From: Mike Stepanek (mstepane) <mstepane@cisco.com>
Date: Thu, 6 Aug 2020 12:15:50 +0000 (+0000)
Subject: Merge pull request #2367 in SNORT/snort3 from ~MSTEPANE/snort3:3_0_2_build_4 to master
X-Git-Tag: 3.0.2-4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbb33198cb68874abda48e9892723f94c1c0baa3;p=thirdparty%2Fsnort3.git

Merge pull request #2367 in SNORT/snort3 from ~MSTEPANE/snort3:3_0_2_build_4 to master

Squashed commit of the following:

commit 70e0c1d9a7e51c6f5edbd3b734bb9b68e36e8523
Author: Mike Stepanek <mstepane@cisco.com>
Date:   Fri Jul 31 08:12:24 2020 -0400

    build: generate and tag 3.0.2 build 4
---

diff --git a/ChangeLog b/ChangeLog
index d6b5c1367..24033760c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,61 @@
+2020/08/06 - 3.0.2 build 4
+
+-- appid: Clear service appid entries in dynamic host cache on ODP reload
+-- appid: Generate event notification when dns host is set
+-- dce_rpc: Fix for smb crash while tcp session pruning
+-- dce_rpc: Fix for smb session cleanup issue
+-- dce_rpc: Use file name hash as file id
+-- doc: Add documentation for dumping consolidated config in text format
+-- flow: Fixing free_flow_data logic
+-- http_inspect: Code clean up
+-- http_inspect: Test tool enhancement
+-- main: Dump consolidated config in the text format
+-- rna: Fix redefined macro warnings in between unit-test tools
+-- rna: TCP fingerprint input and retrieval
+-- utils: Keep deprecated attribute table pegcounts
+
+2020/07/28 - 3.0.2 build 3
+
+-- active: Move Active enabled flag into SnortConfig
+-- appid: For http traffic, if payload cannot be detected, set it to unknown
+-- appid: Move appid data needed by external components to stash
+-- appid: Support ODP reload for multiple packet threads and new session
+-- dce_rpc: Improve PAF autodetection for heavily segmented TCP traffic
+-- doc: Split Snort manual into separate user, reference, and upgrade docs.
+-- doc: Update default text manuals
+-- doc: Update extending.txt about TraceLogger plugin
+-- file_api: Log event generated when lookup timedout
+-- ftp_telnet: Remove global config variable shared between multiple threads to prevent data race
+-- http2_inpsect: Fix interaction with tool tcpclose
+-- http2_inspect: Fix stream_in_hi
+-- http2_inspect: General code cleanup
+-- http_inspect: Do partial inspections incrementally
+-- http_inspect: Reduce memory used by partial inspections
+-- main: Rename the config options to ignore flowbits and rules warnings
+-- parser: Add support for variables with each ips policy
+-- payload_injector: Add HTTP page translation
+-- payload_injector: Extend utility to support HTTP/2 (no injection)
+-- pub_sub: Added a method in HttpEvent to retrieve true client-ip address from HTTP header based
+   on priority
+-- rna: Fingerprint reader class and lookup table for tcp fingerprints
+-- snort_defaults: Remove the NOTIFY, SUBSCRIBE, and UPDATE HTTP methods
+-- stream_tcp: Only perform paws validation on real packets, skip this on meta-ack packets
+-- stream_tcp: When clearing a session during meta-ack processing pass a nullptr as the Packet*
+   parameter
+-- target_based: Add mutex lock to ensure host service accesses are thread safe
+-- target_based: Move host attribute peg counts from the process pegs to stats specific to host
+   attribute operations
+-- target_based: Refactor host attribute to use the LruCacheShared data store class to support
+   thread safe access
+-- target_based: Streamline host attribute table activate and swap logic on startup and reload
+-- trace: Add support for extending TraceLogger as a passive inspector plugin
+-- wizard: Abandon the wizard on UDP flows after the first packet
+-- wizard: Abort the splitter once we've hit the max PDU size
+-- wizard: Add peg counts for abandoned searches per protocol
+-- wizard: Improve wizard tracing to indicate direction and abandonment
+-- wizard: Properly terminate hex matching
+-- wizard: Report spell and hex configuration errors and warnings
+
 2020/07/15 - 3.0.2 build 2
 
 -- appid: Moving thread local ODP stuff to a new class
diff --git a/doc/reference/snort_reference.text b/doc/reference/snort_reference.text
index d4a510a4a..25ddaebee 100644
--- a/doc/reference/snort_reference.text
+++ b/doc/reference/snort_reference.text
@@ -8,7 +8,7 @@ Snort 3 Reference Manual
 The Snort Team
 
 Revision History
-Revision 3.0.2 (Build 2) 2020-07-23 11:20:26 EDT TST
+Revision 3.0.2 (Build 4) 2020-08-06 08:06:49 EDT TST
 
 ---------------------------------------------------------------------
 
@@ -824,6 +824,21 @@ Configuration:
   * enum hosts[].services[].proto = tcp: IP protocol { tcp | udp }
   * port hosts[].services[].port: port number
 
+Peg counts:
+
+  * hosts.total_hosts: maximum number of entries in the host
+    attribute table (max)
+  * hosts.hosts_pruned: number of LRU hosts pruned due to configured
+    resource limits (sum)
+  * hosts.dynamic_host_adds: number of host additions after initial
+    host file load (sum)
+  * hosts.dynamic_service_adds: number of service additions after
+    initial host file load (sum)
+  * hosts.dynamic_service_updates: number of service updates after
+    initial host file load (sum)
+  * hosts.service_list_overflows: number of service additions that
+    failed due to configured resource limits (sum)
+
 
 2.14. inspection
 
@@ -874,6 +889,7 @@ Configuration:
     rules too)
   * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
     policy uuid
+  * string ips.variables.$var: IPS policy variable
 
 
 2.16. latency
@@ -892,7 +908,6 @@ Configuration:
     thresholding (usec) { 0:max53 }
   * bool latency.packet.fastpath = false: fastpath expensive packets
     (max_time exceeded)
-  * bool latency.packet.test_timeout = false: timeout on every packet
   * int latency.rule.max_time = 500: set timeout for rule evaluation
     (usec) { 0:max53 }
   * bool latency.rule.suspend = false: temporarily suspend expensive
@@ -902,8 +917,6 @@ Configuration:
   * int latency.rule.max_suspend_time = 30000: set max time for
     suspending a rule (ms, 0 means permanently disable rule) {
     0:max32 }
-  * bool latency.rule.test_timeout = false: timeout on every rule
-    evaluation
 
 Rules:
 
@@ -1014,7 +1027,7 @@ Configuration:
   * bool output.verbose = false: be verbose (same as -v)
   * bool output.obfuscate = false: obfuscate the logged IP addresses
     (same as -O)
-  * bool output.wide_hex_dump = true: output 20 bytes per lines
+  * bool output.wide_hex_dump = false: output 20 bytes per lines
     instead of 16 when dumping buffers
 
 
@@ -1080,6 +1093,8 @@ Peg counts:
 
   * payload_injector.http_injects: total number of http injections
     (sum)
+  * payload_injector.http2_injects: total number of http2 injections
+    (sum)
 
 
 2.23. process
@@ -1392,6 +1407,7 @@ Configuration:
   * implied snort.--dirty-pig: don’t flush packets on shutdown
   * string snort.--dump-builtin-rules: [<module prefix>] output stub
     rules for selected modules { (optional) }
+  * implied snort.--dump-config-text: dump config in text format
   * implied snort.--dump-dynamic-rules: output stub rules for all
     loaded rules libraries
   * string snort.--dump-defaults: [<module prefix>] output module
@@ -1432,10 +1448,6 @@ Configuration:
     logdir instead of instance filename prefix
   * implied snort.--id-zero: use id prefix / subdirectory even with
     one packet thread
-  * implied snort.--ignore-warn-flowbits: ignore warnings about
-    flowbits that are checked but not set and vice-versa
-  * implied snort.--ignore-warn-rules: ignore warnings about
-    duplicate rules and rule parsing issues
   * string snort.--include-path: <path> where to find Lua and rule
     included files; searched before current or config directories
   * implied snort.--list-buffers: output available inspection buffers
@@ -1460,10 +1472,12 @@ Configuration:
   * implied snort.--nostamps: don’t include timestamps in log file
     names
   * implied snort.--nolock-pidfile: do not try to lock Snort PID file
+  * implied snort.--no-warn-flowbits: ignore warnings about flowbits
+    that are checked but not set and vice-versa
+  * implied snort.--no-warn-rules: ignore warnings about duplicate
+    rules and rule parsing issues
   * implied snort.--pause: wait for resume/quit command before
     processing packets/terminating
-  * int snort.--pause-after-n: <count> pause after count packets {
-    1:max53 }
   * string snort.--pcap-file: <file> file that contains a list of
     pcaps to read - read mode is implied
   * string snort.--pcap-list: <list> a space separated list of pcaps
@@ -1479,7 +1493,6 @@ Configuration:
   * implied snort.--pcap-show: print a line saying what pcap is
     currently being read
   * implied snort.--pedantic: warnings are fatal
-  * implied snort.--piglet: enable piglet test harness mode
   * string snort.--plugin-path: <path> a colon separated list of
     directories or plugin libraries
   * implied snort.--process-all-events: process all action groups
@@ -1511,8 +1524,6 @@ Configuration:
   * implied snort.--treat-drop-as-ignore: use drop, block, and reset
     rules to ignore session traffic when not inline
   * string snort.--tweaks: tune configuration
-  * string snort.--catch-test: comma separated list of cat unit test
-    tags or all
   * implied snort.--version: show version number (same as -V)
   * implied snort.--warn-all: enable all warnings
   * implied snort.--warn-conf: warn about configuration issues
@@ -1537,7 +1548,6 @@ Configuration:
     { 0x00:0xFF }
   * string snort.--x2s: output ASCII string for given byte code (see
     also --x2c)
-  * implied snort.--trace: turn on main loop debug trace
 
