suricata checkin based on commit id a4bce14770beee46a537eda3c3f6e8e8565d5d0a

Change-Id: I9a214fa0ee95e58fc640e50bd604dac7f42db48f

1 files changed, 802 insertions, 0 deletions

diff --git a/framework/src/suricata/ChangeLog b/framework/src/suricata/ChangeLog
new file mode 100644
index 00000000..a265dd76
--- /dev/null
+++ b/framework/src/suricata/ChangeLog
@@ -0,0 +1,802 @@
+2.1beta4 -- 2015-05-08
+
+Bug #1314: http-events performance issues
+Bug #1340: null ptr dereference in Suricata v2.1beta2 (output-json.c:347)
+Bug #1352: file list is not cleaned up
+Bug #1358: Gradual memory leak using reload (kill -USR2 $pid)
+Bug #1366: Crash if default_packet_size is below 32 bytes
+Bug #1378: stats api doesn't call thread deinit funcs
+Bug #1384: tcp midstream window issue (master)
+Bug #1388: pcap-file hangs on systems w/o atomics support (master)
+Bug #1392: http uri parsing issue (master)
+Bug #1393: CentOS 5.11 build failures
+Bug #1398: DCERPC traffic parsing issue (master)
+Bug #1401: inverted matching on incomplete session
+Bug #1402: When re-opening files on HUP (rotation) always use the append flag.
+Bug #1417: no rules loaded - latest git - rev e250040
+Bug #1425: dead lock in de_state vs flowints/flowvars
+Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled
+Bug #1429: stream: last_ack update issue leading to stream gaps
+Bug #1435: EVE-Log alert payload option loses data
+Bug #1441: Local timestamps in json events
+Bug #1446: Unit ID check in Modbus packet error
+Bug #1449: smtp parsing issue
+Bug #1451: Fix list-keywords regressions
+Bug #1463: modbus parsing issue
+Feature #336: Add support for NETMAP to Suricata.
+Feature #885: smtp file_data support
+Feature #1394: Improve TCP reuse support
+Feature #1410: add alerts to EVE's drop logs
+Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
+Feature #1447: Ability to reject ICMP traffic
+Feature #1448: xbits
+Optimization #1014: app layer reassembly fast-path
+Optimization #1377: flow manager: reduce (try)locking
+Optimization #1403: autofp packet pool performance problems
+Optimization #1409: http pipeline support for stateful detection
+
+2.1beta3 -- 2015-01-29
+
+Bug #977: WARNING on empty rules file is fatal (should not be)
+Bug #1184: pfring: cppcheck warnings
+Bug #1321: Flow memuse bookkeeping error
+Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
+Bug #1332: cppcheck: ioctl
+Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
+Bug #1351: output-json: duplicate logging (2.1.x)
+Bug #1354: coredumps on quitting on OpenBSD
+Bug #1355: Bus error when reading pcap-file on OpenBSD
+Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x)
+Bug #1365: evasion issues (2.1.x)
+Feature #1261: Request for Additional Lua Capabilities
+Feature #1309: Lua support for Stats output
+Feature #1310: Modbus parsing and matching
+Feature #1317: Lua: Indicator for end of flow
+Feature #1333: unix-socket: allow (easier) non-root usage
+Optimization #1339: flow timeout optimization
+Optimization #1339: flow timeout optimization
+Optimization #1371: mpm optimization
+
+2.1beta2 -- 2014-11-06
+
+Feature #549: Extract file attachments from emails
+Feature #1312: Lua output support
+Feature #899: MPLS over Ethernet support
+Feature #707: ip reputation files - network range inclusion availability (cidr)
+Feature #383: Stream logging
+Feature #1263: Lua: Access to Stream Payloads
+Feature #1264: Lua: access to TCP quad / Flow Tuple
+Bug #1048: PF_RING/DNA config - suricata.yaml
+Bug #1230: byte_extract, within combination not working
+Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml
+Bug #1259: AF_PACKET IPS is broken in 2.1beta1
+Bug #1260: flow logging at shutdown broken
+Bug #1279: BUG: NULL pointer dereference when suricata was debug mode.
