust mandatory
Feature #2561: Add possibility for smtp raw extraction
Feature #2563: Add dump of all headers in http eve-log
Feature #2572: extend protocol detection to specify flow direction
Feature #2741: netmap: add support for lb and vale switches
Feature #2766: Simplified Napatech Configuration
Feature #2820: pcap multi dev support for Windows (5.0.x)
Feature #2837: Add more custom HTTP Header values for HTTP JSON Logging
Feature #2895: OpenBSD pledge support
Feature #2897: update http_content_type and others to new style sticky buffers
Feature #2914: modernize tls sticky buffers
Feature #2930: http_protocol: use mpm and content inspect v2 apis
Feature #2937: sticky buffer access from lua script
Optimization #2530: Print matching rule SID in filestore meta file
Optimization #2632: remove C implementations where we have Rust as well
Optimization #2793: Python 3 support for python tools
Optimization #2808: Prefer Python 3 in ./configure
Bug #1013: command line parsing
Bug #1324: vlan tag in eve.json
Bug #1427: configure with libnss and libnspr
Bug #1694: unix-socket reading 0 size pcap
Bug #1860: 2220005: SURICATA SMTP bdat chunk len exceeded when using SMTP connection caching
Bug #2057: eve.json flow logs do not contain in_iface
Bug #2432: engine-analysis does not print out the tls buffers
Bug #2503: rust: nom 4.2 released
Bug #2527: FTP file extraction only working in passive mode
Bug #2605: engine-analysis warning on PCRE
Bug #2733: rust/mingw: libc::IPPROTO_* not defined
Bug #2751: Engine unable to disable detect thread, Killing engine. (in libpcap mode)
Bug #2775: dns v1/2 with rust results in less app layer data available in the alert record (for dns related alerts/rules)
Bug #2797: configure.ac: broken --{enable,disable}-xxx options
Bug #2798: --engine-analysis is unaware of http_host buffer
Bug #2800: Undocumented commands for suricatasc
Bug #2812: suricatasc multiple python issues
Bug #2813: suricatasc: failure with extra commands
Bug #2817: Suricata.yaml encrypt-handling instead of encryption-handling
Bug #2821: netmap/afpacket IPS: stream.inline: auto broken (5.0.x)
Bug #2822: SSLv3 - AddressSanitizer heap-buffer-overflow (5.0.x)
Bug #2833: mem leak - rules loading hunt rules
Bug #2838: 4.1.x gcc 9 compilation warnings
Bug #2844: alignment issues in dnp3
Bug #2846: IPS mode crash under load (5.0.x)
Bug #2857: nfq asan heap-use-after-free error
Bug #2877: rust: windows build fails in gen-c-headers.py
Bug #2889: configure doesn't display additional information for missing requirements
Bug #2896: smb 1 create andx request does not parse the filename correctly (master)
Bug #2899: Suricata 4.1.2 and up to 5.x Dev branch - Make compile issue when using PF_ring library on Redhat only
Bug #2901: pcap logging with lz4 coverity warning (master)
Bug #2909: segfault on logrotation when the files cannot be opened
Bug #2912: memleaks in nflog
Bug #2915: modernize ssh sticky buffers
Bug #2921: chmod file mode warning expressed in incorrect base
Bug #2929: error messages regarding byte jump and byte extract
Bug #2944: ssh: heap buffer overflow (master)
Bug #2945: mpls: heap-buffer overflow in file decode-mpls.c (master)
Bug #2946: decode-ethernet: heap-buffer overflow in file decode-ethernet.c (master)
Bug #2947: rust/dhcp: panic in dhcp parser (master)
Bug #2948: mpls: cast of misaligned data leads to undefined behaviour (master)
Bug #2949: rust/ftp: panic in ftp parser (master)
Bug #2950: rust/nfs: integer underflow (master)
Task #2297: deprecate: dns.log
Task #2376: deprecate: files-json.log
Task #2379: deprecate: Tilera / Tile support
Task #2849: Remove C SMB parser.
Task #2850: Remove C DNS parsers.
4.1.2 -- 2018-12-21
Feature #1863: smtp: improve pipelining support
Feature #2748: bundle libhtp 0.5.29
Feature #2749: bundle suricata-update 1.0.3
Bug #2682: python-yaml Not Listed As Ubuntu Prerequisite
Bug #2736: DNS Golden Transaction ID - detection bypass
Bug #2745: Invalid detect-engine config could lead to segfault
Bug #2752: smb: logs for IOCTL and DCERPC have tree_id value of 0
4.1.1 -- 2018-12-17
Feature #2637: af-packet: improve error output for BPF loading failure
Feature #2671: Add Log level to suricata.log when using JSON type
Bug #2502: suricata.c ConfigGetCaptureValue - PCAP/AFP fallthrough to strip_trailing_plus
Bug #2528: krb parser not always parsing tgs responses
Bug #2633: Improve errors handling in AF_PACKET
Bug #2653: llc detection failure in configure.ac
Bug #2677: coverity: ja3 potential memory leak
Bug #2679: build with profiling enabled generates compile warnings
Bug #2704: DNSv1 for Rust enabled builds.
Bug #2705: configure: Test for PyYAML and disable suricata-update if not installed.
Bug #2716: Stats intervals are 1 second too early each tick
Bug #2717: nfs related panic in 4.1
Bug #2719: Failed Assertion, Suricata Abort - util-mpm-hs.c line 163 (4.1.x)
Bug #2723: dns v2 json output should always set top-level rrtype in responses
Bug #2730: rust/dns/lua - The Lua calls for DNS values when using Rust don't behave the same as the C implementation.
Bug #2731: multiple instances of transaction loggers are broken
Bug #2734: unix runmode deadlock when using too many threads
4.1.0 -- 2018-11-06
Bug #2467: 4.1beta1 - non rust builds with SMB enabled
Bug #2657: smtp segmentation fault
Bug #2663: libhtp 0.5.28
4.1.0-rc2 -- 2018-10-16
Feature #2279: TLS 1.3 decoding, SNI extraction and logging
Feature #2562: Add http_port in http eve-log if specified in the hostname
Feature #2567: multi-tenancy: add 'device' selector
Feature #2638: community flow id
Optimization #2579: tcp: SegmentSmack
Optimization #2580: ip: FragmentSmack
Bug #2100: af_packet: High latency
Bug #2212: profiling: app-layer profiling shows time spent in HTTP on UDP
Bug #2419: Increase size of length of Decoder handlers from uint16 to uint32
Bug #2491: async-oneside and midstream not working as expected
Bug #2522: The cross-effects of rules on each other, without the use of flowbits.
