码涯-AIGC代码仓库-openoker/snort3: Snort是一个广泛使用的开源网络入侵检测系统，能够实时分析网络流量并识别潜在的攻击。它支持自定义规则，可以根据特定的威胁情报进行配置。

2024-09-24: 3.3.7.0

appid: dns sinkhole support for edns
appid: early SSH detection brute-force fix
appid: fixes for one definiton rule violation
binder: change binding to have single service
extractor: flush data on unlocking a writer
extractor: notify handler whether it is a fixed-width formatting
extractor: refactor data pipe between an inspector and extractor's logger
extractor: rewrite std writer to use text_log utility
extractor: update logger with an internal set of fields for logging
ftp_telnet: adding fallback functionality for ftp
http2_inspect: add IPS options for frame header and data
memory: add shell commands for jemalloc heap profiling
process: skip vDSO frame on aarch64
ssh: added abort session in streamsplitter
stream: fix to dump all flows
stream_tcp: add assert to verify configured normalizer policy is valid
stream_tcp: do not overwrite global normalizer policy config option when proxy mode is enabled

2024-09-05: 3.3.5.0

appid: added new logs for reload third party
extractor: add field name to logging function
extractor: add json logger
extractor: add unit tests for enum types
extractor: fix guard-macro names
extractor: fix local variable
extractor: mention a field in initialization list
extractor: remove unused headers
extractor: take a note of FIXIT-P in key points
file_api: set file name for file processing
http_inspect: when cutting chunks check for MAX_OCTETS too
packet_tracer: add tcp window size, options and meta-ack info

2024-08-26: 3.3.4.0

appid: notify binder on service change
appid: replaced hsessions vector of raw pointers into vector of smart pointers
ftp_telnet: refactoring ftp-data
latency, dce, stream_ip: fix max pegs incorrectly declared sum
telnet: avoid flush when cr or lf is between commands

2024-08-13: 3.3.3.0

control: code cleanup
control: handle control commands after packet threads are fully initialised
daq: add outstanding packets counter
extractor: add flow hash key
file_api: max depth is set as part of initial config
file: remove unused variable in FileFlows destructor
filters: update dev_notes.txt with details for event_filter
flow: optimize timeout handling for different packet type
http_inspect: add peg counts for gzip, known-not-supported, and unknown
http_inspect: log normalized URI in extra data
ips_options: separate main thread pcre counts from packet threads stats
memory: account memory for profiler only when packet thread is involved
src: resolve various warnings
stream_tcp: make sure ports are correctly swapped when filling a meta-ACK packet

2024-07-29: 3.3.2.0

appid: fixing cpp warnings and cosmetic changes for appid cpu profiler
appid: removing trailing whitespaces
daq: added outstanding packets counter
doc: builtin rule documentation updates
flow: added compile-time option to disable tenant_id
flow: clear deferred trust after the flow is trusted to stop repeated trusting
js_norm: address pdf tokenizer issues
kaizen: fix verbose mode output for unlimited options
main: fix coverage
sip: fallback functionality for sip inspector
stream: refactor paf logic into a c++ class
stream_tcp: delete lws_init, it was redundant with tcp_init; delete FIXITs that are no longer relevant
stream_tcp: improve variable and function names for overlap processing
stream_tcp: integrate and streamline setting of flush policy and splitter
stream_tcp: merge TcpStreamSession into TcpSession
stream_tcp: refactor segment nodes to implement reassembly cursor and eliminate tracking variables
stream_tcp: refactor TcpReassembler into a virtual base class and subclasses for each mode: ignore, IPS and IDS
stream_tcp: refactor to move alert functions to their own class
stream_tcp: refactor to move tcp overlap processing out of reassembly class

2024-07-15: 3.3.1.0

appid: restructure the appid code to make it easier to follow and maintain
appid: updating appid cpu profiler cli
dce_rpc: correct the session counters post the upgrade to smb v2 from v1
detection: include OPT_TREE traces in release build
detection: make print of fast pattern as a trace module
extractor: support trans_depth, origin and referrer fields
file: fixing file context reuse
flow: clear flow stash when freeing the flow data
flow: handle significant groups with unknown group value as non-group flow keys
http_inspect: add origin header
parser: do not skip symbols while expanding variables
perf_monitor: introducing new parameters for ip flow profiling
stream_tcp: move prev_norm object from TcpNormalizer to TcpNormalizerState
stream_tcp: set daq_msg field in meta-ack pseudo-packet header to the value from the wire packet.
stream_tcp: support tracing without compilation flags
wizard: expand MMS curse

2024-06-18: 3.3.0.0

appid: display rows limit of table and totals
appid: using different api for picking appids for appid cpu profiler
build: bump version to 3.2.0
codecs: add handling of NDP types
dns: set Flow timeout after getting DNS response
extractor: add protocol logging for HTTP
framework: add new Cursor Action Type
http_inspect: set CAT_SET_SUB_SECTION for buffer with a sub-selector configured
js_norm: fix prerequisites for FlexLexer includes
main: add CLI command to show snort cpu percentage
stream_tcp: use default size atomsplitter on fallback
utils: remove duplication of definition. Thanks to xxxx81 for reporting the issue.

2024-06-02: 3.2.2.0

appid: appid cpu profiler max columns
appid: re-enabling appid cpu profiler making it thread safe
appid: store and retrieve only SNI in AppIdSession
appid: updating file_magic.rules with some new file types added to the VDB.
dce_smb: do not prune from LRU cache during file tracker update
doc: fix formatting in dev_notes.txt
flow: add the newly-created flow to p->flow to avoid segv
js_norm: stop PDF processing on syntax error
main: apply loaded configuration only once
packet_capture: make sure packet_capture executed before detection
service_inspectors: fix get_buf handling
sip: flow clean-up based on lina configured timeout
src: remove repetitive words. Thanks @gopherorg for finding those typos
src: udpate to resolve new issues
stream_tcp: don't attempt to verify or process keep-alive probes with data
stream_tcp: fix infinite recursion cases. Thanks to scloder-ut-iso for helping with debug information that uncovered a case of infinite recursion
utils: add explicit include

2024-05-16: 3.2.1.0

framework: supply directories to system headers to plug_gen.sh
main: updates for types used by Alpine.
memory: fix unit test

2024-05-08: 3.2.0.0

actions: add action counters and aggregate them under ips_actions
active, host_tracker, profiler, stats, stream: refactor installed headers to exclude implementation like counts and perf stats
api: refactor base API
build: eliminate SO_PUBLIC THREAD_LOCALs
build: fix cppcheck warnings
build: fix coverity warnings
build: fix LTO ODR issues with anonymous namespaces
codecs: PacketManager::max_layers is not THREAD_LOCAL
detection: introduce re-evaluation of ips content in next packet
detection: refactor detection_util.*
detection: refactor headers
doc: add versioning information to the developer guide
event_filter, suppress: keep antiquated dynamic array support private (use std::vector instead)
extract: move extract methods to detection
file: do not install internal headers
flow: move StreamFlowIntf to stream_flow.h
flow: split ExpectFlow into a separate header
framework: bump api version to 18
framework: bump api version tp 19
framework: bump api version to 20
framework: expand decode flags
framework: generate preprocessor output for validation
framework: improve exported header comments
host_cache: do not install private header
inspector: eval override is optional for passive inspectors
inspectors: remove redundant slot variable
inspector: use thread local slot for best perf on Linux
ips_options: fix dynamic build of some options
ips: tweak check for offload enable
log: refactor out app implementation stuff into log_errors.h
mpse: add modules for pegs and perf profiling; remove _search
numa: do not install implementation (private) header
packet_tracer: eliminate SO_PUBLIC THREAD_LOCALs
pig_pen: use Module::usage directly
plugins: add missing error messages when an so fails to load
plugins: add warning for invalid plugin types
plugins: bump base API and all plugin API version numbers
profiler: eliminate SO_PUBLIC THREAD_LOCALs for _WIN64
profiler: move implementation class to profiler_impl.h
protocols: defensive fix for malformed packets, discard log
reputation: move private defines out of installed header
rna: refactor headers for better encapsulation
snort: remove deprecated features: ** string binder[].when.zones: deprecated alias for groups ** string binder[].when.src_zone: deprecated alias for src_groups ** string binder[].when.dst_zone: deprecated alias for dst_groups ** enum dce_smb.smb_file_inspection: deprecated (not used): file inspection controlled by smb_file_depth { 'off' | 'on' | 'only' }
ssl: support dynamic build of inspector and ips options
stats: change shutdown Mbits/sec from mebibits to megabits
stats: stats.h is for internal use only, do not install
stream: delete obsolete / unused methods
style: miscellaneous cleanup
style: remove trailing spaces
tag: tweak enable toggle
tcp: move SEQ_* macros to tcp header
thread: move THREAD_LOCAL definition to snort_types.h
utils: refactor out non-public code

2024-05-06: 3.1.85.0

anaylzer, framework: add a data bus method to publish to all network policies and use it for idle
appid: add http url regex patterns
appid: appid CPU Profiler Table and CLI
appid: disable appid cpu profiler
detection: clear inspector data before flow_data
detection: fix postponed rule evaluation with recall presence
file_api: fix incorrect data size being passed to IPS engine for file type detection
flow: connection profiling feature
flow: fix unit test for debian
main: update usage of a deprecated hwloc macro. Thanks to teicors for reporting the issue!
stream_tcp: add reassembler class for missed_3whs
stream_tcp: change drop reason issuer to stream
stream_tcp: drop packet with invalid sequence number if inspection policy is inline and fix sequence number comparisons
stream_tcp: implement an asymmetric flow (one-way traffic) mode for reassembly that purges flushed segments immediately (no waiting for ack that will never come)
stream_tcp: support for asymmetric normalization
stream_tcp: track offset into data buffer due to overlaps with state variable on the TCP segment node
utils: move file specific functions from perfmonitor to utils

2024-04-08: 3.1.84.0

appid: enhanced appid config parsing
appid: remove locks from peg counts
appid: separate main thread and packet thread appid_pub_id
dce_smb: fixing an ASAN memory corruption issue
detection: handle policy changes in continuation
framework: add correct cast from double to unsigned
http_inspect: add file_data to buffer list
packet_capture: include cstdint in a header file. Thanks to Plup plup@plup.io and Hauke Mehrtens hauke@hauke-m.de for reporting this!
xhash: fixed typo

2024-03-24: 3.1.83.0

detection: use correct packet in trace logs
doc: add libml to optional dependencies
flow: add filter to dump flows
flow: fix UT
hash: exception handling for random device
packet_capture: fixed wrong dlt in pcap header when nfq is used
stream: count retransmits when we disable content rules
trace: replace colon delimiter for tenant with whitespace in the trace_logger output

2024-03-12: 3.1.82.0

appid: broadcast commands with ctrlcon
appid: change eve pattern matching logic
appid: replaced warning log with logging api for CBD
file_api: do not clear the file capture and user file data pointers when updating the verdict from the cache
filters: updated dyn array with vector
flow: updated flow_data linklist with STL container
framework: validate parameter of number type in a string form
kaizen: rename to Snort ML
main: clear lua stack when registering commands in a shell
main: reset main-thread stats from the main thread
main: update limits help
packet_capture: add packet capturing per tenant
sfip: remove references to unused mode feature
sfip: zero out var/node pointers after operations to remedy heap-use-after-free on reload
smb: fix for improper session cache destruction in tterm during config reload
snort2lua: change deprecated use of ptr_fn to lambda
stats: fix timing stats
stats: perf improvement changes
stream: remove splitter from session before inspectors
stream_tcp: add reasons for drops due to trims
stream_tcp: implement support for proxy mode normalization behavior
stream_tcp: update documentation for stream TCP alerts to include the new 129:21 and 129:22 alerts
trace: add tenants logging

2024-02-20: 3.1.81.0

appid: check tenant_match() if required
appid: log error message instead of fatal error if appid stats logfile is not accessible
appid: Lowering max packet count before service fail
control: Adds counting to ctrlcon blocked to allow for nested commands
detection: add c'tors, use new instead of snort_calloc
detection: copy ip var name in dup_rtn
flow: added ips event suppression flags
host_cache: fixed update_stats to remove race_condition
http_inspect: recreate JSNorm if reload takes place inside transaction
ips_context: add lazy-allocation of alt buffer
kaizen: provide an option to enable Kaizen's mock
kaizen: remove redundant semicolon and add explicit cast
kaizen: rename modules
lua: improve spell of wizard for HTTP
memory: prevent data race between main and packet threads
service_inspectors: add check for JSNorm config actuality
stream_tcp: add alerts for exceeding thresholds for max queued bytes or segments
stream_tcp: add check to verify seglist head is not nullptr and only initialize PAF when it is not
utils: add macro for setting thread name

2024-02-01: 3.1.79.0

appid: add tenants filter for appid debug
appid: process organization unit instead of organization name
appid: return false in is_appid_inspecting_session for quic if not decrypting
appid: update peg counts to be thread safe
coverity: fix for stream and hash
filters: make rate_filter multithreaded + some cleanup
kaizen: add dev_notes.txt
kaizen: change default value of uri_depth to -1
kaizen: change kaizen gid to 411
kaizen: extend mock object with simple matching mechanism
kaizen: make kaizen configurable per policy
kaizen: register module only when LibML present or REG_TEST defined
kaizen: update copyright
mercury: updating alpn info without sni in 7.6
network_inspectors: add kaizen ML based exploit detector
packet_tracer: add tenants to filters
profiler: improve multithread rule percentage calculation
ssl: heap overflow issue when processing handshake records
stream_tcp: correct labeling of in-sequence and out-of-sequence packets
stream_tcp: persist disable_reassembly in Flow
stream_tcp: set packet direction flag based on direction saved in reassembly state

2024-01-16: 3.1.78.0

appid: print odp version and odp detector count on startup
copyright: update year to 2024
doc: update arg list for "generatebuiltin.sh". Add parity to "generate" scripts arg list, thanks to @puck(https://github.com/puck)
main: fix inconsistent lua variables assignment
parser: fix --dump-rule-meta for negated ports

2023-12-20: 3.1.77.0

appid: add http3 to the list of ssl protocols as http3 will always be inside quic and encrypted
appid: do not delete hsession for http3
appid: fix coverity issues
appid: lua logging doc update
build: arm compilation support
catch: add boost software license for catch.hpp
detection: adjust built-in GID range to 40-999
detection: collect matched buffers on IpsContext
flow: add tenant ID to FlowKey
host_cache: fix race condition on peg counts
http_inspect: publish HTTP/1 request bodies, track MIME boundary
main: fix reload_id data race
parser: add CWD to conf search order
profiler: change time tracking for "rule_time (%)" field in rule_profiler output
profiler: dump memory profiler stats at frequent interval
pub_sub: add get_client_body and is_mime methods
ssl: stopping inspection once client or server app packet is found
utils: add get_file_size

2023-12-03: 3.1.76.0

appid: added missed cppcheck warning
appid: adding support for memory profiling of third party lib
appid: additional check for lua logging
appid: fixing coverity issues
dns: fix parsing 'additionals' section in dns response
flow_cache: added new protocol base counters
pegs: make add_peg_count and set_peg_count protected to be available for the derived class
perf_mon: fix variable name issue reported by cppcheck

2023-11-19: 3.1.75.0

appid: add appId for DNS over QUIC and DNS over HTTP/3 to application_ids.h
decompress: use list for OLE file entries to guarantee their order in file_data
detection: setting flag for flows with affected logging due to event filter

2023-11-07: 3.1.74.0

actions, detection, file_api, flow, stream: coverity fixes
appid: clean up main thread appid debug and make appid on, off, on work
appid: lua log function with appiddebug check
build: address miscellaneous cppcheck warnings
build: fix up 32-bit compilation
build: fix coverity and cppcheck issues
build: remove unused functions reported by cppcheck
codecs: fix bad checksum when auth(51) protocol header is present between IP and TCP layer.
dce_rpc: added SMB Redesigned Multichannel enabled code
http_inspect: add correct handling of configuration error
ips_options: fix ack option
ips_options: fix flow bits
packet_io: fix incorrect counters caused by data plane counters reset
search_tool: allow an override of the search method
search_tool: fall back to normal mpse if no snort config

2023-10-23: 3.1.73.0

appid: added support for appid trace logs with multiple logging levels
appid: fixing cppcheck issue
control: code refactor to support all unix flavors
detection: fix cleaning of rule profiling stats when profiling starts
host_cache: added segmented cache
http_inspect: handle reserved gzip flags
http_inspect: response to 0.9 isn't necessarily 0.9
profiler: extend field length to support uint64
stream: skip duplicated alerts in TcpReassemblerState's list. Thanks wenhao-in-chengdu for reporting the issue and suggesting a fix.
stream_tcp: ignore normalization checks when in midstream state

2023-10-10: 3.1.72.0

active: added API for printing delayed action string
appid: support to get correct http session based on stream_id
control: allow one command at a time
dce_rpc: using reset_using_rpkt() inline to what is there in eval() of SMB inspector code as well
flow_cache: added protocol base LRU caches
helpers: increase buffer space for function names, allow printing truncated names
http_inspect: clear fake headers snapshot for 0.9 response
http_inspect: run detection on failed utf decoding
memory: change NOW type counts to SUM type, where necessary
packet_io: fix daq stats
stream_tcp: accept 1 byte of trimmed probe data after zero window
stream_tcp: update rcv_nxt appropriately for each segment
tcp: timeout for embryonic and idle session

2023-09-25: 3.1.71.0

appid, http_inspect, http2_inspect: create appid session if not present in decrypt event handler, add message section as part of StreamFlowIntf for httpx
codecs: Add IPv6 Reserved Address to GID:116 Rules
detection: avoid multiple fixups of duplicated trees
detection: fix of default ips policy switching
flow: allow reinspection for blocked icmp flows after reload
flow: generate flow setup and established events for ha flows
host_cache: cppcheck fix
http2_inspect: fix http2 frame length for logging
main: fix signals handling after failed started instances
main: reset_stats argument type improvement
parser: add file_id rule syntax evaluation
smtp: add alert for mixed LF and CRLF
smtp: process DATA\n (no \r)
stream: extend list of arguments for extra data logging
stream_tcp: ensure all data segments after a zero window are blocked when NAP is inline
stream_tcp: examine whether a segment plugs a hole before blocking due to exceeding queue_limit

2023-09-10: 3.1.70.0

appid: makes regex error more of a warning
detection: fix assert expression
helpers: improve hyperscan_search error message
host_cache: added segmented host cache
main: prevent reloading unprepared thread
search_engines: allow a snort config to be passed to find_all

2023-08-27: 3.1.69.0

appid: mark ssl appid lookup successful if a service id is available
appid: prefer eve client over appid detected client after decryption and use appid detected client version if eve client equals appid client
dce_rpc: fix stats for client/server segments reassembled. Thanks to Bader-eddine Ouaich for addressing the issue.
dns: updates to allow DNS to be compiled dynamically.
framework: add virtual for inspectors that publish data when no ips policy is enabled.
http2_inspect: add frame when logging a packet
http2_inspect: handle empty header name
http2_inspect: update connection settings on ack
http2_inspect: update test tool configurations
http_inspect: adjust formatting
inspector: export get_service_inspector_by_service method
mime: fix boundary search
mime: postpone boundary-look-alike data till the next PDU arrives
mime: support transport padding in boundary strings

2023-08-14: 3.1.68.0

appid, cip: parsing cip safety segments
dns: parse and publish dns response with ip, fqdn/ttl data
doc: udpate tutorial
http_inspect: disable rule evaluation caching for MIME attachments
managers: fix get_inspector to use the passed in snort config for context and inspection inspectors
sfip: Add < operator so SfIp can be used in std::map and std::set.
src: remove ips option asn1
stream: init meta ack packet action field
wizard: refactoring - split curses to multiple files by protocol

2023-07-30: 3.1.67.0

appid: do not raise SMTP response overflow IPS alert on SSL traffic
appid: SSL regex pattern implementation
build: fix cstdint related clearlinux errors
build: fix issues with local build
build: fix type resolution for OSX build environment
control: fix descriptor polling implementation (POSIX)
control: follow code style and formatting
detection: service_extension config
flow: fix ha_test use of stack variable
flow: make sure cpputest mock objects are initialized
ips_options: remove FIXIT comment from sd_pattern
lua: change cip binder rule from 22222 to 2222 (thanks to animator-ra on GitHub for this fix).
main: increase the user policy id range to 0 - 2^64-1
perf_mon: continue even when pegcounts can't be resolved
profiler: handle reload scenarios and tsan issues
profiler: remove interdependency with time and memory for accumulation
profiler: shell commands for time profiler
ssl: extract common name in the SSL certificate using openssl apis
ssl: parse and publish server common name from server certificate
ssl: remove wildcard character from common name string extracted from ssl certificate
style: fix whitespace

2023-07-14: 3.1.66.0

appid: cache Complex HTTP Pattern glossary before detectors reload
appid: early detection of ssh and ignoring third-party detection
appid: fix for opportunistic tls detected as ssl
binder: in case of a service change, remove flags indicating an abort of the direction
flow: changes to support derived classes of parent class Flow
ftp: remove file_data dependency on file_id
helpers: added additional log in print_backtrace for debugging purpose
ips_options: add gadget check for vba_data
ips_options: add unit tests for vba_data
ips_options: update dev_notes about IPS options input values
perf_mon: fix dump_stats collision with perf mon
rna: add stats for rna graphs
stream_tcp: validate proper update of stream_tcp state when seglist head follows a hole

2023-06-29: 3.1.65.0

analyzer: poison memory segment after msg->data
appid: add support for cip multiple service packet
appid: check size boundaries before header validation
appid: do not use global pointers to service and client detectors for packet processing during reload detectors
appid: fix FTP parsing
codecs: fix ipv6_mobility parsing
codecs: fix tcp options parsing
detection: update condition since the negated stuff can be matched in such cases
file_api: avoid file cache lookup after creating new file cache entry.
icmp6: allow rules to match packet data after header
ips_content: add flag for non-default value of depth
ips_content: clean-up of function
ips_content: make the negated content be opposite to normal content
ips_content: update condition checks
log: fix out-of-bounds read access
netflow: fix raw data conversion
parser: base service_only on services not cursor type
profiler: fix date related problems in rule_profiling json output
protocols: remove of unnecessary old_opt check
regex: clear flags reused by module to construct ips option
rna: fix icmpv6 decoding
thread_config: added thread level mempolicy
utils: fix out-of-bound access

2023-06-15: 3.1.64.0

appid: always publish a change message after do not decrypt
detection: handle case when no rule tree node is found for a policy ID.
flow: introduced granular counters for idle_prunes
http_inspect: remove stream interface abstraction for http/1.1 flows
stream_ip: fix session counters in timeout and cleanup cases

2023-06-01: 3.1.63.0

appid: changes logic in ssl pattern matching
http_inspect: rebuild start line
loggers: reuse sensor_id u2 event field for tenant_id value
main: add Pig destructor to free dynamic memory
main: allow network IDs to use up to 32 bits.
main: handling the return code in case of error in creation of daq instance
perf_monitor: fix data bus subscription
stream_tcp: account for data from zero window probes

2023-05-21: 3.1.62.0

appid: added logic to check for encrypted appid before assigning SSL service based on port
decompress, detetion, file_api, framework: cppcheck fixes
flow: clean up flow termination
flow: do not recycle flow cache entries
http_inspect: add support for file transfer using Partial Content
main: disable watchdog when Snort 3 process exits gracefully
main, managers: set the network policy using the user id during inspector delete
memory: add extra jemalloc counts for tracking
memory: use jemalloc stats.mapped for process total
profiler: add json formatter
protocols: add check for missing Geneve layer in get_geneve_options.
protocols,codecs: decode Geneve variable length options.
sfip/test: fix a miscalculation of the number of codes entries.
snort2lua: remove 'reference' option during conversion

2023-05-04: 3.1.61.0

appid: appIdPegCounters thread data handling refactored to prevent data races
appid: ensure that TP SSL detection is not overwrite SMTPS service and client in a starttls session
appid: validate data size of SSL certificate record before parsing
build: remove unused header. Thanks to Rui Chen for reporting the issue.
cmake: update sed call. Thanks to graysky for reporting the issue.
flow: defensive fix to prevent crash if flow->prev is nullptr.
flow, hash, stream: add a free list node count that is output as a peg count
managers: check main SnortConfig pointer in InspectorManager::get_inspector() to avoid memory bad access calls
memory: fix memory pruning race condition and bail on reap failure
memory: provide a default value for pointers if the module has not been initialized
profiler: add shell commands
profiler: move profiler module to separate files
snort: add show_config_generation() command
stream_tcp: populate TCP pseudopackets with VLAN ids in TCP reassembler to avoid issues with secondary flow creation / expected flow cache

2023-04-20: 3.1.60.0

appid: fixed TSAN warnings
appid: log max rss difference and pattern count during appid initialization and reload detectors
appid: make ssl app group id lookup set payload and client
appid: making free_servicematch_list thread local
src: change a few operator bool functions to named functions
src: fix broken unit test/tweak define related to previous operator bool fixes

2023-04-06: 3.1.59.0

file_api: handling file cache context
flow_cache: prune multiple flows
http2_inspect: clear flow stream_intf with flow_data
http2_inspect: make flow data reload safe
memory: subtract the allocated memory from the thread pruned before comparing to the target
stream: store thread local flow control pointer in global
thread_config: add preemptive watchdog kick for flow deletion
thread_config: remove message use in watchdog timer

2023-03-22: 3.1.58.0

actions: restore rtn check in Actions::alert and add to Actions::log
appid: give precedence to eve detected client over appid when eve_http_client_mapping config is set
detection: fix queue_limit pegcounter evaluation
host cache: removed some log to prevent log flooding
js_norm: initialize normalization context only when script is detected
loggers: fix pcap flushing
memory: add shell command to dump heap stats

2023-03-09: 3.1.57.0

ftp_telnet: updated flushing around subnegotiation parameters
search_engine: allocate a single shared scratch space
profiler: add rule time percentage table field

2023-02-22: 3.1.56.0

appid: add validation for rpcbind universal address
appid: merge cname pattern matchers with ssl pattern matchers
configure: fix typo in jemalloc with tcmalloc error message
copyright: update for year 2023
doc: update sd_pattern docs after obfuscation changes
sd_pattern: keep obfuscation blocks per buffer

2023-02-08: 3.1.55.0

appid: first packet detector creation support in appid detector builder script
appid: support for IPv4 and IPv6 subnets for First Packet API
appid: updating lua API to accomodate netbios domain extraction, substring search, and substring index.
appid: use packet thread's odp context instead of inspector's context for packet processing
build: fix configure_cmake.sh 'too many arguments' error
detection: add new pegcount
main: avoid race conditions when accessing id to tid map
ssl: refactor ssl client hello parser to be used by appid/ssl inspectors
stream_tcp: fix passive pickups with missing packets. Thanks to nagmtuc and hedayat for reporting and helping debug the issue.
wizard: ensure Wizard is refcounted by MagicSplitter to prevent snort crashes due to memory corruption

2023-01-25: 3.1.53.0

appid: publish tls host set in eve process event handler only when appid discovery is complete
detection: show search algorithm configured
file_api: handling filedata in multithreading context
flow: add stream interface to get parent flow from child flow
memory: added memusage pegs
memory: fix unit test build w/o reg test

2023-01-18: 3.1.52.0

dce_rpc: add errno resets during uuid parsing
dce_rpc: handling dcerpc over smbv2
flow: update flow creation to exclude non-syn packets with no payload
framework: change range check types to int64_t to fix ILP32 bit issues
main: Fix missing include file that caused build error on some platforms.
memory: add final epoch to capture stats
memory: add regression test hooks
memory: fix init sequence; thanks to amishmm and Xiche for reporting and debugging the problem
netflow: grab the proto off of the netflow record - not the wire packet
rna: reset host_tracker type when visibility changes
stream: fix iss and irs and mid-stream sent post processing
stream: refactor tcp state machine to handle mid-stream flow and more established cases

2023-01-11: 3.1.51.0

appid: add support for cip service, client and payload detection
appid: do not create snmp future flow for udp reversed session
appid: use packet thread's odp context for future flow creation
build: error out if both jemalloc and tcmalloc are configured
build: exclude unused memory related sources
js_norm: add benchmark tests for PDF parser
js_norm: decode UTF-16BE to UTF-8 for JS in PDF
js_norm: delete unused method
js_norm: tune PDF parser performance
lua: add Adobe JavaScript related identifiers to snort_defaults
lua: fix typo in Sensitive Data classifications name
main: fix const issues causing compile warnings
memory: delete unnecessary includes
memory: incorporate overloads into profiler
memory: refactor jemalloc code and add relevant pegs
memory: rename manager to overloads to better indicate purpose
memory: update developer notes
memory: update stats regardless of state; add unit tests
memory: use the process total instead of per thread totals to enforce cap
watchdog: print thread id as well for better identification of unresponsive threads

2022-12-19: 3.1.50.0

alert_fast: fix initialization of http_inspect cheat codes
config: ensure table state is reset when starting a new shell
config: fix talos tweaks for the daq module
data_bus: improve pub-sub performance
host_cache: fix initialization from Lua
pop, imap, smtp: gracefully decline buffer requests when flow data is not present

2022-12-15: 3.1.49.0

appid: appid_detector_builder.sh addPortPatternService call fixed
appid: do not reset session data when built-in discovery is not done
appid: fixed assert condition for odp_ctxt and odp_thread_local_ctxt
doc: add decompression mention to js_norm reference
doc: update user/js_norm.txt for PDF in email protocols
geneve: if daq has the capability, do not bypass geneve tunnel
ips_options: fix offset related bug in byte_test eval()
js_norm: add PDF stream processing
js_norm: add support for email protocols
js_norm: fix pdf_tokenizer_test on FreeBSD platform
js_norm: update PDF tokenizer to use glue input streambuf
stream: ignore PAWS timestamp checks when in no_ack mode
wizard: remove client_first option

2022-12-01: 3.1.48.0

appid: added config for logging alpn service mappings
appid: fixed addition of duplicate entries in app_info_table
appid: make appid availability independent from TP state
cmake: add FLEX build macro
doc: update sensitive data documentation
doc: update user/js_norm.txt for PDF
flow: add an event for retry packets
flow: added an event to allow post processing of new expected flows
flow: fix deferred trust clear when packet is dropped
flow, stream: added code to track and event for one-sided TCP sessions and generate an event for established or one-sided flows
http_inspect: add decompression failure check before normalization
http_inspect: remove port from xff header
ips_option: keep cursor intact for a negated content mismatched
ips_option: keep cursor intact for a negated hash mismatched
js_norm: implement Enhanced JS Normalization for PDF
js_norm: use FLEX macro to build parser
process: watchdog to abort snort when multiple packet thread becomes unresponsive
smb: handling smb duplicate sessions
stream: add logic to ensure metaACKs cause flushing

2022-11-17: 3.1.47.0

appid: add a changed bit for discovery finished
appid: ntp detection improvements
appid: service, client and payload detection by lua detectors and third-party when first packet re-inspection is enabled
doc: add JavaScript Normalization section to user manual
doc: add js_norm alerts to builtin_stubs.txt
http_inspect: subdivide dev_notes into topics
http_inspect: move Enhanced JS Normalizer from NHI to a standalone component
js_norm: implement standalone Enhanced JavaScript Normalizer
main: dump packet trace after publishing finalize event since verdict could be modified.
main: update to improve performance by making packet tracer checks before calling function.
netflow: implement deferred trust, cleanup
packet_io: allow ACT_TRUST to be used as a delayed action.
packet_io: the most strict delayed action takes precedence.
smtp: do not accumulate cmds across policies and reloads. Avoids memory and performance problem.
stream: add info about the splitter lifetime to dev_notes
stream: ignore flushing from meta-ack if sent after FIN
stream: remove splitter from session before inspectors
stream: set splitter only on initialized tcp sessions or if midstream sessions are allowed
wizard: remove inspector's ref counter increments from MagicSplitter

2022-11-04: 3.1.46.0

appid: check for empty patterns in lua detector api input
appid: publish client and payload ids set in eve process event handler and ssl lookup api only after appid discovery is complete
detection: add config option for SSE
detection: skip a rule variable copy for a single-branched node
doc: add information about handling multiple detection in SSE
doc: specified which packages are sent on rejection
helpers: fix duplicate scratch_handler
http_inspect: add override to destructor
http_inspect: move LiteralSearch::setup for http_param to its module
main: add variables to lua environment
netflow: if LAST_SWITCHED isn't provided, use packet time
parser: improve port_object hash function
ports: align fields of PortObject and PortObject2
ports: enable checks in debug build only

2022-10-25: 3.1.45.0

detection: check Pig run number in node state conditions. Fixes crash introduced in 3.1.44.0.

