[people/ms/suricata.git] / ChangeLog

1.4 2012-12-13

- Decoder event matching fixed (#672)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
- Add more events to IPv6 extension header anomolies (#678)
- Fix ICMPv6 payload and checksum calculation (#677, #674)
- Clean up flow timeout handling (#656)
- Fix a shutdown bug when using AF_PACKET under high load (#653)
- Fix TCP sessions being cleaned up to early (#652)

1.3.5 2012-12-06

- Flow engine memory leak fixed by Ludovico Cavedon (#651)
- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664)
- Flow manager mutex used unintialized, fixed by Ludovico Cavedon (#654)
- Windows building in CYGWIN fixed (#630)

1.4rc1 2012-11-29

- Interactive unix socket mode (#571, #552)
- IP Reputation: loading and matching (#647)
- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
- Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
- User-Agent added to file log and filestore meta files (#629)
- Endace DAG supports live stats and at exit drop stats (#638)
- Add support for libhtp event "request port doesn't match tcp port" (#650)
- Rules with negated addresses will not be considered IP-only (#599)
- Rule reloads complete much faster in low traffic conditions (#526)
- Suricata -h now displays all available options (#419)
- Luajit configure time detection was improved (#636)
- Flow manager mutex used w/o initialization (#628)
- Cygwin work around for windows shell mangling interface string (#372)
- Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
- CLANG compiler build fixes (#649)
- Several fixes found by code analyzers

1.4beta3 2012-11-14

- support for Napatech cards was greatly improved by Matt Keeler from Npulse (#430, #619)
- support for pkt_data keyword was added
- user and group to run as can now be set in the config file
- make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
- add contrib directory to the dist (#567)
- performance improvements to signatures with dsize option
- improved rule analyzer: print fast_pattern along with the rule (#558)
- fixes to stream engine reducing the number of events generated (#604)
- add stream event to match on overlaps with different data in stream reassembly (#603)
- stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
- HTTP handling in OOM condition was greatly improved (#557)
- filemagic keyword performance was improved (#585)
- fixes and improvements to daemon mode (#624)
- fix drop rules not working correctly when thresholded (#613)
- fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581)
- fix a false possitive condition in http_header (#607)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627)
- fixes to rule profiling (#576)
- cleanups and misc fixes (#379, #395)
- updated bundled libhtp to 0.2.11
- build system improvements and cleanups
- fix to SSL record parsing

1.3.4 -- 2012-11-14

- fix crash in flow and host engines in cases of low memory or low memcap settings (#617)
- improve http handling in low memory conditions (#620)
- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626)
- fix building on OpenBSD 5.2
- update default config's defrag settings to reflect all available options
- fixes to make check
- fix to SSL record parsing

1.3.3 -- 2012-11-01

- fix drop rules not working correctly when thresholded (#615)
- fix a false possitive condition in http_header (#606)
- fix extracted file corruption (#601)
- fix a false possitive condition with the pcre keyword and relative matching (#588)
- fix PF_RING set cluster problem on dma interfaces (#598)
- improve http handling in low memory conditions (#586, #587)
- fix FreeBSD inline mode crash (#612)
- suppress pcre jit warning (#579)

1.4beta2 -- 2012-10-04

- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346)
- Added ability to control per server HTTP parser settings in much more detail (#503)
- Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
- Big performance improvement in inspecting decoder, stream and app layer events (#555)
- Pool performance improvements (#541)
- Improved performance of signatures with simple pattern setups (#577)
- Bundled docs are installed upon make install (#527)
- Support for a number of global vs rule thresholds [3] was added (#425)
- Improved rule profiling performance
- If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.
- Fix compilation on architectures other than x86 and x86_64 (#572)
- Fix FP with anchored pcre combined with relative matching (#529)
- Fix engine hanging instead of exitting if the pcap device doesn't exist (#533)
- Work around for potential FP, will get properly fixed in next release (#574)
- Improve ERF handling. Thanks to Jason Ish
- Always set cluster_id in PF_RING
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue, IPS fix and cleanup
- Fix stream engine sometimes resending the same data to app layer
- Fix multiple issues in HTTP multipart parsing
- Fixed a lockup at shutdown with NFQ (#537)

1.3.2 -- 2012-10-03

- Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562)
- Fixed a FN condition with the flow:no_stream option (#575)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Fix multiple issues in HTTP multipart parsing
- Fix stream engine sometimes resending the same data to app layer
- Always set cluster_id in PF_RING
- Defrag: silence some potentially noisy errors/warnings
- IPFW: fix broken broadcast handling
- AF_PACKET kernel offset issue

