ChangeLog
2021/12/01 - 3.1.18.0
alert_sf_socket: remove obsolete logger
appid: exclude stubs from coverage
build: remove config.h from headers
build: remove unreachable code
build: update configure options
catch: update catch to v2.13.7
dev_notes.txt: fix miscellaneous typos
doc: remove mention of Automake
doc: update builtin_subs.txt with EVENT_JS_SCOPE_NEST_OVERFLOW alert
doc: update module usage and inspector types in the dev guide
doc: update user/http_inspect.txt with http_inspect.js_norm_max_scope_depth option description
doc: update wizard documentation
file_api: file_data changes
framework: add support for multiple tenant
framework: don't call a gadget's eval() or clear() after its stream splitter aborted
framework: replace Value::get_long() with a platform-independent type
framework: update base API version to 11
helpers: fix stream unit test on 32 bit platforms
http2_inspect: discard with padding
http_inspect: fix total_bytes peg count
http_inspect: new rule options num_headers, num_trailers
http_inspect: store ole data in msg_body
http_inspect: update comments for asserts in eval and clear
http_inspect: update dev_notes.txt
hyperscan: disable bogus unit test leak warnings
ips_options: create LiteralSearch object for vba decompression at the time of snort initialization
memory: add max rss to verbose memory output
memory: add original overload manager
memory: add support for jemalloc
memory: expand profile report field widths
memory: fix accounting issues
memory: free space per DAQ message, not per allocation
memory: move mem_stats to MemoryCap
memory: refactoring
memory: refactor pruning and update unit tests
memory: remove explicit allocation tracking
memory: update dev notes
perf_monitor: allow constraint seconds = 0
piglets: refactor support code
reputation: remove unused sfrt code
rna: refactor unit test stubs
search_engines: remove unused test code
stream_tcp: delete unused unit test cruft
stream_tcp: only fallback if stream splitter aborted and don't keep processing fragments after MagicSplitter returned STOP
stream_tcp: remove unused unit test code
stream_user: refactor, remove cruft
unified2: remove cruft
utils: do output adjustment in case of carryover
utils: enable batch mode for Flex
utils: (JSNormalizer) add program scope tracking and alias resolution
utils: (JSNormalizer) rework the split over multiple chunks behavior
utils: pass an address into memset instead of object
utils: reduce flex generation of unused js normalizer code
utils: reset Normalizer context when new script starts
vba: fix buffer overflow in ole parser
wizard: add patterns to match unknown HTTP and SIP methods
wizard: change default value of max_search_depth from 64 to 8192
wizard: remove telnet IAC pattern
2021/11/17 - 3.1.17.0
appid: restore the log of reload detectors complete message
build: remove HAVE_HYPERSCAN conditional from installed header
detection: add allow_missing_so_rules
detection: ensure PDUs indicate parent when available
dnp3: update builtin rule description
doc: arp_spoof builtins
doc: back orifice builtin rules
doc: spell correction
doc: update builtin alerts description for dnp3
doc: update builtin alerts description for modbus, HTTP/2
doc: update builtin alerts description for portscan
doc: update builtin rule documentation for http_inspect
doc: update builtin rules documentation for dce_smb, dce_tcp, dce_udp, rpc_decode
doc: updated builtin rules documentation for ssh.
http2_inspect: hardening
http2_inspect: http1_header buffer always created immediately after decode_headers
http2_inspect: push promise error state check
http2_inspect: truncated trailers without frame data
ips_option: Enabling trace for vba_data options and fixing memory leak while extracting vba_data
main: use dynamic buffer on demand in trace print functions
u2spewfoo: Fixed incorrect usage line.
2021/11/03 - 3.1.16.0
appid: during initialization, skip loading of Lua detectors that don't have validate function
appid: in packet threads, skip loading of detectors that don't have validate function on reload
appid: provide API to give client_app_detection_type
codec: geneve - ensure injected packets have geneve port in outer udp header
detection: refactor mpse serialization
detection: rename PortGroup to the more apt RuleGroup (and related)
detection: replace PortGroup::alloc/free with ctor/dtor
doc: add SIP built-in rule documentation
doc: update built-in rule doc for SMTP, IMAP and POP inspectors
doc: update built-in rules documentation for dns module
doc: update built-in rules documentation for ftp-telnet
doc: updated builtin rules documentation for gtp module
flow: fix warning in flow_cache.cc
flow: use the same pkt_type to link and unlink unidirectional flows
http2_inspect: refactor decoded_headers_buffer for hpack decoding
http_inspect: eliminate cumulative js data processing
http_inspect: handle unordered PDUs for inline/external JavaScript normalization
http_inspect: improve file decompression
hyperscan: sort patterns for dump / load stability
ips: correct fast pattern port group counts
mpse: add md5 check to deserialization
reload: add logs to track reload process
reload: move out reload progress flag to reload tracker
search_engine: support hyperscan serialization
search_engine: support port group serialization
sip: track memory for sip sessions
ssl: disable inspection on alert only at fatal level
stream_tcp: fix init_wscale() to take into account the DECODE_TCP_WS flag
tcp: remove the obsolete __GNUC__ block from TcpOption::next()
tcp: stop on the EOL option in TcpOptIteratorIter::operator++()
utils: add get methods to peek in internal buffer
utils: correct Normalizer's output upon the next scan
wizard: update globbing and max_pattern
2021/10/21 - 3.1.15.0
appid: detect client based on longest matching user agent pattern
appid: update the name of the lua API function that adds process name to client app mappings
build: fix in CodeCoverage.cmake to generate *.gcda *.o files as needed by gcov
dce_smb: optimize handling pruning of flows in stress environment
decompress, http_inspect: add support for processing ole files and for vba_data ips option
doc: add punctuation to builtin stubs, fix formatting
doc: builtin rule documentation updates
http2_inspect: partial header with priority flag set
http_inspect: add automatic semicolon insertion
http_inspect: document built-in alerts
http_inspect: do not normalize JavaScript built-in identifiers
http_inspect: hardening
http_inspect: implement JIT (just-in-time) for JavaScript normalization
http_inspect, ips_option: decouple the vba_data ips option from http_inspect and add the trace debug option to vba_data
policy: update policy clone code to avoid corrupting active configuration
protocols: prevent infinite loop over tcp options
rna: call set_smb_fp_processor function in reload tuner
rna: do not do service discovery for future flows
2021/10/07 - 3.1.14.0
appid: enhance RPC service detector to handle RPC Bind version 3
appid: fix update_allocations signature in unit test
appid: log appid daq trace first followed by subscriber modules
appid: provide api for Lua detectors to map process name to client app
doc: add descriptions for 119:265-271 builtin alerts
doc: update builtin stub rule reference strings
file: add file policy id and other config data as part of packet tracer command under File phase
file_api: add decompress_buffer_size
flow: add total flow latency to flowstats
http2_inspect: compare scanned bytes to total received during reassemble
http2_inspect: protect against reassemble with more than MAX_OCTETS
http_inspect: change format of normalized JS identifiers
ips_options: rename script_data buffer to js_data
latency: add configuration for implicit enable
lua: fix Talos tweak snaplen
rna: support CPE new os RNA event
snort_config: adding api for enabling latency module
utils: add custom i/o stream buffers to JS normalizer
utils: adjust output streambuffer expanding strategy and reserved memory
utils: fix compilation error of js_identifier_ctx_test for clang
2021/09/22 - 3.1.13.0
appid: prioritize appid's client detection over third-party
appid: stay in success state after RPC is detected.
