# TBD

To be determined -- placeholder for tickets that are not prioritized/scheduled yet.

* Feature #121: Alert on domain name look up, capture traffic for corresponding IP
* Feature #249: Configure host-os-policy from a file, like snort's host_attribute.xml
* Feature #266: log http raw request for network forensics
* Feature #273: IRC protocol detection support
* Feature #276: Libcap support for dropping privileges
* Feature #294: Limit inspection of a stream and/or rule...
* Bug #317: Invalid Rules
* Feature #328: Traceability and QA with regards to rules loaded
* Feature #365: expose interface (unix socket command) to reset tcp connection
* Bug #376: Windows - Failure when trying to get MTU
* Feature #385: Configuration option to log all known (pcap) data for a stream when an alert fires
* Feature #425: Inspect the effects of mixing threshold and detection filters etc.
* Feature #432: PCAP-NG support
* Bug #437: filemagic / libmagic inconsistent between releases
* Feature #448: dlp: md5sum based on part of files
* Feature #465: benchmark runmode
* Feature #473: pcap log: alert log with packet indexes
* Bug #500: duplicate values in host-os-policy not detected
* Feature #511: Port independent protocol identification (nDPI)
* Feature #535: new keywords - time, day
* Optimization #536: share ctx for filemd5 keyword if identical files are used
* Feature #544: Live traffic decryption
* Feature #547: libinjection -- sqli library
* Optimization #548: Use bloomfilter for filemd5
* Optimization #551: Replace SCLogError by a counter for memory issue and other memcap
* Optimization #569: display syntax requirement on keyword parsing error
* Task #570: tracking: memory fragmentation
* Optimization #573: reduce allocs in signature parsing
* Feature #584: lua: expose file buffers
* Documentation #595: document csum keywords
* Feature #596: rule profiling: multiple outputs per run
* Feature #609: Active Response in inline mode (like react in snort 2.9+)
* Optimization #614: Rate limiting messages
* Feature #659: Update IP reputation from unix socket.
* Feature #682: Add DEP and ASLR to Windows Binary
* Bug #705: http.log missing lots of requests under high traffic load
* Bug #708: Flow vars issue in pcap file mode
* Feature #716: configurable packet_stats.csv and packet_stats.log
* Optimization #721: full nfq zero copy mode
* Feature #728: Add support for OpenCL
* Feature #745: Tunnel configuration
* Bug #747: Reset async flag if stream is found to be non-async
* Feature #776: rules: Add smtp_envelope and smtp_header keywords
* Bug #778: ipv6 addr with nat64 notation
* Feature #783: LuaJIT be able to return various messages for a single script.
* Bug #786: Windows - yaml directory paths
* Optimization #795: stream: use pool instead of direct SACK record allocs
* Optimization #808: Support the new GSO-avoidance NFQ feature
* Feature #816: TCP SACK: limits per stream
* Feature #821: conditional logging: output steering
* Feature #843: Custom http logging filter functionality
* Bug #849: Not alerting on invalid http request Content-Length
* Bug #868: Makefile[.in] doesn't use its own INSTALL variable definition
* Feature #870: luajit: global vars
* Feature #880: memcap http parser
* Feature #902: VLAN host table support
* Optimization #923: memcap value in suricata.yaml: erroring if config value is bigger than what is available
* Bug #924: missing space between variable and value in suricata.yaml
* Feature #933: add an IPv6 (RFC2460 recommended order of EH) rule to decoder events rules
* Feature #936: support tzsp protocol
* Optimization #945: remove useless includes
* Feature #960: persistent TCP resets
* Bug #992: Different alerts reported when reading from pcap file with runmode=single and runmode=autofp
* Feature #1002: Possible to disable/bypass a rule by a specific source ip and a destination ip?
* Feature #1015: add chained content info to rule analysis
* Feature #1025: separate #ifdef UNITTEST code into their own files
* Optimization #1046: replace pcre_get_substring with pcre_copy_substring
* Bug #1083: pfring: valgrind: Syscall param socketcall.setsockopt(optval) points to uninitialised byte(s)
* Bug #1084: pfring: valgrind: memory leak at exit in bpf filter
* Optimization #1094: Special check for first character of buffer
* Feature #1095: Integration of support for STIX-based indicators
* Feature #1132: set rpath for libs not in the default linker paths
* Feature #1140: IP-Address white list implementation for IPS mode (without disabling a rule globally)
* Bug #1152: Write to ipfw divert socket failed: Message too long
* Optimization #1188: Don't use iface name in GetIfaceMaxHWHeaderLength
* Feature #1191: EVE log does not support customformat
* Feature #1194: Implement http_args keyword to match http arguments - query string or body
* Feature #1215: journald logging support
* Optimization #1222: Boyer Moore content not shared between same content
* Documentation #1233: Documentation for each keyword in stats.log file.
* Feature #1234: nfqueue: use mnl API
* Feature #1239: Best effort TCP stack
* Feature #1245: Add "drop-only" and "alert-only" option for pcap-log
* Bug #1247: Using suppress in threshold.config does not prevent dropping
* Feature #1250: protocol: Multipath TCP (mptcp)
* Feature #1290: handle SIGHUP signal
* Feature #1300: profiling: per flow recording of profiling data
* Optimization #1313: All Free functions should correctly handle NULL pointers
* Feature #1323: automated eve.json rotation
* Feature #1348: OOBE -6- increasing max-pending-packets default value
* Bug #1370: sctp fp on suricata engine
* Feature #1380: JSON and Unified2 output "payload" does not contain full (or real in the case of Unified2) packets for session
* Bug #1382: BPF not reflected in suricata.log when using pf-ring
* Feature #1389: suppress by host
* Bug #1390: suricatasc returns empty iface-stat.pkts in IPS nfqueue mode
* Bug #1399: Flowbits rules not always evaluated in necessary order
* Bug #1412: byte_test checks before byte_extract happens in some cases
* Feature #1469: Use ISO 8601 date/time formats
* Bug #1484: Remove BUG_ON(1) statements in the packet path
* Feature #1489: Log a message when memcap limit is reached
* Feature #1504: lua: better notification in verbose mode on script errors
* Feature #1505: lua: show lua scripts during rule (re)loading
* Bug #1526: Malformed encoded base64 packet in json logs
* Feature #1541: multi-detect - vlan range mapping
* Bug #1549: flow keywords rule parsing
* Bug #1560: Newline in certificate subject name results in premature line break in TLS log
* Feature #1566: ICMPv4 control channel detection
* Feature #1571: Socket permissions setting in suricata.yaml
* Feature #1590: lua: force file magic and md5 lookup from script
* Bug #1593: Negative within error - works in snort
* Optimization #1595: Suricata starts in known conditions of no data
* Feature #1608: Add option to disable JSON escape slash
* Feature #1662: Disable action / rule ordering option
* Documentation #1691: Docs: Convert windows docs
* Feature #1710: Unix socket: Send output to unix socket
* Feature #1712: multitenancy: 'lite' tenants
* Optimization #1718: Time stamp in Log files should be ISO 8601 format
* Bug #1722: ip rules don't trigger under the context of 'flow:stateless'
* Bug #1738: [ERRCODE: SC_ERR_MEM_ALLOC<1>] - Can not allocate fingerprint string - Suricata 2.0.11-1
* Feature #1741: flow: use capture methods flow hash
* Optimization #1749: Log PACKET_DROP in inline mode for invalid states as well
* Feature #1750: Set Suricata to listen to all network interfaces when using AF_PACKET
* Feature #1752: Netmap for Windows
* Bug #1754: Inconsistent behavior with 'only_stream' flow keyword
* Feature #1766: TLS keyword expansion
* Feature #1767: Support DTLS protocol
* Bug #1770: Suricata takes very long time to start using hyperscan and large/custom detect settings