1.4beta1 -- 2012-09-06

- Custom HTTP logging contributed by Ignacio Sanchez (#530)
- TLS certificate logging and fingerprint computation and keyword (#443)
- TLS certificate store to disk feature (#444)
- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
- AF_PACKET IPS support (#516)
- Rules can be set to inspect only IPv4 or IPv6 (#494)
- filesize keyword for matching on sizes of files in HTTP (#489)
- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
- NFQ fail open support (#507)
- Highly experimental lua scripting support for detection
- Live reloads now supports HTTP rule updates better (#522)
- AF_PACKET performance improvements (#197, #415)
- Make defrag more configurable (#517, #528)
- Improve pool performance (#518)
- Improve file inspection keywords by adding a separate API (#531)
- Example threshold.config file provided (#302)
- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
- Various spelling corrections by Simon Moon (#533)

1.3.1 -- 2012-08-21

- AF_PACKET performance improvements
- Defrag engine performance improvements
- HTTP: add per server options to enable/disable double decoding of URI (#464, #504)
- Stream engine packet handling for packets with non-standard flag combinations (#508)
- Improved stream engine handling of packet loss (#523)
- Stream engine checksum alerting fixed
- Various rule analyzer fixes (#495, #496, #497)
- (Rule) profiling fixed and improved (#460, #466)
- Enforce limit on max-pending-packets (#510)
- fast_pattern on negated content improved
- TLS rule keyword parsing issues
- Windows build fixes (#502)
- Host OS parsing issues fixed (#499)
- Reject signatures where content length is bigger than "depth" setting (#505)
- Removed unused "prune-flows" option
- Set main thread and live reload thread names (#498)

1.3 -- 2012-07-06

- make live rule reloads optional and disabled by default
- fix a shutdown bug
- fix several memory leaks (#492)
- warn user if global and rule thresholding conflict (#455)
- set thread names on FreeBSD (Nikolay Denev)
- Fix PF_RING building on Ubuntu 12.04
- rule analyzer updates
- file inspection improvements when dealing with limits (#493)

1.3rc1 -- 2012-06-29

- experimental live rule reload by sending a USR2 signal (#279)
- AF_PACKET BPF support (#449)
- AF_PACKET live packet loss counters (#441)
- Rule analyzer (#349)
- add pcap workers runmode for use with libpcap wrappers that support load balancing, such as  Napatech's or Myricom's
- negated filemd5 matching, allowing for md5 whitelisting
- signatures with depth and/or offset are now checked against packets in addition to the stream (#404)
- http_cookie keyword now also inspects "Set-Cookie" header (#479)
- filemd5 keyword no longer depends on log-file output module (#447)
- http_raw_header keyword inspects original header line terminators (#475)
- deal with double encoded URI (#464)
- improved SMB/SMB2/DCERPC robustness
- ICMPv6 parsing fixes
- improve HTTP body inspection
- stream.inline accuracy issues fixed (#339)
- general stability fixes (#482, #486)
- missing unittests added (#471)
- "threshold.conf not found" error made more clear (#446)
- IPS mode segment logging for Unified2 improved

1.3beta2 -- 2012-06-08

- experimental support for matching on large lists of known file MD5 checksums
- Improved performance for file_data, http_server_body and http_client_body keywords
- Improvements to HTTP handling: multipart parsing, gzip decompression
- Byte_extract can support negative offsets now (#445)
- Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459)
- HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454)
- Improved error reporting when using too long address strings (#451)
- MD5 calculation improvements for daemon mode and other cases (#449)
- File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste.
- Rule parser is made more strict.
- Unified2 output overhaul, logging individual segments in more cases.
- detection_filter keyword accuracy problem was fixed (#453)
- Don't inspect cookie header with http header (#461)
- Crash with a rule with two byte_extract keywords (#456)
- SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476)
- Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452)
- Improve escaping of some characters in logs (#418)
- Checksum calculation bugs fixed
- IPv6 parsing issues fixed. Thanks to Michel Saborde.
- Endace DAG issues fixed. Thanks to Jason Ish from Endace.
- Various OpenBSD related fixes.
- Fixes for bugs found by Coverity source code analyzer.