builtins: add --dump-builtin-options
catch: enable benchmarking
cip, iec104: update stub rule messages for consistent format
control: explicitly include ctime header in control.h
detection: add fast patterns only once per service group
doc: add support for details on builtin rules in the reference
doc: update reference for 2:1 and 129:13
doc: update the documentation of "replace" option and "rewrite" action
doc: update user tutorial with '--enable-benchmark-tests' option
file_api: new api added for url
file_api: revert store processing flow in context
flow: don't do memcap pruning if pruning is in progress
host_cache: Avoid data race in cache size access
host_tracker: Removing unused methods
http_inspect: http_raw_trailer fast pattern
http_inspect: pass file_api the uri with the filename and extract the filename from the uri path
http_inspect: remove memrchr for portability
netflow: use device ip and template id to ensure that the template cache keys are unique
output: adopt the orphaned tag alert (2:1)
rna: Avoid data races in vlan and mac address
rna: Avoid infinite loop in ICMPv6 options
smb: added a null check when current_flow is not present
snort2lua: Fixed version output (issue #213). Thanks to A-Pisani for the fix.
stream: change session_timeout default for tcp, ip, icmp and user
stream: fix session timeout of expired flows
trough: Avoid data race in file count
utils: add benchmark tests for JSNormalizer
utils: add reference and description for ClamAV test cases
utils: avoid using pubsetbuf which is STL implementation dependent
utils: fix typo in js_normalizer_test
2021/09/08 - 3.1.12.0
decoder: icmp6 - use source and destination addresses from packet to compute icmp6 checksum when NAT is in effect
http_inspect: enable traces for JS Normalizer
http_inspect: include cookies in http_raw_header
http_inspect: reduce void space in HttpFlowData
stream_tcp: add pegs for maximum observed queue size
stream_tcp: normalize data when queue limits are enabled
stream_tcp: only update window on right edge acks
stream_tcp: set sequence number in trimmed packets up to the queue limit and increase defaults
2021/08/26 - 3.1.11.0
build: update help for --enable-tsc-clock to include arm. Thanks to liangxwa01 for reporting the issue.
codec: geneve: fix incorrect parsing of option header length
data_bus: support ordered call of handlers
dns, ssh: remove obsolete stream insert checks
doc: Add js_norm_max_template_nesting description
flow: introduce bidirectional flag for expected session.
flow: set the client initiated flag before publishing the flow state setup event
framework: update base API version to 8
framework: version rollback
http_inspect: add builtin rule for consecutive commas in accept-encoding header
http_inspect: Add JavaScript template literals normalization
http_inspect: check if Normalizer has consumed input
http_inspect: hard-code infraction enum numbers
http_inspect: http_raw_header, http_raw_trailer field support
http_inspect: refactor NormalizedHeader
http_inspect: support more infractions and events
http_inspect: two new built-in rules
inspection: process wizard matches on defragged packets
ips: add action_map table to map rule types, eg block -> alert
ips: add action_override which applies to all rules
lua: update comments in the default config
modbus: check record length for write file record command
normalize: remove tcp.trim config
payload_injector: check if stream is established on flow rather than the packet flag to handle retries
policy: put inspection policy accessors in public space
policy: reorganize for sanity
README: mention vars in default config
sip: deprecate max_requestName_len in favor of max_request_name_len
smb: Invoke SMB debug in destructor when packet thread available
stream_tcp: update API called by payload_injector to check for unflushed queued TCP segments
style: remove crufty comments
style: remove C style (void) arglists
style: remove or update crufty preprocessor comments
utils: address compiler warning
utils: support streamed processing of JS text
wizard: support more HTTP and SIP methods
2021/08/11 - 3.1.10.0
appid: update netbios-ss (SMB) detector to extract SMB domain from SMBv2, and more intelligently handle payload appid detection
appid: use packet thread odp context while creating SIP session
build: install DAQ modules and Snort plugins in separate folders
dce_smb: restore file tracker size post deletion
dns: add DNS splitter
doc: update user manual for identifier normalization
file_api: add infra and file debugs to existing debugging framework
ftp: remove unused defines and crufty comments
http_inspect: add JavaScript identifiers normalization
http_inspect: change the default value of request_body_app_detection config parameter to true
smtp: remove unused defines
ssh: handle traffic with invalid version string
ssh: handle version string packets that also contain key exchange data
stream_tcp: skip unordered segments if last flushed position already moved past
telnet: correct help for ayt_attack_thresh
wizard: add wizard max_pattern option and update HTTP/SIP aware methods patterns
2021/07/28 - 3.1.9.0
actions: allow session data to stay accessible for loggers for reject rule action
byte_options: address compiler warnings
control: add idle expire removal to control channels
dump_stats: direct output back to command channel
events: use instance_id to make event_id unique across threads
file_api: handle file_cache inspection for non-zero offset
http2_inspect: change xor to or in assert that was failing due to uninitialized variable
http2_inspect: fix HPACK dynamic table size update management
http2_inspect: remove unused variables
http_inspect: add peg count for script bytes processed
http_inspect: add rule option http_raw_header_complete
http_inspect: don't allocate 0-length partial inspection buffer
ips_options: add catch tests for byte_test, byte_jump, byte_math, byte_extract
ips_options: address compiler warnings
ips_options: refactor byte_extract, byte_test, byte_math, byte_jump and related tests
lua: update HTTP/2 default_wizard hex with S2C pattern match
stats: update file and appid stats to use Log functions provided from stats.cc
2021/07/15 - 3.1.8.0
appid: support SSH client detection through lua detector
dce_rpc: fix crash when expected session comes after snort reload
dce_rpc: handling raw packets
dce_smb: added trace messages and multiple level logging for SMB module
dce_smb: fixed macro definition for SMB_DEBUG
doc: fix build warnings. Thanks to jiangrj (github.com/jiangrij) for reporting the issue.