2022-10-20: 3.1.44.0

appid: return APP_ID_NONE only if hsession is not present for http3
detection: add stateful signature evaluation
flow, reputation, protocols: remove reputation information from packet and flow
http_inspect: inspect multiple MIME attachments per message section
http_inspect: maximum_pipelined_requests
http_inspect: MIME partial inspections
http_inspect: remove rule option timing features
lua: add sensitive data rules
reputation: added profiling to the event handlers
reputation: fix for array indexing error when searching for reputation file entries
reputation: refactor event generation for matches
s7commplus: adding wizard support for s7commplus
utils: add possibility to process keywords as identifiers

2022-10-05: 3.1.43.0

actions: fix action logging for suppressed events
appid: handle multistream http protocols(http2,http3) together
appid: return appid set by eve for http/3 if no hsession is present, but prefer hsession appid over eve
appid: updating devnotes for first packet API
detection: refactor set next packet to use the dummy active object when there is no packet
flow: disable inspection for and HA flow unless the state is setup or inspect
http2_inspect: std::list - remove indirection from stream list
http_inspect: allowed and disallowed methods
reputation, sfrt: refactor reputation to remove global variables

2022-09-22: 3.1.42.0

appid: custom lua detector api to map ip and port to appids on the first packet
appid: added a snort config to control client-process mapping
appid: dppid service detection prioritized over third party detection
appid: cache support for unprocessed ssl packets
appid: handle http event for httpx(2,3) traffic
content: fix retry
content: fix adjustment of depth/within when offset/distance are negative
detection: add http3 to http ips buffers
detection: add option to reduce rtns by port values
doc: added smtp rule 124:17
flow: abstract class added to work on stream based connections
http2_inspect: updated with abstracted httpx(2,3) flags
http_inspect: abstract inspection of httpx(2,3)
http_inspect: http_max_header_line and http_max_trailer_line rule options
http_inspect: rework range rule options
ips_options: change ips.obfuscate_pii to be true by default
ips: trace all node evaluations
memory: fix typo in peg counter help text
netflow: evaluate all matching netflow rules, not just the first match
parser: add implicit http3 to http ips options otn
parser: remove platform dependency from parse_int function
payload_injector: accomodate httpx(2,3) stream id values
pub_sub: handle httpx(2,3) traffic
reputation: use the thread specific reputation data for aux ip event
rna: handle httpx(2,3) traffic
stream: export support for creating udp session
trace: ips variables are dumped as hex
utils: remove alert for an opening tag in string literals
wizard: deprecate client_first option

2022-09-07: 3.1.41.0

appid: send intermediate messages for appid reload commands to the socket
file_api: corrected the formatting of File Statistics output
file_id: Update Office Documents rules
flow: update flow statistics before processing a flow
framework, rna, pub_sub: make data bus get_packet method a const
netflow: log even when not all info is present
sd_pattern: add and improve built-in patterns
stream: free flow data, if flow is blocked
stream: use a const packet to populate the flow key
utils: refactor JS normalizer unit tests

2022-08-25: 3.1.40.0

appid: activate appid debug object before printing logs from http event handler
appid: do not clear client version when deleting appid session data
ChangeLog: change to md format
daq: Remove duplicate entries from static module list; thanks to raging-loon for reporting the issue
doc: add section on commit messages to the dev guide
doc: specify parallelization in make in tutorial; Thanks to nitronarcosis for reporting the issue and suggesting a fix
ffi: add get_module_version(name, type) for conditional config
flow: fix deferred trust for trust followed by defer
gid: upper bound changed to match event_filter and rate_filter implementation limits
help: enclose --help-config string defaults in single quotes
helpers: make install_oops_handle and remove_oops_handle so_public, install process.h and sigsafe.h
http_inspect: add doc for http_num_cookies
http_inspect: add more identifiers to js_norm lists
http_inspect: http_num_cookies rule option
http_inspect: parameters for header alerts
hyperscan: add warning when deserialization fails that includes error code
ip_proto: enable match on PDUs
managers: only publish the reloaded flow event for existing flows with an old policy
parameter: add int_list
parameter: simplify multi validation
reputation: make reputation handle flow setup, reloaded, and packet without flow events
stream: typo in dev_notes; Thanks to RobinLanglois for the fix
style: change max line length to 120 including \n
telnet: use the same splitter as ftp_server
utils: allow closing tag in external scripts
vlan: add configurable TPIDs; Thanks to ozkankirik for reporting the issue

2022-08-10: 3.1.39.0

cmake: add --enable-luajit-static option to enable LuaJit linked statically
http_inspect: request and response shouldn't be available for pkt_data
ips_options: remove obfuscate_pii caching in sd_pattern option
main, managers: remove the reload_module command
netflow: pass a flag if the initiator and responder were swapped
parser: remove 138 from builtin GID exceptions
rna: Added log message for missing 'rna.conf' path
utils: fix compilation warning [-Wcomma]
utils: fix JS split to reflect tokens correction and re-normalization
utils: validate escaped JavaScript identifiers

2022-07-28: 3.1.38.0

appid: restart inspection for ssl session inside http tunnel
appid: set persistent flag for sunrpc expected session
appid: send more packets to third-party for FTP user name extraction
detection: separate the branch/leaf result to different variables
http_inspect: remove dependency of JS normalization depth on HTTP depth
http_inspect: add more explicit js type values to otag type check
http_inspect: do not stop normalization in case of opening script tag
http2_inspect: add support for GOAWAY frames
http2_inspect: add support for PRIORITY frames
http_inspect: directly call detection
http2_inspect: interface to http_inspect now uses real reassembled packet
pub_sub: add definitions for ssl block and block with reset messages
snort2lua: change the conversion of sensitive data rules
stream: removed all instances of 'cap_weight' config parameter
stream: removed macro references for 'cap_weight' config parameter
utils: add static initialization of norm_names
utils: continue JS normalization after opening tag seen

2022-07-19: 3.1.37.0

reputation: print LogMessage in reputation only when in verbose mode
utils: fix Unicode LS PS handling in JavaScript

2022-07-14: 3.1.36.0

appid: fix stats cleanup
dce_smb: fix stats cleanup
file_api: fix stats cleanup
http_inspect: do not abort midstream pickups
normalizer: make normalizer and tcp_normalizer peg counts shared
stream: fix stats cleanup
utils: fix arrow functions parsing
utils: fix parsing of decimal number literals

2022-07-08: 3.1.35.0

sandbox: must propagate file_id for includer logic

2022-07-07: 3.1.34.0

build: remove unnecessary type casts
dce_rpc: set presistent flag for dcerpc pinhole session
file_id: fix rules_file path resolution
http2_inspect: consider continuation when checking headers length
log: add log_value and log_limit overloads with built-in integer types
utils: make shutdown timing stats more precise; Thanks to trevor tao trevor.tao@arm.com for the update

2022-06-30: 3.1.33.0

file_api: implement file type identification over ips engine
filters: check if a configured gid value is supported by filter's implementation
framework: update base API version to 14
ftp_telnet: make active ftp expected session in the correct direction
http2_inspect: fix unit tests depending on REG_TEST
http_inspect: implement uniform alerts when splitter aborts
hyperscan: delete databases upon error
lua: update sid and rev fields
main: move trace related code to trace folder
netflow: fix v5 header time value
parser: update do_hash() function to work correctly with port variables
parser: use std::string in ExpandVars
rna: allow rna to fire an event when a new netflow connection is detected
rna: use the longest user agent fingerprint among multiple matches
wizard: update wizard's patterns to follow the proto option

2022-06-16: 3.1.32.0

appid: config for logging eve process to client mappings
dce_smb: reduce smb_max_credit range to avoid uint16_t overflow
detection: remove redundant FIXIT
ftp_telnet: correct the implementation for check_encrypted and encrypted_data config, handle form-feed as non-encrypted traffic
ftp_telnet: handle all space characters as a seperator between FTP request command and arguments
http_inspect: add explicit check for HTML script opening tag ending
http_inspect: remove unneeded header inclusions and improve cleanup before trailers
ips_options: improve ips_hash and ips_cvs code coverage
log: Fixed missing include for Clear Linux build
logger: added reload function to create new files when snort reloads
main: add null check for scratch handler
mime: cleanup
modules: resolve int type mismatch in config options
netflow: fix build on MacOS
netflow: implement RNA integration for host/service discovery
netflow: support memcap reconfiguration upon reload
openssl: Openssl minimum version is set to 1.1.1
profiler: fix issue with negative number cast to unsigned for max_depth
rna: reduce range for ttl, fix cast for df, minor and major options; Thanks to liangxwa01 for pointing this out
stream_tcp: fix splitter abort handling
stream_tcp: flip the server_side flag in fallback() and assert what it should be
utils, parser: remove redundant fixits
utils: remove curly brace parsing from regex literals
utils: remove redundant checks in regex groups
wizard: use const reference instead of copying

2022-06-02: 3.1.31.0

appid: add lock_guard to prevent data race on reload
appid: do not delete third-party connection when third-party reload is in progress and the context swap is not complete
dce_rpc: convert tree tracker to shared ptr
doc: add class track description to user doc
filters: add correct handling of by_src and by_dst; Thanks to Albert O'Balsam for reporting the bug
host_tracker: rename generic files and classes
http2_inspect: add alert and infraction for non-Data frame too long
http_inspect: add Content-Type header validation for Enhanced JS Normalizer
http_inspect: add field for raw_body
http_inspect: add handling of binary, octal and big integers to JS Normalizer
http_inspect: change js processed data tracking
http_inspect: implement general approach of checking Content-Type header
hyperscan: reallocate hyperscan scratch space when patterns are reloaded during appid detector reload
netflow: enforce memcap for session record and template LRU caches
perf_monitor: fix timestamp for idle processing
utils: add keyword new support and object tracking
utils: allow script closing tag in single-line comments

2022-05-19: 3.1.30.0

build: Update dependent libdaq version to 3.0.7
doc: update clone link in README; Thanks to billchenchina
doc: user documentation update for obfuscate_pii and --help-module
framework: add method to get unquoted string from configuration value
http2_inspect: Templatize variable length integer decoding of integer and string
http_inspect: add ignoring defined object properties for Enchanced JS normalizer
http_inspect: avoid sending compressed data to JS normalizer
http_inspect: check if input available before JavaScript normalization
mime: set partial_header to null after deletion
perf_monitor: remove unused flatbuffers support
piglets: remove unused test harness
smb: handle file context cleanup
snort3: remove SMB detection from service_netbios.cc
stream: refactor flush_queued_segments
stream_tcp: add null check for get_current_wire_packet() in dce too
stream_tcp, pop: add sync_on_start method to StreamSplitter
stream_tcp: provide a context and a wire packet where needed, when calling into reassembly from outside regular processing (handle_timeouts)
utils: add Latin-1 decoding of JavaScript unescape-like functions
utils: allow regex literals after operator
utils: fix regex char classes parsing
utils: turn debug-build assertion into a product-build code
wizard: fix code style

2022-05-04: 3.1.29.0

appid: add alpn matchers
dce_rpc: update address space id in the smb keys
doc: rule text updates
flow, network_inspectors, policy_selectors, stream: make address space id 32 bits and add a tenant id to the daq header
flow, side_channel, utils: fix clang issues
flow: add inline cppcheck suppressions
flow: change the padding and bits in the flow key to make it more clear
http_inspect: install header files, create a virtual base class for http_inspect and http_stream_splitter
http_inspect: move mime processing outside of file and detect depth
main: update analyzer command log message to copy the variable arguments before using them for the remote response
wizard: update glob storage due to shared memory

2022-04-25: 3.1.28.0

appid: add bytes_in_use and items_in_use peg counts
appid: ssl service detection for segmented server hello done
binder: add binder actions to flow reassignment; Thanks to Meridoff for the original report of the issue
bufferlen: add missing relative override
conf: add cip and s7commplus to the default snort.lua
content: auto no-case non-alpha patterns
dce_rpc: Handling only named ioctls for smb
detection: add missing fast pattern buffer translations
detection: make CursorActionType generic
detection: map buffers to services
detection: rearrange startup rule counts
detection: remove now obsolete get buf support
doc: add clarification on default bindings in developer notes and user notes
events: add action logging to the event
flow, managers, binder: only publish flow state reloaded event from internal execute
flow: only select policies when deleting flow data if there is a policy selector
flow, snort_config: change service back to a pointer and add a method to return a non-volatile pointer for service
flow: use a flag instead off shared pointer use count for has service check
framework: make Cursor SO_PUBLIC
ftp: fix FTP response parsing
ftp: flush FTP cmds ending in just carriage return
host_cache: bytes_in_use and items_in_use peg counts
host_cache: fix unit test broken on some platforms
inspectors: add / update api buffer lists
ips: eliminate direct dependence on get_fp_buf of all ibt (by using rule options)
ips: eliminate PMTYPE* to make fast pattern buffers generic
ips: further limit port group rules
ips_options: eliminate obsolete RULE_OPTION_TYPEBUFFER*
ips_options: fix cursor action type overrides
main: check policy exists instead of index when setting network policy by id
mime: handle MIME header lines split between inspection sections and improve folded header line processing
mms: add check that BerElement argument isn't null before calling BerReader::read
mms: adding manual updates for the new service inspector for the IEC61850 MMS protocol
mms: adding new service inspector for the IEC61850 MMS protocol
mms_data: make a fast pattern buffer
mms: moved creation of TpktFlowData inspector ID to process init
module_manager: fix memory pegs display issue during packet processing, while also correctly computing the memory pegs in Analyzer::term
netflow: framework for netflow V5 and V9 events
packet_io: add rewrite action logging
parser: update dev notes
raw_data: only search pkt_data if no alt buffer or raw_data rules included in group
service inspectors: update fast pattern access
sfip: improve warning suppression
smtp: SMTPData initialization changed from memset to constructor
smtp: STARTTLS command injection event processing
stream: add can_set_no_ack() api to check if policy allows no-ack mode
stream: add current_flows, uni_flows and uni_ip_flows peg counts
utils: limit JS regex stack size
utils: track groups and escaped symbols in JavaScript regex literals

2022-04-07: 3.1.27.0

ac_full: refactor api access
ac_full: remove cruft
ac_std: fix case translation buffer size
alerts: remove obsolete stateful parameter
appid: provide client appid set by encrypted visibility engine to ssl through the ssl appid lookup api
build: compile against libatomic if present; Thanks to W. Michael Petullo mike@flyn.org
control, shell: add a command to set the network policy to be used by subsequent commands
dce_rpc: handle cleanup path and race conditions for dce traffic
detection: do not check ips policy when builtin events are queued
detection: fixup dump of detection option tree
detection: minor refactoring of rule header access
detection: override match queue limit for offload
detection: remove cruft
detection: skip match deduplication for hyperscan
file_api: handle user_file_data cleanup
hext: change stdin designation from tty to - since the trough uses dash
http2_inspect: reduce holes in objects
http_inspect: add unescape text processing for Enhanced JS Normalizer
http_inspect: decode String.fromCodePoint() JavaScript function
http_inspect: delete alerts 119:279 and 119:280
http_inspect: provide current packet to trace
http_inspect: support headers Restrict-Access-To-Tenants, Restrict-Access-Context
hyperscan: ensure adequate scratch when deserializing
rate_filter: move to inspection policy
search_engine: add fast pattern only count at startup
search_engine: always build ac_full since it is a hard default case
search_engine: fix .debug = true output
search_engine: fix adjustment for fast_pattern_offset
search_engine: fix fast pattern only eligibility check
search_engine: remove obsolete warning on max_pattern_len change
search_engine: remove search_optimize parameter (always true)
search_engine: truncated patterns not eligible as fast pattern only contents
search_engines: add and refactor unit tests
search_engines: ensure SearchTool with hyperscan gets multi-match mode
search_engines: remove the legacy ac_banded algorithm
search_engines: remove the legacy ac_sparse algorithm
search_engines: remove the legacy ac_sparse_bands algorithm
search_engines: remove the legacy ac_std algorithm
sfip: suppress compiler warning
utils: add string concatenation for Enchanced JS Normalizer
utils: allow opening/closing tags in external scripts
utils: fix JS Normalizer benchmark build
utils: fix tracking variable when the output buffer is reset
utils: harden script opening tag sequence

2022-03-23: 3.1.26.0

actions: revert bf62a22d43
actions: set a delayed action on Reject IPS Action hit
analyzer: avoid distilling sticky verdicts
appid: appid api to provide the path to appid detector directory
appid: make appid a global inspector
appid: sum stats at tterm and null the thread local stats pointer after delete
control: make sure reload commands with empty argument is handled correctly
event: add new static member update_and_get_event_id()
file_api: Handling user_file_data cleanup
flow: make service a shared pointer to handle reload properly
framework: update base API version to 13
http_inspect: do file decompression and utf decoding on non-MIME uploads
http_inspect, mime: VBA macro decompression for HTTP MIME file uploads
inspector, main, inspector_manager: add support for thread local data in inspectors and commands updating reload_id
main: add the control connection to the analyzer command and a method to log a message to both console and the remote connection
main: fix and reenable the distill_verdict unit test
managers: add a faster get_inspectors method
managers: add get_inspector unit tests
managers: move inspection policies into the corresponding network policy
packet_io: fix active action so the first reset occurred takes effect
policy_selectors: add a method to select policies based on DAQ_FlowStats_t
reputation: add a command to reload repuation data
stream: reusable stream splitter

2022-03-09: 3.1.25.0

appid: do not add duplicate process to client app mapping for the same process name
file_id: remove unused decompression and decode depth parameters
http_inspect: add http_header_test, http_trailer_test rule options
http_inspect: add override to fix warning
http_inspect: add unescape function tracking for Enhanced JS Normalizer
http_inspect: call mime in a loop for each attachment
http_inspect: remove feature to disable raw detection upon flow depth
http_inspect: use http_inspect decompression config parameters for HTTP MIME traffic instead of file_id
mime: fix resetting state after every attachment and check state instead of decode object
mime: return at the end of each attachment and set the file_data for http
process: add watchdog to detect packet threads dead lock or dead loop
ssh: NULL check for session pointer before access
stream_tcp: call final flush only when the seglist has no gaps
stream_tcp: clarify small segments help text and remove usage from lua
utils: check for NULL before calling fclose()
utils: check more likely branches at first
utils: combine ignore list with normalization map
utils: fix compilation issues in js_tokenizer
utils: improve Flex matching patterns
utils: pre-compute ID normalized names
utils: refactor the alias lookup
utils: wrap unordered set with a fast lookup table
watchdog: remove unused code

2022-02-23: 3.1.24.0

detection_filter: update dev notes to show multithreaded behavior
doc: fix typos in text; Thanks to Greg Myers for reporting the issue
http_inspect: refactor HttpIpsOption
latency: disabling time out functionality on implicit enable
mime: stop setting the file_data buffer for raw non-file MIME parts
netflow: add dev_notes.txt
sfdaq: fix for underflow of outstanding counter
stream: Remove preemptive prunes peg count

2022-02-09: 3.1.23.0

detection: add dir abort check in skip_raw_tcp
doc: add notes about CLI/Lua precedence
doc: fix incorrect http builtin rule sid
event: make apis SO_PUBLIC to access in .so
filters: allow detection filter to sum events across threads
http_inspect: HttpStreamSplitter::reassemble verifies gzip file magic and checks for FEXTRA flag
main: ignore Snort module's option if it duplicates CLI option
main: parse snort module before others
main: remove default values for other-module parameters in snort module
main: stop with error on include(nil) attempt
packet_io: decrease daq module's parameters priority
stream: defer flush_queued_segments() if flow->clouseau
stream_tcp: better place for setting delayed_finish_flag
stream_tcp: fix a bug in which in some cases we did not call splitter finish() in each direction, by calling flush_queued_segments() in perform_fin_recv_flush() on FIN with data packets
stream_tcp: introduce TcpStreamTracker::delayed_finish_flag and call splitter finish from flush_on_data_policy if delayed_finish_flag is true
stream_tcp: wrap flow->clouseau in searching_for_service()

2022-01-31: 3.1.22.0

appid: give priority to custom process to app mappings over ODP mappings
appid: rename efp (encrypted fingerprint) to eve (encrypted visibility engine)
detection: change output format of dump-rule-state
pub_sub: export assistant_gadget_event.h header file
stream: set the max number of flows pruned while idle to 400

2022-01-25: 3.1.21.0

appid: do not delay detection of SMB service for the sake of version detection
control: fix macro definitions
copyright: Update year to 2022
http_inspect: correct comment regarding header splitting rules
http_inspect: forward 0.9 request lines to detection
http_inspect: http_version_match uses msg section version id
http_inspect: webroot traversal
main: move policy selector and flow tracking from snort config to policy map
main: only add policies to the user policy map at the end of table processing
policy: add a file_policy to the network policy and use it
stream: QUIC stream dependent changes
stream_tcp: ensure that we call splitter finish() only once per flow, per direction
wizard: remove extra semicolon

2022-01-12: 3.1.20.0

appid: handle SNI in efp event
appid: make peg counts consistent with what is reported to external components
appid: update appid api to include ssh in the list of service inspectors that need inspection
dnp3, gtp, file_type: fix assert while parsing string param
doc: update JavaScript normalization docs
http2_inspect: don't send data frames to the http stream splitter when it's not expecting them
http2_inspect: hardening
http_inspect: version update, http_version_match rule option
stream_tcp: limit reassembly size for AtomSplitter; Thanks to barosch78 and DAKOIT for their help in the process of finding the root cause
stream_tcp: Skip seglist gap in post-ack mode if data is acked beyond the gap
stream_user: change packet type from PDU to USER for hext daq, user codec, and stream_user
wizard: make max_search_depth applicably for curses

2021-12-15: 3.1.19.0

appid,ssh: roll AppId's SSH detector into SSH service inspector
appid: remove hard-coded SSH client patterns which are available as part of ODP
build: add cppcheck suppressions for unusedFunctions
build: clean up some cppcheck style issues
build: move flex options to the template file
cmake: fix CMP0115 Warning
daq: sort --daq-list output by module name
dce_smb: add new smb counters
file_api: add null check for user file data
file_api: handle file_data
framework,appid: generate NO_SERVICE event when no inspector can be attached to a flow; wait for the event in appid before declaring service as unknown for the flow
http_inspect,http2_inspect: refuse midstream pickups
http_inspect: add JavaScript builtin de-aliasing
http_inspect: rename js normalization options
http_inspect: use correct detect_length for partial inspection cleanup
loggers: fix truncated alert_syslog messages
lua: configure a list of JS ignored IDs in default_http_inspect table
managers: continue inspectors probe when packet has disable_inspect flag
mime: add the support for vba macro data extraction of MS office files transferred over mime protocols
parser: fix missing-prototypes warning in parse_ports.cc
parser: fix parsing of portsets
rpc: remove RpcSplitter altogether and use LogSplitter instead
snort2lua: fix conversion of variable sets
stream: add PKT_MORE_TO_FLUSH flag and use it in TcpReassembler::scan_data_post_ack() to signal AtomSplitter whether to flush or not
stream: fix issue with atom splitter not returning FLUSH
stream_tcp: remove unnecessary special adjustment methods
utils: (JSTokenizer) fix braces initialization compilation error (gcc5)
utils: fix state adjustment in JS Tokenizer
utils: place init/deinit routine under a single function
utils: update JS normalizer unit tests
vlan: implement vlan encode function

2021-12-01: 3.1.18.0

alert_sf_socket: remove obselete logger
appid: exclude stubs from coverage
build: remove config.h from headers
build: remove unreachable code
build: update configure options
catch: update catch to v2.13.7
dev_notes.txt: fix miscellaneous typos
doc: remove mention of Automake
doc: update builtin_subs.txt with EVENT_JS_SCOPE_NEST_OVERFLOW alert
doc: update module usage and inspector types in the dev guide
doc: update user/http_inspect.txt with http_inspect.js_norm_max_scope_depth option description
doc: update wizard documentation
file_api: file_data changes
framework: add support for multiple tenant
framework: don't call a gadget's eval() or clear() after its stream splitter aborted
framework: replace Value::get_long() with a platform-independent type
framework: update base API version to 11
helpers: fix stream unit test on 32 bit platforms
http2_inspect: discard with padding
http_inspect: fix total_bytes peg count
http_inspect: new rule options num_headers, num_trailers
http_inspect: store ole data in msg_body
http_inspect: update comments for asserts in eval and clear
http_inspect: update dev_notes.txt
hyperscan: disable bogus unit test leak warnings
ips_options: create LiteralSearch object for vba decompression at the time of snort initialization
memory: add max rss to verbose memory output
memory: add original overload manager
memory: add support for jemalloc
memory: expand profile report field widths
memory: fix accounting issues
memory: free space per DAQ message, not per allocation
memory: move mem_stats to MemoryCap
memory: refactoring
memory: refactor pruning and update unit tests
memory: remove explicit allocation tracking
memory: update dev notes
perf_monitor: allow constraint seconds = 0
piglets: refactor support code
reputation: remove unused sfrt code
rna: refactor unit test stubs
search_engines: remove unused test code
stream_tcp: delete unused unit test cruft
stream_tcp: only fallback if stream splitter aborted and don't keep processing fragments after MagicSplitter returned STOP
stream_tcp: remove unused unit test code
stream_user: refactor, remove cruft
unified2: remove cruft
utils: do output adjustment in case of carryover
utils: enable batch mode for Flex
utils: (JSNormalizer) add program scope tracking and alias resolution
utils: (JSNormalizer) rework the split over multiple chunks behavior
utils: pass an address into memset instead of object
utils: reduce flex generation of unused js normalizer code
utils: reset Normalizer context when new script starts
vba: fix buffer overflow in ole parser
wizard: add patterns to match unknown HTTP and SIP methods
wizard: change default value of max_search_depth from 64 to 8192
wizard: remove telnet IAC pattern