* Bug #1772: Inconsistent number of alerts while reading a pcap - runmode single/autofp,unix-socket
* Bug #1782: Unknown TLS subject attributes
* Feature #1783: Create Suricata buffers to expose L2, L3, and L4 headers to Lua scripts
* Feature #1794: test suricata rules over unix-socket
* Feature #1799: netmap: capture drop stats
* Bug #1833: Transaction can be logged before stream reassembly and parsing are complete
* Bug #1838: suricata 3.0* and 3.1 hang after heavy traffic w/ pfring zc (reproducible)
* Feature #1872: add --list-decoder-protos or similar
* Bug #1881: pcap logging out of order
* Documentation #1892: rule docs should include example rules
* Feature #1899: Detecting Malicious TCP Network Flows Based on Benford’s Law
* Bug #1911: Commandline provided configuration values don't persist after initial startup
* Bug #1918: Incorrect packet stats in pcap and pf_ring capture modes
* Bug #1922: runmodes: memory leaks
* Feature #1939: Introduce packet/byte counter in stats.log/json for local bypass
* Feature #1950: allow configuration of file-store types
* Feature #1954: runtime option/flag to disable hardware timestamp support
* Feature #1956: Add option to re-initialise Lua output scripts
* Documentation #1974: DNP3: document lua support
* Bug #1976: ioctl warnings at startup and shutdown with dropped privileges
* Feature #1977: get the os info from TCP HTTP fingerprint
* Bug #1981: luajit states fail to run with valgrind
* Feature #1995: fast.log should show if packet has been dropped or rejected
* Bug #2013: failure of TCP after DOS attack
* Documentation #2016: doc: improve keywords self documentation
* Feature #2021: doc: sha256 filesum extraction missing in documentation
* Bug #2042: Difference protocol of MD5 rule will restart Suricata automatically
* Feature #2055: Optionally logging on files.json - Not log every file, only certain files that are stored and extracted
* Bug #2056: missing warning on a rule using within with one content keyword
* Bug #2069: logging: payload may not represent the traffic that generated the alert (eve and unified2)
* Bug #2091: nonexistent/misspelled custom fields accepted during parsing of suricata.yaml
* Feature #2092: Improved support for xbits/hostbits - workers runmode
* Bug #2094: luajit: SCFlowvarGet always returns null
* Feature #2107: eve: rotate log output based on size
* Feature #2115: Changing interfaces
* Feature #2145: Relate directly flowid with certificate file
* Feature #2147: fileinfo: sha1 hash not logged if state == TRUNCATED
* Feature #2166: output: log only triggering buffers
* Task #2167: tracking: eve enhancements
* Feature #2174: Need a special keyword and functionality for ip address extraction from a content (html body for ex.) and comparing it to src,dst_ip/EXTERNAL,HOME_NET
* Feature #2198: Extend the DNS parser to accept dns_response keyword in signatures
* Feature #2213: file matching: allow generic file matching / store
* Bug #2220: When running on a single-CPU machine, pcap processing takes a long time
* Bug #2221: Suricata batch processing slowed down by 0.2s intervals
* Feature #2227: more detailed output about number of threads created
* Feature #2232: Allow Large value in suricata.yaml file
* Feature #2233: Allow log for payload and packet only for defined sid
* Bug #2249: rule with file keyword used with ip or tcp not seen as invalid
* Bug #2257: rate_filter doesn't honor "timeout" if it is longer than "seconds" parameter
* Feature #2262: Unix Socket Output Configurable Retries and Blocking
* Documentation #2266: no documentation for file-store-waldo
* Feature #2269: TLS: tls.version: allow negation or comparison
* Feature #2273: engine analysis: enable analysis by default during startup
* Feature #2277: netinfo: structured information about the network. Output hierarchical network tree in events
* Task #2278: tracking: failing better
* Feature #2281: tcp stream: simpler IDS handling of overlap evasions
* Bug #2289: af-packet bpf filtering failed to select multiple vlan
* Feature #2291: traffic-id: ruleset for traffic classification and bypass
* Bug #2296: Unix Manager Should Not Use Conf Functions to Pass Information to source-pcap-file
* Feature #2301: netflow: dump records at interval
* Bug #2305: unified2 alerts not including xff ips using extra-data mode
* Feature #2308: threshold/suppress by http_host
* Feature #2310: lua: expose xbits
* Task #2313: tracking: save & restore state when suricata restarts
* Feature #2316: global memcap
* Optimization #2317: rcu
* Optimization #2321: yaml: clean up usage of lists
* Bug #2337: give warning if permissions won't allow log reopen after dropping privs
* Feature #2342: Write PCAP files directly to Unix Socket
* Feature #2343: Add "flush" command to unix socket
* Bug #2351: Suricata with alert-prelude option sending only one IDMEF message (not more).
* Bug #2358: Inconsistent DNS/flows extracted from pcap
* Feature #2371: list all available/exposed fields to lua
* Bug #2373: unix domain socket owner stays root when privileges dropped
* Bug #2378: log rotation 'flag' should be atomic
* Feature #2380: [discussion] deprecate: 'alert syslog' output
* Bug #2393: One way TLS traffic not properly identified
* Documentation #2404: Windows Installation Guide for Suricata bug
* Feature #2409: Push signatures without reloading the entire set.
* Feature #2410: Create a reset counter and track maximum number of parallel flows
* Bug #2412: Suricatasc isn't showing or allowing pcap file continuous option
* Bug #2413: Pcap Interrupt Keeps Pcap File Processing Interrupted
* Bug #2423: Suricata 4.0.3 and Napatech crashing
* Bug #2424: suri->userid (SCInstance) does not reflect correct uid if suricata is started as non-root
* Feature #2426: tls: extend logging
* Bug #2429: TCP-session and wrong alert timestamp
* Bug #2434: memleak - possible/definite memleaks reported for libnss3 and pthread_create
* Optimization #2460: Reduce timeout in unix-socket when multiple pcaps are enqueued
* Bug #2462: memleak: gitmaster json dns logger - 4.1.0-dev (rev efdc592)
* Documentation #2470: document content inspection in chunks
* Bug #2477: 802.1ah & Untagged Traffic
* Bug #2478: PCAP logging does not include 802.1q header when using af-packet
* Bug #2479: http_cookie negation fails if no cookie in traffic
* Feature #2487: Buffers for field/value pairs in http_uri and http_client_body
* Feature #2488: HTML Parsing / Buffers
* Bug #2494: Invalid Base64 payload for filemd5 alerts
* Bug #2500: stored will always equal false in fileinfo events
* Feature #2513: Suricata read the SSLProxy header
* Feature #2519: XFF iprep support
* Feature #2538: dsize keyword improvements
* Feature #2569: multi-tenancy: allow mapping to 'device pair' in IPS mode
* Bug #2581: content match fails on large streams
* Optimization #2582: document flags keyword
* Optimization #2584: document tag keyword
* Documentation #2585: document replace keyword
* Optimization #2586: document flowvar keyword
* Optimization #2587: document pktvar keyword
* Documentation #2588: document hostbits keyword
* Documentation #2589: document decode-event
* Optimization #2590: document nfq_set_mark keyword
* Optimization #2593: document pkt_data keyword
* Optimization #2594: document dce keywords
* Optimization #2595: document asn1 keyword
* Optimization #2596: document engine-event keyword
* Optimization #2597: document stream-event keyword
* Optimization #2598: document l3_proto keyword
* Optimization #2599: document base64 keywords
* Feature #2613: stats: add xdp counters to stats
* Bug #2614: filemagic: pdf filemagic match
* Bug #2623: Missing http.status information in eve.log according to tcp packets.
* Bug #2627: lua: load script from same location as rule file if not in default rule location
* Feature #2628: Specify the flow direction in metadata sent by Suricata.
