]>
Commit | Line | Data |
---|---|---|
63370745 VJ |
1 | 1.4 2012-12-13 |
2 | ||
3 | - Decoder event matching fixed (#672) | |
4 | - Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665) | |
5 | - Add more events to IPv6 extension header anomolies (#678) | |
6 | - Fix ICMPv6 payload and checksum calculation (#677, #674) | |
7 | - Clean up flow timeout handling (#656) | |
8 | - Fix a shutdown bug when using AF_PACKET under high load (#653) | |
9 | - Fix TCP sessions being cleaned up to early (#652) | |
10 | ||
11 | 1.3.5 2012-12-06 | |
12 | ||
13 | - Flow engine memory leak fixed by Ludovico Cavedon (#651) | |
14 | - Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664) | |
15 | - Flow manager mutex used unintialized, fixed by Ludovico Cavedon (#654) | |
16 | - Windows building in CYGWIN fixed (#630) | |
17 | ||
e4f25661 VJ |
18 | 1.4rc1 2012-11-29 |
19 | ||
20 | - Interactive unix socket mode (#571, #552) | |
21 | - IP Reputation: loading and matching (#647) | |
22 | - Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435) | |
23 | - Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494) | |
24 | - User-Agent added to file log and filestore meta files (#629) | |
25 | - Endace DAG supports live stats and at exit drop stats (#638) | |
26 | - Add support for libhtp event "request port doesn't match tcp port" (#650) | |
27 | - Rules with negated addresses will not be considered IP-only (#599) | |
28 | - Rule reloads complete much faster in low traffic conditions (#526) | |
29 | - Suricata -h now displays all available options (#419) | |
30 | - Luajit configure time detection was improved (#636) | |
31 | - Flow manager mutex used w/o initialization (#628) | |
32 | - Cygwin work around for windows shell mangling interface string (#372) | |
33 | - Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648) | |
34 | - CLANG compiler build fixes (#649) | |
35 | - Several fixes found by code analyzers | |
36 | ||
b0caeaa5 VJ |
37 | 1.4beta3 2012-11-14 |
38 | ||
39 | - support for Napatech cards was greatly improved by Matt Keeler from Npulse (#430, #619) | |
40 | - support for pkt_data keyword was added | |
41 | - user and group to run as can now be set in the config file | |
42 | - make HTTP request and response body inspection sizes configurable per HTTP server config (#560) | |
43 | - PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625) | |
44 | - add contrib directory to the dist (#567) | |
45 | - performance improvements to signatures with dsize option | |
46 | - improved rule analyzer: print fast_pattern along with the rule (#558) | |
47 | - fixes to stream engine reducing the number of events generated (#604) | |
48 | - add stream event to match on overlaps with different data in stream reassembly (#603) | |
49 | - stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592) | |
50 | - HTTP handling in OOM condition was greatly improved (#557) | |
51 | - filemagic keyword performance was improved (#585) | |
52 | - fixes and improvements to daemon mode (#624) | |
53 | - fix drop rules not working correctly when thresholded (#613) | |
54 | - fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581) | |
55 | - fix a false possitive condition in http_header (#607) | |
56 | - fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627) | |
57 | - fixes to rule profiling (#576) | |
58 | - cleanups and misc fixes (#379, #395) | |
59 | - updated bundled libhtp to 0.2.11 | |
60 | - build system improvements and cleanups | |
61 | - fix to SSL record parsing | |
62 | ||
63 | 1.3.4 -- 2012-11-14 | |
64 | ||
65 | - fix crash in flow and host engines in cases of low memory or low memcap settings (#617) | |
66 | - improve http handling in low memory conditions (#620) | |
67 | - fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626) | |
68 | - fix building on OpenBSD 5.2 | |
69 | - update default config's defrag settings to reflect all available options | |
70 | - fixes to make check | |
71 | - fix to SSL record parsing | |
72 | ||
73 | 1.3.3 -- 2012-11-01 | |
74 | ||
75 | - fix drop rules not working correctly when thresholded (#615) | |
76 | - fix a false possitive condition in http_header (#606) | |
77 | - fix extracted file corruption (#601) | |
78 | - fix a false possitive condition with the pcre keyword and relative matching (#588) | |
79 | - fix PF_RING set cluster problem on dma interfaces (#598) | |
