diff options
Diffstat (limited to 'framework/src/suricata/ChangeLog')
| -rw-r--r-- | framework/src/suricata/ChangeLog | 855 |
1 files changed, 0 insertions, 855 deletions
diff --git a/framework/src/suricata/ChangeLog b/framework/src/suricata/ChangeLog deleted file mode 100644 index a7e64598..00000000 --- a/framework/src/suricata/ChangeLog +++ /dev/null @@ -1,855 +0,0 @@ -3.0RC1 -- 2015-11-25 - -Bug #1150: TLS store disabled by TLS EVE logging -Bug #1210: global counters in stats.log -Bug #1423: Unix domain log file writer should automatically reconnect if receiving program is restarted. -Bug #1466: Rule reload - Rules won't reload if rule files are listed in an included file. -Bug #1467: Specifying an IPv6 entry before an IPv4 entry in host-os-policy causes ASAN heap-buffer-overflow. -Bug #1472: Should 'goodsigs' be 'goodtotal' when checking if signatures were loaded in detect.c? -Bug #1475: app-layer-modbus: AddressSanitizer error (heap-buffer-overflow) -Bug #1481: Leading whitespace in flowbits variable names -Bug #1482: suricata 2.1 beta4: StoreStateTxFileOnly crashes -Bug #1485: hostbits - leading and trailing spaces are treated as part of the name and direction. -Bug #1488: stream_size <= and >= modifiers function as < and > (equality is not functional) -Bug #1491: pf_ring is not able to capture packets when running under non-root account -Bug #1493: config test (-T) doesn't fail on missing files -Bug #1494: off by one on rulefile count -Bug #1500: suricata.log -Bug #1508: address var parsing issue -Bug #1517: Order dependent, ambiguous YAML in multi-detect. -Bug #1518: multitenancy - selector vlan - vlan id range -Bug #1521: multitenancy - global vlan tracking relation to selector -Bug #1523: Decoded base64 payload short by 16 characters -Bug #1530: multitenant mapping relation -Bug #1531: multitenancy - confusing tenant id and vlan id output -Bug #1556: MTU setting on NIC interface not considered by af-packet -Bug #1557: stream: retransmission not detected -Bug #1565: defrag: evasion issue -Bug #1597: dns parser issue (master) -Bug #1601: tls: server name logging -Feature #1116: ips packet stats in stats.log -Feature #1137: Support IP lists in threshold.config -Feature #1228: Suricata stats.log in JSON format -Feature #1265: Replace response on Suricata dns decoder when dns error please -Feature #1281: long snort ruleset support for "SC_ERR_NOT_SUPPORTED(225): content length greater than 255 unsupported" -Feature #1282: support for base64_decode from snort's ruleset -Feature #1342: Support Cisco erspan traffic -Feature #1374: Write pre-aggregated counters for all threads -Feature #1408: multi tenancy for detection -Feature #1440: Load rules file from a folder or with a star pattern rather then adding them manually to suricata.yaml -Feature #1454: Proposal to add Lumberjack/CEE formatting option to EVE JSON syslog output for compatibility with rsyslog parsing -Feature #1492: Add HUP coverage to output json-log -Feature #1498: color output -Feature #1499: json output for engine messages -Feature #1502: Expose tls fields to lua -Feature #1514: SSH softwareversion regex should allow colon -Feature #1527: Add ability to compile as a Position-Independent Executable (PIE) -Feature #1568: TLS lua output support -Feature #1569: SSH lua support -Feature #1582: Redis output support -Feature #1586: Add flow memcap counter -Feature #1599: rule profiling: json output -Optimization #1269: Convert SM List from linked list to array - -2.1beta4 -- 2015-05-08 - -Bug #1314: http-events performance issues -Bug #1340: null ptr dereference in Suricata v2.1beta2 (output-json.c:347) -Bug #1352: file list is not cleaned up -Bug #1358: Gradual memory leak using reload (kill -USR2 $pid) -Bug #1366: Crash if default_packet_size is below 32 bytes -Bug #1378: stats api doesn't call thread deinit funcs -Bug #1384: tcp midstream window issue (master) -Bug #1388: pcap-file hangs on systems w/o atomics support (master) -Bug #1392: http uri parsing issue (master) -Bug #1393: CentOS 5.11 build failures -Bug #1398: DCERPC traffic parsing issue (master) -Bug #1401: inverted matching on incomplete session -Bug #1402: When re-opening files on HUP (rotation) always use the append flag. -Bug #1417: no rules loaded - latest git - rev e250040 -Bug #1425: dead lock in de_state vs flowints/flowvars -Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled -Bug #1429: stream: last_ack update issue leading to stream gaps -Bug #1435: EVE-Log alert payload option loses data -Bug #1441: Local timestamps in json events -Bug #1446: Unit ID check in Modbus packet error -Bug #1449: smtp parsing issue -Bug #1451: Fix list-keywords regressions -Bug #1463: modbus parsing issue -Feature #336: Add support for NETMAP to Suricata. -Feature #885: smtp file_data support -Feature #1394: Improve TCP reuse support -Feature #1410: add alerts to EVE's drop logs -Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE -Feature #1447: Ability to reject ICMP traffic -Feature #1448: xbits -Optimization #1014: app layer reassembly fast-path -Optimization #1377: flow manager: reduce (try)locking -Optimization #1403: autofp packet pool performance problems -Optimization #1409: http pipeline support for stateful detection - -2.1beta3 -- 2015-01-29 - -Bug #977: WARNING on empty rules file is fatal (should not be) -Bug #1184: pfring: cppcheck warnings -Bug #1321: Flow memuse bookkeeping error -Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master) -Bug #1332: cppcheck: ioctl -Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE) -Bug #1351: output-json: duplicate logging (2.1.x) -Bug #1354: coredumps on quitting on OpenBSD -Bug #1355: Bus error when reading pcap-file on OpenBSD -Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x) -Bug #1365: evasion issues (2.1.x) -Feature #1261: Request for Additional Lua Capabilities -Feature #1309: Lua support for Stats output -Feature #1310: Modbus parsing and matching -Feature #1317: Lua: Indicator for end of flow -Feature #1333: unix-socket: allow (easier) non-root usage -Optimization #1339: flow timeout optimization -Optimization #1339: flow timeout optimization -Optimization #1371: mpm optimization - -2.1beta2 -- 2014-11-06 - -Feature #549: Extract file attachments from emails -Feature #1312: Lua output support -Feature #899: MPLS over Ethernet support -Feature #707: ip reputation files - network range inclusion availability (cidr) -Feature #383: Stream logging -Feature #1263: Lua: Access to Stream Payloads -Feature #1264: Lua: access to TCP quad / Flow Tuple -Bug #1048: PF_RING/DNA config - suricata.yaml -Bug #1230: byte_extract, within combination not working -Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml -Bug #1259: AF_PACKET IPS is broken in 2.1beta1 -Bug #1260: flow logging at shutdown broken -Bug #1279: BUG: NULL pointer dereference when suricata was debug mode. -Bug #1280: BUG: IPv6 address vars issue -Bug #1285: Lua - http.request_line not working (2.1) -Bug #1287: Lua Output has dependency on eve-log:http -Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger -Bug #1294: Configure doesn't use --with-libpcap-libraries when testing PF_RING library -Bug #1301: suricata yaml - PF_RING load balance per hash option -Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master) -Bug #1311: EVE output Unix domain socket not working (2.1) - -2.1beta1 -- 2014-08-12 - -Feature #1155: Log packet payloads in eve alerts -Feature #1208: JSON Output Enhancement - Include Payload(s) -Feature #1248: flow/connection logging -Feature #1258: json: include HTTP info with Alert output -Optimization #1039: Packetpool should be a stack -Optimization #1241: pcap recording: record per thread - -2.0.3 -- 2014-08-08 - -Bug #1236: fix potential crash in http parsing -Bug #1244: ipv6 defrag issue -Bug #1238: Possible evasion in stream-tcp-reassemble.c -Bug #1221: lowercase conversion table missing last value -Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling - -2.0.2 -- 2014-06-25 - -Bug #1098: http_raw_uri with relative pcre parsing issue -Bug #1175: unix socket: valgrind warning -Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3 -Bug #1195: nflog: cppcheck reports memleaks -Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git) -Bug #1211: defrag issue -Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes -Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars -Bug #1217: Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analized via socket -Feature #781: IDS using NFLOG iptables target -Feature #1158: Parser DNS TXT data parsing and logging -Feature #1197: liblua support -Feature #1200: sighup for log rotation - -2.0.1 -- 2014-05-21 - -No changes since 2.0.1rc1 - -2.0.1rc1 -- 2014-05-12 - -Bug #978: clean up app layer parser thread local storage -Bug #1064: Lack of Thread Deinitialization For Decoder Modules -Bug #1101: Segmentation in AppLayerParserGetTxCnt -Bug #1136: negated app-layer-protocol FP on multi-TX flows -Bug #1141: dns response parsing issue -Bug #1142: dns tcp toclient protocol detection -Bug #1143: tls protocol detection in case of tls-alert -Bug #1144: icmpv6: unknown type events for MLD_* types -Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr -Bug #1146: tls: event on 'new session ticket' in handshake -Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET -Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2 -Bug #1161: eve: src and dst mixed up in some cases -Bug #1162: proto-detect: make sure probing parsers for all registered ports are run -Bug #1163: HTP Segfault -Bug #1165: af_packet - one thread consistently not working -Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT) -Bug #1176: AF_PACKET IPS mode is broken in 2.0 -Bug #1177: eve log do not show action 'dropped' just 'allowed' -Bug #1180: Possible problem in stream tracking -Feature #1157: Always create pid file if --pidfile command line option is provided. -Feature #1173: tls: OpenSSL heartbleed detection - -2.0 -- 2014-03-25 - -Bug #1151: tls.store not working when a TLS filter keyword is used - -2.0rc3 -- 2014-03-18 - -Bug #1127: logstash & suricata parsing issue -Bug #1128: Segmentation fault - live rule reload -Bug #1129: pfring cluster & ring initialization -Bug #1130: af-packet flow balancing