From: Russ Combs (rucombs) <rucombs@cisco.com>
Date: Mon, 1 Apr 2019 03:53:48 +0000 (-0400)
Subject: Merge pull request #1561 in SNORT/snort3 from ~RUCOMBS/snort3:build_251 to master
X-Git-Tag: 3.0.0-251
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=973943afd59deaad23b39254b6efdf4739469686;p=thirdparty%2Fsnort3.git

Merge pull request #1561 in SNORT/snort3 from ~RUCOMBS/snort3:build_251 to master

Squashed commit of the following:

commit fee3b901d26c6e60bf00d7e205b2d819c40bea78
Author: Russ Combs <rucombs@cisco.com>
Date:   Sun Mar 31 02:00:29 2019 -0400

    doc: update default manuals

commit ccde7e61569f60e8b0216e9a0252ad9f1ff2dffd
Author: Russ Combs <rucombs@cisco.com>
Date:   Fri Mar 29 17:18:25 2019 -0400

    build: generate and tag build 251

commit aab8ef499785065115554f39b284ab1808cb3d1e
Author: russ <rucombs@cisco.com>
Date:   Sun Mar 31 00:34:55 2019 -0400

    doc: fixup markup escapes
---

diff --git a/ChangeLog b/ChangeLog
index cdd78cc16..77f159a11 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,199 @@
+19/03/31 - build 251
+
+-- ActionManager: actions are tracked per packet for accurate packet suspension
+-- DetectionEngine: make onload safe for reentrance
+-- DetectionEngine: stall when out of contexts
+-- Flow: is_offloaded is now is_suspended
+-- IpsContext: removed useless SUSPENDED_OFFLOAD state
+-- Mpse: Addition and use of offload search method/engine
+-- Mpse: fixed build warning about constness of get_pattern_count
+-- MpseBatch: refactor into separate files
+-- Packet: fixed thread safety in onload flag checks
+-- RegexOffload: onload whatever is ready
+-- RegexOffload: refactor into mode-specific subclasses
+-- appid: Fix for FTP detection with multiline server response split across multiple packets
+-- appid: add unit test to make sure the AppIdServiceStateKey::operator<() is OK and modify
+   existing service cache memcap test to alternate ipv4 and ipv6 addresses.
+-- appid: change the service queue to store map iterators rather than the actual keys, as
+   (a) map iterators are stable and (b) sizeof(map::iterator)=8 while sizeof(key)=28.
+-- appid: compute the size of the memory used for a service cache entry only once, as it is
+   constant, and make it global.
+-- appid: fix AppIdServiceStateKey::operator<().
+-- appid: fix client discovery to only check on the first data packet.
+-- appid: fix comment in client_discovery.cc.
+-- appid: fix double free in service_state_queue and address reviewers comments.
+-- appid: fixup profiling
+-- appid: get rid of the map::find() in MapList::add(), just try to emplace directly.
+-- appid: implement service cache touch(). Must figure out where to call it from.
+-- appid: implement service discovery state queue to honor memcap.
+-- appid: introduce min memcap of 1024 with a default of 1Mb and refactor
+   AppIdServiceState::remove() to accept a ServiceCache_t::iterator rather than ip, proto,
+   port and decrypted.
+-- appid: introduce the do_touch flag to the add/get functions and call those functions with
+   the appropriate flag.
+-- appid: keep cppcheck happy.
+-- appid: more cppcheck clean-up.
+-- appid: pass HostPortKey by reference in HostPortKey::operator<().
+-- appid: put the service_state_cache and the service_state_queue into a class in its own
+   right and refactor the code.
+-- appid: remove forgotten WhereMacro.
+-- appid: rename some global variables in http_url_patterns_test.cc to suppress cppcheck messages.
+-- appid: replace the custom AppIdServiceCacheKey::operator< with memcmp in both service_state.h
+   and host_port_app_cache.cc.
+-- appid: return void in ClientDiscovery::exec_client_detectors() and set client_disco_state to
+   FINISHED in all cases except when the client validate returns APPID_INPROCESS.
+-- appid: set a range for app_stats_period parameter
+-- appid: skip empty detectors
+-- appid: the service queue should be of type AppIdServiceStateKey.
+-- appid: unit test for service cache and call the touch function.
+-- appid: untabify service_state.h and test/service_state_test.cc.
+-- appid: update unit test file.
+-- binder: Reset flow gadget and protocol ID on failed rebinding
+-- binder: store user set ips policy id from lua
+-- build: Add better support for libiconv on systems with iconv-providing libc
+-- build: fix always true warning
+-- build: fix constness warnings
+-- build: fix cppcheck warnings for file_connector, tcp_connector, ports, snort2lua, and
+   piglet_plugins,
+-- build: fix override warning
+-- catch: Update to Catch v2.7.0
+-- cd_tcp: some light refactoring
+-- conf: remove obscure and slow automatic iface var assignments; use Lua instead
+-- config: Use basename_r() function for FreeBSD versions < 12.0.0
+-- control: Avoid deleting objects on write failures so that they get deleted from main thread
+   during read polling
+-- copyright: update year to 2019
+-- cppcheck: fix some basic warnings
+-- dce_rpc: Added support to handle smb header compounding
+-- dce_rpc: Limiting each signature alert to once per session using 'limit_alerts' config
+-- dce_rpc: fix cppcheck warnings
+-- dce_rpc: fix style warning non-boolean returned
+-- decompress: add zip file decompression
+-- detection, snort2lua: added global rule state options for legacy conversions
+-- detection: Add search batching infrastructure
+-- detection: allow suspension of entire chains of contexts
+-- detection: fixed incorrect log messages
+-- detection: only swap offload configs when they change
+-- detection: split fast pattern processing when using context suspension
+-- doc: add a section for reload limitations
+-- doc: update default manuals
+-- doc: update reload limitations - adding/removing stream_*
+-- file: fixed data race at shutdown
+-- file_api: Added nullptr checking to prevent segfaults when file mempool is not configured
+-- file_api: call FileContext::set_file_name() from FileFlows::set_file_name with
+   fname = nullptr, in order to generate file event.
+-- file_api: fail the reload if max_files_cache is changed  or if capture was initially enabled
+   and capture_memcap or capture_block_size change
+-- file_api: fix policy lookup
+-- file_capture: refactor max size handling
+-- filters: call get_ips_policy instead of get_network_policy when building the key for
+   rate filter.
+-- flow: Added a support to store generic objects in a stash
+-- flow: support for flow stash - allows storage of integers and strings
+-- flow_control: remove unused session flag
+-- fp_detect: suspend instead of onload if fp_local can't occur yet
+-- hash: Added lru_cache_shared.h to HASH_INCLUDES
+-- hash: Moved list_iter assignment inside to avoid improper memory access in LruCacheShared
+-- http_inspect: disable reg test assertion until interface with stream_tcp is updated
+-- http_inspect: patch around buffer ownership confusion
+-- ips_context: minimize iterations to clear data
+-- ips_options: implement FileTypeOption::hash() and FileTypeOption::operator==(), inherited
+   from IpsOption, using the types bitset array, in order to distinguish between different
+   file type options.
+-- loggers: add alert_talos, use in talos tweak
+-- loggers: alert_talos: fix copyright, author, unneeded check
+-- loggers: alert_talos: fix copyright, warnings
+-- loggers: alert_talos: fix cppcheck error
+-- loggers: alert_talos: fix include order
+-- loggers: alert_talos: fix memory leak
+-- loggers: workaround for cppcheck's false warning
+-- lua: make RTF file magic more generic
+-- main: log message when all pthreads started (REG_TEST only)
+-- main: shell commands and signals executed only after snort finish startup
+-- memory: Use only one variable to keep track of allocated and deallocated memory
+-- memory: add configurable L3/L4 specific weights for better estimation against cap
+-- memory: add size_of to various FlowData subclasses
+-- memory: apply fudge factor to tracking to better align with RSS
+-- memory: basic flow data allocation tracking
+-- memory: basic flow pruning
+-- memory: beware the perf_monitor, for she stealeth your numbers
+-- memory: do not re-enter the pruner
+-- memory: fix re-entry check
+-- memory: increase default tcp cache cap weight; fix default values
+-- memory: initial preemptive pruning based on flow data
+-- memory: refactor stats
+-- memory: remove overloading manager to make way for new implementation
+-- memory: remove useless thread local
+-- memory: require subclass implementation of FlowData::size_of()
+-- memory: track session allocations
+-- mime: add file decompression
+-- misc: fixed warnings generated from latest gcc
+-- packet tracer: initialize sf_ip structs
+-- policy: allow an empty policy be set explicitly
+   assigned to it.
+-- policy: Rename TRUE/FALSE to ENABLE/DISABLED
+-- port_scan: Fail reload if memcap changed
+-- profile: convert remaining layer 2 or greater profile scopes to the deep, dark underbelly
+-- profiler: add quick exit if not configured to minimize overhead
+-- profiler: add quick exit if not configured to minimize overhead (rule times)
+-- protocols: fix style warning non-boolean value returned
+-- react: sending reset to server only
+-- regex_offload: fix stats for thread
+-- reload: differentiate between restart required and bad config
+-- reload: fail reload if stream is in the original config and stream_* is added/removed
+-- reload: prompt reload failure and require restart when stream cache were changed
+-- reload: send reload completed message to control channel instead of logging it
+-- rule eval: ensure leaf children are properly counted
+-- rule_state: add rtn but disable if block is set on non-inline deployment
+-- rule_state: added default rule state to ips policy
+-- rule_state: added per-ips-policy rule states
+-- rules: do not preallocate actions
+-- safec: Update to work with modern versions of LibSafeC
+-- sfip: add a FIXIT for checking that the current implementation of _is_lesser(), which only
+   compares same-family ips is OK.
+-- sip: update sip options to use has_tcp_data instead of is_tcp
+-- snort2lua: Create dev_notes.txt for sticky buffers
+-- snort2lua: adding when.role for specific inspectors
+-- snort2lua: change the -l short option to --dont-convert-max-sessions.
+-- snort2lua: combining multiple zone in one binder rule
+-- snort2lua: comment gid 147 file rules
+-- snort2lua: convert file_capture config options
+-- snort2lua: do generate the tcp_cache instance even when we don't convert tcp_max to
+   max_sessions.
+-- snort2lua: do not translate max_sessions from snort.conf to snort.lua.
+-- snort2lua: fix pcre option issues
+-- snort2lua: fix sticky buffer duplication
+-- snort2lua: fixed duplication of split_any_any from config: detection
+-- snort2lua: introduce command line option -l to suppress conversion of max_tcp, max_udp,
+   max_icmp and max_ip to max_sessions.
+-- snort2lua: move obfuscate_pii to the ips table from the output table.
+-- snort_config: Add a setter for setting run_flags and set it to TRACK_ON_SYN for hs_timeout
+   config
+-- ssl: Count calls to disable_content for ssl sessions
+-- stream: Change StreamSplitter::scan to take a Packet instead of a Flow.
+-- stream: Pass Packet in flush_pdu_* -> paf_eval -> paf_callback chain.
+-- stream: fixed ignore_flow segfault bug caused by allocating generic flow data instead of
+   inspector specific flow data
+-- stream: log StreamBase::config in StreamBase::show().
+-- stream: purge remaining flows before shutdown counts
+-- stream_tcp: add track_only to disable reassembly
+-- stream_tcp: consolidate segment node and data
+-- stream_tcp: disambiguate seglist trace
+-- stream_tcp: do not purge partially acked segment
+-- stream_tcp: fix up stream order flags
+-- stream_tcp: fixup allocation tracking for overlapped segments
+-- stream_tcp: implement reserve seglist
+-- stream_tcp: initialize priv_ptr for pdus
+-- stream_tcp: patch around premature application of delayed actions that yoink the seglist
+-- stream_tcp: remove seglist node cruft
+-- stream_tcp: reset paf segment when switching splitters
+-- stream_tcp: simplify paf init
+-- stream_tcp: support unidirectional flushing similar to Snort 2
+-- stream_tcp: tweak PAF scanning
+-- stream_tcp: tweak ips mode flushing
+-- stream_udp: ensure all flows are cleared fully
+-- time: Adding timersub_ms function to return timersub in milliseconds
+
 18/12/06 - build 250
 
 -- actions: Fix incorrect order of IPS reject unreachable codes and adding forward option
@@ -12,7 +208,8 @@
 -- build: fix some int type conversion warnings
 -- build: reduce variable scope to address warnings
 -- detection: enable offloading non-pdu packets
--- detection, stream: fixed assuming packets were offloaded when previous packets on flow have been offloaded
+-- detection, stream: fixed assuming packets were offloaded when previous packets on flow have
+   been offloaded
 -- file_api: choose whether to get file config from current config or staged one
 -- file: fail the reload if capture is enabled for the first time
 -- framework: Clone databus to new config during module reload
@@ -33,25 +230,31 @@
 -- perf_monitor: Actually allow building perf_monitor as a dynamic plugin
 -- perf_monitor: fix benign parameter errors
 -- perf_monitor: fixed fbs schema generation when not building with DEBUG
--- protocols: add vlan_idx field to Packet struct and handle multiple vlan type ids; thanks to ymansour for reporting the issue
+-- protocols: add vlan_idx field to Packet struct and handle multiple vlan type ids;
+   thanks to ymansour for reporting the issue
 -- regex worker: removed assert that didn't handle locks cleanly
--- reputation: Fix iterations of layers for different nested_ip configs and show the blacklisted IP in events
+-- reputation: Fix iterations of layers for different nested_ip configs and show the
+   blacklisted IP in events
 -- sip: Added sanity check for buffer boundary while parsing a sip message
 -- snort2lua: add code to output control = forward under the reject module
 -- snort2lua: Fix compiler warning for catching exceptions by value
 -- snort2lua: Fix pcre H and P option conversions for sip
 -- snort: add --help-limits to output max* values
 -- snort: Default to a snaplen of 1518
--- snort: fix command line parameters to support setting in Lua; thanks to Meridoff <oagvozd@gmail.com> for reporting the issue
--- snort: remove obsolete and inadequate -W option; thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue
--- snort: terminate gracefully upon DAQ start failure; thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue
+-- snort: fix command line parameters to support setting in Lua;
+   thanks to Meridoff <oagvozd@gmail.com> for reporting the issue
+-- snort: remove obsolete and inadequate -W option;
+   thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue
+-- snort: terminate gracefully upon DAQ start failure;
+   thanks to Jaime González <jaimeglz1952@gmail.com> for reporting the issue
 -- so rules: add robust stub parsing
 -- stream: fixed stream_base flow peg count sum_stats bug
 -- stream tcp: fixed applying post-inspection operations to wrong rebuilt packet
 -- stream tcp: fixed sequence overlap handling when working with empty seglist
 -- style: clean up comment to reduce spelling exceptions
 -- thread: No more breaks for pigs (union busting)
--- tools: Install appid-detector-builder.sh with the other tools; thanks to Jonathan McDowell <noodles-github@earth.li> for reporting the issue
+-- tools: Install appid-detector-builder.sh with the other tools;
+   thanks to Jonathan McDowell <noodles-github@earth.li> for reporting the issue
 
 18/11/07 - build 249
 
@@ -70,15 +273,18 @@
 -- dcerpc: fixed setting endianness on one packet and checking on another
 -- detection : add function to clear ips_id from unit tests
 -- detectionengine: Only clear inspector data after offloads have completed
--- detection/http_inspect: Save a snapshot HTTP buffers in the IPS context to support offload of HTTP flows
+-- detection/http_inspect: Save a snapshot HTTP buffers in the IPS context to support offload
+   of HTTP flows
 -- doc: Adding performance consideration for developers
 -- file_api: revert deleting gid 146 so existing 146 rulesets dont attempt empty rule eval
 -- fixits: prioritize for RC
 -- flow: fixed build warning
 -- flow: track multiple offloads
 -- fp_detect: onload before running local to ensure event ordering
--- framework: replace the newly introduced loop to reset the reload_type flags with the existing Inspector::update_policy function
--- framework: set the reload_type flags to RELOAD_TYPE_NONE at the end of reload, in anticipation of future reloads.
+-- framework: replace the newly introduced loop to reset the reload_type flags with the
+   existing Inspector::update_policy function
+-- framework: set the reload_type flags to RELOAD_TYPE_NONE at the end of reload, in
+   anticipation of future reloads.
 -- host_tracker: fixed uppcase IP param issue
 -- http2_inspect: Change http2 GID from 219 to 121
 -- ips_flowbits: move static structures to snort config
@@ -92,18 +298,21 @@
 -- perfmon: fix issue for report correct stats after passing -n pkts
 -- perf_monitor: trackers keep copy of the relevant config items from the inspector
 -- reload: fixed smtp seg fault when reload failed
--- reputation: delete old conf before allocating a new one in ReputationModule::begin() if conf not null
+-- reputation: delete old conf before allocating a new one in ReputationModule::begin() if
+   conf not null
 -- rule_state: indicate list format
 -- search_tool: include bytes searched in pattern match stats
 -- search_tool: validate ac_full and ac_bnfa wrt search and search_all
 -- snort2lua: Add support for enable/disable iprep logging using suppress mechanism
 -- snort2lua: Avoid returning reference of local variable
 -- snort2lua: comment out deleted gid 146 rules
--- snort2lua: Enable address_anomaly_detection during snort2lua and fixed missing string sanity checks
+-- snort2lua: Enable address_anomaly_detection during snort2lua and fixed missing string
+   sanity checks
 -- snort2lua: fixed paf_max to stream_tcp.max_pdu convertion
 -- snort2lua: tweak for style consistency
 -- snort: add --rule-path to load rules from all files under given dir
--- snort: Code refactoring - replacing push_back/insert by emplace_back/emplace, keeping reputation_id in flow instead of flow_data, and appid code improvements
+-- snort: Code refactoring - replacing push_back/insert by emplace_back/emplace, keeping
+   reputation_id in flow instead of flow_data, and appid code improvements
 -- source: fix some typos
 -- source: minor refactoring
 -- spell: fix typo
@@ -260,14 +469,17 @@
 -- appid: change metadata buffers from std::string to pointers, to avoid extra copying
 -- appid: clean-up code for performance and implement is_tp_processing_done()
 -- appid: create referer object only for non-null string
--- appid: do not inspect out-of-order flows, ignore zero-payload packets for client/service discovery
+-- appid: do not inspect out-of-order flows, ignore zero-payload packets for client/service
+   discovery
 -- appid: fix memory leak in appid_http_event_test and warning in appid_http_session.cc
 -- appid: fix segfault due to dereferencing null host pointer.
 -- appid: fix tabs and indentation
 -- appid: fixed http fields, referer payload and appid debug
 -- appid: make tp_attribute_data more localized, so we only allocate/deallocate it if needed.
 -- appid: moved HttpFieldIds to appid_http_session
--- appid: peg count / dynamic peg count update.  Split peg counts into the ones known at compile time and dynamic ones.  Update stats , module manager and module to support dumping dynamic stats.
+-- appid: peg count / dynamic peg count update.  Split peg counts into the ones known at
+   compile time and dynamic ones.  Update stats , module manager and module to support
+   dumping dynamic stats.
 -- appid: report when third party appid is done inspecting
 -- appid: sip: moved pattern thread local to class instance
 -- base64_decode: moved buffer storage to regular heap
@@ -291,7 +503,8 @@
 -- byte_jump: fix from_beginning
 -- byte_math: allow rvalue == 0 except for division
 -- catch: Update to Catch v2.2.1
--- clock: Allow use of ARM64 CNTVCT_EL0 register for timing (#46); thanks to j.mcdowell@titan-ic.com for the patch.
+-- clock: Allow use of ARM64 CNTVCT_EL0 register for timing (#46);
+   thanks to j.mcdowell@titan-ic.com for the patch.
 -- clock: use uint64_t with tsc clock instead of std::chrono for performance
 -- cmake: Add --enable-appid-third-party to configure_cmake.sh
 -- cmake: Add support for building with tcmalloc
@@ -300,7 +513,9 @@
 -- cmake: update for iconv
 -- codecs: add config option to detection to enable check and alert for address anomalies
 -- daq_hext: Make IpAddr() static to fix compiler warning
--- dce_co_process_ctx_id needs to update its caller's (DCE2_CoCtxReq) frag_ptr as it is called in a loop in order to parse each dce/rpc ctx item, otherwise it ends up parsing the same ctx item over and over.
+-- dce_co_process_ctx_id needs to update its caller's (DCE2_CoCtxReq) frag_ptr as it is
+   called in a loop in order to parse each dce/rpc ctx item, otherwise it ends up parsing
+   the same ctx item over and over.
 -- dce_rpc: fix parsing of dce/rpc ctx items
 -- dce_rpc: pass frag_ptr by reference
 -- debug: Remove debug messages from appid, arp_spoof, and perf_monitor
@@ -364,7 +579,8 @@
 -- snort2lua: enable reject action when firewall is enabled
 -- snort: -r- will read packets from stdin
 -- spell check: fix memeory and indicies typos
--- steam_tcp: change singleton names from linux to new_linux to avoid spurious collisions with defines
+-- steam_tcp: change singleton names from linux to new_linux to avoid spurious collisions
+   with defines
 -- stream ip: refactored to use MemoryManager allocators
 -- stream: assume gid 135 so those rules are handled as standard builtins
 -- stream: be selective about flow creation for scans
@@ -372,12 +588,14 @@
 -- stream: remove usused ignore_any_rules from tcp and udp
 -- stream: respect tcp require_3whs
 -- stream: warning: potential memory leaks
--- stream_tcp: refactor tcp normalizer and reassembler to eliminate dynamic heap allocations per flow
+-- stream_tcp: refactor tcp normalizer and reassembler to eliminate dynamic heap allocations
+   per flow
 -- stream_tcp: switch to splitter max
 -- stream_tcp: tweak seglist cursor handling
 -- target_based: 100% coverage on snort_protocols.cc
 -- target_based: unit tests for ProtocolReference class
--- tcp codec: count bad ip6 checksums correctly; thanks to j.mcdowell@titan-ic.com for reporting the issue
+-- tcp codec: count bad ip6 checksums correctly; thanks to j.mcdowell@titan-ic.com for reporting
+   the issue
 -- tcp: allow data  handlding for packet with invalid ack
 -- time: initialize Stopwatch::start_time member variable to 0 ticks when TSC clock is enabled
 -- trace: add traces for deleted debug messages
@@ -407,7 +625,8 @@
 -- perf_monitor: query modules for stats only after they have all loaded
 -- snort: --rule-to-text [<delim>] raw string output
 -- snort: allow colon separated directories for --daq-dir
--- snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort' namespace
+-- snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort'
+   namespace
 
 18/02/12 - build 243
 
@@ -468,7 +687,8 @@
 -- appid: gracefully handle failed Lua state instantiation
    thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue.
 -- appid: only update session flags and discovery state if service id actually set to http
--- appid: patch to update the appid discovery state when an http event results in setting of the service id for a flow
+-- appid: patch to update the appid discovery state when an http event results in setting of the
+   service id for a flow
 -- appid: return false from is_third_party_appid_available when no third party module is available.
 -- appid: tweak warnings and errors
 -- binder: activate profiler support
@@ -535,7 +755,8 @@
 -- snort2lua: remove when udp from binding to support tcp too
 -- snort2lua: tweak const name for clarity (internal)
 -- snort2lua: urilen:<> --> bufferlen:<=>
--- snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces from LeakSanitizer
+-- snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces
+   from LeakSanitizer
 -- soid: allow stub to contain any or all options
 -- --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static
 -- stream: change tcp idle timeout to 3600 to match 2.X nominal timeout
@@ -581,7 +802,8 @@
 -- build: fixed issues on OSX
 -- catch: update to Catch v1.10.0
 -- cd_icmp6: fix encoded cksum calculation
--- cd_pbb: initial version of codec for 802.1ah; thanks to jan hugo prins <jhp@jhprins.org> for reporting the issue
+-- cd_pbb: initial version of codec for 802.1ah; thanks to jan hugo prins <jhp@jhprins.org> for
+   reporting the issue
 -- cd_pflog: fix comments; thanks to Markus Lude <markus.lude@gmx.de> for the 2X patch
 -- content: fix relative loop condition
 -- control: delete the old binder while reloading inspector
@@ -596,11 +818,14 @@
 -- doc: add POP, IMAP and SMTP to user manual features
 -- doc: add port scan feature
 -- flow key: support associating router solicit/reply packets to a single session
--- http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after status line or headers
+-- http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after
+   status line or headers
 -- http_inspect: add random increment to message body division points
 -- http_inspect: added http_raw_buffer rule option
--- http_inspect: create message sections with body data that has been dechunked and unzipped but not otherwise nortmalized
--- http_inspect: handle borked reassembly gracefully; thanks to João Soares <joaopsys@gmail.com> for reporting the issue
+-- http_inspect: create message sections with body data that has been dechunked and unzipped but
+   not otherwise nortmalized
+-- http_inspect: handle borked reassembly gracefully;
+   thanks to João Soares <joaopsys@gmail.com> for reporting the issue
 -- http_inspect: support for u2 extra data logging
 -- http_inspect: test tool improvements
 -- http_inspect: true IP enhancements
diff --git a/doc/snort_manual.html b/doc/snort_manual.html
index 1e8c8e35d..dec31cadd 100644
--- a/doc/snort_manual.html
+++ b/doc/snort_manual.html
@@ -1,9 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
     "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
 <head>
 <meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8" />
-<meta name="generator" content="AsciiDoc 8.6.8" />
+<meta name="generator" content="AsciiDoc 8.6.10" />
 <title>Snort 3 User Manual</title>
 <style type="text/css">
 /* Shared CSS for AsciiDoc xhtml11 and html5 backends */
@@ -94,7 +95,9 @@ ul > li > * { color: black; }
   padding: 0;
   margin: 0;
 }
-
+pre {
+  white-space: pre-wrap;
+}
 