1.3beta1 -- 2012-04-04

- TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier)
- Napatech capture card support (contributed by Randy Caldejon -- nPulse)
- Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste)
- Test mode: -T option to test the config (#271)
- Ringbuffer and zero copy support for AF_PACKET
- Commandline options to list supported app layer protocols and keywords (#344, #414)
- File extraction for HTTP POST request that do not use multipart bodies
- On the fly md5 checksum calculation of extracted files
- Line based file log, in json format
- Basic support for including other yaml files into the main yaml
- New multi pattern engine: ac-bs
- Profiling improvements, added lock profiling code
- Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys)
- Unified yaml naming convention, including fallback support (by Nikolay Denev)
- Improved Endace DAG support (#431, Jason Ish -- Endace)
- New default runmode: "autofp" (#433)
- Major rewrite of flow engine, improving scalability.
- Improved http_stat_msg and http_stat_code keywords (#394)
- Improved scalability for Tag and Threshold subsystems
- Made the rule keyword parser much stricter in detecting syntax errors
- Split "file" output into "file-store" and "file-log" outputs
- Much improved file extraction
- CUDA build fixes (#421)
- Various FP's reported by Rmkml (#403, #405, #411)
- IPv6 decoding and detection issues (reported by Michel Sarborde)
- PCAP logging crash (#422)
- Fixed many (potential) issues with the help of the Coverity source code analyzer
- Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers

1.2.1 -- 2012-01-20

- fix malformed unified2 records when writing alerts trigger by stream inspection (#402)
- only force a pseudo packet inspection cycle for TCP streams in a state >= established

1.2 -- 2012-01-19

- improved Windows/CYGWIN path handling (#387)
- fixed some issues with passing an interface or ip address with -i
- make live worker runmode threads adhere to the 'detect' cpu affinity settings

1.2rc1 -- 2012-01-11

- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events
- auto detection of checksum offloading per interface (#311)
- urilen options to match on raw or normalized URI (#341)
- flow keyword option "only_stream" and "no_stream"
- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
- in IPS mode, reject rules now also drop (#399)
- http_header now also inspects response headers (#389)
- "worker" runmodes for NFQ and IPFW
- performance improvement for "ac" pattern matcher
- allow empty/non-initialized flowints to be incremented
- PCRE-JIT is now enabled by default if available (#356)
- many file inspection and extraction improvements
- flowbits and flowints are now modified in a post-match action list
- general performance increasements
- fixed parsing really high sid numbers >2 Billion (#393)
- fixed ICMPv6 not matching in IP-only sigs (#363)

1.2beta1 -- 2011-12-19

- File name, type inspection and extraction for HTTP
- filename, fileext, filemagic and filestore keywords added
- "file" output for storing extracted files to disk
- file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241
- new keyword http_server_body, pcre regex /S option
- Option to enable/disable core dumping from the suricata.yaml (enabled by default)
- Human readable size limit settings in suricata.yaml
- PF_RING bpf support (required PF_RING >= 5.1) (feature #334)
- tos keyword support (feature #364)
- IPFW IPS mode does now support multiple divert sockets
- New IPS running modes, Linux and FreeBSD do now support "worker" and "autofp"
- Improved alert accuracy in autofp and single runmodes
- major performance optimizations for the ac-gfbs pattern matcher implementation
- unified2 output fixes
- PF_RING supports privilege dropping now (bug #367)
- Improved detection of duplicate signatures

1.1.1 -- 2011-12-07

- Fix for a error in the smtp parser that could crash Suricata.
- Fix for AF_PACKET not compiling on modern linux systems like Fedora 16.

1.1 -- 2011-11-10

- CUDA build fixed
- minor pcap, AF_PACKET and PF_RING fixes (#368)
- bpf handling fix
- Windows CYGWIN build
- more cleanups

1.1rc1 -- 2011-11-03

- extended HTTP request logging for use with (among other things) http_agent for Sguil (#38)
- AF_PACKET report drop stats on shutdown (#325)
- new counters in stats.log for flow and stream engines (#348)
- SMTP parsing code support for BDAT command (#347)
- HTTP URI normalization no longer converts to lowercase (#362)
- AF_PACKET works with privileges dropping now (#361)
- Prelude output for state matches (#264, #355)
- update of the pattern matching code that should improve accuracy
- rule parser was made more strict (#295, #312)
- multiple event suppressions for the same SID was fixed (#366)
- several accuracy fixes
- removal of the unified1 output plugins (#353)

1.1beta3 -- 2011-10-25

- af-packet support for high speed packet capture
- "replace" keyword support (#303)
- new "workers" runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap
- added "stream-event" keyword to match on TCP session anomalies
- support for suppress keyword was added (#274)
- byte_extract keyword support was added
- improved handling of timed out TCP sessions in the detection engine
- unified2 payload logging if detection was in the HTTP state (#264)
- improved accuracy of the HTTP transaction logging
- support for larger (64 bit) Flow/Stream memcaps (#332)
- major speed improvements for PCRE, including support for PCRE JIT
- support setting flowbits in ip-only rules (#292)
- performance increases on SSE3+ CPU's
- overhaul of the packet acquisition subsystem
- packet based performance profiling subsystem was added
- TCP SACK support was added to the stream engine
- updated included libhtp to 0.2.6 which fixes several issues