+Bug #1280: BUG: IPv6 address vars issue
+Bug #1285: Lua - http.request_line not working (2.1)
+Bug #1287: Lua Output has dependency on eve-log:http
+Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger
+Bug #1294: Configure doesn't use --with-libpcap-libraries when testing PF_RING library
+Bug #1301: suricata yaml - PF_RING load balance per hash option
+Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master)
+Bug #1311: EVE output Unix domain socket not working (2.1)
+
+2.1beta1 -- 2014-08-12
+
+Feature #1155: Log packet payloads in eve alerts
+Feature #1208: JSON Output Enhancement - Include Payload(s)
+Feature #1248: flow/connection logging
+Feature #1258: json: include HTTP info with Alert output
+Optimization #1039: Packetpool should be a stack
+Optimization #1241: pcap recording: record per thread
+
+2.0.3 -- 2014-08-08
+
+Bug #1236: fix potential crash in http parsing
+Bug #1244: ipv6 defrag issue
+Bug #1238: Possible evasion in stream-tcp-reassemble.c
+Bug #1221: lowercase conversion table missing last value
+Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling
+
+2.0.2 -- 2014-06-25
+
+Bug #1098: http_raw_uri with relative pcre parsing issue
+Bug #1175: unix socket: valgrind warning
+Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
+Bug #1195: nflog: cppcheck reports memleaks
+Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
+Bug #1211: defrag issue
+Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
+Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
+Bug #1217: Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analized via socket
+Feature #781: IDS using NFLOG iptables target
+Feature #1158: Parser DNS TXT data parsing and logging
+Feature #1197: liblua support
+Feature #1200: sighup for log rotation
+
+2.0.1 -- 2014-05-21
+
+No changes since 2.0.1rc1
+
+2.0.1rc1 -- 2014-05-12
+
+Bug #978: clean up app layer parser thread local storage
+Bug #1064: Lack of Thread Deinitialization For Decoder Modules
+Bug #1101: Segmentation in AppLayerParserGetTxCnt
+Bug #1136: negated app-layer-protocol FP on multi-TX flows
+Bug #1141: dns response parsing issue
+Bug #1142: dns tcp toclient protocol detection
+Bug #1143: tls protocol detection in case of tls-alert
+Bug #1144: icmpv6: unknown type events for MLD_* types
+Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
+Bug #1146: tls: event on 'new session ticket' in handshake
+Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
+Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
+Bug #1161: eve: src and dst mixed up in some cases
+Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
+Bug #1163: HTP Segfault
+Bug #1165: af_packet - one thread consistently not working
+Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
+Bug #1176: AF_PACKET IPS mode is broken in 2.0
+Bug #1177: eve log do not show action 'dropped' just 'allowed'
+Bug #1180: Possible problem in stream tracking
+Feature #1157: Always create pid file if --pidfile command line option is provided.
+Feature #1173: tls: OpenSSL heartbleed detection
+
+2.0 -- 2014-03-25
+
+Bug #1151: tls.store not working when a TLS filter keyword is used
+
+2.0rc3 -- 2014-03-18
+
+Bug #1127: logstash & suricata parsing issue
+Bug #1128: Segmentation fault - live rule reload
+Bug #1129: pfring cluster & ring initialization
+Bug #1130: af-packet flow balancing problems
+Bug #1131: eve-log: missing user agent reported inconsistently
+Bug #1133: eve-log: http depends on regular http log
+Bug #1135: 2.0rc2 release doesn't set optimization flag on GCC
+Bug #1138: alert fastlog drop info missing
+
+2.0rc2 -- 2014-03-06
+
+Bug #611: fp: rule with ports matching on portless proto
+Bug #985: default config generates rule warnings and errors
+Bug #1021: 1.4.6: conf_filename not checked before use
+Bug #1089: SMTP: move depends on uninitialised value
+Bug #1090: FTP: Memory Leak
+Bug #1091: TLS-Handshake: Uninitialized value
+Bug #1092: HTTP: Memory Leak
+Bug #1108: suricata.yaml config parameter - segfault
+Bug #1109: PF_RING vlan handling
+Bug #1110: Can have the same Pattern ID (pid) for the same pattern but different case flags
+Bug #1111: capture stats at exit incorrect
+Bug #1112: tls-events.rules file missing
+Bug #1115: nfq: exit stats not working
+Bug #1120: segv with pfring/afpacket and eve-log enabled
+Bug #1121: crash in eve-log
+Bug #1124: ipfw build broken
+Feature #952: Add VLAN tag ID to all outputs
+Feature #953: Add QinQ tag ID to all outputs
+Feature #1012: Introduce SSH log
+Feature #1118: app-layer protocols http memcap - info in verbose mode (-v)
+Feature #1119: restore SSH protocol detection and parser
+
+2.0rc1 -- 2014-02-13
+
+Bug #839: http events alert multiple times
+Bug #954: VLAN decoder stats with AF Packet get written to the first thread only - stats.log
+Bug #980: memory leak in http buffers at shutdown
+Bug #1066: logger API's for packet based logging and tx based logging
+Bug #1068: format string issues with size_t + qa not catching them
+Bug #1072: Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault
+Bug #1073: radix tree lookups are not thread safe
+Bug #1075: CUDA 5.5 doesn't compile with 2.0 beta 2
+Bug #1079: Err loading rules with variables that contain negated content.
