1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
|
2.1beta4 -- 2015-05-08
Bug #1314: http-events performance issues
Bug #1340: null ptr dereference in Suricata v2.1beta2 (output-json.c:347)
Bug #1352: file list is not cleaned up
Bug #1358: Gradual memory leak using reload (kill -USR2 $pid)
Bug #1366: Crash if default_packet_size is below 32 bytes
Bug #1378: stats api doesn't call thread deinit funcs
Bug #1384: tcp midstream window issue (master)
Bug #1388: pcap-file hangs on systems w/o atomics support (master)
Bug #1392: http uri parsing issue (master)
Bug #1393: CentOS 5.11 build failures
Bug #1398: DCERPC traffic parsing issue (master)
Bug #1401: inverted matching on incomplete session
Bug #1402: When re-opening files on HUP (rotation) always use the append flag.
Bug #1417: no rules loaded - latest git - rev e250040
Bug #1425: dead lock in de_state vs flowints/flowvars
Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled
Bug #1429: stream: last_ack update issue leading to stream gaps
Bug #1435: EVE-Log alert payload option loses data
Bug #1441: Local timestamps in json events
Bug #1446: Unit ID check in Modbus packet error
Bug #1449: smtp parsing issue
Bug #1451: Fix list-keywords regressions
Bug #1463: modbus parsing issue
Feature #336: Add support for NETMAP to Suricata.
Feature #885: smtp file_data support
Feature #1394: Improve TCP reuse support
Feature #1410: add alerts to EVE's drop logs
Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE
Feature #1447: Ability to reject ICMP traffic
Feature #1448: xbits
Optimization #1014: app layer reassembly fast-path
Optimization #1377: flow manager: reduce (try)locking
Optimization #1403: autofp packet pool performance problems
Optimization #1409: http pipeline support for stateful detection
2.1beta3 -- 2015-01-29
Bug #977: WARNING on empty rules file is fatal (should not be)
Bug #1184: pfring: cppcheck warnings
Bug #1321: Flow memuse bookkeeping error
Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
Bug #1332: cppcheck: ioctl
Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
Bug #1351: output-json: duplicate logging (2.1.x)
Bug #1354: coredumps on quitting on OpenBSD
Bug #1355: Bus error when reading pcap-file on OpenBSD
Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x)
Bug #1365: evasion issues (2.1.x)
Feature #1261: Request for Additional Lua Capabilities
Feature #1309: Lua support for Stats output
Feature #1310: Modbus parsing and matching
Feature #1317: Lua: Indicator for end of flow
Feature #1333: unix-socket: allow (easier) non-root usage
Optimization #1339: flow timeout optimization
Optimization #1339: flow timeout optimization
Optimization #1371: mpm optimization
2.1beta2 -- 2014-11-06
Feature #549: Extract file attachments from emails
Feature #1312: Lua output support
Feature #899: MPLS over Ethernet support
Feature #707: ip reputation files - network range inclusion availability (cidr)
Feature #383: Stream logging
Feature #1263: Lua: Access to Stream Payloads
Feature #1264: Lua: access to TCP quad / Flow Tuple
Bug #1048: PF_RING/DNA config - suricata.yaml
Bug #1230: byte_extract, within combination not working
Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml
Bug #1259: AF_PACKET IPS is broken in 2.1beta1
Bug #1260: flow logging at shutdown broken
Bug #1279: BUG: NULL pointer dereference when suricata was debug mode.
