forked from OISF/suricata
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
2514 lines (2352 loc) · 132 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
7.0.0-rc1 -- 2023-01-31
Feature #5761: Unknown ethertype packets are not counted
Feature #5516: tls: client cert detection
Feature #5384: Thread Synchronisation: wait for all threads to be in an operating state before continuing initialisation
Feature #5383: Support for IP addresses in dataset
Feature #5219: ips: add 'master switch' to enable dropping on traffic (handling) exceptions
Feature #5184: Add more dataset user interaction
Feature #4981: frames: add general <app_proto>.stream frames
Feature #4979: frames: implement dynamic logic to disable frames of a type
Feature #4751: dns/eve: add 'HTTPS' type logging
Feature #4269: Additional dataset operations
Feature #3306: Support AF_XDP capture method
Feature #3086: app_proto for Torrent traffic
Feature #2497: error messages usability improvement
Security #5712: tcp: crafted packets lead to resource starvation
Security #5703: smb: crash inside of streaming buffer Grow()
Security #5701: Suricata crashes while processing FTP
Security #5700: SCRealloc of large chunk crashes Suricata
Security #5686: decoder/tunnel: tunnel depth not limited properly
Security #5623: smtp/base64: crash / memory corruption
Bug #5817: tls: certificates with dates prior to 1970 are not logged correctly
Bug #5814: smb: duplicate interface fields logged
Bug #5813: rfb/eve: depth in pixel format logged twice
Bug #5811: smb: tx logs sometimes have duplicate `tree_id` output
Bug #5781: smb: unbounded file chunk queuing after gap
Bug #5779: dcerpc: max-tx config parameter
Bug #5769: Incomplete values for .stats."app_layer".flow.proto
Bug #5765: exceptions: midstream flows are dropped if midstream=true && stream.midstream-policy=drop-flow
Bug #5753: smb: convert transaction list to vecdeque
Bug #5747: iprep/ipv6: warning issued on valid reputation input
Bug #5725: smtp: quoted-printable encoding skips empty lines in files
Bug #5707: quic: ja3 Stack-use-after-return READ 1
Bug #5706: app-layer-htp: Condition depending on enabled IPS mode never true
Bug #5693: decode: Padded packet to minimal Ethernet length marked with invalid length event
Bug #5691: HTTP/2 decompression bug
Bug #5663: tls: buffer overhead off by one in TLSDecodeHSHelloExtensionSupportedVersions
Bug #5661: security.limit-noproc: break ASAN/LSAN when non-root user
Bug #5658: SMTP: segfault on boundary data
Bug #5654: readthedocs: not showing pdf download option for recent versions
Bug #5644: Integer overflow at dcerpc.rs:846
Bug #5637: quic: convert to vecdeque
Bug #5624: quic: rule with ja3.hash keyword fails to load
Bug #5617: dpdk: avoid per thread warnings
Bug #5580: dpdk: IDS vs IPS confusion
Bug #5579: pgsql: support out of order parameter in startup message
Bug #5574: base64: skip over all invalid characters for RFC 2045 mode
Bug #5572: pcre2: allow different include/lib paths
Bug #5567: smb: failed assertion (!((f->alproto == ALPROTO_SMB && txd->files_logged != 0))), function CloseFile, file output-file.c
Bug #5564: tls: buffer overread
Bug #5558: detect: invalid hex character in content leads to bad debug message
Bug #5557: dcerpc: rust integer underflow
Bug #5553: dpdk: Packets with invalid checksums are not counted in DPDK capture mode
Bug #5530: frames: buffer overflow in signatures parsing
Bug #5529: frame: memory leak in signature parsing
Bug #5528: tcp: assertion failed in function DoInsertSegment
Bug #5456: detect: config keyword prevents tx cleanup
Bug #5444: dns: allow dns messages with invalid opcodes
Bug #5379: detect/udp: different detection from rules when UDP/TCP header is broken
Bug #5374: pcap-log: breaking change in file names
Bug #5258: smb/ntlmssp: parser incorrectly assumes fixed field order
Bug #5235: ftp: add event when command request or response is too long
Bug #5205: FTP-data unrecognized depending on multi-threading
Bug #5198: eve/stats: ASAN error when eve output file can't be opened.
Bug #5161: smb: file not tracked on smb2 async
Bug #4580: smb: large streams can cause large memory moves (memmove)
Bug #4554: Configuration test mode succeeds when classification.config file contains invalid content
Bug #3253: tls: handling of 'Not Before' date before unix epoch
Bug #2982: invalid dsize distance rule being loaded by suricata
Optimization #5782: smb: set defaults for file chunk limits
Optimization #5373: Prevent process creation by Suricata process
Optimization #4977: frames: gap handling in inspection
Optimization #4908: ftp: use AppLayerResult instead of buffering wherever possible
Optimization #4614: Fix warning about "field reassign with default"
Optimization #4612: Fix warning about "nonminimal bool"
Optimization #4611: Fix warning about "extra unused lifetimes"
Optimization #4610: Fix warning about "explicit counter loop"
Optimization #4608: Fix warning about "redundant pattern matching"
Optimization #4606: Fix warning about "match ref pats"
Optimization #4603: Fix warning about "type complexity"
Optimization #4602: Fix warning about "new without default"
Optimization #4601: Fix warning about "while let loop"
Optimization #4600: Fix warning about "needless lifetimes"
Optimization #4598: Fix warning about "needless_range_loop"
Optimization #4596: Fix warning about "single match"
Optimization #4594: Fix warning about "this loop never actually loops"
Optimization #4592: Fix warning about "for loop over fallibles"
Optimization #4591: Fix Rust clippy lints
Optimization #3160: clean up error codes
Task #5638: SWF decompression: Do not depend on libhtp
Task #5632: Disable swf decompression by default
Task #5587: ips/tap: in layer 2 ips/tap setups, warn that mixed usage of ips and tap will be removed in 8.0
Task #5586: rust/applayertemplate: remove pub and no_mangle from extern functions that don't need it
Task #5504: exceptions: error out when invalid configuration value is passed
Task #5496: detect/parse: add tests for parsing signatures with reject and drop action
Task #4939: app-layer: template and setup script
Task #4054: Convert unittests to new FAIL/PASS API: detect-replace.c
Task #4050: Convert unittests to new FAIL/PASS API: detect-l3proto.c
Task #4049: Convert unittests to new FAIL/PASS API: detect-itype.c
Task #4043: Convert unittests to new FAIL/PASS API: detect-icmp-seq.c
Task #4042: Convert unittests to new FAIL/PASS API: detect-icmp-id.c
Task #4039: Convert unittests to new FAIL/PASS API: detect-filesize.c
Task #4030: Convert unittests to new FAIL/PASS API: detect-engine-tag.c
Task #4029: Convert unittests to new FAIL/PASS API: detect-engine-sigorder.c
Task #4020: Convert unittests to new FAIL/PASS API - detect-distance.c
Documentation #5616: Ubuntu PPA: Package software-properties-common
Documentation #5585: devguide: bring section about installation from redmine wiki into DevGuide
Documentation #5515: userguide: add a dedicated chapter/section for the Exception Policies
Documentation #5129: devguide: clarify style guide for getframe functions
Documentation #4929: devguide: bring Contributing process page into it
Documentation #4697: devguide: document app-layer frame support
7.0.0-beta1 -- 2022-10-26
Feature #5509: App-layer event for protocol change failure
Feature #5506: DHCP: signature keyword for rebinding_time
Feature #5503: ips: add "reject" action to exception policies
Feature #5479: Add landlock support
Feature #5468: ips: midstream: add "exception policy" for midstream
Feature #5442: kerberos: log ticket encryption method
Feature #5435: DHCP: signature keyword for lease_time
Feature #5416: SNMP: signature keyword for usm
Feature #5218: ips: allow dropping of flow if applayer reaches error state
Feature #5216: ips: allow dropping of flow if flow.memcap is hit