* Feature #2648: store captured data into file
* Bug #2656: Alerts not triggered under some conditions on traffic containing rule matches
* Feature #2661: output the http-body-data to eve.json
* Feature #2672: Split out DHCP parser to be reusable
* Feature #2673: Split out DNS parser to be reusable
* Feature #2674: Split out NFS parser to be reusable
* Feature #2675: Split out SMB parser to be reusable
* Bug #2680: eve output filetype:unix_dgram does not start a socket
* Feature #2681: Reloading of categories file, IP reputation list during rule live reload
* Task #2685: SuriCon 2018 brainstorm
* Optimization #2687: current suricata.yaml is missing rotate-interval "example"
* Documentation #2699: document all eve record types and fields
* Feature #2700: ja3/ja3s functionality for IKEv2
* Feature #2701: flow: counter for allocations at runtime
* Bug #2712: long wait time on exit - pcap read - unable to get all packet threads to process their packets in time
* Feature #2713: protocol detection w/o protocol parsing
* Bug #2718: pkts/drops counters discrepancy
* Optimization #2725: stream/packet on wrong thread
* Feature #2727: DCERPC UID to name mapping
* Bug #2739: Incorrect detection of the jit support of libpcre
* Feature #2746: Use Available Instruction Set Specialization (AVX2 and AVX512) in Hyperscan when available
* Optimization #2750: document nfs-keywords
* Feature #2755: vendor id / vid keyword to give rulesets unique sid ranges
* Feature #2756: rules: input in json format
* Task #2757: improve protocol detection
* Feature #2759: iprep: more granularity
* Bug #2763: different number of events on exact same runs with asan and no asan builds
* Feature #2764: dns logging v1 vs v2
* Feature #2767: Interception of network stack attacks
* Feature #2771: MPLS over Vlan support
* Feature #2772: Add MPLS labels to alert output
* Task #2778: tracking: port app-layer parsers to Rust
* Optimization #2780: Convert DNP3 from C to Rust
* Optimization #2781: Convert ENIP from C to Rust
* Bug #2807: DNS LUA Logging does not have any way to log NXDOMAIN
* Bug #2814: suricatasc: hangs indefinitely and uses too much processing for pcap-file-continuous command
* Bug #2815: race condition during file-magic initialization
* Feature #2818: Napatech Bypass support
* Feature #2858: app-layer-protocol:failed; doesn't match traffic with ALPROTO_UNKNOWN
* Feature #2860: Suricata doesn't detect part of IKEv2 traffic
* Bug #2861: Suricata rule sid:2224005 SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman) does not work
* Feature #2871: lua: Exposing byte extract to script
* Bug #2891: Empty rrname in DNS answer for non-recurse NS answers
* Bug #2918: Unable to mmap, error Resource temporarily unavailable - err seems OS specific
* Feature #2925: Support for SPB encapsulation
* Bug #2928: alerts on icmp signatures in 4.0.x and 4.1.x
* Feature #2931: Perform privdrop without libcap-ng support
* Feature #2932: add batman-adv decode support
* Bug #2933: Suricata 4.1.3 block flow
* Bug #2934: VLAN tags stripped when saving pcap log
* Feature #2935: Support for multiple-logger for drop eve-log
* Feature #2939: Suricata enhancements - proposals
* Bug #2954: Strange interaction with afpacket - high CPU usage and no packet processing
* Feature #2957: Suricata x Moloch - protocol detection. Proposals for TLS/SSL
* Bug #2960: valgrind gives 'Conditional jump or move depends on uninitialised value(s)'
* Feature #2962: eve: log more IKEv2 fields
* Bug #2973: the flow after match the rules
* Task #2975: convert unittests to new FAIL/PASS API
* Documentation #2976: review userguide from beginner's point of view
* Bug #2978: IRC traffic parsed by FTP
* Optimization #2979: replace mime decoder with rust based implementation
* Feature #2987: Suggestions for new keywords (streambits)
* Bug #2988: redis fails sometimes to reload rules to suricata; restart of redis fixes
* Feature #2996: Extend decode events and rules
* Support #2998: Rules Reload doesn't work properly
* Task #3016: No documentation for "endswith" keyword
* Documentation #3018: No documentation for "flowvar" keyword
* Documentation #3019: No documentation for "pktvar" keyword
* Documentation #3022: No documentation for "nfq_set_mark" keyword
* Documentation #3023: No documentation for "bsize" keyword
* Documentation #3025: Missing docs for "http." keywords
* Bug #3026: Windows MSI - add in service scripts
* Documentation #3027: No documentation for "nfs" keywords
* Documentation #3028: No documentation for "pkt_data" keyword
* Documentation #3031: No documentation for "asn1" keyword
* Documentation #3032: No documentation for "engine-event" keyword
* Documentation #3033: No documentation for "stream-event" keyword
* Documentation #3034: No documentation for "l3_proto" keyword
* Documentation #3035: No docs for "base64_" keywords
* Documentation #3036: No documentation for "template2" keyword
* Support #3037: The rules detect order
* Bug #3040: pcap: with -r pcap_open_offline failure does not lead to non-zero exit code
* Bug #3041: snmp parsing error message
* Feature #3042: stats: allow per second stats updates
* Documentation #3046: Document each default value from the config file
* Bug #3049: thread hangs in pfring mode
* Bug #3065: tls_cert_XX keywords date format parsing error
* Bug #3066: No documentation for hostbits
* Bug #3071: coverity warning in tls wrt tainted scalars
* Bug #3075: RX thread hang in pcap-file mode
* Bug #3083: DROP rule with "noalert"
* Bug #3087: Prelude output IDMEF message issue
* Bug #3093: FTP logging needs suricata-verify tests
* Bug #3095: default log dir not always honored - git master
* Bug #3097: build for eBPF programs needs a way to specify Linux header location
* Feature #3105: Add kafka output
* Bug #3117: multiple valgrind reported warnings - 5.0.0-dev (9e126b210 2019-08-07)
* Optimization #3127: Unable to set XDP on 'ens2f0': Invalid argument (-22) - Mellanox cards and Intel cards with jumbo frames
* Bug #3146: scan-build warning for asn1 parser
* Bug #3179: http_header_names not generating alerts
* Documentation #3180: tracking: document all decoder and app-layer events
* Documentation #3181: document http engine events
* Bug #3191: When running suricata with pf_ring zc mode, suricata did not try to connect to redis.
* Task #3195: tracking: rustify all input
* Optimization #3206: improve int handling
* Feature #3212: Prevent duplicate pcaps from being re-processed
* Optimization #3213: improve rule parsing warnings
* Bug #3220: ssl_version keyword negation (!) not working
* Bug #3221: EBPFDeleteKey -- ERRCODE: SC_ERR_SYSCALL(50)
* Documentation #3222: Configuring ipv6
* Bug #3229: Abnormal traffic produces unexpected alerts for traffic that is opposite direction of rule
* Bug #3238: rust compile fail on ppc64el
* Feature #3244: IMAP Support
* Feature #3245: Email extraction to separate folder
* Feature #3246: Logging of Email body
* Bug #3257: Lua PANIC: unprotected error in call to Lua API (stack overflow)
* Bug #3258: VXLAN exceeds MTU maximum
* Feature #3260: SMTP Base64 Decoding of Message Body
* Feature #3261: SMTP quoted-printable Decoding of Message Body
* Documentation #3268: Add links to additional information at the wiki to the userguide
* Feature #3271: Add keyword to determine flow based speed/bw
* Documentation #3274: doc: some inconsistency between http docs keywords description
* Task #3288: Suricon 2019 brainstorm
* Feature #3290: use config vars everywhere
* Task #3291: collect common mistakes rulewriters might run into
* Task #3294: Test the maximum size for messages passed to the unix socket
* Feature #3295: Unix socket: support to receive flow shunting information
* Feature #3296: Include in the fileinfo if it was a duplicate
* Feature #3298: Create a config flag in the DNS logger to limit events to only the ones in the custom field
* Task #3299: tracking: Add support for industrial protocol
* Task #3300: tracking: Add support for medical protocols
* Task #3301: Research: Failover support within the current IPS implementation
* Task #3302: Research: ruleset optimizations
* Documentation #3303: Add documentation about the used sid and gid ranges
* Optimization #3304: generic way to register buffers for logging and detection
* Optimization #3305: Tracking ticket: which parts of the engine should be dynamic
* Task #3307: Research: evaluate future of lua support in Suricata
* Bug #3309: xdp: some bypass stats/counters do not update properly
* Feature #3310: ease suricata configuration with xdp
* Feature #3311: Add better default suricata configuration for different traffic sizes and cpu/system architectures
* Documentation #3313: Document 40Gbps IPS set up
* Optimization #3314: rust: integrate log crate with suricata logging
* Feature #3316: Unix socket: support dumping flow table
* Feature #3317: rules: use rust for tokenizing rules
* Task #3318: Research: NUMA awareness
* Feature #3319: on 'wrong thread' reinject packets to correct thread
* Feature #3321: Evaluate different encoders for eve-log
* Optimization #3322: Use standard CRC32 for hash-like functions
* Bug #3323: tracking: ipv6 evasions
* Task #3329: Research: WASM as a Lua alternative and for dynamically loadable modules
* Feature #3333: Research: Unwind panics from Rust modules
* Bug #3336: Suricata compilation on windows / mingw
* Optimization #3337: Python is assumed to be installed in the same --prefix as suricata
* Feature #3338: vxlan: log vni in eve
* Bug #3348: Possible detection issue with VXLAN parser
* Bug #3349: Suricata 5.0 crashes during rule reload
* Bug #3353: xdp_filter segmentation fault util-ebpf.c:728
* Bug #3354: eve-log dns (possibly others) alerts miss metadata for all but first packet
* Bug #3358: bypass_filter AFPBypassCallback Segmentation Fault
* Bug #3359: suricata.log ownership not being set to run-as user/group
* Bug #3370: Suricata 5.0.0 Crashes Intermittently
* Bug #3371: 'suricatasc -c conf-get ...' returns outdated values after reloading suricata
* Feature #3373: add init service file example script for Debian/Ubuntu
* Bug #3374: Windows: Suricata does not warn upon insufficient permissions
* Feature #3383: nflog: use mnl api
* Task #3392: Tracking: protocol detection evasions
* Feature #3439: bpf-filter does not accept path/file
* Feature #3454: Add support to communicate with other networking products
* Bug #3480: EVE JSON - Incorrect Packet Logged
* Bug #3493: installed libhiredis includes/libs not found by configure script
* Feature #3494: rules: Keyword for determining if the http_host is an ip address
* Feature #3503: decoders: handle trailing data
* Optimization #3544: Have small signature match context without allocation
* Feature #3548: Support GTP (GPRS Tunnelling Protocol).
