# 8.0.0-beta1 04/08/2025

* Optimization #426: threshold: rule based thresholding data structure improvement
* Bug #635: Some keywords missing in list-keyword command (like 'tcp-pkt')
* Feature #845: Memory consumption in stats.log
* Feature #1065: Introduce vlan id keyword
* Feature #1125: smtp: improve protocol detection
* Feature #1199: protocol: LDAP support
* Bug #1457: conf: non-standard units used for file size indication
* Feature #1520: multitenancy - verbose output clarity
* Feature #1971: lua: make mandatory
* Bug #2224: Negated http_* match returns false if buffer not populated
* Optimization #2272: Analyze DNS response if query is not present
* Feature #2280: http: rules that match both request and response
* Feature #2290: lua: use script as transform
* Feature #2377: deprecate: ssh.softwareversion and ssh.protoversion
* Feature #2448: Add additional buffers for DNS Responses
* Feature #2486: prefilter/fast_pattern logic for flowbits
* Task #2693: tracking: libsuricata
* Feature #2695: websocket support
* Feature #2696: http: implement parser in rust
* Feature #2816: vlan: support more than 2 layers
* Bug #2881: http.protocol parsing inaccuracy : accept spaces in URI
* Bug #2886: IMAP protocol detection is incomplete
* Documentation #3015: userguide: document "tag" keyword
* Bug #3218: ssl_state does the wrong thing
* Feature #3351: sip: parse traffic over tcp
* Optimization #3427: Issue warning/info msg upon datasets of type string that are not base64
* Optimization #3449: output calls fflush very often
* Feature #3487: mime: multi-part parser in Rust
* Feature #3636: eve: configuration options to enable all, none or just a default set of outputs
* Bug #3682: bsize needs to err upon non possible matching conditions
* Task #3695: research: libhwloc for better autoconfiguration
* Optimization #3827: clean up logging initialization code
* Bug #3910: datasets: for type string the memcap isn't applied to the string data
* Feature #3958: enip: convert protocol parser to rust
* Task #4082: ftp: convert parser to Rust
* Feature #4099: app-layer: allow direct rule keyword registration
* Feature #4102: plugins: support creating app-layer parser, logger and detect
* Task #4103: plugins: convert an app-layer to use the plugin API (snmp)
* Task #4105: plugins: Create template capture source plugin
* Bug #4135: dns: response only udp not detected as dns
* Feature #4136: use Suricata-Update managed classification.config
* Feature #4321: http2: Support link between packets in the same stream
* Documentation #4359: Elaborate documentation for rule profiling
* Task #4429: libsuricata: Use cases with examples
* Feature #4660: base64_decode cannot be used with Transformations like pcrexform
* Task #4683: detect: remove sigmatch_table in favor of a dynamic storage option
* Task #4698: Example program to bootstrap Suricata (an alternate main() for Suricata)
* Bug #4734: pfring: memory leak
* Task #4742: Make the auto-generated config.h not conflict with other config.h.
* Optimization #4753: lua: fix inconsistency in the init "needs" key
* Feature #4776: lua: vendor latest lua stable
* Feature #4777: lua: implement sandboxing
* Optimization #4798: af-packet: default to tpacket-v3 in IDS mode
* Feature #4853: eve: Add information about Suricata version
* Feature #4854: pgsql: Add COPY subprotocol-state
* Feature #4876: Additional FTP Buffers
* Feature #4904: dcerpc: frames support
* Feature #4905: smtp: add stream app-layer frame support
* Bug #4921: detect/app-layer-protocol: unexpected results when one direction state "failed"
* Feature #4974: Log references to Eve
* Optimization #5047: sip: implement pattern based protocol detection
* Task #5053: app-layer: dynamic alproto IDs
* Feature #5075: smb: keyword for the SMB version
* Feature #5082: smb: keyword for matching the SMB files
* Documentation #5088: file.name sticky buffer is not documented
* Bug #5185: MIME URL extraction missing.