 Commands:
 
@@ -1612,11 +1622,10 @@ Usage: global
 
 Configuration:
 
-  * int trace.modules.latency.all: enable all trace options { 0:255 }
-  * int trace.modules.snort.all: enable all trace options { 0:255 }
-  * int trace.modules.snort.main: enable main trace logging { 0:255 }
-  * int trace.modules.snort.inspector_manager: enable inspector
-    manager trace logging { 0:255 }
+  * int trace.modules.appid.all: enable all trace options { 0:255 }
+  * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
+  * int trace.modules.dce_udp.all: enable all trace options { 0:255 }
+  * int trace.modules.decode.all: enable all trace options { 0:255 }
   * int trace.modules.detection.all: enable all trace options { 0:255
     }
   * int trace.modules.detection.detect_engine: enable detection
@@ -1635,18 +1644,19 @@ Configuration:
     logging { 0:255 }
   * int trace.modules.detection.tag: enable tag trace logging { 0:255
     }
+  * int trace.modules.gtp_inspect.all: enable all trace options {
+    0:255 }
+  * int trace.modules.latency.all: enable all trace options { 0:255 }
+  * int trace.modules.snort.all: enable all trace options { 0:255 }
+  * int trace.modules.snort.main: enable main trace logging { 0:255 }
+  * int trace.modules.snort.inspector_manager: enable inspector
+    manager trace logging { 0:255 }
+  * int trace.modules.stream.all: enable all trace options { 0:255 }
   * int trace.modules.stream_ip.all: enable all trace options { 0:255
     }
   * int trace.modules.stream_user.all: enable all trace options {
     0:255 }
   * int trace.modules.wizard.all: enable all trace options { 0:255 }
-  * int trace.modules.dce_smb.all: enable all trace options { 0:255 }
-  * int trace.modules.dce_udp.all: enable all trace options { 0:255 }
-  * int trace.modules.decode.all: enable all trace options { 0:255 }
-  * int trace.modules.stream.all: enable all trace options { 0:255 }
-  * int trace.modules.gtp_inspect.all: enable all trace options {
-    0:255 }
-  * int trace.modules.appid.all: enable all trace options { 0:255 }
   * int trace.constraints.ip_proto: numerical IP protocol ID filter {
     0:255 }
   * string trace.constraints.src_ip: source IP address filter
@@ -2365,9 +2375,6 @@ Usage: context
 
 Configuration:
 
-  * int appid.first_decrypted_packet_debug = 0: the first packet of
-    an already decrypted SSL flow (debug single session only) {
-    0:max32 }
   * int appid.memcap = 1048576: max size of the service cache before
     we start pruning the cache { 1024:maxSZ }
   * bool appid.log_stats = false: enable logging of appid statistics
@@ -2389,8 +2396,6 @@ Configuration:
     on startup
   * bool appid.log_all_sessions = false: enable logging of all appid
     sessions
-  * bool appid.load_odp_detectors_in_ctrl = false: load odp detectors
-    in control thread
 
 Commands:
 
@@ -2398,6 +2403,7 @@ Commands:
     enable appid debugging
   * appid.disable_debug(): disable appid debugging
   * appid.reload_third_party(): reload appid third-party module
+  * appid.reload_odp(): reload appid open detector package
 
 Peg counts:
 
@@ -2413,6 +2419,10 @@ Peg counts:
     the service cache (sum)
   * appid.service_cache_removes: number of times an item was removed
     from the service cache (sum)
+  * appid.odp_reload_ignored_pkts: count of packets ignored after
+    open detector package is reloaded (sum)
+  * appid.tp_reload_ignored_pkts: count of packets ignored after
+    third-party module is reloaded (sum)
 
 
 5.2. appid_listener
@@ -3467,20 +3477,6 @@ Type: inspector
 
 Usage: inspect
 
-Configuration:
-
-  * bool http2_inspect.test_input = false: read HTTP/2 messages from
-    text file
-  * bool http2_inspect.test_output = false: print out HTTP section
-    data
-  * int http2_inspect.print_amount = 1200: number of characters to
-    print from a Field { 1:max53 }
-  * bool http2_inspect.print_hex = false: nonprinting characters
-    printed in [HH] format instead of using an asterisk
-  * bool http2_inspect.show_pegs = true: display peg counts with test
-    output
-  * bool http2_inspect.show_scan = false: display scanned segments
-
 Rules:
 
   * 121:1 (http2_inspect) error in HPACK integer value
@@ -3577,17 +3573,6 @@ Configuration:
     normalizing URIs
   * bool http_inspect.simplify_path = true: reduce URI directory path
     to simplest form
-  * bool http_inspect.test_input = false: read HTTP messages from
-    text file
-  * bool http_inspect.test_output = false: print out HTTP section
-    data
-  * int http_inspect.print_amount = 1200: number of characters to
-    print from a Field { 1:max53 }
-  * bool http_inspect.print_hex = false: nonprinting characters
-    printed in [HH] format instead of using an asterisk
-  * bool http_inspect.show_pegs = true: display peg counts with test
-    output
-  * bool http_inspect.show_scan = false: display scanned segments
 
 Rules:
 
@@ -4785,8 +4770,6 @@ Usage: global
 
 Configuration:
 
-  * int stream.footprint = 0: use zero for production, non-zero for
-    testing at given size (for TCP and user) { 0:max32 }
   * bool stream.ip_frags_only = false: don’t process non-frag flows
   * int stream.max_flows = 476288: maximum simultaneous flows tracked
     before pruning { 2:max32 }
@@ -7805,6 +7788,7 @@ these libraries see the Getting Started section of the manual.
   * --dirty-pig don’t flush packets on shutdown
   * --dump-builtin-rules [<module prefix>] output stub rules for
     selected modules (optional)
+  * --dump-config-text dump config in text format
   * --dump-dynamic-rules output stub rules for all loaded rules
     libraries
   * --dump-defaults [<module prefix>] output module defaults in Lua
@@ -7840,10 +7824,6 @@ these libraries see the Getting Started section of the manual.
     of instance filename prefix
   * --id-zero use id prefix / subdirectory even with one packet
     thread
-  * --ignore-warn-flowbits ignore warnings about flowbits that are
-    checked but not set and vice-versa
-  * --ignore-warn-rules ignore warnings about duplicate rules and
-    rule parsing issues
   * --include-path <path> where to find Lua and rule included files;
     searched before current or config directories
   * --list-buffers output available inspection buffers
@@ -7865,9 +7845,12 @@ these libraries see the Getting Started section of the manual.
     string in metadata if set
   * --nostamps don’t include timestamps in log file names
   * --nolock-pidfile do not try to lock Snort PID file
+  * --no-warn-flowbits ignore warnings about flowbits that are
+    checked but not set and vice-versa
+  * --no-warn-rules ignore warnings about duplicate rules and rule
+    parsing issues
   * --pause wait for resume/quit command before processing packets/
     terminating
-  * --pause-after-n <count> pause after count packets (1:max53)
   * --pcap-file <file> file that contains a list of pcaps to read -
     read mode is implied
   * --pcap-list <list> a space separated list of pcaps to read - read
@@ -7882,7 +7865,6 @@ these libraries see the Getting Started section of the manual.
     file or directory
   * --pcap-show print a line saying what pcap is currently being read
   * --pedantic warnings are fatal
-  * --piglet enable piglet test harness mode
   * --plugin-path <path> a colon separated list of directories or
     plugin libraries
   * --process-all-events process all action groups
@@ -7911,7 +7893,6 @@ these libraries see the Getting Started section of the manual.
   * --treat-drop-as-ignore use drop, block, and reset rules to ignore
     session traffic when not inline
   * --tweaks tune configuration
-  * --catch-test comma separated list of cat unit test tags or all
   * --version show version number (same as -V)
   * --warn-all enable all warnings
   * --warn-conf warn about configuration issues
@@ -7931,7 +7912,6 @@ these libraries see the Getting Started section of the manual.
   * --x2c output ASCII char for given hex (see also --c2x)
     (0x00:0xFF)
   * --x2s output ASCII string for given byte code (see also --x2c)
-  * --trace turn on main loop debug trace
 