 #author {
   color: #527bbd;
@@ -223,7 +226,7 @@ div.exampleblock > div.content {
 }
 
 div.imageblock div.content { padding-left: 0; }
-span.image img { border-style: none; }
+span.image img { border-style: none; vertical-align: text-bottom; }
 a.image:visited { color: white; }
 
 dl {
@@ -779,10 +782,10 @@ asciidoc.install(2);
 <div class="literalblock">
 <div class="content">
 <pre><code> ,,_     -*&gt; Snort++ &lt;*-
-o"  )~   Version 3.0.0 (Build 250) from 2.9.11
+o"  )~   Version 3.0.0 (Build 251) from 2.9.11
  ''''    By Martin Roesch &amp; The Snort Team
          http://snort.org/contact#team
-         Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
+         Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
          Copyright (C) 1998-2013 Sourcefire, Inc., et al.</code></pre>
 </div></div>
 <div id="toc">
@@ -2125,7 +2128,7 @@ lzma &gt;= 5.1.2 from <a href="http://tukaani.org/xz/">http://tukaani.org/xz/</a
 </li>
 <li>
 <p>
-safec from <a href="https://sourceforge.net/projects/safeclib/">https://sourceforge.net/projects/safeclib/</a> for runtime bounds
+safec from <a href="https://github.com/rurban/safeclib/">https://github.com/rurban/safeclib/</a> for runtime bounds
   checks on certain legacy C-library calls
 </p>
 </li>
@@ -3686,7 +3689,7 @@ representative byte strings to their binary equivalent and testing them.</p></di
 <div class="paragraph"><p>Snort uses the C operators for each of these operators. If the &amp;
 operator is used, then it would be the same as using</p></div>
 <div class="listingblock">
-<div class="content"><!-- Generator: GNU source-highlight 3.1.8
+<div class="content"><!-- Generator: GNU source-highlight
 by Lorenzo Bettini
 http://www.lorenzobettini.it
 http://www.gnu.org/software/src-highlite -->
@@ -3694,7 +3697,7 @@ http://www.gnu.org/software/src-highlite -->
 <div class="paragraph"><p><em>!</em> operator negates the results from the base check. <em>!&lt;oper&gt;</em> is
 considered as</p></div>
 <div class="listingblock">
-<div class="content"><!-- Generator: GNU source-highlight 3.1.8
+<div class="content"><!-- Generator: GNU source-highlight
 by Lorenzo Bettini
 http://www.lorenzobettini.it
 http://www.gnu.org/software/src-highlite -->
@@ -7070,11 +7073,6 @@ bool <strong>alerts.alert_with_interface_name</strong> = false: include interfac
 </li>
 <li>
 <p>
-bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules
-</p>
-</li>
-<li>
-<p>
 int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available MB of memory for detection_filters { 0:max32 }
 </p>
 </li>
@@ -7148,17 +7146,17 @@ int <strong>attribute_table.max_metadata_services</strong> = 8: maximum number o
 <div class="ulist"><ul>
 <li>
 <p>
-string <strong>classifications[].name</strong>: name used with classtype rule option
+string <strong><code>classifications[].name</code></strong>: name used with classtype rule option
 </p>
 </li>
 <li>
 <p>
-int <strong>classifications[].priority</strong> = 1: default priority for class { 0:max32 }
+int <strong><code>classifications[].priority</code></strong> = 1: default priority for class { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>classifications[].text</strong>: description of class
+string <strong><code>classifications[].text</code></strong>: description of class
 </p>
 </li>
 </ul></div>
@@ -7172,7 +7170,7 @@ string <strong>classifications[].text</strong>: description of class
 <div class="ulist"><ul>
 <li>
 <p>
-string <strong>daq.module_dirs[].str</strong>: string parameter
+string <strong><code>daq.module_dirs[].str</code></strong>: string parameter
 </p>
 </li>
 <li>
@@ -7187,22 +7185,22 @@ string <strong>daq.module</strong>: DAQ module to use
 </li>
 <li>
 <p>
-string <strong>daq.variables[].str</strong>: string parameter
+string <strong><code>daq.variables[].str</code></strong>: string parameter
 </p>
 </li>
 <li>
 <p>
-int <strong>daq.instances[].id</strong>: instance ID (required) { 0:max32 }
+int <strong><code>daq.instances[].id</code></strong>: instance ID (required) { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>daq.instances[].input_spec</strong>: input specification
+string <strong><code>daq.instances[].input_spec</code></strong>: input specification
 </p>
 </li>
 <li>
 <p>
-string <strong>daq.instances[].variables[].str</strong>: string parameter
+string <strong><code>daq.instances[].variables[].str</code></strong>: string parameter
 </p>
 </li>
 <li>
@@ -7378,6 +7376,16 @@ int <strong>detection.asn1</strong> = 0: maximum decode nodes { 0:65535 }
 </li>
 <li>
 <p>
+bool <strong>detection.global_default_rule_state</strong> = true: enable or disable rules by default (overridden by ips policy settings)
+</p>
+</li>
+<li>
+<p>
+bool <strong>detection.global_rule_state</strong> = false: apply rule_state against all policies
+</p>
+</li>
+<li>
+<p>
 int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }
 </p>
 </li>
@@ -7514,6 +7522,11 @@ int <strong>detection.trace</strong>: mask for enabling debug traces in module {
 <strong>detection.alert_limit</strong>: events previously triggered on same PDU (sum)
 </p>
 </li>
+<li>
+<p>
+<strong>detection.context_stalls</strong>: times processing stalled to wait for an available context (sum)
+</p>
+</li>
 </ul></div>
 </div>
 <div class="sect2">
@@ -7525,37 +7538,37 @@ int <strong>detection.trace</strong>: mask for enabling debug traces in module {
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>event_filter[].gid</strong> = 1: rule generator ID { 0:max32 }
+int <strong><code>event_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>event_filter[].sid</strong> = 1: rule signature ID { 0:max32 }
+int <strong><code>event_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>event_filter[].type</strong>: 1st count events | every count events | once after count events { limit | threshold | both }
+enum <strong><code>event_filter[].type</code></strong>: 1st count events | every count events | once after count events { limit | threshold | both }
 </p>
 </li>
 <li>
 <p>
-enum <strong>event_filter[].track</strong>: filter only matching source or destination addresses { by_src | by_dst }
+enum <strong><code>event_filter[].track</code></strong>: filter only matching source or destination addresses { by_src | by_dst }
 </p>
 </li>
 <li>
 <p>
-int <strong>event_filter[].count</strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }
+int <strong><code>event_filter[].count</code></strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }
 </p>
 </li>
 <li>
 <p>
-int <strong>event_filter[].seconds</strong> = 0: count interval { 0:max32 }
+int <strong><code>event_filter[].seconds</code></strong> = 0: count interval { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>event_filter[].ip</strong>: restrict filter to these addresses according to track
+string <strong><code>event_filter[].ip</code></strong>: restrict filter to these addresses according to track
 </p>
 </li>
 </ul></div>
@@ -7640,7 +7653,7 @@ real <strong>high_availability.min_sync</strong> = 1.0: minimum interval between
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>host_cache[].size</strong>: size of host cache { 1:max32 }
+int <strong><code>host_cache[].size</code></strong>: size of host cache { 1:max32 }
 </p>
 </li>
 </ul></div>
@@ -7692,32 +7705,32 @@ int <strong>host_cache[].size</strong>: size of host cache { 1:max32 }
 <div class="ulist"><ul>
 <li>
 <p>
-addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr
+addr <strong><code>host_tracker[].ip</code></strong> = 0.0.0.0/32: hosts address / cidr
 </p>
 </li>
 <li>
 <p>
-enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
+enum <strong><code>host_tracker[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
 </p>
 </li>
 <li>
 <p>
-enum <strong>host_tracker[].tcp_policy</strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
+enum <strong><code>host_tracker[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
 </p>
 </li>
 <li>
 <p>
-string <strong>host_tracker[].services[].name</strong>: service identifier
+string <strong><code>host_tracker[].services[].name</code></strong>: service identifier
 </p>
 </li>
 <li>
 <p>
-enum <strong>host_tracker[].services[].proto</strong> = tcp: IP protocol { tcp | udp }
+enum <strong><code>host_tracker[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }
 </p>
 </li>
 <li>
 <p>
-port <strong>host_tracker[].services[].port</strong>: port number
+port <strong><code>host_tracker[].services[].port</code></strong>: port number
 </p>
 </li>
 </ul></div>
@@ -7749,32 +7762,32 @@ port <strong>host_tracker[].services[].port</strong>: port number
 <div class="ulist"><ul>
 <li>
 <p>
-addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / CIDR
+addr <strong><code>hosts[].ip</code></strong> = 0.0.0.0/32: hosts address / CIDR
 </p>
 </li>
 <li>
 <p>
-enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
+enum <strong><code>hosts[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
 </p>
 </li>
 <li>
 <p>
-enum <strong>hosts[].tcp_policy</strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
+enum <strong><code>hosts[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
 </p>
 </li>
 <li>
 <p>
-string <strong>hosts[].services[].name</strong>: service identifier
+string <strong><code>hosts[].services[].name</code></strong>: service identifier
 </p>
 </li>
 <li>
 <p>
-enum <strong>hosts[].services[].proto</strong> = tcp: IP protocol { tcp | udp }
+enum <strong><code>hosts[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }
 </p>
 </li>
 <li>
 <p>
-port <strong>hosts[].services[].port</strong>: port number
+port <strong><code>hosts[].services[].port</code></strong>: port number
 </p>
 </li>
 </ul></div>
@@ -7812,6 +7825,11 @@ enum <strong>inspection.mode</strong> = inline-test: set policy mode { inline |
 <div class="ulist"><ul>
 <li>
 <p>
+enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { false | true | inherit }
+</p>
+</li>
+<li>
+<p>
 bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs
 </p>
 </li>
@@ -7837,6 +7855,11 @@ string <strong>ips.rules</strong>: snort rules and includes
 </li>
 <li>
 <p>
+bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers
+</p>
+</li>
+<li>
+<p>
 string <strong>ips.uuid</strong> = 00000000-0000-0000-0000-000000000000: IPS policy uuid
 </p>
 </li>
@@ -7961,12 +7984,50 @@ int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (by
 </li>
 <li>
 <p>
-bool <strong>memory.soft</strong> = false: always succeed in allocating memory, even if above the cap
+int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }
+</p>
+</li>
+</ul></div>
+<div class="paragraph"><p>Peg counts:</p></div>
+<div class="ulist"><ul>
+<li>
+<p>
+<strong>memory.allocations</strong>: total number of allocations (now)
 </p>
 </li>
 <li>
 <p>
-int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }
+<strong>memory.deallocations</strong>: total number of deallocations (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.allocated</strong>: total amount of memory allocated (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.deallocated</strong>: total amount of memory allocated (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.reap_attempts</strong>: attempts to reclaim memory (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.reap_failures</strong>: failures to reclaim memory (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.max_in_use</strong>: highest allocated - deallocated (max)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.total_fudge</strong>: sum of all adjustments (now)
 </p>
 </li>
 </ul></div>
@@ -8064,27 +8125,22 @@ string <strong>output.logdir</strong> = .: where to put log files (same as -l)
 </li>
 <li>
 <p>
-bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)
-</p>
-</li>
-<li>
-<p>
-bool <strong>output.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers
+bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)
 </p>
 </li>
 <li>
 <p>
-bool <strong>output.show_year</strong> = false: include year in timestamp in the alert and log files (same as -y)
+int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>output.tagged_packet_limit</strong> = 256: maximum number of packets tagged for non-packet metrics { 0:max32 }
+bool <strong>output.verbose</strong> = false: be verbose (same as -v)
 </p>
 </li>
 <li>
 <p>
-bool <strong>output.verbose</strong> = false: be verbose (same as -v)
+bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresses (same as -O)
 </p>
 </li>
 <li>
@@ -8174,12 +8230,12 @@ string <strong>process.chroot</strong>: set chroot directory (same as -t)
 </li>
 <li>
 <p>
-string <strong>process.threads[].cpuset</strong>: pin the associated thread to this cpuset
+string <strong><code>process.threads[].cpuset</code></strong>: pin the associated thread to this cpuset
 </p>
 </li>
 <li>
 <p>
-int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the &lt;cur_thread_num&gt; thread that runs { 0:65535 }
+int <strong><code>process.threads[].thread</code></strong> = 0: set cpu affinity for the &lt;cur_thread_num&gt; thread that runs { 0:65535 }
 </p>
 </li>
 <li>
@@ -8287,42 +8343,42 @@ enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { no
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>rate_filter[].gid</strong> = 1: rule generator ID { 0:max32 }
+int <strong><code>rate_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>rate_filter[].sid</strong> = 1: rule signature ID { 0:max32 }
+int <strong><code>rate_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>rate_filter[].track</strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
+enum <strong><code>rate_filter[].track</code></strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
 </p>
 </li>
 <li>
 <p>
-int <strong>rate_filter[].count</strong> = 1: number of events in interval before tripping { 0:max32 }
+int <strong><code>rate_filter[].count</code></strong> = 1: number of events in interval before tripping { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>rate_filter[].seconds</strong> = 1: count interval { 0:max32 }
+int <strong><code>rate_filter[].seconds</code></strong> = 1: count interval { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }
+enum <strong><code>rate_filter[].new_action</code></strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }
 </p>
 </li>
 <li>
 <p>
-int <strong>rate_filter[].timeout</strong> = 1: count interval { 0:max32 }
+int <strong><code>rate_filter[].timeout</code></strong> = 1: count interval { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>rate_filter[].apply_to</strong>: restrict filter to these addresses according to track
+string <strong><code>rate_filter[].apply_to</code></strong>: restrict filter to these addresses according to track
 </p>
 </li>
 </ul></div>
@@ -8336,36 +8392,31 @@ string <strong>rate_filter[].apply_to</strong>: restrict filter to these address
 <div class="ulist"><ul>
 <li>
 <p>
-string <strong>references[].name</strong>: name used with reference rule option
+string <strong><code>references[].name</code></strong>: name used with reference rule option
 </p>
 </li>
 <li>
 <p>
-string <strong>references[].url</strong>: where this reference is defined
+string <strong><code>references[].url</code></strong>: where this reference is defined
 </p>
 </li>
 </ul></div>
 </div>
 <div class="sect2">
 <h3 id="_rule_state">rule_state</h3>
-<div class="paragraph"><p>What: enable/disable specific IPS rules</p></div>
+<div class="paragraph"><p>What: enable/disable and set actions for specific IPS rules</p></div>
 <div class="paragraph"><p>Type: basic</p></div>
 <div class="paragraph"><p>Usage: detect</p></div>
 <div class="paragraph"><p>Configuration:</p></div>
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>rule_state[].gid</strong> = 0: rule generator ID { 0:max32 }
+enum <strong><code>rule_state.([0-9]+):([0-9]+).action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }
 </p>
 </li>
 <li>
 <p>
-int <strong>rule_state[].sid</strong> = 0: rule signature ID { 0:max32 }
-</p>
-</li>
-<li>
-<p>
-bool <strong>rule_state[].enable</strong> = true: enable or disable rule in all policies
+enum <strong><code>rule_state.([0-9]+):([0-9]+).enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { false | true | inherit }
 </p>
 </li>
 </ul></div>
@@ -8439,6 +8490,11 @@ dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern
 </li>
 <li>
 <p>
+dynamic <strong>search_engine.offload_search_method</strong>: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
+</p>
+</li>
+<li>
+<p>
 bool <strong>search_engine.search_optimize</strong> = true: tweak state machine construction for better performance
 </p>
 </li>
@@ -8506,7 +8562,7 @@ bit_list <strong>side_channel.ports</strong>: side channel message port list { 6
 </li>
 <li>
 <p>
-string <strong>side_channel.connectors[].connector</strong>: connector handle
+string <strong><code>side_channel.connectors[].connector</code></strong>: connector handle
 </p>
 </li>
 <li>
@@ -9268,22 +9324,22 @@ int <strong>snort.trace</strong>: mask for enabling debug traces in module { 0:m
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>suppress[].gid</strong> = 0: rule generator ID { 0:max32 }
+int <strong><code>suppress[].gid</code></strong> = 0: rule generator ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>suppress[].sid</strong> = 0: rule signature ID { 0:max32 }
+int <strong><code>suppress[].sid</code></strong> = 0: rule signature ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>suppress[].track</strong>: suppress only matching source or destination addresses { by_src | by_dst }
+enum <strong><code>suppress[].track</code></strong>: suppress only matching source or destination addresses { by_src | by_dst }
 </p>
 </li>
 <li>
 <p>
-string <strong>suppress[].ip</strong>: restrict suppression to these addresses according to track
+string <strong><code>suppress[].ip</code></strong>: restrict suppression to these addresses according to track
 </p>
 </li>
 </ul></div>
@@ -10502,7 +10558,7 @@ protocols beyond basic decoding.</p></div>
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>appid.memcap</strong> = 0: disregard - not implemented { 0:maxSZ }
+int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }
 </p>
 </li>
 <li>
@@ -10512,7 +10568,7 @@ bool <strong>appid.log_stats</strong> = false: enable logging of appid statistic
 </li>
 <li>
 <p>
-int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 0:max32 }
+int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 1:max32 }
 </p>
 </li>
 <li>
@@ -10627,12 +10683,12 @@ int <strong>appid.trace</strong>: mask for enabling debug traces in module { 0:m
 <div class="ulist"><ul>
 <li>
 <p>
-ip4 <strong>arp_spoof.hosts[].ip</strong>: host ip address
+ip4 <strong><code>arp_spoof.hosts[].ip</code></strong>: host ip address
 </p>
 </li>
 <li>
 <p>
-mac <strong>arp_spoof.hosts[].mac</strong>: host mac address
+mac <strong><code>arp_spoof.hosts[].mac</code></strong>: host mac address
 </p>
 </li>
 </ul></div>
@@ -10714,112 +10770,117 @@ mac <strong>arp_spoof.hosts[].mac</strong>: host mac address
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>binder[].when.ips_policy_id</strong> = 0: unique ID for selection of this config by external logic { 0:max32 }
+int <strong><code>binder[].when.ips_policy_id</code></strong> = 0: unique ID for selection of this config by external logic { 0:max32 }
+</p>
+</li>
+<li>
+<p>
+bit_list <strong><code>binder[].when.ifaces</code></strong>: list of interface indices { 255 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.ifaces</strong>: list of interface indices { 255 }
+bit_list <strong><code>binder[].when.vlans</code></strong>: list of VLAN IDs { 4095 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.vlans</strong>: list of VLAN IDs { 4095 }
+addr_list <strong><code>binder[].when.nets</code></strong>: list of networks
 </p>
 </li>
 <li>
 <p>
-addr_list <strong>binder[].when.nets</strong>: list of networks
+addr_list <strong><code>binder[].when.src_nets</code></strong>: list of source networks
 </p>
 </li>
 <li>
 <p>
-addr_list <strong>binder[].when.src_nets</strong>: list of source networks
+addr_list <strong><code>binder[].when.dst_nets</code></strong>: list of destination networks
 </p>
 </li>
 <li>
 <p>
-addr_list <strong>binder[].when.dst_nets</strong>: list of destination networks
+enum <strong><code>binder[].when.proto</code></strong>: protocol { any | ip | icmp | tcp | udp | user | file }
 </p>
 </li>
 <li>
 <p>
-enum <strong>binder[].when.proto</strong>: protocol { any | ip | icmp | tcp | udp | user | file }
+bit_list <strong><code>binder[].when.ports</code></strong>: list of ports { 65535 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.ports</strong>: list of ports { 65535 }
+bit_list <strong><code>binder[].when.src_ports</code></strong>: list of source ports { 65535 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.src_ports</strong>: list of source ports { 65535 }
+bit_list <strong><code>binder[].when.dst_ports</code></strong>: list of destination ports { 65535 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.dst_ports</strong>: list of destination ports { 65535 }
+bit_list <strong><code>binder[].when.zones</code></strong>: zones { 63 }
 </p>
 </li>
 <li>
 <p>
-int <strong>binder[].when.src_zone</strong>: source zone { 0:max31 }
+bit_list <strong><code>binder[].when.src_zone</code></strong>: source zone { 63 }
 </p>
 </li>
 <li>
 <p>
-int <strong>binder[].when.dst_zone</strong>: destination zone { 0:max31 }
+bit_list <strong><code>binder[].when.dst_zone</code></strong>: destination zone { 63 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>binder[].when.role</strong> = any: use the given configuration on one or any end of a session { client | server | any }
+enum <strong><code>binder[].when.role</code></strong> = any: use the given configuration on one or any end of a session { client | server | any }
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].when.service</strong>: override default configuration
+string <strong><code>binder[].when.service</code></strong>: override default configuration
 </p>
 </li>
 <li>
 <p>
-enum <strong>binder[].use.action</strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }
+enum <strong><code>binder[].use.action</code></strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.file</strong>: use configuration in given file
+string <strong><code>binder[].use.file</code></strong>: use configuration in given file
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.inspection_policy</strong>: use inspection policy from given file
+string <strong><code>binder[].use.inspection_policy</code></strong>: use inspection policy from given file
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.ips_policy</strong>: use ips policy from given file
+string <strong><code>binder[].use.ips_policy</code></strong>: use ips policy from given file
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.network_policy</strong>: use network policy from given file
+string <strong><code>binder[].use.network_policy</code></strong>: use network policy from given file
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.service</strong>: override automatic service identification
+string <strong><code>binder[].use.service</code></strong>: override automatic service identification
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.type</strong>: select module for binding
+string <strong><code>binder[].use.type</code></strong>: select module for binding
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.name</strong>: symbol name (defaults to type)
+string <strong><code>binder[].use.name</code></strong>: symbol name (defaults to type)
 </p>
 </li>
 </ul></div>
@@ -10926,6 +10987,11 @@ int <strong>data_log.limit</strong> = 0: set maximum size in MB before rollover
 <div class="ulist"><ul>
 <li>
 <p>
+bool <strong>dce_smb.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
+</p>
+</li>
+<li>
+<p>
 bool <strong>dce_smb.disable_defrag</strong> = false: disable DCE/RPC defragmentation
 </p>
 </li>
@@ -11426,6 +11492,11 @@ int <strong>dce_smb.trace</strong>: mask for enabling debug traces in module { 0
 <div class="ulist"><ul>
 <li>
 <p>
+bool <strong>dce_tcp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
+</p>
+</li>
+<li>
+<p>
 bool <strong>dce_tcp.disable_defrag</strong> = false: disable DCE/RPC defragmentation
 </p>
 </li>
@@ -11686,6 +11757,11 @@ enum <strong>dce_tcp.policy</strong> = WinXP: target based policy to use { Win20
 <div class="ulist"><ul>
 <li>
 <p>
+bool <strong>dce_udp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
+</p>
+</li>
+<li>
+<p>
 bool <strong>dce_udp.disable_defrag</strong> = false: disable DCE/RPC defragmentation
 </p>
 </li>
@@ -12133,77 +12209,77 @@ int <strong>file_id.show_data_depth</strong> = 100: print this many octets { 0:m
 </li>
 <li>
 <p>
-int <strong>file_id.file_rules[].rev</strong> = 0: rule revision { 0:max32 }
+int <strong><code>file_id.file_rules[].rev</code></strong> = 0: rule revision { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].msg</strong>: information about the file type
+string <strong><code>file_id.file_rules[].msg</code></strong>: information about the file type
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].type</strong>: file type name
+string <strong><code>file_id.file_rules[].type</code></strong>: file type name
 </p>
 </li>
 <li>
 <p>
-int <strong>file_id.file_rules[].id</strong> = 0: file type id { 0:max32 }
+int <strong><code>file_id.file_rules[].id</code></strong> = 0: file type id { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].category</strong>: file type category
+string <strong><code>file_id.file_rules[].category</code></strong>: file type category
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].group</strong>: comma separated list of groups associated with file type
+string <strong><code>file_id.file_rules[].group</code></strong>: comma separated list of groups associated with file type
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].version</strong>: file type version
+string <strong><code>file_id.file_rules[].version</code></strong>: file type version
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].magic[].content</strong>: file magic content
+string <strong><code>file_id.file_rules[].magic[].content</code></strong>: file magic content
 </p>
 </li>
 <li>
 <p>
-int <strong>file_id.file_rules[].magic[].offset</strong> = 0: file magic offset { 0:max32 }
+int <strong><code>file_id.file_rules[].magic[].offset</code></strong> = 0: file magic offset { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>file_id.file_policy[].when.file_type_id</strong> = 0: unique ID for file type in file magic rule { 0:max32 }
+int <strong><code>file_id.file_policy[].when.file_type_id</code></strong> = 0: unique ID for file type in file magic rule { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_policy[].when.sha256</strong>: SHA 256
