]>
Commit | Line | Data |
---|---|---|
0ac27e28 VJ |
1 | 3.0.1RC1 -- 2016-03-23 |
2 | ||
3 | Feature #1535: Expose the certificate itself in TLS-lua | |
4 | Feature #1696: improve logged flow_id | |
5 | Feature #1700: enable "relro" and "now" in compile options for 3.0 | |
6 | Feature #1734: gre: support transparent ethernet bridge decoding | |
7 | Feature #1740: Create counters for decode-events errors | |
8 | Bug #873: suricata.yaml: .mgc is NOT actually added to value for magic file | |
9 | Bug #1166: tls: CID 1197759: Resource leak (RESOURCE_LEAK) | |
10 | Bug #1268: suricata and macos/darwin: [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: File 5.19 supports only version 12 magic files. `/usr/share/file/magic.mgc' is version 7 | |
11 | Bug #1359: memory leak | |
12 | Bug #1411: Suricata generates huge load when nfq_create_queue failed | |
13 | Bug #1570: stream.inline defaults to IDS mode if missing | |
14 | Bug #1591: afpacket: unsupported datalink type 65534 on tun device | |
15 | Bug #1619: Per-Thread Delta Stats Broken | |
16 | Bug #1638: rule parsing issues: rev | |
17 | Bug #1641: Suricata won't build with --disable-unix-socket when libjansson is enabled | |
18 | Bug #1646: smtp: fix inspected tracker values | |
19 | Bug #1660: segv when using --set on a list | |
20 | Bug #1669: Suricate 3.0RC3 segfault after 10 hours | |
21 | Bug #1670: Modbus compiler warnings on Fedora 23 | |
22 | Bug #1671: Cygwin Windows compilation with libjansson from source | |
23 | Bug #1674: Cannot use 'tag:session' after base64_data keyword | |
24 | Bug #1676: gentoo build error | |
25 | Bug #1679: sensor-name configuration parameter specified in wrong place in default suricata.yaml | |
26 | Bug #1680: Output sensor name in json | |
27 | Bug #1684: eve: stream payload has wrong direction in IPS mode | |
28 | Bug #1686: Conflicting "no" for "totals" and "threads" in stats output | |
29 | Bug #1689: Stack overflow in case of variables misconfiguration | |
30 | Bug #1693: Crash on Debian with libpcre 8.35 | |
31 | Bug #1695: Unix Socket missing dump-counters mode | |
32 | Bug #1698: Segmentation Fault at detect-engine-content-inspection.c:438 (master) | |
33 | Bug #1699: CUDA build broken | |
34 | Bug #1701: memory leaks | |
35 | Bug #1702: TLS SNI parsing issue | |
36 | Bug #1703: extreme slow down in HTTP multipart parsing | |
37 | Bug #1706: smtp memory leaks | |
38 | Bug #1707: malformed json if message is too big | |
39 | Bug #1708: dcerpc memory leak | |
40 | Bug #1709: http memory leak | |
41 | Bug #1715: nfq: broken time stamps with recent Linux kernel 4.4 | |
42 | Bug #1717: Memory leak on Suricata 3.0 with Netmap | |
43 | Bug #1719: fileinfo output wrong in eve in http | |
44 | Bug #1720: flowbit memleak | |
45 | Bug #1724: alert-debuglog: non-decoder events won't trigger rotation. | |
46 | Bug #1725: smtp logging memleak | |
47 | Bug #1727: unix socket runmode per pcap memory leak | |
48 | Bug #1728: unix manager command channel memory leaks | |
49 | Bug #1729: PCRE jit is disabled/blacklisted when it should not | |
50 | Bug #1731: detect-tls memory leak | |
51 | Bug #1735: cppcheck: Shifting a negative value is undefined behaviour | |
52 | Bug #1736: tls-sni: memory leaks on malformed traffic | |
53 | Bug #1742: vlan use-for-tracking including Priority in hashing | |
54 | Bug #1743: compilation with musl c library fails | |
55 | Bug #1744: tls: out of bounds memory read on malformed traffic | |
56 | Optimization #1642: Add --disable-python option | |
57 | ||
f9faf990 VJ |
58 | 3.0 -- 2016-01-27 |
59 | ||
60 | Bug #1673: smtp: crash during mime parsing | |
61 | ||
44a444ba VJ |
62 | 3.0RC3 -- 2015-12-21 |
63 | ||
64 | Bug #1632: Fail to download large file with browser | |
65 | Bug #1634: Fix non thread safeness of Prelude analyzer | |
66 | Bug #1640: drop log crashes | |
67 | Bug #1645: Race condition in unix manager | |
68 | Bug #1647: FlowGetKey flow-hash.c:240 segmentation fault (master) | |
69 | Bug #1650: DER parsing issue (master) | |
70 | ||
e94bf972 VJ |
71 | 3.0RC2 -- 2015-12-08 |
72 | ||
73 | Bug #1551: --enable-profiling-locks broken | |
74 | Bug #1602: eve-log prefix field feature broken | |
75 | Bug #1614: app_proto key missing from EVE file events | |
76 | Bug #1615: disable modbus by default | |
77 | Bug #1616: TCP reassembly bug | |
78 | Bug #1617: DNS over TCP parsing issue | |
79 | Bug #1618: SMTP parsing issue | |
80 | Feature #1635: unified2 output: disable by default | |
81 | ||
737c99dd VJ |
82 | 3.0RC1 -- 2015-11-25 |
83 | ||
84 | Bug #1150: TLS store disabled by TLS EVE logging | |
85 | Bug #1210: global counters in stats.log | |
86 | Bug #1423: Unix domain log file writer should automatically reconnect if receiving program is restarted. | |
87 | Bug #1466: Rule reload - Rules won't reload if rule files are listed in an included file. | |
88 | Bug #1467: Specifying an IPv6 entry before an IPv4 entry in host-os-policy causes ASAN heap-buffer-overflow. | |
89 | Bug #1472: Should 'goodsigs' be 'goodtotal' when checking if signatures were loaded in detect.c? | |
90 | Bug #1475: app-layer-modbus: AddressSanitizer error (heap-buffer-overflow) | |
91 | Bug #1481: Leading whitespace in flowbits variable names | |
92 | Bug #1482: suricata 2.1 beta4: StoreStateTxFileOnly crashes | |
93 | Bug #1485: hostbits - leading and trailing spaces are treated as part of the name and direction. | |
94 | Bug #1488: stream_size <= and >= modifiers function as < and > (equality is not functional) | |
95 | Bug #1491: pf_ring is not able to capture packets when running under non-root account | |
96 | Bug #1493: config test (-T) doesn't fail on missing files | |
97 | Bug #1494: off by one on rulefile count | |
98 | Bug #1500: suricata.log | |
99 | Bug #1508: address var parsing issue | |
100 | Bug #1517: Order dependent, ambiguous YAML in multi-detect. | |
101 | Bug #1518: multitenancy - selector vlan - vlan id range | |
102 | Bug #1521: multitenancy - global vlan tracking relation to selector | |
103 | Bug #1523: Decoded base64 payload short by 16 characters | |
104 | Bug #1530: multitenant mapping relation | |
105 | Bug #1531: multitenancy - confusing tenant id and vlan id output | |
106 | Bug #1556: MTU setting on NIC interface not considered by af-packet | |
107 | Bug #1557: stream: retransmission not detected | |
108 | Bug #1565: defrag: evasion issue | |
109 | Bug #1597: dns parser issue (master) | |
110 | Bug #1601: tls: server name logging | |
111 | Feature #1116: ips packet stats in stats.log | |
112 | Feature #1137: Support IP lists in threshold.config | |
113 | Feature #1228: Suricata stats.log in JSON format | |
114 | Feature #1265: Replace response on Suricata dns decoder when dns error please | |