 
 11.4. Configuration
@@ -8029,13 +8009,8 @@ these libraries see the Getting Started section of the manual.
     logging appid statistics { 1:max32 }
   * int appid.app_stats_rollover_size = 20971520: max file size for
     appid stats before rolling over the log file { 0:max32 }
-  * int appid.first_decrypted_packet_debug = 0: the first packet of
-    an already decrypted SSL flow (debug single session only) {
-    0:max32 }
   * bool appid.list_odp_detectors = false: enable logging of odp
     detectors statistics
-  * bool appid.load_odp_detectors_in_ctrl = false: load odp detectors
-    in control thread
   * bool appid.log_all_sessions = false: enable logging of all appid
     sessions
   * bool appid.log_stats = false: enable logging of appid statistics
@@ -8558,17 +8533,6 @@ these libraries see the Getting Started section of the manual.
   * port host_tracker[].services[].port: port number
   * enum host_tracker[].services[].proto: IP protocol { ip | tcp |
     udp }
-  * int http2_inspect.print_amount = 1200: number of characters to
-    print from a Field { 1:max53 }
-  * bool http2_inspect.print_hex = false: nonprinting characters
-    printed in [HH] format instead of using an asterisk
-  * bool http2_inspect.show_pegs = true: display peg counts with test
-    output
-  * bool http2_inspect.show_scan = false: display scanned segments
-  * bool http2_inspect.test_input = false: read HTTP/2 messages from
-    text file
-  * bool http2_inspect.test_output = false: print out HTTP section
-    data
   * implied http_cookie.request: match against the cookie from the
     request message even when examining the response
   * implied http_cookie.with_body: parts of this rule examine HTTP
@@ -8624,23 +8588,12 @@ these libraries see the Getting Started section of the manual.
     encodings
   * bool http_inspect.plus_to_space = true: replace + with <sp> when
     normalizing URIs
-  * int http_inspect.print_amount = 1200: number of characters to
-    print from a Field { 1:max53 }
-  * bool http_inspect.print_hex = false: nonprinting characters
-    printed in [HH] format instead of using an asterisk
   * int http_inspect.request_depth = -1: maximum request message body
     bytes to examine (-1 no limit) { -1:max53 }
   * int http_inspect.response_depth = -1: maximum response message
     body bytes to examine (-1 no limit) { -1:max53 }
-  * bool http_inspect.show_pegs = true: display peg counts with test
-    output
-  * bool http_inspect.show_scan = false: display scanned segments
   * bool http_inspect.simplify_path = true: reduce URI directory path
     to simplest form
-  * bool http_inspect.test_input = false: read HTTP messages from
-    text file
-  * bool http_inspect.test_output = false: print out HTTP section
-    data
   * bool http_inspect.unzip = true: decompress gzip and deflate
     message bodies
   * bool http_inspect.utf8_bare_byte = false: when doing UTF-8
@@ -8793,6 +8746,7 @@ these libraries see the Getting Started section of the manual.
     rules too)
   * string ips.uuid = 00000000-0000-0000-0000-000000000000: IPS
     policy uuid
+  * string ips.variables.$var: IPS policy variable
   * string isdataat.~length: num | !num
   * implied isdataat.relative: offset from cursor instead of start of
     buffer
@@ -8802,7 +8756,6 @@ these libraries see the Getting Started section of the manual.
     (max_time exceeded)
   * int latency.packet.max_time = 500: set timeout for packet latency
     thresholding (usec) { 0:max53 }
-  * bool latency.packet.test_timeout = false: timeout on every packet
   * int latency.rule.max_suspend_time = 30000: set max time for
     suspending a rule (ms, 0 means permanently disable rule) {
     0:max32 }
@@ -8812,8 +8765,6 @@ these libraries see the Getting Started section of the manual.
     rules
   * int latency.rule.suspend_threshold = 5: set threshold for number
     of timeouts before suspending a rule { 1:max32 }
-  * bool latency.rule.test_timeout = false: timeout on every rule
-    evaluation
   * bool log_codecs.file = false: output to log_codecs.txt instead of
     stdout
   * bool log_codecs.msg = false: include alert msg
@@ -8931,7 +8882,7 @@ these libraries see the Getting Started section of the manual.
   * int output.tagged_packet_limit = 256: maximum number of packets
     tagged for non-packet metrics { 0:max32 }
   * bool output.verbose = false: be verbose (same as -v)
-  * bool output.wide_hex_dump = true: output 20 bytes per lines
+  * bool output.wide_hex_dump = false: output 20 bytes per lines
     instead of 16 when dumping buffers
   * bool packet_capture.enable = false: initially enable packet
     dumping
@@ -9353,8 +9304,6 @@ these libraries see the Getting Started section of the manual.
   * string snort.--bpf: <filter options> are standard BPF options, as
     seen in TCPDump
   * string snort.--c2x: output hex for given char (see also --x2c)
-  * string snort.--catch-test: comma separated list of cat unit test
-    tags or all
   * string snort.-c: <conf> use this configuration
   * string snort.--control-socket: <file> to create unix socket
   * implied snort.-C: print out payloads with character data only (no
@@ -9378,6 +9327,7 @@ these libraries see the Getting Started section of the manual.
   * implied snort.-D: run Snort in background (daemon) mode
   * string snort.--dump-builtin-rules: [<module prefix>] output stub
     rules for selected modules { (optional) }
+  * implied snort.--dump-config-text: dump config in text format
   * string snort.--dump-defaults: [<module prefix>] output module
     defaults in Lua format { (optional) }
   * implied snort.--dump-dynamic-rules: output stub rules for all
@@ -9424,10 +9374,6 @@ these libraries see the Getting Started section of the manual.
     logdir instead of instance filename prefix
   * implied snort.--id-zero: use id prefix / subdirectory even with
     one packet thread
-  * implied snort.--ignore-warn-flowbits: ignore warnings about
-    flowbits that are checked but not set and vice-versa
-  * implied snort.--ignore-warn-rules: ignore warnings about
-    duplicate rules and rule parsing issues
   * string snort.-i: <iface>… list of interfaces
   * string snort.--include-path: <path> where to find Lua and rule
     included files; searched before current or config directories
@@ -9463,11 +9409,13 @@ these libraries see the Getting Started section of the manual.
   * implied snort.--nolock-pidfile: do not try to lock Snort PID file
   * implied snort.--nostamps: don’t include timestamps in log file
     names
+  * implied snort.--no-warn-flowbits: ignore warnings about flowbits
+    that are checked but not set and vice-versa
+  * implied snort.--no-warn-rules: ignore warnings about duplicate
+    rules and rule parsing issues
   * implied snort.-O: obfuscate the logged IP addresses
   * string snort.-?: <option prefix> output matching command line
     option quick help (same as --help-options) { (optional) }
-  * int snort.--pause-after-n: <count> pause after count packets {
-    1:max53 }
   * implied snort.--pause: wait for resume/quit command before
     processing packets/terminating
   * string snort.--pcap-dir: <dir> a directory to recurse to look for
@@ -9485,7 +9433,6 @@ these libraries see the Getting Started section of the manual.
   * implied snort.--pcap-show: print a line saying what pcap is
     currently being read
   * implied snort.--pedantic: warnings are fatal
-  * implied snort.--piglet: enable piglet test harness mode
   * string snort.--plugin-path: <path> a colon separated list of
     directories or plugin libraries
   * implied snort.--process-all-events: process all action groups
@@ -9522,7 +9469,6 @@ these libraries see the Getting Started section of the manual.
     talos)
   * string snort.-t: <dir> chroots process to <dir> after
     initialization
-  * implied snort.--trace: turn on main loop debug trace
   * implied snort.--treat-drop-as-alert: converts drop, block, and
     reset rules into alert rules when loaded
   * implied snort.--treat-drop-as-ignore: use drop, block, and reset
@@ -9616,8 +9562,6 @@ these libraries see the Getting Started section of the manual.
   * int stream.file_cache.idle_timeout = 180: maximum inactive time
     before retiring session tracker { 1:max32 }
   * bool stream_file.upload = false: indicate file transfer direction
-  * int stream.footprint = 0: use zero for production, non-zero for
-    testing at given size (for TCP and user) { 0:max32 }
   * int stream.held_packet_timeout = 1000: timeout in milliseconds
     for held packets { 1:max32 }
   * int stream.icmp_cache.cap_weight = 0: additional bytes to track
@@ -9834,6 +9778,8 @@ these libraries see the Getting Started section of the manual.
   * appid.appid_unknown: count of sessions where appid could not be
     determined (sum)
   * appid.ignored_packets: count of packets ignored (sum)
+  * appid.odp_reload_ignored_pkts: count of packets ignored after
+    open detector package is reloaded (sum)
   * appid.packets: count of packets received (sum)
   * appid.processed_packets: count of packets processed (sum)
   * appid.service_cache_adds: number of times an entry was added to
@@ -9843,6 +9789,8 @@ these libraries see the Getting Started section of the manual.
   * appid.service_cache_removes: number of times an item was removed
     from the service cache (sum)
   * appid.total_sessions: count of sessions created (sum)
+  * appid.tp_reload_ignored_pkts: count of packets ignored after
+    third-party module is reloaded (sum)
   * arp_spoof.packets: total packets (sum)
   * back_orifice.packets: total packets (sum)
   * binder.allows: allow bindings (sum)
@@ -10289,6 +10237,18 @@ these libraries see the Getting Started section of the manual.
     during reload (sum)
   * host_cache.removes: lru cache found entry and removed it (sum)
   * host_cache.replaced: lru cache found entry and replaced it (sum)
+  * hosts.dynamic_host_adds: number of host additions after initial
+    host file load (sum)
+  * hosts.dynamic_service_adds: number of service additions after
+    initial host file load (sum)
+  * hosts.dynamic_service_updates: number of service updates after
+    initial host file load (sum)
+  * hosts.hosts_pruned: number of LRU hosts pruned due to configured
+    resource limits (sum)
+  * hosts.service_list_overflows: number of service additions that
+    failed due to configured resource limits (sum)
+  * hosts.total_hosts: maximum number of entries in the host
+    attribute table (max)
   * host_tracker.service_adds: host service adds (sum)
   * host_tracker.service_finds: host service finds (sum)
   * http2_inspect.concurrent_sessions: total concurrent HTTP/2
@@ -10465,6 +10425,8 @@ these libraries see the Getting Started section of the manual.
   * packet_capture.captured: packets matching dumped after matching
     filter (sum)
   * packet_capture.processed: packets processed against filter (sum)
+  * payload_injector.http2_injects: total number of http2 injections
+    (sum)
   * payload_injector.http_injects: total number of http injections
     (sum)
   * pcre.pcre_native: total pcre rules compiled by pcre engine (sum)
@@ -11531,6 +11493,7 @@ these libraries see the Getting Started section of the manual.
     enable appid debugging
   * appid.disable_debug(): disable appid debugging
   * appid.reload_third_party(): reload appid third-party module
+  * appid.reload_odp(): reload appid open detector package
   * host_cache.dump(file_name): dump host cache
   * packet_capture.enable(filter): dump raw packets
   * packet_capture.disable(): stop packet dump
@@ -12254,14 +12217,6 @@ and are not applicable elsewhere.
   * logger::log_null: disable logging of packets
   * logger::log_pcap: log packet in pcap format
   * logger::unified2: output event and packet in unified2 format file
-  * piglet::pp_codec: Codec piglet
-  * piglet::pp_inspector: Inspector piglet
-  * piglet::pp_ips_action: Ips action piglet
-  * piglet::pp_ips_option: Ips option piglet
-  * piglet::pp_logger: Logger piglet
-  * piglet::pp_search_engine: Search engine piglet
-  * piglet::pp_so_rule: SO rule piglet
-  * piglet::pp_test: Test piglet
   * search_engine::ac_banded: Aho-Corasick Banded (high memory,
     moderate performance)
   * search_engine::ac_bnfa: Aho-Corasick Binary NFA (low memory, high
diff --git a/doc/upgrade/snort_upgrade.text b/doc/upgrade/snort_upgrade.text
index f452faee2..92903c45f 100644
--- a/doc/upgrade/snort_upgrade.text
+++ b/doc/upgrade/snort_upgrade.text
@@ -8,7 +8,7 @@ Snort 3 Upgrade Manual
 The Snort Team
 
