Releases: snort3/snort3

Snort v3.1.83.0

25 Mar 18:04

Optional dependencies:

Changes in this release since 3.1.82.0:

  • detection: use correct packet in trace logs
  • doc: add libml to optional dependencies
  • flow: add filter to dump flows
  • flow: fix UT
  • hash: exception handling for random device
  • packet_capture: fixed wrong dlt in pcap header when nfq is used
  • stream: count retransmits when we disable content rules
  • trace: replace colon delimiter for tenant with whitespace in the trace_logger output

Snort v3.1.82.0

14 Mar 20:09

Optional dependencies:

  • To use Snort ML (snort_ml inspector), please download libML and Snort Rules (Talos_LightSPD) from version 2024-03-13-001 onwards

Changes in this release since 3.1.82.0:

  • appid: broadcast commands with ctrlcon
  • appid: change eve pattern matching logic
  • appid: replaced warning log with logging api for CBD
  • file_api: do not clear the file capture and user file data pointers when updating the verdict from the cache
  • filters: updated dyn array with vector
  • flow: updated flow_data linklist with STL container
  • framework: validate parameter of number type in a string form
  • kaizen: rename to Snort ML
  • main: clear lua stack when registering commands in a shell
  • main: reset main-thread stats from the main thread
  • main: update limits help
  • packet_capture: add packet capturing per tenant
  • sfip: remove references to unused mode feature
  • sfip: zero out var/node pointers after operations to remedy heap-use-after-free on reload
  • smb: fix for improper session cache destruction in tterm during config reload
  • snort2lua: change deprecated use of ptr_fn to lambda
  • stats: fix timing stats
  • stats: perf improvement changes
  • stream: remove splitter from session before inspectors
  • stream_tcp: add reasons for drops due to trims
  • stream_tcp: implement support for proxy mode normalization behavior
  • stream_tcp: update documentation for stream TCP alerts to include the new 129:21 and 129:22 alerts
  • trace: add tenants logging

Snort v3.1.81.0

20 Feb 20:21

Changes in this release (since 3.1.78.0)

3.1.81.0

  • appid: check tenant_match() if required
  • appid: log error message instead of fatal error if appid stats logfile is not accessible
  • appid: Lowering max packet count before service fail
  • control: Adds counting to ctrlcon blocked to allow for nested commands
  • detection: add c'tors, use new instead of snort_calloc
  • detection: copy ip var name in dup_rtn
  • flow: added ips event suppression flags
  • host_cache: fixed update_stats to remove race_condition
  • http_inspect: recreate JSNorm if reload takes place inside transaction
  • ips_context: add lazy-allocation of alt buffer
  • kaizen: provide an option to enable Kaizen's mock
  • kaizen: remove redundant semicolon and add explicit cast
  • kaizen: rename modules
  • lua: improve spell of wizard for HTTP
  • memory: prevent data race between main and packet threads
  • service_inspectors: add check for JSNorm config actuality
  • stream_tcp: add alerts for exceeding thresholds for max queued bytes or segments
  • stream_tcp: add check to verify seglist head is not nullptr and only initialize PAF when it is not
  • utils: add macro for setting thread name

3.1.79.0

  • appid: add tenants filter for appid debug
  • appid: process organization unit instead of organization name
  • appid: return false in is_appid_inspecting_session for quic if not decrypting
  • appid: update peg counts to be thread safe
  • coverity: fix for stream and hash
  • filters: make rate_filter multithreaded + some cleanup
  • kaizen: add dev_notes.txt
  • kaizen: change default value of uri_depth to -1
  • kaizen: change kaizen gid to 411
  • kaizen: extend mock object with simple matching mechanism
  • kaizen: make kaizen configurable per policy
  • kaizen: register module only when LibML present or REG_TEST defined
  • kaizen: update copyright
  • mercury: updating alpn info without sni in 7.6
  • network_inspectors: add kaizen ML based exploit detector
  • packet_tracer: add tenants to filters
  • profiler: improve multithread rule percentage calculation
  • ssl: heap overflow issue when processing handshake records
  • stream_tcp: correct labeling of in-sequence and out-of-sequence packets
  • stream_tcp: persist disable_reassembly in Flow
  • stream_tcp: set packet direction flag based on direction saved in reassembly state

Snort v3.1.78.0

18 Jan 17:01

Changes in this release since 3.1.77.0:

  • appid: print odp version and odp detector count on startup
  • copyright: update year to 2024
  • doc: update arg list for "generate_builtin.sh". Add parity to "generate_" scripts arg list, thanks to @puck (https://github.com/puck)
  • main: fix inconsistent lua variables assignment
  • parser: fix --dump-rule-meta for negated ports

Snort v3.1.77.0

22 Dec 16:49

Changes in this release since 3.1.76.0:

  • appid: add http3 to the list of ssl protocols as http3 will always be inside quic and encrypted
  • appid: do not delete hsession for http3
  • appid: fix coverity issues
  • appid: lua logging doc update
  • build: arm compilation support
  • catch: add boost software license for catch.hpp
  • detection: adjust built-in GID range to 40-999
  • detection: collect matched buffers on IpsContext
  • flow: add tenant ID to FlowKey
  • host_cache: fix race condition on peg counts
  • http_inspect: publish HTTP/1 request bodies, track MIME boundary
  • main: fix reload_id data race
  • parser: add CWD to conf search order
  • profiler: change time tracking for "rule_time (%)" field in rule_profiler output
  • profiler: dump memory profiler stats at frequent interval
  • pub_sub: add get_client_body and is_mime methods
  • ssl: stopping inspection once client or server app packet is found
  • utils: add get_file_size

Snort v3.1.76.0

05 Dec 03:44

Changes in this release since 3.1.75.0:

  • appid: added missed cppcheck warning
  • appid: adding support for memory profiling of third party lib
  • appid: additional check for lua logging
  • appid: fixing coverity issues
  • dns: fix parsing 'additionals' section in dns response
  • flow_cache: added new protocol base counters
  • pegs: make add_peg_count and set_peg_count protected to be available for the derived class
  • perf_mon: fix variable name issue reported by cppcheck

Snort v3.1.75.0

22 Nov 02:58

Changes in this release since 3.1.74.0:

  • appid: add appId for DNS over QUIC and DNS over HTTP/3 to application_ids.h
  • decompress: use list for OLE file entries to guarantee their order in file_data
  • detection: setting flag for flows with affected logging due to event filter

Snort v3.1.74.0

08 Nov 19:44

Dependencies:

  • Libdaq v3.0.13

Changes in this release since 3.1.73.0:

  • actions, detection, file_api, flow, stream: coverity fixes
  • appid: clean up main thread appid debug and make appid on, off, on work
  • appid: lua log function with appiddebug check
  • build: address miscellaneous cppcheck warnings
  • build: fix up 32-bit compilation
  • build: fix coverity and cppcheck issues
  • build: remove unused functions reported by cppcheck
  • codecs: fix bad checksum when auth(51) protocol header is present between IP and TCP layer.
  • dce_rpc: added SMB Redesigned Multichannel enabled code
  • http_inspect: add correct handling of configuration error
  • ips_options: fix ack option
  • ips_options: fix flow bits
  • packet_io: fix incorrect counters caused by data plane counters reset
  • search_tool: allow an override of the search method
  • search_tool: fall back to normal mpse if no snort config

Snort v3.1.73.0

25 Oct 19:38

Changes in this release since 3.1.72.0:

  • appid: added support for appid trace logs with multiple logging levels
  • appid: fixing cppcheck issue
  • control: code refactor to support all unix flavors
  • detection: fix cleaning of rule profiling stats when profiling starts
  • host_cache: added segmented cache
  • http_inspect: handle reserved gzip flags
  • http_inspect: response to 0.9 isn't necessarily 0.9
  • profiler: extend field length to support uint64
  • stream: skip duplicated alerts in TcpReassemblerState's list. Thanks wenhao-in-chengdu for reporting the issue and suggesting a fix.
  • stream_tcp: ignore normalization checks when in midstream state

Snort v3.1.72.0

16 Oct 19:35

Changes in this release since 3.1.71.0:

  • active: added API for printing delayed action string
  • appid: support to get correct http session based on stream_id
  • control: allow one command at a time
  • dce_rpc: using reset_using_rpkt() inline to what is there in eval() of SMB inspector code as well
  • flow_cache: added protocol base LRU caches
  • helpers: increase buffer space for function names, allow printing truncated names
  • http_inspect: clear fake headers snapshot for 0.9 response
  • http_inspect: run detection on failed utf decoding
  • memory: change NOW type counts to SUM type, where necessary
  • packet_io: fix daq stats
  • stream_tcp: accept 1 byte of trimmed probe data after zero window
  • stream_tcp: update rcv_nxt appropriately for each segment
  • tcp: timeout for embryonic and idle session