2021-11-17: 3.1.17.0

appid: restore the log of reload detectors complete message
build: remove HAVE_HYPERSCAN conditional from installed header
detection: add allow_missing_so_rules
detection: ensure PDUs indicate parent when available
dnp3: update builtin rule description
doc: arp_spoof builtins
doc: back orifice builtin rules
doc: spell correction
doc: update builtin alerts description for dnp3
doc: update builtin alerts description for modbus, HTTP/2
doc: update builtin alerts description for portscan
doc: update builtin rule documentation for http_inspect
doc: update builtin rules documentation for dce_smb, dce_tcp, dce_udp, rpc_decode
doc: updated builtin rules documentation for ssh
http2_inspect: hardening
http2_inspect: http1_header buffer always created immediately after decode_headers
http2_inspect: push promise error state check
http2_inspect: truncated trailers without frame data
ips_option: Enabling trace for vba_data options and fixing memory leak while extracting vba_data
main: use dynamic buffer on demand in trace print functions
u2spewfoo: Fixed incorrect usage line

2021-11-03: 3.1.16.0

appid: during initialization, skip loading of Lua detectors that don't have validate function
appid: in packet threads, skip loading of detectors that don't have validate function on reload
appid: provide API to give client_app_detection_type
codec: geneve - ensure injected packets have geneve port in outer udp header
detection: refactor mpse serialization
detection: rename PortGroup to the more apt RuleGroup (and related)
detection: replace PortGroup::alloc/free with ctor/dtor
doc: add SIP built-in rule documentation
doc: update built-in rule doc for SMTP, IMAP and POP inspectors
doc: update built-in rules documentation for dns module
doc: update built-in rules documentation for ftp-telnet
doc: updated builtin rules documentation for gtp module
flow: fix warning in flow_cache.cc
flow: use the same pkt_type to link and unlink unidirectional flows
http2_inspect: refactor decoded_headers_buffer for hpack decoding
http_inspect: eliminate cumulative js data processing
http_inspect: handle unordered PDUs for inline/external JavaScript normalization
http_inspect: improve file decompression
hyperscan: sort patterns for dump / load stability
ips: correct fast pattern port group counts
mpse: add md5 check to deserialization
reload: add logs to track reload process
reload: move out reload progress flag to reload tracker
search_engine: support hyperscan serialization
search_engine: support port group serialization
sip: track memory for sip sessions
ssl: disable inspection on alert only at fatal level
stream_tcp: fix init_wscale() to take into account the DECODE_TCP_WS flag
tcp: remove the obsolete GNUC block from TcpOption::next()
tcp: stop on the EOL option in TcpOptIteratorIter::operator++()
utils: add get methods to peek in internal buffer
utils: correct Normalizer's output upon the next scan
wizard: update globbing and max_pattern

2021-10-21: 3.1.15.0

appid: detect client based on longest matching user agent pattern
appid: update the name of the lua API function that adds process name to client app mappings
build: fix in CodeCoverage.cmake to generate *.gcda *.o files as needed by gcov
dce_smb: optimize handling pruning of flows in stress environment
decompress, http_inspect: add support for processing ole files and for vba_data ips option
doc: add punctuation to builtin stubs, fix formatting
doc: builtin rule documentation updates
http2_inspect: partial header with priority flag set
http_inspect: add automatic semicolon insertion
http_inspect: document built-in alerts
http_inspect: do not normalize JavaScript built-in identifiers
http_inspect: hardening
http_inspect: implement JIT (just-in-time) for JavaScript normalization
http_inspect, ips_option: decouple the vba_data ips option from http_inspect and add the trace debug option to vba_data
policy: update policy clone code to avoid corrupting active configuration
protocols: prevent infinite loop over tcp options
rna: call set_smb_fp_processor function in reload tuner
rna: do not do service discovery for future flows

2021-10-07: 3.1.14.0

appid: enhance RPC service detector to handle RPC Bind version 3
appid: fix update_allocations signature in unit test
appid: log appid daq trace first followed by subscriber modules
appid: provide api for Lua detectors to map process name to client app
doc: add descriptions for 119:265-271 builtin alerts
doc: update builtin stub rule reference strings
file: add file policy id and other config data as part of packet tracer command under File phase
file_api: add decompress_buffer_size
flow: add total flow latency to flowstats
http2_inspect: compare scanned bytes to total received during reassemble
http2_inspect: protect against reassemble with more than MAX_OCTETS
http_inspect: change format of normalized JS identifiers
ips_options: rename script_data buffer to js_data
latency: add configuration for implicit enable
lua: fix Talos tweak snaplen
rna: support CPE new os RNA event
snort_config: adding api for enabling latency module
utils: add custom i/o stream buffers to JS normalizer
utils: adjust output streambuffer expanding strategy and reserved memory
utils: fix compilation error of js_identifier_ctx_test for clang

2021-09-22: 3.1.13.0

appid: prioritize appid's client detection over third-party
appid: stay in success state after RPC is detected
builtins: add --dump-builtin-options
catch: enable benchmarking
cip, iec104: update stub rule messages for consistent format
control: explicitly include ctime header in control.h
detection: add fast patterns only once per service group
doc: add support for details on builtin rules in the reference
doc: update reference for 2:1 and 129:13
doc: update the documentation of "replace" option and "rewrite" action
doc: update user tutorial with '--enable-benchmark-tests' option
file_api: new api added for url
file_api: revert store processing flow in context
flow: don't do memcap pruning if pruning is in progress
host_cache: Avoid data race in cache size access
host_tracker: Removing unused methods
http_inspect: http_raw_trailer fast pattern
http_inspect: pass file_api the uri with the filename and extract the filename from the uri path
http_inspect: remove memrchr for portability
netflow: use device ip and template id to ensure that the template cache keys are unique
output: adopt the orphaned tag alert (2:1)
rna: Avoid data races in vlan and mac address
rna: Avoid infinite loop in ICMPv6 options
smb: added a null check when current_flow is not present
snort2lua: Fixed version output (issue #213); Thanks to A-Pisani for the fix
stream: change session_timeout default for tcp, ip, icmp and user
stream: fix session timeout of expired flows
trough: Avoid data race in file count
utils: add benchmark tests for JSNormalizer
utils: add reference and description for ClamAV test cases
utils: avoid using pubsetbuf which is STL implementation dependent
utils: fix typo in js_normalizer_test

2021-09-08: 3.1.12.0

decoder: icmp6 - use source and destination addresses from packet to compute icmp6 checksum when NAT is in effect
http_inspect: enable traces for JS Normalizer
http_inspect: include cookies in http_raw_header
http_inspect: reduce void space in HttpFlowData
stream_tcp: add pegs for maximum observed queue size
stream_tcp: normalize data when queue limits are enabled
stream_tcp: only update window on right edge acks
stream_tcp: set sequence number in trimmed packets up to the queue limit and increase defaults

2021-08-26: 3.1.11.0

build: update help for --enable-tsc-clock to include arm; Thanks to liangxwa01 for reporting the issue
codec: geneve: fix incorrect parsing of option header length
data_bus: support ordered call of handlers
dns, ssh: remove obsolete stream insert checks
doc: Add js_norm_max_template_nesting description
flow: introduce bidirectional flag for expected session
flow: set the client initiated flag before publishing the flow state setup event
framework: update base API version to 8
framework: version rollback
http_inspect: add builtin rule for consecutive commas in accept-encoding header
http_inspect: Add JavaScript template literals normalization
http_inspect: check if Normalizer has consumed input
http_inspect: hard-code infraction enum numbers
http_inspect: http_raw_header, http_raw_trailer field support
http_inspect: refactor NormalizedHeader
http_inspect: support more infractions and events
http_inspect: two new built-in rules
inspection: process wizard matches on defragged packets
ips: add action_map table to map rule types, eg block -> alert
ips: add action_override which applies to all rules
lua: update comments in the default config
modbus: check record length for write file record command
normalize: remove tcp.trim config
payload_injector: check if stream is established on flow rather than the packet flag to handle retries
policy: put inspection policy accessors in public space
policy: reorganize for sanity
README: mention vars in default config
sip: deprecate max_requestName_len in favor of max_request_name_len
smb: Invoke SMB debug in destructor when packet thread available
stream_tcp: update API called by payload_injector to check for unflushed queued TCP segments
style: remove crufty comments
style: remove C style (void) arglists
style: remove or update crufty preprocessor comments
utils: address compiler warning
utils: support streamed processing of JS text
wizard: support more HTTP and SIP methods

2021-08-11: 3.1.10.0

appid: update netbios-ss (SMB) detector to extract SMB domain from SMBv2, and more intelligently handle payload appid detection
appid: use packet thread odp context while creating SIP session
build: install DAQ modules and Snort plugins in separate folders
dce_smb: restore file tracker size post deletion
dns: add DNS splitter
doc: update user manual for identifier normalization
file_api: add infra and file debugs to existing debugging framework
ftp: remove unused defines and crufty comments
http_inspect: add JavaScript identifiers normalization
http_inspect: change the default value of request_body_app_detection config parameter to true
smtp: remove unused defines
ssh: handle traffic with invalid version string
ssh: handle version string packets that also contain key exchange data
stream_tcp: skip unordered segments if last flushed position already moved past
telnet: correct help for ayt_attack_thresh
wizard: add wizard max_pattern option and update HTTP/SIP aware methods patterns

2021-07-28: 3.1.9.0

actions: allow session data to stay accessible for loggers for reject rule action
byte_options: address compiler warnings
control: add idle expire removal to control channels
dump_stats: direct output back to command channel
events: use instance_id to make event_id unique across threads
file_api: handle file_cache inspection for non-zero offset
http2_inspect: change xor to or in assert that was failing due to uninitialized variable
http2_inspect: fix HPACK dynamic table size update management
http2_inspect: remove unused variables
http_inspect: add peg count for script bytes processed
http_inspect: add rule option http_raw_header_complete
http_inspect: don't allocate 0-length partial inspection buffer
ips_options: add catch tests for byte_test, byte_jump, byte_math, byte_extract
ips_options: address compiler warnings
ips_options: refactor byte_extract, byte_test, byte_math, byte_jump and related tests
lua: update HTTP/2 default_wizard hex with S2C pattern match
stats: update file and appid stats to use Log functions provided from stats.cc

2021-07-15: 3.1.8.0

appid: support SSH client detection through lua detector
dce_rpc: fix crash when expected session comes after snort reload
dce_rpc: handling raw packets
dce_smb: added trace messages and multiple level logging for SMB module
dce_smb: fixed macro definition for SMB_DEBUG
doc: fix build warnings; Thanks to jiangrj (github.com/jiangrij) for reporting the issue
dump_config: support modules without config options in text format
file_api: handling overlap segments
http2_inspect: clean data cutter internal state after exhausting flow depth
http_inspect: add built-in alert for script tags in a short form
packet_io: check if unreachable_candidate before sending unreachable
packet_io: unreachable packets shouldn't be sent for ICMP
snort2lua: set raw_data buffer for rawbytes and B flag in PCRE
wizard: make SSH spell more specific

2021-06-30: 3.1.7.0

appid: enhance netbios service detector to identify SMB versions as web app
appid: update documentation
appid: update the DNS detector to support the all record request
control: resolve socket issues due to race conditions
doc: updates for http2_inspect
framework: update base API version to 3
main: implement test_features run flag to enable debug-like output
mime: track memory for mime sessions
payload_injector: don't inject if there are unflushed S2C TCP packets queued
reputation: include list id for daq trace log
sfip: fix unit tests for non-regtest builds
snort2lua: fix lua conversion of unsupported http preproc options without parameters
snort2lua: remove footprint size config
stream: fix is_ack_valid to return true even when current ack is to the left of snd_una, per RFC793

2021-06-16: 3.1.6.0

appid: extract auxiliary ip when uri is provided by third-party
appid: perform detection on request body for HTTP2 traffic
appid: remove error message when userappid.conf is not present
appid: remove unused metadata offset functionality
appid: support fragmented metadata
appid: use 32 bits for storing protocol field in RPC port map message
codecs: geneve - add support for Geneve encapsulation
codecs: geneve - add vni to alert_csv and alert_json
codecs: support inner flow NAT
control: allow compile with shell disabled
control: clean up cppcheck issues
control: expose ContrlConn API
control: refactor control channel management to better handle control responses
control: remove SHELL compile flag from header
control: remove unused IdleProcessing functionality
dce_rpc: SMB multichannel - add smb multichannel file support
dce_rpc: SMB multichannel - handle negotiate command to create expected flow
dce_rpc: SMB multichannel - introduce locks
dce_rpc: SMB multichannel - make session cache global
dce_rpc: SMB multichannel - own memory tracking in global cache
dce_rpc: fix warnings
dce_rpc: handle reload prune for smb session cache
dce_rpc: store shared pointer of session tracker
doc: update JS normalizer options
file_api: increase file count only once per file
file_api: store processing flow in context
filters: change rate filter to use network policy id instead of ips policy id
filters: support rate filter to work with PDUs
flow: enable support for multiple expected sessions
ftp: create additional expected session if negotiated IP is different from server IP on packet
gtp : check protocol type according to gtp version
host_cache: remove unused lua mock code from the tests
http2_inspect: don't perform valid sequence check on rst_stream frame
http2_inspect: improve request line generation and checks
http2_inspect: rule options and doc clean up
http2_inspect: track dynamic table memory allocation
http_inspect: add JS Normalizer to dev_notes
http_inspect: add JS normalization for external scripts
http_inspect: additional memory tracking
http_inspect: extend built-in alerts for Javascript processing
http_inspect: improve MPSE in HttpJsNorm (script start conditions)
http_inspect: limit section size target for file processing
http_inspect: publish event for http/2 request bodies
http_inspect: support partial detect for Javascripts
http_inspect: track memory footprint of zlib inflation
http_inspect: update test mock api
iec104: delete trailing spaces
ips_options: fix intrusion alerts generation for tcp rpc PORTMAP traffic when rpc_decode is bound to the flow
main: add support for resuming particular thread
main: fix config dump for list-based inspector aliases
mime: store extra data in stash
packet_io: enable expected session flags
protocols: remove inline specifiers for functions defined within a structure declaration
pub_sub: add get_uri_host() to HttpEvent
pub_sub: update HttpEvent::get_host to get_authority - now always includes port if there is one
reputation: daq trace log
reputation: support auxiliary IP matching upon reload
rna: filter DHCP events and some refactoring
rna: update last seen time on deleted host rediscovery
stream: enable support for multiple expected sessions
stream_tcp: populate flow contents in context for non-wire packets
time: make Periodic class SO_PUBLIC
trace: place trace options under the DEBUG_MSGS macro
utils: fix warning about empty statement
utils: refactor JSTokenizer
utils: rework JSNormalizer class

2021-05-20: 3.1.5.0

appid: Publish an event when appid debug command is issued
appid: do memory accounting of api stash object, dns/tls/third-party sessions
appid: mark payload detection as done after either http request or response is inspected
appid: set monitor flags on future flows
dce_rpc: fix expected session protocol id
dce_rpc: update memory tracking for smb session data
dce_rpc: use find_else_insert in smb session cache to avoid deadlock
file_api: fix spell source error
flow: Adding stash API to save auxiliary IP
flow: Enhancing APIs to stash auxiliary IP
flow: memory tracking updates
hash: add new insert method in lru_cache_shared
http2_inspect: add assert in clear
http2_inspect: concurrent streams limit is configurable
http2_inspect: fix non-standard c++
http2_inspect: handle trailer after reaching flow depth
http2_inspect: implement window_update frame
http2_inspect: optimize processing after reaching flow depth
http2_inspect: track stream memory incrementally instead of all up front
http2_inspect: update discard print
http2_inspect: update state and delete streams after reaching flow depth
http_inspect: IP reputation support
http_inspect: don't disable detection for flow if it's an HTTP/2 flow
ips_options: fix relative base64_decode
memory: free_space cleanup
netflow: additional check before v5/v9 decode
netflow: version 9 decoding and filtering
packet_tracer: IPS daq trace log
packet_tracer: file daq trace log
parser: Remove rule merge in dump mode
parser: reduce RTNs only after states applied
reputation: track monitor ID via flow; minor code cleanup
shell: exit gracefully when sanbox lua is misconfigured
stream_tcp: Deleting session when both talker and listener are closed
stream_tcp: Using window base for reset validation

2021-04-21: 3.1.4.0

appid: (fix style) Local variable 'version' shadows outer variable
appid: Delete third-party connections with context only if third-party reload is not in progress
appid: clean up lua stack on C->lua function exit
appid: clean-up parameters in service_bootp
appid: detect payload based on dns host
appid: in continue state for ftp traffic, do not change service to unknown on validation failure
appid: monitor only the networks specified in rna configuration
appid: refactor to set http scan flags in one place
appid: remove detectors which are available in odp
appid: remove duplicate rtmp code
binder: update flow data inspector on a service change
build: add better support for flex lexer; Thanks to Özkan KIRIK and Moin for reporting the issue
codecs: use held packet SYN in Tcp header creation
copyright: Update year to 2021
dce_rpc: Added a cleanup condition for DCERPC in close request
dce_rpc: DCERPC Support over SMBv2
dce_rpc: Fixed prototype mismatch. Smb2Tid doesn't need to be inline
doc: add documentation for script_data ips option
doc: revert documentation related to script_data ips option
framework: Adding IT_FIRST inspector type to analyze the first packet of a flow
hash: prepond object creation in LRU cache find_else_create
host_tracker: fix bug in set_visibility
http2_inspect: fix possible read-after-free in hpack decoder
http2_inspect: free streams in completed/error state
http_inspect: fix end of script match after reload
http_inspect: remove detained inspection config
ips: allow null detection trees with negated lists
ips_options: add sticky buffer script_data ips option within normalized javascripts payload
main: Adding reload id to track config/module/policy reloads
main: Log holding verdict only if packet was actually held
main: Update memcap for detained packets
netflow: add device list configuration
netflow: add filter matching for v5 decoder
netflow: get correct zone info from packet
packet_io: If packet has no daq_instance, use thread-local daq_instance
packet_tracer: Appid daq trace log
packet_tracer: fix trace condition for setting IP_PROTO
payload_injector: send go away frame
pcre: revert change that disabled jit
reputation: Registering inspector to the IT_FIRST type
rna: add the smb fingerprint processor to the get_or_create / set processor api
ssl: refactoring SSLData out so it can be reused
stream: Add held packet to retry queue when requested
stream: Add partial_flush. Flush one side of flow immediately
stream: IP frag packets won't have a flow so do not try to hold them
stream: fetch held packet SYN
stream: fix race condition in HPQReloadTuner
stream: store held packet SYN
utils: enable Flex C++ mode via its option

2021-03-27: 3.1.3.0

actions: Dynamically construct the default eval order for all the loaded IPS actions
actions: Make all IPS actions pluggable
appid: Make netbios domain available through appid API
appid: SMB fingerprinting support
cmake: Add flex build dependency
dce_rpc: Refactor SMB code
detection: Update detection.alert, to be used instead of reputation.total_alerts
detection: Update dump_rule_meta function to only print rules from default IPS policy
detection: Update the rtn's listHead to reflect the new action set in the rule state
doc: Update http_inspect feature documentation
flow: Add packet tracer output to DAQ expected flow requests
host_tracker: Fully populate local hostclient before logging
http2_inspect: Alert on uppercase header name encoded in HPACK
http_inspect: Add JavaScript whitespace normalization
http_inspect: Add normalization_depth config option
http_inspect: Alert on HTTP/2 upgrade attempts
http_inspect: Integrate JSNormalizer (whitespace normalization) keeping the old one
packet_io: Update for the removal of the RETRY DAQ verdict
packet_tracer: Do not log non-IP packets when enabled from shell and a constraint is set
parser: Support duped RTN if its header has been changed
rate_filter: Get the available IPS actions dynamically to configure the new_action
rna: Make discovery filter use client and server interfaces if they are not unknown
rna: SMB fingerprinting support
snort2lua: Delete conversion of disable_replace option
snort2lua: Fix lua conversion of http preproc options
snort: Add -h to output the help overview (same as --help)
snort_config: Remove is_active_enabled and set_active_enabled functions
style: Change C++ comment NULL to null
style: Remove unnecessary cruft
style: Remove unused cruft
utils: Add JSNormalizer

2021-03-11: 3.1.2.0

action_manager: Remove unused cached reject action
appid: Always get appid inspector from default inspection policy
appid: Fixes for cppcheck warnings
appid: Get uri from http event even when http host is not present
appid: Load lua detectors for packet threads from compiled lua bytecode during detector reload
appid: Remove app forecast method
appid: Remove detectors for obsolete apps - AOL instant messenger and Yahoo messenger
appid: Send reloading detectors message to socket immediately
appid: Update IMAP service detector pattern
appid: Use opportunistic tls event to set decryption countdown for SMTP detector
binder: Apply host attribute table information at the beginning of flow setup
binder: Clean up std namespace usage
binder: Use service inspector caching to improve get_gadget() performance
binder: Use the first match for non-terminal binding usage
build: Do one more pass of modernizing the C++ code
dce_rpc: Handle async responses in smbv2
dce_rpc: Pass proper file id in file api from smb1
decompress: Add support for streaming ZIPs
detection: Use IP and port variables from the targeted policy
doc: Remove http detained inspection from user manual
doc: Update documentation for ips.states
file_magic: Add pattern for pcapng
flow: Add new flag to indicate elephant flow
ftp_telnet: Implement init_partial_flush for ftp data
ftp_telnet: Respect telnet_cmds config for raising 125:1
host_attributes: Update api to reduce use of shared_pointer
http2_inspect: Limit number of concurrent streams
http2_inspect: Process rst_stream frame
http_inspect: IPv6 authority in URI
http_inspect: Javascript support cleanup
http_inspect: Partial inspection for 0 length chunk
http_inspect: Remove detained inspection
http_inspect: Remove unused events
http_inspect: Temporarily restore detained_inspection parameter
iec104: Add documentation for iec104 service inspector
iec104: Additional input sanitization, syntax, and style changes
iec104: Integrate new iec104 protocol service inspector
inspector_manager: Instantiate default binder as long as a wizard or stream are present
ips_options: Update cursor position for relative pcre
ipv4: Correct the calculation for illegal fragment offset checks
log: Add printf format attribute to TextLog_Print() and clean up the fallout
log: Base logging the Ethernet header on proto bits rather than DLT
loggers: Fix excessive byte reordering when printing MPLS labels in CSV and JSON
main: Fix accumulating and printing codec stats at run time
managers: Enforce strict parsing for binder aliases
managers: Pass the configuration to default module's end()
managers: Perform sanity checks on set_alias() parameters
memory: Free memory space while updating allocation
module: Introduced new api to clear global active module counters
module_manager: Enforce interest in global modules only in the default policy
mpls: Add next layer autodetection and implement codec logging
mpls: Refactor mpls.enable_mpls_overlapping_ip into packet.mpls_agnostic
mpls: Remove enable_mpls_multicast option
packet_capture: Add group filter for packet capture
packet_tracer: Add daq buffer to hold daq logs
perf_monitor: Fix finalizing JSON output files for trackers
portscan: Fix decoy and distributed scan logic
portscan: Fix delimiter for ports in config
portscan: Fix IP scans not alerting
protocols: Add initial support for multilayer compound codecs
protocols: Add peg count for decodes that exceeded the max layers
protocols: Consistently encapsulate exported protocol headers in the snort namespace
reputation: Add peg count for total alerts
reputation: Remove deprecated redundant terms
rna: Discover NetBIOS name
snort: Clear snort counter for modules, daq, file_id, appid
snort: Update for DAQ_FlowStats_t structure and field name changes
snort_config: Clean up and annotate command line config merge process
snort_config: Remove unnecessary command line options
stream: Always use latest splitter from tracker after paf_check
stream: Do not update service from appid to host attributes if nothing is changed
stream: Set block pending flag when a flow is dropped
stream_tcp: Ensure flows aren't pruned while processing a PDU
stream_tcp: Flush queued segments when FIN is received
stream_tcp: Support data on SYN by default with or without Fast Open option
trans_bridge: Lift the log() implementation from the root Ethernet codec
wizard: Add support for sslv2 detection

2021-01-28: 3.1.1.0

appid: Add support for snmpv3 report pdu
appid: Always store container session api object in stash
appid: Do not process sip event for an existing session after detector reload
appid: Remove unused code; cleanup FIXIT comments related to reload
appid: Send reload detectors and third-party messages to socket immediately if appid is not enabled
codecs: Update tcp naptha check to make sure it is ipv4 traffic
file_api: Remove file context after file name set if processing is complete
file_api: Stop processing signature when type verdict is 'FILE_VERDICT_STOP'
flow: Update direction and interface info in HA flow
ftp: Use Stream packet holding to handle ftp-data EoF
http_inspect: Add chunked processing to dev notes
http_inspect: Provide file_id to set file name and read new return value
http_inspect: Validate and normalize scheme
http_inspect: Validate URI scheme length
inspector: Add a global reference count for uses that are not thread specific
lrucache: Changes for memcap for support constant cache objects with variable size
managers: Clean all inactive inspectors warning about ones that are still referenced
mime: Provide file_id to set file name and read new return value
payload_injector: Inject settings frame
rna: Minimize synchronization overhead

2021-01-13: 3.1.0.0

appid: Store stats in map
appid: Tear down third-party when appid gets disabled
build: Add support for version sublevel and build via CMake
dce_rpc: Handle Flow from File inspection
host_cache: Add command to output host_cache usage, pegs, and memcap
http2_inspect: Add total_bytes peg to track HTTP/2 data bytes inspected
http_inspect: Abort on HTTP/2 connection preface
http_inspect: Add total_bytes peg to track HTTP data bytes inspected
http_inspect: Alert on truncated chunked and content-length message bodies
http_inspect: Support stretch for Http2
log: Reuse TextLog buffer for a large data; Thanks to Chris White for reporting the issue
packet_io: IDS mode should not give blacklist verdict for Intrusion event
rna: Fix version, vendor and user string comparison at maximum length
rna: Perform appropriate filter check based on the event type
rna: Revert rna performance optimizations
rpc_decode: Implement adjust_to_fit for RPC splitter
stream_tcp: Delete redundant calls to check if the tcp packet contains a data payload
stream_tcp: Fix issues causing overrun of the pdu reassembly buffer, make splitters authoritative of size of the reassembled pdu
stream_tcp: On midstream pickup, when first packet is a data segment, set flag on talker tracker to reinit seglist base seg on first received data packet
stream_tcp: Remove obsolete flush_data_ready() function

2020-12-20: 3.0.3 build 6

active: Fix falling back on using raw IP for active responses when no device is specified
appid: Add support for apps, http host, url and tls host in HA
appid: Allow checking appid availability for a given http/2 stream
appid: Change terms used in code, logs and peg counts
appid: Do not override http fields with empty values
appid: Dump userappid configurations upon reloading third-party
appid: For http2 flow, return service id as http2 when no streams are yet created
appid: Mark reload third-party complete after unloading old library and creating new third-party context
appid: Print more descriptive error message when lua detector registers invalid pattern
binder: Pass service to get_bindings on flow service change
binder: Specify service inspector type when getting a gadget instance
build: Clean up various cppcheck warnings
catch: Avoid using INTERNAL_CATCH_UNIQUE_NAME in our headers
catch: Update to Catch v2.13.3
dce_rpc: Fixed incorrect access of FileFlows while pruning the flow
file_api: Fixed stats which weren't cleared when there were no stats for signature processing
file_api: Handle resume block when multiple file rules are configured with store option enabled
flow: Pause logging during timeout processing
helpers: Handle SIGILL and SIGFPE with the oops handler
high_availability: Add check for packet key equals HA key before consume
host_attributes: Better error handling for reload to eliminate double free and memory leaks
http2_inspect: Check for invalid flags
http2_inspect: Fix bug with exceeding inspection depth
http2_inspect: Fix empty queue access and some bookkeeping
http2_inspect: Handle connection close during headers frames
http2_inspect: Handle discard
http2_inspect: HI error handling improvements
http2_inspect: Improve error handling
http2_inspect: Remove 0 length scan for most cases
http_inspect: Explicit memory allocation for transactions and partial inspections
http_inspect: Script detection for HTTP/2
inspector_manager: Remove unused inspector_exists_in_any_policy() function
inspector: Remove obsolete metapacket processing functionality
main: Convert Request to shared_ptr to avoid memory problems
main: Fix memory leak in reload_config() caused by incorrect code merge
managers: Add inspector type in the help module output
managers: Don't allow a referenced inspector to stall emptying the trash
managers: Track removed inspectors during reload and call tear_down and tterm to release resources
packet_io: Export forwarding_packet() function
packet_tracer: Fix the debug session information for non-ip packets
parser: Add escaping for double quotes and special chars in a rule body
parser: Fix escape logic for --dump-rule-meta output
reload: Reset default policies after failed reload
request: Expose methods to be used in plugins
rna: Do null check in the Inspector rather than the Module in the control commands
rna: Generate new host event for CDP traffic
rna: Make the mac cache persist over reload config
rna: Reduce host cache lock usage to improve performance
rna: Remove unused function
rna: Replace some tabs with spaces as per style guidelines
rna: Support data purge command
rna: Support DHCP fingerprint matching and event generation
rna: Use service ip and port provided by appid for DHCP discovery events
shell: Change terms used in code, logs and peg counts
shell: Support for loading configuration in lua sandbox
snort: Add OopsHandlerSuspend for suspending Snort's crash handler
stream: Fix stream clean up when going from enabled to disabled
stream_ha: Only flush on HA deactivate if not in STANDBY, set HA state to STANDBY when new Flow is created
stream_tcp: Initialize the alerts array to empty when a TcpReassembler instance is initialized or reset
stream_tcp: Set interfaces in both directions

