Releases: snort3/snort3

Snort v3.9.6.0

06 Oct 21:19

Dependencies:

  • Libdaq v3.0.21
  • LibML v2.0.0

Changes in this release since 3.9.5.0

  • actions: fix integer underflow in ips_actions pegcount aggregation
  • appid: add setUserDetectorDataItem lua detector API
  • appid: fixed crash in stats manager
  • appid: fix http content processing
  • appid: fixing loop inside nntp validate data
  • appid: retain the shadow traffic status after detector reload
  • appid: standardize variable types in user data map unit test
  • codecs: fix encode for pppoe and ppp
  • control: fix potential buffer overrun by properly checking return of vsnprintf.
  • dce_rpc: clear rule options before freeing the buffer
  • dce-rpc: proper proto-bits not set in DCE2_GetRpkt which causes assertion fail in u2 logger
  • dce_rpc: reassembling out of bounds packets
  • decoder: improved decoding fails error message on tracer
  • decompress: added check for mini_fat_persector to not be zero
  • decompress: fixed VBA decompression unhandled mem alloc exception
  • file_api: file cache sharing to use ref count for file inspector
  • file_api: set file size when file size is middle and data flushed
  • flow: continue retrying when the retry processing is still pending
  • host_tracker: acquire lock on host tracker cache before read access of member variables
  • host_tracker: iterate over network protocol vectors with reverse iterators instead of while loop
  • http_inspect,pub_sub: provide an API in HttpEvent to find whether the HTTP response is using a supported encoding type.
  • log: use batched logger for all kinds of log messages in prod when log_buffer config enabled
  • main: add message when unable to set affinity
  • memory: combine main and first pkt thread memory stats; resolve race condition
  • module_manager: use std::move to improve performance when assigning string variables
  • pub_sub: add quic logging events
  • s7comm: added stream splitter abort checks
  • stream: do not clear a session on a rebuilt packet
  • stream_tcp: do not generate established event on RST if 3whs is not complete
  • trace: print n-tuple for other packet types with IP layer set

Snort v3.9.5.0

04 Sep 21:07

Dependencies:

  • Libdaq v3.0.21
  • LibML v2.0.0

Changes in this release since 3.9.3.0 (3.9.4.0 was an internal tracking tag. No new commits between 3.9.3.0 and 3.9.4.0):

  • appid: first packet API fixes for using asd instead of odp
  • appid: fix multiple mdns issues
  • appid: move tls metadata handling into single place
  • codecs: override default encode for ciscometadata codec
  • control: fix heap-use-after-free in is_local
  • decompress: add unit test for vba decompression - infinite loops, divide-by-zero, integer overflow and out-of-bound
  • file_api: clear file meta group before setting it during reload
  • flow: clear flow ref in pkt on stale flow cleanup
  • helpers: add syscall to flush new data written by SigSafePrinter to disk
  • http_inspect: partial inspection for headers
  • http_inspect: publish OPPORTUNISTIC_TLS
  • imap: abort fallback functionality
  • mp_dbus: make MPDataBusModule stats thread safe
  • protocols: add sanity checks for tcp and ipv4 options to prevent out-of-buffer access
  • ssl: fix unit test for OpenSSL v3+
  • watchdog: replace watchdog command with atomic kicking from packet threads

Snort v3.9.3.0

11 Aug 21:22

Dependencies:

  • Libdaq v3.0.21
  • LibML v2.0.0

Changes in this release since 3.9.2.0:

  • appid: accounting for tmp offset in RPC
  • appid: change appid_shadow_traffic_status to atomic for thread safety
  • appid: combined host pattern matchers
  • appid: fix ASAN issue in AppIdHttpSession::set_req_body_field
  • appid: fix out-of-bounds caused by strncat in identify_user_agent
  • appid: getting packet from event rather than from detectionengine
  • appid: out-of-range readings fix
  • appid: prevent out_of_range and invalid_argument in rpc
  • appid: rpc integer overflow fix
  • build: enable exporting compile commands
  • dce_rpc: checked for integer overflow of smb_hdr + next_command_offset
  • dce_rpc: checking integer overflow on data_offset + data_length
  • detection: extract children-related evaluation logic into separated functions
  • detection: extract current node evaluation logic into separated function
  • detection: fix compile warnings in detection_options.cc
  • file_api: multi-process snort file cache crash fix
  • file_api: multi process snort file cache sharing crash fix
  • helpers: ringLogic framework updated to use atomic rather than volatile
  • http_inspect: add peg count for when published body has hit the requested max size
  • iec104: fallback functionality for abort scenario
  • logger: add batched logger to improve packet_tracer output performance
  • logger: add cpu affinity for log writer thread
  • main: notify DAQ via ioctl message when a packet is injected
  • mime: fix out-of-bounds in case of short boundary chunks
  • packet_tracer: file output will not be using batched logger
  • service_inspectors: Added random base file id generation for imap/pop/smtp.
  • smtp: fix overflow caused by tls data processing in smtp
  • stream_tcp: add splitter restart function, restart when hole skipped by AtomSplitter
  • stream_tcp: fix issues with skipping seglist holes in ids mode
  • stream_tcp: when reassembly is disabled/ignored update rcv_nxt to left edge of first hole or to end of seglist
  • vba_decompress: avoiding heap buffer overflows
  • vba_decompress: exception handled