115 | Feature #1281: long snort ruleset support for "SC_ERR_NOT_SUPPORTED(225): content length greater than 255 unsupported" | |
116 | Feature #1282: support for base64_decode from snort's ruleset | |
117 | Feature #1342: Support Cisco erspan traffic | |
118 | Feature #1374: Write pre-aggregated counters for all threads | |
119 | Feature #1408: multi tenancy for detection | |
120 | Feature #1440: Load rules file from a folder or with a star pattern rather then adding them manually to suricata.yaml | |
121 | Feature #1454: Proposal to add Lumberjack/CEE formatting option to EVE JSON syslog output for compatibility with rsyslog parsing | |
122 | Feature #1492: Add HUP coverage to output json-log | |
123 | Feature #1498: color output | |
124 | Feature #1499: json output for engine messages | |
125 | Feature #1502: Expose tls fields to lua | |
126 | Feature #1514: SSH softwareversion regex should allow colon | |
127 | Feature #1527: Add ability to compile as a Position-Independent Executable (PIE) | |
128 | Feature #1568: TLS lua output support | |
129 | Feature #1569: SSH lua support | |
130 | Feature #1582: Redis output support | |
131 | Feature #1586: Add flow memcap counter | |
132 | Feature #1599: rule profiling: json output | |
133 | Optimization #1269: Convert SM List from linked list to array | |
134 | ||
0e2a4c01 VJ |
135 | 2.1beta4 -- 2015-05-08 |
136 | ||
137 | Bug #1314: http-events performance issues | |
138 | Bug #1340: null ptr dereference in Suricata v2.1beta2 (output-json.c:347) | |
139 | Bug #1352: file list is not cleaned up | |
140 | Bug #1358: Gradual memory leak using reload (kill -USR2 $pid) | |
141 | Bug #1366: Crash if default_packet_size is below 32 bytes | |
142 | Bug #1378: stats api doesn't call thread deinit funcs | |
143 | Bug #1384: tcp midstream window issue (master) | |
144 | Bug #1388: pcap-file hangs on systems w/o atomics support (master) | |
145 | Bug #1392: http uri parsing issue (master) | |
146 | Bug #1393: CentOS 5.11 build failures | |
147 | Bug #1398: DCERPC traffic parsing issue (master) | |
148 | Bug #1401: inverted matching on incomplete session | |
149 | Bug #1402: When re-opening files on HUP (rotation) always use the append flag. | |
150 | Bug #1417: no rules loaded - latest git - rev e250040 | |
151 | Bug #1425: dead lock in de_state vs flowints/flowvars | |
152 | Bug #1426: Files prematurely truncated by detection engine even though force-md5 is enabled | |
153 | Bug #1429: stream: last_ack update issue leading to stream gaps | |
154 | Bug #1435: EVE-Log alert payload option loses data | |
155 | Bug #1441: Local timestamps in json events | |
156 | Bug #1446: Unit ID check in Modbus packet error | |
157 | Bug #1449: smtp parsing issue | |
158 | Bug #1451: Fix list-keywords regressions | |
159 | Bug #1463: modbus parsing issue | |
160 | Feature #336: Add support for NETMAP to Suricata. | |
161 | Feature #885: smtp file_data support | |
162 | Feature #1394: Improve TCP reuse support | |
163 | Feature #1410: add alerts to EVE's drop logs | |
164 | Feature #1445: Suricata does not work on pfSense/FreeBSD interfaces using PPPoE | |
165 | Feature #1447: Ability to reject ICMP traffic | |
166 | Feature #1448: xbits | |
167 | Optimization #1014: app layer reassembly fast-path | |
168 | Optimization #1377: flow manager: reduce (try)locking | |
169 | Optimization #1403: autofp packet pool performance problems | |
170 | Optimization #1409: http pipeline support for stateful detection | |
171 | ||
a5641bc7 VJ |
172 | 2.1beta3 -- 2015-01-29 |
173 | ||
174 | Bug #977: WARNING on empty rules file is fatal (should not be) | |
175 | Bug #1184: pfring: cppcheck warnings | |
176 | Bug #1321: Flow memuse bookkeeping error | |
177 | Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master) | |
178 | Bug #1332: cppcheck: ioctl | |
179 | Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE) | |
180 | Bug #1351: output-json: duplicate logging (2.1.x) | |
181 | Bug #1354: coredumps on quitting on OpenBSD | |
182 | Bug #1355: Bus error when reading pcap-file on OpenBSD | |
183 | Bug #1363: Suricata does not compile on OS X/Clang due to redefinition of string functions (2.1.x) | |
184 | Bug #1365: evasion issues (2.1.x) | |
185 | Feature #1261: Request for Additional Lua Capabilities | |
186 | Feature #1309: Lua support for Stats output | |
187 | Feature #1310: Modbus parsing and matching | |
188 | Feature #1317: Lua: Indicator for end of flow | |
189 | Feature #1333: unix-socket: allow (easier) non-root usage | |
190 | Optimization #1339: flow timeout optimization | |
191 | Optimization #1339: flow timeout optimization | |
192 | Optimization #1371: mpm optimization | |
193 | ||
0b289434 VJ |
194 | 2.1beta2 -- 2014-11-06 |
195 | ||
196 | Feature #549: Extract file attachments from emails | |
197 | Feature #1312: Lua output support | |
198 | Feature #899: MPLS over Ethernet support | |
199 | Feature #707: ip reputation files - network range inclusion availability (cidr) | |
200 | Feature #383: Stream logging | |
201 | Feature #1263: Lua: Access to Stream Payloads | |
202 | Feature #1264: Lua: access to TCP quad / Flow Tuple | |
203 | Bug #1048: PF_RING/DNA config - suricata.yaml | |
204 | Bug #1230: byte_extract, within combination not working | |
205 | Bug #1257: Flow switch is missing from the eve-log section in suricata.yaml | |
206 | Bug #1259: AF_PACKET IPS is broken in 2.1beta1 | |
207 | Bug #1260: flow logging at shutdown broken | |
208 | Bug #1279: BUG: NULL pointer dereference when suricata was debug mode. | |
209 | Bug #1280: BUG: IPv6 address vars issue | |
210 | Bug #1285: Lua - http.request_line not working (2.1) | |
211 | Bug #1287: Lua Output has dependency on eve-log:http | |
212 | Bug #1288: Filestore keyword in wrong place will cause entire rule not to trigger | |
213 | Bug #1294: Configure doesn't use --with-libpcap-libraries when testing PF_RING library | |
214 | Bug #1301: suricata yaml - PF_RING load balance per hash option | |
215 | Bug #1308: http_header keyword not matching when SYN|ACK and ACK missing (master) | |
216 | Bug #1311: EVE output Unix domain socket not working (2.1) | |
217 | ||
7fa2b876 VJ |
218 | 2.1beta1 -- 2014-08-12 |
219 | ||
220 | Feature #1155: Log packet payloads in eve alerts | |
221 | Feature #1208: JSON Output Enhancement - Include Payload(s) | |
222 | Feature #1248: flow/connection logging | |
223 | Feature #1258: json: include HTTP info with Alert output | |
224 | Optimization #1039: Packetpool should be a stack | |
225 | Optimization #1241: pcap recording: record per thread | |
226 | ||
2bcff80d VJ |
227 | 2.0.3 -- 2014-08-08 |
228 | ||
229 | Bug #1236: fix potential crash in http parsing | |