+string <strong><code>file_id.file_policy[].when.sha256</code></strong>: SHA 256
 </p>
 </li>
 <li>
 <p>
-enum <strong>file_id.file_policy[].use.verdict</strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset  }
+enum <strong><code>file_id.file_policy[].use.verdict</code></strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset  }
 </p>
 </li>
 <li>
 <p>
-bool <strong>file_id.file_policy[].use.enable_file_type</strong> = false: true/false &#8594; enable/disable file type identification
+bool <strong><code>file_id.file_policy[].use.enable_file_type</code></strong> = false: true/false &#8594; enable/disable file type identification
 </p>
 </li>
 <li>
 <p>
-bool <strong>file_id.file_policy[].use.enable_file_signature</strong> = false: true/false &#8594; enable/disable file signature
+bool <strong><code>file_id.file_policy[].use.enable_file_signature</code></strong> = false: true/false &#8594; enable/disable file signature
 </p>
 </li>
 <li>
 <p>
-bool <strong>file_id.file_policy[].use.enable_file_capture</strong> = false: true/false &#8594; enable/disable file capture
+bool <strong><code>file_id.file_policy[].use.enable_file_capture</code></strong> = false: true/false &#8594; enable/disable file capture
 </p>
 </li>
 <li>
@@ -12287,17 +12363,17 @@ bool <strong>ftp_client.bounce</strong> = false: check for bounces
 </li>
 <li>
 <p>
-addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed IP address in CIDR format
+addr <strong><code>ftp_client.bounce_to[].address</code></strong> = 1.0.0.0/32: allowed IP address in CIDR format
 </p>
 </li>
 <li>
 <p>
-port <strong>ftp_client.bounce_to[].port</strong> = 20: allowed port
+port <strong><code>ftp_client.bounce_to[].port</code></strong> = 20: allowed port
 </p>
 </li>
 <li>
 <p>
-port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive
+port <strong><code>ftp_client.bounce_to[].last_port</code></strong>: optional allowed range from port to last_port inclusive
 </p>
 </li>
 <li>
@@ -12360,12 +12436,12 @@ string <strong>ftp_server.data_xfer_cmds</strong>: check the formatting of the g
 </li>
 <li>
 <p>
-string <strong>ftp_server.directory_cmds[].dir_cmd</strong>: directory command
+string <strong><code>ftp_server.directory_cmds[].dir_cmd</code></strong>: directory command
 </p>
 </li>
 <li>
 <p>
-int <strong>ftp_server.directory_cmds[].rsp_code</strong> = 200: expected successful response code for command { 200:max32 }
+int <strong><code>ftp_server.directory_cmds[].rsp_code</code></strong> = 200: expected successful response code for command { 200:max32 }
 </p>
 </li>
 <li>
@@ -12395,17 +12471,17 @@ bool <strong>ftp_server.check_encrypted</strong> = false: check for end of encry
 </li>
 <li>
 <p>
-string <strong>ftp_server.cmd_validity[].command</strong>: command string
+string <strong><code>ftp_server.cmd_validity[].command</code></strong>: command string
 </p>
 </li>
 <li>
 <p>
-string <strong>ftp_server.cmd_validity[].format</strong>: format specification
+string <strong><code>ftp_server.cmd_validity[].format</code></strong>: format specification
 </p>
 </li>
 <li>
 <p>
-int <strong>ftp_server.cmd_validity[].length</strong> = 0: specify non-default maximum for command { 0:max32 }
+int <strong><code>ftp_server.cmd_validity[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }
 </p>
 </li>
 <li>
@@ -12520,32 +12596,32 @@ bool <strong>ftp_server.telnet_cmds</strong> = false: detect Telnet escape seque
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>gtp_inspect[].version</strong> = 2: GTP version { 0:2 }
+int <strong><code>gtp_inspect[].version</code></strong> = 2: GTP version { 0:2 }
 </p>
 </li>
 <li>
 <p>
-int <strong>gtp_inspect[].messages[].type</strong> = 0: message type code { 0:255 }
+int <strong><code>gtp_inspect[].messages[].type</code></strong> = 0: message type code { 0:255 }
 </p>
 </li>
 <li>
 <p>
-string <strong>gtp_inspect[].messages[].name</strong>: message name
+string <strong><code>gtp_inspect[].messages[].name</code></strong>: message name
 </p>
 </li>
 <li>
 <p>
-int <strong>gtp_inspect[].infos[].type</strong> = 0: information element type code { 0:255 }
+int <strong><code>gtp_inspect[].infos[].type</code></strong> = 0: information element type code { 0:255 }
 </p>
 </li>
 <li>
 <p>
-string <strong>gtp_inspect[].infos[].name</strong>: information element name
+string <strong><code>gtp_inspect[].infos[].name</code></strong>: information element name
 </p>
 </li>
 <li>
 <p>
-int <strong>gtp_inspect[].infos[].length</strong> = 0: information element type code { 0:255 }
+int <strong><code>gtp_inspect[].infos[].length</code></strong> = 0: information element type code { 0:255 }
 </p>
 </li>
 <li>
@@ -12670,6 +12746,11 @@ bool <strong>http_inspect.decompress_swf</strong> = false: decompress swf files
 </li>
 <li>
 <p>
+bool <strong>http_inspect.decompress_zip</strong> = false: decompress zip files in response bodies
+</p>
+</li>
+<li>
+<p>
 bool <strong>http_inspect.normalize_javascript</strong> = false: normalize javascript in response bodies
 </p>
 </li>
@@ -13143,7 +13224,7 @@ bool <strong>http_inspect.simplify_path</strong> = true: reduce URI directory pa
 </li>
 <li>
 <p>
-<strong>119:229</strong> (http_inspect) PDF/SWF decompression of server response too big
+<strong>119:229</strong> (http_inspect) PDF/SWF/ZIP decompression of server response too big
 </p>
 </li>
 <li>
@@ -13375,6 +13456,21 @@ int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachmen
 </li>
 <li>
 <p>
+bool <strong>imap.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>imap.decompress_swf</strong> = false: decompress swf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>imap.decompress_zip</strong> = false: decompress zip files in MIME attachments
+</p>
+</li>
+<li>
+<p>
 int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }
 </p>
 </li>
@@ -13411,6 +13507,11 @@ int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-
 <strong>141:7</strong> (imap) Unix-to-Unix decoding failed
 </p>
 </li>
+<li>
+<p>
+<strong>141:8</strong> (imap) file decompression failed
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Peg counts:</p></div>
 <div class="ulist"><ul>
@@ -13477,6 +13578,20 @@ int <strong>imap.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-
 </ul></div>
 </div>
 <div class="sect2">
+<h3 id="_mem_test">mem_test</h3>
+<div class="paragraph"><p>What: for testing memory management</p></div>
+<div class="paragraph"><p>Type: inspector</p></div>
+<div class="paragraph"><p>Usage: inspect</p></div>
+<div class="paragraph"><p>Peg counts:</p></div>
+<div class="ulist"><ul>
+<li>
+<p>
+<strong>mem_test.packets</strong>: total packets (sum)
+</p>
+</li>
+</ul></div>
+</div>
+<div class="sect2">
 <h3 id="_modbus">modbus</h3>
 <div class="paragraph"><p>What: modbus inspection</p></div>
 <div class="paragraph"><p>Type: inspector</p></div>
@@ -14059,12 +14174,12 @@ enum <strong>perf_monitor.output</strong> = file: output location for stats { fi
 </li>
 <li>
 <p>
-string <strong>perf_monitor.modules[].name</strong>: name of the module
+string <strong><code>perf_monitor.modules[].name</code></strong>: name of the module
 </p>
 </li>
 <li>
 <p>
-string <strong>perf_monitor.modules[].pegs</strong>: list of statistics to track or empty for all counters
+string <strong><code>perf_monitor.modules[].pegs</code></strong>: list of statistics to track or empty for all counters
 </p>
 </li>
 <li>
@@ -14106,6 +14221,21 @@ int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment
 </li>
 <li>
 <p>
+bool <strong>pop.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>pop.decompress_swf</strong> = false: decompress swf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>pop.decompress_zip</strong> = false: decompress zip files in MIME attachments
+</p>
+</li>
+<li>
+<p>
 int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }
 </p>
 </li>
@@ -14142,6 +14272,11 @@ int <strong>pop.uu_decode_depth</strong> = 1460: Unix-to-Unix decoding depth (-1
 <strong>142:7</strong> (pop) Unix-to-Unix decoding failed
 </p>
 </li>
+<li>
+<p>
+<strong>142:8</strong> (pop) file decompression failed
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Peg counts:</p></div>
 <div class="ulist"><ul>
@@ -15235,12 +15370,12 @@ string <strong>sip.methods</strong> = invite cancel ack  bye register options: l
 <div class="ulist"><ul>
 <li>
 <p>
-string <strong>smtp.alt_max_command_line_len[].command</strong>: command string
+string <strong><code>smtp.alt_max_command_line_len[].command</code></strong>: command string
 </p>
 </li>
 <li>
 <p>
-int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0:max32 }
+int <strong><code>smtp.alt_max_command_line_len[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }
 </p>
 </li>
 <li>
@@ -15270,6 +15405,21 @@ string <strong>smtp.data_cmds</strong>: commands that initiate sending of data w
 </li>
 <li>
 <p>
+bool <strong>smtp.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>smtp.decompress_swf</strong> = false: decompress swf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>smtp.decompress_zip</strong> = false: decompress zip files in MIME attachments
+</p>
+</li>
+<li>
+<p>
 int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }
 </p>
 </li>
@@ -15426,6 +15576,11 @@ enum <strong>smtp.xlink2state</strong> = alert: enable/disable xlink2state alert
 <strong>124:15</strong> (smtp) attempted authentication command buffer overflow
 </p>
 </li>
+<li>
+<p>
+<strong>124:16</strong> (smtp) file decompression failed
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Peg counts:</p></div>
 <div class="ulist"><ul>
@@ -15745,6 +15900,11 @@ int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time b
 </li>
 <li>
 <p>
+int <strong>stream.ip_cache.cap_weight</strong> = 64: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.icmp_cache.max_sessions</strong> = 65536: maximum simultaneous sessions tracked before pruning { 2:max32 }
 </p>
 </li>
@@ -15760,6 +15920,11 @@ int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time
 </li>
 <li>
 <p>
+int <strong>stream.icmp_cache.cap_weight</strong> = 8: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.tcp_cache.max_sessions</strong> = 262144: maximum simultaneous sessions tracked before pruning { 2:max32 }
 </p>
 </li>
@@ -15775,6 +15940,11 @@ int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time
 </li>
 <li>
 <p>
+int <strong>stream.tcp_cache.cap_weight</strong> = 11500: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.udp_cache.max_sessions</strong> = 131072: maximum simultaneous sessions tracked before pruning { 2:max32 }
 </p>
 </li>
@@ -15790,6 +15960,11 @@ int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time
 </li>
 <li>
 <p>
+int <strong>stream.udp_cache.cap_weight</strong> = 128: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.user_cache.max_sessions</strong> = 1024: maximum simultaneous sessions tracked before pruning { 2:max32 }
 </p>
 </li>
@@ -15805,6 +15980,11 @@ int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time
 </li>
 <li>
 <p>
+int <strong>stream.user_cache.cap_weight</strong> = 256: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.file_cache.max_sessions</strong> = 128: maximum simultaneous sessions tracked before pruning { 2:max32 }
 </p>
 </li>
@@ -15820,6 +16000,11 @@ int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time
 </li>
 <li>
 <p>
+int <strong>stream.file_cache.cap_weight</strong> = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.trace</strong>: mask for enabling debug traces in module { 0:max53 }
 </p>
 </li>
@@ -16444,6 +16629,11 @@ int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of
 int <strong>stream_tcp.session_timeout</strong> = 30: session tracking timeout { 1:max31 }
 </p>
 </li>
+<li>
+<p>
+bool <strong>stream_tcp.track_only</strong> = false: disable reassembly if true
+</p>
+</li>
 </ul></div>
 <div class="paragraph"><p>Rules:</p></div>
 <div class="ulist"><ul>
@@ -16897,52 +17087,52 @@ bool <strong>telnet.normalize</strong> = false: eliminate escape sequences
 <div class="ulist"><ul>
 <li>
 <p>
-string <strong>wizard.hexes[].service</strong>: name of service
+string <strong><code>wizard.hexes[].service</code></strong>: name of service
 </p>
 </li>
 <li>
 <p>
-select <strong>wizard.hexes[].proto</strong> = tcp: protocol to scan { tcp | udp }
+select <strong><code>wizard.hexes[].proto</code></strong> = tcp: protocol to scan { tcp | udp }
 </p>
 </li>
 <li>
 <p>
-bool <strong>wizard.hexes[].client_first</strong> = true: which end initiates data transfer
+bool <strong><code>wizard.hexes[].client_first</code></strong> = true: which end initiates data transfer
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.hexes[].to_server[].hex</strong>: sequence of data with wild chars (?)
+string <strong><code>wizard.hexes[].to_server[].hex</code></strong>: sequence of data with wild chars (?)
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.hexes[].to_client[].hex</strong>: sequence of data with wild chars (?)
+string <strong><code>wizard.hexes[].to_client[].hex</code></strong>: sequence of data with wild chars (?)
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.spells[].service</strong>: name of service
+string <strong><code>wizard.spells[].service</code></strong>: name of service
 </p>
 </li>
 <li>
 <p>
-select <strong>wizard.spells[].proto</strong> = tcp: protocol to scan { tcp | udp }
+select <strong><code>wizard.spells[].proto</code></strong> = tcp: protocol to scan { tcp | udp }
 </p>
 </li>
 <li>
 <p>
-bool <strong>wizard.spells[].client_first</strong> = true: which end initiates data transfer
+bool <strong><code>wizard.spells[].client_first</code></strong> = true: which end initiates data transfer
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with wild cards (*)
+string <strong><code>wizard.spells[].to_server[].spell</code></strong>: sequence of data with wild cards (*)
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.spells[].to_client[].spell</strong>: sequence of data with wild cards (*)
+string <strong><code>wizard.spells[].to_client[].spell</code></strong>: sequence of data with wild cards (*)
 </p>
 </li>
 <li>
@@ -18457,7 +18647,7 @@ implied <strong>md5.relative</strong> = false: offset from cursor instead of sta
 <div class="ulist"><ul>
 <li>
 <p>
-string <strong>metadata.</strong>*: comma-separated list of arbitrary name value pairs
+string <strong><code>metadata.*</code></strong>: comma-separated list of arbitrary name value pairs
 </p>
 </li>
 </ul></div>
@@ -18762,7 +18952,7 @@ interval <strong>seq.~range</strong>: check if TCP sequence number is in given r
 <div class="ulist"><ul>
 <li>
 <p>
-string <strong>service.</strong>*: one or more comma-separated service names
+string <strong><code>service.*</code></strong>: one or more comma-separated service names
 </p>
 </li>
 </ul></div>
@@ -18874,7 +19064,7 @@ int <strong>sid.~</strong>: signature id { 1:max32 }
 <div class="ulist"><ul>
 <li>
 <p>
-string <strong>sip_method.*method</strong>: sip method
+string <strong><code>sip_method.*method</code></strong>: sip method
 </p>
 </li>
 </ul></div>
@@ -18888,7 +19078,7 @@ string <strong>sip_method.*method</strong>: sip method
 <div class="ulist"><ul>
 <li>
 <p>
-int <strong>sip_stat_code.*code</strong>: status code { 1:999 }
+int <strong><code>sip_stat_code.*code</code></strong>: status code { 1:999 }
 </p>
 </li>
 </ul></div>
@@ -19352,12 +19542,12 @@ string <strong>alert_sfsocket.file</strong>: name of unix socket file
 </li>
 <li>
 <p>
-int <strong>alert_sfsocket.rules[].gid</strong> = 1: rule generator ID { 1:max32 }
+int <strong><code>alert_sfsocket.rules[].gid</code></strong> = 1: rule generator ID { 1:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>alert_sfsocket.rules[].sid</strong> = 1: rule signature ID { 1:max32 }
+int <strong><code>alert_sfsocket.rules[].sid</code></strong> = 1: rule signature ID { 1:max32 }
 </p>
 </li>
 </ul></div>
@@ -19387,6 +19577,12 @@ multi <strong>alert_syslog.options</strong>: used to open the syslog connection
 </ul></div>
 </div>
 <div class="sect2">
+<h3 id="_alert_talos">alert_talos</h3>
+<div class="paragraph"><p>What: output event in Talos alert format</p></div>
+<div class="paragraph"><p>Type: logger</p></div>
+<div class="paragraph"><p>Usage: context</p></div>
+</div>
+<div class="sect2">
 <h3 id="_alert_unixsock">alert_unixsock</h3>
 <div class="paragraph"><p>What: output event over unix socket</p></div>
 <div class="paragraph"><p>Type: logger</p></div>
@@ -20952,6 +21148,13 @@ options into a Snort++ configuration file</p></div>
 </li>
 <li>
 <p>
+<strong>--dont-convert-max-sessions</strong>
+                    do not convert max_tcp, max_udp, max_icmp, max_ip to
+                    max_session
+</p>
+</li>
+<li>
+<p>
 <strong>--error-file=&lt;error_file&gt;</strong>
                     Same as <em>-e</em>. output all errors to &lt;error_file&gt;
 </p>
@@ -23939,11 +24142,6 @@ bool <strong>alerts.alert_with_interface_name</strong> = false: include interfac
 </li>
 <li>
 <p>
-bool <strong>alerts.default_rule_state</strong> = true: enable or disable ips rules
-</p>
-</li>
-<li>
-<p>
 int <strong>alerts.detection_filter_memcap</strong> = 1048576: set available MB of memory for detection_filters { 0:max32 }
 </p>
 </li>
@@ -23959,12 +24157,12 @@ string <strong>alert_sfsocket.file</strong>: name of unix socket file
 </li>
 <li>
 <p>
-int <strong>alert_sfsocket.rules[].gid</strong> = 1: rule generator ID { 1:max32 }
+int <strong><code>alert_sfsocket.rules[].gid</code></strong> = 1: rule generator ID { 1:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>alert_sfsocket.rules[].sid</strong> = 1: rule signature ID { 1:max32 }
+int <strong><code>alert_sfsocket.rules[].sid</code></strong> = 1: rule signature ID { 1:max32 }
 </p>
 </li>
 <li>
@@ -24019,7 +24217,7 @@ string <strong>appid.app_detector_dir</strong>: directory to load appid detector
 </li>
 <li>
 <p>
-int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 0:max32 }
+int <strong>appid.app_stats_period</strong> = 300: time period for collecting and logging appid statistics { 1:max32 }
 </p>
 </li>
 <li>
@@ -24059,7 +24257,7 @@ bool <strong>appid.log_stats</strong> = false: enable logging of appid statistic
 </li>
 <li>
 <p>
-int <strong>appid.memcap</strong> = 0: disregard - not implemented { 0:maxSZ }
+int <strong>appid.memcap</strong> = 1048576: max size of the service cache before we start pruning the cache { 1024:maxSZ }
 </p>
 </li>
 <li>
@@ -24094,12 +24292,12 @@ int <strong>appid.trace</strong>: mask for enabling debug traces in module { 0:m
 </li>
 <li>
 <p>
-ip4 <strong>arp_spoof.hosts[].ip</strong>: host ip address
+ip4 <strong><code>arp_spoof.hosts[].ip</code></strong>: host ip address
 </p>
 </li>
 <li>
 <p>
-mac <strong>arp_spoof.hosts[].mac</strong>: host mac address
+mac <strong><code>arp_spoof.hosts[].mac</code></strong>: host mac address
 </p>
 </li>
 <li>
@@ -24164,112 +24362,117 @@ implied <strong>base64_decode.relative</strong>: apply offset to cursor instead
 </li>
 <li>
 <p>
-enum <strong>binder[].use.action</strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }
+enum <strong><code>binder[].use.action</code></strong> = inspect: what to do with matching traffic { reset | block | allow | inspect }
+</p>
+</li>
+<li>
+<p>
+string <strong><code>binder[].use.file</code></strong>: use configuration in given file
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.file</strong>: use configuration in given file
+string <strong><code>binder[].use.inspection_policy</code></strong>: use inspection policy from given file
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.inspection_policy</strong>: use inspection policy from given file
+string <strong><code>binder[].use.ips_policy</code></strong>: use ips policy from given file
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.ips_policy</strong>: use ips policy from given file
+string <strong><code>binder[].use.name</code></strong>: symbol name (defaults to type)
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.name</strong>: symbol name (defaults to type)
+string <strong><code>binder[].use.network_policy</code></strong>: use network policy from given file
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.network_policy</strong>: use network policy from given file
+string <strong><code>binder[].use.service</code></strong>: override automatic service identification
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.service</strong>: override automatic service identification
+string <strong><code>binder[].use.type</code></strong>: select module for binding
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].use.type</strong>: select module for binding
+addr_list <strong><code>binder[].when.dst_nets</code></strong>: list of destination networks
 </p>
 </li>
 <li>
 <p>
-addr_list <strong>binder[].when.dst_nets</strong>: list of destination networks
+bit_list <strong><code>binder[].when.dst_ports</code></strong>: list of destination ports { 65535 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.dst_ports</strong>: list of destination ports { 65535 }
+bit_list <strong><code>binder[].when.dst_zone</code></strong>: destination zone { 63 }
 </p>
 </li>
 <li>
 <p>
-int <strong>binder[].when.dst_zone</strong>: destination zone { 0:max31 }
+bit_list <strong><code>binder[].when.ifaces</code></strong>: list of interface indices { 255 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.ifaces</strong>: list of interface indices { 255 }
+int <strong><code>binder[].when.ips_policy_id</code></strong> = 0: unique ID for selection of this config by external logic { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>binder[].when.ips_policy_id</strong> = 0: unique ID for selection of this config by external logic { 0:max32 }
+addr_list <strong><code>binder[].when.nets</code></strong>: list of networks
 </p>
 </li>
 <li>
 <p>
-addr_list <strong>binder[].when.nets</strong>: list of networks
+bit_list <strong><code>binder[].when.ports</code></strong>: list of ports { 65535 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.ports</strong>: list of ports { 65535 }
+enum <strong><code>binder[].when.proto</code></strong>: protocol { any | ip | icmp | tcp | udp | user | file }
 </p>
 </li>
 <li>
 <p>
-enum <strong>binder[].when.proto</strong>: protocol { any | ip | icmp | tcp | udp | user | file }
+enum <strong><code>binder[].when.role</code></strong> = any: use the given configuration on one or any end of a session { client | server | any }
 </p>
 </li>
 <li>
 <p>
-enum <strong>binder[].when.role</strong> = any: use the given configuration on one or any end of a session { client | server | any }
+string <strong><code>binder[].when.service</code></strong>: override default configuration
 </p>
 </li>
 <li>
 <p>
-string <strong>binder[].when.service</strong>: override default configuration
+addr_list <strong><code>binder[].when.src_nets</code></strong>: list of source networks
 </p>
 </li>
 <li>
 <p>
-addr_list <strong>binder[].when.src_nets</strong>: list of source networks
+bit_list <strong><code>binder[].when.src_ports</code></strong>: list of source ports { 65535 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.src_ports</strong>: list of source ports { 65535 }
+bit_list <strong><code>binder[].when.src_zone</code></strong>: source zone { 63 }
 </p>
 </li>
 <li>
 <p>
-int <strong>binder[].when.src_zone</strong>: source zone { 0:max31 }
+bit_list <strong><code>binder[].when.vlans</code></strong>: list of VLAN IDs { 4095 }
 </p>
 </li>
 <li>
 <p>
-bit_list <strong>binder[].when.vlans</strong>: list of VLAN IDs { 4095 }
+bit_list <strong><code>binder[].when.zones</code></strong>: zones { 63 }
 </p>
 </li>
 <li>
@@ -24544,17 +24747,17 @@ implied <strong>byte_test.string</strong>: convert from string
 </li>
 <li>
 <p>
-string <strong>classifications[].name</strong>: name used with classtype rule option
+string <strong><code>classifications[].name</code></strong>: name used with classtype rule option
 </p>
 </li>
 <li>
 <p>
-int <strong>classifications[].priority</strong> = 1: default priority for class { 0:max32 }
+int <strong><code>classifications[].priority</code></strong> = 1: default priority for class { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>classifications[].text</strong>: description of class
+string <strong><code>classifications[].text</code></strong>: description of class
 </p>
 </li>
 <li>
@@ -24619,17 +24822,17 @@ string <strong>daq.input_spec</strong>: input specification
 </li>
 <li>
 <p>
-int <strong>daq.instances[].id</strong>: instance ID (required) { 0:max32 }
+int <strong><code>daq.instances[].id</code></strong>: instance ID (required) { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>daq.instances[].input_spec</strong>: input specification
+string <strong><code>daq.instances[].input_spec</code></strong>: input specification
 </p>
 </li>
 <li>
 <p>
-string <strong>daq.instances[].variables[].str</strong>: string parameter
+string <strong><code>daq.instances[].variables[].str</code></strong>: string parameter
 </p>
 </li>
 <li>
@@ -24639,7 +24842,7 @@ string <strong>daq.module</strong>: DAQ module to use
 </li>
 <li>
 <p>
-string <strong>daq.module_dirs[].str</strong>: string parameter
+string <strong><code>daq.module_dirs[].str</code></strong>: string parameter
 </p>
 </li>
 <li>
@@ -24654,7 +24857,7 @@ int <strong>daq.snaplen</strong>: set snap length (same as -s) { 0:65535 }
 </li>
 <li>
 <p>
-string <strong>daq.variables[].str</strong>: string parameter
+string <strong><code>daq.variables[].str</code></strong>: string parameter
 </p>
 </li>
 <li>
@@ -24694,6 +24897,11 @@ bool <strong>dce_smb.disable_defrag</strong> = false: disable DCE/RPC defragment
 </li>
 <li>
 <p>
+bool <strong>dce_smb.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
+</p>
+</li>
+<li>
+<p>
 int <strong>dce_smb.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }
 </p>
 </li>
@@ -24759,6 +24967,11 @@ bool <strong>dce_tcp.disable_defrag</strong> = false: disable DCE/RPC defragment
 </li>
 <li>
 <p>
+bool <strong>dce_tcp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
+</p>
+</li>
+<li>
+<p>
 int <strong>dce_tcp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }
 </p>
 </li>
@@ -24779,6 +24992,11 @@ bool <strong>dce_udp.disable_defrag</strong> = false: disable DCE/RPC defragment
 </li>
 <li>
 <p>
+bool <strong>dce_udp.limit_alerts</strong> = true: limit DCE alert to at most one per signature per flow
+</p>
+</li>
+<li>
+<p>
 int <strong>dce_udp.max_frag_len</strong> = 65535: maximum fragment size for defragmentation { 1514:65535 }
 </p>
 </li>
@@ -24819,6 +25037,16 @@ enum <strong>detection_filter.track</strong>: track hits by source or destinatio
 </li>
 <li>
 <p>
+bool <strong>detection.global_default_rule_state</strong> = true: enable or disable rules by default (overridden by ips policy settings)
+</p>
+</li>
+<li>
+<p>
+bool <strong>detection.global_rule_state</strong> = false: apply rule_state against all policies