1.1beta2 -- 2011-04-13

- New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262).
- Inline mode for the stream engine (#230, #248).
- New keyword support: nfq_set_mark
- Included an example decoder-events.rules file
- api for adding and selecting runmodes was added
- pcap logging / recording output was added
- basic SCTP protocol parsing was added
- more fine grained CPU affinity setting support was added
- stream engine inspects stream in larger chunks
- fast_pattern support for http_method content modifier (#255)
- negation support for isdataat keyword (#257)
- configurable interval for stats.log updates (#247)
- new pf_ring runmode was added that scales better
- pcap live mode now handles the monitor interface going up and down
- several QA additions to "make check"
- NFQ (linux inline) mode was improved
- Alerts classification fix (#275)
- compiles and runs on big-endian systems (#63)
- unified2 output works around barnyard2 issues with DLT_RAW + IPv6

1.1beta1 -- 2010-12-21

- New keyword support: http_raw_header, http_stat_msg, http_stat_code.
- A new default pattern matcher, Aho-Corasick based, that uses much less memory.
- reference.config support as supplied by ET/ETpro and VRT.
- Much improved fast_pattern support, including for http_uri, http_client_body, http_header, http_raw_header.
- Improved parsers, especially the DCERPC parser.
- Much improved performance & accuracy.

1.0.5 -- 2011-07-25

- Fix stream reassembly bug #300. Thanks to Rmkml for the report.
- Fix several (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.

1.0.4 -- 2011-06-24

- LibHTP updated to 0.2.6
- Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
- Large number of (potential) issues fixed after source code scans with the Clang static analizer.