230 | Bug #1244: ipv6 defrag issue | |
231 | Bug #1238: Possible evasion in stream-tcp-reassemble.c | |
232 | Bug #1221: lowercase conversion table missing last value | |
233 | Support #1207: Cannot compile on CentOS 5 x64 with --enable-profiling | |
234 | ||
1419e400 VJ |
235 | 2.0.2 -- 2014-06-25 |
236 | ||
237 | Bug #1098: http_raw_uri with relative pcre parsing issue | |
238 | Bug #1175: unix socket: valgrind warning | |
239 | Bug #1189: abort() in 2.0dev (rev 6fbb955) with pf_ring 5.6.3 | |
240 | Bug #1195: nflog: cppcheck reports memleaks | |
241 | Bug #1206: ZC pf_ring not working with Suricata 2.0.1 (or latest git) | |
242 | Bug #1211: defrag issue | |
243 | Bug #1212: core dump (after a while) when app-layer.protocols.http.enabled = yes | |
244 | Bug #1214: Global Thresholds (sig_id 0, gid_id 0) not applied correctly if a signature has event vars | |
245 | Bug #1217: Segfault in unix-manager.c line 529 when using --unix-socket and sending pcap files to be analized via socket | |
246 | Feature #781: IDS using NFLOG iptables target | |
247 | Feature #1158: Parser DNS TXT data parsing and logging | |
248 | Feature #1197: liblua support | |
249 | Feature #1200: sighup for log rotation | |
250 | ||
174a5055 VJ |
251 | 2.0.1 -- 2014-05-21 |
252 | ||
253 | No changes since 2.0.1rc1 | |
254 | ||
7e8f80b3 VJ |
255 | 2.0.1rc1 -- 2014-05-12 |
256 | ||
257 | Bug #978: clean up app layer parser thread local storage | |
258 | Bug #1064: Lack of Thread Deinitialization For Decoder Modules | |
259 | Bug #1101: Segmentation in AppLayerParserGetTxCnt | |
260 | Bug #1136: negated app-layer-protocol FP on multi-TX flows | |
261 | Bug #1141: dns response parsing issue | |
262 | Bug #1142: dns tcp toclient protocol detection | |
263 | Bug #1143: tls protocol detection in case of tls-alert | |
264 | Bug #1144: icmpv6: unknown type events for MLD_* types | |
265 | Bug #1145: ipv6: support PAD1 in DST/HOP extension hdr | |
266 | Bug #1146: tls: event on 'new session ticket' in handshake | |
267 | Bug #1159: Possible memory exhaustion when an invalid bpf-filter is used with AF_PACKET | |
268 | Bug #1160: Pcaps submitted via Unix Socket do not finish processing in Suricata 2 | |
269 | Bug #1161: eve: src and dst mixed up in some cases | |
270 | Bug #1162: proto-detect: make sure probing parsers for all registered ports are run | |
271 | Bug #1163: HTP Segfault | |
272 | Bug #1165: af_packet - one thread consistently not working | |
273 | Bug #1170: rohash: CID 1197756: Bad bit shift operation (BAD_SHIFT) | |
274 | Bug #1176: AF_PACKET IPS mode is broken in 2.0 | |
275 | Bug #1177: eve log do not show action 'dropped' just 'allowed' | |
276 | Bug #1180: Possible problem in stream tracking | |
277 | Feature #1157: Always create pid file if --pidfile command line option is provided. | |
278 | Feature #1173: tls: OpenSSL heartbleed detection | |
279 | ||
bc70fc0f VJ |
280 | 2.0 -- 2014-03-25 |
281 | ||
282 | Bug #1151: tls.store not working when a TLS filter keyword is used | |
283 | ||
03091dfb VJ |
284 | 2.0rc3 -- 2014-03-18 |
285 | ||
286 | Bug #1127: logstash & suricata parsing issue | |
287 | Bug #1128: Segmentation fault - live rule reload | |
288 | Bug #1129: pfring cluster & ring initialization | |
289 | Bug #1130: af-packet flow balancing problems | |
290 | Bug #1131: eve-log: missing user agent reported inconsistently | |
291 | Bug #1133: eve-log: http depends on regular http log | |
292 | Bug #1135: 2.0rc2 release doesn't set optimization flag on GCC | |
293 | Bug #1138: alert fastlog drop info missing | |
294 | ||
845cbcce VJ |
295 | 2.0rc2 -- 2014-03-06 |
296 | ||
297 | Bug #611: fp: rule with ports matching on portless proto | |
298 | Bug #985: default config generates rule warnings and errors | |
299 | Bug #1021: 1.4.6: conf_filename not checked before use | |
300 | Bug #1089: SMTP: move depends on uninitialised value | |
301 | Bug #1090: FTP: Memory Leak | |
302 | Bug #1091: TLS-Handshake: Uninitialized value | |
303 | Bug #1092: HTTP: Memory Leak | |
304 | Bug #1108: suricata.yaml config parameter - segfault | |
305 | Bug #1109: PF_RING vlan handling | |
306 | Bug #1110: Can have the same Pattern ID (pid) for the same pattern but different case flags | |
307 | Bug #1111: capture stats at exit incorrect | |
308 | Bug #1112: tls-events.rules file missing | |
309 | Bug #1115: nfq: exit stats not working | |
310 | Bug #1120: segv with pfring/afpacket and eve-log enabled | |
311 | Bug #1121: crash in eve-log | |
312 | Bug #1124: ipfw build broken | |
313 | Feature #952: Add VLAN tag ID to all outputs | |
314 | Feature #953: Add QinQ tag ID to all outputs | |
315 | Feature #1012: Introduce SSH log | |
316 | Feature #1118: app-layer protocols http memcap - info in verbose mode (-v) | |
317 | Feature #1119: restore SSH protocol detection and parser | |
318 | ||
2421da6e VJ |
319 | 2.0rc1 -- 2014-02-13 |
320 | ||
321 | Bug #839: http events alert multiple times | |
322 | Bug #954: VLAN decoder stats with AF Packet get written to the first thread only - stats.log | |
323 | Bug #980: memory leak in http buffers at shutdown | |
324 | Bug #1066: logger API's for packet based logging and tx based logging | |
325 | Bug #1068: format string issues with size_t + qa not catching them | |
326 | Bug #1072: Segmentation fault in 2.0beta2: Custom HTTP log segmentation fault | |
327 | Bug #1073: radix tree lookups are not thread safe | |
328 | Bug #1075: CUDA 5.5 doesn't compile with 2.0 beta 2 | |
329 | Bug #1079: Err loading rules with variables that contain negated content. | |
330 | Bug #1080: segfault - 2.0dev (rev 6e389a1) | |
331 | Bug #1081: 100% CPU utilization with suricata 2.0 beta2+ | |
332 | Bug #1082: af-packet vlan handling is broken | |
333 | Bug #1103: stats.log not incrementing decoder.ipv4/6 stats when reading in QinQ packets | |
334 | Bug #1104: vlan tagged fragmentation | |
335 | Bug #1106: Git compile fails on Ubuntu Lucid | |
336 | Bug #1107: flow timeout causes decoders to run on pseudo packets | |
337 | Feature #424: App layer registration cleanup - Support specifying same alproto names in rules for different ip protocols | |
338 | Feature #542: TLS JSON output | |
339 | Feature #597: case insensitive fileext match | |
340 | Feature #772: JSON output for alerts | |
341 | Feature #814: QinQ tag flow support | |
342 | Feature #894: clean up output | |
343 | Feature #921: Override conf parameters | |
344 | Feature #1007: united output | |
345 | Feature #1040: Suricata should compile with -Werror | |
346 | Feature #1067: memcap for http inside suricata | |
347 | Feature #1086: dns memcap | |
348 | Feature #1093: stream: configurable segment pools | |
349 | Feature #1102: Add a decoder.QinQ stats in stats.log | |