+Bug #1080: segfault - 2.0dev (rev 6e389a1)
+Bug #1081: 100% CPU utilization with suricata 2.0 beta2+
+Bug #1082: af-packet vlan handling is broken
+Bug #1103: stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets
+Bug #1104: vlan tagged fragmentation
+Bug #1106: Git compile fails on Ubuntu Lucid
+Bug #1107: flow timeout causes decoders to run on pseudo packets
+Feature #424: App layer registration cleanup - Support specifying same alproto names in rules for different ip protocols
+Feature #542: TLS JSON output
+Feature #597: case insensitive fileext match
+Feature #772: JSON output for alerts
+Feature #814: QinQ tag flow support
+Feature #894: clean up output
+Feature #921: Override conf parameters
+Feature #1007: united output
+Feature #1040: Suricata should compile with -Werror
+Feature #1067: memcap for http inside suricata
+Feature #1086: dns memcap
+Feature #1093: stream: configurable segment pools
+Feature #1102: Add a decoder.QinQ stats in stats.log
+Feature #1105: Detect icmpv6 on ipv4
+
+2.0beta2 -- 2013-12-18
+
+Bug #463: Suricata not fire on http reply detect if request are not http
+Bug #640: app-layer-event:http.host_header_ambiguous set when it shouldn't
+Bug #714: some logs not created in daemon mode
+Bug #810: Alerts on http traffic storing the wrong packet as the IDS event payload
+Bug #815: address parsing with negation
+Bug #820: several issues found by clang 3.2
+Bug #837: Af-packet statistics inconsistent under very high traffic
+Bug #882: MpmACCudaRegister shouldn't call PatternMatchDefaultMatcher
+Bug #887: http.log printing unknown hostname most of the time
+Bug #890: af-packet segv
+Bug #892: detect-engine.profile - custom - does not err out in incorrect toclient/srv values - suricata.yaml
+Bug #895: response: rst packet bug
+Bug #896: pfring dna mode issue
+Bug #897: make install-full fails if wget is missing
+Bug #903: libhtp valgrind warning
+Bug #907: icmp_seq and icmp_id keyword with icmpv6 traffic (master)
+Bug #910: make check fails w/o sudo/root privs
+Bug #911: HUP signal
+Bug #912: 1.4.3: Unit test in util-debug.c: line too long.
+Bug #914: Having a high number of pickup queues (216+) makes suricata crash
+Bug #915: 1.4.3: log-pcap.c: crash on printing a null filename
+Bug #917: 1.4.5: decode-ipv6.c: void function cannot return value
+Bug #920: Suricata failed to parse address
+Bug #922: trackers value in suricata.yaml
+Bug #925: prealloc-sessions value bigger than allowed in suricata.yaml
+Bug #926: prealloc host value in suricata.yaml
+Bug #927: detect-thread-ratio given a non numeric value in suricata.yaml
+Bug #928: Max number of threads
+Bug #932: wrong IP version - on stacked layers
+Bug #939: thread name buffers are sized inconsistently
+Bug #943: pfring: see if we can report that the module is not loaded
+Bug #948: apple ppc64 build broken: thread-local storage not supported for this target
+Bug #958: SSL parsing issue (master)
+Bug #963: XFF compile failure on OSX
+Bug #964: Modify negated content handling
+Bug #967: threshold rule clobbers suppress rules
+Bug #968: unified2 not logging tagged packets
+Bug #970: AC memory read error
+Bug #973: Use different ids for content patterns which are the same, but one of them has a fast_pattern chop set on it.
+Bug #976: ip_rep supplying different no of alerts for 2 different but semantically similar rules
+Bug #979: clean up app layer protocol detection memory
+Bug #982: http events missing
+Bug #987: default config generates error(s)
+Bug #988: suricata don't exit in live mode
+Bug #989: Segfault in HTPStateGetTxCnt after a few minutes
+Bug #991: threshold mem leak
+Bug #994: valgrind warnings in unittests
+Bug #995: tag keyword: tagging sessions per time is broken
+Bug #998: rule reload triggers app-layer-event FP's
+Bug #999: delayed detect inits thresholds before de_ctx
+Bug #1003: Segmentation fault
+Bug #1023: block rule reloads during delayed detect init
+Bug #1026: pfring: update configure to link with -lrt
+Bug #1031: Fix IPv6 stream pseudo packets
+Bug #1035: http uri/query normalization normalizes 'plus' sign to space
+Bug #1042: Can't match "emailAddress" field in tls.subject and tls.issuerdn
+Bug #1061: Multiple flowbit set in one rule
+Feature #234: add option disable/enable individual app layer protocol inspection modules
+Feature #417: ip fragmentation time out feature in yaml
+Feature #478: XFF (X-Forwarded-For)
+Feature #602: availability for http.log output - identical to apache log format
+Feature #622: Specify number of pf_ring/af_packet receive threads on the command line
+Feature #727: Explore the support for negated alprotos in sigs.