Bug #1280: BUG: IPv6 address vars issue
Bug #1285: Lua - http.request_line not working (2.1)
Bug #1287: Lua Output has dependency on eve-log:http
Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger
Bug #1294: Configure doesn't use --with-libpcap-libraries when testing PF_RING library
Bug #1301: suricata yaml - PF_RING load balance per hash option
Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master)
Bug #1311: EVE output Unix domain socket not working (2.1)
2.1beta1 -- 2014-08-12
Feature #1155: Log packet payloads in eve alerts
Feature #1208: JSON Output Enhancement - Include Payload(s)
Feature #1248: flow/connection logging
Feature #1258: json: include HTTP info with Alert output
Optimization #1039: Packetpool should be a stack
Optimization #1241: pcap recording: record per thread
2.0.3 -- 2014-08-08
Bug #1236: fix potential crash in http parsing
Bug #1244: ipv6 defrag issue
Bug #1238: Possible evasion in stream-tcp-reassemble.c
Bug #1221: lowercase conversion table missing last value
Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling
2.0.2 -- 2014-06-25
Bug #1098: http_raw_uri with relative pcre parsing issue
Bug #1175: unix socket: valgrind warning
Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3
Bug #1195: nflog: cppcheck reports memleaks
Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git)
Bug #1211: defrag issue
Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes
Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars
Bug #1217: Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analized via socket
Feature #781: IDS using NFLOG iptables target
Feature #1158: Parser DNS TXT data parsing and logging
Feature #1197: liblua support
Feature #1200: sighup for log rotation
2.0.1 -- 2014-05-21
No changes since 2.0.1rc1
2.0.1rc1 -- 2014-05-12
Bug #978: clean up app layer parser thread local storage
Bug #1064: Lack of Thread Deinitialization For Decoder Modules
Bug #1101: Segmentation in AppLayerParserGetTxCnt
Bug #1136: negated app-layer-protocol FP on multi-TX flows
Bug #1141: dns response parsing issue
Bug #1142: dns tcp toclient protocol detection
Bug #1143: tls protocol detection in case of tls-alert
Bug #1144: icmpv6: unknown type events for MLD_* types
Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr
Bug #1146: tls: event on 'new session ticket' in handshake
Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET
Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2
Bug #1161: eve: src and dst mixed up in some cases
Bug #1162: proto-detect: make sure probing parsers for all registered ports are run
Bug #1163: HTP Segfault
Bug #1165: af_packet - one thread consistently not working
Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT)
Bug #1176: AF_PACKET IPS mode is broken in 2.0
Bug #1177: eve log do not show action 'dropped' just 'allowed'
Bug #1180: Possible problem in stream tracking
Feature #1157: Always create pid file if --pidfile command line option is provided.
Feature #1173: tls: OpenSSL heartbleed detection
2.0 -- 2014-03-25
Bug #1151: tls.store not working when a TLS filter keyword is used
2.0rc3 -- 2014-03-18
Bug #1127: logstash & suricata parsing issue
Bug #1128: Segmentation fault - live rule reload
Bug #1129: pfring cluster & ring initialization
Bug #1130: af-packet flow balancing problems
Bug #1131: eve-log: missing user agent reported inconsistently
Bug #1133: eve-log: http depends on regular http log
Bug #1135: 2.0rc2 release doesn't set optimization flag on GCC
Bug #1138: alert fastlog drop info missing
2.0rc2 -- 2014-03-06
Bug #611: fp: rule with ports matching on portless proto
Bug #985: default config generates rule warnings and errors
Bug #1021: 1.4.6: conf_filename not checked before use
Bug #1089: SMTP: move depends on uninitialised value
Bug #1090: FTP: Memory Leak
Bug #1091: TLS-Handshake: Uninitialized value
Bug #1092: HTTP: Memory Leak
Bug #1108: suricata.yaml config parameter - segfault
Bug #1109: PF_RING vlan handling
Bug #1110: Can have the same Pattern ID (pid) for the same pattern but different case flags
Bug #1111: capture stats at exit incorrect
Bug #1112: tls-events.rules file missing
Bug #1115: nfq: exit stats not working
Bug #1120: segv with pfring/afpacket and eve-log enabled
Bug #1121: crash in eve-log
Bug #1124: ipfw build broken
Feature #952: Add VLAN tag ID to all outputs
Feature #953: Add QinQ tag ID to all outputs
Feature #1012: Introduce SSH log
Feature #1118: app-layer protocols http memcap - info in verbose mode (-v)
Feature #1119: restore SSH protocol detection and parser
2.0rc1 -- 2014-02-13
Bug #839: http events alert multiple times
Bug #954: VLAN decoder stats with AF Packet get written to the first thread only - stats.log
Bug #980: memory leak in http buffers at shutdown
Bug #1066: logger API's for packet based logging and tx based logging
Bug #1068: format string issues with size_t + qa not catching them
Bug #1072: Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault
Bug #1073: radix tree lookups are not thread safe
Bug #1075: CUDA 5.5 doesn't compile with 2.0 beta 2
Bug #1079: Err loading rules with variables that contain negated content.
