- detection_filter: update dev notes to show multithreaded behavior
- doc: fix typos in text;
Thanks to Greg Myers for reporting the issue
- http_inspect: refactor HttpIpsOption
- latency: disabling time out functionality on implicit enable
- mime: stop setting the file_data buffer for raw non-file MIME parts
- netflow: add dev_notes.txt
- sfdaq: fix for underflow of outstanding counter
- stream: Remove preemptive prunes peg count
2022-02-09: 3.1.23.0
- detection: add dir abort check in skip_raw_tcp
- doc: add notes about CLI/Lua precedence
- doc: fix incorrect http builtin rule sid
- event: make apis SO_PUBLIC to access in .so
- filters: allow detection filter to sum events across threads
- http_inspect: HttpStreamSplitter::reassemble verifies gzip file magic and checks for FEXTRA flag
- main: ignore Snort module's option if it duplicates CLI option
- main: parse snort module before others
- main: remove default values for other-module parameters in snort module
- main: stop with error on include(nil) attempt
- packet_io: decrease daq module's parameters priority
- stream: defer flush_queued_segments() if flow->clouseau
- stream_tcp: better place for setting delayed_finish_flag
- stream_tcp: fix a bug in which in some cases we did not call splitter finish() in each direction, by calling
flush_queued_segments() in perform_fin_recv_flush() on FIN with data packets
- stream_tcp: introduce TcpStreamTracker::delayed_finish_flag and call splitter finish from flush_on_data_policy
if delayed_finish_flag is true
- stream_tcp: wrap flow->clouseau in searching_for_service()
2022-01-31: 3.1.22.0
- appid: give priority to custom process to app mappings over ODP mappings
- appid: rename efp (encrypted fingerprint) to eve (encrypted visibility engine)
- detection: change output format of dump-rule-state
- pub_sub: export assistant_gadget_event.h header file
- stream: set the max number of flows pruned while idle to 400
2022-01-25: 3.1.21.0
- appid: do not delay detection of SMB service for the sake of version detection
- control: fix macro definitions
- copyright: Update year to 2022
- http_inspect: correct comment regarding header splitting rules
- http_inspect: forward 0.9 request lines to detection
- http_inspect: http_version_match uses msg section version id
- http_inspect: webroot traversal
- main: move policy selector and flow tracking from snort config to policy map
- main: only add policies to the user policy map at the end of table processing
- policy: add a file_policy to the network policy and use it
- stream: QUIC stream dependent changes
- stream_tcp: ensure that we call splitter finish() only once per flow, per direction
- wizard: remove extra semicolon
2022-01-12: 3.1.20.0
- appid: handle SNI in efp event
- appid: make peg counts consistent with what is reported to external components
- appid: update appid api to include ssh in the list of service inspectors that need inspection
- dnp3, gtp, file_type: fix assert while parsing string param
- doc: update JavaScript normalization docs
- http2_inspect: don't send data frames to the http stream splitter when it's not expecting them
- http2_inspect: hardening
- http_inspect: version update, http_version_match rule option
- stream_tcp: limit reassembly size for AtomSplitter;
Thanks to barosch78 and DAKOIT for their help in the process of finding the root cause
- stream_tcp: Skip seglist gap in post-ack mode if data is acked beyond the gap
- stream_user: change packet type from PDU to USER for hext daq, user codec, and stream_user
- wizard: make max_search_depth applicable for curses
2021-12-15: 3.1.19.0
- appid,ssh: roll AppId's SSH detector into SSH service inspector
- appid: remove hard-coded SSH client patterns which are available as part of ODP
- build: add cppcheck suppressions for unusedFunctions
- build: clean up some cppcheck style issues
- build: move flex options to the template file
- cmake: fix CMP0115 Warning
- daq: sort --daq-list output by module name
- dce_smb: add new smb counters
- file_api: add null check for user file data
- file_api: handle file_data
- framework,appid: generate NO_SERVICE event when no inspector can be attached to a flow; wait for the event in appid
before declaring service as unknown for the flow
- http_inspect,http2_inspect: refuse midstream pickups
- http_inspect: add JavaScript builtin de-aliasing
- http_inspect: rename js normalization options
- http_inspect: use correct detect_length for partial inspection cleanup
- loggers: fix truncated alert_syslog messages
- lua: configure a list of JS ignored IDs in default_http_inspect table
- managers: continue inspectors probe when packet has disable_inspect flag
- mime: add the support for vba macro data extraction of MS office files transferred over mime protocols
- parser: fix missing-prototypes warning in parse_ports.cc
- parser: fix parsing of portsets
- rpc: remove RpcSplitter altogether and use LogSplitter instead
- snort2lua: fix conversion of variable sets
- stream: add PKT_MORE_TO_FLUSH flag and use it in TcpReassembler::scan_data_post_ack() to signal AtomSplitter whether
to flush or not
- stream: fix issue with atom splitter not returning FLUSH
- stream_tcp: remove unnecessary special adjustment methods
- utils: (JSTokenizer) fix braces initialization compilation error (gcc5)
- utils: fix state adjustment in JS Tokenizer
- utils: place init/deinit routine under a single function
- utils: update JS normalizer unit tests
- vlan: implement vlan encode function
2021-12-01: 3.1.18.0
- alert_sf_socket: remove obsolete logger
- appid: exclude stubs from coverage
- build: remove config.h from headers
- build: remove unreachable code
- build: update configure options
- catch: update catch to v2.13.7
- dev_notes.txt: fix miscellaneous typos
- doc: remove mention of Automake
- doc: update builtin_subs.txt with EVENT_JS_SCOPE_NEST_OVERFLOW alert
- doc: update module usage and inspector types in the dev guide
- doc: update user/http_inspect.txt with http_inspect.js_norm_max_scope_depth option description
- doc: update wizard documentation
- file_api: file_data changes
- framework: add support for multiple tenant
- framework: don't call a gadget's eval() or clear() after its stream splitter aborted
- framework: replace Value::get_long() with a platform-independent type
- framework: update base API version to 11
- helpers: fix stream unit test on 32 bit platforms
- http2_inspect: discard with padding
- http_inspect: fix total_bytes peg count
- http_inspect: new rule options num_headers, num_trailers
- http_inspect: store ole data in msg_body
- http_inspect: update comments for asserts in eval and clear
- http_inspect: update dev_notes.txt
- hyperscan: disable bogus unit test leak warnings
- ips_options: create LiteralSearch object for vba decompression at the time of snort initialization
- memory: add max rss to verbose memory output
- memory: add original overload manager
- memory: add support for jemalloc
- memory: expand profile report field widths
- memory: fix accounting issues
- memory: free space per DAQ message, not per allocation
- memory: move mem_stats to MemoryCap
- memory: refactoring
- memory: refactor pruning and update unit tests
- memory: remove explicit allocation tracking
- memory: update dev notes
- perf_monitor: allow constraint seconds = 0
- piglets: refactor support code
- reputation: remove unused sfrt code
- rna: refactor unit test stubs
- search_engines: remove unused test code
- stream_tcp: delete unused unit test cruft
- stream_tcp: only fallback if stream splitter aborted and don't keep processing fragments after MagicSplitter returned
STOP
- stream_tcp: remove unused unit test code
- stream_user: refactor, remove cruft
- unified2: remove cruft
- utils: do output adjustment in case of carryover
- utils: enable batch mode for Flex
- utils: (JSNormalizer) add program scope tracking and alias resolution
- utils: (JSNormalizer) rework the split over multiple chunks behavior
- utils: pass an address into memset instead of object
- utils: reduce flex generation of unused js normalizer code
- utils: reset Normalizer context when new script starts
- vba: fix buffer overflow in ole parser
- wizard: add patterns to match unknown HTTP and SIP methods
- wizard: change default value of max_search_depth from 64 to 8192
- wizard: remove telnet IAC pattern
2021-11-17: 3.1.17.0
- appid: restore the log of reload detectors complete message
- build: remove HAVE_HYPERSCAN conditional from installed header
- detection: add allow_missing_so_rules
- detection: ensure PDUs indicate parent when available
- dnp3: update builtin rule description
- doc: arp_spoof builtins
- doc: back orifice builtin rules
- doc: spell correction
- doc: update builtin alerts description for dnp3
- doc: update builtin alerts description for modbus, HTTP/2
- doc: update builtin alerts description for portscan
- doc: update builtin rule documentation for http_inspect
- doc: update builtin rules documentation for dce_smb, dce_tcp, dce_udp, rpc_decode
- doc: updated builtin rules documentation for ssh
- http2_inspect: hardening
- http2_inspect: http1_header buffer always created immediately after decode_headers
- http2_inspect: push promise error state check
- http2_inspect: truncated trailers without frame data
- ips_option: Enabling trace for vba_data options and fixing memory leak while extracting vba_data
- main: use dynamic buffer on demand in trace print functions
- u2spewfoo: Fixed incorrect usage line
2021-11-03: 3.1.16.0
- appid: during initialization, skip loading of Lua detectors that don't have validate function
- appid: in packet threads, skip loading of detectors that don't have validate function on reload
- appid: provide API to give client_app_detection_type
- codec: geneve - ensure injected packets have geneve port in outer udp header
- detection: refactor mpse serialization
- detection: rename PortGroup to the more apt RuleGroup (and related)
- detection: replace PortGroup::alloc/free with ctor/dtor
- doc: add SIP built-in rule documentation
- doc: update built-in rule doc for SMTP, IMAP and POP inspectors
- doc: update built-in rules documentation for dns module
- doc: update built-in rules documentation for ftp-telnet
- doc: updated builtin rules documentation for gtp module
- flow: fix warning in flow_cache.cc
- flow: use the same pkt_type to link and unlink unidirectional flows
- http2_inspect: refactor decoded_headers_buffer for hpack decoding
- http_inspect: eliminate cumulative js data processing
- http_inspect: handle unordered PDUs for inline/external JavaScript normalization
- http_inspect: improve file decompression
- hyperscan: sort patterns for dump / load stability
- ips: correct fast pattern port group counts
- mpse: add md5 check to deserialization
- reload: add logs to track reload process
- reload: move out reload progress flag to reload tracker
- search_engine: support hyperscan serialization
- search_engine: support port group serialization
- sip: track memory for sip sessions
- ssl: disable inspection on alert only at fatal level
- stream_tcp: fix init_wscale() to take into account the DECODE_TCP_WS flag
- tcp: remove the obsolete GNUC block from TcpOption::next()
- tcp: stop on the EOL option in TcpOptIteratorIter::operator++()
- utils: add get methods to peek in internal buffer
- utils: correct Normalizer's output upon the next scan
- wizard: update globbing and max_pattern
2021-10-21: 3.1.15.0
- appid: detect client based on longest matching user agent pattern
- appid: update the name of the lua API function that adds process name to client app mappings
- build: fix in CodeCoverage.cmake to generate *.gcda *.o files as needed by gcov
- dce_smb: optimize handling pruning of flows in stress environment
- decompress, http_inspect: add support for processing ole files and for vba_data ips option
- doc: add punctuation to builtin stubs, fix formatting
- doc: builtin rule documentation updates
- http2_inspect: partial header with priority flag set
- http_inspect: add automatic semicolon insertion
- http_inspect: document built-in alerts
- http_inspect: do not normalize JavaScript built-in identifiers
- http_inspect: hardening
- http_inspect: implement JIT (just-in-time) for JavaScript normalization
- http_inspect, ips_option: decouple the vba_data ips option from http_inspect and add the trace debug option to vba_data
- policy: update policy clone code to avoid corrupting active configuration
- protocols: prevent infinite loop over tcp options
- rna: call set_smb_fp_processor function in reload tuner
- rna: do not do service discovery for future flows
2021-10-07: 3.1.14.0
- appid: enhance RPC service detector to handle RPC Bind version 3
- appid: fix update_allocations signature in unit test
- appid: log appid daq trace first followed by subscriber modules
- appid: provide api for Lua detectors to map process name to client app
- doc: add descriptions for 119:265-271 builtin alerts
- doc: update builtin stub rule reference strings
- file: add file policy id and other config data as part of packet tracer command under File phase
- file_api: add decompress_buffer_size
- flow: add total flow latency to flowstats
- http2_inspect: compare scanned bytes to total received during reassemble
- http2_inspect: protect against reassemble with more than MAX_OCTETS
- http_inspect: change format of normalized JS identifiers
- ips_options: rename script_data buffer to js_data
- latency: add configuration for implicit enable
- lua: fix Talos tweak snaplen
- rna: support CPE new os RNA event
- snort_config: adding api for enabling latency module
- utils: add custom i/o stream buffers to JS normalizer
- utils: adjust output streambuffer expanding strategy and reserved memory
- utils: fix compilation error of js_identifier_ctx_test for clang
2021-09-22: 3.1.13.0
- appid: prioritize appid's client detection over third-party
- appid: stay in success state after RPC is detected
- builtins: add --dump-builtin-options
- catch: enable benchmarking
- cip, iec104: update stub rule messages for consistent format
- control: explicitly include ctime header in control.h
- detection: add fast patterns only once per service group
- doc: add support for details on builtin rules in the reference
- doc: update reference for 2:1 and 129:13
- doc: update the documentation of "replace" option and "rewrite" action
- doc: update user tutorial with '--enable-benchmark-tests' option
- file_api: new api added for url
- file_api: revert store processing flow in context
- flow: don't do memcap pruning if pruning is in progress
- host_cache: Avoid data race in cache size access
- host_tracker: Removing unused methods
- http_inspect: http_raw_trailer fast pattern
- http_inspect: pass file_api the uri with the filename and extract the filename from the uri path
- http_inspect: remove memrchr for portability
- netflow: use device ip and template id to ensure that the template cache keys are unique
- output: adopt the orphaned tag alert (2:1)
- rna: Avoid data races in vlan and mac address
- rna: Avoid infinite loop in ICMPv6 options
- smb: added a null check when current_flow is not present
- snort2lua: Fixed version output (issue #213);
Thanks to A-Pisani for the fix
- stream: change session_timeout default for tcp, ip, icmp and user
- stream: fix session timeout of expired flows
- trough: Avoid data race in file count
- utils: add benchmark tests for JSNormalizer
- utils: add reference and description for ClamAV test cases
- utils: avoid using pubsetbuf which is STL implementation dependent
- utils: fix typo in js_normalizer_test
2021-09-08: 3.1.12.0
- decoder: icmp6 - use source and destination addresses from packet to compute icmp6 checksum when NAT is in effect
- http_inspect: enable traces for JS Normalizer
- http_inspect: include cookies in http_raw_header
- http_inspect: reduce void space in HttpFlowData
- stream_tcp: add pegs for maximum observed queue size
- stream_tcp: normalize data when queue limits are enabled
- stream_tcp: only update window on right edge acks
- stream_tcp: set sequence number in trimmed packets up to the queue limit and increase defaults
2021-08-26: 3.1.11.0
- build: update help for --enable-tsc-clock to include arm;
Thanks to liangxwa01 for reporting the issue
- codec: geneve: fix incorrect parsing of option header length
- data_bus: support ordered call of handlers
- dns, ssh: remove obsolete stream insert checks
- doc: Add js_norm_max_template_nesting description
- flow: introduce bidirectional flag for expected session
- flow: set the client initiated flag before publishing the flow state setup event
- framework: update base API version to 8
- framework: version rollback
- http_inspect: add builtin rule for consecutive commas in accept-encoding header