dump_config: support modules without config options in text format
file_api: handling overlap segments
http2_inspect: clean data cutter internal state after exhausting flow depth
http_inspect: add built-in alert for script tags in a short form
packet_io: check if unreachable_candidate before sending unreachable
packet_io: unreachable packets shouldn't be sent for ICMP
snort2lua: set raw_data buffer for rawbytes and B flag in PCRE
wizard: make SSH spell more specific
2021/06/30 - 3.1.7.0
appid: enhance netbios service detector to identify SMB versions as web app
appid: update documentation
appid: update the DNS detector to support the all record request
control: resolve socket issues due to race conditions
doc: updates for http2_inspect
framework: update base API version to 3
main: implement test_features run flag to enable debug-like output
mime: track memory for mime sessions
payload_injector: don't inject if there are unflushed S2C TCP packets queued
reputation: include list id for daq trace log
sfip: fix unit tests for non-regtest builds
snort2lua: fix lua conversion of unsupported http preproc options without parameters
snort2lua: remove footprint size config
stream: fix is_ack_valid to return true even when current ack is to the left of snd_una, per RFC793
2021/06/16 - 3.1.6.0
appid: extract auxiliary ip when uri is provided by third-party
appid: perform detection on request body for HTTP2 traffic.
appid: remove error message when userappid.conf is not present
appid: remove unused metadata offset functionality
appid: support fragmented metadata
appid: use 32 bits for storing protocol field in RPC port map message
codecs: geneve - add support for Geneve encapsulation
codecs: geneve - add vni to alert_csv and alert_json
codecs: support inner flow NAT
control: allow compile with shell disabled
control: clean up cppcheck issues
control: expose ControlConn API
control: refactor control channel management to better handle control responses
control: remove SHELL compile flag from header
control: remove unused IdleProcessing functionality
dce_rpc: SMB multichannel - add smb multichannel file support
dce_rpc: SMB multichannel - handle negotiate command to create expected flow
dce_rpc: SMB multichannel - introduce locks
dce_rpc: SMB multichannel - make session cache global
dce_rpc: SMB multichannel - own memory tracking in global cache
dce_rpc: fix warnings
dce_rpc: handle reload prune for smb session cache
dce_rpc: store shared pointer of session tracker
doc: update JS normalizer options
file_api: increase file count only once per file
file_api: store processing flow in context
filters: change rate filter to use network policy id instead of ips policy id
filters: support rate filter to work with PDUs
flow: enable support for multiple expected sessions
ftp: create additional expected session if negotiated IP is different from server IP on packet
gtp: check protocol type according to gtp version
host_cache: remove unused lua mock code from the tests
http2_inspect: don't perform valid sequence check on rst_stream frame
http2_inspect: improve request line generation and checks
http2_inspect: rule options and doc clean up
http2_inspect: track dynamic table memory allocation
http_inspect: add JS Normalizer to dev_notes
http_inspect: add JS normalization for external scripts
http_inspect: additional memory tracking
http_inspect: extend built-in alerts for Javascript processing
http_inspect: improve MPSE in HttpJsNorm (script start conditions)
http_inspect: limit section size target for file processing
http_inspect: publish event for http/2 request bodies
http_inspect: support partial detect for Javascripts
http_inspect: track memory footprint of zlib inflation
http_inspect: update test mock api
iec104: delete trailing spaces
ips_options: fix intrusion alerts generation for tcp rpc PORTMAP traffic when rpc_decode is bound to the flow
main: add support for resuming particular thread
main: fix config dump for list-based inspector aliases
mime: store extra data in stash
packet_io: enable expected session flags
protocols: remove inline specifiers for functions defined within a structure declaration
pub_sub: add get_uri_host() to HttpEvent
pub_sub: update HttpEvent::get_host to get_authority - now always includes port if there is one
reputation: daq trace log
reputation: support auxiliary IP matching upon reload
rna: filter DHCP events and some refactoring
rna: update last seen time on deleted host rediscovery
stream: enable support for multiple expected sessions
stream_tcp: populate flow contents in context for non-wire packets
time: make Periodic class SO_PUBLIC
trace: place trace options under the DEBUG_MSGS macro
utils: fix warning about empty statement
utils: refactor JSTokenizer
utils: rework JSNormalizer class
2021/05/20 - 3.1.5.0
appid: Publish an event when appid debug command is issued
appid: do memory accounting of api stash object, dns/tls/third-party sessions
appid: mark payload detection as done after either http request or response is inspected
appid: set monitor flags on future flows
dce_rpc: fix expected session protocol id
dce_rpc: update memory tracking for smb session data
dce_rpc: use find_else_insert in smb session cache to avoid deadlock
file_api: fix spell source error
flow: Adding stash API to save auxiliary IP
flow: Enhancing APIs to stash auxiliary IP
flow: memory tracking updates
hash: add new insert method in lru_cache_shared
http2_inspect: add assert in clear
http2_inspect: concurrent streams limit is configurable
http2_inspect: fix non-standard c++
http2_inspect: handle trailer after reaching flow depth
http2_inspect: implement window_update frame
http2_inspect: optimize processing after reaching flow depth
http2_inspect: track stream memory incrementally instead of all up front
http2_inspect: update discard print
http2_inspect: update state and delete streams after reaching flow depth
http_inspect: IP reputation support
http_inspect: don't disable detection for flow if it's an HTTP/2 flow
ips_options: fix relative base64_decode
memory: free_space cleanup
netflow: additional check before v5/v9 decode
netflow: version 9 decoding and filtering
packet_tracer: IPS daq trace log
packet_tracer: file daq trace log
parser: Remove rule merge in dump mode
parser: reduce RTNs only after states applied
reputation: track monitor ID via flow; minor code cleanup
shell: exit gracefully when sandbox lua is misconfigured
stream_tcp: Deleting session when both talker and listener are closed
stream_tcp: Using window base for reset validation
2021/04/21 - 3.1.4.0
-- appid: (fix style) Local variable 'version' shadows outer variable
-- appid: Delete third-party connections with context only if third-party reload is not in progress
-- appid: clean up lua stack on C->lua function exit
-- appid: clean-up parameters in service_bootp
-- appid: detect payload based on dns host
-- appid: in continue state for ftp traffic, do not change service to unknown on validation failure
-- appid: monitor only the networks specified in rna configuration
-- appid: refactor to set http scan flags in one place
-- appid: remove detectors which are available in odp
-- appid: remove duplicate rtmp code
-- binder: update flow data inspector on a service change
-- build: add better support for flex lexer; Thanks to Özkan KIRIK and Moin for reporting the issue.
