-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathChangeLog
1824 lines (1586 loc) · 74 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
18/09/26 - build 248
-- appid: adding detector builder and fixing stats to recognize custom appid
thanks to Wang Jun <traceflight@outlook.com> for reporting the issue
-- appid: fixing ubuntu check tests
-- appid: fix valgrind issues in SIP event handler
-- appid: FreeBSD unit-test fix
-- appid: supporting pub-sub mechanism for app changes
-- build: add libnsl and libsocket to Snort for Solaris builds
-- build: fall back on TI-RPC if no built-in RPC DB is found
-- build: introduce a more robust check for GNU strerror_r
-- daqs: include unistd.h directly for better cross-platform compatibility
-- dce_rpc: add DCE2_CO_REM_FRAG_LEN_LT_SIZE (133:31) to the TCP rule map
-- dce_rpc: add DCE2_SMB_NB_LT_COM (133:11) to the SMB rule map
-- detection: added post-onload callbacks
-- detection: allocate ips context data using hard coded max_ips_id == 32
-- detection: don't use s_switcher to get file data
-- detection: run active actions at onload
-- detection: use packet to reference context
-- file_api: fix off-by-one bug that was hurting performance
-- file_api: move the check on REJECT or BLOCK inside an upper if clause for performance reasons
-- file_api: set disable flow inspection as soon as the verdict is REJECT
-- file_api: treat a BLOCK verdict the same as a REJECT verdict, for good measure
-- http_inspect: split and inspect immediately upon reaching depth
-- latency: added cleanup for RegexOffload threads
-- lua: changing default FTP EPSV string format
-- main: pause-after-n support
-- managers: handle tinit for inspectors added during reload
-- managers: if a plugin doesn't have tinit, still mark it as initialized
-- reputation: early return on parsing error causing uninitialized id
-- reputation: fix SI doesn't block traffic if Any Zone is specified
18/08/27 - build 247 - Beta
-- appid: change map to unordered map
-- appid: declare SMTPS early in STARTTLS state on success response code
-- appid: fix data-race issues from ips_appid_option and improve app_name search
-- detection: avoid repeating detection by always doing non-fast-pattern rules immediately
(applies to experimental offload only)
-- docs: update default html, pdf, and text user manuals
-- reputation: reevaluate current flows upon reload
-- stream_tcp: avoid duplicating split sement data
-- build: removing use of u_char and u_short macros (github #53)
18/08/13 - build 246
-- active: Add an upper limit of 255 to min_interval
-- appid: Avoid snort crash upon lua file errors
-- appid: Fixes for TNS, eDonkey, and debug logs in Lua detectors
-- appid: Single lua-state per thread
-- appid: code clean-up
-- appid: create developer notes document
-- appid: make the code compatible with the latest version of snort2.
-- appid: refactor detector initialization
-- appid: fix multithreading issues (data races) from app_forecast
-- appid: many other updates
-- binder: Make two passes at binder rules - one for policy IDs and then everything else
-- binder: Refactor binder as a passive, event-driven inspector
-- byte_test: update operator parsing, remove dead code
-- catch: Update to Catch v2.2.3
-- codecs: Handle raw IP packets in Snort proper
-- codecs: fix dynamic build of root codecs
-- decode: alternate checksum calculation to improve runtime performance
-- detection: don't offload when 0 threads are configured
-- detection: save the ropts used for dce rule options in ips context to support offload
-- detection: various bug fixes for offload emulation
-- doc: Update regarding the build issue with --enable-tcmalloc flag and known workarounds
-- doc: added active response section to user manual
-- doc: corrections to tutorial section
-- doc: update known problems
-- events: remove manager cruft
-- file_id: fix uninitialized
-- file_magic: Update file_magic.lua to cover all file types and versions
-- framework: Enable dynamic building of ips_{pcre,regex,sd_pattern} + Hyperscan MPSE
-- framework: Scratch handlers for SnortState
-- framework: fixed adding probe to wrong SnortConfig
-- http_inspect: URI normalization added to dev_notes
-- http_inspect: add perfmon to splitter
-- http_inspect: bug fix and cleanup
-- http_inspect: memory reduction and misc cleanup
-- http_inspect: renumbered events to avoid current and future conflicts with Snort 2.X
-- inspector: Rename ::update() to ::remove_inspector_binding() to better reflect what it does
-- ips: Remove unused IPS module stats
-- ips_fragbits: Removed dead code
-- packet_tracer: Report user policy IDs and add network policy
-- parser: reset parse error count before reload to avoid confusion
-- perf_monitor: fix for reload
-- perf_monitor: format error in dev_notes
-- policy: Add the ability to set network policy based on user-specified ID
-- policy: Export querying policies by user ID and setting runtime policies
-- profiler: Don't clobber max entry count when recursing
-- reload: do not set policies for incremental reload case
-- reload: set policies upon swap to avoid dangling pointers when idle
-- reputation: make sure reputation inspector is called in default policy
-- reputation: support reload module
-- sfip: if ips_policy doesn't exist, allow for ipvar parsing without vartable
-- sip: Ported sip-splitter implementation from snort2
-- snort.lua: add inline tweaks
-- snort.lua: add talos defaults
-- snort.lua: fix tweaks path; thanks to brastult@cisco.com for reporting the issue
-- snort.lua: fix community rules filename; thanks to mike@flyn.org for reporting the issue
-- snort2lua: Handle sidechannel config.
-- snort2lua: add conversion for shared memory
-- snort2lua: added missing keyword to nap parsing
-- snort2lua: don't try to index into empty lines
-- snort2lua: fixed nap ip parsing
-- snort2lua: merge multiple nap rules with the same id
-- snort2lua: translate file_type rule option
-- snort: match delete[] with new[]
-- snort: wrap snort SO_PUBLIC symbols in the snort namespace
-- ssh: added test code
-- stream_ip: match delete[] with new[]; don't create zero length trackers
-- stream_tcp: 86 r_nxt_ack as tracker state for next rx seq, use rcv_nxt instead
-- stream_tcp: back out fin handling changes for bug not relevant to snort3
-- tcp_connector_test: fixed version-sensitive build problem
18/05/21 - build 245
-- CodecManager: removed unused code
-- DataBus: fixed creating DataHandler when one doesn't exist
-- Debug messages: cleanup for service inspectors. New traces for detection, stream.