+Feature #746: Decoding API modification
+Feature #751: Add invalid packet counter
+Feature #752: Improve checksum detection algorithm
+Feature #789: Clean-up start and stop code
+Feature #813: VLAN flow support
+Feature #878: add storage api
+Feature #901: VLAN defrag support
+Feature #904: store tx id when generating an alert
+Feature #940: randomize http body chunks sizes
+Feature #944: detect nic offloading
+Feature #956: Implement IPv6 reject
+Feature #957: reject: iface setup
+Feature #959: Move post config initialisation code to PostConfLoadedSetup
+Feature #981: Update all switch case fall throughs with comments on false throughs
+Feature #983: Provide rule support for specifying icmpv4 and icmpv6.
+Feature #986: set htp request and response size limits
+Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
+Feature #1009: Yaml file inclusion support
+Feature #1032: profiling: per keyword stats
+Optimization #583: improve Packet_ structure layout
+Optimization #1018: clean up counters api
+Optimization #1041: remove mkinstalldirs from git
+
+2.0beta1 -- 2013-07-18
+
+- Luajit flow vars and flow ints support (#593)
+- DNS parser, logger and keyword support (#792), funded by Emerging Threats
+- deflate support for HTTP response bodies (#470, #775)
+- update to libhtp 0.5 (#775)
+- improved gzip support for HTTP response bodies (#470, #775)
+- redesigned transaction handling, improving both accuracy and performance (#753)
+- redesigned CUDA support (#729)
+- Be sure to always apply verdict to NFQ packet (#769)
+- stream engine: SACK allocs should adhere to memcap (#794)
+- stream: deal with multiple different SYN/ACK's better (#796)
+- stream: Randomize stream chunk size for raw stream inspection (#804)
+- Introduce per stream thread ssn pool (#519)
+- "pass" IP-only rules should bypass detection engine after matching (#718)
+- Generate error if bpf is used in IPS mode (#777)
+- Add support for batch verdicts in NFQ, thanks to Florian Westphal
+- Update Doxygen config, thanks to Phil Schroeder
+- Improve libnss detection, thanks to Christian Kreibich
+- Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml
+- OS X unix socket build fixed (#830)
+- bytetest, bytejump and byteextract negative offset failure (#827)
+- Fix fast.log formatting issues (#771), thanks to Rmkml
+- Invalidate negative depth (#774), thanks to Rmkml
+- Fixed accuracy issues with relative pcre matching (#791)
+- Fix deadlock in flowvar capture code (#802)
+- Improved accuracy of file_data keyword (#817)
+- Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy
+- stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau
+
+1.4.4 -- 2013-07-18
+
+- Bug #834: Unix socket - showing as compiled when it is not desired to do so
+- Bug #835: Unix Socket not working as expected
+- Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present
+- Bug #846: FP on IP frag and sig use udp port 0, thanks to Rmkml
+- Bug #864: backport packet action macro's
+- Bug #876: htp tunnel fix
+- Bug #877: Flowbit check with content doesn't match consistently, thanks to Francis Trudeau
+
+1.4.3 -- 2013-06-20
+
+- Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828)
+- Fix IPS mode being unable to drop tunneled packets (#826)
+- Fix OS X Unix Socket build (#829)
+
+1.4.2 -- 2013-05-29
+
+- No longer force nocase to be used on http_host
+- Invalidate rule if uppercase content is used for http_host w/o nocase
+- Warn user if bpf is used in af-packet IPS mode
+- Better test for available libjansson version
+- Fixed accuracy issues with relative pcre matching (#784)
+- Improved accuracy of file_data keyword (#788)
+- Invalidate negative depth (#770)
+- Fix http host parsing for IPv6 addresses (#761)
+- Fix fast.log formatting issues (#773)
+- Fixed deadlock in flowvar set code for http buffers (#801)
+- Various signature ordering improvements
+- Minor stream engine fix
+
+1.4.1 -- 2013-03-08
+
+- GeoIP keyword, allowing matching on Maxmind's database, contributed by Ignacio Sanchez (#559)
+- Introduce http_host and http_raw_host keywords (#733, #743)
+- Add python module for interacting with unix socket (#767)
+- Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)
+- Big Napatech support update by Matt Keeler
+- Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
+- FreeBSD IPFW fixes by Nikolay Denev
+- Add "default" interface setting to capture configuration in yaml (#679)
+- Make sure "snaplen" can be set by the user (#680)
+- Improve HTTP URI query string normalization (#739)
+- Improved error reporting in MD5 loading (#693)
+- Improve reference.config parser error reporting (#737)
+- Improve build info output to include all configure options (#738)
+- Segfault in TLS parsing reported by Charles Smutz (#725)
+- Fix crash in teredo decoding, reported by Rmkml (#736)
+- fixed UDPv4 packets without checksum being detected as invalid (#760)
+- fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
+- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
+- FN: IP-only rule ip_proto not matching for some protocols (#689)
+- Fix build failure with other libhtp installs (#688)
+- Fix malformed yaml loading leading to a crash (#694)