* Feature #5217: ips: allow dropping of flow if applayer specific memcap is hit
* Bug #5220: fast_pattern specification in base64_data shouldn't be allowed
* Feature #5234: SSL/TLS Sticky Buffer for subjectAltName
* Optimization #5311: ftp: use unsigned integer for input_len
* Documentation #5393: devguide: move github workflow document from redmine into devguide
* Feature #5446: allow ranges in dns.opcode value
* Documentation #5465: doc/userguide: document terminating behavior of rule actions
* Feature #5466: detect: allow alert-then-pass logic
* Documentation #5485: userguide: explain that the http.header_names buffer is normalized
* Bug #5486: Ethernet metadata is missing for some protocols or parts of a protocol
* Feature #5489: research: multi version rules; or version dependent rules
* Bug #5491: SMTP response 530 appears to generate an SMTP invalid response alert
* Documentation #5494: userguide: update tls eve-log fields 'not_before' and 'not_after'
* Optimization #5517: decode: big clean up (macros and functions)
* Bug #5524: pgsql: parser should not error on parsing error, so as to keep on parsing the next PDUs
* Bug #5539: landlock: coverity warnings
* Optimization #5566: pgsql: add events
* Bug #5576: Dataset is setting data despite the signature being a complete match
* Task #5588: ips/tap: don't allow mixed tap and ips modes
* Task #5626: doc: document file.data
* Optimization #5634: Unify ValidateCallback for MD5-like keywords
* Feature #5642: DNS: parity between log fields and detection
* Feature #5646: rules: allow matching on flow pkts and bytes in either direction
* Feature #5647: rules: mark flow as elephant flow
* Documentation #5651: bsize: format should specify operators
* Feature #5665: rules: bidirectional transaction matching
* Optimization #5672: smb: avoid unbounded hash maps
* Optimization #5699: dcerpc: switch to incomplete api for tcp
* Feature #5734: ssh: add frame support
* Feature #5743: http2: add frame support
* Feature #5773: Support DNS over HTTPS (DoH)
* Feature #5816: Exception policy stats counters
* Feature #5838: dpdk: NIC encapsulation stripping
* Feature #5839: dpdk: power saving mode
* Security #5921: http1: configurable limit for maximum number of live transactions per flow
* Security #5926: http2: evasion by splitting header fields over frames
* Feature #5972: rules: "requires" keyword representing the minimum version of suricata to support the rule
* Feature #5976: eve/stats: allow hiding counters whose value is 0
* Bug #5977: eve/alert: missing KRB5 metadata
* Task #6050: base64: make a fuzz target
* Documentation #6076: eve/schema: document quic
* Feature #6079: eve/dcerpc: eve/smb: log dcerpc uuid with request/response txs
* Bug #6080: pgsql/probe: TCP on 5432 traffic incorrectly tagged as PGSQL
* Feature #6090: eve/alert: missing dcerpc metadata
* Bug #6092: eve/alert: missing pgsql metadata
* Task #6107: Convert unittests to new FAIL/PASS API - util-memcmp.c
* Optimization #6111: defrag: avoid passing null pointers to functions
* Feature #6164: rules: allow matching on flow pkts and bytes
* Task #6209: libhtp 0.5.46
* Feature #6215: flow/output: log triggered exception policy
* Bug #6254: Error: threads: thread "FB" failed to start in time: flags 0003
* Feature #6260: Support flow matching excluding packet recursion level
* Bug #6280: base64: strict mode should only accept strings that can be reliably converted back
* Bug #6281: dns: structure of query differs between "alert" and "dns" event types
* Task #6287: suricatasc: rewrite in rust
* Feature #6290: support case insensitive testing of HTTP header name existence
* Bug #6291: Performance degradation on Suricata devices with a small number of rules
* Security #6299: mqtt pcap with anomalies takes too long to process because of app-layer-event detection
* Bug #6304: schema.json : if protocol such as ENIP is detection only, we do not have _tcp suffix in stats
* Bug #6305: drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP)
* Task #6309: detect/analyzer: add more details for the flowbits keyword
* Task #6312: detect/analyzer: add more details for the flow.age keyword
* Task #6318: Convert unittests to new FAIL/PASS API - detect-engine-address-ipv4.c
* Bug #6347: log-pcap: crash with suricata.yaml setting max-file to 1
* Task #6352: detect/analyzer: add more details for the tcp window keyword
* Task #6353: detect/analyzer: add more details for the tcp seq keyword
* Task #6354: detect/analyzer: add more details for the tcp ack keyword
* Task #6355: detect/analyzer: add more details for the tcp.mss keyword
* Task #6360: detect/analyzer: add more details for the icmp_id keyword
* Feature #6366: pop3 protocol detection
* Bug #6370: plugins: install libsuricata-config by default, or with headers
* Feature #6374: Sticky buffers for sip headers
* Bug #6376: Huge increase on Suricata load time with a lot of ip-only rules and bigger HOME_NET
* Feature #6379: JA4 support for TLS and QUIC
* Task #6382: Add DPDK 23.11 build to Github Actions
* Optimization #6387: mqtt: move parser registration code to the rust side
* Bug #6389: pgsql: u16 overflow found by oss-fuzz w/ quadfuzz
* Bug #6390: file: do not store if filestore:both,flow is triggered after the file was set to nostore
* Bug #6393: detect/filestore: be more explicit about the U16_MAX limit per signature group head