-- codecs: use held packet SYN in Tcp header creation
-- copyright: Update year to 2021
-- dce_rpc: Added a cleanup condition for DCERPC in close request
-- dce_rpc: DCERPC Support over SMBv2
-- dce_rpc: Fixed prototype mismatch. Smb2Tid doesn't need to be inline.
-- doc: add documentation for script_data ips option
-- doc: revert documentation related to script_data ips option
-- framework: Adding IT_FIRST inspector type to analyze the first packet of a flow
-- hash: prepond object creation in LRU cache find_else_create
-- host_tracker: fix bug in set_visibility
-- http2_inspect: fix possible read-after-free in hpack decoder
-- http2_inspect: free streams in completed/error state
-- http_inspect: fix end of script match after reload
-- http_inspect: remove detained inspection config
-- ips: allow null detection trees with negated lists
-- ips_options: add sticky buffer script_data ips option within normalized javascripts payload
-- main: Adding reload id to track config/module/policy reloads
-- main: Log holding verdict only if packet was actually held.
-- main: Update memcap for detained packets.
-- netflow: add device list configuration
-- netflow: add filter matching for v5 decoder
-- netflow: get correct zone info from packet
-- packet_io: If packet has no daq_instance, use thread-local daq_instance.
-- packet_tracer: Appid daq trace log
-- packet_tracer: fix trace condition for setting IP_PROTO
-- payload_injector: send go away frame
-- pcre: revert change that disabled jit
-- reputation: Registering inspector to the IT_FIRST type
-- rna: add the smb fingerprint processor to the get_or_create / set processor api
-- ssl: refactoring SSLData out so it can be reused
-- stream: Add held packet to retry queue when requested.
-- stream: Add partial_flush. Flush one side of flow immediately.
-- stream: IP frag packets won't have a flow so do not try to hold them.
-- stream: fetch held packet SYN
-- stream: fix race condition in HPQReloadTuner
-- stream: store held packet SYN
-- utils: enable Flex C++ mode via its option
2021/03/27 - 3.1.3.0
-- actions: Dynamically construct the default eval order for all the loaded IPS actions
-- actions: Make all IPS actions pluggable
-- appid: Make netbios domain available through appid API
-- appid: SMB fingerprinting support
-- cmake: Add flex build dependency
-- dce_rpc: Refactor SMB code
-- detection: Update detection.alert, to be used instead of reputation.total_alerts
-- detection: Update dump_rule_meta function to only print rules from default IPS policy
-- detection: Update the rtn's listHead to reflect the new action set in the rule state
-- doc: Update http_inspect feature documentation
-- flow: Add packet tracer output to DAQ expected flow requests
-- host_tracker: Fully populate local hostclient before logging
-- http2_inspect: Alert on uppercase header name encoded in HPACK
-- http_inspect: Add JavaScript whitespace normalization
-- http_inspect: Add normalization_depth config option
-- http_inspect: Alert on HTTP/2 upgrade attempts
-- http_inspect: Integrate JSNormalizer (whitespace normalization) keeping the old one
-- packet_io: Update for the removal of the RETRY DAQ verdict
-- packet_tracer: Do not log non-IP packets when enabled from shell and a constraint is set
-- parser: Support duped RTN if its header has been changed
-- rate_filter: Get the available IPS actions dynamically to configure the new_action
-- rna: Make discovery filter use client and server interfaces if they are not unknown
-- rna: SMB fingerprinting support
-- snort2lua: Delete conversion of disable_replace option
-- snort2lua: Fix lua conversion of http preproc options
-- snort: Add -h to output the help overview (same as --help)
-- snort_config: Remove is_active_enabled and set_active_enabled functions
-- style: Change C++ comment NULL to null
-- style: Remove unnecessary cruft
-- style: Remove unused cruft
-- utils: Add JSNormalizer
2021/03/11 - 3.1.2.0
-- action_manager: Remove unused cached reject action
-- appid: Always get appid inspector from default inspection policy
-- appid: Fixes for cppcheck warnings
-- appid: Get uri from http event even when http host is not present
-- appid: Load lua detectors for packet threads from compiled lua bytecode during detector reload
-- appid: Remove app forecast method
-- appid: Remove detectors for obsolete apps - AOL instant messenger and Yahoo messenger
-- appid: Send reloading detectors message to socket immediately
-- appid: Update IMAP service detector pattern
-- appid: Use opportunistic tls event to set decryption countdown for SMTP detector
-- binder: Apply host attribute table information at the beginning of flow setup
-- binder: Clean up std namespace usage
-- binder: Use service inspector caching to improve get_gadget() performance
-- binder: Use the first match for non-terminal binding usage
-- build: Do one more pass of modernizing the C++ code
-- dce_rpc: Handle async responses in smbv2
-- dce_rpc: Pass proper file id in file api from smb1
-- decompress: Add support for streaming ZIPs
-- detection: Use IP and port variables from the targeted policy
-- doc: Remove http detained inspection from user manual
-- doc: Update documentation for ips.states
-- file_magic: Add pattern for pcapng
-- flow: Add new flag to indicate elephant flow