* Task #3553: Tracking: enable GAP recovery for all TCP app-layer protocols
* Task #3554: modbus: support GAP recovery
* Task #3555: DNP3: support GAP recovery
* Task #3556: dns: improve GAP recovery
* Task #3557: ftp: support GAP recovery
* Task #3558: smtp: support GAP recovery
* Task #3560: ssl/tls: support GAP recovery
* Task #3561: krb5: support GAP recovery
* Task #3562: rdp: support GAP recovery
* Task #3563: rfb: support GAP recovery
* Bug #3617: Missing icmp netflow
* Feature #3629: Publish the Suricata support Python libraries to PyPI (make pip installable)
* Feature #3663: DNS: Parse and extract DNS NULL records
* Feature #3675: Testimony support
* Bug #3681: Rule reload causes segfault
* Feature #3688: Re-implement fast_pattern:only; in some way
* Bug #3692: delta calculations come up negative
* Bug #3698: Incorrect max length of windivert filter
* Bug #3702: windows: when compiled against latest npcap, traffic not seen unless bpf is used
* Bug #3705: VarNameStoreLookupById: Assertion `!(current == ((void *)0))'
* Bug #3728: ftp file extraction failure
* Bug #3746: bsize needs to err upon non possible matching conditions (4.1.x)
* Documentation #3748: Add documentation for flags keyword
* Documentation #3751: Alert metadata JSON configs in suricata.yaml.in should match the RTD documentation
* Documentation #3762: update documentation for user modes
* Task #3768: research: investigate branch prediction vs likely/unlikely macros
* Bug #3771: Extreme performance degradation when doing IP-only rules with flow-keyword
* Optimization #3797: Filestore Setup Excess Directory Slash
* Bug #3800: Netronome XDP mode: Unable to find 'cpus_count' map
* Bug #3801: Problem hardware bypassing with Netronome
* Task #3803: Research: use nom-derive
* Bug #3809: Thresholding file-store rule with flowbits saves empty file to disk
* Task #3828: pfring support: remove in favor of (externally maintained) plugin
* Optimization #3829: pcap source: Counters, counters and... counters
* Optimization #3830: pcap source: PcapThreadVars and cache lines
* Bug #3834: Suricata 'content' keyword does not match on IP *payload* when using IP keywords
* Task #3837: Investigate clang-tidy usage to enforce coding standards
* Feature #3845: Threshold Hit Counter (for SID/IP)
* Feature #3848: Keep a Reference to Matched Items in Suricata Datasets for Rule-Writing
* Feature #3849: Extend Suricata Datasets to Datamaps with Keys and Values
* Task #3852: Ability to build with sanitizers
* Bug #3873: NET_RAW capability dropped for NFQ mode when uid/gid is specified
* Feature #3875: Support multiple XFF
* Bug #3889: Support interfaces with MTU > 1500
* Feature #3894: Option "ttl" exclusive range behavior is non-intuitive
* Bug #3900: After a completed rule reload, Suricata sometimes is stuck for 1h with `rs_nfs_state_get_tx` peak
* Feature #3950: Suricata bash completion
* Feature #3953: 8021BR E packet decoder
* Feature #3954: Optimize handling of encapsulation in cloud deployment
* Feature #3959: Python tool to take ip rules and convert into iprep rule(s)
* Feature #3960: Python tool to simulate GAP testing
* Bug #3986: suricata -r not working for sshfs-mounted folder but working for sshfs-mounted file
* Bug #3990: suricata -r not working for symbolic link linking to pcap in different folder but working for symbolic link linking to pcap within same folder
* Bug #4016: filesize with filestore stores empty files
* Task #4022: Convert unittests to new FAIL/PASS API - detect-engine-address-ipv4.c
* Task #4023: Convert unittests to new FAIL/PASS API: detect-engine-address-ipv6.c
* Bug #4063: rdata field not included in DNS log for NS rrtype
* Feature #4070: capture plugins: receive notification when suricata is done with a packet
* Bug #4081: ICMP IPv6 signature not matching when source contains ! condition with IPv4 addresses only
* Bug #4087: excessive CPU usage on Windows with --pcap-file-continuous option
* Feature #4093: Extend stats log to print packet and byte rate on protocols
* Task #4095: tracking: unify rule keyword value parsing
* Task #4097: Suricon 2020 brainstorm
* Task #4101: tracking: plugins
* Bug #4107: Coredump with async-oneside: true enabled in suricata.yaml.
* Bug #4108: Rule reloading: Rules that change the action from alert to drop, or drop to alert don't have their action updated.
* Feature #4123: Research: handle different flow tuples in TLS decrypt
* Feature #4138: A stable flow ID for dump/restore of state as well as state synchronization
* Task #4146: Research: Hand off packet streams on alerts
* Feature #4147: Map rules to MITRE ATT&CK
* Feature #4148: Research: SSH Support for additional protocol analysis
* Feature #4149: Research: Dynamic datasets
* Feature #4150: Profiling mode: Ticks used to generate an alert available?
* Task #4151: Research: New protocol support
* Feature #4159: Log flow age as fractional value
* Feature #4162: rules: entropy rule keyword
* Feature #4172: Split eve.json into multiple files based on alert severity
* Feature #4175: dcerpc: higher level logging
* Bug #4178: DNS Query triggers alert but no output in alert-debug.log
* Feature #4179: tunnel-Node for flow, netflow and dns-events in eve.json
* Bug #4183: Timestamps sometimes off by 2 hours on Windows
* Bug #4186: error when cpu cores > 64 (using pf-ring)
* Bug #4200: Flows not deleted in bpf ipv4_maps
* Feature #4213: smb: higher level logging
* Bug #4214: Honor vlan: use-for-tracking in ebpf maps
* Feature #4217: incomplete command start line does not produce an explicit enough warning or message
* Bug #4223: rule loading takes too much time in certain cases
* Feature #4227: breakout components of tls.cert_subject and tls.cert_issuer into additional "sub" buffers
* Optimization #4234: Filemagic logging puts big pressure on performance
* Feature #4242: config: support predefined default configuration profiles
* Bug #4248: Suricata HTTP protocol resolves hostname exception
* Feature #4249: SS7 Protocol Support
* Feature #4250: Diameter Protocol Support
* Task #4251: protocol: SCTP support
* Task #4252: SCTP: session tracking
* Bug #4265: QA lab: add possibility to do repeatable replay tests
* Feature #4270: load rules from database
* Feature #4279: Optionally allow hashing truncated files, and a maximum length to hash
* Bug #4286: FN occurs when using negated isdataat with http_cookie keyword
* Optimization #4318: app-layer: "close" all txs if protocol reaches error state
* Feature #4325: xdp compile warnings on 5.4 kernels
* Bug #4330: file hash parameter in yaml accepts non valid values
* Feature #4333: Include the ‘short name’ from classification.config in the all-eve.log
* Bug #4356: Napatech memory leaks
* Bug #4357: Napatech memory corruption
* Bug #4370: the latest release of Suricata V6.0.1 for Windows uses high CPU
* Task #4380: tracking: improvements to bits, ints, vars
* Feature #4381: flowbits: warn if flowbit dependencies don't follow suricata inspection order
* Bug #4391: Explicit path for datasets load/save in a rule is not honored if the default log path is different
* Feature #4398: support regex match and flowvars as keywords value
* Feature #4408: definitive log count mode for qa purposes
* Bug #4426: XDP redirect cpu likely broken in 5.9
* Task #4431: libsuricata: Example showing libsuricata as a replacement for libnids (network grep)
* Task #4432: libsuricata: Wireshark plugin as an example
* Bug #4499: Sudden and enormous memory leak
* Bug #4520: Suricata 6.0.2 segfault NFQ
* Feature #4547: pcrexform does not support tcp and other protocols
* Bug #4553: Configuration test mode succeeds when reference.config file contains invalid content
* Feature #4559: Tags for rules that enable mapping to Mitre Att&ck
* Feature #4573: add IPS drop total to eve log output
* Bug #4583: xdp: libbpf xdp filter segfault with latest libbpf code
* Task #4589: threading: debug validate mutexes with PTHREAD_MUTEX_ERRORCHECK
* Feature #4617: Add ThreatFox (by Abuse.ch) to suricata ruleset index
* Feature #4649: Autonomous System Number (ASN) support similar to GeoIP
* Optimization #4651: malloc / memory handling improvement
* Bug #4655: Dataset dumping to disk seems limited to 1000
* Bug #4657: SSLv2 app-layer detection patterns incorrectly registered
* Documentation #4662: Add documentation section covering Suricata rule grammar
* Bug #4669: threatexpert usage in reference.config
* Task #4682: tracking: clean up globals and thread locals
* Task #4684: libsuricata: define global context types for instance and per thread storage
* Documentation #4706: Guide for rulewriting
* Task #4714: Improve unittests coverage for Suricata's application layers rust nom parsers
* Bug #4715: pcre keyword causes more alerts!
* Task #4735: tracking: ubsan clean
* Bug #4736: ubsan: misaligned memory loads
* Bug #4740: libnet error with reject action on pfSense
* Documentation #4743: Improve Suricata code documentation (C files)
* Bug #4755: eve: timestamp loses sub-second precision in some arm scenarios
* Feature #4758: dns: weird query should have app-layer-event?