350 | Feature #1105: Detect icmpv6 on ipv4 | |
351 | ||
d3d745d5 VJ |
352 | 2.0beta2 -- 2013-12-18 |
353 | ||
354 | Bug #463: Suricata not fire on http reply detect if request are not http | |
355 | Bug #640: app-layer-event:http.host_header_ambiguous set when it shouldn't | |
356 | Bug #714: some logs not created in daemon mode | |
357 | Bug #810: Alerts on http traffic storing the wrong packet as the IDS event payload | |
358 | Bug #815: address parsing with negation | |
359 | Bug #820: several issues found by clang 3.2 | |
360 | Bug #837: Af-packet statistics inconsistent under very high traffic | |
361 | Bug #882: MpmACCudaRegister shouldn't call PatternMatchDefaultMatcher | |
362 | Bug #887: http.log printing unknown hostname most of the time | |
363 | Bug #890: af-packet segv | |
364 | Bug #892: detect-engine.profile - custom - does not err out in incorrect toclient/srv values - suricata.yaml | |
365 | Bug #895: response: rst packet bug | |
366 | Bug #896: pfring dna mode issue | |
367 | Bug #897: make install-full fails if wget is missing | |
368 | Bug #903: libhtp valgrind warning | |
369 | Bug #907: icmp_seq and icmp_id keyword with icmpv6 traffic (master) | |
370 | Bug #910: make check fails w/o sudo/root privs | |
371 | Bug #911: HUP signal | |
372 | Bug #912: 1.4.3: Unit test in util-debug.c: line too long. | |
373 | Bug #914: Having a high number of pickup queues (216+) makes suricata crash | |
374 | Bug #915: 1.4.3: log-pcap.c: crash on printing a null filename | |
375 | Bug #917: 1.4.5: decode-ipv6.c: void function cannot return value | |
376 | Bug #920: Suricata failed to parse address | |
377 | Bug #922: trackers value in suricata.yaml | |
378 | Bug #925: prealloc-sessions value bigger than allowed in suricata.yaml | |
379 | Bug #926: prealloc host value in suricata.yaml | |
380 | Bug #927: detect-thread-ratio given a non numeric value in suricata.yaml | |
381 | Bug #928: Max number of threads | |
382 | Bug #932: wrong IP version - on stacked layers | |
383 | Bug #939: thread name buffers are sized inconsistently | |
384 | Bug #943: pfring: see if we can report that the module is not loaded | |
385 | Bug #948: apple ppc64 build broken: thread-local storage not supported for this target | |
386 | Bug #958: SSL parsing issue (master) | |
387 | Bug #963: XFF compile failure on OSX | |
388 | Bug #964: Modify negated content handling | |
389 | Bug #967: threshold rule clobbers suppress rules | |
390 | Bug #968: unified2 not logging tagged packets | |
391 | Bug #970: AC memory read error | |
392 | Bug #973: Use different ids for content patterns which are the same, but one of them has a fast_pattern chop set on it. | |
393 | Bug #976: ip_rep supplying different no of alerts for 2 different but semantically similar rules | |
394 | Bug #979: clean up app layer protocol detection memory | |
395 | Bug #982: http events missing | |
396 | Bug #987: default config generates error(s) | |
397 | Bug #988: suricata don't exit in live mode | |
398 | Bug #989: Segfault in HTPStateGetTxCnt after a few minutes | |
399 | Bug #991: threshold mem leak | |
400 | Bug #994: valgrind warnings in unittests | |
401 | Bug #995: tag keyword: tagging sessions per time is broken | |
402 | Bug #998: rule reload triggers app-layer-event FP's | |
403 | Bug #999: delayed detect inits thresholds before de_ctx | |
404 | Bug #1003: Segmentation fault | |
405 | Bug #1023: block rule reloads during delayed detect init | |
406 | Bug #1026: pfring: update configure to link with -lrt | |
407 | Bug #1031: Fix IPv6 stream pseudo packets | |
408 | Bug #1035: http uri/query normalization normalizes 'plus' sign to space | |
409 | Bug #1042: Can't match "emailAddress" field in tls.subject and tls.issuerdn | |
410 | Bug #1061: Multiple flowbit set in one rule | |
411 | Feature #234: add option disable/enable individual app layer protocol inspection modules | |
412 | Feature #417: ip fragmentation time out feature in yaml | |
413 | Feature #478: XFF (X-Forwarded-For) | |
414 | Feature #602: availability for http.log output - identical to apache log format | |
415 | Feature #622: Specify number of pf_ring/af_packet receive threads on the command line | |
416 | Feature #727: Explore the support for negated alprotos in sigs. | |
417 | Feature #746: Decoding API modification | |
418 | Feature #751: Add invalid packet counter | |
419 | Feature #752: Improve checksum detection algorithm | |
420 | Feature #789: Clean-up start and stop code | |
421 | Feature #813: VLAN flow support | |
422 | Feature #878: add storage api | |
423 | Feature #901: VLAN defrag support | |
424 | Feature #904: store tx id when generating an alert | |
425 | Feature #940: randomize http body chunks sizes | |
426 | Feature #944: detect nic offloading | |
427 | Feature #956: Implement IPv6 reject | |
428 | Feature #957: reject: iface setup | |
429 | Feature #959: Move post config initialisation code to PostConfLoadedSetup | |
430 | Feature #981: Update all switch case fall throughs with comments on false throughs | |
431 | Feature #983: Provide rule support for specifying icmpv4 and icmpv6. | |
432 | Feature #986: set htp request and response size limits | |
433 | Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments | |
434 | Feature #1009: Yaml file inclusion support | |
435 | Feature #1032: profiling: per keyword stats | |
436 | Optimization #583: improve Packet_ structure layout | |
437 | Optimization #1018: clean up counters api | |
438 | Optimization #1041: remove mkinstalldirs from git | |
439 | ||
f09f289b VJ |
440 | 2.0beta1 -- 2013-07-18 |
441 | ||
442 | - Luajit flow vars and flow ints support (#593) | |
443 | - DNS parser, logger and keyword support (#792), funded by Emerging Threats | |
444 | - deflate support for HTTP response bodies (#470, #775) | |
445 | - update to libhtp 0.5 (#775) | |
446 | - improved gzip support for HTTP response bodies (#470, #775) | |
447 | - redesigned transaction handling, improving both accuracy and performance (#753) | |
448 | - redesigned CUDA support (#729) | |
449 | - Be sure to always apply verdict to NFQ packet (#769) | |
450 | - stream engine: SACK allocs should adhere to memcap (#794) | |
451 | - stream: deal with multiple different SYN/ACK's better (#796) | |
452 | - stream: Randomize stream chunk size for raw stream inspection (#804) | |
453 | - Introduce per stream thread ssn pool (#519) | |
454 | - "pass" IP-only rules should bypass detection engine after matching (#718) | |
455 | - Generate error if bpf is used in IPS mode (#777) | |
456 | - Add support for batch verdicts in NFQ, thanks to Florian Westphal | |
457 | - Update Doxygen config, thanks to Phil Schroeder | |