+</p>
+</li>
+<li>
+<p>
 int <strong>detection.offload_limit</strong> = 99999: minimum sizeof PDU to offload fast pattern search (defaults to disabled) { 0:max32 }
 </p>
 </li>
@@ -24904,37 +25132,37 @@ bool <strong>esp.decode_esp</strong> = false: enable for inspection of esp traff
 </li>
 <li>
 <p>
-int <strong>event_filter[].count</strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }
+int <strong><code>event_filter[].count</code></strong> = 0: number of events in interval before tripping; -1 to disable { -1:max31 }
 </p>
 </li>
 <li>
 <p>
-int <strong>event_filter[].gid</strong> = 1: rule generator ID { 0:max32 }
+int <strong><code>event_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>event_filter[].ip</strong>: restrict filter to these addresses according to track
+string <strong><code>event_filter[].ip</code></strong>: restrict filter to these addresses according to track
 </p>
 </li>
 <li>
 <p>
-int <strong>event_filter[].seconds</strong> = 0: count interval { 0:max32 }
+int <strong><code>event_filter[].seconds</code></strong> = 0: count interval { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>event_filter[].sid</strong> = 1: rule signature ID { 0:max32 }
+int <strong><code>event_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>event_filter[].track</strong>: filter only matching source or destination addresses { by_src | by_dst }
+enum <strong><code>event_filter[].track</code></strong>: filter only matching source or destination addresses { by_src | by_dst }
 </p>
 </li>
 <li>
 <p>
-enum <strong>event_filter[].type</strong>: 1st count events | every count events | once after count events { limit | threshold | both }
+enum <strong><code>event_filter[].type</code></strong>: 1st count events | every count events | once after count events { limit | threshold | both }
 </p>
 </li>
 <li>
@@ -25024,77 +25252,77 @@ bool <strong>file_id.enable_type</strong> = true: enable type ID
 </li>
 <li>
 <p>
-bool <strong>file_id.file_policy[].use.enable_file_capture</strong> = false: true/false &#8594; enable/disable file capture
+bool <strong><code>file_id.file_policy[].use.enable_file_capture</code></strong> = false: true/false &#8594; enable/disable file capture
 </p>
 </li>
 <li>
 <p>
-bool <strong>file_id.file_policy[].use.enable_file_signature</strong> = false: true/false &#8594; enable/disable file signature
+bool <strong><code>file_id.file_policy[].use.enable_file_signature</code></strong> = false: true/false &#8594; enable/disable file signature
 </p>
 </li>
 <li>
 <p>
-bool <strong>file_id.file_policy[].use.enable_file_type</strong> = false: true/false &#8594; enable/disable file type identification
+bool <strong><code>file_id.file_policy[].use.enable_file_type</code></strong> = false: true/false &#8594; enable/disable file type identification
 </p>
 </li>
 <li>
 <p>
-enum <strong>file_id.file_policy[].use.verdict</strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset  }
+enum <strong><code>file_id.file_policy[].use.verdict</code></strong> = unknown: what to do with matching traffic { unknown | log | stop | block | reset  }
 </p>
 </li>
 <li>
 <p>
-int <strong>file_id.file_policy[].when.file_type_id</strong> = 0: unique ID for file type in file magic rule { 0:max32 }
+int <strong><code>file_id.file_policy[].when.file_type_id</code></strong> = 0: unique ID for file type in file magic rule { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_policy[].when.sha256</strong>: SHA 256
+string <strong><code>file_id.file_policy[].when.sha256</code></strong>: SHA 256
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].category</strong>: file type category
+string <strong><code>file_id.file_rules[].category</code></strong>: file type category
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].group</strong>: comma separated list of groups associated with file type
+string <strong><code>file_id.file_rules[].group</code></strong>: comma separated list of groups associated with file type
 </p>
 </li>
 <li>
 <p>
-int <strong>file_id.file_rules[].id</strong> = 0: file type id { 0:max32 }
+int <strong><code>file_id.file_rules[].id</code></strong> = 0: file type id { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].magic[].content</strong>: file magic content
+string <strong><code>file_id.file_rules[].magic[].content</code></strong>: file magic content
 </p>
 </li>
 <li>
 <p>
-int <strong>file_id.file_rules[].magic[].offset</strong> = 0: file magic offset { 0:max32 }
+int <strong><code>file_id.file_rules[].magic[].offset</code></strong> = 0: file magic offset { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].msg</strong>: information about the file type
+string <strong><code>file_id.file_rules[].msg</code></strong>: information about the file type
 </p>
 </li>
 <li>
 <p>
-int <strong>file_id.file_rules[].rev</strong> = 0: rule revision { 0:max32 }
+int <strong><code>file_id.file_rules[].rev</code></strong> = 0: rule revision { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].type</strong>: file type name
+string <strong><code>file_id.file_rules[].type</code></strong>: file type name
 </p>
 </li>
 <li>
 <p>
-string <strong>file_id.file_rules[].version</strong>: file type version
+string <strong><code>file_id.file_rules[].version</code></strong>: file type version
 </p>
 </li>
 <li>
@@ -25254,17 +25482,17 @@ bool <strong>ftp_client.bounce</strong> = false: check for bounces
 </li>
 <li>
 <p>
-addr <strong>ftp_client.bounce_to[].address</strong> = 1.0.0.0/32: allowed IP address in CIDR format
+addr <strong><code>ftp_client.bounce_to[].address</code></strong> = 1.0.0.0/32: allowed IP address in CIDR format
 </p>
 </li>
 <li>
 <p>
-port <strong>ftp_client.bounce_to[].last_port</strong>: optional allowed range from port to last_port inclusive
+port <strong><code>ftp_client.bounce_to[].last_port</code></strong>: optional allowed range from port to last_port inclusive
 </p>
 </li>
 <li>
 <p>
-port <strong>ftp_client.bounce_to[].port</strong> = 20: allowed port
+port <strong><code>ftp_client.bounce_to[].port</code></strong> = 20: allowed port
 </p>
 </li>
 <li>
@@ -25294,17 +25522,17 @@ string <strong>ftp_server.chk_str_fmt</strong>: check the formatting of the give
 </li>
 <li>
 <p>
-string <strong>ftp_server.cmd_validity[].command</strong>: command string
+string <strong><code>ftp_server.cmd_validity[].command</code></strong>: command string
 </p>
 </li>
 <li>
 <p>
-string <strong>ftp_server.cmd_validity[].format</strong>: format specification
+string <strong><code>ftp_server.cmd_validity[].format</code></strong>: format specification
 </p>
 </li>
 <li>
 <p>
-int <strong>ftp_server.cmd_validity[].length</strong> = 0: specify non-default maximum for command { 0:max32 }
+int <strong><code>ftp_server.cmd_validity[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }
 </p>
 </li>
 <li>
@@ -25329,12 +25557,12 @@ int <strong>ftp_server.def_max_param_len</strong> = 100: default maximum length
 </li>
 <li>
 <p>
-string <strong>ftp_server.directory_cmds[].dir_cmd</strong>: directory command
+string <strong><code>ftp_server.directory_cmds[].dir_cmd</code></strong>: directory command
 </p>
 </li>
 <li>
 <p>
-int <strong>ftp_server.directory_cmds[].rsp_code</strong> = 200: expected successful response code for command { 200:max32 }
+int <strong><code>ftp_server.directory_cmds[].rsp_code</code></strong> = 200: expected successful response code for command { 200:max32 }
 </p>
 </li>
 <li>
@@ -25399,27 +25627,27 @@ string <strong>gtp_info.~</strong>: info element to match
 </li>
 <li>
 <p>
-int <strong>gtp_inspect[].infos[].length</strong> = 0: information element type code { 0:255 }
+int <strong><code>gtp_inspect[].infos[].length</code></strong> = 0: information element type code { 0:255 }
 </p>
 </li>
 <li>
 <p>
-string <strong>gtp_inspect[].infos[].name</strong>: information element name
+string <strong><code>gtp_inspect[].infos[].name</code></strong>: information element name
 </p>
 </li>
 <li>
 <p>
-int <strong>gtp_inspect[].infos[].type</strong> = 0: information element type code { 0:255 }
+int <strong><code>gtp_inspect[].infos[].type</code></strong> = 0: information element type code { 0:255 }
 </p>
 </li>
 <li>
 <p>
-string <strong>gtp_inspect[].messages[].name</strong>: message name
+string <strong><code>gtp_inspect[].messages[].name</code></strong>: message name
 </p>
 </li>
 <li>
 <p>
-int <strong>gtp_inspect[].messages[].type</strong> = 0: message type code { 0:255 }
+int <strong><code>gtp_inspect[].messages[].type</code></strong> = 0: message type code { 0:255 }
 </p>
 </li>
 <li>
@@ -25429,7 +25657,7 @@ int <strong>gtp_inspect.trace</strong>: mask for enabling debug traces in module
 </li>
 <li>
 <p>
-int <strong>gtp_inspect[].version</strong> = 2: GTP version { 0:2 }
+int <strong><code>gtp_inspect[].version</code></strong> = 2: GTP version { 0:2 }
 </p>
 </li>
 <li>
@@ -25469,67 +25697,67 @@ bit_list <strong>high_availability.ports</strong>: side channel message port lis
 </li>
 <li>
 <p>
-int <strong>host_cache[].size</strong>: size of host cache { 1:max32 }
+int <strong><code>host_cache[].size</code></strong>: size of host cache { 1:max32 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>hosts[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
+enum <strong><code>hosts[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
 </p>
 </li>
 <li>
 <p>
-addr <strong>hosts[].ip</strong> = 0.0.0.0/32: hosts address / CIDR
+addr <strong><code>hosts[].ip</code></strong> = 0.0.0.0/32: hosts address / CIDR
 </p>
 </li>
 <li>
 <p>
-string <strong>hosts[].services[].name</strong>: service identifier
+string <strong><code>hosts[].services[].name</code></strong>: service identifier
 </p>
 </li>
 <li>
 <p>
-port <strong>hosts[].services[].port</strong>: port number
+port <strong><code>hosts[].services[].port</code></strong>: port number
 </p>
 </li>
 <li>
 <p>
-enum <strong>hosts[].services[].proto</strong> = tcp: IP protocol { tcp | udp }
+enum <strong><code>hosts[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }
 </p>
 </li>
 <li>
 <p>
-enum <strong>hosts[].tcp_policy</strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
+enum <strong><code>hosts[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
 </p>
 </li>
 <li>
 <p>
-enum <strong>host_tracker[].frag_policy</strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
+enum <strong><code>host_tracker[].frag_policy</code></strong>: defragmentation policy { first | linux | bsd | bsd_right | last | windows | solaris }
 </p>
 </li>
 <li>
 <p>
-addr <strong>host_tracker[].ip</strong> = 0.0.0.0/32: hosts address / cidr
+addr <strong><code>host_tracker[].ip</code></strong> = 0.0.0.0/32: hosts address / cidr
 </p>
 </li>
 <li>
 <p>
-string <strong>host_tracker[].services[].name</strong>: service identifier
+string <strong><code>host_tracker[].services[].name</code></strong>: service identifier
 </p>
 </li>
 <li>
 <p>
-port <strong>host_tracker[].services[].port</strong>: port number
+port <strong><code>host_tracker[].services[].port</code></strong>: port number
 </p>
 </li>
 <li>
 <p>
-enum <strong>host_tracker[].services[].proto</strong> = tcp: IP protocol { tcp | udp }
+enum <strong><code>host_tracker[].services[].proto</code></strong> = tcp: IP protocol { tcp | udp }
 </p>
 </li>
 <li>
 <p>
-enum <strong>host_tracker[].tcp_policy</strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
+enum <strong><code>host_tracker[].tcp_policy</code></strong>: TCP reassembly policy { first | last | linux | old_linux | bsd | macos | solaris | irix | hpux11 | hpux10 | windows | win_2003 | vista | proxy }
 </p>
 </li>
 <li>
@@ -25589,6 +25817,11 @@ bool <strong>http_inspect.decompress_swf</strong> = false: decompress swf files
 </li>
 <li>
 <p>
+bool <strong>http_inspect.decompress_zip</strong> = false: decompress zip files in response bodies
+</p>
+</li>
+<li>
+<p>
 string <strong>http_inspect.ignore_unreserved</strong>: do not alert when the specified unreserved characters are percent-encoded in a URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore, tilde, and minus. { (optional) }
 </p>
 </li>
@@ -25924,6 +26157,21 @@ int <strong>imap.bitenc_decode_depth</strong> = 1460: non-Encoded MIME attachmen
 </li>
 <li>
 <p>
+bool <strong>imap.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>imap.decompress_swf</strong> = false: decompress swf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>imap.decompress_zip</strong> = false: decompress zip files in MIME attachments
+</p>
+</li>
+<li>
+<p>
 int <strong>imap.qp_decode_depth</strong> = 1460: quoted Printable decoding depth (-1 no limit) { -1:65535 }
 </p>
 </li>
@@ -25959,6 +26207,11 @@ string <strong>ip_proto.~proto</strong>: [!|&gt;|&lt;] name or number
 </li>
 <li>
 <p>
+enum <strong>ips.default_rule_state</strong> = inherit: enable or disable ips rules { false | true | inherit }
+</p>
+</li>
+<li>
+<p>
 bool <strong>ips.enable_builtin_rules</strong> = false: enable events from builtin rules w/o stubs
 </p>
 </li>
@@ -25979,6 +26232,11 @@ enum <strong>ips.mode</strong>: set policy mode { tap | inline | inline-test }
 </li>
 <li>
 <p>
+bool <strong>ips.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers
+</p>
+</li>
+<li>
+<p>
 string <strong>ips.rules</strong>: snort rules and includes
 </p>
 </li>
@@ -26104,17 +26362,12 @@ int <strong>memory.cap</strong> = 0: set the per-packet-thread cap on memory (by
 </li>
 <li>
 <p>
-bool <strong>memory.soft</strong> = false: always succeed in allocating memory, even if above the cap
-</p>
-</li>
-<li>
-<p>
 int <strong>memory.threshold</strong> = 0: set the per-packet-thread threshold for preemptive cleanup actions (percent, 0 to disable) { 0:100 }
 </p>
 </li>
 <li>
 <p>
-string <strong>metadata.</strong>*: comma-separated list of arbitrary name value pairs
+string <strong><code>metadata.*</code></strong>: comma-separated list of arbitrary name value pairs
 </p>
 </li>
 <li>
@@ -26364,11 +26617,6 @@ bool <strong>output.obfuscate</strong> = false: obfuscate the logged IP addresse
 </li>
 <li>
 <p>
-bool <strong>output.obfuscate_pii</strong> = false: mask all but the last 4 characters of credit card and social security numbers
-</p>
-</li>
-<li>
-<p>
 bool <strong>output.quiet</strong> = false: suppress non-fatal information (still show alerts, same as -q)
 </p>
 </li>
@@ -26484,12 +26732,12 @@ int <strong>perf_monitor.max_file_size</strong> = 1073741824: files will be roll
 </li>
 <li>
 <p>
-string <strong>perf_monitor.modules[].name</strong>: name of the module
+string <strong><code>perf_monitor.modules[].name</code></strong>: name of the module
 </p>
 </li>
 <li>
 <p>
-string <strong>perf_monitor.modules[].pegs</strong>: list of statistics to track or empty for all counters
+string <strong><code>perf_monitor.modules[].pegs</code></strong>: list of statistics to track or empty for all counters
 </p>
 </li>
 <li>
@@ -26529,6 +26777,21 @@ int <strong>pop.bitenc_decode_depth</strong> = 1460: Non-Encoded MIME attachment
 </li>
 <li>
 <p>
+bool <strong>pop.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>pop.decompress_swf</strong> = false: decompress swf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>pop.decompress_zip</strong> = false: decompress zip files in MIME attachments
+</p>
+</li>
+<li>
+<p>
 int <strong>pop.qp_decode_depth</strong> = 1460: Quoted Printable decoding depth (-1 no limit) { -1:65535 }
 </p>
 </li>
@@ -26889,12 +27152,12 @@ string <strong>process.set_uid</strong>: set user ID (same as -u)
 </li>
 <li>
 <p>
-string <strong>process.threads[].cpuset</strong>: pin the associated thread to this cpuset
+string <strong><code>process.threads[].cpuset</code></strong>: pin the associated thread to this cpuset
 </p>
 </li>
 <li>
 <p>
-int <strong>process.threads[].thread</strong> = 0: set cpu affinity for the &lt;cur_thread_num&gt; thread that runs { 0:65535 }
+int <strong><code>process.threads[].thread</code></strong> = 0: set cpu affinity for the &lt;cur_thread_num&gt; thread that runs { 0:65535 }
 </p>
 </li>
 <li>
@@ -26964,42 +27227,42 @@ enum <strong>profiler.rules.sort</strong> = total_time: sort by given field { no
 </li>
 <li>
 <p>
-string <strong>rate_filter[].apply_to</strong>: restrict filter to these addresses according to track
+string <strong><code>rate_filter[].apply_to</code></strong>: restrict filter to these addresses according to track
 </p>
 </li>
 <li>
 <p>
-int <strong>rate_filter[].count</strong> = 1: number of events in interval before tripping { 0:max32 }
+int <strong><code>rate_filter[].count</code></strong> = 1: number of events in interval before tripping { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>rate_filter[].gid</strong> = 1: rule generator ID { 0:max32 }
+int <strong><code>rate_filter[].gid</code></strong> = 1: rule generator ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>rate_filter[].new_action</strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }
+enum <strong><code>rate_filter[].new_action</code></strong> = alert: take this action on future hits until timeout { log | pass | alert | drop | block | reset }
 </p>
 </li>
 <li>
 <p>
-int <strong>rate_filter[].seconds</strong> = 1: count interval { 0:max32 }
+int <strong><code>rate_filter[].seconds</code></strong> = 1: count interval { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>rate_filter[].sid</strong> = 1: rule signature ID { 0:max32 }
+int <strong><code>rate_filter[].sid</code></strong> = 1: rule signature ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-int <strong>rate_filter[].timeout</strong> = 1: count interval { 0:max32 }
+int <strong><code>rate_filter[].timeout</code></strong> = 1: count interval { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>rate_filter[].track</strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
+enum <strong><code>rate_filter[].track</code></strong> = by_src: filter only matching source or destination addresses { by_src | by_dst | by_rule }
 </p>
 </li>
 <li>
@@ -27024,12 +27287,12 @@ string <strong>reference.~scheme</strong>: reference scheme
 </li>
 <li>
 <p>
-string <strong>references[].name</strong>: name used with reference rule option
+string <strong><code>references[].name</code></strong>: name used with reference rule option
 </p>
 </li>
 <li>
 <p>
-string <strong>references[].url</strong>: where this reference is defined
+string <strong><code>references[].url</code></strong>: where this reference is defined
 </p>
 </li>
 <li>
@@ -27154,17 +27417,12 @@ string <strong>rpc.~ver</strong>: version number or * for any
 </li>
 <li>
 <p>
-bool <strong>rule_state[].enable</strong> = true: enable or disable rule in all policies
+enum <strong><code>rule_state.([0-9]+):([0-9]+).action</code></strong> = inherit: apply action if rule matches or inherit from rule definition { log | pass | alert | drop | block | reset | inherit }
 </p>
 </li>
 <li>
 <p>
-int <strong>rule_state[].gid</strong> = 0: rule generator ID { 0:max32 }
-</p>
-</li>
-<li>
-<p>
-int <strong>rule_state[].sid</strong> = 0: rule signature ID { 0:max32 }
+enum <strong><code>rule_state.([0-9]+):([0-9]+).enable</code></strong> = inherit: enable or disable rule in current ips policy or use default defined by ips policy { false | true | inherit }
 </p>
 </li>
 <li>
@@ -27234,6 +27492,11 @@ int <strong>search_engine.max_queue_events</strong> = 5: maximum number of match
 </li>
 <li>
 <p>
+dynamic <strong>search_engine.offload_search_method</strong>: set fast pattern offload algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
+</p>
+</li>
+<li>
+<p>
 dynamic <strong>search_engine.search_method</strong> = ac_bnfa: set fast pattern algorithm - choose available search engine { ac_banded | ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan | lowmem }
 </p>
 </li>
@@ -27259,7 +27522,7 @@ interval <strong>seq.~range</strong>: check if TCP sequence number is in given r
 </li>
 <li>
 <p>
-string <strong>service.</strong>*: one or more comma-separated service names
+string <strong><code>service.*</code></strong>: one or more comma-separated service names
 </p>
 </li>
 <li>
@@ -27314,7 +27577,7 @@ string <strong>side_channel.connector</strong>: connector handle
 </li>
 <li>
 <p>
-string <strong>side_channel.connectors[].connector</strong>: connector handle
+string <strong><code>side_channel.connectors[].connector</code></strong>: connector handle
 </p>
 </li>
 <li>
@@ -27379,7 +27642,7 @@ int <strong>sip.max_via_len</strong> = 1024: maximum via field size { 0:65535 }
 </li>
 <li>
 <p>
-string <strong>sip_method.*method</strong>: sip method
+string <strong><code>sip_method.*method</code></strong>: sip method
 </p>
 </li>
 <li>
@@ -27389,17 +27652,17 @@ string <strong>sip.methods</strong> = invite cancel ack  bye register options: l
 </li>
 <li>
 <p>
-int <strong>sip_stat_code.*code</strong>: status code { 1:999 }
+int <strong><code>sip_stat_code.*code</code></strong>: status code { 1:999 }
 </p>
 </li>
 <li>
 <p>
-string <strong>smtp.alt_max_command_line_len[].command</strong>: command string
+string <strong><code>smtp.alt_max_command_line_len[].command</code></strong>: command string
 </p>
 </li>
 <li>
 <p>
-int <strong>smtp.alt_max_command_line_len[].length</strong> = 0: specify non-default maximum for command { 0:max32 }
+int <strong><code>smtp.alt_max_command_line_len[].length</code></strong> = 0: specify non-default maximum for command { 0:max32 }
 </p>
 </li>
 <li>
@@ -27429,6 +27692,21 @@ string <strong>smtp.data_cmds</strong>: commands that initiate sending of data w
 </li>
 <li>
 <p>
+bool <strong>smtp.decompress_pdf</strong> = false: decompress pdf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>smtp.decompress_swf</strong> = false: decompress swf files in MIME attachments
+</p>
+</li>
+<li>
+<p>
+bool <strong>smtp.decompress_zip</strong> = false: decompress zip files in MIME attachments
+</p>
+</li>
+<li>
+<p>
 int <strong>smtp.email_hdrs_log_depth</strong> = 1464: depth for logging email headers { 0:20480 }
 </p>
 </li>
@@ -28259,6 +28537,11 @@ implied <strong>ssl_version.tls1.2</strong>: check for tls1.2
 </li>
 <li>
 <p>
+int <strong>stream.file_cache.cap_weight</strong> = 32: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.file_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
 </p>
 </li>
@@ -28284,6 +28567,11 @@ int <strong>stream.footprint</strong> = 0: use zero for production, non-zero for
 </li>
 <li>
 <p>
+int <strong>stream.icmp_cache.cap_weight</strong> = 8: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.icmp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
 </p>
 </li>
@@ -28304,6 +28592,11 @@ int <strong>stream_icmp.session_timeout</strong> = 30: session tracking timeout
 </li>
 <li>
 <p>
+int <strong>stream.ip_cache.cap_weight</strong> = 64: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.ip_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
 </p>
 </li>
@@ -28389,6 +28682,11 @@ interval <strong>stream_size.~range</strong>: check if the stream size is in the
 </li>
 <li>
 <p>
+int <strong>stream.tcp_cache.cap_weight</strong> = 11500: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.tcp_cache.idle_timeout</strong> = 3600: maximum inactive time before retiring session tracker { 1:max32 }
 </p>
 </li>
@@ -28469,11 +28767,21 @@ int <strong>stream_tcp.small_segments.maximum_size</strong> = 0: limit number of
 </li>
 <li>
 <p>
+bool <strong>stream_tcp.track_only</strong> = false: disable reassembly if true
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.trace</strong>: mask for enabling debug traces in module { 0:max53 }
 </p>
 </li>
 <li>
 <p>
+int <strong>stream.udp_cache.cap_weight</strong> = 128: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.udp_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
 </p>
 </li>
@@ -28494,6 +28802,11 @@ int <strong>stream_udp.session_timeout</strong> = 30: session tracking timeout {
 </li>
 <li>
 <p>
+int <strong>stream.user_cache.cap_weight</strong> = 256: additional bytes to track per flow for better estimation against cap { 0:65535 }
+</p>
+</li>
+<li>
+<p>
 int <strong>stream.user_cache.idle_timeout</strong> = 180: maximum inactive time before retiring session tracker { 1:max32 }
 </p>
 </li>
@@ -28519,22 +28832,22 @@ int <strong>stream_user.trace</strong>: mask for enabling debug traces in module
 </li>
 <li>
 <p>
-int <strong>suppress[].gid</strong> = 0: rule generator ID { 0:max32 }
+int <strong><code>suppress[].gid</code></strong> = 0: rule generator ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-string <strong>suppress[].ip</strong>: restrict suppression to these addresses according to track
+string <strong><code>suppress[].ip</code></strong>: restrict suppression to these addresses according to track
 </p>
 </li>
 <li>
 <p>
-int <strong>suppress[].sid</strong> = 0: rule signature ID { 0:max32 }
+int <strong><code>suppress[].sid</code></strong> = 0: rule signature ID { 0:max32 }
 </p>
 </li>
 <li>
 <p>
-enum <strong>suppress[].track</strong>: suppress only matching source or destination addresses { by_src | by_dst }
+enum <strong><code>suppress[].track</code></strong>: suppress only matching source or destination addresses { by_src | by_dst }
 </p>
 </li>
 <li>
@@ -28659,52 +28972,52 @@ multi <strong>wizard.curses</strong>: enable service identification based on int
 </li>
 <li>
 <p>
-bool <strong>wizard.hexes[].client_first</strong> = true: which end initiates data transfer
+bool <strong><code>wizard.hexes[].client_first</code></strong> = true: which end initiates data transfer
 </p>
 </li>
 <li>
 <p>
-select <strong>wizard.hexes[].proto</strong> = tcp: protocol to scan { tcp | udp }
+select <strong><code>wizard.hexes[].proto</code></strong> = tcp: protocol to scan { tcp | udp }
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.hexes[].service</strong>: name of service
+string <strong><code>wizard.hexes[].service</code></strong>: name of service
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.hexes[].to_client[].hex</strong>: sequence of data with wild chars (?)
+string <strong><code>wizard.hexes[].to_client[].hex</code></strong>: sequence of data with wild chars (?)
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.hexes[].to_server[].hex</strong>: sequence of data with wild chars (?)
+string <strong><code>wizard.hexes[].to_server[].hex</code></strong>: sequence of data with wild chars (?)
 </p>
 </li>
 <li>
 <p>
-bool <strong>wizard.spells[].client_first</strong> = true: which end initiates data transfer
+bool <strong><code>wizard.spells[].client_first</code></strong> = true: which end initiates data transfer
 </p>
 </li>
 <li>
 <p>
-select <strong>wizard.spells[].proto</strong> = tcp: protocol to scan { tcp | udp }
+select <strong><code>wizard.spells[].proto</code></strong> = tcp: protocol to scan { tcp | udp }
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.spells[].service</strong>: name of service
+string <strong><code>wizard.spells[].service</code></strong>: name of service