-- Debug: Final debug messages cleanup, removal of macros from snort_debug
-- Ipv4Codec: removed random ip id pool and replaced randoms on demand
-- PacketManager: moved encode storage to heap
-- PerfMonitor: fixed subscribing to flow events multiple times
-- ProtoRef: Converge on single name for SnortProtocolId. Fix threading problems.
-- Reset: Always queue reject and test packet type in RejectAction::exec.
-- SFDAQModule: moved daq stats here. fixed stats not being output from perfmon.
-- Snort2lua: Add ftp_data to multiple files when needed, once per file.
-- Snort2lua: Translate ftp_server relative to default configurations.
-- Snort: moved s_data to heap
-- active: Enable when max_responses is enabled
-- alert: moved alert json. unixsock out from extra to snort3
-- appid: Add AppID debug command
-- appid: Enable Third-Party Code for Packet Processing
-- appid: Fix bug where Service and Application ID's set to port number instead of service appid
-- appid: Fixing service discovery states
-- appid: Only import dynamic detector pegcounts once
-- appid: Refactor debug command
-- appid: Refactor debug command, use SfIp, and fix non-Linux compilation
-- appid: Third party integration support
-- appid: appid session unit test changes
-- appid: change metadata buffers from std::string to pointers, to avoid extra copying
-- appid: clean-up code for performance and implement is_tp_processing_done()
-- appid: create referer object only for non-null string
-- appid: do not inspect out-of-order flows, ignore zero-payload packets for client/service discovery
-- appid: fix memory leak in appid_http_event_test and warning in appid_http_session.cc
-- appid: fix segfault due to dereferencing null host pointer.
-- appid: fix tabs and indentation
-- appid: fixed http fields, referer payload and appid debug
-- appid: make tp_attribute_data more localized, so we only allocate/deallocate it if needed.
-- appid: moved HttpFieldIds to appid_http_session
-- appid: peg count / dynamic peg count update. Split peg counts into the ones known at compile time and dynamic ones. Update stats , module manager and module to support dumping dynamic stats.
-- appid: report when third party appid is done inspecting
-- appid: sip: moved pattern thread local to class instance
-- base64_decode: moved buffer storage to regular heap
-- binder: Fix UBSAN invalid value type runtime error
-- build: 244
-- build: Add --enable-ub-sanitizer option for undefined behavior sanitizer
-- build: Add some header includes for FreeBSD
-- build: Clean up CMake string APPENDing for configure options
-- build: Clean up HAVE_* definition checks
-- build: Define NDEBUG if debugging is not enabled
-- build: Fix building unit tests on FreeBSD
-- build: Modernize code with =default for special member functions
-- build: Modernize code with virtual/override/final cleanups
-- build: Remove bashisms from most shell scripts
-- build: add cmake configure switches for NO_PROFILER, NO_MEM_MGR and DEEP_PROFILING
-- build: add disable-docs to disable doc build
-- build: fix various drops const qualifier cases
-- build: fix various warnings:
-- build: propogate snort3 tsc build option to the extra build system
-- byte_extract: fix cursor update
-- byte_jump: fix from_beginning
-- byte_math: allow rvalue == 0 except for division
-- catch: Update to Catch v2.2.1
-- clock: Allow use of ARM64 CNTVCT_EL0 register for timing (#46); thanks to j.mcdowell@titan-ic.com for the patch.
-- clock: use uint64_t with tsc clock instead of std::chrono for performance
-- cmake: Add --enable-appid-third-party to configure_cmake.sh
-- cmake: Add support for building with tcmalloc
-- cmake: Rework FindPCAP logic and ignore SFBPF
-- cmake: fixed checks for functions
-- cmake: update for iconv
-- codecs: add config option to detection to enable check and alert for address anomalies
-- daq_hext: Make IpAddr() static to fix compiler warning
-- dce_co_process_ctx_id needs to update its caller's (DCE2_CoCtxReq) frag_ptr as it is called in a loop in order to parse each dce/rpc ctx item, otherwise it ends up parsing the same ctx item over and over.
-- dce_rpc: fix parsing of dce/rpc ctx items
-- dce_rpc: pass frag_ptr by reference
-- debug: Remove debug messages from appid, arp_spoof, and perf_monitor
-- debug: Remove debug messages from detection and ips_options
-- debug: Remove debug messages from stream
-- decompress/file_decomp_pdf.cc: implicit fallthrough
-- detect: moving thread locals identified to ips context
-- detection: fixed uninitialized MpseStash
-- doc: add doc for module trace
-- encoders: fixed off-by-one error in underlying buffer handling
-- extra: Port some CMake options from Snort prime
-- extra: splitted extra out to snort3_extra repo
-- file_api: combine file cache for file resume and partial file processing
-- file_connector: Fix address-of-packed-member compiler warnings
-- file_decomp_pdf.cc: unreachable code return
-- file_type: Require strings instead of integers for types. Handle versions.
-- flow: SO_PUBLIC FlowKey
-- framework: align PktType and proto bits
-- framework: remove bogus PktType for ARP and just use proto bits instead
-- ftp_server: Added Flow::set_service and fixed FtpDataFlowData::handled_expected.
-- ftp_server: Added ability get TCP options length from TcpStreamSession.
-- ftp_server: Added accessors to Stream so TcpStreamSession can be private.
-- ftp_server: Base last_seg_size off of MSS.
-- ftp_server: Provide FLOW_SERVICE_CHANGE pub/sub event.
-- ftp_server: ftp_server requires that ftp_client and ftp_data be configured.