458 | - Improve libnss detection, thanks to Christian Kreibich | |
459 | - Fix a FP on rules looking for port 0 and fragments (#847), thanks to Rmkml | |
460 | - OS X unix socket build fixed (#830) | |
461 | - bytetest, bytejump and byteextract negative offset failure (#827) | |
462 | - Fix fast.log formatting issues (#771), thanks to Rmkml | |
463 | - Invalidate negative depth (#774), thanks to Rmkml | |
464 | - Fixed accuracy issues with relative pcre matching (#791) | |
465 | - Fix deadlock in flowvar capture code (#802) | |
466 | - Improved accuracy of file_data keyword (#817) | |
467 | - Fix af-packet ips mode rule processing bug (#819), thanks to Laszlo Madarassy | |
468 | - stream: fix injecting pseudo packet too soon leading to FP (#883), thanks to Francis Trudeau | |
469 | ||
470 | 1.4.4 -- 2013-07-18 | |
471 | ||
472 | - Bug #834: Unix socket - showing as compiled when it is not desired to do so | |
473 | - Bug #835: Unix Socket not working as expected | |
474 | - Bug #841: configure --enable-unix-socket does not err out if libs/pkgs are not present | |
475 | - Bug #846: FP on IP frag and sig use udp port 0, thanks to Rmkml | |
476 | - Bug #864: backport packet action macro's | |
477 | - Bug #876: htp tunnel fix | |
478 | - Bug #877: Flowbit check with content doesn't match consistently, thanks to Francis Trudeau | |
479 | ||
480 | 1.4.3 -- 2013-06-20 | |
481 | ||
482 | - Fix missed detection in bytetest, bytejump and byteextract for negative offset (#828) | |
483 | - Fix IPS mode being unable to drop tunneled packets (#826) | |
484 | - Fix OS X Unix Socket build (#829) | |
485 | ||
486 | 1.4.2 -- 2013-05-29 | |
487 | ||
488 | - No longer force nocase to be used on http_host | |
489 | - Invalidate rule if uppercase content is used for http_host w/o nocase | |
490 | - Warn user if bpf is used in af-packet IPS mode | |
491 | - Better test for available libjansson version | |
492 | - Fixed accuracy issues with relative pcre matching (#784) | |
493 | - Improved accuracy of file_data keyword (#788) | |
494 | - Invalidate negative depth (#770) | |
495 | - Fix http host parsing for IPv6 addresses (#761) | |
496 | - Fix fast.log formatting issues (#773) | |
497 | - Fixed deadlock in flowvar set code for http buffers (#801) | |
498 | - Various signature ordering improvements | |
499 | - Minor stream engine fix | |
500 | ||
501 | 1.4.1 -- 2013-03-08 | |
502 | ||
503 | - GeoIP keyword, allowing matching on Maxmind's database, contributed by Ignacio Sanchez (#559) | |
504 | - Introduce http_host and http_raw_host keywords (#733, #743) | |
505 | - Add python module for interacting with unix socket (#767) | |
506 | - Add new unix socket commands: fetching config, counters, basic runtime info (#764, #765) | |
507 | - Big Napatech support update by Matt Keeler | |
508 | - Configurable sensor id in unified2 output, contributed by Jake Gionet (#667) | |
509 | - FreeBSD IPFW fixes by Nikolay Denev | |
510 | - Add "default" interface setting to capture configuration in yaml (#679) | |
511 | - Make sure "snaplen" can be set by the user (#680) | |
512 | - Improve HTTP URI query string normalization (#739) | |
513 | - Improved error reporting in MD5 loading (#693) | |
514 | - Improve reference.config parser error reporting (#737) | |
515 | - Improve build info output to include all configure options (#738) | |
516 | - Segfault in TLS parsing reported by Charles Smutz (#725) | |
517 | - Fix crash in teredo decoding, reported by Rmkml (#736) | |
518 | - fixed UDPv4 packets without checksum being detected as invalid (#760) | |
519 | - fixed DCE/SMB parsers getting confused in some fragmented cases (#764) | |
520 | - parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#697) | |
521 | - FN: IP-only rule ip_proto not matching for some protocols (#689) | |
522 | - Fix build failure with other libhtp installs (#688) | |
523 | - Fix malformed yaml loading leading to a crash (#694) | |
524 | - Various Mac OS X fixes (#700, #701, #703) | |
525 | - Fix for autotools on Mac OS X by Jason Ish (#704) | |
526 | - Fix AF_PACKET under high load not updating stats (#706) | |
527 | ||
528 | 1.3.6 -- 2013-03-07 | |
529 | ||
530 | - fix decoder event rules not checked in all cases (#671) | |
531 | - checksum detection for icmpv6 was fixed (#673) | |
532 | - crash in HTTP server body inspection code fixed (#675) | |
533 | - fixed a icmpv6 payload bug (#676) | |
534 | - IP-only rule ip_proto not matching for some protocols was addressed (#690) | |
535 | - fixed malformed yaml crashing suricata (#702) | |
536 | - parsing ipv6 address/subnet parsing in thresholding was fixed by Jamie Strandboge (#717) | |
537 | - crash in tls parser was fixed (#759) | |
538 | - fixed UDPv4 packets without checksum being detected as invalid (#762) | |
539 | - fixed DCE/SMB parsers getting confused in some fragmented cases (#763) | |
540 | ||
63370745 VJ |
541 | 1.4 2012-12-13 |
542 | ||
543 | - Decoder event matching fixed (#672) | |
544 | - Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665) | |
545 | - Add more events to IPv6 extension header anomolies (#678) | |
546 | - Fix ICMPv6 payload and checksum calculation (#677, #674) | |
547 | - Clean up flow timeout handling (#656) | |
548 | - Fix a shutdown bug when using AF_PACKET under high load (#653) | |
549 | - Fix TCP sessions being cleaned up to early (#652) | |
550 | ||
551 | 1.3.5 2012-12-06 | |
552 | ||
553 | - Flow engine memory leak fixed by Ludovico Cavedon (#651) | |
554 | - Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664) | |
555 | - Flow manager mutex used unintialized, fixed by Ludovico Cavedon (#654) | |
556 | - Windows building in CYGWIN fixed (#630) | |
557 | ||
e4f25661 VJ |
558 | 1.4rc1 2012-11-29 |
559 | ||
560 | - Interactive unix socket mode (#571, #552) | |
561 | - IP Reputation: loading and matching (#647) | |
562 | - Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435) | |
563 | - Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494) | |
564 | - User-Agent added to file log and filestore meta files (#629) | |
565 | - Endace DAG supports live stats and at exit drop stats (#638) | |
566 | - Add support for libhtp event "request port doesn't match tcp port" (#650) | |
567 | - Rules with negated addresses will not be considered IP-only (#599) | |
568 | - Rule reloads complete much faster in low traffic conditions (#526) | |
569 | - Suricata -h now displays all available options (#419) | |
570 | - Luajit configure time detection was improved (#636) | |
571 | - Flow manager mutex used w/o initialization (#628) | |
572 | - Cygwin work around for windows shell mangling interface string (#372) | |
573 | - Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648) | |