problems -Bug #1131: eve-log: missing user agent reported inconsistently -Bug #1133: eve-log: http depends on regular http log -Bug #1135: 2.0rc2 release doesn't set optimization flag on GCC -Bug #1138: alert fastlog drop info missing - -2.0rc2 -- 2014-03-06 - -Bug #611: fp: rule with ports matching on portless proto -Bug #985: default config generates rule warnings and errors -Bug #1021: 1.4.6: conf_filename not checked before use -Bug #1089: SMTP: move depends on uninitialised value -Bug #1090: FTP: Memory Leak -Bug #1091: TLS-Handshake: Uninitialized value -Bug #1092: HTTP: Memory Leak -Bug #1108: suricata.yaml config parameter - segfault -Bug #1109: PF_RING vlan handling -Bug #1110: Can have the same Pattern ID (pid) for the same pattern but different case flags -Bug #1111: capture stats at exit incorrect -Bug #1112: tls-events.rules file missing -Bug #1115: nfq: exit stats not working -Bug #1120: segv with pfring/afpacket and eve-log enabled -Bug #1121: crash in eve-log -Bug #1124: ipfw build broken -Feature #952: Add VLAN tag ID to all outputs -Feature #953: Add QinQ tag ID to all outputs -Feature #1012: Introduce SSH log -Feature #1118: app-layer protocols http memcap - info in verbose mode (-v) -Feature #1119: restore SSH protocol detection and parser - -2.0rc1 -- 2014-02-13 - -Bug #839: http events alert multiple times -Bug #954: VLAN decoder stats with AF Packet get written to the first thread only - stats.log -Bug #980: memory leak in http buffers at shutdown -Bug #1066: logger API's for packet based logging and tx based logging -Bug #1068: format string issues with size_t + qa not catching them -Bug #1072: Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault -Bug #1073: radix tree lookups are not thread safe -Bug #1075: CUDA 5.5 doesn't compile with 2.0 beta 2 -Bug #1079: Err loading rules with variables that contain negated content. -Bug #1080: segfault - 2.0dev (rev 6e389a1) -Bug #1081: 100% CPU utilization with suricata 2.0 beta2+ -Bug #1082: af-packet vlan handling is broken -Bug #1103: stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets -Bug #1104: vlan tagged fragmentation -Bug #1106: Git compile fails on Ubuntu Lucid -Bug #1107: flow timeout causes decoders to run on pseudo packets -Feature #424: App layer registration cleanup - Support specifying same alproto names in rules for different ip protocols -Feature #542: TLS JSON output -Feature #597: case insensitive fileext match -Feature #772: JSON output for alerts -Feature #814: QinQ tag flow support -Feature #894: clean up output -Feature #921: Override conf parameters -Feature #1007: united output -Feature #1040: Suricata should compile with -Werror -Feature #1067: memcap for http inside suricata -Feature #1086: dns memcap -Feature #1093: stream: configurable segment pools -Feature #1102: Add a decoder.QinQ stats in stats.log -Feature #1105: Detect icmpv6 on ipv4 - -2.0beta2 -- 2013-12-18 - -Bug #463: Suricata not fire on http reply detect if request are not http -Bug #640: app-layer-event:http.host_header_ambiguous set when it shouldn't -Bug #714: some logs not created in daemon mode -Bug #810: Alerts on http traffic storing the wrong packet as the IDS event payload -Bug #815: address parsing with negation -Bug #820: several issues found by clang 3.2 -Bug #837: Af-packet statistics inconsistent under very high traffic -Bug #882: MpmACCudaRegister shouldn't call PatternMatchDefaultMatcher -Bug #887: http.log printing unknown hostname most of the time -Bug #890: af-packet segv -Bug #892: detect-engine.profile - custom - does not err out in incorrect toclient/srv values - suricata.yaml -Bug #895: response: rst packet bug -Bug #896: pfring dna mode issue -Bug #897: make install-full fails if wget is missing -Bug #903: libhtp valgrind warning -Bug #907: icmp_seq and icmp_id keyword with icmpv6 traffic (master) -Bug #910: make check fails w/o sudo/root privs -Bug #911: HUP signal -Bug #912: 1.4.3: Unit test in util-debug.c: line too long. -Bug #914: Having a high number of pickup queues (216+) makes suricata crash -Bug #915: 1.4.3: log-pcap.c: crash on printing a null filename -Bug #917: 1.4.5: decode-ipv6.c: void function cannot return value -Bug #920: Suricata failed to parse address -Bug #922: trackers value in suricata.yaml -Bug #925: prealloc-sessions value bigger than allowed in suricata.yaml -Bug #926: prealloc host value in suricata.yaml -Bug #927: detect-thread-ratio given a non numeric value in suricata.yaml -Bug #928: Max number of threads -Bug #932: wrong IP version - on stacked layers -Bug #939: thread name buffers are sized inconsistently -Bug #943: pfring: see if we can report that the module is not loaded -Bug #948: apple ppc64 build broken: thread-local storage not supported for this target -Bug #958: SSL parsing issue (master) -Bug #963: XFF compile failure on OSX -Bug #964: Modify negated content handling -Bug #967: threshold rule clobbers suppress rules -Bug #968: unified2 not logging tagged packets -Bug #970: AC memory read error -Bug #973: Use different ids for content patterns which are the same, but one of them has a fast_pattern chop set on it. -Bug #976: ip_rep supplying different no of alerts for 2 different but semantically similar rules -Bug #979: clean up app layer protocol detection memory -Bug #982: http events missing -Bug #987: default config generates error(s) -Bug #988: suricata don't exit in live mode -Bug #989: Segfault in HTPStateGetTxCnt after a few minutes -Bug #991: threshold mem leak -Bug #994: valgrind warnings in unittests -Bug #995: tag keyword: tagging sessions per time is broken -Bug #998: rule reload triggers app-layer-event FP's -Bug #999: delayed detect inits thresholds before de_ctx -Bug #1003: Segmentation fault -Bug #1023: block rule reloads during delayed detect init -Bug #1026: pfring: update configure to link with -lrt -Bug #1031: Fix IPv6 stream pseudo packets -Bug #1035: http uri/query normalization normalizes 'plus' sign to space -Bug #1042: Can't match "emailAddress" field in tls.subject and tls.issuerdn -Bug #1061: Multiple flowbit set in one rule -Feature #234: add option disable/enable individual app layer protocol inspection modules -Feature #417: ip fragmentation time out feature in yaml -Feature #478: XFF (X-Forwarded-For) -Feature #602: availability for http.log output - identical to apache log format -Feature #622: Specify number of pf_ring/af_packet receive threads on the command line -Feature #727: Explore the support for negated alprotos in sigs. -Feature #746: Decoding API modification -Feature #751: Add invalid packet counter -Feature #752: Improve checksum detection algorithm -Feature #789: Clean-up start and stop code -Feature #813: VLAN flow support -Feature #878: add storage api -Feature #901: VLAN defrag support -Feature #904: store tx id when generating an alert -Feature #940: randomize http body chunks sizes -Feature #944: detect nic offloading -Feature #956: Implement IPv6 reject -Feature #957: reject: iface setup -Feature #959: Move post config initialisation code to PostConfLoadedSetup -Feature #981: Update all switch case fall throughs with comments on false throughs -Feature #983: Provide rule support for specifying icmpv4 and icmpv6. -Feature #986: set htp request and response size limits -Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments -Feature #1009: Yaml file inclusion support -Feature #1032: profiling: per keyword stats -Optimization #583: improve Packet_ structure layout -Optimization #1018: clean up counters api -Optimization #1041: remove mkinstalldirs from git - -2.0beta1 -- 2013-07-18 - -- Luajit flow vars and flow ints support (#593) -- DNS parser, logger and keyword support (#792), funded by Emerging Threats -- deflate support for HTTP response bodies (#470, #775) -- update to libhtp 0.5 (#775) -- improved gzip support for HTTP response bodies (#470, #775) -- redesigned transaction handling, improving both accuracy and performance (#753) -- redesigned CUDA support (#729) -- Be sure to always apply verdict to NFQ packet (#769) -- stream engine: SACK allocs should adhere to memcap (#794) -- stream: deal with multiple different SYN/ACK's better (#796) -- stream: Randomize stream chunk size for raw stream inspection (#804) -- Introduce per stream thread ssn pool (#519) -- "pass" IP-only rules should bypass detection engine after matching (#718) -- Generate error if bpf is used in IPS mode (#777) -- Add support for batch verdicts in NFQ, thanks to Florian Westphal -- Update Doxygen config, thanks to Phil Schroeder -- Improve libnss detection, thanks to Christian Kreibich -- Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml -- OS X unix socket build fixed (#830) -- bytetest, bytejump and byteextract negative offset failure (#827) -- Fix fast.log formatting issues (#771), thanks to Rmkml -- Invalidate negative depth (#774), thanks to Rmkml -- Fixed accuracy issues with relative pcre matching (#791) -- Fix deadlock in flowvar capture code (#802) -- Improved accuracy of file_data keyword (#817) -- Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy -- stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau - -1.4.4 -- 2013-07-18 - -- Bug #834: Unix socket - showing as compiled when it is not desired to do so -- Bug #835: Unix Socket not working as expected -- Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present -- Bug #846: FP on IP frag and sig use udp port 0, thanks to Rmkml -- Bug #864: backport packet action macro's -- Bug #876: htp tunnel fix -- Bug #877: Flowbit check with content doesn't match consistently, thanks to Francis Trudeau - -1.4.3 -- 2013-06-20 - -- Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828) -- Fix IPS mode being unable to drop tunneled packets (#826) -- Fix OS X Unix Socket build (#829) - -1.4.2 -- 2013-05-29 - -- No longer force nocase to be used on http_host -- Invalidate rule if uppercase content is used for http_host w/o nocase -- Warn user if bpf is used in af-packet IPS mode -- Better test for available libjansson version -- Fixed accuracy issues with relative pcre matching (#784) -- Improved accuracy of file_data keyword (#788) -- Invalidate negative depth (#770) -- Fix http host parsing for IPv6 addresses (#761) -- Fix fast.log formatting issues (#773) -- Fixed