1.3beta1 -- 2012-04-04 - TLS/SSL handshake parser, tls.subjectdn and tls.issuerdn keywords (#296, contributed by Pierre Chifflier) - Napatech capture card support (contributed by Randy Caldejon -- nPulse) - Scripts for looking up files / file md5's at Virus Total and others (contributed by Martin Holste) - Test mode: -T option to test the config (#271) - Ringbuffer and zero copy support for AF_PACKET - Commandline options to list supported app layer protocols and keywords (#344, #414) - File extraction for HTTP POST request that do not use multipart bodies - On the fly md5 checksum calculation of extracted files - Line based file log, in json format - Basic support for including other yaml files into the main yaml - New multi pattern engine: ac-bs - Profiling improvements, added lock profiling code - Improved HTTP CONNECT support in libhtp (#427, Brian Rectanus -- Qualys) - Unified yaml naming convention, including fallback support (by Nikolay Denev) - Improved Endace DAG support (#431, Jason Ish -- Endace) - New default runmode: "autofp" (#433) - Major rewrite of flow engine, improving scalability. - Improved http_stat_msg and http_stat_code keywords (#394) - Improved scalability for Tag and Threshold subsystems - Made the rule keyword parser much stricter in detecting syntax errors - Split "file" output into "file-store" and "file-log" outputs - Much improved file extraction - CUDA build fixes (#421) - Various FP's reported by Rmkml (#403, #405, #411) - IPv6 decoding and detection issues (reported by Michel Sarborde) - PCAP logging crash (#422) - Fixed many (potential) issues with the help of the Coverity source code analyzer - Fixed several (potential) issues with the help of the cppcheck and clang/scan-build source code analyzers 1.2.1 -- 2012-01-20 - fix malformed unified2 records when writing alerts trigger by stream inspection (#402) - only force a pseudo packet inspection cycle for TCP streams in a state >= established 1.2 -- 2012-01-19 - improved Windows/CYGWIN path handling (#387) - fixed some issues with passing an interface or ip address with -i - make live worker runmode threads adhere to the 'detect' cpu affinity settings 1.2rc1 -- 2012-01-11 - app-layer-events keyword: similar to the decoder-events and stream-events, this will allow matching on HTTP and SMTP events - auto detection of checksum offloading per interface (#311) - urilen options to match on raw or normalized URI (#341) - flow keyword option "only_stream" and "no_stream" - unixsock output options for all outputs except unified2 (PoC python script in the qa/ dir) (#250) - in IPS mode, reject rules now also drop (#399) - http_header now also inspects response headers (#389) - "worker" runmodes for NFQ and IPFW - performance improvement for "ac" pattern matcher - allow empty/non-initialized flowints to be incremented - PCRE-JIT is now enabled by default if available (#356) - many file inspection and extraction improvements - flowbits and flowints are now modified in a post-match action list - general performance increasements - fixed parsing really high sid numbers >2 Billion (#393) - fixed ICMPv6 not matching in IP-only sigs (#363) 1.2beta1 -- 2011-12-19 - File name, type inspection and extraction for HTTP - filename, fileext, filemagic and filestore keywords added - "file" output for storing extracted files to disk - file_data keyword support, inspecting normalized, dechunked, decompressed HTTP response body (feature #241 - new keyword http_server_body, pcre regex /S option - Option to enable/disable core dumping from the suricata.yaml (enabled by default) - Human readable size limit settings in suricata.yaml - PF_RING bpf support (required PF_RING >= 5.1) (feature #334) - tos keyword support (feature #364) - IPFW IPS mode does now support multiple divert sockets - New IPS running modes, Linux and FreeBSD do now support "worker" and "autofp" - Improved alert accuracy in autofp and single runmodes - major performance optimizations for the ac-gfbs pattern matcher implementation - unified2 output fixes - PF_RING supports privilege dropping now (bug #367) - Improved detection of duplicate signatures 1.1.1 -- 2011-12-07 - Fix for a error in the smtp parser that could crash Suricata. - Fix for AF_PACKET not compiling on modern linux systems like Fedora 16. 