-- ftp_telnet: Implement init_partial_flush for ftp data
-- ftp_telnet: Respect telnet_cmds config for raising 125:1
-- host_attributes: Update api to reduce use of shared_pointer
-- http2_inspect: Limit number of concurrent streams
-- http2_inspect: Process rst_stream frame
-- http_inspect: IPv6 authority in URI
-- http_inspect: Javascript support cleanup
-- http_inspect: Partial inspection for 0 length chunk
-- http_inspect: Remove detained inspection
-- http_inspect: Remove unused events
-- http_inspect: Temporarily restore detained_inspection parameter
-- iec104: Add documentation for iec104 service inspector
-- iec104: Additional input sanitization, syntax, and style changes
-- iec104: Integrate new iec104 protocol service inspector
-- inspector_manager: Instantiate default binder as long as a wizard or stream are present
-- ips_options: Update cursor position for relative pcre
-- ipv4: Correct the calculation for illegal fragment offset checks
-- log: Add printf format attribute to TextLog_Print() and clean up the fallout
-- log: Base logging the Ethernet header on proto bits rather than DLT
-- loggers: Fix excessive byte reordering when printing MPLS labels in CSV and JSON
-- main: Fix accumulating and printing codec stats at run time
-- managers: Enforce strict parsing for binder aliases
-- managers: Pass the configuration to default module's end()
-- managers: Perform sanity checks on set_alias() parameters
-- memory: Free memory space while updating allocation
-- module: Introduced new api to clear global active module counters
-- module_manager: Enforce interest in global modules only in the default policy
-- mpls: Add next layer autodetection and implement codec logging
-- mpls: Refactor mpls.enable_mpls_overlapping_ip into packet.mpls_agnostic
-- mpls: Remove enable_mpls_multicast option
-- packet_capture: Add group filter for packet capture
-- packet_tracer: Add daq buffer to hold daq logs
-- perf_monitor: Fix finalizing JSON output files for trackers
-- portscan: Fix decoy and distributed scan logic
-- portscan: Fix delimiter for ports in config
-- portscan: Fix IP scans not alerting
-- protocols: Add initial support for multilayer compound codecs
-- protocols: Add peg count for decodes that exceeded the max layers
-- protocols: Consistently encapsulate exported protocol headers in the snort namespace
-- reputation: Add peg count for total alerts
-- reputation: Remove deprecated redundant terms
-- rna: Discover NetBIOS name
-- snort: Clear snort counter for modules, daq, file_id, appid
-- snort: Update for DAQ_FlowStats_t structure and field name changes
-- snort_config: Clean up and annotate command line config merge process
-- snort_config: Remove unnecessary command line options
-- stream: Always use latest splitter from tracker after paf_check
-- stream: Do not update service from appid to host attributes if nothing is changed
-- stream: Set block pending flag when a flow is dropped
-- stream_tcp: Ensure flows aren't pruned while processing a PDU
-- stream_tcp: Flush queued segments when FIN is received
-- stream_tcp: Support data on SYN by default with or without Fast Open option
-- trans_bridge: Lift the log() implementation from the root Ethernet codec
-- wizard: Add support for sslv2 detection
2021/01/28 - 3.1.1.0
-- appid: Add support for snmpv3 report pdu
-- appid: Always store container session api object in stash
-- appid: Do not process sip event for an existing session after detector reload
-- appid: Remove unused code; cleanup FIXIT comments related to reload
-- appid: Send reload detectors and third-party messages to socket immediately if appid is not
enabled
-- codecs: Update tcp naptha check to make sure it is ipv4 traffic
-- file_api: Remove file context after file name set if processing is complete
-- file_api: Stop processing signature when type verdict is 'FILE_VERDICT_STOP'
-- flow: Update direction and interface info in HA flow
-- ftp: Use Stream packet holding to handle ftp-data EoF
-- http_inspect: Add chunked processing to dev notes
-- http_inspect: Provide file_id to set file name and read new return value
-- http_inspect: Validate and normalize scheme
-- http_inspect: Validate URI scheme length
-- inspector: Add a global reference count for uses that are not thread specific
-- lrucache: Changes for memcap to support constant cache objects with variable size.
-- managers: Clean all inactive inspectors warning about ones that are still referenced
-- mime: Provide file_id to set file name and read new return value
-- payload_injector: Inject settings frame
-- rna: Minimize synchronization overhead
2021/01/13 - 3.1.0.0
-- appid: Store stats in map
-- appid: Tear down third-party when appid gets disabled
-- build: Add support for version sublevel and build via CMake
-- dce_rpc: Handle Flow from File inspection
-- host_cache: Add command to output host_cache usage, pegs, and memcap
-- http2_inspect: Add total_bytes peg to track HTTP/2 data bytes inspected
-- http_inspect: Abort on HTTP/2 connection preface
-- http_inspect: Add total_bytes peg to track HTTP data bytes inspected
-- http_inspect: Alert on truncated chunked and content-length message bodies
-- http_inspect: Support stretch for Http2
-- log: Reuse TextLog buffer for a large data
Thanks to Chris White for reporting the issue.