deadlock in flowvar set code for http buffers (#801) -- Various signature ordering improvements -- Minor stream engine fix - -1.4.1 -- 2013-03-08 - -- GeoIP keyword, allowing matching on Maxmind's database, contributed by Ignacio Sanchez (#559) -- Introduce http_host and http_raw_host keywords (#733, #743) -- Add python module for interacting with unix socket (#767) -- Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765) -- Big Napatech support update by Matt Keeler -- Configurable sensor id in unified2 output, contributed by Jake Gionet (#667) -- FreeBSD IPFW fixes by Nikolay Denev -- Add "default" interface setting to capture configuration in yaml (#679) -- Make sure "snaplen" can be set by the user (#680) -- Improve HTTP URI query string normalization (#739) -- Improved error reporting in MD5 loading (#693) -- Improve reference.config parser error reporting (#737) -- Improve build info output to include all configure options (#738) -- Segfault in TLS parsing reported by Charles Smutz (#725) -- Fix crash in teredo decoding, reported by Rmkml (#736) -- fixed UDPv4 packets without checksum being detected as invalid (#760) -- fixed DCE/SMB parsers getting confused in some fragmented cases (#764) -- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697) -- FN: IP-only rule ip_proto not matching for some protocols (#689) -- Fix build failure with other libhtp installs (#688) -- Fix malformed yaml loading leading to a crash (#694) -- Various Mac OS X fixes (#700, #701, #703) -- Fix for autotools on Mac OS X by Jason Ish (#704) -- Fix AF_PACKET under high load not updating stats (#706) - -1.3.6 -- 2013-03-07 - -- fix decoder event rules not checked in all cases (#671) -- checksum detection for icmpv6 was fixed (#673) -- crash in HTTP server body inspection code fixed (#675) -- fixed a icmpv6 payload bug (#676) -- IP-only rule ip_proto not matching for some protocols was addressed (#690) -- fixed malformed yaml crashing suricata (#702) -- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717) -- crash in tls parser was fixed (#759) -- fixed UDPv4 packets without checksum being detected as invalid (#762) -- fixed DCE/SMB parsers getting confused in some fragmented cases (#763) - -1.4 2012-12-13 - -- Decoder event matching fixed (#672) -- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665) -- Add more events to IPv6 extension header anomolies (#678) -- Fix ICMPv6 payload and checksum calculation (#677, #674) -- Clean up flow timeout handling (#656) -- Fix a shutdown bug when using AF_PACKET under high load (#653) -- Fix TCP sessions being cleaned up to early (#652) - -1.3.5 2012-12-06 - -- Flow engine memory leak fixed by Ludovico Cavedon (#651) -- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664) -- Flow manager mutex used unintialized, fixed by Ludovico Cavedon (#654) -- Windows building in CYGWIN fixed (#630) - -1.4rc1 2012-11-29 - -- Interactive unix socket mode (#571, #552) -- IP Reputation: loading and matching (#647) -- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435) -- Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494) -- User-Agent added to file log and filestore meta files (#629) -- Endace DAG supports live stats and at exit drop stats (#638) -- Add support for libhtp event "request port doesn't match tcp port" (#650) -- Rules with negated addresses will not be considered IP-only (#599) -- Rule reloads complete much faster in low traffic conditions (#526) -- Suricata -h now displays all available options (#419) -- Luajit configure time detection was improved (#636) -- Flow manager mutex used w/o initialization (#628) -- Cygwin work around for windows shell mangling interface string (#372) -- Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648) -- CLANG compiler build fixes (#649) -- Several fixes found by code analyzers - -1.4beta3 2012-11-14 - -- support for Napatech cards was greatly improved by Matt Keeler from Npulse (#430, #619) -- support for pkt_data keyword was added -- user and group to run as can now be set in the config file -- make HTTP request and response body inspection sizes configurable per HTTP server config (#560) -- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625) -- add contrib directory to the dist (#567) -- performance improvements to signatures with dsize option -- improved rule analyzer: print fast_pattern along with the rule (#558) -- fixes to stream engine reducing the number of events generated (#604) -- add stream event to match on overlaps with different data in stream reassembly (#603) -- stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592) -- HTTP handling in OOM condition was greatly improved (#557) -- filemagic keyword performance was improved (#585) -- fixes and improvements to daemon mode (#624) -- fix drop rules not working correctly when thresholded (#613) -- fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581) -- fix a false possitive condition in http_header (#607) -- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627) -- fixes to rule profiling (#576) -- cleanups and misc fixes (#379, #395) -- updated bundled libhtp to 0.2.11 -- build system