1.1 -- 2011-11-10 - CUDA build fixed - minor pcap, AF_PACKET and PF_RING fixes (#368) - bpf handling fix - Windows CYGWIN build - more cleanups 1.1rc1 -- 2011-11-03 - extended HTTP request logging for use with (among other things) http_agent for Sguil (#38) - AF_PACKET report drop stats on shutdown (#325) - new counters in stats.log for flow and stream engines (#348) - SMTP parsing code support for BDAT command (#347) - HTTP URI normalization no longer converts to lowercase (#362) - AF_PACKET works with privileges dropping now (#361) - Prelude output for state matches (#264, #355) - update of the pattern matching code that should improve accuracy - rule parser was made more strict (#295, #312) - multiple event suppressions for the same SID was fixed (#366) - several accuracy fixes - removal of the unified1 output plugins (#353) 1.1beta3 -- 2011-10-25 - af-packet support for high speed packet capture - "replace" keyword support (#303) - new "workers" runmode for multi-dev and/or clustered PF_RING, AF_PACKET, pcap - added "stream-event" keyword to match on TCP session anomalies - support for suppress keyword was added (#274) - byte_extract keyword support was added - improved handling of timed out TCP sessions in the detection engine - unified2 payload logging if detection was in the HTTP state (#264) - improved accuracy of the HTTP transaction logging - support for larger (64 bit) Flow/Stream memcaps (#332) - major speed improvements for PCRE, including support for PCRE JIT - support setting flowbits in ip-only rules (#292) - performance increases on SSE3+ CPU's - overhaul of the packet acquisition subsystem - packet based performance profiling subsystem was added - TCP SACK support was added to the stream engine - updated included libhtp to 0.2.6 which fixes several issues 1.1beta2 -- 2011-04-13 - New keyword support: http_raw_uri (including /I for pcre), ssl_state, ssl_version (#258, #259, #260, #262). - Inline mode for the stream engine (#230, #248). - New keyword support: nfq_set_mark - Included an example decoder-events.rules file - api for adding and selecting runmodes was added - pcap logging / recording output was added - basic SCTP protocol parsing was added - more fine grained CPU affinity setting support was added - stream engine inspects stream in larger chunks - fast_pattern support for http_method content modifier (#255) - negation support for isdataat keyword (#257) - configurable interval for stats.log updates (#247) - new pf_ring runmode was added that scales better - pcap live mode now handles the monitor interface going up and down - several QA additions to "make check" - NFQ (linux inline) mode was improved - Alerts classification fix (#275) - compiles and runs on big-endian systems (#63) - unified2 output works around barnyard2 issues with DLT_RAW + IPv6 1.1beta1 -- 2010-12-21 - New keyword support: http_raw_header, http_stat_msg, http_stat_code. - A new default pattern matcher, Aho-Corasick based, that uses much less memory. - reference.config support as supplied by ET/ETpro and VRT. - Much improved fast_pattern support, including for http_uri, http_client_body, http_header, http_raw_header. - Improved parsers, especially the DCERPC parser. - Much improved performance & accuracy. 1.0.5 -- 2011-07-25 - Fix stream reassembly bug #300. Thanks to Rmkml for the report. - Fix several (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat. 1.0.4 -- 2011-06-24 - LibHTP updated to 0.2.6 - Large number of (potential) issues fixed after a source code scan with Coverity generously contributed by RedHat. - Large number of (potential) issues fixed after source code scans with the Clang static analizer. 1.0.3 -- 2011-04-13 - Fix broken checksum calculation for TCP/UDP in some cases - Fix errors in the byte_test, byte_jump, http_method and http_header keywords - Fix a ASN1 parsing issue - Improve LibHTP memory handling - Fix a defrag issue - Fix several stream engine issues