- http_inspect: Add JavaScript template literals normalization
- http_inspect: check if Normalizer has consumed input
- http_inspect: hard-code infraction enum numbers
- http_inspect: http_raw_header, http_raw_trailer field support
- http_inspect: refactor NormalizedHeader
- http_inspect: support more infractions and events
- http_inspect: two new built-in rules
- inspection: process wizard matches on defragged packets
- ips: add action_map table to map rule types, eg block -> alert
- ips: add action_override which applies to all rules
- lua: update comments in the default config
- modbus: check record length for write file record command
- normalize: remove tcp.trim config
- payload_injector: check if stream is established on flow rather than the packet flag to handle retries
- policy: put inspection policy accessors in public space
- policy: reorganize for sanity
- README: mention vars in default config
- sip: deprecate max_requestName_len in favor of max_request_name_len
- smb: Invoke SMB debug in destructor when packet thread available
- stream_tcp: update API called by payload_injector to check for unflushed queued TCP segments
- style: remove crufty comments
- style: remove C style (void) arglists
- style: remove or update crufty preprocessor comments
- utils: address compiler warning
- utils: support streamed processing of JS text
- wizard: support more HTTP and SIP methods
2021-08-11: 3.1.10.0
- appid: update netbios-ss (SMB) detector to extract SMB domain from SMBv2, and more intelligently handle payload
appid detection
- appid: use packet thread odp context while creating SIP session
- build: install DAQ modules and Snort plugins in separate folders
- dce_smb: restore file tracker size post deletion
- dns: add DNS splitter
- doc: update user manual for identifier normalization
- file_api: add infra and file debugs to existing debugging framework
- ftp: remove unused defines and crufty comments
- http_inspect: add JavaScript identifiers normalization
- http_inspect: change the default value of request_body_app_detection config parameter to true
- smtp: remove unused defines
- ssh: handle traffic with invalid version string
- ssh: handle version string packets that also contain key exchange data
- stream_tcp: skip unordered segments if last flushed position already moved past
- telnet: correct help for ayt_attack_thresh
- wizard: add wizard max_pattern option and update HTTP/SIP aware methods patterns
2021-07-28: 3.1.9.0
- actions: allow session data to stay accessible for loggers for reject rule action
- byte_options: address compiler warnings
- control: add idle expire removal to control channels
- dump_stats: direct output back to command channel
- events: use instance_id to make event_id unique across threads
- file_api: handle file_cache inspection for non-zero offset
- http2_inspect: change xor to or in assert that was failing due to uninitialized variable
- http2_inspect: fix HPACK dynamic table size update management
- http2_inspect: remove unused variables
- http_inspect: add peg count for script bytes processed
- http_inspect: add rule option http_raw_header_complete
- http_inspect: don't allocate 0-length partial inspection buffer
- ips_options: add catch tests for byte_test, byte_jump, byte_math, byte_extract
- ips_options: address compiler warnings
- ips_options: refactor byte_extract, byte_test, byte_math, byte_jump and related tests
- lua: update HTTP/2 default_wizard hex with S2C pattern match
- stats: update file and appid stats to use Log functions provided from stats.cc
2021-07-15: 3.1.8.0
- appid: support SSH client detection through lua detector
- dce_rpc: fix crash when expected session comes after snort reload
- dce_rpc: handling raw packets
- dce_smb: added trace messages and multiple level logging for SMB module
- dce_smb: fixed macro definition for SMB_DEBUG
- doc: fix build warnings;
Thanks to jiangrj (github.com/jiangrij) for reporting the issue
- dump_config: support modules without config options in text format
- file_api: handling overlap segments
- http2_inspect: clean data cutter internal state after exhausting flow depth
- http_inspect: add built-in alert for script tags in a short form
- packet_io: check if unreachable_candidate before sending unreachable
- packet_io: unreachable packets shouldn't be sent for ICMP
- snort2lua: set raw_data buffer for rawbytes and B flag in PCRE
- wizard: make SSH spell more specific
2021-06-30: 3.1.7.0
- appid: enhance netbios service detector to identify SMB versions as web app
- appid: update documentation
- appid: update the DNS detector to support the all record request
- control: resolve socket issues due to race conditions
- doc: updates for http2_inspect
- framework: update base API version to 3
- main: implement test_features run flag to enable debug-like output
- mime: track memory for mime sessions
- payload_injector: don't inject if there are unflushed S2C TCP packets queued
- reputation: include list id for daq trace log
- sfip: fix unit tests for non-regtest builds
- snort2lua: fix lua conversion of unsupported http preproc options without parameters
- snort2lua: remove footprint size config
- stream: fix is_ack_valid to return true even when current ack is to the left of snd_una, per RFC793
2021-06-16: 3.1.6.0
- appid: extract auxiliary ip when uri is provided by third-party
- appid: perform detection on request body for HTTP2 traffic
- appid: remove error message when userappid.conf is not present
- appid: remove unused metadata offset functionality
- appid: support fragmented metadata
- appid: use 32 bits for storing protocol field in RPC port map message
- codecs: geneve - add support for Geneve encapsulation
- codecs: geneve - add vni to alert_csv and alert_json
- codecs: support inner flow NAT
- control: allow compile with shell disabled
- control: clean up cppcheck issues
- control: expose ControlConn API
- control: refactor control channel management to better handle control responses
- control: remove SHELL compile flag from header
- control: remove unused IdleProcessing functionality
- dce_rpc: SMB multichannel - add smb multichannel file support
- dce_rpc: SMB multichannel - handle negotiate command to create expected flow
- dce_rpc: SMB multichannel - introduce locks
- dce_rpc: SMB multichannel - make session cache global
- dce_rpc: SMB multichannel - own memory tracking in global cache
- dce_rpc: fix warnings
- dce_rpc: handle reload prune for smb session cache
- dce_rpc: store shared pointer of session tracker
- doc: update JS normalizer options
- file_api: increase file count only once per file
- file_api: store processing flow in context
- filters: change rate filter to use network policy id instead of ips policy id
- filters: support rate filter to work with PDUs
- flow: enable support for multiple expected sessions
- ftp: create additional expected session if negotiated IP is different from server IP on packet
- gtp: check protocol type according to gtp version
- host_cache: remove unused lua mock code from the tests
- http2_inspect: don't perform valid sequence check on rst_stream frame
- http2_inspect: improve request line generation and checks
- http2_inspect: rule options and doc clean up
- http2_inspect: track dynamic table memory allocation
- http_inspect: add JS Normalizer to dev_notes
- http_inspect: add JS normalization for external scripts
- http_inspect: additional memory tracking
- http_inspect: extend built-in alerts for Javascript processing
- http_inspect: improve MPSE in HttpJsNorm (script start conditions)
- http_inspect: limit section size target for file processing
- http_inspect: publish event for http/2 request bodies
- http_inspect: support partial detect for Javascripts
- http_inspect: track memory footprint of zlib inflation
- http_inspect: update test mock api
- iec104: delete trailing spaces
- ips_options: fix intrusion alerts generation for tcp rpc PORTMAP traffic when rpc_decode is bound to the flow
- main: add support for resuming particular thread
- main: fix config dump for list-based inspector aliases
- mime: store extra data in stash
- packet_io: enable expected session flags
- protocols: remove inline specifiers for functions defined within a structure declaration
- pub_sub: add get_uri_host() to HttpEvent
- pub_sub: update HttpEvent::get_host to get_authority - now always includes port if there is one
- reputation: daq trace log
- reputation: support auxiliary IP matching upon reload
- rna: filter DHCP events and some refactoring
- rna: update last seen time on deleted host rediscovery
- stream: enable support for multiple expected sessions
- stream_tcp: populate flow contents in context for non-wire packets
- time: make Periodic class SO_PUBLIC
- trace: place trace options under the DEBUG_MSGS macro
- utils: fix warning about empty statement
- utils: refactor JSTokenizer
- utils: rework JSNormalizer class
2021-05-20: 3.1.5.0
- appid: Publish an event when appid debug command is issued
- appid: do memory accounting of api stash object, dns/tls/third-party sessions
- appid: mark payload detection as done after either http request or response is inspected
- appid: set monitor flags on future flows
- dce_rpc: fix expected session protocol id
- dce_rpc: update memory tracking for smb session data
- dce_rpc: use find_else_insert in smb session cache to avoid deadlock
- file_api: fix spell source error
- flow: Adding stash API to save auxiliary IP
- flow: Enhancing APIs to stash auxiliary IP
- flow: memory tracking updates
- hash: add new insert method in lru_cache_shared
- http2_inspect: add assert in clear
- http2_inspect: concurrent streams limit is configurable
- http2_inspect: fix non-standard c++
- http2_inspect: handle trailer after reaching flow depth
- http2_inspect: implement window_update frame
- http2_inspect: optimize processing after reaching flow depth
- http2_inspect: track stream memory incrementally instead of all up front
- http2_inspect: update discard print
- http2_inspect: update state and delete streams after reaching flow depth
- http_inspect: IP reputation support
- http_inspect: don't disable detection for flow if it's an HTTP/2 flow
- ips_options: fix relative base64_decode
- memory: free_space cleanup
- netflow: additional check before v5/v9 decode
- netflow: version 9 decoding and filtering
- packet_tracer: IPS daq trace log
- packet_tracer: file daq trace log
- parser: Remove rule merge in dump mode
- parser: reduce RTNs only after states applied
- reputation: track monitor ID via flow; minor code cleanup
- shell: exit gracefully when sandbox lua is misconfigured
- stream_tcp: Deleting session when both talker and listener are closed
- stream_tcp: Using window base for reset validation
2021-04-21: 3.1.4.0
- appid: (fix style) Local variable 'version' shadows outer variable
- appid: Delete third-party connections with context only if third-party reload is not in progress
- appid: clean up lua stack on C->lua function exit
- appid: clean-up parameters in service_bootp
- appid: detect payload based on dns host
- appid: in continue state for ftp traffic, do not change service to unknown on validation failure
- appid: monitor only the networks specified in rna configuration
- appid: refactor to set http scan flags in one place
- appid: remove detectors which are available in odp
- appid: remove duplicate rtmp code
- binder: update flow data inspector on a service change
- build: add better support for flex lexer;
Thanks to Özkan KIRIK and Moin for reporting the issue
- codecs: use held packet SYN in Tcp header creation
- copyright: Update year to 2021
- dce_rpc: Added a cleanup condition for DCERPC in close request
- dce_rpc: DCERPC Support over SMBv2
- dce_rpc: Fixed prototype mismatch. Smb2Tid doesn't need to be inline
- doc: add documentation for script_data ips option
- doc: revert documentation related to script_data ips option
- framework: Adding IT_FIRST inspector type to analyze the first packet of a flow
- hash: prepond object creation in LRU cache find_else_create
- host_tracker: fix bug in set_visibility
- http2_inspect: fix possible read-after-free in hpack decoder
- http2_inspect: free streams in completed/error state
- http_inspect: fix end of script match after reload
- http_inspect: remove detained inspection config
- ips: allow null detection trees with negated lists
- ips_options: add sticky buffer script_data ips option within normalized javascripts payload
- main: Adding reload id to track config/module/policy reloads
- main: Log holding verdict only if packet was actually held
- main: Update memcap for detained packets
- netflow: add device list configuration
- netflow: add filter matching for v5 decoder
- netflow: get correct zone info from packet
- packet_io: If packet has no daq_instance, use thread-local daq_instance
- packet_tracer: Appid daq trace log
- packet_tracer: fix trace condition for setting IP_PROTO
- payload_injector: send go away frame
- pcre: revert change that disabled jit
- reputation: Registering inspector to the IT_FIRST type
- rna: add the smb fingerprint processor to the get_or_create / set processor api
- ssl: refactoring SSLData out so it can be reused
- stream: Add held packet to retry queue when requested
- stream: Add partial_flush. Flush one side of flow immediately
- stream: IP frag packets won't have a flow so do not try to hold them
- stream: fetch held packet SYN
- stream: fix race condition in HPQReloadTuner
- stream: store held packet SYN
- utils: enable Flex C++ mode via its option
2021-03-27: 3.1.3.0
- actions: Dynamically construct the default eval order for all the loaded IPS actions
- actions: Make all IPS actions pluggable
- appid: Make netbios domain available through appid API
- appid: SMB fingerprinting support
- cmake: Add flex build dependency
- dce_rpc: Refactor SMB code
- detection: Update detection.alert, to be used instead of reputation.total_alerts
- detection: Update dump_rule_meta function to only print rules from default IPS policy
- detection: Update the rtn's listHead to reflect the new action set in the rule state
- doc: Update http_inspect feature documentation
- flow: Add packet tracer output to DAQ expected flow requests
- host_tracker: Fully populate local hostclient before logging
- http2_inspect: Alert on uppercase header name encoded in HPACK
- http_inspect: Add JavaScript whitespace normalization
- http_inspect: Add normalization_depth config option
- http_inspect: Alert on HTTP/2 upgrade attempts
- http_inspect: Integrate JSNormalizer (whitespace normalization) keeping the old one
- packet_io: Update for the removal of the RETRY DAQ verdict
- packet_tracer: Do not log non-IP packets when enabled from shell and a constraint is set
- parser: Support duped RTN if its header has been changed
- rate_filter: Get the available IPS actions dynamically to configure the new_action
- rna: Make discovery filter use client and server interfaces if they are not unknown
- rna: SMB fingerprinting support
- snort2lua: Delete conversion of disable_replace option
- snort2lua: Fix lua conversion of http preproc options
- snort: Add -h to output the help overview (same as --help)
- snort_config: Remove is_active_enabled and set_active_enabled functions
- style: Change C++ comment NULL to null
- style: Remove unnecessary cruft
- style: Remove unused cruft
- utils: Add JSNormalizer
2021-03-11: 3.1.2.0
- action_manager: Remove unused cached reject action
- appid: Always get appid inspector from default inspection policy
- appid: Fixes for cppcheck warnings
- appid: Get uri from http event even when http host is not present
- appid: Load lua detectors for packet threads from compiled lua bytecode during detector reload
- appid: Remove app forecast method
- appid: Remove detectors for obsolete apps - AOL instant messenger and Yahoo messenger
- appid: Send reloading detectors message to socket immediately
- appid: Update IMAP service detector pattern
- appid: Use opportunistic tls event to set decryption countdown for SMTP detector
- binder: Apply host attribute table information at the beginning of flow setup
- binder: Clean up std namespace usage
- binder: Use service inspector caching to improve get_gadget() performance
- binder: Use the first match for non-terminal binding usage
- build: Do one more pass of modernizing the C++ code
- dce_rpc: Handle async responses in smbv2
- dce_rpc: Pass proper file id in file api from smb1
- decompress: Add support for streaming ZIPs
- detection: Use IP and port variables from the targeted policy
- doc: Remove http detained inspection from user manual
- doc: Update documentation for ips.states
- file_magic: Add pattern for pcapng
- flow: Add new flag to indicate elephant flow