-- hashfcn: Fix UBSAN integer overflow runtime error
-- hashfcn: Fix UBSAN left shift of negative value runtime error
-- http_inspect: broken chunk performance improvement
-- http_inspect: bugfix and new alert for gzip underrun
-- http_inspect: embedded white space in Content-Length
-- http_inspect: handling of run-to-connection-close bodies beyond depth
-- http_inspect: know more Content-Encodings by name
-- http_inspect: patch around regression failures until a permanent solution is implemented
-- http_inspect: performance enhancements for file processing beyond detection depth
-- ip: replaced REG_TEST with -H option for ipv4 codec fixed seed
-- ips_byte_jump: Fix UBSAN left shift of negative value runtime error
-- ips_byte_math: Fix UBSAN left shift of negative value runtime error
-- ips_flags: remove dead code
-- javascript: moved decode buffer to stack
-- memory: disable with -DNO_MEM_MGR
-- memory_manager.cc: dangling references
-- packet_capture, cmake: Remove SFBPF dependencies
-- packet_capture: adding analyzer command to initialize dump file
-- packet_tracer: Fix compiler warning when compiling with NDEBUG
-- packet_tracer: Modularize and add constraint-based shell enablement
-- parameter: Fix UBSAN shift exponent is too large for 32-bit type runtime error
-- parser: allow arbitrary rule gids
-- pop, imap, and smtp: changes to MIME configuration parameters
-- port_scan: include open ports with alerts instead of separate
-- profile: disable with -DNO_PROFILER
-- profiler: add deep profiler option
-- reload: enabled reloading ips_actions; added parse error check for reloading
-- repuation: remove the limit for zone id
-- reputation: add zone support
-- search_engine: revert default detect_raw_tcp to false
-- service inspectors: debug cleanup
-- sfip: A version of set() which automatically determines the family
-- sfip: removed ntoa. use ntop(SfIpString) instead.
-- snort2lua: Add reject action when active responses is enabled
-- snort2lua: conversion of gid 120 to 119
-- snort2lua: enable reject action when firewall is enabled
-- snort: -r- will read packets from stdin
-- spell check: fix memeory and indicies typos
-- steam_tcp: change singleton names from linux to new_linux to avoid spurious collisions with defines
-- stream ip: refactored to use MemoryManager allocators
-- stream: assume gid 135 so those rules are handled as standard builtins
-- stream: be selective about flow creation for scans
-- stream: refactor flow control for new PktTypes
-- stream: remove usused ignore_any_rules from tcp and udp
-- stream: respect tcp require_3whs
-- stream: warning: potential memory leaks
-- stream_tcp: refactor tcp normalizer and reassembler to eliminate dynamic heap allocations per flow
-- stream_tcp: switch to splitter max
-- stream_tcp: tweak seglist cursor handling
-- target_based: 100% coverage on snort_protocols.cc
-- target_based: unit tests for ProtocolReference class
-- tcp codec: count bad ip6 checksums correctly; thanks to j.mcdowell@titan-ic.com for reporting the issue
-- tcp: allow data handlding for packet with invalid ack
-- time: initialize Stopwatch::start_time member variable to 0 ticks when TSC clock is enabled
-- trace: add traces for deleted debug messages
-- wizard: Fix UBSAN out-of-bounds access runtime error
-- zhash: cleanup cruftiness
18/03/15 - build 244
-- appid: unit-tests for http detector plugins
-- build: address compiler warnings, spell check and static analyzer issues
-- build: extirpate autotools usage
-- build: fix compilation issue on FreeBSD with extra
-- byte_jump: updated byte_jump post_offset option to support variable
-- cmake: update CMake config to use GNUInstallDirs and match automake
-- daq: hext DAQ can generate start of flow and end of flow meta events
-- doc: add documentation for ftp telnet
-- doc: fix including config_changes.txt when ruby is not present
-- doc: update ftp time format link
-- doc: updates for HTTP/2
-- http_inspect: handle white space before chunk length
-- inspectors: probes run regardless of active policy
-- logger: update Hext Logger to subscribe and log DAQ Meta Packets
-- main: reload hosts while reloading config
-- memory: override C++14 delete operators as well
-- packet tracer: added ability to direct logging to file
-- perf_monitor: fixed flow_ip outputting erroneous values
-- perf_monitor: query modules for stats only after they have all loaded
-- snort: --rule-to-text [<delim>] raw string output
-- snort: allow colon separated directories for --daq-dir
-- snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort' namespace
18/02/12 - build 243
-- build: enable gdb debugging info by default
-- build: fix cppcheck warnings
-- build: fix static analysis issue
-- comments: fix 6isco typos
-- copyright: update year to 2018
-- detection: use detection limit (alt_dsize)
-- detection: trace fast pattern searches with 0x20
-- detection: do not change search_engine.inspect_stream_inserts configuration
-- doc: update default manuals
-- flow: support episodic detection
-- help: upper case proto acronyms etc.
-- http_inspect: apply request/response depth to packet data
-- http_inspect: suppress raw packet inspection beyond request/response depth
-- main: Export AnalyzerCommand and main_broadcast_command()
-- rules: fix path variable expansion
-- search_engine: rename inspect_stream_inserts to detect_raw_tcp for clarity
default to true for 2.X rule sets
-- rules: update fast pattern selection to exclude redundant port groups
when service groups are present
-- wizard: count user scans and hits separate from tcp
18/01/29 - build 242
-- build: add STATIC to add_library call of port_scan to build it statically
otherwise link will fail (Makefile.am already build only the static version)
thanks to Fabrice Fontaine <fontaine.fabrice@gmail.com>
-- doc: update snort2lua for .rules files
-- doc: fixed some typos
-- expect: removed a single-element structure ExpectFlows
-- file_api: give FilePolicyBase a default virtual destructor
-- file: gracefully handle not having file policy configured in dce_smb
-- flow: provided access to all expected flows created by a packet
-- inspection events: added mandatory expected flow pub sub support
-- inspector_manager: fix acquire and use of default policy
-- profiler: fixed missing include
-- sfdaq: export can_whitelist() and modify_flow_opaque()file_api:
move VerdictName array out of file_api.h
-- snort2lua: fix file_rule_path and fw_log_size handling in firewall preprocessor
-- snort2lua: make sure file_magic table comes before file_id table.