Bug #2541: detect-parse: missing space in error message
Bug #2552: "Drop" action is logged as "allowed" in af_packet and netmap modes
Bug #2554: suricata does not detect a web-attack
Bug #2555: Ensure strings in eve-log are json-encodable
Bug #2558: negated fileext and filename do not work as expected
Bug #2559: DCE based rule false positives
Bug #2566: memleak: applayer dhcp with 4.1.0-dev (rev 9370805)
Bug #2570: Signature affecting another's ability to detect and alert
Bug #2571: coredump: liballoc/vec.rs dhcp
Bug #2573: prefilter keyword doesn't work when detect.prefilter.default=mpm
Bug #2574: prefilter keyword as alias for fast_pattern is broken
Bug #2603: memleak/coredump: Ja3BufferInit
Bug #2604: memleak: DetectEngineStateAlloc with ipsec-events.rules
Bug #2606: File descriptor leak in af-packet mode
Bug #2615: processing of nonexistent pcap
4.1.0-rc1 -- 2018-07-20
Feature #2292: flow: add icmpv4 and improve icmpv6 flow handling
Feature #2298: pcap: store pcaps in compressed form
Feature #2416: Increase XFF coverage to files and http log
Feature #2417: Add Option to Delete Pcap Files After Processing
Feature #2455: Add WinDivert source to Windows builds
Feature #2456: LZ4 compression for pcap logs
Optimization #2461: Let user explicitly disable libnss and libnspr support
Bug #1929: yaml: ConfYamlHandleInclude memleak
Bug #2090: Rule-reload in multi-tenancy is buggy
Bug #2217: event_type flow is missing icmpv4 (while it has icmpv6) info wherever available
Bug #2463: memleak: gitmaster flash decompression - 4.1.0-dev (rev efdc592)
Bug #2469: The autoconf script throws an error when af_packet is enabled and then continues
Bug #2481: integer overflow caused by casting uint32 to uint16 in detection
Bug #2492: Inverted IP params in fileinfo events
Bug #2496: gcc 8 warnings
Bug #2498: Lua file output script causes a segfault when protocol is not HTTP
Bug #2501: Suricata stops inspecting TCP stream if a TCP RST was met
Bug #2504: ntp parser update cause build failure
Bug #2505: getrandom prevents any suricata start commands on newer OSes
Bug #2511: Suricata gzip unpacker bypass
Bug #2515: memleak: when using smb rules without rust
Bug #2516: Dead lock caused by unix command register-tenant
Bug #2518: Tenant rules reload completely broken in 4.x.x
Bug #2520: Invalid application layer logging in alert for DNS
Bug #2521: rust: dns warning during compile
Bug #2536: libhtp 0.5.27
Bug #2542: ssh out of bounds read
Bug #2543: enip out of bounds read
4.1.0-beta1 -- 2018-03-22
Feature #550: Extract file attachments from FTP
Feature #646: smb log feature to be introduced
Feature #719: finish/enable smb2 app layer parser
Feature #723: Add support for smb 3
Feature #724: Prevent resetting in UNIX socket mode
Feature #735: Introduce content_len keyword
Feature #741: Introduce endswith keyword
Feature #742: startswith keyword
Feature #1006: transformation api
Feature #1198: more compact dns logging
Feature #1201: file-store metadata in JSON format
Feature #1386: offline: add pcap file name to EVE
Feature #1458: unix-socket - make rule load errs available
Feature #1476: Suricata Unix socket PCAP processing stats should not need to reset after each run
Feature #1579: Support Modbus Unit Identifier
Feature #1585: unix-socket: improve information regarding ruleset
Feature #1600: flash file decompression for file_data
Feature #1678: open umask settings or make them configurable
Feature #1948: allow filestore name configuration options
Feature #1949: only write unique files
Feature #2020: eve: add body of signature to eve.json alert
Feature #2062: tls: reimplement tls.fingerprint
Feature #2076: Strip whitespace from buffers
Feature #2086: DNS answer for a NS containing multiple name servers should only be one line
Feature #2142: filesize: support other units than only bytes
Feature #2192: JA3 TLS client fingerprinting
Feature #2199: DNS answer events compacted
Feature #2222: Batch submission of PCAPs over the socket
Feature #2253: Log rule metadata in alert event
Feature #2285: modify memcaps over unix socket
Feature #2295: decoder: support PCAP LINKTYPE_IPV4
Feature #2299: pcap: read directory with pcaps from the command-line
Feature #2303: file-store enhancements (aka file-store v2): deduplication; hash-based naming; json metadata and cleanup tooling
Feature #2352: eve: add "metadata" field to alert (rework of vars)
Feature #2382: deprecate: CUDA support
Feature #2399: eBPF and XDP bypass for AF_PACKET capture method
Feature #2464: tftp logging
Optimization #2193: random: support getrandom(2) if available
Optimization #2302: rule parsing: faster parsing by not using pcre
Bug #993: libhtp upgrade to handle responses first
Bug #1503: lua output setup failure does not exit engine with --init-errors-fatal
Bug #1788: af-packet coverity warning
Bug #1842: Duplicated analyzer in Prelude alert
Bug #1904: modbus: duplicate alerts / detection unaware of direction
Bug #2202: BUG_ON asserts in AppLayerIncFlowCounter
Bug #2229: mem leak AFP with 4.0.0-dev (rev 1180687)
Bug #2240: suricatasc dump-counters returns error when return message is larger than 4096
Bug #2252: Rule parses in 4.0 when flow to client is set and http_client_body is used.
Bug #2258: rate_filter inconsistency: triggered after "count" detections when by_rule, and after count+1 detections when by_src/by_dst.
Bug #2268: Don't printf util-enum errors
Bug #2288: Suricata segfaults on ICMP and flowint check
Bug #2294: rules: depth < content rules not rejected (master)
Bug #2307: segfault in http_start with 4.1.0-dev (rev 83f220a)
Bug #2335: conf: stack-based buffer-overflow in ParseFilename
Bug #2345: conf: Memory-leak in DetectAddressTestConfVars
Bug #2346: conf: NULL-pointer dereference in ConfUnixSocketIsEnable
Bug #2347: conf: use of NULL-pointer in DetectLoadCompleteSigPath
Bug #2349: conf: multiple NULL-pointer dereferences in FlowInitConfig
Bug #2353: Command Line Options Ignored with pcap-file-continuous setting
Bug #2354: conf: multiple NULL-pointer dereferences in StreamTcpInitConfig
Bug #2356: coverity issues in new pcap file/directory handling
Bug #2360: possible deadlock with signal handling
Bug #2364: rust/dns: logging missing string versions of rtypes and rcodes
Bug #2365: rust/dns: flooded by 'LogDnsLogger not implemented for Rust DNS'
Bug #2367: Conf: Multiple NULL-pointer dereferences in HostInitConfig
Bug #2368: Conf: Multiple NULL-pointer dereferences after ConfGetBool in StreamTcpInitConfig
Bug #2370: Conf: Multiple NULL-pointer dereferences in PostConfLoadedSetup
Bug #2390: mingw linker error with rust
Bug #2391: libhtp 0.5.26
Bug #2394: Pcap Directory May Miss Files
Bug #2397: Call to panic()! macro in Rust NFS decoder causes crash on malformed NFS traffic
Bug #2398: Lua keyword cmd help documentation pointing to old docs
Bug #2402: http_header_names doesn't operate as documented
Bug #2403: Crash for offline pcap mode when running in single mode
Bug #2407: Fix timestamp offline when pcap timestamp is zero
Bug #2408: fix print backslash in PrintRawUriFp
Bug #2414: NTP parser registration frees used memory
Bug #2418: Skip configuration "include" nodes when file is empty
Bug #2420: Use pthread_sigmask instead of sigprocmask for signal handling
Bug #2425: DNP3 memcpy buffer overflow
Bug #2427: Suricata 3.x.x and 4.x.x do not parse HTTP responses if tcp data was sent before 3-way-handshake completed
Bug #2430: http eve log data source/dest flip
Bug #2437: rust/dns: Core Dump with malformed traffic
Bug #2442: der parser: bad input consumes cpu and memory
Bug #2446: http bodies / file_data: thread space creation writing out of bounds (master)
Bug #2451: Missing Files Will Cause Pcap Thread to No Longer Run in Unix Socket Mode
Bug #2454: master - suricata.c:2473-2474 - SIGUSR2 not wrapped in #ifndef OS_WIN32
Bug #2466: [4.1beta1] Messages with SC_LOG_CONFIG level are logged to syslog with EMERG priority
4.0.1 -- 2017-10-18
Bug #2050: TLS rule mixes up server and client certificates
Bug #2064: Rules with dual classtype do not error
Bug #2074: detect msg: memory leak
Bug #2102: Rules with dual sid do not error
Bug #2103: Rules with dual rev do not error
Bug #2151: The documentation does not reflect current suricata.yaml regarding cpu-affinity
Bug #2194: rust/nfs: sigabrt/rust panic - 4.0.0-dev (rev fc22943)
Bug #2197: rust build with lua enabled fails on x86
Bug #2201: af_packet: suricata leaks memory with use-mmap enabled and incorrect BPF filter
Bug #2207: DNS UDP "Response" parsing recording an incorrect value
Bug #2208: mis-structured JSON stats output if interface name is shortened
Bug #2226: improve error message if stream memcaps too low
Bug #2228: enforcing specific number of threads with autofp does not seem to work
Bug #2244: detect state uses broken offset logic (4.0.x)
Feature #2114: Redis output: add RPUSH support
Feature #2152: Packet and Drop Counters for Napatech
4.0.0 -- 2017-07-27
Feature #2138: Create a sample systemd service file.
Feature #2184: rust: increase minimally supported rustc version to 1.15
Bug #2169: dns/tcp: response traffic leads to 'app_proto_tc: failed'
Bug #2170: Suricata fails on large BPFs with AF_PACKET
Bug #2185: rust: build failure if libjansson is missing
Bug #2186: smb dcerpc segfaults in StubDataParser
Bug #2187: hyperscan: mpm setup error leads to crash
4.0.0-rc2 -- 2017-07-13
Feature #744: Teredo configuration
Feature #1748: lua: expose tx in alert lua scripts
Bug #1855: alert number output
Bug #1888: noalert in a pass rule disables the rule
Bug #1957: PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding
Bug #1958: Possible confusion or bypass within the stream engine with retransmits.