- ftp_telnet: Implement init_partial_flush for ftp data
- ftp_telnet: Respect telnet_cmds config for raising 125:1
- host_attributes: Update api to reduce use of shared_pointer
- http2_inspect: Limit number of concurrent streams
- http2_inspect: Process rst_stream frame
- http_inspect: IPv6 authority in URI
- http_inspect: Javascript support cleanup
- http_inspect: Partial inspection for 0 length chunk
- http_inspect: Remove detained inspection
- http_inspect: Remove unused events
- http_inspect: Temporarily restore detained_inspection parameter
- iec104: Add documentation for iec104 service inspector
- iec104: Additional input sanitization, syntax, and style changes
- iec104: Integrate new iec104 protocol service inspector
- inspector_manager: Instantiate default binder as long as a wizard or stream are present
- ips_options: Update cursor position for relative pcre
- ipv4: Correct the calculation for illegal fragment offset checks
- log: Add printf format attribute to TextLog_Print() and clean up the fallout
- log: Base logging the Ethernet header on proto bits rather than DLT
- loggers: Fix excessive byte reordering when printing MPLS labels in CSV and JSON
- main: Fix accumulating and printing codec stats at run time
- managers: Enforce strict parsing for binder aliases
- managers: Pass the configuration to default module's end()
- managers: Perform sanity checks on set_alias() parameters
- memory: Free memory space while updating allocation
- module: Introduced new api to clear global active module counters
- module_manager: Enforce interest in global modules only in the default policy
- mpls: Add next layer autodetection and implement codec logging
- mpls: Refactor mpls.enable_mpls_overlapping_ip into packet.mpls_agnostic
- mpls: Remove enable_mpls_multicast option
- packet_capture: Add group filter for packet capture
- packet_tracer: Add daq buffer to hold daq logs
- perf_monitor: Fix finalizing JSON output files for trackers
- portscan: Fix decoy and distributed scan logic
- portscan: Fix delimiter for ports in config
- portscan: Fix IP scans not alerting
- protocols: Add initial support for multilayer compound codecs
- protocols: Add peg count for decodes that exceeded the max layers
- protocols: Consistently encapsulate exported protocol headers in the snort namespace
- reputation: Add peg count for total alerts
- reputation: Remove deprecated redundant terms
- rna: Discover NetBIOS name
- snort: Clear snort counter for modules, daq, file_id, appid
- snort: Update for DAQ_FlowStats_t structure and field name changes
- snort_config: Clean up and annotate command line config merge process
- snort_config: Remove unnecessary command line options
- stream: Always use latest splitter from tracker after paf_check
- stream: Do not update service from appid to host attributes if nothing is changed
- stream: Set block pending flag when a flow is dropped
- stream_tcp: Ensure flows aren't pruned while processing a PDU
- stream_tcp: Flush queued segments when FIN is received
- stream_tcp: Support data on SYN by default with or without Fast Open option
- trans_bridge: Lift the log() implementation from the root Ethernet codec
- wizard: Add support for sslv2 detection
2021-01-28: 3.1.1.0
- appid: Add support for snmpv3 report pdu
- appid: Always store container session api object in stash
- appid: Do not process sip event for an existing session after detector reload
- appid: Remove unused code; cleanup FIXIT comments related to reload
- appid: Send reload detectors and third-party messages to socket immediately if appid is not
enabled
- codecs: Update tcp naptha check to make sure it is ipv4 traffic
- file_api: Remove file context after file name set if processing is complete
- file_api: Stop processing signature when type verdict is 'FILE_VERDICT_STOP'
- flow: Update direction and interface info in HA flow
- ftp: Use Stream packet holding to handle ftp-data EoF
- http_inspect: Add chunked processing to dev notes
- http_inspect: Provide file_id to set file name and read new return value
- http_inspect: Validate and normalize scheme
- http_inspect: Validate URI scheme length
- inspector: Add a global reference count for uses that are not thread specific
- lrucache: Changes for memcap for support constant cache objects with variable size
- managers: Clean all inactive inspectors warning about ones that are still referenced
- mime: Provide file_id to set file name and read new return value
- payload_injector: Inject settings frame
- rna: Minimize synchronization overhead
2021-01-13: 3.1.0.0
- appid: Store stats in map
- appid: Tear down third-party when appid gets disabled
- build: Add support for version sublevel and build via CMake
- dce_rpc: Handle Flow from File inspection
- host_cache: Add command to output host_cache usage, pegs, and memcap
- http2_inspect: Add total_bytes peg to track HTTP/2 data bytes inspected
- http_inspect: Abort on HTTP/2 connection preface
- http_inspect: Add total_bytes peg to track HTTP data bytes inspected
- http_inspect: Alert on truncated chunked and content-length message bodies
- http_inspect: Support stretch for Http2
- log: Reuse TextLog buffer for a large data;
Thanks to Chris White for reporting the issue
- packet_io: IDS mode should not give blacklist verdict for Intrusion event
- rna: Fix version, vendor and user string comparison at maximum length
- rna: Perform appropriate filter check based on the event type
- rna: Revert rna performance optimizations
- rpc_decode: Implement adjust_to_fit for RPC splitter
- stream_tcp: Delete redundant calls to check if the tcp packet contains a data payload
- stream_tcp: Fix issues causing overrun of the pdu reassembly buffer, make splitters
authoritative of size of the reassembled pdu
- stream_tcp: On midstream pickup, when first packet is a data segment, set flag on talker tracker
to reinit seglist base seg on first received data packet
- stream_tcp: Remove obsolete flush_data_ready() function
2020-12-20: 3.0.3 build 6
- active: Fix falling back on using raw IP for active responses when no device is specified
- appid: Add support for apps, http host, url and tls host in HA
- appid: Allow checking appid availability for a given http/2 stream
- appid: Change terms used in code, logs and peg counts
- appid: Do not override http fields with empty values
- appid: Dump userappid configurations upon reloading third-party
- appid: For http2 flow, return service id as http2 when no streams are yet created
- appid: Mark reload third-party complete after unloading old library and creating new third-party
context
- appid: Print more descriptive error message when lua detector registers invalid pattern
- binder: Pass service to get_bindings on flow service change
- binder: Specify service inspector type when getting a gadget instance
- build: Clean up various cppcheck warnings
- catch: Avoid using INTERNAL_CATCH_UNIQUE_NAME in our headers
- catch: Update to Catch v2.13.3
- dce_rpc: Fixed incorrect access of FileFlows while pruning the flow
- file_api: Fixed stats which weren't cleared when there were no stats for signature processing
- file_api: Handle resume block when multiple file rules are configured with store option enabled
- flow: Pause logging during timeout processing
- helpers: Handle SIGILL and SIGFPE with the oops handler
- high_availability: Add check for packet key equals HA key before consume
- host_attributes: Better error handling for reload to eliminate double free and memory leaks
- http2_inspect: Check for invalid flags
- http2_inspect: Fix bug with exceeding inspection depth
- http2_inspect: Fix empty queue access and some bookkeeping
- http2_inspect: Handle connection close during headers frames
- http2_inspect: Handle discard
- http2_inspect: HI error handling improvements
- http2_inspect: Improve error handling
- http2_inspect: Remove 0 length scan for most cases
- http_inspect: Explicit memory allocation for transactions and partial inspections
- http_inspect: Script detection for HTTP/2
- inspector_manager: Remove unused inspector_exists_in_any_policy() function
- inspector: Remove obsolete metapacket processing functionality
- main: Convert Request to shared_ptr to avoid memory problems
- main: Fix memory leak in reload_config() caused by incorrect code merge
- managers: Add inspector type in the help module output
- managers: Don't allow a referenced inspector to stall emptying the trash
- managers: Track removed inspectors during reload and call tear_down and tterm to release
resources
- packet_io: Export forwarding_packet() function
- packet_tracer: Fix the debug session information for non-ip packets
- parser: Add escaping for double quotes and special chars in a rule body
- parser: Fix escape logic for --dump-rule-meta output
- reload: Reset default policies after failed reload
- request: Expose methods to be used in plugins
- rna: Do null check in the Inspector rather than the Module in the control commands
- rna: Generate new host event for CDP traffic
- rna: Make the mac cache persist over reload config
- rna: Reduce host cache lock usage to improve performance
- rna: Remove unused function
- rna: Replace some tabs with spaces as per style guidelines
- rna: Support data purge command
- rna: Support DHCP fingerprint matching and event generation
- rna: Use service ip and port provided by appid for DHCP discovery events
- shell: Change terms used in code, logs and peg counts
- shell: Support for loading configuration in lua sandbox
- snort: Add OopsHandlerSuspend for suspending Snort's crash handler
- stream: Fix stream clean up when going from enabled to disabled
- stream_ha: Only flush on HA deactivate if not in STANDBY, set HA state to STANDBY when new Flow
is created
- stream_tcp: Initialize the alerts array to empty when a TcpReassembler instance is initialized
or reset
- stream_tcp: Set interfaces in both directions
2020-11-16: 3.0.3 build 5
- appid: Add unit test to verify HA data for flow unmonitored by appid
- appid: Handle cppcheck warnings
- appid: Prefix http/2 decrypted urls with https://
- appid: Support client login failure event
- flow: Do not remove the flow during pruning/reload during IPS event with block action
- flow: Flesh out swap_roles() to swap more client/server fields
- flow: Set client initiated flag based on DAQ reverse flow flag, track on syn config, and syn-ack
packet
- ftp: Handle FTP detection when ftp data segment size changes
- host_tracker: Ignore IP family when comparing SfIp keys in the host cache
- http2_inspect: Data frame redesign
- http2_inspect: Multi-segment reassemble discard bug fix
- http2_inspect: Perform hpack decoding on push_promise frames
- http2_inspect: Refactor data cutter
- http2_inspect: Refactor scan()
- http2_inspect: Remove const cast
- http2_inspect: Send push_promise frames through http_inspect
- ips_options: Don't move cursor in byte_math
- main: Set up logging flags globally to avoid dependencies on a particular SnortConfig object
- payload_injector: Refactoring
- payload_injector: Remove content length and connection for HTTP/2
- rna: Add command to delete MAC hosts and protos
- rna: Delete payloads when clients, services are deleted; add unit tests
- rna: Discover banner on service version or response events
- rna: Don't process packet in eval if eth bit not set
- rna: Log src mac from packet containing CDP message when host type change event is generated
- rna: Support banner discovery
- rna: Support change service event with null version and vendor
- rna: Support user login failure discovery
- smtp: Make sure the ssl search abandoned flag is preserved for reset
- stream_tcp: Remove redundant/unneeded asserts that check if tcp event is for a meta-ack
pseudo-packet
- thread_config: Show thread ID when logging binding information
- trace: Add missing packet information to some of the messages
2020-10-27: 3.0.3 build 4
- actions: Add support to react for HTTP/2
- appid: Fix -Wunused-private-field Clang warning in service_state.h
- build: Various build fixes for OS X
- file_api: Remove deletion of file_mempool
- framework: Fix ConnectorConfig dtor to be virtual
- ips: Move IPS variables to sub-tables which designate type
- lua: Update default_variables with 'nets', 'paths', and 'ports' tables in snort_defaults.lua
- module: Fix modules that accept their configuration as a list
- payload_injector: Support pages > 16k
- rna: Add unit tests for TCP fingerprint methods
- snort: Remove support for -S option
- src: Clean up zero-initialization of arrays
- tools: Update snort2lua to convert custom variables into ips.variables.nets/.paths/.ports tables
- trace: Add timestamps in trace log messages for stdout logger
2020-10-22: 3.0.3 build 3
- actions: Update react documentation
- actions: Use payload_injector for react
- appid: Add service group and asid in AppIdServiceStateKey
- appid: Continue appid inspection after third-party identifies an application
- appid: Do not reset third-party session after third-party reload
- build: Updates for libdaq changes that introduce significant groups in flow stats
- codecs: Remove PIM and Mobility from bad protocol lists
- dce_rpc: Add ingress/egress group and asid in SmbFlowKey and Smb2SidHashKey
- doc: Tweak the template regex in get_differences.rb
- dump_config: Don't print names for list elements
- file_api: Add ingress/egress group and asid in FileHashKey
- file_magic: Update POSIX tar archive pattern
- flow: Add source/dest group id in flow key
- flow: Stale and deleted flows due to EOF should generate would have dropped event
- ftp_data: Add can_start_tls() support and generate ssl search abandoned event for unencrypted
data channels
- host_cache: Add delete host, network protocol, transport protocol, client, service, tcp
fingerprint and user agent fingerprint commands
- host_tracker: Implement client and server delete commands
- http2_inspect: Handle stream creation for push promise frames
- ips_options: Fix retry calculation in IPS content when handling "within" field
- lua: Use default IPS variables in the default config
- main: Add lua variables for snort version and build
- managers: Delete obsolete variable parsing code
- managers: Skip snort_set lua function for non-table top level keys in finalize.lua
- meta: Do not dump elided header fields or default message
- meta: Dump full rule field
- meta: Dump missing port field
- packet: Add two new apis to parse ingress/egress group from packet's daq pkt_hdr
- packet_tracer: Add groups in logging based on significant groups flag
- port_scan: Add group and asid in PS_HASH_KEY
- rna: Change ip to client instead of server for login events
- rna: Change logic for payload discovery, eventing
- rna: Conditionalize reload tuner registration on get_inspector()
- rna: Log user-agent device information
- rna: Move registration of reload tuner to configure()
- snort2lua: Update comments for deleted rule_state options
- ssh: Fix code indentation and CI breakage
- ssh: SSH splitter implementation
- stream: Initialize flow key's flags.ubits with 0
- stream_tcp: Don't attempt to drop 'meta_ack packets', there is no wire packet for these acks
- style: Clean up accumulated tabs and trailing whitespace
- trace: Refactor the test code
- trace: Skip trace reload if no initial config present
- utils: Add a generic function to get random seeds
2020-10-07: 3.0.3 build 2
- appid: Create events for client user name, id and login success
- appid: Inform third-party about snort's idle state during reload
- appid: Reload detector patterns on reload_config for the sake of hyperscan
- appid: Update appid to use instance based reload tuner
- binder: Allow binding based on address spaces
- binder: Allow directional binding based on interfaces
- binder: Enforce directionality, add intfs, rename groups, cleanup
- framework: Update packet constraints comparison to check only set fields
- host_tracker: Update host tracker to use instance based reload tuner
- http2_inspect: Fix frame padding handling
- http2_inspect: Free up HI flow data when we are finished with it
- http2_inspect: Stream state tracking
- http_inspect: Implement can_start_tls(), add support of ssl search abandoned event
- http_inspect: Support for custom xff type headers
- main: Change reload memcap framework to use object instances
- main: Remove deprecated rule_state module
- main: Update host attribute class to use instance based reload tuner
- normalizer: Move TTL configuration toggle to inspector configure()
- perf_monitor: Update perf monitor to use instance based reload tuner
- policy: Copy uuid, user_policy_id, and policy_mode when an inspection policy is cloned
- pop: Generate alert for unknown command if file policy is attached
