From: Russ Combs (rucombs) Date: Wed, 16 Nov 2016 22:29:27 +0000 (-0500) Subject: Merge pull request #707 in SNORT/snort3 from misc_fixes to master X-Git-Tag: 3.0.0-233~189 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1068f2927eda2400f82c8b838717372f5fd2edfe;p=thirdparty%2Fsnort3.git Merge pull request #707 in SNORT/snort3 from misc_fixes to master Squashed commit of the following: commit d796882a69f686aeb582f70a1ff6b94a44bf05ad Author: Russ Combs Date: Wed Nov 16 09:38:56 2016 -0500 revert to dumping 16 bytes per line by default commit ae16bba4a86d6cdab6af1c38556cb3718fa1ee24 Author: Russ Combs Date: Wed Nov 16 09:03:20 2016 -0500 fix out-of-tree doc builds fix image sizes to fit page; thanks to wyatuestc for reporting the issue change -L to -K in README and manual; thanks to jncornett for reporting the issue commit fc11b8819ee95214023d973e0bd376ef0f630dba Author: Russ Combs Date: Tue Nov 15 07:34:09 2016 -0500 fix fast pattern selection when multiple designated thanks to j.mcdowell@titanicsystems.com for reporting the issue
---
diff --git a/README.md b/README.md
index 21a14aed9..f4f8e5f67 100644
--- a/README.md
+++ b/README.md
@@ -167,7 +167,7 @@ Then give it a go:
 ```shell
 $my_path/bin/snort -r a.pcap
- $my_path/bin/snort -K text -d -e -q -r a.pcap
+ $my_path/bin/snort -L dump -d -e -q -r a.pcap
 ```
 * Verify a config, with or w/o rules:
diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
index 00d2e5c34..3822976e0 100644
--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
@@ -33,14 +33,17 @@ set (
 set (
 UNBUILT_SOURCES
 bugs.txt
+ building.txt
 daq.txt
 differences.txt
 errors.txt
 enviro.txt
 extending.txt
 features.txt
+ file_processing.txt
 overview.txt
 params.txt
+ perf_monitor.txt
 reference.txt
 snort2lua.txt
 snorty.png
diff --git a/doc/Makefile.am b/doc/Makefile.am
index cca6537b4..9c74a41e2 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -24,18 +24,21 @@ search_engine.txt
 #so_rule.txt
 unbuilt_sources = \
-snort_manual.txt \
-config_changes.txt \
 bugs.txt \
+building.txt \
+config_changes.txt \
 daq.txt \
 differences.txt \
 enviro.txt \
 errors.txt \
 extending.txt \
 features.txt \
+file_processing.txt \
 overview.txt \
 params.txt \
+perf_monitor.txt \
 reference.txt \
+snort_manual.txt \
 snort2lua.txt \
 snorty.png \
 snort2x.png \
diff --git a/doc/building.txt b/doc/building.txt
new file mode 100644
index 000000000..85a7b0a06
--- /dev/null
+++ b/doc/building.txt
@@ -0,0 +1,33 @@
+The options listed below must be explicitly enabled so they are built
+into the Snort binary. For a full list of build options, run ./configure
+--help.
+
+* *--enable-shell*: enable building local and remote command line shell
+ support.
+
+These options are built only if the required libraries and headers are
+present. There is no need to explicitly enable.
+
+* *lzma*: for decompression of SWF and PDF files.
+
+* *openssl*: for SHA and MD5 file signatures and the protected_content rule
+ option.
+
+* *intel-soft-cpm": an optional pattern matcher based on a library from
+ Intel.
+
+* hyperscan for the regex rule option and hyperscan search engine.
+
+If you need to use headers and/or libraries in non-standard locations, you
+can use these options:
+
+* *--with-pkg-includes*: specify the directory containing the package
+ headers.
+
+* *--with-pkg-libraries*: specify the directory containing the package
+ libraries.
+
+These can be use for pcap, luajit, pcre, dnet, daq, lzma, openssl,
+intel-soft-cpm, and hyperscan packages. For more information on these
+libraries see the Getting Started section of the manual.
+
diff --git a/doc/differences.txt b/doc/differences.txt
index 25c940cc5..2f470eb55 100644
--- a/doc/differences.txt
+++ b/doc/differences.txt
@@ -23,7 +23,7 @@ Snort++ differs from Snort in the following ways:
 * -T is assumed if no input given
 * added --help-config prefix to dump all matching settings
 * added --script-path
-* added -K text; -K text/pcap is old dump/log mode
+* added -L none|dump|pcap
 * added -z <#> and --max-packet-threads <#>
 * delete --enable-mpls-multicast, --enable-mpls-overlapping-ip, --max-mpls-labelchain-len, --mpls-payload-type
@@ -109,7 +109,7 @@ Snort++ differs from Snort in the following ways:
 * alert_fast includes packet data by default
 * all text mode outputs default to stdout
-* changed default logging mode to -K none
+* changed default logging mode to -L none
 * deleted layer2resets and flexresp2_*
 * deleted log_ascii
 * general output guideline: don't print zero counts
diff --git a/doc/features.txt b/doc/features.txt
index 95f6445fe..360cdf1e9 100644
--- a/doc/features.txt
+++ b/doc/features.txt
@@ -1,33 +1,8 @@
-The features listed below must be explicitly enabled so they are built
-into the Snort binary. For a full list of build features, run ./configure
---help.
+=== File Processing
-* *--enable-shell*: enable building local and remote command line shell
- support.
+include::file_processing.txt[]
-These features are built only if the required libraries and headers are
-present. There is no need to explicitly enable.
+=== Performance Monitor
-* *lzma*: for decompression of SWF and PDF files.
-
-* *openssl*: for SHA and MD5 file signatures and the protected_content rule
- option.
-
-* *intel-soft-cpm": an optional pattern matcher based on a library from
- Intel.
-
-* hyperscan for the regex rule option and hyperscan search engine.
-
-If you need to use headers and/or libraries in non-standard locations, you
-can use these options:
-
-* *--with-pkg-includes*: specify the directory containing the package
- headers.
-
-* *--with-pkg-libraries*: specify the directory containing the package
- libraries.
-
-These can be use for pcap, luajit, pcre, dnet, daq, lzma, openssl,
-intel-soft-cpm, and hyperscan packages. For more information on these
-libraries see the Getting Started section of the manual.
+include::perf_monitor.txt[]
diff --git a/doc/manual/file_processing.txt b/doc/file_processing.txt
similarity index 97%
rename from doc/manual/file_processing.txt
rename to doc/file_processing.txt
index c3a5545b6..e1fa576d2 100644
--- a/doc/manual/file_processing.txt
+++ b/doc/file_processing.txt
@@ -1,10 +1,10 @@
-=== Overview
-
 With the volume of malware transferred through network increasing,
 network file inspection becomes more and more important. This feature
 will provide file type identification, file signature creation, and file
 capture capabilities to help users deal with those challenges.
+==== Overview
+
 There are two parts of file services: file APIs and file policy.
 File APIs provides all the file inspection functionalities, such as file
 type identification, file signature calculation, and file capture.
@@ -18,7 +18,7 @@ policy along with file event log.
 * Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
 * Supported file signature calculation: SHA256
-=== Quick Guide
+==== Quick Guide
 A very simple configuration has been included in lua/snort.lua file.
 A typical file configuration looks like this:
@@ -56,7 +56,7 @@ There are 3 steps to enable file processing:
 * Then, define the file policy and configure the inspector
 * At last, enable file_log to get detailed information about file event
-=== Pre-packaged File Magic Rules
+==== Pre-packaged File Magic Rules
 A set of file magic rules is packaged with Snort. They can be located at
 "lua/file_magic.lua". To use this feature, it is recommended that these
@@ -79,7 +79,7 @@ at content at particular file offset to identify the file type. In this
 case, two magics look at the beginning of the file. You can use character
 if it is printable or hex value in between "|".
-=== File Policy
+==== File Policy
 You can enabled file type, file signature, or file capture by configuring
 file_id. In addition, you can enable trace to see file stream data, file
@@ -105,7 +105,7 @@ In this example, it enables this policy:
 * For all file types identified, they will be logged with signature, and
 also captured onto log folder.
-=== File Capture
+==== File Capture
 File can be captured and stored to log folder. We use SHA as file name
 instead of actual file name to avoid conflicts. You can capture either
@@ -121,7 +121,7 @@ or enable it for some file or file type in your file policy:
 The above rule will enable PDF file capture.
-=== File Events
+==== File Events
 File inspect preprocessor also works as a dynamic output plugin for file
 events. It logs basic information about file. The log file is in the same
@@ -139,4 +139,4 @@ File event example:
 [Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
 [SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
 [Size: 1039328]
-
\ No newline at end of file
+
diff --git a/doc/overview.txt b/doc/overview.txt
index f97eaf58f..11383ce9b 100644
--- a/doc/overview.txt
+++ b/doc/overview.txt
@@ -273,7 +273,7 @@ packets. The key steps are given in the following figure:
 ////
 (pkt) -> [decode] -> [preprocess] -> [detect] -> [log] -> (verdict)
 ////
-image::snort2x.png["Snort 2X",width="640"]
+image::snort2x.png["Snort 2X",width="480"]
 The preprocess step is highly configurable. Arbitrary preprocessors can be
 loaded dynamically at startup, configured in snort.conf, and then executed
@@ -309,7 +309,7 @@ but they are not central to basic flow processing and are not shown.)
 -----------------------------------------------------
 [app id] [firewall] [other]
 ////
-image::snort3x.png["Snort 3X",width="640"]
+image::snort3x.png["Snort 3X",width="480"]
 However, Snort++ also provides a more flexible mechanism than callback
 functions. By using inspection events, it is possible for an inspector to
diff --git a/doc/manual/perf_monitor.txt b/doc/perf_monitor.txt
similarity index 97%
rename from doc/manual/perf_monitor.txt
rename to doc/perf_monitor.txt
index 2d68731d9..7cebe7047 100644
--- a/doc/manual/perf_monitor.txt
+++ b/doc/perf_monitor.txt
@@ -1,15 +1,15 @@
-=== Overview
-
 The new and improved performance monitor! Is your sensor being bogged down by
 too many flows? perf_monitor! Why are certain TCP segments being dropped without
 hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check
 with stream…
+==== Overview
+
 The Snort performance monitor is the built-in utility for monitoring system
 and traffic statistics. All statistics are separated by processing thread.
 perf_monitor supports several trackers for monitoring such data:
-=== Base Tracker
+==== Base Tracker
 The base tracker is used to gather running statistics about Snort and its
 running modules. All Snort modules gather, at the very least, counters for the
@@ -63,7 +63,7 @@ To enable specific counts within modules:
 Note: Event stats from prior Snorts are now located within base statistics.
-=== Flow Tracker
+==== Flow Tracker
 Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This
 data can be used to build a profile of traffic for inspector tuning and for
@@ -73,7 +73,7 @@ To enable:
 perf_monitor = { flow = true }
-=== FlowIP Tracker
+==== FlowIP Tracker
 FlowIP provides statistics for individual hosts within a network. This data can
 be used for identifying communication habits, such as generating large or small
@@ -84,7 +84,7 @@ To enable:
 perf_monitor = { flow_ip = true }
-=== CPU Tracker
+==== CPU Tracker
 This tracker monitors the CPU and wall time spent by a given processing thread.
diff --git a/doc/reference.txt b/doc/reference.txt
index 2a79078b8..6666e0d24 100644
--- a/doc/reference.txt
+++ b/doc/reference.txt
@@ -6,9 +6,9 @@ include::terms.txt[]
 include::usage.txt[]
-=== Optional Features
+=== Build Options
-include::features.txt[]
+include::building.txt[]
 === Environment Variables
diff --git a/doc/snort_manual.html b/doc/snort_manual.html
index 7b44e05e6..cad06a32d 100644
--- a/doc/snort_manual.html
+++ b/doc/snort_manual.html
@@ -779,7 +779,7 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0-a4 (Build 217) from 2.9.7-262
+o"  )~   Version 3.0.0-a4 (Build 218) from 2.9.7-262
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
@@ -1208,7 +1208,7 @@ explain these concepts, let’s start by examining how Snort processes
 packets.  The key steps are given in the following figure:

-Snort 2X +Snort 2X

The preprocess step is highly configurable. Arbitrary preprocessors can be @@ -1238,7 +1238,7 @@ analysis in both cases. (Snort++ provides hooks for arbitrary inspectors, but they are not central to basic flow processing and are not shown.)

-Snort 3X +Snort 3X

However, Snort++ also provides a more flexible mechanism than callback @@ -1503,7 +1503,7 @@ Examine and dump a pcap:

$my_path/bin/snort -r <pcap>
-$my_path/bin/snort -K text -d -e -q -r <pcap>
+$my_path/bin/snort -L dump -d -e -q -r <pcap>
  • @@ -2161,6 +2161,299 @@ stream_tcp gap count is broken.
  • +

    Features

    +
    +

    This section explains how to use key features of Snort++.

    +
    +

    File Processing

    +

    With the volume of malware transferred through network increasing, +network file inspection becomes more and more important. This feature +will provide file type identification, file signature creation, and file +capture capabilities to help users deal with those challenges.

    +
    +

    Overview

    +

    There are two parts of file services: file APIs and file policy. +File APIs provides all the file inspection functionalities, such as file +type identification, file signature calculation, and file capture. +File policy provides users ability to control file services, such +as enable/disable/configure file type identification, file signature, or +file capture.

    +

    In addition to all capabilities from snort 2x, we support customized file +policy along with file event log.

    +
      +
    • +

      +Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB. +

      +
    • +
    • +

      +Supported file signature calculation: SHA256 +

      +
    • +
    +
    +
    +

    Quick Guide

    +

    A very simple configuration has been included in lua/snort.lua file. +A typical file configuration looks like this:

    +
    +
    +
    dofile('magic.lua')
    +
    +
    +
    +
    my_file_policy =
    +{
    +    {  when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
    +    {  when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
    +    {  when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
    +}
    +
    +
    +
    +
    file_id =
    +{
    +    enable_type = true,
    +    enable_signature = true,
    +    enable_capture = true,
    +    file_rules = magics,
    +    trace_type = true,
    +    trace_signature = true,
    +    trace_stream = true,
    +    file_policy = my_file_policy,
    + }
    +
    +
    +
    +
    file_log =
    +{
    +    log_pkt_time = true,
    +    log_sys_time = false,
    +}
    +
    +

    There are 3 steps to enable file processing:

    +
      +
    • +

      +First, you need to include the file magic rules. +

      +
    • +
    • +

      +Then, define the file policy and configure the inspector +

      +
    • +
    • +

      +At last, enable file_log to get detailed information about file event +

      +
    • +
    +
    +
    +

    Pre-packaged File Magic Rules

    +

    A set of file magic rules is packaged with Snort. They can be located at +"lua/file_magic.lua". To use this feature, it is recommended that these +pre-packaged rules are used; doing so requires that you include +the file in your Snort configuration as such (already in snort.lua):

    +
    +
    +
    dofile('magic.lua')
    +
    +

    Example:

    +
    +
    +
    { type = "GIF", id = 62, category = "Graphics", rev = 1,
    +  magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } },
    +
    +
    +
    +
    { type = "GIF", id = 63, category = "Graphics", rev = 1,
    +  magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } },
    +
    +

    The previous two rules define GIF format, because two file magics are +different. File magics are specifed by content and offset, which look +at content at particular file offset to identify the file type. In this +case, two magics look at the beginning of the file. You can use character +if it is printable or hex value in between "|".

    +
    +
    +

    File Policy

    +

    You can enabled file type, file signature, or file capture by configuring +file_id. In addition, you can enable trace to see file stream data, file +type, and file signature information.

    +

    Most importantly, you can configure a file policy that can block/alert +some file type or an individual file based on SHA. This allows you +build a file blacklist or whitelist.

    +

    Example:

    +
    +
    +
    file_policy =
    +{
    +    {  when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } },
    +    {  when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} },
    +    {  when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } }
    +}
    +
    +

    In this example, it enables this policy:

    +
      +
    • +

      +For PDF files, they will be logged with signatures. +

      +
    • +
    • +

      +For the file matching this SHA, it will be blocked +

      +
    • +
    • +

      +For all file types identified, they will be logged with signature, and +also captured onto log folder. +

      +
    • +
    +
    +
    +

    File Capture

    +

    File can be captured and stored to log folder. We use SHA as file name +instead of actual file name to avoid conflicts. You can capture either +all files, some file type, or a particular file based on SHA.

    +

    You can enable file capture through this config:

    +
    +
    +
    enable_capture = true,
    +
    +

    or enable it for some file or file type in your file policy:

    +
    +
    +
    {  when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } },
    +
    +

    The above rule will enable PDF file capture.

    +
    +
    +

    File Events

    +

    File inspect preprocessor also works as a dynamic output plugin for file +events. It logs basic information about file. The log file is in the same +folder as other log files with name starting with "file.log".

    +

    Example:

    +
    +
    +
    file_log = { log_pkt_time = true, log_sys_time = false }
    +
    +

    All file events will be logged in packet time, system time is not logged.

    +

    File event example:

    +
    +
    +
    08/14-19:14:19.100891  10.22.75.72:33734 -> 10.22.75.36:80,
    +[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE]
    +[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A]
    +[Size: 1039328]
    +
    +
    +
    +
    +

    Performance Monitor

    +

    The new and improved performance monitor! Is your sensor being bogged down by +too many flows? perf_monitor! Why are certain TCP segments being dropped without +hitting a rule? perf_monitor! Why is a sensor leaking water? Not perf_monitor, check +with stream…

    +
    +

    Overview

    +

    The Snort performance monitor is the built-in utility for monitoring system +and traffic statistics. All statistics are separated by processing thread. +perf_monitor supports several trackers for monitoring such data:

    +
    +
    +

    Base Tracker

    +

    The base tracker is used to gather running statistics about Snort and its +running modules. All Snort modules gather, at the very least, counters for the +number of packets reaching it. Most supplement these counts with those for +domain specific functions, such as http_inspect’s number of GET requests seen.

    +

    Statistics are gathered live and can be reported at regular intervals. The stats +reported correspond only to the interval in question and are reset at the +beginning of each interval.

    +

    These are the same counts displayed when Snort shuts down, only sorted amongst +the discrete intervals in which they occurred.

    +

    Base differs from prior implementations in Snort in that all stats gathered are +only raw counts, allowing the data to be evaluated as needed. Additionally, +base is entirely pluggable. Data from new Snort plugins can be added to the +existing stats either automatically or, if specified, by name and function.

    +

    All plugins and counters can be enabled or disabled individually, allowing for +only the data that is actually desired instead of overly verbose performance +logs.

    +

    To enable everything:

    +
    +
    +
    perf_monitor = { modules = {} }
    +
    +

    To enable everything within a module:

    +
    +
    +
    perf_monitor =
    +{
    +    modules =
    +    {
    +        {
    +            name = 'stream_tcp',
    +            pegs = [[ ]]
    +        },
    +    }
    +}
    +
    +

    To enable specific counts within modules:

    +
    +
    +
    perf_monitor =
    +{
    +    modules =
    +    {
    +        {
    +            name = 'stream_tcp',
    +            pegs = [[ overlaps gaps ]]
    +        },
    +    }
    +
    +

    Note: Event stats from prior Snorts are now located within base statistics.

    +
    +
    +

    Flow Tracker

    +

    Flow tracks statistics regarding traffic and L3/L4 protocol distributions. This +data can be used to build a profile of traffic for inspector tuning and for +identifying where Snort may be stressed.

    +

    To enable:

    +
    +
    +
    perf_monitor = { flow = true }
    +
    +
    +
    +

    FlowIP Tracker

    +

    FlowIP provides statistics for individual hosts within a network. This data can +be used for identifying communication habits, such as generating large or small +amounts of data, opening a small or large number of sessions, and tendency to +send smaller or larger IP packets.

    +

    To enable:

    +
    +
    +
    perf_monitor = { flow_ip = true }
    +
    +
    +
    +

    CPU Tracker

    +

    This tracker monitors the CPU and wall time spent by a given processing thread.

    +

    To enable:

    +
    +
    +
    perf_monitor = { cpu = true }
    +
    +
    +
    +
    +
    +

    Basic Modules

    Internal modules which are not plugins are termed "basic". These include @@ -2840,6 +3133,24 @@ bool file_id.trace_stream = false: enable runtime dump of file

    +

    Peg counts:

    +
      +
    • +

      +file_id.total_files: number of files processed +

      +
    • +
    • +

      +file_id.total_file_data: number of file data bytes processed +

      +
    • +
    • +

      +file_id.cache_failures: number of file cache add failures +

      +
    • +

    high_availability

    @@ -14230,7 +14541,7 @@ added --script-path
  • -added -K text; -K text/pcap is old dump/log mode +added -L none|dump|pcap

  • @@ -14573,7 +14884,7 @@ all text mode outputs default to stdout
  • -changed default logging mode to -K none +changed default logging mode to -L none

  • @@ -17464,9 +17775,9 @@ kill -hup <pid>
  • -

    Optional Features

    -

    The features listed below must be explicitly enabled so they are built -into the Snort binary. For a full list of build features, run ./configure +

    Build Options

    +

    The options listed below must be explicitly enabled so they are built +into the Snort binary. For a full list of build options, run ./configure --help.

    • @@ -17476,7 +17787,7 @@ into the Snort binary. For a full list of build features, run ./configure

    -

    These features are built only if the required libraries and headers are +

    These options are built only if the required libraries and headers are present. There is no need to explicitly enable.

    • @@ -23705,6 +24016,21 @@ string wizard.spells[].to_server[].spell: sequence of data with
    • +file_id.cache_failures: number of file cache add failures +

      +
    • +
    • +

      +file_id.total_file_data: number of file data bytes processed +

      +
    • +
    • +

      +file_id.total_files: number of files processed +

      +
    • +
    • +

      file_log.total events: total file events

    • @@ -30338,7 +30664,7 @@ deleted -> unified2: 'filename'

diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf
index 2270fa130..e27d920c5 100644
Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ
diff --git a/doc/snort_manual.text b/doc/snort_manual.text
index a062539c6..787078bbe 100644
--- a/doc/snort_manual.text
+++ b/doc/snort_manual.text
@@ -31,296 +31,301 @@ Table of Contents 2.7. Gotchas 2.8. Bugs -3. Basic Modules - - 3.1. active - 3.2. alerts - 3.3. attribute_table - 3.4. classifications - 3.5. daq - 3.6. decode - 3.7. detection - 3.8. event_filter - 3.9. event_queue - 3.10. file_id - 3.11. high_availability - 3.12. host_cache - 3.13. host_tracker - 3.14. hosts - 3.15. ips - 3.16. latency - 3.17. memory - 3.18. network - 3.19. output - 3.20. packets - 3.21. process - 3.22. profiler - 3.23. rate_filter - 3.24. references - 3.25. rule_state - 3.26. search_engine - 3.27. side_channel - 3.28. snort - 3.29. suppress - -4. Codec Modules - - 4.1. arp - 4.2. auth - 4.3. ciscometadata - 4.4. erspan2 - 4.5. erspan3 - 4.6. esp - 4.7. eth - 4.8. fabricpath - 4.9. gre - 4.10. gtp - 4.11. icmp4 - 4.12. icmp6 - 4.13. igmp - 4.14. ipv4 - 4.15. ipv6 - 4.16. mpls - 4.17. pgm - 4.18. pppoe - 4.19. tcp - 4.20. udp - 4.21. vlan - -5. Inspector Modules - - 5.1. appid - 5.2. arp_spoof - 5.3. back_orifice - 5.4. binder - 5.5. dce_smb - 5.6. dce_tcp - 5.7. dce_udp - 5.8. dnp3 - 5.9. dns - 5.10. file_log - 5.11. ftp_client - 5.12. ftp_data - 5.13. ftp_server - 5.14. gtp_inspect - 5.15. http_inspect - 5.16. imap - 5.17. modbus - 5.18. normalizer - 5.19. packet_capture - 5.20. perf_monitor - 5.21. pop - 5.22. port_scan - 5.23. port_scan_global - 5.24. reputation - 5.25. rpc_decode - 5.26. sip - 5.27. smtp - 5.28. ssh - 5.29. ssl - 5.30. stream - 5.31. stream_file - 5.32. stream_icmp - 5.33. stream_ip - 5.34. stream_tcp - 5.35. stream_udp - 5.36. stream_user - 5.37. telnet - 5.38. wizard - -6. IPS Action Modules - - 6.1. react - 6.2. reject - 6.3. rewrite - -7. IPS Option Modules - - 7.1. ack - 7.2. appids - 7.3. asn1 - 7.4. base64_decode - 7.5. bufferlen - 7.6. byte_extract - 7.7. byte_jump - 7.8. byte_test - 7.9. classtype - 7.10. content - 7.11. cvs - 7.12. dce_iface - 7.13. dce_opnum - 7.14. dce_stub_data - 7.15. detection_filter - 7.16. dnp3_data - 7.17. dnp3_func - 7.18. dnp3_ind - 7.19. dnp3_obj - 7.20. 
dsize - 7.21. file_data - 7.22. file_type - 7.23. flags - 7.24. flow - 7.25. flowbits - 7.26. fragbits - 7.27. fragoffset - 7.28. gid - 7.29. gtp_info - 7.30. gtp_type - 7.31. gtp_version - 7.32. http_client_body - 7.33. http_cookie - 7.34. http_header - 7.35. http_method - 7.36. http_raw_cookie - 7.37. http_raw_header - 7.38. http_raw_request - 7.39. http_raw_status - 7.40. http_raw_trailer - 7.41. http_raw_uri - 7.42. http_stat_code - 7.43. http_stat_msg - 7.44. http_trailer - 7.45. http_uri - 7.46. http_version - 7.47. icmp_id - 7.48. icmp_seq - 7.49. icode - 7.50. id - 7.51. ip_proto - 7.52. ipopts - 7.53. isdataat - 7.54. itype - 7.55. md5 - 7.56. metadata - 7.57. modbus_data - 7.58. modbus_func - 7.59. modbus_unit - 7.60. msg - 7.61. pcre - 7.62. pkt_data - 7.63. priority - 7.64. raw_data - 7.65. reference - 7.66. regex - 7.67. rem - 7.68. replace - 7.69. rev - 7.70. rpc - 7.71. sd_pattern - 7.72. seq - 7.73. session - 7.74. sha256 - 7.75. sha512 - 7.76. sid - 7.77. sip_body - 7.78. sip_header - 7.79. sip_method - 7.80. sip_stat_code - 7.81. so - 7.82. soid - 7.83. ssl_state - 7.84. ssl_version - 7.85. stream_reassemble - 7.86. stream_size - 7.87. tag - 7.88. tos - 7.89. ttl - 7.90. window - -8. Search Engine Modules -9. SO Rule Modules -10. Logger Modules - - 10.1. alert_csv - 10.2. alert_fast - 10.3. alert_full - 10.4. alert_sfsocket - 10.5. alert_syslog - 10.6. log_codecs - 10.7. log_hext - 10.8. log_pcap - 10.9. unified2 - -11. DAQ Modules - - 11.1. Building the DAQ Library and DAQ Modules - 11.2. PCAP Module - 11.3. AFPACKET Module - 11.4. NFQ Module - 11.5. IPQ Module - 11.6. IPFW Module - 11.7. Dump Module - 11.8. Netmap Module - 11.9. Notes on iptables - 11.10. Notes on FreeBSD::IPFW - 11.11. Notes on OpenBSD::IPFW - 11.12. Socket Module - 11.13. File Module - 11.14. Hext Module - -12. Snort++ vs Snort - - 12.1. Build Options - 12.2. Command Line - 12.3. Conf File - 12.4. Rules - 12.5. Output - 12.6. HTTP Profiles - -13. Snort2Lua - - 13.1. 
Snort2Lua Command Line - 13.2. Known Problems - 13.3. Usage - -14. Extending Snort++ - - 14.1. Plugins - 14.2. Modules - 14.3. Inspectors - 14.4. Codecs - 14.5. IPS Actions - 14.6. Developers Guide - 14.7. Piglet Test Harness - 14.8. Piglet Lua API - -15. Coding Style - - 15.1. General - 15.2. C++ Specific - 15.3. Naming - 15.4. Comments - 15.5. Logging - 15.6. Types - 15.7. Macros (aka defines) - 15.8. Formatting - 15.9. Headers - 15.10. Warnings - 15.11. Uncrustify - -16. Reference - - 16.1. Terminology - 16.2. Usage - 16.3. Plugins - 16.4. Output Files - 16.5. Optional Features - 16.6. Environment Variables - 16.7. Command Line Options - 16.8. Parameters - 16.9. Configuration - 16.10. Counts - 16.11. Generators - 16.12. Builtin Rules - 16.13. Command Set - 16.14. Signals - 16.15. Configuration Changes - 16.16. Module Listing +3. Features + + 3.1. File Processing + 3.2. Performance Monitor + +4. Basic Modules + + 4.1. active + 4.2. alerts + 4.3. attribute_table + 4.4. classifications + 4.5. daq + 4.6. decode + 4.7. detection + 4.8. event_filter + 4.9. event_queue + 4.10. file_id + 4.11. high_availability + 4.12. host_cache + 4.13. host_tracker + 4.14. hosts + 4.15. ips + 4.16. latency + 4.17. memory + 4.18. network + 4.19. output + 4.20. packets + 4.21. process + 4.22. profiler + 4.23. rate_filter + 4.24. references + 4.25. rule_state + 4.26. search_engine + 4.27. side_channel + 4.28. snort + 4.29. suppress + +5. Codec Modules + + 5.1. arp + 5.2. auth + 5.3. ciscometadata + 5.4. erspan2 + 5.5. erspan3 + 5.6. esp + 5.7. eth + 5.8. fabricpath + 5.9. gre + 5.10. gtp + 5.11. icmp4 + 5.12. icmp6 + 5.13. igmp + 5.14. ipv4 + 5.15. ipv6 + 5.16. mpls + 5.17. pgm + 5.18. pppoe + 5.19. tcp + 5.20. udp + 5.21. vlan + +6. Inspector Modules + + 6.1. appid + 6.2. arp_spoof + 6.3. back_orifice + 6.4. binder + 6.5. dce_smb + 6.6. dce_tcp + 6.7. dce_udp + 6.8. dnp3 + 6.9. dns + 6.10. file_log + 6.11. ftp_client + 6.12. ftp_data + 6.13. ftp_server + 6.14. gtp_inspect + 6.15. 
http_inspect + 6.16. imap + 6.17. modbus + 6.18. normalizer + 6.19. packet_capture + 6.20. perf_monitor + 6.21. pop + 6.22. port_scan + 6.23. port_scan_global + 6.24. reputation + 6.25. rpc_decode + 6.26. sip + 6.27. smtp + 6.28. ssh + 6.29. ssl + 6.30. stream + 6.31. stream_file + 6.32. stream_icmp + 6.33. stream_ip + 6.34. stream_tcp + 6.35. stream_udp + 6.36. stream_user + 6.37. telnet + 6.38. wizard + +7. IPS Action Modules + + 7.1. react + 7.2. reject + 7.3. rewrite + +8. IPS Option Modules + + 8.1. ack + 8.2. appids + 8.3. asn1 + 8.4. base64_decode + 8.5. bufferlen + 8.6. byte_extract + 8.7. byte_jump + 8.8. byte_test + 8.9. classtype + 8.10. content + 8.11. cvs + 8.12. dce_iface + 8.13. dce_opnum + 8.14. dce_stub_data + 8.15. detection_filter + 8.16. dnp3_data + 8.17. dnp3_func + 8.18. dnp3_ind + 8.19. dnp3_obj + 8.20. dsize + 8.21. file_data + 8.22. file_type + 8.23. flags + 8.24. flow + 8.25. flowbits + 8.26. fragbits + 8.27. fragoffset + 8.28. gid + 8.29. gtp_info + 8.30. gtp_type + 8.31. gtp_version + 8.32. http_client_body + 8.33. http_cookie + 8.34. http_header + 8.35. http_method + 8.36. http_raw_cookie + 8.37. http_raw_header + 8.38. http_raw_request + 8.39. http_raw_status + 8.40. http_raw_trailer + 8.41. http_raw_uri + 8.42. http_stat_code + 8.43. http_stat_msg + 8.44. http_trailer + 8.45. http_uri + 8.46. http_version + 8.47. icmp_id + 8.48. icmp_seq + 8.49. icode + 8.50. id + 8.51. ip_proto + 8.52. ipopts + 8.53. isdataat + 8.54. itype + 8.55. md5 + 8.56. metadata + 8.57. modbus_data + 8.58. modbus_func + 8.59. modbus_unit + 8.60. msg + 8.61. pcre + 8.62. pkt_data + 8.63. priority + 8.64. raw_data + 8.65. reference + 8.66. regex + 8.67. rem + 8.68. replace + 8.69. rev + 8.70. rpc + 8.71. sd_pattern + 8.72. seq + 8.73. session + 8.74. sha256 + 8.75. sha512 + 8.76. sid + 8.77. sip_body + 8.78. sip_header + 8.79. sip_method + 8.80. sip_stat_code + 8.81. so + 8.82. soid + 8.83. ssl_state + 8.84. ssl_version + 8.85. stream_reassemble + 8.86. 
stream_size + 8.87. tag + 8.88. tos + 8.89. ttl + 8.90. window + +9. Search Engine Modules +10. SO Rule Modules +11. Logger Modules + + 11.1. alert_csv + 11.2. alert_fast + 11.3. alert_full + 11.4. alert_sfsocket + 11.5. alert_syslog + 11.6. log_codecs + 11.7. log_hext + 11.8. log_pcap + 11.9. unified2 + +12. DAQ Modules + + 12.1. Building the DAQ Library and DAQ Modules + 12.2. PCAP Module + 12.3. AFPACKET Module + 12.4. NFQ Module + 12.5. IPQ Module + 12.6. IPFW Module + 12.7. Dump Module + 12.8. Netmap Module + 12.9. Notes on iptables + 12.10. Notes on FreeBSD::IPFW + 12.11. Notes on OpenBSD::IPFW + 12.12. Socket Module + 12.13. File Module + 12.14. Hext Module + +13. Snort++ vs Snort + + 13.1. Build Options + 13.2. Command Line + 13.3. Conf File + 13.4. Rules + 13.5. Output + 13.6. HTTP Profiles + +14. Snort2Lua + + 14.1. Snort2Lua Command Line + 14.2. Known Problems + 14.3. Usage + +15. Extending Snort++ + + 15.1. Plugins + 15.2. Modules + 15.3. Inspectors + 15.4. Codecs + 15.5. IPS Actions + 15.6. Developers Guide + 15.7. Piglet Test Harness + 15.8. Piglet Lua API + +16. Coding Style + + 16.1. General + 16.2. C++ Specific + 16.3. Naming + 16.4. Comments + 16.5. Logging + 16.6. Types + 16.7. Macros (aka defines) + 16.8. Formatting + 16.9. Headers + 16.10. Warnings + 16.11. Uncrustify + +17. Reference + + 17.1. Terminology + 17.2. Usage + 17.3. Plugins + 17.4. Output Files + 17.5. Build Options + 17.6. Environment Variables + 17.7. Command Line Options + 17.8. Parameters + 17.9. Configuration + 17.10. Counts + 17.11. Generators + 17.12. Builtin Rules + 17.13. Command Set + 17.14. Signals + 17.15. Configuration Changes + 17.16. Module Listing Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0-a4 (Build 217) from 2.9.7-262 +o" )~ Version 3.0.0-a4 (Build 218) from 2.9.7-262 '''' By Martin Roesch & The Snort Team http://snort.org/contact#team Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved. 
@@ -816,7 +821,7 @@ Then give it a go: * Examine and dump a pcap: $my_path/bin/snort -r - $my_path/bin/snort -K text -d -e -q -r + $my_path/bin/snort -L dump -d -e -q -r * Verify config, with or w/o rules: 
@@ -1167,7 +1172,271 @@ WARNING: unknown symbol x --------------------------------------------------------------------- -3. Basic Modules +3. Features + +--------------------------------------------------------------------- + +This section explains how to use key features of Snort++. + + +3.1. File Processing + +-------------- + +With the volume of malware transferred through network increasing, +network file inspection becomes more and more important. This feature +will provide file type identification, file signature creation, and +file capture capabilities to help users deal with those challenges. + +3.1.1. Overview + +There are two parts of file services: file APIs and file policy. File +APIs provides all the file inspection functionalities, such as file +type identification, file signature calculation, and file capture. +File policy provides users ability to control file services, such as +enable/disable/configure file type identification, file signature, or +file capture. + +In addition to all capabilities from snort 2x, we support customized +file policy along with file event log. + + * Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB. + * Supported file signature calculation: SHA256 + +3.1.2. Quick Guide + +A very simple configuration has been included in lua/snort.lua file. 
+A typical file configuration looks like this: + +dofile('magic.lua') + +my_file_policy = +{ + { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } } + { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } }, + { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} }, +} + +file_id = +{ + enable_type = true, + enable_signature = true, + enable_capture = true, + file_rules = magics, + trace_type = true, + trace_signature = true, + trace_stream = true, + file_policy = my_file_policy, + } + +file_log = +{ + log_pkt_time = true, + log_sys_time = false, +} + +There are 3 steps to enable file processing: + + * First, you need to include the file magic rules. + * Then, define the file policy and configure the inspector + * At last, enable file_log to get detailed information about file + event + +3.1.3. Pre-packaged File Magic Rules + +A set of file magic rules is packaged with Snort. They can be located +at "lua/file_magic.lua". To use this feature, it is recommended that +these pre-packaged rules are used; doing so requires that you include +the file in your Snort configuration as such (already in snort.lua): + +dofile('magic.lua') + +Example: + +{ type = "GIF", id = 62, category = "Graphics", rev = 1, + magic = { { content = "| 47 49 46 38 37 61 |",offset = 0 } } }, + +{ type = "GIF", id = 63, category = "Graphics", rev = 1, + magic = { { content = "| 47 49 46 38 39 61 |",offset = 0 } } }, + +The previous two rules define GIF format, because two file magics are +different. File magics are specifed by content and offset, which look +at content at particular file offset to identify the file type. In +this case, two magics look at the beginning of the file. You can use +character if it is printable or hex value in between "|". + +3.1.4. 
File Policy + +You can enabled file type, file signature, or file capture by +configuring file_id. In addition, you can enable trace to see file +stream data, file type, and file signature information. + +Most importantly, you can configure a file policy that can block/ +alert some file type or an individual file based on SHA. This allows +you build a file blacklist or whitelist. + +Example: + +file_policy = +{ + { when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_signature = true } }, + { when = { sha256 = "F74DC976BC8387E7D4FC0716A069017A0C7ED13F309A523CC41A8739CCB7D4B6" }, use = { verdict = 'block'} }, + { when = { file_type_id = 0 }, use = { verdict = 'log', enable_file_signature = true, enable_file_capture = true } } +} + +In this example, it enables this policy: + + * For PDF files, they will be logged with signatures. + * For the file matching this SHA, it will be blocked + * For all file types identified, they will be logged with + signature, and also captured onto log folder. + +3.1.5. File Capture + +File can be captured and stored to log folder. We use SHA as file +name instead of actual file name to avoid conflicts. You can capture +either all files, some file type, or a particular file based on SHA. + +You can enable file capture through this config: + +enable_capture = true, + +or enable it for some file or file type in your file policy: + +{ when = { file_type_id = 22 }, use = { verdict = 'log', enable_file_capture = true } }, + +The above rule will enable PDF file capture. + +3.1.6. File Events + +File inspect preprocessor also works as a dynamic output plugin for +file events. It logs basic information about file. The log file is in +the same folder as other log files with name starting with +"file.log". + +Example: + +file_log = { log_pkt_time = true, log_sys_time = false } + +All file events will be logged in packet time, system time is not +logged. 
+ +File event example: + +08/14-19:14:19.100891 10.22.75.72:33734 -> 10.22.75.36:80, +[Name: "malware.exe"] [Verdict: Block] [Type: MSEXE] +[SHA: 6F26E721FDB1AAFD29B41BCF90196DEE3A5412550615A856DAE8E3634BCE9F7A] +[Size: 1039328] + + +3.2. Performance Monitor + +-------------- + +The new and improved performance monitor! Is your sensor being bogged +down by too many flows? perf_monitor! Why are certain TCP segments +being dropped without hitting a rule? perf_monitor! Why is a sensor +leaking water? Not perf_monitor, check with stream… + +3.2.1. Overview + +The Snort performance monitor is the built-in utility for monitoring +system and traffic statistics. All statistics are separated by +processing thread. perf_monitor supports several trackers for +monitoring such data: + +3.2.2. Base Tracker + +The base tracker is used to gather running statistics about Snort and +its running modules. All Snort modules gather, at the very least, +counters for the number of packets reaching it. Most supplement these +counts with those for domain specific functions, such as +http_inspect’s number of GET requests seen. + +Statistics are gathered live and can be reported at regular +intervals. The stats reported correspond only to the interval in +question and are reset at the beginning of each interval. + +These are the same counts displayed when Snort shuts down, only +sorted amongst the discrete intervals in which they occurred. + +Base differs from prior implementations in Snort in that all stats +gathered are only raw counts, allowing the data to be evaluated as +needed. Additionally, base is entirely pluggable. Data from new Snort +plugins can be added to the existing stats either automatically or, +if specified, by name and function. + +All plugins and counters can be enabled or disabled individually, +allowing for only the data that is actually desired instead of overly +verbose performance logs. 
+ +To enable everything: + +perf_monitor = { modules = {} } + +To enable everything within a module: + +perf_monitor = +{ + modules = + { + { + name = 'stream_tcp', + pegs = [[ ]] + }, + } +} + +To enable specific counts within modules: + +perf_monitor = +{ + modules = + { + { + name = 'stream_tcp', + pegs = [[ overlaps gaps ]] + }, + } + +Note: Event stats from prior Snorts are now located within base +statistics. + +3.2.3. Flow Tracker + +Flow tracks statistics regarding traffic and L3/L4 protocol +distributions. This data can be used to build a profile of traffic +for inspector tuning and for identifying where Snort may be stressed. + +To enable: + +perf_monitor = { flow = true } + +3.2.4. FlowIP Tracker + +FlowIP provides statistics for individual hosts within a network. +This data can be used for identifying communication habits, such as +generating large or small amounts of data, opening a small or large +number of sessions, and tendency to send smaller or larger IP +packets. + +To enable: + +perf_monitor = { flow_ip = true } + +3.2.5. CPU Tracker + +This tracker monitors the CPU and wall time spent by a given +processing thread. + +To enable: + +perf_monitor = { cpu = true } + + +--------------------------------------------------------------------- + +4. Basic Modules --------------------------------------------------------------------- @@ -1175,7 +1444,7 @@ Internal modules which are not plugins are termed "basic". These include configuration for core processing. -3.1. active +4.1. active -------------- @@ -1195,7 +1464,7 @@ Configuration: responses { 1: } -3.2. alerts +4.2. alerts -------------- @@ -1225,7 +1494,7 @@ Configuration: for GTP|Teredo|6in4|4in6 traffic -3.3. attribute_table +4.3. attribute_table -------------- @@ -1243,7 +1512,7 @@ Configuration: services in rule metadata { 1:256 } -3.4. classifications +4.4. classifications -------------- 
@@ -1260,7 +1529,7 @@ Configuration: * string classifications[].text: description of class -3.5. daq +4.5. daq -------------- @@ -1304,7 +1573,7 @@ Peg counts: * daq.idle: attempts to acquire from DAQ without available packets -3.6. decode +4.6. decode -------------- @@ -1324,7 +1593,7 @@ Rules: * 116:472 (decode) too many protocols present -3.7. detection +4.7. detection -------------- @@ -1365,7 +1634,7 @@ Peg counts: * detection.alert limit: events previously triggered on same PDU -3.8. event_filter +4.8. event_filter -------------- @@ -1388,7 +1657,7 @@ Configuration: according to track -3.9. event_queue +4.9. event_queue -------------- @@ -1406,7 +1675,7 @@ Configuration: action group or all action groups -3.10. file_id +4.10. file_id -------------- @@ -1466,8 +1735,14 @@ Configuration: * bool file_id.trace_stream = false: enable runtime dump of file data +Peg counts: + + * file_id.total_files: number of files processed + * file_id.total_file_data: number of file data bytes processed + * file_id.cache_failures: number of file cache add failures + -3.11. high_availability +4.11. high_availability -------------- @@ -1490,7 +1765,7 @@ Configuration: Peg counts: -3.12. host_cache +4.12. host_cache -------------- @@ -1516,7 +1791,7 @@ Peg counts: * host_cache.lru cache clears: lru cache clear API calls -3.13. host_tracker +4.13. host_tracker -------------- @@ -1544,7 +1819,7 @@ Peg counts: * host_tracker.service removes: host service removes -3.14. hosts +4.14. hosts -------------- @@ -1565,7 +1840,7 @@ Configuration: * port hosts[].services[].port: port number -3.15. ips +4.15. ips -------------- @@ -1584,7 +1859,7 @@ Configuration: * string ips.rules: snort rules and includes -3.16. latency +4.16. latency -------------- @@ -1628,7 +1903,7 @@ Peg counts: * latency.rule tree enables: rule tree re-enables -3.17. memory +4.17. memory -------------- 
@@ -1646,7 +1921,7 @@ Configuration: preemptive cleanup actions (percent, 0 to disable) { 0: } -3.18. network +4.18. network -------------- @@ -1679,7 +1954,7 @@ Configuration: 116:293 may fire. 0 = unlimited { 0:255 } -3.19. output +4.19. output -------------- @@ -1713,7 +1988,7 @@ Configuration: * bool output.verbose = false: be verbose (same as -v) -3.20. packets +4.20. packets -------------- @@ -1735,7 +2010,7 @@ Configuration: is used to track fragments and connections -3.21. process +4.21. process -------------- @@ -1759,7 +2034,7 @@ Configuration: timestamps -3.22. profiler +4.22. profiler -------------- @@ -1792,7 +2067,7 @@ Configuration: avg_match | avg_no_match } -3.23. rate_filter +4.23. rate_filter -------------- @@ -1816,7 +2091,7 @@ Configuration: according to track -3.24. references +4.24. references -------------- @@ -1830,7 +2105,7 @@ Configuration: * string references[].url: where this reference is defined -3.25. rule_state +4.25. rule_state -------------- @@ -1846,7 +2121,7 @@ Configuration: policies -3.26. search_engine +4.26. search_engine -------------- @@ -1900,7 +2175,7 @@ Peg counts: * search_engine.qualified events: total qualified events -3.27. side_channel +4.27. side_channel -------------- @@ -1918,7 +2193,7 @@ Configuration: Peg counts: -3.28. snort +4.28. snort -------------- @@ -2136,7 +2411,7 @@ Peg counts: * snort.attribute table hosts: total number of hosts in table -3.29. suppress +4.29. suppress -------------- @@ -2156,7 +2431,7 @@ Configuration: --------------------------------------------------------------------- -4. Codec Modules +5. Codec Modules --------------------------------------------------------------------- @@ -2165,7 +2440,7 @@ protocol decoding, anomaly detection, and construction of active responses. -4.1. arp +5.1. arp -------------- @@ -2178,7 +2453,7 @@ Rules: * 116:109 (arp) truncated ARP -4.2. auth +5.2. auth -------------- 
@@ -2192,7 +2467,7 @@ Rules: * 116:466 (auth) bad authentication header length -4.3. ciscometadata +5.3. ciscometadata -------------- @@ -2208,7 +2483,7 @@ Rules: * 116:471 (ciscometadata) invalid Cisco Metadata SGT -4.4. erspan2 +5.4. erspan2 -------------- @@ -2222,7 +2497,7 @@ Rules: * 116:463 (erspan2) captured < ERSpan type2 header length -4.5. erspan3 +5.5. erspan3 -------------- @@ -2235,7 +2510,7 @@ Rules: * 116:464 (erspan3) captured < ERSpan type3 header length -4.6. esp +5.6. esp -------------- @@ -2253,7 +2528,7 @@ Rules: * 116:294 (esp) truncated encapsulated security payload header -4.7. eth +5.7. eth -------------- @@ -2266,7 +2541,7 @@ Rules: * 116:424 (eth) truncated eth header -4.8. fabricpath +5.8. fabricpath -------------- @@ -2279,7 +2554,7 @@ Rules: * 116:467 (fabricpath) truncated FabricPath header -4.9. gre +5.9. gre -------------- @@ -2297,7 +2572,7 @@ Rules: * 116:165 (gre) GRE trans header length > payload length -4.10. gtp +5.10. gtp -------------- @@ -2311,7 +2586,7 @@ Rules: * 116:298 (gtp) GTP header length is invalid -4.11. icmp4 +5.11. icmp4 -------------- @@ -2357,7 +2632,7 @@ Peg counts: * icmp4.bad checksum: non-zero icmp checksums -4.12. icmp6 +5.12. icmp6 -------------- @@ -2393,7 +2668,7 @@ Peg counts: * icmp6.bad checksum (ip6): nonzero ipcm6 checksums -4.13. igmp +5.13. igmp -------------- @@ -2406,7 +2681,7 @@ Rules: * 116:455 (igmp) DOS IGMP IP options validation attempt -4.14. ipv4 +5.14. ipv4 -------------- @@ -2444,7 +2719,7 @@ Peg counts: * ipv4.bad checksum: nonzero ip checksums -4.15. ipv6 +5.15. ipv6 -------------- @@ -2488,7 +2763,7 @@ Rules: * 116:456 (ipv6) too many IP6 extension headers -4.16. mpls +5.16. mpls -------------- @@ -2523,7 +2798,7 @@ Peg counts: * mpls.total bytes: total mpls labeled bytes processed -4.17. pgm +5.17. pgm -------------- @@ -2536,7 +2811,7 @@ Rules: * 116:454 (pgm) BAD-TRAFFIC PGM nak list overflow attempt -4.18. pppoe +5.18. pppoe -------------- 
@@ -2549,7 +2824,7 @@ Rules: * 116:120 (pppoe) bad PPPOE frame detected -4.19. tcp +5.19. tcp -------------- @@ -2587,7 +2862,7 @@ Peg counts: * tcp.bad checksum (ip6): nonzero tcp over ipv6 checksums -4.20. udp +5.20. udp -------------- @@ -2618,7 +2893,7 @@ Peg counts: * udp.bad checksum (ip6): nonzero udp over ipv6 checksums -4.21. vlan +5.21. vlan -------------- @@ -2635,7 +2910,7 @@ Rules: --------------------------------------------------------------------- -5. Inspector Modules +6. Inspector Modules --------------------------------------------------------------------- @@ -2643,7 +2918,7 @@ These modules perform a variety of functions, including analysis of protocols beyond basic decoding. -5.1. appid +6.1. appid -------------- @@ -2787,7 +3062,7 @@ Peg counts: discovered by appid -5.2. arp_spoof +6.2. arp_spoof -------------- @@ -2812,7 +3087,7 @@ Peg counts: * arp_spoof.packets: total packets -5.3. back_orifice +6.3. back_orifice -------------- @@ -2832,7 +3107,7 @@ Peg counts: * back_orifice.packets: total packets -5.4. binder +6.4. binder -------------- @@ -2870,7 +3145,7 @@ Peg counts: * binder.inspects: inspect bindings -5.5. dce_smb +6.5. dce_smb -------------- @@ -3055,7 +3330,7 @@ Peg counts: * dce_smb.SMBv2 close: total number of SMBv2 close packets seen -5.6. dce_tcp +6.6. dce_tcp -------------- @@ -3154,7 +3429,7 @@ Peg counts: * dce_tcp.tcp packets: total tcp packets -5.7. dce_udp +6.7. dce_udp -------------- @@ -3205,7 +3480,7 @@ Peg counts: * dce_udp.Max seqnum: max connection-less seqnum -5.8. dnp3 +6.8. dnp3 -------------- @@ -3239,7 +3514,7 @@ Peg counts: * dnp3.dnp3 application pdus: total dnp3 application pdus -5.9. dns +6.9. dns -------------- @@ -3260,7 +3535,7 @@ Peg counts: * dns.responses: total dns responses -5.10. file_log +6.10. file_log -------------- @@ -3280,7 +3555,7 @@ Peg counts: * file_log.total events: total file events -5.11. ftp_client +6.11. ftp_client -------------- 
@@ -3304,7 +3579,7 @@ Configuration: sequences on ftp control channel -5.12. ftp_data +6.12. ftp_data -------------- @@ -3317,7 +3592,7 @@ Peg counts: * ftp_data.packets: total packets -5.13. ftp_server +6.13. ftp_server -------------- @@ -3386,7 +3661,7 @@ Peg counts: * ftp_server.packets: total packets -5.14. gtp_inspect +6.14. gtp_inspect -------------- @@ -3420,7 +3695,7 @@ Peg counts: * gtp_inspect.unknown infos: unknown information elements -5.15. http_inspect +6.15. http_inspect -------------- @@ -3597,7 +3872,7 @@ Peg counts: * http_inspect.URI coding: URIs with character coding problems -5.16. imap +6.16. imap -------------- @@ -3639,7 +3914,7 @@ Peg counts: * imap.non-encoded bytes: total non-encoded extracted bytes -5.17. modbus +6.17. modbus -------------- @@ -3660,7 +3935,7 @@ Peg counts: * modbus.frames: total Modbus messages -5.18. normalizer +6.18. normalizer -------------- @@ -3786,7 +4061,7 @@ Peg counts: * normalizer.test tcp block: test blocked segments -5.19. packet_capture +6.19. packet_capture -------------- @@ -3812,7 +4087,7 @@ Peg counts: filter -5.20. perf_monitor +6.20. perf_monitor -------------- @@ -3850,7 +4125,7 @@ Peg counts: * perf_monitor.packets: total packets -5.21. pop +6.21. pop -------------- @@ -3892,7 +4167,7 @@ Peg counts: * pop.non-encoded bytes: total non-encoded extracted bytes -5.22. port_scan +6.22. port_scan -------------- @@ -3950,7 +4225,7 @@ Rules: * 122:27 (port_scan) open port -5.23. port_scan_global +6.23. port_scan_global -------------- @@ -3968,7 +4243,7 @@ Peg counts: * port_scan_global.packets: total packets -5.24. reputation +6.24. reputation -------------- @@ -4006,7 +4281,7 @@ Peg counts: * reputation.memory_allocated: total memory allocated -5.25. rpc_decode +6.25. rpc_decode -------------- @@ -4027,7 +4302,7 @@ Peg counts: * rpc_decode.packets: total packets -5.26. sip +6.26. sip -------------- @@ -4124,7 +4399,7 @@ Peg counts: * sip.9xx: 9xx -5.27. smtp +6.27. smtp -------------- 
@@ -4215,7 +4490,7 @@ Peg counts: * smtp.non-encoded bytes: total non-encoded extracted bytes -5.28. ssh +6.28. ssh -------------- @@ -4247,7 +4522,7 @@ Peg counts: * ssh.packets: total packets -5.29. ssl +6.29. ssl -------------- @@ -4291,7 +4566,7 @@ Peg counts: * ssl.detection disabled: total detection disabled -5.30. stream +6.30. stream -------------- @@ -4402,7 +4677,7 @@ Peg counts: sync -5.31. stream_file +6.31. stream_file -------------- @@ -4415,7 +4690,7 @@ Configuration: * bool stream_file.upload = false: indicate file transfer direction -5.32. stream_icmp +6.32. stream_icmp -------------- @@ -4438,7 +4713,7 @@ Peg counts: * stream_icmp.prunes: icmp session prunes -5.33. stream_ip +6.33. stream_ip -------------- @@ -4507,7 +4782,7 @@ Peg counts: * stream_ip.fragmented bytes: total fragmented bytes -5.34. stream_tcp +6.34. stream_tcp -------------- @@ -4623,7 +4898,7 @@ Peg counts: * stream_tcp.closing: number of sessions currently closing -5.35. stream_udp +6.35. stream_udp -------------- @@ -4648,7 +4923,7 @@ Peg counts: * stream_udp.prunes: udp session prunes -5.36. stream_user +6.36. stream_user -------------- @@ -4662,7 +4937,7 @@ Configuration: 1:86400 } -5.37. telnet +6.37. telnet -------------- @@ -4691,7 +4966,7 @@ Peg counts: * telnet.packets: total packets -5.38. wizard +6.38. wizard -------------- @@ -4732,7 +5007,7 @@ Peg counts: --------------------------------------------------------------------- -6. IPS Action Modules +7. IPS Action Modules --------------------------------------------------------------------- @@ -4745,7 +5020,7 @@ the parser. For the reject rule, you can set reject = { } to get the rule to parse. -6.1. react +7.1. react -------------- @@ -4761,7 +5036,7 @@ Configuration: body) -6.2. reject +7.2. reject -------------- @@ -4777,7 +5052,7 @@ Configuration: |all } -6.3. rewrite +7.3. rewrite -------------- 
@@ -4788,14 +5063,14 @@ Type: ips_action --------------------------------------------------------------------- -7. IPS Option Modules +8. IPS Option Modules --------------------------------------------------------------------- IPS options are the building blocks of IPS rules. -7.1. ack +8.1. ack -------------- @@ -4809,7 +5084,7 @@ Configuration: min -7.2. appids +8.2. appids -------------- @@ -4822,7 +5097,7 @@ Configuration: * string appids.~: appid option -7.3. asn1 +8.3. asn1 -------------- @@ -4844,7 +5119,7 @@ Configuration: * int asn1.relative_offset: relative offset from the cursor. -7.4. base64_decode +8.4. base64_decode -------------- @@ -4863,7 +5138,7 @@ Configuration: start of buffer. -7.5. bufferlen +8.5. bufferlen -------------- @@ -4876,7 +5151,7 @@ Configuration: * string bufferlen.~range: len | min<>max | min -7.6. byte_extract +8.6. byte_extract -------------- @@ -4907,7 +5182,7 @@ Configuration: * implied byte_extract.dec: convert from decimal string -7.7. byte_jump +8.7. byte_jump -------------- @@ -4941,7 +5216,7 @@ Configuration: * implied byte_jump.dec: convert from decimal string -7.8. byte_test +8.8. byte_test -------------- @@ -4970,7 +5245,7 @@ Configuration: * implied byte_test.dec: convert from decimal string -7.9. classtype +8.9. classtype -------------- @@ -4983,7 +5258,7 @@ Configuration: * string classtype.~: classification for this rule -7.10. content +8.10. content -------------- @@ -5011,7 +5286,7 @@ Configuration: from cursor -7.11. cvs +8.11. cvs -------------- @@ -5024,7 +5299,7 @@ Configuration: * implied cvs.invalid-entry: looks for an invalid Entry string -7.12. dce_iface +8.12. dce_iface -------------- @@ -5039,7 +5314,7 @@ Configuration: * implied dce_iface.any_frag: match on any fragment -7.13. dce_opnum +8.13. dce_opnum -------------- @@ -5053,7 +5328,7 @@ Configuration: list -7.14. dce_stub_data +8.14. dce_stub_data -------------- 
@@ -5062,7 +5337,7 @@ What: sets the cursor to dcerpc stub data Type: ips_option -7.15. detection_filter +8.15. detection_filter -------------- @@ -5081,7 +5356,7 @@ Configuration: 1: } -7.16. dnp3_data +8.16. dnp3_data -------------- @@ -5090,7 +5365,7 @@ What: sets the cursor to dnp3 data Type: ips_option -7.17. dnp3_func +8.17. dnp3_func -------------- @@ -5103,7 +5378,7 @@ Configuration: * string dnp3_func.~: match dnp3 function code or name -7.18. dnp3_ind +8.18. dnp3_ind -------------- @@ -5116,7 +5391,7 @@ Configuration: * string dnp3_ind.~: match given dnp3 indicator flags -7.19. dnp3_obj +8.19. dnp3_obj -------------- @@ -5132,7 +5407,7 @@ Configuration: } -7.20. dsize +8.20. dsize -------------- @@ -5146,7 +5421,7 @@ Configuration: max | min -7.21. file_data +8.21. file_data -------------- @@ -5155,7 +5430,7 @@ What: rule option to set detection cursor to file data Type: ips_option -7.22. file_type +8.22. file_type -------------- @@ -5168,7 +5443,7 @@ Configuration: * string file_type.~: list of file type IDs to match -7.23. flags +8.23. flags -------------- @@ -5182,7 +5457,7 @@ Configuration: * string flags.~mask_flags: these flags are don’t cares -7.24. flow +8.24. flow -------------- @@ -5206,7 +5481,7 @@ Configuration: * implied flow.only_frag: match on defragmented packets only -7.25. flowbits +8.25. flowbits -------------- @@ -5221,7 +5496,7 @@ Configuration: * string flowbits.~arg2: group if arg1 is bits -7.26. fragbits +8.26. fragbits -------------- @@ -5234,7 +5509,7 @@ Configuration: * string fragbits.~flags: these flags are tested -7.27. fragoffset +8.27. fragoffset -------------- @@ -5248,7 +5523,7 @@ Configuration: value | min<>max | min -7.28. gid +8.28. gid -------------- @@ -5261,7 +5536,7 @@ Configuration: * int gid.~: generator id { 1: } -7.29. gtp_info +8.29. gtp_info -------------- @@ -5274,7 +5549,7 @@ Configuration: * string gtp_info.~: info element to match -7.30. gtp_type +8.30. gtp_type -------------- 
@@ -5287,7 +5562,7 @@ Configuration: * string gtp_type.~: list of types to match -7.31. gtp_version +8.31. gtp_version -------------- @@ -5300,7 +5575,7 @@ Configuration: * int gtp_version.~: version to match { 0:2 } -7.32. http_client_body +8.32. http_client_body -------------- @@ -5309,7 +5584,7 @@ What: rule option to set the detection cursor to the request body Type: ips_option -7.33. http_cookie +8.33. http_cookie -------------- @@ -5327,7 +5602,7 @@ Configuration: message trailers -7.34. http_header +8.34. http_header -------------- @@ -5348,7 +5623,7 @@ Configuration: message trailers -7.35. http_method +8.35. http_method -------------- @@ -5365,7 +5640,7 @@ Configuration: message trailers -7.36. http_raw_cookie +8.36. http_raw_cookie -------------- @@ -5384,7 +5659,7 @@ Configuration: HTTP message trailers -7.37. http_raw_header +8.37. http_raw_header -------------- @@ -5403,7 +5678,7 @@ Configuration: HTTP message trailers -7.38. http_raw_request +8.38. http_raw_request -------------- @@ -5420,7 +5695,7 @@ Configuration: HTTP message trailers -7.39. http_raw_status +8.39. http_raw_status -------------- @@ -5437,7 +5712,7 @@ Configuration: HTTP message trailers -7.40. http_raw_trailer +8.40. http_raw_trailer -------------- @@ -5456,7 +5731,7 @@ Configuration: HTTP response message body (must be combined with request) -7.41. http_raw_uri +8.41. http_raw_uri -------------- @@ -5481,7 +5756,7 @@ Configuration: URI only -7.42. http_stat_code +8.42. http_stat_code -------------- @@ -5497,7 +5772,7 @@ Configuration: HTTP message trailers -7.43. http_stat_msg +8.43. http_stat_msg -------------- @@ -5514,7 +5789,7 @@ Configuration: HTTP message trailers -7.44. http_trailer +8.44. http_trailer -------------- @@ -5534,7 +5809,7 @@ Configuration: message body (must be combined with request) -7.45. http_uri +8.45. http_uri -------------- @@ -5558,7 +5833,7 @@ Configuration: only -7.46. http_version +8.46. http_version -------------- 
@@ -5576,7 +5851,7 @@ Configuration: HTTP message trailers -7.47. icmp_id +8.47. icmp_id -------------- @@ -5590,7 +5865,7 @@ Configuration: >min -7.48. icmp_seq +8.48. icmp_seq -------------- @@ -5604,7 +5879,7 @@ Configuration: min<>max | min -7.49. icode +8.49. icode -------------- @@ -5618,7 +5893,7 @@ Configuration: | >min -7.50. id +8.50. id -------------- @@ -5632,7 +5907,7 @@ Configuration: min -7.51. ip_proto +8.51. ip_proto -------------- @@ -5645,7 +5920,7 @@ Configuration: * string ip_proto.~proto: [!|>|<] name or number -7.52. ipopts +8.52. ipopts -------------- @@ -5659,7 +5934,7 @@ Configuration: lsrre|ssrr|satid|any } -7.53. isdataat +8.53. isdataat -------------- @@ -5674,7 +5949,7 @@ Configuration: buffer -7.54. itype +8.54. itype -------------- @@ -5688,7 +5963,7 @@ Configuration: | >min -7.55. md5 +8.55. md5 -------------- @@ -5706,7 +5981,7 @@ Configuration: of buffer -7.56. metadata +8.56. metadata -------------- @@ -5721,7 +5996,7 @@ Configuration: * string metadata.*: additional parameters not used by snort -7.57. modbus_data +8.57. modbus_data -------------- @@ -5730,7 +6005,7 @@ What: rule option to set cursor to modbus data Type: ips_option -7.58. modbus_func +8.58. modbus_func -------------- @@ -5743,7 +6018,7 @@ Configuration: * string modbus_func.~: function code to match -7.59. modbus_unit +8.59. modbus_unit -------------- @@ -5756,7 +6031,7 @@ Configuration: * int modbus_unit.~: modbus unit ID { 0:255 } -7.60. msg +8.60. msg -------------- @@ -5769,7 +6044,7 @@ Configuration: * string msg.~: message describing rule -7.61. pcre +8.61. pcre -------------- @@ -5782,7 +6057,7 @@ Configuration: * string pcre.~re: Snort regular expression -7.62. pkt_data +8.62. pkt_data -------------- @@ -5792,7 +6067,7 @@ packet data Type: ips_option -7.63. priority +8.63. priority -------------- @@ -5806,7 +6081,7 @@ Configuration: 1: } -7.64. raw_data +8.64. raw_data -------------- 
@@ -5815,7 +6090,7 @@ What: rule option to set the detection cursor to the raw packet data Type: ips_option -7.65. reference +8.65. reference -------------- @@ -5829,7 +6104,7 @@ Configuration: * string reference.~id: reference id -7.66. regex +8.66. regex -------------- @@ -5848,7 +6123,7 @@ Configuration: instead of start of buffer -7.67. rem +8.67. rem -------------- @@ -5861,7 +6136,7 @@ Configuration: * string rem.~: comment -7.68. replace +8.68. replace -------------- @@ -5874,7 +6149,7 @@ Configuration: * string replace.~: byte code to replace with -7.69. rev +8.69. rev -------------- @@ -5887,7 +6162,7 @@ Configuration: * int rev.~: revision { 1: } -7.70. rpc +8.70. rpc -------------- @@ -5902,7 +6177,7 @@ Configuration: * int rpc.proc: procedure number or * for any -7.71. sd_pattern +8.71. sd_pattern -------------- @@ -5923,7 +6198,7 @@ Peg counts: * sd_pattern.terminated: hyperscan terminated -7.72. seq +8.72. seq -------------- @@ -5937,7 +6212,7 @@ Configuration: min<>max | min -7.73. session +8.73. session -------------- @@ -5950,7 +6225,7 @@ Configuration: * enum session.~mode: output format { printable|binary|all } -7.74. sha256 +8.74. sha256 -------------- @@ -5968,7 +6243,7 @@ Configuration: start of buffer -7.75. sha512 +8.75. sha512 -------------- @@ -5986,7 +6261,7 @@ Configuration: start of buffer -7.76. sid +8.76. sid -------------- @@ -5999,7 +6274,7 @@ Configuration: * int sid.~: signature id { 1: } -7.77. sip_body +8.77. sip_body -------------- @@ -6008,7 +6283,7 @@ What: rule option to set the detection cursor to the request body Type: ips_option -7.78. sip_header +8.78. sip_header -------------- @@ -6018,7 +6293,7 @@ buffer Type: ips_option -7.79. sip_method +8.79. sip_method -------------- @@ -6031,7 +6306,7 @@ Configuration: * string sip_method.*method: sip method -7.80. sip_stat_code +8.80. sip_stat_code -------------- @@ -6044,7 +6319,7 @@ Configuration: * int sip_stat_code.*code: stat code { 1:999 } -7.81. so +8.81. so -------------- 
@@ -6057,7 +6332,7 @@ Configuration: * string so.~func: name of eval function -7.82. soid +8.82. soid -------------- @@ -6070,7 +6345,7 @@ Configuration: * string soid.~: SO rule ID has | format, like 3|12345 -7.83. ssl_state +8.83. ssl_state -------------- @@ -6097,7 +6372,7 @@ Configuration: unknown -7.84. ssl_version +8.84. ssl_version -------------- @@ -6122,7 +6397,7 @@ Configuration: tls1.2 -7.85. stream_reassemble +8.85. stream_reassemble -------------- @@ -6141,7 +6416,7 @@ Configuration: remainder of the session -7.86. stream_size +8.86. stream_size -------------- @@ -6156,7 +6431,7 @@ Configuration: direction(s) { either|to_server|to_client|both } -7.87. tag +8.87. tag -------------- @@ -6173,7 +6448,7 @@ Configuration: * int tag.bytes: tag for this many bytes { 1: } -7.88. tos +8.88. tos -------------- @@ -6187,7 +6462,7 @@ Configuration: min -7.89. ttl +8.89. ttl -------------- @@ -6201,7 +6476,7 @@ Configuration: max | min -7.90. window +8.90. window -------------- @@ -6217,7 +6492,7 @@ Configuration: --------------------------------------------------------------------- -8. Search Engine Modules +9. Search Engine Modules --------------------------------------------------------------------- @@ -6229,7 +6504,7 @@ Related configuration is done with the basic detection module. --------------------------------------------------------------------- -9. SO Rule Modules +10. SO Rule Modules --------------------------------------------------------------------- @@ -6240,14 +6515,14 @@ typically do not have associated modules. --------------------------------------------------------------------- -10. Logger Modules +11. Logger Modules --------------------------------------------------------------------- All output of events and packets is done by Loggers. -10.1. alert_csv +11.1. alert_csv -------------- @@ -6273,7 +6548,7 @@ Configuration: * enum alert_csv.units = B: bytes | KB | MB | GB { B | K | M | G } -10.2. alert_fast +11.2. alert_fast -------------- 
@@ -6290,7 +6565,7 @@ Configuration: * enum alert_fast.units = B: bytes | KB | MB | GB { B | K | M | G } -10.3. alert_full +11.3. alert_full -------------- @@ -6307,7 +6582,7 @@ Configuration: K | M | G } -10.4. alert_sfsocket +11.4. alert_sfsocket -------------- @@ -6322,7 +6597,7 @@ Configuration: * int alert_sfsocket.rules[].sid = 1: rule signature ID { 1: } -10.5. alert_syslog +11.5. alert_syslog -------------- @@ -6342,7 +6617,7 @@ Configuration: cons | ndelay | perror | pid } -10.6. log_codecs +11.6. log_codecs -------------- @@ -6357,7 +6632,7 @@ Configuration: * bool log_codecs.msg = false: include alert msg -10.7. log_hext +11.7. log_hext -------------- @@ -6376,7 +6651,7 @@ Configuration: * int log_hext.width = 20: set line width (0 is unlimited) { 0: } -10.8. log_pcap +11.8. log_pcap -------------- @@ -6390,7 +6665,7 @@ Configuration: * enum log_pcap.units = B: bytes | KB | MB | GB { B | K | M | G } -10.9. unified2 +11.9. unified2 -------------- @@ -6412,7 +6687,7 @@ Configuration: --------------------------------------------------------------------- -11. DAQ Modules +12. DAQ Modules --------------------------------------------------------------------- @@ -6431,7 +6706,7 @@ section summarizes the important things you need to know to use these DAQ modules. There are also 3rd DAQ modules available. -11.1. Building the DAQ Library and DAQ Modules +12.1. Building the DAQ Library and DAQ Modules -------------- @@ -6479,7 +6754,7 @@ configure options, run: ./configure --help -11.2. PCAP Module +12.2. PCAP Module -------------- @@ -6500,7 +6775,7 @@ You can specify the buffer size pcap uses with: * The pcap DAQ does not count filtered packets. * -11.3. AFPACKET Module +12.3. AFPACKET Module -------------- @@ -6546,7 +6821,7 @@ DAQ module due to its dependency on both TPACKET v2 and PACKET_TX_RING support. -11.4. NFQ Module +12.4. NFQ Module -------------- 
@@ -6567,7 +6842,7 @@ warning and won’t change user or group. Notes on iptables are given below. -11.5. IPQ Module +12.5. IPQ Module -------------- @@ -6595,7 +6870,7 @@ warning and won’t change user or group. Notes on iptables are given below. -11.6. IPFW Module +12.6. IPFW Module -------------- @@ -6619,7 +6894,7 @@ Instead, start Snort like this: Notes on FreeBSD and OpenBSD are given below. -11.7. Dump Module +12.7. Dump Module -------------- @@ -6646,7 +6921,7 @@ another mode like this: ./snort -i -Q --daq dump --daq-var load-mode=passive -11.8. Netmap Module +12.8. Netmap Module -------------- @@ -6679,7 +6954,7 @@ The interfaces will need to be up and in promiscuous mode in order to function (ifconfig em1 up promisc). The DAQ module does not currently do either of these configuration steps for itself. -11.8.1. FreeBSD +12.8.1. FreeBSD In FreeBSD 10.0, netmap has been integrated into the core OS. In order to use it, you must recompile your kernel with the line @@ -6688,7 +6963,7 @@ device netmap added to your kernel config. -11.8.2. Linux +12.8.2. Linux You will need to download the netmap source code from the project’s repository: @@ -6720,7 +6995,7 @@ TODO: * Support for VALE and netmap pipes. -11.9. Notes on iptables +12.9. Notes on iptables -------------- @@ -6785,7 +7060,7 @@ These DAQs should be run with a snaplen of 65535 since the kernel defrags the packets before queuing. Also, no need to configure frag3. -11.10. Notes on FreeBSD::IPFW +12.10. Notes on FreeBSD::IPFW -------------- @@ -6880,7 +7155,7 @@ The steps to set up NAT with ipfw are as follows: ${fwcmd} add divert 8000 all from any to any in via ${oif} -11.11. Notes on OpenBSD::IPFW +12.11. Notes on OpenBSD::IPFW -------------- @@ -6914,7 +7189,7 @@ Here is one way to set things up: + Note that on OpenBSD, divert sockets don’t work with bridges! -11.12. Socket Module +12.12. Socket Module -------------- 
@@ -6949,7 +7224,7 @@ To use the socket DAQ, start Snort++ like this: * This module is primarily for development and test. -11.13. File Module +12.13. File Module -------------- @@ -6968,7 +7243,7 @@ threads with these Snort options: * This module is primarily for development and test. -11.14. Hext Module +12.14. Hext Module -------------- @@ -7050,7 +7325,7 @@ no effect. --------------------------------------------------------------------- -12. Snort++ vs Snort +13. Snort++ vs Snort --------------------------------------------------------------------- @@ -7065,7 +7340,7 @@ Snort++ differs from Snort in the following ways: * all Snort config options are grouped into Snort++ modules -12.1. Build Options +13.1. Build Options -------------- @@ -7075,7 +7350,7 @@ Snort++ differs from Snort in the following ways: * hardened --enable-inline-init-failopen / INLINE_FAILOPEN -12.2. Command Line +13.2. Command Line -------------- @@ -7086,7 +7361,7 @@ Snort++ differs from Snort in the following ways: * -T is assumed if no input given * added --help-config prefix to dump all matching settings * added --script-path - * added -K text; -K text/pcap is old dump/log mode + * added -L none|dump|pcap * added -z <#> and --max-packet-threads <#> * delete --enable-mpls-multicast, --enable-mpls-overlapping-ip, --max-mpls-labelchain-len, --mpls-payload-type @@ -7102,7 +7377,7 @@ Snort++ differs from Snort in the following ways: * removed -b, -N, -Z and, --perfmon-file options -12.3. Conf File +13.3. Conf File -------------- @@ -7150,7 +7425,7 @@ Snort++ differs from Snort in the following ways: active.max_responses, min_interval -12.4. Rules +13.4. Rules -------------- 
@@ -7184,13 +7459,13 @@ Snort++ differs from Snort in the following ways: * #begin … #end comments -12.5. Output +13.5. Output -------------- * alert_fast includes packet data by default * all text mode outputs default to stdout - * changed default logging mode to -K none + * changed default logging mode to -L none * deleted layer2resets and flexresp2_* * deleted log_ascii * general output guideline: don’t print zero counts @@ -7202,7 +7477,7 @@ Snort++ differs from Snort in the following ways: * alert_unified2 and log_unified2 have been deleted -12.6. HTTP Profiles +13.6. HTTP Profiles -------------- @@ -7292,7 +7567,7 @@ snort --help-config http_inspect | grep http_inspect.profile --------------------------------------------------------------------- -13. Snort2Lua +14. Snort2Lua --------------------------------------------------------------------- @@ -7343,7 +7618,7 @@ unsupported options will be converted to the best of Snort2Lua’s capability and then printed as a comment in the rule file. -13.1. Snort2Lua Command Line +14.1. Snort2Lua Command Line -------------- @@ -7371,12 +7646,12 @@ errors that have occurred. Finally, differences mode will not actually output a valid Snort3.0 configuration. Instead, you can see the exact options from the input configuration that have changed. -13.1.1. Usage: snort2lua [OPTIONS]… -c … +14.1.1. Usage: snort2lua [OPTIONS]… -c … Converts the Snort configuration file specified by the -c or --conf-file options into a Snort++ configuration file -13.1.1.1. Options: +14.1.1.1. Options: * -? show usage * -h this overview of snort2lua @@ -7428,12 +7703,12 @@ Converts the Snort configuration file specified by the -c or 's rules to . * --version Same as -V. Print the current Snort2Lua version -13.1.1.2. Required option: +14.1.1.2. Required option: * A Snort configuration file to convert. Set with either -c or --conf-file -13.1.1.3. Default values: +14.1.1.3. Default values: * = snort.lua * = = snort.lua. Rules are written to the 
@@ -7442,7 +7717,7 @@ Converts the Snort configuration file specified by the -c or mode. -13.2. Known Problems +14.2. Known Problems -------------- @@ -7470,7 +7745,7 @@ Converts the Snort configuration file specified by the -c or numbers will eventually be combined into one output. -13.3. Usage +14.3. Usage -------------- @@ -7557,12 +7832,12 @@ appended to the original filename. --------------------------------------------------------------------- -14. Extending Snort++ +15. Extending Snort++ --------------------------------------------------------------------- -14.1. Plugins +15.1. Plugins -------------- @@ -7588,7 +7863,7 @@ specific API add various other data and functions for their given roles. -14.2. Modules +15.2. Modules -------------- @@ -7640,7 +7915,7 @@ multiple plugin instances are created which use that Module. (Multiple instances require Snort++ binding configuration.) -14.3. Inspectors +15.3. Inspectors -------------- @@ -7660,7 +7935,7 @@ inspectors are executed when: perf_monitor, port_scan) -14.4. Codecs +15.4. Codecs -------------- @@ -7846,7 +8121,7 @@ may also be unable to accomplish some of its basic functionality. running Snort3.0. -14.5. IPS Actions +15.5. IPS Actions -------------- @@ -7855,7 +8130,7 @@ determine verdict. (Conversely, builtin actions don’t have an associated plugin function.) -14.6. Developers Guide +15.6. Developers Guide -------------- @@ -7863,7 +8138,7 @@ Run doc/dev_guide.sh to generate /tmp/dev_guide.html, an annotated guide to the source tree. -14.7. Piglet Test Harness +15.7. Piglet Test Harness -------------- @@ -7909,7 +8184,7 @@ The test runner will generate a check-like output, indicating the the results of each test script. -14.8. Piglet Lua API +15.8. Piglet Lua API -------------- 
@@ -7922,7 +8197,7 @@ the underlying C\++ member functions. Every effort has been made to keep the mappings consist, but there are still some differences. They are documented below. -14.8.1. Plugin Instances +15.8.1. Plugin Instances For each test, piglet instantiates plugin specified in the name field of the plugin table. The virtual methods of the instance are exposed @@ -7996,7 +8271,7 @@ SoRule Currently, SoRule does not expose any methods. -14.8.1.1. Interface Objects +15.8.1.1. Interface Objects Many of the plugins take C++ classes and structs as arguments. These objects are exposed to the Lua API as Lua userdata. Exposed objects @@ -8205,7 +8480,7 @@ by an inspector via Inspector.get_splitter() --------------------------------------------------------------------- -15. Coding Style +16. Coding Style --------------------------------------------------------------------- @@ -8214,7 +8489,7 @@ not yet firm so feedback is welcome to get something we can live with. -15.1. General +16.1. General -------------- @@ -8234,7 +8509,7 @@ with. subdirectory. -15.2. C++ Specific +16.2. C++ Specific -------------- @@ -8268,7 +8543,7 @@ with. all includes have been declared. -15.3. Naming +16.3. Naming -------------- @@ -8281,7 +8556,7 @@ with. * Use lower case filenames with underscores. -15.4. Comments +16.4. Comments -------------- @@ -8329,7 +8604,7 @@ with. going on. -15.5. Logging +16.5. Logging -------------- @@ -8341,7 +8616,7 @@ with. about the problem already w/o you shouting at him. -15.6. Types +16.6. Types -------------- @@ -8378,7 +8653,7 @@ with. code is not updated if new errors are added. -15.7. Macros (aka defines) +16.7. Macros (aka defines) -------------- @@ -8399,7 +8674,7 @@ with. if-else type surprises. -15.8. Formatting +16.8. Formatting -------------- @@ -8448,7 +8723,7 @@ with. foo(); -15.9. Headers +16.9. Headers -------------- @@ -8506,7 +8781,7 @@ with. scoped. -15.10. Warnings +16.10. Warnings -------------- 
@@ -8525,7 +8800,7 @@ with. * Then Fix All Warnings and Aborts. None Allowed. -15.11. Uncrustify +16.11. Uncrustify -------------- @@ -8544,12 +8819,12 @@ uncrustify -c crusty.cfg --replace file.cc --------------------------------------------------------------------- -16. Reference +17. Reference --------------------------------------------------------------------- -16.1. Terminology +17.1. Terminology -------------- @@ -8609,7 +8884,7 @@ uncrustify -c crusty.cfg --replace file.cc binding. See hex and spell. -16.2. Usage +17.2. Usage -------------- @@ -8617,7 +8892,7 @@ For the following examples "$my_path" is assumed to be the path to the Snort++ install directory. Additionally, it is assumed that "$my_path/bin" is in your PATH. -16.2.1. Environment +17.2.1. Environment LUA_PATH is used directly by Lua to load and run required libraries. SNORT_LUA_PATH is used by Snort to load supplemental configuration @@ -8626,7 +8901,7 @@ files. export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\; export SNORT_LUA_PATH=$my_path/etc/snort -16.2.2. Help +17.2.2. Help Print the help summary: @@ -8653,7 +8928,7 @@ Note Snort++ stops reading command-line options after the "--help-" and "--list-" options, so any other options should be placed before them. -16.2.3. Sniffing and Logging +17.2.3. Sniffing and Logging Read a pcap: @@ -8681,7 +8956,7 @@ Log packets to a directory: snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -L dump -l /path/to/log/dir -16.2.4. Configuration +17.2.4. Configuration Validate a configuration file: @@ -8703,7 +8978,7 @@ Tell Snort++ where to look for additional Lua scripts: snort --script-path /path/to/script/dir -16.2.5. IDS mode +17.2.5. IDS mode Run Snort++ in IDS mode, reading packets from a pcap: @@ -8739,7 +9014,7 @@ snort -c $my_path/etc/snort/snort.lua --daq afpacket -i "eth0:eth1" \ -A cmg -16.3. Plugins +17.3. Plugins -------------- 
@@ -8760,7 +9035,7 @@ alert tcp any any -> any 80 ( END -16.4. Output Files +17.4. Output Files -------------- @@ -8799,7 +9074,7 @@ subdirectories are created automatically if required. Log filename is based on module name that writes the file. All text mode outputs default to stdout. These options can be combined. -16.4.1. DAQ Alternatives +17.4.1. DAQ Alternatives Process hext packets from stdin: @@ -8829,7 +9104,7 @@ Bridge two TCP connections on port 8000 and inspect the traffic: snort -c $my_path/etc/snort/snort.lua \ --daq-dir $my_path/lib/snort/daqs --daq socket -16.4.2. Logger Alternatives +17.4.2. Logger Alternatives Dump TCP stream payload in hext mode: @@ -8845,7 +9120,7 @@ Output the old test format alerts: snort -c $my_path/etc/snort/snort.lua \ --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }" -16.4.3. Shell +17.4.3. Shell You must build with --enable-shell to make the command line shell available. @@ -8877,7 +9152,7 @@ snort --shell -j 12345 The command line interface is still under development. Suggestions are welcome. -16.4.4. Signals +17.4.4. Signals Note @@ -8910,18 +9185,18 @@ Note The available signals may vary from platform to platform. -16.5. Optional Features +17.5. Build Options -------------- -The features listed below must be explicitly enabled so they are -built into the Snort binary. For a full list of build features, run . -/configure --help. +The options listed below must be explicitly enabled so they are built +into the Snort binary. For a full list of build options, run ./ +configure --help. * --enable-shell: enable building local and remote command line shell support. -These features are built only if the required libraries and headers +These options are built only if the required libraries and headers are present. There is no need to explicitly enable. * lzma: for decompression of SWF and PDF files. 
@@ -8944,7 +9219,7 @@ intel-soft-cpm, and hyperscan packages. For more information on these libraries see the Getting Started section of the manual. -16.6. Environment Variables +17.6. Environment Variables -------------- @@ -8969,7 +9244,7 @@ libraries see the Getting Started section of the manual. be added to the manuals. -16.7. Command Line Options +17.7. Command Line Options -------------- @@ -9129,7 +9404,7 @@ libraries see the Getting Started section of the manual. the system; default is 1 (0:) -16.8. Parameters +17.8. Parameters -------------- @@ -9182,7 +9457,7 @@ Some additional details to note: ID values. -16.9. Configuration +17.9. Configuration -------------- @@ -10624,7 +10899,7 @@ Some additional details to note: wild cards (*) -16.10. Counts +17.10. Counts -------------- @@ -10916,6 +11191,9 @@ Some additional details to note: * dns.requests: total dns requests * dns.responses: total dns responses * file_connector.messages: total messages + * file_id.cache_failures: number of file cache add failures + * file_id.total_file_data: number of file data bytes processed + * file_id.total_files: number of files processed * file_log.total events: total file events * ftp_data.packets: total packets * ftp_server.packets: total packets @@ -11309,7 +11587,7 @@ Some additional details to note: * wizard.user scans: user payload scans -16.11. Generators +17.11. Generators -------------- @@ -11361,7 +11639,7 @@ Some additional details to note: * 145: dnp3 -16.12. Builtin Rules +17.12. Builtin Rules -------------- @@ -11922,7 +12200,7 @@ Some additional details to note: function code. -16.13. Command Set +17.13. Command Set -------------- @@ -11940,7 +12218,7 @@ Some additional details to note: * snort.show_plugins(): show available plugins -16.14. Signals +17.14. Signals -------------- @@ -11958,7 +12236,7 @@ and are not applicable elsewhere. * term(15): shutdown normally -16.15. Configuration Changes +17.15. Configuration Changes -------------- 
@@ -12265,7 +12543,7 @@ deleted -> test: 'stdout' deleted -> unified2: 'filename' -16.16. Module Listing +17.16. Module Listing -------------- @@ -12531,7 +12809,7 @@ deleted -> unified2: 'filename' * wizard (inspector): inspector that implements port-independent protocol identification :leveloffset: 0 -16.16.1. Plugin Listing +17.16.1. Plugin Listing * codec::arp: support for address resolution protocol * codec::auth: support for IP authentication header diff --git a/doc/snort_manual.txt b/doc/snort_manual.txt index 40b4a82d5..fc18f76e3 100644 --- a/doc/snort_manual.txt +++ b/doc/snort_manual.txt @@ -16,6 +16,12 @@ include::overview.txt[] include::start.txt[] +== Features + +This section explains how to use key features of Snort++. + +include::features.txt[] + == Basic Modules Internal modules which are not plugins are termed "basic". These include @@ -68,14 +74,6 @@ SO rules are dynamic rules that require custom coding to perform detection not possible with the existing rule options. These rules typically do not have associated modules. -== File Processing - -include::manual/file_processing.txt[] - -== Performance Monitor - -include::manual/perf_monitor.txt[] - == Logger Modules All output of events and packets is done by Loggers. diff --git a/doc/start.txt b/doc/start.txt index aaf7a601b..e94b4e643 100644 --- a/doc/start.txt +++ b/doc/start.txt @@ -122,7 +122,7 @@ Then give it a go: * Examine and dump a pcap: $my_path/bin/snort -r - $my_path/bin/snort -K text -d -e -q -r + $my_path/bin/snort -L dump -d -e -q -r * Verify config, with or w/o rules: diff --git a/src/detection/fp_utils.cc b/src/detection/fp_utils.cc index bec326eab..efb53c821 100644 --- a/src/detection/fp_utils.cc +++ b/src/detection/fp_utils.cc @@ -270,6 +270,7 @@ bool FpSelector::is_better_than(FpSelector& rhs, bool srvc, RuleDirection dir) ParseWarning(WARN_RULES, "only one fast_pattern content per rule allowed - using first"); pmd->fp = 0; + return false; } return true; } 
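Review bot: The added `return false;` after `pmd->fp = 0;` is what makes a second designated fast_pattern lose to the first, but nothing in the branch says so, and a reader who sees only the warning and the cleared flag could later "simplify" it back to falling through to `return true`. A one-line comment would pin the intent: `// second designated fast_pattern is demoted to a plain content and must not displace the first`. is_better_than begins and ends outside the hunk, so I cannot confirm from here whether `pmd` is the candidate's or rhs's match data; the comment should name which one is demoted. The updated test in fp_utils.cc (fp_pkt_key_port_user_user, later hunk) only checks the case where the first pattern is longer; a companion case with the original string order (p0 "short", p1 "longer") expecting the same false result would show that the early return, not pattern length, decides.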
@@ -531,14 +532,14 @@ TEST_CASE("fp_pkt_key_port_user", "[FastPatternSelect]")
 TEST_CASE("fp_pkt_key_port_user_user", "[FastPatternSelect]")
 {
 PatternMatchData p0;
- set_pmd(p0, 0x10, "short");
+ set_pmd(p0, 0x10, "longer");
 FpSelector s0(CAT_SET_KEY, &p0);
 
 PatternMatchData p1;
- set_pmd(p1, 0x10, "longer");
+ set_pmd(p1, 0x10, "short");
 FpSelector s1(CAT_SET_KEY, &p1);
 
- CHECK(s0.is_better_than(s1, false, RULE_WO_DIR));
+ CHECK(!s0.is_better_than(s1, false, RULE_WO_DIR));
 }
 
 TEST_CASE("fp_pkt_key_port_user_user2", "[FastPatternSelect]")
diff --git a/src/log/log_text.cc b/src/log/log_text.cc
index db28829fc..631f8f992 100644
--- a/src/log/log_text.cc
+++ b/src/log/log_text.cc
@@ -1254,6 +1254,7 @@ static void LogCharData(TextLog* log, const char* data, int len)
 *
 * Returns: void function
 */
+#ifdef REG_TEST
 static const char SEPARATOR[] =
 "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -";
 
@@ -1263,6 +1264,17 @@ static const char SEPARATOR[] =
 static const char PAD3[] =
 " ";
 
+#else
+static const char SEPARATOR[] =
+ "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -";
+
+#define BYTES_PER_FRAME 16
+/* middle:"41 02 43 04 45 06 47 08 49 0A 4B 0C 4D 0E 4F 0F A.C.E.G.I.K.M.O....."
+ at end:"41 02 43 04 45 06 47 08 A.C.E.G."*/
+
+static const char PAD3[] =
+ " ";
+#endif
 void LogNetData(TextLog* log, const uint8_t* data, const int len, Packet* p)
 {
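Review bot: The new `#ifdef REG_TEST` in log_text.cc selects between two SEPARATOR/PAD3 definitions, but nothing at the `#ifdef` says what the two layouts are or why the regression-test build keeps the wider one, so the next person to touch the dump format has to reverse-engineer it from string lengths. A comment at the `#ifdef` such as `// REG_TEST keeps the previous wider per-line layout so existing regression baselines still match; the default build dumps BYTES_PER_FRAME bytes per line` would carry that (the motivation is inferred from the commit message about reverting to 16 bytes per line — confirm). Related: BYTES_PER_FRAME is defined only in the `#else` branch of the following hunk, so if LogNetData (whose body lies outside both hunks) uses it, the REG_TEST build needs its own definition, e.g. `#define BYTES_PER_FRAME <REG_TEST_WIDTH>` inside the `#ifdef REG_TEST` branch; verify against the function body before adding it. The PAD3 strings are pure whitespace and their width must track SEPARATOR and BYTES_PER_FRAME by hand — a comment stating that coupling next to each PAD3 would make the two branches easier to keep in sync.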