 Revision History
-Revision 3.0.2 (Build 2) 2020-07-23 14:25:50 EDT TST
+Revision 3.0.2 (Build 4) 2020-08-06 08:06:38 EDT TST
 
 ---------------------------------------------------------------------
 
@@ -422,6 +422,8 @@ Some things Snort++ can do today that Snort can not do as well:
   * stream5_tcp: prune_log_max deleted; to be replaced with histogram
   * stream5_tcp: max_active_responses, min_response_seconds moved to
     active.max_responses, min_interval
+  * ips policies support snort variables (_PATH, _PORT, _NET,
+    _SERVER), ips = { variables = { var1 = expr1, var2 = expr2, … } }
 
 
 2.6. Rules
@@ -665,8 +667,6 @@ Converts the Snort configuration file specified by the -c or
   * --output-file=<out_file> Same as -o. output the new Snort++ lua
     configuration to <out_file>
   * --print-all Same as -a. default option. print all data
-  * --print-binding-order Print sorting priority used when generating
-    binder table
   * --print-differences Same as -d. output the differences, and only
     the differences, between the Snort and Snort++ configurations to
     the <out_file>
diff --git a/doc/user/snort_user.text b/doc/user/snort_user.text
index f92069183..87fe7f432 100644
--- a/doc/user/snort_user.text
+++ b/doc/user/snort_user.text
@@ -8,7 +8,7 @@ Snort 3 User Manual
 The Snort Team
 
 Revision History
-Revision 3.0.2 (Build 2) 2020-07-23 11:19:59 EDT TST
+Revision 3.0.2 (Build 4) 2020-08-06 08:06:38 EDT TST
 
 ---------------------------------------------------------------------
 
@@ -59,20 +59,21 @@ Table of Contents
     5.2. AppId
     5.3. Binder
     5.4. Byte rule options
-    5.5. DCE Inspectors
-    5.6. File Processing
-    5.7. High Availability
-    5.8. FTP
-    5.9. HTTP Inspector
-    5.10. HTTP/2 Inspector
-    5.11. Performance Monitor
-    5.12. POP and IMAP
-    5.13. Port Scan
-    5.14. Sensitive Data Filtering
-    5.15. SMTP
-    5.16. Telnet
-    5.17. Trace
-    5.18. Wizard
+    5.5. Consolidated Config
+    5.6. DCE Inspectors
+    5.7. File Processing
+    5.8. High Availability
+    5.9. FTP
+    5.10. HTTP Inspector
+    5.11. HTTP/2 Inspector
+    5.12. Performance Monitor
+    5.13. POP and IMAP
+    5.14. Port Scan
+    5.15. Sensitive Data Filtering
+    5.16. SMTP
+    5.17. Telnet
+    5.18. Trace
+    5.19. Wizard
 
 6. DAQ Configuration and Modules
 
@@ -2411,7 +2412,70 @@ content:"|00 00 00 01 00 00 00 01|", offset 20, depth 8;
 byte_test:4,>,200,36;
 
 
-5.5. DCE Inspectors
+5.5. Consolidated Config
+
+--------------
+
+Using Consolidated Config output enables troubleshooting of
+configuration issues. The output contains applied configurations (
+defaults and configured ) and is printed for the main config and all
+included policies. So far, Snort supports output in text format.
+
+5.5.1. Text Format
+
+The --dump-config-text option verifies the configuration and dumps it
+to stdout in text format.
+
+Example:
+
+consolidated config for snort.lua
+binder[0].when.ips_policy_id=0
+binder[0].when.role='any'
+binder[0].when.nets='10.1.2.0/24'
+binder[0].use.action='inspect'
+binder[1].when.ips_policy_id=0
+binder[1].when.role='any'
+binder[1].when.nets='192.168.2.0/24'
+binder[1].use.action='inspect'
+host_cache.memcap=8.38861e+06
+network.checksum_drop='none'
+network.checksum_eval='all'
+network.max_ip_layers=0
+process.daemon=false
+process.dirty_pig=false
+process.utc=false
+stream_tcp.flush_factor=0
+stream_tcp.max_window=0
+stream_tcp.overlap_limit=0
+stream_tcp.max_pdu=16384
+stream.footprint=0
+stream.ip_frags_only=false
+trace.modules.appid.all=1
+trace.modules.detection.opt_tree=2
+trace.modules.detection.fp_search=4
+trace.modules.detection.rule_eval=1
+trace.modules.wizard.all=1
+trace.constraints.match=true
+trace.constraints.dst_ip='10.1.1.2'
+trace.constraints.dst_port=200
+trace.constraints.src_port=100
+trace.constraints.ip_proto=17
+trace.output='stdout'
+wizard.spells[0].proto='tcp'
+wizard.spells[0].client_first=true
+wizard.spells[0].service='http'
+wizard.spells[0].to_client[0].spell='HTTP/'
+wizard.spells[0].to_server[0].spell='GET'
+wizard.spells[1].proto='tcp'
+wizard.spells[1].client_first=true
+wizard.spells[1].service='sip'
+wizard.spells[1].to_server[0].spell='INVITE'
+
+For lists, the index next to the option name designates an element
+parsing order.
+
+
+5.6. DCE Inspectors
 
 --------------
 
@@ -2419,7 +2483,7 @@ The main purpose of these inspector are to perform SMB desegmentation
 and DCE/RPC defragmentation to avoid rule evasion using these
 techniques.
 
-5.5.1. Overview
+5.6.1. Overview
 
 The following transports are supported for DCE/RPC: SMB, TCP, and
 UDP. New rule options have been implemented to improve performance,
@@ -2435,7 +2499,7 @@ defragmentation, are copied into each inspector configuration. The
 address/port mapping is handled by the binder. Autodetect
 functionality is replaced by wizard curses.
 
-5.5.2. Quick Guide
+5.6.2. Quick Guide
 
 A typical dcerpce configuration looks like this:
 
@@ -2485,7 +2549,7 @@ dce_udp = { }
 In this example, it defines smb, tcp and udp inspectors based on
 port. All the configurations are default.
 