574 | - CLANG compiler build fixes (#649) | |
575 | - Several fixes found by code analyzers | |
576 | ||
b0caeaa5 VJ |
577 | 1.4beta3 2012-11-14 |
578 | ||
579 | - support for Napatech cards was greatly improved by Matt Keeler from Npulse (#430, #619) | |
580 | - support for pkt_data keyword was added | |
581 | - user and group to run as can now be set in the config file | |
582 | - make HTTP request and response body inspection sizes configurable per HTTP server config (#560) | |
583 | - PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625) | |
584 | - add contrib directory to the dist (#567) | |
585 | - performance improvements to signatures with dsize option | |
586 | - improved rule analyzer: print fast_pattern along with the rule (#558) | |
587 | - fixes to stream engine reducing the number of events generated (#604) | |
588 | - add stream event to match on overlaps with different data in stream reassembly (#603) | |
589 | - stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592) | |
590 | - HTTP handling in OOM condition was greatly improved (#557) | |
591 | - filemagic keyword performance was improved (#585) | |
592 | - fixes and improvements to daemon mode (#624) | |
593 | - fix drop rules not working correctly when thresholded (#613) | |
594 | - fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581) | |
595 | - fix a false possitive condition in http_header (#607) | |
596 | - fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627) | |
597 | - fixes to rule profiling (#576) | |
598 | - cleanups and misc fixes (#379, #395) | |
599 | - updated bundled libhtp to 0.2.11 | |
600 | - build system improvements and cleanups | |
601 | - fix to SSL record parsing | |
602 | ||
603 | 1.3.4 -- 2012-11-14 | |
604 | ||
605 | - fix crash in flow and host engines in cases of low memory or low memcap settings (#617) | |
606 | - improve http handling in low memory conditions (#620) | |
607 | - fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626) | |
608 | - fix building on OpenBSD 5.2 | |
609 | - update default config's defrag settings to reflect all available options | |
610 | - fixes to make check | |
611 | - fix to SSL record parsing | |
612 | ||
613 | 1.3.3 -- 2012-11-01 | |
614 | ||
615 | - fix drop rules not working correctly when thresholded (#615) | |
616 | - fix a false possitive condition in http_header (#606) | |
617 | - fix extracted file corruption (#601) | |
618 | - fix a false possitive condition with the pcre keyword and relative matching (#588) | |
619 | - fix PF_RING set cluster problem on dma interfaces (#598) | |
620 | - improve http handling in low memory conditions (#586, #587) | |
621 | - fix FreeBSD inline mode crash (#612) | |
622 | - suppress pcre jit warning (#579) | |
623 | ||
d774d6e2 VJ |
624 | 1.4beta2 -- 2012-10-04 |
625 | ||
626 | - New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346) | |
627 | - Added ability to control per server HTTP parser settings in much more detail (#503) | |
628 | - Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540) | |
629 | - Big performance improvement in inspecting decoder, stream and app layer events (#555) | |
630 | - Pool performance improvements (#541) | |
631 | - Improved performance of signatures with simple pattern setups (#577) | |
632 | - Bundled docs are installed upon make install (#527) | |
633 | - Support for a number of global vs rule thresholds [3] was added (#425) | |
634 | - Improved rule profiling performance | |
635 | - If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded. | |
636 | - Fix compilation on architectures other than x86 and x86_64 (#572) | |
637 | - Fix FP with anchored pcre combined with relative matching (#529) | |
638 | - Fix engine hanging instead of exitting if the pcap device doesn't exist (#533) | |
639 | - Work around for potential FP, will get properly fixed in next release (#574) | |
640 | - Improve ERF handling. Thanks to Jason Ish | |
641 | - Always set cluster_id in PF_RING | |
642 | - IPFW: fix broken broadcast handling | |
643 | - AF_PACKET kernel offset issue, IPS fix and cleanup | |
644 | - Fix stream engine sometimes resending the same data to app layer | |
645 | - Fix multiple issues in HTTP multipart parsing | |
646 | - Fixed a lockup at shutdown with NFQ (#537) | |
647 | ||
648 | 1.3.2 -- 2012-10-03 | |
649 | ||
650 | - Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562) | |
651 | - Fixed a FN condition with the flow:no_stream option (#575) | |
652 | - Fix building of perf profiling code on i386 platform. By Simon Moon (#534) | |
653 | - Fix multiple issues in HTTP multipart parsing | |
654 | - Fix stream engine sometimes resending the same data to app layer | |
655 | - Always set cluster_id in PF_RING | |
656 | - Defrag: silence some potentially noisy errors/warnings | |
657 | - IPFW: fix broken broadcast handling | |
658 | - AF_PACKET kernel offset issue | |
659 | ||
fca70730 VJ |
660 | 1.4beta1 -- 2012-09-06 |
661 | ||
662 | - Custom HTTP logging contributed by Ignacio Sanchez (#530) | |
663 | - TLS certificate logging and fingerprint computation and keyword (#443) | |
664 | - TLS certificate store to disk feature (#444) | |
665 | - Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480) | |
666 | - AF_PACKET IPS support (#516) | |
667 | - Rules can be set to inspect only IPv4 or IPv6 (#494) | |
668 | - filesize keyword for matching on sizes of files in HTTP (#489) | |
669 | - Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522) | |
670 | - NFQ fail open support (#507) | |
671 | - Highly experimental lua scripting support for detection | |
672 | - Live reloads now supports HTTP rule updates better (#522) | |
673 | - AF_PACKET performance improvements (#197, #415) | |
674 | - Make defrag more configurable (#517, #528) | |
675 | - Improve pool performance (#518) | |
676 | - Improve file inspection keywords by adding a separate API (#531) | |
677 | - Example threshold.config file provided (#302) | |
678 | - Fix building of perf profiling code on i386 platform. By Simon Moon (#534) | |
679 | - Various spelling corrections by Simon Moon (#533) | |
680 | ||
e28835af VJ |
681 | 1.3.1 -- 2012-08-21 |
682 | ||
683 | - AF_PACKET performance improvements | |
684 | - Defrag engine performance improvements | |
685 | - HTTP: add per server options to enable/disable double decoding of URI (#464, #504) | |
686 | - Stream engine packet handling for packets with non-standard flag combinations (#508) | |
687 | - Improved stream engine handling of packet loss (#523) | |
688 | - Stream engine checksum alerting fixed | |
689 | - Various rule analyzer fixes (#495, #496, #497) | |
690 | - (Rule) profiling fixed and improved (#460, #466) | |