-- packet_io: IDS mode should not give blacklist verdict for Intrusion event
-- rna: Fix version, vendor and user string comparison at maximum length
-- rna: Perform appropriate filter check based on the event type
-- rna: Revert rna performance optimizations
-- rpc_decode: Implement adjust_to_fit for RPC splitter
-- stream_tcp: Delete redundant calls to check if the tcp packet contains a data payload
-- stream_tcp: Fix issues causing overrun of the pdu reassembly buffer, make splitters
authoritative of size of the reassembled pdu
-- stream_tcp: On midstream pickup, when first packet is a data segment, set flag on talker tracker
to reinit seglist base seg on first received data packet
-- stream_tcp: Remove obsolete flush_data_ready() function
2020/12/20 - 3.0.3 build 6
-- active: Fix falling back on using raw IP for active responses when no device is specified
-- appid: Add support for apps, http host, url and tls host in HA
-- appid: Allow checking appid availability for a given http/2 stream
-- appid: Change terms used in code, logs and peg counts
-- appid: Do not override http fields with empty values
-- appid: Dump userappid configurations upon reloading third-party
-- appid: For http2 flow, return service id as http2 when no streams are yet created
-- appid: Mark reload third-party complete after unloading old library and creating new third-party
context
-- appid: Print more descriptive error message when lua detector registers invalid pattern
-- binder: Pass service to get_bindings on flow service change
-- binder: Specify service inspector type when getting a gadget instance
-- build: Clean up various cppcheck warnings
-- catch: Avoid using INTERNAL_CATCH_UNIQUE_NAME in our headers
-- catch: Update to Catch v2.13.3
-- dce_rpc: Fixed incorrect access of FileFlows while pruning the flow
-- file_api: Fixed stats which weren't cleared when there were no stats for signature processing
-- file_api: Handle resume block when multiple file rules are configured with store option enabled
-- flow: Pause logging during timeout processing
-- helpers: Handle SIGILL and SIGFPE with the oops handler
-- high_availability: Add check for packet key equals HA key before consume
-- host_attributes: Better error handling for reload to eliminate double free and memory leaks
-- http2_inspect: Check for invalid flags
-- http2_inspect: Fix bug with exceeding inspection depth
-- http2_inspect: Fix empty queue access and some bookkeeping
-- http2_inspect: Handle connection close during headers frames
-- http2_inspect: Handle discard
-- http2_inspect: HI error handling improvements
-- http2_inspect: Improve error handling
-- http2_inspect: Remove 0 length scan for most cases
-- http_inspect: Explicit memory allocation for transactions and partial inspections
-- http_inspect: Script detection for HTTP/2
-- inspector_manager: Remove unused inspector_exists_in_any_policy() function
-- inspector: Remove obsolete metapacket processing functionality
-- main: Convert Request to shared_ptr to avoid memory problems
-- main: Fix memory leak in reload_config() caused by incorrect code merge
-- managers: Add inspector type in the help module output
-- managers: Don't allow a referenced inspector to stall emptying the trash
-- managers: Track removed inspectors during reload and call tear_down and tterm to release
resources
-- packet_io: Export forwarding_packet() function
-- packet_tracer: Fix the debug session information for non-ip packets
-- parser: Add escaping for double quotes and special chars in a rule body
-- parser: Fix escape logic for --dump-rule-meta output
-- reload: Reset default policies after failed reload
-- request: Expose methods to be used in plugins
-- rna: Do null check in the Inspector rather than the Module in the control commands
-- rna: Generate new host event for CDP traffic
-- rna: Make the mac cache persist over reload config
-- rna: Reduce host cache lock usage to improve performance
-- rna: Remove unused function
-- rna: Replace some tabs with spaces as per style guidelines
-- rna: Support data purge command
-- rna: Support DHCP fingerprint matching and event generation
-- rna: Use service ip and port provided by appid for DHCP discovery events
-- shell: Change terms used in code, logs and peg counts
-- shell: Support for loading configuration in lua sandbox
-- snort: Add OopsHandlerSuspend for suspending Snort's crash handler
-- stream: Fix stream clean up when going from enabled to disabled
-- stream_ha: Only flush on HA deactivate if not in STANDBY, set HA state to STANDBY when new Flow
is created
-- stream_tcp: Initialize the alerts array to empty when a TcpReassembler instance is initialized
or reset
-- stream_tcp: Set interfaces in both directions
2020/11/16 - 3.0.3 build 5
-- appid: Add unit test to verify HA data for flow unmonitored by appid
-- appid: Handle cppcheck warnings
-- appid: Prefix http/2 decrypted urls with https://
-- appid: Support client login failure event
-- flow: Do not remove the flow during pruning/reload during IPS event with block action
-- flow: Flesh out swap_roles() to swap more client/server fields
-- flow: Set client initiated flag based on DAQ reverse flow flag, track on syn config, and syn-ack
packet
-- ftp: Handle FTP detection when ftp data segment size changes
-- host_tracker: Ignore IP family when comparing SfIp keys in the host cache
-- http2_inspect: Data frame redesign
-- http2_inspect: Multi-segment reassemble discard bug fix
-- http2_inspect: Perform hpack decoding on push_promise frames
-- http2_inspect: Refactor data cutter
-- http2_inspect: Refactor scan()
-- http2_inspect: Remove const cast
-- http2_inspect: Send push_promise frames through http_inspect
-- ips_options: Don't move cursor in byte_math
-- main: Set up logging flags globally to avoid dependencies on a particular SnortConfig object
-- payload_injector: Refactoring
-- payload_injector: Remove content length and connection for HTTP/2
-- rna: Add command to delete MAC hosts and protos
-- rna: Delete payloads when clients, services are deleted; add unit tests
-- rna: Discover banner on service version or response events
-- rna: Don't process packet in eval if eth bit not set
-- rna: Log src mac from packet containing CDP message when host type change event is generated
-- rna: Support banner discovery
-- rna: Support change service event with null version and vendor
-- rna: Support user login failure discovery
-- smtp: Make sure the ssl search abandoned flag is preserved for reset
-- stream_tcp: Remove redundant/unneeded asserts that check if tcp event is for a meta-ack
pseudo-packet
-- thread_config: Show thread ID when logging binding information
-- trace: Add missing packet information to some of the messages
2020/10/27 - 3.0.3 build 4
-- actions: Add support to react for HTTP/2
-- appid: Fix -Wunused-private-field Clang warning in service_state.h
-- build: Various build fixes for OS X
-- file_api: Remove deletion of file_mempool
-- framework: Fix ConnectorConfig dtor to be virtual