+- Various Mac OS X fixes (#700, #701, #703)
+- Fix for autotools on Mac OS X by Jason Ish (#704)
+- Fix AF_PACKET under high load not updating stats (#706)
+
+1.3.6 -- 2013-03-07
+
+- fix decoder event rules not checked in all cases (#671)
+- checksum detection for icmpv6 was fixed (#673)
+- crash in HTTP server body inspection code fixed (#675)
+- fixed a icmpv6 payload bug (#676)
+- IP-only rule ip_proto not matching for some protocols was addressed (#690)
+- fixed malformed yaml crashing suricata (#702)
+- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
+- crash in tls parser was fixed (#759)
+- fixed UDPv4 packets without checksum being detected as invalid (#762)
+- fixed DCE/SMB parsers getting confused in some fragmented cases (#763)
+
+1.4 2012-12-13
+
+- Decoder event matching fixed (#672)
+- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
+- Add more events to IPv6 extension header anomolies (#678)
+- Fix ICMPv6 payload and checksum calculation (#677, #674)
+- Clean up flow timeout handling (#656)
+- Fix a shutdown bug when using AF_PACKET under high load (#653)
+- Fix TCP sessions being cleaned up to early (#652)
+
+1.3.5 2012-12-06
+
+- Flow engine memory leak fixed by Ludovico Cavedon (#651)
+- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664)
+- Flow manager mutex used unintialized, fixed by Ludovico Cavedon (#654)
+- Windows building in CYGWIN fixed (#630)
+
+1.4rc1 2012-11-29
+
+- Interactive unix socket mode (#571, #552)
+- IP Reputation: loading and matching (#647)
+- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
+- Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
+- User-Agent added to file log and filestore meta files (#629)
+- Endace DAG supports live stats and at exit drop stats (#638)
+- Add support for libhtp event "request port doesn't match tcp port" (#650)
+- Rules with negated addresses will not be considered IP-only (#599)
+- Rule reloads complete much faster in low traffic conditions (#526)
+- Suricata -h now displays all available options (#419)
+- Luajit configure time detection was improved (#636)
+- Flow manager mutex used w/o initialization (#628)
+- Cygwin work around for windows shell mangling interface string (#372)
+- Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
+- CLANG compiler build fixes (#649)
+- Several fixes found by code analyzers
+
+1.4beta3 2012-11-14
+
+- support for Napatech cards was greatly improved by Matt Keeler from Npulse (#430, #619)
+- support for pkt_data keyword was added
+- user and group to run as can now be set in the config file
+- make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
+- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
+- add contrib directory to the dist (#567)
+- performance improvements to signatures with dsize option
+- improved rule analyzer: print fast_pattern along with the rule (#558)
+- fixes to stream engine reducing the number of events generated (#604)
+- add stream event to match on overlaps with different data in stream reassembly (#603)
+- stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
+- HTTP handling in OOM condition was greatly improved (#557)
+- filemagic keyword performance was improved (#585)
+- fixes and improvements to daemon mode (#624)
+- fix drop rules not working correctly when thresholded (#613)
+- fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581)
+- fix a false possitive condition in http_header (#607)
+- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627)
+- fixes to rule profiling (#576)
+- cleanups and misc fixes (#379, #395)
+- updated bundled libhtp to 0.2.11
+- build system improvements and cleanups
+- fix to SSL record parsing
+
+1.3.4 -- 2012-11-14
+
+- fix crash in flow and host engines in cases of low memory or low memcap settings (#617)
+- improve http handling in low memory conditions (#620)
+- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626)
+- fix building on OpenBSD 5.2
+- update default config's defrag settings to reflect all available options
+- fixes to make check
+- fix to SSL record parsing
+
+1.3.3 -- 2012-11-01
+
+- fix drop rules not working correctly when thresholded (#615)
+- fix a false possitive condition in http_header (#606)
+- fix extracted file corruption (#601)
+- fix a false possitive condition with the pcre keyword and relative matching (#588)
+- fix PF_RING set cluster problem on dma interfaces (#598)
+- improve http handling in low memory conditions (#586, #587)
+- fix FreeBSD inline mode crash (#612)
+- suppress pcre jit warning (#579)
+
+1.4beta2 -- 2012-10-04
+
+- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346)
+- Added ability to control per server HTTP parser settings in much more detail (#503)
+- Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
+- Big performance improvement in inspecting decoder, stream and app layer events (#555)
+- Pool performance improvements (#541)
+- Improved performance of signatures with simple pattern setups (#577)
+- Bundled docs are installed upon make install (#527)
+- Support for a number of global vs rule thresholds [3] was added (#425)
+- Improved rule profiling performance
+- If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.