Bug #1080: segfault - 2.0dev (rev 6e389a1)
Bug #1081: 100% CPU utilization with suricata 2.0 beta2+
Bug #1082: af-packet vlan handling is broken
Bug #1103: stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets
Bug #1104: vlan tagged fragmentation
Bug #1106: Git compile fails on Ubuntu Lucid
Bug #1107: flow timeout causes decoders to run on pseudo packets
Feature #424: App layer registration cleanup - Support specifying same alproto names in rules for different ip protocols
Feature #542: TLS JSON output
Feature #597: case insensitive fileext match
Feature #772: JSON output for alerts
Feature #814: QinQ tag flow support
Feature #894: clean up output
Feature #921: Override conf parameters
Feature #1007: united output
Feature #1040: Suricata should compile with -Werror
Feature #1067: memcap for http inside suricata
Feature #1086: dns memcap
Feature #1093: stream: configurable segment pools
Feature #1102: Add a decoder.QinQ stats in stats.log
Feature #1105: Detect icmpv6 on ipv4
2.0beta2 -- 2013-12-18
Bug #463: Suricata not fire on http reply detect if request are not http
Bug #640: app-layer-event:http.host_header_ambiguous set when it shouldn't
Bug #714: some logs not created in daemon mode
Bug #810: Alerts on http traffic storing the wrong packet as the IDS event payload
Bug #815: address parsing with negation
Bug #820: several issues found by clang 3.2
Bug #837: Af-packet statistics inconsistent under very high traffic
Bug #882: MpmACCudaRegister shouldn't call PatternMatchDefaultMatcher
Bug #887: http.log printing unknown hostname most of the time
Bug #890: af-packet segv
Bug #892: detect-engine.profile - custom - does not err out in incorrect toclient/srv values - suricata.yaml
Bug #895: response: rst packet bug
Bug #896: pfring dna mode issue
Bug #897: make install-full fails if wget is missing
Bug #903: libhtp valgrind warning
Bug #907: icmp_seq and icmp_id keyword with icmpv6 traffic (master)
Bug #910: make check fails w/o sudo/root privs
Bug #911: HUP signal
Bug #912: 1.4.3: Unit test in util-debug.c: line too long.
Bug #914: Having a high number of pickup queues (216+) makes suricata crash
Bug #915: 1.4.3: log-pcap.c: crash on printing a null filename
Bug #917: 1.4.5: decode-ipv6.c: void function cannot return value
Bug #920: Suricata failed to parse address
Bug #922: trackers value in suricata.yaml
Bug #925: prealloc-sessions value bigger than allowed in suricata.yaml
Bug #926: prealloc host value in suricata.yaml
Bug #927: detect-thread-ratio given a non numeric value in suricata.yaml
Bug #928: Max number of threads
Bug #932: wrong IP version - on stacked layers
Bug #939: thread name buffers are sized inconsistently
Bug #943: pfring: see if we can report that the module is not loaded
Bug #948: apple ppc64 build broken: thread-local storage not supported for this target
Bug #958: SSL parsing issue (master)
Bug #963: XFF compile failure on OSX
Bug #964: Modify negated content handling
Bug #967: threshold rule clobbers suppress rules
Bug #968: unified2 not logging tagged packets
Bug #970: AC memory read error
Bug #973: Use different ids for content patterns which are the same, but one of them has a fast_pattern chop set on it.
Bug #976: ip_rep supplying different no of alerts for 2 different but semantically similar rules
Bug #979: clean up app layer protocol detection memory
Bug #982: http events missing
Bug #987: default config generates error(s)
Bug #988: suricata don't exit in live mode
Bug #989: Segfault in HTPStateGetTxCnt after a few minutes
Bug #991: threshold mem leak
Bug #994: valgrind warnings in unittests
Bug #995: tag keyword: tagging sessions per time is broken
Bug #998: rule reload triggers app-layer-event FP's
Bug #999: delayed detect inits thresholds before de_ctx
Bug #1003: Segmentation fault
Bug #1023: block rule reloads during delayed detect init
Bug #1026: pfring: update configure to link with -lrt
Bug #1031: Fix IPv6 stream pseudo packets
Bug #1035: http uri/query normalization normalizes 'plus' sign to space
Bug #1042: Can't match "emailAddress" field in tls.subject and tls.issuerdn
Bug #1061: Multiple flowbit set in one rule
Feature #234: add option disable/enable individual app layer protocol inspection modules
Feature #417: ip fragmentation time out feature in yaml
Feature #478: XFF (X-Forwarded-For)
Feature #602: availability for http.log output - identical to apache log format
Feature #622: Specify number of pf_ring/af_packet receive threads on the command line
Feature #727: Explore the support for negated alprotos in sigs.