* Bug #6394: Sudden increase in capture.kernel_drops and tcp.pkt_on_wrong_thread after upgrading to 6.0.14
* Feature #6396: Add protocol string support for mqtt
* Bug #6398: Suricata 7.0.1 threads object in stats contains memcap_pressure scalars
* Bug #6405: eve: ethernet src_mac should match src_ip
* Bug #6408: Output plugins receive identifier, but not thread identifier
* Security #6411: pgsql: quadratic complexity leads to over consumption of memory
* Bug #6414: detect-engine/port: recursive DetectPortInsert calls are expensive
* Bug #6415: http.header, http.header.raw and http.request_header buffers not populated when malformed header value exists
* Bug #6419: dpdk: Analyze hugepage allocation on startup more thoroughly
* Feature #6426: HTTP/2 - app-layer-event and normalization when userinfo is in the :authority pseudo header for the http.host header
* Task #6427: runmodes: remove reference to auto modes
* Task #6432: tracking: autofp capture stalls due to packetpool depletion
* Optimization #6433: packetpool: improve return sync logic
* Feature #6439: New Transformation: to_lowercase
* Security #6441: detect: heap use after free with http.request_header keyword
* Security #6444: http1: quadratic complexity from infinite folded headers
* Documentation #6445: userguide: explain what flow_id is
* Optimization #6454: Force os to release memory on rule reload
* Feature #6455: txbits: support for new type of bits
* Task #6476: ftp: parity of logging and detection buffers
* Security #6477: SMTP: quadratic complexity from unbounded number of transaction per flow
* Feature #6480: plugins: allow plugins to specify the version of suricata they are for
* Security #6481: http2: quadratic complexity in find_or_create_tx not bounded by max-tx
* Bug #6483: http.request_headers - odd behavior with multiple signatures
* Feature #6487: transform: from_base64
* Task #6488: plugins: add example plugins to the suricata source tree
* Bug #6490: profiling: rule profiling doesn't support absolute paths
* Documentation #6492: doc: explain how FTP works
* Feature #6496: dns: new detection buffer: dns.answer.name
* Feature #6497: dns: new detection buffer: dns.query.name
* Bug #6499: tcp.active_sessions and flow.active count will never reduce when using trex
* Bug #6500: eve/alert: missing FTP metadata
* Bug #6501: eve/alert: missing TFTP metadata
* Bug #6527: cppcheck 2.11 errors
* Task #6542: logging: deprecate tls-log
* Task #6543: logging: deprecate http-log
* Task #6544: logging: deprecate syslog
* Feature #6546: transformation - strip_pseudo_headers
* Bug #6547: HTTP/2 - http.response_line has leading space
* Documentation #6548: http.stat_msg - note about HTTP/2 behavior
* Feature #6550: profiling/rules: allow enabling profiling for pcap file runs
* Bug #6551: Invalid registration of prefiltering in stream size
* Documentation #6552: doc: add tcp timeout fix to upgrade guide
* Bug #6553: eve/alert: payload/payload_printable misrepresent data in case of overlaps
* Documentation #6568: devguide: document backports policies and process
* Optimization #6569: threading: fix condition signalling w/o taking lock first
* Documentation #6570: remove references in docs mentioning prehistoric Suricata versions
* Bug #6574: detect/filestore: memory leak on rule parsing
* Optimization #6575: detect/multi-buffer: use single definition of struct PrefilterMpmKrb5Name
* Task #6577: pgsql: add cancel request message
* Bug #6578: ssh: no alert on packet with Message Code: New Keys (21)
* Bug #6584: SCTIME_ADD_SECS() macro zeros out ts.usec part
* Bug #6585: SCTIME_FROM_TIMESPEC() creates incorrect timestamps
* Task #6586: mpm/ac-bs: remove implementation
* Documentation #6589: docs: fix broken bulleted list style on rtd
* Bug #6592: mqtt: frames on TCP are not set properly when parsing multiple PDUs in one go
* Documentation #6599: docs: update eBPF installation instructions
* Task #6603: pgsql: don't log password msg if password disabled
* Task #6605: flash decompression: update/remove deprecation warnings
* Bug #6615: detect/analyzer: misrepresenting negative distance value
* Bug #6617: detect/filestore: flow, to_server was broken by moving files into transactions
* Bug #6618: Endace: timestamp fixes
* Bug #6619: Profiling takes much longer to run than it used to
* Feature #6621: dns: add keyword for dns rcode: dns.rcode
* Feature #6624: http/2: event on :authority vs Host header mismatch
* Feature #6627: SDP protocol: parser and logger
* Documentation #6628: userguide: document generic aspects of integer keywords
* Documentation #6629: Fix byte_test examples
* Bug #6633: stats: flows with a detection-only alproto not accounted in this protocol
* Bug #6634: tls: Invalid ja3 due to double client hello
* Feature #6637: requires: add skipped rules to stats
* Bug #6643: http: wrongly assuming http0.9 leads to missed headers
* Feature #6645: detect: integer parsed with hexadecimal notation
* Feature #6646: detect: integer: support negated ranges
* Feature #6647: detect: integers: support for enumerations
* Feature #6648: detect: integer: support bitmasks
* Bug #6656: detect/requires: assertion failed !(ret == -4)
* Bug #6661: content-inspect: FN on negative distance
* Bug #6663: Config rules does not disable logging.