Feature #5215: ips: allow dropping of flow if stream.reassembly.memcap is hit
Feature #5214: ips: allow dropping of flow if stream.memcap is hit
Feature #5202: eve/drop: include drop "reason"
Feature #5191: new keyword for self signed certificates
Feature #5190: new tls.random keyword
Feature #5036: sip: add frames support
Feature #4984: dns: add frames support
Feature #4983: frames: support UDP
Feature #4967: QUIC v1 support
Feature #4872: nfs: add stream app-layer frame support
Feature #4556: HTTP2: support deflate decompression
Feature #4551: eve: add direct base64 to json option to json builder
Feature #4550: pthreads: set minimum stack size
Feature #4541: netmap: new API version (14) supports multi-ring software mode
Feature #4526: SIGSEGV handling -- log stack before aborting
Feature #4515: Add DNS logging of Z flag
Feature #4507: dpdk: initial support for IDS and IPS modes
Feature #4498: decoder: add VN-Tag support
Feature #4406: unix socket: Get flow information by flow_id
Feature #4386: Support for RFC2231
Feature #4332: Makes libhtp decompression time limit configurable from Suricata
Feature #4241: Protocol support: PostgreSQL (pgsql)
Feature #4144: file.data: support for request side files in HTTP
Feature #4142: file.data: support for NFS
Feature #4117: http2: byte-range support
Feature #4116: http2: body compression handling
Feature #3957: Convert protocol to Rust: Modbus
Feature #3887: yaml: Increase maximum size for address vars
Feature #3767: Add IKEv1 parser
Feature #3701: eve: add tenant_id in eve-log for other types than alert
Feature #3512: stream depth event rule
Feature #3440: Add GQUIC Protocol Analysis and CYU Fingerprinting
Feature #3292: support for network service header (NSH)
Feature #3285: rules: XOR keyword
Feature #3002: Flow and Netflow Not Logging ESP Traffic
Feature #2697: prefilter support for stream_size
Feature #2450: lua: scripts access to calling rule informations
Feature #2323: Applayer support for telnet
Feature #2096: eve: event_type for MODBUS
Feature #2054: Extracting HTTPS URL´s from SMTP, currently only HTTP is supported
Feature #1576: http: byte-range support
Feature #1478: Active flow counters
Feature #1369: eve: json schema
Feature #1096: tls: client certificate handling
Feature #120: Capture full session on alert
Security #5408: filestore: Segfault with filestore enabled and forced
Security #5399: mqtt: DOS by quadratic with too many transactions in one parse
Security #5244: Infinite loop in JsonFTPLogger
Security #5243: protocol detection: exploitable type confusion due to concurrent protocol changes
Security #5237: nfs: arbitrary allocation from nfs4_res_secinfo_no_name
Security #5187: Rust regex crate security advisory CVE-2022-24713
Security #5024: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input
Security #5023: smtp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input
Security #4857: ftp: SEGV at flow cleanup due to protocol confusion
Security #4710: tcp: Bypass of Payload Detection on TCP RST with options of MD5header
Security #4569: tcp: crafted injected packets cause desync after 3whs
Security #4504: tcp: Evasion possibility on wrong/unexpected ACK value in crafted SYN packets
Bug #5595: eve/alert: SEGV in files to alert logging
Bug #5584: detect/tag: timeout handling issues on windows
Bug #5581: eve: mac address logging for packet records reverses direction
Bug #5571: ips: encapsulated packet logged as dropped, but not actually dropped
Bug #5538: Compiler Warning on Fedora 36 / gcc 12.2.1
Bug #5536: detect: flow.age keyword
Bug #5527: postgresql: limit number of live transactions
Bug #5521: detect: transform strip whitespace creates a 0-sized variable-length array
Bug #5518: dcerpc: More efficient transaction handling for UDP
Bug #5508: SMB2 async responses are not matched with its request
Bug #5507: DHCP: signature keyword for renewal_time
Bug #5458: Reject action is no longer working
Bug #5457: Counters are not initialized in all places.
Bug #5455: ike: logging state transforms instead of transaction transforms
Bug #5419: Failed assert DeStateSearchState
Bug #5409: PCRE: use match and recursion limit for pcrexform
Bug #5402: detect: will still inspect packets of a "dropped" flow for non-TCP
Bug #5401: tcp: assertion failed in DoInsertSegment (BUG_ON)
Bug #5392: fileinfo: inconsistent file size tracking for GAPs
Bug #5391: events: PACKET_RECYCLE does not reset event_last_logged
Bug #5390: smb: have default stream-depth of 0
Bug #5386: detect/threshold: offline time handling issue
Bug #5377: modbus: probing parser recognizes modbus with unknown function code
Bug #5368: bypass: Memory leak of some flow bypass objects.
Bug #5361: IPS: ip only rules, but with negated addresses not treated like pure ip-only rules in IPS context
Bug #5353: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails
Bug #5331: stacktrace-on-signal: Kills all processes in the same process group
Bug #5330: flow: vlan.use-for-tracking is not used for ICMPv4
Bug #5329: rust: inconsistency between rust structure RustParser and C structure AppLayerParser
Bug #5327: track by_rule|by_both incorrectly rejected for global thresholds
Bug #5321: dcerpc: More efficient transaction handling
Bug #5317: flow manager: end of flow counters not working
Bug #5316: smtp: PreProcessCommands does not handle all the edge cases
Bug #5315: decode/mime: base64 decoding for data with spaces is broken
Bug #5314: ftp: quadratic complexity for tx iterator with linked list
Bug #5313: python: distutils deprecation warning
Bug #5312: test failure on Ubuntu 22.04 with GCC 12
Bug #5310: detect: several potential infinite loops by comparing u16 to size_t
Bug #5309: CIDR prefix calculation fails on big endian archs
Bug #5308: file handling: avoid toctou race conditions
Bug #5306: dcerpc: unsigned integer overflow in parse_dcerpc_bindack
Bug #5298: template (rust): convert transaction list to vecdeque
Bug #5297: pgsql: convert transaction list to vecdeque
Bug #5296: http2: convert transaction list to vecdeque
Bug #5295: rdp: convert transaction list to vecdeque
Bug #5294: mqtt: convert to vecdeque
Bug #5291: cppcheck: various static analyzer "warning"s
Bug #5285: frame: assertion failed in PrefilterMpmFrame
Bug #5281: ftp: don't let first incomplete segment be over maximum length
Bug #5280: nfs: ASSERT: attempt to subtract with overflow (compound)
Bug #5278: app-layer: Allow for non slice based transaction containers in generate get iterator (rust)
Bug #5277: dns: More efficient transaction handling
Bug #5276: eve: payload field randomly missing even if the packet field is present
Bug #5271: app-layer: timeout when removing many transactions from the beginning
Bug #5268: mqtt: integer underflow with truncated
Bug #5260: rust: update regex dependency
Bug #5259: rust: update time dependency
Bug #5248: flow: double unlock in tcp reuse case
Bug #5246: smb: integer underflows and overflows
Bug #5238: frame: memory leak in signature parsing
Bug #5236: frame: buffer over read in SCACSearch
Bug #5228: pcre2: SEGV during rule loading
Bug #5226: Frames: failed assertion !((int64_t)data_len > frame->len)
Bug #5223: base64_decode does not populate base64_data buffer once hitting non-base64 chars
Bug #5208: DCERPC protocol detection when nested in SMB
Bug #5205: FTP-data unrecognized depending on multi-threading
Bug #5201: content:"22 2 22"; is parsed without error
Bug #5197: fast_pattern assignment of specific content results in FN
Bug #5188: SSL : over allocation for certificates
Bug #5183: TLS Handshake Fragments not Reassembled
Bug #5174: MIME URL extraction creates invalid url in JSON
Bug #5168: detect/iponly: non-cidr netmask settings can lead incorrect detection
Bug #5162: inspection of smb traffic without smb/dcerpc doesn't work correct.