-- ips: Move IPS variables to sub-tables which designate type
-- lua: Update default_variables with 'nets', 'paths', and 'ports' tables in snort_defaults.lua
-- module: Fix modules that accept their configuration as a list
-- payload_injector: Support pages > 16k
-- rna: Add unit tests for TCP fingerprint methods
-- snort: Remove support for -S option
-- src: Clean up zero-initialization of arrays
-- tools: Update snort2lua to convert custom variables into ips.variables.nets/.paths/.ports tables
-- trace: Add timestamps in trace log messages for stdout logger
2020/10/22 - 3.0.3 build 3
-- actions: Update react documentation
-- actions: Use payload_injector for react
-- appid: Add service group and asid in AppIdServiceStateKey
-- appid: Continue appid inspection after third-party identifies an application
-- appid: Do not reset third-party session after third-party reload
-- build: Updates for libdaq changes that introduce significant groups in flow stats
-- codecs: Remove PIM and Mobility from bad protocol lists
-- dce_rpc: Add ingress/egress group and asid in SmbFlowKey and Smb2SidHashKey
-- doc: Tweak the template regex in get_differences.rb
-- dump_config: Don't print names for list elements
-- file_api: Add ingress/egress group and asid in FileHashKey
-- file_magic: Update POSIX tar archive pattern
-- flow: Add source/dest group id in flow key
-- flow: Stale and deleted flows due to EOF should generate would have dropped event
-- ftp_data: Add can_start_tls() support and generate ssl search abandoned event for unencrypted
data channels
-- host_cache: Add delete host, network protocol, transport protocol, client, service, tcp
fingerprint and user agent fingerprint commands
-- host_tracker: Implement client and server delete commands
-- http2_inspect: Handle stream creation for push promise frames
-- ips_options: Fix retry calculation in IPS content when handling "within" field
-- lua: Use default IPS variables in the default config
-- main: Add lua variables for snort version and build
-- managers: Delete obsolete variable parsing code
-- managers: Skip snort_set lua function for non-table top level keys in finalize.lua
-- meta: Do not dump elided header fields or default message
-- meta: Dump full rule field
-- meta: Dump missing port field
-- packet: Add two new apis to parse ingress/egress group from packet's daq pkt_hdr
-- packet_tracer: Add groups in logging based on significant groups flag
-- port_scan: Add group and asid in PS_HASH_KEY
-- rna: Change ip to client instead of server for login events
-- rna: Change logic for payload discovery, eventing
-- rna: Conditionalize reload tuner registration on get_inspector()
-- rna: Log user-agent device information
-- rna: Move registration of reload tuner to configure()
-- snort2lua: Update comments for deleted rule_state options
-- ssh: Fix code indentation and CI breakage
-- ssh: SSH splitter implementation
-- stream: Initialize flow key's flags.ubits with 0
-- stream_tcp: Don't attempt to drop 'meta_ack packets', there is no wire packet for these acks
-- style: Clean up accumulated tabs and trailing whitespace
-- trace: Refactor the test code
-- trace: Skip trace reload if no initial config present
-- utils: Add a generic function to get random seeds
2020/10/07 - 3.0.3 build 2
-- appid: Create events for client user name, id and login success
-- appid: Inform third-party about snort's idle state during reload
-- appid: Reload detector patterns on reload_config for the sake of hyperscan
-- appid: Update appid to use instance based reload tuner
-- binder: Allow binding based on address spaces
-- binder: Allow directional binding based on interfaces
-- binder: Enforce directionality, add intfs, rename groups, cleanup
-- framework: Update packet constraints comparison to check only set fields
-- host_tracker: Update host tracker to use instance based reload tuner
-- http2_inspect: Fix frame padding handling
-- http2_inspect: Free up HI flow data when we are finished with it
-- http2_inspect: Stream state tracking
-- http_inspect: Implement can_start_tls(), add support of ssl search abandoned event
-- http_inspect: Support for custom xff type headers
-- main: Change reload memcap framework to use object instances
-- main: Remove deprecated rule_state module
-- main: Update host attribute class to use instance based reload tuner
-- normalizer: Move TTL configuration toggle to inspector configure()
-- perf_monitor: Update perf monitor to use instance based reload tuner
-- policy: Copy uuid, user_policy_id, and policy_mode when an inspection policy is cloned
-- pop: Generate alert for unknown command if file policy is attached.
-- port_scan: Update port scan to use instance based reload tuner
-- rna: Add event_time to rna logger events
-- rna: Add payload discovery logic
-- rna: Check user-agent processor early to skip some work
-- rna: Port host type discovery logic
-- rna: Set the thread local fingerprint processors during reload_config
-- rna: Update rna to use instance based reload tuner
-- rna: Update methods for user-agent processor
-- rna: User discovery for successful login
-- snort2lua: Convert rule_state into ips.states
-- stream_tcp: Update trace messages to use trace framework
-- stream: Update stream to use instance based reload tuner
-- trace: Update parser unit tests
-- wizard: Clean up parameter parsing and make it a bit stricter
2020/09/23 - 3.0.3 build 1
-- ac_bnfa: Disable broken fail state reduction
-- appid: Check third party context version while deleting connections
-- appid: Use third party payload if available for HTTP tunneled
-- cmake: Support cmake build type configuration
-- dce_rpc: Handle compound requests for upload
-- dce_rpc: Modify logs to show if file context is found or not found
-- dump_config: Sort config options before printing
-- file_api: Update lookup and block timeout from config at file cache creation
-- flowbits: Evaluate checkers after setters for fast pattern matches
-- ftp: Add APPE to upload commands
-- http2_inspect: Convert to new stream states
-- http2_inspect: Fix how implement_reassemble uses frame_type
-- http2_inspect: Refactor HI interactions out of frame constructors
-- http_inspect: Extract filename from content-disposition header for HTTP uploads
-- module_manager: Keep a list of modules supporting reload_module
-- netflow: Cache support and more v5 decoding
-- payload_injector: Don't inject if stream id is even
-- profiler: Fix issue where flushed pattern matches caused rule_eval to be profiled under mpse
-- reputation: Change terms used in code, logs, and peg counts
-- rna: Add unit test to validate VLAN handling
-- rna: Avoid conflicts with other fingerprint definitions
-- rna: Service discovery with multiple vendor and version support
-- rna: Support user agent fingerprints
-- s7commplus: V3 header support
-- search_engine: Fix peg type for max_queued
-- stream_tcp: Add an assert to catch tcp state/event combination that should not occur