Bug #2110: isdataat: keyword memleak
Bug #2162: rust/nfs: reachable asserting rust panic
Bug #2175: rust/nfs: panic - 4.0.0-dev (rev 7c25a2d)
Bug #2176: gcc 7.1.1 'format truncation' compiler warnings
Bug #2177: asn1/der: stack overflow
4.0.0-rc1 -- 2017-06-28
Feature #2095: eve: http body in alert event
Feature #2131: nfs: implement GAP support
Feature #2156: Add app_proto or partial flow entry to alerts
Feature #2163: ntp parser
Feature #2164: rust: external parser crate support
Bug #1930: Segfault when event rule is invalid
Bug #2038: validate app-layer API use
Bug #2101: unix socket: stalling due to being unable to disable detect thread
Bug #2109: asn1: keyword memleak
Bug #2117: byte_extract and byte_test collaboration doesn't work on 3.2.1
Bug #2141: 4.0.0-dev (rev 8ea9a5a) segfault
Bug #2143: Bypass cause missing alert on packets only signatures
Bug #2144: rust: panic in dns/tcp
Bug #2148: rust/dns: panic on malformed rrnames
Bug #2153: starttls 'tunnel' packet issue - nfq_handle_packet error -1
Bug #2154: Dynamic stack overflow in payload printable output
Bug #2155: AddressSanitizer double-free error
Bug #2157: Compilation Issues Beta 4.0
Bug #2158: Suricata v4.0.0-beta1 dns_query; segmentation fault
Bug #2159: http: 2221028 triggers on underscore in hostname
Bug #2160: openbsd: pcap with raw datalink not supported
Bug #2161: libhtp 0.5.25
Bug #2165: rust: releases should include crate dependencies (cargo-vendor)
4.0.0-beta1 -- 2017-06-07
Feature #805: Add support for applayer change
Feature #806: Implement STARTTLS support
Feature #1636: Signal rotation of unified2 log file without restart
Feature #1953: lua: expose flow_id
Feature #1969: TLS transactions with session resumption are not logged
Feature #1978: Using date in logs name
Feature #1998: eve.tls: custom TLS logging
Feature #2006: tls: decode certificate serial number
Feature #2011: eve.alert: print outside IP addresses on alerts on traffic inside tunnels
Feature #2046: Support custom file permissions per logger
Feature #2061: lua: get timestamps from flow
Feature #2077: Additional HTTP Header Contents and Negation
Feature #2123: unix-socket: additional runmodes
Feature #2129: nfs: parser, logger and detection
Feature #2130: dns: rust parser with stateless behaviour
Feature #2132: eve: flowbit and other vars logging
Feature #2133: unix socket: add/remove hostbits
Bug #1335: suricata option --pidfile overwrites any file
Bug #1470: make install-full can have race conditions on OSX.
Bug #1759: CentOS5 EOL tasks
Bug #2037: travis: move off legacy support
Bug #2039: suricata stops processing when http-log output via unix_stream backs up
Bug #2041: bad checksum 0xffff
Bug #2044: af-packet: faulty VLAN handling in tpacket-v3 mode
Bug #2045: geoip: compile warning on CentOS 7
Bug #2049: Empty rule files cause failure exit code without corresponding message
Bug #2051: ippair: xbit unset memory leak
Bug #2053: ippair: pair is direction sensitive
Bug #2070: file store: file log / file store mismatch with multiple files
Bug #2072: app-layer: fix memleak on bad traffic
Bug #2078: http body handling: failed assertion
Bug #2088: modbus: clang-4.0 compiler warnings
Bug #2093: Handle TCP stream gaps.
Bug #2097: "Name of device should not be null" appears in suricata.log when using pfring with configuration from suricata.yaml
Bug #2098: isdataat: fix parsing issue with leading spaces
Bug #2108: pfring: errors when compiled with asan/debug
Bug #2111: doc: links towards http_header_names
Bug #2112: doc: links towards certain http_ keywords not working
Bug #2113: Race condition starting Unix Server
Bug #2118: defrag - overlap issue in linux policy
Bug #2125: ASAN SEGV - Suricata version 4.0dev (rev 922a27e)
Optimization #521: Introduce per stream thread segment pool
Optimization #1873: Classtypes missing on decoder-events, files, and stream-events
3.2.1 -- 2017-02-15
Feature #1951: Allow building without libmagic/file
Feature #1972: SURICATA ICMPv6 unknown type 143 for MLDv2 report
Feature #2010: Suricata should confirm SSSE3 presence at runtime when built with Hyperscan support
Bug #467: compilation with unittests & debug validation
Bug #1780: VLAN tags not forwarded in afpacket inline mode
Bug #1827: Mpm AC fails to alloc memory
Bug #1843: Mpm Ac: int overflow during init
Bug #1887: pcap-log sets snaplen to -1
Bug #1946: can't get response info in some situation
Bug #1973: suricata fails to start because of unix socket
Bug #1975: hostbits/xbits memory leak
Bug #1982: tls: invalid record event triggers on valid traffic
Bug #1984: http: protocol detection issue if both sides are malformed
Bug #1985: pcap-log: minor memory leaks
Bug #1987: log-pcap: pcap files created with invalid snaplen
Bug #1988: tls_cert_subject bug
Bug #1989: SMTP protocol detection is case sensitive
Bug #1991: Suricata cannot parse ports: "![1234, 1235]"
Bug #1997: tls-store: bug that cause Suricata to crash
Bug #2001: Handling of unsolicited DNS responses.
Bug #2003: BUG_ON body sometimes contains side-effectual code
Bug #2004: Invalid file hash computation when force-hash is used
Bug #2005: Incoherent sizes between request, capture and http length
Bug #2007: smb: protocol detection just checks toserver
Bug #2008: Suricata 3.2, pcap-log no longer works due to timestamp_pattern PCRE
Bug #2009: Suricata is unable to get offloading settings when run under non-root
Bug #2012: dns.log does not log unanswered queries
Bug #2017: EVE Log Missing Fields
Bug #2019: IPv4 defrag evasion issue
Bug #2022: dns: out of bound memory read
3.2 -- 2016-12-01
Bug #1117: PCAP file count does not persist
Bug #1577: luajit scripts load error
Bug #1924: Windows dynamic DNS updates trigger 'DNS malformed request data' alerts
Bug #1938: suricata: log handling issues
Bug #1955: luajit script init failed
Bug #1960: Error while parsing rule with PCRE keyword with semicolon
Bug #1961: No error on missing semicolon between depth and classtype
Bug #1965: dnp3/enip/cip keywords naming convention
Bug #1966: af-packet fanout detection broken on Debian Jessie (master)
3.2RC1 -- 2016-11-01
Feature #1906: doc: install man page and ship pdf
Feature #1916: lua: add an SCPacketTimestamp function
Feature #1867: rule compatibility: flow:not_established not supported.
Bug #1525: Use pkg-config for libnetfilter_queue
Bug #1690: app-layer-proto negation issue
Bug #1909: libhtp 0.5.23
Bug #1914: file log always shows stored: no even if file is stored
Bug #1917: nfq: bypass SEGV
Bug #1919: filemd5: md5-list does not allow comments any more
Bug #1923: dns - back to back requests results in loss of response
Bug #1928: flow bypass leads to memory errors
Bug #1931: multi-tenancy fails to start
Bug #1932: make install-full does not install tls-events.rules
Bug #1935: Check redis reply in non pipeline mode
Bug #1936: Can't set fast_pattern on tls_sni content
3.2beta1 -- 2016-10-03
Feature #509: add SHA1 and SHA256 checksum support for files
Feature #1231: ssl_state negation support
Feature #1345: OOBE -3- disable NIC offloading by default
Feature #1373: Allow different reassembly depth for filestore rules
Feature #1495: EtherNet/IP and CIP support
Feature #1583: tls: validity fields (notBefore and notAfter)
Feature #1657: Per application layer stats
Feature #1896: Reimplement tls.subject and tls.issuerdn
Feature #1903: tls: tls_cert_valid and tls_cert_expired keywords
Feature #1907: http_request_line and http_response_line
Optimization #1044: TLS buffers evaluated by fast_pattern matcher.
Optimization #1277: Trigger second live rule-reload while first one is in progress
Bug #312: incorrect parsing of rules with missing semi-colon for keywords
Bug #712: wildcard matches on tls.subject
Bug #1353: unix-command socket created with last character missing
Bug #1486: invalid rule: parser err msg not descriptive enough
Bug #1525: Use pkg-config for libnetfilter_queue
Bug #1893: tls: src_ip and dest_ip reversed in TLS events for IPS vs IDS mode.
Bug #1898: Inspection does not always stop when stream depth is reached
3.1.2 -- 2016-09-06
Feature #1830: support 'tag' in eve log
Feature #1870: make logged flow_id more unique
Feature #1874: support Cisco Fabric Path / DCE
Feature #1885: eve: add option to log all dropped packets
Bug #1849: ICMPv6 incorrect checksum alert if Ethernet FCS is present
Bug #1853: suricata is matching everything on dce_stub_data buffer
Bug #1854: unified2: logging of tagged packets not working
Bug #1856: PCAP mode device not found
Bug #1858: Lots of TCP 'duplicated option/DNS malformed request data' after upgrading from 3.0.1 to 3.1.1
Bug #1878: dns: crash while logging sshfp records
Bug #1880: icmpv4 error packets can lead to missed detection in tcp/udp
Bug #1884: libhtp 0.5.22
3.1.1 -- 2016-07-13
Feature #1775: Lua: SMTP-support
Bug #1419: DNS transaction handling issues
Bug #1515: Problem with Threshold.config when using more than one IP
Bug #1664: Unreplied DNS queries not logged when flow is aged out
Bug #1808: Can't set thread priority after dropping privileges.