* Bug #6664: eve/smtp: attachment filenames not logged
* Feature #6666: dns: add keyword for dns rrtype: dns.rrtype
* Security #6668: ip defrag: final overlapping packet can lead to "hole" in re-assembled data
* Security #6669: ip defrag: re-assembly error in bsd policy
* Security #6675: ip-defrag: packet can be considered complete even with holes
* Bug #6678: datasets: discard datasets that hit the memcap while loading correctly
* Task #6684: pcap-log: remove sguil mode
* Documentation #6685: userguide: explain noalert keyword
* Documentation #6686: docs: port userguide build instruction changes from master-6.0.x
* Feature #6695: tls: log extensions
* Optimization #6702: streaming-buffer: Explore Rank Balanced trees
* Task #6705: build-info: remove obsolete "rust support" line
* Documentation #6708: userguide/payload: fix explanation about bsize ranges
* Bug #6710: rules: failed rules after a skipped rule are recorded as skipped, not failed
* Task #6712: remove completely nss
* Bug #6715: dpdk: NUMA warning on non-NUMA system
* Optimization #6718: detect/frames: avoid rescanning in IPS mode
* Documentation #6725: document pcap file variables
* Bug #6726: stream: stream.drop-invalid drops valid traffic
* Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...)
* Bug #6732: Suricata 7.0.2 parent interface object in stats contains VLAN-ID as keys
* Bug #6733: tcp: tcp flow flags changing incorrectly when ruleset contains content matching
* Bug #6737: dpdk: property configuration can lead to integer overflow
* Feature #6739: dpdk: warn the user if user-settings are adjusted to the device capabilities
* Bug #6741: dpdk: automatic cache calculation is broken
* Bug #6745: util/mime: Memory leak at util-decode-mime.c:MimeDecInitParser
* Task #6748: doc: mention X710 RX descriptor limitation
* Bug #6750: dpdk: examine the functionality of multiple parallel-running DPDK Suricata processes
* Bug #6753: detect/cip: missing return-value check for a 'scanf'-like function
* Bug #6755: Netmap: deadlock if netmap_open fails
* Security #6757: libhtp: quadratic complexity checking after request line missing protocol
* Bug #6760: Hugepages Error for ARM64 and af-packet IPS mode
* Bug #6762: Hugepages Error for FreeBSD when kernel NUMA build option is not enabled
* Bug #6766: multi-tenancy: dead lock during tenant loading
* Task #6769: libhtp 0.5.47
* Optimization #6773: app-layer/template: no limit on txs number
* Optimization #6775: detect: do not run tx detection on tcp non established packets
* Bug #6778: detect/tls.certs: direction flag checked against wrong field
* Documentation #6781: http keywords lacking information about values from duplicate headers being concatenated
* Bug #6782: streaming/buffer: crash in HTTP body handling
* Optimization #6786: util-rohash.c : make code cleaner to make CodeQL happier
* Bug #6787: decode/pppoe: Suspicious pointer scaling
* Feature #6788: Decouple stream.bypass dependency from TLS encrypted bypass
* Bug #6790: dpdk: evaluate the correct handling of DPDK ports on shutdown
* Optimization #6792: detect/port: port grouping is quite slow in worst cases
* Optimization #6795: detect/port: PortGroupWhitelist fn takes a lot of processing time
* Security #6796: output/filestore: slowdown because of running OutputTxLog on useless packets
* Security #6799: ssh: quadratic complexity in overlong banner
* Feature #6805: cpu-affinity: enhance CPU affinity logic with per-interface NUMA preferences
* Bug #6811: capture plugins: capture plugins unusable due to initialization order
* Task #6814: libsuricata: opt-in signal handling
* Task #6817: rust: kerberos-parser 0.8.0
* Task #6818: rust: snmp-parser 0.10.0
* Task #6819: tracking: rust: update dependencies for 8
* Optimization #6821: smtp: add 535 code
* Feature #6822: threshold: support tracking by flow
* Feature #6827: arp: implement decoder and logger
* Feature #6832: Support BPFs for filtering pcap output