Bug #5147: frames: debug assertion on SMB2 traffic
Bug #5146: libhtp: does not handle 100 continue if there is a 0 Content Length
Bug #5145: nfs: Integer underflow in NFS
Bug #5144: Failed assert DeStateSearchState
Bug #5132: segfault: master - HTPFileCloseHandleRange
Bug #5094: output: timestamp missing usecs on Arm 32bit + Musl
Bug #5093: rust/proc-macro-crate: pin to old version to support our MSRV
Bug #5086: htp: server personality radix handling issue
Bug #5085: defrag: policy config can setup radix incorrectly
Bug #5084: iprep: cidr support can set up radix incorrectly
Bug #5081: detect/iponly: rule parsing does not always apply netmask correctly
Bug #5080: eve/dnp3: coverity warnings for string handling
Bug #5079: swf: coverity warning
Bug #5077: byte_math rule options need to be in order or will fail otherwise
Bug #5073: Off-by-one in flow-manager flow_hash row allocation
Bug #5070: Stacktrace logger should propagate original signal
Bug #5066: detect/iponly: mixing netblocks can lead to FN/FP
Bug #5065: frames: coverity warning
Bug #5046: Documentation copyright years are invalid
Bug #5040: stats: add app-layer error counters
Bug #5034: dns: probing/parser can return error when it should return incomplete
Bug #5019: dataset: error with space in rule language
Bug #5018: MQTT can return AppLayerResult::incomplete forever and buffer forever
Bug #5011: frames: buffer overread in SigValidate
Bug #5009: dpdk: fails to compile on ubuntu 22.04
Bug #5007: pgsql: coverity warning
Bug #4972: Null deference in ConfigApplyTx
Bug #4969: Libhtp timeout lzma reallocing dictionary
Bug #4953: stream: too aggressive pruning in lossy streams
Bug #4948: SMTP assertion triggered
Bug #4947: suricatasc loop if recv returns no data
Bug #4945: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
Bug #4941: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit
Bug #4935: DPDK: Packet counters set incorrectly
Bug #4924: dns: transaction not created when z-bit set
Bug #4920: detect/app-layer-protocol: app-layer-protocol:http broken
Bug #4882: Netmap configuration -- need a configuration option for non-standard library locations.
Bug #4877: Run stream reassembly on both directions upon receiving a FIN packet
Bug #4862: MQTT : transactions are never cleaned by AppLayerParserTransactionsCleanup
Bug #4860: eve.json remove app-layer specific fields from root object
Bug #4859: dnp3: buffer over read in logging base64 empty objects
Bug #4849: protodetect: SMB vs TLS protocol detection in midstream
Bug #4848: TFTP: memory leak due to missing detect state
Bug #4842: smb: excessive memory use during file transfer
Bug #4839: Memory leak with signature using file_data and NFS
Bug #4836: profiling: Invalid performance counter when using sampling
Bug #4828: flow: flows not evicted & freed in time
Bug #4817: smtp: smtp transaction not logged if no email is present
Bug #4812: conf: quadratic complexity
Bug #4811: Range: memory leak from HTTP2
Bug #4810: pppoe decoder fails when protocol identity field is only 1 byte
Bug #4808: flow: worker-evicted flows need to be processed quicker
Bug #4807: packetpool: packets in pool may have capture method ReleasePacket callbacks set
Bug #4804: af-packet: tpacket v3 if/down logic broken
Bug #4803: af-packet: up/down logic leaks resources in autofp (tpacket v2)
Bug #4801: af-packet: tpacket v3 socket reference handling broken
Bug #4800: af-packet: flag colision between kernel and Suricata
Bug #4785: af-packet: threads sometimes get stuck in capture
Bug #4779: flow/bypass: flow worker not performing flow timeout "housekeeping"
Bug #4778: flow/bypass: app-layer/stream resources not freed when bypass activated
Bug #4771: pcrexform: does not capture substring but whole match
Bug #4769: dcerpc dce_iface just match a packet
Bug #4767: Rule error in SMB dce_iface and dce_opnum keywords
Bug #4766: Flow leaked when flow->use_cnt access race happens
Bug #4765: loopback: different AF_INET6 values per OS
Bug #4764: range: no validity check with HTTP2 leads to over allocation
Bug #4757: Incomplete range with overlap, and expected new bytes, lead to incomplete reassembly
Bug #4754: Invalid range leads to OOM
Bug #4752: Memory leak in SNMP with DetectEngineState
Bug #4741: Quadratic complexity in modus due to missing tx_iterator
Bug #4739: Absent app-layer protocol is always enabled by default
Bug #4737: ubsan: bytejump warning
Bug #4731: flows: spare pool not freeing flows aggressively enough
Bug #4724: pcre2: scan-build warning
Bug #4722: flows: TCP flow timeout handling stuck if there is no traffic
Bug #4720: pcre2: ASAN heap-buffer-overflow
Bug #4719: http2: byte-range test fails intermittently
Bug #4699: coverity warnings after output changes
Bug #4692: lua: file info callback returns wrong value
Bug #4685: detect: too many prefilter engines lead to FNs
Bug #4681: Wrong list_id with transforms for http_client_body and http file_data
Bug #4680: nfs: failed assert self.tx_data.files_logged > 1
Bug #4679: IPv6 : decoder event on invalid fragment length
Bug #4670: rules: mix of drop and pass rules issues
Bug #4666: http: ipv6 address is a valid host
Bug #4664: ipv6 evasions : fragmentation
Bug #4663: rules: drop rules with noalert not fully dropping
Bug #4659: Configuration test mode succeeds when reference.config file contains invalid content
Bug #4654: tcp: insert_data_normal_fail can hit without triggering memcap
Bug #4650: Stream TCP raw reassembly is leaking
Bug #4622: File deletions over SMB are not always logged
Bug #4621: rust panic: when using smb stream-depth
Bug #4620: Protocol detection : confusion with SMB in midstream
Bug #4619: HTTP2 null dereference in upgrade
Bug #4586: segmentfault when reopen redis
Bug #4582: BUG_ON triggered from TmThreadsInjectFlowById
Bug #4581: Excessive qsort/msort time when large number of rules using tls.fingerprint
Bug #4577: coverity: minor warnings
Bug #4570: eve/flow: many flows logged with reason==unknown
Bug #4563: Rules based on SSH banner-related keywords only match on acked data
Bug #4562: Memory leak in Protocol change during protocol detection
Bug #4561: Failed assertion in SMTP SMTPTransactionComplete
Bug #4560: Quadratic complexity in HTTP2 gzip decompression
Bug #4558: DNP3: intra structure overflow in DNP3DecodeObjectG70V6
Bug #4549: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Bug #4540: unused variables warnings on Windows compiles with rust
Bug #4537: alert count shows up as 0 when stats are disabled
Bug #4536: SWF decompression overread
Bug #4534: Timeout in ikev2 parsing
Bug #4533: Rust modbus parser does not handle gaps as it claims
Bug #4530: DOS Quadratic complexity when having too many transactions
Bug #4527: Fix implicit conversions in traffic facing source code modules
Bug #4525: segv with --set cmdline option if incorrect key is provided
Bug #4523: Application log cannot to be re-opened when running as non-root user
Bug #4516: Integer overflows
Bug #4509: Incorrect flags in Rust
Bug #4508: SSH bypass is not working
Bug #4505: Rust panic while parsing (new rust) modbus rule
Bug #4503: Buffer overflow in "by_rule" threshold context
Bug #4502: TCP reassembly memuse approaching memcap value results in TCP detection being stopped
Bug #4495: output: threaded output coverity warning
Bug #4494: Failed assertion in HTTP2 decompression
