From: Russ Combs (rucombs) <rucombs@cisco.com>
Date: Fri, 4 Nov 2016 15:10:43 +0000 (-0400)
Subject: Merge pull request #695 in SNORT/snort3 from 218 to master
X-Git-Tag: 3.0.0-233~201
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4b57dee389d6ab1e3a74063ad3ccf4b0978d3511;p=thirdparty%2Fsnort3.git

Merge pull request #695 in SNORT/snort3 from 218 to master

Squashed commit of the following:

commit 3b7c746f92338501ef2c88656b841d867e982a3d
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Nov 4 10:28:04 2016 -0400

    build 218
---

diff --git a/ChangeLog b/ChangeLog
index f269698bd..342217b30 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+16/11/04 - build 218
+
+-- fix shutdown stats
+-- fix misc appid issues
+-- rewrite appid loading of lua detectors
+-- add sip inspector events for appid
+-- update default manuals
+
 16/10/28 - build 217
 
 -- update appid to 2983
diff --git a/doc/snort_manual.html b/doc/snort_manual.html
index 1a4758b31..7b44e05e6 100644
--- a/doc/snort_manual.html
+++ b/doc/snort_manual.html
@@ -779,7 +779,7 @@ asciidoc.install(2);
 <div class="literalblock">
 <div class="content">
 <pre><code> ,,_     -*&gt; Snort++ &lt;*-
-o"  )~   Version 3.0.0-a4 (Build 206) from 2.9.7-262
+o"  )~   Version 3.0.0-a4 (Build 217) from 2.9.7-262
  ''''    By Martin Roesch &amp; The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
@@ -1024,18 +1024,16 @@ settings, etc., you can also script Loggers and IpsOptions.</p></div>
 <div class="sect2">
 <h3 id="_new_http_inspector">New Http Inspector</h3>
 <div class="paragraph"><p>One of the major undertakings for Snort 3.0 is developing a completely new
-HTTP inspector. It is incomplete right now but you can examine the
-work-in-progress. You can configure it by adding:</p></div>
+HTTP inspector. You can configure it by adding:</p></div>
 <div class="literalblock">
 <div class="content">
-<pre><code>new_http_inspect = {}</code></pre>
+<pre><code>http_inspect = {}</code></pre>
 </div></div>
 <div class="paragraph"><p>to your snort.lua configuration file. Or you can read it in the source code
-under src/service_inspectors/nhttp_inspect.</p></div>
-<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release as
-http_inspect. It’s probably the better choice for now if you just want to
-do some work and do not feel like experimenting. Be sure not to configure
-    both old and new HTTP inspectors at the same time.</p></div>
+under src/service_inspectors/http_inspect.</p></div>
+<div class="paragraph"><p>The classic HTTP preprocessor is still available in the alpha release under
+extra. It has been renamed http_server. Be sure not to configure both old
+and new HTTP inspectors at the same time.</p></div>
 <div class="paragraph"><p>So why a new HTTP inspector?</p></div>
 <div class="paragraph"><p>For starters it is object-oriented. That’s good for us because we maintain
 this software. But it should also be really nice for open-source
@@ -1044,20 +1042,20 @@ processing without having to understand the whole thing. In fact much of
 the new HTTP inspector’s knowledge of HTTP is centralized in a series of
 tables where it can be easily reviewed and modified. Many significant
 changes can be made just by updating these tables.</p></div>
-<div class="paragraph"><p>New_http_inspect is the first inspector written specifically for the new
+<div class="paragraph"><p>Http_inspect is the first inspector written specifically for the new
 Snort 3.0 architecture. That provides access to one of the very best
-features of Snort 3.0: purely PDU-based inspection. Classic http_inspect
+features of Snort 3.0: purely PDU-based inspection. The classic preprocessor
 processes HTTP messages, but even while doing so it is constantly aware of
 IP packets and how they divide up the TCP data stream. The same HTTP
 message might be processed differently depending on how the sender (bad
 guy) divided it up into IP packets.</p></div>
-<div class="paragraph"><p>New_http_inspect is free of this burden and can focus exclusively on HTTP.
-That makes it much more simple, easier to test, and less prone to false
+<div class="paragraph"><p>Http_inspect is free of this burden and can focus exclusively on HTTP.
+That makes it much simpler, easier to test, and less prone to false
 positives. It also greatly reduces the opportunity for adversaries to probe
 the inspector for weak spots by adjusting packet boundaries to disguise bad
 behavior.</p></div>
 <div class="paragraph"><p>Dealing solely with HTTP messages also opens the door for developing major
-new features. The new_http_inspect design supports true stateful
+new features. The http_inspect design supports true stateful
 processing. Want to ask questions that involve both the client request and
 the server response? Or different requests in the same session? These
 things are possible.</p></div>
@@ -1067,10 +1065,9 @@ the name, it is better to think of HTTP/2 not as a newer version of
 HTTP/1.1, but rather a separate protocol layer that runs under HTTP/1.1 and
 on top of TLS or TCP. It’s a perfect fit for the new Snort 3.0 architecture
 because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but
-not any underlying packets. Exactly what the new_http_inspect wants to
-input.</p></div>
-<div class="paragraph"><p>New_http_inspect is taking a very different approach to HTTP header fields.
-Classic http_inspect divides all the HTTP headers following the start line
+not any underlying packets. Exactly what http_inspect wants to input.</p></div>
+<div class="paragraph"><p>Http_inspect is taking a very different approach to HTTP header fields.
+The classic preprocessor divides all the HTTP headers following the start line
 into cookies and everything else. It normalizes the two pieces using a
 generic process and puts them in buffers that one can write rules against.
 There is some limited support for examining individual headers within the
@@ -1082,7 +1079,9 @@ normalization means put that date in a standard format.</p></div>
 </div>
 <div class="sect2">
 <h3 id="_binder_and_wizard">Binder and Wizard</h3>
-<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration related to networks and ports.  Here is a brief review of Snort&#8217;s configuration for network and service related components:</p></div>
+<div class="paragraph"><p>One of the fundamental differences between Snort and Snort++ concerns configuration
+related to networks and ports. Here is a brief review of Snort&#8217;s configuration for
+network and service related components:</p></div>
 <div class="ulist"><ul>
 <li>
 <p>
@@ -2477,7 +2476,7 @@ bool <strong>daq.no_promisc</strong> = false: whether to put DAQ device into pro
 </li>
 <li>
 <p>
-<strong>116:468</strong> (decode) too many protocols present
+<strong>116:472</strong> (decode) too many protocols present
 </p>
 </li>
 </ul></div>
@@ -2518,7 +2517,7 @@ int <strong>detection.pcre_match_limit_recursion</strong> = 1500: limit pcre sta
 </li>
 <li>
 <p>
-<strong>detection.slow searches</strong>: non-fast pattern rule evaluations
+<strong>detection.hard evals</strong>: non-fast pattern rule evaluations
 </p>
 </li>
 <li>
@@ -2732,6 +2731,11 @@ int <strong>file_id.capture_block_size</strong> = 32768: file capture block size
 </li>
 <li>
 <p>
+int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8: }
+</p>
+</li>
+<li>
+<p>
 bool <strong>file_id.enable_type</strong> = false: enable type ID
 </p>
 </li>
@@ -3067,7 +3071,7 @@ bool <strong>latency.packet.fastpath</strong> = false: fastpath expensive packet
 </li>
 <li>
 <p>
-enum <strong>latency.packet.action</strong> = alert_and_log: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }
+enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }
 </p>
 </li>
 <li>
@@ -3092,7 +3096,7 @@ int <strong>latency.rule.max_suspend_time</strong> = 30000: set max time for sus
 </li>
 <li>
 <p>
-enum <strong>latency.rule.action</strong> = alert_and_log: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }
+enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }
 </p>
 </li>
 </ul></div>
@@ -3118,27 +3122,37 @@ enum <strong>latency.rule.action</strong> = alert_and_log: event action for rule
 <div class="ulist"><ul>
 <li>
 <p>
-<strong>latency.total_packets</strong>: total packets monitored
+<strong>latency.total packets</strong>: total packets monitored
+</p>
+</li>
+<li>
+<p>
+<strong>latency.total usecs</strong>: total usecs elapsed
 </p>
 </li>
 <li>
 <p>
-<strong>latency.packet_timeouts</strong>: packets that timed out
+<strong>latency.max usecs</strong>: maximum usecs elapsed
 </p>
 </li>
 <li>
 <p>
-<strong>latency.total_rule_evals</strong>: total rule evals monitored
+<strong>latency.packet timeouts</strong>: packets that timed out
 </p>
 </li>
 <li>
 <p>
-<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out
+<strong>latency.total rule evals</strong>: total rule evals monitored
 </p>
 </li>
 <li>
 <p>
-<strong>latency.rule_tree_enables</strong>: rule tree re-enables
+<strong>latency.rule eval timeouts</strong>: rule evals that timed out
+</p>
+</li>
+<li>
+<p>
+<strong>latency.rule tree enables</strong>: rule tree re-enables
 </p>
 </li>
 </ul></div>
@@ -3469,7 +3483,7 @@ int <strong>rate_filter[].seconds</strong> = 1: count interval { 0: }
 </li>
 <li>
 <p>
-select <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { alert | drop | log | pass | | reject | sdrop }
+enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }
 </p>
 </li>
 <li>
@@ -3573,11 +3587,6 @@ bool <strong>search_engine.debug_print_rule_groups_compiled</strong> = false: pr
 </li>
 <li>
 <p>
-bool <strong>search_engine.debug_print_fast_pattern</strong> = false: print fast pattern info for each rule
-</p>
-</li>
-<li>
-<p>
 int <strong>search_engine.max_pattern_len</strong> = 0: truncate patterns when compiling into state machine (0 means no maximum) { 0: }
 </p>
 </li>
@@ -3598,12 +3607,17 @@ dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern
 </li>
 <li>
 <p>
-bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory
+bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance
 </p>
 </li>
 <li>
 <p>
-bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance
+bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule
+</p>
+</li>
+<li>
+<p>
+bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory
 </p>
 </li>
 </ul></div>
@@ -3657,6 +3671,11 @@ bit_list <strong>side_channel.ports</strong>: side channel message port list { 6
 string <strong>side_channel.connectors[].connector</strong>: connector handle
 </p>
 </li>
+<li>
+<p>
+string <strong>side_channel.connector</strong>: connector handle
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Peg counts:</p></div>
 </div>
@@ -3838,11 +3857,6 @@ implied <strong>snort.-W</strong>: lists available interfaces
 </li>
 <li>
 <p>
-implied <strong>snort.-w</strong>: dump 802.11 management and control frames
-</p>
-</li>
-<li>
-<p>
 implied <strong>snort.-X</strong>: dump the raw packet data starting at the link layer
 </p>
 </li>
@@ -4391,6 +4405,34 @@ protocol decoding, anomaly detection, and construction of active responses.</p><
 </ul></div>
 </div>
 <div class="sect2">
+<h3 id="_ciscometadata">ciscometadata</h3>
+<div class="paragraph"><p>What: support for cisco metadata</p></div>
+<div class="paragraph"><p>Type: codec</p></div>
+<div class="paragraph"><p>Rules:</p></div>
+<div class="ulist"><ul>
+<li>
+<p>
+<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header
+</p>
+</li>
+<li>
+<p>
+<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length
+</p>
+</li>
+<li>
+<p>
+<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type
+</p>
+</li>
+<li>
+<p>
+<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT
+</p>
+</li>
+</ul></div>
+</div>
+<div class="sect2">
 <h3 id="_erspan2">erspan2</h3>
 <div class="paragraph"><p>What: support for encapsulated remote switched port analyzer - type 2</p></div>
 <div class="paragraph"><p>Type: codec</p></div>
@@ -5346,7 +5388,7 @@ int <strong>appid.memcap</strong> = 268435456: time period for collecting and lo
 </li>
 <li>
 <p>
-string <strong>appid.app_stats_filename</strong>: Filename for logging AppId statistics
+bool <strong>appid.log_stats</strong> = false: enable logging of AppId statistics
 </p>
 </li>
 <li>
@@ -5389,12 +5431,57 @@ bool <strong>appid.dump_ports</strong> = false: enable dump of AppId port inform
 string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from
 </p>
 </li>
+<li>
+<p>
+addr <strong>appid.session_log_filter.src_ip</strong> = 0.0.0.0/32: source ip address in CIDR format
+</p>
+</li>
+<li>
+<p>
+addr <strong>appid.session_log_filter.dst_ip</strong> = 0.0.0.0/32: destination ip address in CIDR format
+</p>
+</li>
+<li>
+<p>
+port <strong>appid.session_log_filter.src_port</strong>: source port { 1: }
+</p>
+</li>
+<li>
+<p>
+port <strong>appid.session_log_filter.dst_port</strong>: destination port { 1: }
+</p>
+</li>
+<li>
+<p>
+string <strong>appid.session_log_filter.protocol</strong>: ip protocol
+</p>
+</li>
+<li>
+<p>
+bool <strong>appid.session_log_filter.log_all_sessions</strong> = false: enable logging for all appid sessions
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Peg counts:</p></div>
 <div class="ulist"><ul>
 <li>
 <p>
-<strong>appid.packets</strong>: count of packets processed by appid
+<strong>appid.packets</strong>: count of packets received by appid inspector
+</p>
+</li>
+<li>
+<p>
+<strong>appid.processed packets</strong>: count of packets processed by appid inspector
+</p>
+</li>
+<li>
+<p>
+<strong>appid.ignored packets</strong>: count of packets ignored by appid inspector
+</p>
+</li>
+<li>
+<p>
+<strong>appid.aim_clients</strong>: count of aim clients discovered by appid
 </p>
 </li>
 <li>
@@ -5424,6 +5511,11 @@ string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty
 </li>
 <li>
 <p>
+<strong>appid.bootp_flows</strong>: count of bootp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered by appid
 </p>
 </li>
@@ -5434,6 +5526,11 @@ string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty
 </li>
 <li>
 <p>
+<strong>appid.direct_connect_flows</strong>: count of direct connect flows discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered by appid
 </p>
 </li>
@@ -5454,6 +5551,11 @@ string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty
 </li>
 <li>
 <p>
+<strong>appid.http_flows</strong>: count of http flows discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.imap_flows</strong>: count of imap service flows discovered by appid
 </p>
 </li>
@@ -5494,12 +5596,37 @@ string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty
 </li>
 <li>
 <p>
+<strong>appid.msn_clients</strong>: count of msn clients discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.mysql_flows</strong>: count of mysql service flows discovered by appid
 </p>
 </li>
 <li>
 <p>
-<strong>appid.netbios_flows</strong>: count of netbios service flows discovered by appid
+<strong>appid.netbios_dgm_flows</strong>: count of netbios-dgm service flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.netbios_ns_flows</strong>: count of netbios-ns service flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.netbios_ssn_flows</strong>: count of netbios-ssn service flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.nntp_flows</strong>: count of nntp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.ntp_flows</strong>: count of ntp flows discovered by appid
 </p>
 </li>
 <li>
@@ -5509,6 +5636,121 @@ string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty
 </li>
 <li>
 <p>
+<strong>appid.radius_flows</strong>: count of radius flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rexec_flows</strong>: count of rexec flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rfb_flows</strong>: count of rfb flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rlogin_flows</strong>: count of rlogin flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rpc_flows</strong>: count of rpc flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rshell_flows</strong>: count of rshell flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rtmp_flows</strong>: count of rtmp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rtp_clients</strong>: count of rtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.sip_clients</strong>: count of SIP clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.sip_flows</strong>: count of SIP flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_aol_clients</strong>: count of AOL smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_applemail_clients</strong>: count of Apple Mail smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_eudora_clients</strong>: count of Eudora smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_eudora_pro_clients</strong>: count of Eudora Pro smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_evolution_clients</strong>: count of Evolution smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_kmail_clients</strong>: count of KMail smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_lotus_notes_clients</strong>: count of Lotus Notes smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_microsoft_outlook_clients</strong>: count of Microsoft Outlook smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_microsoft_outlook_express_clients</strong>: count of Microsoft Outlook Express smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_microsoft_outlook_imo_clients</strong>: count of Microsoft Outlook IMO smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_mutt_clients</strong>: count of Mutt smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_thunderbird_clients</strong>: count of Thunderbird smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid
 </p>
 </li>
@@ -5519,6 +5761,11 @@ string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty
 </li>
 <li>
 <p>
+<strong>appid.snmp_flows</strong>: count of snmp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.ssh_clients</strong>: count of ssh clients discovered by appid
 </p>
 </li>
@@ -5539,9 +5786,34 @@ string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty
 </li>
 <li>
 <p>
+<strong>appid.tftp_flows</strong>: count of tftp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered by appid
 </p>
 </li>
+<li>
+<p>
+<strong>appid.tns_clients</strong>: count of tns clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.tns_flows</strong>: count of tns flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.vnc_clients</strong>: count of vnc clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.yahoo_messenger_clients</strong>: count of Yahoo Messenger clients discovered by appid
+</p>
+</li>
 </ul></div>
 </div>
 <div class="sect2">
@@ -5791,6 +6063,11 @@ int <strong>dce_smb.smb_file_depth</strong> = 16384:  SMB file depth for file da
 string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on
 </p>