Feature #746: Decoding API modification
Feature #751: Add invalid packet counter
Feature #752: Improve checksum detection algorithm
Feature #789: Clean-up start and stop code
Feature #813: VLAN flow support
Feature #878: add storage api
Feature #901: VLAN defrag support
Feature #904: store tx id when generating an alert
Feature #940: randomize http body chunks sizes
Feature #944: detect nic offloading
Feature #956: Implement IPv6 reject
Feature #957: reject: iface setup
Feature #959: Move post config initialisation code to PostConfLoadedSetup
Feature #981: Update all switch case fall throughs with comments on false throughs
Feature #983: Provide rule support for specifying icmpv4 and icmpv6.
Feature #986: set htp request and response size limits
Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
Feature #1009: Yaml file inclusion support
Feature #1032: profiling: per keyword stats
Optimization #583: improve Packet_ structure layout
Optimization #1018: clean up counters api
Optimization #1041: remove mkinstalldirs from git
2.0beta1 -- 2013-07-18
- Luajit flow vars and flow ints support (#593)
- DNS parser, logger and keyword support (#792), funded by Emerging Threats
- deflate support for HTTP response bodies (#470, #775)
- update to libhtp 0.5 (#775)
- improved gzip support for HTTP response bodies (#470, #775)
- redesigned transaction handling, improving both accuracy and performance (#753)
- redesigned CUDA support (#729)
- Be sure to always apply verdict to NFQ packet (#769)
- stream engine: SACK allocs should adhere to memcap (#794)
- stream: deal with multiple different SYN/ACK's better (#796)
- stream: Randomize stream chunk size for raw stream inspection (#804)
- Introduce per stream thread ssn pool (#519)
- "pass" IP-only rules should bypass detection engine after matching (#718)
- Generate error if bpf is used in IPS mode (#777)
- Add support for batch verdicts in NFQ, thanks to Florian Westphal
- Update Doxygen config, thanks to Phil Schroeder
- Improve libnss detection, thanks to Christian Kreibich
- Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml
- OS X unix socket build fixed (#830)
- bytetest, bytejump and byteextract negative offset failure (#827)
- Fix fast.log formatting issues (#771), thanks to Rmkml
- Invalidate negative depth (#774), thanks to Rmkml
- Fixed accuracy issues with relative pcre matching (#791)
- Fix deadlock in flowvar capture code (#802)
- Improved accuracy of file_data keyword (#817)
- Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy
- stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau
1.4.4 -- 2013-07-18
- Bug #834: Unix socket - showing as compiled when it is not desired to do so
- Bug #835: Unix Socket not working as expected
- Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present
- Bug #846: FP on IP frag and sig use udp port 0, thanks to Rmkml
- Bug #864: backport packet action macro's
- Bug #876: htp tunnel fix
- Bug #877: Flowbit check with content doesn't match consistently, thanks to Francis Trudeau
1.4.3 -- 2013-06-20
- Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828)
- Fix IPS mode being unable to drop tunneled packets (#826)
- Fix OS X Unix Socket build (#829)
1.4.2 -- 2013-05-29
- No longer force nocase to be used on http_host
- Invalidate rule if uppercase content is used for http_host w/o nocase
- Warn user if bpf is used in af-packet IPS mode
- Better test for available libjansson version
- Fixed accuracy issues with relative pcre matching (#784)
- Improved accuracy of file_data keyword (#788)
- Invalidate negative depth (#770)
- Fix http host parsing for IPv6 addresses (#761)
- Fix fast.log formatting issues (#773)
- Fixed deadlock in flowvar set code for http buffers (#801)
- Various signature ordering improvements
- Minor stream engine fix
1.4.1 -- 2013-03-08
- GeoIP keyword, allowing matching on Maxmind's database, contributed by Ignacio Sanchez (#559)
- Introduce http_host and http_raw_host keywords (#733, #743)
- Add python module for interacting with unix socket (#767)
- Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765)
- Big Napatech support update by Matt Keeler
- Configurable sensor id in unified2 output, contributed by Jake Gionet (#667)
- FreeBSD IPFW fixes by Nikolay Denev
- Add "default" interface setting to capture configuration in yaml (#679)
- Make sure "snaplen" can be set by the user (#680)
- Improve HTTP URI query string normalization (#739)
- Improved error reporting in MD5 loading (#693)
- Improve reference.config parser error reporting (#737)
- Improve build info output to include all configure options (#738)
- Segfault in TLS parsing reported by Charles Smutz (#725)
- Fix crash in teredo decoding, reported by Rmkml (#736)
- fixed UDPv4 packets without checksum being detected as invalid (#760)
- fixed DCE/SMB parsers getting confused in some fragmented cases (#764)
- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697)
- FN: IP-only rule ip_proto not matching for some protocols (#689)
- Fix build failure with other libhtp installs (#688)