Bug #4491: rules: rules w/o sid accepted, leading to alerts with signature_id: 0
Bug #4478: freebsd: lockups due to mutex handling issues
Bug #4477: Infinite loops in when using InspectionBufferMultipleForList
Bug #4476: heap-buffer-overflow WRITE in InspectionBufferSetup with use of InspectionBufferGetMulti
Bug #4473: Timeout in ftp parsing rs_ftp_active_eprt
Bug #4472: YAML -- interpretation of "~" (tilde)
Bug #4448: Properly set the ICMP emergency-bypassed value
Bug #4447: ipv6 & ftp & passive mode & error
Bug #4442: build: Build failure on FreeBSD
Bug #4440: eve: log if flow had gap
Bug #4438: Null-dereference in HTTP2MimicHttp1Request in midstream
Bug #4437: dns: high resource usage on long lived dns connections
Bug #4436: Buffer overread in SMTP SMTPParseCommandBDAT
Bug #4434: Duplicate alert record in eve log when using unix-socket mode
Bug #4433: Debug assert failed in ikev1 logger
Bug #4428: Rust panic in suricata::dcerpc::detect::handle_input_data (buffer overread)
Bug #4425: threaded eve: files not closed on deinitialization
Bug #4424: ftp: Memory leak with duplicate FTP expectation
Bug #4407: threshold: slow startup on threshold.config with many addresses in suppression
Bug #4404: eve/mqtt: mqtt logging crashes when eve is multithreaded
Bug #4403: Use after free or read overflow or use of unitized memory in TransformStripWhitespace called by HttpServerBodyXformsGetDataCallback
Bug #4401: Quadratic complexity in libhtp chunk parsing
Bug #4400: Panic in Rust HTTP2 dynamic headers table eviction
Bug #4397: eve.drop: alerts option logs lowest priority alert
Bug #4395: Incorrect AppLayerResult::incomplete for RDP
Bug #4394: detect: "drop" on protocol detect only rule doesn't drop flow
Bug #4389: Protocol detection tls-dcerpc
Bug #4388: Protocol detection evasion enip-dns
Bug #4387: Heap-use-after-free READ 8 · JsonDNP3LoggerToClient
Bug #4379: flow manager: using too much CPU during idle
Bug #4376: TCP flow that retransmits the SYN with a newer TSval not properly tracked
Bug #4375: segv in ApplyToU8Hash
Bug #4369: Configuration test mode succeeds when threshold.config file contains invalid content
Bug #4361: detect: file.data performance regression
Bug #4348: ftp: "g_expectation_data_id" and "g_expectation_id" in AppLayerExpectationHandle function
Bug #4335: Stack-buffer-overflow READ 4 in SetupU8Hash
Bug #4331: libhtp: don't put stream in error state on compression issues
Bug #4320: Heap use after free in parsing signatures with ip_proto and prefilter
Bug #4280: Suricata is not fully reading or loading the iprep files
Bug #4277: SIGABRT: rust panic HTTP2State
Bug #4274: Suricata crashes at exit in NFQ mode
Bug #4273: protodetect: SEGV due to NULL ptr deref
Bug #4272: Timeout in libhtp with lzma in gzip to be decompressed in many responses
Bug #4271: datasets: reference counter issue in string lookup
Bug #4267: output: don't use /etc/protocols
Bug #4262: ebpf: llc detection failure
Bug #4261: Mismatch between capture and outputs in rules leads to seg fault
Bug #4258: ftp-data: support for file.name keyword is incomplete
Bug #4254: Leak in signature parsing with urilen
Bug #4253: lua: flowint/flowvar API naming consistency
Bug #4247: detect: NOOPT flag not enforced correctly
Bug #4246: Assertion failed in AdjustToAcked delta > 10000000ULL && delta > stream->window
Bug #4245: SMTP/Email Body md5: Only logs the md5 of the first part in a multi-part mime message
Bug #4239: dataset file not written when run as user
Bug #4238: tcp/fastopen: false positive on "invalid option"
Bug #4233: ssl : Integer underflow in ssl parsing SSLV3_HANDSHAKE_PROTOCOL
Bug #4232: Protocol detection evasion enip-SMB
Bug #4231: ICMPv6 failed assert p->icmpv6h == NULL with icmpv6.hdr
Bug #4228: tcp/async: incorrect flagging of ACK values as invalid
Bug #4225: SC_ERROR_CONF_YAML_ERROR anomaly logger error when in socket mode
Bug #4224: modbus: Request flood leads to CPU exhaustion
Bug #4216: 5.0.5 in socket mode crashes when using file-store due to uninitialized stats_ctx
Bug #4211: Not all manpages are built by docs Makefile
Bug #4210: Alert not generated with 2 rules - http.request body (alone) and http.request_body/url_decode
Bug #4208: Suricata crashes with multi-threaded eve logger and HTTP/2 traffic
Bug #4206: dns: output flags not set correctly on 32 bit systems
Bug #4205: eve: Memory leak from jsonbuilder in @MetadataJson@
Bug #4202: Wrong stream side after direction change
Bug #4199: Transformation keyword can’t trigger an alert
Bug #4198: dcerpc: no alert triggered with dce opnum in 6.0
Bug #4187: rs_dcerpc_udp_get_tx takes out unusual amount of CPU
Bug #4171: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL
Bug #4152: fatal error: 'gnu/stubs-32.h' file not found
Bug #4106: Duplicate TLS subjects in tls metadata.
Bug #4096: flow manager: 200% CPU in KVM host with no activity with Suricata 6
Bug #4080: DCERPCUDPState handle fragmented data functions pegging certain CPU cores/threads
Bug #3996: SIGABRT: SMTPTransactionComplete
Bug #3995: SIGABRT stream-tcp-reassemble
Bug #3846: Infinite loop if the sniffing interface temporarily goes down
Bug #3703: fileinfo "stored: false" even if the file is kept on disk
Bug #3685: Incorrect logging level for messages
Bug #3542: FTP: expectation created in wrong direction.
Bug #3475: SMB evasion against EICAR file detection
Bug #3419: af-packet: cluster_id is not used when trying to set fanout support
Bug #3109: dcerpc engine not generating alerts
Bug #2809: Applayer Mismatch protocol both directions for kerberos AS-REQ/KDC_ERR_PREAUTH_REQUIRED exchange
Bug #2802: iprep: use_cnt can get desynchronized (SIGABRT)
Bug #2510: Suricata doesnt decompress HTTP Post body
Bug #2190: apparent 1000 character limit in threshold.conf IP lists
Optimization #5592: tunnel: spinlock for tunnel packet sync
Optimization #5577: Fix warning about "comparing with null" in debug code
Optimization #5481: tls: support incomplete API to replace internal buffering
Optimization #5454: http2: slow http2_frames_get_header_value_vec because of allocation
Optimization #5400: dpdk: allow specifying of `rss_hf` flags in config
Optimization #5232: rules: pattern id assignment is too slow
Optimization #5231: rules: mpm setup more costly than needed
Optimization #5230: rules: too much time spent in DetectUnregisterThreadCtxFuncs due to pcre2
Optimization #5229: rules: too much time spent in SigMatchListSMBelongsTo at startup
Optimization #4991: pgsql: convert parser to nom7 functions
Optimization #4907: smtp: use AppLayerResult instead of buffering wherever possible
Optimization #4805: af-packet: move vlan hdr insert logic to capture/decode
Optimization #4795: Remove PASS_IF macro from the FAIL/PASS API
Optimization #4748: app-layer/rust: explore if tx iterator can be implemented as a trait
Optimization #4711: Clang 14 and rust nightly new warnings
Optimization #4653: Flow cleaning with chunked approach is memory hungry
Optimization #4609: Fix warning about "if same then else"
Optimization #4604: Fix warning about "branches sharing code"
Optimization #4599: Fix warning about "ptr_arg"
Optimization #4597: Fix warning about "enum's name"
Optimization #4593: Fix warning about "mixed case hex literals"
Optimization #4555: HTTP2: what to do when HTTP upgrade is requested and HTTP2 is disabled ?