 </li>
+<li>
+<p>
+bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Rules:</p></div>
 <div class="ulist"><ul>
@@ -6039,6 +6316,16 @@ string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on
 <strong>133:57</strong> (dce_smb) SMB - Client attempted to create or set a file&#8217;s attributes to readonly/hidden/system.
 </p>
 </li>
+<li>
+<p>
+<strong>133:58</strong> (dce_smb) SMB - File offset provided is greater than file size specified
+</p>
+</li>
+<li>
+<p>
+<strong>133:59</strong> (dce_smb) SMB - Next command specified in SMB2 header is beyond payload boundary
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Peg counts:</p></div>
 <div class="ulist"><ul>
@@ -6204,6 +6491,11 @@ string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on
 </li>
 <li>
 <p>
+<strong>dce_smb.Ignored bytes</strong>: total ignored bytes
+</p>
+</li>
+<li>
+<p>
 <strong>dce_smb.Client segs reassembled</strong>: total smb client segments reassembled
 </p>
 </li>
@@ -6222,8 +6514,43 @@ string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on
 <strong>dce_smb.Files processed</strong>: total smb files processed
 </p>
 </li>
-</ul></div>
-</div>
+<li>
+<p>
+<strong>dce_smb.SMBv2 create</strong>: total number of SMBv2 create packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 write</strong>: total number of SMBv2 write packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 read</strong>: total number of SMBv2 read packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 set info</strong>: total number of SMBv2 set info packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 tree connect</strong>: total number of SMBv2 tree connect packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 tree disconnect</strong>: total number of SMBv2 tree disconnect packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 close</strong>: total number of SMBv2 close packets seen
+</p>
+</li>
+</ul></div>
+</div>
 <div class="sect2">
 <h3 id="_dce_tcp">dce_tcp</h3>
 <div class="paragraph"><p>What: dce over tcp inspection</p></div>
@@ -6479,6 +6806,165 @@ enum <strong>dce_tcp.policy</strong> = WinXP:  Target based policy to use { Win2
 </ul></div>
 </div>
 <div class="sect2">
+<h3 id="_dce_udp">dce_udp</h3>
+<div class="paragraph"><p>What: dce over udp inspection</p></div>
+<div class="paragraph"><p>Type: inspector</p></div>
+<div class="paragraph"><p>Configuration:</p></div>
+<div class="ulist"><ul>
+<li>
+<p>
+bool <strong>dce_udp.disable_defrag</strong> = false:  Disable DCE/RPC defragmentation
+</p>
+</li>
+<li>
+<p>
+int <strong>dce_udp.max_frag_len</strong> = 65535:  Maximum fragment size for defragmentation { 1514:65535 }
+</p>
+</li>
+</ul></div>
+<div class="paragraph"><p>Rules:</p></div>
+<div class="ulist"><ul>
+<li>
+<p>
+<strong>133:40</strong> (dce_udp) Connection-less DCE/RPC - Invalid major version.
+</p>
+</li>
+<li>
+<p>
+<strong>133:41</strong> (dce_udp) Connection-less DCE/RPC - Invalid pdu type.
+</p>
+</li>
+<li>
+<p>
+<strong>133:42</strong> (dce_udp) Connection-less DCE/RPC - Data length less than header size.
+</p>
+</li>
+<li>
+<p>
+<strong>133:43</strong> (dce_udp) Connection-less DCE/RPC - Bad sequence number.
+</p>
+</li>
+</ul></div>
+<div class="paragraph"><p>Peg counts:</p></div>
+<div class="ulist"><ul>
+<li>
+<p>
+<strong>dce_udp.events</strong>: total events
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.aborted sessions</strong>: total aborted sessions
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.bad autodetects</strong>: total bad autodetects
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.udp sessions</strong>: total udp sessions
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.udp packets</strong>: total udp packets
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Requests</strong>: total connection-less requests
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Acks</strong>: total connection-less acks
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Cancels</strong>: total connection-less cancels
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Client facks</strong>: total connection-less client facks
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Ping</strong>: total connection-less ping
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Responses</strong>: total connection-less responses
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Rejects</strong>: total connection-less rejects
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Cancel acks</strong>: total connection-less cancel acks
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Server facks</strong>: total connection-less server facks
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Faults</strong>: total connection-less faults
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.No calls</strong>: total connection-less no calls
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Working</strong>: total connection-less working
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Other requests</strong>: total connection-less other requests
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Other responses</strong>: total connection-less other responses
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Fragments</strong>: total connection-less fragments
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Max fragment size</strong>: connection-less maximum fragment size
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Frags reassembled</strong>: total connection-less fragments reassembled
+</p>
+</li>
+<li>
+<p>
+<strong>dce_udp.Max seqnum</strong>: max connection-less seqnum
+</p>
+</li>
+</ul></div>
+</div>
+<div class="sect2">
 <h3 id="_dnp3">dnp3</h3>
 <div class="paragraph"><p>What: dnp3 inspection</p></div>
 <div class="paragraph"><p>Type: inspector</p></div>
@@ -6693,6 +7179,11 @@ string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the g
 </li>
 <li>
 <p>
+string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands
+</p>
+</li>
+<li>
+<p>
 string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands
 </p>
 </li>
@@ -6941,6 +7432,11 @@ bool <strong>http_inspect.unzip</strong> = true: decompress gzip and deflate mes
 </li>
 <li>
 <p>
+bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings
+</p>
+</li>
+<li>
+<p>
 bit_list <strong>http_inspect.bad_characters</strong>: alert when any of specified bytes are present in URI after percent decoding { 255 }
 </p>
 </li>
@@ -7359,6 +7855,11 @@ bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with tes
 </li>
 <li>
 <p>
+<strong>119:66</strong> (http_inspect) White space within header name
+</p>
+</li>
+<li>
+<p>
 <strong>119:67</strong> (http_inspect) Excessive gzip compression
 </p>
 </li>
@@ -7402,6 +7903,21 @@ bool <strong>http_inspect.show_pegs</strong> = true: display peg counts with tes
 <strong>119:75</strong> (http_inspect) Misformatted HTTP traffic
 </p>
 </li>
+<li>
+<p>
+<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used
+</p>
+</li>
+<li>
+<p>
+<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used
+</p>
+</li>
+<li>
+<p>
+<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Peg counts:</p></div>
 <div class="ulist"><ul>
@@ -9493,27 +10009,27 @@ int <strong>ssl.max_heartbeat_length</strong> = 0: maximum length of heartbeat r
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }
+bool <strong>stream.ip_frags_only</strong> = false: don&#8217;t process non-frag flows
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
+int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
+int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.ip_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
+int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 2: }
+int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
 <li>
@@ -9528,12 +10044,7 @@ int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time
 </li>
 <li>
 <p>
-int <strong>stream.icmp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
-<li>
-<p>
-int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }
+int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
 <li>
@@ -9548,12 +10059,7 @@ int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time
 </li>
 <li>
 <p>
-int <strong>stream.tcp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
-<li>
-<p>
-int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }
+int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
 <li>
@@ -9568,11 +10074,6 @@ int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time
 </li>
 <li>
 <p>
-int <strong>stream.udp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
-<li>
-<p>
 int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
@@ -9588,11 +10089,6 @@ int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time
 </li>
 <li>
 <p>
-int <strong>stream.user_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
-<li>
-<p>
 int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
@@ -9606,11 +10102,6 @@ int <strong>stream.file_cache.pruning_timeout</strong> = 30: minimum inactive ti
 int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
 </p>
 </li>
-<li>
-<p>
-int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
 </ul></div>
 <div class="paragraph"><p>Peg counts:</p></div>
 <div class="ulist"><ul>
@@ -9626,7 +10117,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.ip timeout prunes</strong>: ip sessions pruned due to timeout
+<strong>stream.ip idle prunes</strong>: ip sessions pruned due to timeout
 </p>
 </li>
 <li>
@@ -9651,7 +10142,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.ip user prunes</strong>: ip sessions pruned for other reasons
+<strong>stream.ip ha prunes</strong>: ip sessions pruned by high availability sync
 </p>
 </li>
 <li>
@@ -9666,7 +10157,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.icmp timeout prunes</strong>: icmp sessions pruned due to timeout
+<strong>stream.icmp idle prunes</strong>: icmp sessions pruned due to timeout
 </p>
 </li>
 <li>
@@ -9691,7 +10182,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.icmp user prunes</strong>: icmp sessions pruned for other reasons
+<strong>stream.icmp ha prunes</strong>: icmp sessions pruned by high availability sync
 </p>
 </li>
 <li>
@@ -9706,7 +10197,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.tcp timeout prunes</strong>: tcp sessions pruned due to timeout
+<strong>stream.tcp idle prunes</strong>: tcp sessions pruned due to timeout
 </p>
 </li>
 <li>
@@ -9731,7 +10222,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.tcp user prunes</strong>: tcp sessions pruned for other reasons
+<strong>stream.tcp ha prunes</strong>: tcp sessions pruned by high availability sync
 </p>
 </li>
 <li>
@@ -9746,7 +10237,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.udp timeout prunes</strong>: udp sessions pruned due to timeout
+<strong>stream.udp idle prunes</strong>: udp sessions pruned due to timeout
 </p>
 </li>
 <li>
@@ -9771,7 +10262,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.udp user prunes</strong>: udp sessions pruned for other reasons
+<strong>stream.udp ha prunes</strong>: udp sessions pruned by high availability sync
 </p>
 </li>
 <li>
@@ -9786,7 +10277,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.user timeout prunes</strong>: user sessions pruned due to timeout
+<strong>stream.user idle prunes</strong>: user sessions pruned due to timeout
 </p>
 </li>
 <li>
@@ -9811,7 +10302,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.user user prunes</strong>: user sessions pruned for other reasons
+<strong>stream.user ha prunes</strong>: user sessions pruned by high availability sync
 </p>
 </li>
 <li>
@@ -9826,7 +10317,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.file timeout prunes</strong>: file sessions pruned due to timeout
+<strong>stream.file idle prunes</strong>: file sessions pruned due to timeout
 </p>
 </li>
 <li>
@@ -9851,7 +10342,7 @@ int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clea
 </li>
 <li>
 <p>
-<strong>stream.file user prunes</strong>: file sessions pruned for other reasons
+<strong>stream.file ha prunes</strong>: file sessions pruned by high availability sync
 </p>
 </li>
 </ul></div>
@@ -9951,6 +10442,11 @@ enum <strong>stream_ip.policy</strong> = linux: fragment reassembly policy { fir
 int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout { 1:86400 }
 </p>
 </li>
+<li>
+<p>
+int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Rules:</p></div>
 <div class="ulist"><ul>
@@ -10044,12 +10540,12 @@ int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout {
 </li>
 <li>
 <p>
-<strong>stream_ip.total</strong>: total fragments
+<strong>stream_ip.total frags</strong>: total fragments
 </p>
 </li>
 <li>
 <p>
-<strong>stream_ip.current</strong>: current fragments
+<strong>stream_ip.current frags</strong>: current fragments
 </p>
 </li>
 <li>
@@ -12179,17 +12675,17 @@ int <strong>rev.~</strong>: revision { 1: }
 <div class="ulist"><ul>
 <li>
 <p>
-string <strong>rpc.~app</strong>: application number
+int <strong>rpc.~app</strong>: application number
 </p>
 </li>
 <li>
 <p>
-string <strong>rpc.~ver</strong>: version number or * for any
+int <strong>rpc.ver</strong>: version number or * for any
 </p>
 </li>
 <li>
 <p>
-string <strong>rpc.~proc</strong>: procedure number or * for any
+int <strong>rpc.proc</strong>: procedure number or * for any
 </p>
 </li>
 </ul></div>
@@ -14208,8 +14704,6 @@ configure can be found by running the following command:</p></div>
 <div class="content">
 <pre><code>snort --help-config http_inspect | grep http_inspect.profile</code></pre>
 </div></div>
-<div class="paragraph"><p>The new Http Inspect (new_http_inspect) implementation of config options is
-still under development.</p></div>
 </div>
 </div>
 </div>
@@ -15976,6 +16470,12 @@ The goal is to have highly readable class declarations.  The user
   available to the client.
 </p>
 </li>
+<li>
+<p>
+Any using statements in source files should be added only after all
+  includes have been declared.
+</p>
+</li>
 </ul></div>
 </div>
 <div class="sect2">
@@ -15994,6 +16494,12 @@ Use lower case identifiers with underscore separators, e.g. some_function()
 </li>
 <li>
 <p>
+Do not start or end variable names with an underscore.  This has a good
+  chance of conflicting with macro and/or system definitions.
+</p>
+</li>
+<li>
+<p>
 Use lower case filenames with underscores.
 </p>
 </li>
@@ -16050,9 +16556,10 @@ Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left for a
 </li>
 <li>
 <p>
-Presently using FIXIT-X where X = P | H | M | L, indicating perf, high,
-  med, or low priority.  For now, H, M, or L can indicate alpha 1, 2, or 3.
-  Perf changes fall between alpha 1 and 2.
+Presently using FIXIT-X where X = A | W | P | H | M | L, indicating analysis,
+  warning, perf, high, med, or low priority.  Place A and W comments on the
+  exact warning line so we can match up comments and build output.  Supporting
+  comments can be added above.
 </p>
 </li>
 <li>
@@ -16080,7 +16587,7 @@ Put author, description, etc. in separate comment(s) following the
 <li>
 <p>
 Each header should have a comment immediately after the header guard to
-  give an overview of the file so the user knows what&#8217;s going on.
+  give an overview of the file so the reader knows what&#8217;s going on.
 </p>
 </li>
 </ul></div>
@@ -17597,11 +18104,6 @@ libraries see the Getting Started section of the manual.</p></div>
 </li>
 <li>
 <p>
-<strong>-w</strong> dump 802.11 management and control frames
-</p>
-</li>
-<li>
-<p>
 <strong>-W</strong> lists available interfaces
 </p>
 </li>
@@ -17958,11 +18460,6 @@ string <strong>appid.app_detector_dir</strong>: directory to load AppId detector
 </li>
 <li>
 <p>
-string <strong>appid.app_stats_filename</strong>: Filename for logging AppId statistics
-</p>
-</li>
-<li>
-<p>
 int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging AppId statistics { 0: }
 </p>
 </li>
@@ -17998,6 +18495,11 @@ int <strong>appid.instance_id</strong> = 0: instance id - need more details for
 </li>
 <li>
 <p>
+bool <strong>appid.log_stats</strong> = false: enable logging of AppId statistics
+</p>
+</li>
+<li>
+<p>
 int <strong>appid.memcap</strong> = 268435456: time period for collecting and logging AppId statistics { 1048576:3221225472 }
 </p>
 </li>
@@ -18008,6 +18510,36 @@ string <strong>appids.~</strong>: appid option
 </li>
 <li>
 <p>
+addr <strong>appid.session_log_filter.dst_ip</strong> = 0.0.0.0/32: destination ip address in CIDR format
+</p>
+</li>
+<li>
+<p>
+port <strong>appid.session_log_filter.dst_port</strong>: destination port { 1: }
+</p>
+</li>
+<li>
+<p>
+bool <strong>appid.session_log_filter.log_all_sessions</strong> = false: enable logging for all appid sessions
+</p>
+</li>
+<li>
+<p>
+string <strong>appid.session_log_filter.protocol</strong>: ip protocol
+</p>
+</li>
+<li>
+<p>
+addr <strong>appid.session_log_filter.src_ip</strong> = 0.0.0.0/32: source ip address in CIDR format
+</p>
+</li>
+<li>
+<p>
+port <strong>appid.session_log_filter.src_port</strong>: source port { 1: }
+</p>
+</li>
+<li>
+<p>
 string <strong>appid.thirdparty_appid_dir</strong>: directory to load thirdparty AppId detectors from
 </p>
 </li>
@@ -18523,6 +19055,11 @@ string <strong>dce_smb.smb_invalid_shares</strong>: SMB shares to alert on
 </li>
 <li>
 <p>
+bool <strong>dce_smb.smb_legacy_mode</strong> = false: inspect only SMBv1
+</p>
+</li>
+<li>
+<p>
 int <strong>dce_smb.smb_max_chain</strong> = 3:  SMB max chain size { 0:255 }
 </p>
 </li>
@@ -18558,6 +19095,16 @@ int <strong>dce_tcp.reassemble_threshold</strong> = 0:  Minimum bytes received b
 </li>
 <li>
 <p>
+bool <strong>dce_udp.disable_defrag</strong> = false:  Disable DCE/RPC defragmentation
+</p>
+</li>
+<li>
+<p>
+int <strong>dce_udp.max_frag_len</strong> = 65535:  Maximum fragment size for defragmentation { 1514:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>detection.asn1</strong> = 256: maximum decode nodes { 1: }
 </p>
 </li>
@@ -18823,6 +19370,11 @@ int <strong>file_id.lookup_timeout</strong> = 2: give up on lookup after this ma
 </li>
 <li>
 <p>
+int <strong>file_id.max_files_cached</strong> = 65536: maximal number of files cached in memory { 8: }
+</p>
+</li>
+<li>
+<p>
 int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0: }
 </p>
 </li>
@@ -19023,6 +19575,11 @@ string <strong>ftp_server.data_chan_cmds</strong>: check the formatting of the g
 </li>
 <li>
 <p>
+string <strong>ftp_server.data_rest_cmds</strong>: check the formatting of the given commands
+</p>
+</li>
+<li>
+<p>
 string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the given commands
 </p>
 </li>
@@ -19303,6 +19860,11 @@ string <strong>http_inspect.iis_unicode_map_file</strong>: file containing code
 </li>
 <li>
 <p>
+bool <strong>http_inspect.normalize_utf</strong> = true: normalize charset utf encodings
+</p>
+</li>
+<li>
+<p>