- port_scan: Update port scan to use instance based reload tuner
- rna: Add event_time to rna logger events
- rna: Add payload discovery logic
- rna: Check user-agent processor early to skip some work
- rna: Port host type discovery logic
- rna: Set the thread local fingerprint processors during reload_config
- rna: Update rna to use instance based reload tuner
- rna: Update methods for user-agent processor
- rna: User discovery for successful login
- snort2lua: Convert rule_state into ips.states
- stream_tcp: Update trace messages to use trace framework
- stream: Update stream to use instance based reload tuner
- trace: Update parser unit tests
- wizard: Clean up parameter parsing and make it a bit stricter
2020-09-23: 3.0.3 build 1
- ac_bnfa: Disable broken fail state reduction
- appid: Check third party context version while deleting connections
- appid: Use third party payload if available for HTTP tunneled
- cmake: Support cmake build type configuration
- dce_rpc: Handle compound requests for upload
- dce_rpc: Modify logs to show if file context is found or not found
- dump_config: Sort config options before printing
- file_api: Update lookup and block timeout from config at file cache creation
- flowbits: Evaluate checkers after setters for fast pattern matches
- ftp: Add APPE to upload commands
- http2_inspect: Convert to new stream states
- http2_inspect: Fix how implement_reassemble uses frame_type
- http2_inspect: Refactor HI interactions out of frame constructors
- http_inspect: Extract filename from content-disposition header for HTTP uploads
- module_manager: Keep a list of modules supporting reload_module
- netflow: Cache support and more v5 decoding
- payload_injector: Don't inject if stream id is even
- profiler: Fix issue where flushed pattern matches caused rule_eval to be profiled under mpse
- reputation: Change terms used in code, logs, and peg counts
- rna: Add unit test to validate VLAN handling
- rna: Avoid conflicts with other fingerprint definitions
- rna: Service discovery with multiple vendor and version support
- rna: Support user agent fingerprints
- s7commplus: V3 header support
- search_engine: Fix peg type for max_queued
- stream_tcp: Add an assert to catch tcp state/event combination that should not occur
- stream_tcp: Add PegCount for tcp packets received with an invalid ack
- stream_tcp: Arrange TCP tracker member vars to optimize storage requirements, add helper
functions to access private splitter functions
- stream_tcp: Delete redundant calls to flush data when FIN is received
- stream_tcp: Delete unused packet action flags, set action flags via its setter
- stream_tcp: Fix issues with stream_tcp handling of the TCP MSS option
- stream_tcp: Handle bad tcp packets consistently when normalizing in ips mode
- stream_tcp: Implement helper function to return true if the TCP packet is a data segment, false
otherwise
- stream_tcp: Merge the setup methods of the TcpStreamSession and TcpSession classes into a single
method in TcpSession
- stream_tcp: Refactor tcp handling of no flags to drop packet before any processing, don't
generate event
- stream_tcp: Refactor tracker and reassembler classes to improve encapsulation and move member
variables to appropriate class
- stream_tcp: Remove FIXIT-H because by definition an Ack Sent event in TcpStateNone means the
SYN-ACK was not seen, so no way to do the check suggested
- stream_tcp: Remove FIXIT-H to add ack validation, the ack is already validated when processed on
the listener side
- target_based: Support reload of host attribute table via signal as well as control channel
command
2020-09-13: 3.0.2 build 6
- active: Remove per packet prevent trust action
- appid: Add check for nullptr before setting tls host
- appid: Clear services set in host attribute table upon detector reload
- appid: Detect SMTP after decryption
- appid: Dump user appid configuration on reload detectors
- appid: Generate events for service info changes
- appid: Pass snort protocol id instead of appid while creating future flow
- appid: Reorder third-party reload to keep only one handle open at a time
- appid: Send swap response for reload_odp and reload_third_party commands in control thread
- appid: Set payload to unknown for out-of-order flows
- appid: Skip detection for existing sessions after detector reload; rename reload_odp command to
reload_detectors
- appid: Support json logging in appid_listener
- appid: Update appid stats for decrypted flows
- appid: Update appid warning messages to print module name in lowercase
- build: Fix minor cppcheck warnings
- build: Updates for libdaq changes to interface group field width and naming
- byte_jump: Fix jump relative to extracted length w/o relative offset
- cmake: Restore accidentally removed caching of static DAQ modules
- dce_rpc: Introduce smb2 logs
- doc: Update the config dump in JSON format (all policies)
- doc: Update the config dump in JSON format (main policy)
- doc: Update trace.txt with info about 'trace.modules.all' option
- dump_config: Add --dump-config="top" to dump the main policy config only
- dump_config: Dump config in JSON format to stdout
- file_api: Increase default max_files_per_flow limit to 128
- flow: Add a deferred trust class to allow plugins to defer trusting sessions
- flow: Disabled inspection for FlowState::RESET
- flow: Reset the flow before removing
- helpers: Add unit tests for special characters escaping
- helpers: Fix build on systems without sigaction
- helpers: Rework DiscoveryFilter to monitor IP lists based on interface rather than group
- helpers: Use sig_t instead of sighandler_t for better BSD compatibility
- host_tracker: Fix allocator unit test to work on 32-bit systems again
- http2_inspect: Convert circular_array to std:vector
- http2_inspect: Fix continuation frame check
- http2_inspect: Fix hpack dynamic table init
- http2_inspect: Prepare http2_inspect and http_inspect for HTTP/2 trailers
- http2_inspect: Refactor hpack decoding and send trailer to http_inspect for processing
- http_inspect: Declare get_type_expected const
- http_inspect: Don't use the URL to cache file verdicts for uploads
- http_inspect: Script detection
- http_inspect: Script detection and concurrency fixes
- http_inspect: Support hyperscan literal search for accelerated blocking
- http_method: Make available for fast pattern with first body section
- imap: Publish OPPORTUNISTIC_TLS_EVENT on successful completion of START_TLS, add a new state to
avoid publishing start_tls events multiple times
- ips_options: Ensure all options use base class hash and compare methods
- ips: Use the policies in the flow when creating pseudo packet
- main: Turn off signal handlers later to catch more during snort shutdown
- managers: Immediately stop executing inspectors when inspection is disabled
- mime: Fix off-by-1 error with filename and email id capture
- mime: Minor code cleanup
- netflow: Introduce netflow as a service inspector
- packet_io: Added reason for ActiveStatus WOULD
- packet_io: Do not allow trust unless the action is allow or trust
- payload_injector: Assume http1, if packet does not have a gadget
- payload_injector: Fix warning
- payload_injector: Support http2 injection
- payload_injector: Support translation of header field value with length > 127
- perf_monitor: Convert the perf_monitor inspector configure warnings to errors
- pop: Publish start_tls events, support for ssl search abandoned
- reputation: Change from group-based to interface-based IP lists
- rna: Add protocols on logging host trackers
- rna: Implement update_timeout for MAC hosts
- rna: Remove dependency on uuid library
- rna: Remove redefinition of USHRT_MAX
- rna: Removing unused command and exporting swapper
- rna: Support client discovery from appid event changes
- rna: Support service discovery from appid event changes
- rna: Tcp fingerprints configuration, storage, matching and event generation
- snort2lua: Remove obsolete and unused code
- snort2lua: Remove unused unit test files
- snort: Address fatal shutdown stability issues
- stream_ip: Fix zero fragment built-in rule triggering for some reassembly policies
- style: Replace some tabs that snuck in with proper spaces
- tests: Fix the majority of memory leaks in CppUTest unit tests
- trace: Add support for modules.all option
- trace: Update loggers to support extended output with n-tuple packet info
- utils: Add sys/time.h to util.h for struct timeval definition
- wizard: Fix the error message about invalid pattern
2020-08-12: 3.0.2 build 5
- cip: Fix the trailing parameter for the module
- dce_rpc: Set dce_rpc as a control channel inspector
- flow: Check expected flows in flow control and add direction swap flag to expected flows
- framework: Add an API to check if the module can be bound in the binder
- ftp: Add opportunistic TLS support
- ftp: Fix direction for active FTP data transfers
- helpers: Extend printed JSON syntax
- http2_inspect: Fix for flush on data frame boundary w/o end of stream
- http_inspect: Do finish() after partial inspection
- lua: Add TCP port 80 binding to the connectivity and balanced tweaks
- main: Add printing modules help in JSON format
- managers: Print the instance type of the inspector module with --help-module
- rna: Add RNA MAC-based discovery logic
- rna: Discover network and transport protocols
- stream_tcp: Add check to prevent reentry to TCP session cleanup when flushing a PDU
2020-08-06: 3.0.2 build 4
- appid: Clear service appid entries in dynamic host cache on ODP reload
- appid: Generate event notification when dns host is set
- dce_rpc: Fix for smb crash while tcp session pruning
- dce_rpc: Fix for smb session cleanup issue
- dce_rpc: Use file name hash as file id
- doc: Add documentation for dumping consolidated config in text format
- flow: Fixing free_flow_data logic
- http_inspect: Code clean up
- http_inspect: Test tool enhancement
- main: Dump consolidated config in the text format
- rna: Fix redefined macro warnings in between unit-test tools
- rna: TCP fingerprint input and retrieval
- utils: Keep deprecated attribute table pegcounts
2020-07-28: 3.0.2 build 3
- active: Move Active enabled flag into SnortConfig
- appid: For http traffic, if payload cannot be detected, set it to unknown
- appid: Move appid data needed by external components to stash
- appid: Support ODP reload for multiple packet threads and new session
- dce_rpc: Improve PAF autodetection for heavily segmented TCP traffic
- doc: Split Snort manual into separate user, reference, and upgrade docs
- doc: Update default text manuals
- doc: Update extending.txt about TraceLogger plugin
- file_api: Log event generated when lookup timed out
- ftp_telnet: Remove global config variable shared between multiple threads to prevent data race
- http2_inspect: Fix interaction with tool tcpclose
- http2_inspect: Fix stream_in_hi
- http2_inspect: General code cleanup
- http_inspect: Do partial inspections incrementally
- http_inspect: Reduce memory used by partial inspections
- main: Rename the config options to ignore flowbits and rules warnings
- parser: Add support for variables with each ips policy
- payload_injector: Add HTTP page translation
- payload_injector: Extend utility to support HTTP/2 (no injection)
- pub_sub: Added a method in HttpEvent to retrieve true client-ip address from HTTP header based
on priority
- rna: Fingerprint reader class and lookup table for tcp fingerprints
- snort_defaults: Remove the NOTIFY, SUBSCRIBE, and UPDATE HTTP methods
- stream_tcp: Only perform paws validation on real packets, skip this on meta-ack packets
- stream_tcp: When clearing a session during meta-ack processing pass a nullptr as the Packet*
parameter
- target_based: Add mutex lock to ensure host service accesses are thread safe
- target_based: Move host attribute peg counts from the process pegs to stats specific to host
attribute operations
- target_based: Refactor host attribute to use the LruCacheShared data store class to support
thread safe access
- target_based: Streamline host attribute table activate and swap logic on startup and reload
- trace: Add support for extending TraceLogger as a passive inspector plugin
- wizard: Abandon the wizard on UDP flows after the first packet
- wizard: Abort the splitter once we've hit the max PDU size
- wizard: Add peg counts for abandoned searches per protocol
- wizard: Improve wizard tracing to indicate direction and abandonment
- wizard: Properly terminate hex matching
- wizard: Report spell and hex configuration errors and warnings
2020-07-15: 3.0.2 build 2
- appid: Moving thread local ODP stuff to a new class
- binder: delete obsolete network_policy parsing code
- build: Fix static analyzer complaints about unused stored values
- daq: Fix calculation of outstanding packets stat to properly use the delta
- dce_rpc: adding support for multiple smbv2 sessions for same tcp connection
- dce_rpc: Invalid endpoint mapper message
- dce_rpc: SMB ID invalid memory access
- http_inspect: send MIME full message body for file processing
- main: add config options --ignore-warn-rules and --ignore-warn-flowbits to snort module
- mime: mime no longer overwrites file_data buffer for http packets
- smtp: generate SSL_SEARCH_ABANDONED event when no STARTTLS is detected
- smtp: support opportunistic SSL/TLS switch over
- stream_tcp: coding style improvements
- stream_tcp: eliminate direct references to the Packet* wherever possible within the TCP state
machine context
- stream_tcp: eliminate use of STREAM_INSERT_OK as return code, it conveyed no useful information
and was ultimately unused
- stream_tcp: implement meta-ack pseudo packet as thread local that is reused on each meta-ack TSD
- stream_tcp: implement support for processing meta-ack information when present
- stream_tcp: meta-ack from daq is in network order not host, remove conversion from host to
network
- stream_tcp: process meta-ack info in any flush policy mode
- trace: add support for DAQ trace filtering
2020-07-06: 3.0.2 build 1
- appid: Appid coverity issues
- appid: Create lua states and lua detectors in control thread
- appid: Delete stale third-party connections when reloading third-party on midstream
- appid: Fix the format of the IPv6 strings in the Service State unit tests
- appid: include appid session api in appid event
- appid: use configured search method for multi-pattern matching
- build: Eradicate u_int usage
- build: Fix unit tests to build and work properly on a 32-bit system
- build: Fix various cppcheck warnings about constness
- build: Increment version to 3.0.2
- build: Miscellaneous 32-bit build fixes
- build: Use sanity check results (HAVE_*) for optional packages in CMake
- cmake: Properly handle SIGNALSNORT* options in configure_cmake.sh
- codecs: add tunnel bypass logic based on DAQ payload_offset
- dce_tcp: parse only endpoint mapper messages
- detection: remove checksum drop fixit
- detection: remove unused code
- framework: fix global data bus cloning during reload module and policy
- helpers: Add a signal-safe formatted printing utility class
- helpers: Add support for dumping a backtrace via libunwind on fatal signals
- helpers: Dump additional information to stderr when a fatal signal is received
- helpers: Revamp signal handler installation and removal
- http2_inspect: Make print_flow_issues() regtest-only
- inspectors: add a virtual disable method for controls
- ips: add http fast pattern buffers
- ips: add ips service vs buffer checks; add missing services
- ips: enable non-service rules when service is detected
- ips: minimize port group construction for any-any and bidirectional rules
- ips: refactor fast pattern selection
- ips: update detection trees for earliest header checks
- main: configure and set main thread affinity
- main: set thread type for main thread
- managers: format lua whitelist output and ignore internal whitelist keywords
- max_detect: detained inspection disabled pending further work
- mpse: remove unused pattern trimming support
- oops_handler: Operate on DAQ message instead of Snort Packets
- payload_injector: add payload injection utility
- regex: convert to same syntax as pcre plus fast_pattern option
- rna: Adding initial support for reload_fingerprint command
- rna: remove custom_fingerprint_dir from configuration
- snort_defaults.lua: remove unused AIM_SERVERS var
- snort: fix --dump-rule-meta with ips.states
- stream_ip: Avoid modifying the original fragmented packet during rebuild
- stream_ip: use lowercase fragmentation policy names for verbose output
- stream: lock xtradata stream_impl to avoid data race on logging
- trace: add thread type and thread instance id to each log message for stdout logger
- tweaks: enable file signature for sec and max until depth issue resolved