2020-11-16: 3.0.3 build 5

appid: Add unit test to verify HA data for flow unmonitored by appid
appid: Handle cppcheck warnings
appid: Prefix http/2 decrypted urls with https://
appid: Support client login failure event
flow: Do not remove the flow during pruning/reload during IPS event with block action
flow: Flesh out swap_roles() to swap more client/server fields
flow: Set client initiated flag based on DAQ reverse flow flag, track on syn config, and syn-ack packet
ftp: Handle FTP detection when ftp data segment size changes
host_tracker: Ignore IP family when comparing SfIp keys in the host cache
http2_inspect: Data frame redesign
http2_inspect: Multi-segment reassemble discard bug fix
http2_inspect: Perform hpack decoding on push_promise frames
http2_inspect: Refactor data cutter
http2_inspect: Refactor scan()
http2_inspect: Remove const cast
http2_inspect: Send push_promise frames through http_inspect
ips_options: Don't move cursor in byte_math
main: Set up logging flags globally to avoid dependencies on a particular SnortConfig object
payload_injector: Refactoring
payload_injector: Remove content length and connection for HTTP/2
rna: Add command to delete MAC hosts and protos
rna: Delete payloads when clients, services are deleted; add unit tests
rna: Discover banner on service version or response events
rna: Don't process packet in eval if eth bit not set
rna: Log src mac from packet containing CDP message when host type change event is generated
rna: Support banner discovery
rna: Support change service event with null version and vendor
rna: Support user login failure discovery
smtp: Make sure the ssl search abandoned flag is preserved for reset
stream_tcp: Remove redundant/unneeded asserts that check if tcp event is for a meta-ack psuedo-packet
thread_config: Show thread ID when logging binding information
trace: Add missing packet information to some of the messages

2020-10-27: 3.0.3 build 4

actions: Add support to react for HTTP/2
appid: Fix -Wunused-private-field Clang warning in service_state.h
build: Various build fixes for OS X
file_api: Remove deletion of file_mempool
framework: Fix ConnectorConfig dtor to be virtual
ips: Move IPS variables to sub-tables which designate type
lua: Update default_variables with 'nets', 'paths', and 'ports' tables in snort_defaults.lua
module: Fix modules that accept their configuration as a list
payload_injector: Support pages > 16k
rna: Add unit tests for TCP fingerprint methods
snort: Remove support for -S option
src: Clean up zero-initialization of arrays
tools: Update snort2lua to convert custom variables into ips.variables.nets/.paths/.ports tables
trace: Add timestamps in trace log messages for stdout logger

2020-10-22: 3.0.3 build 3

actions: Update react documentation
actions: Use payload_injector for react
appid: Add service group and asid in AppIdServiceStateKey
appid: Continue appid inspection after third-party identifies an application
appid: Do not reset third-party session after third-party reload
build: Updates for libdaq changes that introduce significant groups in flow stats
codecs: Remove PIM and Mobility from bad protocol lists
dce_rpc: Add ingress/egress group and asid in SmbFlowKey and Smb2SidHashKey
doc: Tweak the template regex in get_differences.rb
dump_config: Don't print names for list elements
file_api: Add ingress/egress group and asid in FileHashKey
file_magic: Update POSIX tar archive pattern
flow: Add source/dest group id in flow key
flow: Stale and deleted flows due to EOF should generate would have dropped event
ftp_data: Add can_start_tls() support and generate ssl search abandoned event for unencrypted data channels
host_cache: Add delete host, network protocol, transport protocol, client, service, tcp fingerprint and user agent fingerprint commands
host_tracker: Implement client and server delete commands
http2_inspect: Handle stream creation for push promise frames
ips_options: Fix retry calculation in IPS content when handling "within" field
lua: Use default IPS variables in the default config
main: Add lua variables for snort version and build
managers: Delete obsolete variable parsing code
managers: Skip snort_set lua function for non-table top level keys in finalize.lua
meta: Do not dump elided header fields or default message
meta: Dump full rule field
meta: Dump missing port field
packet: Add two new apis to parse ingress/egress group from packet's daq pkt_hdr
packet_tracer: Add groups in logging based on significant groups flag
port_scan: Add group and asid in PS_HASH_KEY
rna: Change ip to client instead of server for login events
rna: Change logic for payload discovery, eventing
rna: Conditionalize reload tuner registration on get_inspector()
rna: Log user-agent device information
rna: Move registration of reload tuner to configure()
snort2lua: Update comments for deleted rule_state options
ssh: Fix code indentation and CI breakage
ssh: SSH splitter implementation
stream: Initialize flow key's flags.ubits with 0
stream_tcp: Don't attempt to drop 'meta_ack packets', there is no wire packet for these acks
style: Clean up accumulated tabs and trailing whitespace
trace: Refactor the test code
trace: Skip trace reload if no initial config present
utils: Add a generic function to get random seeds

2020-10-07: 3.0.3 build 2

appid: Create events for client user name, id and login success
appid: Inform third-party about snort's idle state during reload
appid: Reload detector patterns on reload_config for the sake of hyperscan
appid: Update appid to use instance based reload tuner
binder: Allow binding based on address spaces
binder: Allow directional binding based on interfaces
binder: Enforce directionality, add intfs, rename groups, cleanup
framework: Update packet constraints comparison to check only set fields
host_tracker: Update host tracker to use instance based reload tuner
http2_inspect: Fix frame padding handling
http2_inspect: Free up HI flow data when we are finished with it
http2_inspect: Stream state tracking
http_inspect: Implement can_start_tls(), add support of ssl search abandoned event
http_inspect: Support for custom xff type headers
main: Change reload memcap framework to use object instances
main: Remove deprecated rule_state module
main: Update host attribute class to use instance based reload tuner
normalizer: Move TTL configuration toggle to inspector configure()
perf_monitor: Update perf monitor to use instance based reload tuner
policy: Copy uuid, user_policy_id, and policy_mode when an inspection policy is cloned
pop: Generate alert for unknown command if file policy is attached
port_scan: Update port scan to use instance based reload tuner
rna: Add event_time to rna logger events
rna: Add payload discovery logic
rna: Check user-agent processor early to skip some work
rna: Port host type discovery logic
rna: Set the thread local fingerprint processors during reload_config
rna: Update rna to use instance based reload tuner
rna: Update methods for user-agent processor
rna: User discovery for successful login
snort2lua: Convert rule_state into ips.states
stream_tcp: Update trace messages to use trace framework
stream: Update stream to use instance based reload tuner
trace: Update parser unit tests
wizard: Clean up parameter parsing and make it a bit stricter

2020-09-23: 3.0.3 build 1

ac_bnfa: Disable broken fail state reduction
appid: Check third party context version while deleting connections
appid: Use third party payload if available for HTTP tunneled
cmake: Support cmake build type configuration
dce_rpc: Handle compound requests for upload
dce_rpc: Modify logs to show if file context is found or not found
dump_config: Sort config options before printing
file_api: Update lookup and block timeout from config at file cache creation
flowbits: Evaluate checkers after setters for fast pattern matches
ftp: Add APPE to upload commands
http2_inspect: Convert to new stream states
http2_inspect: Fix how implement_reassemble uses frame_type
http2_inspect: Refactor HI interactions out of frame constructors
http_inspect: Extract filename from content-disposition header for HTTP uploads
module_manager: Keep a list of modules supporting reload_module
netflow: Cache support and more v5 decoding
payload_injector: Don't inject if stream id is even
profiler: Fix issue where flushed pattern matches caused rule_eval to be profiled under mpse
reputation: Change terms used in code, logs, and peg counts
rna: Add unit test to validate VLAN handling
rna: Avoid conflicts with other fingerprint definitions
rna: Service discovery with multiple vendor and version support
rna: Support user agent fingerprints
s7commplus: V3 header support
search_engine: Fix peg type for max_queued
stream_tcp: Add an assert to catch tcp state/event combination that should not occur
stream_tcp: Add PegCount for tcp packets received with an invalid ack
stream_tcp: Arrange TCP tracker member vars to optimize storage requirements, add helper functions to access private splitter functions
stream_tcp: Delete redundant calls to flush data when FIN is received
stream_tcp: Delete unused packet action flags, set action flags via its setter
stream_tcp: Fix issues with stream_tcp handling of the TCP MSS option
stream_tcp: Handle bad tcp packets consistently when normalizing in ips mode
stream_tcp: Implement helper function to return true if the TCP packet is a data segment, false otherwise
stream_tcp: Merge the setup methods of the TcpStreamSession and TcpSession classes into a single method in TcpSession
stream_tcp: Refactor tcp handling of no flags to drop packet before any processing, don't generate event
stream_tcp: Refactor tracker and reassembler classes to improve encapsulation and move member variables to appropriate class
stream_tcp: Remove FIXIT-H because by definition an Ack Sent event in TcpStateNone means the SYN-ACK was not seen, so no way to do the check suggested
stream_tcp: Remove FIXIT-H to add ack validation, the ack is already validated when processed on the listener side
target_based: Support reload of host attribute table via signal as well as control channel command

2020-09-13: 3.0.2 build 6

active: Remove per packet prevent trust action
appid: Add check for nullptr before setting tls host
appid: Clear services set in host attribute table upon detector reload
appid: Detect SMTP after decryption
appid: Dump user appid configuration on reload detectors
appid: Generate events for service info changes
appid: Pass snort protocol id instead of appid while creating future flow
appid: Reorder third-party reload to keep only one handle open at a time
appid: Send swap response for reload_odp and reload_third_party commands in control thread
appid: Set payload to unknown for out-of-order flows
appid: Skip detection for existing sessions after detector reload; rename reload_odp command to reload_detectors
appid: Support json logging in appid_listener
appid: Update appid stats for decrypted flows
appid: Update appid warning messages to print module name in lowercase
build: Fix minor cppcheck warnings
build: Updates for libdaq changes to interface group field width and naming
byte_jump: Fix jump relative to extracted length w/o relative offset
cmake: Restore accidentally removed caching of static DAQ modules
dce_rpc: Introduce smb2 logs
doc: Update the config dump in JSON format (all policies)
doc: Update the config dump in JSON format (main policy)
doc: Update trace.txt with info about 'trace.modules.all' option
dump_config: Add --dump-config="top" to dump the main policy config only
dump_config: Dump config in JSON format to stdout
file_api: Increase default max_files_per_flow limit to 128
flow: Add a deferred trust class to allow plugins to defer trusting sessions
flow: Disabled inspection for FlowState::RESET
flow: Reset the flow before removing
helpers: Add unit tests for special characters escaping
helpers: Fix build on systems without sigaction
helpers: Rework DiscoveryFilter to monitor IP lists based on interface rather than group
helpers: Use sig_t instead of sighandler_t for better BSD compatibility
host_tracker: Fix allocator unit test to work on 32-bit systems again
http2_inspect: Convert circular_array to std:vector
http2_inspect: Fix continuation frame check
http2_inspect: Fix hpack dynamic table init
http2_inspect: Prepare http2_inspect and http_inspect for HTTP/2 trailers
http2_inspect: Refactor hpack decoding and send trailer to http_inspect for processing
http_inspect: Declare get_type_expected const
http_inspect: Don't use the URL to cache file verdicts for uploads
http_inspect: Script detection
http_inspect: Script detection and concurrency fixes
http_inspect: Support hyperscan literal search for accelerated blocking
http_method: Make available for fast pattern with first body section
imap: Publish OPPORTUNISTIC_TLS_EVENT on successfull completion on START_TLS, add a new state to avoid publishing start_tls events multiple times
ips_options: Ensure all options use base class hash and compare methods
ips: Use the policies in the flow when creating pseudo packet
main: Turn off signal handlers later to catch more during snort shutdown
managers: Immediately stop executing inspectors when inspection is disabled
mime: Fix off-by-1 error with filename and email id capture
mime: Minor code cleanup
netflow: Introduce netflow as a service inspector
packet_io: Added reason for ActiveStatus WOULD
packet_io: Do not allow trust unless the action is allow or trust
payload_injector: Assume http1, if packet does not have a gadget
payload_injector: Fix warning
payload_injector: Support http2 injection
payload_injector: Support translation of header field value with length > 127
perf_monitor: Convert the perf_monitor inspector configure warnings to errors
pop: Publish start_tls events, support for ssl search abandoned
reputation: Change from group-based to interface-based IP lists
rna: Add protocols on logging host trackers
rna: Implement update_timeout for MAC hosts
rna: Remove dependency on uuid library
rna: Remove redefinition of USHRT_MAX
rna: Removing unused command and exporting swapper
rna: Support client discovery from appid event changes
rna: Support service discovery from appid event changes
rna: Tcp fingerprints configuration, storage, matching and event generation
snort2lua: Remove obsolete and unused code
snort2lua: Remove unused unit test files
snort: Address fatal shutdown stability issues
stream_ip: Fix zero fragment built-in rule triggering for some reassembly policies
style: Replace some tabs that snuck in with proper spaces
tests: Fix the majority of memory leaks in CppUTest unit tests
trace: Add support for modules.all option
trace: Update loggers to support extended output with n-tuple packet info
utils: Add sys/time.h to util.h for struct timeval definition
wizard: Fix the error message about invalid pattern

2020-08-12: 3.0.2 build 5

cip: Fix the trailing parameter for the module
dce_rpc: Set dce_rpc as a control channel inspector
flow: Check expected flows in flow control and add direction swap flag to expected flows
framework: Add an API to check if the module can be bound in the binder
ftp: Add opportunistic TLS support
ftp: Fix direction for active FTP data transfers
helpers: Extend printed JSON syntax
http2_inpsect: Fix for flush on data frame boundray w/o end of stream
http_inspect: Do finish() after partial inspection
lua: Add TCP port 80 binding to the connectivity and balanced tweaks
main: Add printing modules help in JSON format
managers: Print the instance type of the inspector module with --help-module
rna: Add RNA MAC-based discovery logic
rna: Discover network and transport protocols
stream_tcp: Add check to prevent reentry to TCP session cleanup when flushing a PDU

2020-08-06: 3.0.2 build 4

appid: Clear service appid entries in dynamic host cache on ODP reload
appid: Generate event notification when dns host is set
dce_rpc: Fix for smb crash while tcp session pruning
dce_rpc: Fix for smb session cleanup issue
dce_rpc: Use file name hash as file id
doc: Add documentation for dumping consolidated config in text format
flow: Fixing free_flow_data logic
http_inspect: Code clean up
http_inspect: Test tool enhancement
main: Dump consolidated config in the text format
rna: Fix redefined macro warnings in between unit-test tools
rna: TCP fingerprint input and retrieval
utils: Keep deprecated attribute table pegcounts

2020-07-28: 3.0.2 build 3

active: Move Active enabled flag into SnortConfig
appid: For http traffic, if payload cannot be detected, set it to unknown
appid: Move appid data needed by external components to stash
appid: Support ODP reload for multiple packet threads and new session
dce_rpc: Improve PAF autodetection for heavily segmented TCP traffic
doc: Split Snort manual into separate user, reference, and upgrade docs
doc: Update default text manuals
doc: Update extending.txt about TraceLogger plugin
file_api: Log event generated when lookup timedout
ftp_telnet: Remove global config variable shared between multiple threads to prevent data race
http2_inpsect: Fix interaction with tool tcpclose
http2_inspect: Fix stream_in_hi
http2_inspect: General code cleanup
http_inspect: Do partial inspections incrementally
http_inspect: Reduce memory used by partial inspections
main: Rename the config options to ignore flowbits and rules warnings
parser: Add support for variables with each ips policy
payload_injector: Add HTTP page translation
payload_injector: Extend utility to support HTTP/2 (no injection)
pub_sub: Added a method in HttpEvent to retrieve true client-ip address from HTTP header based on priority
rna: Fingerprint reader class and lookup table for tcp fingerprints
snort_defaults: Remove the NOTIFY, SUBSCRIBE, and UPDATE HTTP methods
stream_tcp: Only perform paws validation on real packets, skip this on meta-ack packets
stream_tcp: When clearing a session during meta-ack processing pass a nullptr as the Packet* parameter
target_based: Add mutex lock to ensure host service accesses are thread safe
target_based: Move host attribute peg counts from the process pegs to stats specific to host attribute operations
target_based: Refactor host attribute to use the LruCacheShared data store class to support thread safe access
target_based: Streamline host attribute table activate and swap logic on startup and reload
trace: Add support for extending TraceLogger as a passive inspector plugin
wizard: Abandon the wizard on UDP flows after the first packet
wizard: Abort the splitter once we've hit the max PDU size
wizard: Add peg counts for abandoned searches per protocol
wizard: Improve wizard tracing to indicate direction and abandonment
wizard: Properly terminate hex matching
wizard: Report spell and hex configuration errors and warnings

2020-07-15: 3.0.2 build 2

appid: Moving thread local ODP stuff to a new class
binder: delete obsolete network_policy parsing code
build: Fix static analyzer complaints about unused stored values
daq: Fix calculation of outstanding packets stat to properly use the delta
dce_rpc: adding support for multiple smbv2 sessions for same tcp connection
dce_rpc: Invalid endpoint mapper message
dce_rpc: SMB ID invalid memory access
http_inspect: send MIME full message body for file processing
main: add config options --ignore-warn-rules and --ignore-warn-flowbits to snort module
mime: mime no longer overwrites file_data buffer for http packets
smtp: generate SSL_SEARCH_ABANDONED event when no STARTTLS is detected
smtp: support opportunistic SSL/TLS switch over
stream_tcp: coding style improvements
stream_tcp: eliminate direct references to the Packet* wherevever possible within the TCP state machine context
stream_tcp: eliminate use of STREAM_INSERT_OK as return code, it conveyed no useful information and was ultimately unused
stream_tcp: implement meta-ack pseudo packet as thread local that is reused on each meta-ack TSD
stream_tcp: implement support for processing meta-ack information when present
stream_tcp: meta-ack from daq is in network order not host, remove conversion from host to network
stream_tcp: process meta-ack info in any flush policy mode
trace: add support for DAQ trace filtering

2020-07-06: 3.0.2 build 1

appid: Appid coverity issues
appid: Create lua states and lua detectors in control thread
appid: Delete stale third-party connections when reloading third-party on midstream
appid: Fix the format of the IPv6 strings in the Service State unit tests
appid: include appid session api in appid event
appid: use configured search method for multi-pattern matching
build: Eradicate u_int usage
build: Fix unit tests to build and work properly on a 32-bit system
build: Fix various cppcheck warnings about constness
build: Increment version to 3.0.2
build: Miscellaneous 32-bit build fixes
build: Use sanity check results (HAVE_*) for optional packages in CMake
cmake: Properly handle SIGNALSNORT* options in configure_cmake.sh
codecs: add tunnel bypass logic based on DAQ payload_offset
dce_tcp: parse only endpoint mapper messages
detection: remove checksum drop fixit
detection: remove unused code
framework: fix global data bus cloning during reload module and policy
helpers: Add a signal-safe formatted printing utility class
helpers: Add support for dumping a backtrace via libunwind on fatal signals
helpers: Dump additional information to stderr when a fatal signal is received
helpers: Revamp signal handler installation and removal
http2_inspect: Make print_flow_issues() regtest-only
inspectors: add a virtual disable method for controls
ips: add http fast pattern buffers
ips: add ips service vs buffer checks; add missing services
ips: enable non-service rules when service is detected
ips: minimize port group construction for any-any and bidirectional rules
ips: refactor fast pattern selection
ips: update detection trees for earliest header checks
main: configure and set main thread affinity
main: set thread type for main thread
managers: format lua whitelist output and ignore internal whitelist keywords
max_detect: detained inspection disabled pending further work
mpse: remove unused pattern trimming support
oops_handler: Operate on DAQ message instead of Snort Packets
payload_injector: add payload injection utility
regex: convert to same syntax as pcre plus fast_pattern option
rna: Adding initial support for reload_fingerprint command
rna: remove custom_fingerprint_dir from configuration
snort_defaults.lua: remove unused AIM_SERVERS var
snort: fix --dump-rule-meta with ips.states
stream_ip: Avoid modifying the original fragmented packet during rebuild
stream_ip: use lowercase fragmentation policy names for verbose output
stream: lock xtradata stream_impl to avoid data race on logging
trace: add thread type and thread instance id to each log message for stdout logger
tweaks: enable file signature for sec and max until depth issue resolved
tweaks: updates for efficacy and performance
wizard: Add FTP pattern to recognize FileZilla FTP Server

2020-06-18: 3.0.1 build 5

actions: on a reload_config() free the memory allocated for react page on previous configuration loading
actions: refactor to store react page response in std::string
active: add a facility to prevent a DAQ whitelist verdict
appid: add api to check if appid needs inspection
appid: add braces to fix static analysis complaint
appid: add response message to reload_third_party
appid: check fqn before registering rrt
appid: for http2, if metadata doesn't give a match on payload, set payload id to unknown
appid: free memory allocated when appid is configured initially and then not configured on a subsequent reload
appid: lua APIs to get IP and port tunneled through a proxy
appid: match http2 response to request
appid: remove unnecessary stuff from appid apis
appid: revert snort protocol id changes and fixed warnings
appid: set appid_tlshost_bit when we set tls_cname
appid: set snort protocol id on the flow and remove ssl squelch code
appid: update cert viz API to handle subject alt name and SNI mismatch
codecs: fix issues found by static analysis
dce_rpc: suppport for DCE/RPC future session
detection: do not apply global rule state to the empty policy
doc: update user manual for trace feature
file_api: making sure that file malware inspection is turned off and only file-type detection is enabled when file_id config is defined without any parameter
flow: make client_initiated flag depend on the DAQ reverse flow flag
hash: replace the cache entry if found
host_cache: add new peg to module test
host_cache: allowing module to accept 64 bit memcap value
http2_inspect: fix hpack infractions
http2_inspect: partial inspect with less than 8 bytes of frame header in the same packet
http2_inspect: track memory usage for http_inspect flows in http2_inspect
log: fix issues found by static analysis
managers: add inspector execution and timing traces to InspectorManager
packet: add client and server direction methods that use the client initiator flow flag
parser: free memory allocated for RTN when SO rule load fails
parser: print loaded and shared rules for each ips policy
perf_monitor: fix count and interval during disable cli execution
port_scan: cleanup port scan memory allocations in module tterm
rpc_decode: remove unused config object
search_engines: fix potential memory leaks and an error in a printed value
service_inspectors: remove some redundant initializations and lookups, move some field initializations into the constructor
shell: if initial load of snort configuration fails release memory allocated for modules and plugins
snort2lua: deprecate react::msg option, display of rule message in react page not currently supported
snort2lua: fix issues found by static analysis
snort_config: only perform FatalError cleanup from main thread
stream: add final check to free allocated memory when module tterm is called
stream: fixed ip family in the flow->key during StreamHAClient::consume
stream_tcp: fix issues for tcp simultaneous close
stream_tcp: unconditionally release held packets that have timed out, regardless of flushing
trace: add control channel command
trace: add support for passing in the packet pointer to loggers
trace: filter traces by packet constraints
trace: fix for trace messages in the test-mode ('-T' option)
trace: remove redundant include

2020-05-20: 3.0.1 build 4

appid: Do not allocate DNS session for non-DNS flows and update memory tracker for HTTP sessions
appid: Get inspector for the current snort config during reload
binder: print configured bindings in show() method
build: fix cppcheck warnings and typos
coverity: fixed issues discovered by Coverity tool
daq: Configure DAQ instances with total instances and instance IDs
dce_rpc: code style cleanups
dce_rpc: generate alert when dce splitter aborts due to invalid fragment length
flow: If a retry packet does not belong to a flow, block it
ftp_telnet: fix FTP race condition
http2_inspect: change partial flush handling
log: do not truncate config option names in ConfigLogger
loggers: when logging alert only use inspector buffers and name when the inspector's paf splitter is assigned for the direction of the alert"
main: Fixing some issues reported by Coverity
managers: print alphabetically sorted verbose inspector config output within an inspection policy
mpse: constify snort config args
network_inspectors: Fixing a few minor issues reported by Coverity
parser: print enabled rules for each ips policy
search_tool: refactor initialization
snort_config: constify Inspector::show and remove unnecessary logger args
snort_config: make const for packet threads
snort_config: minimize thread local access to snort_config
snort_config: pseudo packet initialization
snort_config: refactor access methods
snort_config: use provided conf
stream: add a configurable timeout for held packets
stream: move held packet timeout to Stream and support changing it on reload
stream_tcp: call splitter->finish() before reassemble() when flushing when PAF aborts due to gap in queued data
stream_tcp: change the DAQ verdict from drop to blacklist for held packets that timed out
stream_tcp: clear gadget from Flow object once fallback has happened in both directions
stream_tcp: only clear gadget after both splitters have aborted
stream_tcp: when paf aborts due to gap in data set splitter state to ABORT
trace: move module trace configuration into the trace module

2020-05-06: 3.0.1 build 3

appid: Do not process retry packets but continue processing future packets in AppId
appid: Extract metadata for tunneled HTTP session
appid: Make unit tests multithread safe
appid: On API call store new values and publish an event for them immediately
appid: remove old http2 support
appid: store appids for http traffic in http session
appid: support for multi-stream http2 session
appid: Update miscellaneous appid on first decrypted packet
build: add support for ccache
file_api: fix file stats
file_api: mark processing of file complete after type detection if signature not enabled
http2_inspect: add peg count to track max concurrent http2 file transfers
http2_inspect: fix handling leftover data with padding
http2_inspect: protect against unexpected eval calls
http2_inspect: support stream multiplexing
http2_inspect: update padding check only for header and data frames
http_inspect: add support for http2 file processing
json: add stream formatter helper
managers: sort the inspector list in inspection policy using the instance name
memory: expose memory_cap.h to plugins
parameter: reject reals assigned to ints
rna: Update dev notes to describe usage
snort: add classtype, priority, and references to --dump-rule-meta output
snort: convert --dump-rule-{meta,state,deps} to json format
so rules: allow #fragments in references in so rule stubs
stream: Fix for stream pegs dumping zero values into perf_monitor_base.csv

2020-04-23: 3.0.1 build 2

appid: Change sessionAPI to accomodate stream_index
appid: detect payload for first http2 stream
appid: Fix thread-safety issues in appid
appid: mark third-party inspection as done for expected flows
appid: Populate url for QUIC sessions by extracting QUIC SNI metadata from third-party
appid: remove thirdparty processing for http2 traffic
appid: remove unused code
appid: remove unused config options and rename "debug" option
appid: set up packet counters to make sure flows with one-way data don't pend forever
appid: Support org unit in SSL lookup API and do not overwrite the API provided data
codecs: Clean up CiscoMetaData implementation
codecs: GRE checksum updated for injected and rewritten packets
codecs: Update GRE flags and offset for injected packets
control: Disable request unit-test in cmake if shell is disabled
control: Fixing data races in request read and response
file: apply cached verdict on already seen file
file_magic: Update category for HWP and MSOLE2
flowbits: eliminate extraneous FlowBitState
flowbits: fix reload mapping
flowbits: refactor implementation
flowbits: relocate bitop.h to helpers
flowbits: remove extraneous count
flowbits: remove unused group support
flow: track allocations for each flow, update cap_weights
framework: Remove unused InspectorData template
ftp_data: fix ids flushing at EOF
ftp: whitelisting reason support
host_tracker: Move all HostCacheAlloc template implementions to the header
http2_inspect: discard split connection preface
http2_inspect: flush pending data when a non-data frame is received
http2_inspect: handle the case of leftover header only (no body)
http2_inspect: support 0 length data frames
http_inspect: add fragment to http_uri
http_inspect: cut over to wizard on successful CONNECT response
http_inspect: enhance processing of connect messages
http_inspect: fix duplicated detained_inspection print in show()
http_inspect: make script tag check case insensitive
http_inspect: register extra-data callbacks in constructor
hyperscan: simplify scratch memory initialization
inspectors: designate service inspectors control channels for avc only
inspectors: designate service inspectors for file carving
inspectors: designate service inspectors for start tls
inspectors: update verbose config output in show() method to a new format
ips_context: add support to fallback to avc only
ips: fix rule state mapping and policy lookup
ips: remove plugins cruft from option tree node (rule body)
latency: check if ip header is present before deferring it
latency: use test_timeout config option to deterministically trigger latency events for ifdef REG_TEST
loggers: Add SGT field to CSV and JSON loggers
main: Make test_log() static in snort_debug.cc
managers: print inspectors' config output for every inspection policy configured
metadata-filter: apply to so rule stubs
output: allow error messages in quiet mode
packet_io: log daq batch size
packet_io: log daq pool size
perf_monitor: Enable or disable flow-ip-profiling using shell commands
plugin_manager: make erase from plug_map safer
plugin_manager: make sure --show-plugins option picks up SO plugins
reload: update ReloadError response messages to use consistent wording across all messages
session: remove unused IPS option
sip: Support pinhole for sip early media
snort2lua: make qos configuration values deleted from firewall
snort: add --dump-rule-deps
snort: add --dump-rule-state
snort: add flowbits set and checked to --dump-rule-meta
snort: add rule text to --dump-rule-meta
snort: enable --dump-rule-meta to work without a conf
snort: initial implementation of --dump-rule-meta
snort: remove inappropriate fatal errors
snort: remove unused --pcap-reload option
so rules: allow stub gid:sid:rev to override so
so rules: allow stub header to override so header
stream_tcp: remove unused session printing cruft
target_based: refactor host attribute table logic into a c++ class, eliminate dead code
target_based: refactor to improve design of the host attribute classes
target_based: refactor to load host attribute table from file
time: make packet_gettimeofday public
trace: refactor stdout/syslog logging of trace into logger framework