 int <strong>http_inspect.oversize_dir_length</strong> = 300: maximum length for URL directory { 1:65535 }
 </p>
 </li>
@@ -19673,7 +20235,7 @@ string <strong>itype.~range</strong>: check if icmp type is <em>type | min&lt;&g
 </li>
 <li>
 <p>
-enum <strong>latency.packet.action</strong> = alert_and_log: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }
+enum <strong>latency.packet.action</strong> = none: event action if packet times out and is fastpathed { none | alert | log | alert_and_log }
 </p>
 </li>
 <li>
@@ -19688,7 +20250,7 @@ int <strong>latency.packet.max_time</strong> = 500: set timeout for packet laten
 </li>
 <li>
 <p>
-enum <strong>latency.rule.action</strong> = alert_and_log: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }
+enum <strong>latency.rule.action</strong> = none: event action for rule latency enable and suspend events { none | alert | log | alert_and_log }
 </p>
 </li>
 <li>
@@ -20368,7 +20930,7 @@ int <strong>rate_filter[].gid</strong> = 1: rule generator ID { 0: }
 </li>
 <li>
 <p>
-select <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { alert | drop | log | pass | | reject | sdrop }
+enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }
 </p>
 </li>
 <li>
@@ -20508,17 +21070,17 @@ int <strong>rev.~</strong>: revision { 1: }
 </li>
 <li>
 <p>
-string <strong>rpc.~app</strong>: application number
+int <strong>rpc.~app</strong>: application number
 </p>
 </li>
 <li>
 <p>
-string <strong>rpc.~proc</strong>: procedure number or * for any
+int <strong>rpc.proc</strong>: procedure number or * for any
 </p>
 </li>
 <li>
 <p>
-string <strong>rpc.~ver</strong>: version number or * for any
+int <strong>rpc.ver</strong>: version number or * for any
 </p>
 </li>
 <li>
@@ -20563,11 +21125,6 @@ bool <strong>search_engine.debug</strong> = false: print verbose fast pattern in
 </li>
 <li>
 <p>
-bool <strong>search_engine.debug_print_fast_pattern</strong> = false: print fast pattern info for each rule
-</p>
-</li>
-<li>
-<p>
 bool <strong>search_engine.debug_print_nocontent_rule_tests</strong> = false: print rule group info during packet evaluation
 </p>
 </li>
@@ -20618,6 +21175,11 @@ bool <strong>search_engine.search_optimize</strong> = true: tweak state machine
 </li>
 <li>
 <p>
+bool <strong>search_engine.show_fast_patterns</strong> = false: print fast pattern info for each rule
+</p>
+</li>
+<li>
+<p>
 bool <strong>search_engine.split_any_any</strong> = false: evaluate any-any rules separately to save memory
 </p>
 </li>
@@ -20673,6 +21235,11 @@ implied <strong>sha512.relative</strong> = false: offset from cursor instead of
 </li>
 <li>
 <p>
+string <strong>side_channel.connector</strong>: connector handle
+</p>
+</li>
+<li>
+<p>
 string <strong>side_channel.connectors[].connector</strong>: connector handle
 </p>
 </li>
@@ -21413,11 +21980,6 @@ implied <strong>snort.--warn-vars</strong>: warn about variable definition and u
 </li>
 <li>
 <p>
-implied <strong>snort.-w</strong>: dump 802.11 management and control frames
-</p>
-</li>
-<li>
-<p>
 implied <strong>snort.-W</strong>: lists available interfaces
 </p>
 </li>
@@ -21588,11 +22150,6 @@ implied <strong>ssl_version.tls1.2</strong>: check for tls1.2
 </li>
 <li>
 <p>
-int <strong>stream.file_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
-<li>
-<p>
 int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
 </p>
 </li>
@@ -21613,17 +22170,12 @@ bool <strong>stream_file.upload</strong> = false: indicate file transfer directi
 </li>
 <li>
 <p>
-int <strong>stream.icmp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
-<li>
-<p>
 int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.icmp_cache.max_sessions</strong> = 32768: maximum simultaneous sessions tracked before pruning { 2: }
+int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
 <li>
@@ -21638,22 +22190,22 @@ int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout
 </li>
 <li>
 <p>
-int <strong>stream.ip_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
+int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
+int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.ip_cache.max_sessions</strong> = 16384: maximum simultaneous sessions tracked before pruning { 2: }
+int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.ip_cache.pruning_timeout</strong> = 30: minimum inactive time before being eligible for pruning { 1: }
+bool <strong>stream.ip_frags_only</strong> = false: don&#8217;t process non-frag flows
 </p>
 </li>
 <li>
@@ -21688,6 +22240,11 @@ int <strong>stream_ip.session_timeout</strong> = 30: session tracking timeout {
 </li>
 <li>
 <p>
+int <strong>stream_ip.trace</strong>: mask for enabling debug traces in module
+</p>
+</li>
+<li>
+<p>
 enum <strong>stream_reassemble.action</strong>: stop or start stream reassembly { disable|enable }
 </p>
 </li>
@@ -21718,17 +22275,12 @@ string <strong>stream_size.~range</strong>: size for comparison
 </li>
 <li>
 <p>
-int <strong>stream.tcp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
-<li>
-<p>
 int <strong>stream.tcp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.tcp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }
+int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
 <li>
@@ -21813,17 +22365,12 @@ int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of
 </li>
 <li>
 <p>
-int <strong>stream.udp_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
-<li>
-<p>
 int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
 </p>
 </li>
 <li>
 <p>
-int <strong>stream.udp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2: }
+int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2: }
 </p>
 </li>
 <li>
@@ -21843,11 +22390,6 @@ int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout {
 </li>
 <li>
 <p>
-int <strong>stream.user_cache.cleanup_pct</strong> = 5: percent of cache to clean when max_sessions is reached { 1:100 }
-</p>
-</li>
-<li>
-<p>
 int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1: }
 </p>
 </li>
@@ -21908,6 +22450,26 @@ int <strong>tag.seconds</strong>: tag for this many seconds { 1: }
 </li>
 <li>
 <p>
+string <strong>tcp_connector.address</strong>: address
+</p>
+</li>
+<li>
+<p>
+port <strong>tcp_connector.base_port</strong>: base port number
+</p>
+</li>
+<li>
+<p>
+string <strong>tcp_connector.connector</strong>: connector name
+</p>
+</li>
+<li>
+<p>
+enum <strong>tcp_connector.setup</strong>: stream establishment { call | answer }
+</p>
+</li>
+<li>
+<p>
 int <strong>telnet.ayt_attack_thresh</strong> = -1: alert on this number of consecutive telnet AYT commands { -1: }
 </p>
 </li>
@@ -22038,6 +22600,11 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 <div class="ulist"><ul>
 <li>
 <p>
+<strong>appid.aim_clients</strong>: count of aim clients discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.battlefield_flows</strong>: count of battle field flows discovered by appid
 </p>
 </li>
@@ -22063,6 +22630,11 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>appid.bootp_flows</strong>: count of bootp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.dcerpc_tcp_flows</strong>: count of dce rpc flows over tcp discovered by appid
 </p>
 </li>
@@ -22073,6 +22645,11 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>appid.direct_connect_flows</strong>: count of direct connect flows discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.dns_tcp_flows</strong>: count of dns flows over tcp discovered by appid
 </p>
 </li>
@@ -22093,6 +22670,16 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>appid.http_flows</strong>: count of http flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.ignored packets</strong>: count of packets ignored by appid inspector
+</p>
+</li>
+<li>
+<p>
 <strong>appid.imap_flows</strong>: count of imap service flows discovered by appid
 </p>
 </li>
@@ -22133,17 +22720,42 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>appid.msn_clients</strong>: count of msn clients discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.mysql_flows</strong>: count of mysql service flows discovered by appid
 </p>
 </li>
 <li>
 <p>
-<strong>appid.netbios_flows</strong>: count of netbios service flows discovered by appid
+<strong>appid.netbios_dgm_flows</strong>: count of netbios-dgm service flows discovered by appid
 </p>
 </li>
 <li>
 <p>
-<strong>appid.packets</strong>: count of packets processed by appid
+<strong>appid.netbios_ns_flows</strong>: count of netbios-ns service flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.netbios_ssn_flows</strong>: count of netbios-ssn service flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.nntp_flows</strong>: count of nntp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.ntp_flows</strong>: count of ntp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.packets</strong>: count of packets received by appid inspector
 </p>
 </li>
 <li>
@@ -22153,16 +22765,141 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>appid.processed packets</strong>: count of packets processed by appid inspector
+</p>
+</li>
+<li>
+<p>
+<strong>appid.radius_flows</strong>: count of radius flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rexec_flows</strong>: count of rexec flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rfb_flows</strong>: count of rfb flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rlogin_flows</strong>: count of rlogin flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rpc_flows</strong>: count of rpc flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rshell_flows</strong>: count of rshell flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rsync_flows</strong>: count of rsync service flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rtmp_flows</strong>: count of rtmp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.rtp_clients</strong>: count of rtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.sip_clients</strong>: count of SIP clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.sip_flows</strong>: count of SIP flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_aol_clients</strong>: count of AOL smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_applemail_clients</strong>: count of Apple Mail smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_eudora_clients</strong>: count of Eudora smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_eudora_pro_clients</strong>: count of Eudora Pro smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_evolution_clients</strong>: count of Evolution smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.smtp_flows</strong>: count of smtp flows discovered by appid
 </p>
 </li>
 <li>
 <p>
+<strong>appid.smtp_kmail_clients</strong>: count of KMail smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_lotus_notes_clients</strong>: count of Lotus Notes smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_microsoft_outlook_clients</strong>: count of Microsoft Outlook smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_microsoft_outlook_express_clients</strong>: count of Microsoft Outlook Express smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_microsoft_outlook_imo_clients</strong>: count of Microsoft Outlook IMO smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.smtp_mutt_clients</strong>: count of Mutt smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.smtps_flows</strong>: count of smtps flows discovered by appid
 </p>
 </li>
 <li>
 <p>
+<strong>appid.smtp_thunderbird_clients</strong>: count of Thunderbird smtp clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.snmp_flows</strong>: count of snmp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.ssh_clients</strong>: count of ssh clients discovered by appid
 </p>
 </li>
@@ -22183,11 +22920,36 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>appid.tftp_flows</strong>: count of tftp flows discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>appid.timbuktu_flows</strong>: count of timbuktu flows discovered by appid
 </p>
 </li>
 <li>
 <p>
+<strong>appid.tns_clients</strong>: count of tns clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.tns_flows</strong>: count of tns flows discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.vnc_clients</strong>: count of vnc clients discovered by appid
+</p>
+</li>
+<li>
+<p>
+<strong>appid.yahoo_messenger_clients</strong>: count of Yahoo Messenger clients discovered by appid
+</p>
+</li>
+<li>
+<p>
 <strong>arp_spoof.packets</strong>: total packets
 </p>
 </li>
@@ -22393,6 +23155,11 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>dce_smb.Ignored bytes</strong>: total ignored bytes
+</p>
+</li>
+<li>
+<p>
 <strong>dce_smb.Max outstanding requests</strong>: total smb maximum outstanding requests
 </p>
 </li>
@@ -22413,237 +23180,387 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>dce_smb.Other responses</strong>: total connection-oriented other responses
+<strong>dce_smb.Other responses</strong>: total connection-oriented other responses
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Packets</strong>: total smb packets
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Rejects</strong>: total connection-oriented rejects
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Request fragments</strong>: total connection-oriented request fragments
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Requests</strong>: total connection-oriented requests
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Response fragments</strong>: total connection-oriented response fragments
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Responses</strong>: total connection-oriented responses
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Server frags reassembled</strong>: total connection-oriented server fragments reassembled
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Server max fragment size</strong>: connection-oriented server maximum fragment size
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Server min fragment size</strong>: connection-oriented server minimum fragment size
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Server segs reassembled</strong>: total connection-oriented server segments reassembled
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Server segs reassembled</strong>: total smb server segments reassembled
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Sessions</strong>: total smb sessions
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.Shutdowns</strong>: total connection-oriented shutdowns
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 close</strong>: total number of SMBv2 close packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 create</strong>: total number of SMBv2 create packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 read</strong>: total number of SMBv2 read packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 set info</strong>: total number of SMBv2 set info packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 tree connect</strong>: total number of SMBv2 tree connect packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 tree disconnect</strong>: total number of SMBv2 tree disconnect packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_smb.SMBv2 write</strong>: total number of SMBv2 write packets seen
+</p>
+</li>
+<li>
+<p>
+<strong>dce_tcp.aborted sessions</strong>: total aborted sessions
+</p>
+</li>
+<li>
+<p>
+<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses
+</p>
+</li>
+<li>
+<p>
+<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts
+</p>
+</li>
+<li>
+<p>
+<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s
+</p>
+</li>
+<li>
+<p>
+<strong>dce_tcp.bad autodetects</strong>: total bad autodetects
+</p>
+</li>
+<li>
+<p>
+<strong>dce_tcp.Bind acks</strong>: total connection-oriented binds acks
+</p>
+</li>
+<li>
+<p>
+<strong>dce_tcp.Bind naks</strong>: total connection-oriented bind naks
+</p>
+</li>
+<li>
+<p>
+<strong>dce_tcp.Binds</strong>: total connection-oriented binds
+</p>
+</li>
+<li>
+<p>
+<strong>dce_tcp.Cancels</strong>: total connection-oriented cancels
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Packets</strong>: total smb packets
+<strong>dce_tcp.Client frags reassembled</strong>: total connection-oriented client fragments reassembled
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.PDUs</strong>: total connection-oriented PDUs
+<strong>dce_tcp.Client max fragment size</strong>: connection-oriented client maximum fragment size
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Rejects</strong>: total connection-oriented rejects
+<strong>dce_tcp.Client min fragment size</strong>: connection-oriented client minimum fragment size
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Request fragments</strong>: total connection-oriented request fragments
+<strong>dce_tcp.Client segs reassembled</strong>: total connection-oriented client segments reassembled
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Requests</strong>: total connection-oriented requests
+<strong>dce_tcp.events</strong>: total events
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Response fragments</strong>: total connection-oriented response fragments
+<strong>dce_tcp.Faults</strong>: total connection-oriented faults
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Responses</strong>: total connection-oriented responses
+<strong>dce_tcp.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Server frags reassembled</strong>: total connection-oriented server fragments reassembled
+<strong>dce_tcp.Orphaned</strong>: total connection-oriented orphaned
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Server max fragment size</strong>: connection-oriented server maximum fragment size
+<strong>dce_tcp.Other requests</strong>: total connection-oriented other requests
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Server min fragment size</strong>: connection-oriented server minimum fragment size
+<strong>dce_tcp.Other responses</strong>: total connection-oriented other responses
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Server segs reassembled</strong>: total connection-oriented server segments reassembled
+<strong>dce_tcp.PDUs</strong>: total connection-oriented PDUs
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Server segs reassembled</strong>: total smb server segments reassembled
+<strong>dce_tcp.Rejects</strong>: total connection-oriented rejects
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Sessions</strong>: total smb sessions
+<strong>dce_tcp.Request fragments</strong>: total connection-oriented request fragments
 </p>
 </li>
 <li>
 <p>
-<strong>dce_smb.Shutdowns</strong>: total connection-oriented shutdowns
+<strong>dce_tcp.Requests</strong>: total connection-oriented requests
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.aborted sessions</strong>: total aborted sessions