Bug #1821: Suricata 3.1 fails to start on CentOS6
Bug #1839: suricata 3.1 configure.ac says >=libhtp-0.5.5, but >=libhtp-0.5.20 required
Bug #1840: --list-keywords and --list-app-layer-protos not working
Bug #1841: libhtp 0.5.21
Bug #1844: netmap: IPS mode doesn't set 2nd iface in promisc mode
Bug #1845: Crash on disabling a app-layer protocol when it's logger is still enabled
Optimization #1846: af-packet: improve thread calculation logic
Optimization #1847: rules: don't warn on empty files
3.1 -- 2016-06-20
Bug #1589: Cannot run nfq in workers mode
Bug #1804: yaml: legacy detect-engine parsing custom values broken
3.1RC1 -- 2016-06-07
Feature #681: Implement TPACKET_V3 support in AF_PACKET
Feature #1134: tls: server name rule keyword
Feature #1343: OOBE -1- increasing the default stream.memcap and stream.reassembly.memcap values
Feature #1344: OOBE -2- decreasing the default flow-timeouts (at least for TCP)
Feature #1563: dns: log sshfp records
Feature #1760: Unit tests: Don't register return value, use 1 for success, 0 for failure.
Feature #1761: Unit tests: Provide macros for clean test failures.
Feature #1762: default to AF_PACKET for -i if available
Feature #1785: hyperscan spm integration
Feature #1789: hyperscan mpm: enable by default
Feature #1797: netmap: implement 'threads: auto'
Feature #1798: netmap: warn about NIC offloading on FreeBSD
Feature #1800: update bundled libhtp to 0.5.20
Feature #1801: reduce info level verbosity
Feature #1802: yaml: improve default layout
Feature #1803: reimplement rule grouping
Bug #1078: 'Not' operator (!) in Variable causes extremely slow loading of Suricata
Bug #1202: detect-engine profile medium consumes more memory than detect-engine profile high
Bug #1289: MPM b2gm matcher has questionable code
Bug #1487: Configuration parser depends on key ordering
Bug #1524: Potential Thread Name issues due to RHEL7 Interface Naming Contentions
Bug #1584: Rule keywords conflict will cause Suricata restart itself in loop
Bug #1606: [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl: 6
Bug #1665: Default maximum packet size is insufficient when VLAN tags are present (and not stripped)
Bug #1714: Kernel panic on application exit with netmap Suricata 3.0 stable
Bug #1746: deadlock with autofp and --disable-detection
Bug #1764: app-layer-modbus: AddressSanitizer error (segmentation fault)
Bug #1768: packet processing threads doubled
Bug #1771: tls store memory leak
Bug #1773: smtp: not all attachments inspected in all cases
Bug #1786: spm crash on rule reload
Bug #1792: dns-json-log produces no output
Bug #1795: Remove unused CPU affinity settings from suricata.yaml
Optimization #563: pmq optimization -- remove patter_id_array
Optimization #1037: Optimize TCP Option storage
Optimization #1418: lockless flow handling during capture (autofp)
Optimization #1784: reduce storage size of IPv4 options and IPv6 ext hdrs
3.0.1 -- 2016-04-04
Feature #1704: hyperscan mpm integration
Feature #1661: Improved support for xbits/hostbits (in particular ip_pair) when running with multiple threads
Bug #1697: byte_extract incompatibility with Snort.
Bug #1737: Stats not reset between PCAPs when Suricata runs in socket mode
3.0.1RC1 -- 2016-03-23
Feature #1535: Expose the certificate itself in TLS-lua
Feature #1696: improve logged flow_id
Feature #1700: enable "relro" and "now" in compile options for 3.0
Feature #1734: gre: support transparent ethernet bridge decoding
Feature #1740: Create counters for decode-events errors
Bug #873: suricata.yaml: .mgc is NOT actually added to value for magic file
Bug #1166: tls: CID 1197759: Resource leak (RESOURCE_LEAK)
Bug #1268: suricata and macos/darwin: [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: File 5.19 supports only version 12 magic files. `/usr/share/file/magic.mgc' is version 7
Bug #1359: memory leak
Bug #1411: Suricata generates huge load when nfq_create_queue failed
Bug #1570: stream.inline defaults to IDS mode if missing
Bug #1591: afpacket: unsupported datalink type 65534 on tun device
Bug #1619: Per-Thread Delta Stats Broken
Bug #1638: rule parsing issues: rev
Bug #1641: Suricata won't build with --disable-unix-socket when libjansson is enabled
Bug #1646: smtp: fix inspected tracker values
Bug #1660: segv when using --set on a list
Bug #1669: Suricata 3.0RC3 segfault after 10 hours
Bug #1670: Modbus compiler warnings on Fedora 23
Bug #1671: Cygwin Windows compilation with libjansson from source
Bug #1674: Cannot use 'tag:session' after base64_data keyword
Bug #1676: gentoo build error
Bug #1679: sensor-name configuration parameter specified in wrong place in default suricata.yaml
Bug #1680: Output sensor name in json
Bug #1684: eve: stream payload has wrong direction in IPS mode
Bug #1686: Conflicting "no" for "totals" and "threads" in stats output
Bug #1689: Stack overflow in case of variables misconfiguration
Bug #1693: Crash on Debian with libpcre 8.35
Bug #1695: Unix Socket missing dump-counters mode
Bug #1698: Segmentation Fault at detect-engine-content-inspection.c:438 (master)
Bug #1699: CUDA build broken
Bug #1701: memory leaks
Bug #1702: TLS SNI parsing issue
Bug #1703: extreme slow down in HTTP multipart parsing
Bug #1706: smtp memory leaks
Bug #1707: malformed json if message is too big
Bug #1708: dcerpc memory leak
Bug #1709: http memory leak
Bug #1715: nfq: broken time stamps with recent Linux kernel 4.4
Bug #1717: Memory leak on Suricata 3.0 with Netmap
Bug #1719: fileinfo output wrong in eve in http
Bug #1720: flowbit memleak
Bug #1724: alert-debuglog: non-decoder events won't trigger rotation.
Bug #1725: smtp logging memleak
Bug #1727: unix socket runmode per pcap memory leak
Bug #1728: unix manager command channel memory leaks
Bug #1729: PCRE jit is disabled/blacklisted when it should not
Bug #1731: detect-tls memory leak
Bug #1735: cppcheck: Shifting a negative value is undefined behaviour
Bug #1736: tls-sni: memory leaks on malformed traffic
Bug #1742: vlan use-for-tracking including Priority in hashing
Bug #1743: compilation with musl c library fails
Bug #1744: tls: out of bounds memory read on malformed traffic
Optimization #1642: Add --disable-python option
3.0 -- 2016-01-27
Bug #1673: smtp: crash during mime parsing
3.0RC3 -- 2015-12-21
Bug #1632: Fail to download large file with browser
Bug #1634: Fix non thread safeness of Prelude analyzer
Bug #1640: drop log crashes
Bug #1645: Race condition in unix manager
Bug #1647: FlowGetKey flow-hash.c:240 segmentation fault (master)
Bug #1650: DER parsing issue (master)
3.0RC2 -- 2015-12-08
Bug #1551: --enable-profiling-locks broken
Bug #1602: eve-log prefix field feature broken
Bug #1614: app_proto key missing from EVE file events
Bug #1615: disable modbus by default
Bug #1616: TCP reassembly bug
Bug #1617: DNS over TCP parsing issue
Bug #1618: SMTP parsing issue
Feature #1635: unified2 output: disable by default
3.0RC1 -- 2015-11-25
Bug #1150: TLS store disabled by TLS EVE logging
Bug #1210: global counters in stats.log
Bug #1423: Unix domain log file writer should automatically reconnect if receiving program is restarted.
Bug #1466: Rule reload - Rules won't reload if rule files are listed in an included file.
Bug #1467: Specifying an IPv6 entry before an IPv4 entry in host-os-policy causes ASAN heap-buffer-overflow.
Bug #1472: Should 'goodsigs' be 'goodtotal' when checking if signatures were loaded in detect.c?
Bug #1475: app-layer-modbus: AddressSanitizer error (heap-buffer-overflow)
Bug #1481: Leading whitespace in flowbits variable names
Bug #1482: suricata 2.1 beta4: StoreStateTxFileOnly crashes
Bug #1485: hostbits - leading and trailing spaces are treated as part of the name and direction.
Bug #1488: stream_size <= and >= modifiers function as < and > (equality is not functional)
Bug #1491: pf_ring is not able to capture packets when running under non-root account
Bug #1493: config test (-T) doesn't fail on missing files
Bug #1494: off by one on rulefile count
Bug #1500: suricata.log
Bug #1508: address var parsing issue
Bug #1517: Order dependent, ambiguous YAML in multi-detect.