2020-03-31: 3.0.1 build 1

analyzer: Send detained packet event when a packet is held
appid: use http2 inspector for detection even if third-party module is present
build: Increment version to 3.0.1
dce_rpc: Fixed missing space in string
doc: add FIXIT-E description
http2_inspect: handle Cl and TE headers, and end_stream flags set on headers frames
http2_inspect: multiple data frames support
http_inspect: added FIXIT for thread safety
http_inspect: eliminate empty body sections for missing message bodies
latency: remove action config option and convert the log handler to trace_log message
mime: fix data race in mime config
modules: Support verbosity level for module trace options, modify trace logging macros
service_inspectors: standardize verbose config startup output for SMTP, POP and IMAP inspectors
snort2lua: remove conversion of deprecated options pkt-log and rule-log
so_rule: fix reload of shared object rules that use flow data
src: update high priority "to be fixed" comments (FIXIT-H)
stream_tcp: Out-of-order ACK processing fix

2020-03-25: build 270

active: Base hold_packet() decision on DAQ message pool usage
active: Fix direction of RST packet being sent to server
active: Move packet hold realization for Stream detainment to verdict handling
active: Send entire buffer at once when send_data uses ioctl
appid: Adding UT for client_app_aim_test
appid: Fix SMB session data memory leak
appid: Include DNS over TLS port for classification
appid: Restart service detection on start of decryption
appid: Support appid detection for outer protocol service
appid: Support detection for first stream in http/2 session
binder: Ignore the network_policy binding
build: Bump the C++ compiler supported feature set requirement to C++14
build: Don't try to use libuuid headers/libraries when not found; Thanks to James Lay jlay@slave-tothe-box.net for reporting the issue
build: Refactor included headers
codecs: Add new proto bit for udp tunneled traffic
codecs: Add vxlan codec
dce_rpc: Inspect midstream sessions for file inspection
file_api: Reading the new data for the overlapped file_data
filters: Update threshold tracking functions
flow: Allow the ExpectCache to force prune, so that we can always make room when the cache is full
flow: Change the ExpectCache prune logic to only remove a specified number of oldest entries, regardless of node expiration time
flow: Do away altogether with the loop in ExpectCache::prune, just remove one, only when the cache is full
http2_inspect: Refactor data cutter - preparation for multi packet processing
http2_inspect: Support single data frame sent to http, multiple flushes
http2_inspect: Update dev notes with memory calculations
http_inspect: Create http2 message body type
http_inspect: Gzip detained inspection
http_inspect: Refactor print_section for message bodies
loggers: Update usage to GLOBAL for all loggers
lua: Enable a rewrite plugin in a default config
main: Check if flow state is blocked while applying verdicts
main: Setting higher maximum pruning when idle
snort2lua: Convert a replace option to a rewrite plugin/action
snort2lua: Don't print out network_policy binding
stream: Short-circuit stream when handling retry packets in no-ack mode
stream_tcp: Cancel hold requests on the current packet when flushing
stream_tcp: Finalize held packets in TcpSession::clear_session()
stream_tcp: Moved retry check to TcpSession::process

2020-03-12: build 269

active: Add ability to inject resets and payload via IOCTLs
appid: Add support for third-party reload on midstream session
appid: detect apps using x-working-with http field in response header
appid: Enhance ssl appid lookup api to store SNI and CN provided by SSL for app detection
appid: fix thread-safety issues in mdns detector
appid: handle CERTIFICATE STATUS handshake type in SSL detector
appid: move client/service pattern detectors and service discovery manager to odp context
appid: Support third-party reload when snort is running with multiple packet threads
base64_decode: use standard detection context data buffer
build: fix build on big-endian systems
build: Fix LibUUID detection on OS X
build: Fix various build issues on FreeBSD and OS X
build: refactor trace logs
build: tweak includes
build: use const and auto references where possible
byte_math: Snort2 bug fix port of integer over and under flow detection
classifications: update implementation with unordered map
classifications: use consistent variable names
cmake: Fix building without lzma library
detection: added support for trace config option to take a list of strings with verbosity level instead of bitmask
detection: refactoring updates to detection, moved DetectionModule into a separate file
flow: added initiator bytes/packets onto flow
flow: Add missing time.h include for struct timeval
flow: free the flow data before deleting the actual flow
flow: turn off deferred whitelist on DONE if no whitelist was seen
flow_cache: fix memory deallocation bug due to inverted return value from hash release node
framework: add generic conversion of trace strings to bitmaks
ftp: Whitelist ftp session after max sig depth reached
ghash: fix thread race condition with GHash member variables when a GHash instance is global
hash: add unit tests for new HashLruCache class
hash: delete unused sfmemcap.[h|cc] and remove unnecessary includes
http2_inspect: abort for nhi errors
http2_inspect: send data frames to http - full frames only in a single flush
http_inspect: change http_uri to only include path and query for absolute and absolute path uris
http_inspect: improve precautions for stream interactions
http_inspect: Properly mock HttpModule::peg_counts in http_transaction_test
main: do FileService::post_init after inspectors are configured
parser: remove legacy parsing code
plugin_manager: add support for reload so_rule plugins
pub_sub: add http2 info to http pub messages
reference: update implementation with unordered map
reload: add description of reload error to the response message of the reload_config command
reputation: remove reputation monitor flag from packet, track verdict on flow
rules: add constructors for references and classifications
rules: fix warnings and startup counts for duplicates
rules: remove cruft
rules: simplify implementation of services, classifications, and references by using std::string
rules: update --gen-msg-map to include all configured rules with references
service_inspectors: added counters to track total number of data bytes processed in SMTP, POP, SSH and FTP
service: update implementation to vector
sfdaq: convert parsing related error messages in DAQ init to ParseErrors
sfdaq: Made get_stats public for plugins
smb: Fix malware over size 131kb not being detected in SMBv2/SMBv3
snort_config: footprint REG_TEST, no check for stream inspector add/rm, etc
stats: update shutdown timing stats
stream: Addressing inconsistent stream stats and some data races
stream_ip: added counters to track total number of data bytes processed
stream_tcp: no_ack applies only to ips mode
stream_udp: added counters to track total number of data bytes processed
style: remove tabs and too long lines
utils: add unit tests for MemCapAllocator class
utils: create memory allocation class based on sfmemcap functionality
utils: handle out-of-range time
xhash: refactor XHash and HashFnc to eliminate c-style callbacks and simplify ctor options
xhash: rename hashfcn.[cc|h] to hash_keys.[cc|h]
xhash/zhash: refactor duplicated code into a common base class, xhash/zhash will subclass this new base class
zhash: make zhash a subclass of xhash, eliminate duplicate code
zhash: refactor to use hash_lru_cache and hash_key_operations classes

2020-02-21: build 268

appid: Adding support for appid detection on decrypted SSL sessions
appid: Adding support for wildcard ports in static host port cache
appid: clean up ENABLE_APPID_THIRD_PARTY from configure_cmake
appid: cleanup terminology
appid: delete odp context on exit
appid: detect payload for http tunnel traffic
appid: do not reload third party on reload_config
appid: Don't mark HTTP session done if the ssl detector is still in progress
appid: Fix array initialization on Appid
appid: get rid of ENABLE_APPID_THIRD_PARTY flag
appid: handle invalid uri in http tunnel traffic
appid: load app mapping data to odp context
appid: move dns, sip, ssl and http pattern matchers to odp context; move client discovery manager to odp context
appid: move odp config, host-port cache and length cache to a separate class OdpContext; remove obsolete port detector code
appid: reset tp packet counters each time we do reinspect
appid: support third party reload when snort is running with single packet thread
bufferlen: match on total length unless remaining is specified
build: Clean up accumulated tabs and trailing whitespace in the code
build: clean up non-hyperscan builds
build: Fix more Clang 9 compiler warnings
build: Remove some extraneous semicolons (compiler warnings)
build: Rename parameters that shadow class members (compiler warnings)
build: Updates across the board for stricter Clang const-casting warnings
catch: Update to Catch v2.11.1
cip: explicitly include sys/time.h header
codecs: Use unions for checksum pseudoheaders
content: add hyperscan content literal matching alternative to boyer-moore
content: delete flawed hyper search test
content: use hs_compile if hs_compile_lit is not available
copyright: update year to 2020
dce_tcp: fixup flow data handling
detection: add config option to enable conversion of pcre expressions to use the regex engine
detection: add hyperscan_literals option
detection: add pcre_override to enable/disable pcre/O
detection: signature evaluation looping based on literal contents only (exclude regex)
doc: manual updates for HTTP/2
doc: update documentation for lua whitelist
doc: update reload_limitations.txt
file_api: enable Active when there are reset rules in the file policy
framework: introduce ScratchAllocator class to help with scratch memory management
gtp_inspect: fix default port binding
hash: refactor ghash implementation to convert it to an actual C++ class
hash: refactor key compare function prototype and functions to return boolean
hash: refactor to move common definitions into hash_defs.h
hash: refactor xhash to be a real C++ class
host_tracker: Check lock in a separate thread in unit-test
host_tracker: make current_size atomic to save some locks
host_tracker: Support host_cache reload with RRT when memcap changes
http2_inspect: add transfer encoding chunked at end of decoded http1 header block
http2_inspect: data frame http inspection walking skeleton first phase
http2_inspect: fast pattern support
http2_inspect: fix string decode error
http2_inspect: frame data no longer in file_data
http2_inspect: integration with NHI
http2_inspect: support disabling detection for uninteresting HTTP/2 frames
http2_inspect: support HPACK dynamic table size updates
http_inspect: add http_param rule option
http_inspect: gzip splitting beyond request_depth should use correct target size
http_inspect: no duplicate built-in events for a flow
http_inspect: patch H2I-related xtra data crash
http_inspect: process multiple files simultaneously over HTTP/1.1
http_inspect: refactoring
http_inspect: update test tool to support the HTTP/2 macros and new insert command
http_inspect: when detection is disabled, disable all rules not just content rules
http_inspect/http2_inspect: H2I unified2 extra data logging
hyperscan: convert thread locals to scan context
inspectors: ensure correct lookup by type, name, or service
inspectors: print label for type and alias in inspector manager. Remove printing module name in inspectors ::show() method
ips: alert service rules check ports
ips_pcre: compile/evaluate pcre rule option regular expressions with the hyperscan regex engine when possible
ips_pcre: support the O & R modifiers when converting pcre to regex
ips: refactor rule parsing
ips: remove dead code from rule parser
ips: use service "file" instead of "user"
loggers: update vlan logging in csv and json loggers
lua: Added missing file magic pattern for FLIC
lua: Added missing file magic pattern for IntelHEX
lua: fix typo in default smtp's alt_max_command_line_len
lua: update default lua files to whitelist the defined tables
main: add verbose inspector output during reload
main: make IPS actions (reject, react, replace) configurable per-IPS policy
main: move config_lua to Shell::configure
memory: Treating config value memory.cap as per thread instead of global
metadata: add --metadata-filter to load matching rules only
mime: support simultaneous file processing of MIME-encoded files over HTTP/1.1
module_manager: add snort_whitelist_append and snort_whitelist_add_prefix FFIs
normalizer: disable all normalizations by default except for tcp.ips
packet_io: provide default reset action (bidirectional reset for TCP, ICMP unreachable for the rest)
packet_io: refactor Active and IPS Actions to start disentangling them
parser: add service http2 to http rules
parser: store local copy of service name
pcre: ensure use of maximal ovector size and simplify logic
port_scan: Supporting reload config when memcap changes
protocols: provide direct access to the CiscoMetaData layer
regex: convert thread locals to scan context
reload: eliminate FatalError calls that can't happen because snort_calloc always returns valid memory
rna: use standard uint8_t type instead of u_int8_t
search_engine: trivial reformatting
smtp: update defaults to better align with Snort 2
snort2lua: conversion of path containing variables
snort: add new warn flag warn-conf-strict that will throw out warning when table is not found
snort: Adding some verbose logs for appid, file_id, and reputation inspectors
stream_tcp: ensure that flows with mss and timestamps are picked up on syn
tweaks: set reasonable stream_ip.min_fragment_length values
tweaks: update per new normalizer defaults
tweaks: update policy configs to better align with Snort 2

2019-12-20: build 267

appid: Adding command for third-party reload
appid: cleanup unused code
binder: assitant gadget support
build: Const-ify reference arguments as suggested by cppcheck
catch: Add infrastructure for standalone Catch unit tests
catch: Update to Catch v2.11.0
codec: Added GRE::encode method
control: Convert IdleProcessing unit tests to standalone Catch
dce_rpc: Convert HTTP proxy and server splitter unit tests to standalone Catch
file_api: When multiple files are processed simultaneously per flow, store the files on the flow, not in the cache. Don't cache files until the signature has been computed
file_magic: add file magic for .jar, .rar, .alz, .egg, .hwp and .swf files
framework: Convert parameter and range unit tests to standalone Catch
gtp: alerts should be raised for missing TEID in gtp msg
helpers: Convert Base64Encoder unit tests to standalone Catch
http2_inspect: add Stream class
http2_inspect: parse settings frames
http_inspect: support limited response depth
ips: do not use includer for any rules file includes
ips: fix --show-file-codes for inclusion from -c file
lru_cache_shared: added find_else_insert to add user managed objects to the cache
lua: Convert LuaStack unit tests to standalone Catch
lua: Link lua_stack_test against libdl to handle the static luajit case
packet_capture: ignore PDUs and defragged packets, include non-IP packets
perf_monitor: Convert CSV, FBS, and JSON formatter unit tests to standalone Catch
perf_monitor: tuning for flow_ip_memcap on reload
profiler: Convert MemoryContext and ProfilerStatsTable unit tests to standalone Catch
reload: fix issue where resource tuning was not being called when in idle context
rule_state: allow empty tables
search_engine: fix expected count of MPSEs when offloading
sfip: Convert SfIp unit tests to standalone Catch
sfip: Use REG_TEST-style IP stringification for standalone Catch tests
stream_tcp: fix TcpState post increment operator to stop increment at max value (and use correct max value)
stream_tcp: refactor stream_tcp initialization to create reassemblers during plugin init
stream_tcp: refactor to initialize tcp normalizers during plugin init
stream/tcp: Remove some unused Catch includes
time: Convert periodic and stopwatch unit tests to standalone Catch
utils: Convert bitop unit tests to standalone Catch

2019-12-04: build 266

appid: Add new pattern to pop3, don't concatenate ssl certs, use openssl-1.1 compliant APIs
appid: Enabling host cache for unknown SSL flows
appid: Fix for better classification on pinholed data session and control session for rshell/rexec
appid: Format detected apps stats in columns akin to file stats
appid: Handle memcap during reload_config using RRT
appid: Minor cleanup
cmake: Cache static DAQ module info in FindDAQ
file_api: Fixed eventing when FILE_SIG_DEPTH failed when store files enabled
flow: Add ability to defer whitelist verdict
flow: Clean up unit test compiler warnings
flow: Disabling the inspection if the Flow state is BLOCK
http2_inspect: Generate status lines for responses and be more lenient on RFC violations
http2_inspect: Implement hpack dynamic index lookups
http_inspect: Implement show method for verbose config output
http_inspect: Update user manual for detained inspection
hyperscan: Select max scratch from among all compiler threads
ips: Add support for parallel fast-pattern MPSE FSM compilation
ips: Only use multiple threads for rule group compilation at startup
ips: Support 2 rule vars same as Snort 2
mpse: Only hyperscan currently supports parallel compilation
port_scan: Only update scanner for ICMP if we have one
profiler: Fix module profile for multithreaded runs
search_engine: Ensure configured search_method is applied to search tools
search_engine: Process intermediate fast-pattern matches in batches of 32 same as Snort 2
search_engine: Raise an error if any MPSE compilation fails
sfip: Replace copy setter with implicit copy constructor
stats: Removal of mallinfo as it only support 32bit
stream_tcp: Move and update the libtcp source files to the tcp source directory to consolidate the stream tcp code into one component (libtcp goes away)
stream_tcp: Updates from PR review comments

2019-11-22: build 265

analyzer_command: support resource tuning on reload
appid: Adding Lua-C API to handle midstream traffic
cip: ips rule support for Common Industrial Protocol (CIP)
ftp: handling multiple ftp server config validation
detection: disable rule evaluation when detection is disabled for offload packets
detection: fix post-inspection state clearing issue
flow: check if there are offloaded packets in the flow before clearing out the alert count
http2_inspect: add frame class and refactor stream splitter
http2_inspect: fix unit tests to build without REGTEST defined
main: Improve performance of control connection polling
plugin_manager: allow loading individual plugin files in plugin-path
reject: Setting defaults for reset and control options
snort: update reload resource tuner to return status indicating if there is work to be done in the packet thread
stream: register reload resource tuner unconditionally. move checks for config changes to the tuner tinit method
stream_tcp: fix state machine instantiation
wizard: handle NBSS startup in dce_smb_curse

2019-11-06: build 264

appid: Handle DNS responses with compression pointers at last record
dce_smb: deprecate config for smb_file_inspection, use smb_file_depth only
detection: negated fast patterns are last choice
http2_inspect: fix bugs in splitting long data frames and padding
http_inspect: change accelerated_blocking to detained_inspection
http_inspect: remove deprecated @fileclose command from test tool
imap, pop, smtp: changed default decode depths to unlimited
ips: define a builtin GID range to prevent unloaded SIDs from firing on all packets
ips_option::enable: fix dynamic plugin build
lua: tweak default conf and add tweaks for various scenarios
normalizer: make tcp.ips defaults to true
port_scan: increase default memcap to a more reasonable 10M
s7commplus: Initial working version of s7commplus service inspector
search_engine: stop searching if queue limit is reached
stream: implement reload resource tuner for stream to adjust the number of flow objects as needed when the stream 'max_flows' configuration option changes
telnet: fix check_encrypted help string

2019-10-31: build 263

appid: for ssl sessions, set payload id to unknown after ssl handshake is done if the payload id was not not found
appid: check inferred services in host cache only if there were updates
appid: Updating the path to userappid.conf
build: Clean up snort namespace usage
build: generate and tag build 263
binder: Use reloaded snort config when getting inspector
codecs: Relax requirement for DAQ packet decode data offsets when bypassing checksums
content: rewrite boyer_moore for performance
data_bus: add unit test cases
detection: enhance fast pattern match queuing
dns: made changes to make sure DNS parsing is thread safe
doc: update default manuals
file_api: Put FileCapture in the snort namespace
ftp: fix for missing prototype warning
ftp: catch invalid server command format
http_inspect: test tool single-direction abort fix
http_inspect: add more config initializers
http2_inspect: generate request start line from pseudo-headers
http2_inspect: abort on header decode error
http2_inspect: stop sharing a variable between scan and reassemble
http2_inspect: decode indexed header fields in the HPACK static table
http2_inspect: Move HPACK decompression out of stream splitter into a separate class
http2_inspect: Abort on bad connection preface
http2_inspect: cleanup
http2_inspect: discard connection preface
ips: add states member, similar to rules, by convention use for rule state stubs with enable
mime: Put MailLogConfig in the snort namespace
packet: fix reset issues
packet_io: do not retry packets that do not have a daq instance
policy: Avoid unintended insertion of policy into map if it does not exist
pub_subs: made default pub_subs policy-independent
rule_state: deprecat, replace with ips option enable to avoid LuaJIT limitations
stream_tcp: fix stability issues
stream_tcp: If no-ack is on, rewrite ACK value to be the expected ACK

2019-10-09: build 262

analyzer: move setting pkth to nullptr to after publishing finalize event
analyzer: publish other message event for unknown DAQ messages
appid: add support for bittorrent detection over standard ports
appid: add support for Lua detector callback mechanism
appid: add support for wildcard ports in host tracker
appid: extract forward ip from http tunneled traffic and use it for dynamic host cache lookup
appid: fix populating dns_query for DNS traffic
binder: allow binder to support global level service inspectors
binder: remove global check for stream inspectors and revert module_map changes
codecs: fix checksumming a single byte of unaligned data
codecs: use checksum validation from DAQ packet decode data when available
detection: consistently prefer service rules over port rules
detection: do not split service groups by ip proto to avoid extra searches
detection: map file rules to services
detection: non-service rules must match on rule header proto
detection: remove cruft from match accumulator
detection: remove more cruft from match tracker
detection: remove the inappropriate match tracker from mpse batch setup
detection: remove unnecessary match data from eval context
detection: support alert file rules w/o optional services
detection: update trace to indicate eval task
detection: use reference for signature eval data
doc: add Snort2Lua note on ips rule action rewrite
flow: check if control packet has a valid daq instance before setting up daq expected flow and add pegcounts for expected flows
flow: patch to allocate Flow objects individually on demand. Once allocated the Flow objects are reused until snort exits or reload changes the max_flows setting
flow: when walking uni_list stop before reaching head
helpers: discovery filter support for zone matching
helpers: implement port exclusion in discovery filter
http2_inspect: cut headers from frame_data buffer
http2_inspect: parse hpack header representations and decode string literals
http2_inspect: validate connection preface
ips_options: minor code style changes
libtcp: turn off no-ack mode if packet is out of order
lua: added move constructor and move assignment operator to Lua::State to fix segv
lua: fixed whitespace to match style guidelines
managers: add null check in reload_module to prevent crash when trying to reload module that has not been configured
profiler: increase width of checks and alloc fields so values don't run together
protocols: remove reference to obsolete DAQ_PKT_FLAG_HW_TCP_CS_GOOD flag
pub_sub: replace DaqMetaEvent and OtherMessageEvent with DaqMessageEvent
reputation: prevent reload module crash when reputation is not configured in lua at startup
reputation: SIDs for source and destination-triggered events added
snort2lua: convert snort2 port bindings into snort3 service bindings for inspectors configured in wizard and add --bind-port option to enable port bindings conversion
snort2lua: remove identity related options from firewall
snort2lua: reset the sticky buffer name while converting unchanged sticky rule options and file_data
stream: clean up cppcheck warnings
stream: clean up update_direction
stream: code cleanup and dead-code removal
unit-tests: fix compiler warnings that snuck into CppUTest unit tests
utils: prevent integer overflow/underflow when reading BER elements

2019-09-12: build 261

analyzer: Process retry queue and onloads when no DAQ messages are received
appid: Enabled API for SSL to lookup appid
appid: Support FTP banners on multiple packets with split response code
build: Address miscellaneous cppcheck warnings
build: Const-ify reference arguments as suggested by cppcheck
build: Update CMake logic for unversioned LibSafeC pkg-config name
doc: add bullets for $var parameter names and maxXX limits
http_inspect: accelerated blocking for chunked message bodies
http2_inspect: send raw encoded headers to detection
managers: Make InspectorManager::thread_stop() a no-op if thread_init() was never called
rna: generate an RNA_EVENT_CHANGE when a host is seen after the last log event and the current time is past the update timeout
rna: support for bidirectional flow with UDP, IP, and ICMP traffic
rna: Support for filtering rna events by host ip
rule_state: switch from regex parameter names to simpler parsing
snort2lua: only emit max_flows and pruning_timeout options in converted lua file if the option is used in the snort2 conf file
stream: fix problem with accelerated blocking partial inspection
style: update link for google c++ style guide

2019-08-28: build 260

appid: handle 'change cipher spec' in 'server hello' to allow some app detection for tls 1.3 traffic
binder: updated change_service event to support service reset via wizard
host_tracker: derive LruCacheSharedMemcap from the general LruCacheShared that tracks size in bytes, rather than number of items and instantiate host_cache from LruCacheSharedMemcap
http2_inspect: Remove pkt_data buffer option
reload: fix coding style issues, support multiple in progress analyzer commands, support associated AC state for execute method, move reload tune logic for ACSwap to the execute command
rna: Support for rna unified2 logging
stream_tcp: clear consecutive small segs count upon non-small segs only

2019-08-21: build 259

analyzer_command: Import into snort namespace and add the ability to retrieve the DAQ instance from an Analyzer
appid: delay port-based detection until a non-zero payload packet is seen for the session
appid: fix discovery unit test that was failing intermittently
appid: Fix for app name not getting evaluated for port/protocol based detectors
appid: support for bittorrent detection when UDP tracker packet arrives after the TCP resumed session has already started
build: Fix miscellaneous cppcheck warnings
codec: Adapt to new DAQ message metadata source for Real IP/port info
file_api: generate events each time file is seen, not just first time
finalize_packet: pass verdict by reference in inspector event
flow: add virtual destructor to stash generic object
flow: Bypass HA write for unsupported Tunnel flows
flow: delete stale flow on receiving NEW_FLOW flag
flow: if no 'get_ssn' handler configured then skip processing of the flow
flow: introduced variable for handling idle session timeouts and flag for actively pruning flows based on the expire_time
flow: make a single flow cache for all the protocols
flow: refactor flow config object to work with single flow cache concept
flow: refactor uni list managment into a separate class and instantiate an instance for ip flows and another for all non-ip flows
flow: release session object allocated for a flow when the Flow object is reused and the PktType of the new flow is different from the previous use
flow: Add packet tracer message when a new session is started
ftp_telnet: add support for ftp file resume block by calculating path hash used as file id
hash: add back size(), get_max_size() and remove() functions to lru_cache_shared
hash: add unit test for explicitly testing get / set max size
host_cache: Refactoring code to fix multithreading issues and to remove redundancy
http2: huffman string decode
http2_inspect: add HI test tool
http_inspect: remove 0-byte workaround
ips_options: add ber_data and ber_skip
main: Implement reload memcap framework
pcre: add peg counts for PCRE_ERROR_MATCHLIMIT and PCRE_ERROR_RECURSIONLIMIT return status from pcre_exec()
reputation: Fixed issues with reputation monitor
rna: Add new hosts with IP-address into host cache
snort2lua: Combine proto specific cache options for max_session in one max_flows option
stream_tcp: add API for switching to no_ack mode
stream_tcp: fix 3-1-2 ordering markup
stream: update checks for modified stream config to work with updates to stream config options
stream: updated the protocol setup and process logic of TCP,UDP,IP,ICMP and USER sessions for setting and updating idle session timeouts
time: Make TscClock fail to compile on non-x86/AArch64 systems
wizard: Avoid host cache service insertion since we are using flow service
xhash: Ported sfxhash_change_memcap() from snort2 to snort3

2019-07-17: build 258

analyzer: 1024 contexts max is a better default until configurable
appid: fix header order in appid_session
codec: add support of ignore_vlan flag from daq header
detection: allocate scratch after configuration
detection: immediately onload after offloading when running regression tests
detection: on PDUs change search order to set check_ports correctly
detection: reduce hard number of contexts to work with pcap default
detection: start offload threads before packet threads are pinned
detection: use offload_threads = N with -z = 1
flow: Extend stash to support uint32_t and make it SO_PUBLIC
flow: Fixes for DAQ-backed HA implementation
flow: remove config.h from flow_stash_keys
high_availability: high availability support in Snort2Lua
host_cache: Adding command and config option to dump hosts
host_cache: Closing va_list after usage using va_end
http2: decode HPACK uint
http2: hpack string decode
http_inspect: perf improvements
http_inspect: send headers to detection separately
ips: add missing non-fast-pattern warning
ips: refactor fast pattern searching
mpse: api init and print methods are optional
no_ack: Purge segment list withouth waiting for ack when using no_ack feature
pcre: cap the pcre_match_limit_recursion based on the stack size available
profiler: convert ips options to use optional profiles
profiler: eliminate deep profiling
profiler: implement general exclusion
profiler: include onload/offload efforts in mpse
profiler: refactor
profiler: split out paf from stream_tcp
profiler: track DAQ message receives and finalizes
snort: remove out-of-date Snort 2 version from -V
stream: add convenient method for flow deletion
stream_tcp: Add no-ack policy to handle flows that have no ACKs for data
stream_tcp: fix non-deep detect profile exclusion
talos.lua: various fixes for command line usage