- Fix malformed yaml loading leading to a crash (#694)
- Various Mac OS X fixes (#700, #701, #703)
- Fix for autotools on Mac OS X by Jason Ish (#704)
- Fix AF_PACKET under high load not updating stats (#706)
1.3.6 -- 2013-03-07
- fix decoder event rules not checked in all cases (#671)
- checksum detection for icmpv6 was fixed (#673)
- crash in HTTP server body inspection code fixed (#675)
- fixed a icmpv6 payload bug (#676)
- IP-only rule ip_proto not matching for some protocols was addressed (#690)
- fixed malformed yaml crashing suricata (#702)
- parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717)
- crash in tls parser was fixed (#759)
- fixed UDPv4 packets without checksum being detected as invalid (#762)
- fixed DCE/SMB parsers getting confused in some fragmented cases (#763)
1.4 2012-12-13
- Decoder event matching fixed (#672)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
- Add more events to IPv6 extension header anomolies (#678)
- Fix ICMPv6 payload and checksum calculation (#677, #674)
- Clean up flow timeout handling (#656)
- Fix a shutdown bug when using AF_PACKET under high load (#653)
- Fix TCP sessions being cleaned up to early (#652)
1.3.5 2012-12-06
- Flow engine memory leak fixed by Ludovico Cavedon (#651)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664)
- Flow manager mutex used unintialized, fixed by Ludovico Cavedon (#654)
- Windows building in CYGWIN fixed (#630)
1.4rc1 2012-11-29
- Interactive unix socket mode (#571, #552)
- IP Reputation: loading and matching (#647)
- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
- Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
- User-Agent added to file log and filestore meta files (#629)
- Endace DAG supports live stats and at exit drop stats (#638)
- Add support for libhtp event "request port doesn't match tcp port" (#650)
- Rules with negated addresses will not be considered IP-only (#599)
- Rule reloads complete much faster in low traffic conditions (#526)
- Suricata -h now displays all available options (#419)
- Luajit configure time detection was improved (#636)
- Flow manager mutex used w/o initialization (#628)
- Cygwin work around for windows shell mangling interface string (#372)
- Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
- CLANG compiler build fixes (#649)
- Several fixes found by code analyzers
1.4beta3 2012-11-14
- support for Napatech cards was greatly improved by Matt Keeler from Npulse (#430, #619)
- support for pkt_data keyword was added
- user and group to run as can now be set in the config file
- make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
- add contrib directory to the dist (#567)
- performance improvements to signatures with dsize option
- improved rule analyzer: print fast_pattern along with the rule (#558)
- fixes to stream engine reducing the number of events generated (#604)
- add stream event to match on overlaps with different data in stream reassembly (#603)
- stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
- HTTP handling in OOM condition was greatly improved (#557)
- filemagic keyword performance was improved (#585)
- fixes and improvements to daemon mode (#624)
- fix drop rules not working correctly when thresholded (#613)
- fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581)
- fix a false possitive condition in http_header (#607)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627)
- fixes to rule profiling (#576)
- cleanups and misc fixes (#379, #395)
- updated bundled libhtp to 0.2.11
- build system improvements and cleanups
- fix to SSL record parsing
1.3.4 -- 2012-11-14
- fix crash in flow and host engines in cases of low memory or low memcap settings (#617)
- improve http handling in low memory conditions (#620)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626)
- fix building on OpenBSD 5.2
- update default config's defrag settings to reflect all available options
- fixes to make check
- fix to SSL record parsing
1.3.3 -- 2012-11-01
- fix drop rules not working correctly when thresholded (#615)
- fix a false possitive condition in http_header (#606)
- fix extracted file corruption (#601)
- fix a false possitive condition with the pcre keyword and relative matching (#588)
- fix PF_RING set cluster problem on dma interfaces (#598)
- improve http handling in low memory conditions (#586, #587)
- fix FreeBSD inline mode crash (#612)
- suppress pcre jit warning (#579)
1.4beta2 -- 2012-10-04
- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346)
- Added ability to control per server HTTP parser settings in much more detail (#503)
- Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
- Big performance improvement in inspecting decoder, stream and app layer events (#555)
- Pool performance improvements (#541)
- Improved performance of signatures with simple pattern setups (#577)
- Bundled docs are installed upon make install (#527)
- Support for a number of global vs rule thresholds [3] was added (#425)
- Improved rule profiling performance
- If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.