-5.5.3. Target Based
+5.6.3. Target Based
 
 There are enough important differences between Windows and Samba
 versions that a target based approach has been implemented. Some
@@ -2514,7 +2578,7 @@ different policy. Here are the list of policies supported:
   * Samba-3.0.22
   * Samba-3.0.20
 
-5.5.4. Reassembling
+5.6.4. Reassembling
 
 Both SMB inspector and TCP inspector support reassemble. Reassemble
 threshold specifies a minimum number of bytes in the DCE/RPC
@@ -2525,13 +2589,13 @@ before full defragmentation is done. A value of 0 s supplied as an
 argument to this option will, in effect, disable this option. Default
 is disabled.
 
-5.5.5. SMB
+5.6.5. SMB
 
 SMB inspector is one of the most complex inspectors. In addition to
 supporting rule options and lots of inspector rule events, it also
 supports file processing for both SMB version 1, 2, and 3.
 
-5.5.5.1. Finger Print Policy
+5.6.5.1. Finger Print Policy
 
 In the initial phase of an SMB session, the client needs to
 authenticate with a SessionSetupAndX. Both the request and response
@@ -2539,7 +2603,7 @@ to this command contain OS and version information that can allow the
 inspector to dynamically set the policy for a session which allows
 for better protection against Windows and Samba specific evasions.
 
-5.5.5.2. File Inspection
+5.6.5.2. File Inspection
 
 SMB inspector supports file inspection. A typical configuration looks
 like this:
@@ -2594,16 +2658,16 @@ inspection in rules. An argument of 0 to "file_depth" means
 unlimited. Default is "off", i.e. no SMB file inspection is done in
 the inspector.
 
-5.5.6. TCP
+5.6.6. TCP
 
 dce_tcp inspector supports defragmentation, reassembling, and policy
 that is similar to SMB.
 
-5.5.7. UDP
+5.6.7. UDP
 
 dce_udp is a very simple inspector that only supports defragmentation
 
-5.5.8. Rule Options
+5.6.8. Rule Options
 
 New rule options are supported by enabling the dcerpc2 inspectors:
 
@@ -2616,7 +2680,7 @@ New modifiers to existing byte_test and byte_jump rule options:
   * byte_test: dce
   * byte_jump: dce
 
-5.5.8.1. dce_iface
+5.6.8.1. dce_iface
 
 For DCE/RPC based rules it has been necessary to set flow-bits based
 on a client bind to a service to avoid false positives. It is
@@ -2727,7 +2791,7 @@ longest) pattern will be used. If a content in the rule uses the
 fast_pattern rule option, it will unequivocally be used over the
 above mentioned patterns.
 
-5.5.8.2. dce_opnum
+5.6.8.2. dce_opnum
 
 The opnum represents a specific function call to an interface. After
 is has been determined that a client has bound to a specific
@@ -2749,7 +2813,7 @@ opnum of a DCE/RPC request will be matched against the opnums
 specified with this option. This option matches if any one of the
 opnums specified match the opnum of the DCE/RPC request.
 
-5.5.8.3. dce_stub_data
+5.6.8.3. dce_stub_data
 
 Since most DCE/RPC based rules had to do protocol decoding only to
 get to the DCE/RPC stub data, i.e. the remote procedure call or
@@ -2778,7 +2842,7 @@ that does not specify a relative modifier will be evaluated from the
 start of the stub data buffer. To leave the stub data buffer and
 return to the main payload buffer, use the "pkt_data" rule option.
 
-5.5.8.4. byte_test and byte_jump
+5.6.8.4. byte_test and byte_jump
 
 A DCE/RPC request can specify whether numbers are represented in big
 or little endian. These rule options will take as a new argument
@@ -2804,7 +2868,7 @@ byte_jump arguments will not be allowed: "big", "little", "string",
 "hex", "dec", "oct" and "from_beginning"
 
 
-5.6. File Processing
+5.7. File Processing
 
 --------------
 
@@ -2813,7 +2877,7 @@ network file inspection becomes more and more important. This feature
 will provide file type identification, file signature creation, and
 file capture capabilities to help users deal with those challenges.
 
-5.6.1. Overview
+5.7.1. Overview
 
 There are two parts of file services: file APIs and file policy. File
 APIs provides all the file inspection functionalities, such as file
@@ -2828,7 +2892,7 @@ file policy along with file event log.
   * Supported protocols: HTTP, SMTP, IMAP, POP3, FTP, and SMB.
   * Supported file signature calculation: SHA256
 
-5.6.2. Quick Guide
+5.7.2. Quick Guide
 
 A very simple configuration has been included in lua/snort.lua file.
 A typical file configuration looks like this:
@@ -2867,7 +2931,7 @@ There are 3 steps to enable file processing:
   * At last, enable file_log to get detailed information about file
     event
 
-5.6.3. Pre-packaged File Magic Rules
+5.7.3. Pre-packaged File Magic Rules
 
 A set of file magic rules is packaged with Snort. They can be located
 at "lua/file_magic.lua". To use this feature, it is recommended that
@@ -2890,7 +2954,7 @@ look at content at particular file offset to identify the file type.
 In this case, two magics look at the beginning of the file. You can
 use character if it is printable or hex value in between "|".
 
-5.6.4. File Policy
+5.7.4. File Policy
 
 You can enabled file type, file signature, or file capture by
 configuring file_id. In addition, you can enable trace to see file
@@ -2916,7 +2980,7 @@ In this example, it enables this policy:
   * For all file types identified, they will be logged with
     signature, and also captured onto log folder.
 
-5.6.5. File Capture
+5.7.5. File Capture
 
 File can be captured and stored to log folder. We use SHA as file
 name instead of actual file name to avoid conflicts. You can capture
@@ -2932,7 +2996,7 @@ or enable it for some file or file type in your file policy:
 
 The above rule will enable PDF file capture.
 
-5.6.6. File Events
+5.7.6. File Events
 
 File inspect preprocessor also works as a dynamic output plugin for
 file events. It logs basic information about file. The log file is in
@@ -2954,14 +3018,14 @@ File event example:
 [Size: 1039328]
 
 
-5.7. High Availability
+5.8. High Availability
 
 --------------
 
 High Availability includes the HA flow synchronization and the
 SideChannel messaging subsystems.
 
-5.7.1. HA
+5.8.1. HA
 
 HighAvailability (or HA) is a Snort module that provides state
 coherency between two partner snort instances. It uses SideChannel
@@ -3006,7 +3070,7 @@ message content. The stream HA content is always present in the
 messages while the ancillary module content is only present when
 requested via a status change request.
 
-5.7.2. Connector
+5.8.2. Connector
 
 Connectors are a set of modules that are used to exchange
 message-oriented data among Snort threads and the external world. A
@@ -3017,7 +3081,7 @@ forms of message transport.
 
 Connectors are a Snort plugin type.
 
-5.7.2.1. Connector (parent plugin class)
+5.8.2.1. Connector (parent plugin class)
 
 Connectors may either be a simplex channel and perform unidirectional
 communications. Or may be duplex and perform bidirectional
@@ -3035,7 +3099,7 @@ There are currently two implementations of Connectors:
   * FileConnector - Write messages to files and read messages from
     files.
 
-5.7.2.2. TcpConnector
+5.8.2.2. TcpConnector
 
 TcpConnector is a subclass of Connector and implements a DUPLEX type
 Connector, able to send and receive messages over a tcp session.
@@ -3062,7 +3126,7 @@ tcp_connector =
     },
 }
 
-5.7.2.3. FileConnector
+5.8.2.3. FileConnector
 
 FileConnector implements a Connector that can either read from files
 or write to files. FileConnector’s are simplex and must be configured
@@ -3105,7 +3169,7 @@ file_connector =
     },
 }
 
-5.7.3. Side Channel
+5.8.3. Side Channel
 
 SideChannel is a Snort module that uses Connectors to implement a
 messaging infrastructure that is used to communicate between Snort
@@ -3171,7 +3235,7 @@ file_connector =
 }
 
 
-5.8. FTP
+5.9. FTP
 
 --------------
 
@@ -3181,9 +3245,9 @@ codes and messages. It will enforce correctness of the parameters,
 determine when an FTP command connection is encrypted, and determine
 when an FTP data channel is opened.
 
-5.8.1. Configuring the inspector to block exploits and attacks
+5.9.1. Configuring the inspector to block exploits and attacks
 
-5.8.1.1. ftp_server configuration
+5.9.1.1. ftp_server configuration
 
   * ftp_cmds
 
@@ -3348,7 +3412,7 @@ to large file transfers from a trusted source — by ignoring traffic.
 If your rule set includes virus-type rules, it is recommended that
 this option not be used.
 
-5.8.1.2. ftp_client configuration
+5.9.1.2. ftp_client configuration
 
   * max_resp_len
 
@@ -3370,7 +3434,7 @@ character (TNC EAC) and erase line (TNC EAL) when normalizing FTP
 command channel. Some FTP clients do not process those telnet escape
 sequences.
 