Bug #1518: multitenancy - selector vlan - vlan id range
Bug #1521: multitenancy - global vlan tracking relation to selector
Bug #1523: Decoded base64 payload short by 16 characters
Bug #1530: multitenant mapping relation
Bug #1531: multitenancy - confusing tenant id and vlan id output
Bug #1556: MTU setting on NIC interface not considered by af-packet
Bug #1557: stream: retransmission not detected
Bug #1565: defrag: evasion issue
Bug #1597: dns parser issue (master)
Bug #1601: tls: server name logging
Feature #1116: ips packet stats in stats.log
Feature #1137: Support IP lists in threshold.config
Feature #1228: Suricata stats.log in JSON format
Feature #1265: Replace response on Suricata dns decoder when dns error please
Feature #1281: long snort ruleset support for "SC_ERR_NOT_SUPPORTED(225): content length greater than 255 unsupported"
Feature #1282: support for base64_decode from snort's ruleset
Feature #1342: Support Cisco erspan traffic
Feature #1374: Write pre-aggregated counters for all threads
Feature #1408: multi tenancy for detection
Feature #1440: Load rules file from a folder or with a star pattern rather than adding them manually to suricata.yaml
Feature #1454: Proposal to add Lumberjack/CEE formatting option to EVE JSON syslog output for compatibility with rsyslog parsing
Feature #1492: Add HUP coverage to output json-log
Feature #1498: color output
Feature #1499: json output for engine messages
Feature #1502: Expose tls fields to lua
Feature #1514: SSH softwareversion regex should allow colon
Feature #1527: Add ability to compile as a Position-Independent Executable (PIE)
Feature #1568: TLS lua output support
Feature #1569: SSH lua support
Feature #1582: Redis output support
Feature #1586: Add flow memcap counter
Feature #1599: rule profiling: json output
Optimization #1269: Convert SM List from linked list to array
2.1beta4 -- 2015-05-08
Bug #1314: http-events performance issues
Bug #1340: null ptr dereference in Suricata v2.1beta2 (output-json.c:347)
Bug #1352: file list is not cleaned up
Bug #1358: Gradual memory leak using reload (kill -USR2 $pid)
Bug #1366: Crash if default_packet_size is below 32 bytes
Bug #1378: stats api doesn't call thread deinit funcs
Bug #1384: tcp midstream window issue (master)
Bug #1388: pcap-file hangs on systems w/o atomics support (master)
Bug #1392: http uri parsing issue (master)
Bug #1393: CentOS 5.11 build failures
Bug #1398: DCERPC traffic parsing issue (master)
Bug #1401: inverted matching on incomplete session
Bug #1402: When re-opening files on HUP (rotation) always use the append flag.
Bug #1417: no rules loaded - latest git - rev e250040
Bug #1425: dead lock in de_state vs flowints/flowvars
Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled
Bug #1429: stream: last_ack update issue leading to stream gaps
Bug #1435: EVE-Log alert payload option loses data
Bug #1441: Local timestamps in json events
Bug #1446: Unit ID check in Modbus packet error
Bug #1449: smtp parsing issue
Bug #1451: Fix list-keywords regressions
Bug #1463: modbus parsing issue
Feature #336: Add support for NETMAP to Suricata.
Feature #885: smtp file_data support
Feature #1394: Improve TCP reuse support
Feature #1410: add alerts to EVE's drop logs
Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
Feature #1447: Ability to reject ICMP traffic
Feature #1448: xbits
Optimization #1014: app layer reassembly fast-path
Optimization #1377: flow manager: reduce (try)locking
Optimization #1403: autofp packet pool performance problems
Optimization #1409: http pipeline support for stateful detection
2.1beta3 -- 2015-01-29
Bug #977: WARNING on empty rules file is fatal (should not be)
Bug #1184: pfring: cppcheck warnings
Bug #1321: Flow memuse bookkeeping error
Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
Bug #1332: cppcheck: ioctl
Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
Bug #1351: output-json: duplicate logging (2.1.x)
Bug #1354: coredumps on quitting on OpenBSD
Bug #1355: Bus error when reading pcap-file on OpenBSD
Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x)
Bug #1365: evasion issues (2.1.x)
Feature #1261: Request for Additional Lua Capabilities
Feature #1309: Lua support for Stats output
Feature #1310: Modbus parsing and matching
Feature #1317: Lua: Indicator for end of flow
Feature #1333: unix-socket: allow (easier) non-root usage
Optimization #1339: flow timeout optimization
Optimization #1371: mpm optimization
2.1beta2 -- 2014-11-06
Feature #549: Extract file attachments from emails
Feature #1312: Lua output support
Feature #899: MPLS over Ethernet support
Feature #707: ip reputation files - network range inclusion availability (cidr)
Feature #383: Stream logging
Feature #1263: Lua: Access to Stream Payloads
Feature #1264: Lua: access to TCP quad / Flow Tuple
Bug #1048: PF_RING/DNA config - suricata.yaml
Bug #1230: byte_extract, within combination not working
Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml
Bug #1259: AF_PACKET IPS is broken in 2.1beta1
Bug #1260: flow logging at shutdown broken
Bug #1279: BUG: NULL pointer dereference when suricata was in debug mode.
Bug #1280: BUG: IPv6 address vars issue
Bug #1285: Lua - http.request_line not working (2.1)
Bug #1287: Lua Output has dependency on eve-log:http
Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger
Bug #1294: Configure doesn't use --with-libpcap-libraries when testing PF_RING library
Bug #1301: suricata yaml - PF_RING load balance per hash option
Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master)
Bug #1311: EVE output Unix domain socket not working (2.1)
2.1beta1 -- 2014-08-12
Feature #1155: Log packet payloads in eve alerts
Feature #1208: JSON Output Enhancement - Include Payload(s)
Feature #1248: flow/connection logging
Feature #1258: json: include HTTP info with Alert output
Optimization #1039: Packetpool should be a stack
Optimization #1241: pcap recording: record per thread
2.0.3 -- 2014-08-08
Bug #1236: fix potential crash in http parsing
Bug #1244: ipv6 defrag issue
Bug #1238: Possible evasion in stream-tcp-reassemble.c
Bug #1221: lowercase conversion table missing last value
Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling
2.0.2 -- 2014-06-25
Bug #1098: http_raw_uri with relative pcre parsing issue
Bug #1175: unix socket: valgrind warning
Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
Bug #1195: nflog: cppcheck reports memleaks
Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
Bug #1211: defrag issue
Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
Bug #1217: Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analyzed via socket
Feature #781: IDS using NFLOG iptables target
Feature #1158: Parser DNS TXT data parsing and logging
Feature #1197: liblua support
Feature #1200: sighup for log rotation
2.0.1 -- 2014-05-21
No changes since 2.0.1rc1
2.0.1rc1 -- 2014-05-12
Bug #978: clean up app layer parser thread local storage
Bug #1064: Lack of Thread Deinitialization For Decoder Modules
Bug #1101: Segmentation in AppLayerParserGetTxCnt
Bug #1136: negated app-layer-protocol FP on multi-TX flows
Bug #1141: dns response parsing issue
Bug #1142: dns tcp toclient protocol detection
Bug #1143: tls protocol detection in case of tls-alert
Bug #1144: icmpv6: unknown type events for MLD_* types
Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
Bug #1146: tls: event on 'new session ticket' in handshake
Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
Bug #1161: eve: src and dst mixed up in some cases
Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
Bug #1163: HTP Segfault
Bug #1165: af_packet - one thread consistently not working
Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
Bug #1176: AF_PACKET IPS mode is broken in 2.0
Bug #1177: eve log do not show action 'dropped' just 'allowed'
Bug #1180: Possible problem in stream tracking
Feature #1157: Always create pid file if --pidfile command line option is provided.
Feature #1173: tls: OpenSSL heartbleed detection
2.0 -- 2014-03-25
Bug #1151: tls.store not working when a TLS filter keyword is used
2.0rc3 -- 2014-03-18
Bug #1127: logstash & suricata parsing issue
Bug #1128: Segmentation fault - live rule reload
Bug #1129: pfring cluster & ring initialization
Bug #1130: af-packet flow balancing problems
Bug #1131: eve-log: missing user agent reported inconsistently
Bug #1133: eve-log: http depends on regular http log
Bug #1135: 2.0rc2 release doesn't set optimization flag on GCC
Bug #1138: alert fastlog drop info missing
2.0rc2 -- 2014-03-06
Bug #611: fp: rule with ports matching on portless proto
Bug #985: default config generates rule warnings and errors
Bug #1021: 1.4.6: conf_filename not checked before use
Bug #1089: SMTP: move depends on uninitialised value
Bug #1090: FTP: Memory Leak
Bug #1091: TLS-Handshake: Uninitialized value
Bug #1092: HTTP: Memory Leak
Bug #1108: suricata.yaml config parameter - segfault
Bug #1109: PF_RING vlan handling
Bug #1110: Can have the same Pattern ID (pid) for the same pattern but different case flags
Bug #1111: capture stats at exit incorrect
Bug #1112: tls-events.rules file missing
Bug #1115: nfq: exit stats not working
Bug #1120: segv with pfring/afpacket and eve-log enabled
Bug #1121: crash in eve-log
Bug #1124: ipfw build broken
Feature #952: Add VLAN tag ID to all outputs
Feature #953: Add QinQ tag ID to all outputs
Feature #1012: Introduce SSH log
Feature #1118: app-layer protocols http memcap - info in verbose mode (-v)
Feature #1119: restore SSH protocol detection and parser
2.0rc1 -- 2014-02-13
Bug #839: http events alert multiple times
Bug #954: VLAN decoder stats with AF Packet get written to the first thread only - stats.log
Bug #980: memory leak in http buffers at shutdown
Bug #1066: logger APIs for packet based logging and tx based logging
Bug #1068: format string issues with size_t + qa not catching them
Bug #1072: Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault
Bug #1073: radix tree lookups are not thread safe
Bug #1075: CUDA 5.5 doesn't compile with 2.0 beta 2
Bug #1079: Err loading rules with variables that contain negated content.