* Bug #6834: iprep: rule with '=,0' can't match
* Bug #6835: BUG_ON triggered from TmThreadsInjectFlowById
* Bug #6837: Error message from netmap when using Netmap pipes (with lb)
* Bug #6838: eve/filetypes: move from plugin api to eve api
* Bug #6839: coverity: warning in port grouping code
* Bug #6843: detect/port: port ranges are incorrect when a port is single as well as a part of range
* Bug #6846: alerts: wrongly using tx id 0 when there is no tx
* Optimization #6852: mpm/ac: support endswith
* Optimization #6855: src: var code cleanups
* Feature #6856: http: anomaly when request line is missing protocol
* Feature #6857: iprep: support seeing if rule is part of a rep list
* Bug #6861: profiling/rules: crash when profiling ends
* Bug #6864: Detect: ipopts keyword misfires
* Security #6866: eve: excessive ssh long banner logging
* Bug #6871: dpdk: fix compatibility issues for ice cards
* Optimization #6873: byte_extract: convert keyword/option parsing to Rust
* Bug #6875: output/alert: assertion failed p->flow != NULL
* Bug #6877: Suricata 8 general protection fault ip:698117 sp:7fd537b08090
* Bug #6881: detect/port: port grouping does not happen correctly if gap between a single and range port
* Bug #6883: rust: clippy 1.77 warning
* Bug #6887: defrag: reassembled packet can have wrong datatype
* Task #6888: Remove obsolete items from contrib
* Bug #6891: sip: usage of Vec instead of Vecdeque leads to quadratic complexity on cleanup
* Security #6892: http2: oom on copying compressed headers
* Bug #6896: detect/port: upper boundary ports are not correctly handled
* Security #6900: http2: timeout logging headers
* Security #6902: base64: off-by-three overflow in DecodeBase64()
* Bug #6903: streaming buffer: heap overflows in StreamingBufferAppend()/StreamingBufferAppendNoTrack()
* Bug #6904: mime: buffer overflow in GetFullValue() (util-decode-mime.c)
* Bug #6906: smtp/mime: data command rejected by pipelining server does not reset data mode
* Documentation #6908: userguide: document how to verify tar.gz signature
* Documentation #6911: manpages: use consistent date based on release and/or git commits
* Bug #6913: reimplement systemd sd_notify w/o linking to libsystemd
* Bug #6918: pcre2 compile warning
* Bug #6921: jsonbuilder: serializes Rust f64 NaNs to an invalid literal
* Feature #6927: dpdk: add unit tests for threading and mempool cache size functions
* Task #6929: eve/stats: hide zero-values for counters individually
* Task #6935: Convert unittests to new FAIL/PASS API - src/app-layer-htp.c
* Feature #6936: landlock: enable by default
* Optimization #6937: compile: make code clean with -Wunused-macros
* Optimization #6938: packet: optimize packet data storage
* Feature #6939: lua: increment stat when a lua rule exhausts its instruction count
* Bug #6940: lua: handle errors in lua rules
* Task #6941: lua: review and document lua rule return types
* Bug #6942: decode/ppp: decoder.event.ppp.wrong_type on valid packet
* Feature #6943: pcap: datalink type 229 not (yet) supported in module PcapFile
* Bug #6948: detect/http.response_body: false positive because not enforcing direction to_client
* Bug #6954: eve: packet field packet_info.linktype is non-portable
* Bug #6957: Assert: BUG_ON(id <= 0 || id > (int)thread_store.threads_size);
* Bug #6959: improve handling of content encoding: gzip but request_body not actually compressed
* Task #6961: lua create: use a rust crate to vendor lua
* Task #6962: yaml: unify 0 stats counter config option terminology
* Bug #6964: base64: consumed bytes are incorrectly set for different modes
* Task #6965: libhtp 0.5.48
* Feature #6967: multi-tenancy: support thresholding per tenant
* Bug #6969: dataset: lookup function is not working with ip type
* Bug #6973: detect: log relevant frames app-layer metadata
* Bug #6983: alert/metadata: no pgsql object encapsulation
* Bug #6984: mqtt: do not log non-string messages?