1.0.3 -- 2011-04-13

- Fix broken checksum calculation for TCP/UDP in some cases
- Fix errors in the byte_test, byte_jump, http_method and http_header keywords
- Fix a ASN1 parsing issue
- Improve LibHTP memory handling
- Fix a defrag issue
- Fix several stream engine issues
Commit	Line	Data
63370745 VJ	1	1.4 2012-12-13
	2
	3	- Decoder event matching fixed (#672)
	4	- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#665)
	5	- Add more events to IPv6 extension header anomolies (#678)
	6	- Fix ICMPv6 payload and checksum calculation (#677, #674)
	7	- Clean up flow timeout handling (#656)
	8	- Fix a shutdown bug when using AF_PACKET under high load (#653)
	9	- Fix TCP sessions being cleaned up to early (#652)
	10
	11	1.3.5 2012-12-06
	12
	13	- Flow engine memory leak fixed by Ludovico Cavedon (#651)
	14	- Unified2 would overwrite files if file rotation happened within a second of file creation, leading to loss of events/alerts (#664)
	15	- Flow manager mutex used unintialized, fixed by Ludovico Cavedon (#654)
	16	- Windows building in CYGWIN fixed (#630)
	17
e4f25661 VJ	18	1.4rc1 2012-11-29
	19
	20	- Interactive unix socket mode (#571, #552)
	21	- IP Reputation: loading and matching (#647)
	22	- Improved --list-keywords commandline option gives detailed info for supported keyword, including doc link (#435)
	23	- Rule analyzer improvement wrt ipv4/ipv6, invalid rules (#494)
	24	- User-Agent added to file log and filestore meta files (#629)
	25	- Endace DAG supports live stats and at exit drop stats (#638)
	26	- Add support for libhtp event "request port doesn't match tcp port" (#650)
	27	- Rules with negated addresses will not be considered IP-only (#599)
	28	- Rule reloads complete much faster in low traffic conditions (#526)
	29	- Suricata -h now displays all available options (#419)
	30	- Luajit configure time detection was improved (#636)
	31	- Flow manager mutex used w/o initialization (#628)
	32	- Cygwin work around for windows shell mangling interface string (#372)
	33	- Fix a Prelude output crash with alerts generated by rules w/o classtype or msg (#648)
	34	- CLANG compiler build fixes (#649)
	35	- Several fixes found by code analyzers
	36
b0caeaa5 VJ	37	1.4beta3 2012-11-14
	38
	39	- support for Napatech cards was greatly improved by Matt Keeler from Npulse (#430, #619)
	40	- support for pkt_data keyword was added
	41	- user and group to run as can now be set in the config file
	42	- make HTTP request and response body inspection sizes configurable per HTTP server config (#560)
	43	- PCAP/AF_PACKET/PF_RING packet stats are now printed in stats.log (#561, #625)
	44	- add contrib directory to the dist (#567)
	45	- performance improvements to signatures with dsize option
	46	- improved rule analyzer: print fast_pattern along with the rule (#558)
	47	- fixes to stream engine reducing the number of events generated (#604)
	48	- add stream event to match on overlaps with different data in stream reassembly (#603)
	49	- stream.inline option new defaults to "auto", meaning enabled in IPS mode, disabled in IDS mode (#592)
	50	- HTTP handling in OOM condition was greatly improved (#557)
	51	- filemagic keyword performance was improved (#585)
	52	- fixes and improvements to daemon mode (#624)
	53	- fix drop rules not working correctly when thresholded (#613)
	54	- fixed a possible FP when a regular and "chopped" fast_pattern were the same (#581)
	55	- fix a false possitive condition in http_header (#607)
	56	- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#627)
	57	- fixes to rule profiling (#576)
	58	- cleanups and misc fixes (#379, #395)
	59	- updated bundled libhtp to 0.2.11
	60	- build system improvements and cleanups
	61	- fix to SSL record parsing
	62
	63	1.3.4 -- 2012-11-14
	64
	65	- fix crash in flow and host engines in cases of low memory or low memcap settings (#617)
	66	- improve http handling in low memory conditions (#620)
	67	- fix inaccuracy in byte_jump keyword when using "from_beginning" option (#626)
	68	- fix building on OpenBSD 5.2
	69	- update default config's defrag settings to reflect all available options
	70	- fixes to make check
	71	- fix to SSL record parsing
	72
	73	1.3.3 -- 2012-11-01
	74
	75	- fix drop rules not working correctly when thresholded (#615)
	76	- fix a false possitive condition in http_header (#606)
	77	- fix extracted file corruption (#601)
	78	- fix a false possitive condition with the pcre keyword and relative matching (#588)
	79	- fix PF_RING set cluster problem on dma interfaces (#598)
	80	- improve http handling in low memory conditions (#586, #587)
	81	- fix FreeBSD inline mode crash (#612)
	82	- suppress pcre jit warning (#579)
	83
d774d6e2 VJ	84	1.4beta2 -- 2012-10-04
	85
	86	- New keyword: "luajit" to inspect packet, payload and all HTTP buffers with a Lua script (#346)
	87	- Added ability to control per server HTTP parser settings in much more detail (#503)
	88	- Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
	89	- Big performance improvement in inspecting decoder, stream and app layer events (#555)
	90	- Pool performance improvements (#541)
	91	- Improved performance of signatures with simple pattern setups (#577)