80 | - improve http handling in low memory conditions (#586, #587) | |
81 | - fix FreeBSD inline mode crash (#612) | |
82 | - suppress pcre jit warning (#579) | |
83 | ||
d774d6e2 VJ |
84 | 1.4beta2 -- 2012-10-04 |
85 | ||
86 | - New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346) | |
87 | - Added ability to control per server HTTP parser settings in much more detail (#503) | |
88 | - Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540) | |
89 | - Big performance improvement in inspecting decoder, stream and app layer events (#555) | |
90 | - Pool performance improvements (#541) | |
91 | - Improved performance of signatures with simple pattern setups (#577) | |
92 | - Bundled docs are installed upon make install (#527) | |
93 | - Support for a number of global vs rule thresholds [3] was added (#425) | |
94 | - Improved rule profiling performance | |
95 | - If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded. | |
96 | - Fix compilation on architectures other than x86 and x86_64 (#572) | |
97 | - Fix FP with anchored pcre combined with relative matching (#529) | |
98 | - Fix engine hanging instead of exitting if the pcap device doesn't exist (#533) | |
99 | - Work around for potential FP, will get properly fixed in next release (#574) | |
100 | - Improve ERF handling. Thanks to Jason Ish | |
101 | - Always set cluster_id in PF_RING | |
102 | - IPFW: fix broken broadcast handling | |
103 | - AF_PACKET kernel offset issue, IPS fix and cleanup | |
104 | - Fix stream engine sometimes resending the same data to app layer | |
105 | - Fix multiple issues in HTTP multipart parsing | |
106 | - Fixed a lockup at shutdown with NFQ (#537) | |
107 | ||
108 | 1.3.2 -- 2012-10-03 | |
109 | ||
110 | - Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562) | |
111 | - Fixed a FN condition with the flow:no_stream option (#575) | |
112 | - Fix building of perf profiling code on i386 platform. By Simon Moon (#534) | |
113 | - Fix multiple issues in HTTP multipart parsing | |
114 | - Fix stream engine sometimes resending the same data to app layer | |
115 | - Always set cluster_id in PF_RING | |
116 | - Defrag: silence some potentially noisy errors/warnings | |
117 | - IPFW: fix broken broadcast handling | |
118 | - AF_PACKET kernel offset issue | |
119 | ||
fca70730 VJ |
120 | 1.4beta1 -- 2012-09-06 |
121 | ||
122 | - Custom HTTP logging contributed by Ignacio Sanchez (#530) | |
123 | - TLS certificate logging and fingerprint computation and keyword (#443) | |
124 | - TLS certificate store to disk feature (#444) | |
125 | - Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480) | |
126 | - AF_PACKET IPS support (#516) | |
127 | - Rules can be set to inspect only IPv4 or IPv6 (#494) | |
128 | - filesize keyword for matching on sizes of files in HTTP (#489) | |
129 | - Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522) | |
130 | - NFQ fail open support (#507) | |
131 | - Highly experimental lua scripting support for detection | |
132 | - Live reloads now supports HTTP rule updates better (#522) | |
133 | - AF_PACKET performance improvements (#197, #415) | |
134 | - Make defrag more configurable (#517, #528) | |
135 | - Improve pool performance (#518) | |
136 | - Improve file inspection keywords by adding a separate API (#531) | |
137 | - Example threshold.config file provided (#302) | |
138 | - Fix building of perf profiling code on i386 platform. By Simon Moon (#534) | |
139 | - Various spelling corrections by Simon Moon (#533) | |
140 | ||
e28835af VJ |
141 | 1.3.1 -- 2012-08-21 |
142 | ||
143 | - AF_PACKET performance improvements | |
144 | - Defrag engine performance improvements | |
145 | - HTTP: add per server options to enable/disable double decoding of URI (#464, #504) | |
146 | - Stream engine packet handling for packets with non-standard flag combinations (#508) | |
147 | - Improved stream engine handling of packet loss (#523) | |
148 | - Stream engine checksum alerting fixed | |
149 | - Various rule analyzer fixes (#495, #496, #497) | |
150 | - (Rule) profiling fixed and improved (#460, #466) | |
151 | - Enforce limit on max-pending-packets (#510) | |
152 | - fast_pattern on negated content improved | |
153 | - TLS rule keyword parsing issues | |
154 | - Windows build fixes (#502) | |
155 | - Host OS parsing issues fixed (#499) | |
156 | - Reject signatures where content length is bigger than "depth" setting (#505) | |