-- snort2lua: detect commented 'alert' rules and convert them from snort to snort3 format.
Leave the rules commented out in the snort3 rules file.
-- snort2lua: convert *.rules files line-by-line
-- unit tests: updated Catch
-- unit tests: added ability to run Catch tests from dynamic modules
-- utils, flatbuffers: added a uniform interface for 64-bit endian swaps
17/12/15 - build 241
-- add back the ref count for file config
-- alert_csv: various fixes to match alert_json
-- alert_json: tcp_ack, tcp_seq, and tcp_win are (base 10) integers
-- alert_json: various fixes
thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issues
-- appid: close all Lua states when thread exits
-- appid: gracefully handle failed Lua state instantiation
thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue.
-- appid: only update session flags and discovery state if service id actually set to http
-- appid: patch to update the appid discovery state when an http event results in setting of the service id for a flow
-- appid: return false from is_third_party_appid_available when no third party module is available.
-- appid: tweak warnings and errors
-- binder: activate profiler support
-- binder: add FIXIT re creating default bindings when the wizard is not configured
-- binder: fix ingress / egress test
-- binder: minor perf and readability tweaks
-- build: fixed build issues on OSX with clang with cd_pbb, alert_json
-- build: fixed several dyanmic modules on OSX / clang
-- build: suppress appid warnings for valid case statement fall throughs
-- byte_test: fix string bounds check
-- catch: Update to Catch v2.0.1
-- cmake: add --define to configure_cmake.sh for arbitrary defines
-- codec: added wlan support for arp_spoof
-- codec: updated MIPv6 and merged cd_pim.cc, cd_swpie.cc and cd_sun_ud.cc to cd_bad_proto.cc
-- conf: remove OPTIONS from SIP and HTTP spells to avoid confusion with RTSP
-- conf: remove client to server spells for FTP, IMAP, POP, and SMTP to avoid false pickups
-- control: must execute from default policy only
-- control: process flow first
-- cppcheck: More miscellaneous fixes, mostly for new Catch
-- daq: explicitly initialize more fields in SFDAQInstance constructor
-- daq: handle real IP and port
-- data_bus: also publish to default policy
-- data_bus: refactor basic access for pub / sub
-- dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc)
-- detection: fix option tree looping issue
-- detection: rename ServiceInfo to SignatureServiceInfo
-- doc: fix type in style section
-- doc: update default manuals
-- file api: move file verdict enforcement out of file policy
-- file api: support file verdict delay during signature lookup
-- file policy and file config update to allow user define customized file policy through file api
-- file policy: add support for file event logging
-- file_api: Set the FileContext verdict, not a local verdict
-- file_id: add interface to access file info from file capture
-- file_id: support groups
-- hash: Rename SFGHASH, SFXHASH, SFHASHFCN to something resonable
-- http_inspect: add profiler support
-- http_inspect: fix bugs related to stream interaction
-- http_inspect: use configured max_pdu as base target reassembly size
-- inspection: default policy mode depends on adaptor mode
-- ips options: error if lookup fails due to bad case, typos, etc.
thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue
-- memory: no stats output unless configured
-- normalizer: added test mode
-- normalizer: fix enable checks
-- parsing: resolve paths from the current config directory instead of process directory
-- policy: added inspection policy config.
-- port_scan: add alert_all to make alerting on all events in window optional
-- port_scan: fix flow checks
-- profiler: fix focus of eventq
-- reputation: tweak warning message
-- rules: default msg = "no msg in rule"
-- sfrt: remove cruft and reformat header
-- shell: fixed crash when issuing control commands
-- sip: use log splitter for tcp
-- snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder
-- snort2lua: Convert file_magic.conf to Lua format.
-- snort2lua: added inspection uuid
-- snort2lua: added na_policy_mode. added ability amend tables if created.
-- snort2lua: added normalize_tcp: ftp
-- snort2lua: fix stream_size: to_client, to_server conversion
-- snort2lua: future proof --bind-wizard binding order
-- snort2lua: no sticky buffer for relative pcre
-- snort2lua: remove when udp from binding to support tcp too
-- snort2lua: tweak const name for clarity (internal)
-- snort2lua: urilen:<> --> bufferlen:<=>
-- snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces from LeakSanitizer
-- soid: allow stub to contain any or all options
-- --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static
-- stream: change tcp idle timeout to 3600 to match 2.X nominal timeout
-- stream_*: separate session profiler data from flow cache profiler data
-- stream_ip: fix non-frag counting
-- stream_size: fix eval packet checks
-- stream_tcp: delete superfluous memsets to zero
-- stream_tcp: ignore flush requests on unitialized sessions (early abort condition)
-- stream_tcp: instantiate wizard only when needed
-- stream_tcp: remove empty default state action
-- stream_user: clear splitter properly
-- target_based: Install header
-- wizard: abort if no match
-- wizard: activate profiler support
-- wizard: usage is inspect
17/10/31 - build 240
-- active: fix packet modify vs resize handling
-- alert_csv: rename dgm_len to pkt_len
-- alert_csv: add b64_data, class, priority, service, vlan, and mpls options
-- alert_json: initial json event logger
-- alerts: add log_references to store and log rule references with alert_full
-- appid: enable SSL certificate pattern matching
-- appid: fix build with LuaJIT 2.1
-- appid: reorganize AppIdHttpSession to minimize padding
-- appid: add count for applications detected by port only
-- appid: create exptected flow immediately after ftp PORT command for active mode
-- appid: handle sip events before packets
-- appid: overhaul peg counting for discovered appids
-- appid: use ac_full search method since it supports find_all; force enable dfa flag
-- binder: added network policy selection