691 | - Enforce limit on max-pending-packets (#510) | |
692 | - fast_pattern on negated content improved | |
693 | - TLS rule keyword parsing issues | |
694 | - Windows build fixes (#502) | |
695 | - Host OS parsing issues fixed (#499) | |
696 | - Reject signatures where content length is bigger than "depth" setting (#505) | |
697 | - Removed unused "prune-flows" option | |
698 | - Set main thread and live reload thread names (#498) | |
699 | ||
22957776 VJ |
700 | 1.3 -- 2012-07-06 |
701 | ||
702 | - make live rule reloads optional and disabled by default | |
703 | - fix a shutdown bug | |
704 | - fix several memory leaks (#492) | |
705 | - warn user if global and rule thresholding conflict (#455) | |
706 | - set thread names on FreeBSD (Nikolay Denev) | |
707 | - Fix PF_RING building on Ubuntu 12.04 | |
708 | - rule analyzer updates | |
709 | - file inspection improvements when dealing with limits (#493) | |
710 | ||
583ba460 VJ |
711 | 1.3rc1 -- 2012-06-29 |
712 | ||
713 | - experimental live rule reload by sending a USR2 signal (#279) | |
714 | - AF_PACKET BPF support (#449) | |
715 | - AF_PACKET live packet loss counters (#441) | |
716 | - Rule analyzer (#349) | |
717 | - add pcap workers runmode for use with libpcap wrappers that support load balancing, such as Napatech's or Myricom's | |
718 | - negated filemd5 matching, allowing for md5 whitelisting | |
719 | - signatures with depth and/or offset are now checked against packets in addition to the stream (#404) | |
720 | - http_cookie keyword now also inspects "Set-Cookie" header (#479) | |
721 | - filemd5 keyword no longer depends on log-file output module (#447) | |
722 | - http_raw_header keyword inspects original header line terminators (#475) | |
723 | - deal with double encoded URI (#464) | |
724 | - improved SMB/SMB2/DCERPC robustness | |
725 | - ICMPv6 parsing fixes | |
726 | - improve HTTP body inspection | |
727 | - stream.inline accuracy issues fixed (#339) | |
728 | - general stability fixes (#482, #486) | |
729 | - missing unittests added (#471) | |
730 | - "threshold.conf not found" error made more clear (#446) | |
731 | - IPS mode segment logging for Unified2 improved | |
732 | ||
733 | 1.3beta2 -- 2012-06-08 | |
ed9b07ef VJ |
734 | |
735 | - experimental support for matching on large lists of known file MD5 checksums | |
736 | - Improved performance for file_data, http_server_body and http_client_body keywords | |
737 | - Improvements to HTTP handling: multipart parsing, gzip decompression | |
738 | - Byte_extract can support negative offsets now (#445) | |
739 | - Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459) | |
740 | - HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454) | |
741 | - Improved error reporting when using too long address strings (#451) | |
742 | - MD5 calculation improvements for daemon mode and other cases (#449) | |
743 | - File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste. | |
744 | - Rule parser is made more strict. | |
745 | - Unified2 output overhaul, logging individual segments in more cases. | |
746 | - detection_filter keyword accuracy problem was fixed (#453) | |
747 | - Don't inspect cookie header with http header (#461) | |
748 | - Crash with a rule with two byte_extract keywords (#456) | |
749 | - SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476) | |
750 | - Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452) | |
751 | - Improve escaping of some characters in logs (#418) | |
752 | - Checksum calculation bugs fixed | |
753 | - IPv6 parsing issues fixed. Thanks to Michel Saborde. | |
754 | - Endace DAG issues fixed. Thanks to Jason Ish from Endace. | |
755 | - Various OpenBSD related fixes. | |
756 | - Fixes for bugs found by Coverity source code analyzer. | |
757 | ||
fbe0206c VJ |
758 | 1.3beta1 -- 2012-04-04 |
759 | ||
760 | - TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier) | |
761 | - Napatech capture card support (contributed by Randy Caldejon -- nPulse) | |
762 | - Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste) | |
763 | - Test mode: -T option to test the config (#271) | |
764 | - Ringbuffer and zero copy support for AF_PACKET | |
765 | - Commandline options to list supported app layer protocols and keywords (#344, #414) | |
766 | - File extraction for HTTP POST request that do not use multipart bodies | |
767 | - On the fly md5 checksum calculation of extracted files | |
768 | - Line based file log, in json format | |
769 | - Basic support for including other yaml files into the main yaml | |
770 | - New multi pattern engine: ac-bs | |
771 | - Profiling improvements, added lock profiling code | |
772 | - Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys) | |
773 | - Unified yaml naming convention, including fallback support (by Nikolay Denev) | |
774 | - Improved Endace DAG support (#431, Jason Ish -- Endace) | |
775 | - New default runmode: "autofp" (#433) | |
776 | - Major rewrite of flow engine, improving scalability. | |
777 | - Improved http_stat_msg and http_stat_code keywords (#394) | |
778 | - Improved scalability for Tag and Threshold subsystems | |
779 | - Made the rule keyword parser much stricter in detecting syntax errors | |
780 | - Split "file" output into "file-store" and "file-log" outputs | |
781 | - Much improved file extraction | |
782 | - CUDA build fixes (#421) | |
783 | - Various FP's reported by Rmkml (#403, #405, #411) | |
784 | - IPv6 decoding and detection issues (reported by Michel Sarborde) | |
785 | - PCAP logging crash (#422) | |
786 | - Fixed many (potential) issues with the help of the Coverity source code analyzer | |
787 | - Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers | |
788 | ||
65d1783b VJ |
789 | 1.2.1 -- 2012-01-20 |
790 | ||
791 | - fix malformed unified2 records when writing alerts trigger by stream inspection (#402) | |
792 | - only force a pseudo packet inspection cycle for TCP streams in a state >= established | |
793 | ||
5b42f360 VJ |
794 | 1.2 -- 2012-01-19 |
795 | ||
796 | - improved Windows/CYGWIN path handling (#387) | |
797 | - fixed some issues with passing an interface or ip address with -i | |
798 | - make live worker runmode threads adhere to the 'detect' cpu affinity settings | |
799 | ||
e192ce7e VJ |
800 | 1.2rc1 -- 2012-01-11 |
801 | ||
802 | - app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events | |
803 | - auto detection of checksum offloading per interface (#311) | |
804 | - urilen options to match on raw or normalized URI (#341) | |
805 | - flow keyword option "only_stream" and "no_stream" | |
806 | - unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250) | |
807 | - in IPS mode, reject rules now also drop (#399) | |
808 | - http_header now also inspects response headers (#389) | |