Optimization #4497: rust: clean up constructors of state, transaction structs
Optimization #4496: decode: remove NULL checks after header casts
Optimization #4475: Rust: Make default_port in parser registration an Option
Optimization #4427: storage api: use dedicated 'id' type
Optimization #4366: decoder: limit number of decoding layers
Optimization #4319: dcerpc: improve protocol detection
Optimization #4207: Use configurable or more dynamic @ PACKET_ALERT_MAX@
Optimization #4154: Rust Parsers: Abstract AppLayer events to a derive macro
Optimization #4126: Threaded eve logging for output types other than regular file (socket, plugins, redis etc)
Optimization #4112: Use generic rust DetectU32Data in every keyword needing this
Optimization #3832: rust: Make core::* as enum to improve readability
Optimization #3825: Defining only one basic rust Files structure
Optimization #3658: Use WARN_UNUSED for ByteExtract* functions
Optimization #3315: app-layer: unify registration logic
Task #5569: transversal: update references to suricata webpage version 2
Task #5497: github-ci: update runners using ubuntu-18.04 image
Task #5475: doc: add exception policy documentation
Task #5319: add `alert-queue-expand-fails` command-line option
Task #5179: stats/alert: log out to stats alerts that have been discarded from packet queue
Task #5175: nfs4: Improve compound record parsers
Task #5166: quic: Support older versions like Q039 and Q043
Task #5143: QUIC: support JA3
Task #5002: applayertemplate: convert parser to nom7 functions
Task #5001: x509: convert parser to nom7 functions
Task #5000: rfb: convert parser to nom7 functions
Task #4999: ntp: convert parser to nom7 functions
Task #4998: krb: convert parser to nom7 functions
Task #4997: mime: convert parser to nom7 functions
Task #4996: rdp: convert parser to nom7 functions
Task #4995: snmp: convert parser to nom7 functions
Task #4994: ike: convert parser to nom7 functions
Task #4993: asn1: convert parser to nom7 functions
Task #4992: dcerpc: convert parser to nom7 functions
Task #4970: libhtp 0.5.40
Task #4915: transversal: update references to suricata webpage
Task #4912: Update default rule path to /var/lib/suricata/rules.
Task #4909: devguide: move into userguide as last chapter
Task #4796: af-packet: remove non-mmap tpacket-v1 support
Task #4784: config: add suricata version as a comment to the top of the configuration file
Task #4721: http2: enable by default
Task #4668: Remove Prelude output
Task #4667: libhtp 0.5.39
Task #4446: pcre2: document changes vs prce1 for rule writers
Task #4444: files: store files in transactions instead of per flow state
Task #4221: Build Suricata into a static and shared library
Task #4182: lua: Use lua_pushinteger for pushing integer types as integers instead of floats
Task #4157: deprecation: remove dns eve v1 logging (May 2022)
Task #4058: Convert unittests to new FAIL/PASS API: detect-sid.c
Task #4056: Convert unittests to new FAIL/PASS API: detect-rpc.c
Task #4053: Convert unittests to new FAIL/PASS API: detect-msg.c
Task #4038: Convert unittests to new FAIL/PASS API: detect-filesha256.c
Task #4036: Convert unittests to new FAIL/PASS API: detect-filename.c
Task #4035: Convert unittests to new FAIL/PASS API: detect-filemd5.c
Task #4034: Convert unittests to new FAIL/PASS API: detect-filemagic.c
Task #4033: Convert unittests to new FAIL/PASS API: detect-fileext.c
Task #4032: Convert unittests to new FAIL/PASS API: detect-file-data.c
Task #3905: GitHub CI: use sccache for commits build
Task #3194: pcre2 support
Documentation #5511: userguide: add subsection about setting up Suri in IPS mode with DPDK
Documentation #5441: userguide: rules meta page updates
Documentation #5385: userguide: update rule's format document
Documentation #5364: userguide: reorganize `Application Layers Parsers` and `Application layers` subsections in the suricata.yaml page
Documentation #5130: doc: add flowbits ORing doc
Documentation #4949: userguide: add explanation on max-streams in the suricata.yaml page
Documentation #4671: Document changes to HTTP events with respect to http/http2 normalization
Documentation #4396: Devguide: Transactions and State overview
Documentation #3029: No documentation for "dcerpc" keywords
Documentation #3017: No documentation for "rawbytes" keyword
6.0.1 -- 2020-12-04
Feature #2689: http: Normalized HTTP client body buffer
Feature #4121: http2: support file inspection API
Bug #1275: ET Rule 2003927 not matchin in suricata
Bug #3467: Alert metadata not present in EVE output when using Socket Control Pcap Processing Mode
Bug #3616: strip_whitespace causes FN
Bug #3726: Segmentation fault on rule reload when using libmagic
Bug #3856: dcerpc: last response packet not logged
Bug #3924: asan leak htp_connp_create
Bug #3925: dcerpc: crash in eve logging
Bug #3930: Out of memory from THashInitConfig called by DetectDatasetSetup
Bug #3994: SIGABRT TCPProtoDetectCheckBailConditions
Bug #4018: Napatech: Double release of packet possible in certain error cases.
Bug #4069: dcerpc: fix UDP transaction handling, free_tx, etc
Bug #4071: Null dereference in ipv4hdr GetData
Bug #4072: ssl: Integer underflow in SSL parser
Bug #4073: Protocol detection evasion by packet splitting on enip/SMB
Bug #4074: Timeout while loading many rules with keyword ssl_version
Bug #4076: http2: Memory leak when parsing signature with filestore
Bug #4085: Assertion from AdjustToAcked
Bug #4086: dns: memory leak in v1 dns eve logging
Bug #4090: icmpv4: header handling issue(s)
Bug #4091: byte_math: Offset is a signed value
Bug #4094: AddressSanitizer: dynamic-stack-buffer-overflow (util-crypt)
Bug #4100: ftp: Quadratic complexity in FTPGetOldestTx may lead to DOS
Bug #4109: mac address logging crash
Bug #4110: http: LibHTP wrong protocol with content duplication
Bug #4111: dnp3: DOS in long loop of zero sized objects
Bug #4120: http2: null ptr deref in http2 alert metadata
Bug #4124: dcerpc: UDP request response pair match is incorrect
Bug #4155: dnp3: memory leak when parsing objects with bytearrays
Bug #4156: dnp3: signed integer overflow
Bug #4158: PacketCopyData sets packet length even on failure
Bug #4173: dnp3: SV tests fail on big endian
Bug #4177: Rustc nightly warning getting the inner pointer of a temporary `CString`
Optimization #4114: Optmize Rust logging macros: SCLogInfo, SCLogDebug and friends
Task #4137: deprecate: eve.dns v1 record support
Task #4180: libhtp 0.5.36
6.0.0 -- 2020-10-08
Bug #3099: Weird handling of IKEv2 flows when alerts happen
Bug #3691: strip_whitespace doesn't strip_whitespace
Bug #3772: DNP3 probing parser does not detect the proper direction in midstream
Bug #3774: Assert failed in TLS due to integer underflow
Bug #3775: Memory leak in libhtp in error case
Bug #3853: Multi-byte Heap buffer over-read in ssl parser
Bug #3857: Protocol detection evasion by packet splitting on enip/dnp3
Bug #3877: Transaction list grows without bound on parsers that use unidirectional transactions
Bug #3896: app-layer-parser.c:1264: AppLayerParserParse: Assertion `!(res.needed + res.consumed < input_len)' failed.