* Bug #6985: base64: coverity dead code warning
* Security #6987: modbus: txs without responses are never freed
* Bug #6989: tls.random buffers don't work as expected
* Bug #6994: sip/sdp: logger closes unopened array for empty medias
* Documentation #6998: userguide: add info on how to generate rule-profiling
* Bug #7000: pgsql: trigger raw stream reassembly
* Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs
* Bug #7004: app-layer: wrong tx may be logged for stream rules
* Feature #7011: DNS additional section parsing and logging
* Feature #7012: Add dns.response sticky buffer
* Bug #7013: rust: build with rust 1.78 with slice::from_raw_parts now requiring the pointer to be non-null
* Feature #7017: DNS add OPT rdata struct and parsing
* Optimization #7018: dns/tcp: allow triggering raw stream reassembly
* Bug #7020: unix-socket: hostbit commands don't properly release host
* Bug #7022: unix-socket: iface-bypassed-stat crash
* Bug #7025: websocket: wrong value for opcode ping/pong
* Optimization #7026: app-protos: trigger raw stream reassembly
* Security #7029: http/range: segv when http.memcap is reached
* Documentation #7031: userguide: document SignatureProperties sigtype
* Bug #7034: time: in offline mode, time can stay behind at pcap start
* Feature #7036: DPDK NUMA setup: choose correct CPUs from worker-cpu-set
* Bug #7037: pcap/log: MacOS rotates file well before limit is reached
* Optimization #7044: applayer: clean up truncate callbacks and logic
* Feature #7045: tls-store: add support client certs
* Feature #7047: eve: add ip version field
* Bug #7048: af-packet: failure to start up on many threads plus high load
* Bug #7049: util/radix-tree: Possible dereference of nullptr in case of unsuccess allocation of memory for node
* Feature #7051: websocket: data frame
* Bug #7053: bypass: cannot bypass udp flow from first packet in second direction
* Feature #7055: tls: log ALPN
* Task #7058: fuzz/base64: check decoded strings for correctness in strict mode
* Bug #7059: smtp: split name logged as 2 names
* Optimization #7065: base64: move the decoder to rust
* Security #7067: defrag: off by one leads to possible evasion
* Feature #7069: config/eve: magic toggle to enable all types
* Feature #7073: lua: expose hashing functions (md5/sha1/sha256)
* Feature #7074: lua: expose base64 functions
* Optimization #7076: pgsql: trigger raw stream reassembly when tx completed
* Task #7079: rust: unify rust ffi style
* Bug #7093: sip: wrong slice used for sip_take_line with tcp leads to quadratic oom
* Feature #7098: Payload length field in JSON
* Bug #7106: packet: app-layer-events incorrectly used on recycled packets
* Feature #7108: tls: ALPN keyword
* Bug #7111: protodetect: DNS flow direction is not correct sometimes
* Bug #7113: pgsql: track 'progress' in tx per direction
* Bug #7115: dpdk: timestamping packets through TSC does not yield the same time as kernel time
* Feature #7120: threshold: add backoff type
* Bug #7121: smb/ntlmssp: nonsense smb.ntlmssp.version values
* Bug #7126: decode/base64: Error message on packet path.
* Task #7130: rust: dependency "time" fails to build on Rust nightly
* Bug #7135: util/thash: debug assertion for memuse
* Task #7151: plugins: add template app-layer plugin
* Task #7152: plugins: add template logger plugin
* Task #7154: plugins: add template detection plugin
* Optimization #7155: pcap: use larger read size buffer for a performance increase
* Bug #7158: tcp: 'broken ack' event set on flow timeout
* Task #7162: pfring: move into bundled plugin
* Task #7165: napatech: move into bundled plugin
* Task #7167: dns: make the version field in a dns object required
* Bug #7169: lua/output: vendored lua search for modules in /usr/local/ rather than /usr/
* Feature #7170: hyperscan: Cache Hyperscan databases to disk to speed up the startup
* Bug #7172: detect/integers: do not bother to free NULL pointer on setup/parse failure
* Bug #7176: ldap: crash when encountering GAP
* Optimization #7178: rfb: rustify keywords and app-layer registration
* Bug #7181: fuzz: File confyaml.c is missing
* Optimization #7185: stats: exceptions: use search-friendly log output
* Bug #7187: detect: dcerpc logging and matching issues
* Security #7191: http: quadratic complexity in headers processing/finding
* Bug #7193: ldap: parser does not accept gaps yet
* Security #7195: datasets: rule with unset makes suricata abort
* Bug #7199: detect: missing app-layer metadata in alerts
* Bug #7200: Suricata[239866]: Error: byte: Extra characters following numeric value [ByteExtractString:util-byte.c:227]
* Feature #7202: ldap: frame support
* Feature #7203: ldap: extend parser for udp
* Feature #7204: sip: rustify sticky buffers
* Bug #7206: cbindgen: compatibility with newer version 0.27
* Optimization #7208: tcp/reassemble: GetBlock takes O(nlgn) in worst case