* Task #4762: Suricon 2021 brainstorm
* Task #4763: tracking: Suricon brainstorms
* Documentation #4768: DNS v2 EVE no longer contains `dns.rdata` but it is still listed in the documentation
* Feature #4770: eve: specialized output for ML on packet sizes and similar properties
* Task #4772: tracking: parity between fields logged and fields available for detection
* Feature #4774: rules: analysis output that shows rules per 'progress' value
* Feature #4775: lua: overhaul lua support
* Task #4780: tracking config: configuration usability improvements
* Feature #4781: config: add command to dump built-in config defaults
* Feature #4782: config: add command to dump all active settings
* Optimization #4809: stats: human readable sizes in the stats.log
* Optimization #4813: stream: reset stream-depth if parser reaches error state
* Feature #4840: stats: distinguish between observational stats and performance stats
* Task #4841: tracking: research evasions wrt malformed IP and TCP options
* Bug #4843: IPv6 evasion: dos mld chiron
* Bug #4844: IPv6 evasion: redir6
* Bug #4845: IPv6 evasion: parasite6 + dos new ipv6 + fake mldrouter6 advertise
* Bug #4846: IPv6 evasion: flood + ndpexhaust26
* Task #4865: rust/smb/*: add unit tests
* Task #4867: rust/src/ike/*: add unit tests
* Task #4868: rust/src/krb/*: add unit tests
* Task #4869: rust/src/snmp/*: add unit tests
* Task #4871: tracking: implement frames for all parsers
* Bug #4874: FN when using stream_size with http proto and buffers
* Bug #4875: FN when using flowbits and ftp protocol.
* Bug #4880: hostbits/xbits: treat hostbits and xbits differently in the rule ordering stage * Task #4911: tracking: detect: cleanup tests * Bug #4914: FLOW_DIR_REVERSED is not handled in multiple places * Bug #4916: af-packet: Sending packet failed on socket 20: Message too long * Bug #4940: ftp-data: protocol misclassification if the file begins with a protocol pattern * Feature #4951: decode: datalink type 276 not yet supported * Feature #4976: frames: implement/complete profiling support * Feature #4982: frames: selective frame logging * Feature #4985: quic: support frames * Feature #4988: frames: logging improvements * Feature #4989: eve/alert: make frame logging configurable * Bug #5012: Remove duplicate definition of constants between C and Rust * Bug #5013: fast pattern discrepancy when using engine-analysis * Feature #5014: Enable suricatasc to use configured command socket by default * Documentation #5030: Documentation bugs for endswith, distance, within * Feature #5051: output/frames: allow tx logging to reference frames * Task #5052: unittest: create test for checking all app_proto registrations * Bug #5064: frames: duplicate alerts when no flow direction provided * Feature #5067: smb/dcerpc: Match dcerpc (over smb) requests before bind_ack * Documentation #5068: nfs: document rule keyword * Feature #5069: smb: keyword for matching smb command * Bug #5071: Suricata RAM usage never decreasing * Bug #5072: detect/ip_proto: inconsistent behavior when specifying protocol by string * Task #5074: rules: structured rule input * Optimization #5083: Proposal: new and compact rule parser for Suricata in Rust * Bug #5087: smb: file.name sticky buffer doesn't match all smb files * Optimization #5089: unifiy address range parsing * Feature #5128: Light weight packet profiling * Bug #5133: DCERPC: master - logs not created * Bug #5134: DCERPC: dcerpc.iface keyword not using fast pattern/mpm causes severe performance degradation * Bug #5135: DCERPC: dcerpc.iface 
keyword alert results differ from 5 vs 6/master * Bug #5140: nfs: NFS3/NFS2 procedure conflict * Feature #5152: Anomaly: CredSSP support addition to Suricata anomaly parsing * Bug #5160: smb: Misguiding keyword smb.named_pipe * Bug #5172: Napatech stream mismanagement following non-transient error * Bug #5176: False positive when negated content is far ahead of matching content. * Documentation #5182: userguide: better document rule keywords * Task #5195: tracking: give more insight into detection pipeline * Bug #5199: Setting flow memcap too low tries to allocate the whole system memory * Bug #5204: Memory leak caused by ippair processing * Feature #5206: Buffer Dump Utility * Feature #5209: Add "status" mode to Suricata's socket command interface * Documentation #5225: testing/fuzz: improve documentation on how to fuzz suricata * Feature #5245: allow fast_pattern on base64_data strings * Feature #5247: Applayer Detect protocol only one direction : RTSP protocol * Bug #5255: Reported pcap_filename in alerts are not correct * Task #5257: ci: cargo audit job * Bug #5263: Flow is stuck if there is no traffic * Bug #5264: random value for ja3 and ja3s hashes during the next scan * Documentation #5267: Meaning of insert_list_fail counter * Bug #5290: pip install failure * Bug #5292: cppcheck: "portability" warnings: using void pointers in calculations * Bug #5293: cppcheck: "portability" warnings: non thread-safe functions * Bug #5332: Smb2 can not store files! 
* Documentation #5359: userguide: improve documentation on (main) EVE fields * Bug #5363: Memory leak in rust SMB file tracker * Feature #5365: Limit rust 'filetracker' memory in configuration * Documentation #5367: byte_test: all examples in doc missing a required argument * Feature #5372: Add support for encrypted traffic analysis * Feature #5405: Make suricata point to where to report a bug * Bug #5406: HTTP Req and resp correlation incorrect * Bug #5407: suricatasc runtime error * Bug #5432: events: PACKET_RECYCLE does not reset event_last_logged (5.0.x backport) * Task #5433: tracking: reduce number of public data structures * Optimization #5434: app-layer: fix AppLayerParserGetTx (and friends) param confusion posibilities * Feature #5440: multiple stats EVE logs with different intervals * Feature #5450: Rule keyword for non midstream flows * Bug #5451: Non-Deterministic Behavior with HTTPS Checksum Verification * Task #5460: eol: include EOL dates in a per branch file in the repo * Feature #5461: eve: Use threaded output by default * Bug #5462: IPS bridge mode -- warn/error if there's an IP address associated with any monitoring interface * Feature #5469: rules: expose per flow stream.midstream setting to the rule language * Feature #5470: reject: allow reject dev to be specified in the yaml * Bug #5480: Cannot compile Suricata 6.0.6 with PF_RING support * Documentation #5484: userguide: explain content modifiers usage with regards to position usage in the rule * Documentation #5487: userguide: add explanation on how depth of inspection affects rules * Task #5488: Suricon 2022 brainstorm * Bug #5490: Applayer Detect protocol only one direction - NFS * Bug #5492: Applayer Detect protocol only one direction - Kerberos * Feature #5499: PCAP-over-IP client * Bug #5502: Suricata hangs and then exits when the first PCAP processed has 0 packets * Documentation #5514: userguide: document exception policy from an extreme profiling and tuning perspective * Bug #5520: 
If alert status code is 200, some fields are missing * Optimization #5522: decode: optional optimized tunnel packet handling * Documentation #5523: userguide: document the tcp-stream keyword * Documentation #5537: devguide: add section/chapter about how [capture] bypassing works for Suricata * Optimization #5545: prefilter keyword: increase code coverage * Bug #5562: rule_perf.log with multiple sort orders is invalid JSON * Optimization #5583: output: iface shortening more compact * Documentation #5591: devguide: bring section about OpenBSD Installation from git into devguide * Task #5593: tunnel: review locking logic * Task #5611: tracking: counters: improve efficiency of stats tracking * Task #5613: counters: reduce size of data structure * Task #5614: counters: compress id space in a thread * Task #5615: counters: avoid duplicate work * Feature #5618: setup-app-layer: add option to choose TCP/UDP protocol * Documentation #5620: doc: add vectorscan instructions * Feature #5639: Allow dataset to match on extracted domain * Feature #5641: dns: frame based keywords for "raw" fields in requests and responses * Optimization #5643: pcap: rule based conditional pcap logging * Task #5645: tracking: elephant flow detection * Feature #5648: flowworker: heuristic to see how busy a thread is with elephant flows * Feature #5649: eve.flow: add thread id(s) processing a flow to the record * Feature #5650: unix socket: query threads about most recent elephant flows * Bug #5652: af-packet: remove emergency flush from yaml * Feature #5655: host: make memuse and memcap reached counters for host table * Bug #5656: rules: engine analysis gives false positive warning * Feature #5657: byte_test: allow comparison with static value * Documentation #5660: userguide: add (more) documentation for the GRE protocol * Documentation #5662: Review/Update Hyperscan Documentation * Task #5666: rules: help to visualize how a Suricata rule matches (different contents/offsets) * Feature #5668: eve: 
optionally add rule fast_pattern * Documentation #5669: Better link together the bits keywords * Feature #5670: Support wide strings somehow * Optimization #5671: Better way to decide on flows memcap and timeouts * Feature #5673: capture: option to decapsulate everything first * Feature #5674: Support layered protocols * Feature #5675: protocol: MMS SCADA support * Feature #5676: ASN1 Spec to Rust nom generator * Feature #5677: protocol: BGP support * Task #5678: tracking: Parse protocols that are not over TCP/UDP * Optimization #5679: tracking: useful log output * Optimization #5680: eve-log: reduce duplication of info * Feature #5681: datasets: add more transform layers to match on domains * Task #5685: tracking: active directory protocols support * Feature #5687: eve: "auth" and/or "auth_fail" log * Feature #5705: Add Wireguard parser * Bug #5711: runmodes: Suricata does not hint anything about missing runmode * Bug #5713: TLSv1 not logged into tls events. * Feature #5716: rdp: add app-layer frame support * Bug #5721: http2: logging settings do not match what is seen in the RFC * Documentation #5724: Why does reject-dev option work only in Sniff Mode * Feature #5727: krb: add frame support * Feature #5728: modbus: add frame support * Feature #5729: bittorrent-dht: add frame support * Feature #5730: dhcp: add frame support * Feature #5732: ntp: add frame support * Feature #5733: snmp: add frame support * Feature #5737: smtp body extract * Bug #5739: htp: handle alloc failure for user data * Feature #5745: exceptions: allow setting via unix-socket * Bug #5748: iprep/ipv6: memory leak on same input in different forms * Bug #5750: Spurious "SURICATA DNP3 Length too small" error and failed reassembly * Bug #5751: DNP3 preprocessor incorrectly parses READ requests * Feature #5752: Proposed new DNP3 keywords and operators * Bug #5754: I use the file-extraction to store the files transferred by HTTP2, but fileinfo does not have the filename field. 