- tweaks: updates for efficacy and performance
- wizard: Add FTP pattern to recognize FileZilla FTP Server
2020-06-18: 3.0.1 build 5
- actions: on a reload_config() free the memory allocated for react page on previous configuration
loading
- actions: refactor to store react page response in std::string
- active: add a facility to prevent a DAQ whitelist verdict
- appid: add api to check if appid needs inspection
- appid: add braces to fix static analysis complaint
- appid: add response message to reload_third_party
- appid: check fqn before registering rrt
- appid: for http2, if metadata doesn't give a match on payload, set payload id to unknown
- appid: free memory allocated when appid is configured initially and then not configured on a
subsequent reload
- appid: lua APIs to get IP and port tunneled through a proxy
- appid: match http2 response to request
- appid: remove unnecessary stuff from appid apis
- appid: revert snort protocol id changes and fixed warnings
- appid: set appid_tlshost_bit when we set tls_cname
- appid: set snort protocol id on the flow and remove ssl squelch code
- appid: update cert viz API to handle subject alt name and SNI mismatch
- codecs: fix issues found by static analysis
- dce_rpc: support for DCE/RPC future session
- detection: do not apply global rule state to the empty policy
- doc: update user manual for trace feature
- file_api: making sure that file malware inspection is turned off and only file-type detection is
enabled when file_id config is defined without any parameter
- flow: make client_initiated flag depend on the DAQ reverse flow flag
- hash: replace the cache entry if found
- host_cache: add new peg to module test
- host_cache: allowing module to accept 64 bit memcap value
- http2_inspect: fix hpack infractions
- http2_inspect: partial inspect with less than 8 bytes of frame header in the same packet
- http2_inspect: track memory usage for http_inspect flows in http2_inspect
- log: fix issues found by static analysis
- managers: add inspector execution and timing traces to InspectorManager
- packet: add client and server direction methods that use the client initiator flow flag
- parser: free memory allocated for RTN when SO rule load fails
- parser: print loaded and shared rules for each ips policy
- perf_monitor: fix count and interval during disable cli execution
- port_scan: cleanup port scan memory allocations in module tterm
- rpc_decode: remove unused config object
- search_engines: fix potential memory leaks and an error in a printed value
- service_inspectors: remove some redundant initializations and lookups, move some field
initializations into the constructor
- shell: if initial load of snort configuration fails release memory allocated for modules and
plugins
- snort2lua: deprecate react::msg option, display of rule message in react page not currently
supported
- snort2lua: fix issues found by static analysis
- snort_config: only perform FatalError cleanup from main thread
- stream: add final check to free allocated memory when module tterm is called
- stream: fixed ip family in the flow->key during StreamHAClient::consume
- stream_tcp: fix issues for tcp simultaneous close
- stream_tcp: unconditionally release held packets that have timed out, regardless of flushing
- trace: add control channel command
- trace: add support for passing in the packet pointer to loggers
- trace: filter traces by packet constraints
- trace: fix for trace messages in the test-mode ('-T' option)
- trace: remove redundant include
2020-05-20: 3.0.1 build 4
- appid: Do not allocate DNS session for non-DNS flows and update memory tracker for HTTP sessions
- appid: Get inspector for the current snort config during reload
- binder: print configured bindings in show() method
- build: fix cppcheck warnings and typos
- coverity: fixed issues discovered by Coverity tool
- daq: Configure DAQ instances with total instances and instance IDs
- dce_rpc: code style cleanups
- dce_rpc: generate alert when dce splitter aborts due to invalid fragment length
- flow: If a retry packet does not belong to a flow, block it
- ftp_telnet: fix FTP race condition
- http2_inspect: change partial flush handling
- log: do not truncate config option names in ConfigLogger
- loggers: when logging alert only use inspector buffers and name when the inspector's paf
splitter is assigned for the direction of the alert
- main: Fixing some issues reported by Coverity
- managers: print alphabetically sorted verbose inspector config output within an inspection
policy
- mpse: constify snort config args
- network_inspectors: Fixing a few minor issues reported by Coverity
- parser: print enabled rules for each ips policy
- search_tool: refactor initialization
- snort_config: constify Inspector::show and remove unnecessary logger args
- snort_config: make const for packet threads
- snort_config: minimize thread local access to snort_config
- snort_config: pseudo packet initialization
- snort_config: refactor access methods
- snort_config: use provided conf
- stream: add a configurable timeout for held packets
- stream: move held packet timeout to Stream and support changing it on reload
- stream_tcp: call splitter->finish() before reassemble() when flushing when PAF aborts due to gap
in queued data
- stream_tcp: change the DAQ verdict from drop to blacklist for held packets that timed out
- stream_tcp: clear gadget from Flow object once fallback has happened in both directions
- stream_tcp: only clear gadget after both splitters have aborted
- stream_tcp: when paf aborts due to gap in data set splitter state to ABORT
- trace: move module trace configuration into the trace module
2020-05-06: 3.0.1 build 3
- appid: Do not process retry packets but continue processing future packets in AppId
- appid: Extract metadata for tunneled HTTP session
- appid: Make unit tests multithread safe
- appid: On API call store new values and publish an event for them immediately
- appid: remove old http2 support
- appid: store appids for http traffic in http session
- appid: support for multi-stream http2 session
- appid: Update miscellaneous appid on first decrypted packet
- build: add support for ccache
- file_api: fix file stats
- file_api: mark processing of file complete after type detection if signature not enabled
- http2_inspect: add peg count to track max concurrent http2 file transfers
- http2_inspect: fix handling leftover data with padding
- http2_inspect: protect against unexpected eval calls
- http2_inspect: support stream multiplexing
- http2_inspect: update padding check only for header and data frames
- http_inspect: add support for http2 file processing
- json: add stream formatter helper
- managers: sort the inspector list in inspection policy using the instance name
- memory: expose memory_cap.h to plugins
- parameter: reject reals assigned to ints
- rna: Update dev notes to describe usage
- snort: add classtype, priority, and references to --dump-rule-meta output
- snort: convert --dump-rule-{meta,state,deps} to json format
- so rules: allow #fragments in references in so rule stubs
- stream: Fix for stream pegs dumping zero values into perf_monitor_base.csv
2020-04-23: 3.0.1 build 2
- appid: Change sessionAPI to accommodate stream_index
- appid: detect payload for first http2 stream
- appid: Fix thread-safety issues in appid
- appid: mark third-party inspection as done for expected flows
- appid: Populate url for QUIC sessions by extracting QUIC SNI metadata from third-party
- appid: remove thirdparty processing for http2 traffic
- appid: remove unused code
- appid: remove unused config options and rename "debug" option
- appid: set up packet counters to make sure flows with one-way data don't pend forever
- appid: Support org unit in SSL lookup API and do not overwrite the API provided data
- codecs: Clean up CiscoMetaData implementation
- codecs: GRE checksum updated for injected and rewritten packets
- codecs: Update GRE flags and offset for injected packets
- control: Disable request unit-test in cmake if shell is disabled
- control: Fixing data races in request read and response
- file: apply cached verdict on already seen file
- file_magic: Update category for HWP and MSOLE2
- flowbits: eliminate extraneous FlowBitState
- flowbits: fix reload mapping
- flowbits: refactor implementation
- flowbits: relocate bitop.h to helpers
- flowbits: remove extraneous count
- flowbits: remove unused group support
- flow: track allocations for each flow, update cap_weights
- framework: Remove unused InspectorData template
- ftp_data: fix ids flushing at EOF
- ftp: whitelisting reason support
- host_tracker: Move all HostCacheAlloc template implementations to the header
- http2_inspect: discard split connection preface
- http2_inspect: flush pending data when a non-data frame is received
- http2_inspect: handle the case of leftover header only (no body)
- http2_inspect: support 0 length data frames
- http_inspect: add fragment to http_uri
- http_inspect: cut over to wizard on successful CONNECT response
- http_inspect: enhance processing of connect messages
- http_inspect: fix duplicated detained_inspection print in show()
- http_inspect: make script tag check case insensitive
- http_inspect: register extra-data callbacks in constructor
- hyperscan: simplify scratch memory initialization
- inspectors: designate service inspectors control channels for avc only
- inspectors: designate service inspectors for file carving
- inspectors: designate service inspectors for start tls
- inspectors: update verbose config output in show() method to a new format
- ips_context: add support to fallback to avc only
- ips: fix rule state mapping and policy lookup
- ips: remove plugins cruft from option tree node (rule body)
- latency: check if ip header is present before deferring it
- latency: use test_timeout config option to deterministically trigger latency events for ifdef
REG_TEST
- loggers: Add SGT field to CSV and JSON loggers
- main: Make test_log() static in snort_debug.cc
- managers: print inspectors' config output for every inspection policy configured
- metadata-filter: apply to so rule stubs
- output: allow error messages in quiet mode
- packet_io: log daq batch size
- packet_io: log daq pool size
- perf_monitor: Enable or disable flow-ip-profiling using shell commands
- plugin_manager: make erase from plug_map safer
- plugin_manager: make sure --show-plugins option picks up SO plugins
- reload: update ReloadError response messages to use consistent wording across all messages
- session: remove unused IPS option
- sip: Support pinhole for sip early media
- snort2lua: make qos configuration values deleted from firewall
- snort: add --dump-rule-deps
- snort: add --dump-rule-state
- snort: add flowbits set and checked to --dump-rule-meta
- snort: add rule text to --dump-rule-meta
- snort: enable --dump-rule-meta to work without a conf
- snort: initial implementation of --dump-rule-meta
- snort: remove inappropriate fatal errors
- snort: remove unused --pcap-reload option
- so rules: allow stub gid:sid:rev to override so
- so rules: allow stub header to override so header
- stream_tcp: remove unused session printing cruft
- target_based: refactor host attribute table logic into a c++ class, eliminate dead code
- target_based: refactor to improve design of the host attribute classes
- target_based: refactor to load host attribute table from file
- time: make packet_gettimeofday public
- trace: refactor stdout/syslog logging of trace into logger framework
2020-03-31: 3.0.1 build 1
- analyzer: Send detained packet event when a packet is held
- appid: use http2 inspector for detection even if third-party module is present
- build: Increment version to 3.0.1
- dce_rpc: Fixed missing space in string
- doc: add FIXIT-E description
- http2_inspect: handle Cl and TE headers, and end_stream flags set on headers frames
- http2_inspect: multiple data frames support
- http_inspect: added FIXIT for thread safety
- http_inspect: eliminate empty body sections for missing message bodies
- latency: remove action config option and convert the log handler to trace_log message
- mime: fix data race in mime config
- modules: Support verbosity level for module trace options, modify trace logging macros
- service_inspectors: standardize verbose config startup output for SMTP, POP and IMAP inspectors
- snort2lua: remove conversion of deprecated options pkt-log and rule-log
- so_rule: fix reload of shared object rules that use flow data
- src: update high priority "to be fixed" comments (FIXIT-H)
- stream_tcp: Out-of-order ACK processing fix
2020-03-25: build 270
- active: Base hold_packet() decision on DAQ message pool usage
- active: Fix direction of RST packet being sent to server
- active: Move packet hold realization for Stream detainment to verdict handling
- active: Send entire buffer at once when send_data uses ioctl
- appid: Adding UT for client_app_aim_test
- appid: Fix SMB session data memory leak
- appid: Include DNS over TLS port for classification
- appid: Restart service detection on start of decryption
- appid: Support appid detection for outer protocol service
- appid: Support detection for first stream in http/2 session
- binder: Ignore the network_policy binding
- build: Bump the C++ compiler supported feature set requirement to C++14
- build: Don't try to use libuuid headers/libraries when not found;
Thanks to James Lay jlay@slave-tothe-box.net for reporting the issue
- build: Refactor included headers
- codecs: Add new proto bit for udp tunneled traffic
- codecs: Add vxlan codec
- dce_rpc: Inspect midstream sessions for file inspection
- file_api: Reading the new data for the overlapped file_data
- filters: Update threshold tracking functions
- flow: Allow the ExpectCache to force prune, so that we can always make room when the cache is
full
- flow: Change the ExpectCache prune logic to only remove a specified number of oldest entries,
regardless of node expiration time
- flow: Do away altogether with the loop in ExpectCache::prune, just remove one, only when the
cache is full
- http2_inspect: Refactor data cutter - preparation for multi packet processing
- http2_inspect: Support single data frame sent to http, multiple flushes
- http2_inspect: Update dev notes with memory calculations
- http_inspect: Create http2 message body type
- http_inspect: Gzip detained inspection
- http_inspect: Refactor print_section for message bodies
- loggers: Update usage to GLOBAL for all loggers
- lua: Enable a rewrite plugin in a default config
- main: Check if flow state is blocked while applying verdicts
- main: Setting higher maximum pruning when idle
- snort2lua: Convert a replace option to a rewrite plugin/action
- snort2lua: Don't print out network_policy binding
- stream: Short-circuit stream when handling retry packets in no-ack mode
- stream_tcp: Cancel hold requests on the current packet when flushing
- stream_tcp: Finalize held packets in TcpSession::clear_session()
- stream_tcp: Moved retry check to TcpSession::process
2020-03-12: build 269
- active: Add ability to inject resets and payload via IOCTLs
- appid: Add support for third-party reload on midstream session
- appid: detect apps using x-working-with http field in response header
- appid: Enhance ssl appid lookup api to store SNI and CN provided by SSL for app detection
- appid: fix thread-safety issues in mdns detector
- appid: handle CERTIFICATE STATUS handshake type in SSL detector
- appid: move client/service pattern detectors and service discovery manager to odp context
- appid: Support third-party reload when snort is running with multiple packet threads
- base64_decode: use standard detection context data buffer
- build: fix build on big-endian systems
- build: Fix LibUUID detection on OS X
- build: Fix various build issues on FreeBSD and OS X
- build: refactor trace logs
- build: tweak includes
- build: use const and auto references where possible
- byte_math: Snort2 bug fix port of integer over and under flow detection
- classifications: update implementation with unordered map
- classifications: use consistent variable names
- cmake: Fix building without lzma library
- detection: added support for trace config option to take a list of strings with verbosity level
instead of bitmask
- detection: refactoring updates to detection, moved DetectionModule into a separate file
- flow: added initiator bytes/packets onto flow
- flow: Add missing time.h include for struct timeval
- flow: free the flow data before deleting the actual flow
- flow: turn off deferred whitelist on DONE if no whitelist was seen
- flow_cache: fix memory deallocation bug due to inverted return value from hash release node