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.spells[].to_client[].spell</strong>: sequence of data with wild cards (*)
+string <strong><code>wizard.spells[].to_client[].spell</code></strong>: sequence of data with wild cards (*)
 </p>
 </li>
 <li>
 <p>
-string <strong>wizard.spells[].to_server[].spell</strong>: sequence of data with wild cards (*)
+string <strong><code>wizard.spells[].to_server[].spell</code></strong>: sequence of data with wild cards (*)
 </p>
 </li>
 <li>
@@ -29424,6 +29737,11 @@ interval <strong>wscale.~range</strong>: check if TCP window scale is in given r
 </li>
 <li>
 <p>
+<strong>detection.context_stalls</strong>: times processing stalled to wait for an available context (sum)
+</p>
+</li>
+<li>
+<p>
 <strong>detection.cooked_searches</strong>: fast pattern searches in cooked packet data (sum)
 </p>
 </li>
@@ -29939,6 +30257,51 @@ interval <strong>wscale.~range</strong>: check if TCP window scale is in given r
 </li>
 <li>
 <p>
+<strong>memory.allocated</strong>: total amount of memory allocated (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.allocations</strong>: total number of allocations (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.deallocated</strong>: total amount of memory allocated (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.deallocations</strong>: total number of deallocations (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.max_in_use</strong>: highest allocated - deallocated (max)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.reap_attempts</strong>: attempts to reclaim memory (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.reap_failures</strong>: failures to reclaim memory (now)
+</p>
+</li>
+<li>
+<p>
+<strong>memory.total_fudge</strong>: sum of all adjustments (now)
+</p>
+</li>
+<li>
+<p>
+<strong>mem_test.packets</strong>: total packets (sum)
+</p>
+</li>
+<li>
+<p>
 <strong>modbus.concurrent_sessions</strong>: total concurrent modbus sessions (now)
 </p>
 </li>
@@ -33094,7 +33457,7 @@ interval <strong>wscale.~range</strong>: check if TCP window scale is in given r
 </li>
 <li>
 <p>
-<strong>119:229</strong> (http_inspect) PDF/SWF decompression of server response too big
+<strong>119:229</strong> (http_inspect) PDF/SWF/ZIP decompression of server response too big
 </p>
 </li>
 <li>
@@ -33449,6 +33812,11 @@ interval <strong>wscale.~range</strong>: check if TCP window scale is in given r
 </li>
 <li>
 <p>
+<strong>124:16</strong> (smtp) file decompression failed
+</p>
+</li>
+<li>
+<p>
 <strong>125:1</strong> (ftp_server) TELNET cmd on FTP command channel
 </p>
 </li>
@@ -34159,6 +34527,11 @@ interval <strong>wscale.~range</strong>: check if TCP window scale is in given r
 </li>
 <li>
 <p>
+<strong>141:8</strong> (imap) file decompression failed
+</p>
+</li>
+<li>
+<p>
 <strong>142:1</strong> (pop) unknown POP3 command
 </p>
 </li>
@@ -34184,6 +34557,11 @@ interval <strong>wscale.~range</strong>: check if TCP window scale is in given r
 </li>
 <li>
 <p>
+<strong>142:8</strong> (pop) file decompression failed
+</p>
+</li>
+<li>
+<p>
 <strong>143:1</strong> (gtp_inspect) message length is invalid
 </p>
 </li>
@@ -34416,16 +34794,13 @@ documentation and are not applicable elsewhere.</td>
 change -&gt;  dynamicengine ==&gt; 'snort.--plugin_path=&lt;path&gt;'
 change -&gt;  dynamicpreprocessor ==&gt; 'snort.--plugin_path=&lt;path&gt;'
 change -&gt;  dynamicsidechannel ==&gt; 'snort.--plugin_path=&lt;path&gt;'
-change -&gt; alertfile: 'config alertfile:' ==&gt; 'alert_fast.file'
-change -&gt; alertfile: 'config alertfile:' ==&gt; 'alert_full.file'
 change -&gt; attribute_table: 'STREAM_POLICY' ==&gt; 'hosts: tcp_policy'
 change -&gt; attribute_table: 'filename &lt;file_name&gt;' ==&gt; 'hosts[]'
 change -&gt; config ' addressspace_agnostic'  ==&gt; ' packets. address_space_agnostic'
 change -&gt; config ' checksum_mode'  ==&gt; ' network. checksum_eval'
-change -&gt; config ' daq'  ==&gt; ' daq. type'
-change -&gt; config ' daq_dir'  ==&gt; ' daq. dir'
-change -&gt; config ' daq_mode'  ==&gt; ' daq. mode'
-change -&gt; config ' daq_var'  ==&gt; ' daq. var'
+change -&gt; config ' daq'  ==&gt; ' daq. module'
+change -&gt; config ' daq_dir'  ==&gt; ' daq. module_dirs, true'
+change -&gt; config ' daq_var'  ==&gt; ' daq. variables, true'
 change -&gt; config ' detection_filter'  ==&gt; ' alerts. detection_filter_memcap'
 change -&gt; config ' enable_deep_teredo_inspection'  ==&gt; ' udp. deep_teredo_inspection'
 change -&gt; config ' event_filter'  ==&gt; ' alerts. event_filter_memcap'
@@ -34436,7 +34811,10 @@ change -&gt; config ' pkt_count'  ==&gt; ' packets. limit'
 change -&gt; config ' rate_filter'  ==&gt; ' alerts. rate_filter_memcap'
 change -&gt; config ' react'  ==&gt; ' react. page'
 change -&gt; config ' threshold'  ==&gt; ' alerts. event_filter_memcap'
-change -&gt; csv: 'dgmlen' ==&gt; 'dgm_len'
+change -&gt; converter: 'gen_id' ==&gt; 'gid'
+change -&gt; converter: 'sid_id' ==&gt; 'sid'
+change -&gt; csv: 'csv' ==&gt; 'fields'
+change -&gt; csv: 'dgmlen' ==&gt; 'pkt_len'
 change -&gt; csv: 'dst' ==&gt; 'dst_addr'
 change -&gt; csv: 'dstport' ==&gt; 'dst_port'
 change -&gt; csv: 'ethdst' ==&gt; 'eth_dst'
@@ -34447,6 +34825,7 @@ change -&gt; csv: 'icmpcode' ==&gt; 'icmp_code'
 change -&gt; csv: 'icmpid' ==&gt; 'icmp_id'
 change -&gt; csv: 'icmpseq' ==&gt; 'icmp_seq'
 change -&gt; csv: 'icmptype' ==&gt; 'icmp_type'
+change -&gt; csv: 'id' ==&gt; 'ip_id'
 change -&gt; csv: 'iplen' ==&gt; 'ip_len'
 change -&gt; csv: 'sig_generator' ==&gt; 'gid'
 change -&gt; csv: 'sig_id' ==&gt; 'sid'
@@ -34459,35 +34838,43 @@ change -&gt; csv: 'tcplen' ==&gt; 'tcp_len'
 change -&gt; csv: 'tcpseq' ==&gt; 'tcp_seq'
 change -&gt; csv: 'tcpwindow' ==&gt; 'tcp_win'
 change -&gt; csv: 'udplength' ==&gt; 'udp_len'
-change -&gt; detection: 'ac' ==&gt; 'ac_full_q'
+change -&gt; detection: 'ac' ==&gt; 'ac_full'
 change -&gt; detection: 'ac-banded' ==&gt; 'ac_banded'
-change -&gt; detection: 'ac-bnfa' ==&gt; 'ac_bnfa_q'
+change -&gt; detection: 'ac-bnfa' ==&gt; 'ac_bnfa'
 change -&gt; detection: 'ac-bnfa-nq' ==&gt; 'ac_bnfa'
-change -&gt; detection: 'ac-bnfa-q' ==&gt; 'ac_bnfa_q'
+change -&gt; detection: 'ac-bnfa-q' ==&gt; 'ac_bnfa'
 change -&gt; detection: 'ac-nq' ==&gt; 'ac_full'
-change -&gt; detection: 'ac-q' ==&gt; 'ac_full_q'
+change -&gt; detection: 'ac-q' ==&gt; 'ac_full'
 change -&gt; detection: 'ac-sparsebands' ==&gt; 'ac_sparse_bands'
-change -&gt; detection: 'ac-split' ==&gt; 'ac_full_q'
+change -&gt; detection: 'ac-split' ==&gt; 'ac_full'
 change -&gt; detection: 'ac-split' ==&gt; 'split_any_any'
 change -&gt; detection: 'ac-std' ==&gt; 'ac_std'
 change -&gt; detection: 'acs' ==&gt; 'ac_sparse'
 change -&gt; detection: 'bleedover-port-limit' ==&gt; 'bleedover_port_limit'
-change -&gt; detection: 'intel-cpm' ==&gt; 'intel_cpm'
-change -&gt; detection: 'lowmem' ==&gt; 'lowmem_q'
+change -&gt; detection: 'debug-print-fast-pattern' ==&gt; 'show_fast_patterns'
+change -&gt; detection: 'intel-cpm' ==&gt; 'hyperscan'
 change -&gt; detection: 'lowmem-nq' ==&gt; 'lowmem'
-change -&gt; detection: 'lowmem-q' ==&gt; 'lowmem_q'
+change -&gt; detection: 'lowmem-q' ==&gt; 'lowmem'
 change -&gt; detection: 'max-pattern-len' ==&gt; 'max_pattern_len'
+change -&gt; detection: 'no_stream_inserts' ==&gt; 'detect_raw_tcp'
 change -&gt; detection: 'search-method' ==&gt; 'search_method'
 change -&gt; detection: 'search-optimize' ==&gt; 'search_optimize'
+change -&gt; detection: 'split-any-any' ==&gt; 'split_any_any = true by default'
 change -&gt; detection: 'split-any-any' ==&gt; 'split_any_any'
+change -&gt; dnp3: 'ports' ==&gt; 'bindings'
 change -&gt; dns: 'ports' ==&gt; 'bindings'
 change -&gt; event_filter: 'gen_id' ==&gt; 'gid'
 change -&gt; event_filter: 'sig_id' ==&gt; 'sid'
 change -&gt; event_filter: 'threshold' ==&gt; 'event_filter'
 change -&gt; file: 'config file: file_block_timeout' ==&gt; 'block_timeout'
+change -&gt; file: 'config file: file_capture_block_size' ==&gt; 'capture_block_size'
+change -&gt; file: 'config file: file_capture_max' ==&gt; 'capture_max_size'
+change -&gt; file: 'config file: file_capture_memcap' ==&gt; 'capture_memcap'
+change -&gt; file: 'config file: file_capture_min' ==&gt; 'capture_min_size'
 change -&gt; file: 'config file: file_type_depth' ==&gt; 'type_depth'
 change -&gt; file: 'config file: signature' ==&gt; 'enable_signature'
 change -&gt; file: 'config file: type_id' ==&gt; 'enable_type'
+change -&gt; file: 'ver' ==&gt; 'version'
 change -&gt; frag3_engine: 'min_fragment_length' ==&gt; 'min_frag_length'
 change -&gt; frag3_engine: 'overlap_limit' ==&gt; 'max_overlaps'
 change -&gt; frag3_engine: 'policy bsd-right' ==&gt; 'policy = bsd_right'
@@ -34495,59 +34882,60 @@ change -&gt; frag3_engine: 'timeout' ==&gt; 'session_timeout'
 change -&gt; ftp_telnet_protocol: 'alt_max_param_len' ==&gt; 'cmd_validity'
 change -&gt; ftp_telnet_protocol: 'data_chan' ==&gt; 'ignore_data_chan'
 change -&gt; ftp_telnet_protocol: 'ports' ==&gt; 'bindings'
-change -&gt; gtp: 'ports' ==&gt; 'gtp_ports'
-change -&gt; http_inspect: 'http_inspect' ==&gt; 'http_global'
-change -&gt; http_inspect_server: 'apache_whitespace' ==&gt; 'profile.apache_whitespace'
-change -&gt; http_inspect_server: 'ascii' ==&gt; 'profile.ascii'
-change -&gt; http_inspect_server: 'bare_byte' ==&gt; 'profile.bare_byte'
-change -&gt; http_inspect_server: 'chunk_length' ==&gt; 'profile.chunk_length'
-change -&gt; http_inspect_server: 'client_flow_depth' ==&gt; 'profile.client_flow_depth'
-change -&gt; http_inspect_server: 'directory' ==&gt; 'profile.directory'
-change -&gt; http_inspect_server: 'double_decode' ==&gt; 'profile.double_decode'
-change -&gt; http_inspect_server: 'enable_cookie' ==&gt; 'enable_cookies'
-change -&gt; http_inspect_server: 'flow_depth' ==&gt; 'server_flow_depth'
+change -&gt; gtp: 'ports' ==&gt; 'bindings'
+change -&gt; http_inspect_server: 'bare_byte' ==&gt; 'utf8_bare_byte'
+change -&gt; http_inspect_server: 'client_flow_depth' ==&gt; 'request_depth'
+change -&gt; http_inspect_server: 'double_decode' ==&gt; 'iis_double_decode'
 change -&gt; http_inspect_server: 'http_inspect_server' ==&gt; 'http_inspect'
-change -&gt; http_inspect_server: 'iis_backslash' ==&gt; 'profile.iis_backslash'
-change -&gt; http_inspect_server: 'iis_delimiter' ==&gt; 'profile.iis_delimiter'
-change -&gt; http_inspect_server: 'iis_unicode' ==&gt; 'profile.iis_unicode'
-change -&gt; http_inspect_server: 'max_header_length' ==&gt; 'profile.max_header_length'
-change -&gt; http_inspect_server: 'max_headers' ==&gt; 'profile.max_headers'
-change -&gt; http_inspect_server: 'max_spaces' ==&gt; 'profile.max_spaces'
-change -&gt; http_inspect_server: 'multi_slash' ==&gt; 'profile.multi_slash'
-change -&gt; http_inspect_server: 'non_rfc_char' ==&gt; 'non_rfc_chars'
-change -&gt; http_inspect_server: 'non_strict' ==&gt; 'profile.non_strict'
-change -&gt; http_inspect_server: 'normalize_utf' ==&gt; 'profile.normalize_utf'
+change -&gt; http_inspect_server: 'iis_backslash' ==&gt; 'backslash_to_slash'
+change -&gt; http_inspect_server: 'inspect_gzip' ==&gt; 'unzip'
+change -&gt; http_inspect_server: 'non_rfc_char' ==&gt; 'bad_characters'
 change -&gt; http_inspect_server: 'ports' ==&gt; 'bindings'
-change -&gt; http_inspect_server: 'u_encode' ==&gt; 'profile.u_encode'
-change -&gt; http_inspect_server: 'utf_8' ==&gt; 'profile.utf_8'
-change -&gt; http_inspect_server: 'webroot' ==&gt; 'profile.webroot'
-change -&gt; http_inspect_server: 'whitespace_chars' ==&gt; 'profile.whitespace_chars'
+change -&gt; http_inspect_server: 'u_encode' ==&gt; 'percent_u'
+change -&gt; http_inspect_server: 'utf_8' ==&gt; 'utf8'
 change -&gt; imap: 'ports' ==&gt; 'bindings'
-change -&gt; paf_max: 'paf_max [0:63780]' ==&gt; 'max_pdu [1460:63780]'
-change -&gt; perfmonitor: 'accumulate' ==&gt; 'reset = false'
-change -&gt; perfmonitor: 'flow-file' ==&gt; 'flow_file = true'
+change -&gt; modbus: 'ports' ==&gt; 'bindings'
+change -&gt; na_policy_mode: 'na_policy_mode' ==&gt; 'mode'
+change -&gt; nap_selector: 'nap rules' ==&gt; 'bindings'
+change -&gt; paf_max: 'paf_max [0:63780]' ==&gt; 'max_pdu [1460:32768]'
+change -&gt; perfmonitor: 'console' ==&gt; 'format = 'text''
+change -&gt; perfmonitor: 'console' ==&gt; 'output = 'console''
+change -&gt; perfmonitor: 'file' ==&gt; 'format = 'csv''
+change -&gt; perfmonitor: 'file' ==&gt; 'output = 'file''
+change -&gt; perfmonitor: 'flow-file' ==&gt; 'format = 'csv''
+change -&gt; perfmonitor: 'flow-file' ==&gt; 'output = 'file''
 change -&gt; perfmonitor: 'flow-ip' ==&gt; 'flow_ip'
-change -&gt; perfmonitor: 'flow-ip-file' ==&gt; 'flow_ip_file = true'
+change -&gt; perfmonitor: 'flow-ip-file' ==&gt; 'format = 'csv''
+change -&gt; perfmonitor: 'flow-ip-file' ==&gt; 'output = 'file''
 change -&gt; perfmonitor: 'flow-ip-memcap' ==&gt; 'flow_ip_memcap'
 change -&gt; perfmonitor: 'flow-ports' ==&gt; 'flow_ports'
 change -&gt; perfmonitor: 'pktcnt' ==&gt; 'packets'
-change -&gt; perfmonitor: 'snortfile' ==&gt; 'file = true'
+change -&gt; perfmonitor: 'snortfile' ==&gt; 'format = 'csv''
+change -&gt; perfmonitor: 'snortfile' ==&gt; 'output = 'file''
 change -&gt; perfmonitor: 'time' ==&gt; 'seconds'
 change -&gt; policy_mode: 'inline_test' ==&gt; 'inline-test'
 change -&gt; pop: 'ports' ==&gt; 'bindings'
-change -&gt; ppm: 'max-pkt-time' ==&gt; 'max_pkt_time'
-change -&gt; ppm: 'max-rule-time' ==&gt; 'max_rule_time'
-change -&gt; ppm: 'pkt-log' ==&gt; 'pkt_log'
-change -&gt; ppm: 'rule-log' ==&gt; 'rule_log'
-change -&gt; ppm: 'suspend-timeout' ==&gt; 'suspend_timeout'
+change -&gt; ppm: ''both'' ==&gt; ''alert_and_log''
+change -&gt; ppm: 'fastpath-expensive-packets' ==&gt; 'packet.fastpath'
+change -&gt; ppm: 'max-pkt-time' ==&gt; 'packet.max_time'
+change -&gt; ppm: 'max-rule-time' ==&gt; 'rule.max_time'
+change -&gt; ppm: 'pkt-log' ==&gt; 'packet.action'
+change -&gt; ppm: 'ppm' ==&gt; 'latency'
+change -&gt; ppm: 'rule-log' ==&gt; 'rule.action'
+change -&gt; ppm: 'suspend-expensive-rules' ==&gt; 'rule.suspend'
+change -&gt; ppm: 'suspend-timeout' ==&gt; 'max_suspend_time'
+change -&gt; ppm: 'threshold' ==&gt; 'rule.suspend_threshold'
 change -&gt; preprocessor 'normalize_ icmp4' ==&gt; 'normalize. icmp4'
 change -&gt; preprocessor 'normalize_ icmp6' ==&gt; 'normalize. icmp6'
 change -&gt; preprocessor 'normalize_ ip6' ==&gt; 'normalize. ip6'
 change -&gt; profile: 'print' ==&gt; 'count'
+change -&gt; profile: 'sort avg_ticks' ==&gt; 'sort = avg_check'
+change -&gt; profile: 'sort total_ticks' ==&gt; 'sort = total_time'
 change -&gt; rate_filter: 'gen_id' ==&gt; 'gid'
 change -&gt; rate_filter: 'sig_id' ==&gt; 'sid'
-change -&gt; rule_state: 'disabled' ==&gt; 'enable'
-change -&gt; rule_state: 'enabled' ==&gt; 'enable'
+change -&gt; reputation: 'shared_mem' ==&gt; 'list_dir'
+change -&gt; rule_state: 'enabled/disabled' ==&gt; 'enable'
+change -&gt; rule_state: 'sdrop' ==&gt; 'drop'
 change -&gt; sfportscan: 'proto' ==&gt; 'protos'
 change -&gt; sfportscan: 'scan_type' ==&gt; 'scan_types'
 change -&gt; sip: 'ports' ==&gt; 'bindings'
@@ -34572,7 +34960,6 @@ change -&gt; stream5_tcp: 'max_queued_bytes' ==&gt; 'queue_limit.max_bytes'
 change -&gt; stream5_tcp: 'max_queued_segs' ==&gt; 'queue_limit.max_segments'
 change -&gt; stream5_tcp: 'policy hpux' ==&gt; 'stream_tcp.policy = hpux11'
 change -&gt; stream5_tcp: 'timeout' ==&gt; 'session_timeout'
-change -&gt; stream5_tcp: 'use_static_footprint_sizes' ==&gt; 'footprint'
 change -&gt; stream5_udp: 'timeout' ==&gt; 'session_timeout'
 change -&gt; suppress: 'gen_id' ==&gt; 'gid'
 change -&gt; suppress: 'sig_id' ==&gt; 'sid'
@@ -34612,9 +34999,12 @@ deleted -&gt; attribute_table: '&lt;FRAG_POLICY&gt;unknown&lt;/FRAG_POLICY&gt;'
 deleted -&gt; attribute_table: '&lt;STREAM_POLICY&gt;noack&lt;/STREAM_POLICY&gt;'
 deleted -&gt; attribute_table: '&lt;STREAM_POLICY&gt;unknown&lt;/STREAM_POLICY&gt;'
 deleted -&gt; config ' cs_dir'
+deleted -&gt; config ' daq_mode'
+deleted -&gt; config ' decode_data_link'
 deleted -&gt; config ' disable_attribute_reload_thread'
 deleted -&gt; config ' disable_decode_alerts'
 deleted -&gt; config ' disable_decode_drops'
+deleted -&gt; config ' disable_inline_init_failopen'
 deleted -&gt; config ' disable_ipopt_alerts'
 deleted -&gt; config ' disable_ipopt_drops'
 deleted -&gt; config ' disable_tcpopt_alerts'
@@ -34644,45 +35034,84 @@ deleted -&gt; config ' flowbits_size'
 deleted -&gt; config ' include_vlan_in_alerts'
 deleted -&gt; config ' interface'
 deleted -&gt; config ' layer2resets'
-deleted -&gt; config ' policy_version'
+deleted -&gt; config ' log_ipv6_extra_data'
+deleted -&gt; config ' nolog'
+deleted -&gt; config ' protected_content'
+deleted -&gt; config ' sidechannel'
 deleted -&gt; config ' so_rule_memcap'
+deleted -&gt; config 'dynamicoutput'
+deleted -&gt; config 'sfalert_unified2'
+deleted -&gt; config 'sflog_unified2'
+deleted -&gt; config 'sidechannel'
 deleted -&gt; csv: '&lt;filename&gt; can no longer be specific'
 deleted -&gt; csv: 'default'
 deleted -&gt; csv: 'trheader'
 deleted -&gt; detection: 'mwm'
+deleted -&gt; dnp3: 'disabled'
+deleted -&gt; dnp3: 'memcap'
 deleted -&gt; dns: 'enable_experimental_types'
 deleted -&gt; dns: 'enable_obsolete_types'
 deleted -&gt; dns: 'enable_rdata_overflow'
+deleted -&gt; event_trace: 'file'
 deleted -&gt; fast: '&lt;filename&gt; can no longer be specific'
 deleted -&gt; frag3_engine: 'detect_anomalies'
 deleted -&gt; frag3_global: 'disabled'
 deleted -&gt; ftp_telnet_protocol: 'detect_anomalies'
 deleted -&gt; full: '&lt;filename&gt; can no longer be specific'
+deleted -&gt; http_inspect: 'detect_anomalous_servers'
 deleted -&gt; http_inspect: 'disabled'
+deleted -&gt; http_inspect: 'proxy_alert'
+deleted -&gt; http_inspect_server: 'allow_proxy_use'
+deleted -&gt; http_inspect_server: 'enable_cookie'
+deleted -&gt; http_inspect_server: 'enable_xff'
+deleted -&gt; http_inspect_server: 'extended_ascii_uri'
+deleted -&gt; http_inspect_server: 'extended_response_inspection'
+deleted -&gt; http_inspect_server: 'iis_unicode_map not allowed in sever'
+deleted -&gt; http_inspect_server: 'inspect_uri_only'
+deleted -&gt; http_inspect_server: 'log_hostname'
+deleted -&gt; http_inspect_server: 'log_uri'
 deleted -&gt; http_inspect_server: 'no_alerts'
+deleted -&gt; http_inspect_server: 'no_pipeline_req'
+deleted -&gt; http_inspect_server: 'non_strict'
+deleted -&gt; http_inspect_server: 'normalize_cookies'
+deleted -&gt; http_inspect_server: 'normalize_headers'
+deleted -&gt; http_inspect_server: 'small_chunk_length'
+deleted -&gt; http_inspect_server: 'tab_uri_delimiter'
+deleted -&gt; http_inspect_server: 'unlimited_decompress'
 deleted -&gt; imap: 'disabled'
 deleted -&gt; imap: 'max_mime_mem'
 deleted -&gt; imap: 'memcap'
+deleted -&gt; nap_selector: 'fw_required'
+deleted -&gt; nap_selector: 'nap_stats_time'
+deleted -&gt; perfmonitor: 'accumulate'
 deleted -&gt; perfmonitor: 'atexitonly'
 deleted -&gt; perfmonitor: 'atexitonly: base-stats'
 deleted -&gt; perfmonitor: 'atexitonly: events-stats'
 deleted -&gt; perfmonitor: 'atexitonly: flow-ip-stats'
 deleted -&gt; perfmonitor: 'atexitonly: flow-stats'
+deleted -&gt; perfmonitor: 'atexitonly: reset'
+deleted -&gt; perfmonitor: 'events'
+deleted -&gt; perfmonitor: 'max'
 deleted -&gt; pop: 'disabled'
 deleted -&gt; pop: 'max_mime_mem'
 deleted -&gt; pop: 'memcap'
 deleted -&gt; ppm: 'debug-pkts'
 deleted -&gt; react: 'block'
 deleted -&gt; react: 'warn'
+deleted -&gt; reputation: 'shared_max_instances'
+deleted -&gt; reputation: 'shared_refresh'
 deleted -&gt; rpc_decode: 'alert_fragments'
 deleted -&gt; rpc_decode: 'no_alert_incomplete'
 deleted -&gt; rpc_decode: 'no_alert_large_fragments'
 deleted -&gt; rpc_decode: 'no_alert_multiple_requests'
-deleted -&gt; rule_state: 'action'
 deleted -&gt; sfportscan: 'detect_ack_scans'
 deleted -&gt; sfportscan: 'disabled'
 deleted -&gt; sfportscan: 'logfile'
+deleted -&gt; sfportscan: 'sense_level'
+deleted -&gt; sfunified2: 'mpls_event_types'
+deleted -&gt; sfunified2: 'vlan_event_types'
 deleted -&gt; sip: 'disabled'
+deleted -&gt; sip: 'max_sessions'
 deleted -&gt; smtp: 'alert_unknown_cmds'
 deleted -&gt; smtp: 'disabled'
 deleted -&gt; smtp: 'enable_mime_decoding'
@@ -34703,16 +35132,22 @@ deleted -&gt; ssh: 'enable_ssh1crc32'
 deleted -&gt; ssl: 'noinspect_encrypted'
 deleted -&gt; stream5_global: 'disabled'
 deleted -&gt; stream5_global: 'flush_on_alert'
+deleted -&gt; stream5_global: 'memcap'
 deleted -&gt; stream5_global: 'no_midstream_drop_alerts'
 deleted -&gt; stream5_tcp: 'check_session_hijacking'
 deleted -&gt; stream5_tcp: 'detect_anomalies'
 deleted -&gt; stream5_tcp: 'dont_store_large_packets'
+deleted -&gt; stream5_tcp: 'ignore_any_rules'
+deleted -&gt; stream5_tcp: 'log_asymmetric_traffic'
 deleted -&gt; stream5_tcp: 'policy noack'
 deleted -&gt; stream5_tcp: 'policy unknown'
+deleted -&gt; stream5_udp: 'ignore_any_rules'
 deleted -&gt; tcpdump: '&lt;filename&gt; can no longer be specific'
 deleted -&gt; test: 'file'
 deleted -&gt; test: 'stdout'
-deleted -&gt; unified2: 'filename'</code></pre>
+deleted -&gt; unified2: 'filename'
+deleted -&gt; unified2: 'mpls_event_types'
+deleted -&gt; unified2: 'vlan_event_types'</code></pre>
 </div></div>
 </div>
 <div class="sect2">
@@ -34765,6 +35200,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>alert_talos</strong> (logger): output event in Talos alert format
+</p>
+</li>
+<li>
+<p>
 <strong>alert_unixsock</strong> (logger): output event over unix socket
 </p>
 </li>
@@ -35360,6 +35800,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>mem_test</strong> (inspector): for testing memory management
+</p>
+</li>
+<li>
+<p>
 <strong>memory</strong> (basic): memory management configuration
 </p>
 </li>
@@ -35570,7 +36015,7 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
-<strong>rule_state</strong> (basic): enable/disable specific IPS rules
+<strong>rule_state</strong> (basic): enable/disable and set actions for specific IPS rules
 </p>
 </li>
 <li>
@@ -36175,6 +36620,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>inspector::mem_test</strong>: for testing memory management
+</p>
+</li>
+<li>
+<p>
 <strong>inspector::modbus</strong>: modbus inspection
 </p>
 </li>
@@ -36845,6 +37295,11 @@ deleted -&gt; unified2: 'filename'</code></pre>
 </li>
 <li>
 <p>
+<strong>logger::alert_talos</strong>: output event in Talos alert format
+</p>
+</li>
+<li>
+<p>
 <strong>logger::alert_unixsock</strong>: output event over unix socket
 </p>
 </li>
@@ -37546,13 +38001,225 @@ Note that on OpenBSD, divert sockets don&#8217;t work with bridges!
 </ol></div>
 </div>
 </div>
+<div class="sect2">
+<h3 id="_limitations">Limitations</h3>
+<div class="sect3">
+<h4 id="_reload_limitations">Reload limitations</h4>
+<div class="paragraph"><p>The following parameters can&#8217;t be changed during reload, and require a restart:</p></div>
+<div class="ulist"><ul>
+<li>
+<p>
+active.attempts
+</p>
+</li>
+<li>
+<p>
+active.device
+</p>
+</li>
+<li>
+<p>
+alerts.detection_filter_memcap
+</p>
+</li>
+<li>
+<p>
+alerts.event_filter_memcap
+</p>
+</li>
+<li>
+<p>
+alerts.rate_filter_memcap
+</p>
+</li>
+<li>
+<p>
+attribute_table.max_hosts
+</p>
+</li>
+<li>
+<p>
+attribute_table.max_services_per_host
+</p>
+</li>
+<li>
+<p>
+daq.snaplen
+</p>
+</li>
+<li>
+<p>
+daq.no_promisc
+</p>
+</li>
+<li>
+<p>
+detection.asn1
+</p>
+</li>
+<li>
+<p>
+file_id.max_files_cached
+</p>
+</li>
+<li>
+<p>
+port_scan.memcap
+</p>
+</li>
+<li>
+<p>
+process.chroot
+</p>
+</li>
+<li>
+<p>
+process.daemon
+</p>
+</li>
+<li>
+<p>
+process.set_gid
+</p>
+</li>
+<li>
+<p>
+process.set_uid
+</p>
+</li>
+<li>
+<p>
+stream.footprint
+</p>
+</li>
+<li>
+<p>
+stream.ip_cache.max_sessions
+</p>
+</li>
+<li>
+<p>
+stream.ip_cache.pruning_timeout
+</p>
+</li>
+<li>
+<p>
+stream.ip_cache.idle_timeout
+</p>
+</li>
+<li>
+<p>
+stream.icmp_cache.max_sessions
+</p>
+</li>
+<li>
+<p>
+stream.icmp_cache.pruning_timeout
+</p>
+</li>
+<li>
+<p>
+stream.icmp_cache.idle_timeout
+</p>
+</li>
+<li>
+<p>
+stream.tcp_cache.max_sessions
+</p>
+</li>
+<li>
+<p>
+stream.tcp_cache.pruning_timeout
+</p>
+</li>
+<li>
+<p>
+stream.tcp_cache.idle_timeout
+</p>
+</li>
+<li>
+<p>
+stream.udp_cache.max_sessions
+</p>
+</li>
+<li>
+<p>
+stream.udp_cache.pruning_timeout
+</p>
+</li>
+<li>
+<p>
+stream.udp_cache.idle_timeout
+</p>
+</li>
+<li>
+<p>
+stream.user_cache.max_sessions
+</p>
+</li>
+<li>
+<p>
+stream.user_cache.pruning_timeout
+</p>
+</li>
+<li>
+<p>
+stream.user_cache.idle_timeout
+</p>
+</li>
+<li>
+<p>
+stream.file_cache.max_sessions
+</p>
+</li>
+<li>
+<p>
+stream.file_cache.pruning_timeout
+</p>
+</li>
+<li>
+<p>
+stream.file_cache.idle_timeout
+</p>
+</li>
+</ul></div>
+<div class="paragraph"><p>In addition, the following scenarios require a restart:</p></div>
+<div class="ulist"><ul>
+<li>
+<p>
+Enabling file capture for the first time
+</p>
+</li>
+<li>
+<p>
+Changing file_id.capture_memcap if file capture was previously or currently
+ enabled
+</p>
+</li>
+<li>
+<p>
+Changing file_id.capture_block_size if file capture was previously or
+ currently enabled
+</p>
+</li>
+<li>
+<p>
+Adding/removing stream_* inspectors if stream was already configured
+</p>
+</li>
+</ul></div>
+<div class="paragraph"><p>In all of these cases reload will fail with the following message: "reload
+ failed - restart required". The original config will remain in use.</p></div>
+</div>
+</div>
 </div>
 </div>
 </div>
 <div id="footnotes"><hr /></div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2018-12-06 14:30:46 EST
+Last updated
+ 2019-03-31 01:50:27 EDT
 </div>
 </div>
 </body>
diff --git a/doc/snort_manual.pdf b/doc/snort_manual.pdf
index e92e73454..7b4cb160a 100644
Binary files a/doc/snort_manual.pdf and b/doc/snort_manual.pdf differ
diff --git a/doc/snort_manual.text b/doc/snort_manual.text
index 91781e323..74017de65 100644
--- a/doc/snort_manual.text
+++ b/doc/snort_manual.text
@@ -165,28 +165,29 @@ Table of Contents
     9.21. http2_inspect
     9.22. http_inspect
     9.23. imap
-    9.24. modbus
-    9.25. normalizer
-    9.26. packet_capture
-    9.27. perf_monitor
-    9.28. pop
-    9.29. port_scan
-    9.30. reg_test
-    9.31. reputation
-    9.32. rpc_decode
-    9.33. sip
-    9.34. smtp
-    9.35. ssh
-    9.36. ssl
-    9.37. stream
-    9.38. stream_file
-    9.39. stream_icmp
-    9.40. stream_ip
-    9.41. stream_tcp
-    9.42. stream_udp
-    9.43. stream_user
-    9.44. telnet
-    9.45. wizard
+    9.24. mem_test
+    9.25. modbus
+    9.26. normalizer
+    9.27. packet_capture
+    9.28. perf_monitor
+    9.29. pop
+    9.30. port_scan
+    9.31. reg_test
+    9.32. reputation
+    9.33. rpc_decode
+    9.34. sip
+    9.35. smtp
+    9.36. ssh
+    9.37. ssl
+    9.38. stream
+    9.39. stream_file
+    9.40. stream_icmp
+    9.41. stream_ip
+    9.42. stream_tcp
+    9.43. stream_udp
+    9.44. stream_user
+    9.45. telnet
+    9.46. wizard
 