-5.8.1.3. ftp_data
+5.9.1.3. ftp_data
 
 In order to enable file inspection for ftp, the following should be
 added to the configuration:
@@ -3378,14 +3442,14 @@ added to the configuration:
 ftp_data = {}
 
 
-5.9. HTTP Inspector
+5.10. HTTP Inspector
 
 --------------
 
 One of the major undertakings for Snort 3 is developing a completely
 new HTTP inspector.
 
-5.9.1. Overview
+5.10.1. Overview
 
 You can configure it by adding:
 
@@ -3448,7 +3512,7 @@ user to write rules against it. If for example a header is supposed
 to be a date then normalization means put that date in a standard
 format.
 
-5.9.2. Configuration
+5.10.2. Configuration
 
 Configuration can be as simple as adding:
 
@@ -3459,7 +3523,7 @@ inspection and may be all that you need. But there are some options
 that provide extra features, tweak how things are done, or conserve
 resources by doing less.
 
-5.9.2.1. request_depth and response_depth
+5.10.2.1. request_depth and response_depth
 
 These replace the flow depth parameters used by the old HTTP
 inspector but they work differently.
@@ -3487,7 +3551,7 @@ omit the depth parameter entirely because that is the default.
 These limits have no effect on how much data is forwarded to file
 processing.
 
-5.9.2.2. detained_inspection
+5.10.2.2. detained_inspection
 
 Detained inspection is an experimental feature currently under
 development. It enables Snort to more quickly detect and block
@@ -3498,7 +3562,7 @@ mode operation (-Q).
 This feature is off by default. detained_inspection = true will
 activate it.
 
-5.9.2.3. gzip
+5.10.2.3. gzip
 
 http_inspect by default decompresses deflate and gzip message bodies
 before inspecting them. This feature can be turned off by unzip =
@@ -3507,14 +3571,14 @@ improvement but at a very high price. It is unlikely that any
 meaningful inspection of message bodies will be possible. Effectively
 HTTP processing would be limited to the headers.
 
-5.9.2.4. normalize_utf
+5.10.2.4. normalize_utf
 
 http_inspect will decode utf-8, utf-7, utf-16le, utf-16be, utf-32le,
 and utf-32be in response message bodies based on the Content-Type
 header. This feature is on by default: normalize_utf = false will
 deactivate it.
 
-5.9.2.5. decompress_pdf
+5.10.2.5. decompress_pdf
 
 decompress_pdf = true will enable decompression of compressed
 portions of PDF files encountered in a response body. http_inspect
@@ -3523,7 +3587,7 @@ locate PDF streams with a single /FlateDecode filter. The compressed
 content is decompressed and made available through the file data rule
 option.
 
-5.9.2.6. decompress_swf
+5.10.2.6. decompress_swf
 
 decompress_swf = true will enable decompression of compressed SWF
 (Adobe Flash content) files encountered in a response body. The
@@ -3533,7 +3597,7 @@ LZMA. The compressed content is decompressed and made available
 through the file data rule option. The compressed SWF file signature
 is converted to FWS to indicate an uncompressed file.
 
-5.9.2.7. normalize_javascript
+5.10.2.7. normalize_javascript
 
 normalize_javascript = true will enable normalization of JavaScript
 within the HTTP response body. http_inspect looks for JavaScript by
@@ -3545,7 +3609,7 @@ decodeURIComponent are %XX, %uXXXX, XX and uXXXXi. http_inspect also
 replaces consecutive whitespaces with a single space and normalizes
 the plus by concatenating the strings.
 
-5.9.2.8. URI processing
+5.10.2.8. URI processing
 
 Normalization and inspection of the URI in the HTTP request message
 is a key aspect of what http_inspect does. The best way to normalize
@@ -3641,7 +3705,7 @@ allow directories to be separated by backslashes:
 backslash_to_slash is turned on by default. It replaces all the
 backslashes with slashes during normalization.
 
-5.9.3. CONNECT processing
+5.10.3. CONNECT processing
 
 The HTTP CONNECT method is used by a client to establish a tunnel to
 a destination via an HTTP proxy server. If the connection is
@@ -3672,7 +3736,7 @@ tactic, the HTTP inspector will not cut over to the wizard if it sees
 any early client-to-server traffic, but will continue normal HTTP
 processing of the flow regardless of the eventual server response.
 
-5.9.4. Detection rules
+5.10.4. Detection rules
 
 http_inspect parses HTTP messages into their components and makes
 them available to the detection engine through rule options. Let’s
@@ -3743,7 +3807,7 @@ list.
 In addition to the headers there are rule options for virtually every
 part of the HTTP message.
 
-5.9.4.1. http_uri and http_raw_uri
+5.10.4.1. http_uri and http_raw_uri
 
 These provide the URI of the request message. The raw form is exactly
 as it appeared in the message and the normalized form is determined
@@ -3803,7 +3867,7 @@ Note: this section uses informal language to explain some things.
 Nothing here is intended to conflict with the technical language of
 the HTTP RFCs and the implementation follows the RFCs.
 
-5.9.4.2. http_header and http_raw_header
+5.10.4.2. http_header and http_raw_header
 
 These cover all the header lines except the first one. You may
 specify an individual header by name using the field option as shown
@@ -3833,7 +3897,7 @@ In most cases specifying individual headers creates a more efficient
 and accurate rule. It is recommended that new rules be written using
 individual headers whenever possible.
 
-5.9.4.3. http_trailer and http_raw_trailer
+5.10.4.3. http_trailer and http_raw_trailer
 
 HTTP permits header lines to appear after a chunked body ends.
 Typically they contain information about the message content that was
@@ -3845,7 +3909,7 @@ counterparts except they apply to these end headers. If you want a
 rule to inspect both kinds of headers you need to write two rules,
 one using header and one using trailer.
 
-5.9.4.4. http_cookie and http_raw_cookie
+5.10.4.4. http_cookie and http_raw_cookie
 
 These provide the value of the Cookie header for a request message
 and the Set-Cookie for a response message. If multiple cookies are
@@ -3854,7 +3918,7 @@ present they will be concatenated into a comma-separated list.
 Normalization for http_cookie is the same URI-style normalization
 applied to http_header when no specific header is specified.
 
-5.9.4.5. http_true_ip
+5.10.4.5. http_true_ip
 
 This provides the original IP address of the client sending the
 request as it was stored by a proxy in the request message headers.
@@ -3862,13 +3926,13 @@ Specifically it is the last IP address listed in the X-Forwarded-For
 or True-Client-IP header. If both headers are present the former is
 used.
 
-5.9.4.6. http_client_body
+5.10.4.6. http_client_body
 
 This is the body of a request message such as POST or PUT.
 Normalization for http_client_body is the same URI-like normalization
 applied to http_header when no specific header is specified.
 
-5.9.4.7. http_raw_body
+5.10.4.7. http_raw_body
 
 This is the body of a request or response message. It will be
 dechunked and unzipped if applicable but will not be normalized in
@@ -3877,30 +3941,30 @@ is a rule that uses packet data will search and may match an HTTP
 header, but http_raw_body is limited to the message body. Thus the
 latter is more efficient and more accurate for most uses.
 
-5.9.4.8. http_method
+5.10.4.8. http_method
 
 The method field of a request message. Common values are "GET",
 "POST", "OPTIONS", "HEAD", "DELETE", "PUT", "TRACE", and "CONNECT".
 
-5.9.4.9. http_stat_code
+5.10.4.9. http_stat_code
 
 The status code field of a response message. This is normally a
 3-digit number between 100 and 599. In this example it is 200.
 
 HTTP/1.1 200 OK
 
-5.9.4.10. http_stat_msg
+5.10.4.10. http_stat_msg
 
 The reason phrase field of a response message. This is the
 human-readable text following the status code. "OK" in the previous
 example.
 
-5.9.4.11. http_version
+5.10.4.11. http_version
 
 The protocol version information that appears on the first line of an
 HTTP message. This is usually "HTTP/1.0" or "HTTP/1.1".
 
-5.9.4.12. http_raw_request and http_raw_status
+5.10.4.12. http_raw_request and http_raw_status
 
 These are the unmodified first header line of the HTTP request and
 response messages respectively. These rule options are a safety valve
@@ -3910,7 +3974,7 @@ first header line. For a request message those are http_method,
 http_raw_uri, and http_version. For a response message those are
 http_version, http_stat_code, and http_stat_msg.
 
-5.9.4.13. file_data and packet data
+5.10.4.13. file_data and packet data
 
 file_data contains the normalized message body. This is the
 normalization described above under gzip, normalize_utf,
@@ -3919,7 +3983,7 @@ decompress_pdf, decompress_swf, and normalize_javascript.
 The unnormalized message content is available in the packet data. If
 gzip is configured the packet data will be unzipped.
 
-5.9.5. Timing issues and combining rule options
+5.10.5. Timing issues and combining rule options
 
 HTTP inspector is stateful. That means it is aware of a bigger
 picture than the packet in front of it. It knows what all the pieces
@@ -4025,7 +4089,7 @@ are received. Headers may be combined with later items but the body
 cannot.
 