2019-06-19: build 257

analyzer: publish finalize packet event before calling finalize_message
appid: Protocol based detection for non-TCP non-UDP traffic
appid: support for dynamic host cache lookup-based app detection
build: Fix unused parameter warnings in unit tests
check: Fix missing semicolons on CHECK calls
detection: adding pegcounts for fallback, offload failures
detection: add peg for onload wait conditions
detection: fix check for disabled rules
detection: fix creation of service map to use ips policy id
detection: on PDUs search TCP/UDP portgroups even when user_mode services exist
doc: Remove perpetually out-of-date copy of LibDAQ's README
doc: Update documentation to reflect post-DAQng reality
flow: check if flow is actually deleted before updating memstats
flow: Implement storing and importing HA data via DAQ IOCTLs
http_inspect: stop clearing http data snapshots from ips contexts on flow deletion
http_inspect/stream: accelerated blocking
http_inspect: test tool enhancement
icmp4: verify checksum before the type validation
ips_options: add relative parameter to so option
perf_mon: removed flow_ip_handler from PerfMonitor
regex: fix repeated search offset
rna: Fixing doc build failure due to asciidoc format issue
rna: Implementing event-driven RNA inspections
rna: Introducing barebone RNA module and inspector
rna: Renaming peg counts and adding a warning when config changes
smtp: Fix handle_header_line and normalize_data unit tests
smtp: pass packet pointer instead of nullptr to SMTP_CopyToAltBuffer
stream: Do not validate timestamp until peer timestamp is set
stream_ip: Checking null inspector while updating session

2019-05-22: build 256

DAQng: Port Snort and its DAQ modules to DAQ3
- Massive refactoring of the Analyzer thread
- Handle multiple offloaded wire packets
- Port hext and file DAQ modules to DAQng
- Reimplement the RETRY verdict internal to Snort
- Revamp skip-n/exit-after-n/pause-after-n handling
- Update lua tweaks with new DAQ configuration format
- Update sfdaq unit tests for DAQng
- Update snort2lua to convert to new DAQ configuration
filters: add peg count for when the thd_runtime XHash table gets full
filters: make thd_runtime and rf_hash thread local and allocate them from thread init rather than from Module::end()
http_inspect: fix status_code_num bug in HttpMsgHeader::update_flow() that leads to assert on input.length()>0 in norm_decimal_integer
main: Fix File Descriptor leaks
main: Include analyzer.h in snort.c
packet_io: Refactor the Trough a bit
perf_mon: Fixed time stamp and memory leak issue
- Add real timestamp to empty perf_stats data
- Updated dbus default subscription code and perf_mon event subscirption code to resolve memory leak and invalid event subscription from reloading
- Moved flow_ip_tracker to thread local
perf_monitor: Fixing heap-use-after-free after reload failure
port_scan: Change minimum memcap value to 1024 to avoid divide by zero crash
rule_state: change enable values "true" / "false" to "yes" / "no"
snort2lua: Remove sticky buffer duplicates
stream: disable inspection of flow on reset

2019-05-03: build 255

ips: add includer for better relative path support
module_manager: Fix potential null deref in module parameter dumping

2019-04-26: build 254

analyzer: Print pause indicator from analyzer threads
appid: remove inspector reference from detectors
build: Remove perpetually stale reference to lua_plugffi.h
build: remove unused cruft; clean up KMap
config: replace working dir overrides with --include-path
context: only clear ids_in_use in dtor
file_type: remove redundant error message
log_pcap, packet_capture: Don't try to use a DAQ pkthdr as a PCAP pkthdr
Lua: update tweaks per latest include changes
main: Use epoll (for linux systems) instead of select to get rid of limit on fd-set-size and for time efficiency
snort2lua: fix histogram option change comment
snort2lua: Integer parameter range check
stream_tcp: Try to work with a cleaner Packet when purging at shutdown
test: remove cruft

2019-04-17: build 253

build: delete unused code called out by cppcheck
doc: remove mention of obsolete LUA_PATH, SNORT_LUA_PATH, and required snort_config library
flow_cache: Pruning one stream when excess pruning skips even if max_sessions is reached
ftp_server: fix normalization and PDU parsing issues
helpers: directory: use readdir instead of readdir_r
Lua: apply the necessary builtin defaults from one place
Lua: internalize snort_config.lua dependency
Lua: build-time stringify Lua files for use as C++ variables
Lua: remove dependency on SNORT_LUA_PATH
mime: fix decompression for multiple files
parser: update include file handling
parser: fix defaults for alerts.order and network.checksum_eval

2019-04-10: build 252

appid: Fix NetworkSet compilation on big-endian systems
appid: Reduce variable scope in service_mdns
appid: Reduce variable scope in service_rpc
codecs/ipv4: Use struct in_addr when calling inet_ntop()
dce_rpc: Fix const cast warnings in dce_smb2
detection: Don't send zero size searches to the regex offloader If a batch search request had nothing in it to be searched for there is no purpose in sending it to the offloader
detection: Ensure offload search engine started with appropriate regex offloader If the offload_search_method is not specified then by default it will be the same as the normal search_method If this search method is an async mpse it needs started using the MpseRegexOffload offloader otherwise it needs started using the ThreadRegexOffload offloader
file_api: add extract filename to FileFlow from mime header
file_api: Add timer to limit how long we want for pending file lookup
file_api: If configured, reset session when lookup times out
file_api: Make expiration timers more granular
file_api: use more generic form of timercmp and fix timersub call
file_api: use timersub_ms, updates to packettracer logs
flow: add the override keyword to some member function to keep cppcheck happy
flow: add test to check that a handler is not getting stash events that it's not listening to
flow: stash publish event
flow: unit test for stash publish
ftp_telnet: Fix potential NULL pointer arithmetic in check_ftp()
ftp_telnet: Fix val-never-used warning in DoNextFormat()
http_inspect: Fix val-never-used warning in check_oversize_dir()
http_inspect: Give HttpTestInput a destructor to clean up its file handle
log: Fix potential NULL pointer arithmetic warning in log_text
mpse: Adding performance profiling stats to Mpse batch search The Mpse batch search function does not have any performance profiling so this function is now wrapped to facilitate the addition of performance stats
normalize: Remove redundant check during configuration
offload: simplify zero byte bypass
offload: Framework changes to support polling for completed batch searches When a batch search is issued, currently we poll to determine if that batch has completed its search This change facilitates polling to return any batch that has completed its search
packet_io: Changes to allow daq retries to work properly
packet_io: add entry for retry in act_str due to re-ordering
packet_io: re-order ACT_RETRY to be before ACT_DROP
packet_tracer: Pass filename string parameter by reference
perf_monitor: Pass ModuleConfig string parameter by reference
port_scan: Reduce variable scope in configuration
rule_state: rule_state: do not require rules in all policies
rules: remove cruft from tree nodes
sfip: Reduce variable scopes in sf_ipvar
sfip: Switch test debug flag to a cpp macro
sfrt: Reduce variable scope in _dir_remove_less_specific()
sip: Give SipSplitterUT a proper copy constructor
snort2lua: Adding support for appid tp_config_path conversion
snort2lua: Convert rawbytes to raw_data sticky buffer
so rules: fixup shutdown sequencing
so rules: make plain stubs same as protected
so rules: use stub strictly as a key
stream: set retransmit flag
stream_ip: Fix sign comparison and val-never-used issues in defrag
stream_tcp: Fix shadowed variable when profiling deeply
u2spewfoo: update due to re-ording of retry action

2019-03-31: build 251

ActionManager: actions are tracked per packet for accurate packet suspension
DetectionEngine: make onload safe for reentrance
DetectionEngine: stall when out of contexts
Flow: is_offloaded is now is_suspended
IpsContext: removed useless SUSPENDED_OFFLOAD state
Mpse: Addition and use of offload search method/engine
Mpse: fixed build warning about constness of get_pattern_count
MpseBatch: refactor into separate files
Packet: fixed thread safety in onload flag checks
RegexOffload: onload whatever is ready
RegexOffload: refactor into mode-specific subclasses
appid: Fix for FTP detection with multiline server response split across multiple packets
appid: add unit test to make sure the AppIdServiceStateKey::operator<() is OK and modify existing service cache memcap test to alternate ipv4 and ipv6 addresses
appid: change the service queue to store map iterators rather than the actual keys, as (a) map iterators are stable and (b) sizeof(map::iterator)=8 while sizeof(key)=28
appid: compute the size of the memory used for a service cache entry only once, as it is constant, and make it global
appid: fix AppIdServiceStateKey::operator<()
appid: fix client discovery to only check on the first data packet
appid: fix comment in client_discovery.cc
appid: fix double free in service_state_queue and address reviewers comments
appid: fixup profiling
appid: get rid of the map::find() in MapList::add(), just try to emplace directly
appid: implement service cache touch(). Must figure out where to call it from
appid: implement service discovery state queue to honor memcap
appid: introduce min memcap of 1024 with a default of 1Mb and refactor AppIdServiceState::remove() to accept a ServiceCache_t::iterator rather than ip, proto, port and decrypted
appid: introduce the do_touch flag to the add/get functions and call those functions with the appropriate flag
appid: keep cppcheck happy
appid: more cppcheck clean-up
appid: pass HostPortKey by reference in HostPortKey::operator<()
appid: put the service_state_cache and the service_state_queue into a class in its own right and refactor the code
appid: remove forgotten WhereMacro
appid: rename some global variables in http_url_patterns_test.cc to suppress cppcheck messages
appid: replace the custom AppIdServiceCacheKey::operator< with memcmp in both service_state.h and host_port_app_cache.cc
appid: return void in ClientDiscovery::exec_client_detectors() and set client_disco_state to FINISHED in all cases except when the client validate returns APPID_INPROCESS
appid: set a range for app_stats_period parameter
appid: skip empty detectors
appid: the service queue should be of type AppIdServiceStateKey
appid: unit test for service cache and call the touch function
appid: untabify service_state.h and test/service_state_test.cc
appid: update unit test file
binder: Reset flow gadget and protocol ID on failed rebinding
binder: store user set ips policy id from lua
build: Add better support for libiconv on systems with iconv-providing libc
build: fix always true warning
build: fix constness warnings
build: fix cppcheck warnings for file_connector, tcp_connector, ports, snort2lua, and piglet_plugins,
build: fix override warning
catch: Update to Catch v2.7.0
cd_tcp: some light refactoring
conf: remove obscure and slow automatic iface var assignments; use Lua instead
config: Use basename_r() function for FreeBSD versions < 12.0.0
control: Avoid deleting objects on write failures so that they get deleted from main thread during read polling
copyright: update year to 2019
cppcheck: fix some basic warnings
dce_rpc: Added support to handle smb header compounding
dce_rpc: Limiting each signature alert to once per session using 'limit_alerts' config
dce_rpc: fix cppcheck warnings
dce_rpc: fix style warning non-boolean returned
decompress: add zip file decompression
detection, snort2lua: added global rule state options for legacy conversions
detection: Add search batching infrastructure
detection: allow suspension of entire chains of contexts
detection: fixed incorrect log messages
detection: only swap offload configs when they change
detection: split fast pattern processing when using context suspension
doc: add a section for reload limitations
doc: update default manuals
doc: update reload limitations - adding/removing stream_*
file: fixed data race at shutdown
file_api: Added nullptr checking to prevent segfaults when file mempool is not configured
file_api: call FileContext::set_file_name() from FileFlows::set_file_name with fname = nullptr, in order to generate file event
file_api: fail the reload if max_files_cache is changed or if capture was initially enabled and capture_memcap or capture_block_size change
file_api: fix policy lookup
file_capture: refactor max size handling
filters: call get_ips_policy instead of get_network_policy when building the key for rate filter
flow: Added a support to store generic objects in a stash
flow: support for flow stash - allows storage of integers and strings
flow_control: remove unused session flag
fp_detect: suspend instead of onload if fp_local can't occur yet
hash: Added lru_cache_shared.h to HASH_INCLUDES
hash: Moved list_iter assignment inside to avoid improper memory access in LruCacheShared
http_inspect: disable reg test assertion until interface with stream_tcp is updated
http_inspect: patch around buffer ownership confusion
ips_context: minimize iterations to clear data
ips_options: implement FileTypeOption::hash() and FileTypeOption::operator==(), inherited from IpsOption, using the types bitset array, in order to distinguish between different file type options
loggers: add alert_talos, use in talos tweak
loggers: alert_talos: fix copyright, author, unneeded check
loggers: alert_talos: fix copyright, warnings
loggers: alert_talos: fix cppcheck error
loggers: alert_talos: fix include order
loggers: alert_talos: fix memory leak
loggers: workaround for cppcheck's false warning
lua: make RTF file magic more generic
main: log message when all pthreads started (REG_TEST only)
main: shell commands and signals executed only after snort finish startup
memory: Use only one variable to keep track of allocated and deallocated memory
memory: add configurable L3/L4 specific weights for better estimation against cap
memory: add size_of to various FlowData subclasses
memory: apply fudge factor to tracking to better align with RSS
memory: basic flow data allocation tracking
memory: basic flow pruning
memory: beware the perf_monitor, for she stealeth your numbers
memory: do not re-enter the pruner
memory: fix re-entry check
memory: increase default tcp cache cap weight; fix default values
memory: initial preemptive pruning based on flow data
memory: refactor stats
memory: remove overloading manager to make way for new implementation
memory: remove useless thread local
memory: require subclass implementation of FlowData::size_of()
memory: track session allocations
mime: add file decompression
misc: fixed warnings generated from latest gcc
packet tracer: initialize sf_ip structs
policy: allow an empty policy be set explicitly assigned to it
policy: Rename TRUE/FALSE to ENABLE/DISABLED
port_scan: Fail reload if memcap changed
profile: convert remaining layer 2 or greater profile scopes to the deep, dark underbelly
profiler: add quick exit if not configured to minimize overhead
profiler: add quick exit if not configured to minimize overhead (rule times)
protocols: fix style warning non-boolean value returned
react: sending reset to server only
regex_offload: fix stats for thread
reload: differentiate between restart required and bad config
reload: fail reload if stream is in the original config and stream_* is added/removed
reload: prompt reload failure and require restart when stream cache were changed
reload: send reload completed message to control channel instead of logging it
rule eval: ensure leaf children are properly counted
rule_state: add rtn but disable if block is set on non-inline deployment
rule_state: added default rule state to ips policy
rule_state: added per-ips-policy rule states
rules: do not preallocate actions
safec: Update to work with modern versions of LibSafeC
sfip: add a FIXIT for checking that the current implementation of _is_lesser(), which only compares same-family ips is OK
sip: update sip options to use has_tcp_data instead of is_tcp
snort2lua: Create dev_notes.txt for sticky buffers
snort2lua: adding when.role for specific inspectors
snort2lua: change the -l short option to --dont-convert-max-sessions
snort2lua: combining multiple zone in one binder rule
snort2lua: comment gid 147 file rules
snort2lua: convert file_capture config options
snort2lua: do generate the tcp_cache instance even when we don't convert tcp_max to max_sessions
snort2lua: do not translate max_sessions from snort.conf to snort.lua
snort2lua: fix pcre option issues
snort2lua: fix sticky buffer duplication
snort2lua: fixed duplication of split_any_any from config: detection
snort2lua: introduce command line option -l to suppress conversion of max_tcp, max_udp, max_icmp and max_ip to max_sessions
snort2lua: move obfuscate_pii to the ips table from the output table
snort_config: Add a setter for setting run_flags and set it to TRACK_ON_SYN for hs_timeout config
ssl: Count calls to disable_content for ssl sessions
stream: Change StreamSplitter::scan to take a Packet instead of a Flow
stream: Pass Packet in flushpdu* -> paf_eval -> paf_callback chain
stream: fixed ignore_flow segfault bug caused by allocating generic flow data instead of inspector specific flow data
stream: log StreamBase::config in StreamBase::show()
stream: purge remaining flows before shutdown counts
stream_tcp: add track_only to disable reassembly
stream_tcp: consolidate segment node and data
stream_tcp: disambiguate seglist trace
stream_tcp: do not purge partially acked segment
stream_tcp: fix up stream order flags
stream_tcp: fixup allocation tracking for overlapped segments
stream_tcp: implement reserve seglist
stream_tcp: initialize priv_ptr for pdus
stream_tcp: patch around premature application of delayed actions that yoink the seglist
stream_tcp: remove seglist node cruft
stream_tcp: reset paf segment when switching splitters
stream_tcp: simplify paf init
stream_tcp: support unidirectional flushing similar to Snort 2
stream_tcp: tweak PAF scanning
stream_tcp: tweak ips mode flushing
stream_udp: ensure all flows are cleared fully
time: Adding timersub_ms function to return timersub in milliseconds

2018-12-06: build 250

actions: Fix incorrect order of IPS reject unreachable codes and adding forward option
active: added peg count for injects
active, detection: active state is tied to specific packet, not thread
appid: Don't build unit test components without ENABLE_UNIT_TESTS
appid: Fix heap overflow issue for a fuzzed pcap
build: accept generator names with spaces in configure_cmake.sh
build: clean up additional warnings
build: fix come cppcheck warnings
build: fix some int format specifiers
build: fix some int type conversion warnings
build: reduce variable scope to address warnings
detection: enable offloading non-pdu packets
detection, stream: fixed assuming packets were offloaded when previous packets on flow have been offloaded
file_api: choose whether to get file config from current config or staged one
file: fail the reload if capture is enabled for the first time
framework: Clone databus to new config during module reload
loggers: Use thread safe strerror_r() instead of strerror()
main: support resume(n) command
managers: update action manager to support reload
module_manager: Fix configuring module parameter defaults when modules have list parameters
parameter: add max31, max32, and max53 for int upper bounds
parameter: add maxSZ upper bound for int sizes
parameter: build out validation unit tests
parameter: clean up some signed/unsigned mismatches
parameter: clean up upper bounds
parameter: remove arbitrary one day limit on timers
parameter: remove ineffective -1 from pcre_match_limit*
parameter: reorgranize for unit tests
parameter: use bool instead of int for bools
parameter: use consistent default port ranges
perf_monitor: Actually allow building perf_monitor as a dynamic plugin
perf_monitor: fix benign parameter errors
perf_monitor: fixed fbs schema generation when not building with DEBUG
protocols: add vlan_idx field to Packet struct and handle multiple vlan type ids; Thanks to ymansour for reporting the issue
regex worker: removed assert that didn't handle locks cleanly
reputation: Fix iterations of layers for different nested_ip configs and show the blacklisted IP in events
sip: Added sanity check for buffer boundary while parsing a sip message
snort2lua: add code to output control = forward under the reject module
snort2lua: Fix compiler warning for catching exceptions by value
snort2lua: Fix pcre H and P option conversions for sip
snort: add --help-limits to output max* values
snort: Default to a snaplen of 1518
snort: fix command line parameters to support setting in Lua; Thanks to Meridoff oagvozd@gmail.com for reporting the issue
snort: remove obsolete and inadequate -W option; Thanks to Jaime González jaimeglz1952@gmail.com for reporting the issue
snort: terminate gracefully upon DAQ start failure; Thanks to Jaime González jaimeglz1952@gmail.com for reporting the issue
so rules: add robust stub parsing
stream: fixed stream_base flow peg count sum_stats bug
stream tcp: fixed applying post-inspection operations to wrong rebuilt packet
stream tcp: fixed sequence overlap handling when working with empty seglist
style: clean up comment to reduce spelling exceptions
thread: No more breaks for pigs (union busting)
tools: Install appid-detector-builder.sh with the other tools; Thanks to Jonathan McDowell noodles-github@earth.li for reporting the issue

2018-11-07: build 249

appid: Fixing profiler data race and registration issues
appid: make third party appid stats configurable
appid: Remove detector flows from the list for faulty lua detectors
build: remove dead code
build: support dynamic imap, pop, and smtp
comments: additional cleanup
comments: delete obsolete comments
comments: fixup format, spelling, priority, etc
comments: remove XXX and convert to FIXIT where appropriate
connectors: Fix TCP connector unit test compilation on Alpine Linux (musl)
cppcheck: cleanup some warnings
dcerpc: fixed build warning with struct packing
dcerpc: fixed setting endianness on one packet and checking on another
detection : add function to clear ips_id from unit tests
detectionengine: Only clear inspector data after offloads have completed
detection/http_inspect: Save a snapshot HTTP buffers in the IPS context to support offload of HTTP flows
doc: Adding performance consideration for developers
file_api: revert deleting gid 146 so existing 146 rulesets dont attempt empty rule eval
fixits: prioritize for RC
flow: fixed build warning
flow: track multiple offloads
fp_detect: onload before running local to ensure event ordering
framework: replace the newly introduced loop to reset the reload_type flags with the existing Inspector::update_policy function
framework: set the reload_type flags to RELOAD_TYPE_NONE at the end of reload, in anticipation of future reloads
host_tracker: fixed uppcase IP param issue
http2_inspect: Change http2 GID from 219 to 121
ips_flowbits: move static structures to snort config
main: initialize shell_map and other maps in PolicyMap::clone()
main: size analyzer notification ring appropriately
manual: fix some typos
mime: made the mime hdr info and current search thread local
mime: move the decode buffer used by mime attachments to mime context data
packet_tracer: can't emplace vector until c++14
parser: bad filename during reload is not a fatal error
perfmon: fix issue for report correct stats after passing -n pkts
perf_monitor: trackers keep copy of the relevant config items from the inspector
reload: fixed smtp seg fault when reload failed
reputation: delete old conf before allocating a new one in ReputationModule::begin() if conf not null
rule_state: indicate list format
search_tool: include bytes searched in pattern match stats
search_tool: validate ac_full and ac_bnfa wrt search and search_all
snort2lua: Add support for enable/disable iprep logging using suppress mechanism
snort2lua: Avoid returning reference of local variable
snort2lua: comment out deleted gid 146 rules
snort2lua: Enable address_anomaly_detection during snort2lua and fixed missing string sanity checks
snort2lua: fixed paf_max to stream_tcp.max_pdu convertion
snort2lua: tweak for style consistency
snort: add --rule-path to load rules from all files under given dir
snort: Code refactoring - replacing push_back/insert by emplace_back/emplace, keeping reputation_id in flow instead of flow_data, and appid code improvements
source: fix some typos
source: minor refactoring
spell: fix typo
stream, detection, flow: don't force onloads between pdus unless absolutey necessary
stream: fixed build warning
stream: only delete flows after all onloads
stream tcp: don't delete flow data on rst, let session close handle it
textlog: removed unused TextLog_Tell function
thread_idle: call timeout flows with packet time for pcap replay
utils: fixed deprecation build warning on register keyword

2018-09-26: build 248

appid: adding detector builder and fixing stats to recognize custom appid; Thanks to Wang Jun traceflight@outlook.com for reporting the issue
appid: fixing ubuntu check tests
appid: fix valgrind issues in SIP event handler
appid: FreeBSD unit-test fix
appid: supporting pub-sub mechanism for app changes
build: add libnsl and libsocket to Snort for Solaris builds
build: fall back on TI-RPC if no built-in RPC DB is found
build: introduce a more robust check for GNU strerror_r
daqs: include unistd.h directly for better cross-platform compatibility
dce_rpc: add DCE2_CO_REM_FRAG_LEN_LT_SIZE (133:31) to the TCP rule map
dce_rpc: add DCE2_SMB_NB_LT_COM (133:11) to the SMB rule map
detection: added post-onload callbacks
detection: allocate ips context data using hard coded max_ips_id == 32
detection: don't use s_switcher to get file data
detection: run active actions at onload
detection: use packet to reference context
file_api: fix off-by-one bug that was hurting performance
file_api: move the check on REJECT or BLOCK inside an upper if clause for performance reasons
file_api: set disable flow inspection as soon as the verdict is REJECT
file_api: treat a BLOCK verdict the same as a REJECT verdict, for good measure
http_inspect: split and inspect immediately upon reaching depth
latency: added cleanup for RegexOffload threads
lua: changing default FTP EPSV string format
main: pause-after-n support
managers: handle tinit for inspectors added during reload
managers: if a plugin doesn't have tinit, still mark it as initialized
reputation: early return on parsing error causing uninitialized id
reputation: fix SI doesn't block traffic if Any Zone is specified

2018-08-27: build 247 - Beta

appid: change map to unordered map
appid: declare SMTPS early in STARTTLS state on success response code
appid: fix data-race issues from ips_appid_option and improve app_name search
detection: avoid repeating detection by always doing non-fast-pattern rules immediately (applies to experimental offload only)
docs: update default html, pdf, and text user manuals
reputation: reevaluate current flows upon reload
stream_tcp: avoid duplicating split sement data
build: removing use of u_char and u_short macros (github #53)

2018-08-13: build 246

active: Add an upper limit of 255 to min_interval
appid: Avoid snort crash upon lua file errors
appid: Fixes for TNS, eDonkey, and debug logs in Lua detectors
appid: Single lua-state per thread
appid: code clean-up
appid: create developer notes document
appid: make the code compatible with the latest version of snort2
appid: refactor detector initialization
appid: fix multithreading issues (data races) from app_forecast
appid: many other updates
binder: Make two passes at binder rules - one for policy IDs and then everything else
binder: Refactor binder as a passive, event-driven inspector
byte_test: update operator parsing, remove dead code
catch: Update to Catch v2.2.3
codecs: Handle raw IP packets in Snort proper
codecs: fix dynamic build of root codecs
decode: alternate checksum calculation to improve runtime performance
detection: don't offload when 0 threads are configured
detection: save the ropts used for dce rule options in ips context to support offload
detection: various bug fixes for offload emulation
doc: Update regarding the build issue with --enable-tcmalloc flag and known workarounds
doc: added active response section to user manual
doc: corrections to tutorial section
doc: update known problems
events: remove manager cruft
file_id: fix uninitialized
file_magic: Update file_magic.lua to cover all file types and versions
framework: Enable dynamic building of ips_{pcre,regex,sd_pattern} + Hyperscan MPSE
framework: Scratch handlers for SnortState
framework: fixed adding probe to wrong SnortConfig
http_inspect: URI normalization added to dev_notes
http_inspect: add perfmon to splitter
http_inspect: bug fix and cleanup
http_inspect: memory reduction and misc cleanup
http_inspect: renumbered events to avoid current and future conflicts with Snort 2.X
inspector: Rename ::update() to ::remove_inspector_binding() to better reflect what it does
ips: Remove unused IPS module stats
ips_fragbits: Removed dead code
packet_tracer: Report user policy IDs and add network policy
parser: reset parse error count before reload to avoid confusion
perf_monitor: fix for reload
perf_monitor: format error in dev_notes
policy: Add the ability to set network policy based on user-specified ID
policy: Export querying policies by user ID and setting runtime policies
profiler: Don't clobber max entry count when recursing
reload: do not set policies for incremental reload case
reload: set policies upon swap to avoid dangling pointers when idle
reputation: make sure reputation inspector is called in default policy
reputation: support reload module
sfip: if ips_policy doesn't exist, allow for ipvar parsing without vartable
sip: Ported sip-splitter implementation from snort2
snort.lua: add inline tweaks
snort.lua: add talos defaults
snort.lua: fix tweaks path; Thanks to brastult@cisco.com for reporting the issue
snort.lua: fix community rules filename; Thanks to mike@flyn.org for reporting the issue
snort2lua: Handle sidechannel config
snort2lua: add conversion for shared memory
snort2lua: added missing keyword to nap parsing
snort2lua: don't try to index into empty lines
snort2lua: fixed nap ip parsing
snort2lua: merge multiple nap rules with the same id
snort2lua: translate file_type rule option
snort: match delete[] with new[]
snort: wrap snort SO_PUBLIC symbols in the snort namespace
ssh: added test code
stream_ip: match delete[] with new[]; don't create zero length trackers
stream_tcp: 86 r_nxt_ack as tracker state for next rx seq, use rcv_nxt instead
stream_tcp: back out fin handling changes for bug not relevant to snort3
tcp_connector_test: fixed version-sensitive build problem