Bug #3904: Suricata ASAN issue when detect.profiling.grouping.dump-to-disk=true
Bug #3926: dcerpc: Rust panic in handle_common_stub
Bug #3927: Alert "fileinfo" array conflicts with "fileinfo" event type
Bug #3928: eve: metadata section mixup with anomaly
Bug #3929: Unexpected exit from THashInitConfig called by DetectDatasetSetup
Bug #3930: Out of memory from THashInitConfig called by DetectDatasetSetup
Bug #3931: Memory leak from signature with file.name
Bug #3956: HTTP2 support variable integer lengths for headers
Bug #3972: HTTP2: stream_id_reuse
Bug #3977: SNMP: Better handling of unidirectional transactions
Bug #3978: DHCP: Add unidirectional transaction handling
Bug #3979: IKEv2: Add unidirectional transaction handling
Bug #3980: MQTT: Add unidirectional transaction handling
Bug #3981: SIP: Add unidirectional transaction handling
Bug #3982: RDP: Add unidirectional transaction handling
Bug #3983: KRB5: Add unidirectional transaction handling
Bug #3984: NTP: Add unidirectional transaction handling
Bug #3987: Hang while processing HTTP traffic
Bug #3989: HTTP2: invalid_frame_data anomaly
Bug #3991: Libhtp timeout in data_probe_chunk_length
Bug #3992: RDP incorrect AppLayerResult::incomplete
Bug #3993: Use of uninitialized value in DetectDatarepParse
Bug #3998: HTTP2: invalid header anomaly
Bug #4009: ENIP: Unidirectional transaction handling
Feature #3955: Protocol detection : run probing parser for protocol found in other direction
Task #3922: libhtp 0.5.35
Task #4017: suricata-update: bundle 1.2.0
Documentation #2211: doc: document issues with --set and lists in the command line parameters section of the manual
6.0.0-rc1 -- 2020-09-11
Feature #2970: DNS: Parse and extract SOA app layer data from DNS packets
Feature #3063: protocol decoder: geneve
Task #3178: json: remove individual loggers
Task #3559: http: support GAP recovery
Task #3759: datasets: finalize to move out of 'experimental'
Task #3824: libhtp 0.5.34
Task #3868: GitHub CI: Add Fedora 32 runner with ASAN and Suricata-Verify
Task #3903: remove BUG_ON from app-layer AppLayerResult eval
Documentation #3497: Document the removal of unified2 and migration options
Documentation #3799: Deprecated configuration keyword in "Hardware bypass with Netronome"
Bug #2433: memleak with suppression rules defined in threshold.conf
Bug #3776: Timeout in libhtp due to multiple responses with double lzma encoding
Bug #3816: Coverity scan issue -- null pointer deref in reject dev handling
Bug #3842: eve: logging silently continues if disk is full
Bug #3850: Invalid state for JsonBuilder with metadata signature keyword
Bug #3858: pcap recursive: coverity issues
Bug #3861: flow: check flow bypass handling
Bug #3863: reject: compile warning
Bug #3864: plugin: coverity issues
Bug #3865: flow: coverity issues
Bug #3866: http2: http1 to http2 upgrade support
Bug #3871: Include acsite.m4 in distribution
Bug #3872: Fail CROSS_COMPILE check for PCRE JIT EXEC
Bug #3874: configure: fails to check for netfilter_queue headers on older header packages
Bug #3879: detasets related memleak
Bug #3880: http parsing/alerting - continue
Bug #3882: Plugin support typo
Bug #3883: Runmode Single Memory Leak
Bug #3885: 6.0.0-beta1 stream-tcp-reassemble.c:1066: AdjustToAcked: Assertion `!(adjusted > check)' failed
Bug #3888: 6.0.0-dev - heap-buffer-overflow /opt/suricata/src/flow-manager.c:472:34 in FlowTimeoutHash with AFPv3
Bug #3890: AddressSanitizer: SEGV on unknown address - failed to setup/expand stream segment pool.
Bug #3895: Assert failed in DNS incomplete parsing
Bug #3897: Integer overflow in SCSigOrderByPriorityCompare
Bug #3898: Leak from bad signature with DCERPC keyword, then another protocol keyword
Bug #3902: flow/bypass: SEGV src/flow.c:1158:9 in FlowUpdateState
Bug #3906: mqtt 'assertion failed: `(left == right)` src/mqtt/parser.rs:500:13
Bug #3907: http2 rust - 'index out of bounds: the len is 2 but the index is 63'
Bug #3908: Port prscript to Python 3
Bug #3911: datasets: path handling issues with default-rule-path vs -S <file>
Bug #3913: Memory leak from signature with pcrexform
Bug #3914: Protocol detection gets not retries on protocol change if there is not enough data
Bug #3915: Eve output in threaded mode does not rotate logs on request (eg: SIGHUP)
Bug #3916: Dataset filename not always found on load
Bug #3917: HTTP2 incorrect incomplete after banner
6.0.0-beta1 -- 2020-08-07
Feature #641: Flowbits group for ORing
Feature #1807: Cisco HDLC Decoder
Feature #1947: HTTP2 decoder
Feature #2015: eve: add fileinfo in alert
Feature #2196: Add flow_id to the file extracted .meta file
Feature #2311: math on extracted values
Feature #2312: http: parsing for async streams
Feature #2385: deprecate: unified2
Feature #2524: Allow user to choose the reject iface
Feature #2553: support 'by_both' in threshold rule keyword
Feature #2694: thresholding: feature parity between global and per-rule options
Feature #2698: hassh and hasshServer for ssh fingerprinting
Feature #2859: Oss-fuzz integration
Feature #3199: transformation should be able to take options
Feature #3200: pcre: allow operation as transform
Feature #3293: eve: per thread output files
Feature #3332: Dynamic Loadable Module/Plugin Support
Feature #3422: GRE ERSPAN Type 1 Support
Feature #3444: app-layer: signal stream engine about expected data size
Feature #3445: Convert SSH parser to Rust
Feature #3501: Add RFB parser
Feature #3546: Teredo port configuration
Feature #3549: Add MQTT parser
Feature #3626: implement from_end byte_jump keyword
Feature #3635: datasets: add 'dataset-remove' unix command
Feature #3661: validate strip_whitespace content before loading a rule
Feature #3693: DCERPC multi tx support
Feature #3694: DCERPC logging support
Feature #3760: datasets: distinguish between 'static' and 'dynamic' sets
Feature #3823: conditional logging: tx log filtering
Optimization #749: pcre 8.32 introduces JIT pcre_jit_exec(...)