* Optimization #5755: datasets: ipv4.src/dst, ip.src/dst check rules should be ip-only * Bug #5756: datasets: ipv4.src/dst, ip.src/dst check rules match on pseudo packets * Bug #5758: tls: iOS session with TCP fastopen and TLS 1.3 gives invalid record warning * Feature #5764: logging: add a format string for a more standard log format * Bug #5766: Misparsing of DNP3 g70v1 objects and failed reassembly * Bug #5767: Dangling pointer in SSL Parser * Bug #5771: xdp: Flows with nested VLANs are not bypassed by XDP filter * Documentation #5772: docs: A wrong rule matching example provided by the official doc * Feature #5774: Addressing Mixed Case in HTTP Headers Names and HTTP2 * Feature #5776: PCRE fast_patterns via hyperscan * Bug #5778: ftp fileinfo and extraction seem not to trigger when it should * Optimization #5785: smb: use u32.to_be_bytes to replace function u32_as_bytes * Bug #5788: files: output modifies file state * Feature #5798: New transformation: dropbytes * Optimization #5801: filemagic keywords: increase code coverage and update documentation (if need be) * Documentation #5837: Unify documentation of command-line parameters * Documentation #5841: tracker: bring documentation from old wiki on redmine to readthedocs guides * Documentation #5842: userguide: bring session about Suricata installation from Ubuntu PPA * Security #5851: rust: handle allocation failures * Bug #5864: radix tree do not support "0.0.0.0/0 ::/0" * Optimization #5865: Remove dual tracking mechanisms in output loggers * Bug #5871: ips/af-packet: doesn't work between 2 virtio devices * Feature #5872: file structure awareness - precise identification of fields in file structs * Bug #5880: pcap recursive mode not working as expected * Task #5892: config: remove requirement for suricata.yaml to start with %YAML 1.1 * Task #5893: tracking: deep file awareness and inspection * Feature #5894: file: file classification keyword * Optimization #5902: detect: "alert dcerpc" sig sets up smb 
inspect engines * Feature #5913: rfb: add more record types * Bug #5938: for syslog output, the setting identity is not properly set * Bug #5941: DNS rules not matching when traffic is over tcp * Bug #5954: redis: output crash on Mac * Feature #5956: Report traffic with missing VLAN tag * Documentation #5995: userguide: ips upgrade guide * Feature #6004: Add retry option to redis outputs using a socket instead of IP * Optimization #6011: Research potential performance penalty with filestore feature * Feature #6012: dpdk: add support for segmented mbufs * Feature #6051: app-layer: dhcpv6 support * Documentation #6059: docs: fix build failure - urllib3 issue * Optimization #6065: warning _FORTIFY_SOURCE requires compiling with optimization * Feature #6067: Add field to track SID of Flowbit Matches * Documentation #6071: eve/schema: add descriptions to the schema * Documentation #6072: eve/schema: document smb * Documentation #6073: eve/schema: document dns * Documentation #6074: eve/schema: document nfs * Documentation #6075: eve/schema: document http * Documentation #6077: eve/schema: document sip * Bug #6088: xdp/ebpf: updated shipped bpf files to be supported by libbpf v1.0 and higher * Feature #6091: eve/alert: missing dhcp metadata * Documentation #6097: eve/dhcp: generate example dhcp output * Documentation #6098: eve/dns: generate example dns output * Feature #6101: icap: app-layer protocol support * Feature #6102: Translate NAT64 ranges (also custom ranges) * Bug #6108: http: leading gap in request data leads to invalid next request * Bug #6110: Bad Checksum 0xffff - ICMPv4 & ICMPv6 * Optimization #6126: compiling with outdated cbindgen does not have a corresponding err msg * Documentation #6133: tracking: security deployment documentation * Documentation #6150: doc: improve the file-store documentation for the eve output and the dedicated section * Bug #6154: Conditional pcap-log fails to log packets for some alerts when using “pcap-file-continuous” flag * 
Optimization #6160: filestore: decide on the impact of eve output over the global filestore settings * Bug #6161: file-store: missing hash on TRUNCATED files * Feature #6167: Stream retransmissions stats counters * Bug #6173: http: loss of backward compatibility in HTTP logs from v6 to v7 * Bug #6175: eve/alert: deprecated fields can have unexpected side affects * Bug #6176: Multi-tenancy: Tenant selector to tenant ID mapping is o(n) * Bug #6177: detect-engine: stream match for rules is interdependent * Bug #6178: dns: erroneous app_proto settings in rule analysis * Optimization #6190: flow_spare_pool_block_size is a constant defined as a variable * Bug #6197: stream: additional alerts being seen once sigs are added * Feature #6198: smtp: add keywords for use in rules * Feature #6200: output: suricata.yaml dump-all-headers applied for alerts * Bug #6204: pcre: "Conditional jump or move depends on uninitialised value(s)" in valgrind * Feature #6206: Investigate a more intuitive use of the timestamp field in traffic/metadata events * Feature #6214: mirror ruleset reload commands for tenants in suricata socket control * Feature #6216: http: HHHash support * Bug #6218: xbits inconsistent behavior when running a pcap file. * Optimization #6221: build: check for compiler warnings/messages * Bug #6238: AF-XDP crash when closing Suricata while receiving traffic * Bug #6239: ASAN: double free when multi-tenancy enabled and configured * Optimization #6246: initialization: do config validation before runtime * Bug #6250: libbpf: elf: legacy map definitions in 'maps' section are not supported by libbpf v1.0+ * Feature #6251: AF-XDP ability to bind custom program * Bug #6257: pcap: hang at shutdown for some interfaces * Optimization #6264: mpm/ac-ks: reduce stack usage * Feature #6268: Recognize related ICMP request/response pairs * Bug #6275: fail af_xdp at configure time when libxdp is missing? 
* Optimization #6277: Attach XDP filter with libxdp * Bug #6283: FTP parsing yields in some cases smtp and http event types * Documentation #6288: eve/schema: generate tables of data for app-layer protocols * Feature #6295: output: add stream-size to flow output * Feature #6296: smtp: BDAT chunking support incl MIME parsing * Bug #6307: Packet loss or client connection drop causes delayed detection on HTTP rules * Task #6310: detect/analyzer: add more details for the ttl keyword * Task #6311: detect/analyzer: add more details for the flowint keyword * Task #6314: Convert unittests to new FAIL/PASS API - tests/detect-http-client-body.c * Task #6315: Convert unittests to new FAIL/PASS API - ippair-storage.c * Task #6316: Convert unittests to new FAIL/PASS API - app-layer-detect-proto.c * Task #6317: Convert unittests to new FAIL/PASS API - detect-filestore.c * Task #6319: Convert unittests to new FAIL/PASS API - util-bloomfilter.c * Task #6320: Convert unittests to new FAIL/PASS API - detect-base64-data.c * Task #6321: Convert unittests to new FAIL/PASS API - decode-raw.c * Task #6322: Convert unittests to new FAIL/PASS API - util-pool.c * Task #6323: Convert unittests to new FAIL/PASS API - ippair-bit.c * Task #6324: Convert unittests to new FAIL/PASS API - stream-tcp-reassemble.c * Task #6325: Convert unittests to new FAIL/PASS API - detect-urilen.c * Task #6326: Convert unittests to new FAIL/PASS API - detect-ssh-software-version.c * Task #6327: Convert unittests to new FAIL/PASS API - threads.c * Task #6330: Convert unittests to new FAIL/PASS API - tests/stream-tcp-list.c * Task #6331: Convert unittests to new FAIL/PASS API - util-bloomfilter-counting.c * Task #6333: Convert unittests to new FAIL/PASS API - util-rule-vars.c * Task #6334: Convert unittests to new FAIL/PASS API - util-spm.c * Task #6335: Convert unittests to new FAIL/PASS API - decode-tcp.c * Task #6336: Convert unittests to new FAIL/PASS API - tests/detect-http-stat-code.c * Task #6338: Convert 
unittests to new FAIL/PASS API - tests/detect-http-stat-msg.c * Task #6340: Convert unittests to new FAIL/PASS API - tests/detect-http-method.c * Task #6341: Convert unittests to new FAIL/PASS API - decode-ethernet.c * Task #6343: Convert unittests to new FAIL/PASS API - tests/stream-tcp.c * Task #6344: Convert unittests to new FAIL/PASS API - detect-pcre.c * Task #6346: Convert unittests to new FAIL/PASS API - detect-engine-dcepayload.c * Task #6350: detect/analyzer: add more details for the tcp.flags keyword * Task #6351: detect/analyzer: add more details for the xbits keyword * Task #6356: detect/analyzer: add more details for the tcp.hdr keyword * Task #6357: detect/analyzer: add more details for the dsize keyword * Task #6358: detect/analyzer: add more details for the ICMP itype keyword * Task #6359: detect/analyzer: add more details for the ICMP icode keyword * Documentation #6361: userguide: add note about severity<-> priority on alert section * Bug #6365: Suricata AF_XDP not using libxdp XDP dispatcher and can't co-exist with another XDP program * Bug #6372: napatech: Can produce invalid microsecond values. * Bug #6373: main/startup: support sentinel file signal for initial rule processing completion * Optimization #6375: detect: merge urilen and bsize implementations * Bug #6385: NFQ: Dereference of pointer that potentially can be null * Documentation #6386: Add tls.cert_chain_len Documentation * Documentation #6404: flow.reason value is misleading? 