	92	- Bundled docs are installed upon make install (#527)
	93	- Support for a number of global vs rule thresholds [3] was added (#425)
	94	- Improved rule profiling performance
	95	- If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.
	96	- Fix compilation on architectures other than x86 and x86_64 (#572)
	97	- Fix FP with anchored pcre combined with relative matching (#529)
	98	- Fix engine hanging instead of exitting if the pcap device doesn't exist (#533)
	99	- Work around for potential FP, will get properly fixed in next release (#574)
	100	- Improve ERF handling. Thanks to Jason Ish
	101	- Always set cluster_id in PF_RING
	102	- IPFW: fix broken broadcast handling
	103	- AF_PACKET kernel offset issue, IPS fix and cleanup
	104	- Fix stream engine sometimes resending the same data to app layer
	105	- Fix multiple issues in HTTP multipart parsing
	106	- Fixed a lockup at shutdown with NFQ (#537)
	107
	108	1.3.2 -- 2012-10-03
	109
	110	- Fixed a possible FP when a regular and "chopped" fast_pattern were the same (#562)
	111	- Fixed a FN condition with the flow:no_stream option (#575)
	112	- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
	113	- Fix multiple issues in HTTP multipart parsing
	114	- Fix stream engine sometimes resending the same data to app layer
	115	- Always set cluster_id in PF_RING
	116	- Defrag: silence some potentially noisy errors/warnings
	117	- IPFW: fix broken broadcast handling
	118	- AF_PACKET kernel offset issue
	119
fca70730 VJ	120	1.4beta1 -- 2012-09-06
	121
	122	- Custom HTTP logging contributed by Ignacio Sanchez (#530)
	123	- TLS certificate logging and fingerprint computation and keyword (#443)
	124	- TLS certificate store to disk feature (#444)
	125	- Decoding of IPv4-in-IPv6, IPv6-in-IPv6 and Teredo tunnels (#462, #514, #480)
	126	- AF_PACKET IPS support (#516)
	127	- Rules can be set to inspect only IPv4 or IPv6 (#494)
	128	- filesize keyword for matching on sizes of files in HTTP (#489)
	129	- Delayed detect initialization. Starts processing packets right away and loads detection engine in the background (#522)
	130	- NFQ fail open support (#507)
	131	- Highly experimental lua scripting support for detection
	132	- Live reloads now supports HTTP rule updates better (#522)
	133	- AF_PACKET performance improvements (#197, #415)
	134	- Make defrag more configurable (#517, #528)
	135	- Improve pool performance (#518)
	136	- Improve file inspection keywords by adding a separate API (#531)
	137	- Example threshold.config file provided (#302)
	138	- Fix building of perf profiling code on i386 platform. By Simon Moon (#534)
	139	- Various spelling corrections by Simon Moon (#533)
	140
e28835af VJ	141	1.3.1 -- 2012-08-21
	142
	143	- AF_PACKET performance improvements
	144	- Defrag engine performance improvements
	145	- HTTP: add per server options to enable/disable double decoding of URI (#464, #504)
	146	- Stream engine packet handling for packets with non-standard flag combinations (#508)
	147	- Improved stream engine handling of packet loss (#523)
	148	- Stream engine checksum alerting fixed
	149	- Various rule analyzer fixes (#495, #496, #497)
	150	- (Rule) profiling fixed and improved (#460, #466)
	151	- Enforce limit on max-pending-packets (#510)
	152	- fast_pattern on negated content improved
	153	- TLS rule keyword parsing issues
	154	- Windows build fixes (#502)
	155	- Host OS parsing issues fixed (#499)
	156	- Reject signatures where content length is bigger than "depth" setting (#505)
	157	- Removed unused "prune-flows" option
	158	- Set main thread and live reload thread names (#498)
	159
22957776 VJ	160	1.3 -- 2012-07-06
	161
	162	- make live rule reloads optional and disabled by default
	163	- fix a shutdown bug
	164	- fix several memory leaks (#492)
	165	- warn user if global and rule thresholding conflict (#455)
	166	- set thread names on FreeBSD (Nikolay Denev)
	167	- Fix PF_RING building on Ubuntu 12.04
	168	- rule analyzer updates
	169	- file inspection improvements when dealing with limits (#493)
	170
583ba460 VJ	171	1.3rc1 -- 2012-06-29
	172
	173	- experimental live rule reload by sending a USR2 signal (#279)
	174	- AF_PACKET BPF support (#449)
	175	- AF_PACKET live packet loss counters (#441)
	176	- Rule analyzer (#349)
	177	- add pcap workers runmode for use with libpcap wrappers that support load balancing, such as Napatech's or Myricom's
	178	- negated filemd5 matching, allowing for md5 whitelisting
	179	- signatures with depth and/or offset are now checked against packets in addition to the stream (#404)
	180	- http_cookie keyword now also inspects "Set-Cookie" header (#479)
	181	- filemd5 keyword no longer depends on log-file output module (#447)
	182	- http_raw_header keyword inspects original header line terminators (#475)
	183	- deal with double encoded URI (#464)
	184	- improved SMB/SMB2/DCERPC robustness
	185	- ICMPv6 parsing fixes
	186	- improve HTTP body inspection
	187	- stream.inline accuracy issues fixed (#339)
	188	- general stability fixes (#482, #486)
	189	- missing unittests added (#471)
	190	- "threshold.conf not found" error made more clear (#446)
	191	- IPS mode segment logging for Unified2 improved