- framework: add generic conversion of trace strings to bitmasks
- ftp: Whitelist ftp session after max sig depth reached
- ghash: fix thread race condition with GHash member variables when a GHash instance is global
- hash: add unit tests for new HashLruCache class
- hash: delete unused sfmemcap.[h|cc] and remove unnecessary includes
- http2_inspect: abort for nhi errors
- http2_inspect: send data frames to http - full frames only in a single flush
- http_inspect: change http_uri to only include path and query for absolute and absolute path uris
- http_inspect: improve precautions for stream interactions
- http_inspect: Properly mock HttpModule::peg_counts in http_transaction_test
- main: do FileService::post_init after inspectors are configured
- parser: remove legacy parsing code
- plugin_manager: add support for reload so_rule plugins
- pub_sub: add http2 info to http pub messages
- reference: update implementation with unordered map
- reload: add description of reload error to the response message of the reload_config command
- reputation: remove reputation monitor flag from packet, track verdict on flow
- rules: add constructors for references and classifications
- rules: fix warnings and startup counts for duplicates
- rules: remove cruft
- rules: simplify implementation of services, classifications, and references by using std::string
- rules: update --gen-msg-map to include all configured rules with references
- service_inspectors: added counters to track total number of data bytes processed in SMTP, POP,
SSH and FTP
- service: update implementation to vector
- sfdaq: convert parsing related error messages in DAQ init to ParseErrors
- sfdaq: Made get_stats public for plugins
- smb: Fix malware over size 131kb not being detected in SMBv2/SMBv3
- snort_config: footprint REG_TEST, no check for stream inspector add/rm, etc
- stats: update shutdown timing stats
- stream: Addressing inconsistent stream stats and some data races
- stream_ip: added counters to track total number of data bytes processed
- stream_tcp: no_ack applies only to ips mode
- stream_udp: added counters to track total number of data bytes processed
- style: remove tabs and too long lines
- utils: add unit tests for MemCapAllocator class
- utils: create memory allocation class based on sfmemcap functionality
- utils: handle out-of-range time
- xhash: refactor XHash and HashFnc to eliminate c-style callbacks and simplify ctor options
- xhash: rename hashfcn.[cc|h] to hash_keys.[cc|h]
- xhash/zhash: refactor duplicated code into a common base class, xhash/zhash will subclass this
new base class
- zhash: make zhash a subclass of xhash, eliminate duplicate code
- zhash: refactor to use hash_lru_cache and hash_key_operations classes
2020-02-21: build 268
- appid: Adding support for appid detection on decrypted SSL sessions
- appid: Adding support for wildcard ports in static host port cache
- appid: clean up ENABLE_APPID_THIRD_PARTY from configure_cmake
- appid: cleanup terminology
- appid: delete odp context on exit
- appid: detect payload for http tunnel traffic
- appid: do not reload third party on reload_config
- appid: Don't mark HTTP session done if the ssl detector is still in progress
- appid: Fix array initialization on Appid
- appid: get rid of ENABLE_APPID_THIRD_PARTY flag
- appid: handle invalid uri in http tunnel traffic
- appid: load app mapping data to odp context
- appid: move dns, sip, ssl and http pattern matchers to odp context; move client discovery
manager to odp context
- appid: move odp config, host-port cache and length cache to a separate class OdpContext; remove
obsolete port detector code
- appid: reset tp packet counters each time we do reinspect
- appid: support third party reload when snort is running with single packet thread
- bufferlen: match on total length unless remaining is specified
- build: Clean up accumulated tabs and trailing whitespace in the code
- build: clean up non-hyperscan builds
- build: Fix more Clang 9 compiler warnings
- build: Remove some extraneous semicolons (compiler warnings)
- build: Rename parameters that shadow class members (compiler warnings)
- build: Updates across the board for stricter Clang const-casting warnings
- catch: Update to Catch v2.11.1
- cip: explicitly include sys/time.h header
- codecs: Use unions for checksum pseudoheaders
- content: add hyperscan content literal matching alternative to boyer-moore
- content: delete flawed hyper search test
- content: use hs_compile if hs_compile_lit is not available
- copyright: update year to 2020
- dce_tcp: fixup flow data handling
- detection: add config option to enable conversion of pcre expressions to use the regex engine
- detection: add hyperscan_literals option
- detection: add pcre_override to enable/disable pcre/O
- detection: signature evaluation looping based on literal contents only (exclude regex)
- doc: manual updates for HTTP/2
- doc: update documentation for lua whitelist
- doc: update reload_limitations.txt
- file_api: enable Active when there are reset rules in the file policy
- framework: introduce ScratchAllocator class to help with scratch memory management
- gtp_inspect: fix default port binding
- hash: refactor ghash implementation to convert it to an actual C++ class
- hash: refactor key compare function prototype and functions to return boolean
- hash: refactor to move common definitions into hash_defs.h
- hash: refactor xhash to be a real C++ class
- host_tracker: Check lock in a separate thread in unit-test
- host_tracker: make current_size atomic to save some locks
- host_tracker: Support host_cache reload with RRT when memcap changes
- http2_inspect: add transfer encoding chunked at end of decoded http1 header block
- http2_inspect: data frame http inspection walking skeleton first phase
- http2_inspect: fast pattern support
- http2_inspect: fix string decode error
- http2_inspect: frame data no longer in file_data
- http2_inspect: integration with NHI
- http2_inspect: support disabling detection for uninteresting HTTP/2 frames
- http2_inspect: support HPACK dynamic table size updates
- http_inspect: add http_param rule option
- http_inspect: gzip splitting beyond request_depth should use correct target size
- http_inspect: no duplicate built-in events for a flow
- http_inspect: patch H2I-related xtra data crash
- http_inspect: process multiple files simultaneously over HTTP/1.1
- http_inspect: refactoring
- http_inspect: update test tool to support the HTTP/2 macros and new insert command
- http_inspect: when detection is disabled, disable all rules not just content rules
- http_inspect/http2_inspect: H2I unified2 extra data logging
- hyperscan: convert thread locals to scan context
- inspectors: ensure correct lookup by type, name, or service
- inspectors: print label for type and alias in inspector manager. Remove printing module name in
inspectors ::show() method
- ips: alert service rules check ports
- ips_pcre: compile/evaluate pcre rule option regular expressions with the hyperscan regex engine
when possible
- ips_pcre: support the O & R modifiers when converting pcre to regex
- ips: refactor rule parsing
- ips: remove dead code from rule parser
- ips: use service "file" instead of "user"
- loggers: update vlan logging in csv and json loggers
- lua: Added missing file magic pattern for FLIC
- lua: Added missing file magic pattern for IntelHEX
- lua: fix typo in default smtp's alt_max_command_line_len
- lua: update default lua files to whitelist the defined tables
- main: add verbose inspector output during reload
- main: make IPS actions (reject, react, replace) configurable per-IPS policy
- main: move config_lua to Shell::configure
- memory: Treating config value memory.cap as per thread instead of global
- metadata: add --metadata-filter to load matching rules only
- mime: support simultaneous file processing of MIME-encoded files over HTTP/1.1
- module_manager: add snort_whitelist_append and snort_whitelist_add_prefix FFIs
- normalizer: disable all normalizations by default except for tcp.ips
- packet_io: provide default reset action (bidirectional reset for TCP, ICMP unreachable for the
rest)
- packet_io: refactor Active and IPS Actions to start disentangling them
- parser: add service http2 to http rules
- parser: store local copy of service name
- pcre: ensure use of maximal ovector size and simplify logic
- port_scan: Supporting reload config when memcap changes
- protocols: provide direct access to the CiscoMetaData layer
- regex: convert thread locals to scan context
- reload: eliminate FatalError calls that can't happen because snort_calloc always returns valid
memory
- rna: use standard uint8_t type instead of u_int8_t
- search_engine: trivial reformatting
- smtp: update defaults to better align with Snort 2
- snort2lua: conversion of path containing variables
- snort: add new warn flag warn-conf-strict that will throw out warning when table is not found
- snort: Adding some verbose logs for appid, file_id, and reputation inspectors
- stream_tcp: ensure that flows with mss and timestamps are picked up on syn
- tweaks: set reasonable stream_ip.min_fragment_length values
- tweaks: update per new normalizer defaults
- tweaks: update policy configs to better align with Snort 2
2019-12-20: build 267
- appid: Adding command for third-party reload
- appid: cleanup unused code
- binder: assistant gadget support
- build: Const-ify reference arguments as suggested by cppcheck
- catch: Add infrastructure for standalone Catch unit tests
- catch: Update to Catch v2.11.0
- codec: Added GRE::encode method
- control: Convert IdleProcessing unit tests to standalone Catch
- dce_rpc: Convert HTTP proxy and server splitter unit tests to standalone Catch
- file_api: When multiple files are processed simultaneously per flow, store the files on the
flow, not in the cache. Don't cache files until the signature has been computed
- file_magic: add file magic for .jar, .rar, .alz, .egg, .hwp and .swf files
- framework: Convert parameter and range unit tests to standalone Catch
- gtp: alerts should be raised for missing TEID in gtp msg
- helpers: Convert Base64Encoder unit tests to standalone Catch
- http2_inspect: add Stream class
- http2_inspect: parse settings frames
- http_inspect: support limited response depth
- ips: do not use includer for any rules file includes
- ips: fix --show-file-codes for inclusion from -c file
- lru_cache_shared: added find_else_insert to add user managed objects to the cache
- lua: Convert LuaStack unit tests to standalone Catch
- lua: Link lua_stack_test against libdl to handle the static luajit case
- packet_capture: ignore PDUs and defragged packets, include non-IP packets
- perf_monitor: Convert CSV, FBS, and JSON formatter unit tests to standalone Catch
- perf_monitor: tuning for flow_ip_memcap on reload
- profiler: Convert MemoryContext and ProfilerStatsTable unit tests to standalone Catch
- reload: fix issue where resource tuning was not being called when in idle context
- rule_state: allow empty tables
- search_engine: fix expected count of MPSEs when offloading
- sfip: Convert SfIp unit tests to standalone Catch
- sfip: Use REG_TEST-style IP stringification for standalone Catch tests
- stream_tcp: fix TcpState post increment operator to stop increment at max value (and use
correct max value)
- stream_tcp: refactor stream_tcp initialization to create reassemblers during plugin init
- stream_tcp: refactor to initialize tcp normalizers during plugin init
- stream/tcp: Remove some unused Catch includes
- time: Convert periodic and stopwatch unit tests to standalone Catch
- utils: Convert bitop unit tests to standalone Catch
2019-12-04: build 266
- appid: Add new pattern to pop3, don't concatenate ssl certs, use openssl-1.1 compliant APIs
- appid: Enabling host cache for unknown SSL flows
- appid: Fix for better classification on pinholed data session and control session for
rshell/rexec
- appid: Format detected apps stats in columns akin to file stats
- appid: Handle memcap during reload_config using RRT
- appid: Minor cleanup
- cmake: Cache static DAQ module info in FindDAQ
- file_api: Fixed eventing when FILE_SIG_DEPTH failed when store files enabled
- flow: Add ability to defer whitelist verdict
- flow: Clean up unit test compiler warnings
- flow: Disabling the inspection if the Flow state is BLOCK
- http2_inspect: Generate status lines for responses and be more lenient on RFC violations
- http2_inspect: Implement hpack dynamic index lookups
- http_inspect: Implement show method for verbose config output
- http_inspect: Update user manual for detained inspection
- hyperscan: Select max scratch from among all compiler threads
- ips: Add support for parallel fast-pattern MPSE FSM compilation
- ips: Only use multiple threads for rule group compilation at startup
- ips: Support 2 rule vars same as Snort 2
- mpse: Only hyperscan currently supports parallel compilation
- port_scan: Only update scanner for ICMP if we have one
- profiler: Fix module profile for multithreaded runs
- search_engine: Ensure configured search_method is applied to search tools
- search_engine: Process intermediate fast-pattern matches in batches of 32 same as Snort 2
- search_engine: Raise an error if any MPSE compilation fails
- sfip: Replace copy setter with implicit copy constructor
- stats: Removal of mallinfo as it only supports 32-bit
- stream_tcp: Move and update the libtcp source files to the tcp source directory to consolidate
the stream tcp code into one component (libtcp goes away)
- stream_tcp: Updates from PR review comments
2019-11-22: build 265
- analyzer_command: support resource tuning on reload
- appid: Adding Lua-C API to handle midstream traffic
- cip: ips rule support for Common Industrial Protocol (CIP)
- ftp: handling multiple ftp server config validation
- detection: disable rule evaluation when detection is disabled for offload packets
- detection: fix post-inspection state clearing issue
- flow: check if there are offloaded packets in the flow before clearing out the alert count
- http2_inspect: add frame class and refactor stream splitter
- http2_inspect: fix unit tests to build without REGTEST defined
- main: Improve performance of control connection polling
- plugin_manager: allow loading individual plugin files in plugin-path
- reject: Setting defaults for reset and control options
- snort: update reload resource tuner to return status indicating if there is work to be done in
the packet thread
- stream: register reload resource tuner unconditionally. move checks for config changes to the
tuner tinit method
- stream_tcp: fix state machine instantiation
- wizard: handle NBSS startup in dce_smb_curse
2019-11-06: build 264
- appid: Handle DNS responses with compression pointers at last record
- dce_smb: deprecate config for smb_file_inspection, use smb_file_depth only
- detection: negated fast patterns are last choice
- http2_inspect: fix bugs in splitting long data frames and padding
- http_inspect: change accelerated_blocking to detained_inspection
- http_inspect: remove deprecated @fileclose command from test tool
- imap, pop, smtp: changed default decode depths to unlimited
- ips: define a builtin GID range to prevent unloaded SIDs from firing on all packets
- ips_option::enable: fix dynamic plugin build
- lua: tweak default conf and add tweaks for various scenarios
- normalizer: make tcp.ips default to true
- port_scan: increase default memcap to a more reasonable 10M
- s7commplus: Initial working version of s7commplus service inspector
- search_engine: stop searching if queue limit is reached
- stream: implement reload resource tuner for stream to adjust the number of flow objects as
needed when the stream 'max_flows' configuration option changes
- telnet: fix check_encrypted help string
2019-10-31: build 263
- appid: for ssl sessions, set payload id to unknown after ssl handshake is done if the payload id
was not found
- appid: check inferred services in host cache only if there were updates
- appid: Updating the path to userappid.conf
- build: Clean up snort namespace usage
- build: generate and tag build 263
- binder: Use reloaded snort config when getting inspector
- codecs: Relax requirement for DAQ packet decode data offsets when bypassing checksums
- content: rewrite boyer_moore for performance
- data_bus: add unit test cases
- detection: enhance fast pattern match queuing
- dns: made changes to make sure DNS parsing is thread safe
- doc: update default manuals
- file_api: Put FileCapture in the snort namespace
- ftp: fix for missing prototype warning
- ftp: catch invalid server command format
- http_inspect: test tool single-direction abort fix
- http_inspect: add more config initializers