- Fix compilation on architectures other than x86 and x86_64 (#572)
- Fix FP with anchored pcre combined with relative matching (#529)
- Fix engine hanging instead of exitting if the pcap device doesn't exist (#533)
- Work around for potential FP, will get properly fixed in next release (#574)
- Improve ERF handling. Thanks to Jason Ish
- Always set cluster_id in PF_RING
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue, IPS fix and cleanup
- Fix stream engine sometimes resending the same data to app layer
- Fix multiple issues in HTTP multipart parsing
- Fixed a lockup at shutdown with NFQ (#537)
1.3.2 -- 2012-10-03
- Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562)
- Fixed a FN condition with the flow:no_stream option (#575)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Fix multiple issues in HTTP multipart parsing
- Fix stream engine sometimes resending the same data to app layer
- Always set cluster_id in PF_RING
- Defrag: silence some potentially noisy errors/warnings
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue
1.4beta1 -- 2012-09-06
- Custom HTTP logging contributed by Ignacio Sanchez (#530)
- TLS certificate logging and fingerprint computation and keyword (#443)
- TLS certificate store to disk feature (#444)
- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
- AF_PACKET IPS support (#516)
- Rules can be set to inspect only IPv4 or IPv6 (#494)
- filesize keyword for matching on sizes of files in HTTP (#489)
- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
- NFQ fail open support (#507)
- Highly experimental lua scripting support for detection
- Live reloads now supports HTTP rule updates better (#522)
- AF_PACKET performance improvements (#197, #415)
- Make defrag more configurable (#517, #528)
- Improve pool performance (#518)
- Improve file inspection keywords by adding a separate API (#531)
- Example threshold.config file provided (#302)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Various spelling corrections by Simon Moon (#533)
1.3.1 -- 2012-08-21
- AF_PACKET performance improvements
- Defrag engine performance improvements
- HTTP: add per server options to enable/disable double decoding of URI (#464, #504)
- Stream engine packet handling for packets with non-standard flag combinations (#508)
- Improved stream engine handling of packet loss (#523)
- Stream engine checksum alerting fixed
- Various rule analyzer fixes (#495, #496, #497)
- (Rule) profiling fixed and improved (#460, #466)
- Enforce limit on max-pending-packets (#510)
- fast_pattern on negated content improved
- TLS rule keyword parsing issues
- Windows build fixes (#502)
- Host OS parsing issues fixed (#499)
- Reject signatures where content length is bigger than "depth" setting (#505)
- Removed unused "prune-flows" option
- Set main thread and live reload thread names (#498)
1.3 -- 2012-07-06
- make live rule reloads optional and disabled by default
- fix a shutdown bug
- fix several memory leaks (#492)
- warn user if global and rule thresholding conflict (#455)
- set thread names on FreeBSD (Nikolay Denev)
- Fix PF_RING building on Ubuntu 12.04
- rule analyzer updates
- file inspection improvements when dealing with limits (#493)
1.3rc1 -- 2012-06-29
- experimental live rule reload by sending a USR2 signal (#279)
- AF_PACKET BPF support (#449)
- AF_PACKET live packet loss counters (#441)
- Rule analyzer (#349)
- add pcap workers runmode for use with libpcap wrappers that support load balancing, such as Napatech's or Myricom's
- negated filemd5 matching, allowing for md5 whitelisting
- signatures with depth and/or offset are now checked against packets in addition to the stream (#404)
- http_cookie keyword now also inspects "Set-Cookie" header (#479)
- filemd5 keyword no longer depends on log-file output module (#447)
- http_raw_header keyword inspects original header line terminators (#475)
- deal with double encoded URI (#464)
- improved SMB/SMB2/DCERPC robustness
- ICMPv6 parsing fixes
- improve HTTP body inspection
- stream.inline accuracy issues fixed (#339)
- general stability fixes (#482, #486)
- missing unittests added (#471)
- "threshold.conf not found" error made more clear (#446)
- IPS mode segment logging for Unified2 improved
1.3beta2 -- 2012-06-08
- experimental support for matching on large lists of known file MD5 checksums
- Improved performance for file_data, http_server_body and http_client_body keywords
- Improvements to HTTP handling: multipart parsing, gzip decompression
- Byte_extract can support negative offsets now (#445)
- Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459)
- HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454)
- Improved error reporting when using too long address strings (#451)
- MD5 calculation improvements for daemon mode and other cases (#449)
- File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste.