Optimization #947: dynamic allocation of thread queues
Optimization #1038: Flow Queue should be a stack
Optimization #2779: Convert DCE_RPC from C to Rust
Optimization #2845: Counters for kernel_packets decreases at times without restart
Optimization #2977: replace asn1 parser with rust based implementation
Optimization #3234: dns app-layer c vs rust cleanup
Optimization #3308: rust: use cbindgen to generate bindings
Optimization #3538: dns: use app-layer incomplete support
Optimization #3539: rdp: use app-layer incomplete support
Optimization #3541: applayertemplate: use app-layer incomplete support
Optimization #3655: default to c11 standard
Optimization #3708: Convert SSH logging to JsonBuilder
Optimization #3709: Convert DNP3 logging to JsonBuilder
Optimization #3710: Convert SMTP logging to JsonBuilder
Optimization #3711: Convert NFS logging to JsonBuilder
Optimization #3712: Convert SMB logging to JsonBuilder
Optimization #3713: Convert RFB logging to JsonBuilder
Optimization #3714: Convert FTP logging to JsonBuilder
Optimization #3715: Convert RDP logging to JsonBuilder
Optimization #3716: Use uuid crate wherever possible in smb rust parser
Optimization #3754: Convert KRB to JsonBuilder
Optimization #3755: Convert IKEv2 to JsonBuilder
Optimization #3756: Convert SNMP to JsonBuilder
Optimization #3757: Convert Netflow to JsonBuilder
Optimization #3764: Convert TFTP to JsonBuilder
Optimization #3765: Convert Templates to JsonBuilder
Optimization #3773: DNP3 CRC disabled when fuzzing
Optimization #3838: Convert 'vars' (metadata logging) to JsonBuilder
Task #2381: deprecate: 'drop' log output
Task #2959: deprecate: filestore v1
Task #3128: nom 5
Task #3167: convert all _Bool use to bool
Task #3255: rdp: enable by default
Task #3256: sip: enable by default
Task #3331: Rust: Move to 2018 Edition
Task #3344: devguide: setup sphinx
Task #3408: FTP should place constraints on filename lengths
Task #3409: SMTP should place restraints on variable length items (e.g., filenames)
Task #3460: autotools: check autoscan output
Task #3515: GRE ERSPAN Type 1 Support configuration
Task #3564: dcerpc: support GAP recovery
Documentation #3335: doc: add ipv4.hdr and ipv6.hdr
Bug #2506: filestore v1: with stream-depth not null, files are never truncated
Bug #2525: Add VLAN support to reject feature
Bug #2639: Alert for tcp rules with established without 3whs
Bug #2726: writing large number of json events on high speed traffic results in packet drops
Bug #2737: Invalid memory read on malformed rule with Lua script
Bug #3053: Replace atoi with StringParse* for better error handling
Bug #3078: flow-timeout: check that 'emergency' settings are < normal settings
Bug #3096: random failures on sip and http-evader suricata-verify tests
Bug #3108: Calculation of threads in autofp mode is wrong
Bug #3188: Use FatalError wherever possible
Bug #3265: Dropping privileges does not work with NFLOG
Bug #3282: --list-app-layer-protos only uses default suricata.yaml location.
Bug #3283: bitmask option of payload-keyword byte_test not working
Bug #3339: Missing community ID in smb, rdp, tftp, dhcp
Bug #3378: ftp: asan detects leaks of expectations
Bug #3435: afl: Compile/make fails on openSUSE Leap-15.1
Bug #3441: alerts: missing rdp and snmp metadata
Bug #3451: gcc10: compilation failure unless -fcommon is supplied
Bug #3463: Faulty signature with two threshold keywords does not generate an error and never match
Bug #3465: build-info and configure wrongly display libnss status
Bug #3468: BUG_ON(strcasecmp(str, "any") in DetectAddressParseString
Bug #3476: datasets: Dataset not working in unix socket mode
Bug #3483: SIP: Input not parsed when header values contain trailing spaces
Bug #3486: Make Rust probing parsers optional
Bug #3489: rule parsing: memory leaks
Bug #3490: Segfault when facing malformed SNMP rules
Bug #3496: defrag: asan issue
Bug #3504: http.header.raw prematurely truncates in some conditions
Bug #3509: Behavior for tcp fastopen
Bug #3517: Convert DER parser to Rust
Bug #3519: FTP: Incorrect ftp_memuse calculation.
Bug #3522: TCP Fast Open - Bypass of stateless alerts
Bug #3523: Suricata does not log alert metadata info when running in unix-socket mode
Bug #3525: Kerberos vulnerable to TCP splitting evasion
Bug #3529: rust: smb compile warnings
Bug #3532: Skip over ERF_TYPE_META records
Bug #3547: file logging: complete files sometimes marked 'TRUNCATED'
Bug #3565: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
Bug #3566: rules: minor memory leak involving pcre_get_substring
Bug #3567: rules/bsize: memory issue during parsing
Bug #3568: rules: bad rule leads to memory exhaustion
Bug #3569: fuzz: memory leak in bidir rules
Bug #3570: rfb: invalid AppLayerResult use
Bug #3583: rules: missing 'consumption' of transforms before pkt_data would lead to crash
Bug #3584: rules: crash on 'internal'-only keywords
Bug #3586: rules: bad address block leads to stack exhaustion
Bug #3593: Stack overflow when parsing ERF file
Bug #3594: rules: memory leaks in pktvar keyword
Bug #3595: sslv3: asan detects leaks
Bug #3615: Protocol detection evasion by packet splitting
Bug #3628: Incorrect ASN.1 long form length parsing
Bug #3630: Recursion stack-overflow in parsing YAML configuration
Bug #3631: FTP response buffering against TCP stream
Bug #3632: rules: memory leaks on failed rules
Bug #3638: TOS IP Keyword not triggering an alert
Bug #3640: coverity: leak in fast.log setup error path
Bug #3641: coverity: data directory handling issues
Bug #3642: RFB parser wrongly handles incomplete data
Bug #3643: Libhtp request: extra whitespace interpreted as dummy new request
Bug #3654: Rules reload with Napatech can hang Suricata UNIX manager process
Bug #3657: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
Bug #3662: Signature with an IP range creates one IPOnlyCIDRItem by IP address
Bug #3677: Segfault on SMTP TLS
Bug #3680: Dataset reputation invalid value logging
Bug #3683: rules: memory leak on bad rule
Bug #3687: Null dereference in DetectEngineSignatureIsDuplicate
Bug #3689: Protocol detection evasion by packet splitting on enip/nfs
Bug #3690: eve.json windows timestamp field has "Eastern Daylight Time" appended to timestamp
Bug #3699: smb: post-GAP file handling
Bug #3700: nfs: post-GAP file handling
Bug #3720: Incorrect handling of ASN1 relative_offset keyword
Bug #3732: filemagic logging resulting in performance hit
Bug #3749: redis: Reconnect is invalid in batch mode
Bug #3750: redis: no or delayed data in low speed network
Bug #3772: DNP3 probing parser does not detect the proper direction in midstream
Bug #3779: Exit on signature with invalid transform pcrexform
Bug #3783: Stack overflow in DetectFlowbitsAnalyze
Bug #3802: Rule filename mutation when reading file hash files from a directory other than the default-rule-directory
Bug #3808: pfring: compile warnings
Bug #3814: Coverity scan issue -- null pointer deref in ftp logger
Bug #3815: Coverity scan issue -- control flow issue ftp logger
Bug #3817: Coverity scan issue -- resource leak in filestore output logger
Bug #3818: Coverity scan issue -- null pointer deref in detect engine
Bug #3820: ssh: invalid use to 'AppLayerResult::incomplete`
Bug #3821: Memory leak in signature parsing with keyword rfb.secresult
Bug #3822: Rust panic at DCERPC signature parsing
Bug #3840: Integer overflow in DetectContentPropagateLimits leading to unintended signature behavior
Bug #3841: Heap-buffer-overflow READ 8 · DetectGetLastSMByListId
Bug #3851: Invalid DNS incomplete result
Bug #3855: mqtt: coverity static analysis issues
5.0.1 -- 2019-12-13
Bug #1871: intermittent abort()s at shutdown and in unix-socket
Bug #2810: enabling add request/response http headers in master
Bug #3047: byte_extract does not work in some situations
Bug #3073: AC_CHECK_FILE on cross compile
Bug #3103: --engine-analysis warning for flow on an icmp request rule
Bug #3120: nfq_handle_packet error -1 Resource temporarily unavailable warnings
Bug #3237: http_accept not treated as sticky buffer by --engine-analysis
Bug #3254: tcp: empty SACK option leads to decoder event
Bug #3263: nfq: invalid number of bytes reported
Bug #3264: EVE DNS Warning about defaulting to v2 as version is not set.
Bug #3266: fast-log: icmp type prints wrong value
Bug #3267: Support for tcp.hdr Behavior
Bug #3275: address parsing: memory leak in error path
Bug #3277: segfault when test a nfs pcap file
Bug #3281: Impossible to cross-compile due to AC_CHECK_FILE
Bug #3284: hash function for string in dataset is not correct
Bug #3286: TCP evasion technique by faking a closed TCP session
Bug #3324: TCP evasion technique by overlapping a TCP segment with a fake packet
Bug #3328: bad ip option evasion
Bug #3340: DNS: DNS over TCP transactions logged with wrong direction.