 10. IPS Action Modules
 
@@ -309,11 +310,12 @@ Table of Contents
     14.5. alert_json
     14.6. alert_sfsocket
     14.7. alert_syslog
-    14.8. alert_unixsock
-    14.9. log_codecs
-    14.10. log_hext
-    14.11. log_pcap
-    14.12. unified2
+    14.8. alert_talos
+    14.9. alert_unixsock
+    14.10. log_codecs
+    14.11. log_hext
+    14.12. log_pcap
+    14.13. unified2
 
 15. DAQ Configuration and Modules
 
@@ -380,14 +382,15 @@ Table of Contents
     20.11. Module Listing
     20.12. Plugin Listing
     20.13. LibDAQ and DAQ Modules
+    20.14. Limitations
 
 Snorty
 
  ,,_     -*> Snort++ <*-
-o"  )~   Version 3.0.0 (Build 250) from 2.9.11
+o"  )~   Version 3.0.0 (Build 251) from 2.9.11
  ''''    By Martin Roesch & The Snort Team
          http://snort.org/contact#team
-         Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
+         Copyright (C) 2014-2019 Cisco and/or its affiliates. All rights reserved.
          Copyright (C) 1998-2013 Sourcefire, Inc., et al.
 
 
@@ -1258,8 +1261,8 @@ Optional:
     UTF16-LE filenames to UTF8 (usually included in glibc)
   * lzma >= 5.1.2 from http://tukaani.org/xz/ for decompression of
     SWF and PDF files
-  * safec from https://sourceforge.net/projects/safeclib/ for runtime
-    bounds checks on certain legacy C-library calls
+  * safec from https://github.com/rurban/safeclib/ for runtime bounds
+    checks on certain legacy C-library calls
   * source-highlight from http://www.gnu.org/software/src-highlite/
     to generate the dev guide
   * w3m from http://sourceforge.net/projects/w3m/ to build the plain
@@ -5419,8 +5422,6 @@ Configuration:
 
   * bool alerts.alert_with_interface_name = false: include interface
     in alert info (fast, full, or syslog only)
-  * bool alerts.default_rule_state = true: enable or disable ips
-    rules
   * int alerts.detection_filter_memcap = 1048576: set available MB of
     memory for detection_filters { 0:max32 }
   * int alerts.event_filter_memcap = 1048576: set available MB of
@@ -5563,6 +5564,10 @@ Usage: global
 Configuration:
 
   * int detection.asn1 = 0: maximum decode nodes { 0:65535 }
+  * bool detection.global_default_rule_state = true: enable or
+    disable rules by default (overridden by ips policy settings)
+  * bool detection.global_rule_state = false: apply rule_state
+    against all policies
   * int detection.offload_limit = 99999: minimum sizeof PDU to
     offload fast pattern search (defaults to disabled) { 0:max32 }
   * int detection.offload_threads = 0: maximum number of simultaneous
@@ -5608,6 +5613,8 @@ Peg counts:
   * detection.event_limit: events filtered (sum)
   * detection.alert_limit: events previously triggered on same PDU
     (sum)
+  * detection.context_stalls: times processing stalled to wait for an
+    available context (sum)
 
 
 6.8. event_filter
@@ -5797,6 +5804,8 @@ Usage: detect
 
 Configuration:
 
+  * enum ips.default_rule_state = inherit: enable or disable ips
+    rules { false | true | inherit }
   * bool ips.enable_builtin_rules = false: enable events from builtin
     rules w/o stubs
   * int ips.id = 0: correlate unified2 events with configuration {
@@ -5804,6 +5813,8 @@ Configuration:
   * string ips.include: legacy snort rules and includes
   * enum ips.mode: set policy mode { tap | inline | inline-test }
   * string ips.rules: snort rules and includes
+  * bool ips.obfuscate_pii = false: mask all but the last 4
+    characters of credit card and social security numbers
   * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
     policy uuid
 
@@ -5869,11 +5880,20 @@ Configuration:
 
   * int memory.cap = 0: set the per-packet-thread cap on memory
     (bytes, 0 to disable) { 0:maxSZ }
-  * bool memory.soft = false: always succeed in allocating memory,
-    even if above the cap
   * int memory.threshold = 0: set the per-packet-thread threshold for
     preemptive cleanup actions (percent, 0 to disable) { 0:100 }
 
+Peg counts:
+
+  * memory.allocations: total number of allocations (now)
+  * memory.deallocations: total number of deallocations (now)
+  * memory.allocated: total amount of memory allocated (now)
+  * memory.deallocated: total amount of memory allocated (now)
+  * memory.reap_attempts: attempts to reclaim memory (now)
+  * memory.reap_failures: failures to reclaim memory (now)
+  * memory.max_in_use: highest allocated - deallocated (max)
+  * memory.total_fudge: sum of all adjustments (now)
+
 
 6.18. network
 
@@ -5933,15 +5953,13 @@ Configuration:
   * bool output.quiet = false: suppress non-fatal information (still
     show alerts, same as -q)
   * string output.logdir = .: where to put log files (same as -l)
-  * bool output.obfuscate = false: obfuscate the logged IP addresses
-    (same as -O)
-  * bool output.obfuscate_pii = false: mask all but the last 4
-    characters of credit card and social security numbers
   * bool output.show_year = false: include year in timestamp in the
     alert and log files (same as -y)
   * int output.tagged_packet_limit = 256: maximum number of packets
     tagged for non-packet metrics { 0:max32 }
   * bool output.verbose = false: be verbose (same as -v)
+  * bool output.obfuscate = false: obfuscate the logged IP addresses
+    (same as -O)
   * bool output.wide_hex_dump = false: output 20 bytes per lines
     instead of 16 when dumping buffers
 
@@ -6101,7 +6119,7 @@ Configuration:
 
 --------------
 
-What: enable/disable specific IPS rules
+What: enable/disable and set actions for specific IPS rules
 
 Type: basic
 
@@ -6109,10 +6127,12 @@ Usage: detect
 
 Configuration:
 
-  * int rule_state[].gid = 0: rule generator ID { 0:max32 }
-  * int rule_state[].sid = 0: rule signature ID { 0:max32 }
-  * bool rule_state[].enable = true: enable or disable rule in all
-    policies
+  * enum rule_state.([0-9]+):([0-9]+).action = inherit: apply action
+    if rule matches or inherit from rule definition { log | pass |
+    alert | drop | block | reset | inherit }
+  * enum rule_state.([0-9]+):([0-9]+).enable = inherit: enable or
+    disable rule in current ips policy or use default defined by ips
+    policy { false | true | inherit }
 
 
 6.27. search_engine
@@ -6152,6 +6172,10 @@ Configuration:
     algorithm - choose available search engine { ac_banded | ac_bnfa
     | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan |
     lowmem }
+  * dynamic search_engine.offload_search_method: set fast pattern
+    offload algorithm - choose available search engine { ac_banded |
+    ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std |
+    hyperscan | lowmem }
   * bool search_engine.search_optimize = true: tweak state machine
     construction for better performance
   * bool search_engine.show_fast_patterns = false: print fast pattern
@@ -7145,10 +7169,11 @@ Usage: context
 
 Configuration:
 
-  * int appid.memcap = 0: disregard - not implemented { 0:maxSZ }
+  * int appid.memcap = 1048576: max size of the service cache before
+    we start pruning the cache { 1024:maxSZ }
   * bool appid.log_stats = false: enable logging of appid statistics
   * int appid.app_stats_period = 300: time period for collecting and
-    logging appid statistics { 0:max32 }
+    logging appid statistics { 1:max32 }
   * int appid.app_stats_rollover_size = 20971520: max file size for
     appid stats before rolling over the log file { 0:max32 }
   * int appid.app_stats_rollover_time = 86400: max time period for
@@ -7263,8 +7288,9 @@ Configuration:
   * bit_list binder[].when.src_ports: list of source ports { 65535 }
   * bit_list binder[].when.dst_ports: list of destination ports {
     65535 }
-  * int binder[].when.src_zone: source zone { 0:max31 }
-  * int binder[].when.dst_zone: destination zone { 0:max31 }
+  * bit_list binder[].when.zones: zones { 63 }
+  * bit_list binder[].when.src_zone: source zone { 63 }
+  * bit_list binder[].when.dst_zone: destination zone { 63 }
   * enum binder[].when.role = any: use the given configuration on one
     or any end of a session { client | server | any }
   * string binder[].when.service: override default configuration
@@ -7361,6 +7387,8 @@ Usage: inspect
 
 Configuration:
 
+  * bool dce_smb.limit_alerts = true: limit DCE alert to at most one
+    per signature per flow
   * bool dce_smb.disable_defrag = false: disable DCE/RPC
     defragmentation
   * int dce_smb.max_frag_len = 65535: maximum fragment size for
@@ -7531,6 +7559,8 @@ Usage: inspect
 
 Configuration:
 
+  * bool dce_tcp.limit_alerts = true: limit DCE alert to at most one
+    per signature per flow
   * bool dce_tcp.disable_defrag = false: disable DCE/RPC
     defragmentation
   * int dce_tcp.max_frag_len = 65535: maximum fragment size for
@@ -7637,6 +7667,8 @@ Usage: inspect
 
 Configuration:
 
+  * bool dce_udp.limit_alerts = true: limit DCE alert to at most one
+    per signature per flow
   * bool dce_udp.disable_defrag = false: disable DCE/RPC
     defragmentation
   * int dce_udp.max_frag_len = 65535: maximum fragment size for
@@ -8101,6 +8133,8 @@ Configuration:
     response bodies
   * bool http_inspect.decompress_swf = false: decompress swf files in
     response bodies
+  * bool http_inspect.decompress_zip = false: decompress zip files in
+    response bodies
   * bool http_inspect.normalize_javascript = false: normalize
     javascript in response bodies
   * int http_inspect.max_javascript_whitespaces = 200: maximum
@@ -8227,8 +8261,8 @@ Rules:
   * 119:226 (http_inspect) unknown Content-Encoding used
   * 119:227 (http_inspect) multiple Content-Encodings applied
   * 119:228 (http_inspect) server response before client request
-  * 119:229 (http_inspect) PDF/SWF decompression of server response
-    too big
+  * 119:229 (http_inspect) PDF/SWF/ZIP decompression of server
+    response too big
   * 119:230 (http_inspect) nonprinting character in HTTP message
     header name
   * 119:231 (http_inspect) bad Content-Length value in HTTP header
@@ -8310,6 +8344,12 @@ Configuration:
     limit) { -1:65535 }
   * int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
     extraction depth (-1 no limit) { -1:65535 }
+  * bool imap.decompress_pdf = false: decompress pdf files in MIME
+    attachments
+  * bool imap.decompress_swf = false: decompress swf files in MIME
+    attachments
+  * bool imap.decompress_zip = false: decompress zip files in MIME
+    attachments
   * int imap.qp_decode_depth = 1460: quoted Printable decoding depth
     (-1 no limit) { -1:65535 }
   * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
@@ -8322,6 +8362,7 @@ Rules:
   * 141:4 (imap) base64 decoding failed
   * 141:5 (imap) quoted-printable decoding failed
   * 141:7 (imap) Unix-to-Unix decoding failed
+  * 141:8 (imap) file decompression failed
 
 Peg counts:
 
@@ -8342,7 +8383,22 @@ Peg counts:
   * imap.non_encoded_bytes: total non-encoded extracted bytes (sum)
 
 
-9.24. modbus
+9.24. mem_test
+
+--------------
+
+What: for testing memory management
+
+Type: inspector
+
+Usage: inspect
+
+Peg counts:
+
+  * mem_test.packets: total packets (sum)
+
+
+9.25. modbus
 
 --------------
 
@@ -8369,7 +8425,7 @@ Peg counts:
     sessions (max)
 
 
-9.25. normalizer
+9.26. normalizer
 
 --------------
 
@@ -8505,7 +8561,7 @@ Peg counts:
   * normalizer.tcp_block: blocked segments (sum)
 
 
-9.26. packet_capture
+9.27. packet_capture
 
 --------------
 
@@ -8533,7 +8589,7 @@ Peg counts:
     filter (sum)
 
 
-9.27. perf_monitor
+9.28. perf_monitor
 
 --------------
 
@@ -8573,7 +8629,7 @@ Peg counts:
   * perf_monitor.packets: total packets (sum)
 
 
-9.28. pop
+9.29. pop
 
 --------------
 
@@ -8589,6 +8645,12 @@ Configuration:
     limit) { -1:65535 }
   * int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
     extraction depth (-1 no limit) { -1:65535 }
+  * bool pop.decompress_pdf = false: decompress pdf files in MIME
+    attachments
+  * bool pop.decompress_swf = false: decompress swf files in MIME
+    attachments
+  * bool pop.decompress_zip = false: decompress zip files in MIME
+    attachments
   * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth
     (-1 no limit) { -1:65535 }
   * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
@@ -8601,6 +8663,7 @@ Rules:
   * 142:4 (pop) base64 decoding failed
   * 142:5 (pop) quoted-printable decoding failed
   * 142:7 (pop) Unix-to-Unix decoding failed
+  * 142:8 (pop) file decompression failed
 
 Peg counts:
 
@@ -8621,7 +8684,7 @@ Peg counts:
   * pop.non_encoded_bytes: total non-encoded extracted bytes (sum)
 
 
-9.29. port_scan
+9.30. port_scan
 
 --------------
 
@@ -8785,7 +8848,7 @@ Peg counts:
   * port_scan.packets: total packets (sum)
 
 
-9.30. reg_test
+9.31. reg_test
 
 --------------
 
@@ -8808,7 +8871,7 @@ Peg counts:
   * reg_test.retry_packets: total retried packets received (sum)
 
 
-9.31. reputation
+9.32. reputation
 
 --------------
 
@@ -8850,7 +8913,7 @@ Peg counts:
   * reputation.memory_allocated: total memory allocated (sum)
 
 
-9.32. rpc_decode
+9.33. rpc_decode
 
 --------------
 
@@ -8877,7 +8940,7 @@ Peg counts:
     sessions (max)
 
 
-9.33. sip
+9.34. sip
 
 --------------
 
@@ -8976,7 +9039,7 @@ Peg counts:
   * sip.code_9xx: 9xx (sum)
 
 
-9.34. smtp
+9.35. smtp
 
 --------------
 
@@ -9001,6 +9064,12 @@ Configuration:
     non-encoded MIME attachments (-1 no limit) { -1:65535 }
   * string smtp.data_cmds: commands that initiate sending of data
     with an end of data delimiter
+  * bool smtp.decompress_pdf = false: decompress pdf files in MIME
+    attachments
+  * bool smtp.decompress_swf = false: decompress swf files in MIME
+    attachments
+  * bool smtp.decompress_zip = false: decompress zip files in MIME
+    attachments
   * int smtp.email_hdrs_log_depth = 1464: depth for logging email
     headers { 0:20480 }
   * bool smtp.ignore_data = false: ignore data section of mail
@@ -9051,6 +9120,7 @@ Rules:
   * 124:13 (smtp) Unix-to-Unix decoding failed
   * 124:14 (smtp) Cyrus SASL authentication attack
   * 124:15 (smtp) attempted authentication command buffer overflow
+  * 124:16 (smtp) file decompression failed
 
 Peg counts:
 
@@ -9071,7 +9141,7 @@ Peg counts:
   * smtp.non_encoded_bytes: total non-encoded extracted bytes (sum)
 
 
-9.35. ssh
+9.36. ssh
 
 --------------
 
@@ -9108,7 +9178,7 @@ Peg counts:
     (max)
 
 
-9.36. ssl
+9.37. ssl
 
 --------------
 
@@ -9157,7 +9227,7 @@ Peg counts:
     (max)
 
 
-9.37. stream
+9.38. stream
 
 --------------
 
@@ -9178,36 +9248,48 @@ Configuration:
     before being eligible for pruning { 1:max32 }
   * int stream.ip_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
+  * int stream.ip_cache.cap_weight = 64: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
     sessions tracked before pruning { 2:max32 }
   * int stream.icmp_cache.pruning_timeout = 30: minimum inactive time
     before being eligible for pruning { 1:max32 }
   * int stream.icmp_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
+  * int stream.icmp_cache.cap_weight = 8: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
     sessions tracked before pruning { 2:max32 }
   * int stream.tcp_cache.pruning_timeout = 30: minimum inactive time
     before being eligible for pruning { 1:max32 }
   * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
     before retiring session tracker { 1:max32 }
+  * int stream.tcp_cache.cap_weight = 11500: additional bytes to
+    track per flow for better estimation against cap { 0:65535 }
   * int stream.udp_cache.max_sessions = 131072: maximum simultaneous
     sessions tracked before pruning { 2:max32 }
   * int stream.udp_cache.pruning_timeout = 30: minimum inactive time
     before being eligible for pruning { 1:max32 }
   * int stream.udp_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
+  * int stream.udp_cache.cap_weight = 128: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.user_cache.max_sessions = 1024: maximum simultaneous
     sessions tracked before pruning { 2:max32 }
   * int stream.user_cache.pruning_timeout = 30: minimum inactive time
     before being eligible for pruning { 1:max32 }
   * int stream.user_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
+  * int stream.user_cache.cap_weight = 256: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.file_cache.max_sessions = 128: maximum simultaneous
     sessions tracked before pruning { 2:max32 }
   * int stream.file_cache.pruning_timeout = 30: minimum inactive time
     before being eligible for pruning { 1:max32 }
   * int stream.file_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
+  * int stream.file_cache.cap_weight = 32: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.trace: mask for enabling debug traces in module {
     0:max53 }
 
@@ -9290,7 +9372,7 @@ Peg counts:
     sync (sum)
 
 
-9.38. stream_file
+9.39. stream_file
 
 --------------
 
@@ -9305,7 +9387,7 @@ Configuration:
   * bool stream_file.upload = false: indicate file transfer direction
 
 
-9.39. stream_icmp
+9.40. stream_icmp
 
 --------------
 
@@ -9330,7 +9412,7 @@ Peg counts:
   * stream_icmp.prunes: icmp session prunes (sum)
 
