18/08/13 - build 246
-- active: Add an upper limit of 255 to min_interval
-- appid: Avoid snort crash upon lua file errors
-- appid: Fixes for TNS, eDonkey, and debug logs in Lua detectors
-- appid: Single lua-state per thread
-- appid: code clean-up
-- appid: create developer notes document
-- appid: make the code compatible with the latest version of snort2.
-- appid: refactor detector initialization
-- appid: fix multithreading issues (data races) from app_forecast
-- appid: many other updates
-- binder: Make two passes at binder rules - one for policy IDs and then everything else
-- binder: Refactor binder as a passive, event-driven inspector
-- byte_test: update operator parsing, remove dead code
-- catch: Update to Catch v2.2.3
-- codecs: Handle raw IP packets in Snort proper
-- codecs: fix dynamic build of root codecs
-- decode: alternate checksum calculation to improve runtime performance
-- detection: don't offload when 0 threads are configured
-- detection: save the ropts used for dce rule options in ips context to support offload
-- detection: various bug fixes for offload emulation
-- doc: Update regarding the build issue with --enable-tcmalloc flag and known workarounds
-- doc: added active response section to user manual
-- doc: corrections to tutorial section
-- doc: update known problems
-- events: remove manager cruft
-- file_id: fix uninitialized
-- file_magic: Update file_magic.lua to cover all file types and versions
-- framework: Enable dynamic building of ips_{pcre,regex,sd_pattern} + Hyperscan MPSE
-- framework: Scratch handlers for SnortState
-- framework: fixed adding probe to wrong SnortConfig
-- http_inspect: URI normalization added to dev_notes
-- http_inspect: add perfmon to splitter
-- http_inspect: bug fix and cleanup
-- http_inspect: memory reduction and misc cleanup
-- http_inspect: renumbered events to avoid current and future conflicts with Snort 2.X
-- inspector: Rename ::update() to ::remove_inspector_binding() to better reflect what it does
-- ips: Remove unused IPS module stats
-- ips_fragbits: Removed dead code
-- packet_tracer: Report user policy IDs and add network policy
-- parser: reset parse error count before reload to avoid confusion
-- perf_monitor: fix for reload
-- perf_monitor: format error in dev_notes
-- policy: Add the ability to set network policy based on user-specified ID
-- policy: Export querying policies by user ID and setting runtime policies
-- profiler: Don't clobber max entry count when recursing
-- reload: do not set policies for incremental reload case
-- reload: set policies upon swap to avoid dangling pointers when idle
-- reputation: make sure reputation inspector is called in default policy
-- reputation: support reload module
-- sfip: if ips_policy doesn't exist, allow for ipvar parsing without vartable
-- sip: Ported sip-splitter implementation from snort2
-- snort.lua: add inline tweaks
-- snort.lua: add talos defaults
-- snort.lua: fix tweaks path; thanks to for reporting the issue
-- snort.lua: fix community rules filename; thanks to for reporting the issue
-- snort2lua: Handle sidechannel config.
-- snort2lua: add conversion for shared memory
-- snort2lua: added missing keyword to nap parsing
-- snort2lua: don't try to index into empty lines
-- snort2lua: fixed nap ip parsing
-- snort2lua: merge multiple nap rules with the same id
-- snort2lua: translate file_type rule option
-- snort: match delete[] with new[]
-- snort: wrap snort SO_PUBLIC symbols in the snort namespace
-- ssh: added test code
-- stream_ip: match delete[] with new[]; don't create zero length trackers
-- stream_tcp: 86 r_nxt_ack as tracker state for next rx seq, use rcv_nxt instead
-- stream_tcp: back out fin handling changes for bug not relevant to snort3
-- tcp_connector_test: fixed version-sensitive build problem
18/05/21 - build 245
-- CodecManager: removed unused code
-- DataBus: fixed creating DataHandler when one doesn't exist
-- Debug messages: cleanup for service inspectors. New traces for detection, stream.
-- Debug: Final debug messages cleanup, removal of macros from snort_debug
-- Ipv4Codec: removed random ip id pool and replaced randoms on demand
-- PacketManager: moved encode storage to heap
-- PerfMonitor: fixed subscribing to flow events multiple times
-- ProtoRef: Converge on single name for SnortProtocolId. Fix threading problems.
-- Reset: Always queue reject and test packet type in RejectAction::exec.
-- SFDAQModule: moved daq stats here. fixed stats not being output from perfmon.
-- Snort2lua: Add ftp_data to multiple files when needed, once per file.
-- Snort2lua: Translate ftp_server relative to default configurations.
-- Snort: moved s_data to heap
-- active: Enable when max_responses is enabled
-- alert: moved alert json. unixsock out from extra to snort3
-- appid: Add AppID debug command
-- appid: Enable Third-Party Code for Packet Processing
-- appid: Fix bug where Service and Application ID's set to port number instead of service appid
-- appid: Fixing service discovery states
-- appid: Only import dynamic detector pegcounts once
-- appid: Refactor debug command
-- appid: Refactor debug command, use SfIp, and fix non-Linux compilation
-- appid: Third party integration support
-- appid: appid session unit test changes
-- appid: change metadata buffers from std::string to pointers, to avoid extra copying
-- appid: clean-up code for performance and implement is_tp_processing_done()
-- appid: create referer object only for non-null string
-- appid: do not inspect out-of-order flows, ignore zero-payload packets for client/service discovery
-- appid: fix memory leak in appid_http_event_test and warning in
-- appid: fix segfault due to dereferencing null host pointer.
-- appid: fix tabs and indentation
-- appid: fixed http fields, referer payload and appid debug
-- appid: make tp_attribute_data more localized, so we only allocate/deallocate it if needed.
-- appid: moved HttpFieldIds to appid_http_session
-- appid: peg count / dynamic peg count update. Split peg counts into the ones known at compile time and dynamic ones. Update stats, module manager and module to support dumping dynamic stats.
-- appid: report when third party appid is done inspecting
-- appid: sip: moved pattern thread local to class instance
-- base64_decode: moved buffer storage to regular heap
-- binder: Fix UBSAN invalid value type runtime error
-- build: 244
-- build: Add --enable-ub-sanitizer option for undefined behavior sanitizer
-- build: Add some header includes for FreeBSD
-- build: Clean up CMake string APPENDing for configure options
-- build: Clean up HAVE_* definition checks
-- build: Define NDEBUG if debugging is not enabled
-- build: Fix building unit tests on FreeBSD
-- build: Modernize code with =default for special member functions
-- build: Modernize code with virtual/override/final cleanups
-- build: Remove bashisms from most shell scripts
-- build: add cmake configure switches for NO_PROFILER, NO_MEM_MGR and DEEP_PROFILING
-- build: add disable-docs to disable doc build
-- build: fix various drops const qualifier cases
-- build: fix various warnings:
-- build: propagate snort3 tsc build option to the extra build system
-- byte_extract: fix cursor update
-- byte_jump: fix from_beginning
-- byte_math: allow rvalue == 0 except for division
-- catch: Update to Catch v2.2.1
-- clock: Allow use of ARM64 CNTVCT_EL0 register for timing (#46); thanks to for the patch.
-- clock: use uint64_t with tsc clock instead of std::chrono for performance
-- cmake: Add --enable-appid-third-party to
-- cmake: Add support for building with tcmalloc
-- cmake: Rework FindPCAP logic and ignore SFBPF
-- cmake: fixed checks for functions
-- cmake: update for iconv
-- codecs: add config option to detection to enable check and alert for address anomalies
-- daq_hext: Make IpAddr() static to fix compiler warning
-- dce_co_process_ctx_id needs to update its caller's (DCE2_CoCtxReq) frag_ptr as it is called in a loop in order to parse each dce/rpc ctx item, otherwise it ends up parsing the same ctx item over and over.
-- dce_rpc: fix parsing of dce/rpc ctx items
-- dce_rpc: pass frag_ptr by reference
-- debug: Remove debug messages from appid, arp_spoof, and perf_monitor
-- debug: Remove debug messages from detection and ips_options
-- debug: Remove debug messages from stream
-- decompress/ implicit fallthrough
-- detect: moving thread locals identified to ips context
-- detection: fixed uninitialized MpseStash
-- doc: add doc for module trace
-- encoders: fixed off-by-one error in underlying buffer handling
-- extra: Port some CMake options from Snort prime
-- extra: splitted extra out to snort3_extra repo
-- file_api: combine file cache for file resume and partial file processing
-- file_connector: Fix address-of-packed-member compiler warnings
-- unreachable code return
-- file_type: Require strings instead of integers for types. Handle versions.
-- flow: SO_PUBLIC FlowKey
-- framework: align PktType and proto bits
-- framework: remove bogus PktType for ARP and just use proto bits instead
-- ftp_server: Added Flow::set_service and fixed FtpDataFlowData::handled_expected.
-- ftp_server: Added ability get TCP options length from TcpStreamSession.
-- ftp_server: Added accessors to Stream so TcpStreamSession can be private.
-- ftp_server: Base last_seg_size off of MSS.
-- ftp_server: Provide FLOW_SERVICE_CHANGE pub/sub event.
-- ftp_server: ftp_server requires that ftp_client and ftp_data be configured.
-- hashfcn: Fix UBSAN integer overflow runtime error
-- hashfcn: Fix UBSAN left shift of negative value runtime error
-- http_inspect: broken chunk performance improvement
-- http_inspect: bugfix and new alert for gzip underrun
-- http_inspect: embedded white space in Content-Length
-- http_inspect: handling of run-to-connection-close bodies beyond depth
-- http_inspect: know more Content-Encodings by name
-- http_inspect: patch around regression failures until a permanent solution is implemented
-- http_inspect: performance enhancements for file processing beyond detection depth
-- ip: replaced REG_TEST with -H option for ipv4 codec fixed seed
-- ips_byte_jump: Fix UBSAN left shift of negative value runtime error
-- ips_byte_math: Fix UBSAN left shift of negative value runtime error
-- ips_flags: remove dead code
-- javascript: moved decode buffer to stack
-- memory: disable with -DNO_MEM_MGR
-- dangling references
-- packet_capture, cmake: Remove SFBPF dependencies
-- packet_capture: adding analyzer command to initialize dump file
-- packet_tracer: Fix compiler warning when compiling with NDEBUG
-- packet_tracer: Modularize and add constraint-based shell enablement
-- parameter: Fix UBSAN shift exponent is too large for 32-bit type runtime error
-- parser: allow arbitrary rule gids
-- pop, imap, and smtp: changes to MIME configuration parameters
-- port_scan: include open ports with alerts instead of separate
-- profile: disable with -DNO_PROFILER
-- profiler: add deep profiler option
-- reload: enabled reloading ips_actions; added parse error check for reloading
-- reputation: remove the limit for zone id
-- reputation: add zone support
-- search_engine: revert default detect_raw_tcp to false
-- service inspectors: debug cleanup
-- sfip: A version of set() which automatically determines the family
-- sfip: removed ntoa. use ntop(SfIpString) instead.
-- snort2lua: Add reject action when active responses is enabled
-- snort2lua: conversion of gid 120 to 119
-- snort2lua: enable reject action when firewall is enabled
-- snort: -r- will read packets from stdin
-- spell check: fix memeory and indicies typos
-- stream_tcp: change singleton names from linux to new_linux to avoid spurious collisions with defines
-- stream ip: refactored to use MemoryManager allocators
-- stream: assume gid 135 so those rules are handled as standard builtins
-- stream: be selective about flow creation for scans
-- stream: refactor flow control for new PktTypes
-- stream: remove unused ignore_any_rules from tcp and udp
-- stream: respect tcp require_3whs
-- stream: warning: potential memory leaks
-- stream_tcp: refactor tcp normalizer and reassembler to eliminate dynamic heap allocations per flow
-- stream_tcp: switch to splitter max
-- stream_tcp: tweak seglist cursor handling
-- target_based: 100% coverage on
-- target_based: unit tests for ProtocolReference class
-- tcp codec: count bad ip6 checksums correctly; thanks to for reporting the issue
-- tcp: allow data handling for packet with invalid ack
-- time: initialize Stopwatch::start_time member variable to 0 ticks when TSC clock is enabled
-- trace: add traces for deleted debug messages
-- wizard: Fix UBSAN out-of-bounds access runtime error
-- zhash: cleanup cruftiness
18/03/15 - build 244
-- appid: unit-tests for http detector plugins
-- build: address compiler warnings, spell check and static analyzer issues
-- build: extirpate autotools usage
-- build: fix compilation issue on FreeBSD with extra
-- byte_jump: updated byte_jump post_offset option to support variable
-- cmake: update CMake config to use GNUInstallDirs and match automake
-- daq: hext DAQ can generate start of flow and end of flow meta events
-- doc: add documentation for ftp telnet
-- doc: fix including config_changes.txt when ruby is not present
-- doc: update ftp time format link
-- doc: updates for HTTP/2
-- http_inspect: handle white space before chunk length
-- inspectors: probes run regardless of active policy
-- logger: update Hext Logger to subscribe and log DAQ Meta Packets
-- main: reload hosts while reloading config
-- memory: override C++14 delete operators as well
-- packet tracer: added ability to direct logging to file
-- perf_monitor: fixed flow_ip outputting erroneous values
-- perf_monitor: query modules for stats only after they have all loaded
-- snort: --rule-to-text [<delim>] raw string output
-- snort: allow colon separated directories for --daq-dir
-- snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort' namespace
18/02/12 - build 243
-- build: enable gdb debugging info by default
-- build: fix cppcheck warnings
-- build: fix static analysis issue
-- comments: fix 6isco typos
-- copyright: update year to 2018
-- detection: use detection limit (alt_dsize)
-- detection: trace fast pattern searches with 0x20
-- detection: do not change search_engine.inspect_stream_inserts configuration
-- doc: update default manuals
-- flow: support episodic detection
-- help: upper case proto acronyms etc.
-- http_inspect: apply request/response depth to packet data
-- http_inspect: suppress raw packet inspection beyond request/response depth
-- main: Export AnalyzerCommand and main_broadcast_command()
-- rules: fix path variable expansion
-- search_engine: rename inspect_stream_inserts to detect_raw_tcp for clarity; default to true for 2.X rule sets
-- rules: update fast pattern selection to exclude redundant port groups when service groups are present
-- wizard: count user scans and hits separate from tcp
18/01/29 - build 242
-- build: add STATIC to add_library call of port_scan to build it statically, otherwise link will fail (already build only the static version); thanks to Fabrice Fontaine <>
-- doc: update snort2lua for .rules files
-- doc: fixed some typos
-- expect: removed a single-element structure ExpectFlows
-- file_api: give FilePolicyBase a default virtual destructor
-- file: gracefully handle not having file policy configured in dce_smb
-- flow: provided access to all expected flows created by a packet
-- inspection events: added mandatory expected flow pub sub support
-- inspector_manager: fix acquire and use of default policy
-- profiler: fixed missing include
-- sfdaq: export can_whitelist() and modify_flow_opaque()
-- file_api: move VerdictName array out of file_api.h
-- snort2lua: fix file_rule_path and fw_log_size handling in firewall preprocessor
-- snort2lua: make sure file_magic table comes before file_id table.
-- snort2lua: detect commented 'alert' rules and convert them from snort to snort3 format. Leave the rules commented out in the snort3 rules file.
-- snort2lua: convert *.rules files line-by-line
-- unit tests: updated Catch
-- unit tests: added ability to run Catch tests from dynamic modules
-- utils, flatbuffers: added a uniform interface for 64-bit endian swaps
17/12/15 - build 241
-- add back the ref count for file config
-- alert_csv: various fixes to match alert_json
-- alert_json: tcp_ack, tcp_seq, and tcp_win are (base 10) integers
-- alert_json: various fixes; thanks to Noah Dietrich <> for reporting the issues
-- appid: close all Lua states when thread exits
-- appid: gracefully handle failed Lua state instantiation; thanks to Noah Dietrich <> for reporting the issue.
-- appid: only update session flags and discovery state if service id actually set to http
-- appid: patch to update the appid discovery state when an http event results in setting of the service id for a flow
-- appid: return false from is_third_party_appid_available when no third party module is available.
-- appid: tweak warnings and errors
-- binder: activate profiler support
-- binder: add FIXIT re creating default bindings when the wizard is not configured
-- binder: fix ingress / egress test
-- binder: minor perf and readability tweaks
-- build: fixed build issues on OSX with clang with cd_pbb, alert_json
-- build: fixed several dynamic modules on OSX / clang
-- build: suppress appid warnings for valid case statement fall throughs
-- byte_test: fix string bounds check
-- catch: Update to Catch v2.0.1
-- cmake: add --define to for arbitrary defines
-- codec: added wlan support for arp_spoof
-- codec: updated MIPv6 and merged, and to
-- conf: remove OPTIONS from SIP and HTTP spells to avoid confusion with RTSP
-- conf: remove client to server spells for FTP, IMAP, POP, and SMTP to avoid false pickups
-- control: must execute from default policy only
-- control: process flow first
-- cppcheck: More miscellaneous fixes, mostly for new Catch
-- daq: explicitly initialize more fields in SFDAQInstance constructor
-- daq: handle real IP and port
-- data_bus: also publish to default policy
-- data_bus: refactor basic access for pub / sub
-- dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc)
-- detection: fix option tree looping issue
-- detection: rename ServiceInfo to SignatureServiceInfo
-- doc: fix typo in style section
-- doc: update default manuals
-- file api: move file verdict enforcement out of file policy
-- file api: support file verdict delay during signature lookup
-- file policy and file config update to allow user define customized file policy through file api
-- file policy: add support for file event logging
-- file_api: Set the FileContext verdict, not a local verdict
-- file_id: add interface to access file info from file capture
-- file_id: support groups
-- hash: Rename SFGHASH, SFXHASH, SFHASHFCN to something reasonable
-- http_inspect: add profiler support
-- http_inspect: fix bugs related to stream interaction
-- http_inspect: use configured max_pdu as base target reassembly size
-- inspection: default policy mode depends on adaptor mode
-- ips options: error if lookup fails due to bad case, typos, etc.; thanks to Noah Dietrich <> for reporting the issue
-- memory: no stats output unless configured
-- normalizer: added test mode
-- normalizer: fix enable checks
-- parsing: resolve paths from the current config directory instead of process directory
-- policy: added inspection policy config.
-- port_scan: add alert_all to make alerting on all events in window optional
-- port_scan: fix flow checks
-- profiler: fix focus of eventq
-- reputation: tweak warning message
-- rules: default msg = "no msg in rule"
-- sfrt: remove cruft and reformat header
-- shell: fixed crash when issuing control commands
-- sip: use log splitter for tcp
-- snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder
-- snort2lua: Convert file_magic.conf to Lua format.
-- snort2lua: added inspection uuid
-- snort2lua: added na_policy_mode. added ability amend tables if created.
-- snort2lua: added normalize_tcp: ftp
-- snort2lua: fix stream_size: to_client, to_server conversion
-- snort2lua: future proof --bind-wizard binding order
-- snort2lua: no sticky buffer for relative pcre
-- snort2lua: remove when udp from binding to support tcp too
-- snort2lua: tweak const name for clarity (internal)
-- snort2lua: urilen:<> --> bufferlen:<=>
-- snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces from LeakSanitizer
-- soid: allow stub to contain any or all options
-- --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static
-- stream: change tcp idle timeout to 3600 to match 2.X nominal timeout
-- stream_*: separate session profiler data from flow cache profiler data
-- stream_ip: fix non-frag counting
-- stream_size: fix eval packet checks
-- stream_tcp: delete superfluous memsets to zero
-- stream_tcp: ignore flush requests on uninitialized sessions (early abort condition)
-- stream_tcp: instantiate wizard only when needed
-- stream_tcp: remove empty default state action
-- stream_user: clear splitter properly
-- target_based: Install header
-- wizard: abort if no match
-- wizard: activate profiler support
-- wizard: usage is inspect
17/10/31 - build 240
-- active: fix packet modify vs resize handling
-- alert_csv: rename dgm_len to pkt_len
-- alert_csv: add b64_data, class, priority, service, vlan, and mpls options
-- alert_json: initial json event logger
-- alerts: add log_references to store and log rule references with alert_full
-- appid: enable SSL certificate pattern matching
-- appid: fix build with LuaJIT 2.1
-- appid: reorganize AppIdHttpSession to minimize padding
-- appid: add count for applications detected by port only
-- appid: create expected flow immediately after ftp PORT command for active mode
-- appid: handle sip events before packets
-- appid: overhaul peg counting for discovered appids
-- appid: use ac_full search method since it supports find_all; force enable dfa flag
-- binder: added network policy selection
-- binder: added zones
-- binder: allow src and dst specifications for ports and nets
-- binder: check interface on packet instead of flow
-- binder: fixed nets check falling through on failure
-- build: clean up a few ICC 2018 and GCC 7 warnings
-- build: fix linking against external libiconv with autotools
-- build: fix numerous analyzer errors and leaks
-- build: fix numerous clang-tidy warnings
-- build: fix numerous cppcheck warnings
-- build: fix numerous valgrind errors
-- build: fixed issues on OSX
-- catch: update to Catch v1.10.0
-- cd_icmp6: fix encoded cksum calculation
-- cd_pbb: initial version of codec for 802.1ah; thanks to jan hugo prins <> for reporting the issue
-- cd_pflog: fix comments; thanks to Markus Lude <> for the 2X patch
-- content: fix relative loop condition
-- control: delete the old binder while reloading inspector
-- control: update binder with new inspector
-- daq: add support for DAQ_VERDICT_RETRY
-- daq: add support for packet trace
-- daq: add support tunnel bypass for IP 4IN4, IP 6IN6, GRE and MPLS by config and flags
-- data_log: update to new http_inspect
-- dce_rpc: remove connection-oriented rules from dce_smb module
-- dce_smb: unicode filename support
-- doc: add module usage and peg count type
-- doc: add POP, IMAP and SMTP to user manual features
-- doc: add port scan feature
-- flow key: support associating router solicit/reply packets to a single session
-- http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after status line or headers
-- http_inspect: add random increment to message body division points
-- http_inspect: added http_raw_buffer rule option
-- http_inspect: create message sections with body data that has been dechunked and unzipped but not otherwise normalized
-- http_inspect: handle borked reassembly gracefully; thanks to João Soares <> for reporting the issue
-- http_inspect: support for u2 extra data logging
-- http_inspect: test tool improvements
-- http_inspect: true IP enhancements
-- inspectors: add control type and ensure appid is run ahead of other controls
-- inspectors: add peg count for max concurrent sessions
-- ips: add uuid
-- loggers: add base64 encoder based on libb64 from devolve
-- loggers: use standard year/mon/day format
-- main: fix potential memory leak when queuing analyzer commands
-- memory: align allocator metadata such that returned memory is also max_align_t-aligned
-- memory: output basic startup heap stats
-- messages: output startup warnings and errors to stderr instead of stdout
-- messages: redirect stderr to syslog as well
-- modules: add usage designating global, context, inspect, or detect policy applicability
-- mss: add extra rule option to check mss
-- parser: disallow invalid port range !:65535 (!any)
-- parser: tweak performance
-- pcre: fix relative search with ^
-- pop: service name is pop3
-- replace: fix activation sequence
-- rules: warn only once per gid:sid of no fast pattern
-- search_engine: port the optimized port table compilation from 2.9.12
-- search_engines: Fix case sensitive ac_full DFA matching
-- shell: delete inspector from the default inspection policy
-- shell: fix --pause to accept control commands while in paused state
-- sip: sip_method can use data from any sip inspector of any inspection policy
-- snort.lua: align default conf closer to 2.X
-- snort.lua: expand default conf for completeness and clarity
-- snort_defaults.lua: update default servers and ports
-- snort2lua: correctly identify ftpbounce and sameip as unsupported rule options
-- snort2lua: added XFF configuration to unsupported list
-- snort2lua: added config protected_content to deleted list
-- snort2lua: added config_na_policy_mode to unsupported list
-- snort2lua: added dynamicoutput to deleted list
-- snort2lua: added firewall to unsupported list
-- snort2lua: added nap.rules zone translation
-- snort2lua: added nap_selector support
-- snort2lua: added nap_selector to unsupported list
-- snort2lua: added sf_unified2 to unsupported list and matching log/alert to deleted.
-- snort2lua: bindings now merge and propagate to top level of corresponding policy
-- snort2lua: config policy_id converts to when ips_policy_id
-- snort2lua: convert dsize:a<>b to dsize:a<=>b for consistency with other rule options
-- snort2lua: do not convert sameip; handle same as ftpbounce (no longer supported)
-- snort2lua: enforced ordering to bindings in binder table
-- snort2lua: fix null char in -? output
-- snort2lua: fixed extra whitespace generation
-- snort2lua: logto is not supported
-- snort2lua: removed port dce proxy bindings to fix http_inspect conflicts
-- snort2lua: search_engine.split_any_any now defaults to true
-- snort: -T does not compile mpse; --mem-check does
-- snort: add warnings count to -T output
-- snort: add --dump-msg-map
-- snort: exit with zero from usage
-- snort: fix --dump-builtin-rules to accept optional module prefix
-- stdlog: support snort 3> log for text alerts
-- target: add rule option to indicate target of attack
-- thread: add logging directory ID offset controlled by --id-offset option
-- u2spewfoo: fix build on FreeBSD
-- unified2: add legacy_events bool for out-of-date barnyard2
-- unified2: log buffers as cooked packets with legacy events
-- wscale: add extra rule option to check tcp window scaling
17/07/25 - build 239
-- rules: remove sample.rules; Talos will publish Snort 3 rules on
-- logging: fix handling of out of range timeval; thanks to for reporting the issue
-- wizard: fix direction issue
-- wizard: fix imap spell
17/07/24 - build 238
-- check: update hyperscan and regex tests
-- cpputests: clean up some header include issues
-- daq_socket: update to support query of pci
-- detection: fix debug print of fast pattern only
-- detection: rule evaluation trace utility
-- doc: update concepts and differences
-- file_api: memory leak fixed
-- file_id: fixes for file capture exit
-- http_inspect: added 119:97 for lower case letters in version field
-- http_inspect: alert 119:96 added for unsolicited 206 response.
-- http_inspect: specific alert added 119:95 for Content-Encoding chunked.
-- ipv6: fix flow label access method; thanks to schrx3b6 for the patch
-- loggers: remove units options; all limits expressed in MB
-- mpse: Remove Intel Soft CPM support
-- mpse: make regex capability generic
-- mpse: only use literals for fast patterns if search_method is not hyperscan
-- output: add packet trace feature
-- perf_monitor: fixed main table (perf_monitor) having same name as pegs for perfmon field
-- regex: fix pass through of mpse flags to hyperscan
-- replace: do not trip over fast pattern only
-- rpc: revert to positional params, fix tcp logic, clean up formatting
-- rules: promote metadata:service to a separate option since it is not metadata
-- snort2lua: Fixed incorrect file names errors
-- snort2lua: move footprint to stream from stream_tcp
-- spell check: fix message and comment typos
-- stream: add ip_proto as part of flow key
-- stream: fix user dependency on flush bucket
-- text logs: fix default unlimited file size
-- u2: add event3 to u2spewfoo
-- u2: convert thread local buffers to heap
-- u2: deprecate ip4 and ip6 specific events and add a single event for both
-- u2: remove obsolete configurations
-- u2: support mixed IP versions
17/07/13 - build 237
-- build: add support for appending EXTRABUILD to the BUILD string
-- build: Clean up some ICC 2017 warnings
-- build: clean up some GCC 7 warnings
-- build: support OpenSSL 1.1.0 API
-- build: clean up some cppcheck warnings
-- appid: port some missing 2.9.X FEAT_OPEN_APPID code
-- appid: fix thread-unsafe sharing of HTTP pattern tables
-- DAQ: fix leaking instance memory when configure fails
-- daq_hext and daq_file: pass PCI via query method
-- icmp6: reject non-ip6, raise 116:474
-- http_inspect: header normalization improvements
-- http_inspect: port fixes for UTF decoding
-- http_inspect: added 119:87 - 119:90 for expect / continue issues
-- http_inspect: added 119:91 for Transfer-Encoding header not valid for HTTP 1.0
-- http_inspect: added 119:92 for Content-Transfer-Encoding
-- http_inspect: added 119:93 for issues with chunked message trailers
-- PDF decompression: fix missing reset in state machine transition
-- ftp_server: implement splitter to improve EOF processing
-- port_scan: merge global settings into main module and other improvements
-- perf_monitor: add JSON formatter
-- ssl: add splitter to improve PDU processing
-- detection: fix segfault in DetectionEngine::idle sans thread_init
-- rules: tolerate spaces in positional parameters; thanks to Joao Soares for reporting the issue
-- ip and tcp options: fix max length handling and clean up logging
-- cmg: improved alert formatting
-- doc: updates re control channel
-- snort2lua: added line number and file name to error output
-- snort2lua: fix removal of ignore_ports in stream_tcp.small_segments
-- snort2lua: fix heap-use-after-free for preprocessors and configs with no arguments
-- snort2lua: update for port_scan
17/06/15 - build 236
-- appid: clean up shutdown stats
-- appid: fix memory leak
-- conf: update defaults
-- decode: updated ipv6 valid next headers
-- detection: avoid superfluous leaf nodes in detection option trees
-- http_inspect: improved handling of badly terminated chunks
-- http_inspect: improved transfer-encoding header processing
-- ips options: add validation for range check types such as dsize
-- perf_monitor: add more tcp and udp peg counts
-- perf_monitor: update cpu tracker output to thread_#.cpu_*
-- port_scan: alert on all scan attempts so blocking is possible
-- port_scan: make fully configurable
-- sip: fix get body buffer for fast patterns
-- ssl: use stop-and-wait splitter (protocol aware splitter is next)
-- stream_ip: fix 123:7
17/06/01 - build 235
-- http_inspect: improve handling of improper bare \r separator
-- appid: fix bug where TNS detector corrupted the flow data object
-- search_engine: set range for max_queue_events parameter
thanks to for reporting the issue
-- arp_spoof: reject non-ethernet packets
-- stream_ip: remove dead code and tweak formatting
-- ipproto: remove unreachable code
-- control_mgmt: add support for daq module reload
-- control_mgmt: add support for unix sockets
-- doc: update default manuals
-- doc: update differences section
-- doc: update README
17/05/21 - build 234
-- byte_math: port rule option from 2X and add feature documentation
-- pgm: don't calculate checksum if header length is not divisible by 4
-- appid: fix sip event handling, http pattern lists, thread locals
-- build: fix issues with OpenSolaris and FreeBSD builds
-- cmake: fix issues with libpcap and miscellaneous
-- offload: refactor for initial (experimental) version of regex offload to other threads
-- cmg: revamp hex buffer dump format with 16 or 20 bytes per line
-- rules: reject positional parameters containing spaces
17/05/11 - build 233
-- packet manager: ensure ether type proto ids don't masquerade as ip proto ids
thanks to Bhargava Shastry <> for reporting the issue
-- codec manager: fix off-by-1 mapping array size
thanks to Bhargava Shastry <> for reporting the issue
-- codec: fix extraction of ether type from cisco metadata
-- appid: add new unit tests to the cmake build, fix missing lib reference to sfip
-- sfghash: clean up and add unit tests
-- http: fix 119:38 false positive
-- main: fix compiler warnings when SHELL is not enabled
-- perf_monitor: fix flatbuffers handling of empty strings
-- modbus: port fix for false positives on length field
-- http: port simple UTF decoding w/o byte order mark
-- build: updated code to resolve cppcheck warnings
-- cleanup: fix typos in source code string literals and comments
-- doc: fix typos
17/04/28 - build 232
-- build: clean up Intel compiler warnings and remarks
-- build: fix FreeBSD compilation issues
-- cmake: fix building with and without flatbuffers present
-- autoconf: check for lua.hpp as well as luajit.h to ensure C++ support
-- shell: make commands non-blocking
-- shell: allow multiple remote connections
-- snort2lua: fix generated stream_tcp bindings
-- snort2lua: fix basic error handling with non-conformant 2.X conf
-- decode: fix 116:402
-- dnp3: fix 145:5
-- appid: numerous fixes and cleanup
-- http_server: removed (use new http_inspect instead)
-- byte_jump: add bitmask and from_end (from 2.9.9 Snort)
-- byte_extract: add bitmask (from 2.9.9 Snort)
-- flatbuffers: add version to banner if present
-- loggers: build alert_sf_socket on all platforms
17/04/07 - build 231
-- add decode of MPLS in IP
-- add 116:171 and 116:173 cases (label 0 or 2 in non-bottom of stack)
-- cleanup: remove dead code
17/03/27 - build 230
-- require hyperscan >= 4.4.0, check runtime support
thanks to for submitting the patch
-- fix search tool issue with empty pattern database
thanks to for reporting the issue
-- fix sip_method to error out if sip not instantiated
-- major appid overhaul to address lingering concerns: refactor, cleanup,
-- major detection overhaul to address lingering concerns: refactor, cleanup,
release memory ASAP
-- add FlatBuffers output format to perf_monitor
also added tool to convert FlatBuffers files to yaml
-- add regex.fast_pattern; do not use for fast pattern unless explicitly indicated
-- update copyrights to 2017
17/03/17 - build 229
-- fixed mpse to ensure all search methods return consistent results
-- updated search tool to use fast pattern config's search method
(benefits appid, http_inspect, imap, pop, and smtp)
-- snort2lua parsing bug fixes to recognize incomplete constructs
-- http_inspect: added alert 119:81 for nonprinting character in header name
-- http_inspect: added alert 119:82 for bad Content-Length value
-- http_inspect: added alert 119:83 for header wrapping; CR and LF parsed as whitespace
17/03/02 - build 228
-- update hyperscan mpse: print error message and erroneous pattern when compilation fails
-- update rule parser: add multiple byte orders warning
-- fix pid file: create regardless of priv drop settings
-- fix dce_rpc: mark generated iface patterns as literal
-- snort2lua: mark appid conf and thirdparty_appid_dir as unsupported (temporary)
-- snort2lua: fix a couple of typos in table API output
-- snort2lua: fix sticky buffer following uricontent
-- doc: add DAQ configuration documentation
-- doc: move LibDAQ README to Reference, update, and fix typos
-- doc: update default manuals
17/02/24 - build 227
-- allow arbitrary / unused gids in text rules
-- support DAQs w/o explicit sources (nfq, ipfw)
-- fix up peg help (remove _)
-- fix u2 logging of PDUs
17/02/16 - build 226
-- add PDF/SWF decompression to http_inspect
-- add connectors to generated reference parts of manual
-- add feature documentation for HA, side_channel, and connectors
-- add feature documentation for http_inspect
-- update default manuals
-- fix privilege dropping and chroot behavior
-- fix perf_monitor segfault when tterm is called before tinit
-- fix stream_tcp counter underflow bug and handle max and instant stats
-- fix lzma length calculation bug
-- fix bogus 129:20 alerts
-- fix back orifice compiler warning with -O3
-- fix bug that could cause hang on ctl-C
-- fix memory leak after reload w/o changing search engine
-- fix off by one error when reassembling after TCP FIN received
-- fix cmake doc build to include plugins on SNORT_PLUGIN_PATH
-- fix compiler warnings in dce_http_server and dce_http_proxy
-- fix appid reload issue
-- snort2lua - changes for rpc over http
-- snort2lua - changes to convert config alertfile: <filename>
-- snort2lua - changes to add file_id when smb file inspection is on
-- snort2lua - add deprecated option stream5_tcp: log_asymmetric_traffic
17/02/01 - build 225
-- implement RPC over HTTP by adding dce_http_server and dce_http_proxy
-- port disable_replace option from snort 2.x and add snort2lua support
-- port ssh tunnel over http detection
-- fix stream splitter handling during final flush of session data
-- fix appid to use HTTP inspection events to detect webdav methods
-- fix unit test build to work w/o REG_TEST
-- fix shell to add missing newline to Lua execution error responses
-- fix support for content strings with escaped quotes ("foo\"bar")
thanks to for reporting the issue
-- fix various reload issues
-- fix various thread sanitizer issues
-- fix session disposal to always be after logging
-- fix appid pattern matching issues
-- fix appid dns flow counts
-- fix shell resume after command line --pause
-- fix sd_pattern validation boundary conditions
-- build: don't disable asserts when compiling with code coverage
-- autoconf: update to latest versions of autoconf-archive macros
-- main: add asynchronous, broadcastable analyzer commands
-- add salt to flow hash
-- normalize peg names to lower snake_case
-- update default manuals
17/01/17 - build 224
-- fix various stream_tcp flush issues
-- fix various cmake issues
-- fix appid counting of kerberos flows
-- fix expected flow leak when expiring nodes during lookup
thanks to João Soares <> for reporting the issue
-- fix autoconf retrieving PCRE cppflags from pkg-config
-- fix stream_user reassembly
-- remove unused appid.thirdparty_appid_dir
-- build and install plugins as modules instead of libraries
-- obfuscate stream rebuilt payload
-- updates for latest zlib
-- disable smb2 processing when file service is disabled
-- refactor includes; prune the set of installed headers
-- don't build alert_sf_socket on OSX
-- added CPP flags used to build Snort to snort.pc for extras and other
plugins to use
16/12/21 - build 223
-- port 2983 smb active response updates
-- fix reload crash with file inspector
-- fix appid service dispatch handling issue
thanks to João Soares <> for reporting the issue
-- fix paf-type flushing of single segments
thanks to João Soares <> for reporting the issue
-- fix daemonization
thanks to João Soares <> for reporting the issue
-- also fixes double counting of reassembled buffers
-- fix fallback from paf to atom splitter if flushing past gap
-- fix thread termination segfaults after DAQ module initialization fails
-- fix non-x86 builds - do not build tsc clock scaling
-- added appid to user manual features
-- update default user manuals
-- minor refactor of flush loop for clarity
-- improve http_inspect Field class
-- refactor plugin loading
16/12/16 - build 222
-- add JavaScript Normalization to http_inspect
-- fix appid service check dispatch list
-- fix modbus_data handling to not skip options
thanks to for reporting the issue
-- fix sensitive data filtering documentation issues
-- build: Illumos build fixes
-- build: Address some cppcheck concerns
-- miscellaneous const tweaks
-- reformat builtin rule text for consistency
-- reformat help text for consistency
-- refactor user manual for clarity
-- update default user manuals
16/12/09 - build 221
-- fix appid handling of sip inspection events
-- fix wizard to prevent use-after-free of service name
-- fix various issues reported by cppcheck
-- fix reload race condition
-- fix cmake + clang builds
-- add padding guards around hash key structs
-- update manual for dce_* inspectors
-- refactor IP address handling
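The two entries "add salt to flow hash" (build 225) and "add padding guards around hash key structs" (build 221) describe the same class of problem: a flow table keyed by a struct that is hashed and compared byte-for-byte. The example below is added here to illustrate both points; it is not Snort's code and the FlowKey layout, the FNV-1a-based hash and the attacker model are assumptions made for the illustration. Explicit pad fields plus a memset make the key's bytes deterministic (otherwise memcmp and a byte-wise hash see uninitialized padding), and mixing a per-process salt into the hash means an attacker who knows the algorithm can no longer precompute source ports that all land in one bucket.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NBUCKETS  256u    /* deliberately small table so collisions are easy to find */
#define MAX_FLOWS 16

/* Hypothetical flow key (not Snort's). The 1-byte proto would normally be
 * followed by compiler-inserted padding; pad1 makes that padding explicit
 * so it can be zeroed and the struct has no hidden holes (sizeof == 16). */
typedef struct {
    uint8_t  proto;
    uint8_t  pad1[3];     /* explicit padding guard */
    uint32_t ip_lo;
    uint32_t ip_hi;
    uint16_t port_lo;
    uint16_t port_hi;
} FlowKey;

/* Zero the whole struct first, then fill it in canonical (low/high) order so
 * both directions of a flow produce identical bytes. */
void flow_key_init(FlowKey* k, uint8_t proto,
                   uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp)
{
    memset(k, 0, sizeof *k);   /* without this, padding bytes are indeterminate */
    k->proto = proto;
    if (sip < dip || (sip == dip && sp < dp)) {
        k->ip_lo = sip; k->port_lo = sp; k->ip_hi = dip; k->port_hi = dp;
    } else {
        k->ip_lo = dip; k->port_lo = dp; k->ip_hi = sip; k->port_hi = sp;
    }
}

/* Byte-wise comparison is only valid because the padding is deterministic. */
int flow_key_equal(const FlowKey* a, const FlowKey* b)
{
    return memcmp(a, b, sizeof *a) == 0;
}

/* FNV-1a over the key bytes with the salt folded into the starting state.
 * Illustration only: a production table should use a real keyed hash such
 * as SipHash, since FNV-1a is not designed to resist a salt-recovery attack. */
uint32_t flow_hash(const FlowKey* k, uint32_t salt)
{
    uint32_t h = 2166136261u ^ salt;
    const uint8_t* p = (const uint8_t*)k;
    for (size_t i = 0; i < sizeof *k; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Attacker model: knowing the hash and assuming salt `known_salt`, choose
 * source ports for TCP flows 10.0.0.1 -> 10.0.0.2:80 that share one bucket.
 * Returns how many were found (up to `want`). */
size_t find_colliding_ports(uint32_t known_salt, size_t want, uint16_t* out)
{
    FlowKey k;
    flow_key_init(&k, 6, 0x0A000001u, 1024, 0x0A000002u, 80);
    uint32_t target = flow_hash(&k, known_salt) % NBUCKETS;
    size_t n = 0;
    for (uint32_t sp = 1024; sp < 65536 && n < want; sp++) {
        flow_key_init(&k, 6, 0x0A000001u, (uint16_t)sp, 0x0A000002u, 80);
        if (flow_hash(&k, known_salt) % NBUCKETS == target)
            out[n++] = (uint16_t)sp;
    }
    return n;
}

/* Largest bucket occupancy when those flows are inserted under `salt`. */
size_t max_bucket_load(const uint16_t* ports, size_t n, uint32_t salt)
{
    size_t load[NBUCKETS] = {0};
    size_t worst = 0;
    for (size_t i = 0; i < n; i++) {
        FlowKey k;
        flow_key_init(&k, 6, 0x0A000001u, ports[i], 0x0A000002u, 80);
        size_t b = flow_hash(&k, salt) % NBUCKETS;
        if (++load[b] > worst) worst = load[b];
    }
    return worst;
}

/* Both directions of the same flow must compare and hash identically. */
int canonical_keys_match(void)
{
    FlowKey a, b;
    flow_key_init(&a, 6, 0x0A000001u, 40000, 0x0A000002u, 443);
    flow_key_init(&b, 6, 0x0A000002u, 443, 0x0A000001u, 40000);
    return flow_key_equal(&a, &b) && flow_hash(&a, 7) == flow_hash(&b, 7);
}

/* Bucket load of the attacker's precomputed (unsalted) set under `salt`. */
size_t attack_load(uint32_t salt)
{
    uint16_t ports[MAX_FLOWS];
    size_t n = find_colliding_ports(0, MAX_FLOWS, ports);
    return n == MAX_FLOWS ? max_bucket_load(ports, n, salt) : 0;
}

int main(void)
{
    printf("canonical keys match: %d\n", canonical_keys_match());
    printf("unsalted max bucket load: %zu\n", attack_load(0));
    printf("salted   max bucket load: %zu\n", attack_load(0x9E3779B9u));
    return 0;
}
```

With the salt fixed at 0 the attacker's 16 chosen flows all land in one bucket; under any other per-process salt the same 16 ports spread out, which is the point of salting. The canonical-key check is what the padding guard buys: without the zeroed pad bytes, the two directions of one flow could differ in garbage bytes and silently become two flows.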
16/12/01 - build 220
-- fixed uu and qp decode issue
-- fixed file signature calculation for ftp
-- fixed file resume blocking
-- fix 135:2 to be upon completion of 3-way handshake
-- fix memory leak with libcrypto use
-- fix multithreaded use of libcrypto
-- fix default snort2lua output for gtp and modbus
-- fix Lua ordering issue with net and port vars
-- fix miscellaneous multithreading issues with appid
-- fix comment in snort.lua re install directory use;
thanks to Yang Wang for sending the pull request
-- add alternate fast patterns for dce_udp endianness
-- removed underscores from all peg counts
-- document sensitive data use
-- user manual refactoring and updates
16/11/21 - build 219
-- add dce auto detect to wizard
-- add MIME file processing to new http_inspect
-- add chapters on perf_monitor and file processing to user manual
-- appid refactoring and cleanup
-- many appid fixes for leaks, sanitizer, and analyzer issues
-- fix appid pattern matching for http
-- fix various race conditions reported by thread sanitizer
-- fix out-of-order FIN handling
-- fix cmake package name used in HS and HWLOC so that REQUIRED works
-- fix out-of-tree doc builds
-- fix image sizes to fit page; thanks to wyatuestc for reporting the issue
-- fix fast pattern selection when multiple designated
thanks to for reporting the issue
-- change -L to -K in README and manual; thanks to jncornett for reporting the issue
-- support compiling catch tests in standalone source files
-- create pid file after dropping privileges
-- improve detection and use of CppUTest in non-standard locations
16/11/04 - build 218
-- fix shutdown stats
-- fix misc appid issues
-- rewrite appid loading of lua detectors
-- add sip inspector events for appid
-- update default manuals
16/10/28 - build 217
-- update appid to 2983
-- add inspector events from http_inspect to appid
-- fix appid error messages
-- fix flow reinitialization after expiration
-- fix release of blocked flow
-- fix 129:16 false positive
16/10/21 - build 216
-- add build configuration for thread sanitizer
-- port dce_udp fragments
-- build: clean up some ICC warnings
-- fix various unit test leaks
-- fix -Wmaybe-uninitialized issues
-- fix related to appid name with space and SSL position
16/10/13 - build 215
-- added module trace facility
-- port block malware over ftp for clients/servers that support REST command
-- port dce_udp packet processing
-- change search_engine.debug_print_fast_pattern to show_fast_patterns
-- overhaul appid for multiple threads, memory leaks, and coding style
-- fix various appid patterns and counts
-- fix fast pattern selection
-- fix file hash pruning issue
-- fix rate_filter action config and apply_to clean up
16/10/07 - build 214
-- updated DAQ - you *must* use DAQ 2.2.1
-- add libDAQ version to snort -V output
-- add support http file upload processing and process decode/detection depths
-- port sip changes to avoid using NAT ip when calculating callid
-- port dce_udp autodetect and session creation
-- fix static analysis issues
-- fix analyzer/pig race condition
-- fix explicit obfuscation disable not working
-- fix ftp_data: Gracefully handle cleared flow data
-- fix LuaJIT rule option memory leak of plugin name
-- fix various appid issues - initial port is nearing completion
-- fix http_inspect event 119:66
-- fix ac_full initialization performance
-- fix stream_tcp left overlap on hpux, solaris
-- fix/remove 129:5 ("bad segment") events
-- file_mempool: fix initializing total pool size
-- fix bpf includes
-- fix builds for OpenSolaris
-- expected: push expected flow information through the DAQ module
-- expected: expected cache revamp and related bugfixes
-- ftp_data: add expected data consumption to set service name and fix bugs
-- build: remove lingering libDAQ #ifdefs
-- defaults: update FTP default config based on Snort2's hardcoded one
-- rename default_snort_manual.* to snort_manual.*
-- build docs only by explicit target (make html|pdf|text)
-- update default manuals to build 213
-- tolerate more spaces in ip lists
-- add rev to rule latency logs
-- change default latency actions to none
-- deleted non-functional extra decoder for i4l_rawip
16/09/27 - build 213
-- ported full retransmit changes from snort 2X
-- fixed carved smb2 filenames
-- fixed multithread hyperscan mpse
-- fixed sd_pattern iterative validation
16/09/24 - build 212
-- add dce udp snort2lua
-- add file detection when they are transferred in segments in SMB2
-- fix another case of CPPUTest header order issues
-- separate idle timeouts from session timeouts counts
-- close tcp on rst in close wait, closing, fin wait 1, and fin wait 2
-- doc: update style guide for 'using' statements and underscores
-- packet_capture: Include top-level pcap.h for backward compatibility
-- main: remove unused -w commandline option
-- lua: fix conflict with _L macro from ctype.h on OpenBSD
-- cmake: clean dead variables out of config.cmake.h
-- build: fix 32-bit compiler warnings
-- build: fix illumos/OpenSolaris build and remove SOLARIS/SUNOS defines
-- build: remove superfluous LINUX and MACOS definitions
-- build: remove superfluous OPENBSD and FREEBSD definitions
-- build: entering 'std' namespace should be after all headers are included
-- build: clean up u_int*_t usage
-- build: remove SPARC support
-- build: clean up some DAQ header inclusion creep.
16/09/22 - build 211
-- fix hyperscan detection with nocase
-- fix shutdown sequence
-- fix --dirty-pig
-- fix FreeBSD build re appid / service_rpc
16/09/20 - build 210
-- started dce_udp porting
-- added HA details to stream/* dev_notes
-- added stream.ip_frag_only to avoid tracking unwanted flows
-- updated default stream cache sizes to match 2.X
-- fixed tcp_connector_test for OSX build
-- fixed binder make files to include binder.h
-- fixed double counting of ip and udp timeouts and prunes
-- fixed clearing of SYN - RST flows
16/09/14 - build 209
-- add dce iface fast pattern for tcp
-- add --enable-tsc-clock to build/use TSC register (on x86)
-- update latency to use ticks during runtime
-- tcp stream reassembly tweaks
-- fix inverted detection_filter logic
-- fix stream profile stats parents
-- fix most bogus gap counts
-- unit test fixes for high availability, hyperscan, and regex
16/09/09 - build 208
-- fixed for TCP high availability
-- fixed install of file_decomp.h for consistency between Snort and extras
-- added smtp client counters and unit tests
-- ported Smbv2/3 file support
-- ported mpls encode fixes from 2983
-- cleaned up compiler warnings
16/09/02 - build 207
-- ported smb file processing
-- ported the 2.9.8 ciscometadata decoder
-- ported the 2.9.8 double and triple vlan tagging changes
-- use sd_pattern as a fast-pattern
-- rewrite and fix the rpc option
-- cleanup fragbits option implementation
-- finish up cutover to the new http_inspect by default
-- added appid counts for rsync
-- added http_inspect alerts for Transfer-Encoding and Content-Encoding abuse
-- moved file capture to offload thread
-- numerous fixes, cleanup, and refactoring for appid
-- numerous fixes, cleanup, and refactoring for high availability
-- fixed regex as fast pattern with hyperscan mpse
-- fixed http_inspect and tcp valgrind errors
-- fixed extra auto build from dist
16/08/10 - build 206
-- ported appid rule option as "appids"
-- moved http_inspect (old) to http_server (in extras)
-- moved new_http_inspect to http_inspect
-- added smtp.max_auth_command_line_len
-- fixed asn1:print help
-- fixed event queue buffer log size
-- fixed make distcheck; thanks to jack jackson <> for reporting the issue
16/08/05 - build 205
-- ported smb segmentation support
-- converted sd_pattern to use hyperscan
-- fixed help text for rule options ack, fragoffset, seq, tos, ttl, and win
-- fixed endianness issues with rule options seq and win
-- fixed rule option session binary vs all
16/07/29 - build 204
-- fixed issue with icmp_seq and icmp_id field matching
-- fixed off-by-1 line number in rule parsing errors
-- fix cmake make check issue with new_http_inspect
-- added new_http_inspect unbounded POST alert
16/07/22 - build 203
-- add oversize directory alert to new_http_inspect
-- add appid counts for mdns, timbuktu, battlefield, bgp, and netbios services
-- continue smb port - write and close command, deprecated dialect check, smb fingerprint
-- fix outstanding strndup calls
16/07/15 - build 202
-- fix dynamic build of new_http_inspect
-- fix static analysis issues
-- fix new_http_inspect handling of 100 response
-- port appid detectors: kerberos, bittorrent, imap, pop
-- port smb reassembly and raw commands processing
-- snort2lua updates for new_http_inspect
-- code refactoring and cleanup
16/06/22 - build 201
-- initial appid port - in progress
-- add configure --enable-hardened-build
-- add configure --pie (position independent executable)
-- add new_http_inspect alert for loss of sync
-- add peg counts for new_http_inspect
-- add peg counts for sd_pattern
-- add file_log inspector to log file events
-- add filename support to file daq
-- add high availability support for udp and icmp
-- add support for safe C library
-- continue porting of dce_rpc - smb transaction processing (part 2)
-- various snort2lua updates and fixes
-- fix default prime tables for internal hash functions
-- fix new_http_inspect bounds issues
-- fix icc warnings
-- miscellaneous cmake and auto tools build fixes
-- openssl is now a mandatory dependency
16/06/10 - build 200
-- continued porting of dce_rpc - smb transaction processing
-- tweaked autotools build foo
-- add / update unit tests
-- fix additional memory leaks
-- fix compiler warnings
-- fix static analysis issues
-- fix handling of bpf file failures
16/06/03 - build 199
-- add new http_inspect alerts abusive content-length and transfer-encodings
-- add \b matching to sensitive data
-- add obfuscation for sensitive data
-- add support for unprivileged operation
-- fix link with dynamic DAQ
-- convert legacy allocations to memory manager for better memory profiling
16/05/27 - build 198
-- add double-decoding to new_http_inspect
-- add obfuscation support for cmg and unified2
-- cleanup compiler warnings and memory leaks
-- fixup cmake builds
-- update file processing configuration
-- prevent profiler double counting on recursion
-- additional unit tests for high availability
-- fix multi-DAQ instance configuration
16/05/02 - build 197
-- fix build of extras
-- fix unit tests
16/04/29 - build 196
-- overhaul cmake foo
-- update extras to better serve as examples
-- cleanup use of protocol numbers and identifiers
-- continued stream_tcp refactoring
-- continued dce2 port
-- more static analysis memory leak fixes
16/04/22 - build 195
-- added packet_capture module
-- initial high availability for UDP
-- changed memory_manager to use absolute instead of relative cap
-- cmake and pkgconfig fixes
-- updated catch headers to v1.4.0
-- fix stream_tcp config leak
-- added file capture stats
-- static analysis updates
-- DAQ interface refactoring
-- perf_monitor refactoring
-- unicode map file for new_http_inspect
16/04/08 - build 194
-- added iterative pruning for out of memory condition
-- added preemptive pruning to memory manager
-- dce segmentation changes
-- dce smb header checks port - non segmented packets
-- added thread timing stats to perf_monitor
-- fixed so rule input / output
-- fixed protocol numbering issues
-- fixed 129:18
-- update extra version to alpha 4 - thanks to Henry Luciano
<> for reporting the issue
-- remove legacy/unused obfuscation api
-- fixed clang, gcc, and icc, build warnings
-- fixed static analysis issues
-- fixed memory leaks (more to go)
-- clean up hyperscan pkg-config and cmake logic
16/03/28 - build 193
-- fix session parsing abort handling
-- fix shutdown memory leaks
-- fix building against LuaJIT using only pkg-config
-- fix FreeBSD build
-- perf_monitor config and format fixes
-- cmake - check all dependencies before fatal error
-- new_http_inspect unicode initialization bug fix
-- new_http_inspect %u encoding and utf 8 bare byte
-- continued tcp stream refactoring
-- legacy search engine cleanup
-- dce2 port continued - add dce packet fragmentation
-- add configure --enable-address-sanitizer
-- add configure --enable-code-coverage
-- memory manager updates
16/03/18 - build 192
-- use hwloc for CPU affinity
-- fix process stats output
-- add dce rule options iface, opnum, smb, stub_data, tcp
-- add dce option for byte_extract/jump/test
-- initial side channel and file connector for HA
-- continued memory manager implementation
-- add UTF-8 normalization for new_http_inspect
-- fix rule compilation for sticky buffers
-- host_cache and host_tracker config and stats updates
-- miscellaneous warning and lint cleanup
-- snort2Lua updates for preproc sensitive_data and sd_pattern option
16/03/07 - build 191
-- fix perf_monitor stats output at shutdown
-- initial port of sensitive data as a rule option
-- fix doc/ for linux
16/03/04 - build 190
-- fix console close and remote control disconnect issues
-- added per-thread memcap calculation
-- add statistics counters to host_tracker module
-- new_http_inspect basic URI normalization with configuration options
-- format string cleanup for parser logging
-- fix conf reload by signal
16/02/26 - build 189
-- snort2lua for dce2 port (in progress)
-- replace ppm with latency
-- added rule latency
-- fixed more address sanitizer bugs
-- fixed use of debug vs debug-msgs
-- add missing ips option hash and == methods
-- perf_monitor configuration
-- fix linux + clang build errors
-- trough rewrite
16/02/22 - build 188
-- added delete/delete[] replacements for nothrow overload
thanks to Ramya Potluri for reporting the issue
-- fixed a detection option comparison bug which wasted time and space
-- disable perf_monitor by default since the reporting interval should be set
-- memory manager updates
-- valgrind and unsanitary address fixes
-- snort2lua updates for dce2
-- build issue fix - make non-GNU strerror_r() the default case
-- packet latency updates
-- perfmon updates
16/02/12 - build 187
-- file capture added - initial version writes from packet thread
-- added support for http 0.9 to new_http_inspect
-- added URI normalization of headers, cookies, and post bodies to new_http_inspect
-- updates to better support scripting
-- updated catch header (used for some unit tests)
-- continued dce2 port
-- fixed misc clang and dynamic plugin build issues
-- fixed static analysis issues and crash in new_http_inspect
-- fixed tcp paws issue
-- fixed normalization stats
-- fixed issues reported by Bill Parker
-- refactoring updates to tcp session
-- refactoring updates to profiler
16/02/02 - build 186
-- update copyright to 2016, add missing license blocks
-- fix xcode builds
-- fix static analysis issues
-- update default manuals
-- host_module and host_tracker updates
-- start perf_monitor rewrite - 1st of many updates
-- start dce2 port - 1st of many updates
-- remove --enable-ppm - always enabled
16/01/25 - build 185
-- initial host_tracker for new integrated netmap
-- new_http_inspect refactoring for time and space considerations
-- fix profiler depth bug
-- fatal on failed IP rep segment allocation - thanks to Bill Parker
-- tweaked style guide wrt class declarations
16/01/08 - build 184
-- added new_http_inspect rule options
-- fixed build issue with Clang and thread_local
-- continued tcp session refactoring
-- fixed rule option string unescape issue
15/12/11 - build 183
-- circumvent asymmetric flow handling issue
15/12/11 - build 182 - Alpha 3
-- added memory profiling feature
-- added regex fast pattern support
-- ported reputation preprocessor from 2X
-- synced to 297-262
-- removed '_q' search method flavors - all are now queued
-- removed PPM_TEST
-- build and memory leak fixes
15/12/04 - build 181
-- perf profiling enhancements
-- fixed build issues and memory leaks
-- continued pattern match refactoring
-- fix spurious sip_method matching
15/11/25 - build 180
-- ported dnp3 preprocessor and rule options from 2.X
-- fixed various valgrind issues with stats from sip, imap, pop, and smtp
-- fixed captured length of some icmp6 types
-- added support for hyperscan search method using rule contents
(regex to follow)
-- fixed various log pcap issues
-- squelch repeated ip6 ooo extensions and bad options per packet
-- fixed arp inspection bug
15/11/20 - build 179
-- user manual updates
-- fix perf_monitor.max_file_size default to work on 32-bit systems, thanks
to for reporting the issue
-- fix bogus 116:431 events
-- decode past excess ip6 extensions and bad options
-- add iface to alert_csv.fields
-- add hyperscan fast pattern search engine - functional but not yet used
-- remove --enable-perf-profiling so it is always built
-- perf profiling changes in preparation for memory profiling
-- remove obsolete LibDAQ preprocessor conditionals
-- fix arp inspection
-- search engine refactoring
15/11/13 - build 178
-- document runtime link issue with hyperscan on osx
-- fix pathname generation for event trace file
-- new_http_inspect tweaks
-- remove --enable-ppm-test
-- sync up auto tools and cmake build options
15/11/05 - build 177
-- idle processing cleanup
-- fixed teredo payload detection
-- new_http_inspect cleanup
-- update old http_inspect to allow spaces in uri
-- added null check suggested by Bill Parker
-- fix cmake for hyperscan
-- ssl and dns stats updates
-- fix ppm config
-- miscellaneous code cleanup
15/10/30 - build 176
-- tcp reassembly refactoring
-- profiler rewrite
-- added gzip support to new_http_inspect
-- added regex rule option based on hyperscan
15/10/23 - build 175
-- ported gtp preprocessor and rule options from 2.X
-- ported modbus preprocessor and rule options from 2.X
-- fixed 116:297
-- added unit test build for cmake (already in autotools builds)
-- fixed dynamic builds (187 plugins, 138 dynamic)
15/10/16 - build 174
-- legacy daemonization cleanup
-- decouple -D, -M, -q
-- delete -E
-- initial rewrite of profiler
-- don't create pid file unless requested
-- remove pid lock file
-- new_http_inspect header processing, normalization, and decompression tweaks
-- convert README to markdown for pretty github rendering
(contributed by
-- perfmonitor fixes
-- ssl stats updates
15/10/09 - build 173
-- added pkt_num rule option to extras
-- fix final -> finalize changes for extras
-- moved alert_unixsock and log_null to extras
-- removed duplicate pat_stats source from extras
-- prevent tcp session restart on rebuilt packets
thanks to rmkml for reporting the issue
-- fixed profiler configuration
-- fixed ppm event logging
-- added filename to reload commands
-- fixed -B switch
-- reverted tcp syn only logic to match 2X
-- ensure ip6 extension decoder state is reset for ip4 too since ip4
packets may have ip6 next proto
-- update default manuals
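The build 173 entry about resetting the ip6 extension decoder state for ip4 packets, together with the build 179/180 entries on decoding past excess ip6 extensions and squelching repeated out-of-order extension events per packet, describe per-packet decoder state that must not leak from one packet into the next. The example below is an added model of that state machine written for this changelog; it is not Snort's decoder, and the header layouts, the event names, the MAX_EXTS limit and the `reset_for_ip4` switch are assumptions made to show the bug. An IPv4 protocol field may legitimately name an IPv6 extension header type (for example 0 for hop-by-hop), so if only IPv6 packets cleared the state, an IPv4 packet following an IPv6 packet would inherit stale ordering state and raise a bogus out-of-order event.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model, not Snort's code. */
enum { HOPOPTS = 0, TCP = 6, ROUTING = 43, FRAGMENT = 44, DSTOPTS = 60 };
enum { MAX_EXTS = 4 };

typedef struct {
    int ext_count;       /* extension headers seen in this packet */
    int saw_non_hop;     /* an extension other than hop-by-hop already seen */
    int ooo_reported;    /* squelch: out-of-order reported at most once per packet */
    int excess_reported; /* squelch: excess reported at most once per packet */
} Ip6ExtState;

typedef struct { int ooo; int excess; int final_proto; } DecodeResult;

static int is_ext(uint8_t p)
{
    return p == HOPOPTS || p == ROUTING || p == FRAGMENT || p == DSTOPTS;
}

/* Walk the extension chain. Each generic extension header is
 * [next header][length in 8-byte units, minus 1][...]; the fragment header
 * is a fixed 8 bytes. Hop-by-hop must come first, so seeing it after any
 * other extension is out of order. Decoding continues past the limit so the
 * final upper-layer protocol is still found; events are raised once only. */
DecodeResult decode_ext_chain(Ip6ExtState* st, uint8_t next,
                              const uint8_t* buf, size_t len)
{
    DecodeResult r = {0, 0, -1};
    size_t off = 0;
    while (is_ext(next)) {
        if (off + 2 > len) break;
        if (next == HOPOPTS && st->saw_non_hop && !st->ooo_reported) {
            r.ooo = 1; st->ooo_reported = 1;
        }
        if (next != HOPOPTS) st->saw_non_hop = 1;
        if (++st->ext_count > MAX_EXTS && !st->excess_reported) {
            r.excess = 1; st->excess_reported = 1;
        }
        size_t hlen = (next == FRAGMENT) ? 8 : ((size_t)buf[off + 1] + 1) * 8;
        if (off + hlen > len) break;
        next = buf[off];
        off += hlen;
    }
    r.final_proto = next;
    return r;
}

/* Decode one packet. The version nibble selects a 20-byte IPv4 header
 * (protocol at offset 9) or a 40-byte IPv6 header (next header at offset 6).
 * The bug being modelled: state was cleared only on the IPv6 path. */
DecodeResult decode_packet(Ip6ExtState* st, const uint8_t* pkt, size_t len,
                           int reset_for_ip4)
{
    DecodeResult none = {0, 0, -1};
    if (len < 1) return none;
    int ver = pkt[0] >> 4;
    if (ver == 6) {
        if (len < 40) return none;
        memset(st, 0, sizeof *st);
        return decode_ext_chain(st, pkt[6], pkt + 40, len - 40);
    }
    if (ver == 4) {
        if (len < 20) return none;
        if (reset_for_ip4) memset(st, 0, sizeof *st);   /* the fix */
        return decode_ext_chain(st, pkt[9], pkt + 20, len - 20);
    }
    return none;
}

/* Constructed traffic: an IPv6 packet carrying a routing header, then an
 * IPv4 packet whose protocol field is 0 (hop-by-hop). Returns 1 if the
 * second packet is (wrongly) flagged out of order. */
int ip4_after_ip6_raises_ooo(int reset_for_ip4)
{
    uint8_t v6[48] = {0};
    v6[0] = 0x60; v6[6] = ROUTING;
    v6[40] = TCP; v6[41] = 0;                 /* routing: next=TCP, 8 bytes */

    uint8_t v4[28] = {0};
    v4[0] = 0x45; v4[9] = HOPOPTS;
    v4[20] = TCP; v4[21] = 0;                 /* hop-by-hop: next=TCP, 8 bytes */

    Ip6ExtState st;
    memset(&st, 0, sizeof st);
    decode_packet(&st, v6, sizeof v6, reset_for_ip4);
    DecodeResult r = decode_packet(&st, v4, sizeof v4, reset_for_ip4);
    return r.ooo && r.final_proto == TCP;
}

/* Six destination-options headers in one IPv6 packet: the excess event is
 * raised exactly once and the chain is still walked through to TCP. */
int excess_is_squelched_and_decoded(void)
{
    uint8_t pkt[40 + 6 * 8] = {0};
    pkt[0] = 0x60; pkt[6] = DSTOPTS;
    for (int i = 0; i < 6; i++) {
        pkt[40 + i * 8] = (i == 5) ? TCP : DSTOPTS;
        pkt[41 + i * 8] = 0;
    }
    Ip6ExtState st;
    DecodeResult r = decode_packet(&st, pkt, sizeof pkt, 1);
    return r.excess == 1 && st.ext_count == 6 && r.final_proto == TCP;
}
```

Run against the constructed packets, the stale-state path reports an out-of-order hop-by-hop header on the IPv4 packet even though that packet's chain is well formed; clearing the state for every packet makes the report go away. This is the same false-positive mechanism behind the "bogus" decoder events that several entries in this log fix.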
15/10/01 - build 172
-- check for bool value before setting fastpath config option in PPM
-- update manual related to liblzma
-- fix file processing
-- refactor non-ethernet plugins
-- fix file_decomp error logic
-- enable active response without flow
-- update bug list
15/09/25 - build 171
-- fix metadata:service to work like 2x
-- fixed issues when building with LINUX_SMP
-- fixed frag tracker accounting
-- fix Xcode builds
-- implement 116:281 decoder rule
-- updated snort2lua
-- add cpputest for unit testing
-- don't apply cooked verdicts to raw packets
15/09/17 - build 170
-- removed unused control socket defines from cmake
-- fixed build error with valgrind build option
-- cleanup *FLAGS use in
-- change compiler search order to prefer clang over gcc
-- update where to get dnet
-- update usage and bug list
-- move extra daqs and extra hext logger to main source tree
-- fix breakloop in file daq
-- fix plain file processing
-- fix detection of stream_user and stream_file data
-- log innermost proto for type of broken packets
15/09/10 - build 169
-- fix chunked manual install
-- add event direction bug
-- fix OpenBSD build
-- convert check unit tests to catch
-- code cleanup
-- fix dev guide builds from top_srcdir
15/09/04 - build 168
-- fixed build of chunked manual (thanks to Bill Parker for reporting the issue)
-- const cleanup
-- new_http_inspect cookie processing updates
-- fixed cmake build issue with SMP stats enabled
-- fixed compiler warnings
-- added unit tests
-- updated error messages in u2spewfoo
-- changed error format for consistency with Snort
-- fixed u2spewfoo build issue
-- added strdup sanity checks (thanks to Bill Parker for reporting the issue)
-- DNS bug fix for TCP
-- added --catch-tags [footag],[bartag] for unit test selection
15/08/31 - build 167
-- fix xcode warnings
15/08/21 - build 166
-- fix link error with g++ 4.8.3
-- support multiple script-path args and single files
-- piglet bug fixes
-- add usage examples with live interfaces
thanks to Aman Mangal <> for reporting the problem
-- fixed port_scan packet selection
-- fixed rpc_decode sequence number handling and buffer setup
-- perf_monitor fixes for file output
15/08/14 - build 165
-- flow depth support for new_http_inspect
-- TCP session refactoring and create libtcp
-- fix ac_sparse_bands search method
-- doc and build tweaks for piglets
-- expanded piglet interfaces and other enhancements
-- fix unit test return value
-- add catch.hpp include from
-- run catch unit tests after check unit tests
-- fix documentation errors in users manual
15/08/07 - build 164
-- add range and default to command line args
-- fix unit test build on osx
-- DAQ packet header conditional compilation for piglet
-- add make targets for dev_guide.html and snort_online.html
-- cleanup debug macros
-- fix parameter range for those depending on loaded plugins
thanks to Siti Farhana Binti Lokman <>
for reporting the issue
15/07/30 - build 163
-- numerous piglet fixes and enhancements
-- BitOp rewrite
-- added more private IP addresses
thanks to Bill Parker for reporting the issue
-- fixed endianness in private IP address check
-- fix build of dynamic plugins
15/07/22 - build 162
-- enable build dependency tracking
-- cleanup automake and cmake foo
-- updated bug list
-- added Lua stack manager and updated code that manipulated a persistent lua_State
thanks to Sancho Panza ( for reporting the issue
-- piglet updates and fixes
-- dev guide - convert snort includes into links
-- fixup includes
15/07/15 - build 161
-- added piglet plugin test harness
-- added piglet_scripts with codec and inspector examples
-- added doc/
-- added dev_notes.txt in each src/ subdir
-- scrubbed headers
15/07/06 - build 160 - Alpha 2
-- fixed duplicate patterns in file_magic.lua
-- warn about rules with no fast pattern
-- warn if file rule has no file_data fp
-- run fast patterns according to packet type
-- update / expand shutdown output for detection
-- binder sets service from inspector if not set
-- allow abbreviated rule headers
-- fix cmake build on linux w/o asciidoc
-- add bugs list to manual
-- fix memory leaks
-- fix valgrind issues
-- fix xcode analyzer issues
15/07/02 - build 159
-- added file processing to new_http_inspect
-- ported sip preprocessor
-- refactored port group init and startup output
-- standardize / generalize fp buffers
-- add log_hext.width
-- tweak style guide
-- fix hosts table parsing
15/06/19 - build 158
-- nhttp splitter updates
-- nhttp handle white space after chunk length
-- refactor of fpcreate
-- refactor sfportobject into ports/*
-- delete flowbits_size, refactor bitop foo
-- rename PortList to PortBitSet etc. to avoid confusion
-- fix ssl assertion
-- cleanup cache config
15/06/11 - build 157
-- port ssl from snort
-- fix stream_tcp to call splitter finish only if scan was called
-- changed drop rules to drop the current packet only
-- block rules are unchanged; they block all packets on the flow
-- added reset rules to function as reject
-- deleted sdrop and sblock rules; use suppressions instead
-- refactored active module
-- updated snort2lua
15/06/04 - build 156
-- new_http_inspect switch to bitset for event tracking
-- fixed stream tcp handling of paf abort
-- fixed stream tcp cleanup on reset
-- fixed sequence of flush and flow data cleanup for new http inspect
15/05/31 - build 155
-- update default manuals
-- fix autotools build of manual wrt plugins
-- file processing fixup
-- update usage from blog
-- add file magic lua
-- xcode analyzer cleanup
15/05/28 - build 154
-- new_http_inspect parsing and event handling updates
-- initial port of file capture from Snort
-- stream_tcp reassembles payload only
-- remove obsolete REG_TEST logging
-- refactor encode_format*()
-- rewrite alert_csv with default suitable for reg tests and debugging
-- dump 20 hex bytes per line instead of 16
-- add raw mode hext DAQ and logger; fix dns inspector typo for tcp checks
-- document raw hext mode
-- cleanup flush flags vs dir
-- add alert_csv.separator, delete alert_test
-- tweak log config; rename daq/log user to hext
-- cleanup logging
-- stream_tcp refactoring and cleanup
15/05/22 - build 153
-- new_http_inspect parsing updates
-- use buckets for user seglist
-- fix u2 to output data only packets
-- added DAQs for socket, user, and file in extras
-- changed -K to -L (log type)
-- added extra DAQ for user and file
-- added stream_user for payload processing
-- added stream_file for file processing
15/05/15 - build 152
-- fixed config error for inspection of rebuilt packets
-- ported smtp inspector from Snort
-- static analysis fix for new_http_inspect
15/05/08 - build 151
-- doc tweaks
-- new_http_inspect message parsing updates
-- misc bug fixes
15/04/30 - build 150
-- fixed xcode static analysis issues
-- updated default manuals
-- added packet processing section to manual
-- additional refactoring and cleanup
-- fix http_inspect mpse search
-- fixed urg rule option
-- change daq.var to daq.vars to support multiple params; reported by Sancho Panza
-- ensure unknown sources are analyzed
-- pop and imap inspectors ported
15/04/28 - build 149
-- fixed build issue with extras
15/04/28 - build 148
-- fixed default validation issue reported by Sancho Panza
-- refactored snort and snort_config modules
-- file id refactoring and cleanup
-- added publish-subscribe handling of data events
-- added data_log plugin example for pub-sub
15/04/23 - build 147
-- change PT_DATA to IT_PASSIVE; supports named instances, reload, and consumers
15/04/16 - build 146
-- added build of snort_manual.text if w3m is installed
-- added default_snort_manual.text w/o w3m
-- add Flow pointer to StreamSplitter::finish()
15/04/10 - build 145
-- nhttp clear() and related changes
-- abort PAF in current direction only
-- added StreamSplitter::finish()
-- allow relative flush point of zero
-- added Inspector::clear()
-- new http refactoring and cleanup
-- new http changes - events from splitter
-- fix dns assertion; remove unused variables
15/03/31 - build 144
-- reworked autotools generation of api_options.h
-- updated default manuals
-- ported dns inspector
15/03/26 - build 143
-- ported ssh inspector
-- apply service from hosts when inspector already bound to flow
-- ensure direction and service are applied to packet regardless of flow state
-- enable active for react / reject only if used in configuration
-- fixed use of bound ip and tcp policy if not set in hosts
-- eliminate dedicated nhttp chunk buffer
-- minor nhttp cleanup in StreamSplitter
15/03/18 - build 142
-- fixed host lookup issue
-- folded classification.lua and reference.lua into snort_defaults.lua
-- apply defaults from parameter tables instead of relying on ctors etc.
-- fix static analysis issues reported by xcode
-- change policy names with a-b form to a_b for consistency
-- make all warnings optional
-- fix ip and tcp policy defines
-- fix ip and icmp flow client/server ip init
-- added logging examples to usage
15/03/11 - build 141
-- added build foo for lzma; refactored
-- enhancements for checking compatibility of external plugins
-- added doc/usage.txt
15/02/27 - build 140
-- uncrustify, see crusty.cfg
-- updated documentation on new HTTP inspector, binder, and wizard
15/02/26 - build 139
-- additional http_inspect cleanup
-- documented gotcha regarding rule variable definitions in Lua
-- sync 297 http xff, swf, and pdf updates
15/02/20 - build 138
-- sync ftp with 297; replace stream event callbacks with FlowData virtuals
15/02/12 - build 137
-- updated manual from blog posts and emails
-- normalization refactoring, renaming
-- fixed icmp4 encoding
-- methods in codec_events and ip_util namespaces are now protected Codec methods
-- 297 sync of active and codecs
15/02/05 - build 136
-- fix up encoders
-- sync stream with 297
-- fix encoder check for ip6 extensions
-- sync normalizations with 297
15/01/29 - build 135
-- fixed freebsd build error
-- fix default hi profile name
-- updated default snort manuals
15/01/26 - build 134
-- sync Mpse to 297, add SearchTool
-- 297 sync for sfghash, sfxhash, tag, u2spewfoo, profiler and target based
-- addition of mime decoding stats and updates to mime detection limits
-- snort2lua changed to add bindings for default ports if not explicitly
-- added md5, sha256, and sha512 rule options based on Snort 2.X
15/01/20 - build 133
-- fixes for large file support on 32-bit Linux systems (reported by Y M)
-- changed u2 base file name to unified2.log
-- updated doc based on tips/tricks blog
-- fixed active rule actions (react, reject, rewrite)
-- moved http_inspect profile defaults to snort_defaults.lua
-- add generalized infractions tracking to new_http_inspect
-- updated snort2lua to override default tables (x = { t = v }; x.t.a = 1)
-- additional codec refactoring
-- added pflog codecs
-- fixed stream_size rule option
15/01/05 - build 132
-- added this change log
-- initial partial sync with Snort 297 including bug fixes and variable
-- malloc info output with -v at shutdown (if supported)
-- updated source copyrights for 2015 and reformatted license foo for
14/12/16 - build 131
-- fix asciidoc formatting and update default manuals
-- updates to doc to better explain github builds
-- fix default init for new_http_inspect
-- fix cmake issues reported by Y M
-- add missing g++ dependency to doc reported by Bill Parker
-- add general fp re-search solution for fp buffers further restricted during rule eval; fixes issue reported by @rmkml
-- add missing sanity checks reported by Bill Parker
-- tweak READMEs
14/12/11 - build 130
-- alpha 1 release