* Security #7209: thash: random factor not used; possible abusive hash collisions
* Bug #7210: Inconsistent spelling in documentation for RFB `security_result` key
* Bug #7213: frames: stream frame is not always the first one registered
* Bug #7216: drop_reason counters don't support tunneled connections
* Bug #7218: profiling: packet profiling to log file is only active with rule profiling
* Task #7219: rust/crates: update base64
* Bug #7226: lua: use crate from crates.io instead of github to fix offline builds
* Task #7227: logging: document and cleanup low level logging registration
* Bug #7228: dns: no data logged, and no events with udp corrupt additional record
* Bug #7230: dcerpc: invalid dcerpc header is not rejected
* Bug #7235: tls: a rule stops working since 7.0.5
* Bug #7236: plugins: custom transaction loggers cannot be registered by a plugin
* Bug #7238: applayer: protocol flows are miscounted in case of error
* Feature #7240: libsuricata: use provided threads and packets
* Bug #7241: app-layer-protocol: negated matching false positive
* Feature #7243: lua: expose dataset functions
* Task #7246: libhtp 0.5.49
* Bug #7252: stream/reassemble: GetBlock implies gap without searching the entire tree for block
* Bug #7253: fuzz: CIFuzz is not fuzzing PRs as it is supposed to
* Bug #7256: ja3: Error: ja3: Buffer should not be NULL
* Documentation #7260: userguide/config: fix consistency of dashes instead of underscores
* Documentation #7262: doc: remove mentions to suricata-6
* Bug #7264: detect/flow: ACK with data on 3whs fails to match 'flow:established'
* Security #7267: ja4: non alphanumeric characters in alpn lead to panic
* Bug #7270: conf: nullptr dereference if mem alloc fails for a node in yaml parser
* Optimization #7272: af-packet: improve startup time
* Bug #7279: dns: protocol detection is not strict enough
* Task #7287: schema: add missing tls fields certificate and chain
* Feature #7291: sdp: implements sticky buffer
* Bug #7296: detect: transform base64 creates a 0-sized variable-length array
* Optimization #7297: Remove duplicate function declarations
* Bug #7300: output: oversized records lead to invalid json
* Bug #7302: conf: memleak if yaml parser is initialized before checking if file exists
* Bug #7303: detect: memleak in case of errors during initialization
* Optimization #7304: Better support multi-protocol keywords
* Bug #7305: sdp: media's encryption key not logged
* Bug #7309: http: incorrect file direction handling
* Feature #7311: http1: log invalid status as string
* Bug #7314: misc/warnings: compile warnings during build
* Bug #7315: template: remove usage of template-rust
* Bug #7318: flow: flow timeout pseudo packet triggers unexpected alert
* Feature #7319: flow: add user registerable flow initialization callback
* Feature #7320: flow: add user registerable flow update callbacks
* Bug #7323: mqtt: wrong and missing direction for keywords
* Bug #7325: sdp: one or more time descriptions
* Bug #7326: http: FN with prefilter if the first of multi buffer did not match
* Feature #7330: dpdk: support HW VLAN stripping
* Bug #7332: tls: fix duplicate EVE field issuerdn
* Bug #7333: tls: impossible to log alpns with 'custom' logging
* Bug #7334: asan/profiling: global-buffer-overflow error
* Feature #7337: dpdk: implement configuration of RSS using rte_flow rules for major cards
* Bug #7338: rust: different int types turn garbage on FFI boundary
* Task #7341: rust: use bindgen to generate Rust bindings to C functions
* Task #7350: firewall usecase: log app-layer metadata for catch-all drop rules
* Optimization #7353: files: remove deprecated force-md5 config option
* Optimization #7358: CI: only run CodeQL python if the PR contains changed files that are python
* Bug #7359: eve/syslog: crashes on use
* Bug #7361: rules: unknown internal events not being detected as errors
* Bug #7365: flow-manager: multi Flow Manager memory leak problem
* Feature #7373: dpdk: provide "auto" option to mempool-size property
* Bug #7374: dpdk: iface-copy should not be mandatory
* Bug #7378: dpdk: having too few hugepages can lead to segfault on startup
* Feature #7380: dpdk: provide "auto" option for RX/TX descriptors
* Feature #7381: dpdk: when running with ice driver fully start only when link state change event is caught
* Feature #7382: dpdk: create separate packet mempools per queue
* Documentation #7383: userguide: fix typo
* Bug #7390: byte_extract: issue with saved 'name' in distance keyword
* Bug #7394: ldap: support starttls with tls upgrade
* Bug #7398: datasets: scan-build warning call to blocking fn inside critical section
* Feature #7403: requires: add ability to check for a rule keyword
* Bug #7406: eve: Alerts with app_proto=tls no longer logs the tls app data
