From: Michael Altizer (mialtize) Date: Fri, 21 Feb 2020 18:06:45 +0000 (+0000) Subject: Merge pull request #1992 in SNORT/snort3 from ~MIALTIZE/snort3:build_268 to master X-Git-Tag: 3.0.0-268 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57f41b6e049d4854721ec4f5aa03e3b94e55bc70;p=thirdparty%2Fsnort3.git Merge pull request #1992 in SNORT/snort3 from ~MIALTIZE/snort3:build_268 to master Squashed commit of the following: commit 785c0e89b1bde00cc72133e23738c57727407758 Author: Michael Altizer Date: Fri Feb 21 11:00:08 2020 -0500 build: generate and tag build 268 --- diff --git a/ChangeLog b/ChangeLog index 2e8be1bcc..58c232bed 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,118 @@ +20/02/21 - build 268 + +-- appid: Adding support for appid detection on decrypted SSL sessions +-- appid: Adding support for wildcard ports in static host port cache +-- appid: clean up ENABLE_APPID_THIRD_PARTY from configure_cmake +-- appid: cleanup terminology +-- appid: delete odp context on exit +-- appid: detect payload for http tunnel traffic +-- appid: do not reload third party on reload_config +-- appid: Don't mark HTTP session done if the ssl detector is still in progress +-- appid: Fix array initialization on Appid +-- appid: get rid of ENABLE_APPID_THIRD_PARTY flag +-- appid: handle invalid uri in http tunnel traffic +-- appid: load app mapping data to odp context +-- appid: move dns, sip, ssl and http pattern matchers to odp context; move client discovery + manager to odp context +-- appid: move odp config, host-port cache and length cache to a separate class OdpContext; remove + obsolete port detector code +-- appid: reset tp packet counters each time we do reinspect +-- appid: support third party reload when snort is running with single packet thread +-- bufferlen: match on total length unless remaining is specified +-- build: Clean up accumulated tabs and trailing whitespace in the code +-- build: clean up non-hyperscan builds +-- build: Fix more Clang 9 compiler warnings +-- build: Remove some extraneous semicolons (compiler warnings) +-- build: Rename parameters that shadow class members (compiler warnings) +-- build: Updates across the board for stricter Clang const-casting warnings +-- catch: Update to Catch v2.11.1 +-- cip: explicitly include sys/time.h header +-- codecs: Use unions for checksum pseudoheaders +-- content: add hyperscan content literal matching alternative to boyer-moore +-- content: delete flawed hyper search test +-- content: use hs_compile if hs_compile_lit is not available +-- copyright: update year to 2020 +-- dce_tcp: fixup flow data handling +-- detection: add config option to enable conversion of pcre 
expressions to use the regex engine +-- detection: add hyperscan_literals option +-- detection: add pcre_override to enable/disable pcre/O +-- detection: signature evaluation looping based on literal contents only (exclude regex) +-- doc: manual updates for HTTP/2 +-- doc: update documentation for lua whitelist +-- doc: update reload_limitations.txt +-- file_api: enable Active when there are reset rules in the file policy +-- framework: introduce ScratchAllocator class to help with scratch memory management +-- gtp_inspect: fix default port binding +-- hash: refactor ghash implementation to convert it to an actual C++ class +-- hash: refactor key compare function prototype and functions to return boolean +-- hash: refactor to move common definitions into hash_defs.h +-- hash: refactor xhash to be a real C++ class +-- host_tracker: Check lock in a separate thread in unit-test +-- host_tracker: make current_size atomic to save some locks +-- host_tracker: Support host_cache reload with RRT when memcap changes +-- http2_inspect: add transfer encoding chunked at end of decoded http1 header block +-- http2_inspect: data frame http inspection walking skeleton first phase +-- http2_inspect: fast pattern support +-- http2_inspect: fix string decode error +-- http2_inspect: frame data no longer in file_data +-- http2_inspect: integration with NHI +-- http2_inspect: support disabling detection for uninteresting HTTP/2 frames +-- http2_inspect: support HPACK dynamic table size updates +-- http_inspect: add http_param rule option +-- http_inspect: gzip splitting beyond request_depth should use correct target size +-- http_inspect: no duplicate built-in events for a flow +-- http_inspect: patch H2I-related xtra data crash +-- http_inspect: process multiple files simultaneously over HTTP/1.1 +-- http_inspect: refactoring +-- http_inspect: update test tool to support the HTTP/2 macros and new insert command +-- http_inspect: when detection is disabled, disable all rules not just 
content rules +-- http_inspect/http2_inspect: H2I unified2 extra data logging +-- hyperscan: convert thread locals to scan context +-- inspectors: ensure correct lookup by type, name, or service +-- inspectors: print label for type and alias in inspector manager. Remove printing module name in + inspectors ::show() method. +-- ips: alert service rules check ports +-- ips_pcre: compile/evaluate pcre rule option regular expressions with the hyperscan regex engine + when possible +-- ips_pcre: support the O & R modifiers when converting pcre to regex +-- ips: refactor rule parsing +-- ips: remove dead code from rule parser +-- ips: use service "file" instead of "user" +-- loggers: update vlan logging in csv and json loggers +-- lua: Added missing file magic pattern for FLIC +-- lua: Added missing file magic pattern for IntelHEX +-- lua: fix typo in default smtp's alt_max_command_line_len +-- lua: update default lua files to whitelist the defined tables +-- main: add verbose inspector output during reload +-- main: make IPS actions (reject, react, replace) configurable per-IPS policy +-- main: move config_lua to Shell::configure +-- memory: Treating config value memory.cap as per thread instead of global +-- metadata: add --metadata-filter to load matching rules only +-- mime: support simultaneous file processing of MIME-encoded files over HTTP/1.1 +-- module_manager: add snort_whitelist_append and snort_whitelist_add_prefix FFIs +-- normalizer: disable all normalizations by default except for tcp.ips +-- packet_io: provide default reset action (bidirectional reset for TCP, ICMP unreachable for the + rest) +-- packet_io: refactor Active and IPS Actions to start disentangling them +-- parser: add service http2 to http rules +-- parser: store local copy of service name +-- pcre: ensure use of maximal ovector size and simplify logic +-- port_scan: Supporting reload config when memcap changes +-- protocols: provide direct access to the CiscoMetaData layer +-- regex: 
convert thread locals to scan context +-- reload: eliminate FatalError calls that can't happen because snort_calloc always returns valid + memory +-- rna: use standard uint8_t type instead of u_int8_t +-- search_engine: trivial reformatting +-- smtp: update defaults to better align with Snort 2 +-- snort2lua: conversion of path containing variables +-- snort: add new warn flag warn-conf-strict that will throw out warning when table is not found +-- snort: Adding some verbose logs for appid, file_id, and reputation inspectors +-- stream_tcp: ensure that flows with mss and timestamps are picked up on syn +-- tweaks: set reasonable stream_ip.min_fragment_length values +-- tweaks: update per new normalizer defaults +-- tweaks: update policy configs to better align with Snort 2 + 19/12/20 - build 267 -- appid: Adding command for third-party reload diff --git a/doc/snort_manual.html b/doc/snort_manual.html index adf59bb00..7712cf40d 100644 --- a/doc/snort_manual.html +++ b/doc/snort_manual.html @@ -782,10 +782,10 @@ asciidoc.install(2);
 ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 267)
+o"  )~   Version 3.0.0 (Build 268)
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
-         Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
+         Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
          Copyright (C) 1998-2013 Sourcefire, Inc., et al.
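Review bot: Several ChangeLog lines in this hunk record changes to shipped defaults ("normalizer: disable all normalizations by default except for tcp.ips", "memory: Treating config value memory.cap as per thread instead of global", "smtp: update defaults to better align with Snort 2") but nothing marks them as behavior changes for existing deployments, and the http_inspect default flips visible further down in this patch (iis_double_decode and backslash_to_slash now default to true) have no ChangeLog line of their own. Suggest adding an entry such as `-- http_inspect: change iis_double_decode and backslash_to_slash defaults to true` and tagging the normalizer and memory.cap lines as default changes so operators reading the release notes know to re-check their configs.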
@@ -1183,6 +1183,24 @@ active.max_responses = 1
+

Whitelist

+

When Snort is run with the --warn-conf-strict option, warnings will be +generated for all Lua tables present in the configuration files that do +not map to Snort module names. Like with other warnings, these will +upgraded to errors when Snort is run in pedantic mode.

+

To dynamically add exceptions that should bypass this strict validation, +two Lua functions are made available to be called during the evaluation +of Snort configuration files: snort_whitelist_append() and +snort_whitelist_add_prefix(). Each function takes a whitespace-delimited +list, the former a list of exact table names and the latter a list of table +name prefixes to allow.

+

Examples: +snort_whitelist_append("table1 table2") +snort_whitelist_add_prefix("local_ foobar_")

+

The accumulated contents of the whitelist (both exact and prefix) will be +dumped when Snort is run in verbose mode (-v).

+
+

Rules

Rules determine what Snort is looking for. They can be put directly in your Lua configuration file with the ips module, on the command line with @@ -5332,7 +5350,7 @@ plus_to_space = true percent_u = false utf8_bare_byte = false iis_unicode = false -iis_double_decode = false +iis_double_decode = true

The HTTP inspector normalizes percent encodings found in URIs. For instance it will convert "%48%69%64%64%65%6e" to "Hidden". All the options listed @@ -5376,7 +5394,7 @@ you to create exemptions for those characters.

simplify_path = true
-backslash_to_slash = false
+backslash_to_slash = true

HTTP inspector simplifies directory paths in URIs by eliminating extra traversals using ., .., and /.
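Review bot: In the Whitelist section hunk above, the added sentence "Like with other warnings, these will upgraded to errors when Snort is run in pedantic mode" is missing a verb and should read "these will be upgraded to errors" ("As with other warnings" also reads better). The section should also say plainly that snort_whitelist_append() and snort_whitelist_add_prefix() only suppress the --warn-conf-strict warning: a whitelisted table still does not map to any module and is not consumed, so the functions should not be used to quiet a warning caused by a misspelled module table name.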

@@ -5403,9 +5421,8 @@ directories to be separated by backslashes:

\this\is\the\other\way\to\write\a\path
-

backslash_to_slash is turned off by default. If you are protecting such a -server then set backslash_to_slash = true and all the backslashes will be -replaced with slashes during normalization.

+

backslash_to_slash is turned on by default. It replaces all the backslashes +with slashes during normalization.
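Review bot: The rewritten paragraph in this hunk drops the guidance for the opposite case: the old text told readers when to turn backslash_to_slash on, the new text only states that it is on by default. Add the inverse, for example "set backslash_to_slash = false if the protected servers treat a backslash as an ordinary character", since a rule written against the literal path will not see the backslashes once normalization has rewritten them.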

@@ -5831,6 +5848,29 @@ http2_frame_data; content:"MaLwArE"; sid:3; rev:1; )

Frame type 0 is DATA which carries the HTTP message body. This rule will search for MaLwArE inside an HTTP message body.

+

To smooth the transition to inspecting HTTP/2, rules that specify +service:http will be treated as if they also specify service:http2. +Thus:

+
+
+
alert tcp any any -> any any (flow:established, to_server;
+http_uri; content:"/foo";
+service: http; sid:10; rev:1;)
+
+

is understood to mean:

+
+
+
alert tcp any any -> any any (flow:established, to_server;
+http_uri; content:"/foo";
+service: http,http2; sid:10; rev:1;)
+
+

Thus it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2 traffic.

+

The reverse is not true. "service: http2" without http will match on HTTP/2 +flows but not HTTP/1 flows.

+

This feature makes it easy to add HTTP/2 inspection without modifying +large numbers of existing rules. New rules should explicitly specify +"service http,http2;" if that is the desired behavior. Eventually +support for http implies http2 may be deprecated and removed.

In the future, http2_inspect will support HPACK header decompression and be fully integrated with http_inspect to provide full inspection of the individual HTTP/1.1 streams.
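Review bot: The prose in this hunk tells rule writers to "explicitly specify "service http,http2;"" while both rule examples above it write "service: http,http2;" with a colon; use one form so readers copying the text do not hit a parse error. The unchanged closing paragraph, "In the future, http2_inspect will support HPACK header decompression and be fully integrated with http_inspect", also reads as stale next to this build's ChangeLog entries ("http2_inspect: support HPACK dynamic table size updates", "http2_inspect: integration with NHI") and the new 121:14 dynamic table event; since this hunk already edits the section, update or remove that sentence.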

@@ -7112,7 +7152,7 @@ int attribute_table.max_services_per_host = 8: maximum number o
  • -int attribute_table.max_metadata_services = 8: maximum number of services in rule { 1:255 } +int attribute_table.max_metadata_services = 9: maximum number of services in rule { 1:255 }

  • @@ -7404,6 +7444,11 @@ bool detection.global_rule_state = false: apply rule_state agai
  • +bool detection.hyperscan_literals = false: use hyperscan for content literal searches instead of boyer-moore +

    +
  • +
  • +

    int detection.offload_limit = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }
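Review bot: The help text for detection.hyperscan_literals in this hunk does not say what happens when Snort was built without hyperscan. Given the ChangeLog lines "build: clean up non-hyperscan builds" and "content: use hs_compile if hs_compile_lit is not available", state whether setting the option to true on such a build is ignored, warns, or errors, and that content literal matching then stays on boyer-moore.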

  • @@ -7414,7 +7459,7 @@ int detection.offload_threads = 0: maximum number of simultaneo
  • -bool detection.pcre_enable = true: disable pcre pattern matching +bool detection.pcre_enable = true: enable pcre pattern matching

  • @@ -7429,6 +7474,16 @@ int detection.pcre_match_limit_recursion = 1500: limit pcre sta
  • +bool detection.pcre_override = true: enable pcre match limit overrides when pattern matching (ie ignore /O) +

    +
  • +
  • +

    +bool detection.pcre_to_regex = false: enable the use of regex instead of pcre for compatible expressions +

    +
  • +
  • +

    bool detection.enable_address_anomaly_checks = false: enable check and alerting of address anomalies
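Review bot: The help text added for detection.pcre_override in this hunk, "enable pcre match limit overrides when pattern matching (ie ignore /O)", contradicts itself: enabling overrides and ignoring the /O modifier are opposite behaviors. State one reading plainly, for example "honor the /O modifier, letting a rule bypass pcre_match_limit and pcre_match_limit_recursion" if true means /O is respected, and spell "ie" as "i.e.". Since those limits are what bound backtracking on hostile input, the default of true deserves a sentence on what it means for a rule set that uses /O.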

  • @@ -7805,27 +7860,32 @@ int host_cache.memcap = 8388608: maximum host cache size in byt
    • -host_cache.lru_cache_adds: lru cache added new entry (sum) +host_cache.adds: lru cache added new entry (sum) +

      +
    • +
    • +

      +host_cache.alloc_prunes: lru cache pruned entry to make space for new entry (sum)

    • -host_cache.lru_cache_prunes: lru cache pruned entry to make space for new entry (sum) +host_cache.find_hits: lru cache found entry in cache (sum)

    • -host_cache.lru_cache_find_hits: lru cache found entry in cache (sum) +host_cache.find_misses: lru cache did not find entry in cache (sum)

    • -host_cache.lru_cache_find_misses: lru cache did not find entry in cache (sum) +host_cache.reload_prunes: lru cache pruned entry for lower memcap during reload (sum)

    • -host_cache.lru_cache_removes: lru cache found entry and removed it (sum) +host_cache.removes: lru cache found entry and removed it (sum)
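Review bot: Renaming the host_cache peg counters from host_cache.lru_cache_* to host_cache.* in this hunk, and replacing lru_cache_prunes with the alloc_prunes/reload_prunes pair, will break anything that parses the perf stats output, yet the ChangeLog has no entry for the rename (only "host_tracker: Support host_cache reload with RRT when memcap changes"). Add a ChangeLog line naming the old and new counter names so operators can update their collectors.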

    @@ -9126,6 +9186,11 @@ implied snort.--mem-check: like -T but also compile search engi
  • +string snort.--metadata-filter: <filter> load only rules containing filter string in metadata if set +

    +
  • +
  • +

    implied snort.--nostamps: don’t include timestamps in log file names
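Review bot: The help text for snort.--metadata-filter in this hunk, "load only rules containing filter string in metadata if set", leaves the matching semantics open: say whether the filter is a plain substring match against the whole metadata option text or a match on a name, value pair, whether it is case sensitive, and whether a rule with no metadata option at all is loaded or dropped. Because rules that fail the filter silently disappear from the loaded set, printing the filtered-out count under -v would also help operators confirm the filter did what they meant.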

  • @@ -9291,6 +9356,11 @@ implied snort.--warn-conf: warn about configuration issues
  • +implied snort.--warn-conf-strict: warn about unrecognized elements in configuration files +

    +
  • +
  • +

    implied snort.--warn-daq: warn about DAQ issues, usually related to mode

  • @@ -13106,6 +13176,16 @@ int gtp_inspect.trace: mask for enabling debug traces in module 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame

    +
  • +

    +121:13 (http2_inspect) invalid HTTP/2 frame sequence +

    +
  • +
  • +

    +121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded +

    +
  • Peg counts:

      @@ -13124,6 +13204,11 @@ int gtp_inspect.trace: mask for enabling debug traces in module http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2 sessions (max)

      +
    • +

      +http2_inspect.max_table_entries: maximum entries in an HTTP/2 dynamic table (max) +

      +
    @@ -13225,7 +13310,7 @@ int http_inspect.iis_unicode_code_page = 1252: code page to use
  • -bool http_inspect.iis_double_decode = false: perform double decoding of percent encodings to normalize characters +bool http_inspect.iis_double_decode = true: perform double decoding of percent encodings to normalize characters

  • @@ -13235,7 +13320,7 @@ int http_inspect.oversize_dir_length = 300: maximum length for
  • -bool http_inspect.backslash_to_slash = false: replace \ with / when normalizing URIs +bool http_inspect.backslash_to_slash = true: replace \ with / when normalizing URIs

  • @@ -13746,6 +13831,11 @@ bool http_inspect.simplify_path = true: reduce URI directory pa 119:248 (http_inspect) gzip compressed data followed by unexpected non-gzip data

  • +
  • +

    +119:249 (http_inspect) excessive HTTP parameter key repeats +

    +
  • Peg counts:
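Review bot: Builtin rule 119:249 "excessive HTTP parameter key repeats" added in this hunk refers to a limit that appears nowhere among the http_inspect configuration parameters in this patch, and the peg http_inspect.excess_parameters ("repeat parameters exceeding max") refers to the same unnamed max. Either document the fixed limit in the rule description or expose it as an http_inspect parameter listed with the other configuration entries, so an operator who sees the alert knows which threshold was crossed.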

      @@ -13869,6 +13959,16 @@ bool http_inspect.simplify_path = true: reduce URI directory pa http_inspect.partial_inspections: pre-inspections for detained inspection (sum)

      +
    • +

      +http_inspect.excess_parameters: repeat parameters exceeding max (sum) +

      +
    • +
    • +

      +http_inspect.parameters: HTTP parameters inspected (sum) +

      +
    @@ -14081,7 +14181,7 @@ int imap.uu_decode_depth = -1: Unix-to-Unix decoding depth (-1
    • -bool normalizer.ip4.base = true: clear options +bool normalizer.ip4.base = false: clear options

    • @@ -14106,17 +14206,17 @@ bool normalizer.ip4.trim = false: truncate excess payload beyon
    • -bool normalizer.tcp.base = true: clear reserved bits and option padding and fix urgent pointer / flags issues +bool normalizer.tcp.base = false: clear reserved bits and option padding and fix urgent pointer / flags issues

    • -bool normalizer.tcp.block = true: allow packet drops during TCP normalization +bool normalizer.tcp.block = false: allow packet drops during TCP normalization

    • -bool normalizer.tcp.urp = true: adjust urgent pointer if beyond segment length +bool normalizer.tcp.urp = false: adjust urgent pointer if beyond segment length
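Review bot: Flipping normalizer.tcp.base, block, and urp to default false in this hunk (with the remaining tcp.* and ip4.base options flipped in the adjacent hunks) means a fresh install with the normalizer enabled no longer clears reserved bits, fixes urgent pointers, or drops during TCP normalization unless each option is set explicitly. The reference text should point readers at the updated policy tweaks ("tweaks: update per new normalizer defaults" in the ChangeLog) or state outright that inline deployments must opt in, since only normalizer.tcp.ips remains on by default.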

    • @@ -14131,7 +14231,7 @@ select normalizer.tcp.ecn = off: clear ecn for all packets | se
    • -bool normalizer.tcp.pad = true: clear any option padding bytes +bool normalizer.tcp.pad = false: clear any option padding bytes

    • @@ -14161,27 +14261,27 @@ bool normalizer.tcp.trim = false: enable all of the TCP trim op
    • -bool normalizer.tcp.opts = true: clear all options except mss, wscale, timestamp, and any explicitly allowed +bool normalizer.tcp.opts = false: clear all options except mss, wscale, timestamp, and any explicitly allowed

    • -bool normalizer.tcp.req_urg = true: clear the urgent pointer if the urgent flag is not set +bool normalizer.tcp.req_urg = false: clear the urgent pointer if the urgent flag is not set

    • -bool normalizer.tcp.req_pay = true: clear the urgent pointer and the urgent flag if there is no payload +bool normalizer.tcp.req_pay = false: clear the urgent pointer and the urgent flag if there is no payload

    • -bool normalizer.tcp.rsv = true: clear the reserved bits in the TCP header +bool normalizer.tcp.rsv = false: clear the reserved bits in the TCP header

    • -bool normalizer.tcp.req_urp = true: clear the urgent flag if the urgent pointer is not set +bool normalizer.tcp.req_urp = false: clear the urgent flag if the urgent pointer is not set

    • @@ -14588,7 +14688,7 @@ int perf_monitor.seconds = 60: report interval { 1:max32 }
    • -int perf_monitor.flow_ip_memcap = 52428800: maximum memory in bytes for flow tracking { 8200:maxSZ } +int perf_monitor.flow_ip_memcap = 52428800: maximum memory in bytes for flow tracking { 236:maxSZ }

    • @@ -15261,7 +15361,22 @@ int port_scan.icmp_window = 0: detection interval for all ICMP
      • -port_scan.packets: total packets (sum) +port_scan.packets: number of packets processed by port scan (sum) +

        +
      • +
      • +

        +port_scan.trackers: number of trackers allocated by port scan (sum) +

        +
      • +
      • +

        +port_scan.alloc_prunes: number of trackers pruned on allocation of new tracking (sum) +

        +
      • +
      • +

        +port_scan.reload_prunes: number of trackers pruned on reload due to reduced memcap (sum)

      @@ -16129,17 +16244,17 @@ int smtp.max_auth_command_line_len = 1000: max auth command Lin
    • -int smtp.max_command_line_len = 0: max Command Line Length { 0:65535 } +int smtp.max_command_line_len = 512: max Command Line Length { 0:65535 }

    • -int smtp.max_header_line_len = 0: max SMTP DATA header line { 0:65535 } +int smtp.max_header_line_len = 1000: max SMTP DATA header line { 0:65535 }

    • -int smtp.max_response_line_len = 0: max SMTP response line { 0:65535 } +int smtp.max_response_line_len = 512: max SMTP response line { 0:65535 }
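Review bot: The smtp length defaults move from 0 to 512, 1000 and 512 in this hunk, but none of the three help texts says what 0 means, so a reader cannot tell whether the old default disabled the check; add that to each description, as the range still permits 0. Also fix the inconsistent capitalization of "max Command Line Length" against "max SMTP DATA header line" and "max SMTP response line".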

    • @@ -17901,7 +18016,12 @@ implied ber_skip.optional: match even if the specified BER type
      • -interval bufferlen.~range: check that length of current buffer is in given range { 0:65535 } +interval bufferlen.~range: check that total length of current buffer is in given range { 0:65535 } +

        +
      • +
      • +

        +implied bufferlen.relative: use remaining length (from current position) instead of total length
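Review bot: The ChangeLog describes this change as "bufferlen: match on total length unless remaining is specified", but the option added in this hunk is named bufferlen.relative, not remaining; align the ChangeLog wording with the actual option name. The rewording of bufferlen.~range from "length of current buffer" to "total length of current buffer" also implies that existing rules written for the previous behavior now evaluate differently, which the rule option documentation should say explicitly.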

      @@ -18883,6 +19003,25 @@ implied http_method.with_trailer: parts of this rule examine HT
    +

    http_param

    +

    What: rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body

    +

    Type: ips_option

    +

    Usage: detect

    +

    Configuration:

    +
      +
    • +

      +string http_param.~param: parameter to match +

      +
    • +
    • +

      +implied http_param.nocase: case insensitive match +

      +
    • +
    +
    +

    http_raw_body

    What: rule option to set the detection cursor to the unnormalized message body

    Type: ips_option
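Review bot: The new http_param section in this hunk documents the ~param and nocase options but gives no example and does not say whether the cursor lands on the normalized value or the raw bytes, how a key present in both the query and the body is resolved, or which instance is used when the same key repeats (the case builtin rule 119:249 in this same patch alerts on). Add an illustrative rule such as `http_param:"id"; content:"admin";` and a sentence on each of those points; disagreements between the inspector and the server over parameter parsing are exactly where a new cursor gets evaded.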

    @@ -19389,7 +19528,7 @@ implied md5.relative = false: offset from cursor instead of sta

    metadata

    -

    What: rule option for conveying arbitrary name, value data within the rule text

    +

    What: rule option for conveying arbitrary comma-separated name, value data within the rule text

    Type: ips_option

    Usage: detect

    Configuration:

    @@ -19476,6 +19615,29 @@ string pcre.~re: Snort regular expression

    +

    Peg counts:

    +
      +
    • +

      +pcre.pcre_rules: total rules processed with pcre option (sum) +

      +
    • +
    • +

      +pcre.pcre_to_hyper: total pcre rules by hyperscan engine (sum) +

      +
    • +
    • +

      +pcre.pcre_native: total pcre rules compiled by pcre engine (sum) +

      +
    • +
    • +

      +pcre.pcre_negated: total pcre rules using negation syntax (sum) +

      +
    • +

    pkt_data
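Review bot: The help text for pcre.pcre_to_hyper in this hunk, "total pcre rules by hyperscan engine", is missing a verb; make it "total pcre rules compiled by hyperscan engine" to parallel pcre.pcre_native "total pcre rules compiled by pcre engine". If pcre_rules is meant to equal pcre_to_hyper plus pcre_native, say so, so the counters can be sanity-checked.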

    @@ -24595,6 +24757,11 @@ these libraries see the Getting Started section of the manual.

  • +--metadata-filter <filter> load only rules containing filter string in metadata if set +

    +
  • +
  • +

    --nostamps don’t include timestamps in log file names

  • @@ -24760,6 +24927,11 @@ these libraries see the Getting Started section of the manual.

  • +--warn-conf-strict warn about unrecognized elements in configuration files +

    +
  • +
  • +

    --warn-daq warn about DAQ issues, usually related to mode

  • @@ -25120,7 +25292,7 @@ int attribute_table.max_hosts = 1024: maximum number of hosts i
  • -int attribute_table.max_metadata_services = 8: maximum number of services in rule { 1:255 } +int attribute_table.max_metadata_services = 9: maximum number of services in rule { 1:255 }

  • @@ -25275,7 +25447,12 @@ bit_list binder[].when.zones: zones { 63 }
  • -interval bufferlen.~range: check that length of current buffer is in given range { 0:65535 } +interval bufferlen.~range: check that total length of current buffer is in given range { 0:65535 } +

    +
  • +
  • +

    +implied bufferlen.relative: use remaining length (from current position) instead of total length

  • @@ -25885,6 +26062,11 @@ bool detection.global_rule_state = false: apply rule_state agai
  • +bool detection.hyperscan_literals = false: use hyperscan for content literal searches instead of boyer-moore +

    +
  • +
  • +

    int detection.offload_limit = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }

  • @@ -25895,7 +26077,7 @@ int detection.offload_threads = 0: maximum number of simultaneo
  • -bool detection.pcre_enable = true: disable pcre pattern matching +bool detection.pcre_enable = true: enable pcre pattern matching

  • @@ -25910,6 +26092,16 @@ int detection.pcre_match_limit_recursion = 1500: limit pcre sta
  • +bool detection.pcre_override = true: enable pcre match limit overrides when pattern matching (ie ignore /O) +

    +
  • +
  • +

    +bool detection.pcre_to_regex = false: enable the use of regex instead of pcre for compatible expressions +

    +
  • +
  • +

    int detection.trace: mask for enabling debug traces in module { 0:max53 }

  • @@ -26675,7 +26867,7 @@ implied http_header.with_trailer: parts of this rule examine HT
  • -bool http_inspect.backslash_to_slash = false: replace \ with / when normalizing URIs +bool http_inspect.backslash_to_slash = true: replace \ with / when normalizing URIs

  • @@ -26710,7 +26902,7 @@ string http_inspect.ignore_unreserved: do not alert when the sp
  • -bool http_inspect.iis_double_decode = false: perform double decoding of percent encodings to normalize characters +bool http_inspect.iis_double_decode = true: perform double decoding of percent encodings to normalize characters

  • @@ -26805,6 +26997,16 @@ implied http_method.with_trailer: parts of this rule examine HT
  • +implied http_param.nocase: case insensitive match +

    +
  • +
  • +

    +string http_param.~param: parameter to match +

    +
  • +
  • +

    implied http_raw_cookie.request: match against the cookie from the request message even when examining the response

  • @@ -27400,7 +27602,7 @@ bool normalizer.icmp6 = false: clear reserved flag
  • -bool normalizer.ip4.base = true: clear options +bool normalizer.ip4.base = false: clear options

  • @@ -27440,12 +27642,12 @@ multi normalizer.tcp.allow_names: don’t clear given optio
  • -bool normalizer.tcp.base = true: clear reserved bits and option padding and fix urgent pointer / flags issues +bool normalizer.tcp.base = false: clear reserved bits and option padding and fix urgent pointer / flags issues

  • -bool normalizer.tcp.block = true: allow packet drops during TCP normalization +bool normalizer.tcp.block = false: allow packet drops during TCP normalization

  • @@ -27460,32 +27662,32 @@ bool normalizer.tcp.ips = true: ensure consistency in retransmi
  • -bool normalizer.tcp.opts = true: clear all options except mss, wscale, timestamp, and any explicitly allowed +bool normalizer.tcp.opts = false: clear all options except mss, wscale, timestamp, and any explicitly allowed

  • -bool normalizer.tcp.pad = true: clear any option padding bytes +bool normalizer.tcp.pad = false: clear any option padding bytes

  • -bool normalizer.tcp.req_pay = true: clear the urgent pointer and the urgent flag if there is no payload +bool normalizer.tcp.req_pay = false: clear the urgent pointer and the urgent flag if there is no payload

  • -bool normalizer.tcp.req_urg = true: clear the urgent pointer if the urgent flag is not set +bool normalizer.tcp.req_urg = false: clear the urgent pointer if the urgent flag is not set

  • -bool normalizer.tcp.req_urp = true: clear the urgent flag if the urgent pointer is not set +bool normalizer.tcp.req_urp = false: clear the urgent flag if the urgent pointer is not set

  • -bool normalizer.tcp.rsv = true: clear the reserved bits in the TCP header +bool normalizer.tcp.rsv = false: clear the reserved bits in the TCP header

  • @@ -27515,7 +27717,7 @@ bool normalizer.tcp.trim_win = false: trim data to window
  • -bool normalizer.tcp.urp = true: adjust urgent pointer if beyond segment length +bool normalizer.tcp.urp = false: adjust urgent pointer if beyond segment length

  • @@ -27645,7 +27847,7 @@ bool perf_monitor.flow_ip = false: enable statistics on host pa
  • -int perf_monitor.flow_ip_memcap = 52428800: maximum memory in bytes for flow tracking { 8200:maxSZ } +int perf_monitor.flow_ip_memcap = 52428800: maximum memory in bytes for flow tracking { 236:maxSZ }

  • @@ -28740,17 +28942,17 @@ int smtp.max_auth_command_line_len = 1000: max auth command Lin
  • -int smtp.max_command_line_len = 0: max Command Line Length { 0:65535 } +int smtp.max_command_line_len = 512: max Command Line Length { 0:65535 }

  • -int smtp.max_header_line_len = 0: max SMTP DATA header line { 0:65535 } +int smtp.max_header_line_len = 1000: max SMTP DATA header line { 0:65535 }

  • -int smtp.max_response_line_len = 0: max SMTP response line { 0:65535 } +int smtp.max_response_line_len = 512: max SMTP response line { 0:65535 }

  • @@ -29075,6 +29277,11 @@ implied snort.--mem-check: like -T but also compile search engi
  • +string snort.--metadata-filter: <filter> load only rules containing filter string in metadata if set +

    +
  • +
  • +

    implied snort.-M: log messages to syslog (not alerts)

  • @@ -29330,6 +29537,11 @@ implied snort.--warn-all: enable all warnings
  • +implied snort.--warn-conf-strict: warn about unrecognized elements in configuration files +

    +
  • +
  • +

    implied snort.--warn-conf: warn about configuration issues

  • @@ -31145,27 +31357,32 @@ interval wscale.~range: check if TCP window scale is in given r
  • -host_cache.lru_cache_adds: lru cache added new entry (sum) +host_cache.adds: lru cache added new entry (sum) +

    +
  • +
  • +

    +host_cache.alloc_prunes: lru cache pruned entry to make space for new entry (sum)

  • -host_cache.lru_cache_find_hits: lru cache found entry in cache (sum) +host_cache.find_hits: lru cache found entry in cache (sum)

  • -host_cache.lru_cache_find_misses: lru cache did not find entry in cache (sum) +host_cache.find_misses: lru cache did not find entry in cache (sum)

  • -host_cache.lru_cache_prunes: lru cache pruned entry to make space for new entry (sum) +host_cache.reload_prunes: lru cache pruned entry for lower memcap during reload (sum)

  • -host_cache.lru_cache_removes: lru cache found entry and removed it (sum) +host_cache.removes: lru cache found entry and removed it (sum)

  • @@ -31195,6 +31412,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +http2_inspect.max_table_entries: maximum entries in an HTTP/2 dynamic table (max) +

    +
  • +
  • +

    http_inspect.chunked: chunked message bodies (sum)

  • @@ -31220,6 +31442,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +http_inspect.excess_parameters: repeat parameters exceeding max (sum) +

    +
  • +
  • +

    http_inspect.flows: HTTP connections inspected (sum)

  • @@ -31255,6 +31482,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +http_inspect.parameters: HTTP parameters inspected (sum) +

    +
  • +
  • +

    http_inspect.partial_inspections: pre-inspections for detained inspection (sum)

  • @@ -31815,6 +32047,26 @@ interval wscale.~range: check if TCP window scale is in given r
  • +pcre.pcre_native: total pcre rules compiled by pcre engine (sum) +

    +
  • +
  • +

    +pcre.pcre_negated: total pcre rules using negation syntax (sum) +

    +
  • +
  • +

    +pcre.pcre_rules: total rules processed with pcre option (sum) +

    +
  • +
  • +

    +pcre.pcre_to_hyper: total pcre rules by hyperscan engine (sum) +

    +
  • +
  • +

    perf_monitor.alloc_prunes: flows pruned on allocation of IP flows (sum)

  • @@ -31895,7 +32147,22 @@ interval wscale.~range: check if TCP window scale is in given r
  • -port_scan.packets: total packets (sum) +port_scan.alloc_prunes: number of trackers pruned on allocation of new tracking (sum) +

    +
  • +
  • +

    +port_scan.packets: number of packets processed by port scan (sum) +

    +
  • +
  • +

    +port_scan.reload_prunes: number of trackers pruned on reload due to reduced memcap (sum) +

    +
  • +
  • +

    +port_scan.trackers: number of trackers allocated by port scan (sum)

  • @@ -34790,6 +35057,11 @@ interval wscale.~range: check if TCP window scale is in given r
  • +119:249 (http_inspect) excessive HTTP parameter key repeats +

    +
  • +
  • +

    121:1 (http2_inspect) error in HPACK integer value

  • @@ -34850,6 +35122,16 @@ interval wscale.~range: check if TCP window scale is in given r
  • +121:13 (http2_inspect) invalid HTTP/2 frame sequence +

    +
  • +
  • +

    +121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded +

    +
  • +
  • +

    122:1 (port_scan) TCP portscan

  • @@ -37071,6 +37353,11 @@ deleted -> unified2: 'vlan_event_types'
  • +http_param (ips_option): rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body +

    +
  • +
  • +

    http_raw_body (ips_option): rule option to set the detection cursor to the unnormalized message body

  • @@ -37136,6 +37423,11 @@ deleted -> unified2: 'vlan_event_types'
  • +hyperscan (search_engine): intel hyperscan-based mpse with regex support +

    +
  • +
  • +

    icmp4 (codec): support for Internet control message protocol v4

  • @@ -37256,7 +37548,7 @@ deleted -> unified2: 'vlan_event_types'
  • -metadata (ips_option): rule option for conveying arbitrary name, value data within the rule text +metadata (ips_option): rule option for conveying arbitrary comma-separated name, value data within the rule text

  • @@ -38531,6 +38823,11 @@ deleted -> unified2: 'vlan_event_types'
  • +ips_option::http_param: rule option to set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body +

    +
  • +
  • +

    ips_option::http_raw_body: rule option to set the detection cursor to the unnormalized message body

  • @@ -38641,7 +38938,7 @@ deleted -> unified2: 'vlan_event_types'
  • -ips_option::metadata: rule option for conveying arbitrary name, value data within the rule text +ips_option::metadata: rule option for conveying arbitrary comma-separated name, value data within the rule text

  • @@ -39024,11 +39321,6 @@ daq.snaplen
  • -daq.no_promisc -

    -
  • -
  • -

    detection.asn1
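Review bot: daq.no_promisc is dropped from this list of parameters that cannot be changed on reload, but unlike the port_scan.memcap and stream cache removals below, nothing else in the visible diff explains it (no new peg, no reload handling). Confirm whether the option was removed outright or actually became reload-safe, and record which in the ChangeLog, since a stale "not reloadable" entry and a silently ignored reload are two different bugs.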

  • @@ -39039,11 +39331,6 @@ file_id.max_files_cached
  • -port_scan.memcap -

    -
  • -
  • -

    process.chroot

  • @@ -39064,97 +39351,12 @@ process.set_uid
  • -stream.footprint -

    -
  • -
  • -

    -stream.ip_cache.max_sessions -

    -
  • -
  • -

    -stream.ip_cache.pruning_timeout -

    -
  • -
  • -

    -stream.ip_cache.idle_timeout -

    -
  • -
  • -

    -stream.icmp_cache.max_sessions -

    -
  • -
  • -

    -stream.icmp_cache.pruning_timeout -

    -
  • -
  • -

    -stream.icmp_cache.idle_timeout -

    -
  • -
  • -

    -stream.tcp_cache.max_sessions -

    -
  • -
  • -

    -stream.tcp_cache.pruning_timeout -

    -
  • -
  • -

    -stream.tcp_cache.idle_timeout -

    -
  • -
  • -

    -stream.udp_cache.max_sessions -

    -
  • -
  • -

    -stream.udp_cache.pruning_timeout -

    -
  • -
  • -

    -stream.udp_cache.idle_timeout -

    -
  • -
  • -

    -stream.user_cache.max_sessions -

    -
  • -
  • -

    -stream.user_cache.pruning_timeout -

    -
  • -
  • -

    -stream.user_cache.idle_timeout -

    -
  • -
  • -

    -stream.file_cache.max_sessions -

    -
  • -
  • -

    -stream.file_cache.pruning_timeout +snort.--bpf

  • -stream.file_cache.idle_timeout +snort.-l
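Review bot: this hunk removes stream.footprint and every stream.*_cache.{max_sessions,pruning_timeout,idle_timeout} entry from the reload-limitations list and adds snort.--bpf and snort.-l. For port_scan and host_cache the patch documents what happens when a memcap shrinks on reload (the new reload_prunes pegs), but no equivalent stream peg or text appears here. Please confirm that lowering a stream cache max_sessions on reload prunes existing flows and is observable, and add a ChangeLog line for the newly reloadable stream parameters; the two new non-reloadable entries (--bpf, -l) should also get one.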

  • @@ -39194,7 +39396,7 @@ Adding/removing stream_* inspectors if stream was already configured diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf index f076d26c0..fb22e0c9c 100644 Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ diff --git a/doc/snort_manual.text b/doc/snort_manual.text index 1203383fa..a815de0da 100644 --- a/doc/snort_manual.text +++ b/doc/snort_manual.text 
@@ -255,72 +255,73 @@ Table of Contents 11.51. http_cookie 11.52. http_header 11.53. http_method - 11.54. http_raw_body - 11.55. http_raw_cookie - 11.56. http_raw_header - 11.57. http_raw_request - 11.58. http_raw_status - 11.59. http_raw_trailer - 11.60. http_raw_uri - 11.61. http_stat_code - 11.62. http_stat_msg - 11.63. http_trailer - 11.64. http_true_ip - 11.65. http_uri - 11.66. http_version - 11.67. icmp_id - 11.68. icmp_seq - 11.69. icode - 11.70. id - 11.71. ip_proto - 11.72. ipopts - 11.73. isdataat - 11.74. itype - 11.75. md5 - 11.76. metadata - 11.77. modbus_data - 11.78. modbus_func - 11.79. modbus_unit - 11.80. msg - 11.81. mss - 11.82. pcre - 11.83. pkt_data - 11.84. pkt_num - 11.85. priority - 11.86. raw_data - 11.87. reference - 11.88. regex - 11.89. rem - 11.90. replace - 11.91. rev - 11.92. rpc - 11.93. s7commplus_content - 11.94. s7commplus_func - 11.95. s7commplus_opcode - 11.96. sd_pattern - 11.97. seq - 11.98. service - 11.99. session - 11.100. sha256 - 11.101. sha512 - 11.102. sid - 11.103. sip_body - 11.104. sip_header - 11.105. sip_method - 11.106. sip_stat_code - 11.107. so - 11.108. soid - 11.109. ssl_state - 11.110. ssl_version - 11.111. stream_reassemble - 11.112. stream_size - 11.113. tag - 11.114. target - 11.115. tos - 11.116. ttl - 11.117. urg - 11.118. window - 11.119. wscale + 11.54. http_param + 11.55. http_raw_body + 11.56. http_raw_cookie + 11.57. http_raw_header + 11.58. http_raw_request + 11.59. http_raw_status + 11.60. http_raw_trailer + 11.61. http_raw_uri + 11.62. http_stat_code + 11.63. http_stat_msg + 11.64. http_trailer + 11.65. http_true_ip + 11.66. http_uri + 11.67. http_version + 11.68. icmp_id + 11.69. icmp_seq + 11.70. icode + 11.71. id + 11.72. ip_proto + 11.73. ipopts + 11.74. isdataat + 11.75. itype + 11.76. md5 + 11.77. metadata + 11.78. modbus_data + 11.79. modbus_func + 11.80. modbus_unit + 11.81. msg + 11.82. mss + 11.83. pcre + 11.84. pkt_data + 11.85. pkt_num + 11.86. priority + 11.87. raw_data + 11.88. 
reference + 11.89. regex + 11.90. rem + 11.91. replace + 11.92. rev + 11.93. rpc + 11.94. s7commplus_content + 11.95. s7commplus_func + 11.96. s7commplus_opcode + 11.97. sd_pattern + 11.98. seq + 11.99. service + 11.100. session + 11.101. sha256 + 11.102. sha512 + 11.103. sid + 11.104. sip_body + 11.105. sip_header + 11.106. sip_method + 11.107. sip_stat_code + 11.108. so + 11.109. soid + 11.110. ssl_state + 11.111. ssl_version + 11.112. stream_reassemble + 11.113. stream_size + 11.114. tag + 11.115. target + 11.116. tos + 11.117. ttl + 11.118. urg + 11.119. window + 11.120. wscale 12. Search Engine Modules 13. SO Rule Modules @@ -410,10 +411,10 @@ Table of Contents Snorty ,,_ -*> Snort++ <*- -o" )~ Version 3.0.0 (Build 267) +o" )~ Version 3.0.0 (Build 268) '''' By Martin Roesch & The Snort Team http://snort.org/contact#team - Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved. + Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved. Copyright (C) 1998-2013 Sourcefire, Inc., et al. 
@@ -672,7 +673,27 @@ do: active = { max_responses = 1, min_interval = 5 } -1.2.3. Rules +1.2.3. Whitelist + +When Snort is run with the --warn-conf-strict option, warnings will +be generated for all Lua tables present in the configuration files +that do not map to Snort module names. Like with other warnings, +these will upgraded to errors when Snort is run in pedantic mode. + +To dynamically add exceptions that should bypass this strict +validation, two Lua functions are made available to be called during +the evaluation of Snort configuration files: snort_whitelist_append() +and snort_whitelist_add_prefix(). Each function takes a +whitespace-delimited list, the former a list of exact table names and +the latter a list of table name prefixes to allow. + +Examples: snort_whitelist_append("table1 table2") +snort_whitelist_add_prefix("local_ foobar_") + +The accumulated contents of the whitelist (both exact and prefix) +will be dumped when Snort is run in verbose mode (-v). + +1.2.4. Rules Rules determine what Snort is looking for. They can be put directly in your Lua configuration file with the ips module, on the command @@ -691,7 +712,7 @@ $ sort -c snort.lua -R rules.txt You can use both approaches together. -1.2.4. Includes +1.2.5. Includes Your configuration file file may include other files, either directly via Lua or via various parameters. Snort will find relative includes @@ -714,7 +735,7 @@ Some things to keep in mind: relative to the working directory. These will be updated in a future release. -1.2.5. Converting Your 2.X Configuration +1.2.6. Converting Your 2.X Configuration If you have a working 2.X configuration snort2lua makes it easy to get up and running with Snort 3. This tool will convert your 
@@ -3869,7 +3890,7 @@ plus_to_space = true percent_u = false utf8_bare_byte = false iis_unicode = false -iis_double_decode = false +iis_double_decode = true The HTTP inspector normalizes percent encodings found in URIs. For instance it will convert "%48%69%64%64%65%6e" to "Hidden". All the @@ -3918,7 +3939,7 @@ In the example, the lower-case letters a, b, and c and the digits 1, generating an alert. simplify_path = true -backslash_to_slash = false +backslash_to_slash = true HTTP inspector simplifies directory paths in URIs by eliminating extra traversals using ., .., and /. @@ -3942,9 +3963,8 @@ allow directories to be separated by backslashes: \this\is\the\other\way\to\write\a\path -backslash_to_slash is turned off by default. If you are protecting -such a server then set backslash_to_slash = true and all the -backslashes will be replaced with slashes during normalization. +backslash_to_slash is turned on by default. It replaces all the +backslashes with slashes during normalization. 5.9.3. Detection rules 
@@ -4334,6 +4354,31 @@ http2_frame_data; content:"MaLwArE"; sid:3; rev:1; ) Frame type 0 is DATA which carries the HTTP message body. This rule will search for MaLwArE inside an HTTP message body. +To smooth the transition to inspecting HTTP/2, rules that specify +service:http will be treated as if they also specify service:http2. +Thus: + +alert tcp any any -> any any (flow:established, to_server; +http_uri; content:"/foo"; +service: http; sid:10; rev:1;) + +is understood to mean: + +alert tcp any any -> any any (flow:established, to_server; +http_uri; content:"/foo"; +service: http,http2; sid:10; rev:1;) + +Thus it will alert on "/foo" in the URI for both HTTP/1 and HTTP/2 +traffic. + +The reverse is not true. "service: http2" without http will match on +HTTP/2 flows but not HTTP/1 flows. + +This feature makes it easy to add HTTP/2 inspection without modifying +large numbers of existing rules. New rules should explicitly specify +"service http,http2;" if that is the desired behavior. Eventually +support for http implies http2 may be deprecated and removed. + In the future, http2_inspect will support HPACK header decompression and be fully integrated with http_inspect to provide full inspection of the individual HTTP/1.1 streams. @@ -5440,7 +5485,7 @@ Configuration: attribute table { 32:max53 } * int attribute_table.max_services_per_host = 8: maximum number of services per host entry in attribute table { 1:65535 } - * int attribute_table.max_metadata_services = 8: maximum number of + * int attribute_table.max_metadata_services = 9: maximum number of services in rule { 1:255 } 
@@ -5569,15 +5614,21 @@ Configuration: disable rules by default (overridden by ips policy settings) * bool detection.global_rule_state = false: apply rule_state against all policies + * bool detection.hyperscan_literals = false: use hyperscan for + content literal searches instead of boyer-moore * int detection.offload_limit = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 } * int detection.offload_threads = 0: maximum number of simultaneous offloads (defaults to disabled) { 0:max32 } - * bool detection.pcre_enable = true: disable pcre pattern matching + * bool detection.pcre_enable = true: enable pcre pattern matching * int detection.pcre_match_limit = 1500: limit pcre backtracking, 0 = off { 0:max32 } * int detection.pcre_match_limit_recursion = 1500: limit pcre stack consumption, 0 = off { 0:max32 } + * bool detection.pcre_override = true: enable pcre match limit + overrides when pattern matching (ie ignore /O) + * bool detection.pcre_to_regex = false: enable the use of regex + instead of pcre for compatible expressions * bool detection.enable_address_anomaly_checks = false: enable check and alerting of address anomalies * int detection.trace: mask for enabling debug traces in module { 
@@ -5758,15 +5809,15 @@ Commands: Peg counts: - * host_cache.lru_cache_adds: lru cache added new entry (sum) - * host_cache.lru_cache_prunes: lru cache pruned entry to make space - for new entry (sum) - * host_cache.lru_cache_find_hits: lru cache found entry in cache + * host_cache.adds: lru cache added new entry (sum) + * host_cache.alloc_prunes: lru cache pruned entry to make space for + new entry (sum) + * host_cache.find_hits: lru cache found entry in cache (sum) + * host_cache.find_misses: lru cache did not find entry in cache (sum) - * host_cache.lru_cache_find_misses: lru cache did not find entry in - cache (sum) - * host_cache.lru_cache_removes: lru cache found entry and removed - it (sum) + * host_cache.reload_prunes: lru cache pruned entry for lower memcap + during reload (sum) + * host_cache.removes: lru cache found entry and removed it (sum) 6.12. host_tracker @@ -6419,6 +6470,8 @@ Configuration: of packet threads (same as -z) { 0:max32 } * implied snort.--mem-check: like -T but also compile search engines + * string snort.--metadata-filter: load only rules + containing filter string in metadata if set * implied snort.--nostamps: don’t include timestamps in log file names * implied snort.--nolock-pidfile: do not try to lock Snort PID file @@ -6475,6 +6528,8 @@ Configuration: * implied snort.--version: show version number (same as -V) * implied snort.--warn-all: enable all warnings * implied snort.--warn-conf: warn about configuration issues + * implied snort.--warn-conf-strict: warn about unrecognized + elements in configuration files * implied snort.--warn-daq: warn about DAQ issues, usually related to mode * implied snort.--warn-flowbits: warn about flowbits that are 
@@ -8270,6 +8325,8 @@ Rules: * 121:10 (http2_inspect) invalid HTTP/2 header field * 121:11 (http2_inspect) error in HTTP/2 settings frame * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame + * 121:13 (http2_inspect) invalid HTTP/2 frame sequence + * 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded Peg counts: @@ -8278,6 +8335,8 @@ Peg counts: sessions (now) * http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2 sessions (max) + * http2_inspect.max_table_entries: maximum entries in an HTTP/2 + dynamic table (max) 9.24. http_inspect @@ -8332,11 +8391,11 @@ Configuration: points for IIS unicode. { (optional) } * int http_inspect.iis_unicode_code_page = 1252: code page to use from the IIS unicode map file { 0:65535 } - * bool http_inspect.iis_double_decode = false: perform double + * bool http_inspect.iis_double_decode = true: perform double decoding of percent encodings to normalize characters * int http_inspect.oversize_dir_length = 300: maximum length for URL directory { 1:65535 } - * bool http_inspect.backslash_to_slash = false: replace \ with / + * bool http_inspect.backslash_to_slash = true: replace \ with / when normalizing URIs * bool http_inspect.plus_to_space = true: replace + with when normalizing URIs @@ -8466,6 +8525,7 @@ Rules: value * 119:248 (http_inspect) gzip compressed data followed by unexpected non-gzip data + * 119:249 (http_inspect) excessive HTTP parameter key repeats Peg counts: @@ -8503,6 +8563,9 @@ Peg counts: inspection (sum) * http_inspect.partial_inspections: pre-inspections for detained inspection (sum) + * http_inspect.excess_parameters: repeat parameters exceeding max + (sum) + * http_inspect.parameters: HTTP parameters inspected (sum) 9.25. imap 
@@ -8614,24 +8677,24 @@ Usage: inspect Configuration: - * bool normalizer.ip4.base = true: clear options + * bool normalizer.ip4.base = false: clear options * bool normalizer.ip4.df = false: clear don’t frag flag * bool normalizer.ip4.rf = false: clear reserved flag * bool normalizer.ip4.tos = false: clear tos / differentiated services byte * bool normalizer.ip4.trim = false: truncate excess payload beyond datagram length - * bool normalizer.tcp.base = true: clear reserved bits and option + * bool normalizer.tcp.base = false: clear reserved bits and option padding and fix urgent pointer / flags issues - * bool normalizer.tcp.block = true: allow packet drops during TCP + * bool normalizer.tcp.block = false: allow packet drops during TCP normalization - * bool normalizer.tcp.urp = true: adjust urgent pointer if beyond + * bool normalizer.tcp.urp = false: adjust urgent pointer if beyond segment length * bool normalizer.tcp.ips = true: ensure consistency in retransmitted data * select normalizer.tcp.ecn = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream } - * bool normalizer.tcp.pad = true: clear any option padding bytes + * bool normalizer.tcp.pad = false: clear any option padding bytes * bool normalizer.tcp.trim_syn = false: remove data on SYN * bool normalizer.tcp.trim_rst = false: remove any data from RST packet 
@@ -8639,15 +8702,15 @@ Configuration: * bool normalizer.tcp.trim_mss = false: trim data to MSS * bool normalizer.tcp.trim = false: enable all of the TCP trim options - * bool normalizer.tcp.opts = true: clear all options except mss, + * bool normalizer.tcp.opts = false: clear all options except mss, wscale, timestamp, and any explicitly allowed - * bool normalizer.tcp.req_urg = true: clear the urgent pointer if + * bool normalizer.tcp.req_urg = false: clear the urgent pointer if the urgent flag is not set - * bool normalizer.tcp.req_pay = true: clear the urgent pointer and + * bool normalizer.tcp.req_pay = false: clear the urgent pointer and the urgent flag if there is no payload - * bool normalizer.tcp.rsv = true: clear the reserved bits in the + * bool normalizer.tcp.rsv = false: clear the reserved bits in the TCP header - * bool normalizer.tcp.req_urp = true: clear the urgent flag if the + * bool normalizer.tcp.req_urp = false: clear the urgent flag if the urgent pointer is not set * multi normalizer.tcp.allow_names: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 } @@ -8787,7 +8850,7 @@ Configuration: 0:max32 } * int perf_monitor.seconds = 60: report interval { 1:max32 } * int perf_monitor.flow_ip_memcap = 52428800: maximum memory in - bytes for flow tracking { 8200:maxSZ } + bytes for flow tracking { 236:maxSZ } * int perf_monitor.max_file_size = 1073741824: files will be rolled over if they exceed this size { 4096:max53 } * int perf_monitor.flow_ports = 1023: maximum ports to track { @@ -9029,7 +9092,13 @@ Rules: Peg counts: - * port_scan.packets: total packets (sum) + * port_scan.packets: number of packets processed by port scan (sum) + * port_scan.trackers: number of trackers allocated by port scan + (sum) + * port_scan.alloc_prunes: number of trackers pruned on allocation + of new tracking (sum) + * port_scan.reload_prunes: number of trackers pruned on reload due + to reduced memcap (sum) 9.33. reputation 
@@ -9386,11 +9455,11 @@ Configuration: extracted from the RCPT TO command * int smtp.max_auth_command_line_len = 1000: max auth command Line Length { 0:65535 } - * int smtp.max_command_line_len = 0: max Command Line Length { + * int smtp.max_command_line_len = 512: max Command Line Length { 0:65535 } - * int smtp.max_header_line_len = 0: max SMTP DATA header line { + * int smtp.max_header_line_len = 1000: max SMTP DATA header line { 0:65535 } - * int smtp.max_response_line_len = 0: max SMTP response line { + * int smtp.max_response_line_len = 512: max SMTP response line { 0:65535 } * enum smtp.normalize = none: turns on/off normalization { none | cmds | all } @@ -10188,8 +10257,10 @@ Usage: detect Configuration: - * interval bufferlen.~range: check that length of current buffer is - in given range { 0:65535 } + * interval bufferlen.~range: check that total length of current + buffer is in given range { 0:65535 } + * implied bufferlen.relative: use remaining length (from current + position) instead of total length 11.8. byte_extract @@ -10989,7 +11060,24 @@ Configuration: message trailers -11.54. http_raw_body +11.54. http_param + +-------------- + +What: rule option to set the detection cursor to the value of the +specified HTTP parameter key which may be in the query or body + +Type: ips_option + +Usage: detect + +Configuration: + + * string http_param.~param: parameter to match + * implied http_param.nocase: case insensitive match + + +11.55. http_raw_body -------------- @@ -11001,7 +11089,7 @@ Type: ips_option Usage: detect -11.55. http_raw_cookie +11.56. http_raw_cookie -------------- @@ -11024,7 +11112,7 @@ Configuration: HTTP message trailers -11.56. http_raw_header +11.57. http_raw_header -------------- @@ -11047,7 +11135,7 @@ Configuration: HTTP message trailers -11.57. http_raw_request +11.58. http_raw_request -------------- @@ -11068,7 +11156,7 @@ Configuration: HTTP message trailers -11.58. http_raw_status +11.59. http_raw_status -------------- 
@@ -11087,7 +11175,7 @@ Configuration: HTTP message trailers -11.59. http_raw_trailer +11.60. http_raw_trailer -------------- @@ -11108,7 +11196,7 @@ Configuration: HTTP response message body (must be combined with request) -11.60. http_raw_uri +11.61. http_raw_uri -------------- @@ -11137,7 +11225,7 @@ Configuration: URI only -11.61. http_stat_code +11.62. http_stat_code -------------- @@ -11155,7 +11243,7 @@ Configuration: HTTP message trailers -11.62. http_stat_msg +11.63. http_stat_msg -------------- @@ -11174,7 +11262,7 @@ Configuration: HTTP message trailers -11.63. http_trailer +11.64. http_trailer -------------- @@ -11196,7 +11284,7 @@ Configuration: message body (must be combined with request) -11.64. http_true_ip +11.65. http_true_ip -------------- @@ -11217,7 +11305,7 @@ Configuration: HTTP message trailers -11.65. http_uri +11.66. http_uri -------------- @@ -11245,7 +11333,7 @@ Configuration: only -11.66. http_version +11.67. http_version -------------- @@ -11267,7 +11355,7 @@ Configuration: HTTP message trailers -11.67. icmp_id +11.68. icmp_id -------------- @@ -11283,7 +11371,7 @@ Configuration: 0:65535 } -11.68. icmp_seq +11.69. icmp_seq -------------- @@ -11299,7 +11387,7 @@ Configuration: given range { 0:65535 } -11.69. icode +11.70. icode -------------- @@ -11315,7 +11403,7 @@ Configuration: 0:255 } -11.70. id +11.71. id -------------- @@ -11331,7 +11419,7 @@ Configuration: } -11.71. ip_proto +11.72. ip_proto -------------- @@ -11346,7 +11434,7 @@ Configuration: * string ip_proto.~proto: [!|>|<] name or number -11.72. ipopts +11.73. ipopts -------------- @@ -11362,7 +11450,7 @@ Configuration: lsrre|ssrr|satid|any } -11.73. isdataat +11.74. isdataat -------------- @@ -11379,7 +11467,7 @@ Configuration: buffer -11.74. itype +11.75. itype -------------- @@ -11395,7 +11483,7 @@ Configuration: 0:255 } -11.75. md5 +11.76. md5 -------------- 
@@ -11415,12 +11503,12 @@ Configuration: of buffer -11.76. metadata +11.77. metadata -------------- -What: rule option for conveying arbitrary name, value data within the -rule text +What: rule option for conveying arbitrary comma-separated name, value +data within the rule text Type: ips_option @@ -11432,7 +11520,7 @@ Configuration: pairs -11.77. modbus_data +11.78. modbus_data -------------- @@ -11443,7 +11531,7 @@ Type: ips_option Usage: detect -11.78. modbus_func +11.79. modbus_func -------------- @@ -11458,7 +11546,7 @@ Configuration: * string modbus_func.~: function code to match -11.79. modbus_unit +11.80. modbus_unit -------------- @@ -11473,7 +11561,7 @@ Configuration: * int modbus_unit.~: Modbus unit ID { 0:255 } -11.80. msg +11.81. msg -------------- @@ -11488,7 +11576,7 @@ Configuration: * string msg.~: message describing rule -11.81. mss +11.82. mss -------------- @@ -11504,7 +11592,7 @@ Configuration: } -11.82. pcre +11.83. pcre -------------- @@ -11518,8 +11606,15 @@ Configuration: * string pcre.~re: Snort regular expression +Peg counts: + + * pcre.pcre_rules: total rules processed with pcre option (sum) + * pcre.pcre_to_hyper: total pcre rules by hyperscan engine (sum) + * pcre.pcre_native: total pcre rules compiled by pcre engine (sum) + * pcre.pcre_negated: total pcre rules using negation syntax (sum) -11.83. pkt_data + +11.84. pkt_data -------------- @@ -11531,7 +11626,7 @@ Type: ips_option Usage: detect -11.84. pkt_num +11.85. pkt_num -------------- @@ -11547,7 +11642,7 @@ Configuration: { 1: } -11.85. priority +11.86. priority -------------- @@ -11563,7 +11658,7 @@ Configuration: 1:max31 } -11.86. raw_data +11.87. raw_data -------------- @@ -11574,7 +11669,7 @@ Type: ips_option Usage: detect -11.87. reference +11.88. reference -------------- @@ -11590,7 +11685,7 @@ Configuration: * string reference.~id: reference id -11.88. regex +11.89. regex -------------- 
@@ -11613,7 +11708,7 @@ Configuration: instead of start of buffer -11.89. rem +11.90. rem -------------- @@ -11628,7 +11723,7 @@ Configuration: * string rem.~: comment -11.90. replace +11.91. replace -------------- @@ -11643,7 +11738,7 @@ Configuration: * string replace.~: byte code to replace with -11.91. rev +11.92. rev -------------- @@ -11658,7 +11753,7 @@ Configuration: * int rev.~: revision { 1:max32 } -11.92. rpc +11.93. rpc -------------- @@ -11675,7 +11770,7 @@ Configuration: * string rpc.~proc: procedure number or * for any -11.93. s7commplus_content +11.94. s7commplus_content -------------- @@ -11686,7 +11781,7 @@ Type: ips_option Usage: detect -11.94. s7commplus_func +11.95. s7commplus_func -------------- @@ -11701,7 +11796,7 @@ Configuration: * string s7commplus_func.~: function code to match -11.95. s7commplus_opcode +11.96. s7commplus_opcode -------------- @@ -11716,7 +11811,7 @@ Configuration: * string s7commplus_opcode.~: opcode code to match -11.96. sd_pattern +11.97. sd_pattern -------------- @@ -11740,7 +11835,7 @@ Peg counts: * sd_pattern.terminated: hyperscan terminated (sum) -11.97. seq +11.98. seq -------------- @@ -11756,7 +11851,7 @@ Configuration: range { 0: } -11.98. service +11.99. service -------------- @@ -11771,7 +11866,7 @@ Configuration: * string service.*: one or more comma-separated service names -11.99. session +11.100. session -------------- @@ -11786,7 +11881,7 @@ Configuration: * enum session.~mode: output format { printable|binary|all } -11.100. sha256 +11.101. sha256 -------------- @@ -11806,7 +11901,7 @@ Configuration: start of buffer -11.101. sha512 +11.102. sha512 -------------- @@ -11826,7 +11921,7 @@ Configuration: start of buffer -11.102. sid +11.103. sid -------------- @@ -11841,7 +11936,7 @@ Configuration: * int sid.~: signature id { 1:max32 } -11.103. sip_body +11.104. sip_body -------------- @@ -11852,7 +11947,7 @@ Type: ips_option Usage: detect -11.104. sip_header +11.105. sip_header -------------- 
@@ -11864,7 +11959,7 @@ Type: ips_option Usage: detect -11.105. sip_method +11.106. sip_method -------------- @@ -11879,7 +11974,7 @@ Configuration: * string sip_method.*method: sip method -11.106. sip_stat_code +11.107. sip_stat_code -------------- @@ -11894,7 +11989,7 @@ Configuration: * int sip_stat_code.*code: status code { 1:999 } -11.107. so +11.108. so -------------- @@ -11911,7 +12006,7 @@ Configuration: buffer -11.108. soid +11.109. soid -------------- @@ -11927,7 +12022,7 @@ Configuration: like 3_45678_9 -11.109. ssl_state +11.110. ssl_state -------------- @@ -11956,7 +12051,7 @@ Configuration: unknown -11.110. ssl_version +11.111. ssl_version -------------- @@ -11983,7 +12078,7 @@ Configuration: tls1.2 -11.111. stream_reassemble +11.112. stream_reassemble -------------- @@ -12004,7 +12099,7 @@ Configuration: remainder of the session -11.112. stream_size +11.113. stream_size -------------- @@ -12022,7 +12117,7 @@ Configuration: direction(s) { either|to_server|to_client|both } -11.113. tag +11.114. tag -------------- @@ -12041,7 +12136,7 @@ Configuration: * int tag.bytes: tag for this many bytes { 1:max32 } -11.114. target +11.115. target -------------- @@ -12057,7 +12152,7 @@ Configuration: dst_ip } -11.115. tos +11.116. tos -------------- @@ -12072,7 +12167,7 @@ Configuration: * interval tos.~range: check if IP TOS is in given range { 0:255 } -11.116. ttl +11.117. ttl -------------- @@ -12088,7 +12183,7 @@ Configuration: 0:255 } -11.117. urg +11.118. urg -------------- @@ -12104,7 +12199,7 @@ Configuration: { 0:65535 } -11.118. window +11.119. window -------------- @@ -12120,7 +12215,7 @@ Configuration: range { 0:65535 } -11.119. wscale +11.120. wscale -------------- 
@@ -14548,6 +14643,8 @@ these libraries see the Getting Started section of the manual. * --max-packet-threads configure maximum number of packet threads (same as -z) (0:max32) * --mem-check like -T but also compile search engines + * --metadata-filter load only rules containing filter + string in metadata if set * --nostamps don’t include timestamps in log file names * --nolock-pidfile do not try to lock Snort PID file * --pause wait for resume/quit command before processing packets/ @@ -14599,6 +14696,8 @@ these libraries see the Getting Started section of the manual. * --version show version number (same as -V) * --warn-all enable all warnings * --warn-conf warn about configuration issues + * --warn-conf-strict warn about unrecognized elements in + configuration files * --warn-daq warn about DAQ issues, usually related to mode * --warn-flowbits warn about flowbits that are checked but not set and vice-versa @@ -14747,7 +14846,7 @@ these libraries see the Getting Started section of the manual. -65535:65535 } * int attribute_table.max_hosts = 1024: maximum number of hosts in attribute table { 32:max53 } - * int attribute_table.max_metadata_services = 8: maximum number of + * int attribute_table.max_metadata_services = 9: maximum number of services in rule { 1:255 } * int attribute_table.max_services_per_host = 8: maximum number of services per host entry in attribute table { 1:65535 } 
@@ -14793,8 +14892,10 @@ these libraries see the Getting Started section of the manual. * bit_list binder[].when.src_zone: source zone { 63 } * bit_list binder[].when.vlans: list of VLAN IDs { 4095 } * bit_list binder[].when.zones: zones { 63 } - * interval bufferlen.~range: check that length of current buffer is - in given range { 0:65535 } + * interval bufferlen.~range: check that total length of current + buffer is in given range { 0:65535 } + * implied bufferlen.relative: use remaining length (from current + position) instead of total length * int byte_extract.align = 0: round the number of converted bytes up to the next 2- or 4-byte boundary { 0:4 } * implied byte_extract.big: big endian @@ -14994,15 +15095,21 @@ these libraries see the Getting Started section of the manual. disable rules by default (overridden by ips policy settings) * bool detection.global_rule_state = false: apply rule_state against all policies + * bool detection.hyperscan_literals = false: use hyperscan for + content literal searches instead of boyer-moore * int detection.offload_limit = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 } * int detection.offload_threads = 0: maximum number of simultaneous offloads (defaults to disabled) { 0:max32 } - * bool detection.pcre_enable = true: disable pcre pattern matching + * bool detection.pcre_enable = true: enable pcre pattern matching * int detection.pcre_match_limit = 1500: limit pcre backtracking, 0 = off { 0:max32 } * int detection.pcre_match_limit_recursion = 1500: limit pcre stack consumption, 0 = off { 0:max32 } + * bool detection.pcre_override = true: enable pcre match limit + overrides when pattern matching (ie ignore /O) + * bool detection.pcre_to_regex = false: enable the use of regex + instead of pcre for compatible expressions * int detection.trace: mask for enabling debug traces in module { 0:max53 } * bool dnp3.check_crc = false: validate checksums in DNP3 link 
@@ -15252,7 +15359,7 @@ these libraries see the Getting Started section of the manual. examining HTTP message headers * implied http_header.with_trailer: parts of this rule examine HTTP message trailers - * bool http_inspect.backslash_to_slash = false: replace \ with / + * bool http_inspect.backslash_to_slash = true: replace \ with / when normalizing URIs * bit_list http_inspect.bad_characters: alert when any of specified bytes are present in URI after percent decoding { 255 } @@ -15268,7 +15375,7 @@ these libraries see the Getting Started section of the manual. specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) } - * bool http_inspect.iis_double_decode = false: perform double + * bool http_inspect.iis_double_decode = true: perform double decoding of percent encodings to normalize characters * int http_inspect.iis_unicode_code_page = 1252: code page to use from the IIS unicode map file { 0:65535 } @@ -15308,6 +15415,8 @@ these libraries see the Getting Started section of the manual. examining HTTP message headers * implied http_method.with_trailer: parts of this rule examine HTTP message trailers + * implied http_param.nocase: case insensitive match + * string http_param.~param: parameter to match * implied http_raw_cookie.request: match against the cookie from the request message even when examining the response * implied http_raw_cookie.with_body: parts of this rule examine @@ -15529,7 +15638,7 @@ these libraries see the Getting Started section of the manual. normalizing { 1:255 } * bool normalizer.icmp4 = false: clear reserved flag * bool normalizer.icmp6 = false: clear reserved flag - * bool normalizer.ip4.base = true: clear options + * bool normalizer.ip4.base = false: clear options * bool normalizer.ip4.df = false: clear don’t frag flag * bool normalizer.ip4.rf = false: clear reserved flag * bool normalizer.ip4.tos = false: clear tos / differentiated 
@@ -15540,24 +15649,24 @@ these libraries see the Getting Started section of the manual. * string normalizer.tcp.allow_codes: don’t clear given option codes * multi normalizer.tcp.allow_names: don’t clear given option names { sack | echo | partial_order | conn_count | alt_checksum | md5 } - * bool normalizer.tcp.base = true: clear reserved bits and option + * bool normalizer.tcp.base = false: clear reserved bits and option padding and fix urgent pointer / flags issues - * bool normalizer.tcp.block = true: allow packet drops during TCP + * bool normalizer.tcp.block = false: allow packet drops during TCP normalization * select normalizer.tcp.ecn = off: clear ecn for all packets | sessions w/o ecn setup { off | packet | stream } * bool normalizer.tcp.ips = true: ensure consistency in retransmitted data - * bool normalizer.tcp.opts = true: clear all options except mss, + * bool normalizer.tcp.opts = false: clear all options except mss, wscale, timestamp, and any explicitly allowed - * bool normalizer.tcp.pad = true: clear any option padding bytes - * bool normalizer.tcp.req_pay = true: clear the urgent pointer and + * bool normalizer.tcp.pad = false: clear any option padding bytes + * bool normalizer.tcp.req_pay = false: clear the urgent pointer and the urgent flag if there is no payload - * bool normalizer.tcp.req_urg = true: clear the urgent pointer if + * bool normalizer.tcp.req_urg = false: clear the urgent pointer if the urgent flag is not set - * bool normalizer.tcp.req_urp = true: clear the urgent flag if the + * bool normalizer.tcp.req_urp = false: clear the urgent flag if the urgent pointer is not set - * bool normalizer.tcp.rsv = true: clear the reserved bits in the + * bool normalizer.tcp.rsv = false: clear the reserved bits in the TCP header * bool normalizer.tcp.trim = false: enable all of the TCP trim options 
@@ -15566,7 +15675,7 @@ these libraries see the Getting Started section of the manual. packet * bool normalizer.tcp.trim_syn = false: remove data on SYN * bool normalizer.tcp.trim_win = false: trim data to window - * bool normalizer.tcp.urp = true: adjust urgent pointer if beyond + * bool normalizer.tcp.urp = false: adjust urgent pointer if beyond segment length * bool output.dump_chars_only = false: turns on character dumps (same as -C) @@ -15612,7 +15721,7 @@ these libraries see the Getting Started section of the manual. * bool perf_monitor.flow_ip = false: enable statistics on host pairs * int perf_monitor.flow_ip_memcap = 52428800: maximum memory in - bytes for flow tracking { 8200:maxSZ } + bytes for flow tracking { 236:maxSZ } * int perf_monitor.flow_ports = 1023: maximum ports to track { 0:65535 } * enum perf_monitor.format = csv: output format for stats { csv | @@ -15993,11 +16102,11 @@ these libraries see the Getting Started section of the manual. extracted from the RCPT TO command * int smtp.max_auth_command_line_len = 1000: max auth command Line Length { 0:65535 } - * int smtp.max_command_line_len = 0: max Command Line Length { + * int smtp.max_command_line_len = 512: max Command Line Length { 0:65535 } - * int smtp.max_header_line_len = 0: max SMTP DATA header line { + * int smtp.max_header_line_len = 1000: max SMTP DATA header line { 0:65535 } - * int smtp.max_response_line_len = 0: max SMTP response line { + * int smtp.max_response_line_len = 512: max SMTP response line { 0:65535 } * string smtp.normalize_cmds: list of commands to normalize * enum smtp.normalize = none: turns on/off normalization { none | 
@@ -16106,6 +16215,8 @@ these libraries see the Getting Started section of the manual. of packet threads (same as -z) { 0:max32 } * implied snort.--mem-check: like -T but also compile search engines + * string snort.--metadata-filter: load only rules + containing filter string in metadata if set * implied snort.-M: log messages to syslog (not alerts) * int snort.-m: set the process file mode creation mask { 0x000:0x1FF } @@ -16189,6 +16300,8 @@ these libraries see the Getting Started section of the manual. * implied snort.--version: show version number (same as -V) * implied snort.-V: (same as --version) * implied snort.--warn-all: enable all warnings + * implied snort.--warn-conf-strict: warn about unrecognized + elements in configuration files * implied snort.--warn-conf: warn about configuration issues * implied snort.--warn-daq: warn about DAQ issues, usually related to mode 
@@ -16756,15 +16869,15 @@ these libraries see the Getting Started section of the manual. received without a local flow (sum) * high_availability.update_msgs_recv: update messages received (sum) - * host_cache.lru_cache_adds: lru cache added new entry (sum) - * host_cache.lru_cache_find_hits: lru cache found entry in cache + * host_cache.adds: lru cache added new entry (sum) + * host_cache.alloc_prunes: lru cache pruned entry to make space for + new entry (sum) + * host_cache.find_hits: lru cache found entry in cache (sum) + * host_cache.find_misses: lru cache did not find entry in cache (sum) - * host_cache.lru_cache_find_misses: lru cache did not find entry in - cache (sum) - * host_cache.lru_cache_prunes: lru cache pruned entry to make space - for new entry (sum) - * host_cache.lru_cache_removes: lru cache found entry and removed - it (sum) + * host_cache.reload_prunes: lru cache pruned entry for lower memcap + during reload (sum) + * host_cache.removes: lru cache found entry and removed it (sum) * host_tracker.service_adds: host service adds (sum) * host_tracker.service_finds: host service finds (sum) * http2_inspect.concurrent_sessions: total concurrent HTTP/2 @@ -16772,6 +16885,8 @@ these libraries see the Getting Started section of the manual. * http2_inspect.flows: HTTP connections inspected (sum) * http2_inspect.max_concurrent_sessions: maximum concurrent HTTP/2 sessions (max) + * http2_inspect.max_table_entries: maximum entries in an HTTP/2 + dynamic table (max) * http_inspect.chunked: chunked message bodies (sum) * http_inspect.concurrent_sessions: total concurrent http sessions (now) 
@@ -16779,6 +16894,8 @@ these libraries see the Getting Started section of the manual. * http_inspect.delete_requests: DELETE requests inspected (sum) * http_inspect.detained_packets: TCP packets delayed by detained inspection (sum) + * http_inspect.excess_parameters: repeat parameters exceeding max + (sum) * http_inspect.flows: HTTP connections inspected (sum) * http_inspect.get_requests: GET requests inspected (sum) * http_inspect.head_requests: HEAD requests inspected (sum) @@ -16788,6 +16905,7 @@ these libraries see the Getting Started section of the manual. * http_inspect.options_requests: OPTIONS requests inspected (sum) * http_inspect.other_requests: other request methods inspected (sum) + * http_inspect.parameters: HTTP parameters inspected (sum) * http_inspect.partial_inspections: pre-inspections for detained inspection (sum) * http_inspect.post_requests: POST requests inspected (sum) @@ -16932,6 +17050,10 @@ these libraries see the Getting Started section of the manual. * packet_capture.captured: packets matching dumped after matching filter (sum) * packet_capture.processed: packets processed against filter (sum) + * pcre.pcre_native: total pcre rules compiled by pcre engine (sum) + * pcre.pcre_negated: total pcre rules using negation syntax (sum) + * pcre.pcre_rules: total rules processed with pcre option (sum) + * pcre.pcre_to_hyper: total pcre rules by hyperscan engine (sum) * perf_monitor.alloc_prunes: flows pruned on allocation of IP flows (sum) * perf_monitor.packets: total packets processed by performance 
@@ -16955,7 +17077,13 @@ these libraries see the Getting Started section of the manual. * pop.sessions: total pop sessions (sum) * pop.uu_attachments: total uu attachments decoded (sum) * pop.uu_decoded_bytes: total uu decoded bytes (sum) - * port_scan.packets: total packets (sum) + * port_scan.alloc_prunes: number of trackers pruned on allocation + of new tracking (sum) + * port_scan.packets: number of packets processed by port scan (sum) + * port_scan.reload_prunes: number of trackers pruned on reload due + to reduced memcap (sum) + * port_scan.trackers: number of trackers allocated by port scan + (sum) * rate_filter.no_memory: number of times rate filter ran out of memory (sum) * reputation.blacklisted: number of packets blacklisted (sum) @@ -17648,6 +17776,7 @@ these libraries see the Getting Started section of the manual. value * 119:248 (http_inspect) gzip compressed data followed by unexpected non-gzip data + * 119:249 (http_inspect) excessive HTTP parameter key repeats * 121:1 (http2_inspect) error in HPACK integer value * 121:2 (http2_inspect) HPACK integer value has leading zeros * 121:3 (http2_inspect) error in HPACK string value @@ -17661,6 +17790,8 @@ these libraries see the Getting Started section of the manual. * 121:10 (http2_inspect) invalid HTTP/2 header field * 121:11 (http2_inspect) error in HTTP/2 settings frame * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame + * 121:13 (http2_inspect) invalid HTTP/2 frame sequence + * 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded * 122:1 (port_scan) TCP portscan * 122:2 (port_scan) TCP decoy portscan * 122:3 (port_scan) TCP portsweep 
@@ -18512,6 +18643,9 @@ deleted -> unified2: 'vlan_event_types' * http_inspect (inspector): HTTP inspector * http_method (ips_option): rule option to set the detection cursor to the HTTP request method + * http_param (ips_option): rule option to set the detection cursor + to the value of the specified HTTP parameter key which may be in + the query or body * http_raw_body (ips_option): rule option to set the detection cursor to the unnormalized message body * http_raw_cookie (ips_option): rule option to set the detection @@ -18538,6 +18672,8 @@ deleted -> unified2: 'vlan_event_types' the normalized URI buffer * http_version (ips_option): rule option to set the detection cursor to the version buffer + * hyperscan (search_engine): intel hyperscan-based mpse with regex + support * icmp4 (codec): support for Internet control message protocol v4 * icmp6 (codec): support for Internet control message protocol v6 * icmp_id (ips_option): rule option to check ICMP ID @@ -18564,8 +18700,8 @@ deleted -> unified2: 'vlan_event_types' * md5 (ips_option): payload rule option for hash matching * mem_test (inspector): for testing memory management * memory (basic): memory management configuration - * metadata (ips_option): rule option for conveying arbitrary name, - value data within the rule text + * metadata (ips_option): rule option for conveying arbitrary + comma-separated name, value data within the rule text * modbus (inspector): modbus inspection * modbus_data (ips_option): rule option to set cursor to modbus data 
@@ -18914,6 +19050,9 @@ deleted -> unified2: 'vlan_event_types' to the normalized headers * ips_option::http_method: rule option to set the detection cursor to the HTTP request method + * ips_option::http_param: rule option to set the detection cursor + to the value of the specified HTTP parameter key which may be in + the query or body * ips_option::http_raw_body: rule option to set the detection cursor to the unnormalized message body * ips_option::http_raw_cookie: rule option to set the detection @@ -18950,8 +19089,8 @@ deleted -> unified2: 'vlan_event_types' payload data * ips_option::itype: rule option to check ICMP type * ips_option::md5: payload rule option for hash matching - * ips_option::metadata: rule option for conveying arbitrary name, - value data within the rule text + * ips_option::metadata: rule option for conveying arbitrary + comma-separated name, value data within the rule text * ips_option::modbus_data: rule option to set cursor to modbus data * ips_option::modbus_func: rule option to check modbus function code 
@@ -19063,33 +19202,14 @@ a restart: * attribute_table.max_hosts * attribute_table.max_services_per_host * daq.snaplen - * daq.no_promisc * detection.asn1 * file_id.max_files_cached - * port_scan.memcap * process.chroot * process.daemon * process.set_gid * process.set_uid - * stream.footprint - * stream.ip_cache.max_sessions - * stream.ip_cache.pruning_timeout - * stream.ip_cache.idle_timeout - * stream.icmp_cache.max_sessions - * stream.icmp_cache.pruning_timeout - * stream.icmp_cache.idle_timeout - * stream.tcp_cache.max_sessions - * stream.tcp_cache.pruning_timeout - * stream.tcp_cache.idle_timeout - * stream.udp_cache.max_sessions - * stream.udp_cache.pruning_timeout - * stream.udp_cache.idle_timeout - * stream.user_cache.max_sessions - * stream.user_cache.pruning_timeout - * stream.user_cache.idle_timeout - * stream.file_cache.max_sessions - * stream.file_cache.pruning_timeout - * stream.file_cache.idle_timeout + * snort.--bpf + * snort.-l In addition, the following scenarios require a restart: diff --git a/src/main/build.h b/src/main/build.h index f9190e66c..6bb172a27 100644 --- a/src/main/build.h +++ b/src/main/build.h @@ -12,7 +12,7 @@ // // //-----------------------------------------------// -#define BUILD_NUMBER 267 +#define BUILD_NUMBER 268 #ifndef EXTRABUILD #define BUILD STRINGIFY_MX(BUILD_NUMBER)
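Review bot: In the detection hunk (@@ -14994,15 +15095,21 @@) the new help text `detection.pcre_override = true: enable pcre match limit overrides when pattern matching (ie ignore /O)` reads as self-contradictory, because enabling overrides and ignoring the /O modifier are opposite behaviours. Please state plainly what `true` does: either /O in a rule is honoured and lifts `pcre_match_limit` / `pcre_match_limit_recursion` for that expression, or /O is ignored and the limits always apply. Rule authors who use /O on a handful of heavy expressions need to know which default they get, and the wording fix applied to `pcre_enable` in the same hunk ("disable" to "enable") is exactly the kind of correction this line also needs.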
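Review bot: The two default flips in the http_inspect hunks (@@ -15252 and @@ -15268), `backslash_to_slash` false to true and `iis_double_decode` false to true, change what every rule sees in the normalized URI buffer with no opt-in, and the only record of that here is a regenerated reference listing. Double percent-decoding is an evasion countermeasure, but it also rewrites any legitimate URI whose first decode yields a second percent sequence, so rules keyed on literal encoded characters will start matching differently after upgrade. A deployment note in the changelog summary (what changed, and that the old behaviour is restored by setting `iis_double_decode = false` and `backslash_to_slash = false` in http_inspect) would spare operators the surprise.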
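Review bot: In the normalizer hunks (@@ -15540,24 +15649,24 @@ and @@ -15566), nine `normalizer.tcp.*` options (base, block, opts, pad, req_pay, req_urg, req_urp, rsv, urp) and `normalizer.ip4.base` flip their defaults from true to false, while `normalizer.tcp.ips = true` keeps its default. A normalizer configuration that relied on those defaults previously got option stripping, reserved-bit clearing and urgent-pointer fixes automatically and now gets none of it unless each option is set explicitly, and with `block = false` normalization no longer allows packet drops by default. That is a fail-open change for inline deployments; the changelog entry should call it out and list the explicit settings needed to keep the previous behaviour.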
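Review bot: In the smtp hunk (@@ -15993,11 +16102,11 @@) the defaults for `max_command_line_len`, `max_header_line_len` and `max_response_line_len` move from 0 to 512, 1000 and 512, but the help text still does not say what 0 means even though 0 stays inside `{ 0:65535 }`. Say explicitly whether 0 disables the length check, using the wording this file already uses for `detection.pcre_match_limit` (`0 = off`); otherwise an operator who wants the old behaviour back cannot tell from the reference whether 0 or 65535 is the right value.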
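Review bot: The host_cache hunk (@@ -16756,15 +16869,15 @@) renames every peg counter (`lru_cache_adds` to `adds`, `lru_cache_find_hits` to `find_hits`, and so on) and splits `lru_cache_prunes` into `alloc_prunes` and `reload_prunes`. Any dashboard or perf_monitor consumer keyed on the old names silently loses those series after upgrade, and prune totals are no longer directly comparable because they are now two counters. A one-line old-to-new mapping belongs in the changelog, and the port_scan hunk (@@ -16955,7 +17077,13 @@), which replaces the single `port_scan.packets` description with `alloc_prunes`, `packets`, `reload_prunes` and `trackers`, deserves the same treatment.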
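Review bot: In the pcre peg hunk (@@ -16932,6 +17050,10 @@) the description `pcre.pcre_to_hyper: total pcre rules by hyperscan engine (sum)` is missing its verb; the sibling `pcre_native` says `compiled by pcre engine`, so this should read `total pcre rules compiled by hyperscan engine`. It would also help to state how these four counters relate (whether `pcre_rules` equals `pcre_native` plus `pcre_to_hyper`, and whether rules counted in `pcre_negated` are excluded from conversion), since these pegs are what an operator will use to confirm that `detection.pcre_to_regex = true` is actually taking effect.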
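Review bot: In the snort command-line hunk (@@ -16106,6 +16215,8 @@) the help text for `snort.--metadata-filter: load only rules containing filter string in metadata if set` leaves the matching semantics open: "containing" suggests a plain substring test, under which a filter string is also satisfied by any longer value that happens to contain it, and the `metadata` option is documented later in this same patch (@@ -18564) as carrying comma-separated name, value pairs. State whether the filter is matched as a substring of the whole metadata text or against individual comma-separated entries, so that users selecting rule subsets for a narrow deployment do not load more than they intended.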
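Review bot: In the restart-required hunk (@@ -19063,33 +19202,14 @@), removing `port_scan.memcap` and the `stream.*_cache.max_sessions`, `pruning_timeout` and `idle_timeout` entries asserts that these now take effect on reload. The `port_scan.reload_prunes` and `host_cache.reload_prunes` counters added earlier in this patch corroborate that for port_scan and the host cache, but nothing here shows how the stream caches shrink when `max_sessions` is lowered at reload, or what happens to flows already past a new, shorter `idle_timeout`. Please reference the reload handling for the stream caches or add matching reload counters so the documentation change is backed by visible behaviour. Also, `snort.--bpf` and `snort.-l` are the first command-line arguments in this list; a word on why they appear alongside config keys would avoid confusion.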