 
-9.40. stream_ip
+9.41. stream_ip
 
 --------------
 
@@ -9401,7 +9483,7 @@ Peg counts:
   * stream_ip.fragmented_bytes: total fragmented bytes (sum)
 
 
-9.41. stream_tcp
+9.42. stream_tcp
 
 --------------
 
@@ -9443,6 +9525,7 @@ Configuration:
     small segments queued { 0:2048 }
   * int stream_tcp.session_timeout = 30: session tracking timeout {
     1:max31 }
+  * bool stream_tcp.track_only = false: disable reassembly if true
 
 Rules:
 
@@ -9528,7 +9611,7 @@ Peg counts:
   * stream_tcp.fins: number of fin packets (sum)
 
 
-9.42. stream_udp
+9.43. stream_udp
 
 --------------
 
@@ -9554,7 +9637,7 @@ Peg counts:
   * stream_udp.ignored: udp packets ignored (sum)
 
 
-9.43. stream_user
+9.44. stream_user
 
 --------------
 
@@ -9572,7 +9655,7 @@ Configuration:
     0:max53 }
 
 
-9.44. telnet
+9.45. telnet
 
 --------------
 
@@ -9607,7 +9690,7 @@ Peg counts:
     sessions (max)
 
 
-9.45. wizard
+9.46. wizard
 
 --------------
 
@@ -11704,7 +11787,18 @@ Configuration:
     cons | ndelay | perror | pid }
 
 
-14.8. alert_unixsock
+14.8. alert_talos
+
+--------------
+
+What: output event in Talos alert format
+
+Type: logger
+
+Usage: context
+
+
+14.9. alert_unixsock
 
 --------------
 
@@ -11715,7 +11809,7 @@ Type: logger
 Usage: context
 
 
-14.9. log_codecs
+14.10. log_codecs
 
 --------------
 
@@ -11732,7 +11826,7 @@ Configuration:
   * bool log_codecs.msg = false: include alert msg
 
 
-14.10. log_hext
+14.11. log_hext
 
 --------------
 
@@ -11754,7 +11848,7 @@ Configuration:
     0:max32 }
 
 
-14.11. log_pcap
+14.12. log_pcap
 
 --------------
 
@@ -11770,7 +11864,7 @@ Configuration:
     is unlimited) { 0:maxSZ }
 
 
-14.12. unified2
+14.13. unified2
 
 --------------
 
@@ -12578,6 +12672,8 @@ Converts the Snort configuration file specified by the -c or
   * --dont-parse-includes Same as -p. if <snort_conf> file contains
     any <include_file> or <policy_file> (i.e. include path/to/conf/
     other_conf), do NOT parse those files
+  * --dont-convert-max-sessions do not convert max_tcp, max_udp,
+    max_icmp, max_ip to max_session
   * --error-file=<error_file> Same as -e. output all errors to
     <error_file>
   * --help Same as -h. this overview of snort2lua
@@ -14048,8 +14144,6 @@ these libraries see the Getting Started section of the manual.
     character sequence
   * bool alerts.alert_with_interface_name = false: include interface
     in alert info (fast, full, or syslog only)
-  * bool alerts.default_rule_state = true: enable or disable ips
-    rules
   * int alerts.detection_filter_memcap = 1048576: set available MB of
     memory for detection_filters { 0:max32 }
   * int alerts.event_filter_memcap = 1048576: set available MB of
@@ -14080,7 +14174,7 @@ these libraries see the Getting Started section of the manual.
   * string appid.app_detector_dir: directory to load appid detectors
     from
   * int appid.app_stats_period = 300: time period for collecting and
-    logging appid statistics { 0:max32 }
+    logging appid statistics { 1:max32 }
   * int appid.app_stats_rollover_size = 20971520: max file size for
     appid stats before rolling over the log file { 0:max32 }
   * int appid.app_stats_rollover_time = 86400: max time period for
@@ -14093,7 +14187,8 @@ these libraries see the Getting Started section of the manual.
   * bool appid.log_all_sessions = false: enable logging of all appid
     sessions
   * bool appid.log_stats = false: enable logging of appid statistics
-  * int appid.memcap = 0: disregard - not implemented { 0:maxSZ }
+  * int appid.memcap = 1048576: max size of the service cache before
+    we start pruning the cache { 1024:maxSZ }
   * string appids.~: comma separated list of application names
   * bool appid.tp_appid_config_dump: print third party configuration
     on startup
@@ -14145,7 +14240,7 @@ these libraries see the Getting Started section of the manual.
   * addr_list binder[].when.dst_nets: list of destination networks
   * bit_list binder[].when.dst_ports: list of destination ports {
     65535 }
-  * int binder[].when.dst_zone: destination zone { 0:max31 }
+  * bit_list binder[].when.dst_zone: destination zone { 63 }
   * bit_list binder[].when.ifaces: list of interface indices { 255 }
   * int binder[].when.ips_policy_id = 0: unique ID for selection of
     this config by external logic { 0:max32 }
@@ -14158,8 +14253,9 @@ these libraries see the Getting Started section of the manual.
   * string binder[].when.service: override default configuration
   * addr_list binder[].when.src_nets: list of source networks
   * bit_list binder[].when.src_ports: list of source ports { 65535 }
-  * int binder[].when.src_zone: source zone { 0:max31 }
+  * bit_list binder[].when.src_zone: source zone { 63 }
   * bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
+  * bit_list binder[].when.zones: zones { 63 }
   * interval bufferlen.~range: check that length of current buffer is
     in given range { 0:65535 }
   * int byte_extract.align = 0: round the number of converted bytes
@@ -14290,6 +14386,8 @@ these libraries see the Getting Started section of the manual.
     list
   * bool dce_smb.disable_defrag = false: disable DCE/RPC
     defragmentation
+  * bool dce_smb.limit_alerts = true: limit DCE alert to at most one
+    per signature per flow
   * int dce_smb.max_frag_len = 65535: maximum fragment size for
     defragmentation { 1514:65535 }
   * enum dce_smb.policy = WinXP: target based policy to use { Win2000
@@ -14313,6 +14411,8 @@ these libraries see the Getting Started section of the manual.
     v2 | all }
   * bool dce_tcp.disable_defrag = false: disable DCE/RPC
     defragmentation
+  * bool dce_tcp.limit_alerts = true: limit DCE alert to at most one
+    per signature per flow
   * int dce_tcp.max_frag_len = 65535: maximum fragment size for
     defragmentation { 1514:65535 }
   * enum dce_tcp.policy = WinXP: target based policy to use { Win2000
@@ -14322,6 +14422,8 @@ these libraries see the Getting Started section of the manual.
     before performing reassembly { 0:65535 }
   * bool dce_udp.disable_defrag = false: disable DCE/RPC
     defragmentation
+  * bool dce_udp.limit_alerts = true: limit DCE alert to at most one
+    per signature per flow
   * int dce_udp.max_frag_len = 65535: maximum fragment size for
     defragmentation { 1514:65535 }
   * int dce_udp.trace: mask for enabling debug traces in module {
@@ -14337,6 +14439,10 @@ these libraries see the Getting Started section of the manual.
     1:max32 }
   * enum detection_filter.track: track hits by source or destination
     IP address { by_src | by_dst }
+  * bool detection.global_default_rule_state = true: enable or
+    disable rules by default (overridden by ips policy settings)
+  * bool detection.global_rule_state = false: apply rule_state
+    against all policies
   * int detection.offload_limit = 99999: minimum sizeof PDU to
     offload fast pattern search (defaults to disabled) { 0:max32 }
   * int detection.offload_threads = 0: maximum number of simultaneous
@@ -14586,6 +14692,8 @@ these libraries see the Getting Started section of the manual.
     response bodies
   * bool http_inspect.decompress_swf = false: decompress swf files in
     response bodies
+  * bool http_inspect.decompress_zip = false: decompress zip files in
+    response bodies
   * string http_inspect.ignore_unreserved: do not alert when the
     specified unreserved characters are percent-encoded in a
     URI.Unreserved characters are 0-9, a-z, A-Z, period, underscore,
@@ -14715,6 +14823,12 @@ these libraries see the Getting Started section of the manual.
     limit) { -1:65535 }
   * int imap.bitenc_decode_depth = 1460: non-Encoded MIME attachment
     extraction depth (-1 no limit) { -1:65535 }
+  * bool imap.decompress_pdf = false: decompress pdf files in MIME
+    attachments
+  * bool imap.decompress_swf = false: decompress swf files in MIME
+    attachments
+  * bool imap.decompress_zip = false: decompress zip files in MIME
+    attachments
   * int imap.qp_decode_depth = 1460: quoted Printable decoding depth
     (-1 no limit) { -1:65535 }
   * int imap.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
@@ -14727,12 +14841,16 @@ these libraries see the Getting Started section of the manual.
   * select ipopts.~opt: output format { rr|eol|nop|ts|sec|esec|lsrr|
     lsrre|ssrr|satid|any }
   * string ip_proto.~proto: [!|>|<] name or number
+  * enum ips.default_rule_state = inherit: enable or disable ips
+    rules { false | true | inherit }
   * bool ips.enable_builtin_rules = false: enable events from builtin
     rules w/o stubs
   * int ips.id = 0: correlate unified2 events with configuration {
     0:65535 }
   * string ips.include: legacy snort rules and includes
   * enum ips.mode: set policy mode { tap | inline | inline-test }
+  * bool ips.obfuscate_pii = false: mask all but the last 4
+    characters of credit card and social security numbers
   * string ips.rules: snort rules and includes
   * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
     policy uuid
@@ -14779,8 +14897,6 @@ these libraries see the Getting Started section of the manual.
     of buffer
   * int memory.cap = 0: set the per-packet-thread cap on memory
     (bytes, 0 to disable) { 0:maxSZ }
-  * bool memory.soft = false: always succeed in allocating memory,
-    even if above the cap
   * int memory.threshold = 0: set the per-packet-thread threshold for
     preemptive cleanup actions (percent, 0 to disable) { 0:100 }
   * string metadata.*: comma-separated list of arbitrary name value
@@ -14872,8 +14988,6 @@ these libraries see the Getting Started section of the manual.
   * string output.logdir = .: where to put log files (same as -l)
   * bool output.obfuscate = false: obfuscate the logged IP addresses
     (same as -O)
-  * bool output.obfuscate_pii = false: mask all but the last 4
-    characters of credit card and social security numbers
   * bool output.quiet = false: suppress non-fatal information (still
     show alerts, same as -q)
   * bool output.show_year = false: include year in timestamp in the
@@ -14929,6 +15043,12 @@ these libraries see the Getting Started section of the manual.
     limit) { -1:65535 }
   * int pop.bitenc_decode_depth = 1460: Non-Encoded MIME attachment
     extraction depth (-1 no limit) { -1:65535 }
+  * bool pop.decompress_pdf = false: decompress pdf files in MIME
+    attachments
+  * bool pop.decompress_swf = false: decompress swf files in MIME
+    attachments
+  * bool pop.decompress_zip = false: decompress zip files in MIME
+    attachments
   * int pop.qp_decode_depth = 1460: Quoted Printable decoding depth
     (-1 no limit) { -1:65535 }
   * int pop.uu_decode_depth = 1460: Unix-to-Unix decoding depth (-1
@@ -15141,10 +15261,12 @@ these libraries see the Getting Started section of the manual.
   * int rpc.~app: application number { 0:max32 }
   * string rpc.~proc: procedure number or * for any
   * string rpc.~ver: version number or * for any
-  * bool rule_state[].enable = true: enable or disable rule in all
-    policies
-  * int rule_state[].gid = 0: rule generator ID { 0:max32 }
-  * int rule_state[].sid = 0: rule signature ID { 0:max32 }
+  * enum rule_state.([0-9]+):([0-9]+).action = inherit: apply action
+    if rule matches or inherit from rule definition { log | pass |
+    alert | drop | block | reset | inherit }
+  * enum rule_state.([0-9]+):([0-9]+).enable = inherit: enable or
+    disable rule in current ips policy or use default defined by ips
+    policy { false | true | inherit }
   * string sd_pattern.~pattern: The pattern to search for
   * int sd_pattern.threshold = 1: number of matches before alerting {
     1:max32 }
@@ -15169,6 +15291,10 @@ these libraries see the Getting Started section of the manual.
     compiling into state machine (0 means no maximum) { 0:max32 }
   * int search_engine.max_queue_events = 5: maximum number of
     matching fast pattern states to queue per packet { 2:100 }
+  * dynamic search_engine.offload_search_method: set fast pattern
+    offload algorithm - choose available search engine { ac_banded |
+    ac_bnfa | ac_full | ac_sparse | ac_sparse_bands | ac_std |
+    hyperscan | lowmem }
   * dynamic search_engine.search_method = ac_bnfa: set fast pattern
     algorithm - choose available search engine { ac_banded | ac_bnfa
     | ac_full | ac_sparse | ac_sparse_bands | ac_std | hyperscan |
@@ -15234,6 +15360,12 @@ these libraries see the Getting Started section of the manual.
     non-encoded MIME attachments (-1 no limit) { -1:65535 }
   * string smtp.data_cmds: commands that initiate sending of data
     with an end of data delimiter
+  * bool smtp.decompress_pdf = false: decompress pdf files in MIME
+    attachments
+  * bool smtp.decompress_swf = false: decompress swf files in MIME
+    attachments
+  * bool smtp.decompress_zip = false: decompress zip files in MIME
+    attachments
   * int smtp.email_hdrs_log_depth = 1464: depth for logging email
     headers { 0:20480 }
   * bool smtp.ignore_data = false: ignore data section of mail
@@ -15510,6 +15642,8 @@ these libraries see the Getting Started section of the manual.
   * implied ssl_version.!tls1.2: check for records that are not
     tls1.2
   * implied ssl_version.tls1.2: check for tls1.2
+  * int stream.file_cache.cap_weight = 32: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.file_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
   * int stream.file_cache.max_sessions = 128: maximum simultaneous
@@ -15519,6 +15653,8 @@ these libraries see the Getting Started section of the manual.
   * bool stream_file.upload = false: indicate file transfer direction
   * int stream.footprint = 0: use zero for production, non-zero for
     testing at given size (for TCP and user) { 0:max32 }
+  * int stream.icmp_cache.cap_weight = 8: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.icmp_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
   * int stream.icmp_cache.max_sessions = 65536: maximum simultaneous
@@ -15527,6 +15663,8 @@ these libraries see the Getting Started section of the manual.
     before being eligible for pruning { 1:max32 }
   * int stream_icmp.session_timeout = 30: session tracking timeout {
     1:max31 }
+  * int stream.ip_cache.cap_weight = 64: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.ip_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
   * int stream.ip_cache.max_sessions = 16384: maximum simultaneous
@@ -15559,6 +15697,8 @@ these libraries see the Getting Started section of the manual.
     direction(s) { either|to_server|to_client|both }
   * interval stream_size.~range: check if the stream size is in the
     given range { 0: }
+  * int stream.tcp_cache.cap_weight = 11500: additional bytes to
+    track per flow for better estimation against cap { 0:65535 }
   * int stream.tcp_cache.idle_timeout = 3600: maximum inactive time
     before retiring session tracker { 1:max32 }
   * int stream.tcp_cache.max_sessions = 262144: maximum simultaneous
@@ -15594,8 +15734,11 @@ these libraries see the Getting Started section of the manual.
     segments queued { 0:2048 }
   * int stream_tcp.small_segments.maximum_size = 0: limit number of
     small segments queued { 0:2048 }
+  * bool stream_tcp.track_only = false: disable reassembly if true
   * int stream.trace: mask for enabling debug traces in module {
     0:max53 }
+  * int stream.udp_cache.cap_weight = 128: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.udp_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
   * int stream.udp_cache.max_sessions = 131072: maximum simultaneous
@@ -15604,6 +15747,8 @@ these libraries see the Getting Started section of the manual.
     before being eligible for pruning { 1:max32 }
   * int stream_udp.session_timeout = 30: session tracking timeout {
     1:max31 }
+  * int stream.user_cache.cap_weight = 256: additional bytes to track
+    per flow for better estimation against cap { 0:65535 }
   * int stream.user_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
   * int stream.user_cache.max_sessions = 1024: maximum simultaneous
@@ -15879,6 +16024,8 @@ these libraries see the Getting Started section of the manual.
   * detection.analyzed: packets sent to detection (now)
   * detection.body_searches: fast pattern searches in body buffer
     (sum)
+  * detection.context_stalls: times processing stalled to wait for an
+    available context (sum)
   * detection.cooked_searches: fast pattern searches in cooked packet
     data (sum)
   * detection.event_limit: events filtered (sum)
@@ -16013,6 +16160,15 @@ these libraries see the Getting Started section of the manual.
   * latency.total_packets: total packets monitored (sum)
   * latency.total_rule_evals: total rule evals monitored (sum)
   * latency.total_usecs: total usecs elapsed (sum)
+  * memory.allocated: total amount of memory allocated (now)
+  * memory.allocations: total number of allocations (now)
+  * memory.deallocated: total amount of memory allocated (now)
+  * memory.deallocations: total number of deallocations (now)
+  * memory.max_in_use: highest allocated - deallocated (max)
+  * memory.reap_attempts: attempts to reclaim memory (now)
+  * memory.reap_failures: failures to reclaim memory (now)
+  * memory.total_fudge: sum of all adjustments (now)
+  * mem_test.packets: total packets (sum)
   * modbus.concurrent_sessions: total concurrent modbus sessions
     (now)
   * modbus.frames: total Modbus messages (sum)
@@ -16767,8 +16923,8 @@ these libraries see the Getting Started section of the manual.
   * 119:226 (http_inspect) unknown Content-Encoding used
   * 119:227 (http_inspect) multiple Content-Encodings applied
   * 119:228 (http_inspect) server response before client request
-  * 119:229 (http_inspect) PDF/SWF decompression of server response
-    too big
+  * 119:229 (http_inspect) PDF/SWF/ZIP decompression of server
+    response too big
   * 119:230 (http_inspect) nonprinting character in HTTP message
     header name
   * 119:231 (http_inspect) bad Content-Length value in HTTP header
@@ -16852,6 +17008,7 @@ these libraries see the Getting Started section of the manual.
   * 124:13 (smtp) Unix-to-Unix decoding failed
   * 124:14 (smtp) Cyrus SASL authentication attack
   * 124:15 (smtp) attempted authentication command buffer overflow
+  * 124:16 (smtp) file decompression failed
   * 125:1 (ftp_server) TELNET cmd on FTP command channel
   * 125:2 (ftp_server) invalid FTP command
   * 125:3 (ftp_server) FTP command parameters were too long
@@ -17037,11 +17194,13 @@ these libraries see the Getting Started section of the manual.
   * 141:4 (imap) base64 decoding failed
   * 141:5 (imap) quoted-printable decoding failed
   * 141:7 (imap) Unix-to-Unix decoding failed
+  * 141:8 (imap) file decompression failed
   * 142:1 (pop) unknown POP3 command
   * 142:2 (pop) unknown POP3 response
   * 142:4 (pop) base64 decoding failed
   * 142:5 (pop) quoted-printable decoding failed
   * 142:7 (pop) Unix-to-Unix decoding failed
+  * 142:8 (pop) file decompression failed
   * 143:1 (gtp_inspect) message length is invalid
   * 143:2 (gtp_inspect) information element length is invalid
   * 143:3 (gtp_inspect) information elements are out of order
@@ -17119,16 +17278,13 @@ change ->  dynamicdetection ==> 'snort.--plugin_path=<path>'
 change ->  dynamicengine ==> 'snort.--plugin_path=<path>'
 change ->  dynamicpreprocessor ==> 'snort.--plugin_path=<path>'
 change ->  dynamicsidechannel ==> 'snort.--plugin_path=<path>'
-change -> alertfile: 'config alertfile:' ==> 'alert_fast.file'
-change -> alertfile: 'config alertfile:' ==> 'alert_full.file'
 change -> attribute_table: 'STREAM_POLICY' ==> 'hosts: tcp_policy'
 change -> attribute_table: 'filename <file_name>' ==> 'hosts[]'
 change -> config ' addressspace_agnostic'  ==> ' packets. address_space_agnostic'
 change -> config ' checksum_mode'  ==> ' network. checksum_eval'
-change -> config ' daq'  ==> ' daq. type'
-change -> config ' daq_dir'  ==> ' daq. dir'
-change -> config ' daq_mode'  ==> ' daq. mode'
-change -> config ' daq_var'  ==> ' daq. var'
+change -> config ' daq'  ==> ' daq. module'
+change -> config ' daq_dir'  ==> ' daq. module_dirs, true'
+change -> config ' daq_var'  ==> ' daq. variables, true'
 change -> config ' detection_filter'  ==> ' alerts. detection_filter_memcap'
 change -> config ' enable_deep_teredo_inspection'  ==> ' udp. deep_teredo_inspection'
 change -> config ' event_filter'  ==> ' alerts. event_filter_memcap'
@@ -17139,7 +17295,10 @@ change -> config ' pkt_count'  ==> ' packets. limit'
 change -> config ' rate_filter'  ==> ' alerts. rate_filter_memcap'
 change -> config ' react'  ==> ' react. page'
 change -> config ' threshold'  ==> ' alerts. event_filter_memcap'
-change -> csv: 'dgmlen' ==> 'dgm_len'
+change -> converter: 'gen_id' ==> 'gid'
+change -> converter: 'sid_id' ==> 'sid'
+change -> csv: 'csv' ==> 'fields'
+change -> csv: 'dgmlen' ==> 'pkt_len'
 change -> csv: 'dst' ==> 'dst_addr'
 change -> csv: 'dstport' ==> 'dst_port'
 change -> csv: 'ethdst' ==> 'eth_dst'
@@ -17150,6 +17309,7 @@ change -> csv: 'icmpcode' ==> 'icmp_code'
 change -> csv: 'icmpid' ==> 'icmp_id'
 change -> csv: 'icmpseq' ==> 'icmp_seq'
 change -> csv: 'icmptype' ==> 'icmp_type'
+change -> csv: 'id' ==> 'ip_id'
 change -> csv: 'iplen' ==> 'ip_len'
 change -> csv: 'sig_generator' ==> 'gid'
 change -> csv: 'sig_id' ==> 'sid'
@@ -17162,35 +17322,43 @@ change -> csv: 'tcplen' ==> 'tcp_len'
 change -> csv: 'tcpseq' ==> 'tcp_seq'
 change -> csv: 'tcpwindow' ==> 'tcp_win'
 change -> csv: 'udplength' ==> 'udp_len'
-change -> detection: 'ac' ==> 'ac_full_q'
+change -> detection: 'ac' ==> 'ac_full'
 change -> detection: 'ac-banded' ==> 'ac_banded'
-change -> detection: 'ac-bnfa' ==> 'ac_bnfa_q'
+change -> detection: 'ac-bnfa' ==> 'ac_bnfa'
 change -> detection: 'ac-bnfa-nq' ==> 'ac_bnfa'
-change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa_q'
+change -> detection: 'ac-bnfa-q' ==> 'ac_bnfa'
 change -> detection: 'ac-nq' ==> 'ac_full'
-change -> detection: 'ac-q' ==> 'ac_full_q'
+change -> detection: 'ac-q' ==> 'ac_full'
 change -> detection: 'ac-sparsebands' ==> 'ac_sparse_bands'
-change -> detection: 'ac-split' ==> 'ac_full_q'
+change -> detection: 'ac-split' ==> 'ac_full'
 change -> detection: 'ac-split' ==> 'split_any_any'
 change -> detection: 'ac-std' ==> 'ac_std'
 change -> detection: 'acs' ==> 'ac_sparse'
 change -> detection: 'bleedover-port-limit' ==> 'bleedover_port_limit'
-change -> detection: 'intel-cpm' ==> 'intel_cpm'
-change -> detection: 'lowmem' ==> 'lowmem_q'
+change -> detection: 'debug-print-fast-pattern' ==> 'show_fast_patterns'
+change -> detection: 'intel-cpm' ==> 'hyperscan'
 change -> detection: 'lowmem-nq' ==> 'lowmem'
-change -> detection: 'lowmem-q' ==> 'lowmem_q'
+change -> detection: 'lowmem-q' ==> 'lowmem'
 change -> detection: 'max-pattern-len' ==> 'max_pattern_len'
+change -> detection: 'no_stream_inserts' ==> 'detect_raw_tcp'
 change -> detection: 'search-method' ==> 'search_method'
 change -> detection: 'search-optimize' ==> 'search_optimize'
+change -> detection: 'split-any-any' ==> 'split_any_any = true by default'
 change -> detection: 'split-any-any' ==> 'split_any_any'
+change -> dnp3: 'ports' ==> 'bindings'
 change -> dns: 'ports' ==> 'bindings'
 change -> event_filter: 'gen_id' ==> 'gid'
 change -> event_filter: 'sig_id' ==> 'sid'
 change -> event_filter: 'threshold' ==> 'event_filter'
 change -> file: 'config file: file_block_timeout' ==> 'block_timeout'
+change -> file: 'config file: file_capture_block_size' ==> 'capture_block_size'
+change -> file: 'config file: file_capture_max' ==> 'capture_max_size'
+change -> file: 'config file: file_capture_memcap' ==> 'capture_memcap'
+change -> file: 'config file: file_capture_min' ==> 'capture_min_size'
 change -> file: 'config file: file_type_depth' ==> 'type_depth'
 change -> file: 'config file: signature' ==> 'enable_signature'
 change -> file: 'config file: type_id' ==> 'enable_type'
+change -> file: 'ver' ==> 'version'
 change -> frag3_engine: 'min_fragment_length' ==> 'min_frag_length'
 change -> frag3_engine: 'overlap_limit' ==> 'max_overlaps'
 change -> frag3_engine: 'policy bsd-right' ==> 'policy = bsd_right'
@@ -17198,59 +17366,60 @@ change -> frag3_engine: 'timeout' ==> 'session_timeout'
 change -> ftp_telnet_protocol: 'alt_max_param_len' ==> 'cmd_validity'
 change -> ftp_telnet_protocol: 'data_chan' ==> 'ignore_data_chan'
 change -> ftp_telnet_protocol: 'ports' ==> 'bindings'
-change -> gtp: 'ports' ==> 'gtp_ports'
-change -> http_inspect: 'http_inspect' ==> 'http_global'
-change -> http_inspect_server: 'apache_whitespace' ==> 'profile.apache_whitespace'
-change -> http_inspect_server: 'ascii' ==> 'profile.ascii'
-change -> http_inspect_server: 'bare_byte' ==> 'profile.bare_byte'
-change -> http_inspect_server: 'chunk_length' ==> 'profile.chunk_length'
-change -> http_inspect_server: 'client_flow_depth' ==> 'profile.client_flow_depth'
-change -> http_inspect_server: 'directory' ==> 'profile.directory'
-change -> http_inspect_server: 'double_decode' ==> 'profile.double_decode'
-change -> http_inspect_server: 'enable_cookie' ==> 'enable_cookies'
-change -> http_inspect_server: 'flow_depth' ==> 'server_flow_depth'
+change -> gtp: 'ports' ==> 'bindings'
+change -> http_inspect_server: 'bare_byte' ==> 'utf8_bare_byte'
+change -> http_inspect_server: 'client_flow_depth' ==> 'request_depth'
+change -> http_inspect_server: 'double_decode' ==> 'iis_double_decode'
 change -> http_inspect_server: 'http_inspect_server' ==> 'http_inspect'
-change -> http_inspect_server: 'iis_backslash' ==> 'profile.iis_backslash'
-change -> http_inspect_server: 'iis_delimiter' ==> 'profile.iis_delimiter'
-change -> http_inspect_server: 'iis_unicode' ==> 'profile.iis_unicode'
-change -> http_inspect_server: 'max_header_length' ==> 'profile.max_header_length'
-change -> http_inspect_server: 'max_headers' ==> 'profile.max_headers'
-change -> http_inspect_server: 'max_spaces' ==> 'profile.max_spaces'
-change -> http_inspect_server: 'multi_slash' ==> 'profile.multi_slash'
-change -> http_inspect_server: 'non_rfc_char' ==> 'non_rfc_chars'
-change -> http_inspect_server: 'non_strict' ==> 'profile.non_strict'
-change -> http_inspect_server: 'normalize_utf' ==> 'profile.normalize_utf'
+change -> http_inspect_server: 'iis_backslash' ==> 'backslash_to_slash'
+change -> http_inspect_server: 'inspect_gzip' ==> 'unzip'
+change -> http_inspect_server: 'non_rfc_char' ==> 'bad_characters'
 change -> http_inspect_server: 'ports' ==> 'bindings'
-change -> http_inspect_server: 'u_encode' ==> 'profile.u_encode'
-change -> http_inspect_server: 'utf_8' ==> 'profile.utf_8'
-change -> http_inspect_server: 'webroot' ==> 'profile.webroot'
-change -> http_inspect_server: 'whitespace_chars' ==> 'profile.whitespace_chars'
+change -> http_inspect_server: 'u_encode' ==> 'percent_u'
+change -> http_inspect_server: 'utf_8' ==> 'utf8'
 change -> imap: 'ports' ==> 'bindings'
-change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:63780]'
-change -> perfmonitor: 'accumulate' ==> 'reset = false'
-change -> perfmonitor: 'flow-file' ==> 'flow_file = true'
+change -> modbus: 'ports' ==> 'bindings'
+change -> na_policy_mode: 'na_policy_mode' ==> 'mode'
+change -> nap_selector: 'nap rules' ==> 'bindings'
+change -> paf_max: 'paf_max [0:63780]' ==> 'max_pdu [1460:32768]'
+change -> perfmonitor: 'console' ==> 'format = 'text''
+change -> perfmonitor: 'console' ==> 'output = 'console''
+change -> perfmonitor: 'file' ==> 'format = 'csv''
+change -> perfmonitor: 'file' ==> 'output = 'file''
+change -> perfmonitor: 'flow-file' ==> 'format = 'csv''
+change -> perfmonitor: 'flow-file' ==> 'output = 'file''
 change -> perfmonitor: 'flow-ip' ==> 'flow_ip'
-change -> perfmonitor: 'flow-ip-file' ==> 'flow_ip_file = true'
+change -> perfmonitor: 'flow-ip-file' ==> 'format = 'csv''
+change -> perfmonitor: 'flow-ip-file' ==> 'output = 'file''
 change -> perfmonitor: 'flow-ip-memcap' ==> 'flow_ip_memcap'
 change -> perfmonitor: 'flow-ports' ==> 'flow_ports'
 change -> perfmonitor: 'pktcnt' ==> 'packets'
-change -> perfmonitor: 'snortfile' ==> 'file = true'
+change -> perfmonitor: 'snortfile' ==> 'format = 'csv''
+change -> perfmonitor: 'snortfile' ==> 'output = 'file''
 change -> perfmonitor: 'time' ==> 'seconds'
 change -> policy_mode: 'inline_test' ==> 'inline-test'
 change -> pop: 'ports' ==> 'bindings'
-change -> ppm: 'max-pkt-time' ==> 'max_pkt_time'
-change -> ppm: 'max-rule-time' ==> 'max_rule_time'
-change -> ppm: 'pkt-log' ==> 'pkt_log'
-change -> ppm: 'rule-log' ==> 'rule_log'
-change -> ppm: 'suspend-timeout' ==> 'suspend_timeout'
+change -> ppm: ''both'' ==> ''alert_and_log''
+change -> ppm: 'fastpath-expensive-packets' ==> 'packet.fastpath'
+change -> ppm: 'max-pkt-time' ==> 'packet.max_time'
+change -> ppm: 'max-rule-time' ==> 'rule.max_time'
+change -> ppm: 'pkt-log' ==> 'packet.action'
+change -> ppm: 'ppm' ==> 'latency'
+change -> ppm: 'rule-log' ==> 'rule.action'
+change -> ppm: 'suspend-expensive-rules' ==> 'rule.suspend'
+change -> ppm: 'suspend-timeout' ==> 'max_suspend_time'
+change -> ppm: 'threshold' ==> 'rule.suspend_threshold'
 change -> preprocessor 'normalize_ icmp4' ==> 'normalize. icmp4'
 change -> preprocessor 'normalize_ icmp6' ==> 'normalize. icmp6'
 change -> preprocessor 'normalize_ ip6' ==> 'normalize. ip6'
 change -> profile: 'print' ==> 'count'
+change -> profile: 'sort avg_ticks' ==> 'sort = avg_check'
+change -> profile: 'sort total_ticks' ==> 'sort = total_time'
 change -> rate_filter: 'gen_id' ==> 'gid'
 change -> rate_filter: 'sig_id' ==> 'sid'
-change -> rule_state: 'disabled' ==> 'enable'
-change -> rule_state: 'enabled' ==> 'enable'
+change -> reputation: 'shared_mem' ==> 'list_dir'
+change -> rule_state: 'enabled/disabled' ==> 'enable'
+change -> rule_state: 'sdrop' ==> 'drop'
 change -> sfportscan: 'proto' ==> 'protos'
 change -> sfportscan: 'scan_type' ==> 'scan_types'
 change -> sip: 'ports' ==> 'bindings'
@@ -17275,7 +17444,6 @@ change -> stream5_tcp: 'max_queued_bytes' ==> 'queue_limit.max_bytes'
 change -> stream5_tcp: 'max_queued_segs' ==> 'queue_limit.max_segments'
 change -> stream5_tcp: 'policy hpux' ==> 'stream_tcp.policy = hpux11'
 change -> stream5_tcp: 'timeout' ==> 'session_timeout'
-change -> stream5_tcp: 'use_static_footprint_sizes' ==> 'footprint'
 change -> stream5_udp: 'timeout' ==> 'session_timeout'
 change -> suppress: 'gen_id' ==> 'gid'
 change -> suppress: 'sig_id' ==> 'sid'
@@ -17315,9 +17483,12 @@ deleted -> attribute_table: '<FRAG_POLICY>unknown</FRAG_POLICY>'
 deleted -> attribute_table: '<STREAM_POLICY>noack</STREAM_POLICY>'
 deleted -> attribute_table: '<STREAM_POLICY>unknown</STREAM_POLICY>'
 deleted -> config ' cs_dir'
+deleted -> config ' daq_mode'
+deleted -> config ' decode_data_link'
 deleted -> config ' disable_attribute_reload_thread'
 deleted -> config ' disable_decode_alerts'
 deleted -> config ' disable_decode_drops'
+deleted -> config ' disable_inline_init_failopen'
 deleted -> config ' disable_ipopt_alerts'
 deleted -> config ' disable_ipopt_drops'
 deleted -> config ' disable_tcpopt_alerts'
@@ -17347,45 +17518,84 @@ deleted -> config ' flowbits_size'
 deleted -> config ' include_vlan_in_alerts'
 deleted -> config ' interface'
 deleted -> config ' layer2resets'
-deleted -> config ' policy_version'
+deleted -> config ' log_ipv6_extra_data'
+deleted -> config ' nolog'
+deleted -> config ' protected_content'
+deleted -> config ' sidechannel'
 deleted -> config ' so_rule_memcap'
+deleted -> config 'dynamicoutput'
+deleted -> config 'sfalert_unified2'
+deleted -> config 'sflog_unified2'
+deleted -> config 'sidechannel'
 deleted -> csv: '<filename> can no longer be specific'
 deleted -> csv: 'default'
 deleted -> csv: 'trheader'
 deleted -> detection: 'mwm'
+deleted -> dnp3: 'disabled'
+deleted -> dnp3: 'memcap'
 deleted -> dns: 'enable_experimental_types'
 deleted -> dns: 'enable_obsolete_types'
 deleted -> dns: 'enable_rdata_overflow'
+deleted -> event_trace: 'file'
 deleted -> fast: '<filename> can no longer be specific'
 deleted -> frag3_engine: 'detect_anomalies'
 deleted -> frag3_global: 'disabled'
 deleted -> ftp_telnet_protocol: 'detect_anomalies'
 deleted -> full: '<filename> can no longer be specific'
+deleted -> http_inspect: 'detect_anomalous_servers'
 deleted -> http_inspect: 'disabled'
+deleted -> http_inspect: 'proxy_alert'
+deleted -> http_inspect_server: 'allow_proxy_use'
+deleted -> http_inspect_server: 'enable_cookie'
+deleted -> http_inspect_server: 'enable_xff'
+deleted -> http_inspect_server: 'extended_ascii_uri'
+deleted -> http_inspect_server: 'extended_response_inspection'
+deleted -> http_inspect_server: 'iis_unicode_map not allowed in sever'
+deleted -> http_inspect_server: 'inspect_uri_only'
+deleted -> http_inspect_server: 'log_hostname'
+deleted -> http_inspect_server: 'log_uri'
 deleted -> http_inspect_server: 'no_alerts'
+deleted -> http_inspect_server: 'no_pipeline_req'
+deleted -> http_inspect_server: 'non_strict'
+deleted -> http_inspect_server: 'normalize_cookies'
+deleted -> http_inspect_server: 'normalize_headers'
+deleted -> http_inspect_server: 'small_chunk_length'
+deleted -> http_inspect_server: 'tab_uri_delimiter'
+deleted -> http_inspect_server: 'unlimited_decompress'
 deleted -> imap: 'disabled'
 deleted -> imap: 'max_mime_mem'
 deleted -> imap: 'memcap'
+deleted -> nap_selector: 'fw_required'
+deleted -> nap_selector: 'nap_stats_time'
+deleted -> perfmonitor: 'accumulate'
 deleted -> perfmonitor: 'atexitonly'
 deleted -> perfmonitor: 'atexitonly: base-stats'
 deleted -> perfmonitor: 'atexitonly: events-stats'
 deleted -> perfmonitor: 'atexitonly: flow-ip-stats'
 deleted -> perfmonitor: 'atexitonly: flow-stats'
+deleted -> perfmonitor: 'atexitonly: reset'
+deleted -> perfmonitor: 'events'
+deleted -> perfmonitor: 'max'
 deleted -> pop: 'disabled'
 deleted -> pop: 'max_mime_mem'
 deleted -> pop: 'memcap'
 deleted -> ppm: 'debug-pkts'
 deleted -> react: 'block'
 deleted -> react: 'warn'
+deleted -> reputation: 'shared_max_instances'
+deleted -> reputation: 'shared_refresh'
 deleted -> rpc_decode: 'alert_fragments'
 deleted -> rpc_decode: 'no_alert_incomplete'
 deleted -> rpc_decode: 'no_alert_large_fragments'
 deleted -> rpc_decode: 'no_alert_multiple_requests'
-deleted -> rule_state: 'action'
 deleted -> sfportscan: 'detect_ack_scans'
 deleted -> sfportscan: 'disabled'
 deleted -> sfportscan: 'logfile'
+deleted -> sfportscan: 'sense_level'
+deleted -> sfunified2: 'mpls_event_types'
+deleted -> sfunified2: 'vlan_event_types'
 deleted -> sip: 'disabled'
+deleted -> sip: 'max_sessions'
 deleted -> smtp: 'alert_unknown_cmds'
 deleted -> smtp: 'disabled'
 deleted -> smtp: 'enable_mime_decoding'
@@ -17406,16 +17616,22 @@ deleted -> ssh: 'enable_ssh1crc32'
 deleted -> ssl: 'noinspect_encrypted'
 deleted -> stream5_global: 'disabled'
 deleted -> stream5_global: 'flush_on_alert'
+deleted -> stream5_global: 'memcap'
 deleted -> stream5_global: 'no_midstream_drop_alerts'
 deleted -> stream5_tcp: 'check_session_hijacking'
 deleted -> stream5_tcp: 'detect_anomalies'
 deleted -> stream5_tcp: 'dont_store_large_packets'
+deleted -> stream5_tcp: 'ignore_any_rules'
+deleted -> stream5_tcp: 'log_asymmetric_traffic'
 deleted -> stream5_tcp: 'policy noack'
 deleted -> stream5_tcp: 'policy unknown'
+deleted -> stream5_udp: 'ignore_any_rules'
 deleted -> tcpdump: '<filename> can no longer be specific'
 deleted -> test: 'file'
 deleted -> test: 'stdout'
 deleted -> unified2: 'filename'
+deleted -> unified2: 'mpls_event_types'
+deleted -> unified2: 'vlan_event_types'
 