157 | - Removed unused "prune-flows" option | |
158 | - Set main thread and live reload thread names (#498) | |
159 | ||
22957776 VJ |
160 | 1.3 -- 2012-07-06 |
161 | ||
162 | - make live rule reloads optional and disabled by default | |
163 | - fix a shutdown bug | |
164 | - fix several memory leaks (#492) | |
165 | - warn user if global and rule thresholding conflict (#455) | |
166 | - set thread names on FreeBSD (Nikolay Denev) | |
167 | - Fix PF_RING building on Ubuntu 12.04 | |
168 | - rule analyzer updates | |
169 | - file inspection improvements when dealing with limits (#493) | |
170 | ||
583ba460 VJ |
171 | 1.3rc1 -- 2012-06-29 |
172 | ||
173 | - experimental live rule reload by sending a USR2 signal (#279) | |
174 | - AF_PACKET BPF support (#449) | |
175 | - AF_PACKET live packet loss counters (#441) | |
176 | - Rule analyzer (#349) | |
177 | - add pcap workers runmode for use with libpcap wrappers that support load balancing, such as Napatech's or Myricom's | |
178 | - negated filemd5 matching, allowing for md5 whitelisting | |
179 | - signatures with depth and/or offset are now checked against packets in addition to the stream (#404) | |
180 | - http_cookie keyword now also inspects "Set-Cookie" header (#479) | |
181 | - filemd5 keyword no longer depends on log-file output module (#447) | |
182 | - http_raw_header keyword inspects original header line terminators (#475) | |
183 | - deal with double encoded URI (#464) | |
184 | - improved SMB/SMB2/DCERPC robustness | |
185 | - ICMPv6 parsing fixes | |
186 | - improve HTTP body inspection | |
187 | - stream.inline accuracy issues fixed (#339) | |
188 | - general stability fixes (#482, #486) | |
189 | - missing unittests added (#471) | |
190 | - "threshold.conf not found" error made more clear (#446) | |
191 | - IPS mode segment logging for Unified2 improved | |
192 | ||
193 | 1.3beta2 -- 2012-06-08 | |
ed9b07ef VJ |
194 | |
195 | - experimental support for matching on large lists of known file MD5 checksums | |
196 | - Improved performance for file_data, http_server_body and http_client_body keywords | |
197 | - Improvements to HTTP handling: multipart parsing, gzip decompression | |
198 | - Byte_extract can support negative offsets now (#445) | |
199 | - Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459) | |
200 | - HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454) | |
201 | - Improved error reporting when using too long address strings (#451) | |
202 | - MD5 calculation improvements for daemon mode and other cases (#449) | |
203 | - File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste. | |
204 | - Rule parser is made more strict. | |
205 | - Unified2 output overhaul, logging individual segments in more cases. | |
206 | - detection_filter keyword accuracy problem was fixed (#453) | |
207 | - Don't inspect cookie header with http header (#461) | |
208 | - Crash with a rule with two byte_extract keywords (#456) | |
209 | - SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476) | |
210 | - Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452) | |
211 | - Improve escaping of some characters in logs (#418) | |
212 | - Checksum calculation bugs fixed | |
213 | - IPv6 parsing issues fixed. Thanks to Michel Saborde. | |
214 | - Endace DAG issues fixed. Thanks to Jason Ish from Endace. | |
215 | - Various OpenBSD related fixes. | |
216 | - Fixes for bugs found by Coverity source code analyzer. | |
217 | ||
fbe0206c VJ |
218 | 1.3beta1 -- 2012-04-04 |
219 | ||
220 | - TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier) | |
221 | - Napatech capture card support (contributed by Randy Caldejon -- nPulse) | |
222 | - Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste) | |
223 | - Test mode: -T option to test the config (#271) | |
224 | - Ringbuffer and zero copy support for AF_PACKET | |
225 | - Commandline options to list supported app layer protocols and keywords (#344, #414) | |
226 | - File extraction for HTTP POST request that do not use multipart bodies | |
227 | - On the fly md5 checksum calculation of extracted files | |
228 | - Line based file log, in json format | |
229 | - Basic support for including other yaml files into the main yaml | |
230 | - New multi pattern engine: ac-bs | |
231 | - Profiling improvements, added lock profiling code | |