809 | - "worker" runmodes for NFQ and IPFW | |
810 | - performance improvement for "ac" pattern matcher | |
811 | - allow empty/non-initialized flowints to be incremented | |
812 | - PCRE-JIT is now enabled by default if available (#356) | |
813 | - many file inspection and extraction improvements | |
814 | - flowbits and flowints are now modified in a post-match action list | |
815 | - general performance increasements | |
816 | - fixed parsing really high sid numbers >2 Billion (#393) | |
817 | - fixed ICMPv6 not matching in IP-only sigs (#363) | |
818 | ||
c0cd2c85 VJ |
819 | 1.2beta1 -- 2011-12-19 |
820 | ||
821 | - File name, type inspection and extraction for HTTP | |
822 | - filename, fileext, filemagic and filestore keywords added | |
823 | - "file" output for storing extracted files to disk | |
824 | - file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241 | |
825 | - new keyword http_server_body, pcre regex /S option | |
826 | - Option to enable/disable core dumping from the suricata.yaml (enabled by default) | |
827 | - Human readable size limit settings in suricata.yaml | |
828 | - PF_RING bpf support (required PF_RING >= 5.1) (feature #334) | |
829 | - tos keyword support (feature #364) | |
830 | - IPFW IPS mode does now support multiple divert sockets | |
831 | - New IPS running modes, Linux and FreeBSD do now support "worker" and "autofp" | |
832 | - Improved alert accuracy in autofp and single runmodes | |
833 | - major performance optimizations for the ac-gfbs pattern matcher implementation | |
834 | - unified2 output fixes | |
835 | - PF_RING supports privilege dropping now (bug #367) | |
836 | - Improved detection of duplicate signatures | |
837 | ||
838 | 1.1.1 -- 2011-12-07 | |
839 | ||
840 | - Fix for a error in the smtp parser that could crash Suricata. | |
841 | - Fix for AF_PACKET not compiling on modern linux systems like Fedora 16. | |
842 | ||
6256d6b5 VJ |
843 | 1.1 -- 2011-11-10 |
844 | ||
845 | - CUDA build fixed | |
846 | - minor pcap, AF_PACKET and PF_RING fixes (#368) | |
847 | - bpf handling fix | |
848 | - Windows CYGWIN build | |
849 | - more cleanups | |
850 | ||
851 | 1.1rc1 -- 2011-11-03 | |
852 | ||
853 | - extended HTTP request logging for use with (among other things) http_agent for Sguil (#38) | |
854 | - AF_PACKET report drop stats on shutdown (#325) | |
855 | - new counters in stats.log for flow and stream engines (#348) | |
856 | - SMTP parsing code support for BDAT command (#347) | |
857 | - HTTP URI normalization no longer converts to lowercase (#362) | |
858 | - AF_PACKET works with privileges dropping now (#361) | |
859 | - Prelude output for state matches (#264, #355) | |
860 | - update of the pattern matching code that should improve accuracy | |
861 | - rule parser was made more strict (#295, #312) | |
862 | - multiple event suppressions for the same SID was fixed (#366) | |
863 | - several accuracy fixes | |
864 | - removal of the unified1 output plugins (#353) | |
865 | ||
866 | 1.1beta3 -- 2011-10-25 | |
867 | ||
868 | - af-packet support for high speed packet capture | |
869 | - "replace" keyword support (#303) | |
870 | - new "workers" runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap | |
871 | - added "stream-event" keyword to match on TCP session anomalies | |
872 | - support for suppress keyword was added (#274) | |
873 | - byte_extract keyword support was added | |
874 | - improved handling of timed out TCP sessions in the detection engine | |
875 | - unified2 payload logging if detection was in the HTTP state (#264) | |
876 | - improved accuracy of the HTTP transaction logging | |
877 | - support for larger (64 bit) Flow/Stream memcaps (#332) | |
878 | - major speed improvements for PCRE, including support for PCRE JIT | |
879 | - support setting flowbits in ip-only rules (#292) | |
880 | - performance increases on SSE3+ CPU's | |
881 | - overhaul of the packet acquisition subsystem | |
882 | - packet based performance profiling subsystem was added | |
883 | - TCP SACK support was added to the stream engine | |
884 | - updated included libhtp to 0.2.6 which fixes several issues | |
885 | ||
886 | 1.1beta2 -- 2011-04-13 | |
887 | ||
888 | - New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262). | |
889 | - Inline mode for the stream engine (#230, #248). | |
890 | - New keyword support: nfq_set_mark | |
891 | - Included an example decoder-events.rules file | |
892 | - api for adding and selecting runmodes was added | |
893 | - pcap logging / recording output was added | |
894 | - basic SCTP protocol parsing was added | |
895 | - more fine grained CPU affinity setting support was added | |
896 | - stream engine inspects stream in larger chunks | |
897 | - fast_pattern support for http_method content modifier (#255) | |
898 | - negation support for isdataat keyword (#257) | |
899 | - configurable interval for stats.log updates (#247) | |
900 | - new pf_ring runmode was added that scales better | |
901 | - pcap live mode now handles the monitor interface going up and down | |
902 | - several QA additions to "make check" | |
903 | - NFQ (linux inline) mode was improved | |
904 | - Alerts classification fix (#275) | |
905 | - compiles and runs on big-endian systems (#63) | |
906 | - unified2 output works around barnyard2 issues with DLT_RAW + IPv6 | |
907 | ||
908 | 1.1beta1 -- 2010-12-21 | |
909 | ||
910 | - New keyword support: http_raw_header, http_stat_msg, http_stat_code. | |
911 | - A new default pattern matcher, Aho-Corasick based, that uses much less memory. | |
912 | - reference.config support as supplied by ET/ETpro and VRT. | |
913 | - Much improved fast_pattern support, including for http_uri, http_client_body, http_header, http_raw_header. | |
914 | - Improved parsers, especially the DCERPC parser. | |
915 | - Much improved performance & accuracy. | |
916 | ||
917 | 1.0.5 -- 2011-07-25 | |
918 | ||
919 | - Fix stream reassembly bug #300. Thanks to Rmkml for the report. | |
920 | - Fix several (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat. | |
921 | ||
922 | 1.0.4 -- 2011-06-24 | |
923 | ||
924 | - LibHTP updated to 0.2.6 | |
925 | - Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat. | |
926 | - Large number of (potential) issues fixed after source code scans with the Clang static analizer. | |
927 | ||
928 | 1.0.3 -- 2011-04-13 | |
929 | ||
930 | - Fix broken checksum calculation for TCP/UDP in some cases | |
931 | - Fix errors in the byte_test, byte_jump, http_method and http_header keywords | |
932 | - Fix a ASN1 parsing issue | |
933 | - Improve LibHTP memory handling | |
934 | - Fix a defrag issue | |
935 | - Fix several stream engine issues | |
936 |