-- binder: added zones
-- binder: allow src and dst specifications for ports and nets
-- binder: check interface on packet instead of flow
-- binder: fixed nets check falling through on failure
-- build: clean up a few ICC 2018 and GCC 7 warnings
-- build: fix linking against external libiconv with autotools
-- build: fix numerous analyzer errors and leaks
-- build: fix numerous clang-tidy warnings
-- build: fix numerous cppcheck warnings
-- build: fix numerous valgrind errors
-- build: fixed issues on OSX
-- catch: update to Catch v1.10.0
-- cd_icmp6: fix encoded cksum calculation
-- cd_pbb: initial version of codec for 802.1ah; thanks to jan hugo prins <jhp@jhprins.org> for reporting the issue
-- cd_pflog: fix comments; thanks to Markus Lude <markus.lude@gmx.de> for the 2X patch
-- content: fix relative loop condition
-- control: delete the old binder while reloading inspector
-- control: update binder with new inspector
-- daq: add support for DAQ_VERDICT_RETRY
-- daq: add support for packet trace
-- daq: add support tunnel bypass for IP 4IN4, IP 6IN6, GRE and MPLS by config and flags
-- data_log: update to new http_inspect
-- dce_rpc: remove connection-oriented rules from dce_smb module
-- dce_smb: unicode filename support
-- doc: add module usage and peg count type
-- doc: add POP, IMAP and SMTP to user manual features
-- doc: add port scan feature
-- flow key: support associating router solicit/reply packets to a single session
-- http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after status line or headers
-- http_inspect: add random increment to message body division points
-- http_inspect: added http_raw_buffer rule option
-- http_inspect: create message sections with body data that has been dechunked and unzipped but not otherwise nortmalized
-- http_inspect: handle borked reassembly gracefully; thanks to João Soares <joaopsys@gmail.com> for reporting the issue
-- http_inspect: support for u2 extra data logging
-- http_inspect: test tool improvements
-- http_inspect: true IP enhancements
-- inspectors: add control type and ensure appid is run ahead of other controls
-- inspectors: add peg count for max concurrent sessions
-- ips: add uuid
-- loggers: add base64 encoder based on libb64 from devolve
-- loggers: use standard year/mon/day format
-- main: fix potential memory leak when queuing analyzer commands
-- memory: align allocator metadata such that returned memory is also max_align_t-aligned
-- memory: output basic startup heap stats
-- messages: output startup warnings and errors to stderr instead of stdout
-- messages: redirect stderr to syslog as well
-- modules: add usage designating global, context, inspect, or detect policy applicability
-- mss: add extra rule option to check mss
-- parser: disallow invalid port range !:65535 (!any)
-- parser: tweak performance
-- pcre: fix relative search with ^
-- pop: service name is pop3
-- replace: fix activation sequence
-- rules: warn only once per gid:sid of no fast pattern
-- search_engine: port the optimized port table compilation from 2.9.12
-- search_engines: Fix case sensitive ac_full DFA matching
-- shell: delete inspector from the default inspection policy
-- shell: fix --pause to accept control commands while in paused state
-- sip: sip_method can use data from any sip inspector of any inspection policy
-- snort.lua: align default conf closer to 2.X
-- snort.lua: expand default conf for completeness and clarity
-- snort_defaults.lua: update default servers and ports
-- snort2lua: correctly identify ftpbounce and sameip as unsupported rule options
-- snort2lua: added XFF configuration to unsupported list
-- snort2lua: added config protected_content to deleted list
-- snort2lua: added config_na_policy_mode to unsupported list
-- snort2lua: added dynamicoutput to deleted list
-- snort2lua: added firewall to unsupported list
-- snort2lua: added nap.rules zone translation
-- snort2lua: added nap_selector support
-- snort2lua: added nap_selector to unsupported list
-- snort2lua: added sf_unified2 to unsupported list and matching log/alert to deleted.
-- snort2lua: bindings now merge and propagate to top level of corresponsing policy
-- snort2lua: config policy_id converts to when ips_policy_id
-- snort2lua: convert dsize:a<>b to dsize:a<=>b for consistency with other rule options
-- snort2lua: do not convert sameip; handle same as ftpbounce (no longer supported)
-- snort2lua: enforced ordering to bindings in binder table
-- snort2lua: fix null char in -? output
-- snort2lua: fixed extra whitespace generation
-- snort2lua: logto is not supported
-- snort2lua: removed port dce proxy bindings to fix http_inspect conflicts
-- snort2lua: search_engine.split_any_any now defaults to true
-- snort: -T does not compile mpse; --mem-check does
-- snort: add warnings count to -T ouptut
-- snort: add --dump-msg-map
-- snort: exit with zero from usage
-- snort: fix --dump-builtin-rules to accept optional module prefix
-- stdlog: support snort 3> log for text alerts
-- target: add rule option to indicate target of attack
-- thread: add logging directory ID offset controlled by --id-offset option
-- u2spewfoo: fix build on FreeBSD
-- unified2: add legacy_events bool for out-of-date barnyard2
-- unified2: log buffers as cooked packets with legacy events
-- wscale: add extra rule option to check tcp window scaling
17/07/25 - build 239
-- rules: remove sample.rules; Talos will publish Snort 3 rules on snort.org
-- logging: fix handling of out of range timeval
thanks to kamil@frankowicz.me for reporting the issue
-- wizard: fix direction issue
-- wizard: fix imap spell
17/07/24 - build 238
-- check: update hyperscan and regex tests
-- cpputests: clean up some header include issues
-- daq_socket: update to support query of pci
-- detection: fix debug print of fast pattern only
-- detection: rule evaluation trace utility
-- doc: update concepts and differences
-- file_api: memory leak fixed
-- file_id: fixes for file capture exit
-- http_inspect: added 119:97 for lower case letters in version field
-- http_inspect: alert 119:96 added for unsolicited 206 response.
-- http_inspect: specific alert added 119:95 for Content-Encoding chunked.