	192
	193	1.3beta2 -- 2012-06-08
ed9b07ef VJ	194
	195	- experimental support for matching on large lists of known file MD5 checksums
	196	- Improved performance for file_data, http_server_body and http_client_body keywords
	197	- Improvements to HTTP handling: multipart parsing, gzip decompression
	198	- Byte_extract can support negative offsets now (#445)
	199	- Support for PF_RING 5.4 added. Many thanks to Chris Wakelin (#459)
	200	- HOME_NET and EXTERNAL_NET and the other vars are now checked for common errors (#454)
	201	- Improved error reporting when using too long address strings (#451)
	202	- MD5 calculation improvements for daemon mode and other cases (#449)
	203	- File inspection scripts: Added Syslog action for logging to local syslog. Thanks to Martin Holste.
	204	- Rule parser is made more strict.
	205	- Unified2 output overhaul, logging individual segments in more cases.
	206	- detection_filter keyword accuracy problem was fixed (#453)
	207	- Don't inspect cookie header with http header (#461)
	208	- Crash with a rule with two byte_extract keywords (#456)
	209	- SSL parser fixes. Thanks to Chris Wakelin for testing the patches! (#476)
	210	- Accuracy issues in HTTP inspection fixed. Thanks to Rmkml (#452)
	211	- Improve escaping of some characters in logs (#418)
	212	- Checksum calculation bugs fixed
	213	- IPv6 parsing issues fixed. Thanks to Michel Saborde.
	214	- Endace DAG issues fixed. Thanks to Jason Ish from Endace.
	215	- Various OpenBSD related fixes.
	216	- Fixes for bugs found by Coverity source code analyzer.
	217
fbe0206c VJ	218	1.3beta1 -- 2012-04-04
	219
	220	- TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier)
	221	- Napatech capture card support (contributed by Randy Caldejon -- nPulse)
	222	- Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste)
	223	- Test mode: -T option to test the config (#271)
	224	- Ringbuffer and zero copy support for AF_PACKET
	225	- Commandline options to list supported app layer protocols and keywords (#344, #414)
	226	- File extraction for HTTP POST request that do not use multipart bodies
	227	- On the fly md5 checksum calculation of extracted files
	228	- Line based file log, in json format
	229	- Basic support for including other yaml files into the main yaml
	230	- New multi pattern engine: ac-bs
	231	- Profiling improvements, added lock profiling code
	232	- Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys)
	233	- Unified yaml naming convention, including fallback support (by Nikolay Denev)
	234	- Improved Endace DAG support (#431, Jason Ish -- Endace)
	235	- New default runmode: "autofp" (#433)
	236	- Major rewrite of flow engine, improving scalability.
	237	- Improved http_stat_msg and http_stat_code keywords (#394)
	238	- Improved scalability for Tag and Threshold subsystems
	239	- Made the rule keyword parser much stricter in detecting syntax errors
	240	- Split "file" output into "file-store" and "file-log" outputs
	241	- Much improved file extraction
	242	- CUDA build fixes (#421)
	243	- Various FP's reported by Rmkml (#403, #405, #411)
	244	- IPv6 decoding and detection issues (reported by Michel Sarborde)
	245	- PCAP logging crash (#422)
	246	- Fixed many (potential) issues with the help of the Coverity source code analyzer
	247	- Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers
	248
65d1783b VJ	249	1.2.1 -- 2012-01-20
	250
	251	- fix malformed unified2 records when writing alerts trigger by stream inspection (#402)
	252	- only force a pseudo packet inspection cycle for TCP streams in a state >= established
	253
5b42f360 VJ	254	1.2 -- 2012-01-19
	255
	256	- improved Windows/CYGWIN path handling (#387)
	257	- fixed some issues with passing an interface or ip address with -i
	258	- make live worker runmode threads adhere to the 'detect' cpu affinity settings
	259
e192ce7e VJ	260	1.2rc1 -- 2012-01-11
	261
	262	- app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events
	263	- auto detection of checksum offloading per interface (#311)
	264	- urilen options to match on raw or normalized URI (#341)
	265	- flow keyword option "only_stream" and "no_stream"
	266	- unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250)
	267	- in IPS mode, reject rules now also drop (#399)
	268	- http_header now also inspects response headers (#389)
	269	- "worker" runmodes for NFQ and IPFW
	270	- performance improvement for "ac" pattern matcher
	271	- allow empty/non-initialized flowints to be incremented
	272	- PCRE-JIT is now enabled by default if available (#356)
	273	- many file inspection and extraction improvements
	274	- flowbits and flowints are now modified in a post-match action list
	275	- general performance increasements
	276	- fixed parsing really high sid numbers >2 Billion (#393)
	277	- fixed ICMPv6 not matching in IP-only sigs (#363)
	278
c0cd2c85 VJ	279	1.2beta1 -- 2011-12-19
	280
	281	- File name, type inspection and extraction for HTTP
	282	- filename, fileext, filemagic and filestore keywords added
	283	- "file" output for storing extracted files to disk
	284	- file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241
	285	- new keyword http_server_body, pcre regex /S option