- Rule parser is made more strict.
- Unified2 output overhaul, logging individual segments in more cases.
- detection_filter keyword accuracy problem was fixed (#453)
- Don't inspect cookie header with http header (#461)
- Crash with a rule with two byte_extract keywords (#456)
- SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476)
- Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452)
- Improve escaping of some characters in logs (#418)
- Checksum calculation bugs fixed
- IPv6 parsing issues fixed. Thanks to Michel Saborde.
- Endace DAG issues fixed. Thanks to Jason Ish from Endace.
- Various OpenBSD related fixes.
- Fixes for bugs found by Coverity source code analyzer.
1.3beta1 -- 2012-04-04
- TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier)
- Napatech capture card support (contributed by Randy Caldejon -- nPulse)
- Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste)
- Test mode: -T option to test the config (#271)
- Ringbuffer and zero copy support for AF_PACKET
- Commandline options to list supported app layer protocols and keywords (#344, #414)
- File extraction for HTTP POST request that do not use multipart bodies
- On the fly md5 checksum calculation of extracted files
- Line based file log, in json format
- Basic support for including other yaml files into the main yaml
- New multi pattern engine: ac-bs
- Profiling improvements, added lock profiling code
- Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys)
- Unified yaml naming convention, including fallback support (by Nikolay Denev)
- Improved Endace DAG support (#431, Jason Ish -- Endace)
- New default runmode: "autofp" (#433)
- Major rewrite of flow engine, improving scalability.
- Improved http_stat_msg and http_stat_code keywords (#394)
- Improved scalability for Tag and Threshold subsystems
- Made the rule keyword parser much stricter in detecting syntax errors
- Split "file" output into "file-store" and "file-log" outputs
- Much improved file extraction
- CUDA build fixes (#421)
- Various FP's reported by Rmkml (#403, #405, #411)
- IPv6 decoding and detection issues (reported by Michel Sarborde)
- PCAP logging crash (#422)
- Fixed many (potential) issues with the help of the Coverity source code analyzer
- Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers
1.2.1 -- 2012-01-20
- fix malformed unified2 records when writing alerts trigger by stream inspection (#402)
- only force a pseudo packet inspection cycle for TCP streams in a state >= established
1.2 -- 2012-01-19
- improved Windows/CYGWIN path handling (#387)
- fixed some issues with passing an interface or ip address with -i
- make live worker runmode threads adhere to the 'detect' cpu affinity settings
1.2rc1 -- 2012-01-11
- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events
- auto detection of checksum offloading per interface (#311)
- urilen options to match on raw or normalized URI (#341)
- flow keyword option "only_stream" and "no_stream"
- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
- in IPS mode, reject rules now also drop (#399)
- http_header now also inspects response headers (#389)
- "worker" runmodes for NFQ and IPFW
- performance improvement for "ac" pattern matcher
- allow empty/non-initialized flowints to be incremented
- PCRE-JIT is now enabled by default if available (#356)
- many file inspection and extraction improvements
- flowbits and flowints are now modified in a post-match action list
- general performance increasements
- fixed parsing really high sid numbers >2 Billion (#393)
- fixed ICMPv6 not matching in IP-only sigs (#363)
1.2beta1 -- 2011-12-19
- File name, type inspection and extraction for HTTP
- filename, fileext, filemagic and filestore keywords added
- "file" output for storing extracted files to disk
- file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241
- new keyword http_server_body, pcre regex /S option
- Option to enable/disable core dumping from the suricata.yaml (enabled by default)
- Human readable size limit settings in suricata.yaml
- PF_RING bpf support (required PF_RING >= 5.1) (feature #334)
- tos keyword support (feature #364)
- IPFW IPS mode does now support multiple divert sockets
- New IPS running modes, Linux and FreeBSD do now support "worker" and "autofp"
- Improved alert accuracy in autofp and single runmodes
- major performance optimizations for the ac-gfbs pattern matcher implementation
- unified2 output fixes
- PF_RING supports privilege dropping now (bug #367)
- Improved detection of duplicate signatures
1.1.1 -- 2011-12-07
- Fix for a error in the smtp parser that could crash Suricata.