* Bug #7414: detect: decoder event rules fail to match on invalid packets
* Bug #7417: rust: remove shared reference to static mutable
* Bug #7418: requires: rules with unmet requirements are still loaded
* Bug #7422: tcp: GAP event set on unack'd data following a RST
* Task #7426: flowint: add isnotset support
* Optimization #7430: dns: parse more than 255 name segments to find end of name
* Feature #7433: eve/alert: enrich decoder event rules
* Bug #7435: fuzz: fix protocol detection target initialization sequence
* Bug #7436: sip: remove UPDATE pattern as already used by HTTP/1.1
* Bug #7437: protocol detection : probing parsers are limited to 32 by use of bitflag
* Feature #7438: detect: add flow.rate keyword
* Bug #7440: eve/frame: incomplete frame logging
* Bug #7444: dpdk: RSS key length mismatch on ice (E810) card with DPDK version 22.11.6
* Bug #7447: NULL dereference in ThreadLogFileHashFreeFunc in bug-5198 SV test
* Bug #7449: app-layer metadata does not get logged for stream rules and unidirectional protocols
* Task #7452: ldap: add keywords to match output
* Feature #7453: detect/ldap: add ldap.request.operation and ldap.response.operation keywords
* Bug #7455: flow: flow timeout behavior non-deterministic
* Task #7456: engine/analysis: report rule state altered by flowbit rule
* Bug #7466: Lua Flowvar memory leak
* Bug #7467: detect: checksum detection broken by stream.checksum-validation
* Bug #7469: smtp: recognize when client initiated TLS
* Feature #7471: detect/ldap: add ldap.distinguished_name keywords for request and response
* Feature #7477: ldap: add support for AbandonRequest
* Feature #7481: rules/actions: explicit action scopes
* Feature #7482: eve/flow: log tcp session reuse as a timeout reason
* Feature #7485: rules: allow specifying explicit hooks
* Task #7486: lua: turn flowvars into lib
* Task #7487: lua: turn flowints into lib
* Task #7488: lua: turn packet into lib
* Task #7489: lua: turn flow into lib
* Task #7490: lua: turn rule into lua lib
* Task #7491: lua: turn file into lua lib
* Task #7492: lua: remove script_api_ver check from needs block
* Bug #7495: protocol detection: probing parsers do not finish as soon as possible
* Bug #7498: rust: cleanup of extern "C" functions and no_mangle
* Feature #7502: rules: ftp.command keyword
* Feature #7503: rules: ftp.command_data keyword
* Feature #7504: rules: ftp.dynamic_port keyword
* Feature #7505: rules: ftp.mode keyword
* Feature #7506: rules: ftp.reply_received keyword
* Feature #7507: rules: ftp.completion_code keyword
* Feature #7508: rules: ftp.reply keyword
* Feature #7513: detect/integers: add support for negated strings when enum is used
* Feature #7515: detect: smtp.helo keyword
* Feature #7516: detect: smtp.rcpt_to keyword
* Feature #7517: detect: smtp.mail_from keyword
* Bug #7521: detect/ip-only: false positive alerts on pseudo packets ending a one direction flow
* Bug #7523: rules/prefilter: prefilter keyword ignored when in content rule
* Optimization #7529: detect/dns: move wrapper code from C to rust
* Feature #7532: detect/ldap: add keywords for LDAPResult
* Feature #7533: detect/ldap: add ldap.request.attribute_type and ldap.request.attribute keywords, and same for responses
* Documentation #7540: doc/userguide: fix typo
* Bug #7548: dcerpc: avoid integer underflow
* Bug #7552: applayer: misdetection if response is seen first without request
* Bug #7554: tls: parser error on unACK'd data in FIN shutdown
* Bug #7556: quic: valid traffic blocked in IPS mode
* Optimization #7558: detect: convert rule group dumping to JsonBuilder
* Feature #7565: dcerpc: rpc interfaces info in request event
* Bug #7569: logging: Mac addresses are not logged for pkt_src detect/log or flow timeout
* Bug #7577: detect/files: file.data does not use content passed when closing the file internally
* Feature #7586: mime: expose 'headers' as a keyword
* Feature #7588: mime: add email.cc keyword
* Task #7589: eve: deprecate syslog filetype for eve
* Feature #7592: mime: add email.from keyword
* Feature #7595: mime: add email.subject keyword
* Feature #7596: mime: add email.to keyword
* Task #7601: lua: turn dnp3 into lib
* Task #7602: lua: turn dns into lib
* Task #7603: lua: turn hassh into lib
* Task #7604: lua: turn http into lib
* Task #7605: lua: turn ja3 into lib
* Task #7606: lua: turn smtp into lib
* Task #7607: lua: turn ssh into lib
* Task #7608: lua: turn tls into lib
* Task #7609: lua: suricata.util lib
* Optimization #7617: af-packet: set defrag based on passive or inline mode
* Bug #7618: af-packet: setting bpf fails
* Feature #7620: smb: configurable logging
* Feature #7629: dpdk: support for a hardware-accelerated input drop filter
* Feature #7633: dpdk: refrain from creating TX queues on zero TX descriptors
* Feature #7635: eve: include transaction count