+<strong>dce_tcp.Response fragments</strong>: total connection-oriented response fragments
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Alter context responses</strong>: total connection-oriented alter context responses
+<strong>dce_tcp.Responses</strong>: total connection-oriented responses
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Alter contexts</strong>: total connection-oriented alter contexts
+<strong>dce_tcp.Server frags reassembled</strong>: total connection-oriented server fragments reassembled
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Auth3s</strong>: total connection-oriented auth3s
+<strong>dce_tcp.Server max fragment size</strong>: connection-oriented server maximum fragment size
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.bad autodetects</strong>: total bad autodetects
+<strong>dce_tcp.Server min fragment size</strong>: connection-oriented server minimum fragment size
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Bind acks</strong>: total connection-oriented binds acks
+<strong>dce_tcp.Server segs reassembled</strong>: total connection-oriented server segments reassembled
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Bind naks</strong>: total connection-oriented bind naks
+<strong>dce_tcp.Shutdowns</strong>: total connection-oriented shutdowns
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Binds</strong>: total connection-oriented binds
+<strong>dce_tcp.tcp packets</strong>: total tcp packets
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Cancels</strong>: total connection-oriented cancels
+<strong>dce_tcp.tcp sessions</strong>: total tcp sessions
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Client frags reassembled</strong>: total connection-oriented client fragments reassembled
+<strong>dce_udp.aborted sessions</strong>: total aborted sessions
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Client max fragment size</strong>: connection-oriented client maximum fragment size
+<strong>dce_udp.Acks</strong>: total connection-less acks
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Client min fragment size</strong>: connection-oriented client minimum fragment size
+<strong>dce_udp.bad autodetects</strong>: total bad autodetects
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Client segs reassembled</strong>: total connection-oriented client segments reassembled
+<strong>dce_udp.Cancel acks</strong>: total connection-less cancel acks
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.events</strong>: total events
+<strong>dce_udp.Cancels</strong>: total connection-less cancels
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Faults</strong>: total connection-oriented faults
+<strong>dce_udp.Client facks</strong>: total connection-less client facks
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.MS RPC/HTTP PDUs</strong>: total connection-oriented MS requests to send RPC over HTTP
+<strong>dce_udp.events</strong>: total events
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Orphaned</strong>: total connection-oriented orphaned
+<strong>dce_udp.Faults</strong>: total connection-less faults
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Other requests</strong>: total connection-oriented other requests
+<strong>dce_udp.Fragments</strong>: total connection-less fragments
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Other responses</strong>: total connection-oriented other responses
+<strong>dce_udp.Frags reassembled</strong>: total connection-less fragments reassembled
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.PDUs</strong>: total connection-oriented PDUs
+<strong>dce_udp.Max fragment size</strong>: connection-less maximum fragment size
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Rejects</strong>: total connection-oriented rejects
+<strong>dce_udp.Max seqnum</strong>: max connection-less seqnum
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Request fragments</strong>: total connection-oriented request fragments
+<strong>dce_udp.No calls</strong>: total connection-less no calls
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Requests</strong>: total connection-oriented requests
+<strong>dce_udp.Other requests</strong>: total connection-less other requests
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Response fragments</strong>: total connection-oriented response fragments
+<strong>dce_udp.Other responses</strong>: total connection-less other responses
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Responses</strong>: total connection-oriented responses
+<strong>dce_udp.Ping</strong>: total connection-less ping
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Server frags reassembled</strong>: total connection-oriented server fragments reassembled
+<strong>dce_udp.Rejects</strong>: total connection-less rejects
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Server max fragment size</strong>: connection-oriented server maximum fragment size
+<strong>dce_udp.Requests</strong>: total connection-less requests
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Server min fragment size</strong>: connection-oriented server minimum fragment size
+<strong>dce_udp.Responses</strong>: total connection-less responses
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Server segs reassembled</strong>: total connection-oriented server segments reassembled
+<strong>dce_udp.Server facks</strong>: total connection-less server facks
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.Shutdowns</strong>: total connection-oriented shutdowns
+<strong>dce_udp.udp packets</strong>: total udp packets
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.tcp packets</strong>: total tcp packets
+<strong>dce_udp.udp sessions</strong>: total udp sessions
 </p>
 </li>
 <li>
 <p>
-<strong>dce_tcp.tcp sessions</strong>: total tcp sessions
+<strong>dce_udp.Working</strong>: total connection-less working
 </p>
 </li>
 <li>
@@ -22688,6 +23605,11 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>detection.hard evals</strong>: non-fast pattern rule evaluations
+</p>
+</li>
+<li>
+<p>
 <strong>detection.header searches</strong>: fast pattern searches in header buffer
 </p>
 </li>
@@ -22733,11 +23655,6 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>detection.slow searches</strong>: non-fast pattern rule evaluations
-</p>
-</li>
-<li>
-<p>
 <strong>detection.total alerts</strong>: alerts including IP reputation
 </p>
 </li>
@@ -23043,27 +23960,37 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>latency.packet_timeouts</strong>: packets that timed out
+<strong>latency.max usecs</strong>: maximum usecs elapsed
 </p>
 </li>
 <li>
 <p>
-<strong>latency.rule_eval_timeouts</strong>: rule evals that timed out
+<strong>latency.packet timeouts</strong>: packets that timed out
 </p>
 </li>
 <li>
 <p>
-<strong>latency.rule_tree_enables</strong>: rule tree re-enables
+<strong>latency.rule eval timeouts</strong>: rule evals that timed out
 </p>
 </li>
 <li>
 <p>
-<strong>latency.total_packets</strong>: total packets monitored
+<strong>latency.rule tree enables</strong>: rule tree re-enables
 </p>
 </li>
 <li>
 <p>
-<strong>latency.total_rule_evals</strong>: total rule evals monitored
+<strong>latency.total packets</strong>: total packets monitored
+</p>
+</li>
+<li>
+<p>
+<strong>latency.total rule evals</strong>: total rule evals monitored
+</p>
+</li>
+<li>
+<p>
+<strong>latency.total usecs</strong>: total usecs elapsed
 </p>
 </li>
 <li>
@@ -23873,32 +24800,32 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.file memcap prunes</strong>: file sessions pruned due to memcap
+<strong>stream.file ha prunes</strong>: file sessions pruned by high availability sync
 </p>
 </li>
 <li>
 <p>
-<strong>stream.file preemptive prunes</strong>: file sessions pruned during preemptive pruning
+<strong>stream.file idle prunes</strong>: file sessions pruned due to timeout
 </p>
 </li>
 <li>
 <p>
-<strong>stream.file timeout prunes</strong>: file sessions pruned due to timeout
+<strong>stream.file memcap prunes</strong>: file sessions pruned due to memcap
 </p>
 </li>
 <li>
 <p>
-<strong>stream.file total prunes</strong>: total file sessions pruned
+<strong>stream.file preemptive prunes</strong>: file sessions pruned during preemptive pruning
 </p>
 </li>
 <li>
 <p>
-<strong>stream.file uni prunes</strong>: file uni sessions pruned
+<strong>stream.file total prunes</strong>: total file sessions pruned
 </p>
 </li>
 <li>
 <p>
-<strong>stream.file user prunes</strong>: file sessions pruned for other reasons
+<strong>stream.file uni prunes</strong>: file uni sessions pruned
 </p>
 </li>
 <li>
@@ -23918,6 +24845,16 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>stream.icmp ha prunes</strong>: icmp sessions pruned by high availability sync
+</p>
+</li>
+<li>
+<p>
+<strong>stream.icmp idle prunes</strong>: icmp sessions pruned due to timeout
+</p>
+</li>
+<li>
+<p>
 <strong>stream_icmp.max</strong>: max icmp sessions
 </p>
 </li>
@@ -23948,11 +24885,6 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.icmp timeout prunes</strong>: icmp sessions pruned due to timeout
-</p>
-</li>
-<li>
-<p>
 <strong>stream_icmp.timeouts</strong>: icmp session timeouts
 </p>
 </li>
@@ -23968,11 +24900,6 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.icmp user prunes</strong>: icmp sessions pruned for other reasons
-</p>
-</li>
-<li>
-<p>
 <strong>stream_ip.alerts</strong>: alerts generated
 </p>
 </li>
@@ -23988,7 +24915,7 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream_ip.current</strong>: current fragments
+<strong>stream_ip.current frags</strong>: current fragments
 </p>
 </li>
 <li>
@@ -24023,6 +24950,16 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>stream.ip ha prunes</strong>: ip sessions pruned by high availability sync
+</p>
+</li>
+<li>
+<p>
+<strong>stream.ip idle prunes</strong>: ip sessions pruned due to timeout
+</p>
+</li>
+<li>
+<p>
 <strong>stream_ip.max frags</strong>: max fragments
 </p>
 </li>
@@ -24088,22 +25025,17 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.ip timeout prunes</strong>: ip sessions pruned due to timeout
-</p>
-</li>
-<li>
-<p>
 <strong>stream_ip.timeouts</strong>: ip session timeouts
 </p>
 </li>
 <li>
 <p>
-<strong>stream.ip total prunes</strong>: total ip sessions pruned
+<strong>stream_ip.total frags</strong>: total fragments
 </p>
 </li>
 <li>
 <p>
-<strong>stream_ip.total</strong>: total fragments
+<strong>stream.ip total prunes</strong>: total ip sessions pruned
 </p>
 </li>
 <li>
@@ -24133,11 +25065,6 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.ip user prunes</strong>: ip sessions pruned for other reasons
-</p>
-</li>
-<li>
-<p>
 <strong>stream_tcp.3way trackers</strong>: tcp session tracking started on ack
 </p>
 </li>
@@ -24193,6 +25120,16 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>stream.tcp ha prunes</strong>: tcp sessions pruned by high availability sync
+</p>
+</li>
+<li>
+<p>
+<strong>stream.tcp idle prunes</strong>: tcp sessions pruned due to timeout
+</p>
+</li>
+<li>
+<p>
 <strong>stream_tcp.ignored</strong>: tcp packets ignored
 </p>
 </li>
@@ -24313,11 +25250,6 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.tcp timeout prunes</strong>: tcp sessions pruned due to timeout
-</p>
-</li>
-<li>
-<p>
 <strong>stream_tcp.timeouts</strong>: tcp session timeouts
 </p>
 </li>
@@ -24338,22 +25270,27 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.tcp user prunes</strong>: tcp sessions pruned for other reasons
+<strong>stream_udp.created</strong>: udp session trackers created
 </p>
 </li>
 <li>
 <p>
-<strong>stream_udp.created</strong>: udp session trackers created
+<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess
 </p>
 </li>
 <li>
 <p>
-<strong>stream.udp excess prunes</strong>: udp sessions pruned due to excess
+<strong>stream.udp flows</strong>: total udp sessions
 </p>
 </li>
 <li>
 <p>
-<strong>stream.udp flows</strong>: total udp sessions
+<strong>stream.udp ha prunes</strong>: udp sessions pruned by high availability sync
+</p>
+</li>
+<li>
+<p>
+<strong>stream.udp idle prunes</strong>: udp sessions pruned due to timeout
 </p>
 </li>
 <li>
@@ -24388,11 +25325,6 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.udp timeout prunes</strong>: udp sessions pruned due to timeout
-</p>
-</li>
-<li>
-<p>
 <strong>stream_udp.timeouts</strong>: udp session timeouts
 </p>
 </li>
@@ -24408,32 +25340,32 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.udp user prunes</strong>: udp sessions pruned for other reasons
+<strong>stream.user excess prunes</strong>: user sessions pruned due to excess
 </p>
 </li>
 <li>
 <p>
-<strong>stream.user excess prunes</strong>: user sessions pruned due to excess
+<strong>stream.user flows</strong>: total user sessions
 </p>
 </li>
 <li>
 <p>
-<strong>stream.user flows</strong>: total user sessions
+<strong>stream.user ha prunes</strong>: user sessions pruned by high availability sync
 </p>
 </li>
 <li>
 <p>
-<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap
+<strong>stream.user idle prunes</strong>: user sessions pruned due to timeout
 </p>
 </li>
 <li>
 <p>
-<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning
+<strong>stream.user memcap prunes</strong>: user sessions pruned due to memcap
 </p>
 </li>
 <li>
 <p>
-<strong>stream.user timeout prunes</strong>: user sessions pruned due to timeout
+<strong>stream.user preemptive prunes</strong>: user sessions pruned during preemptive pruning
 </p>
 </li>
 <li>
@@ -24448,17 +25380,17 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>stream.user user prunes</strong>: user sessions pruned for other reasons
+<strong>tcp.bad checksum (ip4)</strong>: nonzero tcp over ip checksums
 </p>
 </li>
 <li>
 <p>
-<strong>tcp.bad checksum (ip4)</strong>: nonzero tcp over ip checksums
+<strong>tcp.bad checksum (ip6)</strong>: nonzero tcp over ipv6 checksums
 </p>
 </li>
 <li>
 <p>
-<strong>tcp.bad checksum (ip6)</strong>: nonzero tcp over ipv6 checksums
+<strong>tcp_connector.messages</strong>: total messages
 </p>
 </li>
 <li>
@@ -24538,6 +25470,11 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>116</strong>: ciscometadata
+</p>
+</li>
+<li>
+<p>
 <strong>116</strong>: decode
 </p>
 </li>
@@ -24688,6 +25625,11 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>133</strong>: dce_udp
+</p>
+</li>
+<li>
+<p>
 <strong>134</strong>: latency
 </p>
 </li>
@@ -25518,7 +26460,27 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
-<strong>116:468</strong> (decode) too many protocols present
+<strong>116:468</strong> (ciscometadata) truncated Cisco Metadata header
+</p>
+</li>
+<li>
+<p>
+<strong>116:469</strong> (ciscometadata) invalid Cisco Metadata option length
+</p>
+</li>
+<li>
+<p>
+<strong>116:470</strong> (ciscometadata) invalid Cisco Metadata option type
+</p>
+</li>
+<li>
+<p>
+<strong>116:471</strong> (ciscometadata) invalid Cisco Metadata SGT
+</p>
+</li>
+<li>
+<p>
+<strong>116:472</strong> (decode) too many protocols present
 </p>
 </li>
 <li>
@@ -25848,6 +26810,11 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>119:66</strong> (http_inspect) White space within header name
+</p>
+</li>
+<li>
+<p>
 <strong>119:67</strong> (http_inspect) Excessive gzip compression
 </p>
 </li>
@@ -25893,6 +26860,21 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>119:76</strong> (http_inspect) Unsupported Transfer-Encoding or Content-Encoding used
+</p>
+</li>
+<li>
+<p>
+<strong>119:77</strong> (http_inspect) Unknown Transfer-Encoding or Content-Encoding used
+</p>
+</li>
+<li>
+<p>
+<strong>119:78</strong> (http_inspect) Multiple layers of compression encodings applied
+</p>
+</li>
+<li>
+<p>
 <strong>122:1</strong> (port_scan) TCP portscan
 </p>
 </li>
@@ -26593,6 +27575,26 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>133:40</strong> (dce_udp) Connection-less DCE/RPC - Invalid major version.
+</p>
+</li>
+<li>
+<p>
+<strong>133:41</strong> (dce_udp) Connection-less DCE/RPC - Invalid pdu type.
+</p>
+</li>
+<li>
+<p>
+<strong>133:42</strong> (dce_udp) Connection-less DCE/RPC - Data length less than header size.
+</p>
+</li>
+<li>
+<p>
+<strong>133:43</strong> (dce_udp) Connection-less DCE/RPC - Bad sequence number.
+</p>
+</li>
+<li>
+<p>
 <strong>133:44</strong> (dce_smb) SMB - Invalid SMB version 1 seen.
 </p>
 </li>
@@ -26658,6 +27660,16 @@ string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with
 </li>
 <li>
 <p>
+<strong>133:58</strong> (dce_smb) SMB - File offset provided is greater than file size specified
+</p>
+</li>
+<li>
+<p>
+<strong>133:59</strong> (dce_smb) SMB - Next command specified in SMB2 header is beyond payload boundary
+</p>
+</li>
+<li>
+<p>
 <strong>134:1</strong> (latency) rule tree suspended due to latency
 </p>
 </li>
@@ -27489,6 +28501,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>ciscometadata</strong> (codec): support for cisco metadata
+</p>
+</li>
+<li>
+<p>
 <strong>classifications</strong> (basic): define rule categories with priority
 </p>
 </li>
@@ -27539,6 +28556,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>dce_udp</strong> (inspector): dce over udp inspection
+</p>
+</li>
+<li>
+<p>
 <strong>decode</strong> (basic): general decoder rules
 </p>
 </li>
@@ -28284,6 +29306,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>tcp_connector</strong> (connector): implement the tcp stream connector
+</p>
+</li>
+<li>
+<p>
 <strong>telnet</strong> (inspector): telnet inspection and normalization
 </p>
 </li>
@@ -28339,6 +29366,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>codec::ciscometadata</strong>: support for cisco metadata
+</p>
+</li>
+<li>
+<p>
 <strong>codec::erspan2</strong>: support for encapsulated remote switched port analyzer - type 2
 </p>
 </li>
@@ -28514,6 +29546,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>connector::tcp_connector</strong>: implement the tcp stream connector
+</p>
+</li>
+<li>
+<p>
 <strong>inspector::appid</strong>: application and service identification
 </p>
 </li>
@@ -28544,6 +29581,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>inspector::dce_udp</strong>: dce over udp inspection
+</p>
+</li>
+<li>
+<p>
 <strong>inspector::dnp3</strong>: dnp3 inspection
 </p>
 </li>
@@ -29296,7 +30338,7 @@ deleted -&gt; unified2: 'filename'</code></pre>
 <div id="footnotes"><hr /></div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2016-08-11 02:38:58 EDT
+Last updated 2016-11-03 23:18:47 EDT
 </div>
 </div>
 </body>
diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf
index 1d96d7232..2270fa130 100644
Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ
diff --git a/doc/snort_manual.text b/doc/snort_manual.text
index c2a88e45f..a062539c6 100644
--- a/doc/snort_manual.text
+++ b/doc/snort_manual.text
@@ -320,7 +320,7 @@ Table of Contents
 Snorty
 
  ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0-a4 (Build 213) from 2.9.7-262
+o"  )~   Version 3.0.0-a4 (Build 217) from 2.9.7-262
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
          Copyright (C) 2014-2016 Cisco and/or its affiliates. All rights reserved.
@@ -1344,7 +1344,7 @@ Configuration:
 Peg counts:
 
   * detection.analyzed: packets sent to detection
-  * detection.slow searches: non-fast pattern rule evaluations
+  * detection.hard evals: non-fast pattern rule evaluations
   * detection.raw searches: fast pattern searches in raw packet data
   * detection.cooked searches: fast pattern searches in cooked packet
     data
@@ -1598,9 +1598,8 @@ Configuration:
     thresholding (usec) { 0: }
   * bool latency.packet.fastpath = false: fastpath expensive packets
     (max_time exceeded)
-  * enum latency.packet.action = alert_and_log: event action if
-    packet times out and is fastpathed { none | alert | log |
-    alert_and_log }
+  * enum latency.packet.action = none: event action if packet times
+    out and is fastpathed { none | alert | log | alert_and_log }
   * int latency.rule.max_time = 500: set timeout for rule evaluation
     (usec) { 0: }
   * bool latency.rule.suspend = false: temporarily suspend expensive
@@ -1609,9 +1608,8 @@ Configuration:
     of timeouts before suspending a rule { 1: }
   * int latency.rule.max_suspend_time = 30000: set max time for
     suspending a rule (ms, 0 means permanently disable rule) { 0: }
-  * enum latency.rule.action = alert_and_log: event action for rule
-    latency enable and suspend events { none | alert | log |
-    alert_and_log }
+  * enum latency.rule.action = none: event action for rule latency
+    enable and suspend events { none | alert | log | alert_and_log }
 