2018-05-21: build 245

CodecManager: removed unused code
DataBus: fixed creating DataHandler when one doesn't exist
Debug messages: cleanup for service inspectors. New traces for detection, stream
Debug: Final debug messages cleanup, removal of macros from snort_debug
Ipv4Codec: removed random ip id pool and replaced randoms on demand
PacketManager: moved encode storage to heap
PerfMonitor: fixed subscribing to flow events multiple times
ProtoRef: Converge on single name for SnortProtocolId. Fix threading problems
Reset: Always queue reject and test packet type in RejectAction::exec
SFDAQModule: moved daq stats here. fixed stats not being output from perfmon
Snort2lua: Add ftp_data to multiple files when needed, once per file
Snort2lua: Translate ftp_server relative to default configurations
Snort: moved s_data to heap
active: Enable when max_responses is enabled
alert: moved alert json. unixsock out from extra to snort3
appid: Add AppID debug command
appid: Enable Third-Party Code for Packet Processing
appid: Fix bug where Service and Application ID's set to port number instead of service appid
appid: Fixing service discovery states
appid: Only import dynamic detector pegcounts once
appid: Refactor debug command
appid: Refactor debug command, use SfIp, and fix non-Linux compilation
appid: Third party integration support
appid: appid session unit test changes
appid: change metadata buffers from std::string to pointers, to avoid extra copying
appid: clean-up code for performance and implement is_tp_processing_done()
appid: create referer object only for non-null string
appid: do not inspect out-of-order flows, ignore zero-payload packets for client/service discovery
appid: fix memory leak in appid_http_event_test and warning in appid_http_session.cc
appid: fix segfault due to dereferencing null host pointer
appid: fix tabs and indentation
appid: fixed http fields, referer payload and appid debug
appid: make tp_attribute_data more localized, so we only allocate/deallocate it if needed
appid: moved HttpFieldIds to appid_http_session
appid: peg count / dynamic peg count update. Split peg counts into the ones known at compile time and dynamic ones. Update stats , module manager and module to support dumping dynamic stats
appid: report when third party appid is done inspecting
appid: sip: moved pattern thread local to class instance
base64_decode: moved buffer storage to regular heap
binder: Fix UBSAN invalid value type runtime error
build: 244
build: Add --enable-ub-sanitizer option for undefined behavior sanitizer
build: Add some header includes for FreeBSD
build: Clean up CMake string APPENDing for configure options
build: Clean up HAVE_* definition checks
build: Define NDEBUG if debugging is not enabled
build: Fix building unit tests on FreeBSD
build: Modernize code with =default for special member functions
build: Modernize code with virtual/override/final cleanups
build: Remove bashisms from most shell scripts
build: add cmake configure switches for NO_PROFILER, NO_MEM_MGR and DEEP_PROFILING
build: add disable-docs to disable doc build
build: fix various drops const qualifier cases
build: fix various warnings:
build: propogate snort3 tsc build option to the extra build system
byte_extract: fix cursor update
byte_jump: fix from_beginning
byte_math: allow rvalue == 0 except for division
catch: Update to Catch v2.2.1
clock: Allow use of ARM64 CNTVCT_EL0 register for timing (#46); Thanks to j.mcdowell@titan-ic.com for the patch
clock: use uint64_t with tsc clock instead of std::chrono for performance
cmake: Add --enable-appid-third-party to configure_cmake.sh
cmake: Add support for building with tcmalloc
cmake: Rework FindPCAP logic and ignore SFBPF
cmake: fixed checks for functions
cmake: update for iconv
codecs: add config option to detection to enable check and alert for address anomalies
daq_hext: Make IpAddr() static to fix compiler warning
dce_co_process_ctx_id needs to update its caller's (DCE2_CoCtxReq) frag_ptr as it is called in a loop in order to parse each dce/rpc ctx item, otherwise it ends up parsing the same ctx item over and over
dce_rpc: fix parsing of dce/rpc ctx items
dce_rpc: pass frag_ptr by reference
debug: Remove debug messages from appid, arp_spoof, and perf_monitor
debug: Remove debug messages from detection and ips_options
debug: Remove debug messages from stream
decompress/file_decomp_pdf.cc: implicit fallthrough
detect: moving thread locals identified to ips context
detection: fixed uninitialized MpseStash
doc: add doc for module trace
encoders: fixed off-by-one error in underlying buffer handling
extra: Port some CMake options from Snort prime
extra: splitted extra out to snort3_extra repo
file_api: combine file cache for file resume and partial file processing
file_connector: Fix address-of-packed-member compiler warnings
file_decomp_pdf.cc: unreachable code return
file_type: Require strings instead of integers for types. Handle versions
flow: SO_PUBLIC FlowKey
framework: align PktType and proto bits
framework: remove bogus PktType for ARP and just use proto bits instead
ftp_server: Added Flow::set_service and fixed FtpDataFlowData::handled_expected
ftp_server: Added ability get TCP options length from TcpStreamSession
ftp_server: Added accessors to Stream so TcpStreamSession can be private
ftp_server: Base last_seg_size off of MSS
ftp_server: Provide FLOW_SERVICE_CHANGE pub/sub event
ftp_server: ftp_server requires that ftp_client and ftp_data be configured
hashfcn: Fix UBSAN integer overflow runtime error
hashfcn: Fix UBSAN left shift of negative value runtime error
http_inspect: broken chunk performance improvement
http_inspect: bugfix and new alert for gzip underrun
http_inspect: embedded white space in Content-Length
http_inspect: handling of run-to-connection-close bodies beyond depth
http_inspect: know more Content-Encodings by name
http_inspect: patch around regression failures until a permanent solution is implemented
http_inspect: performance enhancements for file processing beyond detection depth
ip: replaced REG_TEST with -H option for ipv4 codec fixed seed
ips_byte_jump: Fix UBSAN left shift of negative value runtime error
ips_byte_math: Fix UBSAN left shift of negative value runtime error
ips_flags: remove dead code
javascript: moved decode buffer to stack
memory: disable with -DNO_MEM_MGR
memory_manager.cc: dangling references
packet_capture, cmake: Remove SFBPF dependencies
packet_capture: adding analyzer command to initialize dump file
packet_tracer: Fix compiler warning when compiling with NDEBUG
packet_tracer: Modularize and add constraint-based shell enablement
parameter: Fix UBSAN shift exponent is too large for 32-bit type runtime error
parser: allow arbitrary rule gids
pop, imap, and smtp: changes to MIME configuration parameters
port_scan: include open ports with alerts instead of separate
profile: disable with -DNO_PROFILER
profiler: add deep profiler option
reload: enabled reloading ips_actions; added parse error check for reloading
repuation: remove the limit for zone id
reputation: add zone support
search_engine: revert default detect_raw_tcp to false
service inspectors: debug cleanup
sfip: A version of set() which automatically determines the family
sfip: removed ntoa. use ntop(SfIpString) instead
snort2lua: Add reject action when active responses is enabled
snort2lua: conversion of gid 120 to 119
snort2lua: enable reject action when firewall is enabled
snort: -r- will read packets from stdin
spell check: fix memeory and indicies typos
steam_tcp: change singleton names from linux to new_linux to avoid spurious collisions with defines
stream ip: refactored to use MemoryManager allocators
stream: assume gid 135 so those rules are handled as standard builtins
stream: be selective about flow creation for scans
stream: refactor flow control for new PktTypes
stream: remove usused ignore_any_rules from tcp and udp
stream: respect tcp require_3whs
stream: warning: potential memory leaks
stream_tcp: refactor tcp normalizer and reassembler to eliminate dynamic heap allocations per flow
stream_tcp: switch to splitter max
stream_tcp: tweak seglist cursor handling
target_based: 100% coverage on snort_protocols.cc
target_based: unit tests for ProtocolReference class
tcp codec: count bad ip6 checksums correctly; Thanks to j.mcdowell@titan-ic.com for reporting the issue
tcp: allow data handlding for packet with invalid ack
time: initialize Stopwatch::start_time member variable to 0 ticks when TSC clock is enabled
trace: add traces for deleted debug messages
wizard: Fix UBSAN out-of-bounds access runtime error
zhash: cleanup cruftiness

2018-03-15: build 244

appid: unit-tests for http detector plugins
build: address compiler warnings, spell check and static analyzer issues
build: extirpate autotools usage
build: fix compilation issue on FreeBSD with extra
byte_jump: updated byte_jump post_offset option to support variable
cmake: update CMake config to use GNUInstallDirs and match automake
daq: hext DAQ can generate start of flow and end of flow meta events
doc: add documentation for ftp telnet
doc: fix including config_changes.txt when ruby is not present
doc: update ftp time format link
doc: updates for HTTP/2
http_inspect: handle white space before chunk length
inspectors: probes run regardless of active policy
logger: update Hext Logger to subscribe and log DAQ Meta Packets
main: reload hosts while reloading config
memory: override C++14 delete operators as well
packet tracer: added ability to direct logging to file
perf_monitor: fixed flow_ip outputting erroneous values
perf_monitor: query modules for stats only after they have all loaded
snort: --rule-to-text [] raw string output
snort: allow colon separated directories for --daq-dir
snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort' namespace

2018-02-12: build 243

build: enable gdb debugging info by default
build: fix cppcheck warnings
build: fix static analysis issue
comments: fix 6isco typos
copyright: update year to 2018
detection: use detection limit (alt_dsize)
detection: trace fast pattern searches with 0x20
detection: do not change search_engine.inspect_stream_inserts configuration
doc: update default manuals
flow: support episodic detection
help: upper case proto acronyms etc
http_inspect: apply request/response depth to packet data
http_inspect: suppress raw packet inspection beyond request/response depth
main: Export AnalyzerCommand and main_broadcast_command()
rules: fix path variable expansion
search_engine: rename inspect_stream_inserts to detect_raw_tcp for clarity default to true for 2.X rule sets
rules: update fast pattern selection to exclude redundant port groups when service groups are present
wizard: count user scans and hits separate from tcp

2018-01-29: build 242

build: add STATIC to add_library call of port_scan to build it statically otherwise link will fail (Makefile.am already build only the static version); Thanks to Fabrice Fontaine fontaine.fabrice@gmail.com
doc: update snort2lua for .rules files
doc: fixed some typos
expect: removed a single-element structure ExpectFlows
file_api: give FilePolicyBase a default virtual destructor
file: gracefully handle not having file policy configured in dce_smb
flow: provided access to all expected flows created by a packet
inspection events: added mandatory expected flow pub sub support
inspector_manager: fix acquire and use of default policy
profiler: fixed missing include
sfdaq: export can_whitelist() and modify_flow_opaque()file_api: move VerdictName array out of file_api.h
snort2lua: fix file_rule_path and fw_log_size handling in firewall preprocessor
snort2lua: make sure file_magic table comes before file_id table
snort2lua: detect commented 'alert' rules and convert them from snort to snort3 format Leave the rules commented out in the snort3 rules file
snort2lua: convert *.rules files line-by-line
unit tests: updated Catch
unit tests: added ability to run Catch tests from dynamic modules
utils, flatbuffers: added a uniform interface for 64-bit endian swaps

2017-12-15: build 241

add back the ref count for file config
alert_csv: various fixes to match alert_json
alert_json: tcp_ack, tcp_seq, and tcp_win are (base 10) integers
alert_json: various fixes; Thanks to Noah Dietrich for reporting the issues
appid: close all Lua states when thread exits
appid: gracefully handle failed Lua state instantiation; Thanks to Noah Dietrich for reporting the issue
appid: only update session flags and discovery state if service id actually set to http
appid: patch to update the appid discovery state when an http event results in setting of the service id for a flow
appid: return false from is_third_party_appid_available when no third party module is available
appid: tweak warnings and errors
binder: activate profiler support
binder: add FIXIT re creating default bindings when the wizard is not configured
binder: fix ingress / egress test
binder: minor perf and readability tweaks
build: fixed build issues on OSX with clang with cd_pbb, alert_json
build: fixed several dyanmic modules on OSX / clang
build: suppress appid warnings for valid case statement fall throughs
byte_test: fix string bounds check
catch: Update to Catch v2.0.1
cmake: add --define to configure_cmake.sh for arbitrary defines
codec: added wlan support for arp_spoof
codec: updated MIPv6 and merged cd_pim.cc, cd_swpie.cc and cd_sun_ud.cc to cd_bad_proto.cc
conf: remove OPTIONS from SIP and HTTP spells to avoid confusion with RTSP
conf: remove client to server spells for FTP, IMAP, POP, and SMTP to avoid false pickups
control: must execute from default policy only
control: process flow first
cppcheck: More miscellaneous fixes, mostly for new Catch
daq: explicitly initialize more fields in SFDAQInstance constructor
daq: handle real IP and port
data_bus: also publish to default policy
data_bus: refactor basic access for pub / sub
dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc)
detection: fix option tree looping issue
detection: rename ServiceInfo to SignatureServiceInfo
doc: fix type in style section
doc: update default manuals
file api: move file verdict enforcement out of file policy
file api: support file verdict delay during signature lookup
file policy and file config update to allow user define customized file policy through file api
file policy: add support for file event logging
file_api: Set the FileContext verdict, not a local verdict
file_id: add interface to access file info from file capture
file_id: support groups
hash: Rename SFGHASH, SFXHASH, SFHASHFCN to something resonable
http_inspect: add profiler support
http_inspect: fix bugs related to stream interaction
http_inspect: use configured max_pdu as base target reassembly size
inspection: default policy mode depends on adaptor mode
ips options: error if lookup fails due to bad case, typos, etc; Thanks to Noah Dietrich for reporting the issue
memory: no stats output unless configured
normalizer: added test mode
normalizer: fix enable checks
parsing: resolve paths from the current config directory instead of process directory
policy: added inspection policy config
port_scan: add alert_all to make alerting on all events in window optional
port_scan: fix flow checks
profiler: fix focus of eventq
reputation: tweak warning message
rules: default msg = "no msg in rule"
sfrt: remove cruft and reformat header
shell: fixed crash when issuing control commands
sip: use log splitter for tcp
snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder
snort2lua: Convert file_magic.conf to Lua format
snort2lua: added inspection uuid
snort2lua: added na_policy_mode. added ability amend tables if created
snort2lua: added normalize_tcp: ftp
snort2lua: fix stream_size: to_client, to_server conversion
snort2lua: future proof --bind-wizard binding order
snort2lua: no sticky buffer for relative pcre
snort2lua: remove when udp from binding to support tcp too
snort2lua: tweak const name for clarity (internal)
snort2lua: urilen:<> --> bufferlen:<=>
snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces from LeakSanitizer
soid: allow stub to contain any or all options --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static
stream: change tcp idle timeout to 3600 to match 2.X nominal timeout
stream_*: separate session profiler data from flow cache profiler data
stream_ip: fix non-frag counting
stream_size: fix eval packet checks
stream_tcp: delete superfluous memsets to zero
stream_tcp: ignore flush requests on unitialized sessions (early abort condition)
stream_tcp: instantiate wizard only when needed
stream_tcp: remove empty default state action
stream_user: clear splitter properly
target_based: Install header
wizard: abort if no match
wizard: activate profiler support
wizard: usage is inspect

2017-10-31: build 240

active: fix packet modify vs resize handling
alert_csv: rename dgm_len to pkt_len
alert_csv: add b64_data, class, priority, service, vlan, and mpls options
alert_json: initial json event logger
alerts: add log_references to store and log rule references with alert_full
appid: enable SSL certificate pattern matching
appid: fix build with LuaJIT 2.1
appid: reorganize AppIdHttpSession to minimize padding
appid: add count for applications detected by port only
appid: create exptected flow immediately after ftp PORT command for active mode
appid: handle sip events before packets
appid: overhaul peg counting for discovered appids
appid: use ac_full search method since it supports find_all; force enable dfa flag
binder: added network policy selection
binder: added zones
binder: allow src and dst specifications for ports and nets
binder: check interface on packet instead of flow
binder: fixed nets check falling through on failure
build: clean up a few ICC 2018 and GCC 7 warnings
build: fix linking against external libiconv with autotools
build: fix numerous analyzer errors and leaks
build: fix numerous clang-tidy warnings
build: fix numerous cppcheck warnings
build: fix numerous valgrind errors
build: fixed issues on OSX
catch: update to Catch v1.10.0
cd_icmp6: fix encoded cksum calculation
cd_pbb: initial version of codec for 802.1ah; Thanks to jan hugo prins jhp@jhprins.org for reporting the issue
cd_pflog: fix comments; Thanks to Markus Lude markus.lude@gmx.de for the 2X patch
content: fix relative loop condition
control: delete the old binder while reloading inspector
control: update binder with new inspector
daq: add support for DAQ_VERDICT_RETRY
daq: add support for packet trace
daq: add support tunnel bypass for IP 4IN4, IP 6IN6, GRE and MPLS by config and flags
data_log: update to new http_inspect
dce_rpc: remove connection-oriented rules from dce_smb module
dce_smb: unicode filename support
doc: add module usage and peg count type
doc: add POP, IMAP and SMTP to user manual features
doc: add port scan feature
flow key: support associating router solicit/reply packets to a single session
http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after status line or headers
http_inspect: add random increment to message body division points
http_inspect: added http_raw_buffer rule option
http_inspect: create message sections with body data that has been dechunked and unzipped but not otherwise nortmalized
http_inspect: handle borked reassembly gracefully; Thanks to João Soares joaopsys@gmail.com for reporting the issue
http_inspect: support for u2 extra data logging
http_inspect: test tool improvements
http_inspect: true IP enhancements
inspectors: add control type and ensure appid is run ahead of other controls
inspectors: add peg count for max concurrent sessions
ips: add uuid
loggers: add base64 encoder based on libb64 from devolve
loggers: use standard year/mon/day format
main: fix potential memory leak when queuing analyzer commands
memory: align allocator metadata such that returned memory is also max_align_t-aligned
memory: output basic startup heap stats
messages: output startup warnings and errors to stderr instead of stdout
messages: redirect stderr to syslog as well
modules: add usage designating global, context, inspect, or detect policy applicability
mss: add extra rule option to check mss
parser: disallow invalid port range !:65535 (!any)
parser: tweak performance
pcre: fix relative search with ^
pop: service name is pop3
replace: fix activation sequence
rules: warn only once per gid:sid of no fast pattern
search_engine: port the optimized port table compilation from 2.9.12
search_engines: Fix case sensitive ac_full DFA matching
shell: delete inspector from the default inspection policy
shell: fix --pause to accept control commands while in paused state
sip: sip_method can use data from any sip inspector of any inspection policy
snort.lua: align default conf closer to 2.X
snort.lua: expand default conf for completeness and clarity
snort_defaults.lua: update default servers and ports
snort2lua: correctly identify ftpbounce and sameip as unsupported rule options
snort2lua: added XFF configuration to unsupported list
snort2lua: added config protected_content to deleted list
snort2lua: added config_na_policy_mode to unsupported list
snort2lua: added dynamicoutput to deleted list
snort2lua: added firewall to unsupported list
snort2lua: added nap.rules zone translation
snort2lua: added nap_selector support
snort2lua: added nap_selector to unsupported list
snort2lua: added sf_unified2 to unsupported list and matching log/alert to deleted
snort2lua: bindings now merge and propagate to top level of corresponsing policy
snort2lua: config policy_id converts to when ips_policy_id
snort2lua: convert dsize:a<>b to dsize:a<=>b for consistency with other rule options
snort2lua: do not convert sameip; handle same as ftpbounce (no longer supported)
snort2lua: enforced ordering to bindings in binder table
snort2lua: fix null char in -? output
snort2lua: fixed extra whitespace generation
snort2lua: logto is not supported
snort2lua: removed port dce proxy bindings to fix http_inspect conflicts
snort2lua: search_engine.split_any_any now defaults to true
snort: -T does not compile mpse; --mem-check does
snort: add warnings count to -T ouptut
snort: add --dump-msg-map
snort: exit with zero from usage
snort: fix --dump-builtin-rules to accept optional module prefix
stdlog: support snort 3> log for text alerts
target: add rule option to indicate target of attack
thread: add logging directory ID offset controlled by --id-offset option
u2spewfoo: fix build on FreeBSD
unified2: add legacy_events bool for out-of-date barnyard2
unified2: log buffers as cooked packets with legacy events
wscale: add extra rule option to check tcp window scaling

2017-07-25: build 239

rules: remove sample.rules; Talos will publish Snort 3 rules on snort.org
logging: fix handling of out of range timeval; Thanks to kamil@frankowicz.me for reporting the issue
wizard: fix direction issue
wizard: fix imap spell

2017-07-24: build 238

check: update hyperscan and regex tests
cpputests: clean up some header include issues
daq_socket: update to support query of pci
detection: fix debug print of fast pattern only
detection: rule evaluation trace utility
doc: update concepts and differences
file_api: memory leak fixed
file_id: fixes for file capture exit
http_inspect: added 119:97 for lower case letters in version field
http_inspect: alert 119:96 added for unsolicited 206 response
http_inspect: specific alert added 119:95 for Content-Encoding chunked
ipv6: fix flow label access method; Thanks to schrx3b6 for the patch
loggers: remove units options; all limits expressed in MB
mpse: Remove Intel Soft CPM support
mpse: make regex capability generic
mpse: only use literals for fast patterns if search_method is not hyperscan
output: add packet trace feature
perf_monitor: fixed main table (perf_monitor) having same name as pegs for
perfmon field
regex: fix pass through of mpse flags to hyperscan
replace: do not trip over fast pattern only
rpc: revert to positional params, fix tcp logic, clean up formatting
rules: promote metadata:service to a separate option since it is not metadata
snort2lua: Fixed incorrect file names errors
snort2lua: move footprint to stream from stream_tcp
spell check: fix message and comment typos
stream: add ip_proto as part of flow key
stream: fix user dependency on flush bucket
text logs: fix default unlimited file size
u2: add event3 to u2spewfoo
u2: convert thread local buffers to heap
u2: deprecate ip4 and ip6 specific events and add a single event for both
u2: remove obsolete configurations
u2: support mixed IP versions

2017-07-13: build 237

build: add support for appending EXTRABUILD to the BUILD string
build: Clean up some ICC 2017 warnings
build: clean up some GCC 7 warnings
build: support OpenSSL 1.1.0 API
build: clean up some cppcheck warnings
appid: port some missing 2.9.X FEAT_OPEN_APPID code
appid: fix thread-unsafe sharing of HTTP pattern tables
DAQ: fix leaking instance memory when configure fails
daq_hext and daq_file: pass PCI via query method
icmp6: reject non-ip6, raise 116:474
http_inspect: header normalization improvements
http_inspect: port fixes for UTF decoding
http_inspect: added 119:87 - 119:90 for expect / continue issues
http_inspect: added 119:91 for Transfer-Encoding header not valid for HTTP 1.0
http_inspect: added 119:92 for Content-Transfer-Encoding
http_inspect: added 119:93 for issues with chunked message trailers
PDF decompression: fix missing reset in state machine transition
ftp_server: implement splitter to improve EOF processing
port_scan: merge global settings into main module and other improvements
perf_monitor: add JSON formatter
ssl: add splitter to improve PDU processing
detection: fix segfault in DetectionEngine::idle sans thread_init
rules: tolerate spaces in positional parameters; Thanks to Joao Soares for reporting the issue
ip and tcp options: fix max length handling and clean up logging
cmg: improved alert formatting
doc: updates re control channel
snort2lua: added line number and file name to error output
snort2lua: fix removal of ignore_ports in stream_tcp.small_segments
snort2lua: fix heap-use-after-free for preprocessors and configs with no arguments
snort2lua: update for port_scan

2017-06-15: build 236

appid: clean up shutdown stats
appid: fix memory leak
conf: update defaults
decode: updated ipv6 valid next headers
detection: avoid superfluous leaf nodes in detection option trees
http_inspect: improved handling of badly terminated chunks
http_inspect: improved transfer-encoding header processing
ips options: add validation for range check types such as dsize
perf_monitor: add more tcp and udp peg counts
perfmonitor: update cpu tracker output to thread#.cpu_*
port_scan: alert on all scan attempts so blocking is possible
port_scan: make fully configurable
sip: fix get body buffer for fast patterns
ssl: use stop-and-wait splitter (protocol aware splitter is next)
stream_ip: fix 123:7

2017-06-01: build 235

http_inspect: improve handling of improper bare \r separator
appid: fix bug where TNS detector corrupted the flow data object
search_engine: set range for max_queue_events parameter; Thanks to Navdeep.Uniyal@neclab.eu for reporting the issue
arp_spoof: reject non-ethernet packets
stream_ip: remove dead code and tweak formatting
ipproto: remove unreachable code
control_mgmt: add support for daq module reload
control_mgmt: add support for unix sockets
doc: update default manuals
doc: update differences section
doc: update README

2017-05-21: build 234

byte_math: port rule option from 2X and add feature documentation
pgm: don't calculate checksum if header length is not divisible by 4
appid: fix sip event handling, http pattern lists, thread locals
build: fix issues with OpenSolaris and FreeBSD builds
cmake: fix issues with libpcap and miscellaneous
offload: refactor for initial (experimental) version of regex offload to other threads
cmg: revamp hex buffer dump format with 16 or 20 bytes per line
rules: reject positional parameters containing spaces

2017-05-11: build 233

packet manager: ensure ether type proto ids don't masquerade as ip proto ids; Thanks to Bhargava Shastry bshastry@sec.t-labs.tu-berlin.de for reporting the issue
codec manager: fix off-by-1 mapping array size; Thanks to Bhargava Shastry bshastry@sec.t-labs.tu-berlin.de for reporting the issue
codec: fix extraction of ether type from cisco metadata
appid: add new unit tests to the cmake build, fix missing lib reference to sfip
sfghash: clean up and add unit tests
http: fix 119:38 false positive
main: fix compiler warnings when SHELL is not enabled
perf_monitor: fix flatbuffers handling of empty strings
modbus: port fix for false positives on length field
http: port simple UTF decoding w/o byte order mark
build: updated code to resolve cppcheck warnings
cleanup: fix typos in source code string literals and comments
doc: fix typos

2017-04-28: build 232

build: clean up Intel compiler warnings and remarks
build: fix FreeBSD compilation issues
cmake: fix building with and without flatbuffers present
autoconf: check for lua.hpp as well as luajit.h to ensure C++ support
shell: make commands non-blocking
shell: allow multiple remote connections
snort2lua: fix generated stream_tcp bindings
snort2lua: fix basic error handling with non-conformant 2.X conf
decode: fix 116:402
dnp3: fix 145:5
appid: numerous fixes and cleanup
http_server: removed (use new http_inspect instead)
byte_jump: add bitmask and from_end (from 2.9.9 Snort)
byte_extract: add bitmask (from 2.9.9 Snort)
flatbuffers: add version to banner if present
loggers: build alert_sf_socket on all platforms

2017-04-07: build 231

add decode of MPLS in IP
add 116:171 and 116:173 cases (label 0 or 2 in non-bottom of stack)
cleanup: remove dead code

2017-03-27: build 230

require hyperscan >= 4.4.0, check runtime support; Thanks to justin.viiret@intel.com for submitting the patch
fix search tool issue with empty pattern database; Thanks to justin.viiret@intel.com for reporting the issue
fix sip_method to error out if sip not instantiated
major appid overhaul to address lingering concerns: refactor, cleanup, simplify
major detection overhaul to address lingering concerns: refactor, cleanup, release memory ASAP
add FlatBuffers output format to perf_monitor also added tool to convert FlatBuffers files to yaml
add regex.fast_pattern; do not use for fast pattern unless explicitly indicated
update copyrights to 2017

2017-03-17: build 229

fixed mpse to ensure all search methods return consistent results
updated search tool to use fast pattern config's search method (benefits appid, http_inspect, imap, pop, and smtp)
snort2lua parsing bug fixes to recognize incomplete constructs
http_inspect: added alert 119:81 for nonprinting character in header name
http_inspect: added alert 119:82 for bad Content-Length value
http_inspect: added alert 119:83 for header wrapping; CR and LF parsed as whitespace

2017-03-02: build 228 - Alpha 4

update hypercsan mpse: print error message and erroneous pattern when compilation fails
update rule parser: add multiple byte orders warning
fix pid file: create regardless of priv drop settings
fix dce_rpc: mark generated iface patterns as literal
snort2lua: mark appid conf and thirdparty_appid_dir as unsupported (temporary)
snort2lua: fix a couple of typos in table API output
snort2lua: fix sticky buffer following uricontent
doc: add DAQ configuration documentation
doc: move LibDAQ README to Reference, update, and fix typos
doc: update default manuals

2017-02-24: build 227

allow arbitrary / unused gids in text rules
support DAQs w/o explicit sources (nfq, ipfw)
fix up peg help (remove _)
fix u2 logging of PDUs

2017-02-16: build 226

add PDF/SWF decompression to http_inspect
add connectors to generated reference parts of manual
add feature documentation for HA, side_channel, and connectors
add feature documentation for http_inspect
update default manuals
fix privilege dropping and chroot behavior
fix perf_monitor segfault when tterm is called before tinit
fix stream_tcp counter underflow bug and handle max and instant stats
fix lzma length calculation bug
fix bogus 129:20 alerts
fix back orifice compiler warning with -O3
fix bug that could cause hang on ctl-C
fix memory leak after reload w/o changing search engine
fix off by one error when reassembling after TCP FIN received
fix cmake doc build to include plugins on SNORT_PLUGIN_PATH
fix compiler warnings in dce_http_server and dce_http_proxy
fix appid reload issue
snort2lua - changes for rpc over http
snort2lua - changes to convert config alertfile:
snort2lua - changes to add file_id when smb file inspection is on
snort2lua - add deprecated option stream5_tcp: log_asymmetric_traffic

2017-02-01: build 225

implement RPC over HTTP by adding dce_http_server and dce_http_proxy
port disable_replace option from snort 2.x and add snort2lua support
port ssh tunnel over http detection
fix stream splitter handling during final flush of session data
fix appid to use HTTP inspection events to detect webdav methods
fix unit test build to work w/o REG_TEST
fix shell to add missing newline to Lua execution error responses
fix support for content strings with escaped quotes ("foo\"bar"); Thanks to secres@linuxmail.org for reporting the issue
fix various reload issues
fix various thread sanitizer issues
fix session disposal to always be after logging
fix appid pattern matching issues
fix appid dns flow counts
fix shell resume after command line --pause
fix sd_pattern validation boundary conditions
build: don't disable asserts when compiling with code coverage
autoconf: update to latest versions of autoconf-archive macros
main: add asynchronous, broadcastable analyzer commands
add salt to flow hash
normalize peg names to lower snake_case
update default manuals