* Documentation #6406: userguide: remove ambiguous "we" usages * Feature #6409: Lua support for HTTP/2 * Feature #6410: Log packets/bytes per second in Suricata stats * Bug #6416: Suricata not using Myricom SNF driver in a performant way * Bug #6440: TLS logging and maybe more not working on tagged traffic * Task #6443: Suricon 2023 brainstorm * Task #6447: readthedocs: CI integration * Feature #6453: Support DNS over TLS * Feature #6456: output: binary logging * Feature #6457: eve: configurable list of fields in output * Bug #6458: eve/http: discrepancy in http events and http objects logged in alerts * Feature #6461: ics protocol: bacnet * Feature #6462: IEC104 Protocol Support * Task #6463: eve/output: investigate how to track coverage / parity * Feature #6464: protocol: profibus * Feature #6465: multi-tenant: support vxlan as a selector * Feature #6466: multi-tenant: support mpls as a selector * Feature #6467: flow tracking: add other parameters to flow tracking * Feature #6468: flow-tracking: add geneve as a flow tracking parameter * Feature #6469: flow-tracking: add erspan as a flow tracking parameter * Feature #6470: flow-tracking: add vxlan as a flow tracking parameter * Feature #6471: flow-tracking: add mpls as a tracking parameter * Task #6473: detect: smtp keyword coverage * Task #6475: detect: smtp.subject keyword * Documentation #6478: schema: add missing fields * Feature #6482: Deployment: detect if capture is good enough * Task #6491: multi-tenant: add selectors * Bug #6559: Signatures starting with space have invalid diagnosis * Bug #6560: Suricata can’t output response when meet a tcp retransmission after a response * Bug #6565: coverity: new issues after updating to 2023.6.2 * Bug #6567: anomaly and file info logs discrepancy results between versions * Optimization #6572: runmodes: fix `--list-runmodes` output * Optimization #6583: rust: get rid of unused final zeroes in protocol detection patterns * Bug #6587: DPDK 'tap' mode doesn't alert on TCP 
protocol rules * Bug #6588: DPDK 'ips' mode doesn't pass TCP traffic * Bug #6591: protodetect: ftp parsed as smtp * Bug #6611: Fake Tunnels In Fragmented IP Packets * Bug #6623: Suricata BPF filter differs from tcpdump (tcpdump behaviour seems correct) * Feature #6625: Apply netflow per network * Optimization #6632: Do not have any warning with -Wsign-conversion * Task #6644: tracking: detect: integer as first-class support * Feature #6649: Add a keyword to match on raw data within headers especially for protocols without a dedicated parser * Feature #6650: dns: support extended response/error codes * Feature #6651: quic: detect on non-standard ports * Bug #6655: invalid distance/within does not produce an error * Bug #6667: Compiler warning with --enable-dag * Feature #6683: stats: add packet time elapsed indicator * Bug #6692: Have keywords export JSON dump function for engine analysis * Feature #6693: byte_jump - add support for bitmask option * Documentation #6694: placement of bitmask note about right shift behavior * Feature #6701: Auto-bypass optimization * Bug #6713: Weak ciphers event in Kerberos protocol * Bug #6716: fast.log enabled when running specifically without rules * Optimization #6720: flow: explore how red black trees compare to linked list in hash buckets * Optimization #6721: hash tables: explore how red black trees compare to linked list in hash buckets * Bug #6722: dpdk: inconsistent stats reporting * Optimization #6730: threading: warn if cpu affinity assigns more than one thread to a core * Bug #6731: eBPF XDP program is not attached when pinned-maps is true * Bug #6735: setting variables with --set leads to segfault * Task #6752: libsuricata: don't include autoconf.h from other includes * Bug #6754: libsuricata: restructure directory and files to allow for include files to be name spaced * Feature #6779: http.header_names behavior when encountering duplicate header names * Bug #6789: Dns remarks without showing dns name * Bug #6793: Unit 
tests failed to build on Solaris * Feature #6794: Tie signature to live device in IPS mode * Feature #6802: Support Domain rollup using existing dataset library * Feature #6803: Add Support for Dataset Metadata * Bug #6804: ci: add test for non-bundled htp * Feature #6807: Support the use of variables within transforms * Feature #6808: Quantify how a Suricata rule matches against a PCAP * Bug #6815: util/decode-mime: Possible derefernce of nullptr * Bug #6820: libhtp: compile warning if libhtp is bundled * Feature #6823: SC_WARN_POOR_RULE on to_lowercase/to_uppercase transformation with non-possible matching content * Documentation #6824: doc: Document every parameter of the configure script * Bug #6825: af-packet: possible free of unallocated memory * Bug #6826: app-layer/htp: Possible dereference of null in HTPCallbackRequestLine * Feature #6831: support extraction of bytes of non-numeric values * Task #6851: eve/syslog: stats message too long for many default configurations * Feature #6853: Support of variables from byte_math / byte_extract in bsize / dsize comparisons * Task #6858: libsuricata: hook for flow expectation creation * Bug #6860: eve/alert: multiple issues for ICMP * Bug #6874: libhtp appears to stop parsing HTTP client requests mid-pcap - /libhtp::request_uri_not_seen * Feature #6885: references: new "wayback" reference and update others * Bug #6886: HTTP Chunk Length Value disappearing * Bug #6894: bsize validation FP on content negation with hex encoded 0d 0a * Feature #6914: support inspecting http.uri or http.request_body * Bug #6915: How to write the filepath to the alert log when using default mode with pcap-log? 
* Feature #6916: decoding: add support for IEEE 802.2, 802.3 frames
* Bug #6920: FR, FM and Global stats gone after 7.0.4
* Feature #6922: Have a way to manually request decompression/inflate if headers are not present
* Documentation #6924: replicate http.cookie behavior from "Differences From Snort" to http.cookie
* Feature #6925: multi-buffer support for HTTP cookies
* Feature #6926: new buffer that includes HTTP headers and the start of HTTP body
* Optimization #6928: source-netmap: improve netmap receive loop packet processing performance
* Bug #6933: dpdk: landlock support
* Bug #6934: UBSAN: null pointer passed as argument to memcpy in unit test
* Bug #6963: rule-reload: potential memory leak in multiple rule reloads
* Documentation #6982: offset: no documentation that offset can be a name
* Documentation #6991: add note about case sensitivity to flowbits docs
* Documentation #6992: Document normalization of header name/value separator
* Feature #6993: rule macros for commonly used logic in rules
* Feature #6995: raw option for http.request/response_header
* Bug #6997: Socket mode hard fail with pcap logging mode and multiple link layer pcap file
* Bug #7005: Porting changes for running Suricata on Solaris
* Bug #7006: spm: boyermoore implementation appears to be underperforming
* Bug #7008: Static build failure on Linux since
* Bug #7009: dpdk: compile warning ‘rte_eth_bond_members_get’ is deprecated
* Bug #7016: tls: hello retry request handling issues
* Bug #7024: unix-socket: inconsistent default behavior
* Feature #7052: Add facility to move data from code into data files
* Feature #7056: version info not reported in stats json
* Feature #7057: monitored interface information in stats json
* Feature #7062: redis: support authenticating against a redis server
* Task #7080: rust/core: rename and unify name styling for internal fns
* Feature #7082: redis: support EVE output to a Redis stream
* Optimization #7083: detect/dataset: skip adding localstatedir if fullpath is provided
* Optimization #7089: rust transaction iterator runs a useless iteration of the loop
* Bug #7091: Segfault on 7.0.5 with generated live traffic
* Feature #7095: rdp: keyword additions
* Feature #7096: detect/flow: additions to time detection
* Feature #7097: Additions to flow detection - size
* Feature #7099: Addition of total bytes to the flow logs
* Feature #7100: smb: additional keywords
* Feature #7101: eve: add number of flowbits in protocol records and alerts
* Feature #7103: ssh: extra fields and keywords
* Feature #7114: from_base64: allow matching on decode error
* Task #7118: tracking: add support for new protocols
* Task #7123: tracking: improve detection capabilities
* Feature #7127: extended http.referer buffers/keywords
* Feature #7129: decode: Create a decode event for unknown ethertypes
* Feature #7132: threshold: add thresholding options for all decode events
* Bug #7133: Could the midstream policy support "drop-packet"?