	286	- Option to enable/disable core dumping from the suricata.yaml (enabled by default)
	287	- Human readable size limit settings in suricata.yaml
	288	- PF_RING bpf support (required PF_RING >= 5.1) (feature #334)
	289	- tos keyword support (feature #364)
	290	- IPFW IPS mode does now support multiple divert sockets
	291	- New IPS running modes, Linux and FreeBSD do now support "worker" and "autofp"
	292	- Improved alert accuracy in autofp and single runmodes
	293	- major performance optimizations for the ac-gfbs pattern matcher implementation
	294	- unified2 output fixes
	295	- PF_RING supports privilege dropping now (bug #367)
	296	- Improved detection of duplicate signatures
	297
	298	1.1.1 -- 2011-12-07
	299
	300	- Fix for a error in the smtp parser that could crash Suricata.
	301	- Fix for AF_PACKET not compiling on modern linux systems like Fedora 16.
	302
6256d6b5 VJ	303	1.1 -- 2011-11-10
	304
	305	- CUDA build fixed
	306	- minor pcap, AF_PACKET and PF_RING fixes (#368)
	307	- bpf handling fix
	308	- Windows CYGWIN build
	309	- more cleanups
	310
	311	1.1rc1 -- 2011-11-03
	312
	313	- extended HTTP request logging for use with (among other things) http_agent for Sguil (#38)
	314	- AF_PACKET report drop stats on shutdown (#325)
	315	- new counters in stats.log for flow and stream engines (#348)
	316	- SMTP parsing code support for BDAT command (#347)
	317	- HTTP URI normalization no longer converts to lowercase (#362)
	318	- AF_PACKET works with privileges dropping now (#361)
	319	- Prelude output for state matches (#264, #355)
	320	- update of the pattern matching code that should improve accuracy
	321	- rule parser was made more strict (#295, #312)
	322	- multiple event suppressions for the same SID was fixed (#366)
	323	- several accuracy fixes
	324	- removal of the unified1 output plugins (#353)
	325
	326	1.1beta3 -- 2011-10-25
	327
	328	- af-packet support for high speed packet capture
	329	- "replace" keyword support (#303)
	330	- new "workers" runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap
	331	- added "stream-event" keyword to match on TCP session anomalies
	332	- support for suppress keyword was added (#274)
	333	- byte_extract keyword support was added
	334	- improved handling of timed out TCP sessions in the detection engine
	335	- unified2 payload logging if detection was in the HTTP state (#264)
	336	- improved accuracy of the HTTP transaction logging
	337	- support for larger (64 bit) Flow/Stream memcaps (#332)
	338	- major speed improvements for PCRE, including support for PCRE JIT
	339	- support setting flowbits in ip-only rules (#292)
	340	- performance increases on SSE3+ CPU's
	341	- overhaul of the packet acquisition subsystem
	342	- packet based performance profiling subsystem was added
	343	- TCP SACK support was added to the stream engine
	344	- updated included libhtp to 0.2.6 which fixes several issues
	345
	346	1.1beta2 -- 2011-04-13
	347
	348	- New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262).
	349	- Inline mode for the stream engine (#230, #248).
	350	- New keyword support: nfq_set_mark
	351	- Included an example decoder-events.rules file
	352	- api for adding and selecting runmodes was added
	353	- pcap logging / recording output was added
	354	- basic SCTP protocol parsing was added
	355	- more fine grained CPU affinity setting support was added
	356	- stream engine inspects stream in larger chunks
	357	- fast_pattern support for http_method content modifier (#255)
	358	- negation support for isdataat keyword (#257)
	359	- configurable interval for stats.log updates (#247)
	360	- new pf_ring runmode was added that scales better
	361	- pcap live mode now handles the monitor interface going up and down
	362	- several QA additions to "make check"
	363	- NFQ (linux inline) mode was improved
	364	- Alerts classification fix (#275)
	365	- compiles and runs on big-endian systems (#63)
	366	- unified2 output works around barnyard2 issues with DLT_RAW + IPv6
367
368	1.1beta1 -- 2010-12-21
369
370	- New keyword support: http_raw_header, http_stat_msg, http_stat_code.
371	- A new default pattern matcher, Aho-Corasick based, that uses much less memory.
372	- reference.config support as supplied by ET/ETpro and VRT.
373	- Much improved fast_pattern support, including for http_uri, http_client_body, http_header, http_raw_header.
374	- Improved parsers, especially the DCERPC parser.
375	- Much improved performance & accuracy.
376
377	1.0.5 -- 2011-07-25
378
379	- Fix stream reassembly bug #300. Thanks to Rmkml for the report.
380	- Fix several (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
381
382	1.0.4 -- 2011-06-24
383
384	- LibHTP updated to 0.2.6
385	- Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat.
386	- Large number of (potential) issues fixed after source code scans with the Clang static analizer.
387
388	1.0.3 -- 2011-04-13
389
390	- Fix broken checksum calculation for TCP/UDP in some cases
391	- Fix errors in the byte_test, byte_jump, http_method and http_header keywords
392	- Fix a ASN1 parsing issue
393	- Improve LibHTP memory handling
394	- Fix a defrag issue
395	- Fix several stream engine issues
396