 Rules:
 
@@ -1811,9 +1809,8 @@ Configuration:
   * int rate_filter[].count = 1: number of events in interval before
     tripping { 0: }
   * int rate_filter[].seconds = 1: count interval { 0: }
-  * select rate_filter[].new_action = alert: take this action on
-    future hits until timeout { alert | drop | log | pass | | reject
-    | sdrop }
+  * enum rate_filter[].new_action = alert: take this action on future
+    hits until timeout { log | pass | alert | drop | block | reset }
   * int rate_filter[].timeout = 1: count interval { 0: }
   * string rate_filter[].apply_to: restrict filter to these addresses
     according to track
@@ -1874,8 +1871,6 @@ Configuration:
     prints uncompiled rule group information
   * bool search_engine.debug_print_rule_groups_compiled = false:
     prints compiled rule group information
-  * bool search_engine.debug_print_fast_pattern = false: print fast
-    pattern info for each rule
   * int search_engine.max_pattern_len = 0: truncate patterns when
     compiling into state machine (0 means no maximum) { 0: }
   * int search_engine.max_queue_events = 5: maximum number of
@@ -1886,10 +1881,12 @@ Configuration:
   * dynamic search_engine.search_method = ac_bnfa: set fast pattern
     algorithm - choose available search engine { ac_banded | ac_bnfa
     | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }
-  * bool search_engine.split_any_any = false: evaluate any-any rules
-    separately to save memory
   * bool search_engine.search_optimize = true: tweak state machine
     construction for better performance
+  * bool search_engine.show_fast_patterns = false: print fast pattern
+    info for each rule
+  * bool search_engine.split_any_any = false: evaluate any-any rules
+    separately to save memory
 