Bug #1080: segfault - 2.0dev (rev 6e389a1)
Bug #1081: 100% CPU utilization with suricata 2.0 beta2+
Bug #1082: af-packet vlan handling is broken
Bug #1103: stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets
Bug #1104: vlan tagged fragmentation
Bug #1106: Git compile fails on Ubuntu Lucid
Bug #1107: flow timeout causes decoders to run on pseudo packets
Feature #424: App layer registration cleanup - Support specifying same alproto names in rules for different ip protocols
Feature #542: TLS JSON output
Feature #597: case insensitive fileext match
Feature #772: JSON output for alerts
Feature #814: QinQ tag flow support
Feature #894: clean up output
Feature #921: Override conf parameters
Feature #1007: united output
Feature #1040: Suricata should compile with -Werror
Feature #1067: memcap for http inside suricata
Feature #1086: dns memcap
Feature #1093: stream: configurable segment pools
Feature #1102: Add a decoder.QinQ stats in stats.log
Feature #1105: Detect icmpv6 on ipv4
2.0beta2 -- 2013-12-18
Bug #463: Suricata does not fire on http reply detection if the request is not http
Bug #640: app-layer-event:http.host_header_ambiguous set when it shouldn't
Bug #714: some logs not created in daemon mode
Bug #810: Alerts on http traffic storing the wrong packet as the IDS event payload
Bug #815: address parsing with negation
Bug #820: several issues found by clang 3.2
Bug #837: Af-packet statistics inconsistent under very high traffic
Bug #882: MpmACCudaRegister shouldn't call PatternMatchDefaultMatcher
Bug #887: http.log printing unknown hostname most of the time
Bug #890: af-packet segv
Bug #892: detect-engine.profile - custom - does not err out in incorrect toclient/srv values - suricata.yaml
Bug #895: response: rst packet bug
Bug #896: pfring dna mode issue
Bug #897: make install-full fails if wget is missing
Bug #903: libhtp valgrind warning
Bug #907: icmp_seq and icmp_id keyword with icmpv6 traffic (master)
Bug #910: make check fails w/o sudo/root privs
Bug #911: HUP signal
Bug #912: 1.4.3: Unit test in util-debug.c: line too long.
Bug #914: Having a high number of pickup queues (216+) makes suricata crash
Bug #915: 1.4.3: log-pcap.c: crash on printing a null filename
Bug #917: 1.4.5: decode-ipv6.c: void function cannot return value
Bug #920: Suricata failed to parse address
Bug #922: trackers value in suricata.yaml
Bug #925: prealloc-sessions value bigger than allowed in suricata.yaml
Bug #926: prealloc host value in suricata.yaml
Bug #927: detect-thread-ratio given a non numeric value in suricata.yaml
Bug #928: Max number of threads
Bug #932: wrong IP version - on stacked layers
Bug #939: thread name buffers are sized inconsistently
Bug #943: pfring: see if we can report that the module is not loaded
Bug #948: apple ppc64 build broken: thread-local storage not supported for this target
Bug #958: SSL parsing issue (master)
Bug #963: XFF compile failure on OSX
Bug #964: Modify negated content handling
Bug #967: threshold rule clobbers suppress rules
Bug #968: unified2 not logging tagged packets
Bug #970: AC memory read error
Bug #973: Use different ids for content patterns which are the same, but one of them has a fast_pattern chop set on it.
Bug #976: ip_rep supplying different no of alerts for 2 different but semantically similar rules
Bug #979: clean up app layer protocol detection memory
Bug #982: http events missing
Bug #987: default config generates error(s)
Bug #988: suricata doesn't exit in live mode
Bug #989: Segfault in HTPStateGetTxCnt after a few minutes
Bug #991: threshold mem leak
Bug #994: valgrind warnings in unittests
Bug #995: tag keyword: tagging sessions per time is broken
Bug #998: rule reload triggers app-layer-event FPs
Bug #999: delayed detect inits thresholds before de_ctx
Bug #1003: Segmentation fault
Bug #1023: block rule reloads during delayed detect init
Bug #1026: pfring: update configure to link with -lrt
Bug #1031: Fix IPv6 stream pseudo packets
Bug #1035: http uri/query normalization normalizes 'plus' sign to space
Bug #1042: Can't match "emailAddress" field in tls.subject and tls.issuerdn
Bug #1061: Multiple flowbit set in one rule
Feature #234: add option disable/enable individual app layer protocol inspection modules
Feature #417: ip fragmentation time out feature in yaml
Feature #478: XFF (X-Forwarded-For)
Feature #602: availability for http.log output - identical to apache log format
Feature #622: Specify number of pf_ring/af_packet receive threads on the command line
Feature #727: Explore the support for negated alprotos in sigs.
Feature #746: Decoding API modification
Feature #751: Add invalid packet counter
Feature #752: Improve checksum detection algorithm
Feature #789: Clean-up start and stop code
Feature #813: VLAN flow support
Feature #878: add storage api
Feature #901: VLAN defrag support
Feature #904: store tx id when generating an alert
Feature #940: randomize http body chunks sizes
Feature #944: detect nic offloading
Feature #956: Implement IPv6 reject
Feature #957: reject: iface setup
Feature #959: Move post config initialisation code to PostConfLoadedSetup
Feature #981: Update all switch case fall-throughs with comments on fall-throughs
Feature #983: Provide rule support for specifying icmpv4 and icmpv6.
Feature #986: set htp request and response size limits
Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
Feature #1009: Yaml file inclusion support
Feature #1032: profiling: per keyword stats
Optimization #583: improve Packet_ structure layout
Optimization #1018: clean up counters api
Optimization #1041: remove mkinstalldirs from git
2.0beta1 -- 2013-07-18
- Luajit flow vars and flow ints support (#593)
- DNS parser, logger and keyword support (#792), funded by Emerging Threats
- deflate support for HTTP response bodies (#470, #775)
- update to libhtp 0.5 (#775)
- improved gzip support for HTTP response bodies (#470, #775)
- redesigned transaction handling, improving both accuracy and performance (#753)
- redesigned CUDA support (#729)
- Be sure to always apply verdict to NFQ packet (#769)
- stream engine: SACK allocs should adhere to memcap (#794)
- stream: deal with multiple different SYN/ACKs better (#796)
- stream: Randomize stream chunk size for raw stream inspection (#804)
- Introduce per stream thread ssn pool (#519)
- "pass" IP-only rules should bypass detection engine after matching (#718)
- Generate error if bpf is used in IPS mode (#777)
- Add support for batch verdicts in NFQ, thanks to Florian Westphal
- Update Doxygen config, thanks to Phil Schroeder
- Improve libnss detection, thanks to Christian Kreibich
- Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml
- OS X unix socket build fixed (#830)
- bytetest, bytejump and byteextract negative offset failure (#827)
- Fix fast.log formatting issues (#771), thanks to Rmkml
- Invalidate negative depth (#774), thanks to Rmkml
- Fixed accuracy issues with relative pcre matching (#791)
- Fix deadlock in flowvar capture code (#802)
- Improved accuracy of file_data keyword (#817)
- Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy
- stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau
1.4.4 -- 2013-07-18
- Bug #834: Unix socket - showing as compiled when it is not desired to do so
- Bug #835: Unix Socket not working as expected
- Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present
- Bug #846: FP on IP frag and sig use udp port 0, thanks to Rmkml
- Bug #864: backport packet action macros
- Bug #876: htp tunnel fix
- Bug #877: Flowbit check with content doesn't match consistently, thanks to Francis Trudeau
1.4.3 -- 2013-06-20
- Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828)
- Fix IPS mode being unable to drop tunneled packets (#826)
- Fix OS X Unix Socket build (#829)
1.4.2 -- 2013-05-29
- No longer force nocase to be used on http_host
- Invalidate rule if uppercase content is used for http_host w/o nocase
- Warn user if bpf is used in af-packet IPS mode
- Better test for available libjansson version
- Fixed accuracy issues with relative pcre matching (#784)
- Improved accuracy of file_data keyword (#788)
- Invalidate negative depth (#770)
- Fix http host parsing for IPv6 addresses (#761)
- Fix fast.log formatting issues (#773)
- Fixed deadlock in flowvar set code for http buffers (#801)
- Various signature ordering improvements
- Minor stream engine fix
1.4.1 -- 2013-03-08
- GeoIP keyword, allowing matching on Maxmind's database, contributed by Ignacio Sanchez (#559)
- Introduce http_host and http_raw_host keywords (#733, #743)
- Add python module for interacting with unix socket (#767)
- Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)
- Big Napatech support update by Matt Keeler
- Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
- FreeBSD IPFW fixes by Nikolay Denev
- Add "default" interface setting to capture configuration in yaml (#679)
- Make sure "snaplen" can be set by the user (#680)
- Improve HTTP URI query string normalization (#739)
- Improved error reporting in MD5 loading (#693)
- Improve reference.config parser error reporting (#737)
- Improve build info output to include all configure options (#738)
- Segfault in TLS parsing reported by Charles Smutz (#725)
- Fix crash in teredo decoding, reported by Rmkml (#736)
- fixed UDPv4 packets without checksum being detected as invalid (#760)
- fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
- ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
- FN: IP-only rule ip_proto not matching for some protocols (#689)
- Fix build failure with other libhtp installs (#688)
- Fix malformed yaml loading leading to a crash (#694)
- Various Mac OS X fixes (#700, #701, #703)
- Fix for autotools on Mac OS X by Jason Ish (#704)
- Fix AF_PACKET under high load not updating stats (#706)
1.3.6 -- 2013-03-07