 
-5.10. HTTP/2 Inspector
+5.11. HTTP/2 Inspector
 
 --------------
 
@@ -4080,7 +4144,7 @@ http_inspect to provide full inspection of the individual HTTP/1.1
 streams.
 
 
-5.11. Performance Monitor
+5.12. Performance Monitor
 
 --------------
 
@@ -4089,14 +4153,14 @@ down by too many flows? perf_monitor! Why are certain TCP segments
 being dropped without hitting a rule? perf_monitor! Why is a sensor
 leaking water? Not perf_monitor, check with stream…
 
-5.11.1. Overview
+5.12.1. Overview
 
 The Snort performance monitor is the built-in utility for monitoring
 system and traffic statistics. All statistics are separated by
 processing thread. perf_monitor supports several trackers for
 monitoring such data:
 
-5.11.2. Base Tracker
+5.12.2. Base Tracker
 
 The base tracker is used to gather running statistics about Snort and
 its running modules. All Snort modules gather, at the very least,
@@ -4153,7 +4217,7 @@ perf_monitor =
 Note: Event stats from prior Snorts are now located within base
 statistics.
 
-5.11.3. Flow Tracker
+5.12.3. Flow Tracker
 
 Flow tracks statistics regarding traffic and L3/L4 protocol
 distributions. This data can be used to build a profile of traffic
@@ -4163,7 +4227,7 @@ To enable:
 
 perf_monitor = { flow = true }
 
-5.11.4. FlowIP Tracker
+5.12.4. FlowIP Tracker
 
 FlowIP provides statistics for individual hosts within a network.
 This data can be used for identifying communication habits, such as
@@ -4175,7 +4239,7 @@ To enable:
 
 perf_monitor = { flow_ip = true }
 
-5.11.5. CPU Tracker
+5.12.5. CPU Tracker
 
 This tracker monitors the CPU and wall time spent by a given
 processing thread.
@@ -4184,7 +4248,7 @@ To enable:
 
 perf_monitor = { cpu = true }
 
-5.11.6. Formatters
+5.12.6. Formatters
 
 Performance monitor allows statistics to be output in a few formats.
 Along with human readable text (as seen at shutdown) and csv formats,
@@ -4198,14 +4262,14 @@ used by Performance monitor, see the developer notes for Performance
 monitor or the code provided for fbstreamer.
 
 
-5.12. POP and IMAP
+5.13. POP and IMAP
 
 --------------
 
 POP inspector is a service inspector for POP3 protocol and IMAP
 inspector is for IMAP4 protocol.
 
-5.12.1. Overview
+5.13.1. Overview
 
 POP and IMAP inspectors examine data traffic and find POP and IMAP
 commands and responses. The inspectors also identify the command,
@@ -4213,7 +4277,7 @@ header, body sections and extract the MIME attachments and decode it
 appropriately. The pop and imap also identify and whitelist the pop
 and imap traffic.
 
-5.12.2. Configuration
+5.13.2. Configuration
 
 POP inspector and IMAP inspector offer same set of configuration
 options for MIME decoding depth. These depths range from 0 to 65535
@@ -4223,27 +4287,27 @@ be decoded. If you do not specify the default value is 1460 bytes.
 
 The depth limits apply per attachment. They are:
 
-5.12.2.1. b64_decode_depth
+5.13.2.1. b64_decode_depth
 
 Set the base64 decoding depth used to decode the base64-encoded MIME
 attachments.
 
-5.12.2.2. qp_decode_depth
+5.13.2.2. qp_decode_depth
 
 Set the Quoted-Printable (QP) decoding depth used to decode
 QP-encoded MIME attachments.
 
-5.12.2.3. bitenc_decode_depth
+5.13.2.3. bitenc_decode_depth
 
 Set the non-encoded MIME extraction depth used for non-encoded MIME
 attachments.
 
-5.12.2.4. uu_decode_depth
+5.13.2.4. uu_decode_depth
 
 Set the Unix-to-Unix (UU) decoding depth used to decode UU-encoded
 attachments.
 
-5.12.2.5. Examples
+5.13.2.5. Examples
 
 stream = { }
 
@@ -4277,13 +4341,13 @@ pop =
 }
 
 
-5.13. Port Scan
+5.14. Port Scan
 
 --------------
 
 A module to detect port scanning
 
-5.13.1. Overview
+5.14.1. Overview
 
 This module is designed to detect the first phase in a network
 attack: Reconnaissance. In the Reconnaissance phase, an attacker
@@ -4383,7 +4447,7 @@ however, Portscan will only track open ports after the alert has been
 triggered. Open port events are not individual alerts, but tags based
 off the original scan alert.
 
-5.13.2. Scan levels
+5.14.2. Scan levels
 
 There are 3 default scan levels that can be set.
 
@@ -4437,7 +4501,7 @@ setting will catch some slow scans because of the continuous
 monitoring, but is very sensitive to active hosts. This most
 definitely will require the user to tune Portscan.
 
-5.13.3. Tuning Portscan
+5.14.3. Tuning Portscan
 
 The most important aspect in detecting portscans is tuning the
 detection engine for your network(s). Here are some tuning tips:
@@ -4514,7 +4578,7 @@ require the least tuning. The low sensitivity level does not catch
 filtered scans, since these are more prone to false positives.
 
 
-5.14. Sensitive Data Filtering
+5.15. Sensitive Data Filtering
 
 --------------
 
@@ -4524,21 +4588,21 @@ credit card numbers, U.S. Social Security numbers, and email
 addresses. A rich regular expression syntax is available for defining
 your own PII.
 
-5.14.1. Hyperscan
+5.15.1. Hyperscan
 
 The sd_pattern rule option is powered by the open source Hyperscan
 library from Intel. It provides a regex grammar which is mostly PCRE
 compatible. To learn more about Hyperscan see https://intel.github.io
 /hyperscan/dev-reference/
 
-5.14.2. Syntax
+5.15.2. Syntax
 
 Snort provides sd_pattern as IPS rule option with no additional
 inspector overhead. The Rule option takes the following syntax.
 
 sd_pattern: "<pattern>"[, threshold <count>];
 
-5.14.2.1. Pattern
+5.15.2.1. Pattern
 
 Pattern is the most important and is the only required parameter to
 sd_pattern. It supports 3 built in patterns which are configured by
@@ -4576,7 +4640,7 @@ but would not match 1@ourdomain.com ab12@ourdomain.com or
 Note: This is just an example, this pattern is not suitable to detect
 many correctly formatted emails.
 
-5.14.2.2. Threshold
+5.15.2.2. Threshold
 
 Threshold is an optional parameter allowing you to change built in
 default value (default value is 1). The following two instances are
@@ -4594,7 +4658,7 @@ This example requires 300 matches of the pattern "This is a string
 literal" to qualify as a positive match. That is, if the string only
 occurred 299 times in a packet, you will not see an event.
 
-5.14.2.3. Obfuscating Credit Cards and Social Security Numbers
+5.15.2.3. Obfuscating Credit Cards and Social Security Numbers
 
 Snort provides discreet logging for the built in patterns
 "credit_card", "us_social" and "us_social_nodashes". Enabling
@@ -4607,7 +4671,7 @@ output =
     obfuscate_pii = true
 }
 
-5.14.3. Example
+5.15.3. Example
 
 A complete Snort IPS rule
 
@@ -4623,7 +4687,7 @@ Logged output when running Snort in "cmg" alert format.
 58 58 58 58 58 58 58 58 58 58 58 58 39 32 39 34              XXXXXXXXXXXX9294
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
-5.14.4. Caveats
+5.15.4. Caveats
 
  1. Snort currently requires setting the fast pattern engine to use
     "hyperscan" in order for sd_pattern ips option to function
@@ -4640,13 +4704,13 @@ Logged output when running Snort in "cmg" alert format.
     (This is a known bug).
 
 
-5.15. SMTP
+5.16. SMTP
 
 --------------
 
 SMTP inspector is a service inspector for SMTP protocol.
 
-5.15.1. Overview
+5.16.1. Overview
 
 The SMTP inspector examines SMTP connections looking for commands and
 responses. It also identifies the command, header and body sections,
@@ -4656,7 +4720,7 @@ identifies and whitelists the SMTP traffic.
 SMTP inspector logs the filename, email addresses, attachment names
 when configured.
 
-5.15.2. Configuration
+5.16.2. Configuration
 
 SMTP command lines can be normalized to remove extraneous spaces.
 TLS-encrypted traffic can be ignored, which improves performance. In
@@ -4665,7 +4729,7 @@ performance boost.
 
 The configuration options are described below:
 
-5.15.2.1. normalize and normalize_cmds
+5.16.2.1. normalize and normalize_cmds
 
 Normalization checks for more than one space character after a
 command. Space characters are defined as space (ASCII 0x20) or tab
@@ -4676,34 +4740,34 @@ example:
 
 smtp = { normalize = 'cmds', normalize_cmds = 'RCPT VRFY EXPN' }
 
-5.15.2.2. ignore_data
+5.16.2.2. ignore_data
 
 Set it to true to ignore data section of mail (except for mail
 headers) when processing rules.
 