Bug #3341: tcp.hdr content matches don't work as expected
Bug #3345: App-Layer: Not all parsers register TX detect flags that should
Bug #3346: BPF filter on command line not honored for pcap file
Bug #3362: cross compiling not affecting rust component of surrcata
Bug #3376: http: pipelining tx id handling broken
Bug #3386: Suricata is unable to get MTU from NIC after 4.1.0
Bug #3389: EXTERNAL_NET no longer working in 5.0 as expected
Bug #3390: Eve log does not generate pcap_filename when Interacting via unix socket in pcap processing mode
Bug #3397: smtp: file tracking issues when more than one attachment in a tx
Bug #3398: smtp: 'raw-message' option file tracking issues with multi-tx
Bug #3399: smb: post-GAP some transactions never close
Bug #3401: smb1: 'event only' transactions for bad requests never close
Bug #3411: detect/asn1: crashes on packets smaller than offset setting
Task #3364: configure: Rust 1.37+ has cargo-vendor support bundled into cargo.
Documentation #2885: update documentation to indicate -i can be used multiple times
5.0.0 -- 2019-10-15
Feature #1851: add verbosity level description to the help command
Feature #1940: Debian Jessie - better message when trying to run 2 suricata with afpacket
Feature #3204: ja3(s): automatically enable when rules require it
Bug #1443: deprecated library calls
Bug #1778: af_packet: IPS and defrag
Bug #2386: check if default log dir is writable at start up
Bug #2465: Eve Stats will not be reported unless stats.log is enabled
Bug #2490: Filehash rule does not fire without filestore keyword
Bug #2668: make install-full fails if CARGO_TARGET_DIR has spaces in the directory path
Bug #2669: make install-full fails due to being unable to find libhtp.so.2
Bug #2955: lua issues on arm (fedora:29)
Bug #3113: python-yaml dependency is actually ptyhon3-yaml dependency
Bug #3139: enip: compile warnings on gcc-8
Bug #3143: datasets: don't use list in global config
Bug #3190: file_data inspection inhibited by additional (non-file_data) content match rule
Bug #3196: Distributed archive do not include eBPF files
Bug #3209: Copy engine provided classification.config to $datadir/suricata.
Bug #3210: Individual output log levels capped by the default log level
Bug #3216: MSN protocol detection/parser is not working
Bug #3223: --disable-geoip does not work
Bug #3226: ftp: ASAN error
Bug #3232: Static build with pcap fails
Optimization #3039: configure: don't generate warnings on missing features
Documentation #2640: http-body and http-body-printable in eve-log require metadata to be enabled, yet there is no indication of this anywhere
Documentation #2839: Update perf and tuning user guides
Documentation #2876: doc: add nftables with nfqueue section
Documentation #3207: Update the http app-layer doc and config
Documentation #3230: EVE DNS logger defaults to version 2 instead of version when version not specified.
5.0.0-rc1 -- 2019-09-24
Feature #524: detect double encoding in URI
Feature #713: tls.fingerprint - file usage
Feature #997: Add libhtp event for every htp_log() that needs an event.
Feature #1203: TCP Fast Open support
Feature #1249: http/dns ip-reputation alike technique
Feature #1757: URL Reputation
Feature #2200: Dynamically add md5 to blacklist without full restart
Feature #2283: turn content modifiers into 'sticky buffers'
Feature #2314: protocol parser: rdp
Feature #2315: eve: ftp logging
Feature #2318: matching on large amounts of data with dynamic updates
Feature #2529: doc: include quick start guide
Feature #2539: protocol parser: vxlan
Feature #2670: tls_cert sticky buffer
Feature #2684: Add JA3S
Feature #2738: SNMP parser, logging and detection
Feature #2754: JA3 and JA3S - sets / reputation
Feature #2758: intel / reputation matching on arbitrary data
Feature #2789: Use clang for building eBPF programs even if Suricata is built using GCC
Feature #2916: FTP decoder should have Rust port parsers
Feature #2940: document anomaly log
Feature #2941: anomaly log: add protocol detection events
Feature #2952: modernize http_header_names
Feature #3011: Add new 'cluster_peer' runmode to allow for load balancing by IP header (src<->dst) only
Feature #3058: Hardware offload for XDP bypass
Feature #3059: Use pinned maps in XDP bypass
Feature #3060: Add way to detect TCP MSS values
Feature #3061: Add way to inspect TCP header
Feature #3062: Add way to inspect UDP header
Feature #3074: DNS full domain matching within the dns_query buffer
Feature #3080: Provide a IP pair XDP load balancing
Feature #3081: Decapsulation of GRE in XDP filter
Feature #3084: SIP parser, logging and detection
Feature #3165: New rule keyword: dns.opcode; For matching on the the opcode in the DNS header.
Bug #941: Support multiple stacked compression, compression that specifies the wrong compression type
Bug #1271: Creating core dump with dropped privileges
Bug #1656: several silent bypasses at the HTTP application level (chunking, compression, HTTP 0.9...)
Bug #1776: Multiple Content-Length headers causes HTP_STREAM_ERROR
Bug #2080: Rules with bad port group var do not error
Bug #2146: DNS answer not logged with eve-log
Bug #2210: logging: SC_LOG_OP_FILTER still displays some lines not matching filter
Bug #2264: file-store.stream-depth not working as expected when configured to a specfic value
Bug #2395: File_data inspection depth while inspecting base64 decoded data
Bug #2619: Malformed HTTP causes FN using http_header_names;
Bug #2626: doc/err: More descriptive message on err for escaping backslash
Bug #2654: Off-by-one iteration of EBPF flow_table_vX in EBPFForEachFlowVXTable (util-ebpf.c)
Bug #2655: GET/POST HTTP-request with no Content-Length, http_client_body miss
Bug #2662: unix socket - memcap read/set showing unlimited where there are limited values configured by default
Bug #2686: Fancy Quotes in Documentation
Bug #2765: GeoIP keyword depends on now discontinued legacy GeoIP database
Bug #2769: False positive alerts firing after upgrade suricata 3.0 -> 4.1.0
Bug #2786: make install-full does not install some source events rules
Bug #2840: xdp modes - Invalid argument (-22) on certain NICs
Bug #2847: Confusing warning “Rule is inspecting both directions” when inspecting engine analysis output
Bug #2853: filestore (v1 and v2): dropping of "unwanted" files
Bug #2926: engine-analysis with content modifiers not always issues correct warning
Bug #2942: anomaly log: app layer events
Bug #2951: valgrind warnings in ftp
Bug #2953: bypass keyword: Suricata 4.1.x Segmentation Faults
Bug #2961: filestore: memory leaks
Bug #2965: Version 5 Beta1 - Multiple NFQUEUE failed
Bug #2986: stream bypass not making callback as expected
Bug #2992: Build failure on m68k with uclibc
Bug #2999: AddressSanitizer: heap-buffer-overflow in HTPParseContentRange
Bug #3000: tftp: missing logs because of broken tx handling
Bug #3004: SC_ERR_PCAP_DISPATCH with message "error code -2" upon rule reload completion
Bug #3006: improve rule keyword alproto registration
Bug #3007: rust: updated libc crate causes depration warnings
Bug #3009: Fixes warning about size of integers in string formats
Bug #3051: mingw/msys: compile errors
Bug #3054: Build failure with --enable-rust-debug
Bug #3070: coverity warnings in protocol detection
Bug #3072: Rust nightly warning
Bug #3076: Suricata sometimes doesn't store the vlan id when vlan.use-for-tracking is false
Bug #3089: Fedora rawhide af-packet compilation err
Bug #3098: rule-reloads Option?
Bug #3111: ftp warnings during compile
Bug #3112: engine-analysis warning on http_content_type
Bug #3133: http_accept_enc warning with engine-analysis
Bug #3136: rust: Remove the unneeded macros