improvements and cleanups -- fix to SSL record parsing - -1.3.4 -- 2012-11-14 - -- fix crash in flow and host engines in cases of low memory or low memcap settings (#617) -- improve http handling in low memory conditions (#620) -- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626) -- fix building on OpenBSD 5.2 -- update default config's defrag settings to reflect all available options -- fixes to make check -- fix to SSL record parsing - -1.3.3 -- 2012-11-01 - -- fix drop rules not working correctly when thresholded (#615) -- fix a false possitive condition in http_header (#606) -- fix extracted file corruption (#601) -- fix a false possitive condition with the pcre keyword and relative matching (#588) -- fix PF_RING set cluster problem on dma interfaces (#598) -- improve http handling in low memory conditions (#586, #587) -- fix FreeBSD inline mode crash (#612) -- suppress pcre jit warning (#579) - -1.4beta2 -- 2012-10-04 - -- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346) -- Added ability to control per server HTTP parser settings in much more detail (#503) -- Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540) -- Big performance improvement in inspecting decoder, stream and app layer events (#555) -- Pool performance improvements (#541) -- Improved performance of signatures with simple pattern setups (#577) -- Bundled docs are installed upon make install (#527) -- Support for a number of global vs rule thresholds [3] was added (#425) -- Improved rule profiling performance -- If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded. -- Fix compilation on architectures other than x86 and x86_64 (#572) -- Fix FP with anchored pcre combined with relative matching (#529) -- Fix engine hanging instead of exitting if the pcap device doesn't exist (#533) -- Work around for potential FP, will get properly fixed in next release (#574) -- Improve ERF handling. Thanks to Jason Ish -- Always set cluster_id in PF_RING -- IPFW: fix broken broadcast handling -- AF_PACKET kernel offset issue, IPS fix and cleanup -- Fix stream engine sometimes resending the same data to app layer -- Fix multiple issues in HTTP multipart parsing -- Fixed a lockup at shutdown with NFQ (#537) - -1.3.2 -- 2012-10-03 - -- Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562) -- Fixed a FN condition with the flow:no_stream option (#575) -- Fix building of perf profiling code on i386 platform. By Simon Moon (#534) -- Fix multiple issues in HTTP multipart parsing -- Fix stream engine sometimes resending the same data to app layer -- Always set cluster_id in PF_RING -- Defrag: silence some potentially noisy errors/warnings -- IPFW: fix broken broadcast handling -- AF_PACKET kernel offset issue - -1.4beta1 -- 2012-09-06 - -- Custom HTTP logging contributed by Ignacio Sanchez (#530) -- TLS certificate logging and fingerprint computation and keyword (#443) -- TLS certificate store to disk feature (#444) -- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480) -- AF_PACKET IPS support (#516) -- Rules can be set to inspect only IPv4 or IPv6 (#494) -- filesize keyword for matching on sizes of files in HTTP (#489) -- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522) -- NFQ fail open support (#507) -- Highly experimental lua scripting support for detection -- Live reloads now supports HTTP rule updates better (#522) -- AF_PACKET performance improvements (#197, #415) -- Make defrag more configurable (#517, #528) -- Improve pool performance (#518) -- Improve file inspection keywords by adding a separate API (#531) -- Example threshold.config file provided (#302) -- Fix building of perf profiling code on i386 platform. By Simon Moon (#534) -- Various spelling corrections by Simon Moon (#533) - -1.3.1 -- 2012-08-21 - -- AF_PACKET performance improvements -- Defrag engine performance improvements -- HTTP: add per server options to enable/disable double decoding of URI (#464, #504) -- Stream engine packet handling for packets with non-standard flag combinations (#508) -- Improved stream engine handling of packet loss (#523) -- Stream engine checksum alerting fixed -- Various rule analyzer fixes (#495, #496, #497) -- (Rule) profiling fixed and improved (#460, #466) -- Enforce limit on max-pending-packets (#510) -- fast_pattern on negated content improved -- TLS rule keyword parsing issues -- Windows build fixes (#502) -- Host OS parsing issues fixed (#499) -- Reject signatures where content length is bigger than "depth" setting (#505) -- Removed unused "prune-flows" option -- Set main thread and live reload thread names (#498) - -1.3 -- 2012-07-06 - -- make live rule reloads optional and disabled by default -- fix a shutdown bug -- fix several memory leaks (#492) -- warn user if global and rule thresholding conflict (#455) -- set thread names on FreeBSD (Nikolay Denev) -- Fix PF_RING building on Ubuntu 12.04 -- rule analyzer updates -- file inspection improvements when dealing with limits (#493) - -1.3rc1 -- 2012-06-29 - -- experimental live rule reload by sending a USR2 signal (#279) -- AF_PACKET BPF support (#449) -- AF_PACKET live packet loss counters (#441) -- Rule