-- stream_tcp: Add PegCount for tcp packets received with an invalid ack
-- stream_tcp: Arrange TCP tracker member vars to optimize storage requirements, add helper
functions to access private splitter functions
-- stream_tcp: Delete redundant calls to flush data when FIN is received
-- stream_tcp: Delete unused packet action flags, set action flags via its setter
-- stream_tcp: Fix issues with stream_tcp handling of the TCP MSS option
-- stream_tcp: Handle bad tcp packets consistently when normalizing in ips mode
-- stream_tcp: Implement helper function to return true if the TCP packet is a data segment, false
otherwise
-- stream_tcp: Merge the setup methods of the TcpStreamSession and TcpSession classes into a single
method in TcpSession
-- stream_tcp: Refactor tcp handling of no flags to drop packet before any processing, don't
generate event
-- stream_tcp: Refactor tracker and reassembler classes to improve encapsulation and move member
variables to appropriate class
-- stream_tcp: Remove FIXIT-H because by definition an Ack Sent event in TcpStateNone means the
SYN-ACK was not seen, so no way to do the check suggested
-- stream_tcp: Remove FIXIT-H to add ack validation, the ack is already validated when processed on
the listener side
-- target_based: Support reload of host attribute table via signal as well as control channel
command
2020/09/13 - 3.0.2 build 6
-- active: Remove per packet prevent trust action
-- appid: Add check for nullptr before setting tls host
-- appid: Clear services set in host attribute table upon detector reload
-- appid: Detect SMTP after decryption
-- appid: Dump user appid configuration on reload detectors
-- appid: Generate events for service info changes
-- appid: Pass snort protocol id instead of appid while creating future flow
-- appid: Reorder third-party reload to keep only one handle open at a time
-- appid: Send swap response for reload_odp and reload_third_party commands in control thread
-- appid: Set payload to unknown for out-of-order flows
-- appid: Skip detection for existing sessions after detector reload; rename reload_odp command to
reload_detectors
-- appid: Support json logging in appid_listener
-- appid: Update appid stats for decrypted flows
-- appid: Update appid warning messages to print module name in lowercase
-- build: Fix minor cppcheck warnings
-- build: Updates for libdaq changes to interface group field width and naming
-- byte_jump: Fix jump relative to extracted length w/o relative offset
-- cmake: Restore accidentally removed caching of static DAQ modules
-- dce_rpc: Introduce smb2 logs
-- doc: Update the config dump in JSON format (all policies)
-- doc: Update the config dump in JSON format (main policy)
-- doc: Update trace.txt with info about 'trace.modules.all' option
-- dump_config: Add --dump-config="top" to dump the main policy config only
-- dump_config: Dump config in JSON format to stdout
-- file_api: Increase default max_files_per_flow limit to 128
-- flow: Add a deferred trust class to allow plugins to defer trusting sessions
-- flow: Disabled inspection for FlowState::RESET
-- flow: Reset the flow before removing
-- helpers: Add unit tests for special characters escaping
-- helpers: Fix build on systems without sigaction
-- helpers: Rework DiscoveryFilter to monitor IP lists based on interface rather than group
-- helpers: Use sig_t instead of sighandler_t for better BSD compatibility
-- host_tracker: Fix allocator unit test to work on 32-bit systems again
-- http2_inspect: Convert circular_array to std::vector
-- http2_inspect: Fix continuation frame check
-- http2_inspect: Fix hpack dynamic table init
-- http2_inspect: Prepare http2_inspect and http_inspect for HTTP/2 trailers
-- http2_inspect: Refactor hpack decoding and send trailer to http_inspect for processing
-- http_inspect: Declare get_type_expected const
-- http_inspect: Don't use the URL to cache file verdicts for uploads
-- http_inspect: Script detection
-- http_inspect: Script detection and concurrency fixes
-- http_inspect: Support hyperscan literal search for accelerated blocking
-- http_method: Make available for fast pattern with first body section
-- imap: Publish OPPORTUNISTIC_TLS_EVENT on successful completion on START_TLS, add a new state to
avoid publishing start_tls events multiple times
-- ips_options: Ensure all options use base class hash and compare methods
-- ips: Use the policies in the flow when creating pseudo packet
-- main: Turn off signal handlers later to catch more during snort shutdown
-- managers: Immediately stop executing inspectors when inspection is disabled
-- mime: Fix off-by-1 error with filename and email id capture
-- mime: Minor code cleanup
-- netflow: Introduce netflow as a service inspector
-- packet_io: Added reason for ActiveStatus WOULD
-- packet_io: Do not allow trust unless the action is allow or trust
-- payload_injector: Assume http1, if packet does not have a gadget
-- payload_injector: Fix warning
-- payload_injector: Support http2 injection
-- payload_injector: Support translation of header field value with length > 127
-- perf_monitor: Convert the perf_monitor inspector configure warnings to errors
-- pop: Publish start_tls events, support for ssl search abandoned
-- reputation: Change from group-based to interface-based IP lists
-- rna: Add protocols on logging host trackers
-- rna: Implement update_timeout for MAC hosts
-- rna: Remove dependency on uuid library
-- rna: Remove redefinition of USHRT_MAX
-- rna: Removing unused command and exporting swapper
-- rna: Support client discovery from appid event changes
-- rna: Support service discovery from appid event changes
-- rna: Tcp fingerprints configuration, storage, matching and event generation
-- snort2lua: Remove obsolete and unused code
-- snort2lua: Remove unused unit test files
-- snort: Address fatal shutdown stability issues
-- stream_ip: Fix zero fragment built-in rule triggering for some reassembly policies
-- style: Replace some tabs that snuck in with proper spaces
-- tests: Fix the majority of memory leaks in CppUTest unit tests
-- trace: Add support for modules.all option
-- trace: Update loggers to support extended output with n-tuple packet info
-- utils: Add sys/time.h to util.h for struct timeval definition
-- wizard: Fix the error message about invalid pattern
2020/08/12 - 3.0.2 build 5
-- cip: Fix the trailing parameter for the module
-- dce_rpc: Set dce_rpc as a control channel inspector
-- flow: Check expected flows in flow control and add direction swap flag to expected flows
-- framework: Add an API to check if the module can be bound in the binder
-- ftp: Add opportunistic TLS support
-- ftp: Fix direction for active FTP data transfers
-- helpers: Extend printed JSON syntax
-- http2_inspect: Fix for flush on data frame boundary w/o end of stream
-- http_inspect: Do finish() after partial inspection
-- lua: Add TCP port 80 binding to the connectivity and balanced tweaks
-- main: Add printing modules help in JSON format