-- ipv6: fix flow label access method; thanks to schrx3b6 for the patch
-- loggers: remove units options; all limits expressed in MB
-- mpse: Remove Intel Soft CPM support
-- mpse: make regex capability generic
-- mpse: only use literals for fast patterns if search_method is not hyperscan
-- output: add packet trace feature
-- perf_monitor: fixed main table (perf_monitor) having same name as pegs for
-- perfmon field
-- regex: fix pass through of mpse flags to hyperscan
-- replace: do not trip over fast pattern only
-- rpc: revert to positional params, fix tcp logic, clean up formatting
-- rules: promote metadata:service to a separate option since it is not metadata
-- snort2lua: Fixed incorrect file names errors
-- snort2lua: move footprint to stream from stream_tcp
-- spell check: fix message and comment typos
-- stream: add ip_proto as part of flow key
-- stream: fix user dependency on flush bucket
-- text logs: fix default unlimited file size
-- u2: add event3 to u2spewfoo
-- u2: convert thread local buffers to heap
-- u2: deprecate ip4 and ip6 specific events and add a single event for both
-- u2: remove obsolete configurations
-- u2: support mixed IP versions
17/07/13 - build 237
-- build: add support for appending EXTRABUILD to the BUILD string
-- build: Clean up some ICC 2017 warnings
-- build: clean up some GCC 7 warnings
-- build: support OpenSSL 1.1.0 API
-- build: clean up some cppcheck warnings
-- appid: port some missing 2.9.X FEAT_OPEN_APPID code
-- appid: fix thread-unsafe sharing of HTTP pattern tables
-- DAQ: fix leaking instance memory when configure fails
-- daq_hext and daq_file: pass PCI via query method
-- icmp6: reject non-ip6, raise 116:474
-- http_inspect: header normalization improvements
-- http_inspect: port fixes for UTF decoding
-- http_inspect: added 119:87 - 119:90 for expect / continue issues
-- http_inspect: added 119:91 for Transfer-Encoding header not valid for HTTP 1.0
-- http_inspect: added 119:92 for Content-Transfer-Encoding
-- http_inspect: added 119:93 for issues with chunked message trailers
-- PDF decompression: fix missing reset in state machine transition
-- ftp_server: implement splitter to improve EOF processing
-- port_scan: merge global settings into main module and other improvements
-- perf_monitor: add JSON formatter
-- ssl: add splitter to improve PDU processing
-- detection: fix segfault in DetectionEngine::idle sans thread_init
-- rules: tolerate spaces in positional parameters
thanks to Joao Soares for reporting the issue
-- ip and tcp options: fix max length handling and clean up logging
-- cmg: improved alert formatting
-- doc: updates re control channel
-- snort2lua: added line number and file name to error output
-- snort2lua: fix removal of ignore_ports in stream_tcp.small_segments
-- snort2lua: fix heap-use-after-free for preprocessors and configs with no arguments
-- snort2lua: update for port_scan
17/06/15 - build 236
-- appid: clean up shutdown stats
-- appid: fix memory leak
-- conf: update defaults
-- decode: updated ipv6 valid next headers
-- detection: avoid superfluous leaf nodes in detection option trees
-- http_inspect: improved handling of badly terminated chunks
-- http_inspect: improved transfer-encoding header processing
-- ips options: add validation for range check types such as dsize
-- perf_monitor: add more tcp and udp peg counts
-- perf_monitor: update cpu tracker output to thread_#.cpu_*
-- port_scan: alert on all scan attempts so blocking is possible
-- port_scan: make fully configurable
-- sip: fix get body buffer for fast patterns
-- ssl: use stop-and-wait splitter (protocol aware splitter is next)
-- stream_ip: fix 123:7
17/06/01 - build 235
-- http_inspect: improve handling of improper bare \r separator
-- appid: fix bug where TNS detector corrupted the flow data object
-- search_engine: set range for max_queue_events parameter
thanks to Navdeep.Uniyal@neclab.eu for reporting the issue
-- arp_spoof: reject non-ethernet packets
-- stream_ip: remove dead code and tweak formatting
-- ipproto: remove unreachable code
-- control_mgmt: add support for daq module reload
-- control_mgmt: add support for unix sockets
-- doc: update default manuals
-- doc: update differences section
-- doc: update README
17/05/21 - build 234
-- byte_math: port rule option from 2X and add feature documentation
-- pgm: don't calculate checksum if header length is not divisible by 4
-- appid: fix sip event handling, http pattern lists, thread locals
-- build: fix issues with OpenSolaris and FreeBSD builds
-- cmake: fix issues with libpcap and miscellaneous
-- offload: refactor for initial (experimental) version of regex offload to other threads
-- cmg: revamp hex buffer dump format with 16 or 20 bytes per line
-- rules: reject positional parameters containing spaces
17/05/11 - build 233
-- packet manager: ensure ether type proto ids don't masquerade as ip proto ids
thanks to Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> for reporting the issue
-- codec manager: fix off-by-1 mapping array size
thanks to Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> for reporting the issue
-- codec: fix extraction of ether type from cisco metadata
-- appid: add new unit tests to the cmake build, fix missing lib reference to sfip
-- sfghash: clean up and add unit tests
-- http: fix 119:38 false positive
-- main: fix compiler warnings when SHELL is not enabled
-- perf_monitor: fix flatbuffers handling of empty strings
-- modbus: port fix for false positives on length field
-- http: port simple UTF decoding w/o byte order mark
-- build: updated code to resolve cppcheck warnings
-- cleanup: fix typos in source code string literals and comments
-- doc: fix typos
17/04/28 - build 232
-- build: clean up Intel compiler warnings and remarks
-- build: fix FreeBSD compilation issues
-- cmake: fix building with and without flatbuffers present
-- autoconf: check for lua.hpp as well as luajit.h to ensure C++ support
-- shell: make commands non-blocking
-- shell: allow multiple remote connections
-- snort2lua: fix generated stream_tcp bindings