 
 20.11. Module Listing
@@ -17431,6 +17647,7 @@ deleted -> unified2: 'filename'
   * alert_json (logger): output event in json format
   * alert_sfsocket (logger): output event over socket
   * alert_syslog (logger): output event to syslog
+  * alert_talos (logger): output event in Talos alert format
   * alert_unixsock (logger): output event over unix socket
   * alerts (basic): configure alerts
   * appid (inspector): application and service identification
@@ -17599,6 +17816,7 @@ deleted -> unified2: 'filename'
   * log_hext (logger): output payload suitable for daq hext
   * log_pcap (logger): log packet in pcap format
   * md5 (ips_option): payload rule option for hash matching
+  * mem_test (inspector): for testing memory management
   * memory (basic): memory management configuration
   * metadata (ips_option): rule option for conveying arbitrary name,
     value data within the rule text
@@ -17658,7 +17876,8 @@ deleted -> unified2: 'filename'
   * rewrite (ips_action): overwrite packet contents
   * rpc (ips_option): rule option to check SUNRPC CALL parameters
   * rpc_decode (inspector): RPC inspector
-  * rule_state (basic): enable/disable specific IPS rules
+  * rule_state (basic): enable/disable and set actions for specific
+    IPS rules
   * sd_pattern (ips_option): rule option for detecting sensitive data
   * search_engine (basic): configure fast pattern matcher
   * seq (ips_option): rule option to check TCP sequence number
@@ -17806,6 +18025,7 @@ deleted -> unified2: 'filename'
   * inspector::http2_inspect: the HTTP/2 inspector
   * inspector::http_inspect: the new HTTP inspector!
   * inspector::imap: imap inspection
+  * inspector::mem_test: for testing memory management
   * inspector::modbus: modbus inspection
   * inspector::normalizer: packet scrubbing for inline mode
   * inspector::packet_capture: raw packet dumping facility
@@ -18002,6 +18222,7 @@ deleted -> unified2: 'filename'
   * logger::alert_json: output event in json format
   * logger::alert_sfsocket: output event over socket
   * logger::alert_syslog: output event to syslog
+  * logger::alert_talos: output event in Talos alert format
   * logger::alert_unixsock: output event over unix socket
   * logger::log_codecs: log protocols in packet by layer
   * logger::log_hext: output payload suitable for daq hext
@@ -18539,3 +18760,63 @@ Here is one way to set things up:
 
       + Note that on OpenBSD, divert sockets don’t work with bridges!
 
+
+20.14. Limitations
+
+--------------
+
+20.14.1. Reload limitations
+
+The following parameters can’t be changed during reload, and require
+a restart:
+
+  * active.attempts
+  * active.device
+  * alerts.detection_filter_memcap
+  * alerts.event_filter_memcap
+  * alerts.rate_filter_memcap
+  * attribute_table.max_hosts
+  * attribute_table.max_services_per_host
+  * daq.snaplen
+  * daq.no_promisc
+  * detection.asn1
+  * file_id.max_files_cached
+  * port_scan.memcap
+  * process.chroot
+  * process.daemon
+  * process.set_gid
+  * process.set_uid
+  * stream.footprint
+  * stream.ip_cache.max_sessions
+  * stream.ip_cache.pruning_timeout
+  * stream.ip_cache.idle_timeout
+  * stream.icmp_cache.max_sessions
+  * stream.icmp_cache.pruning_timeout
+  * stream.icmp_cache.idle_timeout
+  * stream.tcp_cache.max_sessions
+  * stream.tcp_cache.pruning_timeout
+  * stream.tcp_cache.idle_timeout
+  * stream.udp_cache.max_sessions
+  * stream.udp_cache.pruning_timeout
+  * stream.udp_cache.idle_timeout
+  * stream.user_cache.max_sessions
+  * stream.user_cache.pruning_timeout
+  * stream.user_cache.idle_timeout
+  * stream.file_cache.max_sessions
+  * stream.file_cache.pruning_timeout
+  * stream.file_cache.idle_timeout
+
+In addition, the following scenarios require a restart:
+
+  * Enabling file capture for the first time
+  * Changing file_id.capture_memcap if file capture was previously or
+    currently enabled
+  * Changing file_id.capture_block_size if file capture was
+    previously or currently enabled
+  * Adding/removing stream_* inspectors if stream was already
+    configured
+
+In all of these cases reload will fail with the following message:
+"reload failed - restart required". The original config will remain
+in use.
+
diff --git a/src/helpers/markup.cc b/src/helpers/markup.cc
index 454dbac78..dc4fc381d 100644
--- a/src/helpers/markup.cc
+++ b/src/helpers/markup.cc
@@ -66,27 +66,18 @@ const string& Markup::emphasis(const string& s)
 const string& Markup::escape(const char* const c)
 { return escape(string(c)); }
 
-// FIXIT-L some asciidoc chars need to be escaped.
-// This function should escape all of those characters
 const string& Markup::escape(const string& s)
 {
     static string m;
     m = s;
 
-#if 0
-    const char* const asciidoc_chars = "*<>^'";
+    const char* const asciidoc_chars = "+*<>[]^'";
 
-    if (enabled)
+    if ( enabled and (m.find_first_of(asciidoc_chars, 0) != string::npos) )
     {
-        for (size_t found = m.find_first_of(asciidoc_chars, 0);
-            found != string::npos;
-            found = m.find_first_of(asciidoc_chars, found))
-        {
-            m.insert(found, "\\");
-            found +=2;
-        }
+        m.insert(0, "`");
+        m += "`";
     }
-#endif
     return m;
 }
 
diff --git a/src/main/build.h b/src/main/build.h
index 1c5cf3b73..7403da4da 100644
--- a/src/main/build.h
+++ b/src/main/build.h
@@ -12,7 +12,7 @@
 //                                               //
 //-----------------------------------------------//
 
-#define BUILD_NUMBER 250
+#define BUILD_NUMBER 251
 
 #ifndef EXTRABUILD
 #define BUILD STRINGIFY_MX(BUILD_NUMBER)
diff --git a/src/main/help.cc b/src/main/help.cc
index 1555ba65a..2fae1613b 100644
--- a/src/main/help.cc
+++ b/src/main/help.cc
@@ -95,10 +95,10 @@ void help_args(const char* pfx)
             cout << Markup::item();
 
             cout << Markup::emphasis_on();
-            cout << Markup::escape(p->name);
+            cout << p->name;
             cout << Markup::emphasis_off();
 
-            cout << " " << Markup::escape(p->help);
+            cout << " " << p->help;
 
             if ( const char* r = p->get_range() )
             {
diff --git a/src/managers/module_manager.cc b/src/managers/module_manager.cc
index 60809a08b..a040c1501 100644
--- a/src/managers/module_manager.cc
+++ b/src/managers/module_manager.cc
@@ -201,16 +201,16 @@ static DumpFormat dump_fmt = DF_STD;
 static void dump_field_std(const string& key, const Parameter* p)
 {
     cout << Markup::item();
-    cout << Markup::escape(p->get_type());
+    cout << p->get_type();
     cout << " " << Markup::emphasis(Markup::escape(key));
 
     if ( p->deflt )
-        cout << " = " << Markup::escape(p->deflt);
+        cout << " = " << p->deflt;
 
     cout << ": " << p->help;
 
     if ( const char* r = p->get_range() )
-        cout << " { " << Markup::escape(r) << " }";
+        cout << " { " << r << " }";
 
     cout << endl;
 }
@@ -222,14 +222,14 @@ static void dump_field_tab(const string& key, const Parameter* p)
     cout << "\t" << Markup::emphasis(Markup::escape(key));
 
     if ( p->deflt )
-        cout << "\t" << Markup::escape(p->deflt);
+        cout << "\t" << p->deflt;
     else
         cout << "\t";
 
     cout << "\t" << p->help;
 
     if ( const char* r = p->get_range() )
-        cout << "\t" << Markup::escape(r);
+        cout << "\t" << r;
     else
         cout << "\t";
 
@@ -1027,10 +1027,10 @@ void ModuleManager::show_module(const char* name)
         if ( strcmp(m->get_name(), name) )
             continue;
 
-        cout << endl << Markup::head(3) << Markup::escape(name) << endl << endl;
+        cout << endl << Markup::head(3) << name << endl << endl;
 
         if ( const char* h = m->get_help() )
-            cout << endl << "What: " << Markup::escape(h) << endl;
+            cout << endl << "What: " << h << endl;
 
         cout << endl << "Type: "  << mod_type(p->api) << endl;
         cout << endl << "Usage: "  << mod_use(m->get_usage()) << endl;
@@ -1171,11 +1171,11 @@ void ModuleManager::show_commands(const char* pfx, bool exact)
         {
             cout << Markup::item();
             cout << Markup::emphasis_on();
-            cout << Markup::escape(p->mod->get_name());
-            cout << "." << Markup::escape(c->name);
+            cout << p->mod->get_name();
+            cout << "." << c->name;
             cout << Markup::emphasis_off();
             cout << c->get_arg_list();
-            cout << ": " << Markup::escape(c->help);
+            cout << ": " << c->help;
             cout << endl;
             c++;
         }
@@ -1211,7 +1211,7 @@ void ModuleManager::show_gids(const char* pfx, bool exact)
             cout << Markup::emphasis_on();
             cout << gid;
             cout << Markup::emphasis_off();
-            cout << ": " << Markup::escape(m->get_name());
+            cout << ": " << m->get_name();
             cout << endl;
         }
         c++;
@@ -1255,11 +1255,11 @@ void ModuleManager::show_pegs(const char* pfx, bool exact)
         {
             cout << Markup::item();
             cout << Markup::emphasis_on();
-            cout << Markup::escape(p->mod->get_name());
-            cout << "." << Markup::escape(pegs->name);
+            cout << p->mod->get_name();
+            cout << "." << pegs->name;
             cout << Markup::emphasis_off();
-            cout << ": " << Markup::escape(pegs->help);
-            cout << Markup::escape(peg_op(pegs->type));
+            cout << ": " << pegs->help;
+            cout << peg_op(pegs->type);
             cout << endl;
             ++pegs;
         }
@@ -1294,7 +1294,7 @@ void ModuleManager::show_rules(const char* pfx, bool exact)
             cout << gid << ":" << r->sid;
             cout << Markup::emphasis_off();
             cout << " (" << m->get_name() << ")";
-            cout << " " << Markup::escape(r->msg);
+            cout << " " << r->msg;
             cout << endl;
             r++;
         }
diff --git a/src/managers/plugin_manager.cc b/src/managers/plugin_manager.cc
index 671dca085..8abb108e6 100644
--- a/src/managers/plugin_manager.cc
+++ b/src/managers/plugin_manager.cc
@@ -412,7 +412,7 @@ void PluginManager::list_plugins()
     {
         Plugin& p = it->second;
         cout << Markup::item();
-        cout << Markup::escape(p.key);
+        cout << p.key;
         cout << " v" << p.api->version;
         cout << " " << p.source;
         cout << endl;
diff --git a/tools/snort2lua/helpers/parse_cmd_line.cc b/tools/snort2lua/helpers/parse_cmd_line.cc
index bd2a021e3..282d0bfaf 100644
--- a/tools/snort2lua/helpers/parse_cmd_line.cc
+++ b/tools/snort2lua/helpers/parse_cmd_line.cc
@@ -509,7 +509,7 @@ static void help_args(const char* /*pfx*/, const char* /*val*/)
                 else
                     std::cout << "\n" << std::setw(name_field_len) << " ";
 
-                std::cout << std::left << Markup::escape(help_str.substr(0, len));
+                std::cout << std::left << help_str.substr(0, len);
 
                 if (len < help_str.size())
                     help_str = help_str.substr(len + 1);
diff --git a/tools/snort2lua/helpers/s2l_markup.cc b/tools/snort2lua/helpers/s2l_markup.cc
index 6b20cf916..06adca857 100644
--- a/tools/snort2lua/helpers/s2l_markup.cc
+++ b/tools/snort2lua/helpers/s2l_markup.cc
@@ -69,28 +69,18 @@ const string& Markup::emphasis(const string& s)
 const string& Markup::escape(const char* const c)
 { return escape(string(c)); }
 
-// FIXIT-L some asciidoc characters need to be escaped.
-// This function should escape all of those characters
 const string& Markup::escape(const string& s)
 {
     static string m;
     m = s;
 
-#if 0
+    const char* const asciidoc_chars = "+*<>[]^'";
 
-    const char* const asciidoc_chars = "*<>^'";
-
-    if (enabled)
+    if ( enabled and (m.find_first_of(asciidoc_chars, 0) != string::npos) )
     {
-        for (size_t found = m.find_first_of(asciidoc_chars, 0);
-            found != string::npos;
-            found = m.find_first_of(asciidoc_chars, found))
-        {
-            m.insert(found, "\\");
-            found +=2;
-        }
+        m.insert(0, "`");
+        m += "`";
     }
-#endif
     return m;
 }