2017-01-17: build 224

fix various stream_tcp flush issues
fix various cmake issues
fix appid counting of kerberos flows
fix expected flow leak when expiring nodes during lookup; Thanks to João Soares joaosoares11@hotmail.com for reporting the issue
fix autoconf retrieving PCRE cppflags from pkg-config
fix stream_user reassembly
remove unused appid.thirdparty_appid_dir
build and install plugins as modules instead of libraries
obfuscate stream rebuilt payload
updates for latest zlib
disable smb2 processing when file service is disabled
refactor includes; prune the set of installed headers
don't build alert_sf_socket on OSX
added CPP flags used to build Snort to snort.pc for extras and other plugins to use

2016-21-16: build 223

port 2983 smb active response updates
fix reload crash with file inspector
fix appid service dispatch handling issue; Thanks to João Soares joaosoares11@hotmail.com for reporting the issue
fix paf-type flushing of single segments; Thanks to João Soares joaosoares11@hotmail.com for reporting the issue
fix daemonization; Thanks to João Soares joaosoares11@hotmail.com for reporting the issue
also fixes double counting of reassembled buffers
fix fallback from paf to atom splitter if flushing past gap
fix thread termination segfaults after DAQ module initialization fails
fix non-x86 builds - do not build tsc clock scaling
added appid to user manual features
update default user manuals
minor refactor of flush loop for clarity
improve http_inspect Field class
refactor plugin loading

2016-12-16: build 222

add JavaScript Normalization to http_inspect
fix appid service check dispatch list
fix modbus_data handling to not skip options; Thanks to FabianMalte.Kopp@b-tu.de for reporting the issue
fix sensitive data filtering documentation issues
build: Illumos build fixes
build: Address some cppcheck concerns
miscellaneous const tweaks
reformat builtin rule text for consistency
reformat help text for consistency
refactor user manual for clarity
update default user manuals

2016-12-09: build 221

fix appid handling of sip inspection events
fix wizard to prevent use-after-free of service name
fix various issues reported by cppcheck
fix reload race condition
fix cmake + clang builds
add padding guards around hash key structs
update manual for dce_* inspectors
refactor IP address handling

2016-12-01: build 220

fixed uu and qp decode issue
fixed file signature calculation for ftp
fixed file resume blocking
fix 135:2 to be upon completion of 3-way handshake
fix memory leak with libcrypto use
fix multithreaded use of libcrypto
fix default snort2lua output for gtp and modbus
fix Lua ordering issue with net and port vars
fix miscellaneous multithreading issues with appid
fix comment in snort.lua re install directory use; Thanks to Yang Wang for sending the pull request
add alternate fast patterns for dce_udp endianness
removed underscores from all peg counts
document sensitive data use
user manual refactoring and updates

2016-11-21: build 219

add dce auto detect to wizard
add MIME file processing to new http_inspect
add chapters on perf_monitor and file processing to user manual
appid refactoring and cleanup
many appid fixes for leaks, sanitizer, and analyzer issues
fix appid pattern matching for http
fix various race conditions reported by thread sanitizer
fix out-of-order FIN handling
fix cmake package name used in HS and HWLOC so that REQUIRED works
fix out-of-tree doc builds
fix image sizes to fit page; Thanks to wyatuestc for reporting the issue
fix fast pattern selection when multiple designated; Thanks to j.mcdowell@titanicsystems.com for reporting the issue
change -L to -K in README and manual; Thanks to jncornett for reporting the issue
support compiling catch tests in standalone source files
create pid file after dropping privileges
improve detection and use of CppUTest in non-standard locations

2016-11-04: build 218

fix shutdown stats
fix misc appid issues
rewrite appid loading of lua detectors
add sip inspector events for appid
update default manuals

2016-10-28: build 217

update appid to 2983
add inspector events from http_inspect to appid
fix appid error messages
fix flow reinitialization after expiration
fix release of blocked flow
fix 129:16 false positive

2016-10-21: build 216

add build configuration for thread sanitizer
port dce_udp fragments
build: clean up some ICC warnings
fix various unit test leaks
fix -Wmaybe-uninitialized issues
fix related to appid name with space and SSL position

2016-10-13: build 215

added module trace facility
port block malware over ftp for clients/servers that support REST command
port dce_udp packet processing
change search_engine.debug_print_fast_pattern to show_fast_patterns
overhaul appid for multiple threads, memory leaks, and coding style
fix various appid patterns and counts
fix fast pattern selection
fix file hash pruning issue
fix rate_filter action config and apply_to clean up

2016-10-07: build 214

updated DAQ - you must use DAQ 2.2.1
add libDAQ version to snort -V output
add support http file upload processing and process decode/detection depths
port sip changes to avoid using NAT ip when calculating callid
port dce_udp autodetect and session creation
fix static analysis issues
fix analyzer/pig race condition
fix explicit obfuscation disable not working
fix ftp_data: Gracefully handle cleared flow data
fix LuaJIT rule option memory leak of plugin name
fix various appid issues - initial port is nearing completion
fix http_inspect event 119:66
fix ac_full initialization performance
fix stream_tcp left overlap on hpux, solaris
fix/remove 129:5 ("bad segment") events
file_mempool: fix initializing total pool size
fix bpf includes
fix builds for OpenSolaris
expected: push expected flow information through the DAQ module
expected: expected cache revamp and related bugfixes
ftp_data: add expected data consumption to set service name and fix bugs
build: remove lingering libDAQ #ifdefs
defaults: update FTP default config based on Snort2's hardcoded one
rename default_snort_manual.* to snort_manual.*
build docs only by explicit target (make html|pdf|text)
update default manuals to build 213
tolerate more spaces in ip lists
add rev to rule latency logs
change default latency actions to none
deleted non-functional extra decoder for i4l_rawip

2016-09-27: build 213

ported full retransmit changes from snort 2X
fixed carved smb2 filenames
fixed multithread hyperscan mpse
fixed sd_pattern iterative validation

2016-09-24: build 212

add dce udp snort2lua
add file detection when they are transferred in segments in SMB2
fix another case of CPPUTest header order issues
separate idle timeouts from session timeouts counts
close tcp on rst in close wait, closing, fin wait 1, and fin wait 2
doc: update style guide for 'using' statements and underscores
packet_capture: Include top-level pcap.h for backward compatibility
main: remove unused -w commandline option
lua: fix conflict with _L macro from ctype.h on OpenBSD
cmake: clean dead variables out of config.cmake.h
build: fix 32-bit compiler warnings
build: fix illumos/OpenSolaris build and remove SOLARIS/SUNOS defines
build: remove superfluous LINUX and MACOS definitions
build: remove superfluous OPENBSD and FREEBSD definitions
build: entering 'std' namespace should be after all headers are included
build: clean up u_int*_t usage
build: remove SPARC support
build: clean up some DAQ header inclusion creep

2016-09-22: build 211

fix hyperscan detection with nocase
fix shutdown sequence
fix --dirty-pig
fix FreeBSD build re appid / service_rpc

2016-09-20: build 210

started dce_udp porting
added HA details to stream/* dev_notes
added stream.ip_frag_only to avoid tracking unwanted flows
updated default stream cache sizes to match 2.X
fixed tcp_connector_test for OSX build
fixed binder make files to include binder.h
fixed double counting of ip and udp timeouts and prunes
fixed clearing of SYN - RST flows

2016-09-14: build 209

add dce iface fast pattern for tcp
add --enable-tsc-clock to build/use TSC register (on x86)
update latency to use ticks during runtime
tcp stream reassembly tweaks
fix inverted detection_filter logic
fix stream profile stats parents
fix most bogus gap counts
unit test fixes for high availability, hyperscan, and regex

2016-09-09: build 208

fixed for TCP high availability
fixed install of file_decomp.h for consistency between Snort and extras
added smtp client counters and unit tests
ported Smbv2/3 file support
ported mpls encode fixes from 2983
cleaned up compiler warnings

2016-09-02: build 207

ported smb file processing
ported the 2.9.8 ciscometadata decoder
ported the 2.9.8 double and triple vlan tagging changes
use sd_pattern as a fast-pattern
rewrite and fix the rpc option
cleanup fragbits option implementation
finish up cutover to the new http_inspect by default
added appid counts for rsync
added http_inspect alerts for Transfer-Encoding and Content-Encoding abuse
moved file capture to offload thread
numerous fixes, cleanup, and refactoring for appid
numerous fixes, cleanup, and refactoring for high availability
fixed regex as fast pattern with hyperscan mpse
fixed http_inspect and tcp valgrind errors
fixed extra auto build from dist

2016-08-10: build 206

ported appid rule option as "appids"
moved http_inspect (old) to http_server (in extras)
moved new_http_inspect to http_inspect
added smtp.max_auth_command_line_len
fixed asn1:print help
fixed event queue buffer log size
fixed make distcheck; Thanks to jack jackson jsakcon@gmail.com for reporting the issue

2016-08-05: build 205

ported smb segmentation support
converted sd_pattern to use hyperscan
fixed help text for rule options ack, fragoffset, seq, tos, ttl, and win
fixed endianness issues with rule options seq and win
fixed rule option session binary vs all

2016-07-29: build 204

fixed issue with icmp_seq and icmp_id field matching
fixed off-by-1 line number in rule parsing errors
fix cmake make check issue with new_http_inspect
added new_http_inspect unbounded POST alert

2016-07-22: build 203

add oversize directory alert to new_http_inspect
add appid counts for mdns, timbuktu, battlefield, bgp, and netbios services
continue smb port - write and close command, deprecated dialect check, smb fingerprint
fix outstanding strndup calls

2016-07-15: build 202

fix dynamic build of new_http_inspect
fix static analysis issues
fix new_http_inspect handling of 100 response
port appid detectors: kereberos, bittorrent, imap, pop
port smb reassembly and raw commands processing
snort2lua updates for new_http_inspect
code refactoring and cleanup

2016-06-22: build 201

initial appid port - in progress
add configure --enable-hardened-build
add configure --pie (position independent executable)
add new_http_inspect alert for loss of sync
add peg counts for new_http_inspect
add peg counts for sd_pattern
add file_log inspector to log file events
add filename support to file daq
add high availability support for udp and icmp
add support for safe C library
continue porting of dce_rpc - smb transaction processing (part 2)
various snort2lua updates and fixes
fix default prime tables for internal hash functions
fix new_http_inspect bounds issues
fix icc warnings
miscellaneous cmake and auto tools build fixes
openssl is now a mandatory dependency

2016-06-10: build 200

continued porting of dce_rpc - smb transaction processing
tweaked autotools build foo
add / update unit tests
fix additional memory leaks
fix compiler warnings
fix static analysis issues
fix handling of bpf file failures

2016-06-03: build 199

add new http_inspect alerts abusive content-length and transfer-encodings
add \b matching to sensitive data
add obfuscation for sensitive data
add support for unprivileged operation
fix link with dynamic DAQ
convert legacy allocations to memory manager for better memory profiling

2016-05-27: build 198

add double-decoding to new_http_inspect
add obfuscation support for cmg and unified2
cleanup compiler warnings and memory leaks
fixup cmake builds
update file processing configuration
prevent profiler double counting on recursion
additional unit tests for high availability
fix multi-DAQ instance configuration

2016-05-02: build 197

fix build of extras
fix unit tests

2016-04-29: build 196

overhaul cmake foo
update extras to better serve as examples
cleanup use of protocol numbers and identifiers
continued stream_tcp refactoring
continued dce2 port
more static analysis memory leak fixes

2016-04-22: build 195

added packet_capture module
initial high availability for UDP
changed memory_manager to use absolute instead of relative cap
cmake and pkgconfig fixes
updated catch headers to v1.4.0
fix stream_tcp config leak
added file capture stats
static analysis updates
DAQ interface refactoring
perf_monitor refactoring
unicode map file for new_http_inspect

2016-04-08: build 194

added iterative pruning for out of memory condition
added preemptive pruning to memory manager
dce segmentation changes
dce smb header checks port - non segmented packets
added thread timing stats to perf_monitor
fixed so rule input / output
fixed protocol numbering issues
fixed 129:18
update extra version to alpha 4 -; Thanks to Henry Luciano cuncator@mote.org for reporting the issue
remove legacy/unused obfuscation api
fixed clang, gcc, and icc, build warnings
fixed static analysis issues
fixed memory leaks (more to go)
clean up hyperscan pkg-config and cmake logic

2016-03-28: build 193

fix session parsing abort handling
fix shutdown memory leaks
fix building against LuaJIT using only pkg-config
fix FreeBSD build
perf_monitor config and format fixes
cmake - check all dependencies before fatal error
new_http_inspect unicode initialization bug fix
new_http_inspect %u encoding and utf 8 bare byte
continued tcp stream refactoring
legacy search engine cleanup
dcd2 port continued - add dce packet fragmentation
add configure --enable-address-sanitizer
add configure --enable-code-coverage
memory manager updates

2016-03-18: build 192

use hwloc for CPU affinity
fix process stats output
add dce rule options iface, opnum, smb, stub_data, tcp
add dce option for byte_extract/jump/test
initial side channel and file connector for HA
continued memory manager implementation
add UTF-8 normalization for new_http_inspect
fix rule compilation for sticky buffers
host_cache and host_tracker config and stats updates
miscellaneous warning and lint cleanup
snort2Lua updates for preproc sensitive_data and sd_pattern option

2016-03-07: build 191

fix perf_monitor stats output at shutdown
initial port of sensitive data as a rule option
fix doc/online_manual.sh for linux

2016-03-04: build 190

fix console close and remote control disconnect issues
added per-thread memcap calculation
add statistics counters to host_tracker module
new_http_inspect basic URI normalization with configuration options
format string cleanup for parser logging
fix conf reload by signal

2016-02-26: build 189

snort2lua for dce2 port (in progress)
replace ppm with latency
added rule latency
fixed more address sanitizer bugs
fixed use of debug vs debug-msgs
add missing ips option hash and == methods
perf_monitor configuration
fix linux + clang build errors
trough rewrite

2016-02-22: build 188

added delete/delete[] replacements for nothrow overload; Thanks to Ramya Potluri for reporting the issue
fixed a detection option comparison bug which wasted time and space
disable perf_monitor by default since the reporting interval should be set
memory manager updates
valgrind and unsanitary address fixes
snort2lua updates for dce2
build issue fix - make non-GNU strerror_r() the default case
packet latency updates
perfmon updates

2016-02-12: build 187

file capture added - initial version writes from packet thread
added support for http 0.9 to new_http_inspect
added URI normalization of headers, cookies, and post bodies to new_http_inspect
configure_cmake.sh updates to better support scripting
updated catch header (used for some unit tests)
continued dce2 port
fixed misc clang and dynamic plugin build issues
fixed static analysis issues and crash in new_http_inspect
fixed tcp paws issue
fixed normalization stats
fixed issues reported by Bill Parker
refactoring updates to tcp session
refactoring updates to profiler

2016-02-02: build 186

fix xcode builds
fix static analysis issues
update default manuals
host_module and host_tracker updates
start perf_monitor rewrite - 1st of many updates
start dce2 port - 1st of many updates
remove --enable-ppm - always enabled

2016-01-25: build 185

initial host_tracker for new integrated netmap
new_http_inspect refactoring for time and space considerations
fix profiler depth bug
fatal on failed IP rep segment allocation -; Thanks to Bill Parker
tweaked style guide wrt class declarations

2016-01-08: build 184

added new_http_inpsect rule options
fixed build issue with Clang and thread_local
continued tcp session refactoring
fixed rule option string unescape issue

2015-12-11: build 183

circumvent asymmetric flow handling issue

2015-12-11: build 182 - Alpha 3

added memory profiling feature
added regex fast pattern support
ported reputation preprocessor from 2X
synced to 297-262
removed '_q' search method flavors - all are now queued
removed PPM_TEST
build and memory leak fixes

2015-12-04: build 181

perf profiling enhancements
fixed build issues and memory leaks
continued pattern match refactoring
fix spurious sip_method matching

2015-11-25: build 180

ported dnp3 preprocessor and rule options from 2.X
fixed various valgrind issues with stats from sip, imap, pop, and smtp
fixed captured length of some icmp6 types
added support for hyperscan search method using rule contents (regex to follow)
fixed various log pcap issues
squelch repeated ip6 ooo extensions and bad options per packet
fixed arp inspection bug

2015-11-20: build 179

user manaul updates
fix perf_monitor.max_file_size default to work on 32-bit systems,; Thanks to noah_dietrich@86penny.org for reporting the issue
fix bogus 116:431 events
decode past excess ip6 extensions and bad options
add iface to alert_csv.fields
add hyperscan fast pattern search engine - functional but not yet used
remove --enable-perf-profiling so it is always built
perf profiling changes in preparation for memory profiling
remove obsolete LibDAQ preprocessor conditionals
fix arp inspection
search engine refactoring

2015-11-13: build 178

document runtime link issue with hyperscan on osx
fix pathname generation for event trace file
new_http_inspect tweaks
remove --enable-ppm-test
sync up auto tools and cmake build options

2015-11-05: build 177

idle processing cleanup
fixed teredo payload detection
new_http_inspect cleanup
update old http_inspect to allow spaces in uri
added null check suggest by Bill Parker
fix cmake for hyperscan
ssl and dns stats updates
fix ppm config
miscellanous code cleanup

2015-10-30: build 176

tcp reassembly refactoring
profiler rewrite
added gzip support to new_http_inspect
added regex rule option based on hyperscan

2015-10-23: build 175

ported gtp preprocessor and rule options from 2.X
ported modbus preprocessor and rule options from 2.X
fixed 116:297
added unit test build for cmake (already in autotools builds)
fixed dynamic builds (187 plugins, 138 dynamic)

2015-10-16: build 174

legacy daemonization cleanup
decouple -D, -M, -q
delete -E
initial rewrite of profiler
don't create pid file unless requested
remove pid lock file
new_http_inspect header processing, normalization, and decompression tweaks
convert README to markdown for pretty github rendering (contributed by gavares@gmail.com)
perfmonitor fixes
ssl stats updates

2015-10-09: build 173

added pkt_num rule option to extras
fix final -> finalize changes for extras
moved alert_unixsock and log_null to extras
removed duplicate pat_stats source from extras
prevent tcp session restart on rebuilt packets; Thanks to rmkml for reporting the issue
fixed profiler configuration
fixed ppm event logging
added filename to reload commands
fixed -B switch
reverted tcp syn only logic to match 2X
ensure ip6 extension decoder state is reset for ip4 too since ip4 packets may have ip6 next proto
update default manuals

2015-10-01: build 172

check for bool value before setting fastpath config option in PPM
update manual related to liblzma
fix file processing
refactor non-ethernet plugins
fix file_decomp error logic
enable active response without flow
update bug list

2015-09-25: build 171

fix metadata:service to work like 2x
fixed issues when building with LINUX_SMP
fixed frag tracker accounting
fix Xcode builds
implement 116:281 decoder rule
udpated snort2lua
add cpputest for unit testing
don't apply cooked verdicts to raw packets

2015-09-17: build 170

removed unused control socket defines from cmake
fixed build error with valgrind build option
cleanup *FLAGS use in configure.ac
change configure.ac compiler search order to prefer clang over gcc
update where to get dnet
update usage and bug list
move extra daqs and extra hext logger to main source tree
fix breakloop in file daq
fix plain file processing
fix detection of stream_user and stream_file data
log innermost proto for type of broken packets

2015-09-10: build 169

fix chunked manual install
add event direction bug
fix OpenBSD build
convert check unit tests to catch
code cleanup
fix dev guide builds from top_srcdir

2015-09-04: build 168

fixed build of chunked manual; Thanks to Bill Parker for reporting the issue
const cleanup
new_http_inspect cookie processing updates
fixed cmake build issue with SMP stats enabled
fixed compiler warnings
added unit tests
updated error messages in u2spewfoo
changed error format for consistency with Snort
fixed u2spewfoo build issue
added strdup sanity checks; Thanks to Bill Parker for reporting the issue
DNS bug fix for TCP
added --catch-tags [footag],[bartag] for unit test selection

2015-08-31: build 167

fix xcode warnings

2015-08-21: build 166

fix link error with g++ 4.8.3
support multiple script-path args and single files
piglet bug fixes
add usage examples with live interfaces; Thanks to Aman Mangal mangalaman93@gmail.com for reporting the problem
fixed port_scan packet selection
fixed rpc_decode sequence number handling and buffer setup
perf_monitor fixes for file output

2015-08-14: build 165

flow depth support for new_http_inspect
TCP session refactoring and create libtcp
fix ac_sparse_bands search method
doc and build tweaks for piglets
expanded piglet interfaces and other enhancements
fix unit test return value
add catch.hpp include from https://github.com/philsquared/Catch
run catch unit tests after check unit tests
fix documentation errors in users manual

2015-08-07: build 164

add range and default to command line args
fix unit test build on osx
DAQ packet header conditional compilation for piglet
add make targets for dev_guide.html and snort_online.html
cleanup debug macros
fix parameter range for those depending on loaded plugins; Thanks to Siti Farhana Binti Lokman sitifarhana.lokman@postgrad.manchester.ac.uk for reporting the issue

2015-07-30: build 163

numerous piglet fixes and enhancements
BitOp rewrite
added more private IP address; Thanks to Bill Parker for reporting the issue
fixed endianness in private IP address check
fix build of dynamic plugins

2015-07-22: build 162

enable build dependency tracking
cleanup automake and cmake foo
updated bug list
added Lua stack manager and updated code that manipulated a persistent lua_State; Thanks to Sancho Panza (sancho@posteo.de) for reporting the issue
piglet updates and fixes
dev guide - convert snort includes into links
fixup includes

2015-07-15: build 161

added piglet plugin test harness
added piglet_scripts with codec and inspector examples
added doc/dev_guide.sh
added dev_notes.txt in each src/ subdir
scrubbed headers

2015-07-06: build 160 - Alpha 2

fixed duplicate patterns in file_magic.lua
warn about rules with no fast pattern
warn if file rule has no file_data fp
run fast patterns according to packet type
update / expand shutdown output for detection
binder sets service from inspector if not set
allow abbreviated rule headers
fix cmake build on linux w/o asciidoc
add bugs list to manual
fix memory leaks
fix valgrind issues
fix xcode analyzer issues

2015-07-02: build 159

added file processing to new_http_inspect
ported sip preprocessor
refactoring port group init and start up output
standardize / generalize fp buffers
add log_hext.width
tweak style guide
fix hosts table parsing

2015-06-19: build 158

nhttp splitter updates
nhttp handle white space after chunk length
refactor of fpcreate
refactor sfportobject into ports/*
delete flowbits_size, refactor bitop foo
rename PortList to PortBitSet etc. to avoid confusion
fix ssl assertion
cleanup cache config

2015-06-11: build 157

port ssl from snort
fix stream_tcp so call splitter finish only if scan was called
changed drop rules drop current packet only
unchanged block rules block all packets on flow
added reset rules to function as reject
deleted sdrop and sblock rules; use suppressions instead
refactored active module
updated snort2lua

2015-06-04: build 156

new_http_inspect switch to bitset for event tracking
fixed stream tcp handling of paf abort
fixed stream tcp cleanup on reset
fixed sequence of flush and flow data cleanup for new http inspect

2015-05-31: build 155

update default manuals
fix autotools build of manual wrt plugins
file processing fixup
update usage from blog
add file magic lua
xcode analyzer cleanup

2015-05-28: build 154

new_http_inspect parsing and event handling updates
initial port of file capture from Snort
stream_tcp reassembles payload only
remove obsolete REG_TEST logging
refactor encode_format*()
rewrite alert_csv with default suitable for reg tests and debugging
dump 20 hex bytes per line instead of 16
add raw mode hext DAQ and logger; fix dns inspector typo for tcp checks
document raw hext mode
cleanup flush flags vs dir
add alert_csv.separator, delete alert_test
tweak log config; rename daq/log user to hext
cleanup logging
stream_tcp refactoring and cleanup

2015-05-22: build 153

new_http_inspect parsing updates
use buckets for user seglist
fix u2 to output data only packets
added DAQs for socket, user, and file in extras
changed -K to -L (log type)
added extra DAQ for user and file
added stream_user for payload processing
added stream_file for file processing

2015-05-15: build 152

fixed config error for inspection of rebuilt packets
ported smtp inspector from Snort
static analysis fix for new_http_inspect

2015-05-08: build 151

doc tweaks
new_http_inspect message parsing updates
misc bug fixes

2015-04-30: build 150

fixed xcode static analysis issues
updated default manuals
added packet processing section to manual
additional refactoring and cleanup
fix http_inspect mpse search
fixed urg rule option
change daq.var to daq.vars to support multiple params reported by Sancho Panza
ensure unknown sources are analyzed
pop and imap inspectors ported

2015-04-28: build 149

fixed build issue with extras

2015-04-28: build 148

fixed default validation issue reported by Sancho Panza
refactored snort and snort_config modules
file id refactoring and cleanup
added publish-subscribe handling of data events
added data_log plugin example for pub-sub

2015-04-23: build 147

change PT_DATA to IT_PASSIVE; supports named instances, reload, and consumers

2015-04-16: build 146

added build of snort_manual.text if w3m is installed
added default_snort_manual.text w/o w3m
add Flow pointer to StreamSplitter::finish()

2015-04-10: build 145

nhttp clear() and related changes
abort PAF in current direction only
added StreamSplitter::finish()
allow relative flush point of zero
added Inspector::clear()
new http refactoring and cleanup
new http changes - events from splitter
fix dns assertion; remove unused variables

2015-03-31: build 144

reworked autotools generation of api_options.h
updated default manuals
ported dns inspector

2015-03-26: build 143

ported ssh inspector
apply service from hosts when inspector already bound to flow
ensure direction and service are applied to packet regardless of flow state
enable active for react / reject only if used in configuration
fixed use of bound ip and tcp policy if not set in hosts
eliminate dedicated nhttp chunk buffer
minor nhttp cleanup in StreamSplitter

2015-03-18: build 142

fixed host lookup issue
folded classification.lua and reference.lua into snort_defaults.lua
apply defaults from parameter tables instead of relying on ctors etc
fix static analysis issues reported by xcode
change policy names with a-b form to a_b for consistency
make all warnings optional
fix ip and tcp policy defines
fix ip and icmp flow client/server ip init
added logging examples to usage

2015-03-11: build 141

added build foo for lzma; refactored configure.ac
enhancements for checking compatibility of external plugins
added doc/usage.txt

2015-02-27: build 140

uncrustify, see crusty.cfg
updated documentation on new HTTP inspector, binder, and wizard

2015-02-26: build 139

additional http_inspect cleanup
documented gotcha regarding rule variable definitions in Lua
sync 297 http xff, swf, and pdf updates

2015-02-20: build 138

sync ftp with 297; replace stream event callbacks with FlowData virtuals

2015-02-12: build 137

updated manual from blog posts and emails
normalization refactoring, renaming
fixed icmp4 encoding
methods in codec_events and ip_util namespaces are now protected Codec methods
297 sync of active and codecs

2015-02-05: build 136

fix up encoders
sync stream with 297
fix encoder check for ip6 extensions
sync normalizations with 297

2015-01-29: build 135

fixed freebsd build error
fix default hi profile name
updated default snort manuals

2015-01-26: build 134

sync Mpse to 297, add SearchTool
297 sync for sfghash, sfxhash, tag, u2spewfoo, profiler and target based
addition of mime decoding stats and updates to mime detection limits
snort2lua changed to add bindings for default ports if not explicitly configured
added md5, sha256, and sha512 rule options based on Snort 2.X protected_content

2015-01-20: build 133

fixes for large file support on 32-bit Linux systems (reported by Y M)
changed u2 base file name to unified2.log
updated doc based on tips/tricks blog
fixed active rule actions (react, reject, rewrite)
moved http_inspect profile defaults to snort_defaults.lua
add generalized infractions tracking to new_http_inspect
updated snort2lua to override default tables (x = { t = v }; x.t.a = 1)
additional codec refactoring
added pflog codecs
fixed stream_size rule option

2015-01-05: build 132

added this change log
initial partial sync with Snort 297 including bug fixes and variable renaming
malloc info output with -v at shutdown (if supported)
updated source copyrights for 2015 and reformatted license foo for consistency

2014-12-16: build 131

fix asciidoc formatting and update default manuals
updates to doc to better explain github builds
fix default init for new_http_inspect
fix cmake issues reported by Y M
add missing g++ dependency to doc reported by Bill Parker
add general fp re-search solution for fp buffers further restricted during rule eval; fixes issue reported by @rmkml
add missing sanity checks reported by bill parker
tweak READMEs

2014-12-11: build 130

alpha 1 release

ChangeLog.md 267 KB 永久链接 文件历史 原始文件

ChangeLog.md 267 KB

永久链接文件历史原始文件