-- snort2lua: fix basic error handling with non-conformant 2.X conf
-- decode: fix 116:402
-- dnp3: fix 145:5
-- appid: numerous fixes and cleanup
-- http_server: removed (use new http_inspect instead)
-- byte_jump: add bitmask and from_end (from 2.9.9 Snort)
-- byte_extract: add bitmask (from 2.9.9 Snort)
-- flatbuffers: add version to banner if present
-- loggers: build alert_sf_socket on all platforms
17/04/07 - build 231
-- add decode of MPLS in IP
-- add 116:171 and 116:173 cases (label 0 or 2 in non-bottom of stack)
-- cleanup: remove dead code
17/03/27 - build 230
-- require hyperscan >= 4.4.0, check runtime support
thanks to justin.viiret@intel.com for submitting the patch
-- fix search tool issue with empty pattern database
thanks to justin.viiret@intel.com for reporting the issue
-- fix sip_method to error out if sip not instantiated
-- major appid overhaul to address lingering concerns: refactor, cleanup,
simplify
-- major detection overhaul to address lingering concerns: refactor, cleanup,
release memory ASAP
-- add FlatBuffers output format to perf_monitor
also added tool to convert FlatBuffers files to yaml
-- add regex.fast_pattern; do not use for fast pattern unless explicitly indicated
-- update copyrights to 2017
17/03/17 - build 229
-- fixed mpse to ensure all search methods return consistent results
-- updated search tool to use fast pattern config's search method
(benefits appid, http_inspect, imap, pop, and smtp)
-- snort2lua parsing bug fixes to recognize incomplete constructs
-- http_inspect: added alert 119:81 for nonprinting character in header name
-- http_inspect: added alert 119:82 for bad Content-Length value
-- http_inspect: added alert 119:83 for header wrapping; CR and LF parsed as whitespace
17/03/02 - build 228 - Alpha 4
-- update hypercsan mpse: print error message and erroneous pattern when compilation fails
-- update rule parser: add multiple byte orders warning
-- fix pid file: create regardless of priv drop settings
-- fix dce_rpc: mark generated iface patterns as literal
-- snort2lua: mark appid conf and thirdparty_appid_dir as unsupported (temporary)
-- snort2lua: fix a couple of typos in table API output
-- snort2lua: fix sticky buffer following uricontent
-- doc: add DAQ configuration documentation
-- doc: move LibDAQ README to Reference, update, and fix typos
-- doc: update default manuals
17/02/24 - build 227
-- allow arbitrary / unused gids in text rules
-- support DAQs w/o explicit sources (nfq, ipfw)
-- fix up peg help (remove _)
-- fix u2 logging of PDUs
17/02/16 - build 226
-- add PDF/SWF decompression to http_inspect
-- add connectors to generated reference parts of manual
-- add feature documentation for HA, side_channel, and connectors
-- add feature documentation for http_inspect
-- update default manuals
-- fix privilege dropping and chroot behavior
-- fix perf_monitor segfault when tterm is called before tinit
-- fix stream_tcp counter underflow bug and handle max and instant stats
-- fix lzma length calculation bug
-- fix bogus 129:20 alerts
-- fix back orifice compiler warning with -O3
-- fix bug that could cause hang on ctl-C
-- fix memory leak after reload w/o changing search engine
-- fix off by one error when reassembling after TCP FIN received
-- fix cmake doc build to include plugins on SNORT_PLUGIN_PATH
-- fix compiler warnings in dce_http_server and dce_http_proxy
-- fix appid reload issue
-- snort2lua - changes for rpc over http
-- snort2lua - changes to convert config alertfile: <filename>
-- snort2lua - changes to add file_id when smb file inspection is on
-- snort2lua - add deprecated option stream5_tcp: log_asymmetric_traffic
17/02/01 - build 225
-- implement RPC over HTTP by adding dce_http_server and dce_http_proxy
-- port disable_replace option from snort 2.x and add snort2lua support
-- port ssh tunnel over http detection
-- fix stream splitter handling during final flush of session data
-- fix appid to use HTTP inspection events to detect webdav methods
-- fix unit test build to work w/o REG_TEST
-- fix shell to add missing newline to Lua execution error responses
-- fix support for content strings with escaped quotes ("foo\"bar")
thanks to secres@linuxmail.org for reporting the issue
-- fix various reload issues
-- fix various thread sanitizer issues
-- fix session disposal to always be after logging
-- fix appid pattern matching issues
-- fix appid dns flow counts
-- fix shell resume after command line --pause
-- fix sd_pattern validation boundary conditions
-- build: don't disable asserts when compiling with code coverage
-- autoconf: update to latest versions of autoconf-archive macros
-- main: add asynchronous, broadcastable analyzer commands
-- add salt to flow hash
-- normalize peg names to lower snake_case
-- update default manuals
17/01/17 - build 224
-- fix various stream_tcp flush issues
-- fix various cmake issues
-- fix appid counting of kerberos flows
-- fix expected flow leak when expiring nodes during lookup
thanks to João Soares <joaosoares11@hotmail.com> for reporting the issue
-- fix autoconf retrieving PCRE cppflags from pkg-config
-- fix stream_user reassembly
-- remove unused appid.thirdparty_appid_dir
-- build and install plugins as modules instead of libraries
-- obfuscate stream rebuilt payload
-- updates for latest zlib
-- disable smb2 processing when file service is disabled
-- refactor includes; prune the set of installed headers
-- don't build alert_sf_socket on OSX
-- added CPP flags used to build Snort to snort.pc for extras and other
plugins to use
16/21/16 - build 223
-- port 2983 smb active response updates
-- fix reload crash with file inspector
-- fix appid service dispatch handling issue
thanks to João Soares <joaosoares11@hotmail.com> for reporting the issue
-- fix paf-type flushing of single segments
thanks to João Soares <joaosoares11@hotmail.com> for reporting the issue
-- fix daemonization
thanks to João Soares <joaosoares11@hotmail.com> for reporting the issue
-- also fixes double counting of reassembled buffers