- fix decoder event rules not checked in all cases (#671)
- checksum detection for icmpv6 was fixed (#673)
- crash in HTTP server body inspection code fixed (#675)
- fixed an icmpv6 payload bug (#676)
- IP-only rule ip_proto not matching for some protocols was addressed (#690)
- fixed malformed yaml crashing suricata (#702)
- ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
- crash in tls parser was fixed (#759)
- fixed UDPv4 packets without checksum being detected as invalid (#762)
- fixed DCE/SMB parsers getting confused in some fragmented cases (#763)
1.4 -- 2012-12-13
- Decoder event matching fixed (#672)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
- Add more events to IPv6 extension header anomalies (#678)
- Fix ICMPv6 payload and checksum calculation (#677, #674)
- Clean up flow timeout handling (#656)
- Fix a shutdown bug when using AF_PACKET under high load (#653)
- Fix TCP sessions being cleaned up too early (#652)
1.3.5 -- 2012-12-06
- Flow engine memory leak fixed by Ludovico Cavedon (#651)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664)
- Flow manager mutex used uninitialized, fixed by Ludovico Cavedon (#654)
- Windows building in CYGWIN fixed (#630)
1.4rc1 -- 2012-11-29
- Interactive unix socket mode (#571, #552)
- IP Reputation: loading and matching (#647)
- Improved --list-keywords command-line option gives detailed info for supported keywords, including doc link (#435)
- Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
- User-Agent added to file log and filestore meta files (#629)
- Endace DAG supports live stats and at exit drop stats (#638)
- Add support for libhtp event "request port doesn't match tcp port" (#650)
- Rules with negated addresses will not be considered IP-only (#599)
- Rule reloads complete much faster in low traffic conditions (#526)
- Suricata -h now displays all available options (#419)
- Luajit configure time detection was improved (#636)
- Flow manager mutex used w/o initialization (#628)
- Cygwin workaround for windows shell mangling interface string (#372)
- Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
- CLANG compiler build fixes (#649)
- Several fixes found by code analyzers
1.4beta3 -- 2012-11-14
- support for Napatech cards was greatly improved by Matt Keeler from Npulse (#430, #619)
- support for pkt_data keyword was added
- user and group to run as can now be set in the config file
- make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
- add contrib directory to the dist (#567)
- performance improvements to signatures with dsize option
- improved rule analyzer: print fast_pattern along with the rule (#558)
- fixes to stream engine reducing the number of events generated (#604)
- add stream event to match on overlaps with different data in stream reassembly (#603)
- stream.inline option now defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
- HTTP handling in OOM condition was greatly improved (#557)
- filemagic keyword performance was improved (#585)
- fixes and improvements to daemon mode (#624)
- fix drop rules not working correctly when thresholded (#613)
- fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581)
- fix a false positive condition in http_header (#607)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627)
- fixes to rule profiling (#576)
- cleanups and misc fixes (#379, #395)
- updated bundled libhtp to 0.2.11
- build system improvements and cleanups
- fix to SSL record parsing
1.3.4 -- 2012-11-14
- fix crash in flow and host engines in cases of low memory or low memcap settings (#617)
- improve http handling in low memory conditions (#620)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626)
- fix building on OpenBSD 5.2
- update default config's defrag settings to reflect all available options
- fixes to make check
- fix to SSL record parsing
1.3.3 -- 2012-11-01
- fix drop rules not working correctly when thresholded (#615)
- fix a false positive condition in http_header (#606)
- fix extracted file corruption (#601)
- fix a false positive condition with the pcre keyword and relative matching (#588)
- fix PF_RING set cluster problem on dma interfaces (#598)
- improve http handling in low memory conditions (#586, #587)
- fix FreeBSD inline mode crash (#612)
- suppress pcre jit warning (#579)
1.4beta2 -- 2012-10-04
- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346)
- Added ability to control per server HTTP parser settings in much more detail (#503)
- Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
- Big performance improvement in inspecting decoder, stream and app layer events (#555)
- Pool performance improvements (#541)
- Improved performance of signatures with simple pattern setups (#577)
- Bundled docs are installed upon make install (#527)
- Support for a number of global vs rule thresholds [3] was added (#425)
- Improved rule profiling performance
- If no explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.
- Fix compilation on architectures other than x86 and x86_64 (#572)
- Fix FP with anchored pcre combined with relative matching (#529)
- Fix engine hanging instead of exiting if the pcap device doesn't exist (#533)
- Workaround for potential FP, will get properly fixed in next release (#574)
- Improve ERF handling. Thanks to Jason Ish
- Always set cluster_id in PF_RING
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue, IPS fix and cleanup
- Fix stream engine sometimes resending the same data to app layer
- Fix multiple issues in HTTP multipart parsing
- Fixed a lockup at shutdown with NFQ (#537)
1.3.2 -- 2012-10-03
- Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562)
- Fixed a FN condition with the flow:no_stream option (#575)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Fix multiple issues in HTTP multipart parsing
- Fix stream engine sometimes resending the same data to app layer
- Always set cluster_id in PF_RING
- Defrag: silence some potentially noisy errors/warnings
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue
1.4beta1 -- 2012-09-06
- Custom HTTP logging contributed by Ignacio Sanchez (#530)
- TLS certificate logging and fingerprint computation and keyword (#443)
- TLS certificate store to disk feature (#444)
- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
- AF_PACKET IPS support (#516)
- Rules can be set to inspect only IPv4 or IPv6 (#494)
- filesize keyword for matching on sizes of files in HTTP (#489)
- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
- NFQ fail open support (#507)
- Highly experimental lua scripting support for detection
- Live reloads now supports HTTP rule updates better (#522)
- AF_PACKET performance improvements (#197, #415)
- Make defrag more configurable (#517, #528)
- Improve pool performance (#518)
- Improve file inspection keywords by adding a separate API (#531)
- Example threshold.config file provided (#302)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Various spelling corrections by Simon Moon (#533)
1.3.1 -- 2012-08-21
- AF_PACKET performance improvements
- Defrag engine performance improvements
- HTTP: add per server options to enable/disable double decoding of URI (#464, #504)
- Stream engine packet handling for packets with non-standard flag combinations (#508)
- Improved stream engine handling of packet loss (#523)
- Stream engine checksum alerting fixed
- Various rule analyzer fixes (#495, #496, #497)
- (Rule) profiling fixed and improved (#460, #466)
- Enforce limit on max-pending-packets (#510)
- fast_pattern on negated content improved
- TLS rule keyword parsing issues fixed
- Windows build fixes (#502)
- Host OS parsing issues fixed (#499)
- Reject signatures where content length is bigger than "depth" setting (#505)
- Removed unused "prune-flows" option
- Set main thread and live reload thread names (#498)
1.3 -- 2012-07-06
- make live rule reloads optional and disabled by default
- fix a shutdown bug
- fix several memory leaks (#492)
- warn user if global and rule thresholding conflict (#455)
- set thread names on FreeBSD (Nikolay Denev)
- Fix PF_RING building on Ubuntu 12.04
- rule analyzer updates
- file inspection improvements when dealing with limits (#493)
1.3rc1 -- 2012-06-29
- experimental live rule reload by sending a USR2 signal (#279)
- AF_PACKET BPF support (#449)
- AF_PACKET live packet loss counters (#441)
- Rule analyzer (#349)
- add pcap workers runmode for use with libpcap wrappers that support load balancing, such as Napatech's or Myricom's
- negated filemd5 matching, allowing for md5 whitelisting
- signatures with depth and/or offset are now checked against packets in addition to the stream (#404)
- http_cookie keyword now also inspects "Set-Cookie" header (#479)
- filemd5 keyword no longer depends on log-file output module (#447)
- http_raw_header keyword inspects original header line terminators (#475)
- deal with double encoded URI (#464)
- improved SMB/SMB2/DCERPC robustness
- ICMPv6 parsing fixes
- improve HTTP body inspection
- stream.inline accuracy issues fixed (#339)
- general stability fixes (#482, #486)
- missing unittests added (#471)
- "threshold.conf not found" error made more clear (#446)
- IPS mode segment logging for Unified2 improved
1.3beta2 -- 2012-06-08
- experimental support for matching on large lists of known file MD5 checksums
- Improved performance for file_data, http_server_body and http_client_body keywords
- Improvements to HTTP handling: multipart parsing, gzip decompression
- Byte_extract can support negative offsets now (#445)
- Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459)
- HOME_NET, EXTERNAL_NET and the other vars are now checked for common errors (#454)
- Improved error reporting when using too long address strings (#451)
- MD5 calculation improvements for daemon mode and other cases (#449)
- File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste.