 Peg counts:
 
@@ -2659,8 +2656,7 @@ Configuration:
   * string appid.conf: RNA configuration file
   * int appid.memcap = 268435456: time period for collecting and
     logging AppId statistics { 1048576:3221225472 }
-  * string appid.app_stats_filename: Filename for logging AppId
-    statistics
+  * bool appid.log_stats = false: enable logging of AppId statistics
   * int appid.app_stats_period = 300: time period for collecting and
     logging AppId statistics { 0: }
   * int appid.app_stats_rollover_size = 20971520: max file size for
@@ -2676,6 +2672,15 @@ Configuration:
     information
   * string appid.thirdparty_appid_dir: directory to load thirdparty
     AppId detectors from
+  * addr appid.session_log_filter.src_ip = 0.0.0.0/32: source ip
+    address in CIDR format
+  * addr appid.session_log_filter.dst_ip = 0.0.0.0/32: destination ip
+    address in CIDR format
+  * port appid.session_log_filter.src_port: source port { 1: }
+  * port appid.session_log_filter.dst_port: destination port { 1: }
+  * string appid.session_log_filter.protocol: ip protocol
+  * bool appid.session_log_filter.log_all_sessions = false: enable
+    logging for all appid sessions
 
 Peg counts:
 
@@ -2684,6 +2689,7 @@ Peg counts:
     inspector
   * appid.ignored packets: count of packets ignored by appid
     inspector
+  * appid.aim_clients: count of aim clients discovered by appid
   * appid.battlefield_flows: count of battle field flows discovered
     by appid
   * appid.bgp_flows: count of bgp flows discovered by appid
@@ -2692,16 +2698,20 @@ Peg counts:
   * appid.bit_flows: count of bittorrent flows discovered by appid
   * appid.bittracker_clients: count of bittorrent tracker clients
     discovered by appid
+  * appid.bootp_flows: count of bootp flows discovered by appid
   * appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
     discovered by appid
   * appid.dcerpc_udp_flows: count of dce rpc flows over udp
     discovered by appid
+  * appid.direct_connect_flows: count of direct connect flows
+    discovered by appid
   * appid.dns_tcp_flows: count of dns flows over tcp discovered by
     appid
   * appid.dns_udp_flows: count of dns flows over udp discovered by
     appid
   * appid.ftp_flows: count of ftp flows discovered by appid
   * appid.ftps_flows: count of ftps flows discovered by appid
+  * appid.http_flows: count of http flows discovered by appid
   * appid.imap_flows: count of imap service flows discovered by appid
   * appid.imaps_flows: count of imap TLS service flows discovered by
     appid
@@ -2713,13 +2723,30 @@ Peg counts:
   * appid.kerberos_users: count of kerberos users discovered by appid
   * appid.lpr_flows: count of lpr service flows discovered by appid
   * appid.mdns_flows: count of mdns service flows discovered by appid
+  * appid.msn_clients: count of msn clients discovered by appid
   * appid.mysql_flows: count of mysql service flows discovered by
     appid
-  * appid.netbios_flows: count of netbios service flows discovered by
-    appid
+  * appid.netbios_dgm_flows: count of netbios-dgm service flows
+    discovered by appid
+  * appid.netbios_ns_flows: count of netbios-ns service flows
+    discovered by appid
+  * appid.netbios_ssn_flows: count of netbios-ssn service flows
+    discovered by appid
+  * appid.nntp_flows: count of nntp flows discovered by appid
+  * appid.ntp_flows: count of ntp flows discovered by appid
   * appid.pop_flows: count of pop service flows discovered by appid
+  * appid.radius_flows: count of radius flows discovered by appid
+  * appid.rexec_flows: count of rexec flows discovered by appid
+  * appid.rfb_flows: count of rfb flows discovered by appid
+  * appid.rlogin_flows: count of rlogin flows discovered by appid
+  * appid.rpc_flows: count of rpc flows discovered by appid
+  * appid.rshell_flows: count of rshell flows discovered by appid
   * appid.rsync_flows: count of rsync service flows discovered by
     appid
+  * appid.rtmp_flows: count of rtmp flows discovered by appid
+  * appid.rtp_clients: count of rtp clients discovered by appid
+  * appid.sip_clients: count of SIP clients discovered by appid
+  * appid.sip_flows: count of SIP flows discovered by appid
   * appid.smtp_aol_clients: count of AOL smtp clients discovered by
     appid
   * appid.smtp_applemail_clients: count of Apple Mail smtp clients
@@ -2746,11 +2773,18 @@ Peg counts:
     discovered by appid
   * appid.smtp_flows: count of smtp flows discovered by appid
   * appid.smtps_flows: count of smtps flows discovered by appid
+  * appid.snmp_flows: count of snmp flows discovered by appid
   * appid.ssh_clients: count of ssh clients discovered by appid
   * appid.ssh_flows: count of ssh flows discovered by appid
   * appid.ssl_flows: count of ssl flows discovered by appid
   * appid.telnet_flows: count of telnet flows discovered by appid
+  * appid.tftp_flows: count of tftp flows discovered by appid
   * appid.timbuktu_flows: count of timbuktu flows discovered by appid
+  * appid.tns_clients: count of tns clients discovered by appid
+  * appid.tns_flows: count of tns flows discovered by appid
+  * appid.vnc_clients: count of vnc clients discovered by appid
+  * appid.yahoo_messenger_clients: count of Yahoo Messenger clients
+    discovered by appid
 
 
 5.2. arp_spoof
@@ -3297,6 +3331,8 @@ Configuration:
     commands
   * string ftp_server.data_chan_cmds: check the formatting of the
     given commands
+  * string ftp_server.data_rest_cmds: check the formatting of the
+    given commands
   * string ftp_server.data_xfer_cmds: check the formatting of the
     given commands
   * string ftp_server.directory_cmds[].dir_cmd: directory command
@@ -3514,6 +3550,7 @@ Rules:
     URI
   * 119:64 (http_inspect) HTTP chunk misformatted
   * 119:65 (http_inspect) White space following chunk length
+  * 119:66 (http_inspect) White space within header name
   * 119:67 (http_inspect) Excessive gzip compression
   * 119:68 (http_inspect) Gzip decompression failed
   * 119:69 (http_inspect) HTTP 0.9 requested followed by another
@@ -4423,6 +4460,7 @@ Configuration:
     | linux | bsd | bsd_right | last | windows | solaris }
   * int stream_ip.session_timeout = 30: session tracking timeout {
     1:86400 }
+  * int stream_ip.trace: mask for enabling debug traces in module
 
 Rules:
 
@@ -8266,9 +8304,11 @@ with.
   * Use FIXIT (not FIXTHIS or TODO or whatever) to mark things left
     for a day or even just a minute. That way we can find them easily
     and won’t lose track of them.
-  * Presently using FIXIT-X where X = P | H | M | L, indicating perf,
-    high, med, or low priority. For now, H, M, or L can indicate
-    alpha 1, 2, or 3. Perf changes fall between alpha 1 and 2.
+  * Presently using FIXIT-X where X = A | W | P | H | M | L,
+    indicating analysis, warning, perf, high, med, or low priority.
+    Place A and W comments on the exact warning line so we can match
+    up comments and build output. Supporting comments can be added
+    above.
   * Put the copyright(s) and license in a comment block at the top of
     each source file (.h and .cc). Don’t bother with trivial scripts
     and make foo. Some interesting Lua code should get a comment
@@ -8285,7 +8325,7 @@ with.
     // based on work by Ryan Jordan
 
   * Each header should have a comment immediately after the header
-    guard to give an overview of the file so the user knows what’s
+    guard to give an overview of the file so the reader knows what’s
     going on.
 