analyzer (#349) -- add pcap workers runmode for use with libpcap wrappers that support load balancing, such as Napatech's or Myricom's -- negated filemd5 matching, allowing for md5 whitelisting -- signatures with depth and/or offset are now checked against packets in addition to the stream (#404) -- http_cookie keyword now also inspects "Set-Cookie" header (#479) -- filemd5 keyword no longer depends on log-file output module (#447) -- http_raw_header keyword inspects original header line terminators (#475) -- deal with double encoded URI (#464) -- improved SMB/SMB2/DCERPC robustness -- ICMPv6 parsing fixes -- improve HTTP body inspection -- stream.inline accuracy issues fixed (#339) -- general stability fixes (#482, #486) -- missing unittests added (#471) -- "threshold.conf not found" error made more clear (#446) -- IPS mode segment logging for Unified2 improved - -1.3beta2 -- 2012-06-08 - -- experimental support for matching on large lists of known file MD5 checksums -- Improved performance for file_data, http_server_body and http_client_body keywords -- Improvements to HTTP handling: multipart parsing, gzip decompression -- Byte_extract can support negative offsets now (#445) -- Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459) -- HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454) -- Improved error reporting when using too long address strings (#451) -- MD5 calculation improvements for daemon mode and other cases (#449) -- File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste. -- Rule parser is made more strict. -- Unified2 output overhaul, logging individual segments in more cases. -- detection_filter keyword accuracy problem was fixed (#453) -- Don't inspect cookie header with http header (#461) -- Crash with a rule with two byte_extract keywords (#456) -- SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476) -- Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452) -- Improve escaping of some characters in logs (#418) -- Checksum calculation bugs fixed -- IPv6 parsing issues fixed. Thanks to Michel Saborde. -- Endace DAG issues fixed. Thanks to Jason Ish from Endace. -- Various OpenBSD related fixes. -- Fixes for bugs found by Coverity source code analyzer. - -1.3beta1 -- 2012-04-04 - -- TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier) -- Napatech capture card support (contributed by Randy Caldejon -- nPulse) -- Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste) -- Test mode: -T option to test the config (#271) -- Ringbuffer and zero copy support for AF_PACKET -- Commandline options to list supported app layer protocols and keywords (#344, #414) -- File extraction for HTTP POST request that do not use multipart bodies -- On the fly md5 checksum calculation of extracted files -- Line based file log, in json format -- Basic support for including other yaml files into the main yaml -- New multi pattern engine: ac-bs -- Profiling improvements, added lock profiling code -- Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys) -- Unified yaml naming convention, including fallback support (by Nikolay Denev) -- Improved Endace DAG support (#431, Jason Ish -- Endace) -- New default runmode: "autofp" (#433) -- Major rewrite of flow engine, improving scalability. -- Improved http_stat_msg and http_stat_code keywords (#394) -- Improved scalability for Tag and Threshold subsystems -- Made the rule keyword parser much stricter in detecting syntax errors -- Split "file" output into "file-store" and "file-log" outputs -- Much improved file extraction -- CUDA build fixes (#421) -- Various FP's reported by Rmkml (#403, #405, #411) -- IPv6 decoding and detection issues (reported by Michel Sarborde) -- PCAP logging crash (#422) -- Fixed many (potential) issues with the help of the Coverity source code analyzer -- Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers - -1.2.1 -- 2012-01-20 - -- fix malformed unified2 records when writing alerts trigger by stream inspection (#402) -- only force a pseudo packet inspection cycle for TCP streams in a state >= established - -1.2 -- 2012-01-19 - -- improved Windows/CYGWIN path handling (#387) -- fixed some issues with passing an interface or ip address with -i -- make live worker runmode threads adhere to the 'detect' cpu affinity settings - -1.2rc1 -- 2012-01-11 - -- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events -- auto detection of checksum offloading per interface (#311) -- urilen options to match on raw or normalized URI (#341) -- flow keyword option "only_stream" and "no_stream" -- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250) -- in IPS mode, reject rules now also drop (#399) -- http_header now also inspects response headers (#389) -- "worker" runmodes for NFQ and IPFW -- performance improvement for "ac" pattern matcher -- allow empty/non-initialized flowints to be incremented -- PCRE-JIT is now enabled by default if available (#356) -- many file inspection and extraction improvements -- flowbits and flowints are now modified in a post-match action list -- general performance increasements -- fixed parsing really high sid numbers >2 Billion (#393) -- fixed ICMPv6 not matching in IP-only sigs (#363) - -1.2beta1 -- 2011-12-19 - -- File name, type inspection and extraction for HTTP -- filename, fileext, filemagic and filestore keywords added -- "file" output for storing extracted files to disk -- file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241 -- new keyword http_server_body, pcre regex /S option -- Option to enable/disable core dumping from the suricata.yaml (enabled by default) -- Human readable size limit settings in suricata.yaml -- PF_RING bpf support (required PF_RING >= 5.1) (feature #334) -- tos keyword support (feature #364) -- IPFW IPS mode does now support multiple divert sockets -- New IPS running modes, Linux and FreeBSD do now support "worker" and "autofp" -- Improved alert accuracy in autofp and single runmodes -- major performance optimizations for the ac-gfbs pattern matcher implementation -- unified2 output fixes -- PF_RING supports privilege dropping now (bug #367) -- Improved detection of duplicate signatures - -1.1.1 -- 2011-12-07 - -- Fix for a error in the smtp parser that could crash Suricata. -- Fix for AF_PACKET not compiling on modern linux systems like Fedora 16. - -1.1 -- 2011-11-10 - -- CUDA build fixed -- minor pcap, AF_PACKET and PF_RING fixes (#368) -- bpf handling fix -- Windows CYGWIN build -- more cleanups - -1.1rc1 -- 2011-11-03 - -- extended HTTP request logging for use with (among other things) http_agent for Sguil (#38) -- AF_PACKET report drop stats on shutdown (#325) -- new counters in stats.log for flow and stream engines (#348) -- SMTP parsing code support for BDAT command (#347) -- HTTP URI normalization no longer converts to lowercase (#362) -- AF_PACKET works with privileges dropping now (#361) -- Prelude output for state matches (#264, #355) -- update of the pattern matching code that should improve accuracy -- rule parser was made more strict (#295, #312) -- multiple event suppressions for the same SID was fixed (#366) -- several accuracy fixes -- removal of the unified1 output plugins (#353) - -1.1beta3 -- 2011-10-25 - -- af-packet support for high speed packet capture -- "replace" keyword support (#303) -- new "workers" runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap -- added "stream-event" keyword to match on TCP session anomalies -- support for suppress keyword was added (#274) -- byte_extract keyword support was added -- improved handling of timed out TCP sessions in the detection engine -- unified2 payload logging if detection was in the HTTP state (#264) -- improved accuracy of the HTTP transaction logging -- support for larger (64 bit) Flow/Stream memcaps (#332) -- major speed improvements for PCRE, including support for PCRE JIT -- support setting flowbits in ip-only rules (#292) -- performance increases on SSE3+ CPU's -- overhaul of the packet acquisition subsystem -- packet based performance profiling subsystem was added -- TCP SACK support was added to the stream engine -- updated included libhtp to 0.2.6 which fixes several issues - -1.1beta2 -- 2011-04-13 - -- New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262). -- Inline mode for the stream engine (#230, #248). -- New keyword support: nfq_set_mark -- Included an example decoder-events.rules file -- api for adding and selecting runmodes was added -- pcap logging / recording output was added -- basic SCTP protocol parsing was added -- more fine grained CPU affinity setting support was added -- stream engine inspects stream in larger chunks -- fast_pattern support for http_method content modifier (#255) -- negation support for isdataat keyword (#257) -- configurable interval for stats.log updates (#247) -- new pf_ring runmode was added that scales better -- pcap live mode now handles the monitor interface going up and down -- several QA additions to "make check" -- NFQ (linux inline) mode was improved -- Alerts classification fix (#275) -- compiles and runs on big-endian systems (#63) -- unified2 output works around barnyard2 issues with DLT_RAW + IPv6 - -1.1beta1 -- 2010-12-21 - -- New keyword support: http_raw_header, http_stat_msg, http_stat_code. -- A new default pattern matcher, Aho-Corasick based, that uses much less memory. -- reference.config support as supplied by ET/ETpro and VRT. -- Much improved fast_pattern support, including for http_uri, http_client_body, http_header, http_raw_header. -- Improved parsers, especially the DCERPC parser. -- Much improved performance & accuracy. - -1.0.5 -- 2011-07-25 - -- Fix stream reassembly bug #300. Thanks to Rmkml for the report. -- Fix several (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat. - -1.0.4 -- 2011-06-24 - -- LibHTP updated to 0.2.6 -- Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat. -- Large number of (potential) issues fixed after source code scans with the Clang static analizer. - -1.0.3 -- 2011-04-13 - -- Fix broken checksum calculation for TCP/UDP in some cases -- Fix errors in the byte_test, byte_jump, http_method and http_header keywords -- Fix a ASN1 parsing issue -- Improve LibHTP memory handling -- Fix a defrag issue -- Fix several stream engine issues - |