- http2_inspect: generate request start line from pseudo-headers
- http2_inspect: abort on header decode error
- http2_inspect: stop sharing a variable between scan and reassemble
- http2_inspect: decode indexed header fields in the HPACK static table
- http2_inspect: Move HPACK decompression out of stream splitter into a separate class
- http2_inspect: Abort on bad connection preface
- http2_inspect: cleanup
- http2_inspect: discard connection preface
- ips: add states member, similar to rules, by convention use for rule state stubs with enable
- mime: Put MailLogConfig in the snort namespace
- packet: fix reset issues
- packet_io: do not retry packets that do not have a daq instance
- policy: Avoid unintended insertion of policy into map if it does not exist
- pub_subs: made default pub_subs policy-independent
- rule_state: deprecate, replace with ips option enable to avoid LuaJIT limitations
- stream_tcp: fix stability issues
- stream_tcp: If no-ack is on, rewrite ACK value to be the expected ACK
2019-10-09: build 262
- analyzer: move setting pkth to nullptr to after publishing finalize event
- analyzer: publish other message event for unknown DAQ messages
- appid: add support for bittorrent detection over standard ports
- appid: add support for Lua detector callback mechanism
- appid: add support for wildcard ports in host tracker
- appid: extract forward ip from http tunneled traffic and use it for dynamic host cache lookup
- appid: fix populating dns_query for DNS traffic
- binder: allow binder to support global level service inspectors
- binder: remove global check for stream inspectors and revert module_map changes
- codecs: fix checksumming a single byte of unaligned data
- codecs: use checksum validation from DAQ packet decode data when available
- detection: consistently prefer service rules over port rules
- detection: do not split service groups by ip proto to avoid extra searches
- detection: map file rules to services
- detection: non-service rules must match on rule header proto
- detection: remove cruft from match accumulator
- detection: remove more cruft from match tracker
- detection: remove the inappropriate match tracker from mpse batch setup
- detection: remove unnecessary match data from eval context
- detection: support alert file rules w/o optional services
- detection: update trace to indicate eval task
- detection: use reference for signature eval data
- doc: add Snort2Lua note on ips rule action rewrite
- flow: check if control packet has a valid daq instance before setting up daq expected flow and
add pegcounts for expected flows
- flow: patch to allocate Flow objects individually on demand. Once allocated the Flow objects are
reused until snort exits or reload changes the max_flows setting
- flow: when walking uni_list stop before reaching head
- helpers: discovery filter support for zone matching
- helpers: implement port exclusion in discovery filter
- http2_inspect: cut headers from frame_data buffer
- http2_inspect: parse hpack header representations and decode string literals
- http2_inspect: validate connection preface
- ips_options: minor code style changes
- libtcp: turn off no-ack mode if packet is out of order
- lua: added move constructor and move assignment operator to Lua::State to fix segv
- lua: fixed whitespace to match style guidelines
- managers: add null check in reload_module to prevent crash when trying to reload module that has
not been configured
- profiler: increase width of checks and alloc fields so values don't run together
- protocols: remove reference to obsolete DAQ_PKT_FLAG_HW_TCP_CS_GOOD flag
- pub_sub: replace DaqMetaEvent and OtherMessageEvent with DaqMessageEvent
- reputation: prevent reload module crash when reputation is not configured in lua at startup
- reputation: SIDs for source and destination-triggered events added
- snort2lua: convert snort2 port bindings into snort3 service bindings for inspectors configured
in wizard and add --bind-port option to enable port bindings conversion
- snort2lua: remove identity related options from firewall
- snort2lua: reset the sticky buffer name while converting unchanged sticky rule options and
file_data
- stream: clean up cppcheck warnings
- stream: clean up update_direction
- stream: code cleanup and dead-code removal
- unit-tests: fix compiler warnings that snuck into CppUTest unit tests
- utils: prevent integer overflow/underflow when reading BER elements
2019-09-12: build 261
- analyzer: Process retry queue and onloads when no DAQ messages are received
- appid: Enabled API for SSL to lookup appid
- appid: Support FTP banners on multiple packets with split response code
- build: Address miscellaneous cppcheck warnings
- build: Const-ify reference arguments as suggested by cppcheck
- build: Update CMake logic for unversioned LibSafeC pkg-config name
- doc: add bullets for $var parameter names and maxXX limits
- http_inspect: accelerated blocking for chunked message bodies
- http2_inspect: send raw encoded headers to detection
- managers: Make InspectorManager::thread_stop() a no-op if thread_init() was never called
- rna: generate an RNA_EVENT_CHANGE when a host is seen after the last log event and the current
time is past the update timeout
- rna: support for bidirectional flow with UDP, IP, and ICMP traffic
- rna: Support for filtering rna events by host ip
- rule_state: switch from regex parameter names to simpler parsing
- snort2lua: only emit max_flows and pruning_timeout options in converted lua file if the option
is used in the snort2 conf file
- stream: fix problem with accelerated blocking partial inspection
- style: update link for google c++ style guide
2019-08-28: build 260
- appid: handle 'change cipher spec' in 'server hello' to allow some app detection for tls 1.3
traffic
- binder: updated change_service event to support service reset via wizard
- host_tracker: derive LruCacheSharedMemcap from the general LruCacheShared that tracks size in
bytes, rather than number of items and instantiate host_cache from LruCacheSharedMemcap
- http2_inspect: Remove pkt_data buffer option
- reload: fix coding style issues, support multiple in progress analyzer commands, support
associated AC state for execute method, move reload tune logic for ACSwap to the execute command
- rna: Support for rna unified2 logging
- stream_tcp: clear consecutive small segs count upon non-small segs only
2019-08-21: build 259
- analyzer_command: Import into snort namespace and add the ability to retrieve the DAQ instance
from an Analyzer
- appid: delay port-based detection until a non-zero payload packet is seen for the session
- appid: fix discovery unit test that was failing intermittently
- appid: Fix for app name not getting evaluated for port/protocol based detectors
- appid: support for bittorrent detection when UDP tracker packet arrives after the TCP resumed
session has already started
- build: Fix miscellaneous cppcheck warnings
- codec: Adapt to new DAQ message metadata source for Real IP/port info
- file_api: generate events each time file is seen, not just first time
- finalize_packet: pass verdict by reference in inspector event
- flow: add virtual destructor to stash generic object
- flow: Bypass HA write for unsupported Tunnel flows
- flow: delete stale flow on receiving NEW_FLOW flag
- flow: if no 'get_ssn' handler configured then skip processing of the flow
- flow: introduced variable for handling idle session timeouts and flag for actively pruning flows
based on the expire_time
- flow: make a single flow cache for all the protocols
- flow: refactor flow config object to work with single flow cache concept
- flow: refactor uni list management into a separate class and instantiate an instance for ip flows
and another for all non-ip flows
- flow: release session object allocated for a flow when the Flow object is reused and the PktType
of the new flow is different from the previous use
- flow: Add packet tracer message when a new session is started
- ftp_telnet: add support for ftp file resume block by calculating path hash used as file id
- hash: add back size(), get_max_size() and remove() functions to lru_cache_shared
- hash: add unit test for explicitly testing get / set max size
- host_cache: Refactoring code to fix multithreading issues and to remove redundancy
- http2: huffman string decode
- http2_inspect: add HI test tool
- http_inspect: remove 0-byte workaround
- ips_options: add ber_data and ber_skip
- main: Implement reload memcap framework
- pcre: add peg counts for PCRE_ERROR_MATCHLIMIT and PCRE_ERROR_RECURSIONLIMIT return status from
pcre_exec()
- reputation: Fixed issues with reputation monitor
- rna: Add new hosts with IP-address into host cache
- snort2lua: Combine proto specific cache options for max_session in one max_flows option
- stream_tcp: add API for switching to no_ack mode
- stream_tcp: fix 3-1-2 ordering markup
- stream: update checks for modified stream config to work with updates to stream config options
- stream: updated the protocol setup and process logic of TCP,UDP,IP,ICMP and USER sessions for
setting and updating idle session timeouts
- time: Make TscClock fail to compile on non-x86/AArch64 systems
- wizard: Avoid host cache service insertion since we are using flow service
- xhash: Ported sfxhash_change_memcap() from snort2 to snort3
2019-07-17: build 258
- analyzer: 1024 contexts max is a better default until configurable
- appid: fix header order in appid_session
- codec: add support of ignore_vlan flag from daq header
- detection: allocate scratch after configuration
- detection: immediately onload after offloading when running regression tests
- detection: on PDUs change search order to set check_ports correctly
- detection: reduce hard number of contexts to work with pcap default
- detection: start offload threads before packet threads are pinned
- detection: use offload_threads = N with -z = 1
- flow: Extend stash to support uint32_t and make it SO_PUBLIC
- flow: Fixes for DAQ-backed HA implementation
- flow: remove config.h from flow_stash_keys
- high_availability: high availability support in Snort2Lua
- host_cache: Adding command and config option to dump hosts
- host_cache: Closing va_list after usage using va_end
- http2: decode HPACK uint
- http2: hpack string decode
- http_inspect: perf improvements
- http_inspect: send headers to detection separately
- ips: add missing non-fast-pattern warning
- ips: refactor fast pattern searching
- mpse: api init and print methods are optional
- no_ack: Purge segment list without waiting for ack when using no_ack feature
- pcre: cap the pcre_match_limit_recursion based on the stack size available
- profiler: convert ips options to use optional profiles
- profiler: eliminate deep profiling
- profiler: implement general exclusion
- profiler: include onload/offload efforts in mpse
- profiler: refactor
- profiler: split out paf from stream_tcp
- profiler: track DAQ message receives and finalizes
- snort: remove out-of-date Snort 2 version from -V
- stream: add convenient method for flow deletion
- stream_tcp: Add no-ack policy to handle flows that have no ACKs for data
- stream_tcp: fix non-deep detect profile exclusion
- talos.lua: various fixes for command line usage
2019-06-19: build 257
- analyzer: publish finalize packet event before calling finalize_message
- appid: Protocol based detection for non-TCP non-UDP traffic
- appid: support for dynamic host cache lookup-based app detection
- build: Fix unused parameter warnings in unit tests
- check: Fix missing semicolons on CHECK calls
- detection: adding pegcounts for fallback, offload failures
- detection: add peg for onload wait conditions
- detection: fix check for disabled rules
- detection: fix creation of service map to use ips policy id
- detection: on PDUs search TCP/UDP portgroups even when user_mode services exist
- doc: Remove perpetually out-of-date copy of LibDAQ's README
- doc: Update documentation to reflect post-DAQng reality
- flow: check if flow is actually deleted before updating memstats
- flow: Implement storing and importing HA data via DAQ IOCTLs
- http_inspect: stop clearing http data snapshots from ips contexts on flow deletion
- http_inspect/stream: accelerated blocking
- http_inspect: test tool enhancement
- icmp4: verify checksum before the type validation
- ips_options: add relative parameter to so option
- perf_mon: removed flow_ip_handler from PerfMonitor
- regex: fix repeated search offset
- rna: Fixing doc build failure due to asciidoc format issue
- rna: Implementing event-driven RNA inspections
- rna: Introducing barebone RNA module and inspector
- rna: Renaming peg counts and adding a warning when config changes
- smtp: Fix handle_header_line and normalize_data unit tests
- smtp: pass packet pointer instead of nullptr to SMTP_CopyToAltBuffer
- stream: Do not validate timestamp until peer timestamp is set
- stream_ip: Checking null inspector while updating session
2019-05-22: build 256
- DAQng: Port Snort and its DAQ modules to DAQ3
- Massive refactoring of the Analyzer thread
- Handle multiple offloaded wire packets
- Port hext and file DAQ modules to DAQng
- Reimplement the RETRY verdict internal to Snort
- Revamp skip-n/exit-after-n/pause-after-n handling
- Update lua tweaks with new DAQ configuration format
- Update sfdaq unit tests for DAQng
- Update snort2lua to convert to new DAQ configuration
- filters: add peg count for when the thd_runtime XHash table gets full
- filters: make thd_runtime and rf_hash thread local and allocate them from thread init
rather than from Module::end()
- http_inspect: fix status_code_num bug in HttpMsgHeader::update_flow() that leads to
assert on input.length()>0 in norm_decimal_integer
- main: Fix File Descriptor leaks
- main: Include analyzer.h in snort.c
- packet_io: Refactor the Trough a bit
- perf_mon: Fixed time stamp and memory leak issue
- Add real timestamp to empty perf_stats data
- Updated dbus default subscription code and perf_mon event subscription code
to resolve memory leak and invalid event subscription from reloading
- Moved flow_ip_tracker to thread local
- perf_monitor: Fixing heap-use-after-free after reload failure
- port_scan: Change minimum memcap value to 1024 to avoid divide by zero crash
- rule_state: change enable values "true" / "false" to "yes" / "no"
- snort2lua: Remove sticky buffer duplicates
- stream: disable inspection of flow on reset
2019-05-03: build 255
- ips: add includer for better relative path support
- module_manager: Fix potential null deref in module parameter dumping
2019-04-26: build 254
- analyzer: Print pause indicator from analyzer threads
- appid: remove inspector reference from detectors
- build: Remove perpetually stale reference to lua_plugffi.h
- build: remove unused cruft; clean up KMap
- config: replace working dir overrides with --include-path
- context: only clear ids_in_use in dtor
- file_type: remove redundant error message
- log_pcap, packet_capture: Don't try to use a DAQ pkthdr as a PCAP pkthdr
- Lua: update tweaks per latest include changes
- main: Use epoll (for linux systems) instead of select to get rid of limit on fd-set-size and for
time efficiency
- snort2lua: fix histogram option change comment
- snort2lua: Integer parameter range check
- stream_tcp: Try to work with a cleaner Packet when purging at shutdown
- test: remove cruft
2019-04-17: build 253
- build: delete unused code called out by cppcheck
- doc: remove mention of obsolete LUA_PATH, SNORT_LUA_PATH, and required snort_config library
- flow_cache: Pruning one stream when excess pruning skips even if max_sessions is reached
- ftp_server: fix normalization and PDU parsing issues
- helpers: directory: use readdir instead of readdir_r
- Lua: apply the necessary builtin defaults from one place
- Lua: internalize snort_config.lua dependency
- Lua: build-time stringify Lua files for use as C++ variables
- Lua: remove dependency on SNORT_LUA_PATH
- mime: fix decompression for multiple files
- parser: update include file handling
- parser: fix defaults for alerts.order and network.checksum_eval
2019-04-10: build 252
- appid: Fix NetworkSet compilation on big-endian systems
- appid: Reduce variable scope in service_mdns
- appid: Reduce variable scope in service_rpc
- codecs/ipv4: Use struct in_addr when calling inet_ntop()
- dce_rpc: Fix const cast warnings in dce_smb2
- detection: Don't send zero size searches to the regex offloader
If a batch search request had nothing in it to be
searched for there is no purpose in sending it to
the offloader
- detection: Ensure offload search engine started with appropriate regex offloader
If the offload_search_method is not specified then by
default it will be the same as the normal search_method.