-5.15.2.3. ignore_tls_data
+5.16.2.3. ignore_tls_data
 
 Set it to true to ignore TLS-encrypted data when processing rules.
 
-5.15.2.4. max_command_line_len
+5.16.2.4. max_command_line_len
 
 Alert if an SMTP command line is longer than this value. Absence of
 this option or a "0" means never alert on command line length. RFC
 2821 recommends 512 as a maximum command line length.
 
-5.15.2.5. max_header_line_len
+5.16.2.5. max_header_line_len
 
 Alert if an SMTP DATA header line is longer than this value. Absence
 of this option or a "0" means never alert on data header line length.
 RFC 2821 recommends 1024 as a maximum data header line length.
 
-5.15.2.6. max_response_line_len
+5.16.2.6. max_response_line_len
 
 Alert if an SMTP response line is longer than this value. Absence of
 this option or a "0" means never alert on response line length. RFC
 2821 recommends 512 as a maximum response line length.
 
-5.15.2.7. alt_max_command_line_len
+5.16.2.7. alt_max_command_line_len
 
 Overrides max_command_line_len for specific commands For example:
 
@@ -4719,11 +4783,11 @@ alt_max_command_line_len =
     },
 }
 
-5.15.2.8. invalid_cmds
+5.16.2.8. invalid_cmds
 
 Alert if this command is sent from client side.
 
-5.15.2.9. valid_cmds
+5.16.2.9. valid_cmds
 
 List of valid commands. We do not alert on commands in this list.
 
@@ -4733,36 +4797,36 @@ HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SIZE
 STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS X-LINK2STATE
 XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR ]]
 
-5.15.2.10. data_cmds
+5.16.2.10. data_cmds
 
 List of commands that initiate sending of data with an end of data
 delimiter the same as that of the DATA command per RFC 5321 - "
 <CRLF>.<CRLF>".
 
-5.15.2.11. binary_data_cmds
+5.16.2.11. binary_data_cmds
 
 List of commands that initiate sending of data and use a length value
 after the command to indicate the amount of data to be sent, similar
 to that of the BDAT command per RFC 3030.
 
-5.15.2.12. auth_cmds
+5.16.2.12. auth_cmds
 
 List of commands that initiate an authentication exchange between
 client and server.
 
-5.15.2.13. xlink2state
+5.16.2.13. xlink2state
 
 Enable/disable xlink2state alert, options are {disable | alert |
 drop}. See CVE-2005-0560 for a description of the vulnerability.
 
-5.15.2.14. MIME processing depth parameters
+5.16.2.14. MIME processing depth parameters
 
 These four MIME processing depth parameters are identical to their
 POP and IMAP counterparts. See that section for further details.
 
 b64_decode_depth qp_decode_depth bitenc_decode_depth uu_decode_depth
 
-5.15.2.15. Log Options
+5.16.2.15. Log Options
 
 Following log options allow SMTP inspector to log email addresses and
 filenames. Please note, this is logged only with the unified2 output
@@ -4805,7 +4869,7 @@ This option specifies the depth for logging email headers. The
 allowed range for this option is 0 - 20480. A value of 0 will disable
 email headers logging. The default value for this option is 1464.
 
-5.15.3. Example
+5.16.3. Example
 
 smtp =
 {
@@ -4858,7 +4922,7 @@ smtp =
 }
 
 
-5.16. Telnet
+5.17. Telnet
 
 --------------
 
@@ -4868,7 +4932,7 @@ command sequences per RFC 854. It will also determine when a telnet
 connection is encrypted, per the use of the telnet encryption option
 per RFC 2946.
 
-5.16.1. Configuring the inspector to block exploits and attacks
+5.17.1. Configuring the inspector to block exploits and attacks
 
 ayt_attack_thresh number
 
@@ -4877,7 +4941,7 @@ the threshold number specified. This addresses a few specific
 vulnerabilities relating to bsd-based implementations of telnet.
 
 
-5.17. Trace
+5.18. Trace
 
 --------------
 
@@ -4890,7 +4954,7 @@ enable debug tracing, Snort must be configured at build time with
 wizard and snort.inspector_manager) are providing non-debug trace
 messages in normal production builds.
 
-5.17.1. Trace module
+5.18.1. Trace module
 
 The trace module is responsible for configuring traces and supports
 the following parameters:
@@ -4924,7 +4988,7 @@ The trace module supports config reloading. Also, it’s possible to
 set or clear modules traces and packet filter constraints via the
 control channel command.
 
-5.17.2. Trace module - configuring traces
+5.18.2. Trace module - configuring traces
 
 The trace module has the modules option - a table with trace
 configuration for specific modules. The following lines placed in
@@ -4986,7 +5050,7 @@ trace =
     }
 }
 
-5.17.3. Trace module - configuring packet filter constraints for
+5.18.3. Trace module - configuring packet filter constraints for
 packet related trace messages
 
 There is a capability to filter traces by the packet constraints. The
@@ -5041,7 +5105,7 @@ trace =
     }
 }
 
-5.17.4. Trace module - configuring trace output method
+5.18.4. Trace module - configuring trace output method
 
 There is a capability to configure the output method for trace
 messages. The trace module has the output option with two acceptable
@@ -5070,7 +5134,7 @@ trace =
 As a result, each trace message will be printed into syslog (the
 Snort run-mode will be ignored).
 
-5.17.5. Configuring traces via control channel command
+5.18.5. Configuring traces via control channel command
 
 There is a capability to configure module trace options and packet
 constraints via the control channel command by using a Snort shell.
@@ -5096,7 +5160,7 @@ trace.set({modules = {...}}) - set only module trace options keeping old filteri
 
 trace.set({}) - disable traces and constraints (set to empty)
 
-5.17.6. Trace messages format
+5.18.6. Trace messages format
 
 Each tracing message has a standard format:
 
@@ -5111,7 +5175,7 @@ the thread type.
 Possible thread types: C – main (control) thread P – packet thread O
 – other thread
 
-5.17.7. Example - Debugging rules using detection trace
+5.18.7. Example - Debugging rules using detection trace
 
 The detection engine is responsible for rule evaluation. Turning on
 the trace for it can help with debugging new rules.
@@ -5239,7 +5303,7 @@ detection:rule_eval:1: Matched rule gid:sid:rev 1:3:0
 detection:rule_vars:1: Rule options variables: var[0]=1 var[1]=10 var[2]=0
 04/22-20:21:40.905630, 1, TCP, raw, 56, C2S, 127.0.0.1:1234, 127.0.0.1:5678, 1:3:0, allow
 
-5.17.8. Example - Protocols decoding trace
+5.18.8. Example - Protocols decoding trace
 
 Turning on decode trace will print out information about the packets
 decoded protocols. Can be useful in case of tunneling.
@@ -5263,7 +5327,7 @@ decode:all:1: Codec ipv6 (protocol_id: 1) ip header starts at: 0x7f70800110f0, l
 decode:all:1: Codec icmp4 (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 8
 decode:all:1: Codec unknown (protocol_id: 256) ip header starts at: 0x7f70800110f0, length is 0
 
-5.17.9. Example - Track the time packet spends in each inspector
+5.18.9. Example - Track the time packet spends in each inspector
 
 There is a capability to track which inspectors evaluate a packet,
 and how much time the inspector consumes doing so. These trace
@@ -5304,7 +5368,7 @@ snort:inspector_manager:1: post detection inspection, raw, packet 1, context 1
 snort:inspector_manager:1: end inspection, raw, packet 1, context 1, total time: 0 usec
 snort:main:1: [0] Destroying completed command RUN
 
-5.17.10. Example - trace filtering by packet constraints:
+5.18.10. Example - trace filtering by packet constraints:
 
 In snort.lua, the following lines were added:
 
@@ -5366,7 +5430,7 @@ detection:rule_eval:1: packet 4 UNK 10.1.1.2:200 10.2.1.1:100 (non-fast-patterns
 The trace messages for two last packets (numbers 5 and 6) weren’t
 printed.
 
-5.17.11. Example - configuring traces via trace.set() command
+5.18.11. Example - configuring traces via trace.set() command
 
 In snort.lua, the following lines were added:
 
@@ -5449,7 +5513,7 @@ The new configuration was applied. decode:all:1 messages aren’t
 filtered because they don’t include a packet (a packet isn’t
 well-formed at the point when the message is printing).
 
-5.17.12. Other available traces
+5.18.12. Other available traces
 
 There are more trace options supported by detection:
 
@@ -5476,7 +5540,7 @@ developer. Some are for corner cases, others for complex data
 structures.
 
 
-5.18. Wizard
+5.19. Wizard
 
 --------------
 
diff --git a/src/main/build.h b/src/main/build.h
index bc520a46b..58355b176 100644
--- a/src/main/build.h
+++ b/src/main/build.h
@@ -12,7 +12,7 @@
 //                                               //
 //-----------------------------------------------//
 
-#define BUILD_NUMBER 3
+#define BUILD_NUMBER 4
 
 #ifndef EXTRABUILD
 #define BUILD STRINGIFY_MX(BUILD_NUMBER)