Snort v3.9.2.0

21 Jul 22:00

Dependencies:

  • Libdaq v3.0.20
  • LibML v2.0.0

Changes in this release since 3.9.1.0:

  • build: fix comparison of empty integers. Thanks to Hatix Ntsoa.
  • cip: cip inspector fallback functionality
  • extractor: modify JSON Formatter to improve performance
  • file_api: multi instance snort related file cache sharing
  • flow: watchdog kick in dump flow summary
  • hash: ensure that find_else_create functions set is_new field in all cases
  • hash: return cache size from remove so new size check can be atomic
  • http_inspect: parameter name change from partial_depth to partial_depth_body
  • http_param: clear body http_param after each flush
  • main: do not start Analyzer if codec manager doesn't match any codec
  • modbus: modbus paf abort
  • stream_tcp: separate logs and counters for left and right invalid sequence numbers

Snort v3.9.1.0

02 Jul 00:40

Dependencies:

  • Libdaq v3.0.20
  • LibML v2.0.0
  • If you are using rules from snort.org, please use latest Talos_lightSPD package from version 2025-06-05-001 onward (due to API bump in 3.9.0.0)

Changes in this release since 3.9.0.0:

  • appid: appid_debug_test and critical log fix
  • appid: broadcast command for third party tfini during tterm rather than doing it sequentially
  • appid: differentiate between request and response DNS host
  • appid: fixed APPID_LOG macro for correct usage of log_level
  • appid: fixed stash issue by fixing publishing shadow traffic
  • appid: fix tcp dns multiple transaction support
  • appid: queue analyzer command for third party setup during appid id tinit and stagger packet threads during third party tinit
  • appid: sync flow service with protocol based detection
  • binder, flow, framework: add a facility to block binding based on a do_not_decrypt flow flag and inspector can_decrypt method
  • build: address coverity warnings
  • connectors: add buffered output to std_connector
  • connectors: add redirect option to print to a file
  • connectors: give name to flusher thread
  • connectors: rebuild readers as they might be outdated at exit
  • connectors: rename text log field
  • connectors: set affinity for flusher thread
  • dns: handle multi DNS transactions one TCP connection
  • extractor: add context logging event for notice
  • helpers: add 1-reader-1-writer ring buffer
  • helpers: fix JSON stream flags after escaping
  • http_inspect: add support for partial_depth configuration option
  • main: clarify the DAQ verdict for inject
  • mime: fix crash in folding right after colon
  • mime: fix eol search and add unit tests
  • mp_dbus: transfer ownership of MPDataBus to new config during reload
  • mp_unix_transport: refactored socket reconnect
  • mp_unix_transport: use shared mutex in message processing
  • profiler: add note for total percentage for profiler_dump
  • ssl: fix integer underflow in certificate parsing
  • unixdomain_connector: explicit include of select.h

Snort v3.9.0.0

02 Jul 00:37

Dependencies:

  • Libdaq v3.0.19
  • LibML v2.0.0
  • If you are using rules from snort.org, please use latest Talos_lightSPD package from version 2025-06-05-001 onward (due to API bump)

Changes in this release since 3.8.1.0

  • codec, flow: make mpls layers in flow pointers to save memory
  • flow: use vector and binary search for flow data and stash
  • managers, profiler, stream: fix glibc debug and assertion issues

Snort v3.8.1.0

28 May 02:44

Dependencies:

  • Libdaq v3.0.19
  • LibML v2.0.0

Changes in this release since 3.8.0.0:

  • analyzer: print DAQ input specification next to its message
  • build: set CMake minimal version to 3.5
  • extractor: support conn.log history field
  • file_api: introduced atomicity for is_file_service_enabled
  • flow: add id_offset to filenames created by stream.dump_flows()
  • flow: add option to move excess flows to allowlist
  • flow: always count stale packets, only drop if that is enabled by config, set default value for drop_stale_packets to false (disabled)
  • flow: implement a per flow check of the packet timestamp and drop packets if the timestamp is earlier than the timestamp of the previous packet
  • http2_inspect: rid of removed base template
  • http2_inspect: rid of removed base template in unit tests
  • main: change process_id to a global var such that we don't require constant access to the SnortConfig
  • main: remove snort cpu command output from log
  • protocol: add ESP to valid next headers in IPv6
  • pub_sub: get all headers, response str and method from HttpEvent
  • rna: coverity fixes
  • snort2lua: add include for cstdint to provide standard c++ integer types
  • stream: detection of gaps in packet stream
  • stream_tcp: deprecate the reassemble_async configuration option
  • stream_tcp: do not purge seglist data on held packet retransmit
  • stream_tcp: print stream_tcp state upon hitting queue_limits
  • telnet: handle ayt commands in splitter