232 | - Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys) | |
233 | - Unified yaml naming convention, including fallback support (by Nikolay Denev) | |
234 | - Improved Endace DAG support (#431, Jason Ish -- Endace) | |
235 | - New default runmode: "autofp" (#433) | |
236 | - Major rewrite of flow engine, improving scalability. | |
237 | - Improved http_stat_msg and http_stat_code keywords (#394) | |
238 | - Improved scalability for Tag and Threshold subsystems | |
239 | - Made the rule keyword parser much stricter in detecting syntax errors | |
240 | - Split "file" output into "file-store" and "file-log" outputs | |
241 | - Much improved file extraction | |
242 | - CUDA build fixes (#421) | |
243 | - Various FP's reported by Rmkml (#403, #405, #411) | |
244 | - IPv6 decoding and detection issues (reported by Michel Sarborde) | |
245 | - PCAP logging crash (#422) | |
246 | - Fixed many (potential) issues with the help of the Coverity source code analyzer | |
247 | - Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers | |
248 | ||
65d1783b VJ |
249 | 1.2.1 -- 2012-01-20 |
250 | ||
251 | - fix malformed unified2 records when writing alerts trigger by stream inspection (#402) | |
252 | - only force a pseudo packet inspection cycle for TCP streams in a state >= established | |
253 | ||
5b42f360 VJ |
254 | 1.2 -- 2012-01-19 |
255 | ||
256 | - improved Windows/CYGWIN path handling (#387) | |
257 | - fixed some issues with passing an interface or ip address with -i | |
258 | - make live worker runmode threads adhere to the 'detect' cpu affinity settings | |
259 | ||
e192ce7e VJ |
260 | 1.2rc1 -- 2012-01-11 |
261 | ||
262 | - app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events | |
263 | - auto detection of checksum offloading per interface (#311) | |
264 | - urilen options to match on raw or normalized URI (#341) | |
265 | - flow keyword option "only_stream" and "no_stream" | |
266 | - unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250) | |
267 | - in IPS mode, reject rules now also drop (#399) | |
268 | - http_header now also inspects response headers (#389) | |
269 | - "worker" runmodes for NFQ and IPFW | |
270 | - performance improvement for "ac" pattern matcher | |
271 | - allow empty/non-initialized flowints to be incremented | |
272 | - PCRE-JIT is now enabled by default if available (#356) | |
273 | - many file inspection and extraction improvements | |
274 | - flowbits and flowints are now modified in a post-match action list | |
275 | - general performance increasements | |
276 | - fixed parsing really high sid numbers >2 Billion (#393) | |
277 | - fixed ICMPv6 not matching in IP-only sigs (#363) | |
278 | ||
c0cd2c85 VJ |
279 | 1.2beta1 -- 2011-12-19 |
280 | ||
281 | - File name, type inspection and extraction for HTTP | |
282 | - filename, fileext, filemagic and filestore keywords added | |
283 | - "file" output for storing extracted files to disk | |
284 | - file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241 | |
285 | - new keyword http_server_body, pcre regex /S option | |
286 | - Option to enable/disable core dumping from the suricata.yaml (enabled by default) | |
287 | - Human readable size limit settings in suricata.yaml | |
288 | - PF_RING bpf support (required PF_RING >= 5.1) (feature #334) | |
289 | - tos keyword support (feature #364) | |
290 | - IPFW IPS mode does now support multiple divert sockets | |
291 | - New IPS running modes, Linux and FreeBSD do now support "worker" and "autofp" | |
292 | - Improved alert accuracy in autofp and single runmodes | |
293 | - major performance optimizations for the ac-gfbs pattern matcher implementation | |
294 | - unified2 output fixes | |
295 | - PF_RING supports privilege dropping now (bug #367) | |
296 | - Improved detection of duplicate signatures | |
297 | ||
298 | 1.1.1 -- 2011-12-07 | |
299 | ||
300 | - Fix for a error in the smtp parser that could crash Suricata. | |
301 | - Fix for AF_PACKET not compiling on modern linux systems like Fedora 16. | |
302 | ||
6256d6b5 VJ |
303 | 1.1 -- 2011-11-10 |
304 | ||
305 | - CUDA build fixed | |
306 | - minor pcap, AF_PACKET and PF_RING fixes (#368) | |
307 | - bpf handling fix | |
308 | - Windows CYGWIN build | |
309 | - more cleanups | |
310 | ||
311 | 1.1rc1 -- 2011-11-03 | |
312 | ||
313 | - extended HTTP request logging for use with (among other things) http_agent for Sguil (#38) | |