- Fix for AF_PACKET not compiling on modern linux systems like Fedora 16.
1.1 -- 2011-11-10
- CUDA build fixed
- minor pcap, AF_PACKET and PF_RING fixes (#368)
- bpf handling fix
- Windows CYGWIN build
- more cleanups
1.1rc1 -- 2011-11-03
- extended HTTP request logging for use with (among other things) http_agent for Sguil (#38)
- AF_PACKET report drop stats on shutdown (#325)
- new counters in stats.log for flow and stream engines (#348)
- SMTP parsing code support for BDAT command (#347)
- HTTP URI normalization no longer converts to lowercase (#362)
- AF_PACKET works with privileges dropping now (#361)
- Prelude output for state matches (#264, #355)
- update of the pattern matching code that should improve accuracy
- rule parser was made more strict (#295, #312)
- multiple event suppressions for the same SID was fixed (#366)
- several accuracy fixes
- removal of the unified1 output plugins (#353)
1.1beta3 -- 2011-10-25
- af-packet support for high speed packet capture
- "replace" keyword support (#303)
- new "workers" runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap
- added "stream-event" keyword to match on TCP session anomalies
- support for suppress keyword was added (#274)
- byte_extract keyword support was added
- improved handling of timed out TCP sessions in the detection engine
- unified2 payload logging if detection was in the HTTP state (#264)
- improved accuracy of the HTTP transaction logging
- support for larger (64 bit) Flow/Stream memcaps (#332)
- major speed improvements for PCRE, including support for PCRE JIT
- support setting flowbits in ip-only rules (#292)
- performance increases on SSE3+ CPU's
- overhaul of the packet acquisition subsystem
- packet based performance profiling subsystem was added
- TCP SACK support was added to the stream engine
- updated included libhtp to 0.2.6 which fixes several issues
1.1beta2 -- 2011-04-13
- New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262).
- Inline mode for the stream engine (#230, #248).
- New keyword support: nfq_set_mark
- Included an example decoder-events.rules file
- api for adding and selecting runmodes was added
- pcap logging / recording output was added
- basic SCTP protocol parsing was added
- more fine grained CPU affinity setting support was added
- stream engine inspects stream in larger chunks
- fast_pattern support for http_method content modifier (#255)
- negation support for isdataat keyword (#257)
- configurable interval for stats.log updates (#247)
- new pf_ring runmode was added that scales better
- pcap live mode now handles the monitor interface going up and down
- several QA additions to "make check"
- NFQ (linux inline) mode was improved
- Alerts classification fix (#275)
- compiles and runs on big-endian systems (#63)
- unified2 output works around barnyard2 issues with DLT_RAW + IPv6
1.1beta1 -- 2010-12-21
- New keyword support: http_raw_header, http_stat_msg, http_stat_code.
- A new default pattern matcher, Aho-Corasick based, that uses much less memory.
- reference.config support as supplied by ET/ETpro and VRT.
- Much improved fast_pattern support, including for http_uri, http_client_body, http_header, http_raw_header.
- Improved parsers, especially the DCERPC parser.
- Much improved performance & accuracy.
1.0.5 -- 2011-07-25
- Fix stream reassembly bug #300. Thanks to Rmkml for the report.
- Fix several (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
1.0.4 -- 2011-06-24
- LibHTP updated to 0.2.6
- Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
- Large number of (potential) issues fixed after source code scans with the Clang static analizer.
1.0.3 -- 2011-04-13
- Fix broken checksum calculation for TCP/UDP in some cases
- Fix errors in the byte_test, byte_jump, http_method and http_header keywords
- Fix a ASN1 parsing issue
- Improve LibHTP memory handling
- Fix a defrag issue
- Fix several stream engine issues
|