- Rule parser is made more strict.
- Unified2 output overhaul, logging individual segments in more cases.
- detection_filter keyword accuracy problem was fixed (#453)
- Don't inspect cookie header with http header (#461)
- Fixed a crash with a rule containing two byte_extract keywords (#456)
- SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476)
- Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452)
- Improve escaping of some characters in logs (#418)
- Checksum calculation bugs fixed
- IPv6 parsing issues fixed. Thanks to Michel Saborde.
- Endace DAG issues fixed. Thanks to Jason Ish from Endace.
- Various OpenBSD related fixes.
- Fixes for bugs found by Coverity source code analyzer.
1.3beta1 -- 2012-04-04
- TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier)
- Napatech capture card support (contributed by Randy Caldejon -- nPulse)
- Scripts for looking up files / file MD5s at Virus Total and others (contributed by Martin Holste)
- Test mode: -T option to test the config (#271)
- Ringbuffer and zero copy support for AF_PACKET
- CommandLine options to list supported app layer protocols and keywords (#344, #414)
- File extraction for HTTP POST requests that do not use multipart bodies
- On the fly md5 checksum calculation of extracted files
- Line based file log, in json format
- Basic support for including other yaml files into the main yaml
- New multi pattern engine: ac-bs
- Profiling improvements, added lock profiling code
- Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys)
- Unified yaml naming convention, including fallback support (by Nikolay Denev)
- Improved Endace DAG support (#431, Jason Ish -- Endace)
- New default runmode: "autofp" (#433)
- Major rewrite of flow engine, improving scalability.
- Improved http_stat_msg and http_stat_code keywords (#394)
- Improved scalability for Tag and Threshold subsystems
- Made the rule keyword parser much stricter in detecting syntax errors
- Split "file" output into "file-store" and "file-log" outputs
- Much improved file extraction
- CUDA build fixes (#421)
- Various FPs reported by Rmkml fixed (#403, #405, #411)
- IPv6 decoding and detection issues (reported by Michel Saborde)
- PCAP logging crash (#422)
- Fixed many (potential) issues with the help of the Coverity source code analyzer
- Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers
1.2.1 -- 2012-01-20
- fix malformed unified2 records when writing alerts triggered by stream inspection (#402)
- only force a pseudo packet inspection cycle for TCP streams in a state >= established
1.2 -- 2012-01-19
- improved Windows/CYGWIN path handling (#387)
- fixed some issues with passing an interface or ip address with -i
- make live worker runmode threads adhere to the 'detect' cpu affinity settings
1.2rc1 -- 2012-01-11
- app-layer-events keyword: similar to the decoder-events and stream-events keywords, this allows matching on HTTP and SMTP events
- auto detection of checksum offloading per interface (#311)
- urilen options to match on raw or normalized URI (#341)
- flow keyword option "only_stream" and "no_stream"
- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
- in IPS mode, reject rules now also drop (#399)
- http_header now also inspects response headers (#389)
- "worker" runmodes for NFQ and IPFW
- performance improvement for "ac" pattern matcher
- allow empty/non-initialized flowints to be incremented
- PCRE-JIT is now enabled by default if available (#356)
- many file inspection and extraction improvements
- flowbits and flowints are now modified in a post-match action list
- general performance improvements
- fixed parsing of very high sid numbers (>2 billion) (#393)
- fixed ICMPv6 not matching in IP-only sigs (#363)
1.2beta1 -- 2011-12-19
- File name, type inspection and extraction for HTTP
- filename, fileext, filemagic and filestore keywords added
- "file" output for storing extracted files to disk
- file_data keyword support, inspecting the normalized, dechunked, decompressed HTTP response body (feature #241)
- new keyword http_server_body, pcre regex /S option
- Option to enable/disable core dumping from the suricata.yaml (enabled by default)
- Human readable size limit settings in suricata.yaml
- PF_RING bpf support (requires PF_RING >= 5.1) (feature #334)
- tos keyword support (feature #364)
- IPFW IPS mode now supports multiple divert sockets
- New IPS running modes: Linux and FreeBSD now support "worker" and "autofp"
- Improved alert accuracy in autofp and single runmodes
- major performance optimizations for the ac-gfbs pattern matcher implementation
- unified2 output fixes
- PF_RING supports privilege dropping now (bug #367)
- Improved detection of duplicate signatures
1.1.1 -- 2011-12-07
- Fix for an error in the SMTP parser that could crash Suricata.
- Fix for AF_PACKET not compiling on modern Linux systems like Fedora 16.
1.1 -- 2011-11-10
- CUDA build fixed
- minor pcap, AF_PACKET and PF_RING fixes (#368)
- bpf handling fix
- Windows CYGWIN build
- more cleanups
1.1rc1 -- 2011-11-03
- extended HTTP request logging for use with (among other things) http_agent for Sguil (#38)
- AF_PACKET report drop stats on shutdown (#325)
- new counters in stats.log for flow and stream engines (#348)
- SMTP parsing code support for BDAT command (#347)
- HTTP URI normalization no longer converts to lowercase (#362)
- AF_PACKET works with privileges dropping now (#361)
- Prelude output for state matches (#264, #355)
- update of the pattern matching code that should improve accuracy
- rule parser was made more strict (#295, #312)
- multiple event suppressions for the same SID were fixed (#366)
- several accuracy fixes
- removal of the unified1 output plugins (#353)
1.1beta3 -- 2011-10-25
- af-packet support for high speed packet capture
- "replace" keyword support (#303)
- new "workers" runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap
- added "stream-event" keyword to match on TCP session anomalies
- support for suppress keyword was added (#274)
- byte_extract keyword support was added
- improved handling of timed out TCP sessions in the detection engine
- unified2 payload logging if detection was in the HTTP state (#264)
- improved accuracy of the HTTP transaction logging
- support for larger (64 bit) Flow/Stream memcaps (#332)
- major speed improvements for PCRE, including support for PCRE JIT
- support setting flowbits in ip-only rules (#292)
- performance increases on SSE3+ CPUs
- overhaul of the packet acquisition subsystem
- packet based performance profiling subsystem was added
- TCP SACK support was added to the stream engine
- updated included libhtp to 0.2.6 which fixes several issues
1.1beta2 -- 2011-04-13
- New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262).
- Inline mode for the stream engine (#230, #248).
- New keyword support: nfq_set_mark
- Included an example decoder-events.rules file
- api for adding and selecting runmodes was added
- pcap logging / recording output was added
- basic SCTP protocol parsing was added
- more fine-grained CPU affinity setting support was added
- stream engine inspects stream in larger chunks
- fast_pattern support for http_method content modifier (#255)
- negation support for isdataat keyword (#257)
- configurable interval for stats.log updates (#247)
- new pf_ring runmode was added that scales better
- pcap live mode now handles the monitor interface going up and down
- several QA additions to "make check"
- NFQ (linux inline) mode was improved
- Alerts classification fix (#275)
- compiles and runs on big-endian systems (#63)
- unified2 output works around barnyard2 issues with DLT_RAW + IPv6
1.1beta1 -- 2010-12-21
- New keyword support: http_raw_header, http_stat_msg, http_stat_code.
- A new default pattern matcher, Aho-Corasick based, that uses much less memory.
- reference.config support as supplied by ET/ETpro and VRT.
- Much improved fast_pattern support, including for http_uri, http_client_body, http_header, http_raw_header.
- Improved parsers, especially the DCERPC parser.
- Much improved performance & accuracy.
1.0.5 -- 2011-07-25
- Fix stream reassembly bug #300. Thanks to Rmkml for the report.
- Several (potential) issues fixed after a source code scan with Coverity, generously contributed by RedHat.
1.0.4 -- 2011-06-24
- LibHTP updated to 0.2.6
- Large number of (potential) issues fixed after a source code scan with Coverity, generously contributed by RedHat.
- Large number of (potential) issues fixed after source code scans with the Clang static analyzer.
1.0.3 -- 2011-04-13
- Fix broken checksum calculation for TCP/UDP in some cases
- Fix errors in the byte_test, byte_jump, http_method and http_header keywords
- Fix an ASN.1 parsing issue
- Improve LibHTP memory handling
- Fix a defrag issue
- Fix several stream engine issues