Changes in this release since 3.7.4.0:

  • framework: make alias name internal to inspector instance
  • managers: update formatting
  • packet_io: add trace logs when injecting packets

Snort v3.7.4.0

08 May 21:09

Dependencies:

  • Libdaq v3.0.19
  • LibML v2.0.0

Changes in this release since 3.7.3.0:

  • appid: fixed crash while printing appid debug
  • appid: multiprocess init for appid third-party syncevents
  • build: apply workaround only for lower versions of LuaJIT. Thanks to Michael Cho for reporting the issue.
  • extractor: add weird and notice logging
  • extractor: extend dns support
  • extractor: support conn.log orig_bytes, resp_bytes
  • flow: don't offset flow instance number by 1 when printing flows
  • http_inspect: add dynamic length-limited publishing of request and response body
  • mp_data_bus: adding peg stats and socket commands for multiprocess databus
  • mp_data_bus: core logic for multi-process databus
  • mp_data_bus: standardize data types
  • mp_unix_transport: clang compilation fix for multiprocess
  • mp_unix_transport: multiprocess_transport plugin type, implementation of unix domain name based multiprocess transport

Snort v3.7.3.0

21 Apr 19:42

Dependencies:

  • Libdaq v3.0.19
  • LibML v2.0.0

Changes in this release since 3.7.2.0

  • appid: added caching for dns detector
  • appid: fixed unknown payload case for domain fronting
  • control: fix data race in ControlConn touch method
  • dns: handle multi transaction-IDs in single DNS-UDP flow
  • extractor: enable TSV(Tab-Separated Values) formatting
  • extractor: extend dns logging
  • extractor: fix static checker warning
  • extractor: make parsing more strict
  • extractor: simplify CSV logger implementation and add configurable delimiter
  • filters: initialize struct fields when instance is defined
  • flow: fix coverity SWAPPED ARGUMENTS and Y2K38_SAFETY issues
  • helpers: validate input from conf file to verify port number string is valid digits
  • host_tracker: recode while loop to avoid bogus coverity infinite loop warning
  • http2_inspect: added settings_max_frame_size parameter and built-in rule 121:44 to check for max frame size
  • http: initialize class member variables in the ctor
  • ips_options: allocate large buffer for base64 decode from heap instead of on stack
  • loggers: allocate large buffer for writing unified2 extra data from heap instead of stack
  • main: added show_snort_packet_latency() help command support
  • main: do not collect configurations for utility shells
  • main: redirect stdin, stdout, stderr to /dev/null with the freopen system call
  • main: refactor signal handling switch statement, return codes and FatalError
  • managers: use std::move to pass shared ptr to new owner to avoid a copy
  • packet_capture: rename pcaps and change default values

Snort v3.7.2.0

31 Mar 18:58

Dependencies:

  • Libdaq v3.0.19
  • LibML v2.0.0

Changes in this release since 3.7.1.0

  • appid: added flag to inspect out-of-order packets
  • appid: modified shadow traffic status to default
  • connectors: new unix domain connector
  • dce_rpc: ignoring false positives and fixing spell checks
  • dns: pass packet in DnsResponseEvent
  • dump_config: include PID into dump file name
  • file_api: making current_context as nullptr before it gets the value of ctx and removing redundant check
  • imap:pop: delete if expression that compared session flag to the packet_flag field
  • main: initialize openssl at startup
  • packet_capture: support packet capture limit and location
  • packet_capture: use existing util function to check directory path
  • pub_sub: basic framework with skeleton APIs multiprocess databus
  • stream_tcp: eliminate redundant calls to initialize the normalizer policy
  • stream_tcp: initialize each tracker's normalizer for missed 3whs behavior individually when the initial packet is processed by the tracker
  • stream_tcp: make member variables private to improve tracker class encapsulation
  • stream_tcp: only allow legacy OS and FIRST normalizer policies to be configurable. Proxy and missed 3whs modes are determined dynamically per flow
  • stream_tcp: reduce verbosity of packet tracer log messages for normalizer initialization actions
  • stream_tcp: rename OS policy names to prevent conflict with existing macros
  • stream_tcp: split StreamPolicy enum into enums specific to normalization and to overlap resolution
  • unified2: add packet dump to unified event with reassembled udp packet