 
@@ -9211,8 +9251,6 @@ Some additional details to note:
     cons | ndelay | perror | pid }
   * string appid.app_detector_dir: directory to load AppId detectors
     from
-  * string appid.app_stats_filename: Filename for logging AppId
-    statistics
   * int appid.app_stats_period = 300: time period for collecting and
     logging AppId statistics { 0: }
   * int appid.app_stats_rollover_size = 20971520: max file size for
@@ -9225,9 +9263,19 @@ Some additional details to note:
     information
   * int appid.instance_id = 0: instance id - need more details for
     what this is { 0: }
+  * bool appid.log_stats = false: enable logging of AppId statistics
   * int appid.memcap = 268435456: time period for collecting and
     logging AppId statistics { 1048576:3221225472 }
   * string appids.~: appid option
+  * addr appid.session_log_filter.dst_ip = 0.0.0.0/32: destination ip
+    address in CIDR format
+  * port appid.session_log_filter.dst_port: destination port { 1: }
+  * bool appid.session_log_filter.log_all_sessions = false: enable
+    logging for all appid sessions
+  * string appid.session_log_filter.protocol: ip protocol
+  * addr appid.session_log_filter.src_ip = 0.0.0.0/32: source ip
+    address in CIDR format
+  * port appid.session_log_filter.src_port: source port { 1: }
   * string appid.thirdparty_appid_dir: directory to load thirdparty
     AppId detectors from
   * ip4 arp_spoof.hosts[].ip: host ip address
@@ -9545,6 +9593,8 @@ Some additional details to note:
     maximum for command { 0: }
   * string ftp_server.data_chan_cmds: check the formatting of the
     given commands
+  * string ftp_server.data_rest_cmds: check the formatting of the
+    given commands
   * string ftp_server.data_xfer_cmds: check the formatting of the
     given commands
   * int ftp_server.def_max_param_len = 100: default maximum length of
@@ -9781,16 +9831,14 @@ Some additional details to note:
     buffer
   * string itype.~range: check if icmp type is type | min<>max | <max
     | >min
-  * enum latency.packet.action = alert_and_log: event action if
-    packet times out and is fastpathed { none | alert | log |
-    alert_and_log }
+  * enum latency.packet.action = none: event action if packet times
+    out and is fastpathed { none | alert | log | alert_and_log }
   * bool latency.packet.fastpath = false: fastpath expensive packets
     (max_time exceeded)
   * int latency.packet.max_time = 500: set timeout for packet latency
     thresholding (usec) { 0: }
-  * enum latency.rule.action = alert_and_log: event action for rule
-    latency enable and suspend events { none | alert | log |
-    alert_and_log }
+  * enum latency.rule.action = none: event action for rule latency
+    enable and suspend events { none | alert | log | alert_and_log }
   * int latency.rule.max_suspend_time = 30000: set max time for
     suspending a rule (ms, 0 means permanently disable rule) { 0: }
   * int latency.rule.max_time = 500: set timeout for rule evaluation
@@ -10022,9 +10070,8 @@ Some additional details to note:
   * int rate_filter[].count = 1: number of events in interval before
     tripping { 0: }
   * int rate_filter[].gid = 1: rule generator ID { 0: }
-  * select rate_filter[].new_action = alert: take this action on
-    future hits until timeout { alert | drop | log | pass | | reject
-    | sdrop }
+  * enum rate_filter[].new_action = alert: take this action on future
+    hits until timeout { log | pass | alert | drop | block | reset }
   * int rate_filter[].seconds = 1: count interval { 0: }
   * int rate_filter[].sid = 1: rule signature ID { 0: }
   * int rate_filter[].timeout = 1: count interval { 0: }
@@ -10078,8 +10125,6 @@ Some additional details to note:
   * bool search_engine.bleedover_warnings_enabled = false: print
     warning if a rule is demoted to any-any port group
   * bool search_engine.debug = false: print verbose fast pattern info
-  * bool search_engine.debug_print_fast_pattern = false: print fast
-    pattern info for each rule
   * bool search_engine.debug_print_nocontent_rule_tests = false:
     print rule group info during packet evaluation
   * bool search_engine.debug_print_rule_group_build_details = false:
@@ -10102,6 +10147,8 @@ Some additional details to note:
     | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan }
   * bool search_engine.search_optimize = true: tweak state machine
     construction for better performance
+  * bool search_engine.show_fast_patterns = false: print fast pattern
+    info for each rule
   * bool search_engine.split_any_any = false: evaluate any-any rules
     separately to save memory
   * string seq.~range: check if tcp sequence number value is value |
@@ -10452,6 +10499,7 @@ Some additional details to note:
     | linux | bsd | bsd_right | last | windows | solaris }
   * int stream_ip.session_timeout = 30: session tracking timeout {
     1:86400 }
+  * int stream_ip.trace: mask for enabling debug traces in module
   * enum stream_reassemble.action: stop or start stream reassembly {
     disable|enable }
   * enum stream_reassemble.direction: action applies to the given
@@ -10580,6 +10628,7 @@ Some additional details to note:
 
 --------------
 
+  * appid.aim_clients: count of aim clients discovered by appid
   * appid.battlefield_flows: count of battle field flows discovered
     by appid
   * appid.bgp_flows: count of bgp flows discovered by appid
@@ -10588,16 +10637,20 @@ Some additional details to note:
   * appid.bit_flows: count of bittorrent flows discovered by appid
   * appid.bittracker_clients: count of bittorrent tracker clients
     discovered by appid
+  * appid.bootp_flows: count of bootp flows discovered by appid
   * appid.dcerpc_tcp_flows: count of dce rpc flows over tcp
     discovered by appid
   * appid.dcerpc_udp_flows: count of dce rpc flows over udp
     discovered by appid
+  * appid.direct_connect_flows: count of direct connect flows
+    discovered by appid
   * appid.dns_tcp_flows: count of dns flows over tcp discovered by
     appid
   * appid.dns_udp_flows: count of dns flows over udp discovered by
     appid
   * appid.ftp_flows: count of ftp flows discovered by appid
   * appid.ftps_flows: count of ftps flows discovered by appid
+  * appid.http_flows: count of http flows discovered by appid
   * appid.ignored packets: count of packets ignored by appid
     inspector
   * appid.imap_flows: count of imap service flows discovered by appid
@@ -10611,16 +10664,33 @@ Some additional details to note:
   * appid.kerberos_users: count of kerberos users discovered by appid
   * appid.lpr_flows: count of lpr service flows discovered by appid
   * appid.mdns_flows: count of mdns service flows discovered by appid
+  * appid.msn_clients: count of msn clients discovered by appid
   * appid.mysql_flows: count of mysql service flows discovered by
     appid
-  * appid.netbios_flows: count of netbios service flows discovered by
-    appid
+  * appid.netbios_dgm_flows: count of netbios-dgm service flows
+    discovered by appid
+  * appid.netbios_ns_flows: count of netbios-ns service flows
+    discovered by appid
+  * appid.netbios_ssn_flows: count of netbios-ssn service flows
+    discovered by appid
+  * appid.nntp_flows: count of nntp flows discovered by appid
+  * appid.ntp_flows: count of ntp flows discovered by appid
   * appid.packets: count of packets received by appid inspector
   * appid.pop_flows: count of pop service flows discovered by appid
   * appid.processed packets: count of packets processed by appid
     inspector
+  * appid.radius_flows: count of radius flows discovered by appid
+  * appid.rexec_flows: count of rexec flows discovered by appid
+  * appid.rfb_flows: count of rfb flows discovered by appid
+  * appid.rlogin_flows: count of rlogin flows discovered by appid
+  * appid.rpc_flows: count of rpc flows discovered by appid
+  * appid.rshell_flows: count of rshell flows discovered by appid
   * appid.rsync_flows: count of rsync service flows discovered by
     appid
+  * appid.rtmp_flows: count of rtmp flows discovered by appid
+  * appid.rtp_clients: count of rtp clients discovered by appid
+  * appid.sip_clients: count of SIP clients discovered by appid
+  * appid.sip_flows: count of SIP flows discovered by appid
   * appid.smtp_aol_clients: count of AOL smtp clients discovered by
     appid
   * appid.smtp_applemail_clients: count of Apple Mail smtp clients
@@ -10647,11 +10717,18 @@ Some additional details to note:
   * appid.smtps_flows: count of smtps flows discovered by appid
   * appid.smtp_thunderbird_clients: count of Thunderbird smtp clients
     discovered by appid
+  * appid.snmp_flows: count of snmp flows discovered by appid
   * appid.ssh_clients: count of ssh clients discovered by appid
   * appid.ssh_flows: count of ssh flows discovered by appid
   * appid.ssl_flows: count of ssl flows discovered by appid
   * appid.telnet_flows: count of telnet flows discovered by appid
+  * appid.tftp_flows: count of tftp flows discovered by appid
   * appid.timbuktu_flows: count of timbuktu flows discovered by appid
+  * appid.tns_clients: count of tns clients discovered by appid
+  * appid.tns_flows: count of tns flows discovered by appid
+  * appid.vnc_clients: count of vnc clients discovered by appid
+  * appid.yahoo_messenger_clients: count of Yahoo Messenger clients
+    discovered by appid
   * arp_spoof.packets: total packets
   * back_orifice.packets: total packets
   * binder.allows: allow bindings
@@ -10819,6 +10896,7 @@ Some additional details to note:
     data
   * detection.event limit: events filtered
   * detection.file searches: fast pattern searches in file buffer
+  * detection.hard evals: non-fast pattern rule evaluations
   * detection.header searches: fast pattern searches in header buffer
   * detection.key searches: fast pattern searches in key buffer
   * detection.logged: logged packets
@@ -10828,7 +10906,6 @@ Some additional details to note:
   * detection.pkt searches: fast pattern searches in packet data
   * detection.queue limit: events not queued because queue full
   * detection.raw searches: fast pattern searches in raw packet data
-  * detection.slow searches: non-fast pattern rule evaluations
   * detection.total alerts: alerts including IP reputation
   * dnp3.dnp3 application pdus: total dnp3 application pdus
   * dnp3.dnp3 link layer frames: total dnp3 link layer frames
@@ -11544,6 +11621,7 @@ Some additional details to note:
     URI
   * 119:64 (http_inspect) HTTP chunk misformatted
   * 119:65 (http_inspect) White space following chunk length
+  * 119:66 (http_inspect) White space within header name
   * 119:67 (http_inspect) Excessive gzip compression
   * 119:68 (http_inspect) Gzip decompression failed
   * 119:69 (http_inspect) HTTP 0.9 requested followed by another
diff --git a/src/main/build.h b/src/main/build.h
index b7e9e6259..58dcdf52c 100644
--- a/src/main/build.h
+++ b/src/main/build.h
@@ -10,7 +10,7 @@
 //                                               //
 //-----------------------------------------------//
 
-#define BUILD "217"
+#define BUILD "218"
 
 #endif
 
diff --git a/src/network_inspectors/appid/lua_detector_module.cc b/src/network_inspectors/appid/lua_detector_module.cc
index 75e51795b..c2ec8af3f 100644
--- a/src/network_inspectors/appid/lua_detector_module.cc
+++ b/src/network_inspectors/appid/lua_detector_module.cc
@@ -25,6 +25,7 @@
 
 #include <algorithm>
 #include <glob.h>
+#include <libgen.h>
 #include <lua.hpp>
 
 #include "appid_config.h"
@@ -400,7 +401,7 @@ static Detector* create_lua_detector(lua_State* L, const char* detectorName, App
     return detector;
 }
 
-void LuaDetectorManager::load_detector( const char* detector_filename, bool isCustom)
+void LuaDetectorManager::load_detector(char* detector_filename, bool isCustom)
 {
     char detectorName[MAX_LUA_DETECTOR_FILENAME_LEN];
 
diff --git a/src/network_inspectors/appid/lua_detector_module.h b/src/network_inspectors/appid/lua_detector_module.h
index 4bb72a531..02c1c4f07 100644
--- a/src/network_inspectors/appid/lua_detector_module.h
+++ b/src/network_inspectors/appid/lua_detector_module.h
@@ -47,7 +47,7 @@ private:
     void list_lua_detectors();
     void init_lua_service_detectors();
     void init_lua_client_detectors();
-    void load_detector(const char* detectorName, bool isCustom);
+    void load_detector(char* detectorName, bool isCustom);
     void load_lua_detectors(const char* path, bool isCustom);
 
     AppIdConfig& config;