+- Fix compilation on architectures other than x86 and x86_64 (#572)
+- Fix FP with anchored pcre combined with relative matching (#529)
+- Fix engine hanging instead of exitting if the pcap device doesn't exist (#533)
+- Work around for potential FP, will get properly fixed in next release (#574)
+- Improve ERF handling. Thanks to Jason Ish
+- Always set cluster_id in PF_RING
+- IPFW: fix broken broadcast handling
+- AF_PACKET kernel offset issue, IPS fix and cleanup
+- Fix stream engine sometimes resending the same data to app layer
+- Fix multiple issues in HTTP multipart parsing
+- Fixed a lockup at shutdown with NFQ (#537)
+
+1.3.2 -- 2012-10-03
+
+- Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562)
+- Fixed a FN condition with the flow:no_stream option (#575)
+- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
+- Fix multiple issues in HTTP multipart parsing
+- Fix stream engine sometimes resending the same data to app layer
+- Always set cluster_id in PF_RING
+- Defrag: silence some potentially noisy errors/warnings
+- IPFW: fix broken broadcast handling
+- AF_PACKET kernel offset issue
+
+1.4beta1 -- 2012-09-06
+
+- Custom HTTP logging contributed by Ignacio Sanchez (#530)
+- TLS certificate logging and fingerprint computation and keyword (#443)
+- TLS certificate store to disk feature (#444)
+- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
+- AF_PACKET IPS support (#516)
+- Rules can be set to inspect only IPv4 or IPv6 (#494)
+- filesize keyword for matching on sizes of files in HTTP (#489)
+- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
+- NFQ fail open support (#507)
+- Highly experimental lua scripting support for detection
+- Live reloads now supports HTTP rule updates better (#522)
+- AF_PACKET performance improvements (#197, #415)
+- Make defrag more configurable (#517, #528)
+- Improve pool performance (#518)
+- Improve file inspection keywords by adding a separate API (#531)
+- Example threshold.config file provided (#302)
+- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
+- Various spelling corrections by Simon Moon (#533)
+
+1.3.1 -- 2012-08-21
+
+- AF_PACKET performance improvements
+- Defrag engine performance improvements
+- HTTP: add per server options to enable/disable double decoding of URI (#464, #504)
+- Stream engine packet handling for packets with non-standard flag combinations (#508)
+- Improved stream engine handling of packet loss (#523)
+- Stream engine checksum alerting fixed
+- Various rule analyzer fixes (#495, #496, #497)
+- (Rule) profiling fixed and improved (#460, #466)
+- Enforce limit on max-pending-packets (#510)
+- fast_pattern on negated content improved
+- TLS rule keyword parsing issues
+- Windows build fixes (#502)
+- Host OS parsing issues fixed (#499)
+- Reject signatures where content length is bigger than "depth" setting (#505)
+- Removed unused "prune-flows" option
+- Set main thread and live reload thread names (#498)
+
+1.3 -- 2012-07-06
+
+- make live rule reloads optional and disabled by default
+- fix a shutdown bug
+- fix several memory leaks (#492)
+- warn user if global and rule thresholding conflict (#455)
+- set thread names on FreeBSD (Nikolay Denev)
+- Fix PF_RING building on Ubuntu 12.04
+- rule analyzer updates
+- file inspection improvements when dealing with limits (#493)
+
+1.3rc1 -- 2012-06-29
+
+- experimental live rule reload by sending a USR2 signal (#279)
+- AF_PACKET BPF support (#449)
+- AF_PACKET live packet loss counters (#441)
+- Rule analyzer (#349)
+- add pcap workers runmode for use with libpcap wrappers that support load balancing, such as  Napatech's or Myricom's
+- negated filemd5 matching, allowing for md5 whitelisting
+- signatures with depth and/or offset are now checked against packets in addition to the stream (#404)
+- http_cookie keyword now also inspects "Set-Cookie" header (#479)
+- filemd5 keyword no longer depends on log-file output module (#447)
+- http_raw_header keyword inspects original header line terminators (#475)
+- deal with double encoded URI (#464)
+- improved SMB/SMB2/DCERPC robustness
+- ICMPv6 parsing fixes
+- improve HTTP body inspection
+- stream.inline accuracy issues fixed (#339)
+- general stability fixes (#482, #486)
+- missing unittests added (#471)
+- "threshold.conf not found" error made more clear (#446)
+- IPS mode segment logging for Unified2 improved
+
+1.3beta2 -- 2012-06-08
+
+- experimental support for matching on large lists of known file MD5 checksums
+- Improved performance for file_data, http_server_body and http_client_body keywords
+- Improvements to HTTP handling: multipart parsing, gzip decompression
+- Byte_extract can support negative offsets now (#445)
+- Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459)
+- HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454)
+- Improved error reporting when using too long address strings (#451)
+- MD5 calculation improvements for daemon mode and other cases (#449)
+- File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste.