314 | - AF_PACKET report drop stats on shutdown (#325) | |
315 | - new counters in stats.log for flow and stream engines (#348) | |
316 | - SMTP parsing code support for BDAT command (#347) | |
317 | - HTTP URI normalization no longer converts to lowercase (#362) | |
318 | - AF_PACKET works with privileges dropping now (#361) | |
319 | - Prelude output for state matches (#264, #355) | |
320 | - update of the pattern matching code that should improve accuracy | |
321 | - rule parser was made more strict (#295, #312) | |
322 | - multiple event suppressions for the same SID was fixed (#366) | |
323 | - several accuracy fixes | |
324 | - removal of the unified1 output plugins (#353) | |
325 | ||
326 | 1.1beta3 -- 2011-10-25 | |
327 | ||
328 | - af-packet support for high speed packet capture | |
329 | - "replace" keyword support (#303) | |
330 | - new "workers" runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap | |
331 | - added "stream-event" keyword to match on TCP session anomalies | |
332 | - support for suppress keyword was added (#274) | |
333 | - byte_extract keyword support was added | |
334 | - improved handling of timed out TCP sessions in the detection engine | |
335 | - unified2 payload logging if detection was in the HTTP state (#264) | |
336 | - improved accuracy of the HTTP transaction logging | |
337 | - support for larger (64 bit) Flow/Stream memcaps (#332) | |
338 | - major speed improvements for PCRE, including support for PCRE JIT | |
339 | - support setting flowbits in ip-only rules (#292) | |
340 | - performance increases on SSE3+ CPU's | |
341 | - overhaul of the packet acquisition subsystem | |
342 | - packet based performance profiling subsystem was added | |
343 | - TCP SACK support was added to the stream engine | |
344 | - updated included libhtp to 0.2.6 which fixes several issues | |
345 | ||
346 | 1.1beta2 -- 2011-04-13 | |
347 | ||
348 | - New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262). | |
349 | - Inline mode for the stream engine (#230, #248). | |
350 | - New keyword support: nfq_set_mark | |
351 | - Included an example decoder-events.rules file | |
352 | - api for adding and selecting runmodes was added | |
353 | - pcap logging / recording output was added | |
354 | - basic SCTP protocol parsing was added | |
355 | - more fine grained CPU affinity setting support was added | |
356 | - stream engine inspects stream in larger chunks | |
357 | - fast_pattern support for http_method content modifier (#255) | |
358 | - negation support for isdataat keyword (#257) | |
359 | - configurable interval for stats.log updates (#247) | |
360 | - new pf_ring runmode was added that scales better | |
361 | - pcap live mode now handles the monitor interface going up and down | |
362 | - several QA additions to "make check" | |
363 | - NFQ (linux inline) mode was improved | |
364 | - Alerts classification fix (#275) | |
365 | - compiles and runs on big-endian systems (#63) | |
366 | - unified2 output works around barnyard2 issues with DLT_RAW + IPv6 | |
367 | ||
368 | 1.1beta1 -- 2010-12-21 | |
369 | ||
370 | - New keyword support: http_raw_header, http_stat_msg, http_stat_code. | |
371 | - A new default pattern matcher, Aho-Corasick based, that uses much less memory. | |
372 | - reference.config support as supplied by ET/ETpro and VRT. | |
373 | - Much improved fast_pattern support, including for http_uri, http_client_body, http_header, http_raw_header. | |
374 | - Improved parsers, especially the DCERPC parser. | |
375 | - Much improved performance & accuracy. | |
376 | ||
377 | 1.0.5 -- 2011-07-25 | |
378 | ||
379 | - Fix stream reassembly bug #300. Thanks to Rmkml for the report. | |
380 | - Fix several (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat. | |
381 | ||
382 | 1.0.4 -- 2011-06-24 | |
383 | ||
384 | - LibHTP updated to 0.2.6 | |
385 | - Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat. | |
386 | - Large number of (potential) issues fixed after source code scans with the Clang static analizer. | |
387 | ||
388 | 1.0.3 -- 2011-04-13 | |
389 | ||
390 | - Fix broken checksum calculation for TCP/UDP in some cases | |
391 | - Fix errors in the byte_test, byte_jump, http_method and http_header keywords | |
392 | - Fix a ASN1 parsing issue | |
393 | - Improve LibHTP memory handling | |
394 | - Fix a defrag issue | |
395 | - Fix several stream engine issues | |
396 |