-- fix fallback from paf to atom splitter if flushing past gap
-- fix thread termination segfaults after DAQ module initialization fails
-- fix non-x86 builds - do not build tsc clock scaling
-- added appid to user manual features
-- update default user manuals
-- minor refactor of flush loop for clarity
-- improve http_inspect Field class
-- refactor plugin loading
16/12/16 - build 222
-- add JavaScript Normalization to http_inspect
-- fix appid service check dispatch list
-- fix modbus_data handling to not skip options
thanks to FabianMalte.Kopp@b-tu.de for reporting the issue
-- fix sensitive data filtering documentation issues
-- build: Illumos build fixes
-- build: Address some cppcheck concerns
-- miscellaneous const tweaks
-- reformat builtin rule text for consistency
-- reformat help text for consistency
-- refactor user manual for clarity
-- update default user manuals
16/12/09 - build 221
-- fix appid handling of sip inspection events
-- fix wizard to prevent use-after-free of service name
-- fix various issues reported by cppcheck
-- fix reload race condition
-- fix cmake + clang builds
-- add padding guards around hash key structs
-- update manual for dce_* inspectors
-- refactor IP address handling
16/12/01 - build 220
-- fixed uu and qp decode issue
-- fixed file signature calculation for ftp
-- fixed file resume blocking
-- fix 135:2 to be upon completion of 3-way handshake
-- fix memory leak with libcrypto use
-- fix multithreaded use of libcrypto
-- fix default snort2lua output for gtp and modbus
-- fix Lua ordering issue with net and port vars
-- fix miscellaneous multithreading issues with appid
-- fix comment in snort.lua re install directory use;
thanks to Yang Wang for sending the pull request
-- add alternate fast patterns for dce_udp endianness
-- removed underscores from all peg counts
-- document sensitive data use
-- user manual refactoring and updates
16/11/21 - build 219
-- add dce auto detect to wizard
-- add MIME file processing to new http_inspect
-- add chapters on perf_monitor and file processing to user manual
-- appid refactoring and cleanup
-- many appid fixes for leaks, sanitizer, and analyzer issues
-- fix appid pattern matching for http
-- fix various race conditions reported by thread sanitizer
-- fix out-of-order FIN handling
-- fix cmake package name used in HS and HWLOC so that REQUIRED works
-- fix out-of-tree doc builds
-- fix image sizes to fit page; thanks to wyatuestc for reporting the issue
-- fix fast pattern selection when multiple designated
thanks to j.mcdowell@titanicsystems.com for reporting the issue
-- change -L to -K in README and manual; thanks to jncornett for reporting the issue
-- support compiling catch tests in standalone source files
-- create pid file after dropping privileges
-- improve detection and use of CppUTest in non-standard locations
16/11/04 - build 218
-- fix shutdown stats
-- fix misc appid issues
-- rewrite appid loading of lua detectors
-- add sip inspector events for appid
-- update default manuals
16/10/28 - build 217
-- update appid to 2983
-- add inspector events from http_inspect to appid
-- fix appid error messages
-- fix flow reinitialization after expiration
-- fix release of blocked flow
-- fix 129:16 false positive
16/10/21 - build 216
-- add build configuration for thread sanitizer
-- port dce_udp fragments
-- build: clean up some ICC warnings
-- fix various unit test leaks
-- fix -Wmaybe-uninitialized issues
-- fix related to appid name with space and SSL position
16/10/13 - build 215
-- added module trace facility
-- port block malware over ftp for clients/servers that support REST command
-- port dce_udp packet processing
-- change search_engine.debug_print_fast_pattern to show_fast_patterns
-- overhaul appid for multiple threads, memory leaks, and coding style
-- fix various appid patterns and counts
-- fix fast pattern selection
-- fix file hash pruning issue
-- fix rate_filter action config and apply_to clean up
16/10/07 - build 214
-- updated DAQ - you *must* use DAQ 2.2.1
-- add libDAQ version to snort -V output
-- add support http file upload processing and process decode/detection depths
-- port sip changes to avoid using NAT ip when calculating callid
-- port dce_udp autodetect and session creation
-- fix static analysis issues
-- fix analyzer/pig race condition
-- fix explicit obfuscation disable not working
-- fix ftp_data: Gracefully handle cleared flow data
-- fix LuaJIT rule option memory leak of plugin name
-- fix various appid issues - initial port is nearing completion
-- fix http_inspect event 119:66
-- fix ac_full initialization performance
-- fix stream_tcp left overlap on hpux, solaris
-- fix/remove 129:5 ("bad segment") events
-- file_mempool: fix initializing total pool size
-- fix bpf includes
-- fix builds for OpenSolaris
-- expected: push expected flow information through the DAQ module
-- expected: expected cache revamp and related bugfixes
-- ftp_data: add expected data consumption to set service name and fix bugs
-- build: remove lingering libDAQ #ifdefs
-- defaults: update FTP default config based on Snort2's hardcoded one
-- rename default_snort_manual.* to snort_manual.*
-- build docs only by explicit target (make html|pdf|text)
-- update default manuals to build 213
-- tolerate more spaces in ip lists
-- add rev to rule latency logs
-- change default latency actions to none
-- deleted non-functional extra decoder for i4l_rawip
16/09/27 - build 213
-- ported full retransmit changes from snort 2X
-- fixed carved smb2 filenames
-- fixed multithread hyperscan mpse
-- fixed sd_pattern iterative validation
16/09/24 - build 212
-- add dce udp snort2lua
-- add file detection when they are transferred in segments in SMB2
-- fix another case of CPPUTest header order issues
-- separate idle timeouts from session timeouts counts
-- close tcp on rst in close wait, closing, fin wait 1, and fin wait 2
-- doc: update style guide for 'using' statements and underscores
-- packet_capture: Include top-level pcap.h for backward compatibility
-- main: remove unused -w commandline option