+- Rule parser is made more strict.
+- Unified2 output overhaul, logging individual segments in more cases.
+- detection_filter keyword accuracy problem was fixed (#453)
+- Don't inspect cookie header with http header (#461)
+- Crash with a rule with two byte_extract keywords (#456)
+- SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476)
+- Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452)
+- Improve escaping of some characters in logs (#418)
+- Checksum calculation bugs fixed
+- IPv6 parsing issues fixed. Thanks to Michel Saborde.
+- Endace DAG issues fixed. Thanks to Jason Ish from Endace.
+- Various OpenBSD related fixes.
+- Fixes for bugs found by Coverity source code analyzer.
+
+1.3beta1 -- 2012-04-04
+
+- TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier)
+- Napatech capture card support (contributed by Randy Caldejon -- nPulse)
+- Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste)
+- Test mode: -T option to test the config (#271)
+- Ringbuffer and zero copy support for AF_PACKET
+- Commandline options to list supported app layer protocols and keywords (#344, #414)
+- File extraction for HTTP POST request that do not use multipart bodies
+- On the fly md5 checksum calculation of extracted files
+- Line based file log, in json format
+- Basic support for including other yaml files into the main yaml
+- New multi pattern engine: ac-bs
+- Profiling improvements, added lock profiling code
+- Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys)
+- Unified yaml naming convention, including fallback support (by Nikolay Denev)
+- Improved Endace DAG support (#431, Jason Ish -- Endace)
+- New default runmode: "autofp" (#433)
+- Major rewrite of flow engine, improving scalability.
+- Improved http_stat_msg and http_stat_code keywords (#394)
+- Improved scalability for Tag and Threshold subsystems
+- Made the rule keyword parser much stricter in detecting syntax errors
+- Split "file" output into "file-store" and "file-log" outputs
+- Much improved file extraction
+- CUDA build fixes (#421)
+- Various FP's reported by Rmkml (#403, #405, #411)
+- IPv6 decoding and detection issues (reported by Michel Sarborde)
+- PCAP logging crash (#422)
+- Fixed many (potential) issues with the help of the Coverity source code analyzer
+- Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers
+
+1.2.1 -- 2012-01-20
+
+- fix malformed unified2 records when writing alerts trigger by stream inspection (#402)
+- only force a pseudo packet inspection cycle for TCP streams in a state >= established
+
+1.2 -- 2012-01-19
+
+- improved Windows/CYGWIN path handling (#387)
+- fixed some issues with passing an interface or ip address with -i
+- make live worker runmode threads adhere to the 'detect' cpu affinity settings
+
+1.2rc1 -- 2012-01-11
+
+- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events
+- auto detection of checksum offloading per interface (#311)
+- urilen options to match on raw or normalized URI (#341)
+- flow keyword option "only_stream" and "no_stream"
+- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
+- in IPS mode, reject rules now also drop (#399)
+- http_header now also inspects response headers (#389)
+- "worker" runmodes for NFQ and IPFW
+- performance improvement for "ac" pattern matcher
+- allow empty/non-initialized flowints to be incremented
+- PCRE-JIT is now enabled by default if available (#356)
+- many file inspection and extraction improvements
+- flowbits and flowints are now modified in a post-match action list
+- general performance increasements
+- fixed parsing really high sid numbers >2 Billion (#393)
+- fixed ICMPv6 not matching in IP-only sigs (#363)
+
+1.2beta1 -- 2011-12-19
+
+- File name, type inspection and extraction for HTTP
+- filename, fileext, filemagic and filestore keywords added
+- "file" output for storing extracted files to disk
+- file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241
+- new keyword http_server_body, pcre regex /S option
+- Option to enable/disable core dumping from the suricata.yaml (enabled by default)
+- Human readable size limit settings in suricata.yaml
+- PF_RING bpf support (required PF_RING >= 5.1) (feature #334)
+- tos keyword support (feature #364)
+- IPFW IPS mode does now support multiple divert sockets
+- New IPS running modes, Linux and FreeBSD do now support "worker" and "autofp"
+- Improved alert accuracy in autofp and single runmodes
+- major performance optimizations for the ac-gfbs pattern matcher implementation
+- unified2 output fixes
+- PF_RING supports privilege dropping now (bug #367)
+- Improved detection of duplicate signatures
+
+1.1.1 -- 2011-12-07
+
+- Fix for a error in the smtp parser that could crash Suricata.