If this search method is an async mpse it needs to be started
using the MpseRegexOffload offloader, otherwise it needs to be
started using the ThreadRegexOffload offloader
- file_api: add extract filename to FileFlow from mime header
- file_api: Add timer to limit how long we wait for pending file lookup
- file_api: If configured, reset session when lookup times out
- file_api: Make expiration timers more granular
- file_api: use more generic form of timercmp and fix timersub call
- file_api: use timersub_ms, updates to packettracer logs
- flow: add the override keyword to some member function to keep cppcheck happy
- flow: add test to check that a handler is not getting stash events that it's not listening to
- flow: stash publish event
- flow: unit test for stash publish
- ftp_telnet: Fix potential NULL pointer arithmetic in check_ftp()
- ftp_telnet: Fix val-never-used warning in DoNextFormat()
- http_inspect: Fix val-never-used warning in check_oversize_dir()
- http_inspect: Give HttpTestInput a destructor to clean up its file handle
- log: Fix potential NULL pointer arithmetic warning in log_text
- mpse: Adding performance profiling stats to Mpse batch search
The Mpse batch search function does not have any
performance profiling so this function is now wrapped
to facilitate the addition of performance stats
- normalize: Remove redundant check during configuration
- offload: simplify zero byte bypass
- offload: Framework changes to support polling for completed
batch searches
When a batch search is issued, currently we poll to
determine if that batch has completed its search
This change facilitates polling to return any batch
that has completed its search
- packet_io: Changes to allow daq retries to work properly
- packet_io: add entry for retry in act_str due to re-ordering
- packet_io: re-order ACT_RETRY to be before ACT_DROP
- packet_tracer: Pass filename string parameter by reference
- perf_monitor: Pass ModuleConfig string parameter by reference
- port_scan: Reduce variable scope in configuration
- rule_state: do not require rules in all policies
- rules: remove cruft from tree nodes
- sfip: Reduce variable scopes in sf_ipvar
- sfip: Switch test debug flag to a cpp macro
- sfrt: Reduce variable scope in _dir_remove_less_specific()
- sip: Give SipSplitterUT a proper copy constructor
- snort2lua: Adding support for appid tp_config_path conversion
- snort2lua: Convert rawbytes to raw_data sticky buffer
- so rules: fixup shutdown sequencing
- so rules: make plain stubs same as protected
- so rules: use stub strictly as a key
- stream: set retransmit flag
- stream_ip: Fix sign comparison and val-never-used issues in defrag
- stream_tcp: Fix shadowed variable when profiling deeply
- u2spewfoo: update due to re-ordering of retry action
2019-03-31: build 251
- ActionManager: actions are tracked per packet for accurate packet suspension
- DetectionEngine: make onload safe for reentrance
- DetectionEngine: stall when out of contexts
- Flow: is_offloaded is now is_suspended
- IpsContext: removed useless SUSPENDED_OFFLOAD state
- Mpse: Addition and use of offload search method/engine
- Mpse: fixed build warning about constness of get_pattern_count
- MpseBatch: refactor into separate files
- Packet: fixed thread safety in onload flag checks
- RegexOffload: onload whatever is ready
- RegexOffload: refactor into mode-specific subclasses
- appid: Fix for FTP detection with multiline server response split across multiple packets
- appid: add unit test to make sure the AppIdServiceStateKey::operator<() is OK and modify
existing service cache memcap test to alternate ipv4 and ipv6 addresses
- appid: change the service queue to store map iterators rather than the actual keys, as
(a) map iterators are stable and (b) sizeof(map::iterator)=8 while sizeof(key)=28
- appid: compute the size of the memory used for a service cache entry only once, as it is
constant, and make it global
- appid: fix AppIdServiceStateKey::operator<()
- appid: fix client discovery to only check on the first data packet
- appid: fix comment in client_discovery.cc
- appid: fix double free in service_state_queue and address reviewers comments
- appid: fixup profiling
- appid: get rid of the map::find() in MapList::add(), just try to emplace directly
- appid: implement service cache touch(). Must figure out where to call it from
- appid: implement service discovery state queue to honor memcap
- appid: introduce min memcap of 1024 with a default of 1Mb and refactor
AppIdServiceState::remove() to accept a ServiceCache_t::iterator rather than ip, proto,
port and decrypted
- appid: introduce the do_touch flag to the add/get functions and call those functions with
the appropriate flag
- appid: keep cppcheck happy
- appid: more cppcheck clean-up
- appid: pass HostPortKey by reference in HostPortKey::operator<()
- appid: put the service_state_cache and the service_state_queue into a class in its own
right and refactor the code
- appid: remove forgotten WhereMacro
- appid: rename some global variables in http_url_patterns_test.cc to suppress cppcheck messages
- appid: replace the custom AppIdServiceCacheKey::operator< with memcmp in both service_state.h
and host_port_app_cache.cc
- appid: return void in ClientDiscovery::exec_client_detectors() and set client_disco_state to
FINISHED in all cases except when the client validate returns APPID_INPROCESS
- appid: set a range for app_stats_period parameter
- appid: skip empty detectors
- appid: the service queue should be of type AppIdServiceStateKey
- appid: unit test for service cache and call the touch function
- appid: untabify service_state.h and test/service_state_test.cc
- appid: update unit test file
- binder: Reset flow gadget and protocol ID on failed rebinding
- binder: store user set ips policy id from lua
- build: Add better support for libiconv on systems with iconv-providing libc
- build: fix always true warning
- build: fix constness warnings
- build: fix cppcheck warnings for file_connector, tcp_connector, ports, snort2lua, and
piglet_plugins
- build: fix override warning
- catch: Update to Catch v2.7.0
- cd_tcp: some light refactoring
- conf: remove obscure and slow automatic iface var assignments; use Lua instead
- config: Use basename_r() function for FreeBSD versions < 12.0.0
- control: Avoid deleting objects on write failures so that they get deleted from main thread
during read polling
- copyright: update year to 2019
- cppcheck: fix some basic warnings
- dce_rpc: Added support to handle smb header compounding
- dce_rpc: Limiting each signature alert to once per session using 'limit_alerts' config
- dce_rpc: fix cppcheck warnings
- dce_rpc: fix style warning non-boolean returned
- decompress: add zip file decompression
- detection, snort2lua: added global rule state options for legacy conversions
- detection: Add search batching infrastructure
- detection: allow suspension of entire chains of contexts
- detection: fixed incorrect log messages
- detection: only swap offload configs when they change
- detection: split fast pattern processing when using context suspension
- doc: add a section for reload limitations
- doc: update default manuals
- doc: update reload limitations - adding/removing stream_*
- file: fixed data race at shutdown
- file_api: Added nullptr checking to prevent segfaults when file mempool is not configured
- file_api: call FileContext::set_file_name() from FileFlows::set_file_name with
fname = nullptr, in order to generate file event
- file_api: fail the reload if max_files_cache is changed or if capture was initially enabled
and capture_memcap or capture_block_size change
- file_api: fix policy lookup
- file_capture: refactor max size handling
- filters: call get_ips_policy instead of get_network_policy when building the key for
rate filter
- flow: Added a support to store generic objects in a stash
- flow: support for flow stash - allows storage of integers and strings
- flow_control: remove unused session flag
- fp_detect: suspend instead of onload if fp_local can't occur yet
- hash: Added lru_cache_shared.h to HASH_INCLUDES
- hash: Moved list_iter assignment inside to avoid improper memory access in LruCacheShared
- http_inspect: disable reg test assertion until interface with stream_tcp is updated
- http_inspect: patch around buffer ownership confusion
- ips_context: minimize iterations to clear data
- ips_options: implement FileTypeOption::hash() and FileTypeOption::operator==(), inherited
from IpsOption, using the types bitset array, in order to distinguish between different
file type options
- loggers: add alert_talos, use in talos tweak
- loggers: alert_talos: fix copyright, author, unneeded check
- loggers: alert_talos: fix copyright, warnings
- loggers: alert_talos: fix cppcheck error
- loggers: alert_talos: fix include order
- loggers: alert_talos: fix memory leak
- loggers: workaround for cppcheck's false warning
- lua: make RTF file magic more generic
- main: log message when all pthreads started (REG_TEST only)
- main: shell commands and signals executed only after snort finish startup
- memory: Use only one variable to keep track of allocated and deallocated memory
- memory: add configurable L3/L4 specific weights for better estimation against cap
- memory: add size_of to various FlowData subclasses
- memory: apply fudge factor to tracking to better align with RSS
- memory: basic flow data allocation tracking
- memory: basic flow pruning
- memory: beware the perf_monitor, for she stealeth your numbers
- memory: do not re-enter the pruner
- memory: fix re-entry check
- memory: increase default tcp cache cap weight; fix default values
- memory: initial preemptive pruning based on flow data
- memory: refactor stats
- memory: remove overloading manager to make way for new implementation
- memory: remove useless thread local
- memory: require subclass implementation of FlowData::size_of()
- memory: track session allocations
- mime: add file decompression
- misc: fixed warnings generated from latest gcc
- packet tracer: initialize sf_ip structs
- policy: allow an empty policy to be set explicitly
assigned to it
- policy: Rename TRUE/FALSE to ENABLE/DISABLED
- port_scan: Fail reload if memcap changed
- profile: convert remaining layer 2 or greater profile scopes to the deep, dark underbelly
- profiler: add quick exit if not configured to minimize overhead
- profiler: add quick exit if not configured to minimize overhead (rule times)
- protocols: fix style warning non-boolean value returned
- react: sending reset to server only
- regex_offload: fix stats for thread
- reload: differentiate between restart required and bad config
- reload: fail reload if stream is in the original config and stream_* is added/removed
- reload: prompt reload failure and require restart when stream cache was changed
- reload: send reload completed message to control channel instead of logging it
- rule eval: ensure leaf children are properly counted
- rule_state: add rtn but disable if block is set on non-inline deployment
- rule_state: added default rule state to ips policy
- rule_state: added per-ips-policy rule states
- rules: do not preallocate actions
- safec: Update to work with modern versions of LibSafeC
- sfip: add a FIXIT for checking that the current implementation of _is_lesser(), which only
compares same-family ips is OK
- sip: update sip options to use has_tcp_data instead of is_tcp
- snort2lua: Create dev_notes.txt for sticky buffers
- snort2lua: adding when.role for specific inspectors
- snort2lua: change the -l short option to --dont-convert-max-sessions
- snort2lua: combining multiple zones in one binder rule
- snort2lua: comment gid 147 file rules
- snort2lua: convert file_capture config options
- snort2lua: do generate the tcp_cache instance even when we don't convert tcp_max to
max_sessions
- snort2lua: do not translate max_sessions from snort.conf to snort.lua
- snort2lua: fix pcre option issues
- snort2lua: fix sticky buffer duplication
- snort2lua: fixed duplication of split_any_any from config: detection
- snort2lua: introduce command line option -l to suppress conversion of max_tcp, max_udp,
max_icmp and max_ip to max_sessions
- snort2lua: move obfuscate_pii to the ips table from the output table
- snort_config: Add a setter for setting run_flags and set it to TRACK_ON_SYN for hs_timeout
config
- ssl: Count calls to disable_content for ssl sessions
- stream: Change StreamSplitter::scan to take a Packet instead of a Flow
- stream: Pass Packet in flushpdu* -> paf_eval -> paf_callback chain
- stream: fixed ignore_flow segfault bug caused by allocating generic flow data instead of
inspector specific flow data
- stream: log StreamBase::config in StreamBase::show()
- stream: purge remaining flows before shutdown counts
- stream_tcp: add track_only to disable reassembly
- stream_tcp: consolidate segment node and data
- stream_tcp: disambiguate seglist trace
- stream_tcp: do not purge partially acked segment
- stream_tcp: fix up stream order flags
- stream_tcp: fixup allocation tracking for overlapped segments
- stream_tcp: implement reserve seglist
- stream_tcp: initialize priv_ptr for pdus
- stream_tcp: patch around premature application of delayed actions that yoink the seglist
- stream_tcp: remove seglist node cruft
- stream_tcp: reset paf segment when switching splitters
- stream_tcp: simplify paf init
- stream_tcp: support unidirectional flushing similar to Snort 2
- stream_tcp: tweak PAF scanning
- stream_tcp: tweak ips mode flushing
- stream_udp: ensure all flows are cleared fully
- time: Adding timersub_ms function to return timersub in milliseconds
2018-12-06: build 250
- actions: Fix incorrect order of IPS reject unreachable codes and adding forward option
- active: added peg count for injects
- active, detection: active state is tied to specific packet, not thread
- appid: Don't build unit test components without ENABLE_UNIT_TESTS
- appid: Fix heap overflow issue for a fuzzed pcap
- build: accept generator names with spaces in configure_cmake.sh
- build: clean up additional warnings
- build: fix some cppcheck warnings
- build: fix some int format specifiers
- build: fix some int type conversion warnings
- build: reduce variable scope to address warnings
- detection: enable offloading non-pdu packets
- detection, stream: fixed assuming packets were offloaded when previous packets on flow have
been offloaded
- file_api: choose whether to get file config from current config or staged one
- file: fail the reload if capture is enabled for the first time
- framework: Clone databus to new config during module reload
- loggers: Use thread safe strerror_r() instead of strerror()
- main: support resume(n) command
- managers: update action manager to support reload
- module_manager: Fix configuring module parameter defaults when modules have list parameters
- parameter: add max31, max32, and max53 for int upper bounds
- parameter: add maxSZ upper bound for int sizes
- parameter: build out validation unit tests
- parameter: clean up some signed/unsigned mismatches
- parameter: clean up upper bounds
- parameter: remove arbitrary one day limit on timers
- parameter: remove ineffective -1 from pcre_match_limit*
- parameter: reorganize for unit tests
- parameter: use bool instead of int for bools
- parameter: use consistent default port ranges
- perf_monitor: Actually allow building perf_monitor as a dynamic plugin
- perf_monitor: fix benign parameter errors
- perf_monitor: fixed fbs schema generation when not building with DEBUG
- protocols: add vlan_idx field to Packet struct and handle multiple vlan type ids;
Thanks to ymansour for reporting the issue
- regex worker: removed assert that didn't handle locks cleanly
- reputation: Fix iterations of layers for different nested_ip configs and show the
blacklisted IP in events
- sip: Added sanity check for buffer boundary while parsing a sip message
- snort2lua: add code to output control = forward under the reject module
- snort2lua: Fix compiler warning for catching exceptions by value
- snort2lua: Fix pcre H and P option conversions for sip
- snort: add --help-limits to output max* values
- snort: Default to a snaplen of 1518
- snort: fix command line parameters to support setting in Lua;
Thanks to Meridoff oagvozd@gmail.com for reporting the issue
- snort: remove obsolete and inadequate -W option;
Thanks to Jaime González jaimeglz1952@gmail.com for reporting the issue
- snort: terminate gracefully upon DAQ start failure;
Thanks to Jaime González jaimeglz1952@gmail.com for reporting the issue
- so rules: add robust stub parsing
- stream: fixed stream_base flow peg count sum_stats bug
- stream tcp: fixed applying post-inspection operations to wrong rebuilt packet
- stream tcp: fixed sequence overlap handling when working with empty seglist
- style: clean up comment to reduce spelling exceptions
- thread: No more breaks for pigs (union busting)
- tools: Install appid-detector-builder.sh with the other tools;
Thanks to Jonathan McDowell noodles-github@earth.li for reporting the issue
2018-11-07: build 249