* Bug #7137: "invalid cpu range" when trying to use CPU affinity
* Documentation #7143: Legacy keyword used in example for 'bypass' keyword
* Documentation #7145: userguide: update legacy keyword mentions to new ones
* Feature #7146: decode: Create a decode event for unknown IP types
* Task #7161: detect prefilter: decide to enable it by default for a subset of keywords
* Optimization #7163: unix-socket: refuse to start up if compiled w/o --enable-unixsocket
* Feature #7175: Response module API
* Feature #7177: http1: add frame support
* Bug #7179: Capture Kernel Drops happen when data is transferring inside the intranet
* Bug #7184: failed to parse addresses
* Optimization #7189: http/conf: warn or error on invalid value in custom headers logging
* Documentation #7190: detect/integers: document usage of units
* Bug #7197: detect/flowvars: persist if the inspection happens on multiple packets
* Bug #7201: Thread 178 "W#21-84:00.0" received signal SIGSEGV, Segmentation fault.
* Optimization #7205: detect: prefilter for app-layer events
* Optimization #7212: strtoul: replace with ByteExtractString variant
* Documentation #7217: userguide: add config section on reading pcap-files
* Documentation #7220: guides: add a post on using 'ip' and 'tcpdump' to Suricata forum's Guides
* Feature #7221: Sanity checking on IP network prefix base addresses
* Documentation #7222: userguide: document decoder events
* Documentation #7223: document 'stream-event' keyword
* Feature #7231: ndpi: augment flows/alerts with ndpi metadata and extend signature keywords
* Documentation #7237: userguide: defaults to latest development branch instead of latest release tag
* Documentation #7244: userguide: explain multi-tenant default config
* Feature #7245: Add SIMD support for arm64
* Bug #7250: tls version match can have incorrect behaviour
* Bug #7255: Cannot run suricata-update on a FIPS compliant server
* Bug #7259: Flaky behaviour of rules using Threshold keyword when running with --pcap-file-continuous
* Bug #7274: ssl_state:unknown not implemented
* Optimization #7278: Merge detect-template.c and detect-template2.c to have a unique template with all features
* Feature #7283: installing suricatasc functionality without installing suricata entirely
* Bug #7284: rules: pass/drop rule actions no longer apply to flow
* Documentation #7298: schema/netflow: add missing field
* Documentation #7299: eve/schema: document tls
* Feature #7313: transforms: have option on how to handle failure
* Optimization #7317: HTTP2 push
* Feature #7321: cross buffer byte_* keyword support
* Feature #7328: detect: use hyperscan streaming mode
* Bug #7331: Packet direction check incorrect for Lua TLS functions
* Task #7336: Suricon 2024 brainstorm
* Optimization #7342: applayer/htp: convert complex unittests to SV ones
* Bug #7343: SURICATA TLS invalid record type and SURICATA Applayer Detect protocol only one direction on TLS handshake
* Bug #7344: build: build can sometimes fail copying the lua headers into place
* Bug #7345: build fails when only --enable-profiling-rules is used
* Bug #7346: eve/fileinfo: sha256 should not be logged on incomplete file
* Bug #7347: eve/alert: log file_data
* Optimization #7352: Remove disable-hashing command line option
* Feature #7354: detect: reimplement ip-only as a per group prefilter
* Documentation #7355: Non-working signatures in filestore explanation
* Bug #7356: Unexpected effect of filestore keyword
* Bug #7357: filestore keyword option seems not to work
* Bug #7363: Flows are not recycled when using multiple Flow Managers
* Feature #7364: deciphering https traffic from linux system
* Bug #7369: xbits noalert does not appear to function, and syntax documentation is ambiguous
* Bug #7370: Local directories that are nested are not properly handled
* Feature #7372: Datajson: a dataset evolution
* Feature #7384: vlan: flowID should take MPLS into consideration
* Documentation #7385: userguide/redmine: have some instructions for bug reports
* Documentation #7386: userguide: list which config fields are updated w/ rule reload
* Bug #7387: cbindgen 0.20 does not work for Suricata and rustc 1.75 and we do not get a meaningful error message
* Bug #7388: runmodes: --unix-socket doesn't work with landlock
* Bug #7389: log: adding too many 'v's cycles back to less verbose mode
* Bug #7391: detect/config: 'scope' can't be applied to 'flow'
* Bug #7392: Verdict output reports "drop" when rejected
* Documentation #7395: engine/analysis: document the output for user friendliness
* Documentation #7396: userguide: standardize rst formatting for chapters
* Bug #7397: list-keywords command line option is crashing
* Feature #7400: eve: optionally support logging pcap output file
* Feature #7401: yaml: add schema
* Feature #7402: tls: ability to detect self-signed certs
* Optimization #7408: GitHub CI: run only CodeQL for python if python files have changed
* Bug #7410: Engine does not warn when a rule contains multiple threshold keywords
* Bug #7419: Incomplete logging message
* Bug #7429: detect/ip-only: severe performance degradation of "ip-only" rules with negation
* Feature #7446: add logic to parse QUIC CRYPTO frames and provide a keyword to access the reassembled data
* Bug #7454: Inconsistent behavior for ftp rules
* Feature #7470: detect/ldap: add ldap.bind.version keyword
* Bug #7472: Bug in Fuzz Target Compilation and Code Coverage
* Bug #7473: DecodeIPV4Options: check that the IPv4 option length is an integer multiple of 4 bytes
* Optimization #7474: Pcap file mode locking on time synchronization
* Bug #7475: Problem in HashTable remove function
* Bug #7476: Suricata tls.sni check fails when PQC KEMs like kyber
* Bug #7478: DNS packets not on port 53 are identified as DHCP protocol
* Optimization #7483: detect: split SIG_FLAG_INIT_STATE_MATCH
* Task #7484: engine/analysis: report rule dependencies
* Bug #7497: pcap: exit with errors when running with -r and --pcap-file-continuous
* Task #7499: tracking: rust/plugins: first class support for rust plugins
* Task #7500: rust/plugins: first class support for eve filetype plugins
* Task #7501: rust/plugins: first class support for app-layer plugins
* Bug #7509: Invalid macros in decode-tcp.h
* Task #7512: engine/analysis: show warning when flowbit wasn't set
* Feature #7518: add "blocking" argument to pcap-file socket command
* Bug #7530: Kerberos: sname/cname code and suricata documentation both wrong
* Task #7531: output: rename "ether_type" field
* Feature #7535: detect/ldap: add ldap.search_request.filter and also log the filter
* Bug #7541: `run-as` config option in Suricata removes capabilities needed for loading `ebpf` programs
* Bug #7544: Verdict output reports "alert" when traffic is allowed implicitly/passively
* Documentation #7545: userguide: document user mode and system mode and their relation to the log directory
* Feature #7550: detect/ldap: add keywords for LDAP ExtendedResponse
* Bug #7551: TCP alerts missing from fast.log in Suricata 7.0
* Feature #7559: Allow rule comment at end of rule line using #
* Optimization #7563: detect: use named values for buffer priority
* Feature #7572: Relative offset support for the entropy keyword
* Documentation #7573: Clarify which buffers affect subsequent PCRE
* Bug #7574: SURICATA DNS malformed request data from macOS to Active Directory DNS server
* Bug #7575: TLS invalid certificate generated for CN=*.his.msappproxy.net
* Bug #7585: SOF_TIMESTAMPING_RAW_HARDWARE dangerous default leading to incorrect timestamps
* Feature #7594: mime: add email.status keyword
* Bug #7611: Segmentation Fault When Using YAML Configuration with eve-log and stats.totals Output
* Bug #7612: Modbus regression from Suricata 6 to 7
* Feature #7621: add lua extension or function
* Bug #7622: AFPacket V3 missing socket ref count decrement
* Bug #7630: pass rules with alert; keyword log with a verdict of "alert" instead of "pass"
* Bug #7640: pcap-log: issues with multiple instances of pcap-log