+- Fix for AF_PACKET not compiling on modern linux systems like Fedora 16.
+
+1.1 -- 2011-11-10
+
+- CUDA build fixed
+- minor pcap, AF_PACKET and PF_RING fixes (#368)
+- bpf handling fix
+- Windows CYGWIN build
+- more cleanups
+
+1.1rc1 -- 2011-11-03
+
+- extended HTTP request logging for use with (among other things) http_agent for Sguil (#38)
+- AF_PACKET report drop stats on shutdown (#325)
+- new counters in stats.log for flow and stream engines (#348)
+- SMTP parsing code support for BDAT command (#347)
+- HTTP URI normalization no longer converts to lowercase (#362)
+- AF_PACKET works with privileges dropping now (#361)
+- Prelude output for state matches (#264, #355)
+- update of the pattern matching code that should improve accuracy
+- rule parser was made more strict (#295, #312)
+- multiple event suppressions for the same SID was fixed (#366)
+- several accuracy fixes
+- removal of the unified1 output plugins (#353)
+
+1.1beta3 -- 2011-10-25
+
+- af-packet support for high speed packet capture
+- "replace" keyword support (#303)
+- new "workers" runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap
+- added "stream-event" keyword to match on TCP session anomalies
+- support for suppress keyword was added (#274)
+- byte_extract keyword support was added
+- improved handling of timed out TCP sessions in the detection engine
+- unified2 payload logging if detection was in the HTTP state (#264)
+- improved accuracy of the HTTP transaction logging
+- support for larger (64 bit) Flow/Stream memcaps (#332)
+- major speed improvements for PCRE, including support for PCRE JIT
+- support setting flowbits in ip-only rules (#292)
+- performance increases on SSE3+ CPU's
+- overhaul of the packet acquisition subsystem
+- packet based performance profiling subsystem was added
+- TCP SACK support was added to the stream engine
+- updated included libhtp to 0.2.6 which fixes several issues
+
+1.1beta2 -- 2011-04-13
+
+- New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262).
+- Inline mode for the stream engine (#230, #248).
+- New keyword support: nfq_set_mark
+- Included an example decoder-events.rules file
+- api for adding and selecting runmodes was added
+- pcap logging / recording output was added
+- basic SCTP protocol parsing was added
+- more fine grained CPU affinity setting support was added
+- stream engine inspects stream in larger chunks
+- fast_pattern support for http_method content modifier (#255)
+- negation support for isdataat keyword (#257)
+- configurable interval for stats.log updates (#247)
+- new pf_ring runmode was added that scales better
+- pcap live mode now handles the monitor interface going up and down
+- several QA additions to "make check"
+- NFQ (linux inline) mode was improved
+- Alerts classification fix (#275)
+- compiles and runs on big-endian systems (#63)
+- unified2 output works around barnyard2 issues with DLT_RAW + IPv6
+
+1.1beta1 -- 2010-12-21
+
+- New keyword support: http_raw_header, http_stat_msg, http_stat_code.
+- A new default pattern matcher, Aho-Corasick based, that uses much less memory.
+- reference.config support as supplied by ET/ETpro and VRT.
+- Much improved fast_pattern support, including for http_uri, http_client_body, http_header, http_raw_header.
+- Improved parsers, especially the DCERPC parser.
+- Much improved performance & accuracy.
+
+1.0.5 -- 2011-07-25
+
+- Fix stream reassembly bug #300. Thanks to Rmkml for the report.
+- Fix several (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
+
+1.0.4 -- 2011-06-24
+
+- LibHTP updated to 0.2.6
+- Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
+- Large number of (potential) issues fixed after source code scans with the Clang static analizer.
+
+1.0.3 -- 2011-04-13
+
+- Fix broken checksum calculation for TCP/UDP in some cases
+- Fix errors in the byte_test, byte_jump, http_method and http_header keywords
+- Fix a ASN1 parsing issue
+- Improve LibHTP memory handling
+- Fix a defrag issue
+- Fix several stream engine issues
+